December 2003
Recent spam thoughts
A great deal of the spam we receive comes from [what appear to be] hacked boxes on DSL or cable accounts. The harnessed box does not go through its ISP's mail server but rather connects directly to us on port 25 and speaks SMTP. The broadband customer has no idea that hundreds or thousands of messages are going out through their connection, and the ISP will never know unless it gets enough complaints. Some ISPs filter all outbound port 25 packets unless the destination is that ISP's mail server. I never liked this policy, but it seems that it could get rid of a bunch of spam.

MS has discussed the notion of making the sending machine perform a brief computational task (10 seconds or so) before each message goes out, which would cap the amount of mail a single computer can send at a max of 8600 per day. But with potentially hundreds of thousands of hacked boxes out there on the net, we won't see much benefit, in my view of course.

I would guesstimate that 50%+ of the spam we receive comes from consumer connections, and I can only guess that their owners have no idea it is going on. If I could ignore all of those connections (reject them, that is) I could focus more on blackholing the major spam machines. I know there is an RBL of sorts which tracks "dial-up" or consumer IP space, but there are some babies in that bath water, so it is tough to use that DB. I'd prefer to have that DB plus a list of valid and verified exceptions. I don't want to have to add them in a reactive way, though, so there would need to be a way for small guys running legitimate mail servers from DSL connections to register themselves. This combo and the use of other RBLs could get the spam level way down. Hopefully Bayesian and other filtering technologies can thwart much of the remaining flow and work on a much smaller load.
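As an added illustration of the combo described above (not code from the original post), here is a Postfix-style client check that consults a list of verified exceptions before a DNSBL of dynamic/consumer IP space, so that a registered small mail server on DSL is accepted while an unregistered consumer box is rejected. The zone name, the blocklist entries and the exception list are all constructed placeholders; a real check would resolve the DNSBL name via DNS instead of the in-memory dict.

```python
"""Added example: exception list first, dynamic-IP DNSBL second.
All zone names, addresses and records below are constructed."""
import ipaddress

# Constructed stand-in for a DNSBL zone that lists consumer/dynamic space.
# Keys are the reversed-octet query names a resolver would look up.
DYNAMIC_ZONE = "dynamic.example.invalid"
DNSBL_RECORDS = {
    "7.113.0.203." + DYNAMIC_ZONE: "127.0.0.2",   # 203.0.113.7  (constructed)
    "42.113.0.203." + DYNAMIC_ZONE: "127.0.0.2",  # 203.0.113.42 (constructed)
}

# Verified exceptions: operators who registered a legitimate DSL mail host.
VERIFIED_EXCEPTIONS = [ipaddress.ip_network("203.0.113.7/32")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet lookup name used by DNS-based blocklists."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, records=DNSBL_RECORDS) -> bool:
    """True if the client IP appears in the (offline) dynamic-space zone."""
    return dnsbl_query_name(ip, DYNAMIC_ZONE) in records


def is_verified_exception(ip: str, exceptions=VERIFIED_EXCEPTIONS) -> bool:
    """True if the client IP falls inside a registered exception network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exceptions)


def smtp_client_decision(ip: str) -> str:
    """Return the SMTP action for a connecting client.

    Order matters: the exception list is evaluated before the blocklist,
    otherwise registered small servers would still be bounced.
    """
    if is_verified_exception(ip):
        return "OK"
    if is_listed(ip):
        return "554 client address listed as dynamic/consumer space"
    return "DUNNO"  # fall through to the next restriction (other RBLs etc.)


if __name__ == "__main__":
    for client in ("203.0.113.7", "203.0.113.42", "198.51.100.9"):
        print(client, "->", smtp_client_decision(client))
```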
Future of spam fight
My feeling is that services such as Postini are going away in the future. The company may still be around if they roll with the changes, but analyzing mail for spam based on content is going away. I think mail will be usable again with permission-based mail, using something that is not too difficult for Mom and Pop to use.

MS' idea of requiring some computing power is decent, but with so many (mostly MS-based) computers in "drone mode" right now, the spammers couldn't care less; they'll simply use the hacked boxes to deliver their messages of evil. RBLs are cool too, but again, the hacked boxes or quick throwaway accounts don't stop the garbage flowing. Bayesian filtering has been a nice way to begin filtering, but it is also getting thwarted more and more. I think identity is going to rule the full stoppage of spam, but the problem is, it ain't gonna be easy. You need to get the major players involved, and Mom/Dad need to be able to work the system.

I'm not saying that I'll come up with the solution but I think that content based processes will always be a small step behind the bad guys. We're filtering based on content and we'll also likely be behind the bad guys in the near future as well. Bummer. I have some ideas but I want to wait until they take better shape before I share them.
Spamtastic: Entry Number One
I figured I would start blogging my fun with the spammers to record some of the tricky things I notice and some of the pain we deal with, mostly so I can look back on it in the years to come, when spam is a thing of the past (I hope). I'll start off with a few items that we've already experienced and then just simple notes as I think about posting.

We recently (in the last few weeks) implemented some spam prevention measures for ourselves and the domains we host. There is a mixture of SpamAssassin (with an Amavis frontend), native Postfix rules and our own homegrown things which only apply to the type of mail system we have. Adding these features has dramatically reduced spam, but it has not come free - our servers are feeling the pain, and as small as we are, we're still bouncing 150K messages per day, which plays havoc with our queue. We've fought with delivery delays, especially when dealing with mail forwarding to domains outside of our own network. We've gotten past most of the issues, but it is taking a half-time guy right now to keep things in check.

I've seen my 300-500 spams/day go down to 20-30, then back up to 40, back down again, and so on. I can sit there and watch the bad guys play with responses from our servers, change their message style and retry until they see some level of success. They can likely see us changing things a bit as their success dwindles, and then they start again. It's like playing tennis against dozens of people at once, but we are more like Sampras and they're not ranked (but still good).

I tend to get one or two misconfigured attempts at sending spam where their URL or "##randomstring##" gets bungled. I assume most of these are people who think they've got everything dialed in, send out a mail bomb and find that they had one subtle thing wrong. I know, I do it in productive programming and it is really no different for them.

Since we implemented the filtering our sheer number of requests has gone through the roof. It's as if they need to get 10K messages through so when their success level falls, they simply up the number of messages being sent.

I regret that we ever pushed the "catch-all" addresses for our domain owners. This results in tons of extra mail all going to the same person. Going forward I will have that turned off by default. I may even take it away as a service offering for new clients unless a special request is made... dunno about this one.

I've come up with all sorts of crazy schemes to help thwart spam (especially the "joe job") but most require that all mail servers play by the same rules and that seems too bloody difficult to pull off, unless you're a Yahoo! or Microsoft or AOL.

Because of the changes to our system I'm never sure that we don't have a buglet somewhere. Today a client called and told me that he was no longer receiving his misaddressed (catch-all) mail. We spent hours looking into things only to find that SBC Global had placed all of his forwarded mail in a SPAM box. Saturday morning: Wasted. But you can't blow off issues like this and the spammers win yet again because we wasted our time fighting against their crap.

That's it for now. I don't expect that I'll put too much here but as I think about it, I'll catch things and give them a permanent home.