Jul 28

Comment/Trackback Spam

Lately this site has been overrun with comment and trackback spam, not that it shows because I moderate everything. Still, my inbox has been full of junk because of it. I enabled a CAPTCHA image on comment posts. I hope this isn’t much of an inconvenience, but it was either this or disable comments completely. I also disabled trackbacks site-wide. I never used trackbacks anyhow, so it’s no big loss.

I don’t receive many comments, but when I do they are usually meaningful or informative in some way, so I did not want to drop them.

Now, if I can just find the time to post more often…

Dec 23

Merits of RBLs?

A couple weeks ago, the SORBS spamtrap list picked up a few Hotmail and Gmail servers, and a Yahoo mailing list server. This lead to me getting complaints that legitimate mail was bouncing. I’m all for letting the mail get blocked, because it’s the only way that large companies like Google and Microsoft will be forced to fix problems. Unfortunately, the end users don’t see it this way. They think because Hotmail user A can’t get mail to our user B, it’s a problem with our system and we need to fix it. Ignoring the fact that thousands of other ISPs who use the same RBL are also blocking mail from those people. Long story short, I was forced to remove the spamtrap RBL (by using all of the separate SORBS RBLs instead of the composite list) — the mail started flowing again and the complaints stopped.

This is leading to conversations on the general merit of RBLs in general, and whether or not we should use them because it’s allowing someone else to control whether or not mail gets to our users. Of course the people raising these questions do not have to listen to the end user complaints. People want all their mail and no spam, which of course is impossible.

Currently, between several different RBLs, we reject about 130,000 messages per day (~80% of the total daily mail volume) at the MTA level. Should we turn them off, everybody would notice. There are no other spam filtering techniques that have done as much to reduce our spam overall as RBLs. Sure, we could throw a million content filters at it, but that takes a lot of horsepower to run, and probably would not be as effective. I put more stock in RBLs than I do in content filtering. The only legitimate alternative to using RBLs at the MTA level is using them in SpamAssassin where they are ranked with scores based on the RBL’s reliability and such. However, performing the RBL checks in SpamAssassin also introduces a lot more delays in message delivery (and of course, if someone sends an e-mail and the other person doesn’t have it in less than a minute people call and complain too!)

Life would be so much easier if there was a secure and spam-resistant alternative to SMTP, but that won’t be happening anytime soon.

Jun 23

Spammers Faking Received Headers (duh)

Recently I was perplexed by the number of spam messages that were getting through my SpamAssassin setup. A coworker forwarded a couple obvious spams the other day and he was wondering too. So I decided to do a little digging. Out of a random sample of spam coming through when I checked, about 85% or more were using a particular tactic trying to bypass filters.

All of them had a faked received header at the “beginning” of the message’s path. The faked header matched up with the faked from address as well. Of course this was not a big shock. I’ve seen faked headers before, but not on this scale and so similar. An unusual number of them were pushing stocks instead of pills, too.

Continue reading