Preventing and Stopping Spam: Email


It seems almost overwhelming, the sheer amount of garbage that attempts to get to you through your inbox. It may be trying to sell you Viagra, concert tickets, ripped software, or turn your computer into a soldier in the latest botnet, but all spam has two things in common.

  1. You didn’t ask for it.
  2. You don’t want it.

An entire industry has popped up around stopping the daily deluge of spam mail. The CAN-SPAM Act did absolutely nothing to stop or staunch the flow – legitimate businesses that cared about their reputation weren’t doing it, and spammers didn’t much care because they knew their chances of getting caught and prosecuted were next to nil.

It fell to the administrators of email systems and end users to combat what they didn’t want to see.

What We Do

As administrators of the servers that house the email systems, it is up to us to put enough roadblocks in the spammers’ way that we stop as much of that email as we can, but we have to do it carefully so that we don’t accidentally get legitimate email stopped at the gate as well. As you can imagine, it’s not an easy task, and if everyone had to come up with their own systems it would be even harder.

While we write a few rules ourselves, we generally employ known spam fighting techniques developed by others to decide who we will, and won’t, take mail from. Some, but not all, of those techniques are:

  1. Blocking dictionary attacks by dropping and ratelimiting hosts with more than 4 failed recipients – If you try to deliver to more than four addresses on our server that don’t exist, we’re going to assume that you are guessing addresses or don’t know what you are doing. Either way, we won’t talk to you anymore.
  2. Reject mail at SMTP time if the recipient is an address of the primary hostname of this server – you all have domain names. Nobody should be getting email at the server’s own hostname, so mail addressed there is refused before we ever accept it.
  3. Ratelimit incoming SMTP connections that violate RFCs (usually spammers and broken MTAs) – RFCs are “Requests for Comments”, the documents published by the IETF that define how the protocols work and what a conforming mail server has to do. If you didn’t get the memo and aren’t doing “it” (whatever it happens to be), we’re perfectly OK with not talking to you (and the SMTP RFC itself permits a server to refuse a session that isn’t following the rules).
  4. Require incoming SMTP connections to send HELO conforming to internet standards (RFC 2821 section 4.1.1.1, now carried forward unchanged into RFC 5321) – you have to say “Hi!” correctly. The HELO/EHLO argument must be a fully qualified hostname or an address literal such as [192.0.2.10]; if it isn’t, we do not have to talk to you. This is a syntax check only: the same RFC says a server must not refuse a message just because the HELO name doesn’t match the connecting IP address.
  5. Use callouts to verify the existence of email senders – the envelope sender (the address given in MAIL FROM, which need not be the From: header you see) has to be real. We connect to that address’s mail server and ask whether it would accept mail for it; if it says no, we don’t talk to you. The caveat is that a legitimate sender whose mail server is down or refuses to answer gets deferred or rejected too, so this one is not free of false positives.
  6. Reject mail at SMTP time if the sender host is in the zen.spamhaus.org or bl.spamcop.net RBL – RBLs (real-time blackhole lists) are DNS-based lists of IP addresses known to be sending spam. If everyone thinks you’re a big jerk, you don’t need to come over here. Rejecting at SMTP time, rather than accepting the message and bouncing it later, means the sending server gets the error immediately and we don’t generate bounces to forged sender addresses.
  7. and much more…
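The following is an added example, not code from the original post and not cPanel’s or Exim’s own implementation. It is a toy SMTP-time policy that mirrors two of the rules above: the HELO syntax requirement (RFC 5321 section 4.1.1.1, argument must be a fully qualified domain name or an address literal) and the dictionary-attack counter that stops talking to a client after more than four unknown recipients. It also builds the DNSBL query name the RBL check would look up, without doing the lookup. The mailbox list, client addresses and reply texts are constructed for illustration.

```python
"""
Added example (not from the original post, cPanel or Exim): a toy SMTP-time
policy implementing the HELO syntax check, the failed-recipient counter and
the DNSBL query-name construction described in the list above.
Mailboxes, client IPs and reply texts are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# A fully qualified name: at least two labels separated by dots.
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

MAX_FAILED_RCPT = 4  # "more than 4 failed recipients": the fifth one blocks


def helo_is_valid(arg: str) -> bool:
    """True if a HELO/EHLO argument is an FQDN or an address literal."""
    if not arg or len(arg) > 255:
        return False
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        try:
            if literal.startswith("IPv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return True
        except ValueError:
            return False
    return _FQDN_RE.match(arg) is not None


def rbl_query_name(client_ip: str, zone: str) -> str:
    """DNSBL name for an IPv4 client: octets reversed under the list zone.

    A listed address answers with an A record in 127.0.0.0/8; an unlisted
    one gets NXDOMAIN. The DNS lookup itself is left to the caller.
    """
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


class SmtpPolicy:
    """Tracks unknown-recipient attempts per client and refuses repeat offenders."""

    def __init__(self, local_mailboxes, max_failed=MAX_FAILED_RCPT):
        self.local_mailboxes = {m.lower() for m in local_mailboxes}
        self.max_failed = max_failed
        self.failed = defaultdict(int)  # client IP -> unknown recipients so far
        self.blocked = set()            # clients we no longer talk to

    def helo(self, client_ip: str, arg: str) -> str:
        if client_ip in self.blocked:
            return "554 too many unknown recipients; go away"
        if not helo_is_valid(arg):
            return "501 HELO argument must be a fully qualified hostname or address literal"
        return "250 mail.example.com"

    def rcpt(self, client_ip: str, address: str) -> str:
        if client_ip in self.blocked:
            return "554 too many unknown recipients; go away"
        if address.lower() in self.local_mailboxes:
            return "250 OK"
        self.failed[client_ip] += 1
        if self.failed[client_ip] > self.max_failed:
            self.blocked.add(client_ip)  # a real MTA drops the connection here
            return "554 too many unknown recipients; dropping connection"
        return "550 no such user here"


if __name__ == "__main__":
    policy = SmtpPolicy(["alice@example.com", "bob@example.com"])
    print(policy.helo("198.51.100.7", "bulk-sender"))      # 501: no dot, not an FQDN
    print(policy.helo("198.51.100.7", "mx.example.net"))   # 250: acceptable
    for n in range(6):                                     # address guessing
        print(policy.rcpt("198.51.100.7", f"user{n}@example.com"))
    print(rbl_query_name("198.51.100.7", "zen.spamhaus.org"))
```

The counter is keyed on the client IP and persists across the session, so the fifth unknown recipient trips the block and every later command from that client, including ones for valid mailboxes, is refused. The real Exim option also rate-limits rather than only dropping; that part is left out here.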

You can see that whether mail servers will actually talk to one another is much like judging who to dance with at a bar – pass off the wrong line, don’t follow the local courtesies, or act like a complete idiot, and eventually no one will talk to you and you’re going home alone and rejected.

Once we decide that a piece of mail passes our tests for whether it’s more than likely legitimate, then we pass it off to you and you get to decide what to do with it.

What You Do

Generally?

Most of you do a big, fat, nothing, relying on us to decide whether your email is legitimate, assuming that if we let him into the bar and poured him a drink, he’s ok.

What You Could Be Doing

You have a number of tools in your cPanel that can dramatically lower the amount of spam that you get in your inbox and for the most part, these tools remain unused by the vast majority of hosting clients. Your first tool is MailScanner.


There are three things in MailScanner that you can do that will make a difference.

  1. Click on “Other Settings” and play with the thresholds – the spam score at which MailScanner tags a message as spam decides what it catches. Tighten it up (a lower score means more mail gets tagged): the thresholds are deliberately pretty loose when we hand you your new account because we want to make sure you get your mail.
  2. Use the Whitelist and Blacklist – if mail gets tagged a lot, make sure that the people you know will be emailing you frequently, but whose mail may look “spammy” to an algorithm, get whitelisted. Likewise, if there is a mailing list that you seem totally unable to get off, blacklist it.
  3. Delete instead of Deliver – there’s a big caveat with this solution. By default, MailScanner delivers your spam, tagged, so you can filter it out yourself. If you switch to delete, the decision is made by MailScanner, not by you. The plus is that you will see a lot less spam because it never even makes it to you. The minus is that if your friend writes a “spammy” email you won’t see it, ever. It’s not held somewhere – when this option says delete, it means delete. You can also pick an in-between: have it delivered to spam@yourdomain.com, set up an email address for that, and check it once a week to clean it out.

MailScanner is not the only tool in your arsenal, though the next one takes a bit more time and a bit more work.

You also have Mail Filters, both account-wide and per email address. You can find both in the “Mail” section of cPanel.

You can filter mail with a series of rules like “If it says this in the subject but not this in the body” and so on, and have those emails deleted regardless of their spam score and regardless of who they are from.

By gathering your spam for a week and looking at the text, you’ll discover patterns in some of the spam and some keywords and phrases that nobody would ever legitimately email you for any reason. One filtering system I saw was at seven pages of filters, with keywords I just don’t think anyone would need to use when emailing a support desk, like “Viagra”.

Here’s a snippet of ours (the screenshot of our filter list is not reproduced here):

I mostly work with headers because their patterns seem to be repetitive and the easiest to match, and I can’t find any history of people emailing me with some of these “weasel words” in the subject line. After working on it for a while, I was able to bring the helpdesk spam down to almost nothing.
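As an added example, not the original post’s own filter list and not cPanel’s code, here is a small rule engine with the same shape as cPanel’s Mail Filters: “if this header matches X and the body does not contain Y, then do Z”. The rules and the sample messages are constructed for illustration; the patterns are not the author’s actual helpdesk filters, and the action names are assumed.

```python
"""
Added example (not the original post's filters, not cPanel's code): a
header-and-body rule engine in the style of cPanel's Mail Filters.
Rules, action names and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.message import Message

# A rule: conditions that must ALL hold, and the action to take.
# Condition = (field, regex, must_match). field "body" means the text body,
# any other field is a header name. must_match=False means "does not match".
RULES = [
    {"name": "pharma-subject",
     "conditions": [("Subject", r"\b(viagra|cialis)\b", True)],
     "action": "discard"},
    {"name": "urgent-but-no-ticket",
     "conditions": [("Subject", r"\burgent\b", True),
                    ("body", r"ticket #\d+", False)],
     "action": "deliver_to:Spam"},
    {"name": "bare-ip-sender",
     "conditions": [("From", r"@\d{1,3}(\.\d{1,3}){3}\b", True)],
     "action": "discard"},
]


def _header_text(msg: Message, name: str) -> str:
    """Header value with RFC 2047 encoded words decoded to plain text."""
    value = msg.get(name)
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def _body_text(msg: Message) -> str:
    """Concatenated text/plain parts (the whole payload for single-part mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _condition_holds(msg: Message, field: str, pattern: str, must_match: bool) -> bool:
    text = _body_text(msg) if field.lower() == "body" else _header_text(msg, field)
    matched = re.search(pattern, text, re.IGNORECASE) is not None
    return matched == must_match


def classify(raw_message: str):
    """Return (action, rule_name) for the first matching rule, else ("deliver", None)."""
    msg = message_from_string(raw_message)
    for rule in RULES:
        if all(_condition_holds(msg, *cond) for cond in rule["conditions"]):
            return rule["action"], rule["name"]
    return "deliver", None


# Constructed sample messages (not real mail).
SPAM_PHARMA = "From: deals@example.net\nSubject: Cheap VIAGRA today only\n\nBuy now.\n"
HAM_TICKET = "From: customer@example.org\nSubject: Urgent: site down\n\nRe ticket #4521, still broken.\n"
SPAM_URGENT = "From: alerts@example.net\nSubject: URGENT response required\n\nVerify your account.\n"
SPAM_BARE_IP = "From: admin@203.0.113.9\nSubject: hello\n\nhi\n"

if __name__ == "__main__":
    for raw in (SPAM_PHARMA, HAM_TICKET, SPAM_URGENT, SPAM_BARE_IP):
        print(classify(raw))
```

Rules are evaluated in order and the first match wins, so put the narrow, safe ones first. Before turning a rule into a real “discard” filter, run a week of collected spam and a folder of known-good mail through something like this and look at what the negative conditions (the “but not this in the body” parts) rescue.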

Use the Unsubscribe! Really!

A final word about the unsubscribe link at the bottom of emails – you know how everyone says don’t use it? Use it, but with caution.

If you click on the unsubscribe link and the page you land on asks you to enter your email, don’t. That is likely a spammer trying to harvest valid email addresses and common wisdom says giving them information is not your best course of action here.

If you click that link and it already has your email address and it’s telling you to click something else to confirm you want to unsubscribe, it is more likely than not a legitimate list and you will be legitimately unsubscribed. If you have any questions, do a Google search – most places use professional mailing list services to lend themselves legitimacy and help their legitimate marketing email go through. A little snooping around might help tell you one way or another whether it’s a good idea to click.

One Response to Preventing and Stopping Spam: Email

  1. Michael says:
    June 23, 2010 at 5:34 pm.

    Great post, Jen!

    My only comment is that, for some reason, the local spam assassin white/black lists through cpanel don't seem to work. If memory serves, I had the same problem when I used spam assassin on my own servers. (I've since switched to postfix which has a much better spam crasher that is far less work.) The system wide blacklist/white list files worked just fine. The local ones didn't work at all.

    I currently have about a dozen sites blacklisted through cpanel. Every one of them — *every* one of them, still gets through to my inbox.

    I have also noticed that the cpanel controls don't allow us to use the full range of pattern matching that blacklists and whitelists support. Assuming the local files can be made to operate correctly, documenting and supporting the full range of patterns would make best use of the 30 pattern limit. (I think I'm remembering that number correctly.)
