Spam Control

My mail system is now useless unless I’m on a broadband connection to the mailserver, and even then it’s pretty badly bogged down. And it’s all due to spam, roughly 50 thousand messages in the last month.

And that 50,000 messages is after spamcop’s realtime block list and spamassassin discarding anything over a 5 before it gets delivered to my mailbox in the first place.

I don’t think spamcop’s blacklist is actually making a difference — in the last 5 days of mail logs, I’m seeing 18000 rejected connections, while I’ve still seen 2000 spams a day getting to my account. I’m pretty sure that the spammers are using multiple trojaned proxy servers, and they just try until they get through.

It’s not as bad as it could be, since I do have a reasonably good client side filter that keeps all but 10 or 20 of those a day out of my inbox, so I don’t have to individually delete them. But all of them have to be delivered and downloaded, and that’s a real pain. And that’s why it’s now useless to connect to my mail on anything but a fast network. GPRS is right out.

To be honest, some of this is my fault, as I have a combination of issues that makes it a little more difficult than average to kill the spam. First, I’m running all my mail through a virus filter and spam assassin before address verification. That means postfix, the front end MTA, has the same problem that usually happens with backup mx machines: it has to accept the mail, process it, then deal with addressing. That’s not a problem with well addressed mail, but when there’s a dictionary attack on your domain, it’s not a pretty sight.

Second, I have a catchall email address, and I’ve been using it. So I don’t actually know which addresses are valid and which ones aren’t. I have a pretty good idea, but they’re not exactly all in code anywhere.

Third, this interacts really badly with spammers. I suspect that their adaptive proxy attack mechanism records when an address has been accepted for delivery, so that they can refine their dictionary attacks for the next run. So the first attack probably added thousands of addresses in my domain to their lists, which they retry with annoying regularity.

However, there is a resolution. I have recently updated postfix to a version that allows delegation of address policy to permit greylisting. So I can delegate to a script to check for: known emails that I use from the wildcard domain, addresses from the backend mailserver, and most importantly, some spamtrap email addresses. If they’re good, I can accept them, if they’re bad, I can drop the whole connection. With Feeling.
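Here is an added example of the kind of policy script described above; it is not the post author's script, only an illustration of the Postfix policy delegation protocol. Postfix's `check_policy_service` restriction hands each RCPT TO to an external program as `name=value` lines ended by a blank line, and expects `action=<access(5) action>` plus a blank line back. The domain `example.org`, the three address sets and the sample client addresses are constructed placeholders standing in for the real lists (the wildcard addresses actually in use, the backend mailserver's users, and the spamtrap addresses). Because the decision is made at RCPT time, the catch-all domain no longer has to accept a dictionary attack's guesses before finding out they are bogus.

```python
#!/usr/bin/env python3
"""Postfix SMTPD policy daemon for recipient checks.

Added example, not the post author's code. Postfix runs one copy of this per
policy connection (via check_policy_service), writes a block of name=value
lines terminated by an empty line, and reads back "action=...\n\n".
"""
import sys

LOCAL_DOMAIN = "example.org"  # placeholder: the catch-all (wildcard) domain

# Constructed sample data; a real deployment would load these from files or a DB.
KNOWN_WILDCARD = {"alice@example.org", "lists-2004@example.org"}   # addresses used from the catch-all
BACKEND_ADDRESSES = {"bob@example.org", "postmaster@example.org"}   # real mailboxes on the backend
SPAMTRAPS = {"trap1@example.org", "oldlist@example.org"}            # addresses only a spammer would try

# Clients that have hit a spamtrap; every further RCPT from them is refused.
# (Assumption: in-memory and per-process, so it only lasts for one SMTP session.)
trap_hits = set()


def parse_request(lines):
    """Read one Postfix request block (name=value lines up to a blank line) into a dict."""
    req = {}
    for line in lines:
        line = line.rstrip("\n")
        if line == "":
            break
        name, _, value = line.partition("=")
        req[name] = value
    return req


def decide(req):
    """Return an access(5) action string for a single recipient."""
    if req.get("request") != "smtpd_access_policy":
        return "DUNNO"  # not an access-policy query; let other restrictions decide
    rcpt = req.get("recipient", "").lower()
    client = req.get("client_address", "")

    if client in trap_hits:
        return "550 5.7.1 Delivery refused"   # already caught probing a spamtrap
    if rcpt in SPAMTRAPS:
        trap_hits.add(client)
        return "550 5.7.1 Delivery refused"

    _, _, domain = rcpt.rpartition("@")
    if domain != LOCAL_DOMAIN:
        return "DUNNO"                         # not our domain; relay rules apply
    if rcpt in KNOWN_WILDCARD or rcpt in BACKEND_ADDRESSES:
        return "DUNNO"                         # known-good: remaining restrictions still run
    return "550 5.1.1 User unknown"            # a dictionary-attack guess at the catch-all


def serve(inp, out):
    """Answer requests until EOF."""
    while True:
        req = parse_request(inp)
        if not req:
            return
        out.write("action=%s\n\n" % decide(req))
        out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

The script is wired in by defining it as a spawn service in master.cf and adding `check_policy_service` to `smtpd_recipient_restrictions` in main.cf. A `5xx` action rejects the recipient but leaves the SMTP session open; whether Postfix itself disconnects the client for a particular reply code depends on the release, so check access(5) for the version in use before relying on it to drop the whole connection.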
