Blocking Spam

The SPAM-L mailing list will be shut down as of May 11th, 2009. Please read this post for more information and an explanation.
This FAQ will be kept indefinitely for historical purposes but updates will be rare, if they are made at all.
[Edit: Some folks have set up a successor to the list at http://spammers.dontlike.us/ (SDLU). I have no current involvement with that list, but I encourage folks to check it out!]

This section covers ways to block spam.


How do I "block" spam?

If you're on Unix, use procmail, a general-purpose mail filtering package. You can find more info on it at http://www.ii.com/internet/robots/procmail/. Another good place to find information on Procmail is http://www.iki.fi/~era/procmail/links.html.

If you're on Windows or Macintosh, see if you can find a mail client which will do filtering for you. Better yet, ask your ISP if they can filter your mail for you so that you don't have to download spam only to have it filtered.


I see this funny header which seems to occur only in spam e-mail. Could I filter on that?

RFC 822 is an official Internet document which describes all the standard headers. There are of course many non-standard headers which are inserted by some mail programs. Some of those are merely a strong hint that a message is spam, others only under certain circumstances, and some are only added by bulk e-mail programs.

Here are a few examples that are frequently brought up:

X-PMflags
This is inserted by Pegasus. The only time it should appear on incoming e-mail is when someone who uses Pegasus is forwarding e-mail to you.

X-UIDL
The POP3 protocol (which is used to download e-mail from your ISP) has a command called "UIDL" which returns a unique identifier for each message; some POP3 clients write that identifier into the downloaded message as an X-UIDL header. So, if your POP3 client doesn't add them (like mine), an X-UIDL header on incoming mail was put there by the sender, and you can safely filter on it. Here's a valid header, for reference:
X-UIDL: b07a13a309dff618f53a09eeb9b966cc

Comments: Authenticated sender ...
This is inserted by Pegasus. If the message doesn't also have
X-Mailer: Pegasus
the information here is bogus and the message was sent using one of the broken bulk e-mail programs.
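Here are procmail recipes for the three headers above, written as an added example rather than taken from the FAQ. They assume your own POP3 client does not write X-UIDL, and the folder names are placeholders.

```procmail
# Added example, not part of the FAQ: procmail recipes for the headers
# discussed above.  Assumes your own POP3 client never writes X-UIDL.
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/procmail.log

# Quarantine folder (placeholder name).  Suspected spam is filed here
# instead of /dev/null so a false positive can still be recovered.
SUSPECT=$MAILDIR/suspected-spam

# X-UIDL is written by a POP3 client *after* download, so it has no
# business being on a message that has only just arrived.  The trailing
# colon on ":0:" makes procmail take a lock file while appending to mbox.
:0:
* ^X-UIDL:
$SUSPECT

# "Comments: Authenticated sender" comes from Pegasus.  A genuine Pegasus
# message also carries "X-Mailer: Pegasus"; the "!" negates the second
# condition, so this fires only when the corroborating header is missing.
:0:
* ^Comments: Authenticated sender
* !^X-Mailer: Pegasus
$SUSPECT

# X-PMflags is Pegasus-only too, but a legitimate Pegasus user forwarding
# mail to you carries it as well, so only log it.  A block that just sets a
# variable is non-delivering; procmail carries on with the next recipe.
:0
* ^X-PMflags:
{ LOG="X-PMflags seen on incoming mail$NL" }
```

Procmail regexes are case-insensitive by default, so the Pegasus patterns also match lower-case variants of the header names.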


How do I "block" spam in a LAN?

Since more and more LANs are running Windows NT on their servers, they have MTAs that aren't quite as configurable as sendmail, so it may be more difficult to filter out unwanted spam.

A way around this is to set up a UNIX box to handle e-mail and create an MX record for the domain in DNS pointing to it, so that all incoming e-mail goes to the UNIX box first. It can filter out spam with procmail, sendmail, or whatever, and then pass the rest on to the LAN's mail server.

If you are trying to keep costs down, I would recommend that you check out Linux, a free version of UNIX that runs on 386/486/Pentium systems.

Another alternative is to look into subscribing to the Realtime Blackhole List (RBL).


How can I "block" a site?

Blocking a domain is a serious step, and can generally only be done by the sysadmin. It involves configuring one's router to ignore any and all TCP/IP packets from a given network, regardless of type. This means they can't even browse your website. See the IDP entry below. An automated method for doing this is joining the Realtime Blackhole List, which has proven effective in keeping spam down on the sites that have joined it. More information can be found at http://mail-abuse.org/rbl.

Your administrator could also configure their MTA (mail transport agent) to refuse mail from a spammer's site. This is not 100% effective, because the spammers can route their mail via an innocent third party's server. More and more sites are disabling the relay feature from their servers, though, making it harder for the spammers to get through.

Another step some administrators take is to block a site by way of Procmail, which can filter mail by the IP address of the originating site (provided this information is present in the message headers).


What's a UDP?

Usenet Death Penalty. This is used only in the most extreme cases: NNTP servers are configured to refuse any and all postings coming from a certain system. This happened to Prodigy in September of 1995 because it refused to take action against phone sex spammers. When they started nuking the accounts, the UDP was lifted.

UDP also stands for User Datagram Protocol, part of the TCP/IP protocol suite, so the use of this acronym can be a bit confusing; however, it is usually possible to determine which one is being used from the context.


What's an IDP?

Internet Death Penalty. Used when a site refuses to do anything about abuse coming from it. What happens is that other sites will refuse connections of any sort coming from this site. The premise behind this is that users on that site will start complaining to their system administrators, and the sysadmins will have to deal with their spammer problems or lose customers.

IDPs are less common today, having largely been replaced by the RBL.


What's a plussed address?

Plussed addresses are available for UNIX boxes running newer versions of sendmail. You can add a plus sign and any string you want after the username and before the '@' and the mail will still be delivered properly. For instance, dmuth+this-is-a-test@ot.com will reach me just fine.

However, before you attempt to use plussed addresses in your e-mail, I would suggest trying to e-mail yourself with a plussed address to make sure your ISP supports them.


How can I use it effectively?

In terms of catching spammers, I have "dmuth+virus@ot.com" on my anti-virus homepage and NOWHERE else. I got a spam to that address about something that had nothing to do with viruses so it _really_ served to prove that spammers don't check their lists. Also, it proves that they look for 'mailto:' links.

Furthermore, if you start getting lots of spams to a plussed address (maybe after posting to Usenet with it), you can easily write a procmail recipe to dump all mail to that address to /dev/null.
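An added example (not from the FAQ) of the recipes this section describes: sorting incoming mail by the tag in a plussed address and dropping a tag that has been harvested. It assumes sendmail delivers dmuth+anything@ot.com to dmuth, as described above; the tag names other than "virus" are made up for illustration.

```procmail
# Added example, not part of the FAQ: filing mail by plussed-address tag.
# Assumes dmuth+tag@ot.com is delivered to dmuth, as the FAQ describes;
# "usenet-post" is a made-up tag name.
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/procmail.log

# A tag that has been harvested (say, one used once for a Usenet post) is
# "burned": everything sent to it goes to /dev/null.  ^TO_ is procmail's
# shorthand for "any recipient header"; "+" and "." are escaped because
# the condition is a regular expression.
:0
* ^TO_dmuth\+usenet-post@ot\.com
/dev/null

# The address published only on the anti-virus page.  Since it appears
# nowhere else, mail to it about anything other than viruses shows the
# address was harvested; file it separately so the evidence is kept.
:0:
* ^TO_dmuth\+virus@ot\.com
$MAILDIR/harvested-from-virus-page

# Any other tag: "\/" marks where $MATCH starts, so MATCH holds the tag
# plus "@ot.com"; the shell pipe strips the domain.  The message is then
# filed in a folder named after the tag, which shows at a glance which
# published address each spam came in on.
:0
* ^TO_dmuth\+\/[-a-z0-9]+@ot\.com
{
  TAG=`echo "$MATCH" | sed 's/@.*//'`
  :0:
  tagged-$TAG
}
```

The recipes are tried in order, so the burned tag and the virus-page tag are handled before the general catch-all sees them.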

