Mail Filtering News

Stay up to date on the latest in ACME Labs' mail filtering technology, and spam news in general.
28oct2005 - Microsoft Discovers Zombies (permalink):
"I'm shocked, shocked to find that zombie PCs send spam."

Microsoft Stalks Super Spammers

Takes legal action after test PC is bombarded by 18 million spam messages in three weeks.

Microsoft announced today that it has filed a lawsuit against groups that use zombie computers. The software giant took the action after learning through a company experiment that use of infected PCs to thwart spam blockers and pass along immense quantities of junk e-mail is more widespread and disruptive than Microsoft expected.

Full article here.

08aug2005 - BMF (permalink):
I added a third Bayesian filter to my line-up. Info here.

28jun2005 - MX Switchover (permalink):
Since I'm now ignoring all the crapmail sent to acme.com, I started thinking about whether there might be some use for it. I asked around and found two different organizations who were interested in getting it, as a massive source of spam and virus examples. Sending it to them is a simple matter of changing the MX record for acme.com - or is it?

It turns out that many crapmail senders ignore MX records! I kind of suspected they might, so I did the switchover in three phases to look for this effect. First, a couple of days ago, I re-enabled mail reception on acme.com, to get back my baseline. Then yesterday at noon I changed the MX record. I let things run that way for 24 hours, to make sure that the new record had a chance to propagate throughout the net. Then at noon today I turned off acme.com's mail reception again.

The graphs are on the right. They show that switching the MX record caused a drop-off, but only by 50% or so. Around half the mail was still being sent here, despite the MX record saying to send it elsewhere. I think that's pretty interesting.

Anyway, my IP-address block is back in place now, and the crapmail is being sent off where it can do some good.
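As an added example (not part of the original page and not the author's own scripts), here is how the three-phase switchover can be measured from the old host's own connection log: the connection rate before versus after the MX change, and the client addresses that kept connecting once the new record had time to propagate. The log format, timestamps and client addresses are constructed for the example.

```python
"""Measuring what an MX switchover actually did to inbound SMTP traffic.

The old host keeps answering on port 25 after its MX record is pointed
elsewhere, so any connection it still receives came from a sender that
did not follow the MX change.  Compare the rate before and after the
change and list the clients that kept coming.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed log of connections accepted by the old host, one per line as
# "<ISO timestamp> <client-ip>" (a simplified form, not sendmail's format).
# Client addresses are from documentation ranges, not real senders.
SAMPLE_LOG = """\
2005-06-27T10:05:00 203.0.113.1
2005-06-27T10:20:00 203.0.113.2
2005-06-27T10:40:00 198.51.100.7
2005-06-27T10:55:00 203.0.113.3
2005-06-27T11:10:00 203.0.113.4
2005-06-27T11:25:00 198.51.100.8
2005-06-27T11:40:00 203.0.113.5
2005-06-27T11:50:00 203.0.113.6
2005-06-27T12:30:00 203.0.113.1
2005-06-27T12:45:00 203.0.113.3
2005-06-27T13:15:00 203.0.113.1
2005-06-27T13:50:00 203.0.113.5
"""

MX_CHANGE = datetime(2005, 6, 27, 12, 0)   # assumed: MX record changed at noon

def parse(log):
    """Yield (timestamp, client_ip) for each non-blank log line."""
    for line in log.splitlines():
        if line.strip():
            ts, client = line.split()
            yield datetime.fromisoformat(ts), client

def hourly_rate(log, start, end):
    """Connections per hour accepted during the window [start, end)."""
    n = sum(1 for ts, _ in parse(log) if start <= ts < end)
    return n / ((end - start).total_seconds() / 3600)

def mx_dropoff(log, mx_change, hours_before=24, hours_after=24):
    """Fraction by which the connection rate fell after the MX change
    (0.5 means the old host still sees half the traffic it saw before)."""
    before = hourly_rate(log, mx_change - timedelta(hours=hours_before), mx_change)
    after = hourly_rate(log, mx_change, mx_change + timedelta(hours=hours_after))
    return 1 - after / before if before else 0.0

def mx_ignoring_clients(log, mx_change, settle=timedelta(hours=1)):
    """Clients still connecting once the new record has had `settle` time
    to propagate: they went straight to the host's address, not its MX."""
    cutoff = mx_change + settle
    return sorted({client for ts, client in parse(log) if ts >= cutoff})

if __name__ == "__main__":
    print(f"drop-off after MX change: {mx_dropoff(SAMPLE_LOG, MX_CHANGE, 2, 2):.0%}")
    print("clients ignoring MX:", mx_ignoring_clients(SAMPLE_LOG, MX_CHANGE))
```

With a real log, pass the old host's full accept log and the MX change time, and widen the windows to the 24-hour phases the entry describes.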

24jun2005 - adminfoo.net (permalink):
Got a really great review of these pages from adminfoo.net. Thanks!

21jun2005 - qsf (permalink):
A new version of qsf finally showed up in the FreeBSD ports tree so I installed it, upgrading from 1.0.18 to 1.1.0. With this version it is recommended that you retrain from scratch, so I did that - it took 60 hours, because I have a lot of training material! After that was done, it has been working great, much faster than the previous version. I'm using the re-vamped built-in database backend.

17jun2005 - IP Address Switchover (permalink):
Back on the 13th I noticed acme's loadav was up to 8, and there was no idle CPU time. I don't know what was going on - maybe some new attack - but I decided it was time to switch off the old IP address and mail address. I've been running on the new address only for the past few days. You can see from the stats on the right that it has been very effective.

I'll probably re-enable the old address at various points in the future, to get a reading on the spam level. But basically, acme.com is dead! Long live mail.acme.com!

16jun2005 - Paul Graham Blacklisted (permalink):
Paul Graham, the guy whose "Plan for Spam" essay popularized Bayesian spam filtering, has been blacklisted by SBL. He makes some of the same points I did in my Hall of Shame entry for DNS-RBLs. Quoting:
No doubt this particular case will get sorted out, and mail containing my url will stop getting blocked. But this example is enough to prove that the whole idea of blacklists is broken. Blacklists have a structural flaw: there is no one to watch the watchers.
09jun2005 - PIPELINING (permalink):
One of the comments on yesterday's slashdotting suggested I should turn off PIPELINING in sendmail. I tried this, and didn't find it useful. Here's my writeup.

Also more bloggings: thak's cool links, 1134.org, and we showed up in the top ten of del.icio.us / popular.

08jun2005 7pm - Whew (permalink):
The aforementioned collisions problem lasted a few hours, but a slashdotting tapers off pretty fast so things were back to normal by around 5pm. I helped things out by temporarily turning off mail service on my old IP address.

Aside from slashdot we also got mentions in brainboy.com, GRYNX, C.Jack's Stay Focused, Random Thoughts from Joel's World, Peter Adams Weblog, MikeJuvrud, Reducing Privacy, and no doubt more to come.

08jun2005 11am - Slashdotted! (permalink):
Looks like the mail filtering pages have been posted in slashdot. I haven't actually been able to check, since my network connectivity is kind of hosed right now. My CPU is mostly idle and the pipe isn't even full, what's hosing me is collisions. I'm getting about 400 collisions/second out of about 1500 packets/second. It's because of the half-duplex ethernet segment between my switch and the DSL box.

05jun2005 - Blacklist Scripts (permalink):
I got around to cleaning up the scripts I use to build my IP-address blacklists. They are now available in the blackmilter section.

01jun2005 - milter-cli (permalink):
Here's an interesting little tool I just ran across: milter-cli, by SnertSoft. It's a milter that takes as command-line argument an external program to run. The program gets the mail to be filtered as input, and returns an exit code telling the milter what to do. Nice, simple, and very general. I might try running bogofilter site-wide using this.

01jun2005 - Blogs (permalink):
Oops, I had a little glitch in my scripts that prevented people from subscribing to this news blog. It's because the blog is inside a frame. Anyway, it's fixed now.

Also, in our first week on the air we've gotten nice mentions in two other blogs: Jim Thompson's Sex, Drugs & Unix, and Rafe Colburn's rc3.org.

25may2005 - Published (permalink):
I finished a second draft of these pages, so they're now open to the public.

24may2005 - FTC vs. Zombies (permalink):
The FTC is recommending that ISPs start doing outbound mail filtering. They are also going to identify specific IP addresses as being spam-sending zombies, and report them to their ISP for disconnection. This is pretty good news. Of course, the smart ISPs are already doing this without government prompting, so it remains to be seen whether the other ISPs - by definition not so smart - will comply.

Also, I like the headline that Information Week gave to this story: FTC Launches International Campaign Against Zombies

20may2005 - New IP Address (permalink):
Ran another experiment today, and this one had immediate and very good results. Over the past few days I've been setting up email on a second IP address (my ISP lets me have up to eight at no extra charge). I made a new domain name, mail.acme.com, which maps to the new IP address. I set up mail service on that name. I changed the address in all my local files (which was made a lot easier by the previous experiment, hiding the email addresses). And (the hard part), I got all my friends, mailing lists, and web site accounts to change my address to use the new domain name. Then today at 1pm I did the switchover by changing one firewall rule to block port 25 on the old IP address.

I let things run this way for 5 hours, until 6pm, and then changed the firewall rule back. You can see the results in the stats graph snapshot on the right. Since the new domain name is almost unknown to spammers and viruses, my traffic immediately dropped to near zero. Raw connection attempts decreased from 100,000/hour down to 6,000/hour. Loadav went from 5 or 6 to 0.1 or 0.2. Even my CPU temperature decreased, from around 90F to 80F. Legitimate email was not affected.

After a few more days to look for loose ends such as low-traffic mailing lists I forgot about, I'm going to make the change permanently.

I expect the improvement will not be permanent, though. After a while the spammers will add my new address to their lists and traffic will pick up again. Perhaps the previous change I made, hiding my web page email addresses, will help delay this process. Also, my friend Jordan speculates that some spammers canonicalize addresses that have three-level domain names down to two; if so, then those folks will turn mail.acme.com back into acme.com, which won't work, so I'll never hear from them.

13may2005 - Mailto: Links (permalink):
I started my first anti-spam experiment today, and it's a long-term one. I got rid of all the mailto: links on my web pages, replacing them with an image of my address and a link to a form for sending me mail. The idea is to confirm or disprove my theory about viruses targeting me due to finding my address in web cache files on infected machines. If this theory is correct then I may see a gradual drop-off in virus mail, as the old web cache files expire over the next few weeks or months.

09may2005 - Welcome! (permalink):
Today I finished writing the first version of these pages.