Stay up to date on the latest in ACME Labs' mail filtering technology, and spam news in general.
- 28oct2005 - Microsoft Discovers Zombies (permalink):
"I'm shocked, shocked to find that zombie PCs send spam."
Full article here.
Microsoft Stalks Super Spammers
Takes legal action after test PC is bombarded by 18 million spam messages in three weeks.
Microsoft announced today that it has filed a lawsuit against groups
that use zombie computers.
The software giant took the action after learning through a company
experiment that use of infected PCs to thwart spam blockers and pass
along immense quantities of junk e-mail is more widespread and
disruptive than Microsoft expected.
- 08aug2005 - BMF (permalink):
I added a third Bayesian filter to my line-up.
- 28jun2005 - MX Switchover (permalink):
Since I'm now ignoring all the crapmail sent to acme.com, I started
thinking about whether there might be some use for it.
I asked around and found two different organizations who were interested
in getting it, as a massive source of spam and virus examples.
Sending it to them is a simple matter of changing the MX record
for acme.com - or is it?
It turns out that many crapmail senders ignore MX records!
I kind of suspected they might, so I did the switchover in
three phases to look for this effect.
First, a couple of days ago, I re-enabled mail reception on acme.com,
to get back my baseline.
Then yesterday at noon I changed the MX record.
I let things run that way for 24 hours, to make sure that the
new record had a chance to propagate throughout the net.
Then at noon today I turned off acme.com's mail reception again.
The graphs are on the right.
They show that switching the MX record caused a drop-off,
but only by 50% or so.
Around half the mail was still being sent here, despite the MX
record saying to send it elsewhere.
I think that's pretty interesting.
Anyway, my IP-address block is back in place now, and the crapmail
is being sent off where it can do some good.
- 24jun2005 - adminfoo.net (permalink):
Got a really great review of these pages from
- 21jun2005 - qsf (permalink):
A new version of
finally showed up in the FreeBSD ports tree so I installed it,
upgrading from 1.0.18 to 1.1.0.
With this version it is recommended that you retrain from scratch,
so I did that - it took 60 hours, because I have a lot of training
After that was done, it has been working great, much faster
than the previous version.
I'm using the re-vamped built-in database backend.
- 17jun2005 - IP Address Switchover (permalink):
Back on the 13th I noticed acme's loadav was up to 8, and there was no
idle CPU time.
I don't know what was going on - maybe some new attack - but I decided it
was time to switch off the old IP address and mail address.
I've been running on the new address only for the past few days.
You can see from the stats on the right that it has been very effective.
I'll probably re-enable the old address at various points in the
future, to get a reading on the spam level.
But basically, acme.com is dead!
Long live mail.acme.com!
- 16jun2005 - Paul Graham Blacklisted (permalink):
Paul Graham, the guy whose "Plan for Spam" essay popularized Bayesian
spam filtering, has been
blacklisted by SBL.
He makes some of the same points I did in my Hall of Shame entry for DNS-RBLs.
No doubt this particular case will get sorted out, and mail containing my
url will stop getting blocked.
But this example is enough to prove that the whole idea of blacklists
Blacklists have a structural flaw: there is no one to watch the watchers.
- 09jun2005 - PIPELINING (permalink):
One of the comments on yesterday's slashdotting suggested I should
turn off PIPELINING in sendmail.
I tried this, and didn't find it useful.
Here's my writeup.
Also more bloggings:
thak's cool links,
and we showed up in the top ten of
del.icio.us / popular.
- 08jun2005 7pm - Whew (permalink):
The aforementioned collisions problem lasted a few hours, but
a slashdotting tapers off pretty fast so things were back to
normal by around 5pm.
I helped things out by temporarily turning off mail service on
my old IP address.
Aside from slashdot we also got mentions in
C.Jack's Stay Focused,
Random Thoughts from Joel's World,
Peter Adams Weblog,
and no doubt more to come.
- 08jun2005 11am - Slashdotted! (permalink):
Looks like the mail filtering pages have been posted in slashdot.
I haven't actually been able to check, since my network connectivity
is kind of hosed right now.
My CPU is mostly idle and the pipe isn't even full, what's hosing me
I'm getting about 400 collisions/second out of about 1500 packets/second.
It's because of the half-duplex ethernet segment between my switch and
the DSL box.
- 05jun2005 - Blacklist Scripts (permalink):
I got around to cleaning up the scripts I use to build my IP-address
They are now available in the blackmilter section.
- 01jun2005 - milter-cli (permalink):
Here's an interesting little tool I just ran across:
It's a milter that takes as command-line argument an external program to run.
The program gets the mail to be filtered as input, and returns an exit code
telling the milter what to do.
Nice, simple, and very general.
I might try running bogofilter site-wide using this.
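As an added example (not code from milter-cli, bogofilter, or this page), here is the shape such an external program can take in Python: it reads one message on stdin and reports its verdict through its exit code. The exit-code meanings (ACCEPT/REJECT/DISCARD), the blocked-extension list, and the idea of honoring an X-Bogosity header left by an earlier bogofilter pass are all assumptions made for this example, not the milter's documented contract.

```python
#!/usr/bin/env python3
# Added example, not part of milter-cli or the original page: a stand-alone
# filter program that reads one message on stdin and signals a verdict with
# its exit code. The mapping below is a placeholder convention chosen for this
# example; the real milter's expected codes must be taken from its docs.
import email
import sys
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

ACCEPT, REJECT, DISCARD = 0, 1, 2  # hypothetical exit-code mapping

# Attachment extensions this example treats as virus carriers (constructed list).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")


def classify(raw: bytes) -> int:
    """Return the exit code for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=DEFAULT_POLICY)

    # Rule 1: an executable attachment is silently dropped (DISCARD), so the
    # forged sender of a virus mail gets no bounce.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            return DISCARD

    # Rule 2: assumed setup where bogofilter already ran and stamped the
    # message; its X-Bogosity header starts with "Spam", "Ham" or "Unsure".
    if msg.get("X-Bogosity", "").startswith("Spam"):
        return REJECT

    return ACCEPT


def constructed_sample(filename: str) -> bytes:
    """Build a small multipart message with one attachment (constructed test data)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "see attached"
    m.set_content("body text")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Invoked by the milter: message on stdin, verdict as exit status.
    sys.exit(classify(sys.stdin.buffer.read()))
```

Because the program is spawned per message, it should do no network lookups and no training; anything slow belongs in a daemon, not here.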
- 01jun2005 - Blogs (permalink):
Oops, I had a little glitch in my scripts that prevented people from
subscribing to this news blog.
It's because the blog is inside a frame.
Anyway, it's fixed now.
Also, in our first week on the air we've gotten nice mentions in two
other blogs: Jim Thompson's
Sex, Drugs & Unix,
and Rafe Colburn's
- 25may2005 - Published (permalink):
I finished a second draft of these pages, so they're now open to the public.
- 24may2005 - FTC vs. Zombies (permalink):
The FTC is recommending that ISPs start doing outbound mail filtering.
They are also going to identify specific IP addresses as being
spam-sending zombies, and report them to their ISP for disconnection.
This is pretty good news.
Of course, the smart ISPs are already doing this without government
prompting, so it remains to be seen whether the other ISPs - by definition
not so smart - will comply.
Also, I like the headline that Information Week gave to this story:
FTC Launches International Campaign Against Zombies
- 20may2005 - New IP Address (permalink):
Ran another experiment today, and this one had immediate and very
Over the past few days I've been setting up email on a second IP address
(my ISP lets me have up to eight at no extra charge).
I made a new domain name, mail.acme.com, which maps to the new IP address.
I set up mail service on that name.
I changed the address in all my local files (which was made a lot easier
by the previous experiment, hiding the email addresses).
And (the hard part), I got all my friends, mailing lists, and web site
accounts to change my address to use the new domain name.
Then today at 1pm I did the switchover by changing one firewall rule
to block port 25 on the old IP address.
I let things run this way for 5 hours, until 6pm, and then changed the
firewall rule back.
You can see the results in the stats graph snapshot on the right.
Since the new domain name is almost unknown to spammers and viruses,
my traffic immediately dropped to near zero.
Raw connection attempts decreased from 100,000/hour down to 6,000/hour.
Loadav went from 5 or 6 to 0.1 or 0.2.
Even my CPU temperature decreased, from around 90F to 80F.
Legitimate email was not affected.
After a few more days to look for loose ends such as low-traffic mailing
lists I forgot about, I'm going to make the change permanently.
I expect the improvement will not be permanent, though.
After a while the spammers will add my new address to their lists and
traffic will pick up again.
Perhaps the previous change I made, hiding my web page email addresses,
will help delay this process.
Also, my friend Jordan speculates that some spammers canonicalize
addresses that have three-level domain names down to two; if so, then
those folks will turn mail.acme.com back into acme.com, which won't
work, so I'll never hear from them.
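Both this entry and the MX switchover entry above measure the same thing: how the rate of inbound port-25 connections to a given address changes across a cutover, and which clients keep coming to the old address anyway. The script below is an added example, not the page's own stats scripts; its log format ("timestamp destination client") and all sample lines are constructed, so a real sendmail or firewall log would need its own parser.

```python
# Added example (not the original page's scripts): compare inbound SMTP
# connection rates to one destination before and after a cutover, and list
# the clients that keep using the old destination afterwards. The log format
# and every sample line below are constructed for this example.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per inbound connection to port 25,
# "<date> <time> <destination name> <client ip>". Cutover is at noon.
SAMPLE_LOG = """\
2005-06-27 10:05:01 acme.com 198.51.100.7
2005-06-27 10:17:44 acme.com 203.0.113.9
2005-06-27 10:40:09 acme.com 198.51.100.7
2005-06-27 10:58:30 acme.com 192.0.2.33
2005-06-27 11:03:15 acme.com 203.0.113.9
2005-06-27 11:21:50 acme.com 198.51.100.7
2005-06-27 11:37:02 acme.com 192.0.2.33
2005-06-27 11:59:59 acme.com 203.0.113.9
this line is garbage and is skipped
2005-06-27 12:10:12 acme.com 198.51.100.7
2005-06-27 12:30:00 mail.acme.com 203.0.113.9
2005-06-27 12:48:33 acme.com 198.51.100.7
2005-06-27 13:02:07 acme.com 192.0.2.33
2005-06-27 13:15:22 mail.acme.com 203.0.113.9
2005-06-27 13:45:41 acme.com 198.51.100.7
"""

CUTOVER = datetime(2005, 6, 27, 12, 0)


def parse(lines):
    """Yield (timestamp, destination, client) tuples; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[2], parts[3]


def hourly_counts(records):
    """destination -> Counter(hour -> connections), the data behind a stats graph."""
    counts = defaultdict(Counter)
    for ts, dest, _ in records:
        counts[dest][ts.replace(minute=0, second=0)] += 1
    return counts


def window_rate(records, dest, start, end):
    """Connections per hour to `dest` within [start, end)."""
    hours = (end - start).total_seconds() / 3600
    n = sum(1 for ts, d, _ in records if d == dest and start <= ts < end)
    return n / hours


def drop_fraction(records, dest, cutover, hours):
    """(rate before, rate after, fractional drop) over symmetric windows of `hours`."""
    span = timedelta(hours=hours)
    before = window_rate(records, dest, cutover - span, cutover)
    after = window_rate(records, dest, cutover, cutover + span)
    drop = 1 - after / before if before else 0.0
    return before, after, drop


def still_using_old(records, old_dest, cutover):
    """Sorted client IPs that connected to `old_dest` after the cutover."""
    return sorted({c for ts, d, c in records if d == old_dest and ts >= cutover})


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG.splitlines()))
    before, after, drop = drop_fraction(recs, "acme.com", CUTOVER, 2)
    print(f"acme.com: {before:.1f}/h before, {after:.1f}/h after, drop {drop:.0%}")
    print("clients ignoring the change:", still_using_old(recs, "acme.com", CUTOVER))
    for dest, hours in hourly_counts(recs).items():
        for hour, n in sorted(hours.items()):
            print(f"{dest:15s} {hour:%H:%M} {n}")
```

In the constructed data half the old-address traffic survives the cutover, which is the shape of the MX result reported above; the "still using old" list is the part worth keeping, since a client that connects to an address no MX record points at is either caching stale data or not consulting DNS at all, and that alone is a useful reputation signal.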
- 13may2005 - Mailto: Links (permalink):
I started my first anti-spam experiment today, and it's a long-term one.
I got rid of all the mailto: links on my web pages, replacing them
with an image of my address and a link to a form for sending me mail.
The idea is to confirm or disprove my theory about viruses targeting me
due to finding my address in web cache files on infected machines.
If this theory is correct then I may see a gradual drop-off
in virus mail, as the old web cache files expire over the next
few weeks or months.
- 09may2005 - Welcome! (permalink):
Today I finished writing the first version of these pages.