All the Perl that's Practical to Extract and Report

Killing spam

drhyde on 2005-07-04T12:40:14

My various spam-killing systems are pretty damned good if I may say so myself. There are four lines of defence:

  • Deny connections from a large number of netblocks - these are egregious spammers like verizon, charter, comcast, china etc. Where possible I have whitelisted ISPs' legitimate outgoing mail hosts (eg AOL list all theirs here). The idea is that spambots are too stupid to fall back to using my secondary MX, whereas the one or two legitimate mails coming from there will be coming from proper mail servers and so will do so.
  • Once someone has connected, drop them with extreme prejudice if they claim to be me in their HELO.
  • A load of procmail rules to kill winfestations and the like.
Those three are mainly there so that the amount of mail going through the fourth step is minimised.
  • Spamassassin - this is a great big fat pig and eats more CPU and memory than I like, so it is only used if mail gets through the first three filters *and* isn't sent to any of my mailing lists.
Unfortunately, there's a flaw. *Some* spammers *do* fall back to secondary MXes so can get around the first filter. Then other spammers go straight to the secondary MXes and don't bother with the primary. And finally, spamassassin isn't perfect. There's not a lot I can do about the latter, but I can help it. So as of a few days ago, there's another little filter just before mail gets to spamassassin. It looks for messages that have been delivered by my secondary MX, then looks at the host that the secondary received the message from. If that host is in my blacklist, it adds a header like:

X-Dodgy-Received: blacklisted netblock (218.82.225.65 is in 218.64.0.0/11)

the presence of which means a positive spamassassin score. The number of spams getting through to my inbox is now noticeably lower. Source code available on request.

request!

jdavidboyd on 2005-07-05T14:23:41

Oh yes, please show us the code for this. The more I can do to cut out spam, the better!

Re:request!

cog on 2005-07-05T16:57:41

The more I can do to cut out spam, the better!

Change your email address periodically.

Like... every minute! :-\

Re:request!

drhyde on 2005-07-08T13:56:16

It's here. The code is pretty self-explanatory. You will need to change the pattern matching immediately after the 'CHANGEME' comment so that it correctly spots the Received header inserted by your secondary MX.

Any message which goes through your secondary MX will have a header inserted to tell you whether it came to the secondary from a blacklisted or whitelisted host, or whether the sending host is neither black- or white-listed.