Why am I suddenly getting more spam? (Careful, rant ahead...)

Tue, 06/02/2009 - 12:56 -- John Locke

One of our clients asks why she's suddenly getting more spam, and what we can do about it.

For a few years, she got no spam at all, and then suddenly she's getting upwards of 80 a week. What happened?

Quite simply, somebody she knows got their Windows machine infected with a virus or spyware. Possibly even her computer. Or, her email address got published online, perhaps on a company web site, perhaps in an online forum. Somehow, the email address got out to the spammers of the world, and once that happens, it's quite hard to stop the spam entirely. You basically have two choices: switch to a new e-mail address, or start using or training a spam filter.

Where does the spam come from?

Windows computers. The vast majority of spam comes from home computers infected with a virus. Most people have no idea that their home computer is responsible for sending out thousands of spam messages every week. All they know is that their computer is a little bit slower than it was before. Our bodies carry lots and lots of viruses, and we don't know the difference unless one makes us really sick. Many Windows viruses work the same way, flying under your radar, spewing spam to the world in spite of your anti-virus software.

And sometimes, even worse. One of our clients came home to find the mouse moving around her screen on its own, opening and snooping through files on her hard drive. She ended up having to get her computer's operating system completely re-installed, and all her account info changed all over the web.

I'm sorry to have to tell you this, but Windows is just plain broken. Everybody seems reluctant to try Linux, because they think their Windows machine works ok, and why should they take the time to learn something new? Well, there's your answer--yeah, your computer works fine, for all the spammers in the world. They're using it quite effectively to shove thousands of spams down our collective throats every day. Yeah, it's possible to secure Windows, to be diligent about updates, to keep anti-virus signatures up to date. And it's possible to do all of this and still get infected. CBS News was shocked to find their own internal network had been infected with the Conficker virus, in spite of professional, competent IT staff with many best practices in place.

If you have the time and competence to keep your Windows computer clean, fine. But if you're going to spend all that time, why not pick up Linux? You'll probably find it much easier to keep it clean. And if you don't have the time or expertise to keep your Windows computer clean, please buy a Mac or get somebody to install Linux for you, and get your filthy virus-ridden machine off the Internet, and stop sending us spam!

Ok. Sorry about the rant. Glad to get that off my chest. Where were we? Oh yeah...

What can we do about it?

Well, that's step 1 - get off Windows and start being a part of the solution, not the problem.

Next, spam filtering.

The problem with spam filtering is that spammers are smart -- they do everything they can to trick spam filters into thinking that the message is good. If you look closely, you'll find they're always changing the wording slightly, introducing new misspellings, embedding images, and pulling all sorts of tricks. And the problem is, computers are not as good at recognizing patterns as people--they're easily fooled. To make matters harder, it's much worse if a spam filter catches mail from somebody you want to get mail from than it is if it misses a spam. So all spam filters tend to be biased towards missing spam rather than catching good mail.

On the upside, there are some very smart people developing spam filters, too, and they have become very, very good at catching spam. But almost all of them take a bit of education on your part to make use of them effectively, to tell them when they're wrong.

We have a bunch of spam fighting strategies already in place, and still spam gets through. Here are some optional features that we can turn on, to give you more tools to deal with the influx of spam:

  1. Greylisting. There are several approaches to spam fighting that have mostly failed in the past, either because they were too labor-intensive to manage, or too arduous for your friends. Whitelisting is when you create a list of people allowed to send you mail, and reject mail from everyone else. Then people who aren't on your list have to visit a web page and ask you to add them to your whitelist. Whitelists suck, big time--they're a big barrier between the world and you, making your spam everyone else's problem. But in certain situations, if you know you only want mail from a select group of people, they can be effective. Blacklists, on the other hand, share data about where spam has come from in the past, and reject all mail from those locations. The problem with blacklists is that so much spam originates from places that also send legitimate mail, and getting off a blacklist can be difficult. Greylisting basically builds an automatic whitelist: the first time an unknown sender tries to deliver mail, the server turns it away with a temporary error, and only accepts the message if the sender tries again after an hour or so--since most viruses wouldn't try sending again if they got rejected the first time. But viruses are getting smarter, and greylisting isn't as effective as it was a year ago. If you want this on a Freelock mail account, ask, and we'll turn it on for you.
  2. Sender verification. Are you getting lots of spam from yourself? We can fix this by setting up a "Sender Policy" for your domain. Basically, you tell us every server you send email through, and we publish a policy for your domain listing those servers. Then if we (or anybody else) get mail claiming to be from your domain that doesn't come from one of those servers, we reject it. Gone is the spam that uses your domain as a From address. But it takes a bit of setup, and we charge for this.
  3. SpamAssassin. SpamAssassin is one of the most popular spam filters at ISPs, and we use it, too. It works by looking for particular words and specific patterns that are commonly found in spam, and every time it finds one, it adds to a score. There are hundreds of SpamAssassin rules, and each message ends up with a spam score: the higher the score, the more spammy the message. However, spammers have SpamAssassin too, and they can easily test their spam and adjust it until it doesn't get caught. It's an escalating battle between spammers and SpamAssassin, with new rules coming out regularly. We have SpamAssassin set to tag all messages, and reject those that score higher than 10. Generally anything under 0 is probably good (though I have seen spam with negative scores), while anything over 4 or 5 is usually spam (though I have seen good mail with a score of 4). You can set a rule in your email client to filter any mail with a score above 4, and it should catch a fair amount of the spam that makes it through the other filters.
  4. Dspam. Dspam is our final spam fighting system, and it's really great. It has been catching nearly 1,000 spams a day for my personal account, and letting only a handful a week make it to my inbox. Dspam is a pure statistical filter--it breaks each message down into "tokens" and then checks, against all the past messages you've received, whether those tokens look more like the messages you've flagged as spam or more like the messages you've said were ok. The only thing you have to do is tell it when it's wrong, but it takes a while to become accurate. You'll need to get at least a hundred good messages and a hundred spam messages before it catches more spam than it misses, and it doesn't consider its training done until you've received 2500 good messages. This service we can simply turn on for you if you want it, no charge.
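The greylisting mechanism from item 1, as an added example rather than our mail server's actual code: a small store that defers an unknown (client IP, sender, recipient) triplet, accepts a retry made after the delay, and then whitelists that triplet. The one-hour delay and the four-hour retry window are assumed values; the post only says "an hour or so".

```python
import time

# Greylisting triplet store (example code, not our mail server's own). Delay
# and retry window are assumed values; the post only says "an hour or so".
DELAY = 3600
RETRY_WINDOW = 4 * 3600

class Greylist:
    def __init__(self, delay=DELAY, retry_window=RETRY_WINDOW):
        self.delay = delay
        self.retry_window = retry_window
        self.pending = {}        # triplet -> time of first delivery attempt
        self.whitelist = set()   # triplets that retried properly

    def check(self, client_ip, sender, recipient, now=None):
        """Return 'accept' or 'defer' (the MTA would answer a 4xx temporary error)."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.whitelist:
            return "accept"  # auto-whitelisted after a correct retry
        first = self.pending.get(key)
        if first is None or now - first > self.delay + self.retry_window:
            # First contact (or a stale record nobody retried): note it and defer.
            self.pending[key] = now
            return "defer"
        if now - first < self.delay:
            return "defer"  # retried too early; a real mail server keeps trying
        # Retried after the delay: behaves like a mail server, not like
        # fire-and-forget malware that gives up on the first rejection.
        del self.pending[key]
        self.whitelist.add(key)
        return "accept"
```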
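As an added illustration of the statistical approach in item 4 (example code written for this post, not Dspam's own implementation): a minimal token-based filter that refuses to give a verdict until it has seen the hundred good and hundred spam messages mentioned above. The 0.9 spam-probability cutoff, the regex tokenizer and the clamping of per-token probabilities are assumptions of the example.

```python
import math
import re
from collections import Counter

# Dspam-style statistical filter (example code, not Dspam itself). The post's
# training volume: a hundred good and a hundred spam messages before a verdict.
MIN_TRAINED = 100
class TokenFilter:
    def __init__(self, min_trained=MIN_TRAINED, spam_cutoff=0.9):
        self.ham_tokens, self.spam_tokens = Counter(), Counter()
        self.ham_msgs = self.spam_msgs = 0
        self.min_trained = min_trained
        self.spam_cutoff = spam_cutoff  # assumed cutoff for this example

    @staticmethod
    def tokenize(message):
        # Assumed tokenizer: lower-case runs of 3+ letters/digits, counted once
        # per message; real filters also tokenize headers, URLs and word pairs.
        return set(re.findall(r"[a-z0-9$]{3,}", message.lower()))

    def train(self, message, is_spam):
        # Teaching the filter; telling it when it was wrong is the same call.
        tokens = self.tokenize(message)
        if is_spam:
            self.spam_tokens.update(tokens)
            self.spam_msgs += 1
        else:
            self.ham_tokens.update(tokens)
            self.ham_msgs += 1

    def spam_probability(self, message):
        # Naive-Bayes combination of per-token probabilities, done in log space.
        log_spam = log_ham = 0.0
        for tok in self.tokenize(message):
            s, h = self.spam_tokens[tok], self.ham_tokens[tok]
            if s + h == 0:
                continue  # never seen in training: no evidence either way
            # Share of spam vs. good messages containing the token, clamped so
            # that one token can never decide the verdict by itself.
            spammy, hammy = s / self.spam_msgs, h / self.ham_msgs
            p = min(0.99, max(0.01, spammy / (spammy + hammy)))
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        diff = max(-700.0, min(700.0, log_ham - log_spam))  # no exp() overflow
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, message):
        # No verdict until the training volume above has been reached.
        if min(self.ham_msgs, self.spam_msgs) < self.min_trained:
            return "untrained"
        return "spam" if self.spam_probability(message) >= self.spam_cutoff else "good"
```

Constructed sample messages in the test below stand in for the hundreds of real ones a deployment needs; the min_trained setting is lowered there only so the example runs on a handful of messages.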

Those are the optional spam-fighting systems we can enable on our mail system. If we host your email and you'd like one of these turned on, drop us a line and we'll do so--#1 and #4 are free. We charge an hour for #2, and for #3, it all depends on your email client and how long it takes us to talk you through it.

If you don't host with us, but would like to, let us know. We do provide a mail gateway service to a couple clients as well, so you can have us filter your mail for spam and viruses before it reaches your server.

Now that we've solved the spam problem, what's next? Maybe we can do something about that climate change problem we keep hearing about...

Comments

Step 1 should be obvious, but it takes good folks such as yourself to help individuals get off of the legacy software Kool-aid. :)

Most people, by nature, prefer to be serfs. And Microsoft is their king, apparently. If we can ever get to a point where the legacy software cords can be cut...likely by more usage of Open Source apps on Windows, then switching desktops for these users ought to be pretty simple. After all, the apps feel the same then, right?

As for setup and OS updates/maintenance, this is where or I might come into the picture. Just remotely log in (SSH -x, whatever) and let the good times roll.
