We get a lot of questions about how to fight spam. For the most part, it's too late when it reaches your email program--but on the mail server, there are several tactics we employ to minimize what reaches your inbox.
Some of these can be applied universally, while others offer very effective protection with some trade-offs:
- Tar pitting: Postfix can be configured to throttle a connection once it has produced multiple errors. Throttling blunts dictionary attacks (also called directory harvest attacks), where a sender connects and tries every common English name and alias as a recipient to find out which accounts exist. With tar pitting you set a soft error limit at which responses start being delayed, and a hard error limit at which the connection is dropped. We generally set all of our servers to do this, so that after the third bad address the responses slow down until each one takes a minute or more, and at the 20th error the client is disconnected. This ties up the harvester's connection instead of letting it move quickly on to the next host, so the scan becomes a losing proposition for the attacker and it gets only a handful of our legitimate addresses. (A "Joe job", by contrast, is spam forged to appear to come from a victim; tar pitting does nothing about that, but SPF below does.)
- Sender Policy Framework (SPF): This tactic works best against spam that appears to come from your own domain. There are two parts to SPF: publishing a policy (a DNS TXT record) that lists the servers allowed to send mail for your domain, and configuring the mail server to look up and enforce the published policy of the sender's domain on inbound mail. If you can enumerate every server that sends mail for your domain, this stops forgeries of your own domain cold, and as more domains publish policies it cuts down spam that pretends to come from known domains. The trade-offs: a strict policy breaks mail from mobile workers who relay through whatever SMTP server is handy, unless they submit through your own server with authentication (the submission port, 587) so that every message still originates from a listed host; and mail forwarded by a third party arrives from the forwarder's address and fails the check at the final recipient.
- Greylisting: This tactic has a downside: mail from a new correspondent does not arrive immediately. Many early spam-fighting techniques used a whitelist, accepting mail only from known people and forcing everyone else to jump through hoops to reach you. Other, less effective techniques published blacklists of addresses known to send spam, but these failed badly because most spam comes from botnets scattered across millions of Internet addresses. Greylisting takes advantage of the resilience of mail delivery: the server temporarily rejects (with a 4xx response) the first delivery attempt from any unknown combination of sending host, sender and recipient. A legitimate mail server queues the message and retries, typically within an hour; most spam-sending bots never retry. Once a retry has been accepted the combination is remembered, so later mail from that sender is not delayed. Greylisting has been extremely effective for our clients who are willing to wait an hour or two for mail from new correspondents.
- Traditional Filtering: You can't overlook the basics. Once the mail has been accepted, we think the best practice is to run it through a virus scanner and SpamAssassin, rejecting or discarding messages whose spam score exceeds a high threshold, and tagging everything else with its score (SpamAssassin's X-Spam-* headers) so that the delivery agent or mail client can quarantine messages that scored above the tag threshold but below the reject threshold.
- Dspam: Dspam is a Bayesian mail filter, and for those who get more spam than the above methods reliably pick up, or find too many false positives flagged by SpamAssassin, we've found nothing that beats Dspam. With Dspam, you simply tell the filter when it's wrong, and it learns through pure statistical calculation of "interesting" tokens--words, mail headers, whatever it finds unique about a message. On my personal mailbox in the past year, Dspam alone has picked up over 250,000 spams. It missed about 2,000 spams, and flagged about 40 innocent messages falsely--none from any of my regular correspondents. I've found no other spam system so effective with so few errors--but it does need to be told when it's wrong. For our less technical users who don't bother to train messages, it hasn't been so effective.
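The tar pit settings, and the hooks that put SPF checking and greylisting in front of Postfix's recipient checks, look like this in main.cf. This is an added example, not the page's own configuration: the parameter names are real Postfix parameters, the values are this example's choices, the SPF policy daemon is assumed to be pypolicyd-spf as packaged on Debian-derived systems, and the greylisting service is assumed to listen on 127.0.0.1:10023 (postgrey's default port).

```ini
# /etc/postfix/main.cf excerpt (added example; values are this example's choices).
# Postfix has no inline comments, so every comment sits on its own line.

# Tar pit. With Postfix 2.1 and later, once a session has made more than
# smtpd_soft_error_limit errors every response is delayed by smtpd_error_sleep_time;
# at smtpd_hard_error_limit the client is disconnected.
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 20
smtpd_error_sleep_time = 60s

# A harvester only sees an error per guess if unknown recipients are really rejected,
# and VRFY must not answer the same question for free.
smtpd_reject_unlisted_recipient = yes
disable_vrfy_command = yes

# Ordering matters: own networks and authenticated (roaming) users bypass SPF and
# greylisting, open relaying is refused before any policy lookup, and only then are
# the SPF policy daemon and the greylisting service consulted.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    check_policy_service inet:127.0.0.1:10023

# Keep the spawned SPF daemon alive between requests (pypolicyd-spf's documented setting).
policyd-spf_time_limit = 3600

# Matching /etc/postfix/master.cf entry for the SPF daemon. The user and path follow the
# Debian package and are an assumption; adjust for your distribution:
#   policyd-spf  unix  -  n  n  -  0  spawn user=policyd-spf argv=/usr/bin/policyd-spf
```

To check the tar pit by hand, open an SMTP session and issue RCPT TO for twenty nonexistent users: responses should slow after the third rejection and the server should close the session after the twentieth. `postconf -n` shows the values actually in effect.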
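To make the SPF mechanics concrete, here is a small evaluator, added as an example for this post and not taken from any SPF library: it reads a v=spf1 record and decides whether a connecting IP may send for a domain. The zone data (example.com, _spf.mailhost.example, softie.example and their addresses) is constructed for the example, and DNS is replaced by a dictionary so it runs offline; only the ip4, ip6, a, mx, include and all mechanisms are handled, redirect= and exp= modifiers are ignored, and macros are not supported.

```python
import ipaddress

# Constructed zone data standing in for DNS (an assumption of this example, not real records).
ZONE = {
    "TXT": {
        "example.com": ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
        "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
        "softie.example": ["v=spf1 a ~all"],
    },
    "A": {"mail.example.com": ["192.0.2.25"], "softie.example": ["203.0.113.5"]},
    "MX": {"example.com": ["mail.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, zone=ZONE):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [r for r in zone["TXT"].get(domain, []) if r.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def _addresses(host, zone):
    return [ipaddress.ip_address(a) for a in zone["A"].get(host, [])]


def check_spf(client_ip, sender_domain, zone=ZONE, _depth=0):
    """Evaluate client_ip against sender_domain's policy.

    Returns pass, fail, softfail, neutral, none or permerror. Simplified from
    RFC 7208: no macros, no redirect=/exp= modifiers, no CIDR suffix on a/mx.
    """
    if _depth > 10:                      # RFC 7208 caps include nesting
        return "permerror"
    record = spf_record(sender_domain, zone)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:                  # modifier (redirect=, exp=): ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.lower().partition(":")
        target = arg or sender_domain
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:                         # an IPv4 address never matches an ip6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "a":
            matched = ip in _addresses(target, zone)
        elif mechanism == "mx":
            matched = any(ip in _addresses(mx, zone) for mx in zone["MX"].get(target, []))
        elif mechanism == "include":
            # include matches only when the included policy itself yields "pass"
            matched = check_spf(client_ip, arg, zone, _depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and there was no "all" term


def smtp_action(result):
    """What an enforcing receiver does with the message for a given SPF result."""
    if result == "fail":
        return "REJECT"
    if result in ("softfail", "permerror"):
        return "TAG"                     # accept, but hand the verdict to the spam filter
    return "ACCEPT"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "example.com"), ("198.51.100.10", "example.com"),
                       ("2001:db8::1", "example.com"), ("203.0.113.9", "example.com"),
                       ("203.0.113.9", "softie.example")]:
        result = check_spf(ip, domain)
        print(f"{ip:>16} as {domain:<22} -> {result:<8} {smtp_action(result)}")
```

The example.com record is what the published half of SPF looks like: its own MX, a /24 of outbound hosts and an include for a mail provider, closed with -all. The last two cases are the mobile-worker problem from the list: a message from 203.0.113.9 claiming example.com fails the -all policy and an enforcing receiver rejects it, while softie.example's ~all only downgrades the same situation to softfail, which is why many sites publish ~all until they have finished enumerating their senders.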
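The greylisting decision itself is small enough to show in full. The following policy service is an added example written for this post (it is not postgrey or any other existing daemon); it speaks Postfix's policy delegation protocol, in which Postfix sends name=value lines ending with a blank line, the service answers action=..., and DEFER_IF_PERMIT becomes a temporary 4xx rejection. The delay and expiry values, and the choice of a /24 (or /64) as the identity of the sending host, are this example's assumptions; the request text replayed in simulate() is constructed.

```python
import ipaddress
import socketserver
import time

GREYLIST_DELAY = 300            # seconds a new triplet must wait before a retry is accepted (assumption)
GREYLIST_MAX_AGE = 35 * 86400   # forget triplets not seen for this long (assumption)


def parse_policy_request(text):
    """Parse one Postfix policy request: name=value lines terminated by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def triplet(attrs):
    """Identify the sending host by its /24 (or /64) so that a retry coming from a
    sibling outbound host at the same site still matches the first attempt."""
    ip = ipaddress.ip_address(attrs["client_address"])
    net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
    return (str(net), attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, max_age=GREYLIST_MAX_AGE, clock=time.time):
        self.delay, self.max_age, self.clock = delay, max_age, clock
        self.seen = {}   # triplet -> (first_seen, last_seen); a real service persists this

    def decide(self, attrs):
        """Return the Postfix action for one request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        key, now = triplet(attrs), self.clock()
        entry = self.seen.get(key)
        if entry is not None and now - entry[1] > self.max_age:
            entry = None                                   # stale: treat as never seen
        if entry is None:
            self.seen[key] = (now, now)
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        first_seen = entry[0]
        self.seen[key] = (first_seen, now)
        if now - first_seen < self.delay:
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"                                     # let the remaining restrictions decide


class PolicyHandler(socketserver.StreamRequestHandler):
    greylist = Greylist()   # shared by all connections of this process

    def handle(self):
        while True:                                        # Postfix reuses one connection for many requests
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = self.greylist.decide(parse_policy_request("\n".join(lines) + "\n\n"))
            self.wfile.write(f"action={action}\n\n".encode())


def simulate(delay=GREYLIST_DELAY):
    """Replay a new sender's delivery attempts against a fake clock; returns the actions."""
    now = [1_000_000.0]
    gl = Greylist(delay=delay, clock=lambda: now[0])
    request = ("request=smtpd_access_policy\nclient_address=203.0.113.40\n"
               "sender=alice@example.org\nrecipient=bob@example.com\n\n")   # constructed request
    attrs = parse_policy_request(request)
    actions = [gl.decide(attrs)]                 # first attempt: deferred
    now[0] += 60
    actions.append(gl.decide(attrs))             # retried too soon: deferred again
    now[0] += delay
    actions.append(gl.decide(attrs))             # retried after the delay: accepted
    attrs["client_address"] = "203.0.113.41"     # sibling host in the same /24: accepted
    actions.append(gl.decide(attrs))
    return actions


if __name__ == "__main__":
    print(simulate())
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10023), PolicyHandler) as server:
        server.serve_forever()
```

Hook it into Postfix with `check_policy_service inet:127.0.0.1:10023` placed after reject_unauth_destination in smtpd_recipient_restrictions, so that your own users and relay checks are never greylisted. The in-memory table is the obvious gap for production use: a restart forgets every triplet and every known correspondent gets delayed once more, which is why real services keep the table in a database and also allow a manual whitelist for large senders that retry from unpredictable addresses.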
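How a Bayesian filter learns from being told it is wrong is easiest to see in code. The classifier below is an added illustration of the Graham-style approach that Dspam and similar filters use, not Dspam's own code: a per-token spam probability derived from training counts, a score that combines only the most "interesting" tokens (those farthest from 0.5), and a correction hook that is nothing more than another training step. The training corpus, the probe messages and the thresholds are constructed for the example; a real filter trains on far larger corpora and demands more evidence per token before trusting it.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]{2,}")


def tokens(message):
    """Split a raw message into tokens; header tokens are prefixed with the header name."""
    head, _, body = message.partition("\n\n")
    found = []
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            found += [f"{name.strip().lower()}:{t}" for t in TOKEN_RE.findall(value.lower())]
    found += TOKEN_RE.findall(body.lower())
    return found


class BayesFilter:
    def __init__(self, min_evidence=1, interesting=15):
        self.min_evidence = min_evidence     # Graham used 5 on a large corpus; 1 suits this tiny one
        self.interesting = interesting
        self.spam_docs = self.ham_docs = 0
        self.spam_counts, self.ham_counts = Counter(), Counter()

    def train(self, message, is_spam):
        present = set(tokens(message))       # document frequency: one count per message
        if is_spam:
            self.spam_docs += 1
            self.spam_counts.update(present)
        else:
            self.ham_docs += 1
            self.ham_counts.update(present)

    correct = train   # "tell the filter when it's wrong" is just another training step

    def token_probability(self, token):
        """P(spam | token), Graham-style; None when the token has too little evidence."""
        b = self.spam_counts[token]
        g = 2 * self.ham_counts[token]       # ham occurrences count double, to bias against false positives
        if b + g < self.min_evidence:
            return None
        spam_rate = min(1.0, b / max(1, self.spam_docs))
        ham_rate = min(1.0, g / max(1, self.ham_docs))
        return min(0.99, max(0.01, spam_rate / (spam_rate + ham_rate)))

    def score(self, message):
        """Combine the most interesting tokens (farthest from 0.5) into P(spam)."""
        probs = []
        for token in set(tokens(message)):
            p = self.token_probability(token)
            if p is not None:
                probs.append((abs(p - 0.5), p))
        probs.sort(reverse=True)
        chosen = [p for _, p in probs[: self.interesting]]
        if not chosen:
            return 0.5                       # nothing is known about any token in this message
        log_spam = sum(math.log(p) for p in chosen)
        log_ham = sum(math.log(1 - p) for p in chosen)
        return 1 / (1 + math.exp(log_ham - log_spam))   # combined in log space to avoid underflow

    def classify(self, message, threshold=0.9):
        return self.score(message) > threshold


# Constructed training corpus and probes (not real mail).
SPAM = [
    "Subject: You are a WINNER\n\nClaim your free prize now, click here",
    "Subject: Cheap meds\n\nBuy cheap pills online, free shipping, click now",
    "Subject: Free money\n\nYou won the lottery prize, claim now",
    "Subject: Urgent offer\n\nLimited offer, buy now and win a free prize",
    "Subject: Click here\n\nYour account needs verification, click the link now",
    "Subject: Lottery winner\n\nCongratulations winner, claim your prize",
]
HAM = [
    "Subject: Meeting tomorrow\n\nCan we move the project meeting to 10am?",
    "Subject: Report draft\n\nAttached is the quarterly report draft for review",
    "Subject: Lunch\n\nLunch on Thursday? The usual place",
    "Subject: Re: project\n\nThe project schedule slipped a week, see report",
    "Subject: Budget review\n\nPlease review the budget before the meeting",
    "Subject: Notes\n\nNotes from yesterday's meeting attached",
]
SPAM_PROBE = "Subject: Free prize\n\nClick now to claim your prize, winner"
HAM_PROBE = "Subject: Project meeting\n\nCan you send the report before lunch?"
NEW_SPAM = "Subject: Hot deals\n\nUnbeatable deals, deals, deals"   # nothing in the corpus matches it


def trained_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, is_spam=True)
    for m in HAM:
        f.train(m, is_spam=False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for name, m in [("spam probe", SPAM_PROBE), ("ham probe", HAM_PROBE), ("new spam", NEW_SPAM)]:
        print(f"{name}: {f.score(m):.3f}")
    f.correct(NEW_SPAM, is_spam=True)   # the user reports the miss; the filter learns its tokens
    print(f"new spam after correction: {f.score(NEW_SPAM):.3f}")
```

The NEW_SPAM probe is the "it does need to be told when it's wrong" case: with every token unseen the filter has no opinion (score 0.5) and the message gets through, and one correction is enough for the same tokens to score as spam next time. The ham-weighting in token_probability and the high classify threshold are the two knobs that trade missed spam for fewer false positives, which is the balance the figures in the Dspam paragraph describe.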
Those are the tools in our spam-fighting toolbox. All of these are implemented with open source software, with no per-user licensing charges. Setting up a reliable mail server with all of these elements is challenging, however. As a provider of these services, we recommend hiring a shop with this expertise to get it running quickly and efficiently. We often build up an Internet-facing mail relay server to provide this type of filtering, and then relay it on to Exchange or Domino or another proprietary mail server to minimize any disruption to employees.
If you use our email hosting or relay services, and are seeing too much spam, drop us a line or a phone call, and we'll crank up one of these options for you. If you'd like us to build a relay server for you, contact us for a quote.