Jef Poskanzer, a long-term internet guru and one really sharp dude, has written some fantastic notes on how he stops spam dead in its tracks and I see his article as a must-read for server admins - the ideas give us some working, tested, clues to completely changing our anti-spam paradigm.
If you're a control panel developer - take note!
Jef has had the domain acme.com for over 10 years and now gets 1 million (that's right, 1,000,000) spam attempts per day. Only 10 of those get through to his email box with a tiny ratio of false positives. He gets 100 times the spam that Bill Gates gets, and has a tiny little server, and yet almost none gets through! Wouldn't we love to do this as hosters? Even a few of these techniques could increase the capacity of our servers substantially. So, how does he do it?
Some of his techniques are really surprisingly simple.
One is what he calls greet_pause - simply pause for a couple of seconds before sending the greeting and if the client has already started sending, it's a spammer violating SMTP rules, not a real MTA, so he blocks it. That got rid of a whopping 10%-20% of his spam in one fell swoop! (this is fairly well known - it's a part of sendmail from v8.13 on).
Another interesting trick is to blacklist for one hour the sites that get detected later by more expensive filters such as Bayes analysis or A/V software - for instance, if Bayesian analysis detects really high scoring spam, or ClamAV detects worms/viruses, the originating site is blocked for an hour. This combined strategy killed off up to 90% of his overall spam. Also sites that violated the greet-pause or other measures (eg dictionary attacks) were listed for an hour. The really clever thing about only blocking for an hour is that if a legitimate site does something strange it's only locked out for an hour, yet it's enough to completely block most spammers. This is nice because one can avoid RBLs, which so often get it wrong - over the years I've noticed that mostly, as part of their very nature, it's hard for the authors not to get overrun with requests and email from oceans of twits and thus morph into evil grumpyheads from hell.
A marvellously simple trick was to use graylisting - simply refusing a first attempt from an IP to send in email. A real MTA will queue the email attempt, whereas a spammer will just give up. This killed another 10% of spam, ie 5000 messages per hour, and is one heck of a lot better than spambox or other similar ideas as it requires no human intervention. Note - it does delay the first email from someone for probably around 30 minutes (most MTAs would retry in about 30 minutes the first time) but that's a small price to pay.
One really interesting thing is that (I think) he doesn't run SpamAssassin at all! He says it's too slow and that spammers find ways around it too quickly. Interesting ... and we think it's a key!
So, purveyors of fine control panel software, and mail filters, here's your chance to differentiate yourself from your competitors in one easy swoop! What about it? Which vendor will be first to take on the challenge?
As a control panel customer I would seriously consider a swap to a vendor who excelled in this area, all other things being (reasonably) equal.
You other hosters - would you consider swapping?
What are you guys' opines on this??? Could this be done in exim rules?
ps: the whole article is here: http://www.acme.com/mail_filtering/
pps: apologies to those who already saw this on slashdot ...
ppps: MTA = Mail Transport Agent, eg sendmail, exim, postfix, qmail etc
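The three techniques from the post (greet-pause early-talker rejection, the one-hour temporary block fed by the expensive filters, and greylisting of a first attempt) as an added Python sketch of the decision logic an MTA policy hook would run; this is my example, not Jef's code or any sendmail/exim feature, and the 30-minute retry window, the in-memory stores and the sample addresses are assumptions.

```python
GREYLIST_RETRY = 30 * 60    # assumed: accept a retry this many seconds after the first attempt
TEMP_BLOCK = 60 * 60        # the post's one-hour temporary block

class MailPolicy:
    """Cheap checks first (temporary block, greet-pause), greylisting last."""

    def __init__(self):
        self.first_seen = {}      # (ip, sender, rcpt) -> time of first attempt
        self.blocked_until = {}   # ip -> time the one-hour block expires

    def block_for_an_hour(self, ip, now):
        # Called by the expensive filters (Bayes, A/V) or on a protocol violation;
        # a legitimate site that trips it is locked out for only an hour
        self.blocked_until[ip] = now + TEMP_BLOCK

    def on_connect(self, ip, sent_before_banner, now):
        # Temporary block is the cheapest test, so it runs before anything else
        if self.blocked_until.get(ip, 0) > now:
            return "reject-blocked"
        # greet_pause: a client that talks before the banner is not a real MTA
        if sent_before_banner:
            self.block_for_an_hour(ip, now)
            return "reject-early-talker"
        return "banner"

    def on_rcpt(self, ip, sender, rcpt, now):
        # Greylisting: tempfail the first attempt for this triplet, accept a
        # retry once the delay has passed (a real MTA queues and retries)
        key = (ip, sender, rcpt)
        first = self.first_seen.setdefault(key, now)
        if now - first < GREYLIST_RETRY:
            return "tempfail"
        return "accept"

def simulate():
    """Constructed sample session: one real MTA, one early-talking bot, one A/V hit."""
    p = MailPolicy()
    t0 = 1_000_000
    out = []
    # real MTA: greets correctly, is tempfailed, retries after 30 minutes
    out.append(p.on_connect("192.0.2.10", False, t0))
    out.append(p.on_rcpt("192.0.2.10", "a@example.org", "b@example.net", t0))
    out.append(p.on_rcpt("192.0.2.10", "a@example.org", "b@example.net", t0 + GREYLIST_RETRY))
    # bot: talks before the banner, is blocked for an hour, then may connect again
    out.append(p.on_connect("198.51.100.7", True, t0))
    out.append(p.on_connect("198.51.100.7", False, t0 + 600))
    out.append(p.on_connect("198.51.100.7", False, t0 + TEMP_BLOCK + 1))
    # site whose mail the A/V scanner flagged a moment ago
    p.block_for_an_hour("203.0.113.5", t0)
    out.append(p.on_connect("203.0.113.5", False, t0 + 5))
    return out
```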
I have seen these types of methods used and to me the most interesting is the blacklist for one hour, which is what I do with the narrow beam exim deny ACL. It's an area I would like to explore further on cPanel servers, possibly in conjunction with SpamAssassin and MailScanner.
I have seen serious problems with greylisting if it hasn't been implemented perfectly and it is something I do take issue with. If you deny an email, even for a temporary error, then you're still saying that you're not going to process the email and to me that is an abuse of the SMTP protocol.
Note: the problem I've seen with greylisting is with BT in the UK and being a large ISP, you hit a brick wall when trying to explain to them that they have got it wrong.