Blocking Unsolicited Email (Spam)

Bruce Momjian

Most email accounts receive lots of unsolicited email, also called spam. While you can easily delete unwanted email, spam is an annoyance to many people. However, with a few simple steps, you can dramatically decrease the amount of spam that reaches your mailbox. This article outlines those steps.

This article assumes you have control over your own mail server, meaning you control the program that accepts your mail from the Internet (sendmail, qmail, etc.). For simplicity, I will assume sendmail is being used. You can also use procmail to filter your personal email. However, by the time procmail runs the email has already been transferred, so no reject message is returned to the sending machine.

Advertising

Spam is just part of the daily barrage of advertising we're exposed to: radio and television commercials, print advertisements, billboards, telemarketing calls, door-to-door salesmen, web banner ads, and most recently web pop-up ads. These are all efforts by companies to get our attention in the hope we will become customers.

Of course, spam's magnitude is different. For nearly zero cost, an advertisement can be sent to millions of people, meaning you get lots of spam for items of no interest to you because it cost nothing to send it.

Preventing Email Address Exposure

Many people believe that preventing spammers from getting your email address is the best defense. Precautions include posting to Usenet and mailing lists with an obscured email address, and keeping your email address off web pages. While this works for a short time, one slip and your email address is out and being swapped among spammers.

While this may work for people who aren't very visible on the Internet, for active people it is a losing battle. Someone has written an article, http://www.cnet.com/software/0-3227888-8-6602372-1.html?tag=ld, showing how email addresses spread to spammers.

Blocking Email from Insecure Servers

Though spam seems like a pervasive part of the Internet, most spam originates from a very small percentage of computers. These computers are often either run by spammers, or are configured so insecurely that spammers use the computers as though they were their own.

Fortunately, there are organizations that track these computers, and allow you to automatically reject any email coming from them. One such service is the Mail Abuse Prevention System (MAPS), http://mail-abuse.org/. They track chronic spammers, insecure email servers, and dialup accounts that shouldn't be sending email. Mail arriving from any of these machines can be automatically blocked.

Blocking Spam Sent by Viruses

Though most machines are quite secure, they share the Internet with insecure machines. These insecure machines can easily get viruses that send email. A popular virus activity is to read the address book of the infected computer and send email to everyone listed in it. If another insecure machine receives the email, it gets infected too and more email is sent. These viruses can generate lots of spam.

Blocking Email with Specific Patterns

Much spam has a specific pattern that can be automatically blocked. For example, email subject lines with a trailing number shifted far off to the right are usually spam. Also, for me, email subject lines with non-ASCII encodings are often spam. Sendmail can block a message based on a regular expression match of any part of the envelope or message header. By default, sendmail cannot block based on message content.

Blocking Specific Mail Servers

The above measures automatically block 90% of spam arriving at my machine. However, a few chronic spammers still slip through. My solution for them is to add their computer addresses to a sendmail access list, http://www.sendmail.org/m4/anti_spam.html, that will block any future email from those computers.

Fishing for Spam

One trick I use involves actually seeking out spam. I created a dummy account, Andy Catcher mailto:andy_catcher@momjian.us, and posted that email address to Usenet and several web sites. Any time it receives email, I block the server that sent it. I chose an address that would be listed early in an alphabetical list, so that by the time the same spam reaches the email boxes listed after it, the sending server is already blocked.

Checking Content

Sometimes there isn't enough information in the email header to identify spam. For those cases, I use procmail http://www.procmail.org/ to check for patterns in the email message. I check for specific words as well as web addresses. If any are found, I forward the message to a spam mailbox that I review, and block the sending host and any email containing similar web addresses. These methods catch an additional 5% of spam, allowing me to prevent 95% of spam from reaching user mailboxes. Using SpamAssassin to compute spam scores, it is possible to block 99% of spam.

Anatomy of an Email Message

An email message has two parts: the part you see, containing To:, Subject: and other informational headers, and an envelope, which gets the email delivered to you. It is just like a postal letter. The envelope carries your name, and perhaps the name of the person who sent the letter. Inside is the actual letter, where your name and the sender's name usually appear again.

With non-spam email, the names on the envelope and the names in the email message usually match. With spam, however, they do not. To hide their identity, spammers rarely put their real computer names in the email message. Instead, they put a Hotmail or Yahoo account name there to collect replies from people who read their spam.

To find the machine that actually sent the spam, you have to look at the envelope, http://spamcop.net/fom-serve/cache/17.html, also called the full message headers. Most email readers, http://spamcop.net/fom-serve/cache/19.html, can show the envelope. The envelope shows the IP address, and perhaps the name, of the machine that sent the email to your mail server. The spam machine is the one that connected directly to your mail server; machines listed after that are often forged by the spammer.
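As an added example, not part of the original article, the following Python models the checks described in this and the earlier sections: it takes the connecting machine's address from the topmost Received: header (the envelope information just described), builds the reversed-octet lookup name a DNSBL such as MAPS uses, compares the address against a local access list like sendmail's, and applies the two Subject: patterns from the Blocking Email with Specific Patterns section. The access list entry, the DNSBL zone dnsbl.example and its contents, and the sample message are all constructed so the code runs offline.

```python
import re
from email import message_from_string

# Constructed stand-ins for sendmail's access database and for a DNSBL zone.
ACCESS_REJECT = {"198.51.100.23"}                  # hypothetical blocked host
DNSBL_ZONE = "dnsbl.example"                       # placeholder zone name
LISTED_IN_DNSBL = {"7.113.0.203.dnsbl.example"}    # constructed list contents

# "from host (name [203.0.113.7]) by ..." -> capture the bracketed client address.
RECEIVED_IP = re.compile(r"from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
TRAILING_NUMBER = re.compile(r"\S\s{8,}\d+\s*$")  # subject ending in a far-right number
ENCODED_WORD = re.compile(r"=\?[^?]+\?[bBqQ]\?")   # RFC 2047 encoded-word marker

def connecting_ip(msg):
    """Topmost Received: line was added by our own server, so it names the machine that connected to us; lower lines may be forged."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[0]) if received else None
    return match.group(1) if match else None

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_message(raw, dnsbl_lookup=LISTED_IN_DNSBL.__contains__):
    """Return the reasons to reject; empty list means accept. dnsbl_lookup stands in for the DNS query."""
    msg = message_from_string(raw)
    reasons = []
    ip = connecting_ip(msg)
    if ip is None:
        reasons.append("no client address in Received header")
    else:
        if ip in ACCESS_REJECT:
            reasons.append("client in access list")
        if dnsbl_lookup(dnsbl_name(ip)):
            reasons.append("client listed in DNSBL")
    subject = msg.get("Subject", "")
    if TRAILING_NUMBER.search(subject):
        reasons.append("trailing number in Subject")
    if ENCODED_WORD.search(subject) or any(ord(c) > 127 for c in subject):
        reasons.append("non-ASCII Subject")
    return reasons

# Constructed sample: 203.0.113.7 connected to us; the second Received: line
# and the From: address are the parts a spammer typically forges.
SPAM = "\n".join([
    "Received: from relay.example (relay.example [203.0.113.7])",
    "\tby mx.momjian.us with SMTP",
    "Received: from forged.example ([192.0.2.9]) by relay.example",
    "From: someone@hotmail.com",
    "Subject: Lowest rates ever                         48231",
    "", "Body text.", ""])
```

Running check_message(SPAM) reports the DNSBL listing and the trailing-number subject, while the forged inner Received: line and the Hotmail From: address play no part in the decision.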

Why So Much Work?

Why does reducing spam require so many steps? Because the Internet was designed to allow easy communication, but not designed to provide secure communication. Anyone on the Internet can email anyone else with no prior arrangement required. This is a boon for communication, but spammers abuse this ability by communicating their message to as many people as possible.

The steps above provide a way to block unwanted email while allowing desired email to get through. It is not perfect, but hopefully, with the steps outlined above, the flood of spam you receive can be reduced to a trickle.

Additional Resources