We've all been filtering email for years now and it's not getting any better. No offense to the people offering filtering software, but the information on who is spamming our systems is right in our own logs. I don't think we'll ever be able to not filter, but I do think we can save some bandwidth as well as some filter processing by denying access from obvious sources of spam and/or infected machines. The one thing we can count on is that the handshake IP cannot be forged, as everything else is suspect, which is fine because that's the source of the spam anyway.
How do we determine whom to deny? Believe it or not, you can cut out 90% or better pretty easily, but as always it's the final 10% that gets a little tougher. This is why filtering won't go away. The point is that denying 90% of the spam that your mail servers have to even process is huge. Given that 95% of email that comes to all of our servers is spam, can you imagine not having to process or pay to receive it?
 
Sorting the information culled from our logs by IP reveals some interesting information.
  1. many spammers blast most of their crap out within one minute in spurts of 10 or 20 emails
  2. all of those "invalid user" lines are likely to be future spamming IPs
  3. the same IPs keep showing up so blocking one IP removes it from bothering you again
  4. spammers like emails beginning with the letter "J" as the from address (I know, weird)
  5. patterns do emerge

Regards,

Bill Foresman
Matrosity Hosting
850-656-2644



-----Original Message-----
From: "Bill Foresman" <[EMAIL PROTECTED]>
Sent 11/24/2007 7:13:20 AM
To: [email protected]
Subject: Re: [IMail Forum] Suddenly Imail Refusing Mail from Gateway Server

imail

Thanks,

Bill Foresman
Matrosity Hosting
850-656-2644



-----Original Message-----
From: "John T (lists)" <[EMAIL PROTECTED]>
Sent 11/23/2007 8:23:06 PM
To: [email protected]
Subject: RE: [IMail Forum] Suddenly Imail Refusing Mail from Gateway Server

Bill, I am looking forward to that. Would this be using the Declude logs or the Imail logs to gather the IPs to block?

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Foresman
Sent: Friday, November 23, 2007 4:43 PM
To: [email protected]
Subject: Re: [IMail Forum] Suddenly Imail Refusing Mail from Gateway Server

 

We're using the logs for data mining to determine what IPs to block. It's been extremely enlightening and productive. At this point we're trying to determine an algorithm to automate the process of identifying IPs that we're not going to accept mail from. Just after a few days we're denying connections from over 30,000 IPs that are absolutely spammers! We're going to release the software open source as soon as possible.

Regards,

Bill Foresman
Matrosity Hosting
850-656-2644



-----Original Message-----
From: "Len Conrad" <[EMAIL PROTECTED]>
Sent 11/23/2007 7:36:36 PM
To: [email protected]
Subject: RE: [IMail Forum] Suddenly Imail Refusing Mail from Gateway Server

>So what does that translate to for Imail?  Max two sessions? 1 bad
>recipient, then blacklist it?  That seems awfully low.

IMGate doesn't blacklist in a session. It disconnects the session
after 2 5xx's.

Eventually, through harvesting the mail log, enough sessions with
(even one) bad recip, and the IP gets blacklisted.  How many is
enough? over how much time? day?  week?

The threshold depends on several other factors.  eg, if the IP
doesn't have a PTR, then the blacklist threshold is a lot lower than
if it had an IP.

And John is right.  A gateway that accepts all recips and passes them
to Imail is asking for trouble, is a useless gateway.  Rejecting bad
recips is the FIRST task of an MX gateway.

Len

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
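
The log harvesting described in the messages above, as an added example that is not part of the original thread and is not IMGate's or Matrosity's software. The log line format, the sample lines, and the threshold and window values are all assumptions made for illustration; the only rules taken from the thread are that one bad recipient marks a session and that an IP without a PTR gets a lower threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format (not IMail's or IMGate's):
# timestamp, session id, client IP, PTR name or "-", reply code to RCPT TO
SAMPLE_LOG = """\
2007-11-23T19:30:01 s1 203.0.113.7 - 550
2007-11-23T19:30:02 s1 203.0.113.7 - 550
2007-11-23T19:41:10 s2 203.0.113.7 - 550
2007-11-23T20:05:00 s3 198.51.100.20 mail.example.net 550
2007-11-23T20:06:00 s4 198.51.100.20 mail.example.net 250
2007-11-24T09:00:00 s5 198.51.100.20 mail.example.net 550
2007-11-23T21:00:00 s6 192.0.2.55 mx.example.org 250
this line is malformed and is skipped
""".splitlines()

LINE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\d{3})$")

def harvest(lines, window=timedelta(days=1), with_ptr=5, no_ptr=2):
    """Return the set of IPs whose bad-recipient sessions reach the threshold.

    Window and thresholds are assumed values; an IP without a PTR gets the
    lower threshold.
    """
    bad = defaultdict(dict)   # ip -> {session id: time of first 5xx}
    has_ptr = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue          # ignore lines that do not parse
        ts, sid, ip, ptr, code = m.groups()
        has_ptr[ip] = ptr != "-"
        if code.startswith("5"):   # one bad recipient marks the whole session
            bad[ip].setdefault(sid, datetime.fromisoformat(ts))
    blocked = set()
    for ip, sessions in bad.items():
        times = sorted(sessions.values())
        limit = with_ptr if has_ptr[ip] else no_ptr
        # sliding window: `limit` consecutive bad sessions inside `window`
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                blocked.add(ip)
                break
    return blocked

if __name__ == "__main__":
    print(sorted(harvest(SAMPLE_LOG)))
```

Counting sessions rather than individual rejections keeps one long session with many bad recipients from weighing more than several separate sessions.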

