It never stops, does it? 07:45 to 20:45 at the office yesterday, then on my way home stop in to help someone install and setup a freeview box, then home and off to bed without supper! Not a typical day but nor does that sort of non-stop action seem too unusual either. Why is it there is always more to do than time to do it? Never time to get bored these days, that’s for sure.

What else has been occupying those few stolen moments recently, then? Spam. Damn spam. A.K.A Unsolicited Commercial E-mail (UCE, note the correct spelling of e-mail, not that I tend to use it, it’s email to me!) You see I’ve just managed, after several years, to enable the Staggering Stories emails. Yes, all those emails on the Contact Us page haven’t worked since day one. Whoops. I’ve been meaning to do something about that for quite a while but see the previous paragraph as to why it’s taken so long! For the first two or three years of Staggering Stories’ existence the email addresses were right there in plain ASCII text as part of the Contact Us page. Not surprisingly spammers quickly got the idea of harvesting email addresses from web sites and if Google can find our site to index it so can they. What must be a year or so back I decided that this wasn’t a great idea and now, if you look at the page source, you’ll notice that instead of hard coded email addresses there are script calls such as <script type=”text/javascript”>getaddress(“adam”);</script> Anyone with Javascript enabled in their browser (and that is just about everyone these days) will see the address as before but robots (also know as spiders, the programs that index the web) most likely don’t interpret the script. Or so I hope. It may be too late, though…

In the last 5 days I’ve had over 350 junk emails to a Staggering Stories address and that’s after some fairly aggressive anti-spam measures I’ve implemented in the last few days. My first effort was Greylisting, in the form of Postgrey. This works on the theory that most spam these days comes in from zombies. Yes, zombies are sending out most of the spam. Really! Of course, when I say ‘zombie‘ I don’t really mean the animated corpses who crave human brains. Instead they tend to be Windows machines that have been security compromised, almost certainly with the owner being completely ignorant of the fact, and are being backdoor controlled by a spammer. The spammers have thousands of such machines at their command which form what is known as a botnet. The botnet is then commanded to send out spam, using the bandwidth of the compromised systems. Suddenly the spammer have a huge resource of thousands of machines sending out thousands of spam emails an hour each – all for free. These botnets are also employed to take down Internet sites by focusing all that bandwidth power on one poor site in a big sustained assault. Of course to the owners of the individual zombie machines all they might notice is a slowdown of their computer and Internet link as their machines do the botnet’s bidding in the background. Generally zombie machines don’t use their ISP’s email servers to send the email and you will never see this spam appearing in your Outbox or Sent Items. Instead the machines connect directly to the destination email server (in Staggering Stories’ case my own Bytemark Virtual Machine), effectively pretending to be another email server that is passing the message on. This is where Greylisting comes in (and notice the odd use of the English spelling, as it should be, rather the more likely American English). A real email server works within well specified (in theory) protocol. If an email server isn’t able to handle an incoming message at that time it will tell the sending email server and the sender will queue it up to resend later. Zombie PCs don’t normally follow the protocol, they fire and forget – if it fails to get through first time they won’t queue and resend. Why bother when you’ve got a list of 50,000 email addresses to spam? Of course Greylisting does cause a delay in the email being received but once it has successfully had a resend from a machine it then allows future emails from that one through first time.

Did it work? Not noticeably, no. I’m not sure why yet. Perhaps zombie software has improved to do resends. Perhaps my Greylisting isn’t working at all. I’m not sure yet how to test those theories so it was on to another measure: Real-time Blackhole Listing.

A Real-time Blackhole List (also known as DNS-based Blackhole List) is the somewhat controversial idea of checking the IP of every machine connecting to your email server and outright banning them if they appear on the said list. So, we’ve got a list of bad IP addresses and we’re going to ignore email from any of those. Doesn’t sound too controversial. That is until you think how that list was built and maintained. There are at least a dozen such lists available, the majority free, and they vary greatly in how they obtain and maintain their lists. There are conservative lists and very aggressive lists. Some just use email honeypots, email addresses they seed on the web, newsgroups or elsewhere, that are never used for real emails, and any IP that sends an email to one of these is automatically banned (perhaps after a number of trangressions, perhaps only one). Then there are lists that contain known ‘dynamic IP addresses’ (almost, but not quite, exclusively used by home users). Many people take the not entirely unreasonable view that emails should never be coming directly from people’s home IP addresses, as legitimate users always relay it through their ISP. There are other schemes too, such as running email content analysis (much as your email client will do) to guess whether an email is spam – too many of those from your IP and you’re out too. Many lists combine such techniques. Some even allow you to appeal, though not all. That’s where it really gets nasty. If you find yourself on such a list, rightly or wrongly, it can be nearly impossible to get yourself removed from them. Some lists are very clandestine, in an attempt to avoid the wrath of the spammers (and let’s not kid about that, the spammers are increasingly linked with the Russian Mafia – there’s big money in spam). So, can I trust the quality of these lists? What the heck – I’ve got to try something! In the end I chose about a dozen different filter lists, based on nothing more than an Internet recommendation and crossed my fingers.

Did it work? Not noticeably, no. I’m not sure why yet. I am beginning to get the feeling my email server, Postfix, isn’t checking with any of these filter lists, let alone performing the Greylisting. More investigation is required…

This entry was posted on Friday, August 25th, 2006 at 19:54 and is filed under computing, linux, staggering stories. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.