Successfully blocking spam...

nobaloney

From time to time a few people have posted that SpamBlocker isn't good enough for them.

I've never said that the tools in the blocklists are enough to block spam; only that they're a good start and part of a good solution.

For example, a few days ago (a reasonably average day) I checked to see how much spam actually made it through to my main nobaloney mailbox, which has been around and attracting spam and spammers for over eight years:

Here's the total:

2 spams
11 majordomo-based spam

A word about majordomo-based spam: If you run majordomo mailing lists eventually you'll get spam to both the signup address and the actual email address.

What do I use to keep the spam in my desktop inbox so low:

1) SpamBlocker version 3.1-beta, with all the blocklists and defaults.

2) SpamAssassin as supplied by DirectAdmin, no changes to the configuration.

3) DirectAdmin Email Spam Filters set up for many common words and phrases, continually updated.

4) Filters on my local desktop to filter out all marked by SpamAssassin as Spam.

Together the mix is extremely successful for me.

Jeff
 
1) SpamBlocker version 3.1-beta, with all the blocklists and defaults.
3) DirectAdmin Email Spam Filters set up for many common words and phrases, continually updated.

Can you please tell me whether your config for 1) is different from the default one and supply the list of common words in 3)?
 
1) It's slightly different, but the blocklists are the same.

2) What works for me may not work for you at all, but I block the following as body code and also locally on my desktop system as subjects:

First of all, I block the use of the left side of my email address in the subject and body of incoming email; this may not work for you, especially if it's also your name or a common word.

Then I block these words (don't forget a space before and after):
000,000 people
500,000 people
000,000 PEOPLE
500,000 PEOPLE
in compliance with the CANSPAM

FDA approved on-line pharmacies
Unlimited PPV
Viagra and cialis
Ink & Toner
It Types from IBM
Hoodia
Melt away
weigh less
Don't pay for your business cards
250 Full-Color Business Cards
Christian Singles
Samples are being shipped
Clorox?
Anatrim
Can you imagine that you are healthy?
PE patch
pound melting
Adobe Suite
HDTV from Xerox
penis size
government grants
Secret Shopper
Vacansy for you
Creative Suite 3
vacansy
a postcard
Popular Softwares
You've received a greeting
Hallo!
Re: Pictures
Two Telephone Calls
life is beautiful
ideal weight
worship you
Life is good
AutoCAD
in your PJ's
As-Seen-on-TV
As Seen on TV
Magic stick
Super stick
special price on
new pharma site
Travel Offer
won't tell them
Legal software sales
Always ready
21ebw.com
oral sex
privacy is in your hands
Claim Your Tickets
Mr Credito
I am nice girl
loan request
loan application
250 Color Business Cards
Free* King James Bible
Viagra
Ink and toner
Dish Packages
Need a break
Slim down quickly
Rachael Ray
Auto Insurance
Target Gift Card
Free Stay
A Thanksgivings offer
Job Openings in Your Area
Any one of 4 laptops
Lint b Gone - BOGO
Help Wanted in Your Area
clean Colon
smoker
Fico Score
Consultants needed
climbing the walls
It's True
Must Have toy
Budget tight
for the Holidays
Gift Card
Alarm System
American Airlines - On Us
Help Wanted
Naughty or Nice
Thomas Kinkade
ree Business Cards
Internet millionare
Bid For A Buck
Satellite Software
Any Telephone Number
Flush up to
Green Tea Endorsed
calling points
Oprah
Ado6e
Victoria Secret
Home-Invasion
a joke right
ringing in your ears
Office 2007
InfoPath
Office Enterprise
OEM version
Access 2007
Lotto Winnings
Best Deals

and I block these words in the "From" field (also on my local system):
Gevalia
Tinnitus
Russel Chase
Help Wanted

Perhaps DA can make some additions to their SPAM filter settings and to exim.pl to allow checking specifically of From and Subject fields.

Jeff
 
Thanks.
You block these words in DA SPAM filters or somewhere else?
Most of those words will work for me as well.
That's what I wanted to suggest. DA SPAM filter settings are too poor to add advanced SPAM rules.
Did you enable DNS based blacklists check in SA?

My current problem is mostly related to bounced emails which were not actually sent from my server.
I am trying to add filters to Squirrelmail but there are so many subjects and I can't add advanced rules like subject+body.
Is it possible in SB and overall will it help me much to fight SPAM?
Those spammers are getting more and more aggressive.
 
Also how about enabling "SPAM filters allow you to select from various DNS based blacklists to detect junk email" in Squirrelmail, will it help too and which DNS servers would you recommend?
I guess enabling all of them will put a lot of load on the server.
 
I block what I can in DA SPAM filters, and the rest in my local email client. That's why I'm suggesting that DirectAdmin make some changes to exim.pl.

I do my blocklist checking long before the mail gets accepted; I use all the blocklists in SpamBlocker version 3.1-beta, which I wrote.

SpamBlocker doesn't block on content; only reputation. If you use DNS-based blocklists with SpamBlocker you shouldn't have to use them again in Squirrelmail or in SpamAssassin.

Jeff
 
OK, as I understood, I can enable SpamBlocker (which is already built in DA?) and enable all DNS-based blocklists in SA or SB and it will not put a significant load on my server?
 
Using SpamBlocker lowers server load by quite a bit.

Enough so you can probably turn on DNS-blocklists in SA without hurting the server load. But you might want to remove rulesets for blocklists you already run via SpamBlocker.

Jeff
 
SpamBlocker doesn't block on content

I believe this blocks on content. Jeff correct me if I am wrong.

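Code:
# ACL that is used after the DATA command
check_message:

  # regex takes a colon-separated list, so this line holds two patterns:
  # "URGENT BUSINESS PROPOSAL" and "My Dear Friend"
  deny message = contains blacklisted regex ($regex_match_string)
       regex = URGENT BUSINESS PROPOSAL : My Dear Friend

  accept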
 
Don't know. It's not part of SpamBlocker; someone added it.

I've not researched that because I believe it needs to be done on a per user basis, since users may not agree on what content should be blocked. So the default delivered SpamBlocker versions don't use this kind of code but instead depend on the DirectAdmin filters and the exim.pl code.

Jeff
 
Yes I added to my exim.conf file based on http://www.exim.org/exim-html-4.50/doc/html/spec_40.html#SECT40.4

But yes you are correct it would be global and some users may disagree on what content should be blocked. So everybody use at your own risk.

I would like to confirm with you that it would bounce back to the sending server and not the From address. I read somewhere that the filter file (users or system) bounces back to the From address which could possibly be innocent people. Can you confirm either of these?
 
It's not bouncing back anything; it's denying it with the message:
contains blacklisted regex URGENT BUSINESS PROPOSAL : My Dear Friend
similarly to the way my blocklists deny email with the message to see a certain website to be whitelisted. In my opinion you should offer the whitelist option; it tells the sender how to get whitelisted.

Why would you want to whitelist someone with certain text in their emails? I can think of millions of reasons, including that it may be an anti-spammer writing about a particular spam source.

Filter files will bounce back to the wrong address if you use it to bounce back; we NEVER use a filter to bounce email back, and neither should you.

Jeff
 
I guess I was thinking that a bounce and a deny was basically the same thing. But deny is definitely what I want. I hate it when mail servers bounce a message to me that I never sent.

I could probably whitelist my abuse email so that everything sent to it would go through and then for the deny message:

contains blacklisted regex URGENT BUSINESS PROPOSAL Please email abuse@...

Is there any way to whitelist my abuse email? Or is that not a good option either?
 
You're not the only admin in the world worrying about whitelisting your abuse@ email address. For example, I can no longer use the abuse@ address to report email to yahoo; it was getting too much spam, so they simply replaced it with an autoresponder telling me to visit a site to report spam coming from their system.

Of course I don't take the time to do that; maybe they get spam reports from other sources, but we just end up blocking a lot of yahoo mail.

In other words it's your choice between convenience and responsibility.

Personally? I use a whitelisted address where I can be notified, but it's not the abuse@ address.

To see what it is, visit: http://www.spamblocked.net/blocked.html

We simply send people to that URL when we block their suspect emails; the URL is in our error message.

To see how we do that look at any recent SpamBlocker exim.conf file in your DirectAdmin configuration, and make sure your bounce messages don't use our address or example.com.

The advantage is that you can change the address from time to time if/as it ends up in spammer lists.

Jeff
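
As an added example (not part of SpamBlocker, DirectAdmin's exim.conf, or any post in this thread), the DATA-time deny discussed above can be limited to the Subject or From header and can carry a whitelist URL in its rejection text. The phrases come from the lists earlier in the thread; the URL is a placeholder to replace with your own page, and like the regex rule above these rules apply to every user on the server.

```exim
# Added example. These statements go inside the ACL named by
# acl_smtp_data; the label below is the one used in the snippet
# quoted earlier in the thread and is shown only for context.
check_message:

  # Subject header only.
  #   \N ... \N  stops Exim from expanding the regex text
  #   (?i)       makes the match case-insensitive
  #   \b         word boundary, so a phrase is not matched inside a
  #              longer word (the "space before and after" idea)
  # The rejection is a 5xx reply inside the SMTP session, so the
  # sending server handles the failure and no bounce is generated here.
  deny message = Subject contains a blocked phrase. If this is an error \
                 see http://www.example.com/blocked.html
       condition = ${if match{$h_subject:}{\N(?i)\b(secret shopper|lotto winnings|government grants)\b\N}}

  # From header only (display name or address).
  deny message = Sender is blocked. If this is an error \
                 see http://www.example.com/blocked.html
       condition = ${if match{$h_from:}{\N(?i)\b(gevalia|tinnitus)\b\N}}

  accept
```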
 
Jeff,

Great idea.
Thanks, I will try to tweak my SPAM settings, but I was wondering whether enabling rDNS in SA is a good idea? Will it block too many legit emails?
 
An awful lot of admins who really don't know enough to be admins are running mail servers without reverse DNS. I hate to say this, but it even goes for a lot of DA servers; just don't ask me how I know.

We don't block for not having rDNS, and we don't give SA points for not having rDNS. Your mileage may vary.

Jeff
 