I find it most interesting that Lumpy's Corners became a comment spam magnet immediately after I wrote an article about the bare minimum one can do regarding e-mail spam. I am not implying that the article made me a target but am merely amused by the timing.
Of course, this should not surprise me in the least for I had the bare minimum in place for comment spam protection. I was still using Movable Type 2.61, had the comments set to open and e-mail notification off. I was asking for it. I should have just re-named my URL to SPAMme.dumb. That, however, is another blog entirely.
Today, I wanted to tie off a loose end in my web log. The blog I mentioned above dealt with how to prevent spam on your PC. More specifically, what you can do if you do not have direct access to a server. I also commented on what I foresaw as a worthless legislative effort to combat it. (For the record, it has been in effect for a full year now and I have noticed no difference in my inbox. Many feel, myself included, it merely legalized SPAM and shall serve to make matters worse.) I promised to, at a later point in time, discuss some other options available if you happen to have a server.
Lumpy shall start with a few items directly related to the previous postings. First matter to clarify is that I did forget a pretty decent resource: NANAE.org, which is a USENET newsgroup which discusses spam. Their links page is, although it contains some pretty old links, a good resource.
Another reader mentioned that I did not warn my readers about the evils of Outlook and Outlook Express. This was done intentionally. I have switched over to Thunderbird, which is all everyone claimed it to be. I like it very much. Unfortunately, many an e-mail user has no choice when at work. Most businesses still use Outlook and Internet Explorer. My intent was to discuss some items that would help all e-mailers. Also, at the time I had not tried Thunderbird. Having tried it and also having created a disposable e-mail addy which I signed up for about 50 "get this free" items, I rate its built-in spam filtering very high. (For the record, I was 0 for 50 on actually getting anything free.)
The same reader pointed out several other things I overlooked. The first being the suggestion to block port 80. This may or may not be that feasible for Joe "Average" User. It is a decent precaution for it is a commonly targeted port. It is the port typically assigned for HTTP. It is the default port that the server "listens" to. This option, however, is more than most users care to do.
It was also suggested that one turn off all HTML for e-mails. Now, I do agree that this will make your inbox safer but I don't see the point. I want to get HTML e-mails. If I wanted text messages only, I would just stick with a Telnet BBS. To me, this seems like solving the problem of the bully taking your lunch money by simply leaving it home. Lumpy wants his lunch.
The same reader pointed out a major oversight on my part. It is something I have been doing myself so habitually that, when I wrote, I did not even think about it. If you do use e-mail software, turn the preview pane and auto-reply off. This will make it a bit safer in terms of spam, viruses and spyware. One of the methods to exploit e-mail software is to have things activate off of those features. Scripting is another vulnerability, which can be taken advantage of as well. I like leaving scripting on personally (see my comment above on HTML) but shutting it off will make your system more secure.
I had someone else suggest a method of spam avoidance that I have heard elsewhere as well. They suggested that one use great care and avoid e-mail names that can be easily guessed. The only problem I have with that is that the e-mail addresses will be just as easy to forget. I feel this approach is little more than simply giving the bully on the playground your lunch money. That is simply not Lumpy. I want my e-mail addy to be memorable and easy to spell.
There are also various "redirect" and temporary e-mail services available. I feel that there is enough to discuss on that matter to make it a future blog entirely.
Now that I have blabbed on for over a page on what I previously should have written about, it would be a good time to get to today's topic. Assuming you can access your server, what more can be done about spam? There are a plethora of options available.
Be warned however, having server access is similar to having another lockable door. Thieves can still get to your innermost cherished room. It is not a guarantee. It does, however, add one more layer of protection.
There are all kinds of spam protection programs available. Some are Bayesian and analyze the entire e-mail content and rate it. The rating determines how likely it is that the e-mail in question is spam or not.
Others simply check against a blacklist. In other words, it checks the subject and sender against a list of known spammers. This may seem like a tedious process but, as I will cover later, it is very effective.
There are others as well; most of them are an offshoot of the two methods above. Some of them are even more drastic than blacklisting, such as Real Time Black Holes. My take on these things is that a good Bayesian filter and a good black list should be more than enough for the average individual, small business or small website.
I also found one that I do not recommend. Some companies are offering both PC based and server based software, which requires the sender to confirm that they are human by some criteria. For example, Joe sends Betty an e-mail and, before Betty sees it, her software sends Joe a picture of 8 puppies. Betty will not see the e-mail until Joe replies that there are 8 puppies in the picture.
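The Bayesian rating described above, worked through as an added example that is not part of the original post and is not SpamAssassin's own algorithm: a simplified naive Bayes scorer that learns token frequencies from labelled mail and turns them into a spam probability. The training messages, the function names and the 0.9 threshold are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training mail (not from the original post).
SPAM = ["free rebate deals click now",
        "work at home bargains free money",
        "free deals rebate offer now"]
HAM = ["regarding your prescription refill",
       "meeting notes for monday office",
       "lunch on monday at the office"]

def tokens(text):
    """Lower-case word tokens; each token counts once per message."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))

def train(messages):
    """Count how many messages of one class contain each token."""
    counts = Counter()
    for msg in messages:
        counts.update(tokens(msg))
    return counts

SPAM_COUNTS, HAM_COUNTS = train(SPAM), train(HAM)

def rate(text):
    """Return P(spam | text), combining per-token evidence in log space."""
    log_odds = math.log(len(SPAM) / len(HAM))   # prior from corpus sizes
    for tok in tokens(text):
        # Add-one smoothing: an unseen token must not force the result to 0 or 1.
        p_spam = (SPAM_COUNTS[tok] + 1) / (len(SPAM) + 2)
        p_ham = (HAM_COUNTS[tok] + 1) / (len(HAM) + 2)
        log_odds += math.log(p_spam / p_ham)
    return 1 / (1 + math.exp(-log_odds))

def verdict(text, threshold=0.9):
    """Send to the spam box only above the threshold; borderline mail is delivered."""
    return "spam box" if rate(text) >= threshold else "inbox"

if __name__ == "__main__":
    for subject in ("free rebate deals today", "Regarding your Prescription",
                    "free lunch on monday"):
        print(f"{rate(subject):.3f}  {verdict(subject):8}  {subject}")
```

A message that mixes spam-like and ordinary words ("free lunch on monday") lands well below the threshold, which is the behaviour that lets a content filter pass mail a keyword blacklist would block.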
I do not recommend the "confirmation method" for three reasons.
- The expression "people are inherently lazy" does have some truth to it. Many will find the extra step annoying. Some will certainly no longer bother. E-mail is meant to facilitate communication; adding extra steps to it is counter-intuitive.
- It creates an extra step and potential delay. Many people, myself included, send e-mails right before they end their day. If I send you an e-mail as I am leaving the office Monday night, get your puppy-gram Tuesday morning and immediately confirm, it is no different than sending it Tuesday morning. Part of how e-mail was meant to facilitate communication was to expedite it so, again, counter-intuitive.
- If the e-mail you receive is from a spammer, it does two things. First you use your bandwidth and, second, it lets the spammer know your e-mail addy is valid. Spammers really do not care how large the workload is on their robot. It is likely that they will keep sending it anyways, perhaps hoping it gets read in your spam box. The only thing this uses is your bandwidth.
Lumpy's recommendation is a good blacklist AND a Bayesian filter. Before you even do that, you must decide on two other options first.
The first decision is whether to use a white list. If you are going to use server side protection it is often recommended to use a white list along with it. A white list is a list of individuals you wish to assure can always send you e-mail. Most protection uses a blacklist, which is discussed below, to deny email based on address, subject and keywords. Without a white list, it is possible for your family doctor to send you an e-mail with the subject of "Regarding your Prescription" and you never receive it. However, putting your doctor on a white list should assure it ends up in your inbox.
There is a down side to a white list. What if your buddy, Ima n00b, running his PC without anti-virus protection catches the latest worm which replicates itself and sends itself to everyone in his entire address book? At best, your perfectly updated anti-virus software catches it and you have the nuisance of removal. I personally do not use a white list because I use a spam box, which is the other decision you must make. More specifically, what do you do with all the spam?
A spam box is a location you send all your spam to. If you wish, you can check it from time to time. This is one option for spam. This method is, honestly, often not worth it. In all the years I have been using SpamAssassin and a blacklist, I have only found three e-mails in my spam box that should not be there. I, however, do not consider it much effort to hit CTRL-A and DELETE to clean it out occasionally. I am anal enough where I am comfortable with this method.
The other solution is to have the software automatically delete it or bounce it back. I do not recommend bouncing it for, as stated before, it eats bandwidth and lets the spammer know the e-mail address is valid. I feel using a white list, spam box, or deleting is your personal choice. I suggest and recommend, at the bare minimum, what follows. I feel I do the bare minimum and feel I have very few spams get through.
I tried bouncing at one point in time. I was receiving gobs of spam from someone with the e-mail addy something like bettybot@a#$.com so I blocked it. Next thing I knew I got spam from bettybot@b#$.com, bettybot@C#$.com, etc.
You should use a good server side anti-spam program. I personally use SpamAssassin with very little customized filtering. Personally, I think it is a very decent package and it is free. I did not have to deal with the install or configuration of it but am told that it is pretty painless.
SpamAssassin prevents spam on two fronts. It uses a Bayesian filter and it can use DNSBLs (DNS Block Lists or, as some prefer, DNS Black Lists). The user may also add their own black/white list. I have a high success rate with this program.
About 80% of all spam comes from 200 known spammers. This means using a good black list can be very effective. I use, swear by and endorse Spamhaus. Spamhaus offers a block list of known spammers, a block list of known exploits and the ability to use both lists off the same link.
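How a DNSBL lookup of the kind mentioned above works, as an added example that is not part of the original post: the connecting IP address is reversed, prepended to the list's DNS zone and resolved, and an answer inside 127.0.0.0/8 means the address is listed. The zone names and the stub resolver data are constructed placeholders, not Spamhaus's real zones.

```python
import ipaddress
import socket

# Hypothetical zones standing in for a "known spammers" and a "known exploits" list.
ZONES = ("spammers.dnsbl.example", "exploits.dnsbl.example")

# Constructed DNS data for an offline run: query name -> A record.
FAKE_DNS = {"99.2.0.192.spammers.dnsbl.example": "127.0.0.2"}

def fake_resolver(name):
    """Stand-in for socket.gethostbyname that answers from FAKE_DNS."""
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    raise socket.gaierror("NXDOMAIN (constructed)")

def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer
    labels = reverse.rsplit(".", 2)[0]       # drop 'in-addr.arpa' / 'ip6.arpa'
    return f"{labels}.{zone}"

def check(ip, zone, resolve=socket.gethostbyname):
    """Return the list's answer (such as '127.0.0.2') if listed, else None."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None                          # no record: not listed (or lookup failed)
    # Listings live in 127.0.0.0/8; any other answer is not a listing.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None

def listings(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Map each zone that lists the IP to the answer it returned."""
    hits = {}
    for zone in zones:
        answer = check(ip, zone, resolve)
        if answer:
            hits[zone] = answer
    return hits

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7"):
        print(ip, listings(ip, resolve=fake_resolver) or "not listed")
```

The range check matters in practice: a resolver that rewrites failed lookups to some other address would otherwise make every sender look listed.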
The next level you can add is your own filtering. Exactly how you do that will vary from server to server. I have, at present, about thirty items in my black list filter. Exactly what you do here depends on what slips by SpamAssassin or whatever filter you are using. Most of my blacklist targets the sender's information. I blacklist any sender with the following word or words in their address or subject: deals, bargains, rebate, workathome, etc.
One should also think a bit when they set filters. Most filters allow "wildcards", specially chosen characters which accept any character in that position. Typically "*" will match any string of characters and "?" is often used for any single character. Some examples: bettybot@*.com would block any sender whose name was bettybot at any .com domain, betty*@*.com would block any betty at any .com domain, and betty*@* would block any betty. This can be a good thing if betty"whoever" is spamming you but what if your Aunt Betty who goes by bettyboop@nodomain.com is really trying to e-mail you about some long lost inheritance? If you chose the second or third option, you would not get the e-mail.
There are other programs out there that do similar and/or identical things. My opinion is that the list I use and the server side version of SpamAssassin are as effective as anything out there.
I welcome your take on things. Feel free to leave comments. (And spammers, feel free as well; your efforts seem to only motivate me to better figure out how to thwart your efforts.) Blink and I will get to them as soon as we are able.
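One way to test a wildcard before putting it in the blacklist, as an added example that is not part of the original post: each candidate pattern is run against the spam senders it should catch and against an address book of people whose mail must get through, with a white list taking precedence. The three patterns and Aunt Betty's address come from the text; the other addresses and all function names are constructed.

```python
from fnmatch import fnmatchcase

# Patterns from the text, widest last.
CANDIDATES = ["bettybot@*.com", "betty*@*.com", "betty*@*"]
# Constructed sample data, apart from Aunt Betty's address.
SPAM_SENDERS = ["bettybot@a.example.com", "bettybot@b.example.com"]
KNOWN_GOOD = ["bettyboop@nodomain.com", "betty.smith@family.example",
              "doctor@clinic.example"]

def matches(pattern, address):
    """Case-insensitive glob match: '*' is any run of characters, '?' is one."""
    return fnmatchcase(address.lower(), pattern.lower())

def audit(pattern, known_good=KNOWN_GOOD):
    """List the wanted correspondents this pattern would block."""
    return [addr for addr in known_good if matches(pattern, addr)]

def safe_patterns(candidates=CANDIDATES, spam=SPAM_SENDERS, known_good=KNOWN_GOOD):
    """Keep patterns that catch every spam sender and no wanted correspondent."""
    return [p for p in candidates
            if all(matches(p, s) for s in spam) and not audit(p, known_good)]

def decide(address, blacklist, whitelist=()):
    """White list wins over blacklist; returns (verdict, pattern that decided)."""
    for pattern in whitelist:
        if matches(pattern, address):
            return ("deliver", pattern)
    for pattern in blacklist:
        if matches(pattern, address):
            return ("block", pattern)
    return ("deliver", None)

if __name__ == "__main__":
    for pattern in CANDIDATES:
        print(f"{pattern:16} would also block: {audit(pattern) or 'nobody'}")
    print("safe to deploy:", safe_patterns())
```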

Comments (1)
One additional item on this article...
Look here for some good filtering advice.
Posted by Lumpy | April 12, 2005 6:42 AM
Posted on April 12, 2005 06:42