Spammers hapless fate = ISP toil and sweat

Wed Sep 17 18:16:12 CEST 1997

>>Spamming is a serious problem. [...]
>
>Thanks to Luis!  I totally agree, we need to handle these 
>assholes seriously.
>

>My personal filtering technique is to accept the email and never
>deliver it.  Interestingly enough, some of the spammers have one

  As postmaster for Esoterica together with Paulo Laureano (who's
 on holiday) I and Paulo have been responsible for dealing with the
 spammers.

  There are two distinct problems: one is your local users being
 hit by spam. I dont mean one or two or ten. I mean when someone
 gets a hold of your list of users (/etc/passwd or mailing lists or
 scanning Usenet) or (like we had in the past) have someone create
 a program to generate all the permutations of 8 letters and try do
 deliver mail to permutationN at esoterica.pt.

  The other problem is your email server being used as a relay for
 spamming. Someone delivers mail on your server saying it is destined
 for somewhere else. Not only do you spend computation and bandwidth
 resources, but you also appear to be the origin of the spam, and thus
 get bothered a lot by other sysadms.

  This last problem was quite simple to solve, since there are patches
 and configurations for sendmail to do relay for only a list of machines.

  The second problem we dealt with by detecting which spams were
 being sent and blocking email coming from such domains or addresses.

  The problem with this approach is that there's still a conection being
 made; there's still a process launched on your machine. 
   The next solution was to block packets coming from those addresses
 to port 25 of any machine on our network.

  This, together with the no-relay change, worked wonders. Our spammer
 friends didnt like this at all. They started sending out spam through other
 mail servers with fake From addresses ending in @esoterica.pt; we've had
 no end of complaints from people thinking we were the origin of spam and
 had to do no end of explanation.

  Our current solution is quite devious :-)

  We receive mail from anywhere!....Yes...But we have a daemon running
 that checks the incoming mail queue for certain patterns of use, domains,
 volume of messages, etc. If a spam is detected, the daemon at once, using
 Linux's ipfwadm ( firewall/packet blocking tools), blocks reception of
packets
 from the address/domain originating the spam for about 15 minutes. After
 that the reception is restored.

  This means that normal mail comes in; even very frequented mailing lists
 are no problem; but a repeated message, from the same address with
 the same size puts up a red sign; some of the messages are received; but
 then reception is blocked and for 15 minutes no more messages can be
 delivered; for the spammers it looks like a network congestion or lack
 of connectivity, so they give us no problems; 15 minutes later, reception is
 reestablished, for normal recepetion of email (even from the previous
offending
 domain) or for another 15 minutes of blocking.

  This has worked wonders. We still receive unsolicited email, but no more
 heavy duty spams.

  C U!

   -- Mario Valente