What to do about a wall of spam?

Here’s a graph that shows traffic, over the last day, on our Internet connection here at the office (time runs backwards from the left-hand side of the graph):

[Image: MRTG graph showing a sudden uptick in spam on our network]

See the two “mountains” of traffic, one yesterday afternoon and the other starting at 9:00 a.m. this morning? That’s all spam. Loads of it. Floods of it. Enough incoming network traffic that our SMTP server is having trouble keeping up.

In this case it’s not the spam itself that’s a problem — most of it is so obviously spam that we can easily throw it into /dev/null — but rather the impact on our bandwidth, and the server resources needed to identify and throw the spam away.

Looking at our mail server logs, this spam is coming from all over the place — there’s no discernible pattern of IP addresses or domain names that we could simply firewall out. And so I’m sort of at a loss as to how to react, other than to hope that, like the flood yesterday, this too shall pass.

Anyone have any advice to offer?

Update, the next morning: the spam flood seems to have passed, at least for now…

[Image: nettie_3-day.png, the same MRTG graph over three days]

Comments

Daniel Von Fange on July 25, 2008 - 21:29 Permalink

http://www.spamhaus.org/

Use their zen or sbl/xbl realtime dns blacklist. Cuts the majority of spam out at the IP level which means you down have to spend bandwidth receiving it, or CPU time checking it.

I’ve been very happy with it for three years.
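The DNSBL lookup Daniel describes works by reversing the client’s IPv4 octets and querying them as a hostname under the list’s zone; a "not found" answer means not listed, and a 127.0.0.x answer tells you which sub-list (SBL, XBL, PBL) matched. This is an added example, not code from the post or from Spamhaus; the sample answer table is constructed so it runs offline, and a real deployment would pass the default `socket.gethostbyname` resolver.

```python
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Return codes Spamhaus documents for the ZEN combined list (SBL + XBL + PBL).
ZEN_MEANINGS = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited host (bot, open proxy)",
    "127.0.0.5": "XBL: exploited host (bot, open proxy)",
    "127.0.0.6": "XBL: exploited host (bot, open proxy)",
    "127.0.0.7": "XBL: exploited host (bot, open proxy)",
    "127.0.0.10": "PBL: end-user (dynamic) address space",
    "127.0.0.11": "PBL: end-user (dynamic) address space",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL query name: octets reversed, then the zone (e.g. 5.113.0.203.zen.spamhaus.org)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone=ZEN_ZONE, resolve=socket.gethostbyname):
    """Return (listed, reason). NXDOMAIN (an OSError from the resolver) means not listed.

    Any answer outside the documented 127.0.0.x codes is treated as *not listed*,
    so a resolver problem or a changed return-code scheme never rejects legitimate mail.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # socket.gaierror subclasses OSError; raised for NXDOMAIN
        return (False, "not listed")
    if answer in ZEN_MEANINGS:
        return (True, ZEN_MEANINGS[answer])
    return (False, "unexpected answer %s; treated as not listed" % answer)


def make_resolver(table):
    """Offline stand-in for socket.gethostbyname built from a constructed name -> answer table."""
    def resolve(name):
        if name in table:
            return table[name]
        raise OSError("NXDOMAIN: " + name)
    return resolve


# Constructed sample answers (not real listings) so the example runs without network access.
SAMPLE_ANSWERS = {
    "5.113.0.203.zen.spamhaus.org": "127.0.0.4",    # a bot-infected host
    "9.100.51.198.zen.spamhaus.org": "127.0.0.10",  # dynamic address space
}
```

In an MTA this check runs at connection time, before DATA, which is what saves the bandwidth and CPU Daniel mentions.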

Daniel Von Fange on July 25, 2008 - 21:30 Permalink

which means you *don’t* have

Cody Swanson on July 26, 2008 - 04:07 Permalink

Spamhaus is a good step, unfortunately it only stops about 40 percent of spam these days due to the large amount of bot net based spam.

One of the most effective anti-spam techniques I’ve seen so far is a technique called greylisting. Greylisting involves issuing a temporary bounce (450 error) to all incoming mail from unknown IP addresses. This forces the sending mail server to attempt a retry to deliver the mail. On the retry the mail is let in to the server. Why does this work? Most spamming software gives up at the first sign of a problem; spammers are about quantity and retries are resource intensive.

There are programs to do greylisting for pretty much every MTA out there. Most of them are their own standalone programs and tend to take very little in the way of resources. And since the bodies of the messages are not delivered to your MTA, you save a lot on bandwidth and MTA resources.

One of the drawbacks of greylisting is that you have to wait for new mail to be delivered, as dictated by the sending MTA’s retry timer. In practice I’ve found that to usually be under 15 minutes. The other drawback I’ve discovered is greylisting tends to flush out incorrectly configured mail servers. Of course one could argue that a poorly configured mail server should not be on the internet but that’s not very realistic.

David Richardson on July 26, 2008 - 04:46 Permalink

Use Google hosted apps for your domain(s).
What is it that you believe hosting your own services gives you?

Chuck McKinnon on July 26, 2008 - 16:52 Permalink

As an alternative to full-blown GAFYD, you can purchase Google (i.e. Postini) Message Filtering for $3/user/year. That ought to take the load off your SMTP servers.

I disagree with the Spamhaus recommendation. My experience has been that they have far too many false positives to make me comfortable using them.

til on July 27, 2008 - 22:49 Permalink

@david : privacy and control over my own data are reasons for me to host my own mail services and not outsource them to google where they would be under the control of a foreign (to me) legislature with different, lesser restrictions on what the host is allowed to do with my data. In the case of email this is at the very core of my private and business communications, so very important to me.

Mark on July 27, 2008 - 23:08 Permalink

Postini is seconded, excellent service, great controls

Peter Rukavina on July 27, 2008 - 23:37 Permalink

@david : what Til said.

mike on July 28, 2008 - 06:59 Permalink

Have you heard of spamd?

it is written as part of OpenBSD, and sounds like it could help.
Features include: greylisting, throttling of incoming connections (causes most bots to drop the connection before they have used much bandwidth)…

just google for “spamd” :)

Peter Rukavina on July 28, 2008 - 12:47 Permalink

Spamassassin has been in place for a long time.

The problem isn’t that I’m actually seeing the spam, it’s simply the effects that the incoming spam is having on network resources.

oliver on July 28, 2008 - 15:16 Permalink

DomainKeys?

til on July 28, 2008 - 20:42 Permalink

Acknowledge that there is a creative part in spam, and listen to spamradio.com from time to time?

Seriously, I don’t know. Spam of course annoys me a lot too, but in the last year or so I haven’t noticed a significant increase in the annoyance level that it causes me, and it’s far from dethroning email from being the most useful medium of electronic communication for me. Maybe that is only because I am not looking too close at the traffic statistics of my server.

Greylisting seems to work quite well. I’ve found the whitelist_recipients config file to be useful sometimes when registering for websites with an alias like tils-superimportantwebsitecom@tils.net so that the confirmation mail arrives on the first delivery attempt. Some smtp servers of bigger services have very long retry intervals.
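The greylisting mechanism Cody describes (450 on first contact, accept the retry) together with the recipient whitelist til mentions, as an added example that is not code from the post or from any greylisting daemon. It keys on the usual (client IP, sender, recipient) triplet; the delay, expiry and whitelist values are assumptions, and the IP is used as given (real daemons often key on the /24 to cope with sending farms that retry from a different address).

```python
import time
from dataclasses import dataclass, field

GREYLIST_DELAY = 300        # seconds a new triplet must wait before its retry is accepted (assumed)
GREYLIST_EXPIRE = 4 * 3600  # forget triplets that never came back, i.e. the bots that gave up (assumed)


@dataclass
class Greylister:
    delay: int = GREYLIST_DELAY
    expire: int = GREYLIST_EXPIRE
    whitelist_recipients: set = field(default_factory=set)  # like til's whitelist_recipients file
    seen: dict = field(default_factory=dict)     # triplet -> first-seen timestamp
    passed: set = field(default_factory=set)     # triplets that completed a retry and are now trusted

    def check(self, ip, sender, rcpt, now=None):
        """Decide at RCPT TO time: (250, msg) to accept, (450, msg) to ask for a retry later.

        The 450 is sent before DATA, so a rejected attempt costs almost no bandwidth.
        """
        now = time.time() if now is None else now
        rcpt = rcpt.lower()
        if rcpt in self.whitelist_recipients:
            return (250, "OK, recipient whitelisted")
        key = (ip, sender.lower(), rcpt)
        if key in self.passed:
            return (250, "OK, known triplet")
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now              # first contact: remember it and defer
            return (450, "Greylisted, please try again later")
        if now - first < self.delay:          # retried too quickly: keep deferring
            return (450, "Greylisted, please try again later")
        self.passed.add(key)                  # a real MTA waited and retried: let it in
        del self.seen[key]
        return (250, "OK")

    def purge(self, now=None):
        """Drop pending triplets older than `expire`; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [k for k, t in self.seen.items() if now - t > self.expire]
        for k in stale:
            del self.seen[k]
        return len(stale)
```

The drawback Cody notes is visible in `delay`: a legitimate first-time sender waits at least that long, and a mis-configured MTA that never retries is silently lost, which is what the whitelist exists to work around.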

Darryl MacLeod on July 29, 2008 - 02:53 Permalink

ASSP works well.