What to do about a wall of spam?

Peter Rukavina

Here’s a graph that shows traffic, over the last day, on our Internet connection here at the office (time runs backwards from the left-hand side of the graph):

[Image: MRTG graph showing a sudden uptick in spam on our network]

See the two “mountains” of traffic, one yesterday afternoon and the other starting at 9:00 a.m. this morning? That’s all spam. Loads of it. Floods of it. Enough incoming network traffic that our SMTP server is having trouble keeping up.

In this case it’s not the spam itself that’s a problem — most of it is so obviously spam that we can easily throw it into /dev/null — but rather the impact on our bandwidth, and the server resources needed to identify and throw the spam away.

Looking at our mail server logs, this spam is coming from all over the place — there’s no discernible pattern of IP addresses or domain names that we could simply firewall out. And so I’m sort of at a loss as to how to react, other than to hope that, like the flood yesterday, this too shall pass.

Anyone have any advice to offer?

Update, the next morning: the spam flood seems to have passed, at least for now…

[Image: nettie_3-day.png, three-day MRTG traffic graph]

Comments

Submitted by Daniel Von Fange on

http://www.spamhaus.org/

Use their zen or sbl/xbl realtime dns blacklist. Cuts the majority of spam out at the IP level which means you don’t have to spend bandwidth receiving it, or CPU time checking it.

I’ve been very happy with it for three years.
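The check this comment describes, as an added example that is not part of the original post or comment: a connecting client’s IPv4 address is reversed and looked up under the Spamhaus ZEN zone, and a listed client is refused at the SMTP greeting, before any message body is transferred. The ZEN return-code meanings are Spamhaus’s published ones; the `constructed_resolver` table, the IP addresses and the hostname in the greeting are constructed so that the block runs offline. Answers in 127.255.255.0/24 are Spamhaus’s error signals (wrong zone, public resolver, query limit) and are deliberately treated as “not listed” so a broken lookup never rejects legitimate mail.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Meaning of the A-record answers returned by the Spamhaus ZEN zone
# (ZEN combines the SBL, XBL and PBL lists named in the comment).
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe / botnet-controlled spam source",
    "127.0.0.4": "XBL: exploited host",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.10": "PBL: ISP-maintained end-user / dynamic address range",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user address range",
}
# Answers in this range signal a query problem, not a listing;
# a mail server must never reject a client because of them.
ZEN_ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(client_ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-octet lookup name, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example; IPv6 uses nibble-reversed names")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Live lookup: no answer (NXDOMAIN) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(client_ip: str,
             resolve: Callable[[str], Optional[str]] = system_resolver,
             zone: str = "zen.spamhaus.org") -> dict:
    """Return {'listed': bool, 'reason': str, 'answer': str|None} for one client IP."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return {"listed": False, "reason": "not listed", "answer": None}
    if ipaddress.ip_address(answer) in ZEN_ERROR_RANGE:
        # Fail open: a broken lookup must not turn into rejected legitimate mail.
        return {"listed": False, "reason": "DNSBL query error, ignored", "answer": answer}
    return {"listed": True,
            "reason": ZEN_CODES.get(answer, "listed, unrecognised return code"),
            "answer": answer}


def smtp_greeting(client_ip: str,
                  resolve: Callable[[str], Optional[str]] = system_resolver) -> str:
    """Decide the very first SMTP reply, before any message body is transferred."""
    verdict = check_ip(client_ip, resolve)
    if verdict["listed"]:
        # Permanent rejection at connect time: no DATA phase, so no bandwidth
        # spent receiving the message and no CPU spent filtering it.
        return f"554 5.7.1 Service unavailable; client {client_ip} blocked ({verdict['reason']})"
    return "220 mail.example.org ESMTP"


# Constructed DNS answers standing in for live lookups, so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",        # pretend: exploited host
    "20.2.0.192.zen.spamhaus.org": "127.255.255.254",  # pretend: query error signal
}


def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "->", smtp_greeting(ip, constructed_resolver))
```

Swapping `constructed_resolver` for the default `system_resolver` performs real lookups; in production the query should go through a local caching resolver rather than a public one, since ZEN answers queries from public resolvers with an error code instead of a listing.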

Submitted by Cody Swanson on

Spamhaus is a good step; unfortunately it only stops about 40 percent of spam these days due to the large amount of botnet-based spam.

One of the most effective anti-spam techniques I’ve seen so far is a technique called greylisting. Greylisting involves issuing a temporary bounce (450 error) to all incoming mail from unknown IP addresses. This forces the sending mail server to attempt a retry to deliver the mail. On the retry the mail is let in to the server. Why does this work? Most spamming software gives up at the first sign of a problem; spammers are about quantity, and retries are resource intensive.

There are programs to do greylisting for pretty much every MTA out there. Most of them are their own standalone programs and tend to take very little in the way of resources. And since the bodies of the messages are not delivered to your MTA, you save a lot on bandwidth and MTA resources.

One of the drawbacks of greylisting is that you have to wait for new mail to be delivered, as dictated by the sending MTA’s retry timer. In practice I’ve found that to usually be under 15 minutes. The other drawback I’ve discovered is greylisting tends to flush out incorrectly configured mail servers. Of course one could argue that a poorly configured mail server should not be on the internet but that’s not very realistic.

Submitted by David Richardson on

Use Google hosted apps for your domain(s).
What is it that you believe hosting your own services gives you?

Submitted by Chuck McKinnon on

As an alternative to full-blown GAFYD, you can purchase Google (i.e. Postini) Message Filtering for $3/user/year. That ought to take the load off your SMTP servers.

I disagree with the Spamhaus recommendation. My experience has been that they have far too many false positives to make me comfortable using them.

Submitted by til on

@david : privacy and control over my own data are reasons for me to host my own mail services and not outsource them to google, where they would be under the control of a foreign (to me) legislature with different, lesser restrictions on what the host is allowed to do with my data. In the case of email this is at the very core of my private and business communications, so very important to me.

Submitted by mike on

Have you heard of spamd?

It is written as part of OpenBSD, and sounds like it could help.
Features include: greylisting, throttling of incoming connections (causes most bots to drop the connection before they have used much bandwidth)…

just google for “spamd” :)

Submitted by Peter Rukavina on

Spamassassin has been in place for a long time.

The problem isn’t that I’m actually seeing the spam, it’s simply the effects that the incoming spam is having on network resources.

Submitted by til on

Acknowledge that there is a creative part in spam, and listen to spamradio.com from time to time?

Seriously, I don’t know. Spam of course annoys me a lot too, but in the last year or so I haven’t noticed a significant increase in the annoyance level that it causes me, and it’s far from dethroning email from being the most useful medium of electronic communication for me. Maybe that is only because I am not looking too close at the traffic statistics of my server.

Greylisting seems to work quite well. I’ve found the whitelist_recipients config file to be useful sometimes when registering for websites with an alias like tils-superimportantwebsitecom@tils.net so that the confirmation mail arrives on the first delivery attempt. Some smtp servers of bigger services have very long retry intervals.
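A worked model of the greylisting policy described in Cody Swanson’s comment above, together with the recipient whitelist this comment mentions, as an added example that is not part of the original post or any of the comments and not the code of postgrey, spamd or any other greylister. The triplet (client network, envelope sender, envelope recipient) is deferred with a 450 on first sight, accepted once it has aged past a minimum delay, and remembered afterwards; recipients on the whitelist skip the delay entirely, which is what makes a registration address like the one in the comment receive its confirmation on the first attempt. The 300-second minimum delay, the 35-day expiry, keying on the client’s /24, and all addresses in the simulation are assumptions or constructed values.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Triplet = Tuple[str, str, str]  # (client network, envelope sender, envelope recipient)


class Greylist:
    """Minimal greylisting policy: 450 for a new triplet, 250 once it has aged."""

    def __init__(self, delay: int = 300, expire: int = 35 * 24 * 3600,
                 whitelist_recipients: Iterable[str] = ()):
        self.delay = delay      # seconds a triplet must age before acceptance (assumed value)
        self.expire = expire    # forget deferred triplets older than this (assumed value)
        self.whitelist = {r.lower() for r in whitelist_recipients}
        self.first_seen: Dict[Triplet, float] = {}   # deferred, awaiting a retry
        self.passed: Dict[Triplet, float] = {}       # known-good, last accepted at

    @staticmethod
    def _key(client_ip: str, sender: str, recipient: str) -> Triplet:
        # Key on the client's /24 so that a retry coming from a sibling outbound
        # host in the same sending farm still matches (design choice, assumed).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def decide(self, client_ip: str, sender: str, recipient: str,
               now: float) -> Tuple[str, str]:
        """Return (SMTP reply, log note) for one RCPT TO attempt at time `now`."""
        if recipient.lower() in self.whitelist:
            # whitelist_recipients: confirmation mail arrives on the first attempt
            return "250 OK", "recipient whitelisted, no delay"
        key = self._key(client_ip, sender, recipient)
        if key in self.passed:
            self.passed[key] = now
            return "250 OK", "known-good triplet"
        first = self.first_seen.get(key)
        if first is None or now - first > self.expire:
            self.first_seen[key] = now
            return ("450 4.7.1 Greylisted, please try again later",
                    "new triplet, first attempt deferred")
        if now - first < self.delay:
            return ("450 4.7.1 Greylisted, please try again later",
                    f"retry after {now - first:.0f}s, below {self.delay}s minimum")
        # A real MTA came back after the minimum delay: accept and remember it.
        self.passed[key] = now
        del self.first_seen[key]
        return "250 OK", f"retry after {now - first:.0f}s, accepted"

    def abandoned(self, now: float) -> List[Triplet]:
        """Triplets deferred long enough to retry but never seen again: mostly bots."""
        return [k for k, t in self.first_seen.items() if now - t > self.delay]


if __name__ == "__main__":
    # Constructed sequence: one bot that never retries, one real MTA that
    # retries at 2 and 10 minutes, and one whitelisted registration address.
    g = Greylist(delay=300, whitelist_recipients=["tils-superimportantwebsitecom@tils.net"])
    attempts = [
        (0,   "198.51.100.7", "bot@example.net",    "peter@example.org"),
        (0,   "203.0.113.5",  "friend@example.com", "peter@example.org"),
        (120, "203.0.113.5",  "friend@example.com", "peter@example.org"),
        (600, "203.0.113.9",  "friend@example.com", "peter@example.org"),
        (0,   "192.0.2.1",    "noreply@example.org", "tils-superimportantwebsitecom@tils.net"),
    ]
    for t, ip, sender, rcpt in attempts:
        reply, note = g.decide(ip, sender, rcpt, t)
        print(f"t={t:4d} {ip:14} {sender:>20} -> {reply}  [{note}]")
    print("never retried:", g.abandoned(now=3600))
```

The drawbacks named in the comment are visible in the model: legitimate mail is delayed by whatever the sending MTA’s retry interval is, and a sender that never retries (a bot, or a misconfigured server) shows up in `abandoned()` and is silently lost, which is why a per-recipient whitelist for time-critical addresses is worth keeping.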
