Tag Archives: Spam

Catching spam with repeated phrases

This is more of a ‘for future reference’ post than anything else.

Recently my mailing lists have been getting hit with stupid spam (what spam isn’t) that invokes bible related conspiracy spam. The messages reference bible verses multiple times.

To catch the spam, I put in a rule that matches bible references.

It’s a pretty simple rule … it looks for specific bible chapters followed by a number colon number.

body LM_BIBLE_MULTI /\s(matthew|revelation|john|corinthians|thessalonians|luke|romans|ezekiel|mark)\s+\d+:\d+/i
describe LM_BIBLE_MULTI Contains bible verses
score LM_BIBLE_MULTI 0.5

The thing about the spam I’m trying to catch is that it references the bible verses multiple times. The above rule only catches a single bible verse reference and adds the score.

To increase the score for each individual hit of the rule, you need to add the following to the rule:

tflags LM_BIBLE_MULTI multiple

This way, every time the LM_BIBLE_MULTI rule is hit, the score increases by 0.5. The more bible references in the email, the higher the spam score.

The multiple modifier for tflags is available in SpamAssassin 3.2 & higher.

Postmaster Resources

This post is as much to help me remember as it is to help other people.

Below is a list (not comprehensive) of the postmaster resource pages for some of the major email providers.

Microsoft / Outlook https://postmaster.outlook.com
Google https://postmaster.google.com/
AOL https://postmaster.aol.com/

On these sites you can get information about how the provider handles spam, feedback loops, blacklists, whitelists, etc.

Very useful for those managing mailing list servers.

Mailbait Threats

Back in October of 2012 I devised a way of blocking abuse of my mailing list server by detecting mailbait abusers (mailbait.info offers a ‘service’ to fill your, or someone else, mailbox with unwanted mailing list subscriptions). In June of 2013 I refined the technique.

Basically I detected if someone was visiting the mailing list subscribe page from mailbait.info and sent them to a special page that also annoyed them by popping up hundreds of javascript alerts about not spamming people.

Regardless of the popups, people still try to use mailbait to involuntarily subscribe people to my lists (well, try at least, my lists require a closed loop confirmation system).

Today I received the following threat from a mailbait.info user ..


I’m inclined to ignore the ‘warning’ … but I find it somewhat satisfying that my approach has annoyed someone sufficiently.

As an added measure, I’ve updated my system security mechanism to block any IP that attempts to use the mailbait service more than once.

Tech Tip: Don’t use qmail as a mail server

A while ago I added a new anti-spam technique to my mail server setup called “No Listing”.

No listing basically means putting a high priority MX record in the DNS that always rejects mail server connections..

It seems, however, that the qmail mail server can’t cope with that.  It’s not RFC compliant.

Continue reading

Adding Envelope Sender in sendmail

Fair warning: This post is pretty darn technical and is of little interest to people who don’t muck around with Linux and/or mail servers.

Recently I had a problem with someone on a midrange.com mailing list where they sent obvious spam.

The problem was, they were a subscriber to the list and had posted before … so the normal counter measures for that didn’t work (the first post for all subscribers are held until approved, to prevent people from subscribing, posting spam, and unsubscribing).

The puzzling thing about this was … the ‘from address’ on the message was not in the subscriber list.

Turns out that Mailman will accept message based on the FROM address of the message or the SENDER address (also known as the envelope-from).  The sender addressed is set by the sending mail server and is not normally in the body of the message.

After a bit of digging around, I figured out a way to add this information to the message headers so I can more easily diagnose the problem in the future.

Continue reading

DNS: Sends No Mail

I really wish there was a way to indicate, in DNS, that a domain never sends mail.

That way, if a mail server recieves mail claiming to be from that domain, it can be discarded out of hand.

I’ve got a bunch of domains that JUST do web serving … they never send mail.  If the web server that they are hosted on does send mail, it’s sent from via the midrange.com mail server (and is identified as such).

Continue reading