FOILING:
SPAMMERS & OTHER WORMS

(for system administrators)

==========

With somewhere around 10 separate active & publicized email addresses, some in continuous use since 1985, and hosted by a variety of systems & servers, you can probably imagine that I might have a problem with incoming Spam!

Since you are reading this document, you may also be experiencing the "Spam Explosion" that is currently taking place (spam production has increased by nearly an order of magnitude, from 2001 to 2002).

I run my site from a virtual server on DigitalDaze, which allows me full "virtual root" shell access to the FreeBSD operating system & directories.

Over the past few months, I've been exploring various ways to characterize and control incoming SPAM, and recently I've also directed my attention to the "Code Red" & "Nimda" WORMS that are starting to resume attacks on WWW servers.

Before getting into my personal efforts, I should mention my "first line of defense" against spammers:

SPAMCOP.NET

I pass all my incoming email through SpamCop ($30/yr POP/IMAP account) first, which seems to filter out 25%-50% of the most offensive spam. My setup is to have all my various "public" email addresses automatically forward everything to my single SpamCop account, which filters out some of the spam, then forwards the remaining "filtered" email to my "secret" (unpublicized) POP account, where additional filters are applied (see below). Finally, after two layers of filtering, I "POP" my email off my "secret" account to my home computer. At this point, I'm managing to catch and filter out >95% of incoming spam, so that it never reaches my home computer (and I don't need to waste bandwidth & time downloading & deleting it by hand). We're talking 50-100 spams a day, here....

Note that you don't need a "secret" POP email account to use SpamCop in this fashion: with the $30 account, you can "POP" your email directly from your SpamCop account, skipping a step in my description above. (You could also use SpamCop as your sole email server, without needing or using any other email address at all.) In my case, I use the "secret" account to provide me with an additional filtering step, and a backup of all my sanitized email.

Below are the tools that I use to filter out most of the Spam that SpamCop misses, plus tools to log the Spams caught and to monitor Worms that have attempted to access my system, folks who attempt to use NITWIT as an "Open Relay", and other attacks on my server.

I'm working on a script to email webmasters at sites that originate WORM attacks, in the hope that they will disinfect their machines. This page is an ongoing effort: I'll be adding links to explain what I'm doing, and my "spammers.txt" file is updated automatically as I add to the blacklist database.

Note that you will need substantial server shell access and authority to use these tools; if you don't have that access, you needn't read further.

If you have comments, suggestions, tips, or useful scripts, please do contact me; I'm really a novice at all this, and will gladly accept any help offered. I'll post useful data or links here, with accreditation, as they come in.

====== Stuff Here ======

My sendmail spammers database is built from:

spammers.txt

I use a shell script to automate editing, building, and archiving the database:

spamedit

Here is my script to log Spam & Worm attacks:

check_spams

I email the output of this script to myself daily, so that I can monitor attacks; my crontab includes this line:

59 23 * * * ~/scripts/check_spams | mail -s "==> CHECK_SPAMS daily"


Here's what the output looks like (actual list of yesterday's interdicted SPAM):

spams_yest.txt
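Here is an added example (my own illustration, not the check_spams script itself) of how such a daily tally can be pulled out of the logs: it counts senders refused by the sendmail access database, refused "Open Relay" attempts, and Code Red / Nimda probes in the web server log. The log text inside it is constructed sample data, and the host name, addresses and log paths are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own check_spams script: tally what the
# sendmail access database rejected, who tried to use the host as an
# open relay, and which hosts sent Code Red / Nimda style web probes.
# The log text below is constructed sample data in sendmail maillog and
# Apache common-log format; on a setup like the author's it would come
# from /var/log/maillog and the httpd access log (assumed paths).

MAILLOG_SAMPLE='Nov  3 10:01:12 nitwit sendmail[123]: gA3F1C00000123: ruleset=check_mail, arg1=<spam@spammer.example>, relay=mail.spammer.example [192.0.2.10], reject=550 5.7.1 <spam@spammer.example>... Access denied
Nov  3 10:05:44 nitwit sendmail[124]: gA3F5i00000124: ruleset=check_rcpt, arg1=<victim@other.example>, relay=[198.51.100.7], reject=550 5.7.1 <victim@other.example>... Relaying denied
Nov  3 10:07:01 nitwit sendmail[125]: gA3F7100000125: from=<friend@legit.example>, size=1024, class=0, nrcpts=1, relay=mx.legit.example [203.0.113.5]
Nov  3 11:15:30 nitwit sendmail[126]: gA3GFU00000126: ruleset=check_rcpt, arg1=<someone@elsewhere.example>, relay=[198.51.100.7], reject=550 5.7.1 <someone@elsewhere.example>... Relaying denied'

HTTPLOG_SAMPLE='192.0.2.77 - - [03/Nov/2002:09:12:01 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 285
198.51.100.9 - - [03/Nov/2002:09:20:15 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
203.0.113.21 - - [03/Nov/2002:09:30:00 -0500] "GET /index.html HTTP/1.1" 200 4512
198.51.100.9 - - [03/Nov/2002:09:20:16 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287'

# Request paths that Code Red (default.ida) and Nimda (root.exe, cmd.exe)
# leave behind in a web server log.
WORM_PATTERN='default\.ida|root\.exe|cmd\.exe'

# Mail rejected by the check_mail ruleset, i.e. senders listed in the access db.
count_blacklist_rejects() {
    printf '%s\n' "$1" | grep -c 'ruleset=check_mail.*reject=550' || true
}
# Attempts to relay mail through this host to a third party.
count_relay_attempts() {
    printf '%s\n' "$1" | grep -c 'Relaying denied' || true
}
# Worm probes against the web server.
count_worm_probes() {
    printf '%s\n' "$1" | grep -c -E "$WORM_PATTERN" || true
}
# Distinct source addresses of worm probes, one per line (the hosts whose
# webmasters the page's planned notification script would write to).
worm_sources() {
    printf '%s\n' "$1" | grep -E "$WORM_PATTERN" | cut -d' ' -f1 | sort -u
}

# Daily summary in the spirit of the author's cron job.
daily_report() {
    echo "Blacklisted senders rejected: $(count_blacklist_rejects "$MAILLOG_SAMPLE")"
    echo "Open-relay attempts refused:  $(count_relay_attempts "$MAILLOG_SAMPLE")"
    echo "Worm probes on web server:    $(count_worm_probes "$HTTPLOG_SAMPLE")"
    echo "Worm probe sources:"
    worm_sources "$HTTPLOG_SAMPLE"
}

daily_report
```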


====== Links ======

(pending)