How do you manage your spam?


#1

I thought I’d post this here, rather than make a private support request (like they’ve got the time right now with all the down-time and dos attacks around here!).

Curious to know how some of you deal with spam, spoofing and the like.

In short, I have a domain that, due to longevity (alive and kicking since 1995) and plenty of past cluelessness, receives thousands of spam messages and has frequently been spoofed by spammers (resulting in lots of bounce-backs of undeliverable messages). Even with razor on and lots of old addresses killed, lots of junk gets through. Essentially, I’d like to kill all but one new virgin address and bounce everything else.

Can I just bounce *@mytotallyspammeddomain.com
(obviously, not its name) from the panel?

Is there anything that can be done about domain spoofing? SpamCops just seems like a black hole.


#2

The plural of virus is viruses

http://www.perl.com/language/misc/virus.html


#3

[quote]Is there anything that can be done about domain spoofing?

[/quote]

I guess what I’m asking is, is there any proactive thing I can do to keep spammers from choosing my domain to spoof. It’s a public domain, as I mentioned, and has been active for a long time. It seems that domains that have been around a long time get spoofed more.

I know that if I kill the addresses, and do my best to not let the new, clean ones out of the bag, that I won’t actually see the evidence of the spoofing but it will still go on and it still uses DH server resources (when lots of them bounce) yes? And, of course, its embarrassing.

Anyway, it seems that I can delete the * without messing up any active addresses, so that’s a start!


#4

If SPF (http://spf.pobox.com/) becomes more widespread (AOL has indicated that they are working on validating against SPF records for inbound mail), we will almost certainly create a mechanism for customers to automatically generate SPF DNS records for their domain. This won’t help prevent spammers from spoofing your domain, but it may help other sites recognize and reject spoofed mail.

In the meantime, if any customers want to try this out, I’ll be happy to add the necessary records by hand. Allowing all hosts with reverse DNS inside dreamhost.com will probably work for most customers if they are using our servers for outgoing mail. We will probably also setup a “dreamhost.com” SPF record which can be included by customers in their own SPF records via the include mechanism.

Note, however, that adopting SPF does require some though. You have to be sure to consider every possible place that might legitimately send mail “from” your domain. Since it’s a fairly new scheme, you also have to consider that you may run into unexpected problems.


#5

I checked out http://spf.pobox.com/ and it seems almost idiot-proof. Am I right that all I need to do as an average DH customer is to use the wizard to create the SPF entry for the DNS servers and then give that entry to DH support with reference to this forum thread? Then you guys will put that into the DNS and that’s it? Sounds too easy to be true, so it probably isn’t. What have I missed?

I host an ordinary small personal homepage (g-b.dk) but the domain name is used regularly by spammers. If this can be stopped, I’d be a happier neticen. I understand that it won’t stop spam completely and right away, it’s only the first step, but the road leads towards a spamproof net. Those receivers that support SPF will recognize that the spam is not really sent from my domain and reject the spam. And that’s really what my benefit is. Yes please, I’d like that.

Is there any downside to jumping onto the SPF wagon now? If not, then why not have all DH customers aboard? If there is a downside, let’s hear it, because I didn’t come across it on the SPF website. For the record, I’m not an MX guru but an ordinary web guy being tired of “undeliverable spam” messages.


TorbenGB


#6

The wizard doesn’t quite figure things out right for us (guesses that the inbound MXs are the same as the outgoing mail servers, tries to add an include for dreamhost.com even though we don’t currently publish SPF records), and doesn’t account for stuff like:

  • Announcement lists (though generally, the envelope-sender is generally an address within dreamhost.com, not your domain, so this wouldn’t likely cause many problems)
  • Discussion lists
  • Mail sent from the user machines with an envelope-sender of your domain (mail sent from Pine / mutt, mail sent from properly configured scripts on your site, etc.)
  • Mail sent through your ISP’s mail server (if applicable).
  • Mail sent from any of your users (if any) through outside SMTP servers.
  • Configuration changes on our end.

I’m sure there are cases I’m forgetting. As I said before, the safest option (though one which would let other DH customers more easily spoof your domain if they wanted to) would be to use the simple record:
“v=spf1 ptr:dreamhost.com -all” (adding entries as necessary for any outside servers you or your users might be sending mail “from”).

There are also possible issues if you’re doing any email forwarding.
See http://spf.pobox.com/faq.html for information on that.

I haven’t messed with it much yet, so I’d also have to do some tests to make sure our DNS generation stuff doesn’t mess up the TXT records, and to make sure that BIND accepts the records properly.

Well just the possibility that problems will come up in the future when you (or we) make a configuration change that changes things around without updating the SPF records.

Because many of our customers have setups that would cause some or all of the problems mentioned above. SPF is good because it gives users and providers the flexibility to configure things in a number of different ways.

If / when SPF becomes more popular, we are very likely to provide a mechanism for customers to publish SPF records, and we’re likely to encourage them to do so - however it’s not something that we could or should setup by default. I think it’s still a little early for us to start spending a lot of effort supporting it, either for inbound mail or for outbound mail.


#7

Excellent answers – thank you very much. As I half expected, I see now that it’s not quite as easy as it looked at first sight.
As for the downsides, I only have a small user base (5 people) so any problems would not cause major problems, or at least not to many people.
So I’m still interested. When you said “if any customers want to try this out”, did you mean that DH is testing SPF, or that DH would assist any customer who is testing SPF? I’m asking that way because I wouldn’t mind being a guineapig for DH’s SPF testing, but I wouldn’t be able to conduct my own testing.


TorbenGB


#8

I have been looking at SPF for a couple of months now since it was on /.

It really sounds like an excellent way to solve spam problems, but it needs a critical mass take up to get there.


#9

True, critical mass is the thing. But according to the homepage, there’s quite a number of big-wig companies and websites that already support this so even though the ten thousand supporters are few compared to the billions of mailservers out there, the few at least have significant weight. Imagine if the top three e-mail providers (like hotmail, yahoo, whatnot) support SPF, that would address maybe 80-90% of worldwide spam. Well, a man can dream…


TorbenGB


#10

This looks really promising, although since my outgoing mail comes from a different server than Dreamhost (that’s true of all of your customers, yes? unless they are using webmail?) it will probably cause problems of its own. But, at least something is being done to close up this spoofing loophole.

Also, if I created a mailbox for someone under the domain, I’d need to know their outgoing mail server info too.

But, it seems if you have a simple one-user domain and only need one or two mailboxes and no special scripts or discussion features, that this is a good way to keep it clean from the outset.

Thanks for the info!


#11

Here’s a link someone sent me as another way to hide your email address on a page (without using a form or javascript):

http://www.colmgallagher.com/encode_all.html

it encodes your address as decimal or hex, which is understood by the browser. Good for thwarting email harvesters.


#12

[quote]Just as addresses and such can be easily encoded like that, spammers can easily decode the pages like your browser, so it’s not a very long term fix.

[/quote]

True, but wouldn’t it a least stop bots?


#13

Will said:
If/when SPF becomes more popular, we are very likely to provide a mechanism for customers to publish SPF records

With the recent news that Microsoft and SPF join forces, would you consider to use SPF? My domain is suffering a lot from spammers spoofing my domain, and it’s a pain that I believe SPF will address – to a certain degree, at least.

If I’m DreamHost’s only user who is asking for SPF then I wouldn’t bother with it, but if there is a small crowd then I’d be very interested to be part of a pilot test. The benefits for me are appealing; the drawback is that I’m no MX guru so I’d be at your mercy.

Comments – from Dreamhost as well as from other users??


TorbenGB


#14

If you have DNS records you want to publish, we will be happy to publish them for you… however again, we won’t take responsibility for any problems you encounter due to any mistakes on your side, our side, or anyone else’s side.

It also sounds like the new (merged) scheme may be somewhat more complex, though I understand that backwards-compatibility with older versions of SPF is planned.

I honestly don’t think that publishing SPF records will really help you out a whole lot, though… it’s really not something that’s being implemented on inbound mail by very many sites.


#15

On the topic of protecting conatct addresses from email harvesting, you’ll never beat making an image with the address on it, but of course the lack of clickability can put some people off. I’ve used a little bit of javascript on a couple of sites; it seems to be working. I got it here:

http://simplythebest.net/scripts/DHTML_scripts/javascripts/javascript_120.html