How we deal with the spam forwarding problem

March 4, 2008

We have a spam forwarding problem. Specifically, we forward spam, although not through choice; it's a political mandate not to impose filtering on people, and some of the people who don't filter forward their email elsewhere, and predictable things ensue.

We're dealing with this in three ways:

  • we use a different source IP address when forwarding spam-tagged email, splitting good email traffic away from the spam so we avoid contaminating the former with the latter.

    This is especially important for places where a bunch of users may be forwarding their email, like Yahoo and Hotmail; this way we avoid having a user that forwards a lot of spam cause problems for other users who mostly forward non-spam.

  • in order to eliminate as much backscatter as possible, we outright discard bounces of spam-tagged email. This is definitely not RFC compliant but is the lesser evil in a situation with no really good way out.

    (It also keeps our delivery queues small, since otherwise they would fill up with all of the bad addresses that spammers use.)

  • just in case, bounces go out from yet another source IP address, used only for bounces, so if we get blocked for being a backscatter source it will affect as little mail as possible.
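The two source-address splits above (spam-tagged forwards on one IP, bounces on another, everything else on the normal one) can be expressed directly in Exim's router and transport configuration. The fragment below is an added illustration, not the configuration this site actually runs: the 192.0.2.x addresses are documentation-range placeholders, the `example.org` HELO names are placeholders, `X-Spam-Flag: YES` is assumed to be how the filter tags spam (SpamAssassin's convention), and `+local_domains` is the domain list from Exim's default configuration. The second item, discarding bounces of spam-tagged mail, is not part of this fragment.

```exim
# Main section: the three source addresses. 192.0.2.x is the documentation
# range, standing in for real addresses (constructed placeholders).
CLEAN_IP  = 192.0.2.10
SPAM_IP   = 192.0.2.11
BOUNCE_IP = 192.0.2.12

# Assumed: the filter marks spam with an "X-Spam-Flag: YES" header
# (SpamAssassin's convention); substitute whatever your tagger sets.
# A message without the header expands $h_X-Spam-Flag: to "", so the
# test is simply false for untagged mail.
SPAM_TAGGED = ${if eq{$h_X-Spam-Flag:}{YES}}

# +local_domains is assumed to be defined as in the default configuration,
# e.g.  domainlist local_domains = @

begin routers

# Exim-generated bounces have an empty envelope sender. Route them first so
# every bounce, whatever it is a bounce of, leaves from BOUNCE_IP. Note this
# also catches forwarded *incoming* bounces, which is the desired behaviour
# here: they are the other half of the backscatter problem.
bounce_out:
  driver    = dnslookup
  domains   = ! +local_domains
  condition = ${if eq{$sender_address}{}}
  transport = remote_smtp_bounce
  no_more

# Mail the filter tagged as spam (typically a user's forward) goes out
# from SPAM_IP so its reputation stays separate from clean traffic.
spam_out:
  driver    = dnslookup
  domains   = ! +local_domains
  condition = SPAM_TAGGED
  transport = remote_smtp_spam
  no_more

# Everything else: the normal outbound path from CLEAN_IP.
clean_out:
  driver    = dnslookup
  domains   = ! +local_domains
  transport = remote_smtp
  no_more

begin transports

# Each transport binds its own local address with "interface". The HELO
# name should match the reverse DNS of that address, one name per IP;
# the example.org names below are placeholders.
remote_smtp:
  driver    = smtp
  interface = CLEAN_IP
  helo_data = mail.example.org

remote_smtp_spam:
  driver    = smtp
  interface = SPAM_IP
  helo_data = mail2.example.org

remote_smtp_bounce:
  driver    = smtp
  interface = BOUNCE_IP
  helo_data = mail3.example.org
```

Router order matters: the bounce router is placed first so that a bounce is never mistaken for ordinary or spam-tagged traffic, and each router ends with `no_more` so a non-matching `condition` falls through to the next one rather than bouncing the address. Each source address needs its own forward and reverse DNS entry, and `helo_data` should agree with the PTR record of the interface it is sent from, otherwise the separation buys little with receivers that check HELO consistency.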

Our spam-forwarding source IP address has already shown up on a few email reputation systems, although I believe not in any of the public DNSbls. This doesn't bother me, because I can hardly blame anyone who blacklists it; it is pretty much a spam source.

(Since I don't believe in tempting fate, it has an innocuous host name.)


Comments on this page:

From 67.168.17.122 at 2010-09-06 13:51:06:

Yes, this is a significant problem.

Some major services are getting smarter about these types of relays and allowing them as long as all the messages are going to a consistent address and not sent to multiple addresses.

In other cases, I've had to contact email admins at other services and plead for whitelisting, which so far has always been granted.

Spammers are doing severe damage to the internet; they are causing legitimate communication to be obstructed. Spam is essentially a Denial of Service Attack.

I like your solution of using dedicated IP addresses; that will certainly help, but it also adds one more layer of cost and complexity.

What are your views on using/implementing Domain Keys? I have so far resisted doing this because of the costs/complexity involved; I see few legitimate emails using it, but I do see occasional spam emails which do have it. So it seems like a failure to me. But every now and then the issue resurfaces as a possible ToDo project. What is your experience with this?

codeslinger at compsalot.com

By cks at 2010-09-06 22:56:54:

I haven't done anything with DomainKeys/DKIM so far, but that turns out to be largely because I misunderstood DKIM. Now that I have a better understanding, I need to think about it a bit before I have any answer.

(And it was your comment that sparked me looking into it, which turned out to be very useful.)

Last modified: Tue Mar 4 23:25:13 2008