We have been laboring over the SPAM issue for as long as anyone I suppose, and have tried multiple methods for relief. I would agree that one of the most effective ways of dealing with SPAMmers is to cut them off at the source when possible. I have found that most ISPs and domain registration authorities are very cooperative in dealing with the problem. The question we have really been working on though is how to stop the stuff before it hits the client's desktop. There are all kinds of services available to assist you, but all that we have looked at until recently required a lot of work on our part to keep them up to date, and have had marginal success. Recently, one of our techs advised me of Distributed Checksum Server (DCC). We ran some off-line tests, then some limited production tests to be sure that it wouldn't cause us problems, and are now running full production. We have seen a significant reduction in the amount of SPAM that actually gets past DCC into our network. Tolerances can be tuned to the level you desire. The participation in the world-wide DCC server community allows automatic updates without a lot of effort. Frankly, most of our effort these days is in making sure that we get our legitimate newsletters etc. that exceed count thresholds.

Here is Andy's write-up on it:

The Distributed Checksum Clearinghouse (DCC) is a method of finding spam by making a checksum out of the email and storing the number of times it's been received. It's free (open-source), and plugs right into your current Sendmail configuration. When we get an email, the DCC client in Sendmail makes a checksum (a number based on the message's size and content) out of the message and sends it to a server. The server keeps a count of each checksum received and returns the current number of times it's received that checksum. If it's a bulk message, the count will be high and the client can then delete it, archive it, or whatever.
The matching is "fuzzy" to protect against so-called "personalized" spam, random characters in the message or subject line, and slightly different wording. According to the documentation, the additional traffic generated is lower than a nameserver query, and we can ensure maximum security for it in the same way we do for nameservers.

By linking servers, a single DCC server can become vastly more powerful. Alone, our server could still knock out "routine" spam such as the stuff from "L.U.C.I.D" and certain porn sites, since it repeats itself and would quickly exceed whatever count we set. But if we link our server with other DCC servers on the Internet, we can catch all kinds of spam; as soon as a site with DCC gets spammed, all the other servers linked to it quickly know about the spam and get a high count.

They have a testing script on one of their servers, which I'll give the link to at the bottom of all this. I've tested all the mail in my test account on it (since I can save the headers there), both personal and spam. So far I've got a 100% accuracy rate. I noticed that it returns three different checksum checks, so even if some things are different, one of them has always caught the spam. I notice that MAPS (the spam blackhole) is also using it, which makes for some impressive credentials.

The nature of DCC is such that it can be tested on a production machine without client impact (by having it passively log the headers of emails that it classifies as bulk).

Links

Home Page: http://www.rhyolite.com/anti-spam/dcc/
Their Test Script: http://www.rhyolite.com/cgi-bin/dccproc-demo

Kevin E. Dorning
Cyber Security Program Manager
Office of the CIO DI-2
Bonneville Power Administration - USDOE

-----Original Message-----
From: T. Kenji Sugahara [mailto:sugahara@private]
Sent: Thursday, August 29, 2002 10:22 AM
To: 'crime@private'
Subject: CRIME Spammers beware "New" method to fight Spam

"After realizing that all registrars are required to keep accurate information, Mr. Murdock said he did a whois search on the domain of a particularly offensive spammer. He sent e-mail to the registered owners of the domain and when they bounced back, forwarded the information to their registrar. Generally, domain holders are required to notify their registrar of any address or information changes within 48 hours or risk having their accounts frozen. The result? The account was frozen and the domain is now inaccessible."

Source: http://www.eweek.com/article2/0,3959,491395,00.asp

If you have time... great way to stop spammers. It's a heck of a lot better than having to constantly update your filters.

T. Kenji Sugahara
Chief Operating Officer
counterclaim
Phone: 541-484-9235
Fax: 541-484-9193
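A toy model of the DCC scheme Andy describes in the message above (clients report checksums to a counting server, fuzzy matching of "personalized" copies, a tunable count threshold, and the newsletter exception Kevin mentions), added here as an example; it is not DCC's own code, the word-filtering normalization is a constructed stand-in for DCC's real fuzzy checksums, and every address and message body is made up:

```python
import hashlib
import re
from collections import Counter

# Constructed stand-in for DCC's fuzzy checksums (not the real algorithms):
# lowercase, keep alphabetic words of 3..12 letters, so tracking numbers,
# random filler and punctuation drop out before hashing.
WORD = re.compile(r"[a-z]{3,12}")

def exact_checksum(body: str) -> str:
    """Exact checksum: any change to the body changes the value."""
    return hashlib.sha256(body.encode()).hexdigest()

def fuzzy_checksum(body: str) -> str:
    """Fuzzy checksum: identical for copies that differ only in noise."""
    return hashlib.sha256(" ".join(WORD.findall(body.lower())).encode()).hexdigest()

class Clearinghouse:
    """Server side: remembers how often each checksum has been reported."""
    def __init__(self):
        self.counts = Counter()

    def report(self, checksums):
        # Increment each reported checksum and answer with the new totals,
        # which is all a client needs to decide whether a message is bulk.
        for c in checksums:
            self.counts[c] += 1
        return {c: self.counts[c] for c in checksums}

def classify(sender, body, server, threshold=10, whitelist=()):
    """Client side: report both checksums and judge by the highest count.
    Returns (verdict, count) so a site can log passively instead of rejecting."""
    counts = server.report([exact_checksum(body), fuzzy_checksum(body)])
    seen = max(counts.values())
    if sender in whitelist:  # legitimate bulk mail that exceeds the threshold
        return "ok", seen
    return ("bulk" if seen >= threshold else "ok"), seen

def demo():
    server = Clearinghouse()
    results = []
    for i in range(12):  # constructed "personalized" spam: new ID and filler each time
        body = f"GET RICH NOW!!! Visit http://example.invalid/?id={1000 + i} xq{i}zz today"
        results.append(classify("spam@example.invalid", body, server))
    results.append(classify("friend@example.invalid", "Lunch tomorrow at noon?", server))
    for _ in range(12):  # constructed newsletter, whitelisted so the count is ignored
        results.append(classify("news@example.invalid", "Weekly bulletin: issue notes",
                                server, whitelist={"news@example.invalid"}))
    return results
```

With the default threshold of 10, the tenth and later copies of the spam come back as bulk while every copy of the whitelisted newsletter stays "ok"; linking servers would amount to sharing the Clearinghouse counts between sites.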
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 13:15:52 PDT