
Acres of Spam


Email spam had reached more or less a steady state for me for a while, but things have suddenly escalated in the past couple weeks:

Anywhere from once every few days to two or three times in a day, I'll get approximately 2500 pieces of spam in an hour.

They're not actually spam per se. They're backscatter: a spammer has sent out thousands upon thousands of spam messages to other people, but has used kith.org addresses for the return addresses. In this particular case, the usernames at kith.org are generally all of the form human-first-name + random word + second random word, such as "louellaenumerabletyranny."

Many of those spam messages presumably reach their intended targets. But some percentage of them get bounced by well-meaning mailservers and autoresponders. And since the return address is @kith.org, the bounce message goes to kith.org, to be delivered to the nonexistent username. So what I'm really receiving isn't so much spam, as 2500 bounce messages in an hour, for spam I didn't send. And the only way I can be sure that they're not bounces of a legitimate message of mine that hasn't gotten through is to visually examine the To line of each. (Because I have a lot of different email addresses, so it wouldn't work to just search for the bounces with a To line that contains my real address.) Fortunately, Eudora's spam filter eliminates about 95% of the messages, but I still end up having to go through up to a couple hundred in a day.

So of course what I really need to do is what most sensible people already do, which is to have Pair's mail server automatically throw away all mail that isn't addressed to a known-good valid kith address.

But for something like ten years now, I've been operating under the assumption that any username at kith.org will reach me. So I haven't been careful about keeping track of what email addresses I give people and organizations that want to contact me.

A couple months ago, when I first thought about doing this, I ran some automated tools over ten years' worth of email and created a list of all the email addresses that had ever shown up on mail in my mailbox. For various reasons that seemed like good ideas at the time, I wanted the From addresses as well as the To addresses. The result was a list of well over 20,000 addresses. And although I could do searches to find certain kinds of addresses (like all the ones that started with "logos"), there were a great many that I couldn't think of a good way to sort through other than examining them by hand.

So I set the list aside and didn't deal with it. In the past couple weeks, spurred by wave after vast wave of spam, I've been going through it again--but I've still got about 4,000 addresses left to go. (But that's down from 15,000 two days ago; the end is in sight.)

I probably should've just looked at the To addresses for a first approximation, and figured I would lose a certain amount of mail. But at this point, I've done enough work on it that I want to continue.

I'm not actually sure that Pair's filter works the way I want it to, though; for example, if mail comes to a mailing list that I'm on, rather than directly to one of my legitimate addresses, will it get thrown away? I'll need to do some experiments to find out. Not really something I want to spend a lot of time on, but at this point I don't know how else to avoid drowning in backscatter.

Of course, if the spammers decide to start sending out thousands of emails from my actual address, this new approach won't work. Not sure what I'll do if that happens.

6 Comments

I have pair.com set to toss all mail that's sent to an address/recipe not specified in the mail settings. As far as I know, it has not affected any of the mailing lists I'm on. That is, I receive all postings I think I'm supposed to get. Of course I have no idea what I'm not getting, but that hasn't been a problem. I share my account with 6 people and about a dozen domain names, and none of us has had a problem once we made that change in the settings. And we've enjoyed a lot less spam.


My domain warriorgoddess.org got hit by this a few months back, and I had to configure my settings at sabren.com to only accept emails addressed to specific addresses. Seems to have worked; I don't give out that email address usually, so I don't expect anything in the inbox.


Pair filters on envelope recipient (i.e. the recipient header passed during the SMTP dialogue), not on anything in the To: or Cc: or other typically visible fields of the message. If you look at the full headers of your messages, you will see a header, X-Envelope-To:, which contains the address to which Pair thinks it was sending that message. That will probably give you a much smaller set of potentially valid addresses than scanning To/From fields.

But, at any rate, you will see if you look that messages to mailing lists are X-Envelope-To: whatever address you subscribed to the list, so they will find you even if you shut off your catch-all.

I highly recommend ditching the catch-all. I was terrified of doing that, for reasons somewhat similar to yours, for years. Eventually I got pushed over the edge by the fact that SpamAssassin had started generating nontrivial false positives because I was throwing so much spam at it. Now I am receiving a tiny fraction of the amount of spam I used to get, and am partying like it's 2003. It's pretty cool.

Here's a recommendation for how to make the change: set things up so that you still have a catchall, but, instead of delivering mail to your main logos address, the catchall delivers mail to a separate mailbox with a name like "catchall". Check that mailbox occasionally. If you find legitimate mail in it, make a rule to match the address to which the mail was sent. Once you are no longer seeing legitimate mail in the catchall box, it is probably safe to turn off the catchall (and, until then, it won't bother you as much, because you'll only have to check it occasionally once you have your initial set of addresses programmed in).
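The comment above suggests collecting valid addresses from X-Envelope-To: rather than To/From, and watching what the catch-all receives. The sketch below is an added example, not code from the post or its commenters: it tallies envelope recipients and sets aside addresses that only ever received bounces. The example.org addresses and messages are constructed, and the bounce heuristics (null Return-Path, delivery-status report, MAILER-DAEMON sender) are assumptions about how bounces look in a given mailbox.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

def sample(env_to, sender, to, return_path, ctype="text/plain"):
    """Build one constructed sample message (not real mail)."""
    return (f"Return-Path: <{return_path}>\nX-Envelope-To: {env_to}\n"
            f"From: {sender}\nTo: {to}\nContent-Type: {ctype}\n\nbody\n")

DSN = 'multipart/report; report-type=delivery-status; boundary="b"'
# Constructed samples; example.org stands in for the catch-all domain.
SAMPLES = [
    # List post: To: names the list, the envelope names the subscribed address.
    sample("me-lists@example.org", "a@example.net", "discuss@lists.example.net",
           "discuss-bounces@lists.example.net"),
    sample("me@example.org", "friend@example.com", "me@example.org",
           "friend@example.com"),
    # Backscatter addressed to forged, nonexistent usernames.
    sample("louellaenumerabletyranny@example.org", "MAILER-DAEMON@mx.example.com",
           "louellaenumerabletyranny@example.org", "", DSN),
    sample("carlospivotlantern@example.org", "postmaster@mx.example.net",
           "carlospivotlantern@example.org", "", DSN),
    # Genuine bounce of a message that really was sent from me@example.org.
    sample("me@example.org", "MAILER-DAEMON@mx.example.com", "me@example.org", "", DSN),
]

def is_bounce(msg):
    """Heuristic (an assumption): null envelope sender, DSN report, or daemon sender."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    return (msg.get("Return-Path", "").strip() == "<>" or is_dsn
            or sender.startswith("mailer-daemon@"))

def candidate_allowlist(raw_messages):
    """Return (addresses that received non-bounce mail, bounce-only addresses)."""
    wanted, review = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpt = parseaddr(msg.get("X-Envelope-To", ""))[1].lower()
        if rcpt:
            (review if is_bounce(msg) else wanted)[rcpt] += 1
    for addr in wanted:  # a real address keeps receiving its genuine bounces
        review.pop(addr, None)
    return dict(wanted), dict(review)
```

Addresses in the second dictionary are the ones to inspect by hand before dropping the catch-all; everything in the first can go straight into the list of accepted recipients.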


I absolutely love how you can discuss a topic like this without once venting your spleen. Either you are a very enlightened individual or else you have standards. Bravo!


I miss my spam. My ISP was bought out and now I rarely get any. Before, when I got it, I'd reply with my own: Rarity from the Hollow, a fun novel that raises funds to prevent child abuse. I guess you never know what you miss until it's gone.


I recently had a friend who sent me an email with subject "free coupons available at".
Guess what, it ended up in the bulk folder. I wonder whether in 2007 free=Spam for ISPs?

[This commenter's URL redacted by Jed when it became clear that he was posting content-free comments simply to increase traffic to his site. This comment here seemed fine; it was a later one, that I've subsequently removed, that added nothing to the discussion other than a link to his unrelated site.]

