Monday, October 1, 2007

A quick tip that’ll block bajillions of unsolicited messages

FIGHT BACK AGAINST SPAM

By David Gewirtz

Ahhhh! What a great week. My junk mail load has dropped so much that I've regained almost an hour a day. And all it took was one little configuration change to our mail server (and reading a manual).

Up until this week, I got thousands upon thousands of email messages a day. My running average was more than 7,000 messages a day. If an hour went by and I didn't hit Send/Receive, I'd get 300 or so new messages.

What bugged the crap out of me was that we had three layers of spam defense already. All our mail is routed through Prominic's Postini service. Postini (just bought by Google) is a service that filters your email, removing spam, and sending on the good messages to your server.


Next up, we had tarpitting and a second layer of SpamAssassin spam filtering on the mail server. Third, I use SpamBayes within Outlook to grab the remaining thousands of messages a day.

Skipping Postini

I'd honestly been quite disappointed in Postini. I couldn't understand how it couldn't tell that certain messages were junk, in particular those for male enhancement drugs and those clearly not in English. How could they make it past Postini? Turns out, Postini wasn't missing those messages. The messages never went through Postini at all.

To use Postini, you change your MX records (the Mail Exchange records) to point first at the Postini servers. When a mail server sends a message, it looks at the MX record to know which IP address to send the message to. When you look up mail.zatz.com, for example, our MX records return the IP addresses for Postini's servers.

As a result, the sending mail server is supposed to send the email message to Postini's servers, Postini runs its filters, and then those messages deemed not spam are forwarded to our own mail server. Technically, the only mail our mail server is supposed to get is that sent to it by Postini's servers.

But instead of looking at our MX records, all those spammers simply found where zatz.com was located and sent mail directly to our mail server, completely bypassing Postini's filtering. The net result was 30 to 60 minutes a day of me filtering through my Questionable box and dealing with 7,000+ new messages. And I wasn't alone. All the ZATZ users had the same problem.
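The bypass described above has a simple defensive counterpart: a mail server behind a filtering service should only accept SMTP connections from that service's relays, and a message that is already in the mailbox can be checked the same way by looking at the hop that handed it to your own server. The following is an added example and not code from the article or from Postini; the relay address ranges, host names and sample messages are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed placeholder ranges standing in for the filtering service's outbound relays.
# A real deployment takes these from the provider's documentation, not from this example.
FILTER_RELAY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def from_filter_relay(peer_ip: str) -> bool:
    """True if an inbound SMTP connection's peer address belongs to the filtering service."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in FILTER_RELAY_NETS)

def smtp_connect_policy(peer_ip: str) -> str:
    """Connection-time policy: only the filter's relays may deliver; direct senders are refused."""
    return "accept" if from_filter_relay(peer_ip) else "reject"

# Matches the bracketed IPv4 literal in a Received: header, e.g. "from host ([203.0.113.9])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def bypassed_filter(raw_message: str) -> bool:
    """For an already-delivered message: did the last hop come from the filter's relays?
    Only the top-most Received: header is trusted, because our own server wrote it;
    anything below it was supplied by the sender and may be forged."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return True  # no trace of any relay at all
    m = _RECEIVED_IP.search(received[0])
    return not (m and from_filter_relay(m.group(1)))

# Constructed sample messages: one delivered straight to our server, one via the filter.
DIRECT = """Received: from spammer.example ([203.0.113.9]) by mail.zatz.com with ESMTP; Mon, 1 Oct 2007 10:00:00 -0400
From: x@spammer.example
Subject: hello

body
"""
VIA_FILTER = """Received: from relay1.filter.example ([192.0.2.10]) by mail.zatz.com with ESMTP; Mon, 1 Oct 2007 10:00:00 -0400
Received: from sender.example ([203.0.113.50]) by relay1.filter.example; Mon, 1 Oct 2007 09:59:58 -0400
From: friend@sender.example
Subject: hi

body
"""

if __name__ == "__main__":
    print(smtp_connect_policy("203.0.113.9"), smtp_connect_policy("192.0.2.10"))  # reject accept
    print(bypassed_filter(DIRECT), bypassed_filter(VIA_FILTER))  # True False
```

The connection-time check is the one that actually stops the traffic; the header check is only useful for measuring how much mail had been bypassing the filter before the server was locked down.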

Fixing the problem

One day last week, I finally noticed something interesting. Most of the spam messages didn't have Postini's headers. Generally, when a message passes through Postini, it embeds headers in the message, something like this: