Anti spam tools
This page gives details of some of the things I use to try to detect spam on
our systems. Hopefully they might be of some use to other people.
N.B. I take no responsibility for the use or misuse of any of these
facilities.
- Dialup networks. Lots of spam comes
from directly connected dialup lines (i.e. modems), whereas almost all
legitimate mail comes via ISPs' mail servers. There are various
international blacklists which identify blocks of IP addresses as being
dialups. Using these lets you block lots of spam on the basis of IP
address. However, they are not exhaustive, so I maintain a local list
generated from the spam we receive. The link above points to my list of
regular expressions which match hostnames that have generated spam to
Aber and which appear to be dialup lines. Messages with Received: lines
which match these patterns are likely to be spam.
- Dialup network matcher in perl. Much the
same as the one above, but this one is a perl function which takes an
IP address and a hostname and tries to determine from these whether the
IP is part of a dialup range. I haven't used this one for blocking spam,
as I'm afraid it might be too aggressive. Instead I'm using a match on
this to trigger a delay at SMTP time.
Usage: if (DialIP::scan($ip, $host)) {...
- New residential IP matcher in perl.
This one is my new version. It returns a score which shows how many
parts of a hostname are based on its IP address, along with a regular
expression which you could use to match other names of the same form.
So, you can use this as an outright check of the current connecting
host (just block high scores). Or you can, on receipt of spam, check the
score and, if high, use it to generate a regular expression to block
future mail. This latter use is handy because it allows you to only
place blocks on residential ranges that have proven themselves to be
naughty already!
Usage: my ($score, $regexp) = ResidentialIP::check($hostname, $ip, 1);
or: my $score = ResidentialIP::check($hostname, $ip);
- Description of greylisting.
- Performance of greylisting at Aber.
- Greylisting. This is my implementation of
greylisting, as a perl module with a MySQL backend. This is by far our
most effective anti-spam filter.
- IP whitelist for use with Greylist.pm, in mysql
dump format. N.B. This is just a daily export from my own
greylist database. Presence of a machine on this list is no guarantee
as to its legitimacy.
- Exim socket daemon. Simple daemon for
listening on a unix domain socket and taking commands from exim via
${readsocket{. Use with Greylist.pm to do greylisting.
- Example exim ACL fragment to do
the greylisting.
- Powerpoint format presentation of a talk I
gave on greylisting to the Welsh Regional JANET User Group,
April 2004.
- LD_PRELOAD wrapper for getsockname to
return the original destination address if you're using Linux iptables
rules to redirect traffic to the local host. See the README.txt inside
the tar file for details of why I wanted this.
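The residential IP matcher above returns a score and a regular expression but the page does not show how it arrives at them. The following is an added Python sketch of that idea, written for this page; it is not ResidentialIP.pm and its scoring rule is my own choice: the score is the number of distinct IPv4 octets (0 to 4) found anywhere in the hostname, in decimal, zero-padded decimal, two-digit hex, or as the whole address concatenated, and the regex is the hostname with each matched piece replaced by a character class. The function names `check`, `looks_residential` and `regex_matches`, the threshold of 3, and all sample hostnames and addresses are constructed for the example.

```python
# Added example: score how much of a hostname is derived from its IP address.
# This is an illustration written for this page, not Alun Jones's
# ResidentialIP module; the scoring rule, the regex shape and the sample
# hostnames are all assumptions made here.
import ipaddress
import re
from typing import Dict, List, Set, Tuple

_CHUNK = re.compile(r"[0-9a-z]+")   # runs of alphanumerics between separators (. - _)
_SUB = re.compile(r"\d+|[a-z]+")    # digit runs and letter runs inside one chunk


def _octet_forms(ip: str) -> Tuple[Dict[str, int], Dict[str, int], str, str]:
    """Textual forms each octet of an IPv4 address might take inside a hostname."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    dec: Dict[str, int] = {}   # "24" and "024" -> octet index
    hx: Dict[str, int] = {}    # "18"           -> octet index
    for i, o in enumerate(octets):
        dec.setdefault(str(o), i)
        dec.setdefault("%03d" % o, i)
        hx.setdefault("%02x" % o, i)
    dec_all = "".join("%03d" % o for o in octets)   # e.g. 024061123045
    hex_all = "".join("%02x" % o for o in octets)   # e.g. 183d7b2d
    return dec, hx, dec_all, hex_all


def check(hostname: str, ip: str) -> Tuple[int, str]:
    """Return (score, regex).

    score: number of distinct octets of `ip` found in `hostname`, in any order
           (so pool-24-61-123-45 and 45.123.61.24 both score 4).
    regex: anchored pattern that matches other hostnames of the same shape,
           e.g. ^pool\-\d{1,3}\-\d{1,3}\-\d{1,3}\-\d{1,3}\.dyn\.example\.net$
    """
    dec, hx, dec_all, hex_all = _octet_forms(ip)
    host = hostname.lower().rstrip(".")
    seen: Set[int] = set()
    parts: List[str] = []
    pos = 0
    for m in _CHUNK.finditer(host):
        parts.append(re.escape(host[pos:m.start()]))   # the separator before this chunk
        pos = m.end()
        chunk = m.group(0)
        if chunk == dec_all:                            # whole address, zero-padded decimal
            seen.update(range(4)); parts.append(r"\d{12}"); continue
        if chunk == hex_all:                            # whole address as 8 hex digits
            seen.update(range(4)); parts.append(r"[0-9a-f]{8}"); continue
        # A pure-letter pair such as "ca" or "de" is valid hex but is far more
        # likely to be a word, so a hex chunk must contain at least one digit.
        if chunk in hx and not chunk.isdigit() and any(c.isdigit() for c in chunk):
            seen.add(hx[chunk]); parts.append(r"[0-9a-f]{2}"); continue
        for s in _SUB.finditer(chunk):                  # e.g. "ip24" -> "ip", "24"
            tok = s.group(0)
            if tok in dec:
                seen.add(dec[tok]); parts.append(r"\d{1,3}")
            elif tok in hx:                             # all-digit hex such as "18" for 24
                seen.add(hx[tok]); parts.append(r"[0-9a-f]{2}")
            else:
                parts.append(re.escape(tok))
    parts.append(re.escape(host[pos:]))
    return len(seen), "^" + "".join(parts) + "$"


def looks_residential(hostname: str, ip: str, threshold: int = 3) -> bool:
    """Outright check of a connecting host: block when most of the IP is in the name."""
    return check(hostname, ip)[0] >= threshold


def regex_matches(regex: str, hostname: str) -> bool:
    """Does a regex generated by check() match another hostname?"""
    return re.match(regex, hostname.lower().rstrip(".")) is not None


if __name__ == "__main__":
    # Constructed samples, not real spam data.
    for host, ip in [("pool-24-61-123-45.dyn.example.net", "24.61.123.45"),
                     ("183d7b2d.dsl.example.net", "24.61.123.45"),
                     ("ns1.example.net", "198.51.100.1"),
                     ("mail.example.com", "192.0.2.10")]:
        print(host, ip, check(host, ip))
```

A score of 1 is weak evidence (any `ns1` matches an address ending in .1), which is why the outright check uses a threshold; the generated regex is the safer tool, since it is only created from a host that has already sent spam, as the text above suggests.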
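The greylisting items above (the description, Greylist.pm, the socket daemon and the exim ACL fragment) describe the technique without showing the decision it makes for each delivery attempt. Below is an added, self-contained Python model of that decision, written for this page; it is not Greylist.pm (which keeps its state in MySQL and is driven from exim through the socket daemon). The triplet of connecting IP, envelope sender and envelope recipient is the usual greylisting key; the timings (5 minute delay, 4 hour retry window, 36 day lifetime), the whitelist behaviour, the names `Greylist`, `check`, `expire`, `smtp_reply` and all sample addresses are assumptions made here.

```python
# Added example: the greylisting decision as an in-memory model.
# This is an illustration written for this page, not Alun Jones's Greylist.pm;
# the timings, names and sample addresses are assumptions made here.
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Triplet = Tuple[str, str, str]   # (connecting IP, envelope sender, envelope recipient)

DEFAULT_DELAY = 5 * 60                 # a new triplet is deferred for 5 minutes
DEFAULT_RETRY_WINDOW = 4 * 60 * 60     # an attempt not retried within 4 hours is forgotten
DEFAULT_LIFETIME = 36 * 24 * 60 * 60   # a confirmed triplet stays known for 36 idle days


@dataclass
class Greylist:
    delay: int = DEFAULT_DELAY
    retry_window: int = DEFAULT_RETRY_WINDOW
    lifetime: int = DEFAULT_LIFETIME
    whitelist: Set[str] = field(default_factory=set)             # IPs exempt from greylisting
    pending: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> first seen
    known: Dict[Triplet, float] = field(default_factory=dict)    # triplet -> last seen

    def check(self, ip: str, sender: str, rcpt: str, now: Optional[float] = None) -> str:
        """Return "accept" or "defer" for one RCPT TO at SMTP time."""
        now = time.time() if now is None else now
        if ip in self.whitelist:
            return "accept"
        key = (ip, sender.lower(), rcpt.lower())
        last = self.known.get(key)
        if last is not None and now - last <= self.lifetime:
            self.known[key] = now                 # already proven: let it straight through
            return "accept"
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now               # first sight (or a stale retry): defer
            return "defer"
        if now - first < self.delay:
            return "defer"                        # retried too soon: keep deferring
        del self.pending[key]                     # retried after the delay: behaves like
        self.known[key] = now                     # a real MTA, so accept from now on
        return "accept"

    def expire(self, now: Optional[float] = None) -> int:
        """Drop stale entries (the job a cron run would do); returns how many were removed."""
        now = time.time() if now is None else now
        stale_pending = [k for k, t in self.pending.items() if now - t > self.retry_window]
        stale_known = [k for k, t in self.known.items() if now - t > self.lifetime]
        for k in stale_pending:
            del self.pending[k]
        for k in stale_known:
            del self.known[k]
        return len(stale_pending) + len(stale_known)


def smtp_reply(verdict: str) -> str:
    """The SMTP response an ACL would give; a 4xx code tells a real MTA to retry later."""
    return "451 4.7.1 Greylisted, please try again later" if verdict == "defer" else "250 2.1.5 OK"


if __name__ == "__main__":
    g = Greylist(whitelist={"192.0.2.10"})
    t = 1_700_000_000.0   # constructed clock so the run is reproducible
    triplet = ("203.0.113.5", "bob@example.com", "alice@example.org")
    for offset in (0, 60, 400):   # first attempt, too-early retry, retry after the delay
        print("+%ds" % offset, smtp_reply(g.check(*triplet, now=t + offset)))
```

The point the model makes explicit is why greylisting works: a sender that never retries (most spam engines) is deferred once and then forgotten by `expire`, while anything that comes back after the delay is remembered and never delayed again. The sender address is lowercased before keying so that retries with different case are recognised as the same triplet.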
The information provided on this and other pages by me, Alun Jones is under
my own personal responsibility and not that of the University of Wales,
Aberystwyth. Similarly, any opinions expressed are my own and are in no way
to be taken as those of U.W.A.
My GPG public key is here
This page is located at:
http://users.aber.ac.uk/auj/spam/index.shtml
It was last modified on Wed Aug 18 09:57:56 2010
It has been accessed
21475 times since 26 Sep 2002
Alun Jones,
Systems Support,
Information Services,
University of Wales,
Aberystwyth,
Ceredigion SY23 3DB.