Fare Ye Well Work Email You Have Served Me Well
Monday, 17th September 2012, 14:36

Perhaps I should be grateful that for 13 years I had one decent work email address, which I used for everything relating to work and beyond. But finally, last Thursday, I was forced to lay it to rest, cause of death being spam.

It was 2004 when that genius of predicting the future, Bill Gates, added one of his many futurist suggestions to the litany of other equally inaccurate ones. He said that spam would be a thing in the past within 2 years, which makes it at least 8 too late. Nice idea Bill, but whatever product you had in mind to cure that, it's running a bit late.

Microsoft is an odd company, on the one hand it does a good job of actively targeting spam bot networks and taking them down, which helps a bit. But on the flip side it creates the badly written operating system which allows machines to be part of those networks in the first place.

I dream of a great operating system, perhaps Apple have it, I've not used a Mac since I sold my Quadra 700 all those years ago, and it's come on a lot since then I believe. I know that most of the time iOS on my iPad and iPhone do a wonderful job, and serve to increase the frustration the moment I turn on my Windows PC or laptop, both running Windows 7, and experience how awful it does basics like memory management and searching.

Where Did They Get My Email Address?

My spam attacks have come on two fronts, firstly my email address appears publicly on many websites, often because of mailing lists I've posted to about everything from MAME to PostgreSQL. From those, scrapers have added me to lists, which got added to more lists, and so on, this is where phishing scams and viagra offers get to me from.

It's this last fortnight that over 60 a day have flooded into my inbox, resulting in the need to throw in the towel and change it to something else.

But an equally frustrating line in spam has come from UK based business lists, scumbags who alternate between selling my details on without my permission to companies I neither care about or remotely relate to my work. Our spam laws are weak, and our enforcers of it are even weaker.

What's more, anytime I asked some crappy company that cared not where they got my email from, who sold it to them, they'd never tell me. The scumbags are in league with the scumbags. I'd post a big list but it would no doubt only help their google ranking.

Defensive Steps

It's not even as if I've taken all this lying down either. Incoming connections on SMTP are checked with various Realtime Black-Lists which helps to cut down known spam sources. I also have my own personal blacklist where any source of spam that sends me more than two, gets added onto.

Next, I run a spamd greylisting daemon on our server, which causes any new contacting mail server to be sent a temporary "try again later" error code, which all proper ones (unlike spam bots) will do. This keeps out hundreds of spam emails a day, but unfortunately not only does there seem to be a limitless supply of insecure PCs out there, an infinite supply of insecure mail servers also seems present.

The next step is the Sender Policy Framework, which checks that an email has been sent from a server which has permission to do so. That cuts down on some email address forgery, but when quite a lot of spam these days is coming from a genuine mail server such as Yahoo, SPF is less of a defence than it should be.

If something is a genuine mail server and gets past all of the above, then it hits qmail-scanner which checks for unusual things in the headers, in fact anything which might be spam, and then rejects or marks it respectively.

Only after all that does it make it to my inbox, and all the above really does reject hundreds and hundreds of messages a day, but when 60 are still getting through, it no longer becomes enough.

It's Like Reinstalling Windows

You know when you decide to do a clean install, and you write down all the apps you think you need, and start the process? Then a few days later you realise, oh wait I forgot to install X or Y, and so on, and so on. Changing my work email has been to a certain extent a bit like that.

I keep realising things that use the old address which I've forgotten, hopefully nothing major now, but still every now and again I panic and go to change it somewhere.

But this is a small price to pay, because now I get maybe one spam a day. and when that gets too high another email address is going to have to get it. :/