Last Updated: 2006-08-20 02:49:51 UTC
by Marcus Sachs (Version: 1)
2) Use a simple filter for your inbox: if the sender is NOT already known (in your address book, or among previous recipients), file the message in a New-Contacts folder. This keeps your inbox clear of spam without your having to describe what the spam looks like. A quick scan through the New-Contacts folder separates genuine new contacts from spam. Additional rules that identify specific problem spam (and send it to a Spam folder) can also be applied. New contacts can either be replied to (so they become "previous recipients") or added to your address book.
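The inbox rule in item 2, as an added example that is not code from the diary: the address book, the Sent folder and the incoming messages are all constructed, and the Spam-folder check is a hypothetical subject-line rule standing in for the "additional rules" the item mentions. It also shows the follow-on the item describes: replying to an unknown sender turns them into a previous recipient, so their next message reaches the inbox.

```python
"""Inbox rule from item 2 (added example, not code from the diary): mail whose
sender is neither in the address book nor a previous recipient is filed in
New-Contacts, so the inbox stays clean without describing what spam looks like.
Address book, sent mail and incoming messages are all constructed."""
import email
from email.utils import getaddresses, parseaddr

ADDRESS_BOOK = {"Alice Jones <alice@example.org>", "carol@partner.example"}
SENT_FOLDER = [
    "From: me@corp.example\nTo: Bob Smith <bob@example.net>, dan@example.net\n\nhi\n",
    "From: me@corp.example\nTo: erin@example.com\nCc: Frank <frank@example.com>\n\nthanks\n",
]
# The "additional rules" from the item: content checks applied only to senders
# that are already unknown, so a known contact is never misfiled by them.
SPAM_SUBJECT_WORDS = ("unclaimed prize", "act now")

def normalise(header_value: str) -> str:
    """Bare lower-cased address from 'Display Name <addr>' or a plain address."""
    return parseaddr(header_value)[1].lower()

def known_senders(address_book, sent_messages) -> set:
    """Address-book entries plus every To/Cc recipient of mail we have sent."""
    known = {normalise(entry) for entry in address_book}
    for raw in sent_messages:
        msg = email.message_from_string(raw)
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        known.update(addr.lower() for _, addr in getaddresses(headers))
    return known

def route(raw_message: str, known: set) -> str:
    """Folder for one incoming message: Inbox, Spam or New-Contacts."""
    msg = email.message_from_string(raw_message)
    sender = normalise(msg.get("From", ""))
    if sender and sender in known:
        return "Inbox"
    subject = msg.get("Subject", "").lower()
    if any(phrase in subject for phrase in SPAM_SUBJECT_WORDS):
        return "Spam"
    return "New-Contacts"

def demo() -> dict:
    """Route a handful of constructed messages, then show a reply promoting a sender."""
    known = known_senders(ADDRESS_BOOK, SENT_FOLDER)
    incoming = {
        "in_address_book": "From: \"Jones, Alice\" <alice@example.org>\nSubject: Lunch?\n\n",
        "previously_mailed": "From: BOB@example.net\nSubject: Re: hi\n\n",
        "was_cc_recipient": "From: Frank <frank@example.com>\nSubject: Re: thanks\n\n",
        "unknown_person": "From: grace@newco.example\nSubject: Introduction\n\n",
        "unknown_spammy": "From: win@lottery.example\nSubject: Your UNCLAIMED PRIZE\n\n",
        "no_from_header": "Subject: (none)\n\n",
    }
    result = {name: route(raw, known) for name, raw in incoming.items()}
    # Replying to grace makes her a previous recipient; her next message lands in Inbox.
    reply = "From: me@corp.example\nTo: grace@newco.example\n\nnice to meet you\n"
    known = known_senders(ADDRESS_BOOK, SENT_FOLDER + [reply])
    result["unknown_person_after_reply"] = route(incoming["unknown_person"], known)
    return result
```

The known-sender set is rebuilt from the Sent folder rather than maintained by hand, which is what makes "reply to it" a sufficient action: no address-book edit is needed for someone you have already answered. A message with no usable From header is treated as unknown, not as spam, so it still gets looked at.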
3) Use a variation of (2) for company-wide filtering:
a) Don't accept email for unknown addresses. This forces the outside server to create any bounce messages, and if that server is a spammer, the spam disappears.
b) Depending on the company's needs, either don't accept email from unknown addresses, or limit what a previously unknown address can do. Use your logs to populate a "previous recipients" database, a "known-good-sender" database, and a "known-bad-sender" database. Known-bad senders get rejected, known-good senders get very relaxed thresholds (they can send more mail per second, etc.), previous recipients get somewhat relaxed thresholds, and everyone else gets restrictive thresholds (only 1 message per minute, for instance). Adjust to taste.
4) Do as much filtering based upon "protocol" as possible (as opposed to filtering based upon message content). Spammers change message content constantly. Spammers cannot do their jobs unless they send lots of copies of the same message really quickly. This generally means multiple recipients per message, and multiple short messages per connection. This also means there is likely to be a greater than 1% rate of bad addresses, as spammers' lists are not generally perfect.
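Items 3 and 4 together describe one server-side policy, so here is a single model of it as an added example (not code from the diary or from ISC): unknown recipients are refused at RCPT time, the "previous recipients" set is learned from a constructed outbound log, each sender tier gets its own thresholds, and every connection is scored on the protocol-level signals from item 4 (bad-address rate above 1%, messages per minute, recipients per message). The tier limits, log format, addresses and the sliding 60-second window used to measure "messages per minute" are all assumptions; the values are the "adjust to taste" knobs.

```python
"""Server-side policy from items 3 and 4 (added example, not code from the diary):
refuse unknown recipients at RCPT time, build the "previous recipients" set from
the outbound log, apply per-tier thresholds, and score protocol behaviour per
connection. Addresses, log lines and threshold values are all constructed."""
import re
from dataclasses import dataclass

# Hypothetical per-tier thresholds, the "adjust to taste" knobs from item 3b.
TIERS = {
    "known-good": {"per_minute": 600, "max_rcpts": 100},
    "previous-recipient": {"per_minute": 30, "max_rcpts": 20},
    "unknown": {"per_minute": 1, "max_rcpts": 5},
}
BAD_RCPT_RATE = 0.01  # item 4: a genuine list rarely has more than 1% bad addresses

# Constructed outbound-delivery log; successful to= fields become previous recipients.
SENT_LOG = """\
2006-08-19T10:02:11 relay: from=<alice@corp.example> to=<bob@example.net> status=sent
2006-08-19T11:45:09 relay: from=<carol@corp.example> to=<dan@partner.example> status=sent
2006-08-19T12:00:00 relay: from=<alice@corp.example> to=<nobody@typo.example> status=bounced
"""
LOG_RE = re.compile(r"from=<([^>]+)> to=<([^>]+)> status=(\w+)")

def previous_recipients(log_text: str) -> set:
    """Addresses our own users have successfully mailed (item 3b)."""
    return {m.group(2).lower() for m in LOG_RE.finditer(log_text) if m.group(3) == "sent"}

def peak_per_minute(times) -> int:
    """Largest number of messages falling in any 60-second window."""
    times, peak, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= 60:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

@dataclass
class Policy:
    local_mailboxes: set   # the only addresses we accept mail for (item 3a)
    known_good: set        # operator-maintained lists, grown from the logs over time
    known_bad: set
    previous: set

    def tier(self, sender: str) -> str:
        s = sender.lower()
        for name, members in (("known-bad", self.known_bad), ("known-good", self.known_good),
                              ("previous-recipient", self.previous)):
            if s in members:
                return name
        return "unknown"

    def evaluate(self, conn: dict) -> dict:
        """conn = {"sender": addr, "messages": [{"t": seconds, "rcpts": [addr, ...]}, ...]}
        Returns the SMTP-level action for the connection and the reasons behind it."""
        tier = self.tier(conn["sender"])
        if tier == "known-bad":
            return {"action": "reject", "tier": tier, "reasons": ["known-bad sender"], "bad_rcpts": []}
        limits, reasons, msgs = TIERS[tier], [], conn["messages"]
        # Item 3a: an unknown recipient gets a 5xx at RCPT time, so any bounce is the
        # remote server's job; the refusals also give us the bad-address rate of item 4.
        rcpts = [r for m in msgs for r in m["rcpts"]]
        bad = [r for r in rcpts if r.lower() not in self.local_mailboxes]
        if rcpts and len(bad) / len(rcpts) > BAD_RCPT_RATE:
            reasons.append(f"bad-address rate {len(bad) / len(rcpts):.0%}")
        # Item 4: messages per minute and recipients per message are protocol-level
        # signals that hold no matter what the message body says.
        peak = peak_per_minute([m["t"] for m in msgs])
        if peak > limits["per_minute"]:
            reasons.append(f"{peak} msgs/min over tier limit {limits['per_minute']}")
        widest = max((len(m["rcpts"]) for m in msgs), default=0)
        if widest > limits["max_rcpts"]:
            reasons.append(f"{widest} rcpts/msg over tier limit {limits['max_rcpts']}")
        return {"action": "defer" if reasons else "accept", "tier": tier,
                "reasons": reasons, "bad_rcpts": bad}

def demo() -> dict:
    """Three constructed connections run through the policy."""
    policy = Policy(
        local_mailboxes={"alice@corp.example", "carol@corp.example"},
        known_good={"alerts@partner.example"},
        known_bad={"offers@bad.example"},
        previous=previous_recipients(SENT_LOG),
    )
    conns = {
        # Someone Alice mailed yesterday replies: one message, one valid recipient.
        "reply": {"sender": "Bob@example.net",
                  "messages": [{"t": 0, "rcpts": ["alice@corp.example"]}]},
        # Unknown sender, three messages in four seconds, one guessed address in each.
        "burst": {"sender": "promo@unknown.example",
                  "messages": [{"t": 0, "rcpts": ["alice@corp.example", "sales@corp.example"]},
                               {"t": 2, "rcpts": ["carol@corp.example", "info@corp.example"]},
                               {"t": 4, "rcpts": ["alice@corp.example", "hr@corp.example"]}]},
        # Listed bad sender: refused before any recipient is looked at.
        "listed": {"sender": "offers@bad.example", "messages": []},
    }
    return {name: policy.evaluate(c) for name, c in conns.items()}
```

Threshold overruns return "defer" (a 4xx) rather than "reject", so a legitimate but unusually busy sender retries later instead of losing mail, while a listed bad sender gets the 5xx outright. Only successful deliveries in the log feed the previous-recipients set; a bounced outbound address never earns relaxed limits. The bounced recipients list in the result is what you would feed back into the bad-address rate over time, since spammers' lists, unlike real correspondents', keep producing them.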
5) Encourage TLS and DKIM use. Spammers tend to use botnets, which are unlikely to use TLS or various encryption/signing methods.