Thursday, 16. October 2003
You heard me. You need the stuff. Of course your users do not and this is where the balancing act begins.
Why do you need spam? Well the same reason as doctors need diseases. Of course in a perfect world, there would be no disease and no need for doctors but that can never be. And in our imperfect world, doctors are only effective against disease because they have seen enough of it to know how to fight it.
Spam you trap yourself is useful because you can use it to tune protocol-level blocking (set up local blocks, choose public block lists and so on) or content filters. But you also need the spam you use for such tuning to be at least somewhat representative of the spam intended for your users, so just using public lists of spam (e.g. NANAS) for this purpose is likely to be unproductive - you will spend a lot of time fighting spam that may never actually be a problem at your location.
So now the question becomes: how can I obtain representative spam samples without opening up the floodgates and drowning all my users? And this is why you need spamtraps.
Here are some tips for setting spamtraps:
- Keep an eye on your logs!
- If you see a large amount of email addressed to <nosuchuser@yourdomain> (where nosuchuser is a username part that is not valid for any current user on your system), and these emails are either being blocked by "Verify that local domain recipients exist in the Domino Directory:" or being accepted and then going dead in mail.box, then grab it.
This is not uncommon. Spammers do seem, every now and again, to believe they have discovered a valid address at yourdomain and to include it in the lists that they sell, and this is where a large proportion of our spamtraps originated.
How to grab it? Well, just set up a mail-in database and give it an address of nosuchuser@yourdomain. If you are using Domino 5 or 6+, ensure that the original MIME is preserved (this mail-in must not prefer Notes Rich Text). You can use one mail-in for a large number of aliases: just add them as multiple values to the field "Mail-in name:".
- Post sightings to NANAS, and use as the email address of the poster another alias for your spamtrap mail-in. Spammers harvest Usenet all the time and, yes, they do grab addresses even from groups dedicated to fighting network abuse (rule 3).
Our NANAS sightings are all from <nanas_sub@ourdomain>. And <nanas_sub@ourdomain>, like so many other users here, gets a lot of 419 (Nigerian advance fee fraud) spam.
- When a user leaves, particularly if that user has been the target of a lot of spam, delete his person record and include him in your deny access group(s) as you normally would, but add his former Internet email address as an alias to (all together now) your spamtrap mail-in.
By now you should be collecting a fair amount of spam.
- If you use "Verify that local domain recipients exist in the Domino Directory:" (and I recommend you do), then you may become a target for dictionary attacks. You can use these to great advantage, provided the names harvested by dictionary attacks are not actually real email addresses but are aliases based on some variation of users' names.
For example, if my real email address is Fred_Bloggs@example.com and I am the only person named Fred in the Domino directory, then Internet mail addressed to Fred@example.com will also be delivered to me (unless you have done this). If you see a dictionary attack in your logs, take the harvested addresses and (once again, with feeling) add them as aliases to your spamtrap mail-in.
Then you will see this happening and can take pre-emptive action, with luck before a real user sees any spam.
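The two log-watching tips above (mail to addresses that exist for nobody, and dictionary attacks that probe many unknown names from one host) both come down to mining the recipient-rejection lines in your server log. The script below is an added example, not code from this post or from Domino: it parses a handful of constructed log lines in an assumed, simplified format (real Domino log wording differs, so adjust LOG_RE to match your own server), ranks unknown recipients that keep being hit as spamtrap-alias candidates, and flags source hosts that hit many distinct unknown recipients inside a short window. Real addresses and name-based aliases that actually deliver (the Fred@example.com case) are passed in as a set so they are never proposed as traps.

```python
"""Mine recipient-rejection log lines for spamtrap alias candidates and
dictionary-attack sources. Added example; log format is assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified format (not real Domino
# output): timestamp, rejected recipient, and the sending host's IP address.
SAMPLE_LOG = """\
2003-10-16 09:01:12 SMTP Server: Recipient <nosuchuser@example.com> rejected: not in Domino Directory, from 198.51.100.7
2003-10-16 09:30:40 SMTP Server: Recipient <aaron@example.com> rejected: not in Domino Directory, from 192.0.2.10
2003-10-16 09:30:41 SMTP Server: Recipient <abby@example.com> rejected: not in Domino Directory, from 192.0.2.10
2003-10-16 09:30:41 SMTP Server: Recipient <adam@example.com> rejected: not in Domino Directory, from 192.0.2.10
2003-10-16 09:30:42 SMTP Server: Recipient <fred@example.com> rejected: not in Domino Directory, from 192.0.2.10
2003-10-16 09:30:43 SMTP Server: Recipient <alan@example.com> rejected: not in Domino Directory, from 192.0.2.10
2003-10-16 09:30:44 SMTP Server: Recipient <alex@example.com> rejected: not in Domino Directory, from 192.0.2.10
2003-10-16 14:12:05 SMTP Server: Recipient <nosuchuser@example.com> rejected: not in Domino Directory, from 203.0.113.9
2003-10-17 02:55:19 SMTP Server: Recipient <nosuchuser@example.com> rejected: not in Domino Directory, from 198.51.100.7
2003-10-17 08:00:00 SMTP Server: Recipient <bob@example.com> rejected: not in Domino Directory, from 203.0.113.9
"""

# Assumed line shape; edit this pattern to fit the wording your server writes.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"Recipient <(?P<rcpt>[^>]+)> rejected: not in Domino Directory, from (?P<ip>[\d.]+)$"
)


def parse_log(text):
    """Return a list of (timestamp, recipient, source_ip) for each rejection line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("rcpt").lower(), m.group("ip")))
    return events


def spamtrap_candidates(events, real_addresses, min_hits=2):
    """Unknown addresses that spammers keep trying, most-hit first.

    Anything in real_addresses (true users, or name-based aliases that would
    deliver anyway) is excluded: trapping those would swallow real mail."""
    counts = Counter(rcpt for _, rcpt, _ in events if rcpt not in real_addresses)
    return [(addr, n) for addr, n in counts.most_common() if n >= min_hits]


def dictionary_attack_sources(events, window=timedelta(minutes=5), min_distinct=5):
    """Source IPs that hit at least min_distinct different unknown recipients
    within one window: the signature of a dictionary attack rather than of a
    stale harvested list. Returns {ip: sorted list of names probed}."""
    by_ip = defaultdict(list)
    for ts, rcpt, ip in events:
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct recipients seen from this host within `window` of `start`.
            seen = {r for t, r in hits[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                flagged[ip] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    # Constructed: fred@example.com delivers to Fred_Bloggs via name matching,
    # so it must never become a trap alias.
    real = {"fred@example.com"}
    print("Trap alias candidates:", spamtrap_candidates(ev, real))
    for ip, names in dictionary_attack_sources(ev).items():
        usable = [n for n in names if n not in real]
        print(f"Dictionary attack from {ip}; usable trap aliases: {usable}")
```

The output of the two functions is the list you then paste into the "Mail-in name:" field of the spamtrap database; the real-address filter is the step that keeps the Fred@example.com problem from the post out of your trap list.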
- Finally, for now, consider getting a few alternate Internet domains. This will not always be effective, but if an opportunity arises (as it did here a year or two back) to buy, say, a non-geographic variant of your domain, then take it (particularly if that domain has been used before). Say your domain is example.co.uk and example.com becomes available - that sort of thing.
Add it as an alternate Internet domain to your global domain document and set up MX so that one of your Domino hosts gets mail for that domain. Then sit back and wait to see who tries to deliver mail to what "users" in that new domain and (last time, from the top) add them as aliases to your spamtrap mail-in.
Phew. That was hard work. Well, no, not really, and now you have a growing library of real-life spam samples that were never a threat to any real users and which you can use to learn about spam and spammers, and what to do about them.
Next time (when I get round to it) - what to do about them.
Category: Domino: Administration