Hi Jim and the gang -

Ken - would you consider sharing exactly how you achieve such spam blocking
perfection??

Summary:

1. I run my own router.

2. I run my own server.

3. For all practical purposes I'm the only user on the server and none of the email makes me any money so I can afford to have a heavy hand with the blocking.

I block most of the world at the router so none of the spam originating out of China, Korea, Spain, Brazil, Argentina, etc. has any chance of getting through to me. For the purposes of my incoming email those parts of the world don't exist.

Likewise, I block huge chunks of U.S. and Canada cable and telco provider netblocks because the people in those netblocks should not be trying to send email directly; they should be sending it through their ISP's mail servers.

See http://www.kensims.net/blocks/blocklrt.shtml for my router blocks. The IP addresses in the netblocks in the "All protocols and ports:" and "TCP port 25 inbound (email):" sections cannot get past my router to my mail server.

On the server itself, the email addresses fall into three classifications:

1. Role accounts - of which I have only postmaster and abuse.

2. Private email addresses - email addresses, each of which is given only to a small group of individuals or to a single company or organization (or in one case a small group of related organizations) or to a single small restricted-membership email list.

3. Public email addresses - email addresses, each of which is used for something where it is publicly visible - the contact address on my website, the address I use for newsgroup postings, addresses used for mailing lists with a large membership, such as the midrange.com lists, and particularly the email address I use for domain registrations.

For incoming connections that get past the router, on the mail server I apply checks as follows:

1. If the host name in the EHLO/HELO command is one of my hosts (except the one that is allowed to send email), the email is rejected, regardless of who it is from or to. No legitimate mail server is going to pretend to be me.

2. If the host name in the EHLO/HELO command is invalid (invalid characters, etc.), the email is rejected, regardless of who it is from or to.

3. If the host name in the EHLO/HELO command is not a fully qualified domain name, the email is rejected, regardless of who it is from or to. This one blocks a lot of spam from zombied systems that identify as localhost or friend or something like that.

4. I reject all email from a few senders regardless of who the email is to. See the bottom section of http://www.kensims.net/blocks/blockles.shtml. This is based on the envelope sender in the SMTP "MAIL FROM" command, not anything in the email headers.

5. I reject anything where the recipient email address does not have a fully qualified domain name. This is based on the envelope recipient on the SMTP "RCPT TO" command, not anything in the email headers.

6. I accept email where the envelope recipient is a role account or a private email address. Emails to those addresses skip the rest of the checks in this list.

7. I reject email from envelope senders in the top section of http://www.kensims.net/blocks/blockles.shtml.

8. I reject email from IP addresses listed at http://www.kensims.net/blocks/blocklei.shtml. The result is that these netblocks can send email to my role accounts and my private email addresses, but not to my public email addresses.

No spammer should ever get any of my private email addresses. If they do, I immediately change the address, even if the email was not delivered because it was attempted with bad EHLO/HELO host name or something.

Likewise, if any of my public email addresses starts getting a lot of spam attempts, regardless of whether any are actually delivered, it will be changed. My domain registration email address gets changed about once a year. My midrange.com email address gets changed about every two years.

9. I reject email where the envelope sender does not have a fully qualified domain name.

10. I reject email where the envelope recipient is not a valid email address on my server. There are different error messages if it is a role account that I don't have or an email address that is no longer valid because it was recently changed or it is just a bad address.

11. I accept outgoing email from my own PC. This skips the next step.

12. I reject email to domains other than my own. This keeps my system from being an "open relay".

With these checks I'm sure that I do block some email that is not spam. But just because it is not spam doesn't mean that I want it. For example, if someone on this list were to email me directly with a question about this email and it were to be blocked, that wouldn't bother me. They should be asking the question through the list so that everyone can benefit from the discussion. And I make sure that I don't block David's netblock so that the emails of his lists can always get through.

Of the emails blocked at the server (not the router), where I can see the envelope sender and recipient, only twice that I can recall have I removed the block and emailed the sender and asked them to resend their email. On the others where I didn't do that, none of them emailed a role account requesting to be whitelisted. If it wasn't important enough for the sender to contact me through a role account, it wasn't important enough for me to be concerned about missing it.

In fact only once have I received a request to remove one of my blocks. That was a sender block. No email had been blocked, but the company found the block through a search engine and didn't want their name on my block page. I had blocked them because it was a company offering anti-spam services that had spammed the news.admin.net-abuse.email newsgroup. The person who contacted me lied about the newsgroup spam. The block is still in place on my server and still listed on the webpage.

I check the mail server logs daily. Spam attempts from a netblock that isn't already blocked will result in a block, either on the server or the router. My policy is "one strike and you're out" or actually "one strike and you're in [my blocklists]". Repeated spam attempts from a netblock blocked on the server *will* result in a router block unless there is some specific reason not to.

After this long, rambling email, aren't you sorry you asked? <GGG>

Ken
http://www.kensims.net/
Opinions expressed are my own and do not necessarily represent the views
of my employer or anyone in their right mind.
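The twelve server-side checks Ken lists, written out in order as a single SMTP envelope policy function in Python. This is an added example, not Ken's configuration or his actual block lists: the domain, addresses and netblocks are constructed placeholders, and the router-level country and provider blocks are outside its scope.

```python
import ipaddress
import re
# Constructed stand-ins for the block lists and addresses (hypothetical values).
MY_DOMAIN = "example.net"
MY_HOSTS = {"example.net", "mail.example.net", "www.example.net"}
SENDING_HOST = "mail.example.net"               # the one host allowed to identify as me
ROLE_ACCOUNTS = {"postmaster", "abuse"}          # check 6
PRIVATE_ADDRS = {"friends-2024"}                 # given only to a small group
PUBLIC_ADDRS = {"web-contact", "lists"}          # publicly visible addresses
BLOCKED_SENDERS_ALL = {"spammer.example"}        # check 4: rejected for every recipient
BLOCKED_SENDERS_PUBLIC = {"bulkmail.example"}    # check 7: rejected for public addresses only
BLOCKED_NETS_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]  # check 8
MY_PC = ipaddress.ip_address("192.0.2.10")       # check 11
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_fqdn(name):  # at least two dot-separated labels, each a valid hostname label
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)

def smtp_policy(client_ip, helo, mail_from, rcpt_to):
    """Apply checks 1-12 in order; returns (accepted, reason). Addresses are bare (no <>)."""
    ip = ipaddress.ip_address(client_ip)
    h = helo.lower()
    if h in MY_HOSTS and h != SENDING_HOST:
        return False, "1: HELO claims to be one of my hosts"
    if not re.fullmatch(r"[A-Za-z0-9.-]+", h):
        return False, "2: HELO contains invalid characters"
    if not is_fqdn(h):
        return False, "3: HELO is not a fully qualified domain name"
    s_local, _, s_dom = mail_from.lower().rpartition("@")
    r_local, _, r_dom = rcpt_to.lower().rpartition("@")
    if s_dom in BLOCKED_SENDERS_ALL:
        return False, "4: envelope sender blocked for all recipients"
    if not is_fqdn(r_dom):
        return False, "5: recipient domain is not fully qualified"
    if r_dom == MY_DOMAIN and r_local in ROLE_ACCOUNTS | PRIVATE_ADDRS:
        return True, "6: role or private address, remaining checks skipped"
    if s_dom in BLOCKED_SENDERS_PUBLIC:
        return False, "7: envelope sender blocked for public addresses"
    if any(ip in net for net in BLOCKED_NETS_PUBLIC):
        return False, "8: client netblock blocked for public addresses"
    if not is_fqdn(s_dom):                      # the null sender <> fails here too
        return False, "9: sender domain is not fully qualified"
    if r_dom == MY_DOMAIN and r_local not in PUBLIC_ADDRS:
        return False, "10: no such user"
    if ip == MY_PC:
        return True, "11: outgoing mail from my own PC, relay check skipped"
    if r_dom != MY_DOMAIN:
        return False, "12: relaying denied"
    return True, "public address"
```

Because check 6 returns before checks 7 and 8, a blocked netblock can still reach the role and private addresses, which is the behaviour described for the IP block list.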

