How to deal with SPAM and Unsolicited Commercial Email (UCE)

Spam is a plague. It's antisocial behaviour. Unfortunately there are no signs of hope, since the irresponsible assholes don't seem to die out.
You think this wording is too strong? Consider for a moment what would happen if we applied the spammers' business and ethics rationale (it's possible, therefore it's OK) to nuclear arms: they would sell them to every extremist, just because it's possible, therefore OK.
We'd all be dead by now. So: different business, same attitude. Wording too strong? I think not.

For a more analytical look at spam, read that essay. It also explains what spam is, in case you don't know.

So, since they won't go away, here is what you can do: a list of measures that will help, albeit with varying degrees of success.


1. Avoid making your mail address known

Try to avoid exposing your mail address. The more exposed it is, the more SPAM you'll get. Unfortunately, making your mail address known is part of what makes the internet usable.

Avoiding mailto tags in HTML

If you want to display your mail address in an HTML mailto link on a web page, here is a code snippet (using JavaScript) to hide it better from the harvesters. Users with JavaScript turned off will still be able to see the address, though it will not be clickable:

<script>
// Assemble the address at run time so the literal string
// "John.Doe@mydomain.net" never appears in the page source.
var myat = String.fromCharCode(64);   // 64 is the character code of "@"
var myadr = "John.Doe" + myat + "mydomain.net";
document.write("<a href=\"mailto:" + myadr + "\">");
</script>

John . Doe @ mydomain . net

<script>
// Close the link that the first script opened around the visible text.
document.write("</a>");
</script>

Use a keyword in the subject line

The second (weaker) option, if you don't like JavaScript, is to add a keyword to the subject line, best in combination with a mail alias. Then you can filter out all mails that do not have that keyword. This may fail though, because users may edit or change the subject line. Here's how to do it anyway:
<a href="mailto:alias@mydomain.net?subject=[keyword]:%20Do%20not%20change%20the%20subject%20left%20of%20the%20colon.">mail to me</a>

Use a CGI mail form

Alternatively, use a CGI mail form so that the address never appears on the page at all.

Never reply to opt-out requests

Spammers sometimes claim you can opt out so that you no longer receive their spam. First and foremost this will do one thing: prove to the spammer that your mail address is valid and actively being read. So it's probably a bad idea, especially since the legislation concerning opt-out differs internationally. The only exception to this rule is web sites that you have registered with that offer such an opt-out mechanism (such as Yahoo or eBay), since they know your mail address anyway.


2. Filter the SPAM on the Mailserver

Blocking spam on the mail server is by far the most effective way to deal with the problem. Because:

  1. You don't have to download the spam to your client machine
  2. It's automatic: you don't even get to see it
You need control over the mail server to be able to do this though (e.g. root access).
Note that I say blocking, not filtering. The difference is this: if you filter, you silently delete the mail (or move it to a spam folder). That means that to the spammer, it will appear as if your mail was delivered and your mail address is valid: more spam will come. This also has the downside that you may lose mails due to false positives.
Blocking means that your mail server sends an error message during the original SMTP communication. This has the following advantages: if the spammer does a cleanup of his lists, it's more likely for your mail address to be removed. The mail will not be delivered fully, which saves resources (processor time, bandwidth, storage). In case of a false positive block, the sender will get an error message and will thus know that the mail did not reach the intended recipient (he can thus contact you otherwise).
The strategy I found to be most effective (if you have a smaller site of users) is a combined whitelist/blacklist approach:
  1. Whitelist all known email addresses of my users (and automatically add all addresses that they send mail to)
  2. Any mail that's still left after that is subject to very strict scrutiny, e.g. a lot of realtime blacklist checks, etc.
This results in very few false positives, because most senders are known. It also results in very few spams coming through, because the IP-based blacklists are quite effective.

How to whitelist all your known senders with Postfix

Write a script that collects all addresses your users send mail to and writes them to a file. An example shell script is here: make_global_mailadr_whitelist.sh
You need to adjust it accordingly and then run it with an hourly cron job.
Add the following entry to the smtpd_recipient_restrictions list in Postfix's main.cf:
check_sender_access hash:/etc/postfix/uce_spam/global_whitelist
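As an added illustration of the whitelist script described above (this is not the page's own make_global_mailadr_whitelist.sh), the following POSIX shell script extracts from Postfix's syslog-style mail log the external addresses that local users have sent mail to, and emits them in the "address OK" form that check_sender_access expects. The local domain, the log path /var/log/mail.log and the sample log lines are assumptions; only recipients of mail that originated from the local domain are collected, so a stranger who merely mailed one of your users does not whitelist himself.

```shell
#!/bin/sh
# Added example (not the page's make_global_mailadr_whitelist.sh): build a Postfix
# check_sender_access map from the addresses our own users have written to.
# Assumes Postfix logs "QUEUEID: from=<addr>" and "QUEUEID: to=<addr>" lines; the
# two are correlated by queue id so that only outbound mail counts.

LOCAL_DOMAIN="${LOCAL_DOMAIN:-mydomain.net}"   # assumed local domain

# Constructed sample log lines; a real run reads /var/log/mail.log instead.
sample_log() {
cat <<'EOF'
Jan  5 10:00:01 mx postfix/qmgr[123]: 1A2B3: from=<alice@mydomain.net>, size=1200, nrcpt=2 (queue active)
Jan  5 10:00:02 mx postfix/smtp[124]: 1A2B3: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 OK)
Jan  5 10:00:02 mx postfix/local[125]: 1A2B3: to=<carol@mydomain.net>, relay=local, status=sent (delivered to mailbox)
Jan  5 10:05:00 mx postfix/qmgr[123]: 4C5D6: from=<bulk@spam.example>, size=9000, nrcpt=1 (queue active)
Jan  5 10:05:01 mx postfix/local[125]: 4C5D6: to=<alice@mydomain.net>, relay=local, status=sent (delivered to mailbox)
EOF
}

# stdin: mail log; stdout: sorted "address<TAB>OK" lines ready for postmap.
extract_whitelist() {
    awk -v dom="$LOCAL_DOMAIN" '
        function addr(f) { sub(/^(from|to)=</, "", f); sub(/>,?$/, "", f); return tolower(f) }
        function is_local(a) { return substr(a, length(a) - length(dom)) == ("@" dom) }
        {
            qid = $6; sub(/:$/, "", qid)                 # field 6 is "QUEUEID:"
            if ($7 ~ /^from=</) { if (is_local(addr($7))) outbound[qid] = 1 }
            else if ($7 ~ /^to=</) rcpt[qid] = rcpt[qid] " " addr($7)
        }
        END {
            for (q in outbound) {                        # only locally originated mail
                n = split(rcpt[q], list, " ")
                for (i = 1; i <= n; i++)
                    if (list[i] != "" && !is_local(list[i])) seen[list[i]] = 1
            }
            for (a in seen) print a "\tOK"
        }' | sort
}

build_whitelist() { sample_log | extract_whitelist; }   # -> "bob@example.org\tOK"

# Cron usage: ./make_whitelist.sh /etc/postfix/uce_spam/global_whitelist
# The text map must be compiled with postmap before Postfix can use it as hash:.
if [ $# -ge 1 ]; then
    extract_whitelist < /var/log/mail.log > "$1.tmp" && mv "$1.tmp" "$1"
    command -v postmap >/dev/null && postmap "hash:$1"
fi
```

Note that a sender whitelist keyed on the envelope sender is bypassed by anyone who forges a whitelisted address, so keep the list to addresses your users actually correspond with rather than whole domains.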

Block mails from IP-based realtime blacklists

If you have control over your SMTP mail server configuration, enable the use of an open mail relay blacklist. Almost all spam originates from either open mail relays or dialup IP address ranges of Internet providers (such as AOL). See the Open Relay Database for details. This will weed out 90% of the spam, while not a single important mail gets lost (it may bounce back to the sender though, in which case he can take appropriate action). There are several blacklists; choose the ones that suit you:


Here's some Postfix sample code to include the blacklists. Check that each list is still in operation before relying on it: several of the zones below have since been shut down, and a defunct zone can end up answering every query positively (as relays.ordb.org did after it closed), which would reject all incoming mail.
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client relays.ordb.org,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client combined.njabl.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client dul.dnsbl.sorbs.net,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client opm.blitzed.org,

If you combine that with the whitelisting above in Postfix's smtpd_recipient_restrictions (list the check_sender_access whitelist before the reject_rbl_client entries, since Postfix evaluates the restrictions in order and stops at the first one that permits or rejects), you'll catch most of the current spam.

Filter SPAM in your mail account on your mail server

There are many ways to filter mail. Preferably you'd want to do it on the mail server, thus avoiding having to download the SPAM (in case you have a dialup line). Some of the more successful methods are:

These tools may require a Unix/Linux mail account and some flexibility in configuring it.

Filter SPAM on your client machine

As a last option (if you have no control over your mail server), you can filter mail as it arrives on your client PC. Part of the damage is already done at this point, because you have to pay for the mail being downloaded to your machine. Another downside is that at this point in the mail processing chain, some of the information a mail server has (such as the connecting client's IP address) is no longer available to the spam filter program, so the filters can only work content-based.
If you have a Windows client, try Spampal.


3. Report it

This is most often a waste of time, but if you feel like it, complain to the provider of the mail server that delivered the spam and to the ISP that hosts the advertised domain. Usually their acceptable use policy (AUP) forbids sending spam and they may be able to take some action (at least cancel the account). This makes it more difficult for spammers, as they have to switch ISPs all the time (and they may get sued by the ISP for violating the AUP).
Send a complaint with the full mail, including all headers, to abuse@ISP.domain or postmaster@ISP.domain.

If you are able to identify the spammer (because the website is advertised in the spam), you may try to sue them or charge them by sending them an invoice. Some people have been doing that with varying degrees of success; depending on your country's legal system, your mileage may vary. This usually only works if the spammer resides in the same jurisdiction (country).