What are some of your favorite spam fighting tips?

Pegasus Mail (free, powerful) also has a built-in spam filter, both Bayesian and content-based. For us it works beautifully.

Re John's question about hiding your email address on a website, I know of a few general methods. One is to post the address as a graphic. Some email harvesters can understand graphics, so you might have to use a funky font or colors. Another is to spell it out, like so: k a r l a t g m a i l d o t c o m or some variation. Another way is to use a web form, so the user never sees an email address. Another way is to use some kind of encryption tool like Enkoder.

Karl

I give my email address out to everyone, and I hardly have a problem with spam. The only problem account is an old edu one, which forwards to my gmail one.

For my personal use, I use Thunderbird + Gmail + Spamcopper. Gmail catches the vast majority of spam, and Thunderbird's adaptive filter catches the rest. I then use Spamcopper to automatically report the limited amount of spam that might have actually gotten through. I often follow up with abuse departments in the United States to shut down local spammers. (I'm about to point my Gmail to a personal IMAP server so I can easily check it on Thunderbird with multiple computers, but that's another post)

For work, I have gazillions of solutions, depending on the size, budget, and spam load of the company. For a company that, say, needs spall business server, I make sure it has the latest Exchange SP2 and enable SPF, blacklists (only conservative ones, such as Spamhaus), and install IMF updates. This usually does the trick for the vast majority of small business users, unless there is one person who basically just writes his email address on every bathroom wall.

If this isn't enough, I might couple the above solution with a Barracuda service, such as OCHosting's SpamSTOP (<$10/mo/domain for unlimited accounts) or GFI's Mail Essentials. GFI's bayesian filter works quite well and is a godsend for companies that are stuck with Exchange 2000 and can't upgrade. Vamsoft's ORF is also a good solution for Exchange 2000 users. (100 - 1000 user solutions are a completely different discussion).

For super small companies (<10 ppl) I usually just suggest going to ICDsoft, buying and account, and then enabling SpamAssassin globally for all accounts. Once that's done, I'll just create a rule (e.g. in Outlook) that puts all [SPAM] tagged email in a POTENTIAL SPAM folder. For truly difficult people who POP dozens of email account and aren't always sure where the spam is coming from, I'll suggest Cloudmark if they're using Outlook. They're usually more than happy to pay the ~$30 for the desktop license. If, for whatever reason, they don't wanna shell out ~$30, then I'll tell them to religiously update their "adaptive junk mail filters" on Outlook (if they're using Outlook 2003) and/or install a free program like SpamBayes.

I've used several MX filtering solutions (MXlogic, SpamSoap, Postini, etc). All of these work pretty well. Each has its own "flavor", and each company should probably try it out for a month or so. Almost every company nowadays has some sort of money back guarantee on these MX filtering solutions.

Bottom line: personally, all the "free" solutions are more than enough for me. The "free" solutions are usually enough for others, but when they complain, I tell them that getting that last 1% of spam that gets through is going to cost them dearly. If their time is that important, then they'll splurge.

Hi Susan, I just found your article, and even though it's a tad dated, it's still an important helper in the anti-spam community.

I've setup something called a Piratefish anti-spam system to block spam coming into my system - the Piratefish is sold as an ebook guide that's focused on building an anti-spam server using open-source Linux. It combines spamassassin, mailscanner, clamav and webmin into an easily managed anti-spam system.

The ebook was written with the Windows user in mind, so folks without Linux experience can follow the instructions and build an anti-spam gateway without any previous Linux experience.

It can be downloaded at www.piratefish.org

Just an FYI, the Piratefish has been updated - it's now at version 3.01 - and it uses Ubuntu Server 7.04 now. http://www.piratefish.org

We use Sentry, which is a pice of hardware. It uses the bayesian filter or you can just block every email coming to your box and have the user verify that they are legit. It works well for us.

Just another 2cents:

I'd recommend www.addressmunger.com
to easily change your mailto: links on your page. Just copy and paste and you've obfuscated your emails for spammers.

Also, I've had good luck using postini through a local ISP - we don't receive the enterprise version but piggy-back on the service they provide for their users. Your mileage may very but I'd recommend postini which at least for us is a low cost - highly effective solution. (The recent purchase by google hopefully improves services as well, with the possibility of a free solution..?)

Good luck out there!

I am a bit surprised or perhaps I missed it, in your tips for avoiding spam I do not see the suggestion to use BCC in group emailing. Additionally, remove any previous emails if you do choose to forward.

Disclaimer: I run a IT consulting firm in Raleigh, NC and provide paid support to non-profits. Connected NC

Short & Sweet Answer -

Filtering --
What I have found to be the most effective way of dealing with SPAM for my clients is to utilize Google's free Apps service. This service is free and provides the same level of SPAM filtering as you would receive if you had a @gmail.com account. I haven't seen a better catcher yet.

Preventing --
So...if you run a mail server for your organization (other than a hosted solution) then I think it's best to make users authenticate to send mail.

Googles free apps, like gmail, do have free options, but they also have limits - unless you want to pay $50 per year per user. That's still not unreasonable, but it's not quite the same as hosting your own server.

Fighting spam by handing it over to Google, is like firing your IT staff and telling employees to take their PC's to CompUSA or calling the Geek Squad. It will be cheaper, but the service isn't as good.

There are major privacy concerns when a company hands over core operations to other companies. Smaller organizations, like Banks, Credit Unions, and even small hospitals and medical offices can't do that or trust them without taking some major hits on their IT audits, and can't do this legally without going to the larger hosted mail handling firms, and they charge more like $15/user/month at the low end - more if you want anti-spam too.

Bringing spam fighting in house is not that hard, and depending on what you want to do/pay is up to you.

Most anti-virus programs have anti-virus aspects - programs like Zone Alarm Internet Security Suite are actually pretty good at it in fact.

For a network, on the low end you can roll your own using Linux or Windows, or buy a low-cost how-to like from Piratefish.org for $67 - even gets some support too, and build it yourself using Linux.

On the mid-end, you can add in Anti-Spam software to most email servers, like Microsoft Exchange, or Kerio Mail Server and even the free Centos+BlueQuartz os that I use for hosting and email.

On the appliance solution side, you can run with a low cost Barracuda 100 appliance for under $1000 and have the nice gui, phone support, Etc.

As for best practices, there's lots of things people should do:

* Never pass on that email from your Aunt Adele that has 50-60 other email addresses in it without cleaning all that crap up first.
* Never post your email address online unless you're ready to get spammed.
* Never enter an online contest with your real email address - make throw-away aliases on your mail server for that stuff. You'd never believe it if you won anyway.
* On business websites, don't post personal email addresses unless you encode them into an image - putting them directly into the HTML page makes them indexable and findable using search engines and spider programs.
* Be sure that your network has a proper SPF record. Without it, people will be able to send emails in your name from any server on the Internet. Inbound SPF filtering will prevent many of the emails from phishermen from getting to your users. The Piratefish and Barracuda have this.
* Use filtering technology on your email to prevent you from seeing non-related website links without warning text. If someone from aol.com sends me a link to banking.com, those links are highlighted with phishing warnings since only people@banking.com should be directing me to their site. The Piratefish and Barracuda do this.
* Setup your email filtering to include PDF and image scanning. This way, spammy language can be detected in pictures contained in email attachements. The Piratefish does this.
* Use DNS blacklists to prevent known high-volume emailers from getting junk into your inbox. Just about every spam filter on the planet does this.
* Secure the process of receiving email and sending email using SSL and TLS if possible. This helps prevent exposure of message content on potentially unprotected networks.
* Be wary of using shared hosting services that offer Linux shell accounts to users. If the hosting company offers that level of access, ask them specifically if those servers have "jails" for each website. If they do not, don't use them. Hosting without jails leaves all content on the server ultimately accessible from any Linux command line.
* Clean your PC. Spammers can spam because people in the world don't know how to clean up their mess, and leave it connected. Those machines contribute to the mess. Use Spybot S&D, install JavaCool Software's SpywareBlaster (a good preventative). Free anti-virus like AVG Free work, but right now Kaspersky and Zone Alarm Internet Security Suite are the best - they both use Kaspersky's AV engine - and it protects against new threats faster than anyone elses solutions.
* If you run a network firewall, be sure to limit outbound access on port 25 to your mail server only. Large businesses should not be permitting port 25 outbound from workstations - since that's an email delivery port, only email servers should be using it. All firewalls should be configured to control the outbound traffic - and not just block inbound traffic, and let all outbound out. It's this type of "security" which has led to the situation we're in today. If you need help here, contact my employer about getting protected. Cadamier Corp.
* Consider suing the senders of spam. This sounds crazy, but in the USA, if the sender is here in the US, they must abide by the CAN-SPAM act, and there's some people who have taken up the practice of suing spammers. I actually have a good case against CMP networks myself right now, and all it takes is a small claims court setup, a form letter sent via certified mail, and you're set. Present evidence that you've asked and asked them to remove you, and show them your most recent messages. In Colorado, I can sue for $1500 and they won't even fly their lawyers out for it - and that's $1500 in your pocket. Others have done it, you can too - just be sure not to bite off more than you can chew.

As an IT consultant, I've found a great SPAM solution and it's OPEN SOURCE. I use it on all my mail servers.

ASSP antispam works wonders! It combines many forms of anti spam to make a wonderful (user adjusted -some like more spam) spam filter.

If you combine it with Mailshell's sink event for exchange, it will auto-move all spam to your spam folder (and auto delete as well!).

Aaron Gill (DC)
www.3-it.com

For any of you who administer discussion boards such as vbulletin, etc., I have one tip to share - we had abour 10 - 15 spambots attempting to join the board each day, for the purpose of posting links to pharmaceuticals, porn, etc. We had to screen new applicants individually.

Then, we renamed our register.php file and edited everything of ours that pointed to it. We did that in January 207 and not one spambot has attempted to register since then.