Having had previous success with the Great Wall of Spam and DSPAM, I was still a bit annoyed by the amount of spam making it to the DSPAM quarantine, and so to be periodically scanned and a small number of false positives permitted through.

I'd been hearing a bit about Greylisting, and Mike had had some good results with it, so thought I'd give it a go. A wee mail SNAFU last week was the trigger, and I installed qgreylist as a layer between IP blocking and DSPAM.

The way it works is like this: SMTP is designed to be tolerant of downtime of the recipient mailhost. So if a sending hosts discovers a problem, it'll wait a bit, then try again (and if it still has a problem, will wait for a longer time and try again - repeat for a few days until finally giving up). However, spam-sending software is designed for maximum volume throughput, not maximum %age reaching destination, both for not sweating the small stuff reasons, and because spam-senders tend to get blackholed within a few hours. So generally, it doesn't follow this part of the SMTP protocol.

So what happens when you deliberately cause a temporary problem to every piece of mail? Spam generally doesn't get repeated - it disappears before reaching your MTA. As long as you keep a track of mailservers that have tried to send you mail, and accept mail the second time around, real mail still gets through.

The results are impressive: my average 60-80 spams a day has been cut to around 10. Checking the DSPAM quarantine is no longer a nightmare if you leave it a few days. And as far as I know, no real mail has been lost.

So it would seem that our friendly neighbourhood 419 scammers have updated their lists of widows of former leaders who've (allegedly) stashed large sums away, and just need a friendly person wishing to smuggle it into the UK.

I received one today, which started:

Dear Intending partner

This mail may not be surprising to you if you have been following current events in the international media with reference to the Middle East and Palestine in particular.

I am Mrs. SUHA ARAFAT, the wife of YASSER ARAFAT, the Palestinian leader who died recently in Paris.

DSPAM rightly quarantined it, estimating probability of spamminess at 1.00000 with a confidence level of 99.97%.

Honestly, I'm expecting to get one in a few weeks time claiming to be the Pope's secret widow...

You now can't email me from Brazil either...

If you're using a mail host in China and Korea, you can't email me any more, sorry.

Spammers use all kinds of tricks to try to get their mail through spam filters - forged addresses, additional faked headers, obfuscated subjects, adding lists of non-spammish words or even whole jokes. But this one took the biscuit.

Sender Policy Framework - a useful way to reject obvious spams from forged addresses before they hit a computationally intensive classification filter. The acronym association with Sun Protection Factor is intentional, apparently.

http://spf.pobox.com/

Reasonably good OpenSource spam filter, using both heuristic and statistical methods. Not as good as a trained DSPAM instance, I've found.

http://spamassassin.apache.org/