This is True
Randy Cassingham

Randy Cassingham's Blog

Historical Details and Author's Notes from This is True®
— Weird News Online Since the Internet's Dark Ages.

How I Beat Spam

...Without Having to Change My E-mail Address

My e-mail address has been around online for many, many years, and it gets a lot of spam -- many hundreds per day. For most users, spam far outstrips legitimate mail. It was in 1996 that I realized that spam would become a huge problem, which is why I wrote my Spam Primer to educate my readers about it. And sadly I was right: it's estimated that more than 90 percent of all e-mail transmitted is spam. And how many of them get to my inbox? Lately, I'm averaging less than one a day.

That's right: I beat spam, and without changing my e-mail address.

About this point, a lot of you are wondering "HOW?!" How much of my solution you can put into place depends on your setup, your access to filtering, and your technical expertise, but you can certainly do a lot of what I do. I'll explain everything as best I can; if you're fairly techie, you'll perhaps find it simplistic, but I know even with full explanations (and some links for more information), some will find this over their heads. If that's you, stick with it: you can still learn a good part of it; it's not all that technical!

The best part? I did it without having to change my e-mail addresses. I didn't even have to make any changes to my DNS records; not even the MX.

Part one I did years ago: the server company I was using didn't support any spam filtering. If I wanted some sort of spam filtering package, I had to install it myself, configure it myself, and maintain it myself. If I screwed something up, they wouldn't help. The only thing I felt qualified to do myself was "procmail recipes", which is fairly nerdy but easy enough to do if you spend some time learning it. When you see a pattern in the spam, you can write a "recipe" to reject it or dump it. What I wanted was a more "intelligent" solution, and one was available: SpamAssassin.

Since my server provider wouldn't support SpamAssassin, I left them for another provider that would, and life got better.

SpamAssassin

Step 1 was using SpamAssassin. Since it's my own server, I have the ability to customize the "rules" that SpamAssassin uses, and what I learned in doing procmail ("regular expressions") directly applies. So not only can I easily block all mail from specific domains (which is of only limited use), but I can, for instance, block mail that has that classic line, "If you believe this is spam, click..." -- yeah: I believe it! If that phrase is in a message, it gets a few points toward "spam status". If a message gets enough points -- passes a threshold I can set myself -- it's dumped.

But I'm the author of the Spam Primer: what if someone wants to legitimately ask questions about spam, using examples to ask a question? I'd want to get that mail, so I have programmed a "password" that people can put in the subject line. It's currently "hammer": if that's in the subject line, the message gets through even if there are dozens of "forbidden" phrases in there. (Turns out "hammer" isn't the best word to use, since some porn spammers like to use it in the subject line, so I'll be changing it when I get around to it. The current password is always shown on my Contact page.)

But SpamAssassin Isn't Enough

After a few years of running SpamAssassin, my spam numbers were creeping up. The folks behind SA do revise it from time to time, but they really can't keep up with the tactics that spammers use: they are always finding ways around its rules, and they can move faster than the SA volunteers. Clearly, it was time to up the ante.

I've long recommended Google's Gmail to my readers as the best free webmail service. Not only does it not have ads that flash in your face (which I hate), but they have long been the best at spam filtering. If something does get filtered, it goes into a spam folder so you can recover it. Yes, other webmail services do this too, but I've found Gmail does it best.

But there are definitely problems with using free webmail services: they're free, and if something goes wrong, you can lose all your mail and contacts (address book). I've heard the fewest bad reports about Gmail, though even they aren't guaranteed to not screw up. Next is Yahoo -- they do better than most, but I've heard a lot more reports of problems there than at Gmail. (And they have irritating ads, unlike Gmail's simpler not-in-your-face ads.) But most of the horror stories I've heard center around Hotmail, which is run by Microsoft. (For more on the dangers of free webmail services, see Are free email services worth it? on Ask Leo!)

I not only run an online business, but it's centered around legitimate e-mail publishing -- free and paid subscription newsletters. Thus e-mail is extremely important to me: I need to get messages from readers, yet not be distracted by the huge flow of junk.

Gmail is great because there's a full-time staff of smart people at Google constantly looking for new spammer tricks and patterns, and updating their filtering algorithms to keep that junk out of our inboxes. So I want to use Gmail, even though there's a risk in using free webmail services, as Leo explains. What to do?

I've figured out a way to get the best of both -- my own server's filtering and Gmail's benefits -- without having to risk my business if something happens to Gmail.

My Hybrid Solution

I've long had a Gmail account for testing, playing, and to have an address to give online merchants I don't trust a lot, but in April I switched all of my mail there. But I didn't change my address to my Gmail account; I forward it there. Here's how:

  1. Mail still comes to my thisistrue.com addresses, and still gets filtered by SpamAssassin, which gets most of the spam.
  2. After that filter pass, I've set my server to forward any mail that gets through to my Gmail address, but still keep a copy on my server -- that latter step is important, as I'll explain below.
  3. I've set my computer's mailer software to get my mail from Gmail via POP, instead of my server. My Blackberry is also set up to get my mail from Gmail, rather than my server (though it uses IMAP).
  4. I set up Gmail to delete mail from its inbox once it's successfully downloaded to my regular mail program (Settings → Forwarding and POP/IMAP → choose "delete Gmail's copy" on the line, "2. When messages are accessed with POP".)
  5. Last, I set up Gmail to send mail "From" my regular thisistrue.com address. This is easy to do: Google's instructions are here. Even if I use Gmail's web interface, my regular thisistrue.com address is the default "From" address.

Google's spam filtering is excellent, but it's important -- especially during the first few months -- to "train" the filters according to your own mail flow. That is, if it lets spam into your inbox, click the "Report Spam" button on that message, and if it puts legitimate mail into the spam folder, open it and click the "Not Spam" button. It's extremely important that you never use the "Report Spam" button on e-mail you asked to get: that screws up the anti-spam formulas for others. Use the proper "unsubscribe" function and only mark it "spam" if that doesn't work.

I've been very careful to properly "train" Gmail's spam filters. The result? It's now extremely rare to get spam in my inbox. It's down to 2-4 per week. It's also quite rare to get legitimate mail in my spam folder -- that's down to 4-6 per week. And it's not a huge deal to go through the spam folder, since most of my spam is deleted by my server's SpamAssassin long before it gets to Gmail.

I watch for patterns in the spam folder, too. I was noticing a lot of Cyrillic (Russian) subject lines. It's all spam, and I didn't want to have to wade through it again and again. I searched Google for help in filtering it, found a SpamAssassin rule to use, and added the two-line rule on my server -- and the Russian spam was all gone, just like that.
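The point scoring described under "SpamAssassin" above (phrase rules, a threshold, the subject-line password) and the Cyrillic-subject rule, modelled as an added Python example; it is not SpamAssassin's code or the author's actual rules, and the rule names, point values, threshold and the bulk-mailer.example domain are assumptions. It also shows why a Cyrillic check has to decode the subject first, and that the password override lets through spam that happens to contain the word.

```python
import re
from email import message_from_string
from email.header import Header, decode_header, make_header

THRESHOLD = 5.0      # assumed; the page only says the threshold is configurable
PASSWORD = "hammer"  # subject-line password quoted on the page

# (name, field, pattern, points): names, points and the domain are constructed.
RULES = [
    ("BELIEVE_SPAM", "body", re.compile(r"if you believe this is spam,? click", re.I), 3.0),
    ("BLOCKED_DOMAIN", "from", re.compile(r"@bulk-mailer\.example\b", re.I), 3.0),
    ("CYRILLIC_SUBJ", "subject", re.compile(r"[\u0400-\u04FF]{3,}"), 5.0),
    ("SUBJ_PASSWORD", "subject", re.compile(r"\b%s\b" % re.escape(PASSWORD), re.I), -100.0),
]

def decoded_subject(msg):
    """Decode RFC 2047 encoded-words; on the wire a Cyrillic subject is ASCII."""
    raw = msg.get("Subject", "")
    try:
        return str(make_header(decode_header(raw)))
    except (LookupError, UnicodeError):
        return raw  # unknown or broken charset: fall back to the raw header

def score(raw_message):
    """Return (total points, names of rules that hit, dumped?)."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    fields = {"subject": decoded_subject(msg), "from": msg.get("From", ""), "body": body}
    hits = [(name, pts) for name, field, rx, pts in RULES if rx.search(fields[field])]
    total = sum(pts for _, pts in hits)
    return total, [name for name, _ in hits], total >= THRESHOLD

def sample(sender, subject, body):
    """Build a constructed test message (not real mail)."""
    return "From: %s\nSubject: %s\n\n%s\n" % (sender, subject, body)

PHRASE = "If you believe this is spam, click here."
SPAM = sample("deals@bulk-mailer.example", "Great offer", PHRASE)
ONE_HIT = sample("friend@example.org", "Newsletter", PHRASE)
QUESTION = sample("reader@example.org", "hammer: is this spam?", "It says: " + PHRASE)
CYRILLIC = sample("x@example.net", Header("Выгодное предложение", "koi8-r").encode(), "text")
ABUSED = sample("deals@bulk-mailer.example", "Hammer time deals", PHRASE)

if __name__ == "__main__":
    for name in ("SPAM", "ONE_HIT", "QUESTION", "CYRILLIC", "ABUSED"):
        print(name, score(globals()[name]))
```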

In Case of Emergency

Last week Google had a well-publicized several-hour outage, which only affected a moderate percentage of its users. (It was well-publicized because it is so rare.) The point is clear: it happens, even to Google! And worse could happen, or your password may be stolen, or you otherwise get locked out of your account. If all you had was Gmail, you could be in real trouble. As I said, my mail is very important to me, so I want to ensure I don't lose it, even if I lose access to my Gmail account permanently. It's unlikely, true, but it would be catastrophic to me if I lost several days, or weeks, of mail. I just can't risk that.

Remember I said that when I was setting this up, I set my server to forward all mail, but keep a copy? That's in case of a problem like this. If I lost access to Gmail for any reason, all I have to do is set my computer's mailing software (and my Blackberry) to switch back to my server to get mail, and I'm instantly back in business again until Gmail fixes the problem.

Doesn't my server-based mailbox get full? It has a huge quota, but even with that the server would eventually run out of disk space, so I go in weekly and delete mail that's more than a month old. (Next step: set up a program in the server to do that automatically.) So I get all the benefits of Gmail's excellent filtering without having to worry about the risks of using a free webmail service.

One Caveat, and a Summary

A tiny muss when using Gmail to send mail "from" your regular address: any mail sent through Gmail's SMTP (outgoing mail) server has a header --
     Sender: my.address@gmail.com
-- which I can avoid by having my computer's mail program use my server's SMTP server to send mail, and thus I don't have that header on my mail. But really, so what? I don't really care if people who know how to view Internet routing headers see what my Gmail address is, since all my mail ends up there anyway now. And if it changes later? *shrug*! -- they should send mail where I say, and if they don't, any bounces should give them a clue.

So there you have it. I get around 200 legitimate e-mails per day, and somewhere on the order of 300-500 spams. A good 90-95 percent of the spam is filtered out by SpamAssassin, and then all the remaining mail is forwarded over to Gmail, where it's filtered again, leaving me a small number of spams to look through once a day. If I see something miscategorized, I "train" Gmail to do better. If I see spam patterns, I can add a rule to SpamAssassin to filter it before it gets to Gmail, so I don't have to look through it anymore. The result: virtually no spam gets downloaded into my desktop mailer's inbox anymore. And that, my friends, is how e-mail should be!

If you're completely non-technical, you can get most of the benefit by switching to Gmail and "training" it carefully with the "Report Spam" and "Not Spam" buttons. And remember: never buy anything from spammers: that just encourages them to send more. Be sure you've read my Spam Primer so you understand the dangers. If you don't, you can fairly easily lose your savings, or allow your computer to be turned into a spammer's robot to spam or attack others. It's not something you can ignore.

- - -


Most Recent Comments

Posted by Don, Palo Alto, CA on September 17, 2009:

I've come to your site multiple times in years past to review your anti-SPAM tactics and I am happy to see that I've come to a nearly similar solution as you.

One option to take advantage of the Google/Gmail filtering is to use Postini. I work at a 20-person company and SPAM was killing us. We tried a few third party vendors and finally settled on Postini. They have been providing Google with the anti-SPAM tech for years (as of about a year ago were purchased by Google). You can have your MX record routed through them to get all the latest filters, anti-malware protection, etc. Of course, there is a monthly fee, but I always found it to be reasonable. In my situation, I'd rather pay the few dollars a month than spend a few hours a month updating software and filters.

Thanks again for your insight.

---

I'm definitely not up on the available solutions for larger organizations; my solution is more geared for individuals and small businesses. So thanks much for helping those too big for this idea. -rc

Posted by Anthony, Netherlands on September 19, 2009:

I used to get an exponential increase in spam in my work inbox after returning from vacation. I was curious about it and after a very brief google search I came across the reason. Spam Primer rule number 2 "never, never, ever reply to spam".

I NEVER do, even if I am mildly curious about the product. One thing, however, I ALWAYS do is turn on the Microsoft Office out of office assistant before leaving on vacation or a business trip, which replies to every incoming message. This would validate my address as an active account to the Spamkers, would it not? Thus resulting in the huge increase in crap I get in my inbox.

---

Vacation autoresponders are evil. -rc

Posted by Kermit, Florida on December 14, 2009:

How can I get the precise instructions for filtering my email through gmail?

This breaks down into two questions.

(1) How can I automatically send a copy of my email in my ISP's account to my gmail account?

(2) How can I automatically send email that has been sent to gmail back to my ISP's account?

---

Exactly how to do #1 depends on your ISP, what they allow you to control, and what software they have running on their servers, and it's impossible for me to give instructions for every ISP out there. The basic thing you need to do is forward a copy of incoming (and preferably already-filtered) mail over to your gmail account.

As for #2, you don't want to -- because then you'll be in a loop with copies going back and forth forever. I no longer check my own inboxes, only gmail's (and I've set up a routine to automatically delete the mail on my server after X days, so that I have a backup in case of gmail outage or failure). I have also set up gmail so that if I send mail, it comes "from" my regular e-mail address, not my gmail address, so there's no confusion over what my preferred address is. -rc
