I've had my main email, run on a semi-private server since before 2000, and have used it for every bloody subscription signup and login imaginable since. Not to mention that the web site it used to be associated with used to get hit by scrapers and I'd never protected my DNS record (to do so now would be ridiculously ineffective), although my email is linked to a specific domain using an SPF record. Some stupid email systems don't check the SPF record to see if a faked email using my address follows the SPF record and send me a bounce message anyway - I count those as part of the total.

I set up the system in the email to do several things:

1. Only allow whitelisted email addresses thru to the inbox, everything else should initially be considered spam.
2. If it's using my email address and isn't from my email server's IP, it's automatically spam and goes to /dev/null.
3. They run SpamAssassin on every email, which leaves the tags of each test in the email header. I don't use SA's ranking system. If it contains any of the following, it's automatically spam and should be sent to /dev/null - especially RDNS_NONE, which basically means from an open relay (99% of them): URIBL_ABUSE_SURBL, URIBL_DBL_SPAM, URIBL_INV, URIBL_SBL, URIBL_SBL_A, URIBL_DBL_ABUSE_SPAM, URIBL_DBL_ABUSE_REDIR, RCVD_HELO_IP_MISMATCH, HELO_DYNAMIC_IPADDR, HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_SPLIT_IP, RDNS_NONE, RDNS_DYNAMIC, URI_ONLY_MSGID_MALF, BOUNCE_MESSAGE
4. Barring those, I also check the IP address my server received it from, which is really hard to spoof, and I check it against a mini DNS lookup of sorts that I've been building since April. It converts the IP to a parent domain (that you see in the graphic). If the parent domain is on a special block list, send it directly to /dev/null.
5. Last test, if everything else passes, I check a list of email address partials (some include before the '@', some include the faked domain). If any part of the 'From:' matches anything on the list - /dev/null.
All of these get logged using the format you've seen earlier so I can collect statistics on how the system is doing and can routinely update the mini-DNS if the IP results in a domain it doesn't know about yet. That mini-DNS has grown to a 99k text file, containing a regex lookup of IP ranges, abuse email, domain, and a comment. Was originally going to have the system automatically route the email to the abuse email address, but I found that just makes things worse in many instances. Everything else goes to junk just in case someone's used a new email address not on the whitelist, which happens a lot, but some still sneak thru. Those are usually the "dear beneficiary" or some of the zombies made to look like they came from your printer/voice mail, or the zombies where the 'From' includes the name of someone you know - how they do that is a complete mystery to me. That last one usually contains a link luring you to an infected site, which SA should detect and trigger one of the URI flags, but half the time it doesn't and they scoot through. Nonetheless, as you said, only 9 out of over 1700 in a month... I'd say it's pretty effective.
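The five-step pipeline the post describes, written out as a small Python mail classifier. This is an added example, not the poster's own script: the domain, server IP, whitelist, block lists and the sample messages are all constructed, and the "mini-DNS" is modelled as a list of CIDR ranges rather than the poster's regex text file. The hard-drop checks (steps 2 to 5) run on every message, including whitelisted senders, so a spoofed whitelisted From: still gets caught; the whitelist then only decides inbox versus junk for whatever survives.

```python
import email
import email.utils
import ipaddress
import re

# Constructed configuration: stand-ins for the poster's real lists.
MY_DOMAIN = "example.org"                       # domain the SPF record covers
MY_SERVER_IPS = {ipaddress.ip_address("192.0.2.10")}
WHITELIST = {"friend@example.com", "billing@vendor.example"}
# SpamAssassin test names from the post; any single hit is a hard drop.
DROP_TAGS = {
    "URIBL_ABUSE_SURBL", "URIBL_DBL_SPAM", "URIBL_INV", "URIBL_SBL", "URIBL_SBL_A",
    "URIBL_DBL_ABUSE_SPAM", "URIBL_DBL_ABUSE_REDIR", "RCVD_HELO_IP_MISMATCH",
    "HELO_DYNAMIC_IPADDR", "HELO_DYNAMIC_IPADDR2", "HELO_DYNAMIC_SPLIT_IP",
    "RDNS_NONE", "RDNS_DYNAMIC", "URI_ONLY_MSGID_MALF", "BOUNCE_MESSAGE",
}
# "mini-DNS": (IP range, parent domain, abuse contact). Constructed entries;
# the poster keeps these as regexes in a text file, CIDR is used here instead.
MINI_DNS = [
    (ipaddress.ip_network("198.51.100.0/24"), "badhost.example", "abuse@badhost.example"),
    (ipaddress.ip_network("203.0.113.0/24"), "okhost.example", "abuse@okhost.example"),
]
BLOCKED_PARENTS = {"badhost.example"}
# From: partials; some match before the '@', some match a faked domain.
FROM_PARTIALS = ["beneficiary@", "@lottery-win.example"]

_IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_TESTS = re.compile(r"tests=((?:[A-Z0-9_]+[,\s]*)+)")


def sender_address(msg):
    """Bare address from the From: header, lower-cased."""
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()


def first_hop_ip(msg):
    """IP our own MTA accepted the mail from. The topmost Received: header is
    the one our server added, so it is the hop that is hard to spoof."""
    received = msg.get_all("Received") or []
    for line in received[:1]:
        m = _IP_IN_RECEIVED.search(line)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def spamassassin_tags(msg):
    """Set of test names from X-Spam-Status (header folding tolerated)."""
    m = _TESTS.search(msg.get("X-Spam-Status", ""))
    if not m:
        return set()
    return {t for t in re.split(r"[,\s]+", m.group(1)) if t}


def parent_domain(ip):
    """Mini-DNS lookup: connecting IP -> parent domain, None if unknown."""
    for net, parent, _abuse in MINI_DNS:
        if ip in net:
            return parent
    return None  # unknown range: candidate for adding to the mini-DNS


def classify(raw):
    """Return (verdict, reason); verdict is 'inbox', 'junk' or 'drop'."""
    msg = email.message_from_string(raw)
    sender = sender_address(msg)
    hop = first_hop_ip(msg)

    # 2. our own domain in From: but not handed in by our own server -> spoof
    if sender.endswith("@" + MY_DOMAIN) and hop not in MY_SERVER_IPS:
        return "drop", "spoofed own domain"
    # 3. any hard-fail SpamAssassin test
    hits = spamassassin_tags(msg) & DROP_TAGS
    if hits:
        return "drop", "sa:" + ",".join(sorted(hits))
    # 4. connecting IP maps (via the mini-DNS) to a blocked parent domain
    parent = parent_domain(hop) if hop else None
    if parent in BLOCKED_PARENTS:
        return "drop", "blocked parent " + parent
    # 5. From: contains a known-bad partial
    for part in FROM_PARTIALS:
        if part in sender:
            return "drop", "from partial " + part
    # 1. survivors: whitelist -> inbox, everything else -> junk for review
    if sender in WHITELIST:
        return "inbox", "whitelisted"
    return "junk", "not whitelisted" + ("" if parent else "; unknown ip range")


def build_sample(from_hdr, hop_ip, tests="HTML_MESSAGE"):
    """Minimal constructed raw message with a folded X-Spam-Status header."""
    return (
        f"Received: from mx.remote.example (mx.remote.example [{hop_ip}])\n"
        "\tby mail.example.org with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
        f"From: {from_hdr}\nTo: me@example.org\n"
        f"X-Spam-Status: No, score=1.0 required=5.0 tests={tests}\n"
        "\tautolearn=no\nSubject: test\n\nbody\n"
    )


SAMPLES = {  # constructed messages, one per rule
    "spoof": build_sample("me@example.org", "203.0.113.7"),
    "sa_tag": build_sample("news@list.example", "203.0.113.7", "HTML_MESSAGE,RDNS_NONE"),
    "blocked_ip": build_sample("info@anything.example", "198.51.100.9"),
    "partial": build_sample('"Dr. X" <beneficiary@free.example>', "203.0.113.7"),
    "whitelisted": build_sample("friend@example.com", "203.0.113.7"),
    "unknown": build_sample("new@stranger.example", "203.0.113.7"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {classify(raw)}")
```

Each verdict carries a reason string so the drops can be logged and counted per rule, which is what makes the monthly statistics in the post possible; the `unknown ip range` note on a junk verdict is the signal to add that range to the mini-DNS.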