ZeroMx

Techniques

There are several techniques based on exposing fake addresses: addresses that are never used for real mail, so any delivery attempt to one of them identifies a spam source.

Discard

Spam usually arrives in large lots: a single SMTP transaction from one sender asks for delivery to a long list of recipients. If that list includes a fake address, you can discard the whole batch. The more fake addresses you publish and the more recipients per transaction your server accepts (in Postfix, smtpd_recipient_limit), the lower the probability that a batch reaches a real mailbox without touching a trap. Postfix makes this very easy to implement: all you need is a check_recipient_access rule in smtpd_recipient_restrictions, backed by an access map that returns DISCARD for the fake addresses (see access(5)). DISCARD claims successful delivery and silently drops the message, and it applies to every recipient of that message, not only the trap. That is also the caveat: a legitimate message that happens to include a trap address disappears without a bounce, so only use addresses that were never legitimate. I believe this should work well with small sites.
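The Postfix configuration for this technique, as an added example (not a fragment from this page); the file paths, the domain example.com and the trap addresses are assumptions:

```text
# /etc/postfix/main.cf (excerpt)
# reject_unauth_destination only rejects, it never permits, so the trap lookup
# after it still runs for every recipient this server accepts mail for; a
# misconfigured access map returning OK cannot turn the host into an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/trap_recipients

# /etc/postfix/trap_recipients (rebuild the .db with: postmap /etc/postfix/trap_recipients)
# One line per published fake address. The text after DISCARD is written to the
# mail log, so trap hits can be counted later.
trap-webform@example.com      DISCARD spam trap hit
jobs-archive@example.com      DISCARD spam trap hit
```

permit_mynetworks comes first so that mail submitted by your own hosts is never discarded, whatever recipients it carries.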

Fake mailserver

Even if it is more complex and needs two MTAs, you can make all your fake addresses point to a fake mail domain, using addresses like <name@fake.company.tld> whose MX record leads to a separate trap MTA. Then *any* mail arriving on that mail server (which has no valid address at all) triggers the blacklisting procedure against the sender, with no per-recipient lookup needed. The fake mailserver can be combined with firewall rules dropping any further connection from the offending IP; those rules have to be installed on the real MTA as well, since that is where the rest of the lot is going. I believe this should work well with large sites.

Dedicated blacklisting

An intermediate solution with a single mail server could be implemented using a dedicated blacklist daemon, which is instructed and interrogated by a delegated policy module of the MTA. This is the solution I am working on. If you are interested, see the working proof of concept I wrote in perl. I use bld as a blacklist daemon and postfix as an MTA.
What my module does, every time a "RCPT TO:" request arrives, is:
  1. Check whether the recipient address is fake.
     If it is, submit a blacklist request for the client IP to the blacklist daemon and REJECT.
  2. Ask the blacklist daemon whether the client IP address is blacklisted.
     If it is, REJECT.
  3. Otherwise, let the message go along (issue a "DUNNO" action, which leaves the decision to the following restrictions).
Instead of rejecting messages at the SMTP level, you can also disallow any TCP/IP traffic from the blacklisted address (as DenyHosts does). This saves computing resources, but is less respectful of the RFCs: the sender gets no reply at all instead of a 5xx rejection.
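The decision logic of such a policy module, written in Python as an added example (it is not the perl proof of concept mentioned above). The Blacklist class is an in-memory stand-in for an external blacklist daemon such as bld; the attribute names (protocol_state, client_address, recipient) and the "action=" reply are those of the Postfix SMTPD policy protocol. The trap addresses, the sample request and the listening port are assumptions. On a trap MTA as in the "Fake mailserver" section the same code applies with every recipient counted as fake.

```python
"""Decision logic of a Postfix SMTPD policy daemon doing stigmergic blacklisting.

Added example, not the page's perl proof of concept. The Blacklist class is an
in-memory stand-in for an external blacklist daemon such as bld; attribute names
and the 'action=' reply follow the Postfix policy protocol. Trap addresses,
sample data and the port are assumptions.
"""
import socketserver
import time

# Published fake addresses (constructed for this example).
TRAP_RECIPIENTS = {"trap-webform@example.com", "jobs-archive@example.com"}


class Blacklist:
    """Stand-in for the blacklist daemon: client IP -> expiry time (seconds)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._expiry = {}

    def add(self, ip, now=None):
        now = time.time() if now is None else now
        self._expiry[ip] = now + self.ttl

    def contains(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self._expiry[ip]  # entry has expired: forget it
            return False
        return True


def parse_policy_request(raw):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")  # split at the first '=' only
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, blacklist, now=None):
    """Apply the three steps from the text to one RCPT TO and return the action."""
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"  # decisions are taken at RCPT time only
    client = attrs.get("client_address", "")
    recipient = attrs.get("recipient", "").lower()
    # 1. Fake recipient: blacklist the client and reject this recipient.
    if recipient in TRAP_RECIPIENTS:
        blacklist.add(client, now)
        return "REJECT spam trap hit"
    # 2. Client already blacklisted by an earlier trap hit: reject.
    if blacklist.contains(client, now):
        return "REJECT client is blacklisted"
    # 3. Nothing known: let the following restrictions decide.
    return "DUNNO"


def handle_request(raw, blacklist, now=None):
    """One wire exchange: the reply is 'action=...' followed by an empty line."""
    return "action=%s\n\n" % decide(parse_policy_request(raw), blacklist, now)


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serves check_policy_service; Postfix may send several requests per connection."""

    blacklist = Blacklist()

    def handle(self):
        pending = []
        for raw_line in self.rfile:
            line = raw_line.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                pending.append(line)
                continue
            reply = handle_request("\n".join(pending) + "\n\n", self.blacklist)
            self.wfile.write(reply.encode())
            self.wfile.flush()
            pending = []


# A constructed request, as Postfix sends it for one RCPT TO.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=198.51.100.7\n"
    "sender=bulk@example.net\n"
    "recipient=trap-webform@example.com\n"
    "\n"
)

if __name__ == "__main__":
    # Run as a daemon; main.cf then gets "check_policy_service inet:127.0.0.1:10031".
    socketserver.TCPServer(("127.0.0.1", 10031), PolicyHandler).serve_forever()
```

Hook it in with "check_policy_service inet:127.0.0.1:10031" placed after reject_unauth_destination in smtpd_recipient_restrictions. Note that a policy reply acts on the current recipient only: real recipients that were accepted earlier in the same transaction still get the message, and it is the IP blacklist that stops the rest of the lot and the following ones. If you prefer the behaviour of the Discard technique, answer a trap hit with "DISCARD" instead of "REJECT"; as with the access map, that drops the whole message for all its recipients.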