Spam Factories
by Ed Sawicki
Tailored Computers
January 3, 2007
Targeting spam factories significantly reduces spam.
For the past few months my company's eScrubber spam suppression service has been blocking spam from a growing number of spammer sites that I call spam factories. These are spammers who have been allocated unusually large blocks of IP addresses from which to send their spam. These spammers can afford to have their IP addresses blocked because they simply use other addresses in their large block. It could be months before all their addresses are blocked and they move on to another ISP and netblock.
Traditional block lists that block spam only after spam has been sent and received aren't very effective against these spammers. What's needed is preemptive blocking.
I grew tired of always being on the defensive with these guys and decided to go on the offense. Starting in October 2007, I actively hunted down these spam factories and placed their IP address blocks on an eScrubber block list. In the first few days, the list had grown to over 50,000 IP addresses. As of this minute, the list blocks 1,710,148 IP addresses, and it grows by about 1024 addresses each day on average. My network of honeypots alerts me to these spam factories and I block them before most eScrubber customers receive their spam. I then check out the IP "neighborhood" to see if that ISP is harboring other spammers, thus blocking spam before the spammer has a chance to send it. eScrubber monitors the addresses on the spam factory list for changes, such as an ISP reassigning addresses to a non-spammer.
1.7 million IP addresses is not a particularly large block list compared to the public DNS block lists run by Spamcop and Spamhaus. However, for many eScrubber customers it is more effective. Here's last week's internal report for one eScrubber customer:
eScrubber Report for Customer A
Total messages received: 3545
Accepted: 410
Blocked: 3135
Percentage blocked: 88.4%
Blocked by IP: 516
Blocked by CIDR: 1162
Blocked by DNSBL: 607
Blocked by Greylisting: 502
NoSuchUser: 270
Bad SPF: 77
BadSender: 0
From None: 1
The number of spam factory messages blocked is shown in the Blocked by CIDR line. In contrast, spam messages blocked by DNS block lists are shown in the Blocked by DNSBL line. For this customer, the spam factory block list outperforms the traditional block lists by almost 2 to 1. This ratio is not the same for all customers. We have one customer who isn't targeted by the spam factories as much:
eScrubber Report for Customer B
Total messages received: 4735
Accepted: 1739
Blocked: 2996
Percentage blocked: 63.2%
Blocked by IP: 838
Blocked by CIDR: 127
Blocked by DNSBL: 840
Blocked by Greylisting: 868
NoSuchUser: 276
Bad SPF: 39
BadSender: 2
From None: 6
The average eScrubber customer has results closer to Customer A: the number of spam messages blocked by our spam factory list is better than the DNS block lists. The combination of our spam factory list, public DNS block lists, greylisting, SPF checking, and discrete IP address blocking blocks the vast majority of spam. For example, my company now gets less than one spam message per user per day. This is so little that we don't bother with processing-intensive Bayesian filtering to block the rest.
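As an added illustration (not eScrubber's code or data), the following Python shows how a mail gateway distinguishes the "Blocked by IP" and "Blocked by CIDR" lines of the reports above: discrete addresses are matched exactly, spam factory netblocks are matched by CIDR membership, and a hit's enclosing /24 is returned as the "neighborhood" to review. The netblocks, addresses, and Postfix-style log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lists for this example (not eScrubber's real block lists).
SPAM_FACTORY_CIDRS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/22",   # hypothetical spam factory netblock
    "203.0.113.0/24",    # hypothetical neighbouring netblock at the same ISP
)]
DISCRETE_IPS = {ipaddress.ip_address(a) for a in ("192.0.2.77", "192.0.2.78")}

# Constructed log lines in a Postfix-like "connect from" format.
SAMPLE_LOG = """\
Jan  3 10:01:02 mx postfix/smtpd[1001]: connect from unknown[198.51.100.9]
Jan  3 10:01:05 mx postfix/smtpd[1002]: connect from mail.example.org[192.0.2.10]
Jan  3 10:01:09 mx postfix/smtpd[1003]: connect from unknown[192.0.2.77]
Jan  3 10:01:12 mx postfix/smtpd[1004]: connect from unknown[198.51.103.200]
Jan  3 10:01:15 mx postfix/smtpd[1005]: connect from unknown[203.0.113.41]
Jan  3 10:01:20 mx postfix/smtpd[1006]: connect from unknown[203.0.114.1]
"""
CONNECT_RE = re.compile(r"connect from \S+\[([0-9.]+)\]")

def classify(sender_ip):
    """Map one inbound connection to a report line. Discrete IP hits are
    tested before CIDR hits, so the two counters never double-count."""
    ip = ipaddress.ip_address(sender_ip)
    if ip in DISCRETE_IPS:
        return "Blocked by IP"
    if any(ip in net for net in SPAM_FACTORY_CIDRS):
        return "Blocked by CIDR"
    return "Accepted"

def neighborhood(sender_ip, prefix=24):
    """The enclosing block to review when a spam factory address hits."""
    return ipaddress.ip_network(f"{sender_ip}/{prefix}", strict=False)

def report(log_text):
    """Tally the log into the categories the eScrubber report uses."""
    ips = CONNECT_RE.findall(log_text)
    counts = Counter(classify(ip) for ip in ips)
    total = len(ips)
    blocked = total - counts["Accepted"]
    return {
        "Total messages received": total,
        "Accepted": counts["Accepted"],
        "Blocked": blocked,
        "Percentage blocked": round(100 * blocked / total, 1) if total else 0.0,
        "Blocked by IP": counts["Blocked by IP"],
        "Blocked by CIDR": counts["Blocked by CIDR"],
    }

if __name__ == "__main__":
    for line, count in report(SAMPLE_LOG).items():
        print(f"{line}: {count}")
```

A production list of 1.7 million addresses would be held in a radix tree or a DNSBL zone rather than scanned linearly, but the membership logic is the same.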
For companies that would like to block these spam factories but don't want to use eScrubber, we make the spam factory block list available (as a DNS block list or RBL) separately. For more information, contact me at ed@escrubber.com or 503-635-6370.