Intro
First off, I should mention that the title may be a little misleading. Sorry, I couldn't think of anything better. The idea I'm presenting here will not help you fight the SPAM you currently receive. For that, you should try using SpamAssassin, and you should also consider joining the Okopipi program once it's up and running (a successor to the effective, but unfortunately now-defunct Blue Frog project from Blue Security). You should also use an email program with good built-in SPAM filtering such as Mozilla Thunderbird. If these are set up properly, you should be able to filter nearly all the SPAM you receive so that you never have to look at it (personally, I run SpamAssassin with a very aggressive threshold of 3-4).
Instead, I'll be showing you a simple technique to help you limit the SPAM you receive in the future, and track where it comes from (I'll explain exactly what I mean by that below).
Note that you'll need your own website to do this (or you'll have to ask your administrator to set this up for you).
The 'Problem'
Assume my email address is mnicholas@nicholassolutions.com (it's not, by the way, so feel free to SPAM me there), and I want to sign up for the forum at expertsrt.net. I know that wonderful group of folks would never never misuse my information, but I'm a little paranoid, and I don't want to give them my real address. Or maybe I'm about to purchase something online at one of those places that requires you to 'make a new account' in order to buy something (I hate that by the way).
I've had a lot of unpleasant experiences with places like that subscribing me to newsletters (which I don't really have a problem with) that it seems impossible to stop receiving (which I do have a problem with). Even worse are the places that sell email addresses to the hard-core spammers who start harassing you with ads for 'v!4grÁ.' It can be hard to know where the spammer got your address if you've used it to sign up for 50 different websites; any one of them may have either sold or accidentally exposed your address.
The 'Solution', Part 1
Now, imagine that instead of giving sites my real email, I give each of them a separate one (say, from Yahoo!). Say I give creative-widgets.com my matt-no-spam-please@yahoo.com address, and a month later I start getting unsolicited email. There's no question about where it came from, and it's easy to deal with. First, I write creative-widgets.com and tell them I think they are Bad People, and that I may file a report with my government (in the US, the appropriate place is the Federal Trade Commission). Then, I stop using matt-no-spam-please@yahoo.com. Since I only ever used it for one purpose, by shutting it down, I'll never lose any important messages, and for other site sign-ups, I have my alternate addresses like matt-hates-spam@gmail.com.
The 'Solution', Part 2
You're probably thinking that setting up and maintaining hundreds of different email accounts in order to prevent SPAM sounds like more trouble than it's worth, and I agree with you... But what if you didn't have to set up new accounts and log in to different addresses in order to do this? That would be pretty manageable. Enter patterned email aliases. The idea is to set up your mail server so that any mail with a To: header that matches a certain pattern is automatically forwarded to your address. For example, I could configure my mail server so that any mail coming to
mn_[anything]@nicholassolutions.com
is automatically forwarded to me. When I go to stuff.com and they make me sign up, I just tell them my address is
mn_stuff.com@nicholassolutions.com
By including the domain name of the site (or maybe something similar), it's easy to remember what address I've given each site, which already makes my life a little easier than having 3-4 addresses for sign-ups. Every time I sign up for a new site and create a 'new' address, it requires no extra configuration — I just give them an address that conforms to the pattern, and I'll get the mail they send me.
Just like before, if I start getting SPAM and I see it's been sent to the address I gave stuff.com, I know who's been up to no good. I can report them, and then add a rule to my mail server that automatically deletes everything coming to that address, or more simply, I can just set up a filter in my email client to automatically send it to the trash. I might even feel like changing the forwarding for that particular address so that all the SPAM it receives is fired back at contact@stuff.com, but I'd probably restrain myself since that might get me in trouble.
You may be wondering what happens if a spammer figures out your pattern. They'll be able to send mail to any address matching your pattern and it will get through, right? Well, technically you have a point, but you have to remember how SPAM works. Spammers send mail to millions upon millions of addresses, knowing the vast majority of it will not get through, and they have no idea to whom they're sending it. They don't waste their time trying to figure out how one person has things set up, which you already know if you've ever looked through logs and seen hundreds of failed emails sent to contact@yoursite.com, info@yoursite.com, admin@yoursite.com, etc. when those addresses don't even exist. If you make your pattern unusual enough, you'll have nothing to worry about. Also, remember that your real address is not inextricably linked to the patterned alias: if you do start getting flooded, you can always route the mail elsewhere (or even just disable the alias entirely) and come up with a new pattern. It's exactly like abandoning a Yahoo! address because the only thing you get there is SPAM.
Simple Implementation
Hopefully you're sold on the idea and you want to try it. If you're reasonably experienced at administering your own server, you can probably stop reading at this point and just go off to try out the idea. If not, I'll explain how to set this up on Unix using either Procmail or the popular CPanel.
Procmail
Setting this up in Procmail is a piece of cake. In your /etc/procmailrc file, just add
the following to the top:
#match subscription addresses
:0H
* ^To:.*prefix_.+@yoursite\.com
! realuser@yoursite.com
This tells Procmail to look in the headers for a To: line that is of the form prefix_[anything]@yoursite.com, and
if it finds it, forwards to realuser@yoursite.com. You need to replace prefix, yoursite, and realuser with the appropriate
values for your setup.
To block specific matches, you have a couple options. The first is to set a filter in your email client
that throws away the mail to that address automatically each time it checks your mailbox. This is probably
the easiest thing to do. If you insist on having your server throw it away automatically, you can add
additional rules to your procmailrc file above the rule you just added:
#throw away spam
:0H
* ^To:.*prefix_(badsite|otherbadsite)@yoursite\.com
/dev/null
This tells procmail to write mail coming to those specific addresses to /dev/null,
which is the Linux version of a black hole: the mail gets trashed and you never even know it came in.
Procmail requires every * condition in a recipe to match, so the addresses go into a single
alternation rather than onto separate * lines. Every time you need to add an address, you just
add another |name alternative inside the parentheses.
CPanel
The basic setup for CPanel is similar to that for Procmail. The menu scheme for CPanel is not entirely standard among all hosts, so you may have to search around a bit for the right section. On most setups, you'll click on your Mail menu from the main screen, and then go to the E-Mail Filtering section. Next, click on the [Add Filter] link, and you should see a screen that contains a section like this:
Change the "Subject" to "To", and "contains" to "matches regex" in the pulldown menus.
In the first text field, enter prefix_.+@yoursite\.com (where you replace prefix with
whatever you'd like, and the domain name with yours).
In the Destination field, replace "discard" (or whatever the default is) with your real email address
where the matching mail should be forwarded to.
Filtering out the SPAM is done in pretty much the same way as with procmail. You can either do it with your mail client, or you can add extra filters on the server. The filter you'd use in CPanel would be
To that equals prefix_badsite@yoursite.com
Destination: Discard
More Ideas
Using A Subdomain
If you're paranoid, you may worry about giving out an address at your real domain name, for
fear that you'll receive loads of SPAM. For example, spammers may start sending messages to addresses like
info@yoursite.com, contact@yoursite.com, or admin@yoursite.com, which
may well be valid addresses. Most likely, though, these are already public, so it's unlikely that your SPAM
will increase as a result of using this system (I say increase, because you almost certainly receive SPAM
there already). One thing that you might consider is creating a subdomain (e.g. mail.yoursite.com)
where your subscription alias is located, and have all mail coming to this domain that does not match your
alias be automatically discarded. For example, in procmail, your rule set might look like this:
#match subscription addresses
:0H
* ^To:.*prefix_.+@mail\.yoursite\.com
! realuser@mail.yoursite.com
#throw out all other mail to mail.yoursite.com
:0H
* ^To:.+@mail\.yoursite\.com
/dev/null
In CPanel, you can just add a rule to discard all mail where the To:
matches the regex .+@mail\.yoursite\.com
Multiple Users
If you'd like to set this up for multiple users, you have a few options. The first is to
just set up exactly what I described above over and over again. If you only have a few users, this is
probably fine. If that is not practical, you might consider using backreferences in Procmail. Unfortunately,
procmail's regex engine does not support backreferences to the degree that, say, Perl's does: you can only
match from a given point in the string to the end. You do this by using the \/ token, and the
match is then accessible in $MATCH. You could utilize this by making the following rule:
#match subscription addresses and send mail to the appropriate user
:0H
* ^To:.+_\/.+@yoursite\.com
! $MATCH
In this setup, the user johndoe@yoursite.com would sign up using an address like
stuff.com_johndoe@yoursite.com. If that doesn't float your boat, you could write your
own script to handle mail, and have procmail pipe mail to it for you:
#match subscription addresses and pipe the mail to a program to handle it
:0H
* ^To:.+_.+@yoursite\.com
| /path/to/your/script
The script would need to read from the standard input, figure out where the mail should be sent, and then deliver it, which is not a particularly difficult task in Bash, Perl, PHP, etc. I'm not going to go into it in this article, but I may deal with it in a subsequent one (a little research on Google should help get you started).
If you wanted to get very fancy, you could even have the script query a database, where you allow users to enter 'dead' addresses via another front end script, and throw out any mail that matches those. That way, you don't need to keep track of constantly updating the procmail files or your script yourself.
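The handler script described above, sketched in Python as an added example (it is not code from the original article). The user list, the dead-alias set and the sendmail path are assumptions standing in for your own lookup, and the alias layout follows the stuff.com_johndoe@yoursite.com scheme.

```python
import re
import subprocess
import sys
from email import message_from_bytes
from email.utils import getaddresses

DOMAIN = "yoursite.com"                 # placeholder domain used in the article
LOCAL_USERS = {"johndoe", "janedoe"}    # assumption: the real mailboxes
DEAD_ALIASES = {"badsite.com_johndoe"}  # assumption: aliases that leaked
SENDMAIL = "/usr/sbin/sendmail"         # assumption: local MTA binary

# site_user, as in stuff.com_johndoe: no underscore allowed in either part.
ALIAS_RE = re.compile(r"^(?P<site>[a-z0-9.-]+)_(?P<user>[a-z0-9.-]+)$")


def route(raw_message):
    """Return ("deliver", address), ("discard", alias) or ("ignore", None)."""
    msg = message_from_bytes(raw_message)
    for _name, addr in getaddresses(msg.get_all("To", [])):
        local, _, domain = addr.lower().rpartition("@")
        if domain != DOMAIN:            # exact comparison, not a substring test
            continue
        m = ALIAS_RE.match(local)
        if not m or m["user"] not in LOCAL_USERS:
            continue                    # never forward to unvalidated header text
        if local in DEAD_ALIASES:
            return ("discard", local)
        return ("deliver", m["user"] + "@" + DOMAIN)
    return ("ignore", None)


def main():
    raw = sys.stdin.buffer.read()       # bytes: mail is not always valid UTF-8
    action, target = route(raw)
    if action == "deliver":
        # Pass the message through unchanged; "--" stops option parsing.
        subprocess.run([SENDMAIL, "-oi", "--", target], input=raw, check=True)
        return 0
    if action == "discard":
        return 0                        # swallow mail sent to a dead alias
    return 1                            # not an alias: report "not handled"


if __name__ == "__main__":
    sys.exit(main())
```

Because the recipient is rebuilt from a name found in LOCAL_USERS rather than copied out of the header, a crafted To: line cannot steer delivery to an arbitrary address.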
I hope you found this tutorial helpful. Feel free to send questions, comments, or flames (but please, no SPAM) to info [_at_] nicholassolutions (dot) com (you may also use the contact form on our website, nicholassolutions.com). If this is your first time visiting ERT, why not stay and look around for a while? This article is just a small part of the content we have to offer.


