Vendor-specific e-mails to fight spam

by Michael Alderete on 4/13/2003

Managing your own e-mail server is a pain in the ass. There’s no two ways about it, when you want to take control of your own network infrastructure, you increase the complexity of the systems you manage, and you greatly increase the consequences of screw-ups.

For example, when I was using aggressive RBL blocking, it was bouncing e-mail I actually wanted to receive, in addition to some spam. A different anti-spam tool was causing occasional, apparently random errors, which resulted in some e-mail messages being dropped on the floor. And back in September, when Rochelle and I were in France and the e-mail server died, we lost about two weeks of e-mail.

So if it’s hard work, and screw-ups mean you lose important messages, why would anyone want to run their own e-mail server? For me, it’s all about spam and viruses. I have a great deal more options for strategies to deal with unsolicited commercial e-mail (spam) and for protecting us from e-mail borne viruses. Since I get about 200 spam messages every day, this matters a lot to me.

One of the tactics I use is to create vendor-specific e-mail addresses, and then expire them when they start generating spam. Here’s how it works. When I register at a new web site, say, www.bigcommerce.com, I give them the e-mail address bigcommerce@alderete.com, which will be an “alias” for my actual e-mail address. This lets me receive mail from the vendor, but tagged in a way that’s traceable to them. Any e-mail sent to that address, I know it’s www.bigcommerce.com that generated it — or sold my address to spammers.

And that happens surprisingly often, especially with dot.bombs that went out of business and sold all their assets, including their customer lists, to whomever wanted to buy them. The biggest offenders in my Inbox have been myspace.com and techies.com.

When the amount of spam going to a vendor-specific e-mail address gets to be too much, or if I know they’ve gone out of business, I will “expire” the address. This is done by setting the alias to bounce when someone tries to send messages to it. For folks who want the technical details, I add an entry like the following to sendmail’s virtusertable file:

techies@alderete.com error:nouser 550 No such user here

This trick is only possible if you own your own Internet domain name, e.g., alderete.com, and have complete control over the e-mail aliases for your domain, usually by running your own e-mail server. (Some hosting services will let you do stuff like this, but most of them don’t give you full access to your aliases files.)

I’m still evolving my strategies to combat spam. With almost 1500 offensive messages being sent to me each week, I have to have pretty sophisticated filters. What I have today works fairly well, but could be even better. I’ll surely post when I add new techniques or tools. But no matter what I add, vendor-specific expiring addresses will continue to be a useful and important part of my anti-spam system.

Previous post:

Next post: