Antispam, how I do it.

I manage some servers that provide mail services. Because of the nature of the organisations I support, there are some things I can do that larger organisations cannot.

The servers I manage all run distributions of Linux, but they don't all run the same distribution.

One, for a school, runs Debian. Until recently, it was Debian Stable, but Debian has released a new "stable," so it will need to be updated sometime soonish.

On others, I use clones of Red Hat Enterprise Linux.

At home, I use CentOS4 facing the Internet. That is the system which currently handles this website. I get almost no spam at my email addresses. Inside my LAN, I run a second mail server, this one running the now-defunct WBEL4, but with maintenance from CentOS4. This handles most of my mail, which arrives from some mailing lists.

My CentOS4 system also runs a fairly complex firewall which, amongst other things, redirects incoming SMTP connexions from some sites to my internal server. This means that those sites cannot talk to my external mail server.

I have a free domain name,, courtesy of the DNS record points to my external mail server, but my external mail server does not handle or relay mail for it. However, my internal mail server does.

If someone not on my approved list of domains tries to send email to an address at, they get a "relaying denied" error message and that is the end of it.

However, connexions from sites on my approved list are forwarded directly to my internal server, and that handles email for and relays mail to, so people at those places can reach addresses in either domain.

People who collect email addresses from archives of the lists I'm on, and those who subscribe to those lists so they can harvest addresses of active members, get email addresses they cannot reach.

It is extremely effective, but of course it's not something everyone can do.

I also have a system of short-term email addresses. For a short while, email to will reach me, but it will expire automatically. It's good for those sites whose owners insist I must give them a working email address, but I'd rather not. I can register, receive their confirmation email, click on the link. In the short term, "followup" email from them will reach me, but when the address expires....

That kind of approach can be adapted to any organisation: I could provide an internal website for users. They identify themselves, request a temporary email address and it's done.

It can also be adapted to a website, if/when I create a contact me page, I can use the same technique. Perhaps the address would only have a life of a day or two. No need for those silly capcha images.

Additional to those, I use block lists of known sources of spam, and I use a content filter to file suspect email into special folders for users,one for Spam and one for Windows Woes,a receptacle for anything Windows might try to run (including Office documents).

There are also regions of the world from which we do not expect any legitimate email. We have firewall rules to block entire (fairly large!) networks.

We also insist correspondents use valid host names (helo/ehlo greeting).

Late 2008 we were rejecting as spam over 1000 messages a day. This does not include email attempts by misconfigured senders.

School users, out of office, authenticate against our mail service and then they can send email through it