Blocking E-mail Spam from China and Korea

First and foremost: if you're looking for a regularly updated list of IP addresses for China and Korea, you can get them from the Okean site.

This adventure began in November 2002, when the amount of spam I got each day was starting to exceed my tolerance level.  The article explains what I did and why I did it, and has a series of updates on the progress of an experiment in which I only disabled addresses from which I received spam.

In July of 2005, I decided that the experiment had gone on long enough.  I'd explicitly blocked nearly 1000 class B addresses, and didn't see a point in continuing to update the list manually.

I have discovered the joy of Postfix CIDR block lists.  If you run Postfix, and want to block all mail from China and Korea, here's what you need to do (as root):

  1. Download the Okean CIDR list for China, Korea, or both.  I used the list with both.
  2. Substitute the word "REJECT" for "China" and "Korea" in the list.  You can add a message after REJECT on each line to make it clear what's happening; the message appears in the mail log and in the rejection sent to the client.  My config file lines look like this (each one begins with the network in CIDR notation, as it appears in the downloaded list):
       REJECT Source IP blocked China
       REJECT Source IP blocked Korea

  3. Copy the file to /etc/postfix/sinokorea.cidr.
  4. Add the following line to /etc/postfix/main.cf (or modify the existing line to include):
    smtpd_client_restrictions = check_client_access cidr:/etc/postfix/sinokorea.cidr
  5. Run "postfix reload".

That's it.  If you want to update the list of IP addresses, just repeat steps 1-3.  For testing purposes you can insert "warn_if_reject" before "check_client_access".  This will allow the mail to be delivered, but write a reject_warning message to /var/log/maillog.

(You should probably run "postconf -m" and verify that "cidr" is in the list of supported table types.)
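The conversion in steps 1-3 as a small script, added here as an example and not code from the original page.  It assumes the downloaded list has one "network/prefix Country" entry per line with Country being China or Korea; the list URL and destination path are supplied by the caller, and the main.cf line is printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the original page: turn an Okean-style list into
# a Postfix cidr: table (steps 1-3 above) and sanity-check it first.
# Assumes each list line is "network/prefix Country" with Country being
# China or Korea; the URL and destination path are passed in by the caller.

# Rewrite "CIDR China" / "CIDR Korea" into "CIDR REJECT Source IP blocked <Country>".
# Blank lines and comments are dropped; a line that is not a valid IPv4
# network/prefix, or names a country we did not ask for, is reported on
# stderr and skipped so a corrupt download cannot end up in the table.
okean_to_cidr() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        {
            split($1, p, "/"); n = split(p[1], o, ".")
            ok = (n == 4 && p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok || ($2 != "China" && $2 != "Korea")) {
                print "skipping bad line: " $0 > "/dev/stderr"; next
            }
            print $1 "\tREJECT Source IP blocked " $2
        }'
}

# Number of REJECT entries in a generated table.
count_rejects() { grep -c "REJECT Source IP blocked" "$1"; }

# Download, convert and install the table.  Step 4 (the main.cf line) is
# printed rather than applied, and step 5 ("postfix reload") is left to
# the caller, so this can be run without touching a live Postfix.
install_sinokorea() {   # $1 = list URL, $2 = destination, e.g. /etc/postfix/sinokorea.cidr
    tmp=$(mktemp) || return 1
    if ! curl -fsS "$1" | okean_to_cidr > "$tmp"; then rm -f "$tmp"; return 1; fi
    # Refuse to install an empty table: with no REJECT lines nothing is blocked.
    if [ "$(count_rejects "$tmp")" -eq 0 ]; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$2" && chmod 644 "$2" || return 1
    echo "smtpd_client_restrictions = check_client_access cidr:$2"
}
```

Run "postfix reload" after the install, and use "warn_if_reject" in front of check_client_access while checking the maillog for the first day.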

2015 Update: according to my postfix mail logs, in the last 5 days I have blocked 120 messages from Chinese IP addresses, but only 11 from Korea. Sounds like the situation in Korea has improved. For the mail that didn't get blocked, my spamassassin filter collected 1915 pieces of spam (50MB) in 10 days. Ignoring the (unfortunately large) amount of spam that got past spamassassin, that means roughly 262 of 2177 spam messages, or about 12%, came from China or Korea. Factoring in the false-negatives that ended up in my inbox would reduce the percentage further.  (Note I'm ignoring "speculatively addressed" spam, sent to nonsense addresses like "faddentnat" or "faddendxzv", or system names like "daemon" or "mail", because those would get rejected even without any spam protection.)

In February 2015 I switched away from running my own mail server. After a server snafu (failure to restart after a power outage while I was on vacation) I decided I needed to get my mail server out of my house, and even with the China/Korea blocking I was still getting a lot of junk mail, so I decided I'd rather have somebody else handle it. Google Domains offers e-mail forwarding, by specific address with a catch-all wildcard, which allowed me to keep my multiple addresses. You can configure gmail to use a different address as the sender, and have it default to the target address when replying to e-mail, so I can continue to send and receive @fadden.com e-mail while letting Google do all the work. The setup process requires several steps but it's working great, and it's included in the cost of the domain registration (US$12).

August 2015 update: several months later, I'm still very happy with the decision to switch to gmail servers. The gmail spam folder keeps messages for 30 days before deleting them; this morning mine had 6,570 messages in it.

One other data point: for many years I used unique addresses for every company that wanted one. For example, the e-mail I provided to Fubar Corporation would be site_fubar@fadden.com. Changing the postfix recipient_delimiter from '+' to '_' caused all site-specific addresses to be delivered to a single mailbox, so having multiple addresses didn't make it harder to read my mail. Of all of the addresses I used, the only ones that showed up in spam are those I gave to Intuit and to the Motley Fool investment site (the latter being especially bad).

Original Article (from 2002)

I get a lot of spam.  Not as much as some folks, but 60 to 80 pieces per day is quite a bit by any means of reckoning.  I do not believe that I'll get less if I "just hit delete" or try to hide from it, so I use SpamCop to report every piece of spam I get.

Why do I get so much spam?  I wrote a popular FAQ on CD recording that is available on the web and posted on Usenet.  Both versions have my e-mail address, so Usenet-harvesters and web-harvesters find it.  I have registered .com, .net, and .org domains, so spammers targeting businesses also love to send me stuff.  (In one memorable day I got eight different variations of the Nigerian Scam e-mail.)  I accept all mail sent to my domain, so random "marketing@domain.com" stuff gets through.  It's worth noting however that a rather spam-prolific address -- a dialup account with concentric.net that received 20+ pieces of spam per day until I cancelled it -- was never listed or used anywhere, so clearly there's not much benefit in trying to hide if the spammers can steal user lists.

Sometimes, when people see a web page they find interesting or useful, they copy it onto their own pages.  In some cases they'll even do a partial translation to a different language.  In the case of my FAQ, this is both legal and encouraged.  The trouble I've had is that, when the Chinese and Korean spammers harvest web pages for e-mail addresses, they get mine from a copy of my page in Asia and assume I'm local.  As a result, a significant portion of the spam I get is in a language I can only recognize by examining the MIME type.

It has become clear from my daily spam-reporting that some sites are either unwilling or unable to deal with the spammers.  Take, for example, the "Ship Sale & Purchase News" e-mail I started getting once a week.  It was sent from bora.net, it advertised a web page on bora.net, and had response e-mail addresses at bora.net.  Despite repeated complaints, the mail kept coming.  Another negligent ISP is hananet.net.  I can't read the message, but some of the URLs are always the same, and other URLs often have the word "sex" in them somewhere.  I've found that most of these "repeat offenders" are in China or Korea.

I was all set to continue my futile efforts at reporting them when a couple of things happened.  First, the quantity of spam began to increase.  Second, I saw some news articles (e.g. wired) about how system administrators at various ISPs were starting to cut off large parts of Asia because the majority of spam they were receiving came from China, Korea, and Taiwan.  I realized that I wasn't alone in my frustration.

What to do?

It was clear to me that reporting the spam coming out of mainland China and Korea was having roughly the same impact as teaching a pig to sing.  (It doesn't work and it annoys the pig.)  I decided it was time to block whatever I could.  However, I wasn't willing to write off two entire countries all at once.

What I decided to do was block the subnets that inbound spam originated from.  To keep things manageable, I decided to block all of an offending class B network.  (If the spam came from, I would block everything starting with 192.168.  I decided to treat class C subnets the same as class B, which isn't correct but meant less work for me.)  Not wholly surgical, but I wanted to be able to maintain this without needing an elaborate set of automated scripts.  By selecting subnets in this manner, I hoped to avoid legitimate corporations and concentrate on problematic ISPs.

It was important to me that the sender *know* they were being blocked.  Again, ignoring spam will not make it go away.  Having an SMTP session rejected with a code 553 ("you're a spammer, go away") makes it clear to the sender that their messages are simply unwanted.  Using SpamAssassin or a procmail filter wouldn't have the same effect.  (Note this is not a bounce; it is a refusal to accept the message at all.)

I shifted my qmail installation from being managed by inetd to being managed by tcpserver, and added rblsmtpd to the command line.  (See the qmail anti-spam HOWTO page for links and information.)  Rather than use one of the standard block lists or set up a small DNS server to act as one, I just fed a list of obstructed subnets to tcpserver.  When tcpserver identifies the source as being from a "bad" network, it passes an environment variable to rblsmtpd that tells it to respond to the incoming e-mail message with a code 553 and a text message telling them why I don't like them.

The script I use to start qmail looks like this:

#!/bin/sh
# CONTROLFILE is the compiled tcprules database (the "smtp.cdb" mentioned
# below) and MAXSMTPD is the connection limit; both are assumed to be set
# before this point, for example in a sourced configuration file.
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

# tcpserver drops to the qmaild user/group, consults the rules database for
# each connection, and hands the session to rblsmtpd in front of qmail-smtpd.
/usr/local/bin/tcpserver -x "$CONTROLFILE" -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
  /usr/local/bin/rblsmtpd /var/qmail/bin/qmail-smtpd >> /var/log/tcpserver-qmail.log 2>&1 &
exit 0

I can see rejection messages in tcpserver-qmail.log.  The rules file that "smtp.cdb" is compiled from has a bunch of lines that look like '200.171.:allow,RBLSMTPD="-Go away."' (the leading "-" is what makes rblsmtpd answer with a permanent 553 rather than a temporary 451).  The actual messages are longer and include a web page to visit in case an actual human sees the rejection message.  Thus far, nobody has visited the page.

I began this experiment on Wednesday, November 6th, 2002.  Every day that followed I compared the source of each incoming spam to the list of Chinese and Korean networks, and added the source subnet to the "reject" list when appropriate.  Some people have asserted that most of the spam coming out of Asia is actually US spam being reflected through open relays, so I made a note of what language the spam was in.  After a week, I checked the results.
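A helper for the daily routine just described (take the source address of a piece of spam, reduce it to its class B, and add a rejection rule if one is not already there), added here as an example and not a script from the original page.  It assumes the rules line format shown above; the rules file path and the rejection message are placeholders, and the cdb still has to be rebuilt afterwards.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumed placeholders: the
# rules file location and the rejection text (which should carry the
# page URL the article mentions, so a human who is refused can find out why).
RULES=${RULES:-/etc/tcp.smtp}
MSG=${MSG:-"-Mail from your network is not accepted; see http://blocked.example.invalid/"}

# Print the class-B prefix ("a.b.") of a dotted quad; fail on malformed input.
# As in the article, class C networks are treated the same as class B.
classb_prefix() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
    printf '%s.%s.\n' "$1" "$2"
}

# Is this address already covered by a rule in $RULES?  tcprules matches a
# trailing-dot pattern such as "200.171." against every address beginning
# with it, so one line covers the whole /16.
is_blocked() {
    pfx=$(classb_prefix "$1") || return 2
    grep -q "^$(printf '%s' "$pfx" | sed 's/\./\\./g'):" "$RULES"
}

# Append a rule for the spam source's class B unless one exists.  The cdb
# must be rebuilt with tcprules afterwards for tcpserver to see the change.
block_source() {
    pfx=$(classb_prefix "$1") || return 2
    if is_blocked "$1"; then echo "already blocked: $pfx"; return 0; fi
    printf '%s:allow,RBLSMTPD="%s"\n' "$pfx" "$MSG" >> "$RULES"
    echo "blocked: $pfx"
}
```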

The Results

I began around mid-day on November 6th 2002, and stopped a week later at noon on November 13th.  I collected spam for the 24-hour period starting at noon on the 12th.

Here are the stats on the e-mail.  I have two domains accepting mail, each of which accepts all mail sent to that domain, regardless of user name.

Here are the figures for my block list, used to filter the above.  This is what I had after adding subnets for slightly less than a week; it doesn't include additions I will make after receiving today's spam:

A separate account on a different ISP received 17 pieces of spam in the same period, 3 of which came from China or Korea.  If I add those into the mix, I get a total of 100 pieces of spam received in 24 hours, 32 from China or Korea (32%).  If you aren't getting quite that much spam, don't worry, you will soon enough.

What do I conclude from this?

It would be unwise to draw sweeping conclusions from a single day's data.  However, I believe the general proportions for all of the numbers are correct.

Clearly the block is helping.  It's trivially rejecting the spam I can't seem to do anything about, so I can focus my attention on the spammers that might be stoppable.  With the quantity of stuff being thrown at me, I'll take any edge I can get.

My method for generating the block list is adapting slowly but effectively.  More than half of the spam aimed at me was blocked, and I'd guess I'm blocking far fewer than half of the class B subnets in China and Korea.  In another couple of weeks the wall should be pretty solid.

Update: after two more weeks, on November 27th, I have 238 subnets blocked.  Of these, 68% were blocked due to messages in Chinese or Korean character sets.  I still get two or three messages slipping past the block each day, but most of the junk is now blocked.  I suspect most of what I'm getting now are hijacked servers rather than dedicated spammers, but I still get stuff from spam domains like bora.net or kornet.net.  I've used the blocking mechanism to block a persistent Brazilian spam domain (200.207.*.*) and a couple of sites that send me spam and refuse to accept SpamCop reports.

Update: after two months, on January 7th 2003, I have 365 subnets blocked.  We're down to 61% Chinese and Korean language spam.  I think the holiday spamming season had a lot to do with the increase in blocked subnets.

Update: nearly a year later, on September 27th 2003, I have 573 subnets blocked.  Spam from Chinese or Korean sites rarely gets past my filters anymore, and what I do get is almost always in English.  (In the last 24 hours I blocked 95 attempts to send me mail, 59 from unique IPs.)  This may be due in part to a Chinese crackdown on spammers, though I still see a lot of spam web sites hosted in .cn domains.  A large portion of spam is coming from USA cable modem networks now (comcast.net, charter.net), as well as Brazilian nets and telefonica.es domains.  I still get 100+ pieces of spam most days, but I'm now running spamassassin and can sort through it quickly.  Incidentally, my mail blocking stuff helped immensely when the SoBig.F virus inspired a couple of sites to send me hundreds of messages a day.

Update: two years later, December 7 2004.  I have 829 subnets blocked.  I continue to add subnets only as spam appears, and there are some address ranges from which I have never been spammed, but I have a pretty significant chunk of China and Korea blocked.  In the last 48 hours I blocked 518 messages, 429 from China or Korea.  The non-China/Korea messages came from Taiwan, Hong Kong, Brazil, Spain (especially auna.es), Israel, and other locations that were persistent enough to warrant blocking.  Of those 429 messages, 372 came from unique IP addresses, which means I'm blocking at least 186 spam attempts from China or Korea every day.  That's roughly 3x what it was a year ago, though traffic has picked up a bit for Christmas.

Update: February 17, 2005.  Christmas is long over, but the spam flood continues.  In the past 24 hours I blocked SMTP connections from 241 unique IP addresses in China and Korea.  Looking back at my previous update, 186 was probably too low, because some sites will send messages every day.  In the last 10 days I have blocked 2121 attempts, from 1762 unique IP addresses.  I would guess I'm blocking somewhere around 65% of my spam with this simple filter, and I've never blocked a network that didn't send me spam.  I currently have 879 subnets blocked, only 42% due to spam in an Asian language (typically Big 5 Chinese).  Since Aug 19 2003, I have blocked 33,954 attempts to send me viruses by banning specific addresses that were flooding me.  I am not an ISP, I'm one guy running a mail server at home.

What Next?

I don't advocate walling off every country with an above-average number of spammers.  I think block lists targeted against rogue ISPs are much more useful.  I do not, for example, advocate walling off Taiwan.  While I'm receiving a modest amount of spam from there, I have seen a reasonable level of responsiveness from some of the ISPs (e.g. hinet.net).  I suspect they will be able to get the problem under control.

The problems with China and Korea, however, are simply too extreme to be worth handling any other way.  Blocking these messages outright means I have one less wall to beat my head against.

Looking over the set of IP addresses that mail comes in on has also led me to be very concerned about Brazil (.br).  A significant percentage of spam is coming from there, for the most part in English.  This seems to be due largely to a rapid expansion of broadband access there.

Links and Other Info

General information about e-mail spam: http://spam.abuse.net/spam/

Chinese and Korean subnet list: http://okean.com/asianspamblocks.html

A discussion about this page on slashdot.org.

For the curious, here are the subject lines from the 67 non-blocked pieces of spam I received this day:

  1. Christmas Cash!
  2. Please read this letter carefully, it works 100%..
  3. Are you ready for the holidays?
  4. Watch your auction sales SOAR
  5. Découvrez le logiciel de prospection e-mail qui nous a permis de vous contacter.
  6. Screening of Academy Award winner,
  7. 22% Teeth Bleach Kit! REALLY WORKS!
  8. Alan Greenspan keeps em' low
  9. Eccezionale......novita'
  13. I Never Have to Tell My Kids "We Can't Afford It" uephb
  14. =?big5?Q?=A6X=AAk=B5u=B4=C1=C0=B0=B6=C4=A1B=AC=DD=C5@?=
  15. Homeowners won A NEW TV ?Mgt
  17. Ever seen such bestiality site (people+animals hardcore)?
  18. ޴Ӻ!! ֽű ޴ ܵ 3Դϴ!! üϼ!![]
  20. PJǶ̺!
  21. IBM 36 GB 10K 1" only $ 90
  22. Family Health Care For $49.95-$79.95 A Month!
  23. Family Health Care For $49.95-$79.95 A Month!
  24. =?koi8-r?B?8sHT09nMy8Egz9Qg6+Mg8MHS1M7F0g==?=
  25. free porn
  26. Letter of intent
  27. =?euc-kr?B?KLGksO0psMfBtsfRILDowP0tsK2+xsH2v6Gw1LW1ILq4vcDAzCDHyr/kx9Eg?=
  29. Share the Magic of Christmas
  30. Do it now brx
  31. How are you doing ? 2660OiFH9-853CBp-15
  32. ~>Don't Miss this Opportunity ~
  33. This is something that works !!!!!!!!!!!!!!!!!!
  34. Ǻδ Ҹ Ѵ. Ҹ Ŵ. ......... [ ]
  35. No te lo podes perder
  36. ** You're -Approved-!
  37. Comunicazione
  38. membership account
  39. NORTON SystemWorks 2002 BLOWOUT! 10239
  40. ()̸ϸƮ 48000 մϴ.
  41. Hi, this is for you
  42. Mortgage Rates At 40 year Low 123
  43. Generate Extra Income
  44. membership account
  45. flashlight
  46. Bullet proof bulk email friendly hosting & cheap mass email campaigns.
  47. Andy McFadden
  48. fadden turn back time
  49. en it will work for you
  50. Fadden, your childhood family orgy
  51. [] ſī ߱~~~ , ϰ~~~
  52. Extra income for Christmas, and for the next 20 years!
  53. Extra income for Christmas, and for the next 20 years!
  55. Selective Popup is here! (from Marcel)
  56. Make a fortune on eBay - FREE Info 23953
  57. Free Satellite TV Offer ebr
  58. fadden 3000+ AUDIO Books on CD wrv
  59. Lowest Life Insurance Rates - free quote qcsdy
  60. * * Your -approval-! * *
  61. Do it now! cfa
  62. Bullet proof bulk email friendly hosting & cheap mass email campaigns.
  63. Information fadden
  64. fadden this will help you look good and feel great
  65. Debt termination
  66. Money for fadden

That's all, folks...