Understanding Spam


In a book like this, it’s often hard to explain complex concepts so that people of different technical backgrounds and skill levels can understand them. Happily, it’s really easy to explain spam: it’s electronic junk mail; most people hate it; and it’s proliferating. Some estimates say that more than 80 percent of the mail sent to recipients at popular free e-mail services such as Hotmail or Yahoo! Mail is spam. I know of one 100,000-mailbox Exchange site that gets more than half a million spam messages every day! At those volumes, spam ceases to be merely an annoyance and turns into a positive threat.

Of course, even small amounts of spam can be threatening. Spam is often used to advertise questionable products or sites you don’t want your internal workstations visiting. It annoys users, wastes your bandwidth, and uses valuable storage space. Accordingly, most Exchange administrators are hungry for ways to keep spam off their servers; finding the right approach starts with understanding the possibilities.

Common Spam-Blocking Tactics

Unfortunately, spam isn’t illegal in most jurisdictions, and it’s definitely against the law to shoot spammers on sight (at least for now). In the meantime, there are several approaches to spam protection. Most sites find that a combination of perimeter filtering, user education, and content scanning works well.

start sidebar
Separating Spam from Real Mail

One key obstacle to a perfect spam filter is simple: computers can’t process human languages well enough to reliably distinguish spam from legitimate mail. A spam filter that frequently throws away mail you actually want won’t be widely adopted, but neither will a filter that doesn’t catch enough spam! This conundrum is tricky for filter designers. Spam often has distinctive characteristics that give filters an easy way to identify it. For example, the words “XXX”, “porn”, and “p0rn” are found much more often in spam messages than in real mail, as are excessive numbers of dollar signs or exclamation points, or the words “home mortgage” in the subject line.

However, sometimes the filter guesses wrong. Either it lets through a spam message (which is bad) or it filters out a real message (which is worse). To reduce the damage, many filtering systems indicate to the user why a message was marked as spam and let the user decide. For example, a filter can change the subject line so that pornographic spam messages are tagged with “{porn}” in the subject, which is both a visible explanation for the user and an easy hook for a server-side or client-side rule to catch. Another possibility is scoring: the more characteristics of spam a message has, the higher its score, and only messages whose score crosses a threshold are treated as spam. Scoring systems prevent a real message that happens to have a few spam-like features (say, a message from your boss titled “READ THIS NOW!!!!!!!”) from being filtered.

Unfortunately, spammers are nothing if not clever, so even as I write they are busily adjusting their tactics and the content of their messages to outfox widely deployed filters. That’s led to the development of collaborative filtering engines such as Vipul’s Razor (http://razor.sourceforge.net/), used by the popular SpamAssassin (http://www.spamassassin.org) package for UNIX systems. With collaborative filtering engines, when one system detects that a particular sender, IP address, subject line, or message body is spam, it notifies a central database, and all other filters that use the same database are then forewarned about that particular message or sender.

end sidebar
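The scoring approach the sidebar describes, as an added example that is not code from the book: each rule looks for one of the spam features named above, a message collects points for every rule that fires, and only messages over a threshold get a subject tag that says which rules fired. The rule weights, the threshold, the tag format, and the two sample messages are all assumptions made for illustration.

```python
"""Scoring spam filter (added example; weights and threshold are hypothetical)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Message:
    sender: str
    subject: str
    body: str


# (rule name, predicate, points).  Weights are illustrative, not tuned on real mail.
RULES: List[Tuple[str, Callable[[Message], bool], float]] = [
    ("subject_home_mortgage",
     lambda m: "home mortgage" in m.subject.lower(), 3.0),
    # "XXX", "porn" and "p0rn" as whole words anywhere in the body
    ("porn_words",
     lambda m: re.search(r"\b(xxx|p[o0]rn)\b", m.body, re.IGNORECASE) is not None, 3.0),
    ("many_dollar_signs",
     lambda m: m.body.count("$") >= 3, 1.5),
    ("subject_exclamations",
     lambda m: m.subject.count("!") >= 3, 1.0),
    ("subject_all_caps",
     lambda m: m.subject.isupper(), 1.0),
]

THRESHOLD = 5.0  # hypothetical cut-off; tune against your own mail before deploying


def score_message(msg: Message) -> Tuple[float, List[str]]:
    """Return the total score and the names of the rules that fired."""
    total = 0.0
    hits: List[str] = []
    for name, predicate, points in RULES:
        if predicate(msg):
            total += points
            hits.append(name)
    return total, hits


def is_spam(msg: Message) -> bool:
    return score_message(msg)[0] >= THRESHOLD


def tag_subject(msg: Message) -> str:
    """Return the subject, prefixed with a score tag when it crosses the threshold.

    The tag tells the user why the message was flagged and gives a later
    server-side or Outlook rule something simple to match on.
    """
    total, hits = score_message(msg)
    if total < THRESHOLD:
        return msg.subject
    return "{spam %.1f: %s} %s" % (total, ",".join(hits), msg.subject)


# Constructed sample messages (not real mail).  The boss's message has two
# spam-like features but stays well under the threshold; the second one
# trips four rules.
BOSS = Message("boss@example.com", "READ THIS NOW!!!!!!!",
               "The budget meeting moved to 3 p.m. Bring the Q2 numbers.")
SPAM = Message("deals@example.net", "Lowest home mortgage rates!!!",
               "Refinance today and save $$$! Free XXX bonus for every applicant.")

if __name__ == "__main__":
    for m in (BOSS, SPAM):
        print(tag_subject(m))
```

The boss’s message scores 2.0 (exclamation points plus an all-caps subject) and passes untouched; the second message scores 8.5 and goes out with a “{spam 8.5: …}” prefix naming the rules that fired.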

Grinning and Bearing It

The first, easiest, and most widely used approach is very simple: tell your users to delete or filter the spam themselves. For small servers, this solution is probably the most cost-effective, even though it doesn’t do anything to solve the problem. Microsoft has built a decent junk mail filter into Outlook 2000, Outlook 2002, and Entourage. With minimal effort, users can filter junk mail themselves or just delete it altogether.

For a slightly more sophisticated solution, you can install a client-side spam filter that works with Outlook. Examples include Cloudmark’s SpamNet (http://www.cloudmark.com) and Deersoft’s SpamAssassin Pro (http://www.deersoft.com). These products install within Outlook and either augment or replace its junk mail filtering capacity. Some of the products tap into collaborative spam filtering systems so that when you report a message as spam, you help prevent others from seeing it in their inboxes.

Tip

Slipstick Systems maintains a great set of options and resources for filtering junk mail with Outlook. (See http://www.slipstick.com/rules/junkmail.htm.) Included is a simple set of four rules that can help reduce spam without any third-party products (although the rules require updates as new spammers emerge).

Although putting the burden of spam removal on users means less work for you, this method has its disadvantages. First, users dislike it. Second, it just sweeps the problem under the rug instead of solving it. For that reason, it’s most often used for small offices that don’t want to spend money or time on more sophisticated solutions.

Blocking by Sender or Domain

If you know that spam is coming from a particular place, you can block the sender or his or her entire domain. This seems on the surface like a great option, but unless all your spam comes from predictable sources, it’s not likely to work well for you (although it will no doubt be tempting to block all mail from some domains). If you want to, it’s fairly straightforward to block IP traffic originating in countries you know you’re not going to do business with. For example, a great deal of spam originates in China and South Korea, with Turkey and Russia in the running for third place.

It’s also possible, and arguably more useful, to block individual senders, and that is often a valuable way to filter persistent senders or companies that just don’t seem to get it. One advantage to filtering by sender address is that you create a filter only once for your entire organization, whereas IP-based restrictions apply to individual servers.

Blocking by IP Address

The next step up in antispam technology is to block incoming connections from IP addresses or domains known to be used by spammers. This approach requires you to have a list of address ranges or domain names of known spammers, which you can build from your own experience or obtain by subscribing to a service like relays.osirusoft.com or the Mail Abuse Prevention System (MAPS; http://www.mail-abuse.net). Some of these list providers also publish lists of known open relays and of address ranges used by dial-up systems—both prolific sources of spam. However, a number of controversial issues surround open-relay blocking. (See the sidebar, “How to Get Off Blocking Lists.”)

Once you have access to such a list, there are two useful things you can do with it:

  • Exchange can be configured to block SMTP connections from particular hosts. You use the Connection dialog box shown earlier in Figure 8-5 to list IP addresses or ranges you want to block. Because the blocking restrictions are stored locally on each server, you’ll need a script to apply the entries to each of your SMTP servers.

  • Some SMTP servers can check each incoming connection against a DNS-based blocking list of spammers. When the SMTP server gets a connection from a particular IP address, it reverses the order of the address’s octets, appends the list’s domain name, and looks the resulting name up in DNS; for example, 192.0.2.10 checked against relays.osirusoft.com becomes 10.2.0.192.relays.osirusoft.com. The list operator’s DNS server holds an address (A) record, conventionally in the 127.0.0.0/8 range, for every listed address. If the lookup returns such a record, the address is listed and the server rejects the connection; if the name doesn’t exist, the address is not listed. Exchange 2000 doesn’t support this type of blocking directly, but various third-party products do, and you can always put your Exchange server behind an SMTP server from your ISP that does use blocking lists if that capability is important to you.

start sidebar
How to Get Off Blocking Lists

Blacklisting is perhaps more controversial than any other approach because innocent senders sometimes have their IP addresses added to the blacklist. One common reason for being added to a blacklist is having a relay tester decide that you’re an open relay. Another more troubling reason is that you’ve bought IP connectivity from a company that also sells bandwidth to spammers. Because many blocking lists are operated by people whose philosophy can be summed up as “death to spammers,” it’s often difficult to get off a list once you’re on it.

This difficulty is multiplied by a simple fact: you probably won’t find out you’re on the blacklist until someone contacts you and complains that they cannot exchange mail with your server. You might also find yourself in the opposite position: one of your users might complain that a particular sender’s mail never arrives, and on investigation you find that an intermediate SMTP server is blocking an IP address.

Of course, the best way to get off blocking lists is to stay off them in the first place. If you’re not sure whether or not your servers are open relays, test them using the instructions given earlier, and tighten any openings you find. If you do it quickly enough, you might escape being blacklisted.

When you suspect you might have been added to a block list, your first step is to see whether that’s really the case. The OpenRBL Web site (http://www.openrbl.org/) allows you to look up an IP address to see whether it’s listed on any blocking lists. If you find your server on one of the lists, your next move is to get it off. Exactly how you do that varies by list. Generally, you’ll have to visit the site and ask to be retested. http://relays.osirusoft.com offers a one-stop retesting process, but unfortunately it flags Exchange servers as being open relays even when they’re not.

end sidebar
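The two connection-time checks described in the “Blocking by IP Address” list (a locally stored deny list of addresses and ranges, and a DNS-based blocking-list lookup), together with the sidebar’s advice to look an address up against several lists before you complain to anyone, as one added example that is not code from the book or from any list operator. It shows how the reversed-octet query name is built, how a 127.0.0.x answer is distinguished from “not listed”, and how a local entry short-circuits the DNS round trip. The local deny entries, the `blackholes.mail-abuse.org` zone name, the 127.0.0.x result codes, and the stand-in zone data are assumptions; with the real resolver the code does live DNS lookups against whatever those zones answer today.

```python
"""Connection-time IP checks: local deny ranges plus DNS-based blocking lists.

Added example.  List zones, result codes and the stand-in zone data are assumptions.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Entries of the kind an administrator types into the Connection dialog.
# Constructed, documentation-range addresses (hypothetical deny list).
LOCAL_DENY = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.77/32")]

# Blocking-list zones to consult.  The first is named in the text; the second
# is assumed to be the MAPS RBL zone.  Neither is guaranteed to still answer.
DNSBL_ZONES = ["relays.osirusoft.com", "blackholes.mail-abuse.org"]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the dotted-quad octets and append the list zone.

    192.0.2.10 checked against relays.osirusoft.com becomes
    10.2.0.192.relays.osirusoft.com.
    """
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("only IPv4 lists are modelled here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolver(name: str) -> Optional[str]:
    """Live lookup: an A record means 'listed'; no such name means 'clean'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_lists(ip: str, zones: List[str], resolve: Resolver = dns_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every list that has the address.

    This is also the check to run on your own server's address when you
    suspect you have been blacklisted: the dict says which lists to go to.
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Lists answer inside 127.0.0.0/8 (some encode the reason in the last
        # octet, e.g. open relay vs. dial-up); anything else is not a listing.
        if answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits[zone] = answer
    return hits


def in_local_deny(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_DENY)


def decide_connection(ip: str, zones: List[str] = DNSBL_ZONES,
                      resolve: Resolver = dns_resolver) -> Tuple[bool, str]:
    """Accept or reject an inbound SMTP connection from ip.

    Local entries win first (no DNS round trip), then the blocking lists.
    """
    if in_local_deny(ip):
        return False, "local deny list"
    hits = check_lists(ip, zones, resolve)
    if hits:
        return False, "listed on " + ", ".join(sorted(hits))
    return True, "not listed"


# Constructed stand-in for the list zones so the example runs offline.
FAKE_ZONE = {
    "5.113.0.203.relays.osirusoft.com": "127.0.0.2",
    "5.113.0.203.blackholes.mail-abuse.org": "127.0.0.2",
    "9.100.51.198.relays.osirusoft.com": "127.0.0.3",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9", "192.0.2.10", "203.0.113.40"):
        print(ip, decide_connection(ip, resolve=fake_resolver))
```

Note the asymmetry the sidebar warns about: a listing rejects the connection outright, so the sender sees only an SMTP error and you find out when someone complains. Keep the local deny list short and reviewed, and treat a third-party list hit as a reason to reject at connection time rather than silently discard later.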

Filtering Mail at the Perimeter

Another alternative is to filter mail before it actually reaches your Exchange server, at the perimeter of your network. Most commercial spam-filtering products and services take this approach because the goal is to keep any of your resources from being wasted by the spammer. There are two basic approaches to perimeter spam filtering:

  • Use a commercial service such as Brightmail or an ISP that provides something similar. In this case, your domain MX records will point to the ISP’s server, and your SMTP mail will go there first for filtering. Mail that doesn’t get filtered will be routed to your server for delivery. Most commercial filtering services offer a Web-based interface that allows individual users to check the filtered messages to make sure no real messages were filtered.

  • Buy a commercial filtering product, and use it as the front-end SMTP server. Some products, such as Trend’s InterScan, are stand-alone SMTP servers, whereas others, such as Nemx’ Power Tools for Exchange, must be installed on an Exchange 2000 server. These products are often combined with antivirus and content-scanning features. Microsoft’s Internet Security and Acceleration (ISA) Server, discussed in Chapter 12, “E-Mail Encryption,” includes an SMTP proxy, which is a message filter that can do keyword scanning of inbound messages, and an attachment scanner.

Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
Year: 2003
Pages: 169