Understanding Spam


In a book like this, it's often hard to explain complex concepts so that people of different technical backgrounds and skill levels can understand them. Happily, it's really easy to explain spam: it's electronic junk mail; most people hate it; and it's proliferating. Some estimates say that more than 80 percent of the mail sent to recipients at popular free e-mail services such as Hotmail or Yahoo! Mail is spam. I know of one 100,000-mailbox Exchange site that gets more than half a million spam messages every day! At those volumes, spam ceases to be merely an annoyance and turns into a positive threat. America Online, Hotmail, Yahoo! Mail, and other major mail providers and ISPs have tried a variety of measures to stem spam flowing into and out of their systems, but that only helps a bit; we still have plenty to do on our own.

Of course, even small amounts of spam can be threatening. Spam is often used to advertise questionable products or sites you don't want your internal workstations visiting, especially because many of the things advertised through spam are likely to offend at least one person at any given company. Spam annoys users, wastes your bandwidth, and uses valuable storage space. Accordingly, most Exchange administrators are hungry for ways to keep spam off their servers; finding the right approach starts with understanding the possibilities.

Common Spam-Blocking Tactics

Unfortunately, spam isn't illegal in most jurisdictions, and it's definitely against the law to shoot spammers on sight (at least for now). In the meantime, there are several approaches to spam protection. Most sites find that a combination of perimeter filtering, user education, and content scanning works well. Microsoft has been very aggressive about attacking spam, both through taking legal action against spammers and by beefing up the Exchange Server 2003 and Microsoft Office Outlook 2003 spam-filtering capabilities. Let's look at how we can leverage these technical improvements to reduce the amount of spam on your network.

start sidebar
Separating Spam from Real Mail

One key obstacle to a perfect spam filter is simple: computers can't process human languages well enough to reliably distinguish spam from legitimate mail. A spam filter that frequently throws away mail you actually want won't be widely adopted, but a filter that doesn't filter enough spam won't be either! This conundrum is tricky for filter designers. Spam often has unique characteristics that give filters an easy way to identify it. For example, the character strings XXX, porn, and p0rn are found much more often in spam messages than in real mail, as are excessive numbers of dollar signs or exclamation points, or the words home mortgage in the subject line.

However, sometimes the filter guesses wrong. Either it lets through a spam message (which is bad) or filters out a real message (which is worse). To solve this problem, many filtering systems indicate to the user why the message was marked as spam and let the user decide. For example, a filter can change the subject line so that pornographic spam messages are tagged with {porn} in the subject, an easy hook for a server-side filter to catch. Another possibility is scoring: the more characteristics of spam a message has, the higher its score. Scoring systems prevent a real message that happens to have a few spam-like features (say, a message from your boss titled READ THIS NOW!!!!!!!) from being filtered.

Unfortunately, spammers are nothing if not clever, so even as I write they are busily adjusting their tactics and the content of their messages to outfox widely deployed filters. That's led to the development of collaborative filtering engines such as Vipul's Razor ( http://razor.sourceforge.net/ ), used in the popular SpamAssassin ( http://www.spamassassin.org ) package, and the Distributed Checksum Clearinghouse (DCC; see http://www.rhyolite.com/anti-spam/dcc/ ). With collaborative filtering engines, when one system detects that a particular sender, IP address, subject line, or message body is spamming, it notifies a central database, and all other filters that use the same database can then be forewarned about that particular message or sender. This is a powerful idea, but it depends on what technology pundits call the fax machine effect: fax machines are only useful when there are lots of other machines to talk to. Collaborative filters are only useful when enough systems use them; fortunately, it looks like both DCC and Razor-based systems are gaining critical mass. Exchange doesn't directly support either of these technologies, but third parties are building them into their Exchange-aware spam filters (more on those in a bit).

end sidebar
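The scoring idea from the sidebar above, as an added example that is not part of the book: each of the sidebar's own spam markers (XXX/porn/p0rn, home mortgage in the subject, piles of dollar signs or exclamation points) contributes a weight, and only the sum is compared with a threshold, so the boss's READ THIS NOW!!!!!!! message stays below it. The weights, the threshold, the {spam ...} subject tag format, and the sample messages are assumptions made for this example.

```python
import re

# Heuristic rules taken from the sidebar's own examples. Each entry is
# (name, test(subject, body) -> bool, weight). The weights and the
# threshold are assumed values chosen for this example.
RULES = [
    ("porn_keyword",
     lambda s, b: re.search(r"\b(xxx|porn|p0rn)\b", s + " " + b, re.I) is not None, 3.0),
    ("home_mortgage_subject", lambda s, b: "home mortgage" in s.lower(), 2.0),
    ("many_dollar_signs", lambda s, b: (s + b).count("$") >= 3, 1.0),
    ("many_exclamations", lambda s, b: (s + b).count("!") >= 5, 1.0),
    ("shouting_subject", lambda s, b: len(s) > 8 and s.isupper(), 0.5),
]

def score_message(subject, body):
    """Return (total score, names of the rules that fired)."""
    hits = [(name, weight) for name, test, weight in RULES if test(subject, body)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]

def classify(subject, body, threshold=4.0):
    """A message is spam only when enough spam-like features add up;
    one or two features on their own stay below the threshold."""
    score, hits = score_message(subject, body)
    return ("spam" if score >= threshold else "ham"), score, hits

def tag_subject(subject, body, threshold=4.0):
    """Rewrite the subject of a suspected spam so a server- or client-side
    rule can catch it and the user can see why it was flagged."""
    verdict, score, hits = classify(subject, body, threshold)
    if verdict == "ham":
        return subject
    return "{spam %.1f: %s} %s" % (score, ",".join(hits), subject)

# Constructed sample messages (not from the book).
BOSS = ("READ THIS NOW!!!!!!!", "Budget meeting moved to 3 pm. Bring the Q3 numbers.")
SPAM = ("Home mortgage rates slashed!!!", "Refinance today $$$ and save $$$ XXX offers!!!")
INVOICE = ("Invoice 1042", "Total due: $120. Pay $120 by Friday or $130 after.")

if __name__ == "__main__":
    for subj, body in (BOSS, SPAM, INVOICE):
        print(classify(subj, body), "->", tag_subject(subj, body))
```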

Grinning and Bearing It

The first, easiest, and most widely used approach is very simple: tell your users to delete or filter the spam themselves. For small servers, this solution is probably the most cost-effective, even though it doesn't do anything to solve the problem. Microsoft has built a decent junk mail filter into Outlook 2000, Outlook 2002, and Entourage. The new junk filter in Outlook 2003 is terrific; it's derived from work done by Microsoft Research, which was in turn made into the MSN 8 junk filter. With minimal effort, users can filter junk mail themselves or just delete it altogether. (For a more complete description of how Outlook 2003 client-side filtering works, see Chapter 13, Securing Outlook.)

If you're not using Outlook 2003, you might find that a client-side spam filter that works with Outlook 2000 or Microsoft Office Outlook XP is valuable. Examples include Cloudmark's SpamNet ( http://www.cloudmark.com ) and McAfee's SpamKiller ( http://www.mcafee.com ). These products install within Outlook and either augment or replace its junk mail filtering capacity. Some of the products tap into collaborative spam-filtering systems so that when you report a message as spam, you'll help prevent others from seeing it in their inboxes. However, these solutions have one major disadvantage: they don't work with Outlook Web Access.

Tip

Slipstick Systems maintains a great set of options and resources for filtering junk mail with Outlook. (See http://www.slipstick.com/rules/junkmail.htm.) Included is a simple set of four rules that can help reduce spam without any third-party products (although the rules require updates as new spammers emerge).

Although putting the burden of spam removal on users means less work for you, this method has its disadvantages. First, users dislike it. Second, it just sweeps the problem under the rug instead of solving it; your servers still have to waste time, space, and bandwidth on receiving, processing, and storing spam messages. For that reason, user filtering is most often used for small offices that don't want to spend money or time on more sophisticated solutions.

Blocking by Sender or Domain

If you know that spam is coming from a particular place, you can block the sender or his or her entire domain. This seems on the surface like a great option, but unless all your spam comes from predictable sources, it's not likely to work well for you (although it will no doubt be tempting to block all mail from some domains). If you want to, it's fairly straightforward to block IP traffic originating in countries you know you're not going to do business with. For example, a great deal of spam originates in Pacific Rim countries, with the Middle East and Eastern Europe pitching in their fair share.

It's also possible, and arguably more useful, to block individual senders, and that is often a valuable way to filter persistent senders or companies that just don't seem to get it. One advantage to filtering by sender address is that you create a filter only once for your entire organization, whereas IP-based restrictions apply to individual servers. However, sender-based filtering is like stepping on roaches: you might get a few, but there are too many scuttling around to get them all.

Blocking by IP Address

The next step up in antispam technology is to block incoming connections from IP addresses or domains known to be used by spammers. This approach requires you to have a list of address ranges or domain names of known spammers, which you can obtain experientially or by subscribing to a service like the Mail Abuse Prevention System (MAPS; http://www.mail-abuse.org ). Some of these list providers also provide lists of known open relays and address ranges used by dial-up systems, both prolific sources of spam. However, a number of controversial issues surround open-relay blocking. (See the sidebar, How to Get Off Block Lists.) In particular, some providers of blocking lists have been attacked by distributed denial of service (DDoS) attacks and are no longer operating; when you choose a service provider, make sure you regularly monitor their health, lest your blocking abruptly stop working.

Once you have access to such a list, there are two useful things you can do with it. First, you can configure individual Exchange servers to block SMTP connections from particular hosts. Use the Connection dialog box shown earlier in Figure 8-6 to list IP addresses or ranges you want to block. Because the blocking restrictions are stored locally on each server, you'll need a script to apply the entries to each of your SMTP servers. The other useful thing you can do with a list of spammers' IP addresses is to use a new Exchange Server 2003 feature, the Connection Filtering tab of the Message Delivery object's Properties dialog box. You can easily miss this tab, because the Message Delivery object itself resides under the Global Settings node under your Exchange organization object; many administrators never realize that it's there. On this tab, you can specify zero or more block list services (including block lists that you set up on your own DNS servers), and you can set up a global list of IP addresses to use when deciding which connections to accept or deny.
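How a DNS-based block list lookup of the kind the Connection Filtering tab performs actually works, as an added example that is not code from the book or from Exchange: the client reverses the octets of the connecting IP address, queries that name under the list's zone, and treats an A record in 127.0.0.0/8 as "listed". The same lookup is what a site such as OpenRBL runs on your behalf (see the sidebar below), and the health check implements the standard self-test that catches the dead or wildcarded lists the paragraph above warns about. The zone name bl.example.invalid, its contents, and the reason codes are constructed for this example; the resolver is a dictionary lookup so the code runs offline.

```python
import ipaddress

ZONE = "bl.example.invalid"  # assumed name of a block list you run on your own DNS server

# Constructed zone contents standing in for live DNS. A DNSBL answers with an
# A record in 127.0.0.0/8; by convention the last octet says why the address
# is listed (these reason codes are invented for the example).
CONSTRUCTED_ZONE = {
    "4.3.2.1." + ZONE: "127.0.0.2",      # known spam source
    "200.1.0.10." + ZONE: "127.0.0.3",   # open relay
    "2.0.0.127." + ZONE: "127.0.0.2",    # RFC 5782 test entry every live list carries
}

def dnsbl_query_name(ip, zone=ZONE):
    """Build the lookup name: the IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone=ZONE, resolve=CONSTRUCTED_ZONE.get):
    """Return the listing code (last octet of the answer) or None if unlisted.
    `resolve` maps a name to an A record string or None; for live use wrap
    socket.gethostbyname so that NXDOMAIN returns None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None  # not a DNSBL answer (e.g. a wildcarded or expired domain)
    return int(answer.rsplit(".", 1)[1])

def list_is_healthy(zone=ZONE, resolve=CONSTRUCTED_ZONE.get):
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A dead list fails the first test; a wildcarded one fails the second."""
    return (is_listed("127.0.0.2", zone, resolve) is not None
            and is_listed("127.0.0.1", zone, resolve) is None)

def connection_decision(ip, zone=ZONE, resolve=CONSTRUCTED_ZONE.get):
    """What an SMTP front end would do with an inbound connection from ip."""
    if not list_is_healthy(zone, resolve):
        return "accept (list unhealthy, fail open and alert)"
    code = is_listed(ip, zone, resolve)
    return "accept" if code is None else "reject (listed, code %d)" % code
```

Failing open when the list is unhealthy is a choice made here so that a dead list provider degrades to "no filtering plus an alert" rather than silently blocking or silently passing everything.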

start sidebar
How to Get Off Block Lists

Block listing is perhaps more controversial than any other approach because innocent senders sometimes have their IP addresses added to the block list. One common reason for being added to these lists is having a relay tester decide that you're an open relay. Another more troubling reason is that you've bought IP connectivity from a company that also sells bandwidth to spammers; even if your ISP is totally aboveboard, you might find that your Digital Subscriber Line (DSL) or cable modem connection's IP address appears on a dial-up user list (DUL), which some filtering services use as prima facie evidence that your traffic should be blocked. Because many blocking lists are operated by people whose philosophy can be summed up as "death to spammers," it's often difficult to get off a list once you're on it (especially given the terrible people skills that some service operators routinely display).

This difficulty is multiplied by a simple fact: you probably won't find out you're on the list until someone contacts you and complains that they cannot exchange mail with your server. You might also find yourself in the opposite position: one of your users might complain that a particular sender's mail never arrives, and on investigation you find that an intermediate SMTP server is blocking an IP address.

Of course, the best way to get off blocking lists is to stay off them in the first place. If you're not sure whether or not your servers are open relays, test them using the instructions given earlier, and tighten any openings you find. If you fix them quickly enough, you might escape being block listed.

When you suspect you might have been added to a block list, your first step is to see whether that's really the case. The OpenRBL Web site ( http://www.openrbl.org/ ) allows you to look up an IP address to see whether it's listed on any blocking lists. If you find your server on one of the lists, your next move is to get it off. Exactly how you do that varies by list. Generally, you'll have to visit the site and ask to be retested. Some relay testers offer a one-stop retesting process; just be careful that they're not going to flag your Exchange servers as being open relays even when they're not.

end sidebar

Filtering Mail at the Perimeter

Another alternative is to filter mail before it actually reaches your Exchange server, at the perimeter of your network. Most commercial spam-filtering products and services take this approach because the goal is to keep any of your resources from being wasted by the spammer. There are two basic approaches to perimeter spam filtering:

  • Use a commercial service such as Brightmail ( http://www.brightmail.com ), MessageLabs ( http://www.messagelabs.com ), or an ISP that provides something similar. In this case, your domain MX records will point to the ISP's server, and your SMTP mail will go there first for filtering. Mail that doesn't get filtered will be routed to your server for delivery. Most commercial filtering services offer a Web-based interface that allows individual users to check the filtered messages to make sure no real messages were filtered.

  • Buy a commercial filtering product, and use it as the front-end SMTP server. Some products, such as NetIQ's MailMarshal SMTP or Trend's InterScan eManager, are stand-alone SMTP servers, whereas others, such as Nemx Power Tools for Exchange, must be installed on an Exchange Server 2003 server. These products are often combined with antivirus and content-scanning features. Microsoft Internet Security and Acceleration (ISA) Server, discussed in Chapter 12, Secure E-Mail, includes an SMTP proxy, which is a message filter that can do keyword scanning of inbound messages, and an attachment scanner.




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189
