MTA E-mail Filtering

Blocking List Technologies

Even today, with the very public clash between administrators and spammers, many servers on the Internet remain vulnerable to abuse (unauthenticated relaying of e-mail), meaning they errantly "retransmit and distribute" the spam we all receive. One well-known system that was one of the first of its kind was the e-mail Abuse Prevention System (MAPS). MAPS was originally started by Paul Vixie, creator of BIND (DNS server software) and founder of the PAIX. MAPS administers an initiative called the Real-time Blackhole List (RBL) where known spam offenders (actually, the specific e-mail hosts they abuse in order to propagate spam) get added to an IP access control list, which is in turn "subscribed to" by Internet border routers and anti-spam software filters everywhere (enterprises, ISPs, and so on). While MAPS was ground-breaking in its day, several other blocking lists have since been developed, many of which are free of charge to use.

To further explain RBLs, when a spam goes out and early recipients complain to the managers of such RBLs (often an automated process), the perpetrator is almost immediately added to the RBL and many sites (companies, educational institutions, and ISPs that had intentionally subscribed to the RBL) are able to block the abusive host from performing e-mail transactions before the wave of spam is able to reach their MTA and subsequently their users. The vast majority of spammers will try to abuse the same e-mail systems on subsequent occasions (perhaps weeks later) and the RBL will preclude them from being successful in their following attempts. Blocked sites must go through an arduous process to protect themselves and their e-mail hosts from abuse, and prove to the various RBLs that they have taken steps to correct what had gone wrong. Once this is done, they are removed from the RBL and will again be able to ubiquitously send e-mail, assuming the RBL maintainer(s) approve their new operating plans.

As described earlier, there are many more RBLs available today in addition to the MAPS RBL initiative. Many of these blocking lists work very well and significantly reduce spam, while others are implemented with an all-too-aggressive approach to rid the world of spam completely. These latter RBLs are so rigid that administrators utilizing them often find themselves continuously receiving complaints of users not receiving e-mail because the RBL was "too rigid." An administrator's goal should be to find one or more RBLs that fit the organization's spam filtering policies. As previously mentioned, several RBLs are more than just open relay lists. The Composite Blocking List (CBL) known as http://cbl.abuseat.org includes many different systems, such as the detection of open relays, open proxies, infected systems using direct mail transmission, and so on. The CBL does not rely on reports from administrators to populate lists; rather, the lists are populated through data gathered automatically (spam traps, and so on). This type of RBL reduces the need for increased human reports to be more successful. Right Hand Side Blocking Lists (RHSBLs) allow MTAs to filter spam based on the entire domain and not just a system or IP address. Many RBL maintainers also maintain RHSBLs; however, there are organizations that solely provide RHSBLs as a means of combating spam. RBL technology (which includes RBLs, RHSBLs, and URI BLs) is in use by the vast majority of ISPs, educational institutions, and major corporations worldwide and does a good job of significantly reducing the transport of unsolicited e-mail. Also, URI BLs provide administrators with a list of systems or IP addresses that are found within the bodies of spam messages themselves. If a system is associated with spam messages, the system is added to URI BLs and systems subscribing to the URI BLs will not communicate with said systems.

The list below provides some suggestions for various DNSBLs and RBLs. However, an organization must determine the level it deems necessary to fight spam. Some of the examples below are aggressive in blocking and can cause day-to-day issues with e-mail delivery if not carefully maintained . Recommended sites for RBLs include

• http://cbl.abuseat.org

• http://list.dsbl.org

• http://pss.spambusters.org.ar

• http://opm.blitzed.org

• http://relays.ordb.org

• http://relays.visi.com

• http://bl.spamcop.net

• http://sbl.spamhaus.org

• http://blackhole.securitysage.com

• http://dsn.rfc-ignorant.org

For more comprehensive lists of RBLs, you may wish to visit http://www. dnsbl . info /dnsbllist.asp or http://www.sdsc.edu/~jeff/spam/cbc.html, both of which contain several more RBL listings than those above. With these lists (and others like them), you can decide which lists make the most sense for your organization.

While it's not necessary to use all of the RBLs listed above, you should use more than one to have a more comprehensive blocking list. The first (http://cbl.abuseat.org) is certainly a recommended option and a choice of one or two others should be sufficient for most organizations attempting to block spam through RBLs. For more information, please review the section "Relay Security and Blocking Lists," earlier in this chapter.

Collaborative Spam Identification Systems

But what happens when spam originates from an organization that is legitimately set up to send unsolicited e-mail? In this case, there is no compromised e-mail server to block (via most RBLs) as an incentive for its owners to secure it. While few of these businesses exist today (and while very little unsolicited e-mail is attributable to their ventures ), every indication suggests they may become a problem in the future. Additionally, MTAs that do not allow unauthenticated relaying but that have been attacked and subsequently compromised for the purpose of sending spam are also legitimate problems. The Spamhaus Blocking List (SBL) is a form of blocking list and includes many of these types of systems, but what if the SBL is not used by your organization? To combat these types of systems, new ideas were needed in the anti-spam fight.

Collaborative spam identification systems such as DCC (the Distributed Checksum Clearinghouse), Razor (Razor2), and Pyzor are all additional methods used for eradicating spam. These systems use statistics gathered from multiple systems available on the Internet to determine whether e-mail messages should be considered spam. For example, the DCC is a system that consists of more than 250 servers. These servers collect and calculate checksums on over 150 million e-mail messages per day. (The checksum used ignores various aspects of messages and is continuously modified to keep up with ever-changing spam messages/techniques.) These messages generally traverse one or more ISPs in their transits where DCC servers reside. DCC servers exchange or "flood" common checksums. The checksums consist of values that are constant even when a spam message is varied slightly (such as customizations to users). These checksum counts gathered by DCC servers are then used to assist in determining if a message is spam by comparing with other DCC servers. If deemed spam, SMTP servers utilizing DCC services reject or filter the message as unsolicited bulk e-mail. E-mail servers or MTAs utilizing DCC simply act as clients soliciting statistics from DCC servers. Therefore, the implementation of such techniques is similar to that of RBLs.

Each organization must decide independently how to handle each spam message. If any checksum exceeds limits set by the organization, the MTA (with the DCC client) can log, discard, or reject the message. Whitelists are used by the MTA similar to other anti-spam techniques to ensure solicited e-mail is delivered properly.

There is an increase in network bandwidth requirements when using the DCC; however, the communication between the DCC client (organization MTA) and the DCC server consists of a single pair of UDP/IP datagrams. The methodology used by the DCC is that the more messages it is exposed to (more DCC servers, more DCC clients), the more accurate the checksum counts and subsequently spam identification will be. While this increases bandwidth requirements, it certainly can be argued that the decrease in spam and UCE counters that increase with a larger decrease in bandwidth requirements (if e-mail is discarded or rejected).

As with other anti-spam methods, spammers have found ways to circumvent the checksum or fuzzy hash anti-spam methods. Spammers now often use "hash busting" information in spam messages. This information may include random words or random lines as a different data set in every spam message. This data is often randomly collected web data used purely as a camouflage technique attempting to hide the messages from these types of spam filtering technologies. Bayesian filtering is an algorithm using many of the same characteristics of checksum and fuzzy hash systems and also falls prey to randomized data included in the spam messages.

Whitelists and CRAM

Beyond RBLs and the DCC, some organizations harden their e-mail systems using whitelists as a means of protection. In a pure whitelist-based system, all e-mail except that which is explicitly flagged as acceptable is blocked. In many organizations, public exposure to the global e-mail system is limited and the extent of most participants ' usage can be summarized by a number of rules that accept e-mail from outside a corporate network. Anything outside of those rules will be turned away.

One method that builds upon the whitelist methodology is a Challenge-Response Authentication Mechanism (CRAM). In this type of system, a received message is queued by the MTA temporarily, often referred to as sidelining. The purpose for this inbound queuing is to check whitelists to determine whether the sender is authorized to send to the recipient. If the sender is authorized per the whitelists, the message is forwarded on to the sender. If not, the MTA holds the message in the queue and contacts the sender for verification. Various checks are performed (which generally are configured per the implementation), but may include

• Option 1: Sending E-mail Domain Validation MTA checks for a real domain with DNS-listed MX records identifying mail servers that respond to SMTP. Once the MX lookup is completed for the sender domain, the MTA will connect to the MX to ensure it is a legitimate e-mail server.

• Option 2: Validation Request to the Sender Sender must reply to validation request (normally via e-mail, but alternatively by clicking a URL and visiting a web site) to be added to the system whitelist and subsequently allowed to send e-mail to the intended recipient.

• Option 3: Turing Test The sender must respond by answering a test that is difficult for a computer system to evaluate or answer correctly. This successful response indicates there is a human presence associated with the sender's "From" address in the original message in question. Turing tests generally use human senses for validation, such as typing a word/phrase that appears in an image or typing a phrase heard in an audio file. The CAPTCHA Project of Carnegie-Mellon is an example of Turing tests in action (http://www.captcha.net).

If the sender (or the sender's MTA) passes the preconfigured tests or responses to challenges, the message is removed from the queue and delivered to the recipient. Of course, once the user has been added to the whitelist (presumably automatically after passing the test(s)), he will not be required to go through the testing process again. If any of the challenges fail, the message is rejected, dropped, logged, and so on (all configurable in the MTA).

Some of the concerns with CRAM systems include the additional load on systems and network infrastructure to support the validations involved with challenging and responding. The additional traffic as well as the productivity loss involved with validating e-mail makes this type of technology less attractive. Instead of users contending with unsolicited e-mail, they are bogged down with validation requests , Turing tests, and other mechanisms for corroborating who they are and that in fact they should be allowed to send e-mail to the intended recipient. This is a similar problem as that caused by anti-virus systems that attempt to respond to the spoofed sender with an NDN-type notification. Because the sender of the original message was spoofed, the NDN notification just spammed the legitimate user (who was spoofed) unknowingly (the justification for turning off NDNs in anti-virus packages was discussed earlier). Option 1 listed above allows a simplistic form of challenge-response without the need for sender involvement creating a scalable option within the anti-spam fight. Options 2 and 3 require sender validation, which may not be viable in most organizations.

Option 3 (Turing tests) may also be limited in its usefulness because of recent efforts by spammers to defeat this type of test. The CAPTCHA-style validation is meant as a test requiring human interaction. As with many other anti-spam techniques, spammers are finding ways around this type of validation. There are software packages that are now able to defeat CAPTCHA-style validations (for some examples available at the time of writing, please see http://sam.zoy.org/projects/pwntcha). Other methods for defeating CAPTCHA-style and other Turing test challenges include posting Turing test response requests to alternative sites under the spammer's control. The unsuspecting user of the alternative site inadvertently inputs the Turing test response and passes the test for the spammer, unknowingly allowing the spammer to then continue on his spamming endeavors.

For example, spammers utilize automated processes to sign up for free e-mail account access, providing a means of gaining access to hundreds (even thousands) of legitimate e-mail accounts. When confronted with a CAPTCHA-style or other Turing test, the spammer simply redirects the test to another sign-up mechanism taking place on some other system within the spammer's control. Pornography web site sign-ups are a popular posting place for redirected CAPTCHAs and other Turing tests. Spammers that control web servers hosting pornography (which require sign-ups) have access to a large number of "in progress" sign-ups that can be used to process the redirected CAPTCHA (or other Turing) tests during the web sign-up process. The user at the pornography web site assumes the CAPTCHA test is part of the sign-up process, but in reality, this is redirected from the other CRAM-enabled system (that is, the free e-mail account sign-up discussed above). (For more information on defeating CAPTCHAs using methods similar to those outlined above, please see http://nilesh.org/weblog/2004/12/defeating-captchas/.)

As mentioned earlier, because of the increased network load, sender validations, and the bypass capabilities, option 3 (Turing tests) in CRAM systems should be analyzed very carefully before implementing to ensure there is legitimate benefit to your organization.

Whitelists, Blacklists , and Greylists

Where using whitelists exclusively provides an organization with a "deny all unless an allow exception is made" posture, blacklists can be used to block or reject only certain e-mail messages. This posture ("allow all by default, deny only those on the list") can be used to block single e-mail users, certain IP addresses or netblocks, or entire domains. If an organization is having spam problems only from certain entities, these entities can be added to blacklists.

Another technique that is growing in popularity is "greylisting." This technique works best when combined with whitelisting and is not suitable for large enterprises or ISPs, but is quite effective for single-user MTAs and for small organizations. Greylisting works by tracking tuples (a pre-set number of characteristics). These characteristics include

• MTA IP address (from sender)

• Envelope sender

• Envelope recipient

If the connecting MTA IP address is on the whitelist or the sender has been seen before within a configured timeframe, the e-mail is allowed for delivery. If these criteria are not met, a "450 temporary failure" message is issued. Since most spammers only attempt to send a message once, this effectively blocks a large amount of spam.

Micropayment and "Stamps"

Another form of whitelisting includes the use of micropayments or stamps. An organization (or single user) could enforce micropayments for all e-mail being received. The general concept is if an e-mail recipient has to contend with unwanted e-mail messages, he or she should be compensated. In theory, the sender would "pay" the recipient to receive e-mail. E-mail that is solicited may be allowed a "free pass" and the sender would not be charged when sending to organizations using this technology. On the other hand, spammers will not find e-mail as efficient (or cheap) to send bulk spam because of the micropayment; therefore, the spam sent to the organization or user would be reduced. Some similar alternatives include various types of "stamps" included when e-mail is sent. If senders' e-mail holds cryptographic stamps, recipients can set rules to accept these messages exclusively. These stamps do not have to cost money; instead, they could have an indirectly associated cost (such as CPU time, as you will see in the example that follows ) giving the sender authenticity. The end goal of this type of technology is to have all legitimate e-mail users holding a stamp and MTAs accepting e-mail exclusively from all stampholders.

An example of this type of anti-spam is a technology called Hashcash. Hashcash runs as a plug-in on mailers or MTAs and for each message being sent, it inserts an additional header. This header stamp includes information about Hashcash and the associated recipient. The example below is displayed in the Hashcash FAQ located at: http://www.hashcash.org/faq/:

 X-Hashcash: 0:030626:adam@cypherspace.org:6470e06d773e05a8 

In order to produce this Hashcash header stamp, there is an associated CPU cost. For typical e-mail operation, this is generally unnoticeable; however, if a spammer attempts to send e-mail with hosts using Hashcash, the MTA output is significantly reduced (waiting for the CPU to generate cryptographic stamps). The theory is if spammers are slowed down enough, they will not target those systems for sending spam.

Throttling MTAs

A more recent method used for deterring spam from being sent to or accepted by an organization's MTAs is to slow down or " throttle " the MTA incoming message processing. In a day and age where performance is critical, the idea of slowing down the MTA processing seems counterintuitive; however, many spammers will not interact with a slow MTA as it decreases the amount of overall spam that can be sent. Since spammers thrive on volume, any slowdown in the process is subsequently avoided. This methodology affects all incoming messages for an organization, but if incoming spam is significantly reduced, the increase in MTA performance (because of now- unallocated resources previously used by spam) and increase in user productivity (not having to contend with inboxes filled with spam) create legitimate debate over the benefit outweighing the cost. Ecelerity is an MTA product developed and maintained by OmniTI that utilizes MTA throttling as a spam deterrent. While throttling sounds as if it may hurt MTA performance, the Ecelerity product is capable of very efficient message processing and transferring even in a large organization without significant delays.

Authenticated Sender Protocols

There are various technologies available today to provide information about who should be allowed to send e-mail for an entity, organization, or domain. Some of these include

• Sender Policy Framework (SPF)

• Sender ID (Caller ID for e-mail by Microsoft)

• Domain Keys (by Yahoo!)

While each provides various techniques for determining what systems are allowed to send e-mail for an organization, details on SPF will be explained here to provide more information on this type of anti-spam technique.

SPF is a relatively new method to mitigate spam and third-party relaying. As mentioned earlier, MX records are configured in the DNS to advertise the systems that receive mail for a given domain. SPF works using "reverse MX" records, whereby the records indicate the systems (IP addresses) that are permitted to send mail from the domain. These are implemented in DNS as TXT records and are only queried/noticed by systems that support this anti-spam technology. Therefore, publishing them can only help. Given that spammers and relay abusers tend to forge the headers of e-mail to masquerade as another domain, SPF makes spamming much more difficult. If some portion of the SMTP headers is not forged or if a spammer has access to a legitimate account in a domain from which they send, SPF cannot stop the spam. Implementation of SPF consists of the following general steps:

1. Domain administrators must identify systems permitted to send mail for the domain. Next, DNS TXT records, containing SPF information, must be published for the domain.

2. Receivers must request the SPF information through standard DNS queries for the domain, and act on that information.

3. Both senders and receivers must configure MTAs appropriately to handle SPF directives. This is completely MTA dependent. The SPF specification does not dictate how the SPF information should be interpreted and acted on.

The configuration of SPF is quite simple. We'll look at the domain vostrom.com. The following MX records are published for this domain.

 *host -t mx vostrom.com vostrom.com          MX     10 inbound.postal.lax.vostrom.com vostrom.com          MX     20 inbound.postal.phx.vostrom.com 

The MX hosts noted above are also the two systems that deliver all mail from http://vostrom.com; therefore, a simple TXT record is created (below) to specify the systems permitted to send mail from the domain.

 vostrom.com. IN TXT "v=spfl mx ptr -all" 

The following list defines all available SPF directives, including those used in the above example:

• A If the domain has an A record that matches the sender's address, the sender is valid.

• MX If the domain has an MX record that resolves to the sender's address, the sender is valid.

• PTR If the sender's IP address reverse-resolves to a domain that matches the sender's domain, the sender is valid.

• IP4 If the sender's IP address is in the given IPv4 address range, the sender is valid.

• IP6 If the sender's IP address is in the given IPv6 address range, the sender is valid.

• EXISTS If the sender's domain name resolves (regardless of the IP address it resolves to), the sender is valid. (This attribute is used to perform more complex searches with the SPF macro language.)

Using SPF, an ISP or organization may "self-publish" the DNS TXT records with SPF directives. However, for ISPs and large enterprise organizations, accreditation organizations exist that can validate that senders utilizing SPF are not spammers. There is also a certification process in development to help senders and receivers validate their SPF configurations and MTA interoperability.

SPF can solve some of the problems with spam, but like most anti-spam solutions, it is not an all-encompassing solution. Additionally, in implementing SPF, other items are broken. For example, say you are a bargain shopper when it comes to your ISP. You change ISPs regularly for price and performance reasons, but you do not want to inconvenience your points of contact every time you change ISPs. To solve this problem, you registered a domain and use an e-mail address within that domain as your main e-mail address. You point that e-mail address (or addresses in that domain) at your current ISP e-mail address. Now, when you decide to change ISPs, you simply change the forwarding destination of your main e-mail address to your new ISP e-mail address. So you send and receive e-mail at "you@vanitydomain.com" no matter what your ISP. The problem is the e-mail actually is sent through your ISP e-mail server. This is called message forwarding. Natively, SPF implementations break this and other types of message forwarding. In order to solve this problem, a proposed Sender Rewriting Scheme (SRS) must be implemented, which at the time of writing has not been fully adopted yet. Also, SPF is in use by spammers today. If your organization will not accept messages from a server not included in SPF, spammers simply add relays to SPF, thereby bypassing the system. While authenticated sender protocols exist today, these systems need to be analyzed carefully to determine whether they will bring true value to your organization's anti-spam battle.