Anti-Spam and Testing

Anti-spam products are just beginning to hit their stride, but their inner workings are best guesses and not reliable.  Spam and UCE (Unsolicited Commercial Email) are becoming so prevalent that they are estimated to be 50% of the overall mail traffic on the internet.  There has been a concerted effort by commercial entities to bad-mouth the internet blacklists (probably because they were sending out UCE and got blacklisted), so many vendors have released products that try to have the computer guess what is good mail (content filtering).  The spammers are well ahead of this game and word their junk so that these types of filters are ineffective.  In our tests this type of filter blocked 25% of the spam.  That leaves the other 75% in your mailbox.  The only way to truly attack the spam issue is to use the blacklists.  These organizations work very hard to track and test spammers and mail servers.  Yes, it is true that entire ISPs can end up on a blacklist, but it is their lax restrictions, misconfigurations and poor acceptable-use policies that got them on the list.  Yes, it is painful to try to get off the blacklists, but with proper configurations and tighter policies on appropriate use they would not have gotten there in the first place.

The latest weapons in the anti-spam world come in several forms: greylisting, tarpitting, SURBL and auto-whitelisting.  So what are they and what do they do?

The traditional approach has been the blacklists: the email header is taken apart to see where the mail was sent from, and that address is looked up on the blacklists to find out whether it is a known network or server with multiple reports of spam; if so, the mail is blocked.  This has been only moderately effective.  Spammers constantly switch services, and therefore addresses, so they can avoid being caught by a blacklist.  Often they leave the service they were using blacklisted, and legitimate users of that service can't send mail.

Filtering is another form of blacklisting, applied at the destination.  The trick is for the computer to look at the words in the email and decide whether it is spam.  Spammers quickly got around this by adding nonsense letters into the words of the email to confuse the filters; the human eye still makes sense of the words, and the spam gets through.

Greylisting is another approach.  Often the spammer blasts email out of their system with little regard for the SMTP protocol: it sends the message and moves on to the next destination address without checking whether the recipient's mail server bounced it or received it.  Greylisting temporarily rejects every piece of mail from an unknown sender, relying on the fact that a real mail system checks what the receiving mail server is doing.  The greylist issues a temporary rejection and stores the IP address of the sender.  A real mail server will retry 5 to 10 minutes later and is then accepted by the recipient's mail server.

SURBL is a new type of blacklist.  It is not based on the sender's IP address but looks at the mailto:, http: and ftp: URLs in the body of the message.  It looks those items up to see whether they are spamvertised URLs and blocks the message if they are.  This is pretty effective, as moving websites is pretty difficult.

The last item is tarpitting.  This is more of a reverse attack on the spammer, specifically when the spammer is running a directory harvester.  A directory harvester sits and tries to find all the legitimate email addresses on a server by running dictionary attacks against the mail server.  Tarpitting puts a long delay in the response to that spammer.  It does this in conjunction with any of the techniques described above: if the spam package determines that the sender is to be rejected, it waits a programmed amount of time before sending a response.  This slows down the spammer's server while it waits for the handshake that tells it to send the body of the mail.  Spammers are paid by how much they deliver per hour, and this drives their profits down.

Auto-whitelisting protects the users of your mail system.  Obviously all of these techniques have problems, and a legitimate user who is trying to send your user an email can be blocked.  Auto-whitelisting looks at the outbound mail, grabs the recipient's address and adds it to a dynamic list, so that when they respond the email is not checked.
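To make the interaction between greylisting, tarpitting and auto-whitelisting concrete, here is an added example (not code from this page or from any product it mentions) of a toy inbound-mail policy that decides what to answer at the SMTP envelope stage.  The delay constants, the blacklist contents and every IP address and mailbox in it are constructed assumptions; time is passed in as a plain integer of seconds so the greylist retry window can be simulated without waiting.

```python
# Added example (not the page's or Vamsoft's code): a toy inbound-mail policy
# combining greylisting, auto-whitelisting and a tarpit delay as described above.
# Time is passed in as an integer of seconds so the retry window can be
# simulated without waiting; every IP and address below is constructed sample data.
from dataclasses import dataclass, field

GREYLIST_MIN_DELAY = 300      # assumed: retries are accepted after 5 minutes
GREYLIST_MAX_AGE = 4 * 3600   # assumed: a pending triplet is forgotten after 4 hours
TARPIT_DELAY = 30             # assumed: seconds to stall before answering a rejected sender


@dataclass
class Decision:
    action: str      # "accept", "tempfail" (SMTP 4xx, try again later) or "reject" (5xx)
    delay: int = 0   # seconds the server should wait before sending its reply


@dataclass
class MailPolicy:
    blacklist: set = field(default_factory=set)    # sender IPs known to be bad
    whitelist: set = field(default_factory=set)    # addresses our own users wrote to
    greylist: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first-seen time

    def record_outbound(self, recipient: str) -> None:
        """Auto-whitelisting: remember everyone our users send mail to."""
        self.whitelist.add(recipient.lower())

    def check_inbound(self, ip: str, sender: str, rcpt: str, now: int) -> Decision:
        """Decide what to answer at the SMTP envelope stage (MAIL FROM / RCPT TO)."""
        sender, rcpt = sender.lower(), rcpt.lower()
        # Blacklisted source: refuse, but stall first so the spammer's sending
        # process sits idle waiting for our reply (tarpitting).
        if ip in self.blacklist:
            return Decision("reject", delay=TARPIT_DELAY)
        # A reply from someone our users wrote to skips greylisting entirely.
        if sender in self.whitelist:
            return Decision("accept")
        key = (ip, sender, rcpt)
        first_seen = self.greylist.get(key)
        if first_seen is None or now - first_seen > GREYLIST_MAX_AGE:
            # Never seen (or seen too long ago): temporary failure, remember the triplet.
            self.greylist[key] = now
            return Decision("tempfail")
        if now - first_seen < GREYLIST_MIN_DELAY:
            # Retried too soon; a real MTA keeps the message queued and tries again.
            return Decision("tempfail")
        # A patient retry after the window: a real mail server, accept it.
        return Decision("accept")


def simulate() -> dict:
    """Run the scenarios from the text and return each outcome by name."""
    policy = MailPolicy(blacklist={"198.51.100.7"})      # constructed blacklist entry
    policy.record_outbound("partner@example.net")         # our user mailed a partner
    out = {}
    # A real MTA: deferred first, retries six minutes later, then accepted.
    out["mta_first"] = policy.check_inbound("192.0.2.10", "alice@example.org", "bob@example.com", 1000).action
    out["mta_retry"] = policy.check_inbound("192.0.2.10", "alice@example.org", "bob@example.com", 1360).action
    # A spam cannon that fires once and never retries is never accepted.
    out["spammer_once"] = policy.check_inbound("203.0.113.5", "junk@spam.example", "bob@example.com", 1000).action
    # The partner's reply bypasses greylisting thanks to the auto-whitelist.
    out["partner_reply"] = policy.check_inbound("192.0.2.20", "partner@example.net", "bob@example.com", 1001).action
    # A blacklisted host is rejected, but only after the tarpit delay.
    d = policy.check_inbound("198.51.100.7", "junk@spam.example", "bob@example.com", 1002)
    out["blacklisted"] = (d.action, d.delay)
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The point of keying the greylist on the (IP, sender, recipient) triplet rather than the IP alone is that a spammer who rotates addresses never builds up a known triplet, while a legitimate MTA retrying the same message does.  Returning the tarpit delay rather than sleeping inside the policy keeps the decision logic testable and leaves the actual stalling to the server's connection handler.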

In our testing we found one product that we use for our Microsoft Exchange Servers, and that is Vamsoft's Open Relay Filter Enterprise Edition.  ORFE has blacklisting, directory address checking, SURBL, greylisting, regex filtering, auto-whitelisting and tarpitting.  It is the best and one of the cheapest solutions we have ever found.  We like it so much we have a link on this page so you can buy it.  For those with UNIX or Linux based Sendmail systems, modifying the Sendmail configuration file to use the blacklists is easy to do.  We in fact use 8 blacklists to filter mail and are now eliminating 98% of the spam.  We have also deployed Cloudmark's anti-spam product on all our Outlook clients.  While it does not block the spam from getting into your mailbox, it does move the spam to a folder so you can deal with it at a later time.  The principle behind Cloudmark is similar to the music-sharing products, but in this case what is shared is a list of spammers.  The last item we believe in is reporting spam to SpamCop.  To do this we purchased a subscription to the spam reporting service at SpamCop and purchased a product called SpamDeputy that automates the reporting.  SpamCop is our first line of defense in our blacklist filtering and is why we do all our reporting to them.  See our page on the Vamsoft ORFE; you can order it online from us.
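Both the blacklist lookup described earlier (the sending address is taken from the mail and checked against the blacklists) and the Sendmail blacklist filtering mentioned here rely on DNS-based blacklists (DNSBLs).  The following is an added example, not code from this page and not a Sendmail configuration, showing how such a lookup is formed and evaluated, including the policy of requiring several lists to agree before rejecting.  The zone names are placeholders, the rejection threshold is an assumed policy, and the resolver is injected so the example runs offline against a constructed answer table; a live resolver built on the standard library is included for real use.

```python
# Added example (not the page's code and not a Sendmail configuration): how a
# DNS-based blacklist (DNSBL) lookup is formed and evaluated. The zone names
# are placeholders and the resolver is injected so the example runs offline
# with a constructed answer table; a live resolver is shown for real use.
import ipaddress
import socket

# Assumed placeholder zones; a real deployment would list the blacklists it trusts.
DNSBL_ZONES = ["bl-one.dnsbl.example", "bl-two.dnsbl.example", "bl-three.dnsbl.example"]
MIN_LISTINGS_TO_REJECT = 2   # assumed policy: reject when two or more lists agree


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query: the IPv4 octets reversed, then the zone.
    192.0.2.10 checked against zone Z becomes 10.2.0.192.Z"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listed_on(ip: str, zones, resolve) -> list:
    """Return the zones that list `ip`. `resolve(name)` must return the A
    records for `name` as strings, or an empty list when the name does not exist."""
    hits = []
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # DNSBLs answer inside 127.0.0.0/8 (the last octet often encodes a reason).
        # Any other answer means a broken or wildcarded zone and is ignored, so a
        # misbehaving list cannot cause every sender to be rejected.
        if any(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8") for a in answers):
            hits.append(zone)
    return hits


def should_reject(ip: str, resolve, zones=DNSBL_ZONES, threshold=MIN_LISTINGS_TO_REJECT) -> bool:
    """Reject only when enough independent lists agree, limiting the damage one
    over-aggressive list can do to legitimate mail."""
    return len(listed_on(ip, zones, resolve)) >= threshold


def live_resolver(name: str) -> list:
    """Real DNS lookup for production use (not called by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answer table standing in for DNS: 192.0.2.10 is on two lists,
# 192.0.2.11 on one, and bl-three is a hypothetical broken zone that answers
# with a public address for every query.
FAKE_DNS = {
    "10.2.0.192.bl-one.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.bl-two.dnsbl.example": ["127.0.0.4"],
    "11.2.0.192.bl-one.dnsbl.example": ["127.0.0.2"],
}


def fake_resolver(name: str) -> list:
    if name.endswith(".bl-three.dnsbl.example"):
        return ["203.0.113.1"]   # wildcard/broken zone: must not count as a listing
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, listed_on(ip, DNSBL_ZONES, fake_resolver), "reject" if should_reject(ip, fake_resolver) else "allow")
```

The 127.0.0.0/8 check matters in practice: a blacklist that shuts down sometimes has its domain taken over and wildcarded, and a filter that treats any answer as a listing would then reject all incoming mail.  Requiring agreement between several lists, as the 8-list setup described above effectively does, is the usual way to keep one list's mistakes from becoming your mail server's mistakes.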

Some new software is emerging to deal with spam in the Windows world: iHateSpam from Sunbelt Software, PureMessage from Sophos, and SpamButcher from SpamButcher.  We hope to give this package a look, as we have heard good things about it, but the web site does not say how it works.

Lorimer Network Research, Inc. is an Information Technology consulting company based in Ouray County, Colorado, and serves clients in Ouray, Ridgway, Telluride, Montrose, Denver and Colorado Springs.  Our local service covers Ouray County, Montrose County, Delta County and San Miguel County with highly qualified engineers who care deeply about our clients.