
sus4.net internet services

Attacking Spam

May 15, 2004

How We Fight Spam

As spam has become more and more of a problem, we are stepping up our efforts to protect you from this onslaught. We view spam as a serious problem for several reasons. First, spam wastes your and our time. While it doesn’t seem like much time to just “hit the delete key”, studies have shown this time is more than it might seem. Second, it wastes resources: disk storage and network bandwidth. Third, it is often offensive.

Our goal is to minimize the amount of spam you have to download while also minimizing the number of messages incorrectly identified as spam. This document describes how our spam fighting system works and how you can take advantage of it.

Our first stage of offense is to reject certain classes of mail outright at delivery time. Second, we have implemented server-side virus and spam scanning using a combination of clamav and SpamAssassin.

Identifying Spam and Viruses

Increasingly, evidence shows a very close tie between spammers and virus writers. Modern viruses are geared to give their writers control over infected computers. While there are exceptions, most of these “zombie” computers are controlled by spammers. Each infected computer can send tens of thousands of spam messages.

While we are attempting to help curb the flow of spam and viruses to you, local virus protection should not be overlooked. Good virus scanning on your local computer protects your own assets against exploitation.

Classifying spam is a game of cat and mouse. Spammers are clever people dedicating significant resources to defeating spam detection. SpamAssassin is a tool that uses many, many complex rules to determine the likelihood that a given message is spam. Each rule has a weighted score. Each message receives a score that is the sum of the scores of all the rules that match that message.

Our mail system allows each individual user to set the threshold at which a message is considered spam. The default is five. This is a fairly conservative number that is likely to produce few, if any, false positives.

Instead of delivering suspect mail to your inbox where you must download it and filter through it on your computer, we place the suspect message in a “quarantine”. Every other week, you will receive a digest of the messages we have identified as being spam or containing a virus. After scanning the digest, if you find any legitimate mail messages you can re-submit them for normal delivery. If you do nothing, quarantined mail messages will be deleted prior to the mailing of the next digest.
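To make the scoring and quarantine logic concrete, here is an added example (not sus4.net's code and not SpamAssassin's real rules): a handful of constructed weighted rules, a per-user threshold defaulting to five, and a verdict of inbox or quarantine. Rule names, weights and the sample messages are all made up for illustration.

```python
import re

# Constructed rule set in the spirit of SpamAssassin's weighted rules
# (example names and weights, not SpamAssassin's real ones). Negative
# weights lower the score, e.g. for a known correspondent's domain.
RULES = {
    "SUBJ_ALL_CAPS": (re.compile(r"^Subject: [A-Z0-9 !$]{12,}$", re.M), 1.5),
    "FREE_MONEY": (re.compile(r"\bfree money\b", re.I), 2.2),
    "CLICK_HERE": (re.compile(r"\bclick here\b", re.I), 1.8),
    "KNOWN_CORRESPONDENT": (re.compile(r"^From: .*@example\.com", re.M), -3.0),
}
DEFAULT_THRESHOLD = 5.0  # the conservative site-wide default from the text

def score_message(raw: str, rules=RULES):
    """Return (total, hits): every rule that matches adds its weight."""
    hits = {name: w for name, (pat, w) in rules.items() if pat.search(raw)}
    return round(sum(hits.values()), 2), hits

def classify(raw: str, user_threshold=None, rules=RULES):
    """Decide inbox vs. quarantine using the user's own threshold (default 5)."""
    threshold = DEFAULT_THRESHOLD if user_threshold is None else user_threshold
    total, hits = score_message(raw, rules)
    verdict = "quarantine" if total >= threshold else "inbox"
    return {"verdict": verdict, "score": total, "threshold": threshold,
            "hits": sorted(hits)}

# Constructed sample messages (raw RFC 822 text, headers then a blank line).
SPAM = ("From: promo@mailer.invalid\n"
        "Subject: FREE MONEY CLICK HERE NOW!!!\n\n"
        "Click here for free money.\n")
HAM = ("From: alice@example.com\n"
       "Subject: Lunch tomorrow?\n\n"
       "Click here for the menu: https://example.com/menu\n")

if __name__ == "__main__":
    print(classify(SPAM))                      # score 5.5 -> quarantine
    print(classify(SPAM, user_threshold=6.0))  # same mail, laxer user -> inbox
    print(classify(HAM))                       # score -1.2 -> inbox
```

Raising your personal threshold above five lets the same message through, which is exactly the trade-off between fewer false positives and more spam the text describes.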

We provide the ability for each mail user to adjust their preferences on filtering spam. For more information on how to find your quarantined mail or adjust your settings, see our HOWTO.

Rejecting Illegitimate Mail

Instead of just trying to identify mail as either spam or not spam, we try to identify where spam comes from. Spam comes from several sources: dynamic IP addresses, open relays, and ISPs that are known to harbor spammers.

In the “good ol’ days”, it was possible to do web and mail hosting out of your basement using nothing but a modem, a spare phone line, and an unlimited Internet account. In fact, Sus4.net got its beginnings in such a humble arrangement. Sadly, those days are gone forever. Spammers have killed the possibility of hosting a mail server over dynamic IP addresses. It’s too easy to hide behind dynamic IP addresses and get away with sending millions of messages. Today, those of us interested in avoiding spam can only accept mail from identifiable sources. That means a static IP address. In addition to spammers using dynamic IP addresses to send mail, email-borne viruses typically also come from dynamic IP addresses.

We use a service called The Dynamic User and Host List to determine if mail we are receiving is from a dynamic IP. This is a list maintained by the IP netblock owners. The Internet Service Providers who provide dialup and dynamic IP allocation identify which IP addresses they use for this service. No attempt is made to guess which IP addresses are dynamic. It is maintained entirely by hand. If you have examples of legitimate mail that is being rejected due to this policy, contact us for assistance.

An “open relay” is a legitimate mail server that can be manipulated into sending illegitimate mail. Most of the time open relays are due to server misconfiguration. Sometimes viruses can make a system an open relay. Usually though, viruses only allow specific individuals to exploit the backdoor. Open relays, due to their misconfiguration, allow anyone to exploit the backdoor. We use SORBS to determine which hosts are open relays. Their service only lists hosts that can demonstrably be shown to send illegitimate mail. They have a series of tests for known misconfigurations. If a server fails one of their tests it gets listed. Once the server can be shown to no longer fail the test it is removed from the list. We believe this is a fair process.

Finally, we also reject mail delivered “incorrectly”. This means that the mail server delivering the mail to our server must follow the proper protocols. Many spammers (and viruses) abuse the protocol in order to make their mail appear more legitimate. While we don’t require absolutely strict adherence, due to some older mail servers’ sloppy conformance, we do require the server to properly identify itself before delivering mail.
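An added example (not sus4.net's code) of what the rejection stage described in the last three sections looks like at SMTP time: it reverses the connecting IP's octets to form a DNS blocklist query name, consults a dynamic-IP list and an open-relay list, and checks that the HELO/EHLO argument identifies the sender as a hostname or address literal. The zone names are assumptions to confirm against the list operators' documentation, "properly identify itself" is interpreted here as a syntactically valid HELO, and the resolver and listing are constructed so the code runs offline.

```python
import ipaddress
import re
import socket

# Assumed DNSBL zones (confirm with the list operators): first the Dynamic
# User and Host List, then the SORBS open-relay list the page describes.
DNSBL_ZONES = {
    "dul.dnsbl.sorbs.net": "dynamic IP address (DUHL)",
    "dnsbl.sorbs.net": "listed open relay (SORBS)",
}
# A HELO argument should be a fully qualified hostname (or an address literal).
HELO_FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets: 203.0.113.5 in zone z becomes 5.113.0.203.z"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def helo_is_valid(helo: str) -> bool:
    """Accept 'mail.example.net' or '[203.0.113.5]'; reject bare words."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return True
        except ValueError:
            return False
    return HELO_FQDN.match(helo) is not None

def smtp_policy(client_ip: str, helo: str, resolve):
    """resolve(name) returns the A records for a DNSBL query (a 127.0.0.x
    answer means 'listed') or [] when the name does not exist.
    Returns the (code, text) SMTP reply to send before accepting any mail."""
    if not helo_is_valid(helo):
        return 550, f"5.7.1 HELO {helo!r} does not identify your server"
    for zone, reason in DNSBL_ZONES.items():
        if resolve(dnsbl_name(client_ip, zone)):
            return 550, f"5.7.1 {client_ip} rejected: {reason}"
    return 250, "OK"

def real_resolve(name: str):
    """Live lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []

# Constructed stand-in resolver: pretend 203.0.113.5 sits on the dynamic list.
CONSTRUCTED_LISTINGS = {"5.113.0.203.dul.dnsbl.sorbs.net": ["127.0.0.10"]}
def fake_resolve(name: str):
    return CONSTRUCTED_LISTINGS.get(name, [])
```

Pass real_resolve instead of fake_resolve to query the lists for a real connecting address; a listed host gets a 550 reply with the reason, which is what the sending administrator will see in their bounce and can act on.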

We do try to work with other system administrators to correct any issues they may have on their mail servers. In most cases, the administrator is cooperative and the issue is resolved quickly in order to expedite mail delivery as much as possible for our clients. Contact us for assistance.