Administrators View of Spam

April 6, 2012

The actual definition of spam (electronic) from Wikipedia:

“Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social networking spam, television advertising and file sharing network spam. It is named for Spam, a luncheon meat, by way of a Monty Python sketch in which Spam is included in almost every dish.

Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. In the year 2011, the estimated figure for spam messages is around seven trillion. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming has been the subject of legislation in many jurisdictions.”[1]

My definition is:

Email messages sent as marketing from a company (real or not) that you did not authorize to market to you. Personal messages from people you don’t know are also spam. Most of these are attempts at phishing. Phishing is any approach used to trick or coerce a person into giving up information they normally would not. Most of the time it is personal in nature – a password, SSN, address or something similar.

Required for outgoing mail service:

1. The mail server's hostname is registered in DNS and resolves to a static IP address.
2. There is a valid reverse DNS (PTR) record, maintained at the ISP, for the mail server's address.
3. The domain's MX records point to your mail server.
4. The SPF record you create authorizes your mail server to send mail for the domain.
5. Your server is configured to disallow open relaying, so it cannot be abused as an open relay.
6. The server is not listed by any block list provider service.
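As an added illustration, not code from the original post, the following Python checks items 1 through 4 of this list against a constructed DNS table that stands in for live lookups. The hostname, addresses and SPF record are invented sample values; whether the address is actually static cannot be tested offline and is left to the administrator.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (sample names and addresses).
DNS = {
    "A":   {"mail.example.com": "203.0.113.10"},
    "PTR": {"203.0.113.10": "mail.example.com"},
    "MX":  {"example.com": ["mail.example.com"]},
    "TXT": {"example.com": ["v=spf1 ip4:203.0.113.0/28 mx -all"]},
}

def spf_result(record, ip, domain, dns=DNS):
    """Tiny SPF evaluator: ip4/ip6/a/mx/all mechanisms with the +, -, ~, ? qualifiers."""
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qual = term[0] if term[0] in verdict else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain                 # a/mx default to the checked domain
        if mech in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = dns["A"].get(target) == ip
        elif mech == "mx":
            hit = any(dns["A"].get(h) == ip for h in dns["MX"].get(target, []))
        elif mech == "all":
            hit = True
        else:
            continue                           # include/exists/ptr are not modelled here
        if hit:
            return verdict[qual]
    return "neutral"                           # no mechanism matched

def outgoing_mail_checks(host, domain, dns=DNS):
    """Items 1-4 of the checklist; whether the address is static cannot be tested offline."""
    ip = dns["A"].get(host)
    spf = [r for r in dns["TXT"].get(domain, []) if r.startswith("v=spf1 ")]
    return {
        "forward_dns":    ip is not None,
        "reverse_dns":    ip is not None and dns["PTR"].get(ip) == host,   # PTR matches A
        "mx_points_here": host in dns["MX"].get(domain, []),
        "spf_authorizes": ip is not None and bool(spf)
                          and spf_result(spf[0], ip, domain, dns) == "pass",
    }

if __name__ == "__main__":
    for check, ok in outgoing_mail_checks("mail.example.com", "example.com").items():
        print(f"{check:15} {'OK' if ok else 'FAIL'}")
```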

Email Marketing Rules.

1. Mail should include a method for users to remove themselves from your mailing list, and it needs to work.

Does your organization still get a ton of spam?

Mail administrators should consider using SPF in addition to reverse DNS lookups and other IP validations. Also employ mail delaying (greylisting) for new “conversations” into your organization. Configure the server to reference block list providers such as cbl.abuseat.org or dnsbl.njabl.org. spammonkey.com has a very fast turnaround and can identify the type of internet service behind the originating IP address; if that address is not a properly set up static connection, the mail will be rejected when you use their RBL. There are many others. Purchase mail-server-enabled anti-spam software such as Trend Micro messaging security. It directs otherwise unblocked greyware to the users' junk folders, cutting down on your work trying to find blocked mail that should have come in. Greyware is spam that originates from a mail server that appears to meet all of the requirements for a valid outgoing mail server; the messages you receive are nevertheless unsolicited. Whichever solution you choose, make sure of the following:

  • There is temporary storage of blocked mail.
  • It is possible to create reports on blocked messages.
  • It provides message recovery options for blocked mail.
  • White Lists for keywords, domains, email addresses and IP locations to guarantee delivery from known locations (with badly configured mail services!).
  • Black Lists for keywords, domains, email addresses and IP locations to filter out previously seen examples of spam.
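The block list lookup and the mail delaying described above, as an added Python example that is not from the original post. The DNSBL answers come from a constructed table standing in for real DNS queries, and the listed address is a sample value; the zone name is the one the post mentions.

```python
import time

DNSBL_ZONE = "cbl.abuseat.org"
# Constructed DNSBL answers standing in for real queries (sample address, not a real listing).
FAKE_DNSBL = {"10.113.0.203.cbl.abuseat.org": "127.0.0.2"}

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """A DNSBL is queried by reversing the IPv4 octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, lookup=FAKE_DNSBL.get):
    """Any answer inside 127.0.0.0/8 means 'listed'; no answer (None) means clean."""
    answer = lookup(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.")

class Greylist:
    """Mail delaying: a never-seen (ip, sender, recipient) triplet gets a temporary
    4xx reject; a real MTA retries after a while and is then accepted, while most
    spam engines never come back."""

    def __init__(self, delay=300, ttl=36 * 3600):
        self.delay, self.ttl = delay, ttl
        self.first_seen = {}   # triplet -> timestamp of the first attempt

    def decide(self, ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        # Forget triplets that never retried so the table does not grow forever.
        self.first_seen = {k: t for k, t in self.first_seen.items() if now - t < self.ttl}
        key = (ip, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "451 4.7.1 Greylisted, try again later"
        return "250 OK"

def smtp_policy(ip, sender, recipient, greylist, lookup=FAKE_DNSBL.get, now=None):
    """Order matters: a listed host is rejected outright and never gets a greylist slot."""
    if is_listed(ip, lookup):
        return "554 5.7.1 Client host %s is listed on %s" % (ip, DNSBL_ZONE)
    return greylist.decide(ip, sender, recipient, now)

if __name__ == "__main__":
    g = Greylist(delay=300)
    print(smtp_policy("203.0.113.10", "a@example.org", "b@example.com", g, now=1000))
    print(smtp_policy("198.51.100.7", "a@example.org", "b@example.com", g, now=1000))
    print(smtp_policy("198.51.100.7", "a@example.org", "b@example.com", g, now=1400))
```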

So you ask – how the heck did they get my email address? I never shared it… Some attackers actually poll the mail server via telnet with hidden commands to the mail service. If a lot of unencrypted mail traffic goes to your server, they could sniff it off the wire without too much effort.

Have a look at the image below. This is greyware. The sending server of this spam passes SPF and appears to be valid. My user tried to unsubscribe, but it still keeps coming in. So I looked up the IP and found it inside the US.

My options are to block the IP (preferably at my server's firewall), filter the keywords in the subject, and add the domain to a black list.

I like to go one step further. If I see that the mail originated outside the country, I use subnet blocking, which blocks that entire network. I prefer to do this using CIDR notation. Subnet blocking covers millions of addresses in one shot. This network is stateside, so I did not block it.
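The three responses just listed (block the IP or its whole subnet in CIDR notation, filter subject keywords, black-list the domain), together with the white list that keeps known but badly configured senders deliverable, as an added Python example that is not from the original post. The rule lists and the sample message are constructed values.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed rule lists (sample values, not the post's real filters).
WHITE_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # known partner with a badly configured mail service
BLACK_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # whole subnet blocked in CIDR notation
BLACK_DOMAINS = {"deals-example.invalid"}
BLACK_SUBJECT_WORDS = ("limited offer", "act now")       # tuple keeps the match order predictable

def classify(raw_message, client_ip):
    """Return ('deliver' | 'block', reason). The white list is checked first so that
    mail from known but badly configured senders is never lost to a later rule."""
    msg = message_from_string(raw_message)
    ip = ipaddress.ip_address(client_ip)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    for net in WHITE_NETS:
        if ip in net:
            return "deliver", "white-listed network %s" % net
    for net in BLACK_NETS:
        if ip in net:
            return "block", "black-listed network %s" % net
    if sender_domain in BLACK_DOMAINS:
        return "block", "black-listed domain %s" % sender_domain
    for word in BLACK_SUBJECT_WORDS:
        if word in subject:
            return "block", "subject keyword %r" % word
    return "deliver", "no rule matched"

# Constructed sample message resembling the greyware described above.
SAMPLE = """From: "Great Deals" <promo@deals-example.invalid>
To: user@example.com
Subject: Limited offer ends tonight

Click here to claim your prize.
"""

if __name__ == "__main__":
    print(classify(SAMPLE, "203.0.113.5"))   # blocked on the sender's domain
    print(classify(SAMPLE, "192.0.2.9"))     # white list wins over every black list
```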

What about webmail (gmail or hotmail)?

From a personal standpoint, say with Gmail or Windows Live, use strict mail filtering that allows only mail from your contact list into your inbox. Then monitor the junk folder for everything else. Skim the junk folder for important items. If you find something, move it to the inbox and add the sender to your contact list. When you're done, empty the junk folder.

If you are tech savvy, use an anti-spam proxy between your mail client and your mail provider. You configure your mail provider to allow POP and SMTP access. Then you configure the proxy to check the mail for you. Finally, set your mail client to check the proxy. Let it do the work. If a bad piece comes through, you send it back to the proxy's “spam” address to report the situation. It takes care of that problem. If a good email gets blocked, look at the reports and recover it. Then reclassify the message to the white list.

With spam there is no magic cure. You can spend thousands on spam prevention. But don't. Be smart and vigilant.

Midnightech.