Are you getting buried in a never-ending deluge of spam? Do you feel
"spam rage" any time a piece of spam makes it through your anti-spam
filters? I know I do. I loathe spam and spammers more than just about
anything I can think of, even more than those morons who blow through red
lights, block the intersection, and cause me to wait another turn at the
light. Yep, my road rage has nothing on my spam rage!
As CTO at TMC, I've been challenged
to block and filter spam without blocking legitimate e-mail from our
employees. Without a doubt there is a "productivity hit" every time an
employee is distracted by a spam e-mail. There have been countless studies
on the number of minutes or hours wasted each day, so I won't go into that.
Besides, as someone who receives over 200 spam messages each day, I speak
from personal experience that spam kills my daily productivity.
I tried implementing a spam filtering gateway on our corporate network
from Elron Software a couple of years ago, but unfortunately, the filtering
algorithm left a lot to be desired. First, it would only allow for Boolean
"OR" logic and not Boolean "AND" logic. Thus, if I wanted to filter on
"increase your member," it would have a "match" if any e-mail had the word
"increase," "your," or the word "member," when really what I wanted was a
match if the e-mail contained ALL of those words in that specific order.
Supposedly, if you adjusted the scoring, it would only score a match if it
saw two or more keywords, but this didn't work as advertised.
The software also had some performance issues on our network that caused
e-mails to be delayed and worse -- some even disappeared. There was a heavy
user backlash against the filtering software, and I was forced to take the
e-mail filtering gateway offline.
I learned some valuable lessons from the failed experiment with
implementing a corporate-wide e-mail filtering solution. First, users are
very territorial when it comes to their e-mail. Many users would rather wade
through 100 spam messages a day than take the chance that even a single
legitimate e-mail might be blocked.
Well, a couple of years had passed, and after my very sour experience with
Elron Software, I was very hesitant to implement another corporate-wide spam
filtering solution. As "stop gap" measures, I did implement client-side
PC-based spam filtering using Outlook filters as well as anti-spam software
such as Sunbelt Software's iHateSpam, McAfee's SpamKiller, or Cloudmark's
SpamNet. These worked quite well, but weren't perfect, especially since they
are a "distributed" solution rather than a "centralized" one.
Most spam filtering solutions merely move spam to a "quarantine folder,"
which means users still have to scan 50-200 Subject fields and From fields
per day to determine whether or not to open the e-mail. While still an
improvement over no filtering at all, I would rather that dubious messages
get deleted outright before being delivered to the user. Many of these
solutions also offer the option to delete the e-mail outright, but without
knowing the exact inner workings of their filtering, I'm hesitant to ask
users to set up their spam filters to delete suspect spam e-mail outright.
Blacklists
I was well aware of blacklists that contain lists of IP addresses (and
domains) of known spammers, but was hesitant to implement any sort of
blacklist within our organization since often these lists are arbitrary and
sometimes innocent bystanders get caught in the crossfire. MAPS (SPAM
spelled backwards) (http://mail-abuse.org/rbl/)
was perhaps the most well known RBL (Realtime BlackList) and most utilized
until they changed from "free" to a "fee-based" subscription model. They
even patented the term "RBL," which is why the politically correct term is
now DNSBL (DNS-based Black List) spam database.
So how does it work? Essentially, when any e-mail comes in, your mail
server queries the blacklist by performing a DNS lookup. If the IP address
of the mail server trying to send you e-mail is in the database, a value is
returned telling your mail server that the incoming e-mail is from a known
spam IP address. The mail server can then terminate its connection with the
remote e-mail server trying to send the message, with the added benefit of
not wasting bandwidth receiving the spam e-mail. Your mail server has to
support DNSBL lists. Linux's Sendmail has had native support for quite some
time, and Microsoft Exchange Server 2003 now also supports DNSBL. If you
haven't upgraded to Exchange 2003, no worries: you can install an add-on
called ORFilter via
http://martijnjongen.com/eng/ which works with Exchange Server 2000. For
home users with a standard POP3 client, you can try
http://www.spampal.org/ which is a
freeware utility that sits between your e-mail client and your mailbox and
tags the e-mail using DNSBL lists.
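The lookup described above, as an added example that is not from the article or from any of the products it mentions: the sender's IP octets are reversed, the DNSBL zone is appended, and an A-record answer in 127.0.0.0/8 means "listed." The zone name `dnsbl.example`, the listing codes, and the in-memory resolver are constructed so the code runs offline; `live_resolve` shows the same query against the real system resolver.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Constructed zone name for this example; a real deployment uses the zone
# the DNSBL operator publishes, and the meaning of each 127.0.0.x code
# comes from that operator's documentation.
DNSBL_ZONE = "dnsbl.example"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the four octets and append the zone:
    192.0.2.10 -> 10.2.0.192.dnsbl.example (ValueError on a bad address)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS so the example runs offline. A name that is
# absent here behaves like NXDOMAIN, i.e. the address is not listed.
FAKE_ZONE = {
    "10.2.0.192." + DNSBL_ZONE: "127.0.0.2",
    "25.2.0.192." + DNSBL_ZONE: "127.0.0.3",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


def live_resolve(name: str) -> Optional[str]:
    """Real A lookup through the system resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_listing(ip: str, zone: str = DNSBL_ZONE,
                  resolve: Callable[[str], Optional[str]] = fake_resolve) -> Optional[str]:
    """Return the listing code if ip is listed, else None. Answers outside
    127.0.0.0/8 are ignored: a dead or wildcarded zone would otherwise make
    every sender look listed and reject all inbound mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    try:
        listed = answer is not None and \
            ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        listed = False
    return answer if listed else None


def smtp_connect_decision(sender_ip: str, resolve=fake_resolve) -> str:
    """Receiving MTA's decision when the sending server connects: a listed
    source is refused before the message body is ever transferred."""
    code = dnsbl_listing(sender_ip, resolve=resolve)
    return "220 accept" if code is None else f"554 reject: {sender_ip} listed in {DNSBL_ZONE} ({code})"
```

Swap `resolve=live_resolve` and a published zone name into `smtp_connect_decision` to run the same check against a real list.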
One popular DNSBL black list is run by Blars (http://www.blars.org/errors/block.html),
and he answers the following question, "How do I get off the blacklist?"
with "You don't. Don't bother." Wow, don't get on Blars' bad side! In fact,
on Blars' site, he writes, "In general, an entire netblock is added rather
than just a single IP or customer of a larger ISP. (For example, if hugeisp
has a /16 that they allocate a single /24 to spam customer, the /16 will be
listed rather than just the /24.) An entire ISP may be added if they show a
pattern of rejecting valid spam complaints for invalid reasons." His
aggressive blocking of ISPs that permit spammers to prosper has me cheering
him on, "Go Blars!! Go Blars!"
Unfortunately, his list is probably too "aggressive" to use on our corporate
network, since we have incoming sales inquiries and such from all over the
world. There are, however, more conservative DNSBL lists that are very
accurate and can easily block 90-95 percent of spam. Such lists include the
Open Relay Database (www.ordb.org), which
contains a free list of open relay servers known to allow spammers to send
spam through. Another list, Spamhaus (www.spamhaus.org),
is a free realtime DNS-based database of IP addresses of verified spam
sources (including spammers, spam gangs and spam support services).
According to Spamhaus' Web site, the Spamhaus Block List (SBL) is used by a
number of the world's backbones, many large tier-1 providers and ISPs in all
countries, by a number of U.S. and European government and military
networks, and a number of giant free e-mail providers. They claim to be
protecting a user base calculated in July 2003 to be approximately 120
million users.
Another useful site is www.openrbl.org,
which allows you to query multiple DNSBL lists to see if your company's IP
address(es) are listed on any blacklists, which is important to know since
customers may not be able to reach you. Another good site for querying
multiple blacklists is
www.moensted.dk/spam. A good site for finding a comprehensive list of
DNSBL sites is
http://www.declude.com/junkmail/support/ip4r.htm.
In the past, with so much annoying spam, it often made me (together with my
MIS colleagues) feel like Aragorn, Legolas, and Gimli when they are
surrounded and attacked by a seemingly never-ending wave of Orcs, Uruks, and
Ringwraiths. Fortunately, just as Gandalf came to the rescue at Helm's Deep
and turned the tide, I feel as though DNSBL has helped me win an important
battle against spam, as my spam has been reduced by about 95 percent.
Tom Keating is CTO of Technology Marketing Corporation and the
executive technology editor of TMC Labs. He can be reached at
tkeatingtmcnet.com.
[ Return To The February 2004 Table Of Contents ]