 

Cc:
February 2004


Tom Keating

Are You Feeling Spam Rage?

BY TOM KEATING


Are you getting buried in a never-ending deluge of spam? Do you feel "spam rage" any time a piece of spam makes it through your anti-spam filters? I know I do. I loathe spam and spammers more than just about anything I can think of, even more than those morons that blow through red lights, block the intersection, and cause me to wait another turn at the light. Yep, my road rage has nothing on my spam rage!

As CTO at TMC, I've been challenged to try and block and filter spam without blocking legitimate e-mail from our employees. Without a doubt there is a "productivity hit" every time an employee is distracted by a spam e-mail. There have been countless studies on the number of minutes or hours wasted each day, so I won't go into that. Besides, as someone who receives over 200 spam messages each day, I speak from personal experience that spam kills my daily productivity.

I tried implementing a spam filtering gateway onto our corporate network from Elron Software a couple of years ago, but unfortunately, the filtering algorithm left a lot to be desired. First, it would only allow for Boolean "OR" logic and not Boolean "AND" logic. Thus, if I wanted to filter on "increase your member," it would have a "match" if any e-mail had the word "increase," "your," or the word "member," when really what I wanted was a match if the e-mail contained ALL of those words in that specific order. Supposedly, if you adjusted the scoring, it would only score a match if it saw two or more keywords, but this didn't work as advertised.

The software also had some performance issues on our network that caused e-mails to be delayed and worse -- some even disappeared. There was a heavy user backlash against the filtering software, and I was forced to take the e-mail filtering gateway offline.

I learned some valuable lessons from the failed experiment with implementing a corporate-wide e-mail filtering solution. First, users are very territorial when it comes to their e-mail. Many users would rather wade through 100 spam messages a day than take the chance that even a single legitimate e-mail might be blocked.

Well, a couple of years had passed and after my very sour experience with Elron Software, I was very hesitant to implement another corporate-wide spam filtering solution. As "stop gap" measures, I did implement client-side PC-based spam filtering using Outlook filters as well as anti-spam software such as Sun-Belt Software's iHateSpam, or McAfee's SpamKiller, or Cloudmark's Spamnet, which worked quite well, but weren't perfect, especially since it was more of a "distributed" solution than a "centralized" one.

Most spam filtering solutions merely move spam to a "quarantine folder," which means users still have to scan 50-200 Subject fields and From fields per day to determine whether or not to open the e-mail. While still an improvement over no filtering at all, I would rather that dubious messages get deleted outright before being delivered to the user. Many of these solutions also offer the option to delete the e-mail outright, but without knowing the exact inner workings of their filtering, I'm hesitant to ask users to set up their spam filters to delete suspect spam e-mail outright.

Blacklists
I was well aware of blacklists that contain lists of IP addresses (and domains) of known spammers, but was hesitant to implement any sort of blacklist within our organization since often these lists are arbitrary and sometimes innocent bystanders get caught in the crossfire. MAPS (SPAM spelled backwards) (http://mail-abuse.org/rbl/) was perhaps the most well known RBL (Realtime BlackList) and most utilized until they changed from "free" to a "fee-based" subscription model. They even patented the term "RBL" which is why the politically correct term is now DNSBL (DNS-based Black List) spam database.

So how does it work? Well, essentially, when any e-mail comes in, your mail server queries the blacklist by performing a DNS lookup. If the IP address of the mail server trying to send you e-mail is in the database, a value is returned telling your mail server that the incoming e-mail is from a known spam IP address. The mail server can then terminate its connection with the remote e-mail server trying to send the message, with the added benefit of not wasting bandwidth receiving the spam e-mail. Your mail server has to support DNSBL lists. Linux's SendMail has had native support for quite some time, and Microsoft Exchange Server 2003 now also supports DNSBL. If you haven't upgraded to Exchange 2003, no worries, you can install an add-on called ORFilter via http://martijnjongen.com/eng/ which works with Exchange Server 2000. For home users with a standard POP3 client, you can try http://www.spampal.org/ which is a freeware utility that sits between your e-mail client and your mailbox and tags the e-mail using DNSBL lists.

One popular DNSBL black list is run by Blars (http://www.blars.org/errors/block.html) and he answers the following question, "How do I get off the blacklist?" with "You don't. Don't bother." Wow, don't get on Blars' bad side! In fact, on Blars' site, he writes, "In general, an entire netblock is added rather than just a single IP or customer of a larger ISP. (For example, if hugeisp has a /16 that they allocate a single /24 to spam customer, the /16 will be listed rather than just the /24.) An entire ISP may be added if they show a pattern of rejecting valid spam complaints for invalid reasons." His aggressive blocking of ISPs that permit spammers to prosper has me cheering him on, "Go Blars!! Go Blars!"
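The DNS lookup described above, and the effect of listing a whole /16 instead of a single /24, as an added example that is not from the original column or from any of the products it names. The zone names under dnsbl.example, the 10.20.x.x addresses and the SMTP reply text are constructed for illustration, and a fake resolver stands in for DNS so the sketch runs offline.

```python
import ipaddress
import socket

LISTED = ipaddress.IPv4Network("127.0.0.0/8")  # a DNSBL signals "listed" with a 127.x.y.z answer

def dnsbl_query_name(ip, zone):
    """Name the mail server looks up: the sender's octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Live A-record lookup. No answer (or a DNS failure) is treated as 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_sender(ip, zones, resolve=system_resolver):
    """Return (smtp_reply, matching_zone) for a connecting server's IP address."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Answers outside 127.0.0.0/8 are not listings and must not cause a reject.
        if answer and ipaddress.IPv4Address(answer) in LISTED:
            return "554 5.7.1 %s is listed in %s" % (ip, zone), zone
    return "250 OK", None

def make_fake_resolver(listings):
    """Offline stand-in for DNS. listings maps zone -> listed CIDR blocks (constructed data)."""
    def resolve(name):
        for zone, cidrs in listings.items():
            if name.endswith("." + zone):
                reversed_ip = name[: -len(zone) - 1].split(".")
                ip = ipaddress.IPv4Address(".".join(reversed(reversed_ip)))
                if any(ip in ipaddress.IPv4Network(c) for c in cidrs):
                    return "127.0.0.2"
        return None
    return resolve

# Constructed data: the same spam source listed narrowly (/24) and as a whole netblock (/16).
FAKE_DNS = make_fake_resolver({
    "narrow.dnsbl.example": ["10.20.30.0/24"],
    "netblock.dnsbl.example": ["10.20.0.0/16"],
})

if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.99.7"):  # spam source, unrelated neighbour in the same /16
        for zone in ("narrow.dnsbl.example", "netblock.dnsbl.example"):
            print(ip, zone, check_sender(ip, [zone], FAKE_DNS)[0])
```

The unrelated neighbour at 10.20.99.7 is accepted against the /24 listing and rejected against the /16 listing, which is the bystander effect that makes netblock-level lists risky for a server that must accept mail from unknown senders.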

Unfortunately, his list is probably too "aggressive" to use in our corporate network, since we have incoming sales inquiries and such from all over the world. There are, however, more conservative DNSBL lists that are very accurate and can easily block 90-95 percent of spam. Such lists include the Open Relay Database (www.ordb.org) that contains a free list of open relay servers known to allow spammers to send spam through. Another list, Spamhaus (www.spamhaus.org), is a free realtime DNS-based database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services). According to Spamhaus' Web site, SpamHaus' Block List (SBL) is used by a number of the world's backbones, many large tier-1 providers and ISPs in all countries, by a number of U.S. and European government and military networks, and a number of giant free e-mail providers. They claim to be protecting a user base calculated in July 2003 to be approximately 120 million users.

Another useful site is www.openrbl.org, which allows you to query multiple DNSBL lists to see if your company's IP address(es) are listed on any blacklists, which is important to know since customers may not be able to reach you. Another good site for querying multiple blacklists is www.moensted.dk/spam. A good site for finding a comprehensive list of DNSBL sites is http://www.declude.com/junkmail/support/ip4r.htm.

In the past with so much annoying spam, it often made me (together with my MIS colleagues) feel like Aragorn, Legolas, and Gimli when they are surrounded and attacked by a seemingly never-ending wave of Orcs, Uruks, and Ringwraiths. Fortunately, just as Gandalf came to the rescue at Helm's Deep and turned the tide, I feel as though DNSBL has helped me win an important battle against spam as my spam has been reduced by about 95 percent.

Tom Keating is CTO of Technology Marketing Corporation and the executive technology editor of TMC Labs. He can be reached at tkeating@tmcnet.com.
