Protection against SPAM
Black and white lists

Easy advice, follow these 10 Rules and you will definitively not get blacklisted by us or our Members:

1. DO NOT HARVEST email addresses on the web.

2. DO NOT BUY EMAIL ADDRESSES from anyone.

3. DO NOT SELL EMAIL ADDRESSES to anyone.

4. DO NOT TRY to relay email on hosts that the owner has not granted you signed written permission allowing you to do so.

5. If you are running a mailing list, be sure that users who would like to subscribe have to CONFIRM-OPT-IN

6. AUTOMATICALLY UNSUBSCRIBE EMAIL ADDRESSES that have a failure (e.g. 550) when your server tries to deliver.

7. DO NOT THINK it is acceptable to send OPT-OUT MAILS. OPT-OUT is ILLEGAL in many countries and becoming the global standard.

8. If you need to send the same email to more than 1 Recipient DO NOT put all the recipients in TO or CC, be professional and use BCC instead or 'crack' the list so each recipient receives his/her own individual email.

9. If you have a dynamic / dialup account (Modem, ISDN, CABLE or DSL) use your ISP's email server as a smarthost.

10. DO NOT think SPAMMING is a business - It has no future.

Spam Database Query

Anti-spam security Tools & Techniques

Email security solutions should be able to use various defence in depth technologies when analysing harmful email messages. These include common defence mechanisms addressing many of the connection based and content based attacks, as well as other security aspects.

The following information below provides the most common connection based and content based controls, anti-spam solutions use to protect organisations from email based threats.

Connection based controls

The following provides examples of connection based controls:

Denial of service protection – protection against DOS attacks.

Rate control – controls how many connections are permitted from the same IP address. This is a subset to DOS protection.

Sender authentication – validating and authenticating the sender using techniques such as reverse DNS look up, SPF, and anti-spoofing techniques.

Recipient Verification – protection against directory harvesting attacks using techniques such as verifying users against an LDAP server and ensuring RFC compliant emails.

SPF Sender Policy Framework and Sender ID Validation – if SPF records of the connecting host exist, then these would be checked to validate that the email is coming from where it is supposed to come from, verifying the sender address and preventing spoofed email.

Greylisting – greaylisting will reject the connection temporarily. The originating server will retry sending the email message after a short period. Spam botnets are not capable of or do not tend to retry to send an email message that has already been rejected, where legitimate email servers do retry.

Real time IP Blocklist – the connection will be checked against RBL servers to determine whether the connecting IP is a known or a suspected spam originating IP address.

BATV (Bounce address tag validation) Address validation – validating bounce back messages ensuring it is a legitimate bounce back.

Validate sender domain – reverse DNS lookup is performed against the connecting host.

Blacklisting – blacklisting a host name, IP address, domain name or email address so that the source is not able to send any email messages. With blacklisting, wildcards can be used to simplify the process. For example if you wanted to block a list of IP addresses in the 192.168.1.0 255.255.255.0 address range, you can type the wildcard 192.168.1.*

Whitelisting – whitelisting against a host name, IP address, domain name or email address, to ensure the source is able to send email messages.

Directory Harvesting Protection – detecting invalid recipients per connection in order to detect and block directory harvesting attacks.

LDAP Integration – by integrating the anti-spam security solution with an LDAP server, the anti-spam service would accept and process only valid recipients living within the LDAP database, though dropping all other invalid recipients, where there is no account on the LDAP server.

Content based controls

The following provides examples of content based controls:

Anti-virus Engine – content is checked for viruses. Some anti-spam security solutions support the use of multiple anti-virus engines. Having this facility enables a proxy to consist of two different anti-virus software packages, where if one fails to pick up a virus, chance are, the other anti-virus engine may pick it up.

Anti-spyware Engine – content checked for spyware.

URL Blocklist – the content of the email message is checked for any URL's registered with a URL database. These URL's within a database would have been previously identified as spam sources.

Anti-spam signature database – email message signature is checked to see if one matches within a database of signatures. If matched, then the email message would be classified as spam.

Detection of malformed messages/attachments – the detection of deliberate malformed email messages that are usually used for DOS attacks.

Blocking file types (*.vbs, *.exe, etc) – blocking of certain files.

Defined files to be blocked by checksum – using a checksum to define which files should be blocked. Blocking file types by file names can prove to be vulnerable because users just change the filename to bypass the system, hence the requirement to use checksums.

Compress or strip attachments by size or type – delivery of email, however stripping of large or dangerous files.

Stripping of active HTML code from an email – delivery of the email, however removal of links that could potentially lead to dangerous websites.

Blocking via MIME types (Multi-Purpose Mail Extensions) – blocking of images, video, music and other MIME type content within an email.

Percentage of HTML in message – if too much HTML is found within an email, it signifies a very spam looking email and some proxies, depending on how they are configured, may quarantine or tag the message.

If a message contains an unsubscribe link – another example of using regular expressions.

Bayesian Analysis – is used to determine the probability of an email message being spam using the Bayesian algorithm.

Image analysis – used to analyse images within the body of the message. Images such as pornography are dropped or quarantined. Also attachments can be scanned for images.

Off hour's delivery – large emails taking bandwidth and resources can be parked for delivery out of hours when network usage is at its lowest.

Expression Lists / Dictionaries – to look for within email headers, subject or body of the email message for certain words, expressions, and sentences. If there are any matches, perform an action which should be dictated by by the organisations security policy. For example you can configure your email security solution if the statement, "Buy Viagra" or any words containing profanity are detected in an email message, the email is quarantined.

Rule based spam scoring – anti-spam security solutions will have their way of assigning an email message an overall spam score, depending on the overall characteristics and behaviour of the message and sender. If this score is above a threshold, then a certain action will be applied, such as blocking the message. If the threshold is not met, another certain action can be applied, such as permitting the message to be delivered to the end user. Sometimes anti-spam solutions have an assignment in between, where if an email has scored around the boundaries of a threshold, a certain action will be applied, such as tag the message as suspicious spam, and further analysis is applied to the message.

With most anti-spam solutions, an email message is checked against connection based defence methods and then content based defence rules. This makes sense, because connection based control methods, as discussed above; provide a first line of defence from attacks such as denial of service attacks. There is no point breaking messages down and undertaking content based checks, if its then blocked because it's part of a denial of service attack. Content based scanning can be quite heavy on the CPU and therefore should be done as the final verification after all the other security inspection checks.