Methods for Stopping Spam

James Lick jlick@drivel.com

AOL blocks 780,000,000 spams each day (Feb 2003)

I am sent ~900 spams each day (Jan 2003)

The Problem
Methods for Stopping Spam
  • Security
  • Policy Enforcement
  • Blocking
  • Filtering
  • Avoidance

No method will block all spam

Every method will sometimes block real mail

Spammers always get more aggressive

These tools are just a sample

Combining tactics works best

Blocking/Filtering hides extent of problem

Security
  • Make sure you aren't part of the problem
  • Check infrastructure and customers:
    • Open relays
    • Open proxies
    • Use of latest security patches
  • A lot of spam is sent through security holes
  • Notify authorities for extreme cases
Policy Enforcement
  • Have a reasonable AUP
  • Have users agree to it (legal contract)
  • Enforce it!
    • This is a contract; lack of a spam law is no excuse
    • Don't give second chances too easily
  • Respond to complaints
Policy Enforcement (cont)
  • If you get a reputation for being soft on spam:
    • You will get more spamming customers!
    • Your mail will be blocked more and more
    • You lose customers
    • You go out of business
  • The earlier you address problems, the easier it is to solve
  • Policy enforcement is an ongoing responsibility
Blocking
  • Bad sender address
  • Spam Source lists
  • Open Relay lists
  • Open Proxy lists
  • Dialup/Dynamic IP lists
  • Other
  • Local blocks
Bad sender
  • Most spam is sent with forged sender
  • Look up sender domain
    • Reject message if it doesn't exist
    • Defer message if lookup fails
  • Supported by most mail servers
  • Default in modern sendmail
  • You can also check the sending hostname, but this is not a reliable spam sign
Spam Source lists
  • Lists IP addresses which belong to spammers
  • MAPS RBL (www.mail-abuse.org)
  • Spamhaus BL (www.spamhaus.org)
  • Sometimes widens block to whole networks, but usually in extreme cases
Open Relay lists
  • Blocks mail from old servers which allow anyone to send mail through them
  • MAPS RSS (www.mail-abuse.org)
  • ORDB (www.ordb.org)
  • Can block real mail from insecure sites
  • Sometimes listings are based on old information
Open Proxy lists
  • Blocks mail from insecure open proxies
  • OPM (www.blitzed.org/opm/)
  • Usually doesn't block any real mail
  • Most lists incomplete – finding open proxies is hard
Dialup/Dynamic IP lists
  • Blocks direct mail from dialups and dynamic IP addresses
  • Be sure to whitelist your own customers!
  • Dynamic clients should use ISP mail server to send mail
  • SMTP MSP can be used to send mail remotely safely
  • Usually does not block real mail
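
The bad-sender test and the blocking-list lookup described above, sketched as SMTP-time checks. This is an added example, not part of the original slides: the DNS data, the zone name dnsbl.example, the customer range and the accept-on-list-failure policy are all assumptions, and the reversed-octet query is the usual DNSBL convention rather than something the slides state.

```python
import ipaddress

# Constructed DNS data standing in for a real resolver; every name is made up.
# None models a lookup that timed out or returned SERVFAIL.
FAKE_DNS = {
    "example.org": ["192.0.2.10"],
    "flaky.example": None,
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],
    "20.100.51.198.dnsbl.example": ["127.0.0.3"],  # one of our own customers
}
DNSBL_ZONE = "dnsbl.example"                                # hypothetical list
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed local range

class TempFail(Exception):
    """The lookup could not be completed."""

def lookup(name):
    """Return records for name, [] if it does not exist (real code: MX, then A)."""
    if name in FAKE_DNS and FAKE_DNS[name] is None:
        raise TempFail(name)
    return FAKE_DNS.get(name, [])

def check_sender(mail_from):
    """Bad-sender test: reject a nonexistent domain, defer a failed lookup."""
    if mail_from == "<>":                      # null sender, used by bounces
        return 250, "null sender"
    _, at, domain = mail_from.strip("<>").rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return 501, "malformed sender address"
    try:
        found = lookup(domain)
    except TempFail:
        return 451, "sender domain lookup failed, try again later"
    return (250, "ok") if found else (550, "sender domain does not exist")

def check_client_ip(ip):
    """Blocking-list test; own customers are whitelisted before any lookup."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CUSTOMER_NETS):
        return 250, "whitelisted customer"
    if addr.version != 4:
        return 250, "not checked (IPv4-only list)"
    query = ".".join(reversed(ip.split("."))) + "." + DNSBL_ZONE
    try:
        listed = lookup(query)
    except TempFail:
        return 250, "list unreachable, accepting"   # assumed local policy
    return (550, "listed in " + DNSBL_ZONE) if listed else (250, "ok")
```
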
Dialup/Dynamic IP lists (cont)
  • MAPS DUL (www.mail-abuse.org)
  • PDL (www.pan-am.ca/pdl/)
  • Dynablock (basic.wirehub.nl/dynablocker.html)
Other
  • As spammers get more aggressive, anti-spammers get more aggressive in blocking
  • Blocking is often done by:
    • Any IP sending any spam ever
    • Countries/regions perceived as soft on spam
    • Networks perceived as soft on spam
    • Faulty methods of identifying spam
    • Other forms of 'spite' listings
Other (cont)
  • Most of these methods are not used widely
  • As the spam problem gets worse, these methods may become more widespread.
  • Before using a blocking service
    • Make sure their policies match your expectation
    • Make sure it is reputable
    • Test it out first
Local blocks
  • Set up your own local blocks (access_db, local dnsbl)
  • Requires diligence and upkeep
  • Do it only if you can devote resources to it every day!
  • Better yet, get involved with contributing to public blocking lists
Filtering
  • Analyze content, not where it came from
    • Pattern matching
    • Bulk detection
Pattern Matching
  • Spams have common 'spam signs'
    • Common types of header forgery
    • Common disclaimers
    • Common wording of sales pitch
    • Garbage strings, header style, etc.
  • Filters can detect and score based on how many spam signs are in a message
Spam Assassin (www.spamassassin.org)
  • Has a set of rules, each with a score
  • If a message scores over a threshold, it is marked as spam
  • Can also use bulk detection, blocking lists
  • Uses a lot more CPU
    • Can scale to large mail loads by using a cluster of cheap servers running SA's spamd
  • Can be run on a client system too
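
Rule-based scoring as described on the Pattern Matching and Spam Assassin slides, as an added example that is not from the original slides. The rules, their scores, the threshold and both sample messages are constructed for illustration and are not SpamAssassin's own rule set.

```python
import re

# Hypothetical rules modelled on the spam signs listed above; they are not
# SpamAssassin's own rule set. Each is (name, score, field, pattern).
RULES = [
    ("FROM_DIGITS",  1.0, "from",    re.compile(r"\d{4,}@")),
    ("SUBJ_SHOUT",   1.5, "subject", re.compile(r"\b[A-Z]{3,}\b.*!{2,}")),
    ("SUBJ_GARBAGE", 1.0, "subject", re.compile(r"\s{3,}[a-z0-9]{6,}$")),
    ("DISCLAIMER",   2.0, "body",    re.compile(r"to be removed from (our|this) list", re.I)),
    ("SALES_PITCH",  1.5, "body",    re.compile(r"\b(act now|limited time|100% free)\b", re.I)),
    ("LIST_REPLY",  -1.0, "subject", re.compile(r"^Re: \[[\w-]+\]")),  # sign of real mail
]
THRESHOLD = 5.0  # assumed cut-off for this example

def score(msg):
    """Return (total score, names of the rules that hit) for a dict of fields."""
    hits = [(name, pts) for name, pts, field, rx in RULES
            if rx.search(msg.get(field, ""))]
    return sum(pts for _, pts in hits), [name for name, _ in hits]

def is_spam(msg):
    """A message is marked as spam once its total reaches the threshold."""
    return score(msg)[0] >= THRESHOLD

# Constructed sample messages.
SPAM = {
    "from": "deals48213@mail.example",
    "subject": "ACT NOW!!!      xk3j9qpl",
    "body": "100% FREE offer, limited time only. "
            "To be removed from our list, reply REMOVE.",
}
HAM = {
    "from": "alice@example.org",
    "subject": "Re: [netops] maintenance window",
    "body": "The window is Tuesday. Act now if you need an exception.",
}

if __name__ == "__main__":
    for label, msg in (("spam sample", SPAM), ("real mail sample", HAM)):
        total, names = score(msg)
        print(label, total, names, "SPAM" if is_spam(msg) else "ok")
```

The second message trips one spam sign but stays far below the threshold, which is the reason for scoring many signs rather than blocking on any single one.
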
Spam Assassin 2.50
  • Just out!
  • Adds Bayesian filtering
  • Bayesian filtering statistically analyzes what content shows up in spam more often than real mail
  • For best results, needs training on what is and isn't spam
  • SA 2.50 auto-trains based on SA scoring
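
Bayesian filtering with auto-training driven by the rule score, as an added example that is not from the original slides. It uses plain naive Bayes with add-one smoothing, not SpamAssassin's actual implementation; the auto-learn cut-offs and the training messages are constructed assumptions.

```python
import math
import re
from collections import Counter

AUTO_SPAM, AUTO_HAM = 12.0, 0.1   # assumed auto-learn cut-offs for this example

def tokens(text):
    """Distinct lower-cased word tokens of a message."""
    return set(re.findall(r"[a-z0-9$%']+", text.lower()))

class Bayes:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.msgs = {"spam": 0, "ham": 0}

    def learn(self, text, label):
        self.counts[label].update(tokens(text))
        self.msgs[label] += 1

    def auto_learn(self, text, rule_score):
        """Train only on messages the rule engine is very sure about."""
        if rule_score >= AUTO_SPAM:
            self.learn(text, "spam")
        elif rule_score <= AUTO_HAM:
            self.learn(text, "ham")
        # Scores in between are too uncertain to learn from.

    def spam_probability(self, text):
        """Combine per-token likelihood ratios, starting from even odds."""
        log_odds = 0.0
        for t in tokens(text):
            # Add-one smoothing: an unseen token never yields a zero probability.
            p_spam = (self.counts["spam"][t] + 1) / (self.msgs["spam"] + 2)
            p_ham = (self.counts["ham"][t] + 1) / (self.msgs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training mail: (text, score already assigned by the rule engine).
TRAINING = [
    ("cheap pills online, order now", 14.2),
    ("you won a free prize, claim now", 13.0),
    ("meeting notes attached for tuesday", 0.0),
    ("can you review the patch before lunch", -0.5),
    ("free shipping on your order", 4.1),   # uncertain, so never learned
]

def train_demo():
    b = Bayes()
    for text, rule_score in TRAINING:
        b.auto_learn(text, rule_score)
    return b
```
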
Bulk Detection
  • Razor (razor.sourceforge.net) aka SpamNet (www.cloudmark.com)
  • DCC (www.rhyolite.com/anti-spam/dcc)
  • Reliably detects messages sent in bulk
  • Razor designed to detect unsolicited bulk
  • Not perfect, sometimes blocks large mailing lists (recently Crypto-Gram)
Avoidance
  • Try not to expose email addresses
    • Don't publish user directories
    • Give users help and tools to do filtering
  • Advise users
    • Use spam filtering software (in addition to ISP)
    • Don't give out email address freely
    • Use disposable email addresses
    • Change email addresses periodically
Questions, Answers, Discussion