Engineer internet spam

Anti spam best practice

You may have noted the spam theme of my posts this week.  This is because we are in the process of upgrading our anti spam capabilities. The management of spam is a hugely complex process and involves many factors contributing to a scorecard against which an email is rated.


There is a general set of principles that the industry could apply that would make it a lot harder for spammers. Unfortunately many ISPs seem to be fairly lenient with their customers about how they set up their email services and are prepared to accept mail from poorly configured mail servers.


For example, most spam comes from compromised Windows computers at residential or business premises.  When a host connects, i.e. when a mail is being set up for sending, it should perform a HELO with its fully qualified domain name (FQDN) as specified in the RFCs (industry standards or standards in waiting).  The sender sometimes lies and presents a fake or incorrect HELO string, which can be used to judge the validity of the sending server. The string given at HELO time should have forward and reverse DNS that match.


Additionally, the reverse DNS of the sending host could be considered.  If there is no reverse DNS, it's very unlikely that the mail is legitimate, and it should be rejected.  If the reverse DNS makes it clear that the sending host is within a DSL pool, i.e. at the user premises at the end of an ADSL line rather than at an ISP's mail server, this could also be taken into consideration when it comes to scoring.


A genuine reverse DNS might look like whereas a corresponding ADSL-based DNS (and therefore likely to be a source of spam) would be where the x's represent the IP address.


Another technique in the fight against spam is to rate limit emails from users. In other words, to apply a policy controlling the maximum number of emails an individual can send in a day.  A rate limit for a residential user might be 200 mails a day, for example.  It is unlikely that a residential user will send more than 10 or 20 mails in a day.  A compromised machine may, however, send thousands in the same time period. The rate limit would prevent this.


Customers with a genuine need to send more emails than the limit can easily be accommodated.  The limit is there to protect the user rather than to stop them sending emails. The spam being sent would normally be caught here anyway but this technique does at least minimize the load on spam filters.
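The HELO/reverse-DNS scoring described above and the per-user daily rate limit, as an added Python example that is not from the original post; the DNS tables, the DSL-pool name pattern, the score thresholds and the user/day keys are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed stand-ins for real forward and reverse DNS lookups.
FORWARD = {"mail.example.net": "203.0.113.10"}
REVERSE = {
    "203.0.113.10": "mail.example.net",
    "198.51.100.77": "198-51-100-77.dsl.example-isp.net",
}
# Assumed pattern for names an ISP gives to DSL/dial-up pool addresses.
DSL_POOL_RE = re.compile(r"(dsl|adsl|dyn|pool|ppp)", re.IGNORECASE)
REJECT = 10  # assumed threshold: a score of 10 or more means reject outright


def score_connection(ip, helo):
    """Return (score, reasons) for an inbound SMTP connection.

    No reverse DNS is rejected outright; a DSL-pool name, a bare (non-FQDN)
    HELO and a HELO whose forward/reverse DNS do not match each add points
    that feed the wider scorecard. Point values are illustrative."""
    score, reasons = 0, []
    rdns = REVERSE.get(ip)
    if rdns is None:
        return REJECT, ["no reverse DNS for sending host"]
    if DSL_POOL_RE.search(rdns):
        score += 5
        reasons.append("reverse DNS looks like a DSL pool")
    if "." not in helo:
        score += 3
        reasons.append("HELO is not a fully qualified domain name")
    elif FORWARD.get(helo) != ip or rdns.lower() != helo.lower():
        score += 4
        reasons.append("HELO does not match forward/reverse DNS")
    return score, reasons


class DailyRateLimit:
    """Per-user cap on outbound mail per calendar day (default 200)."""

    def __init__(self, limit=200):
        self.limit = limit
        self.sent = defaultdict(int)  # (user, day) -> messages accepted

    def allow(self, user, day):
        key = (user, day)
        if self.sent[key] >= self.limit:
            return False  # over the cap: hold for review rather than relay
        self.sent[key] += 1
        return True
```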


The factors taken into consideration in spam scoring systems are not normally made public, because to do so would just help spammers.