Anti spam best practice

You may have noted the spam theme of my posts this week.  This is because we are in the process of upgrading our anti spam capabilities. The management of spam is a hugely complex process and involves many factors contributing to a scorecard against which an email is rated.

There is a general set of principles that the industry could apply that would make it a lot harder for spammers. Unfortunately many ISPs seem to be fairly lenient with their customers about how they set up their email services, and are prepared to accept mail from poorly configured mail servers.

For example, most spam comes from compromised Windows computers at residential or business premises. When a host connects, i.e. when a mail is being set up for sending, it should send a HELO with its fully qualified domain name (FQDN) as specified in the RFCs (industry standards, or standards in waiting). The sender sometimes lies and presents a fake or incorrect HELO string, and this can be used to judge the validity of the sending server. The name given at HELO time should have forward and reverse DNS that match.

Additionally, the reverse DNS of the sending host could be considered. If there is no reverse DNS, it is very unlikely that the mail is legitimate, and it should be rejected. If the reverse DNS makes it clear that the sending host is within a DSL pool, i.e. at the user premises at the end of an ADSL line rather than at an ISP's mail server, this could also be taken into consideration when it comes to scoring.

A genuine reverse DNS might look like mail.timico.net, whereas a corresponding ADSL-based reverse DNS (and therefore a likely source of spam) would be xxx.xxx.xxx.xxx.adsl.timico.net, where the x's represent the IP address.
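The HELO and reverse-DNS checks described above, as an added example that is not part of the original post. The DNS records, the score weights and the DSL-pool pattern are all constructed for illustration (the post deliberately does not publish its real scoring factors); a production version would replace the two lookup tables with real A and PTR queries.

```python
import re

# Constructed sample DNS records (documentation addresses, not real hosts):
# stand-ins for live forward (A) and reverse (PTR) lookups so this runs offline.
FORWARD = {
    "mail.timico.net": "192.0.2.10",
    "203.0.113.55.adsl.example.net": "203.0.113.55",
}
REVERSE = {
    "192.0.2.10": "mail.timico.net",
    "203.0.113.55": "203.0.113.55.adsl.example.net",
}

# Heuristic for consumer DSL/dynamic pools: the client address embedded in the
# PTR name, or pool-style labels. Illustrative only; tune against local data.
DYNAMIC_RE = re.compile(
    r"(\d{1,3}[.-]){3}\d{1,3}|\b(adsl|dsl|dyn|dynamic|pool|ppp)\b", re.I)

REJECT = 100  # score at or above which the connection is refused outright


def score_sender(ip, helo, forward=FORWARD.get, reverse=REVERSE.get):
    """Score one SMTP connection from its client IP and HELO string.

    Returns (score, reasons). Missing reverse DNS is a hard reject, as the
    post recommends; the remaining checks only add to the score.
    """
    score, reasons = 0, []
    ptr = reverse(ip)
    if ptr is None:
        return REJECT, ["no reverse DNS for client IP"]
    if forward(helo) != ip:
        score += 30
        reasons.append("HELO name does not resolve to the client IP")
    if ptr.lower() != helo.lower():
        score += 20
        reasons.append("reverse DNS of client does not match HELO name")
    if DYNAMIC_RE.search(ptr):
        score += 25
        reasons.append("reverse DNS looks like a DSL/dynamic pool")
    return score, reasons


def should_reject(ip, helo):
    """Hard-reject decision derived from the score."""
    return score_sender(ip, helo)[0] >= REJECT
```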

Another technique in the fight against spam is to rate limit emails from users. In other words, to apply a policy controlling the maximum number of emails an individual can send in a day. A rate limit for a residential user might be 200 mails a day, for example. It is unlikely that a residential user will send more than 10 or 20 mails in a day. A compromised machine may, however, send thousands in the same time period. The rate limit would prevent this.

Customers with a genuine need to send more emails than the limit can easily be accommodated.  The limit is there to protect the user rather than to stop them sending emails. The spam being sent would normally be caught here anyway but this technique does at least minimize the load on spam filters.
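The per-user daily limit described in the last two paragraphs, as an added example rather than code from the original post. The 200-a-day default comes from the post; the class, function and user names are hypothetical, and the caller is assumed to derive the day key from the time each message is submitted.

```python
from collections import defaultdict

DEFAULT_DAILY_LIMIT = 200  # the residential figure the post gives as an example


class DailySendLimiter:
    """Count accepted outbound messages per (user, day) and refuse the rest.

    The day key is a string such as "2024-01-01", derived by the caller from
    the submission time; a new day starts a fresh count for every user.
    """

    def __init__(self, default_limit=DEFAULT_DAILY_LIMIT):
        self.default_limit = default_limit
        self.limits = {}                  # per-user overrides for genuine bulk senders
        self.accepted = defaultdict(int)  # (user, day) -> messages accepted
        self.refused = defaultdict(int)   # (user, day) -> messages refused

    def set_limit(self, user, limit):
        """Raise (or lower) the cap for one user, e.g. a customer who asked."""
        self.limits[user] = limit

    def allow(self, user, day):
        """Return True and count the message if the user is under today's cap."""
        key = (user, day)
        if self.accepted[key] < self.limits.get(user, self.default_limit):
            self.accepted[key] += 1
            return True
        self.refused[key] += 1
        return False

    def over_limit_users(self, day):
        """Users that hit the cap on `day`: worth checking for a compromised
        machine, since a normal residential user stays far below the limit."""
        return sorted(u for (u, d), n in self.refused.items() if d == day and n > 0)


def submit_batch(limiter, user, day, count):
    """Submit `count` messages for one user; return how many were accepted."""
    return sum(1 for _ in range(count) if limiter.allow(user, day))
```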

The factors taken into consideration in spam scoring systems are not normally made public, because to do so would just help spammers.

Trefor Davies

Liver of life, father of four, CTO of trefor.net, writer, poet, philosopherontap.com

4 replies on “Anti spam best practice”

Hi Graham,

I am responding as the postmaster for Timico. I am aware that our outgoing mail relays (which include the IP address you show) are almost always in the list at backscatter.org – that's currently the only list they're in, so I can't comment about the 2nd list. I'd like to point out that Tref's post is very little to do with policies for mail relays, and more to do with MXes. In small installations often the responsibilities blur, but the rules and restrictions for MXes are completely different. Due to the nature of our business, we relay mail for our customers who do often have poorly set up Exchange servers. These Exchange servers (I'm picking on Exchange because 90% of the time, it's Exchange) accept mail for non-existent users, and then generate NDRs and relay them out via our relays. We of course have a responsibility to our customers to deliver these emails – this is what puts us in backscatter.org, and we'll likely be there for a long time. I expect this is the case with many ISPs' outgoing mail relays. This being said, Timico have been good enough to provide our team with the resources in both time and money to upgrade our entire mail platform – and part of this process is getting customers to fix their own mail servers. I have reduced the number of bounces we deliver significantly as part of this effort.

We do occasionally get spam relayed through our servers, as customers sometimes do get compromised – but we are quick to detect these issues and respond. As part of the new platform we are building, automatic systems will be put in place to aid in early detection of such problems. We handle many millions of mail connections a day across a range of legacy mail systems, so this isn't a simple problem to solve – but we are getting there.

Timico are committed to reducing the spam issue, and as you can see we are putting significant effort into the problem. If anyone does have any concerns about the Timico mail systems, please email the postmaster team at [email protected], or visit our postmaster website at http://postmaster.timico.net
