E-mail security: avoiding spam

Continuing the series of articles about spam: in the last one I wrote about detecting spam by analyzing its content. This usually works well, but it wastes the resources of the user receiving the spam, who has to download the mail (mostly free on a residential line, but possibly expensive when on the road) and analyze it (spending computer time).

It would be better if the server could prevent these messages from being delivered at all. Although some mail servers analyze the content of a message before delivering it, several other techniques have been proposed to work against spam. Some of them are even standards, but they have not usually been widely deployed. Let’s have a look at the advantages and disadvantages of some of them.

DNS blacklist. This is one of the oldest and best-known techniques; it tries to prevent spam from being delivered by checking whether the computer sending it is a “probable” spammer. The receiving server looks up the sender’s IP address in an online service (for example, MAPS or ORBS) and, if the address is listed, the mail is rejected (or at least flagged as suspicious).

There are various online services, each listing IP addresses according to different criteria. For example, some list dynamic and dial-up IP addresses, which should normally send their mail through their ISP’s server. Others only list IP addresses which have sent spam in the past.

Some controversy has built up around these services because IP addresses have sometimes been added in error, which leaves a legitimate server unable to send mail to anyone using that blacklist. Furthermore, spammers try to take down some of these sites, usually by DDoSing them, so that users can’t query them.

You can find more technical information about DNS blacklists at Wikipedia.

Greylisting. If a server uses greylisting, when a new mail is received it checks the IP address of the sending server, the sender’s mail address and the recipient’s mail address against a local database. If this combination has been seen before, the mail is delivered. If it hasn’t been seen before, the message is rejected with a temporary “Try later” error.

This works because most spammers never retry sending the message, while a legitimate mail server will try again after a short time, so on the retry the mail is accepted. This can be a really powerful technique as long as spammers don’t adapt to it (if many servers use it, they will eventually start retrying).

The disadvantage of this technique is that it delays all messages coming from unknown sources, spam or not, which might not be acceptable for everyone, especially online businesses. Even worse, if the sending server is misconfigured it might never retry.

This can be combined with whitelisting (addresses which are always accepted) and blacklisting (addresses which are always rejected).
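As an added example that is not part of the original post, here is the greylisting check described above combined with the whitelist and blacklist, in Python. The 5-minute minimum retry delay and the 36-hour expiry of unseen triplets are assumptions, not values from the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A greylisting "triplet": (sending server IP, envelope sender, envelope recipient)
Triplet = Tuple[str, str, str]


@dataclass
class Greylist:
    """Greylisting policy with whitelist and blacklist (added example)."""
    min_delay: int = 300              # assumption: retry accepted only after 5 min
    max_age: int = 36 * 3600          # assumption: forget triplets not retried in 36 h
    whitelist: Set[str] = field(default_factory=set)   # IPs always accepted
    blacklist: Set[str] = field(default_factory=set)   # IPs always rejected
    seen: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> first-seen time

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        if ip in self.blacklist:
            return "550 Rejected"         # permanent rejection, never greylisted
        if ip in self.whitelist:
            return "250 OK"               # trusted source, skip greylisting
        key = (ip, sender.lower(), rcpt.lower())
        first = self.seen.get(key)
        if first is None or now - first > self.max_age:
            # Never seen (or entry expired): record it and ask the sender to retry.
            self.seen[key] = now
            return "451 Try later"
        if now - first < self.min_delay:
            # Retried too soon: keep asking, a real MTA will come back later.
            return "451 Try later"
        return "250 OK"                   # known triplet retried after the delay


def demo() -> List[str]:
    """Constructed sample traffic: a bot that never retries, a real MTA that
    retries after 10 minutes, and a whitelisted partner server."""
    g = Greylist(whitelist={"192.0.2.10"})
    bot = g.check("198.51.100.7", "bot@example.net", "me@example.org", now=0)
    mta1 = g.check("203.0.113.5", "alice@example.com", "me@example.org", now=0)
    mta2 = g.check("203.0.113.5", "alice@example.com", "me@example.org", now=600)
    partner = g.check("192.0.2.10", "partner@example.com", "me@example.org", now=0)
    return [bot, mta1, mta2, partner]
```

The bot's single attempt is never retried, so its message is never accepted, while the legitimate server is let through on its second attempt.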

More information about greylisting, with links to implementations for different servers, is at Wikipedia.

SPF and DomainKeys. Many spammers use fake mail addresses as the sender of the message and send the mail from hacked machines or open relays. To counter this, one can publish a list of the IP addresses allowed to send mail for a domain. This is how SPF works: a DNS record lists the IP addresses authorized to send mail for that domain. This solution is really simple, but it requires the “big players” to use it in their mail servers, which hasn’t happened yet.

DomainKeys is a similar technique proposed by Yahoo which uses cryptography to authenticate the message and check that it really comes from the mail server it claims to. One possible disadvantage of this method is that verifying the cryptographic signatures requires more resources, although this shouldn’t be a problem for servers with a small number of users. Also, like SPF, it has to be implemented by most mail servers to be really useful.

More information about SPF at Wikipedia or its homepage, and about DomainKeys at Wikipedia or Yahoo.
