Methods for Stopping Spam
James Lick (jlick@drivel.com)
The Problem
• AOL blocks 780,000,000 spams each day (Feb 2003)
• I am sent ~900 spams each day (Jan 2003)
Methods for Stopping Spam
● Security
● Policy Enforcement
● Blocking
● Filtering
● Avoidance
Disclaimer
• No method will block all spam
• Every method will sometimes block real mail
• Spammers always get more aggressive
• These tools are just a sample
• Combining tactics works best
• Blocking/Filtering hides the extent of the problem
Security
● Make sure you aren't part of the problem
● Check infrastructure and customers:
– Open relays
– Open proxies
– Use of latest security patches
● A lot of spam is sent through security holes
● Notify authorities for extreme cases
Policy Enforcement
● Have a reasonable AUP
● Have users agree to it (legal contract)
● Enforce it!
– This is a contract; lack of a spam law is no excuse
– Don't give second chances too easily
● Respond to complaints
Policy Enforcement (cont)
● If you get a reputation of being soft on spam:
– You will get more spamming customers!
– Your mail will be blocked more and more
– You lose customers
– You go out of business
● The earlier you address problems, the easier they are to solve
● Policy enforcement is an ongoing responsibility
Blocking
● Bad sender address
● Spam source lists
● Open relay lists
● Open proxy lists
● Dialup/Dynamic IP lists
● Other
● Local blocks
Bad sender
● Most spam is sent with a forged sender
● Look up the sender domain
– Reject the message if the domain doesn't exist
– Defer the message if the lookup fails
● Supported by most mail servers
● Default in modern sendmail
● You can also check the sending hostname, but this is not reliable as a spam sign
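Added example (not from the presentation): the sender-domain check above written as a decision function that separates a definite "no such domain" (reject) from a temporary DNS failure (defer). The resolver is injected as a callback, and the domain names and records below are constructed so the code runs offline.

```python
# Added example: reject on a definite "no such domain", defer on a temporary
# DNS failure, accept otherwise. DNS is injected so this runs without network.

class NxDomain(Exception):
    """Authoritative answer: the domain does not exist."""

class DnsTempFail(Exception):
    """Timeout or SERVFAIL: we do not know either way."""

def check_sender(envelope_from, resolve):
    """Return 'reject', 'defer' or 'accept' for a MAIL FROM address.

    resolve(name, rrtype) returns a list of records or raises one of the
    two exceptions above (a thin wrapper over a real resolver in practice).
    """
    if envelope_from in ("", "<>"):
        return "accept"          # null sender: bounces must always be accepted
    if "@" not in envelope_from:
        return "reject"          # not even syntactically routable
    domain = envelope_from.rsplit("@", 1)[1].strip("<>").lower()
    try:
        # A domain can receive mail if it has MX records or, failing that, an A record.
        if resolve(domain, "MX") or resolve(domain, "A"):
            return "accept"
        return "reject"
    except NxDomain:
        return "reject"          # forged sender domain: permanent 5xx
    except DnsTempFail:
        return "defer"           # temporary 4xx: a real MTA will retry later

# Constructed resolver standing in for DNS (sample data, not real lookups).
FAKE_DNS = {
    ("example.org", "MX"): ["mail.example.org"],
    ("a-only.example", "MX"): [],
    ("a-only.example", "A"): ["192.0.2.10"],
}

def fake_resolve(name, rrtype):
    if name == "flaky.example":
        raise DnsTempFail()
    if name not in {n for n, _ in FAKE_DNS}:
        raise NxDomain()
    return FAKE_DNS.get((name, rrtype), [])
```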
Spam Source lists
● Lists IP addresses which belong to spammers
● MAPS RBL (www.mail-abuse.org)
● Spamhaus BL (www.spamhaus.org)
● Sometimes widens the block to whole networks, but usually only in extreme cases
Open Relay lists
● Blocks mail from old servers which allow anyone to send mail through them
● MAPS RSS (www.mail-abuse.org)
● ORDB (www.ordb.org)
● Can block real mail from insecure sites
● Sometimes listings are based on old information
Open Proxy lists
● Blocks mail from insecure open proxies
● OPM (www.blitzed.org/opm/)
● Usually doesn't block any real mail
● Most lists are incomplete – finding open proxies is hard
Dialup/Dynamic IP lists
● Blocks direct mail from dialups and dynamic IP addresses
● Be sure to whitelist your own customers!
● Dynamic clients should use the ISP mail server to send mail
● SMTP MSP can be used to send mail remotely and safely
● Usually does not block real mail
Dialup/Dynamic IP lists (cont)
● MAPS DUL (www.mail-abuse.org)
● PDL (www.pan-am.ca/pdl/)
● Dynablock (basic.wirehub.nl/dynablocker.html)
Other
● As spammers get more aggressive, anti-spammers get more aggressive in blocking
● Blocking is often done by:
– Any IP that has ever sent any spam
– Countries/regions perceived as soft on spam
– Networks perceived as soft on spam
– Faulty methods of identifying spam
– Other forms of 'spite' listings
Other (cont)
● Most of these methods are not used widely
● As the spam problem gets worse, these methods may become more widespread
● Before using a blocking service:
– Make sure their policies match your expectations
– Make sure it is reputable
– Test it out first
Local blocks
● Set up your own local blocks (access_db, local dnsbl)
● Requires diligence and upkeep
● Do it only if you can devote resources to it every day!
● Better yet, get involved with contributing to public blocking lists
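Added example (not from the presentation): the DNS lookup that the source, relay, proxy and dialup lists above, and a local dnsbl zone, all rely on. The IP's octets are reversed and prefixed to the list's zone, and an A record in 127.0.0.0/8 means "listed". The zone names, answer codes and whitelist are constructed placeholders, and the resolver is injected so the code runs offline.

```python
# Added example: DNSBL query construction and interpretation, with the
# customer whitelist the dialup-list slide insists on. All zones are placeholders.
import ipaddress

def dnsbl_query_name(ip, zone):
    """Build the lookup name, e.g. 192.0.2.1 + zone -> 1.2.0.192.zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_check(ip, zones, resolve, whitelist=()):
    """Return the zones that list ip, after applying the local whitelist.

    resolve(name) returns a list of A-record strings ([] when not listed).
    whitelist: CIDR strings for your own customers, checked before any list.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(net) for net in whitelist):
        return []
    hits = []
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Only 127.x.x.x answers count as a listing; anything else (for example
        # a list that shut down and whose domain now wildcards every query)
        # must not block mail.
        if any(a.startswith("127.") for a in answers):
            hits.append(zone)
    return hits

# Constructed DNS data standing in for real list answers.
FAKE_ZONE_DATA = {
    "10.2.0.192.relays.dnsbl.invalid": ["127.0.0.2"],
    "10.2.0.192.local.dnsbl.invalid": ["127.0.0.2"],
    "5.113.51.198.dialup.dnsbl.invalid": ["127.0.0.3"],
    "7.113.51.198.dead.dnsbl.invalid": ["192.0.2.99"],   # wildcard from a dead list
}

def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])

ZONES = ["relays.dnsbl.invalid", "dialup.dnsbl.invalid",
         "local.dnsbl.invalid", "dead.dnsbl.invalid"]
```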
Filtering
● Analyze content, not where it came from
– Pattern matching
– Bulk detection
Pattern Matching
● Spams have common 'spam signs'
– Common types of header forgery
– Common disclaimers
– Common wording of the sales pitch
– Garbage strings, header style, etc.
● Filters can detect and score based on how many spam signs are in a message
SpamAssassin (www.spamassassin.org)
● Has a set of rules, each with a score
● If a message scores over a threshold, it is marked as spam
● Can also use bulk detection and blocking lists
● Uses a lot more CPU
– Can scale to large mail loads by using a cluster of cheap servers running SA's spamd
● Can be run on a client system too
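Added example (not SpamAssassin's own code or ruleset): the rule-plus-score model from the Pattern Matching and SpamAssassin slides. Each "spam sign" is a predicate with a weight, negative weights mark ham signs, and the message is tagged when the total reaches the threshold; the rules, scores, threshold and sample messages are constructed for illustration.

```python
# Added example: score a message against weighted "spam sign" rules and tag it
# when the total reaches a threshold. Rules and scores are illustrative only.
import re
from email import message_from_string
from email.message import Message

def _body(msg: Message) -> str:
    """Text of a single-part message (multipart left out to keep the example short)."""
    if msg.is_multipart():
        return ""
    return msg.get_payload(decode=True).decode("utf-8", "replace")

RULES = [
    # name, score, predicate over the parsed message. Negative scores are ham signs.
    ("MISSING_MESSAGE_ID", 1.5, lambda m: m.get("Message-ID") is None),
    ("CLAIMS_COMPLIANCE", 1.2, lambda m: re.search(r"not (be )?considered spam|complies with", _body(m), re.I) is not None),
    ("REMOVE_INSTRUCTIONS", 1.0, lambda m: re.search(r"to be removed|click here to unsubscribe", _body(m), re.I) is not None),
    ("SUBJ_ALL_CAPS", 0.8, lambda m: (m.get("Subject") or "").isupper()),
    ("GARBAGE_STRING", 1.0, lambda m: re.search(r"\b[a-z]{2,6}\d{4,}\b", _body(m), re.I) is not None),
    ("IN_REPLY_TO", -1.5, lambda m: m.get("In-Reply-To") is not None),
]
THRESHOLD = 5.0   # constructed; tune against your own mail, not copied from SA

def score_message(raw: str):
    """Return (total score, names of rules that hit, is_spam)."""
    msg = message_from_string(raw)
    hits = [(name, score) for name, score, test in RULES if test(msg)]
    total = round(sum(s for _, s in hits), 1)
    return total, [n for n, _ in hits], total >= THRESHOLD

# Constructed sample messages.
SPAM = """From: friend@example.com
Subject: MAKE MONEY FAST
X-Mailer: xyz

This message complies with all regulations and is not considered spam.
To be removed, click here to unsubscribe. ref ab12345
"""

HAM = """From: alice@example.org
To: bob@example.org
Subject: Re: lunch
Message-ID: <123@example.org>
In-Reply-To: <122@example.org>

Sounds good, see you at noon.
"""
```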
SpamAssassin 2.50
● Just out!
● Adds Bayesian filtering
● Bayesian filtering statistically analyzes what content shows up in spam more often than in real mail
● For best results, needs training on what is and isn't spam
● SA 2.50 auto-trains based on SA scoring
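Added example (not SpamAssassin's implementation): a token-level Bayesian filter of the kind this slide describes. It learns which tokens show up more often in spam than in real mail, combines the per-token probabilities into a spam probability, and includes an auto-learn hook that trains only from confident rule-engine scores, mirroring the slide's "auto-trains based on SA scoring"; the training corpus and the auto-learn thresholds are constructed.

```python
# Added example: naive Bayes spam scoring with training and SA-2.50-style
# auto-learning. Corpus and thresholds are constructed, not SpamAssassin's.
import math
import re
from collections import Counter

class BayesFilter:
    def __init__(self):
        self.spam_tokens, self.ham_tokens = Counter(), Counter()
        self.nspam = self.nham = 0

    @staticmethod
    def tokens(text):
        # Each distinct token counts once per message.
        return set(re.findall(r"[a-z$][a-z0-9'$.-]{2,}", text.lower()))

    def train(self, text, is_spam):
        toks = self.tokens(text)
        if is_spam:
            self.spam_tokens.update(toks); self.nspam += 1
        else:
            self.ham_tokens.update(toks); self.nham += 1

    def token_prob(self, tok, strength=1.0, prior=0.5):
        """P(spam | token), shrunk toward the prior for rarely seen tokens."""
        sc, hc = self.spam_tokens[tok], self.ham_tokens[tok]
        if sc + hc == 0:
            return prior                          # never seen: says nothing
        ps, ph = sc / max(self.nspam, 1), hc / max(self.nham, 1)
        return (strength * prior + (sc + hc) * ps / (ps + ph)) / (strength + sc + hc)

    def score(self, text):
        """Probability the message is spam: per-token log odds summed."""
        logodds = 0.0
        for tok in self.tokens(text):
            p = min(max(self.token_prob(tok), 0.01), 0.99)   # clamp extremes
            logodds += math.log(p / (1 - p))
        return 1 / (1 + math.exp(-logodds))

    def autolearn(self, text, rule_score, spam_at=12.0, ham_below=0.0):
        """Learn only from confident rule-engine verdicts (thresholds constructed)."""
        if rule_score >= spam_at:
            self.train(text, True); return "spam"
        if rule_score < ham_below:
            self.train(text, False); return "ham"
        return None

# Constructed training corpus; a real deployment trains on the user's own mail.
SPAM_CORPUS = ["make money fast with our amazing offer, click here now",
               "cheap pills, click here for amazing discount offer",
               "lose weight fast, amazing results, click here"]
HAM_CORPUS = ["can you review the patch before the meeting tomorrow",
              "lunch at noon? the meeting moved to thursday",
              "attached is the patch for the parser bug we discussed"]

def trained_filter():
    f = BayesFilter()
    for m in SPAM_CORPUS: f.train(m, True)
    for m in HAM_CORPUS: f.train(m, False)
    return f
```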
Bulk Detection
● Razor (razor.sourceforge.net) aka SpamNet (www.cloudmark.com)
● DCC (www.rhyolite.com/anti-spam/dcc)
● Reliably detects messages sent in bulk
● Razor is designed to detect unsolicited bulk
● Not perfect; sometimes blocks large mailing lists (recently Crypto-Gram)
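Added example (not Razor's or DCC's code): the idea behind bulk detection. Each delivery reports a fuzzy checksum of the body to a shared counter, and once the same checksum has been seen by enough recipients the message is bulk; the sender whitelist shows the caveat from the slide, that wanted bulk mail such as a large mailing list must be exempted or it gets flagged too. Threshold, normalisation rules and sample data are constructed.

```python
# Added example: fuzzy checksum + shared counter for bulk detection, with a
# whitelist for wanted bulk senders (e.g. a newsletter). All data is constructed.
import hashlib
import re
from collections import defaultdict

def fuzzy_checksum(body: str) -> str:
    """Normalise text so trivial per-recipient variation yields the same hash."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "URL", text)              # tracking links differ per copy
    text = re.sub(r"\b[\w.+-]+@[\w.-]+\b", "ADDR", text)     # personalised addresses
    text = re.sub(r"\d+", "0", text)                         # serial numbers, dates
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()

class BulkCounter:
    def __init__(self, threshold=20, whitelist_senders=()):
        self.threshold = threshold
        self.whitelist = {s.lower() for s in whitelist_senders}
        self.seen = defaultdict(int)   # checksum -> number of recipients reporting it

    def report(self, sender: str, body: str) -> bool:
        """Record one delivery; return True if this message now counts as bulk."""
        key = fuzzy_checksum(body)
        self.seen[key] += 1            # count it even for whitelisted senders
        if sender.lower() in self.whitelist:
            return False               # known list: bulk, but wanted
        return self.seen[key] >= self.threshold

# Constructed sample: three copies of one spam, each with its own tracking URL
# and salutation, plus three copies of a whitelisted newsletter.
SPAM_TEMPLATE = "Dear {addr}, claim your prize at http://example.invalid/t?id={n} today!"
NEWSLETTER = "Crypto-Gram style newsletter, issue 42: this month in security."

def run_sample(threshold=3):
    bulk = BulkCounter(threshold, whitelist_senders=["newsletter@lists.example.org"])
    spam = [bulk.report("x@spam.invalid", SPAM_TEMPLATE.format(addr=f"user{n}@example.org", n=n))
            for n in range(threshold)]
    news = [bulk.report("newsletter@lists.example.org", NEWSLETTER) for _ in range(threshold)]
    return spam, news, bulk.seen[fuzzy_checksum(NEWSLETTER)]
```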
Avoidance
● Try not to expose email addresses
– Don't publish user directories
– Give users help and tools to do filtering
● Advise users:
– Use spam filtering software (in addition to the ISP's)
– Don't give out your email address freely
– Use disposable email addresses
– Change email addresses periodically
Q&A
• Questions
• Answers
• Discussion