Blocking Spam

 
 
By eweek  |  Posted 2003-02-03 Email Print this article Print
 
 
 
 
 
 
 


Spamcop has a reporting tool and we began reporting a majority of the spam that got through to help get those spammers on their list. It also feels good to report the spam we get -- were fighting back at spam, in a way. We also noticed that some spammers are very tricky. Spamcops list is IP-based. Several of the spams getting through were coming from domains that changed their mail servers IP frequently and kept on sending spam to our users. That led us to blocking some domains manually with rules like:
  • etracks.com
  • dartmail.net
  • freesex.net
  • specialmailoffers.com
  • greatmailoffers.com
  • singnet.com.sg
  • c0olmail.com
  • eserve01.com
  • eserve02.com
  • and about 15 others.
We averaged over 1,500 rejected mail connections thanks to using the RBL. We block a new domain every other week or so, and normally the spam drops off from those sources in about a month. We keep the manually blocked domains in our rule set just in case someone decides to try us again.
Spamcops online reporting tool helped us realize a lot of the spam getting through was on other black lists, especially lists that had open relay and proxy servers on them.
Our next step was to upgrade our firewall to the Symantec Enterprise Firewall Version 7 that supports multiple RBLs. Here are the ones we are currently using:
  • bl.spamcop.net
  • rbl.spamhaus.org
  • dnsbl.njabl.org
  • relays.ordb.org
  • list.dsbl.org
The firewall performs a DNS lookup on each of the blacklists. On the first positive confirmation, the spam is promptly rejected as the example logfile entry shows. <code>Jan 06 01:50:12.586 fire-wall smtp[370]: 343 smtpd Warning: Rejected connection from 199.184.5.130 as it was on the Realtime Blackhole List at bl.spamcop.net</code>
Now the spam is just trickling in, for the most part. Users who used to get 30 to 40 spams over the weekend are now down to two or three. Some dont get any. Weve had a few days recently with no reported spam. We have been faithfully using Spamcops Web-based spam reporting tool for months now. Since the incoming spam load is much lower, we have time to investigate whether a spam e-mail has been relayed or proxied. Now were submitting those we find to the www.ordb.org people. Spamcop and Spamhaus are blacklists targeting spam sources. The other blacklists above primarily list open mail relay servers. Open mail relay servers are used by spammers to send their junk using others identities and resources. Open relaying is a major part of the spam equation. (You can learn more about open relays at www.ordb.org.) We did have some cases of legitimate mail getting blocked. We had to back off using multihop.dsbl.org and unconfirmed.dsbl.org, for example. It was tough to take those RBLs off the list -- the days they were on, we were virtually spam-free. We set the firewall to reject the spam connection so the email never enters our mail server. As a result, there is no quarantined mail. We found out we were blocking good mail when two of our customers couldnt get through. It turns out both had in the past configured their mail servers to relay. We got them off of the relay lists by re-submitting them for testing. The multi-hop and unconfirmed list blocked some legitimate personal mail. We tried to fix this whenever we heard a complaint. Using RBLs requires some manual tuning, so be sure and let your users know if you plan to block spam using RBLs. Its likely as you add more RBLs you will run into some problems with the rejection of legitimate mail. Still, the best place to reject spam is before it enters your internal network and servers. Besides being a total annoyance and waste of resources there are definite security implications concerning spam. Some viruses are disguised as spam. HTML or Web-type messages can contain malicious code and scripts. Even just previewing a malicious e-mail can let the code execute. In addition, servers can be subjected to an overload of spam causing a denial of service for your email users. Both system storage and processing are subject to this threat. Remember -- the best way to protect your internal systems security and resources, as well as your users, is by rejecting spam at the perimeter. While these techniques work for us, many spam filtering software packages now exist for both individual use and corporate use. Check out Slam the Spam, an upcoming PC Magazine story, for more insights. For more information:
  • Spam RBL Resources


  •  
     
     
     
     
     
     
     
     
     
     

    Submit a Comment

    Loading Comments...
     
    Manage your Newsletters: Login   Register My Newsletters























     
     
     
     
     
     
     
     
     
     
     
    Thanks for your registration, follow us on our social networks to keep up-to-date
    Rocket Fuel