We were getting spammed to death! We hadnt practiced good e-mail address practices in the past and now some users were getting blasted with 20 or more spams a day and over 50 during the weekends. Spam became an issue at management and IT meetings. We had to do something. Many users Inboxes became almost unmanageable. Pressing the Delete key is easy but wading through 20 spams to find two good e-mails is a total waste of time.
Spam became the bane of my existence.
We tried everything at the desktop level using Outlook and Exchange filters, rules and anti-spam add-on programs. They just didnt work well for us. Good mail got rejected and spam still got through.
Luckily for us, our Raptor/Symantec Enterprise firewall supported the use of one Real Time Black Hole List (RBL). The default service was MAPS; however, they wanted money for their service and wouldnt let us test the service first.
Not knowing much about RBLs and after being spoiled by our Apache/Linux web server cost (that is, zero), we decided to pursue other options. Our company is going through a “belt-tightening” process.
We then shifted gears and looked into creating a mail proxy server using Spam Assassin and Linux. Our research for Spam Assassin pointed us in Spamcops direction; Spamcop has a free RBL (bl.spamcop.net).
We configured our firewall to use Spamcop and wham! We started blocking hundreds of spam attempts per day.
Now we were onto something. We started blocking a large majority of our spam using just one RBL and we were rejecting it at the perimeter, so it didnt clog up our mail servers or users folders. Most of the desktop-based programs redirect incoming spam to a folder on the mail server.
Spamcop has a reporting tool and we began reporting a majority of the spam that got through to help get those spammers on their list. It also feels good to report the spam we get — were fighting back at spam, in a way.
We also noticed that some spammers are very tricky. Spamcops list is IP-based. Several of the spams getting through were coming from domains that changed their mail servers IP frequently and kept on sending spam to our users. That led us to blocking some domains manually with rules like:
- and about 15 others.
We averaged over 1,500 rejected mail connections thanks to using the RBL. We block a new domain every other week or so, and normally the spam drops off from those sources in about a month. We keep the manually blocked domains in our rule set just in case someone decides to try us again.
Spamcops online reporting tool helped us realize a lot of the spam getting through was on other black lists, especially lists that had open relay and proxy servers on them.
Our next step was to upgrade our firewall to the Symantec Enterprise Firewall Version 7 that supports multiple RBLs. Here are the ones we are currently using:
The firewall performs a DNS lookup on each of the blacklists. On the first positive confirmation, the spam is promptly rejected as the example logfile entry shows.
<code>Jan 06 01:50:12.586 fire-wall smtp: 343 smtpd Warning: Rejected connection from 220.127.116.11 as it was on the Realtime Blackhole List at bl.spamcop.net</code>
Now the spam is just trickling in, for the most part. Users who used to get 30 to 40 spams over the weekend are now down to two or three. Some dont get any. Weve had a few days recently with no reported spam. We have been faithfully using Spamcops Web-based spam reporting tool for months now. Since the incoming spam load is much lower, we have time to investigate whether a spam e-mail has been relayed or proxied. Now were submitting those we find to the www.ordb.org people.
Spamcop and Spamhaus are blacklists targeting spam sources. The other blacklists above primarily list open mail relay servers. Open mail relay servers are used by spammers to send their junk using others identities and resources. Open relaying is a major part of the spam equation. (You can learn more about open relays at www.ordb.org.)
We did have some cases of legitimate mail getting blocked. We had to back off using multihop.dsbl.org and unconfirmed.dsbl.org, for example. It was tough to take those RBLs off the list — the days they were on, we were virtually spam-free.
We set the firewall to reject the spam connection so the email never enters our mail server. As a result, there is no quarantined mail. We found out we were blocking good mail when two of our customers couldnt get through. It turns out both had in the past configured their mail servers to relay. We got them off of the relay lists by re-submitting them for testing. The multi-hop and unconfirmed list blocked some legitimate personal mail. We tried to fix this whenever we heard a complaint.
Using RBLs requires some manual tuning, so be sure and let your users know if you plan to block spam using RBLs. Its likely as you add more RBLs you will run into some problems with the rejection of legitimate mail. Still, the best place to reject spam is before it enters your internal network and servers.
Besides being a total annoyance and waste of resources there are definite security implications concerning spam. Some viruses are disguised as spam. HTML or Web-type messages can contain malicious code and scripts. Even just previewing a malicious e-mail can let the code execute. In addition, servers can be subjected to an overload of spam causing a denial of service for your email users. Both system storage and processing are subject to this threat.
Remember — the best way to protect your internal systems security and resources, as well as your users, is by rejecting spam at the perimeter.
While these techniques work for us, many spam filtering software packages now exist for both individual use and corporate use. Check out Slam the Spam, an upcoming PC Magazine story, for more insights.
For more information: