Thread: The best approach to combat spam

  1. #1

    The best approach to combat spam

    My mail server has an anti-spam feature that enables it to scan the body content of any incoming mail for certain words. When it finds them, the email is either rejected or deleted.

    Now, I began to realize that it may be the best approach to combat spam email because I can create filters that would reject emails which contain certain hyperlink names, like the spammer's domain name, email address or even his porn image file name.

    I harvest most spammers' domain names, email addresses, image file names and sources (img src="http) from looking at their HTML source code. If they use HTML number codes, I can always use them in my filter as well. I also translate them at http://javascript.internet.com/equiv...-revealer.html just to know what they mean in plain English.

    I collect most of them from links like:
    Sorry if this email caused you inconvenience.
    to stop me sending you more please go here
    To stop this go here
    remove me
    Click here to Claim Your prize!
    no more? push here
    Visit us at:
    not for me
    CLICK HERE FOR MORE INFO

    Since RBL and firewall ACLs can only block already known offending hosts and IP addresses, you can still get the spammer's email again and again from newly found open relays and open proxies. But if you block it through a mail body content filter, you will never see the spammer's email again unless he/she edits it with a new domain name and so on.

    The good thing about this approach is that the spammer may never know why his/her email is being rejected. The other good thing is that the spammer will have to pay for new domain names and hosting service if the spammer's email is to have value, like an email reply from the victim or a web visit from the victim.

    What do you guys think about this approach? And why is it not a common feature on most email server software?
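The body-content check described in post #1, as an added example (not part of the original post and not any mail server's own filter): it pulls link and image targets out of an HTML body, lets the parser decode HTML number codes such as `&#119;`, and compares the results with a blocklist. The blocklist entries, the sample message and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist and sample message (hypothetical values, not from the thread).
BLOCKED = {
    "domain": {"cheap-pills.example"},
    "file": {"banner77.gif"},
    "address": {"remove@bulk-offers.example"},
}
SAMPLE_SPAM = ('<a href="http://&#119;&#119;&#119;.cheap-pills.example/go">remove me</a>'
               '<img src="http://img.other-host.example/pics/Banner77.GIF">'
               '<a href="mailto:remove@bulk-offers.example">not for me</a>')

class LinkCollector(HTMLParser):
    """Collect href/src values; HTMLParser decodes &#NN; codes in attributes."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in {("a", "href"), ("img", "src")}:
                self.targets.append(value.strip())

def indicators(html_body):
    """Return a set of (kind, value) pairs referenced by the HTML body."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    found = set()
    for target in parser.targets:
        try:
            parts = urlsplit(target)
        except ValueError:  # malformed URL: nothing to extract
            continue
        if parts.scheme == "mailto":
            found.add(("address", parts.path.lower()))
        elif parts.hostname:
            found.add(("domain", parts.hostname.rstrip(".")))
            found.add(("file", parts.path.rsplit("/", 1)[-1].lower()))
    return found

def verdict(html_body):
    """Return blocklist hits in sorted order; an empty list means accept."""
    hits = []
    for kind, value in sorted(indicators(html_body)):
        listed = BLOCKED[kind]
        # A listed domain also covers its subdomains.
        if value in listed or (kind == "domain" and any(value.endswith("." + d) for d in listed)):
            hits.append(f"{kind}:{value}")
    return hits
```

Matching on the decoded attribute values means the encoded `www` in the sample cannot hide the listed domain, which a plain substring search over the raw body would miss.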

  2. #2
    tonybradley (AO Security for Non-Geeks) | Join Date: Aug 2002 | Posts: 830
    I think the approach is valid and I would think it would exist to some degree on mail servers. I know I can filter within the Outlook client software based on message content.

    However, I think the main reason to NOT filter this way is processing power. You are asking the email server to not only route messages based on the header information, but also to actually open and read each message to scan for certain words or phrases. This will hugely impact the performance of the mail server, especially in a large corporation that is receiving thousands of emails an hour.

    The signature-based approach to virus blocking seems to me like it will eventually hit a wall as well. The weekly vendor updates for AV software can be up around 4Mb or 5Mb already. What happens in 5 years when there are thousands more known viruses and the weekly update gets to be 100Mb? It will become too daunting to download and update every week and it seems like the AV software would consume a lot of resources to try to process all traffic against a signature database of that size.

    I like your solution at the client level though. Outlook lets you add filter words to the JunkMail rule or you can manually create rules to handle messages in a specific way based on message content, subject line, or just about any other feature of the email.

    I used MailWasher but the free version only works for 1 account and I have about 5. I am currently using K9 to filter my spam. It takes some time for it to learn and I had to whitelist some domains so they wouldn't get flagged but it seems to be doing OK. I'll give it another couple weeks and see how accurate it is.

  3. #3
    I use this approach on my mail server (Merak Professional) which has 20 domains with about 140 users on the Dell PowerEdge Raq, Windows 2000, Pentium III, 520MB RAM. So far, the only difference I have noticed is that my customers hardly get any spam, no cpu or memory deterioration.

    These are my stats for a day.

    Message received/sent 422/573
    Failures:
    Virus:6
    CF:47
    Filter:120
    Limit:0
    RBL:256
    My mail server processes it in this order: RBL, Filter, CF and virus. As you can see by the failures, my filter catches 120 spam after processing the RBL.

    Anyway, most mail servers now use RBL, which in my opinion would use more processing, memory and bandwidth than filtering.

  4. #4
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    On the enterprise level, you can take the heat off of your e-mail servers by using an appliance like my favorite, IronMail. It has a layered approach to removing spam. We process about 250,000 messages a day and IronMail has proven itself time and time again, otherwise I wouldn't shamelessly promote it.

    Enterprise Spam Profiler (ESP) aggregates the results of five detection tools to create a highly accurate overall probability that a message is spam.

    FirstAct™, IronMail’s update service, detects and blocks spam messages by creating signatures and policies and providing them to IronMail units in the field.

    Statistical Lookup Service to compare message signatures in order to identify bulk email via collaborative filtering.

    Header Analysis to identify forged headers by applying heuristics.

    Weighted content filtering of keywords identified using Bayesian analysis.

    Heuristic message scanning to identify new threats and spam outbreaks.

    Whitelists, blacklists, and automated list updating.

    Other tools including Reverse DNS lookup, Realtime Blackhole List support.

    http://www.ciphertrust.com/ironmail/
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
