
Block SPAM by Source

SPAM is a serious problem for any non-trivial, internet-facing email setup. At shannon, we receive on average 200+ SPAM messages per day, sometimes more than legitimate emails. There are ways to filter SPAM, such as content-based filtering. However, they are resource intensive and need human training to work best. It is important to know:

  • trying to filter all SPAM is both unrealistic and unnecessary
  • blocking legitimate emails is worse than letting a small amount of SPAM through
  • the majority of SPAM is generated by unsophisticated bot networks

So a simpler and effective method to fight SPAM is to block it by SMTP source IP. This article explores several ways to accomplish this and derives an effective scheme that blocks the vast majority of SPAM.

Identifying SPAM sources

The majority of SPAM comes from either professional SPAM networks or botnets of hijacked residential PCs. Luckily there are ways to identify them by IP or by the software driving them:

  • There are public databases of known SPAMMER networks and IP ranges
  • They usually do not bother to set up proper forward and reverse DNS
  • The SPAMming software is usually a non-conforming SMTP source

A number of ways have been found to identify SPAM sources:

spamhaus.net

spamhaus.net is a public database of known spammer networks and IPs. It provides free-of-charge, DNS-based queries, and any IP flagged by it is very likely to be bad. There are also some downsides:

  • It may take some time to list new spammer IPs, which pop up every day
  • Sometimes it is overloaded and fails to respond to our query

Reverse DNS

A legitimate SMTP host is supposed to have matching forward and reverse DNS records. Because forward and reverse DNS are governed by separate entities, there is some delay and procedure involved in getting everything set up correctly, and SPAMMERS usually do not bother. Also, it is generally impossible to do for residential IP blocks anyway. So one can do two DNS calls, first a reverse lookup (IP to DNS name) and then a forward lookup (DNS name to IP), and verify that they match up; if they do, there is high confidence that the SMTP source is legitimate. However, there are also downsides:

  • Some legitimate domains do not have matching records (newbies)
  • Sometimes a DNS query will time out and cannot give you a definite answer

Grey listing

Oftentimes, spamming software is poorly written and does not conform to the standard. The idea of greylisting is to establish whether a prior relationship exists between the sender and the receiver of a message. Most of the time it does, and delivery proceeds normally. On the other hand, if no prior relationship exists, the delivery is temporarily rejected with a 451 SMTP response. Legitimate MTAs will treat this response accordingly and retry the delivery in a while. In contrast, ratware will usually fail to retry the delivery in a normal fashion. The downside is that the initial email will arrive late.

Combining all 3

We can combine all of the above into a more robust SPAM blocking scheme:

  1. first, use a whitelist to let high-traffic, known-good sender IPs pass
  2. then, do reverse DNS and forward DNS; if it fails, go to 3, otherwise skip to 4
  3. go through greylisting, because the odds of SPAM are higher
  4. finally, verify with spamhaus.net
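To make the four steps concrete, here is an added Python sketch of the whole pipeline (example code written for this page, not the exim configuration used at shannon). It covers the spamhaus.net lookup, the reverse/forward DNS check and greylisting from the sections above, and the combined order. DNS lookups are passed in as functions, so the block runs offline against constructed sample data (documentation IP ranges, a made-up DNSBL listing); the triplet greylist, the 300 second delay, the zone name and the sender/recipient addresses are all assumptions. The one design point worth noticing is that a DNS timeout is treated as "unknown" at every step: an unconfirmed host pays the greylist delay, but an unreachable DNSBL never blocks mail.

```python
"""Source-based SPAM policy: whitelist -> FCrDNS -> greylist -> DNSBL.

Hypothetical example, not the article's exim setup. DNS lookups are injected as
callables so the policy runs offline against constructed data.
"""
import ipaddress
import time
from enum import Enum


class Verdict(Enum):
    ACCEPT = "250"   # deliver
    DEFER = "451"    # greylisted: legitimate MTAs retry, ratware usually does not
    REJECT = "550"   # listed at the DNSBL


class Lookup(Enum):
    """Tri-state DNS result: a timeout is 'unknown', never 'bad'."""
    OK = 1
    FAIL = 2
    TIMEOUT = 3


# Lookup callables: ptr_lookup(ip) -> list of names, addr_lookup(name) -> list of
# IPv4 strings. Both return [] for NXDOMAIN and None when the query timed out.

def fcrdns(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS: some PTR name must resolve back to ip."""
    names = ptr_lookup(ip)
    if names is None:
        return Lookup.TIMEOUT
    if not names:
        return Lookup.FAIL
    timed_out = False
    for name in names:
        addrs = addr_lookup(name)
        if addrs is None:
            timed_out = True
        elif ip in addrs:
            return Lookup.OK
    return Lookup.TIMEOUT if timed_out else Lookup.FAIL


def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone, addr_lookup):
    """OK = listed (answer in 127.0.0.0/8), FAIL = not listed, TIMEOUT = unknown.
    Spamhaus reports query errors (open resolver, over quota) with answers in
    127.255.255.0/24, so those are treated as unknown rather than as a listing."""
    answer = addr_lookup(dnsbl_name(ip, zone))
    if answer is None:
        return Lookup.TIMEOUT
    codes = [ipaddress.IPv4Address(a) for a in answer]
    if any(c in ipaddress.IPv4Network("127.255.255.0/24") for c in codes):
        return Lookup.TIMEOUT
    if any(c in ipaddress.IPv4Network("127.0.0.0/8") for c in codes):
        return Lookup.OK
    return Lookup.FAIL


class Greylist:
    """Triplet store: first contact from (ip, sender, rcpt) is deferred for `delay` s."""

    def __init__(self, delay=300, now=None):
        self.delay = delay
        self.now = now or time.time   # injectable clock for testing
        self.seen = {}                # triplet -> first-seen timestamp

    def check(self, ip, sender, rcpt):
        t = self.now()
        first = self.seen.setdefault((ip, sender, rcpt), t)
        return Verdict.ACCEPT if t - first >= self.delay else Verdict.DEFER


def policy(ip, sender, rcpt, whitelist, greylist, ptr_lookup, addr_lookup,
           zone="zen.spamhaus.org"):
    """The four steps from the article; whitelist is a list of CIDR strings."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(net) for net in whitelist):
        return Verdict.ACCEPT                                   # step 1
    if fcrdns(ip, ptr_lookup, addr_lookup) is not Lookup.OK:    # step 2
        if greylist.check(ip, sender, rcpt) is Verdict.DEFER:   # step 3
            return Verdict.DEFER
    if dnsbl_listed(ip, zone, addr_lookup) is Lookup.OK:        # step 4
        return Verdict.REJECT
    return Verdict.ACCEPT           # not listed, or DNSBL unreachable: let it through


# Constructed sample DNS data (documentation ranges, not real hosts).
PTR = {"192.0.2.10": ["mail.example.net"],     # proper FCrDNS
       "198.51.100.77": [],                    # no reverse record at all
       "203.0.113.5": ["host.example.org"]}    # reverse name does not resolve back
FWD = {"mail.example.net": ["192.0.2.10"],
       "host.example.org": ["203.0.113.99"],
       "77.100.51.198.zen.spamhaus.org": ["127.0.0.4"],   # constructed listing
       "5.113.0.203.zen.spamhaus.org": None}              # DNSBL overloaded


def fake_ptr(ip):
    return PTR.get(ip)            # unknown ip -> None -> timeout


def fake_addr(name):
    return FWD.get(name, [])      # unknown name -> [] -> NXDOMAIN


if __name__ == "__main__":
    clock = [0]
    gl = Greylist(delay=300, now=lambda: clock[0])
    for clock[0] in (0, 600):     # first contact, then a retry 10 minutes later
        for src in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
            print(clock[0], src, policy(src, "a@example.com", "b@example.org",
                                        [], gl, fake_ptr, fake_addr))
```

Run as a script it shows the three constructed sources going through the pipeline twice: the host with proper reverse DNS is accepted immediately, the host with no reverse record is greylisted and then rejected on retry because the constructed DNSBL entry lists it, and the host whose reverse name does not resolve back is greylisted and then accepted on retry because the DNSBL query timed out. A production greylist would usually key on the sender's /24 rather than the exact IP (large senders retry from a different host), and would expire old triplets.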

The popular MTA exim can be configured this way fairly easily. SPAM traffic at shannon is reduced by 95%, with very few false positives.