Spam, spam, spam, spam, sampity spam!
I remember getting my first spam in a hotmail account and thinking how weird it was that someone would randomly send me an e-mail about their product; now no one is surprised when they receive spam.
Spam, also called UCE (Unsolicited Commercial E-mail), is now an epidemic. It easily accounts for more than 50% of all Internet mail at this point and the percentage is growing by the month. Some experts believe that in the next one or two years spam will make up more than 90% of all Internet mail. At rates like that, spam is no longer an annoyance, it's a Denial of Service.
Once you start looking at spam from the proper perspective it becomes apparent that laws will never be able to make a dent in the problem. There are already laws against damaging property and interfering with the operation of a business, yet script kiddies and more skilled crackers launch DoS and DDoS attacks daily. Clearly the perpetrators of these attacks do not think they will be made to pay for their actions, and largely they're right. Law enforcement agencies are already swamped with "normal" crimes and very few local agencies have the training to go after high-tech crimes even if they had the will. Federal agencies are hardly better off and currently most of their efforts are tied up looking for terrorists.
In fact, just look at the debacle of the recent CAN-SPAM measure passed by Congress. What was originally touted as a bill to stop spam ended up legalizing far more of it, and of course the very few aspects that were outlawed either could already have been interpreted as illegal under other laws, or will simply be ignored by the already criminal spammers. The bill even goes so far as to defy years of conventional wisdom by security experts, and codify an "opt-out" method for controlling spam. This is probably the single worst thing you can ever do in response to an unwanted message. The vast majority of the time that "opt-out" link only confirms that a live human reads your e-mail and responds to links. The only group of people that CAN-SPAM benefits is the Direct Marketing Association and others of their ilk. Clearly, the US Federal government is out of step with the rest of the world on the issue of spam.
Great, so you're on your own. What can you do? Fortunately, there's a lot you can do. First and foremost, start with the human element. Spammers don't send millions of messages just to be annoying, they send them to elicit responses. If there weren't a few people out there responding and sending money, there would be no reason for spam. That means you need to educate your employees on proper e-mail use. Because this will be in one ear and out the other to a certain percentage of employees, you should also have a strong company policy regarding e-mail use and it should be backed up with technical controls.
Here are some helpful things to include in employee education and e-mail policy:
- Do not click any links in a spam (even unsubscribe links, 99% of the time they just confirm that you read the spam!)
- Do not reply in any way to spam (this confirms that you're a "live" account)
- Do not sign up for any non-work related accounts or websites with your work e-mail address (this is one of the main ways spammers collect addresses)
- Do not post your work address on the Internet if you can at all help it. If you must post your address, use some type of obfuscation technique, such as rewriting the address, using an image instead of text, or using a script to render the text.
- Do read privacy policies and use agreements carefully, often they include a clause to "opt-out" of commercial mailings, offers, and information sharing with third parties. Always look for check boxes which will sign you up for additional mailings, since these are often check-marked by default. Be sure to clear any such check boxes before proceeding to sign up for an account on the web.
Here are some helpful technical controls to help you enforce the above:
- Do have a firewall rule in place to block outbound connections to ports 25, 110, 143, 465, 993, and 995 (all TCP). Additionally you may be able to configure your IDS to look for outbound connections (on any port) which include e-mail traffic (to prevent using e-mail applications on non-standard ports in an attempt to circumvent the firewall). It should go without saying that your actual e-mail server IPs should be exempted from the above rules.
- Do send all outbound HTTP traffic through a proxy. On the proxy, make sure to block requests to spam-related sites (those sites that show up in the CLICK HERE!!! links in spam). NOTE: this will require some on-going maintenance to be effective. You can also monitor the URL requests of users that are getting a lot of spam, chances are they're disobeying company policies.
- Do filter out mail received from unapproved mailing lists. Require employees to get permission from HR for company-approved mailing lists. These should be clearly work-related. When a particular list is approved by HR, update your e-mail filter whitelist to reflect the approved list.
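The first two technical controls above (the egress firewall rule for the mail ports, and an IDS check for mail protocols on other ports) can be expressed as one decision function. The following is an added example written for this page, not code from the original article or any product; the flow records, the documentation-range IP addresses and the approved mail-server list are all constructed. It checks the destination against the exempted mail servers first, then the blocked port list, and finally looks at the client's first protocol line so that SMTP, POP3 or IMAP sessions on a non-standard port still raise an alert.

```python
import re

# Outbound TCP ports the firewall policy blocks for ordinary workstations.
BLOCKED_PORTS = {25, 110, 143, 465, 993, 995}

# Constructed list of the organisation's own mail servers (RFC 5737 documentation
# addresses); these are exempted from the egress rule.
MAIL_SERVERS = {"192.0.2.25", "192.0.2.26"}

# Opening client lines of the three mail protocols, used by the IDS check so that
# a mail client pointed at port 2525 or 8110 is still recognised.
MAIL_CLIENT_PATTERNS = {
    "smtp": re.compile(rb"^(EHLO|HELO)\s+\S+", re.IGNORECASE),
    "pop3": re.compile(rb"^(USER|CAPA|APOP|AUTH)\b", re.IGNORECASE),
    "imap": re.compile(rb"^[A-Za-z0-9]+\s+(LOGIN|CAPABILITY|AUTHENTICATE|STARTTLS)\b",
                       re.IGNORECASE),
}


def identify_mail_protocol(first_client_line):
    """Return 'smtp', 'pop3' or 'imap' if the client's first line looks like one
    of those protocols, otherwise None."""
    for name, pattern in MAIL_CLIENT_PATTERNS.items():
        if pattern.match(first_client_line):
            return name
    return None


def evaluate_flow(flow):
    """Decide what the egress controls do with one outbound TCP flow.

    flow is a dict with dst_ip, dst_port and first_client_line (bytes).
    Returns (verdict, reason) where verdict is 'allow', 'firewall-block'
    or 'ids-alert'.
    """
    if flow["dst_ip"] in MAIL_SERVERS:
        return ("allow", "approved mail server is exempt from the egress rule")
    if flow["dst_port"] in BLOCKED_PORTS:
        return ("firewall-block", "outbound tcp/%d is blocked" % flow["dst_port"])
    proto = identify_mail_protocol(flow["first_client_line"])
    if proto is not None:
        return ("ids-alert", "%s traffic on non-standard port %d" % (proto, flow["dst_port"]))
    return ("allow", "no mail protocol detected")


# Constructed sample flows: a workstation (10.0.0.5) talking to various hosts.
SAMPLE_FLOWS = [
    {"dst_ip": "203.0.113.7", "dst_port": 25, "first_client_line": b"EHLO laptop\r\n"},
    {"dst_ip": "192.0.2.25", "dst_port": 25, "first_client_line": b"EHLO laptop\r\n"},
    {"dst_ip": "203.0.113.7", "dst_port": 2525, "first_client_line": b"EHLO laptop\r\n"},
    {"dst_ip": "203.0.113.8", "dst_port": 8110, "first_client_line": b"USER bob\r\n"},
    {"dst_ip": "203.0.113.8", "dst_port": 1143, "first_client_line": b"a001 LOGIN bob secret\r\n"},
    {"dst_ip": "203.0.113.9", "dst_port": 443, "first_client_line": b"GET / HTTP/1.1\r\n"},
]


def run_sample():
    """Evaluate every constructed flow and return the list of verdicts."""
    return [evaluate_flow(f)[0] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, (evaluate_flow(f) for f in SAMPLE_FLOWS)):
        print("%s:%d -> %-14s %s" % (flow["dst_ip"], flow["dst_port"], verdict, reason))
```

The payload check only sees the first client line, which is enough for plaintext sessions; a client that starts TLS immediately (as on 465 or 993) is caught by the port rule instead, which is why both controls are needed.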
The above steps are excellent as a jumping-off point, but they won't cause you to receive less spam, they will just cut the rate of increase in spam. You're going to need to invest a lot of time and resources if you want to stem the tide of spam. While it's possible to do this with freely available tools, remember that the cost to set up and maintain these tools is still a cost. Weigh that carefully against actually purchasing a tool to do most of the work for you. You may be surprised by the cost effectiveness (or lack thereof). The following are some tips that apply whether you use free tools, or buy a commercial tool:
- Do not accept mail from domains that don't exist. Some MTAs have a setting to cause this behavior, and some commercial anti-spam tools have this option as well.
- Do not connect your groupware server directly to the Internet (common groupware servers are MS Exchange, Novell Groupwise, IBM/Lotus Domino, etc). You do not want your groupware server spending excessive CPU cycles dealing with spam, this is a job better left to an e-mail gateway. Also, your groupware server should not be reachable from the Internet even if it isn't listed as a Mail eXchanger (see the next two bullet points).
- Do make sure that your DNS only lists filtered servers as MX hosts. The Threats section on Rogue MX hosts discusses this further.
- Do make sure that your firewall only allows external SMTP connections to approved servers. See the Rogue Mail eXchangers threat for more info.
- Do consider implementing a tool to reject unqualified recipients. This is nearly always done in the form of LDAP look-ups. NOTE: this is usually mutually exclusive to the next suggestion.
- Do consider implementing a tool to prevent directory harvesting. This can be accomplished by configuring your MTA to not respond to the VRFY request with detailed information (if it responds at all, it should only confirm that it will deliver to a certain domain, never to a certain mailbox). There are also various other tools that will notice a directory harvesting attack in progress and either alert you to it, or take steps to stop it. NOTE: this is usually mutually exclusive to the previous suggestion. You need to decide which is worse: a flood of e-mails to non-existent addresses, or the possibility that someone could construct a perfect list of real e-mail addresses for your company.
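The directory-harvesting bullet mentions tools that notice a harvest in progress. The following is an added example written for this page, not code from the original article or from any of the tools it alludes to; it shows the detection side on a constructed per-recipient log whose format (timestamp, client IP, recipient, result) is assumed for the example. A harvester tries many addresses that do not exist in quick succession, so the check counts unknown-recipient rejections per client inside a sliding time window and flags a client that crosses a threshold, while a legitimate sender with an occasional typo stays under it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log line layout (constructed for this example, not a real MTA format):
#   <ISO timestamp> client=<ip> rcpt=<address> status=<ok|unknown-user>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) rcpt=<(?P<rcpt>[^>]*)> status=(?P<status>\S+)$"
)

# Constructed sample: 203.0.113.4 is a normal sender with two typos minutes apart,
# 198.51.100.9 walks through the alphabet looking for valid mailboxes.
SAMPLE_LOG = """\
2004-01-15T10:00:00 client=203.0.113.4 rcpt=<alice@example.com> status=ok
2004-01-15T10:00:05 client=203.0.113.4 rcpt=<alcie@example.com> status=unknown-user
2004-01-15T10:00:10 client=198.51.100.9 rcpt=<aaron@example.com> status=unknown-user
2004-01-15T10:00:12 client=198.51.100.9 rcpt=<abby@example.com> status=unknown-user
2004-01-15T10:00:14 client=198.51.100.9 rcpt=<adam@example.com> status=unknown-user
2004-01-15T10:00:16 client=198.51.100.9 rcpt=<alice@example.com> status=ok
2004-01-15T10:00:18 client=198.51.100.9 rcpt=<amy@example.com> status=unknown-user
2004-01-15T10:00:20 client=198.51.100.9 rcpt=<andy@example.com> status=unknown-user
2004-01-15T10:05:30 client=203.0.113.4 rcpt=<bob@example.com> status=ok
2004-01-15T10:06:00 client=203.0.113.4 rcpt=<bobb@example.com> status=unknown-user
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_harvesters(lines, threshold=5, window_seconds=60):
    """Return {client_ip: first timestamp at which it crossed the threshold}.

    A client is flagged once it has produced `threshold` unknown-recipient
    rejections within any `window_seconds` span. Successful deliveries are
    ignored: a harvester guesses a few real names too, and they must not
    reset the count.
    """
    recent_unknown = defaultdict(deque)  # client -> timestamps of recent rejections
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "unknown-user":
            continue
        window = recent_unknown[rec["client"]]
        window.append(rec["ts"])
        # Drop rejections that have aged out of the window.
        while window and (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and rec["client"] not in flagged:
            flagged[rec["client"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for client, when in detect_harvesters(SAMPLE_LOG.splitlines()).items():
        print("%s flagged as directory harvester at %s" % (client, when.isoformat()))
```

What to do with a flagged client is a policy choice the bullet leaves open: alerting, temporarily deferring that client's connections, or dropping it at the firewall are the usual responses. The threshold and window should be tuned against your own logs so that mailing lists and large legitimate senders are not caught.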
- Do consider rejecting e-mail from domains that don't have valid MX records. I'm not aware of any current tools that allow this, but if you're working with an Open Source MTA you might be able to hack this in. I also know that it's currently being considered for implementation in some commercial and Open Source anti-spam tools.
- Do consider implementing RBL lookups, although be very careful picking which RBLs to do your lookups from. Some sites are notoriously bad, while others are amazingly accurate. Historically, the biggest complaint about RBLs has been their false positives (i.e. listing "good" IPs), coming in a close second is that they're unresponsive to requests to remove "good" IPs. Due care must be exercised in selecting RBLs to use. They're supported by both Open Source and commercial tools.
- Do set up SPF records for your domains and include SPF verification in your border MTAs and/or e-mail gateway. More information on SPF can be found via the link in the Links section of this site.
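Three of the bullets above are checks on the sender's domain at the border MTA: rejecting domains that don't exist, rejecting domains without an MX record, and verifying SPF. The following is an added example written for this page, not code from the original article or from any MTA or anti-spam product, that runs all three against one connection. Because it has to work offline, DNS is replaced by a constructed in-memory table (documentation-range addresses and example domains); the SPF evaluator covers the `ip4`, `a`, `mx`, `include` and `all` mechanisms with their qualifiers, which is enough to follow the records in the table, and reports `permerror` on anything it does not understand rather than guessing.

```python
import ipaddress

# Constructed stand-in for DNS. Each name maps to its record types.
DNS = {
    "example.com": {
        "MX": ["mail.example.com"],
        "TXT": ["v=spf1 mx ip4:192.0.2.0/28 include:_spf.partner.example -all"],
    },
    "mail.example.com": {"A": ["192.0.2.10"]},
    "_spf.partner.example": {"TXT": ["v=spf1 ip4:198.51.100.50 -all"]},
    "softfail.example": {"MX": ["mx.softfail.example"], "TXT": ["v=spf1 mx ~all"]},
    "mx.softfail.example": {"A": ["198.51.100.60"]},
    "nospf.example": {"MX": ["mx.nospf.example"]},      # exists, MX, but no SPF
    "nomx.example": {"A": ["198.51.100.7"]},            # exists, but no MX record
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_spf(client_ip, domain, depth=0):
    """Evaluate the domain's SPF record for a connecting client IP.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    Supported mechanisms: all, ip4, a, mx, include (with +, -, ~, ? qualifiers).
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(client_ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:                           # ip6, ptr, exists, redirect= etc. not modelled here
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' term


def sender_policy(client_ip, mail_from):
    """Apply the three sender-domain checks from the article to one MAIL FROM.

    Returns (action, reason) where action is reject, accept-tagged or accept.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in DNS:
        return ("reject", "sender domain does not exist")
    if not lookup(domain, "MX"):
        return ("reject", "sender domain has no MX record")
    result = check_spf(client_ip, domain)
    if result == "fail":
        return ("reject", "SPF fail for %s from %s" % (domain, client_ip))
    if result in ("softfail", "permerror"):
        return ("accept-tagged", "SPF %s, deliver but mark for the spam filter" % result)
    return ("accept", "SPF %s" % result)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "alice@example.com"), ("203.0.113.9", "alice@example.com"),
                       ("203.0.113.9", "bob@nomx.example"), ("203.0.113.9", "bob@nowhere.example")]:
        print(ip, sender, "->", sender_policy(ip, sender))
```

The softfail branch reflects the usual deployment advice: a `~all` record is the domain owner saying "probably not us", so the message is tagged for the content filter rather than refused outright, while `-all` is a definite statement and is safe to reject on at the border.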
This site © copyright 2003-2011 Brian Keefer. Unauthorized republication is forbidden.