Stopping Spam Before Looking at the Content
Written by Jeff on September 26, 2012
When we think of our spam filters, we usually think of a tool that scans through the content of our incoming email messages scouring each for specific words or phrases that are commonly used by spammers.
For anti-spam filtering to be reliable, there needs to be a variety of methods used to identify junk mail. Since the bad guys are aware of the many techniques used to identify spam based on the content of the message, they are often able to craft emails that slip through the cracks.
To keep these more savvy emails from getting through, the best spam filters use any number of the following means:
Before even looking at the message itself, spam filters will look at the IP address of the incoming connection and check the reputation of that address. The address is matched against both white lists, which allow the message to come through for further processing, and black lists, which immediately stop a message from any further review.
More sophisticated filters also check whether the sender is known to send a mixture of spam and legitimate email, or whether the IP address has only recently begun sending email. In either case the address can be scrutinized more closely because a flag has been raised.
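As an added illustration of the reputation checks just described (example code written for this page, not from the original post or any particular product), here is a small Python decision routine. It goes slightly beyond the text by showing the reverse-octet name form that DNS-based block lists are queried with; the white list, black list, mixed-sender set, first-seen window and the DNSBL zone name are all constructed sample data, and the DNSBL "resolver" is a dictionary standing in for a real DNS lookup.

```python
import ipaddress
import time

# Constructed sample data for this example; none of these addresses or zones
# are real listings (RFC 5737 documentation ranges are used throughout).
WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]   # trusted relays
BLACKLIST = [ipaddress.ip_network("198.51.100.0/24")]  # known spam sources
MIXED_SENDERS = {ipaddress.ip_address("192.0.2.10")}   # sends spam and legitimate mail
DNSBL_ZONE = "dnsbl.example.test"                      # placeholder block-list zone

# Stand-in for a DNS resolver: maps a DNSBL query name to the listing answer.
# A real filter would issue an A-record query for the name instead.
FAKE_DNSBL_ANSWERS = {"7.2.0.192." + DNSBL_ZONE: "127.0.0.2"}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reverse-octet name a DNS block list is queried with:
    1.2.3.4 under zone Z becomes 4.3.2.1.Z (IPv4 only in this example)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def listed(addr, networks):
    """True if addr falls inside any of the CIDR networks."""
    return any(addr in net for net in networks)


class ReputationCheck:
    """Decide, from the connecting IP alone, whether to accept a session for
    content filtering, reject it outright, or scrutinize it more closely."""

    def __init__(self, whitelist=WHITELIST, blacklist=BLACKLIST,
                 mixed_senders=MIXED_SENDERS, resolver=FAKE_DNSBL_ANSWERS.get,
                 new_sender_window=86400, clock=time.time):
        self.whitelist = whitelist
        self.blacklist = blacklist
        self.mixed_senders = mixed_senders
        self.resolver = resolver
        self.new_sender_window = new_sender_window  # seconds an IP counts as "new"
        self.clock = clock
        self.first_seen = {}  # ip -> timestamp of its first connection

    def decide(self, ip):
        """Return (verdict, reasons); verdict is accept, reject or scrutinize."""
        addr = ipaddress.ip_address(ip)
        now = self.clock()
        self.first_seen.setdefault(addr, now)
        if listed(addr, self.whitelist):
            return "accept", ["whitelist"]       # on to content filtering
        if listed(addr, self.blacklist):
            return "reject", ["blacklist"]       # no further review at all
        if self.resolver(dnsbl_query_name(addr)) is not None:
            return "reject", ["dnsbl"]
        reasons = []
        if addr in self.mixed_senders:
            reasons.append("mixed-sender")
        if now - self.first_seen[addr] < self.new_sender_window:
            reasons.append("new-sender")
        return ("scrutinize", reasons) if reasons else ("accept", [])


if __name__ == "__main__":
    check = ReputationCheck()
    for ip in ("203.0.113.5", "198.51.100.9", "192.0.2.7", "192.0.2.10", "192.0.2.200"):
        print(ip, check.decide(ip))
```

The "scrutinize" verdict is what feeds the later stages on this page: a flagged address is not blocked, it is simply handed the stricter treatment (greeting delay, throttling, full content scan) rather than the fast path.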
With botnets being the most prolific senders of spam these days, a quick check of the operating system can also provide the anti-spam solution with some excellent information to help stop spam from being delivered.
If the operating system of the email server is one that is commonly used for the consumer market, then it is not likely a legitimate email server. Not many businesses are using Windows XP as the operating system for their mail server.
Whenever a sending server connects to a receiving mail server, the receiver is supposed to reply with an SMTP greeting. This greeting is usually something along the lines of 220 mail.yourdomain.com ESMTP Service ready. Once the sending server receives this greeting it will proceed to send the rest of the information, but it is not supposed to send anything until it has received it.
Some anti-spam solutions will pause this greeting on purpose to see if the sender waits to receive the acknowledgement before sending the rest of the information. If the sending server fails to wait, it could be a clue that the message is being sent by a spammer.
When a connection raises suspicions, some anti-spam filters will slow down the connection using throttling technology. Because the server connection is so slow, spammers may give up because it is a waste of their resources. Basically, if messages take too long to be delivered then they reach fewer potential victims. The spammers would be better served by moving on to another mail server’s users so they can be more efficient. This technique is often referred to as a tarpit by those in the anti-spam industry.
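The greeting delay and the tarpit together, as an added Python example written for this page (not code from the original post or from any mail product): a loopback SMTP listener holds its 220 banner back, rejects any client that talks before the banner arrives, and, when told the sender is suspicious, sleeps before every reply so the session costs the sender wall-clock time. The host names, the delay values and the reply texts are placeholders chosen for the example; the simulated sending server lets you run both a compliant client and an early talker against it offline.

```python
import select
import socket
import threading
import time

BANNER_DELAY = 0.5             # seconds the 220 greeting is held back (constructed value)
HOSTNAME = b"mx.example.test"  # placeholder name for the receiving server


def serve_one(listener, banner_delay=BANNER_DELAY, tarpit=0.0):
    """Accept one connection and apply two pre-content checks.

    1. Greeting delay: hold the 220 banner back for `banner_delay` seconds.
       A compliant sending server sends nothing until it has seen the banner,
       so any bytes arriving earlier mark the peer as an "early talker".
    2. Tarpit: when `tarpit` > 0 (a suspicious sender), sleep before every
       reply so the session is slow for the sender.

    Returns "early-talker" or "ok".
    """
    conn, _ = listener.accept()
    with conn:
        readable, _, _ = select.select([conn], [], [], banner_delay)
        if readable:
            conn.recv(1024)  # drain what was sent early so close() ends cleanly
            conn.sendall(b"554 5.7.1 Protocol error: data sent before greeting\r\n")
            return "early-talker"
        time.sleep(tarpit)  # the tarpit slows the banner as well
        conn.sendall(b"220 " + HOSTNAME + b" ESMTP Service ready\r\n")
        conn.settimeout(5)
        command = conn.recv(1024)  # a compliant client speaks only now
        time.sleep(tarpit)
        if command.upper().startswith((b"EHLO", b"HELO")):
            conn.sendall(b"250 " + HOSTNAME + b"\r\n")
        else:
            conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
        return "ok"


def probe(client_waits_for_banner, banner_delay=BANNER_DELAY, tarpit=0.0):
    """Run the listener and a simulated sending MTA on loopback.

    Returns (server verdict, first reply line seen by the client, seconds elapsed).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, no network access needed
    listener.listen(1)
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(verdict=serve_one(listener, banner_delay, tarpit)))
    worker.start()
    started = time.monotonic()
    with socket.create_connection(listener.getsockname()) as client:
        client.settimeout(10)
        if client_waits_for_banner:
            banner = client.recv(1024)  # a well-behaved MTA reads the 220 first
            if not banner.startswith(b"220"):
                raise RuntimeError("unexpected greeting: %r" % banner)
        client.sendall(b"EHLO sender.example.test\r\n")
        reply = client.recv(1024)
    elapsed = time.monotonic() - started
    worker.join()
    listener.close()
    return outcome["verdict"], reply.decode().strip(), elapsed


if __name__ == "__main__":
    print("compliant client:", probe(client_waits_for_banner=True))
    print("early talker:    ", probe(client_waits_for_banner=False))
    print("tarpitted client:", probe(client_waits_for_banner=True, tarpit=1.0))
```

The early-talker branch drains the bytes that arrived before the banner before closing; without that, a socket closed with unread data is reset rather than shut down cleanly, and the 554 reply might never be seen by the peer. In a production filter the `tarpit` value would come from the reputation verdict for the connecting address rather than from a parameter.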
These methods help fight spam because they recognize junk mail before the content even gets looked at. The problem with some of these methods is the fact that they can produce false positive rates that are a bit too high for most people to find acceptable.
For example, a marketing campaign that relies on email can hurt a mail server’s reputation if it is not carried out properly. Legitimate emails sent from that same server can be blocked or subjected to excess scrutiny as a result. Believe me, I have worked for a company that was guilty of this on many occasions.
However, these techniques can be extremely effective when combined with a solid content filtering solution. Anti-spam solutions that look at the message from multiple angles are always the best at stopping spam from the average bad guys, and are just as effective at preventing spam from the more sophisticated ones.
Is your company using any of these techniques to fight spam? If so, let us know how well it is working.