Should You Use More than One Blacklist to Prevent Spam?

Written by Paul Cunningham on July 21, 2010

Blacklists (or block lists) are a spam prevention technique that uses lists of IP addresses or domain names that are associated with spamming to determine whether to block or allow a particular email transmission.

Although the technique falls under one general description, there are many different implementations of block lists that can be used to make different determinations about whether an email is spam or not.

Some of the different techniques include:

  • URI lists – these are lists of domain names and IP addresses that have been used as hyperlinks in emails that lead a victim to a malicious website, for example a bank phishing scam
  • Open Relay lists – these are lists of mail server IP addresses that have been discovered as open relays and can be (or have been) used by spammers to send emails
  • IP lists – aside from open relays, lists of IP addresses that have directly been a source of spam, or are highly likely to be one (eg an ISP’s customer IP blocks)

The mechanism for each is basically the same – the mail server inspects the SMTP connection, or email message, that it is receiving.  It then queries one of these block list providers with the URIs or IP addresses, and if it registers a hit it then takes the configured action (usually to drop the email).

With so many different block list providers and different techniques, the obvious question is whether more than one provider should be configured on the email server that is responsible for blocking spam in your organization.  Naturally this depends on the specific organization and which services are being used.

Why You Should Not Use a Catch All Email Address

Written by Paul Cunningham on May 26, 2010

A “catch all” email address is a mailbox that is configured to receive any emails that are sent to addresses that do not match a real, valid recipient.

Catch all addresses are popular in a few different scenarios and for a few different reasons.

Common Uses of Catch All Email Addresses

Small businesses often use a catch all email address rather than configure separate sales@, service@, news@ and other common email addresses.

Similarly, many businesses use a catch all as a means to avoid missing potential sales opportunities if someone was to email a non-existent address.

Catch alls are also sometimes used to prevent email sent to misspelled email addresses from being rejected.

Why You Should Not Use Catch All Email Addresses

Catch all email addresses also have some downsides.  A catch all mailbox is going to receive a lot of multi-purpose email such as sales enquiries and support requests, and so it may become difficult to sort and prioritise new emails.

The catch all mailbox will also naturally receive email that may be private correspondence to an individual within the organization, but that had a misspelled email address.  Instead of privacy or confidentiality being maintained by rejecting the misspelled address so that the sender is made aware of their error, the message is delivered to the catch all mailbox, which may cause an information leak.

4 Ways to Protect Email Addresses on Websites, That Don’t Really Work

Written by Paul Cunningham on March 17, 2010

The Techbusy.org blog offers us 4 tips for hiding email addresses from spammers and hackers when displaying the address on a web page.

The reason behind it is simple – spammers use spiders (much the same as search engines do) to crawl web pages looking for email addresses in the familiar something@something.com format.  When they find one they will add it to their address database and start sending it spam.

It’s true, and if you were to list your email address on your website it would quickly be discovered and you’ll start receiving spam.  Of course it’s also true that most email addresses will receive spam shortly after they are created thanks to the many ways in which spammers find your email address.

The 4 techniques proposed by Techbusy.org fall into either the “security by obscurity” category (also known as “things that make you feel more secure but really don’t help”), or the “makes it harder for real people to email you” category.

The former is wasted effort, and the latter is not good for businesses who want to hear from potential customers via email.  So let’s take a closer look at the 4 tips.

Spam traps nab 95% of all email

Written by John P Mello Jr on February 5, 2010

Ninety-five percent of email never reaches an inbox.

Email service providers trash 95 percent of the traffic headed to their customers’ inboxes, according to a survey from a European security group.

“[S]pam’s impact on the business has been greatly reduced through effective anti-spam measures,” the European Network and Information Security Agency reported recently in its third annual 2009 Anti-Spam Measures Survey.

“Anti-spam measures are doing their job, reducing the threat of spam to a manageable security process,” it added. “This process still requires focus, expertise and resources, but it is arguably predictable.”

“These measures currently filter out over 95 percent of email traffic, using a variety of methods, greatly reducing the volume of spam that customers receive, without causing significant problems with false positives,” it continued.

The researchers found “alarming” the current state of blacklist management.

Blacklists are one of the most common ways service providers block spam from leaving their servers, followed by outbound virus scanning and port 25 monitoring. Yet some 66 percent of the survey participants said their servers had been added to or retained on blacklists incorrectly. What’s more, the same percentage told the surveyors that they believe that major blacklists sometimes incorrectly include servers that do not, or no longer, send spam.


Weight Loss Scams Reveal Why Spam Works

Written by Paul Cunningham on January 6, 2010

Business Week reports that a study by researchers in New York reveals that as many as one in five young, overweight people have been a victim of email spam.

The study revealed some interesting statistics:

  • 88% of overweight individuals reported receiving spam pitching weight loss products, compared to 73% of other respondents
  • 42% of overweight individuals said they opened the spam, compared to 18% of other respondents
  • 18% of overweight individuals said they bought products promoted in the emails, compared to just 5% of other respondents

Firstly why do overweight people receive more weight loss spam?  One theory is that these people are visiting more web sites on that topic than other people, and therefore end up in marketing databases.  This means that the spam is either coming from the website owner, or another party that is given access to the database of email addresses.  This access may be either from selling the list or by using co-registration, which is a legitimate lead-sharing strategy that is often abused by spammers.

For any email marketer a 42% open rate is outstanding.  It means that the subject line for the email was very effective at enticing the recipient to open the email and read more.

For a spammer sending 1,000,000 emails, a 42% open rate does not mean 420,000 people opened them.  Most of those recipients will never receive the spam due to anti-spam protection on their email server or their computer.  But even a 1% penetration could mean several thousand people open the email.

Finally the conversion rate for overweight people is very good at 18%.  Several hundred conversions of a weight loss product likely to cost $50-$200 is a good day’s pay for the spammer.

No More Big Spam Network Shutdowns

Written by Paul Cunningham on December 16, 2009

In November 2008 the antispam community collectively cheered as the McColo ISP, a major source of the spam on the internet, was disconnected by its network providers, effectively shutting it down.

At the time global spam levels dropped by about 75%.  Since then spam has steadily risen in volume and returned to similar levels again.  Some might wonder why more spam network shutdowns similar to McColo are not occurring again.

The problem is highlighted in a recent monthly report by a security vendor.

McColo has taught botnet owners a lesson.  Botnet control centres have become more distributed, spanning many networks in many countries. The loss of a big hosting provider today would prove only a minor inconvenience – as opposed to a major defeat – for spammers.

I’ve written in the past about the international nature of spam fighting.  Microsoft’s Terry Zink described the problem very well in an analysis of a spam message he received.

Here’s how it works: A malware author infects a machine in Canada (1) that relays spam to a machine in the United States (2), which contains payload that points to a machine in Spain (3) registered by a guy in the United States (4) using a registrar in France (5), which is resolved by a name server in the Czech Republic (6).

And that’s not all.

The guy in Texas is using name servers that look like they are located in Russia, but they are not.  The one name server which resolves the spammy site is exploited (the one sitting in the Czech Republic) and then the top domain cn8.ru, sitting on a machine in China…

So for this one item of spam, which is probably one of many from an organized spam network, the authorities of Canada, USA, Spain, France, Czech Republic, Russia and China would all need to cooperate to shut the spam network down.

8,500 Billion Reasons Your Business Needs Spam Protection

Written by Paul Cunningham on December 9, 2009

New figures from security analysts estimate as many as 5 million computers are under the control of the top 10 botnets.  This includes the Cutwail botnet, which has been blamed for as much as 29 percent of all spam during the 6 months between April and November of this year, or approximately 8,500 billion spam emails.

That’s 8,500,000,000,000 spam emails from one botnet, contributing to not even one third of the total spam for that 6 month period.  If your business needed one more reason to invest in spam prevention there is 8.5 trillion to choose from right there.

Where to Start?

Choosing from the variety of antispam systems available on the market can seem like a daunting task.  The best place to start is an analysis of your own needs.  Ask yourself these questions:

How many users do we need to protect? – Most antispam products are licensed per-user or per-mailbox that is being protected.  You need to know how many licenses you will need so that price comparisons can be made.

How many servers do we need to protect? – Some products are also licensed per-server, so it is important to know how many email servers are in your environment.  Depending on the antispam product it may be installed onto mail servers or it may reside on its own server.

How many locations do we need to protect? – For larger organizations with multiple entry points into the network for email a distributed antispam system might be required.  This will affect the choice of product as some are easier than others to administer in multi-server deployments.

Do we want to host this ourselves or outsource it? – Some businesses will require complete control of important systems like antispam while others will prefer to outsource spam protection so they don’t need to install and manage yet another server of their own.

Learning about Available Products

Once your basic needs have been determined it is time to find out what is available in the marketplace for antispam software.  You can use Google searches such as “email security” and “business antispam” to identify vendors and product names.

9 Benefits of Hosted Antispam Services

Written by Paul Cunningham on November 5, 2009

Cloud computing is a popular topic these days.  One of the ways in which cloud computing is being delivered to businesses is by hosted email security services.

A hosted email security provider offers antivirus and antispam protection for their customers using servers hosted off the customer’s premises.  This delivery model carries many benefits to the customers.

Equipment Costs – by choosing a hosted service the customer is not required to purchase their own server hardware to run the security product on their own premises.

Support Costs – support is included in the monthly fee to the hosted provider, so the customer is not required to hire and retain staff to manage an on-premise solution.  The hosted provider is responsible for all maintenance and upgrades to keep the service running smoothly.

License Costs – because the customer is not running their own server they also save on software licensing costs.  Instead they simply pay a per-user license fee to the hosted provider.

Bandwidth – because any virus or spam emails are filtered by the hosted provider, that traffic never reaches the customer’s network, saving their bandwidth, which is both a cost and a performance benefit.

7 Major Sources of Spam on the Internet

Written by Paul Cunningham on July 22, 2009

Anyone who uses the internet, whether for business or for leisure, has had first hand experience with spam at some point in time.  Spam is a problem that plagues the internet and affects us all in some way.  Like most problems the spam problem is a very complex one.  There is no single source or cause of spam, which means there is no single solution to the problem.  In this post I’ll explain some of the sources and causes of the spam that we see every day.

Botnets and Zombies

Bots or zombies are typically home computers that have been infected with some type of virus or malware, which puts the computer under remote control by a malicious person.  A group of these computers is referred to as a botnet, and is used by a spammer to send out millions of emails containing spam, phishing scams, and computer viruses.

Examples of botnets include the Cutwail and Rustock botnets that are responsible for massive spam attacks around the world.

Because botnets are made up of computers located within ISP customer IP subnets they can often be blocked by using connection filtering to block any SMTP connections from those IP address ranges.  When this fails you have to rely on content filtering to detect the spam content within the messages.

Open Relays

An open relay is a poorly configured email server that allows anyone to relay messages through it to any other destination email address.  Modern email server software is not configured to permit open relay by default; it usually takes human error to configure a server this way, and there are few genuine reasons to run an open relay, especially one that is open to the internet where it can be abused by spammers.

Anti-Spam Products Are More Than the Sum of Their Parts

Written by Paul Cunningham on April 24, 2009

When you boil the spam problem down it becomes quite simple – someone is sending you emails that you don’t want to receive.  This makes the anti-spam solution a simple one too – stop unwanted emails from arriving in someone’s email account.  However, actually achieving this is a very complex task.

Any anti-spam system that is worth using will contain a range of preventative measures and features that are used to determine whether an email is likely to be spam or not.  As a complete solution they can be very effective, but taken individually their weaknesses become more apparent.  Here are some examples.

Source IP Filtering

Also known as Connection Filtering, DNSBL, or RBL, this technique compares the source IP of an incoming SMTP connection to a list of suspected spam sources.  The list can be either a manually maintained list that the email administrator creates, or a subscription list from a third-party provider (such as Spamhaus).  If the IP address is on the list then the email is considered likely to be spam and the server will drop or reject it.

The weakness of this technique is when IP addresses are mistakenly included in the list.  A legitimate email server may find itself blocked by other systems that are subscribed to a particular IP list, which prevents important business email from being sent to those systems.  Similarly, some regular sources of spam emails such as free web-based email services cannot be blocked by IP address because that would certainly block a lot of legitimate email as well.

Content Filtering

Early anti-spam products made decisions about spam emails using single word matches such as “Viagra” or foul language.  This quickly proved fruitless because spammers would simply vary the word slightly in each email, for example “v1agra” and “via.gra”.  Content filtering then improved to include databases of spam phrases and patterns and would assess more of the content in an email to determine if it was spam.