ISPs Don’t Want to be Spam Cops

Written by Paul Cunningham on January 20, 2010

British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.

Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.

The legislation idea has merit; after all, the lack of cooperation between government agencies is how many international spam operations manage to go unpunished. The blocking of SMTP, on the other hand, is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this. Customers send mail using SMTP, so blocking SMTP and requiring that customers send mail via the ISP’s mail servers would allow close monitoring of email traffic and detection of spam.

The solution is problematic though, because many ISP customers, both home users as well as businesses, have perfectly good reasons not to send their email via their ISP’s mail servers. These customers would need to be exempted from the SMTP block, and hence cannot be closely monitored.

The monitoring itself also presents two problems. Firstly, customers object to having their email correspondence inspected by other parties, including their ISP. Secondly, any false positives could have disastrous consequences if important emails were blocked. ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.

Two Heads Fight Spam Better Than One

Written by Paul Cunningham on December 2, 2009

Independent security organization Virus Bulletin has called for makers of email security products to collaborate in the fight against spam.

Virus Bulletin conducted a test of 14 anti-spam products using 200,000 emails made up of both spam and legitimate content. They found that combining the products both increased the rate of detection and decreased the likelihood of false positives.

Although the increase in detection rate over the typical rates of popular anti-spam products was only a minor percentage, it can account for many thousands of additional spam messages blocked in larger business environments.

Combining multiple email security engines into a single product is not a new concept. Antivirus products have been doing this for several years now, with major antivirus companies licensing their engines as optional plugin components of an email security product. It is not unusual to find email systems protected by 3 to 5 different antivirus engines.

In the fight against spam, collaboration could make significant improvements for businesses. Primarily this would occur in the content filtering engine component of anti-spam products. Different vendors produce different content filtering databases that are more effective against some spam threats than others.

But the collaboration would not work, or would not even be necessary, at other levels of an anti-spam system. For example, DNS block lists from different providers are already easily plugged into most email security systems and can be used in combination with each other.

Bayesian filtering would also not benefit from collaboration because of the way it works. What a Bayesian filter learns about one organization’s email patterns would not always translate well to other organizations, so sharing this data would be pointless (and potentially a security risk in itself).

7 Major Sources of Spam on the Internet

Written by Paul Cunningham on July 22, 2009

Anyone who uses the internet, whether for business or for leisure, has had first-hand experience with spam at some point in time. Spam is a problem that plagues the internet and affects us all in some way. Like most problems, the spam problem is a very complex one. There is no single source or cause of spam, which means there is no single solution to the problem. In this post I’ll explain some of the sources and causes of the spam that we see every day.

Botnets and Zombies

Bots or zombies are typically home computers that have been infected with some type of virus or malware, which puts the computer under the remote control of a malicious person. A group of these computers is referred to as a botnet, and is used by a spammer to send out millions of emails containing spam, phishing scams, and computer viruses.

Examples of botnets include the Cutwail and Rustock botnets that are responsible for massive spam attacks around the world.

Because botnets are made up of computers located within ISP customer IP subnets, they can often be blocked by using connection filtering to refuse any SMTP connections from those IP address ranges. When this fails you have to rely on content filtering to detect the spam content within the messages.

Open Relays

An open relay is a poorly configured email server that allows anyone to relay messages through it to any other destination email address. Modern email server software is not configured to permit open relay by default; it usually takes human error to configure a server this way, and there are few genuine reasons to run an open relay, especially not one that is open to the internet where it can be abused by spammers.

How to protect Exchange Server 2007 with Content Filtering

Written by Paul Cunningham on December 19, 2008

Exchange Server 2007 anti-spam functionality includes the Content Filter agent, which is designed to provide spam detection based on the contents of an email message.

The Content Filter agent is based on the Intelligent Message Filter first introduced in Exchange Server 2003. The Intelligent Message Filter bases its spam detection on a database of email submissions from Microsoft partners that is used as a basis for heuristic scanning of email content. A “spam confidence level” (SCL) rating is then assigned to the email message and used to determine whether to classify the message as spam or not.

The SCL rating is a number from 0 to 9; the higher the number, the more likely the email message is spam.

The Content Filter agent assesses the content of email messages after the Connection Filter agent has initially determined whether the sending host should be blocked entirely. This order of priority improves Exchange server performance by removing the most obvious spam based on the sending IP address before the more resource-intensive content filtering takes place.
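As an added example (not from the post), this is how the two-stage arrangement described above is configured from the Exchange Management Shell on an Exchange 2007 server running the anti-spam agents: the Connection Filter agent rejects a known-bad IP range at connect time, then the Content Filter agent acts on the SCL it assigns. The IP range, quarantine mailbox and threshold values are placeholders chosen for illustration.

```powershell
# Added example, not the post's own code. Run in the Exchange Management Shell.
# The IP range and quarantine mailbox below are placeholders, not real values.

# 1. Connection Filter agent: refuse SMTP connections from a blocked range
#    before any message content is received or scanned.
Add-IPBlockListEntry -IPRange 192.0.2.0/24 -Comment "Placeholder range for the example"

# 2. Content Filter agent: act on the SCL (0-9) assigned to each message.
#    Exchange requires the thresholds to be ordered Delete >= Reject >= Quarantine,
#    so the most certain spam is dropped silently, likely spam is rejected with an
#    NDR, and borderline mail is held in a quarantine mailbox for review.
Set-ContentFilterConfig `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -QuarantineMailbox "spam-quarantine@example.com"

# Mail below the quarantine threshold is still delivered; the organization-wide
# junk threshold decides when it lands in the user's Junk E-mail folder instead.
Set-OrganizationConfig -SCLJunkThreshold 4

# 3. Confirm the settings and see what each agent actually did to recent mail.
Get-ContentFilterConfig | Format-List Enabled, SCL*Enabled, SCL*Threshold
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -match "Connection Filtering Agent|Content Filter Agent" } |
    Select-Object Timestamp, Agent, Action, Reason, ReasonData
```

Reviewing the agent log before tightening the reject threshold shows how much legitimate mail would have been affected, which is the false-positive exposure the earlier posts on this page warn about.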