<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; Content Filtering</title>
	<atom:link href="http://www.allspammedup.com/tag/content-filtering/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>5 Ways to Keep Your Marketing Emails away from Spam Filters</title>
		<link>http://www.allspammedup.com/2011/10/5-ways-to-keep-your-marketing-emails-away-from-spam-filters/</link>
		<comments>http://www.allspammedup.com/2011/10/5-ways-to-keep-your-marketing-emails-away-from-spam-filters/#comments</comments>
		<pubDate>Wed, 19 Oct 2011 14:00:25 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=5992</guid>
		<description><![CDATA[Like most companies, you probably put a lot of work and thought into your marketing emails. You carefully compile a list of interested customers, choose the perfect design, write amazing content, come up with hard to resist offers, and send it &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2011/10/5-ways-to-keep-your-marketing-emails-away-from-spam-filters/">5 Ways to Keep Your Marketing Emails away from Spam Filters</a></p>
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-162" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2008/10/email-at1.gif" alt="" width="259" height="182" /></p>
<p>Like most companies, you probably put a lot of work and thought into your marketing emails. You carefully compile a list of interested customers, choose the perfect design, write amazing content, come up with hard-to-resist offers, and send it off. Unfortunately, all your hard work may be in vain if your emails end up in a spam folder or filter. Most people don’t bother to check their spam folders, and some don’t even understand that they have two of them: the one in their email program, and the one in their ISP’s webmail service. Here are five ways to make sure your marketing emails make it to your customers:</p>
<p>1. Make sure your content is top quality. Avoid spammy words such as amazing, fast, free, please read, now, congratulations, win, offer and bargain. These words, and many more, are programmed into most email programs and spam filters. These programs scan incoming mail and immediately dump any with the trigger words in the subject line or body into a spam folder. You can find lists of words to avoid by doing a quick Google search.</p>
<p>2. Ask your subscribers to whitelist you. Not all email programs and systems have this feature, but it’s still a good idea to ask your recipients to whitelist the email address your marketing emails come from.</p>
<p>3. Make sure that your marketing email address is a high quality one. Reputation matters, so make sure you use one with your domain name in it, such as <a target="_blank" href="mailto:sales@xyz.com">sales@xyz.com</a>. Avoid using addresses from Hotmail, AOL, MSN, Yahoo, and other free email services.</p>
<p>4. Choose your lists with care and check them regularly. Make sure everyone on your list opted in, respond to unsubscribe requests promptly, and go through your list regularly to get rid of invalid addresses.</p>
<p>5. Pay attention to your stats. When you run a campaign be sure to take note of your deliverability rates and other stats so you can spot and fix problems early.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/10/5-ways-to-keep-your-marketing-emails-away-from-spam-filters/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Blekko Identifies Over a Million Domains as Spam</title>
		<link>http://www.allspammedup.com/2011/03/blekko-identifies-over-a-million-domains-as-spam/</link>
		<comments>http://www.allspammedup.com/2011/03/blekko-identifies-over-a-million-domains-as-spam/#comments</comments>
		<pubDate>Wed, 23 Mar 2011 09:13:08 +0000</pubDate>
		<dc:creator>Malcolm James</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3898</guid>
		<description><![CDATA[In what appears to be a hot and nasty brawl brewing between David and Goliath, a tale of two search engines is getting significant press about respective plans to fight spam by removing spam-laden sites from search results. It has &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/03/blekko1.jpg"><img class="alignright size-medium wp-image-3905" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/03/blekko1-400x311.jpg" alt="" width="280" height="218" /></a>In what appears to be a hot and nasty brawl brewing between David and Goliath, a tale of two search engines is getting significant press about respective plans to fight spam by removing spam-laden sites from search results. It has all the trappings of a prize-fight: in this corner, the search engine behemoth Google, weighing in at several billion dollars; in that corner Blekko, the relatively unknown challenger, new to the scene but poised to take on its opponent with what Blekko calls, “the first search algorithm ever created to find spam rather than rank results.”</p>
<p>Blekko, the nascent search engine that launched last November, <a target="_blank" href="http://blog.blekko.com/2011/03/09/an-algorithm-for-finding-killing-spam/">announced last week</a> that it has identified over a million web domains as spam and blocked them from its search results. Utilizing a technology that Blekko calls its AdSpam algorithm, the move could have tremendous implications, at least for the users of Blekko, which reports a million queries a day and about a half million users each month. Rather than adopting Google’s method of lowering the rank of suspicious sites in its search results, AdSpam instead takes a scorched earth policy by identifying sites that are laden with ads and light on content, and blocking them altogether.</p>
<p>The move of blocking 1.1 million domains has the direct effect of removing potentially hundreds of millions of spam pages, an achievement of which Blekko CEO Rich Skrenta is tremendously proud.</p>
<blockquote><p>“Domains with low quality content plus keyword ads are ‘machines that print money,’” Skrenta has been <a target="_blank" href="http://bits.blogs.nytimes.com/2011/03/09/blekko-blocks-1-1-million-web-sites-from-its-search-engine/">quoted</a>. “If you make a machine to print money, people will exploit it.”</p></blockquote>
<p><span id="more-3898"></span>According to <a target="_blank" href="http://blog.blekko.com/2011/03/09/an-algorithm-for-finding-killing-spam/">Blekko</a>, AdSpam is “a machine-learning algorithm that examines pages for a specific spam signals — the presence of multiple display ad positions on a single page and thin to zero content. Unlike algorithms used by other search engines, AdSpam is being used in conjunction with human curation to detect [Spam and] continue the War on Spam.”</p>
<p>What makes Blekko unique is its search method utilizing <a target="_blank" href="http://blekko.com/ws/+/about">slashtags</a> to pinpoint search and minimize spam results. By targeting content farms that push spam (like eHow.com and answerbag.com), Blekko has managed to provide what it feels is the path to “better search results…by using an algorithm that was created to kill spam, not just crawl it.”</p>
<p>This latest development is just another foray in a war that both Google and Blekko have committed to fighting.</p>
<blockquote><p>“In the past, our efforts to clean-up search have included our partnership with the Stack Overflow community,” states the <a target="_blank" href="http://blog.blekko.com/2011/03/09/an-algorithm-for-finding-killing-spam/">Blekko blog</a>, “and our public banning of the <a target="_blank" href="http://www.webpronews.com/blekko-bans-ehow-and-other-content-farms-2011-02">top 20 sites</a> most users marked as spam at Blekko.”</p></blockquote>
<p>What remains to be seen is what both engines have up their sleeves. According to <a target="_blank" href="http://bits.blogs.nytimes.com/2011/03/09/blekko-blocks-1-1-million-web-sites-from-its-search-engine/">The New York Times</a>, Skrenta hasn’t been squeamish about calling out Google.</p>
<blockquote><p>“Google didn’t actually take anyone out, they just reshuffled the deck. Instead of demoting these sites to No. 5 or No. 7, we’re just throwing them out.”</p></blockquote>
<p>It should be stressed that Googoliath hasn’t exactly been sitting on its hands. In the past several months there has been a public backlash over the deteriorating quality of Google’s search results. The company has responded with a series of remedies, including updated search algorithms and the penalizing of low quality sites like content farms. In fact, <a target="_blank" href="http://unplugged.rcrwireless.com/index.php/20110310/news/7418/googles-newest-anti-spam-weapon-full-site-blocking/">RCR Unplugged</a> reports that the recent ‘Panda’ update to Google’s algorithm caused such a swing in page rankings that how-to site Mahalo had to lay off staff almost immediately.</p>
<p><a target="_blank" href="http://www.allspammedup.com/wp-content/uploads/2011/03/block_matt_option1.jpg"><img class="alignleft size-medium wp-image-3906" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/03/block_matt_option1-400x123.jpg" alt="" width="288" height="89" /></a><a href="http://googleblog.blogspot.com/2011/03/hide-sites-to-find-more-of-what-you.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+blogspot%2FMKuf+%28Official+Google+Blog%29&amp;utm_content=Google+Reader">Most recently</a>, Google reports that it’s adding a ‘Block All Results’ option that will live right next to the ‘Cached’ and ‘Similar’ buttons, so that users can choose to weed out the spam that seems to have mastered the art of worming its way into the top ranks of Google. Even though Google’s blog talks about this functionality as if it’s already here, there’s no indication if or when it will become active – a search performed while this article was written revealed no ‘Block’ link – please feel free to leave a comment if you’ve seen it in the wild.</p>
<p>Admittedly, there are inherent problems with Google’s proposed solutions. First, it’s difficult to identify an entire site as spam simply from search results. Also, sites like Mahalo will suffer from algorithms that box up their criteria in a way that may misidentify legitimate sites. For example, Google’s new algorithms are based on the consistency of content – a site that focuses on one topic, like healthcare, will probably not be flagged whereas a generalized site with content based on a variety of topics may suffer the wrath of the giant G. By its own admission, Google states “generally low quality” of content as a reason to block something. For sites which rely on user-generated content by nonprofessional writers, this could end up being a troubling trend.</p>
<p>So who has the right formula? Bing and Yahoo! haven’t really entered the fray as of yet, perhaps waiting to see what Google has to say on the whole matter of spam sites. Blekko, on the other hand, has chosen to lead and not to follow, a move that could greatly benefit the company as searchers seek alternatives to the millions of results being passed back to the end user. By being proactive, they certainly seem to be taking the war to the content farms and the unending battle between search engine and spam.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/03/blekko-identifies-over-a-million-domains-as-spam/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>What are Bayesian filters anyway?</title>
		<link>http://www.allspammedup.com/2011/02/what-are-bayesian-filters-anyway/</link>
		<comments>http://www.allspammedup.com/2011/02/what-are-bayesian-filters-anyway/#comments</comments>
		<pubDate>Tue, 22 Feb 2011 10:06:36 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Bayesian Filtering]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[false positives]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3772</guid>
		<description><![CDATA[Have you ever wondered just what a Bayesian filter actually is? If so, this post is for you.
]]></description>
			<content:encoded><![CDATA[<p>We mention them all the time. We look for them as a feature in our anti-spam products. But do we know what they are, or are they just another black box in our infrastructure? For many an experienced admin, Bayesian filters may be old hat, but for others, it is a term easily used but not fully understood. This article will crack open the box for those who are curious about just what the heck a Bayesian filter actually is, what it does, and how it works.</p>
<p>Let&#8217;s start with a little vocabulary that is used when we discuss Bayesian filters and spam in general.</p>
<h3><span id="more-3772"></span>Spam</h3>
<p>Unsolicited Commercial Email, or messages that were neither requested nor welcomed, and generally are an attempt to sell you something.</p>
<h3>Ham</h3>
<p>Email that the intended recipient would like to receive, but that was identified as spam. See false positive.</p>
<h3>False positives</h3>
<p>Legitimate email identified as spam, sometimes called ham.</p>
<h3>False negatives</h3>
<p>Spam that is classified as legitimate email and passed to the user’s inbox.</p>
<h3>Rev. Thomas Bayes</h3>
<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/02/thomasbayes.png"><img class="alignleft size-full wp-image-3773" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/02/thomasbayes.png" alt="" width="182" height="210" /></a>Bayesian filters’ namesake, Reverend Thomas Bayes, was born over two hundred years before the technology that uses his theorem was created. He was a mathematician who lived in England in the 1700s, studied mathematics and theology at the University of Edinburgh, and became a Presbyterian minister. He wrote a mathematical treatise, published posthumously, that defended Sir Isaac Newton&#8217;s calculus, as well as a respected theological text.</p>
<p>However, Bayes is best known for his theorem on probability. Bayes’ theorem is also called the theorem of probability of causes.</p>
<p>In short, it states that if you consider an event where A<sub>1</sub>, A<sub>2</sub> &#8230; A<sub>N</sub> are all mutually exclusive events which could have caused B, then the sample space S = U<sup>n</sup><sub>k=1</sub>, i.e., one of these events has to occur. Bayes Rule gives us the probability of event B, and is expressed as:</p>
<p style="text-align: center;"><a href="http://www.allspammedup.com/wp-content/uploads/2011/02/bayesrule.gif"><img class="aligncenter size-full wp-image-3774" src="http://www.allspammedup.com/wp-content/uploads/2011/02/bayesrule.gif" alt="" width="213" height="53" /></a></p>
<p>The probability of event A given event B (e.g. the probability that an email is spam because it contains one or more keywords associated with spam) depends not only on the relationship between events A and B but also on the marginal probability of the occurrence of each event.</p>
<p>Bayes&#8217; theorem is used by Bayesian filters to calculate the probability that an email is spam based on the likelihood that any individual email is spam, the likelihood of the presence of a certain word in spam, the likelihood of the presence of that same word in ham, and other traits such as links to sites from other domains or known spam domains. If that makes your head spin (and it does mine) then let’s simplify this with a practical example.</p>
<p>This example just uses round numbers to illustrate the point; the percentages are arbitrary. Consider an email that contains the phrase ‘bank account.’ If we take all emails collectively and say that 80% of them are spam and 20% are legitimate, and we say that the phrase ‘bank account’ appears in 20% of spam messages and 10% of legitimate messages, then the likelihood that an email containing the phrase ‘bank account’ is spam is eight times higher than the likelihood that it is legitimate (16% versus 2%). This will be factored in with the probabilistic analysis of other phrases in the email, any links, the source domain, or other attributes to come up with a total probability that a specific email is spam. If the probability exceeds the threshold, it is filtered. If it is below the threshold, it is passed on.</p>
<p>Bayesian filters need to be ‘trained’ as the attributes that can identify spam are not consistent across all organisations. You can imagine the percentage of emails sent to a bank that would include the phrase ‘bank account’ would be much higher than to another company.</p>
<p>Spammers try to fool Bayesian filters using several techniques. You have probably seen paragraphs of seemingly random text at the end of a spam message, or words that are broken up with nonsense characters or soft-hyphens. These are ways to game the system by either escaping detection, or throwing the total calculation off by placing words or phrases that are more likely to be found in legitimate mail than in spam.</p>
<p>While Bayesian filtering is an important part of most anti-spam systems, it is only one part and should be used in combination with other methods like whitelists, blacklists, and other filtering technologies. Fighting spam, just like any other security initiative, should take a layered approach, often called defense in depth.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/02/what-are-bayesian-filters-anyway/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Understanding Exchange 2010 Content Filtering</title>
		<link>http://www.allspammedup.com/2010/12/understanding-exchange-2010-content-filtering/</link>
		<comments>http://www.allspammedup.com/2010/12/understanding-exchange-2010-content-filtering/#comments</comments>
		<pubDate>Fri, 17 Dec 2010 15:37:08 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[Exchange 2010]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3477</guid>
		<description><![CDATA[One of the anti-spam technologies built into Exchange 2010 is called Content Filtering. Enabled by default on the Edge Transport server and scanning all inbound emails, the Content Filtering analyzes inbound mail to see whether or not it is likely &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/12/contentfiltering.jpg"><img class="alignleft size-thumbnail wp-image-3476" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/12/contentfiltering-150x150.jpg" alt="" width="150" height="150" /></a>One of the anti-spam technologies built into Exchange 2010 is called Content Filtering. Enabled by default on the Edge Transport server and scanning all inbound emails, Content Filtering performs several tests on inbound messages to determine whether or not a message is likely to be spam. Some of these tests include analysis against information updated from Microsoft Updates. Content Filtering assigns a Spam Confidence Level (SCL) value to each message, where the higher the value, the more likely a message is spam. It can also consult a list of allowed or blocked phrases to either pass a message through, or immediately block it.</p>
<p>The Content Filter Agent can be configured to take actions when a message meets or exceeds a certain SCL rating. These actions include deleting the message, rejecting the message, and quarantining the message. It can also flag email to go to the junk mail folder on a client.</p>
<p><span id="more-3477"></span>SCLs are rated from 1 to 9, so you may choose to set something like this:</p>
<p>1-5 Deliver as normal<br />
6 Route the email to the client&#8217;s junk mail folder<br />
7 Quarantine: the email is routed to the quarantine folder, where an admin must review it and either delete or forward it.<br />
8 Reject: the email is rejected and the sending SMTP server receives a 550 response.<br />
9 Delete: the email is deleted. No NDR is sent.</p>
<h2>Enabling or disabling Content Filtering</h2>
<p>You can use the Exchange Management Console to enable or disable Content Filtering. Remember that it is enabled by default.</p>
<ol>
<li>Log onto the Edge Transport Server and launch the Exchange Management Console. </li>
<li>Click Edge Transport. </li>
<li>In the work pane, click the Anti-spam tab. </li>
<li>Click Content Filtering. </li>
<li>In the action pane, click enable or disable as required.</li>
</ol>
<p>You can also do this using the Exchange Management Shell.</p>
<ol>
<li>Log onto the Edge Transport Server and launch an administrative Exchange Management Shell. </li>
<li>Enter the appropriate command to enable or disable Content Filtering. </li>
</ol>
<pre>Set-ContentFilterConfig -Enabled $true</pre>
<pre>Set-ContentFilterConfig -Enabled $false</pre>
<p>Additionally, you can use the Exchange Management Shell to enable Content Filtering for outbound messages.</p>
<p>By default, Content Filtering only scans inbound messages. You can use the cmdlet <em>Set-ContentFilterConfig -InternalMailEnabled $true</em> to enable scanning of outbound messages, and <em>Set-ContentFilterConfig -InternalMailEnabled $false</em> to disable that.</p>
<h2>Best Practices</h2>
<p>Microsoft recommends, and I agree, that you should enable Content Filtering and use the default SCL thresholds for the entire organisation. You should monitor how mail is being handled, and solicit user feedback where appropriate, but the defaults should be correct for organisations of any size. You can use the PowerShell script %ExchangeInstallPath%\Scripts\get-AntispamSCLHistogram.ps1 to easily monitor how mail is being handled and to see if any adjustments are necessary.</p>
<h2>Additional information</h2>
<ul>
<li>You can use the Set-Mailbox cmdlet in the EMS to set specific SCL action levels on a per-mailbox basis. I do not recommend this, as it entails micro-managing mailboxes.</li>
<li>Per-mailbox SCL settings have no effect on mails received to a Distribution List that the user belongs to.</li>
<li>Messages over 11MB are not scanned by the Content Filter. Messages containing phrases on the Allowed Phrases List, and senders on the Allowed Senders List, will bypass Content Filtering.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/12/understanding-exchange-2010-content-filtering/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Understanding the Spam Confidence Level in Exchange Server</title>
		<link>http://www.allspammedup.com/2010/06/understanding-the-spam-confidence-level-in-exchange-server/</link>
		<comments>http://www.allspammedup.com/2010/06/understanding-the-spam-confidence-level-in-exchange-server/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 13:57:04 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[Exchange 2007]]></category>
		<category><![CDATA[Exchange 2007 Spam Filter]]></category>
		<category><![CDATA[Exchange 2010]]></category>
		<category><![CDATA[Exchange 2010 Spam Filter]]></category>
		<category><![CDATA[SCL]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2711</guid>
		<description><![CDATA[If you have looked at Exchange Server’s anti-spam features or taken a peek at the headers of an email sent through an Exchange server you have probably encountered the term SCL before. SCL stands for Spam Confidence Level.  It is &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2713" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/06/score.jpg" alt="" width="250" height="188" />If you have looked at Exchange Server’s anti-spam features or taken a peek at the headers of an email sent through an Exchange server you have probably encountered the term SCL before.</p>
<p>SCL stands for Spam Confidence Level.  It is the “score” that Exchange Server anti-spam assigns to an email based on the email’s contents.  This score is then used to make decisions as to how to handle suspected spam based on the thresholds that the Exchange administrator configures.</p>
<p>The SCL score is calculated and assigned by the Content Filter Agent, which examines all of the content within an email message to look for patterns that indicate spam.  Once the SCL score has been calculated it is added to the message header.</p>
<p>In this snippet of an example message header you can see the SCL score of 7 has been applied.</p>
<pre>X-MS-Exchange-Organization-SCL: 7</pre>
<h2>How the SCL is Used by Exchange Server</h2>
<p>The SCL score can then trigger certain actions to take place.  The Exchange server can take the following actions based on the SCL:</p>
<ul>
<li><strong>Delete</strong> – the message is deleted with no notification to the sender or recipient.</li>
<li><strong>Reject</strong> – the message is rejected with a notification to the sender but not the recipient.</li>
<li><strong>Quarantine</strong> – the message is quarantined in a specified mailbox with no notification to the sender or recipient.  Typically only email administrators can access the quarantine mailbox.</li>
<li><strong>Junk</strong> – the message is delivered to the recipient’s Junk Email folder.</li>
</ul>
<p>SCL scores range from 0-9 with 0 meaning not likely to be spam, and 9 meaning very likely to be spam.  There is also a -1 score for trusted email messages.  A -1 SCL would apply to email messages sent between recipients of the same Exchange organization, or messages from external senders that have been whitelisted in some way.</p>
<p>The SCL threshold is then configured for each of the actions.  However it is important to understand that the actions are assessed in a certain order.<span id="more-2711"></span></p>
<ol>
<li>Delete is the first action to be assessed.  If the SCL is equal to or higher than the Delete threshold then the message is deleted.  If not, or if there is no Delete threshold configured, then it is passed to the next assessment &#8211;  reject.</li>
<li>Reject is the second action to be assessed.  If the SCL is equal to or higher than the Reject threshold then the message is rejected.  If not, or if there is no Reject threshold configured, then it is passed to the next assessment &#8211; quarantine.</li>
<li>Quarantine is the third action to be assessed.  If the SCL is equal to or higher than the Quarantine threshold then the message is quarantined.  If not, or there is no Quarantine threshold configured, then it is passed from the Hub Transport server to the Mailbox server.</li>
<li>The Mailbox server then applies the Junk Email threshold if one is configured for the organization or for the recipient of the email.  If the SCL exceeds the Junk Email threshold it is delivered to the Junk Email folder of the mailbox and the recipient is able to access it via Outlook.</li>
</ol>
<h2>Getting the SCL Thresholds Right</h2>
<p>When you understand the processing order for the different actions that can be taken based on SCL you can see how important it is to get your configuration correct.  There is no point having a Junk Email threshold of 7 if the emails are going to be deleted for an SCL of 6.</p>
<p>Delete and Reject thresholds should be configured to delete the most likely spam.  Quarantine is optional and I personally find it quite cumbersome to manage, so I prefer not to enable it at all and instead use the Junk Email threshold to put management of less likely spam within reach of the end user.</p>
<p>It is also important to understand that the Content Filter Agent only deals with spam that has already made it past earlier, more deterministic tests such as Connection Filtering, which blocks SMTP connections from known spam sources.</p>
<p>The Connection Filter Agent will often remove as much as 95% of spam so the Content Filter Agent becomes a fine tuning process to remove as much of the remaining 5% of spam from inboxes without causing an unacceptable number of false positives.</p>
<h2>Other Uses of the SCL</h2>
<p>The SCL can also be used as criteria for Transport Rules on the Exchange server.  One way to make use of this is to create a Transport Rule that blind copies all email that meets or exceeds a certain SCL to another mailbox.  The contents of that mailbox can then be used to assess how many false positives the current configuration might be generating and make some fine tuning adjustments.</p>
<p>Another alternative would be to configure a Transport Rule that appends a disclaimer to all emails that are going to trigger the Junk Email threshold.  The disclaimer text can explain the process that end users can go through to whitelist a trusted sender so that future emails are not treated as spam, without them having to contact the IT help desk for support.</p>
<p>In summary, having a detailed understanding of the SCL and how it is used in Exchange Server anti-spam will allow an email administrator to get good performance from their anti-spam deployment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/understanding-the-spam-confidence-level-in-exchange-server/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Anti-Spam is Not One Size Fits All</title>
		<link>http://www.allspammedup.com/2010/05/anti-spam-is-not-one-size-fits-all/</link>
		<comments>http://www.allspammedup.com/2010/05/anti-spam-is-not-one-size-fits-all/#comments</comments>
		<pubDate>Fri, 07 May 2010 14:22:16 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Content Filtering]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2519</guid>
		<description><![CDATA[Anti-spam technology encompasses a lot of different practices, techniques, and systems for detecting and blocking spam emails.  Customers sometimes look for a turnkey, push button, set and forget anti-spam solution that will “just work”. The reality is that not all &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2520" src="http://www.allspammedup.com/wp-content/uploads/2010/05/glove.jpg" alt="" width="250" height="171" />Anti-spam technology encompasses a lot of different practices, techniques, and systems for detecting and blocking spam emails.  Customers sometimes look for a turnkey, push button, set and forget anti-spam solution that will “just work”.</p>
<p>The reality is that not all anti-spam techniques are suitable for all occasions, and often require specific configuration or tuning to suit a given environment.  Here are some examples:</p>
<h2>Recipient Filtering</h2>
<p>This technique makes the assumption that email that is sent to a non-existent address is likely to be a spammer trying a dictionary attack, and should therefore be rejected.</p>
<p>However that assumption does not take into account some valid scenarios, such as:</p>
<ul>
<li>Email servers that are accepting email for other organizations and relaying it to them. In these cases the recipient does not exist in the first organization, but does exist in the second organization.  The first organization therefore must accept emails even for recipients that are invalid in its own organization.  This is quite common for two organizations going through a merger process.</li>
<li>Companies that want to make use of a “catch all” mailbox to receive misspelled or incorrectly addressed email that might be critical to their business, such as sales and customer service enquiries.</li>
</ul>
<h2>Content Filtering on Specific Keywords</h2>
<p>About 10 years ago it was very common to do anti-spam filtering by using a list of specific keywords and phrases.  Some organizations try to continue this technique even today, and it can work well, but in some industries it is impractical or impossible to block certain keywords that most people would associate with spam.<span id="more-2519"></span></p>
<ul>
<li>Pharmaceutical companies and their partners would not want to block the names of certain products, even though those product names are frequently used by spammers selling counterfeit versions of them.</li>
<li>A jewellery business cannot treat the word “Rolex” in emails with the same level of suspicion as other businesses.</li>
</ul>
<h2>Blocking Top Level Domains</h2>
<p>There are statistics that show that certain top level domains are frequently used when sending spam emails.  A business that deals only within their own city or country has little to lose by blocking those top level domains from sending them emails; however a global corporation cannot do the same thing without potentially cutting themselves off from entire markets.</p>
<p>Worse, if a global corporation are themselves using multiple email domains they could potentially cut off parts of their business from communicating with each other, if this sort of blocking was applied too strictly.</p>
<h2>One Size Fits All</h2>
<p>Instead of looking for a “one size fits all” anti-spam solution you should instead look for a flexible, highly configurable product that can be tailored to suit your specific business environment.  When a solution is properly implemented and configured it is far more effective than blindly following other people’s version of “best practice” for preventing spam.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/05/anti-spam-is-not-one-size-fits-all/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Prevent Postmaster Spam</title>
		<link>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/</link>
		<comments>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 14:59:37 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[Bayesian Filtering]]></category>
		<category><![CDATA[Connection Filtering]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[postmaster]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2414</guid>
		<description><![CDATA[When I meet a new customer to discuss their spam problems I often hear of the same complaint. “We are getting spam from postmaster addresses and we don’t know why.” This complaint has a multitude of variations but we tend &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2416" src="http://www.allspammedup.com/wp-content/uploads/2010/04/postmaster.jpg" alt="postmaster" width="250" height="187" />When I meet a new customer to discuss their spam problems I often hear of the same complaint.</p>
<blockquote>
<p style="padding-left: 30px">“We are getting spam from postmaster addresses and we don’t know why.”</p>
</blockquote>
<p>This complaint has a multitude of variations but we tend to label the problem as “postmaster spam”.</p>
<p>Simply put, postmaster spam is any spam email that comes from a postmaster email address, whether it is the postmaster for your own domain or for someone else’s domain.</p>
<p>The postmaster address performs a critical role in email communication and its presence and use is prescribed in the RFCs for the SMTP protocol.</p>
<blockquote>
<p style="padding-left: 30px">“Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox &#8220;postmaster&#8221; as a case-insensitive local name.”</p>
</blockquote>
<p>&#8230;and&#8230;</p>
<blockquote>
<p style="padding-left: 30px">“SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet.”</p>
</blockquote>
<h2>Who is the Postmaster?</h2>
<p>The postmaster address is usually the source (or “from”) address for system generated emails such as non-delivery reports, although some email servers allow a different address to be used.</p>
<p>But this common usage, combined with the RFC requirements, creates a series of problems.  Spammers know that the postmaster@ email address is almost always going to be valid, and email servers often treat email from postmaster@ email addresses as more trusted.</p>
<h2>Postmaster Forgeries</h2>
<p>One way in which spammers try to exploit this is by forging the sender address of spam to make it appear that it is coming from a postmaster@ address for a well known domain name.  This is an effective technique because most email users have received genuine NDRs in the past and have at least some idea that a postmaster@ address is valid and trustworthy.<span id="more-2414"></span></p>
<p>Because the human element of this exploit is so weak the best defence against this technique is to detect and block the spam before it reaches the intended victim.  Anti-spam techniques such as <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">connection filtering</a>, content filtering, and Bayesian filtering are effective in stopping this.</p>
<h2>Backscatter Spam</h2>
<p>Another way spammers create “postmaster spam” is by causing NDRs, also known as <a href="http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/">backscatter spam</a>.  With this method a spammer will send email with forged sender addresses to various email systems, and when it is sent to non-existent addresses the receiving server sends back an NDR from their postmaster@ address to the forged sender address.</p>
<p>The person whose email address was used as the forged email address then receives the NDR, usually along with the original spam content attached or embedded.  This technique is often successful because email systems don’t want to block important non-delivery reports.</p>
<p>Some anti-spam products specifically include protection for this type of NDR backscatter spam through a combination of technologies.  There is also an emerging technique appearing in some products that uses a header tag for all outgoing email.  When an NDR comes back from an external source it can be checked for that tag.  If it exists and matches a known email that was sent, then the NDR can be trusted and allowed back in to the email system.  If the header tag does not exist then it is likely that the email originated elsewhere, probably from a spammer, and can be considered less trustworthy and subject to different filtering rules.</p>
<h2>Other Postmaster Problems</h2>
<p>The two problems that are mentioned above mostly impact end users, those who we are trying to protect from spam threats.</p>
<p>But another issue also exists, and that is spam addressed to the postmaster@ address itself.  Because of the importance of the postmaster as prescribed in the RFC it is common for it to be exempt from any form of filtering or protection, to ensure it receives 100% of important email addressed to it.</p>
<p>Fortunately, although this opens the door to spammers, the postmaster@ mailbox is usually only accessed by experienced administrators who are less likely to be tricked into opening spam or clicking on a phishing link.  And in extreme cases the RFC does permit blocking of particularly bad sources of spam to the postmaster@ address.</p>
<p>And for our customers we are able to prescribe quality solutions to the problem of postmaster spam by implementing effective anti-spam systems on their networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISPs Don&#8217;t Want to be Spam Cops</title>
		<link>http://www.allspammedup.com/2010/01/isps-dont-want-to-be-spam-cops/</link>
		<comments>http://www.allspammedup.com/2010/01/isps-dont-want-to-be-spam-cops/#comments</comments>
		<pubDate>Wed, 20 Jan 2010 16:06:26 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti spam law]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[email spam]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2075</guid>
		<description><![CDATA[British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet. Rand’s suggestion is the blocking of TCP port 25 (the port used for &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2077" src="http://www.allspammedup.com/wp-content/uploads/2010/01/police.jpg" alt="police" width="250" height="187" />British ISPs have <a target="_blank" href="http://www.ispreview.co.uk/story/2010/01/19/uk-isps-react-angrily-to-trend-micros-block-port-25-spam-solution.html">reacted strongly</a> to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.</p>
<p>Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.</p>
<p>The legislation idea has merit; after all, the lack of cooperation between government agencies is how many international spam operations manage to go unpunished.  The blocking of SMTP, on the other hand, is impractical and costly to implement, both from a technical and a service perspective.</p>
<p>The basis of the idea is this.  Customers send mail using SMTP, so blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.</p>
<p>The solution is problematic though because many ISP customers, both home users as well as businesses, have perfectly good reasons to not send their email via their ISP’s mail servers.  These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.</p>
<p>The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP.  Secondly, any false positives could have disastrous consequences if important emails were blocked.  ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.<span id="more-2075"></span></p>
<p>A serious issue is also that of costs.  A higher email load combined with more thorough monitoring means more costs to the ISP for servers and software to do those jobs.  The human resource costs also increase, both in the management of the systems as well as the teams who need to contact and support customers who are suspected of sending spam.</p>
<p>Although email is currently the largest source of spam on the internet there are other forms of spam that are quickly becoming very common that would not be addressed by this solution.  Social networks such as Facebook and Twitter have become rich hunting grounds for spammers and phishers who are able to target victims with highly personalized attacks thanks to the open nature of these networks.</p>
<p>In a world where ISPs block spam email from customers the focus of botnets would simply shift to exploiting social networks and identity theft for the same outcomes.  Because these networks run simply as interactive websites they become impossible to block at the protocol level, and blocking them on a site by site basis would immediately outrage customers.</p>
<p>The British ISP heads who commented are correct in their view that businesses and email administrators need to take the responsibility of blocking spam that is sent to them, rather than expect ISPs to do all the work for them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/01/isps-dont-want-to-be-spam-cops/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Two Heads Fight Spam Better Than One</title>
		<link>http://www.allspammedup.com/2009/12/two-heads-fight-spam-better-than-one/</link>
		<comments>http://www.allspammedup.com/2009/12/two-heads-fight-spam-better-than-one/#comments</comments>
		<pubDate>Wed, 02 Dec 2009 12:53:55 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Bayesian Filtering]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[RBL]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1890</guid>
		<description><![CDATA[Independent security organization Virus Bulletin has called for makers of email security products to collaborate in the fight against spam. Virus Bulletin conducted a test of 14 anti-spam products using 200,000 emails made up of both spam and legitimate content.  &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1891" src="http://www.allspammedup.com/wp-content/uploads/2009/12/team.jpg" alt="team" width="250" height="166" />Independent security organization Virus Bulletin has called for makers of email security products to collaborate in the fight against spam.</p>
<p>Virus Bulletin <a target="_blank" href="http://www.theregister.co.uk/2009/12/01/anti_spam_mashup_tests/">conducted a test of 14 anti-spam products</a> using 200,000 emails made up of both spam and legitimate content.  They found that combining products both increased the rate of detection and decreased the likelihood of false positives.</p>
<p>Although the increased detection rate compared to typical rates from popular anti-spam products was only a minor percentage, this can account for many thousands of additional spam messages blocked in larger business environments.</p>
<p>Combining multiple email security engines into a single product is not a new concept.  Antivirus products have been doing this for several years now, with major antivirus companies licensing their engines as optional plugin components to an email security product.  It is not unusual to find email systems protected by 3 to 5 different antivirus engines.</p>
<p>In the fight against spam, collaboration could make significant improvements for businesses.   Primarily this would occur in the <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">content filtering</a> engine component of anti-spam products.  Different vendors produce different content filtering databases that are more effective against some spam threats than others.</p>
<p>But the collaboration would not work, or would not even be necessary at other levels of an anti-spam system.  For example DNS <a href="http://www.allspammedup.com/2009/08/understanding-blocklist-providers/">block lists</a> from different providers are already easily plugged in to most email security systems and can be used in combination with each other.</p>
<p>Bayesian filtering would also not benefit from collaboration because of the way it works.  What a Bayesian filter learns about one organization’s email patterns would not always translate well to other organizations, so the sharing of this data would be pointless (and potentially a security risk in itself).<span id="more-1890"></span></p>
<p>As a downside to this idea hardware resources for anti-spam servers would likely need to be increased.  Content filtering is a resource intensive process and so inspecting an email with multiple engines will require many times more hardware power than a single-engine filter would require.</p>
<p>One positive side to this idea is that it allows developers of content filtering engines to focus on improving the quality and performance of the engine itself, which they can then license to anti-spam vendors.  The vendors are then free to focus more on important features that businesses consider when <a href="http://www.allspammedup.com/2009/05/how-to-evaluate-anti-spam-products-for-your-business/">choosing an anti-spam product</a>, such as reporting capabilities, end user self-service, and ease of administration.</p>
<p>Finally, some may rightly see this idea as adding complexity to an already complex product.  Experienced email administrators have probably already encountered at least one problem in the past with multi-engine antivirus products when changes are made to one of the engines by the developers.  However this type of perceived complexity can be resolved by considering <a href="http://www.allspammedup.com/2009/11/9-benefits-of-hosted-antispam-services/">hosted anti-spam solutions</a> instead, which will likely be one of the earliest available offerings of a multi-engine spam filter.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/12/two-heads-fight-spam-better-than-one/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>7 Major Sources of Spam on the Internet</title>
		<link>http://www.allspammedup.com/2009/07/7-major-sources-of-spam-on-the-internet/</link>
		<comments>http://www.allspammedup.com/2009/07/7-major-sources-of-spam-on-the-internet/#comments</comments>
		<pubDate>Wed, 22 Jul 2009 12:57:42 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[Instant Messaging]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Wireless]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1276</guid>
		<description><![CDATA[Anyone who uses the internet whether for business or for leisure has had first hand experience with spam at some point in time.  Spam is a problem that plagues the internet and affects us all in some way.  Like most &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1279" style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/07/seven.jpg" alt="seven" width="200" height="133" />Anyone who uses the internet whether for business or for leisure has had first hand experience with spam at some point in time.  Spam is a problem that plagues the internet and affects us all in some way.  Like most problems the spam problem is a very complex one.  There is no single source or cause of spam, which means there is no single solution to the problem.  In this post I&#8217;ll explain some of the sources and causes of the spam that we see every day.</p>
<h2>Botnets and Zombies</h2>
<p>Bots or zombies are typically home computers that have been infected with some type of virus or malware, which puts the computer under remote control by a malicious person.  A group of these computers is referred to as a botnet, and is used by a spammer to send out millions of emails containing spam, phishing scams, and computer viruses.</p>
<p>Examples of botnets include the <a target="_blank" href="../../../../../2009/05/cutwail-botnet-flooding-net-with-weight-loss-spam/">Cutwail</a> and <a target="_blank" href="../../../../../2009/07/rustock-botnet-behind-rise-in-spam/">Rustock</a> botnets that are responsible for massive spam attacks around the world.</p>
<p>Because botnets are made up of computers located within ISP customer IP subnets they can often be blocked by using <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">connection filtering</a> to block any SMTP connections from those IP address ranges.  When this fails you have to rely on <a href="http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">content filtering</a> to detect the spam content within the messages.</p>
<h2>Open Relays</h2>
<p>An <a href="http://www.allspammedup.com/2009/02/is-your-email-server-an-open-relay/">open relay</a> is a poorly configured email server that allows anyone to relay messages through it to any other destination email address.  Modern email server software is not configured to permit open relay by default; it usually takes human error to cause a server to be configured this way, and there are few genuine reasons to run an open relay, especially not one that is open to the internet where it can be abused by spammers.<span id="more-1276"></span></p>
<p>Servers that are found to be open relays are often added to block lists.  This will prevent that server from sending legitimate email as well, so having an open relay in your own network can be detrimental to your own business.</p>
<h2>Backscatter</h2>
<p><a href="http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/">Backscatter spam</a> is caused by a combination of email address spoofing and poorly configured spam defenses on email servers.  When an email server detects spam it may generate a &#8220;Non Delivery Report&#8221; (NDR) to what it thinks is the originating email address.  Because most spam is from spoofed (or forged) email addresses this means that the person whose email address was spoofed receives the NDR, often containing the original spam content as well.</p>
<p>Backscatter or NDR spam can be difficult to detect and block and not all antispam systems do it very effectively.</p>
<h2>Unsecured Wireless Networks and Business Premises</h2>
<p>An often forgotten source of spam is poorly secured business networks.  People may assume that business computers would need to be part of a botnet, or that the email server has to be an open relay for spam to originate from business networks.</p>
<p>However some networks are compromised simply because attackers are able to gain physical access to data ports in unsecured sections of the office.  These risks highlight the importance of businesses <a href="http://www.allspammedup.com/2009/01/the-importance-of-filtering-outgoing-email-in-exchange-environments/">filtering outgoing email</a> from their networks.</p>
<p>Wireless networks are also a vulnerability for both businesses and homes.  In Australia one state&#8217;s police force is considering patrolling neighborhoods for unsecured wireless networks so that they can assist people in securing them and cutting off the opportunity for criminals to use them.</p>
<h2>Email Marketers</h2>
<p>Not all email marketers are spammers, but there are definitely those out there that consider themselves to be genuine marketers even as they engage in spam tactics.  This is a problem not only because of the incoming spam that people have to deal with, but also because businesses must be careful when engaging in <a href="http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/">email marketing</a> not to be labeled as spammers themselves.</p>
<p>There is also the perception that any unwanted commercial email must be spam, but often a person will forget they signed up for a mailing list or simply do not want to receive them anymore and will start treating it as spam instead of simply unsubscribing.</p>
<h2>Instant Messaging</h2>
<p>Instant messaging is a very useful and productive tool but like any internet communication is also subject to spam.  Malicious users will simply add as many contacts as they can and start sending out links to spam and phishing sites before the messaging service notices them and blocks them.</p>
<p><a href="http://www.allspammedup.com/2009/03/spamming-google-talk/">Instant messaging spam attacks</a> are often successful because it is perceived as a more trusted platform by the end user and also commonly used by people to communicate with other people they have never met, causing them to be less suspicious of messages from unknown contacts.</p>
<h2>Social networks</h2>
<p>Social networking is one of the most popular online activities today and, like instant messaging, is used to connect with people all around the world, some of whom a person has never met or does not even know very well.   This makes social networks a lucrative hunting ground for spammers who use the personal information people reveal about themselves on social networks to tailor their spam messages.</p>
<p>The personalized content in the spam and phishing messages causes unsuspecting victims to lower their guard and be more trusting, which leads to them falling for the scam that the attacker is using.</p>
<p>Most <a href="http://www.allspammedup.com/2009/06/dealing-with-new-spam-threats-to-business/">social network spam and phishing attacks</a> cannot be effectively prevented in any other way than by <a href="http://www.allspammedup.com/2009/01/the-last-line-of-defense-against-spam/">increasing user awareness</a> of the risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/07/7-major-sources-of-spam-on-the-internet/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How to protect Exchange Server 2007 with Content Filtering</title>
		<link>http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/</link>
		<comments>http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 14:47:15 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Content Filtering]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=264</guid>
		<description><![CDATA[Exchange Server 2007 anti-spam functionality includes the Content Filter agent which is designed to provide spam detection based on the contents of an email message. The Connection Filter agent is based on the Intelligent Message Filter first introduced in Exchange &#8230;
]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">Exchange Server 2007 anti-spam functionality includes the Content Filter agent which is designed to provide spam detection based on the contents of an email message.</p>
<p style="text-align: left;">The Connection Filter agent is based on the Intelligent Message Filter first introduced in <a href="http://www.allspammedup.com/2008/05/exchange-2003-spam-filters-%e2%80%93-a-really-good-start-is-it-enough/">Exchange Server 2003</a>.  The Intelligent Message Filter bases its spam detection on a database of email submissions from Microsoft partners that is used as a basis for heuristic scanning of email content.  A &#8220;spam confidence level&#8221; (SCL) rating is then assigned to the email message and used to determine whether to classify the message as spam or not.</p>
<p style="text-align: left;">The SCL rating is a number from 0 to 9 where the higher the number the more likely the email message is spam.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-271" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/contentfiltering.jpg" alt="How to protect Exchange Server 2007 with Content Filtering" width="500" height="125" /></p>
<p style="text-align: left;">The Content Filter agent assesses the content of email messages after the <a href="http://www.allspammedup.com/2008/12/how-to-protect-your-exchange-server-2007-with-the-connection-filter-agent/">Connection Filter agent</a> has initially determined whether the sending host should be blocked entirely or not.  The order of priority improves Exchange server performance by removing the most obvious spam based on the sending IP address before the more resource intensive content filtering takes place.<span id="more-264"></span></p>
<h2 style="text-align: left;">How to configure the Content Filter agent for Exchange Server 2007</h2>
<p style="text-align: left;">The Content Filter agent is enabled by default on Edge Transport servers but must be enabled by an administrator on Hub Transport servers using the &#8220;install-antiSpamAgents.ps1&#8243; script that is included with Exchange Server 2007.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-272" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/htinstallantispamagents2.png" alt="How to configure the Content Filter agent for Exchange Server 2007" width="500" height="109" /></p>
<p style="text-align: center;">The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-265" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-01.png" alt="The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console" width="500" height="277" /></p>
<h3 style="text-align: center;">Configuring custom word lists</h3>
<p style="text-align: center;">The Content Filter agent can be configured to never block messages containing certain keywords or phrases.  This option is effectively a whitelist of words that when contained within an email message must ensure that the message is not blocked as spam.</p>
<p style="text-align: center;">Although some organisations will require this functionality most will not.  Using a whitelist in this manner carries the risk that a spam message that happens to contain a whitelisted word will not be blocked.  A message that contains a whitelisted keyword or phrase is assigned an SCL of 0 regardless of whether it contains spam content that would score it higher.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-266" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-02.png" alt="Content Filtering properties" width="445" height="257" /></p>
<p style="text-align: center;">Keywords and phrases can also be configured as a blacklist, which will cause any message containing those words to be blocked as spam.  To block the message as spam the Content Filter agent assigns an SCL of 9 to the message.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-267" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-03.png" alt="Blocking messages as spam" width="446" height="214" /></p>
<h3 style="text-align: center;">Configuring exceptions</h3>
<p style="text-align: center;">The Content Filter agent can be configured to ignore messages sent to certain email addresses within the organisation.  An example would be an important customer service email address.  If the organisation wishes to ensure that no customer service emails are inadvertently blocked as spam then the customer service email address can be added as an exception.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-268" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-04.png" alt="Content Filtering properties exceptions" width="448" height="176" /></p>
<h3 style="text-align: center;">Configuring actions for spam messages</h3>
<p style="text-align: center;">The default Content Filter agent configuration rejects messages with an SCL of 7 or higher.  This configuring will reject the most obvious spam but will more than likely result in many spam messages getting through to user mailboxes.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-269" style="vertical-align: middle;" src="http://www.allspammedup.com/wp-content/uploads/2008/12/agentconfig-05.png" alt="Configuring actions for spam messages" width="447" height="300" /></p>
<p style="text-align: left;">To configure the Content Filter agent to deal with spam messages we must first understand the three available actions:</p>
<ul class="unIndentedList" style="text-align: left;">
<li><strong>Delete</strong> &#8211; the message is silently deleted with no notification to the sending host.</li>
<li><strong>Reject</strong> &#8211; the message is rejected with a Non Delivery Report to the sending host. The NDR can be customised to a limited degree.</li>
<li><strong>Quarantine</strong> &#8211; the message is redirected to a specified email address, usually a special mailbox on the Exchange server.</li>
</ul>
<p style="text-align: left;">Delete takes precedence over Reject and Quarantine, and when used must always be set to a higher SCL than Reject or Quarantine.  Reject takes precedence over Quarantine and must also always be set to a higher SCL than Quarantine.</p>
<p style="text-align: left;">Using the Delete action is risky when combined with blacklisted keywords or phrases.  A legitimate email message that happens to contain a blacklisted word will be deleted with no notification to either the sender or the intended recipient, and with no way of retrieving the message from a quarantine area.  For this reason the blacklisted custom word list should only contain keywords or phrases that the organisation wants to block regardless of the importance of the content of the email message.</p>
<p style="text-align: left;">The Reject action is most commonly used to handle likely spam but requires constant monitoring and tuning to ensure that it is not producing too many false positives, nor that it is allowing too much spam through to user mailboxes.</p>
<p style="text-align: left;">Quarantine can be used to store likely spam in a mailbox where it can be retrieved if requested by the end user.</p>
<h2 style="text-align: left;">Pros and cons of the Exchange Server 2007 Content Filter agent</h2>
<p style="text-align: left;">The most obvious advantage of the built in Content Filter agent is that is provides content filtering at no additional cost to the business.  However this cost saving may be negated by one or more of the following disadvantages.</p>
<ul class="unIndentedList" style="text-align: left;">
<li>The effectiveness of the content filtering relies on anti-spam signatures released by Microsoft. There is no capability for the Content Filter agent to &#8220;learn&#8221; about your organisation&#8217;s email content and make better judgements as to what is and isn&#8217;t spam.</li>
<li>When the Reject action is used and a message is rejected it cannot be retrieved from the server by the Exchange administrator.</li>
<li>When the Quarantine action is used and a message is quarantined, neither the sender nor the intended recipient is notified. Crucial time may pass before an important business email is suspected of being quarantined and the Exchange administrator is asked to retrieve it.</li>
<li>There is no &#8220;self service&#8221; capability for end users to check and retrieve their own quarantined items. Only a single quarantine mailbox can be used, which raises privacy concerns if end users were given access to it and able to look at quarantined emails that are intended for other recipients.</li>
<li>Very limited reporting capabilities.</li>
</ul>
<h2 style="text-align: left;">Alternatives to Exchange Server 2007 Content Filter agent</h2>
<p style="text-align: left;">The shortcomings of the Exchange Server 2007 Content Filter agent can be addressed by implementing a more comprehensive email security solution.</p>
<p style="text-align: left;">A dedicated, quality email security product contains more effective spam content analysis, the ability to &#8220;learn&#8221; about an organisation&#8217;s business emails, greater configurability in how to handle suspected spam emails, end user &#8220;self service&#8221; to make quarantine management easier for users and less costly for administrators, and detailed reporting features so that system administrators and business stakeholders can see and judge the performance of the email security product.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/12/how-to-protect-exchange-server-2007-with-content-filtering/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

