7 Ways to Prevent Your Emails Being Blocked as Spam

Written by Paul Cunningham on September 4, 2009

Earlier this week I was talking with a client and discovered that they had not received an important email that I sent them that morning.  After a brief investigation we found the email in their Outlook Junk email folder.  This was unusual because, of course, we send emails to each other quite frequently.

I checked it out and was able to determine why that particular email got marked as Junk email, made a configuration change, and emails have been delivering fine ever since.  The experience left me thinking about some of the ways that perfectly legitimate email might be marked as spam, and the steps that can be taken to avoid those situations.

Flagged as Spam by End User Email Client

An email recipient can flag an email as spam in a number of ways.  If their email client has built-in junk filters then they can simply mark it as junk email in their client and your emails will not reach their inbox.

For businesses with Exchange Server 2007 and Outlook on the desktop this goes a step further due to a feature called Safelist Aggregation.  This feature aggregates each individual user’s personal safelist and blocklist information onto the server itself, so that an email address marked as spam by one user is also blocked for other users.

Unfortunately this can happen when people either forget that they signed up for a particular newsletter or promotion, or they simply decide that they no longer want to receive it, and instead of unsubscribing they mark it as spam.

7 Major Sources of Spam on the Internet

Written by Paul Cunningham on July 22, 2009

Anyone who uses the internet, whether for business or for leisure, has had first-hand experience with spam at some point in time.  Spam is a problem that plagues the internet and affects us all in some way.  Like most problems, the spam problem is a very complex one.  There is no single source or cause of spam, which means there is no single solution to the problem.  In this post I’ll explain some of the sources and causes of the spam that we see every day.

Botnets and Zombies

Bots or zombies are typically home computers that have been infected with some type of virus or malware, which puts the computer under remote control by a malicious person.  A group of these computers is referred to as a botnet, and is used by a spammer to send out millions of emails containing spam, phishing scams, and computer viruses.

Examples of botnets include the Cutwail and Rustock botnets that are responsible for massive spam attacks around the world.

Because botnets are made up of computers located within ISP customer IP subnets they can often be blocked by using connection filtering to block any SMTP connections from those IP address ranges.  When this fails you have to rely on content filtering to detect the spam content within the messages.

Open Relays

An open relay is a poorly configured email server that allows anyone to relay messages through it to any other destination email address.  Modern email server software is not configured to permit open relay by default; it usually takes human error to cause a server to be configured this way, and there are few genuine reasons to run an open relay, especially not one that is open to the internet where it can be abused by spammers.

Where to Locate Anti-Spam Servers in Your Network

Written by Paul Cunningham on May 18, 2009

After an organisation has made the decision to invest in an anti-spam solution, often the next consideration is where within their network infrastructure the anti-spam system should be located.  When making these decisions it is helpful to understand common anti-spam techniques and how they will integrate with other elements of your network.

Small to Medium Businesses

For small- to medium-sized businesses the decision is simplified to a certain degree, especially for organisations that operate from single premises.  Many of these organisations will operate a single email server such as Microsoft Exchange Server.  When an Exchange-integrated solution is chosen then the anti-spam software is installed on the same server as Microsoft Exchange.

Although this basically eliminates any need to consider the location of the anti-spam system, there is still some consideration that needs to be given to configuration and tuning of the various anti-spam features.  For example, connection filtering should be enabled and assessed first before the more resource-intensive content filtering.  Even though most small businesses do not deal with the volume of email that makes performance difficult to manage, this sort of attention to detail will ensure that an integrated anti-spam system does not adversely impact the performance of the organisation’s email server.

Large Businesses and Enterprises

Large businesses and enterprises typically operate a complex network infrastructure due to two main factors – they operate out of many separate premises across a city, country, or even the world; and they have very large numbers of staff using the email system.  This presents many additional factors when considering the location of the anti-spam system, such as:

  • Multiple email entry points for the network;
  • Heavily loaded email servers with critical performance/uptime requirements;
  • Strict security policies for incoming connections from the internet, including for SMTP;
  • Strong focus on lower total cost of ownership (TCO) for systems such as email security.

When these factors are considered in light of the technical features of an anti-spam system the decision can be a complicated one.

Go Beyond Encryption with a Tunnel

Written by Carl E. Reid on April 30, 2009

Protection of email traffic flowing between hub servers and separate servers that store mailbox accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mailbox.

What still keeps the Exchange journaling system susceptible to attack is the ease with which anyone can spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.  A spammer’s daily routine includes using this technique regularly.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although it isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook.

Protecting Yourself and Others from Backscatter Spam with Exchange Server 2007

Written by Paul Cunningham on April 29, 2009

Most of the articles you’ll read on a blog such as this will describe how to protect yourself from certain types of spam.  Most of the articles I’ve written so far do exactly that.  Today I’m going to add another dimension to my post and discuss how to protect both yourself and others from “backscatter” spam.

What is Backscatter Spam?

The term “backscatter spam” refers to a spam attack that targets non-existent email addresses and causes email “bounce” messages to be sent to innocent parties.  The “bounce” messages are known as Non-Delivery Reports (NDRs) and are sent by an email server to let the sender know that the message was not delivered.

NDRs are a normal and useful part of the SMTP protocol.  However when NDRs were first envisaged the concept of address spoofing was not considered.  Address spoofing is when a spammer forges the “From” address on a piece of spam they are sending.  This is how backscatter affects innocent parties – even though they didn’t send the spam, they receive the NDR because their email address was forged by the spammer.

This is why you get spam emails

Written by Paul Cunningham on April 3, 2009

Have you ever wondered how spammers manage to find your email address and start sending you junk and scam emails?  In this post I’ll describe three ways in which spammers are able to get their hands on lists of valid email addresses to target with their spam.

Directory Harvesting

Directory harvesting is a technique spammers use to trick an email server into telling them which email addresses exist in an organisation and which do not.  The spammer bombards the email server with thousands of combinations of common names.  Any test emails that are accepted mean the spammer can be confident that particular email address exists at that domain and can be a target for future spam.  Sometimes the directory harvesting is performed by other parties who then sell the lists of valid email addresses to spammers.

Is spam prevention too costly for your business?

Written by Paul Cunningham on February 13, 2009

Anti-spam companies around the world generally agree that the average volume of spam travelling through the internet is as much as 90% of total global email traffic.

That is an alarming, but not surprising statistic.  Spammers have relatively low business expenses.  They only need to harvest an email address database, buy a swarm of virus infected computers to send the emails through, and they are able to pump out millions of spam emails in minutes.

Effective spam prevention costs money.  Just like insuring your property against theft, it would be nice not to have to pay to protect oneself from the evil-doers of the world, but free solutions are simply not as effective as dedicated commercial email security products.  Some businesses would prefer not to pay though, and will give some consideration to not installing an anti-spam system.

What does it cost to NOT prevent spam?

When planning an Exchange server deployment there are formulas used to size the servers and storage that will host the email system.  One of the elements of the formula is the type of mailbox user.  An “average” mailbox user is considered one who sends 10 email messages and receives 40 email messages each day.

Is your email server an open relay?

Written by Paul Cunningham on February 6, 2009

When talking about email servers the term “open relay” means a mail server that allows anyone to send email through it to any destination.  An email server may become an open relay through accidental misconfiguration by the server administrator, or from malicious action by an attacker.

How do open relays cause spam?

Open relays are like gold to spammers.  When a spammer knows about an open relay they will use it to send thousands or even millions of spam emails to recipients via the open relay server.  The benefit to the spammer is twofold – they can mask their own location by relaying through another source; and they can leverage the positive reputation of the email server they are relaying through (at least until that reputation is ruined).

What damage can an open relay do to your business?

There are many ways in which an open relay email server can harm your business -

The importance of filtering outgoing email in Exchange environments

Written by Paul Cunningham on January 22, 2009

When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as blocklists and content filtering to prevent spam from reaching end user mailboxes.

Despite this effort some businesses fail to also consider filtering outbound emails.  Often the outbound email path bypasses the system that scans incoming emails from the internet, and instead sends the emails directly out to the destination.

Why should we scan and filter outbound email messages?

Outbound email messages should be checked for spam or malicious content because of the risk such content poses to the organization’s reputation.

An organization found to be sending spam or viruses risks:

  • Damage to their brand names
  • Loss of trust and reputation with customers and business partners
  • Being blocked by other email administrators
  • Being added to IP block list provider databases such as SpamHaus
  • Bandwidth saturation impeding other online communications

How can spam or viruses be sent from our business networks?

I’ve worked with a lot of customers over the last 10 years and it is not uncommon to find more than one of the following weaknesses in their network security:

Managing whitelists and blocklists for Exchange Server environments

Written by Paul Cunningham on January 16, 2009

Most organisations that have deployed an email anti-spam solution will at some stage encounter a situation in which a false positive (legitimate email blocked as spam) or a false negative (spam email allowed to pass through) causes a problem for their business.

False positives can affect important business emails and can have a very high cost to the organisation if the email was time sensitive.  False negatives can have a similar impact on the business by annoying or offending end users who receive unwanted spam.  Both situations can also erode the confidence the end users have in the organisation’s email system.

To combat these issues many organisations configure whitelists or blocklists on their anti-spam systems.

What is a Whitelist?

A whitelist is a list of known safe email senders.  Whitelists can be made up of IP addresses, domain names, or email addresses.  In most cases businesses will choose to whitelist domain names of highly trusted customers or suppliers, or email addresses that are the source of critical emails.

As a real-world example, at one customer I worked with, the email address that was the sender of voicemail attachments from the external voicemail system was whitelisted to ensure that the anti-spam system never blocked a voicemail message as a false positive.

Whitelists carry some risks.  For example some domains such as hotmail.com, ebay.com, and paypal.com are frequently forged by spammers sending commercial spam or phishing emails.  If ebay.com was whitelisted it would cause eBay phishing scams to pass through the anti-spam system to end users.

What is a Blocklist?

A blocklist (also sometimes called a blacklist) is the opposite of a whitelist.  Blocklists can also be made up of IP addresses, domain names, and email addresses.  Businesses will choose to blocklist domains or email addresses that are found to always be the source of spam yet sometimes slip through the anti-spam system as a false negative.

In some customer environments I have worked in, the email administrators have chosen to block entire top level domains such as .ru (Russia) and .tw (Taiwan) because the company did no business with anyone in those countries yet constantly received spam, viruses, and phishing emails from those domains.

Blocklists carry some risks as well.  For example, even though hotmail.com is often used by spammers, blocking the entire hotmail.com domain would prevent any customers or legitimate senders who utilise Hotmail from emailing your business.

How does Exchange Server 2007 manage Whitelists and Blocklists?

Exchange Server 2007 can apply whitelists and blocklists on Edge Transport servers and Hub Transport servers that have the Exchange Server 2007 Anti-Spam components installed.