Stopping Spam at the Gateway

Bandwidth-sapping spam is more than just an annoyance; it's increasingly becoming a drain on the bottom line. Fortunately, administrators can fight back with technology that yields cleaner in-boxes and fewer mail server meltdowns.

By Steven J. Vaughan-Nichols | Posted Oct 2, 2003
Page 1 of 2
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

I hate spam. You hate spam. We all hate spam. But none of us hate spam as much as ISPs and business network administrators do. Alexis Rosen, president and co-owner of Public Access Networks, which runs Panix, one of the oldest ISPs, concedes that while spam may "not be as bad as Adolph Hitler, it is morally evil."

Well, that's clear enough. Why such strong feelings? Rosen explains that spam "chews up a lot of bandwidth and disk space," and the non-stop disk I/O sucks down system resources and significantly stresses the mail server. And why exactly is this so annoying? Because it directly interferes with the ability to perform as an ISP, and that, in turn, directly – and negatively – affects the bottom line. This certainly isn't just Panix's problem; all ISPs and corporate networks face it.

So what can you do about it?

Stopping Spam at the Gateway

There are four basic ways you can try to block spam at the gateway: blacklists, whitelists, rules-based filtering, and Bayesian filters. None of them is perfect, and none of them ever will be perfect. All of them working together will never be perfect either, but they are much more effective than doing nothing at all.

The fundamental problem with anti-spam protection, as David Ferris, president of leading e-mail researcher Ferris Research, says, is that "the ideal goal is 100% effectiveness with 0% false positives — an impossible ideal." Still, "most people will find high false positive rates of the order of one in 1,000 quite acceptable." Unfortunately, the very, very best anti-spam programs, when set to stop the most possible spam, average one false positive in a hundred.

Still, for the sake of end users, not to mention the workload on your mail servers and network bandwidth, a network engineer must do the best he or she can, so let's take a look at each of the spam-blocking methods.

Blacklists

The idea is simple. Determine the domain names or IP addresses of known spammers and their ISPs, and then block them. Typically, you subscribe to a blacklist listing and then use it at your gateway to refuse any mail traffic (SMTP or POP) from the spammers. Unfortunately, blacklists can also block perfectly fine users that happen to have the bad luck of being at the same ISP, or simply having an IP in the same IP address range, as a known spammer.

Worse still, blacklists are as subject to human error as any such listing, and many users or their e-mail systems are unfairly tarred with a blacklist. Adding insult to injury, getting off some blacklists can be almost impossible for ISPs or individual owners.

SpamCop, for example, is infamous for being overaggressive in blocking possible spam sites. Another problem is that when a spammer can change his e-mail address faster than you can change your underpants, the overall effectiveness of blacklisting drops enormously. For example, Giga reported in "MAPS Realtime Blackhole List Under Fire" that even the well-respected Mail Abuse Prevention System/Realtime Blackhole List RBL (MAPS/RBL) snags only 25% of spam and can block up to 34% of good mail.

That said, careful use of blacklists can still be helpful from keeping spam from ever getting past your network perimeter. The Spamhaus Project, for example, has a reputation for maintaining accurate and up-to-date spammer lists, and the Open Relay Database remains useful for identifying unsecured mail servers that can easily be used for spamming.

Whitelists

Whitelists sound like a good idea. Users simply refuse to receive mail from anyone unless they've first approved the specific message or the sender. This works in two ways. In the first method, users simply block any message from anyone not on their approved list, while in the second form, software automatically replies with a verification message to emails sent from unknown addresses. These messages usually require the sender to send a message back confirming that there is in fact a real person on the other end of the Internet

Both forms of whitelists have two problems in common — they're cumbersome and they don't always work. For example, if a user likes getting mail from Amazon.com or an e-mail list, he or she must set up a specific rule to allow this. As another example, if a previously approved friend moves to a different e-mail address, the user must update his whitelist with the friend's new address or risk not receiving the friend's emails.

The list of negatives goes on and on. Whitelists sound like a good idea in theory, but they're too much of a pain for most users to be worth considering. Worse still, from an ISP's viewpoint, they're very cumbersome since they can generate tons of mail asking spammers for response messages, which is likely to only cause more spam.

Page 2: Rule-based filters

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter