Looking for ways to control the spam beast?

This Post focuses only on technical and organizational measures to fight against spam. The legal aspects are not addressed.

Techniques based on the limited resources

These techniques can be used against issuers who pass all spam filter to your single server. Therefore we need to set restrictive rules on this server.

The idea underlying these methods is that the sender of spam or bomber misused resources of the mail server. Limiting the resources allocated to transport estimated abusive email, we limit the impact of spam, with a marginal negative effect on legitimate email.

Resources that can be limited, for example, depending on the options configuration tools:

  • the number of recipients per message;
  • the number of messages per source per unit of time;
  • the maximum size of a message;

Techniques based on the qualification of the source of the email

The idea is the basis of these techniques is that spam is sent by a server.

Existence of the mail domain of the sender

Some mail server software has an option to check if the sender’s domain exists. They block emails from domains that do not exist and therefore avoids emails with a field emitter fabricated.

The risk of mistakenly blocking is limited. In fact, these emails do not expect a response.


The idea is to describe the function of the mail server name that issued.

The reputation of a mail server that issued the spam recently is flawed, since it is assumed that it could again be issued. The sending server is identified by the only reliable information: its IP address.

– A first kind of blacklist identifies, based on reporting / whistle blowing, servers that sent spam.

The sending server spam whose name or IP address has been blacklisted takes the risk that a significant number of legitimate messages or not to send spam is automatically qualified and ultimately never read.

The first kind of blacklist has limited value. The sender of spam adapts to his server is not known by its IP address or domain name.

– Another kind of black list identifies open mail relays.

In a technique used by issuers is to identify spam mail servers configured as open relays and use them to relay spam. The address for the server by e-mail receiver is one of the mail relay, not the address of the sending server spam.

The bias of such a list is that the probability of receiving a spam mail relay open is greater than the probability of receiving spam to a server that is not open.

Authorized Connections Restrictions

– Some recommendations in the fight against spam advocate refuse mail from particular.

The underlying idea is that, normally, a particular user of the internet, when to send a message, configure email client (MUA) to connect directly to the server (MTA) of the provider . Conversely, a robot sending email, as some of those used by issuers spam, speaks directly to the recipient’s MTA or an open relay.

To counter this method, a technique increasingly used by issuers of spam is to take control of a machine poorly protected, using a Trojan horse for example, and install a server or mail relay. It is generally recognized that many individuals do not configure their home computer to allow it to withstand such takeovers. Machines connected to the IP address ranges allocated by ISPs to their retail customers are more often used to send spam that addresses business customers.

Also addresses allocated to individuals are often dynamic addresses (the user does not always have the same IP address). It is therefore difficult for an individual to place his own MTA on this type of address. This is another argument to say that, normally, on a range of IP addresses assigned to individual customers, there is no mail server deliberately installed by the owner of the machine.

When an email from a given IP address, it is plausible that it is a spam.

The downside is the risk of false positive can receive a legitimate email sender who has the skills to install an MTA on your personal computer.

Behavior of the mail server the email sender

Interpretation of error codes

The sender of spam, a pragmatic approach may be tempted to simplify his use of SMTP. In particular, given that the list of addresses available to it is imperfect and in order to reach as quickly as possible recipients whose addresses are valid, it is sometimes tempted to ignore the error messages returned by the mail server that sends e-mail messages.

A technical fight against spam called gray list is to send an error message temporary (That is to say, a type code 3xx). Transmitter to force the MTA to try to resend the email. If the email is successfully retransmitted, the sender address is stored for a few weeks.

The underlying idea is that a legitimate normally configured MTA will try to resend the email. In contrast, a software mass mailing email will not bother.

Interpretation of the SMTP protocol

The assumption is made that is spamming software is designed to send mail and not to receive. He can produce SMTP commands, but do not know how to interpret. Whether we are in the presence of a server or a spam mail server, we will test it with SMTP commands. Examples of tests:

– check if the server accepts the email sender MAIL FROM: <> (accepts he relay the error message?)

– whether the sending server agree to receive emails on their email postmaster (RCPT TO: postmaster@emetteur.com)

– check if the originating server agree to receive e-mails addressed to the address of the transmitter (RCPT TO: emetteur@emetteur.com).

The disadvantage is that if the source address of the message is falsified, as in the case of Joe Jobs, then the test server is not the one who actually sent the email.

Response to a challenge

When the message arrives, it is placed in a queue. The server sends a request to the sender to authenticate. Authentication is usually to provide a password or to visit a page. This requires the issuer phase human interpretation of the query. It should ensure that the collection of email addresses in this way is consistent with the statement made ​​to the CNIL .

  • The downside is that it slows down the delivery of mail. There is a risk of false positives.
  • Techniques based on the qualification of the message content
  • The basic idea of ​​these techniques is that the phenomenon of spam content covers quite stereotyped. The study of email content can help qualify or not spam.

Filter keywords

It is described as spam emails that contain certain keywords.

This technique is inadequate: it is very easy for a sender of spam to a minor modification of the text, which leaves intelligible but that bypasses the filter keywords.

Filter footprint

A filter footprint calculates a signature of the content of an email and compares it to a database of fingerprint messages classified as spam.

The underlying idea is that spam is in the mass mailing all the same.

There are two problems behind these tools:

  • – Like all system signature, fingerprint filter only detect known spam.
  • – The other problem is that minimal changes to the body of the text (some random characters) sufficient for fingerprinting is rendered ineffective because each fingerprint is different.

Heuristic filter

These filters are seeking to establish a probability that the message is spam by looking at its contents, and comparing it with the characteristics of spam sent in the past:

  • – HTML in the message body;
  • – many words written with capital letters only;
  • – keywords corresponding products often touted through spam;
  • – very large number of recipients;

Techniques based on system configuration

Policy against malware

More malware (viruses, Trojans, bots, …) install a mail server on the machine they compromised. This feature malicious tools is designed to facilitate the spread of spam.

The fight against spam, so it also fight against malware. The CERTA issued many documents on how to protect against malware.

Configure mail servers

Make a statement SPF

One way to help qualify an email received could be “is that the server that issued a machine is recognized by the domain master transmitter apparent legitimate to send email?”.

We have seen, the DNS domain through its MX record may indicate the mail server for receiving e-mail for the domain. It is absolutely necessary to send mail as the MUA and the MTA must determine which server acts as a relay the message to the recipient.

The MX does not answer the question is to determine which machines are set to send mail. There should be a kind of MX backwards.

This is the purpose of the SPF field. It identifies the DNS machines authorized by the domain of the mail issue. The MTA then have the option, upon receipt of EHLO MAIL FROM or to check whether the IP address of the sender of email claiming to come from mondomaine.com is one of the addresses reported by the domain manager mondomaine.com as an address authorized to send mail.

The downside is that at present the benefit of the SPF query field is low because few areas have filled.

Another disadvantage is that the interpretation of SPF may be wrong in some cases where the user mail forwarding.

Finally, the SPF as such is not sufficient. Transmitter spam may well buy their domain names and declare fields SPF for its fields. SPF proponents emphasize the need for reputation management.

Avoid uncontrolled relay

Unless you have a good reason to do otherwise, it is advisable not to leave open mail relay on the internet. A reasonably configured mail server should accept to relay that to the few areas needed (This is in no way a limitation on the type of messages that you can send or receive. This is a limitation on the use that third parties may make of the server to send mail to other parties).

Identify mail servers

Normally the deployment plan of a computer should specify which machines are intended to serve as a mail relay.

A provider of Internet access in its technical documentation indicates the server that makes available to its subscribers.

If allowed, the network scanner to find open port 25/tcp.

Some ISPs offer a service on routing protocols, such as BGP instance. Issuers have spam therefore possible to identify ranges of IP addresses for which no route is set, then declare the roads to the beaches and issue of spam from these beaches.

There are lists of IP address ranges unallocated. No traffic should come thereof.

A good practice is the filtered input and output of the network address ranges.

Techniques based on the behavior of the user

Using volatile addresses

Some tools collect spamming email addresses that they find on the compromised machine on which they are installed. In particular, such software can search mailboxes. A subscriber to one or more mailing lists would be an ideal target for such tools because a large mailing list with multiple publications per day is a source of many e-mail addresses stored on many machines Internet users.

To reduce the risk that e-mail address is collected under such conditions, it is recommended to use disposable email addresses to post to mailing lists or newsgroups in a blog or forum.

There are many on the internet providers that offer free mailboxes. Do not hesitate to create multiple mailboxes (one per use).

Give “garbage” addresses

Many sites require an email address for confirmation of service requested by example. Most of the time the service is confirmed by other means, provide an email address is both unnecessary and dangerous (if the site editor is unscrupulous as to address management that request or if the site is compromised and the database of addresses is stolen).

Do not hesitate to give an email address called “trash” in this type of site. This is to give an address (which can be created for the occasion) that we never recover.

Do not give the address of someone else

Each user should choose for himself his use of his email addresses.

We must avoid the email address of a third party in a form that you fill in its place without its prior agreement, or by giving its address in the form of a website like “send to a friend “or electronic postcard.

One way to protect the addresses of third parties who have confidence in you giving, is to e-mail recipients in the fields such as invisible Bcc (blind carbon copy or BCC), rather than the To and CC. It is therefore important that you have a lot of recipients in a message.

Avoid harvest email addresses

There are tools to collect email addresses without worrying about the consent of the owner. This is especially tools that extract email addresses published on the site. So that addresses are collected in this way should be avoided to publish the addresses of the sites.

It is best to publish only functional addresses rather than addresses.

There are tricks to publish email addresses in the hope that they fall collection tools:

  • – Replace the text of the address by an image that contains this text;
  • – use a riddle that requires a human being to extract the address.

Never reply to spam

Respond to an email is to confirm to the sender of spam the address to which he sent a message exists. Indirectly, is to expose oneself to receive many more emails.

Do not answer is not enough. Must still configure your mail reader does not respond to it instead of the player:

  • – do not send acknowledgment of receipt;
  • – prohibit the reader to upload images or other objects at remote sites;
  • – prohibit the execution of code JavaScript .

Back to home page –>  http://www.sbcgloballogin.org/