Stopping Spam at the Gateway
Bandwidth-sapping spam is more than an annoyance; it's increasingly becoming a drain on the bottom line. Fortunately, administrators can fight back with technology that yields cleaner inboxes and fewer mail server meltdowns.
Well, that's clear enough. Why such strong feelings? Rosen explains spam "chews up a lot of bandwidth and disk space." And the non-stop disk I/O sucks down system resources and significantly stresses the mail server. And why is this so annoying? Because it directly interferes with their ability to perform as an ISP and that, in turn, is slapping down the bottom line. This isn't just Panix's problem. All ISPs and corporate networks face it.
So what can you do about it?
Stopping Spam at the Gateway.
The fundamental problem with anti-spam protection as David Ferris, president of leading e-mail researcher, Ferris Research, says is that "the ideal goal is: 100% effectiveness, with 0% false positives. An impossible ideal." Still, "most people will find high false positive rates, of the order of one in 1,000, quite acceptable." Unfortunately, the very, very best anti-spam programs when set to stop the most possible spam average one false positive in a hundred.
Still, both for the sake of end-users, not to mention the workload on your mail servers and network bandwidth, a network engineer must do the best they can.
The idea is simple. Determine the domain names or IP addresses of known spammers and their ISPs, and then block them. Typically, you subscribe to a blacklist listing and then use it at your gateway to refuse any mail traffic (SMTP or POP) from the spammers. Unfortunately, blacklists can also block perfectly fine users who happen to be at the same ISP, or just in the same IP address range, as a known spammer.
Worse still, blacklists are as subject to human error as any such listing and many users or their e-mail systems are unfairly tarred with a blacklist. Adding insult to injury, getting off some blacklists can be almost impossible for ISPs or individual owners.
SpamCop, for example, is infamous for being overaggressive in blocking possible spam sites. Another problem is that, when a spammer can change his e-mail address faster than you can change your underpants, the overall effectiveness of blacklisting drops enormously. For example, Giga reported in "MAPS Realtime Blackhole List Under Fire" that even well-respected the Mail Abuse Prevention System/Realtime Blackhole List RBL (MAPS/RBL), snags only 25% of spam, and can block 34% of good mail.
That said, careful use of blacklists can still be helpful from keeping spam from ever getting past your network perimeter. The Spamhaus Project, for example, has a reputation of accurate and up-to-date spammer lists and the Open Relay Database remains useful for identifying unsecured mail servers that can easily be used for spamming.
Whitelists sound like a good idea. Users simply refuse to get mail from anyone unless they've approved the specific message or the sender. This works in two ways. In the first kind, users simply block any message from someone who's not on their approved list. The other kind, software automatically replies with a verification message to emails sent from unknown addresses. These messages usually require the sender to send a message back showing that's a real person on the other end of the Internet
So it is that we have two kinds of whitelists but they have two problems in common. They're cumbersome and they don't always work. For example, if a user likes getting mail from Amazon.com or an e-mail list, he must set up rules to allow this. If a friend moves to a different e-mail address list, the user must update his whitelist. If someone in HR, not his friend at the company, sends him a job-offer, he may never see it.
The list goes on and on. Whitelists only sound like a good idea; they're much of a pain for most users to be worth considering. Worse still, from an ISP's viewpoint, they're very cumbersome since they can generate tons of mail asking spammers for response messages, which is likely to only cause more spam.
Page 2: Rule-based filters