January 2, 2003



Controlling spam is one of the biggest challenges that organizations and individuals face today. Spam is unsolicited bulk or commercial mail, some common examples being mail on get-rich-quick schemes, breakthroughs in stopping the ageing process, pornographic material and chain mail. Apart from being a nuisance, spam also leads to loss of employee productivity and precious Internet bandwidth. Another cause of concern is the growing amount of malware–viruses, Trojans, malicious scripts–being spread with spam. These are the biggest security risk to all organizations. It’s important, therefore, to understand the nature of spam and how it spreads in order to control it.

Spreading roots
Spam is spread in a number of ways, the most common cause being registering at a public domain website or newsgroup. You could do that when downloading that interesting software you found on the Net, which requires you to fill in a registration form. Many sites collect such e-mail ids and market their databases to other companies, which makes it easy for spammers to get hold of your id. It’s best, therefore, to keep two separate e-mail ids, one for official use, and the other for such tasks. Also, be a little careful about the website you register at. 

Another widespread reason for spam outbreak is responding to such e-mail. Most spam mail provides information on how to unsubscribe from its mailing list. Usually, an e-mail id is given to which you must send a reply with “unsubscribe” as the subject line. Don’t ever fall into this trap. Responding to such e-mail just confirms to the spammer that your id exists, so that he can send you more spam.

Fight it on the desktop
Spam can be controlled at two levels: at the mail client or the mail server. Client-side control is about filtering unwanted mail either manually or by using a third-party utility. There is a lot of free and commercial software available for this, which carries a database of specific spam sites and common keywords found in spam. Most of these utilities only work with POP3 mail clients, such as Outlook Express or Eudora. They plug in to your e-mail client and scan all incoming mail. Think of them as an enhancement to message rules in a mail client. The utility automatically moves spam to the trash folder or deletes it, depending upon what you’ve configured it for. Since all spam mail gets filtered before even being read, such utilities help prevent the spreading of malicious scripts, such as the I Love U worm. While these utilities help save time that would otherwise be wasted in sorting genuine mail from junk, spam still takes a toll on the bandwidth. After all, the spam is being filtered only after being downloaded from the Internet. That’s where server-side spam control comes into the picture.

Block it out at the server
On the server side, one needs to set policies and filter out spam so that it never reaches the end user. Make sure that the server is not configured to relay mail openly because this will allow anybody, including spammers, to use your server to send e-mail to others. Most ISPs have blocked mail relaying, which makes it easier to track spam sites. There are also services, such as the Mail Abuse Prevention System (http://mail-abuse.org) and SpamCop (http://spamcop.net), which can be used to determine the blacklisted servers and block them. Using such services is a good way to block off the most common sources of spam. However, there are still other sources of spam that one needs to know about.

Other than using relay servers, spammers can also try to fake their identity by using forged e-mail headers. Such forged e-mail headers can easily fool the spam-control software into thinking that the spam mail is completely valid with respect to its origins. This is where using the service of blocking spam sites doesn’t help, and human intervention might be required at this stage. E-mail is sent using SMTP, which doesn’t support any sort of authentication. Consider a typical SMTP conversation between a client and a mail server.

220 mailhost.rcvdserver.com ESMTP Sendmail 8.8.5/1.4/8.7.2/1.13; Tue, Mar 18 2002 14:38:58 +0530 (IST)
HELO mail.senderserver.com

250 mailhost.rcvdserver.com Hello mail.senderserver.com [124.211.3.78], pleased to meet you 
MAIL FROM: test@senderserver.com
250 test@senderserver.com... Sender ok
RCPT TO: pcq@rcvdserver.com
250 pcq@rcvdserver.com... Recipient ok

DATA
354 Enter mail, end with "." on a line by itself
Received: from alpha.senderserver.com (alpha.senderserver.com [124.211.3.11]) by mail.senderserver.com (8.8.5) id 004A21; Tue, Mar 18 2002 14:36:17 +0530 (IST)
From: test@senderserver.com
To: pcq@rcvdserver.com
Date: Tue, Mar 18 2002 14:36:14 IST
Message-Id: <rth031897143614-00000298@mail.senderserver.com>
X-Mailer: Xan v2.32
Subject: hi

The quick brown fox jumps over the lazy dog -pcqman
250 LAA20869 Message accepted for delivery

QUIT
221 mailhost.rcvdserver.com closing connection

You’ll notice in this conversation that there’s no authentication happening. The sender can enter anything at the HELO prompt during identification. The same applies to the MAIL FROM prompt. The only credible source of information is the Received tag, as the sender has no control once the mail has left the source. So the IP address can be looked up by reverse DNS to identify the sender correctly. In this case, the IP address is automatically determined. So, one way to block this kind of spam is to check the headers. If there is a difference between the HELO response and the Received string, then the mail is obviously spam and should be blocked. Generally, there’s a gateway or firewall between the source and target, and these also add their own payload on top of these headers. The lowermost Received lines, therefore, should be looked into for confirming the sender’s identity.
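The header check described above, as an added example that is not part of the original article or of any product it mentions: it parses sendmail-style Received lines, lowermost first, and reports every hop where the HELO name differs from the name the receiving server recorded for the connecting IP. The sample messages are constructed; the top hop, dialup-45.example.net and 192.0.2.45 are made-up values, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Sendmail-style trace line: from <HELO name> (<reverse-DNS name> [<IP>]) by <host>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>[^\s;]+)", re.I)

def _norm(name):
    """Case-insensitive host name without a trailing dot ('' if missing)."""
    return (name or "").lower().rstrip(".")

def received_hops(raw):
    """Parse Received headers, lowermost (closest to the origin) first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))  # undo header folding
        if m:
            hops.append(m.groupdict())
    return hops

def helo_mismatches(raw):
    """Hops whose HELO name differs from the name the receiving server
    recorded for the connecting IP; a missing reverse-DNS name also counts."""
    return [h for h in received_hops(raw) if _norm(h["helo"]) != _norm(h["rdns"])]

# Constructed samples. ORIGIN_HOP is the Received line from the session above;
# the hop placed on top of it is what mailhost.rcvdserver.com would add.
ORIGIN_HOP = (
    "Received: from alpha.senderserver.com (alpha.senderserver.com [124.211.3.11])\n"
    "\tby mail.senderserver.com (8.8.5) id 004A21; Tue, Mar 18 2002 14:36:17 +0530 (IST)\n")
REST = "From: test@senderserver.com\nTo: pcq@rcvdserver.com\nSubject: hi\n\nbody\n"
CONSISTENT = (
    "Received: from mail.senderserver.com (mail.senderserver.com [124.211.3.78])\n"
    "\tby mailhost.rcvdserver.com; Tue, Mar 18 2002 14:38:58 +0530 (IST)\n"
    + ORIGIN_HOP + REST)
# Same HELO claim, but the receiver saw an unrelated peer (made-up values).
FORGED = (
    "Received: from mail.senderserver.com (dialup-45.example.net [192.0.2.45])\n"
    "\tby mailhost.rcvdserver.com; Tue, Mar 18 2002 14:38:58 +0530 (IST)\n"
    + ORIGIN_HOP + REST)

if __name__ == "__main__":
    for label, raw in (("consistent", CONSISTENT), ("forged", FORGED)):
        for hop in helo_mismatches(raw):
            print(label, "HELO", hop["helo"], "but peer was", hop["rdns"], hop["ip"])
```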

Server-side software
The best way to understand anything is to see it in action. That’s why we set up a commercial e-mail filter software for SMTP servers to see how well it can control spam. A commercial package, Super Scout Email Filter, can filter mail based on various factors like content and attachments. Any discrepancy can be logged and analyzed later to identify the action to be taken. This does not have a built-in mail server, but it is, in fact, a mail-routing system.

Typically, this kind of mail filter is installed on a computer that lies between the MTA (mail transfer agent) and the gateway. With such a configuration, only external mail (incoming or outgoing) is filtered. Internal mail is assumed to be ‘productive’ and, therefore, not filtered. Before installing the software, you’ll need the IP address of the current mail host, the relay host if you are not using MX records, and, of course, the IP address of the e-mail server’s MTA. Since the filter uses port 25 for mail transfer, which by default is used by most SMTP servers, we need to change the default port of the MTA to some other convenient port.

The software has three main modules: administration, rules, receive and send service. The administration client can be installed separately. Installation is quite simple. Once everything is set up, go to the Super Scout Email Filter icon, right-click and fire up the e-mail monitor. By default, there is no filtering, so go to Menu>Tools>Rule Administration and enable the rules you want to activate by clicking on the corresponding check boxes. You can also create custom rules. Just create a new rule (rule->new) and modify it by dragging and dropping various objects, such as message size and content. The logic of the rule is automatically created when the objects are dropped into the rules window.

The e-mail monitor has three partitions giving the details pertaining to the incoming mail, the filtering process and, finally, the log generated while forwarding the mail to the mail server. If an e-mail matches any of the rules, it is isolated and not forwarded to the mail server. This isolated mail can be analyzed later to see whether it was genuine or not.

This e-mail filtering utility also sports a Web interface for viewing reports. These reports are stored in a database, which is configured during the installation process (MS Access or SQL Server). The Web interface uses Java applets, so the Java runtime environment is a requisite. The installation process, however, does not detect the presence of the Java runtime environment.

Ankit Khare
