Spam Free Email

Anti-spam ideas, tools and services

July 31st, 2004

The closed relay

So if open relays are bad, then what is the proper way to have things set up?

For the most part there are two different ways that email servers are set up to be closed relays.

First off, most email servers can easily be configured to only accept email from client software at specific IP addresses. This allows the email server to accept anything from any IP address on the internal network, while rejecting anything from the outside world. When receiving email from another email server, the receiving server should only accept email for a list of known email domains. This is usually a pretty short list.

The second way is to have the email user authenticate themselves before the email will be sent. This is a handy thing to do if you have users with laptops outside of your office who will be sending email as though they were inside your office. This is also nearly mandatory for anyone who is considering implementing SPF on their server and domain.
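The two rules above amount to a small decision function, and it is worth writing it down so the policy can be tested before it goes live. The following is an added example, not the blog author's configuration or any mail server's own code: the internal network, the hosted domains and the probe addresses are constructed documentation ranges, and the probe in is_open_relay is the same question a relay test asks (an outside, unauthenticated client asking you to deliver to a domain you do not host).

```python
import ipaddress

# Constructed policy for a hypothetical site (RFC 5737 documentation ranges).
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com", "example.net"}   # domains this server accepts mail for


def relay_decision(client_ip, authenticated, rcpt_domain,
                   internal_networks=INTERNAL_NETWORKS, local_domains=LOCAL_DOMAINS):
    """Return 'accept' or 'reject' for one RCPT TO, applying the closed-relay rules.

    1. Clients on the internal network may send to any domain (first method).
    2. Clients that authenticated with SMTP AUTH may send to any domain (second method).
    3. Everyone else may only deliver to the domains we host.
    """
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt_domain.lower().rstrip(".")
    if any(ip in net for net in internal_networks):
        return "accept"
    if authenticated:
        return "accept"
    if rcpt_domain in local_domains:
        return "accept"
    # This is the case an open relay gets wrong: outside client, foreign recipient.
    return "reject"


def is_open_relay(decision_fn):
    """Probe a policy the way a relay test does: an outside, unauthenticated
    client asking for delivery to a domain we do not host must be rejected."""
    return decision_fn("203.0.113.9", False, "not-ours.example.org") == "accept"


if __name__ == "__main__":
    for client, auth, domain in [("192.0.2.10", False, "anywhere.example.org"),
                                 ("198.51.100.7", True, "anywhere.example.org"),
                                 ("198.51.100.7", False, "example.com"),
                                 ("198.51.100.7", False, "anywhere.example.org")]:
        print(client, auth, domain, "->", relay_decision(client, auth, domain))
    print("open relay?", is_open_relay(relay_decision))
```

The probe is the check to keep around: run it against whatever policy object your server exposes after every configuration change, because the third rule is the one that quietly disappears when someone widens the internal network list to "fix" a laptop user.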

July 31st, 2004

The Open Relay problem

I don’t even know how many times this problem has been brought up or how many articles have been written about this, but it never seems to get fixed. That problem being Open Relays.

An open relay is an email server that will send email from any client software anywhere on the Internet. When the Internet was first designed this was not a concern. In fact this was most likely a very useful feature: if your mail server was down you could send your email through someone else’s. Easy, convenient and completely insecure :-)

Once the Internet was converted to be used as a commercial environment this became a problem. Now any person with a computer can send a million email messages to an email server that is an open relay, and then the resources of that server are used and abused to send out those messages.

To make this a bit clearer, if a spammer sent one 100Kb message to an open relay and it was destined to go to one million people, then that 100Kb message would be sent out 1,000,000 times. So the spammer sends out 100Kb of data and the abused email server sends out 100,000,000Kb or 100,000MB of data.

Not only does the person who owns the open relay get taken advantage of, but now the people who have been sent those spam messages have another piece of spam to deal with.

July 28th, 2004

Will SPF stop spam and viruses?

I mentioned SPF a few weeks ago in an earlier blog on this site. SPF, or Sender Policy Framework, is a technology that lets a receiving mail server look up in DNS which mail servers are allowed to send email for a domain, a kind of reverse lookup of mail servers.

In the current way that the domain name system (DNS) works you have a record called an MX (Mail eXchange) record. This record points to one or more mail servers that accept email for that domain. You can also place a priority on each MX record setting up the order in which email servers should be tried.

SPF adds a new record as a TXT record in DNS. This record primarily describes where email from a given domain can come from. So while the MX record is the way for the sending email server to find out where to send the email to, an SPF record is a way for the receiving email server to validate where the email is coming from.
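To make the MX/SPF contrast concrete, here is an added example of the receiving side's check, written for this page rather than taken from the author or from any SPF library. It is a deliberately simplified evaluator: it handles the ip4, ip6, a, mx, include and all mechanisms with the four qualifiers, and ignores macros, exp and redirect. The DNS data is an in-memory stub table (the DNS dict) built from documentation domains and address ranges, so the whole thing runs offline; a real deployment would replace lookup with a resolver call.

```python
import ipaddress

# Constructed in-memory DNS data standing in for a resolver.
# example.com / example.net are documentation domains; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:198.51.100.10 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stub resolver: return the records of one type for a name, or []."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """Pick the v=spf1 TXT record for a domain, if it publishes one."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for a sending IP.

    Mechanisms are tried left to right; the first one that matches decides,
    using its qualifier. 'include' matches when the included domain passes.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                   # domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(host, "A")
                          for host in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            continue                    # assumption: unsupported mechanisms are skipped
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' present


if __name__ == "__main__":
    for sender in ["192.0.2.25", "198.51.100.10", "203.0.113.5"]:
        print(sender, "claiming example.com ->", check_spf(sender, "example.com"))
```

Read the sample record as the author's MX comparison in reverse: the MX lookup tells a sender which host takes mail for example.com, while the mx mechanism here tells the receiver that mail from that same host is legitimate. The last probe, an address that matches nothing, lands on -all and fails, which is the forged-sender case the next paragraphs are about.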

So what does this do for spam and viruses?

In my humble opinion SPF has the ability to cut spam and viruses by 80% to 90% or more.

How many spam messages do you get from an email address that is not valid? All of these would go away unless they were sent through the correct email server for that domain name.

How many viruses forge email headers and look like they came from a friend of yours, even though they really came from a computer belonging to someone else in the world? These would all go away.

From a business perspective, this would eliminate all of the bank card scams, where the email looks like official correspondence from Citibank or even eBay but is really from scammers trying to get your credit card data.

So what is it going to take to make this a reality? It’s going to take the support of everyone who is in the tech field controlling any email server and/or the people who control their projects. The more people who publish SPF records and the more people who add SPF support to their incoming mail servers the faster this will become a reality.

Just think of all the time and money you and your company could save if you didn’t have to worry about 80% of the spam or viruses anymore. It’s worth it, it just needs to be done.

For more information about SPF check out http://spf.pobox.com/

July 27th, 2004

Using Regular Expressions to find IPs

In the past week, while I was trying to fight off a rather large spam/virus attack, I decided that I wanted to see how well the RBL lists that I was using were blocking spam. As it turned out I wasn’t blocking spam very well with the RBL and I really needed to use a different RBL.

The way I was evaluating the IP addresses was by using http://www.senderbase.org/. They have a great tool that will search multiple RBLs and tell you which ones an IP address is on.

Now I just needed to know which RBLs would block the IPs that were sending the spam to my servers.

So I decided that I needed to check the IP addresses in my log files against senderbase.org. Doing this by hand would have been a daunting task. But a quick script using regular expressions made it a snap.

Regular expressions are a simple way to search for some very complex patterns. In this case I was looking for the telltale signs of an IP address.

An IP address has four octets separated by dots or periods. So I know that each of the four numbers can be from 0 to 255 and there are four numbers with three dots between them.

Here is the regular expression that I came up with to find these IPs:

[0-2]*[0-9]*[0-9]\.[0-2]*[0-9]*[0-9]\.[0-2]*[0-9]*[0-9]\.[0-2]*[0-9]*[0-9]

The basics of how to read this are that the first number can be from 0 to 2, repeated zero or more times. The second number can be from 0 to 9, repeated zero or more times. The third number can be from 0 to 9, with at least one digit necessary. Then there is a literal period (escaped as \.) and the pattern starts over again.

This regular expression will catch things that are not IP addresses. Many programs, including sendmail, format their version numbers so that they look like this.

It also might be prudent to make the first part of the regular expression only look for digits from 1 to 2 instead of 0 to 2.

This is a very quick and dirty example of how to do this and I am positive that there are many more elegant ways of using regular expressions to find IP addresses, the bottom line is that this one worked very well for me.

So what was the rest of my script? I did a conditional loop to go through each line of the qmail log file, checked to see if any IP addresses were already collected in my list of IP addresses and then presented a web page that listed the IPs with a direct link to senderbase.org.

Now I am able to check through my log files to see if an IP address that recently sent me email should be blocked by an RBL that I am not using right now. If I notice enough of them, I will add a new RBL to my list and watch the spam dwindle away :-)
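The author's script, as described above, does three things: pull IP addresses out of each log line, keep only the distinct ones, and hand each to an RBL lookup. Here is an added example of that pipeline, not the author's code (the page does not say what language the original was in) and not a senderbase.org client. It tightens the regular expression so that each octet must be 0 to 255 and must stand alone, which drops the version-number false positives the author mentions, and it replaces the manual senderbase lookup with the query a DNS-based RBL actually answers: the IP's octets reversed under the list's zone. The qmail-style log lines, the dnsbl.example zone and its answer table are all constructed for the example.

```python
import re
from collections import Counter

# Strict dotted-quad pattern: each octet is 0-255 and the whole thing must not be
# glued to further digits or dots, so "8.12.11" (a sendmail-style version number)
# and "999.1.2.3" are not taken as IPs.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IP_RE = re.compile(rf"(?<![\d.])(?:{OCTET}\.){{3}}{OCTET}(?![\d.])")

# Constructed log lines in a qmail/tcpserver-like style; not real traffic.
SAMPLE_LOG = """\
@400000004107c7b22d1e1a34 tcpserver: ok 12345 mail.example.com:192.0.2.10:25 :203.0.113.45::4123
@400000004107c7b32f0a2c0c tcpserver: ok 12346 mail.example.com:192.0.2.10:25 :198.51.100.7::1025
@400000004107c7b4011d2a1c tcpserver: ok 12347 mail.example.com:192.0.2.10:25 :203.0.113.45::4130
@400000004107c7b501234567 status: local 0/10 remote 3/20 version 1.03.4 build 8.12.11
@400000004107c7b60a0b0c0d tcpserver: ok 12348 mail.example.com:192.0.2.10:25 :999.1.2.3::1
"""

# Constructed DNSBL: a real list answers an A query for <reversed-ip>.<zone>
# with a 127.0.0.x address when the IP is listed, and NXDOMAIN otherwise.
BLOCKLIST_ZONE = "dnsbl.example"              # placeholder zone, not a real list
DNSBL_ANSWERS = {"45.113.0.203.dnsbl.example": "127.0.0.2"}
OUR_SERVER = "192.0.2.10"                     # our own address appears on every line


def extract_ips(text, ignore=(OUR_SERVER,)):
    """Count every valid IPv4 address in the log, skipping our own server."""
    counts = Counter(m.group(0) for m in IP_RE.finditer(text))
    for ip in ignore:
        counts.pop(ip, None)
    return counts


def dnsbl_name(ip, zone=BLOCKLIST_ZONE):
    """Build the DNSBL query name: octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, answers=DNSBL_ANSWERS):
    """Stub for the A lookup a real resolver would make against the list."""
    return dnsbl_name(ip) in answers


def report(text):
    """Return [(ip, hit_count, listed)] with the busiest senders first."""
    counts = extract_ips(text)
    return [(ip, n, is_listed(ip)) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for ip, n, listed in report(SAMPLE_LOG):
        print(f"{ip:16} {n:4}  {'LISTED' if listed else 'not listed'}  ({dnsbl_name(ip)})")
```

The output is the same table the author built a web page around, with one extra column: an IP that shows up often and is already listed on a zone you are not yet querying is the signal to add that RBL to the server. The lookbehind and lookahead in IP_RE are what make the 0-255 check reliable; without them "2550.1.2.3" would match on its tail.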

July 26th, 2004

Spam List Creation

So how do spammers get your email address?

I’ve already mentioned email harvesting, where a spammer uses a computer program to spider (surf) the web and collect any valid email addresses it can find. They do this on Usenet as well.

The Whois database is another way for people to grab email addresses. They look at who owns the domain name and collect the email addresses that way.

Some companies will sell your email address after you have bought items from them. This is more common than people want to know about.

I have even seen evidence of major online email services selling the email addresses of non-members who send email through their system. Meaning that if you send email to a member from outside the system they can collect your email address and sell it to interested people. Remember, they have a privacy agreement with this member, not with the people who email their members.

I do believe that many spammers use viruses to do this dirty work for them. They will set up a honeypot computer and a few email accounts and let the computer get infected with an email worm, or other type of virus, then collect the data about email addresses that the worm collects as it tries to send itself across the web.

Those are just a few off the top of my head. If you think of any more please email me or post them on the forums.

July 23rd, 2004

Spam, Viruses and Worm rant

Okay, sorry for no blog yesterday, but I spent most of yesterday and today trying to figure out why my server was so slow.

Turns out that my email server currently has 155,000 messages in the queue that are no good and timing out over the next few days. The kicker is that every time the mail server (qmail, it’s the best) tries to clean up the queues it makes the server store up IO blocks, because it takes so much hard disk activity to look through 155,000 messages.

So every minute or two my server takes a 10 second break. I’m not happy.

I’ve changed some settings and added a few more RBL lists to my server settings, but it got me thinking that there should be a few more RBLs out there. A really good anti-virus or worm RBL would be great. Something that will put an IP address in for 24 to 48 hours every time an email message with a virus goes through the mail servers. I saw one out there, but it didn’t look like it was very well supported.

Then I got to thinking about an anti-hacker RBL. Any time you can detect a port scan or something of the like from an IP address it could end up in a specific RBL.

Now here’s the next idea for all this. I want a firewall that will use an RBL to block IP addresses from accessing anything inside my network. If you are on the anti-spam, anti-virus or hacker RBL lists it would simply block all traffic to and from my network. That would be nice …

July 21st, 2004

How much of your email is spam?

I was going through my inbox this morning after I woke up. Today seemed to be a light day for spam and no real email for me. I got 91 spam messages in under 10 hours and 0 real email messages.

How long can this continue before people simply stop using their email accounts?

I know a few people who want to change their email account but cannot because of the number of business and personal contacts that they would have to inform.

Then you make one mistake or get taken advantage of once online by someone selling your email address and you are back to square one again.

Something has to change before email is no longer a viable form of communication, or has that already happened?

July 20th, 2004

More on spam topics

Yesterday I was looking through the subject lines in my inbox and I gave a thought to looking up the keywords on Overture. You can find a great utility to look up keyword prices and similar keywords at http://www.pixelfast.com/overture/

Anyway the three I looked up were:

Hair Loss
Lose Weight
and
Debt Consolidation

To my surprise lose weight was the lowest at $1.87, and hair loss was $6.09 a click. Judging by the number of debt consolidation and refinancing spam messages I get, it did not surprise me that debt consolidation was $10.00 per click.

This goes back to the point that the only real way to stop spam is to remove the profit from it. If a spammer can make $5.00 per click (most services pay out about 50%) then the only way to stop them is to 1) not click on their links, 2) report them to the company that they are using to make money and 3) get laws in place that allow everyone to sue spammers in civil court.

If everyone were to dedicate effort into making that happen, spam would come under control pretty quickly.

July 20th, 2004

SpamHoneyPot progress

After doing a bit of research I’ve decided to follow the lead of the Realtime Blackhole Lists and use a DNS based system for the SpamHoneyPot.com data. I’ve already started building a dedicated DNS server for this and I hope to have a BETA version of the DNS stuff done over the weekend.

It seems to be easier than I thought it would be, so the only thing that would prevent this is if I end up having too much fun in my own life :-)

July 19th, 2004

Spammers and their topics

Ever wonder why spammers always seem to stick to the same few topics? Sex, real estate, prescription drugs and gambling seem to be the ones that I see the most. The answer, as always, comes back to money.

A quick look at 7Search.com’s top 100 paying keywords at http://7search.com/scripts/searchterms/top_paying.asp?n=100 will give you a quick idea of why spammers stick to their topics.

At the time of this writing the top keyword is ‘online casino’ paying out $5.04 a click. In fact the top 55 keywords are all about gambling. We then get into real estate and home loan related keywords mixed in with the casino words.

A quick look over at Overture puts the payout for ‘online casino’ at just over $3 and the Google AdWords stats are even larger than that.

So if you accidentally click on one of the links inside of a spam message it is possible that you will earn a spammer typically as much as half of that, or possibly $2.50 or more per click.

If we get 100 people to perform the action (remember our 1%/1% rule) on each spam message and the only action they have to do is click then a spammer could potentially earn $250 per spam batch they send out.

Bottom line, do a Google search on the topic if you really want to know, but if you don’t want spam anymore stop clicking on their links.