No-cost solutions in the antispam ecosystem

Mail filters are becoming an absolute necessity, but caution should be exerted to protect the innocent, particularly when it comes to blacklists

Like the rising cost of postage stamps, increasing complexity in e-mail is inevitable. In the early, halcyon days of the Internet, SMTP connections flowed like a mountain spring and mail filters were used solely for mail organization. Now, the water is brackish, and mail filters are an absolute necessity.

But whose filters? Given the extraordinary volume of e-mail that most organizations receive, care and feeding of e-mail whitelists and blacklists is sporadic at best, and it's usually done only to address an acute problem. Subscription services such as Postini can alleviate this problem from an inbound perspective, but that's only half the battle.

Free DNS blacklists such as spamhaus.org and spamcop.net provide an interactive service to enable inbound mail servers to match the IP address of the server delivering mail against a list of known spamming servers via a simple DNS query. If a positive match is returned, the mail is rejected.

Many organizations also rely on whitelists, which are simply lists of domains, addresses, or SMTP relay IP addresses that are always allowed to deliver mail. In most infrastructures, this is a list of domains that are close partners with the company, and ancillary addresses or domains that would be caught in a spam filter but are valid.

The remaining list-based protection form is greylisting. A greylist rides the boundaries of the blacklists and whitelists, using interpretive back-end code and SMTP status flags to create dynamic whitelists and blacklists.

All three approaches have their place in the modern enterprise's battle against unwanted e-mail, but as with many well-intentioned schemes, caution should be exerted to protect the innocent, particularly when it comes to blacklists.

The vigilante approach

Although quite plentiful, DNS blacklists have had their share of controversy. Given enough subscribers, a listing on a DNS blacklist can render e-mail useless for the target. Of course, this is the whole idea, but it's not uncommon to find a site listed in a DNS blacklist that really doesn't belong there.

The reasons for this are varied. Direct reporting of a spamming IP address to a DNS blacklist may result in not just that IP but the whole netblock appearing on the list. Shared hosting suffers from a variant of this problem, as a single violating user can cause many sites to be blocked because they all originate from the same IP address. In other cases, end-users of large ISPs may decide to mark legitimate mailing-list mail as spam rather than unsubscribe from the list. Thus, that server may be blacklisted, at least from that ISP.

The lists themselves vary in focus and scope. The largest, sorbs.net, spamhaus.org, and spamcop.net, use general spamming guidelines to determine a host's status. Rfc-ignorant.org goes a step further and lists mail servers that violate RFC 821 and 2821, which govern SMTP communication. Unfortunately, there are quite a few legitimate mail servers that violate these RFCs due to poor design and implementation, and anyone using those servers is likely to be listed by rfc-ignorant.org even if they're not spammers. Certainly, those sites should be running compliant servers, but subscribing to this DNS blacklist can hamper otherwise legitimate communications.

That said, the most popular DNS blacklists have been honing their service over the past few years and offer significantly more accurate results than previous incarnations. In fact, services such as spamhaus.org and sorbs.net offer freely available lists that don't just blacklist known spammer netblocks, but also list known dynamic IP netblocks used by carriers for home broadband connections, hosts running open proxies, buggy Web code that can be co-opted to send spam, and lists of hosts that have been identified as zombies and are spamming at the whim of a botnet controller.

How popular are these DNS blacklists? Steve Linford at spamhaus.org estimates that the spamhaus network receives between 80,000 and 100,000 queries per second, and that doesn't count the number of large entities that don't use the public servers, but have arrangements to pull the DNS blacklist databases to local servers on a scheduled basis, which significantly reduces the amount of queries to the public servers.

Join the newsletter!

Error: Please check your email address.

More about AOLCygnusEFFPLUSPostiniSpamCopSun MicrosystemsVIAVigilante

Show Comments

Market Place