Top 100 Opinions » Anti-Spam tips

Invalid Pipelining of Messages

admin — Tue, 08 Dec 2009 10:34:36 +0000

According to the SMTP protocol, several SMTP commands can be placed in one network packet and “pipelined”. For example, whenever an email with a CC: header is sent several SMTP “RCPT TO:” commands may be placed in a single packet instead of one packet per command. The SMTP protocol actually requires that errors are checked and synchronization occurs at certain points. However, many spammers will send out everything in a single packet since they are least bothered by the errors and this method is more efficient. Some MTAs, which detect this pipelining, will reject such mail anyways.

HELO/EHLO Checking Of Connections

admin — Wed, 02 Dec 2009 10:31:56 +0000

According to the RFC 5321 section 4.1.4 “An SMTP server CAN verify that the domain name argument in the EHLO command actually is same as the IP address of the client and if it fails, the server SHOULDN’T refuse to accept messages on that basis”.Hence to be in compliance with the RFCs, rejecting connections must be based on additional information/policies.

Refuse connections from hosts that give an invalid HELO – for example, a HELO that is not a FQDN or is an IP address not surrounded by square brackets.
- Invalid HELO localhost
- Invalid HELO 127.123.0.1
- Valid HELO mydomain.tld
- Valid HELO [127.123.0.1]

Refusing connection from a host that gives an obviously fraudulent HELO – issuing a HELO using the FQDN or an IP address that is unable to match the IP address of the connecting host.
- Fraudulent HELO friend
- Fraudulent HELO -233975334

Do not accept email from a hosted domain when the sending host is not authenticated.

Denying any email whose HELO/EHLO argument does not resolve in DNS. Unfortunately, some system administrators administer the MTA to use a non resolvable argument to the HELO/EHLO command.

Greylisting of Incoming Messages

admin — Wed, 25 Nov 2009 10:26:08 +0000

Greylisting (or graylisting) is a technique of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize as a legitimate one. If the mail is legitimate, the originating server will, shortly stop for some time and tries again and if sufficient time has elapsed, the email will be accepted. If the mail is from a spammer it will probably not be retried since a spammer goes through thousands of email addresses and typically cannot afford costs involved to retry. Greylisting is based on the assumption that spammers and spambots will not retry sending their messages but will move on to the next message and the next address. This method is effective since a retry means the state of the message and the process must be stored inherently, which increases the cost incurred by the spammer.

Greylisting emphasizes on the technique of temporarily rejecting messages from unknown mail servers. A temporary rejection is recognized with a temporary error code 4xx that is recognized by all normal Mail Transfer Agents (MTA)s,which then proceed to retry delivery later.

The main advantage of greylisting is that there is no need of any modification from the user’s point of view. The benefits for the administrator are two fold: it takes minimal configuration to get up and start running, and rejecting email with a temporary 451 is very cheap in system resources.

Implementing Greeting Delay

admin — Wed, 18 Nov 2009 10:24:45 +0000

An SMTP server has introduced a deliberate pause before sending the greeting banner to the client. In client server architecture, the client is required to wait and it is not supposed to send the message to the server unless it receives the banner. However, many spam-sending machines begin to send out messages before the banner is received and the servers can detect this and drop the connection.

However, some legitimate sites also fall prey to this mechanism. The mechanism also has a tendency to interact badly with sites performing callback verification, since common callback verification sites have timeouts much shorter than those mandated by RFC 5321.

Callback verification, also known as callout verification or Sender Address Verification, is a technique used by SMTP software in order to validate e-mail addresses. The most common target of verification is the sender address from the message envelope (the address specified during the SMTP dialogue as “MAIL FROM”). It is mostly used as an anti-spam measure.

Enforcing Simple Mail Standards

admin — Thu, 12 Nov 2009 10:23:50 +0000

Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks. SMTP was first defined in RFC 821 (STD 15), and last updated by RFC 5321 (2008) which includes the extended SMTP (ESMTP) additions, and is the protocol in widespread use today.

Enforcing the requirements of the Simple Mail Transfer Protocol (SMTP) can be useful in blocking email from computers that do not comply with the RFC standards. Many spammers use poorly written software or are unable to abide by the standards because they do not have legitimate control of the computer sending spam (Zombie computers). By applying certain restrictions to the MTA a mail administrator can reduce the spam that passes through significantly.

No Use In Responding To Spam

admin — Wed, 04 Nov 2009 10:18:33 +0000

Some of the people advocate responding aggressively to spam; in other words, that means, “spamming the spammer”. The underlying reason is to make spamming less attractive to the spammer by increasing the spammer’s overhead. There are several ways to reach the spammer but then they may even lead to retaliations by the spammer.

There is no use in replying directly to the spammer’s email address. Clicking reply will not help since most of the sender addresses are either invalid or forged. But in some of the cases, however, spammers do provide valid addresses as in the case of Nigerian scams.

Target the computers that are used to sending spam. In 2005, IBM had launched a service to bounce spam directly to the computers that send out spam. Since the IP addresses are present in the headers of the address the messages can be sent back, thus eluding the problem of forged email addresses. However, in many scenarios, the IP addresses do not correspond to the computers of the real spammer but to unsuspecting users with unsecured or outdated systems, which are hijacked through malware and form a part of the Zombie network controlled by the spammer.

Spammers selling their ware need a tangible point of contact such as a telephone number of the customer or the web site containing web forms through which the customers can fill out orders or inquiries or may even “unsubscribe” requests. Since the probability of a positive response to spam is less than 1/10000 and if a very small percentage of people leave negative messages on the web site, the negative messages could easily outnumber the positive ones and the incurring costs for the spammer to sort them out. Also the increased cost of the bandwidth, which the spammer hasn’t called for.

Related Links:
Response time

Keystroke logging: Types of Keystroke loggers

admin — Thu, 20 Aug 2009 14:53:10 +0000

Keystroke logging is a method of capturing and recording user keystrokes. Keylogging can be useful to determine sources of errors in computer systems, to study how users interact with systems, and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. Keyloggers are widely available on the Internet.

Types of keystroke loggers

Local Machine software Keyloggers: Are software programs that are designed to work on the target computers operating system? From a technical perspective they can be categorized into three categories:

Kernel based: This method is most difficult both to write, and combat. Such key loggers reside at the kernel level and are thus practically invisible. They almost always subvert the OS kernel and gain unauthorized access to the hardware, which makes them very powerful. A keylogger using this method can act as a keyboard driver for example, and thus gain access to any information typed on the keyboard as it goes to the Operating System.
Hook based: Such keyloggers hook the keyboard with functions provided by the OS. The OS warns them any time a key is pressed and it records it.

Creative Methods: Here the coder uses functions like GetAsyncKeyState, GetForegroundWindow, etc. These are the easiest to write, but as they require polling the state of each key several times per second, they can cause a noticeable increase in CPU usage and can miss the occasional key.

Remote Access software Keyloggers: Are local software keyloggers programmed with an added feature to transmit recorded data out of the target computer and make the data available to the monitor at a remote location? Remote communication is facilitated by one of four methods:

Data is uploaded to a website or an ftp account.
Data is periodically emailed to a pre-defined email address.
Data is wirelessly transmitted by means of an attached hardware system.
It allows the monitor to log into the local machine via the Internet or Ethernet and view the logs stored on the target machine itself.

Hardware Keyloggers – are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the computer keyboard and the computer. It logs all keyboard activity to its internal memory, which can be accessed by typing in a series of pre-defined characters. A hardware keylogger has an advantage over a software solution; because it is not dependent on the computers operating system it will not interfere with any program running on the target machine and hence cannot be detected by any software.

Related Links:
Wan acceleration