Top 100 Opinions » eMail Spam

Invalid Pipelining of Messages

admin — Tue, 08 Dec 2009 10:34:36 +0000

According to the SMTP protocol, several SMTP commands can be placed in one network packet and “pipelined”. For example, whenever an email with a CC: header is sent several SMTP “RCPT TO:” commands may be placed in a single packet instead of one packet per command. The SMTP protocol actually requires that errors are checked and synchronization occurs at certain points. However, many spammers will send out everything in a single packet since they are least bothered by the errors and this method is more efficient. Some MTAs, which detect this pipelining, will reject such mail anyways.

HELO/EHLO Checking Of Connections

admin — Wed, 02 Dec 2009 10:31:56 +0000

According to the RFC 5321 section 4.1.4 “An SMTP server CAN verify that the domain name argument in the EHLO command actually is same as the IP address of the client and if it fails, the server SHOULDN’T refuse to accept messages on that basis”.Hence to be in compliance with the RFCs, rejecting connections must be based on additional information/policies.

Refuse connections from hosts that give an invalid HELO – for example, a HELO that is not a FQDN or is an IP address not surrounded by square brackets.
- Invalid HELO localhost
- Invalid HELO 127.123.0.1
- Valid HELO mydomain.tld
- Valid HELO [127.123.0.1]

Refusing connection from a host that gives an obviously fraudulent HELO – issuing a HELO using the FQDN or an IP address that is unable to match the IP address of the connecting host.
- Fraudulent HELO friend
- Fraudulent HELO -233975334

Do not accept email from a hosted domain when the sending host is not authenticated.

Denying any email whose HELO/EHLO argument does not resolve in DNS. Unfortunately, some system administrators administer the MTA to use a non resolvable argument to the HELO/EHLO command.

Greylisting of Incoming Messages

admin — Wed, 25 Nov 2009 10:26:08 +0000

Greylisting (or graylisting) is a technique of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize as a legitimate one. If the mail is legitimate, the originating server will, shortly stop for some time and tries again and if sufficient time has elapsed, the email will be accepted. If the mail is from a spammer it will probably not be retried since a spammer goes through thousands of email addresses and typically cannot afford costs involved to retry. Greylisting is based on the assumption that spammers and spambots will not retry sending their messages but will move on to the next message and the next address. This method is effective since a retry means the state of the message and the process must be stored inherently, which increases the cost incurred by the spammer.

Greylisting emphasizes on the technique of temporarily rejecting messages from unknown mail servers. A temporary rejection is recognized with a temporary error code 4xx that is recognized by all normal Mail Transfer Agents (MTA)s,which then proceed to retry delivery later.

The main advantage of greylisting is that there is no need of any modification from the user’s point of view. The benefits for the administrator are two fold: it takes minimal configuration to get up and start running, and rejecting email with a temporary 451 is very cheap in system resources.

Implementing Greeting Delay

admin — Wed, 18 Nov 2009 10:24:45 +0000

An SMTP server has introduced a deliberate pause before sending the greeting banner to the client. In client server architecture, the client is required to wait and it is not supposed to send the message to the server unless it receives the banner. However, many spam-sending machines begin to send out messages before the banner is received and the servers can detect this and drop the connection.

However, some legitimate sites also fall prey to this mechanism. The mechanism also has a tendency to interact badly with sites performing callback verification, since common callback verification sites have timeouts much shorter than those mandated by RFC 5321.

Callback verification, also known as callout verification or Sender Address Verification, is a technique used by SMTP software in order to validate e-mail addresses. The most common target of verification is the sender address from the message envelope (the address specified during the SMTP dialogue as “MAIL FROM”). It is mostly used as an anti-spam measure.

Enforcing Simple Mail Standards

admin — Thu, 12 Nov 2009 10:23:50 +0000

Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks. SMTP was first defined in RFC 821 (STD 15), and last updated by RFC 5321 (2008) which includes the extended SMTP (ESMTP) additions, and is the protocol in widespread use today.

Enforcing the requirements of the Simple Mail Transfer Protocol (SMTP) can be useful in blocking email from computers that do not comply with the RFC standards. Many spammers use poorly written software or are unable to abide by the standards because they do not have legitimate control of the computer sending spam (Zombie computers). By applying certain restrictions to the MTA a mail administrator can reduce the spam that passes through significantly.

No Use In Responding To Spam

admin — Wed, 04 Nov 2009 10:18:33 +0000

Some of the people advocate responding aggressively to spam; in other words, that means, “spamming the spammer”. The underlying reason is to make spamming less attractive to the spammer by increasing the spammer’s overhead. There are several ways to reach the spammer but then they may even lead to retaliations by the spammer.

There is no use in replying directly to the spammer’s email address. Clicking reply will not help since most of the sender addresses are either invalid or forged. But in some of the cases, however, spammers do provide valid addresses as in the case of Nigerian scams.

Target the computers that are used to sending spam. In 2005, IBM had launched a service to bounce spam directly to the computers that send out spam. Since the IP addresses are present in the headers of the address the messages can be sent back, thus eluding the problem of forged email addresses. However, in many scenarios, the IP addresses do not correspond to the computers of the real spammer but to unsuspecting users with unsecured or outdated systems, which are hijacked through malware and form a part of the Zombie network controlled by the spammer.

Spammers selling their ware need a tangible point of contact such as a telephone number of the customer or the web site containing web forms through which the customers can fill out orders or inquiries or may even “unsubscribe” requests. Since the probability of a positive response to spam is less than 1/10000 and if a very small percentage of people leave negative messages on the web site, the negative messages could easily outnumber the positive ones and the incurring costs for the spammer to sort them out. Also the increased cost of the bandwidth, which the spammer hasn’t called for.

Related Links:
Response time