Whitelists and Blacklists
These are lists of senders who are always
allowed (whitelisted) or always denied (blacklisted) the ability to
deliver messages. These whitelists/blacklists are less useful now
than they were when spam first became a problem, but they can be
helpful in some circumstances. Depending upon how they are
implemented, whitelist/blacklist checks can happen at one or more points along a
message's journey. For example, list checks can happen at the edge
of the network, at the POP/IMAP server, or at the email client.
Whitelists or blacklists can be enforced within
most MTAs at different times in the transfer of the message. Such
times include prior to the connection being accepted by the server,
after the connection has been accepted but before delivery to the
recipient, and at email recipient delivery time. Some of the more
common fields that can be whitelisted/blacklisted include
- From/To username or domain
- Server name, domain, or IP address
All modern MTAs have good support for
whitelisting and blacklisting. Many of the anti-spam packages
covered in this book have their own whitelist/blacklist support.
McAfee SpamKiller for Mail Servers even has hierarchical
whitelists/blacklists, allowing the administrator to override
certain client-listed items.
Whitelists/blacklists are an integral part of
many anti-spam solutions and are an added feature of others. For
example, POPFile's "magnet" feature is a whitelist/blacklist. In a
challenge/response system, after an email address is "known" to the
system, it is whitelisted so that the sender needn't go through
the authentication process on subsequent messages. SpamAssassin
gives you the ability to whitelist senders automatically.
Header Checking
Another common method of determining a
message's legitimacy is to perform header checks when the MTA
accepts the message. Some of the tests that can be done here
include
Valid From Address
One way spammers conceal their true identity is
by forging their From address. You can defeat this trick by
requiring your mail server to check the validity of the From
address's domain. Of course, spammers can counter this technique
by using valid From addresses, but many do not bother.
Sender Policy Framework (or
SPF) is an attempt to standardize the process by which a From
address is considered legitimate. This is accomplished by
publishing special DNS TXT records indicating that mail with a
particular From address should be coming from a certain set of
email servers. More information on SPF is available in Appendix A and at http://spf.pobox.com.
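The following is an added example, not code from this book or from any SPF implementation: a simplified evaluator for the ip4/ip6/include/all mechanisms described above. The records in SPF_RECORDS are constructed stand-ins for the DNS TXT lookups a real MTA would perform.

```python
import ipaddress

# Constructed SPF records, standing in for DNS TXT lookups of each domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None (constructed table, no real DNS)."""
    return SPF_RECORDS.get(domain)

def check_spf(client_ip, sender_domain, depth=0):
    """Evaluate a simplified SPF policy (ip4, ip6, include, all; qualifiers + - ~ ?).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # SPF caps include recursion; this also stops include loops
        return "permerror"
    record = lookup_spf(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifier_result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"  # default qualifier when none is written
        if term[0] in qualifier_result:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address => /32 or /128
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced domain's policy yields pass
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanisms beyond this simplified evaluator
        if matched:
            return qualifier_result[qual]
    return "neutral"  # no mechanism matched and no 'all' term was present
```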
DNS Checks
Similar in nature to the valid From address,
many spammers use servers with no forward or reverse DNS entries or
servers whose forward entry does not match the reverse. Mail
originating from servers with incorrect DNS setups like this can be
stopped with the appropriate setup in most MTAs. Be aware that
strict DNS checking may stop some legitimate email from getting
through to users, though.
Strict Header Checking
Email standards are defined by Request for
Comments, or RFCs. RFCs are the basis for how the entire Internet
interoperates at a low level. Email-specific RFCs specify how
sending email servers connect to recipient servers in order to
transfer their messages. Older versions of Sendmail are lax in
interpreting RFCs. For example, Sendmail version 8.8 and earlier
are very lenient in their default acceptance of parameters to the
MAIL FROM: and RCPT TO: commands. Other rigorous
header checking techniques include requiring HELO/EHLO,
accurate parameters to HELO/EHLO, etc. Many MTAs can
control how strict the server should be when accepting inbound
messages. Making these sorts of changes may reduce spam but can
also cause problems for legitimate email delivery from
misconfigured systems.
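As an added illustration (not from this book or any particular MTA), the function below replays a client's SMTP commands against the strict rules just described: HELO/EHLO must come first, its argument must be a fully qualified name or an address literal, and MAIL FROM/RCPT TO must carry a bracketed address. The reply codes and the exact syntax rules are simplified assumptions chosen for the example.

```python
import re

# Simplified hostname label rules and an IPv4 address literal such as [192.0.2.1].
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")          # at least one dot required
LITERAL_RE = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")
# Strict envelope syntax: reverse-path in angle brackets; empty <> allowed for bounces.
MAIL_FROM_RE = re.compile(r"^MAIL FROM:<([^<>\s]*)>(?:\s+.*)?$", re.I)
RCPT_TO_RE = re.compile(r"^RCPT TO:<([^<>\s]+)>(?:\s+.*)?$", re.I)

def check_helo(arg):
    """Return an error reply for a bad HELO/EHLO argument, or None if acceptable."""
    if not arg:
        return "501 HELO/EHLO requires a domain name"
    if FQDN_RE.match(arg) or LITERAL_RE.match(arg):
        return None
    return "501 HELO/EHLO argument is not a valid FQDN or address literal"

def check_session(lines):
    """Walk a client's commands in order and return the replies a strict MTA would give.

    Enforces: HELO/EHLO before any envelope command, a well-formed HELO argument,
    and bracketed MAIL FROM / RCPT TO addresses (a lax server accepts them unbracketed).
    """
    replies = []
    greeted = False
    for line in lines:
        cmd = line.strip()
        verb = cmd.split(None, 1)[0].upper() if cmd else ""
        if verb in ("HELO", "EHLO"):
            arg = cmd.split(None, 1)[1].strip() if " " in cmd else ""
            err = check_helo(arg)
            if err:
                replies.append(err)
            else:
                greeted = True
                replies.append("250 OK")
        elif verb in ("MAIL", "RCPT"):
            pattern = MAIL_FROM_RE if verb == "MAIL" else RCPT_TO_RE
            if not greeted:
                replies.append("503 Send HELO/EHLO first")
            elif not pattern.match(cmd):
                replies.append(f"501 Syntax: {verb} {'FROM' if verb == 'MAIL' else 'TO'}:<address>")
            else:
                replies.append("250 OK")
        else:
            replies.append("500 Command not recognised")
    return replies
```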
Blacklists and Whitelists
Blacklists and whitelists can be defined in all
modern MTAs. These lists can take the form of servers, domains, or
IP address ranges and can be static (defined locally on the server
in a text file or database) or dynamic (for example, domain name
system block lists or DNSBLs). When used at mail transfer time,
DNSBLs can reduce the amount of spam coming into a mail system.
However, use these lists with caution because they can end up
blocking legitimate messages if the block lists are too strict.
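The added example below (not from this book or any MTA) ties together the two DNS-based checks from the "DNS Checks" and "Blacklists and Whitelists" sections: forward-confirmed reverse DNS and a DNSBL lookup built by reversing the client's octets under a list zone. All records, the zone name bl.example.invalid and the reject/tag policy are constructed assumptions; a real deployment queries DNS instead of these dictionaries.

```python
import ipaddress

# Constructed forward (A), reverse (PTR) and DNSBL records; no real DNS is queried.
A_RECORDS = {"mx1.example.com": "192.0.2.10", "relay.example.org": "198.51.100.7"}
PTR_RECORDS = {"192.0.2.10": "mx1.example.com", "198.51.100.7": "smtp.example.org"}
# DNSBLs answer with a 127.0.0.x address for listed hosts; 127.0.0.2 is the usual "listed" code.
DNSBL_ZONE = "bl.example.invalid"  # placeholder zone, not a real block list
DNSBL_RECORDS = {"5.113.0.203.bl.example.invalid": "127.0.0.2"}

def resolve_a(name):
    return A_RECORDS.get(name)

def resolve_ptr(ip):
    return PTR_RECORDS.get(ip)

def fcrdns_status(ip):
    """Forward-confirmed reverse DNS: a PTR must exist and its A record must point back to ip.

    Returns 'ok', 'no-reverse' (no PTR) or 'mismatch' (forward does not match reverse).
    """
    name = resolve_ptr(ip)
    if name is None:
        return "no-reverse"
    return "ok" if resolve_a(name) == ip else "mismatch"

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the list zone (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip, zone=DNSBL_ZONE):
    answer = DNSBL_RECORDS.get(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.0.0.")

def evaluate_connection(ip):
    """Combine the checks as an MTA might at connection time.

    Policy is illustrative only: a DNSBL hit rejects, while a missing or mismatched
    reverse entry tags the message so strict DNS checking does not drop legitimate mail.
    """
    if dnsbl_listed(ip):
        return "reject: listed in " + DNSBL_ZONE
    status = fcrdns_status(ip)
    if status != "ok":
        return "tag: reverse DNS " + status
    return "accept"
```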
Content Filtering
The ability to scan email for certain
spam-identifying characteristics is an excellent method to reduce
spam. Content filters often generate a score for a message that
helps the end
user decide how to handle the message, rather than automatically
rejecting or sidelining the message. The user utilizes the email
client filtering capability to move messages identified by the
content filter to a junk email folder.
The downside of content filters is the effort
required to keep them current. Spammers constantly tweak their
messages to get past content (and other) filters.
Bayesian Analysis
Bayesian analysis is a special form of content
filtering, in which statistical analysis of the message components
(including headers) takes place. Bayesian analysis is a
particularly accurate way of identifying whether a message is spam.
Refer to Chapter 7,
"Introduction to Bayesian Filtering," for an introduction to
Bayesian analysis and Chapter 8, "Bayesian Filtering," for Bayesian
solutions. Chapter 9,
"Email Client Filtering," has a section on POPFile, which is
usually implemented on email clients such as Microsoft Outlook
Express. The Bayesian analysis can actually work as a complex
filtering mechanism to replace the filtering capability typically
included in the email client itself.
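To make the statistical idea concrete, here is an added example (not from this book, POPFile or SpamAssassin) of a small naive Bayes spam scorer: per-token spam probabilities are learned from a tiny constructed corpus, the tokens farthest from 0.5 are selected, and their probabilities are combined into a single score. The 0.4 default for unseen tokens and the 0.01/0.99 clamp are assumptions in the style of Paul Graham's scheme.

```python
import math
import re

# Constructed training corpus standing in for a user's real spam and legitimate mail.
SPAM = ["buy cheap pills now", "cheap offer click now free", "free free money click"]
HAM = ["meeting notes attached", "lunch tomorrow with the team", "attached the project notes"]

def tokens(text):
    return re.findall(r"[a-z0-9$'-]+", text.lower())

def train(spam, ham):
    """Count, per class, how many messages each token appears in (one count per message)."""
    spam_counts, ham_counts = {}, {}
    for msg in spam:
        for t in set(tokens(msg)):
            spam_counts[t] = spam_counts.get(t, 0) + 1
    for msg in ham:
        for t in set(tokens(msg)):
            ham_counts[t] = ham_counts.get(t, 0) + 1
    return {"spam": spam_counts, "ham": ham_counts, "nspam": len(spam), "nham": len(ham)}

def token_spam_prob(model, token):
    """P(spam | token); unseen tokens get a neutral-ish 0.4, others are clamped to [0.01, 0.99]."""
    s = model["spam"].get(token, 0) / model["nspam"]
    h = model["ham"].get(token, 0) / model["nham"]
    if s == 0 and h == 0:
        return 0.4
    return min(0.99, max(0.01, s / (s + h)))

def spam_score(model, text, top_n=15):
    """Combine the top_n most decisive token probabilities with the naive Bayes formula.

    score = prod(p) / (prod(p) + prod(1 - p)), computed in log space to avoid underflow.
    """
    probs = {t: token_spam_prob(model, t) for t in set(tokens(text))}
    chosen = sorted(probs.values(), key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
    if not chosen:
        return 0.5
    log_spam = sum(math.log(p) for p in chosen)
    log_ham = sum(math.log(1 - p) for p in chosen)
    return 1 / (1 + math.exp(log_ham - log_spam))
```

A client-side filter would compare the returned score against a threshold (for example 0.9) and move the message to a junk folder, which is the role the chapter describes for the email client's filtering capability.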