Stupid Spam-Fighting Tricks: Sucker Moves To Avoid
Fighting spam is a tough job, but somebody's gotta do it. Unfortunately, you've got time and budget concerns on one side, users on another, and a burning desire to reduce spam without deleting, rejecting, misdirecting, or delaying a single piece of legitimate mail. The sheer magnitude of the problem has fostered an army of solutions providers, ready to sell you products, solutions, philosophies, and fixes of the future, whether they cost money, devotion as a True Believer, or just a glance in the other direction as a few legitimate senders are blocked and important letters get kicked under the counter. Here's a poke at some of the lesser forms of anti-spam administration, by some of the higher forms of E-mail admins, programmers, and experts.
Stupid Black Listing
"Don't put all of your trust in something unauthenticated and not being run by an authorized organization," says Dr. Neal Krawetz, senior researcher for Secure Science Corporation's External Threat Assessment Team. "Black lists are being managed by arbitrary groups of volunteers, and there are innocent mistakes."
Krawetz says spammers and hackers have infiltrated the groups of volunteers. "Who's checking over the data submitted? No one, essentiallythere's no quality assurance." According to Krawetz, Monkey.com, a black list provider, was run out of business by a huge denial-of-service (DOS) attack, and its last act was to put up a black list that blacklisted everyone in the worldlarge corporations, everyone. "It caused an Internet-wide denial of service that lasted almost 24 hours, because a large number of ISPs who used SpamAssassin and that type of tool were downloading a list from Monkey.com," says Krawetz. "There is a list called spamhaus I can't E-mail. Unless you know the individuals, you can't get to them to submit or complain. As much as I don't want to see government run a black list, a government would have checks and balances. These are kids playing God."
Stupid Gray Listing
One of the main system administrator tricks is gray listinga combination of black listing and white listing that works something like a challenge/response. According to Secure Science CEO Lance James, the stupid thing is this: "What if you have two challenge/response people, and their messages loop back and forth, stuck in identifying each other?"
Stupid Server Mistakes
"Many ISPs that use Windows-based servers, instead of refusing potential spam at the time it's delivered, will attempt to send a bounce message later," says Robert Dinse, president of Eskimo North, a national ISP. "If it's refused at the time delivery is attempted, it goes back to the correct originating server, even if the address is forged, because that server is being refused. But if it attempts to bounce after the fact, it tries to send to the forged address. Spam is virtually always forged, and so is most virus E-mail. The result is that people get large quantities of bogus bounce messages for mail they didn't originate."
Is Dinse just picking on Windows? "I don't know that there isn't some broken UNIX software out there, but almost every server that I've looked at that does this has been Windows-NT based," he comments.
Stupid Range Blocking
"One common method for attempting to block spam is to block IP ranges," says Bill Schindler, partner in Abiliba Network Services, LLC. "Some service providers attempt to pattern-match the reverse-lookup of the incoming IP address to common dial-up (i.e., dynamic IP) naming patterns. (Dial-up usually has the IP address embedded in the reverse-lookup name.) They may also manually blacklist IP ranges they believe are dial-up only, or primarily owned by spammers," explains Schindler.
"It seems logical. Dial-up addresses shouldn't be running mail servers. So, blocking dial-up ranges should stop a lot of spam," he continues. So what's the problem? "ISPs selling business DSL (and other business broadband services with static IP addresses) often use the same patterns as dial-up. And many of those ISPs won't delegate the reverse DNS or set the reverse name to the domain that's using that address. Therefore, small businesses who've never sent spam are suddenly finding their mail servers blacklisted by large ISPs."
Stupid Assignment Trick
"Admins are the wrong people to deal with spam," says Dan Kaminsky, senior security consultant at Avaya Enterprise Security Practice. "We're geeks, and we try to find tech solutions to deal with spam. Look at the Justice Department. If it's Viagra spam, there are food and drug laws. Mortgage spam has finance laws. Porn has obscenity laws. For nearly everything that's spam, there are laws; get law enforcement to solve the problem. You don't have to examine the network packets! Caveat for network admins: They're not necessarily doing it wrongthey're the wrong guys to be doing it."
Stupid Negligence Trick
"If you're managing spam in an enterprise, you don't want to leave it to the users," says Brad Myers, network engineer/consultant at Myers Networking in Los Gatos, California, "because they don't know that if they open a spam message it just helps propagate further spam."
Stupid Port 25 Trick
"Several service providers are now blocking port 25," says Abiliba's Schindler. "They have it set up so the only way for their users to send mail is to go through their dumbprovider.net mail server. The intent is to block users from spamming the universe, but the service provider doesn't have any SPF records, so users' mail looks suspicious to servers that check SPF records. Dumbprovider.net redirects all mail to its own serverforcing legitimate users to spoof themselves."
Stupid Mail Jail Tricks
Isolating users from all suspected spam is stupid, according to Bradford Bingel, managing director of ITM3 in Walnut Creek, California. "It sounds well-intended, but sometimes even the best spam filters flag important messages as spam, so preventing a user from receiving it may cause major repercussions," says Bingel.
"A better strategy is to filter and deliver spam to an alternate mailbox," Bingel continues, "which the user can check within a set timeframe, after which the suspected spam will be deleted automatically. In today's litigation-happy business climate, that strategy gives users the option and responsibility of checking all E-mailincluding spamwhile virtually absolving IT of making a final determination regarding what E-mail is and is not delivered to users."
Stupid Postponement Trick
"The spam problem isn't going away, and postponing a decision to implement a spam-blocking solution bears a real cost in terms of lost productivity and loss of efficiency," says Les Kent, president of Progent Corporation of San Jose, California. "Users get so much spam it overwhelms them. They don't check their E-mail; they miss messages; it lowers the overall effectiveness of what E-mail can do. Making the investment [in spam blocking] saves money for the overall organization."
Stupid Rules Trick
"Some rules make sense, like blocking .exe and .com attachments," says ITM3's Bingel. "Some rules are questionable, like blocking .zip, .doc, and .xls files. But some rules don't make any sense, like blocking messages containing more than five attachments (so security threats and spam always come with lots of attachments?) or blocking messages that contain the words solicit or resume (perfectly acceptable words, in most contexts)."
Bingel particularly dislikes spam rules that block E-mail messages containing the word resume. Resume means both the job hunting tool (as in "Please accept my résumé") and recommencing a suspended activity (as in "We'll resume our discussions later"). As Bingel points out, the latter is perfectly acceptable within the context of business communications. "Maybe some E-mail admins should take an English lesson?" he wonders.
Stupid "Draw Binky" Trick
Another stupid trick is a character-recognition test, according to Secure Science's Lance James. The test uses a graphic that includes alphanumeric characters for a human to distinguish and key in, to prove that he's not a program. "You can write a program that would automate solving the testfill the picture up and find the letters. There was a challenge on Slashdot and someone broke it," says James.
Stupid Envelope-Sender Rejection Trick
"Some mail administrators violate RFCs by refusing to accept mail that has an empty envelope sender (<>), which is not the same as the From ID," says Abiliba's Schindler. "Sometimes spam has an empty envelope sender. However, mail admins need to finger spam by some other method, because it's an RFC requirement to accept empty envelope senders."
A delivery status notification (DSN) is a status messagewith an empty envelope sender addresssent to inform a sender of delivery problems or delivery failure, and whether there will be a further attempt to deliver. "If you block those status messages, your users will never know that a message didn't go through," says Schindler.
The Ultimate Stupid Spam-Blocking Trick
"The ultimate Stupid Spam-Blocking Trick is that the service provider forgets the purpose of the Internet: communication," says Schindler. "Instead, they think the purpose of the Internet is to block spam, so they get crazy. They do the equivalent of arresting everybody on the street because somebody on the block shoplifted."
Schindler's advice: Admins have to remember that every time you block an address or a server or a domain, you're stopping communication. "You have to ask yourself, 'Am I also blocking valid communicationcommunication my users want to receive?'"
Now goand be ye smart!