Tuesday, October 23, 2007

Free Challenge Response Software Overview

The Free Challenge Response based Anti SPAM software available at www.SpamResearchCenter.com is extremely easy to install and configure. The software basically acts as a local POP3 server that retrieves your email from your service provider (e.g. Comcast, COX etc.), processes the email and makes available the "clean" emails for delivery to your local email client (e.g. Outlook Express). You simply configure your email client to go to 127.0.0.1 (localhost) instead of your email provider.

ISP email -> Local POP3 (Challenge/Response) -> Local Email Client (Outlook Express)

Monday, October 15, 2007

Sender Address Verification (SAV)

We've discussed how to stop SPAM just before it gets to your INBOX by sending a challenge to the sender's email address. However, there is an event that, depending on your anti-SPAM software, can occur at the very moment the email message reaches your mailserver. This SPAM fighting mechanism is called Sender Address Verification (SAV).

Sender Address Verification is the relatively simple process of probing each mailserver listed in the MX records for a given sender's email domain. The probe asks each mailserver whether or not the sender's email address is actually handled by that server. The probe is repeated, server by server, until one of the mailservers gives a definite positive or negative reply.

In general, here's how the probe works. Let's say your mailserver (SMTP) receives an email that indicates that it's from "somebody@abcdomain.com". In trying to deliver the email to you, the remote mailserver connects to your local mailserver and issues a "MAIL FROM: somebody@abcdomain.com" command. However, if you have Sender Address Verification enabled, your mailserver doesn't simply trust that address and accept the email for delivery. Instead, it takes the domain portion of the originating email address (i.e. abcdomain.com) and queries the Domain Name System (DNS) for the Mail Exchange (MX) records for that domain. The DNS query would return something like the following:

10 mail.abcdomain.com
20 mail2.abcdomain.com

The Sender Address Verification would start by connecting to the first MX server (i.e. mail.abcdomain.com) using Simple Mail Transfer Protocol (SMTP). It would then go through the steps of trying to send an email to the originating address (i.e. somebody@abcdomain.com). This "conversation" with the remote mailserver is the "probe" mentioned earlier. If the remote mailserver accepts the recipient address as valid for receiving emails, your local mailserver accepts the original email for delivery. Conversely, if the remote mailserver rejects the recipient address, your mailserver simply discards the email. This probe continues through the list of servers listed in the MX records until either a positive or negative response is received.
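The probe loop described above, as an added Python example (not code from this blog or from the Spam Research Center software). It assumes the probe uses the null sender `<>`, stops after RCPT TO so no message is ever sent, and treats 4xx replies or unreachable servers as "not definite"; the HELO name `verifier.example` and the "undetermined" result are hypothetical choices.

```python
import smtplib

# MX answer in the "preference host" form shown in the post above.
SAMPLE_MX = "10 mail.abcdomain.com\n20 mail2.abcdomain.com"

def parse_mx(answer):
    """Return MX hosts ordered by preference (lowest number is tried first)."""
    records = []
    for line in answer.strip().splitlines():
        preference, host = line.split()
        records.append((int(preference), host.rstrip(".")))
    return [host for _, host in sorted(records)]

def smtp_probe(host, address, helo_name="verifier.example", timeout=10):
    """Ask one MX whether it would accept mail for `address`.

    Returns the RCPT TO reply code, or None if the server could not be reached.
    The session ends after RCPT TO; DATA is never sent, so nothing is delivered.
    """
    try:
        with smtplib.SMTP(host, 25, timeout=timeout) as conn:
            conn.helo(helo_name)
            conn.mail("")  # null sender "<>" (assumed, so the probe cannot bounce)
            code, _reply = conn.rcpt(address)
            return code
    except (OSError, smtplib.SMTPException):
        return None

def verify_sender(address, mx_answer, probe=smtp_probe):
    """Probe each MX in turn until one gives a definite answer."""
    for host in parse_mx(mx_answer):
        code = probe(host, address)
        if code is None or 400 <= code < 500:
            continue  # unreachable or temporary failure: not definite, try next MX
        if 200 <= code < 300:
            return "accept"   # the server accepts the address
        if 500 <= code < 600:
            return "reject"   # the server definitively refuses the address
    return "undetermined"     # no MX gave a definite reply; the post leaves this case open

def demo():
    # Constructed replies: the first MX is down, the second answers "no such user".
    replies = {"mail.abcdomain.com": None, "mail2.abcdomain.com": 550}
    return verify_sender("somebody@abcdomain.com", SAMPLE_MX,
                         probe=lambda host, _address: replies[host])
```

A server that answers 250 to every RCPT TO (a catch-all domain) will pass this check for any address, so an "accept" only means the probe found no reason to refuse.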

So, Sender Address Verification (SAV) stops SPAM at the mailserver level and, in turn, reduces the number of emails that have to be handled at the anti-SPAM Challenge/Response level.

Monday, October 1, 2007

AntiSpam - Filters vs. Challenge Response

Here is a quick comparison of the Filter (Rule Based) and Challenge Response AntiSPAM methods.

Tuesday, September 25, 2007

Can SPAM Laws

Senate Bill 877, dubbed the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act), was signed by President Bush and went into effect Jan 1, 2004. It was intended to go after large spammers and carry tough consequences for sending unwanted and offensive e-mails.

The law states that spammers:


  • Can't use false headers (fake email addresses or IP addresses)
  • Must have a Legitimate Physical Address
  • Must have a Valid Return Address
  • Must include a Valid Subject Line indicating the message is an advertisement
  • Must, if applicable, indicate that the email contains sexually oriented material
  • Must have a valid method for consumers to get off bulk lists (an "opt-out mechanism")


However, companies can still send you email even if you don't want it!

Basically, the law doesn't stop SPAM. It simply requires spammers to label their emails as SPAM, provide a valid return email address and allow their recipients to "opt-out" of their mailings. The problem is that most of the SPAM we receive is sent from countries other than the United States. In addition, using an "opt-out" mechanism actually helps the spammers verify that your email address is valid. So, quite often, spammers will allow you to "opt-out" of one campaign just to add your now-verified email address to another campaign. It's a never-ending cycle. This law has obvious and easily exploitable loopholes. I'm sure we can all agree that we haven't seen a decrease in SPAM since this law went into effect.

For more information, visit the FTC Website.

Saturday, September 22, 2007

Auto-Responders and Challenge/Response

I wanted to address a comment that was made to a previous post regarding spammers using auto-responders to defeat the challenge/response method of spam control.

Theoretically, it does seem that spammers could simply set up an auto response for any emails addressed to them so that they could get around systems like challenge/response. However, the reality is that most spammers (close to 100%) do not use addresses to which a response can be sent. Therefore, challenges are never delivered to them. They intentionally use invalid return email addresses so that they do not incur the costs associated with the huge number of bounces (emails that cannot be delivered) they often generate. Using a valid return address to process all the bounces just to look for challenge messages to which they would then respond would incur great processing expense and, in turn, defeat their economies of scale. Furthermore, it would also make spammers easier to block, track down and report.

Bottom line, trying to thwart challenge/response systems in this manner would defeat the cost-effectiveness of the bulk-mailing process. Simple economics allow challenge/response systems to provide effective SPAM prevention.

Now, if spammers do decide to use auto-responders, challenge/response systems could fairly easily modify their currently very simple methods to make it more difficult for spammers to use such an approach. The level of difficulty could increase as much as is necessary for the sender to prove their humanity and legitimacy.

The idea is to keep the challenge/response systems as simple as possible to avoid inconveniencing legitimate senders, while at the same time difficult enough to thwart an automated response system. At the present time, most challenge/response systems offer the ability to confirm by simply replying to an email or clicking on a URL. There is no evidence to suggest that a more challenging procedure is even close to necessary at this time.

Better yet, if spammers do resort to auto-responders, we've all won a huge battle for the internet community by raising the bar and forcing them to leave breadcrumb trails leading right back to their lairs. So, as the focus on legislation continues, and spamming becomes an increasingly illegal activity, who will take these great risks for such little reward?

Finally, I would like to thank the person that asked the auto-responder question and prompted this reply. Please keep the questions coming. I look forward to any and all opinions regarding the prevention of SPAM.

Friday, September 21, 2007

SPAM Prevention Methods Explained

There are many ways to fight SPAM. The most widely used methods are Rule Based and Challenge-Response. A quick and concise overview of these two methods follows.

However, for those impatient readers (I'm guilty of this as well), the bottom line is that I am partial to the Challenge-Response method of SPAM prevention and strongly recommend the completely FREE software offered by The Spam Research Center. I have evaluated many different anti-SPAM programs, both free and paid, and I can honestly say that their software will not only stop close to 100% of SPAM, but it will also save you time and frustration.

Rule Based Systems

As the name implies, these methods use "rules" to determine what is and what is not SPAM. They generally look for specific keywords or content in the email. They may also use special algorithms or a distributed "community" approach where SPAM examples are sent in by users (the community) to central servers. The "community" can then use this ever-growing database to detect and block SPAM. However, because the "rule" databases are in a constant state of change in an attempt to keep up with or stay one step ahead of the "spammers", there is always the chance that valid emails will be mistaken for SPAM. In an attempt to avoid this situation, the emails are usually "tagged" as SPAM by adding a specific keyword to the email header, subject line or some other field. These keywords can then be included in email client (Outlook Express etc.) rules so that the questionable emails can be routed to special email folders for later inspection or deleted. Unfortunately, an additional burden is then put on the user to monitor "spam" email folders for falsely "tagged" emails. Although many of these Rule Based methods do reduce SPAM, the necessity of updating "rule" databases, the ever-present possibility of valid emails being detected as SPAM and the time-consuming need to review "spam" folder(s) make these methods less than desirable.

Challenge-Response Systems

Although there is no perfect solution for eliminating SPAM, Challenge-Response methods have become increasingly popular. These methods are extremely simple and only require you to maintain a "white list" and a "black list". When an email is received from someone on your "white list", it is delivered. When an email is received from someone on your "black list", it is rejected and deleted. When an email is received from someone on neither of your lists, a simple "challenge" reply email is sent to them. When the unknown sender replies appropriately to the "challenge" message, they are added to your "white list" and their original and any future emails are delivered to your INBOX. The reason this method works so effectively is that "spammers" usually do not supply valid return email addresses and, if they do, there is usually a "robot" that sent the SPAM and it will not respond to your "challenge" message.
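The white list / black list / challenge flow described above, as an added Python example (not the Spam Research Center software's code). The class name, the random token carried in the challenge, the single challenge per unknown sender and the holding of later messages until confirmation are assumptions made for illustration.

```python
import secrets

class ChallengeResponseGate:
    """Decide what happens to each incoming message based on its sender."""

    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = {a.lower() for a in whitelist}
        self.blacklist = {a.lower() for a in blacklist}
        self.token_for = {}  # challenged sender -> token sent in the challenge
        self.held = {}       # challenged sender -> messages waiting for confirmation

    def receive(self, sender, message):
        """Return (status, token); token is set only when a challenge must be sent."""
        sender = sender.lower()
        if sender in self.whitelist:
            return ("delivered", None)
        if sender in self.blacklist:
            return ("rejected", None)
        if sender in self.token_for:
            # Already challenged: hold the message, do not send a second challenge.
            self.held[sender].append(message)
            return ("held", None)
        token = secrets.token_urlsafe(16)  # unguessable value the reply must carry
        self.token_for[sender] = token
        self.held[sender] = [message]
        return ("challenged", token)

    def confirm(self, sender, token):
        """Handle a challenge reply; return the held messages released to the INBOX."""
        sender = sender.lower()
        expected = self.token_for.get(sender)
        if expected is None or not secrets.compare_digest(expected, token):
            return []  # unknown sender or wrong token: nothing changes
        del self.token_for[sender]
        self.whitelist.add(sender)  # future mail from this sender is delivered directly
        return self.held.pop(sender)

def demo():
    # Constructed addresses and messages.
    gate = ChallengeResponseGate(whitelist=["friend@example.org"],
                                 blacklist=["bulk@example.net"])
    status, token = gate.receive("new@example.com", "first message")
    released = gate.confirm("new@example.com", token)
    return status, released, gate.receive("new@example.com", "second message")[0]
```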

Summary

Both Rule Based and Challenge-Response methods have their PROS and CONS. However, taking everything into consideration, I feel that the Challenge-Response method is the best to date. With that said, I DO NOT feel that all implementations of this method are equal. Some Challenge-Response software has the same shortcomings as software implementing the Rule Based method: "spam" folders to maintain and false positives.

I have evaluated many anti-SPAM solutions and can honestly say that I feel that Spam Research Center has the best challenge-response anti-SPAM software available today! This software has been thoughtfully designed and thoroughly tested to provide you with close to 100% SPAM protection without false positives. Better yet, the software is completely free!

I would be very interested to hear about any other free products that people have used with great success.