Tuesday, October 23, 2007

Free Challenge Response Software Overview

The Free Challenge Response based Anti SPAM software available at www.SpamResearchCenter.com is extremely easy to install and configure. The software basically acts as a local POP3 server that retrieves your email from your service provider (e.g. Comcast, COX etc.), processes the email and makes available the "clean" emails for delivery to your local email client (e.g. Outlook Express). You simply configure your email client to go to 127.0.0.1 (localhost) instead of your email provider.

ISP email -> Local POP3 (Challenge/Response) -> Local Email Client (Outlook Express)

Monday, October 15, 2007

Sender Address Verification (SAV)

We've discussed how to stop SPAM just before it gets to your INBOX by sending a challenge to the sender's email address. However, there is an event that, depending on your anti-SPAM software, can occur at the very moment the email message reaches your mailserver. This SPAM fighting mechanism is called Sender Address Verification (SAV).

Sender Address Verification is the relatively simple process of probing each mailserver listed in the MX records for the domain of a given sender's email address. The probe asks each mailserver whether or not the sender's email address is actually handled by that server. The probe is repeated until one of the mailservers gives a definite positive or negative reply.

In general, here's how the probe works. Let's say your mailserver (SMTP) receives an email that indicates that it's from "somebody@abcdomain.com". In trying to deliver the email to you, the remote mailserver connects to your local mailserver and issues a "MAIL FROM: somebody@abcdomain.com" command. However, if you have Sender Address Verification enabled, your mailserver doesn't simply trust the email and accept it for delivery. Instead, it takes the domain portion of the originating email address (i.e. abcdomain.com) and queries the Domain Name System (DNS) for the Mail Exchange (MX) records of that domain. The DNS query would return something like the following:

10 mail.abcdomain.com
20 mail2.abcdomain.com

The Sender Address Verification would start by connecting to the first MX server (i.e. mail.abcdomain.com) using Simple Mail Transfer Protocol (SMTP). It would then go through the steps of trying to send an email to the originating address (i.e. somebody@abcdomain.com). This "conversation" with the remote mailserver is the "probe" mentioned earlier. If the remote mailserver accepts the recipient address as valid for receiving emails, your local mailserver accepts the original email for delivery. Conversely, if the remote mailserver rejects the recipient address, your mailserver simply discards the email. This probe continues through the servers listed in the MX records until either a positive or negative response is received.
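The probe loop described above, as an added Python example (not code from this blog or from the software it describes). All function and variable names are hypothetical; the MX list is passed in because the standard library has no MX resolver, the probe uses the null sender `<>` (an assumption, the post does not say which sender the probe uses), and the reply codes in the sample data are constructed.

```python
import smtplib

ACCEPT, REJECT, UNKNOWN = "accept", "reject", "unknown"

def classify(code):
    """Map an SMTP reply code to a definite or indefinite SAV answer."""
    if 200 <= code < 300:
        return ACCEPT    # remote server accepts the address
    if 500 <= code < 600:
        return REJECT    # permanent failure: address refused
    return UNKNOWN       # 4xx, timeout, no connection: keep probing

def smtp_probe(host, address, timeout=10):
    """Begin a delivery to `address` on `host`, stop after RCPT TO, return its code."""
    try:
        with smtplib.SMTP(host, 25, timeout=timeout) as conn:
            conn.helo()
            code, _ = conn.mail("")      # null sender <> (assumption, see lead-in)
            if not 200 <= code < 300:
                return 0                 # probe itself refused: says nothing about the address
            code, _ = conn.rcpt(address)
            return code                  # no DATA is sent; leaving the block issues QUIT
    except (OSError, smtplib.SMTPException):
        return 0                         # unreachable server is an indefinite answer

def verify_sender(address, mx_records, probe=smtp_probe):
    """Try MX hosts in preference order until one gives a definite reply."""
    for _preference, host in sorted(mx_records):
        verdict = classify(probe(host, address))
        if verdict != UNKNOWN:
            return verdict, host
    return UNKNOWN, None                 # what to do here is local policy

# Constructed sample data: the MX answer from the text plus made-up reply codes.
MX_RECORDS = [(20, "mail2.abcdomain.com"), (10, "mail.abcdomain.com")]
CONSTRUCTED_REPLIES = {
    "mail.abcdomain.com": {"somebody@abcdomain.com": 451, "nobody@abcdomain.com": 451},
    "mail2.abcdomain.com": {"somebody@abcdomain.com": 250, "nobody@abcdomain.com": 550},
}

def fake_probe(host, address):
    """Offline stand-in for smtp_probe that replays the constructed replies."""
    return CONSTRUCTED_REPLIES.get(host, {}).get(address, 0)

if __name__ == "__main__":
    for sender in ("somebody@abcdomain.com", "nobody@abcdomain.com", "other@abcdomain.com"):
        print(sender, verify_sender(sender, MX_RECORDS, fake_probe))
```

In the constructed data the first MX host answers 451 (a temporary failure), so the loop moves on to the second host, which is the case the "definite positive or negative reply" wording covers.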

So, Sender Address Verification (SAV) stops SPAM at the mailserver level and, in turn, reduces the number of emails that have to be handled at the anti-SPAM Challenge/Response level.

Monday, October 1, 2007

AntiSpam - Filters vs. Challenge Response

Here is a quick comparison of the Filter (Rule Based) and Challenge Response AntiSPAM methods.

Tuesday, September 25, 2007

Can SPAM Laws

Senate Bill 877, dubbed the Can Spam Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) was signed by President Bush and went into effect Jan 1, 2004. It was intended to go after large spammers and carry tough consequences for sending unwanted and offensive e-mails.

The law states that spammers:


  • Can't use false headers (fake email addresses or IP address)

  • Must have a Legitimate Physical Address

  • Must have a Valid Return Address

  • Must include a Valid Subject Line indicating the message is an advertisement

  • Must, if applicable, indicate that the email contains sexually oriented material

  • Must have a valid method for consumers to get off bulk lists "opt-out mechanism"


However, companies can still send you email even if you don't want it!

Basically, the law doesn't stop SPAM. It simply requires spammers to label their emails as SPAM, provide a valid return email address and allow their recipients to "opt-out" of their mailings. The problem is that most of the SPAM we receive is sent from countries other than the United States. In addition, using an "opt-out" mechanism actually helps the spammers verify that your email address is valid. So, quite often, spammers will allow you to "opt-out" of one campaign just to add your now-verified email address to another campaign. It's a never-ending cycle. This law has obvious and easily exploitable loopholes. I'm sure we can all agree that we haven't seen a decrease in SPAM since this law went into effect.

For more information, visit the FTC Website.

Saturday, September 22, 2007

Auto-Responders and Challenge/Response

I wanted to address a comment that was made to a previous post regarding spammers using auto-responders to defeat the challenge/response method of spam control.

Theoretically, it does seem that spammers could simply set up an auto response for any emails addressed to them so that they could get around systems like challenge/response. However, the reality of it is that most spammers (close to 100%) do not use addresses to which a response can be sent. Therefore, challenges are never delivered to them. They intentionally use invalid return email addresses so that they do not incur the costs associated with the huge number of bounces (emails that cannot be delivered) they often generate. Using a valid return address to process all the bounces just to look for challenge messages to which they would then respond would incur great processing expense and, in turn, defeat their economies of scale. Furthermore, it would also make spammers easier to block, track down and report.

Bottom line, trying to thwart challenge/response systems in this manner would defeat the cost-effectiveness of the bulk-mailing process. Simple economics allow challenge/response systems to provide effective SPAM prevention.

Now, if spammers do decide to use auto-responders, challenge/response systems could fairly easily modify their currently very simple methods to make it more difficult for spammers to use such a method. The level of difficulty could increase as much as is necessary for the sender to prove their humanity and legitimacy.

The idea is to keep the challenge/response systems as simple as possible to avoid inconveniencing legitimate senders, while at the same time difficult enough to thwart an automated response system. At the present time, most challenge/response systems offer the ability to confirm by simply replying to an email or clicking on a URL. There is no evidence to suggest that a more challenging procedure is even close to necessary at this time.

Better yet, if spammers do resort to auto-responders, we've all won a huge battle for the internet community by raising the bar and forcing them to leave breadcrumb trails leading right back to their lairs. So, as the focus on legislation continues, and spamming becomes an increasingly illegal activity, who will take these great risks for such little reward?

Finally, I would like to thank the person that asked the auto-responder question and prompted this reply. Please keep the questions coming. I look forward to any and all opinions regarding the prevention of SPAM.