Email spam protection: Anti-Spam Techniques
- What are Anti-SPAM Techniques?
- How do I set up or configure Greylisting?
- How to set up the DNSBL antispam?

What are Anti-SPAM Techniques?

There are a number of services and software systems that mail sites and users can use to reduce the load of spam on their systems and mailboxes. Some of these depend on rejecting email from Internet sites known or likely to send spam. Others rely on automatically analyzing the content of email messages and weeding out those which resemble spam. These two approaches are sometimes termed blocking and filtering.

DNS-based Blackhole Lists, or DNSBLs, are used for heuristic filtering and blocking. A site publishes lists (typically of IP addresses) via the DNS, in such a way that mail servers can easily be set to reject mail from those sources. There are literally scores of DNSBLs, each of which reflects different policies: some list sites known to emit spam; others list open mail relays or proxies; others list ISPs known to support spam. Other DNS-based anti-spam systems list known good ("white") or bad ("black") IPs, domains or URLs, including RHSBLs and URIBLs.

Another method is "callback". Since a large percentage of spam has forged and invalid sender ("from") addresses, some spam can be detected by checking that this "from" address is valid. A mail server can try to verify the sender address by making an SMTP connection back to the mail exchanger for the address, as if it were creating a bounce, but stopping just before any e-mail is sent.

If you receive your email by SMTP directly from the Internet and find that you are receiving an unacceptable amount of spam, you can verify "name legality". In SMTP, the HELO command is used by the sending host during an SMTP transaction to identify itself to the receiving host. SMTP does not actually require the HELO name to be the host's real name, or even to be in the correct format for a host name.
It is extremely common, if not universal, for hosts sending spam to use fake HELO names.

Another approach to filtering undesired email is to use SPF (Sender Policy Framework). SPF verifies the authenticity of the sender's FROM address by performing a DNS query to check that the sending server is authorized to send email on behalf of that address.

You can also reduce comment spam on a blog with a comment timeout. This plugin automatically disables comments on older blog entries after a certain period of time. It also gives you an option to automatically keep them open for longer wherever there is an ongoing discussion.
The most popular antispam protection is a Bayesian filter that statistically calculates the probability that each inbound message is spam. Because it is measuring probabilities, the Bayesian approach considers all the content in an email, both good and bad. The Bayesian filter-based engine is automatically trained and updated via a spam database that is uploaded to the server, and/or trained manually on your local network. When the Bayesian mail content analysis technique is used, it is the statistics that do all the work.

The problem here is that a Bayesian filter requires training: when you start it for the first time, you need to feed it with your good mail and with your undesired email, telling it which is which. From that point on the Bayesian filter will try to decide what is spam and what is not, and sort the email into different folders. You still need to review both folders regularly and tell the filter whenever you spot misplaced email (sometimes it will miss a spam message, and sometimes it will put a valid email into the spam folder). Assuming that the emails you receive are fairly homogeneous in nature, it will start making fewer and fewer mistakes in a relatively short time. However, since spammers are trying to outsmart statistics, they come up with gibberish-content emails which often cause a miss, and you get spam in your INBOX.

So, now let's look at these techniques in detail.

Black Listing (RBL)

Also known as RBL (Realtime Blackhole List). It is maintained by system administrators who, using various spam detection tools, report badly behaving IP addresses (e.g. open relays, hosts that were detected sending undesired email, hosts with no registered DNS record, etc.). This information goes into a central database and is then shared with those who want to use it. So rather than trying to filter each email separately, here all email coming from a blacklisted IP is rejected as soon as the connection is established.
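The training-then-scoring loop described above, as an added example that is not part of the original article: a small word-statistics filter trained on a constructed corpus, where every token contributes evidence and a token never seen in training (gibberish padding, for instance) is neutral. The corpus strings and the 0.9 threshold are assumptions for the demonstration.

```python
import math
import re
from collections import Counter

def tokens(text):
    return set(re.findall(r"[a-z0-9$]+", text.lower()))

class BayesFilter:
    """Word-statistics filter as described in the text: trained on mail marked good
    or bad (and retrained on every misfiled message you correct), it scores new mail
    from the combined evidence of all its tokens."""
    def __init__(self):
        self.spam_docs = self.ham_docs = 0
        self.spam_words, self.ham_words = Counter(), Counter()
    def train(self, text, is_spam):
        if is_spam:
            self.spam_docs += 1
            self.spam_words.update(tokens(text))
        else:
            self.ham_docs += 1
            self.ham_words.update(tokens(text))
    def token_prob(self, word):
        # P(spam | word) with add-one smoothing: a word never seen in training
        # (gibberish padding, say) comes out at 0.5 and carries no weight.
        ps = (self.spam_words[word] + 1) / (self.spam_docs + 2)
        ph = (self.ham_words[word] + 1) / (self.ham_docs + 2)
        return ps / (ps + ph)
    def score(self, text):
        # Combine every token's probability in log space to avoid underflow.
        log_spam = log_ham = 0.0
        for word in tokens(text):
            p = self.token_prob(word)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))
    def is_spam(self, text, threshold=0.9):
        return self.score(text) > threshold

# Constructed mini-corpus standing in for a user's own good and bad mail.
SPAM = ["cheap meds online buy now limited offer", "buy cheap watches online click now",
        "limited offer win money now click here"]
HAM = ["meeting moved to tuesday please confirm", "attached the report from the tuesday meeting",
       "can we confirm the schedule for next week"]

def trained_filter():
    f = BayesFilter()
    for text in SPAM:
        f.train(text, True)
    for text in HAM:
        f.train(text, False)
    return f
```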
There are many RBLs available. Some are more aggressive (blocking whole net blocks), whereas others are more flexible. One way to deal with false positives here is to query several RBLs and then make a decision based on whether they all agree or not. This is a very good approach, as it requires almost no resources from the receiving system, since the rejection happens before any data is received. The main problem is that sometimes a legitimate IP is reported and legitimate traffic can't make it through. Usually the reason for this is that someone has sent SPAM from that IP, hurting all other users who also use that domain.

Greylisting

The idea is to temporarily reject mail from unfamiliar senders, based on the observation that some unsolicited bulk mail is sent via open proxies and other mechanisms that do not involve proper mail transfer agents (MTAs). Greylisting deliberately delays incoming mail the first time it is received from an unrecognized sender sending from a specific host. Subsequently, that sender's email from the same host is accepted without delay. Most spam is sent by virus-infected machines that try only once; greylisting eliminates such spam. Greylisting works by catching the "spambots" that send the most spam. Greylist filters flag the behaviour common to these spambots and then ask the sending server to try again. Since spambots are seldom set up to recognize this type of rejection and act on it, the mail they tried to send you the first time is tarred and feathered with the spam brush.

The above methods allow you to cut off about 90% of spam right at the mail delivery stage. Then, as mail is delivered, pass it all through the SpamAssassin content filter. The SpamAssassin technology heuristically examines each message against hundreds of time-tested rules and checks. Each message receives a score based on the likelihood that it is spam. This filtering is completely automated, but spam-scoring thresholds are customizable.
It also integrates directly with the Bayesian filter and offers many additional features, such as complete spam message reporting, header reporting and much more. There are a lot of other solutions for spam filtering, but none of them can guarantee 100% accuracy, and you will still have to take all the usual preventive measures. Keep in mind some don'ts to avoid spam:

- Do not select short or very easy usernames or aliases, as these are far more spam prone than slightly longer and more unusual ones. Underscores, hyphens and periods are also recommended as part of your username.
- It is crucial not to use valuable email addresses anywhere they are visible to others whom you don't know. Never leave your email address behind in guestbooks, petitions, web pages or similar places where spammers might collect it. If you must publish your email address, use a disposable one, or at least obfuscate the address using, for instance, words instead of the special characters ("AT", "DOT", etc.).
- Do not use real email addresses for signing up for (free) downloads of any kind online.
- Do not open suspicious-looking email or attachments. They might contain harmful viruses that can infect your computer and use it to send spam.
- Do not make purchases based on spam messages you receive; this eliminates the spammers' economic foundation.
- Do not use the same email address too much. Vary by using email aliases or disposable addresses.
- Do not use message preview if it displays scripts and external images. The email might send information back to the sender.
- Do not use the same username on several domains; it makes it easier for spammers to find you on other services.

ISPmanager supports GreyListing and Black Lists.
How do I set up or configure Greylisting?

The port milter-greylist is already included in the ISPmanager and Soft2006 templates. That means that Greylisting is enabled by default for all customers automatically, and each email account can opt out completely from Greylisting (see the end of this section). To set up milter-greylist on your VDS by hand, follow these steps:

- Add the line below to the file /etc/rc.conf so that milter-greylist runs automatically whenever you start your VDS:
  miltergreylist_enable="YES"
- Run milter-greylist:
  /usr/local/etc/rc.d/milter-greylist.sh start
- Change the sendmail configuration by modifying /etc/mail/yourhostname.mc (yourhostname is the name of your VDS). If there is no such file on your VDS, you will need to execute the following command first:
  # cd /etc/mail
  Add the line below to the file (after the text already there):
  INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock')
- Rebuild the mail server configuration and restart it:
  # cd /etc/mail
- Check how it works: when someone tries to send email from outside to your VDS email addresses, records of the following type must appear in /var/log/maillog:
  Mar 11 23:49:45 host sm-mta[79692]: l2BFmwMk079692: Milter: to=user, reject=451 4.7.1 Greylisting in action, please come back in 00:03:00
- Select the SPAM Protection icon and check that Greylisting is listed there. In case you can't find it, restart ISPmanager with killall ispmgr.

You can maintain your whitelists and blacklists from the Greylisting Settings page. You may add individual e-mail addresses or entire domain names to either list. You can at any time choose to enable or disable greylisting by going to Domain names or Mail boxes and selecting ON or OFF for greylisting in the domain/mail box settings.

The disadvantage of greylisting is the short delay in message delivery. In addition, greylisting can have trouble with mailers that switch SMTP server addresses before the initial delay has passed (15 minutes by default).
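The greylisting behaviour described in the Greylisting section and configured above, as an added example that is not milter-greylist's own code: a triplet store that answers 451 on the first attempt, accepts a retry once the 15-minute window has passed, honours address or domain whitelist and blacklist entries, and shows the failure mode just mentioned, a retry from a different outbound address. The client addresses, sender and recipient names, and the clock start T0 are constructed for the scenario.

```python
from datetime import datetime, timedelta

T0 = datetime(2007, 3, 11, 23, 49, 45)   # constructed clock start for the scenario

class Greylist:
    """Greylisting as described above: the first delivery attempt for an unknown
    (client IP, sender, recipient) triplet gets a temporary 451 reply; a retry
    after the delay window is accepted and the triplet is remembered. Whitelist
    entries skip the delay, blacklist entries are refused outright."""
    def __init__(self, delay=timedelta(minutes=15)):   # the page's default window
        self.delay = delay
        self.pending = {}       # triplet -> time of the first attempt
        self.known = set()      # triplets that already passed greylisting
        self.whitelist = set()  # addresses ("bob@example.org") or domains ("example.org")
        self.blacklist = set()

    @staticmethod
    def _listed(addr, entries):
        return addr in entries or addr.rsplit("@", 1)[-1] in entries

    def check(self, client_ip, sender, recipient, now):
        """SMTP reply for one delivery attempt: 250 accept, 451 try later, 554 refuse."""
        if self._listed(sender, self.blacklist):
            return 554
        if self._listed(sender, self.whitelist):
            return 250
        triplet = (client_ip, sender, recipient)
        if triplet in self.known:
            return 250
        first = self.pending.get(triplet)
        if first is None:
            # A spambot that never retries stops here; a real MTA queues the mail.
            self.pending[triplet] = now
            return 451
        if now - first < self.delay:
            return 451          # retried too early: "please come back in ..."
        del self.pending[triplet]
        self.known.add(triplet)
        return 250

def simulate():
    """Constructed scenario: a sender retrying from the same host, then the failure
    mode the text mentions, a retry from a different outbound address."""
    g = Greylist()
    args = ("alice@example.com", "user@example.net")
    same_host = [g.check("192.0.2.10", *args, T0 + timedelta(minutes=m)) for m in (0, 3, 16)]
    other_host = g.check("192.0.2.11", *args, T0 + timedelta(minutes=16))
    return same_host, other_host   # ([451, 451, 250], 451)
```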
How to set up the DNSBL antispam?

To set up DNSBLs (public blacklists) in ISPmanager, from the top menu click the Spam Protection tab, find dnsbl blocking > dnsbl block lists, and click Add new dnsbl block list. Then you need to select a DNSBL (or two). A good comparison is available. Find one with a policy you agree with, which is fairly thorough but not so aggressive that it is unusable. For instance, xbl.selwerd.cx is so aggressive it is considered unusable by many; FlowGoAway, on the other hand, targets only Flow Network mail and is not effective as a general filter. We would suggest bl.spamcop.net, dnsbl.njabl.org or dnsbl.sorbs.net.

As noted above, the disadvantages of DNSBLs include the fact that legitimate e-mail might be blocked if it originates from a server that is listed in the blacklist. Additionally, DNSBLs have been subject to Denial of Service (DoS) attacks in the past, so you may experience a delay in receiving e-mail.
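How a DNSBL lookup works and how the "query several RBLs and see whether they agree" idea from the Black Listing section fits together, as an added example that is not ISPmanager's own code: the reversed-octet query name, the 127.0.0.0/8 convention for a listing, a timeout treated as "not listed" so a slow or attacked list does not hold up delivery, and a verdict that blocks only when two lists agree. The zones are the three suggested above; the fake resolver, its answers and the 192.0.2.x client addresses are constructed so the example runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
ZONES = ["bl.spamcop.net", "dnsbl.njabl.org", "dnsbl.sorbs.net"]  # lists named on the page

def dnsbl_query_name(ip, zone):
    """A DNSBL is consulted by looking up the reversed octets under its zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Resolver using the OS: A records for `name`, or [] when it does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def dnsbl_listed(ip, zone, resolve=system_resolve):
    """True when the zone lists the address. Genuine listings answer inside
    127.0.0.0/8; any other answer (a dead or wildcarded zone) is ignored, and a
    lookup that times out counts as not listed rather than stalling delivery."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except (socket.timeout, TimeoutError):
        return False
    return any(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)

def rbl_verdict(ip, zones=ZONES, resolve=system_resolve, required=2):
    """Query several lists and block only when at least `required` agree, the
    false-positive mitigation suggested in the text. Returns (block?, hits)."""
    hits = [z for z in zones if dnsbl_listed(ip, z, resolve)]
    return len(hits) >= required, hits

# Constructed answers for a fake resolver so the example runs offline:
# 192.0.2.10 is on two lists, 192.0.2.20 on one, 192.0.2.30 on none, and
# the njabl lookup for 192.0.2.30 times out.
FAKE_ANSWERS = {
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "10.2.0.192.dnsbl.sorbs.net": ["127.0.0.6"],
    "20.2.0.192.dnsbl.sorbs.net": ["127.0.0.6"],
    "30.2.0.192.dnsbl.njabl.org": TimeoutError,
}

def fake_resolve(name):
    answer = FAKE_ANSWERS.get(name, [])
    if answer is TimeoutError:
        raise TimeoutError(name)
    return answer
```

With `resolve` left at its default the same functions query the real lists through the system resolver.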