Spammers operate on the idea that they can buy eMail lists from other spammers, or they can create their own web bot or spider to crawl web sites looking for that ubiquitous at sign, '@'. You usually only see it in eMail addresses anymore, as I can't remember the last time I saw one in an item/price table -> 4@1.99. That @ sign is harvested along with the characters before and after it up to the nearest white space. It is then placed into a list and sold or stored for further processing. As a matter of fact, the '4@1.99' will be harvested and probably will be put in a list.


Spammers also launch dictionary attacks on mail servers. They buy or create a list of names in alphabetical order and test a mail server by attempting to send eMail to each name in the list at a specific domain... james@ jim@ jill@ john@ ... you get the idea. The mail server does its job by telling the spammer that a specific user is not known, while accepting mail for known users. OK, have the general idea? Now imagine a spammer at a tier one Internet connection: 1 hop to the Internet. That spammer is paying a premium price for this type of access. A little more imagination provides that the spammer has a HUGE list. The spammer creates an application that grabs names from the list, combines them with some sort of spam blurb, then blindly sends eMail to the list without waiting for the proper protocol handshakes that mail servers/mail clients do. It is the basic 'dump all the eMail and be done with it' scenario. Hardware isn't much of a hurdle for what they are doing; a dual Pentium 800 will run circles on a 155 Meg per second fiber connection with the right net stuff. It gets worse. Enter the virus writers. They provide robot machines to the spammers at some dollar cost per machine. Robot machine, you ask? Hmmmm, could be yours -> remember that attachment that you opened and nothing happened? Well guess what? Your machine could possibly be 'in line' to receive 1000's of eMail addresses to blindly send out using YOUR return addy and YOUR Internet connection. I am sure that you have seen or heard of folks getting a bunch of bounce messages for eMail that they didn't send? We can help.

 

Blocking open relay spam or exploit sites is done at the mail server level. We use a couple of live DNS black holes: when presented with an unwanted site, the correct IP address is not returned, but a local non-routable address is, by which the eMail server knows not to accept mail. We check your incoming eMail by scanning for various words, phrases and different types of mail headers, then assign a 'weight' according to the number/type of things found. Please see SpamAssassin for more information. The email's subject is then modified according to the 'weight' of the stuff that is found. You can then determine what to do with it after that. If you are a windoz user, you can set up filters in Outlook Express to move spam to the trash bin when it reaches a certain weight level. In concert are a couple of other ways that we fight spam: graylisting, blacklists, exploits, and open relays. We use SpamHaus to detect and delete email from known spammers; the Exploits database, which tracks IP addresses of illegal 3rd party exploits, including open proxies (HTTP, SOCKS, AnalogX, WinGate, etc.), worms/viruses with built-in spam engines, and other types of Trojan-horse exploits; and the open relay database for... duh, open relays.
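The DNS black hole check described above, written out as an added example (not the ISP's own code). The zone name and the answers in FAKE_ZONE are constructed stand-ins for a live list; a real mail server would ask its resolver instead:

```python
# DNS blackhole (DNSBL) lookup as the page describes (added example, not the ISP's code).
# FAKE_ZONE is a constructed stand-in for a live blackhole list; a real server would ask
# its resolver. Assumed: a listing answers with a 127.0.0.0/8 address, NXDOMAIN means
# not listed, and anything else is treated as a broken list rather than a hit.
import ipaddress

DNSBL_ZONE = "dnsbl.example"   # placeholder zone, not a real list

# constructed answers, keyed by the reversed-octet query name
FAKE_ZONE = {
    "9.113.0.203." + DNSBL_ZONE: "127.0.0.2",      # listed: local non-routable answer
    "8.113.0.203." + DNSBL_ZONE: "198.51.100.1",   # dead/wildcarded zone: routable answer
}

def query_name(client_ip, zone=DNSBL_ZONE):
    """DNSBLs are queried by reversing the IPv4 octets under the list's zone."""
    ip = ipaddress.IPv4Address(client_ip)            # raises ValueError on junk input
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def dnsbl_verdict(client_ip, resolve=FAKE_ZONE.get):
    """'reject' if the list returns a local non-routable address, else 'accept'."""
    answer = resolve(query_name(client_ip))
    if answer is None:
        return "accept"                              # NXDOMAIN: not listed
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "reject"                              # listed: the MTA refuses the mail
    return "accept"                                  # routable answer: broken list, don't block on it
```

The last branch matters in practice: a list whose domain has expired and been wildcarded would otherwise reject every connection.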

 

Graylisting is by far the most important widget to fight spam. Since we established its use, 70% of the spam that our users received just went away! Gone, finished, nada!

To understand, some concepts need to be explained:
  • SMTP was built for intermittent connections: servers go down, networks go down, or both can be too busy to accept data.
  • Spammers are cheap.
  • Internet bandwidth is expensive.
With me so far? OK, SMTP is really useful in regards to transferring eMail from relay to relay. If one of the relay machines goes down, or is too busy to accept eMail, the sending machine queues the mail for later delivery. Graylisting uses this function to thwart the spammers. The FIRST email you get from an unknown relay/server is temporarily failed (TEMPFAIL) for a short time. Normal SMTP operation would be to 'queue' the eMail, then wait a predetermined amount of time before trying to retransmit. Spammers don't wait for this delay, as they don't queue email that doesn't reach its final destination; it is time consuming and hardware expensive to wait on a few thousand eMails. This 'blind sending of eMail' is what graylisting is made for. A 70% reduction in spam tells it all! Note that we keep a database of 'known good' eMail names, domains and IP addresses to check against. This data stays live for 33 days, which permits you to receive eMail normally without delay. Remember that ONLY the FIRST unknown email/domain is tempfailed! After we have it in the database, mail flows normally as long as we are within the 33 day grace period. Each time an eMail/domain comes in, the 33 day timer is reset. You can read the applicable wording in RFC2128 here if you wish.
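The TEMPFAIL-then-retry logic above, written out as an added example (not the ISP's own code). The 33-day timer and its reset on every delivery come from the page; keying the database by (client IP, sender, recipient) and the 5-minute minimum wait before a retry is honoured are my assumptions:

```python
# Greylisting decision logic as the page describes (added example, not the ISP's code).
# Assumed details: the database is keyed by (client IP, sender, recipient), a retry
# counts only after RETRY_MIN, accepted entries live 33 days and each delivery resets it.
from dataclasses import dataclass
from datetime import datetime, timedelta
RETRY_MIN = timedelta(minutes=5)   # assumed minimum wait before a retry is honoured
GRACE = timedelta(days=33)         # page: known-good data stays live for 33 days

@dataclass
class Entry:
    first_seen: datetime
    last_seen: datetime
    passed: bool = False

class Greylist:
    def __init__(self):
        self.db = {}   # (ip, sender, rcpt) -> Entry

    def check(self, ip, sender, rcpt, now):
        """Verdict for one delivery attempt: '250' accept or '451' TEMPFAIL."""
        key = (ip, sender.lower(), rcpt.lower())
        e = self.db.get(key)
        if e and e.passed and now - e.last_seen > GRACE:
            del self.db[key]           # idle past the grace period: unknown again
            e = None
        if e is None:
            self.db[key] = Entry(first_seen=now, last_seen=now)
            return "451"               # first contact: a real MTA queues and retries
        if e.passed:
            e.last_seen = now          # every delivery resets the 33-day timer
            return "250"
        if now - e.first_seen < RETRY_MIN:
            return "451"               # retried too soon, keep tempfailing
        e.passed = True                # waited and came back: spammers don't
        e.last_seen = now
        return "250"

def simulate():
    # Constructed scenarios: a relay that queues and retries versus a fire-and-forget spammer.
    gl, t0 = Greylist(), datetime(2005, 1, 1, 12, 0)
    legit = ("198.51.100.7", "alice@example.org", "bob@example.net")
    spam = ("203.0.113.9", "x1@bulk.example", "bob@example.net")
    return {
        "legit_first": gl.check(*legit, now=t0),                            # 451
        "legit_too_fast": gl.check(*legit, now=t0 + timedelta(minutes=1)),  # 451
        "legit_retry": gl.check(*legit, now=t0 + timedelta(minutes=15)),    # 250
        "spam_first": gl.check(*spam, now=t0),                              # 451, never retried
        "legit_day30": gl.check(*legit, now=t0 + timedelta(days=30)),       # 250, timer reset
        "legit_day60": gl.check(*legit, now=t0 + timedelta(days=60)),       # 250, 30 idle days
        "legit_day100": gl.check(*legit, now=t0 + timedelta(days=100)),     # 451, 40 idle days
    }
```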

 

We can help using the above! At the least, you should contact your current ISP and ask them what they are doing for you. Anybody can be an Internet Provider. I am an Internet Service Provider and just love seeing my customers' eMail because of the amount of spam they are NOT getting! As a small provider, I can keep up with the leading edge technologies of virus and spam fighting. The bigger guys have to have multiple meetings and conferences to decide what and when to actually do something for their customers! I have been doing just this since 1999; MSN, Hotmail, Yahoo and AOL have just come up to speed in 2004/5!