Having the right tools and knowing how to use them is the most fundamental rule in getting any job done. Anti-spam is no exception, effective filtering boils down to having the right technologies and employing them correctly.
Working in the development of two anti-spam products, the latest being IMF Tune, helped me accumulate quite some practical experience in this area. As always you see how some fundamental mistakes can disarm excellent technologies blocking their filtering power. On the other hand there exist some very simple tricks of the trade that can greatly improve filtering effectiveness.
So this inspired me to start this column and discuss practices that can degrade or improve filtering effectiveness. In the first instalment we discuss two common whitelisting blunders.
1. Don't whitelist your domain
We start immediately with one of the most classic traps rookies regularly fall into. All emails sent by our organization are of course legitimate. So if the sender address is from our domain this can be whitelisted, right? This logic makes sense to anyone not aware of spoofing.
Spammers forge sender addresses all the time. They can very easily set the sender using an address from our own domain. Indeed this is probably the most classic spoof. For example spammers and malware distributors will forge the administrator address in order to convince users to open their emails. They are well aware of the domain whitelisting mistake discussed here and will regularly try to exploit it.
The same logic applies to whitelisting single sender addresses (as opposed to the entire domain). A good number of spam emails are submitted using the same address for the sender and the recipient. Thus mailboxes whose address is listed in a sender whitelist are exposed to the same problem.
The most important point in this discussion is the fact that this type of whitelist is often unnecessary. To begin with, an organization should have complete control on all hosts that are legitimately allowed to send emails using its domains. This is fundamental as a compromised machine can cause great damage to the domain reputation. The most obvious consequence is to end listed in RBLs.
Users necessitating access to their email from outside should do so using an authenticated interface to the Organization's email servers. By accessing mailboxes directly through OWA or a VPN connection we bypass perimeter filtering altogether.
Another option is to use authenticated SMTP connections. Authenticated connections are normally ignored by anti-spam filters.
The third option is IP whitelisting. It is not uncommon to find applications that generate emails using the organization's domain. For example a mailing list application may use SMTP relaying to distribute newsletters. A fax server might also distribute faxes via email in this manner. In these cases IP whitelisting is the best solution for bypassing filtering.
2. Watch-out from whitelisting financial institutions, banks and organizations with popular brand name products.
The second rule for today is a close relative of the first. Again these types of whitelists are the favoured targets of spammers and phishing attacks. The most typical example is the whitelisting of newsletters from large software vendors. If a highly popular newsletter includes some signature that never changes, then spammers will be very tempted to use that to their advantage.
Final Tips
So today we started our anti-spam gold rules series with a look at some whitelisting malpractices. If you found today's tips interesting, you will also want to have a look at an earlier article, Use and Abuse of Anti-Spam White/Black Lists.
I will continue feeding this column with more points as I encounter these in my daily support work. All of my clients are hereby warned that their erring will be published for the benefit of all. And if you have your own golden rule to contribute do drop us a comment please.