March 23, 2006

No-cost solutions in the anti-spam ecosystem

Blacklists, whitelists, and greylists are all essential spam-fighting tools. Here's how your organization can use them effectively

Like the rising cost of postage stamps, increasing complexity in e-mail is inevitable. In the early, halcyon days of the Internet, SMTP connections flowed like a mountain spring and mail filters were used solely for mail organization. Now, the water is brackish, and mail filters are an absolute necessity.

But whose filters? Given the extraordinary volume of e-mail that most organizations receive, care and feeding of e-mail whitelists and blacklists is sporadic at best, and it’s usually done only to address an acute problem. Subscription services such as Postini can alleviate this problem from an inbound perspective, but that’s only half the battle.

Free DNS-based blacklists (DNSBLs) such as spamhaus.org and spamcop.net let an inbound mail server check, with a single DNS query, whether the IP address of the connecting client is a known spam source. The server reverses the octets of the client's address and appends the list's zone name (checked against a list at bl.example, 1.2.3.4 becomes 4.3.2.1.bl.example), then looks up an A record. An answer in 127.0.0.0/8 means the address is listed, and the mail is rejected at SMTP time; an NXDOMAIN answer means it is not.
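The mechanics of that lookup, including the whitelist bypass described in the next paragraph, as an added example (not code from the original article). It runs offline against a constructed stand-in zone called rbl.example; the 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation space, and the meaning attached to each 127.0.0.x answer is invented for the fake zone. The sanity check follows RFC 5782: a working list must list 127.0.0.2 and must not list 127.0.0.1, which catches a zone that has been shut down and now answers "listed" for everything.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# A resolver maps a DNSBL query name to the A record it returns, or None for
# NXDOMAIN ("not listed"). Real deployments use the system resolver; the two
# resolvers below are constructed stand-ins so the example runs offline.
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets plus the list's zone,
    so 1.2.3.4 checked against bl.example becomes 4.3.2.1.bl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# "rbl.example" is a made-up zone name, not a real list. The entries are
# constructed: 192.0.2.0/24 is documentation space, never a real mail relay.
GOOD_ZONE = {
    dnsbl_name("127.0.0.2", "rbl.example"): "127.0.0.2",   # RFC 5782 test entry
    dnsbl_name("192.0.2.10", "rbl.example"): "127.0.0.2",  # listed as a spam source
    dnsbl_name("192.0.2.11", "rbl.example"): "127.0.0.4",  # listed as an open relay
}


def good_resolver(name: str) -> Optional[str]:
    return GOOD_ZONE.get(name)


def dead_resolver(name: str) -> Optional[str]:
    """A zone that was shut down and wildcarded: everything is 'listed'."""
    return "127.0.0.2"


# The meaning of a 127.0.0.x answer is zone-specific; this mapping is invented
# for rbl.example and must be taken from the real list's documentation.
RETURN_CODES = {"127.0.0.2": "spam source", "127.0.0.4": "open relay"}


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 section 5: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone failing the second test is probably dead and answering 'listed'
    for every query; consulting it would reject all inbound mail."""
    return (resolve(dnsbl_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_name("127.0.0.1", zone)) is None)


def check_sender(ip: str, zone: str, resolve: Resolver,
                 whitelist: List[str]) -> Tuple[str, str]:
    """Decide whether to accept the SMTP client at `ip`. Whitelisted relay
    netblocks (CIDR strings) bypass the DNSBL entirely, and the DNSBL is
    consulted only if it passes the sanity check."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return ("accept", "whitelisted relay")
    if not zone_is_sane(zone, resolve):
        return ("accept", "DNSBL failed RFC 5782 sanity check; not consulted")
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return ("accept", "not listed")
    return ("reject", f"listed in {zone} ({RETURN_CODES.get(answer, answer)})")


if __name__ == "__main__":
    partners = ["203.0.113.0/24"]  # constructed partner relay netblock
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.99", "203.0.113.5"):
        print(ip, check_sender(ip, "rbl.example", good_resolver, partners))
    print("dead zone:", check_sender("192.0.2.99", "rbl.example", dead_resolver, partners))
```

Failing open when the zone flunks the sanity check is a deliberate choice: a dead list should cost you some spam, not all of your inbound mail. Run the RFC 5782 probes periodically against every list you subscribe to, not just at configuration time.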

Many organizations also rely on whitelists, which are simply lists of domains, addresses, or SMTP relay IP addresses that are always allowed to deliver mail. In most infrastructures, this is a list of domains that are close partners with the company, and ancillary addresses or domains that would be caught in a spam filter but are valid.

The remaining list-based protection is greylisting, which sits between the other two. A greylisting mail server temporarily rejects, with an SMTP 4xx response, the first delivery attempt from any combination of client IP address, envelope sender and envelope recipient it has not seen before. A legitimate mail server queues the message and retries a few minutes later, at which point the combination is accepted and remembered; most spam-sending software never retries, so the message is never delivered. The effect is a dynamic whitelist built from sender behavior rather than from hand-maintained lists.
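The greylisting state machine just described, as an added example (not code from the original article). The delivery attempts it replays are constructed; the timing values, the /24 keying and the 451 response text are design choices that common greylisters such as postgrey also make, not anything mandated by the SMTP RFCs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[str, str, str]


@dataclass
class Greylist:
    """Triplet greylisting state for one inbound MTA. Times are seconds."""
    min_delay: int = 300            # a retry sooner than this is still deferred
    retry_window: int = 4 * 3600    # forget a triplet that never retries within this
    remember: int = 36 * 86400      # an accepted triplet stays whitelisted this long
    pending: Dict[Triplet, int] = field(default_factory=dict)  # triplet -> first seen
    passed: Dict[Triplet, int] = field(default_factory=dict)   # triplet -> last seen

    @staticmethod
    def key(client_ip: str, sender: str, recipient: str) -> Triplet:
        # Key on the client's /24 rather than the exact address: large senders
        # often retry from a different host in the same pool (postgrey's default).
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, sender.lower(), recipient.lower())

    def decide(self, client_ip: str, sender: str, recipient: str, now: int) -> Tuple[int, str]:
        """Return the SMTP response to give at RCPT TO time."""
        k = self.key(client_ip, sender, recipient)
        if k in self.passed and now - self.passed[k] <= self.remember:
            self.passed[k] = now                       # refresh the whitelist entry
            return (250, "OK")
        first = self.pending.get(k)
        if first is None or now - first > self.retry_window:
            self.pending[k] = now                      # first sight (or stale): defer
            return (451, "4.7.1 Greylisted, please try again later")
        if now - first < self.min_delay:
            return (451, "4.7.1 Greylisted, retry too early")  # keep first-seen time
        del self.pending[k]                            # retried after the delay: promote
        self.passed[k] = now
        return (250, "OK")

    def purge(self, now: int) -> None:
        """Drop pending triplets that never retried and expired whitelist entries."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.retry_window}
        self.passed = {k: t for k, t in self.passed.items() if now - t <= self.remember}


def run_scenario() -> List[int]:
    """Constructed delivery attempts: a spam engine that fires once and never
    retries, and a real MTA that queues and retries. Returns the SMTP codes."""
    g = Greylist()
    attempts = [
        (0,    "192.0.2.50",  "bulk@spam.example",   "alice@corp.example"),  # spam: one shot
        (0,    "203.0.113.7", "bob@partner.example", "alice@corp.example"),  # real MTA: first try
        (60,   "203.0.113.7", "bob@partner.example", "alice@corp.example"),  # retries too soon
        (900,  "203.0.113.9", "bob@partner.example", "alice@corp.example"),  # sibling MX, after delay
        (5000, "203.0.113.7", "bob@partner.example", "alice@corp.example"),  # next message: whitelisted
    ]
    return [g.decide(ip, s, r, t)[0] for t, ip, s, r in attempts]


if __name__ == "__main__":
    print(run_scenario())   # [451, 451, 451, 250, 250]
```

The cost of greylisting is a delay on first contact, and a few legitimate senders never retry or retry from an address outside the original /24. Those are exactly the cases a static whitelist exists for, so greylisting should be deployed alongside one rather than instead of it.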

All three approaches have their place in the modern enterprise's battle against unwanted e-mail, but as with many well-intentioned schemes, caution should be exercised to protect the innocent, particularly when it comes to blacklists.

The vigilante approach

Although quite plentiful, DNS blacklists have had their share of controversy. Given enough subscribers, a listing on a DNS blacklist can render e-mail useless for the listed site. Of course, this is the whole idea, but it's not uncommon to find a site listed in a DNS blacklist that really doesn't belong there.

The reasons for this are varied. Reporting a single spamming IP address to a DNS blacklist may result in not just that IP but the whole netblock appearing on the list. Shared hosting suffers from a variant of this problem, as a single violating user can cause many sites to be blocked because they all send from the same IP address. In other cases, end users of large ISPs may decide to mark legitimate mailing-list mail as spam rather than unsubscribe from the list; enough such reports can get the list's server blacklisted, at least by that ISP.

The lists themselves vary in focus and scope. The largest, including sorbs.net, spamhaus.org, and spamcop.net, use general spamming guidelines to determine a host's status. Rfc-ignorant.org goes a step further and lists mail servers and domains that violate RFC 821 and its successor RFC 2821, which govern SMTP communication. Unfortunately, there are quite a few legitimate mail servers that violate these RFCs due to poor design and implementation, and anyone using those servers is likely to be listed by rfc-ignorant.org even if they're not spammers. Certainly, those sites should be running compliant servers, but subscribing to this DNS blacklist can hamper otherwise legitimate communications.

©1994-2009 Infoworld, Inc.