Email Antispam

To prevent email spam (a.k.a. unsolicited bulk email), both end users and administrators of email systems use various anti-spam techniques. Some of these techniques may be embedded in products, services and software to ease the burden on users and administrators. No technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email vs. not rejecting all spam, and the associated costs in time and effort.

Detecting spam

– Checking words

People tend to be much less bothered by spam slipping through filters into their mail box (false negatives), than having desired email (“ham”) blocked (false positives). Trying to balance false negatives (missed spams) vs false positives (rejecting good email) is critical for a successful anti-spam system. Some systems let individual users have some control over this balance by setting “spam score” limits, etc. Most techniques have both kinds of serious errors, to varying degrees. So, for example, anti-spam systems may use techniques that have a high false negative rate (miss a lot of spam), in order to reduce the number of false positives (rejecting good email).

The content also doesn’t determine whether the email was either unsolicited or bulk, the two key features of spam. So, if a friend sends you a joke that mentions “viagra”, content filters can easily mark it as being spam even though it is neither unsolicited nor sent in bulk. Non-content base statistical means can help lower false positives because it looks at statistical means vs. blocking based on content/keywords. Therefore, you will be able to receive a joke that mentions “viagra” from a friend.

– Spamtrap

Spamtraps are often email addresses that were never valid or have been invalid for a long time that are used to collect spam. An effective spamtrap is not announced and is only found by dictionary attacks or by pulling addresses off hidden webpages. For a spamtrap to remain effective the address must never be given to anyone. Some black lists, such as spamcop, use spamtraps to catch spammers and blacklist them.

End user techniques

– Address munging

Posting anonymously, or with a fake name and address, is one way to avoid email address harvesting, but users should ensure that the fake address is not valid. Users who want to receive legitimate email regarding their posts or Web sites can alter their addresses so humans can figure out but spammers cannot. For instance, joe@example.com might post as joeNOS@PAM.invalid.example.com. Address munging, however, can cause legitimate replies to be lost. If it’s not the user’s valid address, it has to be truly invalid, otherwise someone or some server will still get the spam for it. Other ways use transparent address munging to avoid this by allowing users to see the actual address but obfuscate it from automated email harvesters with methods such as displaying all or part of the email address on a web page as an image, a text logo shrunken to normal size using in-line CSS, or as jumbled text with the order of characters restored using CSS.

– Avoid responding to spam

Spammers often regard responses to their messages—even responses like “Don’t spam me”—as confirmation that an email address is valid. Likewise, many spam messages contain Web links or addresses which the user is directed to follow to be removed from the spammer’s mailing list. In several cases, spam-fighters have tested these links, confirming they do not lead to the recipient address’s removal—if anything, they lead to more spam. This removal request of filing a complaint may get the address list washed. To lower complaints so the spammer can stay active before having to acquire new accounts and/or internet provider.

– Contact forms

Contact forms allow users to send email by filling out forms in a web browser. The web server takes the form data, forwarding it to an email address. Users never see the email address. Such forms, however, are sometimes inconvenient to users, as they are not able to use their preferred email client, risk entering a faulty reply address, and are typically not notified about delivery problems. Further, contact forms have the drawback that they require a website that supports server side scripts. Finally, if the software used to run the contact forms is badly designed, it can become a spam tool in its own right. Additionally, some spammers have begun to send spam using the contact form.

– Disable HTML in email

Many modern mail programs incorporate Web browser functionality, such as the display of HTML, URLs, and images. This can easily expose the user to offensive images in spam. In addition, spam written in HTML can contain web bugs which allows spammers to see that the email address is valid and that the message has not been caught in spam filters. JavaScript programs can be used to direct the user’s Web browser to an advertised page, or to make the spam message difficult to close or delete. Spam messages have contained attacks upon security vulnerabilities in the HTML renderer, using these holes to install spyware. (Some computer viruses are borne by the same mechanisms.)

Mail clients which do not automatically download and display HTML, images or attachments, have fewer risks, as do clients who have been configured to not display these by default.

– Disposable email addresses

An email user may sometimes need to give an address to a site without complete assurance that the site owner will not use it for sending spam. One way to mitigate the risk is to provide a disposable email address—a temporary address which the user can disable or abandon which forwards email to a real account. A number of services provide disposable address forwarding. Addresses can be manually disabled, can expire after a given time interval, or can expire after a certain number of messages have been forwarded. Disposable email addresses can be used by users to track whether a site owner has disclosed an address. This capability has resulted in legal jeopardy for sites that disclose confidential addresses without permission.

– Ham passwords

Systems that use ham passwords ask unrecognised senders to include in their email a password that demonstrates that the email message is a “ham” (not spam) message. Typically the email address and ham password would be described on a web page, and the ham password would be included in the “subject” line of an email message. Ham passwords are often combined with filtering systems, to counter the risk that a filtering system will accidentally identify a ham message as a spam message.[3]

The “plus addressing” technique appends a password to the “username” part of the email address.

Automated techniques for email administrators

– Domain Keys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators. A digital signature included with the message can be validated by the recipient using the signer’s public key published in the DNS.

All of our hosting packages have its DKIM enabled by default.

– Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is a simple email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is being sent from a host authorized by that domain’s administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged sender addresses, so publishing and checking SPF records can be considered anti-spam techniques.

All of our hosting packages have its SPF enabled by default.

SpamAssassin

SpamAssassin is the #1 enterprise open source email spam filter.

– Hybrid filtering

SpamAssasssin uses some or all of the various tests for spam, and assigns a numerical score to each test. Each message is scanned for these patterns, and the applicable scores tallied up. If the total is above a fixed value, the message is rejected or flagged as spam. By ensuring that no single spam test by itself can flag a message as spam, the false positive rate can be greatly reduced.

– Outbound spam protection

Outbound spam protection involves scanning email traffic as it exits a network, identifying spam messages and then taking an action such as blocking the message or shutting off the source of the traffic. Outbound spam protection can be implemented on a network-wide level (using policy-based routing or similar techniques to route SMTP messages to a filtering service). Or, it can be implemented within a standard SMTP gateway. While the primary economic impact of spam is on spam recipients, sending networks also experience financial costs, such as wasted bandwidth, and the risk of having IP addresses blocked by receiving networks.

– Statistical content filtering

Statistical (or Bayesian) filtering once set up, requires no administrative maintenance per se: instead, users mark messages as spam or nonspam and the filtering software learns from these judgements. Thus, a statistical filter does not reflect the software author’s or administrator’s biases as to content, but rather the user’s biases. For example, a biochemist who is researching Viagra won’t have messages containing the word “Viagra” automatically flagged as spam, because “Viagra” will show up often in his or her legitimate messages. Still, spam emails containing the word “Viagra” do get filtered because the content of the rest of the spam messages differs significantly from the content of legitimate messages. A statistical filter can also respond quickly to changes in spam content, without administrative intervention, as long as users consistently designate false negative messages as spam when received in their email. Statistical filters can also look at message headers, thereby considering not just the content but also peculiarities of the transport mechanism of the email.

All of our hosting packages have its SpamAssassin enabled by default.