Greetings,

Spam filters are a really big concern for most customers we have. They sure hate spam, know that it statistically means that their employees will lose some time filtering it out, not to mention those evil spams that carry malicious code or point to malicious sites.

Content filtering is really tricky, and most of those customers try to avoid it. They do it because they don't want to risk blocking a legitimate message in favor of 10 blocked spams. TBH, most of them employ 2 basic spam filtering techniques: source domain filtering and realtime blackhole lists (RBLs).

The source domain filtering has some concerns. The biggest one is the fact that most spam today forges the source email address, trying specifically to avoid such a mechanism. But they don't choose wisely (hope spammers won't read this message) and usually choose borked email domains, making it easier to filter them out. Currently, some customers have lists of as many as 20.000 blocked domains and emails. What is really strange is the fact that it proves to be an effective way of blocking spam, so far.

The RBLs are now widely available, and some of them are more aggressive than others. Together, filtering by source domain / email address (with wildcards, such as addresses with *no_reply*@*, *buycheap*@*, even *spam*@*), subject, and RBLs prove to be around 60% effective (empirical observation). Those customers that employ content filtering increase their filtering rate to around 70% with their desired settings, but also the amount of legitimate emails blocked. But bear in mind that those who do any sort of filtering have someone actively monitoring incoming emails to keep up to date with filtering rules. There is no way of employing a tool that does the job unattended, or the current tools are not capable of this (at least, not for now).
One of the actions we take to reduce such occurrences with border / gateway SMTP filtering is to have some "loose" rules for internal messages, or to make sure internal messages don't pass through the border SMTP gateway. Internal emails are treated differently than those coming from the outside, and all clients using the corporate email systems from the outside use specific authentication mechanisms to be treated as internal, in most cases.

One thing content filtering really does help with is preventing malicious code from being dropped into an internal inbox, and also those emails that point to malicious sites or downloads. Here in Brazil, it's really common to receive bank scams trying to fool the user into loading a spoofed page to gather users and passwords. There are groups specialized in this tactic.

Regards,

Romulo M. Cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40

] -----Original Message-----
] From: Aaron Cake [mailto:aaron@xxxxxxxxx]
] Sent: Thursday, June 17, 2004 11:19 AM
] To: bugtraq@xxxxxxxxxxxxxxxxx
] Subject: RE: Is predictable spam filtering a vulnerability?
]
] > During a recent email conversation with several participants, we
] > discovered that the email service of one participant silently dropped
] > legitimate emails that happened to contain certain combinations of
] > words common in spam. I believe this sort of filter is common
] > practice, and in fact even in place for some of my own email
] > addresses.
] >
] > However, this experience made me think: isn't predictable spam
] > filtering in general a vulnerability that could be used as a hoax
] > device?
]
] Certainly. I have brought this issue up with several other
] ISPs who insist on blocking my personal domain because I'm a
] "little guy". They can't prove that I don't spam, so they
] default to blocking everything that comes from me instead.
] AOL is the biggest and perhaps most annoying offender. (...)
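The posting above describes three gateway-side checks (a blocked source-domain list, wildcard sender patterns such as *buycheap*@*, and an RBL lookup) plus a looser rule set for authenticated, internal submissions. The following Python is an added illustration of how those checks combine in one filter; it is not code from the original posting or from any product the customers run. The blocked lists, the subject phrases, the simulated RBL contents and the `rbl.example` zone name are all constructed placeholders, and the RBL check is done against an in-memory set instead of a real DNS query so the example runs offline.

```python
"""Added illustration (not from the original posting): a gateway-style
filter combining a blocked source-domain list, wildcard sender patterns
and an RBL lookup, with looser rules for authenticated (internal) mail.
All rule data and the simulated RBL below are constructed for the example."""
import fnmatch
from dataclasses import dataclass, field
from typing import List, Set

# Constructed rule set: stand-ins for the customer-maintained lists.
BLOCKED_DOMAINS: Set[str] = {"cheap-pills.test", "spam-sender.test"}
BLOCKED_SENDER_GLOBS: List[str] = ["*no_reply*@*", "*buycheap*@*", "*spam*@*"]
BLOCKED_SUBJECT_PHRASES: List[str] = ["buy cheap", "act now"]
# Simulated RBL contents; 203.0.113.0/24 is a documentation address range.
SIMULATED_RBL: Set[str] = {"203.0.113.45"}


@dataclass
class Message:
    sender: str          # envelope sender address
    subject: str
    client_ip: str       # address of the connecting SMTP client
    authenticated: bool  # True when the client used SMTP AUTH (treated as internal)


@dataclass
class Verdict:
    action: str                               # "deliver" or "quarantine"
    reasons: List[str] = field(default_factory=list)


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name a real RBL lookup would resolve: the IPv4 octets
    reversed, under the list's zone ('rbl.example' is a placeholder zone)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str, rbl: Set[str] = SIMULATED_RBL) -> bool:
    """Offline stand-in for the DNS lookup: a real gateway would resolve
    rbl_query_name(ip, zone) and treat any returned A record as 'listed'."""
    return ip in rbl


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def sender_matches_pattern(address: str, globs: List[str] = BLOCKED_SENDER_GLOBS) -> bool:
    # fnmatchcase is case-sensitive, so compare lower-cased forms on both sides.
    addr = address.lower()
    return any(fnmatch.fnmatchcase(addr, g.lower()) for g in globs)


def evaluate(msg: Message) -> Verdict:
    """Source-based checks apply to external mail only; the subject check
    applies to everything.  Matches are quarantined, not silently dropped,
    so a wrongly blocked legitimate message can be recovered by whoever
    maintains the rules."""
    reasons: List[str] = []
    if not msg.authenticated:
        if sender_domain(msg.sender) in BLOCKED_DOMAINS:
            reasons.append("blocked-domain")
        if sender_matches_pattern(msg.sender):
            reasons.append("sender-pattern")
        if rbl_listed(msg.client_ip):
            reasons.append("rbl")
    subj = msg.subject.lower()
    if any(p in subj for p in BLOCKED_SUBJECT_PHRASES):
        reasons.append("subject")
    return Verdict("quarantine" if reasons else "deliver", reasons)


if __name__ == "__main__":
    # Constructed sample traffic: one clean external, one pattern hit,
    # one authenticated internal notification, one RBL plus subject hit.
    samples = [
        Message("alice@partner.test", "Q3 meeting", "198.51.100.7", False),
        Message("buycheap123@offers.test", "Hello", "198.51.100.8", False),
        Message("no_reply@internal.test", "Ticket closed", "10.0.0.5", True),
        Message("bob@somewhere.test", "Buy cheap watches", "203.0.113.45", False),
    ]
    for m in samples:
        v = evaluate(m)
        print(f"{m.sender:28} -> {v.action:10} {v.reasons}")
```

The authenticated `no_reply@internal.test` notification is delivered even though it matches the `*no_reply*@*` pattern, which is the "loose rules for internal messages" idea in practice; the same address arriving unauthenticated from outside would be quarantined. Keeping the verdict reasons alongside the action gives the person monitoring incoming mail something to review when tuning the lists.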