Barbarians At The Gate - Stopping Spam In Its Tracks

Karl Nyberg
Copyright (C) 2001 Grebyn Corporation

escom@grebyn.com
Grebyn Corporation
P. O. Box 47
Sterling, VA 20167-0047
703-406-4161

Abstract

This article reports on an eight week test of the Active SMTP appliance from ESCOM Corporation (http://www.escom.com) as a deterrent to spam transmission. Over this period the appliance successfully quarantined over 99.87% of the spam (8 spams passed, 6408 quarantined). Some 135 messages that were quarantined by the appliance but classified as desirable by the users were forwarded to them through the system's review process.


The Test Environment

The test environment consisted of the mail server for a number of top level domains, primarily GREBYN.COM, formerly a dialup shell account service. In September of 1993 all dialup customer accounts were sold to Digital Express. The only remaining accounts were for individuals who had relationships with the corporation running the service. This left only 10 addresses that were valid for receiving email during this time. Any quarantined mail for any of the remaining 94 recipient addresses was included in the spam count without inspecting the content, because there was no reason (other than spam) for anyone to send mail to those addresses.

The appliance was configured not to blacklist hosts automatically, and the mechanism that normally blacklists hosts for repeated connections was cleared every ten minutes rather than once a day. All connections were logged and all quarantined mail was retained for analysis. Only sites that successfully delivered spam during this period were added to the blacklist (after notification of the offending site).

At various times, filters had been placed on specific IP addresses in routers and firewalls in an attempt to preclude spam. All such filters were removed prior to beginning this test.

The collection of "trusted" hosts and per-user whitelists, already in place, were not modified during this test period. This information facilitated the flow of legitimate email and did not affect the filtering of junk mail.

Results

During the 8 week period, some 10,127 connections for delivery of mail were received. Of those, 482 were from "trusted" hosts, while 1094 were from addresses matched in the user whitelists. Of the remaining connections, the ASMTP appliance processed 6543 with characteristics such as bad from addresses (662), bad domain (473), mismatched from addresses (1258), dialup detected (380), open relays (1197), or other syntax errors and timeouts during the exchange. (Included in the last category, for example, are 494 connections that sent QUIT before any data was transmitted in the SMTP stream, a common technique used in email "address reaping".)
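As an added illustration (not the appliance's code and not from the article), the following Python sorts constructed SMTP session records into the rejection categories this paragraph names and tallies them the way the figures above are reported. The category names are the article's; the session fields, the order of the checks, the stand-in lists that replace DNS, dialup and open-relay lookups, and the reading of "mismatched from address" as an envelope sender domain that does not match the connecting host's reverse-DNS name are all assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-ins for the external data a real filter consults
# (forward DNS, dialup address lists, open-relay lists). All values are made up.
KNOWN_DOMAINS = {"example.com", "example.org", "example.net"}
DIALUP_PREFIXES = ("10.9.",)          # constructed "dialup pool" address range
OPEN_RELAYS = {"192.0.2.77"}          # constructed known open relay

# Minimal syntactic check for an envelope sender; captures the domain part.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


@dataclass
class Session:
    """One inbound SMTP connection, reduced to the facts the checks need."""
    remote_ip: str
    remote_host: Optional[str]   # reverse-DNS name of the client, None if absent
    mail_from: Optional[str]     # envelope sender, None if none was given
    reached_data: bool           # False if the client sent QUIT before DATA


def classify(s: Session) -> str:
    """Map a session to one of the article's rejection categories or 'accept'.

    The order of the checks is an assumption of this example, not the
    appliance's documented behaviour.
    """
    if s.remote_ip in OPEN_RELAYS:
        return "open relay"
    if s.remote_ip.startswith(DIALUP_PREFIXES):
        return "dialup detected"
    if not s.reached_data:
        # QUIT before DATA: a probe that never intended to deliver mail
        return "quit before data"
    if s.mail_from is None:
        return "bad from address"
    m = ADDR_RE.match(s.mail_from)
    if m is None:
        return "bad from address"
    domain = m.group(1).lower()
    if domain not in KNOWN_DOMAINS:
        return "bad domain"
    host = (s.remote_host or "").lower()
    if not (host == domain or host.endswith("." + domain)):
        return "mismatched from address"
    return "accept"


def summarize(sessions: Iterable[Session]) -> Counter:
    """Count sessions per category, the way the article's tallies are reported."""
    return Counter(classify(s) for s in sessions)


# Constructed sample sessions, one per outcome.
SAMPLE_SESSIONS = [
    Session("192.0.2.77", "relay.example.org", "alice@example.org", True),
    Session("10.9.3.4", None, "bob@example.com", True),
    Session("198.51.100.5", "mx.example.com", None, False),
    Session("198.51.100.6", "mx.example.com", "not-an-address", True),
    Session("198.51.100.7", "mx.example.com", "carol@nonexistent.invalid", True),
    Session("198.51.100.8", "smtp.other.test", "dave@example.com", True),
    Session("198.51.100.9", "mail.example.com", "erin@example.com", True),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.remote_ip:<14} {classify(s)}")
    print(summarize(SAMPLE_SESSIONS))
```

Each check here is a pure function of the connection's own attributes, which is what lets a filter of this kind reject before the DATA phase and keep the quarantine (and the logged evidence) small.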

During this time there were no complaints from the users that any of their correspondents had contacted them by alternate means to report being unable to send them mail because of the ASMTP appliance. (This contrasts with a separate period when the appliance was turned OFF and one of the users complained:

"I guess ASMTP hasn't been running lately, because I've gotten a burst of spam.")

Prior to the installation of the appliance, the only mechanism for dealing with such mail was to retrieve it, classify it and delete it. Now, rather than time being spent on entirely unproductive activity, quarantined mail is classified by users on an as-needed basis (a batch job runs daily to remind users that they have quarantined mail).

There were 8 messages passed through during this time that were classified by the users as potential spam. Of these, one appeared simply to have been misaddressed (it was in a language that nobody was able to read); the others came from 5 hosts, which were blacklisted with a note to the offending companies regarding their behavior. It was interesting to note that no further communication (by email or by alternate means, such as telephone or paper mail) was received.

Analysis

Of the more than 10,000 connections received during this time, only 8 messages classified by the users as true spam were passed by the ASMTP appliance. During this period, the system successfully blocked 6400 spams, comprising almost 300MB (some 250MB of it addressed to former users) of mail traffic, an average of 3MB per day. This compares with a daily average of about 200KB - 300KB of quarantine during normal operations, when hosts are blacklisted, unknown domains (bad DNS information) and various other rejection criteria are applied, and connections are rejected immediately.