Wednesday, February 28, 2007

How smart is your spam filter?

Managing an anti-spam solution is an unglamorous job for any e-mail administrator, but it's less enjoyable when your software is broken. Case in point: My company uses GFI's MailEssentials, which in some respects does a decent job filtering spam. It offers a feature common to many spam filters: Directory harvesting protection. Directory harvesting protection is a countermeasure designed to prevent spammers from figuring out the names of legitimate recipients.

However, MailEssentials' directory harvesting feature appears to have been an afterthought, because the program only checks recipient validity after it has accepted a message. The program does offer a "Generate a Non Delivery Report (NDR)" option, but this is a fake NDR (a delivery status notification, or DSN) because it is generated by your own server after it has already accepted transmission of a misaddressed message, rather than being a bounce produced by the sending server.

Why is this behavior a bad thing? First, if the NDR option is disabled (the default), a sender that misspells an e-mail address is never notified that the recipient name is not valid. This is good for spammers (you don't want them to know your valid addresses), but it's not good for valid senders (they're never notified that the address doesn't exist). So, you decide to enable the fake NDR feature. This is even worse, because it lets spammers exploit your server to send backscatter.

What's backscatter? Backscatter is spamming via DSNs. Imagine this scenario:
  1. Spammer sends a message to your server. The "from" address is the address he's spamming, and the "to" address is a non-existent recipient on your server.
  2. MailEssentials accepts the message, then determines that the recipient doesn't exist.
  3. MailEssentials generates an NDR to the fake "from" address.
The spammer has just successfully exploited MailEssentials to send backscatter, which is ironic because MailEssentials is a product designed to fight spam. Not very smart. It's also frustrating because I've explained this to GFI and they have not been responsive to the problem.

The right way to reject invalid recipients is to do it during the SMTP conversation, at RCPT TO, before the message body is ever transmitted. This way, the sending server is forced to deal with the failure. Doing it this way has two good side effects:
  1. Your server spends a lot less time dealing with mail sent to invalid recipients.
  2. Legitimate users that misspell an e-mail address will get an NDR from their own server (not yours).
Some mail servers have this functionality built-in: Exchange 2003 and later, for example. (Earlier versions of Exchange are not as smart.) However, this means that your Exchange server must sit directly on the network perimeter, a configuration that's generally considered a bad security practice.

The point is that you should not rely on GFI MailEssentials to be your only spam filtering solution. I opted for a smarter product: Vamsoft's Open Relay Filter Enterprise Edition (ORFEE). Like MailEssentials, it uses Microsoft's SMTP server, but unlike MailEssentials, it lets you filter mail during the SMTP conversation. It can do address lookups in an Active Directory domain and reject recipients before the e-mail gets sent. ORFEE can also delay server response on invalid recipients (sometimes called tarpitting), discouraging spammers that are attempting to harvest your directory. You get all the benefits: Legitimate senders are notified if they send to a non-existent recipient, the spammers will most likely not tolerate the delays when they attempt to gather valid addresses, and they can't use your server to send backscatter.
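To make the difference concrete, here is an added simulation (my own illustration, not code from GFI or Vamsoft) of the two behaviours described above: an "accept first, bounce later" front end that originates an NDR to whatever address MAIL FROM claimed, and an "reject at RCPT TO" front end that answers 550 before DATA and optionally tarpits the failure reply. The recipient directory, mailbox names and `example.com`/`example.org` addresses are constructed samples standing in for an Active Directory lookup; the transcripts are the SMTP exchange each server would produce.

```python
"""Two toy SMTP front ends side by side: one that accepts first and bounces
later (producing backscatter), and one that rejects unknown recipients at
RCPT TO with an optional tarpit delay. Added illustration; not GFI's or
Vamsoft's code. The directory and addresses below are constructed samples."""
import time

# Constructed stand-in for an Active Directory recipient lookup.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def recipient_exists(address):
    """Case-insensitive lookup against the (constructed) directory."""
    return address.lower() in VALID_RECIPIENTS


class AcceptThenBounceServer:
    """Post-acceptance validation: every RCPT TO gets 250, the directory is
    consulted only after DATA, and an NDR is mailed to the envelope sender
    for unknown recipients. Whatever MAIL FROM claimed receives that NDR."""

    def __init__(self):
        self.outbound_ndrs = []  # NDRs this server would originate

    def handle(self, mail_from, rcpt_to):
        transcript = [
            f"C: MAIL FROM:<{mail_from}>", "S: 250 OK",
            f"C: RCPT TO:<{rcpt_to}>", "S: 250 OK",  # no lookup yet
            "C: DATA", "S: 354 Go ahead",
            "C: <message body> .", "S: 250 Queued",  # message fully accepted
            "C: QUIT", "S: 221 Bye",
        ]
        if not recipient_exists(rcpt_to):
            # Too late to refuse: the only option is a new message from us,
            # addressed to the unverified MAIL FROM. This is backscatter.
            self.outbound_ndrs.append({"to": mail_from, "about": rcpt_to})
        return transcript


class RejectAtRcptServer:
    """SMTP-time validation: unknown recipients get 550 before DATA, so the
    sending MTA owns the failure and this server never originates an NDR.
    An optional tarpit delays the 550 to make directory harvesting slow."""

    def __init__(self, tarpit_seconds=0.0):
        self.tarpit_seconds = tarpit_seconds
        self.outbound_ndrs = []
        self.last_rcpt_delay = 0.0  # measured delay before the last RCPT reply

    def handle(self, mail_from, rcpt_to):
        transcript = [f"C: MAIL FROM:<{mail_from}>", "S: 250 OK",
                      f"C: RCPT TO:<{rcpt_to}>"]
        start = time.perf_counter()
        if not recipient_exists(rcpt_to):
            time.sleep(self.tarpit_seconds)  # tarpit only the failure path
            self.last_rcpt_delay = time.perf_counter() - start
            transcript += ["S: 550 5.1.1 No such user here", "C: QUIT", "S: 221 Bye"]
            return transcript  # nothing accepted, so nothing to bounce
        self.last_rcpt_delay = time.perf_counter() - start
        transcript += ["S: 250 OK", "C: DATA", "S: 354 Go ahead",
                       "C: <message body> .", "S: 250 Queued",
                       "C: QUIT", "S: 221 Bye"]
        return transcript


def backscatter_count(server, forged_sender, recipients):
    """Deliver a batch of messages with a forged MAIL FROM through a server
    and report how many NDRs that server would send to the forged address."""
    for rcpt in recipients:
        server.handle(forged_sender, rcpt)
    return sum(1 for ndr in server.outbound_ndrs if ndr["to"] == forged_sender)


if __name__ == "__main__":
    batch = ["alice@example.com", "carol@example.com", "dave@example.com"]
    legacy = AcceptThenBounceServer()
    smart = RejectAtRcptServer(tarpit_seconds=0.2)
    print("accept-then-bounce NDRs:", backscatter_count(legacy, "victim@example.org", batch))
    print("reject-at-RCPT NDRs:   ", backscatter_count(smart, "victim@example.org", batch))
    for line in smart.handle("victim@example.org", "carol@example.com"):
        print(line)
```

Run as a script, the accept-then-bounce server reports two NDRs addressed to the forged `victim@example.org`, while the reject-at-RCPT server reports none and its transcript for the unknown recipient ends at the 550 reply, with no DATA phase at all. The tarpit applies only to the failure path, so legitimate mail to valid mailboxes is not slowed.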