Mail Server update and progress on Anti-Spam efforts

Sent 3/10/2006

—————————-

Greetings,

We would like to give you an update on the progress of fine tuning the new mailserver.

To date (12:01am 3/10/06) the server has received 78,809 messages (avg of 7,880 per day) and sent 11,022 messages since going on-line on 2/28/06 – 10 days ago. The total size of these messages has been 1.9 Gigabytes received and 2.3 Gigabytes sent.

We are certainly making progress on reducing the amount of SPAM that is making it through the server and to the mailboxes.

Date        Blocked   Deleted
2/28/06           0       891
3/1/06            0       779
3/2/06            0     1,159
3/3/06            0     1,509
3/4/06          958     1,607
3/5/06        1,640     1,592
3/6/06        2,161     1,719
3/7/06        2,487     1,587
3/8/06        2,659     1,445
3/9/06        2,755     1,387

Sub Total    12,660    13,675

Total 26,335 spam emails NOT delivered (avg of 2,633 per day)!

How we determine if an email is SPAM.

When an email arrives, the mail server first checks the address of the sending server to determine if it is to be blocked based on previous activity. If the sending server has been tagged as being a “heavy” spammer, the email is rejected even before the server accepts it for consideration.

If the message passes this initial “blocked” list our server will then conduct further analysis of the email.

For example, the address of the sending server is compared to nine different “Blacklists” of known and identified servers responsible for sending SPAM. Depending on the Blacklist, the message will be assigned a further weighted value ranging from 15 to 30. The Blacklists we are consulting and the respective values we have assigned for a match are:

List       Value
AHBL          15
DSBL          15
NJABL         30
ORDB          15
PSBL          15
SORBS         15
SpamCop       15
SpamHaus      15
VISI          15

Here is a listing of the various Blacklists that are available for us to consult: http://www.declude.com/Articles.asp?ID=97

We also interrogate the sending server to enquire if the address that is sending the email is valid using the “Sender Policy Framework”. Depending on the response, the message is assigned a further weighted score ranging from a “credit” of 10 to a deduction of 30.

Response        Value
SPF-Pass          -10 (a credit)
SPF-Fail           30
SPF-SoftFail        5
SPF-Neutral         0
SPF-PermError       0
SPF-None            5

More information on SPF at http://www.openspf.org/index.html

We also use Bayesian Filters. These are filters that “learn” what SPAM and valid email “look like”. If the filter “thinks” the email might be SPAM, it tags it and assigns the message a value of 15.

We also check that the sending server is who it says it is. If it fails this test (referred to as Reverse DNS), the message is assigned a value of 25. FYI, AOL will reject a message from a server that fails this one single test.

Finally, after all these tests are performed on a message, the scores are totaled. If the total is less than 15 the message is delivered “unmolested”. If it has a score between 15 and 29 the subject line of the message is modified with the tag of “SPAM-LOW”. If the score is between 30 and 35 the subject line is modified to include the tag “SPAM-MED”. However, if the message has a score of 35 or greater the message is simply deleted. Additionally, if the message receives a score of 45 or greater the sending server will be blacklisted by us and all mail sent from that server will be blocked/rejected before the message can even be delivered.

Here are a couple of common examples as to how the scoring works.

1. Sending server reports SPF-None and the server is found on a Blacklist that we assign a weight of 15 to. This will result in a score of 20 and the message is tagged with SPAM-LOW.

2. Sending server is found on two Blacklists (PSBL and SpamCop for example). This will result in a score of 30 and the message is tagged with SPAM-MED.

3. Sending server reports a SPF-None and is found on the NJABL Blacklist to which we have assigned a weight of 30. This will result in a score of 35 and the message is deleted.

4. Sending server fails SPF check and is found on two Blacklists to which we have assigned weights of 15 (SORBS and SpamHaus for example). Thus the total score would be 60. That server is now blocked from sending any mail for a period of time.
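The scoring and thresholds described above can be written out as a short program. This is an added example, not code from the mail server: the weights and cut-offs are the ones listed in this message, while the function and parameter names are illustrative assumptions, and example 2 is assumed to have an SPF result worth 0.

```python
# Added example: weights and thresholds are copied from this page; the function
# and parameter names are illustrative and not part of the mail server.
BLACKLIST_WEIGHTS = {
    "AHBL": 15, "DSBL": 15, "NJABL": 30, "ORDB": 15, "PSBL": 15,
    "SORBS": 15, "SpamCop": 15, "SpamHaus": 15, "VISI": 15,
}
SPF_WEIGHTS = {"Pass": -10, "Fail": 30, "SoftFail": 5,
               "Neutral": 0, "PermError": 0, "None": 5}
BAYESIAN_WEIGHT = 15      # Bayesian filter thinks the message might be spam
REVERSE_DNS_WEIGHT = 25   # sending server fails the reverse DNS test


def score_message(spf, blacklists=(), bayesian_hit=False, reverse_dns_ok=True):
    """Add up the weights of every test the message tripped."""
    if spf not in SPF_WEIGHTS:
        raise ValueError(f"unknown SPF result: {spf!r}")
    listed = set(blacklists)          # a list counts once, even if repeated
    unknown = listed - BLACKLIST_WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown blacklist(s): {sorted(unknown)}")
    total = SPF_WEIGHTS[spf] + sum(BLACKLIST_WEIGHTS[name] for name in listed)
    if bayesian_hit:
        total += BAYESIAN_WEIGHT
    if not reverse_dns_ok:
        total += REVERSE_DNS_WEIGHT
    return total


def disposition(score):
    """Return (action, block_sending_server) for a total score."""
    # The text lists 35 under both SPAM-MED and deletion; worked example 3
    # deletes at 35, so deletion takes precedence here.
    if score >= 35:
        return ("delete", score >= 45)
    if score >= 30:
        return ("tag SPAM-MED", False)
    if score >= 15:
        return ("tag SPAM-LOW", False)
    return ("deliver", False)


if __name__ == "__main__":
    cases = [  # the four worked examples above, then two constructed cases
        ("None", ["SORBS"], False, True),   # SORBS stands in for "a 15-point list"
        ("Neutral", ["PSBL", "SpamCop"], False, True),  # SPF assumed Neutral (0)
        ("None", ["NJABL"], False, True),
        ("Fail", ["SORBS", "SpamHaus"], False, True),
        ("Pass", ["DSBL"], False, True),    # the credit offsets part of the listing
        ("None", [], True, False),          # Bayesian hit plus reverse DNS failure
    ]
    for spf, lists, bayes, rdns in cases:
        total = score_message(spf, lists, bayes, rdns)
        print(f"SPF-{spf:<9} {','.join(lists) or '-':<16} {total:>3} {disposition(total)}")
```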

If you look at the headers of an email you will be able to see lines like:

X-SmarterMail-Spam: Reverse DNS Lookup, SPF_None

or

X-SmarterMail-Spam: SPF_Neutral, SORBS, SpamHaus SBL+XBL

Hopefully you are seeing a marked reduction in the amount of SPAM making its way to your mailbox!
