Date: Fri, 18 Jun 2004 19:20:30 -0300
From: "Romulo M. Cholewa" <rmc@....eti.br>
To: <bugtraq@...urityfocus.com>
Subject: RE: Is predictable spam filtering a vulnerability?


Greetings,

spam filters are a really big concern for most customers we have. They sure
hate spam, know that it statistically means that their employees will loose
some time filtering it out, not to mention those evil spam that carry
malicious code or point to malicious sites.

Content filtering is really tricky, and most of those customers try to avoid
it. They do it because they don't want to risk blocking  a legitimate
message in favor of 10 blocked spams.

TBH, most of them employ 2 basic spam filtering techniques: source domain
filtering and realtime blackhole lists (RBLs).

The source domain filtering has some concerns. The biggest one is the fact
that most spam today forge the source email address, trying specifically to
avoid such mechanism. But they don't choose wisely (hope spammers won't read
this message) and usually choose borked email domains making it easier to
filter them out. Currently, some customers have lists of as much as 20.000
blocked domains and emails. what is really strange is the fact that it
proves to be an effective way of blocking spam, so far.

The RBLs are now widely available, and some of them are more aggressive than
others.

Together, filtering by source domain / email address (with wildcards, such
as addresses with *no_reply*@*, *buycheap*@*, even *spam*@*), subject, and
RBLs prove to be around 60% effective (empyrical observation). Those
customers that employ content filtering increase their filtering rate to
around 70% with their desired settings, but also the amount of legitimate
emails blocked.

But bear in mind that those who do any sort of filtering have someone
actively monitoring incoming emails to keep up 2 date with filtering rules.
There is no way of employing a tool that does the job unnatended, or the
current tools are not capable of this (at least, not for now).

One of the actions we do to reduce such occurences with border / gateway
smtp filtering is to have some "loose" rules for internal messages, or
making internal messages don't pass the border smtp gateway. Internal emails
are treated differently than those coming from the outside, and all clients
using the corporate email systems from the outside use specific
authentication mechanisms to treat them as internal, in most cases.

One thing that content filtering really does help is to avoid malicious code
to be dropped to an internal inbox, and also, those emails that point to
malicious sites or downloads. Here in Brazil, it's really common to receive
bank scams trying to fool the user into loading a spoofed page to gather
users and passwords. There are groups specialized in this tactic.

Regards,

Romulo M. cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40



] -----Original Message-----
] From: Aaron Cake [mailto:aaron@...pm.com] 
] Sent: Thursday, June 17, 2004 11:19 AM
] To: bugtraq@...urityfocus.com
] Subject: RE: Is predictable spam filtering a vulnerability?
] 
] > During a recent email conversation with several participants, we 
] > discovered that the email service of one participant 
] silently dropped 
] > legitimate emails that happened to contain certain combinations of 
] > words common in spam. I believe this sort of filter is common 
] > practice, and in fact even in place for some of my own email 
] > addresses.
] >
] > However, this experience made me think: isn't predictable spam 
] > filtering in general a vulnerability that could be used as a hoax 
] > device?
] 
] Certainly. I have brought this issue up with several other 
] ISPs who insist on blocking my personal domain because I'm a 
] "little guy". They can't prove that I don't spam, so they 
] default to blocking everything that comes from me instead. 
] AOL is the biggest and perhaps most annoying offender.

(...)

Powered by blists - more mailing lists