This month I thought I could feel smug, deploying Postfix, with greylisting (Postgrey), and the Spamhaus block list (SBL-XBL) has reduced the volume of unsolicited bulk commercial email one of our servers was delivering to our clients by 98.99%.

Alas greylisting is a flawed remedy, it merely requires the spambots to act more like email servers and it will fail, and eventually they will. Greylisting may scale to big email servers, but it doesn’t scale to a lot of the population using it.

Designing and deploying a new email system requires one to spend time thinking about the types of abuse, and how best to address it. I chose greylisting, and block lists, as the resulting false positives tend to be revealed promptly, these methods don’t require end user interaction, and there are no “spam folders” where misclassified emails go quietly unread. Just don’t everyone start using it, please.

The Megaphone

The email problem we suffer currently is due to a small number of spammers, and a very large number of machines that are compromised and made to do the bidding of the spammers. Think small number of people, with a mighty large “megaphone”.

The problem is the “megaphone”.

Any solution to the supposed “spam problem” that doesn’t deal with the large number of compromised boxes will at best move the problem elsewhere. If we all deploy effective antispam measures without dealing with the megaphone, we can enjoy spam free email, but don’t be surprised when your website suffers a distributed denial of service attack, or your preferred instance messaging, or VOIP service, is full of spam.

Think Clearer

How does this help us? Well we should use this to allow us to focus on the solutions that address the underlying problem. Consider this informal response to “Operation Spam Zombies” from a man with more than a little experience of the ISP business:

Link to Google Groups

I’m sure the author wouldn’t claim it to be a deeply thought out response, but he immediately splits the proposals between those that address the underlying problem, and those that just make the clients email problem worse by making email harder to use legitimately.

When AOL Sneezes

When AOL attempted to suppress spam by blocking outgoing SYN packets to port 25, they got some good press, but PCs in their network were still responsible for a large amount of the email spam arriving here. The reason, the spammers were spoofing the SYN packet, and modified the zombies to start spamming when the acknowledgement was received, and were thus able to revive that part of the megaphone that AOLs actions had intended to deny to them.

Some of those PCs are probably still running rogue software, they just aren’t sending email (since AOL promptly closed that loophole). No doubt the criminals who control them have found other ways to make money out of them, let us hope it doesn’t involve keyloggers and bank account details.

I don’t mean to single out AOL, they came to my attention because they are bigger than everyone else, so even small issues with their system can feel like a torrent if it is directed your way. They have certainly done a lot to address the issues of spam both going into, and out of, their networks.

Those in the industry know where the real rogue ISPs are, let me merely put some perspective ny noting that a certain Korean ISPs network attempts to send us more email purporting to come from AOL, than AOL do.

Conclusions

Consider all antispam proposals in the light of the underlying security problem. You may use your resources more wisely, and the solutions will work better.

Don’t focus overly narrowly on email, it really isn’t the problem. Where an email “fix” is required consider a cheap tactical fix like “greylisting” to allow people to concentrate on the core problem.

I feel less smug now.

One of the basic tenets of both war, and security, is that it is almost impossible to defend against an opponent with far greater resources, we have to deny those resources to our opponents, before we can hope to win the war.