Off we trot to the Reg Library to select some popular whitepapers for review. This week we mainline on email security, or to be more precise, email insecurity. Image spam: the threat returns We were unaware that using pictures to evade spam detectors had peaked in 2007 and then fell away as security software vendors upped their …
MessageLabs and SMEs
Actually, make that SEs - family businesses with less than 10 employees.
I am not having a pop at MessageLabs' credentials, but their offering is so out of kilter with what real-world small businesses can afford that an alternative (admittedly possibly less robust) workable solution is needed.
So, for any SE being bombarded by spam, this is my solution, but I welcome other suggestions and do not claim mine to be the best.
Keep in mind that it is NOT an option to simply change the email address being spammed. Too much has already been spent on marketing it (stationery/website/brochures/ads/signage etc).
Also bear in mind I am talking about computer-illiterate/phobic owner-managers (they do exist, believe me) and I want a quick, cheap and effective solution.
So here is how I go about it:
First, create a new account on the SE's domain, with a near-unguessable account name, e.g.
Second, sign up to SpamCop and use the new J4VvnQzZ3qM9upHeW94xyyyHw@anyco.com account as the forwarding address for 'clean' mail. Total cost, pennies over the year.
Third, redirect all incoming mail addressed to the spammed email account to the SpamCop account.
Fourth, crank up all of the SpamCop filters for all options.
Fifth, enable auto notification of Held Mail reports.
Those are the basics, but there are tweaks to be made over the following weeks (mostly whitelist entries).
What I find most appealing about this solution is that I can sort it all out for a client from hundreds or thousands of miles away, and do not have to change anything on their system, other than walk them through adding J4VvnQzZ3qM9upHeW94xyyyHw@anyco.com as a new account.
As stated, all constructive suggestions for easier/better ways to remotely solve a customer's problem invited.
The additional point I will make is that I noticed the inline and remote image techniques at the same time as the MessageLabs report identifies. To begin with they all got through. They have (for my clients anyway) since fallen back to zero, while the boys from Lagos are now back on top. We would like to think that reporting every single one as spam via the SpamCop service has, in some part, brought that about.
Disclosure: I like SpamCop; I am not a stooge or employee, and benefit not a jot if anyone else tries this method.
Re: MessageLabs and SMEs
> "As stated, all constructive suggestions for easier/better ways to remotely solve a customer's problem invited."
Implement greylisting on their mailserver.
These days, if a spam email makes it to my mailbox I tend to read it out of curiosity.
Another alternative solution to the spam question
The problem with solutions such as Symantec Message Labs or the alternatives is that everyone's definition of spam is subtly different. Which means that they never get it completely right.
My solution is to use email suppliers who understand the email process, and how to defeat spam. Suppliers such as Fastmail.fm or Lavabit.com. Because they make effective use of techniques such as greylisting, spam is rare anyway. Then use an email client with built-in Bayesian filters, such as Pegasus Mail. The way you train the filter will ensure that spam removal is tailored to your own tastes, and not that of some large Merkin company.
Works very well for me.
For the MX systems I run for my clients, apart from those originators who are whitelisted we invariably reject-on-first-delivery-attempt.
The spambots rarely if ever make a second delivery-attempt.
Of course we also have a blackhole-MX set to a value around 80 - on the basis that anything which deliberately chooses that rather than the MX=10 option is clearly trying something naughty.
And we populate the transient deny-list for the proper-MX servers from the 'tried high-numbered MX' fail-list.
Ah, what fun.
Greylisting is of little benefit these days. In my own logs I see the same hosts re-attempting delivery of identically addressed spam every couple of hours - greylisting would only delay the first of these and the rest would sail right through.
On my spam mix, the most effective and least cost single measure is Spamhaus CBL which stops around 45% of it before HELO. Rejecting mail from hosts with no rDNS takes care of almost all the rest, though this latter isn't advisable for ISP level filtering as it can give false positives. SPF takes care of the attempts to forge local domains and a check on resolvable sender domains catches a good few percent as well. The 5% of remaining mail goes through SpamAssassin which stops the final 1% of spam, leaving me 4% of genuine clean mail.
Morphing image spam differently for each mail isn't a new technique; the spammers introduced it about two years ago and it became very widespread in order to get round spam-image checksummers.
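The reject-on-first-attempt scheme with a decoy high-numbered MX feeding a transient deny-list (described a couple of posts up), together with the retry-every-couple-of-hours weakness raised in the post above, modelled as a small Python policy. This is an added illustration, not code from any commenter; the delay, TTL, decoy preference value of 80 and the sample addresses are assumptions or constructed test data.

```python
from dataclasses import dataclass, field

@dataclass
class MailPolicy:
    """Per-connection decision: greylist new triplets, trap hosts that go to the decoy MX."""
    greylist_delay: int = 300           # assumed: seconds before a retry of a new triplet is accepted
    deny_ttl: int = 4 * 3600            # assumed: how long a trapped IP stays on the transient deny-list
    decoy_pref: int = 80                # the deliberately high-numbered blackhole MX preference
    whitelist: set = field(default_factory=set)
    seen: dict = field(default_factory=dict)    # (ip, sender, rcpt) -> timestamp of first attempt
    denied: dict = field(default_factory=dict)  # ip -> deny-list expiry timestamp

    def decide(self, ip, sender, rcpt, mx_pref, now):
        """Return 'accept', 'tempfail' (4xx, try later) or 'reject' (5xx)."""
        if ip in self.whitelist or sender in self.whitelist:
            return "accept"
        # Only a sender that ignores MX=10 and picks the decoy lands here: trap the IP.
        if mx_pref >= self.decoy_pref:
            self.denied[ip] = now + self.deny_ttl
            return "reject"
        # The proper MX consults the deny-list populated by the decoy.
        if self.denied.get(ip, 0) > now:
            return "reject"
        first = self.seen.setdefault((ip, sender, rcpt), now)
        if now - first < self.greylist_delay:
            return "tempfail"           # reject-on-first-delivery-attempt
        return "accept"                 # a genuine MTA retries; most spambots never do

def simulate():
    """Constructed scenarios (addresses are sample data); returns the decision sequence for each."""
    p = MailPolicy(whitelist={"partner@example.net"})
    return {
        # spambot goes straight for the decoy MX, then is refused at the real one
        "decoy_trap": [p.decide("192.0.2.10", "a@spam.test", "me@anyco.com", 80, 0),
                       p.decide("192.0.2.10", "a@spam.test", "me@anyco.com", 10, 60)],
        # well-behaved MTA: tempfailed once, accepted on its retry
        "legit_retry": [p.decide("198.51.100.5", "bob@example.org", "me@anyco.com", 10, 0),
                        p.decide("198.51.100.5", "bob@example.org", "me@anyco.com", 10, 600)],
        # the weakness raised in the thread: a bot that retries every couple of hours sails through
        "persistent_bot": [p.decide("203.0.113.7", "x@spam.test", "me@anyco.com", 10, 0),
                           p.decide("203.0.113.7", "x@spam.test", "me@anyco.com", 10, 7200)],
        # whitelisted originator bypasses all of it
        "whitelisted": [p.decide("203.0.113.9", "partner@example.net", "me@anyco.com", 10, 0)],
    }
```

The "persistent_bot" scenario shows why greylisting alone only delays a retrying host; the decoy-MX trap and a reputation list such as the CBL mentioned above are what actually refuse it.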
Just disable HTML + images in your mail client. I use gmail which automatically blocks images.
You just click the ones you want to see unless you add the sender to the whitelist. Easy peasy. Why MS and Netscape ever thought that rendering HTML in emails would ever lead to something good is beyond me.