lotus



previous page: Anti-SPAM Techniques: Reputation Control
  
page up: Anti-SPAM, Anti-Phishing and Anti-Viruses Techniques
  
next page: SPAM, Phishing, Virus-related Blogs, Mailing lists and
    Forums

Anti-SPAM Techniques: Transparent SMTP proxy




Description

This article is a part of the series on undesired email (spam, phishing, viruses, etc.). The material covers the Poisons and the Remedies.

By Stas Bekman.

Published: May 15th 2006

Anti-SPAM Techniques: Transparent SMTP proxy

Most Anti-SPAM solutions work as following: they accept the email, then analyse its contents, and then depending on whether that mail is thought of as a undesired email or not, it's either discarded (or put into a quarantine) or delivered to a user. A transparent SMTP proxy will not accept the message unless it passes its criteria. Let's discuss the advantages of this approach.

Once a conventional anti-spam product decides that the message is a undesired email, it often bounces it (sends it back to whoever is listed in the From: header of the message). Most SPAM emails arrive with forged headers, so in the best case nobody will see the bounce. In the worst case it'll bounce to an innocent person, whose address was used in a forged From: header, who may not only have to spend their time dealing with it, they may also get affected by a virus if such was present in the original message. In fact, recently spammers started to use the bounce technique to actually deliver spam, bypassing certain filters, which won't test bounce messages. This sometimes creates an effect of email bombing, since if your address is used in the forged From: header, then suddenly you will start receiving tons of bounces.

For many organisations once an email is received, it has to be stored for a long period of time (sometimes years). Discarding undesired email before it's received saves a lot of resources, disk space and everybody's time of course!. It also reduces the risk of virus propagation. From discussions with email system administrators, it's clear that not having a quarantine is a blessed feature.

Since conventional anti-spam products accept the email, the spammers will continue hammering the same email addresses, since they can't tell whether the message was delivered or not (they assume that it was successful). This is because the headers are usually forged, so they never see the bounces. A transparent SMTP proxy tells the spammers right away that they weren't successful at delivering their emails, so in theory they should have dropped those email addresses from their databases.

Legitimate users benefit from an immediate feedback provided by transparent SMTP proxies, since if for some reason the message wasn't delivered (e.g. their email was mistakenly classified as SPAM) - they don't have to guess and re-send their email multiply times, or even worse call the recipient to ask whether they have received their email. Here they know right away whether there was a problem. They can then contact support, to figure out what went wrong.

Transparent proxies are just that, transparent -- they are seen by the mail servers as an email gateway. Therefore they work with any already installed mail server (sendmail, qmail, exchange, postfix, etc.) So in the case you aren't happy with your mail server and you decide to switch horses, you can still use the same transparent proxy.

Certain transparent proxies implement connection management, ensuring that no matter how big is the spike coming from the outside (e.g. a virus outbreak or a DoS attack) the backend mail server will not receive more connections than it can handle, so the sysadmins can sleep soundly at nights and go safely hiking on the weekends.

Finally, some transparent proxies can implement throttling - where the certain SMTP connections are slowed down. Spammers usually quickly give up (since they need to deliver huge volumes of email), whereas legitimate senders don't mind to wait a few minutes. We find this solution to be more effective than grey listing, since it ensures a prompt email delivery, compared to the latter which may take up to 4 hours to deliver, badly affecting certain users. Throttling is hard to implement in the non-SMTP proxy solution, since each throttling connection holds up a usually heavy-weight process or thread, whereas a proxy can be implemented as a very efficient asynchronous IO solution which can juggle thousands of connections at once.

Vendors

Here are some vendors whose solution is based on a trasnparent SMTP proxy (including open-source solutions):

 

DspamPD (http://caspian.dotconf.net/menu/Software/DspamPD/)
(OSS) is a transparent smtp proxy that passes mail through DSPAM (http://nuclearelephant.com/projects/dspam/) and/or ClamAV.

ASSP (http://assp.sourceforge.net/)
(OSS). The Anti-Spam SMTP Proxy (ASSP) Server project is an open source platform-independent SMTP Proxy server which implements whitelists and Bayesian filtering to rid the planet of the blight of unsolicited email (UCE). UCE must be stopped at the SMTP server. Anti-spam tools must be adaptive to new spam and customized for each site's mail patterns. This free, easy-to-use tool works with any mail transport and achieves these goals requiring no operator intervention after the initial setup phase.

NoSpamToday! (http://www.nospamtoday.com/server/)
(Commercial) flexible filter chain architecture makes it an extensible multi-purpose SMTP/POP3 Proxy, offering complete email security and a lot of advanced options in today's mail processing.

MailChannels, Corp's TrafficControl
(Commercial) is a transparent SMTP proxy for big organisations, supporting white and blacklisting, Bayesian and heuristical content filters, as well as collaborative filtering. Its main distinction from other solutions is that it provides connection management and traffic shaping in a transparent SMTP proxy.

smtpprox (http://bent.latency.net/smtpprox/)
(OSS) is a trivial transparent SMTP proxy, an SMTP server and client combination. It uses its own SMTP server and client modules which are designed to expose every step of the protocol dialogue to the calling program, which provides for the greatest flexibility in hooking in envelope and content controls and scanning.

eWall (http://www.sssolutions.net/ew/)
(Commercial) is a programmable gateway for any mail server. It supports major antivirus software as well as various anti-spam techniques (SPF, SURBL, DNSBL, Greylisting, Harvester detection, country block and more). (Windows 2000/XP/2003 only)


 

 

Please notify me if you know of others.

Related Links

I couldn't find any related 3rd party information on transparent SMTP proxies on the net (other than the vendor sites). So I wrote one for wikipedia If you know of any such resources, please let me know. Thank you!

Continue reading about other Remedies or jump to the email-related Poisons section.















TOP
previous page: Anti-SPAM Techniques: Reputation Control
  
page up: Anti-SPAM, Anti-Phishing and Anti-Viruses Techniques
  
next page: SPAM, Phishing, Virus-related Blogs, Mailing lists and
    Forums