Expanding on our article about how webmail works, this time we focus on spam: why it exists, how to fight it, what you can do to keep it out of your mailbox, and what we do to keep it out of our customers' mailboxes.
What is SPAM?
Spam is unsolicited email with commercial content, sent to win new customers or to advertise a new service. Spam does not include advertising messages from sources to which you gave your data yourself, such as newsletters. Such messages are not and should not be blocked, because only the customers who subscribed to the mailing list of the organisation or shop receive them. A message of this kind usually contains a link in its footer to a form that lets you unsubscribe from the list (in English typically labelled “Unsubscribe”). Be careful when clicking such a link, however: the message may itself be spam, and the link may lead to a page that hosts viruses or tries to steal your login details.
One example is a message from Allegro with information about new auctions. Someone who sees it will assume this is normal, want to unsubscribe from the list, click the link at the bottom and be redirected to a page that looks very much like the original but is unencrypted or has a typo in the URL, e.g. a11egro.pl (digit one instead of the letter “l”). Guard against such incidents by hovering your mouse over a link and checking where it points before clicking it.
Fight against spam
RBL
That is, rejecting IP addresses that attempt to send messages while they are listed on an RBL (Realtime Blackhole List). It works like this: when a computer connects to our server, the server quickly checks via DNS whether that IP is on the blacklist. If the remote computer wants to log in to our server (authentication), it is accepted and can send mail. If it is blacklisted and wants to deliver a message to a mail account on our server without logging in, it is rejected.
RBL lists very often include the address ranges of Internet providers for private customers. This protects servers from receiving spam from home computers which, infected by viruses, send spam to other Internet users, often without the owner's knowledge. Blocking such IP addresses outright would cut almost all users in Poland off from sending mail, so the server still gives the user the chance to log in to their account and send the message through the server as an authenticated user.
SPF
SPF is a DNS entry in a TXT record that states which computers are authorised to send mail for a given domain. For example, our domain roan24.pl contains the entry v=spf1 +a +mx +ip4:184.108.40.206 -all (easy to check on Linux with the command dig roan24.pl txt). What does it mean? That for this domain only the server with the IPv4 address 220.127.116.11 and the servers named in the A and MX records may send mail; everything else fails (-all). Our server accepts mail on an IPv6 address but sends only over IPv4, because it happens that IPv6 is unreachable despite being in the DNS zone.
You can create such an entry for any domain. It is a good way to fight servers that impersonate others on the web and pretend to be someone else, and it can raise (or lower) the trust your mail receives.
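The evaluation described above, as an added example that is not part of the original article: a minimal SPF checker for the a, mx, ip4 and ip6 mechanisms. The DNS answers are a constructed in-memory stand-in with documentation addresses (a real check would query DNS, as with dig); include: and other mechanisms are deliberately not handled.

```python
import ipaddress

# Constructed stand-in for DNS (documentation addresses only); a real checker queries DNS.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 +a +mx +ip4:203.0.113.10 -all"],
    ("example.com", "A"): ["203.0.113.5"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def spf_check(domain, client_ip):
    """Evaluate the domain's SPF record for a connecting IP: pass, fail, softfail, neutral or none."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"                       # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                     # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain              # "a" / "mx" without an argument refer to the domain itself
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # False if address families differ
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(target, "A"))
        elif mech == "mx":
            matched = any(ipaddress.ip_address(a) == ip
                          for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        else:
            continue                        # include:, exists:, ptr: etc. are not handled here
        if matched:
            return QUALIFIERS[qualifier]    # the first matching mechanism decides
    return "neutral"                        # nothing matched and there was no "all" term
```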
DKIM
A slightly more advanced solution than SPF: the sending server signs the email, and anyone can then retrieve the public key and verify that the signature is correct. The DKIM key is retrieved… via DNS :-); the key for roan24.pl can be fetched with the Linux command dig default._domainkey.roan24.pl txt. Note that our key uses the selector default; other services may use different selectors. The selector is included with the signature, so with several servers we can give each one a different selector without affecting the quality of service and immediately know which server a message came from. More on DKIM and the problems associated with it.
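The key-retrieval step described above, as an added example that is not part of the original article: parsing the DKIM-Signature header's tag list, deriving the DNS name from the selector (s=) and domain (d=), and interpreting the TXT key record. The sample header and selector "mail2" are constructed, not real roan24.pl data; signature verification itself is out of scope here.

```python
import base64

def parse_tags(value):
    """Split a DKIM tag=value list ('v=1; a=rsa-sha256; ...') into a dict (RFC 6376 syntax)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")          # split on the first '=' only: base64 values end in '='
            tags[k.strip()] = "".join(v.split())   # whitespace inside values is insignificant
    return tags

def key_record_name(dkim_signature):
    """DNS name a verifier queries for the public key: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or "d" not in tags or "s" not in tags:
        raise ValueError("not a valid DKIM-Signature header")
    return f"{tags['s']}._domainkey.{tags['d']}"

def parse_key_record(txt):
    """Interpret the TXT key record: (key type, DER bytes); an empty p= means the key is revoked."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":       # v= is optional and defaults to DKIM1
        raise ValueError("not a DKIM key record")
    p = tags.get("p", "")
    return tags.get("k", "rsa"), (base64.b64decode(p) if p else None)

# Constructed sample header from a server signing with selector "mail2" (b= is a placeholder).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2; "
                    "h=from:to:subject:date; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=AAAA")
```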
Greylisting
Greylisting, used by many mail providers, works by rejecting mail from an unknown sender with a temporary 4xx error, for example: “451 4.7.1 Greylisting in action, please come back later”. A 4xx error is only a temporary rejection: it means the message could not be delivered now and should be retried later. A well-configured server will therefore reconnect after e.g. 10 minutes, and this time the recipient's server accepts the message because it remembers that someone already tried to send it. That does not mean the message will pass the remaining spam checks.
Why does this work? Spammers who have a machine to send spam from go for quantity, which means they usually try to deliver a message to a recipient only once; if that fails, they rarely retry before the machine is blocked by an RBL. So the e.g. 10 minutes before the address comes off the grey list may be enough for some RBL lists to be updated with the spammer's IP address and for it to be blocked, without overloading the server.
The disadvantage of this solution is that a message cannot reach the recipient until at least the greylist time has elapsed, usually 5 to 10 minutes. Bear in mind, too, that the sender's server may be set to make its first retry after e.g. 30 minutes, which extends delivery time considerably. We personally do not use this solution; large providers often use it in combination with a locally held list of the user's contacts.
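The greylisting behaviour described above, as an added example that is not part of the original article: a deferral table keyed on the (client IP, sender, recipient) triplet with the 10-minute delay and the 451 reply from the text, plus expiry of triplets that never retry. The class name and time parameters are assumptions; times are plain seconds so the exchange can be replayed offline.

```python
GREYLIST_REPLY = "451 4.7.1 Greylisting in action, please come back later"

class Greylist:
    """Minimal greylisting: a (client IP, sender, recipient) triplet seen for the first time is
    deferred with a 4xx reply; a retry after the delay is accepted and the triplet remembered."""

    def __init__(self, delay=600, retry_window=24 * 3600):
        self.delay = delay                  # seconds the first attempt must wait (page: e.g. 10 minutes)
        self.retry_window = retry_window    # forget triplets that never came back within this time
        self.pending = {}                   # triplet -> time of first attempt
        self.known = {}                     # triplet -> time last accepted (the local "contacts" list)

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for a delivery attempt made at time `now` (seconds)."""
        self._expire(now)
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.known:
            self.known[triplet] = now        # already accepted before: no delay
            return "250 OK"
        first = self.pending.get(triplet)
        if first is None:
            self.pending[triplet] = now      # first contact: defer and remember that someone tried
            return GREYLIST_REPLY
        if now - first < self.delay:
            return GREYLIST_REPLY            # came back too early; a real MTA keeps retrying
        del self.pending[triplet]
        self.known[triplet] = now            # retried after the delay: accept from now on
        return "250 OK"

    def _expire(self, now):
        stale = [t for t, first in self.pending.items() if now - first > self.retry_window]
        for t in stale:
            del self.pending[t]              # a one-shot sender that never retried (typical spam bot)
```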
Content – Attachments
Servers often block attachments that are too large or unsuitable, e.g. containing a virus. A further consideration is hidden extensions: Windows hides known file extensions by default, so the file zdjęcie.jpg.exe is displayed as zdjęcie.jpg, and clicking it launches the virus instead of showing a photo. The server therefore blocks double extensions, especially pdf, xml, exe, bat and com. Note that not all double extensions are bad, e.g. tar.gz, where you are dealing with an archive of files (.tar) that is additionally compressed with gzip (.gz).
In addition, the system can block all files of certain types, for example executables (exe, com, bat, etc.). That is why you should zip such a file before sending it. The server will still unpack the file and scan it for viruses, but the assumption is that if a user has to make more than 2 clicks to install a virus, it should be safe enough. Even the best security measures will not help if the user does not react in time.
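The attachment rules from the two paragraphs above, as an added example that is not part of the original article: a file-name policy that rejects executable types and unknown double extensions while allowing compound ones such as tar.gz, applied to an attachment and to every member of a zip it contains. The blocked and allowed extension sets are assumptions modelled on the page's examples; the zip is built in memory as constructed input, and no virus scanning is done.

```python
import io
import zipfile

# Policy values are assumptions modelled on the page's examples, not a real server's configuration.
BLOCKED_EXT = {"exe", "com", "bat"}                            # executable types rejected outright
SAFE_DOUBLE = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}   # compound extensions that are legitimate

def check_filename(name):
    """Return (allowed, reason) for a file name such as 'zdjęcie.jpg.exe' or 'backup.tar.gz'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()   # ignore any directory part
    exts = base.split(".")[1:]
    if not exts:
        return True, "no extension"
    if exts[-1] in BLOCKED_EXT:
        return False, f"executable type .{exts[-1]}"
    if len(exts) >= 2:
        if tuple(exts[-2:]) in SAFE_DOUBLE:
            return True, "known compound extension"
        return False, "double extension ." + ".".join(exts[-2:])   # e.g. invoice.pdf.xml
    return True, "ok"

def check_attachment(name, data):
    """Apply the name policy to the attachment and, for a zip, to every file inside it."""
    allowed, reason = check_filename(name)
    if not allowed:
        return allowed, reason
    if name.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                allowed, reason = check_filename(member)
                if not allowed:
                    return False, f"{member} inside archive: {reason}"
    return True, "ok"

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()
```

Names with version-style dots (e.g. release-1.2.txt) also count as double extensions under this rule, which is the false-positive side of the page's policy.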
Content – message body
That is, if the body contains many links, often with a hidden URL (one address is shown, a different one is linked), a lot of special characters, or suspicious JavaScript code meant to run malicious software when the message is opened, such messages are rejected without even going to the spam folder. The sender, even if it is a spammer, is informed of the rejection, because the message may be a normal one from a sender who is unaware that a virus on their machine attached its code to the message in the background.
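Two of the checks described above, as an added example that is not part of the original article: a small HTML auditor that flags anchors whose visible text names one host while the href points to another (the a11egro.pl trick from earlier), script elements in the body, and an excessive link count. The sample message and the link limit of 10 are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

def host_of(text):
    """Hostname of a URL or bare domain in `text`, or None if the text is not one."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t                       # treat bare 'allegro.pl' like a URL
    try:
        host = urlparse(t).hostname or ""       # hostname is returned lower-cased
    except ValueError:
        return None
    return host if HOST_RE.fullmatch(host) else None

class LinkAuditor(HTMLParser):
    """Flags anchors whose visible text names a different host than the href, and script elements."""

    def __init__(self):
        super().__init__()
        self.findings, self.links = [], 0
        self._href, self._text = None, []       # state of the anchor currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += 1
            self._href, self._text = dict(attrs).get("href") or "", []
        elif tag == "script":
            self.findings.append("script element in message body")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)             # collect the visible link text

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown, real = host_of("".join(self._text)), host_of(self._href)
            if shown and real and shown != real:
                self.findings.append(f"link text shows {shown} but points to {real}")
            self._href = None

def audit_html(body, max_links=10):
    """Return the list of findings for a message body; an empty list means nothing suspicious."""
    auditor = LinkAuditor()
    auditor.feed(body)
    if auditor.links > max_links:
        auditor.findings.append(f"{auditor.links} links, more than {max_links}")
    return auditor.findings

# Constructed sample: a lookalike login link disguised as the real domain.
SAMPLE_BODY = ('<p>Your account will expire.</p>'
               '<a href="https://a11egro.pl/login">https://allegro.pl</a> '
               '<a href="https://allegro.pl/unsub">Unsubscribe</a>')
```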
What doesn't kill you makes you stronger: our server receives on average one message per second, 80% of which is spam that is rejected immediately without reaching our clients' mail accounts; the remaining 20% go to the spam folder, because they are not dangerous but may contain messages the client wants. Dangerous messages are rejected without informing the recipient; the only notice of the rejection goes to the sender.