| Level | Method | How they work | Why a mailer gets blocked | Example programs |
|---|---|---|---|---|
| SMTP / Email Relay | Real Time Black Lists | The IP address on an incoming email is compared against a list of IP addresses belonging to known spammers, suspected spammers, spam software companies, and spam hosts (which allow spammers to use their servers). | Recipients complain that you are spamming them. You are using an external mail server or email delivery provider who is, supports, or mails for a known or suspected spammer. You are using an ISP who does not agree to shut down a suspected spammer. | MAPS, Spamhaus, SPEWS, + over 300 others |
| SMTP / Email Relay | Reverse DNS Lookup | The IP address is used to look up the Domain Name Server. If Reverse DNS is not enabled, the mailer is suspect. | Not having Reverse DNS enabled. | www.dnsstuff.com |
| SMTP / Email Relay | Enterprise / ISP White Lists | The enterprise/ISP maintains a private list of approved mailers. | The ISP adds you through a formal verification process (not easy or widely done). Enough recipients advise their ISP/company IT department that your mail is not spam. | N/A, not published |
| SMTP / Email Relay | Open Relay Hijacking | Identifies mailers using an Open Relay to mail. | Not eliminating all Open Relays on your servers; a spammer hijacks one. | ORDB, http://www.dnsbl.sorbs.net/ |
| SMTP / Email Relay | Insecure Version of FormMail / Hijacking of FormMail | Identifies servers with an insecure version of FormMail. Identifies mailers hijacking them as mail servers. | Using an insecure version of FormMail on your website. | To view the latest FormMail info: http://www.scriptarchive.com |
| SMTP / Email Relay | Multiple Relays | Identifies mailers using multiple relays to mail. | Relaying mail across multiple internal relays before mailing the message. | Integrated into other programs. Verify you're compliant with http://www.rfc-editor.org |
| SMTP / Email Relay | Volume Filters | Stops mail based on high volume, which is typical of a Directory Harvest or Denial of Service attack. | Mailing high volumes. Mailing repeatedly to bad addresses (e.g. you may appear to be a Directory Harvest attack). | Configured at ISP / corporate level. |
| Identity-Based Filtering | Certificates (and certificate-like) | The sender's identity is validated by looking up the sender's digital certificate. | N/A, these are not blocking mechanisms. | Habeas, Trusted Sender |
| Content Filters | Key-Word Matching | Searches for specific text (phrases and words) that identifies unwanted mail. | The email message contains one of the keywords or phrases (with simple key-word matching, any one word is enough to get filtered out). | McAfee SpamKiller, Surf Control |
| Content Filters | Heuristics-Based Filters | Applies a set of rules to analyze an email message to determine the likelihood that it is spam. | The email message breaks enough of the rules to have a high enough score to be considered spam. | Message Labs, Spam Assassin |
| Content Filters | Hashes / Signature-Based Filters | Maintains a database of "hashes" of previously identified spam messages and compares incoming emails to this database. Messages that match are blocked. | Users complain that the email you sent them is spam. Sending email to a Spam Trap (meaning you are spamming). | Bright Mail, SpamTrap |
| Content Filters | Bayesian Analysis | An algorithm that is trained to differentiate textual attributes of spam and non-spam messages. Each attribute is weighted and applied to a total probability score. | The unique combination of positive and negative characteristics of your email is enough to flag you as spam, either by the individual or the ISP/enterprise (usually employed at end-user level). | GFI Mail Essentials, SpamProbe |
| Other Filters | Collaborative or Community-based Filters | End users vote on which messages constitute spam. The number of votes needed is not usually published and differs by program. | Recipients complain you are spamming them. | Cloudmark Spamnet, Spamcop |
| Other Filters | Challenge/Response Filters | Requires senders to verify their authenticity before the email is delivered to the recipient. The sender receives an email to which they must respond. | You fail to respond to the challenge. Mail remains quarantined. | Spam Arrest, Choice Mail |
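
The first two SMTP/relay rows above (Real Time Black Lists and Reverse DNS Lookup) can be checked from the sender's side with the sketch below, which is an added example and not code from this table or from any product it names. It goes one step beyond the table by confirming that the PTR name resolves back to the same IP. The zone `dnsbl.example`, the addresses and the `fake_*` resolvers are constructed so it runs offline; the default arguments of `is_listed` and `reverse_dns_status` use the system resolver instead.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone (ValueError if not IPv4)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve_a=socket.gethostbyname):
    """True if the blacklist zone returns a 127.0.0.0/8 answer for this IP."""
    try:
        answer = resolve_a(dnsbl_query_name(ip, zone))
    except OSError:  # NXDOMAIN or lookup failure: treat as not listed
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def reverse_dns_status(ip, resolve_ptr=socket.gethostbyaddr,
                       resolve_fwd=socket.gethostbyname_ex):
    """Return 'no-ptr', 'ptr-unconfirmed' (name does not map back), or 'ok'."""
    try:
        host = resolve_ptr(ip)[0]
    except OSError:
        return "no-ptr"
    try:
        return "ok" if ip in resolve_fwd(host)[2] else "ptr-unconfirmed"
    except OSError:
        return "ptr-unconfirmed"

# Constructed DNS data (documentation address ranges, hypothetical zone) so this runs offline.
FAKE_A = {"10.2.0.192.dnsbl.example": "127.0.0.2", "mail.example.org": "198.51.100.7"}
FAKE_PTR = {"198.51.100.7": "mail.example.org"}

def fake_a(name):
    if name not in FAKE_A:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return FAKE_A[name]

def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR (constructed)")
    return (FAKE_PTR[ip], [], [ip])

def fake_fwd(host):
    return (host, [], [fake_a(host)])

def check_sender(ip, zones=("dnsbl.example",)):
    """Run both checks against the constructed data above."""
    return {"listed_on": [z for z in zones if is_listed(ip, z, fake_a)],
            "rdns": reverse_dns_status(ip, fake_ptr, fake_fwd)}
```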