Sembee Blog of Exchange MVP Simon Butler

Real Time Blacklisting

Blacklisting.
For some email administrators Blacklists are the greatest weapon against spam. It cannot be denied that they can have a significant effect on the amount of email that your server has to process, and they do meet the primary objective of spam detection - dealing with the email at the point of delivery, therefore  reducing back scatter. They are also free, and once setup require little to no maintenance by the administrator.

However personally I dislike blacklists. I don't like the idea of someone else (either human or computer) deciding on what email I should receive, based on lists and reports that I have no control over.
Furthermore, from a business perspective, using a blacklist may cause potential clients to be rejected, as one of my specialism's is the cleanup of servers that have been abused and are likely to be blacklisted.

However, if I could blacklist IP addresses that I know are trying to send spam to me, in real time, where I have complete control over all aspects of the filter, then that could be something of use. A new feature in Vamsoft ORF has introduced exactly that, and has actually got to the point where I have turned off the antispam features in Exchange.

I have written about Vamsoft ORF before, using it for Greylisting (http://blog.sembee.co.uk/archive/2006/09/18/24.aspx) and as part of an SMTP gateway configuration (http://www.amset.info/exchange/gateway.asp).

With the latest version at the time of writing, 4.3, they have introduced a feature called Honey Pot. The simple way that this works is to block IP addresses that attempt to send email to addresses in the Honey Pot list.
In the Vamsoft setup guide it gives you some ideas on how to publish the honey pot addresses, however I found that I didn't need to publish anything.
Going through logs on my backup SMTP gateway, which does recipient validation through Vamsoft rather than Exchange, I noticed that the same non-valid addresses were being used time and time again. These were addresses that I had NEVER used, would never be likely to.

IMPORTANT: The use of addresses that have never been used is the key here. Adding addresses that were in use will provide you with false positives, because that could be legitimate email. If you decide to follow this practise then ensure that you only use addresses that have NEVER been used.

Therefore what I did was turn off recipient validation on my primary SMTP point of entry and configured  that function to be done by Vamsoft ORF. This allowed me to see the addresses that were being sent to on that server as well. I was then able to compile a list to use as my honey pot.
I review the logs frequently to see if new email addresses are being tried, which can be added to the list of honey pot addresses.

This means I am using three tests for spam - recipient validation (which should be something that every site does) greylisting, and honey pot.

The effect was significant. I have been using this setup for a number of weeks and the amount of spam I am seeing in my mailbox or caught by IMF (so got through the initial greylisting and honey pot) is almost zero. One or two messages a week. I have actually now turned off IMF on my Exchange servers.

Why is this being so effective?
The simple reason this is being so effective is that the spammer's list of email addresses will contain a mixture of valid and invalid addresses. As soon as the spammer's server attempts to send an email to a non-valid address that is on my honey pot list, it is blacklisted. Even if that IP address subsequently tries to send to a valid address it will be blocked.
Combined with greylisting, which sends away the initial connection, the even if a legitimate address is used first, the spam doesn't get though. The first attempt is greylisted, then if the list of email addresses contains one of the bogus ones, then it gets blocked. The server attempts to deliver again after greylisting and its connection is blocked.

I also think this is more effective than regular blacklisting because it is in real time and is based on email received by my servers.

I have combined this with an SQL backed database for Vamsoft ORF so that both of my SMTP gateways share the same information, meaning that a blacklisting that is set by one server, is also used by the other.

Finally, I have also combined this with custom NDR text, that points people to a special page on my web site. This page explains what is happening, and other ways to contact me. If required, I can then white list to allow the legitimate messages through and take the spam hit for a short time.


Vamsoft ORF: http://www.shareit.com/product.html?productid=169362&affiliateid=200023740