[dba-Tech] Use of Blacklists on mail servers

Erwin Craps - IT Helps Erwin.Craps at ithelps.eu
Thu Feb 14 08:06:07 CST 2008


Problem again is, as always, that as soon as this kind of technology gets
widespread, the spammers will adjust their software accordingly and
we're back to square one.
So you better not tell this to everyone :-)



-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Gustav Brock
Sent: Thursday, February 14, 2008 1:47 PM
To: dba-tech at databaseadvisors.com
Subject: Re: [dba-Tech] Use of Blacklists on mail servers

Hi Erwin

Basically it is quite simple. Any decent mail server which tries to
deliver legitimate mail to your server behaves like a mature mail
server. Such a mail server communicates with your server when it
connects, and by analysing this communication pattern Spambunker
determines if the sender is "real" and is addressing a valid account of
the receiving domain. Those failing these tests are the bot machines and
the ultra-high volume mail transmitting engines the pro spammers use.
These engines fire off millions of spam mails and it could not be done
if they should behave and study the answers from the receivers and act
accordingly.

This is the key to the zero false positives and to the high capacity of
Spambunker as spam mails are not even received not to say stored. Of
course, some "amateur" spam may get through; this is typically spam sent
from a Yahoo or AOL type of account but these large providers are so
agile that such an account is closed quite fast. 
To give you an idea of how effective the filter is, I can tell that
without a filter I receive several hundred spams per day. Spam addressed
to non-existing accounts of our domains is counted by the thousands per
day. With the filter in action I receive an average of two spams per
week.

One of our clients would receive about 20,000 spams per day without the
filter, and while it peaked at us the count was well above 100,000.

/gustav

>>> Erwin.Craps at ithelps.eu 14-02-2008 12:59 >>>
Hi Gustav

I just visited their website but it is not clear to me on what basis they
decide to accept or refuse a connection?
How do they decide if a remote server is trustworthy or not?


The big advantage of this solution, but also of blacklists, is of course
the bandwidth that is saved by refusing to accept an e-mail rather than
analysing an e-mail after receiving it.


Erwin



-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com 
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Gustav Brock
Sent: Thursday, February 14, 2008 10:29 AM
To: dba-tech at databaseadvisors.com 
Subject: Re: [dba-Tech] Use of Blacklists on mail servers

Hi Erwin

We used blacklist blocking for a while and later also a scanning
spam filter, but at some point about a year ago we felt we were under
attack as thousands and thousands of spam mails simply brought the
filter to its knees.
Our present solution is Spambunker which we installed at that time and
have worked with close to zero maintenance since. When it was installed,
it was like closing a door as it works from minute one; no learning, no
import of blacklists. Further, zero false positives and only modest
hardware is required for even a high-traffic mail server.

It is not free but offered at a fair price: 

  http://www.spambunker.ch 

As for the infected workstation, we have CounterSpy from Sunbelt
Software as first choice. Also Spybot Search & Destroy (free) and
TrojanHunter and the Trend on-line scanner.
These days we've found that traditional virus scanners are of limited
value if any at all. The trojan removers and blockers do the hard work.
Indeed, CounterSpy is very effective and with a good UI which most
normal users can grasp.

/gustav

>>> Erwin.Craps at ithelps.eu 14-02-2008 09:56 >>>
One of my clients recently got on an IP blacklist due to spam sent from an
infected computer within the network, probably from end of December till
last week.

Although I personally manage the network and all computers had fully updated
virus scanners (McAfee), I installed Trend Micro halfway through January so
possibly something went wrong migrating from one to the other.

The Trojan was new and vicious and passed both virus scanners. Because I
don't scan existing files (only on write/modify) nor do a weekly scan
on desktops, the Trojan managed to stay alive on this system... I do not
scan because of user complaints about slow computers...


This brings up the discussion of using Blacklists like spamcop to me.

I looked into this matter 1 or 2 years ago and read several things about
it saying that blacklists are not that good against spam and are a fight
against spam lost in advance. Several blacklists were stopping at that
moment, so I decided not to use the principle of a blacklist.

 

But now I got forced into the matter and noticed ISPs are still using
blacklists. So I installed a blacklist on this customer's server and on my
own server for evaluation purposes.

 

I already notice a major decrease in spam in my spam folder (I'm using
Trend Micro to detect spam), but the spam that is not detected by Trend
Micro is still getting into my inbox. I don't have the impression that
this is lowering, but I only installed it yesterday evening, so I have to
be patient to see some real results.

 

My question is, what is the opinion and practical experience of the
people on this list that manage mailservers?

What about false positives?

I want to know if I would need to configure a blacklist by default on my
clients' mail servers or not.

 

thx

 

Erwin Craps

Managing Director
Website: http://www.databaseadvisors.com
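The behaviour test Gustav describes above (does the sender wait for our banner, greet with a real hostname, address an existing account, and react to our replies?) and the IP-blacklist lookup Erwin is evaluating, written out as an added Python example. This is not code from the thread and not Spambunker's or spamcop's implementation; the rules are an approximation of Gustav's description, and the recipient set, the two session transcripts and the DNSBL zone name are constructed placeholders.

```python
"""Added example: score an inbound SMTP session on the behaviour described
in this thread and build a DNSBL lookup name for an IP-blacklist check.
Not Spambunker's code; the rules approximate Gustav's description."""
from dataclasses import dataclass
import ipaddress

# Constructed: the accounts this receiving domain actually hosts.
VALID_RECIPIENTS = {"gustav@example.com", "erwin@example.com"}


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Name to resolve for an IPv4 blacklist check: the client's octets
    reversed, under the list's zone (the zone used below is a placeholder,
    not a real DNSBL). A listed IP answers with an A record; the check
    happens at connect time, before any message body is accepted."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


@dataclass
class Verdict:
    reasons: list

    def accept(self) -> bool:
        return not self.reasons


def evaluate_session(events):
    """events: (who, line) pairs in wire order, who is "S" (our server) or
    "C" (the connecting client). Returns a Verdict listing every sign that
    the client is a bot or bulk engine rather than a mature mail server."""
    reasons = []
    banner_sent = False      # have we sent our 220 greeting yet?
    greeted = False          # has the client sent HELO/EHLO?
    accepted_rcpts = 0       # RCPT TO lines we answered with 250
    last_verb = None
    for who, line in events:
        if who == "S":
            code = int(line[:3]) if line[:3].isdigit() else 0
            if code == 220:
                banner_sent = True
            if code == 250 and last_verb == "RCPT":
                accepted_rcpts += 1
            continue
        # Client line. A mature server waits for the banner before talking.
        if not banner_sent:
            reasons.append("spoke before the 220 banner (early talker)")
            banner_sent = True          # report this once per session
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            greeted = True
            if "." not in arg.strip():
                reasons.append(f"no usable hostname in {verb}: {arg.strip()!r}")
        elif verb == "MAIL" and not greeted:
            reasons.append("MAIL FROM before HELO/EHLO")
        elif verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>").lower()
            if rcpt not in VALID_RECIPIENTS:
                reasons.append(f"addressed non-existing account {rcpt}")
        elif verb == "DATA" and accepted_rcpts == 0:
            reasons.append("sent DATA with no accepted recipient (ignored our replies)")
        last_verb = verb
    return Verdict(reasons)


# Constructed transcripts, in wire order.
MATURE_SESSION = [
    ("S", "220 mail.example.com ESMTP"),
    ("C", "EHLO mx1.sender.example.net"),
    ("S", "250 mail.example.com"),
    ("C", "MAIL FROM:<alice@sender.example.net>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<gustav@example.com>"),
    ("S", "250 2.1.5 Ok"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
]
BOT_SESSION = [
    ("C", "HELO localhost"),                  # talks before our banner
    ("S", "220 mail.example.com ESMTP"),
    ("C", "MAIL FROM:<promo@bot.invalid>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<nobody123@example.com>"),  # account does not exist
    ("S", "550 5.1.1 User unknown"),
    ("C", "DATA"),                            # ignores the 550
]

if __name__ == "__main__":
    for name, session in (("mature", MATURE_SESSION), ("bot", BOT_SESSION)):
        v = evaluate_session(session)
        print(name, "accept" if v.accept() else "reject", v.reasons)
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example.invalid"))
```

The point of scoring the conversation rather than the message is the one Erwin raises about bandwidth: every reason above is visible before the DATA phase, so a rejecting server never receives or stores the body. A DNSBL hit is the same kind of connect-time decision, which is also why a compromised workstation behind a shared NAT address gets the whole site listed.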

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com




