Spam Filters – CompTIA Security+ SY0-401: 1.1

Few things are more frustrating than having to sort through an email inbox that’s full of unsolicited email. In this video, you’ll learn about spam filters and some common methods used to separate the legitimate email from the spam.


No one likes to receive unsolicited emails. It’s one of those things that can fill up your inbox, and receiving all of this spam also creates overhead on your email servers and of course the bandwidth coming into your organization. You probably have something like this in your environment, where there is information coming in from the internet, and all of those emails would go to a central mail relay on the inside of your network that then sends that information off to the mailboxes that you ultimately access.

So this is a great place to be able to stop the spam. If we stop it at the mail gateway or the mail relay, then we can prevent it from ever showing up in your inbox. And there are a number of different ways to do it. Some people will do it on the mail relay itself, other folks prefer to outsource that to the cloud. There are many companies that will provide email filtering before it’s ever sent to your mail relay, which means that you can spend time on your system managing other parts of your email, rather than dealing with spam filtering.

There are many methods that these spam filters use to determine whether an email message is legitimate or whether it is simply unsolicited spam email. One very common way is to have a white list. You would only be able to receive emails from people that were on the list. If you’re not on the list, then those emails are never delivered into your inbox.

Another way to analyze a piece of email to determine if it’s spam or not is to examine the protocol itself that’s used to transfer the mail from one mail gateway to another. We do this using SMTP. This is the Simple Mail Transfer Protocol, and there are certain standards that are used to transfer this. If it’s a spammer, they may not be using the exact standards. And when you look at the details of what’s being sent, you may be able to filter out email because it’s not directly following those standards.

Another determination you can make is to look at the sender of the email, and then compare that to the IP address of who’s actually sending it. If you’re expecting an email that’s coming from an associate who’s in the same country as you, and yet the IP address is from somewhere halfway across the world, a reverse DNS lookup can easily start showing those discrepancies. And perhaps it might be a decision to categorize that as spam, rather than something that might be legitimate.

The process of sending a mail between mail servers is completely non-interactive. There are no human beings at either end of that particular line of communication. So if there are delays that occur, we never really see those as the end user. One of the things the spammers are doing, of course, is sending as many emails as possible in a very short period of time.

So one way to frustrate that process is to do something called tarpitting. Tarpitting is an intentional slowdown of the communications process between these mail servers. So as the spammer’s trying to send that mail in, you just take another couple of seconds before you ever reply back to what they’re doing. The spammers are expecting that machine to respond back in milliseconds, and instead you’re taking many thousands of milliseconds to respond. And in some cases, the spammer will stop the process and move on to someone that they can use a very fast transfer method against.

So by simply slowing down the conversation, you may be able to prevent a lot of the spam you might normally get. In some cases, the spammers are simply making up names and sending them to email addresses in your domain. So instead of filling up your mail server with a lot of unknown users, or perhaps responding back to the spammer saying you don’t have the right name and they can simply try something else, you can just simply block it right there.

Filter out anybody who is not a legitimate recipient, and instead of informing the sender that the name doesn’t exist, they don’t hear anything back from you, and the spammer has no idea whether their spam email ever made it to the end user or not.
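To show how these checks fit together on a mail relay, here is an added example (not code from the video) that evaluates one inbound delivery attempt against the methods described above: the sender white list, a simplified SMTP-standards check on the HELO name, a reverse DNS comparison, a tarpit delay for suspect sessions, and a silent drop for unknown recipients. The domain names, mailboxes, IP addresses and the PTR table are constructed so the example runs offline.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed configuration standing in for the relay's settings.
ALLOWED_SENDER_DOMAINS = {"partner.example", "corp.example"}
LOCAL_MAILBOXES = {"alice@corp.example", "bob@corp.example"}
TARPIT_SECONDS = 5.0  # how long a suspect session waits for each reply

# Hypothetical reverse-DNS table so the example runs offline; a real relay
# would resolve PTR records with socket.gethostbyaddr() instead.
PTR_TABLE = {"192.0.2.10": "mx1.partner.example",
             "203.0.113.5": "dsl-5.isp.example"}


@dataclass
class Verdict:
    accept: bool
    reason: str
    delay: float = 0.0    # tarpit: seconds to wait before replying
    silent: bool = False  # True: discard without any "user unknown" reply


def reverse_dns(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def helo_is_standard(helo: str) -> bool:
    """Simplified RFC 5321 check: HELO/EHLO should carry a fully qualified
    host name, not a bare word or something with spaces in it."""
    return "." in helo and " " not in helo and not helo.startswith(".")


def evaluate(ip: str, helo: str, mail_from: str, rcpt_to: str) -> Verdict:
    """Decide what the relay does with one inbound delivery attempt."""
    domain = mail_from.rpartition("@")[2].lower()
    # White list: only senders from listed domains are considered at all.
    if domain not in ALLOWED_SENDER_DOMAINS:
        return Verdict(False, "sender domain not on white list", TARPIT_SECONDS)
    # Protocol check: a peer that ignores the SMTP standard is suspect.
    if not helo_is_standard(helo):
        return Verdict(False, "non-standard HELO argument", TARPIT_SECONDS)
    # Reverse DNS: the claimed host name must agree with the PTR record.
    ptr = reverse_dns(ip)
    if ptr is None or ptr.lower() != helo.lower():
        return Verdict(False, "HELO does not match reverse DNS", TARPIT_SECONDS)
    # Unknown recipient: drop silently instead of confirming which names exist.
    if rcpt_to.lower() not in LOCAL_MAILBOXES:
        return Verdict(False, "unknown recipient", silent=True)
    return Verdict(True, "accepted")
```

A real relay would apply the `delay` by sleeping before writing its SMTP reply, and would treat `silent` as "accept and discard" rather than returning a user-unknown error or generating a bounce.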

Whether you’re filtering out your spam with an on-site server or you’re using a cloud based service, these methods can help you eliminate a lot of the spam that might be incoming to your environment.