Deep header parsing of emails
Idea shared by Dale Harris - 12/20/2015 at 6:39 PM
From what I understand, what I'm after is called deep header parsing.
Can SmarterMail be made to check all mail servers involved with the delivery of an email against an RBL, please? I am finding that a large amount of the spam that we are receiving has actually been relayed to us.  I believe that SPAMmers are doing this in several ways:
1)    SPAMmers are either using open relay mail servers (less common now),
2)    Creating Gmail, Outlook, Yahoo, or other online webmail provider accounts, and then relaying through them, or
3)    They use stolen mail identity credentials from someone and then use those credentials to relay through.
If email servers could check all the email servers in the email header using all the existing SPAM filtering technologies, then I personally believe SPAM filtering could be more effective without a risk of false positives.  Also, it would make maintaining the RBLs a lot easier, as they would only really need to target the sources, rather than the last email server that sent the message.  Country filtering would also be more effective as it could target the source of the message rather than the last email server, which is most likely based in the USA.
It's still no excuse for good security, but if security fails, then we need smart preventative tools.  Checking the email header wouldn't require a new standard to be introduced, just using the existing information more wisely.

SmarterMail is already capable of this, but you'll need to set up the RBL tests, along with rDNS, SPF (and not just a generic one, but one specific to the IP address used by the domain), DKIM, and DMARC. Once you do that, you'll be in great shape.

See my antispam document at: https://portal.chicagonettech.com/kb/a171/smartermail-antispam-settings-document.aspx
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
So if an email has bounced through several email servers before reaching our email server, then will SmarterMail check each of the relay servers within the email header?  I found 2 spam today so far, and I've checked both of their headers.  Both emails have passed through at least one relay server, and just visually checking the IP addresses, I can tell that one email's original source IP address is from a region that I reject.
It's all well and good using probability and RBLs, but probability won't necessarily block some of the newer, well-crafted email messages, and RBLs won't block messages that have been relayed via Google, Microsoft, Yahoo, Symantec and a lot of other web-based mail services.  If RBLs could be used to target the original source of the email, not just looking at the last hop when the email was received, then RBLs would become more effective again.  Instead of having to use multiple RBLs to improve the probability, and using RBLs that include possible safe sites, it should be possible to use RBLs that give definitive answers about an IP address.  I believe that it should be easier to get a definitive answer on whether an email is SPAM by checking all relay IP addresses in the email header.  As more people use more hosted email services, it's going to get harder to stop SPAM using RBLs because they won't block the big companies.  However, RBLs can be used to block the original source, or VPN connection, or relay server(s) used in sending the message if all IP addresses within the email header are checked.
Probability can make things look good or bad.  I much prefer to know that something is definitely from a SPAM source and is rejected.  Once the majority of SPAM is totally blocked, then I'm happier to start using probability to reduce it further if required.  I find my users are getting easier to fool and SPAMmers are getting a lot smarter and craftier at designing emails.  The laws of probability say that I will get a user triggering a virus from an email (even from a junk mail folder), so the more I can eliminate, the better my odds should be.  If you rely upon the laws of probability all the time, then you are guaranteed to get valid email in the junk mail folder.  Then you have users who won't check the junk mail folder because, as the name implies, it's junk mail, or you get users who will then check everything and you're back to the start again trying to prevent users getting junk mail.
As for grey-listing, I think it's a complete waste of time against professional SPAMmers as they automatically retry anyway.  The only benefit is that during the grey-listing period, the SPAMmer's IP address may register on an RBL which it didn't earlier.
So this goes back to my original point: why not check all IP addresses (where it was received from and the relay servers) in the email header against RBLs, country filter lists, etc., to prevent SPAM outright, instead of relying upon probability?  The other thing against using lots of RBLs to improve the probability score is that if your organisation, like where I work, is located where internet speed and bandwidth isn't very good, then you can't afford to continually run checks for anything.
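Both of Dale's posts ask for the same mechanism: walk every hop recorded in the Received headers and check each IP against an RBL. The following is an added example, not SmarterMail code or anything posted in the thread, showing how that parse and DNSBL lookup work and where a trust boundary belongs; the sample message, hostnames and the DNSBL zone are constructed placeholders, and the resolver is injectable so the block runs offline.

```python
import re
import socket
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample, not a real capture: our MX got the message from a relay,
# which got it from a webmail host, which accepted it from a submitting client.
SAMPLE_RAW = (
    "Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.5])\n"
    "\tby mx.ourdomain.example with ESMTP; Sun, 20 Dec 2015 18:39:00 +0000\n"
    "Received: from webmail.example.org ([198.51.100.7])\n"
    "\tby mail-relay.example.net with ESMTP; Sun, 20 Dec 2015 18:38:30 +0000\n"
    "Received: from [192.0.2.99] (unknown [192.0.2.99])\n"
    "\tby webmail.example.org with ESMTPA; Sun, 20 Dec 2015 18:38:00 +0000\n"
    "From: someone@example.org\nTo: user@ourdomain.example\nSubject: test\n\nbody\n"
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed literal the receiver logged

def received_hops(raw: str) -> List[Dict[str, str]]:
    """One {'ip', 'by'} per Received header, newest hop (our own server) first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received") or []:
        hdr = " ".join(hdr.split())                      # unfold continuation lines
        from_part, _, by_part = hdr.partition(" by ")
        ip = IPV4.search(from_part)
        if ip:
            hops.append({"ip": ip.group(1), "by": by_part.split()[0] if by_part else ""})
    return hops

def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: octets reversed under the list zone, e.g. 5.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def live_lookup(name: str) -> Optional[str]:
    """Real resolver: an A record means 'listed', NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_all_hops(raw: str, zone: str, trusted_by: set, lookup=live_lookup) -> List[dict]:
    """Check every hop's IP against the DNSBL. A hop is 'attested' only while each server
    that wrote a Received line above it (its own included) is one we trust; lines below the
    first untrusted writer may be sender-forged, so a listing there is scoring evidence only."""
    results, attested = [], True
    for hop in received_hops(raw):
        attested = attested and hop["by"] in trusted_by
        results.append({"ip": hop["ip"], "by": hop["by"], "attested": attested,
                        "listed": lookup(dnsbl_name(hop["ip"], zone)) is not None})
    return results
```

The attested flag is the caveat to "reject outright": only hops recorded by your own or otherwise trusted servers are verifiable, so a listed IP in a deeper, unattested hop should raise a score rather than cause a hard reject, or a spammer can forge a Received line to get legitimate mail blocked.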