Spam Protection
In an effort to reduce spam for our customers, we have a set of filters in place that allows us to constantly update our anti-spam system with new rules. In addition to this filtering system, we also use blacklists. Below is a brief explanation of the types of filters and blacklists we use. If you have had a message bounced and you don't think that was correct, or one of your customers is complaining of being bounced, first read the error message that is likely found in the email that was bounced. This message will probably direct you to the site of the vendor that hosts the blacklist we are using. There you will see information supporting why the email was bounced. If there is still a problem, email us or call. We will be glad to help identify the problem and will likely be willing to help get it fixed.
If you feel that legitimate email is being bounced, please let us know. We can either whitelist your email address/domain and/or IP address ranges, or remove the rule or rules if there are too many false positives. If you or your service provider is in one of the blacklists we utilize, you will need to have them contact the blacklist operator to be removed. We make every effort to reject only spam; however, there are times when legitimate mail will be bounced. It is the trade-off in the ongoing war against spam.
Why Black Lists?
We have started using outside "blacklists" to handle incoming spam for several reasons. The biggest reason is that our mail servers and filters are spending more time processing spam than legitimate mail. This means massive mail delivery slowdowns, delays sending and receiving mail, and heavy processor and RAM load on our machines.
Another reason we have resorted to blacklists is that very little spam makes it through these filters (and any that comes to our spam traps gets immediately reported to SpamCop).
Of course, there are bound to be some "false positives", and we deal with these on a case by case basis. However, nearly everything we block appears to be spam.
Below are the blacklists we currently use. They are loaded and checked in the order they are listed.
- bl.spamcop.net
- sbl.spamhaus.org
- spamtrap (email addresses we have set up to lure spammers in)
- blacklist.jippg.org
- dnsbl.njabl.org
- relays.ordb.org
- dev.null.dk
- opm.blitzed.org
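How an ordered DNS blacklist check works, as an added example that is not this site's own code: the connecting IPv4 address is reversed, the zone name is appended, and an A record in 127.0.0.0/8 means "listed". Stopping at the first listing, the `resolve` callable and the sample DNS data are assumptions made for illustration.

```python
import ipaddress

# Zones from the list above, in the order the page says they are checked.
# "spamtrap" is a local address list, not a DNS zone, so it is not queried.
ZONES = ["bl.spamcop.net", "sbl.spamhaus.org", "blacklist.jippg.org",
         "dnsbl.njabl.org", "relays.ordb.org", "dev.null.dk", "opm.blitzed.org"]
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(client_ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    ip = ipaddress.IPv4Address(client_ip)   # raises ValueError on bad input
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def first_listing(client_ip, resolve, zones=ZONES):
    """Return (zone, answer) for the first zone listing client_ip, else None.

    resolve(name) is an assumed callable returning a list of A-record
    strings, or an empty list for NXDOMAIN (not listed)."""
    for zone in zones:
        for answer in resolve(dnsbl_query_name(client_ip, zone)):
            # Only 127.0.0.0/8 answers are listing codes; any other answer
            # (wildcard DNS, a parked zone) is ignored, not treated as a hit.
            if ipaddress.IPv4Address(answer) in LISTING_NET:
                return zone, answer
    return None

# Constructed resolver data for an offline run (192.0.2.0/24 is documentation space).
FAKE_DNS = {
    "99.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],
    "99.2.0.192.dnsbl.njabl.org": ["127.0.0.9"],
    "7.2.0.192.bl.spamcop.net": ["203.0.113.5"],   # non-127 answer, ignored
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.7"):
        print(ip, first_listing(ip, fake_resolve))
```

The zone named in the result is what a bounce message would point the sender to, which is why the error text identifies the blacklist vendor.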
What filters are in use?
- No Message-ID Filter
  - This filter will bounce any message that has no Message-ID and is not from a host that is allowed to relay or has used SMTP AUTH. This can be useful for blocking spam, as spammers often leave out the Message-ID header to try to hide the origin of their messages. No legitimate sites should be sending messages without Message-ID headers, as section 3.6.4 of RFC 2822 states that messages SHOULD have a Message-ID header.
- Filtre & Go
  - This filter allows for any string filtering in the email envelope, header, or body. Unfortunately, filtering on text strings is beginning to generate a fair amount of false positives, so this filter has been moved down in the list and is in jeopardy of being removed. Although there are currently about 230 rules, they basically fall into 4 categories of rejection:
    - attachments - illegal attachments that came with the email
    - spam - checks for what we determine to be strings indicative of spam
    - worms - worms that either send the email or attach themselves to the email itself
    - language - the least preferred category, but currently none of our customers receive Japanese or Chinese email in their respective native tongues.
- Route Address filter 1.0.1
  - This filter will bounce any recipient that has a % or ! in it, or starts with an @.
- Period Patrol Filter
  - This filter will bounce any message that contains more than 8 consecutive periods in the message subject.
- Host Name Filter
  - This filter checks the SMTP HELO/EHLO name to see if the sending mail server is pretending to be our email server. No legitimate email server would do this. We are checking for several forged email servers as well.
- Host Syntax Filter
  - This filter checks the SMTP HELO/EHLO name to make sure it is compliant with relevant standards, and refuses mail from any host that isn't compliant. The relevant standards are section 3.5 of RFC 1034 (Internet Standard 13), section 2.1 of RFC 1123 (Internet Standard 3, which refers to RFC 952), section 4.1.2 of RFC 821 (Internet Standard 10) and sections 4.1.2 and 4.1.3 of RFC 2821. This filter will block hosts with underscores in their HELO/EHLO name; those hosts are not compliant with these standards.
- Happy99 virus filter
  - This filter will bounce any message with an X-Spanska: header starting with "yes". Version 1.1.1 fixes the filter to not be so strict about line ends.
- Papa virus filter
  - This filter will bounce any message with a Subject: header starting with "Fwd: Workbook from all.net and Fred Cohen".
- Bulk Mailer Filter
  - This filter checks the headers of messages for the signature of a common bulk mailer program.
- Bulk Mailer2 Filter
  - This is another filter that checks the headers of messages for the signature of a common bulk mailer program. It can be used in conjunction with the original Bulk Mailer filter, as they match different signatures.
- Host Name Filter
  - This filter checks the SMTP HELO/EHLO name against the one in the STR# resource. This can be useful for blocking dictionary attacks that always use the same HELO/EHLO host name, and for blocking spam that always uses your server's IP address as the HELO/EHLO host name.
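Five of the rules above (No Message-ID, Route Address, Period Patrol, Host Syntax and Happy99) expressed as checks on the envelope and headers. This is an added example, not the filters' own code; the function names, the `trusted` flag and the sample messages are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# One hostname label: letters, digits, interior hyphens; "_" never matches.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def helo_syntax_ok(helo):
    """Host Syntax check on the HELO/EHLO argument."""
    if helo.startswith("[") and helo.endswith("]"):      # address literal
        try:
            ipaddress.ip_address(helo[1:-1].removeprefix("IPv6:"))
            return True
        except ValueError:
            return False
    return all(LABEL.match(label) for label in helo.split("."))

def rejection_reasons(helo, rcpt_to, raw_message, trusted=False):
    """Return the names of the filters above that would bounce this message.

    trusted=True stands for "allowed to relay or used SMTP AUTH"."""
    msg = message_from_string(raw_message)
    reasons = []
    if not trusted and not str(msg.get("Message-ID", "")).strip():
        reasons.append("No Message-ID")
    if rcpt_to.startswith("@") or "%" in rcpt_to or "!" in rcpt_to:
        reasons.append("Route Address")
    if re.search(r"\.{9,}", str(msg.get("Subject", ""))):  # more than 8 in a row
        reasons.append("Period Patrol")
    if not helo_syntax_ok(helo):
        reasons.append("Host Syntax")
    # Compared case-insensitively here; that choice is an assumption.
    if str(msg.get("X-Spanska", "")).strip().lower().startswith("yes"):
        reasons.append("Happy99")
    return reasons

# Constructed sample messages (not from the page).
SPAM = ("From: a@example.com\nSubject: Buy now" + "." * 9 +
        "\nX-Spanska: Yes\n\nbody\n")
CLEAN = ("From: b@example.org\nMessage-ID: <1@example.org>\n"
         "Subject: Wait" + "." * 8 + "\n\nbody\n")

if __name__ == "__main__":
    print(rejection_reasons("mail_1.example.com", "user%inside@example.net", SPAM))
    print(rejection_reasons("mx.example.org", "user@example.net", CLEAN))
```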
What Attachments do you block?
These filters will bounce any message that contains a file with a particular extension. These filters work well at blocking PC email viruses, and this is why we use them. For instance, there is no reason to be sending a .exe file through email. The filter checks all MIME parts for a Content-Type header with a "name" parameter that ends with the extension or a Content-Disposition header with a "filename" parameter that ends with the extension. They also check for uuencoded attachments and check for unusual headers that Outlook and Outlook Express will interpret as being executables. Finally, the CLSID filter blocks attachments with names that end with a }.
- .bat
- .com
- .exe
- .htm
- .html
- .lnk
- .pif
- .scr
- .vbs
- CLSID
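The attachment check described above, as an added example rather than the filter's own code: every MIME part is walked, both the Content-Type "name" and the Content-Disposition "filename" are tested, and text parts are scanned for a uuencode "begin" line. The function names, the RFC 2231 decoding, the trailing-dot handling and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

BLOCKED = (".bat", ".com", ".exe", ".htm", ".html", ".lnk", ".pif", ".scr", ".vbs")
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+)$", re.MULTILINE)  # uuencode header

def is_blocked(name):
    # Case-folding and dropping trailing dots/spaces are added hardening (assumption).
    name = name.lower().rstrip(". ")
    return name.endswith(BLOCKED) or name.endswith("}")  # "}" is the CLSID rule

def blocked_attachments(raw_message):
    """Return the sorted attachment names the extension/CLSID filters would bounce."""
    hits = set()
    for part in message_from_string(raw_message).walk():
        names = [part.get_param("name"),
                 part.get_param("filename", header="content-disposition")]
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            names += UU_BEGIN.findall(body)
        for value in filter(None, names):
            name = collapse_rfc2231_value(value).strip()  # decodes filename*= forms
            if is_blocked(name):
                hits.add(name)
    return sorted(hits)

# Constructed sample message (not from the page); the CLSID is a placeholder.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

begin 644 setup.bat
--b1
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt.{00000000-0000-0000-0000-000000000000}"

AAAA
--b1
Content-Disposition: attachment; filename*=utf-8''payroll%20report.scr

AAAA
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

The second part shows why both parameters are checked: its Content-Type name is harmless while its Content-Disposition filename ends in a CLSID.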