



Anti-spam


Spam[1] is a term given to unwanted or junk mail that is often broadcast by the originator to many recipients simultaneously. Examples include mailing lists, get-rich-quick pyramid schemes, and advertising.

Furthermore, some spam originators use other people's SMTP mail servers to redistribute their own messages, so that the message appears to have originated from that server; a technique known as mail spoofing. Using a remote server as a mail relay for spam in this way can result in serious inconvenience to the mail administrator.

See page 5-15 for more details on spoofing techniques and how you can configure MAILsweeper to detect messages that may have been spoofed.

MAILsweeper can be configured to detect and block spam mail using the following methods:

Blocking mail from specific hosts and preventing mail relay through your server is only available in MAILsweeper for SMTP systems.

For more details on how these features can be configured, see page 2-61.

Using AMUcheck

You can use AMUcheck to block junk mail from known sources, based on the sender's email address. For example, if you receive regular mailings from a list server you can specifically name that server, using one of the AMUcheck rules.

For example:

FROM listserver@company.com
  TO *@your_company.com DeleteJunk

Any message with the source address listserver@company.com can then be blocked and simply deleted, with no further action.

Using the above rule, communication with the rest of company.com is still permitted.

The following example shows how incoming junk mail can be blocked and deleted, using AMUcheck rules (defined in the file AUTHFILE.TXT).

In the example, all messages from listserver@company.com are blocked and then deleted.

In AUTHFILE.TXT:

RESPONSE allow 
...
RESPONSE DeleteJunk PRIORITY 3

FROM *@*
  TO *@* allow         ; Allow everything

FROM listserver@company.com
  TO *@your_company.com DeleteJunk

FINISH                 ; End of rules

If any message has a source address of listserver@company.com and a destination address of anyone at your company (*@your_company.com) then the <Response> generated by AMUcheck is DeleteJunk.

The DeleteJunk <Response> is defined in the first section of the file, using a RESPONSE statement.

In MIMESWP.CFG:

[Disposal]
DEFAULTDISPOSAL=Clean
...
DeleteJunk=JustDelete
...
LoadFailure=FailedLoad

The <Response> DeleteJunk has an entry in the [Disposal] configuration section. This entry maps the <Response> to a final disposition for the message. Assuming that DeleteJunk is the highest priority <Response> generated by validation, the final disposition for the message will be JustDelete.

The JustDelete disposition has a corresponding configuration section in the same file. This configuration section controls the disposal actions taken.

[JustDelete]

In this example the configuration section has no directives, so the message is deleted with no further action.

See the AMUcheck section on page 7-97 and the Disposal section on page 7-22 for more details.

There are some example authorisation files provided for each of the mail systems. These can be found in the EXAMPLES directory of the MAILsweeper installation.

Using lexical analysis

You can use lexical analysis to search incoming messages for expressions that frequently appear in junk mail.

For example:

"bargain"              10
"act now"               5
"fabulous"              4
"once in a lifetime"    2
"not to be missed"      4

Depending on the number of expressions found, and their considered importance, the message may or may not be deemed junk and can be dealt with accordingly.

The following example shows how junk mail can be detected and deleted by searching the incoming messages for certain expressions that commonly occur in junk mail.

In VALIDATE.CFG:

[Validation]
F-PROT=VALEXE
FindJunk=VALLEX
ValidateAttributes=VALATTR

[FindJunk]
ExpressionList=C:\MSW\CONFIG\JUNK.LST
100=DeleteJunk

A new instance of the VALLEX validator is created, called FindJunk. It is defined in the [Validation] section and a corresponding [FindJunk] configuration section is created in the body of the file.

The [FindJunk] configuration section specifies the name of the ExpressionList file containing the expressions to be searched for. In this example the file is called JUNK.LST. It also maps numeric values that may be obtained as a result of the search to <Response> values. In this example there is only one mapping, that is, 100=DeleteJunk. This mapping has a numeric value of 100 and a <Response> of DeleteJunk.

The <Response> generated by lexical analysis is determined by a numeric score obtained as a result of the search. In this example:

In MIMESWP.CFG:

[Disposal]
DEFAULTDISPOSAL=Clean
...
DeleteJunk=JustDelete
...
LoadFailure=FailedLoad

Each <Response> used in the [FindJunk] configuration section has a corresponding entry in the [Disposal] configuration section. In this example, there is only one, for the DeleteJunk <Response>. This entry maps the <Response> to a final disposition for the message.

Assuming that DeleteJunk is the highest priority <Response> generated by validation, the final disposition for the message will be JustDelete.

The JustDelete disposition has a corresponding configuration section in the same file. This configuration section controls the disposal actions taken.

[JustDelete]

In this example the configuration section has no directives, so the message is deleted with no further action.

In JUNK.LST (the ExpressionList file):

"bargain"              10
"act now"               8
"fabulous"              5
"once in a lifetime"    5
"not to be missed"      4

This file lists, amongst other information, the expressions to be included in the search.

Each expression is given a numeric value, depending on its considered importance. In this example, the expression "bargain" is considered more important than any of the other expressions when detecting junk mail. It is therefore given the highest value.

Each time an expression is found in the data being searched, the associated numeric value is added to the score generated so far. At the end of the validation a final numeric score is obtained.[2] This score is used to determine the <Response> generated, by comparing it with the entries listed in the [FindJunk] configuration section, as explained on the previous page.

See the VALLEX section on page 7-86 and the Disposal section on page 7-22 for more details.
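The scoring chain described above (ExpressionList weights, the 100=DeleteJunk mapping, then the [Disposal] lookup) can be traced with the following added example, which is not MAILsweeper code and not part of the original manual. It assumes case-insensitive substring matching and that a score at or above a mapped value selects that <Response>; the loading value mentioned in the footnote is not modelled, and the two message bodies are constructed samples.

```python
import re

# The JUNK.LST contents shown on this page.
JUNK_LST = '''
"bargain"              10
"act now"               8
"fabulous"              5
"once in a lifetime"    5
"not to be missed"      4
'''

# Mappings from [FindJunk] and [Disposal] as shown on this page.
FIND_JUNK = {100: "DeleteJunk"}
DISPOSAL = {"DeleteJunk": "JustDelete"}
DEFAULT_DISPOSAL = "Clean"

# Constructed sample message bodies (not from the manual).
JUNK_BODY = "BARGAIN! " * 9 + "Act now, this fabulous offer is not to be missed."
NORMAL_BODY = "The print run was a bargain; please act now on the review."

LINE_RE = re.compile(r'^\s*"([^"]+)"\s+(\d+)\s*$')

def parse_expression_list(text):
    """Return {expression: weight} from lines of the form "expr"  N."""
    weights = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            weights[m.group(1).lower()] = int(m.group(2))
    return weights

def score_message(body, weights):
    """Add an expression's weight once for every occurrence in the body."""
    # Assumption: case-insensitive, whitespace-normalised substring matching.
    text = " ".join(body.lower().split())
    return sum(w * text.count(expr) for expr, w in weights.items())

def response_for(score, thresholds):
    """Assumption: the highest mapped value the score reaches gives the <Response>."""
    reached = [t for t in thresholds if score >= t]
    return thresholds[max(reached)] if reached else None

def disposition_for(body):
    """Return (score, final disposition) for one message body."""
    score = score_message(body, parse_expression_list(JUNK_LST))
    return score, DISPOSAL.get(response_for(score, FIND_JUNK), DEFAULT_DISPOSAL)
```

With these weights a message needs many hits to reach 100, so an ordinary message that happens to contain "bargain" and "act now" scores 18 and keeps the default disposition.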






1 Spam is a registered trademark of a meat product made by Hormel. Use of the term in the Internet community comes from a Monty Python sketch and is almost Internet folklore. Although the term spam is generally meant negatively, this is not in any way intended to reflect upon the Hormel product!

2 A loading value may also be applied when calculating the final score, depending on the value of previously set attributes.

msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.