Edmund A. Hajim School of Engineering and Applied Sciences

Blocking SPAM on HSEAS Hosts

Introduction

SPAM has become an increasingly annoying problem for many members of HSEAS. For some people, SPAM represents the majority of their email. SPAM is a problem in many ways; it not only wastes our time and offends (in some cases) our sensibilities, but also endangers our computers and network. SPAM is often used as a transport mechanism to introduce viruses, Trojan horses, and worms. While these most often affect systems running Windows, Macintoshes are not immune, and damage to a UNIX host is conceivable (although less likely due to partitioning of privileges).

The rest of this document describes what SPAM protection we can offer as system administrators, and what you can do to further protect yourself. As an historical aside, we no longer offer SpamAssassin service; it was a good tool, but was a very heavy hit on the performance of the mail server. It is very important that you read the short section on work habits.

System level protection

Our mail transport programs are set up to provide some SPAM protection. First, we are configured not to allow arbitrary hosts to use our servers as mail relays. This prevents our systems from being used by Spammers to send SPAM to any arbitrary email address. Unfortunately, it doesn't protect us from Spammers forging a valid local address and sending spam to other local addresses (which may redirect their mail to off-site addresses). It is also the reason you cannot use our mail servers from home for sending to all addresses (you can send to local addresses only).

Additionally, our mail servers can be told to either discard or reject any mail from certain addresses. While this sounds good, it is really of limited usefulness; the blocking is an all-or-nothing type of filter, and thus if we block a host, then no mail from that host can get through. Since Spammers come from common sites (e.g., yahoo.com, hotmail.com, earthlink.com, etc.) that conduct a lot of legitimate mail transactions with us, we cannot block those addresses. Also, Spammers tend to move their source address frequently; as soon as we block one address or host, the Spammer switches to another, so we're always playing a game of catch-up.
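The two server-side controls described above (relay restriction and sender blocking) can be modeled in a few lines. This is an added example, not the configuration of the HSEAS mail servers; the function names (decide, domain_of, demo), the network range, the domain names and the block list entries are all constructed for illustration.

```python
import ipaddress

# All values below are constructed for illustration (RFC 5737 / RFC 2606 ranges).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed on-campus range
LOCAL_DOMAINS = {"dept.example.edu"}                  # assumed local mail domain
BLOCKED = {"bulk.example.net": "REJECT",              # block a whole sending domain
           "offers@mail.example.org": "DISCARD"}      # block a single address


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def decide(client_ip, mail_from, rcpt_to):
    """Return (action, reason) for one envelope recipient."""
    sender = mail_from.lower()
    # Sender block list: matches the full address or its domain, nothing finer.
    for key in (sender, domain_of(sender)):
        if key in BLOCKED:
            return BLOCKED[key], "sender blocked: " + key
    ip = ipaddress.ip_address(client_ip)
    client_is_local = any(ip in net for net in LOCAL_NETS)
    rcpt_is_local = domain_of(rcpt_to) in LOCAL_DOMAINS
    # Relay rule: outside clients may only deliver to local recipients.
    if not client_is_local and not rcpt_is_local:
        return "REJECT", "relay denied"
    if client_is_local:
        return "ACCEPT", "local client"
    # The envelope sender is unauthenticated, so a message from an outside
    # host that claims a local sender passes the relay rule like any other.
    return "ACCEPT", "local recipient"


def demo():
    cases = [
        ("192.0.2.10", "alice@dept.example.edu", "friend@example.com"),
        ("203.0.113.5", "alice@dept.example.edu", "friend@example.com"),
        ("203.0.113.5", "alice@dept.example.edu", "bob@dept.example.edu"),
        ("203.0.113.5", "news@bulk.example.net", "bob@dept.example.edu"),
        ("203.0.113.5", "offers@mail.example.org", "bob@dept.example.edu"),
        ("203.0.113.5", "colleague@mail.example.org", "bob@dept.example.edu"),
    ]
    return [decide(*c) for c in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second case is the "sending from home" situation: an outside client addressing an off-site recipient is refused. The third case shows the limitation noted above, since the relay rule looks only at where the connection comes from and where the mail is going, not at whether the sender address is genuine.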

In mid-2004 we purchased a SPAM appliance, and consolidated our email services onto a single server. All inbound mail passes through the SPAM appliance before it is (possibly) delivered. Is this effective? Yes, indeed. We have very few false positives (good mail tagged as SPAM), and have found that on any given day, between 80 and 97% of all incoming mail is either SPAM or virus-infected. If you're curious, go to the Reports section of our web site to see the results of the SPAM filtering.

IMPORTANT! If you think that mail you have expected has been blocked incorrectly, contact problem@seas.rochesester.edu

Personal protection

There are SPAM-Blockers - programs that work with your email client program (e.g., Eudora, Outlook) like antivirus or spyware blockers. Make sure any such product you plan to purchase will work with your preferred mail program. All the filtering takes place on your local system. These products may work well (or not), and of course have the same issues regarding false negatives and false positives as does any such product.

Always have a good up-to-date antivirus program on your PC or Mac. The UR offers Trend Micro antivirus at this time for about $5-7 per year per host - an incredible bargain. Symantec/Norton is also excellent, albeit a little more costly. We recommend Trend for Windows, and Symantec for MacOS. Trend should automatically keep itself up-to-date, both software and virus definitions. Symantec can be scheduled to do a "Live Update" of software and definitions on a weekly basis. However, the system must be up and running at the scheduled time for this to work. We had to work on virus-infected hosts that had Symantec protection, but had scheduled the update for 3am - at which time that system was never on, and thus the virus definitions were months out of date (and there are about 1000-2000 new viruses appearing every month). Antivirus won't protect you directly from SPAM, but it can ameliorate the effects of Trojans and viruses in SPAM, and may protect you against some of the viruses and Trojans that harvest addresses and other information from your system.

As of June, 2006, the University of Rochester is dropping Trend Micro in favor of the Sophos product line. The Sophos antivirus products are very good, and it will be easy to upgrade from Trend or Symantec. Sophos also offers protection for Windows, MacOS, and several flavors of Linux.

In addition, the free version of Grisoft's AVG antivirus software is very good, and might be a good choice for home systems and laptops running Windows.

Work Habits

Many people ask why they have been targeted for SPAM. The usual answer is that your address has been harvested. How has it been harvested? Your address can be harvested from many places.

Last modified: Thursday, 07-Apr-2011 09:22:52 EDT