How Spammers Fool Spam Blacklists - And How to Stop Them

Effectively stopping spam over the long-term requires much more than blocking individual IP addresses and creating rules based on keywords that spammers typically use. The increasing sophistication of spam tools coupled with the increasing number of spammers in the wild has created a hyper-evolution in the variety and volume of spam. The old ways of blocking the bad guys just don’t work anymore.

Examining spam and spam-blocking technology can illuminate how this evolution is taking place and what can be done to combat spam and reclaim e-mail as the efficient, effective communication tool it was intended to be.

One method used to combat spam is blacklisting. The goal of blacklisting is to force Internet Service Providers (ISPs) to crack-down on customers who send spam. A blacklisted ISP is blocked from sending email to organizations. When an ISP is blacklisted, they are provided with a list of actions they must take in order to be removed from the blacklist. This controversial method blocks not just the spammers, but all of the ISP’s customers. Blacklisting is generally considered an unfriendly approach to stopping spam because the users most affected by the blacklist are email users who do not send spam. Many argue blacklisting actually damages the utility of email more than it helps stop spam since the potential for blocking legitimate email is so high.

In addition to the ethical considerations, there are other problems with blacklists. Many blacklists are not updated frequently enough to maintain effectiveness. Some blacklist administrators are irresponsible in that they immediately block suspect servers without thoroughly investigating complaints or giving the ISP time to respond. Another downside is that blacklists are not accurate enough to catch all spam. Only about half of servers used by spammers, regardless of how diligent the blacklist administrator may be, are ever cataloged in a given blacklist.

Blacklists are used because they can be partially effective against spammers who repeatedly use the same ISP or email account to send spam. However, because spammers often change ISPs, re-route email and hijack legitimate servers, the spammer is a moving target. Blacklist administrators are forced to constantly revise lists, and the lag-time between when a spammer begins using a given server and when the blacklist administrator is able to identify the new spam source and add it to the blacklist allows spammers to send hundreds of millions of emails. Spammers consider this constant state of flux a part of doing business and are constantly looking for new servers to send spam messages.

When used individually, each anti-spam technique has been systematically overcome by spammers. Blacklists have some utility in stopping known spammers, but they may also block valid emails. Because of their limitations, blacklist data should only be used in conjunction with other sources to determine if a given message is spam. Grandiose plans to rid the world of spam, such as charging a penny for each e-mail received or forcing servers to solve mathematical problems before delivering e-mail, have been proposed with few results. These schemes are not realistic and would require a large percentage of the population to adopt the same anti-spam method in order to be effective.

The Solution
Reputation systems offer a comprehensive anti spam solution by dynamically updating black and whitelists based on sender behavior. These systems also automatically update and score messages thereby removing the burden from administrators. Today’s spammers are more clever than ever, so today’s reputation systems must be equally sophisticated. An effective reputation system must be dynamic, comprehensive, precise, and based on actual enterprise mail traffic in order to keep the spammers from gaining any advantage. You can learn more about the fight against spam by visiting our website at www.ciphertrust.com and downloading our whitepapers.