Blocking spam is an arms race between spam detection and detection avoidance techniques. Lately spammers have had the upper hand, but the tide has turned with new PTR record blocking techniques. This is how implementing PTR record filtering has reduced our spam to nearly zero.
There are two general methods of detecting and blocking spam: IP address blacklists and content analysis. Unfortunately, spammers long ago learned how to exploit the weaknesses of both. Exploiting content analysis was fairly easy. Ever received image-based spam, or wondered why spam messages contain random sentences? These techniques are very effective at avoiding detection and at poisoning spam keyword detection databases.
Circumventing IP blacklists was a tougher challenge. Spammers found the perfect way to stay ahead of the blacklists: Windows’ weak security and the growth of broadband adoption in the home. Millions of unprotected computers connected to the Internet were waiting to be exploited as spam machines. Automated exploit propagation allowed spammers to add zombies faster than system admins could blacklist them. Combined with excellent content filtering circumvention, spammers had the spam equivalent of a nuclear bomb.
PTR record filtering, a new technique, has proven to be an effective defense against the horde of spam zombies. A PTR record is a reverse DNS entry, resolving an IP address to a host name. PTR filtering works by blocking messages coming from host names that match a specific pattern. This has a huge advantage over traditional blacklists because a single pattern can match thousands of IP addresses. In contrast, a blacklist requires a person to add each individual IP address separately.
Let’s take a look at a real world example. I recently added PTR record filtering to Sutton’s spam firewalls. This simple regular expression “X-Barracuda-Connect: s\d+.*.*shawcable.net...” matches all of Shaw’s home cable connections. In 24 hours it blocked 730 spam messages that would have slipped past the traditional filters. By expanding the list to include patterns for other cable and DSL networks, more than 19,000 false negatives were blocked.
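As an added illustration (not the post’s own code or Barracuda’s), here is a minimal Python version of the pattern match. The Shaw pattern is the post’s regular expression with its dots escaped and anchored; the two other pools, the “host[ip]” layout of the X-Barracuda-Connect header and the sample PTR names are constructed assumptions, and a PTR that does not resolve is only tagged rather than blocked.

```python
import re
import socket
from collections import Counter

# Reverse-DNS patterns for consumer broadband pools. The Shaw pattern is the
# post's, with escaped dots and anchors; the other two are constructed
# placeholders standing in for "other cable and DSL networks".
CONSUMER_PTR_PATTERNS = {
    "shaw-cable": re.compile(r"^s\d+.*\.shawcable\.net\.?$", re.I),
    "example-dsl": re.compile(r"\.dsl\.example-isp\.net\.?$", re.I),            # constructed
    "example-dyn": re.compile(r"^dyn-\d+-\d+-\d+-\d+\.example\.org\.?$", re.I),  # constructed
}

# Assumed header shape "X-Barracuda-Connect: host[ip]"; the post only shows the prefix.
_CONNECT_RE = re.compile(r"^X-Barracuda-Connect:\s*(\S+?)\[(\d+\.\d+\.\d+\.\d+)\]", re.I | re.M)

def ptr_from_headers(raw_headers):
    """Extract (ptr_name, ip) from the connect header, or (None, None) if absent."""
    m = _CONNECT_RE.search(raw_headers)
    return (m.group(1), m.group(2)) if m else (None, None)

def lookup_ptr(ip):
    """Live reverse lookup; None when the PTR is missing or resolution fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def classify(ptr_name):
    """('block', pool) for a consumer-pool PTR; ('tag', None) when the PTR is
    unresolvable, since lookups fail for good servers too and the message
    should only be marked for user-level filtering; else ('accept', None)."""
    if not ptr_name:
        return ("tag", None)
    for pool, pat in CONSUMER_PTR_PATTERNS.items():
        if pat.search(ptr_name):
            return ("block", pool)
    return ("accept", None)

def tally(ptr_names):
    """Count verdicts over a batch of PTR names, e.g. a day's connection log."""
    return Counter(classify(n)[0] for n in ptr_names)

# Constructed sample: three consumer-pool hosts, one ordinary MX, one with no PTR.
SAMPLE_PTRS = [
    "s0106001122334455.vc.shawcable.net",
    "s01060011aabbccdd.cg.shawcable.net",
    "host-1-2-3-4.dsl.example-isp.net",
    "mail.example.com",
    None,
]

if __name__ == "__main__":
    print(tally(SAMPLE_PTRS))  # Counter({'block': 3, 'accept': 1, 'tag': 1})
```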
Let me put that in perspective:
- We average about 400K to 500K emails entering our system daily (spam, ham, viruses, etc).
- Before PTR record filtering, approximately 40K to 50K were allowed through daily.
- After, the number of allowed messages dropped between 20K and 30K a day.
- That is approximately a 40% to 50% reduction. That is huge.
As amazing as the results are, they are still far from perfect. The current Barracuda firmware (3.4.10.087) has problems correctly resolving PTR records every so often. This is a major bug in their software, and when it is fixed it will only make PTR based blocking that much more effective. Unfortunately this bug also affects the good servers, so I can’t even tag messages with [BULK] for user level filtering.
With such a huge drop in allowed messages, false positives are also a big concern. In my testing I haven’t seen any. There is a risk of blocking people legitimately using their consumer level broadband to send email. In my data I found this to be very rare. The amount of spam coming from zombie machines is so high that the trade-off is still worth it. People who are savvy enough to run their own mail relay at home should hopefully be savvy enough to figure out why their emails are getting blocked, especially as PTR record blocking becomes more popular.
I’ve uploaded two CSV files containing the data exported from our firewall. The first contains info on all 19,000+ spams blocked by PTR filtering in the past 24 hours and the second contains the 730 blocked from Shaw. These should be useful if you’re curious about running your own analysis on the data.
While it may be the holy grail of spam filters it causes no end of trouble to little guys like me who have to explain to their ISP’s help desk that setting up the PTR record is their job.
Since I wrote the entry I’ve stopped using PTR filtering. While it works out quite well it was way too much management work. I leave it to the Barracuda team and the DNS blackhole lists.
While it doesn’t catch as much of the spam, it is still quite effective.
I’m an ISP that cooked up my own home grown solution. There are some techniques and strategies on my website that may be of help.
This is not really a valid anti-spam technique since you catch too much valid email with the spam. Small businesses rely on their ISPs to set up the reverse DNS pointers correctly, and few ISPs have the technical chops to pull this off. If you doubt this, just call your ISP and ask them to configure the reverse DNS for your domain name and their IP address. Ask them to set up more than one for any given IP, and they’ll generally refuse.
Add to that the fact that many Mom and Pops work out of their homes using dynamic IPs and you have a real user nightmare.
This technique reduces spam because it blocks ALL email from non-matched sources. Just because the majority of email happens to be spam, doesn’t make it a legitimate methodology. It’s like bombing Detroit to reduce its crime rate. Sure the crime is reduced when the city is a pile of rubble, but you’ve missed the point … you’ve just made the city useless.
Harold,
Using PTR filtering as part of a multi-phase solution is actually quite effective. It depends though.
It is rare that a valid email address would come from a dial up or home ISP connection from a foreign country for us. So part of the solution would be to scrutinize these emails more, rather than dropping them completely.
The big ISPs (Shaw, Telus) here are blocking outgoing port 25. This has pretty much killed the amount of spam coming from zombied machines on home ISPs.
I think it is inexcusable for an ISP (regardless of size) to not know how to set up a PTR record for their mail systems.
Interesting dialog. I have written my own software that could implement the technique if you choose, but I have not found it necessary. I have virtually eliminated all spam from even getting to my mail server. I’m presently blocking over 99% of all incoming connections and false positives have been very manageable. http://www.SpamDike.com