Ask the Expert

Will using whitelists and blacklists effectively stop spam?

We use an IronPort device on our perimeter, and we check email content for viruses and spam. A part of our organization insists on using global whitelisting to bypass quarantine procedures. This, however, seems like a security risk, since it will expose IP addresses and lead to IP spoofing. Are we correct in our assumptions?

    Requires Free Membership to View

Blacklists and whitelists are very blunt instruments with which to combat spam or malicious emails. Creating either list is time-consuming, but a white-listed sender's system, in particular, can easily be compromised. Should this happen, your email system would allow spam from the mail server until the sender from the whitelist is removed. Does the department in your organization know for sure that the newsletters would actually be stopped by IronPort? It would be worth testing. Also, if the messages are quarantined, it is just a matter of approving any newsletters that are genuine and allowing them to be forwarded to the intended recipient, a minor inconvenience if compared to allowing exceptions to your mail security policy. If one department can force an exception, others are bound to try and follow suit.

IronPort is certainly a leading email security device. I like IronPort's C-Series mail gateways, which use Bounce Address Tag Validation (BATV). One spam attack that IronPort prevents is known as "joe-job," or a misdirected bounce attack. To execute this attack, a spammer sends emails with the intended recipient's address spoofed as the return address. This causes mail systems to inadvertently bounce the spam to the real victim. Bounce Address Tag Validation safeguards outgoing mail, adding an encrypted verification check to the SMTP FROM: field that makes it easier to distinguish between real addresses and fake bounced ones. What's great about this type of verification is that, unlike other email authentication technologies, it can be effective, even if other mail servers are not required to adopt it.

While I can't speak to your concerns about exposing IP addresses, it may help to know that each mail server that processes a message inserts a Received: header at the top of its list. The header includes the sender's IP address and provides a continuous track of a message's route. So, even if the sender uses a false email address when contacting the receiving server, modern mail transfer programs record the correct IP address of the sender. Thus an email message's "Received:" headers show how it has been routed to its destination. The IP address of the sender is more or less the only part of an email message that cannot be faked. It is next to impossible to spoof the IP address for the duration of the SMTP conversation. This is why IP addresses are a key component in combating antispam efforts and identifying known bad or good senders.

More information:

  • Learn how to stop spam from ruining your mailing lists.
  • Read about spammers' latest technique: image spam.
  • This was first published in December 2006

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: