Eliminating the threat of spam email attacks


Scott Sidel
06.19.2007


Spam isn't just about deposed Nigerian dictators who want to send you millions of dollars. Spam emails often contain malicious code, viruses, phishing attacks, and drive-by Trojans -- not to mention some inappropriate content. One of the best weapons available to defend your systems against spam is the open source software SpamAssassin.

SpamAssassin interacts with the mail server and analyses each email message using multiple methods of detection. Integrity analysis examines mail message headers and bodies to identify the common characteristics of spam. Heuristic rules detect spam messages by testing all content and producing scores for spam and non-spam criteria. The more spam-like elements the system detects, the higher the score, indicating the message is likely spam and should be handled as such.

SpamAssassin consists of two main components: a message filter and a rules engine. The message filter incorporates backend code and the user interface, and performs several tasks -- including reading in messages, parsing them into an internal format and rewriting messages. The rules engine handles the processing of hundreds of rules over the message content. The engine determines the final message score, and whether or not the message should be auto-learned via the Bayesian system and the other rules utilized. Despite the parsing and processing -- using a weighting system to intelligently determine if a message should be considered spam -- SpamAssassin is amazingly fast, handling thousands of messages with ease.

SpamAssassin also uses internally generated blacklists and whitelists from external sources, providing for known bad and good mail handling. The "AutoWhiteList" feature adds intelligence by dynamically adjusting the whitelist based on history. For instance, if a sender typically sends non-spam emails, and then happens to send a message that looks like spam, SpamAssassin uses its history report to move the message score back toward a non-spam average -- adjusting the overall spam rating to compensate for the message being sent by a known sender.
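The weighted scoring and the AutoWhiteList adjustment described above can be modelled in a few lines. This is an added example, not SpamAssassin's own code: the rule names, weights and sample message are constructed, while the 5.0 threshold and 0.5 factor are SpamAssassin's defaults for `required_score` and `auto_whitelist_factor`.

```python
import re
from email import message_from_string

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score
AWL_FACTOR = 0.5      # SpamAssassin's default auto_whitelist_factor

# Constructed rules (hypothetical names and weights, not SpamAssassin's rule set):
# (name, header name or "body", pattern, score). A None pattern fires when the
# header is absent; a negative score is a non-spam criterion.
RULES = [
    ("EX_SUBJ_ALL_CAPS", "Subject", re.compile(r"^[^a-z]{10,}$"), 1.5),
    ("EX_MISSING_DATE", "Date", None, 1.0),
    ("EX_BODY_MILLIONS", "body", re.compile(r"million\s+dollars", re.I), 2.5),
    ("EX_BODY_URGENT", "body", re.compile(r"\burgent\b", re.I), 1.0),
    ("EX_IS_REPLY", "In-Reply-To", re.compile(r"<.+>"), -1.0),
]

def score_message(raw):
    """Run every rule over the parsed message; return (total, rule names hit)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    total, hits = 0.0, []
    for name, part, pattern, score in RULES:
        text = body if part == "body" else msg.get(part)
        if pattern is None:
            fired = text is None
        else:
            fired = text is not None and pattern.search(text) is not None
        if fired:
            total += score
            hits.append(name)
    return total, hits

class AutoWhitelist:
    """Per-sender score history; pulls a new score toward the sender's mean."""
    def __init__(self):
        self.history = {}  # sender -> (sum of raw scores, message count)

    def adjust(self, sender, score):
        total, count = self.history.get(sender, (0.0, 0))
        final = score + (total / count - score) * AWL_FACTOR if count else score
        self.history[sender] = (total + score, count + 1)  # store the raw score
        return final

# Constructed sample message (no Date header, shouting subject, scam wording).
SAMPLE = ("From: alice@example.com\nSubject: URGENT TRANSFER REQUEST\n\n"
          "I need your urgent help moving ten million dollars.\n")

def is_spam(score):
    return score >= REQUIRED_SCORE
```

This sketch keys history on the sender address alone; SpamAssassin's AutoWhiteList also ties each entry to the originating network, because a From header by itself is easy to forge.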

Content filtering identifies key words or phrases, including purposefully transcoded and obfuscated URLs. DNS block-lists, which are available on the Internet, allow SpamAssassin to block known spam senders. SpamAssassin also makes use of third-party plug-ins. For example, in a prior article I noted that Clam AntiVirus can provide SpamAssassin input if a message contains a virus, adding to SpamAssassin's weighted spam score.

SpamAssassin is available for Linux, Windows and Mac OS X platforms. If you run a mail server, you shouldn't do it without SpamAssassin.

About the author:
Scott Sidel is an Information Systems Security Officer (ISSO) at Lockheed Martin.
