To Deal With Spam: Part
1 | Part 2
Contributor: Andrew Ward
The second part of Andrew Ward's informative article
about the world of Spam (unsolicited email).
Heading For Trouble
Understanding headers can be a complex process since
it involves unpicking
them to find out where the mail originated - there
will be false trails and
unresolvable hosts. The overall objective is to identify
the abuse departments of the relevant ISPs and organisations
- usually, contactable via abuse@domain - and send
them details of the spam and a request to disconnect
the user or Web site.
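The header-unpicking step described above, as an added example that is not part of the original article. The message, host names and addresses are constructed from reserved documentation values, and `mx.example.org` stands in for your own mail server.

```python
import re
from email import message_from_string

# Constructed sample: every name and address is a reserved documentation value.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.25])
    by mx.example.org with ESMTP id A1; Mon, 4 Mar 2002 10:00:03 +0000
Received: from mail.bank.example ([203.0.113.77])
    by relay.example.net with SMTP id B2; Mon, 4 Mar 2002 10:00:01 +0000
Received: from localhost (trusted.example.com [198.51.100.9])
    by mail.bank.example with SMTP id C3; Mon, 4 Mar 2002 09:59:00 +0000
From: offers@bank.example
Subject: constructed test message

body
"""

# "from HELO (rdns [ip]) by receiver"; the rDNS name is absent when the
# receiving server could not resolve the connecting address.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def hops(raw):
    """Return the Received hops newest-first as dicts (helo, rdns, ip, by)."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groupdict() for m in map(HOP.search, values) if m]

def trace(raw, our_servers):
    """Split the chain at the hop where mail entered a server we run.

    Only that hop's peer IP was observed first-hand; every older hop is a
    claim written by someone else and may be a false trail.
    """
    chain = hops(raw)
    verified = next((h for h in chain if h["by"].lower() in our_servers
                     and (h["rdns"] or "").lower() not in our_servers), None)
    older = chain[chain.index(verified) + 1:] if verified else chain
    notes = []
    for h in older:
        if h["rdns"] in (None, "unknown"):
            notes.append(f"{h['ip']}: no reverse DNS recorded (unresolvable host)")
        elif h["helo"].lower() != h["rdns"].lower():
            notes.append(f"{h['ip']}: HELO {h['helo']} != rDNS {h['rdns']}")
    return {"handoff_ip": verified["ip"] if verified else None,
            "unverified": [h["ip"] for h in older], "notes": notes}
```

The owner of `handoff_ip` is the party whose abuse desk can be contacted with confidence; the unverified hops need manual confirmation before any complaint is sent about them.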
Sometimes the message sent in these circumstances
is (incorrectly) referred to as a LART (Luser Attitude
Readjustment Tool), a fictional Unix command used
to disable or kill the account of a misbehaving user
(formed from loser + user). However, reading the headers
manually and then looking up the relevant hosts and
their owners can be a tedious process. If the only
intention is to report the spam, rather than garner
the sending host and mail server information to include
in filters, then there are automated tools on the
Internet to complete this task. One of the best, and
easiest to use, is http://www.spamcop.net.
Alternatively, messages with full headers can be forwarded
However, the utmost care should be taken when using
automated tools such as SpamCop. If an ISP receives
a complaint about an entirely innocent party then
abuse complaints won't be taken so seriously in future.
The results that SpamCop produces should therefore be
carefully inspected before issuing the complaints.
Note too that SpamCop, being an automated tool, isn’t
perfect. Sometimes it can fail to detect the originating
mail host, and manual work will be necessary to track
it down. You'll find some information
on deciphering message headers at http://spam.abuse.net.
If you require more detailed reference works, these
can be found at the following Web sites:
Remove Spam-Friendly Features
Early mail servers were configured in such a way that
anyone outside an organisation could use them to relay
mail, thereby helping to conceal the origins of spam.
Instructions for configuring sendmail to close open
relays, and other measures to help prevent spam, are
Use External Services
there are details of the RBL (MAPS Realtime Blackhole
List), DUL (MAPS Dial-Up List) and RSS (MAPS Relay
Spam Stopper). These are intended for use by ISPs
and corporate network administrators to block mail
from blacklisted sites, sent directly from dial-up
IP addresses, and from open mail relays, respectively.
The MAPS (Mail Abuse Prevention System) site contains
details on how to use these tools with various different
The RBL works by creating deliberate network outages.
If spam originates from a traceable IP address, and
after persistent complaints the ISP has failed to
take the appropriate action, then the ISP may find
some or all of its IP addresses added to the RBL.
Organisations using the RBL can then choose to refuse
to accept mail from those IP addresses, or to take
whatever action is consistent with local site security
policies. Some administrators reject all mail coming
from such sites, and some will also direct any traffic
destined for such hosts to a local black hole.
Note that use of the RBL (and DUL and RSS) may result
in complaints from users that they can no longer receive
mail from certain domains, so this rather drastic
solution should be used with caution. Both the DUL
and RSS are excellent means of cutting down on spam,
and can be used in conjunction with the RBL or on
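How a mail gateway can consult lists of this kind and apply a cautious local policy, as an added example that is not part of the original article. It uses the usual DNS blocklist query convention (reversed IPv4 octets under the list's zone); the zone names are placeholders, and the reject/hold policy is an assumption chosen to reflect the caution advised above.

```python
import socket
from ipaddress import ip_address

# Placeholder zones: substitute the names published by the list operator.
ZONES = {"RBL": "rbl.example", "DUL": "dul.example", "RSS": "rss.example"}

# Assumed local policy: refuse blacklisted sites, hold the rest for review.
DEFAULT_POLICY = {"RBL": "reject", "DUL": "hold", "RSS": "hold"}

def query_name(ip, zone):
    """Reverse the IPv4 octets and append the list zone."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """True when the name resolves, which means the address is listed.

    A lookup failure of any kind counts as "not listed", so a DNS outage
    lets mail through instead of blocking it.
    """
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def check(ip, resolver=system_resolver, policy=DEFAULT_POLICY):
    """Return (lists the IP appears on, strictest action the policy demands)."""
    listed = [name for name, zone in ZONES.items()
              if resolver(query_name(ip, zone))]
    actions = {policy[name] for name in listed}
    if "reject" in actions:
        return listed, "reject"
    return listed, "hold" if actions else "accept"
```

Passing a stub `resolver` makes the policy testable without touching DNS.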
Use Filtering Services
Spam prevention services use a number of different
techniques. Filtering is not totally effective because
virtually all spammers except the most stupid design
their messages to overcome filters, but it can bring
about a noticeable reduction in the amount of spam
received. Of course, the drawback of an external service
is that yet another provider is inserted in the path
of incoming mail, which can only increase delays and
outages. One service overcomes these problems. Brightmail
installs a dedicated server at the customer premises
that works in conjunction with the existing mail server.
The Brightmail Server houses the collection of rules
that filter spam, and these are updated at frequent
There are also filtering services available for personal
use, for example at
Similar sites are http://www.spamkiller.com
and also http://spamcop.net.
Some filtering services, such as that operated by
SpamCop, optionally allow the user to reject all mail
that doesn’t come from a pre-approved sender.
Install Filtering Systems
Filtering can be carried out in two ways - either
at a point between the Internet connection router
and the mail server, or within the server itself.
The gateway solution prevents the spam from being
transported and housed in the internal network at
all, but the mail server solution doesn’t require
any additional hardware and provides a central point
of management for mail services. Another option is
to configure the Internet router itself to ignore
mail from IP number blocks that appear in the RBL
so the traffic never enters the network at all.
Add-on spam filters available include Spam Assassin
http://spamassassin.taint.org, Mail Marshal from
and MAILsweeper from Baltimore Technologies (http://www.mimesweeper.com).
In addition, mail servers can themselves be configured
to filter out spam. For example, Sendmail 8.9 and
later versions have built-in anti-spam rules, filtering,
and the ability to block known spammers and unresolvable
hosts. These and other features are explained in some
detail on the Sendmail Web site. New versions are
detailed at http://www.sendmail.org/.
One user reported that working over 13,051 email messages,
Spam Assassin - which identifies spam using text analysis
- failed to correctly identify eight out of 253 spam
messages, and also reported 12 false positives. Because
any filtering tool might sometimes report false positives
- that is, report a message as spam when it isn’t
- it is important that mail identified as spam is
not simply deleted. Instead it should be
put into a holding area where it can be manually inspected
by an administrator and forwarded if appropriate.
Alternatively, some schemes - such as Brightmail’s
- allow individual users to inspect their own “gray
mail” for false positives.
Mail Marshal works by filtering on content, using
the MAPS RBL, and domain
blocking using domains specified by the network administrator.
The Spam Manager and Spoof notifier within MAILsweeper
work by content filtering and detection of email that
originates from a source other than the apparent sender,
This article by Andrew Ward first appeared as a
guide at Tech Support Alert. In addition to
a well respected computer technology bi-monthly
newsletter, Ian 'Gizmo' Richards, editor of
provides many useful guides on his site that
delve into many technical issues relating
AbleStable © 2002-2007