Today was an unwanted day of tinkering with and explaining spam defenses. Spam comes in many formats. The two that affect me the most are email spam and comment spam.
Email Spam
At the office, I have many layers of spam defenses. One of those layers are DNSBLs. DNS Stuff maintains a list of roughly 275 block lists that are used to publish lists of IP addresses linked to spamming.
When a message is sent to a @lambdachi.org address, our server first asks 10 of these 275 DNSBLs if they consider the sending computer is recently a source of spam. If so, the message gets blocked before ever reaching the next level of spam filtering.
Up until the last few weeks, the DNSBLs Lambda Chi Alpha uses have done wonders in keeping the bad guys at bay. But recently, our IT department has received an increase of staff and members reporting their frustrations of being blocked (called false positives).
Educating our members and our staff about why they might get blocked has led to this posting earlier this week, along with taking the time to respond to each user’s concerns.
My concern is that as spammers increase their use of botnets (a collection of compromised computers spewing out spam), DNSBLs will lose their effectiveness because they will end up blocking legitimate users.
The consumer Internet service providers like Comcast, Bellsouth, and Earthlink provide services for thousands of computers they have little control over. When just one of their customer’s computers becomes infected by a botnet and starts spewing out spam, the DNSBLs block the ISPs IP address, which ends up blocking the rest of their clients from accessing our mail server.
The more DNSBLs block legitimate users, the less reliable they become. Sure, they keep the spammers at bay but at the cost of blocking good guys too. If the consumer ISPs did a better job of cleaning up their own networks and blocking their customers who appear to be infected by a botnet, then we’d all be better off.
Comment Spam
Last week, “whoo” of village-idiot.org released a WordPress plugin called wp-spamhaus. Comment spam is just as big of a problem as email spam. In the past 12 months, I’ve removed more than 15,000 unwanted comments from this site alone.
Whoo’s plugin first checks Spamhaus, a leading DNSBL provider, if the IP address of the computer requesting access to a website is listed as a source of spam. Instead of blocking email spam, her plugin migrates the block to website access. If the spammer can’t view your website, they can’t leave behind comment spam.
It’s another nice layer to add to comment spam defenses, but may also fall plague to the botnets and false positives.
Users don’t like it when their email gets blocked or if they can’t access a website. It doesn’t matter if their own computer is compromised and infected with a botnet, or if their neighbor’s computer is, they don’t understand and may even take it personal.
The saddest thing about botnets and DNSBLs is that the machines spammers use to attack your network are the very same machines your users use to access your network. By blocking the bad guys, you also keep out the good.