Blocking Spam at the Source

Canal lock blocking water

Published September 2013

By Rick Lesniak

Keeping spam at bay is a never-ending progression of checks and balances. For a long time, UB’s Central email system administrators used firewalls, spam identification engines and enterprise level anti-virus software to protect the email system. This level of protection afforded UB the delicate balance between openness, typical of colleges and universities, and closing our systems to unauthorized use.

Over time, people with malicious intent figured out ways around these barriers. In response, system administrators began closing the doors through a series of technology measures that increasingly required proof of identity. These measures, including shutting down open email relays on campus and requiring password authentication to send email through UB’s Central email system, have blocked the growing tide of spam that could—without warning—choke our campus networks.

But what if the spam comes from what seem to be legitimate sources? The increasing sophistication of phishing emails puts UB’s Central email systems at risk through the unwitting release of legitimate UBITNames and passwords by those who share their credentials. Using those credentials, spammers outside our network can appear to be UB members making legitimate requests. (As an aside, I’ve heard IT staff debating whether an email was a phish or legit, so it’s not just the hapless being duped.)

Anti-spam, anti-virus, anti-phishing—these are all reactive measures that require identifying the “vector” and pushing out prevention definitions to update our safeguards. Even if that takes only a few minutes, it is enough time for the infestation to plant itself in the system and for credentials to be stolen. Just seconds later, those credentials are being used to send huge volumes of what masquerades as legitimate email coming from “one of us” on our own network, hogging huge amounts of network bandwidth and potentially UB’s entire Internet connection.

“The key is to stop spammers at the source,” says Saira Hasnain, CIT Director of Enterprise Infrastructure Services (EIS). 

When asked to describe the “source,” Saira talks about areas “out there” on the net—computers and networks—that are linked to spamming. Since 1997, Real-time Blackhole Lists, or RBLs, have been used by the Internet community to keep track of these areas so that Internet Service Providers, like UB, can refuse to accept their requests. This doesn’t come without controversy, however, since RBLs block all email from a listed IP address, legitimate or not. Central email system admins have enabled RBLs at our email front door; if the email comes from a Blackhole, the front door stays locked.
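The front-door check described above, written out as an added example (this is not code from the original article or from UB’s own mail system). A blackhole list is published as a DNS zone: the connecting client’s IPv4 octets are reversed, the list’s zone name is appended, and an answer inside 127.0.0.0/8 means “listed”, while NXDOMAIN means “not listed”. The zone name `dnsbl.example`, the listing table, the allowlist and the sample addresses are all constructed for the demonstration; the `live_resolver` function shows where a real lookup would go. The allowlist is there for the controversy the text mentions: a listing covers every sender behind an address, so a known-good relay needs an override.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Assumed zone name for the blackhole list; a real deployment configures the
# list(s) it actually subscribes to.
DNSBL_ZONE = "dnsbl.example"

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Query the system resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answers standing in for a real list. Listed names resolve to an
# address in 127.0.0.0/8 (the conventional DNSBL answer space); anything absent
# here is treated as NXDOMAIN, i.e. not listed. 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges, not real senders.
FAKE_LISTINGS: Dict[str, str] = {
    dnsbl_query_name("192.0.2.10"): "127.0.0.2",
    dnsbl_query_name("192.0.2.11"): "127.0.0.2",
    dnsbl_query_name("198.51.100.7"): "127.0.0.2",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_LISTINGS.get(name)


def is_listed(ip: str, resolver: Resolver = fake_resolver, zone: str = DNSBL_ZONE) -> bool:
    """True when the list answers for this address with a 127.0.0.0/8 record."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    # An answer outside 127/8 usually means a wildcarded or expired zone;
    # treating it as "listed" would reject every sender, so it counts as unlisted.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Constructed exception list: relays known to be legitimate even if a blackhole
# list happens to include their address.
ALLOWLIST = [ipaddress.IPv4Network("198.51.100.0/24")]


def front_door_decision(client_ip: str, resolver: Resolver = fake_resolver) -> str:
    """Decide at connection time, before any message is queued or scanned."""
    addr = ipaddress.IPv4Address(client_ip)
    if any(addr in net for net in ALLOWLIST):
        return "accept"          # the allowlist wins over a blackhole listing
    if is_listed(client_ip, resolver):
        return "reject"          # SMTP 5xx at the door; nothing to process later
    return "accept"


def triage(client_ips, resolver: Resolver = fake_resolver) -> Dict[str, int]:
    """Count decisions over a batch of connecting addresses."""
    counts = {"accept": 0, "reject": 0}
    for ip in client_ips:
        counts[front_door_decision(ip, resolver)] += 1
    return counts


if __name__ == "__main__":
    # Constructed connection log: two listed spam sources, one listed but
    # allowlisted relay, and one clean sender.
    sample = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.5"]
    for ip in sample:
        print(ip, "->", front_door_decision(ip))
    print(triage(sample))
```

The decision is made on the connecting address alone, before any message content exists, which is exactly why a listed address is cheap to refuse and why a legitimate sender sharing that address is refused along with the spam. Swapping `fake_resolver` for `live_resolver` turns the same logic into a real lookup against whichever zone is configured.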

The effect has been dramatic: on average, UB is stopping 4 million email requests, more than 85-92% of the incoming queue. There is a more subtle effect than not having spam show up in your inbox, however. Stopping spam at the front door means the Central email system no longer needs to determine the legitimacy of each of those messages, sort the good from the bad, and deliver them into our inboxes. “We no longer need to process badness,” said Saira. “It’s bye-bye at the door.”

“RBLs are not the end-all, however. It’s a moving target. They are another way for us to prevent spam. We’re likely to need more [ways],” Saira reports. When asked what might be the next step, Saira spoke about the potential for rate limiting email at the individual level, “but how much bandwidth should an individual use for their personal or business related emails?” That is a discussion for another day.