
SANS ISC InfoSec Handlers Diary Blog


More Email Tips

Published: 2006-08-20
Last Updated: 2006-08-20 02:49:51 UTC
by Marcus Sachs (Version: 1)
After Brian posted his Tip of the Day on email policies, we received an excellent set of ideas from reader David.  Here's what he said, and they are pretty good tips.  Thanks, David!

1) Use throw-away addresses for web-registrations, and other similar venues.  A good way is to own your own domain, set up a catch-all forwarder for email to that domain, and then use the company name as part of the throw-away address (for Amazon, for TomsBestDeals, etc.).  This allows you to instantly recognize what the email is about, who sent it, or who sold it to a third party.  Also, it seems spammers clean their spam lists of their own domains and customers' names, so this approach automagically keeps you off spammer lists.  For those without domains, there are free services, such as

2) Use a simple filter for your inbox:  If sender is NOT already-known (in address book, or in previous recipients), file in a New-Contacts folder.  This leaves your inbox clean of spam, without worrying what the spam actually looks like.  A quick scan through the New-Contacts folder can reveal new contacts and spam.  Additional rules to identify specific problem spam (and send to a Spam folder) can also be applied.  New contacts can be either replied to (so they become "previous recipients"), or added to your address book.

3) Use a variation of (2) for company-wide filtering:
    a) Don't accept email for unknown addresses.  This forces the outside server to create any bounce messages, and if that server is a spammer, the spam disappears.
    b) Depending on the company needs, either don't accept email from unknown addresses, or limit what a previously-unknown address can do.  Use your logs to populate a "previous recipients" database, a "known-good-sender" database, and a "known-bad-sender" database.  The known-bad senders get rejected, the known-good senders get very relaxed thresholds (can send more mail per second, etc), the previous-recipients get somewhat relaxed thresholds, and everyone else gets restrictive thresholds (only 1 message per minute, for instance).  Adjust to taste.

4) Do as much filtering based upon "protocol" as possible (as opposed to filtering based upon message content).  Spammers change message content constantly.  Spammers cannot do their jobs unless they send lots of copies of the same message really quickly.  This generally means multiple recipients per message, and multiple short messages per connection.  This also means there is likely to be a greater than 1% rate of bad addresses, as spammers' lists are not generally perfect.

5) Encourage TLS and DKIM use.  Spammers tend to use botnets, which are unlikely to use TLS or various encryption/signing methods.
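Tip 2 expressed as a small mail-sorting rule, added here as an example (it is not code from the diary or from reader David). The address book, the previous-recipient list, the spam words and the sample messages are constructed for the example:

```python
"""Tip 2 as a mail-sorting rule: known senders go to Inbox, strangers to
New-Contacts, and only then do content rules pick off known-problem spam.

Added example; not from the diary or from reader David. The address book,
previous-recipient list, spam words and sample messages are constructed.
"""
import email
from email.utils import getaddresses, parseaddr

ADDRESS_BOOK = {"alice@example.com"}           # constructed
PREVIOUS_RECIPIENTS = {"bob@example.net"}      # constructed: people you replied to
SPAM_SUBJECT_WORDS = ("lottery", "viagra")     # tip 2's "additional rules", assumed


def sender_of(msg):
    """Lower-cased address from From: ('' if absent). This header is
    trivially forged, so the rule sorts mail; it does not authenticate it."""
    return parseaddr(msg.get("From", ""))[1].lower()


def classify(msg, address_book=ADDRESS_BOOK, previous=PREVIOUS_RECIPIENTS):
    """Return the folder for one message: Inbox, Spam or New-Contacts."""
    sender = sender_of(msg)
    if sender in address_book or sender in previous:
        return "Inbox"
    # Content rules only run on mail from unknown senders.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in SPAM_SUBJECT_WORDS):
        return "Spam"
    return "New-Contacts"


def sort_mailbox(raw_messages, address_book=ADDRESS_BOOK, previous=PREVIOUS_RECIPIENTS):
    """Run the rule over raw RFC 5322 messages; returns folder -> list of subjects."""
    folders = {"Inbox": [], "New-Contacts": [], "Spam": []}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        folders[classify(msg, address_book, previous)].append(msg.get("Subject", ""))
    return folders


def record_reply(raw_sent, previous):
    """Replying promotes every To:/Cc: address to a previous recipient, so the
    next message from them lands in Inbox. Returns the addresses added."""
    sent = email.message_from_string(raw_sent)
    pairs = getaddresses(sent.get_all("To", []) + sent.get_all("Cc", []))
    added = {addr.lower() for _name, addr in pairs if addr}
    previous.update(added)
    return added


# Constructed sample mailbox, not real mail.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example.com>\nSubject: lunch?\n\nhi\n",
    "From: Bob <bob@example.net>\nSubject: invoice\n\nattached\n",
    "From: carol@example.org\nSubject: hello from a new colleague\n\n",
    "From: promo@spammer.invalid\nSubject: YOU WON THE LOTTERY\n\n",
]

if __name__ == "__main__":
    prev = set(PREVIOUS_RECIPIENTS)
    print(sort_mailbox(SAMPLE_MESSAGES, previous=prev))
    record_reply("To: carol@example.org\nSubject: Re: hello\n\n", prev)
    print(sort_mailbox(SAMPLE_MESSAGES, previous=prev))   # carol now in Inbox
```

The order of the checks is the point: sender-based routing runs before any content rule, so a known contact is never filed as Spam because of a subject line. The price is that a forged From: header naming one of your contacts lands in Inbox, since the rule sorts on an unauthenticated header; that is acceptable for keeping an inbox clean, not for making trust decisions.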

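Tips 3(a), 3(b) and 4 describe a policy that runs on the mail server before any message content is read: refuse unknown local recipients at RCPT TO, put each sender in a class with its own thresholds, and treat many recipients per message or a high invalid-recipient rate as a protocol-level spam signal. The following is an added example of that policy in Python (not the diary's or David's code). The per-class thresholds, the 1% bad-recipient rate, the 20-attempt minimum sample, the SMTP reply texts and the sample envelopes are assumed values:

```python
"""Server-side sender classes, rate thresholds and protocol-level checks
(tips 3a, 3b and 4). Added example; not code from the diary or from reader
David. Databases, thresholds and sample envelopes are constructed.
"""
from collections import defaultdict, deque

# Per-class thresholds; tip 3b says "adjust to taste", these are assumed.
THRESHOLDS = {
    "known-bad":          None,                                   # always rejected
    "known-good":         {"per_minute": 600, "rcpt_per_msg": 100},
    "previous-recipient": {"per_minute": 60,  "rcpt_per_msg": 20},
    "unknown":            {"per_minute": 1,   "rcpt_per_msg": 5},
}
BAD_RCPT_RATE = 0.01   # tip 4: more than 1% bad addresses looks like a spam list
MIN_RCPT_SAMPLE = 20   # assumed: do not judge a sender on fewer attempts


class MailPolicy:
    def __init__(self, local_users, known_good, known_bad, previous_recipients):
        # Tip 3b: the three sender databases, built from your own logs.
        self.local_users = set(local_users)
        self.known_good = set(known_good)
        self.known_bad = set(known_bad)
        self.previous = set(previous_recipients)
        self.sent_at = defaultdict(deque)               # sender -> recent timestamps
        self.rcpt_seen = defaultdict(lambda: [0, 0])    # sender -> [attempted, bad]

    def sender_class(self, sender):
        if sender in self.known_bad:
            return "known-bad"
        if sender in self.known_good:
            return "known-good"
        if sender in self.previous:
            return "previous-recipient"
        return "unknown"

    def rcpt_to(self, sender, rcpt):
        """Tip 3a: refuse unknown local addresses at RCPT TO, so any bounce
        is the remote server's problem (and vanishes if that server is a bot)."""
        stats = self.rcpt_seen[sender]
        stats[0] += 1
        if rcpt not in self.local_users:
            stats[1] += 1
            return "550 5.1.1 no such user"
        return "250 OK"

    def envelope(self, sender, rcpts, now):
        """Evaluate one envelope; returns the SMTP reply to give for it.
        `now` is a timestamp in seconds."""
        cls = self.sender_class(sender)
        if cls == "known-bad":
            return "554 5.7.1 sender rejected"
        limits = THRESHOLDS[cls]
        accepted = [r for r in rcpts if self.rcpt_to(sender, r) == "250 OK"]
        attempted, bad = self.rcpt_seen[sender]
        # Tip 4: a sender whose list is >1% bad is guessing addresses.
        if attempted >= MIN_RCPT_SAMPLE and bad / attempted > BAD_RCPT_RATE:
            return "554 5.7.1 too many invalid recipients"
        if not accepted:
            return "554 5.1.1 no valid recipients"
        if len(accepted) > limits["rcpt_per_msg"]:
            return "452 4.5.3 too many recipients"
        # Tip 3b: per-class message rate over a sliding one-minute window.
        window = self.sent_at[sender]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= limits["per_minute"]:
            return "450 4.7.1 rate limit exceeded, try again later"
        window.append(now)
        return "250 2.0.0 queued"


def demo():
    """Constructed walk-through: a partner, a stranger, a listed spammer, a bot."""
    p = MailPolicy(local_users={"alice@corp.example", "bob@corp.example"},
                   known_good={"partner@example.com"},
                   known_bad={"spam@bad.example"},
                   previous_recipients={"friend@example.org"})
    replies = [
        p.envelope("partner@example.com", ["alice@corp.example"], 0),   # known-good
        p.envelope("stranger@example.net", ["alice@corp.example"], 1),  # unknown, 1st msg
        p.envelope("stranger@example.net", ["bob@corp.example"], 2),    # unknown, 2nd in a minute
        p.envelope("spam@bad.example", ["alice@corp.example"], 3),      # known-bad
    ]
    # A bot spraying guessed addresses: 24 of 25 recipients do not exist.
    guessed = [f"user{i}@corp.example" for i in range(24)] + ["alice@corp.example"]
    replies.append(p.envelope("bot@example.net", guessed, 4))
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

Two details carry over to a real deployment. Rate limits answer with a temporary 4xx so a legitimate but unclassified sender simply retries, while the known-bad and bad-recipient-rate cases get a permanent 5xx. In a real MTA the known-bad check belongs at MAIL FROM and the recipient-count limit at the N+1th RCPT TO rather than at DATA, and the in-memory counters would be the databases tip 3(b) describes; Postfix, for instance, implements tip 3(a) with reject_unlisted_recipient and the per-client rate part with its anvil limits such as smtpd_client_message_rate_limit.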