MAP is Spam’s Simple Answer

Steven Trupp, president of Bohemia, NY-based ICS Network Systems, has been observing the spam problem for some time. The company’s Mail Sentry Gateway service, which provides anti-spam, anti-virus, and anti-relay protection for corporate networks, processes a great deal of email traffic. Of necessity, it built its own spam fighting solution.

The company’s Mail Authentication Protocol (MAP) simply checks to see whether an email received at a server with the MAP milter plugin has a valid sender address. MAP validates the complete sender address at the MX host for the sender’s domain (or the domain’s A record host if no MX record is published).

On November 13, 2003, for a typical client, MAP rejected about 50 percent of that client's incoming mail (presumably letting some spam through). Of the rejected mail, 31 percent was rejected because the MX host for the sender's domain confirmed the sender's address was false. 26 percent of rejected mail was forged as coming from Hotmail, Yahoo, MSN, or AOL. Another 26 percent was rejected because MAP could not connect to an SMTP server at the sender's domain. 11 percent of rejected mail was blacklisted. The remaining 6 percent was put on hold because of various errors, possibly benign, returned by the MX host.
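The verification step described above (look up the sender domain's MX host, fall back to its A record, then ask that host whether the sender address exists) and the outcome categories in the statistics map naturally onto a small classifier. The following is an added illustration, not ICS code and not MAP's implementation; the function interfaces, the `Verdict` names, the fixture domains and the SMTP reply codes used in the fixtures are all constructed here for demonstration. DNS and SMTP are injected as callables so the classification logic runs offline; the optional `smtp_probe_network` shows how a deployment would wire the probe to a real SMTP session with a 20-second timeout, the figure the article quotes.

```python
import re
import smtplib
import socket
from enum import Enum


class Verdict(Enum):
    """Outcomes modelled on the rejection categories reported for MAP."""
    ACCEPT = "accept"
    REJECT_BAD_ADDRESS = "reject: sender's MX says the address does not exist"
    REJECT_NO_SERVER = "reject: no reachable SMTP server for the sender's domain"
    HOLD = "hold: MX returned a transient or unexpected response"


ADDRESS_RE = re.compile(r"^[^@\s<>]+@([^@\s<>]+\.[A-Za-z]{2,})$")


def verify_sender(address, lookup_mx, lookup_a, smtp_probe, timeout=20):
    """Validate `address` at its domain's mail host (interfaces are assumptions, not MAP's).

    lookup_mx(domain)                 -> MX hostnames in preference order, [] if none
    lookup_a(domain)                  -> hostnames/IPs from the A record, [] if none
    smtp_probe(host, address, timeout) -> 3-digit reply code to RCPT TO, or None if
                                          no SMTP connection could be made
    """
    m = ADDRESS_RE.match(address)
    if not m:
        return Verdict.REJECT_BAD_ADDRESS, "syntactically invalid sender address"
    domain = m.group(1).lower()
    # Use the MX hosts; if the domain publishes none, fall back to its A record.
    hosts = lookup_mx(domain) or lookup_a(domain)
    if not hosts:
        return Verdict.REJECT_NO_SERVER, f"no MX or A record for {domain}"
    for host in hosts:
        code = smtp_probe(host, address, timeout)
        if code is None:
            continue  # connection refused or timed out; try the next host
        if 200 <= code < 300:
            return Verdict.ACCEPT, f"{host} accepted RCPT TO:<{address}>"
        if 500 <= code < 600:
            return Verdict.REJECT_BAD_ADDRESS, f"{host} replied {code}"
        return Verdict.HOLD, f"{host} replied {code}"  # 4xx or anything unexpected
    return Verdict.REJECT_NO_SERVER, f"no SMTP server reachable for {domain}"


def smtp_probe_network(host, address, timeout):
    """Real probe: open an SMTP session, use the null sender, and ask about the address.

    Returns the RCPT TO reply code, or None when the host cannot be reached.
    Not exercised by the offline demo below.
    """
    try:
        with smtplib.SMTP(host, 25, timeout=timeout) as s:
            s.helo()
            s.mail("<>")             # null sender: a verification callout, not a message
            code, _ = s.rcpt(address)
            return code
    except (OSError, socket.timeout, smtplib.SMTPException):
        return None


# --- constructed fixtures (invented domains and replies, not real DNS data) ---
FAKE_MX = {"example.com": ["mx1.example.com"], "dead.example": ["mx.dead.example"]}
FAKE_A = {"nomx.example": ["nomx.example"]}
FAKE_REPLIES = {
    ("mx1.example.com", "alice@example.com"): 250,   # real mailbox
    ("mx1.example.com", "zzz123@example.com"): 550,  # MX confirms address is false
    ("nomx.example", "bob@nomx.example"): 451,       # transient error -> hold
    # mx.dead.example has no entry: models a host that never answers
}


def fake_mx(domain):
    return FAKE_MX.get(domain, [])


def fake_a(domain):
    return FAKE_A.get(domain, [])


def fake_probe(host, address, timeout):
    return FAKE_REPLIES.get((host, address))  # None models a connection failure


def demo():
    """Classify a handful of constructed sender addresses; returns {address: verdict name}."""
    samples = ["alice@example.com", "zzz123@example.com", "bob@nomx.example",
               "x@dead.example", "y@unknown.example", "not-an-address"]
    results = {}
    for addr in samples:
        verdict, reason = verify_sender(addr, fake_mx, fake_a, fake_probe)
        results[addr] = verdict.name
        print(f"{addr:24} {verdict.name:20} {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Two properties of the check are worth keeping in mind when reading the statistics: a domain configured as a catch-all will answer 250 to any local part, so a forged address at such a domain passes the callout, and every probe costs the verifying server a connection and up to the full timeout, which is exactly the symmetric delay Trupp describes spammers paying when their MX host never answers.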

Trupp says MAP catches the vast majority of spammers, who are not willing to include a valid sender address in their spam. “You cannot just use any fake email address appended to a valid domain to get around MAP,” he says. He adds that spammers find that faking email addresses gets around a surprising number of filters.

Trupp says that traditional anti-spam measures are being foiled by proxy spam. Whether individuals are actually being paid to spam from their home accounts, or whether their home accounts and PCs have been taken over, he does not know, but he suspects the former. He is certain that a significant amount of spam now comes from home PCs running their own SMTP engine. The source IPs are clearly those assigned dynamically to individual subscribers by the large broadband providers, especially cable ISPs. This new source of spam is increasing at an alarming rate.

Because spam has changed from being a high-volume, single-source problem to being a small-volume, multi-source problem, traditional blacklists don’t work anymore. Spammers no longer send from their own domain. “Spammers are soliciting people to work from home for money,” he says. And in the current economy, he believes many would accept the offer.

MAP includes whitelist and blacklist features. Trupp says whitelists are useful, but users sometimes get frustrated with the blacklists. He says that spam coming off the cable networks has a valid, dynamic IP address. Blacklisting that IP address has little or no effect on spam. “Some customers get frustrated because there’s stuff they don’t want to see, so they add 800 IP addresses to the blacklist in the first week, and it doesn’t change much.”

Nevertheless, some high-volume spammers still exist, and they will be frustrated by MAP. “Some spammers will send 1,000 emails in a single connection and use multiple connections. If the spammer has not provisioned an MX host that can actually receive a return email, each time he connects and I connect back to the MX host to verify an address, he waits 20 seconds for MAP to time out. Spammers face the same penalty that I’m incurring by checking them.”

After implementation, Trupp advises customers to wait for several days collecting statistics on how the MAP engine handles the customer’s traffic. The MAP engine will probably be blocking some mail it shouldn’t.

Customers need to learn which mail types need special treatment. “If someone’s using Monster for recruiting, they may need to whitelist the address that receives the mail, because a lot of it will come from domains other than Monster, such as AOL.”

MAP’s future seems to lie in becoming a component of another anti-spam solution, or a complement to several. Blocking forged mail pretending to come from large, known ISPs could be a business by itself, and is a useful idea.

Pricing and availability
MAP is available now directly from ICS as a milter plugin (pricing not public at press time) or as a component of the company’s Mail Sentry Gateway service.

The price for Mail Sentry Gateway is $250 for up to 50,000 messages per month. Trupp says that since the software relies on his servers, he has to charge based on his costs. “We’ve had no pushback from customers since we switched from per-user to per-message pricing, even from customers whose invoice amounts tripled.”
