Why Spamhaus is the best approach to fighting spam
The spam problem is evolving and while overall spam volumes are down, the problems are getting worse. No longer just a nuisance wasting resources and time, spam is now a primary threat vector and a heavily targeted point of infection into organizations.
Today’s spam causes the following security problems:
- Infected files accepted by your systems contain Trojans and malware, compromising your PCs or servers.
- Outbound spam from your infected hosts damages your email reputation and prevents your email from being delivered.
- Interrupted email flow threatens your communication and lowers employee productivity.
Email administrators need up-to-date, accurate and cost effective solutions that stay current with ongoing threats while keeping email flowing smoothly.
Best Practices worldwide require an accurate and up-to-date source of threat data – Real Time Black Lists (RBLs) – to improve anti-spam effectiveness. Real Time Threat Data from Spamhaus delivers critical protection that dramatically improves your email filter’s accuracy and effectiveness.
Spamhaus continues to innovate – adding the PBL, DBL and CSS in the past 18 months.
Spamhaus’s extensive, unparalleled expertise worldwide enables insight, visibility and coverage across all segments and geographies. In use by two-thirds of the world’s ISPs and protecting 1.7 billion email users worldwide, Spamhaus is a critical piece of the Best Practices approach to stopping spam from reaching your organization.
This white paper, sponsored by SecurityZones and Spamhaus, focuses on the Best Practices approach used by modern spam filters. It describes the key reasons why Spamhaus’s Real Time BlackLists are used by thousands of companies around the world: Spamhaus RBLs improve the accuracy and effectiveness of anti-spam systems worldwide.
Spam is Evolving and You Must Keep Up
The problem of spam is changing. It represents anywhere from 70% to 85% of all email sent across the Internet, down from the peaks of three years ago. But does that mean that we can all relax? No! Not by a long shot! It is more complex than it was only three years ago and your email filters must keep up.
No longer just a nuisance, spam creates real problems.
Spam has evolved from a nuisance into a critical threat to your operations. All organizations rely on email as a critical means of communication, so beyond the security risk that spam itself poses, incomplete or interrupted email flow is a significant threat to your company’s operations.
- It causes infections, security breaches and serious financial losses
The greatest shift in spam during the past three years has been the transition from advertising products to using it as a vector for malware infection, through infected attachments or links to sites hosting malware.
This malware is used for a variety of purposes: hosting phishing sites, hosting malware, launching denial-of-service attacks, breaking into social networks, stealing confidential files, and redirecting emails to unauthorized third parties.
Spam gangs are run by professionals, and they want your money. They are doing everything they can to get it.
- It makes it harder to send email
If a spammer succeeds in compromising accounts within your organization, it becomes harder for your organization to send email to the rest of the Internet. How? One of spammers’ favorite techniques is to send spam from legitimate, but compromised, accounts. Some of this spam ends up in spam traps, and your organization can easily end up on a blacklist, which means that your outgoing messages, including business-critical legitimate email, may be rejected.
Getting onto an IP blacklist is very costly. You will not be able to send outbound email to important people, and it will take your IT administrators much effort to get delisted.
- It reduces employee productivity
Email is crucial to modern business. But without a good spam filter in place, email is useless. Nobody can spend time sifting through dozens of messages looking for the ones that are useful. People would stop using email. Either way, not using email, or spending time trying to sort through spam, costs employees productivity.
- The bottom line: spam creates significant security and operational issues
The more spam that enters your organization, the more email servers, network bandwidth and support resources that are required. This drives up the cost of managing a network and messaging system.
Global Best Practices
Because of the increasing complexity of the spam techniques and problems it creates, there are a variety of best practices that an organization should implement to thwart it.
A blacklist, sometimes referred to as a blocklist or Domain Name System Black List (DNSBL), is the first line of defense in modern spam filters. There are two popular types of blacklists:
- The first is an IP blacklist which is a list of IP addresses that spammers send mail from. These are lists of known spammers or lists of IPs that are sending high volumes of spam (they are part of a botnet). If an email arrives from an IP that is on a blacklist, the mail should be rejected without accepting the message. This provides significant improvements to your antispam filters’ effectiveness by eliminating 80-90% of all spam at SMTP connect time. It also saves on network bandwidth and storage since your organization doesn’t have to spend time on more expensive content filtering.
- The second most common type of blacklist is a URL blacklist. This is a list of domains that are known to belong to spammers or have appeared in spam messages sent to spam traps. Spam filters then scan the message and if they contain a domain on the URL blacklist, use that as a weight in the content filter decision.
Accuracy is Critical! An inaccurate blacklist will cause false positives, and legitimate mail will not reach its intended recipient. As much as spam is unwanted, missing legitimate mail is worse: business-critical messages, emails from friends, and other missed opportunities are the byproducts of an inaccurate blacklist. Any blacklist an organization uses must be accurate and absolutely minimize false positives.
A whitelist is a list of IP addresses of known legitimate senders of email. Spam filters can use this list to skip filtering when an inbound mail arrives from a sender on the whitelist. This serves two purposes:
- It saves network resources by not performing expensive content filtering on that mail.
- It reduces false positives by never accidentally marking it as spam.
Best Practices Approach – Why Use Blacklists?
Organizations should implement a filtering strategy that uses blacklists as the first line of defense. This makes mail servers more responsive because they are not wasting CPU cycles processing the large volume of spam that would otherwise have been accepted, and reduces latency in overall message delivery.
How Spamhaus Defeats Spam
Spamhaus is an international organization whose mission is to track the Internet's spam gangs, to provide dependable real-time anti-spam protection for Internet networks, to work with law enforcement agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation. Founded in 1998, Spamhaus is based in Geneva, Switzerland and London, UK and is run by a dedicated team of 25 investigators and forensics specialists located in 10 countries.
Spamhaus maintains five lists that contain the real-time data used to fight spam:
- Spamhaus Black List (SBL)
The SBL is a list of IP addresses that are controlled by known spammers. The SBL includes the Composite Snowshoe List (CSS).
- Exploits Black List (XBL)
The XBL is a list of IP addresses of computers that are infected with malware and relaying spam.
- Policy Black List (PBL)
The PBL is a list of IP addresses that should not be delivering unauthenticated SMTP email. It is key to pre-emptively blocking the vast majority of botnet-spam.
The SBL, XBL and PBL are included together as the Zen composite list.
Spamhaus has continued to innovate, adding additional lists:
- Domain Black List (DBL)
The DBL is a list of Internet domains that have been seen in spam. It contains malicious URLs that are unambiguously spammy, plus a list of URL shorteners whose presence can be used as a weight in a content filter.
- Spamhaus White List (SWL)
The SWL is a list of IP addresses of known good senders whose mail need not be spam filtered.
How To Use Spamhaus in your Email Filtering Solution:
It is easy to add Spamhaus to nearly all email filtering systems: as a first-stage filter for SpamAssassin or other open source email filter systems, by adding Spamhaus directly to your email filtering appliance, or by adding it directly to your email system, such as Exchange, Postfix or Sendmail.
Spamhaus should be deployed in phases; the first two are required and the last two are optional:
- Phase 1 – Reject mail from IPs on the blacklist
The first phase is to run the Spamhaus ZEN blacklist (the SBL, XBL and PBL combined) on the inbound mail server and reject all mail from IPs on this list without accepting the message. The ZEN list will block on average 75% - 85% of all inbound email traffic.
- Phase 2 – Check for domains on the DBL
The next stage is to examine the content of the message in your spam filter and extract all of the URLs in the message. Then, the URLs are checked against the DBL and if it matches, the spam filter uses this as a weight in the final decision.
- Phase 3 – Check the SMTP properties of the message [optional]
The DBL can next be compared against the sender’s domain in the SMTP MAIL FROM, against the domain in the HELO, and against the domain found in the reverse DNS record of the sending IP. If any of these match, the mail can be rejected without accepting the rest of the message.
- Phase 4 – Check for domains that point to the SBL [optional]
The next stage is to take the URLs from phase (2) and determine which IPs those domains point to (i.e., determine the domains’ A-records). The IPs are then checked to see if any of them point to IPs in the SBL. If so, this is used as a weight in the spam filter’s decision.
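The four phases above as one small Python module; this is an added illustration, not code from the white paper or from Spamhaus. DNS answers come from an injectable resolver so it runs offline; the hostnames spammy.example and good.example and the TEST-NET addresses are constructed, and the return-code mapping is an assumption to verify against current Spamhaus documentation.

```python
import ipaddress
import re
ZEN, DBL = "zen.spamhaus.org", "dbl.spamhaus.org"
# Last octet of a ZEN answer -> component list, as documented by Spamhaus
# (assumption: confirm against the current documentation before deploying).
ZEN_LISTS = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL", 10: "PBL", 11: "PBL"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def zen_name(ip):
    """Phase 1 query name: reversed IPv4 octets under the ZEN zone."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + ZEN

def zen_hits(ip, resolve):
    """Component lists (SBL/XBL/PBL) the IP is on; empty if clean.
    resolve(name) returns the A records of name as strings, [] if none."""
    codes = [a.split(".") for a in resolve(zen_name(ip))]
    return [ZEN_LISTS[int(c[3])] for c in codes
            if c[:3] == ["127", "0", "0"] and int(c[3]) in ZEN_LISTS]

def dbl_listed(name, resolve):
    """True if a domain is on the DBL. 127.0.1.255 is the DBL error code
    (e.g. an IP literal was queried) and must never count as a listing."""
    answers = resolve(name.lower().rstrip(".") + "." + DBL)
    return any(a.startswith("127.0.1.") and a != "127.0.1.255" for a in answers)

def url_domains(body):
    """Phase 2: unique domains of all http(s) URLs in the message body."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(body)})

def score_message(client_ip, helo, mail_from, rdns, body, resolve):
    """Run phases 1-4: reject at SMTP time, or return a weight for the content filter."""
    lists = zen_hits(client_ip, resolve)                       # phase 1
    if lists:
        return {"action": "reject", "reason": "ZEN:" + "/".join(lists), "weight": 0}
    for name in (mail_from.rsplit("@", 1)[-1], helo, rdns):    # phase 3
        if name and dbl_listed(name, resolve):
            return {"action": "reject", "reason": "DBL:" + name, "weight": 0}
    weight = 0
    for dom in url_domains(body):
        weight += dbl_listed(dom, resolve)                     # phase 2
        for ip in resolve(dom):                                # phase 4: A records -> SBL?
            weight += any(h.startswith("SBL") for h in zen_hits(ip, resolve))
    return {"action": "filter", "reason": "content", "weight": weight}

# Constructed DNS answers (TEST-NET addresses) so the example runs offline; in production use a real A-record lookup.
SAMPLE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.11"],     # client 192.0.2.10 is on the PBL
    "spammy.example.dbl.spamhaus.org": ["127.0.1.2"],  # domain listed on the DBL
    "spammy.example": ["198.51.100.7"],                # its A record ...
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.2"],    # ... is hosted on an SBL-listed IP
}
def sample_resolver(name): return SAMPLE_DNS.get(name, [])
```

In Postfix, phases 1 and 3 are the built-in restrictions reject_rbl_client zen.spamhaus.org and reject_rhsbl_sender, reject_rhsbl_helo and reject_rhsbl_reverse_client dbl.spamhaus.org, while phases 2 and 4 belong in the content filter such as SpamAssassin.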
Why Use Spamhaus?
- Spamhaus is Highly Effective and Extremely Accurate
Using Spamhaus alone blocks over 98% of spam with 0% false positives. This is nearly on par with full commercial solutions, at a fraction of the price. It is frequently used in conjunction with existing antispam appliances and services.
- Spamhaus improves your Accuracy and Effectiveness
By using Spamhaus’ blacklists, your mail server saves valuable resources by not processing junk mail that nobody wants to receive:
- You don’t have to store spam on your servers, and therefore need fewer of them.
- You don’t have to waste bandwidth on spam.
- You have fewer calls to technical support from users complaining about spam or malware.
- Spamhaus is Reliable
Your email filtering solution must be dependable. Spamhaus is highly reliable and has never had a service interruption.
- Spamhaus is Trusted
Spamhaus is the #1 most trusted and widely used blacklist in the world today. It is used by over 1.7 billion users worldwide – by security vendors, large corporations and educational institutions – in order to keep their mailboxes clean.
Spamhaus delivers on its promises and its passion – to help protect the Internet and users from spam.
Is Spamhaus Free?
Spamhaus began in 1998 as a passion to address the growing spam problem. The service used to be free, but to ensure it remains a sustainable, high quality initiative, Spamhaus has created a Usage Policy. The reasons for this are the following:
- The free-use public servers are constantly overwhelmed by a tremendous volume of queries.
- Free is not a sustainable business model for a high quality service on which organizations rely.
However, Spamhaus is still free – and always will be – for small, non-commercial use. Spamhaus merely asks commercial users to contribute to the fight against spam. This charge for the service is used by the anti-spam community to help fund the Project.
The Spamhaus Usage Policy is based on level of use:
- No charge (for non-commercial use with fewer than 100,000 queries per day)
- Fee-based (for commercial use, or if more than 100,000 queries per day)
Numerous organizations continue to use Spamhaus without a license; many do not realize that the service is extremely inexpensive, as shown in the following figures:
Spamhaus Annual Pricing tiers
- 501 to 1,000
- 1,001 to 5,000
- 5,001 to 10,000
- 10,001 to 20,000
- 20,001 to 50,000
- 50,000 to 100,000
Why Use the Spamhaus Datafeed?
The Spamhaus datafeed enables fully licensed, compliant and unrestricted access to Spamhaus via two access methods:
- Spamhaus Datafeed Query Service (DQS)
The DQS permits access to restricted Spamhaus Query Servers. The DQS servers provide faster responses, are updated more frequently and include full customer support.
- Spamhaus Rsync Datafeed Service (rsync)
The Rsync service provides a complete copy of the entire Spamhaus database, downloaded and stored locally, in your own environment. This local copy will be updated continuously via rsync.
The Datafeed Services have several advantages:
- Faster Performance – For rsync users, queries are done locally instead of querying Spamhaus’ DNS servers over the public Internet. Local queries provide far better performance.
- Full support – Full technical support is available by phone and email, with immediate escalation to the Spamhaus backline support team.
- Continual Upgrades – Spamhaus continues to add new features at no additional cost. In the past 18 months, Spamhaus has added the PBL, DBL, Composite Snowshoe List (CSS) and SWL.
- Trial Service – A free 30-day trial of the Spamhaus Datafeed Service is available.
Case Studies: Real-World Examples
Spamhaus is a very effective enhancement to anti-spam systems in a wide variety of organizations including ISPs, universities, enterprises, hosted email and anti-spam services, and commercial anti-spam appliances.
The following three examples are of customers that have implemented Spamhaus, along with their results:
- A large ISP using Spamhaus as an upgrade to and replacement for its current anti-spam provider
  - Tier 1 ISP with over 12 million email users and managing 45 million domains.
  - Spamhaus benefits:
    - Spamhaus stops more than 80% of spam at SMTP connect time, saving the ISP more than $350,000 annually by reducing the number of filtering servers and replacing other service vendor solutions.
    - Total Cost Savings: $331,400; Spamhaus Cost: $18,600
    - ROI in excess of 1,800%.
- A mid-sized corporation adding Spamhaus to an email appliance
  - 20,000 email users on a commercial, well known antispam appliance
  - Spamhaus benefits:
    - Spamhaus eliminated the need for an expensive upgrade: $28,000
    - Improved accuracy and effectiveness: priceless
    - Reduced IT support (0.1 FTE): $5,000
    - Total Cost Savings: $33,000; Spamhaus Cost: $5,700
  - Per senior management: “Prior to using Spamhaus, we seriously considered replacing this appliance, as we were receiving far too much spam, and an intolerable amount of False Positives! The addition of Spamhaus enabled us to retain the current appliance, saving us thousands of dollars… and more importantly deliver acceptable email service to our end users. An imperative was to improve the security and protection for our users, from phishing and malicious email. Spamhaus is a great addition.”
- A small business adding the Spamhaus Datafeed to SpamAssassin
  - 250 email users running Exchange and using SpamAssassin messaging filters.
  - Spamhaus benefits:
    - Avoid need for expensive commercial appliance: $1,250; Spamhaus Cost: $250
  - As one technical manager at this company noted, “A year ago, I was receiving VAST amount of spam. You helped me to configure, test, and approve… now we receive almost no spam. I stress this point very much, that there are ABSOLUTELY NO FALSE POSITIVES AT ALL. The results speak LOUD for themselves. Will I continue to use Spamhaus? ABSOLUTELY!”
The Spamhaus Project is an international non-profit organization whose mission is to track the Internet's Spam Gangs, to provide dependable real-time anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation. Founded in 1998, Spamhaus is based in Geneva, Switzerland and London, UK and is run by a dedicated team of 25 investigators and forensics specialists, located in 10 countries.
securityZONES provides data from the leading security research organizations worldwide. Its real-time threat intelligence provides protection and security from Internet threats. Used by leading organizations worldwide, Internet threat data delivered as a real-time datafeed will improve the defenses and security of your enterprise and your users.