IBM AH0QXML, Lotus Domino 6 User Manual

ibm.com/redbooks

Lotus Domino 6
spam Survival Guide
for IBM

Tommi Tulisalo

Ted Chappell

Beth Anne Collopy

Kris Hansen

Greg Kelleher

Mark Ramos

Bruce Walenius

Avoid, block, and manage spam with
server mail rules and mail file rules

Anti-spam features of Domino 6

Third-party anti-spam
products

Front cover

Lotus Domino 6 spam Survival Guide
for IBM ^

January 2003

International Technical Support Organization

SG24-6930-00

© Copyright International Business Machines Corporation 2003. All rights reserved.

Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.

First Edition (January 2003)

This edition applies to IBM Lotus Notes 6.0 and IBM Lotus Domino 6.0.

Note: Before using this information and the product it supports, read the information in
“Notices” on page v.

© Copyright IBM Corp. 2003. All rights reserved. iii

Contents

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .vi

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

The team that wrote this redbook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .ix

Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Definition of spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Categorizing spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Chapter 2. Preventing unwanted e-mail and spam . . . . . . . . . . . . . . . . . . . 7

2.1 Spam avoidance techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.1.1 Passive harvesting attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.1.2 Avoiding harvesting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.1.3 Confusing the harvesters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.1.4 Inform Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.2 How to block spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.2.1 At the gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.2.2 At the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.2.3 By the end user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.2.4 Selecting the best approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.2.5 Managing the ongoing anti-spam campaign . . . . . . . . . . . . . . . . . . . 15

2.2.6 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 3. Domino 6 anti-spam architecture . . . . . . . . . . . . . . . . . . . . . . . 17

3.1 The Domino messaging environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3.2 Domino 6 messaging components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.2.1 SMTP Listener/Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.2.2 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.3 Domino 6 anti-spam configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.3.1 Server configuration features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.3.2 User configuration features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3.4 Common problems and solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 4. Domino 6 Server anti-spam features . . . . . . . . . . . . . . . . . . . . 29

4.1 How to detect spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.1.1 Examining the message properties. . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.1.2 Separating legitimate e-mail from spam based on content . . . . . . . . 31

4.2 Controlling connections from spammers. . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.2.1 DNS Blacklist filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

iv Lotus Domino 6 spam Survival Guide for IBM eServer

4.2.2 Inbound Intended Recipients Controls . . . . . . . . . . . . . . . . . . . . . . . 36

4.2.3 Disable routing mail to groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

4.2.4 Inbound connection controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

4.2.5 Inbound sender controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

4.3 Controlling delivery of spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4.3.1 Server mail rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4.4 Controlling use of your server as a relay. . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.4.1 Inbound relay controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.4.2 Inbound relay enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

4.5 Protecting your Domino server from active address harvesting attacks . . 62

4.5.1 SMTP harvesting attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

4.5.2 Spam mail bombing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

4.5.3 Direct SMTP RCPT TO harvesting . . . . . . . . . . . . . . . . . . . . . . . . . . 62

4.5.4 Defending against active attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Chapter 5. Using mail file rules to prevent spam . . . . . . . . . . . . . . . . . . . . 65

5.1 Distinguishing between spam and legitimate e-mail . . . . . . . . . . . . . . . . . 66

5.2 Mail file rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

5.2.1 Setting up mail file rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

5.2.2 Developing anti-spam mail file rules . . . . . . . . . . . . . . . . . . . . . . . . . 71

5.2.3 Viewing mail rules and the evaluation sequence . . . . . . . . . . . . . . . 77

5.2.4 Monitoring mail file rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Chapter 6. Third party anti-spam products. . . . . . . . . . . . . . . . . . . . . . . . . 81

6.1 Anti-spam products for Notes and Domino . . . . . . . . . . . . . . . . . . . . . . . . 82

6.1.1 spamJam for Lotus Notes and Domino. . . . . . . . . . . . . . . . . . . . . . . 82

6.1.2 SpamEraser for Lotus Notes and Domino 6 . . . . . . . . . . . . . . . . . . . 85

6.1.3 iQ.Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

6.1.4 ScanMail for Lotus Notes with eManager . . . . . . . . . . . . . . . . . . . . . 89

6.1.5 XM SpamStop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

6.1.6 Other anti-spam products for Notes and Domino . . . . . . . . . . . . . . . 94

6.2 Anti-spam server and gateway products and services . . . . . . . . . . . . . . . 94

6.2.1 BrightMail Anti-Spam 4.0 from BrightMail, Inc. . . . . . . . . . . . . . . . . . 94

6.2.2 ActiveState PureMessage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

6.2.3 Trend Micro Inc. products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

6.2.4 Other anti-spam server or gateway products and services. . . . . . . . 98

Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Referenced Web sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

How to get IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

IBM Redbooks collections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

© Copyright IBM Corp. 2003. All rights reserved. v

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:

IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION

PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to IBM for the purposes of
developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.

vi Lotus Domino 6 spam Survival Guide for IBM eServer

Trademarks

The following terms are trademarks of the International Business Machines Corporation and/or Lotus
Development Corporation in the United States, other countries, or both:

AIX®
AS/400®
Domino™
DB2®
IBM ®
IBM eServer™

IBM ^
iNotes™
iSeries™
Lotus Enterprise Integrator™
Lotus Notes®
Lotus®

Notes®
Perfor m™
QuickPlace™
Redbooks (logo)™
Redbooks™
S/390®

The following terms are trademarks of other companies:

ActionMedia, LANDesk, MMX, Pentium and ProShare are trademarks of Intel Corporation in the United
States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.

C-bus is a trademark of Corollary, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure
Electronic Transaction LLC.

Other company, product, and service names may be trademarks or service marks of others.

© Copyright IBM Corp. 2003. All rights reserved. vii

Preface

In this IBM Redbook we describe how you can use IBM Lotus Domino 6 to
prevent and manage “spam.”

We begin by describing and categorizing spam, which is the commonly used
term for unsolicited commercial e-mail. We discuss ways to prevent spam,
outlining different techniques available to avoid and block spam.

We then explain how anti-spam control and management work can be divided
between servers, between server tasks, and between administrators and end
users. We also describe the anti-spam architecture of the Domino 6 messaging
environment.

Anti-spam features of Domino 6 are presented in detail. They include the ability
to control connections from spammers and the delivery of spam, and protecting
against the use of your server as an open relay. We also discuss using mail file
rules and server mail rules to prevent spam.

Finally, we highlight some of the business partner products available to further
address the spam problem. These products fall into two categories: those that
run on a Domino server, and those that operate as separate anti-spam servers
and gateways. We include a number of examples of each type, along with
references to help you obtain more information directly from them.

This redbook is written primarily for Lotus Domino administrators who want to
prevent and manage spam in their environments. It is also useful as a basic
introduction to the topic of spam.

The team that wrote this redbook

This redbook was produced by a team of specialists from around the world
working at the International Technical Support Organization, Poughkeepsie
Center.

Tommi Tulisalo is a project leader for the International Technical Support
Organization at Cambridge, Massachusetts. He manages projects whose
objective is to produce redbooks on all areas of Lotus Software products. Before
joining the ITSO in 2001, he was an IT Architect for IBM Global Services in
Finland, designing solutions for customers, often based on Lotus software.

viii Lotus Domino 6 spam Survival Guide for IBM eServer

Ted Chappell is a Managing Principal and co-founder of Eagle Technology

Consultants LLC, an IBM Premier Business Partner, where he has worked for the
past five years. Ted has ten years of experience in information technology
working on various platforms. His most recent work includes the development of
SpamEraser, Eagle Technology Consultants' anti-spam tool for Lotus Notes and
Domino. Ted holds a BA degree in math and economics from Emory University in
Atlanta, Georgia. Ted can be contacted via e-mail at tchappell@eagletc.com; his
company’s Web site is http://www.eagletc.com.

Beth Anne Collopy is a Senior Technical Instructor working in the Worldwide
Product Introduction and Technical Support Organization within Lotus Software
Group. Her primary responsibility is providing instructional training on Notes and
Domino to individuals within the Lotus Customer Support Organization. She
joined Lotus in 1997 and supported Domino Mail and Messaging until moving to
the Performance and Learning Group in 2001 as a Instructor. Prior to joining
Lotus, she worked as a Network Manager and as a Notes Administrator
(beginning with Release 3).

Kris Hansen is a Chief Technology Officer at eWorld Enterprise Solutions, Inc. in
Honolulu, Hawaii. He has nine years experience working with Lotus Domino
infrastructure and development and is an IBM Certified Solutions Advisor,
Solutions Designer, and a Certified Lotus Professional in Lotus Domino
administration. His areas of expertise include systems architecture, messaging
infrastructure, UNIX administration, Domino administration and development,
and DB2 and WebSphere Application Server implementation on UNIX platforms.

Greg Kelleher is the product manager for Windows and Linux platforms at Lotus
software.

Mark Ramos is a co-founder and the chief technologist of Granite Software. He
was the primary developer of Granite's flagship product, ZMerge, a data
integration tool and past winner of the Lotus Beacon Award. He developed the
SNA APPN network driver for Lotus Notes/Domino and the Text Connector for
Lotus Enterprise Integrator (LEI). He has over 20 years of IT experience,
specializing in Notes API development. Most recently he directed the
development of Granite's newest product, spamJam, an anti-spam product for
Domino. More information about Granite Software can be obtained from their
Web site: http://www.gsw.com

Bruce Walenius is a Critical Situation Manager for the Lotus Software Group;
his geographic area of responsibility includes Europe, the Middle East, and
Africa. Bruce has worked for IBM for ten years, all of it in the support
organization. He started in 1993 as a software support specialist in Canada
before transferring to Lotus France in 1998 to become first a Lotus Support
Account Manager, and then the Critical Situation Manager for EMEA West and

Preface ix

EMEA South. He currently resides in Paris, France, and holds a degree from
McGill University in Montreal, Canada.

A number of people have provided support and guidance. In particular we would
like to thank Jon Johnston, Creative Business Solutions, for all his help in
putting together the third party products chapter; and Richard Schwartz, RHS
Consulting, for reviewing the redbook and making valuable suggestions
regarding its content and structure.

Thanks to the following people for their contributions to this project:

Matt Chant, Mike Gagnon, Meredith Lovett, Brian Richards - IBM Westford Lab

Diana Ermini, Javier Izquierdo, Joseph John, Ted Niblett, Steven Preston, Jon
Raslawski, Jeffrey Slone, Carol Sumner - Lotus Software

Dieter Stalder - STDI Consulting

Kristin Baker - Eagle Technology Consultants

Libby Schwartz - e-Pro Magazine

Andy Yett - Metal Logic

Anthony Barker - XM Technologies

Jeani Boots, Rolf Rennemo - Trend Micro

Jacquelyn Thrasivoulos - GROUP Software

Alison Chandler - ITSO Poughkeepsie

Become a published author

Join us for a two- to six-week residency program! Help write an IBM Redbook
dealing with specific products or solutions, while getting hands-on experience
with leading-edge technologies. You'll team with IBM technical professionals,
Business Partners and/or customers.

Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.

x Lotus Domino 6 spam Survival Guide for IBM eServer

Find out more about the residency program, browse the residency index, and
apply online at:

ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!

We want our Redbooks to be as helpful as possible. Send us your comments
about this or other Redbooks in one of the following ways:

򐂰 Use the online Contact us review redbook form found at:

ibm.com/redbooks

򐂰 Send your comments in an Internet note to:

redbook@us.ibm.com

򐂰 Mail your comments to:

IBM Corporation, International Technical Support Organization
Dept HYJ Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400

© Copyright IBM Corp. 2003. All rights reserved. 1

Chapter 1. Introduction

The focus that Lotus has placed on spam prevention in Domino 6 is recognition
of how important the issue is in e-mail communications today. A deliberate
design goal of new Domino 6 features was to block the “front door,” that is,
provide spam control and avoidance capabilities at the server and mail router
rather than at the end-user mailbox. Why? Studies have shown that end-user
managed spam costs 10 to 20 minutes of productivity per person per day on
average. Other messaging clients/servers have not yet recognized this burden,
and force users to constantly monitor and remove spam mail from their inboxes,
or attempt to define filters to try to catch it. This is all reactive behavior. Domino 6,
on the other hand, puts many tools at the server, reducing the risk that spam ever
arrives in users’ inboxes.

In this chapter we provide an overview of spam, including a general definition, as
well as a discussion of some of the categories of spam and the problems they
can pose in an organization.

1

2 Lotus Domino 6 spam Survival Guide for IBM eServer

1.1 Definition of spam

What is spam? How do you know if you have been spammed? In a very broad
sense, spam is the reception of unsolicited commercial e-mail. That does not
mean that if you receive an unexpected e-mail from a friend that you have been
spammed.

Spam is designed to flood the Internet with mass mailings, attempting to reach
the largest audience possible. Most often spammers are merely trying to sell a
dubious product, such as diplomas to unaccredited universities, get-rich-quick
schemes, or discounts on prescription drugs. In a real world example, spam is
the equivalent of receiving flyers, mailers, contest entries, and other such junk
mail items routinely sent to thousands of households without the residents having
explicitly requested them. The difference, for the average spammer, is not having
to pay printing fees or postage, which makes spam infinitely less expensive than
traditional junk mail.

A very important aspect of what constitutes spam is that spam has negative
effects on those who receive it. Spam is the only form of advertising that is more
expensive for its audience than for the advertiser. It is not simply a case of getting
a few extra mail messages a day and taking a minute or two to delete them.
Spam is not targeted at any specific group or person. It is sent to everyone.
Therefore, it can be a very expensive nuisance. Consider the fact that service
providers charge for time spent accessing the Internet. If you receive five spam
messages a day, you will waste a minute or two deleting the messages. But what
if you received 50 messages a day, or 100? What if everyone in your company
received 50 messages a day? And without even considering the loss in man
hours, what about storage costs?

Advertisers pay very small sums of money to acquire huge spamming lists and
lists of e-mail addresses. These lists are gathered from various sources, often
with questionable methods, and sold to anyone who wishes to send out spam.
Advertisers then use these lists for spamming, trying to reach the broadest
audience possible.

1.2 Categorizing spam

Spam generally falls into one of 6 categories:
򐂰 Advertisers trying to sell a product or service to as large an audience as

possible.

򐂰 Mailings designed to cheat or mislead unsuspecting or gullible Internet mail

recipients with incredible get-rich-quick schemes.

Chapter 1. Introduction 3

򐂰 Hoaxes. E-mail chain letters requiring you to perform an action or suffer

serious consequences.

򐂰 Fake virus warnings, forged messages, or deceitful mail attempting to get the

recipient to respond in a certain way.

򐂰 Mail trying to entice you to visit certain sites, often pornographic, or of very

questionable nature.

򐂰 Malicious mail designed to interrupt regular Internet traffic or flood mailboxes

or mail routers.

Each one of these categories of spam is trying to make the recipients react in a
certain way, most often to their own detriment. Let's look at each one of the
categories more closely:

򐂰 Advertisers trying to sell a product or service to as large an audience as

possible.

– This is the most common type of spam.
– The idea is to reach as large an audience as possible. Statistics show that

more than 99% of people who receive these types of offers delete them
without opening them. However, if a spammer sends their message out to
1 million people, and only 1 out of 100 people actually read the message,
the spammer is still reaching an audience of 10,000 prospective clients.

– Some of the most widely distributed advertisement-type spam mailings

include offers to reduce or enlarge various body parts, invitations to buy
prescription drugs at discount prices, and offers to refinance your home
loan.

򐂰 Mail designed to cheat or mislead unsuspecting or gullible Internet mail

recipients with incredible get-rich-quick schemes.

– There are many known examples of this type of scam. For example,

someone is stuck in a war-torn country but has managed to secrete
millions of dollars into a Swiss bank account, and only needs you to send
them airfare and you will be entitled to a percentage of the treasure.

– Another example of get-rich-quick spam is the pyramid mailer; “Just send

5 dollars to this person for this report, and move your name up one rung
on the letter. Then send it out to as many people as you can.”.

– Some other spam which falls into this category is not so obvious. For

instance, a reputable-sounding investment firm believes a certain stock is
hideously undervalued and urges you to buy it while it is low. The mail is
made to look as professional and as serious as possible.

All of these examples are messages which are designed to deceive the end
user.

򐂰 Hoaxes: e-mail chain letters requiring you to perform an action or suffer

serious consequences.

4 Lotus Domino 6 spam Survival Guide for IBM eServer

– This type of spam is often referred to as a Virus Hoax or Mail Hoax.
– This type of mail covers a very broad category from the “If you don't

forward this to 5 people in 5 minutes, you will have 5 years of bad luck,” to
the “Microsoft e-mail beta test will pay you 245 dollars per person to whom
you forward this mail,” to “little Johnny is going to die but wants to be in the
Guinness Book of World Records for having received the most e-mail
before he passes.” This type of message plays on the recipient's gullibility.

– Hoaxes are trying to trick you into sending out as many warnings as you

can to as many people as you can.

– If you are ever in doubt as to the authenticity of a suspicious mail, you can

browse an extensive list of mail hoaxes by visiting this site:

http://hoaxbusters.ciac.org

򐂰 Fake virus warnings, forged messages, or deceitful mail attempting to get the

recipient to respond in a certain way.

– Although similar to the previously described type, this spam can have

more serious consequences. Often it derives from spammers posing as
legitimate companies, for instance, “Microsoft Official Virus Warning” or
some such thing. Microsoft, or any other reputable company, does not
send out unsolicited virus warnings, nor unsolicited mail trying to get you
to upgrade drivers on your operating system (do not confuse this with the
Automatic Update feature of Windows Operating Systems). The spammer
will tell you there is a new update to prevent a virus, and will try to get you
to download an actual virus in its place.

– Another common example is spammers posing as legitimate mail

domains, often soliciting funds for a cause. For instance, the spammer
may say that they are collecting money for disaster relief in the wake of the
9/11 tragedy, or trying to raise money to build a new wing for a cancer
ward. Reputable charities do not use spam to solicit funds.

– Another common example is a mail message leading an unsuspecting

person to believe they have won a valuable prize, and asking them to
“Simply call this number to claim your prize.” The number is often an
overseas 809 area code, billed at extortionate rates per minute, with the
goal of simply keeping you on hold for as long as possible.

– A further example of a spam message designed to deceive, is the one

arriving with a few names in the TO: field which very closely resemble your
own mailing address, leading you to believe that a simple typo allowed you
to be the lucky recipient of a fabulous offer. These spams may start

something like “As requested, here is....”, or “Thanks for getting back to

me, here is that site I was talking about......”. Do not be misled; if the mail

was not solicited, don't answer it.

Chapter 1. Introduction 5

򐂰 Mail trying to entice you to visit certain sites, often pornographic, or of very

questionable nature.

– Mail of this nature is often directly to the point. “Wanna see more of me?

Click here.” or “I can't believe it, you have to see this! Click here.” This type
of spam is often paid for by the site in question. Advertising rates for big
commercial sites are very high, for the simple reason that a great many
people will see them.

– If an unscrupulous site can demonstrate through an independent source

that they have a very large hit rate, they will entice advertisers hoping to
sell products or services via their site. The more people who innocently
click on the link, the higher the hit counter will soar. Many spammers also
take advantage of the fact that HTML mail can contain moving images. For
instance, “Click on the Monkey to win $10,000” and when you click on the
monkey then you are sent to the site the spammer intended.

򐂰 Malicious mail designed to interrupt regular Internet traffic or flood mailboxes

or mail routers.

– This last category is the type of spam the average person will be least

likely to come across. It consists of malformed messages designed to
disrupt mail services, often by attempting to crash SMTP routers. There
are an infinite number of possible combinations of mail messages that a
spammer can create. They can deliberately send empty attachments, bad
headers, looping addresses, incorrect control characters within critical
routing fields, or any of a myriad of other things to attempt to cause mail
blockages.

– Mail routing applications such as Lotus Domino have very robust SMTP

defenses in place to avoid and prevent these types of attacks. Defensive
code included in the product will reject malformed messages which could
have provoked error conditions. Normally, mail needs to conform to a strict
standard in order to be accepted. If not, the SMTP router will simply reject
it. However, hackers, crackers, and malicious spammers are constantly
changing the methods they use to attempt to disrupt services. Inevitably,
an unprotected system will eventually fall prey to this type of message.

For more information about what constitutes spam, see the publicly available
RFCs located here:

򐂰 RFC2505 (http://www.ietf.org/rfc/rfc2505.txt?number=2505)
򐂰 RFC2635 (http://www.ietf.org/rfc/rfc2635.txt?number=2635)

6 Lotus Domino 6 spam Survival Guide for IBM eServer

© Copyright IBM Corp. 2003. All rights reserved. 7

Chapter 2. Preventing unwanted e-mail

and spam

Many users and administrators will agree that unwanted e-mail and spam is a
problem for them. Where they don't always agree is on what approach to take to
circumvent this disruption.

One philosophy is to stop spam before it reaches the user; this avoids wasting
the user's time dealing with rules or managing it at all. At the extreme end of this
spectrum, the risk of having spam arrive in the user's mailbox outweighs the
potential for false positives and the undelivered (real) mail associated with that ­All mail is suspect and scrutinized by the server for point of origin and content.
Any messages not measuring up are discarded.

Another philosophy is to let everything in and have the user sort out what is spam
and what is real. The admin adopts a laissez-faire approach at the server level.
Point of origin and content are not scrutinized, but the users are given tools to
deal with unwanted mail.

Many environments use a blend of the two philosophies to achieve the optimum
spam prevention for their organization, and what constitutes the best anti-spam
campaign differs from one organization to another.

In this chapter we discuss some basic spam avoidance techniques, and how to
select the right approach in your environment. One highly effective way for your

2

8 Lotus Domino 6 spam Survival Guide for IBM eServer

users to not receive spam is to have them avoid having their e-mail addresses
added to a spammer’s list in the first place. We discuss how spammers usually
accumulate these e-mail addresses and how you can help your users protect
theirs.

2.1 Spam avoidance techniques

From a server point of view, the most efficient way to handle spam is not to have
it delivered in the first place. This is why, as a Domino server administrator, it is in
your best interest to help inform your users about how to avoid getting on spam
lists in the first place. If they do this effectively it can save time administering
spam rejection tools.

Most users, when confronted with spam, will not understand why they are getting
it. Some users definitely get more spam than others, though, so we know that
there is some user behavior that correlates to the amount of spam that they will
receive. The best way to understand the behavior to avoid is to look at how most
spammers get e-mail addresses in the first place.

2.1.1 Passive harvesting attacks

In this section we introduce some passive harvesting techniques that spammers
use to obtain e-mail addresses. To learn about how to protect your Domino 6
server from harvesting attacks, see 4.5, “Protecting your Domino server from
active address harvesting attacks” on page 62.

Web harvesting

Spammer Web robots or “bots” operate like Web search engine bots, except they
look specifically for xxxx@domain.com patterns in the Web page text. When an
e-mail address pattern is found they store it with other e-mail addresses for use
in bulk mailing. You can defend against spammer Web-bots by obfuscating mail
addresses when they are placed on Web pages. The best option for defense is
placing e-mail addresses into graphics. Alternatively, you can hide them inside
javascript, or simply provide human-recognizable alterations to the address that
make it invalid for e-mailing, or make it more difficult for the Web-bot to recognize
any e-mail address pattern.

Usenet harvesting

Spammer news-bots use a concept similar to that used by Web search engine
bots. Spammers can subscribe to any usenet group. Then after downloading
posts from a usenet group, the news-bots look for xxxx@domain.com patterns in
posted message content and headers. When an e-mail address pattern is found

Chapter 2. Preventing unwanted e-mail and spam 9

they store it for use in bulk mailing. The best defense against spammer
news-bots is to simply provide human-recognizable alterations to the address
that make it more difficult for the news-bot to recognize any e-mail address
pattern.

Listserv harvesting

Spammers develop programs that subscribe to list servers as any other user can,
but they never send to the subscribed list. Instead they capture other list
subscriber's e-mail addresses over time. The best defense against Listserv
harvesting is to simply provide human-recognizable alterations to the sending
and reply address to make them more difficult for an automated list-bot to
recognize any e-mail address pattern.

2.1.2 Avoiding harvesting

Advise your users to avoid having their e-mail addresses harvested by employing
the following techniques:

򐂰 Have a personal or “junk” account from a free provider that is used specifically

for newsgroup or commercial Web site interaction.

򐂰 Do not post their address on newsgroups or public Web discussions.
򐂰 Avoid publishing their e-mail address in public “people finder” directories or

Instant Messaging directories.

򐂰 Avoid using standard e-mail addresses for domain name registration

contacts; instead, create accounts specifically to manage registration contact.

򐂰 Have users avoid using “e-invite” or “postcard” services with their

organizational e-mail address: these services often sell or solicit to the e-mail
addresses that they gather.

򐂰 Make sure that users know to read the privacy statements on Web sites that

they provide information to.

Your public Internet site is also a target for address harvesting; here are some
tips to make your Web site difficult for spammers to target:

򐂰 Do not create public directories available on the Internet without some form of

protection from harvesters. Consider making this area a “sign in” area
requiring some form of authorization, or confusing harvesters (as described in
the next section).

򐂰 Be selective about which addresses are provided as contact points for the

organization and try not to make them easy picking for spammers.

򐂰 Have public feedback mail delivered to a “mail in” mailbox so that spam

doesn't clutter up a user's mailbox.

10 Lotus Domino 6 spam Survival Guide for IBM eServer

2.1.3 Confusing the harvesters

The e-mail harvesters are programs that gather e-mail addresses of a specific
format. If the format of the address does not meet the criteria of the program it
will not be gathered for spam usage.

Mailto tags

One area where you may want to employ this tactic is on your public Internet site.
Harvesters are notorious for going after any address in a mailto: tag. One way to
protect your addresses on the Web site is to write the mailto: tag with a
hexadecimal e-mail address rather than an ASCII address. All browsers can
understand these addresses while harvesting programs will not pick them up.
Here is an example of an address converted to hexadecimal:

ASCII: <a href=mailto:me%40mydomain.dom>me@mydomain.dom</a>
Hex: <a href= mailto:%6d%65%40%6d%79%64%6f%6d%61%69%6e%2e%64%6f%6d> Email
me</a>

Here is an example of a perl script that will convert ASCII addresses to hex:

#! /usr/bin/perl
# Little perl program to convert ascii email addresses to hex
# to avoid spam harvesting from mailto: tags

my $addr = shift or die "usage: $0 email\@address.dom\n";
$addr =~ s/(.)/ sprintf('%%%2x',ord($1)) /ge;
chomp($addr);
print "$addr\n";

Address obfuscation

If you are posting to a newsgroup or to a Web discussion board where you
suspect that your address may be gathered, consider

munging. Address

munging involves changing your real e-mail address in a way that will make it
unavailable for harvesting. Normally this involves adding a "NOSPAM" or some
other text string that other people will know to remove before sending mail to that
address. Harvesting programs are often not smart enough to distinguish between
a munged address and a real address. An example of such an e-mail address is
john.example@NOSPAMibm.com.

2.1.4 Inform Users

The more users know about the cause of their addresses being picked up by
spammers, the greater the chance that they can avoid getting on the list.

Chapter 2. Preventing unwanted e-mail and spam 11

Educating users about how to avoid giving their addresses to potential spam
sources will help reduce the amount of spam that comes through your systems.

Have a mail policy

Have a mail policy that includes the sending of spam. While you are working very
hard to stop spam from arriving, it's good to make sure that none of your users is
a source of this type of mail. Make sure that users know what the rules are with
e-mail and what constitutes productive use of e-mail in your environment. In
some environments, inboxes are cluttered with jokes and other non-work related
e-mail. If jokes are important to your organization, consider creating a discussion
database for these types of messages; it can help to reduce the clutter.

Also consider using a discussion database or custom database for internal
classified ads. Some users can find the ads and the subsequent threads that can
follow the ads distracting in their inbox. If users want to be notified, you can use
an agent that sends a daily summary of the new items that are in the database.

Users should never respond to spam

People that send spam are looking for a response. Advise your users of this and
what the costs of spam are. Chances are, they are aware of it and dislike it as
much as you do—but make sure that they know never to purchase anything from
an unsolicited e-mail. A key reason that spam is a problem is that people
continue to respond to it; if there were no buyers there would be no sellers. Make
sure that your users are not adding to the problem by responding to the e-mail at
all. This includes the “opt out” links that are often just used to verify whether or
not a valid address has been found.

Ensure that your users understand that many unsolicited e-mail offers are
hoaxes or confidence tricks. Some examples to note are the “Nigerian bank
transfer” scam, and the “Timmy is trapped in the well” hoax. Explain to your users
that if an offer or e-mail seems too good to be true, it's probably spam. And many
“cries for help” or “secret recipes” are just scams to try and create e-mail chaos
and generate more spam.

How to communicate with users about spam

Probably the best way to find out how spam impacts your users is to conduct a
survey. Combine a survey with an information campaign: inform users about
what spam is and how to avoid it while finding out whether it is a problem for
them or not. Knowing how much of a problem spam is for your users will help you
gauge how aggressive a stance to take on stamping it out.

12 Lotus Domino 6 spam Survival Guide for IBM eServer

Here is an example of a spam information message that you can modify and
send to your users:

Dear users,

The Information Systems department is interested in reducing the amount of
unsolicited commercial e-mail (aka spam) delivered to our organization. We
would also like to find out whether spam is a concern for you, as this will
help us determine the best approach to take when configuring our systems to
reject spam.

How to Avoid Spam

The best way for us not to receive spam is to prevent our e-mail addresses
from being gathered by those that send spam. Here are some ways that you
can help:

– Never respond in any way to unsolicited commercial e-mail. Responding can

make your address a target for more spam - this includes any “opt out”
links which are often used just to verify that yours is a valid address.

– Avoid giving out your e-mail address on Web sites or discussions.

Consider using a personal e-mail address or a free e-mail address for
non-work-related correspondence.

– Disregard chain letters or other spam that encourages you to send

messages to others.

– If you send mail to several external users, consider putting the

addresses in the “bcc” field so that all of the addresses are not visible.

If you are careful and avoid having your address get on the spam lists you can
avoid having spam delivered to our organization.

Sincerely,

Your Domino Administrator

2.2 How to block spam

If spammers manage to get your users’ addresses, you may need to select an
approach that configures your systems to block spam. As previously mentioned,
there are two major philosophies when it comes to dealing with spam. The
“gateway” approach forestalls spam by rejecting it based on either content or
address origin when it reaches the organization's entry point. The “user”
approach delivers all mail, even spam, and provides tools to the user so that the
user can decide what is spam and what is mail. These approaches are not
mutually exclusive, and the “right” approach depends entirely on your
organization and your users. You will want to engage some server-based spam

Chapter 2. Preventing unwanted e-mail and spam 13

blocking techniques if you are looking to take an aggressive approach against
spam.

2.2.1 At the gateway

It is possible to subscribe to third party services or purchase network devices that
aim to stop spam even before your mail server receives it. These services often
act as a mail relay, and screen incoming mail for content or origin. Many ISPs
and other service providers offer this as a service with a cost per megabyte of
spam. Keep in mind that subscribing to these services may require a change to
your mx (DNS mail delivery) records which, if not handled correctly, could cause
a loss of mail during the transition. If you plan to use a third party or gateway
device or service, be sure that you are aware of the technology that is used and
the potential for false positives or friendly mail rejections. The ideal configuration
rejects all spam while allowing all real mail through. Even if your organization
employs some sort of spam gateway, it may also be a good idea to use other
methods of spam rejection.

2.2.2 At the server

Stopping spam at the server and sending a rejection can be a very effective way
of dealing with these messages. There are several configuration areas in Notes
Domino 6 that can be set to help reject spam, both at the SMTP listener level and
at the Domino router level. At the listener, the following options are available in
Domino 6:

򐂰 Inbound Relay Control and Enforcement
򐂰 Inbound Intended Recipient Controls
򐂰 Disabled SMTP Routing to Groups
򐂰 Inbound Connection Controls
򐂰 Inbound Sender Controls

At the router, the server can be configured to deal with spam using server-based
mail rules. These rules can be used to filter out specific recipient addresses or
other specific criteria.

Inbound authorization settings can be used to reject known spam originators or
known open relays. Open relays are servers that are configured to allow the
sending of third party messages, including spam. You should always configure
your server to not allow open relaying of mail to help fight spam. New in Notes
Domino 6 are server mail rules and DNS blacklist support. Using server mail
rules you can reject messages based on content (including recipient and
originator.) If your server is configured with DNS blacklist lookups enabled, when
a message arrives an external directory is consulted (much like a DNS lookup)
and if the sender’s address is found in the directory, the message is considered

14 Lotus Domino 6 spam Survival Guide for IBM eServer

spam. The spam can then be quarantined or rejected depending on your
preference.

Also new in Domino 6 are intended recipient controls. With this restriction in
place only users that exist in the Domino directory can receive mail.

The settings and components of Domino 6 spam prevention features are
discussed in detail in Chapter 4, “Domino 6 Server anti-spam features” on
page 29.

2.2.3 By the end user

Some administrators prefer to adopt a hands-off approach and have the gateway
and server deliver all mail whether solicited or not. Users that want to reject mail
are advised to use mail file rules to filter the signal from the noise. This can be an
effective strategy where spam is not a serious problem and occurs only
occasionally. Keep in mind that spam is a moving target, and originators’
addresses and the content often changes; user's mail rules can sometimes
require frequent updates to stay on top of these changes.

Managing spam at the user level with Notes 6 involves creating mail file rules.
These rules can be very targeted and aggressive since the user has the control
here, and they can decide what they want to discard and what they want to
retain. If they do create false positives, they can retrieve them or adjust the mail
rules accordingly. Chapter 5, “Using mail file rules to prevent spam” on page 65
discusses this in detail.

2.2.4 Selecting the best approach

Spam may not be a big problem for you; maybe you have yet to receive an
unsolicited e-mail message. Your users, however, may be wading through
hundreds of useless messages a day. Consult your users and find out how much
of a problem spam is for them. Consider sending out a survey to find out how
many unsolicited e-mail messages they receive, how tolerant they are of false
positives, and how willing they are to manage mail rules. If your users are fed up
with spam and wish to make it a high priority, we recommend a server-based
approach. If your users do not see spam as a major problem, are quite adept with
Notes Mail rules, and are highly sensitive to false positives you may want to
consider a user-centric solution. The best approach to employ in your anti-spam
campaign is the one that fits for your organization.

After you have selected your approach and implemented your new configuration,
re-evaluate the situation with another survey or follow-up with some of the key
users. You may want to conduct this survey periodically to make sure that the
approach that you have selected is still appropriate.

Chapter 2. Preventing unwanted e-mail and spam 15

2.2.5 Managing the ongoing anti-spam campaign

Due to the nature of spam, there is no single configuration setting or secret
notes.ini variable to toggle to have all spam delivery rejected. This is due to the
constant change in the spam content, addresses, and the spammers
themselves. The most effective way to keep your anti-spam configuration
relevant is to monitor your results periodically and revise your configuration
based on new information.

Determine how much time to allocate

Based on how much of a priority spam prevention is in your organization, and
how much of a problem it is to users, you can decide how much time to assign to
your anti-spam efforts.

If blocking spam is your top priority (this usually results from upper management
receiving some particularly offensive spam) then you should plan to put aside
some time daily or weekly to review how effective your configuration is. You may
want to start out by monitoring your new configuration daily and tweaking the
configuration based on the results. After a few days of this you can move to a
weekly analysis. After several smooth weeks you might consider moving to a
biweekly schedule. There are some tasks that you should perform infrequently to
avoid impacting users. These tasks include surveys, user-based rule changes,
and e-mail policy reviews.

How to analyze the effectiveness of your configuration

The daily or weekly tasks should include the following:
򐂰 Review the mail log and see how many rejections you are getting. (You can

use log analysis to filter for “rejected.”) As these numbers increase your
configuration is becoming more effective. Also scan these rejections for
potential false positives.

򐂰 Scan the mail logs and look for mail with known “spam-like qualities” getting

through. Things to look for include messages being sent to a large number of
users, subjects such as “make money fast”, and known spam sender
addresses. You may identify addresses or messages that your rules have
missed.

򐂰 Talk with users that are known to receive large amounts of spam, or analyze

the logs to see whether spam intended for them is being rejected.

򐂰 After reviewing your server rule hits, identify rules that are not being triggered

and consider revising them. For those rules that are being triggered, look for
ways to make them more effective and scan for false positives.

16 Lotus Domino 6 spam Survival Guide for IBM eServer

More infrequently, it's a good idea to review your overall spam approach to see if
it is still appropriate. You might want to re-survey your users periodically to see if
the situation has improved from their perspective.

It's also a good idea to occasionally appraise the technology landscape to see
what the new approaches are to spam detection and prevention. There may be
new Domino updates available or new techniques recommended to deter spam
delivery.

2.2.6 Summary

The old saying “An ounce of prevention is worth a pound of cure” is especially
prescient when related to spam. Users that avoid providing their e-mail address
to spammers receive less spam. Web sites that are careful to make themselves a
difficult target for harvesters also result in less unsolicited mail. With enough
prevention effort, spam should be a rare occurrence. If it does arrive, there are
several methods of handling it: gateway-based, server-based, and user-based.
The right approach depends on the stance that your organization takes when
dealing with spam and how much of a priority it is for you. A solid spam
prevention configuration needs to be monitored and adjusted over time. Reserve
some time every week to analyze the effectiveness of your anti-spam
configuration, and periodically revisit your approach to ensure that it is still
consistent with what is required. Overall, much can be done to avoid and reduce
spam delivery.

© Copyright IBM Corp. 2003. All rights reserved. 17

Chapter 3. Domino 6 anti-spam

architecture

This chapter describes the components of the Domino messaging architecture
that allow you to prevent and manage spam. As you begin using Domino to
prevent spam, it is important to understand the messaging infrastructure and the
components where it’s possible and appropriate to intercept spam.

Private Notes/Domino networks are well controlled and do not originate spam
mail. The public and open nature of Internet e-mail has led to an explosion of
spam, so for purposes of spam analysis, we focus on Internet-originated
messages and how the Domino messaging components process those
messages.

This chapter discusses:
򐂰 How anti-spam control and management work can be divided between

servers.

򐂰 How the different anti-spam measures are divided between Domino server

tasks.

򐂰 How the control over anti-spam measures is divided between the Domino

administrator and the end-users.

򐂰 Common problems and recommended solutions.

3

18 Lotus Domino 6 spam Survival Guide for IBM eServer

3.1 The Domino messaging environment

While every Domino installation is different, and many do use a single Domino
server to handle all tasks related to e-mail, a division of tasks between multiple
servers is typical of most larger environments. Generally, there are a number of
Domino servers on an internal network that users connect to in order to access
their mail, and one or more external Domino servers that are responsible for
connections to the Internet for inbound and outbound SMTP e-mail.

Some of the anti-spam features in Domino 6 must always be implemented on the
external Domino servers that handle the actual SMTP connections, some must
always be implemented on the internal servers, and some of the anti-spam
features can be implemented on either the external or internal servers—or even
on additional dedicated servers that are located “in between” the external servers
and the internal servers in the network topology.

The features that must be implemented on the external servers are:

򐂰 DNS blacklist filtering
򐂰 Inbound relay control and enforcement
򐂰 Inbound intended recipient controls
򐂰 Inbound connection controls

The features that must be implemented on the internal servers are:
򐂰 User mail file rules

The features that may be implemented on either internal, external or other
dedicated servers are:

򐂰 Inbound sender controls
򐂰 Disabled SMTP routing to groups
򐂰 Server mail rules

Figure 3-1 shows one such typical Domino network. A network such as the one
depicted here is an ideal configuration for establishing control of spam via the
Domino 6 anti-spam measures described in this redbook.

The implemented strategy to fight spam in the example Domino environment is to
stop spam at the Domino server.