In Part 1, "Using Exchange Server components to fight SPAM", I went over how to create and install your own spam filter by registering a VBScript with the SMTP service for Exchange 2000. One of the features of this filter was that it would query the Active Directory to see if it should block e-mail from a specific host by checking for the existence of a contact that matches the host IP. In this article I will cover a VBScript that can be used to create these contacts in the AD by processing all mail items in a folder or by reading in a list of hosts from a text file.
The problems relating to spam and the difficulty in blocking it were covered in Part 1. In short, the only way to block spam from a particular company is by blocking any e-mail sent from their mail systems. In order to block a system you need to know its IP addresses and tell Exchange not to process mail from that system. Luckily the IP address of the sending system is stored in each message that is received via SMTP. So first you need to collect all of the messages that are from systems you want to block, then extract the IP address from each message, and then, if you are using the script from Part 1, create the contacts in the AD to block future messages from those systems. This can take about a minute per message if done manually. In most organizations the amount of spam received can be very large, and if you offer to help your users reduce the amount of spam they get you are going to quickly become overloaded with hosts that need to be blocked. So to keep up with demand you are going to need to automate the process. In addition, the spam filter we created in Part 1 includes support to block e-mails based on content and blacklisted IP addresses. If it blocks a message it logs information on that message to a file. Therefore, you have two sources of spam hosts that need to be processed to create the required contacts in the AD to block future messages from those hosts. This is where this article and the attached script are designed to help you out.
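The extraction step described above, as an added Python illustration rather than the article's VBScript: it pulls the connecting host's IP from the topmost Received header of a constructed sample message, discards internal addresses, and builds the contact name the Part 1 filter would look up. The message, the `INTERNAL_NETS` list and the "first three octets" form of the class C cn are assumptions for the example, not taken from the article.

```python
import email
import ipaddress
import re
from typing import Optional

# Constructed sample message, not a real capture. The topmost Received
# header is the one our own Exchange server wrote when it accepted the
# SMTP session, so it carries the IP of the host that actually connected.
SAMPLE_MESSAGE = """\
Received: from mail.example.net ([203.0.113.45]) by exch01.corp.example.com
  with SMTP; Mon, 10 Mar 2003 09:12:44 -0500
Received: from [10.9.8.7] by mail.example.net with ESMTP; Mon, 10 Mar 2003 09:12:40 -0500
From: promo@example.net
To: user@corp.example.com
Subject: constructed sample

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed internal ranges; a block contact must never point at our own hosts.
INTERNAL_NETS = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def sending_host_ip(raw_message: str) -> Optional[str]:
    """Return the IP of the host that handed the message to our server.

    Only the first Received header is consulted: every header below it
    was supplied by the sender and may be forged.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKETED_IP.search(received[0])
    if not match:
        return None
    try:
        ip = ipaddress.IPv4Address(match.group(1))
    except ipaddress.AddressValueError:
        return None
    if any(ip in net for net in INTERNAL_NETS):
        return None
    return str(ip)

def contact_cn(ip: str, whole_class_c: bool = False) -> str:
    """cn for the AD contact the Part 1 filter binds to: the IP itself,
    or (assumed format) its first three octets to block the class C."""
    return ".".join(ip.split(".")[:3]) if whole_class_c else ip
```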
So what we need is a way to automate the process of looking at items in a folder or file and creating contacts based on the IP addresses read in. We should also carry out multiple checks before flagging a host as a spammer, to prevent a known valid host from being blocked. The script included with this article meets both of these requirements.
One of the most effective methods of blocking e-mail is to not accept e-mail from a host that has been blacklisted. So this script will check several of the public blacklist servers on the internet for each IP read in. These servers are freely available to anyone who wants to query them. There are over ten of these servers on the internet, that I am aware of at least, that maintain lists of IP addresses that have been blacklisted and allow DNS queries against them. When queried they return a 127.0.0.x address if the IP queried is listed. In the reference section at the end I have included several links to organizations that host blacklist servers. Many of these servers work based on community input, which means anyone on the internet can submit a host to be listed on these servers. Luckily this community input is pretty much limited to open relays, which are then tested by the servers to see if they are actually open relays. SMTP relaying is a key area that spammers take advantage of, and a good percentage of spam is sent from mail servers that are misconfigured as open relays.
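The DNS blacklist lookup just described, as an added Python example (not the article's BlackListed function): the IP's octets are reversed and prefixed to the list's zone, and a 127.0.0.x answer means "listed". The zone names ending in `.invalid` and the `SAMPLE_ANSWERS` table are constructed placeholders so the example runs offline; `dns_resolver` is the live path, and `blacklisted` requires more than one list to agree before treating a host as a spammer.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Placeholder zones for illustration; the article's reference section
# names the real blacklist operators.
DNSBL_ZONES = ["bl.first-dnsbl.invalid", "bl.second-dnsbl.invalid"]
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the four octets and append the list's zone, so checking
    203.0.113.45 against bl.x means resolving 45.113.0.203.bl.x."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listing_answer(address: str) -> bool:
    """A hit comes back as a 127.0.0.x style answer; no record at all
    means the IP is not listed."""
    return ipaddress.IPv4Address(address) in LISTED_RANGE

def dns_resolver(name: str) -> List[str]:
    """Live resolver: every A record for name, or [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def table_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline stand-in for dns_resolver, answering from a fixed table."""
    return lambda name: table.get(name, [])

def dnsbl_hits(ip: str, zones: List[str] = DNSBL_ZONES,
               resolver: Callable[[str], List[str]] = dns_resolver) -> Dict[str, bool]:
    """Query every zone and report which ones list the IP."""
    return {z: any(is_listing_answer(a) for a in resolver(dnsbl_query_name(ip, z)))
            for z in zones}

def blacklisted(ip: str, minimum_hits: int = 2, **kwargs) -> bool:
    """Treat the host as a spammer only when at least minimum_hits lists
    agree, which limits the false listings the article warns about."""
    return sum(dnsbl_hits(ip, **kwargs).values()) >= minimum_hits

# Constructed answers: the first list knows the host, the second does not.
SAMPLE_ANSWERS = {"45.113.0.203.bl.first-dnsbl.invalid": ["127.0.0.2"]}
```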
In an effort to catch spammers themselves, some of these blacklist servers post "test" e-mail addresses to many areas of the internet, like newsgroups and web forms, that spammers are known to scavenge for e-mail addresses. Then if those e-mail addresses receive e-mail they flag the sending server as a spam host. In addition, most take reports from users, and after they receive a certain number of reports on a host they will list the host. Many of these free sites are run by a few individuals who take donations or provide additional levels of service for a fee. It is these individuals who set up the rules on their blacklist site that control whether a host is determined to be a spam host or not. These are publicly available servers that anyone can choose to use, but there are no current laws or government guidelines that control or limit which hosts these sites choose to list. A key point to make clear is that the free, and even the fee based, blacklist sites will contain valid hosts at times. So no matter what method they use to determine if a host is a spammer or not, there will probably always be some sites listed that aren't real spammers. So you have a choice: either A) continue to get 100% of all e-mail, including spam, or B) block a high percentage of spam, and possibly some legitimate e-mails, by using these blacklist servers. This script and SMTPSPAMFilter.vbs, from Part 1, both use these blacklist servers. The function used by both scripts, BlackListed, is covered under the Supporting functions and subs section of this article.
The SMTPSPAMFilter.vbs script attempts to bind to a contact in the AD with the same IP, or class C IP address, as the sending server of an incoming message. If it succeeds the script assumes that the message is spam and prevents it from being sent to any users. If you let your users know that you have the ability to filter out any e-mail coming from a certain host, assuming it is spam, you will probably end up with a large number of hosts that need to be blocked. So in the script being covered by this article we are going to read in data from a folder, private or public, or an input file and do a couple of checks to see if the hosts are valid, and if they aren't, create a contact in the AD with a cn of the sending host's IP address or class C IP address.