8 things that make your mail look like spam

In the comments of last week’s Wednesday question, John B. asked

Can you elaborate on specifics of “configure machines to not look like spam ware”?

There are a lot of things that spamware does differently from standard MTAs. Here is a list of things that may make your mail look, to a receiving server, like it is being sent by spamware.

  1. Using weird values for HELO/EHLO, like a bare IP or “localhost.” Both a bare IP and a non-fully-qualified domain name are violations of the SMTP spec. This is something a lot of poorly written spamware does, and there is no valid reason for a server to be doing either.
  2. Rotating HELO/EHLO values. Some poorly written software is configured to use a HELO/EHLO value pulled from the Mail From address. If there are multiple domains sending mail from an MTA, this can cause different SMTP sessions to have different HELO/EHLO values. There is also spamware that will rotate through HELO/EHLO values as a way to avoid filters.
  3. Ignoring or incorrectly processing bounce messages. Spamware is notoriously bad about complying with the SMTP spec. For instance, some spamware never retries on a 4xx response, but always retries on a 5xx response. This behaviour drove some receiving MTAs to overuse 4xx responses. However, correctly managing rejections is a feature of well-configured software.
  4. Having an incorrect time. There is a famous bit of spamware from the late 90s written by someone who didn’t understand timezones. There was a forged Received line in the spamware that used EST -600 as a timezone. EST is never -600, and a lot of filters became quite sensitive to time issues. Make sure your server knows what time it is and correctly reports that time when sending mail, especially if there is an internal handoff.
  5. Domain fruit salad in the headers. There is spamware out there that will use a different domain for every part of the header: one domain in the Mail From, another in the visible From, a third in the rDNS, a fourth in the HELO value, a fifth in the internal handoffs, a sixth in the Message-ID, a seventh in the abuse reporting line, an eighth in the List-Unsubscribe value. While there are valid technical reasons not to have every domain in the headers be identical, there are places where they should match, and spreading so many domains through the headers makes a sender look like it’s either spamware or a spammer trying to avoid filters.
  6. Hidden text in the body of the message. Spammers hide text in the body of the message, either as very light grey text on a white background or inside HTML comments. There’s no problem with having a few comments in the HTML of a message, but when those comments are longer than the actual text of the message, then there’s a problem.
  7. Fake, broken or otherwise invalid HTML tags. Spammers use fake HTML tags to confuse filters. They’re also notoriously bad about using correct tags. Make sure all HTML in the message is valid HTML.
  8. Encoding plain text in Base64. Another fabulous (well, not really) spammer trick is to use Base64 encoding to hide their plain text. This means a lot of filters are sensitive to encoding practices. Some filters even crack the encoding to see if there is anything that needs encoding in the email. If there isn’t, then the encoding is treated as filter evasion.
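As an added example that is not from the original post, here is a small Python audit of an outgoing message and its HELO for three of the traits above (items 1, 5 and 8), written from the receiving filter's side so a sender can check their own mail before a filter does. The HELO value, the sample message and the threshold of two distinct domains are all constructed assumptions, not values from the post.

```python
import base64
import re
from email import message_from_string

FQDN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
BARE_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def helo_problem(helo):
    """Item 1: HELO/EHLO must be an FQDN; a bare IP or a bare label fails."""
    if BARE_IP_RE.match(helo):
        return "bare IP in HELO"
    return None if FQDN_RE.match(helo) else "HELO is not a fully qualified domain name"

def header_domains(msg, helo):
    """Item 5: the domain named by each header that carries one, plus HELO."""
    doms = {"HELO": helo.lower()}
    for field in ("From", "Return-Path", "Message-ID", "List-Unsubscribe"):
        m = re.search(r"@([A-Za-z0-9.-]+)", msg.get(field, ""))
        if m:
            doms[field] = m.group(1).lower()
    return doms

def needless_base64(msg):
    """Item 8: text/plain sent as base64 although the decoded text is 7-bit ASCII."""
    if msg.get_content_type() != "text/plain":
        return False
    if msg.get("Content-Transfer-Encoding", "").lower() != "base64":
        return False
    return all(b < 0x80 for b in base64.b64decode(msg.get_payload()))

def audit(msg, helo, domain_limit=2):
    """Collect the traits a receiving filter might flag (domain_limit is a constructed threshold)."""
    findings = [helo_problem(helo)] if helo_problem(helo) else []
    distinct = set(header_domains(msg, helo).values())
    if len(distinct) > domain_limit:
        findings.append("domain fruit salad: %d distinct domains" % len(distinct))
    if needless_base64(msg):
        findings.append("base64-encoded plain ASCII text")
    return findings

# Constructed sample: four header domains, a bare-IP HELO, an ASCII body in base64.
SAMPLE_HELO = "192.0.2.10"
SAMPLE_MSG = message_from_string(
    "Return-Path: <bounce@example.net>\nFrom: Promo <offers@example.org>\n"
    "Message-ID: <abc123@mail.example.com>\nList-Unsubscribe: <mailto:unsub@example.info>\n"
    "Content-Type: text/plain; charset=us-ascii\nContent-Transfer-Encoding: base64\n\n"
    + base64.b64encode(b"Buy now, limited offer!").decode()
)
```

Running `audit(SAMPLE_MSG, SAMPLE_HELO)` reports all three traits; the same message sent with a proper HELO and a single domain throughout only trips the base64 check.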

That’s a short list of things that legitimate mailers should never do. There are others, but the underlying issue is to comply with the SMTP spec and not to do things that attempt to bypass or avoid filters.
