Home | About Spam | About SpamBouncer | Downloads | Configuration | Reference | Resources

Overview | How it Works | Flowchart | Filter Types | Delivery Methods | Block Notifications | Reports

SpamBouncer Filter Types

All SpamBouncer filters fall into one of the following categories. The SpamBouncer filters for each of these things in the order shown below because certain types of spam or dangerous content have obvious and unmistakeable features. If that spam can be caught by looking for those features first, the SpamBouncer does not need to use extra computer resources to look for other, less certain spam signs.

Contents

• Virus
• Dangerous Code
• Spam Source
• Spam Haven
• Spam Software
• Suspicious Headers
• Blocklists
• Pattern Match

Virus

Email that contains body text strings which match the SpamBouncer's profile of a particular virus or class of viruses is classified as a Virus. The SpamBouncer analyzes incoming email for viruses before it checks your local whitelists (the NOBOUNCE, GLOBALNOBOUNCE, and LEGITLISTS files) because virus email often comes from an infected computer belonging to someone you know and regularly correspond with. Such email is sent by the virus or trojan without the computer owner's knowledge or consent.

The SpamBouncer does not analyze such email further and, by default, discards it. This is why:

• There are very few false positives with email classified as a virus.
• Virus-infected email is dangerous to many users who read their email on vulnerable computers. Most of these vulnerable computers are Microsoft Windows-based computers that do not have the most current security patches to the operating system or a current anti-virus program.
• Viruses often spread in waves. Large numbers of copies of a new virus or new version of an old virus can bombard your mail server and fill up your mailbox. By discarding such email outright, the SpamBouncer prevents your mailbox from filling up with useless virus-generated email.

If you do not want the SpamBouncer to discard email classified as a Virus, you can configure it to treat this email exactly as it does email classified as spam.

Return to Table of Contents

Dangerous Code

Email that contains an attached executable file, an active script, or other active content is tagged as dangerous, and is classified as spam. The SpamBouncer analyzes incoming email for dangerous content before it checks your local whitelists (the NOBOUNCE, GLOBALNOBOUNCE, and LEGITLISTS files) because this email can contain a virus or trojan. Email that contains a virus or trojan often comes from an infected computer belonging to someone you know and regularly correspond with. Such email is sent by the virus or trojan without the computer owner's knowledge or consent.

An email with an unknown virus or trojan is dangerous to users with vulnerable computers, just as a known virus is. Unlike the virus filters, however, the "dangerous content" filters can catch legitimate email, such as:

• Executable files. Some users send executable files to other users via email. A common type of executable file sent via email is a self-extracting archive, a file that consists of one or more other files that have been compressed so that they require less time to send to other users over sometimes-slow Internet connections. Unfortunately, the SpamBouncer usually can't tell a non-dangerous executable attachment from one that contains a virus or trojan that it hasn't seen before.
• Executable hyperlinks. Users constantly send each other links to various web sites. On an insecure computer, however, clicking certain types of links can download an executable program from the web site to your computer, and then run that program, with no further warning to you. This type of hyperlink is as dangerous as an attached executable file. Fortunately, the SpamBouncer can distinguish between the vast majority of safe hyperlinks and dangerous executable hyperlinks. Since there are few legitimate uses for executable hyperlinks, false positives are relatively rare.
• Microsoft Office files. Many users send email with attached Microsoft Office data files. All types of Microsoft Office files can contain viruses because the file formats support active scripting, and many types of viruses can spread via these files. Unfortunately, the SpamBouncer can't tell a Microsoft Word file or Microsoft Powerpoint presentation that contains an unknown virus or trojan from one that does not.
• Other Executable Document files. Other document files produced by various programs can contain executable code and therefore a virus, although such viruses are relatively rare. Unfortunately, the SpamBouncer can't tell a document file of this type that contains a virus from one that does not.
• ZIP Archive files. Many newer viruses spread via a ZIP archive file attached to email, instead of an executable file. Since many computers are configured to trust these archive files and open them, and since these archive files can contain code that executes automatically when they are opened, these files are as dangerous as executable attachments for many users.
• Embedded JavaScript. The JavaScript format was designed to be safe, but bugs in the JavaScript code and -- even more -- the implementation of JavaScript in the Microsoft Internet Explorer browser, mean that JavaScript code embedded in MIME-encoded email can be dangerous for some users.

Different users may be at different levels of risk from email that the SpamBouncer deems to have dangerous content. A user who reads email on a Macintosh- or Unix-based workstation is immune to most Windows-based viruses, for example. In addition, some users may frequently receive email that contains certain types of files (such as Microsoft Word documents), while other users rarely or never receive such email. Each user knows his or her own situation best. You can therefore configure the SpamBouncer to block or allow all types of dangerous content. By default, the SpamBouncer considers any attached executable file or embedded executable hyperlink dangerous, but does not block executable document files, archives, or embedded JavaScript.

Return to Table of Contents

Spam Source

A spam source is an email address, domain, or IP block used to send spam. Most spam sources are owned by or controlled by the spammer in question. The SpamBouncer classifies any email from a spam source as spam unless you have whitelisted the sender.

Return to Table of Contents

Spam Haven

A spam haven is a web URL, email address, telephone number, or postal address provided in the message body of a spam to allow the recipient to contact the spammer. The SpamBouncer classifies any email that contains a known spam haven in the message body as spam unless you have whitelisted the sender.

Caution! If you are an anti-spammer who discusses spammers with your friends, you had better put their email addresses in your NOBOUNCE file! Otherwise, some of your discussions are likely to trigger a haven domain filter.

Return to Table of Contents

Spam Software

Certain bulk email software is designed solely or primarily for spamming. Common features of spam software that have no legitimate use include:

• Open Proxy and Open Relay support. Spam software often uses open proxies or open relays to send email. This is to prevent system administrators from blocking spam sources at their routers.
• Filter evasion techniques. Some spam software sprinkles garbage -- such as random HTML comments, bogus HTML tags, pointless HTML tags, invisible font strings, etc. -- through spam, breaking up the words in the psam and (so spammers think) defeating pattern matching filters that look for certain text strings. Fortunately, most of these techniques themselves are quite easy for any spam filter to spot, and (unlike standard pattern matching techniques) don't normally result in false positives. (Hey, who said spammers were intelligent?)

The SpamBouncer classifies any email that is sent using a bulk email program whose only known purpose is to spam, or that contains features whose only known use is spamming, as spam unless you have whitelisted the sender. The SpamBouncer may also negatively score email that is sent using a bulk email program that lacks safeguards against misuse by spammers, but does not classify it as known spam unless the email also meets other criteria for spam.

Return to Table of Contents

Suspicious Headers

Certain email headers are frequently found in spam and rarely, if ever, in legitimate email. These can include missing or empty From: headers, From: headers with multiple email addresses in them, missing or empty Message-ID: headers, multiple To: headers, certain types of email tracking codes, and other types of malformed or unusual headers.

The SpamBouncer negatively scores such email, although it does not classify it as certain spam unless it also meets other criteria for spamminess.

Return to Table of Contents

Blocklists

Email that is sent from an IP address or domain on a supported anti-spam blocklist is negatively scored by the SpamBouncer. In a few cases, such email may be negatively scored sufficiently that it is blocked. The SpamBouncer never treats such email as spam, however, unless it also meets other criteria for spamminess.

Return to Table of Contents

Pattern Match

Email that contains body text strings which match one or more of the SpamBouncer's profiles of common spam content is negatively scored by the SpamBouncer, and may be blocked. The SpamBouncer never treats such email as spam, however, unless it matches multiple patterns or also meets other criteria for spamminess.

Return to Table of Contents

©1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 and 2005 by Catherine A. Hampton. All rights reserved.