Fight Spam with Early Talking Detection

| Dec 26, 2011 | SECURITY, TECH |

Synopsis

A good way to improve efficiency against spammers is to use early talking detection:

  1. you own a SMTP relay platform and you want to improve its efficiency on spam fighting
  2. your current MTA has no early talking detection feature and you want to be able to add one.
  3. you want to offload the early talking detection feature from your SMTP server to an other device in your architecture.

What is Early Talking Detection?

The picture below shows the SMTP “hello phase”, in 4 steps:
smtp_helo_phase

  • Step 1: the client gets connected to the SMTP server
  • Step 2: the server acknowledge the SMTP connection by a “220 service ready” message
  • Step 3: the client sends his identity (basicaly his domain name)
  • Step 4: the server welcomes the client and the client is now allowed to send a mail

Usually, spammers have no time to waste, so they do the TCP connection then send directly the HELO packet to the server.
The Aloha can hold the connection on the client side and monitors it for a few seconds.
Then you have 2 options:

  1. If the client “speaks” first, it means it’s a spammer, so the connection can be closed safely. No need to bother the server with it.
  2. If the client waits for the SMTP banner during the observation period, it means it looks to be a regular user. So we may accept its connection and let the client and server speaks together.

This way of listening on the connection to detect if client talks first is called early talking detection.

Diagram

In order to use the Aloha in front of a public SMTP relay platform, it’s recommanded to configure it in reverse-proxy transparent mode, also known as Destination NAT.
That way, the SMTP servers will be aware of the client IP address.
In that mode, the default gateway of the server must be the Aloha, or you must configure Policy Based Routing to redirect traffic from the SMTP server source port 25 to the Aloha.
smtp_diagram

Configuration

In ALOHA, use the Layer7 (HAProxy) load-balancing tab and apply the configuration below:

frontend ft_smtp
  mode tcp
  bind :25
  source 0.0.0.0 usesrc clientip
  log global
  option tcplog
# reject SMTP connection if client speaks first before 30s
  tcp-request inspect-delay 30s
  acl content_present req_len gt 0
  tcp-request content reject if content_present
  default_backend bk_smtp

backend bk_smtp
  mode tcp
  balance roundrobin
  log global
  option tcplog
# SMTP health check
  option smtpchk HELO mydomain.com
  default-server inter 3s rise 2 fall 3
  server smtp1 10.0.0.1:25 check
  server smtp2 10.0.0.2:25 check

Links

Updates:
(1) renaming and updating the article to describe early talking detection and not grey listing

SHARE THIS ARTICLE
Tags: ,

RELATED STORIES