I'd guess that the biggest spam headache we all face is false positives--messages that are inadvertently flagged as spam. False positives can be a significant problem, particularly for businesses. After all, you don't want business associates to think you're ignoring them.

I recently wrote in the Security Matters blog about my findings with one particular mail server's various filters (at the URL below). The system uses a dozen filters to help eliminate unwanted email. One thing to keep in mind about filters is that what works for one entity might not work as well for another. You should try several filters and monitor your systems to determine what works best to eliminate the particular types of unwanted mail you receive.

http://www.windowsitpro.com/Article/ArticleID/49465

That said, my findings for the organization in question might be interesting to you. After observing the filters process more than 254,000 messages, I found that the most effective one for this particular organization is a simple language filter. The filter drops messages written in character sets that aren't used by the organization. Language filters might not be appropriate for every business, particularly those that have international relations, but many businesses might find such filtering useful.

The second most effective filter is an IP blacklist filter. IP blacklist filters query blacklist service providers about a given IP address, including the address of the message sender and any addresses that relayed a particular message along its delivery route. If the result of the query shows that the IP address is on the service provider's blacklist, then the probability is high that the message is spam. Some blacklist service providers also track addresses that are known to send viruses, Trojan horses, worms, back doors, and other sorts of malware. These blacklists can be useful in helping you keep such nuisances off your network.

A reader of the Security Matters blog asked which blacklists are used by the organization that I wrote about, so I thought I'd share those names here. The list of blacklist service providers is ordered based on the success rate of discovering blacklisted IP addresses:

sbl-xbl.spamhaus.org

blackholes.five-ten-sg.com

dnsbl.sorbs.net

t1.dnsbl.net.au

bl.spamcop.net

no-more-funn.moensted.dk

sbl.csma.biz

cn-kr.blackholes.us

cbl.abuseat.org

multihop.dsbl.org

list.dsbl.org

Another type of blacklist filtering is simple Uniform Resource Identifier (URI) filtering. Message content is scanned to locate all URIs in the body. Then those URIs can be checked against URI blacklist services to see whether any belong to known spammers. At the time I conducted my tests, I knew of only one URI blacklist provider, Spam URI Realtime Blocklists (SURBL), whose DNS address is multi.surbl.org. Since then, I've learned about another URI blacklist service provider, URIBL.COM, whose DNS server address is multi.uribl.org. I just started using URIBL.COM last week, so I'm not yet sure how well it performs.

Keep in mind that blacklist filters can also produce false positives. However, most people agree that using a blacklist filter is highly effective. Other types of filters you might investigate or write your own scripts for are ones that check for weird spelling patterns (such as "s.A v.e. B 1 g.!!!") and SMTP header validators that check for standards compliance.

For an explanation of how blacklist filters work, see "Dynamic Blacklists Demystified," at the first URL below. For links to other articles about blacklist filters on our Web site, use the second URL below.

http://www.windowsitpro.com/Article/ArticleID/45907

http://windowsitpro.com/search/index.cfm?Action=Search&incdocsets=3&sortby=date&qs=blacklists

Jeff Makey publishes a monthly report that shows which IP blacklist services perform best for his environment. Bookmark his report page URL (listed below) and check out the report once in a while--over time, you might learn about new IP blacklist service providers that you didn't know existed.

http://www.sdsc.edu/~jeff/spam/cbc.html