STOCKADE - A network-level spam mitigation tool

Acknowledgement

This work was supported by a grant from the auDA Foundation in October 2006. The auDA Foundation is a charitable trust established by .au Domain Administration Limited (auDA) to promote and encourage education and research activities that will enhance the utility of the Internet for the benefit of the Australian community.

Overview

Stockade is a TCP-layer tool for reducing the level of network traffic arriving at an SMTP server due to spammers. Stockade has initially been implemented under FreeBSD 6.2, with future plans to generalise to other *nix-like environments.

The Stockade blacklist server (blserv) operates at the network level as a filter. It sits 'in front' of your mailserver, rejecting incoming TCP connections from known (or suspected) spammers. The rejection is statistical in nature, based on the presumed likelihood of a new connection's source being 'a spammer'.

Stockade is designed to collaborate with existing spam classification tools, such as SpamAssassin or SpamBayes. A set of tools is provided that enables external applications to register spam with the blacklist server, using a simple text-based protocol. See doc/protocol.txt for details.

A unique feature of stockade is the auto-rehabilitation of IP addresses that have previously been declared to be spammers. Blacklisted IP addresses initially have new TCP connection attempts rejected with 100% probability. Then, over time, stockade slowly rehabilitates the IP address - reducing the connection rejection probability a few percent at a time. If the source sends new spam in the future, the rejection probability goes back to 100%. Otherwise, the source is eventually rehabilitated (allowed to resume sending us emails) without manual operator intervention. A number of configuration options exist for mail server managers to adjust the rehabilitation process.

Stockade version 0.2 was released to the community in March 2007, and is licensed under the GNU General Public License.

Illustration

The diagram below illustrates the flow of events in a simple case where three different SMTP clients attempt to transfer an email to a Stockade-protected mail server. The initial TCP SYN (connection establishment) packet from each client is treated differently, depending on whether stockade currently believes the source to be a probable spammer.

In this example source#2 is considered to be a spammer, and receives an immediate TCP RST (rejecting the connection attempt without bothering the SMTP Server at all). Source#1 (a non-spammer) and source#3 (a spammer not yet detected) are allowed to establish a TCP connection to the SMTP Server, and initiate the usual SMTP exchange. The mail server's existing anti-spam mail filter system then detects the spam coming from source#3, and informs stockade to update its list of sources to reject in the future.

Over time, stockade will slowly reduce the probability with which it sends a RST in response to a SYN from a previously identified spammer. Thus, if source#2 and source#3 were wrongly targeted (or mend their ways) stockade will eventually (after some configurable period of time) allow them to establish inbound SMTP connections again. This local rehabilitation side-steps one of the problems associated with centralised, 3rd-party black-lists not being updated in a timely fashion.
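To make the rehabilitation policy and the three-source scenario above concrete, here is an added Python model of the per-source rejection probability. It is not stockade's own code (blserv is a FreeBSD tool); the step size, the interval, the expiry at 0% and the 192.0.2.x addresses are assumed values chosen for this example.

```python
import ipaddress
import random

class StockadeBlacklist:
    """Per-source SYN rejection with auto-rehabilitation. step_percent and
    interval are assumed values for this example, not stockade's defaults."""

    def __init__(self, step_percent=5, interval=3600.0, rng=None):
        self.step = step_percent      # percentage points removed per step
        self.interval = interval      # seconds between rehabilitation steps
        self.rng = rng or random.Random()
        self.entries = {}             # ip -> (reject_percent, last_step_time)

    def register_spam(self, ip, now):
        """Called by the mail filter (e.g. SpamAssassin) when ip sent spam."""
        key = str(ipaddress.ip_address(ip))   # normalise, reject bad input
        self.entries[key] = (100, now)        # back to 100% rejection

    def rehabilitate(self, now):
        """Apply every elapsed rehabilitation step; expire clean sources."""
        for key, (pct, last) in list(self.entries.items()):
            steps = int((now - last) // self.interval)
            if steps <= 0:
                continue
            pct -= steps * self.step
            if pct <= 0:
                del self.entries[key]          # may send mail again
            else:
                self.entries[key] = (pct, last + steps * self.interval)

    def reject_probability(self, ip, now):
        self.rehabilitate(now)
        pct, _ = self.entries.get(str(ipaddress.ip_address(ip)), (0, now))
        return pct / 100

    def on_syn(self, ip, now):
        """Filter decision for an inbound SYN: RST it or let it through."""
        if self.rng.random() < self.reject_probability(ip, now):
            return "RST"          # rejected before the SMTP server sees it
        return "SYN-ACK"          # connection proceeds to the SMTP server

def walk_through(now=0.0):
    """The page's three-source scenario with constructed RFC 5737 addresses."""
    bl = StockadeBlacklist()
    bl.register_spam("192.0.2.2", now)          # source#2 already listed
    decisions = {ip: bl.on_syn(ip, now)
                 for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3")}
    bl.register_spam("192.0.2.3", now)          # filter now flags source#3
    return decisions, bl.reject_probability("192.0.2.3", now)
```

With the assumed 5 points per hour, a listed source that sends no further spam is back to unrestricted delivery after 20 hours, and any new spam report resets it to 100%.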

[Diagram: stockade event flow for the three SMTP clients described above]

Project Members

  • Malcolm Robb (Research Assistant and Author of stockade 0.2)
  • Grenville Armitage (Project leader)
  • Adam Black (Research Assistant)


Last Updated: Thursday 5-Apr-2007 16:45:44 EST | Maintained by: Grenville Armitage (garmitage@swin.edu.au) | Authorised by: Grenville Armitage (garmitage@swin.edu.au)