STOCKADE - A network-level spam mitigation tool
This work was supported by
a grant from the auDA Foundation
in October 2006. The auDA Foundation a charitable trust established
by .au Domain Administration Limited (auDA) to promote and
encourage education and research activities that will enhance
the utility of the Internet for the benefit of the Australian
Stockade is a TCP-layer tool for reducing the level of network
traffic arriving at an SMTP server due to spammers. Stockade has
initially been implemented under FreeBSD 6.2, with future plans to
generalise to other *nix-like environments.
The Stockade blacklist server (blserv) operates at the network
level as a filter. It sits 'in front' of your mailserver, rejecting
incoming TCP connections from known (or suspected) spammers. The
rejection is statistical in nature, based on the presumed likelyhood
of a new connection's source being 'a spammer'.
Stockade is designed to collaborate with existing spam classification
tools, such as SpamAssassin or SpamBayes. A set of tools are provided
that enable external applications to register spam with the blacklist
server, using a simple text-based protocol. See doc/protocol.txt for
A unique feature of stockade is the auto-rehabilitation of IP
addresses that have previously been declared to be spammers.
Blacklisted IP addresses initially have new TCP connection attempts
rejected with 100% probability. Then, over time, stockade slowly
rehabilitates the IP address - reducing the connection rejection
probability a few percent at a time. If the source sends new spam
in the future, the rejection probability goes back to 100%. Otherwise,
the source is eventually rehabilitated (allowed to resume sending
us emails) without manual operator intervention. A number of configuration
options exist for mail server managers to adjust the rehabilitation process.
Stockade version 0.2 was released to the community in March 2007,
and is licenced under the GNU General Public License
The diagram below illustrates the flow of events in a simple case
where three different SMTP clients attempt to transfer an email to
a Stockade-protected mail server. The initial TCP SYN (connection
establishment) packet from each client is treated differently,
depending on whether stockade currently believes the source to be
a probable spammer.
In this example source#2 is considered to be a
spammer, and recives an immediate TCP RST (rejecting the connection
attempt without bothering the SMTP Server at all).
Source#1 (a non-spammer) and source#3 (a spammer not yet detected)
are allowed to establish a TCP connection to the SMTP Server, and
initiate the usual SMTP exchange. The mail server's existing
anti-spam mail filter system then detects the spam coming from
source#3, and informs stockade to update its list of sources to
reject in the future.
Over time, stockade will slowly reduce the probability with which
it sends a RST in response to a SYN from a previously identified spammer.
Thus, if source#2 and source#3 were wrongly targetted (or mend
their ways) stockade will eventually (after some configurable
period of time) allow them to establish inbound SMTP connections
again. This local rehabilitation side-steps one of the problems
associated with centralised, 3rd-party black-lists not being updated
in a timely fashion.
- Malcolm Robb (Research Assistant and Author of stockade 0.2)
- Grenville Armitage (Project leader)
- Adam Black (Research Assistant)