Monitoring

FOSE has implemented a number of mechanisms to mitigate the spam problem. These include, but are not limited to, the following:

  1. Routing all mail from non-customer domains that is marked as spam through the NDR pool.

  2. Changing (1) to route all spam, from customer or non-customer domains, through the NDR pool. We realized that this was necessary when we discovered that customer email accounts get compromised all the time.

  3. Adding more outbound IPs to spread the risk around a larger set of IP addresses.

  4. Monitoring the number of 550 notifications that we receive from 3rd party mailers.

  5. Subscribing to 3rd party feedback loops and monitoring the spam complaints that their users generate.

All of the above solutions have helped manage the problem of outbound spam, but the one that has had the greatest impact by far is the last one – monitoring 3rd party feedback loops. In this regard, it isn’t even close.

Large webmail providers allow you, as a mail sender, to sign up for a feedback loop, or FBL, by registering your set of outbound IPs with them. When one of their users logs into their webmail account, they can click “This is Spam.” When they do, the webmail provider looks at who the mail came from, and if it’s yours, they send a copy of the mail back to you, via SMTP, in Abuse Reporting Format (ARF). From there, you can monitor the inbox that receives these reports by parsing through it and watching for spikes in complaints.

This means that you have to go through that inbox and look for spammers. You must determine which customer sent the spam message and then take appropriate action. We parse through it every hour and keep careful statistics on who is sending outbound spam. Full automation of this process has been elusive, but luckily, we have been able to take some fairly reliable shortcuts to figure out when we are spamming, backtrack it to a customer, and take steps to cut them off. Cutting off a spammer is a big priority because outbound spam can still go through the regular outbound pool, and that is poison for our service.

 


The entire process of monitoring our outbound spam via the feedback loops is called the Spam Early Warning Report, or SEWR[1] for short. The SEWR parses through the inbox and sends a summary via email. A second report, SEWR Alarm, is a condensed version of the SEWR that uses statistical analysis to detect anomalies. It sends an alert when it identifies a customer who is spamming and sending that spam outbound through us.
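The hourly FBL parsing and statistical alerting described above can be sketched as follows. This is an added example, not FOSE's actual SEWR code: the mapping from the reported mail's From domain to a customer, the mean-plus-3-sigma threshold, the minimum complaint floor and the sample report are all assumptions made for illustration.

```python
import email
from collections import Counter
from email import policy
from statistics import mean, pstdev

def parse_arf(raw: bytes) -> dict:
    """Extract Source-IP, Feedback-Type and the reported mail's From domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type(), msg.get_param("report-type")) != (
            "multipart/report", "feedback-report"):
        raise ValueError("not an ARF feedback report")
    out = {}
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":   # machine-readable report fields
            fields = part.get_payload(0)
            out["source_ip"] = fields["Source-IP"]
            out["type"] = fields["Feedback-Type"]
        elif ctype == "message/rfc822":          # copy of the mail the user flagged
            sender = part.get_payload(0)["From"].addresses[0]
            out["domain"] = sender.domain.lower()
    return out

def spiking_customers(reports, domain_owner, history, min_complaints=5, k=3.0):
    """Customers whose complaints this hour exceed mean + k*stdev of past hours.
    domain_owner (From domain -> customer id) is a hypothetical attribution rule."""
    counts = Counter(domain_owner.get(parse_arf(r).get("domain"), "unknown")
                     for r in reports)
    alerts = []
    for customer, n in counts.items():
        past = history.get(customer, [0])        # prior hourly complaint counts
        if n >= min_complaints and n > mean(past) + k * pstdev(past):
            alerts.append(customer)
    return sorted(alerts)

def sample_arf(source_ip: str, sender: str) -> bytes:
    """Constructed ARF report for the demo (not real FBL traffic)."""
    return "\r\n".join([
        "From: fbl@webmail.example", "To: fbl-inbox@filter.example",
        "Subject: FW: complaint", "MIME-Version: 1.0",
        "Content-Type: multipart/report; report-type=feedback-report; boundary=b1",
        "", "--b1", "Content-Type: text/plain", "", "This is an abuse report.",
        "--b1", "Content-Type: message/feedback-report", "",
        "Feedback-Type: abuse", "User-Agent: ExampleFBL/1.0", "Version: 1",
        f"Source-IP: {source_ip}", "",
        "--b1", "Content-Type: message/rfc822", "",
        f"From: {sender}", "To: user@webmail.example", "Subject: hello", "",
        "body", "--b1--", ""]).encode()
```

Attribution by From domain alone is easy to spoof, so a production pipeline would more likely key on a header or identifier that the filtering service itself stamps on outbound mail.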


[1] A fitting acronym, considering the quality of the mail that goes through there.