How does the POPcon PRO antispam feature work / why is it not 100% accurate?

The POPcon Antispam function is based (apart from the self-defined black- and whitelists for senders or words in the subject or mail text) on open internet DNS-Blacklists.

These DNS blacklist server list IP addresses (not email addresses!) that have been caught sending out spam before. POPcon checks incoming emails for whether or not they come from one of these IP addresses listed on the blacklist servers. The content of the email is not relevant to this check.

The blacklist servers on the other side get their information about spam senders from so called “spamtraps”. Spamtraps are email addresses that are not used for emailing at all but just sit there and wait for incoming spams. Various ways are used to make these email addresses known to spammers but not to normal users. Any incoming email is automatically checked for the IP address of the sender and that IP address is then listed on the blacklist server in real time.

You can add more antispam servers to POPcon’s list on the SPAM tab in the configuration. You could use this website: http://moensted.dk/spam/ to check some IP addresses of emails that got through undetected to see on which lists these IP addresses are already listed. Then add these lists to POPcon’s list of antispam servers to check. To find IP addresses of the email sender look in the mail headers (Outlook: VIEW, OPTIONS, Internet Mail Headers. Outlook 2007: Expand the Options section with the little arrow in the lower right hand to see the headers), check the Received…for headers for IP addresses.

False positives: Unfortunately spammers now often use DSL connections and even abuse other users’ computers on DSL internet connections to send out spams. This causes the IP addresses of public DSL carriers to often land on the blacklist servers as spam sender addresses. Even worse, using DSL means users get assigned a new IP address out of the carriers IP range once every 24 hours meaning that normal users sometimes get IP addresses just abused by a spammer during the last 24 hour period and email coming from this normal user then to the blacklists looks as if it is still related to the spammer. All the big carriers try to get their IP addresses removed frequently from the blacklists, but this takes time and in the meantime normal user’s email is sometimes tagged as spam – false positives.

Spam not detected: On the other hand it does take some time for a fresh IP address to get listed on the blacklist servers once a spammer starts to send out spam to his lists of millions of emails. During this time, the DNS blacklist method can not detect spam.

But even a text analysis that looks for certain keywords is not very accurate because the spam senders nowadays always “decorate” the notorious words like “v1-a.gr a” or even use non-OCR-able images instead of text.

Antispam will stay a hot topic and we will continue to work on this feature in POPcon. If you have any ideas on this please let us know at whishlist@servolutions.com.