LinuxMagic - OpenSource - Anti-Spam
Best Practices for ISP's and Network Operators
There are many great online resources to 'Best Practices for ISP's and Network Operators' and many of these apply to the prevention of both inbound and outbound spam. We suggest that you read them, in addition to these hints and recommendations, to help you stop the proliferation of Unwanted Bulk Email (UBE).
We have even created a dedicated section for Email Best Practices
Top 10 Suggestions for Email Operators
- Stop all access attempts from IP Addresses with no reverse DNS at the connection level
Statistics show that approximately 20% of the most abusive attackers come from IP Addresses with no reverse DNS. Why let them connect to your SMTP daemon or worse accept anything they send you? Save your bandwidth and overhead, and block them. Often these are BotNets attempting to guess passwords, perform dictionary attacks, or send spam. Either the sender doesn't know how to set up a mail server, or they are up to no good. Most large ISPs block them at the connection level.
- Stop all SMTP traffic, that has reverse DNS, which reflects home PC connections (ie. 0.0.127.mydialup.bigisp.com).
Statistics show that over 50% of the most abusive attempts come from these type of connections. Make sure your SMTP daemon can tell the difference between inbound and customers emails - separate connections, SMTP AUTHENTICATION. Inbound mail should not come from an IP with that form of address. This can lower both your bandwidth and overhead, as well as provide 'Zero Day' protection against any new forms of spam.
- Don't bounce email wherever possible (valid user checking and virus scanning).
Senders are usually forged, and the only way you can notify a sender is during the SMTP connection. Do virus scanning, valid user checking, etc, all at the SMTP level. If you don't - you are adding to the problem, and you may find that your server gets blacklisted by others because of too many bounces.
- Provide inbound connection limits on all services
Hackers are always trying to brute force accounts, so protect all your services, not just your SMTP. A great technique is to set a default limit, and every time a password fails, count that as ten or 20 regular connection attempts. As well, by limiting your rates, you can catch abusers before they fill up your users' mailboxes, or overwhelm your servers.
- Provide outbound rate limits on SMTP traffic
This is the tool that would help most ISPs as more and more hackers compromise legitimate email accounts to send spam. Too many people still use 'test' and 'email' for passwords. As well, smarter trojan programs can use keyboard loggers to steal even the best passwords, or sniff the network for POP passwords which are sent via plain text. Without this you will find your email server blacklisted at some time point or another.
- Enforce SMTP authentication
Many ISPs still allow customers to relay outbound mail without SMTP authentication, which means that any trojan, or connection on your network can now send spam through your server at will. Too many ISPs don't want to ask their customers to change, but you can start the process now. Explain to them it helps stop infected PCs from spreading spam and that they will benefit from it.
- Set up your Mail Server correctly (DNS, and HELO)
Far too many smaller companies have mail servers that either do not have a correct reverse DNS that shows who they are, or have a misconfigured server identification (HELO). There are many "Best Practices" documents on this, but if you don't comply, don't complain when your email gets blocked by others.
- Avoid Quarantining Email as much as possible
This may be controversial, but hopefully you aren't blocking legitimate mail anyways. However, this can save you a lot of support calls, as well as overhead and bandwidth. Of course, if
you are using filtering tools, this may be necessary, but you should try to block more, and filter less. When you block, the sender will see the reason the email got stopped, and can address
it with their email administrator, instead of you having to answer to your customers. If you quarantine mail, and if it is spam, the sender believes the email got through, will send more, and
maybe even sell the email address. And remember, if email data retention becomes law, do you want to store quarantined spam for who knows how many years?
- Do not allow Default Catch All Addresses
This used to be a handy feature, however now that spammers run dictionary attacks, and send from random addresses, it is easier to catch spammers when they fail valid user checking.
When using default catch all addresses your servers will be hit extra hard.
- Avoid acting as a backup MX for other companies
First of all, the internet email protocols ensure that if a server is down, that other servers will queue mail and wait for your servers to come on line anyways, but when you
are running as a backup MX, spammers tend to hit that first, before the main server, on the belief that the spam protection will be less. Also, you cannot run valid user
checking, and other normal recommended spam checks easily. If you have to run as a backup MX for customers' own mail servers, DO NOT use your main mail server for this.
You are better off running a permanent filtering service for your client, which can also act as a backup, rather than running in secondary mode.