How to avoid being Blacklisted and kill spam at the same time

[The_Librarian]

So you're a sysadmin, and one of your tasks is to ensure the smooth flow of email.

Simple?

Not quite.

The simplest thing is to install the email server and add users. After that, there's several considerations you will have to look at - or risk getting blacklisted.

Every term will have a link next to it, so you can read more on that.

1. Backscatter. http://en.wikipedia.org/wiki/Backscatter_%28email%29

Cause

Authors of spam and viruses wish to make their messages appear to originate from a legitimate source to fool recipients into opening the message so they often use web-crawling software to scan usenet postings, message boards, and web pages for legitimate email addresses.

Due to the design of SMTP mail, recipient mail servers receiving these forged messages have no simple standard way to determine the authenticity of the sender. If they accept the email during the connection phases then, after further checking refuse it - for example because they believe it to be spam they will use the (potentially forged) sender's address to attempt a good-faith effort to report the problem to the apparent sender.

Mail servers can handle undeliverable messages in three fundamentally different ways:

Reject. A receiving server can reject the incoming email during the connection stage while the sending server is still connected. If a message is rejected at connect time with a 5xx error code then the sending server can report the problem to the real sender cleanly.

Drop. A receiving server can initially accept the full message, but then determine that it is spam, and quarantine it - delivering to "Junk" or "Spam" folders from where it will eventually be deleted automatically. This is common behaviour, even though RFC 5321 says: "...silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate..."

Bounce. A receiving server can initially accept the full message, but then determine that it is spam or to a non-existent recipient, and generate a bounce message back to the supposed sender indicating that message delivery failed.

Backscatter occurs when the "bounce" method is used, and the sender information on the incoming email was that of an unrelated third party.

How to fix this :

Ensure that your mail server does not bounce emails for nonexistent users.

In Microsoft Exchange 2003 it is quite easy to set : Open Exchange System Manager, navigate to Global Settings - Message Delivery.
Right-click on Message Delivery, select Properties.
Click on the "Recipient Filtering" tab. Tick the "Filter Recipients who are not in the Directory" box.
What will happen now is that, when the server receives mail for an unknown user, it terminates the connection with a specific code, resulting in the originating email server producing an NDR without your server having to do anything (in a nutshell).

Most modern email distributions (Linux etc) have this option on as default, but it won't hurt to make sure.


2. Spam from a workstation (AAAUUUUGGGGHHHH )

This is the biggest problem all sysadmins have - as you won't know which workstation is sending out the spam initially. And you all know how users love to open attachments that say "Free games" or "Naked Lara Croft pictures" etc...

But if you apply some of the best practices, you should be able to narrow it down considerably.

- Block port 25 SMTP outgoing for all workstations (except the mail server - for obvious reasons!). If somebody complains his/her private email is not working, tough. Corporate emails is more important than private emails anyway. However, this might cause problems with visitors etc who need access to their email server(s) - but this can be overcome by having them SMTP via your server.

- Get a second ADSL line for web browsing only, and make this the default gateway on all the workstations (except the mail server). This means that, should a spambot get active, the spam will go out via this gateway and not via your email gateway. This will also help should a visitor (or user) need to access private emails etc.

3. Make use of free DNSBL's : http://en.wikipedia.org/wiki/DNSBL

Basically, a DNSBL is a list of machines who tend to send out spam. What happens is, if you make use of such a service, the source IP of all incoming mail is compared to the IP's on the DNSBL list, and if it matches, the email is dropped.

All dial-up IP's are on such a list, and it do make a huge difference.

Also, if you filter out messages first this way, then your secondary email filters will have much less work to do (and subsequently have lower CPU overheads).

The ones I'm using at present is :

Spamhaus zen - zen.spamhaus.org
SpamCop - bl.spamcop.net
SORBS - dnsbl.sorbs.net and spam.dnsbl.sorbs.net

There are a whole lot of others. Keep in mind that the free services are provided "as is" - if your server can't reach the DNSBL, then the spam might go through.

Paid services is supposed to offer better latency etc, but it's up to you to decide.

[The_Librarian]

4. Set up mail-filtering software

This will be to catch the straggling few bits 'n bytes that still make it through the DNSBL lists - most usually from other, compromised email servers.

I'm looking at ASSP in order to filter out the last few bits of spammy emails. More to follow later.

If anybody got experience with ASSP, do post it up here, I won't mind

You can also have a Postfix mail filter before your Exchange box - basically it gets all the mail first, do the processing on it, and forwards the rest to the Exchange server. This is an ideal solution if you really don't want to install any extra software on your Exchange box.


5. Other solutions - please post!

[PsyWulf]

Postini or hosted Antispam like Mailmarshal Service-provider edition can be used at a small fee per month. Benefit of the postini service is the possiblity of integrating it with Googleapps and having a fully redundant mail delivery system