Top 10 Suggestions for Email Operators
- Stop all access attempts from IP addresses with no reverse DNS at the connection level.
Statistics show that approximately 20% of the most abusive
attackers come from IP addresses with no reverse DNS. Why let them
connect to your SMTP daemon or, worse, accept anything they send you? Save
your bandwidth and overhead, and block them. Often these are botnets
attempting to guess passwords, perform dictionary attacks, or send spam.
Either the sender doesn't know how to set up a mail server, or they are
up to no good. Most large ISPs block them at the connection level.
- Stop all SMTP traffic whose reverse DNS reflects a home PC connection (e.g. 0.0.127.mydialup.bigisp.com).
Statistics show that over 50% of the most abusive attempts come
from this type of connection. Make sure your SMTP daemon can tell the
difference between inbound mail and your own customers' mail: give customers
separate connections and require SMTP authentication. Inbound mail should not
come from an IP with that form of address. This can lower both your bandwidth
and overhead, as well as provide 'Zero Day' protection against any new forms of spam.
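The two connection-level checks above (no reverse DNS, and reverse DNS that looks like a dial-up or home PC address), written out as an added example. This is not code from the original post; the keyword list and the "three consecutive octets in the hostname" rule are heuristics assumed here for illustration, and the customer submission service is assumed to run on a separate port with SMTP AUTH so that it can be exempted from these checks.

```python
import re
import socket
from typing import Optional

# Labels that typically mark dynamically assigned (home PC, dial-up, DSL,
# cable) address pools. This keyword list is an assumption for illustration;
# tune it against your own traffic.
DYNAMIC_LABEL = re.compile(
    r"^(dialup|dial|dyn|dynamic|dhcp|ppp|pool|dsl|adsl|cable)\d*$"
)


def looks_dynamic(ip: str, ptr: str) -> bool:
    """Heuristic: does this PTR name look like a home-PC / dial-up address?

    Signal 1: the name embeds three consecutive octets of the client's own
    IPv4 address, forwards or reversed, joined by '.' or '-' (the post's
    example 0.0.127.mydialup.bigisp.com is the reversed form).
    Signal 2: one of its labels is a typical dynamic-pool keyword.
    """
    name = ptr.lower().rstrip(".")
    octets = ip.split(".")
    if len(octets) != 4:
        return False  # IPv6 is out of scope for this illustration
    for window in (octets[:3], octets[1:]):
        for seq in (window, window[::-1]):
            for sep in (".", "-"):
                if sep.join(seq) in name:
                    return True
    return any(DYNAMIC_LABEL.match(label) for label in re.split(r"[.\-]", name))


def lookup_ptr(ip: str) -> Optional[str]:
    """Live reverse lookup; returns None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def connection_policy(ip: str, ptr: Optional[str], is_submission: bool = False) -> str:
    """Decide what to do with a new inbound connection, before any SMTP dialogue.

    ptr is the reverse-DNS result (None when there is none). Connections on the
    customer submission service (assumed: separate port, SMTP AUTH required) are
    exempt, since customers are expected to come from dynamic addresses and their
    sessions are authenticated instead. Returns 'accept' or a rejection reason.
    """
    if is_submission:
        return "accept"
    if ptr is None:
        return "reject: no reverse DNS"
    if looks_dynamic(ip, ptr):
        return "reject: reverse DNS looks like a home PC / dial-up address"
    return "accept"


if __name__ == "__main__":
    # Constructed sample clients (documentation-range addresses, no live lookups).
    for ip, ptr in [("203.0.113.7", None),
                    ("127.0.0.5", "0.0.127.mydialup.bigisp.com"),
                    ("198.51.100.25", "mail.example.org")]:
        print(ip, ptr, "->", connection_policy(ip, ptr))
```

In a real daemon `lookup_ptr` would be called at accept time and the result passed to `connection_policy`; the decision function takes the PTR as an argument so it can be tested without network access.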
- Don't bounce email wherever possible (do valid user checking and virus scanning at SMTP time).
Senders are usually forged, and the only way you can reliably notify a
sender is during the SMTP connection. Do virus scanning, valid user
checking, etc., all at the SMTP level. If you don't, you are adding to
the problem, and you may find that your server gets blacklisted by
others because of too many bounces.
- Provide inbound connection limits on all services
Hackers are always trying to brute force accounts, so protect
all your services, not just SMTP. A great technique is to set a
default limit, and every time a password fails, count that as ten or twenty
regular connection attempts. By limiting your rates, you can also
catch abusers before they fill up your users' mailboxes or overwhelm
your servers.
- Provide outbound rate limits on SMTP traffic
This is the tool that would help most ISPs, as more and more
hackers compromise legitimate email accounts to send spam. Too many
people still use 'test' and 'email' for passwords. Also, smarter
trojan programs can use keyboard loggers to steal even the best
passwords, or sniff the network for POP passwords, which are sent in
plain text. Without outbound limits you will find your email server
blacklisted at some point or another.
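One limiter that serves both of the previous two items, added here as an example (not the post's own code): a sliding-window counter in which each event carries a weight. For inbound connections the key is the client IP and a failed password costs ten ordinary attempts, as the post suggests; for outbound mail the key is the authenticated username and each message costs one. The limits and window sizes below are constructed sample values, and the injectable clock exists only so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple


class WeightedRateLimiter:
    """Sliding-window limiter where each recorded event carries a weight.

    A plain connection or message costs 1; a failed password costs
    `auth_fail_weight`, so a brute-force run exhausts the budget after a
    handful of failures while a legitimate client stays well within it.
    """

    def __init__(self, limit: int, window_seconds: float,
                 auth_fail_weight: int = 10,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.auth_fail_weight = auth_fail_weight
        self.clock = clock
        # key -> deque of (timestamp, weight), oldest first
        self._events: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def _prune(self, key: str) -> None:
        """Drop events that have aged out of the window."""
        now = self.clock()
        q = self._events[key]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def usage(self, key: str) -> int:
        """Weighted count of events for `key` inside the current window."""
        self._prune(key)
        return sum(weight for _, weight in self._events[key])

    def allowed(self, key: str) -> bool:
        """Is there budget left for one more unit of work from `key`?"""
        return self.usage(key) < self.limit

    def record(self, key: str, weight: int = 1) -> bool:
        """Record an event; return True if `key` is still within its limit."""
        self._prune(key)
        self._events[key].append((self.clock(), weight))
        return self.usage(key) <= self.limit

    def record_auth_failure(self, key: str) -> bool:
        """A failed password counts as `auth_fail_weight` ordinary attempts."""
        return self.record(key, self.auth_fail_weight)


if __name__ == "__main__":
    # Constructed sample: 50 units per 10 minutes per client IP for inbound
    # services, 200 messages per hour per authenticated user for outbound.
    inbound = WeightedRateLimiter(limit=50, window_seconds=600)
    outbound = WeightedRateLimiter(limit=200, window_seconds=3600)
    attacker = "203.0.113.9"
    for attempt in range(1, 7):
        ok = inbound.record_auth_failure(attacker)
        print(f"failure {attempt}: usage={inbound.usage(attacker)} within_limit={ok}")
    print("alice may send:", outbound.allowed("alice@example.org"))
```

The same object works for POP/IMAP login failures, since the key is just a string; for outbound limiting, call `record` once per recipient rather than once per message if you want to cap recipients rather than messages.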
- Enforce SMTP authentication
Many ISPs still allow customers to relay outbound mail without
SMTP authentication, which means that any trojan or any connection on your
network can send spam through your server at will. Too many ISPs
don't want to ask their customers to change, but you can start the
process now. Explain to them that it helps stop infected PCs from spreading
spam and that they will benefit from it.
- Set up your mail server correctly (DNS and HELO)
Far too many smaller companies have mail servers that either do
not have a correct reverse DNS that shows who they are, or have a
misconfigured server identification (HELO). There are many "Best
Practices" documents on this, but if you don't comply, don't complain
when your email gets blocked by others.
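A self-check for the DNS and HELO point above, added as an example that is not part of the original post. It encodes what "set up correctly" is taken to mean here (an assumption drawn from common practice): the server's IP has a PTR record, that PTR name resolves back to the same IP (forward-confirmed reverse DNS), and the HELO name is a fully qualified name that resolves to the IP. The resolver is injectable; `example_resolver` serves a small constructed zone so the checks run offline, while `system_resolver` uses the OS resolver for a real run.

```python
import socket
from typing import Callable, Dict, List, Tuple

# A resolver maps (query name, record type) to a list of answers; record type
# is "A" or "PTR". Both resolvers below follow this shape.
Resolver = Callable[[str, str], List[str]]

# Constructed zone data for the offline example (documentation addresses).
EXAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("mail.example.org", "A"): ["198.51.100.25"],
    # A PTR that points at a name resolving to a different address.
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
}


def example_resolver(qname: str, rtype: str) -> List[str]:
    return EXAMPLE_ZONE.get((qname.lower().rstrip("."), rtype), [])


def system_resolver(qname: str, rtype: str) -> List[str]:
    """Resolve through the operating system; empty list on any failure."""
    try:
        if rtype == "PTR":
            ip = ".".join(reversed(qname.replace(".in-addr.arpa", "").split(".")))
            return [socket.gethostbyaddr(ip)[0]]
        return sorted({r[4][0] for r in socket.getaddrinfo(qname, None, socket.AF_INET)})
    except OSError:
        return []


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name for an IPv4 address (IPv4 only here)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_mail_server(ip: str, helo_name: str, resolve: Resolver) -> List[str]:
    """Return the problems found; an empty list means the server passes."""
    problems: List[str] = []
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        problems.append(f"{ip} has no reverse DNS (PTR) record")
    elif ip not in resolve(ptrs[0], "A"):
        problems.append(f"PTR {ptrs[0]} does not resolve back to {ip}")
    if "." not in helo_name:
        problems.append(f"HELO name {helo_name!r} is not a fully qualified domain name")
    elif ip not in resolve(helo_name, "A"):
        problems.append(f"HELO name {helo_name} does not resolve to {ip}")
    return problems


if __name__ == "__main__":
    for ip, helo in [("198.51.100.25", "mail.example.org"),
                     ("203.0.113.7", "mail"),
                     ("192.0.2.10", "mail.example.org")]:
        print(ip, helo, "->", check_mail_server(ip, helo, example_resolver) or "OK")
```

Run it against your own public IP and the HELO name configured in your MTA with `system_resolver` in place of `example_resolver`; every line it prints is something a receiving server may use as a reason to refuse your mail.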
- Avoid quarantining email as much as possible
This may be controversial, but hopefully you aren't blocking
legitimate mail anyway. However, this can save you a lot of support
calls, as well as overhead and bandwidth. Of course, if
you are using filtering tools, quarantining may be necessary, but you
should try to block more and filter less. When you block, the sender
will see the reason the email got stopped and can address
it with their email administrator, instead of you having to
answer to your customers. If you quarantine mail, and it is spam, the
sender believes the email got through, will send more, and
may even sell the email address. And remember, if email data
retention becomes law, do you want to store quarantined spam for who
knows how many years?
- Do not allow default catch-all addresses
This used to be a handy feature; however, now that spammers run
dictionary attacks and send from random addresses, it is easier to
catch spammers when they fail valid user checking.
With a default catch-all address your servers will be hit
extra hard.
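The recipient-time rules from three of the items above (reject rather than bounce, enforce SMTP authentication for relaying, no catch-all) combined into one policy handler, added as an example that is not the post's own code. It follows the shape of the Postfix SMTPD policy delegation protocol, in which the MTA sends `name=value` lines ending in a blank line and expects an `action=` reply; the local domain, mailbox list and sample request are constructed for the example, and the rejection texts are assumptions.

```python
from typing import Dict, Set

# Constructed directory data: domains this server is authoritative for, and
# the mailboxes that actually exist in them (no catch-all).
LOCAL_DOMAINS: Set[str] = {"example.org"}
LOCAL_USERS: Set[str] = {"alice@example.org", "bob@example.org"}


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def rcpt_policy(attrs: Dict[str, str]) -> str:
    """Return an access-map style action for the RCPT stage.

    Rules (the post's recommendations, encoded here as assumptions):
      * Mail for a local domain is accepted only for mailboxes that exist, so
        an unknown user is refused inside the SMTP transaction and never
        generates a bounce to a (probably forged) sender.
      * Mail for any other domain is relaying, which is allowed only when the
        session has authenticated (sasl_username is set).
    'DUNNO' lets the MTA continue with its remaining restrictions.
    """
    if (attrs.get("request") != "smtpd_access_policy"
            or attrs.get("protocol_state") != "RCPT"):
        return "DUNNO"
    recipient = attrs.get("recipient", "").lower()
    _, _, domain = recipient.rpartition("@")
    if domain in LOCAL_DOMAINS:
        if recipient in LOCAL_USERS:
            return "DUNNO"
        return "REJECT 5.1.1 User unknown"
    if attrs.get("sasl_username"):
        return "DUNNO"
    return "REJECT 5.7.1 Relay access denied; authenticate to send mail"


def handle(raw_request: str) -> str:
    """Produce the wire response: 'action=...' followed by a blank line."""
    return f"action={rcpt_policy(parse_policy_request(raw_request))}\n\n"


# Constructed sample request: an unauthenticated client trying a made-up mailbox.
SAMPLE_UNKNOWN_USER = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "client_name=unknown\n"
    "helo_name=example.net\n"
    "sender=someone@example.net\n"
    "recipient=zzz9@example.org\n"
    "sasl_username=\n"
    "\n"
)

if __name__ == "__main__":
    print(handle(SAMPLE_UNKNOWN_USER), end="")
```

Wired into Postfix as a `check_policy_service` entry in `smtpd_recipient_restrictions`, the handler runs for every RCPT command; the listening address and port are whatever you choose for the daemon. Because the verdict is returned before the message body is accepted, the sending server, not yours, is the one that has to deal with the failure.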
- Avoid acting as a backup MX for other companies
First of all, the Internet email protocols already ensure that if a
server is down, other servers will queue mail and wait for your
servers to come back online anyway. But when you
are running as a backup MX, spammers tend to hit it first,
before the main server, on the belief that its spam protection will be
weaker. Also, you cannot easily run valid user
checking and the other normally recommended spam checks. If
you have to run as a backup MX for customers' own mail servers, DO NOT
use your main mail server for this.
You are better off running a permanent filtering service for
your clients, which can also act as a backup, rather than running in
secondary mode.