Rejected Messages, SPAM, Blacklisting, and a box of Kleenex.

For any other discussion relating to MailEnable.
jskelley510
Posts: 7
Joined: Sat Mar 01, 2003 2:12 am
Location: Hercules, CA (San Francisco Bay Area)

Rejected Messages, SPAM, Blacklisting, and a box of Kleenex.

Post by jskelley510 »

Here's a little advice.

It doesn't take long for a spammer to find an open relay. If you don't know how to restrict relaying, shut down your email services and start reading about relaying mail. Use my misfortunes from over the years to help you avoid the simple things in life.

So, you got DSL, a static IP Address, and a free email server...

Lisle: (right after Madeline has drunk the potion) "Now, a warning." Madeline: "NOW a warning ???!!!!"

-- from Death Becomes Her

1) I've noticed that my newly created domain names are probed within 48 hours. An account name "myhouse" was hit dozens of times a week. Then a list of "common names" were probed. "john, jon, johnny, jonny, joseph, joe, joey, ...." Be aware that your newly created service is broadcast to the world. If you create a new domain with one of the popular registration companies, uncheck all the boxes relating to "share information with our partners or other services."

2) Buy a firewall. I like having a stand alone firewall vs. PC Software. SonicWall, Cisco, and many others have products under $500. It sounds like a lot, but trust me, you'll never regret it.

3) Authenticate! Authenticate! Authenticate! It's so easy to set up the client programs for authenticated SMTP. If there are programs that cannot use authentication, use static IPs and enter the IP in the access control, or use DHCP and use a range in the access control. Sorry, I'm too much of a control freak and I use static IPs only. I have one collaboration service running that doesn't have authenticated SMTP and it really bugs me that I have a relayed IP. Yes, it's behind the firewall and MailEnable is really excellent, but I've been burned before.

4) Kill off the verbs. Turn off "VRFY" and "EXPN" in the SMTP settings. They can only end in tears.

5) Don't use a "catch-all." It can give a false positive relay. Plus, spammers see "<any bogus name>@acmepickle.com" as a "real" address and open up the floodgates.

6) Kill off the common name: webmaster, sales, marketing, jobs, john, chris, etc. Common names are more likely to get spammed. If "sales" is a group name, then many people will be spammed.

7) Test your server for relaying. There are a number of services available, just Google: "email relay test." If you're not behind a firewall, or you have a catch-all, or your relay settings are reversed from/to grant or reject, be prepared to fail. These failures are recorded by the testing site and they limit you to 10 tests an hour.

8) Use the blacklist feature, but monitor your logs. I had a real email message get rejected because the IP of the sender was on a blacklist. I called the IT manager; she was baffled. Email was rejected from aol.com, pacbell.net. I told her to look in her logs, because some spam blacklisters will give you a URL of their organization. Like my prior experience, it took twenty minutes to fix the relay and two weeks to get off everyone's list. It's really unprofessional to force your users to send mail using Yahoo mail to certain clients because you relayed mail.

9) Remove "mailto:" statements on your web pages. Viruses now check the browser cache for email addresses. I recommend using "Flash Text" from Macromedia's Dreamweaver.

10) READ YOUR LOGS! A warning! Everyone loves sausages... you just don't wanna know what's in it. However, you will learn a lot from what goes on inside SMTP.

Bonus) Work with an email package that has a forum like this!

Best of luck,

John

P.S. please add to this list!
Last edited by jskelley510 on Thu Apr 03, 2003 1:00 am, edited 1 time in total.
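As an added example (not from the post above and not MailEnable's code), the following Python models the decision a properly restricted server makes at RCPT TO time, and runs the recipient forms that public relay tests (point 7) send from an outside, unauthenticated address. It goes a little beyond the post: besides the plain external recipient it also handles the source-route, "%" and "!" address tricks that make a relayed recipient look local. The domain acmepickle.com is taken from the post; the mailbox list, the 192.168.1.0/24 trusted range, and the 203.0.113.9 tester address are assumptions.

```python
"""Toy SMTP relay-policy model (added example; not MailEnable code).

Assumed: acmepickle.com is the only local domain, three mailboxes exist,
and only 192.168.1.0/24 may relay without authenticating.
"""
import ipaddress

LOCAL_DOMAINS = {"acmepickle.com"}
LOCAL_ACCOUNTS = {"john", "postmaster", "abuse"}
RELAY_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Replies for the address-harvesting verbs of point 4 once they are disabled.
DISABLED_VERB_REPLY = {
    "VRFY": "252 Cannot VRFY user, but will accept message and attempt delivery",
    "EXPN": "502 Command not implemented",
}


def final_destination(rcpt):
    """Reduce a RCPT TO argument to (local_part, domain, rewritten).

    Relay testers wrap an external address so that the part after the last
    '@' looks local: source routes, the '%' hack and '!' bang paths.  A
    server that decides on the surface domain alone will relay them.
    Returns None for a malformed address.
    """
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    rewritten = False
    # Source route "@acmepickle.com:user@remote": the hop list is discarded.
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
        rewritten = True
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    # Percent hack "user%remote@acmepickle.com" really means user@remote.
    if domain in LOCAL_DOMAINS and "%" in local:
        local, domain = local.rsplit("%", 1)
        rewritten = True
    # Bang path "remote!user@acmepickle.com" really means user@remote.
    if domain in LOCAL_DOMAINS and "!" in local:
        domain, local = local.split("!", 1)
        rewritten = True
    return local, domain.lower(), rewritten


def rcpt_decision(client_ip, authenticated, rcpt, catch_all=False):
    """Return the SMTP reply for one RCPT TO under the relay policy."""
    dest = final_destination(rcpt)
    if dest is None:
        return "501 Syntax error in parameters or arguments"
    local, domain, _ = dest
    if domain in LOCAL_DOMAINS:
        # Local delivery: a catch-all (point 5) makes every name "exist".
        if catch_all or local.lower() in LOCAL_ACCOUNTS:
            return "250 Requested mail action okay, completed"
        return "550 Requested action not taken: mailbox unavailable"
    # Anything else is relaying: allowed only for authenticated sessions
    # or for clients inside the trusted range (point 3).
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in RELAY_NETS):
        return "250 Requested mail action okay, completed"
    return "550 Relaying denied"


# The recipient forms a public relay test sends from an outside address.
RELAY_PROBES = [
    "<probe@remote.example>",                  # plain external recipient
    "<probe%remote.example@acmepickle.com>",   # percent hack
    "<@acmepickle.com:probe@remote.example>",  # source route
    "<remote.example!probe@acmepickle.com>",   # bang path
]


def run_relay_test(client_ip="203.0.113.9", catch_all=False):
    """Unauthenticated probes from an assumed tester IP (RFC 5737 range)."""
    return {p: rcpt_decision(client_ip, False, p, catch_all) for p in RELAY_PROBES}


def is_open_relay(results):
    """True if any probe whose real destination is external got a 250."""
    for rcpt, reply in results.items():
        dest = final_destination(rcpt)
        if dest and dest[1] not in LOCAL_DOMAINS and reply.startswith("250"):
            return True
    return False


if __name__ == "__main__":
    results = run_relay_test()
    for rcpt, reply in results.items():
        print(f"{rcpt:42} -> {reply}")
    print("open relay:", is_open_relay(results))
```

The point of `final_destination` is that a relay check has to be made on where the message would actually go, not on the domain that happens to follow the last "@". A catch-all changes only the local branch (any name at acmepickle.com is accepted); it does not turn the server into a relay, but it does make every guessed local name look real to a sender.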

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

John - Great advice. MailEnable is obviously not an open relay when it is installed. When we changed the default settings to require authentication we were initially flooded with support queries regarding why people could not send mail and needed to authenticate, but now it seems the term "open relay" is a little more worldly (particularly to those who have been stung once).

Unfortunately, for every one stung, 100000 people feel the pain. We can only hope that our legal system directs itself away from people falling off chairs and to punishing abusers. It's still a crime to steal money from a bank if the door is left open, isn't it?

BTW - RFC821 and its derivatives require a postmaster@ account (as well as an abuse@ account). It's likely that the removal of these accounts could cause more mayhem than the spam itself.
Regards, Andrew

jskelley510
Posts: 7
Joined: Sat Mar 01, 2003 2:12 am
Location: Hercules, CA (San Francisco Bay Area)

Post by jskelley510 »

I'm not one to cause mayhem, so I took postmaster off my list of common names.

On the subject of newly created domains. I have one domain that I registered with one of the big registration companies. I neglected to uncheck the "share information with partners..." and within 48 hours, that domain was attacked. Every day, almost every hour, a mail message is sent to "myhouse." This is a non-existent account, yet this is an example of the transaction. (my domain and server name have been replaced with acmepickle.com and SERVER1)
#Software: MailEnable SMTP Server Version 1.0a
Version: 1.0
#Date: 04/02/03 16:13:27
#Fields: date time c-ip agent account s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes
03-04-02 16:13:31 209.8.161.68 SMTP-IN 209.8.161.68 472 MAIL MAIL+FROM:<video-fk-fest/-myhouse=acmepickle.com@www.fibreslide.com> 250+Requested+mail+action+okay,+completed SERVER1 43 68
03-04-02 16:13:34 209.8.161.68 SMTP-IN 209.8.161.68 472 RCPT RCPT+TO:<myhouse@acmepickle.com> 554+The+IP+Address+of+the+sender+(209.8.161.68)+was+found+in+a+DNS+Blacklist+SPAM+database+and+was+therefore+refused. SERVER1 119 32
03-04-02 16:13:34 209.8.161.68 SMTP-IN 209.8.161.68 472 QUIT QUIT 221+Service+closing+transmission+channel SERVER1 42 6
You see that the Blacklist works nicely, in other instances the error relates to the fact that there is no "myhouse" account.
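The log excerpt above is W3C-style: a `#Fields:` header names the columns and spaces inside a column are written as `+`. As an added example (not part of the post, and not a MailEnable tool), here is a Python parser for that layout plus a per-client summary of the kind point 10 ("read your logs") is about: how many RCPTs each client sent, how many were refused, whether a DNS blacklist fired, and which non-existent local names were tried. The first three data lines are the ones quoted above; the second session from 198.51.100.7 is constructed to show the "john, jon, joe" name-guessing pattern, and its 550 text uses the RFC wording, which is an assumption rather than MailEnable's actual message.

```python
"""Parser and summary for MailEnable-style W3C SMTP logs (added example)."""
import re
from collections import defaultdict

# Lines 1-3 of the data are quoted from the post; the 198.51.100.7 session
# is constructed for this example and its 550 reply text is assumed.
SAMPLE_LOG = """\
#Software: MailEnable SMTP Server Version 1.0a
#Version: 1.0
#Date: 04/02/03 16:13:27
#Fields: date time c-ip agent account s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes
03-04-02 16:13:31 209.8.161.68 SMTP-IN 209.8.161.68 472 MAIL MAIL+FROM:<video-fk-fest/-myhouse=acmepickle.com@www.fibreslide.com> 250+Requested+mail+action+okay,+completed SERVER1 43 68
03-04-02 16:13:34 209.8.161.68 SMTP-IN 209.8.161.68 472 RCPT RCPT+TO:<myhouse@acmepickle.com> 554+The+IP+Address+of+the+sender+(209.8.161.68)+was+found+in+a+DNS+Blacklist+SPAM+database+and+was+therefore+refused. SERVER1 119 32
03-04-02 16:13:34 209.8.161.68 SMTP-IN 209.8.161.68 472 QUIT QUIT 221+Service+closing+transmission+channel SERVER1 42 6
03-04-02 17:02:10 198.51.100.7 SMTP-IN 198.51.100.7 473 MAIL MAIL+FROM:<offer@bulk.example> 250+Requested+mail+action+okay,+completed SERVER1 43 31
03-04-02 17:02:11 198.51.100.7 SMTP-IN 198.51.100.7 473 RCPT RCPT+TO:<john@acmepickle.com> 550+Requested+action+not+taken:+mailbox+unavailable SERVER1 57 29
03-04-02 17:02:11 198.51.100.7 SMTP-IN 198.51.100.7 473 RCPT RCPT+TO:<jon@acmepickle.com> 550+Requested+action+not+taken:+mailbox+unavailable SERVER1 57 28
03-04-02 17:02:12 198.51.100.7 SMTP-IN 198.51.100.7 473 RCPT RCPT+TO:<joe@acmepickle.com> 550+Requested+action+not+taken:+mailbox+unavailable SERVER1 57 28
03-04-02 17:02:12 198.51.100.7 SMTP-IN 198.51.100.7 473 QUIT QUIT 221+Service+closing+transmission+channel SERVER1 42 6
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        tokens = line.split()
        if len(tokens) == len(fields) - 1:
            # The lines quoted in the post carry 12 tokens for 13 field names:
            # the empty 'account' column of an unauthenticated session is
            # collapsed.  Assumed from the sample; re-insert it.
            tokens.insert(fields.index("account"), "")
        if len(tokens) != len(fields):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(fields, tokens))
        rec["reply"] = rec["cs-uriquery"].replace("+", " ")   # undo W3C '+'
        rec["code"] = int(rec["reply"][:3])                   # SMTP reply code
        m = ADDR_RE.search(rec["cs-uristem"])
        rec["address"] = m.group(1).lower() if m else ""
        records.append(rec)
    return records


def summarize(records):
    """Per client IP: envelope senders, RCPT attempts, 5xx rejections,
    DNS blacklist hits, and local names refused as unknown mailboxes."""
    stats = defaultdict(lambda: {"senders": set(), "rcpt": 0, "rejected": 0,
                                 "dnsbl": 0, "unknown_users": set()})
    for r in records:
        s = stats[r["c-ip"]]
        if r["cs-method"] == "MAIL":
            s["senders"].add(r["address"])
        elif r["cs-method"] == "RCPT":
            s["rcpt"] += 1
            if r["code"] >= 500:
                s["rejected"] += 1
            if "DNS Blacklist" in r["reply"]:
                s["dnsbl"] += 1
            if r["code"] == 550 and "mailbox unavailable" in r["reply"]:
                s["unknown_users"].add(r["address"].split("@")[0])
    return dict(stats)


def name_guessers(stats, min_names=3):
    """IPs that tried at least min_names distinct non-existent local names:
    the 'john, jon, joe' probing the first post describes."""
    return sorted(ip for ip, s in stats.items()
                  if len(s["unknown_users"]) >= min_names)


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} rcpt={s['rcpt']} rejected={s['rejected']} "
              f"dnsbl={s['dnsbl']} unknown={sorted(s['unknown_users'])}")
    print("name guessing from:", name_guessers(stats))
```

Because the parser is driven by the `#Fields:` header rather than fixed column positions, it keeps working if the server is later configured to log extra columns; the one layout-specific assumption (the collapsed empty `account` column) is isolated in a single check. The same summary, run over a day's worth of log instead of nine lines, is what points 8 and 10 ask you to look at: a legitimate sender refused by a blacklist shows up as a 554 with the blacklist text, and a dictionary attack shows up as one IP collecting many distinct "mailbox unavailable" names.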

goolmoon7
Posts: 1
Joined: Tue Feb 10, 2015 11:23 am

Re: Rejected Messages, SPAM, Blacklisting, and a box of Kleenex.

Post by goolmoon7 »

Each post helps define a bit more of the understanding for each of us. I have been working on those html forms > asp email scripts and reading back thru the posts helped a lot. I really hate asking support anything...I know they are busy, and besides most of the common questions & answers have already been discussed here in the forums.
