Tips For Reducing Spam With SMTP Mail Servers
Background
Anyone who runs their own email server knows that managing spam is unfortunately an everyday part of having a mail server. Here we'll look at a few measures you can take to help reduce it.
The Root Causes
First off, it's worth thinking about the reasons you get spam in the first place. I'm not talking here about the idiots that send it out, but about how they find out they can send mail to you.
To send email, you need a recipient address to send to and a mail server that receives it on behalf of that address. Some of this is really just common sense. The most common ways of getting hold of addresses are as follows:
- Look on the company website
- Look at the format of other users' email addresses and guess
- Trojans and malware
- Public website registrations
- Hacking the mail server
- Hijacking
Some of the problems may not be down to you directly. They could be down to where you used your address: for example, if you enter your address into a forum, mailing list or blog where it can be seen by others, or perhaps you're registered on a site that has been hacked. Maybe that's a more extreme example, but at a basic level it's not difficult for an unscrupulous operator to set a search bot going, harvesting email addresses from websites, so think about where you register your address. If you put an email address on your own website it will certainly attract a lot of spam.
Trojans and malware are a common source of addresses. One of the oldest tricks a virus pulled was to read your address book and then spam every email address it found. Nowadays you can still be a victim of this kind of thing just from hanging out in the wrong place - what sort of websites have you been visiting lately? Do you really know where that nice set of free ringtones is coming from? Your friendly local hacker likes nothing more than to take advantage of operating system vulnerabilities and embed a nice little trojan in your favourite porn site. Just think about who you're dealing with here - get the picture? And when was the last time you applied all the service packs or Windows updates? Because that's how he got in in the first place.
Configuration bugs on mail servers are a nice easy one for your average hacker. There's a less well known one in Exchange, for example: if you leave authentication enabled on the SMTP connector, which is part of the default configuration, it's possible to run a dictionary attack against the server, testing different user/password combinations for months before you find out it's been hacked, because as the administrator you don't get notified unless you make a point of trawling all the logs on a regular basis.
Many server administrators don't bother changing the default usernames, so it's a fair bet that there will be a user called Administrator on a Windows machine. And how many people still use "password" as a password? Come on guys, use your head!
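The dictionary attack above only shows up in the logs, so the practical defence is to look at the logs automatically rather than by hand. The following is an added example, not code from the original article and not tied to Exchange's real log format: it reads a constructed, generic authentication log (timestamp, AUTH_FAIL/AUTH_OK, user, source IP) and flags any source IP that fails authentication more than a set number of times within a sliding time window, which is exactly the pattern a password-guessing run leaves behind. The log lines, field names and thresholds are all assumptions; adapt the regular expression to whatever your server actually writes.

```python
"""Flag SMTP AUTH dictionary attacks from mail server authentication logs.

Added example (not from the original article). The log format is a
constructed, generic one: "<ISO timestamp> AUTH_FAIL|AUTH_OK user=<u> ip=<ip>".
Adjust LINE_RE to match your own server's log lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammering six different usernames in
# five seconds, one legitimate user who mistypes once, one isolated failure.
SAMPLE_LOG = """\
2024-03-01T10:00:01 AUTH_FAIL user=administrator ip=203.0.113.5
2024-03-01T10:00:02 AUTH_FAIL user=admin ip=203.0.113.5
2024-03-01T10:00:03 AUTH_FAIL user=postmaster ip=203.0.113.5
2024-03-01T10:00:04 AUTH_FAIL user=sales ip=203.0.113.5
2024-03-01T10:00:05 AUTH_FAIL user=info ip=203.0.113.5
2024-03-01T10:00:06 AUTH_FAIL user=support ip=203.0.113.5
2024-03-01T10:01:30 AUTH_FAIL user=alice ip=198.51.100.20
2024-03-01T10:01:45 AUTH_OK user=alice ip=198.51.100.20
2024-03-01T12:00:00 AUTH_FAIL user=bob ip=198.51.100.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, event, user, ip) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["ip"]


def find_dictionary_attacks(text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: (peak_failures_in_window, distinct_usernames_tried)} for every
    source IP that exceeds max_failures AUTH_FAIL events inside any sliding
    window of the given length. Legitimate typos stay below the threshold."""
    failures = defaultdict(list)  # ip -> list of (timestamp, username)
    for ts, event, user, ip in parse_log(text):
        if event == "AUTH_FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in it.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_failures:
            flagged[ip] = (peak, len({user for _, user in events}))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures in window, {users} distinct usernames tried")
```

Run it against a real log export and feed the flagged IPs into whatever alerting or firewall blocking you already have; the distinct-username count is the useful discriminator, since a real user who forgets their password retries one account, not a list of them.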
Dealing With The Problem
Proactive & Reactive Measures
- Keep your system up to date. Get the service packs. Sign up for the security newsletters from your operating system vendor, so you know about issues quickly.
- Change your passwords regularly, make them hard to guess, long enough and complex enough that a program can't figure them out quickly, and don't use the default usernames if you can help it.
- Have up-to-date antivirus, malware and spyware protection, and perhaps something that checks the websites you visit too. Turn on the phishing filters in your browser and think about where you are surfing!
- Configure your DNS properly, and add an SPF record - see http://www.openspf.org/. This helps to stop a spammer from using your email addresses as a source for their spam.
- Use a spam filter, or for an easier life use a third party spam filtering service like MailRoute from Applaud.
- If you use a spam filtering service, only allow mail communications from their addresses and use a non-standard port.
- Use a firewall - isn't it obvious?
- Enable a local firewall on your machine that only allows outbound traffic from applications you authorise.
- Remove email addresses from websites and your own site - use a contact form on your own site instead.
- Check software manufacturers' configuration recommendations for their mail servers.
- If you're on a corporate network, stop users from installing applications on their machines. Do they really need that toolbar, game or widget?
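An SPF record only helps if receiving servers evaluate it, so it's worth understanding what that evaluation actually does. The following is an added example, not code from the original article and not the openspf.org software: it parses an SPF TXT record and reports the result (pass, fail, softfail or neutral) for a given sending IP, handling the ip4, ip6 and all mechanisms with their qualifiers, which is enough to check a record like "v=spf1 ip4:203.0.113.0/24 -all" offline. The a, mx, include and ptr mechanisms and the redirect/exp modifiers need DNS lookups, so this code refuses them explicitly instead of guessing. The record and IP addresses below are constructed from the documentation ranges, not real ones.

```python
"""Evaluate a simple SPF record against a sending IP, offline.

Added example (not from the original article). Supports ip4, ip6 and all
with the + - ~ ? qualifiers; mechanisms that need DNS are rejected.
"""
import ipaddress

# SPF qualifier prefix -> result name. A mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for term in parts[1:]:
        if "=" in term:  # modifiers such as redirect= or exp=
            raise NotImplementedError(f"modifier {term!r} not handled here")
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        terms.append((qualifier, mech.lower(), value))
    return terms


def check_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip, or 'none'
    when no term matches and the record has no 'all' mechanism."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # strict=False lets "ip4:203.0.113.5" (no mask) act as a /32.
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech in DNS_MECHANISMS:
            raise NotImplementedError(f"mechanism {mech!r} needs a DNS lookup")
        else:
            raise ValueError(f"unknown mechanism {mech!r}")
    return "none"


# Constructed example record: only one IPv4 /24 and one IPv6 /32 may send
# for the domain; everything else should be rejected outright.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.1", "2001:db8::1"):
        print(ip, "->", check_spf(EXAMPLE_RECORD, ip))
```

The difference between "-all" and "~all" matters in practice: with "~all" a receiver is only asked to treat unlisted senders as suspicious, so if you want forged mail from your domain rejected rather than merely marked, list every legitimate sending host and end the record with "-all".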
No, it's not exhaustive, but hopefully this might set you down the right track. Like I said at the beginning, some of this is obvious, but it's amazing how many companies I go into that don't take these basic precautions.