Outbound Email
Posted by: admin on Jul 27, 2010
A variety of mechanisms can generate email that appears to come from your site. These include:
- User generated mail
- Applications that send email
- List Servers
- MTA error messages
- Email enabled applications
- Third Party Senders
- Forged Emails
You need to be aware of all the mechanisms your site uses to generate email so you can:
- Configure email leaving your site to be generally accepted at other sites.
- Exercise controls over outbound messages that will prevent messages originating at your sites from being blacklisted.
- Effectively trouble-shoot any delivery failures from your site
All outbound email should be sent from your site using an MTA that can scan for viruses before the message leaves your site. It's also becoming more and more important to be able to quickly spot any systems in your infrastructure that may be infected with spambot or phishing software.
Scanning outbound email for viruses is a relatively simple and non-controversial policy to implement. But, as a practical matter, it is difficult to implement a policy that rejects or tags email from your site as spam or phishing. You will hear very quickly if even one email is sent out falsely tagged as a spam or phishing attack, but that doesn't mean you can't detect a spammer on your network.
Rate and Connection Limiting
Spammers have a common trait that they can't hide. They must send out a massive number of messages to be effective. Whether it's a bogus ISP account or a hijacked computer, if it starts sending spam it can be detected by looking at the rate at which it's sending out emails. A simple way to quickly detect a spammer is to check outbound messages for a massive amount of email suddenly coming from one source. By limiting the number of messages sent by a single IP or address over a relatively short period of time, you can quickly detect and stop an infected system from getting your site blacklisted. Preventing a site from getting blacklisted is one of the most important jobs an email administrator can perform. Just imagine telling your CEO that most email to your customers will not be delivered because your site has been blacklisted. Then tell them that you don't know exactly how long it will take to get off the blacklist.
BarricadeMX and BarricadeMX Plus can be configured to control connection rates, concurrent connections and message volumes related to time periods.
Rate-Connect specifies how many connections (per minute) a host is allowed to make within a given period of time. A default rate limit can be set, and exceptions or different rates can be set for specific IP addresses, domains or email addresses. If an SMTP client connects too frequently, in excess of this limit, the incoming connection is dropped. Correctly configured MTAs will retry delivery later.
Concurrent-Connect specifies the maximum number of concurrent connections an SMTP client is permitted at any one time. A default number of concurrent connections can be set, and exceptions or different limits can be set for specific IP addresses, domains or email addresses. If an SMTP client exceeds the allotted number of connections, new incoming connections are dropped. Correctly configured MTAs will retry, and will be allowed to connect once the client's number of concurrent connections is below the set limit.
Msg-Limit-Connect:[domain /IP], Msg-Limit-From:[email address] and Msg-Limit-To:[email address] can be used in BarricadeMX to limit the default number of messages an SMTP client, sender, or recipient can send or receive in a given time period. The default limits can be easily overridden for specific SMTP clients.
A message limit is given as:
messages '/' time [unit]
Typical examples would be:
A default limit of 100 messages per hour:
Msg-Limit-Connect: 100/H
But allow 192.168.123.10 to send 500 messages per hour:
Msg-Limit-Connect: 192.168.123.10 500/H
And allow jim@xyz.com to send only 2 per minute:
Msg-Limit-From: jim@xyz.com 2/M
The time unit can be one of week, day, hour, minute, or second. A negative number for messages will disable any limit.
It will take some experience and expertise to set limits on outbound email which are low enough to trap spammers but loose enough to allow normal clients to connect without interruption. You will need to do some experimentation and perform careful monitoring during the initial configuration period to determine suitable limits for your site.
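To show how the message limits above behave in practice, here is an added example (not BarricadeMX code, and not from the original post) that parses limit specs in the page's messages/time[unit] form, including the negative "disable" value, and replays a constructed outbound log through a sliding-window counter with a default limit and per-client and per-sender overrides. The unit letters W/D/H/M/S, the default unit of seconds when none is given, the log line layout and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Seconds per time unit for a "messages/time[unit]" limit. Mapping the letters
# W/D/H/M/S to week/day/hour/minute/second is an assumption taken from the
# 100/H and 2/M examples; defaulting to seconds when no unit is given is too.
UNIT_SECONDS = {"W": 7 * 86400, "D": 86400, "H": 3600, "M": 60, "S": 1}

def parse_limit(spec):
    """Parse 'messages/time[unit]' (e.g. '100/H', '2/M', '10/2H') into
    (max_messages, window_seconds). A negative message count disables the
    limit, which is returned as None."""
    m = re.fullmatch(r"\s*(-?\d+)\s*/\s*(\d*)\s*([WDHMSwdhms]?)\s*", spec)
    if not m or (m.group(2) == "" and m.group(3) == ""):
        raise ValueError(f"bad limit spec: {spec!r}")
    max_messages = int(m.group(1))
    if max_messages < 0:
        return None
    count = int(m.group(2)) if m.group(2) else 1
    unit = (m.group(3) or "S").upper()
    return max_messages, count * UNIT_SECONDS[unit]

class SlidingWindowLimiter:
    """Per-key sliding-window counter: one default limit plus per-key
    overrides, mirroring the default-and-exception style of the page."""
    def __init__(self, default_limit, overrides=None):
        self.default = parse_limit(default_limit)
        self.overrides = {k: parse_limit(v) for k, v in (overrides or {}).items()}
        self.events = defaultdict(deque)

    def allow(self, key, ts):
        """Record one message for `key` at epoch time `ts`; return False if
        `key` is now over its limit inside the window."""
        limit = self.overrides.get(key, self.default)
        if limit is None:                 # negative count: limit disabled
            return True
        max_messages, window = limit
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] >= window:  # drop events that fell out of the window
            q.popleft()
        return len(q) <= max_messages

LOG_RE = re.compile(r"^(\S+) client=(\S+) from=(\S+)")

# Constructed outbound-gateway log lines (not real BarricadeMX output).
SAMPLE_LOG = """\
2010-07-27T10:00:00 client=10.0.0.5 from=alice@example.com
2010-07-27T10:00:05 client=10.0.0.5 from=alice@example.com
2010-07-27T10:00:10 client=10.0.0.5 from=alice@example.com
2010-07-27T10:00:15 client=10.0.0.5 from=bob@example.com
2010-07-27T10:00:20 client=192.168.123.10 from=jim@xyz.com
2010-07-27T10:00:30 client=192.168.123.10 from=jim@xyz.com
2010-07-27T10:00:40 client=192.168.123.10 from=jim@xyz.com
2010-07-27T10:01:30 client=10.0.0.5 from=alice@example.com
2010-07-27T10:01:45 client=192.168.123.10 from=jim@xyz.com
""".splitlines()

def find_violations(log_lines, client_limiter, sender_limiter):
    """Replay log lines through both limiters; return (kind, key, time) for
    every message that pushed a client or a sender over its limit."""
    violations = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp, client, sender = m.groups()
        ts = datetime.fromisoformat(stamp).timestamp()
        if not client_limiter.allow(client, ts):
            violations.append(("client", client, stamp))
        if not sender_limiter.allow(sender, ts):
            violations.append(("sender", sender, stamp))
    return violations

def run_sample():
    # Limits are deliberately tiny so the short constructed log trips them.
    clients = SlidingWindowLimiter("3/M", {"192.168.123.10": "5/M"})
    senders = SlidingWindowLimiter("-1/M", {"jim@xyz.com": "2/M"})
    return find_violations(SAMPLE_LOG, clients, senders)

if __name__ == "__main__":
    for kind, key, stamp in run_sample():
        print(f"{stamp}: {kind} {key} exceeded its message limit")
```

Only the message that crosses the threshold is reported, and once the older messages age out of the window the same client is allowed again, which is the behaviour you want from a limit that is meant to catch a sudden burst rather than block a busy but legitimate sender.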
User Generated Email
Your users may typically send email using a single Mail User Agent (MUA), but many sites today allow users to originate email using a variety of mechanisms, which may include:
- In-office: Desktop programs such as Outlook, Thunderbird or Exchange that connect to office Mail Hubs or web mail servers.
- Out-of-Office: Desktop programs that connect to office Mail Hubs
- Out-of-Office: Desktop programs that connect to the user's ISP using Outlook, Thunderbird, etc.
- Out-of-Office: Web mail servers
- Out-of-Office: Mobile phones and PDAs
Typically, how the end user's MUA connects is of little importance, except when the user connects from out of the office.
Often the road warrior or home user connects to a public network to send or receive office-related mail. In many cases the user's ISP will block port 25 traffic from leaving the subnet, and the only way to send mail when connected to that network is to send it through the ISP's email server.
This does not present a problem unless the user sets up their MUA to "forge" the return address as their email address at work AND your site publishes Sender Policy Framework (SPF) records. If this happens, any email that is sent to a site that blocks emails that fail SPF checks will be rejected. Why? Because the server that sent the email, apparently from your site, will not be a server listed in your site's SPF records.
A simple way to provide secure and reliable email services for off-site workers is to set up your email gateway to provide authenticated email submission services on port 587. An outline of how to set up these services may be found at http://devhen.wordpress.com/2006/05/01/howto-sendmail-smtp-auth/ . Users can then connect with a username and password to deliver messages that will be relayed by your servers. This eliminates any problems with SPF checks and port 25 blocking on their local subnet.
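The SPF failure described above is easiest to see by evaluating a record against the different hand-off points a roaming user might use. The following is an added example, not code from the original post and not a full SPF implementation: a small evaluator for the ip4/ip6/a/mx/include/all mechanisms that runs against a constructed DNS table, so it works offline. The domain example.com, the hosts, the addresses and the record text are all assumptions made for the example.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data standing in for live lookups. Domain, hosts and
# addresses are assumptions for this example, not records from the page.
FAKE_DNS = {
    "example.com": {
        "txt": "v=spf1 mx ip4:203.0.113.0/28 include:_spf.mailhost.example -all",
        "mx": ["mail.example.com"],
    },
    "mail.example.com": {"a": ["203.0.113.5"]},
    "_spf.mailhost.example": {"txt": "v=spf1 ip4:198.51.100.0/24 -all"},
}

def fake_lookup(name, rtype):
    """TXT lookups return the record string (or None); A/MX lookups return a list."""
    rec = FAKE_DNS.get(name.lower().rstrip("."), {})
    return rec.get("txt") if rtype == "txt" else rec.get(rtype, [])

def check_spf(ip, domain, lookup=fake_lookup, depth=0):
    """Evaluate the sending IP against the domain's SPF record, returning
    pass / fail / softfail / neutral / none (or permerror on include loops).
    Mechanisms are tested in order; the first match decides the result."""
    if depth > 10:
        return "permerror"        # guard against include: loops
    record = lookup(domain, "txt")
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False when the address family differs, so an IPv6
            # sender never matches an ip4: mechanism
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "a")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "a")
                          for mx in lookup(arg or domain, "mx"))
        elif name == "include":
            matched = check_spf(ip, arg, lookup, depth + 1) == "pass"
        # other mechanisms and modifiers (exists:, redirect=, exp=) are skipped
        if matched:
            return QUALIFIERS[qual]
    return "neutral"

def road_warrior_scenarios():
    """Same From: domain, different submission paths, different SPF verdicts."""
    return {
        "office gateway (MX host)": check_spf("203.0.113.5", "example.com"),
        "second relay inside ip4 block": check_spf("203.0.113.14", "example.com"),
        "outsourced mailhost via include": check_spf("198.51.100.9", "example.com"),
        "home ISP relay, forged From": check_spf("192.0.2.77", "example.com"),
    }

if __name__ == "__main__":
    for path, verdict in road_warrior_scenarios().items():
        print(f"{path:34s} -> {verdict}")
```

The last scenario is the one the paragraph warns about: the message is handed to the ISP's relay, that relay's address is not in the record, and the terminating "-all" turns the miss into a hard fail. Submitting through your own gateway on port 587 makes the sending address one that the record already covers.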
Other Systems That Send Mail
Many systems at a site may be configured to send email. Web servers and email list servers are two of the most common email-enabled servers, but any server may be configured to use email for reporting and monitoring the server's health. A spammer can compromise any server that is connected to the Internet and not properly protected. The most common take-over target is a poorly secured web server, but any server that is not kept up-to-date can be compromised. Forcing email from all email-enabled servers through a "smart relay" mail gateway that can limit messages and connections is a good way to prevent and detect spammers using and abusing any of your systems.
It's very important for your network to only allow outbound port 25 from designated mail servers. Make sure that any systems that need to send mail to the Internet use properly configured mail gateways as smart-hosts. To further prevent problems, your mail servers should not use a shared IP address with other NAT clients.
BarricadeMX smtp-strict-relay
BarricadeMX may be configured to only allow outbound messages that have a From: address whose domain matches one of the domains that you route email for. Since most spambots use a forged From: address, this will prevent spam or scams sent by a compromised system from leaving your site and getting your site blacklisted.
Configuring Your Outbound Gateway
Any system that delivers or forwards email must be correctly configured, or email from that system may be rejected. Following a few simple rules will ensure that properly configured email servers will accept your email. Your server:
- Must be configured with a hostname that is a Fully Qualified Domain Name (FQDN) in a Top Level Domain (TLD)
- Must have DNS "A" and "PTR" Records. The hostnames of the A and PTR records do not have to match but both must exist.
And please take time to review our Best Practices document:
http://www.fsl.com/images/docs/Best_Practice_Brochure.pdf
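As an added example (not from the original post), the two rules above can be turned into a pre-flight check for a gateway: the hostname must be an FQDN with a TLD, an A record must exist, and every address it resolves to must have a PTR record, which, as the page notes, does not have to name the same host. The zone data below is a constructed stand-in for live DNS; the hosts and addresses are assumptions for the example, and the lookup callables can be swapped for real resolver calls.

```python
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(hostname):
    """True if the hostname has at least two valid labels and an alphabetic TLD."""
    labels = hostname.rstrip(".").split(".")
    return (len(labels) >= 2
            and all(LABEL.match(label) for label in labels)
            and labels[-1].isalpha())

# Constructed zone data in place of live DNS (assumed hosts and addresses).
FAKE_A = {
    "mx1.example.com": ["203.0.113.5"],
    "relay.example.com": ["203.0.113.6"],
    "mx2.example.com": ["203.0.113.7"],      # A record but no PTR below
}
FAKE_PTR = {
    "203.0.113.5": "mx1.example.com",
    "203.0.113.6": "mail-out.example.com",  # PTR name differs from the A name: still valid
}

def check_gateway(hostname, a_lookup=FAKE_A.get, ptr_lookup=FAKE_PTR.get):
    """Apply the page's rules: FQDN in a TLD, and both an A and a PTR record
    present for the host (they need not match). Returns a list of problems,
    empty when the gateway passes."""
    problems = []
    if not is_fqdn(hostname):
        problems.append(f"{hostname}: hostname is not a fully qualified domain name")
    addrs = a_lookup(hostname) or []
    if not addrs:
        problems.append(f"{hostname}: no A record")
    for ip in addrs:
        if not ptr_lookup(ip):
            problems.append(f"{ip}: no PTR record")
    return problems

if __name__ == "__main__":
    for host in ("mx1.example.com", "relay.example.com", "mx2.example.com", "mailserver"):
        print(host, "->", check_gateway(host) or "ok")
```

relay.example.com passes even though its PTR points at a different name, exactly as the page's rule allows; mx2.example.com fails only on the missing PTR, and a bare hostname such as "mailserver" fails both checks.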
If You Do Get Blacklisted
If you suspect that your site's email server, or the URIs / URLs used in your email messages, have been blacklisted, you'll need to check with a site that can query a large number of DNSBLs to see whether your site is listed.
One site that can check your mail server's IP address against multiple DNSBLs is:
http://www.mxtoolbox.com/blacklists.aspx
Your domain name can be blacklisted also. To see if your domain, or a URI / URL which contains your domain name, is listed, you can check:
The site http://www.dnsbl.info can also be used to see whether the IP addresses of the servers that send mail for your site are listed on any of the commonly used DNSBLs.
If your domain is actually on a blacklist, you'll need to visit the website of the DNSBL that has listed your site. There are typically specific things to look up and then certain steps to be followed to get your site de-listed. While the specifics vary from site to site, they typically follow this pattern.
- You need to find out specifically why your IP address or domain was listed.
- You need to make sure that the reason your site was listed has been corrected
- You then need to follow the site's directions for getting your site de-listed.
It might not even be your fault that your domain is listed. Your site can be blacklisted if your ISP assigns you a dynamic IP address in a subnet that the ISP has certified should not be sending email. If this happens, your ISP will need to assign you a new IP address.
If your ISP has had the subnet containing your IP blacklisted because of spam, malware or phishing activity, you may be an innocent victim of your ISP's mistakes. When these or similar errors occur, there is little you can do on your own to get off the blacklist. Your ISP will need to fix the underlying problem and then work to get the subnet and your IP de-listed.
If the problem that got your site blacklisted is a configuration error, a spammer account on your network or a compromised customer's system in your network, then you must first find and correct the error or shut down the compromised system. Typically this is as simple as correcting a system configuration or stopping the offending traffic with a network block. Failure to correct the problem before asking the DNSBL to remove the listing will only further delay getting the block removed.
Each DNSBL has its own rules and procedures that you must follow to get your site off its blacklist. Fortunately, the major DNSBLs, which are most often used to block incoming email outright rather than to score it in SpamAssassin, do have simple, fair and fairly fast procedures for getting a block lifted, provided you correct the problem first and follow their rules.
That's it for this week. Next week we'll look at what happens when mail arrives at your site. Until then your comments and questions are welcome.
Steve Swaney
steve@fsl.com