With the prevalence of spam circulating the globe in massive amounts, it becomes increasingly important for administrators to understand the potential causes of their IP address ending up on a blacklist. Spammers employ all kinds of tricks to try to send out as many spam messages as possible without revealing their identities. They do this through various techniques such as social engineering, employing malware, botnets, forging of message headers, and exploiting weaknesses in email systems or network infrastructures. For the spammer, it’s basically a numbers game. It costs next to nothing to send out thousands of spam messages, and if even a small handful of people click on a link or purchase a product advertised in a spam message, the spammer can profit. If your email infrastructure is not properly secured, then you risk being infected with malware and becoming part of a spam botnet. Even if your server is not infected with malware, if your firewall and mail server security settings are not configured properly, your IP address could wind up on a blacklist. To protect yourself from being blacklisted, consider the following recommendations:
- Require strong passwords – It is common for spammers to perform dictionary attacks on mail servers. A dictionary attack uses a large list of words that are commonly used as passwords to try to guess a password and take over an account. To combat this, your users should always use strong passwords. Passwords such as “password1” should be avoided. Users should use passwords that contain both uppercase and lowercase letters, numbers, and symbols. In MDaemon, you can require strong passwords via the Accounts | Account Settings | Passwords menu.
- Require SMTP Authentication – We recommend requiring all users to use SMTP authentication. In MDaemon, go to Security | Security Settings | Sender Authentication | SMTP Authentication. Then, check the box “Authentication is always required when mail is from local accounts.” Make sure “…unless message is to a local account” is unchecked. In SecurityGateway, these settings can be found under Security | Anti-Abuse | SMTP Authentication.
- Do not allow relaying – Relaying occurs when mail that is neither to nor from a local account is sent through your mail server. It is very common for spammers to exploit open relays; therefore, you should ensure that your server does not relay mail. In MDaemon, go to Security | Security Settings | Relay Control, and check the following three boxes:
– Do not allow message relaying
– SMTP MAIL address must exist if it uses a local domain
– SMTP RCPT address must exist if it uses a local domain
We do not recommend checking the exclusion boxes on this screen.
In SecurityGateway, these settings can be found at Security | Anti-Abuse | Relay Control.
- Make sure you have a valid PTR record that matches your outbound public IP to your mail server name or fully qualified domain name or FQDN (mail.example.com). Your ISP can create this record for you. A PTR record allows receiving servers to perform a reverse DNS lookup on the connecting IP address to verify that the server name is actually associated with the IP address from where the connection was initiated.
- Set up an SPF record – SPF (Sender Policy Framework) is an anti-spoofing technique that determines if an incoming email from a domain was sent from a host that is authorized to send mail for that domain. This is basically the opposite of an MX record, which specifies hosts that are authorized to receive mail for a domain.
- Configure the IP Shield – IP Shielding is a security feature that allows you to specify IP addresses or IP address ranges that are allowed to send mail for a particular domain. You should configure your IP shield to only accept mail from your local domain if it came from an authorized IP address (such as one on your local network). This feature can be found under Security | Security Settings | IP Shield. For your users who may be sending email from outside of your network, you can configure exceptions by checking the box “Don’t apply IP Shield to authenticated sessions.” In SecurityGateway, the IP shield can be found under Security | Anti-Abuse | IP Shielding.
- Enable SSL – SSL (Secure Sockets Layer) is a method for encrypting the connection between a mail client and the server. In MDaemon, go to Security | Security Settings | SSL & TLS. Click on MDaemon, and check the box “Enable SSL, STARTTLS, and STLS.” Also, make sure you have a valid certificate in the blank below. More information on configuring SSL can be found in this knowledge base article:
Make sure all mail clients are communicating with the mail server over the SSL ports (587 – MSA, 465 – SMTP, 995 – POP or 993 – IMAP).
In SecurityGateway, these settings can be found under Setup/Users | System | Encryption.
- Enable Account Hijack Detection – The account hijack detection feature can be used to limit the number of messages an account can send in a given period of time. This feature applies to authenticated sessions only, and is used to prevent a compromised account from being used to send out massive amounts of spam and risk getting your server blacklisted. In MDaemon, this setting can be found under Security | Security Settings | Screening | Hijack Detection. In SecurityGateway, it can be found under Security | Anti-Abuse | Account Hijack Detection.
- Enable Dynamic Screening – Similar to account hijack detection, dynamic screening can be used to block connections from IP addresses based on the behavior of activity coming from those IPs. For example, dynamic screening can be used to block connections from IPs that fail a specified number of authentication attempts, or IPs that try to connect a specified number of times in a given period of time. In MDaemon, this feature can be found under Security | Security Settings | Screening. In SecurityGateway, it can be found under Security | Anti-Abuse | Dynamic Screening.
- Sign Messages with DKIM – DomainKeys Identified Mail (DKIM) helps protect email users against email address identity theft and email message content tampering. It does this by providing positive identification of the signer’s identity along with an encrypted “hash” of the message content. With DKIM, a private & public key are created. The public key is published to the signing domain’s DNS records, and outbound messages are signed with the private key. The receiving server can then read this key from the DKIM-Signature header of the message, and then compare it with the public key in the sending domain’s DNS records. For more information on DKIM signing in MDaemon, please see the following knowledge base article: http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02577. In SecurityGateway, these settings are located at Security | Anti-Spoofing | DKIM Signing.
- Trusted Hosts & Trusted IPs – Make sure only hosts or IPs that you trust are listed on the Trusted Hosts and Trusted IPs screens. Trusted Hosts and trusted IPs are exempt from various security settings, so if any IPs or hosts that you do not completely trust are listed, your server may become vulnerable to relaying and sending out spam. In MDaemon, this feature is located under Security | Security Settings.
- Block port 25 outbound on your network – Configure your firewall to only allow outbound connections on port 25 from your mail server or spam filter appliance. No other computers on your network should be allowed to send outbound data on port 25. If you suspect that you have a device on your network that is sending out spam over port 25, then see my post “Tracking Down a Spambot” for more information.
- Configure your firewall to log all outbound activity on port 25 from all machines on your network – to help track down any machines that may be relaying mail.
- Use a static IP– Various problems can arise from using a dynamic IP on your mail server. If the server loses its internet connection, then comes back online with a different IP address, your DNS records will still point to the old IP address. If another computer gets your old IP address, then other problems can arise. For example, if the computer has a properly configured MTA on port 25, then your mail would be bounced. If the computer has an open relay MTA on port 25, then your mail will be relayed by this machine. If the machine is on a blacklist, your mail will be lost. For these reasons, we recommend using a static IP on the mail server.
If you follow these recommendations, your chances of being blacklisted are greatly reduced. These practices will help ensure that you are not relaying mail, that your communications are encrypted, that users are authenticated, and that spambots have not been able to send out mail from your network.