Andy's Technical Notes Main Security Page

Administrator level spam avoidance

While there is no one thing that can stop all spam, there are a number of things that can each stop a bit of spam. So are some basics to get your started.

This is intended for administrators of email systems.

1) Make sure your system is secured from being a spam source or route.
    If your users send out mass mailings, then their addresses will get on spam lists. Educate your end users. See the Users document as a basis.
    If your system is an Open Relay, then you will help propagate spam and as part of it get on spam lists. Close all Open Relays!

2) Make sure your system can prove it is who it claims to be as that will prevent your outbound messages from being blocked by the very measures many others will be using to block spam as outlined in #3
Make sure that
    - all SMTP hosts have open relay turned OFF!!! This may include making sure you are patched up to date.
    - All sending and receiving SMTP IP addresses have an A, MX, and PTR records set in your DNS, with the servers' host names actually matching those A records.
    - All end users can only send email through the servers (ideally that your Firewall doesn't allow SMTP from other than hosts/servers that meet the above criteria)
More detail available at our How to deal with being blocked as spam page.

Tools for checking; (by 'records' we are talking about DNS)
    - DNSreport checks basic health of your DNS for inbound messages, also use it for anyone having problems sending to you. Very easy to use as you just enter your domain name in the top left tool called DNSreport.
    - NSlookup A standard commandline tool on all Operating Systems that lets you check specific DNS records. i.e. Check the PTR record of your mail server's IP address. Knowing how to use the commandline version is useful, but there are much easier options. CentralOps is a nice on-line one, and I use NirSoft's DNSDataView when ever I can.

3) Only accept messages from sources that can be confirmed are who they say they are
    - Each email system describes this differently such as the humanly understandable "Reject mail if sender's identity cannot be verified" to the technically ambiguous "reverse DNS look-up". Turning these on will certainly stop a large amount of incoming spam and email worms, BUT it will also block real mail from places that have not completed step 2 for themselves. A strong recommendation is to help your partners & clients with their own step 2 before you turn on any of these step 3 steps, and then be prepared to help others with their step 2 after you turn on your step 3 steps.
    - Any (old) systems that don't have this feature better be behind an antispam system.

4) Add in an anti-spam utility
 This will be a bit less work than #3 and will cover a different set of spam so they can be very complimentary or really get in each other's way depending on the product used. This field is currently very crowded with a wide range of capabilities that may or may not match the vendors' promises. Most common way is to use a 'cloud' service in front of your email system. This is a constantly changing category so you do have to stay on your toes as I've had to do some fast migrations for clients when the option they were using ceased operations, so always have an idea on what your next one might be.
    - Beware of using external Black Lists (RBL), as the spammers have been actively trying to shut them down, which can lead to your system not being able to receive messages because it can not contact your chosen Black List. While valuable for reducing the tide, make sure your system doesn't stop processing mail when an RBL it is using goes away. Also regularly check that any RBL you are using is still working properly as I had a number of clients be shut off from receiving mail when a prominent RBL was shut down.

  Other relevant links worth reading for a high level view of this issue:
You've got spam! Now what?


Last updated 2020-04-06