Alleviating spam – Best Practices

Problem description

This article describes how to optimize your Norman Email Protection (NEP) server configuration to prevent as much spam as possible from entering your system.

Solution

This article assumes that NEP is the mail entry point, so that it sees the IP addresses of the external sending mail servers. It also assumes you do not have a gateway in front of the NEP server pre-filtering mail, because NEP would then see all mail as coming from the gateway's IP address and the IP-based checks below would be ineffective.

Open the NEP Administration Console to configure the following:

Security – Properties – DNS Blacklists (DNSBL)

  • Enable Perform a lookup for the SMTP host in the Real-Time Blacklist
  • Click on DNSBL Servers and enter the following:
    • sbl-xbl.spamhaus.org
    • bl.spamcop.net
    • cbl.abuseat.org
    • See below for additional DNSBLs
  • Ensure that Reject connection immediately if the host is blacklisted is not enabled
  • Set the Cache values to 9000 (lookup results) and 240 (minutes)
  • Click on IP Exclusion and enter the IP addresses for all of your IP blocks
    • E.g. 10.10.10.0/24, 10.10.20.0/20, 10.10.30.25, etc.
  • Click on Apply
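The DNSBL check configured above works by reversing the connecting IP's octets and querying them as a name under each zone; a listed IP answers with an address in 127.0.0.0/8, an unlisted one gets NXDOMAIN. The following is an added illustration of that lookup, the IP Exclusion list and the result cache, written in Python; it is not NEP's code, the zones and exclusion blocks are the ones named in this article, and the resolver answers are a constructed stub so it runs offline.

```python
import ipaddress

# DNSBL zones recommended in the article
DNSBL_ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org"]

# IP Exclusion list: your own blocks, taken from the article's example; these are never looked up.
# strict=False accepts blocks written with host bits set (10.10.20.0/20 becomes 10.10.16.0/20).
IP_EXCLUSIONS = [ipaddress.ip_network(n, strict=False)
                 for n in ("10.10.10.0/24", "10.10.20.0/20", "10.10.30.25")]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the IPv4 octets under the zone name."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_excluded(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IP_EXCLUSIONS)

# Constructed stub resolver: a listing answers with an A record in 127.0.0.0/8, an unlisted
# IP gets NXDOMAIN (None). 203.0.113.0/24 is a documentation range, not a real listing.
STUB_ANSWERS = {
    "4.113.0.203.sbl-xbl.spamhaus.org": "127.0.0.2",
    "4.113.0.203.cbl.abuseat.org": "127.0.0.2",
}

def stub_resolve(name: str):
    return STUB_ANSWERS.get(name)

def check_host(ip: str, resolve=stub_resolve, cache=None) -> list:
    """Return the zones listing ip. Excluded IPs are never queried; `cache` mimics
    NEP's lookup-result cache so repeat connections skip DNS. With 'reject immediately'
    off, as the article recommends, a hit feeds the spam score rather than closing the session."""
    if is_excluded(ip):
        return []
    if cache is not None and ip in cache:
        return cache[ip]
    hits = [zone for zone in DNSBL_ZONES
            if (resolve(dnsbl_query_name(ip, zone)) or "").startswith("127.")]
    if cache is not None:
        cache[ip] = hits
    return hits
```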

ADDITIONAL DNSBLs

Least Aggressive RBL Combination

  • sbl.spamhaus.org (known spam sources only)
  • cbl.abuseat.org (composite block list)

Moderately Aggressive RBL Combination

  • sbl-xbl.spamhaus.org (combination of sbl & xbl)
  • cbl.abuseat.org (composite block list)
  • dul.dnsbl.sorbs.net (dynamic ranges)
  • bl.spamcop.net (spamcop block list)

Very Aggressive RBLs

  • zen.spamhaus.org (includes sbl, xbl + pbl)
  • cbl.abuseat.org (composite block list)
  • dnsbl.sorbs.net (full sorbs zone)
  • bl.spamcop.net (spamcop block list)

  • Warning: using the Perform RBL Check after mailbox authentication function keeps the connection open longer
  • If you are not an ISP/xSP or you do not have dynamic IP range provisioning for your users, it may be better to reject the connection immediately

For a good list of comparative RBLs, use this link: http://www.sdsc.edu/~jeff/spam/cbc.html

If you want to completely block specific countries from sending you mail, information can be found here: http://www.vircom.com/security/country-based-blocking/

Security – Properties – Connection Limits

  • Maximum simultaneous connection rate allowed for the same IP: enter 5
  • Total number of simultaneous connections allowed from the same IP: enter 5
  • Click on Apply

Security – Properties – Trusted Address List

  • Under SMTP Security Trusted Address, click on IP Address
  • Enter the IP addresses for all of your IP blocks
    • E.g. 10.10.10.0/24, 10.10.20.0/20, 10.10.30.25, etc.
  • Click on Apply

NOTE: These options tell NEP to skip connection-level verification for messages originating from the specified IPs or IP blocks. They do not bypass content filtering; they only prevent RBL checking and throttling by "Block Scan Attack," "Connection Limits," etc., from being applied to the specified addresses.

Security – Properties – SMTP Security

  • Check Enable SMTP Authentication
  • Enable the following:
    • Do not advertise SMTP AUTH for these
      • In the IP Address list, enter the following 2 items:
        • !127.0.0.1 (the ! denotes not)
        • *.*.*.*
    • Force usage of fully qualified addresses in SMTP commands
    • Reject malformed addresses
    • Validate sender addresses
      • Set the Cache Size to 9000 entries
      • Set Keep in cache for 240 minutes
  • Click on Apply

Security – Properties – Block Scan Attack

  • Ensure that Enable Scan Attack Blocking is checked
  • Click on Slowdown the IP Connections
  • Disable Force a slowdown on IP connections and Close
  • Click on Block IP Addresses
  • Block IP for 240 minutes
  • Check After the number of invalid recipients reach and set the value to 3
  • Click on Close
  • Set the Cache values to 9000 (lookup results) and 240 (minutes)
  • Click on Apply
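To make the Block Scan Attack settings concrete, here is an added Python sketch of the directory-harvest blocking they describe, using the article's thresholds (3 invalid recipients, a 240-minute block, a 9000-entry cache). It is not NEP's code; the clock is injected so the behaviour can be exercised without waiting, and the IP addresses used are constructed documentation-range values.

```python
from collections import OrderedDict

INVALID_RCPT_LIMIT = 3   # "After the number of invalid recipients reach" 3
BLOCK_MINUTES = 240      # "Block IP for 240 minutes"
CACHE_ENTRIES = 9000     # cache size from the article

class ScanAttackBlocker:
    def __init__(self, now):
        self.now = now                 # callable returning seconds; injected for testing
        self.invalid = OrderedDict()   # ip -> count of invalid RCPT TO, oldest first
        self.blocked = {}              # ip -> time (seconds) at which the block expires

    def _trim(self):
        # Keep the counter cache bounded, evicting the least recently seen IPs
        while len(self.invalid) > CACHE_ENTRIES:
            self.invalid.popitem(last=False)

    def is_blocked(self, ip: str) -> bool:
        until = self.blocked.get(ip)
        if until is None:
            return False
        if self.now() >= until:        # block has expired
            del self.blocked[ip]
            return False
        return True

    def rcpt_to(self, ip: str, recipient_exists: bool) -> str:
        """Called once per RCPT TO. Returns 'blocked', 'ok' or 'unknown-recipient'."""
        if self.is_blocked(ip):
            return "blocked"
        if recipient_exists:
            return "ok"
        self.invalid[ip] = self.invalid.get(ip, 0) + 1
        self.invalid.move_to_end(ip)
        self._trim()
        if self.invalid[ip] >= INVALID_RCPT_LIMIT:
            # Threshold reached: block the IP and drop its counter
            self.blocked[ip] = self.now() + BLOCK_MINUTES * 60
            del self.invalid[ip]
            return "blocked"
        return "unknown-recipient"
```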

Security – Properties – Sender Reputation (or Sender Validation & Accreditation in earlier versions)

  • Enable Sender Reputation System (new in Norman Email Protection 5.0)
  • The recommendation is to quarantine messages with a 'bad' SRS reputation
  • Results are updated every 5 minutes
  • This option protects you from newly detected spam waves, and quickly delists IPs that have been removed from botnets
  • Enable SPF Support
  • Click on Apply
  • An SPF record is not required for this feature
  • Optionally, you could enable Perform a look up for the SMTP host in DNS
    • This is a reverse DNS lookup on the IP address of the sending server to check if it has a reverse PTR record
    • Historically, enabling this option caused more false-positives because many legitimate mail servers did not have reverse zones
    • However, as spam increases, more companies are turning this feature on, despite the risk
    • Most spam originates from IP addresses that are used for dynamic IP allocation which do not have a reverse PTR record (i.e. DSL or cable modem users with infected zombie machines)
    • Enabling this can be risky but will alleviate spam problems considerably – use with caution

Other articles of interest concerning reverse DNS

http://www.vircom.com/security/reverse-dns-checking-is-it-safe-to-use/

Spam – Preferences – Options

  • Set the Spam Scanning Level to STRONG
  • Click on Apply

Spam – Preferences – SURBL (Spam Links)

  • Check Enable SURBL
  • Under SURBL Servers, click on multi.surbl.org to highlight it
  • Click on Enable
  • Click on Add
  • Add a new SURBL: ph.surbl.org (known phishing links)
  • Click on Enable
  • Click on Apply
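Unlike a DNSBL, a SURBL is queried with the domain of a link found in the message body rather than with the sender's IP. The following added Python example shows that check against the two zones enabled above; it is not NEP's code, the message body and resolver answers are constructed so it runs offline, and bad-pharma.example is a reserved-TLD placeholder rather than a real listing.

```python
import re

# SURBL zones the article enables
SURBL_ZONES = ["multi.surbl.org", "ph.surbl.org"]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def extract_hosts(body: str) -> list:
    """Hostnames from every http(s) URL in the body, lower-cased and de-duplicated."""
    seen = []
    for host in URL_RE.findall(body):
        host = host.lower().rstrip(".")
        if host not in seen:
            seen.append(host)
    return seen

def surbl_candidates(host: str) -> list:
    """SURBL lists registrable domains, so query the host itself and its two-label base.
    Simplification: proper public-suffix handling (e.g. example.co.uk) is omitted."""
    labels = host.split(".")
    cands = [host]
    if len(labels) > 2:
        cands.append(".".join(labels[-2:]))
    return cands

# Constructed stub resolver: a listed domain answers with an address in 127.0.0.0/8
STUB_ANSWERS = {
    "bad-pharma.example.multi.surbl.org": "127.0.0.8",
    "bad-pharma.example.ph.surbl.org": "127.0.0.8",
}

def stub_resolve(name: str):
    return STUB_ANSWERS.get(name)

def scan_body(body: str, resolve=stub_resolve) -> dict:
    """Map each linked host to the sorted list of SURBL zones that list it (or its base domain)."""
    hits = {}
    for host in extract_hosts(body):
        zones = sorted({z for c in surbl_candidates(host) for z in SURBL_ZONES
                        if resolve(f"{c}.{z}") is not None})
        if zones:
            hits[host] = zones
    return hits

# Constructed sample message: one phishing-style link and one harmless link
SAMPLE_BODY = """Your account needs verification: http://login.bad-pharma.example/verify
Also see our page https://www.example.org/about ."""
```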

System – Properties – Services

  • Stop and restart:
    • SMTPRS
    • MODUSCAN

IMPORTANT SAFETY TIP

It is important that you never whitelist your own domain at the global or user level. It is also important that end-users never whitelist their own email addresses.

This is because spammers are in the habit of forging your domain in the “from” field. Whitelisting yourself means any email From yourself TO yourself will be whitelisted if the spammer is smart enough to forge your domain in the header “from” field.

Note that version 5.0 will automatically check for and ignore self-whitelisted addresses to ensure that the content undergoes spam scanning, to prevent potential abuse of your system.

Published: 2013.01.10   Updated: 2013.01.10