Nowadays many companies and organizations (non-profits, units of governmental and educational institutions, etc) believe that running their own mail servers has become an impossible task, due both to the large amount of inbound spam and to the continuous attempts by spammers to send outbound spam through their mail servers. Companies often lack in-house technical resources to configure and run a mail server properly and deal with these threats. For these reasons, many organizations decide to outsource their email service to external entities.
However, outsourcing does not come without costs, even when the outsourced service appears to be "free". Hidden costs include:
These disadvantages are important. For small organizations that need reliable, confidential email systems, the choice of whether to outsource or not can be a tough one.
Running a secure, spam-filtered mail server for a small organization is not terribly difficult, if these guidelines are followed:
In the remainder of this article we discuss each of these points in turn.
CHOOSE A GOOD ISP OR HOSTING PROVIDER
Unfortunately, people and companies rarely consider how an ISP or hosting provider handles spam and abuse issues when choosing which company to use for Internet service or to host a server. ISPs vary tremendously in how well they keep spam and abuse on their networks under control. When you manage your own mail server, it is critically important that your ISP does not allow spam and abuse to flourish on its network. If it does, you may encounter delivery problems when sending email. Your servers might also come under an increased number of hacking attacks, because many attackers concentrate their efforts on networks that lack effective spam and abuse policies or a properly staffed and competent abuse department. Furthermore, if a security hole has allowed your server to become a vehicle for abuse, you will want your ISP to notify you professionally and promptly rather than ignore the issue.
To verify that an ISP or hosting company is properly handling spam and abuse on its network, you can use a number of resources to check the reputation of its IPs and domains, and determine how well it responds to abuse reports sent to its RFC-mandated abuse contact email address.
First, you can check the CBL Statistics by Domain list to see if the ISP is on it, and if so at what ranking. A small or medium-sized ISP or web host should not appear on this list. A large ISP or web host should not be highly ranked if it does appear. A high ranking indicates that the ISP sends a great deal of spam from malware-infected servers, or hosts malware on its servers that can infect other computers. An ISP whose networks do not appear or are not highly ranked usually has sufficient abuse management resources and good practices, enabling it to detect compromised servers and end-user computers. Such ISPs also act quickly to notify infected users, fixing problems rather than allowing them to linger.
Second, the SBL has two resources for vetting an ISP or host. You can check the SBL's World's Worst Spam Support ISPs page to see if the ISP is listed. If it is, avoid it. An ISP that appears on this list is either ignoring spam and abuse on its network or is actively complicit. If the ISP does not appear on the list of worst spam supporters, check for open SBL listings within the ISP's IPs by opening the following URL, substituting the ISP's domain name for "example.com":
Some ISPs use multiple domain names. In most cases the Spamhaus database will automatically redirect the search to the correct domain name, and display the SBL listings for that ISP. Only top-level networks show up in the SBL; ISPs that obtain their IPs from another ISP or network service provider (NSP) usually do not appear under their own names. If you can't find an ISP that you are considering, before you assume that they run a clean network, you should try searching for the domain name of their upstream provider or upstream providers.
The results page for this type of search displays a short synopsis of all active SBL listings assigned to that ISP with their creation dates. A large ISP will often have a few listings, but even large ISPs should have only a few, and the listing dates should be recent (within the past week or two at most). You might also see a few informational SBL listings: listings for a single IP that end with ".0/32". Don't ignore these SBLs just because they do not block active IPs. Informational SBLs document real problems on IPs that Spamhaus is not listing outright, in order to prevent large numbers of false positives. They are no less serious than other SBLs.
If an ISP has more than a few SBL listings, or has SBL listings that are weeks or months old, then you can usually conclude that the ISP is not effectively preventing and managing abuse on its networks.
Third, you can check the following recommended third-party resources to find out whether a specified IP or domain is listed in public blocklists (ours and others) and to assess the reputation of a specified IP range or domain:
Finally, you should test the abuse contact email address (the "abuse@" address at the ISP's domain) to see whether it exists and whether you receive a timely response. You can do this by sending email to that address asking a question about an abuse-related issue. For example, you could ask what resources the host has in place to help customers whose servers are hacked or compromised. If the ISP fails to answer the email within a few days, or if the message is rejected for any reason, they may also ignore other email to their abuse contact. If the ISP answers, that should definitely be taken as a good sign.
Remember that, in addition to accepting spam and abuse complaints, the abuse team at an ISP should take proactive measures to ensure that it finds out about any spam or abuse on its network and can take quick action to stop it. A good ISP abuse team subscribes to feedback loops -- automated near-real-time spam reports offered by a number of large ISPs and anti-abuse organizations. A good ISP abuse team also configures its network to discourage spam, and watches its network for signs that an IP or server is sending more email than it should, or is receiving high levels of traffic to unexpected web URLs or unexpected ports. An abuse team is expected to handle spam complaints and abuse reports, and to supervise issues until they are resolved.
For example, if a server at an IP address on the ISP's network is infected by spam-sending malware, an abuse desk should see the spike in traffic from that server. If the spam is sent to a large ISP that offers a feedback loop, or to honeypot email addresses owned by a reputation service, the abuse desk should notice the increased spam in the feedback loops that it subscribes to. A power user (such as somebody who runs their own mail server) might also report the spam to the ISP abuse contact. Because of these and other resources, the ISP abuse team should be aware of the situation and able to shut down the infected server quickly, preventing further spam and further risk to innocent users until the server is secured.
Look with suspicion at ISPs whose abuse issues are handled by the same team that handles ordinary customer support issues. Effective management of abuse requires a different skill set than customer support. The goal of a customer support representative is to resolve problems that the customer has with the service. The goal of an abuse team is to resolve problems that the customer is causing to the community. Because of the different and possibly even conflicting focus of the two teams, abuse and customer support functions should be separate even at a small ISP. A medium-sized or large ISP should have a completely independent team responsible for security and abuse. This team should work in close contact with administration and sales, and be able to terminate abusive customers and prevent repeated signups of such people.
Consider changing your ISP if your current ISP does not appear to handle abuse and security issues properly. You do not want to find your email blocked because your ISP tolerates spam and abuse on the same network that you use. Like driving a car without insurance, ignoring abuse issues appears cheaper initially, but can prove to be extremely expensive in the long run.
REJECT AS MUCH INBOUND SPAM AS POSSIBLE
The Spamhaus Project offers several IP address and domain databases that, if properly used, lower the amount of inbound spam reaching mailboxes to a very low level, without blocking any significant amount of legitimate mail. If mail volumes are not very high (see the usage terms), these databases can be used free of charge.
It is, however, very important that they are used properly. This boils down to:
All three of these components should be considered absolutely necessary. No new installation should be made without these three components in place.
See also: Effective spam filtering.
PREVENT OUTBOUND SPAM
Emission of spam is caused either by a person or unit within the organization that decides to send spam, or by a security problem that allows other people to send spam from your IP address. The first case has no technical solution; however, all employees working in marketing should be fully aware that every email address used for bulk mailings must have specifically requested to receive emails about your products or services through a confirmed opt-in procedure (for further information see our mailing lists page and the Marketing FAQs). In this note we want to address the second case, which is far more common.
The overwhelming majority of spam caused by security problems falls into one of the following four categories (that sometimes partially overlap):
While scanning machines with antivirus software is always a good thing, nowadays much malware evades detection by constantly changing. The best approach is to configure the network so that infected machines are simply unable to send mail outside, by means of firewalling. Our CBL FAQs give several suggestions in this direction, paying special attention to the case where NAT is used and trojans may have a direct negative impact on your legitimate mail flow. Basically, you should not allow any machine other than the mail server to initiate SMTP connections (destination port 25) towards external hosts. Only the mail server should be able to send mail. This measure renders trojans that bypass the mail server simply ineffective.
If your mail server allows it, define per-user limits on the number of messages that can be sent using authentication in a given period of time.
Besides mail servers, no device in your LAN (including routers) should have accounts with a default or very simple password, regardless of the protocol used (telnet, ftp, ssh, etc.): any unauthorized login is a potential source of abuse.
Again, maintaining good security of web applications and user passwords should help to prevent this. The article Stop spammers from exploiting your webserver! discusses the main issues related to web server security. The real winner is to make it impossible for the web server to send mail directly, forcing all outgoing mail generated by web applications to pass through an SMTP wrapper that uses authentication and writes the relevant injection information into the message headers.
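One way to build such an SMTP wrapper, as an added example that is not code from the Spamhaus article: the web application hands the message to this script instead of a local sendmail, the wrapper strips any provenance headers the application may have forged, stamps the calling script, client address and user into the headers (the X-Web-* header names, the argument interface and the mail server details are assumptions), and submits through the organisation's mail server with authentication over STARTTLS.

```python
import smtplib
import ssl
import sys
from email import message_from_bytes

# Header names are an assumption for this example, not an established standard.
PROVENANCE_HEADERS = ("X-Web-Script", "X-Web-Remote-Addr", "X-Web-User")

# Constructed sample message, including a forged provenance header from the application.
SAMPLE_RAW = (b"From: Web Form <webapp@example.org>\nTo: sales@example.org\n"
              b"Subject: Contact form\nX-Web-Script: /forged/path.php\n\nHello\n")


def stamp_message(raw_bytes, script_path, remote_addr, app_user):
    """Parse the message a web application handed over and record where it came from,
    so the abuse desk can trace spam back to the script and visitor that injected it."""
    msg = message_from_bytes(raw_bytes)
    for name in PROVENANCE_HEADERS:
        del msg[name]  # never trust provenance headers supplied by the application itself
    msg["X-Web-Script"] = script_path
    msg["X-Web-Remote-Addr"] = remote_addr
    msg["X-Web-User"] = app_user
    return msg


def submit(msg, host, port, username, password, envelope_from):
    """Hand the stamped message to the organisation's mail server over an
    authenticated, STARTTLS-protected submission session (port 587 by convention)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port) as session:
        session.starttls(context=ctx)
        session.login(username, password)
        session.send_message(msg, from_addr=envelope_from)


if __name__ == "__main__":
    # Assumed interface: the web server pipes the message on stdin and passes the
    # calling script, client address and application user as arguments.
    script, remote, user = sys.argv[1:4]
    stamped = stamp_message(sys.stdin.buffer.read(), script, remote, user)
    submit(stamped, "mail.example.org", 587, "webapp", "CHANGE-ME", "webapp@example.org")
```

Because every message now carries the injecting script and the visitor's address, a spam run through a vulnerable form can be attributed from the mail server logs and headers alone, and the wrapper's authenticated account can be rate-limited like any other user.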
MONITOR THE LOGS!
Spend a small fraction of your time, or set up automated mechanisms based for instance on email counts and the fraction of undelivered messages, to keep your mail server monitored. Discovering a problem and taking corrective action quickly, before the reputation of the IP address or domain starts to deteriorate, may save you time and reduce the impact of an incident on your normal mail flow.
Do not forget that spam sent through a web server will leave traces in the web server logs rather than the mail server logs, and that spam sent by malware normally bypasses the mail server and leaves no traces in any logs.
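An automated check of the kind described above, as an added example that is not code from the Spamhaus article: it ties each queue ID in Postfix-style logs to the authenticated (SASL) user who injected it, counts recipients and bounces per user, and flags users who send too much or whose mail bounces too often. The log lines are constructed for the example; the threshold values are assumptions to be tuned to your own traffic.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log lines (not from the article): smtpd records the SASL user
# for a queue ID, smtp records the outcome for each recipient of that queue ID.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postfix/smtpd[1201]: 7A1B2: client=host1[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Mar  3 10:01:03 mx postfix/smtp[1210]: 7A1B2: to=<bob@example.net>, relay=mx.example.net[198.51.100.5]:25, status=sent (250 ok)
Mar  3 10:02:10 mx postfix/smtpd[1201]: 8C3D4: client=host2[192.0.2.11], sasl_method=PLAIN, sasl_username=carol
Mar  3 10:02:11 mx postfix/smtp[1210]: 8C3D4: to=<x1@example.org>, relay=none, status=bounced (550 unknown user)
Mar  3 10:02:12 mx postfix/smtp[1210]: 8C3D4: to=<x2@example.org>, relay=none, status=bounced (550 unknown user)
Mar  3 10:02:14 mx postfix/smtp[1210]: 8C3D4: to=<x4@example.org>, relay=mx.example.org[203.0.113.9]:25, status=sent (250 ok)
"""

SASL_RE = re.compile(r": (?P<qid>[0-9A-F]+): client=.*sasl_username=(?P<user>\S+)")
DELIVERY_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<[^>]*>, .*status=(?P<status>\w+)")

def summarize(log_text):
    """Per authenticated user: recipients attempted and how many of them bounced."""
    qid_to_user = {}
    stats = defaultdict(lambda: {"recipients": 0, "bounced": 0})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            qid_to_user[m["qid"]] = m["user"]  # tie the queue ID to the SASL user
            continue
        m = DELIVERY_RE.search(line)
        if m and m["qid"] in qid_to_user:
            s = stats[qid_to_user[m["qid"]]]
            s["recipients"] += 1
            if m["status"] == "bounced":
                s["bounced"] += 1
    return dict(stats)

def alerts(stats, max_recipients=200, max_bounce_fraction=0.3, min_sample=20):
    """Flag users sending too much, or whose mail bounces too often (a classic sign of a
    compromised account being used to spam guessed addresses). Thresholds are assumptions."""
    found = []
    for user, s in sorted(stats.items()):
        if s["recipients"] > max_recipients:
            found.append((user, f"{s['recipients']} recipients exceeds {max_recipients}"))
        if s["recipients"] >= min_sample:
            fraction = s["bounced"] / s["recipients"]
            if fraction > max_bounce_fraction:
                found.append((user, f"bounce fraction {fraction:.2f} exceeds {max_bounce_fraction}"))
    return found

if __name__ == "__main__":
    for user, reason in alerts(summarize(SAMPLE_LOG), min_sample=3, max_bounce_fraction=0.5):
        print(f"ALERT {user}: {reason}")
```

Run it from cron over the last hour of mail logs; a user tripping either rule is a reason to suspend that account's submission rights before the IP's reputation suffers.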
We believe that an in-house mail server remains a viable solution for small organizations, and it should be the preferred one when privacy and confidentiality are considered important. While it remains true that there must be a system administrator knowledgeable in operating the mail system, this task should not be considered overwhelming once the points above are given consideration. All things considered, running your own mail server may turn out to be a very good investment.
A Survival Guide for the Small Mail Server
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.