Major ISPs Publish Anti-Spam Best Practices

wayne writes "The ASTA, an alliance of major ISPs, has just published a set of best practices to help fight spam. The list of ISPs includes the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast. The recommendations include such things as limiting port 25 use, rate limiting email, closing redirectors and open relays, and detecting zombies. For details, see the ASTA Statement of Intent (pdf) or any of the ISPs' antispam websites."
  • by tstoneman ( 589372 ) on Tuesday June 22, 2004 @02:09PM (#9497411)
    I am thinking about setting up my own personal mail server for my small business.

    Is there a guideline that can help me figure out what steps I need to take to harden my mail server?

    I will be using either Postfix or Microsoft Exchange.
  • by Raul654 ( 453029 ) on Tuesday June 22, 2004 @02:10PM (#9497418) Homepage
    How many of those ISPs were caught in pink contracts? [catb.org]
  • by Bronster ( 13157 ) <slashdot@brong.net> on Tuesday June 22, 2004 @02:12PM (#9497447) Homepage
    Makes me really glad that I push all my email backwards and forwards through an openvpn [sf.net] connection to my mail server now. As long as my ISP doesn't block UDP port *mumble* I'll be fine.

    My wife was not so lucky. She was unable to send email a few weeks ago when our cable modem provider instituted outbound port 25 blocking. Luckily it's really easy to set postfix up to listen for smtp on another port as well - one quick config change and she was back in business. I'm planning to install openvpn for Windows on her box one of these days.
  • Re:Whatever... (Score:3, Interesting)

    by IamGarageGuy 2 ( 687655 ) on Tuesday June 22, 2004 @02:17PM (#9497496) Journal
    That would be the way to go... but unfortunately life doesn't work that way. SMTP is so entrenched everywhere that writing a new spec is like making a new internet. In theory, it's easy, in reality everybody would bitch that their email doesn't work.
  • What about laptops (Score:2, Interesting)

    by Marrow ( 195242 ) on Tuesday June 22, 2004 @02:23PM (#9497569)
    If port 25 is being blocked and you don't want users to change their outgoing SMTP servers all the time, what is the best way to have reliable email on laptops?

    Is VPN the only way to make mail reliable and consistent on laptops?
  • by aardwolf204 ( 630780 ) on Tuesday June 22, 2004 @02:34PM (#9497696)
    As a mail administrator for a medium size company I've had to deal with residential broadband ISPs blocking access to port 25 a lot lately. It was a headache explaining to employees that work at home, at the office, and at customer sites, that they must change their outgoing SMTP setting in Outlook depending on their location. This is a true PITA as lots of times you're not supplied with that information (or at least it is not obvious to the non-technical people), for example, internet access in hotel rooms.

    For a while the quick and dirty solution was to use webmail when in doubt but we needed something that people could live with and as much as I dislike M$ Outlook it's a lot better than Horde, Neo, or Squirrel Mail (IMO).

    My 80% solution now is to handle SMTP on both ports 25 and, hehe, 26. So far so good, I'm able to go between the office and home on my laptop with no problems whereas before Cox Cable wouldn't let me get to our SMTP server.

    I'm wondering what other admins have had to do in this situation. I know I'm not alone here. And how do you think it will affect the propagation of spam in the future?
  • by LehiNephi ( 695428 ) on Tuesday June 22, 2004 @02:36PM (#9497705) Journal
    Attacking the source of the money--that, I believe, is the only way to kill spam.

    That's why I run Unsolicited Commando [astrobastards.net]. It fills the inboxes of companies that pay for spam with spurious form fill-outs. I guess it's kind of like giving them a taste of their own medicine.
  • by warpSpeed ( 67927 ) <slashdot@fredcom.com> on Tuesday June 22, 2004 @02:58PM (#9498007) Homepage Journal
    Makes me really glad that I push all my email backwards and forwards through an openvpn connection to my mail server now.

    Openvpn rocks! I have started to use it for clients that I relay mail for, and back their systems up remotely. It works with Win32-Linux, Windows-Win32, Linux-Linux.

    I run open VPN on my laptop and tunnel back to the mothership for access to all my local services at home too.

    I have converted a few people using remote laptops over to it for various applications and it is pretty solid.

    To stay on topic here, openvpn is a great tool to overcome the limitations of using many mail servers out there.

  • by plcurechax ( 247883 ) on Tuesday June 22, 2004 @02:58PM (#9498011) Homepage
    As a mail administrator for a medium size company I've had to deal with residential broadband ISPs blocking access to port 25 a lot lately. It was a headache explaining to employees that work at home, at the office, and at customer sites, that they must change their outgoing SMTP setting in Outlook depending on their location. This is a true PITA as lots of times you're not supplied with that information (or at least it is not obvious to the non-technical people), for example, internet access in hotel rooms.

    Um. Shouldn't you be fixing the problem, which is that you want these remote users to act as if they are part of your trusted corporate network? When you look at it this way, you realise that the best (and far more secure) solution is to be using a VPN into a DMZ that can access limited services needed for tele-commuters and road warriors.
  • target audience (Score:4, Interesting)

    by earlytime ( 15364 ) on Tuesday June 22, 2004 @02:59PM (#9498024) Homepage
    While the authors say the target audience includes "ISPs and mailbox providers", the list of recommendations reads like a wishlist for large ISPs and email hosters. These are the things that hotmail, yahoo and earthlink want us to do so they don't get as much spam. There is very little in their recommendations that will help me get less spam. If I could use spf to know where hotmail, msn and yahoo send mail from, I'd be able to reject 30% of the spam my organization receives. This isn't on the list of recommendations, although aol, earthlink, and gmail all do publish spf records.

    It's very hard for any mail administrator to block mail from these large domains, because so much of the legitimate mail comes from their actual servers (wherever these are). I'd be happy to reject all mail addressed from msn.com or yahoo.com, but my users would see a huge increase in false positives. It's a no brainer to drop messages addressed from dailyoffers.com because I don't see any legit mail addressed from this domain anyway.
  • Re:Don't forget SPF (Score:4, Interesting)

    by Dimensio ( 311070 ) <darkstar@LISPiglou.com minus language> on Tuesday June 22, 2004 @03:03PM (#9498080)
    I even noticed my ISP, Verizon, who tend to be quite lazy and stupid when it comes to spam (and other things), have added an SPF record.

    I wouldn't call Verizon "lazy and stupid" when it comes to spammers on their network. I would call them "criminally negligent".

    They had a spammer's website on their network for over a month. The spammer was selling a product that was blatantly illegal (digital cable descrambler). The only possible way that their product could have been legal was if it did not function as advertised, and then they would have been committing advertising fraud, so either way they were breaking the law and Verizon was allowing it to happen on their network. After a MONTH of daily complaints about the site, it only disappeared AFTER I set up a webpage documenting Verizon's open support of criminal activity and started advertising it in my .signature file.

    No legal threats were ever issued to me. I guess that Verizon knew that I had truth on my side.
  • by linuxwrangler ( 582055 ) on Tuesday June 22, 2004 @03:13PM (#9498187)
    This was just a bunch of fluff. I was hoping for some meat. The big ISPs have enough clout that if they force the issue of good practices everyone will have to adapt and the people who will have to adapt are those with broken non-RFC compliant servers.

    Best practices can encompass the RFCs and extend them to, well, best practices.

    For example:

    Per RFCs every place a domain is used it must be fully qualified and resolvable. In addition, the EHLO is supposed to be the primary hostname of the sending machine.

    Anti-spam best practice might say that the machine name must resolve back to the connecting IP. Even better, the reverse entry for the IP must include the correct hostname. This way a receiving machine can determine who the sender claims to be, that the DNS entry for that name matches the IP (anyone can spoof the header but it's lots harder to get to the DNS of a legit operation) and that the reverse DNS shows the correct hostname (which would be harder on those who have low-end connections where they don't have control over the reverse DNS entries but no problem for most IT operations - anyone with a small operation can send through their ISP anyway).

    If the major ISPs required just these items to match there would be a brief period of pain while everyone scrambles to fix broken systems but the gains from stopping viruses and spam would be enormous and tracing back to and blocking the remaining spam would be easier.

    I also saw nothing about information sharing among the large ISPs so they could quickly act against a spammer or quickly disable the web accounts to which the spam is directing people (carefully, of course, or fake spam could be a means of a DOS attack).

    Similarly, there was no mention of blocking email where the from address doesn't match the ISP. A couple years ago I dealt with massive backscatter from spam sent by an Earthlink customer THROUGH the Earthlink server. I tried to get an answer from them on why they were allowing someone to send out email "from" our domain when they have no relationship to us. Silence. Sure this is a pain for some people but people who want legitimate extra services can sign up for them. It's not so different than paying for static extra IPs. If you want to send from a different domain we'll unblock it for you for a small monthly fee after determining that you are authorized to represent that domain.

    This just scratches the surface but all in all this "best practices" is a joke.
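
The three checks proposed in the comment above (fully qualified, resolvable EHLO name; name resolves to the connecting IP; reverse DNS for that IP includes the name), as an added example that is not part of the original post. The DNS tables, hostnames, addresses and reason strings are constructed for illustration so the check runs offline.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges, example domains).
# A real deployment would ask a resolver instead of these tables.
FORWARD = {  # hostname -> A records
    "mail.example.org": ["192.0.2.10"],
    "mx.example.net": ["198.51.100.7"],
}
REVERSE = {  # IP -> PTR records
    "192.0.2.10": ["mail.example.org"],
    "198.51.100.7": ["dsl-7.pool.example.net"],
    "203.0.113.99": ["host99.example.com"],
}


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_helo(helo, peer_ip, forward=FORWARD, reverse=REVERSE):
    """Apply the three checks from the comment; return (verdict, reasons)."""
    reasons = []
    name = norm(helo)
    peer = str(ipaddress.ip_address(peer_ip))
    # 1. The EHLO name must be a fully qualified, resolvable hostname
    #    (bare labels and [address literals] do not qualify).
    if "." not in name or name.startswith("["):
        reasons.append("helo-not-fqdn")
    addrs = forward.get(name, [])
    if not addrs:
        reasons.append("helo-unresolvable")
    # 2. The name must resolve back to the connecting IP.
    elif peer not in addrs:
        reasons.append("helo-ip-mismatch")
    # 3. The reverse (PTR) entry for the IP must include that hostname.
    ptrs = [norm(p) for p in reverse.get(peer, [])]
    if name not in ptrs:
        reasons.append("ptr-mismatch")
    return ("pass" if not reasons else "fail", reasons)
```

The second sample host (forward record correct, generic pool PTR) is the "low-end connection without control over reverse DNS" case the comment mentions: it fails only the third check.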
  • by Brandybuck ( 704397 ) on Tuesday June 22, 2004 @03:30PM (#9498378) Homepage Journal
    I get my DSL through Earthlink, but my domain is hosted elsewhere. So I don't ever use my Earthlink email address. The ONLY legitimate email coming to that address is my monthly billing statement. And for the last few years, that's pretty much all I got. Sometimes Earthlink itself would send me spam, but it was nothing an embarrassing submission to abuse@earthlink.com couldn't handle.

    But they recently stopped their server-side spam filtering (Spaminator(tm)) and replaced it with client-side plugins. Overnight I started receiving thirty spams a day to an account that I have NEVER used. Besides the general annoyance that they are shuffling off anti-spam responsibilities to the customer, their plugins are for Windows Outlook and webmail only. (They say it's for Mac as well, but that's only a euphemism for "you must use webmail"). This is unacceptable.
  • by schnarff ( 557058 ) <alex&schnarff,com> on Tuesday June 22, 2004 @04:11PM (#9498905) Homepage Journal
    One major question anyone reading this has to ask is -- what constitutes a "legitimate need" to run a mail server (people meeting this condition are those who ISPs should open port 25 for, according to the official doc). I run my own mail server, and have since 2000; additionally, I give out accounts to any of my friends and family that want them. The reason I do this, and the reason people get accounts on my box, is the lack of (unreasonable) restriction I impose on them: no mailbox size limit, no outbound mail size limit, as many aliases as they feel like (of course, I don't run an open relay, and I'd cancel an account instantly if I found someone spamming through it). If I were forced to move to some hosted solution, I would lose a lot of features, and have to pay to boot.

    So is it necessary for me to run a mail server? No, I could technically survive without my own. Would it be a travesty if I were forced to switch to cut off spammers? Hell yes!

    So until they draw the line on who "needs" to run a mail server, I can't possibly support this concept (or at least the port 25 restrictions piece of it).
  • by Not_Wiggins ( 686627 ) on Tuesday June 22, 2004 @04:16PM (#9498981) Journal
    How is that any different except you have to update your aliases file (or whatever config) anytime you wish to create a new ID?

    At least I can just log onto amazon and create me+amazon@myrealdomain.com without a thought.

    Or, are you saying that mail to whomever1@whatever.com, whomever2@whatever.com will always forward on to you@myrealdomain.com?

    It essentially is the same problem as having your "real" (final) e-mail address out there for the world to see... maybe worse, if you have it set up as a "catch-all." Filtered into a separate mailbox, you're still getting all the spam.

    But, I think you'll agree, the solution isn't really in either of our setups... it is in nailing the spamming bastards to the walls. That would require better authentication/validation of sender identity and location. At least if we could trace the mail back to a real person, things would change in more of a hurry.

    BTW, have you thought about implementing grey-listing in your postfix config? (Just in case you're not familiar: it associates a triplet with incoming mail... the sender, the receiver, and the originating IP). First time it sees a triplet, it logs it and rejects it with a 450 (temporary) error. Most spammers never bother with retries, so it can effectively bounce messages out. Real mail programs will retry... and on the second (and future) attempts, it'll just go through. Sure, it delays the mail a little, but it weeds out a *lot* of spam. 8)
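
The greylisting logic described in the comment above, as an added example that is not part of the original post and is not Postfix code. The class, the constructed delivery attempts and the two timers (`min_delay`, `max_age`) are assumptions: the comment only describes "reject the first attempt with 450, accept retries".

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    min_delay: int = 300       # assumption: a retry only counts after this many seconds
    max_age: int = 36 * 3600   # assumption: pending triplets expire if never retried
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    passed: set = field(default_factory=set)     # triplets that retried correctly

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply (code, text) for one delivery attempt."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return (250, "ok")
        first = self.pending.get(triplet)
        if first is None or now - first > self.max_age:
            self.pending[triplet] = now  # log it and ask the sender to retry
            return (450, "greylisted, try again later")
        if now - first < self.min_delay:
            return (450, "retry too soon")
        del self.pending[triplet]
        self.passed.add(triplet)
        return (250, "ok")


# Constructed sample attempts: (time in seconds, client IP, sender, recipient)
ATTEMPTS = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.com"),  # real MTA, first try
    (5,    "203.0.113.99", "promo@example.net", "bob@example.com"),  # never retries
    (60,   "192.0.2.10",   "alice@example.org", "bob@example.com"),  # retry, too early
    (900,  "192.0.2.10",   "alice@example.org", "bob@example.com"),  # proper retry
    (5000, "192.0.2.10",   "alice@example.org", "bob@example.com"),  # later mail, known triplet
]


def replay(attempts, gl=None):
    """Feed attempts through a greylist and return the reply codes in order."""
    if gl is None:
        gl = Greylist()
    return [gl.check(ip, s, r, now=t)[0] for t, ip, s, r in attempts]
```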
  • by eaolson ( 153849 ) on Tuesday June 22, 2004 @04:36PM (#9499263)

    I understand that there is no silver bullet to end spam. But a recommendation that this document does not address is the hosting of the web site advertised in the email. If spammers also could not find places to host their sites, the utility of spam (to the spammer) would significantly decrease.

    The irony is that Yahoo appears to be fairly spammer-website friendly. They kill abusive Geocities pages fairly rapidly, but paying users appear to be basically bulletproof.

    I've got one pet spammer (http://suburbanexpress.site.yahoo.net/) that's been hosted from Yahoo and spamming from an Ameritech DSL line since November, and neither will do anything about it.

  • by GorillaButt ( 763889 ) on Tuesday June 22, 2004 @09:41PM (#9502263)
    Not so. Many forms of spam today have ZERO websites advertised like Diploma spam with phone numbers, Stock tips which simply advertise the ticker symbol, and a host of phishing and 419 scams. I do agree that sites should be shut down, but it is a secondary issue. We need to shut off the source of where the spam comes from and work back to the spammer him or herself.
