Keeping Your Server Off Black Lists
From Computer Tyme Support Wiki
Latest revision as of 14:42, 7 October 2009
Preventing your email server from being blacklisted
Most spam filtering companies do the best they can to pass good email. Often there are problems where good email gets blocked. One of the factors that contributes to good email getting blocked is email servers that aren't properly configured. Doing it right makes a big difference, and many easy steps can keep you from getting blacklisted. It also makes your server a candidate for white listing, which will get you through some spam filters faster. We at Junk Email Filter encourage you to follow these guidelines to help us and our competitors deliver your good email.
Getting your Reverse DNS correct
One of the biggest things you can do is to get your reverse DNS correct. And to really do it right you need to have Forward Confirmed Reverse DNS set correctly. This is a very big step towards getting your email delivered correctly, so it's worth putting in the effort to get it right.
Reverse DNS (RDNS) is a host name that is returned when looking up an IP address. For example, let's say that your domain is called mydomain.com and your IP address is 1.2.3.4. The first step is to set a PTR record for 1.2.3.4 that returns mail.mydomain.com. Often you won't have control over this directly, but your hosting provider does. Ask them to set your RDNS for your IP address.
But setting the RDNS for your IP is just half of the job. The RDNS returns a host name for your IP address. But to do it right, that host name that is returned has to point back to the original IP. This is what is called Forward Confirmed RDNS or FcRDNS. The host name is an A record and is more likely to be under your control.
1.2.3.4 -> mail.mydomain.com (PTR record)
mail.mydomain.com -> 1.2.3.4 (A record)
Once your FcRDNS is correct then you can be white listed by host name in addition to by IP address. Some spam filters block IPs with no RDNS, and some even block you if FcRDNS isn't correct. But even if you aren't blocked, bad or missing RDNS counts against you and makes it more likely that your email will be mistakenly listed as spam.
Setting up your office email server
One problem that gets servers black listed is that small offices use the same IP address for their email server and the web traffic for the office computers. Small businesses often use a DSL service that gives them just one IP address, and use a small router to share that IP among several office computers.
The problem occurs when someone gets a virus that starts sending spam. The virus spam comes from the same external IP as your email server and your whole office is black listed. And it takes a lot of effort to clean yourself off everyone's black list even after you get rid of the virus. In fact - if this should happen to you it might be easier to ask your provider for a new IP rather than to try to get delisted from all the lists.
But - if you can avoid being listed in the first place that's even better. And setting up a firewall correctly can prevent you from being black listed even if someone gets a virus. Here are some tips to do that.
First - if you have more than one IP address make sure the email server has a different IP than the office IP. That way the polluted IP will be different than your email server.
If you are considering buying a DSL router or wireless router you might want to buy something a little more expensive than the cheapest thing out there. However a lot of inexpensive routers have powerful features so what's important is the features. What you need is the ability to set what ports are allowed to access what computers. The important port that email is sent on is port 25. That's the one to pay attention to.
Blocking outgoing traffic on port 25
The main trick is to block outgoing port 25 traffic on all computers except for your email server. That way a virus infected computer can't send email from your IP because it is blocked. Your users will be able to talk to your email server and it will send the email for them. I recommend using port 587 (submission) for this rather than port 25. 587 is a standard port for sending email from users to servers and is less likely to be blocked by the firewalls of others in case your staff is traveling and needs to connect to your email server for outgoing email. Generally port 587 email requires authentication (a password) and a virus wouldn't know the password to send email.
On the incoming side, if you are running a Windows based email server in particular you want to block all ports except for the ports that the email server needs to work. That will protect your email server from other port attacks should your server be vulnerable. Generally ports 25, 110, 143, 587, 993, and 995 should cover everything.
These settings will allow you to surf the web without the web surfing you. The important point here is that if your firewall is set up correctly it can block email from virus infected computers. It creates a layer so that even if you have virus problems it still won't get you black listed.
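As an added example (not code from the wiki page), the policy described in the last few paragraphs, modelled in Python: only the mail server may open outgoing connections to port 25, and from the Internet only the mail server is reachable, only on the ports listed above. The addresses, interface names and sample flows are constructed, and the iptables rendering is one possible translation of the policy, not something the page prescribes.

```python
from dataclasses import dataclass

# Added example, not code from the wiki page. It models the page's firewall
# policy for a small office behind one router. The addresses and interface
# names are constructed (192.0.2.0/24 is a documentation range).
MAIL_SERVER = "192.0.2.10"        # constructed LAN address of the office mail server
LAN = "192.0.2.0/24"              # constructed office network
LAN_IF, WAN_IF = "eth1", "eth0"   # assumed router interface names
MAIL_PORTS = (25, 110, 143, 587, 993, 995)   # the ports the page says to allow in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    direction: str   # "out": a LAN host opening a connection to the Internet; "in": the reverse


def decide(flow):
    """Return 'allow' or 'block' for a new TCP connection under the policy."""
    if flow.direction == "out":
        # A virus-infected desktop talking SMTP straight to the Internet is the
        # case the page warns about, so port 25 is reserved for the mail server.
        if flow.dport == 25 and flow.src != MAIL_SERVER:
            return "block"
        return "allow"
    if flow.direction == "in":
        # Travelling staff reach the mail server on 587 (authenticated submission);
        # nothing else on the LAN accepts connections from outside.
        if flow.dst == MAIL_SERVER and flow.dport in MAIL_PORTS:
            return "allow"
        return "block"
    raise ValueError(f"unknown direction {flow.direction!r}")


def iptables_rules():
    """One way to express the same policy as Linux iptables FORWARD-chain rules."""
    ports = ",".join(str(p) for p in MAIL_PORTS)
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # the REJECT for port 25 must come before the general LAN ACCEPT
        f"iptables -A FORWARD -i {LAN_IF} -p tcp --dport 25 ! -s {MAIL_SERVER} -j REJECT",
        f"iptables -A FORWARD -i {LAN_IF} -s {LAN} -j ACCEPT",
        f"iptables -A FORWARD -i {WAN_IF} -o {LAN_IF} -d {MAIL_SERVER} -p tcp "
        f"-m multiport --dports {ports} -j ACCEPT",
    ]


if __name__ == "__main__":
    # Constructed sample flows: an infected desktop, the mail server, a browser, travelling staff.
    samples = [
        Flow("192.0.2.23", "203.0.113.7", 25, "out"),
        Flow(MAIL_SERVER, "203.0.113.7", 25, "out"),
        Flow("192.0.2.23", "203.0.113.7", 443, "out"),
        Flow("198.51.100.9", MAIL_SERVER, 587, "in"),
        Flow("198.51.100.9", MAIL_SERVER, 3389, "in"),
    ]
    for f in samples:
        print(f, "->", decide(f))
    print("\n".join(iptables_rules()))
```

The evaluator is what a desktop with a spam-sending virus runs into: its connection to port 25 is blocked while the mail server's is allowed, so the office IP never becomes the source of the virus spam.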
Keep computers updated
Often vulnerabilities are found and fixed and if you download and install these updates you will be reasonably protected. However if you don't do the updates then the bad guys will find you and you'll get hit. So do the updates and hope for the best.
Server configuration Settings and Practices
Setting up your server can be done in a variety of ways. Many of these ways don't follow the SMTP rules. Some do follow the rules but are not the best way to do things so that your server doesn't look like a spam source.
Setting your HELO string correctly
If you have a HELO setting, set the HELO name to some legitimate host name that actually exists. If your HELO is "sparky" you're likely to be rejected as spam. But if your HELO string is "mail.mydomain.com" then that would be a good HELO string. The best practice is for the HELO to match the RDNS of the sending IP. The HELO should never be anything that ends in .local, because those are local-network names, not public host names.
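The checks from the reverse DNS section and the HELO section above, as one added example in Python (not code from the wiki page): classify a sending IP as having no RDNS, RDNS only, or forward-confirmed RDNS, and list what a receiver would dislike about a HELO string. The lookup functions are injectable so the code runs offline against the constructed records at the bottom (192.0.2.0/24 is a documentation range); the defaults use the system resolver via the socket module.

```python
import ipaddress
import socket

# Added example, not code from the Computer Tyme wiki page. It checks the two
# things the page asks for: Forward Confirmed Reverse DNS (PTR -> name -> A
# record that contains the original IP) and a HELO string that is a real,
# fully qualified host name, not a .local name, matching the sending IP's RDNS.


def default_ptr_lookup(ip):
    """Return the PTR (reverse DNS) name for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None


def default_a_lookup(name):
    """Return the sorted list of IPv4 addresses that name resolves to."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns_status(ip, ptr_lookup=default_ptr_lookup, a_lookup=default_a_lookup):
    """Classify ip as ('no-rdns', None), ('rdns-only', name) or ('fcrdns', name)."""
    ipaddress.ip_address(ip)          # reject malformed input early
    name = ptr_lookup(ip)
    if not name:
        return "no-rdns", None
    if ip in a_lookup(name):          # the PTR name must point back to the IP
        return "fcrdns", name
    return "rdns-only", name


def helo_problems(helo, ip, ptr_lookup=default_ptr_lookup, a_lookup=default_a_lookup):
    """Return the reasons a HELO string would look bad to a receiver (empty list = fine)."""
    problems = []
    name = helo.strip().rstrip(".").lower()
    if "." not in name:
        problems.append("HELO is a bare name, not a fully qualified host name")
    elif name.endswith(".local"):
        problems.append("HELO ends in .local, a local-network name that does not exist publicly")
    elif not a_lookup(name):
        problems.append("HELO host name does not resolve to any address")
    status, rdns = fcrdns_status(ip, ptr_lookup, a_lookup)
    if status != "fcrdns":
        problems.append(f"sending IP {ip} has {status}; fix its PTR and A records")
    elif rdns != name:
        problems.append(f"HELO {name!r} does not match the RDNS {rdns!r} of {ip}")
    return problems


# Constructed records standing in for what the resolver would return for a
# correctly set up mail host and for a DSL address whose PTR does not confirm.
SAMPLE_PTR = {"192.0.2.4": "mail.mydomain.com", "192.0.2.5": "dsl-5.isp.example"}
SAMPLE_A = {"mail.mydomain.com": ["192.0.2.4"], "dsl-5.isp.example": ["192.0.2.99"]}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)


def sample_a(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for helo, ip in [("mail.mydomain.com", "192.0.2.4"), ("sparky", "192.0.2.4"),
                     ("box.local", "192.0.2.6"), ("dsl-5.isp.example", "192.0.2.5")]:
        print(helo, ip, fcrdns_status(ip, sample_ptr, sample_a),
              helo_problems(helo, ip, sample_ptr, sample_a) or "ok")
```

Run against the system resolver by calling `fcrdns_status("your.ip.here")` with the default lookups; the "rdns-only" result is the half-finished case the page describes, where the PTR exists but the A record for that name points elsewhere.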
Avoid wildcard or catchall email accounts
People often set up wildcard or catchall accounts to catch any email that does not match other email accounts. Although it's legal to do this it's not a good practice. Many servers use sender address verification to verify good email addresses. If you have a catchall account then all addresses will appear to be good. This attracts spammers to spoof your domain for sending spam because your domain will pass sender verification. If a spammer spoofs you, servers might start rejecting your good email because of the volume of spam received from the spammers spoofing your domain.
By restricting your list of good email addresses to a finite list, your domain will be less attractive to spoofing. And email sent to addresses that don't exist will be rejected, which should reduce the burden on your spam filter to determine if these emails are real or not.
Make sure your FROM address actually exists
Often web applications that send email use a from address like apache@mydomain.com, and if the email address doesn't exist (can't receive email) then it fails verification and the email is bounced. Any email address used to send email should verify as a good address on your system, even if it is ultimately a blackhole account. So if you are sending from do-not-reply@mydomain.com make sure that email address works on some level.
Always use a TO address
Email should be addressed TO someone and have a TO header. Although it might be legal not to include it, not having a TO header increases your chances of being blocked.
Never reject email on a 4xx error
Some email servers bounce email when the other server sends a 4xx response. A 4xx error is a temporary error and it means "I'm not ready to receive your email at this time, come back later". Your server should do a reasonable number of retries before giving up.
Use good passwords
Sometimes hackers send spam through your server by guessing weak passwords of accounts on your server. If you have an account abe@mydomain.com with password "abe" you will be hacked. Avoid common words and short passwords. Mixed case, numbers, spaces, and punctuation characters make your passwords stronger.
Avoid short timeouts
Sometimes the recipient email server uses delays or takes a long time to process email. Your server should allow for the recipient to be slow without timing out.
Avoid sending email too fast
If you are sending a lot of email to one recipient server try to avoid sending it too fast. Sometimes you might overload a small server or you might be mistaken for a spammer.
Clean your email lists of old bad email accounts
If you have a big email list clean out the bad accounts. Email list management programs like Mailman are self cleaning. They remove list members after a message bounces a number of times. You could accidentally get black listed by sending email to dead email accounts.
Always close your connection with the QUIT command
Some email distributors try to send email faster by skipping the QUIT command to close the connection. Don't do that! It will likely get you black listed because more spam traps are looking for that QUIT.
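The four sending-side rules above (retry on 4xx rather than bounce, allow a generous timeout, pace messages to one server, always send QUIT) as one added Python example. This is not code from the wiki page; the `ScriptedServer` is a constructed stand-in for the remote server so the loop runs offline, and the `greeting()`/`cmd()`/`send_data()`/`close()` interface is an assumption of this example, not a library API. A real connection object would wrap `socket.create_connection((host, 25), timeout=300)` and read reply lines.

```python
import time

# Added example, not code from the wiki page. A small SMTP delivery loop:
# a 4xx reply defers the message and it is retried (only 5xx bounces), the
# timeout lives in the connection factory, messages are paced, and QUIT is
# always sent, even after a failed attempt.


class ScriptedServer:
    """Constructed fake remote SMTP server: answers RCPT TO from a script, counts QUITs."""

    def __init__(self, rcpt_codes):
        self.rcpt_codes = list(rcpt_codes)  # reply code for each RCPT TO, in order
        self.quits = 0
        self.transcript = []

    def greeting(self):
        return 220, "mx.example ESMTP"

    def cmd(self, line):
        self.transcript.append(line)
        verb = line.split(None, 1)[0].upper()
        if verb == "QUIT":
            self.quits += 1
            return 221, "bye"
        if verb == "RCPT":
            code = self.rcpt_codes.pop(0) if self.rcpt_codes else 250
            return code, "ok" if code < 400 else "try later"
        if verb == "DATA":
            return 354, "end with ."
        return 250, "ok"

    def send_data(self, body):
        return 250, "queued"

    def close(self):
        pass


def _outcome(code):
    """4xx means 'come back later'; 5xx (or anything unexpected) is a permanent failure."""
    return "deferred" if 400 <= code < 500 else "bounced"


def deliver_once(conn, helo, sender, recipient, body):
    """One delivery attempt; returns 'delivered', 'deferred' or 'bounced'. QUIT is always sent."""
    try:
        code, _ = conn.greeting()
        if code >= 400:
            return _outcome(code)
        for line in (f"HELO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{recipient}>", "DATA"):
            code, _ = conn.cmd(line)
            if code >= 400:
                return _outcome(code)
        code, _ = conn.send_data(body)
        return "delivered" if code < 400 else _outcome(code)
    finally:
        conn.cmd("QUIT")   # close politely even after a failure
        conn.close()


def deliver(connect, helo, sender, recipient, body, max_attempts=5, retry_wait=0.0, pause=0.0):
    """Retry deferred messages up to max_attempts times; return (final status, attempt history).
    retry_wait is the delay between attempts and pause the gap before the next message to the
    same server; both default to 0 so the example runs instantly (real values are minutes)."""
    history = []
    for _ in range(max_attempts):
        status = deliver_once(connect(), helo, sender, recipient, body)
        history.append(status)
        if status != "deferred":
            break
        time.sleep(retry_wait)
    time.sleep(pause)
    return history[-1], history


if __name__ == "__main__":
    # Constructed scenario: the first RCPT TO gets a 451 (greylisting-style), the retry succeeds.
    srv = ScriptedServer([451, 250])
    print(deliver(lambda: srv, "mail.mydomain.com", "bob@mydomain.com",
                  "amy@example.org", "Subject: hi\r\n\r\nhello"))
    print("QUITs sent:", srv.quits, "transcript:", srv.transcript)
```

The `finally` block is the point of the example: whatever reply the remote side gives, the connection is ended with QUIT, and a 4xx reply only ever leads to another attempt, never to a bounce.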
ISPs should use a different domain for sending their internal email
If you are an ISP, use a different domain for email from you than the public uses. For example, yahoo.com is for Yahoo users. But email from the company comes from yahooinc.com which is a different domain. If you have internal email servers that send out billing and never spam - and you have users who sometimes spam - use different servers so that your business server wouldn't get blacklisted because one of your customers misbehaved.
Do not send spam
This should be obvious but if you send unsolicited email to a large number of people who don't want it then those people are going to complain and when enough people complain about your email then your server is going to end up on a black list. So even though you might have bought what you think is a good list or you have a cause that you think is so important that everyone should hear it, if you get a lot of complaints then you are defeating your ability to send email.
What to do if your server is blacklisted
Sometimes it happens that you were hacked or otherwise compromised and your server got blacklisted. What do you do? You have 2 choices: you can either go to each blacklist and get removed, or you can change your IP address. Some blacklisting services provide an easy form to get removed. Others do not. There are times when it is nearly impossible to get off of black lists. So sometimes just changing your IP is the easiest solution. If you change your IP address, be sure to remember to get your RDNS correct.