Keeping Your Server Off Black Lists

From Computer Tyme Support Wiki

(Difference between revisions)
Jump to: navigation, search
(Avoid wildcard or catchall email accounts)
(Always use a TO address)
Line 61: Line 61:
Email should be addressed TO someone and have a TO header. Although it might be legal not to include it, not having a TO header increases your chances of being blocked.
Email should be addressed TO someone and have a TO header. Although it might be legal not to include it, not having a TO header increases your chances of being blocked.
 +
 +
=== Never reject email on a 4xx error ===
 +
 +
Some email servers bounce email when the other server sends a 4xx response. A 4xx error is a tempory error and it means "I'm not ready to receive your email at this time, come back later". Your server should do a reasonable number of retries before giving up.

Revision as of 17:54, 28 August 2009

Contents

Preventing your email server from being blacklisted

Most spam filtering companies do the best they can to pass good email. Often there are problems where good email gets blocked. One of the factors that contributes to good email getting blocked are email servers that aren't properly configured. Doing it right makes a big difference and many easy steps can keep you from getting blacklisted. And it makes your server a candidate for white listing which will get you through some spam filters faster. We at Junk Email Filter encourage you to follow these guidelines to help us and our competitors deliver your good email.

Getting your Reverse DNS correct

One of the biggest things you can do is you get your reverse DNS correct. And to really do it right you need to have Forward Confirmed Reverse DNS set correctly. This is a very big step towards getting your email delivered correctly so it's worth putting out the effort to get it right.

Reverse DNS (RDNS) is a host name that is returned when looking up an IP address. For example, lets say that your domain is called mydomain.com and your IP address is 1.2.3.4. The first step is to set a PTR record for 1.2.3.4 that returns mail.mydomain.com. Often you won't have control over this directly but your hosting provider does. Ask them to set your RDNS for your IP address.

But setting the RNDS for your IP is just half of the job. The RDNS returns a host name for your IP address. But to do it right that host name that is returned has to point back to the original IP. This is what is called Forward Confirmed RDNS or FcRDNS. The host name is an A record and more likely under your control.

1.2.3.4 -> mail.mydomain.com - PTR Record
mail.mydomain.com -> 1.2.3.4 - A record

Once your FcRDNS is correct then you can be white listed by host name in addition to by IP address. So spam filters block IPs with no RDNS and some even block you if FcRNDS isn't correct. But even if you aren't blocked then bad or missing RDNS counts against you and makes it more likely that your email will me mistakenly listed as spam.

Setting up your office email server

One problem that gets servers black listed is that small offices use the same IP address for their email server and the web traffic for the office computers. Small businesses often use a DSL service and just has one IP address and uses a small router to share that IP for several office computers.

The problem occurs when someone gets a virus that starts sending spam. The virus spam comes from the same external IP as your email server and your whole office is black listed. And it takes a lot of effort to clean yourself off everyone's black list even after you get rid of the virus. In fact - if this should happen to you it might be easier to ask your provider for a new IP rather than to try to get delisted from all the lists.

But - if you can avoid being listed in the first place that's even better. And setting up a firewall correctly can prevent you from being black listed even if someone gets a virus. Here's some tips to do that.

First - if you have more than one IP address make sure the email server has a different IP than the office IP. That way the polluted IP will be different than your email server.

If you are considering buying a DSL router or wireless router you might want to buy something a little more expensive than the cheapest thing out there. However a lot of inexpensive routers have powerful features so what's important is the features. What you need is the ability to set what ports are allowed to access what computers. The important port that email is sent on is port 25. That's the one to pay attention to.

Blocking outgoing traffic on port 25

The main trick is to block outgoing port 25 traffic on all computers except for your email server. That way a virus infected computer can't send email from your IP because it is blocked. Your users will be able to talk to your email server and it will send the email for them. I recommend using port 587 (submission) for this rather than port 25. 587 is a standard port for sending email from users to servers and is less likely to be blocked by the firewalls of others in case your staff is traveling and needs to connect to your email server for outgoing email. Generally port 587 email requires authentication (a password) and a virus wouldn't know the password to send email.

On the incoming side, if you are running a Windows based email server in particular you want to block all ports except for the ports that the email server needs to work. That will protect your email server from other port attacks should your server be vulnerable. Generally ports 25, 110, 143, 587, 993, and 995 should cover everything.

These setting will allow you to surf the web without the web surfing you. The important point here is that if your firewall is set up correctly it can block the email from virus infected computers. It creates a layer so that even if you have virus problems it still won't get you black listed.

Keep computers updated

Often vulnerabilities are found and fixed and if you download and install these updates you will be reasonably protected. However if you don't do the updates then the bad guys will find you and you'll get hit. So do the updates and hope for the best.

Server configuration Settings and Practices

Setting up your server can be done in a variety of ways. many of these ways don't follows the SMTP rules. Some do follow the rules but are not the best way to do things so that your server doesn't look like a spam source.

Setting your HELO string correctly

If you have a HELO setting set the helo name to some legitimate host name that actually exists. If your HELO is "sparky" you're likely to be rejected as spam. But if your HELO string is "mail.mydomain.com" then that would be a good HELO string. The best practice is for the HELO to match the RDNS of the sending IP. The HELO should never be anything that ends in .local because those are local IP addresses.

Avoid wildcard or catchall email accounts

People often set up wildcard or catchall accounts to catch any email that does not match other email accounts. Although it's legal to do this it's not a good practice. Many servers use sender address verification to verify good email addresses. If you have a catchall account then all addresses will appear to be good. This attracts spammers to spoof your domain for sending spam because your domain will pass sender verification. If a spammer spoofs you, servers might start rejecting your good email because of the volume of spam received from the spammers spoofing your domain.

By restricting your list of good email addresses to a finite list your domain will be less attractive to spoofing. And email sent to addresses that don't exist will be rejected what should reduce the burden on your spam filter to determine if these email are real or not.

Make sure your FROM address actually exists

Often web applications that send email use a from address like apache@mydomain.com and if the email address doesn't exist (can't receive email) then it fails verification and the email is bounced. And email address used to send email should verify as a good address on your system even if it is ultimately a blackhole account. So if you are sending from do-not-reply@mydomain.com make sure that email address works on some level.

Always use a TO address

Email should be addressed TO someone and have a TO header. Although it might be legal not to include it, not having a TO header increases your chances of being blocked.

Never reject email on a 4xx error

Some email servers bounce email when the other server sends a 4xx response. A 4xx error is a tempory error and it means "I'm not ready to receive your email at this time, come back later". Your server should do a reasonable number of retries before giving up.

Personal tools