10 Spam Fighting Tips for IT Managers
Tips to make sure your e-mail gets to the right place
By: Zac Mutrux
December 8, 2004
TechSoup, originally posted at http://www.techsoup.org/learningcenter/internet/page4812.cfm
Bob diligently worked on his proposal for weeks. When he finally finished it, he e-mailed it a day ahead of deadline, just to be safe. But when he called the organisation to see if they had received his report, he was met with silence and then a brisk "no."
What happened? His message had been placed in a junk mail folder by the company's spam filter. Fortunately, the organisation hadn't deleted his message and was able to fish it out of the junk mail folder, but Bob was one of the lucky ones.
Maybe you've had something like this happen to you or your organisation, or perhaps you weren't as lucky as Bob. That's why we've crafted this handy list of tips to keep your network safe and to ensure that your e-mail arrives at its destination and doesn't get stuck in a spam filter.
- Do not allow unauthenticated relaying of mail through your server: If anyone in the world can send mail through your SMTP server, they will. Check your mail server software's online support knowledgebase for specific instructions on how to close an open relay. An open relay -- according to online dictionary site Webopedia -- is an SMTP e-mail server that allows a third party to relay e-mail messages, i.e., sending and/or receiving e-mail that is not for or from a local user. To learn about how to close an open relay, visit the MAPS site.
- Keep your mail paths short: A "mail path" is the route that mail travels from one host to another. A long mail path has mail bouncing from server to server on its way to its destination. The shortest mail path has two hosts involved: sender and recipient. Don't relay e-mail through other hosts if you can help it. If you have a mail server, send mail directly from it instead of relaying through your ISP's SMTP server. If you decide to implement this tip, be sure to follow the next tip, too.
- Give your mail server a fully qualified domain name: If you're sending mail from your own SMTP server, make sure it has a domain name on the public Internet that matches your e-mail domain. You'll look like a spammer if you're sending mail from the domain somenonprofit.org, but the apparent IP address of your mail server resolves to "generic-dsl-user.big-telco.com."
- Require strong passwords, even for e-mail accounts: If your users have weak e-mail account passwords (for instance, using "password" as a password), spammers can guess them and use the hijacked account to send spam through your server. A strong password is at least seven characters long, doesn't include the username or dictionary words, but does include a combination of uppercase letters, lowercase letters, numbers, and punctuation marks. If your mail server allows you to enforce password policies, do so.
- Secure your wireless access points if you permit unauthenticated relaying of mail originating from your internal subnet: In plain English, that means if anyone on your internal network can send mail through your mail server without first having to provide a password, it's time to password-protect your wireless access points. Otherwise, you could find yourself the victim of a drive-by spammer -- someone who drives around with a laptop and looks for unprotected wireless networks in order to send spam. Unless you have high security requirements, there is only one step necessary: enable WPA or WEP on the access point. Most Wi-Fi software will easily let you do this.
- If you send your own bulk e-mail to connect with donors and constituents, consider listing your mail server IP on a commercial whitelist: Here are three examples:
- Work with your staff to improve their bulk-mailing practices: If your communications department or programme staff sends out e-mail to many recipients, help them to increase their delivery rate and at the same time, reduce your chances of being mistaken for a spammer. This article from Click Z is a good place to start.
- Limit the number of outbound non-delivery reports (NDRs) your server is permitted to send in a given period: This will reduce your exposure to a reverse NDR spam attack. While fake NDR messages are sometimes sent by spammers, limiting the rate of outbound NDRs will not stop them. To clarify, there are two kinds of NDR spam: faked NDR messages are sent directly to a recipient, while reverse NDR messages are "bounced" off a server in response to a spoofed message "from" the intended recipient. The latter type of NDR works like this: Jack Spamking wants to send spam to Susan User. To do this, he crafts his spam message so it appears to come from Susan and sends it to an invalid e-mail address he knows does not exist at a third party's mail server. The message is then "returned" to the apparent sender -- Susan -- in the form of an NDR. Susan then sees the legitimate NDR, wonders why a message she sent did not arrive, and opens the message. This closes the delivery loop as Susan sees the spam message sent by Jack. The Tek-Tips Web site has an article called "story" about combating NDR attacks.
- Register your domain name as a trademark: If a spammer (or other miscreant) abuses your domain name to send spam that appears to come from your domain, you will have legal recourse under trademark law. "How to Trademark a Domain Name" at AllBusiness.com has more information on how to do this.
- Keep your mail server up to date with security patches and anti-virus software: Sometimes hackers and spammers team up to break into servers for the purpose of sending spam. Pay attention to the overall security of your mail server and network to keep from being an easy target.
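For the tip on giving your mail server a fully qualified domain name, here is one way to check how a receiving server is likely to see your sending IP. This is an added example, not part of the original article. It goes one step beyond the tip by also confirming that the reverse name resolves back to the same IP; the addresses and DNS records are constructed sample data, and `check_mail_host` is a hypothetical helper name.

```python
import socket

def system_ptr(ip):
    """Reverse (PTR) lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:  # covers socket.herror / socket.gaierror
        return []

def system_fwd(name):
    """Forward (A) lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_mail_host(ip, mail_domain, ptr=system_ptr, fwd=system_fwd):
    """Classify how a receiving server is likely to see our sending IP."""
    mail_domain = mail_domain.lower().rstrip(".")
    names = [n.lower().rstrip(".") for n in ptr(ip)]
    if not names:
        return "no-ptr"
    # Keep only PTR names that resolve back to the same IP.
    confirmed = [n for n in names if ip in fwd(n)]
    if not confirmed:
        return "ptr-not-forward-confirmed"
    # The host name must be the mail domain or sit underneath it.
    if any(n == mail_domain or n.endswith("." + mail_domain) for n in confirmed):
        return "ok"
    return "ptr-outside-mail-domain"

# Constructed DNS data (documentation address ranges), so the demo runs offline.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.somenonprofit.org"],
    "198.51.100.7": ["generic-dsl-user.big-telco.com"],
    "203.0.113.5": ["mail.somenonprofit.org"],  # PTR set, but no matching A record
}
SAMPLE_A = {
    "mail.somenonprofit.org": ["192.0.2.10"],
    "generic-dsl-user.big-telco.com": ["198.51.100.7"],
}

def sample_check(ip):
    """Run the check against the constructed records above."""
    return check_mail_host(ip, "somenonprofit.org",
                           ptr=lambda i: SAMPLE_PTR.get(i, []),
                           fwd=lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"):
        print(ip, sample_check(ip))
```

To test a real server, call `check_mail_host` with your own public IP and e-mail domain and leave the default resolvers in place.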
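For the tip on limiting outbound non-delivery reports, the following sketch shows a server-wide sliding-window cap replayed over a burst of undeliverable messages. It is an added example, not part of the original article; the cap of 3 NDRs per 600 seconds, the addresses and the event timings are constructed, and `NdrLimiter` and `replay` are hypothetical names.

```python
from collections import deque

class NdrLimiter:
    """Server-wide cap on outbound NDRs within a sliding time window."""

    def __init__(self, max_ndrs, window_seconds):
        self.max_ndrs = max_ndrs
        self.window = window_seconds
        self.sent_at = deque()  # timestamps of NDRs still inside the window

    def allow(self, now):
        # Forget NDRs that have aged out of the window.
        while self.sent_at and now - self.sent_at[0] >= self.window:
            self.sent_at.popleft()
        if len(self.sent_at) >= self.max_ndrs:
            return False
        self.sent_at.append(now)
        return True

# Constructed events: (seconds, envelope sender of an undeliverable message).
# susan@ is spoofed by the spammer; bob@ and carol@ made honest typos.
EVENTS = [
    (0, "susan@example.org"), (1, "susan@example.org"),
    (2, "susan@example.org"), (3, "susan@example.org"),
    (4, "bob@example.net"),   (5, "susan@example.org"),
    (6, "susan@example.org"), (7, "susan@example.org"),
    (700, "carol@example.com"),
]

def replay(events, max_ndrs=3, window_seconds=600):
    """Return (sent, suppressed) lists of NDR recipients."""
    limiter = NdrLimiter(max_ndrs, window_seconds)
    sent, suppressed = [], []
    for when, sender in events:
        (sent if limiter.allow(when) else suppressed).append(sender)
    return sent, suppressed

if __name__ == "__main__":
    sent, suppressed = replay(EVENTS)
    print("NDRs sent:      ", sent)
    print("NDRs suppressed:", suppressed)
```

The replay also shows the cost of the cap: the legitimate bounce owed to bob@example.net arrives mid-burst and is suppressed along with the spoofed ones, so the limit should be sized against your normal bounce volume.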