Tech note: Securing Internet Services 8.0
Introduction
There are many issues you may encounter when trying to run server machines connected to the Internet. These issues are a constant threat to the stability and usability of your servers. Defending your servers from Denial of Service (DoS) attacks, viruses, hijacking of the server to relay spam email, and nuisance email requires vigilance on the part of every FirstClass administrator. FirstClass Internet Services (IS) has traditionally provided the tools needed to combat these threats. However, with the introduction of Internet Services 8.0 these tools are even more powerful and easier for you to set up and maintain. Before we discuss the specifics of configuring Internet Services, let's look at some general approaches to security that can help you better secure your system's Internet Services.
Physically securing the server machine
The first step in preventing Internet Services abuse is to make sure that unauthorized individuals cannot tamper with the machine on which your Internet Services resides. These abuses include either physically disabling the machine or loading and reconfiguring software in a way that makes it vulnerable to attack. Even though Internet Services stores no data on the server machine's hard drive, thus keeping your data safe, such tampering can still compromise the stability and security of your Internet Services.
Securing the server machine from unauthorized use
Whether an unauthorized individual can walk up to a server machine or not, it is important to secure the machine from unauthorized use, since in many cases rogue logins can come across the network. This includes such obvious measures as setting good login passwords for the machine, setting up firewalls correctly, and disabling/securing remote administration facilities (like PC Anywhere). As of FC8, IS can run as a service on Windows NT and as a daemon on Mac OSX, allowing the admin to leave the machine with no user account logged in, thus reducing the danger of a "walk up" attack.
Securing the server from network attacks
The next step in preventing Internet Services abuse is at the operating system (OS) level. You should always run your OS vendor's latest security patches to prevent low-level network Denial of Service (DoS) attacks. Next, disable all other network protocols on the Internet Services machine, as any software that accepts network connections is a possible doorway into your system. When Internet Services is running, it should only use those network ports it is configured to serve. File sharing, network logins, network management protocols, and other web servers are all frequently exploited by hackers to gain a foothold on the machine.
Keeping "troublemakers" off your system
If an examination of your system logs reveals that certain IP addresses are testing your security, trying to infect your system with the "Code Red" virus, or "hogging" your system resources, you should consider blocking that IP address. Bad traffic comes from sites with lax security or virus infected personal computers, and these sites are likely going to be the source of inconvenience for some time. It's better to ban them than to let them experiment on your server. The new status tab of the IS monitor has an "Abuse" indicator light with IP address which allows you to see suspicious activity "at a glance" and block the offenders quickly and easily. Be careful when blocking IPs to be sure that they are not either a site you care about or an IP address handed out temporarily, for example by Dynamic Host Configuration Protocol (DHCP) from a big ISP. There are quite a few good Internet sites that can be used to verify the origin of IP addresses.
Clamping down on SMTP relaying
If you don't require SMTP relaying on your machine then don't turn it on. If you need it, turn it on in the most restrictive way possible. Finding an "open relay" is the motherlode for spammers. This is because it "legitimizes" their junk mail by making it appear to be coming from your server and it allows them to use massive delivery lists since it is your bandwidth they are using. Spammers are able to do this because many SMTP servers are incorrectly configured, allowing them to "bounce" or relay their spam off of a vulnerable system. As a result, efforts to track the real culprits are often thwarted as they move on to use the next unsuspecting system.
If your system is used to relay spam email you can expect any, or all, of these things to occur:
- high load on your server as these unwanted messages are processed
- damage to your organization's reputation as questionable material is seen coming from your site
- reduction or denial of your Internet services as ISPs and other Internet organizations begin to recognize you as a spammer.
Remember, unsolicited email uses your precious network bandwidth and server resources to deliver an unwanted, inconvenient, and in many cases offensive experience to your users. Your goal is to try to reject spam as early in the process as possible without actually blocking legitimate email.
Security tools available in Internet Services 8.0
As mentioned earlier, Internet Services 8.0 targets making it even easier for you to protect your system from abuse. As part of this effort, several of IS's default behaviors have been changed and the UCE/Spam tab on the Basic Internet Setup form has been significantly reworked. All of these changes are intended to make IS more secure "out of the box", to make it easier to stop spam from bothering your users, and to make it easier for you to stop attacks on your system before they tie up your system resources. Here is a summary of these new and enhanced security tools:
Temporary IP blocking lists *New*
Internet Services now supports the concept of temporary IP blocking lists. In older versions, the admin needed to add undesirable IP addresses and masks to the filters folder manually in order to block them. In IS 8.0, IP addresses can now be added to a temporary list which is held in IS memory, and from which items expire over time. This new facility can be accessed through new actions in the rules.MailRules document or from the status tab on the IS monitor form. The administrator can view the temporary block list, add entries to it, and clear it.
Blackhole support *New*
Functionally similar to the temporary IP block list, but separately maintained, IS 8.0 introduces the concept of "blackholing" IP addresses. A blackhole will capture any connection from the offending IP address and hand it off to a single, low-priority, IS task which discards any data sent while producing a slow, timed stream of characters to keep the connection alive. The concept here is one of actively fighting back against spammers, capturing their resources and slowing their ability to hit your site (and others). Due to its adversarial approach, this option is under admin control, and can be completely disabled. Some RBL services request that admins implement this feature in order to use their service.
RBL hit caching *New*
A common spam assault on your Internet Services takes the form of a single SMTP server sending dozens (or hundreds) of spam messages into your system in rapid succession. Even if you are using an RBL service and the site triggers a block, the same server then reconnects and your system goes through the overhead of performing the same RBL hit again. In 8.0, IS will now cache RBL "hits" in the same way it cached DNS entries in older ISs, obeying the "time to live" data supplied by the RBL host. This eliminates the overhead of repeated RBL lookups while dealing with the spamming server appropriately.
Mail rules *Enhanced*
The Internet Services mail rules facility has been improved in FC8 by the addition of new actions which allow rules to place IP addresses in the temporary IP block list or the blackhole list. Also, admins have new rule conditions they can use to implement multiple subject block lists, allowing different spam scores depending on the type of words used. Message bodies can also be scanned for blocked words in FC8 IS, allowing content to be scanned before delivery. There is a new advanced regular expression parser for coding very advanced rule conditions, and numerous new functions and variables which give the rules author access to more information about the message being processed and the SMTP conversation that is in progress. Another new capability of the mail rules system allows rules to read data from the IS setup forms. This allows us to make some of the built-in rules configurable from the Basic Internet Setup form, including: high, medium, and low spam score ranges, SMTP crosspost limit, NDN messages with spam scores above "Extreme", and NDN messages with blocked subjects.
Password attack detection on SMTP AUTH *New*
With the introduction of the temporary IP blocking list, IS now has the ability to protect the system from attack in an automated fashion. One of these new facilities is password attack detection, which allows IS to temporarily block IP addresses which appear to be performing password guessing attacks. While all IS services have password guess protection, a special variant has been added to SMTP AUTH, since this is a target of many automated attacks. Using a "strike" based system, IS can decide to temporarily block an IP address after it makes repeated attempts to log in using SMTP AUTH with an incorrect user ID or password. The strikes build up against a particular IP address, so even if the attack rotates through user IDs IS can block it.
System Abuse detection *New*
This feature alerts the admin (using the IS monitor) when suspicious activity is happening on the system. Suspicious activity is defined appropriately for each protocol IS supports and includes tracking of: number of connections used by a single IP, data transfer rate, frequency of connection, failed login attempts, and attempts to login to administrative accounts. This activity is tracked across protocols and, based on your IS setup, will warn the admin using the Abuse light on the Status tab of the IS monitor.
IS task lists *Enhanced*
The IS task list facility has been improved by the addition of IP addresses, time connected, and data transferred amounts beside each task entry. This allows the admin to more easily correlate unusual IS activity with the IP addresses causing the problems.
IP/domain filter lists *Enhanced*
In FC8 IS, IP filters can now contain ranges of addresses to block (e.g. 127.0.0.1-127.0.0.92), giving the admin additional flexibility when dealing with system abusers. FC8 IS also supports the use of wildcards and regular expressions in domain filter entries, further arming the admin in the fight against unwanted access.
The IS Monitor *Enhanced*
The Internet Services administrator's monitor has been significantly enhanced in FC8 to help the administrator perform routine maintenance tasks and monitor the status of Internet Services. Some of these enhancements include:
• Full "remote control" of IS menu commands, useful for console-less operation.
• New status indicators, including task load and Abuse displays allowing the admin to keep a finger on the "pulse" of their system.
SMTP attachment virus scanning *New*
Internet Services now supports the scanning of incoming/outgoing attachments for viruses using the Symantec AV Scan Engine. Inbound and outbound scanning can be separately enabled, and the text presented to users in each case can be set by the admin. Incoming attachments found to contain a virus are replaced by an attachment containing the admin-configured text; for outbound attachments, the sender receives an NDN containing the admin-configured text. Multiple virus scan engines can be attached to a single IS for high load situations.
HTTP server privacy *Enhanced*
Several Internet security organizations have expressed concern that the HTTP TRACE command may pose a privacy risk. Accordingly, in FC8 IS this command is now disabled by default.
IS can run as a daemon (OS X) or service (NT) *New*
As of FC8, IS can now run as a Mac OS X daemon or Windows NT service, allowing IS to be restarted automatically when the machine reboots and allowing the machine to be left without a user logged in. This helps secure the IS machine against "walk up" attacks in circumstances where the machine cannot be physically secured.
Preventing unwanted access
One of the basic security ideas expressed above is that of keeping the "troublemakers" off of your system. Between ever more aggressive spammers, automated hacking tools, self-spreading viruses, and plain old hackers, the amount of nuisance traffic has grown by leaps and bounds. In FC8 IS we've added numerous features and admin tools to help with detecting and blocking these abusers. The approach taken has been that of layers of protection, where the system has multiple security methods backstopping each other, allowing the administrator to pick and choose how they want to protect the system.
IP Filtering
An old favorite (but still powerful) tool for controlling unwanted access to your system is IP filtering. IP addresses can be blocked individually, using wildcards, or in ranges.
This option is implemented at the lowest layer of IS's TCP listener code and simply blocks IP addresses from connecting to your IS on any protocol if they are listed in your Filter documents. Any connections from listed addresses are refused immediately, using the least possible processing power and system resources. This makes IP blocking especially useful for ridding yourself of "troublemaker" machines on the Internet, whether they are trying to hack into your system or deny service to your users. If you already have a hardware firewall, then by all means use it to protect your IS machine, since it offloads the effort to a dedicated resource. But for quick blocking of a troublesome address or for sites that don't run IS inside a firewall, this is a good option.
To configure your system to block out unwanted access, all you have to do is:
1) Select "Reject connections based on Filters".
2) Open the Filters folder located in the Internet Services folder on the administrator's Desktop.
3) Create a FirstClass document in your Filters folder listing the addresses you want to block.
For ease of use, we recommend naming the document something like "Blocked IPs" and listing in it only the IP addresses you wish to block. Other Filters documents can contain IP blocks, but if you keep them segregated like this, it is easier to administer them.
4) Open the IS monitor form, located in the Internet Services folder on the administrator's Desktop.
5) Do a "Get Config" (or restart IS).
If you need to block any new IP addresses in the future, all you have to do is open this document and add the new IP address or mask. Remember to do either a "Get Config" or restart IS after any additions to your document.
IP blocking syntax in your Filters document
IP blocking lines take one of three forms: a single IP address per line, an IP "mask" which can block groups of similar IP addresses, or an IP "range" that specifies a range of IPs to block. Here is an example Blocked IPs document:
# This is the Blocked IPs document containing the IP addresses we do not want connecting to our system
111.222.111.222 # blocks this IP address 111.222.111.222
111.*.*.* # a mask - this blocks every IP address that starts with 111.
# Note - 111.* is not a valid shorthand for 111.*.*.*.
111.222.111.200-111.222.111.222 # a range, block IP addresses from 111.222.111.200 through 111.222.111.222 inclusive
111/111.222/222.111/111.223/255 # an alternate range format, block IP addresses from 111.222.111.223 through 111.222.111.255 inclusive
Who to filter?
One of the tasks an administrator faces in using filter lists is figuring out which IP addresses to block. Once again we can use old favorite techniques and once again FC8 introduces some new ones to make your job easier. The classic tool is the FirstClass Server statistics file, which is controlled using "Admin->Statistics & Billing->Statistics Control".
Whenever the Internet Services UCE/Spam rules take effect and block a message from arriving in a user's Mailbox, an entry is added to your server statistics file:
Spam 1000000000 10/22/2001 12:27:54 PM localhost 127.0.0.1 terry@127.0.0.1 Sender Extra
The fields of this entry, from left to right, are:
- Stat keyword - for these entries, always "Spam"
- FC user ID
- date
- time
- host name
- IP address
- email address
- reason code *
- extra information **
* reason code is one of: Virus, Strikeout, MailRule, Sender, RBL, ReverseDNS, Host, RelayReject***
** extra info will contain: 1) for MailRule type - any NDN text sent; 2) for RelayReject type - the address being relayed; 3) for Virus type - the name of the infected attachment and the virus found
*** RelayReject is not logged when all relaying is disabled
Since this isn't a Server white paper, we'll skip the detail except to say turn on all the stats that are appropriate for your site and periodically look them over using a text editor, your favorite spreadsheet program, or the new FC Log Analyzer program. The web logs that IS produces can also be read by the FC Log Analyzer, or other web server log analyzers.
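Reading the statistics file by hand works for a handful of entries, but the practical question is which source IPs keep tripping the UCE/Spam rules. The following is an added example (not part of this tech note and not FirstClass code) that parses "Spam" statistics entries in the layout shown above and ranks source IP addresses by how many blocked messages they account for. It assumes the time field is always followed by an AM/PM token and that the extra-information field, when present, runs to the end of the line; the sample entries and the candidate threshold are constructed for the example.

```python
"""Rank source IPs from FirstClass Server "Spam" statistics entries.

Added example, not FirstClass code. Assumes the field layout shown in the
tech note: keyword, FC user ID, date, time, AM/PM, host name, IP address,
email address, reason code, then optional free-text extra information.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Reason codes as listed in the tech note.
REASON_CODES = {"Virus", "Strikeout", "MailRule", "Sender", "RBL",
                "ReverseDNS", "Host", "RelayReject"}


@dataclass
class SpamStat:
    user_id: str
    date: str
    time: str
    host: str
    ip: str
    email: str
    reason: str
    extra: str


def parse_spam_stat(line: str) -> Optional[SpamStat]:
    """Return a SpamStat for a "Spam" entry, or None for any other stat line."""
    # maxsplit=9 keeps the extra-info field intact even when it contains spaces
    parts = line.strip().split(None, 9)
    if len(parts) < 9 or parts[0] != "Spam":
        return None
    _keyword, user_id, date, clock, ampm, host, ip, email, reason = parts[:9]
    extra = parts[9] if len(parts) > 9 else ""
    if reason not in REASON_CODES:
        raise ValueError(f"unknown reason code {reason!r} in: {line!r}")
    return SpamStat(user_id, date, f"{clock} {ampm}", host, ip, email, reason, extra)


def summarize(lines):
    """Count blocked messages per source IP and per (IP, reason code)."""
    per_ip = Counter()
    per_ip_reason = defaultdict(Counter)
    for line in lines:
        stat = parse_spam_stat(line)
        if stat is None:
            continue
        per_ip[stat.ip] += 1
        per_ip_reason[stat.ip][stat.reason] += 1
    return per_ip, per_ip_reason


def filter_candidates(lines, threshold=3):
    """IPs with at least `threshold` blocked messages, busiest first.

    The threshold is an arbitrary value for this example; pick one that
    suits your site's traffic before adding anything to a Filters document.
    """
    per_ip, per_reason = summarize(lines)
    return [(ip, n, dict(per_reason[ip]))
            for ip, n in per_ip.most_common() if n >= threshold]


# Constructed sample entries (documentation addresses, not real hosts).
SAMPLE_STATS = """\
Spam 1000000000 10/22/2001 12:27:54 PM localhost 127.0.0.1 terry@127.0.0.1 Sender Extra
Spam 1000000000 10/22/2001 12:28:01 PM mail.example.net 192.0.2.10 bulk@example.net RBL
Spam 1000000000 10/22/2001 12:28:03 PM mail.example.net 192.0.2.10 bulk@example.net RBL
Spam 1000000000 10/22/2001 12:28:09 PM mail.example.net 192.0.2.10 bulk@example.net MailRule Subject contains blocked word
Spam 1000000000 10/22/2001 12:30:44 PM relay.example.org 198.51.100.7 x@example.org RelayReject victim@example.com
OtherStat 1000000000 10/22/2001 12:31:00 PM localhost 127.0.0.1 a placeholder non-Spam entry
"""

if __name__ == "__main__":
    for ip, count, reasons in filter_candidates(SAMPLE_STATS.splitlines()):
        print(f"{ip}: {count} blocked messages {reasons}")
```

Run against a real statistics file, the candidates list is the set of addresses worth checking (with the origin-lookup sites mentioned earlier) before deciding whether they belong in your Blocked IPs document.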
The traditional IS tools for watching the system are the IS monitor and the IS Task List, both of which have been beefed up for FC8. The protocol tab of the monitor shows overall system activity, which can be crosschecked with a console Task List and the new Security tab's abuse section to identify the IP address of any potential troublemakers. The abuse monitor tracks a list of IP addresses that have engaged in suspicious activities: maintaining very low data transfer rates, using up large numbers of concurrent sessions, staying connected for very long periods of time, repeatedly using incorrect passwords, and connecting on many protocols simultaneously. The "score" represents the level of suspicious activity, with each occurrence adding to the score according to the severity. The administrator can manage the list of suspicious connections, clearing individual IPs that are deemed innocent or clearing the entire list to watch for new suspicious activity.
Temporary blocking (blacklisting)
The other interesting button on the abuse monitor is the "Block" button which allows the administrator to instantly place the suspect IP address in the temporary IP blacklist. Different from the IP Filter documents, this IP blacklist is held only in IS memory, and the items in it "time out" and are removed from the list. The behavior of the abuse list and IP blacklist is controlled on the "Basic Internet Setup->UCE/Spam->Abuse" tab.

The first three fields control the abuse monitor, setting thresholds for when IP connections appear in the abuse list and when warning lights are turned on. The next field controls the autoblocking feature, which allows the administrator to have IS automatically block suspect IPs if they exceed a certain threshold score. We recommend admins keep the "Abuse autoblock level" set to "Disabled" until they are very comfortable with what IP addresses are appearing in the abuse list. The next field, "Abuse block time" sets how long an IP will remain blocked, whether through autoblocking or by the admin pressing the "Block" button on the Abuse Monitor. If you feel that accidental blocking is an issue at your site, reducing this value will reduce the "penalty time" suspected abusers get. The final field, "Abuse reset interval", determines how long IS "remembers" a suspect IP address. Shortening this value makes it harder for IS to correlate suspicious activity from different times of day.
FC8 IS also provides the admin with tools for managing the temporary IP blacklist. On the "Control" tab of the Internet Monitor you can find a section labeled "IP blacklist" containing "Log" and "Flush" buttons.
IP addresses can only get into the blacklist through one of four actions: the admin presses the "Block" button on the "Security" tab, the admin has autoblock configured and the IP address in question exceeds the threshold score, the IP address is added to the list using a mail rule (see below) or the IP address is "struck out" (see below).
Using the "Log" button, the admin can have a list of the blacklisted IP addresses, reasons, and time remaining dumped to the console. At the same time the details of the strike list are also dumped. This console dump looks like:
--- Temporary IP Block List --
IP, Reason, Seconds remaining
192.168.120.107, 1, 279
--- End of Temporary IP Block List --
--- Strike List --
IP, Seconds since last strike, Number of strikes
--- End of Strike List --
Here is a list of reason codes and their explanation:
Reason code | Explanation
0 | Reason for black listing unknown
1 | Received too many strikes in too short a period
2 | Made too many connections with too low throughput
3 | RBL Server identified as a bad guy
4 | In the IP filters folder
5 | Blacklisted using rules.MailRules
6 | Tried to log in, but not allowed by server - logins disabled
7 | Attempt to log in to a protocol with an unsupported client (ie OS X CIFS)
If the admin suspects that IP addresses are being blocked incorrectly, the "Flush" button can be used to remove all items from the blacklist. This action also clears all items from the strike list.
Striking out
The abuse list watches for suspicious activity based on a score which is calculated according to the nature and duration of the suspicious activity. This approach works well for our built-in abuse detection, but is somewhat complex for admins to use directly in things like mail rules. As a result FC8 IS also introduces the concept of "striking out" an IP address, giving it three chances (admin configurable) to mend its ways, then blocking it. There are two actions that can register a "strike" against an IP address: the STRIKE action in a mail rule, or an SMTP AUTH attempt with an invalid user ID/password combination. The Strike List handling is configured on the "Basic Internet Setup->UCE/Spam->Junk" tab.
This allows the admin to set the number of strikes, hold time, and reset time for managing the strike list. As mentioned above, the "IP blacklist" buttons on the "Control" tab also manage the strike list.
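To make the interaction between the abuse autoblock settings (block time, reset interval), the strike list (number of strikes, hold time, reset time), the "Log" dump format and the "Flush" button concrete, here is an added example that models a temporary IP block list fed by both mechanisms. It is not FirstClass code and the tech note does not describe the internal algorithm; the strike semantics used here (the strike that reaches the allowed count blocks the address, strikes older than the reset time are forgotten, hold time equals the block duration), the abuse points, and the use of reason code 0 for an autoblocked entry are this example's assumptions. The IP addresses are constructed documentation values.

```python
"""Model of a temporary IP block list with strike-out and abuse autoblock feeds.

Added example, not FirstClass code. Strike semantics, abuse scoring and the
reason code used for autoblocked entries are assumptions made for this model.
"""
import time

# Reason codes as listed in the tech note's description of the "Log" dump.
REASON_TEXT = {
    0: "Reason for black listing unknown",
    1: "Received too many strikes in too short a period",
    2: "Made too many connections with too low throughput",
    3: "RBL Server identified as a bad guy",
    4: "In the IP filters folder",
    5: "Blacklisted using rules.MailRules",
    6: "Tried to log in, but not allowed by server - logins disabled",
    7: "Attempt to log in to a protocol with an unsupported client (ie OS X CIFS)",
}


class ManualClock:
    """Settable clock so expiry logic can be exercised without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class TempBlockList:
    def __init__(self, strikes_allowed=3, strike_reset=600, block_time=3600,
                 abuse_autoblock_level=None, abuse_reset=86400, clock=time.time):
        self.strikes_allowed = strikes_allowed    # "Number of strikes to allow"; 0 disables
        self.strike_reset = strike_reset          # seconds a strike is remembered
        self.block_time = block_time              # "Abuse block time" / strike hold time
        self.abuse_autoblock_level = abuse_autoblock_level  # None means "Disabled"
        self.abuse_reset = abuse_reset            # "Abuse reset interval"
        self.clock = clock
        self.blocked = {}   # ip -> (reason_code, expires_at)
        self.strikes = {}   # ip -> (count, last_strike_at)
        self.abuse = {}     # ip -> (score, last_seen_at)

    def _expire(self):
        now = self.clock()
        for ip, (_, expires) in list(self.blocked.items()):
            if expires <= now:
                del self.blocked[ip]

    def is_blocked(self, ip):
        self._expire()
        return ip in self.blocked

    def block(self, ip, reason, seconds=None):
        """Admin "Block" button, BLACKLIST rule action (reason 5) or an automatic block."""
        self.blocked[ip] = (reason, self.clock() + (seconds or self.block_time))

    def strike(self, ip):
        """STRIKE rule action or a failed SMTP AUTH login; True if this strike blocked the IP."""
        if self.strikes_allowed <= 0:
            return False
        now = self.clock()
        count, last = self.strikes.get(ip, (0, now))
        if now - last > self.strike_reset:        # old strikes are forgotten
            count = 0
        count += 1
        if count >= self.strikes_allowed:         # struck out
            self.strikes.pop(ip, None)
            self.block(ip, 1)
            return True
        self.strikes[ip] = (count, now)
        return False

    def add_abuse(self, ip, points):
        """Abuse monitor feed; True if the score crossed the autoblock level."""
        now = self.clock()
        score, last = self.abuse.get(ip, (0, now))
        if now - last > self.abuse_reset:
            score = 0
        score += points
        self.abuse[ip] = (score, now)
        if self.abuse_autoblock_level is not None and score >= self.abuse_autoblock_level:
            self.block(ip, 0)                     # assumption: no code given for autoblock
            return True
        return False

    def log(self):
        """Lines in the format of the "IP blacklist" Log button console dump."""
        self._expire()
        now = self.clock()
        lines = ["--- Temporary IP Block List --", "IP, Reason, Seconds remaining"]
        for ip, (reason, expires) in self.blocked.items():
            lines.append(f"{ip}, {reason}, {int(expires - now)}")
        lines += ["--- End of Temporary IP Block List --",
                  "--- Strike List --", "IP, Seconds since last strike, Number of strikes"]
        for ip, (count, last) in self.strikes.items():
            lines.append(f"{ip}, {int(now - last)}, {count}")
        lines.append("--- End of Strike List --")
        return lines

    def flush(self):
        """The "Flush" button: clears the block list and the strike list."""
        self.blocked.clear()
        self.strikes.clear()
```

The model makes the trade-off in the text visible: a short "Abuse reset interval" or strike reset time means an attacker that paces its attempts slower than the interval never accumulates enough history to be blocked, while a long block time lengthens the penalty for an address that was blocked by mistake.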
Fighting back (blackholing)
If all of the countermeasures described above sound a little too passive for your liking, you can enable FC8 IS's new blackholing feature. The principle behind this feature is that most automated nuisance programs that hit your system (spammers, hacking tools, virus spreaders, etc.) are actually pretty dumb and can't recognize that they might be having their time wasted. The idea of a blackhole is that once a "bad" connection is identified, you can hand it off to a single, low-priority task which does just enough TCP to keep the connection going. This costs your system little in terms of processing power, but ties up the spammer (or whatever) to prevent them from moving on to the next machine. If the whole Internet were doing this, spam would go way down, viruses would spread less quickly, etc. Some RBL providers insist that you run some form of blackhole if you use their service.
On the downside, blackholing is an aggressive act, very annoying to those who it is performed on. If that person is a customer of yours, they may not be too impressed; if it's a hacker, they may redouble their efforts to damage your system. Blackholing is controlled on the "Connections" tab of the "Basic Internet Setup" form.
This form allows the admin to choose the number of connections to hold, how long to hold them for, and what sort of "abuse" warrants blackholing. Setting the "Maximum number of connections to tie up" to "None" disables the feature.
FC8 IS also provides the admin with tools for managing the blackholed connections list. On the "Control" tab of the Internet Monitor you can find a section labeled "Blackholed connections" containing "Log" and "Flush" buttons and a bar graph display of the number of connections currently blackholed.
IP addresses can only get into the blackhole list by meeting one of the "Connections->Hold connections from" criteria. Using the "Log" button, the admin can have a list of the blackholed IP addresses, time held, and time remaining dumped to the console. If the admin suspects that IP addresses are being blackholed incorrectly, the "Flush" button can be used to remove all items from the blackhole list.
Summary
The new FC8 IS features for preventing unwanted access are a powerful addition to your administration "toolbox", but for various reasons some might not be appropriate for your site. Here's a quick summary of the access limiting features and how to disable them:
Feature | Introduced/enhanced | How to disable
IP Filtering | 7.1/ranges added | Don't add entries
Abuse monitor | 8.0 | Set "Basic Internet Setup->UCE/Spam->Abuse->Abuse note level" to "Disabled"
Blacklisting | 8.0 | Set "Basic Internet Setup->UCE/Spam->Abuse->Abuse autoblock level" to "Disabled"
Striking out connections | 8.0 | Set "Basic Internet Setup->UCE/Spam->Junk->Number of strikes to allow" to 0
Blackholing | 8.0 | Set "Basic Internet Setup->Connections->Maximum number of connections to tie up" to "None"
When considering a problem with an IP connection, the FC8 administrator should think about the states these connections could be in and the features that influence this. What follows is a summary of these states and how they are controlled:
State | Characteristics | Controlled by
Trusted | Can always connect | IP Filters file, '+' entries
Blocked | Can never connect | IP Filters entries, "Connections->Reject connections based on filters"
Suspect | Appears in "Internet Monitor->Security", connects normally | "UCE/Spam->Abuse->Abuse note level"
Strikelisted | Appears in "Internet Monitor->Control->IP blacklist->Log" listings, connects normally | "UCE/Spam->Junk->Number of strikes to allow", STRIKE mail rule action, bad SMTP AUTH logins
Blacklisted | Appears in "Internet Monitor->Control->IP blacklist->Log" listings, cannot connect | "UCE/Spam->Abuse->Abuse autoblock" level, BLACKLIST mail rule action
Blackholed | Appears in "Internet Monitor->Control->Blackholed connections->Log" listings, very slow connections | "Connections->Maximum number of connections to tie up" level, "Connections->Hold connections from" settings
Normal | Connects normally | IS configuration
It is now possible in FC8 IS to monitor the effectiveness of your IP blocking setup. On the "IS Monitor->Security" tab there is a section labeled "Connection attempts" which shows statistics on how many connections you are accepting and rejecting, both incrementally and in total.
Preventing unauthorized mail relaying
The relaying tab allows the admin to enable/disable SMTP relaying. This tab now contains only the single checkbox "Disable all relaying...", the big switch which allows the administrator to disable all SMTP relaying through their IS.
SMTP mail relaying occurs when your IS receives a piece of email via SMTP that is not destined for a user on your FirstClass system. In this case, IS accepts the message and then passes it on, via SMTP, to another SMTP server somewhere on the Internet. There are two types of scenarios where you may need this type of setup:
• if your IS acts as the Internet contact point for a group of SMTP servers
• if you need to support POP3 or IMAP4 users on your system who send mail outside of your organization.
There are three basic relaying setups:
Your site does not need to relay
If your site does not have one of the two requirements listed above, then you should check the "Disable ALL relaying, including SMTP AUTH and trusted IPs" option on the Basic Internet Setup form - UCE/Spam tab.
After you have checked this option, open the IS monitor form and do a "Get Config" or restart IS.
This setup is easy to administer and extremely secure, and your system allows absolutely no SMTP relaying. If you can, by all means use this setting.
Your site needs to relay for POP3 or IMAP4 users
If you need to support POP3 and IMAP4 users who send mail outside of your organization, then we recommend using SMTP AUTH, which is an extension to the SMTP protocol. This extension means that if a server wants to relay mail off of your SMTP server, then it must provide "credentials" (user ID and password authentication) so that you know it is not a spammer. Unless you've explicitly disabled relaying (as in the first configuration) then IS will do SMTP relaying for those that supply credentials. In older versions, IS allowed you to configure which FirstClass features an account had to have in order to relay. This has been replaced in FC8 IS with the new server feature, "Allow mail relay".

Now instead of having a combination of features represent the ability to relay mail using SMTP AUTH, a user simply needs to have the "Allow mail relay" feature. This feature takes effect as soon as the form is closed on the server, and requires no "Get Config" or restart of IS. We recommend creating a priv group with this feature enabled, and adding your POP3 and IMAP4 users to this group.
Your site needs to act as the Internet contact point for a group of SMTP servers
If your site is in this situation you may find, due to the SMTP server software in use, that SMTP AUTH cannot be used by the hosts you need to support. For this reason (and for legacy support), you can configure IS to use "trusted" IP addresses. The idea here is that a document in the IS Filters folder contains a list of "trusted" IP addresses and, for these addresses, IS will perform SMTP relaying.
This setup is pretty secure (since IP spoofing is pretty tough) but does require a fair amount of effort on your part if you have a large number of "trusted" addresses you need to add to your filter document. Be careful when creating your filter document as a mistake, such as entering the wrong IP address or worse, the wrong IP mask, can open you up to being used as a spam relay.
To configure a trusted IP relaying setup:
1) Open the Filters folder in the Internet Services folder on the administrator's Desktop.
2) Create a FirstClass document in your Filters folder listing the "trusted" IP addresses.
For ease of use, we recommend naming your filter document something like "Trusted IPs" and using the document only for "trusted" IP addresses. Other filter documents can contain "trusted" IPs, but if you keep them in separate documents it is easier to administer them.
3) Close the document.
4) Open the IS monitor form and do a "Get Config" or restart IS.
You can update your document whenever necessary but always remember to do a Get Config or restart IS to activate the new entries.
"Trusted" IP entries take one of three forms: a single IP address (prefixed with a '+') per line, an IP "mask" (again, prefixed with a '+') which can trust groups of similar IP addresses, or an IP "range" (again, prefixed with a '+') that specifies that IPs between value x and value y are trusted. Here is an example Trusted IPs document:
# This is the Trusted IPs document containing the IP addresses we are willing to relay for
+111.222.111.222 # trusts this IP address 111.222.111.222
+111.*.*.* # a mask - this trusts every IP address that starts with 111.
+111.222.111.200-111.222.111.222 # a range, trust IP addresses from 111.222.111.200 through 111.222.111.222 inclusive
+111/111.222/222.111/111.223/255 # an alternate range format, trust IP addresses from 111.222.111.223 through 111.222.111.255 inclusive
+111.222.112.223/255 # another alternate range format, trust IP addresses from 111.222.112.223 through 111.222.112.255 inclusive
It should be noted that "trusted" IP addresses override blocked IP addresses. If you need to block a group of IP addresses but trust a single IP within, you could do so as follows:
# Blocking a group, while trusting one of them
111.*.*.* # a mask - this blocks every IP address that starts with 111. ...
+111.222.111.222 # ...except for this one! This line trusts this IP address (111.222.111.222) even though its IP neighbors are bad guys
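The following is added here as an illustration and is not FirstClass's own code. It parses a Filters document in the syntax shown above, applies the rule that trusted entries override blocked ones, and sizes each trusted entry so that an accidentally wide mask, the mistake warned about above, stands out before it goes live. The sample document, the 256-address audit threshold and the "untrusted" verdict for an address in neither list are assumptions made for the example.

```python
"""Added example (not FirstClass code): parse a Filters document in the
format shown above and decide whether a connecting SMTP client's IP is
trusted for relaying, with trusted entries overriding blocked ones.

Entry forms handled (all are the page's own syntax):
  +a.b.c.d                          single address
  +111.*.*.*                        mask, '*' matches any value in that octet
  +a.b.c.d-e.f.g.h                  inclusive range of whole addresses
  +lo/hi.lo/hi.lo/hi.lo/hi          per-octet ranges (alternate range format)
A line without the leading '+' is a block entry; '#' starts a comment.
"""
import ipaddress


def _octet_bounds(token):
    """Bounds for one octet token: '12' -> (12, 12), '*' -> (0, 255), '12/34' -> (12, 34)."""
    if token == "*":
        return 0, 255
    if "/" in token:
        lo, hi = (int(x) for x in token.split("/", 1))
    else:
        lo = hi = int(token)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet bounds: {token!r}")
    return lo, hi


def parse_entry(text):
    """Parse one entry (leading '+' already removed) into a matchable tuple."""
    if "-" in text:                      # whole-address range a.b.c.d-e.f.g.h
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {text!r}")
        return ("range", int(lo), int(hi))
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    return ("octets", tuple(_octet_bounds(o) for o in octets))


def entry_matches(entry, ip):
    """True if the IPv4Address ip falls inside the parsed entry."""
    if entry[0] == "range":
        return entry[1] <= int(ip) <= entry[2]
    return all(lo <= octet <= hi for (lo, hi), octet in zip(entry[1], ip.packed))


def entry_size(entry):
    """Number of addresses an entry covers; use it to spot an over-wide mask."""
    if entry[0] == "range":
        return entry[2] - entry[1] + 1
    size = 1
    for lo, hi in entry[1]:
        size *= hi - lo + 1
    return size


def parse_filter_document(doc):
    """Split a Filters document into (trusted, blocked) entry lists."""
    trusted, blocked = [], []
    for raw in doc.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("+"):
            trusted.append(parse_entry(line[1:].strip()))
        else:
            blocked.append(parse_entry(line))
    return trusted, blocked


def relay_decision(ip_text, trusted, blocked):
    """'trusted' (may relay), 'blocked' (refuse the connection) or 'untrusted'.
    Trusted entries win over blocked ones, as the page states."""
    ip = ipaddress.IPv4Address(ip_text)
    if any(entry_matches(e, ip) for e in trusted):
        return "trusted"
    if any(entry_matches(e, ip) for e in blocked):
        return "blocked"
    return "untrusted"


def audit_trusted(trusted, max_addresses=256):
    """Trusted entries wider than max_addresses: candidates for the
    wrong-mask mistake the page warns about."""
    return [e for e in trusted if entry_size(e) > max_addresses]


# Constructed sample document in the page's own syntax (not a real config).
SAMPLE_DOC = """
# Block everything that starts with 111., but trust a few addresses inside it
111.*.*.*                          # mask: blocks 111.0.0.0 through 111.255.255.255
+111.222.111.222                   # ...except this single address
+111.222.111.200-111.222.111.210   # and this inclusive range
+111/111.222/222.111/111.223/255   # per-octet ranges: 111.222.111.223-255
+111.222.112.223/255               # same idea, only the last octet ranges
+10.*.*.*                          # a very wide trust entry (the audit flags it)
"""

if __name__ == "__main__":
    trusted, blocked = parse_filter_document(SAMPLE_DOC)
    for ip in ("111.222.111.222", "111.222.111.205", "111.222.111.240",
               "111.222.111.100", "10.9.8.7", "192.0.2.1"):
        print(ip, relay_decision(ip, trusted, blocked))
    for e in audit_trusted(trusted):
        print("WARNING: entry trusts", entry_size(e), "addresses:", e)
```

Run the audit over your real Trusted IPs document before a Get Config: a '+' mask such as 10.*.*.* trusts over sixteen million addresses, and the list it prints is the set of entries worth a second look.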
What if I get "blacklisted" as an open relay?
Because of the proliferation of spam and the difficulty of combating it, there are a number of organizations (including RBL suppliers) who aggressively identify open relay sites and add them to their blacklists. If your site is blacklisted, there are two steps you should perform:
1) Check your relay settings!
You probably got blacklisted because spam came from your site. Lock things down using the methods outlined in "Preventing unauthorized mail relaying" and try to isolate the problem. If you can't locate the problem, contact the blocking organization and ask for help.
2) Ask the blocking organization to retest your site after you've located and fixed your relaying problem.
If you follow the directions above, you can make your site "relay-proof", and you will pass any well-written relay test. Some organizations (ORBS being one) use flawed relay tests that assume your mail host is sendmail and will behave like it during testing. If you have relaying clamped down and you still fail such a test, you have a few options:
- Reconfigure IS to act more like sendmail. The main issue with these tests is that IS absorbs some attempts to relay as if it might be delivering the message, when, in fact, it later NDNs it. Since the tests do not wait for the NDN, they are "fooled" into thinking the relay worked. By setting "Aliases only" on the Advanced Directory form, located in the Internet Services folder on the administrator's Desktop, you force IS to reject these attempts as they come in.
Keep in mind that this tactic comes at the expense of needing to configure aliases (or set up automatic aliasing) for all of your Internet mail users.
- Inform the blocking organization that you are not relaying, and prove it to them by having them try to relay off your site to some destination account. The better organizations may respond reasonably to this sort of approach.
- Convince the sites you care about exchanging email with not to use their "flawed" service.
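As an added illustration (not FirstClass code, and not any blacklist operator's actual test), here is a minimal relay probe together with the reply-reading logic a well-written test needs: it expects a 5xx reply at RCPT TO for a recipient outside the server's domains, and treats a 250 there as ambiguous, because, as described above, a host may accept the recipient and NDN the message afterwards. The scripted server replies, probe addresses and verdict strings are constructed for the example; run the live probe only against servers you administer.

```python
"""Added example, not FirstClass code and not any blacklist operator's test:
a minimal open-relay probe plus the logic for reading the server's replies.

The probe sends MAIL FROM with a foreign sender and RCPT TO with a foreign
recipient and then RSET. It never sends DATA, so no message is injected
even against a host that really is an open relay.
"""
import smtplib


def classify_rcpt_reply(code):
    """Interpret the reply code to RCPT TO for a recipient outside the server's domains."""
    if 500 <= code <= 599:
        return "relay refused at RCPT TO (pass)"
    if 400 <= code <= 499:
        return "temporarily refused at RCPT TO (retry later)"
    if code in (250, 251):
        # Ambiguous: open relay, or accept-then-NDN. A sound test now checks
        # whether the message is actually delivered instead of declaring a relay.
        return "accepted at RCPT TO (open relay, or accept-then-NDN: check delivery)"
    return f"unexpected reply {code}"


def relay_probe(exchange, mail_from="probe@example.net", rcpt_to="victim@example.org"):
    """Run the probe over exchange(verb, argument) -> (code, text).
    Returns (verdict, transcript) where transcript lists both sides' lines."""
    transcript = []

    def send(verb, argument=""):
        code, text = exchange(verb, argument)
        if isinstance(text, bytes):            # smtplib returns bytes
            text = text.decode("ascii", "replace")
        transcript.append(("C: " + verb + " " + argument).rstrip())
        transcript.append(f"S: {code} {text}")
        return code

    if send("MAIL", f"FROM:<{mail_from}>") != 250:
        verdict = "sender refused at MAIL FROM (pass, but the RCPT check did not run)"
    else:
        verdict = classify_rcpt_reply(send("RCPT", f"TO:<{rcpt_to}>"))
    send("RSET")                                # abandon the envelope; never DATA
    return verdict, transcript


def probe_live(host, port=25, **kwargs):
    """Live probe over smtplib; kwargs go to relay_probe. Use on your own hosts only."""
    with smtplib.SMTP(host, port, timeout=30) as server:
        server.ehlo_or_helo_if_needed()
        return relay_probe(server.docmd, **kwargs)


def scripted_server(replies):
    """Constructed fake server: fixed reply per command verb, for offline use."""
    def exchange(verb, argument):
        return replies.get(verb, (502, "Command not implemented"))
    return exchange


# Constructed reply tables for the two behaviours discussed above.
CLOSED_RELAY = {"MAIL": (250, "OK"), "RCPT": (550, "Relaying denied"), "RSET": (250, "OK")}
ABSORBING_RELAY = {"MAIL": (250, "OK"), "RCPT": (250, "OK"), "RSET": (250, "OK")}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict, transcript = probe_live(sys.argv[1])
    else:
        verdict, transcript = relay_probe(scripted_server(ABSORBING_RELAY))
    print("\n".join(transcript))
    print("verdict:", verdict)
```

With "Aliases only" set, the absorbing case turns into the closed case: the unknown recipient is refused at RCPT TO, which is the reply a sendmail-style tester is looking for.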
Reducing spam
Unsolicited email accounts for a large share of your SMTP traffic. The experts argue about the percentage, but the 50-90% range seems to be accepted. With numbers like that, it is clear that IS must continue to provide as many tools as possible for the administrator to deal with spam. Our approach has been to provide tools that recognize spam and either mark or block it. Where possible, you should discard spam as early in processing as you can: trapping and rejecting spam before it reaches the Server saves a great deal of processing for both IS and the Server, making your whole system faster. Because reducing spam is so important, we have provided multiple overlapping features to help you deal with the problem. Since these features provide "layers" of protection, we'll describe them in order from the outer layer inward to your Mailbox. Remember, the further out from the core server you can stop the spam, the better it is for your system's performance.
Filtering
As a first line of defense, you can add IP masks, IP ranges, IP addresses, domain names, and email addresses to FirstClass filter documents. Domain name and email address filter entries can now contain either wildcards or regular expressions, making these facilities much more powerful. Email will not be accepted from any site or address listed in these blocking lists. Unlike pre-7.1 versions of IS, IS 7.1 and higher enables this feature automatically. To configure address filtering:
1) Open the Filters folder in the Internet Services folder on the administrator's Desktop.
2) Create a FirstClass document listing the addresses to block.
For ease of use we recommend naming the document something like "Blocked Addresses" and listing in it only the email addresses and domains you wish to block. Other Filters documents can contain blocked addresses, but if you keep them separated like this, it is easier to administer them.
3) Close the document.
4) Open the IS monitor form and do a "Get Config" or restart IS.
You can update your document whenever necessary but always remember to do a Get Config or restart IS to activate the new entries.
The format of the blocking list conforms to that used in various Internet anti-spam sites, with one entry per line and domains optionally prefixed with an '@', for example:
# This is a comment line
112.*.*.* # a mask - this blocks mail from every SMTP server whose IP address starts with 112.
123.123.123.123 # an IP block, the SMTP server at 123.123.123.123 cannot deliver mail to us
111.222.111.200-111.222.111.222 # a range, block IP addresses from 111.222.111.200 through 111.222.111.222 inclusive
111/111.222/222.111/111.223/255 # an alternate range format, block IP addresses from 111.222.111.223 through 111.222.111.255 inclusive
@spamdomain.com # a domain block, any server that declares itself part of spamdomain.com or any
spamdomain2.com # same as above, slightly different syntax
jill1717@hotmail.com # this particular address appearing in either the SMTP MAIL FROM or RFC-822 From:
# header causes mail to be rejected
*.spammaster.com # domain wildcard - blocks all sub-domains of spammaster.com (to wildcard a single character, use '?')
regexp:[0-9]+.com # domain regular expression - blocks all numeric .com domains (the "regexp:" prefix signals IS to apply regular expression processing)
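The following is an added example, not FirstClass code, showing how the domain and email-address entries of a Blocked Addresses document are matched against a sender; the IP entries are the job of the IP filter and are skipped here. Points the page does not pin down and that are therefore assumptions in this example: a plain domain entry matches that domain exactly (the page offers '*.domain' for sub-domains), domain entries are checked against the HELO name and the domain part of both the MAIL FROM and From: addresses, and a "regexp:" pattern must match the whole domain. One caveat worth carrying into your own documents: in the page's regexp:[0-9]+.com the '.' is unescaped and matches any character, so the sample below writes it as [0-9]+\.com.

```python
"""Added example (not FirstClass code): match a sender against the domain and
email-address entries of a Blocked Addresses document in the format above.

Entry forms from the page: '@domain' or 'domain' (domain block), 'user@host'
(address block, checked against both SMTP MAIL FROM and the RFC 822 From:
header), '*' and '?' wildcards, and 'regexp:<pattern>'.
Assumptions (not stated on the page): plain domain entries match exactly,
domain entries are tested against HELO and both sender domains, and a
regular expression must match the whole domain.
"""
import re


def _is_ip_entry(entry):
    """IP address, mask or range: digits, dots, '*', '/', '-' only."""
    return re.fullmatch(r"[0-9*./-]+", entry) is not None


def compile_entry(entry):
    """Return (kind, match) where kind is 'address' or 'domain' and
    match(value) tests a lower-cased address or domain."""
    if entry.startswith("regexp:"):
        pattern = re.compile(entry[len("regexp:"):], re.IGNORECASE)
        return "domain", lambda value: pattern.fullmatch(value) is not None
    if entry.startswith("@"):
        entry = entry[1:]
    kind = "address" if "@" in entry else "domain"
    if "*" in entry or "?" in entry:
        # translate the page's wildcards: '*' any run of characters, '?' one character
        regex = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
        pattern = re.compile(regex, re.IGNORECASE)
        return kind, lambda value: pattern.fullmatch(value) is not None
    literal = entry.lower()
    return kind, lambda value: value == literal


def parse_blocked_addresses(doc):
    """[(entry_text, kind, match)] for the non-IP entries of a Filters document."""
    entries = []
    for raw in doc.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("+") or _is_ip_entry(line):
            continue                      # blank, trusted-IP or IP entry: not ours
        entries.append((line, *compile_entry(line)))
    return entries


def blocking_entry(entries, mail_from, header_from=None, helo=None):
    """First entry that blocks this sender, or None if none applies."""
    addresses = [a.lower() for a in (mail_from, header_from) if a]
    domains = [a.rsplit("@", 1)[-1] for a in addresses if "@" in a]
    if helo:
        domains.append(helo.lower())
    for text, kind, match in entries:
        candidates = addresses if kind == "address" else domains
        if any(match(value) for value in candidates):
            return text
    return None


# Constructed sample in the page's syntax. The regexp escapes its dot; the
# page's [0-9]+.com has an unescaped '.', which matches any character.
SAMPLE_DOC = r"""
112.*.*.*                 # IP mask: handled by the IP filter, skipped here
@spamdomain.com           # domain block
spamdomain2.com           # same, without the '@'
jill1717@hotmail.com      # address block (MAIL FROM or From: header)
*.spammaster.com          # all sub-domains of spammaster.com
regexp:[0-9]+\.com        # all-numeric .com domains
"""

if __name__ == "__main__":
    entries = parse_blocked_addresses(SAMPLE_DOC)
    for sender in ("bob@spamdomain.com", "x@mail.spammaster.com", "x@12345.com", "ok@example.org"):
        print(sender, "->", blocking_entry(entries, sender))
```

Feed the function the envelope sender, the From: header and the HELO name of a rejected message to see which entry fired; that is the quickest way to find an over-broad wildcard or regular expression in a large blocking list.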
Reverse DNS lookup
This feature causes IS to take the IP address of any SMTP server that connects to it and query the configured DNS server for the domain name (PTR record) associated with that address. If no domain name is found, IS refuses mail from that server. Since this option relies on querying the DNS server on each inbound SMTP connection, make sure your DNS server(s) are functioning well in order to maintain good performance. Reverse DNS lookups are now cached to improve performance.
You enable this feature on the "Basic Internet Setup->UCE/Spam->Junk" tab by selecting the reverse DNS lookup option.
RBL (Realtime Blackhole List) lookup
This feature causes IS to take the IP address of any SMTP server that connects to it and query the configured RBL host(s) to see whether the IP address is a known source of spam email. If it is, IS either refuses mail from that server or, optionally, tags the message with an additional Internet header for later processing by the rules system. In general, the reduction in incoming spam more than pays for the additional latency of the RBL lookup on each connection. However, because each inbound connection is held open while its lookup completes, there may be a slight increase in the number of simultaneously active inbound SMTP connections with this feature turned on. As a performance enhancement, FC8 IS now caches positive RBL results and uses a temporary (60 second) IP block to keep spamming sites at bay. To enable this feature:
1) Open the Basic Internet Setup form UCE/Spam->Junk tab.
2) Select "Enable RBL lookups".
3) Fill in the domain name(s) of the RBL host(s) you want to use.
4) Enter text in the "NDN text".
This field should contain the text you want rejected senders to see in their NDNs, for example, "Your site has been declared a source of spam email by myRBLhost.com, please contact them for further information."
5) Close the form.
If you don't want to reject sites that fail the RBL lookup, you can optionally insert a warning header into the incoming SMTP message instead. To do this, just check the "X-RBL-Warning header instead of NDN" box.
When operating in this mode, the contents of the "NDN text" field are inserted as the data portion of the "X-RBL-Warning" header in the offending message. In this case, you should replace the "NDN text" with something that identifies the RBL site that triggered the header, and is easy to parse. By doing this, you will make it easier for end users to write FirstClass server mail rules to process these messages.
It is now possible to monitor the health and performance of your RBL servers from the IS monitor. On the "Security" tab you can now find a section labeled "RBL statistics" where you can see how each of your RBL servers is performing.
The "Off" button next to each RBL lets you temporarily disable lookups through that RBL service without permanently removing it from your configuration, useful for testing purposes or if one of your RBLs is under a DoS attack. The "Reset" button will reset your RBL stats.
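The two connection-time checks described above, reverse DNS and the RBL lookup, together with the 60-second cache of positive results, as an added example that is not FirstClass code. It shows the detail the text leaves implicit: an RBL is queried by reversing the client's octets under the list's zone, and any A record in the answer means "listed". DNS goes through an injected resolver so the code runs offline against a constructed table; live_resolver is the socket-based equivalent. Assumptions of this example, not statements about IS: only positive results are cached and a cached positive is served without any DNS traffic, and in header mode the added header names the list that matched so that server rules can parse it, as the text recommends.

```python
"""Added example (not FirstClass code): reverse-DNS and RBL screening of a
connecting SMTP client, with a 60-second cache of RBL positives.

resolver(qtype, name) -> list of answers ([] when the name does not resolve).
Assumptions: only positives are cached; a cached positive is served with no
DNS traffic; in header mode the header names the matching list.
"""
import ipaddress
import socket
import time


def rbl_query_name(ip_text, zone):
    """Name queried at an RBL: the address's octets reversed under the list's zone.
    rbl_query_name('192.0.2.10', 'rbl.example') -> '10.2.0.192.rbl.example'"""
    ipaddress.IPv4Address(ip_text)               # validates before building the name
    return ".".join(reversed(ip_text.split("."))) + "." + zone


def live_resolver(qtype, name):
    """For live use: PTR via gethostbyaddr, A via gethostbyname; [] if unresolved."""
    try:
        if qtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
        return [socket.gethostbyname(name)]
    except (socket.herror, socket.gaierror):
        return []


class StubResolver:
    """Constructed offline resolver: answers from a fixed table and counts queries."""
    def __init__(self, records):
        self.records = records
        self.queries = 0

    def __call__(self, qtype, name):
        self.queries += 1
        return list(self.records.get((qtype, name), []))


class ManualClock:
    """Clock you advance by hand, to exercise the cache expiry offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ConnectionScreener:
    """Screens a connecting SMTP client's IP before any mail is accepted."""
    def __init__(self, resolver, rbl_zones, ndn_text, warn_header_instead=False,
                 block_seconds=60, clock=time.monotonic):
        self.resolver = resolver
        self.rbl_zones = list(rbl_zones)
        self.ndn_text = ndn_text
        self.warn_header_instead = warn_header_instead
        self.block_seconds = block_seconds
        self.clock = clock
        self.positive_cache = {}                 # ip -> (zone that listed it, expiry)

    def _listed(self, zone):
        if self.warn_header_instead:             # tag and accept; server rules decide
            return "accept", f"X-RBL-Warning: {zone}: {self.ndn_text}"
        return "reject", f"550 {self.ndn_text}"

    def screen(self, ip):
        """('reject', reason) or ('accept', header_to_add_or_None)."""
        now = self.clock()
        hit = self.positive_cache.get(ip)
        if hit and now < hit[1]:                 # temporary block: no DNS traffic at all
            return self._listed(hit[0])
        if not self.resolver("PTR", ip):         # reverse DNS: no name, no mail
            return "reject", f"no reverse DNS for {ip}"
        for zone in self.rbl_zones:
            if self.resolver("A", rbl_query_name(ip, zone)):
                self.positive_cache[ip] = (zone, now + self.block_seconds)
                return self._listed(zone)
        return "accept", None


# Constructed DNS table: .10 has a PTR and is listed; .20 is clean; .30 has no PTR.
SAMPLE_RECORDS = {
    ("PTR", "192.0.2.10"): ["mail.example.net"],
    ("A", "10.2.0.192.rbl.example"): ["127.0.0.2"],
    ("PTR", "192.0.2.20"): ["host20.example.net"],
}

if __name__ == "__main__":
    screener = ConnectionScreener(StubResolver(SAMPLE_RECORDS), ["rbl.example"],
                                  "Listed by rbl.example, see that site for details")
    for ip in ("192.0.2.10", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, screener.screen(ip))
```

The second screen of 192.0.2.10 in the usage block is answered from the cache, which is what keeps a spamming site from costing you a DNS round trip on every reconnect; swap in live_resolver and your own zones to use it for real.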
Virus scanning
In FC8 IS we've introduced the ability for IS to scan inbound and outbound attachments to SMTP mail, looking for viruses. We use a third-party anti-virus product, Symantec AV Scan Engine, to perform the scanning. This product is purchased separately and installed on its own machine. IS is then configured with the IP address of that machine and uses a network connection to feed each attachment to it. The virus scanner returns a pass/fail indication to IS, which IS uses to suppress the attachment if necessary.

A list of virus scan engines can be configured for very high traffic sites, and IS will distribute load to them as required. IS's default behavior upon finding a virus in an incoming SMTP message is to replace the attachment in question with the warning text the administrator has set up. If an administrator would prefer to reject virus-laden messages altogether, a mail rule can be created that runs at "end of message" time and looks for the "X-FC-VirusDetected" header, NDNing the message if it finds it. For example:
.: IF (@SeenHeader("X-FC-VirusDetected")) NDN 550 "Sorry, no viruses wanted here, we've already got some!"
Rejecting spam using built-in mail rules
It is now possible for IS mail rules (contained in rules.MailRules) to use data from the IS setup forms. As a result, some mail rules tunings that used to require the administrator to edit the rules.MailRules file can now be done from the "Basic Internet Setup->UCE/Spam->Mail Rules" tab.
This form lets you tune the settings that generate low/medium/high spam scores on incoming messages. More importantly, the administrator can now allow mail rules to NDN certain suspect messages (those with high spam scores or suspicious subjects) by checking the boxes on this form. While we don't ship in this configuration, we strongly recommend that administrators enable NDNing of messages once they are comfortable with how the rules system is working at their site.
Crossposting limits
This feature lets you filter excessively crossposted traffic coming into FirstClass. Crossposting in NNTP newsgroups is considered poor form and is often an indicator that a message is junk mail of some kind. To set a limit, check "NNTP crossposting limit" on the "Basic Internet Setup->UCE/Spam->Junk" tab.
In FC8 IS it is now possible to control mail rules from IS setup forms. As a result, the SMTP crosspost limit that is built into rules.MailRules can now be controlled from the "Basic Internet Setup->UCE/Spam->Mail Rules" tab.
SMTP mail rules
In FC8 IS, we've continued to develop our SMTP mail rules, adding numerous features including message body content scanning. SMTP mail rules are defined using files in the Filters folder, distinguished from the normal filter documents by their names, which must start with "rules." or "lists.". These files provide a scripting and configuration system that lets you customize your IS's handling of potential junk mail arriving via SMTP. Let's take a look at this functionality by describing each file's name and