Why is no internet email going in or out? Why are users getting email that is clearly not actually from the person that sent it to them? Why are users getting NDN messages for email that they clearly never sent out?
Most likely, the answer is one of the various email virus worms that are working their way through the internet. This may not always be the case.
In many cases, it's because a setting of Internet Services was changed from the defaults. Internet Services default screenshots can be found at the following links:
Why is no email going in or out?
This could be due to a variety of reasons outlined below:
Outbound internet email not getting out:
If no email or only some email is going out, ensure the following:
1. On the Basic Internet Setup form, General tab, that the Internet Connection setting is set to Continuous. If it is set to Intermittent, change it to Continuous and restart Internet Services. (Some clues that this is set incorrectly are: a) no email going out at all, b) no outbound SMTP sessions at all on the Internet Services Monitor, c) the history of messages in the Internet Mailbox shows no activity.)
2. That the primary DNS in Basic Internet Setup and the secondary and tertiary (if any) DNS in Advanced DNS are configured to point to DNS servers.
3. That the machine that Internet Services is running on can get out to the Internet on port 25.
Failure of DNS to resolve email domains to IPs in an acceptable period of time. DNS servers resolve human-friendly domain names to computer-friendly IPs and back. This functionality is outside of FirstClass and thus in certain situations outside our ability to resolve. Try changing the primary DNS in Basic Internet Setup to a different server and restarting Internet Services. In addition, your settings in Advanced DNS may be set incorrectly. For example, setting the retries to 100 and the timeout to 60 seconds could make a small hiccup in DNS connectivity turn into a major show-stopping email issue.
SMTP retry interval and number set too aggressively in Advanced Mail, SMTP tab. The standard default which should not require changing is 60 minutes for the interval and 2 for the number of retries. If it is anything other than this, we recommend resetting it back to the default and restarting Internet Services.
Outbound email or total internet sessions set too low. Check the Internet monitor to see if the outbound email sessions or total internet sessions are being maxed out. If they are, try increasing their maximums by 50% (e.g. from 50 to 75) and restarting Internet Services. The settings can be found in Basic Internet Setup in the Mail and Service tabs.
On Mac OS X setups where the server and Internet Services are operating on the same machine, it is very likely that slow email delivery is a result of an incorrect MTU setting of 16384. See the OS X tuning recommendations for details on setting the MTU to the correct value of 1500.
Worm- or virus-generated email may be to blame. See the section Viruses and Worms below.
Inbound internet email not coming in:
Failure of UCE/Spam RBL list servers to resolve inbound email queries in an acceptable period of time. This can add time to the processing of email that, if mail is being received fast enough, could quickly saturate sessions. To isolate if this is the cause, try disabling RBL in the Basic Internet Setup form on the UCE/Spam tab, then restart Internet Services.
Inbound email or total internet sessions set too low. Check the Internet monitor to see if the inbound email sessions or total internet sessions are being maxed out. If they are, try increasing their maximums by 50% (e.g. from 50 to 75) and restarting Internet Services. The settings can be found in Basic Internet Setup on the Service tab and in Advanced Mail on the Limits tab.
Worm- or virus-generated email may be to blame. See the section Viruses and Worms below.
If you are using UCE/spam RBL lists, ensure that those lists are valid. Try disabling RBL and restarting Internet Services and seeing what the result is.
For example, a recent RBL server was reconfigured to cause any server that still utilizes it to reject ALL inbound email. This is not a FirstClass issue.
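A pre-flight check for each configured RBL zone, written in Python as an added example (not part of FirstClass). It uses the RFC 5782 test entries to spot a list that answers "listed" for every address, which is the reject-all failure described above; the zone name rbl.example, the 2-second slow threshold and the fake_* resolvers are constructed for illustration.

```python
import socket
import time

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Listed means the name resolves; a failed lookup means not listed."""
    try:
        resolve(dnsbl_name(ip, zone))
        return True
    except OSError:              # socket.gaierror (NXDOMAIN, timeout) is an OSError
        return False

def check_zone(zone, resolve=socket.gethostbyname, slow_after=2.0):
    """Classify a zone with the RFC 5782 test entries before trusting it.

    127.0.0.2 must always be listed and 127.0.0.1 must never be listed.
    slow_after is an assumed threshold in seconds.
    """
    start = time.monotonic()
    test_entry = is_listed("127.0.0.2", zone, resolve)
    everything = is_listed("127.0.0.1", zone, resolve)
    elapsed = time.monotonic() - start
    if everything:
        return "lists-everything"    # would reject ALL inbound mail
    if not test_entry:
        return "not-answering"       # dead or unreachable list
    if elapsed > slow_after:
        return "slow"                # lookups this slow tie up inbound sessions
    return "healthy"

# Constructed resolvers standing in for three kinds of RBL server.
def fake_healthy(name):
    if name.startswith("2.0.0.127."):
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN")

def fake_wildcard(name):
    return "127.0.0.2"               # answers "listed" for every query

def fake_dead(name):
    raise socket.gaierror("timed out")

if __name__ == "__main__":
    for fake in (fake_healthy, fake_wildcard, fake_dead):
        print(fake.__name__, check_zone("rbl.example", fake))
```

Called without the resolve argument, check_zone queries the real zone through the system resolver; any result other than "healthy" is a reason to disable that list before it affects inbound mail.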
NB: If the above situation persists, then you should review the settings of the various forms in Internet Services on the admin desktop and possibly reset them to the defaults. The default 7.1 and 8.0 internet services settings are at the bottom of this tech note. Click on each image to enlarge.
When making changes to these forms, you will have to restart the Internet Services application for the changes to take effect.
Email virus worms
Due to the open nature of internet email, it is possible for malicious programs such as viruses or worms to replicate and transmit themselves using internet email. Steps can be taken to reduce exposure to these viruses and worms; however, much like SPAM, they can only be curtailed. No steps will block 100% of all virus, worm, and SPAM email. Recently, emails generated by virus worms have become more prevalent. The following steps can help prevent the spread of these worms:
1. Emphasize the use of the FirstClass client over third party email clients. Most email worms exploit the fact that third party email clients store their address book on the local workstation, which the FirstClass client does not do. Operating system address books should also be avoided, such as the Windows Address Book.
2. Use active antivirus scanners on all your workstations and keep them up to date.
3. Do not run active antivirus scanners on your FirstClass server. Also do not scan the post office on your FirstClass server. This can damage your post office. For more information on the why, click here.
4. Use an antivirus gateway between FirstClass Internet Services and the Internet. For more information on antivirus gateways, please contact an antivirus vendor such as Symantec.
5. Avoid using network shares with common names, such as share, shared, or archive.
6. Keep up to date on attacks by checking such sites as dshield.org (Dshield), grc.com (Gibson Research), or www.sarc.com (Symantec Antivirus Research Center) frequently.
Several new mail viruses have been released lately, which may cause users to receive NDNs (non-deliverable notifications) in their mailboxes for messages they didn't send. There have also been messages claiming to be from administrator or support email accounts on the users' domain asking the user to run the attachment for one fake reason or another.
If a user launches one of these virus-infected attachments, the system is then infected. The virus begins to scan the user's machine for email addresses, which it can pull from a variety of sources: address books from programs such as Outlook Express (FirstClass is not affected by these viruses) and cached web pages (asp, php, pl, html, etc) from various locations. It then starts sending out messages both to, and claiming to be from, the email addresses it finds.
For example, Mr. A opens an email attachment with a virus. Mr. A's workstation becomes infected and the virus reads the address book or operating system and randomly picks two addresses: Miss B and Dr. C. (Mr. A apparently communicated with these two individuals in the past, or visited websites containing their email addresses.) The virus proceeds to propagate itself by using its own self-generated email server (it does not use your email application to do this) to send a message to Dr. C, making it appear as though it came from Miss B. Note that, although the email is originating from Mr. A's computer, Mr. A's name is not in the email as the sender. This is known as email "spoofing".
The recipient's (Dr. C's) email server receives the email and detects the presence of a virus. Immediately, it sends an email back to the sender (which the FROM address indicates is Miss B), informing Miss B that a virus has been detected in the email she sent to Dr. C. Of course Miss B did not send this email; it originated on Mr. A's infected computer.
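When Miss B forwards such an NDN to the administrator, the headers it quotes show whether the bounced message ever passed through your own mail server. The Python below is an added example, not FirstClass code; the NDN text, every hostname and address in it, and the OUR_SERVERS value are constructed placeholders.

```python
import re
from email import message_from_string

OUR_SERVERS = ("mail.school.example",)   # assumed: hostnames of your own mail servers

# Constructed NDN as Miss B would receive it (all addresses are placeholders).
NDN = """\
From: MAILER-DAEMON@mail.recipient.example
To: miss.b@school.example
Subject: Virus detected in message you sent
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: text/plain

A virus was found in your message to dr.c@recipient.example.

--b1
Content-Type: text/rfc822-headers

Received: from pc-a (dsl-host.isp.example [203.0.113.45])
 by mail.recipient.example; Mon, 5 Jan 2004 10:00:00 +0000
From: miss.b@school.example
To: dr.c@recipient.example
Subject: Re: document

--b1--
"""

def original_headers(ndn):
    """Return the headers of the bounced message that the NDN quotes, or None."""
    for part in ndn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
    return None

def analyse_ndn(text):
    """Report whether the bounced message ever passed through our servers."""
    orig = original_headers(message_from_string(text))
    if orig is None:
        return None
    received = orig.get_all("Received", [])     # last entry is closest to the origin
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else []
    return {"claimed_sender": orig.get("From"),
            "via_our_server": any(s in r for r in received for s in OUR_SERVERS),
            "origin_ip": ips[0] if ips else None}
```

A result with via_our_server False means the message was handed to the recipient's server directly from origin_ip, which is the infected workstation (Mr. A's in the scenario above), not from Miss B's account.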
For more information about Email Viruses please visit your Anti-Virus solution provider’s website, such as www.sarc.com and read up on the current threats.
What else can be done?
The FirstClass Internet Services filtering options (introduced in 7.1; if you do not have this update, please find it here) can be utilized to deal with much of the SPAM email your server receives.
Configure your server to use Real-Time Blackhole Listing (RBL), which allows your server to communicate with an RBL provider (a company with a database of known spammer IP addresses), and check inbound email communications for known spammers.
Rules based filter system:
FirstClass comes with a good set of rules based filters:
Rules.Attachmentblock. This filter is used for stripping out attachments by type, or by name. For example, *.exe would block all files with the .exe extension, whereas virus.exe would just strip out that particular filename, while allowing other .exe files to pass through.
Rules.Subjectblock. This document is used to scan the subject lines of all inbound mail. If a match is found (either a single word, or a phrase), the message is flagged as "high" spam level. This will cause FirstClass to flag the message as junk; by default it will still be delivered to the user (flagged as junk mail), but a few modifications to the rules.mailrules can cause messages caught by the subject block to be outright rejected.
Rules.mailrules. The most customizable document, but not the easiest to edit. This document subjects every inbound message to a series of tests (does the message have a Message ID, is the subject all in capital letters, do any of the words found in the subject line appear in the rules.subjectblock) and scores the email based on the probability that it is spam. Each message will be flagged as either No, Low, Medium, High, or Extreme level of spam. All values and rules are customizable; you will find a tech note on the Rules.Mailrules filter here.
From here the inbound email would then be passed to the end user (or conference) where another set of customizable rules is available. For example, a user could configure a mail rule that would check the sender's address for the word "mother", and if found, would set the message priority to Urgent, change the message icon to an exclamation point, and page the user. Another example would be setting a mail rule to Delete Silently all mail from spammer@spam.com.
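The logic of the three filters, modelled in Python as an added example. This is not FirstClass rules syntax; the patterns, phrases, weights and level thresholds are assumed values, and sample() builds constructed test messages.

```python
from email.message import EmailMessage
from fnmatch import fnmatchcase

ATTACHMENT_BLOCK = ["*.exe", "*.pif"]          # assumed patterns
SUBJECT_BLOCK = ["free money", "act now"]      # assumed phrases
# Assumed thresholds; the real values live in the rules documents.
LEVELS = [(90, "Extreme"), (60, "High"), (40, "Medium"), (20, "Low"), (0, "No")]

def blocked(filename, patterns=ATTACHMENT_BLOCK):
    """Case-insensitive wildcard match of one attachment name."""
    return any(fnmatchcase(filename.lower(), p.lower()) for p in patterns)

def spam_level(msg):
    """Run the three tests named in the text and map the score to a level."""
    subject = msg.get("Subject", "")
    score = 0
    if not msg.get("Message-ID"):
        score += 30                            # no Message-ID header
    if subject.isupper():
        score += 20                            # subject all in capital letters
    if any(p in subject.lower() for p in SUBJECT_BLOCK):
        score += 60                            # a subject-block hit alone reaches High
    return next(name for floor, name in LEVELS if score >= floor)

def filter_message(msg):
    """Return (spam level, attachment names that would be stripped)."""
    stripped = [p.get_filename() for p in msg.iter_attachments()
                if p.get_filename() and blocked(p.get_filename())]
    return spam_level(msg), stripped

def sample(subject, attachment, message_id=None):
    """Build a constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", subject
    if message_id:
        msg["Message-ID"] = message_id
    msg.set_content("body")
    msg.add_attachment(b"data", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg

if __name__ == "__main__":
    print(filter_message(sample("FREE MONEY NOW", "Update.EXE")))
    print(filter_message(sample("Lunch on Friday", "notes.txt", "<1@example.org>")))
```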
Utilized correctly, FirstClass gives both the administrator, and the end user, a great deal of control over SPAM.
Unwanted Email
A less serious cause of mail flooding is unwanted email. The receipt of unwanted or unsolicited email containing objectionable material has become a large concern to many email Administrators, and the end users. Some questions we are often asked include "How did they get my email address?", or "The user says they didn't send the email".
How exactly did the spammer get your users' email addresses?
This can happen in many ways:
- Any time you input your email address to any website (forms, registrations, buying products, general inquiries, etc), you run the risk of your email address being intercepted, and being added to the Spammer's database.
- Using the "To remove yourself from our mailing list, click here" link contained in many SPAM messages often has more than the desired effect; while it may get you removed from that particular list, it also confirms to the spammer that your email address is an active and valid one, which might then be added to other lists and/or sold to other spammers.
- SPAM received via HTML: Many SPAM messages include multiple images in the body of the message, and yet the message size is very small. This is possible because the images are not actually sent via email; the message is designed to download the images from a specified website when it is opened (this is called Remote Loading). While this significantly decreases the overhead for the spammers sending these messages, the main reason it is done is that it is another way of confirming active mail accounts. When a message of this type is opened, most mail clients automatically download the requested images, thereby confirming your email address to the spammer. For this reason, the FirstClass Client does not support remote loading.
- Spider a Website. This is an old way to harvest email addresses, and is still used today. If you or your organization has any mailto: links on your website, these spiders will troll your website looking for these links, and will add them to their database as they go. That is why some addresses (School Principals and CEOs for example, as their addresses are generally listed on their school/company website) get a lot more email than others. We suggest that you either not place mailto: links directly on your website or use something like JavaScript to hide the links in the HTML Source Code.
- Chain Letters: We've all seen forwarded jokes that seem to have been making the rounds for years, as many people forward this type of message to everyone they know. However these messages are also a prime source of email addresses for spammers. The jokes might be funny, but the SPAM you get as a result is not.
- Email Signatures. A lot of us include our email address on our email signature lines, which can also be harvested via many mail viruses. A lot of the current viruses read not only Microsoft Outlook's (and Outlook Express's) address book, but also read any and all web pages (ASP, PHP, pl, html, etc) looking for addresses. If your email signature is on one of these pages, spammers may get it. We suggest that you not use your email address in mailto: link format, but perhaps something like, support(at)firstclass(dot)com.
Unfortunately it's quite easy to end up in a spammer's database, and you have very little chance of ever getting that address removed.
Internet Services for FirstClass 7.1 Defaults
Basic Internet Setup
Advanced Mail
NB: Does not take into account if you are using an SSL certificate for your site or if you are routing outbound email through another server.
Advanced News
Advanced Web & FTP
NB: Does not take into account if you are using an SSL certificate for your site.
Advanced Directory
NB: Does not take into account if you are using an SSL certificate for your site.
Advanced DNS
Internet Services for FirstClass 8.0 Defaults
Basic Internet Setup
Advanced Mail
NB: Does not take into account if you are using an SSL certificate or Norton Antivirus Scan Engine for your site or if you are routing outbound email through another server.
Advanced News
Advanced Web & File
NB: Does not take into account if you are using an SSL certificate for your site.
Advanced Directory
NB: Does not take into account if you are using an SSL certificate for your site.
Advanced DNS
Internet Services for FirstClass 8.3 Defaults
Basic Internet Setup
Advanced Mail
NB: Does not take into account if you are using an SSL certificate or Norton Antivirus Scan Engine for your site or if you are routing outbound email through another server.
Advanced News
Advanced Web & File
NB: Does not take into account if you are using an SSL certificate for your site.
Advanced Directory
NB: Does not take into account if you are using an SSL certificate for your site.
Advanced DNS