Posted by on 01 August 2012 03:23 PM
In this FAQ we will walk you through some options IceWarp administrators have to help protect your server from spammers and in the event your server is compromised by a spammer other options to help mitigate the damage they can cause.
In most cases we see the common method the spammer gains access to the server is using a hacked user account. This means the spammer has uncovered the username and password of an account on your server and is now using this to authenticate to the server and send their spam. This ensures they will never have any problems sending their mail through your server because the server will see this as a legitimate user authenticating and sending the message.
There are other methods as well. If a user PC or other server in the same subnet has a virus/trojan, the mail server itself is compromised or another server on the network is compromised. In almost all cases there are options you have to prevent or again, mitigate the damage with the only lost cause being the mail server itself being compromised.
We will break this into two topics, the first being preventing and the second being mitigating damage.
These options can help you make it much harder on a spammer if they come across your server.
1. Strong Password Policy - This is the best aid in preventing spammers from cracking user accounts. There are still methods spammers use to crack even the strongest passwords but the stronger the passwords employed the less likely it is they are cracked.
You can enforce the password policy by going to the [Domains & Accounts, Policies, Password Policy] tab in the Administration console. We understand in some cases enforcing a strict policy is almost impossible depending on the type of users you have and in these cases you should still enforce a policy but make it less strict. You should use the following options:
2. Remove Trusted Hosts - To ensure only your mail server is able to send mail without being authenticated you need to remove all other entries except for the IP/s your server is bound to. By default this would be the loopback address of 127.0.0.1. You can find this by going to the [Mail, Security, General] tab and here you will see "Trusted IP's & Hosts". In the event you need access to the mail server from other servers on the network then you can place the IP here but it is best to only do this if absolutely necessary and it should always be a single IP and not a range if at all possible.
3. Deny EXPN and VRFY - These can be used by a spammer to find and validate users on your server. These are now completely removed from the product GUI and can only be enabled using the API on a global level. The only location now this is still seen in the console is on the [Security] tab of any Mailing List you might have. The EXPN specifically allows anyone to find out what users might be listed on the mailing list and VRFY returns whether or not the user exists on the server. In the event VRFY is needed please consult the API doc or contact support for instructions on enabling this.
These are the main options that can help administrators stop spammers from gaining access to the server.
Minimizing Damage From Spammers
Once a spammer has gained access to your server they can wreak havoc on your mail delivery capabilities due to blacklisting, poor sender reputation and other reasons so it is vital to also employ options that can help minimize what damage the spammer is able to do. These are steps and options to take if finding yourself in this situation.
1. Find and remove the spammer - If you are hacked by a spammer is paramount you find and remove this spammer as quickly as possible. For more information on finding the spammer please reference the FAQ below on "Tracking And Removing A Spammer"
2. Send Out Limits - It is very responsible to set limits on the number of messages and given user can send out, this can be done globally (one limit for all users) or on a user by user basis. This feature will restrict a user from sending above the specified limit. In most cases the spammer will immediately try to send as much spam as possible before being found and removed and therefore this option can ensure only a small amount of mail is able to be sent before the limits are applied. The easiest way to set this limit is to double the average send out limit seen.
If you go to the [Status, Account Statistics] tab and run a report and view the [List] information then you can sort by the largest amount of sent items that day, month, week, etc. If the highest volume sender has 200 messages in one day then make the limit 3-400 and you should always be safe not to block a legitimate sender. There is a major difference between a spammer getting thousands of messages out or only a few hundred, the biggest one being blacklisting, once on a list it can be very cumbersome to get yourself removed. You can set this limit for users by going to their [Limits] tab.
3. Reject Mail Based On AUTH - This option is named "Reject if SMTP AUTH different than sender" and is found on the [Mail, Security, Advanced] tab and can in some cases block 100% of the mail the spammer is trying to send. It works in the following fashion, if a spammer connects and authenticates with User1@domain.com but then tries to forge the SMTP Sender to anything other than the user they authenticated with it will automatically reject the message entirely.
When enabling this option please keep in mind the only possible scenario this could cause a problem with and that is if you are ever authenticating as one user but sending out as another entirely different user. This does not affect aliases that are part of your account, you can AUTH and still send using the alias without problems.
These are the best options to use to help prevent and minimize the damage done by a spammer so it is recommended to carefully consider and employ all options to better secure your server in the event you have to deal with a spammer.
If you have any additional questions please contact firstname.lastname@example.org