Fourteen Best Practices for Combatting Spam
Written by Casper Manes on October 31, 2012
Any administrator looking to support any kind of email system, whether it’s based on Microsoft Exchange, Lotus Notes, Sendmail, or any of the other excellent third party messaging systems that are available, needs to deal head on with the problems caused by spam, phishing and malware. I’ve found that no matter what kind of system I am managing, and whether it was a corporate email system, an ISP type system hosting email for consumers, or even just a personal email system for my own domains, there are several best practices that I follow each and every time. Since they serve me so well, I wanted to share them with you. So, in no particular order of importance, here are my 14 best practices for combatting spam.
1. Ensure you are not a part of the problem
Right after I install a system, but before I create an MX record or even open up TCP port 25 on the firewall, I make sure that my email server is not configured to allow open relay. I’ll review the install and configuration instructions that come with the product, and then I will use TELNET to connect to my server’s SMTP service and try to relay mail through it to make sure it won’t.
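The manual TELNET relay test from practice 1, scripted as an added example (this is not code from the original article). The two addresses are placeholders on reserved example domains, and the host passed to check_own_server is assumed to be a mail server you administer.

```python
import smtplib

# Assumed placeholder addresses on reserved example domains: neither is local
# to the server under test, so accepting the pair means it would relay.
EXTERNAL_SENDER = "relay-test@example.org"
EXTERNAL_RCPT = "relay-test@example.net"


def relay_verdict(smtp, sender=EXTERNAL_SENDER, rcpt=EXTERNAL_RCPT):
    """Replay the manual relay test on an already-connected SMTP session.

    Returns (verdict, code, reply); verdict is 'refused', 'OPEN RELAY' or
    'inconclusive'. No DATA command is issued, so no message is ever sent.
    """
    smtp.ehlo_or_helo_if_needed()
    code, reply = smtp.mail(sender)
    if code // 100 != 2:
        # Sender rejected before RCPT TO was even attempted.
        verdict = "refused" if code // 100 == 5 else "inconclusive"
    else:
        code, reply = smtp.rcpt(rcpt)
        if code // 100 == 2:
            verdict = "OPEN RELAY"      # external sender to external recipient accepted
        elif code // 100 == 5:
            verdict = "refused"         # e.g. 550/554 relaying denied
        else:
            verdict = "inconclusive"    # 4xx: greylisting or temporary failure
    smtp.rset()                         # abandon the transaction
    if isinstance(reply, bytes):
        reply = reply.decode(errors="replace")
    return verdict, code, reply


def check_own_server(host, port=25, timeout=10):
    """Connect to a mail server you administer and run the relay test."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return relay_verdict(smtp)
```

Run it from a machine outside your own network, since many servers legitimately relay for internal addresses. Some servers accept RCPT TO and refuse later, so confirm an "OPEN RELAY" result before acting on it.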
2. Get a second opinion
Once I open up TCP port 25, I will use one of the excellent web-based services to further and more thoroughly test my server to make sure it won’t relay for spammers. MXToolbox has a quick and easy test you can use, and MailRadar has a very thorough battery of tests you can run. If neither of them finds an issue, you should be good to go.
3. Install anti-virus software per the mail system’s recommendations
While not all spam is malware, and not all malware comes from spam, I like to think of them as closely related and address them here. You want to install and maintain anti-virus software on your mail server to protect its operating system, but most anti-virus software, when installed with default settings, can cause significant problems for email servers. Get your mail server vendor’s recommended settings and exclusions, and ensure your anti-virus software is considered to be compatible with your mail application.
4. Install anti-virus software to scan email
Anti-virus software installed for your operating system doesn’t scan inbound and outbound mail. That means it doesn’t protect your users from malware in messages or attachments. You need both anti-virus software to protect your server, and anti-virus software to filter email. Don’t have one without the other.
5. Enable any built-in anti-spam capabilities
Most email systems include some form of anti-spam agent or process. Size your servers so that they can handle the CPU and RAM requirements of their included anti-spam capabilities, and use them. Defense in depth is all about the layers, and if you have protections built in to your system, you should take advantage of them.
6. Don’t rely solely upon those built-in anti-spam capabilities
There’s a very rich and diverse third-party market out there full of anti-spam solutions. You want to use one to improve the protections you are providing to your users. What’s built in to your email system should be the last line of defense, but not the only one. Whether you use a cloud-based solution, or one you install on-prem, look for solutions that can easily plug in to your email system using SMTP routing so you don’t have to install additional software on your servers.
7. Scan both inbound and outbound messages
It’s just as important to scan your outbound messages as your inbound. Whether by accident, or because of malware, you don’t want your users to do anything that might get your system labeled as a spammer.
8. Set reasonable limits on messages
Limit the maximum number of recipients, whether inbound or outbound; the maximum number of messages sent in a particular timeframe; and the maximum attachment size. Don’t allow a free-for-all. Set limits that will support the needs of your users, but that can reduce the impact a spam message might have.
9. Protect against directory harvesting attacks
Configure your system, or use third-party applications, to detect and block directory harvesting attacks (DHAs) so spammers cannot probe your system looking for valid email addresses.
10. Tarpit suspect connections
Many email systems can detect suspect connections, and tarpit them to slow them down, and minimize the amount of spam they can send. Check your documentation and take advantage of this, as it’s one way you can “fight back” against a spammer.
11. Use SPF records
Ensure you have a good SPF record, and set it to hard fail so others will be able to reject spoofed email from your domain. Use SPF on your servers and urge your partners to also use hard fail.
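A way to check that a published record really ends in hard fail, as an added example (not code from the original article). It takes the TXT strings you have already looked up for a domain; the sample records are constructed, and the checks beyond the hard-fail one follow RFC 7208.

```python
import re

# Qualifier on the "all" mechanism -> the result receivers get for any
# sender that matched nothing earlier in the record (RFC 7208).
ALL_RESULT = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass"}
# Terms that each cost one DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = re.compile(r"[-~?+]?(include|a|mx|ptr|exists)([:/]|$)|redirect=", re.I)


def audit_spf(txt_records):
    """Return (policy, findings) for the TXT records published at a domain."""
    spf = [r.strip() for r in txt_records if re.match(r"v=spf1(\s|$)", r.strip(), re.I)]
    if not spf:
        return None, ["no v=spf1 record published"]
    if len(spf) > 1:
        return None, ["multiple v=spf1 records: receivers return permerror"]

    terms = spf[0].split()[1:]
    policy, findings = None, []
    for i, term in enumerate(terms):
        m = re.fullmatch(r"([-~?+]?)all", term, re.I)
        if m:
            policy = ALL_RESULT[m.group(1) or "+"]
            dead = [t for t in terms[i + 1:] if "=" not in t]
            if dead:
                findings.append("never evaluated after 'all': " + " ".join(dead))
            break

    if policy is None:
        if any(t.lower().startswith("redirect=") for t in terms):
            findings.append("policy delegated by redirect=; audit the target record")
        else:
            findings.append("no 'all' term: unmatched senders get neutral, not fail")
    elif policy != "hard fail":
        findings.append("'all' yields %s; use -all for hard fail" % policy)

    lookups = sum(1 for t in terms if LOOKUP_TERMS.match(t))
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceeds the limit of 10" % lookups)
    return policy, findings


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for rec in ("v=spf1 mx ip4:192.0.2.10 -all", "v=spf1 include:_spf.example.net ~all"):
        print(rec, "->", audit_spf([rec]))
```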
12. Require your users only use opt-in lists
Don’t become part of the problem by buying contact lists. Require that all mass communications from your users go to email lists that are opt-in, that are confirmed at least annually, and that make it easy for people to unsubscribe immediately and without further nagging.
13. Mask email addresses on the website
14. Use contact forms
When possible, don’t post email addresses online at all. Use contact forms with CAPTCHAs so that customers can easily get in touch without any email address being exposed.
I always try to follow these fourteen best practices whenever I set up or manage an email system, even on my personal domain at home. What about you? What are some of the other best practices you use to help fight spam? Leave a comment and let us all know some other effective ways to fight spam.