Fourteen Best Practices for Combatting Spam

Written by Casper Manes on October 31, 2012

Any administrator looking to support any kind of email system, whether it’s based on Microsoft Exchange, Lotus Notes, Sendmail, or any of the other excellent third-party messaging systems that are available, needs to deal head-on with the problems caused by spam, phishing and malware. I’ve found that no matter what kind of system I am managing, and whether it was a corporate email system, an ISP-type system hosting email for consumers, or even just a personal email system for my own domains, there are several best practices that I follow each and every time. Since they serve me so well, I wanted to share them with you. So, in no particular order of importance, here are my 14 best practices for combatting spam.

1. Ensure you are not a part of the problem

Right after I install a system, but before I create an MX record or even open up TCP port 25 on the firewall, I make sure that my email server is not configured to allow open relay. I’ll review the install and configuration instructions that come with the product, and then I will use TELNET to connect to my server’s SMTP service and try to relay mail through it to make sure it won’t.
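The manual TELNET check described above can be scripted so it is repeated after every configuration change. This is an added example, not code from the original article; the function name, the placeholder addresses and the smtp_factory parameter are assumptions made for illustration.

```python
import smtplib

def probe_open_relay(host, port=25, sender="probe@sender.example.org",
                     recipient="probe@recipient.example.net",
                     helo_name="relaytest.example.org", timeout=10,
                     smtp_factory=smtplib.SMTP):
    """Repeat the manual TELNET relay test against your own server.

    sender and recipient are placeholders in domains the server does not
    host. The session ends after RCPT TO; DATA is never sent, so nothing
    is queued or delivered. Returns (verdict, code, text).
    smtp_factory exists only so the check can be exercised without a
    live server (hypothetical parameter).
    """
    smtp = smtp_factory(host, port, local_hostname=helo_name, timeout=timeout)
    try:
        smtp.ehlo_or_helo_if_needed()
        code, text = smtp.mail(sender)
        if code == 250:
            code, text = smtp.rcpt(recipient)
            if code in (250, 251):
                verdict = "relay-accepted"   # server agreed to forward the mail
            elif 500 <= code <= 599:
                verdict = "relay-denied"     # e.g. 550 5.7.1 Relaying denied
            else:
                verdict = "inconclusive"     # 4xx: greylisting or temporary error
        else:
            verdict = "inconclusive"         # rejected before RCPT TO was tried
        return (verdict, code, text.decode(errors="replace"))
    finally:
        try:
            smtp.quit()                      # QUIT without DATA drops the transaction
        except smtplib.SMTPException:
            smtp.close()
```

A server may legitimately relay for trusted internal addresses, so run the probe from a host the server treats as external; anything other than "relay-denied" deserves a look at the relay settings before port 25 is opened.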

2. Get a second opinion

Once I open up TCP port 25, I will use one of the excellent web-based services to further and more thoroughly test my server to make sure it won’t relay for spammers. MXToolbox has a quick and easy test you can use, and MailRadar has a very thorough battery of tests you can run. If neither of them finds an issue, you should be good to go.

3. Install anti-virus software per the mail system’s recommendations

While not all spam is malware, and not all malware comes from spam, I like to think of them as closely related and address them here. You want to install and maintain anti-virus software on your mail server to protect its operating system, but most anti-virus software when installed with default settings can cause significant problems for email servers. Get your mail server vendor’s recommended settings and exclusions, and ensure your anti-virus software is considered to be compatible with your mail application.

4. Install anti-virus software to scan email

Anti-virus software installed for your operating system doesn’t scan inbound and outbound mail. That means it doesn’t protect your users from malware in messages or attachments. You need both anti-virus software to protect your server, and anti-virus software to filter email. Don’t have one without the other.

5. Enable any built-in anti-spam capabilities

Most email systems include some form of anti-spam agent or process. Size your servers so that they can handle the CPU and RAM requirements of their included anti-spam capabilities, and use them. Defense in depth is all about the layers, and if you have protections built in to your system, you should take advantage of them.

6. Don’t rely solely upon those built-in anti-spam capabilities

There’s a very rich and diverse third-party market out there full of anti-spam solutions. You want to use one to improve the protections you are providing to your users. What’s built in to your email system should be the last line of defense, but not the only one. Whether you use a cloud-based solution, or one you install on-prem, look for solutions that can easily plug in to your email system using SMTP routing so you don’t have to install additional software on your servers.

7. Scan both inbound and outbound messages

It’s just as important to scan your outbound messages as your inbound. Whether by accident, or because of malware, you don’t want your users to do anything that might get your system labeled as a spammer.

8. Set reasonable limits on messages

Maximum number of recipients whether inbound or outbound; maximum number of messages sent in a particular timeframe; maximum attachment sizes; don’t allow a free-for-all. Set limits that will support the needs of your users, but that can reduce the impact a spam message might have.

9. Protect against directory harvesting attacks

Configure your system or use third-party applications that detect and block DHAs so spammers cannot probe your system looking for valid email addresses.
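A directory harvesting attack shows up in the SMTP log as one source collecting many "user unknown" rejections for different addresses in a short time. The detector below is an added example, not part of the original article; the log lines are constructed in the style of Postfix smtpd reject entries, and the threshold and window values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) .*reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>")

def find_harvesters(lines, threshold=5, window=timedelta(minutes=1), year=2012):
    """Return {ip: most distinct unknown recipients seen in one window} for
    sources that reach `threshold` distinct unknown recipients in `window`."""
    events = defaultdict(list)
    for line in lines:
        m = REJECT.search(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["rcpt"].lower()))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                      # slide the window forward
            distinct = {rcpt for _, rcpt in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

# Constructed sample: one source guessing six names in six seconds, and one
# sender repeating a single mistyped address (which must not be flagged).
FMT = ("Nov 20 10:00:{:02d} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
       "unknown[{}]: 550 5.1.1 <{}@example.com>: Recipient address rejected: "
       "User unknown in local recipient table")
SAMPLE = [FMT.format(i, "203.0.113.7", name) for i, name in
          enumerate(["adam", "alice", "amy", "andy", "anna", "april"])]
SAMPLE += [FMT.format(5, "198.51.100.9", "jsmith"),
           FMT.format(50, "198.51.100.9", "jsmith")]
```

Counting distinct recipients rather than raw rejections keeps a sender who retries one mistyped address from being treated like a harvester.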

10. Tarpit suspect connections

Many email systems can detect suspect connections, and tarpit them to slow them down, and minimize the amount of spam they can send. Check your documentation and take advantage of this, as it’s one way you can “fight back” against a spammer.

11. Use SPF records

Ensure you have a good SPF record, and set it to hard fail so others will be able to reject spoofed email from your domain. Use SPF on your servers and urge your partners to also use hard fail.
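Whether a domain really publishes a hard-fail policy can be checked from its TXT records. The audit below is an added example, not part of the original article; it goes slightly beyond the hard-fail point by also flagging duplicate records and the ten-lookup limit from RFC 7208, and the function name and sample records in the usage are constructed.

```python
import re

QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup

def audit_spf(txt_records):
    """Classify the SPF policy found in a domain's TXT records.

    Returns (verdict, detail). Verdicts: none, permerror, hardfail,
    softfail, neutral, pass (the record authorizes everyone), redirect.
    """
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ("none", "no v=spf1 record published")
    if len(spf) > 1:
        return ("permerror", "more than one v=spf1 record")
    lookups, verdict, redirect = 0, None, False
    for term in spf[0].lower().split()[1:]:
        if term.startswith("redirect="):
            redirect = True
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in DNS_MECHANISMS:
            lookups += 1
        elif name == "all":
            verdict = QUALIFIERS[qualifier]
            break                    # terms after "all" are never evaluated
    if verdict is None and redirect:
        lookups, verdict = lookups + 1, "redirect"   # policy lives elsewhere
    if lookups > 10:
        return ("permerror", f"{lookups} DNS-querying terms, limit is 10")
    if verdict is None:
        return ("neutral", "no 'all' term; unmatched senders are not rejected")
    return (verdict, f"{lookups} DNS-querying terms")
```

For the constructed record "v=spf1 mx ip4:192.0.2.0/24 -all" the verdict is "hardfail"; the same record ending in "~all" gives "softfail", which asks receivers to accept the message but mark it.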

12. Require your users only use opt-in lists

Don’t become part of the problem by buying contact lists. Require that all mass communications from your users go to email lists that are opt-in, confirmed at least annually, and that make it easy for people to unsubscribe immediately and without further nagging.

13. Mask email addresses on the website

Don’t publish email addresses on your website that are easy to harvest. Use JavaScript or other obfuscation methods to prevent spiders from harvesting email addresses.

14. Use contact forms

When possible, don’t post email addresses online at all. Use contact forms with CAPTCHAs so that customers can easily get in touch without any email address being exposed.

I always try to follow these fourteen best practices whenever I set up or manage an email system, even on my personal domain at home. What about you? What are some of the other best practices you use to help fight spam? Leave a comment and let us all know some other effective ways to fight spam.

Comments

Jaysee November 2, 2012

This is an incredible list. I find the tips very easy to follow and truly practical. Perhaps it’s high time that everyone would create a checklist and have something like this posted in their cubicle or desk. This way there’s no way they will forget about their responsibilities when it comes to preventing or reducing spam. I personally agree with the first one. It’s how everyone becomes accountable. It’s funny how people tend to put all the blame on spammers and their IT administrators when they are the ones who also spread the spamming messages. A few of my friends sadly do that.

Albert Morrow November 5, 2012

I can definitely relate to the first one. Seriously, people, why do you believe in chain mails? Why do you think you will die simply because you did not forward the letter to X number of friends over X number of days? Here is the truth: no one has died yet for violating the cardinal rule of chain mail. For the past few months, I have been receiving this type of mail in almost all my active accounts, including my Facebook mail. And I am seriously getting real annoyed. I just think they are a terrible waste of mail space.

Princess Hill November 20, 2012

If I may add, don’t be a spammer. I’m one of the biggest believers of karma, you know, what you do to others will surely come back to haunt you, even more severely. Doing so also gives you a license to fight those who do conveniently. After all, you’re not trying to be self-righteous. I said these because an ex-friend who loved to share those chain mails sent me an angry e-mail once when I asked if she’s willing to buy some candles that I’ve been making. She basically labeled me a spammer and didn’t stop telling me that it’s a mortal sin in cyberspace. Well, look who’s talking.
