An ISP Approach to Blocking Outbound "spam"
Intro:
This information is provided free with no warranty and no merchantability or fitness for any particular use.
These techniques use standard hardware and software you almost certainly already have, so no big budgetary items are needed.
You can control/prevent outbound spam/UCE with these 3 areas:
- DNS (often called a black art),
- SMTP and MX logic, and
- Firewalls
If you want to stop spam then stop it at the source, not at the recipient level where it has already done all of the damage (in terms of bandwidth, payload delivery, etc.). How? The same way companies protect themselves. You have to understand the technical problems:
Spam thrives because:
- it usually gets sent unchecked/unregulated/unauthenticated
- it is often untraceable by the typical end-user and they also do not have the tools to validate it
- it could be sent through an open relay (an improperly configured server that accepts mail from anywhere and sends it to anywhere)
- it is being sent from a "bot" computer that was hijacked for this purpose
Standards:
The Internet functions because of standards. Typically our solutions are engineered to implement and support existing standards/RFCs so that they are 100% compatible with everything and operate with absolute reliability. This is no exception. Every aspect of this information adheres to all known SMTP, DNS and TCP RFCs and works with old systems as well as the latest thing. It works whether you are using Windows, *NIX, or OSX. It works whether you are using a homebrew spam scanner or an appliance. It just works.
90% of it can be stopped in 4 steps:
- All organizations that host a significant number of connections to the Internet (ISPs, ESPs, corporations, etc.) must have a firewall; if they don't, they should not be connected to the Internet. Firewalls are not just for controlling what comes in, but also what is allowed out.
- Then do some flow control:
  - block all outbound port 25 connections (except from YOUR mail server). This prevents your customers (say if you are an ISP) or employees from sending spam directly.
  - Force your employees/users/customers that hang off your Internet connection to send mail through YOUR SMTP server (I would not use Exchange/Lotus/etc for this). YOUR server is called a "smart relay". It is not there to spy on your customers or employees, no. Instead it makes sure of the following:
    - before a message gets to the Internet it will be checked for proper headers with VALID "FROM" data,
    - before it gets to the Internet it will be coming from a known mail server that can be trusted (YOURS),
    - it has already been virus/content checked by YOUR server before it gets to the Internet,
    - it prevents abuse of open relays because the sender can no longer choose which SMTP server they want to connect to,
    - it actually increases mail delivery performance globally because mail gets delivered in groups rather than tiny fragments (I can explain more later),
    - it prevents an employee's hijacked computer from becoming a spam bot because it cannot send. The greatest benefit is that if any of it does get through, the recipient mail administrator KNOWS FOR A FACT where it came from and can contact the originating email administrator, who can then, for a fact, identify exactly who is sending it and stop it, terminate their account, turn them over to authorities for fraud, whatever, etc.
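The port-25 flow control above, modelled as an added example (not part of the original posting): a policy function that mirrors the egress/ingress rules, plus a check over constructed firewall log lines that flags internal hosts repeatedly tripping the outbound-25 block, which is exactly the signature of a hijacked "bot" machine. All addresses are hypothetical (RFC 5737 / RFC 1918 ranges).

```python
"""Model of the outbound/inbound port-25 policy and a log check for hosts
that keep hitting the block. Addresses and log lines are constructed."""
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed customer/LAN space
SMART_RELAY = ipaddress.ip_address("10.0.0.25")        # assumed: YOUR smart relay
PRIMARY_MX = ipaddress.ip_address("10.0.0.26")         # assumed: internal primary MX
SPAM_CHECKER = ipaddress.ip_address("203.0.113.10")    # assumed: public secondary MX


def decide(src, dst, dport):
    """Return 'ACCEPT' or 'DROP' for a new TCP connection.
    Traffic to ports other than 25 is outside this policy and passes."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 25:
        return "ACCEPT"
    if src in INTERNAL_NET and dst == SMART_RELAY:
        return "ACCEPT"   # users may only submit mail to OUR relay
    if src == SMART_RELAY and dst not in INTERNAL_NET:
        return "ACCEPT"   # only the relay talks SMTP to the Internet
    if dst == SPAM_CHECKER:
        return "ACCEPT"   # the spam checker is the only host visible on 25
    if dst == PRIMARY_MX and src == SPAM_CHECKER:
        return "ACCEPT"   # nobody but the spam checker reaches the primary MX
    return "DROP"         # every other port-25 connection is blocked


LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*DPT=(\d+)")


def suspect_hosts(lines, threshold=3):
    """Internal hosts with >= threshold dropped outbound-25 attempts."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if ipaddress.ip_address(src) in INTERNAL_NET and decide(src, dst, dport) == "DROP":
            hits[src] += 1
    return sorted(h for h, n in hits.items() if n >= threshold)


SAMPLE_LOG = [  # constructed lines in iptables LOG format
    "EGRESS25 IN=eth1 OUT=eth0 SRC=10.0.5.7 DST=198.51.100.2 PROTO=TCP DPT=25",
    "EGRESS25 IN=eth1 OUT=eth0 SRC=10.0.5.7 DST=198.51.100.3 PROTO=TCP DPT=25",
    "EGRESS25 IN=eth1 OUT=eth0 SRC=10.0.5.7 DST=198.51.100.4 PROTO=TCP DPT=25",
    "EGRESS25 IN=eth1 OUT=eth0 SRC=10.0.9.3 DST=198.51.100.2 PROTO=TCP DPT=25",
    "EGRESS25 IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.2 PROTO=TCP DPT=25",
    "EGRESS25 IN=eth1 OUT=eth0 SRC=10.0.5.7 DST=198.51.100.2 PROTO=TCP DPT=443",
]
```

A host that shows up in `suspect_hosts` is the one the originating administrator can identify and shut off, as the posting describes.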
- Force all inbound mail through a spam/UCE filter (e.g., SpamAssassin, Barracuda, something). [Note, we are not saying that you should force all of your customers' inbound mail through your mail server, just YOUR inbound at the "domain/subdomain" level. They should have a setup like this on their own network; frankly every business and ISP should be configured this way.]
  - You do this by configuring your PRIMARY MX as your real internal mail server and making it the highest-priority MX.
  - THEN BLOCK IT ON THE FIREWALL SO NOBODY BUT YOUR SPAM CHECKER (which is visible to the outside world on port 25) can send to it (this is also your secondary MX). You may have to configure a throttle on your firewall or spam firewall if you have numerous external MX hosts that don't filter out forgeries/relays/RFC violations themselves.
  - All attempts will fall back to the spam checker and any tertiary/quaternary MX hosts you may have floating externally. (You may get complaints from third-party MX hosters like DNSmadelousy that don't do any kind of filtering and allow blatant forgeries, relays, and spam through because they claim they are only being an MX. They will complain that you are backlogging their servers. Ignore them.)
  - Also make sure to put in an MX record for the FQDN of your primary MX and of your SPAM CHECKER (secondary MX); otherwise Microsoft Exchange will have trouble sending to your domain from outside your network.
- Make sure all your DNS records, including A, PTR, CNAME, MX, and SPF (TXT record), are properly configured for forward/reverse. It's critical because DNS is the linchpin of routing via MX records and is the only way your systems can truly authenticate the name/IP address of an internal or remote system.
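An offline consistency check for the MX/A/PTR/SPF setup in steps 3 and 4, added here as an example and not part of the original posting. The records are constructed for a hypothetical domain example.net (a real run would fetch them with dig or a DNS library); the check flags an MX target without an A record, a forward/reverse mismatch, a missing SPF TXT record, and the Exchange pitfall of an MX host lacking its own MX record.

```python
"""Sanity-check mail-related DNS records for forward/reverse consistency.
All records below are constructed; example.net is a placeholder domain."""

# constructed zone data: name -> IPv4, IPv4 -> name, name -> [(pref, host)], name -> [txt]
A = {"mx1.example.net": "10.0.0.26", "spamwall.example.net": "203.0.113.10"}
PTR = {"10.0.0.26": "mx1.example.net", "203.0.113.10": "spamwall.example.net"}
MX = {
    "example.net": [(10, "mx1.example.net"), (20, "spamwall.example.net")],
    "mx1.example.net": [(10, "mx1.example.net")],          # FQDN of primary MX
    "spamwall.example.net": [(10, "spamwall.example.net")],  # FQDN of spam checker
}
TXT = {"example.net": ["v=spf1 ip4:203.0.113.10 -all"]}   # assumed relay address


def check_mail_dns(domain, a=A, ptr=PTR, mx=MX, txt=TXT):
    """Return a list of problems found; an empty list means the setup is consistent."""
    problems = []
    hosts = mx.get(domain, [])
    if not hosts:
        return [f"{domain}: no MX record"]
    for pref, host in sorted(hosts):
        ip = a.get(host)
        if ip is None:
            problems.append(f"{host} (pref {pref}): MX target has no A record")
            continue
        if ptr.get(ip) != host:
            problems.append(f"{host}: PTR for {ip} is {ptr.get(ip)!r}, forward/reverse mismatch")
        if host not in mx:
            problems.append(f"{host}: MX target has no MX record of its own (Exchange senders may fail)")
    spf = [t for t in txt.get(domain, []) if t.startswith("v=spf1")]
    if not spf:
        problems.append(f"{domain}: no SPF TXT record")
    elif not spf[0].split()[-1] in ("-all", "~all"):
        problems.append(f"{domain}: SPF record does not end in -all/~all, forgeries are not rejected")
    return problems


def primary_mx(domain, mx=MX):
    """Lowest preference value wins, i.e. the highest-priority MX (step 3)."""
    return min(mx[domain])[1]
```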
I have employed these techniques at some of the largest and most well-known dot coms and ISPs in the world and they work. Without any endorsement, when was the last time you actually received spam/UCE from an earthlink.net address??? They do what I've identified in #2 and they require their business customers to relay through their servers with an SSL-encrypted userid/password mechanism. They do this for this very reason and it works very well.
If this stops 90% of it, the remaining 10% is absolutely traceable and can be easily controlled.
Thanks,
David Beecher
Engineering Team
TekOps, Inc.
If you are having email issues, however bizarre perhaps we can help. Give us a call we can do it all.