Here's what's considered general best mail practice:
- upon connection, if the domain given in the sender's HELO/EHLO is not a fully qualified domain name = REJECT
- if no HELO/EHLO is sent = REJECT
- if the domain name given does not resolve = REJECT
Here's a snippet of bad senders from my mail gateway:
2013-03-26,00:25:13,log_id=0300002085,type=spam,pri=information,session_id="r2Q5PDQq002084-r2Q5PDQr002084",client_name="1-163-25-112.dynamic.hinet.net [1.163.25.112]",dst_ip="10.150.252.150",from="f5470b3@noetzelnet.de",to="",subject="",msg="Invalid ehlo/helo domain. ( user )"
2013-03-26,00:24:55,log_id=0300002083,type=spam,pri=information,session_id="r2Q5Oscn002082-r2Q5Osco002082",client_name="121.247.65.175.static.pune.vsnl.net.in [121.247.65.175] (may be forged)",dst_ip="10.150.252.150",from="f2ab12cdf@sheldonpg.com",to="",subject="",msg="Invalid ehlo/helo domain. ( 121.247.65.175.static.pune.vsnl.net.in )"
2013-03-26,00:22:23,log_id=0300002079,type=spam,pri=information,session_id="r2Q5MM9l002078-r2Q5MM9m002078",client_name="178.91.242.79.megaline.telecom.kz [178.91.242.79] (may be forged)",dst_ip="10.150.252.150",from="ramroddedawd92@afes.com",to="",subject="",msg="Invalid ehlo/helo domain. ( 178.91.242.79.megaline.telecom.kz )"
2013-03-26,00:20:32,log_id=0300002075,type=spam,pri=information,session_id="r2Q5KWx6002074-r2Q5KWx7002074",client_name="windsorcars.plus.com [80.229.179.201]",dst_ip="10.150.252.150",from="4265598@maps.by",to="",subject="",msg="Invalid ehlo/helo domain. ( dsldevice.lan )"
Yes, all of the above are bad senders, and either the domain or IP address doesn't match, or doesn't resolve. To give you an idea, my email filtering device picks up way over 99% of spam email attempts from just this process alone.
This is just one way to provide basic mitigation of bad senders.
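As an added example (not from the original post or any gateway vendor), here is a short Python script that applies the three HELO/EHLO rules above and re-checks the HELO names pulled out of gateway log lines in the format shown. The DNS lookup is stubbed with a constructed table (FAKE_DNS) so it runs offline, and the log parsing assumes the key=value layout of the lines quoted above.

```python
import re

# Constructed sample: two of the gateway log lines quoted in the post above.
SAMPLE_LOG = [
    '2013-03-26,00:25:13,log_id=0300002085,type=spam,pri=information,session_id="r2Q5PDQq002084-r2Q5PDQr002084",client_name="1-163-25-112.dynamic.hinet.net [1.163.25.112]",dst_ip="10.150.252.150",from="f5470b3@noetzelnet.de",to="",subject="",msg="Invalid ehlo/helo domain. ( user )"',
    '2013-03-26,00:20:32,log_id=0300002075,type=spam,pri=information,session_id="r2Q5KWx6002074-r2Q5KWx7002074",client_name="windsorcars.plus.com [80.229.179.201]",dst_ip="10.150.252.150",from="4265598@maps.by",to="",subject="",msg="Invalid ehlo/helo domain. ( dsldevice.lan )"',
]

# Constructed stand-in for a DNS resolver so the example runs offline
# (assumption: a real gateway would do an A/AAAA lookup of the HELO name here).
FAKE_DNS = {"mail.example.org": "192.0.2.10"}

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name: str) -> bool:
    """Syntactic check: at least two valid DNS labels and an alphabetic top-level label."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(lab) for lab in labels) and labels[-1].isalpha()

def check_helo(helo: str, resolve=FAKE_DNS.get) -> str:
    """Apply the three rules from the post; returns 'ACCEPT' or a REJECT reason."""
    if not helo:
        return "REJECT: no HELO/EHLO sent"
    if not is_fqdn(helo):
        return "REJECT: HELO domain is not fully qualified"
    if resolve(helo) is None:
        return "REJECT: HELO domain does not resolve"
    return "ACCEPT"

MSG_RE = re.compile(r'msg="Invalid ehlo/helo domain\. \( (?P<helo>[^)]*?) \)"')
CLIENT_RE = re.compile(r'client_name="(?P<rdns>\S+) \[(?P<ip>[^\]]+)\]')

def parse_rejection(line: str):
    """Pull client IP, reverse-DNS name and the offered HELO out of one gateway log line."""
    m, c = MSG_RE.search(line), CLIENT_RE.search(line)
    if not m or not c:
        return None
    return {"ip": c["ip"], "rdns": c["rdns"], "helo": m["helo"]}

def audit(lines):
    """Re-evaluate each logged rejection against the rules: list of (ip, helo, verdict)."""
    out = []
    for rec in filter(None, map(parse_rejection, lines)):
        out.append((rec["ip"], rec["helo"], check_helo(rec["helo"])))
    return out

if __name__ == "__main__":
    for ip, helo, verdict in audit(SAMPLE_LOG):
        print(f"{ip:16} helo={helo!r:18} {verdict}")
```

Note that "dsldevice.lan" passes the syntax check and is only caught by the resolution rule, which is why the post treats the three checks as a set.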
Okay, so how do you as an email administrator protect yourself?
Simple: ensure your mail sender or MTA has a valid domain name and a PTR DNS record. The MTA (mail transfer agent) should be legit if you want the world to accept email from you.
If you are forged, mis-configured or flawed, then most properly secured recipients will drop your connection, and hence your mail attempts will never even get a chance.
Once you have the above satisfied, then we can use reputation scoring, session limits or other mail security policies to allow mail. It's common to use some of these practices with mail security:
- real time blacklist
- session limits based on connection attempts per sec
- greylisting
- whitelisting
- static blacklist
- recipient verification
- max message size limits
- max recipient counts limits
- throttling based on reputational scoring
With most email systems, all of the above are used to some degree. But the HELO is the first step that you have to overcome. If you are not who you say you are, then sorry.
Ken Felix
freelance network/security engineer
kfelix a-t hyperfeed.com dot com