Tuesday, February 18, 2014

10 tips to avoid being listed on an RBL (mail)

I'm working an uphill battle with a client of mine that has piss-poor management of their addresses and mail use.

For any of the dozen class C networks that they have, they are typically listed on the Multi-RBL checklist by 4 or more RBLs.

You can check a majority of the common RBLs at the following link.


And any of the RBLs that are queried will sometimes show the address, or even the whole range, as listed or bad;

e.g. (spamrats)


Okay, so I put together a few tips that could help you avoid going to the dog house and being listed as a bad sender of email.

1: First, craft an SPF record

This is a must-do, and it will help you if someone forges mail from one of your domains.

Please publish an SPF record regardless of whether you even plan to send mail from that domain. Here are a few domains I own that I never planned on sending mail from, so I also crafted a DNS TXT SPF record that lists my preferences for mail sending ( "-all" ).

This helps mail-filtering devices that inspect and validate the domains 1000gigabit.com/net, and it works against any senders that might want to forge mail for these 2 domains.
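An added example (not from the original post) that classifies what an SPF TXT record tells a receiver to do with mail from a host the record does not authorize, and flags the "-all"-only record recommended above for non-sending domains. The domain names and TXT strings are constructed placeholders.

```python
# Added example: what does a domain's SPF record tell receivers to do with
# mail from a host the record does not authorize?
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _spf_records(txt_records):
    """Keep only TXT strings whose first term is the SPF version tag."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def default_result(txt_records):
    """Result for senders not matched by any earlier mechanism."""
    spf = _spf_records(txt_records)
    if not spf:
        return "none"        # nothing published: forged mail is not flagged
    if len(spf) > 1:
        return "permerror"   # RFC 7208 allows only one SPF record per name
    has_redirect = False
    for term in spf[0].lower().split()[1:]:
        if term.startswith("redirect="):
            has_redirect = True
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]   # terms after "all" are never reached
    # No "all": policy continues at the redirect target, else defaults to neutral.
    return "redirect" if has_redirect else "neutral"

def is_non_sending_lockdown(txt_records):
    """True only for the case in the tip: no host authorized, all mail fails."""
    spf = _spf_records(txt_records)
    return len(spf) == 1 and spf[0].lower().split() == ["v=spf1", "-all"]

# Constructed TXT answers for hypothetical domains (not real lookups).
SAMPLES = {
    "parked.example": ["v=spf1 -all"],
    "soft.example":   ["v=spf1 mx ~all"],
    "open.example":   ["v=spf1 +all"],
    "noall.example":  ["v=spf1 a mx"],
    "double.example": ["v=spf1 -all", "v=spf1 mx -all"],
    "unset.example":  ["some-site-verification=constructed"],
}

if __name__ == "__main__":
    for name, txt in SAMPLES.items():
        print(name, default_result(txt), is_non_sending_lockdown(txt))
```

Anything other than "fail" for a domain that never sends mail leaves room for a receiver to accept forged mail in that domain's name.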

2: Ensure you have NO open mail relays

Yes, the age-old abuse of open relays should not be overlooked. If you don't know what an open relay is, then follow this link;

Your mail-sender program will probably have methods for you to check for and correct an open relay. Allow mail to be relayed only by client networks that you support and allow.

3: Make sure your mail attachments are virus free

Yes, please help with keeping the internet clean and healthy.

What this means:

"You and I need to inspect our mail attachments and/or enforce AV/malware detection on our clients' side."

The former is easy if you have a mail-sender that has AV detection and inspects all mail sent from the server. Optionally, you can use a firewall that has AV detection (a firewall from Fortigate/Palo Alto/etc., for example) and direct all mail through the firewall before sending it to the internet.

See these two examples of possible AV inspection:
(relay with AV: all mail from the client goes outbound through the relay and not directly)

(Fortigate firewall with security inspections or email filtering)

The green line = post-AV-inspected mail traffic

4: Rate-limit and throttle your outbound mail sessions to avoid being throttled by the recipient domain's mail gateway/firewall

Send mail, and be aware of the number of messages you send per hour and to each destination.

5: Act responsively to ALL abuse claims.

Any sizable organization should have an abuse-security team or abuse personnel. This also means we need to correct and keep up to date the SOA contacts, WHOIS contacts, and other technical email addresses. (It does not make any sense to list an invalid contact.)

This team or individual should always monitor the inbox for new claims or complaints and act professionally and responsively on any claims of abuse.

I've worked with numerous ISPs over the last 20 years and I can count on 2 hands how many times the contact was incorrect or the inbox was not even reviewed or monitored.

Be a good organization and monitor your technical/admin/abuse email contacts daily or weekly at minimum.

6: Enroll any authorized mailer devices in an RBL monitor

There are a few free and a few paid RBL monitoring services. All will alert you to a possible RBL listing, and they typically scan every 12-48 hours, depending on the level of service you subscribed to. Find one or two and have them monitor your email servers' IP addresses.
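What such a monitor does on each scan, as an added example that is not part of the original post: it reverses the sender's IPv4 octets, appends the list's DNS zone, and treats an answer in 127.0.0.0/8 as a listing. The zone `dnsbl.example.org`, the addresses and the `FAKE_DNS` table are constructed placeholders; substitute the zones of the lists you care about.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's DNS zone."""
    addr = ipaddress.IPv4Address(ip)            # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolve(name):
    """Return the A record as text, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        # Also raised on resolver failure, so None means "no listing seen",
        # not proof of a clean address.
        return None

def interpret(answer):
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) in LISTED_NET:
        return "listed"
    return "error"   # an answer outside 127.0.0.0/8 is not a valid DNSBL reply

def check_senders(ips, zones, resolve=system_resolve):
    """Map (ip, zone) -> verdict for every authorized sender and every list."""
    return {(ip, z): interpret(resolve(dnsbl_query_name(ip, z)))
            for ip in ips for z in zones}

def listed_only(results):
    return sorted(k for k, v in results.items() if v == "listed")

# Constructed data: documentation-range addresses and a placeholder zone.
SENDERS = ["192.0.2.25", "192.0.2.26"]
ZONES = ["dnsbl.example.org"]
FAKE_DNS = {"26.2.0.192.dnsbl.example.org": "127.0.0.2"}

if __name__ == "__main__":
    print(check_senders(SENDERS, ZONES, resolve=FAKE_DNS.get))
```

Run without the `resolve` argument to query through the system resolver, and alert on any non-empty `listed_only()` result.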

7: If you're a big agency or ISP, request a mutual mail-sender-usage policy and ask to be white-listed or given less restrictive limits for your authorized mail-senders

Big organizations like AOL, Google, MS and others will work with you to ensure your mail gets through. So if you send a million or more mail sessions per day to one domain, try to work out a mail-usage acceptance policy. They might do any of the following:
  •  1: reduce or eliminate any mail-sender grey-listing
  •  2: reduce or eliminate certain AS checks
  •  3: reduce or eliminate certain reputation throttling policies
  •  4: white-list your senders' addresses

8: Review all logs for any tell-tale signs like deferred or temporary bounces, or mail in dead queues

Yes, your "maillogs" and "mailqueues" will provide feedback on any potential mail problems. You should be monitoring these daily.
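One way to do that daily review, as an added example that is not part of the original post: count deferred and bounced deliveries per recipient domain and DSN code so that a receiver that has started throttling or blocking you stands out. It assumes Postfix-style delivery lines (the post does not name an MTA), and the log lines are constructed.

```python
import re
from collections import Counter

# Assumes Postfix-style delivery lines: to=<rcpt>, ..., dsn=x.y.z, status=...
DELIVERY = re.compile(
    r"to=<[^>]*@(?P<domain>[^>]+)>.*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+)"
)

def failures(lines):
    """Count deferred/bounced deliveries per (recipient domain, status, DSN)."""
    counts = Counter()
    for line in lines:
        m = DELIVERY.search(line)
        if m and m.group("status") in ("deferred", "bounced"):
            counts[(m.group("domain").lower(), m.group("status"), m.group("dsn"))] += 1
    return counts

def domains_to_review(lines, threshold=2):
    """Recipient domains with at least `threshold` failed deliveries."""
    per_domain = Counter()
    for (domain, _status, _dsn), n in failures(lines).items():
        per_domain[domain] += n
    return sorted(d for d, n in per_domain.items() if n >= threshold)

# Constructed log lines (hypothetical host, queue IDs and recipients).
SAMPLE_LOG = [
    "Feb 18 09:14:02 mx1 postfix/smtp[2211]: 4F1A2C0D3E: to=<a@example.net>, "
    "relay=mx.example.net[198.51.100.7]:25, delay=12, dsn=4.7.1, "
    "status=deferred (host said: 451 4.7.1 try again later)",
    "Feb 18 09:14:09 mx1 postfix/smtp[2212]: 4F1A2C0D3F: to=<b@Example.NET>, "
    "relay=mx.example.net[198.51.100.7]:25, delay=15, dsn=4.7.1, "
    "status=deferred (host said: 451 4.7.1 try again later)",
    "Feb 18 09:15:30 mx1 postfix/smtp[2213]: 4F1A2C0D40: to=<c@example.org>, "
    "relay=mx.example.org[198.51.100.9]:25, delay=1, dsn=2.0.0, "
    "status=sent (250 2.0.0 OK)",
    "Feb 18 09:16:41 mx1 postfix/smtp[2214]: 4F1A2C0D41: to=<d@example.com>, "
    "relay=mx.example.com[203.0.113.5]:25, delay=2, dsn=5.7.1, "
    "status=bounced (host said: 550 5.7.1 sender address listed)",
    "Feb 18 09:20:00 mx1 postfix/qmgr[900]: 4F1A2C0D3E: removed",
]

if __name__ == "__main__":
    for key, n in failures(SAMPLE_LOG).most_common():
        print(n, *key)
    print("review:", domains_to_review(SAMPLE_LOG))
```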

9: Ensure you meet all common practices for mail-senders
  •  (DNS) PTR installed
  •  (DNS) FQDN matches PTR
  •  Ensure your MTA uses a proper EHLO/HELO
  •  Avoid differences between the mail-reply and mail-from headers
  •  Proper mail header creation
  •  Mail data envelope size is conservative (yes, don't try to send a 200 MB attachment, and watch the number of mail headers you add to a mail message... bigger is not always better)
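The first three items above can be checked mechanically. This added example (not from the original post) verifies that a sender's IP has a PTR record, that the PTR name resolves back to the same IP, and that the EHLO name equals the PTR name; requiring an exact EHLO match is a deliberately strict assumption. The lookup tables and host names are constructed.

```python
import socket

def _ptr(ip):
    return socket.gethostbyaddr(ip)[0]          # PTR target

def _addrs(name):
    return socket.gethostbyname_ex(name)[2]     # list of IPv4 addresses

def table_lookup(table):
    """Offline stand-in for DNS: raises OSError when the key is missing."""
    def look(key):
        if key not in table:
            raise OSError("no such record: %s" % key)
        return table[key]
    return look

def sender_dns_problems(ip, helo_name, ptr_lookup=_ptr, a_lookup=_addrs):
    """Return a list of findings; an empty list means the checks passed."""
    try:
        ptr = ptr_lookup(ip).rstrip(".").lower()
    except OSError:                              # herror/gaierror are OSError
        return ["no PTR record for %s" % ip]
    problems = []
    try:
        forward = a_lookup(ptr)
    except OSError:
        forward = []
    if ip not in forward:
        problems.append("PTR %s does not resolve back to %s" % (ptr, ip))
    if helo_name.rstrip(".").lower() != ptr:
        problems.append("EHLO name %s differs from PTR %s" % (helo_name, ptr))
    return problems

# Constructed records using documentation address ranges.
PTRS = {"192.0.2.25": "mail.example.org.", "192.0.2.26": "host26.isp.example"}
ADDRS = {"mail.example.org": ["192.0.2.25"], "host26.isp.example": ["198.51.100.9"]}

if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.example.org"), ("192.0.2.26", "localhost")]:
        print(ip, sender_dns_problems(ip, helo, table_lookup(PTRS), table_lookup(ADDRS)))
```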

10: The final and most important tip: don't send SPAM

Yes, what this means: if you use mail for intended recipients, in a conservative manner, and do not send unsolicited mail, then you will most likely never get on an RBL.

I can't even tell you the number of times a remote party has emailed or called me to ask why we are not accepting any mail from them.

If you get on an RBL, there's probably a good reason: you probably have something out of whack, or you deserved to be listed on the RBL. So don't blow off the RBL listing and blindly request a removal. Fix the issues and re-monitor the address.

Also, don't blame the RBL maintainers. I had a gentleman threatening to fly to my location and beat/shoot me because an RBL I was working with had flagged his addresses as possible senders of SPAM (he was an open relay, btw).

Yes, keep this thought in mind: "The RBL DOES NOT BLOCK YOU. The recipient mail gateway that you're sending mail to is BLOCKING YOU."

The RBL listing is nothing more than a suggestion, based on analysis, feedback and reports from numerous recipients that you are SENDING SPAM or have an open mail relay.

Fix the damn problem!

I hope these 10 tips help you have a happy mail-sending experience.

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
       /     \

1 comment:

  1. Been using AVG protection for a couple of years, I recommend this product to all of you.