YOU ARE AN ISP AND YOUR NET RANGE GOT
We really feel sorry for you because this should not happen to respectable
professional ISPs, and we do our best to prevent this.
Here are 4 things that we recommend in order to stay off the UCEPROTECT-Blacklists and the Backscatterer List:
1. Do not use abusive techniques on your systems, and also tell your customers with their own servers not to do so.
The following techniques are considered abusive, even though some seem to have become very popular.
Sender callouts (also known as Sender Verify or SAV) or any other kind of
Simply use common sense before turning on any new technique. If a technique
or procedure makes your system capable of becoming part of a DDoS against others,
then you should not use it.
2. Ensure that large amounts of garbage cannot be sent through your mailservers / smarthosts.
Spammers will always try to send millions of emails for it to be worthwhile; it
is a numbers game for them. On the other hand, you will not find many end users
with a genuine need to send more than a few hundred, or at most a few thousand,
emails per day per account.
Therefore it is advisable to establish appropriate transmission limits on all
smarthosts. Users who have demonstrated that they do not abuse your infrastructure,
and who claim to have a higher need, can easily be given higher limits or even
A much better approach is to detect abusers by monitoring your outbound mailservers' logs with automated scripts.
It is very unlikely that regular users will send email to more
than 10 undeliverable recipients per hour.
Users sending email to multiple undeliverable addresses within a short time
frame are almost always spammers; therefore you should shut down those accounts
automatically and promptly.
UCEPROTECT appliances and software have that feature, but it should not be a big deal for any experienced Unix admin to build something similar: a simple script that monitors the SMTP log and interacts with a database.
Use e.g. MySQL and define a database table in which every entry is counted down by 1 per hour and removed once its counter reaches 0.
Now let your script monitor your outgoing mail log and add a score of +1 for every user who manages to send a mail that results in a 550 "No such user" at the target system.
As soon as a user reaches a score of 10, temporarily disable his SMTP access by answering him with 450 errors.
What will happen then?
If a well-behaved user just misspelled an email address, nothing will happen: he will get a counter of 1 in your database for the next hour, nothing else.
If a spammer sends his crap, he will have tons of invalid addresses in his database, so he will exceed your limit within seconds or at most minutes, and then he will no longer be able to send mail for an hour.
After an hour his counter goes back to 9 and he can send emails again, but that will not help the spammer, because he will almost immediately get to 10 again by sending mail to the next invalid user, resulting in another hour of waiting ...
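The counter described above, written out as an added example (this is not UCEPROTECT's software, nor code from the page). It assumes a constructed log line format for the smarthost, uses an in-memory SQLite table in place of the MySQL table the text suggests, and computes the "count down 1 per hour" rule from the log timestamps instead of a cron job; the wording it matches for "No such user" bounces is an assumption, since real target systems phrase the 550 differently.

```python
import re
import sqlite3
from datetime import datetime, timedelta

DISABLE_AT = 10        # score at which the account loses SMTP access (450 replies)
DECAY_PER_HOUR = 1     # the page's rule: every entry is counted down by 1 per hour
HOUR = timedelta(hours=1)

# Constructed (hypothetical) log format of the smarthost; real MTAs differ:
#   <ISO-8601 time> user=<login> rcpt=<address> status=<SMTP code> <server text>
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) rcpt=\S+ status=(?P<code>\d{3}) (?P<text>.*)$")
# Assumed wordings of a "No such user" rejection from the target system
UNKNOWN_USER = re.compile(r"no such user|user unknown|5\.1\.1", re.IGNORECASE)


def open_store():
    """SQLite stand-in for the MySQL table the page suggests (in-memory for the demo)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE score (user TEXT PRIMARY KEY, "
               "score INTEGER NOT NULL, since TEXT NOT NULL)")
    return db


def _load(db, user, now):
    """Return (score after the hourly count-down, start of the current hour).
    Entries whose counter reaches 0 are removed, as the page describes."""
    row = db.execute("SELECT score, since FROM score WHERE user = ?", (user,)).fetchone()
    if row is None:
        return 0, now
    score, since = row[0], datetime.fromisoformat(row[1])
    hours = max(0, (now - since) // HOUR)   # never count up on out-of-order log lines
    score -= hours * DECAY_PER_HOUR
    since += hours * HOUR                   # keep the unused remainder of the hour
    if score <= 0:
        db.execute("DELETE FROM score WHERE user = ?", (user,))
        return 0, now
    return score, since


def record(db, line):
    """Feed one outbound log line. Returns the user's new score if the line was a
    550 'No such user' bounce from the target system, otherwise None."""
    m = LINE.match(line)
    if not m or m.group("code") != "550" or not UNKNOWN_USER.search(m.group("text")):
        return None
    now = datetime.fromisoformat(m.group("ts"))
    score, since = _load(db, m.group("user"), now)
    score += 1
    db.execute("INSERT OR REPLACE INTO score VALUES (?, ?, ?)",
               (m.group("user"), score, since.isoformat()))
    return score


def score_of(db, user, now_iso):
    """Current counter of a user at the given time (ISO-8601 string)."""
    return _load(db, user, datetime.fromisoformat(now_iso))[0]


def smtp_reply(db, user, now_iso):
    """Reply the smarthost should give when this user tries to submit mail."""
    if score_of(db, user, now_iso) >= DISABLE_AT:
        return "450 4.7.1 Too many undeliverable recipients, try again later"
    return "250 OK"


if __name__ == "__main__":
    db = open_store()
    # constructed sample: one mistyped address versus a spammer's address list
    record(db, "2024-01-01T08:00:00 user=alice rcpt=bob@example.invalid status=550 5.1.1 No such user")
    for i in range(DISABLE_AT):
        record(db, f"2024-01-01T08:00:{i:02d} user=mallory rcpt=x{i}@example.invalid status=550 5.1.1 No such user")
    print("alice  ", smtp_reply(db, "alice", "2024-01-01T08:30:00"))
    print("mallory", smtp_reply(db, "mallory", "2024-01-01T08:30:00"))
    print("mallory", smtp_reply(db, "mallory", "2024-01-01T09:00:05"))
```

In production the script would tail the live log and the 450 decision would be taken by the MTA (for example via a policy lookup against the same table); the hour is measured from the first bounce of the current hour rather than from the last one, so a spammer who is released at score 9 is back at 10 with his very next invalid recipient, exactly as the text describes.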
Furthermore it should be no problem to filter all outgoing emails for viruses or other malware on each smarthost.
3. Ensure that your dynamic / dialups / homeusers cannot be abused as spam zombies.
Block all outgoing connections from dynamic / dial-up / home-user clients to destination port 25/TCP anywhere on the Internet if the destination is not one of your mail relays / smarthosts, and
force them to connect to your mail relays / smarthosts or to SMTP submission instead.
Then, if a user's computer becomes infected by malware, propagation will be
impossible or at least contained very quickly.
This way, any damage stays within limits and it will be unlikely that blacklists become aware of your system.
Your home users will not be affected by this, because they can still use external mail systems via the SMTP submission port 587, which has been in common use for 10 years now.
For details about SMTP submission on port 587 see RFC 2476, which was published in 1998 and which is supported by almost all freemailers and webmail services around the globe.
There is no logical reason why a home user with a dynamic IP should be able to connect to destination port 25 outside your networks, other than allowing spammers to abuse his computer as a spambot.
DSL and cable providers that fail to block connections from their home users to destination port 25 are almost always at risk of ending up in our Level 3, which means all their IPs will be blacklisted and therefore they will run into trouble with their business customers too.
Please also read the information at MAAWG on why to block port 25.
4. Get a clue about new customers, secure your servers, and prevent open relays and open proxies at your dedicated-line customers
and at customers with static IP addresses.
Check your new customers before giving them complete /24 nets.
Use public databases such as http://www.domaintools.com to check the history of your new customers' domains.
If they had multiple other hosters within a short time frame before, or if they have multiple brand-new domains, then you should be very careful before allowing them to send unlimited emails.
If you are running a datacenter, then secure your servers so that even dumb customers cannot get hacked so easily.
A good way to achieve this is to install ModSecurity on all servers.
ModSecurity is free and, if configured well, it can prevent the usual attacks against unpatched servers running insecure scripts.
You can get ModSecurity here: http://www.modsecurity.org
Examine the IP addresses of customers with 'statics' regularly (e.g. weekly)
with automated scripts for known weaknesses. Temporarily shut down those IP addresses
that you find to have exploitable security holes that can lead to email abuse.
You will immediately have less work in your abuse department and fewer problems
In the long term this will also maximize your profits...
We all know that you do not earn money with a flat-rate customer if his/her
computer is busy 24/7 dispatching spam, viruses and worms to the world...
If you are actively preventing his/her computer from sending the crap, it is
very unlikely that this customer will be able to send the traffic in other ways
Note that, if every service provider worked in this way, there could not
be a spam or virus problem on this planet.
If you need technical assistance on making your network unattractive for
spammers, or if you still search for a really efficient spam protective system
for your infrastructure, do not hesitate to contact us.
We strongly recommend that you also read and follow the suggestions of the Anti-Spam Technical Alliance (ASTA), which can be obtained from its founding members:
AOL, Earthlink, Microsoft, Yahoo!, or you can download the ASTA information here at UCEPROTECT-Network.