Alleviating Spam – Best Practices

 

Product: All

Version & Build: All

 

 

This article describes how to optimize your modus server configuration to prevent as much spam as possible from entering your system.  This article assumes that modus is the mail entry point so that it sees the IP addresses of the external sending mail servers.  It also assumes you do not have a gateway in front of the modus server, pre-filtering mail, as it would show mail as coming from the gateway IP address.

 

 

Open the modus Administration Console to configure the following:
 
Security – Properties – DNS Blacklists (DNSBL)

 

  • Enable Perform a lookup for the SMTP host in the Real-Time Blacklist
  • Click on RBL Servers and enter the following:
    • sbl-xbl.spamhaus.org
    • bl.spamcop.net
    • See below for additional RBLs 
  • Ensure that Reject connection immediately if the host is blacklisted is not enabled
  • Enable Perform RBL check after mailbox authentication
  • Set the Cache values to 9000 (lookup results) and 240 (minutes)
  • Click on IP Exclusion and enter the IP addresses for all of your IP blocks
    • E.g. 10.10.10.0/24, 10.10.20.0/20, 10.10.30.25, etc.
  • Click on Apply

 

Least Aggressive RBL Combination

 

sbl.spamhaus.org        known spam sources only
cbl.abuseat.org         composite block list

           

  

Moderately Aggressive RBL Combination


sbl-xbl.spamhaus.org    combination of sbl & xbl
cbl.abuseat.org         composite block list
dul.dnsbl.sorbs.net     dynamic ranges
bl.spamcop.net          spamcop block list

 

Very Aggressive RBLs 


zen.spamhaus.org        includes sbl, xbl + pbl
cbl.abuseat.org         composite block list
dnsbl.sorbs.net         full sorbs zone
bl.spamcop.net          spamcop block list

  • Warning: using the Perform RBL Check after mailbox authentication function keeps the connection open longer
  • If you are not an ISP/xSP or you do not have dynamic IP range provisioning for your users, it may be better to reject the connection immediately
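
How the DNSBL settings above fit together (zone list, IP exclusion, result cache), shown as an added Python example; this is not modus code. It handles IPv4 only, and the `DnsblChecker` class, its helper names and the injectable `resolver` and `clock` parameters are assumptions made for the illustration.

```python
import ipaddress
import socket
import time

# Zones from the "Moderately Aggressive" combination in this article.
ZONES = ["sbl-xbl.spamhaus.org", "cbl.abuseat.org",
         "dul.dnsbl.sorbs.net", "bl.spamcop.net"]
CACHE_MAX, CACHE_TTL = 9000, 240 * 60   # 9000 lookup results, 240 minutes


def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listing(answer):
    """Listings are 127.0.0.0/8 answers; Spamhaus uses 127.255.255.x for query errors."""
    return answer.startswith("127.") and not answer.startswith("127.255.255.")


def system_resolver(name):
    """Return the A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


class DnsblChecker:
    def __init__(self, zones, exclusions, resolver=system_resolver, clock=time.time):
        # strict=False accepts the article's 10.10.20.0/20 (read as 10.10.16.0/20 here;
        # how modus itself reads such an entry is not stated in the article).
        self.excluded = [ipaddress.ip_network(e, strict=False) for e in exclusions]
        self.zones, self.resolver, self.clock = zones, resolver, clock
        self.cache = {}   # ip -> (expiry time, zones that listed it)

    def check(self, ip):
        """Return the zones that list ip; excluded addresses are never queried."""
        if any(ipaddress.ip_address(ip) in net for net in self.excluded):
            return []
        hit = self.cache.get(ip)
        if hit and hit[0] > self.clock():
            return hit[1]
        listed = [z for z in self.zones
                  if any(is_listing(a) for a in self.resolver(dnsbl_name(ip, z)))]
        if len(self.cache) >= CACHE_MAX:
            self.cache.pop(next(iter(self.cache)))   # evict the oldest inserted entry
        self.cache[ip] = (self.clock() + CACHE_TTL, listed)
        return listed
```

An answer in 127.255.255.x from a Spamhaus zone means the query itself was refused or malformed, so treating every 127.x answer as a listing would flag legitimate senders.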

For a good list of comparative RBLs, use this link:
http://www.sdsc.edu/~jeff/spam/cbc.html

If you want to completely block specific countries from sending you mail, information can be found here:
http://www.emailsecuritymatters.com/site/blog/best-practices/country-based-blocking/

 

Security – Properties – Connection Limits

 

  • Maximum simultaneous connection rate allowed for the same IP: enter 5
  • Total number of simultaneous connections allowed from the same IP: enter 5
  • Click on Apply

 

 

Security – Properties – Trusted Address List

 

  • Under SMTP Security Trusted Address, click on IP Address
  • Enter the IP addresses for all of your IP blocks
    • E.g. 10.10.10.0/24, 10.10.20.0/20, 10.10.30.25, etc.
  • Click on Apply
NOTE: These options tell modus to do connection-level verification for messages originating from the specified IPs or IP blocks. It does not prevent content filtering. It only prevents RBL checking or throttling by "Block Scan Attack" or "Connection Limits," etc., from being applied to the specified addresses.
 
 

Security – Properties – SMTP Security

 

  • Check Enable SMTP Authentication
  • Enable the following:
    • Do not advertise SMTP AUTH for these
      • In the IP Address list, enter the following 2 items: !127.0.0.1 (the ! denotes "not") and *.*.*.*

    • Force usage of fully qualified addresses in SMTP commands
    • Reject malformed addresses
    • Validate sender addresses
      • Set the Cache Size to 9000 entries
      • Set Keep in cache for 240 minutes
  • Click on Apply

 

 

Security – Properties – Block Scan Attack

 

  • Ensure that Enable Scan Attack Blocking is checked
  • Click on Slowdown the IP Connections
  • Disable Force a slowdown on IP connections and Close
  • Click on Block IP Addresses
  • Block IP for 240 minutes
  • Check After the number of invalid recipients reach and set the value to 3
  • Click on Close
  • Set the Cache values to 9000 (lookup results) and 240 (minutes)
  • Click on Apply

 

 

Security – Properties – Sender Reputation (or Sender Validation & Accreditation in earlier versions)

 

  • Enable Sender Reputation System
  • The recommendation is to quarantine messages with a 'bad' SRS reputation
    • Results are updated every 5 minutes
    • This option protects you from newly detected spam waves, and quickly delists IPs that have been removed from botnets
  • Enable SPF Support
  • Click on Apply
  • An SPF record is not required for this feature
  • Optionally, you could enable Perform a look up for the SMTP host in DNS
    • This is a reverse DNS lookup on the IP address of the sending server to check if it has a reverse PTR record
    • Historically, enabling this option caused more false-positives because many legitimate mail servers did not have reverse zones
    • However, as spam increases, more companies are turning this feature on, despite the risk
    • Most spam originates from IP addresses that are used for dynamic IP allocation which do not have a reverse PTR record (i.e. DSL or cable modem users with infected zombie machines)
    • Enabling this can be risky but will alleviate spam problems considerably – use with caution

Other articles of interest concerning reverse DNS
 
 


Spam – Preferences – Options


  • Set the Spam Scanning Level to Extreme
  • Click on Apply

 

 

Rules – Performance – Enable Attachment Size Verification
 
  • Do not scan messages with attachments greater than X kilobytes
    • This is a misnomer: it’s actually the message size that counts
    • The default size in recent modus versions is 950 kilobytes, but we recommend using a smaller size: 350 kilobytes
 
 

System – Properties – Services

 

  • Stop and restart:
    • SMTPRS
    • MODUSCAN


IMPORTANT SAFETY TIP

It is important that you never whitelist your own domain at the global or user level. It is also important that end-users never whitelist their own email addresses.

This is because spammers are in the habit of forging your domain in the “From” field. If you whitelist yourself, any email from yourself to yourself will be whitelisted whenever a spammer forges your domain in the header “From” field.

Note that version 5.0 will automatically check for and ignore self-whitelisted addresses to ensure that the content undergoes spam scanning, to prevent potential abuse of your system. 
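
The risk described above, and a check in the spirit of the version 5.0 behaviour, as an added Python example; it is not modus code and only approximates that check. The whitelist entry formats (`user@domain`, `*@domain`, `@domain`, bare `domain`), the function names and the `example.com` local domain are assumptions, and the message is a constructed sample.

```python
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

LOCAL_DOMAINS = {"example.com"}   # assumption: the domains this server hosts


def as_pattern(entry):
    """Normalise a whitelist entry (user@d, *@d, @d or bare d) to an address pattern."""
    entry = entry.strip().lower()
    if "@" not in entry:
        return "*@" + entry
    return "*" + entry if entry.startswith("@") else entry


def split_whitelist(entries, local_domains=LOCAL_DOMAINS):
    """Return (kept, ignored); an entry is ignored when it covers a local domain."""
    kept, ignored = [], []
    for entry in entries:
        domain_pat = as_pattern(entry).rpartition("@")[2]
        covers_local = any(fnmatchcase(d, domain_pat) for d in local_domains)
        (ignored if covers_local else kept).append(entry)
    return kept, ignored


def from_is_whitelisted(raw_message, entries):
    """True when the header From address matches any whitelist entry."""
    sender = parseaddr(message_from_string(raw_message)["From"] or "")[1].lower()
    return any(fnmatchcase(sender, as_pattern(e)) for e in entries)


# Constructed sample: delivered from an outside host, header From forged as local.
FORGED = (
    "Received: from mail.invalid ([203.0.113.9])\n"
    "From: IT Support <helpdesk@example.com>\n"
    "To: alice@example.com\n"
    "Subject: Mailbox quota\n"
    "\n"
    "Constructed body.\n"
)

if __name__ == "__main__":
    raw = ["example.com", "bob@example.com", "news@partner.example.org"]
    kept, ignored = split_whitelist(raw)
    print("ignored:", ignored)
    print("forged mail whitelisted before:", from_is_whitelisted(FORGED, raw))
    print("forged mail whitelisted after: ", from_is_whitelisted(FORGED, kept))
```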

 

 

 

 

Modified 2/10/2017
Keywords: spam rbl connections cache reverse dns
Article ID: 1553