How-To: Reduce Image Spam by Using Dynamic IP Blocklists

Product: All

Version & Build: 5.20+


Problem:  Image-based spam is getting through the scanning engine

Explanation: Spammers keep adopting new techniques to camouflage their messages.  We respond to each of these as quickly as possible, but the cat-and-mouse game continues: whenever we issue a countermeasure, spammers come out with something to counter it.


Workaround: Use Dynamic IP Blocklists

Most spam originates from compromised home computers (bots), which are collectively controlled by a single entity (a botnet).  These machines are compromised through Windows vulnerabilities exploited by malware authors, after which they act as open proxies on unusual ports that ISPs do not usually block.  Legitimately, a home computer should only ever submit mail as its own user, through a mail server it authenticates to; it should not be delivering mail directly to other sites' port 25.

There are blacklists that list the IP ranges ISPs use to hand out dynamic addresses to end-users.  A notable dynamic IP range list (DUL) is operated by sorbs.net.

In the past, customers have been reluctant to use these blacklists for two reasons:

a) Their own IP blocks may be listed

b) Their connectivity providers (virtual ISPs) may have their IP ranges listed

However, in Modus 4.35.480 we added an option to wait until the AUTH LOGIN (SMTP Authentication) has completed before the RBL check kicks in.  Therefore, if your users already use SMTP Authentication to relay through you, they will not be blocked even when they connect from a listed IP.

It has become much safer to use dynamic IP-based blacklists.  To enable them:

  • Open the Modus Console
  • Go to Security – Real-time Blacklists
    • Enable Perform a lookup for the SMTP host in the Real-Time Blacklist
  • Click on IP Exclusion
    • Enter your own IP ranges (and those of any connectivity providers that relay through you)
  • Leave Reject connection immediately if the host is blacklisted unchecked (an immediate rejection happens before AUTH can take place, which defeats the next setting)
  • Enable Perform RBL check after mailbox authentication
  • Click on RBL Servers
    • Add dul.dnsbl.sorbs.net
      • If you're feeling adventurous, you could use the aggregate zone dnsbl.sorbs.net instead; it includes SORBS' other lists as well as the DUL, so it blocks more but carries a higher false-positive risk
  • Click Apply
  • Stop and start the SMTPRS service under System - Services

With these changes, more spam should be blocked, including image-based spam.  If an end-user cannot send mail through your server as a relay, add their IP address or IP range (a /24, the old "class C") to the IP exclusions list.  Prefer fixing the client to use SMTP Authentication where you can: every dynamic range you exclude is a range whose bots can once again deliver to you unchecked.
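As an added example (not Vircom's code, and not how Modus implements the feature internally), the following Python models the policy the steps above configure: the RFC 5782-style query name built from the connecting IP, the IP Exclusion list, and the difference between rejecting at connect and deferring the check until after the AUTH point.  The DNS resolver is injectable so the block runs offline; the listing table is constructed, the 127.0.0.10 return code is an assumption taken from SORBS' published code list, and `live_lookup` is the drop-in for real queries.  Every IP, label and function name here is illustrative.

```python
"""Deferred (post-AUTH) DNSBL check with IP exclusions.

Added example, not Vircom's code.  DNS is injectable, so this runs offline
against a constructed listing table; pass live_lookup to query real zones.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

DUL_ZONE = "dul.dnsbl.sorbs.net"        # zone named in the article
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """RFC 5782 query form: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answers: Optional[List[str]]) -> bool:
    """Any A record inside 127.0.0.0/8 is a listing; NXDOMAIN (None) is not."""
    return any(ipaddress.IPv4Address(a) in LISTED_NET for a in (answers or []))


def live_lookup(name: str) -> Optional[List[str]]:
    """Real A lookup through the system resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


# Constructed stand-in for DNS (query name -> A records).  127.0.0.10 is used
# because it is SORBS' documented "dynamic IP" code; that mapping is an
# assumption about the live service, not something the article states.
FAKE_DNS = {
    dnsbl_query_name("203.0.113.77", DUL_ZONE): ["127.0.0.10"],
    dnsbl_query_name("198.51.100.9", DUL_ZONE): ["127.0.0.10"],
}


def fake_lookup(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name)


@dataclass
class RblPolicy:
    zones: List[str]
    exclusions: List[str]               # CIDRs from the console's IP Exclusion list
    check_after_auth: bool = True       # "Perform RBL check after mailbox authentication"
    lookup: Resolver = fake_lookup

    def excluded(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return any(addr in ipaddress.IPv4Network(c, strict=False) for c in self.exclusions)

    def listed_in(self, ip: str) -> Optional[str]:
        """First configured zone that lists ip, or None."""
        for zone in self.zones:
            if is_listed(self.lookup(dnsbl_query_name(ip, zone))):
                return zone
        return None


def decide(policy: RblPolicy, client_ip: str, authenticated: bool, stage: str) -> str:
    """Verdict ("accept"/"reject") at one point in the SMTP dialogue.

    stage is "connect" (before the banner) or "mail" (at MAIL FROM, i.e. after
    the point where AUTH LOGIN would have been issued).  With the deferred
    policy, "accept" at connect only means the session is held open.
    """
    if policy.excluded(client_ip):
        return "accept"                 # your own or your providers' ranges
    if policy.check_after_auth:
        if stage == "connect":
            return "accept"             # deferred: no lookup yet
        if authenticated:
            return "accept"             # a relaying user on a listed dynamic IP
    return "reject" if policy.listed_in(client_ip) else "accept"


def simulate(policy: RblPolicy, sessions: List[tuple]) -> List[tuple]:
    """Run (label, ip, authenticated) sessions up to MAIL FROM.  After rollout,
    the rejected unauthenticated rows are the ones to investigate: fix the
    client's AUTH first, exclude its range only as a last resort."""
    report = []
    for label, ip, authed in sessions:
        verdict = decide(policy, ip, authed, "connect")
        if verdict == "accept":
            verdict = decide(policy, ip, authed, "mail")
        report.append((label, ip, authed, verdict))
    return report


if __name__ == "__main__":
    policy = RblPolicy(zones=[DUL_ZONE], exclusions=["203.0.113.0/24"])
    for row in simulate(policy, [
        ("office LAN, excluded /24", "203.0.113.77", False),
        ("bot on a listed dynamic IP", "198.51.100.9", False),
        ("roaming user, AUTH ok", "198.51.100.9", True),
        ("ordinary remote MX", "192.0.2.5", False),
    ]):
        print(row)
```

Setting `check_after_auth=False` reproduces the "Reject connection immediately" behaviour: the lookup runs at connect, so an authenticating user on a listed dynamic IP is refused before AUTH is ever offered, which is exactly why the how-to leaves that box unchecked.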


Caveats:

With this configuration, the connection stays open longer for each IP that hits the machine on port 25, because the listing decision is deferred until after the AUTH point instead of being made at connect.  It is important, then, to monitor things carefully after enabling this feature to see whether users experience problems sending mail through your server (as a relay).

This configuration requires that people who send mail through your server do so with SMTP Authentication: any user who relays without authenticating from a listed dynamic IP will be rejected.  If this is not the case for your particular user-base, you should not implement this how-to unless you are sure that the majority of your users use SMTP Authentication.

Modified 11/28/2014
Keywords: bot botnet SMTP auth blacklist RBL
Article ID: 1526