NTYC.NET

The Bare Bones Place. For those that need more than bare bones service, at a bare bones price!




SPAM and Intrusion Information

Our Incoming Spam Policy

With the constant acceleration of the distribution of unsolicited email, known as UCE, UBE, or simply SPAM, we have instituted some pretty extreme measures to limit the amount of SPAM getting through our servers, as well as system intrusion attempts. 

Prior to August 2011, we were blocking entire countries from our mail server.  This has proved to be more of a problem, with network addresses being added and changed frequently.  Although more labor intensive, we have decided to use "Realtime Black Listing" (RBL) to block mail from notorious SPAMMERS.

 

SpamAssassin has been installed and implemented to filter out email that contains common methods and signatures of spammers, using a scoring method.  This will never guarantee you will never get SPAM, but it will surely filter a good majority.  We are also in the process of creating a fairly easy method so our users can maintain their own white lists and black lists without affecting the service of other users.

SpamAssassin has been in use on our mail servers for a few years, and I can personally attest that I haven't had one message flagged as SPAM that was from a legitimate source or a false positive.  Therefore, our policy has changed from modifying the subject line to identify a message as suspected SPAM and delivering it to your mailbox, to simply deleting the mail as it's flagged.  Once our user-based interface is installed, you can override the way SPAM is handled for your own mailbox.

Our Intrusion Policy

After analyzing our server log files for many years, some recurring intrusion attempts have been shown to display some common methods.  Rather than spending tons of money on commercially available intrusion detection systems, I have applied a very simple solution that seems to work quite well.  It doesn't stop all attempts, but stops the most common methods of "brute force attacks".

Unfortunately, this could lead to some problems for our web and domain users.  You have only 1 attempt at accessing your web via ftp or secure shell access (simple telnet is not available on our systems).  If for some reason you misspell your user id or password, your IP Address will be blocked.  Currently, I have to manually reset this, but a semi-automated method will be implemented after the first of next year.
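The one-strike rule described above, sketched as an added example (not NTYC.NET's own code): it scans constructed log lines and lists the source addresses that a given failure threshold would block. The OpenSSH sshd and vsftpd log formats are assumptions, since the page does not name its daemons, and the function names, the threshold parameter and the never_block exemption list are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Assumed log formats (the page does not name its daemons): OpenSSH sshd, vsftpd.
# Patterns are anchored at end of line so the address is read from the
# daemon-written tail of the message, not from the user-name field.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"),
    re.compile(r'FAIL LOGIN: Client "([^"]+)"$'),
]

def failed_sources(lines):
    """Count failed logins per source address; unparsable addresses are skipped."""
    counts = Counter()
    for line in lines:
        for pattern in FAILURE_PATTERNS:
            m = pattern.search(line.rstrip())
            if m:
                try:
                    counts[ipaddress.ip_address(m.group(1))] += 1
                except ValueError:
                    pass  # hostname or garbage where an address was expected
                break
    return counts

def addresses_to_block(lines, threshold=1, never_block=()):
    """Addresses with at least `threshold` failures, minus exempt networks."""
    exempt = [ipaddress.ip_network(n) for n in never_block]
    hits = [ip for ip, n in failed_sources(lines).items()
            if n >= threshold and not any(ip in net for net in exempt)]
    return sorted(hits, key=lambda ip: (ip.version, int(ip)))

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    "Aug  3 02:14:07 host sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 52144 ssh2",
    "Aug  3 02:14:09 host sshd[4121]: Failed password for root from 203.0.113.45 port 52150 ssh2",
    "Aug  3 08:30:12 host sshd[5230]: Accepted password for alice from 198.51.100.7 port 40022 ssh2",
    "Aug  3 08:41:55 host sshd[5301]: Failed password for alice from 198.51.100.7 port 40100 ssh2",
    'Wed Aug  3 09:02:31 2011 [pid 6110] [bob] FAIL LOGIN: Client "192.0.2.19"',
]

if __name__ == "__main__":
    # threshold=1 is the one-attempt policy; alice's single typo gets her blocked too.
    for ip in addresses_to_block(SAMPLE_LOG, threshold=1):
        print(ip)
```

With threshold=1 the customer address 198.51.100.7 lands on the list after a single mistyped password, which is the lockout the policy warns about; raising the threshold or passing known customer networks in never_block removes it.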

Update - August 2011

With the accelerated sending of SPAM, UCE, and phishing and Trojan attacks, we have created an RBL (Realtime BlackList) of IP Addresses, and associated IP Addresses of offending email hosts, providers, and in some instances, entire networks.

For those that are technically minded, we use a few monitoring services to track and determine the reputation of these hosts and providers.

http://www.senderbase.org, http://bgp.he.net and a few others.

We have found that more than 60% of all mail received by our servers is rejected by SpamAssassin.  This is in the range of tens of thousands of connections per day to our mail servers.  The downside of this is that for each connection, our servers are receiving the mail and in many cases, SpamAssassin has to make an inquiry to its master list, which uses our bandwidth and slows our system.  Also, all connections to our mail servers are logged, whether mail is blocked, rejected or received.  When an incoming email is flagged as SPAM or HAM (HAM doesn't score as SPAM, but in most cases proves to be SPAM), a secondary list is created and analyzed.

Regarding Senderbase, any mailhost that has a reputation score of "Poor" or "Neutral" is further investigated, and depending on their network/provider, we will block (or reject) entire domains, subnets and/or networks.  A particular host's address status may change on a weekly or monthly basis, but once blocked in our list, they stay blocked!

As we create our RBL, we will attempt to add them to our "Blocked Addresses" page, as well as a list of statistics of our mail server activity regarding total mail server connections, confirmed SPAM, possible HAM, and supposed legitimate email.  Keep in mind that mail marked as "legitimate" may still be SPAM that didn't score high enough to be rejected.



Copyright © 2009 - 2011 Personal Software Systems, All Rights Reserved
No part of this site may be copied in any way without our express written permission