Tuesday, March 26, 2013

Hello or good-bye! (email refresher)

This post talks about the basic antispam protection that takes place before anything else in the SMTP session. A proper and legit mailer will present a valid FQDN that resolves.

Here's what's considered general best mail practice:

  • upon connection, if the domain given in the sender's HELO/EHLO is not a fully qualified domain name = REJECT
  • if no HELO/EHLO is sent = REJECT
  • if the domain name given does not resolve = REJECT

Here's a snippet of bad senders from my mail gateway:

2013-03-26,00:25:13,log_id=0300002085,type=spam,pri=information,session_id="r2Q5PDQq002084-r2Q5PDQr002084",client_name="1-163-25-112.dynamic.hinet.net [1.163.25.112]",dst_ip="10.150.252.150",from="f5470b3@noetzelnet.de",to="",subject="",msg="Invalid ehlo/helo domain. ( user )"
2013-03-26,00:24:55,log_id=0300002083,type=spam,pri=information,session_id="r2Q5Oscn002082-r2Q5Osco002082",client_name="121.247.65.175.static.pune.vsnl.net.in [121.247.65.175] (may be forged)",dst_ip="10.150.252.150",from="f2ab12cdf@sheldonpg.com",to="",subject="",msg="Invalid ehlo/helo domain. ( 121.247.65.175.static.pune.vsnl.net.in )"
2013-03-26,00:22:23,log_id=0300002079,type=spam,pri=information,session_id="r2Q5MM9l002078-r2Q5MM9m002078",client_name="178.91.242.79.megaline.telecom.kz [178.91.242.79] (may be forged)",dst_ip="10.150.252.150",from="ramroddedawd92@afes.com",to="",subject="",msg="Invalid ehlo/helo domain. ( 178.91.242.79.megaline.telecom.kz )"
2013-03-26,00:20:32,log_id=0300002075,type=spam,pri=information,session_id="r2Q5KWx6002074-r2Q5KWx7002074",client_name="windsorcars.plus.com [80.229.179.201]",dst_ip="10.150.252.150",from="4265598@maps.by",to="",subject="",msg="Invalid ehlo/helo domain. ( dsldevice.lan )"

Yes, all of the above are bad senders: either the domain and IP address don't match, or the HELO name doesn't resolve at all. To give you an idea, my email filtering device picks up well over 99% of spam email attempts from just this check alone.
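To make the three rules concrete, here is an added example (my own illustration, not code from the original post or from the author's gateway) that applies them to the gateway log lines quoted above. It assumes the log is a comma-separated list of key=value pairs with double-quoted values, that the HELO argument is the text inside the parentheses of the msg field, and that DNS is reached through a pluggable resolver; the stub resolver table is constructed so the module runs offline, with a hypothetical legitimate sender mail.example.com at 192.0.2.10. An address literal in the HELO (which RFC 5321 permits) is accepted only when it equals the connecting IP, which is a choice made here, not something the post states.

```python
"""HELO/EHLO acceptance checks plus a parser for the gateway log lines above.
Added example, not part of the original post. DNS is behind a callable so the
module runs offline against a constructed stub table.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]  # hostname -> IPv4 answers ([] when none)

# RFC 1035/1123 label syntax: 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen. An FQDN here means two or more labels and a non-numeric TLD.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_LITERAL_RE = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def is_fqdn(name: str) -> bool:
    """Purely syntactic check: 'user' and 'host.123' fail, 'dsldevice.lan' passes."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or not _FQDN_RE.match(name):
        return False
    return not name.rsplit(".", 1)[-1].isdigit()


def helo_decision(helo: Optional[str], client_ip: str, resolve: Resolver) -> Tuple[str, str]:
    """Apply the post's three rules in order; returns (action, reason).

    A name that resolves but not to the connecting IP is still accepted and only
    flagged, since multi-homed MTAs legitimately do that.
    """
    if not helo or not helo.strip():
        return "REJECT", "no HELO/EHLO sent"
    helo = helo.strip()
    literal = _LITERAL_RE.match(helo)
    if literal:  # assumption: address literal is fine only if it is the client itself
        if literal.group(1) == client_ip:
            return "ACCEPT", "address literal matches client IP"
        return "REJECT", f"address literal {helo} does not match client IP {client_ip}"
    if not is_fqdn(helo):
        return "REJECT", f"not a fully qualified domain: {helo}"
    answers = resolve(helo)
    if not answers:
        return "REJECT", f"HELO domain does not resolve: {helo}"
    if client_ip not in answers:
        return "ACCEPT", f"resolves but not to client IP {client_ip} (mismatch, flag for scoring)"
    return "ACCEPT", "HELO is FQDN, resolves to client IP"


def parse_gateway_line(line: str) -> Dict[str, str]:
    """Split 'date,time,key=value,...' into a dict; quoted values may contain spaces."""
    date, time, rest = line.split(",", 2)
    fields = {"date": date, "time": time}
    for key, raw in _KV_RE.findall(rest):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def client_ip_of(client_name: str) -> Optional[str]:
    """Pull the bracketed IPv4 address out of a client_name value."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", client_name)
    return m.group(1) if m else None


def helo_from_msg(msg: str) -> Optional[str]:
    """The gateway echoes the offending HELO argument inside '( ... )'."""
    m = re.search(r"\(\s*(.*?)\s*\)", msg)
    return m.group(1) if m else None


# Constructed stub DNS table: only the hypothetical legitimate sender resolves.
STUB_DNS: Dict[str, List[str]] = {"mail.example.com": ["192.0.2.10"]}


def stub_resolve(name: str) -> List[str]:
    return STUB_DNS.get(name.rstrip(".").lower(), [])


def live_resolve(name: str) -> List[str]:
    """Real forward lookup for use outside tests (needs network)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# The four gateway lines from the post, verbatim.
SAMPLE_LOG_LINES = [
    '2013-03-26,00:25:13,log_id=0300002085,type=spam,pri=information,session_id="r2Q5PDQq002084-r2Q5PDQr002084",client_name="1-163-25-112.dynamic.hinet.net [1.163.25.112]",dst_ip="10.150.252.150",from="f5470b3@noetzelnet.de",to="",subject="",msg="Invalid ehlo/helo domain. ( user )"',
    '2013-03-26,00:24:55,log_id=0300002083,type=spam,pri=information,session_id="r2Q5Oscn002082-r2Q5Osco002082",client_name="121.247.65.175.static.pune.vsnl.net.in [121.247.65.175] (may be forged)",dst_ip="10.150.252.150",from="f2ab12cdf@sheldonpg.com",to="",subject="",msg="Invalid ehlo/helo domain. ( 121.247.65.175.static.pune.vsnl.net.in )"',
    '2013-03-26,00:22:23,log_id=0300002079,type=spam,pri=information,session_id="r2Q5MM9l002078-r2Q5MM9m002078",client_name="178.91.242.79.megaline.telecom.kz [178.91.242.79] (may be forged)",dst_ip="10.150.252.150",from="ramroddedawd92@afes.com",to="",subject="",msg="Invalid ehlo/helo domain. ( 178.91.242.79.megaline.telecom.kz )"',
    '2013-03-26,00:20:32,log_id=0300002075,type=spam,pri=information,session_id="r2Q5KWx6002074-r2Q5KWx7002074",client_name="windsorcars.plus.com [80.229.179.201]",dst_ip="10.150.252.150",from="4265598@maps.by",to="",subject="",msg="Invalid ehlo/helo domain. ( dsldevice.lan )"',
]


def review_log(lines: List[str], resolve: Resolver = stub_resolve) -> List[Dict[str, object]]:
    """Re-run the HELO rules over gateway lines and report why each was rejected."""
    out: List[Dict[str, object]] = []
    for line in lines:
        f = parse_gateway_line(line)
        helo = helo_from_msg(f.get("msg", ""))
        ip = client_ip_of(f.get("client_name", "")) or ""
        action, reason = helo_decision(helo, ip, resolve)
        out.append({"client_ip": ip, "helo": helo or "",
                    "forged_rdns": "(may be forged)" in f.get("client_name", ""),
                    "action": action, "reason": reason})
    return out


if __name__ == "__main__":
    for r in review_log(SAMPLE_LOG_LINES):
        print(f'{r["client_ip"]:<16} {r["action"]:<7} {r["reason"]}')
```

Two things worth noting. First, "user" fails at the syntax step, while the other three HELO names are well-formed and only fail when the lookup comes back empty, so the stub table matters: in production you would pass live_resolve and treat a temporary DNS failure as a 4xx defer rather than a 5xx reject, otherwise a resolver outage turns into lost mail. Second, for reference (not something the post says), Postfix expresses the same three rules with smtpd_helo_required = yes and reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname and reject_unknown_helo_hostname under smtpd_helo_restrictions.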

This is just one way to provide basic mitigation of bad senders.

Okay, so how do you as an email administrator protect yourself?

Simple: ensure your mail sender or MTA (mail transfer agent) has a valid domain name and a PTR DNS record. The MTA should be legit if you want the world to accept email from you.

If you're forged, mis-configured or flawed, then most properly secured recipients will drop your connection, and your mail attempts will never even get a chance.

Once you have the above satisfied, we can then use reputation scoring, session limits or other mail security policies to allow mail. It's common to use some of these practices with mail security:

  1. real-time blacklist
  2. session limits based on connection attempts per second
  3. greylisting
  4. whitelisting
  5. static blacklist
  6. recipient verification
  7. max message size limits
  8. max recipient counts limits
  9. throttling based on reputational scoring

With most email systems, all of the above are used to some degree. But the HELO is the first step that you have to overcome. If you are not who you say you are, then sorry.



Ken Felix
freelance network/security engineer
kfelix  a-t hyperfeed.com dot com



