Prevent spam from being forwarded by your email server
Source: Internet
Author: User
For a network administrator, spam is not suffering from receiving spam, but trying to prevent spam senders from using your email server for relay forwarding. This is critical, because once they use your email server as a forwarding station, in addition to expensive Bandwidth Resources, server speed reduction, and heavy load on you, you may soon be confused by the "Blacklist". When this happens, your user's email may be sent out of service, you can only spend a lot of unscheduled time cleaning the system and getting rid of these prohibitions.
Of course, almost every network administrator is familiar with the concept of "open relay", its disadvantages, and typical solutions, these solutions have implementation methods such as restrictive relay services for some IP addresses or authentication required. However, many Network Management
The employee may not realize that the spam sender has become more sophisticated.
As a test drill, I set up several email servers last week and this week, using both Microsoft Exchange and some free SMTP/POP3 server software, I have also established my own protocol analyzer (clearsight) so that I can observe what happened. In the face of what happened, I must admit that I was quite shocked.
As you may have imagined, they soon discovered my server, even if I requested to authenticate the relay request, I soon began to see thousands of emails containing fake source addresses continuously passing through my Exchange server, and I could not even see any mail
Enter my local folder. At the same time, I also found that they have discovered and used a system bug (possibly related to the SQL Server ), in this way, my server will automatically generate the emails they need-No forwarding is required.
So I abandoned exchange and started using other free server software. However, this made my monitoring process more interesting and shocked me by the diversity of attacks. Although the attempt to relay always encounters the "503-this
Mail Server requires authentication (this mail server requires authentication) "returned information, I still soon saw junk mail again, they even guessed" Postmaster (mailbox administrator) "account password and use the email administrator identity
Send an email.
After I disable the "Postmaster (mailbox administrator)" account, I still see a lot of attempts to log on using forged SMTP commands, use the wrong email source address, and other things like sending several rset commands in a session (because many servers allow you some commands are invalid ). At this time, I realized that this is probably the reason why my server often disconnects a connection, because it has been set to receive the specified number of error commands, the connection will be disconnected, so I will set this value (specified number) very low.
I also noticed that most relay attempts come from the same IP address, so I blocked the IP address in my _ blank "> firewall. A few minutes later, I received a spam email with the same content from another IP address in different locations. I blocked this IP address again and sent it from the third source again. Obviously, they seem very happy to receive notifications of failed authentication when they are still connected, but once they cannot establish a TCP connection on port 25, they will immediately convert the source address.
When I chose to reject all emails from illegal domains, I found a very interesting side effect, although rejecting these emails seems to be a good thing for me, because these thousands of spam are from an e-mail address filled with ASCII code spam.
However, what I found was that even if my authentication request blocked spam relay attempts, my server still sent DNS (Domain Name Service) Requests for the domain names of these spam senders, as a result, a large number of DNS requests are generated. Worse, they continuously generate DNS requests and then send thousands of requests every minute, it is almost a DoS attack on the DNS server. In this communication condition, I had to cancel the rejection settings.
If you are monitoring the email server, I suggest you spend several minutes on a regular basis and use the sniffer tool to make sure your server is unavailable. I also encourage you to patch your system frequently, rename or disable all standard accounts to fully understand the security features supported by your server. Spammer has become increasingly tricky. We must be more experienced and never rely solely on identity authentication or IP address to defend against spam attacks.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.