Responsible Mail Server Operation
Improperly configured mail servers contribute greatly to the pervasive spam problem on the Internet, both for the addresses served by the mail server, and also those on the Internet at large. Improper configuration on a single mail server can result in:
- The mail server being used to relay spam
- Other mail server operators forced to choose between disabling certain anti-spam settings and accepting email from the improperly configured server.
The following is a list of best practices to implement proper controls on mail servers to allow effective and efficient anti-spam measures:
Relaying Internally
A common deployment scenario for mail servers has a mail exchanger accessible to the Internet which relays email to an internal mail server. All filtering should be performed at the mail exchanger to prevent an internal mail server from rejecting mail from bogus recipients, which results error messages being sent to 3rd party mail addresses.
The Internet-facing mail exchanger needs to be able to reject mail for invalid recipients. This may require some form of custom directory service integration between the internal mail server and the mail exchanger. The implementation of such an integration is entirely dependent on the technology used and the architecture implemented.
DNS Configuration
There are two key DNS considerations:
1. Ensure the forward and reverse DNS match for the mail server. A basic screen for spam is for a mail server without a reverse DNS entry. If all legitimate mail servers set forward and reverse DNS to match, further anti-spam control could be achieved.
2. Implement SPF records for the domain. This is a simple but key item that can drastically reduce the success of spam that is illicitly sent masquerading as a domain. This can help to prevent reputation and image damage created by spam sent without your ability to control it.
Use Valid Senders
Too often, organizations will send out automated email using an address that cannot accept email, because it is not a valid address. This is often done to ignore any bounces from invalid addresses and/or to not have to deal with the responses that come back from the message. DO NOT do this. These are tactics commonly used by spammers. Using such tactics will cause recipient mail servers to disable one of the single most effective anti-spam techniques - sender call-out verification.
The Basics
- Use a valid postmaster address
- Use dns blocklists
- Block dangerous file types
- Mail exchanger anti-virus is strongly recommended
These steps aren’t a panacea for spam, but establishing a baseline configuration for responsible mail servers will go a very long way to helping organizations effectively block spam without having to make choices between receiving mail from badly configured servers and using effective anti-spam techniques.
