Welcome to the NetWin Newsletter.

In this issue:

SurgeMail - How spammers work.
SurgeMail - Stopping spam config settings
SurgeMail - SPF -- New mechanism to drastically cut down on spam.
SurgePlus - Calendaring and File sharing with your mail server.


How spammers work!

We've done some research on spammers by poking around the underbelly of the
net. In news groups and mailing lists, spammers openly discuss and exchange
techniques, so we did some eavesdropping :-). Here is what we found:

Dictionary attacks:

Dictionary attacks are when a spammer hits your mail server with a bunch of
'guesses' based on a dictionary. Spammers get a list of common names and
variations and then start hammering a site and checking responses.

Harvesters used to send a few random, obviously bogus addresses first and
check the response to detect fallbacks/catchalls; if those were accepted
they would abandon the attack. This is no longer the case!

Now, mostly, if a server accepts an address, that address is marked as
positive and can expect to have spam delivered shortly after. This is
why having a catchall used to be a good idea, and is now a terribly bad idea.

One customer who had a global fallback had over 1,700,000 addresses tried
over a 2 day period, and all those invalid addresses now receive spam. The
spammers post address listings to each other, so you will soon have masses
of spam coming in. Once it starts it's almost impossible to stop, because
from then on they don't check responses until someone does a new attack and
rechecks the lists.

Some of the spammers said they don't even bother checking any responses - now
they will just pick domains they think have a lot of users and then dictionary
spam them, knowing that at least a small percentage of their mail is bound
to hit successful addresses.

In the case of the user above, he might have to pull the plug on his domain
entirely because the amount of traffic coming in is costing him a fortune.

How can I defend against this?

The normal SurgeMail defaults prevent dictionary attacks fairly well, but
it's critical to avoid fallback rules. If your customers ask to have
such settings, make it very clear they risk losing their entire domain
to spammers if they get attacked while a fallback rule is in place.
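The pattern described above, one source hammering RCPT TO with guessed names, is visible in the SMTP log before the spam arrives. The script below is an added example written for this newsletter, not SurgeMail code, and it assumes an invented log line format (timestamp, client IP, RCPT TO address, SMTP reply code); the sample lines are constructed. It flags a source on two signals, because a catchall domain answers 250 to every guess and so hides the rejection signal entirely: the second source in the sample is only caught by the number of distinct recipients it tries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an invented format:
#   "<ISO time> <client IP> RCPT TO:<address> <SMTP reply code>"
# This is NOT SurgeMail's log format; adapt parse_line() to the real one.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 RCPT TO:<alice@example.com> 250
2024-05-01T10:00:01 203.0.113.7 RCPT TO:<aaron@example.com> 550
2024-05-01T10:00:02 203.0.113.7 RCPT TO:<abby@example.com> 550
2024-05-01T10:00:02 203.0.113.7 RCPT TO:<adam@example.com> 550
2024-05-01T10:00:03 203.0.113.7 RCPT TO:<adrian@example.com> 550
2024-05-01T10:00:03 203.0.113.7 RCPT TO:<alan@example.com> 550
2024-05-01T10:00:04 203.0.113.7 RCPT TO:<albert@example.com> 550
2024-05-01T10:00:04 203.0.113.7 RCPT TO:<alex@example.com> 550
2024-05-01T10:00:05 198.51.100.4 RCPT TO:<alice@example.com> 250
2024-05-01T10:00:09 198.51.100.4 RCPT TO:<bob@example.com> 250
2024-05-01T10:01:00 192.0.2.9 RCPT TO:<aaron@catchall.example> 250
2024-05-01T10:01:00 192.0.2.9 RCPT TO:<abby@catchall.example> 250
2024-05-01T10:01:01 192.0.2.9 RCPT TO:<adam@catchall.example> 250
2024-05-01T10:01:01 192.0.2.9 RCPT TO:<adrian@catchall.example> 250
2024-05-01T10:01:02 192.0.2.9 RCPT TO:<alan@catchall.example> 250
2024-05-01T10:01:02 192.0.2.9 RCPT TO:<albert@catchall.example> 250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RCPT TO:<([^>]+)> (\d{3})$")


def parse_line(line):
    """Return (timestamp, ip, recipient, code), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, rcpt, code = m.groups()
    return datetime.fromisoformat(ts), ip, rcpt.lower(), int(code)


def find_dictionary_attacks(lines, window=timedelta(minutes=10),
                            min_attempts=5, min_reject_ratio=0.8,
                            max_distinct=5):
    """Flag source IPs that look like they are guessing addresses.

    Two signals are combined, since a catchall domain accepts every guess:
      * many RCPT TO attempts with a high share of 5xx rejections, or
      * many distinct recipients from one source inside one time window.
    Returns {ip: {"attempts", "rejected", "distinct", "accepted"}} where
    "accepted" lists the addresses the sender now believes are live.
    """
    buckets = defaultdict(lambda: {"attempts": 0, "rejected": 0,
                                   "recipients": set(), "accepted": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, rcpt, code = parsed
        # Fixed time buckets of `window` length, independent of local timezone.
        key = (ip, (ts - datetime.min) // window)
        b = buckets[key]
        b["attempts"] += 1
        b["recipients"].add(rcpt)
        if 500 <= code < 600:
            b["rejected"] += 1
        elif 200 <= code < 300:
            b["accepted"].add(rcpt)

    flagged = {}
    for (ip, _), b in buckets.items():
        if b["attempts"] < min_attempts:
            continue
        ratio = b["rejected"] / b["attempts"]
        distinct = len(b["recipients"])
        if ratio >= min_reject_ratio or distinct >= max_distinct:
            flagged[ip] = {"attempts": b["attempts"], "rejected": b["rejected"],
                           "distinct": distinct, "accepted": sorted(b["accepted"])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The "accepted" list for the catchall source is every name it tried, which is exactly the list the newsletter warns will be traded between spammers; with a fallback rule in place there is no reply code that distinguishes a guess from a real user.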


Spammers still use open relays!

You might think that with all the RBL lists etc. the days of open relays
were long gone. However, people keep plugging new computers into the
internet, and it's very easy to enable a mail server on a new system
and create an open relay by mistake. Apparently thousands of people do
this every day, so as fast as the RBLs can block new open relays the
spammers can find new ones. At any one time they know of thousands of
them that haven't yet been blocked by RBLs, and they only need a few dozen.


The top ways of harvesting addresses

1) USENET
2) Mailing lists
3) Websites
4) IRC (email addresses posted on IRC received spam in under 5 minutes of the
posting, very efficient)
5) Dictionary attacks / DSN replies

Below you will read about the new SPF features in SurgeMail, these
are really good because they stop the spammers making use of open
relays etc. When SPF is enforced people can only send you mail if
they are who they say they are.

Anyway that's just a few tidbits we found interesting enough to pass
on, see below for config suggestions etc....


SurgeMail - Stopping spam config settings (implementing SPF)

In SurgeMail 2.0 we have a new spam system called 'ASpam' which replaces
the SmiteCRC module but does a very similar job. There are also some
new settings to enable which improve spam detection by performing various
'tests' (like: is the from header a real mail account that we can
talk to, or not). To switch to the new system, change the following
settings in surgemail.ini (this can also be done on the 'ASpam' page in the
web admin, but for brevity we will just show the config settings).

Upgrade to at least 1.9 for 'ASpam' features, and at least 2.1c for 'SPF'
features.
https://netwinsite.com/ftp/surgemail

Remove the setting:
g_virus_filter cmd="smitecrc.exe" type=""

Add/change the settings below: (These are all described in the manual if
you need more info and be aware that these settings can cause messages to
bounce, particularly the setting g_spam_block "true")

g_orbs_list name="bl.spamcop.net." action="stamp" stamp="Spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"
# replace the ranges below with your local trusted network addresses if any
g_spam_allow "10.2.192.98-117"
g_spam_subject "4"
g_spam_userconfig "TRUE"
g_spam_internal "true"
# catcher addresses, email accounts on your domain that are hidden in web pages etc.
g_spam_catcher "fred@your.domain"
# Enable wide area url spam database (from netwinsite.com)
g_url_enable "true"
g_vanish_bad_bounces "TRUE"
g_verify_smtp "TRUE"
g_verify_mx "TRUE"
# List your trusted local addresses and mx servers etc.
g_verify_mx_skip "10.2.192.1-255"

Note: users will be able to control their spam settings when they login
via WebMail or if they login directly to the SurgeMail user CGI.


SurgeMail - SPF -- The new mechanism to drastically cut down on spam.

What is SPF?

Sender Permitted From is a system whereby you register in your DNS
entries a list of servers which may send email from your domain; this
stops viruses and spammers from pretending to send messages from your domain.

You should add SPF records to avoid being mistaken for a spammer.

SurgeMail's implementation of SPF adds two powerful features not commonly
found:

1) You can implement a default SPF record for any domain that
does not have one; this is the 'strict' mode. It makes the system
very good at stopping spam, as 80% of all spam uses faked from addresses.

2) When SurgeMail does block a message due to an SPF failure, the
user is given an address they can send to, to 'unblock' their server.
This means the occasional false positive is not critical, it is just a
minor inconvenience.
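To make the SPF check and the 'strict' default concrete, here is an added example (written for this newsletter, not SurgeMail's code) of a small SPF evaluator. It assumes a constructed, offline DNS table instead of real lookups, supports the common mechanisms (ip4, ip6, a, mx, include, all) with the four qualifiers, and leaves modifiers such as redirect= and CIDR suffixes on a/mx unsupported. The default record applied to a domain that publishes no SPF (STRICT_DEFAULT) is an assumption for illustration; the newsletter does not state what record SurgeMail substitutes.

```python
import ipaddress

# Constructed DNS data; not a real zone. Each name maps to its TXT, A and MX data.
DNS = {
    "example.com":      {"txt": ["v=spf1 ip4:192.0.2.0/24 mx -all"],
                         "mx": ["mail.example.com"], "a": ["198.51.100.10"]},
    "mail.example.com": {"a": ["198.51.100.25"]},
    "partner.example":  {"txt": ["v=spf1 include:example.com ~all"]},
    "nospf.example":    {"mx": ["mx.nospf.example"], "a": ["203.0.113.5"]},
    "mx.nospf.example": {"a": ["203.0.113.6"]},
}

# Assumed policy for domains with no SPF record in 'strict' mode:
# only the domain's own A and MX hosts may send, everything else fails.
STRICT_DEFAULT = "v=spf1 a mx -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns):
    """Return the domain's v=spf1 TXT record, or None if it has none."""
    for txt in dns.get(domain, {}).get("txt", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in(ip, network):
    """True if `ip` lies in `network` (a bare address counts as a /32 or /128)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def host_ips(host, dns):
    return dns.get(host, {}).get("a", [])


def evaluate(ip, domain, record, dns, depth=0):
    """Walk the record's mechanisms left to right; first match decides."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, h) for h in host_ips(arg or domain, dns))
        elif name == "mx":
            mx_hosts = dns.get(arg or domain, {}).get("mx", [])
            matched = any(ip_in(ip, h) for mx in mx_hosts for h in host_ips(mx, dns))
        elif name == "include":
            sub = spf_record(arg, dns)
            matched = bool(sub) and evaluate(ip, arg, sub, dns, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism or unsupported modifier
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end with no match


def check_sender(ip, domain, dns=DNS, strict=True):
    """SPF result for a connection from `ip` claiming MAIL FROM at `domain`.

    With strict=False a domain without SPF yields "none" (standard behaviour);
    with strict=True the assumed STRICT_DEFAULT record is applied instead.
    """
    record = spf_record(domain, dns)
    if record is None:
        if not strict:
            return "none"
        record = STRICT_DEFAULT
    return evaluate(ip, domain, record, dns)


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("203.0.113.99", "example.com"),
                    ("203.0.113.5", "nospf.example"), ("203.0.113.99", "nospf.example")]:
        print(dom, ip, "strict:", check_sender(ip, dom), "normal:", check_sender(ip, dom, strict=False))
```

The last two sample calls show the difference strict mode makes: a domain with no SPF record gets "none" under ordinary SPF, which blocks nothing, but under the assumed strict default a message from an address that is neither its A nor its MX host fails. That is also the case where the unblock address in feature 2) matters, since a legitimate sender whose domain has no SPF record can trip the default.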

How do I implement SPF?

First upgrade to SurgeMail 2.1c

Settings for surgemail.ini
g_spf_mode "strict"

For a small business, or someone who wants to stop the spam dead, use these
settings:
g_spam_block_gateway "TRUE"
g_spam_block "true"

For an ISP etc. you might want to just let users turn on SPF individually in
the user config settings, in that case you just need the g_spf_mode "strict"
setting.


See https://netwinsite.com/spf.htm


SurgePlus - Calendaring and File sharing with your mail server.

This new module provides a windows GUI and web interface for users
that will allow anyone with an email account on your server to upload
files to your mail server. The files can then be read as 'web
pages/files' directly from the server. This allows users to share
documents, photos, web pages, files of any kind or entire folders. All
with a simple click.

This feature can be enabled per domain, system or user.

A user 'quota' is used, so a user's usage is limited. If you charge by
quota you will no doubt be able to sell more quota to users who like
this new feature :-)

This tool also adds 'calendaring' features, including event scheduling,
full day/week/month/year views, auto rescheduling (week/month etc.) and
much much more.

To find out more about this see this page. https://netwinsite.com/surgeplus/

SurgePlus is available in the current release version (2.1c7) of
SurgeMail. Please note this module is licensed separately - sorry.