Channel: aaron-kelley.net » E-mail Security

Deployed Postini and still getting spam? Spammers may be bypassing Postini altogether.

So, to combat spam, I recently deployed Postini at my workplace.  We qualified for the K-12 promotion, so it is awesome to have good spam handling for free.  We currently use FirstClass as our mail server, and I’d rate its built-in spam-handling mechanisms as “poor-to-none.”  (We are eyeing Google Apps mail as a replacement in the next year or so.)

So, after finally getting Postini deployed and enabled for all accounts, the Postini stats report that just over 50% of incoming mail is being tossed out as “blatant spam,” with over 25% of the remaining mail being quarantined as “potential spam.”  This is with Postini on the default lowest aggressiveness setting.  So, assuming the worst case (“all incoming mail is spam”, which is almost true), our users are already receiving less than 37.5% as much spam as they used to.  Once we’re satisfied that things are working fine, I’ll bump up the aggressiveness.

Anyways, I noticed that my FirstClass inbox was still being bombarded by spam messages (a few per hour), most of them obviously spam.  Why weren’t these being blocked by Postini?

Checking the headers on these spam messages, I noticed that they weren’t being routed through the Postini servers.  This means that the spammers are ignoring the MX records for our domain and delivering mail directly to the FirstClass server.  They must have cached the old MX record and kept using it after we switched it to point to a Postini server, because what spammer wants to send mail through Postini if they have the choice?  Anyway, yuck.

Turns out that this is not an unknown problem.  I find it pretty interesting, though.  I didn’t know that spammers did this since I had never bumped into this situation before; just another pretty smart thing that the spammers are doing to get around your efforts to stop them.

Anyway, the solution in this case is to configure the mail server (the FirstClass server here), or a firewall between your mail server and the Internet, to accept inbound SMTP connections only from the hosts that mail should legitimately be coming from.  Seems simple enough?  We are actually routing the mail through Google Apps, so the answer was to allow connections only from the addresses that Google’s SPF record says mail should be coming from:

209.85.128.0/17
216.239.32.0/19
64.233.160.0/19
66.249.80.0/20
72.14.192.0/18
66.102.0.0/20
74.125.0.0/16
64.18.0.0/20
207.126.144.0/20
173.194.0.0/16

Anyway, I set these filters in our firewall and, presto, no spam messages all weekend.
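The two checks described above, inspecting the Received: headers to see whether a message actually traversed the filtering relay, and comparing the delivering host against the relay netblocks listed in the post, as an added example that is not from the original post. Our own server's host name (mail.example.org), the sample messages and the sender addresses are constructed for illustration; the netblocks are the ones listed above.

```python
"""Classify inbound mail as 'via-relay' or 'direct' from its Received: headers.

Added example, not from the original post. Only the Received: header that our
own server wrote (the hop whose 'by' clause names our host) is trustworthy;
every earlier Received: line arrived inside the message and can be forged by
the sender, so the check keys on that single hop.
"""
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Netblocks from the post (Google's SPF ranges at the time it was written).
ALLOWED_RELAY_NETS = [ipaddress.ip_network(n) for n in (
    "209.85.128.0/17", "216.239.32.0/19", "64.233.160.0/19",
    "66.249.80.0/20", "72.14.192.0/18", "66.102.0.0/20",
    "74.125.0.0/16", "64.18.0.0/20", "207.126.144.0/20",
    "173.194.0.0/16",
)]

# Host name of our own mail server (constructed placeholder).
OUR_MAIL_HOST = "mail.example.org"

# Bracketed dotted-quad as written by most MTAs, e.g. "(host [203.0.113.5])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivering_ip(raw_message: str) -> Optional[str]:
    """Return the IP of the peer that connected to OUR_MAIL_HOST, or None."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())          # unfold continuation lines
        if f"by {OUR_MAIL_HOST}" not in flat:
            continue                               # a hop some other server wrote
        from_part = flat.split(" by ", 1)[0]       # keep only the 'from ...' clause
        match = _IP_RE.search(from_part)
        if match:
            return match.group(1)
    return None


def came_via_relay(ip: str) -> bool:
    """True if the connecting IP is inside one of the expected relay netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RELAY_NETS)


def classify(raw_message: str) -> str:
    """'via-relay', 'direct' (bypassed the filter), or 'unknown' (no usable hop)."""
    ip = delivering_ip(raw_message)
    if ip is None:
        return "unknown"
    return "via-relay" if came_via_relay(ip) else "direct"


# Constructed sample: handed to us by a host inside 209.85.128.0/17.
RELAYED = """\
Received: from mail-relay.example.com (mail-relay.example.com [209.85.161.12])
\tby mail.example.org (FirstClass) with ESMTP id ABC123
\tfor <user@example.org>; Mon, 01 Jan 2000 10:00:00 -0500
Received: by 10.0.0.1 with SMTP id xyz; Mon, 01 Jan 2000 09:59:58 -0500
From: sender@example.com
To: user@example.org
Subject: relayed through the filter

body
"""

# Constructed sample: delivered straight to us from an unrelated address, with a
# forged inner Received: line that name-drops a relay host to look legitimate.
DIRECT = """\
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example.org (FirstClass) with SMTP id DEF456
\tfor <user@example.org>; Mon, 01 Jan 2000 10:05:00 -0500
Received: from mail-relay.example.com ([209.85.161.12]) by bogus.example.net
From: someone@example.net
To: user@example.org
Subject: bypassed the filter

body
"""

if __name__ == "__main__":
    for label, sample in (("relayed", RELAYED), ("direct", DIRECT)):
        print(f"{label}: peer={delivering_ip(sample)} -> {classify(sample)}")
```

Run it over a mailbox export and anything classified "direct" is mail that skipped Postini, which is exactly what the firewall rule built from these netblocks is meant to stop. The allowlist is only as current as the provider's published SPF record, so re-check the record when the provider announces changes and keep the firewall rules in step with it.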
