Enterprises, universities, and service providers (ISPs, marketing email service providers, application services, SaaS, and hosting providers) need to be concerned if their systems send spam. There is an even worse possibility: the provider’s mail platform may have been infiltrated by cybercriminals, allowing them to use the platform to send spam and phishing or to read user communications. Breaches like this also make it easier for the cybercriminal to move laterally into other portions of your network and business operations.
This article walks you through the best security practices for checking whether your server is sending spam. So here we go.
Check your mail server logs first, then look at blocklists second
1. Monitor your outbound mail logs
The two most significant indicators, for a mail administrator, that a server is sending spam are an increase in bounces or NDRs (Non-Delivery Reports) and a lengthening of your server’s outbound email queues. Both occur when your IP addresses or domains are blocklisted because of a compromised server, user machine, or web account. Thus, you should regularly monitor your mail server’s logs under /var/log on Linux, or your Exchange Server’s System Manager, to tell whether your server is sending spam that blocklists have identified.
Things you should be looking for include:
- Logs showing increasing rates of NDRs, which are typically caused by one or more blocklists blocking your IP address or domain.
- Increasing outbound email queues due to delivery deferrals, a symptom of the same condition. Additionally, you might get an alert from your mail server; Microsoft Exchange, for example, sends an “SMTP Server Remote Queue Length Alert.”
Both of these are indicators of a more significant problem and the first way to check whether your mail server is sending spam. The best practice is to immediately pause your outbound mail flow while you find and fix the problem, so that other mail servers stop rejecting your email and your delivery and inbox rates can return to normal.
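As an added example (not from the original article), here is a Python script that parses Postfix-style mail.log lines, correlates each queue ID’s envelope sender with its delivery status, and flags senders whose mail is mostly bouncing or deferring, which is exactly the NDR-rate signal described above. The log lines, sender names and thresholds are constructed; the regular expressions assume Postfix’s qmgr/smtp log format, so adapt them for other MTAs (Exchange message tracking logs look quite different).

```python
"""Flag outbound senders whose mail is bouncing or deferring, from Postfix-style logs.
Added example; log lines (RFC 5737 addresses, example domains) and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed sample: qmgr lines carry the envelope sender, smtp lines the per-recipient status.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx1 postfix/qmgr[900]: AAA111: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jan 10 09:00:02 mx1 postfix/smtp[901]: AAA111: to=<bob@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 09:01:00 mx1 postfix/qmgr[900]: BBB222: from=<mallory@example.com>, size=512, nrcpt=1 (queue active)
Jan 10 09:01:01 mx1 postfix/smtp[902]: BBB222: to=<x1@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.7.1, status=bounced (host mx.example.org[203.0.113.9] said: 554 5.7.1 Service unavailable; client 192.0.2.10 blocked using zen.spamhaus.org (in reply to RCPT TO command))
Jan 10 09:01:05 mx1 postfix/qmgr[900]: CCC333: from=<mallory@example.com>, size=510, nrcpt=1 (queue active)
Jan 10 09:01:06 mx1 postfix/smtp[902]: CCC333: to=<x2@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=4.7.1, status=deferred (host mx.example.org[203.0.113.9] said: 421 4.7.1 Try again later (in reply to RCPT TO command))
Jan 10 09:01:09 mx1 postfix/qmgr[900]: DDD444: from=<mallory@example.com>, size=515, nrcpt=1 (queue active)
Jan 10 09:01:10 mx1 postfix/smtp[902]: DDD444: to=<x3@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=5.7.1, status=bounced (host mx.example.net[203.0.113.5] said: 550 5.7.1 Listed in dnsbl.example (in reply to RCPT TO command))
"""

# qmgr logs "queue-id: from=<sender>"; smtp logs "queue-id: to=<rcpt> ... status=X (reason)".
FROM_RE = re.compile(r" postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
STATUS_RE = re.compile(
    r" postfix/smtp\[\d+\]: (?P<qid>\w+): to=<[^>]*>.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$")
# Phrases in the remote server's reply that usually mean "your IP is on a blocklist" (assumed list).
LISTING_HINTS = ("blocked using", "listed in", "blacklist", "blocklist", "spamhaus")


def analyze(log_text, bad_ratio=0.5, min_attempts=2):
    """Return (per-sender counts, senders to pause).

    A sender is flagged when at least min_attempts deliveries were tried and the share
    that bounced or deferred is >= bad_ratio (both thresholds are assumptions)."""
    sender_of = {}                                  # queue id -> envelope sender
    stats = defaultdict(lambda: {"sent": 0, "bounced": 0, "deferred": 0, "listing_hits": 0})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_of[m["qid"]] = m["sender"] or "<>"
            continue
        m = STATUS_RE.search(line)
        if not m:
            continue
        s = stats[sender_of.get(m["qid"], "unknown")]
        if m["status"] in s:
            s[m["status"]] += 1
        if any(hint in m["reason"].lower() for hint in LISTING_HINTS):
            s["listing_hits"] += 1
    flagged = []
    for sender, s in stats.items():
        attempts = s["sent"] + s["bounced"] + s["deferred"]
        bad = s["bounced"] + s["deferred"]
        if attempts >= min_attempts and bad / attempts >= bad_ratio:
            flagged.append(sender)
    return dict(stats), sorted(flagged)


if __name__ == "__main__":
    counts, to_pause = analyze(SAMPLE_LOG)
    for sender, s in counts.items():
        print(f"{sender:25} {s}")
    print("pause outbound for:", to_pause)
```

On a live server, feed it `tail -n 50000 /var/log/mail.log` (or the journal) on a schedule; the `listing_hits` counter tells you whether the bounces are blocklist rejections, which is the case where pausing outbound flow first is the right move.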
2. Check spam blocklists
Next, you need to check for block listings.
- Check MXToolbox or MultiRBL to see whether a blocklist is blocking you. If it turns out to be limited to UCEPROTECT or a few hobbyist blocklists blocking your range, your problem is likely “reputation-based”, an issue that has built up over time rather than a configuration problem (open relay), a hacked mail server, or hacked email accounts.
But be aware that not every blocklist acts the same. If you don’t see Abusix or Spamhaus blocking the traffic, it might be one of the few blocklists, like UCEPROTECT and SORBS, that punitively block a network range or even an entire ASN belonging to a hosting provider. They do this irrespective of who else might be using IP addresses in the same neighborhood. If you are blocked by one of these two lists (UCEPROTECT and SORBS) and not by other blocklists, you or your hosting provider have a severe network abuse problem.
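The blocklist check above can be scripted once you know the mechanism: a DNSBL is queried by reversing the IP address’s octets, appending the list’s zone, and resolving an A record; an answer in 127.0.0.0/8 means listed, NXDOMAIN means not listed. The Python below is an added example, not Abusix tooling. The zone names are public ones for lists the article mentions (Abusix Mail Intelligence uses an account-specific zone, so it is left out, and SORBS was retired in 2024), the ZEN return-code meanings are from Spamhaus’s documentation, and the “reputation” versus “range” labels follow the article’s own distinction. Each list has usage terms; check them before querying from a busy server.

```python
"""Query DNS blocklists for one of your own outbound IPs and sort the answers into the
article's two cases. Added example; zone names are public ones, scope labels are assumptions."""
import ipaddress
import socket

# zone -> (how the list behaves per the article, description)
ZONES = {
    "zen.spamhaus.org": ("reputation", "Spamhaus ZEN (SBL/XBL/PBL)"),
    "dnsbl-3.uceprotect.net": ("range", "UCEPROTECT level 3 (whole ASN)"),
}
# Return codes documented by Spamhaus for zen.spamhaus.org.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL", "127.0.0.5": "XBL",
             "127.0.0.6": "XBL", "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}


def dnsbl_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def lookup(name, resolver=socket.gethostbyname):
    """A record for name, or None on NXDOMAIN (socket.gaierror is an OSError)."""
    try:
        return resolver(name)
    except OSError:
        return None


def check_ip(ip, zones=ZONES, resolver=socket.gethostbyname):
    """Return {zone: return code} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        code = lookup(dnsbl_name(ip, zone), resolver)
        if code and code.startswith("127."):     # anything else is a resolver quirk, not a listing
            hits[zone] = code
    return hits


def classify(hits, zones=ZONES):
    """Map the hits onto the triage the article describes."""
    reputation = [z for z in hits if zones[z][0] == "reputation"]
    ranges = [z for z in hits if zones[z][0] == "range"]
    if reputation:
        detail = ", ".join(f"{z}={ZEN_CODES.get(hits[z], hits[z])}" for z in reputation)
        return "check for compromise or open relay: " + detail
    if ranges:
        return ("range/ASN listing only (" + ", ".join(ranges) +
                "): reputation built up over time or a network abuse problem at your provider")
    return "not listed"


if __name__ == "__main__":
    import sys
    found = check_ip(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10")
    print(found, classify(found))
```

Run it with your outbound IP as the argument. A ZEN hit in the XBL range points at a compromised host behind that address; a PBL hit means the address is in a range not meant to send direct mail at all, which is a configuration conversation with your provider rather than a cleanup.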
3. Implement all the following mail cyber security best practices
While the steps above are the quickest way to get back on track, the following are solid cyber security practices you need in order to secure your users’ email and your mail server effectively and to lower spam and phish. If you provide mail as a service (as an ISP, hosting provider, business email provider, CRM, or email marketing service provider) and aren’t taking these steps today, you are placing your business in jeopardy.
Block spam before it leaves your network, and password reset the user accounts that are blocked
Block emails being sent by your users, similar to what you would do with inbound email but using a different set of rules. Take a look at the article “Inbound and outbound protection – What’s the difference and how to get it right”.
Seriously, don’t just send the bad stuff. You are hurting your delivery and your users by not using your system to alert and protect them. Users on a compromised computer or with a hacked account want to know.
Bad actors sending garbage need to know too. If they keep noticing that you catch them before their mail gets out, they will bail and go to another provider that doesn’t care as much as you do.
As an enterprise, educational institution, hosting provider, or ISP, if you add outbound spam filtering, you will be able to:
- Block connections to your mail server from remote users using infected machines.
- In your filters, block messages that use identified spam domains or zero-reputation domains commonly associated with phish, as well as URL-shortener or online storage URLs that have been associated with spam (don’t block those domains, only the URLs).
You save yourself from being blocked by not allowing these compromised systems, and the messages associated with spam, to transit your mail server.
For any user you block, immediately do a password reset and notify the user, telling them why their mail was blocked. If it’s a connecting IP address with a problem, you should inform the user that the connecting IP (router or machine) was compromised. If it’s a message that is blocked because of content, tell them that is why you did the password reset, just in case their account was compromised. Truthfully, they will thank you for caring for their security.
Lastly, the users and bad actors that get repeat password resets are simple to see in your reset logs. This helps you see the problems and address them according to the policy you decide to use.
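Putting the outbound rules above into code, as an added example rather than a product feature: the domain, URL and client-IP feeds are constructed stand-ins for the reputation data the article refers to, and the notification wording is assumed. The URL rule deliberately matches the full URL, so a shortener or storage host is never blocked wholesale, and every block also schedules the password reset and user notice the text calls for.

```python
"""Outbound policy check: may this user's message leave the network, and what happens to the
account if not. Added example; all feeds and the notice text are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Constructed feeds. In production these come from your reputation provider's data.
INFECTED_CLIENT_IPS = {"192.0.2.77"}                   # remote users connecting from infected machines
SPAM_DOMAINS = {"cheap-pills.example"}                 # identified spam domains
ZERO_REP_DOMAINS = {"secure-login-update.example"}     # freshly registered domains seen in phish
SPAM_URLS = {                                          # shortener / storage links: block the URL, not the host
    "https://short.example/x9Qz",
    "https://drive.example/s/abc123",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Verdict:
    action: str                                   # "accept" or "reject"
    reasons: list = field(default_factory=list)
    reset_password: bool = False
    notify: str = ""


def _host(url):
    """Hostname part of a URL, lower-cased, without port or path."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def check_outbound(sender, client_ip, body):
    """Apply the outbound rules and return a Verdict with the follow-up actions."""
    v = Verdict("accept")
    if client_ip in INFECTED_CLIENT_IPS:
        v.reasons.append(f"connection from infected machine {client_ip}")
        v.notify = (f"{sender}: mail from {client_ip} was blocked because that machine or "
                    "router appears to be compromised; your password has been reset.")
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")                  # trailing punctuation is not part of the link
        host = _host(url)
        if host in SPAM_DOMAINS:
            v.reasons.append(f"spam domain {host}")
        elif host in ZERO_REP_DOMAINS:
            v.reasons.append(f"zero-reputation domain {host}")
        elif url in SPAM_URLS:                    # exact URL only: other links on this host stay allowed
            v.reasons.append(f"spam URL {url}")
    if v.reasons:
        v.action = "reject"
        v.reset_password = True
        v.notify = v.notify or (f"{sender}: a message was blocked for its content and your "
                                "password was reset in case the account was compromised.")
    return v


if __name__ == "__main__":
    for args in [("alice@example.com", "198.51.100.4", "deck: https://drive.example/s/other"),
                 ("bob@example.com", "198.51.100.4", "click https://drive.example/s/abc123 now"),
                 ("carol@example.com", "192.0.2.77", "hello")]:
        print(args[0], check_outbound(*args))
```

The same `Verdict` objects are what you would log; counting `reset_password` per user over time gives you the repeat-reset list the paragraph above describes.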
Manage your postmaster address, and password reset the user accounts that are returned as NDRs
Look for NDRs to fake recipients returned to your postmaster@ address. These show nefarious use of your domain on your network. See RFC 5321 and Microsoft’s Exchange Server support article for more information.
If a message has been returned to the postmaster address, tell the user why you did the password reset, just in case their account was compromised. Truthfully, they will thank you for caring for their security.
Lastly, the users and bad actors that get repeat password resets are simple to see in your reset logs. This helps you see the problems and address them according to the policy you decide to use.
If you are a hosting provider, ISP, or University, Abusix’s AbuseHQ can manage these reports for you.
Verify the authenticity of your mail server and make a take-down request to the network hosting the unauthentic MTA
Make sure your domain isn’t getting blocked because someone else is spoofing it, and that you aren’t subject to a man-in-the-middle attack. A domain without SPF, outbound email that is not signed with DKIM, and no DMARC DNS TXT record allow a cybercriminal to fake your identity and cause your domain to be blocked.
Spoofing your C-level executives’ or employees’ email addresses, as well as a man-in-the-middle attack, allows a cybercriminal to send messages to your employees or modify customer messages. Both are very dangerous.
Look at your SPF, DKIM, and DMARC DNS TXT records to check and see if the records are accurate.
To your DMARC record, add the following tags to get reports:
- “rua=mailto:<reporting-address>”: this tag tells the receiver where to send the daily aggregate reports. If you are a hosting provider, ISP, or University, this address is typically your abuse@ address or an alias of it.
- “fo=”: this tag lets mailbox providers know you want samples of messages that fail.
- “1”: this is the essential option to put in fo=, as it tells the receiver to send a report if any authentication mechanism (SPF or DKIM) failed to pass, rather than only when all of them fail.
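The tags above can be checked mechanically. The Python below is an added example, not from the article: it parses a DMARC TXT record and reports on the rua and fo tags. Tag semantics follow RFC 7489, where fo only governs the failure-sample (ruf) reports, so the check also flags a record that sets fo=1 without a ruf address. The sample records and the reporting address are constructed.

```python
"""Parse a DMARC TXT record and check its reporting tags (rua, ruf, fo).
Added example; tag semantics per RFC 7489, sample records and addresses constructed."""

VALID_FO = {"0", "1", "d", "s"}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; v=DMARC1 must be the first tag."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_reporting(tags):
    """Findings about the reporting tags the article asks for; an empty list means fine."""
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p= (policy) missing or invalid")
    rua = tags.get("rua", "")
    if not rua:
        findings.append("rua= missing: no aggregate reports will be sent")
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        findings.append("rua= must list mailto: URIs")
    opts = {o.strip() for o in tags.get("fo", "0").split(":")}    # RFC 7489 default is fo=0
    if not opts <= VALID_FO:
        findings.append(f"fo= contains unknown option(s): {tags['fo']}")
    elif "1" not in opts:
        findings.append("fo=1 not set: failure samples only arrive when SPF and DKIM both fail")
    if "1" in opts and not tags.get("ruf"):
        findings.append("fo=1 is set but ruf= is missing, so no failure samples can be delivered")
    return findings


def suggested_record(reporting_address):
    """A starting record with the article's tags; p=none observes without affecting delivery."""
    return (f"v=DMARC1; p=none; rua=mailto:{reporting_address}; "
            f"ruf=mailto:{reporting_address}; fo=1")


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none", suggested_record("dmarc@example.com")):
        print(record, "->", check_reporting(parse_dmarc(record)) or "ok")
```

To check a real domain, resolve the TXT record at `_dmarc.<your-domain>` with `dig` and pass the string to `parse_dmarc`; DNS quoting may split it into several strings that must be joined first.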
Sign up for “Feedback Loops” (FBLs) and action users with a high complaint/emails-sent ratio
Some think of feedback loops as something you subscribe to only if you are sending marketing emails. No sir. They are valuable to anyone running a mail server or providing campus, hosting, or internet connectivity services.
If you are an enterprise, you should be using a mail system, CRM, or email service provider to manage unsubscribes. If you subscribe your corporate mail server to an FBL service, you will find the rogue department or employee whose spam is causing your issue. You will also see the employees with compromised systems or accounts sending spam, so that you can reset their passwords and notify them of the issue.
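Both the postmaster@ NDRs from the earlier section and the feedback-loop reports described here arrive as multipart/report messages (RFC 3464 delivery-status and RFC 5965 feedback-report, respectively). As an added example, not Abusix or AbuseHQ code, the Python below parses both with the standard library, attributes each report to the local account that sent the original message, and turns them into the actions the article recommends: a password reset for NDRs to non-existent recipients, and a review for users whose complaint ratio is high. The two reports, the sent-message counts and the 0.1% threshold are constructed assumptions.

```python
"""Parse postmaster@ NDRs (RFC 3464) and feedback-loop ARF reports (RFC 5965) into follow-up
actions. Added example; both reports, the sent counts and the threshold are constructed."""
from collections import Counter
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: postmaster@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; nosuchuser@example.org
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Return-Path: <mallory@example.com>
From: mallory@example.com
Subject: cheap pills

buy now
--B1--
"""

ARF = """\
From: fbl@mailbox-provider.example
To: abuse@example.com
Content-Type: multipart/report; report-type=feedback-report; boundary="B2"

--B2
Content-Type: message/feedback-report

Feedback-Type: abuse
Original-Mail-From: <mallory@example.com>
Source-IP: 192.0.2.10

--B2
Content-Type: message/rfc822

Return-Path: <mallory@example.com>
From: mallory@example.com
Subject: cheap pills

buy now
--B2--
"""


def _original_sender(report):
    """Envelope sender of the embedded original message, i.e. the local account."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()[0]
            return parseaddr(str(inner["Return-Path"] or inner["From"] or ""))[1].lower()
    return ""


def parse_report(raw):
    """Describe one multipart/report message as a dict (None if it is not one)."""
    msg = message_from_string(raw, policy=default)
    if msg.get_content_type() != "multipart/report":
        return None
    info = {"kind": (msg.get_param("report-type") or "").lower(), "user": _original_sender(msg)}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The stdlib parser splits this part into header blocks: per-message, then per-recipient.
            for block in part.get_payload():
                if block["Final-Recipient"]:
                    info["recipient"] = str(block["Final-Recipient"]).split(";")[-1].strip()
                    info["action"] = str(block["Action"] or "").strip().lower()
                    info["status"] = str(block["Status"] or "").strip()
        elif part.get_content_type() == "message/feedback-report":
            fields = part.get_payload()[0]              # parsed as a nested, header-only message
            info["feedback_type"] = str(fields["Feedback-Type"] or "").strip().lower()
            info["source_ip"] = str(fields["Source-IP"] or "").strip()
            info["user"] = info["user"] or parseaddr(str(fields["Original-Mail-From"] or ""))[1].lower()
    return info


def triage(reports, sent_counts, max_ratio=0.001):
    """(user, action) pairs: password reset on NDRs for unknown recipients (5.1.1 = bad mailbox),
    account review when complaints / messages sent exceeds max_ratio (0.1% is an assumption)."""
    actions, complaints = [], Counter()
    for r in reports:
        if r["kind"] == "delivery-status" and r.get("action") == "failed" and r.get("status", "").startswith("5.1.1"):
            actions.append((r["user"], f"reset password; NDR for unknown recipient {r['recipient']}"))
        elif r["kind"] == "feedback-report" and r.get("feedback_type") == "abuse":
            complaints[r["user"]] += 1
    for user, n in complaints.items():
        sent = sent_counts.get(user, 0)
        ratio = n / sent if sent else 1.0
        if ratio > max_ratio:
            actions.append((user, f"review account: {n} complaints / {sent} sent = {ratio:.2%}"))
    return actions
```

Usage: `triage([parse_report(DSN), parse_report(ARF)], {"mallory@example.com": 200})` yields one reset action from the NDR and one review action because 1 complaint in 200 messages is 0.50%, above the assumed threshold. Pointed at a real postmaster@ or abuse@ mailbox (via IMAP or a Postfix transport), the same functions give you the per-user reset and complaint counts the article tells you to watch.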
In summary
If you have a problem with delivery, follow the first two steps: Monitor your outbound mail logs and check spam blocklists.
Longer-term, implement solid cyber security techniques:
- Block spam before it leaves your network and monitor the outbound filtering failures.
- Manage your postmaster address.
- Verify the authenticity of your messages and monitor the failures using DMARC.
- Lastly, sign up for “Feedback Loops” (FBLs) and monitor complaint volumes per user.
Follow these cyber security tips, and your users will thank you for running a safe mail operation.
If you are running a shared messaging service as an ISP, Hosting Service, SaaS, or social networking provider, talk to us about Guardian Mail & Guardian Ops. By design, we make your inbound, outbound mail server, and network abuse far more manageable.