Blog , 10 Sep 2021

Inbound and Outbound Protection – What’s the Difference and how to get it right?

Steve Freegard,

Sr. Product Owner Abusix Intelligence

When it comes to mail server protection, most people only think about inbound protection, meaning that only incoming messages will be checked to protect your users against email-borne threats, but what about outgoing messages that are sent by your own users? Shouldn’t they also be checked? We think so, yes! Let’s dive into the differences and how Abusix Mail Intelligence blocklists can help you with both, inbound and outbound protection:

Inbound Protection

For inbound protection, you would use Abusix Mail Intelligence on your mail exchangers. The “combined” blocklist will take care of IP blocking from our main blocklists (black, policy and exploit). This will get rid of the vast majority of bad traffic early on in the SMTP conversation, saving you bandwidth and resources, whilst anything left will be content scanned with domains blocked using the dblack domain blocklist and our various hash lists used for anything else.

Lastly, your content filtering can use our “Newly Observed IP” and “Newly Observed Domains” lists for additional metadata for scoring.

Outbound Protection

Unfortunately, outbound protection is much more difficult because you have far less context to work with as these are messages from your own users (albeit with potentially compromised accounts or malicious sign-ups) sent directly to your servers and will likely be authenticated in some way.

Additionally, outbound messages have a higher quality of service, so rejected messages or delays in processing are noticed far more quickly than on inbound mail. 

For outbound protection, you would use the Abusix Mail Intelligence Authentication Blocklist (AuthBL) on any connections from authenticated users. You would then reject any connection if their IP address is found on the list.

If you find the authenticated blocklists blocking users that have successfully authenticated, then these accounts are likely to be compromised and you should notify your abuse team so the account can be secured (typically via a password reset).

Aside from this, all outbound mail should be scanned in the same way as inbound and content scanned with domains blocked using the dblack domain blocklist and our various hash lists used for anything else.

How to Get Outbound Protection Right

Outbound spam can adversely affect your reputation, causing your own mail server to be blocked, which can affect all of your customers that are sending mail through your system. It’s important that you get this right and we have a few recommendations to get you started.

Segment inbound vs. outbound system

Firstly, we strongly suggest that you segment inbound vs. outbound systems. Keep them on completely different hosts because you’re going to want to have different scoring and policies between the two.

You’ll want to be more aggressive with outbound scanning as there is less metadata to work with and you’ll want to enforce very strict rate limits.

Only allow messages with a return path

One of our biggest recommendations is to only allow messages with a return path (mail from) containing a local domain. 

For example, if a customer buys space on your server for the domain xyz.com, then only allow them to send mail from the domain xyz.com. Don’t allow them to send mail from other domains like  gmail.com.  This prevents a whole class of outbound abuse e.g. an account being used to send phishing mail from @bankdomain.com

Check SPF outbound before the message leave your system

Another recommendation would be to check SPF outbound before the message leaves your system. Using your own IP address, check the message from the receiver’s perspective and reject any outbound messages that fail, or soft-fail, the SPF check.

Don’t check outbound IPs against our policy list

One thing you shouldn’t do with Abusix Mail Intelligence is to check outbound IPs against our policy list (this includes our “combined list” as the policy list includes it). 

The policy list is designed to list every IP on the planet that isn’t running a mail server. This means that your clients, that are using their mail clients to connect and send email, will run afoul of that. It’s just not designed to be used on outbound mail.

Check all IPs against AuthBL

In addition, check all IPs against the AuthBL and reject anything with a positive result. This should ensure that you catch any compromised accounts and bots that are trying to send mail through your hosts. Lastly, check the message body URLs against the domain blocklist (dblack) and, if your software is capable, against the hash lists. Hard reject any positive results.

All the steps above should give you the best outbound protection you can get. If you are still unsure of how to use both inbound and outbound with your mail server, please feel free to reach out to our team or go ahead and start your free 14-day trial to experience Abusix Mai Intelligence inbound and outbound protection in action! 

Share
Linkedin Icon Twitter Icon Facebook Icon E-mal Icon

Products & Tools

Type

Topic

Get in touch

Talk to us

The quickest way to get in touch with the team is via our online chat feature at the bottom right of this page. Alternatively, feel free to email us at [email protected] or send us a message via our form.

Is your IP blocked?
To get that resolved, please use our lookup-service and follow the instructions in order to delist your IP/domain.