Subject Using SAF or SMTP proxies to shield your MX from spammer abuse
Author Scott Prive

Using SAF to shield your MX from spammer abuse

Spammers use networks of 'bots' to systematically trawl through Internet addresses and port numbers. If you have a mailserver exposed to the Internet, the spammers will always find your server; the important thing is to ensure your mailserver is secure against the various forms of spammer attack.

Two common types of spam vulnerability are 'open relay' and permitting 'Delivery Status Notifications' or other failure notices to be sent for mail that should have been refused. While the former is more serious, both methods involve tricking your mailserver into relaying spam, or into encapsulating spam inside an error message, so that it ultimately arrives in an innocent party's Inbox.

Any modern mailserver is immune to relay and failure-notice attacks; obsolete mail servers are not. Good security practice includes staying up to date on software releases and 'hardening' your servers against attack. Failing to address security vulnerabilities endangers your access to TZO services and to the Internet in general (spam victims will also complain to your ISP), hurts your reputation, and, since spam victims may nominate you for distributed Internet blacklisting, can cause your mail to suddenly be 'refused' by many ISPs and mailservers.

In some cases, budgets or Intranet-software dependencies make upgrading the mailserver a difficult proposition. Some older mailservers were designed for 'work group use only' on a trusted LAN, and were never suitable for being exposed to the Internet in the first place. Restricting or segregating such servers to Intranet use is a good solution, as it removes the insecure server from the reach of the Internet.

Hiding your mailserver behind the firewall does create a problem: how will inbound mail for your domain get past your firewall and reach your server? One solution is to use additional TZO services, Store And Forward (SAF) or Spam and Virus Filtering (SVF), to act as your MX record. To enable SAF/SVF to deliver email to your server, you will need to relax your firewall to permit (whitelist) the TZO SAF/SVF server IP addresses.

SAF/SVF is particularly useful for protecting against open relay attacks, dictionary (address harvesting) attacks, and 'joe job'/backscatter attacks, which trick servers into relaying spam inside failure notices.

Without protection against these basic attacks, your servers can be used to attack other servers. If your mailserver is both exposed to the Internet AND out of date (Exchange 5.x and Exchange 2000 spring to mind), some server hardening must be considered. If the mailserver uses TZO Outbound Mail Relay (OMR), the outbound spam will attempt to go through TZO, where it will be detected, and the account will be suspended until a solution is in place.

Other solutions besides SAF

The benefits of SAF/SVF go far beyond protecting an insecure email server, but in the interest of fighting spam we should mention that there are other methods of shielding an older server. We do not know much about the use of these approaches, so this advice comes 'as is'. One solution is a Windows-based SMTP proxy such as WinGate. Another involves 'server appliances and SMTP firewalls', such as Barracuda or IronPort. A do-it-yourself solution involves building an SMTP firewall from a Linux or FreeBSD server using popular mailservers such as Exim or Postfix (there are even Perl scripts which can be plugged into Postfix/Exim to verify recipient addresses against the internal mailserver, and so offer protection against dictionary attacks being used to make your server relay spam inside 'failure notices').
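As an added example (not TZO's configuration and not code from this article), here is a Postfix main.cf fragment for the do-it-yourself SMTP front end described above: it refuses relaying for anything but the internal domain and probes the internal server with an RCPT TO before accepting each recipient, so unknown addresses are refused at the front door instead of turning into failure notices. The hostname, the 192.0.2.0/24 LAN and the 10.0.0.25 internal server address are assumed placeholders.

```ini
# Postfix main.cf fragment for an SMTP front end placed in front of an
# older internal mailserver (added example; placeholder names/addresses).
# Postfix does not allow a comment after a value on the same line, so
# every comment here sits on its own line.

# Assumed hostname of the front end.
myhostname = mx.example.com

# Deliver nothing locally: this box only relays.
mydestination =

# Assumed LAN range. Only these clients may relay outbound mail.
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# The only domain we accept inbound mail for.
relay_domains = example.com

# Hand accepted mail to the internal server (assumed address 10.0.0.25).
# /etc/postfix/transport contains the line:  example.com  smtp:[10.0.0.25]
transport_maps = hash:/etc/postfix/transport

# No static recipient list; recipients are checked live instead.
relay_recipient_maps =

# Order matters: LAN clients may relay; everyone else is accepted only
# for relay_domains (this closes the open relay); then each recipient is
# probed on the internal server with RCPT TO before we say 250, so a
# dictionary attack is refused here and never produces a bounce.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unverified_recipient

# Refuse unknown recipients permanently instead of the default 450
# (leave at 450 while first testing the probes against the internal server).
unverified_recipient_reject_code = 550

# Probe with the null sender so the probes themselves can never bounce.
address_verify_sender =

# Cache probe results so the internal server is not asked on every RCPT.
address_verify_map = btree:$data_directory/verify_cache
```

The probe only helps if the internal server rejects unknown recipients during the RCPT TO stage; a server that accepts everything and bounces later will answer 250 to every probe, and the front end will then relay the dictionary attack unchanged.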

Copyright 1998-2008, Tzolkin Corporation. All rights reserved.