
Some spammers cache original email server IP

 
--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Wed Dec 14, 2005 2:35 pm    Post subject: Some spammers cache original email server IP

Deal with Spammers Who Cache Old MX Record or Write to Secondary Record

Spammers send mail directly to the IP address of the server previously associated with your mailbox - even though it is no longer listed on your MX record. They also send spam to the servers listed on secondary MX or A records - hoping that a mail server is present and is configured to accept mail for your domain. This forces spam along the path by which it was previously accepted. The spammer knows that you may have added security into a pipe that still delivers to the same server, and that you may be unable to change the IP address of a shared server.

If your mail server is open to the internet and has the same IP address it had before adding vqSA or vqNow, some spam will bypass your security measures. This is evident from the lack of a gray control stripe at the top of incoming mail. How can you avoid this trickery? The first two tips may be difficult for a hosted mail server that has many different domains, but keep reading. Our Admin users have added other techniques below:
  • Accept mail only from the Vanquish security server. For vqNow: 64.130.238.106 and 74.94.168.18. This solution may be a problem for servers that also host non-vqNow mailboxes.
  • Accept mail only on an alternate port - not port 25. (Inform us of this, so that we can deliver to the proper port).
  • Create a rule that discards mail to users that do not have a header beginning: "X-VQ-Reason:" [details]. This solves the problem completely, because all protected mail has this header, even if it is released from the Held Mail.
    NOTE: This tag is not the real sender-signed bond. That's in a different section. It is conceivable - but unlikely - that an enterprising spammer could both cache your MX record and also forge this header, but only if he suspects that you are using our security process.
  • Block mail that arrives on port 25 if it is intended for a protected domain. We will always relay through the alternate port.
  • If all of your clients are using your vqNow or vqSA service, change the IP address of your mail server.
  • Use two IP addresses: One for your legacy users and one for those moved to Vanquish. These can coexist on one mail server running two SMTP processes, but it may be easier to route traffic if they are on two separate PCs.

__________________________


Paul Daniel adds this tip. Paul is admin for WAC (operator of Lodinet.com)...

Phil, Here is how we are currently handling this problem.

We have a Redhat box running rinetd and all mail A records point to this box. The mail server was given a new IP address and the MX records are pointed to the Vq box. From the Redhat box we just port forward. This has stopped the spam from reaching our mail server.

Now there was one problem we found with this setup. Our web servers do not do SMTP Auth, so we set them to point to the mail server with a made-up A record, like forms.domain.com.

Hope this is helpful --Paul Daniel


Last edited by --VQ-- on Tue Jul 20, 2010 10:43 am; edited 12 times in total
--VQ--
Site Admin


Posted: Fri Oct 20, 2006 3:49 am

Added by Michael at Ne'qwa Art (Neqwa.com)
Hi Paul,

In addition to getting spam that gets through without a Vanquish header, I also get email from 2 employees (.neqwa.com) without a header. All the other employees come through with the header. Everyone is on my Allow list. What do you think is happening?

Also, I think I should probably do the following:

Create a rule that discards all mail to users that does not have a header beginning: "X-VQ-Reason:". This solves the problem completely, because all protected mail has this header, even if it is released from the Held Mail.

Is this done in Vanquish, my email server or my Outlook? How do I do this?

Thanks for your continued assistance. -Mike
--VQ--
Site Admin


Posted: Wed Jun 27, 2007 1:10 pm

Question
My email accounts are hosted by a hosting service (the shared mail server is not exclusive to my domain). What can I tell my email host to avoid the problem of spammers circumventing the vqNow or vqSA security service?

Answer: First, let's explore how a spammer can address mail direct to your email service. Suppose you are writing to (bob@bar.com). When you press the send button, your ISP does these things:
  • Contact a DNS server to determine the IP address for bar.com
  • Knock on the door of the recipient mail server and check whether it still accepts mail for bar.com
  • Hand off mail for the user, Bob
If your email service has very recently sent a previous message to bar.com, they don't bother to check the DNS server. They rely on their own cache for the delivery IP address. The recipient DNS or MX record tells senders for how long they may rely on their cache or even their local DNS server, rather than checking with the authoritative DNS server. This "Time to Live" is usually set to 1 hour or 1 day.

But spammers intentionally save old DNS records, especially if they sense that the mail was delivered to a valid email address (either it did not bounce or they used a web beacon which confirms that it was opened or previewed). They use these old DNS records and also the servers listed on your secondary records just in case you have subsequently added a security process into the delivery pipeline. Is it clever? You bet! Spam has been raised to an art form.

First, get rid of secondary MX records. You should have only 1 MX record (priority 10). Point it to www.vqnow.com or your own vqSA security appliance. Then tell your email host:
  • I have set my MX record to route incoming mail through a 3rd party server. But this new server will still deliver mail to my existing mailboxes on your server. (It is just pushed through the outside server first.)
  • Spammers have cached my old IP address. They are sending direct to your server in an effort to bypass the new route.
  • I wish to stop users from circumventing the interim security server. There are several ways to accomplish this (best choice is at the top):

    • (a) Use a different IP address or mail server for my domain. Then, the spammer will no longer know the direct route because it does not appear on my records. -OR-
    • (b) Accept mail only if it comes from the security server. (For vqNow, it is 64.130.238.106 and 74.94.168.18.) This is a perfect solution, but a shared hosting service may not be able to set trusted IP addresses for individual clients.
    • (c) Accept mail only on an alternate port -- not port 25. -OR-
    • (d) Filter out any mail that does not show the above IP address (or the words "vqnow.com") in the header. -OR-
    • (e) Simply filter out any mail that does not have the header "X-VQ-Reason:"
    • (f) Finally, the least preferable way of doing this is for you to do (d) or (e) within your own email software.
If the mail does not have a Gray Control Stripe it is most definitely spam. Legitimate senders do not save old MX records. That's how spammers send mail that arrives without a stripe.


Last edited by --VQ-- on Tue Jul 20, 2010 10:44 am; edited 1 time in total
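The checks recommended in the first post and in the answer above, written out as an added Python example (this is not Vanquish code). The relay addresses are the two vqNow IPs quoted in the thread; the protected domain bar.com, the alternate delivery port 2525, and the sample messages with their Received lines are constructed assumptions. The point it makes is the one the thread hints at: only the connecting IP and port are outside the sender's control, so a header-only filter, which is all a shared host may offer, accepts a message whose X-VQ-Reason header was simply forged.

```python
"""Policy check for mail that arrives around the filtering relay.

Added example, not Vanquish code. The relay addresses are the two vqNow
IPs quoted in the thread; the protected domain, the alternate port and
the sample messages are constructed assumptions.
"""
import ipaddress
import re
from email import message_from_bytes
from email.policy import default

RELAY_IPS = {ipaddress.ip_address("64.130.238.106"),
             ipaddress.ip_address("74.94.168.18")}
RELAY_PORT = 2525                 # assumed: the alternate port the relay uses
PROTECTED_DOMAINS = {"bar.com"}   # assumed: domain whose MX points at the relay

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def signals(raw, peer_ip, peer_port):
    """Gather the facts the thread's tips key on for one delivery attempt.

    peer_ip/peer_port describe the TCP connection and are outside the
    sender's control; every other value comes from headers the sender
    could have written.
    """
    msg = message_from_bytes(raw, policy=default)
    rcpt_domain = str(msg["To"] or "").rsplit("@", 1)[-1].strip("<> ").lower()
    received = msg.get_all("Received") or []
    m = _BRACKET_IP.search(str(received[0])) if received else None
    claimed = ipaddress.ip_address(m.group(1)) if m else None
    return {
        "protected": rcpt_domain in PROTECTED_DOMAINS,
        "from_relay": (ipaddress.ip_address(peer_ip) in RELAY_IPS
                       and peer_port == RELAY_PORT),
        "received_claims_relay": claimed in RELAY_IPS,
        "has_control_header": msg["X-VQ-Reason"] is not None,
    }


def policy_connection(s):
    """Accept protected mail only from the relay's own connection on the
    alternate port; mailboxes of legacy domains are left untouched."""
    if not s["protected"]:
        return "accept"
    return "accept" if s["from_relay"] else "reject:direct-delivery"


def policy_header_only(s):
    """What a shared host may let a tenant do: filter on header text
    (relay IP in Received, or the X-VQ-Reason header). It trusts text the
    sender wrote, so it is the fallback, not the fix."""
    if not s["protected"]:
        return "accept"
    if s["has_control_header"] or s["received_claims_relay"]:
        return "accept"
    return "reject:no-control-header"


def evaluate(raw, peer_ip, peer_port=25):
    """Return (connection-based decision, header-only decision)."""
    s = signals(raw, peer_ip, peer_port)
    return policy_connection(s), policy_header_only(s)


# Constructed sample deliveries; the Received lines mimic what the
# connecting host wrote, not a real vqNow trace.
VIA_RELAY = b"""Received: from www.vqnow.com [64.130.238.106] by mail.bar.com
X-VQ-Reason: sender on allow list
From: alice@example.net
To: bob@bar.com
Subject: hello

ok
"""
DIRECT = b"""Received: from mx3.example.org [203.0.113.9] by mail.bar.com
From: deals@example.org
To: bob@bar.com
Subject: offer

buy
"""
FORGED = b"""Received: from www.vqnow.com [64.130.238.106] by mail.bar.com
X-VQ-Reason: sender on allow list
From: deals@example.org
To: bob@bar.com
Subject: offer

buy
"""

if __name__ == "__main__":
    print(evaluate(VIA_RELAY, "64.130.238.106", 2525))
    print(evaluate(DIRECT, "203.0.113.9"))
    print(evaluate(FORGED, "203.0.113.9"))
```

Run as-is, the relayed message is accepted by both policies and the direct one is rejected by both; the forged copy is rejected only by the connection-based policy. That is the ordering the answer gives: a new IP, a relay-only allow list or an alternate port first, header filters last.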
--VQ--
Site Admin


Posted: Tue Sep 23, 2008 9:51 am    Post subject: Create a rule that discards "slip-around" spam

How Can I Create a Rule to Stop Spam With no Control Stripe?
Asked by Syd Abrahams of Boca Scientific

A simple rule or filter is an instruction that discards mail that slips around the security server. The rule can be placed at your email server or hosted service, or it can be configured within the individual PC email programs that access your mail.

Setting a Rule at Your Email Server or Service

You may be able to setup a rule at the mail server. Log into your control panel and check the options that are available to you. We do not recommend doing this with a technician on a support phone call. It is very likely that they won't stick around to test it with you and you will probably have to go through the same procedure over and over whenever they reboot their server.

Setting a Rule Within your Email Program

Writing a rule (or filter) for your local PC is effective, but should be used as the method of last resort. This is because it consumes bandwidth, subtracts from your online quota, and requires configuration on any PC that accesses your mail. Considered alone, none of these drawbacks are significant, but any engineering purist would acknowledge that they add up to an inelegant solution.

Let's look at how to create a rule in your PC program. We will consider Outlook in this example, but the process is similar for any email program...

We wish to create a rule that discards mail that is missing the header X-VQ-Reason. Outlook offers the rule "If header contains "[phrase]...", but it does not offer "If header does not contain "[phrase]..."". But we can achieve the same thing by using a secondary rule. Create the rule this way:
  • If header contains "-", then delete it
    {of course, every email header includes a hyphen}
  • except if header contains "X-VQ-Reason"
    {this is where the Vanquish messages are delivered}
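The two-rule workaround above, emulated in Python beside the direct "header is absent" test a server-side filter can express, as an added example that is not part of the post. The messages are constructed. Outlook's "header contains" condition is a substring match over the whole header block, so the emulation compares raw text too; the two forms agree on ordinary mail and diverge in the two edge cases the sample messages exercise.

```python
"""Outlook two-rule workaround versus a direct header test.

Added example, not Vanquish code. Sample messages are constructed.
"""
from email import message_from_string
from email.policy import default

CONTROL_HEADER = "X-VQ-Reason"   # header the relay adds to protected mail


def header_block(raw):
    """The text Outlook's "header contains" condition inspects: every
    header line up to the blank line that starts the body."""
    return raw.split("\n\n", 1)[0]


def outlook_two_rule(raw):
    """Rule from the post: delete if the header contains "-",
    except when it contains "X-VQ-Reason". Plain substring tests."""
    hdr = header_block(raw)
    if CONTROL_HEADER in hdr:
        return "keep"
    return "delete" if "-" in hdr else "keep"


def direct_rule(raw):
    """The server-side form of the same intent: delete exactly when the
    named header is absent, whatever else the header block contains."""
    msg = message_from_string(raw, policy=default)
    return "keep" if msg[CONTROL_HEADER] is not None else "delete"


def compare(raw):
    """Return (two-rule decision, direct decision) for one message."""
    return outlook_two_rule(raw), direct_rule(raw)


# Constructed messages, not real vqNow output.
PROTECTED = """Received: from www.vqnow.com [64.130.238.106] by mail.example.com
X-VQ-Reason: sender on allow list
From: alice@example.net
To: bob@example.com
Subject: hello

ok
"""
SLIPPED = """Received: from mx3.example.org [203.0.113.9] by mail.example.com
Message-ID: <1@example.org>
Date: Wed, 14 Dec 2005 14:35:00 -0500
From: deals@example.org
To: bob@example.com
Subject: offer

buy
"""
# Header block with no hyphen at all: the "-" rule never fires.
NO_HYPHEN = """From: deals@example.org
To: bob@example.com
Subject: offer
Date: Wed, 14 Dec 2005 14:35:00 +0000

buy
"""
# The phrase appears in the Subject, not as a header name: the exception fires.
SUBJECT_TRICK = """Received: from mx3.example.org [203.0.113.9] by mail.example.com
From: deals@example.org
To: bob@example.com
Subject: re: X-VQ-Reason

buy
"""

if __name__ == "__main__":
    for name, raw in [("protected", PROTECTED), ("slipped", SLIPPED),
                      ("no_hyphen", NO_HYPHEN), ("subject_trick", SUBJECT_TRICK)]:
        print(name, compare(raw))
```

Both forms keep the protected message and delete the ordinary slipped one. A message whose headers happen to contain no hyphen, and one that merely mentions "X-VQ-Reason" in its Subject, survive the two-rule version but not the direct test, which is one more reason to place the rule at the server where a real "header does not exist" condition is available. Neither form helps against a sender who forges an actual X-VQ-Reason header, the caveat noted in the first post.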
All times are GMT - 4 Hours