
Preventing 550 errors (Server Validation List)

 
tortoise62



Joined: 16 Aug 2006
Posts: 11

Posted: Sat May 05, 2007 5:10 pm    Post subject: Preventing 550 errors (Server Validation List)

I use the enterprise appliance - which works fantastic for our valid email accounts. By monitoring the SMTP logs, I found that there were nearly 32,000 550 errors for the month on our Exchange server.

We employ recipient filtering on our Exchange server, along with tarpitting to prevent directory harvesting.

Interestingly, 28 invalid email addresses were the target of over 29,000 of the delivery attempts. The 28 addresses were a combination of once-valid accounts as well as seemingly random accounts.

Q: Would it be wise to add these invalid accounts to our Vanquish appliance to prevent unwanted connections to our email server? The Vanquish appliance is hosted offsite.
--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Mon May 07, 2007 9:14 am

The vqSA email security appliance includes a Validation List (in some update versions, this list is called Server-Allow or Global Allow). We strongly recommend that vqSA admins activate this feature in the left frame. It immediately and efficiently blocks all attempted connections from senders with an invalid recipient address. The process of blocking a connection draws a fraction less of the resources of an otherwise invalid address - and even creates immunity from most dictionary attacks.

We can envision only one scenario in which you may wish to turn Validation List OFF. If you have users who prefer to use Catch All addresses for which they cannot create individual vqSA user addresses - nor even place onto the separate validation list. This is rare. It would only be the case for users who "invent" addresses for every venue and cannot access a computer to create them when giving them out -- unlikely, because to make the catch all feature useful, they would still need to place the address onto their List-Server Allow List.

If you turn off the Server Validation list, the total capacity of your vqSA will be greatly diminished during Denial-Of-Service and dictionary attacks.
tortoise62



Joined: 16 Aug 2006
Posts: 11

Posted: Mon May 07, 2007 1:25 pm

I can't seem to find any documentation on this Validation option in either the User Guide or the Appliance Guide.

Does this utilize SenderID or domain keys? How exactly does this work? I certainly don't want to prevent any email from being delivered to an authorized account.

An explanation would be greatly appreciated!
--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Mon May 07, 2007 1:32 pm

It was my oversight that there was no link to an explanation of the feature. It is here in this same vqSA Admin forum.

Incidentally ALL valid and registered email addresses are automatically part of the server validation list.

I regret that it has not yet been incorporated into the vqSA Admin user guide.
tortoise62



Joined: 16 Aug 2006
Posts: 11

Posted: Wed May 09, 2007 9:43 am

I read the link, but I am still curious as to how it works...

Just exactly what happens when I make this selection? Do I need to list every contact on my Exchange server to prevent their messages from being bounced?

Is this process similar to Microsoft Exchange's recipient filter - used to prevent directory harvest attacks?

--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Wed May 09, 2007 6:05 pm

The Server Allow List is a surprisingly simple feature. It simply rejects any SMTP connection in which the delivery address is not registered with the server. This completely avoids the more intensive exchange of a typical 2-stage remote server connection.

For example, if a spammer pretending to be Bob@Earthlink.net wants to send mail to Sue@YourDomain.com, the communication between mail servers goes like this. (I am condensing some steps):
  • [Earthlink]: We are about to deliver a message from our user "BOB" to your user "Sue".
  • [VQ]: Connection refused.
The sender is left knowing that we exist - but is completely cut off before completing the connection. The process becomes even more effective when you combine tarpitting. That is, the process of gradually slowing down future attempts as the number of bad addresses continues. Eventually, the process ties up very large resources at the spammer and very few resources at the recipient.

Without a Server Allow List, the connection uses far more resources - especially when a security service is in the pipe. In fact it results in 4 full message transfer connections instead of zero! First, a full connection and email delivery takes place. Then, we relay the message to your server. After queues flush out, your server realizes that the message has an invalid delivery address. It attaches an error message and passes it back through our server which must create a new email back to the apparent sender (most likely a fake address - or an innocent victim).

The fast-disconnect method is also much more polite for legitimate senders. Depending upon their email program and provider, some senders will see an error line instantly within their email program (telling them of an incorrect address) - rather than wait for return email.

The immediate blocking of a delivery agent without a valid envelope is not unique. But we are asking that you allow us to move this address validation task up the chain (i.e. to your security server). This significantly reduces load on both servers.

Incidentally, a Harvest attack is not possible on a vqSA server - at least not until someone develops an exploit that gets around all that we have developed. But every domain is subject to Dictionary attacks and DOS attacks (Denial of Service). Perhaps this is what the Exchange filter is intended to thwart.

Let's please shift further explanation or discussion to a phone call. That would be more efficient for this level of Q&A. This thread makes a good de facto FAQ.
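The envelope-stage rejection and tarpitting described in the post above, sketched as an added Python example (not Vanquish's code and not part of the original thread). It assumes the rejection is a 550 reply to RCPT TO; the tarpit thresholds and the `yourdomain.example` addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed validation list; domain and mailboxes are placeholders.
VALIDATION_LIST = {"sue@yourdomain.example", "it@yourdomain.example"}

TARPIT_FREE = 2     # bad recipients tolerated before any delay (assumed)
TARPIT_STEP = 5.0   # seconds added per further bad recipient (assumed)
TARPIT_MAX = 60.0   # upper bound on the delay (assumed)

@dataclass
class Session:
    """Per-connection state kept by the hypothetical edge filter."""
    bad_rcpts: int = 0
    accepted: list = field(default_factory=list)

def normalize(addr: str) -> str:
    """Strip angle brackets and lowercase so Sue@ and sue@ match."""
    return addr.strip().strip("<>").lower()

def tarpit_delay(bad_rcpts: int) -> float:
    """Delay grows with each bad recipient past the free allowance."""
    over = max(0, bad_rcpts - TARPIT_FREE)
    return min(TARPIT_MAX, over * TARPIT_STEP)

def handle_rcpt(session: Session, rcpt: str):
    """Return (delay_seconds, smtp_reply) for one RCPT TO command."""
    addr = normalize(rcpt)
    if addr in VALIDATION_LIST:
        session.accepted.append(addr)
        return tarpit_delay(session.bad_rcpts), "250 2.1.5 OK"
    # Unknown recipient: refuse before any message data is transferred,
    # so nothing is relayed inward and no bounce is generated later.
    session.bad_rcpts += 1
    return tarpit_delay(session.bad_rcpts), "550 5.1.1 User unknown"

def replay(rcpts):
    """Feed a list of RCPT TO addresses through one session."""
    session = Session()
    return session, [handle_rcpt(session, r) for r in rcpts]

if __name__ == "__main__":
    # Constructed dictionary-style probe with one real mailbox in it.
    probe = ["<bob@yourdomain.example>", "<jim@yourdomain.example>",
             "<Sue@YourDomain.example>", "<amy@yourdomain.example>",
             "<zed@yourdomain.example>"]
    session, replies = replay(probe)
    for rcpt, (delay, reply) in zip(probe, replies):
        print(f"{rcpt:28} wait {delay:4.1f}s  {reply}")
```
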
All times are GMT - 4 Hours