CommuniGate Pro
Version 6.4
 

Protection

The Internet is flooded with soliciting E-mail messages distributed to millions of E-mail addresses. These messages are known as "spam".

Spammers fill your user Mailboxes with a huge amount of unwanted messages, not only overloading your network and Server resources, but making mail retrieval very slow and difficult for your users.

Besides the methods described in this section, additional methods are described in the Denied Addresses section.


The CommuniGate Pro Server has Protection Options that can help you to deal with "spam".


Restrictions for Roaming (non-client) Users

Support for mobile users can be disabled on per-account and per-domain basis by disabling the Roaming option in the Enabled Services section on the Account Settings and Domain Settings pages. If this service is disabled for an Account, the Account user will able to connect only from the internet addresses included into the Permitted Login Addresses list.

Mail relaying for mobile users can be disabled on per-account and per-domain basis by disabling the Relay option in the Enabled Services section on the Account Settings and Domain Settings pages. This setup is useful when you give users Accounts on your Server, but you do not want them to be able to relay SMTP mail through your Server (they are forced to submit messages using the WebUser Interface or any other non-SMTP methods).


Return-Path Address Verification

Since your SMTP module can accept incoming TCP connections, spammers can send a lot of unwanted messages to your users.

To protect your site from spammers, the SMTP module can verify the Return-Path address (specified with the Mail From SMTP command) of incoming messages.

The SMTP module parses the message Return-Path (Mail From) address and rejects it if:
  • the Return-Path domain name is an empty string (no domain specified)
  • the Return-Path address is routed (via the Server Router) to the ERROR address

When the Verify HELO and Return-Path option is selected in the SMTP Service Settings, the SMTP module refuses to receive a message if:

  • the Return-Path domain name is specified as an IP address, and that address is not included into the Client Addresses list

If the connection comes from an address not included into the Client IP Addresses list, additional DNS verification checks are done, and the SMTP module rejects the Return-Path address if:

  • the Domain Name System does not have MX or A records for the Return-Path domain (an unregistered domain)
  • the Domain Name System has an MX record for the Return-Path domain, but it points to an A-record that does not exist (a faked domain)

The SMTP module uses the Router after it parses the Mail From address. If that address is an address of a local user, or the address is known (rerouted) with the Router, the Mail From address is accepted. This eliminates Domain Name System calls for the addresses "known" to the Server.

The addresses routed to the ERROR address are rejected, so you can specify "bad" addresses and domains in the Router.

Examples:
If you do not want to accept mail from any address in the offenderdomain.com domain, put the following line into the Router settings:
offenderdomain.com = error
or
<*@offenderdomain.com> = error

If you do not want to accept mail from all addresses starting with "promo" in the offenderdomain.com domain, put the following line into the Router settings:
<promo*@offenderdomain.com> = error

If the Return-Path domain cannot be verified because the Domain Name Server that keeps that domain records is not available, the module refuses to accept the message, but instead of a "permanent" error code the module returns a "temporary" error code to the sending system. The sending system will try again later.

You can tell the SMTP module to use SPF DNS records to check that messages with the specified Return-Path can come from the sender's network (IP) address.

You can tell the SMTP module to use the Reverse Connect method:
  • the SMTP module makes a connection to the server that receives E-mail for this Return-Path address
  • the SMTP module sends the Return-Path address to that server and checks the server response

If the server rejects this address, the SMTP module rejects the supplied Return-Path address, too.

Temporarily Blocked Addresses

CommuniGate Pro maintains its own "temporary Blacklist". Network addresses in that list are blocked for a certain time period only.

Temporarily Blocked IP Addresses
Debug after: and Block after: failed Logins in  
protocol errors in  
Blocking Time: Blocked Addresses Limit:
Temporarily UnBlockable IP Addresses
UnBlocking Time: UnBlockable Addresses Limit:

IP Addresses can be put into Temporary Debug IP Addresses list or blocked when the Server detects some activity from those addresses that can be qualified as suspicious:

  • too many protocol errors in SMTP receiving sessions (the number of errors is configured in the SMTP module)
  • addresses routed to the spamtrap address in SMTP receiving sessions
  • too many failed authentication (Login) attempts from the same address
  • too many protocol errors (misformed packets) in the packet-based protocols, such as SIP.
Debug after and Block after
Use these settings to specify when a Network IP Address should be debugged or blocked:
failed Logins in
maximum frequency of failed Login attempts: if there are more failed Login attempts from some IP Address during the specified period of time, this IP Address is blocked.
protocol errors in
maximum frequency of protocol errors or misformed packets: if there are more misformed protocol packets from some IP Address during the specified period of time, this IP Address is blocked.
Blocking Time
Use this setting to specify for how long an IP Address should be blocked.
Blocked Addresses Limit
Use this setting to specify the maximum number of IP Addresses the Server can block.

Note: addresses included into the White Hole Addresses list are never placed into the Temporarily Blocked Addresses list.

Note: in a Dynamic Cluster environment only the Cluster-wide Temporarily Blocked Addresses settings are in effect.

Temporarily UnBlockable IP Addresses
The Temporarily UnBlockable IP Addresses are a temporary analogue of permanent White Hole Addresses.
An IP address becomes temporarily unblockable as a result of successful authentication made from that address.
UnBlocking Time
Use this setting to specify for how long an IP Address should be unblockable.
UnBlockable Addresses Limit
Use this setting to specify the maximum number of IP Addresses the Server can not block.

Checking Network Address Status

Your IP tables can become quite large, making it difficult to check if a particular network address is recognized by the Server as a Client one, or as a Blacklisted one.

Use the Test Address panel located on the Client IP Addresses and Blacklisted IP Addresses pages:

Test Address: [10.0.1.89](host1.lan) is Trusted

Enter an IP address and click the Test button. The IP address status appears.

The status shows the IP address you have entered. It can have the Local prefix, if the address is the local address of your Server, or it can have the LAN prefix, if the address is included into LAN IP Addresses list.

The "reverse-resolved" name is displayed if the Server had to perform the "reverse-resolving" DNS operation to get the address status.

The address and optional name are followed by the address status:

Trusted
the IP address is a Client IP address.
TempTrusted
the IP address is processed as a Client IP address because some user (with the Relay Service enabled) has recently authenticated from that address.
Blacklisted
the IP address is blacklisted. If the address is blacklisted because it is included into some RBL, the name of that RBL server is displayed.
Regular
all other addresses.

Spam Traps

You can protect your site from incoming spam by creating and advertising one or several "spam-trap" E-mail addresses. The CommuniGate Pro Router detects a special local address, spamtrap. If your server receives a message, and at least one of its recipients is spamtrap@yourhost or at least one of its recipients is routed to spamtrap, the Server rejects the entire message.

You may want to create one or several alias records for "nice-looking" fictitious E-mail addresses and route those addresses to spamtrap:

<misterX> = spamtrap
<johnsmith@subdomain.com> = spamtrap

Alternatively, you can create Forwarders pointing to the spamtrap address.

Then you should do your best to help these addresses (misterX@yoursite.com, johnsmith@subdomain.com) to get to the bulk mailing lists used by spammers. Since most of those lists are composed by robots scanning Web pages and Usenet newsgroups, place these fictitious addresses on Web pages and include them into the signatures used when you and your users post Usenet messages. To avoid confusion, make the fictitious E-mail addresses invisible for a human browsing your Web pages and/or attach a comment explaining the purpose of these addresses.

Many bulk mailing lists are sorted by the domain name, and as a result many spam messages come to your site addressed to several recipients. These recipients are the E-mail addresses in your domain(s) that became known to spammers. When the fictitious, "spam-trap" addresses make it to those databases, most of spam messages will have these addresses among the message recipients. This will allow the Server to reject the entire messages, and they will not be delivered to any real recipient on your site.

When at least one of the incoming message recipient addresses is routed to the spamtrap address, the entire message is rejected, and the IP Address of the sending server is placed into the Temporarily Blocked Addresses list, unless this IP Address is included into the Client IP Addresses or White Hole Addresses lists.


Banning Mail by Header and Body Lines

You can specify a set of message Header and Body lines to be used to detect spam. When the server receives mail in the RFC822 format (via SMTP, RPOLL, POP XTND XMIT, PIPE modules), it compares each received header and body line with the specified lists. If a message contains one of the specified lines, the message is rejected.

You can use the wildcard ('*', asterisk) symbols in the Banned Lines you specify. Usually you should not use them, since you are expected to compose the "banned" lists by copying header or body lines from the known spam messages.

Message lines are compared to the specified Banned lines in the case-sensitive mode.

Each Header line can include the end of line symbols if the header field was "wrapped".

If a message header or body is encoded (using MIME or UU encoding), the lines are not decoded before they are compared to the Banned line sets.

To specify the set of Banned Lines, open the Queue pages in the Settings realm of the WebAdmin Interface, and click the RFCReader link.

Banned Header Lines

Banned Body Lines

To add a new line, enter it in the empty field, and click the Update button.

To remove a line, delete it from its field, and click the Update button.


Filtering Mail

When a message is received with the Server, a set of Server-Wide Rules is applied. These Rules can be used to detect unwanted messages and reject, discard, or redirect them.

For example, the following Rule can be used to reject all messages that have a missing To: header field:

DataOperationParameter
ActionParameter

You can create various filtering rules using all features of CommuniGate Pro Automated Mail Processing, including external filter programs started with the Execute Rule Action.


Relaying Rerouted Messages

Read this section if you need to provide special relaying features.

If you place an alias record into the Router table:

NoRelay:<user> = user@other.host
then all mail from strangers to that user will be rerouted to that other.host server. These messages will be treated as messages "from a stranger to a stranger", and they will be rejected.

To enable relaying, use the Relay: prefix:

Relay:<user> = user@other.host
<user> = user@other.host

When an address is being converted with such a record, it gets a marker that allows the server to relay messages to that address. If an address is modified with a record that has the NoRelay: prefix, this marker is not set, but it is not reset either - if it has has been set with some other Router record (see the example below).

The same situation exists if you want to reroute all mail for a certain domain to a different host (for example, if you back up that host).

Relay:clienthost.com = client1.com
Relay:<*@clienthost.com> = client1.com

When the address modified with the Router record is not a "simple address", i.e. it contains several routes, as in user%host1@host2, or <@host2:user@host1> - the Relay: prefix does not set the flag that allows message relaying. This is done because the host to which the rerouted message is relayed may "trust" all messages that come from your host, and relaying addresses with multiple routes would allow someone to relay messages to anybody through your host and that other host.

If the receiving server is well-protected, too, you may need a Router record that allows relaying of any address rerouted with that record. Use the RelayAll: prefix for those records:

RelayAll:<report-*@clienthost.com> = report-*@client1.com

Very often you do not want the Router records to be used for actual relaying - you provide them for your own clients only, to specify a special path for certain addresses/domains. For example, if you want mail to bigprovdier.com to be sent via a particular relay relay3.com, you should place the following record into the Router table:

NoRelay:bigprovdier.com = bigprovdier.com@relay3.com._via

Without the NoRelay prefix, any host on the Internet could send messages to bigprovdier.com via your Server. The NoRelay prefix tells the Router not to add marker to addresses in the bigprovdier.com domain, so only your own users (clients) can send mail to bigprovdier.com domain using your Server.

Note: you may have an alias record in your Router:

Relay:<joe> = joe5@bigprovdier.com

This record tells the server to reroute all mail addressed to joe@mydomain.com to joe5@bigprovdier.com. Since this record has the Relay: prefix, anybody in the world can send E-mail messages and Signals to joe@mydomain.com and they will be successfully relayed to the bigprovdier.com domain.
The joe5@bigprovdier.com address will be converted to joe5%bigprovdier.com@relay3.com._via and sent via relay3.com host: the second address transformation does not add the "can relay" marker, but it does not reset the "can relay" marker set during the first transformation:

Operation AppliedAddressMarker
Received (Original) addressjoe@mydomain.comNO
Main Domain (mydomain.com) cut-off:joeNO
Router Record:
Relay:<joe> = joe5@bigprovdier.com
joe5@bigprovdier.comYES
Router Record:
NoRelay:bigprovdier.com = bigprovdier.com@relay3.com._via
joe5%bigprovdier.com@relay3.com._viaYES
SMTP/SIP Module:
accepted for the host relay3.com
joe5@bigprovdier.comYES

Cluster Setup

When a Server is a member of a Dynamic Cluster, the WebAdmin Network and Queue Settings pages provide links that allow you to switch between the local (server-wide) and the cluster-wide Settings.

The cluster-wide Address Tables (Client IP Addresses, Unblacklistable IP Addresses) are processed as extensions of the server-wide tables: an address is considered to be listed if it is included into either the server-wide or into the cluster-wide table.

The cluster-wide "Banned" settings are processed as extensions of the server-wide settings: a message is banned if its header or body line is listed in the server-wide or in the cluster-wide settings.


CommuniGate Pro Guide. Copyright © 2020-2023, AO StalkerSoft