New Outgoing Mail Rules
Soon we will be applying new mail rules which will do the following:
1- Prevent outgoing email with a FROM address (both envelope and header FROM) from a domain not hosted on the server.
2- Prevent outgoing email with specific subject lines containing known spam words like viagr*, etc.
Note: you must be aware that a small portion of contact forms and similar mailing scripts send emails as FROM the address submitted in the form (for example, mail from email@example.com). In this case the mail will be blocked and you need to modify your script to send from a local domain on the server.
* We are discussing these rules now with our customers, and once the role and benefits of these rules are clear enough we will apply them. You may comment on this at http://www.jaguarpc.com/forums/youve...iscussion.html
Last edited by JPC-Katrina; 04-03-2012 at 12:03 AM.
What made us think of these filters?
Upon studying the spamming occurrences for a while, we found the following:
1- The hacker gains access to an account, either through infected PCs or vulnerable scripts/plug-ins.
2- The hacker uploads web files which look like PayPal, for example.
3- The hacker starts sending mail through a PHP or Perl script via our mailing system, sending mail as if from PayPal and asking you to check your profile as it has been limited; of course the link points to the malicious pages he just uploaded.
4- The hacker collects PayPal info when victims fall for the email.
In some other scenarios the hacker just uploads mail-sending scripts and starts advertising Viagra or the Nigerian (419) scam.
Why are we applying such rules?
This kind of spam represents more than 60% of spam problems, and it's always a script kiddie (meaning he is not a real hacker; he just tries a tutorial from some source or uses some kind of automated hacking programs/scripts). We found that the way they leak spam mail is by changing the mail header "From Address" and leaving the envelope "From Address" intact, so log parsing and normal filters won't catch them.
How will these rules help prevent this spam?
By checking both the envelope and header "From address" against domains residing locally on the server, and stopping outgoing emails sent as if FROM any remote domain, this will prevent such spam from being sent. We will also get a notification in the logs that we can parse later to find hacked accounts. This will dramatically decrease IP blacklisting problems and increase the reputation of our servers' IPs.
Also, by checking outgoing mail subjects against known spam lines like:
"your .*ebay .*business"
and blocking such outgoing mails, this will improve system security even further.
On what type of servers will this be applied?
Only on shared and reseller servers.
Will we be notified if a message is blocked?
Yes, a message will be sent to the envelope "FROM address" (usually firstname.lastname@example.org) to warn you about the incident and the reason.
Does this affect Reply-To headers?
Nope. Reply-To is not checked by these rules; you can still set it to an external domain.
What if my domain or an add-on domain doesn't have email addresses set up; will this get mail blocked?
No, we check the domain part only, not the email address, so if the domain is hosted on the server the mail should pass normally regardless of whether you have set up email accounts or not.
Can we ignore the email if the TO address is local?
Unfortunately this can't be done, as the TO field can accept many addresses, unlike the FROM field, so there can be many recipients in the same message, some local and some remote.
What kind of mails are affected by these new rules?
FormMail and similar contact form scripts which have the "email" (FROM address) variable set to any remote domain, whether taken from user/visitor input or hard coded.
What kind of mails are not affected by these new rules?
Normal mail traffic sent through desktop clients or webmail, mail forwards, cron job mail reports, and any contact form sending mail with a FROM domain hosted locally on the server.
Last edited by JPC-Katrina; 04-04-2012 at 10:55 AM.
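A policy check that models the rules described in the two posts above, as an added example that is not JaguarPC's own filter code: both envelope and header FROM domains must be hosted locally (domain part only, no mailbox lookup), Reply-To is ignored, and the subject is matched against spam patterns. The local-domain list, the subject patterns and the sample addresses are constructed for the example.

```python
import re
from email.utils import parseaddr
from typing import Tuple

# Constructed list of domains hosted on this (hypothetical) server.
LOCAL_DOMAINS = {"example.com", "shop.example.net"}

# Constructed subject patterns in the spirit of the post's "viagr*" and
# "your .*ebay .*business" examples; matched case-insensitively.
SPAM_SUBJECT_PATTERNS = [
    re.compile(r"viagr", re.IGNORECASE),
    re.compile(r"your .*ebay .*business", re.IGNORECASE),
]


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an address such as
    'Name <user@Example.com>', or '' if it cannot be parsed."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_outgoing(envelope_from: str, header_from: str, subject: str,
                   reply_to: str = "") -> Tuple[bool, str]:
    """Apply the post's outgoing rules to one message.

    Returns (allowed, reason). Only the domain part of the two FROM
    addresses is checked, so a local domain passes even when no mailbox
    exists for it. Reply-To is accepted but deliberately not examined,
    matching the FAQ answer above."""
    for label, address in (("envelope FROM", envelope_from),
                           ("header FROM", header_from)):
        dom = domain_of(address)
        if dom not in LOCAL_DOMAINS:
            # Blocked; per the FAQ the warning notice goes to the envelope FROM.
            return False, (f"{label} domain '{dom or '?'}' is not hosted here; "
                           f"notice sent to {envelope_from}")
    for pat in SPAM_SUBJECT_PATTERNS:
        if pat.search(subject):
            return False, f"subject matches spam pattern /{pat.pattern}/"
    return True, "ok"
```

A contact form that sends FROM the visitor's own address fails on the header FROM check even though the envelope sender is local, which is exactly the case the announcement warns script owners about.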