
Lotus Domino 6 spam Survival Guide for IBM eServer

You may find that certain hosts need to relay through this Domino server. Add 
those hosts (by name or IP address) to the “Allow messages only from the 
following internet hosts to be sent to external internet domains” field. Once 
that field contains entries, only the hosts explicitly listed in it can use this 
server as a relay; every other external host is refused. 

Internal hosts (those within your local Internet domain) are exempt from relay 
checking by default. Any host that Domino determines to be part of your local 
Internet domain is allowed to relay through this Domino server regardless of the 
Allow and Deny settings described above, so these fields alone do not stop an 
internal host from relaying.

In Domino Release 5, to subject internal as well as external hosts to relay 
checking, you had to set the following notes.ini variable:

SMTPAllHostsExternal=1

With this variable set, Domino treated every connecting host as external, so 
every host was subject to relay checking. This let administrators close down the 
relay capability of the server for all hosts, internal ones included. If an 
internal host genuinely needed to relay through the Domino server, it could be 
placed in the “Allow messages only from the following internet domain to be 
routed to external internet domains” field. 

Conflicts between the destination and source restrictions

Domino 6 resolves a conflict between the destination and source fields 
differently than R5 did. In Lotus Domino 5, Deny entries took precedence over 
Allow entries; in Lotus Domino 6, Allow entries take precedence over Deny 
entries. The same configuration can therefore produce opposite relay decisions 
on the two releases, which matters when you migrate a closed-relay setup. 

For example, let’s say that you allow relays from the following host and deny them 
to the following domain:

Allow from hosts: 9.95.91.51
Deny to domains:  yahoo.com

On a Domino 5 server, because the Deny entry takes precedence, the named 
host, 9.95.91.51, cannot relay to denied destinations. In the example, the 
Domino 5 server cannot relay to any address in the yahoo.com domain.

On a Domino 6 server, in the event of a conflict between entries, Allow entries 
take precedence. By giving a specific host “Allow” access, you allow that host to 
relay to any destination. In the example, the host 9.95.91.51 can relay to the 
yahoo.com domain even though the domain is explicitly denied as a relay 
destination.

Similarly, the following configuration denies relays from a specified host and 
allows them to a specified domain:

Deny from hosts:  myhost.iris.com
Allow to domains:  hotmail.com
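To make the precedence rules above concrete, here is an added Python model of the relay decision for one connecting host and one recipient domain. It is example code written for this page, not Domino's own logic. It covers the internal-host exemption, the R5 SMTPAllHostsExternal=1 behaviour, and the R5-versus-Domino 6 Allow/Deny precedence, and it runs the two example configurations from the text through both releases. Assumptions, also marked in the code: a single local Internet domain (example.com), suffix matching for domain entries, an IP literal treated as an external host, and the outcome of the second example (Deny from myhost.iris.com, Allow to hotmail.com) derived from the stated precedence rule, since the text's discussion of it continues on the following page. The host 203.0.113.5 and the domain example.net are constructed test inputs, not values from the text.

```python
"""
Toy model of Domino SMTP inbound relay decisions. Added illustration for this
page; not Domino code. Field semantics beyond what the text states (suffix
matching, IP literals as external, a single local domain) are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class RelayConfig:
    # The four Inbound relay controls lists, using the short labels from the text.
    allow_from_hosts: set[str] = field(default_factory=set)   # "Allow from hosts"
    deny_from_hosts: set[str] = field(default_factory=set)    # "Deny from hosts"
    allow_to_domains: set[str] = field(default_factory=set)   # "Allow to domains"
    deny_to_domains: set[str] = field(default_factory=set)    # "Deny to domains"
    # Assumption: one local Internet domain; hosts inside it are "internal".
    local_internet_domain: str = "example.com"
    # R5 notes.ini SMTPAllHostsExternal=1: treat every connecting host as external.
    all_hosts_external: bool = False


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def _domain_match(name: str, entries: set[str]) -> bool:
    """Assumption: a domain entry matches the name itself or any sub-domain of it."""
    name = _norm(name)
    return any(name == e or name.endswith("." + e) for e in map(_norm, entries))


def _host_match(host: str, entries: set[str]) -> bool:
    """Hosts may be listed by name or IP literal; compare exactly, case-insensitively."""
    return _norm(host) in {_norm(e) for e in entries}


def is_internal_host(host: str, cfg: RelayConfig) -> bool:
    """Internal = a hostname inside the local Internet domain.
    Assumption: an IP literal is treated as external here (Domino resolves via DNS)."""
    try:
        ip_address(host)
        return False
    except ValueError:
        return _domain_match(host, {cfg.local_internet_domain})


def relay_decision(version: int, cfg: RelayConfig, connecting_host: str,
                   recipient_domain: str) -> tuple[bool, str]:
    """Return (relay permitted?, reason) for one RCPT TO under R5 (version=5)
    or Domino 6 (version=6) Allow/Deny precedence rules."""
    if _domain_match(recipient_domain, {cfg.local_internet_domain}):
        return True, "recipient is in the local Internet domain: delivery, not a relay"
    if is_internal_host(connecting_host, cfg) and not cfg.all_hosts_external:
        return True, "internal host: exempt from relay checking"

    host_allowed = _host_match(connecting_host, cfg.allow_from_hosts)
    host_denied = _host_match(connecting_host, cfg.deny_from_hosts)
    dest_allowed = _domain_match(recipient_domain, cfg.allow_to_domains)
    dest_denied = _domain_match(recipient_domain, cfg.deny_to_domains)
    explicit_allow = host_allowed or dest_allowed
    explicit_deny = host_denied or dest_denied

    if explicit_allow and explicit_deny:          # the conflict case the text describes
        if version >= 6:
            return True, "Domino 6: Allow entry takes precedence over Deny entry"
        return False, "Domino R5: Deny entry takes precedence over Allow entry"
    if explicit_deny:
        return False, "matched a Deny entry"
    # "Allow ... only": a non-empty Allow list shuts out everything not listed.
    if cfg.allow_from_hosts and not host_allowed:
        return False, "Allow-from list is non-empty and host is not listed"
    if cfg.allow_to_domains and not dest_allowed:
        return False, "Allow-to list is non-empty and destination is not listed"
    if not (cfg.allow_from_hosts or cfg.deny_from_hosts
            or cfg.allow_to_domains or cfg.deny_to_domains):
        return True, "no relay restrictions configured: OPEN RELAY"
    return True, "no restriction matched"


# The two conflict examples from the text, as constructed configurations.
EXAMPLE_1 = RelayConfig(allow_from_hosts={"9.95.91.51"}, deny_to_domains={"yahoo.com"})
EXAMPLE_2 = RelayConfig(deny_from_hosts={"myhost.iris.com"}, allow_to_domains={"hotmail.com"})

if __name__ == "__main__":
    cases = (("example 1", EXAMPLE_1, "9.95.91.51", "yahoo.com"),
             ("example 2", EXAMPLE_2, "myhost.iris.com", "hotmail.com"))
    for label, cfg, host, dom in cases:
        for version in (5, 6):
            ok, why = relay_decision(version, cfg, host, dom)
            print(f"{label} R{version}: {host} -> {dom}: "
                  f"{'RELAY' if ok else 'REJECT'} ({why})")
```

Running the script prints REJECT for both examples on R5 and RELAY for both on Domino 6, which is the migration trap the text warns about: a Deny entry that closed a relay path on R5 is overridden on Domino 6 by any matching Allow entry. The model also returns an explicit "OPEN RELAY" reason when all four lists are empty and no exemption applies, which is the state to check for first when your domain is reported as an open relay.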
