We're Not Spammers, Honest
September 14, 2013 4:46 PM

My company's email domain has apparently been triggering spam-blocking filters at other companies sporadically for the last several months. We're not in the habit of sending out spam emails, so I need to find a way to uncover where any spam is coming from, stop it, and get ourselves off of whatever blacklists we're on (preferably without paying unreasonable ransoms for the privilege).

We only really know about this because every once in a while someone will get a failure notice when they try to send an email to a customer or vendor. My Google searching has uncovered this whole blacklist business, so I guess that's what's going on. The thing is, I have no reason to believe that any of our employees are sending out spam, and I haven't figured out any way to locate any rogue spambot activity that might be using our domain to send junk out (or make it look like it's coming from us).

The only other issue we've had like this was a couple of months ago when we started getting error messages telling us that we'd gone over the limit of 150 sent messages in an hour. Obviously my first thought was a hacked email account, but nobody reported anything abnormal with their respective accounts. (It is possible, though, that a dormant account belonging to a former employee might have somehow been compromised.) Around the same time, two people got a rash of spam emails that looked like failure notices for bounced messages originally sent from their accounts, but with spam links scattered through the body text. There was nothing in the Sent folders to indicate that the account had actually sent the original spam. I assumed at the time that it was just junk designed to look like bounced emails to freak the target out. The flood of failure notices stopped after we changed the passwords on those two email accounts, and we haven't had the 150-messages error since then.

Our hosting company has told me that they don't have a way for the domain owner to monitor email traffic in and out, so I can't just go to an admin console somewhere and look for abnormal activity. I could add every email address on the domain to my Thunderbird to check their Sent folders, but that's obviously tedious and there's no guarantee that anything would be showing up in the Sent folders.

So questions: Could someone have hijacked our email domain to send out spam mail, whether directly or using some kind of mirror/spoofing/hax? How can I find out what's going on given the above constraints? And can anyone tell me more about these spam blacklists, which look an awful lot to me like scams when they make you pay them to remove your domain?

Oh hey, and I also literally just learned that SMTP port 25 is blocked by many ISPs, and of course that's what we've been using by default. So could that be getting us blocked whether or not there's any actual spam going on?
posted by Starling to Computers & Internet (9 answers total)

You can check your server IP or domain against common blacklists. What SMTP server do the Thunderbird clients use - a relay server inside your company? Your ISP? Your domain provider? A third-party email provider like Google or Microsoft?
posted by djb at 6:10 PM on September 14, 2013


Best answer: I'm going to start by saying that this is a really messy question, which is indicative of broader problems, and I'll pick out a few points before making some general recommendations.

There was nothing in the Sent folders to indicate that the account had actually sent the original spam.

There doesn't have to be. That's entirely client-side, and given a) you were getting warnings about sending too many emails; b) the bounces went away when you changed the passwords, a spambot probably got into an account and used your SMTP server as a de facto relay, which is going to get you blacklisted. Email passwords are often shoddy.

I also literally just learned that SMTP port 25 is blocked by many ISPs, and of course that's what we've been using by default.

You're sort of misunderstanding this. Many ISPs filter port 25 traffic so that it either goes to their own SMTP servers or gets blocked if it doesn't go to their servers, but that's usually done more for residential accounts, and it shouldn't contribute to blacklisting.

Your company needs to get some email hygiene fast. Reset everyone's passwords on Monday. If they whine about not getting their email, tough. Audit for dormant accounts and kill them. Start enforcing strong passwords and make sure your users are using the SMTP server associated with the mail domain. That last bit isn't strictly necessary, but it means you have a single point of origin to distinguish crap coming from your own servers vs joe-jobs pretending to be you.

Plug your MX into a blacklist check. Perhaps sign up for ongoing monitoring. Some large mail recipients (Yahoo, AT&T) are quicker to blacklist than others, and have their own set of criteria aside from the distributed blacklists.

It may well be time for you to switch to a dedicated mail hosting provider that will provide you with the kind of logging you need.
posted by holgate at 6:13 PM on September 14, 2013


I'm not a tremendous expert on e-mail, but I can make a few observations:

- if you were getting the 150+ messages and the bounce messages, that does strongly suggest that the actual accounts were compromised, especially since they stopped once the passwords were changed. You wouldn't find them in the sent mail folder of the mail client, as the spammer is using your account credentials but not your mail client.
- E-mail tends to be a wretched hive of scum and villainy (i.e. a security problem), so I'd suggest the following for starters [on preview, holgate said about the same stuff, only better, so consider this a lengthy THIS]

-- disable all unused e-mail accounts. Turn them into forwarders, delete them, don't let unused accounts sit around.
-- Make sure all active employees are using strong passwords. Assign them yourself, get with them and plug them into their mail clients.
-- if possible, I'd move the e-mail function over to a service like Google apps. This involves changing some MX records, signing up for the account, and recreating all the e-mail accounts. It's quite a transition, but I trust the security on a service like that a lot more than I do my own web server.

I wouldn't pay anyone to get off a black list. What I believe happens is that reputable blacklists will either accept a remove request, or perhaps it will age off with time if you keep your act together.
posted by randomkeystrike at 6:22 PM on September 14, 2013


Jeff Atwood's blog has some tips for this.

But really, things you have said like "I could add every email address on the domain to my Thunderbird to check their Sent folders, but that's obviously tedious and there's no guarantee that anything would be showing up in the Sent folders" indicate so deep of a misunderstanding of email that you should probably read a book or hire an expert.
posted by wayland at 6:33 PM on September 14, 2013


Yeah, the fundamental problem here is that you're in way over your head, which is fine, because not everyone needs to understand the wretched business of deciphering bounce messages or parsing mail logs or sending "pretty please unblock us" requests to large mail providers.

What you do need is some kind of email security policy that's actively enforced, along with a mail provider that gives you a pretty thorough admin-level overview of what's going out and coming in, and it appears that your existing hosting company (BlueHost? some other commodity provider?) doesn't have those capabilities.

Google Apps would probably be the easiest leap, but whether your company wants to shove its mail archives into Google's maw is another issue.
posted by holgate at 6:55 PM on September 14, 2013


Don't want to hog the thread, but I glanced at your previous question and did a bit of hypothesising: if a coworker's machine was infected with malware, there's a possibility that it could nab email credentials from client configs (or a keylogger) and either blast away through the SMTP port from that local machine, or just distribute the creds around a botnet that could then send mail through your MX.

If you followed the instructions in that best answer, but forgot to change the network-service passwords for the user of the affected machine, then you might be okay going forward with a fresh start and a better overall security/hygiene policy. But if there's malware still lurking around, no amount of password security is going to help you.
posted by holgate at 10:50 PM on September 14, 2013


Best answer: Lots of potential issues that can contribute to this. Mxtoolbox.com that others have linked to for blacklist checks has many other great diagnostic tools for mail servers.

First thing to check is that you are not an open relay, meaning anyone on the internet can connect in on port 25 and send mail through your server. The "smtp test" on MX Toolbox will check that.

Make sure to fix your security issues before requesting removal from any blacklists, or you'll just get right back on. The lists are generally pretty lax about removing you the first time, but get more strict if they have to add you back.

Check the "PTR" test and make sure your external IP address has a reverse record tied to your primary .com/.net/.org whatever it may be domain name. Lots of big mail providers will reject messages from servers without proper PTRs in place. You'll have to contact your ISP to add that record.

Another major factor is your internal network. Viruses and malware love to blast out spam when they find the right host. You should have a business class router/firewall that will allow you to block outbound port 25 to only your mail server. That will keep workstations with viruses from sending out spam. I second what other people have said about changing passwords, enforcing complex passwords, and deleting old accounts as well. You could get something like a Barracuda web filtering appliance, which would provide logging details to isolate exactly what computers are trying to send spam. The web filter will also cut down on people getting viruses by restricting access to known bad websites.

An outside mail hosting solution might be a good option, depending on many factors. That's not going to be a quick short term fix though, as it's not something you want to jump into without careful planning. An outside spam filtering solution would be a pretty easy thing to add. Most hosted spam filters will have outbound filtering (called a smarthost). You'd then lock down port 25 on your router to only their servers, and nothing could get around the filter. A few options are Red Condor, AppRiver, and Postini. Those will really cut down on spam coming in or going out.
posted by mgr at 11:03 PM on September 14, 2013
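The blacklist check djb and holgate mention and the PTR test mgr describes can be scripted rather than pasted into a web form one IP at a time. This is an added example, not code from the thread or from MX Toolbox: a DNSBL lookup reverses the IP's octets under the list's zone and treats an A record in 127.0.0.0/8 as a listing, and a forward-confirmed reverse DNS check verifies that the server's PTR name resolves back to the same IP. The address 192.0.2.10 and the hostnames used in testing are constructed; zen.spamhaus.org is the one real zone queried, and the 127.255.255.0/24 error range follows Spamhaus's documented return codes.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

DNSBL_ZONES = ["zen.spamhaus.org"]  # add other zones your mail provider relies on


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_dnsbl_answer(answers: List[str]) -> Optional[bool]:
    """True if listed, False if not, None if the list reported a query error.

    DNSBLs answer with A records in 127.0.0.0/8 for a listing. Spamhaus
    reports query errors (blocked public resolver, rate limit) in
    127.255.255.0/24, so that range is 'unknown', not a listing.
    """
    if not answers:
        return False
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(a in ipaddress.IPv4Network("127.255.255.0/24") for a in addrs):
        return None
    return any(a in ipaddress.IPv4Network("127.0.0.0/8") for a in addrs)


def fcrdns_ok(ip: str, ptr_names: List[str],
              forward: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse DNS: some PTR name must resolve back to ip.
    `forward` maps a hostname to its A records (real resolver or test table)."""
    return any(ip in forward(name) for name in ptr_names)


def live_check(ip: str) -> Dict[str, object]:
    """Run both checks against real DNS; needs network access."""
    def a_records(name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:  # NXDOMAIN means 'not listed' / no such host
            return []
    try:
        ptr = [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        ptr = []
    listed = {z: interpret_dnsbl_answer(a_records(dnsbl_query_name(ip, z)))
              for z in DNSBL_ZONES}
    return {"listed": listed, "ptr": ptr, "fcrdns": fcrdns_ok(ip, ptr, a_records)}


if __name__ == "__main__":
    print(live_check("192.0.2.10"))  # constructed address; a real run queries DNS
```

A `None` result means the query itself failed (for example, Spamhaus refuses lookups routed through some public resolvers), so rerun from your own resolver before concluding anything about the listing.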


The problem might be external to you, and actually reside with another customer of your hosting company. Essentially, your hosting company only has a handful of SMTP servers, which everyone uses; they might have aliases (mail.yourdomain.com) to make things nicer for you to set up, but the physical machine and therefore the network address are the same.

If another client is sending out a bunch of crap, that can trigger that SMTP server to be put on the blacklist, and therefore cause you and all other clients using that exit-point to be caught by it. If your hosting company has a forum, it's worth asking the other clients if they're having the same issue, at the same time.
posted by Static Vagabond at 5:47 AM on September 15, 2013


Response by poster: Thanks for all of the suggestions. It is pretty clear that I'm in over my head, so I'll have to go over all of this with our actual IT guy tomorrow. Our domain isn't actually on any blacklists according to the search at MXToolbox, but we'll have some work to do to shore the system up.
posted by Starling at 4:03 PM on September 15, 2013

