Fighting SPAM in Lotus Domino
For many e-mail administrators these days, the number one complaint from users and managers is unsolicited e-mail flooding the system, commonly called SPAM. SPAM causes many problems for admins, including slow SMTP and mail server performance, wasted network bandwidth, and increased disk space usage. It can even cause personnel issues at the workplace: end users falling for illegal "get rich quick" schemes, and an uncomfortable environment created by users receiving messages containing pornography and other material inappropriate for the workplace. That is before counting the millions of dollars companies lose in productivity to SPAM and the money they spend fighting it.
In 2001, the average internet user received 571 pieces of unsolicited e-mail, and the FTC expects the number to rise to more than 1500 by 2006 (http://digitalmass.boston.com/news/2002/02/12/spam.html). Personally I receive on average over 30 messages per day and know of people who receive hundreds. If an average employee spends just 7 minutes a day dealing with SPAM, that translates to a loss of 30.3 hours of productivity a year (7 minutes times 260 working days), almost an entire work week!
Currently in Domino R5 there are only a few things you can do to limit SPAM. Fighting SPAM requires not only that your servers be configured to fight it, but also that your end users understand how to avoid attracting SPAM in the first place.
In Domino, the first and most important step to eliminate SPAM is to deny relaying on the server. An open relay is an SMTP server that allows anyone to route messages through it to a foreign destination. Being an open relay can not only cause your server to be flooded with e-mail, but can get your company blacklisted so that your customers and business associates no longer accept your mail. Checking whether you are an open relay is simple. In Windows 2000, open a command prompt window and telnet to your mail server on port 25 with the following command (use the hostname or IP address of your Domino SMTP server; this is also a good way to troubleshoot other SMTP issues you may be having, so pay attention):
C:\>telnet smtpserver.yourdomain.com 25
After you issue the command you should receive a response that looks like:
220 smtpserver.yourdomain.com ESMTP Service (Lotus Domino Release 5.0.9a) ready at Fri, 15 Mar 2002 10:44:02 -0500
At the prompt, issue the helo command to identify your domain. For our relay test, you will want to use a fictitious outside domain, such as test.com. You should receive a response as follows:
>helo test.com
250 smtpserver.yourdomain.com Hello test.com ([127.0.0.1]), pleased to meet you
Next, type the mail from: command to identify the sender's e-mail address. I usually use [email protected]. Make sure that this e-mail address uses the same domain as your helo command. You will receive a 250 response that your sender is OK.
>mail from:[email protected]
250 [email protected]... Sender OK
Afterwards, identify your recipient with a rcpt to: command. Here is where you will see whether you are an open relay. In my example I am coming in from the domain test.com and sending to the domain yahoo.com. The message is not intended for a recipient on your server, so I am asking it to relay a message to yahoo.com.
>rcpt to:[email protected]
250 [email protected]... Recipient OK
If you get a Recipient OK response, you are an open relay! If you are not allowing relays, you should receive a response like this instead:
>rcpt to:[email protected]
554 Relay rejected for policy reasons.
You will also get a message in your log file under Miscellaneous Events to alert you when a SPAMmer tries to relay through your server:
03/15/2002 11:04:25 AM SMTP Server [0C90:0004-0BD8] Attempt to relay mail to [email protected] rejected for policy reasons. Relays to recipient's domain denied in your configuration.
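The telnet session above can be scripted so the relay test is repeatable (for example after every configuration change). The following is an added example, not code from the article: it performs the same HELO / MAIL FROM / RCPT TO exchange over a socket and reads the reply code to RCPT TO, stopping before DATA so no message is ever sent. To make it runnable offline it also carries a tiny in-process fake server that answers the way the Domino R5 transcripts above do; the hostnames and addresses are made up.

```python
"""Open-relay check mirroring the manual telnet session (HELO, MAIL FROM, RCPT TO),
plus an in-process fake SMTP server so it can be exercised offline.
Added example; hostnames and addresses below are made up."""
import socket
import threading


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, full text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # "250-..." continues a reply, "250 ..." (or a short line) ends it.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), "\n".join(lines)


def relay_check(host, port, helo_domain="test.com", sender="user@test.com",
                recipient="someone@yahoo.com", timeout=10):
    """Return (is_open_relay, transcript). The server is an open relay when it
    answers 250 to RCPT TO for a domain it is not responsible for."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")

        def cmd(line):                      # send one command (None = just read banner)
            if line is not None:
                s.sendall((line + "\r\n").encode("ascii"))
                transcript.append(">" + line)
            code, text = _read_reply(f)
            transcript.append(text)
            return code

        if cmd(None) != 220:
            raise RuntimeError("no 220 banner")
        if cmd(f"HELO {helo_domain}") != 250:
            raise RuntimeError("HELO rejected")
        if cmd(f"MAIL FROM:<{sender}>") != 250:
            raise RuntimeError("MAIL FROM rejected")
        code = cmd(f"RCPT TO:<{recipient}>")   # the actual relay test
        cmd("QUIT")                            # never send DATA; leave cleanly
    return code == 250, "\n".join(transcript)


class FakeDominoSMTP(threading.Thread):
    """Stand-in for the Domino replies quoted in the article. Refuses relays
    with 554 unless open_relay=True. Only delivers for yourdomain.com (made up)."""
    LOCAL_DOMAINS = ("yourdomain.com",)

    def __init__(self, open_relay=False):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 smtpserver.yourdomain.com ESMTP Service ready\r\n")
            while True:
                line = f.readline().decode("ascii", "replace").strip()
                if not line:
                    break
                u = line.upper()
                if u.startswith(("HELO", "EHLO")):
                    conn.sendall(b"250 smtpserver.yourdomain.com Hello, pleased to meet you\r\n")
                elif u.startswith("MAIL FROM:"):
                    conn.sendall(b"250 Sender OK\r\n")
                elif u.startswith("RCPT TO:"):
                    rcpt = line.split(":", 1)[1].strip(" <>")
                    domain = rcpt.rpartition("@")[2].lower()
                    if domain in self.LOCAL_DOMAINS or self.open_relay:
                        conn.sendall(b"250 Recipient OK\r\n")
                    else:
                        conn.sendall(b"554 Relay rejected for policy reasons.\r\n")
                elif u == "QUIT":
                    conn.sendall(b"221 closing connection\r\n")
                    break
                else:
                    conn.sendall(b"500 Command not recognized\r\n")


def run_demo(open_relay=False):
    """Start a fake server, run relay_check against it, return (verdict, transcript)."""
    srv = FakeDominoSMTP(open_relay=open_relay)
    srv.start()
    verdict, transcript = relay_check("127.0.0.1", srv.port)
    srv.join(timeout=5)
    return verdict, transcript


if __name__ == "__main__":
    for flag in (False, True):
        verdict, transcript = run_demo(open_relay=flag)
        print(transcript)
        print("OPEN RELAY" if verdict else "relay refused", "\n")
```

Against a real server, call relay_check("smtpserver.yourdomain.com", 25) from a host outside your network; run from inside, the test may pass only because your own address range is on the Allow list.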
There may, though, be legitimate reasons why you are an open relay:
1. You have other applications in your environment that generate SMTP messages and relay them through your SMTP servers.
2. You have POP and/or IMAP users that need to send outbound SMTP messages through your server.
3. You have other SMTP servers behind your firewall in your environment and they use your Domino server to send messages to the outside world.
If you have no reason for any servers to relay through your Domino servers and have no outside POP/IMAP users, you can simply deny relaying as follows:
1. In your Domino Directory (NAB), under the Configurations view, open the configuration document for your SMTP server. If you do not have one, create a new one for your SMTP server.
2. Click the Router\SMTP tab, then the Restrictions and Controls tab, and finally the SMTP Inbound Controls tab. [Screenshot: SMTP Inbound Controls tab]
3. There are two Deny messages fields. Placing a * in each field blocks any type of relaying through the Domino server.
4. If you have servers that need to relay through your SMTP server, add their IP addresses or hostnames to the Allow field instead. You will not need the * in the Deny fields if you use an Allow field, since you are then only allowing the specific servers listed. If you use IP addresses here, you must put them in [brackets].
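To see what the four steps above actually change, here is an added example (not the article's or Domino's own code) that models the relay decision as the article describes it: empty Deny fields leave the server open, a * in the Deny fields refuses every relay, a non-empty Allow list permits only the hosts listed (IPs in [brackets]), and, for the separate POP/IMAP server described later, a relay is permitted only after a Name & Password login. The precedence between Allow and Deny follows the article's wording rather than Domino's documented internals, and every host, IP and address is made up.

```python
"""Model of the Domino R5 Inbound Relay Controls decision as the article describes it.
Added example, not Domino's code; hosts, IPs and domains are made up."""
from dataclasses import dataclass, field
import ipaddress

ACCEPT = "250 Recipient OK"
REJECT = "554 Relay rejected for policy reasons."


@dataclass
class RelayControls:
    local_domains: frozenset                          # domains this server delivers for
    allow_hosts: list = field(default_factory=list)   # Allow ... from the following internet hosts
    deny_hosts: list = field(default_factory=list)    # Deny ... from the following internet hosts
    deny_to_domains: list = field(default_factory=list)  # Deny ... to the following external domains
    require_auth: bool = False                        # Anonymous off, Name & Password on


def host_matches(entry, hostname, ip):
    """One list entry: '*' matches everything, '[1.2.3.4]' an IP, anything else a hostname."""
    entry = entry.strip()
    if entry == "*":
        return True
    if entry.startswith("[") and entry.endswith("]"):
        try:
            return ipaddress.ip_address(entry[1:-1]) == ipaddress.ip_address(ip)
        except ValueError:
            return False                              # a malformed entry never grants relay
    return entry.lower() == hostname.lower()


def rcpt_decision(cfg, recipient, hostname, ip, authenticated=False):
    """Reply a server with this configuration gives to RCPT TO:<recipient>."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in cfg.local_domains:
        return ACCEPT                                 # local delivery is never a relay
    if cfg.require_auth and not authenticated:
        return REJECT                                 # the POP/IMAP relay server wants a login
    if cfg.allow_hosts:
        # An Allow list is a whitelist: only listed hosts may relay, no '*' needed in Deny.
        return ACCEPT if any(host_matches(e, hostname, ip) for e in cfg.allow_hosts) else REJECT
    if any(host_matches(e, hostname, ip) for e in cfg.deny_hosts):
        return REJECT
    if any(e.strip() == "*" or e.strip().lower() == domain for e in cfg.deny_to_domains):
        return REJECT
    return ACCEPT                                     # nothing denied it: an open relay


LOCAL = frozenset({"yourdomain.com"})
# The weak setting: a fresh configuration document with both Deny fields empty.
OPEN = RelayControls(LOCAL)
# Step 3: '*' in both Deny fields.
CLOSED = RelayControls(LOCAL, deny_hosts=["*"], deny_to_domains=["*"])
# Step 4: only the internal application server and the other gateway may relay.
ALLOW_LISTED = RelayControls(LOCAL, allow_hosts=["[192.0.2.10]", "gateway.yourdomain.com"])
# Separate POP/IMAP server: Anonymous disabled, Name & Password required.
AUTH_ONLY = RelayControls(LOCAL, require_auth=True)


def demo():
    """Run a made-up SPAMmer host and an internal app server against each configuration."""
    spammer = ("dialup-42.example.net", "198.51.100.7")
    app = ("app.yourdomain.com", "192.0.2.10")
    return {
        "open/spammer": rcpt_decision(OPEN, "victim@yahoo.com", *spammer),
        "closed/spammer": rcpt_decision(CLOSED, "victim@yahoo.com", *spammer),
        "closed/local": rcpt_decision(CLOSED, "tsoprano@yourdomain.com", *spammer),
        "allow/app": rcpt_decision(ALLOW_LISTED, "partner@example.com", *app),
        "allow/spammer": rcpt_decision(ALLOW_LISTED, "victim@yahoo.com", *spammer),
        "auth/anonymous": rcpt_decision(AUTH_ONLY, "friend@example.org", *spammer),
        "auth/login": rcpt_decision(AUTH_ONLY, "friend@example.org", *spammer, authenticated=True),
    }


if __name__ == "__main__":
    for case, reply in demo().items():
        print(f"{case:16} {reply}")
```

Note the "closed/local" case: denying all relaying does not stop mail addressed to your own domain, which is exactly the property you want.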
If you do have POP/IMAP users and therefore need to relay, there are two things you can do. The first is to list all of your POP/IMAP users as senders allowed to relay through your domain by adding them to the Inbound Sender Controls on the SMTP Inbound Controls tab of the configuration document. Obviously, this would be a very hard task to administer in a large POP/IMAP domain, and wildcards do not work here.
The second way, which gets around this, is to set up a separate server that authenticates inbound SMTP connections. This is done in the Server document, under the Ports\Internet Ports\Mail tab for that server. Under the SMTP Inbound section, disable Anonymous connections and enable Name & Password authentication. In your POP/IMAP client, check the option for SMTP server authentication and use the same username and password you use to download your mail (the username and Internet password in the user's Person document). See your POP/IMAP client documentation for more information about authenticating to an SMTP server. By enabling this field, you now require anyone who wants to relay to know a username and password on the system. The reason you cannot do this on your primary SMTP server is that every SMTP server that connects to it would then have to authenticate, and it is impossible to give an account on your system to every SMTP server that will ever connect to you.
Now that we have closed down relays, is there anything else that can be done to prevent SPAM? Yes there is. If you have a low-traffic domain and can afford the overhead, you can enable reverse DNS lookups on all incoming connections. In Domino, there are two fields on the SMTP Inbound Controls tab that do this.
By verifying the connecting hostname, you are asking Domino to check in DNS the hostname the connecting server is using. By verifying the sender's domain, Domino looks at the domain in the Mail From command and checks whether it is a legitimate domain. The problem is that both add overhead to the server, which has to verify every inbound SMTP connection. Another issue is that a company which does not have its DNS configured properly, or uses a proprietary SMTP load-balancing system (like aol.com), may cause Domino to block legitimate e-mail. Finally, there is one other setting you can use in Domino. In the configuration document of your SMTP server, under the Router\SMTP tab and then the Basics tab, you have a field called Address Lookup.
You have three choices in the drop-down box: Fullname then Localpart, Fullname only, and Localpart only. The default is Fullname then Localpart. This setting is similar to SMTP_EXACT_MATCH_ALL=1 in Domino 4.6. In the $Users view (a hidden view in the Domino Directory), each user's name is listed in many variations, and if a user has a unique first or last name, Domino will deliver mail addressed to just that name. While this is a convenient feature, it lets SPAMmers randomly generate addresses at your domain in the hope that a few will get delivered. For example, take a user called Tony Soprano. If Tony has the Internet address field in his Person document populated with [email protected] and a shortname of tsoprano, then with Fullname only enabled only the following addresses would be delivered:
[email protected]
[email protected]
[email protected]
The following would not work with Fullname only enabled:
[email protected]
[email protected]
[email protected]
[email protected]
As you can see, this limits delivery to exact fullname matches and would not let a SPAMmer send to [email protected] and get SPAM into your domain.
Even with top-of-the-line servers, blacklists and tight Domino controls, SPAM is an issue that has to be fought with educated end users. Here are some policies and procedures you should follow to help cut down on SPAM traffic.
1. Never use company mail for personal use. Tell end users to use a web-based mail system (like Yahoo or Hotmail) or an ISP e-mail account for any non-work-related e-mail.
2. Never respond to a SPAM message or click the "Remove me from this list" link in the message. I have even seen network admins fall for this. By clicking it you have just increased the value of your e-mail address to a SPAMmer: your address is now a verified address and gets sold at a premium!
3. Never use your work e-mail address on a public message board or newsgroup. SPAMmers have software that harvests these addresses and uses them to send you SPAM.
4. Create a mail-in database in Notes that users can forward SPAM to, so you can collect SPAM messages.
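Returning to the Address Lookup setting discussed above, the following added example (not the article's or Domino's code) models the three lookup modes against a small made-up directory, so you can see how many guessed local parts a SPAMmer gets delivered under each. The set of name variants assumed for the hidden $Users view (full name, first name, last name, shortname, and the local part of the Internet address), the rule that underscores and dots in a local part read as spaces, and the Person documents themselves are all assumptions made for the illustration.

```python
"""Model of Domino's Address Lookup modes (Fullname then Localpart / Fullname only /
Localpart only) against a made-up directory. Added example, not Domino's code; the
$Users variants and the Person documents below are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    first: str
    last: str
    internet_address: str   # the Person document's Internet address field
    shortname: str


LOCAL_DOMAIN = "yourdomain.com"
DIRECTORY = [                                          # constructed sample directory
    Person("Tony", "Soprano", "tsoprano@yourdomain.com", "tsoprano"),
    Person("Carmela", "Soprano", "csoprano@yourdomain.com", "csoprano"),
    Person("Paulie", "Walnuts", "pwalnuts@yourdomain.com", "paulie"),
]


def users_view(directory):
    """Approximation of the hidden $Users view: lookup key -> set of matching people."""
    view = {}
    for p in directory:
        keys = {p.first, p.last, f"{p.first} {p.last}", p.shortname,
                p.internet_address.split("@")[0]}
        for k in keys:
            view.setdefault(k.lower(), set()).add(p)
    return view


def fullname_lookup(address, directory):
    """Exact, case-insensitive match on the Internet address field."""
    for p in directory:
        if p.internet_address.lower() == address.lower():
            return p
    return None


def localpart_lookup(address, view):
    """Match only the local part against $Users; '_' and '.' read as spaces.
    An ambiguous hit (two Sopranos) is treated as undeliverable."""
    local = address.split("@")[0].lower().replace("_", " ").replace(".", " ")
    hits = view.get(local, set())
    return next(iter(hits)) if len(hits) == 1 else None


def resolve(address, mode, directory=DIRECTORY):
    """Person the router would deliver to under the given Address Lookup mode, or None."""
    if not address.lower().endswith("@" + LOCAL_DOMAIN):
        return None                                    # not our domain: never local delivery
    view = users_view(directory)
    if mode in ("Fullname then Localpart", "Fullname only"):
        p = fullname_lookup(address, directory)
        if p is not None or mode == "Fullname only":
            return p
    if mode in ("Fullname then Localpart", "Localpart only"):
        return localpart_lookup(address, view)
    raise ValueError(f"unknown Address Lookup mode: {mode}")


def guessable(mode, probes=("tsoprano", "tony", "soprano", "tony_soprano",
                            "paulie", "walnuts", "bob")):
    """Which guessed local parts a SPAMmer who knows only names gets delivered."""
    return [lp for lp in probes if resolve(f"{lp}@{LOCAL_DOMAIN}", mode) is not None]


if __name__ == "__main__":
    for mode in ("Fullname then Localpart", "Fullname only", "Localpart only"):
        print(f"{mode:24} delivers: {guessable(mode)}")
```

Under this model the default mode delivers five of the seven guesses (everything except the ambiguous "soprano" and the unknown "bob"), while Fullname only delivers just the one address that actually appears in a Person document.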
It is my personal recommendation that you use a Sendmail server as your primary SMTP server and have Domino relay all mail through it. While Domino can handle the traffic, it does not have the features Sendmail offers to control SPAM and filter messages. Luckily, Domino 6 will have some new and exciting features to help control SPAM. Domino 6 already features blacklist support and rules to control
Copyright www.dominozone.net 2001/2002 Michael Granit Published: 03/18/2002