Outgoing Spam Filtering

bluerayconcepts

We recently decided that we would fire up the outgoing filter side of our spam filter due to the continued blacklisting we were getting hit with. I had looked at this over the last year or so, but it wasn’t till recently that we were able to actually move forward with this. After doing tons of research and annoying the support folks at our spam filter dealer for several days with questions that I had not been able to find answers to, or with questions that the knowledge base articles left me with, I decided that I had enough info to go ahead and move forward. I would think this would apply to any spam filtering service, but our configuration was with Spam Experts and using CPanel as our control panel.

My main concerns dealt more with the email flow than anything else. I did not want to implement anything and then find out emails were not going out. Originally my plan was to only filter certain domains (those paying for outgoing) but ultimately decided that for the benefit of the greater good I would just filter everyone through a single IP. While this gives individual customers no access to outgoing information it would alleviate the amount of spam being sent and/or forwarded. If customers wanted access to information for their domain then we can easily shift their domain out of the main pool and into their own account.

Things of note:
  1. When setting up the outgoing filter, every domain on your server will be getting sent out via the smarthost configuration to the filter.
  2. Yes, you can set up where some domains are filtered and some are not.
  3. You will need to contact your specific filter's Support Team to get your specific information.
  4. You will need to add the spam filter's hostname they give you to your SPF record.
  5. After creating the IP authenticated user, set identification method to Envelope Sender.

Issues I ran into:
  1. Email forwards were broken. This turned out to be a timing issue. If I had done this a couple weeks prior it would not have been a problem, at least not till the update. But the WHM 54 update brought with it the implementation of SRS support for the Basic Exim Configuration. CPanel support said it should not have been on by default but unfortunately it was on after the update. The problem here is (as I understand it) that SRS rewrites the sender addresses so that the emails that are being forwarded appear to come from the forwarding mail server. While this is fine and dandy for normal operation to avoid it looking like the forwarded spam is coming from you, the way it rewrites the sender address makes the message fail. And since I was setting up outgoing filtering, I didn’t care since the filter should catch most if not all outgoing spam. Turning off SRS in the CPanel Exim Basic Configuration fixed this issue with outgoing forwarded email being bounced. This was the biggest issue and took a while to figure out.
     Example of an SRS-enabled sender address – SRS0=B6VOx=OH=originatingdomain.com=…dingdomain.com. Well, that email address does not exist on the forwarding email server so the sender verification fails.
  2. The other issue I ran into was with IPV6 enabled on my server. With IPV6 enabled on the server, I had to turn off “Send mail from account’s dedicated IP address” and turn on “reference /etc/mailhelo” and “reference /etc/mailips”. With IPV6 enabled on the accounts, WHM put each dedicated IPV6 in the /etc/mailips file. This caused the mail to fail sending because of the : in the IPV6 address. This is something that will need to be fixed in the future by either CPanel or my specific spam filter provider as IPV6 becomes more prevalent. I am leaning towards CPanel as it would seem the server was the one having the issue sending via the IPV6 address and not the filter, but I may be incorrect.
     Example of the IPV6 sending issue – == recipientemail.com R=smarthost_dkim T=remote_smtp_smart_dkim defer (-1): "IPV6 first digits" is not a valid IP address for the "interface" option for remote_smtp_smart_dkim transport

I found this fix by accidentally looking for another problem that I was having since the WHM 54 update, which was being blacklisted by CBL. You can find the post here that helped me with that issue and happily the IPV6 issue – CBL blacklisted but no outgoing spam detected

At this point I cannot see any reason why you would not have outgoing spam filter enabled for your server. I wish I had done this long ago but hindsight is 20/20. While the single IP authenticated user does not give you granular control, it is a simple and cheap way to control outgoing spam and help keep your servers off blacklists.

If you have the same setup as I do (Spam Experts and CPanel) and are looking at possibly setting this up, let me know and I can PM you the full version of this article, which contains knowledgebase article links and a step-by-step walkthrough. I will not post here without admin approval as it may be considered marketing.
 
We've had good experiences with Spam-Experts, but its cost for the budget conscious can be off-putting, as they charge per domain.

On our shared servers, rather than implement a heavy outgoing spam filter, we simply count the number of emails sent to "non-existent" recipients (as they bounce back).
If a user sends more than X amount of mails to non-existent email addresses, we suspend that email account until the user changes their password.
If they get suspended too often, we "have words".
This also stops "overheard"/compromised POP/IMAP accounts in their tracks.

If a script does the same, we ban the sending of emails from any scripts in the same path, until an admin has "released" the path.

By keeping X low, you never get to the point where you get banned. Customers can send 1000s of mails without issue if they are behaving and spammers give up and leave pretty quickly.

Only a few lines of exim.conf code are required to perform these checks.

We've had very few complaints about email since we've done this.
 
Like Ughosting says, you may implement email counting on your server. It's pretty much as dynamic as you want it. You can count even how many CC or BCC or To that are in a mail to trigger the spam detection as you may wish. Email per minute or hour could also be manipulated to give reverts. It's endless.
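
The bounce-counting policy described in the two replies above, as an added example that is not from any poster in the thread. Instead of the exim.conf rules the reply mentions (which the thread does not show), it counts unknown-recipient failures per authenticated account from Exim main log lines; the log lines are constructed samples, and the function name and limit are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Exim main log style; not taken from the thread.
SAMPLE_LOG = """\
2017-02-01 10:00:01 1cYaaa-0000aa-01 <= bob@example.test H=(pc) [198.51.100.7] P=esmtpsa A=dovecot_login:bob@example.test S=1200
2017-02-01 10:00:03 1cYaaa-0000aa-01 ** x1@remote.test R=lookuphost T=remote_smtp H=mx.remote.test [203.0.113.5]: SMTP error from remote mail server after RCPT TO:<x1@remote.test>: 550 5.1.1 User unknown
2017-02-01 10:00:03 1cYaaa-0000aa-01 ** x2@remote.test R=lookuphost T=remote_smtp H=mx.remote.test [203.0.113.5]: SMTP error from remote mail server after RCPT TO:<x2@remote.test>: 550 No such user here
2017-02-01 10:00:04 1cYaaa-0000aa-01 => friend@remote.test R=lookuphost T=remote_smtp H=mx.remote.test [203.0.113.5] C="250 OK"
2017-02-01 10:05:00 1cYbbb-0000bb-02 <= bob@example.test H=(pc) [198.51.100.7] P=esmtpsa A=dovecot_login:bob@example.test S=900
2017-02-01 10:05:02 1cYbbb-0000bb-02 ** x3@other.test R=lookuphost T=remote_smtp H=mx.other.test [203.0.113.9]: SMTP error from remote mail server after RCPT TO:<x3@other.test>: 550 5.1.1 Recipient address rejected: User unknown
2017-02-01 10:05:02 1cYbbb-0000bb-02 ** list@other.test R=lookuphost T=remote_smtp H=mx.other.test [203.0.113.9]: SMTP error from remote mail server after end of data: 554 5.7.1 Message rejected as spam
2017-02-01 10:06:00 1cYccc-0000cc-03 <= alice@example.test H=(laptop) [198.51.100.8] P=esmtpsa A=dovecot_plain:alice@example.test S=800
2017-02-01 10:06:02 1cYccc-0000cc-03 ** y1@remote.test R=lookuphost T=remote_smtp H=mx.remote.test [203.0.113.5]: SMTP error from remote mail server after RCPT TO:<y1@remote.test>: 550 5.1.1 User unknown
"""

# "<=" is a message arrival; A=<authenticator>:<id> names the authenticated account.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= \S+ .*?\bA=\w+:(?P<auth>\S+)")
# "**" is a permanent delivery failure for one recipient.
FAILURE = re.compile(r"^\S+ \S+ (?P<id>\S+) \*\* (?P<rcpt>\S+)")
# Only 550 replies that say the mailbox does not exist count towards the limit.
UNKNOWN_USER = re.compile(r"\b550\b.*(5\.1\.1|user unknown|no such user)", re.I)


def accounts_to_suspend(log_text, limit):
    """Return {account: count} for accounts with more than `limit`
    distinct non-existent recipients (the thread's "X")."""
    sender_of = {}           # message id -> authenticated account
    bad = defaultdict(set)   # account -> distinct unknown recipients
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            sender_of[m["id"]] = m["auth"]
            continue
        m = FAILURE.match(line)
        if m and UNKNOWN_USER.search(line) and m["id"] in sender_of:
            bad[sender_of[m["id"]]].add(m["rcpt"].lower())
    return {acct: len(r) for acct, r in bad.items() if len(r) > limit}


if __name__ == "__main__":
    print(accounts_to_suspend(SAMPLE_LOG, limit=2))
```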
 
Been happy with it so far. We may in the near future set up the whole spam filter as a local appliance so that we can get access to some additional features, but for now it's working well.

Only thing to add is that any scripts that are sending mail unauthenticated (contact forms, etc.) will get a lot of bounces. We have been going through and getting the customers set up on their forms and such with an authenticated email user.

Other than that, been happy and going smooth, and cost hasn't really been an issue as it's cheaper than most filters out there.
 