No matter what email server or spam filter you’re using, there are a few quick and easy things you can do to reduce spam and related malware attacks on your network. Use the list below as a guide to important steps to take to protect your user from spam.
Your first line of defence, whether or not you have a spam filter, is to use a Realtime Block List (RBL) provider to reject any email from known spam servers. This alone will reduce spam email by 70–90%, depending on your industry. It will also reduce the load on your email server or spam filter, as well as your network, as the email is rejected before it’s downloaded, which could save you significant bandwidth. I recommend using zen.spamhaus.org as it is the most up to date, with the best spam-blocking and lowest false-positive rates. Best of all, setting up your email server or spam filter to use an RBL should only take you a few minutes.
If you make sure that only email using correct SMTP is accepted, you'll block most spambots. Ensure that you require HELO (EHLO) with a Fully Qualified Domain Name and preferably a resolvable hostname too. As with using an RBL, this check is done prior to accepting the email, so it will reduce the load on your spam filter, email server, and network. This will only take a few minutes to configure in your email server or spam filter.
A note here: Individual organisations may occasionally need to whitelist suppliers or customers with incorrectly configured email servers to allow their email to be accepted. This will work to significantly reduce spam for individual organisations, but may not be appropriate for MSPs.
Spammers often send email to a range of possible email addresses such as “admin@”, “info@”, and may also use a dictionary of names to get email into individuals’ email inboxes. Reject email that is not addressed to genuine email addresses by either uploading your valid email addresses as a CSV to your mail server or spam filter or using Microsoft Active Directory integration if possible.
Again, as with using an RBL and SMTP handshakes above, RV prevents the email being downloaded, saving you bandwidth and reducing load on your email server and network. This may take a little longer to implement if you need to get your valid list of email addresses, convert them into CSV format and upload them to your email server or spam filter, but it will be worth the effort due to the amount of spam it will block.
Note that all three of these solutions complement each other and can be implemented on most email servers – even without having a spam filter. If you’re not using these, you’re potentially wasting your bandwidth, opening your network to unnecessary risk and causing yourself a lot of wasted time and effort dealing with the effects of spam – such as the CryptoLocker virus. Make half an hour this week to implement these three, and you will probably save yourself weeks of work over the next year.
The rest of the steps here are only relevant if you have a spam filter (commercial or open source, on site, or in the cloud).
Very few organisations ever need to have .exe files delivered via email. Block them, and in the few cases where they’re required, create an alternative method of delivery that ensures safety with a minimum of bureaucracy. Make sure that you are blocking by MIME type, not file extension, as very few spammers will use the actual .exe file extension, but will rather disguise the payload file as a PDF, image, spreadsheet or doc.
If you don't have a spam filter, you need to have good endpoint anti-virus protection in place. If you do have a spam filter, make sure you’re using anti-virus scanning and that the AV engine and signatures are up to date. Most spam filters will allow you to automate and set the update frequency. My personal opinion is that if you have AV in your spam filter you can use a different AV for endpoint protection to get the benefit of redundancy. No matter how small the benefit of having different engines is, it still beats having all your eggs in one basket. You need to have endpoint AV, and the market for spam filters and endpoint AV is diverse and competitive enough that you don’t have to pay a premium to use two suppliers. Of course, YMMV, so please feel free to share your opinion in the comments!
Use URIBL and SURBL to check that URLs in the body of the email aren’t known malware or phishing websites.
Most spam engines will have this built in and it's usually not configurable. This is where a significant amount of spam is captured, based on a large database of recent and historical spam provided by the spam-fighting community. SpamAssassin is an excellent resource for accurate, up-to-date spam signatures.
Most spam engines use a Bayes engine, which is trained to recognise spam. (Bayes was a statistician, and his methods are widely used for classification – in this case: “spam” vs. “ham.”) Incoming email is scored based on the spam pattern library, bad attachments, bad links and end user feedback (the "Spam" or "Junk" button in the email client). The Bayes engine then learns to recognise new spam, and also to forget old spam patterns that might now block legitimate emails.
Most spam filters will give an incoming email a score based on the content and attachments. It’s up to you, the systems administrator, to decide the right spam score threshold for your organisation. This is something that takes a little trial and error to get right, but usually only needs to be done during the first week or two after deployment. Your spam filter providers should give you a trial period to validate that you can get this right for your organisation and help you configure their spam filter to get the optimum block rate and minimum false positive rate possible with their product. Make use of your free trial period to ensure you get this working.
Provide a way for your end users to improve your Bayes engine by manually tagging any spam that gets through your filter as "Spam" or "Junk", and also for correcting false positives.
A good email usage policy that teaches and warns of the risks and consequences of spam, malware, viruses and phishing gives your end users the knowledge they need to help catch the remaining few scams that get through. This alone could save your organisation from financial ruin. One could easily make the case for having this be No. 1 on the list, particularly because so many give this little attention.
There’s a lot of negative sentiment about "users" and how the sysadmin's job is to protect them from themselves. Instead of giving up on them as a lost cause, equip them with the armour and ammunition they need to join you in protecting their data. Use the big bad CrytoLocker as a scare tactic if need be, but make sure that everyone knows the potential risks in clicking a link in an email and to be suspicious of any email from the bank (or any other organisation critical to your business) asking for details they should already have – like usernames, passwords, account numbers, social security numbers, etc.
If you provide the tools and they’re not used, you at least have a leg to stand on when the crud hits the fan. "I told you so" is not much use once the business is bankrupt, but at least your career won't end with the company if you did everything you could reasonably be expected to do to protect the network and prevent intruders entry. Good luck in your continued fight to end cybercrime!
Sign-up for email updates...