How does a Server Admin handle spam?
Submitted by Hendry Matthew on | 179 reads
Server administrators are not just part of the system; they are the "system" itself, enforcing zero tolerance against spam. So how do they actually enforce it? First and foremost comes the foundation of the server: how the abuse reporting system is set up and implemented.

1. To receive report emails, set up one email address dedicated to this purpose. An external address such as a @yahoo or @gmail account is preferable. Its sole purpose is to receive the computer-generated logs of abuse reports made within 24 hours against your allotted IP addresses. This address must not be published anywhere, not even in your WHOIS info or on your published pages. Once the address is set up, go to http://www.spamcop.net/w3m?action=ispsignupform and click "create an ISP account", then log in, click "Request Reports" and type in all the IP addresses allotted to your account, one IP per line. It is a good idea to list the IP addresses of your other server accounts as well, for centralized reporting. In this way, when an abuse report involves one of your members, you will receive it at this email address.

2. Open an account at groups.google.com and join these 2 specific newsgroups:

news.admin.net-abuse.policy
http://groups.google.com/group/news.admin.net-abuse.policy?lnk=sg

news.admin.net-abuse.misc
http://groups.google.com/group/news.admin.net-abuse.misc?lnk=sg

This is where abuse issues that have been handled and resolved are posted, and where spam abusers are reported live to admins around the world. By subscribing, you can monitor every abuse report made against an IP address. Set up a filter in your email account that matches your IP addresses, so that those reports end up in your inbox; other reports can be sent directly to the trash folder for permanent deletion.

Once you have dealt with a spam issue, report it on these groups as either ongoing or resolved, with the abuser terminated, removed from your server and banned. Reports submitted here need to include full headers. Most web-based email systems can be set up to show them: click "show full headers report", then copy the whole abusive email message and paste it into these groups. That way you are stating in front of fellow admins that you enforce zero tolerance on all of your members and are an active promoter of anti-spam laws on the internet.

3. Log on to WHM (Web Hosting Manager), click "Security" and then "Tweak Security". Under "SMTP Tweak", click "Configure" and make sure "Allow connections to localhost on port 25." is disabled. This SMTP tweak prevents users from bypassing the mail server to send mail (a common practice among spammers). It allows only the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers. It also helps to check the mail queue a couple of times per day: log in to WHM, click "Email", then "Mail Queue Manager". If you see any suspicious-looking email addresses there trying to send, usually free web-based ones or randomly generated ones, click "Delete all messages in Queue." Such messages only mean that your system can't send them, because they are not routable: their originating IP addresses are questionable and not listed among the IPs you trust to send out email.

4. Log in to WHM (Web Hosting Manager) and click "Contact Manager" under the "Server Contacts" menu. Make sure you have set "2 or 3" as the Alert Priority Assignment beside "Recently Uploaded Cgi Script Mail". This will email you daily (if any pages or scripts were uploaded) about uploads that are set to use SMTP or mail on your server, which abusers could use to send spam from your IP addresses. Set up a filter for these alerts; the subject is always prefixed with "[newmailcgi] Recently Uploaded CGI scripts". Note that insecurely configured PHP form mail scripts that could be used to send spam are also reported to the contact address set in your server's WHM. Monitor this actively, and when it happens, give ample warning to the user who uploaded the script.

5. Go to http://www.dnsstuff.com/ and, under "Spam database lookup", type in your IP address. Make sure there are no red areas or red rows for any spam database site; this confirms that your IP addresses are "clean" of spam. Run another test at http://whois.sc/yourdomain.com and look for the result "Blacklist Status: Clear". It must always be that way. If it says listed, you are listed on one or more spam database sites, and your IP address is recorded as one from which spam originated and as hosting spamvertised sites.

6. Go to http://www.dnsreport.com/ and run a DNS report on your domain. Make sure the "SOA record" shows the email address dedicated to your domain under "Hostmaster E-mail address:". Make sure your "Acceptance of abuse address" is set up as abuse@yourdomain.com. Also make sure that mail relaying is not enabled on your domain.

7. To disable mail relaying on your server, log in as root via SSH and open the file /etc/mail/spamassassin/local.cf in nano or pico. Make a backup copy of it before making any modifications. Make sure the trusted_networks XXX.XXX.XXX.XXX lines contain, one per line, the IP addresses allotted to your server. Then whenever someone tries to "spoof" an email message using one of your domains or your clients' domains to send spam, it will be rejected, because it will obviously be sent from other IP addresses. Sites such as proxy sites need to be included among the banned sites when you write your terms of service (TOS) or Acceptable Use Policy (AUP).

8. If your mail queue logs show "forged" email being sent as admin@yourdomain.com to someone else, chances are your SPF (Sender Policy Framework) record is not set up, so go to http://www.openspf.org/ and set it up. The DNS report scan you ran on your domain will also show this SPF record if it is already set up.

9. Whether an abuse report is sent through SpamCop's abuse reporting system or reported by a human being, you have 2 email addresses that you need to check every day, or at most three times a day, to make sure you are running "clean" IP addresses.

10. The worst-case scenario is to receive an actual spam abuse report, from a human or from the software-generated abuse reporting system set up by SpamCop. It should be dealt with and enforced with zero tolerance for the abusers, and all headers (those within 6 months old) need to be kept on your computer's hard drive. Headers from abuse reports made by humans need to be logged as well; when copying and pasting a report, make sure you require valid proof such as a copy of the full headers, which a web-based email system can display via "show full headers". The spammer/abuser needs to be terminated and removed from your server as soon as possible, if possible within hours of the actual abuse report, and the case needs to be posted on the following groups:

news.admin.net-abuse.policy
http://groups.google.com/group/news.admin.net-abuse.policy?lnk=sg

news.admin.net-abuse.misc
http://groups.google.com/group/news.admin.net-abuse.misc?lnk=sg
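
The IP filter from step 2 and the full-header requirement from step 10 can be scripted. The following is an added example, not part of the original article: it reads the Received headers of a pasted report and says whether any relay address falls inside your allotted ranges. The network 192.0.2.0/28, the host names and the sample report are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: documentation-range addresses stand in for your allotted IPs.
ALLOTTED = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample: full headers as pasted into an abuse report.
SAMPLE_REPORT = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.recipient.example with ESMTP id A1; Mon, 01 Jan 2007 10:00:02 +0000
Received: from web3.yourdomain.com (web3.yourdomain.com [192.0.2.5])
\tby mx.example.net with SMTP id B2; Mon, 01 Jan 2007 10:00:01 +0000
From: "Cheap Offers" <admin@yourdomain.com>
Subject: constructed sample

(message body)
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Return bracketed IPv4 addresses from Received headers, newest hop first."""
    ips = []
    for hop in message_from_string(raw_message).get_all("Received", []):
        for text in BRACKETED_IPV4.findall(hop):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # looks like an address but is not one, e.g. [999.1.1.1]
    return ips


def triage(raw_message, allotted=ALLOTTED):
    """Classify a report as 'no-full-headers', 'ours' or 'not-ours', plus matching IPs."""
    ips = relay_ips(raw_message)
    if not ips:
        return "no-full-headers", []  # ask the reporter for full headers
    ours = [ip for ip in ips if any(ip in net for net in allotted)]
    return ("ours" if ours else "not-ours"), ours


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Received lines written before the message reached a server you trust can be forged by the sender, so treat an "ours" result as a lead to confirm against your own mail logs before terminating an account.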

When you have done the steps above, it is likely that your server's IP addresses will be de-listed from the spam databases for free. However, some still ask for payment to de-list a server's IPs. Nevertheless, it is good to know that your server is free from spam and can provide optimal service to your users.
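
The spam database lookup from step 5 can also be run directly over DNS, which is how such databases (DNSBLs) are queried: reverse the IP's octets, append the list's zone, and look for an A record in 127.0.0.0/8. The following is an added example, not part of the original article; the checked IP, the second zone name and the offline resolver data are constructed assumptions.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return A records for name, or [] when the lookup fails.

    Caveat: the socket API cannot tell "no such record" from a resolver
    outage, so a DNS library is the better choice for unattended checks.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_ip(ip, zones, resolver=system_resolver):
    """Map each zone to 'listed', 'clear' or 'unexpected-answer'."""
    status = {}
    for zone in zones:
        answers = resolver(dnsbl_query_name(ip, zone))
        if not answers:
            status[zone] = "clear"
        elif all(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
            status[zone] = "listed"
        else:
            # e.g. an expired list or a resolver that rewrites failed lookups
            status[zone] = "unexpected-answer"
    return status


# Constructed offline data so the example runs without network access.
FAKE_DNS = {"5.2.0.192.bl.spamcop.net": ["127.0.0.2"],
            "5.2.0.192.dnsbl.example.org": ["203.0.113.9"]}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(check_ip("192.0.2.5", ["bl.spamcop.net", "dnsbl.example.org"], fake_resolver))
```

Calling `check_ip` without the `resolver` argument uses the system resolver, so the check can be scheduled for each allotted IP.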
© Copyright 2006 , The Web Hosting Herald. All rights reserved.