
Best Practice for stopping unsolicited e-mails that are not detected as SPAM or Marketing?

Jason Meyer
Level 1

I have roughly 40,000 mailboxes behind some IronPort appliances.   My question for all of you veteran SMTP admins is how do you handle situations where you have an individual sending multiple e-mails to one of your mailboxes?  It's not really a big enough issue to set up a content filter for the sending e-mail address, and we don't have Blocklists rolled out to everyone yet, so that's not a good fit, although I really like the IronPort quarantine with its SafeList and Blocklist features.

What I'm looking for is do you even take the time to try to work with the sender and get them to stop sending the e-mails?

Do you bounce the e-mails back to the sender?

Set up a client-side (Outlook) rule to just automatically delete the e-mails?

Just looking for some "best practice" or good advice on how to handle these minor issues.  The major ones are easy but it's these little ones that turn into administrative issues.

Thanks all, look forward to your input...

Jason Meyer

4 Replies

araudevain
Level 1

Hi all,

Good question, I'm also looking for those tips, because I'm also facing these kinds of unsolicited emails

Thanks

Arnaud

exMSW4319
Level 3

If the sender is mailbombing you (sending a large number of mails just to flood your mailbox) then that's clear network abuse; you ignore him and complain to his system administrator or to his upstream provider. As that's likely to take some time if it works at all, you also want a block in place as soon as you've recorded enough evidence to document the abuse.

There used to be a vulnerability in MS Small Business Server whereby some chump would send out a mail to over 500(?) recipients including at least two SBS boxes with the bug. Each box would then send a further copy of the mail, thereby creating a loop. Swift coding was necessary to protect one's own recipients from the deluge. (And that's a sales argument in favour of appliances versus outsourcing to the Cloud, by the way.) Strictly speaking, the abuse was the fault of the SBS systems administrators rather than the original chump, so careful header parsing can sometimes be necessary.

A more likely scenario is that you have someone who just keeps on sending the odd spam, week after week. Let's take the worst case; that it's addressed just to you, the sender's domain is reasonably fragrant (or at least impractical to block) and there's no headers or body phrases that you can add to a filter to create a general solution. You have to block the specific sender.

At the moment I'm doing this with a simple dictionary-driven rule. If I get a complaint from any of my mailbox owners and am satisfied that nothing else will work, then I simply add the sender's address to the dictionary. The rule is already in place and only requires a dictionary update. One hallmark of this type of case is that I have no qualms about simply dropping the mail, rather than sending some sort of NDR.

Sender-blacklist: if (mail-from-dictionary-match("blocked-senders", 1)) { drop(); }

Now at the scale you are discussing, this solution may not work. Is there time to properly examine each case, or will your colleagues simply start slamming addresses into such a dictionary? How quickly will the list grow to the point where it starts to consume an unreasonable slice of your CPU time? Indeed, I'm not sure how far such a solution will scale even if processing capacity is not an issue.

I need a review process to remove addresses from my dictionary, but then the same principle applies to any filter that uses specific static data. I try to keep records of every case where I include such data, and if I cannot find justification for a specific listing then I remove it at once.
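An added local simulation of the dictionary-driven rule and the review process described above (example code, not from the thread or from the IronPort product); the dictionary entries, ticket references and messages are constructed:

```python
from dataclasses import dataclass
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed sample dictionary: each listing records the complaint that justified it.
@dataclass
class BlockEntry:
    sender: str    # envelope sender address, matched case-insensitively
    ticket: str    # complaint reference; empty means no justification on file
    added: date

BLOCKED_SENDERS = [
    BlockEntry("promo@example-marketer.test", "HD-1042", date(2010, 3, 1)),
    BlockEntry("news@example-list.test", "", date(2009, 11, 20)),
]

class SenderBlocklist:
    """Stand-in for the appliance dictionary named 'blocked-senders'."""
    def __init__(self, entries):
        self._entries = {e.sender.lower(): e for e in entries}

    def mail_from_matches(self, envelope_from):
        """Local equivalent of mail-from-dictionary-match(): exact address match."""
        return parseaddr(envelope_from)[1].lower() in self._entries

    def review(self, today, max_age_days):
        """Purge listings with no ticket or older than max_age_days; return what was removed."""
        stale = sorted(s for s, e in self._entries.items()
                       if not e.ticket or (today - e.added).days > max_age_days)
        for s in stale:
            del self._entries[s]
        return stale

    def size(self):
        return len(self._entries)

def filter_action(raw_message, blocklist):
    """Mirror the Sender-blacklist rule: drop on dictionary match, else deliver."""
    msg = message_from_string(raw_message)
    # Return-Path carries the envelope sender once the message has been stored.
    envelope_from = msg.get("Return-Path") or msg.get("From", "")
    return "drop" if blocklist.mail_from_matches(envelope_from) else "deliver"

# Constructed sample messages (headers only); note the mixed-case Return-Path.
SPAM = "Return-Path: <Promo@Example-Marketer.test>\nFrom: Promo <promo@example-marketer.test>\nSubject: Offer\n\nbody\n"
HAM = "Return-Path: <colleague@example.test>\nFrom: colleague@example.test\nSubject: Hi\n\nbody\n"
```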

I too currently experience the same issue with my users.  One of our domains in particular receives an exorbitant amount of [MARKETING] email that they consider SPAM but is obviously not.  They send it into the spam address @ Cisco but I've tried to explain to them that Cisco won't do anything about this type of email because it's legitimate advertisements coming from legitimate sources.

I've taken the same step as previously mentioned and created a dictionary file that I fill with these unwanted emails' sender addresses, and then I simply have a content filter that drops this incoming email.  It's a nuisance to have to update the dictionary file all the time, but it appears to be the only effective way to handle this currently.  Currently I'm at about 1200 entries.

Is there a limit on how many entries you can have in a dictionary file?

Thanks,

Mike

I don't know how large a dictionary can be before an unreasonable share of the appliance's CPU time is consumed by the rule(s) using it. My own experience is on the smaller C-class machines so won't be much use to you. If it's any guide at all, the standard (v6?) HIPAA dictionary contains 1,195 entries.

Looking through the KB there are several items on performance. Rules always appear quite some way down the list of things to check, though there are warnings that regular expressions are expensive. I can't imagine that this includes the ? operator, as the profanity dictionary makes considerable use of it.

Considering your spam problem, are you sure you have 1,200 separate spammers who trip your [MARKETING] bar but have good SenderBase ratings? Have you analysed any of the headers to see if they have a common source? I have 25 manual entries in my HAT blacklist and a further 90 dictionary entries of host names that have remained consistent but are a little too motile or dispersed to be worth entering into the HAT, and that deals with a lot of our regular marketeers most of whom have distressingly high SBRS ratings.

You used the expression "legitimate advertisements coming from legitimate sources" - was that originally from yourself, your vendor or Cisco support? Although it's easy to define spam by its extreme cases, there is no generally accepted dividing line even after the direct marketing industry's opinions are discounted, and the mailbox owners' definition ("I wanted that! \ I didn't want that!") isn't going to fly for us.

Note to product development team - any chance of a multiuser subconscious telepathic interface?