7.7 Pitfalls
If your site supports dial-up clients or machines that are assigned
an IP address on startup, you should prevent such machines from
sending mail directly to the outside world. If you fail to take this
precaution, you might find such machines sending spam email that you
can neither detect nor control. The easiest way to limit mail access
to the world is with a firewall or router. Make it your published
policy to always configure your firewall or router to prevent access
to port 25 for all but your main mail hub machines. This prevents
dial-up clients from sending mail directly to the world. Instead,
they will be required to send all email by way of your mail hub
machines—which PC mail-reading software can easily be
configured to do.
On your mail hub machines you will need to use any of the appropriate
methods discussed in the relaying section (Section 7.4) to enable the hub to relay messages outward
for your dial-up clients. By requiring that all outbound email from
dial-up clients be relayed through your mail hub, you enable your hub
to impose limits on sending rates, to limit the number of recipients
per envelope, and to log all email transactions. In brief, this puts
you in position to detect spam attempts by your customers.
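Once every dial-up client has to relay through the hub, the hub's own log shows how many recipients each client is addressing. The following is an added example, not part of the original text: it tallies the from= lines that sendmail writes to syslog per connecting client address and flags clients over a recipient threshold. The sample log lines, host names and threshold values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in sendmail's syslog format (not real traffic).
SAMPLE_LOG = """\
Mar 12 10:01:02 hub sendmail[1201]: k2CA12ab001201: from=<alice@example.net>, size=2210, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=dial17.example.net [192.0.2.17]
Mar 12 10:01:05 hub sendmail[1204]: k2CA15ab001204: from=<x9@example.net>, size=4102, class=0, nrcpts=45, msgid=<2@example.net>, proto=SMTP, daemon=MTA, relay=dial42.example.net [192.0.2.42]
Mar 12 10:01:06 hub sendmail[1205]: k2CA16ab001205: from=<q3@example.net>, size=4102, class=0, nrcpts=40, msgid=<3@example.net>, proto=SMTP, daemon=MTA, relay=dial42.example.net [192.0.2.42]
Mar 12 10:01:09 hub sendmail[1207]: k2CA16ab001205: to=<bob@example.org>, delay=00:00:03, mailer=esmtp, relay=mx.example.org. [198.51.100.5], dsn=2.0.0, stat=Sent
Mar 12 10:02:11 hub sendmail[1210]: k2CA2Bab001210: from=<alice@example.net>, size=980, class=0, nrcpts=2, msgid=<4@example.net>, proto=ESMTP, daemon=MTA, relay=dial17.example.net [192.0.2.17]
Mar 12 10:03:30 hub sendmail[1215]: k2CA3Uab001215: from=<>, size=1500, class=0, nrcpts=3, msgid=<5@example.net>, proto=SMTP, daemon=MTA, relay=[192.0.2.99]
"""

# Only "from=" lines carry nrcpts; relay= is the last field on those lines.
FROM_RE = re.compile(r": from=.*?\bnrcpts=(\d+),.*\brelay=(.*)$")
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def client_key(relay):
    """Key on the bracketed connection address; fall back to the raw
    relay text (for example user@localhost on local submissions)."""
    m = ADDR_RE.search(relay)
    return m.group(1) if m else relay.strip()

def summarize(log_text):
    """Tally messages and envelope recipients accepted from each client."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "max_rcpts": 0})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue  # delivery ("to=") lines and other daemon messages
        n, entry = int(m.group(1)), stats[client_key(m.group(2))]
        entry["messages"] += 1
        entry["recipients"] += n
        entry["max_rcpts"] = max(entry["max_rcpts"], n)
    return dict(stats)

def flag_clients(stats, max_rcpts_per_msg=20, max_total_rcpts=50):
    """Return clients over either threshold (threshold values are assumptions)."""
    return sorted(c for c, s in stats.items()
                  if s["max_rcpts"] > max_rcpts_per_msg
                  or s["recipients"] > max_total_rcpts)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for client in flag_clients(summary):
        print(client, summary[client])
```

The tally covers whatever log excerpt it is given, so run it over a fixed interval of the log if you want a rate rather than a total.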
A common technique used by spammers is to disguise the host that
actually sent the offending email by manufacturing headers that
mislead the end recipient. Such headers can range from fabricated
Message-Id: headers to misleading
Received: headers. As an ISP, it is your
responsibility to ensure that all mail passing through your hubs is
truthfully labeled. One way to do this is to ensure that all
hostnames in headers are fully canonical.
One sure way to know if your site is spamming is to receive and read
email from people who complain about receiving such spam. You should
always read mail addressed to Postmaster. As an
added precaution, you should also create an alias for the address
abuse and read that mail too. Complaints will also
be sent to webmaster about HTTP problems, and to
hostmaster about DNS problems. You should accept
and read all mail that might indicate a problem needing attention.
If you are running an old version of sendmail
and have not yet upgraded, be aware that you might be running a site
that will relay email to anywhere in the world. This is called
"promiscuous relaying," and it could
get your site listed with DNSBL sites. Try to upgrade soon.