|
|
7.7 Pitfalls
If your site supports dial-up clients or machines that are assigned
an IP address on startup, you should prevent such machines from
sending mail directly to the outside world. If you fail to take this
precaution, you might find such machines sending spam email that you
can neither detect nor control. The easiest way to limit mail access
to the world is with a firewall or router. Make it your published
policy to always configure your firewall or router to prevent access
to port 25 for all but your main mail hub machines. This prevents
dial-up clients from sending mail directly to the world. Instead,
they will be required to send all email by way of your mail hub
machines—which PC mail-reading software can easily be
configured to do.
On your mail hub machines you will need to use any of the appropriate
methods discussed in the relaying section (Section 7.4) to enable the hub to relay messages outward
for your dial-up clients. By requiring that all outbound email from
dial-up clients be relayed through your mail hub, you enable your hub
to impose limits on sending rates, to limit the number of recipients
per envelope, and to log all email transactions. In brief, this puts
you in position to detect spam attempts by your customers.
A common technique used by spammers is to lie about the true host
that was used to send the offensive email by manufacturing headers
that mislead the end recipient. Such headers can range from falsely
made-up Message-Id: headers, to misleading
Received: headers. As an ISP, it is your
responsibility to ensure that all mail passing through your hubs is
truthfully labeled. One way to do this is to ensure that all
hostnames in headers are fully canonical.
One sure way to know if your site is spamming is to receive and read
email from people who complain about receiving such spam. You should
always read mail addressed to Postmaster. As an
added precaution, you should also create an alias for the address
abuse and read that mail too. Complaints will also
be sent to webmaster about HTTP problems, and to
hostmaster about DNS problems. You should accept
and read all mail that might indicate a problem needing attention.
If you are running an old version of sendmail
and have not yet upgraded, beware that you might be running a site
that will relay email to anywhere in the world. Called
"promiscuous relaying," this could
get your site listed with DNSBL sites. Try to upgrade soon.
|
| |
|
|
|