Why Outgoing Spam Filtering Can And Should Be Done Transparently

By Ken Simpson

Web hosting providers can find it challenging to ensure a clean IP reputation. Unfortunately, the internet itself is not free of misinformation about outgoing email filtering. In this blog post we challenge three suggested alternative methods for cleaning up your IP reputation.

Three suggested alternative methods for cleaning up your IP reputation

1. Blocking port 25:

Web hosting clients should not be restricted from using a port that is lawful to use (unless you’re spamming, of course). Most providers we talk to would not consider blocking port 25, for fear of losing customers. Still, this option is often promoted as a quick solution to the spam problem. Here’s why port 25 blocking is not a good idea:

- Lawful customers are inconvenienced – Most web hosting clients are not spammers. By blocking port 25, you’re removing functionality that they can use lawfully. This is a great way to turn away customers.
- Because of the first point, exceptions are made – Because lawful customers will complain if you block port 25, most providers who use this strategy end up having an exception policy. Spammers are excellent at getting onto the exception list, after which they will spam away and ruin your reputation.
- Blocking hides the real problem – Spam is only one type of abuse undertaken by cybercrooks inhabiting web hosting infrastructure. If you block port 25, you’re shutting off a valuable source of intelligence that can tip you off to bad customers who may also be hosting malware, command and control systems, launching DDoS attacks, and more. Spammers take root on customer machines, compromise email accounts and WordPress plugins, and use sophisticated techniques to obfuscate their identity in order to secure hosting resources.

Fortunately, it’s possible to filter outgoing email transparently using software.
Done properly, transparent SMTP filtering is scalable, lawful, and effective.

2. Redirecting port 25 to a smart-host relay:

Many vendors suggest that hosting companies redirect their customers’ outgoing port 25 traffic to a so-called “smart host” server where it can be queued and inspected before delivery through dedicated email relay IP addresses. This approach has several problems:

- It breaks Transport Layer Security (TLS) – Mail servers think they are talking to an actual receiving email server, such as smtp.gmail.com, when in fact, because of network redirection, they are talking to the smart host provided by their web hosting provider. Even if the smart host machine responds with a valid TLS certificate, the certificate will not match the certificate of the destination machine (i.e. smtp.gmail.com), causing some mail servers to raise an error or even fail to deliver the message.
- It breaks continuity – Traffic redirected to a smart-host relay must be queued before delivery. Because the smart-host relay can’t possibly know whether the actual receiving mail server will accept the message, it queues every message submitted by web hosting clients. But then what happens if the receiving mail server (i.e. smtp.gmail.com) rejects the message? The smart-host relay must then generate a non-delivery receipt (NDR) back to the purported sender of the message. But the sender isn’t expecting an NDR, because they thought they were talking directly to the receiving system, which apparently said the message was accepted.
- It has chilling privacy implications – Because messages must be queued by the smart-host relay server, a copy of the message is stored to disk temporarily. What happens if that disk is compromised and its contents are stolen?

3. Leave port-25 open, and respond to abuse complaints

Some providers think they can just let their clients send spam, so long as the provider responsibly handles the ensuing abuse complaints from email receivers.
We strongly recommend handling abuse complaints in a robust manner; unfortunately, this won’t keep your network off of blocklists:

- Abuse complaints are slow to arrive – Only a small fraction of email recipients will click the “report spam” button, generating an abuse complaint. And, it takes time for the spam to reach their inbox and generate that feedback. A spammer leveraging a powerful web hosting machine can send tens of thousands of spam messages before the first abuse complaint arrives.
- Blocklists frown on this technique – Email receivers and their partners, the blocklist operators, expect service providers to do far more than just responding to complaints. Providers who allow spam to exit their network are likely to wind up blocklisted unless they can clearly demonstrate that they are proactive about stopping outgoing spam. It’s just not enough to say you handle abuse tickets when they come in.
- Valuable intelligence is lost – Abuse complaints are often heavily redacted, making it difficult to track down the actual perpetrator of the spam. Receivers eliminate the recipient address and other valuable information that can help you identify which entity within your network was responsible. Without knowing who is responsible for spam, you don’t know whose account to shut down.

The Ultimate Solution

The ultimate solution that actually works is to combine effective abuse handling with effective transparent filtering, and to give clients the option of a smart-host to deliver email if that approach works better for them. MailChannels offers this combination for web hosting providers:

- MailChannels Dedicated – Powerful and scalable transparent SMTP filtering software that runs on the service provider network, securely intercepting outgoing email and analyzing it in real-time without queueing messages to disk.
- MailChannels Outbound – Now available for resale to web hosting customers, this cloud-based smart-host relay gives web hosting customers an effective way to get their email delivered, while blocking spam and notifying customers of security issues such as compromised accounts.

Now, let’s deal with the legal side of transparent SMTP filtering

Since the Edward Snowden revelations, service providers are nervous about implementing security technology that could be construed as violating the privacy of their customers. Yet, it’s crucial to have the capacity to detect and block spam, phishing, and malware in the outgoing email stream, because if a provider does not block malicious email traffic, then they will find their IP address space blocked extensively by email receivers.

Fortunately, MailChannels recently commissioned a leading German privacy law firm, Büsing, Müffelmann & Theye, to write a legal opinion explaining how providers can lawfully perform automated inspection of outgoing email to rid their network of spam. Turns out, it’s perfectly legal – even in Germany – to filter outgoing SMTP traffic. There are a few minor requirements that have to go into the provider’s terms of service, but otherwise, there is nothing wrong with automated transparent filtering.

But what about TLS?

In a transparent SMTP filtering system, email streams that are encrypted using TLS are handled in one of the following ways:

Pass-through

The first option is to simply ignore TLS-encrypted email traffic, letting it pass through uninspected. This option has the advantage of providing the maximum privacy for customers, but the downside that it will not capture and block spam that is sent over encrypted links.

Filter out STARTTLS

The second option is to have the transparent SMTP filter “filter out” the RFC 3207 STARTTLS extended SMTP response from downstream mail servers, effectively preventing the sending mail server from using TLS.
This option forces all traffic from the customer’s mail server to be sent in-the-clear, raising legitimate concerns about privacy if the link between the customer’s machine and the transparent SMTP filtering machine could conceivably be tapped for inspection by a third party.

Provide TLS using a provider certificate

Finally, the transparent SMTP filter can offer TLS using a certificate owned by the provider, inspect the email traffic, and then re-encrypt with TLS for the final leg of delivery to the receiving mail server. In this case, the customer’s mail server enjoys an encrypted TLS session, with the contents of the session being decrypted by the transparent SMTP filtering server for automated inspection. The final leg, which transits the public internet, is re-encrypted using a TLS session with the receiver’s TLS certificate, where it can enjoy certain guarantees of privacy.

Web hosting providers must take measures to reduce spam from their network. Fortunately, transparent SMTP filtering, when used in combination with effective abuse complaint handling, is a lawful and effective way to detect and eliminate spammers from your web hosting network.
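
A check for the “Filter out STARTTLS” option described above, as an added example that is not from the original post or from MailChannels: it parses SMTP EHLO replies and reports when a server that advertises STARTTLS from one vantage point no longer advertises it on the filtered path. The host name and both sample replies are constructed.

```python
import re

# One reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply (RFC 5321) into {KEYWORD: [params]}."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        raise ValueError("empty reply")
    caps = {}
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        is_last = m.group(2) == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        if i == 0:
            continue  # first line is the server greeting, not a keyword
        words = m.group(3).split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def starttls_downgraded(baseline_reply: str, observed_reply: str) -> bool:
    """True when the baseline advertises STARTTLS but the observed path does not."""
    return ("STARTTLS" in parse_ehlo(baseline_reply)
            and "STARTTLS" not in parse_ehlo(observed_reply))


# Constructed samples: the same hypothetical server seen from two vantage points.
# BASELINE is a direct connection, OBSERVED is the reply seen behind the filter.
BASELINE = ("250-mx.example.net Hello\r\n250-SIZE 35882577\r\n"
            "250-8BITMIME\r\n250-STARTTLS\r\n250 PIPELINING\r\n")
OBSERVED = ("250-mx.example.net Hello\r\n250-SIZE 35882577\r\n"
            "250-8BITMIME\r\n250 PIPELINING\r\n")

if __name__ == "__main__":
    print("STARTTLS removed on path:", starttls_downgraded(BASELINE, OBSERVED))
```

A customer or auditor can run the same comparison to confirm which of the three TLS handling options a provider has deployed and whether mail on that path leaves the customer’s server unencrypted.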