Fighting SPAM in Lotus Domino

For many administrators these days, the number one complaint from users and managers is unsolicited e-mails flooding the system, commonly called SPAM. SPAM can cause many issues for admins, including slow SMTP and mail server performance, wasted network bandwidth, and increased disk space usage. It can even cause other personal issues at the workplace, such as end users falling for illegal SPAM "get rich quick" schemes, and create an uncomfortable environment when users receive messages containing pornography and other inappropriate workplace materials. This does not include the millions of dollars companies waste through lost productivity from SPAM and the money they spend having to fight SPAM.

In 2001, an average internet user received 571 pieces of unsolicited e-mail, and the FTC expects the number to rise to more than 1500 by Personally I receive on average over 30 messages per day and know of people who receive hundreds. If an average employee spends just 7 minutes a day with SPAM e-mails, that translates to a loss of 30.3 hours of lost productivity a year, almost an entire work week!

Currently in Domino R5, there are only a few things that you can do to limit SPAM. Fighting SPAM requires not only that your servers be configured to fight SPAM, but also that your end users understand how not to cause SPAM to be generated in the first place.

In Domino, the first and most important step in eliminating SPAM is to deny relaying on the server. A relay is an SMTP server that allows any e-mailer to route messages through your server to a foreign destination. Being an open relay can not only cause your server to be flooded with e-mails, but can also get your company blacklisted from receiving e-mails by your customers and business associates. Checking whether you are an open relay is very simple.
In Windows 2000, you can open the command prompt window and telnet to your mail server on port 25 by issuing the following command (note that you should use the hostname or IP address of your Domino SMTP server; this is also a good way to test SMTP issues you may be having, so pay attention!):

    C:\>telnet smtpserver.yourdomain.com 25

After you issue the command, you should receive a response that looks like:

    220 smtpserver.yourdomain.com ESMTP Service (Lotus Domino Release 5.0.9a) ready at Fri, 15 Mar :44:

At the prompt, issue the helo command to identify your domain. For our relay test, you will want to use a fictitious outside domain, such as test.com. You should receive a response as follows:

    >helo test.com
    250 smtpserver.yourdomain.com Hello test.com ([ ]), pleased to meet you

Next, you will type the mail from: command to identify the sender's address. I usually use Make sure that this address uses the same domain as your helo command. You will receive a 250 response that your sender is OK.

    >mail
    250 Sender OK

Afterwards, you want to identify your recipient with a rcpt to: command. Here is where you will see if you're an open relay in Domino. In my example, I am coming in from the domain test.com and sending to the domain yahoo.com. The message is not intended for a recipient on your server, thus I am relaying a message to yahoo.com.

    >rcpt
    250 Recipient OK

If you get a Recipient OK response, you are an open relay! You should receive a response like this if you are not allowing relays:

    >rcpt
    554 Relay rejected for policy reasons.

You will also get a message in your Log file under Miscellaneous Events to alert you if a SPAMer is trying to relay through your server:

    03/15/ :04:25 AM SMTP Server [0C90:0004-0BD8] Attempt to relay mail to rejected for policy reasons. Relays to recipient's domain denied in your configuration.

There may be several reasons, though, why you are an open relay:

1. You have other applications in your environment that generate SMTP messages and relay them through your SMTP servers.
2. You have POP and/or IMAP users that need to send outbound SMTP messages through your server.
3. You have other SMTP servers behind your firewall in your environment and they use your Domino server to send messages to the outside world.

If you have no reason for any servers to relay through your Domino servers and have no outside POP\IMAP users, you can simply deny relaying as follows:

1. In your Domino Directory (NAB), under the Configurations view, open the configuration document for your SMTP server. If you do not have one, create a new one for your SMTP server.
2. Click the Router\SMTP tab, then the Restrictions and Controls tab, and finally the SMTP Inbound Controls tab. You should be looking at the following screen:
3. There are two Deny messages fields. By placing a * in the field, you are blocking any type of relaying through the Domino server.
4. If you have servers that need to relay through your SMTP server, add their IP addresses or hostnames to the Allow field. Note that you will not need the * in the deny fields if you use an allow field, since you are only allowing specific servers. If you use IP addresses here, you will need to put them in [brackets].

If you do have POP\IMAP users and need to have an open relay, you can do 2 things to prevent relays. One option is to list all of your POP\IMAP users as users allowed to relay through your domain by adding them to the Inbound Sender Controls on the SMTP Inbound Controls tab of the configuration document. Obviously, this would be a very hard task to administer in a large POP\IMAP domain, and wildcards do not work here.
In order to get around this, you should set up a separate server that authenticates SMTP inbound connections. This is done in the server document under the Ports\Internet Ports\Mail tab for your server. Under the SMTP Inbound section, you should disable Anonymous connections and enable Name & Password authentication. In your POP\IMAP client, you would then check the option for SMTP server authentication, and use the same username and password that you use to download your mail (a username and internet password in the user's person document). See your POP\IMAP client documentation for more information about authenticating with an SMTP server. By enabling this field, you are now requiring anyone who wants to relay to know a username and password on the system. The reason that you cannot do this for your primary SMTP server is that all SMTP servers would have to authenticate with you. It would be impossible to give every SMTP server that ever connects to your server an account on your system.

Now that we have closed down relays, is there anything else that can be done to prevent SPAM? Yes, there is. If you have a low traffic domain and you can afford the overhead, you can enable a reverse DNS lookup of all incoming messages. In Domino, there are two fields that can do this in the SMTP Inbound Controls tab. By verifying the connecting hostname, you are asking Domino to verify the hostname that the sender is using. By verifying the sender's domain, Domino looks at the domain in the Mail From command and checks whether it is a legitimate domain. The problem is that these checks add overhead to the server, which has to verify all SMTP messages that come inbound. Another issue is that a company that does not have its DNS configured properly, or that uses a proprietary SMTP load balancing system (like aol.com), may cause Domino to block legitimate e-mail.

Finally there is one other setting you can use in Domino.
In the configuration document of your SMTP server, under the Router\SMTP tab and then the Basics tab, you have a field called Address Lookup.
You have 3 choices in the drop-down box: Fullname then Localpart, Fullname only, Localpart only. The default is Fullname then Localpart. This setting is similar to the SMTP_EXACT_MATCH_ALL=1 in Domino 4.6. For example, we have a user called Tony Soprano. In the $Users view (a hidden view in the Domino Directory), your name is listed in many variations. For example, in Domino if a user has a unique first or last name, Domino will deliver to them. While this is a good feature, it allows SPAMers to randomly generate e-mails to your domain, hoping that a few will get delivered. If Tony is an end user and he has the internet address field populated in the person document with and a shortname of tsoprano, only the following addresses would get delivered: The following would not work with Fullname only enabled: As you can see, this will limit delivery to exact fullname matches, and would not allow a SPAMer to send to A- and get SPAM into your domain.

Even with top of the line servers, blacklists and tight Domino controls, SPAM is an issue that needs to be fought with educated end users. Here are some policies and procedures that you should follow to help cut down on SPAM traffic.

1. Never use company mail for personal use. Tell end users to use a web based mail system (like Yahoo or Hotmail) or an ISP account for any non work related e-mails.
2. Never respond to a SPAM message, or click the "Remove me from this list" link in the message. I have even seen network admins fall for this. Do you realize that by clicking this you have just increased the value of your address to a SPAMer? Your address is now a verified address and gets sold at a premium by SPAMers!
3. Never use your work address on a public message board or news group. SPAMers have software that can collect these addresses and use them to send you SPAM.
4. Create a mail-in DB in Notes that users can forward SPAM to so you can collect SPAM messages.

It is my personal recommendation that you use a SendMail server as your primary SMTP server that Domino relays all mail through. While Domino can handle the traffic, it does not have the features that SendMail offers you to control SPAM and filter messages. Luckily in Domino 6, there will be some new and exciting features to help control SPAM. Domino 6 already features blacklist support and rules to control message handling. So far my testing has been very promising with these new features, and I am still hoping for even more with the Gold release. Stay tuned for an upcoming article on the new features in Domino 6 for fighting SPAM!
Copyright 2001/2002 Michael Granit
Published: 03/18/2002
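
The telnet relay test described in the article, scripted in Python as an added example (it is not part of the original article). The function names, the ScriptedServer stand-in and the .example domains and addresses are assumptions made for illustration; the verdict is based on the SMTP reply code alone, and a refusal before RCPT TO is reported as inconclusive rather than as "relay denied".

```python
import smtplib

def classify_rcpt(code):
    """Verdict from the reply code to RCPT TO for a foreign recipient."""
    if 200 <= code < 300:
        return "open-relay"      # e.g. "250 Recipient OK"
    if 500 <= code < 600:
        return "relay-denied"    # e.g. "554 Relay rejected for policy reasons."
    return "inconclusive"        # 4xx is a temporary failure; test again later

def relay_test(smtp, helo_domain, sender, foreign_rcpt):
    """Run HELO, MAIL FROM, RCPT TO on an smtplib.SMTP-like object.

    DATA is never issued, so no message is sent.
    """
    steps = []
    for name, call, arg in (("helo", smtp.helo, helo_domain),
                            ("mail", smtp.mail, sender)):
        code, _ = call(arg)
        steps.append((name, code))
        if code != 250:
            # Refused before the relay decision (for example by sender-domain
            # verification), so the test says nothing about relaying.
            return "inconclusive", steps
    code, _ = smtp.rcpt(foreign_rcpt)
    steps.append(("rcpt", code))
    return classify_rcpt(code), steps

class ScriptedServer:
    """Constructed stand-in that answers like the session in the article."""
    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
    def helo(self, name):
        return 250, b"Hello " + name.encode()
    def mail(self, sender):
        return 250, b"Sender OK"
    def rcpt(self, recipient):
        return self.rcpt_reply

def check_host(host, helo_domain, sender, foreign_rcpt, timeout=15):
    """The same test against a live SMTP server that you administer."""
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        return relay_test(smtp, helo_domain, sender, foreign_rcpt)

if __name__ == "__main__":
    denied = ScriptedServer((554, b"Relay rejected for policy reasons."))
    print(relay_test(denied, "outside.example", "probe@outside.example",
                     "someone@elsewhere.example"))
```

Run check_host from a machine outside the addresses listed in your Allow field, otherwise a 250 reply only shows that the allow list works.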