Open Mail Relays in Janet
Open relays allow any combination of origin and destination address, and are frequently abused by advertisers and others to distribute UBE. This will usually overload an organisation's mail server, affecting its ability to handle legitimate mail, and often leaves the organisation with a flood of complaints and error messages to deal with. Sites that are frequently abused as relays may be added to blocklists used by many network operators and ISPs to reject all e-mail and other traffic. Advice on preventing relaying is available from the MAPS website:
Janet has subscribed to some MAPS℠ services on behalf of all Janet customer organisations and they are encouraged to use the RBL℠. Guidance notes on how to use these services are available to assist managers or administrators of mail services within Janet-connected organisations from https://community.jisc.ac.uk/library/janet-services-documentation/dns-al...
E-mail and Security Issues
Unfortunately, most UNIX® systems are delivered with the sendmail server installed and running. All too often this will be an old version with known security or configuration problems. The first task in securing an e-mail system is therefore to disable all these unnecessary services and install extra protection at the network level, to help avoid problems that will undoubtedly spring up in future. For those hosts that do need to provide a mail service there are less powerful alternatives to sendmail available, which may be sufficient for many situations while also being easier, and therefore less error-prone, to set up. Further information about security issues may be found on the Janet CSIRT web pages.
All the usual network level threats and consequent countermeasures apply to computer and networking equipment associated with e-mail provision. As with other application services, there are also issues specific to the nature of mail and the way it is used and abused on the Internet.
General Countermeasures
Ensure that an intruder cannot take control of mail systems by:
- limiting connections with packet filters at firewalls and routers
- disabling unnecessary services on servers and workstations
- configuring servers to accept connections only as authorised
- installing patches and updates promptly for operating systems, mail and other applications and anti-virus software.
Specific Threats and Countermeasures
Monitor the service to establish what is a normal level of activity, and to recognise signs of overload before they cause difficulty. Document actions that might need to be taken if a problem occurs which requires disconnecting the mail server.
Unsolicited Bulk E-mail Sent to the Organisation's Own Users
Consider configuring the mail server to consult one or more DNS Block Lists about the source IP address before accepting each connection. The Janet mirror of the MAPS RBL+™ is one such list conveniently available for organisations connected to Janet.
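The DNS Block List check described above, as an added example that is not part of the Janet guidance: the connecting client's IPv4 address is reversed, the list's zone name is appended, and a 127.0.0.x answer means "listed". The zone name dnsbl.example.invalid and the fake resolver are constructed so the code runs offline; substitute the zone your site actually uses.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Constructed zone name: substitute the DNSBL zone your site actually uses.
DNSBL_ZONE = "dnsbl.example.invalid"

def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are shown here")
    reversed_octets = ".".join(reversed(client_ip.split(".")))
    return f"{reversed_octets}.{zone}"

def resolve_a(name: str) -> Optional[str]:
    """Real resolver: return the A record for name, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(client_ip: str, zone: str = DNSBL_ZONE,
              resolver: Callable[[str], Optional[str]] = resolve_a) -> bool:
    """True when the list answers with a 127.0.0.x address for the client.
    Only answers inside 127.0.0.0/8 count as a listing, so a misconfigured
    or hijacked zone returning other addresses cannot block all mail."""
    answer = resolver(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def smtp_connection_policy(client_ip: str, resolver=resolve_a) -> str:
    """The decision an MTA would make before accepting the connection."""
    if is_listed(client_ip, resolver=resolver):
        return "554 5.7.1 Service unavailable; client host is listed"
    return "220 ready"

# Constructed fake resolver standing in for DNS so the example runs offline.
_FAKE_ZONE_DATA = {
    "10.2.0.192.dnsbl.example.invalid": "127.0.0.2",   # listed
    "20.2.0.192.dnsbl.example.invalid": "10.9.9.9",    # bogus answer: ignored
}
def fake_resolver(name: str) -> Optional[str]:
    return _FAKE_ZONE_DATA.get(name)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, smtp_connection_policy(ip, resolver=fake_resolver))
```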
Relaying Through the Mail or Proxy Servers by Bulk Mailers
This can lead to overload, damage to reputation and blocking of mail to other places. Consider restricting access to TCP port 25 (SMTP) so that e-mail traffic can only travel by the intended route through the network. Similar considerations apply to TCP port 587, which RFC 2476 assigns for message submission.
For other issues surrounding e-mail relays, see the separate Janet documentation at https://community.ja.net/library/janet-services-documentation/janet-csirt
Open proxies are systems not primarily for mail use that accept some sort of inward connection and allow it to set up an ongoing connection that may be a mail transfer. Typically the incoming connection is web or HTTP on TCP port 80, and it is intended that client computers within the network can send all their web requests through it. SOCKS on port 1080 is another proxy protocol. Other ports are sometimes used, and an incorrectly configured web server can show the same behaviour.
Elimination of open proxies follows much the same pattern as elimination of open relays: examination of possible paths through one or more systems in the network and careful configuration and checking of firewalls, servers and client computers.
Introduction of Viruses and Other Malicious Software Through E-mail
If possible, use anti-virus software to scan incoming messages both at the mail server and on client computers; keep it up to date and regularly scan all the computers as viruses may arrive by routes other than e-mail.
Trojan Software Performing Bulk Mail Abuse
Software introduced into servers or client computers as a worm or virus by user indiscretion or by some intrusion may act as a proxy or may originate bulk mail on its own. Such rogue software installed through a system compromise can be very hard to detect on the machine affected, but routine monitoring of patterns of network traffic can alert the administrator to an incident and the headers of any mail sent will normally give some pointers to the source. It will often be necessary to rebuild a machine after such damage, and then try to find how the intrusion occurred to reduce the likelihood that it will happen again.
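Using the mail headers to find the source, as an added example that is not part of the Janet guidance: each relay prepends a Received header, so walking them from the top down to the lowest one written by a server the organisation operates identifies the machine that handed the message in. The sample message and all host names and addresses in it are constructed.

```python
import email
import re
from typing import List, Optional

# Constructed sample message: the hosts, addresses and ids are invented.
SAMPLE_MESSAGE = """\
Received: from mx.example.ac.uk (mx.example.ac.uk [192.0.2.5])
\tby mail.partner.example (Postfix) with ESMTP id ABC123
\tfor <user@partner.example>; Mon, 1 Jan 2001 10:00:03 +0000
Received: from ws-017.lab.example.ac.uk (ws-017.lab.example.ac.uk [198.51.100.17])
\tby mx.example.ac.uk (Postfix) with ESMTP id DEF456;
\tMon, 1 Jan 2001 10:00:01 +0000
Received: from [10.0.0.1] (unknown [203.0.113.9])
\tby ws-017.lab.example.ac.uk with SMTP; Mon, 1 Jan 2001 09:59:58 +0000
From: offer@example.net
To: user@partner.example
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_hops(raw_message: str) -> List[dict]:
    """Return the Received headers in delivery order (origin first), each as
    the 'from' host, the 'by' host that wrote the header, and the bracketed
    IP address the writing host recorded for the peer."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())           # unfold continuation lines
        m = FROM_BY_RE.search(text)
        ips = IP_RE.findall(text[:m.start(2)]) if m else []
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "ip": ips[-1] if ips else None})
    return hops

def ingress_hop(raw_message: str, our_hosts: set) -> Optional[dict]:
    """Find where the message entered our infrastructure: the earliest header
    written ('by') by a host we operate. Its 'from'/'ip' is the machine that
    handed us the mail; headers below it were supplied by that machine and
    may be forged, so they are counted but not trusted."""
    for index, hop in enumerate(received_hops(raw_message)):
        if hop["by"] in our_hosts:
            return {**hop, "unverified_hops_below": index}
    return None

if __name__ == "__main__":
    print(ingress_hop(SAMPLE_MESSAGE, {"mx.example.ac.uk"}))
```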