SecurityGateway saves administrators time by letting users manage their own quarantines!

Email spam quarantine

You’ve probably heard that the vast majority of  all email traffic is spam, but did you know the volume of spam as a percentage of all email traffic has gone down over the years? In April of 2014, spam made up almost 70% of all email traffic. The most recent records show spam at about 59% of all email traffic. While these numbers are down slightly, they are still quite significant, and thus email providers need to be armed with a variety of tools to combat spam.

For email administrators, one of the challenges of fighting spam is balancing tasks performed by the administrator with tasks that users can perform to take some of the workload from administrators. With SecurityGateway’s quarantine management features, users can be granted permissions to manage their own quarantines.

SecurityGateway can be configured to handle spam in various ways. Messages can be refused, quarantined, or accepted, and their spam scores can be adjusted accordingly. When messages are quarantined and held on the server, the administrator can determine whether, and how often, to send the user an emailed quarantine summary report. The administrator can also grant users permissions to view and manage their own quarantine folders in the SecurityGateway interface. The quarantine summary email allows users to release the message from quarantine, and whitelist or blacklist the sender. When the quarantine is viewed in the SecurityGateway interface, users have additional options, such as the ability to feed messages to SecurityGateway’s Bayesian spam learning engine. Giving users the ability to manage their own quarantines allows administrators to focus on other tasks.

We generally recommend using the Bayesian feature to mark a message as spam, rather than blacklisting the sender. Thus, to avoid any confusion, we’ve put together the following best practices guide on quarantine management in SecurityGateway.

Click here to view the new SecurityGateway Quarantine Management guide.

Following the suggestions outlined in this guide will help ensure that you receive the messages you want, and block the messages you don’t want.

If you have questions, let us know in the comments section below!

 

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Block Incoming Connections by Country with MDaemon’s New Location Screening Feature

Block connections by country with Location Screening
Block connections by country with Location Screening

As I announced recently in this post, MDaemon 17.5 has been released, with new security and collaboration features. One feature that our users will find particularly useful is the new Location Screening feature, which allows administrators to block incoming connections from specific countries. When you consider the scale and widespread distribution of global threats, blocking connections by country can provide the following benefits:

New spam domains, email zombies & phishing sites pop up all over the world every day. In fact, Cyren’s World Threat Map displays a handy visual representation of newly-discovered threats in real-time.

So if you know your company does not do business with certain countries, you can add these locations to MDaemon’s Location Screening feature and stop all traffic from these countries.

In previous versions of MDaemon, the best way to block connections by country was to use the DNS-BL feature, but with MDaemon 17.5, a new, intuitive check-box screen was added.  In this tutorial video, I show you how easy it is to configure Location Screening in MDaemon.

Do you have questions or feedback? If so, click on the “Leave a Comment” link under the title of this post & let us know!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

With today’s massive ransomware outbreak, here are a few reminders of how to avoid becoming a victim.

RansomwareAs I was coaxing myself awake this morning with my usual jolt of strong coffee, I checked my favorite news sites & was informed of yet another ransomware attack. This one, which is believed to have originated from Ukraine, was first thought to be a variation of last year’s Petya ransomware outbreak, but upon further investigation, it appears that today’s malware is a new type – a worm that some computer experts are referring to as “NotPetya“. This attack demands a smaller ransom (in comparison to other attacks) of approximately $300, and then begins to serve its primary purpose – to wipe files on the computer. According to researchers at Symantec, this attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry outbreak, as well as two other methods to spread the attack. According to information provided by this article on CNN, if you’ve installed all of the latest Windows patches, you should be safe from this particular strain of malware, however, by no means is this a reason to be complacent. Administrators and end users must still be mindful of safety precautions.

Due to the proliferation of Malware as a Service (MaaS), just about anyone with the desire and the funds can initiate a malware attack, making new & emerging threats a real concern for the foreseeable future. This presents a good opportunity to review best practices for avoiding ransomware – for end users, and for administrators via the tools available in MDaemon and SecurityGateway.

How can end users protect themselves from ransomware?

End users should be aware of the following 18 email safety tips, which originally appeared in this post.

  • Change your password often.
  • Use strong passwords. Never use a password that contains “password” or “letmein”.
  • Use a different password for each of your accounts. If you use the same password for your bank account as you do for your email account, you become much more vulnerable to data theft.
  • Don’t open an attachment unless you know who it is from & are expecting it. Many of today’s social engineering tactics rely on the ability to trick users into opening attachments.
  • Be cautious about email messages that instruct you to enable macros before downloading Word or Excel attachments. This article provides a good overview of why you should not enable macros in Microsoft Word.
  • Use anti-virus software on your local machine, and make sure it’s kept up-to-date with the latest virus definitions.
  • If you receive an attachment from someone you don’t know, don’t open it. Delete it immediately.
  • Learn how to recognize phishing
    – Messages that contain threats to shut your account down
    – Requests for personal information such as passwords or Social Security numbers
    – Words like “Urgent” – false sense of urgency
    – Forged email addresses
    – Poor writing or bad grammar
  • Hover your mouse over links before you click on them to see if the URL looks legitimate.
  • Instead of clicking on links, open a new browser and manually type in the address.
  • Don’t give your email address to sites you don’t trust.
  • Don’t post your email address to public websites or forums. Spammers often scan these sites for email addresses.
  • Don’t click the “Unsubscribe” link in a spam email. It would only let the spammer know your address is legitimate, which could lead to you receiving more spam.
  • Understand that reputable businesses will never ask for personal information via email.
  • Don’t send personal information in an email message.
  • Don’t reply to spam. Be aware that if you reply to a spam email, your reply most-likely will not go back to the original spammer because the FROM header in the spam message will most-likely be forged.
  • Don’t share passwords.
  • Be sure to log out.

How can administrators protect their systems from ransomware?

The battle against ransomware cannot be fought by users alone. Administrators must also take steps to lock down their email infrastructure. These best practices will help protect your network and users.

Best Practices for MDaemon Administrators

  1. Enable account hijack detection. This feature will automatically disable an account if a designated number of messages are sent from it via an authenticated session in a given period of time. When the account is disabled, the administrator receives a notification so that corrective action can be taken. Instructions for configuring account hijack detection can be found in this knowledge base article.
  2. Enable dynamic screening. Dynamic screening is a feature that blocks future connections from a connecting server or client based on its behavior.  Instructions for configuring dynamic screening can be found here.
  3. Configure the IP Shield. The IP Shielding feature allows administrators to assign an IP address (or IP address range) to email messages from a given domain. Messages claiming to come from a specific domain must originate from one of the approved IP addresses. Exceptions can be made for users connecting from outside of the network who are using SMTP authentication.  Click here for instructions.
  4. Require SMTP Authentication. This helps ensure that the user authenticates with a valid username and password. Instructions can be found here.
  5. Use DKIM & SPF to detect spoofing. DKIM uses a private/public key pair to authenticate a message. When an incoming message is signed with DKIM, a DNS record lookup is performed on the domain taken from the signature and the private key taken from the signature is compared with the public key in the domain’s DNS records. SPF uses a DNS record that lists hosts that are allowed to send mail on behalf of a domain.
  6. Enable DMARC & configure your DMARC record. DMARC (Domain-Based Message Authentication, Reporting & Conformance) allows domain owners to instruct receiving servers on how to handle messages claiming to come from their domain that did not pass DKIM and SPF lookups.  Learn more here.
  7. Ensure that all connections (SMTP, POP, IMAP), are using SSL. SSL (Secure Sockets Layer) is a method for  encrypting the connection between a client and server, as well as between to servers. Learn more here.
  8. Have a backup strategy. If by chance malware still manages to infect your network, your last resort is to have a reliable backup strategy. Ideally, you should have your systems backed up off-site and, for added safety, secondary backup data should be saved to media that is not connected to the network.

More information on these settings can be found in the following guide on best practices for protecting your users:

Email Server Settings – Best Practices

Best practices for SecurityGateway administrators

SecurityGateway provides an extra layer of anti-spam, anti-spoofing and anti-malware security, in addition to your mail server’s built-in security settings. These best practices will help keep ransomware and other malicious content from reaching your mail server. Each item includes a link with more information.

  1. Require strong passwords.
  2. Query a user verification source to ensure that users are valid.
  3. Require SMTP authentication to prevent unauthorized account access.
  4. Prevent unauthorized mail relaying.
  5. Protect your domain with IP Shielding.
  6. Require SSL encrypted connections.
  7. Configure backscatter protection.
  8. Don’t whitelist local addresses. If a spam messages was spoofed with one of your local addresses, this could allow the spam message to bypass various security features. This why it is recommended that no local addresses be added to your whitelist.
  9. Enable spam & virus Outbreak Protection.

These steps are discussed in more detail in the following guide:

SecurityGateway – Settings to Protect Your Mail Server

Of course, no system is 100% fool-proof, which is why user education is so important. Remember – your network and email infrastructure are only as secure as their weakest link. It is the responsibility of all parties involved – administrators and end users, to help ensure a secure messaging and collaboration environment.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Is spam being sent out from a local machine on your network? Follow these steps to track down a spambot.

Has this happened to you? Let’s say you’re the MDaemon administrator for your company, and you’ve noticed that somewhere, somehow, spam messages are being sent from within your network. Perhaps one of your PCs has been compromised. What do you do? Here are some tips to help you track the issue down.

First, make sure you have the option “Authentication is always required when mail is from local accounts” enabled (Security | Security Settings | SMTP Authentication). Also enable “Credentials used must match those of the return-path address” and “Credentials used must match those of the From header address.” Then, make sure “…unless message is sent to a local account” is unchecked to prevent intra-domain spam (between local domain users).

SMTP Authentication in MDaemeon
Make sure the appropriate boxes are checked to require SMTP authentication

Next, find out if the spam messages are coming in from an authenticated session. To do this, locate one of the spam messages & open it up in Notepad to view its headers (or you can open it in Queue & Statistics Manager). Does the message have an X-Authenticated-Sender header? It will look something like this:

X-Authenticated-Sender: SpammerUser@example.com

If this header is present, then that is the user who authenticated to send the message. The first thing you should do in this case is to change the account’s password via the Accounts menu in MDaemon. Even if the spamming is going through the user’s mail client, until you give the user the new password and they update their mail client the authentication credentials will be rejected and the spamming will be temporarily stopped.

In newer versions of MDaemon, we’ve added Account Hijack Detection, which will automatically disable an account if it sends a specified number of outbound messages via an authenticated session in a given period of time. We recommend enabling this feature. In MDaemon, it’s located under Security | Security Settings | Screening | Hijack Detection.

Account Hijack Detection
Account Hijack Detection

The next step is to look at the Received headers. Find the one where the message was received by your server. Here is an example of what this header would look like:

Received from computer1 (computer1@example.com (192.198.1.121) by example.com (MDaemon PRO v17) with ESMTP id md50000000001.msg for <UserWhoWasSpammed@example.com >, Fri, 13 Sep 2016 21:00:00 -0800

Find the connecting IP (192.198.1.121) in the above example. This is the machine that is sending out spam. Locate that machine to deal directly with the spambot on that machine.

If the message wasn’t authenticated or wasn’t sent from your local network, locate the Message-ID header and copy that value.

Message-ID: <123.xyx.someone@example.net>

Then open the MDaemon SMTP-IN log that covers the time when that message was received by MDaemon (based on the timestamp in the received header) and search for that Message-ID in the log (in the 250 response line when the message is accepted):

Thu 2016-09-12 20:00:00: –> 250 Ok, message saved <Message-ID: <123.xyx.someone@example.net>>

Look at the rest of transaction and see why the message was accepted/not rejected – spam score, DNSBLs, etc.

Also, if your external domain is listed in the Trusted Hosts list (Security | Security Settings | Trusted Hosts), try removing it from this list.

Check back often for more tips & tricks!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

New Feature: Email Health Check for Optimal Security Settings

Our latest version of MDaemon, MDaemon 17, comes packed with lots of new features for administrators and end users, including new password security, support for Let’sEncrypt, DropBox integration, message scheduling, and much more. Today, I’d like to demonstrate MDaemon’s new Health Check utility. With this handy new tool, administrators no longer have to go through each feature to verify that it’s configured for optimal security. This new tool will analyze all security-related settings, display each setting’s current value, its recommended value, and where that feature is located in the MDaemon interface. This tool offers administrators the flexibility to change all settings to their recommended value at the same time, or to select and change individual settings. In this tutorial video, I demonstrate how to use the new Health Check utility.

Need additional help? More guidance on the MDaemon Health Check utility can be found in this knowledge base article.

If you haven’t yet upgraded to MDaemon 17, check out the release notes and our previous blog post to see what you’re missing!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

10 Ways to Reduce Spam in Your Inbox

SpamBefore the invention of email, mail that arrived in your physical mailbox often contained pamphlets, sales brochures, credit card offers, and product catalogs. Much of this waste was thrown away and ended up in a landfill somewhere. Today, the equivalent and often more annoying nuisance is spam. Spam comes in many forms. Some examples include dubious product claims, miracle supplements, conspiracy theories, and offers of easy money.

Spam statistics are staggering. More than 100 billion spam messages are sent every day, representing around 85 percent of global email traffic.

So what can be done about this spam epidemic? There are numerous spam fighting tools in MDaemon and other mail servers, but server-side tools are only half of the spam-fighting equation. The other half is user education. With this in mind, here are 10 things users can do to reduce the amount of spam they receive.

  1. Unsubscribe – How often have you been asked by a store clerk for your email address or placed an order online? In either of these situations, chances are you may have ended up on a company’s mailing list. When you receive email from these companies, take the time to open the message and click on the Unsubscribe link. But first, make sure the email is in fact coming from a reputable company. If you’re not completely sure where the email came from, then report the message as spam instead of unsubscribing.
  2. Create a secondary email account – While we’re on the topic of retailers having your email address, you might also consider having a second email address that’s used solely for the purpose of store records or placing orders. This allows you to keep solicitations from these vendors out of your primary inbox.
  3. Keep your email address private – If your email address is visible on social networking sites like Facebook or Twitter, then it’s also visible to spammers. Spammers have tools that can easily detect visible email addresses and add them to their mailing lists. This is why it’s often recommended that, if you MUST use your email address on one of these sites, you mask it by changing its format. For example, type out “at” instead of using the “@” symbol.
  4. Before you join a list, make sure the list owner cannot sell your email address – If the list you’re joining has a privacy policy, read it thoroughly and make sure your information cannot be sold to a third party.
  5. Don’t reply to ANY spam or unsolicited marketing messages – Most spam messages use forged sender (return-path) addresses, so replying to a spam message will almost never result in the spammer getting your message. Replying to legitimate marketing messages tells the sender that your email address is valid, and thus, they may continue to send you spam.
  6. Never click on links – Often, when you click on a link in a spam email, it specifically identifies you to the spammer as having received the message. Not only can clicking links in spam messages identify you to the spammer; you can also end up getting infected with malware.
  7. Block Images – Even if you don’t click any links, an image opening in your email can alert spammers to a valid address. Spammers often try to be stealthy by inserting images that are only one pixel wide. If your mail client is configured to automatically open images, spammers can be alerted that your email address is valid. We recommend configuring your email client to automatically block images to reduce spam. You can always choose to view images in specific emails if you are sure the sender and content are legitimate.
  8. Make your email address unique – Spammers often use common names to try to guess email addresses. If your email address is unique, it makes it harder for spammers to guess your email address.
  9. Don’t fall for scams – If you receive an anonymous email from someone who appears to be in dire need, who promises you large sums of money for your small up-front investment, you may be witnessing the familiar Nigerian email scam, or one of many other variants. What are the odds that someone you’ve never met, who’s in a desperate situation, would contact you for help? Don’t fall for this scam.
  10. Never forward email from someone you don’t know – I often see email messages with some type of public service announcement, petition, or other bit of advice, and often, there’s a request to forward the message to your friends. Don’t fall for this, as it’s a prime opportunity for spammers to harvest email addresses.

Blocking junk email is not just the job of the mail server administrator. A well-informed email user can mean the difference between spam that is manageable and spam that is out of control. These ten tips will help you reduce spam, and help prevent you from becoming a victim to phishing or malware.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Get Aggressive at Fighting Spam by Re-training the Bayesian Learning Process in MDaemon

Fight spam with Bayesian Learning in MDaemon

In certain situations, it may be necessary to retrain your Bayesian Learning database. This can be necessary when spam messages are inadvertently placed in the Bayes non-spam folder, or when non-spam messages are placed in the Bayes spam folder.

To reset your Bayesian Learning and start training it again from scratch, you can perform the following steps:

1. Stop the MDaemon service.
2. Verify that the MDaemon executables (MDaemon.exe, CFEngine.exe, MDSpamD.exe, WorldClient.exe) have all exited memory using Windows task manager.
3. Rename the folder “/MDaemon/SpamAssassin/Bayes/” to”/MDaemon/SpamAssassin/Bayes.old/”
4. Re-launch MDaemon.
5. Go to Security | Spam Filter | Bayesian Classification, then click on the Learn button.

At this point, MDaemon recognizes that the Bayes folder isn’t there when the learn process is triggered, so it builds a new Bayes folder.

You will then need to feed Bayesian learning at least 200 spam and 200 non-spam messages (although the more the better) to start the Bayesian learning process again. Here is a knowledge base article on training the Bayesian learning process in MDaemon.

The Bayesian learning engine won’t process new messages until the administrator has taught it 200 spam and 200 non-spam messages. So even if an administrator were to manually press the Learn button OR have MDaemon learn automatically at midnight, the Bayesian engine  wouldn’t apply itself to new messages even though the new folder is created.

Once MDaemon recognizes that Bayesian learning has learned more than 200 spam and 200 non-spam messages, it will start applying what it has learned to new messages.

You can run a script to determine how many messages the Bayesian filter has learned from. This will come in handy for administrators who need to know how many more messages to feed the Bayesian filter. This process is explained in this knowledge base article.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •