funsec mailing list archives

Spamhaus for Extra Mail Server Security


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 12 Sep 2009 02:42:41 +0300

Here's something I recently wrote, which I'd like to share with you.

Spamhaus For Extra Mail Server Security

Posted by Gadi Evron, Sep 10, 2009 04:26 PM

Spamhaus, the anti-spam organization, provides a reliable list of 
compromised computers -- bots -- used to send spam. This list can be 
used as an extra layer of security for your email server, among other 
purposes.

By filtering with this blacklist, millions of mail servers worldwide 
manage to stay operational. At the same time, email remains a viable 
communication medium in spite of the load spam emails put on the 
infrastructure.

There's never a good time to discover you can't use email, especially 
while flying around the world on business. This recently happened to me; 
I was unable to send email, and the error message baffled me. It claimed 
my IP address was on the Spamhaus ZEN blacklist.

Blacklisting is supposed to be enabled only for other servers trying to 
connect to mine, so why was the server blocking me, a user, when I 
authenticated and tried to email?

Turns out the problem was due to a configuration error. But I liked it; 
the bug became a feature.

Because I'm among very few users using this server, the inconvenience 
was negligible. If I am willing to not email while connecting via 
insecure networks, then I gain an extra layer of security.

Millions of bot-infected computers are far less likely to be successful 
in compromising the server because they can't access much of its 
functionality. Given that most Internet attacks are performed via bots, 
I feel this raises the security level of the server at the price of 
being slightly inconvenienced when on the road.

I cannot IP filter an SMTP server to be available only from certain 
locations -- as if I even wanted to limit myself in such a way. By its 
very nature as a public service, it needs to be available to the world 
if I am to receive email from others. And this extra security helps 
increase my assurance level.

This solution won't work for everybody. Perhaps you are not willing to 
inconvenience yourself, or perhaps you use a busier server and can't 
decide on such a measure for the other users. But it works for me.

Of course, there are many varied solutions for secure email. This 
bug-become-feature just made mine better.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
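
The trade-off described in the post, as an added example (not part of the original message and not Spamhaus code): a ZEN lookup applied either to every SMTP client, as in the author's setup, or only to unauthenticated ones. The return-code mapping follows Spamhaus' published ZEN codes; the function names, the injected resolver and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"

def zen_query_name(ip):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZEN

def classify(answer):
    """Map a ZEN A-record answer to 'SBL', 'XBL', 'PBL', 'error' or None."""
    if answer is None:
        return None                      # NXDOMAIN: not listed
    if answer.startswith("127.0.0."):
        last = int(answer.rsplit(".", 1)[1])
        if last in (2, 3, 9):
            return "SBL"
        if 4 <= last <= 7:
            return "XBL"                 # exploited / bot-infected hosts
        if last in (10, 11):
            return "PBL"                 # end-user ranges, not for direct delivery
    return "error"                       # 127.255.255.x or unknown: not a listing

def system_resolver(name):
    """Real lookup; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def decide(ip, authenticated, check_authenticated, resolve=system_resolver):
    """Return 'accept' or 'reject' for one SMTP client.

    check_authenticated=True models the setup in the post (DNSBL applied even
    to logged-in users); False models the usual exemption for them.
    """
    if authenticated and not check_authenticated:
        return "accept"
    listing = classify(resolve(zen_query_name(ip)))
    return "reject" if listing in ("SBL", "XBL", "PBL") else "accept"

# Constructed resolver data (documentation addresses), so this runs offline.
FAKE_ZONE = {
    zen_query_name("192.0.2.10"): "127.0.0.4",         # constructed: XBL entry
    zen_query_name("198.51.100.7"): "127.0.0.11",      # constructed: PBL entry
    zen_query_name("203.0.113.5"): "127.255.255.254",  # constructed: query refused
}
fake_resolve = FAKE_ZONE.get
```

Treating the 127.255.255.x answers as listings would reject all mail whenever the resolver is refused service, so the example accepts on any answer it cannot classify.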

