How to prevent spammers from using your mail server as their own

To most server administrators, this will be common knowledge. When we write about CMS or Web CMS, we think of WordPress, Joomla! or Drupal and what you can do with those systems. But we never think of the servers on which these run, and the many ways people with bad intentions can use them to harass or hurt others. Here’s at least one tip to prevent spammers from using your mail server as their own.

The term “open relay” refers to a mail server that accepts mail for relaying to outside domains without applying any controls to that relaying, such as requiring authentication or restricting it to trusted networks. But even when your server is not an open relay, one or more of its email accounts may be compromised, and a spammer who knows the password can relay through your server as an authenticated user.
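To make the distinction concrete, here is an added illustration (not code from the original post, and not taken from any real mail server) that models the relay decision an SMTP server makes for each recipient. The rule names follow common MTA terminology (trusted networks, authenticated sender, local domain); the rule order, the network ranges and the account names are assumptions constructed for the example.

```python
"""Relay decision logic of an SMTP server, modelled in plain Python.

Added illustration, not code from the original post or from any real MTA.
Rule order and the sample networks/accounts are assumptions made here.
"""
import ipaddress


class RelayPolicy:
    def __init__(self, mynetworks, local_domains, permit_authenticated=True):
        # Networks trusted to relay without authenticating (normally the host itself).
        self.mynetworks = [ipaddress.ip_network(n) for n in mynetworks]
        # Domains this server delivers for; mail to them is delivery, not relaying.
        self.local_domains = {d.lower() for d in local_domains}
        self.permit_authenticated = permit_authenticated

    def decide(self, client_ip, sasl_user, rcpt):
        """Return (accepted, reason) for one RCPT TO, given the connecting
        client's IP address, its authenticated user name (None if it did not
        authenticate) and the recipient address."""
        rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
        if rcpt_domain in self.local_domains:
            return True, "local delivery"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.mynetworks):
            return True, "permit_mynetworks"
        if self.permit_authenticated and sasl_user:
            return True, f"permit_sasl_authenticated ({sasl_user})"
        return False, "554 5.7.1 Relay access denied"

    def is_open_relay(self, probe_ip="198.51.100.7", probe_rcpt="victim@external.example"):
        """An unauthenticated stranger relaying to a foreign domain is the
        definition of an open relay (probe values are constructed)."""
        accepted, _ = self.decide(probe_ip, None, probe_rcpt)
        return accepted


# Constructed configurations: the first trusts every IPv4 address, so anyone can
# relay; the second trusts only the host itself plus authenticated users.
OPEN = RelayPolicy(mynetworks=["0.0.0.0/0"], local_domains=["example.com"])
HARDENED = RelayPolicy(mynetworks=["127.0.0.0/8"], local_domains=["example.com"])

if __name__ == "__main__":
    for name, policy in (("open", OPEN), ("hardened", HARDENED)):
        print(name, "open relay?", policy.is_open_relay())
        # Even the hardened server relays for a compromised account: a stranger
        # who authenticates as test@example.com gets through.
        print(name, "compromised account:",
              policy.decide("203.0.113.5", "test@example.com", "victim@external.example"))
```

The last line of output is the point of the paragraph above: a server that is not an open relay still relays whatever an authenticated (and possibly stolen) account sends, so closing the relay is necessary but not sufficient.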

If you see an increase in activity in your server’s root or log messages, take heed. It could be that a spammer is working with a compromised account. I had one when my ISP migrated my old dedicated server to a new, faster one. Apparently, he set up a couple of test email addresses to see if everything had gone well. Unfortunately, he didn’t secure them with a good password.

The results were dramatic — and I wouldn’t have believed this if I hadn’t seen it with my own eyes. In no more than 30 minutes the spammer succeeded in relaying 80,000 messages through that address. At first, I didn’t know what to fix first, so I blacklisted his IP address. That stopped the flood… for about a quarter of an hour. Another IP address started relaying.
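The pattern described above (one account submitting far more than it should, and the sender moving to a new IP address when the first is blocked) is easy to catch in the submission log before the count reaches the tens of thousands. The following added example is not from the original post; the log lines imitate the shape of Postfix smtpd entries (`client=host[ip]`, `sasl_username=user`), and the lines, account names, window and threshold are all constructed here.

```python
"""Spot a compromised account in SMTP submission logs.

Added example, not from the original post. The log format imitates
Postfix smtpd lines; the sample lines, accounts and threshold below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"[0-9A-F]+: client=[^\[]+\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?$"
)


def parse_authenticated(lines, year=2024):
    """Return {user: [(timestamp, client_ip), ...]} for authenticated sessions.
    Syslog lines carry no year, so one is supplied (assumption)."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("user"):
            continue  # unparsable, or an unauthenticated (inbound) connection
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events[m.group("user")].append((ts, m.group("ip")))
    return events


def flag_suspicious(lines, window=timedelta(minutes=10), max_per_window=50):
    """Flag accounts that submit more than max_per_window messages inside any
    sliding window, and list the distinct client IPs they used: a spammer who
    is blocked on one address tends to carry on from another."""
    flagged = {}
    for user, ev in parse_authenticated(lines).items():
        ev.sort()
        times = [t for t, _ in ev]
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[user] = {"peak_in_window": peak, "total": len(ev),
                             "client_ips": sorted({ip for _, ip in ev})}
    return flagged


def sample_log():
    """Constructed log: one abused test account firing from two IPs, one normal user,
    and one unauthenticated inbound connection that must be ignored."""
    base = datetime(2024, 1, 12, 10, 0, 0)
    lines = []
    for i in range(120):  # 120 submissions in 20 minutes, IP changes half-way
        ts = base + timedelta(seconds=10 * i)
        ip = "203.0.113.5" if i < 60 else "198.51.100.23"
        lines.append(f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} mail postfix/smtpd[4242]: "
                     f"{0x5A1B20 + i:X}: client=unknown[{ip}], sasl_method=PLAIN, "
                     f"sasl_username=test@example.com")
    for i in range(3):
        ts = base + timedelta(minutes=7 * i)
        lines.append(f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} mail postfix/smtpd[4243]: "
                     f"{0x7C0000 + i:X}: client=laptop.example[192.0.2.10], "
                     f"sasl_method=PLAIN, sasl_username=alice@example.com")
    lines.append("Jan 12 10:03:00 mail postfix/smtpd[4244]: 7D0001: "
                 "client=mx.other.example[192.0.2.99]")
    return lines


if __name__ == "__main__":
    for user, info in flag_suspicious(sample_log()).items():
        print(user, info)
```

Run it against a real log by replacing `sample_log()` with the lines of your submission log; the threshold is deliberately low because a legitimate user rarely submits fifty messages in ten minutes, whereas the account in the story managed eighty thousand in thirty.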

In the end, I managed to stop the entire process by removing the test addresses altogether, but in some cases that might not help and you would need to set up a firewall to keep the Huns out. Besides badly protected email addresses, spam can also find its way out through your CMS / Web CMS: for example, poorly secured PHP scripts that expose mailer functionality can be abused to send spam.

WordPress plug-ins in particular can be a major pain in this respect. My advice: never use a plug-in that insists on sending email unless you’ve carefully gone through that plug-in’s support forums and found no complaints in that area. Of course, plug-ins that are new are risky…

Short of more drastic measures like tuning a firewall, reset the password of any email account that does not meet these criteria:

  • At least one (1) upper-case character
  • At least one (1) lower-case character
  • At least one (1) number
  • At least one (1) symbol (e.g. !@#$%^&*)

Passwords should be at least 8 characters long, preferably longer. Never, ever make a password the same as your username, or any variation thereof, and don’t use common words like “god”, “secret”, “password” or “love”.
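The rules above are simple enough to enforce in a script when auditing or resetting accounts. The following added example is not from the original post; it implements the listed criteria as written, and the definition of “a variation of the username” (the local part or full address, reversed or with digits removed, appearing inside the password) and the small list of common words are assumptions made here.

```python
"""Password checks for mail accounts, following the rules in the post.

Added example, not from the original post. The 'variation of the username'
test and the common-word list are assumptions made here.
"""
import re
import string

# The four words named in the post; extend this with a proper word list.
COMMON_WORDS = {"god", "secret", "password", "love"}


def username_variations(username):
    """Assumed definition of 'a variation of the username': the full address
    and its local part, lower-cased, reversed, and with digits removed."""
    local = username.split("@", 1)[0].lower()
    base = {username.lower(), local, local[::-1]}
    stripped = {re.sub(r"\d+", "", v) for v in base}
    return {v for v in base | stripped if len(v) >= 3}


def password_problems(password, username):
    """Return the list of rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if not any(c.islower() for c in password):
        problems.append("no lower-case character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    if any(v in lowered for v in username_variations(username)):
        problems.append("derived from the username")
    # 'Password1!' is still 'password': compare the letters alone as well.
    letters = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or letters in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


if __name__ == "__main__":
    # Constructed accounts and passwords for demonstration.
    for pw, user in [("Tr0ub4dor&3", "alice@example.com"),
                     ("Test123!", "test@example.com"),
                     ("Password1!", "bob@example.com"),
                     ("Ab1!", "carol@example.com")]:
        print(f"{user:20} {pw:14} {password_problems(pw, user) or 'OK'}")
```

Note that passing these checks only rules out the obviously weak choices the post warns about; length and unpredictability matter more than the exact character mix, so treat the criteria as a floor, not a target.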

Additionally, don’t use email addresses that are common, like “info@,” “test@,” or “admin@,” because those can encourage hackers to try to break into such accounts. If such an account is necessary, instead of setting up a real account for a common name like this, set up a forwarder and point it to another address. That way there’s absolutely no way the common address will ever become an issue security-wise.