How to… Block Spam, Stop Spam, Fight and Filter Spam

Spam – How to Reduce and Prevent Spam

What is SPAM?

Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send — most of the costs are paid for by the recipient or the carriers rather than by the sender.

What do UKC do to block SPAM?

As your web host we do all we can to prevent spam at the server level. Every incoming email is checked against no fewer than 5 global anti-spam filter lists (such as SpamCop). Only if the sending mail server's identity passes all five spam filter tests is the email passed on to the recipient. This eliminates a huge amount of spam, but unfortunately not all spam can be blocked. There are many steps that you can take that will further block spam.

Delete your Catch-all email address

Many spammers will use dictionary attacks on your domain name. By deleting your catch-all account (listed under aliases in your hosting control panel), only email sent to valid email aliases will make it through to your inbox. This can vastly reduce the amount of spam received and is the single most effective step in spam blocking. Go ahead, reduce spam and delete your catch-all email address now.

Do not expose your email address

Do your best not to expose your email address on the internet. Putting your email address on your website or posting it in public forums is a sure way of having your email address ‘harvested’ by a spam spider. Whenever your email address is exposed in a public location it is at risk of being picked up, so try not to do it with your most important email addresses.

Install local anti spam filter software

We attempt to block spam before it gets to your inbox using the top DNS spam blacklists (such as SpamCop); however, it is not possible to block all spam. For spam that does make it through to your inbox you should consider a PC-based spam blocker or spam filter. This is usually software based and can be configured according to the type of spam you receive.

Use multiple email addresses

Sign up for a number of free email addresses and use these for newsletter subscriptions and other non-trustworthy locations. Try not to give out your main email address except to your closest associates, friends and family.

Never open attachments from unknown sources

Attachments from people you do not know are BAD. They usually contain viruses; do not open them under any circumstances. Any spam containing attachments will almost certainly contain a virus of some sort.

Never reply to a spam email

Many spammers are looking for a valid response to their email which verifies that the email address is operational. Never reply to a spam email.

You’ve been redirected to our Spam Trap

Your email bounced with a message leading you here. Why?

We hate spam. To try to keep spam levels down, we’ve implemented a bunch of filters to block as much as we can.

Unfortunately, nobody’s perfect and we occasionally block email from our friends too. This page lists all of the messages our server sends when it blocks email so you can read about what the filter is and why you were blocked.

If you’re not a spammer and your email has been blocked, we’re sorry.  Please submit a whitelist request and we’ll fix our filters so you never get blocked again.

Error messages you might have come across

DENIED_RBL_MATCH

Refused. Your IP address is listed in the RBL

We are using the Real Time Blacklist mentioned above. You have to contact them in order to be unlisted. To check where your IP address is listed: MX Toolbox Blacklist Checker

DENIED_RDNS_MISSING

Refused. You have no reverse DNS entry.

Every server on the internet should have a reverse DNS entry, especially mail servers.

Our mail server checks for reverse DNS entries. Any email coming from a server without one is blocked. This stops a lot of email from servers that shouldn’t be sending email, such as virus-infected home computers, bot nets, anonymous servers all running from temporary IP addresses.

DENIED_IP_IN_CC_RDNS

Refused. Your reverse DNS entry contains your IP address and a country code.

Your server’s reverse DNS entry contains its IP address and ends in a two-character country code. For example, if your IP address is 11.22.33.44 and your reverse DNS entry is 11.22.33.44.example.com.us, our server is going to block your email. IP addresses in reverse DNS entries usually indicate servers that shouldn’t be sending email – just the kind of server a spammer would use.

Just change your reverse DNS entry to something meaningful to resolve the issue.

To look up your mail server’s reverse DNS, use this rDNS tool: Reverse DNS Lookup

DENIED_SENDER_NO_MX

Refused. The domain of your sender address has no mail exchanger (MX).

Your domain’s MX record either doesn’t exist or lists a name that doesn’t resolve AND your domain name doesn’t have an A record. This means no mail to your domain can possibly be delivered, including bounce messages.

DENIED_AUTH_REQUIRED

Refused. Authentication is required to send mail.

We do not accept any email unless the sender authenticates first. Reconfigure your mail client and try again. Ensure you are using SMTP port 587 to authenticate. Port 25 rarely works these days.

DENIED_IDENTICAL_SENDER_RECIPIENT

Refused. Identical sender and recipient addresses are not allowed.

You are attempting to send email both “to” and “from” the same address, which we don’t accept. In most cases, authenticating your connection will avoid this block.

ENVELOPE_SENDER_IN_BADMAILFROM_LIST

Refused. Your address is in our BadMailFrom list

Your email address (or domain) has violated a number of anti-spam filters and has triggered a time limited block. The block is automatically removed within 12-24 hours.
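The DENIED_RBL_MATCH, DENIED_RDNS_MISSING and DENIED_IP_IN_CC_RDNS tests described above can be sketched as follows. This is an added example, not the code our mail server runs. The order of the checks, the function names, the matching of dash-separated or reversed octets, and the placeholder list zone are assumptions; DNS answers are passed in as arguments so the example runs offline.

```python
import ipaddress
import re

def dnsbl_query_name(ip, zone):
    """DNS name a blacklist client looks up: reversed IPv4 octets + list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def dnsbl_listed(answer):
    """By DNSBL convention an A record in 127.0.0.0/8 means 'listed'."""
    if answer is None:          # NXDOMAIN: the address is not on the list
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def ip_embedded(ip, hostname):
    """True if the hostname carries all four octets of the IP address.
    Assumption: octets may be in forward or reverse order, joined by '.' or '-'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for order in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + "[.-]".join(order) + r"(?!\d)"
        if re.search(pattern, hostname):
            return True
    return False

def check_sender(ip, ptr_name, dnsbl_answer):
    """Return the rejection code for a connecting server, or None to accept.
    ptr_name is the reverse DNS result (None if there is no entry);
    dnsbl_answer is the A record returned for dnsbl_query_name(), or None."""
    if dnsbl_listed(dnsbl_answer):
        return "DENIED_RBL_MATCH"
    if not ptr_name:
        return "DENIED_RDNS_MISSING"
    name = ptr_name.rstrip(".").lower()
    tld = name.rsplit(".", 1)[-1]
    # Both conditions must hold: IP address in the name AND a two-letter ending.
    if ip_embedded(ip, name) and re.fullmatch("[a-z]{2}", tld):
        return "DENIED_IP_IN_CC_RDNS"
    return None

if __name__ == "__main__":
    # Constructed inputs; 'dnsbl.example' is a placeholder zone, not a real list.
    print(dnsbl_query_name("11.22.33.44", "dnsbl.example"))
    print(check_sender("11.22.33.44", "11.22.33.44.example.com.us", None))
    print(check_sender("11.22.33.44", "mail.example.com", None))
```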

Catch-All | Delete Catchall | catch All Email

Catchall Addresses & Dictionary SPAM Attacks

Catchall (or wildcard) addresses are the addresses that receive all email for a domain, unless there is a specific address better suited to handle the incoming email. You may or may not have one on one of your domains. e.g.

Bloggs.com has two email addresses, “joe@bloggs.com” and “@bloggs.com” (the catchall). If a mail comes in addressed to joe@bloggs.com, it is delivered to the “joe@bloggs.com” mailbox. If a mail comes in addressed to sales@bloggs.com, it is delivered to the “@bloggs.com” mailbox.

With the ever increasing level of spam on the Internet, people are being more guarded with their email addresses. It’s therefore more difficult for spammers to obtain valid addresses to send their messages to. Rather than scour the WWW for a limited supply of well protected addresses, they’ve come up with a better idea: Find domains through search engines, and then send thousands of emails to common ‘local parts’ at those domains. (The ‘local part’ is the bit before the @ sign)

For example, they might find the bloggs.com domain through a search engine, or a domain registration tool, and then send to the following email addresses:

sales@bloggs.com, info@bloggs.com, webmaster@bloggs.com, john@bloggs.com, peter@bloggs.com, simon@bloggs.com, steve@bloggs.com, neil@bloggs.com, paul@bloggs.com, derek@bloggs.com, etc, etc.

There’s only a small number of addresses listed here, but depending on the thoroughness of the spammer, there can be upwards of 20,000 variations for a single domain. And, because bloggs.com has a catchall email address, every single message will end up in the one mailbox.

Dictionary SPAM Attacks

This is called a ‘dictionary attack’, and is getting more and more popular with spammers. Quite often, they’ll send these messages out from a huge network of ‘zombie machines’ or ‘bots’, which are virus/adware infected home PCs. Because of this vast distributed network of infected machines sending the mail, there’s no reliable way of blocking the mail.

What’s worse is that some of the dictionary attacks check for ‘successful’ delivery, i.e. if a recipient is not refused at the destination mail server, then the recipient’s address is added to the ‘verified’ list, and possibly sold on to other spammers.

So now, the catchall mailbox at bloggs.com is overwhelmed with 20,000 messages, and because none of the mail was rejected, is on the list of ‘viable targets’ for another attack.

Recently, more and more domains that we host email for have been falling victim to dictionary attacks. A lot of them do not have catchalls, and the spammer’s mail is harmlessly bounced before even being allowed onto our servers, but a few domains have been effectively disabled for many hours, thanks to the catchall accepting the many thousands of email messages. Either the customer’s Exchange/Outlook server falls over under the strain, or the customer has to retrieve all the messages slowly, and then sift through, looking for legitimate mail. This isn’t limited to POP accounts either, as catchall forwards are affected. Both affect the performance of the servers, and impact the quality of service for your domains, and the domains of other customers.
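The effect of a catchall during a dictionary attack, and the signal that identifies one, can be shown with a short simulation. This is an added example, not code from our mail system. The log tuples, source IP addresses (documentation ranges) and function names are constructed for illustration; the local parts are the ones listed above.

```python
from collections import defaultdict

# Constructed sample: (source IP, RCPT TO address) as a mail log might record them.
GUESSES = ["sales", "info", "webmaster", "john", "peter",
           "simon", "steve", "neil", "paul", "derek"]
SAMPLE = [("192.0.2.%d" % (i + 1), g + "@bloggs.com") for i, g in enumerate(GUESSES)]
SAMPLE.append(("198.51.100.7", "joe@bloggs.com"))   # one legitimate message

VALID = {"bloggs.com": {"joe"}}                      # real mailboxes per domain

def rcpt_decision(address, valid, catch_all):
    """SMTP reply code for one RCPT TO: 250 accept, 550 reject unknown user."""
    local, _, domain = address.lower().partition("@")
    if local in valid.get(domain, set()):
        return 250
    return 250 if domain in catch_all else 550

def summarize(rcpts, valid, catch_all):
    """Per-domain delivery counts plus the signals that mark a dictionary run."""
    stats = defaultdict(lambda: {"delivered": 0, "rejected": 0,
                                 "unknown": set(), "sources": set()})
    for src, address in rcpts:
        local, _, domain = address.lower().partition("@")
        s = stats[domain]
        code = rcpt_decision(address, valid, catch_all)
        s["delivered" if code == 250 else "rejected"] += 1
        if local not in valid.get(domain, set()):
            s["unknown"].add(local)     # a guessed local part
            s["sources"].add(src)       # one guess per bot defeats per-IP limits
    return dict(stats)

def is_dictionary_attack(s, min_unknown=5):
    """Flag on distinct unknown local parts per domain, not on sender volume."""
    return len(s["unknown"]) >= min_unknown

if __name__ == "__main__":
    for label, catch_all in (("catch-all on ", {"bloggs.com"}),
                             ("catch-all off", set())):
        s = summarize(SAMPLE, VALID, catch_all)["bloggs.com"]
        print(label, s["delivered"], "delivered,", s["rejected"], "rejected,",
              len(s["sources"]), "sources, attack:", is_dictionary_attack(s))
```

With the catchall in place all eleven messages are delivered and every guessed address looks valid to the sender; without it only the message to joe@bloggs.com is accepted and the ten guesses are refused.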

How do I eliminate the SPAM generated from a dictionary attack?

The solution is to remove the catch-alls. We’ve disabled the creation of new catch-all accounts, as we believe that in 99% of cases, there is no need for them to be there. Any existing catchalls on the system have been left untouched, but you are encouraged to phase them out as soon as possible, before your domain finds its way onto a ‘viable target’ list.

Parked Domain Names

Login to your Domain Control Panel to disable the catchall for your domain name.

  • Login to https://www.uk-cheapest.co.uk/members
  • Select “Email Forwarding” from the Functions list
  • Select “Delete” on your [ CATCH-ALL ] alias
  • SPAM to your domain will be instantly reduced

Web Hosting Customers

The following documents will show how your catchall should be set

If you have any questions please contact the HelpDesk for support.

Update WordPress posts after site Move

Updating MySQL wp_posts to new URL or folder

When moving your WordPress site to a new folder or domain name, there is a little more you need to do than changing the permalink structure and adding a 301 redirect to your .htaccess.

After performing the above steps you will need to make some database search and replace changes to get your data references 100% correct.

Change all references using old site URL:

UPDATE wp_posts SET guid = replace(guid, 'https://www.oldsite.co.uk/oldfolder','https://www.newsite.co.uk/newfolder');
UPDATE wp_posts SET guid = replace(guid, 'http://www.oldsite.co.uk/oldfolder','https://www.newsite.co.uk/newfolder');
UPDATE wp_posts SET post_content = replace(post_content, 'http://www.oldsite.co.uk/oldfolder','https://www.newsite.co.uk/newfolder');

If you installed SSL, an additional search / replace is required:

UPDATE wp_posts SET post_content = replace(post_content, 'https://www.oldsite.co.uk/oldfolder','https://www.newsite.co.uk/newfolder');

Change all references using old folder name:

UPDATE wp_posts SET post_content = replace(post_content, '/oldfolder/','/newfolder/');

How to Upgrade IGB NIC Driver

Upgrade IGB Driver to Fix Packet Loss Problems

The early versions of the igb NIC/LAN driver were buggy. Check whether your version looks like this:

# ethtool -i eth1
driver: igb
version: 5.0.5-k

Any version under v5.2.15 is buggy and a simple ping test to your server will show packet loss issues, usually around 20%.

To upgrade the driver, use the following steps.

1) cd /root
2) wget http://sourceforge.net/projects/e1000/files/igb%20stable/5.2.17/igb-5.2.17.tar.gz
3) tar -xvzf igb-5.2.17.tar.gz
4) cd igb-5.2.17/src/
5) make install
6) rmmod igb; modprobe igb
7) rmmod ixgbe; modprobe igb
8) vi /etc/sysconfig/modules/igb.modules

and set 

modprobe igb

9) The following is the output:

root@server [~]# modinfo igb
filename: /lib/modules/2.6.32-504.12.2.el6.x86_64/kernel/drivers/net/igb/igb.ko
version: 5.2.17
license: GPL
description: Intel(R) Gigabit Ethernet Network Driver
author: Intel Corporation, 
srcversion: 420A0DE22C6377FB9C68995
alias: pci:v00008086d000010D6sv*sd*bc*sc*i*

root@server [~]# lsmod | grep dca
dca 7101 1 igb

Let’s see the active version after the upgrade:

# ethtool -i eth1
driver: igb
version: 5.2.17
firmware-version: 1.52, 0x800007ae
bus-info: 0000:01:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

That resolves the issue. No reboot/restart is required.