Prevent SPAM at host level

FlorinMarian Member, Host Rep

Hello!
Currently, at hazi.ro, in Romania, SMTP is not allowed at all (it is blocked at the host level).
We would like to let customers send emails, but we want to keep under control how many emails they can send in a certain time interval.
I am interested to know from other providers or experienced users, if they are so kind as to share this information with us, what limit is tolerable to avoid spam but also to have satisfied customers.
Also, I would like to know what would be the best method to achieve that limitation considering that we do not have access to the mail servers themselves. (I was thinking about iptables and suricata that could do a good job)
Thanks!

Comments

  • You can't really as a provider, unless you install some kind of actual MTA/SMTP relay for them.
    Outgoing traffic over SMTP is normally encrypted to the big hosts such as Gmail, so limiting it would require the users to use your certificate, and then some SMTP trickery to set them the limits.

    Why do you want to limit the actual number of emails, but not spam?
    Keep blocking outgoing 25, and allow all authenticated ports. That's what all VPN providers do,
    and should be no different in your case as well. This should drastically limit the opportunistic spam
    attempts.

  • how much money will you give to teach you that?

  • FlorinMarian Member, Host Rep

    @luckypenguin said:
    You can't really as a provider, unless you install some kind of actual MTA/SMTP relay for them.
    Outgoing traffic over SMTP is normally encrypted to the big hosts such as Gmail, so limiting it would require the users to use your certificate, and then some SMTP trickery to set them the limits.

    Why do you want to limit the actual number of emails, but not spam?
    Keep blocking outgoing 25, and allow all authenticated ports. That's what all VPN providers do,
    and should be no different in your case as well. This should drastically limit the opportunistic spam
    attempts.

    Of course, SPAM is our target, but the fact that you can't send, for example, more than 120 emails per hour has much lower effects than having no limit and managing to send several tens of thousands of emails before you get caught.
    This is the big problem when you offer services for 1-2 euros per month, the damage caused costs much more than the subsequent suspension of the service.

    @permatahost said:
    how much money will you give to teach you that?

    This post is in the "Help" category, not "Sales". If you don't know/can't/don't want to help, move on - we'll look for you when we're willing to pay you.

  • luckypenguin Member
    edited August 2022

    Of course, SPAM is our target, but the fact that you can't send, for example, more than 120 emails per hour has much lower effects than having no limit and managing to send several tens of thousands of emails before you get caught.
    This is the big problem when you offer services for 1-2 euros per month, the damage caused costs much more than the subsequent suspension of the service.

    I totally get it, but make it opt-in, as in unblocking SMTP only via ticket, and only for "verified"
    users, as in CC/Paypal but not crypto, or prepaid ones for 6+ months. Chances are spammers
    will just buy 1 month with BTC, squeeze it to the max and move on. If you require extra steps to
    have it enabled, it should deter them from attempting in the first place.
    Rate limiting is impossible when you are just a storage provider and a pipe to the internet.
    When you offer shared hosting, it's a totally different story, but when you offer unmanaged VPS
    you can't do much in iptables. Well you can prevent blatant abuse, such as list-bombing, by only
    allowing single host at a time on SMTP ports, but not the number of emails itself.
    You can limit the number of outgoing SMTP connections per hour as well, but that's a slippery
    thing, you will get annoyed in tickets that stuff breaks.

    Thanked by 1FlorinMarian
  • AXYZE Member
    edited August 2022

    Just require users to have services with you for at least 3 months.

    Most (or all) spammers won't wait that long, your customers will get the benefit.

    You can later add an option to verify themselves earlier, but you would need a lot of work to do with huge risk of getting spammers into your network. It's not worth it at your current scale.

    Thanked by 1FlorinMarian
  • Well, you can't implement such a thing which is GDPR compliant. So you have to sign a contract with everyone. Then you can set up an SMTP relay (also Proxmox Mail Gateway is capable of that) which only accepts mail from your IP range and forwards it.

  • emgh Member

    Be extremely hard. Make it take time. Make it annoying, maybe combine this with a deposit to open the port, that the user gets back when cancelling the service.

    It doesn’t have to be impossible to spam in order to stop spammers from using your service, it just has to be harder than most other hosts, then, you’re not interesting to them.

    I don’t know what VPS panel you use, but I’d also try to force certain security practices when it comes to opening Port 25.

    In the best of worlds, these security requirements would apply to the VPS itself, AS WELL AS, their mail setup.

    Maybe it’s not verifiable, but have a form about how everything’s set up, and approve those to follow common guidelines like randomly generated SMTP passwords, fail2ban, SSH key for SSH, non-default SSH port.

    When the organization (yours) is on the smaller side with no real and effective guidelines for spam, as well as no real relationship with the major blacklists, one IP on one major blacklist quickly becomes time-consuming enough to eat up profits of A WHOLE LOT of VPS/clients.

    Also, enabling Port 25, clients expect the IP to not be listed on Proofpoint, and thereby not being able to send any mail to iCloud for example.

    And Proofpoint don’t really care about anything if you’re not “their client”.

    So in all honesty, maybe rethink this.

    Vultr has quite a strict policy, and I had to spin up probably 50-60 servers to get one not blacklisted in any major way, and they’re probably even working on their IP rep.

    Maybe offer an included mail service with every VPS client, set it up according to needs, and maintain a relationship with mail services, and actually filter outgoing spam, algorithmically and manually.

    Or, of course, just try to integrate a provider such as MXRoute to this included for free solution, and have @jar block your spamming clients, and never think of this again.

  • jackb Member, Host Rep
    edited August 2022

    @_cece said:
    Well, you can't implement such a thing which is GDPR compliant. So you have to sign a contract with everyone. Then you can set up an SMTP relay (also Proxmox Mail Gateway is capable of that) which only accepts mail from your IP range and forwards it.

    Sure you can. Use iptables hashlimit and you can limit outbound connections on certain ports (e.g. 25). This requires no further access to their data than you already had.

    Thanked by 1FlorinMarian
  • @jackb said: Sure you can. Use iptables hashlimit and you can limit outbound connections on certain ports (e.g. 25). This requires no further access to their data than you already had.

    I proposed it above, but it doesn't really limit the number of emails, only connections.
    You could bomb the same message with 1k users in BCC over the same connection.
    iptables as an anti-spam measure is like eating a soup with chopsticks.

  • jackb Member, Host Rep

    @luckypenguin said:

    @jackb said: Sure you can. Use iptables hashlimit and you can limit outbound connections on certain ports (e.g. 25). This requires no further access to their data than you already had.

    I proposed it above, but it doesn't really limit the number of emails, only connections.
    You could bomb the same message with 1k users in BCC over the same connection.
    iptables as an anti-spam measure is like eating a soup with chopsticks.

    That's your opinion. In practice it works well against your run of the mill "rent a VPS and blast out as much mail as possible" spammer.
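
The per-source connection cap discussed in this thread (iptables hashlimit on outbound port 25), as an added example that is not code from any poster: it prints the rules for review instead of applying them, and as noted above it counts new TCP connections, not messages. Assumptions: customer traffic crosses the hypervisor's FORWARD chain, and the chain name `SMTP_OUT`, the subnet and the burst value are illustrative.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that cap NEW outbound
# SMTP connections per customer IP with the hashlimit match.
# Assumptions: customer traffic crosses the hypervisor's FORWARD chain;
# the chain name SMTP_OUT and the burst value are illustrative choices.

smtp_limit_rules() {
    subnet=$1   # customer range, e.g. 192.0.2.0/24 (documentation range)
    rate=$2     # new connections per hour allowed per source IP
    burst=$3    # connections allowed back-to-back before the rate applies

    # Refuse anything that is not a plain CIDR or positive integer, since
    # the output is meant to be reviewed and then fed to a root shell.
    case $subnet in ''|*[!0-9./]*) echo "bad subnet" >&2; return 1 ;; esac
    for n in "$rate" "$burst"; do
        case $n in ''|*[!0-9]*|0*) echo "bad number: $n" >&2; return 1 ;; esac
    done

    # hashlimit drops idle per-IP entries after htable-expire milliseconds;
    # if that is shorter than the refill time, a sender who pauses briefly
    # gets a fresh burst. Keep entries as long as an empty bucket takes
    # to refill completely.
    expire_ms=$(( burst * 3600000 / rate ))

    cat <<EOF
iptables -N SMTP_OUT
iptables -A FORWARD -s $subnet -p tcp --dport 25 --syn -j SMTP_OUT
iptables -A SMTP_OUT -m hashlimit --hashlimit-name smtp_out --hashlimit-mode srcip --hashlimit-upto $rate/hour --hashlimit-burst $burst --hashlimit-htable-expire $expire_ms -j ACCEPT
iptables -A SMTP_OUT -m limit --limit 6/minute -j LOG --log-prefix "SMTP-LIMIT "
iptables -A SMTP_OUT -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Constructed sample: 120 new connections/hour per IP, burst of 20.
smtp_limit_rules 192.0.2.0/24 120 20
```

The LOG rule gives a per-IP signal to alert on: a VPS that keeps hitting `SMTP-LIMIT` is a candidate for review before its address lands on a blacklist.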
