Slashdot Mirror


Major ISPs Publish Anti-Spam Best Practices

wayne writes "The ASTA, an alliance of major ISPs, has just published a set of best practices to help fight spam. The list of ISPs includes the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast. The recommendations include such things as limiting port 25 use, rate limiting email, closing redirectors and open relays, and detecting zombies. For details, see the ASTA Statement of Intent (pdf) or any of the ISPs' antispam websites."

7 of 252 comments

  1. Don't forget SPF by Anonymous Coward · · Score: 4, Informative

    Several large ISPs are backing SPF. I even noticed my ISP, Verizon, who tend to be quite lazy and stupid when it comes to spam (and other things), have added an SPF record.

  2. press release on yahoo gives more info by brian+ferullo · · Score: 3, Informative
  3. don't put exchange as the first stop by vg30e · · Score: 3, Informative

    Most Exchange problems occur when you have an Exchange server being the SMTP gateway. If I were you, I'd find a product to be the SMTP gateway that doesn't use anything made by Microsoft. There are also serious problems using the IIS SMTP service to talk to Exchange. So, in short, get another kind of SMTP gateway to run the SMTP service, and then run Exchange behind it, forwarding all mail to your non-Microsoft gateway.

  4. Re:What about my personal mail server? by thedillybar · · Score: 3, Informative
    >Is there a guideline that can help me figure out what steps I need to take to harden my mail server?
    Basically don't relay mail for any user who you don't know (either by IP address or by SMTP authentication). Relaying is accepting mail for another domain and passing it on. If the server is the MX server for your domain, you must accept mail addressed to that domain regardless of whether or not you know the sending party.

    >I will be using either Postfix or Microsoft Exchange.
    I use sendmail, and I know that the "default" prevents unauthorized relaying. The latest version of Postfix or Exchange will almost certainly do the same. After you make any configuration changes, just verify that an outside machine can't send mail to another domain.

    Whichever SMTP software you run, I'd recommend joining some comp.mail.* newsgroups.

  5. *cough* *cough* by Anonymous Coward · · Score: 3, Informative

    *COUGH* bullshit *COUGH*

    Out of this list of ISPs (AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast), AOL is the ONLY ISP who is actively working in the antispam community - seriously. They've got a single contact for dealing with it and they are keeping their ax sharp and swinging it whenever needed.
    All of those other 'posers are lying thru their teeth. Yahoo, MSN/Hotmail, Earthlink, Comcast? Antispam? They'd choke if they tried to say, "We're antispam". It's sad now that AOL has made a solid effort that they're going to be painted with the same brush as those other spam-havens.

  6. Re:Penalties by Animats · · Score: 4, Informative
    Exactly. That's what California enacted as law, and what the Direct Marketing Association successfully blocked by pushing the CAN-SPAM act through.

    The California law made the "beneficiary" of the spam responsible for it. And anybody could sue. That would have made hiring a spammer very risky.

    Broadly defining the "beneficiary" could go even further. The credit card service provider, and the bank behind them, could be held responsible for spam if they processed a transaction resulting from spam. They profit from it, after all. A good lawyer could make the case now that they bear some responsibility, especially if they assist in any way in concealing the identity of the spammer.

    We really need to go after the payment end of spam, not the sending end.

  7. Re:Mail admin here, my solution was port 26 by harlows_monkeys · · Score: 4, Informative
    >I do run authentication and SSL is on its way, but care explaining why port 587 would be any better than, say, 26?

    Because port 587 is the one specified in the Message Submission RFC (RFC 2476).
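
The relay rule from comment 4 (accept mail for your own domain from anyone, relay only for clients known by IP address or SMTP authentication) and the port 587 submission point from comment 7, modelled as an added example; it is not code from any commenter or from any mail server. The domain, the trusted network, the reply codes and the choice to require authentication for everything on port 587 are assumptions of this sketch, and the sessions are constructed.

```python
import ipaddress

# Assumed site values for illustration (not taken from the thread).
LOCAL_DOMAINS = {"example.org"}                        # domains we are MX for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # clients known by IP


def rcpt_domain(rcpt):
    """Domain of an RCPT TO address, lower-cased, trailing dot removed."""
    addr = rcpt.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def decide(port, client_ip, authenticated, rcpt):
    """Return (reply_code, reason) for one RCPT TO command."""
    ip = ipaddress.ip_address(client_ip)
    known = authenticated or any(ip in net for net in TRUSTED_NETS)
    if port == 587:
        # Submission port: assumed policy is "authenticated users only".
        if authenticated:
            return 250, "submission from authenticated user"
        return 530, "authentication required"
    if rcpt_domain(rcpt) in LOCAL_DOMAINS:
        # We are the MX: accept whether or not we know the sender.
        return 250, "local delivery"
    if known:
        return 250, "relay for known client"
    return 554, "relay access denied"


# Constructed sessions: (port, client IP, authenticated, RCPT TO).
SESSIONS = [
    (25, "203.0.113.9", False, "<alice@example.org>"),   # inbound to our domain
    (25, "203.0.113.9", False, "<bob@elsewhere.test>"),  # outside relay attempt
    (25, "192.0.2.10", False, "<bob@elsewhere.test>"),   # known by IP
    (25, "203.0.113.9", True, "<bob@elsewhere.test>"),   # known by SMTP AUTH
    (587, "192.0.2.10", False, "<bob@elsewhere.test>"),  # submission, no AUTH
]


def audit():
    """Reply codes for every constructed session, in order."""
    return [decide(*s)[0] for s in SESSIONS]


if __name__ == "__main__":
    for session in SESSIONS:
        print(session, "->", decide(*session))
```

The second session is the check comment 4 asks for after any configuration change: an outside machine sending to another domain must be refused.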