NinerNet Communications™
Corporate Blog

Why do I get so much spam?

14 February 2024 12:55:34 +0000

NinerNet hosts email. The one thing this guarantees is that we receive complaints about spam. Unfortunately, we’re not a monolith like Google, so we need to reply to these. Try sending an email to support@gmail.com and see what you get. Silence.

So the point of this post is to try and help people understand why they get spam at all. This has nothing to do with your email hosting provider. Well, I can certainly guarantee that NinerNet is not selling your email address(es) to the spammers, otherwise we’d be rich! But we don’t need to sell your email address. If you create the email address your-common-first-name@your-domain-that-is-publicly-known.tld, bingo, the spammers have your email address. What about that support address above? That’s what’s called an RFC 2142 address. RFC 2142 (“Mailbox Names for Common Services, Roles and Functions”) outlines a list of email addresses that are supposed to exist on every domain, and one of them is support@. They are:

  • abuse@
  • ftp@
  • hostmaster@
  • info@
  • list@
  • list-request@
  • marketing@
  • news@
  • noc@
  • postmaster@
  • sales@
  • security@
  • support@
  • usenet@
  • uucp@
  • webmaster@
  • www@

You probably have one or more of those addresses on your domain. Congratulations! You’ve just painted a target on your back, or maybe seventeen of them to be precise.

Other ways spammers get your email address:

  • Websites: Don’t post your email address on the Web! Even on your own website. There are crawlers/spiders automatically collecting those addresses every minute of every day. If you post your email address on your own website, it will receive spam within days, maybe even hours!
  • Unscrupulous suppliers: This has always been a bugbear. Of course, if your supplier happens to have millions of customers, it would be tempting for them to sell your email addresses. Some disguise this as “sharing your information with trusted partner organisations”. Of course, their definition of “sharing” has a dollar figure attached to it, dollars they will never “share” with you.
  • Crackers: Ever had a virus on your computer? Your email address and the email addresses of all of your correspondents are probably not the only thing you’ve handed over.
  • Friends: You know that idiot friend or relative of yours that sends out joke emails with hundreds of email addresses in the “to” and “cc” fields? Yup, thanks Aunty Betty / Uncle Bobby.
  • Forwarding: This is one of the things that has driven me crazy since the 20th century! It’s bad enough that your friend/relative has sent you the world’s funniest email joke in the history of humanity, but they copied it to a thousand of their closest friends and relatives by putting their email addresses — including yours! — in the “to” and/or “cc” fields so that everyone can see them! And then, to show how ignorant some of their friends and relatives are, some of them forwarded the same email with all of those addresses still exposed in the body of the message. Those email addresses are all then exposed to whatever malware comes along on any of the hundreds or thousands of computers on which those emails are stored. But it’s not just ignorant friends and relatives that do this; I’ve seen supposedly professional IT people do this in professional, business emails!
  • Hacked databases: Related to the “unscrupulous suppliers” point above is the fact that the databases of said suppliers are hacked all the time.
  • WHOIS: If you’ve registered a domain, the domain registry likely has your email address in a publicly-accessible database called the WHOIS (“‘Who is’ the owner of this domain?”). Thankfully, when the GDPR was implemented in the European Union in 2018, the biggest registries in the world — the ones that run the gTLDs (generic top-level domains) — were forced to take their heads out of their nether regions and stop publishing that information. But sadly, some ccTLD registries still have their heads planted firmly where they’ve always been (can anyone say dot-zm?) and they still make this information freely available to spammers scraping the WHOIS, despite their feeble disclaimers.
  • Viruses and other malware: If one of your contacts’ machines or devices is compromised by a virus, one of the purposes of that virus is probably to spam you, or send copies of the virus to you.
  • Subscriptions: If someone is trying to get your email address for their newsletter, maybe they also want it to sell it.
  • E-cards: Awww, it’s so lovely to send your valentine (or wannabe valentine) a valentine “e-card” … or Christmas card, or birthday card, or …. You probably didn’t ask for their consent first though, so you’ve essentially just screwed (and not in the way you or your valentine want to on Valentine’s Day!) your valentine’s email address for the rest of his/her life, or the life of that email address.
  • Signing up for stuff: Whether it’s a free report or white paper or signing up for a class at a local community centre, you lose control of your email address the moment you give it out to anyone. Some websites exist simply for the purpose of collecting email addresses in this way, a cute, shiny bauble for your email address. Are you really going to read their hundreds of pages of terms and conditions to realise how your email address (and you) are going to be abused? Didn’t think so.
  • Phishing: Phishing emails essentially just try to trick you into doing something you normally wouldn’t do. Of course, they already have your email address from any of the methods listed here, but they want more than just your email address, and perhaps what they want are the email addresses of all of your contacts. Often they can get these if somehow you give them to them (LinkedIn) or they can get them if you give them the password to your email account where you might have them saved.
  • Plug-ins and apps: Be very careful of plug-ins and apps that may be copying all of your contacts and sending them to whoever is controlling the app or plug-in. Be especially careful of apps and various social media websites (such as LinkedIn) that helpfully offer to send invitations to your contacts! We mention LinkedIn in this regard especially, for these three reasons:
  • Brute force: Besides the technique mentioned where spammers send to a list of common names on all domains, they can simply send to a@example.com, b@example.com and so on, and then start again at aa@example.com, ab@example.com and so on. The terms “brute force” and “dictionary attack” apply here.
  • Buying it: The other side of any of the above transactions happens when anyone who has obtained your address by one of the methods above sells it to willing buyers. You yourself have probably been spammed by people offering to sell you lists of email addresses, all of which would have been acquired by one or more of the techniques above.

If even one of the above applies to you, you have signed the warrant to have your email address spammed, but chances are that you have committed several of the above, compounding the problem. Again, it’s not your email provider’s fault that you get so much spam.

How can I receive less spam?

Two VERY effective ways to avoid spam are to use “supplier addresses” and rotating temporary email addresses. Let me explain both:

  • Supplier addresses: For many years I’ve operated a system of what I call “supplier addresses”. If I’m dealing with Twitter, for example — not that I use their name because they were mentioned in recent news about a data leak — I create the email address “twitter@mydomain.com”, and I only give that address to Twitter, nobody else. (Actually, don’t create a new email address, just create a free alias for the email address that will receive email from that supplier.) Yes, I have the email address my-common-first-name@mydomain.com, but the only people who get that email address are my family, friends and existing clients. Nobody else on the planet gets that address, and I certainly don’t enter it into a form field on a web page and I don’t post it on the Web! So if Twitter (in this example) sells my email address or is hacked, I know exactly who let my email address into the wild. To be frank, that hasn’t happened to me many times, but I quickly realised that it does happen, so the email aliases I create now all include a number (e.g., twitter123@mydomain.com). If the email address is compromised I just change the number and inform Twitter by changing it in my account with them and kill the old alias. My numbering follows a system, but you can make your own rules.
  • Rotating temporary email addresses: I link above to the service that NinerNet provides, but at this point it’s a very limited, non-automated service with very few customers. However, it’s not rocket science and you can do it yourself on your own domain. For example, if your primary address is bob@yourdomain.com, create a free alias for this month called “bob2402@yourdomain.com” on that address. I also create one for last month and one for next month, to ensure continuity when the month changes over. (The numbers in this example are obviously two digits for each of the year and the month.) Now you can give out the temporary alias to whoever you want with no concern at all about being spammed. Want to download that “free” white paper? Give them your temporary alias secure in the knowledge that when (not if) they start spamming you it will probably be after that email ceases to exist. Then at the beginning of next month, just delete one alias and create the next. In February I will have an alias for last month (2401), this month (2402), and next month (2403). On 1 March I will delete the January alias and create the April (2404) alias. If you have a contact form on your website for new customers to contact you, reply from this month’s temporary alias until they become a new client. At that point you obviously have to throw caution to the wind and start using your “real” email address, but you’ve already done a lot to hugely reduce the amount of spam you will receive from not following any precautions at all.
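The monthly rotation described above, as an added example that is not NinerNet's own tooling: given today's date and the aliases that currently exist, it works out which monthly aliases to keep, create and delete, including across a year boundary. The function names are hypothetical, and actually creating or deleting an alias is left to whatever your mail host's control panel provides.

```python
import re
from datetime import date


def month_tag(year: int, month: int) -> str:
    """Two-digit year followed by two-digit month, e.g. February 2024 -> '2402'."""
    return f"{year % 100:02d}{month:02d}"


def shift_month(year: int, month: int, delta: int) -> tuple[int, int]:
    """Move forwards or backwards by whole months, rolling over the year."""
    index = year * 12 + (month - 1) + delta
    return index // 12, index % 12 + 1


def wanted_aliases(local_part: str, domain: str, today: date) -> list[str]:
    """Aliases for last month, this month and next month, in that order."""
    return [
        f"{local_part}{month_tag(*shift_month(today.year, today.month, d))}@{domain}"
        for d in (-1, 0, 1)
    ]


def rotation_plan(local_part: str, domain: str, today: date,
                  existing: list[str]) -> dict[str, list[str]]:
    """Compare the aliases that exist with the three that should exist.

    Only aliases of the form <local_part><4 digits>@<domain> are treated as
    monthly aliases; the primary address and supplier aliases are ignored.
    """
    local_part, domain = local_part.lower(), domain.lower()
    monthly = re.compile(rf"^{re.escape(local_part)}\d{{4}}@{re.escape(domain)}$")
    managed = {a.lower() for a in existing if monthly.match(a.lower())}
    wanted = wanted_aliases(local_part, domain, today)
    return {
        "keep": [a for a in wanted if a in managed],
        "create": [a for a in wanted if a not in managed],
        "delete": sorted(managed - set(wanted)),
    }


if __name__ == "__main__":
    # Constructed alias list matching the example in the text, checked on 1 March.
    existing = [
        "bob@yourdomain.com",
        "twitter123@yourdomain.com",
        "bob2401@yourdomain.com",
        "bob2402@yourdomain.com",
        "bob2403@yourdomain.com",
    ]
    plan = rotation_plan("bob", "yourdomain.com", date(2024, 3, 1), existing)
    for action, aliases in plan.items():
        print(action, aliases)
```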

With a little imagination — but feel free to contact NinerNet if you need help — you can apply the above principles to all of the email addresses in your company, whether it’s just you or you have a thousand employees. They will drastically reduce the amount of spam you and your employees receive, before your email service provider’s anti-spam system even kicks in.

The key point here is that you need to practise “email hygiene”. How is your email hygiene?

Email restrictions reminder, Phishing

13 December 2022 05:00:02 +0000

As Christmas rapidly approaches, we’d like to remind you of two limitations to keep in mind with respect to sending email, and to implore you once again to take phishing scams seriously.

Sending limits

Within the last year or two we have had to implement a limit of sending to 300 email recipients per day per email account. This is a limit that hardly anyone runs up against, but it does happen. The reason for this is quite simple: email accounts are hacked when a computer or phone is compromised, and the person or organisation who has compromised the account then uses the account to send spam or phishing messages. If there was no limit on how many messages can be sent in a day they’d send millions! If this happens, our IP addresses are blacklisted and then none of our clients can send any emails outside of our network.

With this limit in place messages to only 300 recipients can be sent, and by the time the 24 hours are up a compromise will have been noticed, and the password for the email account can be reset. (We often notice these spam runs when they are in progress, and they are shut down before more than a few dozen are sent.) Experience has shown that if 300 such messages are sent, that seems to be just below the point at which damage to our IP addresses’ reputation is done. We experimented with a limit of 400, but damage was still done.

If you’re going to send messages to a few hundred or thousand of your customers we suggest the following:

  • If you regularly want to send that many emails we strongly recommend that you use a company such as Mailchimp.
  • If you have a one-time need to send a lot of emails, break your list up into groups of 300 (or just under 300) and send that many a day.

Please note that however you choose to send mass emails you must have documented proof that you’ve received permission from the recipients to send them non-personal emails like this. If you don’t have that permission, then don’t send them those emails. It’s quite simple. If you don’t have permission you cannot defend yourself against accusations of spamming, and you risk your account being suspended and removed.

Also note that the limit is the number of recipients. If you send an email to Bob, copy it to Jane and blind copy it to Jim, that’s 3 of your 300 recipients (not “1 message”). If you send another email to the same people, that’s now 6. If you send one email blind-copied to 300 recipients, you’re done for the day and you can go home. 🙂
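A sketch of how a per-account recipient limit like the one above can be enforced, added here as an example and not taken from NinerNet's mail server. It assumes a rolling 24-hour window (the post only says "per day") and counts recipients from the To, Cc and Bcc headers; the class and function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage
from email.utils import getaddresses

DAILY_RECIPIENT_LIMIT = 300
WINDOW = timedelta(hours=24)  # assumption: rolling window, not a calendar day


def count_recipients(msg: EmailMessage) -> int:
    """Every address in To, Cc and Bcc counts once per message."""
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(str(value) for value in msg.get_all(name, []))
    return len([addr for _, addr in getaddresses(fields) if addr])


class RecipientLimiter:
    """Tracks recipients per sending account over the last 24 hours."""

    def __init__(self, limit: int = DAILY_RECIPIENT_LIMIT, window: timedelta = WINDOW):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)  # account -> deque of (timestamp, count)

    def used(self, account: str, now: datetime) -> int:
        """Recipients already used by this account inside the window."""
        history = self._sent[account]
        while history and now - history[0][0] >= self.window:
            history.popleft()  # entries older than the window no longer count
        return sum(count for _, count in history)

    def try_send(self, account: str, recipients: int, now: datetime) -> bool:
        """Accept the message only if it keeps the account within the limit."""
        if self.used(account, now) + recipients > self.limit:
            return False
        self._sent[account].append((now, recipients))
        return True


def daily_batches(recipients: list[str], per_day: int = DAILY_RECIPIENT_LIMIT) -> list[list[str]]:
    """Split a one-off mailing into groups to be sent on consecutive days."""
    return [recipients[i:i + per_day] for i in range(0, len(recipients), per_day)]


if __name__ == "__main__":
    # Constructed message: Bob in To, Jane in Cc, Jim in Bcc.
    msg = EmailMessage()
    msg["To"] = "Bob <bob@example.com>"
    msg["Cc"] = "jane@example.com"
    msg["Bcc"] = "jim@example.com"

    limiter = RecipientLimiter()
    start = datetime(2022, 12, 13, 9, 0)
    for minutes in (0, 5):
        limiter.try_send("sender@example.com", count_recipients(msg), start + timedelta(minutes=minutes))
    print("used after two sends:", limiter.used("sender@example.com", start + timedelta(minutes=6)))
```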

Sending restrictions

We often see clients trying to send emails with restricted attachments. Our mail server stops emails with executable attachments (.exe files, for example, but there are more and it’s not the file name extension that determines if a file is executable) and documents that contain macros, or scripts that can be executed when the document is opened. These cannot be sent by email because they could contain malicious code. If you want to send these files to someone else we suggest that you either use what’s called the “sneakernet” — put the file on a flash drive and walk it over (perhaps wearing “sneakers”) to the person you want to give the file to — put the flash drive in the postal mail, or upload the file to a website or file upload service from where someone can download it.

Many office-type documents — spreadsheets, word processing documents, slide shows, etc. — contain macros (scripts), which you may or may not be aware of, and if you’re trying to send them they will not reach the intended recipient. Sometimes when you create a PDF file from an office document the scripts are embedded in the PDF, and those will be blocked for the same reason.

All email services — even the biggest ones — have these restrictions so that the email service as a whole can still be useful to the people that use it. If we don’t stop these kinds of emails from going out, the recipients’ mail servers will stop them from coming in.

Phishing

We desperately want to remind you yet again — we know, it sounds like a recording — about email scams, and in particular “phishing” scams. These scams happen. They happen to you. They happen to our clients. 2022 was a record year for our clients, and not a record to be proud of. Just among the clients we know of, over US$100 000 was lost as a result of phishing scams. This is shocking; this is heartbreaking. It doesn’t need to happen.

Treat every email you receive — even this one! — with suspicion. Rather than looking for signs that an email might be a scam, just assume it is! Then look for the signs that it isn’t a scam. Instead of memorising an interminable list of things to look for that show an email is a scam, instead simply ask the message to prove to you that it really is from the person who claims to have sent it, and that the request it contains is legitimate. Did NinerNet really just send you the email you received that is asking you to verify your email password, or upgrade to some service that we don’t even offer? No, we didn’t send that email. We just don’t send emails like that, and neither does any other mail provider … or bank, or life insurance company, or …. Almost nobody sends a legitimate email claiming that you have to pay an invoice in a different way to how you’ve been paying that company for years! Yes, your suppliers do change banks occasionally, but if they do they will give you plenty of notice, not send you a frightening message out of the blue demanding that you send them money to a different destination or have your service cancelled. It just doesn’t happen like that in the real business world. THINK! BE SUSPICIOUS!

You should learn more about email scams and phishing. Read these links:

If you have any questions about any of the above, please do let us know. Thank-you.

We will have one more email for you before the end of the year, with information we’re excited about because we hope it will improve our email infrastructure in 2023. We hope you’ll like it too.

Compromised email accounts are being accessed via webmail

29 August 2022 11:01:18 +0000

It is becoming more and more common, once an email account has been compromised by a computer virus or other malware, for the email account in question to be accessed through the webmail. When this happens, one or all of three things (and sometimes more) happen:

  • The criminal behind the virus/malware uses your webmail account to send spam or more viruses (the viruses will be stopped by our server though, but sometimes some spam will still get through),
  • The criminal poses as you (or one of your employees) and dupes your customers into sending payments to their bank account(s), and/or
  • The criminal creates filters in your email account to siphon off email to external email accounts they or their associates control.

While all are very negative and need to be stopped quickly — and this is why a compromised email account’s password must be changed, and the old password never used again — the last is particularly insidious as you might not use the filters, or you may not even know that they exist! Filters are a legitimate tool for people to use to handle some email in an automated fashion, and they have been around as long as email has been around.

The bottom line is that a compromised email account is a very serious matter. Your machines and devices need to be protected, by security software (anti-virus software, firewalls, encryption, anti-malware software, etc.), physically (access control, passwords, physical locks, etc.), and with education, knowledge and vigilance. If an email account is compromised the reason should be determined and the cause fixed or addressed in some other way. You then also need to examine the (now formerly) compromised account; one of the first things you should check is the integrity of the account’s filters. If unauthorised filters remain in place, the account is still compromised.
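One way to run the filter check described above, as an added example that is not part of the original post or of NinerNet's control panel: it lists every filter rule that forwards mail to an address outside your own domains. It assumes the account's filters are stored or can be exported as a Sieve script (RFC 5228), which the post does not state, and that each `redirect` statement sits on one line; the sample script and function name are constructed for illustration.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int               # line number in the filter script
    address: str            # where the rule sends the mail
    keeps_local_copy: bool  # True if the rule uses ":copy"


# Matches: redirect [:tag ...] "address";
REDIRECT = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"\s*;')

# Constructed sample: one ordinary rule, one forward to an outside address,
# one forward to an address on the account's own domain.
SAMPLE_SIEVE = """\
require ["fileinto", "copy"];
# rule: newsletters
if header :contains "List-Id" "news.example.com" {
    fileinto "Newsletters";
}
# rule: not created by the account owner (constructed)
if header :contains "Subject" ["invoice", "payment"] {
    redirect :copy "collector@mailbox.invalid";
}
# rule: owner's own forward within the same domain
if address :is "from" "boss@example.com" {
    redirect "bob.mobile@example.com";
}
"""


def external_redirects(sieve_text: str, own_domains: set[str]) -> list[Finding]:
    """Return every redirect whose target domain is not one of own_domains."""
    own = {d.lower() for d in own_domains}
    findings = []
    for lineno, line in enumerate(sieve_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line Sieve comment
        for tags, address in REDIRECT.findall(line):
            domain = address.rsplit("@", 1)[-1].lower()
            if domain not in own:
                findings.append(Finding(lineno, address, ":copy" in tags.split()))
    return findings


if __name__ == "__main__":
    for f in external_redirects(SAMPLE_SIEVE, {"example.com"}):
        note = "copy stays in the inbox" if f.keeps_local_copy else "original is not kept"
        print(f"line {f.line}: forwards to {f.address} ({note})")
```

A rule that uses `:copy` leaves the original in the inbox, so the account owner sees nothing unusual; any finding should be confirmed with the account owner and removed if they did not create it.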

It is vital that you not gloss over an email account compromise as a “cost of doing business” and just carry on as usual after the inconvenience in your day. If you do not take all of the above steps your lack of action will come back to bite you in the buttocks, as Forrest Gump said. And this bite could cost your business in money, goodwill and business.

Another thing to consider is that the mail server’s control panel allows its users to designate any email account as a “domain admin”. We have always discouraged this, instead creating dedicated accounts for domain admins, but it’s a popular and widely used feature. However, consider this: If you designate bob@example.com as a “domain admin”, and Bob’s account is compromised, then the criminal behind the compromise will have access to all of the email accounts on the example.com domain. The results could be significantly more than just the inconvenience of having one email account compromised.

Something else for you to consider is how you can protect your employees from phishing emails. (Please see our “scams” section for many examples of scam emails, many of which are phishing emails.) Phishing emails try to get their recipients to click a link where they are asked to enter their email address and email password. Of course, none of us would be fooled by this, but many people a day are. How the page where people are asked to enter their log-in information looks depends on the nature of the email. If it was allegedly from a bank, the log-in page will be an exact copy of the log-in page for the bank they’re trying to present themselves as. If they’re trying to get your email password, everything will look like a webmail log-in page. It’s convincing. When you enter your log-in information, either nothing will happen, or your browser will be redirected to a legitimate webmail log-in page, but you won’t (of course) be logged in. In the meantime, your log-in information will be saved, and available for the scammer to use.

If this happens to you, you must immediately change the password on your account.

But back to the original question: How can you protect your company from your employees potentially falling for this phishing scam? One way is to not give your employees their email passwords. If they don’t have it, they can’t enter it in a phishing form. Of course, you need to weigh the advantages and disadvantages of this. A disadvantage is that you or your IT person will have to enter it for them when setting up their email account on their machine and/or phone, but the advantage is that they won’t be able to make the mistake of inadvertently providing their password.

If you haven’t recently, it’s probably a good idea to check the filters in your webmail account right now to confirm that you put them all there and that you still need them. And while you’re at it, change your email password too! Make sure it’s at least 12 characters long, includes upper- and lower-case letters, numbers and special characters. And use a password manager too. We use and strongly recommend KeePass.

Significant recent spam activity

16 March 2022 02:30:11 +0000

In the last 48 hours we have seen a significant increase in the number of email accounts that have been compromised due to the virus infection of a large number of our clients’ machines and/or devices. In one case that we know of, one of our resellers stated that they “have a company wide nightmare [of] machines spamming each other and everyone they have ever talked to via email.” This is not good. They have been working with their client to get a handle on this, and as of Tuesday their time this issue seems to be under control for them.

However, since then we have had multiple other email accounts compromised on multiple domains. Please note that email accounts are “compromised” when the machine or device on which the account is configured is infected with a virus. This is not under the control of NinerNet, but you and your employees and colleagues. Please ensure that you have updated anti-virus programs or apps installed, and please do not open attachments from unknown senders. Even attachments from known senders must be treated with extreme care, because viruses tend to come from other infected machines, and they could be the machines or devices of people you know.

Some reminders for all clients:

  • Please ensure you have anti-virus software (or an app) installed on all machines (computers) and devices (phones/tablets),
  • Please only open attachments after they have been scanned for viruses,
  • Please be extra careful of attachments sent from unknown senders, and
  • NinerNet’s mail server scans incoming and outgoing messages for viruses, but if the vendor of the software isn’t aware of the existence of the virus it may get through. If you also have anti-virus software installed, then that additional scan could make the difference between a normal day and an expensive day you’d rather forget.

At this point it looks like we nipped these outbreaks in the bud, so our mail servers are not in any additional blacklists. However, please do contact NinerNet support if you have any issues with outgoing email, or if you have any questions.

Thank-you.

Yet another note about scam emails

19 May 2021 07:36:15 +0000
Phishing scam email, 2021-05-12.

The scam and phishing emails continue to come in. The most recent example is particularly aggressive. Please do not fall for it.

NinerNet would never send out an email this aggressive or threatening.

Please review our last two blog posts about these kinds of emails. They are all 100% scams.

Another one of these emails had this “from” field:

From: Domain@nc036.ninernet.net, Admin@nc036.ninernet.net

The footer of the emails also contains a note that states, “example.com Webmail Support”, where “example.com” is the domain in the recipient’s email address. This is all automated, and doesn’t make it any more legitimate.

If you have any questions or concerns, please do contact NinerNet support. Thank-you.

A couple of issues today

27 January 2021 10:28:08 +0000

We, as well as some clients today, have received phishing emails advising the recipients to follow a link to deal with emails that have been quarantined or “suspended” on the mail server. These emails are scams, and do not come from addresses on the niner.net domain. Do not click on the links, and delete the emails.

Secondly, we are aware that the primary mail server’s IP address is in at least one new blacklist as a result of our data centre being blacklisted. If email you send is bounced for this reason, please advise us and we will re-route email to that domain via one of our relay servers.

Please contact NinerNet support if you have any questions or need to report something. Thank-you.

Upcoming changes to mail servers

20 December 2020 12:52:47 +0000

The email world is constantly evolving. More to the point, spam is a never-ending arms race. We have made some changes to our email system, and in the New Year we will be making more.

So far all we have done is add a second alternative route for outbound emails. This gives us (and our clients) a third possible point from which emails can be delivered to your recipients. This action is the result of our data centres’ IP addresses finding themselves in more blacklists as a result of poor management, and the bad behaviour of their other customers.

Our use of this service will result in some very minor changes to the headers of some of these emails when viewed by the recipients. Almost nobody pays any attention to the headers of emails until there is a problem, but we are telling our clients this in advance so that you are aware of it.

There is nothing you need to change in your email programs or apps. The only thing you need to do is forward errors to us if a bounce message for an email you have sent refers to being blocked, as opposed to the destination address not existing or being full. If your email was blocked we can divert future emails to that domain via an alternative route. This option has always been available, but for the reason stated above we’re getting more reports now than in the past.

That addresses an immediate issue. Plans were already in progress for a scheduled upgrade to our primary mail server, but now they have an additional focus: We will be setting up a new mail server in another data centre where the reputations of their IP addresses are an explicit priority.

This plan will probably protect NinerNet for a couple more years. However, with the way the email world is moving, there are some predictions that all IP addresses will eventually be blocked from sending email except for a select few. I don’t believe I need to explain how this will concentrate power over email in the hands of a few, and how detrimental this will be, so we expect that reputable data centres will oppose this. Those are the kinds of data centres we want to work with, but we will maintain accounts with third-party relay providers just in case.

We will be posting more on the subject of email, specifically details of our migration, and information you need to know to ensure that your email will not be considered spam, either by us, our spam filters or your customers.

Please contact NinerNet support if you have any questions or concerns. Thank-you.

Business during the COVID-19 pandemic

19 March 2020 02:54:52 +0000

We know that some of you are no doubt weary of COVID-19 (coronavirus) news updates, but we’re prompted to make this brief statement.

NinerNet’s operations are not currently, nor forecast to be, affected by this pandemic. We do have business continuity plans, but at this point they have not needed to be activated beyond following public health guidelines and directives. We have had communications from some (but not all) suppliers that they are implementing contingency plans to ensure the continuity of their own businesses, and therefore we do not anticipate we or you (our clients) will be adversely affected.

It’s important to remember that the vast majority of the relatively small numbers of people who have been affected so far have recovered. This means life will no doubt carry on as usual in the near future.

In the meantime though, as the operators of a service on which you rely for information communication, we want to remind you that the scammers and spammers never rest — in fact, through our spam filtering we know they are already at work, attempting to take advantage of fear. If you receive any email about the pandemic — offering rumours, cures, masks, hand sanitiser or even (in some parts of the world) toilet paper! — they are best ignored.

We very much appreciate your business. We hope you are staying safe and healthy, and we look forward to continuing to serve you for many years to come. If we can help you or your business in some way during this time, please do tell us how.

Here are some links that may help you get some factual information from your governmental health authorities:

Thank-you, and stay well.

Craig

Scammers never sleep

31 December 2018 10:02:41 +0000

If you thought you could get a break from scammers over Christmas, think again. This one landed in our inbox on Christmas Day, as is clear from the date the countdown starts!

From: greatroadnorth.com is about to expire. <no-replay@renewal-service.info>
Reply-to: “greatroadnorth.com is about to expire.” <no-replay@renewal-service.info>
Subject: Domain Administrator
Date: Tue, 25 Dec 2018 17:52:19 +0000
Return-path: <01020167e67ef75e-d5d2ee16-fd2f-457e-9a8d-00dba3dc6492-000000@eu-west-1.amazonses.com>
X-spam-score: 2.125

Tucows Domains Inc.
====================
IMPORTANT NOTIFICATION
====================
greatroadnorth.com
Date: 2018-12-25

Dear Domain Administrator,

The Domain SEO-listing shown below are set for renewal and need to be processed in the next 48 hours.

No need to worry, please go to this link and follow the instructions:
renewal-service.info/greatroadnorth.com

Your product details are listed below:
====================

Product Name:
SEO-Renewal for greatroadnorth.com
Expire Time:
48 hours from 2018-12-25
Renewal cost per annum:
$69.00

====================
Amount due: $69.00

PAYMENT INFORMATION
Information on how to renew your domain can be found here:
renewal-service.info/greatroadnorth.com

This offer is only valid for 48 hours as a courtesy to let you know that your domain is expiring soon and this search engine optimization offer will expire.
Should your domain name expire, there is going to be a signifcant drop
in search engine services for your website, email and any other associated services.
This domain seo registration for greatroadnorth.com limited time offer will end in 48 hours from 2018-12-25.

Thank you!

Sincerely,
Renewal department

====================

Note:
You received this message because you elected to receive notification offers. Should you no longer wish to receive our offers, please unsubscribe here. If you have multiple accounts with us, you must opt out for each one individually.

Some characteristics of this spam/scam:

  • Your name (available from the WHOIS) will be in the subject, along with a flag emoji to draw attention to the email.
  • The name of your legitimate domain registrar (also available from the WHOIS) will be at the top of the email, even though they did not send the email.
  • There is the usual very close deadline (48 hours), after which the world will end for you and your domain.
  • The plain-looking links in the email mask tracking links to the domain wizz.netvalue.io.
  • The scammer makes the unusual claim that not sending them money will cause “a signifcant [sic] drop in search engine services for your … email”. This, of course, is absolutely false, as your email traffic is not tied directly to search engine traffic anyway.
  • Sent through the best and biggest “bulletproof” spam hosting service in the world: Amazon.

Given the fact that most gTLD registrars (including the ones we use) have not published WHOIS information since May 2018, these scams are being sent to old, out-of-date mailing lists compiled before publishing stopped. (For example, the domain that is the subject of this email no longer exists.) Changing the contact email address on your domain and shutting down the old address is something you should consider doing.
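Several of the header-level characteristics listed above can be checked mechanically. The following Python sketch is an added example, not NinerNet's or the mail server's own filter logic; the check names and the suffix-based domain comparison are assumptions made here, and the benign message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
DEADLINE_RE = re.compile(r"\b\d{1,3}\s*hours?\b", re.I)

# Headers and two body lines copied from the message quoted above.
SCAM = """\
From: greatroadnorth.com is about to expire. <no-replay@renewal-service.info>
Subject: Domain Administrator
Return-path: <01020167e67ef75e-d5d2ee16-fd2f-457e-9a8d-00dba3dc6492-000000@eu-west-1.amazonses.com>
X-spam-score: 2.125

Tucows Domains Inc.
The Domain SEO-listing shown below are set for renewal and need to be processed in the next 48 hours.
"""

# Constructed benign message for comparison.
BENIGN = """\
From: Bob Example <bob@example.com>
Subject: Minutes from Tuesday's meeting
Return-path: <bob@example.com>

Hi, the minutes are attached.
"""

def domain_of(header_value):
    """Lower-cased domain part of the address in a header value ('' if none)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def same_org(a, b):
    # Simplification (assumption): related if equal or one is a sub-domain of the other.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def findings(raw):
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    sender = domain_of(msg.get("From"))
    out = []
    # Display name advertises a domain the sending address does not belong to.
    if any(not same_org(d.lower(), sender) for d in DOMAIN_RE.findall(display)):
        out.append("display-name-domain")
    # Envelope sender (Return-path) is on a different domain from the From address.
    envelope = domain_of(msg.get("Return-Path"))
    if envelope and not same_org(envelope, sender):
        out.append("envelope-mismatch")
    # Short deadline expressed in hours in the body.
    if DEADLINE_RE.search(msg.get_payload()):
        out.append("deadline")
    return out
```

An envelope mismatch on its own is common for legitimate mail sent through a bulk-sending service, so treat these findings as signals to combine rather than as verdicts.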

Spam and virus filtering on the mail server

11 October 2018 15:15:22 +0000

Over the last five months we’ve been monitoring the effectiveness of the anti-spam systems on server NC036 with a view to setting the point at which emails are considered by the system to be spam. We have slowly lowered the cut-off point from the default of 6.2 to 3.0, and have found that at 3.0 the rate of legitimate email caught in the filter rises sharply. Therefore we have now set the default, server-wide level at 3.5. At this point we’re blocking about one thousand to fifteen hundred spams a day, and anywhere from a handful to a few dozen viruses a month.

You can set a different cut-off point for spam to your domain(s) as follows:

  1. Log into the mail server control panel.
  2. Click “Domains & Accounts”.
  3. Click the domain you want to manage.
  4. Click “Spam Policy”.
  5. Enter a different number in the “Classify mail as spam when score is >=” field.
  6. Click the green “Save changes” button.

In short, the lower you set the score the more spam is caught, but the greater the likelihood of legitimate email being classified as spam. Conversely, the higher the score you set the less spam will be caught and the lower the likelihood of legitimate email being classified as spam.
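To see the trade-off in numbers, the following added example (not part of the mail server software or the original post) sweeps candidate cut-off scores over a small sample of hand-labelled messages and counts what each cut-off would quarantine, using the same >= rule as the control panel field. All scores are constructed except 2.125, which is the score on the scam email quoted above on this page; the function names are hypothetical.

```python
from email import message_from_string

# Constructed scores for hand-labelled messages; only 2.125 appears on this page.
SPAM_SCORES = [2.125, 3.2, 3.5, 4.8, 7.9, 12.4]
LEGIT_SCORES = [0.0, 0.9, 1.8, 3.1, 3.3, 3.7]
SAMPLE = (
    [(f"X-Spam-Score: {s}\nSubject: sample\n\n", "spam") for s in SPAM_SCORES]
    + [(f"X-Spam-Score: {s}\nSubject: sample\n\n", "legit") for s in LEGIT_SCORES]
    + [("Subject: never scored\n\n", "legit"),          # header missing
       ("X-Spam-Score: n/a\nSubject: x\n\n", "spam")]   # header malformed
)

def score_of(raw_message):
    """Return the message's spam score, or None if absent or unparseable."""
    value = message_from_string(raw_message).get("X-Spam-Score")
    try:
        return float(value)
    except (TypeError, ValueError):
        return None

def sweep(sample, cutoffs):
    """For each cut-off: (cutoff, spam caught, spam missed, legit quarantined)."""
    rows = []
    for cutoff in cutoffs:
        caught = missed = legit_hit = 0
        for raw, label in sample:
            score = score_of(raw)
            if score is None:
                continue  # unscored mail cannot be evaluated against a cut-off
            flagged = score >= cutoff  # same rule as the "score is >=" field
            if label == "spam":
                caught += flagged
                missed += not flagged
            else:
                legit_hit += flagged
        rows.append((cutoff, caught, missed, legit_hit))
    return rows

def best_cutoff(sample, cutoffs, max_legit_quarantined):
    """Lowest cut-off whose legitimate-mail casualties stay within budget."""
    ok = [r for r in sweep(sample, cutoffs) if r[3] <= max_legit_quarantined]
    return min(r[0] for r in ok) if ok else None

if __name__ == "__main__":
    for row in sweep(SAMPLE, [6.2, 3.5, 3.0]):
        print("cutoff %.1f: spam caught %d, missed %d, legit quarantined %d" % row)
```

In this sample the scam email's score of 2.125 stays below every cut-off tried, which is the kind of miss that only reviewing delivered mail, not the quarantine, will reveal.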

You can also manage other aspects of the spam filter on this page, but we recommend that you do not. The server-wide defaults are to enable all four checks (spam, virus, bad headers and banned files) and to quarantine spam and viruses. If you want to allow any of those four classes of undesirable emails through on your domain that’s your call, but you take full responsibility for the results. The results include everything from annoyance to compromised machines, devices and accounts. NinerNet does charge for time spent recovering and cleaning up compromised accounts.

Please note that the spam and virus filters monitor both incoming and outgoing email.

We strongly recommend, now that we have finished our evaluation, that you conduct your own evaluation of the situation with undesirable email on your own domain or domains. Once logged into the mail server control panel, please navigate to System -> Quarantined Mails. There you will find spam and virus emails to and from your domain(s) for approximately the last week. As mentioned above, if you find that too many legitimate emails are being classified as spam, you have two options: 1) Increase the score at which messages are considered spam, and/or 2) Whitelist any legitimate senders or domains that consistently receive high scores. To whitelist a “sender” (a single email address) or a domain or a domain and all of its sub-domains, follow these instructions:

  1. Log into the mail server control panel.
  2. Click “Domains & Accounts”.
  3. Click the domain you want to manage.
  4. Click “White/Blacklist”.
  5. Follow the instructions on the right of the page to add records to the appropriate whitelist, incoming or outgoing.

Please note that it might be tempting to add something like @yourdomain.com to the outgoing whitelist (thereby whitelisting all addresses on your domain), but we strongly advise you not to. If you do, and a machine on your network is infected with a virus or is compromised and starts spamming, the system will follow your instructions and let it all through. Please see above about our fees for cleaning up after a mess like this. The emails will likely be blocked on the receiving server anyway, and your domain possibly blacklisted. You don’t want your domain (or our mail server) blacklisted, so not whitelisting all of your users is a defence against getting your domain (and our mail server) blacklisted.

Something else to note is that it’s fairly pointless to blacklist spammers and virus senders. If you blacklist bob@example.com because he sent a virus that the virus scanner caught, you’ll also block the legitimate email he sends once he cleans up his machine and sends you an email to apologise. Similarly, spammers rarely use the same email address or domain more than a few times, so you’ll just be filling your blacklist with a lot of crap. Of course, if a persistent spammer keeps getting through the spam filter, then go ahead and blacklist them if they’re actually using the same email address or domain.

Please monitor your quarantine on a regular basis so that you notice trends and compensate for them. With our evaluation ended we will only occasionally monitor the quarantine to make human judgement calls about letting some emails through, as we have been doing over the last five months.

It is worth noting here a couple of points. One is that no spam filter is perfect. During our evaluation we have seen spam come in that was scored less than 3.5, and so will make it through the filter now that we have settled on a cut-off of 3.5. Another is that some legitimate email from senders hosted on this server — i.e., you and your colleagues and employees — has been scored above 3.5 and so has been (or will be) quarantined instead of being delivered to the sender’s mail server. This is why you need to keep an eye on the quarantine for the domains under your account, and if necessary release legitimate emails for delivery. This is how you release emails:

  1. Log into the mail server control panel.
  2. Navigate to System -> Quarantined Mails.
  3. Select the legitimate email or emails.
  4. At the bottom of the page select “release selected” from the “Choose Action” drop-down list.
  5. Click the green “Apply” button.

The emails will then disappear from the quarantine and will be delivered to the recipients. You may also select one of the other three “release” options if you want to release the email and add the sender to your whitelist if their email is consistently being scored highly. As mentioned above, it’s generally a waste of time to select one of the blacklisting options; there’s also no need to manually delete items from the quarantine, as they are rotated out after about a week.

With respect to your own emails being marked as spam, there are some glaring spam markers that we’ve seen commonly used that you and your colleagues and employees can avoid by following these suggestions:

  • Don’t use blank subjects.
  • Don’t use ALL CAPITALS subjects. If you do, keep in mind that your method of trying to get the recipient’s attention might fail completely if your message is blocked as spam.
  • Avoid using very short subjects.
  • Avoid using “Dear xxxx” in your salutations. Email is a less formal mode of communication than letters, and opening an email with “Dear” is a classic spam marker and will give your email enough extra points that it could push it over the cut-off score, especially when combined with other spam markers listed here.
    • Update: Thanks to a client for pointing out that “Dear Bob” or “Dear Mrs. Smith” are not scored as badly as generic salutations such as “Dear sir”, “Dear madam”, “Dear investor”, “Dear home owner”, “Dear winner”, “Dear beneficiary”, “Dear friend”, “Dear you@example.com”, etc.
  • Don’t send blank emails with only an attachment.

Please note that we don’t read your email. This data is gleaned from the spam reports and the reasons that certain messages were blocked because they were classified as spam.

This spam filter is much better than what we had on the old email server, and now you have access to the information it contains and control over how it works. If you have any questions or concerns, please contact NinerNet support. Thank-you.


General Information:

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.
