A White Paper: E-mail DNS Records, Spam, & Spam Filtering In Shared & Dedicated Hosting Environments
Answering the questions:
What is a spam filter?
What does a spam filter do?
How does a spam filter work?
What is an MX DNS Record?
Do website hosting servers and e-mail hosting servers have to be the same server?
Jodi L. Golisek, President, Sigma One Group
Andrew Bagnato, Senior Systems Engineer, SaaS Security Mail Systems
Timothy Jackson, Network Systems Engineer, Webroot
Google Applications Team (Postini Integration)
Noteworthy Mentions: See also Outlook Rules To Handle Spam
Electronic mail, which is often called e-mail, has fast become the most utilized means of communication in both the domestic and global business world, and commonplace in people's everyday life. For that reason, it is vital for users to understand e-mail. This 200-foot bird's-eye view can help accomplish that.
Free and Branded E-mail
A free e-mail account can be obtained at a variety of portals, such as Yahoo.com, Google (Gmail), or HotMail, to name a few. Free e-mail is great - it's free - but its major flaw is that it cannot be secured or filtered. However, since Google acquired Postini, Google now offers an enterprise e-mail solution based on Gmail that can be branded, and subsequently secured.
Branded e-mail is simply e-mail provided under the umbrella of a domain name. It takes the form of email@example.com, where email is the user's electronic mail account and example.com stands for the user's domain name (e.g. SigmaOneGroup.com). For more information about domain names, see Understanding Domain Names.
Also see Understanding Domain Name Records.
A Domain Name's Mail Records - MX Records
Domain names are leased from ICANN through a distributor or a reseller. Some of the top licensed and approved domain sellers are ENOM, Register.com and NetworkSolutions; recently, GoDaddy has also been approved. Those companies are charged with the responsibility of assigning unique domain names and maintaining processes on the web through which resellers' accounts roll up to the approved licensing company should the reseller dissolve or fail to manage the domain name.
When a domain license is acquired, several DNS records are assigned to the domain name. You can think of a domain name as an umbrella under which there are many components, each of which acts independently and is independently assigned to work in unison under the guise of a single domain name. Some of the key records of any domain name are its A records (address of the website), its MX records (address for its mail exchange), its NS record (name server), and its CNAME record, which is often used to assign a particular IP (Internet Protocol) address to a particular server so that it can be found on the web. An IP address is a series of numbers broken down into classifications separated by periods, and looks like this: 220.127.116.11. The CNAME - a canonical name record - is often assigned at the web server level to translate the IP address into words that make sense, such as the domain name. The domain name is assigned to the A record so that the IP address is translated to the domain name address.
The mail records (MX) are assigned independent of the A records; they can be on the same server, but if the mail is secured or filtered, it is more likely that the MX records will point to an entirely different mail server for filtering, even if the filter is referred to as being "at the server level". At the server level simply means that the process is invoked at the server, rather than at some other point. Mail can also be secured in the same vein - by sending all mail to a secure mail server for encryption. There are some companies on the horizon that allow a person to secure mail on their desktop by sending it through an encrypted mail server that does not require the end user to also have a key to unlock the secured mail. In most instances though, encrypted mail is encrypted by the sender, sent, and unencrypted by the recipient; both of whom share a common key to lock and unlock the mail.
In the section about domain name records, you can find information about each record of a domain name. In summary, domain names consist of multiples of records, each handling a particular procedure. The A record is the address record for the website. The A record must point to the location where a website is hosted in order for that website to be found by users when they type in the website's associated domain name.
MX records are mail address records. Where the A record guides a person to the address of a website, the MX records tell mail servers where to deliver mail. The two are independent of one another.
As an aside, domains using databases will likely have a different address for the database, just as they do for the mail and the website.
If you don't know your mail server address, you can look it up. Simply type "MX LookUP" in Google's search box, and select the link associated with your query.
Filtering Mail For Spam
Today, most webhost servers offer spam filtering programs, such as Spam Assassin, and virus detection programs, such as Dr. Web. The UNIX Plesk package used predominantly across the web provides both such animals. And in almost all situations, those two programs will sufficiently handle the common spam e-mail on the web today.
In some situations, in which a particular client, website or e-mail account has been victimized by spam assaults (which are illegal under federal and State of Wisconsin criminal harassment laws), spam increases to such a tremendous volume that it trips the spam detection program and shuts it down.
Unlike many programs, Spam Assassin gives no warning when it has been shut down; rather, it just lets the spam flow through to the end users. The same can be true for desktop overflow spam detection programs, such as CA's desktop program; however, CA believes that it is the storm virus (or a copycat) that causes its program to shut down without notice.
All servers with Sigma One Group have filters at the server level.
Terminology can be confusing. The programs just mentioned are truly SERVER FILTERS. They reside on and work directly on the server. Additional commercial filters are not SERVER filters, but rather SERVER SIDED APPLICATION FILTERS. To use a commercial server sided application, email is directed to the application filter from the server (hence server-sided), filtered and returned to the server for you to download.
If you receive a substantial amount of spam, you may want to use a commercial server-sided spam filtering application. Postini, which was recently acquired by Google, is one such system. Another of the very top rated systems is available from WebRoot. Engineers from both places have contributed to this content.
Barracuda and Symantec also provide server-sided spam filtering, as does CA - Computer Associates.
When you embark upon changing the procedures by which you receive mail, there are a few key points to keep in mind. First, the mail can still come and go through the process that you have been using in the past if you use Outlook or some other mail program to send and retrieve your e-mail from a mail server. In most instances, the readers that this article targets process mail with Outlook, some with ThunderBird, and some will receive mail on their BlackBerry phones. A filtering process will not change the manner in which mail is retrieved, but you may be required to reset your password when the system is invoked. That requirement is a good Information Technology management procedure, as all e-mail passwords should be changed once every 6 months (if not every 3 months).
If we are working with you on filtering your mail, we will require a password reset to coincide with invoking the filter application to maintain the highest level IT security and management procedures.
The reasons that this IT Management process exists are many, but the main ones include good password management processes and security issues.
The changes to the MX records to filter inbound mail occur on the domain host server. No changes are usually required to the mail records on your computer when you invoke an inbound mail filter. Do not update your website address records (A records) when you update MX records to make your mail go through a filtering process. You only need update your website (A records) if you are moving your website. See below - spam and servers.
However, if you also filter outbound mail, you will be required to change the address to which you first send your mail in order for the mail to go out. Outbound mail filters can secure your e-mail, and prevent e-mail hijacking. E-mail hijacking occurs when a spammer uses your e-mail address without your permission, either physically by accessing an open e-mail relay on your mail server, or by spoofing your e-mail address - which is illegal under Wisconsin laws. If you are working with Sigma One Group, and an outbound mail filtering process is being invoked, you will receive instructions for how to change your mail path to send e-mail before the outbound mail filter is invoked.
Delays & Sporadic E-mail Services
When an e-mail filtering process is invoked, the results are not immediate because it takes time for the process to be invoked at the server level. Each domain has TTL settings, which determine how long dynamic settings for the current domain records and paths to those records exist before they expire and reset. Changing MX records on a mail server will not change the delay (TTL), nor will changing the TTL setting speed up or delay the process. (Some techs would argue this point, but we are erring on the side of what is right to do.) The new mail record path must resolve to the new mail host, and until such time that it does, mail may be delayed (but it will not be lost) or mail may be sporadic. If you experience delays or sporadic e-mail access, be patient; there is nothing that anyone can do to change it - once the mail records are changed, the process by which they resolve to the new mail host is out of everyone's hands and it cannot be stopped or rushed. Once the old TTL setting expires, all mail will flow through the mail filter.
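As an added example, not part of the original paper: a small Python check a practitioner can run over a copy of the zone before and after an MX cutover, tying together the record types described above and the TTL point just made. It confirms that the website's A record is untouched, that every MX now points at the filtering service in preference order, and reports the old MX record's TTL as the longest a sending server may keep delivering to the old host. The zone contents, example.com, and the filter.example.net hosts are constructed for illustration.

```python
import re
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|MX|NS|CNAME)\s+(.+)$")

# Constructed zone for a hypothetical domain (not any real operator's records),
# before and after pointing its MX records at a hypothetical filtering service.
ZONE_BEFORE = """\
example.com.       3600 IN A     203.0.113.10
www.example.com.   3600 IN CNAME example.com.
example.com.       3600 IN MX    10 mail.example.com.
mail.example.com.  3600 IN A     203.0.113.20
"""
ZONE_AFTER = """\
example.com.       3600 IN A     203.0.113.10
www.example.com.   3600 IN CNAME example.com.
example.com.       300  IN MX    10 mx1.filter.example.net.
example.com.       300  IN MX    20 mx2.filter.example.net.
mail.example.com.  3600 IN A     203.0.113.20
"""

def parse_zone(text):
    """Parse the zone-file lines above into (owner name, ttl, type, rdata) tuples."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        name, ttl, rtype, rdata = RR.match(line).groups()  # AttributeError on a malformed line
        records.append((name.lower(), int(ttl), rtype, rdata.strip().lower()))
    return records

def mx_targets(records, domain):
    """Mail hosts for domain in the order a sending server tries them (lowest preference first)."""
    prefs = [r[3].split() for r in records if r[0] == domain and r[2] == "MX"]
    return [host for _, host in sorted((int(p), h) for p, h in prefs)]

def a_record(records, name, hops=4):
    """Website address for name, following CNAME aliases at most `hops` times."""
    for _ in range(hops):
        addr = next((r[3] for r in records if r[0] == name and r[2] == "A"), None)
        cname = next((r[3] for r in records if r[0] == name and r[2] == "CNAME"), None)
        if addr or not cname:
            return addr
        name = cname
    return None  # alias chain too long or circular

def cutover_report(before, after, domain, filter_suffix):
    """Confirm only mail moved: A unchanged, every MX on the filter, and the longest wait
    (old MX TTL, in seconds) before resolvers stop handing out the old mail host."""
    old, new = parse_zone(before), parse_zone(after)
    return {
        "web_unchanged": a_record(old, domain) == a_record(new, domain),
        "mx_on_filter": all(h.endswith(filter_suffix) for h in mx_targets(new, domain)),
        "old_mx_ttl": max(r[1] for r in old if r[0] == domain and r[2] == "MX"),
    }
```

For a live domain, the same checks can be fed the output of an MX and A lookup taken before and after the change instead of the constructed zone text.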
Mail Filter Rules
Commercial spam filters from the top spam filtering companies are intended to be "turn-key", meaning that they come with built in rules to detect the majority of spam and commonly known viruses. In some instances, an Information Technology department will increase the detection levels, which will result in more spam (and good mail) being quarantined so as to determine which rules need to be invoked above and beyond the default rules to ensure the best quality (least amount of spam) experience for the end users. In other instances, the IT department will use the product out of the box, and ask for feedback from the end users to build rules around the end user's received spam to catch it at the filter. If you work with Sigma One Group, we recommend a combination of both methods tweaked to fit your personal needs so as to require the least amount of wasted time on your behalf.
However, every situation is different, so it is best to discuss the situation and come up with the best game plan.
Spam & Servers
Although the top spam filtering applications do a great job of removing the majority of spam from an inbound e-mail box, they can't delete it all without risking delays to important messages. They also cannot filter out spam sent through alternative means, which we see no need to describe here and merely educate spammers. Suffice it to say that spammers can circumvent the filters, which will result in the end user receiving spam that did not pass through the filter. This problem often occurs in shared hosting environments - which means that a website is hosted on a shared server, rather than a dedicated server. Even if the website uses a static IP address, which means that one IP address is dedicated to a single (or few) websites, spammers can still circumvent the filter. The only way to lock down your e-mail and prevent the majority of spam from getting through is to control the firewall. Where shared hosting environments share a firewall, no single website hosted there is usually allowed to lock down the firewall to pass only your e-mail. On a dedicated server, with a dedicated firewall, the server administrators can lock down the firewall to pass only your e-mail, which prevents spammers from sending mail around the filters.
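An added example, not from the paper or from any of the vendors named in it: a Python check that reads a server's inbound SMTP connection log and counts connections that did not arrive from the filtering service's published address ranges (mail that reached the server around the filter), together with the nftables rules an administrator of a dedicated firewall could apply to accept port 25 only from those ranges. The address ranges, the Postfix-style log lines and the `inet filter` table and `input` chain names are constructed assumptions.

```python
import ipaddress
import re

# Hypothetical ranges published by the filtering service (the real list comes from
# the provider); only these hosts should be handing mail to this server.
FILTER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:f1::/48")]

# Constructed inbound SMTP connection log, in a Postfix-like format, made up for this example.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx postfix/smtpd[2210]: connect from mx1.filter.example.net[198.51.100.7]
Mar  3 10:01:13 mx postfix/smtpd[2210]: disconnect from mx1.filter.example.net[198.51.100.7]
Mar  3 10:04:55 mx postfix/smtpd[2231]: connect from unknown[192.0.2.44]
Mar  3 10:05:02 mx postfix/smtpd[2231]: disconnect from unknown[192.0.2.44]
Mar  3 10:09:40 mx postfix/smtpd[2244]: connect from mx2.filter.example.net[2001:db8:f1::25]
Mar  3 10:11:03 mx postfix/smtpd[2250]: connect from unknown[192.0.2.44]
"""

# Matches only "connect from", not "disconnect from", because of the "]: " anchor.
CONNECT = re.compile(r"smtpd\[\d+\]: connect from (\S+)\[([0-9a-fA-F.:]+)\]")

def from_filter(ip):
    """True when the connecting address lies inside a published filter range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FILTER_RANGES)  # version mismatch simply yields False

def bypass_connections(log_text):
    """Return {ip: count} for SMTP connections that reached this server without
    passing through the filter, i.e. mail delivered around the commercial filter."""
    counts = {}
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if not m:
            continue
        ip = m.group(2)
        if not from_filter(ip):
            counts[ip] = counts.get(ip, 0) + 1
    return counts

def firewall_rules(port=25):
    """nftables commands for a dedicated firewall: accept SMTP only from the filter
    ranges, then drop everything else on that port (assumes table inet filter, chain input)."""
    rules = [
        f"nft add rule inet filter input tcp dport {port} "
        f"{'ip6' if net.version == 6 else 'ip'} saddr {net} accept"
        for net in FILTER_RANGES
    ]
    rules.append(f"nft add rule inet filter input tcp dport {port} drop")
    return rules
```

On a shared server the firewall rules cannot be applied, but the log check still shows how much mail is getting around the filter and which sources are doing it.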
At the end of the day, no system will prove perfect. The more restrictions you put in place, the more industrious the spammers seem. Industry wide, the norm runs around 90%-95%, although some reach higher levels at 98%-99% for spam-free e-mail.
On some servers, more than one spam filter can be used to prevent spam from passing around the commercial spam filters. If you are new to spam detection and management, you should consult with us or one of the fine engineers we have listed above to configure your spam filters and server spam detectors appropriately.
If you haven't heard, Sigma One Group is moving - virtually. Sigma One Group is pleased to announce its move to a highly secure dedicated mail and web server environment under IBM's strong arms.
For more information, please contact Sigma One Group.