Understanding email server connection checks

One of the reasons I'm fanatical about Rackspace as a hosting partner is that if you're unsure about something, you know you're able to ask an expert and get a top-notch response to your quandary.

I was recently speaking with another host who was talking about greylisting their emails -in short this is the process of rejecting the first email from a given email address/server and waiting for it to be (automatically) resent by the server later as unlike genuine email servers, most spam servers do not try to re-send an email if it's rejected by a server. We're not able to greylist our emails so I thought I would check that our spam filter settings were up-to-date.

The guys at Rackspace had a look through our spam filter settings and recommended we disabled the statistical filters as they were somewhat outdated technically and increase our connection checks -more importantly, deleting the email after it fails a number of checks. Historically I've been adverse to deleting emails on the server as there's no way to recover them so I asked how accurate connection checks were and thought I would share their easy-to-understand response about what the connection checks do.

Tim,

In order to understand the unlikelihood of false positives for this case, you must first understand what each check does.

Verify HELO/EHLO domain.

This will create a test in which the domain passed during the HELO/EHLO is used to perform a DNS query to verify that the domain specified has an A record or an MX record. (All valid domains should have a valid HELO/EHLO domain, only mis-configured and spam mail servers fail this test)

Perform Reverse DNS Lookup for Connecting Server.

This will create a test in which the IP address of the connecting server is used to perform a reverse DNS lookup to determine the domain name. If a domain has a valid PTR record, the message is accepted. (Not all valid domains have a PTR record)

Verify MAIL FROM Address.

This will have the "From" address of the connecting server verified for each message to ensure that the user is a valid user on the mail server. If the user or server does not exist, the message is identified as spam. (This is a definite give-away that the message is a spam message).

We can then set the delete threshold to 4. The "Delete message after X matches" will delete the message after it matches 3 of the above rules and/or black lists. This will almost guarantee that the message is spam. If the message fails all Verification checks, it is spam. If the message fails 2 connection checks and a DNS Blacklist check, it is spam. If an email fails both DNS Blacklist checks, and 1 verification check, it is spam. You are pretty much guaranteed that a message is spam. If you want to make extra sure, you could set the delete threshold to 4 that way it will have to fail all verification checks and one blacklist, or both blacklists and two verification checks.

Thank you,

Roberto M Chapa

Author

Tim

comments powered by Disqus