
0918ELSEMC Manage your security lists

Nicolas HAHN

The Official X-Itools ELSEMC 0.9.18 User's HOWTO

Edited by Nicolas HAHN < hahnn@x-itools.com > / < hahnn@erios.org >


This page for version: 0.9.17


Manage your security lists

Security lists: manage your greylist, blacklist and whitelists

In this last section, we describe how you can manage the various security lists:

  • Greylist
  • Blacklist
  • Whitelist
  • RAWL

These lists are your personal lists as a messaging services user.

All list types except the Greylist and the RAWL feature share the same Web User Interface (WUI). This WUI lets you manage a list by adding items to it and removing items from it.

The greylist is special in that the user has almost no control over it; only the system does. However, the ELSEMC lets you see the sender e-mail addresses that were not able to pass the greylist barrier, so that you can add them to your whitelist.

We'll explain how to manage a basic list, taking the blacklist as an example, since the other lists are managed on the same principles, and we'll finish by explaining what is behind the Greylist and RAWL buttons. But first, we'll give you an essential piece of information: the order in which the various lists are evaluated, between your personal lists and the global lists managed at a higher level, at the scale of the whole messaging system.

Order of evaluation

It's important to know in what order the types of lists (we call them "policies") are evaluated. Normally, once an e-mail matches a rule of a policy, the following policies are not evaluated. Below are the global lists, managed by the SMTP administrators or architects using the ELSE, as well as the personal lists that every user can create and manage:

  1. RTAAM
  2. Auto-cleaner
  3. Global Holdlist
  4. Global Blacklist
  5. User's Blacklist
  6. Global Whitelist
  7. User's Whitelist for recipients
  8. User's Whitelist for senders
  9. Greylisting and auto-whitelisting engines

Please note that this order might change in the future.

What can we learn here? For instance, if a messaging administrator created an entry in the global blacklist, and this entry matches a sender e-mail address you want to receive e-mails from, then even if you register this sender e-mail address in your personal whitelist, you'll never receive his e-mails: the global blacklist is evaluated first and matches the e-mail before your personal whitelist is ever evaluated.

But, as another example, if the greylisting engine never ends up authorizing a sender to send you e-mails, then adding the sender e-mail address to your personal sender whitelist will get you his e-mails, because your personal whitelist is evaluated before the greylisting engine.

Sender Blacklist

What is it?

A blacklist is a list of e-mail addresses (or parts of e-mail addresses) - we'll call an entry of the list "an item" - that the user wants to forbid from reaching his mailbox. If the sender e-mail address of an e-mail matches an item of the blacklist, the e-mail is rejected by the SMTP server and is never delivered to the user's mailbox.

List management

To manage your sender blacklist, click the "Sender Blacklist" button to display the list manager on your screen.

Figure: List manager: remove and add items in your list

The list manager is simple.

On the left side is the data grid. This grid contains the items already registered in your list and is composed of two columns:

  • A Pattern column showing the text pattern that will be searched for a match against the sender e-mail address
  • A Triggered column showing the number of times the item has matched e-mails since it was added to the list

This data grid can be downloaded as an Excel file by clicking the "Download" button at the top of it.

On the right side is a small interactive interface that lets you enter a new pattern, select the right operator, and add it to the data grid on the left.

Two operators are available:

  • Exact match means that your pattern has to be exactly the same as the sender e-mail address for the e-mail to be blacklisted. For instance, if you want to reject e-mails sent by your.devil@heaven.sky, you have to register this exact pattern in the field.
  • Contains means that your pattern is a part of the sender e-mail address. Any e-mail whose sender e-mail address contains this pattern will be rejected. For instance, if you want to reject any e-mail sent from the domain @ad-server.com, you can register ad-server in the field.

Once you've entered your pattern and selected the right operator, just click the "Add" button in the middle of the window to register it in your list.

If you want to remove an item from the list, click on it and then click the "Remove" button.

Please note that any change to the list takes effect immediately.
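The following is an added example, not code from ELSEMC or the ELSE itself. It models the first-match evaluation order listed in "Order of evaluation" (only the list policies; RTAAM, auto-cleaner and the holdlist are assumed not to match) together with the two list-manager operators, and reproduces the two scenarios described above: a global blacklist entry overriding a personal whitelist, and a personal whitelist overriding the greylisting engine. The case-insensitive comparison and the sample lists are assumptions, not ELSE behaviour.

```python
from dataclasses import dataclass


@dataclass
class Item:
    """One entry of a list, with the two operators of the list manager."""
    pattern: str
    operator: str   # "exact" or "contains"

    def matches(self, address: str) -> bool:
        # Assumption: comparison is case-insensitive (not stated on the page)
        address, pattern = address.lower(), self.pattern.lower()
        if self.operator == "exact":
            return address == pattern
        if self.operator == "contains":
            return pattern in address    # matches anywhere, so short patterns over-match
        raise ValueError(f"unknown operator {self.operator!r}")


def match_any(items, address):
    return any(item.matches(address) for item in items)


def evaluate(sender, recipient, lists, greylist_accepts):
    """Return (verdict, policy): policies run in the documented order and the first
    match wins. RTAAM, auto-cleaner and holdlist are assumed not to match here."""
    chain = [
        ("Global Blacklist", "reject", lambda: match_any(lists["global_black"], sender)),
        ("User's Blacklist", "reject", lambda: match_any(lists["user_black"], sender)),
        ("Global Whitelist", "accept", lambda: match_any(lists["global_white"], sender)),
        ("User's Whitelist for recipients", "accept",
         lambda: match_any(lists["user_white_rcpt"], recipient)),
        ("User's Whitelist for senders", "accept",
         lambda: match_any(lists["user_white_sender"], sender)),
    ]
    for policy, verdict, hit in chain:
        if hit():
            return verdict, policy
    # Nothing matched: the greylisting engine, evaluated last, decides
    return ("accept" if greylist_accepts else "greylisted"), "Greylisting engine"


# Constructed sample lists reproducing the two scenarios described above
LISTS = {
    "global_black": [Item("ad-server", "contains")],
    "user_black": [Item("your.devil@heaven.sky", "exact")],
    "global_white": [],
    "user_white_rcpt": [],
    "user_white_sender": [Item("news@ad-server.com", "exact"),
                          Item("friend@example.org", "exact")],
}
```

Note that a Contains pattern matches anywhere in the address: "ad-server" also rejects bob@bad-server.com, so prefer patterns that include the "@" or a full domain.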

Sender Whitelist

What is it?

This list is the opposite of the blacklist.

A whitelist is a list of e-mail addresses (or parts of e-mail addresses) - we'll call an entry of the list "an item" - that the user wants to authorize to reach his mailbox. If the sender e-mail address of an e-mail matches an item of the whitelist, the e-mail is accepted by the SMTP server and delivered to the user's mailbox.

Recipient Whitelist

What is it?

This list is the same as the sender whitelist, except that it works on the recipients of an e-mail, not on the sender.

A recipient whitelist is a list of e-mail addresses (or parts of e-mail addresses) - we'll call an entry of the list "an item" - that the user wants to authorize. If a recipient e-mail address of an e-mail matches an item of the whitelist, the e-mail is accepted by the SMTP server and delivered to the user's mailbox.

Greylisting

What is it?

Greylisting is a kind of ultimate weapon against unsolicited e-mails and SPAM.

Basically, a greylister like the GreyLSE considers three parameters - together called a triplet - to take a greylisting decision:

  • the sender e-mail address
  • the recipient e-mail address
  • the IP address of the SMTP server sending the e-mail

For every e-mail, the greylister checks whether this triplet already exists in its database. If it exists, the same sender has already written an e-mail to the same recipient via the same SMTP server, and the e-mail consequently has every chance of being authorized by the greylister.

If it doesn't exist, the greylister instructs the SMTP server to refuse the e-mail with a temporary error code (4xx series). The sending SMTP server is then supposed to try to send the same e-mail again at regular intervals. The greylister is configured to accept an e-mail with the same triplet after some minutes. So, the next time an e-mail arrives with the same triplet, provided the retry is made some minutes later, it will be accepted.

Greylisting considerations

This strong defense provided by the greylister is very efficient and introduces only some minutes of delay in the e-mail delivery process.

It is a strong defense because legitimate SMTP servers are (or should be) configured to retry a failed e-mail several times over several hours, if not days. In the case of SPAM bots or SPAM servers, however, the interest of those servers and the evil people behind them is to send as many e-mails as possible while staying "furtive" enough not to be detected and blocked. Consequently, they send SPAM using a different triplet every time:

  • the sender e-mail address is randomly generated
  • the recipient e-mail address is of course a valid address, in order to reach you
  • it is sent each time by an SMTP server with a different IP address

As two components of the triplet change every time, such SPAM e-mails have no way of getting past the defense offered by a greylister.

The main spammers of the planet, unfortunately, come on one hand from very well-known internet service providers (ISPs) like Hotmail (really the worst), Google or Wanadoo, and on the other hand from Eastern countries like Russia and China.

There is another issue, in that "grand public" ISPs don't offer professional messaging services to their customers. That means, if we take Hotmail, Google or Wanadoo as examples again, their servers will try to deliver the e-mails of their users only once. So if the e-mail is refused by a greylister somewhere on the planet, their servers will never try to send it again and the e-mail is lost (well, bounced in fact). This behaviour, from my point of view, is a bad implementation of what should be the standard in terms of messaging services, but that's only my point of view... On the other side, they do it to protect themselves, to protect their infrastructure, and to protect the other users on the internet. Imagine some attackers used their giant infrastructure to pollute the internet, using their servers to send MASS SPAM everywhere, servers that would be configured to try to send deferred e-mails again and again... Then the internet would be permanently under extreme congestion and very vulnerable. That's just an example of potential consequences.

Professional messaging services, like Google Postini for instance, have SMTP servers acting as they should: they will try to send the e-mails again if they were rejected (deferred) with a temporary error code. That's why I consider that every company in this world should use only professional services, and not rely on grand public services, whatever the size of the company. A lot of them, and a lot of small companies, don't do it, and that makes the defenses against messaging service attacks very fragile for the world.

So, all of that leads us to something we would rather not do: it forces us to whitelist, in our greylisting engine, domains well known for protecting spammers, like hotmail.com, google.com or wanadoo.fr, just because if we don't, the greylister would never accept the few legitimate e-mails sent by the people using those domains.

The best way would probably be to let the users of your company whitelist their own contacts in such domains, and let the greylister do its job.

Greylisting and you

Greylisting is a process that cannot be controlled by end-users.

However, and probably (we believe) for the first time, the ELSEMC gives end-users the possibility to get an overview of the actions taken by the greylister (the GreyLSE).

Thanks to this information, end-users can directly know which senders tried to send them an e-mail that they never received (because the sender is in the situation explained in the section just above, "Greylisting considerations").

So, by clicking the "Greylist" button, you'll get a new data grid as shown below:

Figure: Greylist activity: check if some of your senders were blocked and whitelist them

This grid shows you every sender e-mail address that sent you an e-mail only once. All senders listed there use SMTP servers that did not try to send the e-mail again after a temporary rejection by the greylister.

In theory, all sender e-mail addresses in this list are spammers. But it can happen that some legitimate senders are in this list. If this is the case, you can click the green button on the right of the sender e-mail address to add it to your sender whitelist. If you do that, the item is removed from the greylist, and the next time this sender sends you an e-mail, you'll receive it because the greylister will be bypassed.

This list shows the last 500 entries. So it's good to take a look at this list at least once a day, to be sure not to miss legitimate e-mails.

Please note that, depending on the sender's ISP, the sender might not have been warned that an e-mail he sent you never reached you. So if you see a legitimate sender and add him to your whitelist, it may be a good idea to send him an e-mail saying that you know he tried to send you an e-mail, that you never received it, and asking him to send it again.

RAWL feature

What is it?

We're going to explain what RAWL is with a simple example.

You are a messaging services user. As such, you send e-mails to your contacts. In messaging "terms", those contacts are recipients.

Now let's say your messaging infrastructure is well protected (using the ELSE :-)), and consider that you send an e-mail to a recipient outside of your company messaging domain: god_do_not_forgive@heaven.sky

Then this recipient decides to answer you, for the first time. That means he will send you an e-mail: he becomes the sender and you become the recipient.

Unfortunately, the e-mail he sent you is delayed by the greylisting capabilities of the GreyLSE; it may even never be delivered to you if your contact's messaging server is not configured correctly.

That's what the RAWL feature is for.

The "Enable RAWL" button is a toggle button: click it to enable or disable the feature.
When enabled, every time you send an e-mail to some recipients, those recipients are automatically whitelisted as senders, so that their e-mails are not delayed by the GreyLSE when they answer you.

RAWL means Recipient Automatic White Listing.
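The following is an added example, not GreyLSE or ELSEMC code. It simulates the triplet-based greylisting decision described under "Greylisting" and the RAWL behaviour described just above: a legitimate server that retries after the delay gets through, a bot that changes sender and IP on every attempt never does, and a contact the user has already written to bypasses the greylister entirely. The 5-minute retry delay, the 450 reply text, the sample addresses and IPs are constructed assumptions.

```python
from dataclasses import dataclass, field

RETRY_DELAY = 5 * 60   # assumed value: a retried triplet is accepted after 5 minutes
TEMP_REJECT = "450 4.7.1 greylisted, try again later"   # a 4xx temporary error code


@dataclass
class GreyLister:
    first_seen: dict = field(default_factory=dict)   # triplet -> time first deferred
    passed: set = field(default_factory=set)         # triplets that retried and got in
    sender_whitelist: set = field(default_factory=set)
    rawl_enabled: bool = False

    def check(self, sender, recipient, client_ip, now):
        """Decide one delivery attempt made at time `now` (seconds)."""
        if sender.lower() in self.sender_whitelist:
            return "250 accepted: sender whitelisted, greylister bypassed"
        triplet = (sender.lower(), recipient.lower(), client_ip)
        seen = self.first_seen.get(triplet)
        if seen is None:                  # unknown triplet: defer it and remember it
            self.first_seen[triplet] = now
            return TEMP_REJECT
        if now - seen < RETRY_DELAY:      # retried too early: defer it again
            return TEMP_REJECT
        self.passed.add(triplet)          # a real MTA retry pattern: let it through
        return "250 accepted: triplet retried after the delay"

    def user_sent_mail(self, recipients):
        """RAWL: each recipient the user writes to becomes a whitelisted sender."""
        if self.rawl_enabled:
            self.sender_whitelist.update(r.lower() for r in recipients)

    def never_retried(self):
        """Senders deferred once that never came back: what the Greylist grid lists."""
        return sorted({t[0] for t in self.first_seen if t not in self.passed})


def demo():
    g = GreyLister()
    # A legitimate server retries after the delay: deferred once, then accepted
    r1 = g.check("alice@example.org", "me@corp.example", "192.0.2.10", now=0)
    r2 = g.check("alice@example.org", "me@corp.example", "192.0.2.10", now=600)
    # A spam bot changes sender and IP on every attempt, so each one is a new triplet
    r3 = g.check("x1@random.test", "me@corp.example", "198.51.100.1", now=0)
    r4 = g.check("x2@random.test", "me@corp.example", "198.51.100.2", now=1000)
    # RAWL: the user writes to the contact first, so the contact's reply is not deferred
    g.rawl_enabled = True
    g.user_sent_mail(["god_do_not_forgive@heaven.sky"])
    r5 = g.check("god_do_not_forgive@heaven.sky", "me@corp.example", "203.0.113.5", now=0)
    return r1, r2, r3, r4, r5, g.never_retried()
```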

