Preventing your domain name being used by spammers

When we design web sites for clients we will often get involved in helping buy the domain name, choosing an ISP and setting up email addresses alongside all the other internet related resources. In building the site we will want to make it as visible as possible on the internet. In doing so we potentially attract unwanted attention in the form of spammers.

There are a number of good ways to avoid spammers trawling your site for email addresses and plenty of ways to ensure that spam is kept out of your own in-box. For the former we've often used Spam Vaccine, and for the latter I personally favour Spamfire , both from Matterform and both work on a mac.

This week I've been made aware of other people's favourites in a rather disturbing way - bounce-backs from emails we never sent to people we don't even know.

How did this happen? Because, while all the above is fine for protecting your own email address from the effects of spammers, it doesn't do much to protect the rest of the world from spammers using your domain in their spam emails. Which in turn doesn't do much for your company's reputation and could potentially mean unwarranted blacklisting for your domain.

Year's ago when we were managing our own SMTP server we experienced an avalanche of spam email traffic through our server on it's way to the rest of the world because our server was acting as an open relay. This lapse in security could have gone unnoticed but for the volume and timing of the traffic - the flood brought our server to a standstill in the middle of the working day. Although a review of the log files showed that much of the traffic had traversed our server during the night. We quickly bolted that door and thought,job done.

Recently we've seen spammers tacking on any old name in front of the @ symbol followed by one of our domain name suffixes. I hate to think how many people received a spam email last week with our domain name attached. Judging by the number of bounceback's it runs into the thousands. And if any of you are reading this, a thousand apologies.

A quick call to our ISP provided a solution in the form of an SPF record - essentially a listing in your DNS detailing which servers can send email on behalf of our domain. Those that are not listed get recognised as forgeries and are automatically rejected before they hit anybody's inbox. And I'm pleased to say it's working.

If you're experiencing this type of Spam, speak to your ISP or take a look at the SPF website.

And for those of you wondering about the most popular mail box spam protectors...
...based on our recent bounce-back experience they were: mailEnable and SpamArrest. The former is an SMTP mail server platform and the latter a web based mail filtering service. If anyone has any other suggestions experiences or observations, please feel free to add a comment to this post. No spam please.