Outbound Spam Monitoring
The Mail Assure filters are extremely effective at blocking a large percentage of outbound spam/viruses, which prevents issues with your network reputation. However, it is essential that you proactively stop the abuse at its source by suspending any spamming customers/accounts. If such accounts are not suspended/blocked, there may eventually be a spam run which is missed by our engines. You can prevent such spam escalations (or other types of attack from abusive customer accounts) by ensuring the account is locked down before it starts to cause real issues. Our systems allow you to quickly and easily identify such abusive accounts before any third-party issues occur.
There are a number of ways that spammers can be monitored via our systems.
Best Practice for Smarthost Users
- Ensure all your smarthost authentication users are grouped as part of a single administrative domain (e.g. out.yourcompany.tld).
- Configure your sending MTA to always include an end-user identification header.
- Set your outgoing Mail Assure user account to use this identity header.
- Manually/automatically locate abusive identities and shut down the main spam source (and temporarily lock down the identity via our identity management as an immediate measure).
Managing Outgoing Spam
Outgoing Log Search
You can view outbound blocked messages from the Admin, Domain or Email Level Control Panel using the outgoing log search:
- Select Outgoing > Logs.
- In the Query Rules panel, filter using Status > is one of > Quarantined.
- Click Show Results to list all matches.
Manually Lock Identity from Outgoing Log Search
You can choose to lock a sender based on their identity header from this page:
- Locate the relevant message and select Lock Identity from the dropdown:
- In the prompt, enter a reason for locking this sender and click Confirm.
You can also lock the Outgoing user from here (by selecting Lock user in the dropdown). This would prevent any outbound mail being sent from that outgoing user (IP or domain).
Outgoing Reports page
You can view senders/identities in grouped format using the Outgoing Reports feature from the Admin or Domain Level Control Panel.
- Select Reporting > Outgoing Reports.
- Select the relevant domain if accessing from the Admin Level.
- Enter the Period.
- In Classification, select Rejected (or Accepted if you wish to see accepted emails and not quarantined ones).
- In the Group by dropdown, select identity.
- Click Show to display all results.
Manually Lock Identity from the Outgoing Reports Page:
- Click the lock icon next to the identity.
- To unlock the identity, click the lock icon again.
You can choose to auto-lock senders based on their Identity header. For this to work, there must first be a configured Identity.
To start auto-locking senders based on this, make sure the option "Lock identities automatically" is set to "Yes" in the outgoing user settings page:
- Select Outgoing > Manage users.
- Locate the outgoing user you want to configure, and from the dropdown, select Edit. The Outgoing user settings page is displayed.
- Ensure the Lock identities automatically option is set to Yes:
Identities will be locked when a certain amount of spam, phishing or viruses is seen in a short time frame.
The locked identities can continue to be seen via the log search and outgoing reports page.
An ARF report is sent each time an outgoing spam message is blocked, and will contain a copy of the original message including headers. For information on how to set this up, see Configure the Abuse Report Address.
Many larger companies already process ARF reports originating from external sources such as AOL. You can simply set your administrator address to point to your existing ARF parsing infrastructure, so your existing abuse handling systems automatically receive and process our datafeeds.
If you do not have an ARF parser yet, we recommend that you set up a system to handle your incoming ARF reports. We can recommend the free open-source software Abuse.IO for this. Alternatively, you can use a simple Python script that parses the contents of the ARF reports. Your sysadmins will know how best to use this and extract the data they need.
Using ARF automation also allows you to accept ARF feeds from third parties, to further improve your abuse handling and to deal with abuse that does not (yet) use our outgoing filter.
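The following is an added example, not part of the original documentation or Mail Assure's own code: a minimal Python ARF parser that pulls the feedback fields and the sender identity out of one report. The header name X-Customer-ID and the sample report are assumptions; the report is constructed in the standard ARF (RFC 5965) layout.

```python
import email
from email import policy

IDENTITY_HEADER = "X-Customer-ID"  # assumption: header your MTA adds per end user

# Constructed sample report in RFC 5965 (ARF) layout; all values are made up.
SAMPLE_ARF = """\
From: reports@filter.example
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: text/plain

An outgoing message was blocked.
--arf
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
Source-IP: 192.0.2.10

--arf
Content-Type: message/rfc822

From: user@customer.example
Subject: Constructed spam sample
X-Customer-ID: cust-4711

Body of the blocked message.
--arf--
"""

def parse_arf(raw):
    """Extract feedback fields and the sender identity from one ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    out = {"feedback_type": None, "source_ip": None, "identity": None}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload(0)  # machine-readable report fields
            out["feedback_type"] = fields.get("Feedback-Type")
            out["source_ip"] = fields.get("Source-IP")
        elif ctype == "message/rfc822":
            original = part.get_payload(0)  # copy of the blocked message
            out["identity"] = original.get(IDENTITY_HEADER)
    return {k: (str(v).strip() if v is not None else None) for k, v in out.items()}
```

Counting the returned identity values across incoming reports shows which end users are generating blocked mail and are candidates for locking.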