If you are having your email forwarded from GreenNet to you via SMTP, we recommend you restrict the range of servers your local office mail server accepts mail from. This restriction may be implemented in a firewall or in your mail server, to prevent malicious email servers or spammers connecting directly to your system.
The overall procedure is to allow port 25 connections from GreenNet and block them from elsewhere. (The DNS entry "mail.gn.apc.org" or the address from which you receive most email should suffice to identify GreenNet, but contact us if you want to know the full IP address blocks we use.)
The problem
Suppose you have a GreenNet account using our mail filtering service, and want to distribute email to users via an Exchange server or Outlook web access. Initially, the MX records for your domain might look like:
example.org IN MX 50 office.example.org.
Of course, no email will then come via the filtering service, so if you control your own DNS (rather than having us register the domain on your behalf, which is included in the spam filtering service) you might add the GreenNet servers at a higher preference:
example.org IN MX 10 smtp-gate.gn.apc.org.
example.org IN MX 20 mail2.greennet.org.uk.
example.org IN MX 50 office.example.org.
Now most email is directed through the spam filters, because the records numbered 10 and 20 should be tried first, with the 50 used only if both those servers are temporarily overloaded. However, you notice that a fair amount of spam is still getting through. Why? Because a lot of spammers deliberately send to the lowest-priority (highest numbered) mail exchanger, reckoning that anti-spam systems will be less intensive there. You can check whether this is what is happening by looking at the headers of received spam. Indeed, this can create a lot of backscatter, or misdirected bounces, which is annoying for internet users in general and not what we want to send out from our servers. So what is needed is just the primary and secondary servers that do the filtering:
example.org IN MX 10 smtp-gate.gn.apc.org.
example.org IN MX 20 mail2.greennet.org.uk.
So that's sorted then? All email will now be filtered? Well maybe, but maybe not. You might still get some attempts to send directly to office.example.org, because some spammer seems to have kept a record of servers associated with a domain, or scanned a range of IPv4 addresses to find any open port 25 and got the domain from the banner.
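The header check mentioned above can be scripted. The following Python is an added example, not GreenNet's own code: it reads the Received header your own server stamped and reports whether the connecting address falls in the two GreenNet ranges quoted in the Exchange 2010 steps below. The host name office.example.org, the sample messages and the function names are assumptions for illustration.

```python
import email
import ipaddress
import re

# Ranges quoted in the Exchange 2010 steps on this page.
GREENNET_NETS = [ipaddress.ip_network(n)
                 for n in ("37.220.108.0/24", "193.37.35.0/24")]
# Client address as "[1.2.3.4]" (most MTAs) or "(1.2.3.4)" (Exchange).
CLIENT_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Constructed sample messages (hosts, addresses and dates are made up).
SAMPLE_FILTERED = (
    "Received: from smtp-gate.gn.apc.org (smtp-gate.gn.apc.org [37.220.108.10])\n"
    "\tby office.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from sender.example.net ([198.51.100.7])\n"
    "\tby smtp-gate.gn.apc.org with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000\n"
    "Subject: via the filter\n\nbody\n"
)
SAMPLE_DIRECT = (
    "Received: from unknown (203.0.113.45) by office.example.org (192.0.2.1)\n"
    "\twith Microsoft SMTP Server; Mon, 1 Jan 2024 10:05:00 +0000\n"
    "Subject: straight to port 25\n\nbody\n"
)


def delivering_ip(raw_message, local_host):
    """Client IP that local_host recorded in its own Received header, or None."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):  # newest hop first
        hop = " ".join(received.split())           # unfold continuation lines
        client, sep, rest = hop.partition(" by ")
        stamped_by = rest.split(" ", 1)[0].rstrip(";").lower()
        if not sep or stamped_by != local_host.lower():
            continue  # stamped by another server
        # Topmost match only: headers below it come from the sender and can be forged.
        found = CLIENT_IP.search(client)
        try:
            return ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:
            return None
    return None


def classify(raw_message, local_host="office.example.org"):
    """Return 'filtered', 'direct' or 'unknown' for one received message."""
    ip = delivering_ip(raw_message, local_host)
    if ip is None:
        return "unknown"
    return "filtered" if any(ip in net for net in GREENNET_NETS) else "direct"
```

A message classified as "direct" reached port 25 without passing through the filters, which is the traffic the restrictions below are meant to block.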
Restricting using Microsoft Exchange 2010
(Microsoft Exchange 2007 is similar.)
- Start the Exchange Management Console, under Start, All Programs, Microsoft Exchange, Exchange Management Console
- Go to server configuration, then Hub Transport then look under Receive Connectors at the bottom of the window
- Click the properties of the receive connector you are using
- Go to the Remote Network Settings page (assuming this is a Custom, internal, partner or client receive connector)
- Remove the default range 0.0.0.0-255.255.255.255
- Click "Add IP address" and enter "37.220.108.0/24" (a reverse DNS lookup may be preferable)
- Click "Add IP address" and enter "193.37.35.0/24"
- Click OK
More information at http://technet.microsoft.com/en-us/library/aa996395.aspx
Restricting using Microsoft Exchange 2003
- Start the Microsoft Exchange System Manager.
- In the list of settings, go into the correct administrative group and then "Servers", the name of the receiving server and then "Protocols" and "SMTP"
- Bring up the properties of the Default SMTP Virtual server
- Under the "Access" tab click "Connection"
- Select "Only the list below"
- Click Add, then "DNS lookup" and enter "mail.gn.apc.org"
- Click OK
More information at http://support.microsoft.com/kb/823019
Please contact us if these instructions can be improved.
Spam may also be less effectively filtered if you have email forwarded from another source to domains managed by GreenNet. If the spam is being sent to a domain you have some control over, you may want to contact us so we can take over the domain and apply greylisting to it. (Unfortunately, if you are receiving email via an account at a large free email provider, this cannot be done, and while we will apply additional anti-spam filters to it, you may also want to report any spam you do receive to them.)