Dears,
I'm a system administrator of an ISP. Our IP address space is blacklisted because many of our clients are sending out spam and we don't have an anti-measure in place at the moment. Therefore, we are planning to block all traffic destined to TCP port 25 and get our clients to use a mail gateway that is operated by the ISP. I have installed and configured sendmail, MailScanner and Spamassassin. But the problem is that in order to allow our clients to send through our mail gateway, we must grant Relay permission to them. I'm not sure if this is the best practice to fight against spam. All clients in this case can now configure their MSPs to use any email address even if it does not really belong to them and then send forged emails through our mail gateway.
Your recommendations are highly appreciated!
Thanks
Quote:
Originally Posted by sunshadow
I'm a system administrator of an ISP. Our IP address space is blacklisted because many of our clients are sending out spam and we don't have an anti-measure in place at the moment. Therefore, we are planning to block all traffic destined to TCP port 25 and get our clients to use a mail gateway that is operated by the ISP.
Very good.
Quote:
Originally Posted by sunshadow
I have installed and configured sendmail, MailScanner and Spamassassin. But the problem is that in order to allow our clients to send through our mail gateway, we must grant Relay permission to them.
Is your configuration passing all relayed e-mail through spamassassin? What do you do with e-mail evaluated as spam? Are you dropping it? Rejecting it while the SMTP connection is still open?
Quote:
Originally Posted by sunshadow
I'm not sure if this is the best practice to fight against spam. All clients in this case can now configure their MSPs to use any email address even if it does not really belong to them and then send forged emails through our mail gateway.
Well, this is how the SMTP protocol works. Anyone can send an e-mail with any From address they want. There's not much you can do about it as an ISP. But forged e-mail is *not* the reason you get to the blacklists. Spam is the reason. And if you will be catching spam on your relay, you're going to be fine.
Thanks for your reply!
Yes, all relayed emails are passed through Spamassassin. I have configured MailScanner to store emails evaluated as spam in quarantine.
Actually, I thought the same, there is not much I can do about it, I just wanted to know whether my configuration is what an ISP should typically do.
I have another question, I will appreciate if you help me with your opinion about it. I added a Yahoo mail account on my Outlook and used our ISP's mail gateway as the outgoing mail server. Then I have sent several email messages to my Gmail, but unfortunately Gmail put all the messages into the Spam folder! I have checked the message headers and found out that MailScanner installed on our ISP's mail gateway added the following headers to the message:
X-yoursite-MailScanner: Found to be clean
X-Spam-Status: No
Which apparently means that it considered the messages to be clean. Why did Gmail consider the message as spam? Is it possibly because Gmail mail exchanger did MX record lookup on yahoo.com and found out that our ISP's mail gateway, which it received the messages from, is not a valid mail exchanger of yahoo.com?
One thing that I might suggest is that you want your clients to perform SASL authentication before being allowed to send mail. This will at least prevent open relay syndrome and give you a better record of who sent what when. It will also have a psychological effect in that your clients will not feel quite so anonymous in sending mail which will cut down on the spam.
With respect to:
Quote:
I added a Yahoo mail account on my Outlook and used our ISP's mail gateway as the outgoing mail server. <snip> Gmail put all the messages into the Spam folder!
My guess is that yes, one of the problems you could face is that the From field in the envelope shows that the message was from user@yahoo, but it did not come from a yahoo mx, which is typically a sign of spam being passed through an open relay. Alternatively, they could have done a lookup on your IP that made the connection, tried to look up your MX record or SPF record and found inconsistent or no information and decided that the originating system is not a legitimate mail server.
Quote:
Originally Posted by sunshadow
I added a Yahoo mail account on my Outlook and used our ISP's mail gateway as the outgoing mail server. Then I have sent several email messages to my Gmail, but unfortunately Gmail put all the messages into the Spam folder! I have checked the message headers and found out that MailScanner installed on our ISP's mail gateway added the following headers to the message:
X-yoursite-MailScanner: Found to be clean
X-Spam-Status: No
Which apparently means that it considered the messages to be clean. Why did Gmail consider the message as spam? Is it possibly because Gmail mail exchanger did MX record lookup on yahoo.com and found out that our ISP's mail gateway, which it received the messages from, is not a valid mail exchanger of yahoo.com?
Yes, there are approaches and protocols to overcome the "weakness" of SMTP in terms of spoofing. You can look up DKIM and SPF. Maybe you could even consider implementing them in your setup!