How e-mail works
To help you understand how spam is sent and how SpamStopsHere blocks it, let us explain the basics of how email is sent on the Internet.
Let us assume that your email address is john@yourdomain.com and that someone sends you an email message.
The sender's server will query the public DNS (Domain Name Service) system for the "MX" records for the domain yourdomain.com.
The answer to the query will typically consist of a single "MX" record, such as:
yourdomain.com MX priority=10 mail1.bighost.net
In this example, the domain yourdomain.com is probably hosted by the company Bighost.net, and mail1.bighost.net is the hosting company's mail server. Basically, this record tells the public that all email for the domain yourdomain.com should be delivered to the mail server mail1.bighost.net, which has been assigned to handle email for the domain.
The sender's mail server then connects to mail1.bighost.net and sends it the message. The Bighost.net mail server then delivers the message locally to your john@yourdomain.com inbox and holds the message until you log in and check your email.
Going into a bit more detail, mail servers do not connect using names such as mail1.bighost.net, but rather using IP addresses (such as 64.123.38.149). So the sending mail server actually first does an "A" record DNS lookup for mail1.bighost.net. This "A" record contains the IP address of the mail1.bighost.net server. Internet traffic can only be routed by IP address; the names are just for us humans.
The receiving mail server records in the header of your email message the IP address of the sending mail server. It also records the sender's supposed email address.
Spammers often use a fake reply email address and even a fake name for their mail server. However, they cannot fake the IP address of their mail server.
More about "MX" records
If your domain's web and email are hosted by a third-party company, then more than likely that hosting company has set up your MX records for you. If your domain's web or email is hosted on your own servers, then the person in charge of them (probably you) or the IT department set up the MX records.
While most domains have just one "MX" record, your domain can have multiple MX records. After you sign up for our service and receive our confirmation, you activate the service by adding three more MX records to your domain. The MX records might then be:
yourdomain.com MX priority=5 yourdomain-com.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomain-com.relay1b.spamh.com
yourdomain.com MX priority=10 mail1.bighost.net
yourdomain.com MX priority=20 yourdomain-com.relay1c.spamh.com
When a mail server sends email to your domain, it first attempts to send it according to the MX record with the highest (lowest number) priority. If the two servers fail to establish a connection, the sending mail server tries the next highest priority MX record, until it goes through all of the MX records.
In the example above, "yourdomain-com.relay1a.spamh.com" has the highest priority and will therefore receive all mail (unless there is a connection failure). As described later, this is our mail "relay", which filters your email for spam. After we filter your email, it is relayed back to your actual mail server ("mail1.bighost.net" in this example), which you set in the Control Panel. Because your actual mail server is a private configuration setting, it doesn't even need to be in the MX records, as you will read later.
A nice feature of MX records is built-in "auto-failover". If the highest priority mail server goes off-line, mail is automatically sent to the next highest priority mail server.
Therefore, if the primary anti-spam relay for your domain should go off-line due to a system failure, maintenance, or any other reason, the backups automatically take over. In the unlikely event that the primary two relays for your domain went off-line, email would be sent directly to your "real" mail server. So you wouldn't lose any email; it just wouldn't be filtered for spam.
When our service is activated, you will have to change, or authorize the change of your MX records. We cannot do that for you; only you and possibly your hosting company have (legal) access to your MX records.
When changing MX records, keep in mind that the changes do not take place instantly, because many DNS servers will have cached the old entry. Therefore, the changes must "propagate" throughout the Internet's many DNS caches. The suggested time to cache a record lookup is set by the "TTL" (Time-To-Live) value of your MX records, but some senders' DNS caches will take a bit longer to update. A typical TTL value is 43200 seconds (12 hours) or 86400 seconds (24 hours). After the MX record changes are complete, some email will start being filtered immediately. Even more will be filtered after the TTL has expired, but the majority might not be filtered for up to 72 hours. This is because some DNS caching servers don't honor TTL values, but cache records for up to 72 hours.
If you don't know how to change your MX records, that is no problem. This probably just means that someone else takes care of that for your domain. We will email you the necessary information and you can simply forward the request to them (probably your email hosting company or IT department).
More about the anti-spam relays
The page "How it works" describes how our service blocks spam based on URLs, content, countries and black-lists. This is an explanation of how the relays work.
When your service is activated, you will be assigned three "relays" (servers) which must be added to your MX records. One is the "primary" relay and the others are the "backup" relays.
Since spam filtering is certainly desirable, but not mission critical, you might think that having a backup relay is overkill. There are several reasons why every customer gets backup relays:
- It allows us to perform maintenance work on one relay without disrupting your service.
- As described later, for maximum spam blocking, you can remove your "real" mail server from the MX records. In that case, a backup relay is needed for maximum reliability.
- For your peace of mind and ours. We recognize that email is now critical to any business.
- To allow us to do some load balancing.
Each relay is a dedicated server that we rent from large data centers with redundant fiber-optic Internet connections, 24/7 monitoring, UPS and generator backup, and physical security. For maximum reliability, the primary and backup relays assigned to each customer reside in different data centers, owned by different companies, in different regions of the United States.
In addition to the primary and backup relays, we also have ready-to-run standby servers. Therefore, if a primary/backup relay fails, another server will quickly take its place.
When using our service, the weakest link in your email reliability is probably the reliability of the DNS servers that hold your MX records. Domains are supposed to have two DNS servers, but unfortunately both servers are often in the same room on the same Internet connection.
The SpamStopsHere.com website is database driven and resides on another dedicated server, separate from the relays. This server handles all account information, including any changes you make via the "Members" control panel. Every five minutes, this server automatically updates the databases on the relay(s).
Suggested Configuration Settings
There are four actions that you can take on email that is caught by our filters as spam. These are configurable in the Domain Control Panel after signing up.
MODIFY SUBJECT: Specify a string to insert at the beginning of the subject line, for easy viewing or spotting of spam messages in your regular inbox.
FORWARD: Specify an email account at your domain where you would like the email message forwarded to.
Instead of fully blocking spam, it can be re-directed to a special spam mailbox at your domain, e.g. spam@yourdomain.com. This lets you examine it to ensure that no legitimate email is being blocked.
Make sure you set up the email account that you specify before using this option. Also remember to monitor the mailbox so that it doesn't fill up to the point where it no longer accepts new messages and they start queueing up on our server as undeliverable.
REJECT: You can reject the message at the SMTP layer with a rejection message. You are no longer notified about the existence of the email, but the sender is notified that the message was not delivered. In the case of a false positive, the sender can contact you by another method. In most cases, instead of our mail server accepting the email message for delivery from the sender, we reject the message at the SMTP layer. This results in a spammer getting the rejection message even if they are using a fake reply email address. You can customize the rejection message. This is the recommended option because of the protection it offers against false positives.
DELETE: This will just delete the email message. You aren't notified, and the sender isn't notified. It's just forgotten about.
URL/Phone # Filtering and Phrase Filtering: You might choose to initially use either the "Modify Subject" or "Forward to" action, so that you can review the messages marked as spam and get a feel for how reliably our service avoids blocking legitimate email. However, the "URL/Phone # Filtering" and "Phrase Filters" use databases that we manage, and it is very rare for them to cause false positives. We recommend using "REJECT" as the action for these.
Pattern Matching: Pattern matching uses heuristics to identify characteristics of spam and is a useful addition for blocking spam that is not UCE or does not contain a URL. Because the filter uses heuristics, it has a higher rate of false positives than the URL/Phone # Filter and Phrase Filter. However, the false positives are usually messages composed in a non-standard way. Because this filter blocks so much spam, we recommend using "REJECT" as the action for it, even though it is prone to false positives.
Real-Time Blacklists and Country Blocking: The "Real-Time Blacklists" use databases that we do not manage, but we offer their use to our customers. Although all of them are enabled by default, they cause the majority of the false positives for those using them. Therefore, we recommend that you use the "MODIFY SUBJECT" action for email caught by them. By default, these filters modify the subject with either "[Foreign Sender]" or "[Blacklisted Sender]" for the reader's information. If you find that someone sending you email has their IP address blacklisted, we highly recommend having the sender investigate the cause and contact the blacklist for removal. More than likely, there are thousands of Internet email users worldwide subscribed to the same blacklist. The blacklists are enabled by default because they offer some level of reputation information to the recipient. These filters typically identify less than 0.1% of spam email messages and would cause 1% of legitimate email to be false positives if used to identify spam. However, if these notices cause you or your users concern, we recommend unsubscribing from them. Remember that each message has a header with the name of the blacklist that identified it.
Here are the false-positive error rates (blocked legitimate emails) that we expect with different parts of our service:
| Filter | Expected false-positive rate |
| --- | --- |
| URL/Phone# Filtering | 1 in 1,000,000 (perhaps even better) |
| Phrase Filtering | 1 in 1,000,000 (probably even better) |
| Real-time blacklists | 1 in 1000 |
Here is the amount of spam we expect our service to block as additional levels of filtering are enabled:
| Filters enabled | Spam blocked |
| --- | --- |
| URL/Phone# Filtering (only) | 90% - 96% or better |
| + Phrase Filtering | 97% - 98% or better |
| + Pattern Matching and Additional Filtering | 98% - 99% or better |
Note: This assumes that no messages are bypassing our relays, as described next.
Therefore, we suggest the following configuration:
| Filter | Suggested setting |
| --- | --- |
| URL/Phone# Filtering | Enabled and set to "REJECT" |
| Phrase Filtering | Enabled and set to "REJECT" |
| Pattern Matching | Enabled and set to "REJECT" |
| Country blocking | Enabled and set to "MODIFY SUBJECT" |
| Real-time Blacklists | Enabled and set to "MODIFY SUBJECT" |
Options to stop even more spam (Optimal MX Records)
Adding our anti-spam relays to your MX records will typically stop 95% of all spam. By implementing the options described here, you can typically stop 98% - 99% of all spam.
Some "sneaky" spam is not sent to the highest priority MX records, but rather to the lowest priority MX records. This is an attempt to bypass spam filters, such as ours, since the "real" mail server is typically listed in the lowest priority MX record. (This probably can't happen with open relays, but only with spammers that have modified the mail server software just for this purpose.) This is often the most offensive, vulgar spam of all.
One method of reducing this sneaky spam is to "sandwich" your real mail server between our relays as in the following example MX records:
yourdomain.com MX priority=5 yourdomain-com.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomain-com.relay1b.spamh.com
yourdomain.com MX priority=10 mail1.bighost.net
yourdomain.com MX priority=20 yourdomain-com.relay1c.spamh.com
Notice that both the lowest and highest priority MX records point to our service. This is the initial configuration that we recommend when signing up.
While this "sandwiching" helps, some sneaky spam will still bypass our service and hit the real mail server directly.
The solution to stopping this spam is to remove your "real" mail server from the MX records, leaving only our relays, as in the following example MX records:
yourdomain.com MX priority=5 yourdomain-com.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomain-com.relay1b.spamh.com
yourdomain.com MX priority=20 yourdomain-com.relay1c.spamh.com
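To make the priority and failover rules described above concrete, and to show what a sender that deliberately picks the least-preferred MX record would reach under the "sandwich" and "relays only" configurations, here is an added example (not SpamStopsHere's own code). It parses MX lines in the notation this article uses; the `.spamh.com` suffix is assumed to identify the relays, as in the examples.

```python
import re

# Added example (not SpamStopsHere's code): parses MX lines in the notation
# this article uses and models how senders choose a destination host.
MX_LINE = re.compile(r"^(\S+)\s+MX\s+priority=(\d+)\s+(\S+)$")
RELAY_SUFFIX = ".spamh.com"  # assumption: relays in the article's examples end with this

def parse_mx(text):
    """Turn 'domain MX priority=N host' lines into (priority, host) pairs."""
    records = []
    for line in text.strip().splitlines():
        m = MX_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised MX line: {line!r}")
        records.append((int(m.group(2)), m.group(3)))
    return records

def delivery_order(records):
    """Lowest priority number is tried first (ties are broken by name here)."""
    return [host for _, host in sorted(records)]

def deliver(records, down=frozenset()):
    """A well-behaved sender: first host in priority order that accepts a connection."""
    for host in delivery_order(records):
        if host not in down:
            return host
    return None  # every MX host is down; the sender queues and retries later

def sneaky_target(records):
    """A sender that deliberately tries the least-preferred MX to dodge filtering."""
    return delivery_order(records)[-1]

def exposed_hosts(records):
    """Non-relay hosts listed in MX: mail can reach these without being filtered."""
    return [h for _, h in sorted(records) if not h.endswith(RELAY_SUFFIX)]

SANDWICH = """
yourdomain.com MX priority=5 yourdomain-com.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomain-com.relay1b.spamh.com
yourdomain.com MX priority=10 mail1.bighost.net
yourdomain.com MX priority=20 yourdomain-com.relay1c.spamh.com
"""
RELAYS_ONLY = "\n".join(l for l in SANDWICH.splitlines() if "bighost" not in l)

if __name__ == "__main__":
    for name, cfg in (("sandwich", SANDWICH), ("relays only", RELAYS_ONLY)):
        recs = parse_mx(cfg)
        print(name, "| normal:", deliver(recs), "| sneaky:", sneaky_target(recs),
              "| unfiltered hosts:", exposed_hosts(recs))
```

With the sandwich records, a normal sender reaches relay1a and a lowest-priority sender reaches relay1c, but mail1.bighost.net remains listed and therefore reachable; with the relays-only records no unfiltered host is left.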
Note: If your domain uses an ISP's mail server, the ISP may not allow you to remove their mail server from your MX records. Making these changes might interfere with the successful handling of your email by your ISP's mail server. You should check with them before attempting it.
Since your email then depends entirely on our servers, you will appreciate that we provide all customers with a redundant configuration on our end. While our service is designed to provide the highest reliability, we still ask that you follow these implementation guidelines:
- Wait at least a few days after activating our service before removing your mail server from the MX records.
- Confirm that our service is working by examining the headers of typical email messages. You should see that your mail server received the message from our relay.
- While the change shouldn't cause even a single email to be lost, plan on making the MX change during a quiet period. Then make the change, wait for the amount of time set by the TTL value (typically 12 hours), and test by sending email from another domain, e.g. Yahoo or Hotmail. If it doesn't seem to work, please call us for technical support and/or restore the original MX records.
It is not necessary to contact us or even to make any changes to your SpamStopsHere control panel when removing your mail server from the MX records.
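The header check recommended in the guidelines above can be automated. The following is an added example (not SpamStopsHere's code): it reads the "Received" header written by your own mail server and reports whether the message arrived from one of the relays or hit the server directly. The relay address range and the two messages are constructed placeholders; the real relay addresses come from the Control Panel.

```python
import ipaddress
import re
from email import message_from_string

# Added example (not SpamStopsHere's code). RELAY_NETWORKS is a placeholder
# documentation range; take the real relay addresses from the Control Panel.
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
OUR_SERVER = "mail1.bighost.net"   # the "real" mail server from the article

BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

def last_hop_ip(raw_message, our_server=OUR_SERVER):
    """IP that handed the message to our_server, read from the Received header
    our own server added (headers are newest-first, so scan top-down)."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        by = BY_HOST.search(value)
        if by and by.group(1).lower().rstrip(";") == our_server:
            ip = BRACKET_IP.search(value)        # bracketed address is what TCP saw
            return ipaddress.ip_address(ip.group(1)) if ip else None
    return None

def came_via_relay(raw_message, networks=RELAY_NETWORKS):
    """True when our server's inbound hop came from a filtering relay."""
    ip = last_hop_ip(raw_message)
    return ip is not None and any(ip in net for net in networks)

# Constructed messages: one that passed through relay1a, one that reached
# the real server directly (the bypass path the article describes).
FILTERED = """\
Received: from yourdomain-com.relay1a.spamh.com (relay1a.spamh.com [192.0.2.10])
    by mail1.bighost.net with ESMTP id 4f2a; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by yourdomain-com.relay1a.spamh.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000

body
"""
BYPASSED = """\
Received: from unknown ([203.0.113.7]) by mail1.bighost.net with ESMTP; Mon, 1 Jan 2024 10:05:00 +0000

body
"""

if __name__ == "__main__":
    print("filtered message came via relay:", came_via_relay(FILTERED))   # True
    print("direct message came via relay:  ", came_via_relay(BYPASSED))   # False
```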
To completely stop aggressive spammers from directly hitting the mail server, some of our customers have configured their firewall or email server to accept mail (traffic to the email server's TCP port 25) only from our servers. If you wish to do this, please use the Firewall Feature in the SpamStopsHere Control Panel, which, when enabled, causes all of your filtered email to come from a specific list of IP addresses.