We'd like to thank our customer, Scott Blystone, for submitting this article. The solution is primarily intended for customers on shared hosting who cannot configure their mail server to accept inbound email only from our service.
I have been using SpamHero for a while now with very good results but I was still getting a substantial amount of spam which bypassed my MX records and was sent directly to the IP address of my mail server. Since I use a popular cPanel hosting reseller account instead of hosting my own mail server there was little I could directly do to prevent this type of spam. Filters helped some but not enough.
After careful consideration and thought I was able to come up with what I consider to be a completely effective solution to this problem. It's a bit complex, I admit, but it works very, very well. Since implementing this solution a few weeks ago I have only received a total of (count 'em) three spam messages on my entire domain and all its domain aliases! And the three messages that I did get were ones that SpamHero itself missed.
Here are the steps I took to achieve this happy state of affairs:
- Configure SpamHero as instructed in the online documentation. Pay close attention to any special requirements outlined therein for your specific hosting and/or mail server setup. Make certain that the only MX records you have defined are those recommended by SpamHero itself.
- Allow some time to verify that your SpamHero setup is functioning properly and delivering email to your email accounts and aliases as expected.
- Make sure that either the catch-all feature is enabled or that you have manually defined all email recipients used on your domain(s) in the SpamHero control panel. Again, verify proper functionality before proceeding further.
- For each actual email account on your domain go into your hosting company's control panel and create a corresponding new account. For instance, if the email account is named george@mydomain.com create a new account named george.filtered@mydomain.com. Do not define these new accounts as valid addresses within SpamHero. This will prevent any mail sent directly to these accounts from reaching your new inbox(es).
- Set up these new email accounts within your customary email client. For the login address use the complete name of the new account (i.e.: george.filtered@mydomain.com), but make certain you use the original email address when specifying the account email address. You need to be using an email client that supports this ability. Most (but not all) do indeed support it. Do not at this time delete the original email account.
- Next, log into SpamHero and go into the “Settings” section. Select the “email recipients” option, hover your mouse over an email address, then click the “edit” link. You will need to modify the setting for each address. As in the previous example, you want the address george@mydomain.com to be forwarded to george.filtered@mydomain.com. This will change the “Envelope-To:” email header for each email message received and thus redirect it to the new account(s) you created in step #5. Again, make certain that you do not include your new email account(s) as an acceptable SpamHero alias. You do not want any messages sent directly to george.filtered@mydomain.com to actually be received in your email client. By setting things up in this manner you ensure that the only way an email message can reach this new email account is via the new forward/redirected alias that you have just modified within SpamHero.
- If you are using cPanel hosting you will need to add one additional alias named cpanel. This will allow you to receive any automatically-created cPanel administrative messages at your address. Set up this alias with special forwarding as described in the previous step. Use whatever valid email account you like. The creator of this document uses the address admin.filtered@mydomain.com.
- After you have completed these steps you might want to wait a day or two to ensure that all mail is directed to the new email account you created in step #5 and not to the original email account.
- If you are using IMAP rather than POP for retrieving mail you will need to migrate any stored messages from the old account(s) to the new account(s). In most email clients you can simply drag the email folders from the old to the new account(s). If you have a large amount of mail, a slow Internet connection or a slow mail host, this might take some time. Make certain that you have allowed enough time for this process and that all email messages exist in the new account(s) before deleting the original folders in the old account(s).
- You must now delete the original email accounts from both your email client(s) and within your hosting firm's control panel.
- The next steps assume that you are using a hosting firm that uses the popular cPanel software. These steps can also be modified slightly for other types of hosting accounts. The important thing here is to close all the gaps which might possibly allow any email messages to reach your inbox(es) from any source other than directly from SpamHero itself.
- Next, log into your cPanel or other control panel. You absolutely must remove any “catch-all” forwards or default addresses. If you're using cPanel go into the “Mail” settings and double click on the “Default Address” icon. Make certain that no default address is set for any domains utilizing SpamHero. You either need to return a bounced message to the sender or else use the advanced settings to deliver un-routed mail to “:blackhole”. Even though cPanel suggests the former, I personally recommend the second option. You're being a better Internet citizen that way by not generating a lot of spurious Internet traffic that just ends up getting automatically rejected by spammers anyway.
- Also, in cPanel or your other control panel, go into the “Forwarders” section and carefully remove all email address forwards on the domain(s) for which you are using SpamHero. (Domain forwards are still needed if you have defined domain aliases within SpamHero.) The desired end result is that SpamHero (and not your hosting company) controls all address forwarding. This step closes the final “hole” that would allow you to receive messages from clever spammers who look up your domain's IP address and send spam directly to your mail servers.
- Now, the only messages that can possibly get through to you either come directly from SpamHero itself (and are thus filtered) or are sent to one of your filtered email accounts (i.e.: to george.filtered@mydomain.com). And since you never give out the filtered address (i.e.: george.filtered@mydomain.com) to anyone at any time, no one can possibly know that these are the only addresses on your domain(s) that will directly accept unfiltered mail! Just make certain that your email clients are set up to show your email address as the original address (i.e.: george@mydomain.com). I also highly suggest that you create SPF records for all your domains.
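The end state of the steps above can be checked mechanically. The following is an added example, not part of the submitted article or of SpamHero's tooling: it audits an inventory you type in by hand from the SpamHero and hosting control panels. The data layout, the sample addresses and the use of `:fail` as the notation for the bounce option are assumptions.

```python
# Added example: audits a hand-written inventory against the procedure's
# end state. All addresses and the data layout are constructed.

def audit(forwards, mailboxes, host_forwarders, default_address, smtp_only=()):
    """Return a list of findings; an empty list means no known gap is open.

    forwards:        {public address: delivery address} as set in SpamHero
    mailboxes:       real accounts that exist at the hosting company
    host_forwarders: address-level forwarders still defined at the host
    default_address: the host's default (catch-all) address setting
    smtp_only:       accounts used only to log in for outgoing mail
    """
    recipients = {a.lower() for a in forwards}
    targets = {t.lower() for t in forwards.values()}
    boxes = {m.lower() for m in mailboxes}
    senders = {s.lower() for s in smtp_only}
    findings = []

    # A mailbox SpamHero also accepts is either an original account that was
    # never deleted or a filtered account exposed as a recipient.
    for addr in sorted(boxes & recipients):
        findings.append(f"{addr}: mailbox is also a SpamHero recipient")
    # Every forward must land in an account that actually exists.
    for addr in sorted(targets - boxes):
        findings.append(f"{addr}: forward target has no mailbox")
    # The outgoing login can show up in headers, so it must not receive mail.
    for addr in sorted(senders & (recipients | targets)):
        findings.append(f"{addr}: SMTP login is also an inbound address")
    # Address forwarders at the host bypass SpamHero's routing.
    for addr in sorted(a.lower() for a in host_forwarders):
        findings.append(f"{addr}: address forwarder still defined at host")
    # Unrouted mail must be discarded or bounced, never delivered.
    if not default_address.strip().startswith((":blackhole", ":fail")):
        findings.append(f"default address {default_address!r} accepts mail")
    return findings


GOOD = dict(
    forwards={"george@mydomain.com": "george.filtered@mydomain.com",
              "cpanel@mydomain.com": "admin.filtered@mydomain.com"},
    mailboxes=["george.filtered@mydomain.com", "admin.filtered@mydomain.com",
               "smtpout@mydomain.com"],
    host_forwarders=[], default_address=":blackhole",
    smtp_only=["smtpout@mydomain.com"])

if __name__ == "__main__":
    for line in audit(**GOOD) or ["no gaps found"]:
        print(line)
```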
There are three additional caveats.
- First of all, if you use the same filtered address (i.e.: george.filtered@mydomain.com) to log into your SMTP server, the address can often be found in the header section of any messages you send with that account, and unscrupulous spammers could thereby once again send valid messages directly to the IP address of your mail server. To avoid this situation I suggest that you create one or more additional accounts on your domain(s), such as smtpout@mydomain.com, and use only these accounts to send outgoing messages. (You can also use a separate SMTP-only account from a different provider.) This way your filtered address (i.e.: george.filtered@mydomain.com) cannot possibly appear in any message headers! Do not create a SpamHero email recipient for this address(es). If any spammer gets the SMTP login address from the header of any of your email messages and sends any spam to that address, SpamHero will automatically reject it!
- The second caveat involves any contact form on your web site that might send email to any address on your domain(s). Most hosting setups will automatically route such messages directly to their own servers. If your hosting company does this such mail will most likely bounce. I suggest that you use an outside forwarding address (i.e.: an address hosted somewhere else) and then set that address to forward into your original address (i.e.: george@mydomain.com). This will effectively work around any such limitations.
- You need to either set up your hosting configuration to use external rather than internal DNS lookups or else instruct your own internal users to send any internal mail directly to the filtered address (i.e.: george.filtered@mydomain.com). Failure to do one of these two things will cause any internally-sent messages to simply disappear.
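To confirm the first caveat on your own setup, send yourself a test message and inspect its raw headers for the filtered address. The following is an added example, not part of the submitted article: it parses a raw message and reports every header in which a hidden address appears. The sample message, its host names and its header names are constructed; the headers your host actually adds may differ.

```python
# Added example: finds headers of a sent message that expose a hidden address.
import email
from email import policy


def leaking_headers(raw_message, hidden_addresses):
    """Return sorted (header name, address) pairs where a hidden address
    appears anywhere in a header value of the raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = set()
    for name, value in msg.items():
        # Collapse folded continuation lines into one searchable string.
        flat = " ".join(str(value).split()).lower()
        for addr in hidden_addresses:
            if addr.lower() in flat:
                hits.add((name, addr))
    return sorted(hits)


HIDDEN = ["george.filtered@mydomain.com"]

# Constructed sample: a message sent while logged in to SMTP with the
# filtered account. The login shows up in a header added by the server.
SENT_WITH_FILTERED_LOGIN = """\
Received: from [192.0.2.10] (helo=laptop)
 by host.example.net with esmtpsa
 (envelope-from <george@mydomain.com>)
 id 1abcDE-000000-0a; Mon, 01 Jan 2024 10:00:00 +0000
X-Authenticated-Sender: host.example.net: george.filtered@mydomain.com
From: George <george@mydomain.com>
To: someone@example.org
Subject: hello
Date: Mon, 01 Jan 2024 10:00:00 +0000

Body text.
"""

# Same message sent through the dedicated outgoing-only account instead.
SENT_WITH_SMTPOUT_LOGIN = SENT_WITH_FILTERED_LOGIN.replace(
    "george.filtered@mydomain.com", "smtpout@mydomain.com")

if __name__ == "__main__":
    print(leaking_headers(SENT_WITH_FILTERED_LOGIN, HIDDEN))
    print(leaking_headers(SENT_WITH_SMTPOUT_LOGIN, HIDDEN))
```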