Admin Alert: A Lotus Notes Adjustment for Fighting Spam
May 19, 2004 Joe Hertvik
When you’re in charge of an organization’s Lotus Notes-based e-mail system, you’re going to spend a lot of time thinking about and fighting spam. Spammers are notorious for sneaking e-mail into all kinds of companies, but if you have a Notes 6.0.x server, there’s one simple adjustment you can make that just might cut down on the amount of unwanted e-mail your users receive.
I found this particular setting when my Domino 6.0.1 users started experiencing a dramatic increase in the amount of spam making it to their desktops. Even users who didn’t normally receive spam were getting several unwanted messages a day. After analyzing sample e-mails, I found one common thread: that most of the new spam violated our company’s standard Internet e-mail addressing format:
But these e-mails were mostly addressed to and received by our users in two formats:
I contacted Lotus support and found that, by default, Domino separates and services its Internet addresses into two categories. The first category is full name addresses, which consist of full Internet addresses that are explicitly listed in a “person” document (addresses like email@example.com). These addresses are usually listed in the Internet Address field of a person document, but they can also appear in either the User Name or Short Name/UserID fields of such documents.
The second category of Notes Internet addresses are local part addresses. By default, when an e-mail is received in the system, the Notes router searches for an exact full name match first, then it also searches the Domino directory for a match on the local part of the incoming e-mail address. The local part of an Internet address is the phrase or word before the @ sign. So if an e-mail is addressed to firstname.lastname@example.org, the local part of the address would be the word john.
These definitions are important for this particular spam problem because, if you define a person document for a user named John Doe with the following values:
Internet Address = john.Doe@company.com User name = John Doe John Doe/Company
Then e-mail addressed to the following Internet addresses could be delivered to John’s mailbox: John.Joe@company.com, email@example.com, and Doe@company.com.
Once e-mail with these addresses is received, the router delivers it to John’s mailbox according to the following process. If the incoming address is john.Doe@company.com, the router matches the explicit full name value in the Internet address field and delivers the e-mail. If the incoming e-mail is addressed to either firstname.lastname@example.org or Doe@company.com, the router will match the local parts of the incoming Internet address (the words to the left of @) to the words John and Doe in the user name field, and it may also deliver that e-mail to his mailbox.
This means that John Doe really has three addresses in the system, one explicit Internet address and two assumed Internet addresses, based on combining the local parts of his name with one of the server’s domain names. The only thing that would stop a local-part-addressed e-mail from being delivered to John would be if there was another person document in the Domino directory that had the same local parts in its user name field. When the Domino router finds multiple matches for a local part address, the router will register an error and the incoming e-mail will not be delivered.
All of which leads back to our spam problem and the simple setting change that solves it. My company’s increase in receiving spam was because certain spammers had stepped up their efforts by sending out tons of e-mail to Internet addresses that matched local part addresses on the system. Spam messages were being addressed to, for instance, email@example.com or firstname.lastname@example.org, and to any number of addresses that contained a common first or last name combined with my domain name. When the incoming spam matched a local part address that was unique on my system, the spam was delivered to that user’s mailbox. When the spam matched multiple users with the same local part address, the e-mail was held in the Domino mail file with an error message. Either way, the increase in received e-mail was starting to clog our system.
If you’re having a similar problem with your Notes installation on an iSeries- or a Windows-based Notes 6.0.x server, here’s the procedure we ran to turn off local parts addressing on a Notes system and reduce this type of spam.
Open the Domino Administrator and review all person documents to ensure each person’s full name Internet addresses are contained in either the Internet address field or the user name field of the appropriate document. Only one full name address can be contained in the Internet address field, but several alternate full name Internet addresses can be listed in the user name field. If you have any local part addresses to which Internet e-mail is routinely delivered, convert that address to a full name address in the user name field. Once local part addressing is turned off, the router will no longer deliver e-mail to an address that doesn’t contain a full name address.
Though it’s not a necessity, I also recommend that you move any full name Internet addresses listed in the short name/user ID field of a person document to the user name field, because there may be situations when the Domino router may not be able to match addresses found in that field.
Review all group records in the Domino directory that contain entries in their Internet address fields in order to ensure that those entries contain full name addresses only. Convert any local part addresses in the Internet address field of a group record to full name addresses.
Go into the configuration document for the server and click edit configuration.
Click Router/SMTP and Basics in the configuration settings.
Change the address lookup field on the “Router/SMTP Basics” screen from full name then local part (the default) to fullname only.
Load the new settings into the router. This can be done by stopping and starting the router by using either of the following sequences from the system console:
Tell router quit <wait for the router to shutdown> Load router Or: Restart task router
The new router setting can also be loaded by updating the router’s routing table through the following Tell command:
Tell router update config
Once you’ve completed these steps, the Notes router will only accept e-mail that matches a full name Internet address defined in the Domino directory.
Changing a Notes server’s address lookup field is simple, but it can significantly reduce unwanted e-mail.