H-Sphere Sysadmin Guide

Fighting Spam

 

Related Docs:  

Qmail Configuration SpamGuard Setup

This document discusses methods of spam identification at the server level and corresponding Qmail configuration options. As you establish certain antispam policies, you should notify your users about the rules that affect the mail they do or don't receive.

 

Rejecting SMTP connections at the network level from hosts with bad DNS

This method identifies unwanted network traffic by general criteria, an approach commonly referred to as "host-based access control" and usually implemented with the tcp_wrappers package. In some of these installations, traffic from hosts whose names do not map back to their IP addresses is blocked. While not an e-mail specific measure, this is one way to cut down on e-mail from hosts that have misconfigured their DNS, and which some therefore consider more likely to be spam-friendly.
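As an added illustration (not part of the H-Sphere guide), this is the tcp_wrappers rule that implements the check described above, placed in /etc/hosts.deny; the PARANOID wildcard is documented in hosts_access(5):

```text
# /etc/hosts.deny
# PARANOID matches any client whose reverse DNS name does not resolve
# back to the connecting address; tcp_wrappers refuses the connection
# and logs the refusal via syslog.
ALL: PARANOID
```

You can test a rule set without waiting for real traffic with tcpdmatch (for example tcpdmatch smtp 192.0.2.1, using a placeholder address). Keep in mind that legitimate senders with broken reverse DNS are refused as well, so watch the tcp_wrappers entries in your mail log after enabling this.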

 

Using your SMTP daemon to reject "known" spammers

This method uses databases of addresses known to send spam. The ucspi-tcp package includes rblsmtpd, a front end to the usual qmail-smtpd that works with any SMTP server run under tcpserver. (If you want to "flag" instead of "reject", see the Variations section below. I've found qqrbl to be a great solution for ISPs and web hosting companies.)

So, if you follow the Life With qmail installation guide and then update your supervise scripts accordingly, your /var/qmail/supervise/qmail-smtpd/run script looks something like this:

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 2000000 \
    /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /usr/local/bin/rblsmtpd /var/qmail/bin/qmail-smtpd 2>&1

Note that the above is an updated version of the call to rblsmtpd; the previous version was only correct for older versions of daemontools and is now deprecated. The upgrade is worth it. Also note that I can't always keep the above syntax up to date with the recommended version in Life With qmail; check there for the latest and greatest.

If you're still using inetd (which isn't recommended for qmail), you can patch qmail to do about the same thing.

If you want to use other databases in addition to the RBL, you can add them to your rblsmtpd configuration with the "-r" option:

rblsmtpd -rrelays.ordb.org -rblackholes.mail-abuse.org

Mike Silbersack says: "If you wish to use the *.mail-abuse.org black-hole lists, you'll have to apply the patch to make rblsmtpd work with A records."

Ask Bjørn Hansen wrote qpsmtpd, an SMTP server written in Perl with filtering tools.

Using qmail-smtpd to reject mail with invalid envelope or From headers

This area is a little blurry right now; it is the author's hope that readers will contribute their experiences here to improve the recommended options. There are several patches out there that claim to make qmail reject messages with bad envelopes or From headers (i.e. if the envelope is blank or if the hostname in it doesn't have a valid DNS entry) or otherwise deal with suspected spam. Note that most of these patches are not featured on the qmail site and are therefore assumed to be "nonstandard".

  * Nagy Balazs wrote a patch (mfcheck) to ensure that the domain name on the envelope sender is a valid DNS name. This ensures that you do not receive email which you cannot bounce, should that prove necessary.
  * Erwin Hoffmann has written a patch for qmail-smtpd called SPAMCONTROL which improves qmail's filtering abilities and makes it RFC 2505 compliant. He and Noel Mistula also produced some scripts for filtering attachments and subject lines (something you can also do with procmail).
  * The folks at flame.org wrote another patch that performs various header checks and provides bounce/flagging functionality.
  * Will Harris wrote a patch that allows you to use a new control file to specify Perl regular expressions to be used when checking the validity of the envelope sender.
  * qregex lets you match the envelope sender against a regex and accept or reject the mail accordingly.

It should also be noted here that messages with recipient addresses in the form "user%hosta@hostb" are not going to be relayed through your system unless you have misconfigured something. See the qmail.faqts page on this issue for further details.

Make it hard to spam from your system to the outside world

There are a variety of ways to make it difficult for your users to create spam. This is an important effort; while most of this document focuses on avoiding incoming spam, don't forget that a lot of incoming spam is generated because of overly lax mail sending policies.

  * Chris Johnson has written a patch for qmail called tarpit. Tarpitting is "the practice of inserting a small sleep in an SMTP session for each RCPT TO after some set number of RCPT TOs." This discourages a user from using a given system as a relay.

Variations

  * Jonathan McDowell has written an X-Spam-Warning header patch that adds warning headers for messages from senders in ORBS, RSS, RBL and DUL without the use of any external programs. This is useful if you want to allow your users to decide how to handle spam while tagging it as such at the system level.
  * Jay Soffian has written qqrbl, a script that also adds warning headers but uses the existing QMAILQUEUE patch instead of patching the qmail source itself.
  * Chris Johnson wrote a patch to log attempted relay attempts.
  * Dale Woolridge, James Law, and Moto Kawasaki have created spam throttle, a qmail-smtpd patch which inserts a sleep after the DATA command when a client's throughput is too high.
  * Russell Nelson has a patch to reject relay probes. These relay probes have '!', '%' and '@' in the local (username) part of the address. (Note that rejecting these probes may get your mail server listed on a few RBL lists, which are listed as resources elsewhere in this document.)
  * SpamAssassin is a flexible, extensible spam filtering system that works with a variety of mail systems.
  * Blackhole is another anti-spam/virus scanning package that works with qmail.

This document covers the following issues:

 

How Spammers Work

There are several ways spammers can use your system to send spam, but these are the most typical:

  1. Through the mail server
    • Directly from a mail account. You can usually find out who is doing it by checking the From: field of the messages in the mail queue (do this while the spam is still being sent).
    • By installing a CGI script in their web account that relays email through your mail server. Your system is still properly configured: you have to allow other users to send mail from the web servers for confirmation emails and formmail scripts.
  2. Directly from the web server. Some users create an account and install a script that works as an SMTP sender itself, delivering mail directly without using your mail server.

 

Spam Identification Criteria

The easiest time to detect a spammer is while the spam is being sent out. Spammers will usually use your server for as long as they can, so once you get a complaint, act on it right away.

There are two signs that your server is used for spamming:

  1. Your mail server is unusually slow
  2. You get a complaint from users/upstream provider

If you get a copy of the spam message, analyze its header. It will usually contain the IP address of one of your mail or web servers, which tells you which server the spammer is using.

 

Detecting Spammer on a Mail Server

If the spam is sent out from the mail server, monitor the outgoing message queue:
# cd ~qmaild/queue/mess

Run the following loop repeatedly (for example from an outer shell loop); it prints the Received: lines of every queued message that contains a given text. For example, if you know that the spam is sent from "anonymous", search for that text in the queued messages:

# for i in `grep -rl "anonymous" . | sort -u`; do echo "$i"; grep "^Received:" "$i"; done

It prints the lines that start with Received: for every message containing "anonymous". (grep -rl lists each matching file once, whatever the message file name looks like, so no further filtering of the output is needed.)

If you want to get the complete messages on the screen, use:

# for i in `grep -rl "anonymous" . | sort -u`; do echo ''; cat "$i"; done

The Received line usually looks similar to the following:
Received: (qmail 4868 invoked by uid 101); 14 Feb 2002 01:55:27 -0000

The uid is the numeric user id (from the password file) of the account that invoked qmail on one of your web servers. Go to the web servers and look up that uid; this gives you the username, and with it you can find the account in H-Sphere.
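The two manual steps above (search the queue for a text, pull the uid out of the Received: lines, then map the uid to a username) as one script. This is an added example, not part of the H-Sphere guide: the queue directory, message files and passwd file it works on are constructed in a temporary directory so that it runs stand-alone; on a real server point it at /var/qmail/queue/mess and the web server's /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the H-Sphere guide): tally queued messages that
# match a text by the uid that invoked qmail, then resolve the uid to a
# username. Sample queue and passwd data below are constructed.

# Count queued messages per invoking uid.
# $1 = queue directory (mess/), $2 = text to search for in the messages.
# Output: one "uid count" pair per line, most frequent first.
tally_uids() {
    grep -rl -- "$2" "$1" 2>/dev/null \
    | xargs -r grep -h '^Received: (qmail [0-9]* invoked by uid [0-9]*)' \
    | sed 's/.*invoked by uid \([0-9]*\).*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Map a numeric uid to a username using a passwd-format file.
# $1 = uid, $2 = passwd file (/etc/passwd on the web server).
uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# --- constructed sample queue (split subdirectories like qmail's mess/) --
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/queue/0" "$SAMPLE/queue/1"
for n in 1 2 3; do
    printf 'Received: (qmail %d invoked by uid 101); 14 Feb 2002 01:55:27 -0000\nFrom: anonymous@example.invalid\n\nbuy now\n' \
        "$((4860 + n))" > "$SAMPLE/queue/0/$n"
done
printf 'Received: (qmail 4870 invoked by uid 102); 14 Feb 2002 01:56:02 -0000\nFrom: anonymous@example.invalid\n\nbuy now\n' \
    > "$SAMPLE/queue/1/9"
printf 'Received: (qmail 4871 invoked by uid 103); 14 Feb 2002 01:57:10 -0000\nFrom: alice@example.invalid\n\nhello\n' \
    > "$SAMPLE/queue/1/10"

# --- constructed passwd file (hypothetical accounts) ----------------------
printf 'root:x:0:0:root:/root:/bin/sh\nspamuser:x:101:101::/hsphere/local/home/spamuser:/bin/sh\nbob:x:102:102::/hsphere/local/home/bob:/bin/sh\n' \
    > "$SAMPLE/passwd"

# Usage: list uids sending messages that contain "anonymous", then name the top one.
tally_uids "$SAMPLE/queue" anonymous
top_uid=$(tally_uids "$SAMPLE/queue" anonymous | head -n 1 | cut -d' ' -f1)
echo "top sender: uid $top_uid = $(uid_to_user "$top_uid" "$SAMPLE/passwd")"
```

Only the first Received: line added by qmail on your own host carries a uid you can trust; the tally deliberately matches that "(qmail N invoked by uid N)" form and ignores Received: lines copied in from other hosts, which the sender controls.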

Besides that, check whether any of your customers is running a CGI script that connects directly from your web server to remote SMTP hosts.

Usually if you execute:
netstat -n | grep :25

on that server, you will see a bunch of connections to remote port 25.

If this is the case, try executing:
ps auxww | grep -v httpd | grep -v root | grep -v mysql

You will see a bunch of processes (usually perl) run by one user. Because it takes some time to connect to a remote system and send a message, these scripts stay in memory and are easy to observe.

If the scripts are PHP based, they are harder to detect.
Try the following:
cd /proc
ls -l */cwd | grep /hsphere/local/home

If one user's directory is displayed a large number of times, that user is probably the offender.
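The netstat and /proc checks above, written as two small functions over the command output so that the counting is done for you rather than by eye. This is an added example, not part of the H-Sphere guide; the netstat and ls -l output it reads is constructed sample output (placeholder addresses and hypothetical user names), and the /hsphere/local/home prefix is taken from the text.

```shell
#!/bin/sh
# Added example (not from the H-Sphere guide): count outbound port-25
# connections per local address from "netstat -n" output, and count
# processes per user home from "ls -l /proc/*/cwd" output.
# The sample output below is constructed.

# Count TCP connections whose foreign port is 25, grouped by local address.
# Reads "netstat -n" output on stdin. (IPv4 only: the colon split does not
# handle IPv6 addresses.)
count_smtp_connections() {
    awk '$1 == "tcp" && $5 ~ /:25$/ { split($4, a, ":"); n[a[1]]++ }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr
}

# Count how many processes have their working directory under each user's
# home. Reads "ls -l /proc/*/cwd" output on stdin; $1 = home prefix.
count_cwd_by_home() {
    awk -v p="$1" 'index($NF, p) == 1 {
             sub(p "/", "", $NF); split($NF, h, "/"); n[h[1]]++
         }
         END { for (u in n) print u, n[u] }' | sort -k2,2nr
}

# --- constructed sample output ------------------------------------------
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:34112        198.51.100.7:25         ESTABLISHED
tcp        0      0 192.0.2.10:34113        198.51.100.8:25         SYN_SENT
tcp        0      0 192.0.2.10:34114        203.0.113.9:25          ESTABLISHED
tcp        0      0 192.0.2.10:34115        203.0.113.10:25         ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.11:51234      ESTABLISHED
tcp        0      0 192.0.2.11:34116        198.51.100.9:25         ESTABLISHED'

CWD_SAMPLE='lrwxrwxrwx 1 spamuser spamuser 0 Feb 14 01:55 1234/cwd -> /hsphere/local/home/spamuser/cgi-bin
lrwxrwxrwx 1 spamuser spamuser 0 Feb 14 01:55 1235/cwd -> /hsphere/local/home/spamuser/cgi-bin
lrwxrwxrwx 1 spamuser spamuser 0 Feb 14 01:55 1236/cwd -> /hsphere/local/home/spamuser
lrwxrwxrwx 1 bob      bob      0 Feb 14 01:50 1300/cwd -> /hsphere/local/home/bob
lrwxrwxrwx 1 root     root     0 Feb 14 01:00 1/cwd -> /'

# Usage: on a live server replace the samples with
#   netstat -n | count_smtp_connections
#   ls -l /proc/*/cwd | count_cwd_by_home /hsphere/local/home
echo "$NETSTAT_SAMPLE" | count_smtp_connections
echo "$CWD_SAMPLE" | count_cwd_by_home /hsphere/local/home
```

SYN_SENT connections are counted as well as established ones on purpose: a spam script talking to unreachable or slow remote hosts spends most of its time in that state, and those half-open connections are exactly what makes the server look slow.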

There are two ways to prevent such spam from re-appearing:

#1 Set up a firewall on each web server that forbids connections to outgoing port 25 except to your mail server. For example, telnet xyz.xyz.com 25 should be blocked, but telnet mail.inethosts.com 25 should be open.

#2 Close port 25 for all your servers except the mail server at the switch level.

 

Detecting Spammer on a Web Server

If the spam is sent out from a web server, run netstat -n. You should see a bunch of outgoing connections to port 25. You can find out who is doing that with ps auxww: you will usually see a bunch of perl interpreters running; check which user owns them and which scripts they are running. Usually the scripts fork a bunch of processes that do the spamming.

 

Further Steps

Once you figure out who sends the spam, suspend the account. In most cases spammers use stolen credit cards, and in any case spamming should be strictly against your AUP.

To prevent this style of attack, enable iptables (or ipchains on older systems) on each web server and block all outgoing connections to port 25 except those to your mail server's IP address.
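The egress rule set that option #1 above and this paragraph describe, as an added example that is not part of the H-Sphere guide. The script prints the iptables commands by default and applies them only when run as root with --apply; MAILSERVER_IP is a placeholder (192.0.2.25) that you replace with your own mail server's address, and the LOG rule is an addition so that blocked attempts show up in the kernel log.

```shell
#!/bin/sh
# Added example (not from the H-Sphere guide): outbound SMTP is allowed
# only to the mail server; everything else to port 25 is logged and
# rejected. MAILSERVER_IP below is a placeholder.

# Print the iptables commands for the given mail server address.
# Order matters: the ACCEPT for the mail server must come before the
# catch-all LOG and REJECT rules.
smtp_egress_rules() {
    mailserver="$1"
    cat <<EOF
iptables -A OUTPUT -p tcp --dport 25 -d $mailserver -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Number of rules in the generated set (a sanity check before applying).
rule_count() {
    smtp_egress_rules "$1" | grep -c '^iptables'
}

MAILSERVER_IP="${MAILSERVER_IP:-192.0.2.25}"   # placeholder; set to your mail server

case "$1" in
    --apply) smtp_egress_rules "$MAILSERVER_IP" | sh -e ;;   # run as root on the web server
    *)       smtp_egress_rules "$MAILSERVER_IP" ;;           # dry run: just print the rules
esac
```

After applying, verify as the text suggests: telnet to a remote host on port 25 should fail immediately (and leave an "SMTP-EGRESS-BLOCK" line in the kernel log), while telnet to your mail server on port 25 still connects. The tcp-reset rejection makes blocked spam scripts fail fast instead of hanging in SYN_SENT.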

You might also want to set up SpamGuard or SpamAssassin on the mail server, or configure Qmail with antispam add-ons.

 





© Copyright 1998-2004. Positive Software Corporation.
All rights reserved.