Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
I run an email server for personal use (and friends and family). I'm running Qmail and I like it a lot. However, spam volumes have been increasing and I want to do something about it. However, I am not interested in a solution that deals with spam after it has been accepted by my server (could be wrong, but I think Spam Assassin is an example of this). Also, I do not want a solution that bounces messages (I think Badmailfrom is an example of this) because often the "From" is invalid (resulting in double-bounces) or is set to my own domain by the spammer.
I do not have a full grasp of how the smtp protocol works, but I understand there is a handshake betwen smtp servers prior to delivering a message. I would like a solution that causes my MTA (qmail) to cease communicating with the other server as soon as it is identified as being a spam server (ie. maybe by IP address or some DNS query using Spamhaus or some other list, maybe even a locally stored list). I like this approach because it makes the sending server "suffer" maybe by timing out, while my server ceases wasting CPU effort as soon as the spam server is identified.
Does such a solution already exist out there? If so, where?
You've got the right idea. Blocking that crap before it comes in the door is the best idea. But to be honest, to do what you're wanting is not for the feignt of heart. I've heard about people doing it, but never seen a howto that explains what needs to be done. My feeling is that only experienced admins are the ones doing this. You probably want to search the archives of the qmail mailing list and see if there are instructions you can follow for this, but I haven't seen any in the year I've been using qmail.
The only thing I can recommend is what I've done. Start by looking at patching qmail with the "qregex" patch. If you can find a patch that combines the "mfcheck" patch too, that would be nice. You also want to get the badmailfrom-env patch.
When you have applied these patches, you'll be able to stop a good chunk of spam using a few simple methods described here...
This is pretty much what I've done, and it cut my spam down considerably. I've setup several filters in tcp.smtpd for a bunch of major ISPs, like comcast, aol, charter.com, verizon, and many others.
If their reverse dns is for Comcast.net (for example) you don't want people faking an email address to be from Yahoo or Hotmail... obviously this is bogus, since Hotmail (for example) is web-based only and there's NO WAY they can be sending a hotmail message from a system that reverse DNS shows to be Comcast. Usually this is spam.
Of course you WILL be blocking a small percentage of legitimate mail if the sender is using a domain they control... like if somebody has a domain like yourdomain.com and trying to send a message to your server using their Comcast account, the rules I have setup will block their message. But honestly... this is rare for me... usually it's junk they are trying to send.
These patches also provide a new control file called "badhelo" and inside that file, you should put the IP address of your server and any domain names you control, with the exception of your server's domain name. This resulted in blocking a bunch of spam for me too.
You'll have to look at some mail headers for some spam you've received and find out if checking the HELO is really useful in blocking spam for you.
As it turns out this was dead simple to implement and it works great. In fact, I am shocked at how well it works. Spam has seemingly been stopped dead while all the good stuff is still getting through.
Here is what I did. First of all you must have ucspi-tcp installed to enable you to run rblsmtpd. Fine I had done that when I originally installed Qmail. All I did was add one thing (see red text below) to this file: /var/qmail/supervise/qmail-smtpd/run
My new "run" file looks like this:
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" ]; then
echo QMAILDUID, NOFILESGID, or MAXSMTPD is unset in
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp rblsmtpd -r sbl-xbl.spamhaus.org /var/qmail/bin/qmail-smtpd 2>&1
All I did was add rblsmtpd -r sbl-xbl.spamhaus.org. That's it. Spamhaus provides info on how to test if spam blocking is working. It is and I can see it in the logs.
Furthermore, this implements exactly what I wanted. Essentially, the SMTP converstation is initiated in the usual way from the spam server. My server then identifies that server as being blacklisted (through the spamhaus service) and terminates the conversation. As I understand it, the spam server gets a message indicating it's been identified on spamhaus, then the conversation is cut off by my server. No spam gets delivered.
All I can say is "wow". I just started using your suggestion tonight and in only a few hours I have blocked a HUGE majority of my spam. I think I may end up throwing away all my other spam control methods and just use this one alone.
The only thing that bothers me... I'm wondering how many of these are false positives. I'm sure there must be. But on the other hand, I'm thinking that since a URL is being sent out whenever messages are blocked, it puts the onus on the admins of these other servers to get their system removed from the database, so that makes me feel a little better.
Anyway, thanks again for this excellent tip. If this is as good as it seems, I think everyone should be using this.
This has basically solved my spam problem. It's not perfect, but I estimate it's blocking upfront about 95% of the spam arriving at my server. As for false positives, I think you have no reason to be concerned. My research tells me Spamhaus is reputable and is rarely blocking legitimate email servers.
I find virus-generated "spam" is still getting through. The offender is usually unaware they have an infected machine. I believe these are usually windoze boxes running Outlook. Spamhaus would not normally list these ip addresses. Usually, the owner will be someone you (or one of your users) knows. The unwanted virus email gets generated using email addresses either from the Outlook address book or gleaned from emails. My solution is to contact the offending ISP. Sometimes that works. WHen it does not, I have been adding the ip address to a deny line in my /etc/tcp.smtp file and tcp.smtp.cdb (I think I have those filenames correct). This blocks email from that ip address and doesn't cause any other problems. You can even still recieve legitimate email from that location because the user would rarely be sending legitimate email from their own ip address -- they'd almost always be using some legitimate smtp server provided by their ISP and that server's ip address would not be blocked.
Glad the rblsmtpd solution works for you, Donboy. I am extremely pleased with it also. I agree, everyone should use this. It really works. Spamhaus deserves most of the credit. I assume there are other blacklists that work as well.
Wow, you are a true convert to this method! I thought about doing that, but I wondered if accessing so many blacklists with the arrival of every piece of mail might slow things down noticeably. What do you think?
Here's another minor tip. Be careful what info you provide for your WHOis contact. I have discovered spammers are grabbing my domain contact email address from whois. Here's what I did: I set up a domain like test1.mydomain.com (MX record). THen I posted whois contact address as email@example.com . Within about a month I started getting lots of spam for various addresses at test1.mydomain.com (not just firstname.lastname@example.org -- many non-existent addresses too leading to double bounces) even though I never gave out any addresses for that domain. So, then I deleted that MX record and set up another as test2.mydomain.com . Spam dries up ... for a while until they discover the new domain. Not an ideal solution, but another piece in the puzzle to block spam.
Hey Donboy, I am curious ... from your logs can you tell if you are getting spam being blocked by blacklists below the first 2 or 3 on your list? If so, which ones are being hit? I ask because you now have me thinking of adding some more to my list -- maybe 2 or 3 more anyways. I am guessing Spamhaus gets most of them, correct?
I've been running this way for a couple of weeks now and everything seems fine... no apparent slowness at all. Course I guess it all depends on how much traffic your mail server is getting to begin with. I mean, if you're getting 100k messages per day, I'm sure it will start to show.. seems logical. Mine is only handling about 5k per day... maybe an average of one message every few seconds during peak times.
And yes, Spamhaus is getting most of them, but occasionally there are others catching spam too. I would say the "blackholes" are the next runner up as far as which ones are catching the most.
With the qregex patch, I am able to stop mail that is destined for certain hosts. So if they are trying to send mail to a non-existant account I can block it completely so they are unable to send mail to that account and its rejected in the smtp conversation instead of going into my queue and becoming a double bounce.
It's basically a locally built whitelist that requires first-time emailers to confirm their address one-time before messages from their email address will get delivered to users on your server. Once confirmed, all future mail from that address gets delivered without a challenge.
I am not going to implement this approach at this time because I fear people would not respond to the one-time challenge. However, if this method became widespread on the internet it would force spammers to include a real FROM address or else messages would not get delivered. That would help both by decreasing anonymity and by creating more work for the spammer (the challenge).
This method would help greatly if the big ISPs adopted it and it became widespread. I believe it's superior to blacklists. However, for now, I will stay with the blacklists on my smalltime server.
Yeah, I've seen that... and I kinda wanted to do this myself, but the install looked a little too involved, so I'm going with what I have for now. I've heard that using this method is outstanding for killing spam, because the spammers usually don't look at any of the responses they get from sending out their junk... they just send out a zillion spams and hope they hit their targets and don't bother looking at what is bounced or returned to them... so this method is really the best for controlling spam. Someday I think this will be the mainstay for email because ever since the CAN-SPAM thing was passed by the government, spam is getting worse because it almost endorses spammer methods.
If you decide to tackle this, let me know... I'm very interested in how its done... maybe you can even write up a howto... if you did, I think it would become a lot more widely accepted if it was easy to install.
You mean badmailto... it works after applying the qregex patch. You can search and find it easily on Google. I believe the latest is qregex-20040317.patch.
Once you get it, CD into the qmail source directory. Do a patch -p1 qregex-20040317.patch and you will be patching qmail-smtpd.c. If you have already applied any other patches to qmail-smtpd.c , you may get an error. If so, you'll have to apply the patch manually.
Stop qmail (be sure it's completely stopped! run qmailctl stat to be sure) and then run make setup check and it will patch your qmail installation. Now you can create a file called /var/qmail/control/badmailto and put the addresses you want in there.
Lastly do qmailctl start and it will begin working. You can test by doing tail -f /var/log/qmail/qmail-smtpd/current and watch for that address being blocked.
Basically my problem has always been that I have lots of mail for this one account for many years and it was never anything but a spam haven, so now whenever mail comes to my server that is bound for that address it gets blocked at the smtp conversation and never gets in the door.
I also recommend double-checking ALL of the RBL sites I have listed in post #7 above, since they may change over time. For a while, sorbs was completely out of business because of ddos attacks. If you're calling for an RBL site that is not in service, you are just bogging down your mail server while it checks a dead address, and you are clogging up the internet with bogus DNS checks that are not needed.
In addition to the other RBL sites listed, I also have had success using bl.spamcop.net which I found to be very useful.