LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 06-01-2004, 12:23 PM   #1
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Rep: Reputation: 35
Blocking spam with qmail


I run an email server for personal use (and friends and family). I'm running Qmail and I like it a lot. However, spam volumes have been increasing and I want to do something about it. However, I am not interested in a solution that deals with spam after it has been accepted by my server (could be wrong, but I think Spam Assassin is an example of this). Also, I do not want a solution that bounces messages (I think Badmailfrom is an example of this) because often the "From" is invalid (resulting in double-bounces) or is set to my own domain by the spammer.

I do not have a full grasp of how the smtp protocol works, but I understand there is a handshake betwen smtp servers prior to delivering a message. I would like a solution that causes my MTA (qmail) to cease communicating with the other server as soon as it is identified as being a spam server (ie. maybe by IP address or some DNS query using Spamhaus or some other list, maybe even a locally stored list). I like this approach because it makes the sending server "suffer" maybe by timing out, while my server ceases wasting CPU effort as soon as the spam server is identified.

Does such a solution already exist out there? If so, where?

Thanks,
Paul
 
Old 06-01-2004, 01:41 PM   #2
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
You've got the right idea. Blocking that crap before it comes in the door is the best idea. But to be honest, to do what you're wanting is not for the feignt of heart. I've heard about people doing it, but never seen a howto that explains what needs to be done. My feeling is that only experienced admins are the ones doing this. You probably want to search the archives of the qmail mailing list and see if there are instructions you can follow for this, but I haven't seen any in the year I've been using qmail.

The only thing I can recommend is what I've done. Start by looking at patching qmail with the "qregex" patch. If you can find a patch that combines the "mfcheck" patch too, that would be nice. You also want to get the badmailfrom-env patch.

When you have applied these patches, you'll be able to stop a good chunk of spam using a few simple methods described here...

http://projects.standblue.net/softwa...lfrom-env.moto

This is pretty much what I've done, and it cut my spam down considerably. I've setup several filters in tcp.smtpd for a bunch of major ISPs, like comcast, aol, charter.com, verizon, and many others.

If their reverse dns is for Comcast.net (for example) you don't want people faking an email address to be from Yahoo or Hotmail... obviously this is bogus, since Hotmail (for example) is web-based only and there's NO WAY they can be sending a hotmail message from a system that reverse DNS shows to be Comcast. Usually this is spam.

Of course you WILL be blocking a small percentage of legitimate mail if the sender is using a domain they control... like if somebody has a domain like yourdomain.com and trying to send a message to your server using their Comcast account, the rules I have setup will block their message. But honestly... this is rare for me... usually it's junk they are trying to send.

These patches also provide a new control file called "badhelo" and inside that file, you should put the IP address of your server and any domain names you control, with the exception of your server's domain name. This resulted in blocking a bunch of spam for me too.

You'll have to look at some mail headers for some spam you've received and find out if checking the HELO is really useful in blocking spam for you.

HTH, sorry if it doesn't.
 
Old 06-02-2004, 09:49 AM   #3
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
As it turns out this was dead simple to implement and it works great. In fact, I am shocked at how well it works. Spam has seemingly been stopped dead while all the good stuff is still getting through.

Here is what I did. First of all you must have ucspi-tcp installed to enable you to run rblsmtpd. Fine I had done that when I originally installed Qmail. All I did was add one thing (see red text below) to this file: /var/qmail/supervise/qmail-smtpd/run

My new "run" file looks like this:
---------------
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" ]; then
echo QMAILDUID, NOFILESGID, or MAXSMTPD is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp rblsmtpd -r sbl-xbl.spamhaus.org /var/qmail/bin/qmail-smtpd 2>&1
--------------

All I did was add rblsmtpd -r sbl-xbl.spamhaus.org. That's it. Spamhaus provides info on how to test if spam blocking is working. It is and I can see it in the logs.

Furthermore, this implements exactly what I wanted. Essentially, the SMTP converstation is initiated in the usual way from the spam server. My server then identifies that server as being blacklisted (through the spamhaus service) and terminates the conversation. As I understand it, the spam server gets a message indicating it's been identified on spamhaus, then the conversation is cut off by my server. No spam gets delivered.

This is great.

Apollo
 
Old 06-02-2004, 10:26 AM   #4
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Excellent! I will certainly try this. Thanks for the tip!
 
Old 06-02-2004, 11:56 PM   #5
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
All I can say is "wow". I just started using your suggestion tonight and in only a few hours I have blocked a HUGE majority of my spam. I think I may end up throwing away all my other spam control methods and just use this one alone.

The only thing that bothers me... I'm wondering how many of these are false positives. I'm sure there must be. But on the other hand, I'm thinking that since a URL is being sent out whenever messages are blocked, it puts the onus on the admins of these other servers to get their system removed from the database, so that makes me feel a little better.

Anyway, thanks again for this excellent tip. If this is as good as it seems, I think everyone should be using this.
 
Old 06-16-2004, 09:17 PM   #6
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
This has basically solved my spam problem. It's not perfect, but I estimate it's blocking upfront about 95% of the spam arriving at my server. As for false positives, I think you have no reason to be concerned. My research tells me Spamhaus is reputable and is rarely blocking legitimate email servers.

I find virus-generated "spam" is still getting through. The offender is usually unaware they have an infected machine. I believe these are usually windoze boxes running Outlook. Spamhaus would not normally list these ip addresses. Usually, the owner will be someone you (or one of your users) knows. The unwanted virus email gets generated using email addresses either from the Outlook address book or gleaned from emails. My solution is to contact the offending ISP. Sometimes that works. WHen it does not, I have been adding the ip address to a deny line in my /etc/tcp.smtp file and tcp.smtp.cdb (I think I have those filenames correct). This blocks email from that ip address and doesn't cause any other problems. You can even still recieve legitimate email from that location because the user would rarely be sending legitimate email from their own ip address -- they'd almost always be using some legitimate smtp server provided by their ISP and that server's ip address would not be blocked.

Glad the rblsmtpd solution works for you, Donboy. I am extremely pleased with it also. I agree, everyone should use this. It really works. Spamhaus deserves most of the credit. I assume there are other blacklists that work as well.

Apollo
 
Old 06-16-2004, 09:24 PM   #7
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
He he he... yeah, I may have gotten a little carried away with mine, but here's what I'm using now...

-r sbl-xbl.spamhaus.org \
-r relays.ordb.org \
-r virbl.dnsbl.bit.nl \
-r dnsbl.njabl.org \
-r http.dnsbl.sorbs.net \
-r socks.dnsbl.sorbs.net \
-r misc.dnsbl.sorbs.net \
-r smtp.dnsbl.sorbs.net \
-r web.dnsbl.sorbs.net \
-r spam.dnsbl.sorbs.net \
-r zombie.dnsbl.sorbs.net \
-r cn-kr.blackholes.us \
-r brazil.blackholes.us \
-r comcast.blackholes.us \
 
Old 06-16-2004, 09:55 PM   #8
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Wow, you are a true convert to this method! I thought about doing that, but I wondered if accessing so many blacklists with the arrival of every piece of mail might slow things down noticeably. What do you think?

Here's another minor tip. Be careful what info you provide for your WHOis contact. I have discovered spammers are grabbing my domain contact email address from whois. Here's what I did: I set up a domain like test1.mydomain.com (MX record). THen I posted whois contact address as apollo@test1.mydomain.com . Within about a month I started getting lots of spam for various addresses at test1.mydomain.com (not just apollo@test1.mydomain.com -- many non-existent addresses too leading to double bounces) even though I never gave out any addresses for that domain. So, then I deleted that MX record and set up another as test2.mydomain.com . Spam dries up ... for a while until they discover the new domain. Not an ideal solution, but another piece in the puzzle to block spam.

Apollo
 
Old 06-16-2004, 10:16 PM   #9
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Hey Donboy, I am curious ... from your logs can you tell if you are getting spam being blocked by blacklists below the first 2 or 3 on your list? If so, which ones are being hit? I ask because you now have me thinking of adding some more to my list -- maybe 2 or 3 more anyways. I am guessing Spamhaus gets most of them, correct?
 
Old 06-16-2004, 11:17 PM   #10
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
I've been running this way for a couple of weeks now and everything seems fine... no apparent slowness at all. Course I guess it all depends on how much traffic your mail server is getting to begin with. I mean, if you're getting 100k messages per day, I'm sure it will start to show.. seems logical. Mine is only handling about 5k per day... maybe an average of one message every few seconds during peak times.

And yes, Spamhaus is getting most of them, but occasionally there are others catching spam too. I would say the "blackholes" are the next runner up as far as which ones are catching the most.

With the qregex patch, I am able to stop mail that is destined for certain hosts. So if they are trying to send mail to a non-existant account I can block it completely so they are unable to send mail to that account and its rejected in the smtp conversation instead of going into my queue and becoming a double bounce.
 
Old 06-17-2004, 09:16 PM   #11
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Have you heard of this?

http://tmda.net/challengeresponse.html

It's basically a locally built whitelist that requires first-time emailers to confirm their address one-time before messages from their email address will get delivered to users on your server. Once confirmed, all future mail from that address gets delivered without a challenge.

I am not going to implement this approach at this time because I fear people would not respond to the one-time challenge. However, if this method became widespread on the internet it would force spammers to include a real FROM address or else messages would not get delivered. That would help both by decreasing anonymity and by creating more work for the spammer (the challenge).

This method would help greatly if the big ISPs adopted it and it became widespread. I believe it's superior to blacklists. However, for now, I will stay with the blacklists on my smalltime server.

This may be the future.
 
Old 06-17-2004, 09:29 PM   #12
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Yeah, I've seen that... and I kinda wanted to do this myself, but the install looked a little too involved, so I'm going with what I have for now. I've heard that using this method is outstanding for killing spam, because the spammers usually don't look at any of the responses they get from sending out their junk... they just send out a zillion spams and hope they hit their targets and don't bother looking at what is bounced or returned to them... so this method is really the best for controlling spam. Someday I think this will be the mainstay for email because ever since the CAN-SPAM thing was passed by the government, spam is getting worse because it almost endorses spammer methods.

If you decide to tackle this, let me know... I'm very interested in how its done... maybe you can even write up a howto... if you did, I think it would become a lot more widely accepted if it was easy to install.
 
Old 06-17-2004, 11:50 PM   #13
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
Very cool information in this thread. I'm using SA with pretty good results, but based on your exchange it sounds like Badmailfrom is worth checking out. -- J.W.
 
Old 06-18-2004, 12:22 AM   #14
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
You mean badmailto... it works after applying the qregex patch. You can search and find it easily on Google. I believe the latest is qregex-20040317.patch.

Once you get it, CD into the qmail source directory. Do a patch -p1 qregex-20040317.patch and you will be patching qmail-smtpd.c. If you have already applied any other patches to qmail-smtpd.c , you may get an error. If so, you'll have to apply the patch manually.

Stop qmail (be sure it's completely stopped! run qmailctl stat to be sure) and then run make setup check and it will patch your qmail installation. Now you can create a file called /var/qmail/control/badmailto and put the addresses you want in there.

Lastly do qmailctl start and it will begin working. You can test by doing tail -f /var/log/qmail/qmail-smtpd/current and watch for that address being blocked.

Basically my problem has always been that I have lots of mail for this one account for many years and it was never anything but a spam haven, so now whenever mail comes to my server that is bound for that address it gets blocked at the smtp conversation and never gets in the door.
 
Old 10-14-2004, 08:01 AM   #15
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Just as a follow up, I'd like to say that I have found this thread to be extremely useful. I've been directing people to come here when setting up the qregex patch or rblsmtpd.

The qregex patch can be found here...

http://www.arda.homeunix.net/store/qmail/

Also, don't use all the individual sorbs.net RBL sites I'm listing above. You can now use dnsbl.sorbs.net and that covers all of them. REF: http://www.dnsbl.us.sorbs.net/using.shtml

I also recommend double-checking ALL of the RBL sites I have listed in post #7 above, since they may change over time. For a while, sorbs was completely out of business because of ddos attacks. If you're calling for an RBL site that is not in service, you are just bogging down your mail server while it checks a dead address, and you are clogging up the internet with bogus DNS checks that are not needed.

In addition to the other RBL sites listed, I also have had success using bl.spamcop.net which I found to be very useful.
 
  


Reply

Tags
greylist, qmail


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Blocking SPAM in Sendmail jomy Linux - Networking 4 03-23-2005 01:19 AM
Spam assassin with qmail Rhiannon Fedora 0 05-04-2004 04:57 AM
Sendmail: blocking spam pk21 Linux - Software 1 08-21-2003 05:28 AM
filtering spam in Qmail? IceNineJon Linux - Software 2 07-05-2003 02:35 PM
blocking forum spam with snort rule? JustinHoMi Linux - Security 1 02-04-2002 05:50 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 10:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration