How to block and filter spam and viruses.
(Requires a mail server.)
A practical example, explained using Postfix and DSpam.
I am feeling it's just about time again to make a contribution to the GPL community.
This article explains how to set up a nearly spam-free SMTP server.
I hope you'll enjoy it.
(Click here for the German version.)
History:
I have always been generous with spreading my e-mail addresses around the net, as I fail to see why I should hide from spammers.
I don't think it is very efficient either. I would rather be able to control them than run away from them.
About 10 years ago the amount of spam that found its way into my mailbox became just about unbearable.
This is why I installed assp.
This approach had reasonable results for a couple of years, before "professional spammers" started to optimize their strategies.
Whereas commercial spam software invented some sophisticated filters, I just taught assp the following:
- Delay the connection establishment for 2 seconds.
- Say EHLO.
- Wait for an answer.
- Wait 2 more seconds.
- Go on...
It turned out that professional spammers didn't have the time to wait.
This worked for a couple of years, and it's fairly easy to integrate in assp.
Even the spam figure itself, i.e. the number of spam attempts, went down.
Spammers really seemed to have wiped me out of their databases.
How to proceed:
With each new SMTP server (I myself install around two production servers a year) you keep on learning and have to become familiar with current technologies.
It happened in November 2006: I installed a new server and got a blatant amount of spam.
My accounts alone were flooded with about 10 spam mails every 10 minutes, i.e. one per minute (24*60 = 1440 spams per day).
This included the supposedly "latest" investment advice (May 2007), by the way.
(Can't be that new, can it...?)
What should I do?
The answer is obvious: have a look and optimize until the problem is gone.
I spent about two weeks on a live analysis of the log file and came to the following conclusion.
Solution:
The problem we face is rooted in mental attitude.
There are a lot of people who complain about spam these days, among them some of my clients, with me as the person responsible for their web servers.
The problem lies in their very own requirement:
"I do not want to lose any mail whatsoever."
With this requirement there is no possible strategy against the problem, as spam is mail itself.
Blocking vs. Filtering:
Most decision makers don't get the difference between two different kinds of mail.
Most postmasters don't realize that this is the problem they should communicate to their managers.
They don't get it themselves:
Mail that is being delivered via SMTP (the connection is still open):
- The connection from the sender has been established.
- Up to this point we have the chance to block.
- In that case the buck is passed back to the spammer, provided we recognize him.
- We end up with nothing but a log file entry.
- The spammer loses time and knows it.
- This tends to annoy him.
- It is even possible that you will be deleted from his databases.
- If we are wrong and block a real mail, the sender and his postmaster are informed of the reason we block it.
- No mail gets "lost".
- In real-world terms: the postman cannot deliver a letter, because the letterbox is closed.
Mail that was accepted via SMTP and handed on to LMTP (local delivery):
- At this point it is already too late.
- For the sender the mail was delivered successfully.
- A later rejection is nearly impossible (a bounce would go to the forged sender address, not to the spammer).
- From this point on all you can do is filter.
- In any case, the sender assumes that his mail was delivered successfully.
- The spammer keeps you in his database and possibly sells your address on to others.
- Filtering can be no more than a last resort.
- It eats up system resources.
- It requires human intervention.
- And it can cause you trouble, as mails do get "lost".
- The postman has delivered his letter.
Common practice, however, is that all mail, advertising included, is accepted by default, to be filtered by the SMTP server's spam filter while being handed over to the IMAP server, or, worse, by the mail client's spam filter.
Far too late!
You are not interested in letters without a valid return address, are you?
Why bother accepting such mail then?
Don't you have one of those stickers on your letterbox at home that says "No advertising, please"?
Technical Implementation:
First you check who you are talking to: how the sender responds to SMTP EHLO.
Make a few checks: whether the name the server announces corresponds to the sender's e-mail address; whether the EHLO name resolves in DNS, and whether it resolves to the IP address of the connected server. And so on.
Spammers, however, mostly say something like EHLO <friend> or at most a fantasy FQDN.
The same is true for the sender's e-mail address, whose domain should correspond to the IP address of the connected system.
So far, I have only had trouble with eBay's advertising mails.
They are sent from a .com server claiming to be responsible for a .de mail server.
I can't accept that.
I informed eBay about the problem, with no reaction so far.
Well, if they ignore me, I can do the same...
But even this mail makes it to its destination eventually.
Please note that I am not talking about DNS reverse resolution (PTR), which wouldn't work with virtual servers.
I am just talking about MX and/or A records, which can be set for any domain.
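The checks just described, as an added example (this code was written for this edit; it is not the article's own code and not Postfix's, and the zone data, host names and addresses in it are constructed): a stand-alone Python model of what the Postfix restrictions reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain and strict_rfc821_envelopes decide, using the Postfix default reply codes. Two things it makes explicit that the prose does not: the "unknown" checks only verify that a name has an A or MX record, not that the name resolves to the connecting IP address, and the null sender <> has to pass, because bounces depend on it.

```python
"""Added example: a model of Postfix's HELO and MAIL FROM envelope checks.
DNS is replaced by an in-memory zone so the example runs offline; every
host name, address and zone entry below is constructed sample data."""
import re
from typing import Dict, Set

# Constructed sample "DNS": domain -> record types it has.  A real check
# looks up A/AAAA and MX records (not PTR, as the article points out).
SAMPLE_ZONE: Dict[str, Set[str]] = {
    "mail.example.net": {"A"},
    "example.net": {"A", "MX"},
    "example.org": {"MX"},
}

# One DNS label: 1-63 letters, digits or hyphens, no hyphen at either end.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """reject_invalid_hostname: syntactically valid host name.
    Names such as '<friend>' or 'mail..example' fail here."""
    return 0 < len(name) <= 253 and all(LABEL.match(label) for label in name.split("."))


def is_fqdn(name: str) -> bool:
    """reject_non_fqdn_hostname / reject_non_fqdn_sender: at least two
    labels and an alphabetic top-level label ('friend', 'localhost' fail)."""
    labels = name.split(".")
    return is_valid_hostname(name) and len(labels) >= 2 and labels[-1].isalpha()


def domain_resolves(domain: str, zone: Dict[str, Set[str]]) -> bool:
    """reject_unknown_hostname / reject_unknown_sender_domain: the name
    needs an A or MX record.  This is resolvability only; it does not
    prove that the name belongs to the connecting IP address."""
    return bool(zone.get(domain.lower(), set()) & {"A", "MX"})


def check_helo(helo: str, zone: Dict[str, Set[str]] = SAMPLE_ZONE) -> str:
    """Evaluate an EHLO/HELO argument.  Reply codes follow the Postfix
    defaults: 503 missing HELO, 501 invalid, 504 non-FQDN, 450 unknown."""
    if not helo:
        return "503 5.5.1 Error: send HELO/EHLO first"
    if helo.startswith("[") and helo.endswith("]"):
        return "250 2.0.0 Ok"  # address literal such as [192.0.2.10] is allowed
    if not is_valid_hostname(helo):
        return f"501 5.5.2 <{helo}>: Helo command rejected: Invalid name"
    if not is_fqdn(helo):
        return f"504 5.5.2 <{helo}>: Helo command rejected: need fully-qualified hostname"
    if not domain_resolves(helo, zone):
        return f"450 4.7.1 <{helo}>: Helo command rejected: Host not found"
    return "250 2.0.0 Ok"


def check_sender(mail_from: str, zone: Dict[str, Set[str]] = SAMPLE_ZONE) -> str:
    """Evaluate a MAIL FROM argument.  strict_rfc821_envelopes demands the
    <...> form.  The null sender <> is always accepted: bounces depend on it
    (RFC 5321) and reject_non_fqdn_sender does not touch it."""
    if not (mail_from.startswith("<") and mail_from.endswith(">")):
        return "501 5.5.4 Syntax: MAIL FROM:<address>"
    address = mail_from[1:-1]
    if address == "":
        return "250 2.1.0 Ok"  # null sender: bounce / delivery status notification
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return f"501 5.1.7 <{address}>: Sender address rejected: bad syntax"
    if not is_fqdn(domain):
        return f"504 5.5.2 <{address}>: Sender address rejected: need fully-qualified address"
    if not domain_resolves(domain, zone):
        return f"450 4.1.8 <{address}>: Sender address rejected: Domain not found"
    return "250 2.1.0 Ok"


def accept_envelope(helo: str, mail_from: str, zone: Dict[str, Set[str]] = SAMPLE_ZONE) -> bool:
    """True when HELO and sender both pass, i.e. the session may go on to
    RCPT TO.  Anything else is blocked before DATA: the sender sees the
    reason, and no message body is ever accepted."""
    return check_helo(helo, zone).startswith("250") and check_sender(mail_from, zone).startswith("250")


if __name__ == "__main__":
    # Constructed sessions: typical spam bots versus a well-configured relay.
    for helo, sender in [("<friend>", "<victim@example.org>"),
                         ("friend", "<x@example.org>"),
                         ("mail.example.net", "<alice@example.org>"),
                         ("mail.example.net", "<>")]:
        print(f"EHLO {helo:17} MAIL FROM:{sender:21} -> {check_helo(helo)} | {check_sender(sender)}")
```

The order of the checks in check_helo mirrors the order of the restrictions in the configuration later in this article: a syntactically broken name is refused with a permanent 501 before any DNS lookup happens, while an unknown name gets a temporary 450, so a sender whose DNS is merely broken for a moment is told to try again rather than bounced.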
I am pretty sure that it is exactly here where most of you have trouble.
You are afraid of losing mail.
BUT: this shouldn't be a problem, as:
- The sender is informed that his mail was rejected, and why.
- The postmaster is informed that a mail of his client was rejected, and why.
- Such mail is virtually 100 % spam.
Well, it is true that many end users are afraid of "mailer daemons", because they are afraid of daemons and of IT and maybe some other things...
Postmasters, however, are able to understand such messages. At least they should, if they call themselves postmasters...
It should be pretty embarrassing for them to admit that their SMTP server looks like a spammer's.
Especially considering the possibility of business mail getting lost because the recipient uses a filter.
With this approach there is no mail getting lost:
the problem is caused by the sender, who acts like a spammer.
Sounds harsh, but that's just the way it is.
(For the future, I plan an article listing those bad boys.)
Why should I accept mail from someone like that in these times full of spam?
The sender can still use a fax machine if he has something important to say :-)
SMTP AUTH is enabled so that users can send mail remotely without any problems; authenticated clients bypass the checks below via permit_sasl_authenticated.
Postfix goes with this configuration (main.cf):
# Require strict MAIL FROM/RCPT TO syntax (<address> form) and a HELO/EHLO.
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
# Do not let anyone probe for valid addresses.
disable_vrfy_command = yes

# Reject a HELO/EHLO name that has no DNS A or MX record (except from our own networks).
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname

# Deliberately empty: all checks are consolidated under smtpd_recipient_restrictions,
# where Postfix already knows client, HELO, sender and recipient and logs them together.
smtpd_client_restrictions =
smtpd_sender_restrictions =

# Evaluated at RCPT TO.  Continuation lines must be indented.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    check_policy_service inet:127.0.0.1:2501,
    permit

# Clients must wait for our replies; bots that pipeline commands without permission are rejected.
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
See the Postfix documentation, "Postfix Configuration - UCE Controls".
The HELO restriction names above are the pre-2.3 spellings; current Postfix still accepts them but documents them as reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname and reject_unknown_helo_hostname.
Note what these checks do and do not do: reject_unknown_hostname and reject_unknown_sender_domain only verify that the HELO name and the sender's domain have an A or MX record; they do not verify that the name resolves to the connecting IP address.
DNSBLs also come and go (list.dsbl.org has since shut down), so review the reject_rbl_client lines periodically; a list that no longer exists costs a DNS lookup per connection and contributes nothing.
This eliminates 90 % of the spam.
1440*10% = 144 spam mails per day
Another 90 % can be eliminated by greylisting.
That is: when in doubt, just say:
"Please come back in 5 minutes."
144 * 10 % = 15 spam mails per day
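An added example of the "come back in 5 minutes" step (written for this edit; it is not the article's code, not Postfix, and not the policy daemon the author runs behind port 2501, which the article does not name): a minimal greylisting server in Python that speaks the Postfix policy delegation protocol used by check_policy_service. Postfix sends "name=value" lines terminated by an empty line and expects "action=..." plus an empty line back. Assumed here, because the article does not say: the client's /24 (IPv4) or /64 (IPv6) network as part of the triplet key, a 300 second delay, skipping SASL-authenticated clients, an in-memory store that is lost on restart, and the sample request attributes.

```python
"""Added example: a greylisting policy server for Postfix check_policy_service.
Everything below (delay, key, store, listening address) is an assumption
made for this example; a production daemon persists its state."""
import socketserver
import time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

GREYLIST_DELAY = 300          # seconds: "please come back in 5 minutes"
ENTRY_LIFETIME = 35 * 86400   # forget a triplet that has not been seen for 35 days


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_response(action: str) -> str:
    """A policy reply is 'action=<access action>' followed by an empty line."""
    return f"action={action}\n\n"


def triplet_key(attrs: Dict[str, str]) -> Tuple[str, str, str]:
    """Key on the client's network, not its exact address: legitimate sites
    often retry from a different host in the same outbound pool."""
    addr = ip_address(attrs["client_address"])
    prefix = 24 if addr.version == 4 else 64
    net = ip_network(f"{addr}/{prefix}", strict=False)
    return (str(net), attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


class Greylist:
    """Per triplet: [first_seen, last_seen].
    unknown triplet   -> defer_if_permit (temporary 450, unless an earlier
                         restriction already rejected the client)
    retry too early   -> defer_if_permit
    retry after delay -> dunno (the remaining restrictions decide)"""

    def __init__(self, delay: int = GREYLIST_DELAY, lifetime: int = ENTRY_LIFETIME):
        self.delay, self.lifetime = delay, lifetime
        self.entries: Dict[Tuple[str, str, str], List[float]] = {}

    def decide(self, attrs: Dict[str, str], now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy" or "client_address" not in attrs:
            return "dunno"
        if attrs.get("sasl_username"):
            return "dunno"              # authenticated users are never greylisted
        key = triplet_key(attrs)
        entry = self.entries.get(key)
        if entry is None or now - entry[1] > self.lifetime:
            self.entries[key] = [now, now]
            return f"defer_if_permit Greylisted, please try again in {self.delay // 60} minutes"
        entry[1] = now
        if now - entry[0] < self.delay:
            return f"defer_if_permit Greylisted, please try again in {self.delay // 60} minutes"
        return "dunno"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One Postfix smtpd connection may carry many requests in sequence."""
    greylist = Greylist()

    def handle(self) -> None:
        while True:
            raw = ""
            while True:
                line = self.rfile.readline().decode("utf-8", "replace")
                if not line:
                    return                  # Postfix closed the connection
                raw += line
                if line in ("\n", "\r\n"):
                    break
            action = self.greylist.decide(parse_policy_request(raw))
            self.wfile.write(format_response(action).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Matches "check_policy_service inet:127.0.0.1:2501" in the configuration above.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2501), PolicyHandler) as server:
        server.serve_forever()
```

defer_if_permit rather than a plain defer matters: Postfix only turns it into a 450 if no later restriction would have rejected the client anyway, so a listed spambot still gets the permanent rejection from the RBL rather than an invitation to retry. The policy service sits after reject_unauth_destination and the RBLs in the configuration above for the same reason: only mail that has already survived the cheap checks is worth delaying.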
That leaves us with about 1-2 % of the original spam making it into our system.
Until now we have only blocked; there is no filter yet.
Only these 1-2 % are accepted.
You can eliminate 95-98 % of the rest with a good spam filter.
Bad ones have a hit rate of only about 90 %.
I use DSpam, as DSpam allows a different configuration for each user.
One user's wanted mail is another user's spam, so it really doesn't make sense for everyone to have the same rules.
Unfortunately I haven't been able to set up working blocking with DSpam yet, something that seems feasible.
I don't need it anyway, as 15 * 5 % = 1 spam per day.
Conclusion:
One or two spam mails per day, as opposed to 1440, is not out of reach, even for somebody like me, who has maltreated his e-mail addresses in such a way that every spammer knows them.
What tends to be forgotten is a healthy blocking strategy before mails get to the spam filter: the guts to tell an idiot "No, not like this".
1440 * 10 % = 144 spam mails per day
would be the result for a heavy user with a filter that catches 90 % but without a reasonable blocking strategy.
Without RBLs there isn't much difference in the end result; only the number of mails that go through greylisting, i.e. that have to wait 5 minutes, will be significantly higher.
Web links:
A guy who seems to know what he is talking about and has done some real work. My approach is only a combination of existing solutions.
http://www.postfix.org/docs.html
http://dspam.nuclearelephant.com/