Kopfbereich

Direkt zum Inhalt Direkt zur Navigation Direkt zum Kontakt
Advertisement

Inhalt

How to block spam efficiently

Geschrieben von Ralph   
Hits: 17996

Howto block and filter SPAM and Viruses.
(Requires a mailserver.)

A practical example explained using Postfix and DSpam.

I am feeling it´s just about time again to make a contribution to the GPL community.
This article explains how to set up a nearly spam free SMTP server.

I hope you´ll enjoy it.

(Hier klicken für die deutsche Version.)

History:

I have always been generous with spreading my e-mail addresses around the net as I fail to see the reason why I should hide from spammers.
I don´t think it is very efficient either. I would rather be able to control them and not run away from them anyway.

It happened 10 years ago that it was just about unbearable how much spam found the way into my post box.
This is why I installed assp .
This approach had reasonable results for a couple of year, before "professional spammers" started to optimize their strategies.
Whereas commercial spam software invented some sophisticated filters, I just taught assp the following:

  • Delay the connection establishment for 2 seconds.
  • Say Ehlo.
  • Wait for an answer.
  • Wait 2 more seconds.
  • Go on...

It turned out, that professional spammers didn´t have the time to wait.
This worked for a couple of years and it´s fairly easy to integrate in assp.
Even the spam figure itself, i. e. the number of spam attempts went down.
Spammer really seemed to have wiped me out of their data bases.

How to proceed:

With each new SMTP server – I for myself install around two productive servers a year – you keep on learning and have to become familiar with current technologies.
It happened in November 2006 when I installed a new server and got a blatant amount of spam.
My accounts alone were flooded with about 10 spam mails in 10 minutes (24*60=1440 spams per day).
This included the supposedly “latest” investment advices (May 2007), by the way.
(Can´t be that new, can they…?)
What should I do?
The answer is obvious: Have a look and optimize until the problem is gone.
I spent about two weeks with a life analysis of the log file and came to the following conclusion.

Solution:

The problem we face is rooted in mental attitude.
There are a lot of people who complain about spam these days among them some of my clients with me as the responsible person for their web servers.
The problem lies in their very own requirements:
“I do not want to lose any mail whatsoever".
With this approach there is no possible strategy to the problem as spam is mail itself.

Blocking vs. Filtering:

Most decision makers don`t get the difference between two different types of mail.
Most of the postmasters don´t realize, that this is the problem they should communicate to their managers.
They don´t get it themselves:

Mail that is being delivered via SMTP:

  • The connection to the sender has been established.
  • Until here we have the chance to block.
  • In this case the buck is passed to the spammer, provided we are successful in recognizing them.
  • We end up only with a log file entry.
  • The spammer loses time and is aware of that.
  • This tends to result in him becoming annoyed.
  • It is even possible that you will be deleted from their data bases.
  • If we are wrong and are blocking a real mail, the sender and their postmaster will be informed of the reasons we block their mail.
  • No mail gets “lost”.
  • Or to say in real world words: The postman cannot deliver a letter, because the postbox is closed.

Mail that got delivered via SMTP and made it to LMTP:

  • In this case it´s already too late.
  • For the sender the mail was delivered successfully.
  • A later rejection is nearly impossible.
  • From this point on all you can do is filtering.
  • In any case, the sender will assume that his mail has been delivered successfully.
  • The spammer will keep you in his data base and possibly sell your address on to others.
  • Filtering can´t be more than a last resort.
  • And eats up system resources.
  • And requires human interference.
  • And can cause you throuble, as mails get "lost".
  • The postman has delivered his letter.

Common practice however is, that all mail, advertisement included, is accepted by default – to be filtered by a spam filter of the SMTP server whilst being handed over to the IMAP server or – worse – by the MailClient´s spam filter.
Far too late!
You are not interested in letters without a valid return address, are you?
Why bothering accepting such mail then?
Or don´t you have one of those stickers on your postbox at home which says: “No advertisement, please!”.

Technical Implementation:

First you check who you are talking with,
how the sender responds to SMTP EHLO.
Make a view checks.
if the server respond corresponds to the sender´s e-mail-address.

The EHLO DNS resolution and the IP address of the connected server should coincide. And so on.
Spammers, however, mostly say something like EHLO <friend> or at most a FQDN fantasy name.
This is also true for the sender`s email address,
which should correspond to the IP address of the connected system.
So far, I only had trouble with ebay`s advertisement mails.
They are sent from a .Com Server claiming to be responsable for a .De Mail-Server.
I can´t accept that.
I informed ebay about the problem with no reaction so far.
Well, if they ignore me I can do the same...
But even this mail makes it to its destination eventually.
Please take into account that I am not talking about DNS reverse resolution (PTR), which wouldn´t work with virtual servers.
I am just talking about MX and/or A records, which can be set for any TLD.
I am pretty sure, that it´s exactly here, where most of you have trouble.
You are afraid of losing mail.
BUT: This shouldn´t be a problem, as:

  • The sender gets informed, that his mail was rejected and why it was rejected.
  • The postmaster gets informed, that a mail of his client was rejected and why it was rejected.
  • Such a mail is virtually 100 % spam.

Well, it is true that most blondes are afraid of “mailer deamons” because they are afraid of daemons and of IT and maybe some other things…
Postmaster, however, are able to understand such messages. At least they should, if they call themselves postmaster…
It should be pretty embarrassing for them to admit that their SMTP server looks like a spammer.
Especially considering the possibility of business mail getting lost, because the recipient uses a filter.

With this approach, there is no mail getting lost:
The problem is caused by the sender, who acts like a spammer.
Sounds hard, but that`s just the way it is.

(For the future, i plan an article listing those bad boys).

Why should I accept mail from so. like that in these times full of spam?
The sender can still use a fax machine if he has sth. important to say :-)

SMTP-Auth is implemented to allow users to send mails remotely without any problems.

Postfix goes with this configuration:

strict_rfc821_envelopes = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname
smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
check_client_access hash:/etc/postfix/client_checks,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client pbl.spamhaus.org,
check_policy_service inet:127.0.0.1:2501,
permit

smtpd_data_restrictions =
reject_unauth_pipelining,
permit

To be seen unter Postfix Configuration - UCE Controls.
This eliminates 90 % spam.
1440*10% = 144 spam mails per day

Another 90 % can be eliminated by gray listing.
That is: In doubt just say:
“Please come back in 5 minutes.”
144*10% = 15 spam mails per day

That leaves us with about 1–2 % of the original spam mail to make it into our system.
Until now we have only blocked, there is no filter yet.
Only these 1–2 % are accepted.

You can elimination 95–98 % of the rest with a good spam filter.
Bad ones have a hit rate of only about 90 %.
I use DSpam as DSpam allows a different configuration for each user.
Some people want to get gay mail, others don`t ...
It really doesn`t make sense, if everyone has the same rules.
Unfortunately I haven´t been able to set up a working blocking with DSpam yet, something that seems feasible.
I don´t need it anyway as 15*5%=1 Spam per day.

Conclusion:
One or two spam mails per day as opposed to 1440 is not out of reach.
For somebody like me, who maltreated his email addresses in such a way that they are know by any spammer.

What tends to be forgotten is a healthy blocking strategy, before mails get to the spam filter.
The guts to say to idiot: “No, not like this”.

1440*90%= 144 Spam mails per day
would be the result for a heavy user with a perfect filter, but without a reasonable blocking strategy.


Without RBLs there isn´t much difference in the number of spam mails.
Just the number of mails that goes through grey listing will be significantly higher.
There are no significant changes to the end results however.
Only the number of mails, which have to wait 5 minutes, will be significantly higher.

Web links:
A guy who seems to know what he is talking about:

policyd-weight - A policy daemon for Postfix

and has done some real work. My approach is only a combination of existing solutions.

http://www.postfix.org/docs.html

http://dspam.nuclearelephant.com/


Diese Beiträge könnten Dich ebenso interessieren:

Letzte Aktualisierung ( Sonntag, 18. Juli 2010 )
 
Benutzer Bewertung: / 1
SchlechtSehr gut 
< Zurück
JoomlaWatch Stats 1.2.9 by Matej Koval
Powered by Gerstmann.Com