topic Re: How to protect against spam in Operating System - Linux

How to protect against spam

Chan Choth PUTH — Tue, 10 Sep 2002 02:55:35 GMT

Dear Sir or Madam,

I have a problem with spam that always send to my organization. It uses my organization email address and then send to my organization that means it uses open@forum.org.kh and send to open@forum.org.kh. Do you have any idea how to protect against this spam? I have attached the message source to you. Thank you so much for your assistance.

Best regards,

Choth

Re: How to protect against spam

I_M — Tue, 10 Sep 2002 08:04:35 GMT

Hi

Does your server have multiple nics? Say 1 for internal and 1 for external.
If so, you may set ipchains / iptables rules not to receive incoming packets with internal address by your external NIC.

Regards,

Re: How to protect against spam

U.SivaKumar_2 — Tue, 10 Sep 2002 08:13:09 GMT

Hi,
mansari , Spamming is done through , open mail relays easily using SMTP commands.
spammer connects to your SMTP server from internet gives mail from: address as the user
in your domain ( fake address ) and mail to:
address as valid user in your domain.
Now if your mail server is not properly configured , it will accept the mail and will
sent to valid user with fake from address with
undesirable contents.
So packet filtering with ipfilter will not stop this.
Choth , what is the mail server you using ?
Configure it in such a way that it will not
accept mail from internet with sender domain
as your own domain. And also your mail server
should only accept mails meant for only your
own domain.

regards,
U.SivaKumar

Re: How to protect against spam

I_M — Tue, 10 Sep 2002 08:50:08 GMT

Thank you kumar,

I thought this is a "mail rely type spam". But now i understand that "from" and "to" are same.
So as you said, sendmail program have to handle this type of spam.
I have no idea how...

Regards,

Re: How to protect against spam

U.SivaKumar_2 — Tue, 10 Sep 2002 09:11:14 GMT

Hi,
This is a wonderful link which speaks about our topic.

http://www.usenix.org/publications/library/proceedings/lisa97/full_papers/22.harker/22_html/main.html

Also do this test on your mail server and get
back with results.
The most direct way to determine whether a sendmail daemon is an open mail relay is to try to use it as an open mail relay. We'll refer to the machine being tested as the target machine. We'll connect to the sendmail daemon on the target machine and type commands to it. To do so, telnet to port 25 of the target machine from another machine for which the target machine should not relay mail. The clearest example would be to connect from an internet service provider outside of IU. You might also connect from central machines. For example, to test muckraker.polysci.indiana.edu you might telnet from steel or from a machine in the ships cluster.

telnet muckraker.polysci.indiana.edu 25

The target machine will print a greeting, and the first thing that you will do is announce yourself. If you were coming from steel -

HELO steel.ucs.indiana.edu

The daemon will express its pleasure at meeting you and wait for input. Next we will tell it who mail is from.

MAIL FROM: hoagyc@steel.ucs.indiana.edu

The daemon should indicate that "Sender ok", and it will expect to be told who should receive the message.

RCPT TO: mortimer@hotmail.com

At this point, the daemon should reply with "Relaying denied". If it does not and it says that it is waiting for data, you have an open mail relay on your hands. To gracefully quit, enter the command

quit

regards,
U.SivaKumar

Re: How to protect against spam

Steven E. Protter — Tue, 10 Sep 2002 16:42:55 GMT

There is a lot you can do about spam.

Here is a summary.
Turn on your firewall. Take a look at the configuration of /etc/sysconfig/ipchains

This has a listing of the ports and what to do with the data.

Make sure its running and blocking ports.

You probably need to accept some kind of incoming mail, so you need to work with the sendmail configuration.

There is an important file called /etc/mail/access

It contains entries like this.
localhost RELAY

It can contain entries like this:

spammer REJECT

It can even reject with nasty little notes back to the spammer. Even if they've used a relay in use, there will e a response and the sysadmin will either figure it out or see his /var filesystem fill up, brining down his machine.

Quite effective.

After adding entries to this file, you'll need to run the m4 macro to integrate these changes into your sendmail configuration. Here is a complete script that does this and allows you to put some goodies into your sendmail.mc file making spam harder to get into your organization.

I always use the posix shell, because I'm primarly an HP-Ux geek.

#!/bin/sh

# A script designed to rebuild all relavent mail databases after a configuration
# change.
#
#

newaliases
cd /etc/mail
makemap -r -v hash access.db < access
makemap -r -v hash domaintable.db < domaintable
makemap -r -v hash genericstable.db < genericstable
makemap -r -v hash mailertable.db < mailertable
makemap -r -v hash virtusertable.db < virtusertable
cp /etc/sendmail.cf /root
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

echo "You need to edit the sendmail.cf file for localhost et al"
sleep 3
vi /etc/sendmail.cf
/etc/init.d/sendmail restart

The edit step reminds me to do a customization on the /etc/sendmail.conf file prior to running the daemon. I require customization to make my mail have the right hostname after this process. The sendmail.mc macro domain breaks my sendmail.conf file(lol).

The restart stuff is self evident.

Are we done? Hardly.

You need to consider what you are doiing about popmail. If your users are getting their mail into Microsoft mail clients with popmail, there is no need to open up port 110 to the world. Open it up only to your local network.

Now try this command at the command line.

sendmail -v -d38.2 youraddress@aol.com

You will see that AOL actually validates the domain name before it lets mail in.

You can nail a lot of spammers if you figure out how they do that.

Good Luck and feel free to contact me directly if you need further assistance. I learned sendmail the hard way, and still haven't turned on popmail.

Re: How to protect against spam

Malycha — Wed, 11 Sep 2002 06:41:43 GMT

Hi!
I had this problem some weeks ago with my private pop3-account. I searched up the web an found the following solution

http://sourceforge.net/projects/mailfilter

It is a nice program to define your own filter based on a line-defined description and it removes the mails directly on the server. You need not load down the message and filter it on your own machine. And it can check more than one account on it's own!

Regards
MM

Re: How to protect against spam

Craig Kelley — Wed, 11 Sep 2002 13:33:11 GMT

I use spamassassin:

http://spamassassin.taint.org/

With this procmail rule:

--- procmail cut here ---
MAILDIR=/home/ink/mail

:0:
* ^X-Spam-Status: Yes.*
caughtspam
--- procmail end here ---

This puts all my potential spam in a mailbox called "caughtspam", which I can occasionally check. For my users, I run spamassassin and simply have it alter the subject line of the message so that users can filter out spam with e-mail rules, if they want to. You have to tweak some of the default rules of spamassassin (whitelist), so it takes a week or two of fine-tuning before it does a really good job.

Re: How to protect against spam

Craig Kelley — Wed, 11 Sep 2002 14:31:25 GMT

Ooops, I accidentally truncated my procmail rule! The MAILDIR variable should point to where you keep your mailboxes. The first rule actually runs spamassassin on all incoming mail, and the second rule filtes all caught spam messages into the custom mailbox. You can raise and lower spamassassin's threshold for identifying spam (see the man page for Spamassassin::Conf) Here is my .procmailrc in full:

MAILDIR=/home/ink/mail

:0fw
| spamassassin -P

:0:
* ^X-Spam-Status: Yes.*
caughtspam

Re: How to protect against spam

Vincent Fleming — Wed, 11 Sep 2002 15:59:00 GMT

I've had good luck with the access database... but it always needs updating as new spam domains are created.

With /etc/mail/access, you can specify whole domains that should be rejected, like this:

spamdomain.com

In the man pages, there are lots of examples.

The biggest bang-for-the-buck came from rejecting those "web mailers" such as yahoo.com, hotmail.com, excite.com, etc. It seems that a lot of spam uses these as return addresses, even if they aren't actually delivered (or sent) from that service.

The next biggest effect I saw was from eliminating all 2-letter domains, such as anything ending in .tw .fr .ru and the like. In the access database you just specify:

fr
tw
ru

I actually wrote a simple shell script to generate all possible two-letter combinations and put all of them in the access database. These domains are all from outside the US, and since I don't have anyone I know of internationally that I need to email with, it works fine for me.

Between the two, I eliminate about 99% of my spam. Every once in a while I get a persistant spammer with return addresses other than the above, and I add them manually.

Good luck!