[SUMMARY] Unwanted SPAM

Jim Harmon (jharmon@telecnnct.com)
Thu, 01 May 1997 19:04:05 -0400

Hello, fellow SM's...

This has been an enlightening response session. <smile> I apologize in
advance for the length of this bugger:

To Summarize, as is the custom, I'm giving my thoughts, the list of
suggestions, and the list of contributors...

Subject:

I requested help with blocking SPAM of the XXX variety one of my users
is receiving, at a rate of 2-3 notices per day. I asked if there were
any good ways to handle the problem, and received 23 responses. I
expect at least 10 more by EOB tomorrow.

Overview of suggestions:

One of the responders requested this summary.

Another suggested that this is an off-topic request for Sun Managers.
(Following a recent series of off-topic flames on
WWW-Security@ns2.rutgers.edu, --I wasn't a participant--)

I understand and appreciate that POV (point of view)
No more need be said. :)

By far the largest group of responses said "Move to Sendmail 8.8.5" and
use the built-in blocking features for domains and servers.

Another large segment pointed to a "Blacklist" site that is operated to
warn SPAMMERS that SPAM won't be tolerated in a self-policing
heterogeneous world-internet. A milder (kinder/gentler?) site that
performs a similar function with less direct means was also suggested.

The idea is that anyone who uses my system to post their
unrequested junkmail is liable to pay rent on my system for
each occurrence found. A number of sample "legalese" notices
are shown, and different methods of applying the notices
were discussed. Very thorough. Very time consuming.

procmail and Qmail were also suggested.

As mentioned in my request, the user is a POP3 client, POP pulls the
client's messages from the spool directory. Sendmail checks your
.forward file before putting messages in the spool directory.

The questionable mail goes to the mail spool directory, and therefore is
filterable using .forward and filter-rules. (or procmail)

Before I list the links and suggestions below, here's what I think my
strategy will be, and why:

First, collect the various sources of SPAM for about a week.
(the user has been trashing them as they come in, as many
are rather suggestive, and the user is sensitive to this
cr*p, so I need to build a list of the offenders.)

Second, build a .filter for the user that redirects all such
SPAM from these sources into a collection bin, where I can
set up statistical parsing, to build a case file.

Next, build the parsing tool with Perl or awk to grab the
vendor information from each heading, build a list of
occurrences, classify the "ads" into mild, rude, and offensive,
then:

Parse the Blacklist and other lists mentioned in the links
below to find the actual sources of the SPAM.

Last, in the tone of the Anti-Spam Declaration described below,
I'll notify each of the vendors, their ISP's, postmasters, and
agents that can be identified, that we do not accept their
material, and that from that notice on, we will bill for
previously recorded instances as well as new ones, an amount
(TBD) for the time they've wasted on our systems, and
for my labor responding to their SPAM.

I know that there is little chance of collection, but as a stratagem, it
gives us a history and point of reference to make claims of harassment,
as well as a few other nifty legal postures described in the links.
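The "statistical parsing" step above, as an added example that is not part of the original post: a small awk tally run over the collection bin the .forward/procmail filter fills. It assumes the bin is an mbox-format file (messages separated by "From " lines); the three sample messages, their domains and addresses are constructed placeholders.

```shell
# Added example (not from the original post): tally the SPAM collection bin.
# Assumes the .forward/procmail filter dumps flagged messages into an
# mbox-format file, where each message starts with a "From " separator.
# The sample mbox below is constructed; domains are placeholders.
SPAMBIN=$(mktemp)
cat >"$SPAMBIN" <<'EOF'
From bulk@spammer.example Thu May  1 10:00:00 1997
Received: from relay.spammer.example ([192.0.2.10]) by mailhost.example.com with SMTP
From: "Great Offer" <bulk@spammer.example>
Subject: Unsolicited offer #1

body one
From news@ads.example Thu May  1 11:00:00 1997
Received: from mx.ads.example ([198.51.100.7]) by mailhost.example.com with SMTP
From: news@ads.example
Subject: make money fast

body two
From bulk@spammer.example Thu May  1 12:00:00 1997
Received: from relay.spammer.example ([192.0.2.10]) by mailhost.example.com with SMTP
From: bulk@spammer.example
Subject: Unsolicited offer #2

body three
EOF

# Print "count domain relay-host" per sender domain, most frequent first.
# Uses the From: header plus the first Received: hop of each message; the
# envelope "From " line is only used as the message separator, since the
# claimed sender is easy to forge and the relay host is the better lead.
spam_tally() {
    awk '
        /^From / { inhdr = 1; dom = ""; relay = ""; next }
        inhdr && /^$/ {
            if (dom != "") { n[dom]++; r[dom] = relay }
            inhdr = 0; next
        }
        inhdr && /^From:/ {
            addr = $0; sub(/.*@/, "", addr); sub(/[> ].*/, "", addr); dom = addr
        }
        inhdr && /^Received: from / && relay == "" { relay = $3 }
        END { for (d in n) printf "%d %s %s\n", n[d], d, r[d] }
    ' "$1" | sort -rn
}

spam_tally "$SPAMBIN"
```

The output is the per-source occurrence list the case file needs; the relay column is what to look up in the blacklists linked below.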

Thank you for all the suggestions, and after this is all through, we'll
be discussing the upgrade to sendmail 8.8.5 for more expansive control.

To contributors, to shorten the summary, I cut liberally. Can you
forgive me? :) Thanks!

----------------------------------cropped suggestions:--------------

install Sendmail 8.8.5.

Check out www.sendmail.org/anitspam.html for some good info on this
topic

-------------------------

[CITE: 47USC227]
TITLE 47--TELEGRAPHS, TELEPHONES, AND RADIOTELEGRAPHS
CHAPTER 5--WIRE OR RADIO COMMUNICATION
SUBCHAPTER II--COMMON CARRIERS
Sec. 227. Restrictions on use of telephone equipment

(summary: In the US, it's illegal to send stuff via electronic means to
someone they haven't asked for, and a citizen can sue
the sender for actual damages or $500.00 PER OCCURRENCE,
whichever is GREATER.)

[long and very legal doc cropped]

-------------------------

Look into procmail, it supposedly dovetails into sendmail to handle
filtering mail.

-------------------------

See

http://www.junkbusters.com/
http://www.junkbusters.com/ht/en/junkemail.html

-------------------------

1) Recompile sendmail (you might want to upgrade to 8.8.5, too) with
TCP Wrapper Library Support. Result: No Host you choose to forbid
in /etc/hosts.{allow,deny} can *connect* to your Mailhost. (Don't
forget any MXes you might have.)

2) In Order to reject Mail naming specific Domains in the *Headers*,
use the following (rumoured to become a FEATURE() in future sendmail
Versions) in your mc Source:

LOCAL_RULE_0
R$* < @$*$=K . > $* $#error $@ 5.7.1 $: "Whatever Error Message"
R$* < @$*$=K > $* $#error $@ 5.7.1 $: "Whatever Error Message"
LOCAL_CONFIG

FK /some/file/which/lists/blacklisted/domains

Of course, this is relatively easy to fool.

3) While at it, enable FEATURE(local_procmail) and MAILER(procmail)
(the former allowing the User, the latter the Sysadmin to use
procmail to process incoming Mails, which is a quite powerful
Tool).

.forward gets applied whenever sendmail decides to try to deliver the
Mail into a local User's Mailbox. .procmailrc (with procmail being
made the local Mailer) is procmail's Version of it. If I remember
correctly, POP serves Mails out of normal User Mailboxes - which
would imply that .forward gets applied to them.

-------------------------

Check out http://spam.abuse.net/spam/ for multiple ways of blocking
SPAM.

Check out news.admin.net-abuse.email for the current highlights on the
... spamming...

-------------------------

http://www.sendmail.org/antispam.html
http://spam.abuse.net/spam/tools/mailblock.html

-------------------------

http://www.informatik.uni-kiel.de/~ca/email/english.html

-------------------------

http://www.informatik.uni-kiel.de/%7Eca/email/check.html
http://www.nepean.uws.edu.au/users/david/pe/blockmail.html
http://www.cl.cam.ac.uk/spam/

-------------------------

You can use procmail in .forward (you deliver to the spool directory,
right?)

ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/
http://www.jazzie.com/ii/internet/procmail/

-------------------------

http://digital.net/~gandalf/spamfaq.html

Also, you might want to (as many others have done) block IP connectivity
to cyberpromo.com and AGIS, both of whom are spam ISP's (well, AGIS does
some other stuff besides, but they have spam-friendly policies)

As a note, cyberpromo is run by the same guy who is credited with being
the annoyance that led to the junk fax laws. Gotta love it.

-------------------------

Much info on this can be found at the AntiSPAM site,
http://www.vix.com/spam/

-------------------------

Qmail is significantly more secure and faster than sendmail, and most
important for you, lets you specify a list of domains from which to
refuse mail (the badmailfrom list).

We are using qmail on Solaris 2.5.1 on the mail gateway at a 15,000
person company and have been quite satisfied with it.

Check it out at http://www.qmail.org .

-------------------------

Thanks to:

Mark Baldwin
Rick Fincher
Johnie Stafford
Jon Diekema
Phil Poole
Jochen Bern
Stephen Harris
Craig Raskin
Gnuchev Fedor
Mick Morgan
Claus Assmann
Michael Neef
Jeff Gelb
Michael Kohne
Reto Lichtensteiger
John Bradley
Derek Schatz
Carlo Musante
Benjamin Cline
mlroberts@dow.com
jstanley
Michael Gordon
Alfredo Sola

-- 
   Jim Harmon                           The Telephone Connection
jim@telecnnct.com                          Rockville, Maryland