
Stopping Spam At The Sendmail® Mail Server

The challenge to the mail server administrator is to stop the spam without
blocking legitimate mail.


I think everyone understands that the spam problem is terrible, and I don't think
anyone would be surprised if they were told they've missed the occasional email
due to filters. The problem with filters is that spammers will find a way around them
and innocent mail will get caught in the crossfire. For example, if you block by
keyword, and your child is attending Middle$ex College in Massachusetts, mail
from them will be blocked by the boneheaded IT admins at your ISP.

You see, (and this is important), your average tech person is an idiot. If you've
ever spent any time on the phone dealing with them, you know what I mean.
Usually it's their second or third career, they are in most cases successful at
their previous job, and have educated themselves about their current job. Average
users are clueless about computers, and after enough people marvel over how
smart you are, your ego starts to swell and you start to think, "Hey, maybe I DO
know it all!". At that point, it's over. You always know better and that your way is best.
I speak from personal experience here.

So, fellow IT admins, a little advice: always listen to everybody and
always assume you're wrong, and you'll do better than otherwise.


Back to the topic:
The goal is to block the spam while being transparent to everybody else. I
am adamantly opposed to spam mail filters on the server. The mail server
admin has a duty to always keep mail coming and going, and to keep local
mail accounts private. Period. It's not for you to decide what the end user
gets, just as it's not for the Post Office to decide what snail mail you get.

First, reverse DNS checks.

Reverse DNS checks
In the old days, a person like you or me could set up a local Linux or
Windows server. Very convenient. To implement reverse DNS checks, you're
going to have to accept that those days are over.
If our big ISP players like Time-Warner and Comcast (it's comcastic!) wanted
to, they could almost completely end our spam problem. For example, Comcast
customers use an address like:
hsd1.sc.comcast.net
If those Comcastic geniuses would just block port 25 to all but their own mail
server, poof!, no mo spam from them.
My own ISP is great. It uses DHCP to assign me a dynamic IP. Here's a
typical example:
"adsl-75-9-216-67.dsl.crchtx.sbcglobal.net" at 75.9.216.67
And...they block outbound connections from my home to any port 25 except their
official mail server. And guess what? My server receives NO SPAM from
dsl.crchtx.sbcglobal.net! The crchtx part is Corpus Christi, Texas. I get no spam
from any other city/state combo they service. Very smart people. Hats off to
them. Three cheers. Huzzah! Twenty-three skidoo!

My server has been attacked from hargray.net a lot the past couple of weeks.
Here's a log snippet:
Oct 1 06:11:37 server sendmail[25762]: k91BBaqE025762: ruleset=check_rcpt, arg1=, relay=64.203.236.123.static-pool-1.pool.hargray.net [64.203.236.123]
So what is the logic in allowing static-pool-1.pool.hargray.net to connect out to
port 25? Why not restrict outbound connections to port 25 to the hargray mail server?

Step 1 - Configure the sendmail.cf file
So the first order of business is to configure my mail server. I generate the sendmail.cf file from a sendmail.mc like this one:
# consult the docs
dnl sendmail.mc: run it through m4 with the sendmail cf.m4 to produce sendmail.cf
OSTYPE(linux)dnl
DOMAIN(generic)dnl
dnl the /etc/mail/access map, filled in under Step 2
FEATURE(access_db)dnl
FEATURE(virtusertable)dnl
FEATURE(genericstable)dnl
FEATURE(always_add_domain)dnl
dnl lets access map entries reject mail to specific local recipients as well
FEATURE(blacklist_recipients)dnl
FEATURE(smrsh)dnl
dnl refuse UUCP-style bang-path addresses outright
FEATURE(`nouucp',`reject')dnl
dnl run the relay/sender checks at RCPT time; a "Spam:user@host FRIEND" access entry exempts that recipient
FEATURE(`delay_checks',`friend')dnl
dnl reverse DNS check; HACK() expects the file hack/require_rdns_2.m4 in the cf tree
HACK(`require_rdns_2',`reject')dnl
MAILER(local)dnl
MAILER(smtp)dnl
Note that there are no black hole blocks. Black hole blocks are the work of Satan. Use
them at the risk of Eternal Damnation. Your users will hate you, as will animals and little
children. Your crops will wither. Your livestock will give sour milk.
This guy has a HACK to do reverse DNS checks that I really like. After many months I've
had no complaints of missed mail:
http://blogs.sun.com/roller/resources/jbeck/require_rdns.m4

The only thing this does is separate out the obvious spammers and the home-server types.
Former: die. Latter: sorry. Get with the times. Those days should be over.
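The forward-confirmed reverse DNS decision that hack makes, as an added example in Python (my code, not the author's setup and not the require_rdns m4 hack itself). It resolves through an injected lookup function fed with constructed records so it runs offline, and keeps a missing or non-matching PTR (reject) apart from a DNS timeout (tempfail), which a production rule must never turn into a 5xx.

```python
import ipaddress
from typing import Callable, Iterable

# Lookup hook: (name, "PTR"|"A") -> answers; an empty list means NXDOMAIN/no data,
# TimeoutError means a temporary failure.  Injected so the example runs offline.
Resolver = Callable[[str, str], Iterable[str]]

# Constructed records (not real DNS data).  The sbcglobal name is the page's own
# example of a pool whose names round-trip; the example.net pool does not.
FAKE_DNS = {
    ("67.216.9.75.in-addr.arpa", "PTR"): ["adsl-75-9-216-67.dsl.crchtx.sbcglobal.net"],
    ("adsl-75-9-216-67.dsl.crchtx.sbcglobal.net", "A"): ["75.9.216.67"],
    ("7.100.51.198.in-addr.arpa", "PTR"): ["host-7.pool.example.net"],
    ("host-7.pool.example.net", "A"): ["198.51.100.8"],   # PTR does not point back
    ("8.2.0.192.in-addr.arpa", "PTR"): "TIMEOUT",          # simulated lame delegation
    # 192.0.2.10 has no PTR record at all
}

def fake_resolver(name: str, rtype: str):
    answer = FAKE_DNS.get((name, rtype), [])
    if answer == "TIMEOUT":
        raise TimeoutError(f"simulated DNS timeout for {name}/{rtype}")
    return answer

def rdns_verdict(ip: str, resolve: Resolver = fake_resolver) -> str:
    """Forward-confirmed reverse DNS check on a connecting client address.

    Returns "accept", "reject" (permanent 5xx) or "tempfail" (4xx): the three
    outcomes a check_relay-style rule has to keep apart.
    """
    ptr_name = ipaddress.ip_address(ip).reverse_pointer
    try:
        names = list(resolve(ptr_name, "PTR"))
    except TimeoutError:
        return "tempfail"      # a DNS hiccup must not become a hard reject
    if not names:
        return "reject"        # no PTR: the unmanaged home-server / zombie case
    for name in names:
        try:
            addrs = set(resolve(name.rstrip("."), "A"))
        except TimeoutError:
            return "tempfail"
        if ip in addrs:
            return "accept"    # PTR -> A round-trips to the connecting address
    return "reject"            # PTR exists but names a host that is not this IP
```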


Step 2 - Set up the /etc/mail/access file
Next, and most troublesome, is the access file that blocks the cable modems, dsl modems,
and other illegitimate mail servers. Almost all of them are zombie machines with a rogue SMTP
server, and most spam comes from them. Show them no mercy.

Here is my own /etc/mail/access file:
//www.fiveanddime.net/ss/etc-mail-access.html

It will never be finished as long as the major ISPs have no incentive to do their job correctly.
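To build those access entries from the server's own logs rather than by hand, an added example in Python (my code, not the author's access file). It parses lines in the format of the log snippet above, peels the per-host labels off each relay name to find the pool suffix, and emits Connect: REJECT lines for /etc/mail/access. The sample log lines and every marker beyond the names the page itself shows are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines in the format of the page's snippet (not real traffic).
SAMPLE_LOG = """\
Oct 1 06:11:37 server sendmail[25762]: k91BBaqE025762: ruleset=check_rcpt, arg1=, relay=64.203.236.123.static-pool-1.pool.hargray.net [64.203.236.123]
Oct 1 06:12:02 server sendmail[25770]: k91BC2qE025770: ruleset=check_rcpt, arg1=, relay=64.203.236.200.static-pool-1.pool.hargray.net [64.203.236.200]
Oct 1 06:13:40 server sendmail[25781]: k91BDeqE025781: ruleset=check_rcpt, arg1=, relay=mail.example.org [192.0.2.25]
Oct 1 06:15:11 server sendmail[25790]: k91BFBqE025790: ruleset=check_rcpt, arg1=, relay=[198.51.100.9]
"""

RELAY_RE = re.compile(r"relay=(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[\d.]+)\]")
DIGIT_RUNS = re.compile(r"\d+")
# Label fragments that mark consumer address pools: the first three appear in the
# page's own examples, the rest are common naming conventions (assumption).
POOL_MARKERS = ("static-pool", "dsl", "hsd1", "pool", "dhcp", "dyn", "cable", "ppp")

def parse_relays(log_text):
    """Yield (hostname or None, ip) from sendmail log lines carrying relay=."""
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            yield m.group("host"), m.group("ip")

def pool_domain(host):
    """Suffix of a pool hostname that an access-map Connect: entry should key on,
    or None when the name does not look like a consumer pool."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    # Drop leading per-host labels: bare octets or labels with 2+ digit runs
    # (e.g. 64.203.236.123.static-pool-1... or adsl-75-9-216-67.dsl...).
    while labels and (labels[0].isdigit() or len(DIGIT_RUNS.findall(labels[0])) >= 2):
        labels.pop(0)
    if len(labels) < 3 or not any(mk in labels[0] for mk in POOL_MARKERS):
        return None
    return ".".join(labels)

def suggest_access_entries(log_text):
    """Count pool domains seen in the log and render REJECT lines for /etc/mail/access."""
    seen = Counter(d for d in (pool_domain(h) for h, _ in parse_relays(log_text)) if d)
    return [f"Connect:{dom}\tREJECT" for dom, _ in seen.most_common()]
```

Sendmail looks the client name up in the access map by progressively dropping leading labels, so one Connect: entry for the pool suffix covers every host in it; the bare-IP line with no reverse name is left to the rDNS hack from Step 1.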


That's pretty much it, Mr. and Mrs. Administrator. Go forth and be fruitful. And model your own
server admin slogan after Google: 'Do No Evil'.

© BRENT KEVIN KRKOSSKA