Anti-Spam
As far as Unix mail server software goes, sendmail is a pain. But it's been
around for so long that I know its configuration ins and outs very well.
When I started working with sendmail configs it was back before the m4 days,
when you had to work directly with the "line noise" rules. Thank God I
haven't had to do that for quite a while!! So the real reason I use sendmail
for my mail server isn't because I think it's better than qmail, Postfix, or
exim, etc. It's simply that I've already done some really complicated mail
hosting stuff with sendmail. And at least with sendmail you can find a
wealth of detailed documentation, both online and in print. The docs for the
other guys are meager in comparison. Also, whenever I've a problem with
sendmail, I can almost guarantee that a google search will find some
exposition by someone who's already dealt with the issue successfully. The
short of it then, is this: If you don't want to use sendmail, for whatever
reason, then don't. But I do, and the reason for this little blurb is
not to do sendmail evangelism, but to instead disclose my sendmail anti-spam
tricks. For that matter, these techniques can be applied to most mail
servers. On to the nitty gritty...
My steps to curtail spam for my domain:
- I (almost) never, ever publish my e-mail addresses on any web site.
It's a well-established fact that e-mail addresses published on web sites
get harvested for spam by automated programs, and rather quickly and
voluminously at that. I've only ever published one e-mail address on the
web, and I am still amazed that the address is still prolifically used by
spammers in spite of the fact that it's been unavailable for quite some
time. This only serves to strengthen my conviction that one should never
publish one's e-mail address on web sites.
I've been told that this technique is counter-productive in a day and age
when e-mail communication is almost ubiquitous. However, there are ways
to inform web users of your address without ever displaying the address
itself. My own web site is a case in point (see my
contact info page). Note that I describe my e-mail address in such
a way that someone should be able to figure out what it is without too
much difficulty, whereas a software program designed to automatically
harvest e-mail addresses would be virtually unable to do so.
Not only do I describe my address, I take into account that some folks
may not be able to figure out my description, and therefore add a
contact form to my web site.
Bear in mind, though, that much of the freely available software for
creating web contact forms is not written securely, and can be abused to
relay spam. The most reliable way to secure a form-mail program is to
hard-code the recipient address in the program itself. Any form-mail
program that lets the HTML of a web page (a hidden field, say) determine
the e-mail's recipient can be abused as a spam relay, because an attacker
can post the form with any recipient he likes, no browser required. Thus
I've written my contact-form software so that the e-mail can only be
sent to my address.
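To make the relay problem concrete, here is an added example (not the author's contact-form code) of a form-mail handler that takes the recipient from the submitted form, beside one that hard-codes it. The hardened version also refuses header fields containing line breaks, since a Subject or From value with an embedded newline would otherwise let the client inject extra headers such as Bcc. SITE_OWNER, the webform@example.com From address and the address pattern are assumptions for the example.

```python
"""Form-mail handler that lets the page choose the recipient (abusable as a
spam relay), beside one that hard-codes the recipient and refuses header
fields containing line breaks. Example added to this page; the author's
own contact-form software is not shown here."""
import re

SITE_OWNER = "owner@example.com"   # hypothetical recipient (assumption)
ADDRESS_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")   # deliberately simple


class FormError(ValueError):
    """Submission rejected before any mail is built."""


def vulnerable_build(form: dict) -> tuple[str, str]:
    """Insecure: the hidden 'recipient' field and the unchecked Subject/From
    come straight from the client, so anyone can post the form (no browser
    needed) to mail arbitrary addresses or inject extra header lines."""
    to = form["recipient"]
    headers = (f"To: {to}\r\n"
               f"From: {form.get('from', '')}\r\n"
               f"Subject: {form.get('subject', '')}\r\n")
    return to, headers + "\r\n" + form.get("message", "")


def hardened_build(form: dict) -> tuple[str, str]:
    """The recipient is fixed in code; client-supplied fields are validated,
    and anything that could terminate a header line is refused, not stripped."""
    sender = form.get("from", "").strip()
    subject = form.get("subject", "").strip()
    for name, value in (("from", sender), ("subject", subject)):
        if "\r" in value or "\n" in value:
            raise FormError(f"line break in {name}")
    if not ADDRESS_RE.match(sender):
        raise FormError("invalid sender address")
    headers = (f"To: {SITE_OWNER}\r\n"
               f"From: webform@example.com\r\n"      # the site's own address (assumed)
               f"Reply-To: {sender}\r\n"             # the visitor goes in Reply-To, not From
               f"Subject: {subject[:200]}\r\n")
    return SITE_OWNER, headers + "\r\n" + form.get("message", "")


def would_reject(form: dict) -> bool:
    """Yes/no wrapper around hardened_build for callers that only need a verdict."""
    try:
        hardened_build(form)
    except FormError:
        return True
    return False
```

Note that the hardened handler ignores any recipient field entirely rather than validating it: there is no legitimate reason for the page to tell the server where the mail should go.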
- I use the following two (and only two) DNS-based blocklists (DNSBLs,
commonly called RBLs, "Real-time Blackhole Lists").
These two lists have a solid reputation for blocking real spam without
false positives. Many of the others either produce too many false
positives, or offer no way for the poor sysadmin to have a server's IP
address removed from the list once the problem has been fixed. For this
reason I recommend that RBLs other than these two be avoided.
- sbl-xbl.spamhaus.org
The folks at spamhaus work diligently to find and list what I like
to refer to as the "repeat criminal spammers". For details on
this list see http://spamhaus.org.
- list.dsbl.org
My understanding of this list is that it targets IP addresses of
mail servers that are proven to be open relays. They also have a
policy and procedure in place by which sysadmins can get their
servers off the list once the open relay has been fixed. For
details, see http://dsbl.org.
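How a DNSBL lookup actually works is worth seeing once, because it explains both why the lists are cheap to consult and how a misconfigured resolver can turn every lookup into a false "listed" verdict. The following is an added example, not code from the page: it builds the reversed-octet query name (nibble-reversed for IPv6) for the two zones named above, and treats only answers inside 127.0.0.0/8 as a listing, which is the convention these lists use. The stub resolver in the test is constructed; in sendmail the same check is enabled with the dnsbl FEATURE in sendmail.mc.

```python
"""Query a DNS-based blocklist the way an MTA does: reverse the client's
address, append the zone, and look for an A record in 127.0.0.0/8.
Example added to this page; the zone names are the two from the text.
sendmail.mc equivalent: FEATURE(`dnsbl', `sbl-xbl.spamhaus.org')"""
import ipaddress
import socket

ZONES = ("sbl-xbl.spamhaus.org", "list.dsbl.org")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """192.0.2.10 in zone Z becomes 10.2.0.192.Z; IPv6 uses reversed nibbles."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def default_resolve(name: str):
    """Resolve an A record, returning None for NXDOMAIN (the common case)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip: str, zones=ZONES, resolve=default_resolve):
    """Return (zone, answer) for the first zone that lists ip, else None.

    Only answers in 127.0.0.0/8 count as a listing. A public-routable answer
    means something between you and the list is lying (for example a resolver
    that rewrites NXDOMAIN to a search page), and must not block mail."""
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            return zone, answer
    return None
```

The answer value carries meaning (Spamhaus, for instance, uses different 127.0.0.x codes for its sub-lists), so a real deployment would log it alongside the rejection.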
- I use greylisting.
A mail server that is set up correctly will attempt to deliver mail to a
recipient's server, and if it can't, for whatever reason, it will queue
the e-mail for later attempts. Spammers, on the other hand, know that
most of the mail they try to send is going to invalid addresses, and
don't want millions of bounces clogging up their works. So they often
use a "dump-or-run" strategy for mail delivery. In other words, if their
delivery software can't immediately hand the message to your mail server,
it just moves on to the next server on the list. Fortunately, the SMTP
protocol allows a receiving server to answer a delivery attempt with a
temporary failure (a 4xx response such as 451), meaning "not now, try
again later", and a properly run sender must queue and retry. Greylisting
uses that fact to fight spammers: the first time a new combination of
connecting IP address, envelope sender and recipient (the "triplet" that
milter-greylist records) shows up, the server answers with a temporary
failure and remembers the attempt. A retry after a predetermined delay is
accepted, and that combination is then let through without delay. Hence
when spammers connect to my mail server and get the "Unavailable, please
try again in five minutes" message, they move on and don't bother coming
back. It's similar to what some people do when door-to-door salesmen come
knocking: If they don't answer the door, the salesmen move on to the next
house and usually don't come back.
The only disadvantage to this technique is for the people who have
foolishly come to rely on e-mail as a form of rapid or instantaneous
communication, as it introduces delays in e-mail propagation. My
response is that e-mail was never designed for instant delivery--If you
need rapid/instant communication, use the appropriate tools: telephones,
fax machines, instant messaging, and web download sites. Relying on
e-mail for instant delivery is like relying on a hammer to dig a hole.
You can do it, but it's the wrong tool for the job.
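The decision logic behind greylisting is small enough to show whole. The following is an added example (not milter-greylist's code) keyed on the (client network, sender, recipient) triplet: the first attempt gets a 451, a retry that arrives before the delay has elapsed gets another 451, a retry after the delay is accepted and the triplet is then trusted for a while, and a triplet that never comes back is forgotten. The five-minute delay, the retry window, the auto-whitelist period and the /24 and /64 client masks are assumptions for the example; milter-greylist has its own defaults and a subnetmatch option for the mask.

```python
"""Greylisting keyed on the (client network, envelope sender, envelope
recipient) triplet, the way milter-greylist records it. Example added to
this page; the timings are assumed, not taken from the author's setup."""
import ipaddress
import time

DELAY = 5 * 60             # a new triplet must wait this long before a retry is accepted
RETRY_WINDOW = 36 * 3600   # a triplet never retried within this window is forgotten
AUTOWHITE = 3 * 24 * 3600  # a proven triplet is accepted without delay for this long

TEMPFAIL = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "OK")


class Greylist:
    def __init__(self, delay=DELAY, retry_window=RETRY_WINDOW, autowhite=AUTOWHITE):
        self.delay, self.retry_window, self.autowhite = delay, retry_window, autowhite
        self.pending = {}    # triplet -> time of first attempt
        self.whitelist = {}  # triplet -> expiry time

    @staticmethod
    def triplet(client_ip: str, sender: str, rcpt: str):
        """Large senders retry from another host in the same pool, so the
        client address is masked (/24 and /64 are assumed here), and the
        addresses compare case-insensitively."""
        addr = ipaddress.ip_address(client_ip)
        mask = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return str(net), sender.lower(), rcpt.lower()

    def check(self, client_ip: str, sender: str, rcpt: str, now=None):
        """Return the SMTP reply (code, text) for this delivery attempt."""
        now = time.time() if now is None else now
        key = self.triplet(client_ip, sender, rcpt)

        if self.whitelist.get(key, 0) > now:
            self.whitelist[key] = now + self.autowhite   # keep active senders whitelisted
            return ACCEPT
        self.whitelist.pop(key, None)                     # expired entry, if any

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now                       # first sighting: start the clock
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                               # came back too soon; keep waiting
        del self.pending[key]                             # retried like a real MTA: trust it
        self.whitelist[key] = now + self.autowhite
        return ACCEPT
```

A dump-or-run spammer only ever exercises the first branch, so the table fills with pending entries that expire unused; that is the expected steady state, not a leak, but it is why the retry window should not be unbounded.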
The greylist software that I use also implements SPF (Sender Policy
Framework) checking, and will reject e-mail whose sender domain publishes
an SPF record that does not authorize the connecting server (an SPF
"fail"); thus another cog in my anti-spam machine.
But before you start arguing that "spammers can set up SPF-compliant
servers too", think about this: The spammer's own SPF records can then be
used against him for blocking (and for the ethically challenged among us,
for retaliation). I've yet to see that actually happen, but it won't
surprise me when it does.
The website for the greylist software that I use is at
http://hcpnet.free.fr/milter-greylist/.
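What an SPF "fail" means in practice is clearer with the evaluation written out. The following is an added example, not milter-greylist's code (which delegates SPF evaluation to a library): a deliberately minimal evaluator that handles the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers, and returns permerror for anything it does not implement (a, mx, exists, redirect all need further DNS). The records in the test are constructed, supplied through a lookup callable in place of DNS TXT queries.

```python
"""Minimal SPF (RFC 7208) evaluation for the ip4/ip6/include/all mechanisms.
Example added to this page; not the evaluator milter-greylist uses."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 limits DNS-querying terms; a loop guard here


def check_spf(client_ip: str, domain: str, lookup, depth: int = 0) -> str:
    """Return pass, fail, softfail, neutral, none or permerror for a message
    whose envelope sender is in `domain`, delivered from `client_ip`.
    `lookup(domain)` returns the domain's SPF record text, or None."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup(domain)
    if record is None:
        return "none"                           # no policy: nothing to enforce
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:                      # mechanisms are evaluated left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"
            matched = ip in net                 # False when the IP versions differ
        elif name == "include":
            inner = check_spf(client_ip, arg, lookup, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"              # an include must resolve to a usable policy
            matched = inner == "pass"
        else:
            return "permerror"                  # a, mx, exists, redirect: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # ran off the end without an explicit all


def spf_rejects(client_ip: str, sender: str, lookup) -> bool:
    """The policy the text describes: reject only on a definite SPF fail."""
    domain = sender.rpartition("@")[2].lower()
    return check_spf(client_ip, domain, lookup) == "fail"
```

Rejecting only on "fail" is the conservative choice: "softfail" and "neutral" are the domain owner explicitly declining to make a hard statement, and "none" means no policy at all, so none of them justify a 5xx on their own.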
- I use a custom "Not-Me" sendmail milter (a.k.a. filter).
As part of the SMTP protocol, a mail server that connects to your mail
server is supposed to announce itself in the HELO/EHLO command with either
its host name or its IP address (as a bracketed address literal). The
last time I checked, sendmail still accepted an announcement of its own
IP address from the connecting mail server, which then allowed the
connecting server to freely relay to any e-mail address. I'm not the
only one to discover this, as I've seen more than a few spammers take
advantage of this flaw. In retaliation, I created my custom milter,
which I call the "notme milter". It determines whether the connecting
server's announcement is an IP address, and if so compares it to the
actual IP address of the connection. If they do not match, it rejects the
mail. I've made it available as a gzipped source tarball for downloading under the
GNU General Public License.
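The check the notme milter performs, as an added example written from the description above rather than taken from the author's tarball: parse the HELO/EHLO argument, and if it is an address literal ([192.0.2.1] or [IPv6:2001:db8::1], or the bare dotted quad that some broken clients send), compare it with the address the connection actually came from. A client claiming the server's own address from somewhere else fails this comparison like any other mismatch, which is the case the text is concerned with. The reply text is an assumption.

```python
"""HELO/EHLO address-literal check in the spirit of the "notme" milter.
Example added to this page; not the author's milter source."""
import ipaddress

ACCEPT = (250, "OK")


def helo_ip_literal(helo: str):
    """Return the IP address a HELO/EHLO argument claims, or None when the
    argument is a host name. Handles RFC 5321 literals ([192.0.2.1],
    [IPv6:2001:db8::1]) and the bare dotted quad seen in the wild."""
    s = helo.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
        if s[:5].lower() == "ipv6:":
            s = s[5:]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None                 # a name (or junk), not an address literal


def notme_check(helo: str, peer_ip: str):
    """Reply to use for the HELO/EHLO command: reject when the client
    announces an IP address that is not the one it connected from."""
    claimed = helo_ip_literal(helo)
    if claimed is None:
        return ACCEPT                # names are someone else's problem (DNS, SPF)
    if claimed != ipaddress.ip_address(peer_ip):
        return (550, f"5.7.1 HELO {helo.strip()} is not your address ({peer_ip})")
    return ACCEPT
```

Comparing parsed addresses rather than strings matters for IPv6, where 2001:db8::1 and 2001:0db8:0000::0001 are the same host.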
- I actively add addresses to the sendmail access database for blocking.
When I receive spam, I add the offending IP address (or e-mail address if
it's from a legitimate e-mail address such as accounts from hotmail or
yahoo) to sendmail's access database for blocking (a Connect: entry for
an IP address, a From: entry for a sender address, with the map rebuilt
by makemap). It's a (mostly) manual process, but the longer I've an
Internet e-mail presence, the more effective I become at blocking spam.
Whether it proves worth the effort in the long run remains to be seen.
But then isn't that the situation we're all in?
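The access database is more useful once you know how sendmail matches against it: an IP key is tried in full and then with trailing octets dropped, so a Connect:198.51.100 entry covers the whole /24 while a more specific entry for one host wins; a sender address is tried in full, then by domain and its parent domains, then as user@ alone. The following is an added example (not sendmail's code) that models that progressive lookup over a constructed access file, so you can see which entry a given connection or sender will hit before you rebuild the map with makemap.

```python
"""Model of sendmail access-map lookups (Connect: and From: tags) with the
progressive key shortening sendmail's documentation describes. Example
added to this page; the access-file contents are constructed."""

ACCESS_TEXT = """\
# constructed example of /etc/mail/access (not the author's file)
Connect:192.0.2.10         REJECT
Connect:198.51.100         550 Spam source, go away
Connect:198.51.100.7       OK
Connect:bulk.example.org   REJECT
From:spammer@hotmail.com   REJECT
From:bulk.example.org      DISCARD
From:nobody@               REJECT
From:example.com           OK
"""


def parse_access(text: str) -> dict:
    """Key (lowercased, as hash maps compare case-insensitively) -> action."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)      # key, then the rest of the line
        table[key.lower()] = value.strip()
    return table


def connect_candidates(client: str) -> list:
    """Full IP/host first, then progressively shorter prefixes/parent domains."""
    if client.replace(".", "").isdigit():     # IPv4 literal
        parts = client.split(".")
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    labels = client.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def from_candidates(address: str) -> list:
    """user@host.dom, then host.dom and its parents, then user@ alone."""
    address = address.lower()
    user, at, domain = address.rpartition("@")
    labels = domain.split(".")
    cands = [address] + [".".join(labels[i:]) for i in range(len(labels))]
    if at:
        cands.append(user + "@")
    return cands


def _lookup(table: dict, tag: str, candidates: list):
    for cand in candidates:                   # first (most specific) hit wins
        action = table.get(f"{tag}:{cand}".lower())
        if action is not None:
            return action
    return None


def lookup_connect(table: dict, client: str):
    return _lookup(table, "Connect", connect_candidates(client))


def lookup_from(table: dict, sender: str):
    return _lookup(table, "From", from_candidates(sender))
```

The specific-beats-general order is why an OK entry for one host inside a blocked /24 works, and also why a careless From:com style entry would swallow far more than intended.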