>Date: Mon, 24 Jan 2000 18:00:46 +0100
>To: [EMAIL PROTECTED]
>From: "Dr. Erwin Hoffmann" <[EMAIL PROTECTED]>
>Subject: QMAIL 1.03 SPAMCONTROL Patch
>X-Attachments: E:\QMail\patches\spampatch.tgz;
>
>Hi,
>
>I would like to give my SPAMCONTROL patch for QMAIL 1.03 to the public.
>Here's the contents of the README:
>
>PURPOSE
>-------
>
>The SPAMCONTROL patch is intended for environments where some local
>E-Mail systems are used (eg. Lotus Notes) and QMAIL 1.03 is facilitated
>as a RELAY to the Internet. This may be called an E-Mail Gateway.
>
>In this case, QMAIL-SMTPD receives all OUTGOING E-Mails from the local
>environment and delivers them to MTAs on the Internet.
>Additionally, QMAIL-SMTPD should solely receive those INCOMING
>Internet E-Mails which are targeted for the local E-Mail systems.
>In particular, QMAIL should not forward any E-Mail to third party
>MTAs.
>
>Since QMAIL by construction is an OPEN RELAY, some vulnerability may be
>experienced not in particular to the QMAIL system itself (which can
>stand a heavy load), but for other MTAs which are flooded by
>SPAM E-Mail.
>
>By means of the SPAMCONTROL patch, QMAIL-SMTPD can be advised to act
>as selective relay and to ignore (not to invoke QMAIL-QUEUE for) E-Mails
>from particular senders and/or recipients. Filtering is done analyzing
>the E-Mail Header's SENDER and/or RECIPIENT address.
>
>
>RELAYCLIENT vs. RCPTHOSTS
>-------------------------
>
>Invoking the environment variable $RELAYCLIENT inverts the logic of
>QMAIL-SMTPD. Instead of accepting RECIPIENTs explicitly mentioned in
>./control/rcpthosts and ./control/morercpthosts, the SENDER
>information is evaluated and checked against the environment variable
>$RELAYCLIENT. The RELAYCLIENT patch enhances this feature by means of
>the files ./control/relayclients and/or ./control/relaydomains.
>However, contrary to the original implementation, these files may
>coexist with ./rcpthosts and ./morercpthosts which are still effective!
>
>See the attached SPAMCONTROL.pdf file for more information.
>
>
>ABOUT SPAM E-MAIL
>-----------------
>
>SPAMMERS manipulate either the SENDER (MAIL FROM:) or the
>RECIPIENT (RCPT TO:) address of E-Mails, making a MTA believe
>1) that this E-Mail is originated by himself,
>2) accepting it and send the SPAM E-Mail to a third party (target) MTA,
>   which in turn sees this E-Mail to originate from your MTA/Domain,
>3) turning your MTA effectively into a host for SPAM E-Mails.
>
>
>FILTER SPAM E-MAIL
>------------------
>
>First principle: Don't accept E-Mails with the IP address and/or
>inverse DNS name of your MTA in the E-Mail's envelope SENDER and/or
>RECIPIENT address.
>
>Let's assume your MTA has IP address "12.34.56.78".
>The inverse DNS Name becomes "78.56.34.12.in-addr.arpa."
>
>Include the following canonical filters into the control files:
>
>./control/FILE      expression
>---------------------------------------------------------------
>badmailfrom         @12.34.56.78
>badmailfrom         %12.34.56.78
>badreceipients      @12.34.56.78
>badreceipients      %12.34.56.78
>badmailpatterns     *12.34.56.78*
>badrcptpatterns     *12.34.56.78*
>badmailpatterns     *78.56.34.12.in-addr.arpa.*
>badrcptpatterns     *78.56.34.12.in-addr.arpa.*
>
>
>SPAM E-Mails with the "PERCENTHACK" can be eliminated by adding "*%*"
>to the ./control/badmailpatterns and ./control/badrcptpatterns file.
>Any E-Mails including a "%" sign in the SENDER and/or RECIPIENT
>address will be rejected.
>The filtering logic can be picked up from the SPAMCONTROL.pdf file.
>
>Please consider that evaluating the *PATTERNS takes a lot more CPU cycles
>than employing BADMAILFROM and BADRECEIPIENTS. However, this has to be
>compared with the amount of processing to be spent by QMAIL-QUEUE,
>QMAIL-RSPAWN and QMAIL-SEND, and of course your worries!
>
>Further, the logic of the WILDMAT filter allows you to INCLUDE
>particular clients/addresses simply putting an exclamation mark (!)
>as first character in the line.
>
>For more details about the WILDMAT logic, have a look at README.wildmat.
>
>
>LOGGING SPAM
>------------
>
>For QMAIL-SMTPD I introduced the ability to log rejected E-Mail in the
>SYSLOG. Tried to invoke Markus Stumpf's patch, but failed. The code is
>a direct call to SYSLOG without employing SPLOGGER. I know, Dan will
>not like this. But anyway, it's working and I think it's necessary.
>E-Mails rejected by the RELAYCLIENT/RCPTHOSTS mechanisms are not logged.
>In case you intend to use the XINETD daemon instead of the regular
>INETD, calls to the SMTP port 25 can be redirected to the SYSLOG's
>MAILLOG destination, thus giving you a good control of potential
>SPAM activity. Check the SYSLOG environment (/etc/syslog.conf).
>
>See the new man-page of qmail-log(5).
>
>
>HOWTO
>-----
>
>Do the following:
>
>1. Stop your QMAIL system (receive and send).
>2. Modify your INETD/XINETD daemon to your needs.
>   (an example for the XINETD is included).
>3. Follow the INSTALL.spamcontrol instructions.
>4. Edit the file ./control/relayclients and include the
>   IP-Addresses of your local subnets.
>   (IP-Addresses for SENDERS which are accepted by QMAIL-SMTPD).
>5. Instead, you can use ./control/relaydomains and
>   put your domain name in here. But I don't recommend this.
>6. Edit the files
>   ./control/badmailfrom,
>   ./control/badmailpatterns,
>   ./control/badreceipients,
>   ./control/badrcptpatterns to your needs.
>   See above samples.
>7. Restart QMAIL.
>8. If you are already blacklisted, inform those sites that
>   you don't act as an OPEN RELAY anymore.
>9. Watch the QMAIL behavior by means of the SYSLOG information.
>
>Good luck!
>
>TESTED ENVIRONMENTS
>-------------------
>LINUX KERNEL 2.0
>LINUX KERNEL 2.2
>FREEBSD 3.1
>
>
>FURTHER INFORMATION
>-------------------
>
>- QMAIL:  http://www.qmail.org/
>- XINETD: http://synack.net/
>- SPAM:   http://maps.vix.com/rbl/
>          http://www.orbs.org/
>          http://www.obtuse.com/smtpd.html
>          http://spam.abuse.net/spam/
>
>
>AUTHORS
>-------
>
>Rask Ingemann Lambertsen - who provided the original RELAY Patch
>Marc Pohl - ported it to QMAIL 1.03 ([EMAIL PROTECTED])
>Mark Delany - Author of the WILDMAT Patch ([EMAIL PROTECTED])
>Erwin Hoffmann - ported it to QMAIL 1.03 and put it all together
>
>Erwin Hoffmann ([EMAIL PROTECTED])
>Cologne, 2000-01-21.
>
>

Dr. Erwin Hoffmann
Wiener Weg 8
50858 Koeln
Tel 0221 484 4923
Fax 0221 484 4924
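
The canonical filter table and the "*%*" rule from the README above, worked through as an added example that is not part of the original post or of the SPAMCONTROL patch. It derives the control-file entries for an MTA address and checks constructed envelopes against them. Assumptions: Python's `fnmatch` stands in for the WILDMAT matcher, `@host`/`%host` entries match as address suffixes, a matching `!` line exempts an address regardless of other lines (the patch's real evaluation order is in README.wildmat, which is not reproduced here), and all function names are hypothetical.

```python
import fnmatch
import ipaddress

def canonical_filters(mta_ip):
    """Control-file entries the README lists, derived for one MTA address."""
    ip = ipaddress.IPv4Address(mta_ip)
    rdns = ip.reverse_pointer + "."            # e.g. 78.56.34.12.in-addr.arpa.
    exact = [f"@{ip}", f"%{ip}"]
    globs = [f"*{ip}*", f"*{rdns}*", "*%*"]     # "*%*" is the PERCENTHACK rule
    return {"badmailfrom": list(exact), "badreceipients": list(exact),
            "badmailpatterns": list(globs), "badrcptpatterns": list(globs)}

def listed(addr, entries):
    """Exact entry, or an '@host' / '%host' entry matched as a suffix (assumed)."""
    addr = addr.lower()
    return any(addr == e.lower() or
               (e.startswith(("@", "%")) and addr.endswith(e.lower()))
               for e in entries)

def pattern_hit(addr, patterns):
    """Glob match; a matching '!' line exempts the address (assumed precedence)."""
    addr = addr.lower()
    def hit(p):
        return fnmatch.fnmatchcase(addr, p.lower())
    if any(hit(p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(hit(p) for p in patterns if not p.startswith("!"))

def verdict(mail_from, rcpt_to, ctl):
    """Return 'reject' or 'accept' for one SMTP envelope (MAIL FROM, RCPT TO)."""
    if listed(mail_from, ctl["badmailfrom"]) or pattern_hit(mail_from, ctl["badmailpatterns"]):
        return "reject"
    if listed(rcpt_to, ctl["badreceipients"]) or pattern_hit(rcpt_to, ctl["badrcptpatterns"]):
        return "reject"
    return "accept"

# Constructed sample envelopes; not taken from real traffic.
SAMPLES = [
    ("alice@example.org", "bob@example.net"),
    ("spam@12.34.56.78", "bob@example.net"),
    ("alice@example.org", "victim%example.com@relay.example.net"),
    ("x@78.56.34.12.in-addr.arpa.", "bob@example.net"),
]

if __name__ == "__main__":
    ctl = canonical_filters("12.34.56.78")
    for sender, rcpt in SAMPLES:
        print(verdict(sender, rcpt, ctl), sender, "->", rcpt)
```

Running the checks before installing the control files shows which legitimate local addresses (for example gateway addresses containing "%") would need a `!` exemption line.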
