>Date: Mon, 24 Jan 2000 18:00:46 +0100
>To: [EMAIL PROTECTED]
>From: "Dr. Erwin Hoffmann" <[EMAIL PROTECTED]>
>Subject: QMAIL 1.03 SPAMCONTROL Patch
>X-Attachments: E:\QMail\patches\spampatch.tgz;
>
>Hi,
>
>I would like to give my SPAMCONTROL patch for QMAIL 1.03 to the public.
>Here's the contents of the README:
>
>PURPOSE
>-------
>
>The SPAMCONTROL patch is intended for environments where some local
>E-Mail systems are used (e.g. Lotus Notes) and QMAIL 1.03 is facilitated
>as a RELAY to the Internet. This may be called an E-Mail Gateway.
>
>In this case, QMAIL-SMTPD receives all OUTGOING E-Mails from the local
>environment and delivers them to MTAs on the Internet.
>Additionally, QMAIL-SMTPD should solely receive those INCOMING
>Internet E-Mails which are targeted for the local E-Mail systems.
>In particular, QMAIL should not forward any E-Mail to third party
>MTAs.
>
>Since QMAIL by construction is an OPEN RELAY, some vulnerability may be
>experienced not in particular to the QMAIL system itself (which can
>stand a heavy load), but for other MTAs which are flooded by
>SPAM E-Mail.
>
>By means of the SPAMCONTROL patch, QMAIL-SMTPD can be advised to act
>as selective relay and to ignore (not to invoke QMAIL-QUEUE for) E-Mails
>from particular senders and/or recipients. Filtering is done analyzing
>the E-Mail Header's SENDER and/or RECIPIENT address.
>
>
>RELAYCLIENT vs. RCPTHOSTS
>-------------------------
>
>Invoking the environment variable $RELAYCLIENT inverses the logic of
>QMAIL-SMTPD. Instead of accepting RECIPIENTs explicitly mentioned in
>./control/rcpthosts and ./control/morercpthosts, the SENDER
>information is evaluated and checked against the environment variable
>$RELAYCLIENT. The RELAYCLIENT patch enhances this feature by means of
>the files ./control/relayclients and/or ./control/relaydomains.
>However, contrary to the original implementation, these files may
>coexist with ./rcpthosts and ./morercpthosts which are still effective!
>
>See the attached SPAMCONTROL.pdf file for more information.
>
>
>ABOUT SPAM E-MAIL
>-----------------
>
>SPAMMERS manipulate either the SENDER (MAIL FROM:) or the
>RECIPIENT (RCPT TO:) address of E-Mails, making a MTA believe
>1) that this E-Mail is originated by himself,
>2) accepting it and send the SPAM E-Mail to a third party (target) MTA,
> which in turn sees this E-Mail to originate from your MTA/Domain,
>3) turning your MTA effectively into a host for SPAM E-Mails.
>
>
>FILTER SPAM E-MAIL
>------------------
>
>First principle: Don't accept E-Mails with the IP address and/or
>inverse DNS name of your MTA in the E-Mail's envelope SENDER and/or
>RECIPIENT address.
>
>Let's assume, your MTA has IP address "12.34.56.78".
>The inverse DNS Name becomes "78.56.34.12.in-addr.arpa."
>
>Include the following canonical filters into the control files:
>
>./control/FILE      expression
>---------------------------------------------------------------
>badmailfrom         @12.34.56.78
>badmailfrom         %12.34.56.78
>badreceipients      @12.34.56.78
>badreceipients      %12.34.56.78
>badmailpatterns     *12.34.56.78*
>badrcptpatterns     *12.34.56.78*
>badmailpatterns     *78.56.34.12.in-addr.arpa.*
>badrcptpatterns     *78.56.34.12.in-addr.arpa.*
>
>
>SPAM E-Mails with the "PERCENTHACK" can be eliminated by adding "*%*"
>to the ./control/badmailpatterns and ./control/badrcptpatterns file.
>Any E-Mails including a "%" sign in the SENDER and/or RECIPIENT
>address will be rejected.
>The filtering logic can be picked up from the SPAMCONTROL.pdf file.
>
>Please consider, that evaluating the *PATTERNS takes a lot more CPU cycles
>than employing BADMAILFROM and BADRECEIPIENTS. However, this has to be
>compared with the amount of processing to be spent by QMAIL-QUEUE,
>QMAIL-RSPAWN and QMAIL-SEND, and of course your worries!
>
>Further, the logic of the WILDMAT filter allows you to INCLUDE
>particular clients/addresses simply putting an exclamation mark (!)
>as first character in the line.
>
>For more details about the WILDMAT logic, have a look at README.wildmat.
>
>
>LOGGING SPAM
>------------
>
>For QMAIL-SMTPD I introduced the ability to log rejected E-Mail in the
>SYSLOG. Tried to invoke Markus Stumpf's patch, but failed. The code is
>a direct call to SYSLOG without employing SPLOGGER. I know, Dan will
>not like this. But anyway, it's working and I think it's necessary.
>E-Mails rejected by the RELAYCLIENT/RCPTHOSTS mechanisms are not logged.
>In case you intend to use the XINETD daemon instead of the regular
>INETD, calls to the SMTP port 25 can be redirected to the SYSLOG's
>MAILLOG destination, thus giving you a good control of potential
>SPAM activity. Check the SYSLOG environment (/etc/syslog.conf).
>
>See the new man-page of qmail-log(5).
>
>
>HOWTO
>-----
>
>Do the following:
>
>1. Stop your QMAIL system (receive and send).
>2. Modify your INETD/XINETD daemon to your needs.
> (an example for the XINETD is included).
>3. Follow the INSTALL.spamcontrol instructions.
>4. Edit the file ./control/relayclients and include the
> IP-Addresses of your local subnets.
> (IP-Addresses for SENDERS which are accepted by QMAIL-SMTPD).
>5. Instead, you can use ./control/relaydomains and
> put your domain name in here. But I don't recommend this.
>6. Edit the files
> ./control/badmailfrom,
> ./control/badmailpatterns,
> ./control/badreceipients,
> ./control/badrcptpatterns to your needs.
> See above samples.
>7. Restart QMAIL.
>8. If you are already blacklisted, inform those sites that
> you don't act as an OPEN RELAY anymore.
>9. Watch the QMAIL behavior by means of the SYSLOG information.
>
>Good luck!
>
>TESTED ENVIRONMENTS
>-------------------
>LINUX KERNEL 2.0
>LINUX KERNEL 2.2
>FREEBSD 3.1
>
>
>FURTHER INFORMATION
>-------------------
>
>- QMAIL: http://www.qmail.org/
>- XINETD: http://synack.net/
>- SPAM: http://maps.vix.com/rbl/
> http://www.orbs.org/
> http://www.obtuse.com/smtpd.html
> http://spam.abuse.net/spam/
>
>
>AUTHORS
>-------
>
>Rask Ingemann Lambertsen - who provided the original RELAY Patch
>Marc Pohl - ported it to QMAIL 1.03 ([EMAIL PROTECTED])
>Mark Delany - Author of the WILDMAT Patch ([EMAIL PROTECTED])
>Erwin Hoffmann - ported it to QMAIL 1.03 and put it all together
>
>Erwin Hoffmann ([EMAIL PROTECTED])
>Cologne, 2000-01-21.
>
>
spampatch.tgz
+-----------------------------------------------------------------------+
| Dr. Erwin Hoffmann                                                    |
| Wiener Weg 8, 50858 Koeln                                             |
| Tel 0221 484 4923, Fax 0221 484 4924                                  |
+-----------------------------------------------------------------------+
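
An added example, not part of the original message or of the SPAMCONTROL patch: Python code that runs the README's sample badrcptpatterns lines (plus its "*%*" rule) over constructed envelope recipients, so the effect of each pattern can be checked before it goes into a control file. Assumptions: Python's fnmatch globbing stands in for WILDMAT, and a "!" line exempts a matching address from rejection; the patch's actual logic is described in SPAMCONTROL.pdf and README.wildmat, which are not reproduced on this page.

```python
from fnmatch import fnmatchcase

# Pattern lines from the README's sample table plus its "*%*" rule.
# The last entry is a constructed "!" exception line (hypothetical address).
BADRCPTPATTERNS = [
    "*12.34.56.78*",
    "*78.56.34.12.in-addr.arpa.*",
    "*%*",
    "!notes%gateway@partner.example",
]

def split_patterns(lines):
    """Return (reject, allow) glob lists; a leading '!' marks an allow line."""
    reject, allow = [], []
    for raw in lines:
        line = raw.strip().lower()
        if not line:
            continue
        if line.startswith("!"):
            allow.append(line[1:])
        else:
            reject.append(line)
    return reject, allow

def is_rejected(address, lines):
    """Assumed semantics: an allow match wins, otherwise any reject match refuses."""
    addr = address.strip().lower()
    reject, allow = split_patterns(lines)
    if any(fnmatchcase(addr, p) for p in allow):
        return False
    return any(fnmatchcase(addr, p) for p in reject)

# Constructed envelope recipients for illustration only.
SAMPLE_RCPTS = [
    "user@example.org",
    "someone%third-party.example@12.34.56.78",
    "someone%third-party.example@gateway.example",
    "postmaster@[12.34.56.78]",
    "root@78.56.34.12.in-addr.arpa.",
    "root@78.56.34.12.in-addr.arpa",
    "notes%gateway@partner.example",
]

def classify(addresses, lines):
    """Map each address to 'reject' or 'accept' under the given pattern lines."""
    return {a: "reject" if is_rejected(a, lines) else "accept" for a in addresses}

if __name__ == "__main__":
    for addr, verdict in classify(SAMPLE_RCPTS, BADRCPTPATTERNS).items():
        print(f"{verdict:6}  {addr}")
```

Under these assumed glob semantics the reverse-DNS pattern matches only when the address carries the trailing dot, so it is worth running your own pattern lines against every address form you expect to see.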