Howdy list,
1.) Do you run Qmail & TMDA?
2.) Do you have a lot of virtual email domains?
3.) Do you maintain a system-wide whitelist so anyone on your server
can email anyone else on your server without having to confirm?
4.) Do you or your users receive forged emails from external mail
domains that bypass TMDA by claiming to be from an internal mail
domain?
I do. And until recently, I thought I'd have to sacrifice my
system-wide internal domain whitelist to eliminate this forged
spam that was slipping through. See the following FAQ entry for the
most common solutions to this problem:
http://tmda.net/faq.cgi?req=show&file=faq04.010.htp
But there may be a better way. Take a look at WingNET's block-forged-sender.py
script here:
ftp://ftp.wingnet.net/pub/MAIL/qmail-related/queue-filters/block-forged-sender.tar.gz
It's designed to run with Qmail-1.03 with the QMAILQUEUE patch installed:
http://www.qmail.org/qmailqueue-patch
And it is designed to run under the qmail-qfilter program:
http://untroubled.org/qmail-qfilter/
See attached for typical setup instructions.
When properly set up, the block-forged-sender.py script basically
provides the same functionality as Qmail-1.03's badmailfrom file,
but with the following benefits:
1.) block-forged-sender.py uses TMDA's auto-CDB functionality for
fast CDB database lookups. (To my knowledge, Qmail-1.03's badmailfrom
file does not use CDB databases.)
2.) block-forged-sender.py checks both the envelope sender address
(like Qmail-1.03's badmailfrom file) AND the header From: address
(unlike the badmailfrom file), allowing for a more complete
email blocking solution.
Your users never even see the envelope sender address, so why
should you just block the envelope sender?
block-forged-sender.py is mostly regurgitated TMDA code with a few
custom "glue" functions thrown in to get the job done. However, it
is a standalone script (it does not need TMDA to function), and
unlike TMDA, it does NOT load the entire email message into memory.
Instead, block-forged-sender.py loads only the email's headers into
memory and passes the rest of the message through from STDIN to
STDOUT in 256 byte chunks.
I have been testing this script on WingNET's production servers for
about two months now, and I am satisfied that it is reliable and
efficient.
block-forged-sender.py was designed as an alternative solution to
the "forged" domain or email address problem, but we have discovered
that it is also an excellent replacement for Qmail-1.03's badmailfrom
file. You can use block-forged-sender.py to block mail from ANY email
address or domain on a server or system-wide basis.
NOTE: If you wish to use the block-forged-sender.py script to prevent
spammers sending you forged email, you MUST install the script
on ALL of your mail servers. Otherwise, depending on your
configuration, forged emails will either slip through, or
legitimate emails will be lost.
Also, if, like WingNET, you choose to deny all emails from
remote hosts that have an internal mail domain in the envelope
sender or header From: address, you WILL incur some additional
tech support load because you will have to whitelist, on a per-
customer basis, domains like:
grp.scd.yahoo.com
hallmark.com
ebay.com
in your /etc/tcp.smtp file. Why? These domains frequently send
customers "legitimate" forged email with the customer's address
in either the envelope sender or header From: address.
Please, let me know if anyone finds this script useful. Thanks!
Sincerely,
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
# -----------------------------------------------------------------
# 29.) do the qmail-qfilter build && install
# -----------------------------------------------------------------
fetch http://untroubled.org/qmail-qfilter/qmail-qfilter-1.5.tar.gz
tar -xvzf qmail-qfilter-1.5.tar.gz
cd qmail-qfilter-1.5
# --
# Make a temporary directory that only qmail-qfilter has write
# permissions to.
# --
mkdir /var/qmail/tmp
chown qmaild:qmail /var/qmail/tmp
chmod 750 /var/qmail/tmp
# --
# Do build & install
# --
gmake
./installer
cd ..
# -----------------------------------------------------------------
# 30.) do the queue-filters install
# -----------------------------------------------------------------
mkdir queue-filters
cd queue-filters
fetch ftp://ftp.wingnet.net/pub/MAIL/qmail-related/queue-filters/block-forged-sender.tar.gz
# --
# NOTE: block-forged-sender.py is a python script. It REQUIRES
# Python 2.x or higher AND the py-cdb module to be
# installed. FreeBSD's Python package does NOT come with
# the py-cdb module installed by default. It resides in
# a separate port/package, and can be installed like this:
#
# cd /usr/ports
# make search name=py22-cdb
#
# Then either this:
#
# cd /usr/ports/databases/py-cdb
# make
# make install
#
# Or something like this:
#
# portupgrade -NNP <py22-cdb-package-name-from-make-search-goes-here>
#
# --
mkdir /var/qmail/queue-filters
chown qmaild:qmail /var/qmail/queue-filters
chmod 750 /var/qmail/queue-filters
tar -C /var/qmail/queue-filters -xvzf block-forged-sender.tar.gz
chown -R qmaild:qmail /var/qmail/queue-filters/*
chmod -R 754 /var/qmail/queue-filters/*
cd ..
# --
# Now, we should set up logging for block-forged-sender:
# block-forged-sender, by default, uses the syslog name 'bfs' when
# logging.
#
# If you would like to change the default log name, please run:
/var/qmail/queue-filters/block-forged-sender.py --help
# for command line options and more information.
#
# The below information assumes the default log name: bfs
# --
vim /etc/syslog.conf
# --
# Add the following to the bottom of syslog.conf:
# --
#
# !bfs
# *.* /var/log/mailblock
#
# --
# and uncomment.
# --
vim /etc/newsyslog.conf
# --
# Then add the following to newsyslog.conf:
# --
#
# /var/log/mailblock 640 7 * @T00 J
#
# --
touch /var/log/mailblock
chown root:wheel /var/log/mailblock
chmod 644 /var/log/mailblock
killall -HUP syslogd
vim /var/qmail/supervise/qmail-smtpd/run
# --
# In /var/qmail/supervise/qmail-smtpd/run, Change the
# softlimit from 2000000 to 15000000. This allows qmail-smtpd
# to use more memory, which allows it to run qmail-qfilter/
# block-forged-sender.py AND qmail-scanner/ClamAV.
#
# My tests have shown that block-forged-sender.py can use up
# to 5M of RAM while searching incoming messages. However,
# block-forged-sender.py is VERY efficient and will NOT load
# the entire message into memory. Instead, it passes the
# message from STDIN to STDOUT in 256 byte chunks.
#
# Ideally, the qmail-smtpd->qmail-qfilter->block-forged-sender.py->
# qmail-scanner-queue.pl->clamdscan->qmail-queue "pipeline"
# would only require about 8-10M of softlimit RAM, but for some
# reason qmail-scanner-queue.pl thinks it's necessary to run two
# instances of itself while it passes the message off to qmail-queue,
# which effectively adds another 5M of RAM to the required softlimit.
# --
# --
# You're pretty much done installing block-forged-sender now.
# However, a few things must still be done which this manual
# does not cover:
#
# 1.) Populate /var/qmail/queue-filters/badsenders with a list
# of domains/email addresses you wish to block. You can do
# this manually or via cron script.
# 2.) Populate your QMAILQUEUE environment variable in
# /etc/tcp.smtp with "queue-filters/block-forged-sender",
# like this:
#
# 127.0.0.1:allow,QMAILQUEUE="queue-filters/block-forged-sender"
#
# and rebuild your /etc/tcp.smtp.cdb by running the
# following command:
#
# qmailctl cdb
#
# 3.) Try sending some forged emails to your server via
# telnet or sendmail, then check /var/log/mailblock to
# see if it's working.
# --
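The header-only scan and 256-byte pass-through that the post describes, as an added example written for this page (it is not the WingNET script and not TMDA code): it checks both the envelope sender and the header From: address against a badsenders set, copies the message from STDIN to STDOUT without holding the body in memory, and logs a hit under the 'bfs' syslog name from the setup notes. The plain-text badsenders format, the QMAILNAME environment variable and the exit status 31 are assumptions, not something the page states.

```python
import os
import sys
from email.parser import BytesHeaderParser
from email.utils import parseaddr
from io import BytesIO

CHUNK = 256  # the body is streamed through in 256-byte pieces, never loaded whole

def is_blocked(addr, badsenders):
    """True if the full address or its domain is in the badsenders set."""
    addr = addr.lower()
    return addr in badsenders or addr.rpartition("@")[2] in badsenders

def filter_message(envelope_sender, stdin, stdout, badsenders):
    """Read only the header block, check envelope sender and header From:, then
    copy everything to stdout unchanged.  Returns the matched address or None."""
    headers = bytearray()
    while True:
        line = stdin.readline()
        headers += line
        if line in (b"", b"\n", b"\r\n"):  # blank line ends the headers
            break
    msg = BytesHeaderParser().parsebytes(bytes(headers))
    header_from = parseaddr(msg.get("From", ""))[1]
    for candidate in (envelope_sender, header_from):
        if candidate and is_blocked(candidate, badsenders):
            return candidate
    stdout.write(bytes(headers))
    while True:
        chunk = stdin.read(CHUNK)
        if not chunk:
            return None
        stdout.write(chunk)

def run_on_bytes(envelope_sender, raw, badsenders):
    """In-memory harness: returns (matched_address, bytes_passed_through)."""
    out = BytesIO()
    return filter_message(envelope_sender, BytesIO(raw), out, badsenders), out.getvalue()

if __name__ == "__main__":
    import syslog
    # Assumption: one address or domain per line (the real script reads a CDB).
    with open("/var/qmail/queue-filters/badsenders") as fh:
        bad = {ln.strip().lower() for ln in fh if ln.strip()}
    # Assumption: qmail-qfilter passes the envelope sender in QMAILNAME.
    hit = filter_message(os.environ.get("QMAILNAME", ""), sys.stdin.buffer, sys.stdout.buffer, bad)
    if hit:
        syslog.openlog("bfs")  # the page's default syslog name
        syslog.syslog("blocked forged sender %s" % hit)
        sys.exit(31)  # qmail-queue's permanent-refusal exit status (assumption)
```

A message whose header From: carries an internal domain is rejected even when the envelope sender is clean, which is the gap the post says badmailfrom leaves open.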