I'd like to run some features by you.  If you think they're good,
you might want to include it as part of an optimized openfilter

#### Layer 1

A problem that I (and others?) have with rblsmtpd is that it's too
coarse.  It either rejects mail or lets it through.  I would much
rather kung-fu finesse the whole process by allowing non-blacklisted
mail to go through quickly and pass suspected spam into a seperate
"purgatory" queue ("the slow road from china").

I implemented a simple improvement to rblsmtpd.c that adds a "-s"
(soft) option.  It takes an additional argument for what you'd like
to set QMAILQUEUE to instead of using the default "bin/qmail-queue".
I might, for example, compile /var/qmail/bin/qmail-queue2 to use
/var/qmail/queue2 instead of /var/qmail/queue as its mail queue.
A seperate program might look through this "purgatory" queue in a
slow serialized manner and pass more scrutiny on whether to deliver
and/or bounce the messages in that queue or not (or use spamassassin,
etc.).  In the meantime, mail from servers not listed in the RBLs
passes quickly to the recipients.

To some degree it has some advantages similar to the OpenBSD+pf+RBL
efforts to preserve CPU processing for normal mail and redirect
processing from RBL-listed servers to alternate processing, especially
if end-user processing is expensive (like procmail or perl-based filters
like spamassassin).  The advantage to implementing it this way is that
you don't need to install an extra OpenBSD box and learn pf.

Here's an example of using Qmail-Scanner to bypass normal processing
if (and only if) it comes from a suspected spam server...

  rblsmtpd -s/var/qmail/bin/qmail-scanner-queue.pl -rlocalrbl.mydomain.com 
-rbl.spamcop.net -rdnsbl.sorbs.net -rsbl-xbl.spamhaus.org /var/qmail/bin/qmail-smtpd

... though, my idea of a purgatory queue (/var/qmail/bin/qmail-queue2)
might be a better approach toward protecting inbound mail servers.

Prerequisite: QMAILQUEUE patch.

#### Layer 2

A problem that I have with the Layer 2 chk-user method is that
spammers are not only sending spam, but they are also harvesting
addresses by checking for bounces after trying every user
combination against a domain.  Once they find an addres that
doesn't bounce, it's marked as a lucrative address in their
mailing lists (assuming all other addresses bounced).

I prefer not to bounce any mis-addressed mail to help protect
my users from being "found".  As a policy, all user domains
get a catch-all postmaster account installed.  Handing out
passwords for the postmaster account is part of the installation
process, and the policy is that all mail in the postmaster
mailboxes is deleted after 14 days.  If someone thinks a
message was missed, they can retrieve it.  Otherwise, misdirected
mail just doesn't get seen, nor bounced.  It also helps prevent
spammers from using my domains as bounce-relays where mailing
to an unknown mailing address makes my server bounce messages
to real envelope-from addresses.

#### Bounced messages for forwarded accounts

Something else I need to help protect delivery is a way to
rewrite the sender envelope address to use my mail server
instead of the original address.  This will become important
later as people implement SPF to ensure that forwarded mail is
recieved by SPF-enforcing servers.  I'd like to use
[EMAIL PROTECTED] as the return
address on forwarded mail.  This will ensure that if mail
forwarding breaks, mail is rejected to a place where a customer
domain representative can do something with it if they catch the
problem within two weeks.  Scripts can be rewritted to redeliver
bounced mail for a user after their forwarding alias is fixed.

I've had enough run-ins with being blacklisted for forwarded
spam that wasn't my responsibility that I need something to
help me detect the fact that mail is bouncing for a forwarded
user.  I haven't figured out implementation details yet, though.

#### AOL message tagging

In addition to the above, the AOL whitelist bounce policy makes me
want to implement message tagging and tracking that let's me know
which abuse-reported messages are attached to which forwarding
accounts.  I might add a word to the Subject line, for example:
   Subject: original subject line [fwd: [EMAIL PROTECTED]
that would come back to me in an AOL abose report.  I could then
correspond the id to a forwarder to figure out who is mis-reporting
spam.  I'd have a mapping of addresses to IDs.  Seeing the tag,
they might not quickly tag a message as "This is spam" if they knew
that doing it often enough would cause me to kill their forwarding
to protect the AOL-integrity of my servers.

I think a modification to qmail-remote or vdelivermail on my primary
inbound mail server is problably the best way to implement this.
What do you think?

#### Local spam RBL generation

When a spammer wants to send spam to users on your server, they usually
send several messages (perhaps even hundreds) of the same messages or
send to many invalid addresses.  It's not to hard to log and summarize
the worst offenders, those that send 99% spam of 100 messages or more.
Once they do, you want to add them to your own blacklist.  I hope to
create my own reactive system that utilizes spamassassin,
qmail-scanner-queue, tinydns and the soft rblsmtpd above to help my
server stay ahead of the flood instead of sink further into the depths
of mail lag.

Eric Ziegast

Patches so far....

*** /home/inter7/vpopmail/vpopmail-5.4.0-spam2/vpopmail.c.orig  2004-06-10 
02:34:54.000000000 -0700
--- /home/inter7/vpopmail/vpopmail-5.4.0-spam2/vpopmail.c       2004-05-20 
02:37:54.000000000 -0700
*** 212,214 ****
    } else {
!     fprintf(fs, "| %s/bin/vdelivermail '' bounce-no-mailbox");
--- 212,214 ----
    } else {
!     fprintf(fs, "| %s/bin/vdelivermail '' [EMAIL PROTECTED]", VPOPMAILDIR, domain);
*** /home/inter7/ucspi-tcp/ucspi-tcp-ssl-0.88/rblsmtpd.c.orig     2000-03-18 
07:18:42.000000000 -0800
--- /home/inter7/ucspi-tcp/ucspi-tcp-ssl-0.88/rblsmtpd.c  2004-06-10 
01:34:38.000000000 -0700
*** 177,180 ****
!   while ((opt = getopt(argc,argv,"bBcCt:r:a:")) != opteof)
      switch(opt) {
        case 'b': flagrblbounce = 1; break;
--- 177,181 ----
!   while ((opt = getopt(argc,argv,"bBcCt:r:a:s:")) != opteof)
      switch(opt) {
+       case 's': flagrblbounce = 2; if (!pathexec_env("QMAILQUEUE",optarg)) nomem(); 
        case 'b': flagrblbounce = 1; break;
*** 193,197 ****
    if (flagwantdefaultrbl) rbl("rbl.maps.vix.com");
!   if (decision >= 2) rblsmtpd();
!   pathexec_run(*argv,argv,envp);
    strerr_die4sys(111,FATAL,"unable to run ",*argv,": ");
--- 194,198 ----
    if (flagwantdefaultrbl) rbl("rbl.maps.vix.com");
!   if (decision >= 2 && flagrblbounce == 1) rblsmtpd();
!   pathexec(argv);
    strerr_die4sys(111,FATAL,"unable to run ",*argv,": "

Reply via email to