SPAM problems


techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

SPAM problems

Postby techsharp » Sat Sep 08, 2007 1:37 pm

All,

We are currently having a lot of issues with SPAM and the amount being received. We are using Spam Assassin and everything is up to date on our server.

A lot of messages come in and are labeled SPAM, however there are quite a few that are not and we have to keep "training" our server to label them as such - it really is becoming an issue.

One solution we are talking about integrating is to block emails from unknown and unverified addresses, AKA sender address verification. Companies such as Sendio and Digiportal offer this type of SPAM blocking.

Does anyone use this type of product with their email servers? If you do what are your suggestions for purchasing?

Or the alternative is to help fix the SPAM problem with Spam Assassin, but what can I do? Do you guys just use Spam Assassin or do you have something else set up along with it? I update it and it is completely set up correctly.

I am looking for advice as to what my next step should be in fighting this SPAM issue.

Thank you

adhodgson
Posts: 176
Joined: Thu Mar 02, 2006 8:09 am

Postby adhodgson » Sat Sep 08, 2007 3:27 pm

Hi,

Personally I think these types of products are a waste of time, because they create a lot of backscatter messages. For example, for every spam message coming into the system, the system will send a verification message. This is sort of ok if the message can't get to the destination, but if the spammer forged the sender address, you will possibly send these emails to innocent third parties. Indeed, there are blacklists for just this sort of thing.

We had a similar problem at work, and implemented SpamTitan, which is a spam appliance type solution, but you can deploy it on your own hardware. http://www.spamtitan.com. The other thing to implement as good practise is to try and stop messages coming into your system - i.e., being accepted by SMTP - if the address is unknown. Using Scalix and SpamTitan, it is possible to ensure that only email going to addresses which exist in the Scalix directory is ever accepted by the gateway, and this has actually really helped the amount of spam we receive daily.

Andrew.

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Postby techsharp » Sat Sep 08, 2007 4:08 pm

adhodgson -

Thanks I will take a look into this product when I am in the office on Monday.

kmcelwain
Posts: 89
Joined: Wed May 10, 2006 5:42 pm
Location: Homer, GA

Cut my spam in half

Postby kmcelwain » Mon Sep 10, 2007 10:41 pm

I took a new approach...block it at the firewall. I looked up and researched Africa/Asia/Amsterdam/South America and blocked them all.

This might sound a little region biased, but the proof is in the results. Last month, 700,000 messages, and this month I'm predicting 300,000. My firewall goes by the "deny all, allow this" mindset. So all I had to do was put in multiple rules that allowed from the public IP ranges that I wanted.

It's working like a charm...I still get junk, but mostly from cable modem and DSL hijacked PCs.

Allow All Send Email (SMTP) 168.8.28.2 (LAN) WAN
Allow All Send Email (SMTP) 204.0.0.0 - 209.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 223.0.0.0 - 255.255.255.254 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 214.0.0.0 - 216.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 197.0.0.0 - 199.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 191.0.0.0 - 192.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 127.0.0.0 - 188.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 96.0.0.0 - 115.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 63.0.0.0 - 76.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 42.0.0.0 - 57.255.255.255 (WAN) 168.8.28.2 (LAN)
Allow All Send Email (SMTP) 0.0.0.1 - 40.255.255.255 (WAN) 168.8.28.2 (LAN)

Karl McElwain
Banks County School System
If you look hard enough you can find it for free.

William
Posts: 314
Joined: Fri Jun 02, 2006 8:28 am
Location: British Isles

Postby William » Fri Sep 14, 2007 6:42 am

We use sendmail as the MTA, with a daily automatically generated whitelist from all Scalix contacts (just domains) and all domains sent to (from all sendmail logs), with some major email domains removed. This is done via a bash script.
We also use several DNSBLs in sendmail on all non-whitelisted traffic to reject delivery, as well as the greet_pause and delay_checks/spamfriend features in sendmail.
Sendmail is also set up to auto-report spam items to spamcop.net (this only works on the addresses that spammers have made up on our domain).
The amount of spam to users is now very minimal.
ClamAV is also plugged into sendmail.

Here is the script to make a sendmail whitelist:

#!/bin/sh
# /etc/cron.daily/generate_whitelist
#
# TODO:
#   make old maillogs be gzipped
#   look inside gzipped maillog files
#   CONNECT: list
#   rename the intermediate files to something with a standard prefix, and better location.
#   make portable, with variables defined in the header
#
# In all this entire script now takes 3 minutes.
#
# Change domain.com to your domain and put in your password. All intermediate
# files use the same lower-case "domain_" prefix: the names must match exactly
# from step to step or a later step reads an empty file.
# (The --http-password value is visible in the process list to local users.)
#
echo "# /////////////////////////// WHITELIST GENERATE START /////////////////////////// #"
#
# Public contacts folder, fetched as vCard through the Scalix web API.
#
wget -q "http://mail.domain.com/api/sxadmin@domain.com/mailbox/Public%20Folders/DOMAIN%20Contacts/?output=vcard" --http-user=sxadmin --http-password=password -O - > /root/domain_contacts_vcard.txt
#
# Every user's personal Contacts folder, appended to the same file.
# omshowu -m all -i lists login names; names containing @ or x are skipped.
#
for i in $(/opt/scalix/bin/omshowu -m all -i | sed '/@/d; /x/d'); do
  wget -q "http://mail.domain.com/api/$i@domain.com/mailbox/Contacts/?output=vcard" --http-user="mboxadmin:sxadmin:$i" --http-password=password -O - >> /root/domain_contacts_vcard.txt
done
#
# Pull the email addresses out of the vCards, lower-cased and de-duplicated.
#
fgrep -i "EMAIL;TYPE=OTHER;" /root/domain_contacts_vcard.txt | cut --delimiter=";" -f3 -s | tr '[:upper:]' '[:lower:]' | tr -d '[:blank:]' | sort | uniq > /root/domain_contacts_emails.txt

echo ""
echo "All email addresses from all DOMAIN and personal contacts:"
wc -l /root/domain_contacts_emails.txt
#
#
# This gets all the unique domains from the list of contacts' email addresses
#
cat /root/domain_contacts_emails.txt | cut --delimiter="@" --only-delimited --fields=2 | sort | uniq > /root/domain_contacts_whitelist.txt
echo ""
echo "All domains from all DOMAIN and personal contacts' email addresses:"
wc -l /root/domain_contacts_whitelist.txt
#
#
# This scans the sendmail logs for addresses that have been sent email from the
# DOMAIN domain, keeps the part of each line after to= and cleans up the address
# (quotes, trailing punctuation, blanks, case).
#
fgrep -i " to=" /var/log/mail* | cut -d= -f2 -s | tr ",;" "\n" | cut --delimiter="<" --only-delimited --fields=2 | cut --delimiter=">" --only-delimited --fields=1 | sed "s/^[']*//" | sed "s/['.-]*$//" | tr -d '[:blank:]' | tr '[:upper:]' '[:lower:]' | sort | uniq > /root/raw_sendmail_email_addresses.txt
echo ""
echo "All email addresses from sendmail logs that DOMAIN has sent email to:"
wc -l /root/raw_sendmail_email_addresses.txt
#
#
# This finds the addresses from restricted domains (likely to be in a DNSBL, or actually are) and
# makes a whitelist of individual email addresses (that have had email sent to them from the domain.com domain).
#
cat /root/raw_sendmail_email_addresses.txt | sed "s/^[']*//" | sed "s/['.-]*$//" | grep 'yahoo\|hotmail\|gmail\|aol' | sed -e 's/^/from:/' -e 's/$/\tOK/' | sort | uniq > /root/addresses_sendmail_whitelist.txt
echo ""
echo "All email addresses from sendmail logs from certain domains, put into sendmail-access format:"
wc -l /root/addresses_sendmail_whitelist.txt
#
#
# This cleans up the sendmail log grep to be just the unique 'to:' domain names.
#
cat /root/raw_sendmail_email_addresses.txt | cut --delimiter="@" --only-delimited --fields=2 | tr -d '[:blank:]' | tr '[:upper:]' '[:lower:]' | sed "s/^[']*//" | sed "s/['.-]*$//" | sort | uniq > /root/domain_sendmail_whitelist.txt
echo ""
echo "All domains from sendmail logs that DOMAIN has sent email to:"
wc -l /root/domain_sendmail_whitelist.txt
#
#
# This merges the contact domains with the sendmail domains; the list is lower-cased
# and blank-stripped BEFORE sorting so that uniq really does drop duplicates, then
# a few domains are removed like yahoo.com hotmail.co.uk etc.
#
cat /root/domain_sendmail_whitelist.txt /root/domain_contacts_whitelist.txt | tr -d '[:blank:]' | tr '[:upper:]' '[:lower:]' | sort | uniq | sed '/yahoo/d; /hotmail/d; /gmail/d; /aol/d' | sed -e 's/^/from:/' -e 's/$/\tOK/' > /root/domain_combined_whitelist.txt
echo ""
echo "All domains from sendmail logs and DOMAIN/personal contacts without certain domains, in sendmail-access format:"
wc -l /root/domain_combined_whitelist.txt
#
#
# This merges the combined domain whitelist with the address whitelist
#
cat /root/addresses_sendmail_whitelist.txt /root/domain_combined_whitelist.txt > /etc/mail/white_list.txt
echo ""
echo "All entries from addresses_sendmail_whitelist.txt and domain_combined_whitelist.txt combined:"
wc -l /etc/mail/white_list.txt
echo ""
echo "Some constant/default entries for access.db - /etc/mail/access is editable via webmin or pico."
cat /etc/mail/access | sed '/#/d' | wc -l
#
#
# This combines the access file with the newly made list, and dumps the current
# access.db, so that the two can be compared (temporary files kept under /root,
# not the cron working directory).
#
cat /etc/mail/access /etc/mail/white_list.txt | sed '/#/d' | sort | uniq > /root/white_list_now.txt
makemap -u hash /etc/mail/access.db | sed '/#/d' | sort | uniq > /root/white_list_previous.txt
echo ""
echo "New entries:"
comm -3 /root/white_list_previous.txt /root/white_list_now.txt
rm -f /root/white_list_previous.txt
rm -f /root/white_list_now.txt
#
#
# This remakes the access.db with the newly made list and the access file.
#
cat /etc/mail/access /etc/mail/white_list.txt | makemap hash /etc/mail/access.db
echo ""
echo "All entries from white_list.txt and access combined, i.e. /etc/mail/access.db:"
makemap -u hash /etc/mail/access.db | wc -l
echo "# /////////////////////////// WHITELIST GENERATE FINISH /////////////////////////// #"

# ////////////////////////////////     \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\#
#                                 NOTES                                #
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\     ////////////////////////////////#
# if access is edited via webmin only the few items in access are in access.db!
# this will mean plenty of bounced emails since some servers are listed in RBLs.
# to view the contents of access.db: makemap -u hash /etc/mail/access.db | more
#
# you will need to run
#
# cat /etc/mail/access /etc/mail/white_list.txt | makemap hash /etc/mail/access.db
#
# to make access.db full of the whitelist.
#
# cat /root/domain_sendmail_whitelist.txt /root/domain_contacts_whitelist.txt    -open two files into one for working on
# fgrep -r "EMAIL;PREF;INTERNET:" /var/opt/scalix/ml/s/data/*   -get all lines in all files on a path that contain the text
# fgrep -i " to=" /var/log/mail*      -search all files in a path for lines containing some text
# tr -d '[:blank:]'            -remove all blank spaces (quote the class so the shell does not glob it)
# tr '[:upper:]' '[:lower:]'         -change all text to lower case
# tr ",;" "\n"                -replace ",;" (comma or semi-colon) with a newline
# uniq                  -remove adjacent duplicate lines (so sort first)
# sort                  -sort all lines into ascending alphanumeric order
# sed '/yahoo/d; /hotmail/d; /gmail/d; /aol/d'    -remove entire lines containing any of these strings
# sed '/#/d'                -remove entire lines containing #
# sed "s/['.-]*$//"            -remove trailing ' . -
# sed "s/^[']*//"            -removes any leading ' on the line
# sed -e 's/^/from:/' -e 's/$/\tOK/'      -add from: to the beginning of each line and add tab OK at the end
# cut --delimiter=">" --only-delimited --fields=1   -keeps up till the first > and also discards lines without >'s
# cut --delimiter="@" --only-delimited --fields=2   -cut off text before the @
# cut --delimiter="<" --only-delimited --fields=2   -cut off text before the <
# cut --delimiter=";" -f3 -s         -removes up to the 2nd ; and also discards lines without ;'s
# cut -d: -f6 -s             -removes up to the 5th : and also discards lines without :'s
# cut -d= -f1 -s            -removes up to the first = and also discards lines without ='s
# omshowu -m all | cut -d "/" -f 1 | tr " " "." | sed "s/[.]*$//"   -gets usernames in normal form eg: Firstname Lastname
# omshowu -m all -i | sed '/@/d; /x/d'      -gets usernames in login form eg auser (ignoring users with x's or @'s)
# sed -e 's/text1/text2/g'       -replace one text string with another
# comm -3 file1 file2            -compare two files and show only the differences.
# ls -R /pathto/scalix/data/ | wc -l      -count all the files recursively at a given point
# wc -l domain_combined_whitelist.txt      -count number of lines in a file, output eg: 916 domain_combined_whitelist.txt
# sed "s/.gz*$//"            -remove trailing text that equals .gz
# sed "s/\..$//"            -remove .wildchar from the end of line eg file.name.5 becomes file.name
# sed -e "s@text@$text/text@g" -replace text with text containing a variable and / in it - uses @ as delimiter.
# sed -n -e :a -e '1,6!{P;N;D;};N;ba'      -remove last 6 lines
# echo "text">>filename2.html         -append some text onto the end of a file
# gzip -dc somefile.gz             -open a gzip file into stream
#



The above script has not been particularly tidied, and it is not simply portable.
Just change domain to your domain and add in your password.

This lot is in one block in sendmail.mc:


FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl 
FEATURE(`delay_checks', `friend')dnl 
FEATURE(`greet_pause', `5500') dnl   
FEATURE(`blacklist_recipients')dnl 
FEATURE(`dnsbl')dnl
define(`EDNSBL_TO',2)dnl
FEATURE(`enhdnsbl',`bl.spamcop.net')dnl 
FEATURE(`enhdnsbl',`dnsbl.sorbs.net')dnl 
FEATURE(`enhdnsbl',`zen.spamhaus.org')dnl 
FEATURE(`enhdnsbl',`psbl.surriel.com')dnl 
FEATURE(`enhdnsbl',`dnsbl-1.uceprotect.net')dnl 
FEATURE(`enhdnsbl',`no-more-funn.moensted.dk')dnl



HTH
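
As an added illustration (my code, not William's script), this Python reimplementation of the log-scraping step shows the two kinds of whitelist entry the script produces, run over a constructed sendmail log sample. It generalises the script slightly: it lower-cases before de-duplicating and matches the freemail names against the domain part only.

```python
import re

# Constructed sample sendmail log lines (not real traffic). The "to=" field is
# what the whitelist script greps for; the from= line must be ignored.
SAMPLE_LOG = """\
Sep  8 13:37:01 mail sendmail[123]: l88Dxx01: to=<Alice@Example.COM>, delay=00:00:01, stat=Sent
Sep  8 13:38:10 mail sendmail[124]: l88Dxx02: to=<bob@partner.net>,<carol@partner.net>, stat=Sent
Sep  8 13:39:22 mail sendmail[125]: l88Dxx03: to=<dave@yahoo.com>, stat=Sent
Sep  8 13:40:00 mail sendmail[126]: l88Dxx04: to=postmaster, stat=Sent
Sep  8 13:41:00 mail sendmail[127]: l88Dxx05: from=<spam@evil.example>, size=1000
"""

# Domains with far too many users to trust wholesale: only the exact
# addresses we have written to get whitelisted for these.
FREEMAIL = ("yahoo", "hotmail", "gmail", "aol")

ANGLE_ADDR = re.compile(r"<([^>]+)>")


def extract_recipients(log_text):
    """Lower-cased, de-duplicated recipient addresses from 'to=' log entries."""
    found = set()
    for line in log_text.splitlines():
        if " to=" not in line:
            continue
        field = line.split(" to=", 1)[1]          # everything after 'to='
        for addr in ANGLE_ADDR.findall(field):    # one or more <addr> tokens
            # strip quotes / trailing punctuation, then fold case BEFORE the
            # set de-duplicates (the shell script sorts before lower-casing)
            addr = addr.strip().strip("'").rstrip("'.-").lower()
            if "@" in addr:                       # skip bare local names
                found.add(addr)
    return found


def build_access_entries(addresses):
    """Sendmail access-db lines: exact addresses for freemail domains,
    whole domains for everything else."""
    by_address, by_domain = set(), set()
    for addr in addresses:
        domain = addr.rsplit("@", 1)[1]
        if any(name in domain for name in FREEMAIL):
            by_address.add("from:%s\tOK" % addr)
        else:
            by_domain.add("from:%s\tOK" % domain)
    return sorted(by_address) + sorted(by_domain)
```

Keep in mind that access-db from: entries match the envelope sender, which a spammer can forge, so with delay_checks/friend a whitelisted correspondent domain also exempts anyone forging that domain from the DNSBL checks.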
