LINUX GAZETTE

"Linux Gazette...making Linux just a little more fun!"


Stopping Spam on Your Linux Box

By Suresh Ramasubramanian


If you have an e-mail account, you are no doubt getting mail that you have not asked for and do not want in your inbox: unsolicited e-mail, aka spam. What's Spam? In 3D "meatspace", it is a luncheon meat manufactured by Hormel Corp (which also owns http://www.spam.com). Spam on the net, though, is unsolicited, unwanted e-mail, frequently sent in bulk and advertising some commercial proposition. Most of the spam you probably get, and what this article deals with, is UCE/UBE (Unsolicited Commercial and/or Bulk E-Mail).

If you have a linux (or *nix) box, you have a set of powerful tools to stop all this spam from cluttering your inbox. These tools are even more useful to you if you run a production mailserver and want to stop spam from reaching your users.

The three cardinal rules of spamfighting are:

I. Prevention is better than cure. Armor yourself against spam.

Protect yourself and prevent spammers from harvesting your address. Don't expose your primary e-mail address anywhere a spammer can get at it and add it to his list. This includes /. (Slashdot), usenet, publicly archived mailing lists, web based bulletin boards - in short, anywhere online. Instead, follow one of these steps:

1. Use a "throwaway" address (say abcde@yahoo.com) when posting. If that address starts getting spammed, you can just throw it away and switch to another. To be on the safe side, "munge" the address you post to something like abcde@yahoo.com.Spammers.Suck. Spammers use robots that crawl the web harvesting anything that looks like a mail id and burn the lot onto a CD; the munged address will not deliver to you, while a human reading your post can still see what to strip.

2. If you run your own domain, use "expiring" mail addresses - addresses which will be valid for a [week|month|year], and will then cease to exist. This address can be something like me-mar31-apr31@mydomain.com. In case you don't have your own domain, heck, use me-mar31-april31@yahoo.com instead :)

3. Both these measures have a major drawback: you have to keep changing your e-mail address--faster than your girlfriend changes her hairstyle! :) If your ISP's mail server runs sendmail, you have another option - "plus" addresses.

Plus addresses are available with newer versions of sendmail (8.8 and above). Just add a plus sign and any string you want after the username and before the '@'--the mail will still be delivered properly. For instance, me+foo_bar@myisp.com will reach me: sendmail ignores everything after the plus when it works out which local mailbox to deliver to, while the tagged address stays in the headers, which is what makes it useful. For a (slightly old) FAQ on how to implement plus addressing in various MTAs (and how to use them in various mail clients) see http://www.faqs.org/faqs/mail/addressing/. (Note that some MTAs, qmail for one, use a hyphen instead of a plus sign. We'll still call them plus addresses here--but maybe we should call them "minus" addresses instead! ;D)

Obligatory disclaimer: before you start relying on plus addresses, send yourself a test mail to one and check whether it reaches you.

Plus addresses are useful because they reveal just where a spammer harvested your mail id from. For instance, if you subscribe to the Linux India Help mailing list, subscribe as you+lih@yourdomain.com (and make sure you set your mail client to post to the list only using this identity, or the list will bounce your mails). Both PINE and Mutt allow you to use different identities when posting (roles in PINE, folder hooks in mutt). Another advantage of plus addresses is that, if a plus address starts getting lots of spam, you can just send everything reaching that address to be read by Dave Null (aka /dev/null).

See Appendix #1 below for how to configure multiple identities (including plus addresses) in pine 4.x and Mutt.

II. Filter Spam before it reaches your mailbox

You can do this at the MTA level and with procmail filters. If your remote mailbox comes with a unix shell account, run the filters there rather than on your desktop linux box, so the spam is dropped before you ever download it. Naturally, for the MTA level config / patching, you have to be root :)

Procmail Filtering

Several procmail recipes are available for you to trap and /dev/null (or even complain about) most of the spam you get. The most popular one is Spambouncer by Catherine Hampton, available for free at http://www.spambouncer.org. Another excellent page is maintained by Concordia University at http://alcor.concordia.ca/topics/email/auto/procmail/spam/. You can also check out SpamDunk by Walt Dnes.

MTA level filtering (Sendmail)

As most linux boxes come with sendmail installed, I will go into slightly more detail here. Sendmail 8.8.7 (which came with Red Hat 5.1) and above have spam blocking features, which allow you to refuse mail from specific domains and from hosts listed in the MAPS RBL and other blackhole lists. In any case, upgrade to the latest version of sendmail available (8.11.3 at the time of writing, or the 8.12 betas): releases before 8.9 also relay for anyone by default.

Compiling sendmail is a really good idea (and is quite easy - with detailed instructions given in a file called INSTALL in the sendmail source tree). Or you can get prebuilt binaries in whatever format you want (rpm, deb and such).

Stock sendmail installs can reject mail (or whole SMTP connections) based on a database of access rules - see /etc/mail/access, from which you generate /etc/mail/access.db with makemap hash /etc/mail/access < /etc/mail/access (makemap adds the .db suffix itself).

/etc/mail/access can have e-mail addresses, whole domains or even specific ip addresses / ip blocks as keys, each followed by whitespace and an action: OK, RELAY, REJECT, DISCARD, or an SMTP error code with a message of your own.

	spammer@yahoo.com        550 Get lost - No spammers allowed
	spammer.com	         550 Go to hell
	192.168.212		 REJECT

would reject mail whose envelope sender is spammer@yahoo.com (with the 550 text shown), mail from any sender at spammer.com or at a host within that domain, and any SMTP connection from a host in 192.168.212.0/24, which gets sendmail's stock "550 Access denied". Domain keys cover the domain itself and everything below it; IP keys match on octet boundaries, so 192.168.212 does not catch 192.168.21.x. In sendmail 8.10 and later you can prefix a key with Connect:, From: or To: to restrict it to the client, sender or recipient check; untagged entries like the ones above apply to all three. Rebuild access.db after every edit - sendmail reads the database, not the text file. For further (extremely detailed) details, see Claus Assmann's page at http://www.sendmail.org/~ca/email/ (and the sendmail FAQ at http://www.sendmail.org/faq/ won't hurt either).
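How sendmail matches the keys above, as an added example in Python (it is not code from the article or from sendmail). It reproduces the lookup order sendmail uses for an untagged access map: for the envelope sender, the full address, then the domain and each parent domain, then user@; for the connecting client, its dotted IP with octets stripped from the right. The three ACCESS entries are the ones above; the sender and client addresses fed to the checks are made up for the example.

```python
"""How sendmail matches /etc/mail/access keys (added example, not sendmail's code).

Lookup order for an untagged map, most specific first:
  sender:  user@domain, then the domain and each parent domain, then user@
  client:  a.b.c.d, then a.b.c, a.b, a   (dotted prefixes, octet boundaries only)
The ACCESS entries are the article's; the addresses fed to the checks are made up.
"""

ACCESS = {
    "spammer@yahoo.com": "550 Get lost - No spammers allowed",
    "spammer.com": "550 Go to hell",
    "192.168.212": "REJECT",
}


def sender_keys(sender):
    """Keys sendmail tries for an envelope sender, most specific first."""
    sender = sender.strip().strip("<>").lower()
    if "@" not in sender:
        return [sender]                      # unqualified local sender
    user, domain = sender.rsplit("@", 1)
    labels = domain.split(".")
    # "spammer.com" covers senders at spammer.com and at any host within it.
    domains = [".".join(labels[i:]) for i in range(len(labels))]
    return [sender] + domains + [user + "@"]


def client_keys(ip):
    """Keys tried for the connecting client's IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    # 192.168.212.7 -> 192.168.212.7, 192.168.212, 192.168, 192
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def lookup(db, keys):
    """First key present in the map, as (key, value); (None, None) if none."""
    for key in keys:
        if key in db:
            return key, db[key]
    return None, None


def check_sender(db, sender):
    """Access map verdict on a MAIL FROM address."""
    return lookup(db, sender_keys(sender))


def check_client(db, ip):
    """Access map verdict on the connecting IP.  Not exercised when the
    message is handed to your sendmail on localhost by fetchmail."""
    return lookup(db, client_keys(ip))


def smtp_reply(value):
    """The SMTP reply a matched value produces."""
    if value in (None, "OK", "RELAY"):
        return "250 ok"                        # accepted (RELAY also permits relaying)
    if value == "REJECT":
        return "550 5.7.1 Access denied"       # sendmail's stock REJECT text
    if value == "DISCARD":
        return "250 ok"                        # accepted, then silently dropped
    if len(value) >= 3 and value[:3].isdigit():
        return value                           # "550 text" is sent verbatim
    raise ValueError("unknown access value: %r" % value)


if __name__ == "__main__":
    for sender in ("spammer@yahoo.com", "honest@yahoo.com", "<Bob@mail.spammer.com>"):
        key, value = check_sender(ACCESS, sender)
        print("MAIL FROM:<%s> -> %s (matched %r)" % (sender, smtp_reply(value), key))
    for ip in ("192.168.212.7", "192.168.21.7"):
        key, value = check_client(ACCESS, ip)
        print("connect from %s -> %s (matched %r)" % (ip, smtp_reply(value), key))
```

Run it and you will see that Bob@mail.spammer.com is caught by the spammer.com key while 192.168.21.7 sails past the 192.168.212 key: the prefix match is per octet, not per character.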

Test this by sending yourself a mail from a blacklisted address and then downloading it with fetchmail -v. This lets you watch the SMTP transaction between fetchmail and your sendmail: when fetchmail hands over the envelope sender (MAIL FROM), sendmail rejects it with the 550 from your access db, and fetchmail, which treats 550 (along with the other codes listed under its --antispam option) as a spam block, discards the message and deletes it from the server instead of bouncing it. Note that only the address and domain entries are exercised this way: the connecting host is your own machine, so IP entries never come into play. Obvious warning: never put a reject entry for your own mailhost, or for any host you collect mail from with fetchmail, into your access db--you will lose mail if you do.

You can also reject mail from all hosts listed in the MAPS RBL and other DNS based blackhole lists by enabling the dnsbl feature in sendmail.mc and rebuilding sendmail.cf. See http://www.mail-abuse.org/rbl/usage.html for more details. Bear in mind that you are then letting a list you do not run decide which mail you never see, so read the list's listing policy before you trust it.

Oh yes - make sure you are not an open relay, which spammers can abuse to relay their spam, leaving you with a clogged mailqueue, a mailbox full of thousands of bounces, angry flames from the people who got spammed and possibly a listing in the RBL (if you are slow to fix it). See http://www.sendmail.org/tips/relaying.html and http://www.orbs.org/otherresources.html for more details.

Newer versions of sendmail (8.9 and later) don't make you an open relay out of the box - if you resist the temptation to configure sendmail using linuxconf (or most other auto config tools). Create a sendmail.mc file and regenerate sendmail.cf from it. For an example, see http://www.hserus.net/sendmail.html (part of my Dialup HOWTO at http://www.hserus.net/dlhowto.html).

See Appendix #2 below for antispam measures (including closing open relays) in other MTAs

III. Complain against spammers, get them shut down.

Spam, being the insidious, creeping slime that it is, will sooner or later slip through all your filters and enter your mailbox. A linux box gives you all you need to track the spammer down - basic *nix tools like whois, nslookup, traceroute, and the best one of all: dig. The best solution is to spare a little time (less than five minutes) to send out a few complaints to the spammer's webhost, his ISP, his freemail provider - anyone and everyone who can do serious damage to the spammer. These tools are also available on the web at http://www.samspade.org.
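Before whois and dig can tell you anything, you need the right address to feed them, and a spam's headers are written partly by the spammer. The following is an added example in Python, not code from the article: it walks the Received: headers from the top (the newest hop, stamped by your own MTA) downwards, trusts a stamp only if a host you run added it, and reports the IP of the first outside host that handed the message to one of yours. Everything below that stamp was written by the spammer's relay, or by the spammer, and may be forged. OUR_HOSTS, their addresses and the two sample messages are made up for the example.

```python
"""Finding the hop a spam really came from (added example; not code from the article).

Walks the Received: headers newest-first and trusts a header only if a host we
run stamped it.  The first trusted hop that took the message from an outside
address names the IP to feed to dig -x and whois.  OUR_HOSTS and the sample
messages are made up.
"""
import re
from email import message_from_string

# Assumed: hosts we operate and their addresses.  Only their stamps are trusted.
OUR_HOSTS = {
    "mail.mydomain.example": "198.51.100.11",
    "mx.mydomain.example": "198.51.100.10",
}

# sendmail stamps "from <HELO name> (<reverse DNS> [<IP>]) by <us> ...": the
# HELO name is whatever the client claimed, the bracketed IP is what we saw.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[\w.-]+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """(helo, ip_or_None, by_host) for one Received: header, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold the header
    if not m:
        return None
    ip = IP_RE.search(m.group("comment") or "")
    return m.group("helo"), (ip.group(1) if ip else None), m.group("by").lower()


def originating_ip(raw_message, our_hosts=OUR_HOSTS):
    """IP of the first outside host to hand the message to one of ours, or
    None if the chain cannot be trusted that far."""
    our_ips = set(our_hosts.values())
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):        # newest hop first
        parsed = parse_received(value)
        if parsed is None:
            return None                                # can't parse: stop, don't guess
        helo, ip, by_host = parsed
        if by_host not in our_hosts:
            return None                                # stamped by someone else: untrusted
        if ip is None:
            continue                                   # e.g. local submission, no address
        if ip not in our_ips:
            return ip                                  # the outside hop we actually saw
        # otherwise a hop between our own hosts; keep walking down
    return None


# Constructed sample: the dialup host lies in HELO (claims to be our own mail
# host) and carries a forged "earlier" hop pointing at an innocent relay.
SAMPLE_SPAM = """\
Received: from mx.mydomain.example (mx.mydomain.example [198.51.100.10])
\tby mail.mydomain.example (8.11.3/8.11.3) with ESMTP id f4T0A1b01234
\tfor <you@mydomain.example>; Tue, 29 May 2001 10:00:01 +0530
Received: from mail.mydomain.example (pc1234.dialup.example.net [203.0.113.45])
\tby mx.mydomain.example (8.11.3/8.11.3) with SMTP id f4T09xZ01230
\tfor <you@mydomain.example>; Tue, 29 May 2001 09:59:59 +0530
Received: from relay.bigisp.example (relay.bigisp.example [10.9.8.7])
\tby pc1234.dialup.example.net with SMTP id 12345; Tue, 29 May 2001 08:00:00 +0530
From: friend@example.net
To: you@mydomain.example
Subject: MAKE MONEY FAST

Body.
"""

# Constructed sample: the top stamp is not ours, so nothing below it is trusted.
FORGED_ONLY = """\
Received: from mx.mydomain.example (mx.mydomain.example [198.51.100.10])
\tby somewhere.example (8.11.3/8.11.3) with ESMTP id x00001
From: friend@example.net
To: you@mydomain.example

Body.
"""

if __name__ == "__main__":
    ip = originating_ip(SAMPLE_SPAM)
    print("originating host:", ip)
    print("next: dig -x %s ; whois %s" % (ip, ip))
    print("untrusted chain:", originating_ip(FORGED_ONLY))
```

The point of the walk is that the bracketed IP in a stamp your own MTA wrote is the one fact the spammer could not alter; the HELO name beside it, and every stamp further down, he could.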

See Appendix #3 below for more links on tracing and reporting spam

Appendix 1

Roles in PINE - With PINE 4.x and above, press S (Setup) and R (Roles). Add as many roles as you feel like and switch between them using # (the Hash character). Or you can choose between different roles when replying to an e-mail.

Roles in Mutt - Use folder hooks, so that all outgoing mail from a particular folder has the From field set to me+tag@myisp.com. Give the default folder hook first: folder hooks are not undone when you leave a folder, so without it the tagged From would stick to every folder you open afterwards.

	folder-hook .       "my_hdr From: me@myisp.com (My Account)"
	folder-hook linux   "my_hdr From: me+linux@myisp.com (My Linux Account)"
	set envelope_from   # pass the From: address to sendmail as the envelope sender,
			    # which is what the list server checks (mutt 1.2.x and later;
			    # the option is called use_envelope_from in mutt 1.5.x)

Procmail recipe to /dev/null all mail sent to a tagged address that attracts too much spam:

	# If mail is sent to you+spam_string@yourisp.com trash it.
	# '+' and '.' are regex metacharacters in procmail, so escape them:
	# an unescaped you+spam_string would match "youuspam_string" instead.
	# No lockfile is needed (:0 rather than :0:) when the target is /dev/null.
	:0
	* ^TO_you\+spam_string@yourisp\.com
	/dev/null
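The same triage in Python, as an added example (it is not code from the article) that serves both the tagged-address idea in section I and the recipe above: it scans the recipient headers procmail's ^TO_ macro looks at, pulls the +tag out of any address at your domain, tells you which tag (hence which leak) a message arrived through, drops mail to a burned tag, and generates the procmail recipe for a burned tag with the metacharacters escaped. MY_USER, MY_DOMAIN, TAG_ORIGIN, BURNED_TAGS and the two sample messages are made up for the example.

```python
"""Tagged ("plus") address triage (added example, not code from the article).

Does what the Appendix 1 procmail recipe does, plus a note of which tag a
message came in through.  MY_USER, MY_DOMAIN, TAG_ORIGIN, BURNED_TAGS and the
sample messages are assumptions for the example.
"""
import re
from email import message_from_string
from email.utils import getaddresses

MY_USER = "you"                  # assumed local part
MY_DOMAIN = "yourisp.com"        # assumed domain
TAG_ORIGIN = {                   # assumed: where each tagged address was handed out
    "lih": "Linux India Help mailing list",
    "slashdot": "posted on Slashdot",
}
BURNED_TAGS = {"spam_string"}    # assumed: tags that now attract only spam

# The recipient headers procmail's ^TO_ macro matches on.
TO_HEADERS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc",
              "Original-To", "Original-Cc", "Original-Bcc",
              "Apparently-To", "X-Envelope-To")

# '+' and '.' are metacharacters in procmail's egrep syntax as in Python;
# unescaped, "you+spam" matches "youuuspam" rather than "you+spam".
TAGGED_RE = re.compile(
    r"^" + re.escape(MY_USER) + r"\+(?P<tag>[^@]+)@" + re.escape(MY_DOMAIN) + r"$",
    re.IGNORECASE)


def tags_in(raw_message):
    """The +tags of every address of ours found in the recipient headers."""
    msg = message_from_string(raw_message)
    values = []
    for name in TO_HEADERS:
        values.extend(msg.get_all(name, []))
    tags = []
    for _display, addr in getaddresses(values):
        m = TAGGED_RE.match(addr.strip())
        if m:
            tags.append(m.group("tag").lower())
    return tags


def triage(raw_message):
    """('discard', tag) for a burned tag, else ('deliver', where it came in through)."""
    tags = tags_in(raw_message)
    for tag in tags:
        if tag in BURNED_TAGS:
            return ("discard", tag)            # the recipe's /dev/null case
    if tags:
        origin = TAG_ORIGIN.get(tags[0], "unknown tag (never handed out by us?)")
        return ("deliver", "via +%s: %s" % (tags[0], origin))
    return ("deliver", "untagged address")


def procmail_recipe(tag):
    """Recipe that discards mail to one tagged address, metacharacters escaped."""
    addr = "%s+%s@%s" % (MY_USER, tag, MY_DOMAIN)
    pattern = re.sub(r"([.+*?\[\]()|^$\\])", r"\\\1", addr)   # egrep-style escaping
    return ":0\n* ^TO_%s\n/dev/null\n" % pattern


# Constructed sample messages.
LIST_MAIL = """\
From: someone@example.org
To: Linux India Help <lih@example.org>
Cc: you+lih@yourisp.com
Subject: Re: modem setup

Try a different init string.
"""

SPAM = """\
From: mkt@example.net
To: victims@example.net
Apparently-To: you+spam_string@yourisp.com
Subject: MAKE MONEY FAST

Send $5 to ...
"""

if __name__ == "__main__":
    print(triage(LIST_MAIL))
    print(triage(SPAM))
    print(procmail_recipe("spam_string"))
```

The generated recipe is what should go into .procmailrc for a burned tag; the escaping is the part people get wrong by hand.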

Appendix 2

QMail: See http://www.summersault.com/chris/techno/qmail/qmail-antispam.html for a detailed account of anti-spam features in qmail (several of them).

Other MTAs: Debian comes with Exim. There are other *nix MTAs as well. See http://www.mail-abuse.org/tsi/ar-fix.html (and the websites of each MTA) for a comprehensive howto.

Appendix 3

Reference links:

Suresh Ramasubramanian

Suresh is President of the Indian chapter of CAUCE, an international organization of people dedicated to fighting Spam. He is webmaster of KCircle, one of the world's most popular trivia quiz resources.


Copyright © 2001, Suresh Ramasubramanian.
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 66 of Linux Gazette, May 2001