UNIX System Administration Handbook - Evi Nemeth [352]
Folks that sell email addresses to spammers have recently started to use a form of dictionary attack to ferret out unknown addresses. Starting with a list of common last names, the scanning software adds different first initials in hopes of hitting on a valid email address. To check the addresses, the software connects to the mail servers at, say, 50 large ISPs and does a VRFY on each of zillions of addresses.
This probing has a huge impact on your mail server and its ability to deliver your customers’ legitimate mail. sendmail can deal with this situation through the use of the PrivacyOption goaway which is covered starting on page 610. But the smarter spam software is very robust; if VRFY is blocked, they try EXPN, and if both are blocked they try RCPT. They can try millions of addresses that way and never send a single message—it sure keeps your mail server busy, though.
sendmail has added some very nice features to help with spam control and also to help with the occasional mail-borne computer virus. Unfortunately, most ISPs must pass along all mail, so these features may be too draconian for customer policy (or then again, maybe they aren’t). However, the features can be used to great effect at the end user’s site.
There are four types of spam control features:
• Rules that control relaying, which is the use of your mail server by one off-site user to send mail to another off-site user. Spammers often use relaying in an attempt to mask the true source of their mail and therefore avoid detection by their ISPs. It also lets them use your cycles and save their own. That’s the killer.
• The access database, which allows mail to be filtered by address, rather like a firewall for email.
• Blacklists containing open relays and known spam-friendly sites that sendmail can check against.
• Header checking, the beginnings of a powerful feature that we may see in sendmail version 9. It allows arbitrary scanning of messages and lets you reject any messages that match a particular profile.
We describe these new features here and then look at a couple of pieces of spam we received today to see how we might have tuned our mail system to recognize and reject them automatically.
Relaying
sendmail and other mail transport agents accept incoming mail, look at the headers and envelope addresses, decide where the mail should go, and then pass it along to an appropriate destination. That destination can be local, or it can be another transport agent further along in the delivery chain. When an incoming message has no local recipients, the transport agent that handles it is said to be acting as a relay.
Prior to sendmail version 8.9, promiscuous relaying (also called open relaying) was on by default. sendmail would accept any message presented to it on port 25 and try its best to make the delivery. It was the neighborly Internet thing to do.
Unfortunately, spammers started to abuse relaying; they exploited it to disguise their identities and, more importantly, to use your bandwidth and cycles instead of their own. It is now considered very bad to configure your mail server as an open relay.
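As an added illustration of the two abuses described above (the VRFY/EXPN/RCPT dictionary probing and third-party relaying), here is a small session analyzer that is not part of the handbook; it runs over a constructed SMTP command log in a format of my own, and the hosted domain, local network prefix and threshold are assumptions.

```python
"""Flag dictionary-style address probing and relay attempts in SMTP session logs.
Added example, not from the handbook; log format and all values are constructed."""
from collections import defaultdict
from string import ascii_lowercase

LOCAL_DOMAINS = {"example.com"}    # assumption: domains this server accepts mail for
LOCAL_NETS = ("192.0.2.",)         # assumption: address prefix of our own clients
PROBE_THRESHOLD = 20               # distinct addresses tried in one session with no DATA
PROBE_CMDS = {"VRFY", "EXPN", "RCPT"}   # the three commands the probing software cycles through

def build_sample_log():
    """Constructed log records: (client_ip, session_id, command, argument). Not real traffic."""
    log = []
    # Dictionary probe from an off-site host: common last name plus every first initial, never DATA.
    for initial in ascii_lowercase:
        log.append(("198.51.100.7", 1, "VRFY", f"{initial}smith@example.com"))
    # Legitimate delivery from one of our own clients to a local mailbox.
    log += [("192.0.2.10", 2, "MAIL", "alice@example.com"),
            ("192.0.2.10", 2, "RCPT", "bob@example.com"),
            ("192.0.2.10", 2, "DATA", "")]
    # Off-site client asking us to deliver to another off-site domain: a relay attempt.
    log += [("203.0.113.5", 3, "MAIL", "promo@spam.invalid"),
            ("203.0.113.5", 3, "RCPT", "victim@elsewhere.invalid"),
            ("203.0.113.5", 3, "DATA", "")]
    return log

def domain_of(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()

def is_local_client(ip):
    return ip.startswith(LOCAL_NETS)

def analyze(log):
    """Return {session_id: set of flags}; flags are 'probe' and 'relay'."""
    tried = defaultdict(set)      # session -> distinct addresses tested via VRFY/EXPN/RCPT
    saw_data = set()              # sessions that actually submitted a message
    flags = defaultdict(set)
    for ip, sid, cmd, arg in log:
        if cmd in PROBE_CMDS:
            tried[sid].add(arg.lower())
            # Relay: neither the client nor the recipient domain is ours.
            if cmd == "RCPT" and not is_local_client(ip) and domain_of(arg) not in LOCAL_DOMAINS:
                flags[sid].add("relay")
        elif cmd == "DATA":
            saw_data.add(sid)
    for sid, addrs in tried.items():
        # Probe: many distinct addresses checked but no message ever sent.
        if len(addrs) >= PROBE_THRESHOLD and sid not in saw_data:
            flags[sid].add("probe")
    return dict(flags)
```

A session that trips `probe` is a candidate for the goaway privacy option or a connection-rate limit; one that trips `relay` shows what an open-relay check at RCPT time should reject.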
It makes sense to worry about not only your own relaying policy, but also that of other sites. After all, any mail you receive from an open relay is probably spam. Paul Vixie, an avid spam-hater, and the Open Relay Behavior-modification System (ORBS) project have both collected databases of IP addresses that run open relays. sendmail can easily be configured to use those databases as a blacklist and to reject any mail that arrives from one of those addresses. The ORBS folks provide an automatic way to get yourself removed from their list if you fix your open relay, so being blacklisted is an easily remediable condition.
One site estimated that between one-third and one-half of all mail servers are configured as open relays today (Spring, 2000). ORBS statistics show a minimum of 15%.
Starting