File: suresh.html

<!--startcut  ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Stopping Spam on Your Linux Box LG #66</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png" 
	WIDTH="600" HEIGHT="124" border="0"></H1></A> 

<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
<P>
</CENTER>

<!--endcut ============================================================-->

<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P> 
<!--===================================================================-->

<center>
<H1><font color="maroon">Stopping Spam on Your Linux Box</font></H1>
<H4>By <a href="mailto:mallet@cluestick.org">Suresh Ramasubramanian</a></H4>
</center>
<P> <HR> <P>  

<!-- END header -->




<P> If you have an e-mail account, you are no doubt getting mail
that you have not asked for and do not want in your inbox: unsolicited e-mail
(aka spam).  What's Spam? In 3D "meatspace", it is a luncheon meat manufactured
by Hormel Corp (which also owns <a href="http://www.spam.com"
>http://www.spam.com</a>).  Spam on the net, though, is
unsolicited, unwanted e-mail, frequently sent in bulk and advertising
some commercial proposition. Most of the spam you probably get, and what this
article deals with, is UCE/UBE (Unsolicited Commercial and/or Bulk E-Mail).</p>

<P> If you have a linux (or *nix) box, you have a set of powerful tools to stop
all this spam from cluttering your inbox.  These tools are even more useful to
you if you run a production mailserver and want to stop spam from reaching your
users.</p>


<P>The three cardinal rules of spamfighting are:</p>


<UL>
<LI>Prevention is better than cure.  Armor yourself against spam.</LI>
<LI>Filter Spam before it reaches your mailbox</LI>
<LI>Complain to the spammer's ISP and get him shut down</LI>
</UL>

<H2>I. Prevention is better than cure.  Armor yourself against spam.</H2>


<P>Protect yourself by preventing spammers from harvesting your address.  Don't
expose your primary e-mail address anywhere a spammer can get at it and add it
to his list.  This includes places like <a href="http://www.slashdot.org"
>/.</a>, usenet, publicly archived mailing lists, web based
bulletin boards - in short, anywhere online.  Instead, use one of these
approaches:</P>


<P>1. Use a "throwaway" address (say abcde@yahoo.com) when posting.  If you
find that this address is getting spammed, you can just throw it away and
switch to another address.  To be on the safe side, when you are posting
online, "munge" your address to something like abcde@yahoo.com.Spammers.Suck.
Spammers (who use robots to crawl the web harvesting addresses and burn the
whole lot onto a CD) will then not be able to mail you, while a human reader
can still work out the real address.</P>


<P>2. If you run your own domain, use "expiring" mail addresses - addresses
which will be valid for a [week|month|year], and will then cease to exist.
This address can be something like me-mar31-apr31@mydomain.com.  In case you
don't have your own domain, heck, use me-mar31-april31@yahoo.com instead :)</p>


<P>3. Both these measures have a major drawback: you have to keep changing
your e-mail address--faster than your girlfriend changes her hairstyle! :) If
your ISP uses sendmail, you have another option - "plus" addresses.</P>

<P>Plus addresses are available with newer versions of sendmail (8.8 and
above). Just add a plus sign and any string you want after the username and
before the '@'--the mail will still be delivered properly. For instance,
me+foo_bar@myisp.com will reach me: when sendmail looks up the local user it
strips the plus and everything after it, while the full address stays visible
in the message headers (which is what makes the filtering below possible).
For a (slightly old) FAQ on how to implement plus addressing in
various MTAs (and how to use them in various mail clients) see <a
href="http://www.faqs.org/faqs/mail/addressing/"
>http://www.faqs.org/faqs/mail/addressing/</a>.  (Note that some
MTAs use a hyphen instead of a plus sign.  We'll still call them plus addresses
here--but maybe we should call them "minus" addresses instead!  
<IMG SRC="../gx/dennis/smily.gif" ALT=";D" height="24" width="20"
align="middle">)</P>


<p><EM>Obligatory disclaimer: before you start using plus addresses in your
e-mail, send yourself a test mail with a plus address and check whether it
reaches you.</EM>

<p> Plus addresses are useful because they reveal just <EM>where</EM> a
spammer harvested your address from.
For instance, if you subscribe to the Linux India Help mailing list,
subscribe to it as you+lih@yourdomain.com (and make sure you set your mail
client to post messages to the list only using this identity or the list will
bounce your mails).  Both PINE and Mutt allow you to use different identities
when posting (roles in PINE and folder hooks in mutt).  Another advantage of
plus addresses is that, if you start getting lots of spam to a plus
address, you can just send all mail reaching that address to be read by Dave
Null (aka /dev/null).  Bear in mind that the tag is no secret: anyone who sees
you+lih@yourdomain.com can strip the tag and mail you@yourdomain.com, so a plus
address tells you where a leak happened; it does not by itself stop anyone from
reaching you.</p>

<P>See <a href="#app1">Appendix #1</a> below for how to configure multiple
identities (including plus addresses) in pine 4.x and Mutt.</P>


<H2>II.	Filter Spam before it reaches your mailbox</H2>


<P>You can do this at the MTA level and by running Procmail filters.  If your
remote mailbox gives you a unix shell account, run the filters there instead of
on your desktop linux box.  Naturally, for the MTA level config / patching, you
have to be root :)</p>

<H3>Procmail Filtering</H3>


<P>Several procmail recipes are available for you to trap and /dev/null (or even
complain about) most of the spam you get.  The most popular one is Spambouncer
by Catherine Hampton.  Download for free at
<a href="http://www.spambouncer.org"
>http://www.spambouncer.org</a>. Another excellent page is
maintained by Concordia University at <a
href="http://alcor.concordia.ca/topics/email/auto/procmail/spam/"
>http://alcor.concordia.ca/topics/email/auto/procmail/spam/</a>.
You can also check out <a href="http://www.waltdnes.org/email"
>SpamDunk</a> by Walt Dnes.</p>


<H3>MTA level filtering (Sendmail)</H3>


<P>As most linux boxes come installed with sendmail, I will go into slightly
more detail here.  Sendmail 8.8.7 (which came with Redhat 5.1) and above have
spam blocking features, which allow you to deny mails from specific domains /
domains blackholed in the MAPS RBL and other blackhole lists.  In any case,
upgrade to the latest version of sendmail available (currently 8.11.3, or the
8.12 betas).</p> 


<P>Compiling sendmail is a really good idea (and is quite easy - with detailed
instructions given in a file called INSTALL in the sendmail source tree).  Or
you can get prebuilt binaries in whatever format you want (rpm, deb and
such).</p>

<P>Stock sendmail installs can reject SMTP connections from domains / addresses
based on a database of filter rules - see /etc/mail/access (and
/etc/mail/access.db, which you generate with makemap hash /etc/mail/access
&lt; /etc/mail/access; makemap appends the .db suffix itself).  Check that your
sendmail.mc has FEATURE(`access_db'), or the map is never consulted.</p>


<P>/etc/mail/access can have e-mail addresses, whole domains or even specific
ip addresses / ip blocks as keys.</p>


<pre>
	spammer@yahoo.com        550 Get lost - No spammers allowed
	spammer.com	         550 Go to hell
	192.168.212		 REJECT
</pre>

<P>would reject mail whose envelope sender is spammer@yahoo.com, mail from any
sender in spammer.com (or a subdomain of it, or from a host within the
spammer.com domain), and any connection from a host in the 192.168.212.*
netblock.  The first two are rejected at MAIL FROM with the 550 text you gave;
the last is refused for the connecting host before any mail is accepted, with
sendmail's stock "Access denied" reply.  For full details, see Claus
Assmann's page at <a href="http://www.sendmail.org/~ca/email/"
>http://www.sendmail.org/~ca/email/</a>  (and the sendmail FAQ
at <a href="http://www.sendmail.org/faq/"
>http://www.sendmail.org/faq/</a> won't hurt either).</p>
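<P>To see how these keys are matched, here is a small Python simulation of the
access map lookups.  It is an added example, not code from this article or from
sendmail.  It tries the key forms sendmail documents (user@domain, user@, the
domain and each parent domain, the client IP and each shorter dotted prefix)
and applies them in session order: connecting client, then envelope sender,
then recipient, where relaying is decided and a RELAY entry for the client's
network is what permits it.  The sample access file, the local domain list and
the reply texts are constructed; which key form wins when several match is an
assumption here, so check cf/README for your sendmail version.</P>

```python
"""Simulate sendmail's /etc/mail/access lookups.

Added example, not code from the article or from sendmail itself.  The
sample access file, LOCAL_DOMAINS and the reply texts are constructed; the
precedence among key forms is an assumption (see cf/README for your version).
Hostname keys for the connecting client are not modelled.
"""
import ipaddress

ACCESS_FILE = """\
# constructed sample access file
spammer@yahoo.com        550 Get lost - No spammers allowed
spammer.com              550 Go to hell
friend@spammer.com       OK
192.168.212              REJECT
192.168.1                RELAY
"""

LOCAL_DOMAINS = {"myisp.com"}   # assumed: domains this host delivers for


def parse_access(text):
    """Turn the access file into a dict of lower-cased key -> action."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def address_keys(address):
    """Keys tried for an envelope address, most specific first."""
    address = address.strip("<>").lower()
    local, _, domain = address.rpartition("@")
    keys = [address]
    if local:
        keys.append(local + "@")          # "user@" matches user at any domain
    labels = domain.split(".")
    keys.extend(".".join(labels[i:]) for i in range(len(labels)))
    return keys


def ip_keys(client_ip):
    """Keys tried for a connecting IPv4 client, most specific first."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        return [str(ip)]                  # IPv6 prefixes not modelled here
    octets = str(ip).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def lookup(table, keys):
    """First matching action, or None."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def as_rejection(action):
    """Map a rejecting action to (code, text); None if the action accepts."""
    if action is None or action in ("OK", "RELAY", "DISCARD"):
        return None                       # DISCARD is accepted, then dropped
    if action == "REJECT":
        return (550, "Access denied")     # exact text varies by version
    code, _, text = action.partition(" ")
    if code.isdigit():
        return (int(code), text)
    raise ValueError("unsupported access action: " + action)


def smtp_decision(table, client_ip, sender, recipient):
    """Return (stage, code, text) for the first stage that decides the fate
    of the message: 'connect' (check_relay), 'MAIL FROM' (check_mail) or
    'RCPT TO' (check_rcpt, where relaying is decided)."""
    client_action = lookup(table, ip_keys(client_ip))
    hit = as_rejection(client_action)
    if hit:
        return ("connect",) + hit

    hit = as_rejection(lookup(table, address_keys(sender)))
    if hit:
        return ("MAIL FROM",) + hit

    rcpt_domain = recipient.strip("<>").rpartition("@")[2].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return ("RCPT TO", 250, "Recipient ok")
    if client_action == "RELAY":
        return ("RCPT TO", 250, "Recipient ok (relaying permitted)")
    return ("RCPT TO", 550, "Relaying denied")


ACCESS = parse_access(ACCESS_FILE)

if __name__ == "__main__":
    for args in [("192.168.212.7", "anyone@example.org", "me@myisp.com"),
                 ("10.0.0.5", "spammer@yahoo.com", "me@myisp.com"),
                 ("10.0.0.5", "bob@mail.spammer.com", "me@myisp.com"),
                 ("10.0.0.5", "friend@spammer.com", "me@myisp.com"),
                 ("10.0.0.5", "friend@spammer.com", "victim@elsewhere.net"),
                 ("192.168.1.20", "me@myisp.com", "victim@elsewhere.net")]:
        print(args, "->", smtp_decision(ACCESS, *args))
```

<P>Two things the run makes visible: friend@spammer.com gets through although
spammer.com as a whole is blocked, because the full address is matched before
the domain, and a client on 192.168.1.* may relay to outside domains while
everyone else gets "Relaying denied" for the same RCPT TO.</P>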

<P>Test this by sending yourself a message from a blocked sender address and
then downloading it with fetchmail using the -v argument.  The verbose output
shows the SMTP transaction with your local sendmail: when sendmail rejects the
MAIL FROM with a 550 because the address is in your access db, fetchmail treats
the reply as a spam block, flushes the message and deletes it from the server.
Note that this only exercises the address and domain entries; fetchmail hands
the mail to sendmail from localhost, so IP-based entries are never consulted
this way.  <EM>Obvious warning: never put a reject entry for your own mailhost
or for any host you accept mail from using fetchmail into your access db--you
will lose mail if you do this.</EM></p>

<P>You can also reject mail from all hosts listed in the MAPS RBL and other DNS
based blackhole lists by enabling the dnsbl features in sendmail.mc and
rebuilding sendmail.cf.  See <a href="http://www.mail-abuse.org/rbl/usage.html"
>http://www.mail-abuse.org/rbl/usage.html</a> for more
details.</p>
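<P>What FEATURE(`dnsbl') does under the hood (FEATURE(`rbl') in sendmail 8.9)
is a plain DNS lookup, and it is worth understanding because a list that shuts
down or a zone that answers with a wildcard can turn the check against you.
The following Python is an added example, not code from this article or from
sendmail: it builds the reversed-octet query name and treats only an answer
inside 127.0.0.0/8 as a listing.  The zone name and the answers served by the
fake resolver are constructed so that it runs offline; to query a real list,
pass gethostbyname_resolver instead.</P>

```python
"""Query a DNS-based blackhole list (DNSBL) for a client address.

Added example, not code from the article or from sendmail.  FAKE_ZONE and
FAKE_ANSWERS are constructed stand-ins for a real list.
"""
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(client_ip, zone):
    """Build the query name: the client's octets reversed, under the zone."""
    ip = ipaddress.IPv4Address(client_ip)          # rejects garbage and IPv6
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def dnsbl_check(client_ip, zone, resolve):
    """Return ('listed', answer), ('not-listed', None) or ('error', answer).

    'error' covers answers outside 127.0.0.0/8: a list that has shut down
    and wildcarded its zone, or a parked domain, would otherwise make you
    reject every client.  Treat it as "no data", never as a listing.
    """
    answer = resolve(dnsbl_name(client_ip, zone))
    if answer is None:
        return ("not-listed", None)
    if ipaddress.IPv4Address(answer) in LISTED_RANGE:
        return ("listed", answer)
    return ("error", answer)


def gethostbyname_resolver(name):
    """Real lookup via the system resolver; None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-in for a list: one listed client, one bogus answer.
FAKE_ZONE = "bl.example.net"
FAKE_ANSWERS = {
    "10.2.0.192.bl.example.net": "127.0.0.2",   # listed (192.0.2.10)
    "20.2.0.192.bl.example.net": "10.0.0.1",    # not a valid DNSBL answer
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, dnsbl_check(ip, FAKE_ZONE, fake_resolver))
```

<P>Sendmail performs the same lookup at connection time and, on a 127.x.x.x
answer, refuses the client with a 550 reply naming the list; the last octet of
the answer is what list operators use to say why the address was listed.</P>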


<P>Oh yes - make sure you are not an open relay, which can be abused by
spammers to relay their spam, leaving you with a clogged mailqueue, a mailbox
full of thousands of bounces, angry flames from spammed people and possibly a
listing in the RBL (if you are slow to fix it).  See
<A HREF="http://www.sendmail.org/tips/relaying.html">http://www.sendmail.org/tips/relaying.html</A> and
<A HREF="http://www.orbs.org/otherresources.html">http://www.orbs.org/otherresources.html</A> for more details.</p>

<P>Newer versions of sendmail (8.9 and later) don't make you an open relay by
default--if you resist the temptation to configure sendmail using linuxconf
(or most other auto config tools).  Create a sendmail.mc file and regenerate
sendmail.cf.  For example, see
<a href="http://www.hserus.net/sendmail.html"
>http://www.hserus.net/sendmail.html</a> (part of my Dialup
HOWTO at <a href="http://www.hserus.net/dlhowto.html"
>http://www.hserus.net/dlhowto.html</a>).</p>

<P>See <a href="#app2">Appendix #2</a> below for antispam measures (including
closing open relays) in other MTAs.</P>

<H2>III. Complain against spammers, get them shut down.</H2>


<P>Spam, being the insidious, creeping slime that it is, will sooner or later
slip through all your filters and enter your mailbox.  A linux box gives you
all you need to track the spammer down - basic *nix tools like whois, nslookup,
traceroute, and the best one of all: dig. The best solution is to spare a
little time (less than five minutes) to send out a few complaints to the
spammer's webhost, his ISP, his freemail provider - anyone and everyone who can
do serious damage to the spammer.  These tools are also available on the web at
<A HREF="http://www.samspade.org">http://www.samspade.org</A>.</P>

<P>See <a href="#app3">Appendix #3</a> below for more links on tracing and
reporting spam.</P>

<H2><a name="app1">Appendix 1</a></H2>


<P>Roles in PINE - With PINE 4.x and above, press S (Setup) and R (Roles).  Add
as many roles as you feel like and switch between them using <b>#</b> (the Hash
character).  Or you can choose between different roles when replying to an
e-mail.</p>


<P>Roles in Mutt - Use folder hooks, so that all outgoing mail from a
particular folder has the From: field set to me+tag@myisp.com:</p>


<pre>
	folder-hook linux   "my_hdr From: me+linux@myisp.com (My Linux Account)"
	set envelope_from   # also sets the envelope sender, which is what the
			    # list server checks (mutt 1.2.x and above)
</pre>

<P>Procmail recipe to dev/null all mails sent to a tagged address that attracts
too much spam:</P>


<PRE>
	# If mail is sent to you+spam_string@yourisp.com trash it.
	# ^TO_ must be followed directly by the address (no space), and '+'
	# and '.' are regexp metacharacters, so escape them.  No lockfile is
	# needed when the destination is /dev/null.
	:0
	* ^TO_you\+spam_string@yourisp\.com
	/dev/null
</PRE>
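<P>The same decision in Python, as an added example that is not part of the
original article: it pulls the tag out of the To:/Cc: address, handling both
the plus and the hyphen delimiters mentioned in section I, maps it back to
where that address was given out, and decides whether to deliver, trash, or
flag a tag that was never handed to anyone.  The username, the domain and the
tag registry are assumptions made for the demonstration.</P>

```python
"""Work out where a tagged ("plus") address was harvested, and whether the
tag has been burned.

Added example, not code from the article.  Assumes the mailbox owner's bare
local part is "me" at "myisp.com", that the MTA delivers both me+tag
(sendmail style) and me-tag (hyphen style) to the same mailbox, and that
local parts are compared case-insensitively, as sendmail does for local
users.  TAG_REGISTRY is constructed: in practice it is whatever notes you
keep of which tag you handed to whom.
"""
from email.utils import parseaddr

BASE_USER = "me"
MY_DOMAIN = "myisp.com"

# constructed: tag -> (where that address was given out, burned?)
TAG_REGISTRY = {
    "lih": ("Linux India Help list", False),
    "slashdot": ("Slashdot account", True),     # already routed to Dave Null
}


def extract_tag(header_value):
    """Return the tag from a To:/Cc: header value ('' if untagged), or None
    if the address is not ours at all.  Because a local part may itself
    contain hyphens, only a leading "me-" or "me+" counts as a tag."""
    _, addr = parseaddr(header_value)
    local, sep, domain = addr.rpartition("@")
    if not sep or domain.lower() != MY_DOMAIN:
        return None
    local = local.lower()
    if local == BASE_USER:
        return ""
    for delim in ("+", "-"):
        if local.startswith(BASE_USER + delim):
            return local[len(BASE_USER) + 1:]
    return None


def classify(header_value):
    """Decide what a procmail-style filter should do with the message:
    ('deliver', source), ('trash', source), ('suspicious', tag) or
    ('not-mine', None)."""
    tag = extract_tag(header_value)
    if tag is None:
        return ("not-mine", None)
    if tag == "":
        return ("deliver", "untagged")
    if tag not in TAG_REGISTRY:
        # Nobody was ever given this tag: a guessed or dictionary-generated
        # address, worth treating with suspicion rather than delivering.
        return ("suspicious", tag)
    source, burned = TAG_REGISTRY[tag]
    if burned:
        return ("trash", source)
    return ("deliver", source)


if __name__ == "__main__":
    for hdr in ("Suresh <me+lih@MyISP.com>", "me-slashdot@myisp.com",
                "me+random123@myisp.com", "me@myisp.com",
                "someone-else@myisp.com", "me+lih@other.org"):
        print(hdr, "->", classify(hdr))
```

<P>The "suspicious" outcome is the one the procmail recipe above cannot
express: a tag you never issued means somebody is guessing at your address
space, and that is worth logging before you decide whether to deliver it.</P>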

<H2><a name="app2">Appendix 2</A></H2>


<P>QMail: See <a
href="http://www.summersault.com/chris/techno/qmail/qmail-antispam.html"
>http://www.summersault.com/chris/techno/qmail/qmail-antispam.html</a>
for a detailed account of anti-spam features in qmail (several of them).</p>

<P>Other MTAs: Debian comes with Exim.  There are other *nix MTAs as well.  See
<A HREF="http://www.mail-abuse.org/tsi/ar-fix.html">http://www.mail-abuse.org/tsi/ar-fix.html</A> 
(and the websites of each MTA) for a comprehensive howto.</p>


<H2><A NAME="app3">Appendix 3</A></H2>


<P>Reference links:</p>
<P><UL>
<LI><A HREF="http://spam.abuse.net/howtocomplain.html">The abuse.net faq</A></LI>
<LI><A HREF="http://oasis.ot.com/~dmuth/spam-l/tracking.html">The Spam-L mailing list FAQ</A></LI>
<LI><A HREF="http://www.geocities.com/SiliconValley/Lakes/5362/search.html">The
Lumber Cartel Search Page</A>--see their home page for the funny story of
just <EM>how</EM> the Lumber Cartel became an in-joke among anti-spammers</LI>
<LI><A HREF="http://www.mail-abuse.org">MAPS</A>--the Mail Abuse Prevention
System, home of the RBL, RSS and DUL blackhole lists</LI>
<LI><A HREF="http://www.orbs.org">ORBS</A>--another DNS based blackhole list</LI>
<LI><A HREF="http://spam.abuse.net">John R Levine's Network Abuse Clearinghouse</A></LI>
<LI><A HREF="http://www.cauce.org">CAUCE International</A></LI>
<LI><A HREF="http://www.india.cauce.org">CAUCE India</A></LI>
</UL>





<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P> 
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Suresh Ramasubramanian</H4>
<P><A HREF="mailto:suresh@india.cauce.org">Suresh</A> is
President of the Indian chapter of 
<A HREF="http://india.cauce.org">CAUCE</A>, an international organization of
people dedicated to fighting Spam.  He is webmaster of 
<A HREF="http://www.kcircle.com">KCircle</A>, one of the world's most popular
trivia quiz resources.</P>

<!-- *** END bio *** -->

<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P --> 
<H5 ALIGN=center>

Copyright &copy; 2001, Suresh Ramasubramanian.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR> 
Published in Issue 66 of <i>Linux Gazette</i>, May 2001</H5>
<!-- *** END copyright *** -->

<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->