Koozali.org: home of the SME Server

How to stop SPAM (A HowTo) on Pre-SME 5.5

Nathan Fowler

How to stop SPAM (A HowTo) on Pre-SME 5.5
« on: July 26, 2002, 11:04:24 PM »
Note this does not work on SME 5.5; SME 5.5 uses Mailfront, not Obtuse SMTPD.

I've been fighting a losing battle with SPAM, as have many people.  I often get tired of getting mail from my own domain; the messages have been spoofed.  nakedgirls@fundeals.stickit.nu doesn't exist, so why should I get mail from it, especially if I own the domain?  

After reading the Juniper smtpd_check_rules documentation I was able to craft some rules to stop those SMTP hosts and MAIL FROM addresses that are not valid (they do not have a reverse DNS lookup AND do not have a valid MX entry).  I'm now going to share some simple changes you can make to your smtpd_check_rules that will enable you to block such spam.

Below are the steps:
mkdir -p /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
cd /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
pico -w 10NotoSpammers

[Add the following lines to 10NotoSpammers:]
#Deny SMTP hosts that do not have a reverse lookup or MX entry.
deny:UNKNOWN:ALL:ALL:550 Your SMTP server's IP of %I does not have a reverse lookup or MX entry, as a result your message to %T was not delivered. Please contact your mail administrator and inform them of the problem.

#Deny MailFrom addresses that do not have a reverse lookup or MX entry.
deny:ALL:NS=UNKNOWN:ALL:550 Your MAIL FROM address of %F does not have a reverse lookup or MX entry, as a result your message to %T was not delivered.  Please contact your mail administrator and inform them of the problem.

[Save the file 10NotoSpammers]
/sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules

[If you are using my pop-before-smtp code be sure you:]
rm -rf /var/pop-before-smtp/IP/*

Rejoice in knowing that you've just helped eliminate invalid E-Mails, most of which will be SPAM.

Hope this helped,
Nathan

Nathan Fowler

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #1 on: July 26, 2002, 11:05:34 PM »
Note the "deny:" lines in the 10NotoSpammers should all be one line.  HTML has caused the text to wrap.  It is vital that these configuration rules are each on a separate line and do not wrap.

Darrell May

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #2 on: July 26, 2002, 11:56:56 PM »
Nathan Fowler wrote:

> /sbin/e-smith/expand-template
> /var/spool/smtpd/etc/smtpd_check_rules

Replace the above with:

/sbin/e-smith/signal-event email-update

This is needed to restart all the services and load the new smtpd_check_rules settings.

Regards,

Darrell

Nathan Fowler

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #3 on: July 27, 2002, 12:00:09 AM »
Actually, changes to the smtpd_check_rules file are seen in real-time, smtpd services do not need to be restarted to activate changes made to that file.  

But thanks Darrell :)

Nathan Fowler

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #4 on: July 27, 2002, 01:10:10 AM »
If you wish to be more restrictive about the root level domain then instead use:

#Deny SMTP hosts that do not have a reverse lookup or MX entry.
deny:NS=UNKNOWN:ALL:ALL:550 Your SMTP server's IP of %I does not have a reverse lookup or MX entry, as a result your message to %T was not delivered. Please contact your mail administrator and inform them of the problem.

as opposed to:

#Deny SMTP hosts that do not have a reverse lookup or MX entry.
deny:UNKNOWN:ALL:ALL:550 Your SMTP server's IP of %I does not have a reverse lookup or MX entry, as a result your message to %T was not delivered. Please contact your mail administrator and inform them of the problem.

Using "Unknown" will attempt to find a DNS entry for the root level domain; NS=UNKNOWN matches the entire FQDN string and does not attempt to chop until it finds the root domain:

IE:
Using "Unknown" will allow this.is.a.fake.domain.from.yahoo.com to proceed because the DNS entry for the root level domain "Yahoo.com" is present.  Using the "NS=UNKNOWN" will not allow this entry because the FQDN does not exist.

Nathan

Nathan Fowler

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #5 on: July 27, 2002, 01:53:32 AM »
Note that if you use the restrictive set be sure to include "NS=UNKNOWN EXCEPT 127.0.0.1" or your webmail client will have trouble sending mail.

Randy Brown

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #6 on: July 28, 2002, 12:51:26 AM »
Wow this is great !

In the world of spam that we live in....
Thanks man! : )

As long as I don't lose any good e-mail we are good.

Jeff Coleman

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #7 on: July 28, 2002, 11:22:41 AM »
Nathan,

Quick clarification.  The syntax would be:

deny:NS=UNKNOWN EXCEPT 127.0.0.1:ALL:ALL:550 blah blah

Yes?

-jeff

Eric Belhomme

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #8 on: July 28, 2002, 03:12:40 PM »
Did you try it on an official 5.5 release before saying it doesn't work? D. May said in a previous post that smtpfront works like obtuse smtp, so that's why it isn't well documented???

I would try your howto on my SME 5.5 box, but as it's a production server...

Best regards

Eric Belhomme

Craig Jensen

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #9 on: July 29, 2002, 01:28:28 AM »
I too would be interested in answers to Eric's question here.  Running 5.5 hosting several web sites, so I want to keep it functioning :-)

Craig Jensen

Darrell May

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #10 on: July 29, 2002, 11:16:30 PM »
SME 5.5 does not support any smtpcheckrules.  Obtuse smtpd has been completely replaced with mailfront (http://untroubled.org/mailfront/).  Mailfront currently supports qmail validation only (http://untroubled.org/mailfront/qmail-validate.html).

If you need smtpdcheckrules, stick with SME 5.1.2 and upgrade only the individual packages you need from 5.5.

Darrell

Nate

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #11 on: August 01, 2002, 10:08:57 PM »
deny:UNKNOWN:ALL:ALL:550
Too bad my home server can't send to my work server when that is enabled (as well as a few other servers I know of).  I use dyndns and it rejects my home IP address when I send mail.  Just FYI.

Nathan Fowler

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #12 on: August 04, 2002, 05:53:03 AM »
Guys (Esp Nate), remember you can use the EXCEPT rule to add those mail servers or clients that need access to the box:

IE:
deny:UNKNOWN EXCEPT 192.168.0.1,127.0.0.1:ALL:ALL:550 Blah blah, you eat bugs.

I've had to add several IPs to the EXCEPT ruling, and the reason why I haven't replied to these emails is that the forum mail server for e-smith does not have a reverse DNS, so the messages have been bouncing back, hah!

216.191.234.126 is the E-Smith forum smtp server, so be sure to add this to the exception list.

Darrell, thanks for your help in answering this stuff while I was out.

Thanks,
Nathan
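To make the UNKNOWN versus NS=UNKNOWN distinction from Reply #4, the EXCEPT handling from Replies #5 and #12, and Nate's dyndns case from Reply #11 concrete, here is an added Python simulation (not Obtuse SMTPD's own code and not part of the original thread) that evaluates the source and MAIL FROM fields of deny rules against a constructed DNS table instead of real lookups. The chop-to-root behaviour of UNKNOWN is modelled as the thread describes it; that, and the exact EXCEPT syntax, are assumptions, and the recipient field is not modelled.

```python
# Added simulation, not Obtuse SMTPD's code: UNKNOWN / NS=UNKNOWN / EXCEPT
# semantics as this thread describes them, against a constructed DNS table.
PTR = {                                   # constructed IP -> PTR name
    "192.0.2.10": "mail.example.com",
    "198.51.100.7": "dsl-7.isp.example",                    # dyndns-style host
    "203.0.113.4": "this.is.a.fake.domain.from.yahoo.com",  # Reply #4's case
}
RESOLVABLE = {"mail.example.com", "example.com", "yahoo.com"}  # have A or MX

def name_known(name):
    """NS=UNKNOWN semantics: the exact FQDN itself must resolve."""
    return name in RESOLVABLE

def domain_known(name):
    """UNKNOWN semantics (Reply #4): chop leading labels until a parent domain,
    down to the root domain, resolves. An empty name (no PTR) is never known."""
    labels = name.split(".")
    return any(name_known(".".join(labels[i:])) for i in range(len(labels) - 1))

def field_matches(pattern, subject, to_name):
    """One rule field: ALL | UNKNOWN | NS=UNKNOWN, optionally 'EXCEPT a,b,c'.
    to_name maps the subject (IP or address) to the DNS name to test ('' if none)."""
    base, _, exc = pattern.partition(" EXCEPT ")
    if exc and subject in {x.strip() for x in exc.split(",")}:
        return False                                   # explicitly exempted
    if base == "ALL":
        return True
    if base == "UNKNOWN":
        return not domain_known(to_name(subject))
    if base == "NS=UNKNOWN":
        return not name_known(to_name(subject))
    raise ValueError(f"unsupported pattern: {base}")

def check_rules(rules, ip, mail_from):
    """550 text of the first matching deny rule, or None to accept (RCPT field ignored)."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, frm, _rcpt, msg = line.split(":", 4)
        if action == "deny" and field_matches(src, ip, lambda i: PTR.get(i, "")) \
                and field_matches(frm, mail_from, lambda a: a.rpartition("@")[2]):
            return msg.replace("%I", ip).replace("%F", mail_from)
    return None

# Constructed rule set: the thread's two rules plus Reply #12's EXCEPT list.
RULES = """\
deny:UNKNOWN EXCEPT 192.168.0.1,127.0.0.1:ALL:ALL:550 Host %I has no reverse lookup or MX entry
deny:ALL:NS=UNKNOWN:ALL:550 MAIL FROM %F has no reverse lookup or MX entry
"""
```

Swapping the first rule's source field to NS=UNKNOWN (the restrictive set from Reply #4) makes the yahoo.com-suffixed fake host fail, while 127.0.0.1 still passes via EXCEPT.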

Tom Carroll

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #13 on: November 05, 2002, 09:35:30 AM »
Nathan, I am trying to fight the spammers myself.  Here's what I have in my smtpd_check_rules on my SME 5.1.2 server:

deny:UNKNOWN EXCEPT ...:ALL:ALL:550 blah blah...
deny:ALL:NS=UNKNOWN:ALL:550 blah blah...
deny:NS=UNKNOWN EXCEPT 127.0.0.1:ALL:ALL:550 blah blah...

Is this right?  See any problems?

Tom

Steven Thomson

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #14 on: December 04, 2002, 01:40:04 AM »
I have put all of the above in place....
Thanks for the great ideas...
now....do the results of the rejected mails get logged anywhere to see what is happening ?
I'm not sure if it is functioning correctly.

Nathan Fowler

Re: How to stop SPAM (A HowTo) on Pre-SME 5.5
« Reply #15 on: December 04, 2002, 05:23:34 AM »
Steven, hang tight, I've got another thread you'll want to check out.  Give me until tomorrow morning.

12/03/2002 8:24 PM CST
Nathan