Admin Digest: Stopping Spam with Linux

By: Rob Reilly
Monday, March 24, 2003 09:38:14 AM EST
URL: http://www.linuxplanet.com/linuxplanet/tutorials/4724/1/

Server-Side Solutions

If you have used email at all you have seen spam: unsolicited and unwanted email. The way that email works means that it is very easy to send out bulk mailings at a very low cost. The cost is low because largely it is the receiver of the email that pays. If you read email on a dialup modem line or pay for your Internet connection, then in a real sense you are paying for the spam you get.

Often it is difficult for ISPs to block spam to everyone. This is because the ISPs do not know which email items you want to receive and which ones you do not. The ISP cannot predict in advance what email you have an expectation of getting and from where. It would also be inappropriate for ISPs to screen the content of the messages. There would also be privacy issues. However, there are certain approaches that can be taken at the email server side. If you have recently installed Linux and are thinking of running your own email server, then you should carefully consider the problem of spam.

Focus on sendmail

Sendmail is the most widely used MTA (Mail Transport Agent) on the Internet. It's an old, large, complex and not particularly efficient program. In particular it has a bad reputation for being difficult to configure. Whatever email server program you choose to use, though, blocking spam is still an important issue. The concepts outlined below are applicable to any type of server program. If you already run sendmail, I would recommend upgrading to the latest version. That way you can take advantage of any security patches or new features.

Disallow Relay

The most basic thing you should do is prevent your machine from being used as a place from which to send spam. Fortunately, as of sendmail version 8.9, forwarding (relaying) is turned off by default. That's a big help, but it does mean some configuration is required if you need to allow forwarding. You sure don't want other people using your email server to do their dirty work. Take a look at www.sendmail.org for information on how to set up sendmail to forward messages.

The next level of sophistication is to keep a list of addresses and sites to block. For instance, if you notice that a lot of junk email is coming in from 'cyberpromo.com', you will want to block that site. The way to do this is with the 'check_mail' ruleset. This method will prevent delivery from the sites you list. However, it may be difficult to keep track of where the spam is coming from, and time-consuming to maintain a current list of sites that allow spam. Paul Vixie maintains the MAPS Realtime Blackhole List, which is queried through DNS (in non-technical terms: it works from anywhere on the Internet, quickly and with minimal fuss), and to use it you only need to add a couple of lines to your 'check_mail' ruleset.
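To make the two lookups above concrete, here is an added illustration (not code from the article or from sendmail) of what a 'check_mail'-style decision does: first a local block list keyed by sender domain, then a DNS-based blackhole list query, in which the client's IP octets are reversed, the list zone is appended, and an A record in 127.0.0.0/8 means "listed". The block list, the zone name dnsbl.example.net and the listed address are constructed for the demo, and a stand-in resolver replaces real DNS so it runs offline.

```python
import socket

# Constructed block list in the spirit of sendmail's access map; a listed
# domain also covers its subdomains.
BLOCKED_DOMAINS = {"cyberpromo.com"}
# Constructed DNSBL answers so the demo runs offline; a real list is queried
# over DNS, which is what the default resolver socket.gethostbyname does.
CONSTRUCTED_LISTINGS = {"10.2.0.192.dnsbl.example.net": "127.0.0.2"}

def constructed_resolver(name):
    """Stand-in for DNS: return the A record, or raise gaierror for NXDOMAIN."""
    if name in CONSTRUCTED_LISTINGS:
        return CONSTRUCTED_LISTINGS[name]
    raise socket.gaierror(-2, "Name or service not known")

def domain_blocked(sender_domain, blocked=BLOCKED_DOMAINS):
    """True if sender_domain or any of its parent domains is listed."""
    labels = sender_domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def dnsbl_query_name(ipv4, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ipv4, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer when the address is listed, else None.
    A listed address has an A record in 127.0.0.0/8; an unlisted one gets
    NXDOMAIN, which gethostbyname reports as socket.gaierror."""
    try:
        answer = resolve(dnsbl_query_name(ipv4, zone))
    except socket.gaierror:
        return None
    return answer if answer.startswith("127.") else None

def check_mail(sender, client_ip, zone, resolve=socket.gethostbyname):
    """Mimic a check_mail decision: reject on a block-list or DNSBL hit."""
    domain = sender.rsplit("@", 1)[-1]
    if domain_blocked(domain):
        return "REJECT", "sender domain %s is on the local block list" % domain
    hit = dnsbl_listed(client_ip, zone, resolve)
    if hit:
        return "REJECT", "client %s listed in %s (%s)" % (client_ip, zone, hit)
    return "OK", "accepted"

if __name__ == "__main__":
    for sender, ip in [("x@cyberpromo.com", "192.0.2.1"), ("a@example.org", "192.0.2.10")]:
        print(sender, ip, check_mail(sender, ip, "dnsbl.example.net", constructed_resolver))
```

Replace constructed_resolver with the default (real DNS) and a real list zone to query an actual blackhole list; the rest of the logic is unchanged.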

Vipul's Razor does a similar job. It uses an extensive set of rules to figure out what is spam and what isn't. It goes a step further than the 'check_mail' approach and updates a network database that tracks spam signatures. As users identify new spam messages, the server databases are updated. Subsequent users benefit from the updated database of spam signatures, and matching messages can then be filtered locally on their machines.

spamassassin.org examines mail headers and text content to see if they match a particular spam signature. It can then tag the mail message in question for filtering by the user's email reader program. SpamAssassin is a great complement to Vipul's Razor.

Tools to Trace the Source of Spam

Fret not! If your best efforts to block spam at the receiving end fail, Linux can still help you!

To complain back to the source of the mail, you can look up the people that run the spam site with the whois command. Just use the left-hand side of the address as input.

whois xxxxxxx.com

You'll get a listing of the registrant's address, city, state, phone number, etc. There is also usually a 'Technical Contact' section. Might be time to call or send an email to that contact. They may not even be aware of a spam problem.

traceroute

Figuring out the 'upstream' Internet providers to the spam site can be done by using the traceroute command. Traceroute shows all the hops needed to get to a certain Internet address. For example type:

traceroute 24.27.213.208

nslookup and dig

If traceroute and whois can't seem to find the right-hand part of the email address, then nslookup or dig may be able to turn up a usable address related to the mystery address. Please refer to the online documentation for more details.

Wrapping Up

All of the solutions outlined in this article work on the server regardless of the email client used to read mail. So you could implement a spam-blocking policy on a Linux server and continue to read email on a different platform (Netscape on a Macintosh, for instance) while still getting the benefits of Linux!

Rob Reilly (aka "Dr. Torque") is a senior technology consultant whose work includes Linux, business systems integration, innovation training and occasional hot rodding excursions. He frequently writes and speaks about these and other topics. He has 16 years' experience in the high technology, manufacturing and utilities industries. He is always on the lookout for stories and projects that focus on Linux, business and the cutting edge. Send him a note or visit his web site at http://home.cfl.rr.com/rreilly.

Copyright Jupitermedia Corp. All Rights Reserved.