Tuesday, January 25, 2011

How to configure a Linux Mail Server -7


Fighting SPAM

Unsolicited Commercial Email (UCE or SPAM) can be annoying, time-consuming to delete, and in some cases dangerous when it contains viruses and worms. Fortunately, there are ways you can use your mail server to combat SPAM.



Using Public SPAM Blacklists With Sendmail

There are many publicly available lists of known open mail relay servers and spam generating mail servers on the Internet. Some are maintained by volunteers, others are managed by public companies, but in all cases they rely heavily on complaints from spam victims. Some spam blacklists simply try to determine whether the e-mail is coming from a legitimate IP address.

The IP addresses of offenders usually remain on the list for six months to two years. In some cases, to provide additional pressure on the spammers, the blacklists include not only the offending IP address but also the entire subnet or network block to which it belongs. This prevents the spammers from easily switching their servers' IP addresses to the next available ones on their networks. Also, if the spammer uses a public data center, their activities could cause the IP addresses of legitimate e-mailers to be blacklisted too. It is hoped that these legitimate users will pressure the data center's management to evict the spamming customer.

You can configure sendmail to use its dnsbl feature to both query these lists and reject the mail if a match is found. Here are some sample entries you can add to your /etc/sendmail.mc file; each entry should be on a single line.

• RFC-Ignorant: A valid IP address checker.

FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')

• Easynet: An open proxy list.

FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl

• The Open Relay Database: An open mail relay list.

FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq//#why_rejected"')dnl

• Spamcop: A spammer blacklist.

FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')

• Spamhaus: A spammer blacklist.

FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl

Be sure to visit the URLs listed to learn more about the individual services.
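What a DNSBL query looks like on the wire, as an added example (not sendmail's code and not from the original page): the client IP's octets are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means "listed". The resolver table below is constructed so the example runs offline; only the IP address and zone names come from this page.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch covers IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Map each zone to its A-record answer if the IP is listed, else None."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            # No record (or a failed lookup): treated here as "not listed",
            # so a DNS outage does not block mail. That is a choice of this sketch.
            results[zone] = None
            continue
        # Only answers in 127.0.0.0/8 mean "listed"; anything else (for example
        # a parked or wildcarded zone) must not cause a rejection.
        listed = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
        results[zone] = answer if listed else None
    return results

# Constructed resolver data so the example runs offline. The IP and zone names
# appear on this page; the answers are made up for illustration.
FAKE_DNS = {
    "3.106.185.213.sbl.spamhaus.org": "127.0.0.2",
    "3.106.185.213.relays.ordb.org": "203.0.113.10",  # non-127/8 answer
}

def fake_resolve(name):
    """Stand-in for socket.gethostbyname backed by FAKE_DNS."""
    if name not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FAKE_DNS[name]

if __name__ == "__main__":
    zones = ["sbl.spamhaus.org", "bl.spamcop.net", "relays.ordb.org"]
    for zone, answer in check_dnsbl("213.185.106.3", zones, fake_resolve).items():
        print(zone, "LISTED " + answer if answer else "not listed")
```

Running the same check by hand against each list before adding its FEATURE line confirms that the zone still answers sensibly for an address you know to be clean.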



Spamassassin

Once sendmail receives an e-mail message, it hands the message over to procmail, which is the application that actually places the e-mail in user mailboxes on the mail server. You can make procmail temporarily hand over control to another program, such as a spam filter. The most commonly used filter is spamassassin.

spamassassin doesn't delete spam; it merely adds the word "spam" to the beginning of the subject line of suspected spam e-mails. You can then configure the e-mail filter rules in Outlook Express or any other mail client to either delete the suspect message or store it in a special Spam folder.



Downloading And Installing Spamassassin

Most RedHat and Fedora Linux software products are available in the RPM format. When searching for the RPMs, remember that the filename usually starts with the software package name and is followed by a version number, as in spamassassin-2.60-2.i386.rpm. (For help downloading, see Chapter 6, "Installing RPM Software").

Starting Spamassassin

You can use the chkconfig command to get spamassassin configured to start at boot:

[root@bigboy tmp]# chkconfig --level 35 spamassassin on

To start, stop, and restart spamassassin after booting:

[root@bigboy tmp]# service spamassassin start

[root@bigboy tmp]# service spamassassin stop

[root@bigboy tmp]# service spamassassin restart



Configuring procmail for spamassassin

The /etc/procmailrc file is used by procmail to determine the procmail helper programs that should be used to filter mail. This file isn't created by default.

spamassassin has a template you can use called /etc/mail/spamassassin/spamassassin-spamc.rc. Copy the template to the /etc directory.

[root@bigboy tmp]# cp /etc/mail/spamassassin/spamassassin-spamc.rc /etc/procmailrc



Configuring Spamassassin

The spamassassin configuration file is named /etc/mail/spamassassin/local.cf. A full listing of all the options available in the local.cf file can be found in the Linux man pages using the following command:

[root@bigboy tmp]# man Mail::SpamAssassin::Conf

You can customize this fully commented sample configuration file to meet your needs.

###################################################################
# See 'perldoc Mail::SpamAssassin::Conf' for
# details of what can be adjusted.
###################################################################

#
# These values can be overridden by editing
# ~/.spamassassin/user_prefs.cf (see spamassassin(1) for details)
#

# How many hits before a message is considered spam. The lower the
# number the more sensitive it is.

required_hits 5.0

# Whether to change the subject of suspected spam (1=Yes, 0=No)
rewrite_subject 1

# Text to prepend to subject if rewrite_subject is used
subject_tag *****SPAM*****

# Encapsulate spam in an attachment (1=Yes, 0=No)
report_safe 1

# Use terse version of the spam report (1=Yes, 0=No)
use_terse_report 0

# Enable the Bayes system (1=Yes, 0=No)
use_bayes 1

# Enable Bayes auto-learning (1=Yes, 0=No)
auto_learn 1

# Enable or disable network checks (1=Yes, 0=No)
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english

ok_languages en

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.

ok_locales en

Be sure to restart spamassassin for your changes to take effect.



Testing spamassassin

You can test the validity of your local.cf file by using the spamassassin command with the --lint option. This will list any syntax problems that may exist. In this example two errors were found and corrected before the command was run again.

[root@bigboy tmp]# spamassassin -d --lint
Created user preferences file: /root/.spamassassin/user_prefs
config: SpamAssassin failed to parse line, skipping: use_terse_report 0
config: SpamAssassin failed to parse line, skipping: auto_learn 1
lint: 2 issues detected. please rerun with debug enabled for more information.
[root@bigboy tmp]# vi /etc/mail/spamassassin/local.cf
...
...
...
[root@bigboy tmp]# spamassassin -d --lint
[root@bigboy tmp]#



Startup spamassassin

The final steps are to configure spamassassin to start on booting and then to start it.

[root@bigboy tmp]# chkconfig spamassassin on
[root@bigboy tmp]# service spamassassin start
Starting spamd: [ OK ]
[root@bigboy tmp]#


Tuning spamassassin

You can tune the sensitivity of spamassassin to the type of spam you receive by adjusting the required_hits value in the local.cf file. This is easier if you view the score spamassassin assigns to a message in its header. In most GUI-based e-mail clients this can be done by looking at the e-mail's properties. In this case, a Nigerian e-mail scam message was detected, given a score of 20.1, and marked as spam.

X-Spam-Status: Yes, score=20.1 required=2.1 tests=DEAR_FRIEND,
    DNS_FROM_RFC_POST,FROM_ENDS_IN_NUMS,MSGID_FROM_MTA_HEADER,NA_DOLLARS,
    NIGERIAN_BODY1,NIGERIAN_BODY2,NIGERIAN_BODY3,NIGERIAN_BODY4,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL,RISK_FREE,SARE_FRAUD_X3,
    SARE_FRAUD_X4,SARE_FRAUD_X5,US_DOLLARS_3 autolearn=failed
    version=3.0.4
X-Spam-Report:
* 0.5 FROM_ENDS_IN_NUMS From: ends in numbers
* 0.2 RISK_FREE BODY: Risk free. Suuurreeee....
* 0.4 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
* 0.8 DEAR_FRIEND BODY: Dear Friend? That's not very dear!
* 2.2 NA_DOLLARS BODY: Talks about a million North American dollars
* 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see ]
* 1.1 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
* [213.185.106.3 listed in sbl-xbl.spamhaus.org]
* 1.4 DNS_FROM_RFC_POST RBL: Envelope sender in postmaster.rfc-ignorant.org
* 1.9 NIGERIAN_BODY3 Message body looks like a Nigerian spam message 3+
* 2.9 NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+
* 1.4 NIGERIAN_BODY4 Message body looks like a Nigerian spam message 4+
* 1.7 SARE_FRAUD_X5 Matches 5+ phrases commonly used in fraud spam
* 0.5 NIGERIAN_BODY2 Message body looks like a Nigerian spam message 2+
* 1.7 SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam
* 1.7 SARE_FRAUD_X4 Matches 4+ phrases commonly used in fraud spam
* 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
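
One way to use that report when choosing a required_hits value, as an added example that is not part of the original page: the script parses the X-Spam-Report lines shown above, totals the per-rule scores, and separates out the share that depends on the RBL lookups, so you can see whether a message would still be tagged if the blacklists were unreachable. The function names are hypothetical.

```python
import re
from decimal import Decimal

# X-Spam-Report lines copied from the sample header on this page.
REPORT = """\
* 0.5 FROM_ENDS_IN_NUMS From: ends in numbers
* 0.2 RISK_FREE BODY: Risk free. Suuurreeee....
* 0.4 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
* 0.8 DEAR_FRIEND BODY: Dear Friend? That's not very dear!
* 2.2 NA_DOLLARS BODY: Talks about a million North American dollars
* 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see ]
* 1.1 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
* [213.185.106.3 listed in sbl-xbl.spamhaus.org]
* 1.4 DNS_FROM_RFC_POST RBL: Envelope sender in postmaster.rfc-ignorant.org
* 1.9 NIGERIAN_BODY3 Message body looks like a Nigerian spam message 3+
* 2.9 NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+
* 1.4 NIGERIAN_BODY4 Message body looks like a Nigerian spam message 4+
* 1.7 SARE_FRAUD_X5 Matches 5+ phrases commonly used in fraud spam
* 0.5 NIGERIAN_BODY2 Message body looks like a Nigerian spam message 2+
* 1.7 SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam
* 1.7 SARE_FRAUD_X4 Matches 4+ phrases commonly used in fraud spam
* 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
"""

RULE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+(\S+)\s+(.*)$", re.M)

def parse_report(text):
    """Return [(rule, score, description)]; bracketed detail lines are skipped."""
    return [(m[2], Decimal(m[1]), m[3]) for m in RULE.finditer(text)]

def breakdown(text):
    """Total of the listed scores, and the part contributed by RBL rules."""
    rules = parse_report(text)
    total = sum((s for _, s, _ in rules), Decimal(0))
    network = sum((s for _, s, d in rules if d.startswith("RBL:")), Decimal(0))
    return {"total": total, "network": network, "content_only": total - network}

def tagged_at(text, required_hits, network_tests=True):
    """Would the message be tagged at this threshold, with or without RBL hits?"""
    b = breakdown(text)
    score = b["total"] if network_tests else b["content_only"]
    return score >= Decimal(str(required_hits))
```

For this message the listed scores sum to 20.2 (the per-rule figures are shown to one decimal place, so the sum can differ slightly from the header's 20.1), and 15.9 remains without the three RBL rules, still well above the required_hits 5.0 in the sample local.cf.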

Limiting your spam fighting efforts to the required_hits value isn't usually adequate. You will probably need additional spamassassin tools to be more selective and accurate in your tests. This will be covered next.
