Re: Spam filter software

From: Peter H. Lemieux (phl@cyways.com)
Date: 12/07/01


Date: Thu, 6 Dec 2001 22:53:06 -0500 (EST)
From: "Peter H. Lemieux" <phl@cyways.com>
To: "focus-linux@securityfocus.com" <focus-linux@securityfocus.com>

On Wed, 5 Dec 2001, Marcus.Zoller wrote:

> We are using the obtuse daemon. This is really a great tool but
> you need some time to configure it...

I've found that blocking hijackers of popular domains can cut down
enormously on spam. For instance, with the Obtuse daemon, I use rules
like these:

   # exploits of legit domains
   deny:ALL EXCEPT *hotmail.com:*hotmail.com:ALL
   deny:ALL EXCEPT *home.com:*home.com:ALL
   deny:ALL EXCEPT *yahoo.com:*yahoo.com:ALL
   deny:ALL EXCEPT *aol.com:*aol.com:ALL
   deny:ALL EXCEPT *eudoramail.com:*eudoramail.com:ALL
   deny:ALL EXCEPT *excite.com:*excite.com:ALL
   deny:ALL EXCEPT *msn.com:*msn.com:ALL
   allow:*outblaze.com:*mail.com:ALL
   allow:*mail.com:*mail.com:ALL
   deny:ALL:*mail.com:ALL

The rule format is "policy:sending server:from address:to address".
There are also powerful conditionals like EXCEPT. So the first rule says
to refuse any mail with a From address ending in hotmail.com unless it
comes from a server within the hotmail.com domain. Occasionally an MX
lookup indicates that you need to enable another server, as in the
mail.com case.

I also use the Obtuse RBL patches and have also written a number of
regex-based rules to block relaying exploits uncovered by ORBS and its
offspring. They're all variations of this approach:

   # Forbid addresses of the form somebody%some.domain@this.domain
   deny:ALL:ALL:/(.+)%(.+)@(.+)/

(Items within slashes are regular expressions.)

Another place to control spam is /etc/procmailrc on the mailbox server,
though I use this more to block evil Outlook attachments.

Peter
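As an added example (not from Peter's post and not Obtuse's own code), here is a small Python matcher that applies the rule format described above to a sending server, From address and To address, using a subset of the rules from the post. It assumes that the first matching rule wins, that no match means allow, and that `*suffix` patterns are shell-style globs; the post states none of these, so they are assumptions.

```python
import fnmatch
import re

# Rules copied from the post (subset); the harness around them is constructed.
RULES = """
# exploits of legit domains
deny:ALL EXCEPT *hotmail.com:*hotmail.com:ALL
deny:ALL EXCEPT *yahoo.com:*yahoo.com:ALL
allow:*outblaze.com:*mail.com:ALL
allow:*mail.com:*mail.com:ALL
deny:ALL:*mail.com:ALL
# Forbid addresses of the form somebody%some.domain@this.domain
deny:ALL:ALL:/(.+)%(.+)@(.+)/
"""

def match_atom(pattern, value):
    """ALL matches anything, /re/ is a regex, anything else is a shell-style glob (assumed)."""
    if pattern == "ALL":
        return True
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], value) is not None
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def match_field(pattern, value):
    """'X EXCEPT Y' matches when X matches and Y does not (assumed semantics)."""
    if " EXCEPT " in pattern:
        base, exc = pattern.split(" EXCEPT ", 1)
        return match_atom(base, value) and not match_atom(exc, value)
    return match_atom(pattern, value)

def parse_rules(text):
    """Parse 'policy:sending server:from address:to address' lines, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(tuple(line.split(":", 3)))
    return rules

def decide(host, mail_from, rcpt, rules=None):
    """Return 'deny' or 'allow'. Assumes first matching rule wins and no match means allow."""
    for policy, h, f, t in rules or parse_rules(RULES):
        if match_field(h, host) and match_field(f, mail_from) and match_field(t, rcpt):
            return policy
    return "allow"

if __name__ == "__main__":
    # A hotmail.com From address arriving from an unrelated server is refused.
    print(decide("spam.example.net", "alice@hotmail.com", "bob@example.org"))  # deny
```

Note that a bare suffix glob such as `*mail.com` also matches `alice@hotmail.com`, so rule order and the explicit allow lines matter.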