[SUMMARY] Unwanted SPAM

From: Jim Harmon (jharmon@telecnnct.com)
Date: Thu May 01 1997 - 18:04:05 CDT


Hello, fellow SM's...

This has been an enlightening response session. <smile> I appologize in
advance for the length of this bugger:

To Summarize, as is the custom, I'm giving my thoughts, the list of
suggestions, and the list of contributors...

Subject:

I requested help with blocking SPAM of the XXX variety one of my users
is recieving, at a rate of 2-3 notices per day. I asked if there were
any good ways to handle the problemt, and recieved 23 responses. I
expect at least 10 more by EOB tomorrow.

Overview of suggestions:

One of the responders requested this summary.

Another suggested that this is an off-topic request for Sun Managers.
   (Following a recent series of off-topic flames on
    WWW-Security@ns2.rutgers.edu, --I wasn't a participant--)

    I understand and appreciate that POV (point of view)
    No more need be said. :)

By far the largest group of responses said "Move to Sendmail 8.8.5" and
use the built-in blocking features for domains and servers.

Another large segment pointed to a "Blacklist" site that is operated to
warn SPAMMERS that SPAM won't be tolerated in a self-policing
heterogeneous world-internet. A milder (kinder/gentler?) site that
performs a similar function with less direct means was also suggested.

        The idea is that anyone who uses my system to post their
        unrequested junkmail is liable to pay rent on my system for
        each occurance found. A number of sample "legalese" notices
        are shown, and different methods of applying the notices
        were discussed. Very thourough. Very time consuming.

procmail and Qmail were also suggested.

As mentioned in my request, the user is a POP3 client, POP pulls the
client's messages from the spool directory. Sendmail checks your
..forward file before putting messages in the spool directory.

The questionable mail goes to the mail spool directory, and therefore is
filterable using .forward and filter-rules. (or procmail)

Before I list the links and suggestions below, here's what I think my
strategy will be, and why:

        First, collect the various sources of SPAM for about a week.
        (the user has been trashing them as they come in, as many
         are rather suggestive, and the user is sensitive to this
         cr*p, so I need to build a list of the offenders.)

        Second, build a .filter for the user that redirects all such
        SPAM from these sources into a collection bin, where I can
        set up statistical parsing, to build a case file.

        Next, build the parsing tool with Perl or awk to grab the
        vendor information from each heading, build a list of
         occurances, classify the "ads" into mild, rude, and offensive,
        then:

        Parse the Blacklist and other lists mentioned in the links
        below to find the actual sources of the SPAM.

        Last, in the tone of the Anti-Spam Declaration described below,
         I'll notify each of the vendors, their ISP's, postmasters, and
        agents that can be identified, that we do not accept their
        material, and that from that notice on, we will bill for
        previously recorded instances as well as new ones, an amount
        (TBD) for the time they've wasted on our systems, and
        for my labor responding to their SPAM.

I know that there is little chance of collection, but as a strategem, it
gives us a history and point of reference to make claims of harassment,
as well as a few other nifty legal postures described in the links.

Thankyou for all the suggestions, and after this is all through, we'll
be discussing the upgrade to sendmail 8.8.5 for more expansive control.

To contributors, to shorten the summary, I cut liberally. Can you
fogive me? :) Thanks!

----------------------------------cropped suggestions:--------------

install Sendmail 8.8.5.

Check out www.sendmail.org/anitspam.html for some good info on this
topic

-------------------------

[CITE: 47USC227]
                   TITLE 47--TELEGRAPHS, TELEPHONES, AND RADIOTELEGRAPHS
                          CHAPTER 5--WIRE OR RADIO COMMUNICATION
                              SUBCHAPTER II--COMMON CARRIERS
Sec. 227. Restrictions on use of telephone equipment

(summary: In the US, it's illegal to send stuff via electronic means to
                someone they haven't asked for, and a citizen can sue
                the sender for actual damages or $500.00 PER OCCURANCE,
                 whichever is GREATER.)

[long and very legal doc cropped]

-------------------------

Look into procmail, it supposedly dove-tails into sendmail to handle
filtering mail.

-------------------------

See

http://www.junkbusters.com/
http://www.junkbusters.com/ht/en/junkemail.html

-------------------------

1) Recompile sendmail (you might want to upgrade to 8.8.5, too) with
   TCP Wrapper Library Support. Result: No Host you choose to forbid
   in /etc/hosts.{allow,deny} can *connect* to your Mailhost. (Don't
   forget any MXes you might have.)

2) In Order to reject Mail naming specific Domains in the *Headers*,
   use the following (rumoured to become a FEATURE() in future sendmail
   Versions) in your mc Source:

LOCAL_RULE_0
R$* < @$*$=K . > $* $#error $@ 5.7.1 $: "Whatever Error Message"
R$* < @$*$=K > $* $#error $@ 5.7.1 $: "Whatever Error Message"
LOCAL_CONFIG

FK /some/file/which/lists/blacklisted/domains

   Of course, this is relatively easy to fool.
3) While at it, enable FEATURE(local_procmail) and MAILER(procmail)
   (the former allowing the User, the latter the Sysadmin to use
        procmail to process incoming Mails, which is a quite powerful
        Tool).

..forward gets applied whenever sendmail decides to try to deliver the
Mail into a local User's Mailbox. .procmailrc (with procmail being
made the local Mailer) is procmail's Version of it. If I remember
correctly, POP serves Mails out of normal User Mailboxes - which
would imply that .forward gets applied to them.

-------------------------

Check out http://spam.abuse.net/spam/ for multiple ways of blocking
SPAM.

Checkout news.admin.net-abuse.email for the current highlights on the
.... spamming...

-------------------------

http://www.sendmail.org/antispam.html
http://spam.abuse.net/spam/tools/mailblock.html

-------------------------

http://www.informatik.uni-kiel.de/~ca/email/english.html

-------------------------

http://www.informatik.uni-kiel.de/%7Eca/email/check.html
http://www.nepean.uws.edu.au/users/david/pe/blockmail.html
http://www.cl.cam.ac.uk/spam/

-------------------------

You can use procmail in .forward (you deliver to the spool directory,
right?)

ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/
http://www.jazzie.com/ii/internet/procmail/

-------------------------

http://digital.net/~gandalf/spamfaq.html

Also, you might want to (as many others have done) block IP connectivity
to cyperpromo.com and AGIS, both of whom are spam ISP's (well, AGIS does
some other stuff besides, but they have spam-friendly policies)

As a note, cyberpromo is run by the same guy who is credited with being
the annoyance that led to the junk fax laws. Gotta love it.

-------------------------

Much info on this can be found at the AntiSPAM site,
http://www.vix.com/spam/

-------------------------

Qmail is significantly more secure and faster than sendmail, and most
important for you, lets you specify a list of domains from which to
refuse mail (the badmailfrom list).

We are using qmail on Solaris 2.5.1 on the mail gateway at a 15,000
person company and have been quite satisfied with it.

Check it out at http://www.qmail.org .

-------------------------

Thanks to:

        Mark Baldwin
        Rick Fincher
        Johnie Stafford
        Jon Diekema
        Phil Poole
        Jochen Bern
        Stephen Harris
        Craig Raskin
        Gnuchev Fedor
        Mick Morgan
        Claus Assmann
        Michael Neef
        Jeff Gelb
        Michael Kohne
        Reto Lichtensteiger
        John Bradley
        Derek Schatz
        Carlo Musante
        Benjamin Cline
        mlroberts@dow.com
        jstanley
        Michael Gordon
        Alfredo Sola

-- 
   Jim Harmon                           The Telephone Connection
jim@telecnnct.com                          Rockville, Maryland



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:52 CDT