(smtp) defense in depth: part 2
The quicker you block spammers the better. Here’s my recipe:
1. OpenBSD’s PF firewall redirects all incoming SMTP connections to the SPAMD daemon for greylisting. I hate repeating stuff, so at this point you should go read the links I’ve put at the end of this. Other people have written about it way better than I could. It’s a freaking elegant solution really, saving me a ton of resources in that a lot of “undesirables” are stopped at the gate and never get to ring my doorbell, make me put on the robe and slippers and saunter to the door, gold chain hanging around my neck, just to tell them I’m not interested in their DirecTV offer.
2. Once they pass greylisting (which all “real” MTAs will), an SMTP client still has to behave correctly when dealing with sendmail:
FEATURE(`greet_pause', `10000')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
define(`confBAD_RCPT_THROTTLE', `1')dnl
etc… some omgwtfbbq EASY config steps which will block 99% of crappy perl scripts, SMTP worms and old spam shotguns in a heartbeat. greet_pause makes sendmail wait ten seconds (the value is in milliseconds) before sending its 220 banner and rejects any client that starts talking before it; conncontrol and ratecontrol enforce the per-client connection and connections-per-minute limits you put in the access map, and with `terminate' the session is closed with a 421 instead of just being stalled; confBAD_RCPT_THROTTLE slows down dictionary attacks by sleeping a second after each further bad RCPT once more than one has been rejected. Here’s my openbsd-proto-skip.mc for your reading pleasure.
Don’t forget to m4 /usr/src/gnu/usr.sbin/sendmail/cf/m4/cf.m4 /etc/mail/openbsd-proto-skip.mc > /etc/mail/sendmail.cf
3. When a message is submitted, smtp-vilter runs it through Clam AntiVirus and spamassassin’s spamd BEFORE sendmail accepts it (yes, in almost real time… the delay is negligible). I use a mysql backend for spamassassin and have assigned a ten point spam threshold for this step: if a message receives ten points from spamassassin it is rejected. This is an important step… while I do spend a bit more up front on filtering the SMTP transactions on the fly, overall I win because it simply ends there. No procmail calling various tools and perl, nothing written to my drives, etc… it’s over right there. There are papers on the false-positive rate of spamassassin being godlike at a threshold of ten. For those of you who can’t miss that one in a million email, go for a threshold of, say, twelve, I guess. A spam message with an absurdly high spamassassin rating should never get through to end users.
By the way, thus far I haven’t /dev/null’d anything. The worst that I’ve done is to outright REJECT a message during the SMTP session (the spamassassin threshold above), and since the rejection happens while the sender’s MTA is still connected, it is that MTA, not mine, which generates the bounce back to the sender (so no backscatter from my end). If you’re worried about deleting spam because of false-positives, rejecting is a far better solution: in the case that it was a false-positive, at least now the person will know that his email was rejected, so he can pick up the phone and call.
4. Also running as a milter is vthrottle, which will temporarily reject (delay) hosts which attempt to send mail too many times per minute for my tastes. The beauty of SMTP is how much redundancy is built in. At any point in the SMTP transaction, one party can say “oh uh yah ummm I’ve got to go for a minute, could you call back in like an hour? k thanks” (a 4xx temporary failure, which any proper MTA will retry later).
5. I’m against outright blacklisting of hosts using any of the million RBLs out there, though I will allow spamassassin to add points onto messages from hosts that appear on said lists. Too many horror stories of people being wrongly listed and having to beg nazi list owners to remove them, only to get the answer of “You chose the wrong ISP so we won’t un-blacklist you now go away”.
6. In a corp setting there will often be an email server such as Lotus, Exchange or QuickMail Pro. Leave the existing server intact, but don’t make it your MX. Place a hardened OpenBSD box with these mods out there as your MX, and have it hand off mail to the “real” mail server. This is also a good idea because some of the anti-spam settings (greet_pause and the rate limits in particular) don’t play well with desktop email clients connecting directly to send mail; client submission should be handled by your internal mail server anyway, and not by your MX…
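As an added example (my own, not the author’s openbsd-proto-skip.mc, which isn’t reproduced here), here is a minimal sendmail .mc for such a gateway on OpenBSD that ties steps 2 through 6 together. Step 1 (PF redirecting to spamd) lives in pf.conf and is covered by the benzedrine.cx link below. The milter socket paths, the domain example.com, the internal server mail.internal.example.com and the numeric limits are assumptions; check the socket paths against your smtp-vilter.conf and vthrottle setup.

```m4
dnl Example MX gateway configuration for OpenBSD sendmail 8.13+.
dnl Added illustration, not the author's file; names and limits are assumptions.
VERSIONID(`example-mx-gateway')dnl
OSTYPE(openbsd)dnl
dnl
dnl The access map is required by conncontrol/ratecontrol (ClientConn:,
dnl ClientRate: and GreetPause: keys live there); -T<TMPF> tempfails on
dnl map lookup errors instead of silently allowing.
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
dnl Step 6: route accepted domains to the internal server via mailertable.
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`nouucp', `reject')dnl
FEATURE(`smrsh', `/usr/libexec/smrsh')dnl
dnl
dnl Step 2: make the client behave.
dnl Wait 10000 ms before the 220 banner; clients that talk first get 554.
FEATURE(`greet_pause', `10000')dnl
dnl Enforce ClientConn: (simultaneous) and ClientRate: (per minute) limits
dnl from the access map. nodelay = refuse at once, terminate = 421 and close.
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl After more than one bad RCPT in a session, sleep 1 s per further bad RCPT.
define(`confBAD_RCPT_THROTTLE', `1')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `100')dnl
dnl Global fallback limits (assumed values) for hosts not in the access map.
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
define(`confMAX_DAEMON_CHILDREN', `40')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway')dnl
dnl
dnl Steps 3 and 4: milters run before sendmail accepts the message.
dnl Socket paths are assumptions. F=T means tempfail (451) the message if the
dnl milter is unreachable, so a dead scanner never lets mail through unscanned.
INPUT_MAIL_FILTER(`smtp-vilter', `S=unix:/var/run/smtp-vilter.sock, F=T, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`vthrottle', `S=unix:/var/run/vthrottle.sock, F=T')dnl
dnl
MAILER(local)dnl
MAILER(smtp)dnl
```

Compile it with the m4 command shown above. The per-client limits and exemptions go in /etc/mail/access, for example a default `ClientRate:  20` and `ClientConn:  5`, plus `GreetPause:127.0.0.1  0` so local submission isn’t delayed, and `To:example.com  RELAY` so the gateway accepts mail for the domain (the domain name is an assumption). The handoff of step 6 is one mailertable line, `example.com  smtp:[mail.internal.example.com]`, with the brackets telling sendmail to skip the MX lookup and deliver straight to that host. If you would rather fail open when a scanner is down, drop the `F=T` equate, but then a crashed milter means unscanned mail reaches the internal server.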
=======================================
That’s pretty much it… Read these:
http://www.acme.com/mail_filtering/
Article that was slashdotted a few weeks ago. “Or, how to block a few million spams per day without breaking a sweat.”
http://www.benzedrine.cx/relaydb.html
“Annoying spammers with pf and spamd.”
http://www.aei.ca/~pmatulis/pub/obsd_mfg-1.html
“Installing an OpenBSD mail filter gateway with smtp-vilter, Clam AV, and SpamAssassin”
http://www.flakshack.com/anti-spam/wiki/index.php
“Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC.”
http://www.maildroid.org/
“MailDroid is a special “distro” of the popular OpenBSD operating system that is optimized to provide a secure, spam fighting, virus killing, Mail Filtering Gateway, ‘right out of the box’.”
http://www.scanmail-software.com/support/sendmailtuning.html
Sendmail Performance Tuning for Ptsfilter.
http://www.linux-sxs.org/internet_serving/sendm2.html
“Describes installing Sendmail to utilize some of its neater features, to be a little more secure (we will run Sendmail under a non-root id), and so we have a better understanding of Sendmail itself.”
http://www.technoids.org/
http://www.technoids.org/dossed.html
“The recent flood of spam, viruses and trojaned Windows machines has brought a dramatic increase in attacks on e-mail servers, including (but not limited to) denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, Joe Jobs, dictionary attacks, slamming, and other assorted nuisances. This document describes some sendmail facilities–many of them new in version 8.13–that can help foil these attacks.”
http://perlcode.org/lists/vps-mail/msg01572.html
“Re: [vps-mail] Email dictionary attacks – what would you do?”
http://sunsite.mff.cuni.cz/MIRRORS/ftp.mysql.com/doc/en/Adding_users.html
“4.3.5 Adding New Users to MySQL”
http://wiki.apache.org/spamassassin/UsingSQL
How to use spamassassin with SQL.