Hi!
On Sun, 8 Feb 1998, Slawa V. Olhovchenkov wrote:
> On Sun, Feb 08, 1998 at 02:51:22PM +0300, Andy Igoshin wrote:
> > > > The idea is to _not_accept_ mail for users who don't exist, and to refuse
> > > > it at the SMTP stage. It can do that.
> > > Either the skis won't go or I'm the one who's slow... Folks, where did you dig up
> > > sendmails that need patching for this? My standard sendmail with the standard
> > > config rejects that. Right at the SMTP stage.
> > No. It's just that, in my view, it's somewhat smarter than the standard
> > sendmail variant.
>
> In what way?
Attached is a piece of my config and the README for the patch.
Andy
Last update: README: 19-Aug-97
Source: 21-Aug-97
Level: s-4
Patches to reject eMail-SPAM
----------------------------
(C) Copyright 1996,1997 by A.Zinser (fifi@hiss.org)
For sendmail-8.6.12, -8.7.3, -8.8.x -- other versions and releases
available on demand. See below for further information regarding known
bugs, changes to prior patch versions, installation and so on.
IMPORTANT: with p-beta5 the filter.cf data format has changed!
Please appreciate that I am not able to check out all combinations
of features this patch offers. There may be bugs and I'm sure there
are some (do you know a completely bug-free piece of software?). Please
tell me if you have problems and be patient if I don't respond
immediately. If I don't respond within two weeks, do it again. I won't
be angry about repeated questions because I know that some mail gets
forgotten in my mail folder. Sorry, there is too much to do these
spammy days :-(
*** ANNOUNCEMENT *** ftp://ftp.spam-archive.org/pub/spam/spam-archive - a
collection of recent spams as distributed via
spam-list@toby.han.de (send a mail to majordomo@hiss.org with
'info spam-list' in the body). WWW interface and search engine
at http://www.spam-archive.org/.
*** smail-3.1.29 *** This is a pre-pre-pre-alpha-release! The only
feature already running is filtering by
envelope sender during SMTP receipt!
FEATURES:
! First of all: this is no replacement for the features
of sendmail-8.8.*. This filter was created before
sendmail-8.8 was available and independently of it, and it
meanwhile includes more features than sendmail-8.8.*.
* Filtering by eMail address, sitename, domain and/or IP address
(SMTP only).
* Refusing mail during the RCPT phase of SMTP connections as
well as during delivery.
* As many filter targets (recipients) as you want, specified
either by eMail-address, sitename or domain.
* Configuration in a separate file (filter.cf). Frozen config
file to speed up sendmail.
* Macros and includes supported.
* Senders to a blacklisted address get notified that they won't
receive an answer.
* Received: lines are checked for blacklisted users, sites
and ip addresses (since q-beta1)
* Exceptions from blacklists by [user[@[host[.domain]]]]+
(suffixed '+')
* From:, To: and Reply-To: header lines are checked during
delivery too (caution: differing syntax for To: checking!)
* Incoming mail must contain a really valid address (an A or MX
DNS record has to be defined)
* A check to deny unwanted relaying - in contrast to check_compat
offered by sendmail this is done before the mail has been
transferred
CURRENT BUGS:
If you use the TEERGRUBE feature, the sender/recipient pairs must
be given directly; if the sender is given by a macro and the mark
has been placed inside the macro definition, it is ignored!
Wrong: UCE=-user@domain, -user@domain2
ME=my@address
$ME: $UCE
Right: UCE=user@domain
ME=my@address
$ME: -$UCE
FUTURE PLANS:
* Address checking will be done by a separate daemon to reduce
the time wasted reading the config file and the amount of
memory needed because of its size.
* Other header fields (From:/Sender:) will be checked too.
* Regular expressions (optional).
BUG REPORT:
* All patches up to and including p-beta2:
Since I added blanks as separators in the cf file I didn't
mention the trouble caused by sick code. If you run this
filter, _never_ mix ',' and ' ' as separators in the same
line! Fixed with p-beta3
* p-beta/p-beta2:
Not all duplicate entries have been deleted while writing
the frozen filter.fc. Minor bug, fixed with p-beta3
* p-beta up to p-beta5:
`sendmail -bF' first opens the frozen filter config for
writing and then starts to read the filter.cf file.
Any call to sendmail while the fc file is being written will
result in a warning (wrong magic found). Minor bug, fixed with
p-beta6.
* Up to and including q-beta2: delivering mail to a blacklisted
site causes a notification to the sender every time the queue
is processed. He may get a lot of mail if the blacklisted site
isn't reachable.
* Up to and including q-beta2: the warning message in the case
above seems to be a little confusing. Try to get a better one.
* Up to and including q-beta2: there has been a bug while
optimizing for the fc file. Fixed with q-beta3
* Up to q-beta3: defining MAILFILTER without FILTERLOG caused
compiler errors
* Up to r-beta: filter exceptions have been wrongly documented.
It's a suffixed '+', not a prefixed one!
README:
These patches were created before sendmail-8.8 was
available because of massive eMail spamming from lsat.com and
*friends*@aol.com. At the beginning the filter acted globally for
all sites, but massive protests from several people in our
domain caused me to create a site-dependent filter.cf. The
features of this configuration file surpass those of
sendmail-8.8 (as far as I know :-)) and I hope to get a frontend
like changesys to permit our domain members to change their
entries by themselves. Besides the filtering of mail I included
this filter into CNews, but I still don't have enough time to
continue with it...
BUT: Be careful! Filtering email is a dangerous way to get
rid of unwanted mail. SMTP servers can be abused to work
as mail exploders, and filtering mail from those sites (by
domain name or IP address) can result in filtering
mail from perfectly normal users!
AND: If you decide to filter email, either using these patches
or any other method, you have to keep your config file
up to date. Maybe I'll create a mailing list
for exchanging config files and so on, but apart from this
you have to act fast to prevent spamming of your users,
because some spammers change their email address as
fast as I change my underwear...
How it works:
It's really simple. During receipt (RCPT phase of SMTP connections)
and delivery (if you receive mail via UUCP, for example) sender
and recipient addresses are checked against a list of connections.
If the test matches, the mail is refused with `551 Mail refused
due to request of the recipient host or user.'. Sender and
recipient may be single users (`user@host.domain'), sites
(`host.domain'), domains (`.domain'), ip addresses (`[A.B.C.D]',
sender only!) or ip address fragments (`[A.B.C', sender only!).
The configuration is placed in a separate file (typically
`filter.cf') and may contain rules as well as macros:
hiss.han.de: CocaColaTs@aol.com
causes blocking of all mail from `CocaColaTs@aol.com' to any
user at `hiss.han.de', and
NATUREPLUS= health@natureplus.com, health@moneyworld.com,
[207.14.212.69]
RECIPIENTS= hiss.han.de, nutsy.han.de, fifi@kaa.han.de
$RECIPIENTS: $NATUREPLUS
affects every mail from natureplus addressed to one of the sites
mentioned in the macro RECIPIENTS. To blacklist domains with
a lot of spammers as well as ordinary users you may define
positive entries like
hiss.han.de: salynet.com, +postmaster@alberta.salynet.com
Everything from or via salynet.com except mail from
postmaster@alberta.salynet.com is denied. The expansion of
macros is done while reading the filter.cf file every time
sendmail comes up. Additionally it costs a lot of time to
ignore duplicate or obsolete entries in the configuration file.
To speed up the system you can build a frozen configuration
file. Because of the macro expansion this file can grow very
large, but it's cheaper to read a large file in a few chunks
without any cpu processing like parsing and macro expansion than
to read a small file with a great amount of calculation.
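The matching rules just described (single user, sitename, `.domain', `[A.B.C.D]' and `[A.B.C' fragments, `$MACRO' expansion, the suffixed-'+' exception from the FEATURES and BUG REPORT sections, and the `refuse-all-mail' / `refuse-all' pseudo targets), as an added Python model that is not part of the patch; the sample entries are constructed, sitenames are assumed to be exact host matches, and `#' comments are assumed as in the attached config:

```python
# Added model of the filter.cf rules from the README; sample entries are constructed.
SAMPLE_CF = """\
NATUREPLUS= health@natureplus.com, [207.14.212.69]
RECIPIENTS= hiss.han.de, fifi@kaa.han.de
$RECIPIENTS: $NATUREPLUS
hiss.han.de: .salynet.com, postmaster@alberta.salynet.com+
nobody@foo.bar: refuse-all-mail
refuse-all: [10.11
"""

def _expand(field, macros):
    out = []                                         # comma/blank separated entries
    for tok in field.replace(",", " ").split():
        out.extend(macros.get(tok[1:], []) if tok.startswith("$") else [tok])
    return out
def parse_filter_cf(text):
    """Return [(recipient_patterns, sender_patterns), ...] with macros expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment (assumed)
        name, eq, body = line.partition("=")
        if eq and name.strip().isidentifier():       # macro definition: NAME= a, b
            macros[name.strip()] = _expand(body, macros)
        elif ":" in line:                            # rule line: recipients: senders
            lhs, rhs = line.split(":", 1)
            rules.append((_expand(lhs, macros), _expand(rhs, macros)))
    return rules
def _match(addr, pat):
    """addr is 'user@host.domain' or '[a.b.c.d]'; pat is one filter.cf entry."""
    addr, pat = addr.lower(), pat.lower()
    if pat.startswith("["):                          # IP address or '[A.B.C' fragment
        if pat.endswith("]"):
            return addr == pat
        return addr.startswith(pat) and addr[len(pat):len(pat) + 1] == "."
    if "@" in pat:                                   # single user: exact match
        return addr == pat
    host = addr.split("@")[-1]
    if pat.startswith("."):                          # domain: any host below it
        return host.endswith(pat)
    return host == pat                               # sitename: exact host (assumed)
def refused(sender, recipient, rules):
    """True if this RCPT would get '551 Mail refused ...' under the rules."""
    for rcpts, senders in rules:
        if "refuse-all" not in rcpts and not any(_match(recipient, r) for r in rcpts):
            continue
        if "refuse-all-mail" in senders:             # pseudo sender: recipient gets nothing
            return True
        hit = any(_match(sender, s) for s in senders if not s.endswith("+"))
        exc = any(_match(sender, s[:-1]) for s in senders if s.endswith("+"))
        if hit and not exc:                          # suffixed '+' marks an exception
            return True
    return False
```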
For testing the patches you may create a config file like
nobody@foo.bar: spammer@hell
Restart your sendmail and type
$ telnet localhost 25
220- ...
220 ESMTP spoken here
MAIL FROM: <spammer@hell>
250 <spammer@hell>... Sender ok
RCPT TO: <nobody@foo.bar>
551 <nobody@foo.bar>... Mail refused due to request of the recipient host or user.
If you want to know the current configuration you should enter:
$ /usr/lib/sendmail -d89.8 -bt
Version 8.6.12-pa
<empty list>:
filterlist:
nobody@foo.bar: spammer@hell
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
>
Sorry, it's still a workaround and will be replaced in a future patch.
More hints about filter.cf can be found in `filter-sample.cf'.
Last famous words: no warranty!
Fifi (aka Axel)
RESOURCES:
* Source available from ftp://ftp.hiss.org/pub/sendmail
* Info about updates, changes etc. via the mailing list
filter-news@hiss.org (to subscribe send an email to
majordomo@hiss.org which contains `subscribe filter-news'
in the body) - currently a dead list, because I'm working
on the next patchlevel using a separate daemon.
* ftp://ftp.hiss.org/pub/spam/spam-archive - a collection
of recent spams (in the meantime already more than 1000 spams
in 1997 :-() as distributed via spam-list@toby.han.de (send a
mail to majordomo@hiss.org with 'info spam-list' in the
body).
* ftp://ftp.hiss.org/pub/sendmail/filter.cf.data - a daily updated
list of envelope and header sender addresses which can be used
as an input for your own filter.cf
STATE:
s-4 Prevent abuse as mail relay.
CHANGES:
Patch#
n Testing sender/recipient had a lot of overhead.
Modifications for Cnews
Recursion check for macro definitions
o Warnings & Statistic only using -bi/-bF
sendmail -bF checks and dumps filter list (replaces
-d88.x)
Recipients, which are associated with the (pseudo) sender
target `refuse-all-mail' won't get any mail any
further.
p -bF writes an optimized frozen config file. If a frozen
config file exists it will be used instead of the source
filter.cf. Now pattern like `[127.0.0' to exclude complete
networks (`127.0.0.0' in this case) are permitted. An
entry `@@filterlog: SENDER-LIST' causes logging every
mail from the mentioned senders (the method of logging
mail from any mentioned sender has been turned off with
this patch). Filter entries (RHS only) starting with a
slash (`/') are interpreted as file names containing
addresses (or macros). To get detailed information about
obsolete and duplicate entries (filename, line, argno)
you have to define `FILTERDEBUG' - but it increases
the amount of memory (for the frozen filter file too!).
"Dirty" features must be enabled by defining
`TEERGRUBE', not to use it decreases the amount of
memory. Only sendmail option `-v' gives information
about duplicate and obsolete entries (p3). Macros have
to be referenced as $MACRO (p4). Source prepared to get
included into a mail driven frontend for administration
of the filter config file (p4). Sendmail now sends an
automatic warning to the sender of a mail addressed to a
blacklisted site or user (p5). If FILTERCONTACT is
defined each sender gets a verbose error message including
FILTERCONTACT as contact in case of an error.
cf2fc file speedup:
i586: cf: 815 macro, 26366 filter entries, 560188 bytes total
4.69user 0.02system 0:04.74elapsed
fc: 0 macro, 24524 filter entries, 505566 bytes total
0.04user 0.05system 0:00.22elapsed
mips1: cf: 815 macro, 26366 filter entries, 560188 bytes total
real 39.36 user 19.95 sys 0.33
fc: 0 macro, 24524 filter entries, 505566 bytes total
real 3.21 user 0.23 sys 0.28
q Check Received: lines for any blacklisted host or ip address
(-DFILTERBYRECEIVED)
More verbosity while creating frozen config file
Port to smail (not yet finished!)
Faster (using sorted lists now)
If `REFUSE_ALL_SENDER' is defined as `"refuse-all"' (for
example), an entry `refuse-all: sender-list' causes all
mail from the mentioned senders to be refused regardless
of the recipient. You'll have to define `REFUSE_BY_RECIPIENT'
to enable the per recipient filtering if you have
defined `REFUSE_ALL_SENDER'!
r All defines have been moved to filter-include.h.
Exception rules supported.
r-beta1 Header lines can be checked too (FILTERBYRECEIVED has to
be defined). Reply-To: and From: are handled like the
envelope sender; To: is handled like the envelope sender
too, because it makes no sense to check a forged To: line
against an envelope sender, but against a recipient.
s-exp if CHECKSYNTAX is defined, the FROM part of incoming mail
is checked whether it could be correct or not. Mails
without a host part or without a syntactically correct host part and
with pure numeric local parts are refused. If CHECKDNS
is defined, all incoming mail will be checked against DNS
and refused if there is neither an A nor an MX RR defined
for this host. ** experimental patch **
s-4 If LOCAL_DOMAINS is defined all incoming mail is checked
whether the mailer is abused as mail relay/exploder.
PLANNED:
* Mail driven front-end to permit all users to modify their
individual filter entries.
* Sending to a blacklisted address removes this address from
the filter database (dangerous!).
* Pseudo recipient target `send-large-response' will cause a very,
very large SMTP response (about 40 MBytes) for special sites.
Dangerous patch! I'm not really sure whether I should implement that
or not.
* Pseudo recipient target `send-slow-resonse' will cause a medium
size, but very slow SMTP response to lock the sender mailer for
a long time. Not yet implemented. If you know what you're
doing, you'll know where to insert the three statements. But
be careful: all outgoing stuff will get locally stored in
the mqueue directory up to successful delivery and broken pipe
notifications can fill up your syslog file!
* Filtering by contents of the subject line
Sendmail options (added/modified):
-bF Creates a frozen filter.fc file.
-v Verbose output (duplicate/obsolete entries)
-bi Information about the filter size.
Debug switches (out of date :-(():
Switch#
89.x Debugging. A lot of information which should not
be of interest for you.
255 recsearchpair(), dump all internal lists during processing
128 readfiltercf() input processing
25 all function calls
20 searchsender() calls, addfilter() actions, readfiltercf()
15 recsearchpair()
10 recsearchpair() results, addfilter()
8 dump all internal lists at the end of readfiltercf()
4 searchpair()
1 recsearchpair() success
INSTALL:
Run patch or unpack the "related files" archive in the sendmail
source directory (keep a backup of the unpatched sources :-)).
Edit `filter-include.h' to define all literals and features. Add
`-DMAILFILTER' to `ENVDEF=..' in the architecture-dependent
Makefile (`obj..../Makefile'). Then run `makesendmail' and
`makesendmail install'. That's all. If you use the FILTERCONTACT
feature take care that this address is still reachable from all
blacklisted senders.
Testlog:
Patch# OS sendmail/news Level
...
r-beta Linux-2.0.27 sendmail-8.8.5 c/t
r-beta IRIX-4.0.5 sendmail-8.8.5 c/t/r (just installed)
s-4 Linux-2.0.x sendmail-8.8.7 c/t/r
c=compiled, t=tested
r=running
OUR = @vsu.ru, .vsu.ru, @vucnit.voronezh.su, .vucnit.voronezh.su
# Disable IC newsserv
IC_NEWSSERV = nws@ic.vrn.ru, newsserv@serv.vrn.ru, newsserv@news.vrn.ru, newsserv@ic.vrn.ru
$IC_NEWSSERV: $OUR
BLOCKED_ADDRESSES = @p0.f57.n5025.z2.fidonet.org, @p9.f23.n5025.z2.fidonet.org, f9.n5025.z2.fidonet.org
$BLOCKED_ADDRESSES: refuse-all-mail
BA_OUT = w3gate@gmd.de
w3mail@gmd.de
ftpmail@ftp.urc.ac.ru
ftpmail@urc.ac.ru
ftpmail@ftp.uni-stuttgart.de
ftpmail@info2.rus.uni-stuttgart.de
mail-server@rtfm.mid.edu
ftpmail@sunsite.unc.edu
ftpmail@decwrl.dec.com
$BA_OUT: .fidonet.org, .fido.vsu.ru, avs.vsu.ru
SPAMMERS =
#
# Complete List
#
#
# blacklist
# ---------
#
# This file is automatically generated and updated by the
# spam sent to spam-list@toby.han.de and archived in The
# Garbage Collection (http://www.spam-archive.org/). It
# is available via ftp from
# ftp://ftp.spam-archive.org/spam/blacklist/
#
# The addresses are taken from the envelope sender, reply-to
# and the from line of the spams. They may be forged!!!
#
# NEVER use this list without a preview! CHECK IT whether
# it contains addresses which must not be blacklisted under
# any circumstances (mailinglist owners, administrative accounts)
# and send me a mail (postmaster@spam-archive.org) if you
# find any!
#
# NO WARRANTY - USE AT YOUR OWN RISK
#
# For an automatic notification each time this file has changed
# subscribe to blacklist-changes@hiss.org. To get automatic updates
# to the list subscribe to blacklist-update@hiss.org (Majordomo).
#
[skip]
refuse-all: $SPAMMERS
$SPAMMERS: refuse-all-mail