More Sendmail Hacks

Friday, January 17th, 2003 at 12:00 am

I’ve been handling mail for some friends, one of which gets a LOT of spam. He’s a good litmus test for how to tweak a spam filter to maximum effectiveness.

I’m using a combination of Sendmail, triple-RBL, ordb.org, SpamAssassin (and the milter), and iptables to filter spam out before it reaches $USER mailboxes. Here are some recent tweaks I came up with (some with the gentle nudging of others):

# Header checks for sendmail.cf. Sendmail requires the LHS and RHS of each
# R line to be separated by a tab, not spaces, and $>+ passes the full
# header value (comments included) to the ruleset. Both Content-Type rules
# live in a single ruleset so it is declared only once.

# There is no reason to send HTML in email, none. Blocked.
# There is no reason for anyone to send a Content-Type of
# multipart/alternative. Multipart is fine in the body
# or as an attachment, but the generalized header for those
# should be text/plain, not multipart/alternative. Blocked.
HContent-Type:	$>+Check_Content_Type
SCheck_Content_Type
Rtext/html $*	$#error $@ 5.5.5 $: "555 HTML email denied; use plain text."
Rmultipart/alternative $*	$#error $@ 5.5.5 $: "555 multipart mail blocked; use plain text"

# Likewise for base64-encoded bodies. There is no reason
# for the ENTIRE message body to be base64-encoded. Blocked.
HContent-Transfer-Encoding:	$>+Check_Transfer_Encoding
SCheck_Transfer_Encoding
Rbase64 $*	$#error $@ 5.5.5 $: "555 base64-encoded body blocked; use plain text"

And recently there has been an increase in the number of people being affected by this W32/Sobig@MM trojan, so I blocked that (and another worm) too:

/etc/mail/access

# Forged sender addresses used by the Sobig and Hybris worms. After editing,
# rebuild the map with: makemap hash /etc/mail/access < /etc/mail/access
big@boss.com         ERROR:5.7.1:550 Sobig worm rejected
hahaha@sexyfun.net   ERROR:5.7.1:550 Hybris worm rejected

These small changes alone have begun to cut down the number of spam messages that my system(s) will accept for users. A quick grep shows that in the last 2 days, the three tweaks above have successfully blocked 417 separate spam messages that would otherwise have been caught by SpamAssassin or passed on to a user.

Any spam that gets through these plus SpamAssassin, I block with iptables. It’s been doing quite a good job so far. In the last week, my iptables blocks for known spammers have produced 1,291 hits in the logs.
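The "quick grep" above is easy to turn into something repeatable. The following Python script is an added example, not part of the original post: it parses the `ruleset=... reject=...` lines sendmail writes to the maillog when one of the header checks or the access map fires, and tallies rejects by ruleset, by reply text and by relay IP, so you can see which checks are doing the work and which relays keep getting rejected before deciding whether one deserves an iptables entry. The log lines are constructed for the example (RFC 5737 documentation addresses), not real traffic.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not real traffic), in the shape sendmail
# uses when a ruleset returns $#error: ruleset=, arg1=, relay=, reject=...
SAMPLE_LOG = """\
Jan 17 00:01:02 mx sendmail[2011]: h0H5120A002011: ruleset=Check_Content_Type, arg1=text/html; charset=iso-8859-1, relay=[192.0.2.10], reject=555 5.5.5 HTML email denied; use plain text.
Jan 17 00:03:15 mx sendmail[2014]: h0H53F0B002014: ruleset=Check_Content_Type, arg1=multipart/alternative; boundary="b1", relay=[192.0.2.10], reject=555 5.5.5 multipart mail blocked; use plain text
Jan 17 00:05:40 mx sendmail[2020]: h0H55e0C002020: ruleset=Check_Transfer_Encoding, arg1=base64, relay=[198.51.100.7], reject=555 5.5.5 base64-encoded body blocked; use plain text
Jan 17 00:07:01 mx sendmail[2025]: h0H5710D002025: ruleset=check_mail, arg1=<big@boss.com>, relay=[203.0.113.5], reject=550 5.7.1 <big@boss.com>... Sobig worm rejected
Jan 17 00:09:22 mx sendmail[2030]: h0H59M0E002030: from=<friend@example.net>, size=1234, class=0, nrcpts=1, msgid=<a1@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.200]
Jan 17 00:11:09 mx sendmail[2033]: h0H5B90F002033: ruleset=Check_Content_Type, arg1=text/html, relay=[192.0.2.10], reject=555 5.5.5 HTML email denied; use plain text.
"""

# Fields as sendmail logs them for a ruleset rejection; arg1 may contain
# semicolons (Content-Type parameters) but not commas, so the non-greedy
# match up to ", relay=" is safe.
REJECT_RE = re.compile(
    r"ruleset=(?P<ruleset>[^,]+), arg1=(?P<arg1>.*?), relay=(?P<relay>[^,]+), "
    r"reject=(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<reason>.*)$"
)
# relay= is either "[ip]" or "hostname [ip]"; pull out the bracketed IP.
IP_RE = re.compile(r"\[([^\]]+)\]")


def parse_reject(line):
    """Return a dict for a ruleset-reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    ip = IP_RE.search(rec["relay"])
    rec["ip"] = ip.group(1) if ip else rec["relay"]
    return rec


def tally(lines):
    """Count rejects by ruleset, by reply text and by relay IP."""
    by_ruleset, by_reason, by_ip = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue  # accepted mail, queue activity, etc.
        by_ruleset[rec["ruleset"]] += 1
        by_reason[rec["reason"]] += 1
        by_ip[rec["ip"]] += 1
    return by_ruleset, by_reason, by_ip


def repeat_offenders(by_ip, threshold):
    """Relay IPs rejected at least `threshold` times: candidates to review."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


if __name__ == "__main__":
    # Run as: python tally_rejects.py < /var/log/maillog (hypothetical name),
    # or with no input to see the constructed sample.
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    rulesets, reasons, ips = tally(source)
    for label, counter in (("ruleset", rulesets), ("reason", reasons), ("relay IP", ips)):
        print(f"--- rejects by {label} ---")
        for key, n in counter.most_common():
            print(f"{n:5d}  {key}")
    print("repeat offenders (>= 2 rejects):", repeat_offenders(ips, 2))
```

On the sample, `Check_Content_Type` accounts for three of the five rejects and 192.0.2.10 is the only relay rejected more than once; on a real log the per-IP tally is the number to look at before reaching for iptables, since a single reject from a host is often a misconfigured but legitimate sender.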

Other Stuff

Things are busy here, but still no permanent employment (427 days, 61 weeks so far). It may be time to call UPS/FedEx/USPS and see if they have any openings. There are definitely no technology jobs left here on the East Coast. Depressing.

Last Modified: Friday, January 17th, 2003 @ 00:00
