New Idea: Checking for outgoing spam

NoBaloney2

The exim users list has an interesting post today:

Subject: Spam control via ratelimiting

I like the idea from this list of detecting spammers/spambots not by the
rate of sending of all mail, but by the rate of attempts to send to
nonexistent recipients. Spammers and spambots send to huge lists of email
addresses. A large part of the email addresses in such lists don't exist
anymore or never existed (Message-Ids and corrupted strings in memory
taken by address harvesters as email addresses).

My implementation:

LIM = 100
PERIOD = 1h
WARNTO = [email protected]
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
...
begin acl
acl_check_rcpt:
  ...
  accept hosts = !@[] : +relay_from_hosts
         set acl_m_user = $sender_host_address
         # or a userid from RADIUS
         condition = ${if exists{$spool_directory/blocked_relay_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_relay_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  accept hosts = !@[] : +relay_from_hosts
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
                     >>$spool_directory/blocked_relay_users; \
                     \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
                     because has sent mail to LIM invalid recipients during PERIOD.; \
                     \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  accept hosts = +relay_from_hosts
         control = submission/domain=

  accept authenticated = *
         set acl_m_user = $authenticated_id
         # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
         condition = ${if exists{$spool_directory/blocked_authenticated_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_authenticated_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
                     >>$spool_directory/blocked_authenticated_users; \
                     \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
                     has sent mail to LIM invalid recipients during PERIOD.; \
                     \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         control = submission/domain=

Let's open this for discussion... should we implement this or similar?

Jeff
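As an added example, not part of the forum thread or the exim-users post: the same invalid-recipient rate check run offline over Exim-style log lines in Python, keyed the way the ACL keys it (authenticated id, otherwise the relay host). The log lines, hosts and users are constructed samples modelled on Exim's mainlog "rejected RCPT" format, and the sliding-window counter is a simplification of Exim's smoothed ratelimit, not Exim's own algorithm.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIM = 100                    # same thresholds as the ACL macros above
PERIOD = timedelta(hours=1)

# Constructed sample lines modelled on Exim's mainlog format (not real logs)
SAMPLE_LOG = """\
2007-06-17 10:00:01 H=(pc1) [192.0.2.10] A=plain:bob F=<bob@example.com> rejected RCPT <ghost1@example.org>: Unrouteable address
2007-06-17 10:00:02 H=(pc1) [192.0.2.10] A=plain:bob F=<bob@example.com> rejected RCPT <ghost2@example.org>: Unrouteable address
2007-06-17 10:00:03 H=(pc1) [192.0.2.10] A=plain:bob F=<bob@example.com> rejected RCPT <ghost3@example.org>: Unrouteable address
2007-06-17 10:05:00 H=(www) [192.0.2.20] F=<web@example.com> rejected RCPT <nobody@example.org>: Unrouteable address
2007-06-17 10:07:00 1Hz5Tp-0001Gh-2Q <= alice@example.com H=(pc2) [192.0.2.30] A=plain:alice P=esmtpa S=1234
2007-06-17 11:00:00 H=(pc2) [192.0.2.30] A=plain:alice F=<alice@example.com> rejected RCPT <old1@example.org>: Unrouteable address
2007-06-17 12:30:00 H=(pc2) [192.0.2.30] A=plain:alice F=<alice@example.com> rejected RCPT <old2@example.org>: Unrouteable address
2007-06-17 14:00:00 H=(pc2) [192.0.2.30] A=plain:alice F=<alice@example.com> rejected RCPT <old3@example.org>: Unrouteable address
"""

# One rejected-recipient event: timestamp, relay host IP, optional auth id
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\[(?P<ip>[\d.]+)\]"
    r"(?: A=\S+?:(?P<user>\S+))? .*?rejected RCPT <[^>]+>"
)

def ratelimit_key(match):
    """Key exactly as the ACL does: authenticated id, else the relay host."""
    user = match.group("user")
    return f"user-{user}" if user else f"relayuser-{match.group('ip')}"

def find_blocked(log_text, limit=LIM, period=PERIOD):
    """Return {key: time it exceeded `limit` rejected RCPTs inside `period`}.
    Plain sliding-window count (simpler than Exim's smoothed ratelimit),
    but it flags the same behaviour the ACL freezes on."""
    windows = defaultdict(deque)
    blocked = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue                      # accepted mail etc. is not counted
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        key = ratelimit_key(m)
        q = windows[key]
        while q and ts - q[0] >= period:
            q.popleft()                   # attempts older than the window
        q.append(ts)
        if len(q) > limit and key not in blocked:
            blocked[key] = ts
    return blocked
```

With `limit=2` on the sample, only `user-bob` is flagged (three bad recipients in three seconds); alice's three bad recipients are each more than an hour apart, so her window never fills, and the unauthenticated relay host is keyed separately.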
 
Hello Jeff,

That sounds really good. What's more, we started using daily and hourly limits well before they were implemented in default exim. But if I'm not mistaken, default exim does not limit hourly usage of SMTP. A month or two ago, we started checking outgoing messages with SpamAssassin; as we use a smarthost scheme, we do the check on our email relay. But I've never before thought about the check you suggest; it's a really good idea to implement such a check.

So what does your code do? It freezes emails if the condition matches. And as I see it, if the sender_host_address is blacklisted, a user (authenticated or not) who tries to send emails from that host address won't even know that he/she is blocked? And he/she would think that the email was accepted for delivery? Is it so?
 
It's not my idea; I found it on the Exim Users mailing list and I posted it without taking time to study it. We can make changes to it to do anything exim is capable of doing; as is, it also sends a warning email to [email protected] (most likely the server admin) so s/he will know that the user is spamming.

More input from others, too, please.

Jeff
 
I think this should be very interesting and, if possible, it might be useful as well if SpamAssassin and RBLs checked outgoing mails for spam; would that be easy to implement?

Regards
 
Don't know; I haven't started looking into any of this yet and won't for at least a few weeks, due to time limitations, but I do want to. So far only a discussion.

Jeff
 
I would love to see this feature implemented. I'm always worried about my clients getting their machines compromised and having their email clients pump out spam. This would also work great with compromised web scripts I'm sure. With a feature like this, I would sleep better at night. :)
 
> This would also work great with compromised web scripts I'm sure.

In most cases (with default settings) nothing but a firewall would ever help if a compromised script opens sockets to remote port 25.
 
> In most cases (with default settings) nothing but a firewall would ever help if a compromised script opens sockets to remote port 25.

I've always wondered about that. However, wouldn't blocking port 25 (outgoing) cause issues with exim and external mail servers?
 
Not sure about FreeBSD, but iptables can check the UID and either allow or block connections based on user ID. So with iptables one can allow outgoing connections to remote port 25 only for the root and mail users and block them for others. But in this case, legitimate users on such a server won't be able to use any remote server to send email.
 
> Not sure about FreeBSD, but iptables can check the UID and either allow or block connections based on user ID. So with iptables one can allow outgoing connections to remote port 25 only for the root and mail users and block them for others. But in this case, legitimate users on such a server won't be able to use any remote server to send email.

I never knew that was possible. I just read ipfw's manpage, and indeed, it does support UID logging. Thanks, I learned something new today. :D
 
A script acting as a mailserver (MTA) would have to be blocked at the firewall level, or by finding and shutting down the script. We generally find these by setting up a feedback loop with AOL, since most spammers do spam lots of AOL addresses.

You can't block outgoing messages destined for port 25 (not quite the same as blocking port 25), unless you can do it based on origin uid, and even then you might be blocking legitimate scripts as well. But you probably shouldn't allow that; your TOS should probably not allow outgoing scripts to connect directly to external servers on port 25, without going through your MTA, exim.

Jeff
 