New Idea: Checking for outgoing spam

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
The exim users list has an interesting post today:

Subject: Spam control via ratelimiting

I like the idea from this list of detecting spammers/spambots not by the rate
of sending of all mail, but by the rate of attempts to send to nonexistent
recipients. Spammers and spambots send to huge lists of email addresses.
A large part of the email addresses in such lists don't exist anymore or
never existed (Message-IDs and corrupted strings in memory taken by
address harvesters as email addresses).

My implementation:

LIM = 100
PERIOD = 1h
WARNTO = abuse@example.com
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
...
begin acl
acl_check_rcpt:
...
  # Relay hosts already on the block list: accept, but freeze the message
  # silently so the client cannot tell it has been blocked.
  accept hosts = !@[] : +relay_from_hosts
         set acl_m_user = $sender_host_address
         # or an userid from RADIUS
         condition = ${if exists{$spool_directory/blocked_relay_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_relay_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  # Relay hosts not yet blocked: only RCPTs whose recipient fails
  # verification are counted; once LIM of them arrive within PERIOD the
  # host is recorded, WARNTO is notified and the message is frozen.
  accept hosts = !@[] : +relay_from_hosts
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
         # NB: $acl_m_user is interpolated into a shell command line, so it
         # must only ever hold a host address or a vetted user id.
         continue = ${run{SHELL -c "echo $acl_m_user \
                    >>$spool_directory/blocked_relay_users; \
                    \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
                    because has sent mail to LIM invalid recipients during PERIOD.; \
                    \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  accept hosts = +relay_from_hosts
         control = submission/domain=

  # Same two-stage check for SMTP AUTH users, keyed by the authenticated id.
  accept authenticated = *
         set acl_m_user = $authenticated_id
         # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
         condition = ${if exists{$spool_directory/blocked_authenticated_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_authenticated_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
         # NB: same caveat as above, $acl_m_user reaches the shell unquoted.
         continue = ${run{SHELL -c "echo $acl_m_user \
                    >>$spool_directory/blocked_authenticated_users; \
                    \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
                    has sent mail to LIM invalid recipients during PERIOD.; \
                    \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         control = submission/domain=
Let's open this for discussion... should we implement this or similar?

Jeff
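To make the detection logic of the quoted ACL concrete, here is a small Python model (added here; it is not code from the mailing-list post, the forum, or Exim itself) that feeds only failed recipient verifications into an exponentially decaying per-key rate, following Exim's documented ratelimit algorithm in its default "leaky" mode with LIM = 100 and PERIOD = 1h. The event stream, the bot address 192.0.2.10 and the user name alice are constructed sample data.

```python
import math

LIM = 100.0      # the post's LIM: failed recipients allowed per PERIOD
PERIOD = 3600.0  # the post's PERIOD = 1h, in seconds

class RateLimiter:
    """Per-key smoothed rate after Exim's documented ratelimit algorithm in
    its default "leaky" mode (a simplified model, not Exim's own code)."""

    def __init__(self, limit=LIM, period=PERIOD):
        self.limit, self.period = limit, period
        self.records = {}  # key -> (time of last stored event, rate)

    def update(self, key, now):
        """Count one event for key at time now (seconds); return True when
        the smoothed rate has reached the limit."""
        rec = self.records.get(key)
        if rec is None:
            rate = 1.0  # model choice: a fresh key starts at this event
        else:
            last, old = rec
            interval = max(now - last, 1e-6)  # guard against a zero gap
            a = math.exp(-interval / self.period)
            # rate = old * e^(-i/p) + (1 - e^(-i/p)) * p / i
            rate = old * a + (1.0 - a) * self.period / interval
        over = rate >= self.limit
        if not over:  # leaky mode: a rate above the limit is not stored
            self.records[key] = (now, rate)
        return over

def find_blocked(events, limiter=None):
    """events: (timestamp, sender_key, recipient_exists) in time order.
    As in the ACL, only RCPTs that fail verification feed the counter and
    a key goes on the block list the first time it reaches LIM."""
    limiter = limiter or RateLimiter()
    blocked = []
    for ts, key, exists in events:
        if not exists and limiter.update(key, ts) and key not in blocked:
            blocked.append(key)
    return blocked

def constructed_events():
    """Constructed sample: a bot sending to 150 bad addresses at 1/s, and a
    user who mistypes one address a minute while mostly sending real mail."""
    ev = [(t, "192.0.2.10", False) for t in range(150)]
    ev += [(t * 60, "alice", False) for t in range(200)]
    ev += [(t * 60 + 30, "alice", True) for t in range(200)]
    return sorted(ev)
```

With these inputs only the bot crosses the limit (after roughly a hundred bad recipients), while the user's steady one-a-minute typos settle at about 60 per hour and are never blocked.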
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Hello Jeff,

That sounds really good. More to say, we started to use daily and hourly limits well before they were implemented by default in exim. But if I'm not mistaken, default exim does not limit hourly usage of SMTP. A month or two ago we started to check outgoing messages with SpamAssassin; as we use a smarthost scheme, we do the check on our email relay. But I've never before thought about a check like the one you suggest; that's a really good idea to implement such a check.

So what does your code do? It freezes emails if the condition matches. And, as I see it, if sender_host_address is blacklisted, a user (authenticated or not authenticated) who tries to send emails from that host_address won't even know that he/she is blocked? And he/she would think that the email was accepted for delivery? Is it so?
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
It's not my idea; I found it on the Exim Users mailing list and I posted it without taking time to study it. We can make changes to it to do anything exim is capable of doing; as is, it also sends a warning email to abuse@example.com (most likely the server admin) so s/he will know that the user is spamming.

More input from others, too, please.

Jeff
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
I think it should be very interesting and, if possible, it might be useful as well if SpamAssassin and RBLs checked outgoing mails for spam. Would that be easy to implement?

Regards
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
Don't know; I haven't started looking into any of this yet and won't for at least a few weeks, due to time limitations, but I do want to. So far only a discussion.

Jeff
 

mmx

Verified User
Joined
May 8, 2005
Messages
114
Location
Montreal, QC, Canada
I would love to see this feature implemented. I'm always worried about my clients getting their machines compromised and having their email clients pump out spam. This would also work great with compromised web scripts I'm sure. With a feature like this, I would sleep better at night. :)
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
This would also work great with compromised web scripts I'm sure.
In most cases (with default settings) nothing but a firewall would ever help if a compromised script opens sockets to remote port 25.
 

mmx

Verified User
Joined
May 8, 2005
Messages
114
Location
Montreal, QC, Canada
In most cases (with default settings) nothing but a firewall would ever help if a compromised script opens sockets to remote port 25.
I've always wondered about that. However, wouldn't blocking port 25 (outgoing) cause issues with exim and external mail servers?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Not sure about FreeBSD, but iptables can check the UID and either allow or block connections based on user ID. So with iptables one can allow outgoing connections to remote port 25 only for the root and mail users and block them for others. But in this case, legal users on such a server won't be able to use any remote server to send emails.
 

mmx

Verified User
Joined
May 8, 2005
Messages
114
Location
Montreal, QC, Canada
Not sure about FreeBSD, but iptables can check the UID and either allow or block connections based on user ID. So with iptables one can allow outgoing connections to remote port 25 only for the root and mail users and block them for others. But in this case, legal users on such a server won't be able to use any remote server to send emails.
I never knew that was possible. I just read ipfw's manpage, and indeed, it does support UID logging. Thanks, I learned something new today. :D
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
A script acting as a mailserver (MTA) would have to be blocked at the firewall level, or by finding and shutting down the script. We generally find these by setting up a feedback loop with AOL since most spammers do spam lots of AOL addresses.

You can't block outgoing messages destined for port 25 (not quite the same as blocking port 25), unless you can do it based on origin uid, and even then you might be blocking legitimate scripts as well. But you probably shouldn't allow that; your TOS should probably not allow outgoing scripts to connect directly to external servers on port 25, without going through your MTA, exim.

Jeff
 