(Translation in progress...)
antibadmail is an SMTP wrapper that provides a general-purpose mechanism for rejecting spam (unsolicited mail) during the SMTP session. The program is the successor to the qmail patches I wrote earlier.
Because antibadmail is a wrapper, it can be used not only with qmail but with any RFC 2821 compliant MTA, sendmail and postfix included.
Unlike a content filter, antibadmail rejects spam without inspecting the message content at all. Imagine you were a spam sender: would you send spam from a legitimate SMTP server? Would you send spam using your own real e-mail address?
No.
antibadmail rejects spam based on suspicious parameters in the SMTP session. Because the program checks only three SMTP parameters (HELO, MAIL FROM, RCPT TO) and the SMTP client's DNS record, using it lowers the load on your mail server.
cvs -d :pserver:anonymous@yatex.org:/qmail co antibadmail
By using antibadmail as described below, you can easily reject spam with qmail/sendmail/postfix.
(The default value of $CONTROLDIR is /var/qmail/control)
Mail from a host that announces, in HELO, a host name listed in $CONTROLDIR/badhelodir/ is rejected. An entry beginning with . is treated as a wildcard.
Spam is sometimes sent with a forged IP address in HELO. Almost all such connections are spam, so they are rejected.
For unknown hosts (hosts whose IP address has no registered PTR record), the stricter HELO checks below are applied as well.
If the HELO string contains no `.' (dot), the mail is regarded as spam.
Much wider wildcard matching on the HELO string, `.jp' for example, can be applied to unknown hosts. Put such wider wildcard patterns into $CONTROLDIR/badhelodir/unknown/.
In all of the cases above, as with qmail, the badhelo check is skipped when $RELAYCLIENT or $RELIABLECLIENT is set.
Just like badhelo rejection, you can reject by MAIL FROM address. Place the mail addresses you want to reject in $CONTROLDIR/badmailfromdir/. A pattern beginning with `@' means every address in that domain. A pattern beginning with `.' (dot) matches every domain under that domain.
(Examples)
@hotmail.com -> matches every *@hotmail.com address
.biz -> matches every *@*.biz address
You may find that a great deal of spam comes from addresses like random@hotmail.com. At that point, giving up on receiving all @hotmail.com mail may be a wise choice. Think that is going too far?? Then read on.
In tcpserver's rule file, set GOODMAILFROM to the domains you want to accept. Domains listed in this variable are accepted even if they are contained in $CONTROLDIR/badmailfromdir/. This lets you accept @hotmail.com messages from legitimate hotmail servers while rejecting all forged @hotmail.com senders. To do so, put
=.hotmail.com:allow,GOODMAILFROM="@hotmail.com"
in tcpserver's rules and put @hotmail.com into the badmailfrom database. Start antibadmail *without* the -H option (-H is the option that skips the remote host name lookup).
As with the $GOODMAILFROM rule, a HELO listed in $GOODHELO is accepted even if it exists in $CONTROLDIR/badhelodir/.
USE THIS WITH CARE
There are providers (ISPs) such as Yahoo that offer free mail addresses and Internet connectivity. Legitimate Yahoo SMTP servers send their own correct FQDN, so a server that announces `HELO yahoo.com' is almost certainly trying to send spam, and rejecting it is a sensible approach. In that case, add a `yahoo.com' entry to the badhelodir/ database. Do not set $GOODHELO for it, because...
Some servers, hotmail.com for example, do not send an FQDN. Annoyingly, Hotmail's SMTP servers send `HELO hotmail.com' instead of an FQDN. For such a case, use $GOODHELO.
=.hotmail.com:allow,GOODMAILFROM="@hotmail.com",GOODHELO="hotmail.com"
This way you can receive mail even from such troublesome servers.
Mail whose sender consists of a local part only is rejected, except for bounce messages and messages from RELAYCLIENT.
A null sender is used for bounce mail. Some spammers' MTAs send e-mail with a null sender to multiple recipients. That is wrong. The antibadmail program refuses null-sender e-mail once the client requests more than one RCPT TO.
If $RELAYCLIENT or $RELIABLECLIENT is set, the mail-from domain check is cancelled. This is useful for receiving bounce mail from a reliable mail server.
When you still have an old mail account on a host you previously used, you may want to forward its e-mail to your current mail server. In that case you ought to know that forwarded e-mail is full of spam, because your current mail server has to trust the forwarding server. Against this problem, the antibadmail program rejects all forwarded mail from such a server except mail listed in $PASSONLY. If you want to limit forwarded e-mail from the old server to *.jp and *.org, put
=old.server.previously.used:allow,PASSONLY=".jp/.org"
in tcpserver's rule.
Reject any RCPT-TO recipient addresses listed in $CONTROLDIR/badrcpttodir/.
If the environment variable BADHOST is set, mail from that host is rejected with SMTP error 553. It is a bad idea to refuse the TCP connection from a host whose e-mail you want to reject, because the natural behaviour of an SMTP client is to try the secondary MX and so on. Set $BADHOST with tcpserver as follows;
=.evil.domain:allow,BADHOST=""
This sends an SMTP 5xx error code to the SMTP client.
Requires tcpserver with the tcpserver-paranoid patch.
It is true that a DNS PTR record for the IP address is not absolutely required. But almost all UBE senders disguise or omit the PTR record.
If you want to reject mail from servers whose PTR record is forged, add the -p option to tcpserver
tcpserver -p ......
and replace tcpserver with one carrying the tcpserver-paranoid patch. antibadmail will then reject mail from hosts whose IP address has an invalid PTR record.
The paranoid check is very powerful; it sometimes rejects desirable e-mail. You can find the rejection log entries by grepping for "BAD_PARANOID". To forgive x.y.z.w, which sends *@xyz.its.dom.ain, for its incorrect PTR record setting, add a rule to the tcprules file as follows;
x.y.z.w:allow,PASSONLY="@xyz.its.dom.ain"
E-mail from x.y.z.w that matches $PASSONLY is accepted even though x.y.z.w has a wrong PTR record.
In most cases a spammer's computer is connected as an unknown host, so it is sensible to reject mail from unknown hosts. But in fact many desirable messages are sent from unknown hosts, because some mail-server administrators cannot imagine the importance of correct DNS settings.
For this problem, we can require a PTR record for the IP address blocks of unfamiliar countries. If neither you nor your site's users have any need to communicate with country AAA, and the IP address block `XXX.YYY.*.*' is allocated to AAA, put
XXX.YYY.:allow,REQPTR=""
in tcpserver's rule file. All connections from XXX.YYY.*.* without a PTR record will be rejected.
Note that this is not a virus scanner. Most virus-infected PCs send malicious e-mail using the infected person's e-mail addresses. Introducing antibadmail does not make a virus scanner unnecessary. But `content filters', virus scanners included, always consume tremendous computing resources that are essentially unnecessary.
You'll find that 60%-99% of undesirable e-mail is comfortably rejected by antibadmail. Save your mail server's resources!
Antibadmail should be invoked by tcpserver which is in ucspi-tcp package.
# gtar zxpf ucspi-tcp-0.88.tar.gz
# cd ucspi-tcp-0.88
# vi conf-home (edit conf-home to define the installation prefix)
# make && make setup check
Change the SMTP daemon's port to something other than 25; 10025 is used as the example here.
Create an unprivileged user for antibadmail
# groupadd abm
# useradd -g abm abm
The user name `abm' is arbitrary. Suppose the uid and gid of the `abm' user are 250 and 25 respectively.
Start antibadmail as follows;
tcpserver -u 250 -g 25 -x /etc/smtp.cdb 0 25 \
    antibadmail mconnect 127.0.0.1 10025
Make sure the antibadmail and mconnect commands are located in $PATH. `mconnect' is an SMTP connection client that comes with ucspi-tcp. /etc/smtp.cdb is tcpserver's connection control rule database. If you are not familiar with tcpserver, see the tcpserver rule section below.
The qmail-smtpd daemon program is well designed to be wrapped by others. All you have to do is add antibadmail to the starting script. For example, you may already have a script like this;
tcpserver -u 250 -g 25 -x /etc/smtp.cdb 0 25 qmail-smtpd
Rewrite it as follows;
tcpserver -u 250 -g 25 -x /etc/smtp.cdb 0 25 \
antibadmail qmail-smtpd
That's all.
If you are not familiar with tcpserver yet, try this simplest rule file, /etc/smtp.
127.0.0.1:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
all:allow
where 10.0.0. is the IP address prefix of your LAN. RELAYCLIENT="" means that an environment variable of that name is set when antibadmail is invoked for an SMTP connection from a matching address. Like qmail-smtpd, antibadmail assumes that the client is located in the LAN when the environment variable RELAYCLIENT is set, so the connection cannot be abusive. antibadmail accepts every message when RELAYCLIENT is set.
If you wrote the rule database in /etc/smtp, you have to convert it to cdb format as follows.
# cd /etc
# tcprules smtp.cdb tmp < smtp
After starting tcpserver+antibadmail, try `telnet localhost smtp' to confirm it is running. If the SMTP greeting of the original SMTP daemon shows up, things are almost certainly working.
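The rule forms scattered through this page (RELAYCLIENT, GOODMAILFROM/GOODHELO, PASSONLY, BADHOST, REQPTR) all end up in one tcpserver rule file, and which rule wins for a given connection is not obvious. The following script is an added example, not code from antibadmail or ucspi-tcp: it writes a constructed rule file in the text form that `tcprules' compiles and implements a lookup that mimics the order in which tcpserver consults rules. That order is my reading of the tcprules documentation (exact IP, =host, IP prefixes ending in a dot from longest to shortest, =.suffix of the host from longest to shortest, then the catch-all written as an empty address, `:allow'); treat it as an assumption to verify against your ucspi-tcp version, as is the use of `:allow' rather than `all:allow' for the catch-all.

```shell
#!/bin/sh
# Added example: constructed tcpserver rule file plus a lookup that follows the
# documented tcprules search order (assumption, see lead-in).
RULES=$(mktemp)     # text form of what `tcprules smtp.cdb tmp < smtp' compiles
cat > "$RULES" <<'EOF'
127.0.0.1:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
=.hotmail.com:allow,GOODMAILFROM="@hotmail.com",GOODHELO="hotmail.com"
=old.server.previously.used:allow,PASSONLY=".jp/.org"
=.evil.domain:allow,BADHOST=""
192.0.2.:allow,REQPTR=""
:allow
EOF

# rule_for KEY: print the rule whose address is exactly KEY (nothing if absent).
# awk is used instead of grep so the key is compared literally, not as a regex.
rule_for() {
    awk -v k="$1:" 'index($0, k) == 1 { print; exit }' "$RULES"
}

# lookup IP [HOST]: print the rule tcpserver would apply. HOST is the name it
# would have placed in $TCPREMOTEHOST after a reverse lookup; omit it for a
# connection from an unknown host (no PTR record, or tcpserver run with -H).
lookup() {
    ip=$1; host=${2-}
    r=$(rule_for "$ip");             [ -n "$r" ] && { printf '%s\n' "$r"; return; }
    if [ -n "$host" ]; then
        r=$(rule_for "=$host");      [ -n "$r" ] && { printf '%s\n' "$r"; return; }
    fi
    p=$ip
    while [ "${p%.*}" != "$p" ]; do  # 10.0.0.5 -> 10.0.0. -> 10.0. -> 10.
        p=${p%.*}
        r=$(rule_for "$p.");         [ -n "$r" ] && { printf '%s\n' "$r"; return; }
    done
    if [ -n "$host" ]; then
        h=$host
        while [ "${h#*.}" != "$h" ]; do   # mx1.hotmail.com -> .hotmail.com -> .com
            h=${h#*.}
            r=$(rule_for "=.$h");    [ -n "$r" ] && { printf '%s\n' "$r"; return; }
        done
        r=$(rule_for "=");           [ -n "$r" ] && { printf '%s\n' "$r"; return; }
    fi
    rule_for ""                      # catch-all: the empty address
}

# env_of RULE: the environment assignments antibadmail would see, i.e. the text
# after "allow," (empty for a bare allow)
env_of() {
    case $1 in *:allow,*) printf '%s\n' "${1#*:allow,}" ;; *) printf '\n' ;; esac
}

# Usage: lookup 203.0.113.7 mx3.hotmail.com   -> the =.hotmail.com rule
#        lookup 10.0.0.5                       -> the 10.0.0. rule
```

Two things worth noticing when you run it: a host-suffix rule such as `=.evil.domain' can only match when tcpserver was able to resolve the client (so BADHOST never fires for a client without a PTR record, which is why the page also recommends REQPTR for address blocks), and the IP prefix rules are consulted before the host-suffix rules, so a LAN prefix with RELAYCLIENT="" wins over any =.domain rule for the same client.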
To record the rejecting/accepting results, add the following line to /etc/syslog.conf.
local1.info /var/log/smtp-stat
It is also desirable to add an entry for log rotation to /etc/newsyslog.conf (BSD) or /etc/logrotate.conf (Linux).
antibadmail refers to the `datadir' database structure. A datadir is a maildir-like structure in which an entity exists as a `file in a directory' instead of a `line in a file'. By default, antibadmail refers to three directories.
/var/qmail/control/badhelodir/
Contains files whose names are patterns of SMTP-HELO string for rejection
/var/qmail/control/badmailfromdir/
Contains files whose names are patterns of envelope sender for rejection
/var/qmail/control/badrcpttodir/
Contains files whose names are patterns of envelope recipient for rejection
You can change the prefix /var/qmail/control with the environment variable $CONTROLDIR at run time, or with `CFLAGS=-DCONTROLDIR=/foo/' at compilation.
A filename should take one of the following forms;
name: for badhelodir, badmailfromdir and badrcpttodir, reject all clients that send a parameter identical to `name'.
.name: for badhelodir and badmailfromdir, reject all clients that send a parameter whose domain ends with `.name'. That is, wildcard matching with `*.name'.
@name: for badmailfromdir, reject all clients that send a MAIL FROM parameter whose domain part is exactly `name'. That is, wildcard matching with `*@name'.
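The three filename forms above, together with the HELO and MAIL FROM rules described earlier on this page (unknown-host HELO checks, badhelodir/unknown/, GOODHELO, GOODMAILFROM, RELAYCLIENT/RELIABLECLIENT), are easiest to understand as one lookup function. The script below is an added example and not antibadmail's own code: it builds a constructed $CONTROLDIR under a temporary directory and decides, for a given HELO string or envelope sender, whether the entries would reject it. Assumptions not taken from this page: comparisons are case-insensitive, $GOODHELO and $GOODMAILFROM hold a single entry name each, and a client counts as an unknown host when tcpserver did not set $TCPREMOTEHOST.

```shell
#!/bin/sh
# Added example (not antibadmail's code): datadir lookups for the HELO and
# MAIL FROM checks, using the three filename forms described on this page:
#   name    exact match
#   .name   any value whose domain part ends with ".name"
#   @name   any MAIL FROM whose domain part is exactly "name"
CONTROLDIR=$(mktemp -d)     # constructed stand-in for /var/qmail/control
mkdir -p "$CONTROLDIR/badhelodir/unknown" "$CONTROLDIR/badmailfromdir"
touch "$CONTROLDIR/badhelodir/yahoo.com"                 # exact HELO
touch "$CONTROLDIR/badhelodir/hotmail.com"               # exact HELO, see GOODHELO
touch "$CONTROLDIR/badhelodir/.dynamic.example"          # *.dynamic.example
touch "$CONTROLDIR/badhelodir/unknown/.jp"               # wider pattern, unknown hosts only
touch "$CONTROLDIR/badmailfromdir/spammer@example.net"   # exact sender
touch "$CONTROLDIR/badmailfromdir/@hotmail.com"          # *@hotmail.com
touch "$CONTROLDIR/badmailfromdir/.biz"                  # *@*.biz

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# datadir_match DIR VALUE: print the entry name that matches VALUE, exit 1 if none.
datadir_match() {
    dir=$1; value=$(lower "$2")
    # client-supplied text is used as a file name: refuse anything that could
    # escape DIR or name the directory itself
    case $value in ''|.|*/*|..*) return 1 ;; esac
    [ -e "$dir/$value" ] && { printf '%s\n' "$value"; return 0; }
    case $value in
        *@*) dom=${value#*@}
             [ -e "$dir/@$dom" ] && { printf '%s\n' "@$dom"; return 0; } ;;
        *)   dom=$value ;;
    esac
    while [ "${dom#*.}" != "$dom" ]; do     # a.b.c -> .b.c -> .c
        dom=${dom#*.}
        [ -e "$dir/.$dom" ] && { printf '%s\n' ".$dom"; return 0; }
    done
    return 1
}

# RELAYCLIENT / RELIABLECLIENT are set (possibly to "") by tcpserver rules
trusted_client() { [ -n "${RELAYCLIENT+x}" ] || [ -n "${RELIABLECLIENT+x}" ]; }

# helo_rejected HELO: exit 0 when the HELO parameter should be refused
helo_rejected() {
    trusted_client && return 1
    hit=$(datadir_match "$CONTROLDIR/badhelodir" "$1") && {
        [ "$hit" = "$(lower "${GOODHELO-}")" ] && return 1   # GOODHELO cancels the entry
        return 0
    }
    if [ -z "${TCPREMOTEHOST+x}" ]; then       # unknown host: stricter rules apply
        case $1 in *.*) ;; *) return 0 ;; esac # HELO without a dot
        datadir_match "$CONTROLDIR/badhelodir/unknown" "$1" >/dev/null && return 0
    fi
    return 1
}

# mailfrom_rejected ADDRESS: exit 0 when the envelope sender should be refused
mailfrom_rejected() {
    trusted_client && return 1
    hit=$(datadir_match "$CONTROLDIR/badmailfromdir" "$1") || return 1
    [ "$hit" = "$(lower "${GOODMAILFROM-}")" ] && return 1   # GOODMAILFROM cancels it
    return 0
}

# Usage: helo_rejected yahoo.com && echo "553 rejected"
#        ( GOODMAILFROM="@hotmail.com"; mailfrom_rejected user@hotmail.com ) || echo accepted
```

The guard at the top of datadir_match is the one line a practitioner should not drop when reimplementing this: every lookup turns untrusted SMTP input into a path component, so a value containing `/' or starting with `..' must never reach the filesystem.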
The policy of antibadmail is ``Don't inspect contents''.
However, for badmail forwarded by a (friendly) SMTP server, the grounds for rejection can only be found in the message header.
antibadmail can reject mail by mail header pattern. The datadir structure for rejection by header is a little different from the above. The datadir for one header pattern consists of the following;
$CONTROLDIR/badhdrdir/FieldName/EntryName/p*
$CONTROLDIR/badhdrdir/FieldName/EntryName/errmsg
where FieldName is the header field name in all lower case and EntryName is an arbitrary name for the pattern set.
Any file whose name begins with `p' is evaluated as a set of fixed-string patterns to be compared with the value of FieldName. Each pattern must be written on one line. Multiple lines in one file are AND-ed. Patterns in different files are OR-ed.
The errmsg file holds the SMTP error message sent to clients when the header they send matches a pattern.
For example, suppose you want to reject messages whose header contains one of the following;
Received: from hogehoge.fugafuga.com (HELO oldserver.you.used) ....(1)
or
Received: from unknown .... by oldserver.you.used ....(2)
where `....' is any string. You might want to reject forwarded badmail by looking at the Received header added by the SMTP server you previously used. The pattern for (1) is like this;
(HELO oldserver.you.used)
For (2);
from unknown
by oldserver.you.used
Note that pattern (2) is written on two lines, so that both strings ("from unknown" and "by oldserver.you.used") must match the Received header. In conclusion,
--- File: $CONTROLDIR/badhdrdir/received/foo/ptn-1 ---
(HELO oldserver.you.used)
--- File: $CONTROLDIR/badhdrdir/received/foo/ptn-2 ---
from unknown
by oldserver.you.used
--- File: $CONTROLDIR/badhdrdir/received/foo/errmsg ---
We cannot receive suspicious messages.
refuses messages whose Received header matches "(HELO oldserver.you.used)", or matches both "from unknown" and "by oldserver.you.used", returning the SMTP error message "We cannot receive suspicious messages.".
# touch /var/qmail/control/badmailfromdir/@hotmail.com
=.hotmail.com:allow,GOODMAILFROM="@hotmail.com"
If you want to receive every message from a certain server, set the environment variable RELIABLECLIENT for that server.
=smtp.server.you.wantto.rely:allow,RELIABLECLIENT=""
antibadmail stops all rejection checks except those for extremely insecure parameters when RELIABLECLIENT is set.
Sometimes you or the users of your SMTP server want to receive all e-mail even if the sender's SMTP server has wrong DNS record settings, for example when you sign up for web shopping, an auction or a mail magazine. Such sites are often hosted by ill-mannered service providers, many of which have neither correct DNS (A and PTR record) settings nor a correct SMTP HELO. Although antibadmail rejects e-mail from such incorrect servers by default, you can turn off rejection for certain recipient addresses.
You can create a `soiled recipient address' as follows.
Create datadir for soiled recipients.
# mkdir /var/qmail/control/soiledrcpttodir
Make the entry of recipient address for no rejection.
# mkdir /var/qmail/control/soiledrcpttodir/local-foo@your.domain
Then antibadmail will pass all e-mail for `local-foo@your.domain'.
For qmail, the wildcard patterns accepted in soiledrcpttodir are as follows.
local-@your.domain
When the local part ends with `-', pass everything for `local-*@your.domain'.
@any.domain
Pass everything for `*@any.domain'.
Note that rejection is not avoided when the SMTP client sends a parameter that strictly matches an entry in one of badhelodir, badmailfromdir or badrcpttodir.
The public spam rejection database is available via anoncvs.
cvs -d :pserver:anonymous@yatex.org:/qmail co spamdb
This database is in plain-text format, not the datadir structure. You can convert a plain-text database to the datadir structure with the f2d command, which comes with the antibadmail package.
You can convert, for example, the badmailfrom file from spamdb into the badmailfromdir/ structure by running f2d as follows.
f2d -d ./badmailfromdir badmailfrom
Note that ./badmailfromdir/ and badmailfrom are relative to the working directory.
Any database that keeps multiple records in one file always suffers from these difficulties;
With the `datadir' structure there is no need for file locking, because every update to an entity can be done without referring to any other entity. All addition and deletion operations are automatically atomic because they are file creations or file deletions.
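The conversion that f2d performs and the atomicity argument above can both be shown in a few lines of shell. The script below is an added example and not the f2d program from the antibadmail package: it turns a constructed plain-text list (one pattern per line) into a datadir and shows the single-file add and delete operations that need no lock. The list syntax it accepts (comment lines starting with `#', blank lines ignored, entries lower-cased and de-duplicated) is my assumption, not a description of spamdb's format.

```shell
#!/bin/sh
# Added example: plain-text list -> datadir, plus lock-free single-entry updates.
WORK=$(mktemp -d)                           # constructed working directory
cat > "$WORK/badmailfrom" <<'EOF'
# comment lines and blank lines are skipped (assumed list syntax)
@hotmail.com
.biz
spammer@example.net

.BIZ
EOF

# text_to_datadir LIST DIR: create one empty file per entry in DIR and print
# how many entries were created. Entries are lower-cased; names that could
# escape DIR or refer to DIR itself are refused.
text_to_datadir() {
    list=$1; dir=$2; count=0
    mkdir -p "$dir"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case $entry in ''|'#'*|*/*|.|..*) continue ;; esac
        [ -e "$dir/$entry" ] && continue    # duplicate entry, nothing to do
        : > "$dir/$entry"
        count=$((count + 1))
    done < "$list"
    echo "$count"
}

# Creating or unlinking one file is atomic on a local filesystem, so readers
# that scan the directory concurrently never see a half-written database.
datadir_add() { : > "$1/$2"; }
datadir_del() { rm -f "$1/$2"; }

# datadir_count DIR: number of entries (dot-files included)
datadir_count() { ls -A "$1" | wc -l | tr -d ' '; }

# Usage: text_to_datadir ./badmailfrom ./badmailfromdir
#        datadir_add ./badmailfromdir @example.test
```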