Mail and Messaging Guide
Chapter 5, sendmail administration

Managing spam

Unsolicited email, or ``spam'', is an increasing problem on the Internet. You can use the anti-spam rulesets described in this section to control which mail your site accepts and which mail it relays on behalf of other sites.

With the exception of check_rcpt, these anti-spam features are disabled by default. You must manually edit the sendmail configuration file, /usr/lib/sendmail.cf, to configure and enable these rulesets. Configuring anti-spam features requires a thorough knowledge of both SMTP (RFC 821) and sendmail. The O'Reilly book on sendmail, listed in ``Related documentation'', provides detailed information on sendmail configuration. Other resources are also available at http://www.sendmail.org.


NOTE: The ruleset names are built into sendmail and do not always indicate the functionality they enable. See the description of each ruleset below for what it actually checks.

Currently, anti-spam features cannot be enabled with the SCOadmin Sendmail Configuration Manager, mkdev cf, or the Internet Manager's mail configuration options. With the exception of check_rcpt, modifications made to /usr/lib/sendmail.cf to enable anti-spam features are not preserved across successive executions of these configuration utilities. Be sure to keep a copy of your changes to /usr/lib/sendmail.cf so that you can re-enable the anti-spam features after running one of the sendmail configuration utilities.




Using the check_rcpt ruleset

Those sending spam often route their mail through an unrelated intermediate system (an ``open relay'') to hide its true source. The check_rcpt ruleset prevents your site from being used as an intermediate relay between an outside sender and an outside recipient.

To implement check_rcpt:

  1. Uncomment the check_rcpt, Parse0, and matchvdom rulesets, as well as the Krelays line, in /usr/lib/sendmail.cf.

  2. Add entries to the relays file for those sites that are allowed to send mail through this site.

  3. Restart sendmail.
After you restart sendmail, attempts to relay mail through this site are rejected and an error message is returned to the sender, unless the relaying site is listed in the relays map or in class R (described below). If no other sites will use this site as a relay, do not add entries to the relays map.


NOTE: This ruleset will account for and allow mail delivery to virtual domains defined by the SCO Internet Manager, if you uncomment the appropriate section of /usr/lib/sendmail.cf.

The class R, defined by entries in the file /usr/lib/mail/antispam/sendmail.cR, allows additional relays not defined in the relays map. The DD macro and the Cw class (the names by which this host is known) must also be defined for this ruleset to function properly.




Adding entries to the relays map

The relays file (/usr/lib/mail/antispam/relays), used by the check_rcpt ruleset, lists the sites, by fully-qualified domain name or IP number, that are allowed to use this site as an intermediate relay.

Add entries to the file using this <Tab>-separated format:

   address	OK
address is either the fully-qualified domain name or the IP number of the site that is allowed to use this one as an intermediate relay. The fields must be <Tab>-separated, and the OK entry is required.

For example, to allow the site bomb20.pdev.sco.com to use this site as an intermediate relay, add the following line to the file:

   bomb20.pdev.sco.com	OK

This example shows a specific IP number:

   10.0.67.15	OK

After adding or deleting entries from this file, rebuild the relays map:

  1. Log in to the system as root.

  2. Enter the following commands:

    cd /usr/lib/mail/antispam
    makemap hash relays < relays




Using the check_relay ruleset

This ruleset rejects mail from a pre-defined list of fully qualified domain names and/or IP numbers, regardless of the recipient.

To implement this feature:

  1. Uncomment the check_relay ruleset and the Kspammers line in /usr/lib/sendmail.cf.

  2. Modify and rebuild the spammers file.

  3. Restart sendmail.
When implemented, mail sent from the sites indicated in /usr/lib/mail/antispam/spammers will be returned to the sender with an error message.


NOTE: Do not use both check_relay and check_mail. The check_mail ruleset is essentially a superset of check_relay. However, check_mail may be too strict when dealing with remote SMTP clients that may not be configured properly in the Domain Name Service.



Adding entries to the spammers map

The spammers file (/usr/lib/mail/antispam/spammers), used by the check_relay or check_mail rulesets, identifies systems from which mail will be rejected.

Add entries to the file using this <Tab>-separated format:

   address	message
address is either the fully qualified domain name or the IP number of the site from which this system will refuse mail. message is the error message to be sent back to the sender. For example, to refuse mail from the machines bomb20.pdev.sco.com and the machine at IP address 10.0.67.15, you might add these entries:
   bomb20.pdev.sco.com	Mail rejected, contact postmaster@mydomain.com
   10.0.67.15		Mail rejected, contact postmaster@mydomain.com
Note that the error message is only used by check_mail, not check_relay. However, a string must always exist on the right hand side of this file regardless of which ruleset uses it.

After editing this file, rebuild the spammers map:

  1. Log in to the system as root.

  2. Enter the following commands:

    cd /usr/lib/mail/antispam
    makemap hash spammers < spammers



Using the check_mail ruleset

This ruleset requires that the domain of the sender specified in the "Mail From:" SMTP command resolves to a valid fully-qualified DNS domain name. Additionally, the client making the connection to the local SMTP server is checked against a pre-defined list of fully qualified domain names.

To implement this feature:

  1. Uncomment the check_mail ruleset and the Kspammers line from /usr/lib/sendmail.cf.

  2. Modify and rebuild the spammers file.

  3. Restart sendmail.
After you implement this feature, SMTP "Mail From:" commands whose argument is not a valid fully qualified domain name (as listed by the Domain Name Service), will cause that SMTP transaction to terminate with an error. Additionally, if the "Mail From:" check succeeds, the IP number and name of the client making the connection will be checked against the domains and IP numbers listed in /usr/lib/mail/antispam/spammers, and the mail returned with an error message if a match is found.


NOTE: Do not use both check_relay and check_mail. The check_mail ruleset is essentially a superset of check_relay. However, check_mail may be too strict when dealing with remote SMTP clients that may not be configured properly in the Domain Name Service. Also, check_mail is incompatible with the DeliveryMode=Defer option, as it requires an immediate DNS lookup to verify the sender's domain. (DeliveryMode=Defer is not set by default.)



Using the check_compat ruleset

Use check_compat to prevent mail from a pre-defined list of domain names or email addresses from being delivered to a specified list of recipients. For example, you can use this ruleset to reject all mail from any user in domain foobar.com addressed to any user in domain barfoo.com, while still allowing mail from users in foobar.com to reach users in other domains. This is useful for stopping a spam attack from a particular site against a specific set of users or domains.

To implement this feature:

  1. Uncomment the check_compat, matchprotected, and matchspam rulesets, and the Kspammers2 and Kprotected lines, from /usr/lib/sendmail.cf.

  2. Add users and domains from which mail will possibly be rejected to the spammers2 file and rebuild the map.

  3. Add users and domains that are considered 'protected' from spam attacks from the first set of addresses to the protected file and rebuild the map.

  4. Restart sendmail.


Adding entries to the spammers2 map

The spammers2 file (/usr/lib/mail/antispam/spammers2), used by the check_compat ruleset, specifies those addresses that are to be considered as potential spammers against those addresses in the protected map.

Add entries to the file using this <Tab>-separated format:

   address	SPAMMER
address is the user name, system name, or domain name that is considered a source of spam. For example, if mail from all users in isendspam.com is to be treated as spam, enter:
   isendspam.com		SPAMMER
This marks as a potential spam attack all mail from users in the domain isendspam.com and in all of its subdomains, such as machine1.isendspam.com and machine1.subdom.isendspam.com.

To specify an individual user instead, enter their individual addresses:

   chris@sendyouspam.com	SPAMMER
This marks chris@sendyouspam.com as a potential spam generator, but does not affect mail from other users in sendyouspam.com.

All entries must contain the string SPAMMER on the right hand side.

After editing this file, rebuild the spammers2 map:

  1. Log in to the system as root.

  2. Enter the following commands:

    cd /usr/lib/mail/antispam
    makemap hash spammers2 < spammers2


NOTE: Use both the protected and spammers2 files carefully.

Because you can block whole domains from access to your protected users, you may also exclude valid e-mail addresses. In this case, it is best to target individual addresses in the spammers2 file.




Adding entries to the protected users map

The protected users file (/usr/lib/mail/antispam/protected), used by the check_compat ruleset, specifies those addresses that are to be considered 'protected' from spam attacks by the addresses in the spammers2 map.

Add entries to the file using this <Tab>-separated format:

   address	PROTECTED
address is the user name, system name, IP address, or domain name that is to be protected. For example, if mail to all users in foobar.com is to be protected, enter the line:
   foobar.com	PROTECTED
This will mark as protected all mail to all users in the domain foobar.com, as well as its subdomains such as machine1.foobar.com, and machine1.subdom.foobar.com.

To protect individual users rather than entire domains, enter their individual addresses:

   chris				PROTECTED
   chris@foobar.com		PROTECTED
This marks as protected the local user chris and the address chris@foobar.com, but leaves as unprotected all other local users and all other users in the domain foobar.com.

All entries must contain the string PROTECTED on the right hand side.
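The following shell script is an added example; it is not part of this documentation and it is not sendmail's check_compat ruleset. It models the matching behaviour described above for the spammers2 and protected maps: an address is looked up on its full form first, then (for user@domain) on its domain and each parent domain, and a bare name matches a local user. A message is rejected only when the sender hits spammers2 and the recipient hits protected. The script works on constructed copies of the two map files in a temporary directory rather than on /usr/lib/mail/antispam, and the keys_for, map_has, lookup and compat_reject names are its own. Use sendmail's address test mode (sendmail -bt) to confirm what the real configuration does.

```shell
#!/bin/sh
# Added example: a model of the spammers2/protected matching described
# on this page.  It is not sendmail's check_compat ruleset; it only
# shows which entries a given sender/recipient pair would hit.

# Constructed sample maps in a temporary directory (assumption: the
# real files live in /usr/lib/mail/antispam and are built with makemap).
ANTISPAM=$(mktemp -d)
trap 'rm -rf "$ANTISPAM"' EXIT
SPAMMERS2=$ANTISPAM/spammers2
PROTECTED=$ANTISPAM/protected
printf 'isendspam.com\tSPAMMER\nchris@sendyouspam.com\tSPAMMER\n' > "$SPAMMERS2"
printf 'foobar.com\tPROTECTED\nchris\tPROTECTED\npat@barfoo.com\tPROTECTED\n' > "$PROTECTED"

# keys_for ADDRESS: print the map keys to try, most specific first.
#   user@host.dom.com -> user@host.dom.com, host.dom.com, dom.com, com
#   a bare name (local user) -> the name itself
keys_for() {
    addr=$1
    printf '%s\n' "$addr"
    case $addr in
    *@*)
        dom=${addr#*@}
        while [ -n "$dom" ]; do
            printf '%s\n' "$dom"
            case $dom in
            *.*) dom=${dom#*.} ;;
            *)   dom= ;;
            esac
        done
        ;;
    esac
}

# map_has FILE KEY VALUE: true if FILE has a line "KEY<Tab>VALUE"
# (the value is everything after the first run of white space,
# which is how makemap splits a line).
map_has() {
    awk -v k="$2" -v v="$3" '
        $1 == k { val = $0; sub(/^[^ \t]+[ \t]+/, "", val); if (val == v) found = 1 }
        END { exit !found }' "$1"
}

# lookup FILE ADDRESS VALUE: true if any key derived from ADDRESS is in FILE
lookup() {
    for k in $(keys_for "$2"); do
        map_has "$1" "$k" "$3" && return 0
    done
    return 1
}

# compat_reject SENDER RECIPIENT: true (exit 0) when the model says
# check_compat would reject: sender in spammers2 AND recipient in protected.
compat_reject() {
    lookup "$SPAMMERS2" "$1" SPAMMER && lookup "$PROTECTED" "$2" PROTECTED
}

# show SENDER RECIPIENT: print the decision for one pair
show() {
    if compat_reject "$1" "$2"; then d=REJECT; else d=ACCEPT; fi
    printf '%-40s -> %-22s %s\n' "$1" "$2" "$d"
}

show bob@machine1.subdom.isendspam.com alice@foobar.com    # REJECT: subdomain of a listed domain, protected domain
show bob@isendspam.com                 alice@elsewhere.com # ACCEPT: recipient is not protected
show chris@sendyouspam.com             chris               # REJECT: listed individual, protected local user
show dave@sendyouspam.com              chris               # ACCEPT: only chris@sendyouspam.com is listed
show bob@isendspam.com                 pat@barfoo.com      # REJECT: protected individual address
show bob@isendspam.com                 sam@barfoo.com      # ACCEPT: barfoo.com itself is not protected
```

The last two pairs show why the NOTE above matters: protecting pat@barfoo.com leaves the rest of barfoo.com open, while a domain entry such as foobar.com covers every user and every subdomain under it.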

After editing this file, rebuild the protected map:

  1. Log in to the system as root.

  2. Enter the following commands:

    cd /usr/lib/mail/antispam
    makemap hash protected < protected
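The following shell script is an added example, not part of this documentation or of sendmail. Before running makemap, it checks a map source file against the format required on this page for all four files (relays, spammers, spammers2 and protected): the key and value must be <Tab>-separated, the right-hand side must be exactly OK, SPAMMER or PROTECTED (or, for the spammers file, any non-empty message), and a key may appear only once, since a hash map holds one entry per key. The ANTISPAM_DIR variable and the lint_map and rebuild_map function names are this example's own; the directory defaults to /usr/lib/mail/antispam as on this page.

```shell
#!/bin/sh
# Added example: lint an antispam map source file against the format this
# page requires, then rebuild it with makemap.  Not part of the SCO
# documentation or of sendmail.
#
# ANTISPAM_DIR is this example's own variable (assumption: the files live
# in /usr/lib/mail/antispam, as on this page).
ANTISPAM_DIR=${ANTISPAM_DIR:-/usr/lib/mail/antispam}

# lint_map FILE WANT
#   WANT is the required right-hand side: OK, SPAMMER, PROTECTED, or ANY
#   for the spammers file, whose right-hand side is a free-form message.
#   Prints one line per problem and returns non-zero if any were found.
lint_map() {
    awk -v want="$2" '
        /^[ \t]*$/ || /^#/ { next }                  # blank lines and comments
        {
            # a key, at least one <Tab>, then a value
            if ($0 !~ /^[^ \t]+\t+[^ \t]/) {
                print FILENAME ":" NR ": key and value must be <Tab>-separated: " $0
                bad++; next
            }
            key = $1
            val = $0; sub(/^[^ \t]+\t+/, "", val)
            if (want != "ANY" && val != want) {
                print FILENAME ":" NR ": right-hand side must be " want ", not \"" val "\""
                bad++; next
            }
            if (key in seen) {
                print FILENAME ":" NR ": duplicate key " key " (first seen on line " seen[key] ")"
                bad++; next
            }
            seen[key] = NR
        }
        END { exit bad > 0 }' "$1"
}

# rebuild_map NAME WANT: lint $ANTISPAM_DIR/NAME and, only if it is clean,
# rebuild NAME.db with makemap exactly as the procedures on this page do.
rebuild_map() {
    lint_map "$ANTISPAM_DIR/$1" "$2" || return 1
    (cd "$ANTISPAM_DIR" && makemap hash "$1" < "$1")
}

# Typical use, as root, after editing the source files:
#   rebuild_map relays    OK
#   rebuild_map spammers  ANY
#   rebuild_map spammers2 SPAMMER
#   rebuild_map protected PROTECTED
```

A trailing space after OK or PROTECTED is reported as a wrong right-hand side on purpose: makemap would store the value with the space, and the ruleset, which looks for the exact string, would not match the entry.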