Description of smap enhancements

The following definitions will be used in this document:

External Net: the insecure network (the Internet).

Internal Net: the more secure network, i.e. the machines which will be using
this machine as a mail hub. This set of machines/nets, preferably defined by
IP addresses via "smap: permit-hosts", will be known as the internal network.
e.g.:

        smap: permit-hosts 127.0.0.* 192.168.1.*

would

Internal Domains: email domains or wildcard patterns which are considered to
be internal for email. Usually these will be the domains for which the machine
serves email, and perhaps additional domains for which the machine is a
secondary/tertiary MX server. These are set via "smap: permit-domains".

Spam hosts: machines/domain names/whatever which are considered to be known
spam sites, and thus should not be allowed to send mail. These are set via

        smap: spam domain.com frob.com

These hosts are only screened when "smap: scrub-spam 1" is set.

These modifications extend smap's control such that when a connection is
established, the incoming IP or domain is matched against the known internal
addresses to see if it is a designated (internal) machine. If address
checking is enabled (see below), the claimed From address is additionally run
through this same filter.

When "Mail From: user@site" is issued and the connecting machine isn't
internal, the following checks take place:

1) If "smap: require-full-email 1" is in /etc/netperm-table, an @ sign must
   appear in the user@site string.
2) If "smap: check-from-address 1" is in /etc/netperm-table, a DNS lookup is
   done on "site":
   a) site is checked to verify that it isn't a local domain (an outside host
      has no business claiming an internal sender domain);
   b) site must have either an MX record or an A record. If neither is found,
      a 410 is returned and the connection dropped.

Last, if the connection is from a non-local host and the "rcpt to:" address
is for a non-local domain, the connection is aborted to prevent mail relaying
(reflecting).
-------------------------------------------------------------------------------

Ok, so how do I go about installing this stuff?

* get the TIS toolkit from TIS (www.tis.com)
* copy smap-cih.c to smap/smap.c
* configure, build and install the toolkit as per their directions, including
  smap.

How do you start screening spam?

I'm going to go through the setup for spam.org, which has the IP networks
192.168.1.0 and 192.168.5.0, and also serves email for superspam.org.

* determine what IPs comprise your interior network and place them in your
  permit-hosts. In this case I would add 127.0.0.* (loopback), 192.168.1.*,
  and 192.168.5.* to my netperm-table as follows:

        smap: permit-hosts 127.0.0.* 192.168.1.* 192.168.5.*

* determine what domains you consider to be internal. In this case it would be
  spam.org and superspam.org, so I would add to my netperm-table:

        smap: permit-domains *spam.org *superspam.org

* get a list of spamming hosts (look at the sample netperm-table). Mail me
  ones that I don't have :) Let's pretend that ispamalot.com is a spamming
  domain. I would then put in my netperm-table:

        smap: spam ispamalot.com

  or, if I thought that they used subdomains/whatever, I could use a wildcard
  pattern:

        smap: spam *ispamalot.com

* now I need to decide how strict I want address checking done as the mail is
  being received. If you want external hosts to have mail in the format of
  user@site rather than just putting down a username (which is rather
  suspicious, if you ask me; usually that is someone telnetting to port 25),
  add:

        smap: require-full-email 1

  If you would like additional checking performed on the address -- the @site
  part (including a second round of spam checking) -- then set:

        smap: check-from-address 1

  This causes the site part to be checked label by label: if the name isn't a
  spam domain and a valid MX or A record can be found for it, the mail is
  accepted; if not, the leftmost label is chopped off and the check repeats
  until the name is gone (and the mail is rejected) or a match is made. Note
  that this only establishes that the claimed domain exists somewhere in DNS;
  it does not verify that the sender is who they claim to be.
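To make the sequence of checks above (the definitions, the Mail From rules, the anti-relay rule, and the label-by-label walk of check-from-address) concrete, here is a small model of that decision logic in Python. This is an added example, not code from the TIS toolkit or from the smap patch. It is driven by a constructed netperm-table fragment matching the spam.org walkthrough and a constructed DNS table; the reply codes other than the documented 410, and rejecting an outside host that claims an internal sender domain with that same code, are assumptions of mine (the patch makes the codes adjustable via the set-*-errno options described later).

```python
"""Model of the smap MAIL FROM / RCPT TO screening described above.

Added example: not code from the TIS toolkit or from the smap patch. It
replays the decision sequence the README gives, driven by a constructed
netperm-table fragment and a constructed DNS table. The reply codes other
than the documented 410, and the rejection of an outside host that claims an
internal sender domain, are assumptions (the patch makes codes adjustable).
"""
from fnmatch import fnmatchcase

# Constructed netperm-table fragment, following the spam.org walkthrough.
NETPERM = """
smap: permit-hosts 127.0.0.* 192.168.1.* 192.168.5.*
smap: permit-domains *spam.org *superspam.org
smap: spam *ispamalot.com
smap: scrub-spam 1
smap: require-full-email 1
smap: check-from-address 1
smap: check-user-too 1
smap: set-bad-address-errno 410
"""

# Constructed DNS answers: name -> record types that exist for it.
DNS = {"mail.example.net": {"A"}, "example.net": {"MX"}, "nowhere.test": set()}


def parse_netperm(text):
    """Collect 'smap:' lines into {key: [values]}; repeated keys accumulate."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("smap:"):
            parts = line[len("smap:"):].split()
            if parts:
                cfg.setdefault(parts[0], []).extend(parts[1:])
    return cfg


def matches_any(value, patterns):
    """netperm-table wildcard match: '*' stands for any run of characters."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


class SmapPolicy:
    def __init__(self, netperm, dns):
        self.cfg = parse_netperm(netperm)
        self.dns = dns
        self.bad_addr = int(self.cfg.get("set-bad-address-errno", ["410"])[0])
        # Assumed defaults; the README documents only the 410 above.
        self.not_local = int(self.cfg.get("set-not-local-errno", ["554"])[0])
        self.reject = int(self.cfg.get("set-reject-errno", ["554"])[0])

    def flag(self, key):
        return self.cfg.get(key, ["0"])[0] == "1"

    def internal_host(self, ip):
        return matches_any(ip, self.cfg.get("permit-hosts", []))

    def local_domain(self, name):
        return matches_any(name, self.cfg.get("permit-domains", []))

    def spam(self, name):
        return self.flag("scrub-spam") and matches_any(name, self.cfg.get("spam", []))

    def walk_site(self, site):
        """check-from-address: test the site, then each parent name, for the
        spam list and for an MX or A record; stop at the first answer."""
        labels = site.split(".")
        while labels:
            name = ".".join(labels)
            if self.spam(name):
                return "spam"
            if self.dns.get(name, set()) & {"MX", "A"}:
                return "ok"
            labels = labels[1:]        # chop the leftmost label and retry
        return "none"

    def mail_from(self, peer_ip, sender):
        """None = accept; otherwise the reply code to send before dropping."""
        if self.internal_host(peer_ip):
            return None                # internal machines are not screened
        if "@" not in sender:
            return self.bad_addr if self.flag("require-full-email") else None
        site = sender.rsplit("@", 1)[1]
        if self.spam(site) or (self.flag("check-user-too") and self.spam(sender)):
            return self.reject
        if self.flag("check-from-address"):
            if self.local_domain(site):
                return self.bad_addr   # outsider claiming an internal domain (assumed code)
            verdict = self.walk_site(site)
            if verdict == "spam":
                return self.reject
            if verdict == "none":
                return self.bad_addr   # no MX or A anywhere up the tree -> 410
        return None

    def rcpt_to(self, peer_ip, recipient):
        """Anti-relay: a non-local peer may only deliver to a local domain."""
        if self.internal_host(peer_ip):
            return None
        return None if self.local_domain(recipient.rsplit("@", 1)[-1]) else self.not_local


if __name__ == "__main__":
    policy = SmapPolicy(NETPERM, DNS)
    for ip, sender in [("192.168.1.7", "bob"), ("203.0.113.9", "bob"),
                       ("203.0.113.9", "joe@host.example.net"),
                       ("203.0.113.9", "x@promo.ispamalot.com")]:
        print(ip, sender, "->", policy.mail_from(ip, sender))
    print("relay attempt ->", policy.rcpt_to("203.0.113.9", "u@elsewhere.example"))
```

The walk in walk_site is what lets joe@host.example.net through even though host.example.net itself has no record: the parent example.net has an MX. The same walk is why a spam pattern without a leading wildcard still catches mail from a subdomain of the listed site, since the parent name is tested on the way up.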
It is absolutely amazing how much spam goes away with this enabled (especially
if you block cyberpromo's IP addresses at your router).

        smap: check-user-too 1

This causes the checking engine to match against the whole user@domain part of
the address, rather than the subset, domain.

This patch to the smap daemon contains the enhancements from Ulrich, plus some
cleanup:

I added some code to fetch some bytes of the E-Mail message if the domain of
the sender is invalid. So I can have a look at failed E-Mails, because we have
some clients which have an illegal sender address (seems to be a problem with
their provider). To enable this feature use the following option in
netperm-table:

        smap: max-email 1000

If an E-Mail fails, the first 1000 bytes will be written to a file in the
directory "secure". The exact filename will be logged to the syslog. To use
this feature you must create the directory "secure" in your smap mail
directory with the proper permissions. To disable this feature set max-email
to 0.

With the option

        smap: max-dirent 500

you can limit the number of files in the secure directory. In the above
example 500 files are allowed.

If you have the problem that you have clients with broken domains in their
sender address, you can use the option

        smap: broken-from *test.com

If you use a string beginning with a *, the sender address must contain the
broken-from string as a substring. In the above example all addresses which
contain test.com will be accepted by smap, e.g. MrX@xy.test.com and also
MrX@xy.test.commercial.de. If you want an exact match, don't use a *. The *
isn't a regular expression here.

Some spammers use the fallback mailhost as a relay. To stop bouncing spam, I
have included the option "kill-mail":

        smap: kill-mail mail.rgw-express.de

All rejected mail coming from this host will get an error message of 554
instead of 4xx, so this mail will only be sent once. The syntax is the same as
the broken-from line.
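The three options above (max-email/max-dirent capture, broken-from, kill-mail) are small enough that their behaviour is easy to misread, so here is an added Python example of each; it is my illustration, not code from the smap patch. The matching rule is the one stated above (a leading * means substring, otherwise exact, no regular expressions). Two things are assumptions of mine because the text does not say: an exact broken-from pattern is compared with the domain part of the sender, and captured files get a "failed." name prefix. The sample message is constructed.

```python
"""broken-from / kill-mail matching and the max-email capture directory.

Added example, not code from the smap patch. The matching rule is the one the
README states (a leading '*' means substring, otherwise exact, no regexps).
Assumptions of mine: an exact broken-from pattern is compared with the domain
part of the sender, and captured files are named with a "failed." prefix.
"""
import os
import tempfile


def pattern_matches(pattern, whole, exact_part):
    """'*foo' -> 'foo' must occur somewhere in `whole`;
    'foo'    -> must equal `exact_part`. No regular expressions."""
    if pattern.startswith("*"):
        return pattern[1:] in whole
    return pattern == exact_part


def broken_from_accepts(patterns, sender):
    """True if a sender whose domain failed the DNS check is let in anyway."""
    domain = sender.rsplit("@", 1)[-1]          # assumed: exact form matches the domain
    return any(pattern_matches(p, sender, domain) for p in patterns)


def reply_code_for(rejection_code, peer_host, kill_patterns, kill_errno=554):
    """kill-mail: a listed relay gets a permanent (5xx) error instead of the
    temporary one, so the bounce is attempted only once."""
    if any(pattern_matches(p, peer_host, peer_host) for p in kill_patterns):
        return kill_errno
    return rejection_code


def make_secure_dir(parent=None):
    """Create the 'secure' capture directory, readable only by its owner."""
    path = tempfile.mkdtemp(prefix="secure.", dir=parent)
    os.chmod(path, 0o700)
    return path


def capture_failed_mail(secure_dir, message, max_email, max_dirent):
    """Save the first max_email bytes of a rejected message in secure_dir.
    Returns the path written, or None when the feature is off (max_email 0)
    or the directory already holds max_dirent files."""
    if max_email <= 0:
        return None
    if len(os.listdir(secure_dir)) >= max_dirent:
        return None
    fd, path = tempfile.mkstemp(prefix="failed.", dir=secure_dir)  # assumed naming
    with os.fdopen(fd, "wb") as fh:
        fh.write(message[:max_email])
    # The patch logs the exact filename to syslog; print stands in for that.
    print("rejected mail head saved to", path)
    return path


def read_capture(path):
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    secure = make_secure_dir()
    # Constructed sample message, larger than max-email so it gets truncated.
    msg = b"From: MrX@xy.test.com\r\nSubject: hello\r\n\r\n" + b"body " * 400
    for _ in range(3):
        print(capture_failed_mail(secure, msg, 1000, 2))   # third call hits max-dirent
    print(broken_from_accepts(["*test.com"], "MrX@xy.test.commercial.de"))
    print(reply_code_for(410, "mail.rgw-express.de", ["mail.rgw-express.de"]))
```

The max-dirent check matters operationally: without it a spammer who keeps hitting the sender check can fill the spool partition with captured fragments, which is why the cap is counted before the file is created rather than after.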
We made these changes to smap because there is so much annoying spam email,
and there are also some "dumb" providers out there who can't get their E-Mail
to work correctly. I am not very familiar with the source code of the TIS
toolkit. Of course, we are NOT developers of it. This is a quick hack to
enhance smap, so I think there are many things which could be made better.

If you want to change the values of the error messages, they are now
adjustable via netperm-table. Examples are below:

        smap: set-bad-address-errno 554
        smap: set-not-local-errno 554
        smap: set-reject-errno 554
        smap: set-kill-errno 554

naturally, you can replace 554 (or 410, or whatever) with your favorite number
:) Bear in mind that 410 is not a reply code defined by RFC 821: if you want a
remote MTA to queue and retry, use a 4xx code it will recognise (450 or 451);
if you want it to give up, use a 55x code.

If you have problems contact

        Craig I. Hagan      hagan@cih.com          http://www.cih.com/~hagan
        Bruce Ellis         bruce@tiac.net
        Ulrich Eckhardt     uli@rgw-express.de     http://people.frankfurt.netsurf.de/Uli

-------------------------------------------------------------------------------

Here is some info from Ron Snyder (snyder@roguewave.com) and his mods which
I've folded in:

It lets you filter based on any combination of sender/recipient. It's not
foolproof, and only really effective if you can ensure that all email from a
specific email address or host is spam. (e.g. I currently block all email from
*savetrees.com, but there is some spam getting through from aol.com because
they (the spammer) keep changing their username, and we can't afford to block
all of aol.com from sending mail to us.)
        #smap: spam-block [deny|allow]
        #people who have left the company and gotten themselves on a bunch of spam lists
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        #an example of protecting one user from one specific domain
        smap: spam-block deny <*juno.com>
        #this allows mail through as long as it claims to be from one of the listed
        #domains. This is the weakest part of the whole scheme, because it doesn't
        #check to make sure that they aren't lying. If a spammer puts a from address
        #of blah@mycompany.com then their junk will get through this filter.
        #(Security through obscurity, unfortunately.)
        smap: spam-block allow <*mycompany*> <*>
        smap: spam-block allow <*partner-company*> <*>
        #an example of blocking those spammers that are polite enough to at least
        #use the same domain name consistently
        smap: spam-block deny <*earthfriends.com> <*>
        smap: spam-block deny <*joinusnow.com> <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*savetrees.com*> <*>
        #an example of blocking our internal email lists from external abuse
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
        smap: spam-block deny <*>
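As an added illustration of how a sender/recipient rule table like Ron's behaves (my own example, not Ron Snyder's code or the smap patch), here is an evaluator for lines of the form "smap: spam-block deny|allow <sender-pattern> <recipient-pattern>". The addresses in the constructed table are placeholders of mine (example.com and so on), not the ones from the table above. Two points the text leaves open are assumptions here: rules are tried in file order and the first match wins, and a message no rule matches proceeds to the rest of smap's checks. The last run in the example shows the weakness Ron points out: a spoofed internal sender address is allowed, even when addressed to an internal list that a later rule protects.

```python
"""spam-block sender/recipient rule evaluation.

Added example, not Ron Snyder's code or the smap patch. Rule format as shown
above: 'smap: spam-block deny|allow <sender-pattern> <recipient-pattern>'.
Addresses in the constructed table are placeholders of my own; first-match-
wins in file order, with no match meaning "proceed", is an assumption.
"""
import re
from fnmatch import fnmatchcase

# Constructed rule table in the style of the example above (placeholder names).
RULES_TEXT = """
# former staff who collect spam: deny everything addressed to them
smap: spam-block deny <*> <former.staff@example.com>
# our own domain and a partner are let through (unverified, as noted above)
smap: spam-block allow <*example.com> <*>
smap: spam-block allow <*partner.example> <*>
# spammers who keep one domain name
smap: spam-block deny <*earthfriends.com> <*>
smap: spam-block deny <*savetrees.com*> <*>
# internal lists must not be fed from outside
smap: spam-block deny <*> <all-staff@example.com>
"""

RULE_RE = re.compile(r"^smap:\s+spam-block\s+(deny|allow)\s+<([^>]*)>\s+<([^>]*)>\s*$")


def parse_rules(text):
    """Return [(action, sender_pattern, recipient_pattern), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("bad spam-block line: " + line)
        rules.append(m.groups())
    return rules


def spam_block(rules, sender, recipient):
    """'deny', 'allow', or None when no rule matches (assumed: mail proceeds).
    Both patterns of a rule must match; '*' is a wildcard, matching is
    case-insensitive."""
    s, r = sender.lower(), recipient.lower()
    for action, spat, rpat in rules:
        if fnmatchcase(s, spat.lower()) and fnmatchcase(r, rpat.lower()):
            return action
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for s, r in [("promo@earthfriends.com", "bob@example.com"),
                 ("anyone@aol.com", "former.staff@example.com"),
                 ("random@aol.com", "all-staff@example.com"),
                 ("blah@example.com", "all-staff@example.com")]:   # spoofed, slips through
        print(s, "->", r, ":", spam_block(rules, s, r))
```

Because the allow rules sit before the list-protection denies and match on the claimed sender only, ordering the denies for internal lists ahead of the allow lines is the cheap mitigation; the real fix is to refuse the internal domain from non-internal hosts, as the check-from-address option does.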