Domain: sendmail.org
Stories and comments across the archive that link to sendmail.org.
Comments · 122
-
Expansion on the DIY approach
If you're going to take the DIY approach, you should either be an experienced UNIX admin, or get yourself up to speed as fast as you can. The Aileen Frisch book Essential UNIX Administration (or Essential System Administration) is a good place to start. For running a mail server, also check out sendmail.org and Claus Assmann's useful site on configuring sendmail.
I had similar paranoid security concerns, so I set up OpenBSD. It was a fairly painless install, provided you read the directions. I set up sendmail, UW-IMAP, IMP, and access it via secure http. UW-IMAP has some serious security concerns, but it's much easier to compile than Cyrus, my preferred IMAP server.
If you're new to UNIX admin though, try looking at FreeBSD. This is hands down the simplest UNIX installation I have ever done. It was almost as simple as starting the installation, walking away, and coming back when it was done. It also doesn't hurt that FreeBSD has excellent network performance.
TinyEgo
-
Is it more secure than other secure systems?
I'd have no trouble agreeing that qmail has a better security record than Sendmail.
The problem is, that's not the only plausible comparison to make. It's more or less like saying, Because Windows Crashes If You Look At It Funny, and Linux doesn't, therefore Linux must be SuperRobust Software.
Which may be a legitimate comparison at one level, but still doesn't mean that closer comparisons aren't more relevant. I'd think we'd learn more from comparing Linux to VMS, or Tandem, or *BSD.
And heading back to relevance, perhaps qmail hasn't gotten "hacked," but it seems to me that we could ask if Postfix has gotten hacked, and find that quite meaningful.
-
Re:Encryption ideas I haven't seen suggested befor
1) Add encryption into sendmail's transmission of mail.
The latest release of the free version of sendmail (8.11.0) includes some encryption features (specifically, STARTTLS. TLS is Transport Layer Security, and provides encrypted communications server-to-server). See sendmail.org for more info.
-
Re:But it isn't widely deployed.
Having gone back and re-read a bunch of information, I can tell you:
- Sendmail Pro definitely currently has TLS.
- Sendmail 8.11 betas have TLS support.
- These guys have a TLS wrapper for existing sendmail installations.
So I jumped the gun a bit on BSDLed sendmail having TLS - it will RSN, or you can use a wrapper. On the upside, I was also wrong about zmailer, who apparently have TLS now. Encrypted linux-kernel anyone?
-
Use blacklists!
Given the clueless nature of your ISP's response this may be asking for too much but what they should be doing is using a MTA (Mail Transfer Agent) that uses blacklists to refuse Email from known SPAM sites & open relays.
General information on blocking Spam can be found at http://spam.abuse.net/tools/mailblock.html
If they are using an up to date version of sendmail and wish to use a local blacklist this is trivial and is documented at the following URL: http://www.sendmail.org/antispam.html
Look around sendmail.org to find detailed info on using blacklists.
Another good reference is http://www.orbs.net
Spammers have gotten wise to the fact that using their own sites to send their Spam gets them blacklisted in short order. However there are lots of broken sites that accept anonymous relaying. Orbs keeps a DB of these sites so you can refuse to accept Email from these potential sources of Spam.
Pat
-
Re:The Larger Trend
Right on! Every true free software monk knows that money is the root of all evil. Let's break down how the evil has grown over the years.
Linus Torvalds, cute, cuddly, penguin-looking fellow. What does he want? World domination. What does he wish have said domination? Linux[tm]. What's that "tm" stand for? Transmeta, which is a company. World domination will only benefit Transmeta. Linus is but a pawn. Boycott Linux.
Richard Stallman, a lovely character with a front as high priest of the Order of Free Software. He has been known to take donations. What do donations consist of? Money. What is the most evil substance on this planet? Money. This high priest is a charlatan, I say! He is as evil as the rest!
Apache, everybody's favorite open source web server. What is the Apache Software Foundation? According to their FAQ, a "not-for-profit corporation." What do they do? Take donations. Another group whose purpose is not to make quality free software, but to create DonateWare. This, my friends, we do not need. With 60+ percent of the web server market, I fear them more than Transmeta.
Sendmail, the ever popular mail transport agent with an odd name. Right on their front page, it says "sendmail[tm]." (Sorry, Slashdot doesn't allow the SUP tags like the page has.) Obviously they are in cohorts with Linus and his merry band of power-mad mind controllers. What do they do on the side? Sendmail Pro. Which this create to bring in what? Money. Tell me once again what is the most evil substance on this planet? Money.
Can I get an "Amen!?"
Miguel de Icaza, creator, dictator, and zoo keeper of many GNOMEs (you know who you are). Why did he create them? Hatred for KDE/Qt. What's he turned the crusade into? Helix Code. (What's up with the first sentence on that page, "leading open source desktop company?" I'd like to see the study that concluded that. Why does every company have to declare themselves the leader of a one-contestant contest? I'm the leading free software development specialization operation in my apartment, who the heck cares?) What did he create Helix Code for? So people would "Buy Helix GNOME".
I could go on and on. But my point is all software we once thought would be pure has gone the way of the dollar. It truly saddens me to see this happen. Therefore, I call upon all true free software artisans to join me on a tiny desert isle to be named shortly where we will grow our own food, choke our own chickens, and code pure free software. You see, living in places like the United States, Europe, Germany, there are just too many temptations that require money, houses, cars, beer, women. Therefore we will do away with all these in the name of pure free software. Only then can we be one with the computer. Who's with me?
-
Tagging spam
Sites using sendmail v8.9.x for receiving email give users the ability to have/use "plussed users". This can allow you to tag your email address such that you can track how it propagates among the spammers. (The sendmail page shows plussed users as an alias but it works without an alias file - at least for me.)
For example, if you feel like you need to give a real email address when downloading program foo, enter
userid+TheCompanyNameHere@your-domain.com
or
userid+programFoo@your-domain.com
The message will be delivered to "userid" but can be filtered on "TheCompanyNameHere" or "programFoo". You can use this to track if/how another company gets your email address.
S.P.A.M. - Stupid People's Advertising Methods
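An added example, not part of the comment above: one way to audit a mailbox for plus-tags that have escaped the company they were handed to. The function names, the `.example` sender domains and the "tag should appear in the sender's domain" heuristic are assumptions made for this sketch; the sample messages are constructed.

```python
import email
import re
from collections import defaultdict
from email.utils import getaddresses, parseaddr


def split_plus(address, mailbox, domain):
    """Return the +detail tag if address is mailbox+tag@domain, else None."""
    local, _, dom = address.rpartition("@")
    if dom.lower() != domain.lower():
        return None
    base, sep, tag = local.partition("+")
    if not sep or not tag or base.lower() != mailbox.lower():
        return None
    return tag


def tag_usage(raw_messages, mailbox, domain):
    """Map each plus-tag seen in To/Cc/Delivered-To to the sender domains using it."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1]
        sender_domain = sender.rpartition("@")[2].lower() or "(unknown)"
        headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
                   + msg.get_all("Delivered-To", []))
        for _, addr in getaddresses(headers):
            tag = split_plus(addr, mailbox, domain)
            if tag:
                seen[tag].add(sender_domain)
    return dict(seen)


def _squash(text):
    """Lower-case and drop punctuation so 'programFoo' matches 'program-foo.example'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def leaked_tags(usage):
    """Heuristic: a tag has leaked when a sender domain does not contain the tag text."""
    leaks = {}
    for tag, domains in usage.items():
        strangers = sorted(d for d in domains if _squash(tag) not in _squash(d))
        if strangers:
            leaks[tag] = strangers
    return leaks


# Constructed sample mail: the programFoo tag turns up at an unrelated sender.
SAMPLE_MESSAGES = [
    "From: News <news@programfoo.example>\n"
    "To: userid+programFoo@your-domain.com\n"
    "Subject: Release notes\n\nVersion 2 is out.\n",
    "From: deals@bulk-offers.example\n"
    "To: <userid+programFoo@your-domain.com>\n"
    "Subject: MAKE MONEY FAST\n\nAct now.\n",
    "From: billing@thecompanynamehere.example\n"
    "To: Some User <userid+TheCompanyNameHere@your-domain.com>\n"
    "Subject: Receipt\n\nThanks.\n",
]

if __name__ == "__main__":
    usage = tag_usage(SAMPLE_MESSAGES, "userid", "your-domain.com")
    for tag, senders in leaked_tags(usage).items():
        print(f"tag {tag!r} is being used by: {', '.join(senders)}")
```

A sender that forges the original company's domain in From: defeats the heuristic, so treat a clean report as "no obvious leak" rather than proof.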
-
DMA/Spam vs. Regulation
This digresses a bit, but just a thought:
do we really _want_ spammers to be regulated, or to even have spam outlawed?
Remember, this would be done by the same people who brought you the DMCA.
It occurs to me that projects like the Real Time Blackhole List or Sendmail's anti-spam configuration options serve the cause a lot better than blanket laws passed by technologically less-than-aware legislators?
It's quite possible that lobbying organizations like DMA actually help the idea of keeping the net free of legislative overkill in the long run...
Comments?
-
Re:AOL on ORBS list
What we do at my site is to use the Sendmail (8.9.3 and later) "access_db" feature with higher priority than RBL and ORBS. This means that you can add a host (or network, or domain) into the access hash that will always or never be able to relay to or through your site, regardless of what MAPS RBL or ORBS have to say about it. An added benefit of access_db is customized refusal messages. Say, for example, you get a lot of spam for a certain domain without a postmaster@ address whose DNS is rather screwy. It's not relaying spam, just sending spam. So, I can put something like "spamdomain.net 550 Your postmaster address is broken, I don't know who you are--too much spam from your domain. Go away." in access_db and protect your network and inform the clueless admins at the remote site of what's wrong.
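An added example, not part of the comment above and not sendmail's ruleset code: a simplified Python model of the ordering the comment describes, where a local access table is consulted first and a DNS blacklist only when the table has no entry. The lookup order (host name, then parent domains, then the IP and shorter prefixes), the `dnsbl.example` zone, the generic refusal texts and all addresses are assumptions or constructed values; the custom 550 text is the one quoted in the comment.

```python
import ipaddress

# Constructed access table in "key -> right-hand side" form.
ACCESS = {
    "partner.example": "OK",
    "192.0.2": "REJECT",
    "spamdomain.net": ("550 Your postmaster address is broken, I don't know who "
                       "you are--too much spam from your domain. Go away."),
}

DNSBL_ZONE = "dnsbl.example"  # placeholder zone, not a real blacklist
# Constructed stand-in for DNS: query names that would resolve (i.e. are listed).
LISTED = {"7.100.51.198.dnsbl.example", "8.100.51.198.dnsbl.example"}


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name looked up in a DNS blacklist zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def access_keys(client_name, client_ip):
    """Yield table keys from most to least specific."""
    labels = client_name.lower().rstrip(".").split(".") if client_name else []
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    octets = client_ip.split(".")
    for n in range(4, 0, -1):
        yield ".".join(octets[:n])


def decide(client_name, client_ip, access=ACCESS, is_listed=LISTED.__contains__):
    """Return (verdict, detail); a local table entry always wins over the blacklist."""
    for key in access_keys(client_name, client_ip):
        rhs = access.get(key)
        if rhs is None:
            continue
        action = rhs.split(None, 1)[0].upper()
        if action in ("OK", "RELAY"):
            return ("accept", "access table: " + key)
        if action == "REJECT":
            return ("reject", "550 Access denied")
        if len(action) == 3 and action.isdigit():
            return ("reject", rhs)  # customised refusal message
    if is_listed(dnsbl_query_name(client_ip)):
        return ("reject", "550 Mail from " + client_ip + " refused by blacklist")
    return ("accept", "no local entry, not blacklisted")


if __name__ == "__main__":
    for name, ip in [("mail.partner.example", "198.51.100.7"),
                     ("mx.spamdomain.net", "203.0.113.9"),
                     ("unknown.example", "198.51.100.8"),
                     ("host.clean.example", "203.0.113.50")]:
        print(name, ip, decide(name, ip))
```

The first sample client is blacklisted but still accepted because of its `OK` entry, which is the override the comment relies on.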
-
Re:Hey Buddy, Wanna Buy a Watch?
Spud Zeppelin dun said:
Really, we shouldn't allow the medium to dictate our metaphor here: how is spam really all that different from someone approaching you on the street and asking "Hey buddy, wanna buy a watch?"
Well, among other things, it doesn't force me to store his offers for watches on private property, and it doesn't cost me money and/or labour costs to listen to him try to sell fake Rolexes, not to mention telling him to perform impossible acts of self-copulation with aforementioned watches. ;)
The same cannot be said of spam (including UCE). First off, the vast majority of sites with full-time Internet connections pay by the byte or by the hour (and, especially outside North America, a non-negligible number of home users, too; UUCP connections (where you HAVE to download all the mail) are still relatively common in Europe, Asia and South America, and are STILL some countries' only connection to the Internet (if memory serves, Mongolia's main ISP is UUCP-only, and this is also true for most African ISPs outside of South Africa and africa.net accounts), and people in most countries pay by-the-minute for phone calls period (incidentally, most countries also ban telemarketing--North America is one of the few places where it is legal--because it costs folks to receive it; this is also why junk faxes and telemarketing calls to cell-phones are illegal even in North America)...); the costs are often non-negligible, especially with the volumes of spam being sent (I did a quickie analysis around two years ago, which is posted here under the title "Spam By The Numbers"--this gives you a really good idea of the sheer amounts of crap that get sent to your local ISP daily if they aren't using specific block-lists like the MAPS-RBL list; nowadays it is also probably a very conservative estimate--with big mailspams on big ISPs, it can easily hit the gigabytes). This cost will, eventually, be passed on to the consumer-level (stuff like unlimited access being cut, or prices going up because they have to pay for the new RAID-5 array just to store all the spamaceous crap), so don't think you home users get away without paying the costs of spam.
Secondly, tracing down a source of a spam and getting them to stop spamming you is not exactly trivial. Spammers very commonly use throwaway accounts at freemail providers (and previously, AOL, Netcom and Compuserve accounts due to the sheer number of "free trial" CDs they would give out) and will obfuscate the hell out of headers (this is, in part, what the Washington bill was aimed at); not only that, they will often "relay-rape" servers, routing spam through insecure third parties' mail servers (there are a rather surprising number of these out there--Sun and SGI have notoriously insecure versions of Sendmail shipped with their programs, boxes in a lot of third-world countries and @Home boxes are insecure, and I won't even go into Windows mail daemons or mail daemons on old IBM mainframes--suffice it to say that spammers are the main reason most sites worth their salt don't relay mail anymore except for customers, and an increasing number won't even let you post mail without downloading mail first--Mindspring and Broadwing, among others, had to implement this). To make things even worse, spammers have over the years either set up shop at outright spam-friendly ISPs or at sites that couldn't be bothered to give a damn about net.abuse; at one point an entire backbone site on the 'net, Agis.net, had to be literally "IDP'd" (basically: many, many sites started refusing to share any traffic--not just mail and news, stuff like FTP and HTTP and the like) because AGIS hosted literally seven or eight of the worst spammer's havens on the Internet (including Sanford "SpamKing" Wallace's site, etc.) and refused to give them the boot after nearly EVERY other national-level ISP at the time HAD given them the Golden Boot. (Eventually AGIS did boot them and wrote up a strong, anti-net.abuse AUP. 
The AGIS boycott wasn't trivial--they were literally the third or fourth largest site on the net, many national-level ISPs had them as a primary or secondary network service provider, and they provided the only network service for a lot of sites including all of Alltel's Internet network.) And to make things even WORSE, many (if not most) spammers actually use "remove lists" or "do-not-spam" lists as actual confirm-lists for live addresses to spam; these lists are even bought and sold among spammers, and it is literally next to impossible to get one's address off one of these lists once they have been added on (about the only way I've found is for the email account itself to go dead).
It doesn't help that most of the folks in the "serial spamming" business--the hard-core folks-- are sociopaths (no, I am not making this up--most of them would actually be diagnosed as sociopaths). Sanford Wallace, for example, was in the junk fax business before he went to spamming--he is also widely regarded as being the person most responsible for junk faxes having been banned. Wallace is also almost singlehandedly responsible for most of the anti-spam AUPs in place, with a few other folks was largely responsible for getting AGIS "shunned" a few years back, and is almost singlehandedly responsible for nearly every anti-spam bill that has been proposed to a legislature worldwide. He finally got out of spamming when literally no ISP in North America would touch him with a 40-foot barge pole--and this, only AFTER he'd gotten AGIS IDP'd, been fined well into the millions of dollars for contempt-of-court charges, been literally banned by a Federal court in Ohio from sending mail to any customers of Compuserve, been banned by a Virginia judge from sending any mail to AOL customers, been fined by that judge for disregarding that order, paid well over US$300,000 in Internic charges for domains...this is the psychology we're dealing with. Sad individuals...
It's funny you should mention guys "selling watches", though. If he makes it a business as much as, say, most spammers do, just selling watches on the street is outright illegal in many areas. If it's over a certain volume, in many places he has to buy a specific business license. If he is found selling illegal goods (like, oh, counterfeit watches or selling adult material to under-18s or selling shares in a pyramid scheme or even selling stocks without a prospectus) they can lock him up and throw away the key.
Of note--the FTC has estimated that over 80% of all spams are for "fraudulent" and/or outright illegal schemes. Those that aren't are often adverts for adult sites which are of questionable legality for under-18's (and, depending on local ordinances, may be of questionable legality for anyone--for instance, adverts for marital aids and the sale of marital aids is illegal in Alabama and in a number of Southern counties).
In short, there are a lot of differences. You might visit CAUCE here, or spam.abuse.net for detailed info on the history of spamming and the real costs to Internet users. Those of you running Linux and *BSD boxen might want to in particular hit spam.abuse.net's info on securing your mail server, or hit Sendmail's web site which, along with the latest version, has extensive info on spamproofing your mail (including blocking open relays and spamaceous sites through the MAPS-RBL and stopping Bad Guys from relay-raping your server).
-
Re:Its not just you...
If I was a sendmail fan, I would tell you that "you're not supposed to edit the .cf file!" ... but I'm not; I prefer qmail.
-
I agree (with I disagree)
I agree with this guy.
- The Internet is a collection of computers and users who volunteer adherence to IP.
- The new Corporate Internet is migrating away from IP. As a result, it will not be peer-to-peer, and it will not be open, and it will not be (is not) reliable.
- Corporate networks appear to be DAMAGED (Dain Bramaged?) to traditional (good) IP hosts.
- IP routes around damage in the network. Check out the (RBL) evolution of the Internet's Killer App: email. This is a strong and specific example of the old-school Internet segmenting the new-school Pseudo-internet. The new school sues, and the RBL lives! Paul Vixie is free to write software and distribute it, and we are all (somewhat) free to run sendmail, preserving the usefulness of our email system.
- Like email, the rest of the real internet, loyal to our proven principles of good hosting, will simply fork off and let the Corpses rot in isolation.
-
Fighting Spam on Your Own
We'd probably all like to see spammers go to jail, lose their jobs and homes, and probably get their teeth knocked out, too. But until and unless there's a war-on-drugs level commitment to track down these criminal abusers, we have to do what we can by ourselves. I'd like to see an address in some crime investigation unit that you could forward spam to. The officials there would do the work of tracking down the criminal sender and then prosecuted to the fullest extent of the currently missing laws.
You can do a lot to fight spam. Junkbusters has a site devoted to getting these intrusions out of our lives. I've used their anti-junk snailmail system, and it really does work well. They've also got a nice page on stopping computer UBE crud, too.
Personally, I never hide my mail address. It's dishonest, and, technically, against the rules. My real address, tchrist@perl.com, is sitting right here in this message, on the header for this comment, and is also posted in a hundred thousand different places--if not more. But you know what? I don't see much spam. I auto-bounce at least fifty pieces of spam per day. And most days, not more than a couple make it through -- but only once.
Some of them get bounced using sendmail's anti-spam features. I'm a big fan of the Realtime Blackhole List, which sendmail can be configured to access.
Some spammage get bounced because the sender is on my own blacklist of forbidden addresses, which lately includes things like /\b\d+\.net/. Others are bounced because they look like spam, or because they're mime-encrypted. This is all taken care of by a custom receiving program, plus some other scripts to dynamically update the blacklist.
I don't automatically bounce mail that violates reasonable netiquette, but I do have a periodic posting about the idiotic Jeopardy mail.
And yes, now and then a few innocent men are sent to the gallows. This is the price we pay on the war against spam. If it's important, they'll figure out another way to mail me.
-
Re:No technical reason, it's just there
I disagree. While for the vast majority of people, there is no technical reason why sendmail should be preferred over other MTAs, there are cases where more obscure things need to be done and sendmail is simply the only functional choice.
I can do things with sendmail rewrite rules that are simply impossible (or at least *extremely* difficult) in other MTAs. This is why postfix is only 99% sendmail-compatible, since that last 1% is a killer.
Of course, sendmail *is* the best documented MTA in the world (it actually has two books written on the subject, Sendmail: Theory and Practice by Avolio and Vixie, and the definitive reference sendmail (now in its second edition) by Bryan Costales with Eric Allman).
Then there's the increased available online documentation, both the FAQ, and my own Sendmail Performance Tuning for Large Systems paper that I wrote and presented at SANE'98.
While perhaps not strictly a technical reason, available documentation (or the lack thereof) is a very strong motivating factor as to why many people choose to select particular products, SMTP MTAs included.
-
save the effort, don't do it.
Earlier today, this article on Slashdot talks about their financial involvement with Sendmail and the Mozilla Project, and the previous rumors about the acquisition of Cygnus turned out to be true.
Red Hat should save themselves a little bit of cash and make an investment into TrollTech and/or KDE instead. If Qt were GPL'd, there would no longer be any justification for using the less sophisticated GNOME over KDE for "philosophical reasons". KOffice would reign, and the savings could be applied toward the bottom line. "Red Hat in the black" (like SuSE) is a headline that has great appeal to serious stockholders.
Steam wears off quickly -- Netscape^H^H^H^H^H^H^H^HAOL is now taking handouts from Red Hat to keep Mozilla going, just a few short years after that promising IPO. WordPerfect (on its own) has already proven to be an unwise move, and their Windows and Mac software is just excess baggage. Those users won't switch to Linux, they'll switch to Macromedia/Adobe/Microsoft/et al. Novell sure couldn't leverage the WordPerfect name, I don't think the fedora is gonna sell many more copies...
-
Modern is good, but there's a legacy to support
I've asked RHAT folk about why they don't consider something like Postfix, SMAIL, or the likes. I'm using Postfix, and found it a remarkably easy install.
The problem with a transition is that there's a considerable body of anti-spam code that has been specifically written for Sendmail but not for the other mailers.
RHAT adopted some of the antispam code, and has promoted it to the body of users of Red Hat Linux.
Unfortunately for the notion of moving to a newer MTA, there is both:
- A forcible necessity to continue supporting sites that want to use Sendmail;
- A necessity to support the same antispam functionality they have already been supporting;
- The cost of supporting two MTA's at the same time.
-
Re:How can it not be Open Source?
This is because sendmail's license is based upon the BSD license. It specifically allows software to become closed.
I don't want to start a GPL vs BSD flame war here, but this is a good example of the possibilities of the BSD license.
--
-
What can you do to block spam? (and what I do)
Unfortunately, there are no really good ways to block spam, and the better ones require that you have access either to your main mail server or another mail server that can act as an intermediate. I'll assume that you don't have access to the mail server.
- procmail is by far the best way to filter your mail. You mentioned that procmail wasn't adequate; I would respond by saying: Recheck your procmail config. procmail is infinitely configurable by using regular expressions and having procmail run an external script or program for each incoming message. If you know Perl and can download the Net::SMTP module, have procmail fire a Perl script which contacts the originating mail server and attempts to verify the sender's address through VRFY or EXPN. This won't always work, however, because some (*&$%#^) mail servers aren't running a real MTA (sendmail, qmail, smail, etc) or are behind a firewall.
- Someone mentioned this already, and it's a good idea. Everything that doesn't have your specific email address in the To: or Cc: fields is suspect, except for mailing lists to which you may belong. Have procmail file those away in a separate folder for manual checking. This should be the default action; have procmail look first for mail from specific people, then perform your other checks (specific mailing lists, etc), then check for your address in the To: field, then everything else which doesn't match one of those criteria is suspect.
- As a final resort, you can rely on your MUA to filter messages as well. Some people like to do all the filtering at the MUA level; I'm not so sure I'm fully comfortable with this, because you are limited to the filters (or at least the filter-types) that your MUA has predefined. With procmail, you have access to regular expressions and can call external programs on your email messages, and I've never seen a MUA that allows you to do that. Perhaps sorting messages from particular users can be done in the MUA, after procmail flushes the ones that are not directly addressed to you. As an aside, the Netscape mail client lets you write mail filters in JavaScript, which has regular expression support, although it's not as intuitive or as powerful as the regexp support in, say, Perl.
What do I do? I use a combination of fetchmail, procmail, and some custom Perl scripts to sort my mail. By the time I get to it with my MUA (mutt rules), it has already been cleaned out quite a bit. I have a list of past spammers that gets checked each time a new message comes in from someone my scripts don't recognize or isn't addressed directly to me. It's a bit of work to set up at first, but it's easier in the long run. One thing I've been toying with is creating a database of good and bad addresses, which I can call through Perl scripts from the server to which my mail actually goes (I have several accounts, through school, work, and my ISP). The scripts, and procmail, would run on the individual server, contacting my workstation, which would hold the database (a perl-based server, running on some random port, with a specialized interface to the database).
By the way, if you do have access to a mail server, get the latest version of sendmail, which includes support for the Realtime Blackhole List (which someone already mentioned). It can reject mail based on the sender's originating IP address or domain, if they are known spammers. Very useful, although it can be a resource drain if you get a lot of mail or run a high volume mail server. I have a linux box on my desk which is my primary mail server, and I have all my email forwarded to that machine, which then checks the domains.
-
The @ in your email address or the http:// in your
Everybody knows
Apparently the people at Sendmail, Inc. and sendmail.org beg to differ. ... sendmail is GNU.
-
/etc/passwd is not a flat file on real systems
On many of the modern Unix variants, /etc/passwd is only a textual representation of a database file which holds the real user information. getpw*(3) uses this database file to access passwd data. This makes things way faster than it used to be, for example, on SunOS4, where ls(1) was written so stupidly that it scanned the (sequential) passwd file for every single uid lookup it needed to make. Typing "ls -l /home" on a SunOS system with like a thousand registered users was an invitation to get ahold of some (some!) coffee.
Speaking of today, FreeBSD uses a DB database to store passwd information (in fact, it has two databases, one with and one without passwords, for "security"). This speeds up lookups quite a lot, but beware: The DB files are still generated text files, so adding users with such huge user databases is a real pain.
The question is whether you actually want to create that many Unix user accounts. For mail servers, you can often get away better with creating mail accounts only. This requires some hackery with your friendly MTA (postfix, qmail, sendmail, exim or even smail), but it is quite doable and also has positive security side-effects.
Look into Cyrus imapd you need message store implementation which is able to handle mailboxes for users who don't have a unix login. Beware, Cyrus comes with a pretty tcl-based administration interface which you almost certainly want to replace by a bunch of home-grown perl scripts to automate administration.