Recipe 6.2 Preventing Local Users from Replying to Spammers

Problem

Some local users encourage spam by responding to spam emails. You have been asked to configure sendmail to stop the spammers and to stop those who encourage spam.

Solution

Before creating any user accounts, create an acceptable use policy that, among many other things, gives you the power to block spam communications, both inbound and outbound. Ensure that all users agree to this policy before giving out any user accounts.

Add the spam addresses you want blocked to the /etc/mail/access text file. Use To: and From: tags to prevent mail from being sent to spammers or from being accepted from spammers. Run makemap to build a hash database from the text file.

Create a sendmail configuration that enables the access database with the access_db feature. The required sendmail FEATURE command is:

 dnl Use the access database
 FEATURE(`access_db')

Rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail, as described in Recipe 1.8.

Discussion

By default, the access database applies to source addresses. The action defined in the database entry is taken based on the source of the email. Given the access database created for Recipe 6.1, mail from example.com, wrotethebook.net, and fake.ora.com is rejected, as the tests in that recipe show. For example, mail from anyone at example.com is rejected with an "Access denied" error. However, the access database from Recipe 6.1 does not prevent mail from the local host being sent to someone at example.com.

Adding the To: tag to an access database entry applies the action defined in the entry to recipient addresses that match the key, while the From: tag specifically requests that the action be applied to matching source addresses. Here is the access database from Recipe 6.1 rewritten with To: and From: tags:

 From:example.com          REJECT
 To:example.com            ERROR:5.7.1:550 Mail to this site is not allowed
 From:wrotethebook.net     ERROR:5.7.1:550 Invalid mail source
 To:wrotethebook.net       ERROR:5.7.1:550 Mail to this site is not allowed
 From:fake.ora.com         DISCARD
 To:fake.ora.com           ERROR:5.7.1:550 Mail to this site is not allowed

Because the action for the From:example.com entry is REJECT, mail from that site is rejected as shown in Recipe 6.1. With the addition of the To: entry, mail addressed to example.com is also rejected, as this test shows:

 # telnet localhost smtp
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
 HELO localhost
 250 chef.wrotethebook.com Hello IDENT:UWSRv+Jij66J8vALUBVBECbGPVoU8OQe@localhost [127.0.0.1], pleased to meet you
 MAIL From:<craig@chef.wrotethebook.com>
 250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
 RCPT To:<crook@example.com>
 550 5.7.1 <crook@example.com>... Mail to this site is not allowed
 QUIT
 221 2.0.0 chef.wrotethebook.com closing connection
 Connection closed by foreign host.

Care must be taken when blocking outbound mail. Local users expect to be able to communicate with anyone, and they do not want you deciding who they can and cannot talk to. An AUP that gives you this authority is essential before you take any action. Be prepared for complaints no matter what the AUP says.


Alternatives

The blacklist_recipients feature is an alternative way to block outbound mail to known spammers. The blacklist_recipients feature applies every untagged entry in the access database to recipient addresses. The following lines added to the sendmail configuration enable the access database and apply the database to recipient addresses:

 dnl Use the access database
 FEATURE(`access_db')
 dnl Also apply the access database to recipient addresses
 FEATURE(`blacklist_recipients')

The blacklist_recipients feature works well, and it is very easy to use. However, because it applies to every untagged entry in the access database, it does not provide the level of configuration control provided by the To: tag. Additionally, tags are self-documenting. Anyone looking at the sample access database just shown understands that mail to example.com is not allowed when they see the To: tag and the error in the action field.
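As an added example (not code from the book), the following shell function audits an access text file and reports, for each blocked key, whether the block covers inbound mail (From:), outbound mail (To:), or both, and lists untagged entries, which are the ones blacklist_recipients would also apply to recipients. The sample data is constructed from this recipe's table; the untagged example.org entry and the omission of To:wrotethebook.net are assumptions made for contrast.

```shell
#!/bin/sh
# Added example: audit which direction each blocking access entry covers.
# SAMPLE is constructed from this recipe's table; the untagged example.org
# line and the missing To:wrotethebook.net entry are made up for contrast.
SAMPLE='# constructed sample access file
From:example.com          REJECT
To:example.com            ERROR:5.7.1:550 Mail to this site is not allowed
From:wrotethebook.net     ERROR:5.7.1:550 Invalid mail source
From:fake.ora.com         DISCARD
To:fake.ora.com           ERROR:5.7.1:550 Mail to this site is not allowed
example.org               REJECT'

# audit_access [FILE]: read an access text file (or stdin) and print
# "key scope" for every key that carries a blocking action.
audit_access() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
    $2 !~ /^(REJECT|DISCARD|ERROR:)/ { next } # keep only the blocking actions used here
    {
        key = tolower($1)                     # makemap folds keys to lower case by default
        if (key ~ /^from:/)        { sub(/^from:/, "", key); from[key] = 1 }
        else if (key ~ /^to:/)     { sub(/^to:/, "", key);   to[key] = 1 }
        else if (key ~ /^[a-z]+:/) { next }   # other tags are outside this audit
        else                       { untagged[key] = 1 }
        seen[key] = 1
    }
    END {
        for (k in seen) {
            if (untagged[k])           s = "untagged"   # recipient scope depends on blacklist_recipients
            else if (from[k] && to[k]) s = "both"
            else if (to[k])            s = "outbound-only"
            else                       s = "inbound-only"
            print k, s
        }
    }' "$@" | sort
}

printf '%s\n' "$SAMPLE" | audit_access
```

To audit the live file, pass its path as the argument: audit_access /etc/mail/access.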

See Also

Chapter 3 and the Introduction to this chapter provide more information about the access database. The sendmail book covers the access database in Section 7.5 and the blacklist_recipients feature in 7.5.5. The Anti-Spam Configuration Control section of the cf/README file also covers this topic.



Sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
