System Administration: Fighting Spam 
As an internet user you have to deal with spam daily; I myself always have the SPAM mail directory filled and ready to empty. It's something that most of us are now used to and try to deal with the best way we can.
If you're a system administrator, however, spam isn't a problem you simply have to deal and live with, it's a problem you have to fight against!
Making sure that every SMTP server on your network is correctly configured so that spammers cannot abuse it, that none of your hosts has been compromised and is running a rogue SMTP server, and finding a way to keep spam from reaching your users: definitely a nightmare.
In this article I'll try to give you some tips on how to get better results fighting spam. I only have some experience in these matters with sendmail and qmail SMTP servers, so I'll only be referring to those. The general ideas work for every server, though, and you only have to google for the one you use.
Here's a list of what I'm going to talk about:
- Enabling authentication in SMTP
- Finding if you have open relay enabled
- Configuring relay
- Blacklists
- How to report spam abuses
- SpamAssassin
- Final notes
1. Enabling authentication in SMTP
You should enable authentication (SMTP AUTH) in your SMTP server so that only authorized users can send mail through it. This measure reduces the risk of spammers using your server to send spam. Two caveats: offer authentication only over an encrypted connection (STARTTLS, or the submission port 587 with TLS), because the PLAIN and LOGIN mechanisms send the password in the clear, and remember that authenticated relaying is only as good as your users' passwords, so a guessed or phished account becomes a spam source of its own.
Besides the server-side configuration, all the users have to configure their MUA (mail client) to authenticate when sending mail. But that's really no big deal!
1.1 Enable authentication for sendmail:
At first I thought about writing the complete step-by-step configuration, but why rewrite something others have already written? Here's a nice Sendmail auth configuration step by step written by the sendmail team.
1.2 Enable authentication for qmail:
Qmail configuration is the tricky one, since you actually have to patch qmail-smtpd. Here is the walkthrough to install it, along with other patches as well.
2. Finding if you have open relay enabled
You can check whether your SMTP server is an open relay by connecting to port 25 with nc (or telnet) from a host outside your network and, after giving the HELO (or EHLO) and MAIL FROM, issuing a RCPT TO with an address at a domain your server doesn't host. If it's accepted, you have an open relay. If the request is denied, you probably have it correctly configured. Two details matter: run the test from outside, because a connection from localhost or from an address you legitimately relay for will be accepted and tells you nothing, and don't continue with DATA; send RSET and QUIT so no message is actually delivered. Some servers only reject at or after DATA, so a single RCPT TO is not conclusive.
Anyway, I guess the best way is to use an application that tests the server more extensively; you can use the Open Relay Test, which is a nice tool for this purpose.
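The manual check above, written out as a small probe and run against a simulated SMTP server so it can be exercised offline. This is an added example, not code from the original article or from any of the tools it links to. The fake server is constructed for the example and models the qmail-smtpd relay decision described later in this article: a RCPT TO is accepted when the recipient domain is listed in rcpthosts or when RELAYCLIENT is set for the connecting client, and if rcpthosts does not exist at all (None here) every recipient is accepted, which is an open relay. The host names and mailboxes (example.com, example.net, example.org) are placeholders.

```python
"""Open-relay probe, exercised against a simulated SMTP server (added example)."""
import socket
import threading

PROBE_RCPT = "relaytest@example.org"   # a domain the tested server does NOT host


def send_line(wfile, line):
    wfile.write((line + "\r\n").encode())
    wfile.flush()


def read_reply(rfile):
    """Read a possibly multi-line reply ('250-...' continuation lines) and return its code."""
    while True:
        line = rfile.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != "-":          # the last line of a reply has a space after the code
            return int(line[:3])


def fake_smtpd(sock, rcpthosts, relayclient=False):
    """RCPT-policy-only SMTP server, constructed for the example (qmail-smtpd-like rules)."""
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    send_line(wfile, "220 mx.example.net ESMTP")
    for raw in rfile:
        verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            send_line(wfile, "250 mx.example.net")
        elif verb == "MAIL":
            send_line(wfile, "250 ok")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            # RELAYCLIENT bypasses rcpthosts; a missing rcpthosts accepts everything.
            if relayclient or rcpthosts is None or domain in rcpthosts:
                send_line(wfile, "250 ok")
            else:
                send_line(wfile, "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)")
        elif verb == "RSET":
            send_line(wfile, "250 flushed")
        elif verb == "QUIT":
            send_line(wfile, "221 mx.example.net")
            break
        else:
            send_line(wfile, "502 unimplemented (#5.5.1)")
    sock.close()


def probe_relay(sock, helo="probe.example.com", sender="probe@example.com", rcpt=PROBE_RCPT):
    """Run the manual test over a connected socket and return the RCPT TO reply code."""
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")

    def cmd(line):
        send_line(wfile, line)
        return read_reply(rfile)

    read_reply(rfile)                 # 220 banner
    cmd(f"EHLO {helo}")
    cmd(f"MAIL FROM:<{sender}>")
    code = cmd(f"RCPT TO:<{rcpt}>")   # this reply is the verdict
    cmd("RSET")                       # never send DATA: no message is delivered
    cmd("QUIT")
    return code


def is_open_relay(rcpthosts, relayclient=False):
    """True if the simulated server accepts RCPT TO for a foreign domain (2xx reply)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_smtpd, args=(server, rcpthosts, relayclient))
    t.start()
    try:
        code = probe_relay(client)
    finally:
        client.close()
        t.join()
    return 200 <= code < 300


if __name__ == "__main__":
    print("rcpthosts missing        ->", is_open_relay(None))                          # open relay
    print("rcpthosts present        ->", is_open_relay({"example.net"}))               # closed
    print("probe from RELAYCLIENT   ->", is_open_relay({"example.net"}, relayclient=True))
```

The third case is why the probe has to be run from outside your network: a client that is allowed to relay gets a 250 even on a correctly configured server, so the result says nothing about what a spammer on the internet would see. Against a real server you would connect a TCP socket to port 25 and hand it to probe_relay unchanged.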
3. Configuring relay
If you're using sendmail you can easily configure which domains you accept relaying for with the configuration_dir/relay-domains file (usually /etc/mail/relay-domains). Each line holds one domain: mail addressed to those domains is relayed, and hosts in those domains are allowed to relay through you. Note that domains your server delivers locally belong in local-host-names, not here. Imagine that your server handles the mail of 3 domains, domain1.com, example.net and pabrantes.net; it would look like this:
domain1.com
example.net
pabrantes.net
Qmail configuration is similar in everything except the file's name: in qmail it's called rcpthosts (in the control directory, usually /var/qmail/control). The syntax is the same, one domain per line, and the listed domains are the ones qmail-smtpd accepts RCPT TO for. Two qmail details matter here: if rcpthosts doesn't exist at all, qmail-smtpd accepts mail for every domain, so you are an open relay, and relaying for your own clients is granted by setting the RELAYCLIENT environment variable for their IPs in the tcpserver rules (tcp.smtp), not by listing them in rcpthosts.
4. Blacklists
Blacklists are lists of servers or client IPs that have been distributing spam. Using them is helpful to deny traffic from known spammers; most are published as DNS blacklists (DNSBLs), which sendmail can query with FEATURE(`dnsbl') and qmail with rblsmtpd from ucspi-tcp. There are plenty of blacklists out there; the open relay database is a directory with dozens of them. Keep in mind that blacklists have false positives, so reject at SMTP time, where the sender at least gets a bounce, rather than silently discarding.
Classifying certain hosts or even senders as dangerous and blocking them might be a bold action, but sometimes it's what is really needed. You can reject them in sendmail using the access file (/etc/mail/access, compiled into access.db with makemap). Each rule in this file is a line of the form target action, separated by whitespace.
Target can be:
- a domain name (matched against the full name and then its parent domains)
- an IP address, or its leading octets to match a whole network
- an e-mail address, or user@ to match a local part
Any of these can be prefixed with Connect:, From: or To: so the rule applies only to the connecting host, the envelope sender or the envelope recipient. The lookup goes from the most specific key to the least specific, and the first hit wins.
Action can be:
- OK
- REJECT
- RELAY
- an SMTP error code followed by a message (e.g. 550 No spam accepted here)
If you prefer, you can also use the access file to configure your relays (target RELAY) instead of using the relay-domains file.
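To make the target and action rules above concrete, here is an added example (not sendmail's own code, and deliberately a simplified model of its lookup) that parses rules written in the access-file form and decides sample envelopes with them. It shows the specificity walk: an IP is tried with trailing octets dropped one at a time, a domain with leading labels dropped, and an address as the full address, then its domain, then user@. The rules, client IPs and mailboxes are all constructed for the example, and real sendmail has more actions (DISCARD, SKIP) and more involved precedence than shown here.

```python
"""Sendmail access-file lookup as a simplified model (added example, not sendmail's code)."""

SAMPLE_ACCESS = """\
# constructed sample /etc/mail/access (compile with: makemap hash access < access)
Connect:192.0.2                 REJECT
Connect:10.1.1.25               RELAY
From:spammer.example            550 We do not accept mail from spammer.example
From:friend@partner.example     OK
To:example.net                  RELAY
To:pabrantes.net                RELAY
"""

LOCAL_DOMAINS = {"domain1.com"}      # what local-host-names would hold (assumed)


def parse_access(text):
    """Return {lower-cased target: action} from access-file text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, action = line.split(None, 1)
        rules[target.lower()] = action.strip()
    return rules


def ip_keys(ip):
    """192.0.2.10 -> 192.0.2.10, 192.0.2, 192.0, 192 (most specific first)."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def domain_keys(domain):
    """mail.spammer.example -> mail.spammer.example, spammer.example, example."""
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def address_keys(address):
    """bob@spammer.example -> the full address, its domain keys, then bob@."""
    local, _, domain = address.lower().rpartition("@")
    return [address.lower()] + domain_keys(domain) + [local + "@"]


def lookup(rules, tag, keys):
    """First hit wins; at each specificity level try the tagged key, then the untagged one."""
    for key in keys:
        for candidate in (f"{tag}:{key}", key):
            if candidate in rules:
                return rules[candidate]
    return None


def interpret(action):
    """Map an action column value to (verdict, smtp_reply)."""
    if action == "REJECT":
        return "reject", "550 5.7.1 Access denied"       # sendmail's default REJECT text
    if action.startswith("ERROR:"):
        action = action[len("ERROR:"):].strip()
    if action[:3].isdigit():                             # "550 some message" form
        return "reject", action
    return action.lower(), None                          # "ok" or "relay"


def decide(rules, client_ip, mail_from, rcpt_to, local_domains=LOCAL_DOMAINS):
    """Decide one envelope: returns (verdict, reply) the way the rules would."""
    relay_ok = False
    checks = (
        ("connect", ip_keys(client_ip)),
        ("from", address_keys(mail_from)),
        ("to", address_keys(rcpt_to)),
    )
    for tag, keys in checks:
        hit = lookup(rules, tag, keys)
        if hit is None:
            continue
        verdict, reply = interpret(hit)
        if verdict == "reject":
            return verdict, reply
        if verdict == "relay":
            relay_ok = True      # From: RELAY is trivially forged; prefer Connect: or To: rules
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    if rcpt_domain in local_domains or relay_ok:
        return "accept", "250 2.1.5 Recipient ok"
    return "reject", "550 5.7.1 Relaying denied"


if __name__ == "__main__":
    rules = parse_access(SAMPLE_ACCESS)
    print(decide(rules, "192.0.2.10", "x@elsewhere.example", "u@domain1.com"))      # network REJECT
    print(decide(rules, "198.51.100.7", "bob@mail.spammer.example", "u@domain1.com"))  # parent domain hit
    print(decide(rules, "198.51.100.7", "alice@elsewhere.example", "u@example.org"))   # relaying denied
    print(decide(rules, "10.1.1.25", "alice@elsewhere.example", "u@example.org"))      # Connect: RELAY
```

The second case is the one to notice: a rule for spammer.example also catches mail.spammer.example, because the lookup strips leading labels until it finds a key, so one line covers a whole domain tree.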
5. How to report spam abuses
If your network is being targeted by spam, don't just block them, report them! A whois on the IP address that delivered the spam will probably show you an abuse contact e-mail; take that IP from the Received: header added by your own server, since the From: address and its domain are usually forged. Send them the spam complete with its full headers. Unfortunately that action by itself sometimes isn't enough, so report also to Abuse.net; they'll apply more pressure!
6. SpamAssassin
Definitely one of the most well-known applications is SpamAssassin, a powerful spam filter developed by the Apache Software Foundation. SpamAssassin can be integrated with most SMTP servers, which of course includes sendmail and qmail. Here are some links that you may find useful:
But SpamAssassin is not the only application out there to help you fight spam. There are now, for example, commercial firewalls (like the ones from Barracuda Networks) that filter out spam.
7. Final notes
Since I'm focusing on sysadmins and spam, I want to make a final warning.
Spammers also use proxies to hide themselves, so if you have web servers on your network make sure they aren't configured as open proxies.
If you use Apache with mod_proxy, check that the ProxyRequests directive is set to Off in your httpd.conf. ProxyRequests On turns Apache into a forward proxy for anyone who can reach it; it is not needed for reverse proxying with ProxyPass, and if you really do need a forward proxy, restrict who may use it inside a <Proxy *> block.
But a better way to see if your web server is configured as an open proxy is to use Samair's online proxy checkers; they work with any web server and you don't have to check the configuration (unless you have to reconfigure it after seeing it's an open proxy).
I hope you have found this a useful reference to secure your network one step further.