
Controlling e-mail spam

Fortunately, blocking mailed spam is getting easier - see CIAC bulletin I-005. You can do one of two different things. The first is straightforward and works well for all but the biggest sites: block access to your SMTP port so it can't be used to inject spam (several MTAs, including sendmail, exim and qmail, can use the Mail Abuse Protection System's Realtime Blackhole List to block spam domains -- see the usage instructions). The other is to block spam from traversing your system. This is more difficult because older mailers don't give you a good way to look at the originating address. The Transport Security Initiative is also part of the MAPS project.

TCP Wrapper and SMAP

You block your SMTP port by turning off your mailer's SMTP daemon mode and running it from inetd instead. If your tcpd is built with PROCESS_OPTIONS, then rather than simply rejecting calls at the TCP level you may prefer to use the twist option to run a command that rejects the call at the SMTP level.
If you combine this with running smap from the TIS Firewall Toolkit, your configuration looks something like this:

In /etc/inetd.conf:

smap	stream	tcp	nowait	root	/usr/local/etc/tcpd	smap

In /etc/hosts.allow if PROCESS_OPTIONS is defined:

smap : badsite.com .badsite.com ppp.qqq.rrr.0 : DENY

otherwise, in /etc/hosts.deny:

smap : badsite.com .badsite.com ppp.qqq.rrr.0

In /usr/local/etc/netperm-table:

smap, smapd:            userid 32
smap, smapd:            directory /var/spool/smap
smapd:                  executable /usr/local/libexec/smapd
smapd:                  sendmail /usr/sbin/sendmail

This is a sample; your exact paths will vary. This combination is very powerful, and prevents badsite.com or anyone in the Internet range ppp.qqq.rrr.0 from accessing your SMTP server. Be aware, though, that this could load your mail server down: it runs a separate process for each incoming mail message. If your server is small relative to your load, you should investigate one of the other techniques listed here.
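To check that a hosts.allow rule such as the smap line above actually covers the hosts you intend, here is an added example (not code from the page or from tcp_wrappers) that evaluates rules against a connecting client using the client-pattern forms from hosts_access(5): an exact name or address, a ".domain" suffix, an "n.n.n." address prefix, "net/mask" and ALL. The rule text and the 203.0.113.x / 198.51.100.x addresses are constructed; note that tcp_wrappers treats a trailing-dot prefix ("203.0.113.") as a network, whereas an address written in full is an exact match.

```python
"""Evaluate tcp_wrappers-style hosts.allow rules (added example, assumption:
host name matching is done on a name the caller already resolved)."""
import ipaddress

# Constructed sample modelled on the page's smap rule (PROCESS_OPTIONS build).
HOSTS_ALLOW = """\
# daemon : client list : option
smap : badsite.com .badsite.com 203.0.113. : DENY
smap : 198.51.100.0/255.255.255.0 : DENY
"""


def parse_rules(text):
    """Return [(daemons, client_patterns, option)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2].upper() if len(fields) > 2 else "ALLOW"
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, hostname, addr):
    """One client pattern against the client's resolved name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):               # domain suffix, e.g. .badsite.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):                 # address prefix, e.g. 203.0.113.
        return addr.startswith(pattern)
    if "/" in pattern:                        # net/mask, e.g. 198.51.100.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern in (hostname, addr)        # exact host name or address


def decide(rules, daemon, hostname, addr):
    """First matching rule wins, as in tcp_wrappers. With no match in
    hosts.allow and no hosts.deny consulted here, access is granted."""
    for daemons, clients, option in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(p, hostname, addr) for p in clients):
            return option
    return "ALLOW"
```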

Craig Hagan has contributed a method for blocking third-party relaying with smap. Spammers often use third-party relaying to distribute spam via an intermediary party's mailer; using this routine, you can prevent your mailer from being misused that way. Spammers are increasingly relaying because the other blocking techniques are making it harder for them to reach their targets directly.

Blocking by MTAs

A number of Mail Transfer Agents (MTAs) provide techniques to reduce spam. They can block mail from known spammers and spam sites, stop your site being abused by them as a relay, etc. Here is a list of some of the techniques, sorted by MTA.

  • [sendmail]: Eric Allman (the author of sendmail) has started to publish some information on spam blocking and will be formalising it in a future release.
  • [sendmail]: sendmail MTAs which accept SMTP email from currently active POP clients should read the details of POP-before-SMTP, or an alternative, to avoid spurious relaying.
  • [sendmail 8.6.12, 8.7.3 or 8.8.2]: Axel Zinser has patches for blocking spam. Axel's patches allow blocking spam during the SMTP transaction phase.
  • [sendmail]: xmission.com have their own sendmail.cf rules to cause mail from a named site to be returned to sender.
  • [sendmail 8.8.2 and 8.8.3]: Wolfgang Rupprecht has supplied a routine using check_compat that can be used to block spam mail or prevent all third-party relaying.
  • [sendmail]: Pete Ashdown has contributed a procedure for dropping spam mail. His procedure accepts the SMTP mail and then drops it during the delivery phase.
  • [sendmail 8.8.2 and later]: Claus Aßmann has put together a very detailed write-up of using the check_* routines.
  • [sendmail + compatibles]: Christian Alice Scarborough's perl5 package splam-2.0 (formerly called `ignore-spam').
  • [sendmail + compatibles]: Ian Leicht's PERL5 package the NAGS Spam Filter can reject spam mail automatically, sending a rejection letter with details of how to get past the block.
  • [sendmail]: another example of how to block spam
  • [sendmail]: spamshield actively manages the filtering for you.
  • [sendmail]: A Sendmail patch to capture spam by regular expression
  • [sendmail]: The OpenISP package has a spam control and monitoring system for sendmail.
  • [sendmail]: Dansie Spam Net is a commercial score-based filtering system for sendmail with perl. It is web-manageable and so suitable for hosted e-mail environments.
  • [Sendmail]: SMTPblock parses your UNIX mail log looking for smtp relays. When a new relay is detected, Smtpblock performs a series of tests to determine if the remote host allows the relaying of third party mail. If the remote host relays third party mail, Smtpblock will call external shell scripts to create a firewall rule which blocks access to the local host's SMTP port and/or update a database for sendmail to perform RFC 822 pattern matching against.
  • [Sendmail]: ScanMail is a commercial general mail filter package, useful for spam and viruses.
  • [Sendmail]: PureMessage (formerly PerlMx) is a complete email filtering system for spam protection, virus protection, and corporate policy enforcement. PureMessage provides flexible control over the security and usage of any corporate email system at the gateway level.
  • [Sendmail]: E-mail Processing Agent is a mail server software add-in that controls incoming and outgoing, Internet and intranet e-mail to eliminate 100% of unwanted e-mails (including "spam").
  • [sendmail/rbl]: See the RBL usage instructions for how to configure sendmail.
  • [Sendmail]: Get and contribute to an /etc/mail/access file for sendmail.
  • [Sendmail]: MailCorral filters all email messages delivered via sendmail to eliminate viruses and spam. Spam identification is handled by plug-in identifiers. Viruses and spam are sidelined in a holding area. Daily notification of held mail is sent to the recipients who can easily release what they wish to see.
  • [Sendmail]: Milter-greylist is a sendmail milter that implements "greylisting" - refusing mail from never-before-seen hosts with a temporary failure. Legitimate mailers requeue and retry the message, while much spamware does not.
  • [Sendmail]: The greylisting paper discusses greylisting in detail and provides a perl-based sample implementation of a sendmail milter.
  • [exim/rbl]: If you can change your mailer from (e.g.) sendmail but need to keep the mailbox format (etc.) unchanged, you may care to look at exim (overview), which is a `drop-in replacement' for sendmail and a `next generation' smail; it can use the MAPS RBL to block spam domains from version 1.735.
  • [smail]: Since 3.2.0.95, smail can restrict which addresses can relay email, e.g. `smtp_remote_allow = 194.64.4.*:194.163.56.*'
  • [qmail/rbl]: If you can completely change the way email is processed, you may care to look at qmail. There is info on how to use rbl. There is a suitable database of filters, and some BETA patches to 1.01 to incorporate procmail filtering at the SMTP acceptance stage.
  • [qmail]: Mikio Okawa's dynamail is a package for qmail that allows ordinary users to create temporary, access limited e-mail addresses.
  • [qmail]: SPAMbaffle is spam filtering software which can be set up either by individual users on a Qmail system, or by the system administrator. It filters based on email headers, the message body, and the MIME types or filenames of attachments, and can either drop or bounce messages that it catches, with customized bounce messages.
  • [postfix]: Postfix, by Wietse Venema, installs with relaying and volume controls set to sane values by default; is under very active development to make controls for relaying easy to set correctly if the default values won't do, and difficult to set in such a way as to allow unauthorized relaying; and is supported by an extremely active users' mailing list (including active participation by Venema) that's extremely anti-spam.
  • [zmailer]: There is a patch for Zmailer 2.99.45 which implements flexible policy-based SMTP filtering. It is very useful against spam and third-party relaying. If you are using 2.99.49 or later, these patches are not needed.
  • [PMDF]: E.vanRhee@co.hvu.nl says that to block mail from hotmail.com, you need to edit the mapping file PMDF_TABLE:MAPPINGS (for VMS) or /pmdf/table/mapping (for Solaris and Digital Unix), e.g.

        SEND_ACCESS
                *|*@hotmail.com|*|*    $N
                *|*|*|*@hotmail.com    $N

  • [PMDF]: As well as rejecting e-mail (at the SMTP or TCP level) from rogue sites, pmdf (from Process Software, available for VMS, Digital UNIX and Solaris) can be told only to allow a certain percentage of incoming calls from specified sites, providing some protection from mail floods.
  • [MMDF]: Ed Hew's write-up on refusing email
  • [PP AKA Isode Internet/X.400 Message Switch]: Details of how to block spam and relaying can be found in IC-1103 Administrator's Guide: Message Handling Services.
  • [Macintosh]: It has been reported that CommuniGate and Stalker Internet Mail Server from Mill Valley, Calif.-based Stalker Software Inc. and the newly shipping Eudora Internet Mail Server 2.0 from San Diego-based Qualcomm Inc. can prevent spam relaying.
  • [Microsoft Exchange]: GFI MailEssentials is a server-based anti-spam & email management solution for Microsoft Exchange Server and other mail servers.
  • [Microsoft Exchange]: Open Relay Filter is a tool that prevents relaying through Microsoft Exchange servers.
  • [Microsoft Exchange]: MSExchange.org is a site with anti-spam information for MS Exchange administrators.
  • [Microsoft Exchange]: SpamSafe is an anti-spam engine that uses regular expressions for SMTP / Exchange Server for Windows 2000.
  • [Microsoft Windows NT]: DynaComm i:mail is a mail filtering and blocking product for Microsoft Windows NT-family (NT, XP or 2000) systems.
  • [Microsoft Windows 2000 or XP]: RelayWatcher RBL plugs in to Windows 2K/XP mailserver and sends open relay information to a centralized database to be used for a DNS-based BL (blocklist).
  • [Microsoft Windows]: Spam Manager Server Professional is a server based SMTP gateway solution to reduce the number of incoming spam or "junk mail" messages reaching a mail server.
  • [Microsoft Windows]: Megaphat Philter is a Windows server-based product which uses DNSBL technology to block blacklisted spam.
  • [Microsoft Windows]: Macallan Mail Solution is a Mail Server for Windows XP/2K that can determine the spam originator and send a mail to the organization that has been abused by the spammer.
  • [smtpd]: Obtuse's smtpd/smtpfwdd is an smap replacement which allows filtering.
  • [Netscape Messaging Server]: Aleksander Adamowski has a HOWTO on implementing RBL in Netscape Messaging Server 4.
  • [Any]: The Spamhaus Project runs the SBL, a DNS-based blocklist that can be integrated into virtually any modern mailer, and ROKSO, a listing of repeat/unrepentant spammers.
  • [Any]: BlackMail (old) can be used if your MTA cannot be made to filter -- it sits between your MTA and the outside world.
  • [Any]: MailShield is a commercial program which blocks spam and relaying, and works with your current mail server.
  • [Any]: Declude JunkMail offers spam control for mail servers, including heuristic spam detection, and can be configured separately for each domain or user.
  • [Any]: Postini is an Application Service Provider (ASP) with a range of high-reliability e-mail services, including spam and virus filtering.
  • [Any]: Spamido is a technique using procmail and spamtrap addresses to afford some local protection against spam runs.
  • [Any]: blq is a tool for querying DNS blocklists (BLs) from the UNIX command line, useful for figuring out why mail is bouncing.
  • [Any]: Meridius Mail Relay is a dedicated mail server appliance with anti-relay and spam-blocking features.
  • [Any]: SpamFilter is a proxy with simple DNS blocklist functionality that works with your existing mailserver.
  • [Any]: Internet Sheriff is a network traffic management system that includes "intelligent" spam filtering.
  • [Any]: Junk Proof Mail provides a front-line mail exchanger, filtering spam before it gets to your mail server.
  • [Any]: Extensible Messaging Platform is a commercial SPAM filtering firewall server application. Protects SMTP mail servers from Internet SPAM, e-mail-borne viruses (including dangerous auto-launch viruses) and other objectionable content. Filters mail using complex contextual signatures (not simple keyword lists).
  • [Any]: Singlefin is a provider of e-mail protection services, specializing in spam filtering, anti-virus protection, attachment blocking, policy filtering, store-and-forward service, as well as detailed reporting.
  • [Any]: Mirapoint provides email security through intelligent anti-spam and anti-virus filtering with end user controls as to how to handle spam.
  • [Any]: Brightmail Anti-Spam blocks spam for corporate customers and service providers, using accurate, effective and patented spam fighting technology.
  • [Any]: CleanMessage can safely remove up to 98% of incoming spam so that it never reaches your inbox. Their SpamCheck Module protects against corporate productivity loss, infrastructure consumption, and liability resulting from unsolicited commercial email overload.
  • [Any]: SpamRejection.com provides a comprehensive money back guaranteed spam filtering service for domains. With no hardware, software or maintenance required, this service is for organizations that prefer to outsource spam filtering for their domains.
  • [Any]: Sender Policy Framework (SPF) is a mechanism for identifying authorized outgoing mailhosts for a domain. It doesn't really address spam directly; it is an attempt to stop domain forgery.
  • [Any]: ITA Secure Messaging Server is a multi-pronged spam detection and filtering system for enterprises and ISPs.
  • [Any]: ASSP is a mail proxy system for multiple mail servers on multiple platforms.
  • [Any]: SublimeMail is a domain-level spam filter preventing spam from reaching end users' mailboxes. There is no software or hardware to install. Simply point MX records to their server and their filters will eliminate up to 97% of all inbound spam.
  • [Many]: BlackHole works with Qmail, Sendmail, Postfix, Exim or Courier and does general mail filtering as well as spam and virus blocking.
  • [Many]: SpamAssassin can be installed by administrators on a site wide basis; it works with SendMail, qmail, Postfix, MIMEDefang and other tools.
  • [Many]: Hexamail Guard is a server side filtering tool that works with various Windows and Linux mail server packages.
  • [Many]: CanIt is a UNIX mail server filtering tool which traps suspected spam for review.
  • [Many]: InboxLock is available as a standalone network appliance and email server software for the enterprise.
  • [Many]: Scanmail for UNIX is a program that blocks spam by keywords, phrases, addresses, IP addresses and networks.
  • [Many]: Singlefin comprehensive message management is an external filtering solution.
  • [Many]: Project UCEPROTECT is a spamtrap-driven blacklist and commercial (UNIX) blocking software.
  • [Many]: Trimmail network appliance filters spam, dangerous content, and protects your e-mail server from being used as an open relay by junk mailers.
  • [Many]: TMDA is an open source software application designed to significantly reduce the amount of spam (Internet junk-mail) you receive. It is a UNIX-based Message Delivery Agent; it does not work with Windows.
  • [Many]: ClearMX filters, stops and eliminates 99.9% of unwanted email and viruses before they reach your network. Free 15 Day Trial. Free Setup.
  • [Many]: VircoM's Modus3 anti-spam solution catches 98.2% of spam and delivers 99.99% protection against false positives.
  • [Many]: SpamCannibal is a perl-based tarpitting tool for Linux users.
  • [Many]: OpenRBL is a site for looking up IP addresses against multiple DNSBLs at once. It is not a DNSBL itself.
  • [Many]: MailScanner is a spam and virus scanner for various UNIX mailers.
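The greylisting technique described in the Milter-greylist and greylisting-paper items above, as an added example that is neither the page's nor milter-greylist's code: a first-seen (client network, sender, recipient) triplet gets a temporary SMTP failure, and a retry after the delay is accepted and remembered. The delay, window and auto-whitelist lifetimes are assumptions, and the client is keyed by its /24 so that a mail farm retrying from a neighbouring host still matches (a common refinement, also an assumption here).

```python
"""Minimal greylisting policy (added example). A clock callable is injected
so behaviour can be checked without waiting for real time to pass."""
import ipaddress
import time

GREYLIST_DELAY = 5 * 60        # assumption: retry must come at least 5 min later
GREYLIST_WINDOW = 4 * 3600     # assumption: a retry later than 4 h starts over
AUTOWHITE_TTL = 36 * 3600      # assumption: accepted triplets bypass greylisting 36 h

TEMPFAIL = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "OK")


class Greylist:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}      # triplet -> time first seen
        self.passed = {}       # triplet -> time last accepted

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Key on the client's /24 and case-folded addresses so a legitimate
        # retry from a sibling MX with different address case still matches.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient):
        """Return (smtp_code, text) for one RCPT TO on an SMTP session."""
        now = self.clock()
        key = self.triplet(client_ip, sender, recipient)
        # Auto-whitelist: once a triplet has proven it retries, let it straight in.
        if key in self.passed and now - self.passed[key] < AUTOWHITE_TTL:
            self.passed[key] = now
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > GREYLIST_WINDOW:
            self.pending[key] = now           # never seen (or stale): start the clock
            return TEMPFAIL
        if now - first < GREYLIST_DELAY:
            return TEMPFAIL                   # retried too soon, keep waiting
        del self.pending[key]                 # retried after the delay: accept
        self.passed[key] = now
        return ACCEPT
```

Spamware that never retries after the 451 never gets its message delivered, while an RFC-compliant mailer queues and retries, which is the whole effect the page describes.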

Scott Hazen Mueller