
SolutionBase: Take advantage of antispam options for Sendmail

Get a look at the various antispam techniques and solutions for the popular Sendmail e-mail server.


Over the last few years, there has been an ever-increasing need for tools to combat the endless stream of spam choking mailboxes everywhere. Despite progressive legislation toward this goal, there are few signs that an end is near. While politicians and industry heavyweights debate the future of e-mail, it is left to the local administrators to do what they can to help stem the flood.

The popular mail transport agent (MTA) Sendmail, a Unix program that runs on Linux and most other Unix-like systems, handles a large share of the e-mail moving across the Internet. Recent versions have become progressively better at combating spam, and this article looks at the options an administrator can use to fight spam on Sendmail: best practices for configuring the server, specific checks on incoming mail, and third-party add-ons.

Antispam
Built-in options for limiting spam in Sendmail include the denial of relaying, sender verification, access lists, and detailed header checks. The use of third-party black hole lists and software can also extend the standard features of Sendmail. While everyone seems to have their favorite method of sorting regular mail from spam, it can be a tricky endeavor. The danger of classifying and discarding valid e-mail is real, so antispam configurations should be handled with care. Broad strokes such as not allowing your server to be a public relay and configuring DNS checks are safe and highly recommended. Drilling down further is best done slowly and will involve going over mail logs carefully. In this manner, you can work to alleviate some of the frustration involved with spam sent to end users, while not making the situation worse by blocking valid mail messages.

Relaying denied
One of the first steps that should be done to help the spam issue is the denial of open relaying. In short, this involves limiting—to the greatest extent possible—who is allowed to send mail through your server. An open relay will allow anyone on the Internet to connect to and send e-mail through a server.

Anyone setting up a Sendmail server should assume that spammers will find it and test whether it relays. Sendmail has refused relaying by default since version 8.9; if you are running an older version, upgrading for that reason alone is worthwhile. Spammers have historically used rather nefarious methods to distribute their messages, and their favorite has been to exploit open relays reachable on the Internet: they push as much mail as possible through a server until it gets noticed or blacklisted, then move on to the next open relay.

Sendmail lets you specify exactly which domains or IP addresses may relay through your server. This is done either through a flat text file listing the domains (/etc/mail/relay-domains) or through the access database. The access database goes further and specifies how mail from a given domain, address, or network is handled: it can be accepted for relay, rejected, silently discarded, or refused with a configurable SMTP error message returned to the sender. The last option can be fun, though I doubt spammers do detailed analyses of the error codes in their logs. Nevertheless, there is some small satisfaction in returning a 550 Spammers Go Away reply to senders that try to use your mail server as an open relay.
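As an added example (not code from the article), here is a constructed access file of the kind described above, together with a small POSIX shell and awk lookup that approximates the key search Sendmail performs against it, so you can see which entry would fire for a given client address or sender before you rebuild the database. The entries, the temporary file path and the search order are assumptions for illustration; the map itself is enabled in sendmail.mc with the standard FEATURE(`access_db')dnl line, and relay-domains remains the simpler flat file for domains that may relay.

```shell
#!/bin/sh
# Added example: a constructed Sendmail access file plus a lookup that
# approximates how Sendmail searches it.  Not the article's own code.
# ACCESS_FILE defaults to a temp file so this runs without touching /etc/mail.
ACCESS_FILE="${ACCESS_FILE:-$(mktemp)}"

write_access_file() {
    # Right-hand side: RELAY, OK, REJECT, DISCARD, or ERROR:"<smtp reply>".
    cat > "$ACCESS_FILE" <<'EOF'
# Only loopback and the office LAN may relay through this server.
Connect:127.0.0.1         RELAY
Connect:192.168.1         RELAY
# A host that abused the server: answer every connection with a 550.
Connect:10.0.0.5          ERROR:"550 Spammers go away"
# Never accept envelope senders from this domain or its subdomains.
From:spammer.example      REJECT
# Silently drop mail to a retired list address instead of bouncing it.
To:oldlist@example.com    DISCARD
EOF
}

# Candidate keys from most to least specific: a full address, then its
# domain and parent domains, then "user@"; bare IPv4 addresses lose one
# trailing octet per step.  (An approximation of Sendmail's own order.)
access_keys() {
    key="$1"
    case "$key" in
        *@*)
            user="${key%%@*}"; dom="${key#*@}"
            printf '%s\n' "$key"
            access_keys "$dom"
            printf '%s@\n' "$user"
            ;;
        *[!0-9.]*)
            while [ -n "$key" ]; do
                printf '%s\n' "$key"
                case "$key" in *.*) key="${key#*.}" ;; *) key="" ;; esac
            done
            ;;
        *)
            while [ -n "$key" ]; do
                printf '%s\n' "$key"
                case "$key" in *.*) key="${key%.*}" ;; *) key="" ;; esac
            done
            ;;
    esac
}

# access_lookup TAG KEY: print the right-hand side of the first matching
# entry, trying "TAG:key" before the untagged "key" at every step.
access_lookup() {
    tag="$1"
    access_keys "$2" | while IFS= read -r k; do
        for lhs in "$tag:$k" "$k"; do
            rhs=$(awk -v lhs="$lhs" '
                /^[[:space:]]*#/ || NF == 0 { next }
                $1 == lhs { sub(/^[^[:space:]]+[[:space:]]+/, ""); print; exit }
            ' "$ACCESS_FILE")
            if [ -n "$rhs" ]; then printf '%s\n' "$rhs"; exit 0; fi
        done
    done
}

# Sendmail reads the hashed access.db, not the text file, so rebuild it
# after every edit.  Runs only where makemap is installed.
build_access_db() {
    command -v makemap >/dev/null 2>&1 || return 0
    makemap hash "$ACCESS_FILE" < "$ACCESS_FILE"
}

write_access_file
for probe in "Connect 192.168.1.77" "Connect 10.0.0.5" \
             "From bob@mail.spammer.example" "Connect 203.0.113.9"; do
    set -- $probe
    printf '%-8s %-28s -> %s\n' "$1" "$2" "$(access_lookup "$1" "$2")"
done
```

The probes show the behaviour that matters when writing entries: 192.168.1.77 relays because the Connect:192.168.1 prefix matches, a sender at a subdomain of spammer.example is still rejected, and an address with no entry at all returns nothing, which leaves Sendmail's default (accept for local delivery, refuse relaying) in force.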

Built-in features
Besides closing off your server as a relay, you can configure Sendmail to check inbound mail directly. Sendmail can examine message headers and act on fields such as From: and To:, so you could allow mail from one address on a domain and deny the rest, or vice-versa. Any header field can be checked by a ruleset, so it is possible to reject mail whose Subject: line matches a string that has proven to be the signature of a particular spam operation.
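The Subject: check described above is written as a header-check ruleset in sendmail.mc. The following added shell functions (not the article's code) generate such a ruleset for a list of signature strings, emitting the rules with printf so that the tab Sendmail requires between each rule's left and right sides survives, and let you try sample subjects against the same signatures before reloading. The ruleset name, the signature strings and the reply text are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the article's code): generate a Sendmail header-check
# ruleset that rejects messages whose Subject: contains one of the given
# strings.  Sendmail requires a TAB between a rule's LHS and RHS, so the
# rules are emitted with printf rather than pasted from an editor.

# subject_check_ruleset NAME STRING...: print mc text that rejects any
# Subject: containing one of the strings; all other subjects are accepted.
subject_check_ruleset() {
    name="$1"; shift
    printf 'LOCAL_CONFIG\n'
    printf 'HSubject: $>%s\n' "$name"
    printf 'LOCAL_RULESETS\n'
    printf 'S%s\n' "$name"
    for sig in "$@"; do
        # $* on either side lets the signature appear anywhere in the subject.
        printf 'R$* %s $*\t$#error $@ 5.7.1 $: "550 Spam rejected"\n' "$sig"
    done
    printf 'R$*\t$@ OK\n'
}

# subject_would_reject STRING...: exit 0 if the subject read from stdin
# contains one of the signatures.  This is a plain substring check, an
# approximation of the token match the ruleset performs, for trying rules
# against sample mail before a reload.
subject_would_reject() {
    subject=$(cat)
    for sig in "$@"; do
        case "$subject" in *"$sig"*) return 0 ;; esac
    done
    return 1
}

subject_check_ruleset CheckSubject "MAKE MONEY FAST" "ADV:"
```

Append the generated text to sendmail.mc, regenerate sendmail.cf with m4 as usual, and keep the signature list short and specific: a rule on a common word rejects legitimate mail just as readily.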

Sendmail also checks DNS. By default it refuses an envelope sender whose domain does not resolve, and it looks up the connecting host's reverse DNS, compares it with the forward record, and marks the name as possibly forged when the two disagree. So when a spammer forges a domain name that does not exist, the message is refused during the SMTP dialogue. This will not stop spam from real domains, of course; a typical antispam setup involves several layers of configuration. There is no single magic command, unfortunately, but multiple checks that each sift out a different spam indicator.

Sendmail 8.10 added support for SMTP AUTH, another option for administrators who want to control relaying through authentication: a user who authenticates to the server is allowed to relay, which is especially useful for traveling users who send from an untrusted IP address or domain name. Be clear about what it does and does not do. A public mail server must still accept inbound mail for its own domains from anyone, so SMTP AUTH does not reduce the spam those mailboxes receive; what it does is let you refuse relaying to everyone who cannot authenticate. For a small private server that only relays for its own users and needs to accept nothing from strangers, that shuts outside senders out completely.
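As an added example (not from the article), the following shell script prints an SMTP AUTH fragment for sendmail.mc in a weak form and a hardened form, and includes a small lint that checks the three controls that matter for relay control: authenticated users are trusted to relay, plaintext mechanisms are refused unless STARTTLS is active, and the submission port requires authentication. The mechanism names, ports and the lint's checks are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the article's code): an SMTP AUTH fragment for
# sendmail.mc in a weak and a hardened form, plus a small lint that checks
# the three things that matter for relay control.

weak_auth_mc() {
    cat <<'EOF'
dnl Offers PLAIN/LOGIN on port 25 in the clear: credentials can be sniffed,
dnl and anyone who guesses one becomes a relay client.
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
EOF
}

hardened_auth_mc() {
    cat <<'EOF'
dnl A = honour the AUTH= parameter only after a successful AUTH,
dnl p = refuse plaintext mechanisms unless a security layer (STARTTLS)
dnl is active.  Travelling users submit on port 587, where authentication
dnl is mandatory (M=a) and ETRN is disabled (M=E); port 25 stays a plain MX.
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
EOF
}

# lint_auth_mc reads mc text on stdin and reports each missing control;
# the exit status is the number of findings, so 0 means all are present.
lint_auth_mc() {
    mc=$(cat); findings=0
    printf '%s\n' "$mc" | grep -q 'confAUTH_OPTIONS.*`[^'\'']*p' \
        || { echo "missing: confAUTH_OPTIONS with p (plaintext AUTH allowed without TLS)"; findings=$((findings+1)); }
    printf '%s\n' "$mc" | grep -q 'DAEMON_OPTIONS.*Port=submission.*M=[^,'\'']*a' \
        || { echo "missing: submission daemon requiring AUTH (M=a)"; findings=$((findings+1)); }
    printf '%s\n' "$mc" | grep -q 'TRUST_AUTH_MECH' \
        || { echo "missing: TRUST_AUTH_MECH (authenticated users cannot relay)"; findings=$((findings+1)); }
    return $findings
}

echo "== weak fragment =="
weak_auth_mc | lint_auth_mc
echo "== hardened fragment =="
hardened_auth_mc | lint_auth_mc && echo "ok"
```

The lint is deliberately line-oriented: run it against your real sendmail.mc after any change to the AUTH or DAEMON_OPTIONS lines, since a fragment that offers PLAIN or LOGIN without the p option hands passwords to anyone on the path, and a guessed password then turns the server back into a relay.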

Black hole lists
Sendmail also supports DNS-based black hole lists. These are externally maintained lists, published through DNS, of the IP addresses of known spam sources and open relays. Sendmail can be configured to reject connections from any address found in such a list. Occasionally an entire mail server is listed because of one abusive user, and that affects every user on the site, however innocent; in other words, there are false positives in this process too. Keep that in mind when configuring a black hole list.

One of the best known is the one run by Paul Vixie at mail-abuse.org. There are a number of other black hole lists, and some research may be necessary to determine how good a list is, because a poorly maintained list does more harm than good. A list should have a documented procedure for removing an address that was listed in error, so that a legitimate business falsely accused of spamming can get its good name back.
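As an added example (not from the article), the following shell functions show how a black hole list query is formed and how its answer should be read: the client's IPv4 octets are reversed under the list's zone, an empty answer means not listed, and an A record of 127.0.0.x means listed. The verdict function reads answers from stdin so it can be tried offline against captured replies. The zone name, the sample addresses and the answer values are assumptions for illustration; in sendmail.mc the same check is enabled with FEATURE(`dnsbl', `<zone>')dnl, which with no zone argument defaults to blackholes.mail-abuse.org.

```shell
#!/bin/sh
# Added example (not the article's code): how a DNS black hole list query is
# formed and answered, with an offline verdict function for captured answers.

# dnsbl_name IP ZONE: the query name is the IPv4 octets reversed under the
# list's zone, e.g. 192.0.2.10 -> 10.2.0.192.<zone>.
dnsbl_name() {
    ip="$1"; zone="$2"
    printf '%s\n' "$ip" | awk -F. -v zone="$zone" \
        'NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# dnsbl_verdict reads the A records returned for that name on stdin.  An
# empty answer means "not listed"; lists answer with 127.0.0.x, where x is
# the list's own reason code.  Any other value means the zone is misbehaving
# (a list that has been shut down may start answering for every query) and
# must not be treated as a listing, or you reject all mail.
dnsbl_verdict() {
    listed=0; bogus=0
    while IFS= read -r a; do
        case "$a" in
            127.0.0.*) listed=1 ;;
            "") ;;
            *) bogus=1 ;;
        esac
    done
    if [ "$bogus" -eq 1 ]; then echo "unusable"; return 2; fi
    if [ "$listed" -eq 1 ]; then echo "listed"; return 0; fi
    echo "clean"; return 1
}

# dnsbl_check IP ZONE: live lookup with dig, where it is installed.
dnsbl_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 3; }
    dig +short "$(dnsbl_name "$1" "$2")" A | dnsbl_verdict
}

# Constructed answers, standing in for what dig would return.
printf '127.0.0.2\n' | dnsbl_verdict
printf '' | dnsbl_verdict
printf '203.0.113.1\n' | dnsbl_verdict
```

Before enabling a zone in production, run dnsbl_check against a few of your own relay addresses and against an address you know to be listed: the first tells you whether the list has swept up your own network, the second whether the zone is still answering at all.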

Third-party options
Third-party options can involve more than a remotely maintained list of spammers. One such option is to use a third-party mail server to handle mail and serve as the MX record for your domain in DNS. Such commercial services check messages and then forward them on to your local mail server once the spam has been trimmed out. This takes the processing load off of the local server, but I know a few administrators who would be hesitant to allow another company to decide what e-mail is delivered.

Another method is to use a software package such as Cloudmark’s Authority. This can perform antispam services locally on your server and allow a higher level of configurability. In fact, Sendmail’s commercial version now ships with filtering tools based on Cloudmark’s antispam software.

There is also everything from simple shell scripts to full retail packages that can fight spam on a server running Sendmail. Another commercial solution is MailShell, and Sendmail.org lists a variety of other antispam options. Much will depend on the volume of traffic a particular mail server receives.

Summary
While there is no single button to press that defends against all spam, a number of options help contain the problem. Sendmail has made a point of incorporating antispam measures into its software, and many are enabled by default, especially in recent versions. Through built-in features, black hole lists, and server-side antispam programs, you can filter out a large portion of spam.
