Hallo,

Fuer diejenigen unter euch die immer noch sendmailen muessen :ugly:

Neben /etc/mail/{access,virtusertable}; RBLs, Spamassassin, procmail gibt es die Möglichkeit
die Milter-Schnittstelle von Sendmail mit milter-regex zu nutzen. Das Schöne dabei ist, das Spam
schon auf SMTP Ebene aussen vor bleibt. Das spart zum Beispiel die IO-teuere Mail-Zustellung
und schont Nerven.




1. Beschaffung der Sourcen

Ansurfen von http://www.benzedrine.cx/milter-regex.html und Download der Stable Version
(Wer sich mit yacc herumaergern will kann die current Version probieren)

2. Kopieren der Konfiguration nach /etc oder wahlweise im Startaufruf

Ich habe die Config nach /etc/mail gepackt.


cd /tmp && tar zxf milter-regex-1.6.tar.gz &&
cd milter-regex && cp milter-regex.conf /etc/mail


3. Optional: Kleines Init Skript schreiben


#!/bin/bash
#
# milter-regex This shell script enables the automatic use of
#
# Author: Seth Vidal <protected>
#
# chkconfig: - 50 01
#
# description: Enable daily run of milter-regex, a program updater.
# processname: milter-regex
# config: /etc/milter-regex.conf
#

# source function library
#. /etc/rc.d/init.d/functions

#lockfile=/var/lock/subsys/milter-regex

RETVAL=0

start() {
echo -n $"Enabling milter-regex: "
/usr/sbin/milter-regex -u milter-regex -c /etc/mail/milter-regex.conf
echo
}

stop() {
echo -n $"Disabling milter-regex "
killall milter-regex
echo
}

restart() {
stop
start
}

case "$1" in
start)
start
;;
stop)
stop
;;
restart|force-reload)
restart
;;
reload)
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|force-reload}"
exit 1
esac

exit $RETVAL




4. In die sendmail.mc den richtigen Pfad zu Socket einfuegen:


INPUT_MAIL_FILTER(`milter-regex',
`S=unix:/var/spool/milter-regex/sock, T=S:30s;R:2m')


und mit m4 eine neue sendmail.cf generieren.

,cp sendmail.mc sendmail.mc.bak
,m4 sendmail.mc > sendmail.cf.test


5. /etc/milter-regex.conf anpassen.

Standard Regeln befinden sich auf der Webseite.
Das ist jetzt eine gute Zeit um Ausnahmen zu defineren.
Falls zum Beispiel $CHEF immer auf die Regel "forged
Outlook Header" zutrifft.

Möglicherweise sich vorher ueber HELO FIltering informieren.
HELO Funktionsweise in RFC 821/1123. (Wer das dicke Oreilly
Sendmail Buch hat, es wird auch darin etwas versteckt gut
erklaert)

Ein gueltiger HELO Command muss ein voll qualifizierter
Domain/Server Name (FQDN) des Senders sein. Der eigene
Server ist folglich nicht erlaubt.


Helo Filter aktivieren:

# From Christopher Kruslicky:
tempfail "Malformed HELO"
helo /^141\.71\.128\.42$/ <- natuerlich die eigene Addresse

tempfail "Malformed HELO"
helo /^127\.0\.0\.1$/


6. eigenen User anlegen


useradd -d /var/nonexistant milter-regex


7. Logging einstellen

Die Idee nach maillog oder messages zu loggen ist Geschmackssache.
Deswegen kann man dem Beispiel folgen und /var/log/milter-regex
anlegen, fuer den User milter-regex beschreibbar machen und dann in
/etc/syslog.conf folgendes eintragen:


!milter-regex \tab\tab\tab /var/log/milter-regex


Dann den Syslog neustarten.

8. Starten



/etc/init.d/spamassassin start
/etc/init.d/milter-regex start
/etc/init.d/sendmail start


9. Auf die ersten Spammer freuen, wie sie sich die Zaehne ausbeissen

Zu Beginn ein tail -f mitlaufen lassen und ggf. Regeln anpassen.
Interessant in diesem Zusammenhang milter-greylist, das ist auch relativ einfach
aufgesetzt und Real-Time-Address Verification.



Gruss
403

Hallo,

ich hab ein Problem mit milter-regex zu kompileren. Habs entpackt und werd direkt mit einem Fehler begrüßt.

drwxr-xr-x 2 webadmin ftpusers 1024 2007-08-04 00:12 .
drwxr-xr-x 9 root root 1024 2007-12-30 12:39 ..
-rw-r--r-- 1 webadmin ftpusers 4 2007-01-11 16:49 .cvsignore
-rw-r--r-- 1 webadmin ftpusers 12185 2007-01-11 16:49 eval.c
-rw-r--r-- 1 webadmin ftpusers 3096 2007-01-11 16:49 eval.h
-rw-r--r-- 1 webadmin ftpusers 555 2007-01-11 16:49 Makefile
-rw-r--r-- 1 webadmin ftpusers 843 2007-01-11 16:49 Makefile.linux
-rw-r--r-- 1 webadmin ftpusers 1072 2007-01-11 16:49 Makefile.solaris
-rw-r--r-- 1 webadmin ftpusers 12697 2007-02-21 23:50 milter-regex.8
-rw-r--r-- 1 webadmin ftpusers 20681 2007-08-04 00:11 milter-regex.c
-rw-r--r-- 1 webadmin ftpusers 2367 2007-01-11 16:49 milter-regex.init
-rw-r--r-- 1 webadmin ftpusers 10396 2007-01-11 16:49 parse.y
-rw-r--r-- 1 webadmin ftpusers 2969 2007-01-11 16:49 rules
-rw-r--r-- 1 webadmin ftpusers 1758 2007-01-11 16:49 strlcpy.c
-rw-r--r-- 1 webadmin ftpusers 1384 2007-01-11 19:44 test.c
45110:/usr/src/milter-regex # make
Makefile:18: *** missing separator. Schluss.

Weiss mir da keinen Rat. Kann mir jemand einen Tip geben?

Gruß und Dank
LordDarkmage

Peinlich:
Die Lösung ist natürlich "make -f Makefile.linux"

# http://www.benzedrine.cx/milter-regex.html

# let this be first or it will be gone
accept
envrcpt /xen@xxx.de/

accept
envrcpt /xxx@sun.com/


# for local bcc
accept
envrcpt /root@vs160xxx.vserver.de/

discard
envrcpt /restart@foobar.de/

discard
envrcpt /cvsweb@foobar.de/

discard
envrcpt /someone@foobar.de/


HAS_UNKNOWN_RECEIVED = header /^Received/ /from unknown /ei
reject "Frogged Intention(1)"
$HAS_UNKNOWN_RECEIVED

accept
connect /bar.net/ //

#accept
#connect /mail.openbc.com //

discard
connect /ipa167.74.91.tellas.gr/ //

discard
connect /83.19.247.34/ //

discard
connect /81.35.92.33/ //

discard
connect /60.48.104.17/ //

discard
envfrom /tiddhmk@braim.com.ar/

discard
connect /89.139.173.8/ //


reject "Goto Hell!!1elf"
envfrom /<>/

#reject "Goto Hell!!1elf"
#envfrom / <> /

accept
connect /hormel.redhat.com/ //

accept
connect /lists.cluenet.de/ //


# FIXME
# sage at guug
accept
connect /82.165.34.161/ //


#reject "hicks"
#envfrom /\dw.*@.*\>/

accept
envfrom /foobar@gmx.net/

discard
envfrom /Nadim.Martins@aroundthehounds.com/

accept
connect /plasma.jpberlin.de/ //

discard
connect /88.251.232.137/ //

discard
connect /88.235.113.42/ //

reject "Sorry no dynamic"
connect /.dyn.user.ono.com/ //

reject "Sorry no dynamic"
connect /*.dyn.user.ono.com/ //

reject "Sorry no dynamic"
connect /[0-9].dyn.user.ono.com/ //

reject "Sorry no dynamic (net.tr)"
connect /*.ttnet.net.tr/ //


reject "Goto Hell!!1elf"
connect /apay.com.tw/ //

reject "Goto Hell!!1elf"
connect /korea.com/ //

reject "Goto Hell!!1elf"
connect /210.107.47.18/ //

reject "Goto Hell!1elf"
connect /.*retail.telecomitalia.it/ //

reject "Goto Hell!1elf"
connect /[0-9].retail.telecomitalia.it/ //

reject "Goto Hell!!1elf"
connect /daum.net/ //

reject "Goto Hell!!1elf"
connect /ns.motorsports-online.net/ //

reject "Goto Hell!!1elf"
connect /yahoo.com/ //

#works
#reject "test"
#helo /\[77\.132\.149\.66.$\]/n

#reject "test schlumpf"
#helo /\[[0-9][0-9][0-9]\.[0-9][0-9][0-9][0-9]\.[0-9][0-9][0-9]\.[0-9][0-9][0-9]\]/n

# DNS/Helo Namen enthalten kein [ oder ]

reject "Schlumpf!!11elf"
helo /\[/

reject "Schlumpf!!11elf"
helo /\]/

reject "What?"
helo /dsldevice.lan*$/
#helo /^127\.0\.0\.[0-9]*$/

reject "What?"
helo /speedtouch.lan*$/

reject "What?"
helo /*.lan*$/

reject "What?"
helo /elephas.theplanet.host*$/

reject "What?"
helo /uaswfb.css.od.ua*$/

reject "What?"
helo /.kornet*$/

reject "What?"
helo /n1*$/

reject "What?"
helo / dsl*$/

reject "What?"
helo / *foobar*$/

reject "What?"
helo /*[A-Z]*$/

reject "What?"
helo /.*.retail.telecomitalia.it*$/

reject "What?"
helo /.*dynamic.*$/

#reject "What?"
#helo /ppp.*$/

#Schlumpf
#reject "Spammers goto hell today!!!, kill THEM!!"
#reject "Schlumpf!"
#connect /0.0.0.0/ //

#reject "Spammers goto hell today!, kill THEM!!"
#reject "Schlumpf!"
#connect /.*/ //

reject "No, thanks"
#header /^(TO|FROM|SUBJECT)$/ei
body /"heisse Singles"/ei

#tempfail "Sender IP address not resolving"
#tempfail "Sender IP in another dimension"
#tempfail "want some viagra? :p"
tempfail "Botnet attempts will be persecuted by Law!"
connect /\[.*\]/ //


#Schlumpf
#reject "Spammers goto hell today!!!, kill THEM!!"
#reject "Schlumpf!"
#connect /0.0.0.0/ //

#reject "Spammers goto hell today!, kill THEM!!"
#reject "Schlumpf!"
#connect /.*/ //

reject "No, thanks"
#header /^(TO|FROM|SUBJECT)$/ei
body /"heisse Singles"/ei


#tempfail "Sender IP address not resolving"
#tempfail "Sender IP in another dimension"
#tempfail "want some viagra? :p"
tempfail "Botnet attempts will be persecuted by Law!"
connect /\[.*\]/ //

# reject "Malformed HELO (not a domain, no dot)"
reject "Malformed"
helo /\./n

# reject "Malformed RCPT TO (not an email address, not <.*@.*>)"
reject "Malformed"
envrcpt /<(.*@.*|Postmaster)>/ein

reject "HTML mail not accepted"
# use comma as delimiter here, as / occurs within RE
header /^Content-type$/i ,^text/html,i and (envrcpt /<m@/ein)
body ,^Content-type: text/html,i and (envrcpt /<m@/ein)

# Swen worm
discard
header /^(TO|FROM|SUBJECT)$/e //
header /^Content-type$/i /boundary="Boundary_(ID_/i
header /^Content-type$/i /boundary="[a-z]*"/
body ,^Content-type: audio/x-wav; name="[a-z]*\.[a-z]*",i

# Some nasty spammer
reject "Business Corp spam, get lost"
body /^Business Corp. for W.& L. AG/i and \
( body /043.*317.*0285/ or body /0041.43.317.02.85/ )

#tempfail "All Queues full, please try again later"
discard
helo /^www.MyMainServer.com*$/

discard
helo /^indiamedia.com*$/
# From Christopher Kruslicky:
tempfail "Malformed HELO"
helo /^62\.75\.160\.xxx$/

tempfail "Malformed HELO"
helo /^127\.0\.0\.1$/

# "(can't be me)"
tempfail "Malformed HELO"
helo /^127\.0\.0\.[0-9]*$/

#Dynamic host addresses
#
# From Darren Henderson:
## from your examples, tempfailing non-resolving rDNS connections
#
# tempfail "Sender IP address not resolving"
tempfail "Sender IP address is on holiday"
connect /\[.*\]/ //


#reject "Sorry, are you from the past?"
#header /^Date: [A-Z][a-z][a-z], [0-9[0-9] [A-Z][a-z][a-z] [1-2][0-9]0[0-6]/ //
#body /^Date: [A-Z][a-z][a-z], [0-9[0-9] [A-Z][a-z][a-z] [1-2][0-9]0[0-6]/ //
#Date: Thu, 30 Jun 2005 15:10:02 GMT


# postmaster spam

NULL_SENDER = envfrom /^<>/
FRIENDLY_HOST = connect // /ucarp\.de/

discard
$NULL_SENDER and not $FRIENDLY_HOST


# reject things that look like they might come from a dynamic address

# reject "Looks like a dynamic address"
reject "Looks like a bad day"

connect /[0-9][0-9]*\-[0-9][0-9]*\-[0-9][0-9]*/ //

connect /[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*/ //

connect /[0-9]{12}/e //

# RTFM!
# So, we reject anything that has three digit sets deperated by a
# dash, (ie
# adsl-134-11-333-11.someisp.net). We reject anything that has 3 or more
# numeric subdomains, (ie dialup.123.45.67.8.someisp.net). And finally reject
# any address that has a group of 12 digits, (ie
# pool123045067003.someisp.net).
#
#Forged Outlook headers
#
# Analyzing the spam that still gets delivered (and then promptly detected by
# SpamAssassin), I found that most of it uses fake Outlook headers. So let's
# add a rule to detect that inline (blatantly stealing [33]rules from
# SpamAssassin ;).
#
HAS_MIMEOLE = header /^X-MimeOLE$/ //
HAS_MSMAIL_PRI = header /^X-MSMail-Priority$/ //
HAS_X_MAILER = header /^X-Mailer$/ //
HAS_OUTLOOK_IN_MAILER = header /^X-Mailer$/ /Microsoft (CDO|Outlook) /e
MISSING_OUTLOOK_NAME = ( $HAS_MIMEOLE or $HAS_MSMAIL_PRI ) and \
$HAS_X_MAILER and not $HAS_OUTLOOK_IN_MAILER
OUTLOOK_MUA = header /^X-Mailer$/ / Outlook /
OUTLOOK_MSGID_1 = header /^Message-ID$/ \
/^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@>$/
OUTLOOK_MSGID_2 = header /^Message-ID$/ \
/^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}@hotmail\.com>$/
IMS_MSGID = header /^Message-ID$/ \
/^<[A-F]{36,40}@>$/
UNUSABLE_MSGID = header /^List-Unsubscribe$/ //
FORGED_MUA_OUTLOOK = $OUTLOOK_MUA and not ( $UNUSABLE_MSGID or \
$OUTLOOK_MSGID_1 or $OUTLOOK_MSGID_2 )
MSGID_OE_SPAM_4ZERO = header /^Message-ID$/ \
/<[a-f0-9]{12}\$[a-f0-9]{8}\$0000[a-f0-9]{4}@/

#reject "Forged Outlook headers"
reject "Frogged Intention"
$MISSING_OUTLOOK_NAME or $FORGED_MUA_OUTLOOK or $MSGID_OE_SPAM_4ZERO



HAS_X_ORGIP_LOCALHOST = header /^X-Originate-IP: 127.0.0.1$/ //
HAS_X_ORGIP_LOCALHOST2 = header /^X-Originating-IP: 127.0.0.1$/ //
HAS_X_ORGIP_ME = header /^X-Originate-IP: 62.75.160.xxx$/ //
HAS_X_ORGIP_ME2 = header /^X-Originating-IP: 62.75.160.xxx$/ //
reject "Frogged Intention"
$HAS_X_ORGIP_LOCALHOST or $HAS_X_ORGIP_ME or $HAS_X_ORGIP_LOCALHOST2 or $HAS_X_ORGIP_ME2



Nicht besonders sauber, aber ein paar gute Filter.

Gruss
403