Sendmail milter-regex mini HOWTO

[403]

Hallo,

Fuer diejenigen unter euch die immer noch sendmailen muessen

Neben /etc/mail/{access,virtusertable}; RBLs, Spamassassin, procmail gibt es die Möglichkeit
die Milter-Schnittstelle von Sendmail mit milter-regex zu nutzen. Das Schöne dabei ist, das Spam
schon auf SMTP Ebene aussen vor bleibt. Das spart zum Beispiel die IO-teuere Mail-Zustellung
und schont Nerven.




1. Beschaffung der Sourcen

Ansurfen von http://www.benzedrine.cx/milter-regex.html und Download der Stable Version
(Wer sich mit yacc herumaergern will kann die current Version probieren)

2. Kopieren der Konfiguration nach /etc oder wahlweise im Startaufruf

Ich habe die Config nach /etc/mail gepackt.

Code:

cd /tmp && tar zxf milter-regex-1.6.tar.gz && 
cd milter-regex && cp milter-regex.conf /etc/mail

3. Optional: Kleines Init Skript schreiben

Code:

#!/bin/bash
#
# milter-regex           This shell script enables the automatic use of
#
# Author:       Seth Vidal <protected>
#
# chkconfig:	- 50 01
#
# description:  Enable daily run of milter-regex, a program updater.
# processname:  milter-regex
# config: /etc/milter-regex.conf
#

# source function library
#. /etc/rc.d/init.d/functions

#lockfile=/var/lock/subsys/milter-regex

RETVAL=0

start() {
	echo -n $"Enabling milter-regex: "
        /usr/sbin/milter-regex -u milter-regex -c /etc/mail/milter-regex.conf
	echo
}

stop() {
	echo -n $"Disabling milter-regex "
        killall  milter-regex
	echo
}

restart() {
	stop
	start
}

case "$1" in
  start)
	start
	;;
  stop) 
	stop
	;;
  restart|force-reload)
	restart
	;;
  reload)
	;;
  *)
	echo $"Usage: $0 {start|stop|restart|reload|force-reload}"
	exit 1
esac

exit $RETVAL

4. In die sendmail.mc den richtigen Pfad zu Socket einfuegen:

Code:

 INPUT_MAIL_FILTER(`milter-regex',
		   `S=unix:/var/spool/milter-regex/sock, T=S:30s;R:2m')

und mit m4 eine neue sendmail.cf generieren.

,cp sendmail.mc sendmail.mc.bak
,m4 sendmail.mc > sendmail.cf.test


5. /etc/milter-regex.conf anpassen.

Standard Regeln befinden sich auf der Webseite.
Das ist jetzt eine gute Zeit um Ausnahmen zu defineren.
Falls zum Beispiel $CHEF immer auf die Regel "forged
Outlook Header" zutrifft.

Möglicherweise sich vorher ueber HELO FIltering informieren.
HELO Funktionsweise in RFC 821/1123. (Wer das dicke Oreilly
Sendmail Buch hat, es wird auch darin etwas versteckt gut
erklaert)

Ein gueltiger HELO Command muss ein voll qualifizierter
Domain/Server Name (FQDN) des Senders sein. Der eigene
Server ist folglich nicht erlaubt.


Helo Filter aktivieren:

# From Christopher Kruslicky:
tempfail "Malformed HELO"
helo /^141\.71\.128\.42$/ <- natuerlich die eigene Addresse

tempfail "Malformed HELO"
helo /^127\.0\.0\.1$/


6. eigenen User anlegen

Code:

 useradd -d /var/nonexistant milter-regex

7. Logging einstellen

Die Idee nach maillog oder messages zu loggen ist Geschmackssache.
Deswegen kann man dem Beispiel folgen und /var/log/milter-regex
anlegen, fuer den User milter-regex beschreibbar machen und dann in
/etc/syslog.conf folgendes eintragen:

Code:

!milter-regex \tab\tab\tab /var/log/milter-regex

Dann den Syslog neustarten.

8. Starten

Code:

 /etc/init.d/spamassassin start
/etc/init.d/milter-regex start
/etc/init.d/sendmail start

9. Auf die ersten Spammer freuen, wie sie sich die Zaehne ausbeissen

Zu Beginn ein tail -f mitlaufen lassen und ggf. Regeln anpassen.
Interessant in diesem Zusammenhang milter-greylist, das ist auch relativ einfach
aufgesetzt und Real-Time-Address Verification.



Gruss
403

[LordDarkmage]

Hallo,

ich hab ein Problem mit milter-regex zu kompileren. Habs entpackt und werd direkt mit einem Fehler begrüßt.

Code:

drwxr-xr-x  2 webadmin ftpusers  1024 2007-08-04 00:12 .
drwxr-xr-x  9 root     root      1024 2007-12-30 12:39 ..
-rw-r--r--  1 webadmin ftpusers     4 2007-01-11 16:49 .cvsignore
-rw-r--r--  1 webadmin ftpusers 12185 2007-01-11 16:49 eval.c
-rw-r--r--  1 webadmin ftpusers  3096 2007-01-11 16:49 eval.h
-rw-r--r--  1 webadmin ftpusers   555 2007-01-11 16:49 Makefile
-rw-r--r--  1 webadmin ftpusers   843 2007-01-11 16:49 Makefile.linux
-rw-r--r--  1 webadmin ftpusers  1072 2007-01-11 16:49 Makefile.solaris
-rw-r--r--  1 webadmin ftpusers 12697 2007-02-21 23:50 milter-regex.8
-rw-r--r--  1 webadmin ftpusers 20681 2007-08-04 00:11 milter-regex.c
-rw-r--r--  1 webadmin ftpusers  2367 2007-01-11 16:49 milter-regex.init
-rw-r--r--  1 webadmin ftpusers 10396 2007-01-11 16:49 parse.y
-rw-r--r--  1 webadmin ftpusers  2969 2007-01-11 16:49 rules
-rw-r--r--  1 webadmin ftpusers  1758 2007-01-11 16:49 strlcpy.c
-rw-r--r--  1 webadmin ftpusers  1384 2007-01-11 19:44 test.c
45110:/usr/src/milter-regex # make
Makefile:18: *** missing separator.  Schluss.

Weiss mir da keinen Rat. Kann mir jemand einen Tip geben?

Gruß und Dank
LordDarkmage

Peinlich:
Die Lösung ist natürlich "make -f Makefile.linux"

[403]

Code:

# http://www.benzedrine.cx/milter-regex.html

# let this be first or it will be gone
accept
envrcpt /xen@xxx.de/

accept
envrcpt /xxx@sun.com/


# for local bcc
accept
envrcpt /root@vs160xxx.vserver.de/

discard
envrcpt /restart@foobar.de/

discard
envrcpt /cvsweb@foobar.de/

discard
envrcpt /someone@foobar.de/


HAS_UNKNOWN_RECEIVED  = header /^Received/ /from unknown /ei
reject "Frogged Intention(1)"
$HAS_UNKNOWN_RECEIVED

accept
connect /bar.net/ //

#accept
#connect /mail.openbc.com //

discard 
connect /ipa167.74.91.tellas.gr/ //

discard
connect /83.19.247.34/ //

discard
connect /81.35.92.33/ //

discard
connect /60.48.104.17/ //

discard
envfrom /tiddhmk@braim.com.ar/

discard
connect /89.139.173.8/ //


reject "Goto Hell!!1elf"
envfrom /<>/

#reject "Goto Hell!!1elf"
#envfrom /  <>  /

accept
connect /hormel.redhat.com/ //

accept
connect /lists.cluenet.de/ //


# FIXME
# sage at guug
accept
connect /82.165.34.161/ //


#reject "hicks"
#envfrom /\dw.*@.*\>/

accept
envfrom /foobar@gmx.net/

discard
envfrom /Nadim.Martins@aroundthehounds.com/

accept
connect /plasma.jpberlin.de/ //

discard
connect /88.251.232.137/ //

discard
connect /88.235.113.42/ //

reject "Sorry no dynamic"
connect /.dyn.user.ono.com/ //

reject "Sorry no dynamic"
connect /*.dyn.user.ono.com/ //

reject "Sorry no dynamic"
connect /[0-9].dyn.user.ono.com/ //

reject "Sorry no dynamic (net.tr)"
connect /*.ttnet.net.tr/ //


reject "Goto Hell!!1elf"
connect /apay.com.tw/ //

reject "Goto Hell!!1elf"
connect /korea.com/ //

reject "Goto Hell!!1elf"
connect /210.107.47.18/ //

reject "Goto Hell!1elf"
connect /.*retail.telecomitalia.it/ //

reject "Goto Hell!1elf"
connect /[0-9].retail.telecomitalia.it/ //

reject "Goto Hell!!1elf"
connect /daum.net/ //

reject "Goto Hell!!1elf"
connect /ns.motorsports-online.net/ //

reject "Goto Hell!!1elf"
connect /yahoo.com/ //

#works
#reject "test"
#helo /\[77\.132\.149\.66.$\]/n

#reject "test schlumpf"
#helo /\[[0-9][0-9][0-9]\.[0-9][0-9][0-9][0-9]\.[0-9][0-9][0-9]\.[0-9][0-9][0-9]\]/n

# DNS/Helo Namen enthalten kein  [ oder ]

reject "Schlumpf!!11elf"
helo /\[/

reject "Schlumpf!!11elf"
helo /\]/

reject "What?"
helo /dsldevice.lan*$/
#helo /^127\.0\.0\.[0-9]*$/

reject "What?"
helo /speedtouch.lan*$/

reject "What?"
helo /*.lan*$/

reject "What?"
helo /elephas.theplanet.host*$/

reject "What?"
helo /uaswfb.css.od.ua*$/

reject "What?"
helo /.kornet*$/

reject "What?"
helo /n1*$/

reject "What?"
helo / dsl*$/

reject "What?"
helo / *foobar*$/

reject "What?"
helo /*[A-Z]*$/

reject "What?"
helo /.*.retail.telecomitalia.it*$/

reject "What?"
helo /.*dynamic.*$/

#reject "What?"
#helo /ppp.*$/

#Schlumpf
#reject  "Spammers goto hell today!!!, kill THEM!!"
#reject  "Schlumpf!"
#connect /0.0.0.0/ //			       

#reject   "Spammers goto hell today!, kill THEM!!"
#reject  "Schlumpf!"
#connect /.*/ //			       

reject "No, thanks"
#header /^(TO|FROM|SUBJECT)$/ei
body /"heisse Singles"/ei

#tempfail "Sender IP address not resolving"
#tempfail "Sender IP in another dimension"
#tempfail "want some viagra? :p"
tempfail "Botnet attempts will be persecuted by Law!"
connect /\[.*\]/ //


#Schlumpf
#reject  "Spammers goto hell today!!!, kill THEM!!"
#reject  "Schlumpf!"
#connect /0.0.0.0/ //			       

#reject   "Spammers goto hell today!, kill THEM!!"
#reject  "Schlumpf!"
#connect /.*/ //			       

reject "No, thanks"
#header /^(TO|FROM|SUBJECT)$/ei
body /"heisse Singles"/ei


#tempfail "Sender IP address not resolving"
#tempfail "Sender IP in another dimension"
#tempfail "want some viagra? :p"
tempfail "Botnet attempts will be persecuted by Law!"
connect /\[.*\]/ //

# reject "Malformed HELO (not a domain, no dot)"
reject "Malformed"
helo /\./n

# reject "Malformed RCPT TO (not an email address, not <.*@.*>)"
reject "Malformed"
envrcpt /<(.*@.*|Postmaster)>/ein

reject "HTML mail not accepted"
# use comma as delimiter here, as / occurs within RE
header /^Content-type$/i ,^text/html,i and (envrcpt /<m@/ein)
body ,^Content-type: text/html,i and (envrcpt /<m@/ein)

# Swen worm
discard
header /^(TO|FROM|SUBJECT)$/e //
header /^Content-type$/i /boundary="Boundary_(ID_/i
header /^Content-type$/i /boundary="[a-z]*"/
body ,^Content-type: audio/x-wav; name="[a-z]*\.[a-z]*",i

# Some nasty spammer
reject "Business Corp spam, get lost"
body /^Business Corp. for W.& L. AG/i and \
( body /043.*317.*0285/ or body /0041.43.317.02.85/ )

#tempfail "All Queues full, please try again later"
discard
helo /^www.MyMainServer.com*$/

discard
helo /^indiamedia.com*$/
#   From Christopher Kruslicky:
tempfail "Malformed HELO"
helo /^62\.75\.160\.xxx$/

tempfail "Malformed HELO"
helo /^127\.0\.0\.1$/

# "(can't be me)"
tempfail "Malformed HELO"
helo /^127\.0\.0\.[0-9]*$/

#Dynamic host addresses
#
#   From Darren Henderson:
## from your examples, tempfailing non-resolving rDNS connections
#
# tempfail "Sender IP address not resolving"
tempfail "Sender IP address is on holiday"
connect /\[.*\]/ //


#reject "Sorry, are you from the past?"
#header /^Date: [A-Z][a-z][a-z], [0-9[0-9] [A-Z][a-z][a-z]  [1-2][0-9]0[0-6]/ //
#body /^Date: [A-Z][a-z][a-z], [0-9[0-9] [A-Z][a-z][a-z]  [1-2][0-9]0[0-6]/ //
#Date: Thu, 30 Jun 2005 15:10:02 GMT


# postmaster spam

NULL_SENDER = envfrom /^<>/
FRIENDLY_HOST = connect // /ucarp\.de/

discard
$NULL_SENDER and not $FRIENDLY_HOST


# reject things that look like they might come from a dynamic address

# reject "Looks like a dynamic address"
reject "Looks like a bad day"

connect /[0-9][0-9]*\-[0-9][0-9]*\-[0-9][0-9]*/ //

connect /[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*/ //

connect /[0-9]{12}/e //

# RTFM!
#   So, we reject anything that has three digit sets deperated by a 
#  dash, (ie 
#   adsl-134-11-333-11.someisp.net). We reject anything that has 3 or more
#   numeric subdomains, (ie dialup.123.45.67.8.someisp.net). And finally reject
#   any    address    that    has    a    group    of   12   digits,   (ie
#   pool123045067003.someisp.net).
#
#Forged Outlook headers
#
#   Analyzing the spam that still gets delivered (and then promptly detected by
#   SpamAssassin), I found that most of it uses fake Outlook headers. So let's
#   add  a  rule  to detect that inline (blatantly stealing [33]rules from
#   SpamAssassin ;).
#
HAS_MIMEOLE             = header /^X-MimeOLE$/ //
HAS_MSMAIL_PRI          = header /^X-MSMail-Priority$/ //
HAS_X_MAILER            = header /^X-Mailer$/ //
HAS_OUTLOOK_IN_MAILER   = header /^X-Mailer$/ /Microsoft (CDO|Outlook) /e
MISSING_OUTLOOK_NAME    = ( $HAS_MIMEOLE or $HAS_MSMAIL_PRI ) and \
                            $HAS_X_MAILER and not $HAS_OUTLOOK_IN_MAILER
OUTLOOK_MUA             = header /^X-Mailer$/ / Outlook /
OUTLOOK_MSGID_1         = header /^Message-ID$/ \
                            /^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@>$/
OUTLOOK_MSGID_2         = header /^Message-ID$/ \
                            /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}@hotmail\.com>$/
IMS_MSGID               = header /^Message-ID$/ \
                            /^<[A-F]{36,40}@>$/
UNUSABLE_MSGID          = header /^List-Unsubscribe$/ //
FORGED_MUA_OUTLOOK      = $OUTLOOK_MUA and not ( $UNUSABLE_MSGID or \
                            $OUTLOOK_MSGID_1 or $OUTLOOK_MSGID_2 )
MSGID_OE_SPAM_4ZERO     = header /^Message-ID$/ \
                            /<[a-f0-9]{12}\$[a-f0-9]{8}\$0000[a-f0-9]{4}@/

#reject "Forged Outlook headers"
reject "Frogged Intention"
$MISSING_OUTLOOK_NAME or $FORGED_MUA_OUTLOOK or $MSGID_OE_SPAM_4ZERO



HAS_X_ORGIP_LOCALHOST      = header /^X-Originate-IP: 127.0.0.1$/ //
HAS_X_ORGIP_LOCALHOST2     = header /^X-Originating-IP: 127.0.0.1$/ //
HAS_X_ORGIP_ME             = header /^X-Originate-IP: 62.75.160.xxx$/ //
HAS_X_ORGIP_ME2             = header /^X-Originating-IP: 62.75.160.xxx$/ //
reject "Frogged Intention"
$HAS_X_ORGIP_LOCALHOST or $HAS_X_ORGIP_ME or $HAS_X_ORGIP_LOCALHOST2 or $HAS_X_ORGIP_ME2

Nicht besonders sauber, aber ein paar gute Filter.

Gruss
403