[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Spam

To: zimbra-hied-admins@sfu.ca
Subject: Re: Spam
From: Damion Alexander <dalexand@bard.edu>
Date: Tue, 13 Nov 2012 17:29:35 -0500
In-reply-to: <20121112150959.GO4983@rivendell>
List-help: <mailto:zimbra-hied-admins-request@sfu.ca?subject=help> (List Instructions)
List-id: <zimbra-hied-admins.sfu.ca>
List-owner: <mailto:owner-zimbra-hied-admins@sfu.ca>
List-unsubscribe: <mailto:zimbra-hied-admins-request@sfu.ca?subject=unsubscribe>
Organization: Bard College
References: <1002561011.41821198.1352398652488.JavaMail.root@carleton.edu> <509C0119.8060208@bard.edu> <20121112150959.GO4983@rivendell>
User-agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20120907 Thunderbird/15.0.1

On 11/12/2012 10:09 AM, Csillag Tamas wrote:
> On Thu, Nov 08, 2012 at 01:59:37PM -0500, Damion Alexander wrote:
>> On 11/08/2012 01:17 PM, Rich Graves wrote:
>>> I do it downstream, with sendmail and mailfromd, just because I'm one of
>>> the few crazies who were working with milters from the beginning.
>>
>> We implemented a few outgoing zimbra mta's with mailfromd a few weeks
>> ago. Our mailfromd script is not perfect but we've prevented nearly all
>> outgoing spam blasts since.
> 
> Can you share your config/script to be used as a starting point?
> 
> Thanks!
> 
> Regards,
>   cstamas
> 

mailfromd.mf = script
mailfromd.conf = config

any __TEXT__ strings are placeholders for actual values.

Basic logic of the script

  if whitelisted accept blindly
  if blacklisted put all email in hold queue for review
  if recipient > GL_TRACK_NUM greylist
  if greylisted and recipient rate > RCPT_GL_MAX/RCPT_MAX_TIME blacklist
  if rate > RCPT_MAX/RCPT_MAX_TIME blacklist

We have a set of Zimbra MTA's to handle incoming mail and a set to
handle mail destined outside of our domains. Users log into the 'inside'
set via clients. The outside set are the ones that use mailfromd via
milters.  Because of this recipient counts are only for non local
domains. i.e. send to 80 people 50 on-campus 30 off and the milter only
sees 30.

whitelist and blacklist db's are Berkeley DB's and can be managed via
perl scripts using 'tie' (steve hillman showed us his scripts for this
purpose).

The good about this config: large blasts of spam never leave the
outgoing servers. Not being put on blacklists outweighs the negatives.

The bad:

- users who are used to sending emails to large BCC fields will always
be caught by this. We untrap about 3-4 mailings a day. They haven't
noticed any delays (yet). We've been trying to move them over to mailing
lists.

- in the middle of a large torrent of spam being sent, the incoming
servers (postfix) will reuse a connection by issuing RESET.  As written
the recipient_count doesn't get reset so any additional email senders
will inherit the previous recipient count and trapped.

- any spammer with the patience of a saint can eventually find the magic
numbers. most are never that patient. Upside is that they will be
extremely (self) rate limited.

- token bucket rate limiting algorithms make my brain hurt

Damion

-- 
Damion Alexander
Manager of Networks and Systems
Bard College
Annandale-on-Hudson, NY 12504
(845) 758-7225

# mailfromd conf

state-directory /var/lib/mailfromd;
relayed-domain-file /usr/local/etc/mailfromd-domains;

listen inet://localhost:10057;

# config for greylist db

database greylist {
    enable true;
    # we don't use greylist in the traditional sense so lower the expiration to 30 mins.
    expire-interval 1800;
}

/*

  mailfromd script for (outgoing) mail servers
 
  if whitelisted accept blindly
  if blacklisted put all email in hold queue for review
  if recipient > GL_TRACK_NUM greylist
  if greylisted and recipient rate > RCPT_GL_MAX/RCPT_MAX_TIME blacklist
  if rate > RCPT_MAX/RCPT_MAX_TIME blacklist

  
  
*/


#pragma regex +extended +icase
#pragma stacksize 128k twice
/* con-tassios is needed to activate is_greylisted */
#pragma greylist con-tassios

require status
require dns
require localdomain
require rateok

  
# times

## greylist
const GL_TRACK_TIME interval("5 min")
## max rcpt over time
const RCPT_MAX_TIME interval("30 min")

# recipient limits

const GL_TRACK_NUM __NUMBER__
const RCPT_MAX __NUMBER__
const RCPT_GL_MAX __NUMBER__

# rates

## max gl time
const GL_TRACK_RATE_INTERVAL (( GL_TRACK_TIME / RCPT_GL_MAX ) * 1000000) 
##  
const RCPT_MAX_RATE_INTERVAL (( RCPT_MAX_TIME / RCPT_MAX ) * 1000000) 

# tags

const GL_TRACK_TAG "gltrack"
const RCPT_MAX_TAG "rcptmax"

# databases
const WHITELIST_DB "/var/lib/mailfromd/whitelist.db"
const BLACKLIST_DB "/var/lib/mailfromd/blacklist.db"

# runtime variables

number rcpt_counter
string this_sender
number iam_quarantined 0


/* Begin block is executed at the beginning of each SMTP transaction.
 */
/* 
begin
do
  set ehlo_domain localdomain()
done
*/


prog envfrom
do
   if ((dbmap(WHITELIST_DB,$1)) or ($1 matches "__MAILLIST_SERVER_DOMAIN__") or ($1 == "<>"))
	echo $1 . " is whitelisted"
	accept
   fi

   set this_sender $1
done


prog envrcpt
do 
   set rcpt_counter rcpt_counter + 1
done

/* Do work in eom.  Although we have gathered most all information
   by eoh the message ID is not available till eom.  Since this runs
   on a remote box, we need something to tie into the actual machine
*/


prog eom
do

 if (dbmap(BLACKLIST_DB,this_sender)) 
	set iam_quarantined 1
	echo this_sender . " was already blacklisted (mid $i)"
	quarantine(this_sender . " was already blacklisted (mid: $i)")
	continue
 fi

 if (not tbf_rate(this_sender . RCPT_MAX_TAG, rcpt_counter, RCPT_MAX_RATE_INTERVAL, RCPT_MAX))
	# blacklist, went over the line
        dbput(BLACKLIST_DB,this_sender,1)
	set iam_quarantined 1
	echo this_sender . " is now blacklisted, over max recpipient/time quota (mid $i)"
	quarantine(this_sender . " is now blacklisted, over max recpt/time quota (mid: $i)")
	continue
 fi

 if (is_greylisted(this_sender . GL_TRACK_TAG))
	if (not tbf_rate(this_sender . GL_TRACK_TAG, rcpt_counter, GL_TRACK_RATE_INTERVAL, RCPT_GL_MAX))
		# no more allowed widgets.  + you went over allowed settings. you go way now
		dbput(BLACKLIST_DB,this_sender,1)
		set iam_quarantined 1
		echo this_sender . " is now blacklisted. over greylist quota (mid $i)"
		quarantine(this_sender . " is now blacklisted. over greylist quota (mid: $i)")
		continue
	else 
		# still greylisted. tempfail
		tempfail 451 4.7.1 "Greylisted for %greylist_seconds_left seconds"
	fi
 fi

 if (rcpt_counter >= GL_TRACK_NUM)
	if (greylist(this_sender . GL_TRACK_TAG,GL_TRACK_TIME))
		if ( tbf_rate(this_sender . GL_TRACK_TAG, rcpt_counter, GL_TRACK_RATE_INTERVAL, RCPT_GL_MAX))
			# if statement handles adding to the rate tracking.

			echo this_sender . " has been greylisted. recipient_count = " . rcpt_counter

		fi
		tempfail 451 4.7.1 "Greylisted for %greylist_seconds_left seconds"
	fi
 fi

done

References:
- Re: Spam
  - From: Rich Graves <rgraves@carleton.edu>
- Re: Spam
  - From: Damion Alexander <dalexand@bard.edu>
- Re: Spam
  - From: Csillag Tamas <cstamas@digitus.itk.ppke.hu>

Prev by Date: Re: Spam
Next by Date: audit.log to syslog
Previous by thread: Re: Spam
Next by thread: Re: Spam
Index(es):
- Date
- Thread