17 Jan 2003, hacker (Master)

More Sendmail Hacks

    I've been handling mail for some friends, one of whom gets a LOT of spam. He's a good litmus test for how to tweak a spam filter to maximum effectiveness.

    I'm using a combination of Sendmail, triple-RBL, ordb.org, SpamAssassin (and the milter), and iptables to filter out spam from reaching $USER mailboxes. Here are some recent tweaks I came up with (some with the gentle nudging of others):

    # There is no reason to send HTML in email, none. Blocked.
    #
    # There is no reason for anyone to send a Content-Type of
    # multipart/alternative. Multipart is fine in the body or as an
    # attachment, but the generalized header for those should be
    # text/plain, not multipart/alternative. Blocked.
    #
    # Both Content-Type rules live in one ruleset: declaring the same
    # H line and S line twice only draws a "multiple definitions"
    # warning from sendmail. In a .mc file the H line goes under
    # LOCAL_CONFIG and the S/R lines under LOCAL_RULESETS; the LHS and
    # RHS of each R line must be separated by a TAB, not spaces. The
    # header check only sees the top-level message headers, never the
    # Content-Type of individual MIME parts.
    #
    # Caveat: these two rules also reject legitimate mail, since most
    # GUI mail clients send multipart/alternative when a message has
    # both a text and an HTML part. 5.5.5/555 is the author's choice of
    # codes; 5.7.1/550, as in the access entries below, is the
    # conventional policy-rejection code (5.5.5 means "wrong protocol
    # version").
    HContent-type:  $>+Check_Content_Type
    SCheck_Content_Type
    Rtext/html $*	$#error $@ 5.5.5 $: "555 HTML email denied; use plain text."
    Rmultipart/alternative $*	$#error $@ 5.5.5 $: "555 multipart mail blocked; use plain text"

    # Likewise for base64-encoded bodies. There is no reason for the
    # ENTIRE message body to be base64-encoded. Blocked.
    #
    # Caveat: base64 is the usual transfer encoding for non-ASCII text
    # and for S/MIME, so this rejects those messages as well.
    HContent-Transfer-Encoding:  $>+Check_Transfer_Encoding
    SCheck_Transfer_Encoding
    Rbase64 $*	$#error $@ 5.5.5 $: "555 base64-encoded body blocked; use plain text"

    And recently, there is an increase in the number of people being affected by this W32/Sobig@MM trojan, so I blocked that (and another worm) too:

    /etc/mail/access

    # Envelope sender (MAIL FROM) addresses used by the two worms. Untagged
    # keys match both sender and recipient; prefix them with "From:" to
    # restrict the match to the sender side. The map is consulted at MAIL
    # FROM, before any header is seen. Rebuild the map after editing:
    #   makemap hash /etc/mail/access < /etc/mail/access
    big@boss.com         ERROR:5.7.1:550 Sobig worm rejected
    hahaha@sexyfun.net   ERROR:5.7.1:550 Hybris worm rejected
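To see what the header rules and the access entries above actually match, here is an added example (not the author's configuration and not Sendmail's own code) that emulates Sendmail's header tokenizer and the token-by-token, case-insensitive prefix match that a rule of the form `R<pattern> $*` performs, then runs the three rules and the two access-map entries over constructed sample messages. The function names, the sample messages and the envelope senders are assumptions made for this example; quoted-string handling in the tokenizer is simplified.

```python
"""Emulate the post's Sendmail header checks and access-map entries.

Added example, not the author's configuration or Sendmail itself. It
reproduces the matching semantics of `R<pattern> $*` rules so you can see
which messages are accepted and which are rejected, and why.
"""
import email

# Sendmail splits a header value into tokens: each OperatorChars character
# (default ".:%@!^/[]+") and each always-delimiter ("()<>,;") is a token of
# its own, whitespace separates atoms, and a double-quoted string is kept as
# one token (simplified here).
OPERATOR_CHARS = set('.:%@!^/[]+') | set('()<>,;')


def tokenize(value):
    tokens, atom, quoted = [], [], False
    for ch in value:
        if quoted:                      # inside "...": keep up to the closing quote
            atom.append(ch)
            if ch == '"':
                tokens.append(''.join(atom)); atom = []; quoted = False
        elif ch == '"':
            if atom:
                tokens.append(''.join(atom)); atom = []
            atom.append(ch); quoted = True
        elif ch in OPERATOR_CHARS or ch.isspace():
            if atom:
                tokens.append(''.join(atom)); atom = []
            if ch in OPERATOR_CHARS:
                tokens.append(ch)
        else:
            atom.append(ch)
    if atom:
        tokens.append(''.join(atom))
    return tokens


def lhs_matches(pattern, value):
    """`R<pattern> $*`: the pattern's tokens must equal the leading tokens of
    the header value, compared case-insensitively as rewrite() does; `$*`
    absorbs whatever follows (e.g. "; charset=...")."""
    want = [t.lower() for t in tokenize(pattern)]
    have = [t.lower() for t in tokenize(value)]
    return have[:len(want)] == want


# The three header rules from the post as (header, LHS, SMTP reply).
HEADER_RULES = [
    ('content-type', 'text/html', '555 HTML email denied; use plain text.'),
    ('content-type', 'multipart/alternative', '555 multipart mail blocked; use plain text'),
    ('content-transfer-encoding', 'base64', '555 base64-encoded body blocked; use plain text'),
]

# /etc/mail/access entries from the post; only the sender side is emulated.
ACCESS = {
    'big@boss.com': '550 Sobig worm rejected',
    'hahaha@sexyfun.net': '550 Hybris worm rejected',
}


def check_sender(address):
    """Access-map lookup order for a sender: full address, then the domain,
    then the local part with a trailing '@'. Keys are case-folded."""
    address = address.lower()
    local, _, domain = address.partition('@')
    for key in (address, domain, local + '@'):
        if key in ACCESS:
            return ACCESS[key]
    return None


def check_message(raw, envelope_from=None):
    """Return the SMTP reply that would reject this message, or None.
    The envelope sender is checked first: Sendmail consults the access map
    at MAIL FROM, before any header is seen at DATA."""
    if envelope_from is not None:
        reply = check_sender(envelope_from)
        if reply:
            return reply
    msg = email.message_from_string(raw)
    # H lines fire once per header instance, in header order, and only on the
    # top-level headers: MIME part headers are body text to Sendmail.
    for name, value in msg.items():
        for header, lhs, reply in HEADER_RULES:
            if name.lower() == header and lhs_matches(lhs, value):
                return reply
    return None


# Constructed sample messages (not real traffic).
HEADERS = 'From: alice@example.com\r\nTo: bob@example.net\r\nSubject: test\r\n'
PLAIN_MAIL = HEADERS + 'Content-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: 7bit\r\n\r\nhello\r\n'
HTML_MAIL = HEADERS + 'Content-Type: TEXT/HTML; charset="iso-8859-1"\r\n\r\n<b>hello</b>\r\n'
ALT_MAIL = HEADERS + ('Content-Type: multipart/alternative; boundary="b1"\r\n\r\n--b1\r\n'
                      'Content-Type: text/plain\r\n\r\nhello\r\n--b1\r\n'
                      'Content-Type: text/html\r\n\r\n<b>hello</b>\r\n--b1--\r\n')
B64_MAIL = HEADERS + 'Content-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n'
NEAR_MISS = HEADERS + 'Content-Type: text/htmlish\r\n\r\nhello\r\n'   # "htmlish" is one token, so no match

if __name__ == '__main__':
    for label, raw in [('plain', PLAIN_MAIL), ('html', HTML_MAIL), ('alternative', ALT_MAIL),
                       ('base64', B64_MAIL), ('near miss', NEAR_MISS)]:
        print(f'{label:12} -> {check_message(raw)}')
    print(f'{"sobig sender":12} -> {check_message(PLAIN_MAIL, envelope_from="Big@Boss.com")}')
```

Two things the run makes visible: the multipart/alternative message is rejected on its top-level header alone, so the rule never needs to (and cannot) look at the text/html part inside; and the token-based match is why `text/html` does not match `text/htmlish` but does match `TEXT/HTML; charset="iso-8859-1"`.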
    
    These small changes alone have begun to cut down the number of spam messages that my system(s) will accept for users. A quick grep shows that in the last 2 days, the three tweaks above have successfully blocked 417 separate spam messages that would have otherwise been caught by spamassassin or passed on to a user.

    Any spam that gets through these + spamassassin, I block with iptables. It's been doing quite a good job so far. In the last week, my iptables blocks for known spammers have produced 1,291 hits in the logs.

Other Stuff

    Things are busy here, but still no permanent employment (427 days, 61 weeks so far). It may be time to call UPS/Fedex/USPS and see if they have any openings. There are definitely no technology jobs left here on the East Coast. Depressing.
