What is Obtuse SMTPD Spammer Deterrent?
Spammer Deterrent is a patched version of the
Obtuse SMTPD store and
forward SMTP mail proxy that provides the following functionality useful in
warding off spammers:
- Tar pitting - Adds an administrator-specified delay to each
SMTP command after a number of RCPT TO commands. This makes life
difficult for spammers who send a single email with many, many
recipients.
- Content filtering - Allows an administrator to define a number of
regular expressions that will be used to deny messages. This
for example allows the administrator to ban email worms by
subject, message content or from address. It may also allow an
administrator to perform generic content based rejection of
email (e.g. nothing with the word 'Microsoft').
- MX based from address checking - Rejects messages that do not contain
a valid address in the MAIL FROM part of the envelope. A valid
address is defined as one that passes RFC2821 and has an MX [or A] record
defined for the domain in question. If any transient DNS failure
occurs the check returns that the address is valid.
- Generic DNS based rejection services - Rejects message based on the
presence of an A record in a particular domain for a particular remote
MTA. This provides support for services such as
rfc-ignorant.org.
- ESMTP Support - Spammer Deterrent adds ESMTP support to smtpd.
Presently, the ESMTP SIZE command is the only extension supported and
allows administrators to reject messages based on their ESMTP size.
This is useful for rejecting messages with large attachments before
receiving the data (and wasting bandwidth).
- External Data Checking - Allows an arbitrary command to be executed
that determines whether a message should be accepted, rejected or
the remote MTA told to retry message delivery at a later date. This
feature allows the usage of the Distributed Checksum Clearing House
(DCC) along with
just about anything else you could possibly code :).
Why SMTPD?
SMTPD is a well proven and highly secure SMTP front end. It
provided the perfect candidate for such functionality to be
added. SMTPD offers many other excellent features such as
RBL support, DNS based relaying and execution within a chroot
gaol.
Spammer Deterrent Details
The majority of configuration options of Spammer Deterrent
are configurable at run time. See the Makefile for further
information. Configuration options such as delay time and
delay multiplier are defined within the Makefile as is the path to the
file that contains regular expressions for content filtering.
Content Filtering
An example content filtering file would look as follows:
/var/smtpd/etc/smtpd_filter_rules:
# ban friend@public emails
From: Friend@public.com
To: Friend@public.com
# ban the snowwhite virus
From: hahaha@sexyfun.net
# ban any emails with VisualBasic Script attachments
name\=".*\.vbs"
The content filter is activated by the usage of the 'allow-filter' keyword
in smtpd_check_rules. It is used in place of the standard 'allow'
keyword. For example:
/var/smtpd/etc/smtpd_check_rules:
allow-filter:ALL:ALL:ALL@somedomain.com
allow-filter:127.0.0.1:ALL:ALL
Note: regular expressions are non-extended (basic) and are matched
case-insensitively.
A syslog entry such as the following is generated when a message is
rejected based on content:
Feb 8 23:49:42 host smtpd[6457]: Rejecting message with content:
From: Friend@public.com from localhost [127.0.0.1]
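A rules file is easiest to get right if it can be tried against saved messages before it goes into /var/smtpd/etc. The following sh script is an added example (my own, not part of the Spammer Deterrent sources) that approximates the filter's matching conventions as stated above with grep: basic regular expressions, case-insensitive, '#' comment lines. The rules file and the three messages are constructed inline; the rules mirror the page's sample, with the .vbs rule written without the backslash before '=' (a basic regular expression does not need it) and one blank line added on purpose to show why blank lines must be stripped before the patterns reach grep.

```shell
#!/bin/sh
# Added example (not part of the Spammer Deterrent distribution): dry-run a
# smtpd_filter_rules file against saved messages with grep, using the matching
# conventions the page states: basic (non-extended) regular expressions,
# case-insensitive, '#' comment lines.

# write_filter_rules FILE: rules file constructed for this example.
write_filter_rules() {
    cat > "$1" <<'EOF'
# ban friend@public emails
From: Friend@public.com
To: Friend@public.com
# ban the snowwhite virus
From: hahaha@sexyfun.net

# ban any emails with VisualBasic Script attachments
name=".*\.vbs"
EOF
}

# write_sample_messages DIR: three constructed messages to test against.
write_sample_messages() {
    printf 'From: alice@example.net\nSubject: weekly report\n\nall quiet\n' \
        > "$1/clean.msg"
    printf 'From: HAHAHA@SexyFun.net\nSubject: Snowhite and the Seven Dwarfs\n\n...\n' \
        > "$1/worm.msg"
    printf 'From: bob@example.org\nContent-Disposition: attachment; name="invoice.VBS"\n\n...\n' \
        > "$1/vbs.msg"
}

# active_rules FILE: the patterns grep will actually see.  Comment lines are
# dropped, and so are blank lines: an empty pattern matches every line, so a
# stray blank line in the rules file would reject all mail.
active_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# matching_rule RULES MESSAGE: print the first active rule that matches any
# line of MESSAGE, ignoring case (grep -i, basic regex); return 1 if none does.
# The here-document keeps the loop in the current shell so 'return' works.
matching_rule() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if grep -iq -e "$rule" "$2"; then
            printf '%s\n' "$rule"
            return 0
        fi
    done <<EOF
$(active_rules "$1")
EOF
    return 1
}

# check_dir RULES DIR: report each *.msg in DIR as the filter would treat it.
check_dir() {
    for msg in "$2"/*.msg; do
        if rule=$(matching_rule "$1" "$msg"); then
            printf 'REJECT %s (rule: %s)\n' "$msg" "$rule"
        else
            printf 'ACCEPT %s\n' "$msg"
        fi
    done
}

# Stand-alone demo: ./filter-test.sh --demo builds the samples and reports.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_filter_rules "$dir/rules"
    write_sample_messages "$dir"
    check_dir "$dir/rules" "$dir"
    rm -rf "$dir"
fi
```

The rule a message trips is printed exactly as written in the file, which is the same string smtpd puts after "Rejecting message with content:" in the syslog line above, so the two are easy to correlate.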
MX Checking
The following message is logged to syslog when a message is rejected
because the address in the MAIL FROM part of the envelope fails the MX
check (i.e. its domain has no valid MX or A record):
Jul 6 15:47:32 host smtpd[13786]: [ID 258560 mail.alert] Rejected
from address with unresolvable domain: <1gfclarkeghy@one.net.au> from
localhost [127.0.0.1]
Generic DNS based Rejection
Generic DNS based rejection for services such as rfc-ignorant.org is
provided by placing an entry such as the following in the smtpd_check_rules
file:
noto:ALL:RHS.dsn.rfc-ignorant.org:ALL:550 Mail refused. Your mail system does not accept bounces. This violates RFC 2821. See www.rfc-ignorant.org
ESMTP SIZE support
ESMTP Pre-SMTP rejection based on message size is provided by specifying
the maximum message size in the Makefile. See the Makefile for more
details.
External Data Checking Programs
External data checking facilitates the usage of services such as DCC, etc.
As the administrator has full control over what gets executed, this
command could potentially do anything you want, including alter message
content (such as adding a tagline/disclaimer), etc.
The name of the external command to be forked/execed is set in the
Makefile. This command is then executed when the CRLF.CRLF is received
in the DATA state. The command is passed the following details:
command -s spool-filename -a remote-mta-ip -f <from-address> -t number-of-rcpt-addresses <rcpt-addresses> ...
The return value of the command determines whether the message should
be accepted (0), rejected (1) or re-queued (any other value).
Note: As the command is executed in the chroot jail, any dependencies,
libraries and support files will also need to be installed into the jail.
The external checker is activated by the usage of the 'allow-extchk' keyword
in smtpd_check_rules. It is used in place of the standard 'allow'
keyword. For example:
/var/smtpd/etc/smtpd_check_rules:
allow-extchk|allow-filter:ALL:ALL:ALL@somedomain.com
allow-extchk:ALL:ALL:ALL@nofilter.com
allow:127.0.0.1:ALL:ALL
Note: Multiple features can be added together with the "|" operator. The
first line above would activate both filtering and external checking for
messages destined to somedomain.com.
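The calling convention and exit-status contract described above, as an added example in POSIX sh. This is my own script, not the contributed DCC script and not part of the Spammer Deterrent distribution: the option names and their order follow the synopsis above, while the policy values (a recipient cap of 50, a banned-attachment pattern, exit status 75 for "retry later") and the sample spool files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the contributed DCC script and not part of the
# Spammer Deterrent distribution: a minimal allow-extchk program that follows
# the calling convention documented on the page.
#
# Invoked by smtpd once CRLF.CRLF arrives in the DATA state as:
#   command -s spool-filename -a remote-mta-ip -f <from-address> \
#           -t number-of-rcpt-addresses <rcpt-addresses> ...
# Exit status: 0 = accept (250), 1 = reject (552), anything else = tell the
# remote MTA to retry later (451).  75 is the sysexits EX_TEMPFAIL
# convention; smtpd only requires "any other value".
ACCEPT=0; REJECT=1; RETRY=75

# Local policy values, assumed for this example.
MAX_RCPT=50                                         # cap on RCPT TO count
BANNED_ATTACHMENT='name="[^"]*\.(vbs|pif|scr)"'     # extended regex, matched -i

# check_message SPOOL REMOTE_IP FROM NRCPT RCPT...
# All decisions live here so they can be exercised without smtpd.
check_message() {
    spool=$1 remote_ip=$2 from=$3 nrcpt=$4
    shift 4
    # Spool file unreadable: something is wrong on our side, so ask the
    # sender to retry rather than silently accept or reject.
    [ -r "$spool" ] || return $RETRY
    # Recipient count beyond local policy.
    [ "$nrcpt" -gt "$MAX_RCPT" ] && return $REJECT
    # Banned attachment name anywhere in the spooled message.
    grep -Eiq -e "$BANNED_ATTACHMENT" "$spool" && return $REJECT
    # Everything passed.  The remaining positional parameters ("$@") are the
    # recipient addresses, available for per-recipient policy if wanted.
    return $ACCEPT
}

# run_checker ARGS...: parse smtpd's option list, validate it, then decide.
run_checker() {
    spool= remote_ip= from= nrcpt=
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || return $RETRY          # every option takes a value
        case $1 in
            -s) spool=$2; shift 2 ;;
            -a) remote_ip=$2; shift 2 ;;
            -f) from=$2; shift 2 ;;
            -t) nrcpt=$2; shift 2; break ;;    # what follows are the recipients
            *)  return $RETRY ;;               # unexpected option: do not guess
        esac
    done
    # Refuse to decide on incomplete or malformed input; retry is the safe verdict.
    [ -n "$spool" ] || return $RETRY
    case $nrcpt in ''|*[!0-9]*) return $RETRY ;; esac
    check_message "$spool" "$remote_ip" "$from" "$nrcpt" "$@"
}

# write_samples DIR: two constructed spool files for a stand-alone run.
write_samples() {
    printf 'From: alice@example.net\nSubject: minutes\n\nsee attached\n' \
        > "$1/clean.msg"
    printf 'From: hahaha@example.net\nContent-Disposition: attachment; name="readme.VBS"\n\n...\n' \
        > "$1/worm.msg"
}

# When smtpd execs this script the arguments are its option list; exit with
# the verdict so that smtpd can map it to 250/552/451.
if [ $# -gt 0 ]; then
    run_checker "$@"
    exit $?
fi
```

Because smtpd runs the command inside the chroot jail, /bin/sh, grep and the script itself have to be present in the jail along with any libraries they need, as the note above says. Any failure the script cannot attribute to the message (missing spool file, unexpected arguments) is answered with the retry status rather than an accept, so a broken checker degrades to delayed mail instead of unfiltered mail.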
License
The Spammer Deterrent patch is distributed
under the Obtuse SMTPD BSD style license.
Installation
Download and edit the Makefile accordingly as one would with standard SMTPD.
Relevant documentation is included in the Makefile.
Download
A pre-patched Obtuse SMTPD 2.0 with Spammer Deterrent 1.3 is
available - smtpd-sd-1.3.tar.gz (70k).
ChangeLog
** Changes from 1.2 to 1.3
* Fix small bug where content filtering file may not be closed;
* Add external message checking feature which allows an arbitrary program
to be executed after message data has been received that then determines
whether the message should be accepted (250), rejected (552) or the remote
MTA told to retry (451) based on the return value of that program;
* Include a contributed shell script from Dave Lugo to use the distributed
checksum clearing house (dcc) with external data checking feature;
* Compile in content filtering by default and allow it and also the external
message checking to be controlled by the new check rules directives
'allow-filter' and 'allow-extchk';
* Apply a patch from Earl A. Killian to fix a number of cosmetic problems
with the source;
* Apply the smtpd-2.0-RBL patch by default;
* Add -l option to smtpd to allow it to listen on a particular interface
when in daemon mode;
* Fix some cosmetic bugs in smtpd.c and mailq.c;
* Rename mailq to smtpd-mailq.
Bug reports, patches and suggestions
Send your bug reports and patches to
Liam Widdowson. Be sure to remove the 'nospam' before sending. If
someone would like to write some half-decent documentation and web pages,
please let me know.
Last update: Sunday, 01-Dec-2002 21:05:27 EST