Let’s Try This.
by Nick on Feb.26, 2010, under Administration, E-Mail, UNIX 101
So, some of my users are avid World of Warcraft players. They’ve been complaining that they keep getting phishing schemes in their email accounts. Since Bayesian Filtering isn’t catching on, I think it’s time for custom SpamAssassin rules.
First, a quick scan of the SARE rulesets to see if one fits the bill. I picked the “Forged” rules simply because they are logical and simple. I like logical and simple.
Then some quick adapting…
and this is what I came up with:
header __RCVD_WOW Received =~ /worldofwarcraft\.com/i
header __FROM_WOW From =~ /worldofwarcraft\.com/i
uri __URI_WOW /worldofwarcraft\.com/i
meta CUSTOM_FORGED_WOW (__FROM_WOW && __URI_WOW && !__RCVD_WOW)
score CUSTOM_FORGED_WOW 1.4
I have similar rules for blizzard.com and battle.net. What I’m looking for is the domain in the “From” header and in the body of the message, but NOT in the “Received” headers. Most phishing schemes have a hotmail/yahoo/gmail address in the “Received” headers (and in the “Reply-To” field).
The only caveat I see with this is that base64 encoding of the message may screw up the body check, but I’m almost positive SpamAssassin decodes the message first.
I assigned a relatively small score of 1.4 to the messages, just to see if they show up in the “X-SpamScore” header. Remember, only one should hit at a time.
We’ll see if that works.
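The meta rule above, worked through in Python on a constructed phishing message and a constructed legitimate one. This is an added example, not part of the original post and not SpamAssassin code: it evaluates __FROM_WOW && __URI_WOW && !__RCVD_WOW and decodes the base64 body before the URI check, which is the caveat raised above. Message contents, hosts and addresses are made up.

```python
import base64
import email
import re
from email import policy

DOMAIN_RE = re.compile(r"worldofwarcraft\.com", re.I)   # same pattern as the three sub-rules
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
CUSTOM_FORGED_WOW_SCORE = 1.4                          # 'score CUSTOM_FORGED_WOW 1.4'

def forged_wow(raw: str) -> bool:
    """Evaluate CUSTOM_FORGED_WOW on one raw message: the domain appears in
    From and in a body URI, but in none of the Received headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hit = DOMAIN_RE.search(str(msg.get("From", ""))) is not None
    rcvd_hit = any(DOMAIN_RE.search(str(h)) for h in msg.get_all("Received", []))
    # Decode the transfer encoding first: a base64 body is opaque to the regex
    # until it is decoded, which is what the post assumes SpamAssassin does.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    uri_hit = any(DOMAIN_RE.search(u) for u in URI_RE.findall(text))
    return from_hit and uri_hit and not rcvd_hit

def wow_score(raw: str) -> float:
    """Score the rule contributes to the message total."""
    return CUSTOM_FORGED_WOW_SCORE if forged_wow(raw) else 0.0

def _message(received: str, body: str) -> str:
    # Constructed sample message; the body is deliberately base64-encoded.
    return (
        f"Received: {received}\r\n"
        "From: Account Services <noreply@worldofwarcraft.com>\r\n"
        "Reply-To: wow-security@freemail.example\r\n"
        "To: player@example.test\r\n"
        "Subject: Account notice\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.b64encode(body.encode()).decode() + "\r\n"
    )

# Phish: From and body claim the domain, but the mail was handed in by a freemail host.
PHISH = _message("from smtp.freemail.example ([192.0.2.10]) by mail.example.test",
                 "Verify now: http://worldofwarcraft.com.login.example/verify")
# Legitimate: same From and a real-looking URI, and the Received chain names the domain.
LEGIT = _message("from mx.worldofwarcraft.com ([198.51.100.5]) by mail.example.test",
                 "Read the news at http://worldofwarcraft.com/news")
```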
Greylisting…Again
by Nick on Dec.02, 2009, under E-Mail, Security, Software
Certain… parties… have intoned that I am goofy for implementing a weird “mail bouncy thing” that is sometimes frustrating and is a silly anti-spam technique. Well, that would be Greylisting, and while it’s weird, it also stops a lot of spam from getting through.
Greylisting is a very simple technique. It is basically a daemon attached to a database that keeps track of who externally sent mail to whom internally. When a new domain/IP-address combination pops up, it bounces that transaction with a temporary 450 response. This is per the RFC, and any properly implemented SMTP server should adhere to it, re-queue the message, and send it again later. If the server retries before a specified “too early” window has elapsed (in my case 2 minutes, which is fairly aggressive), it’s bounced again. If the message comes back after the “too early” window but within 24 hours, it’s passed, and an entry is made in the database allowing that address to send mail unhindered for a few days. If enough messages from the same IP address and the same domain pass greylisting, that whole domain is whitelisted.
Greylisting is effective because it keeps non-compliant SMTP servers from sending mail to your server. Most virus-infected computers that send or relay spam won’t re-queue messages, or will re-queue them for only the briefest amount of time.
The problems with Greylisting come from legitimate but misconfigured SMTP servers that either don’t re-queue the messages because they treat 400-series (temporary) responses as 500-series, permanent bounces, or re-queue the messages but report to the original sender that the message bounced.
Yahoo implements a more esoteric setup, where they have 4 servers listed in the MX record, and at any time any of them will bounce messages. This is another way to test for non-RFC-compliant servers, as a server is supposed to try all of the MX entries in turn, by weight value. Most virus-infected computers won’t do that.
Because some of my users may have problems with receiving mail, I have a web-based interface to the Greylisting daemon’s database that allows me to opt addresses or domains out of Greylisting.
I’ve always run Greylisting, so I don’t have any comparison stats, but this guy does.
Software that I’m using for this:
- SQLGrey
- SQLGrey Web Interface (SGWI)
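The greylisting decision described above, modelled in Python as an added example. It is not SQLGrey’s code and not from the original post: the 2-minute “too early” window and the 24-hour retry window are the post’s values, while the address whitelist lifetime (3 days) and the number of passes before a whole domain is whitelisted (5) are assumed here because the post only says “a few days” and “enough messages”.

```python
from dataclasses import dataclass, field

TOO_EARLY = 2 * 60            # the post's 2-minute "too early" window
RETRY_WINDOW = 24 * 3600      # a retry later than this starts the cycle over
AWL_TTL = 3 * 24 * 3600       # assumed: a passed address stays whitelisted "a few days"
DOMAIN_AWL_AFTER = 5          # assumed: passes from one ip/domain pair before the domain is whitelisted

@dataclass
class Greylister:
    pending: dict = field(default_factory=dict)        # (ip, domain) -> time first seen
    address_awl: dict = field(default_factory=dict)    # (ip, sender) -> expiry time
    domain_passes: dict = field(default_factory=dict)  # (ip, domain) -> passes so far
    domain_awl: set = field(default_factory=set)       # domains no longer greylisted

    def check(self, ip: str, sender: str, now: int) -> str:
        """Return the SMTP reply for one delivery attempt: '250' accept or '450' try later."""
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain in self.domain_awl or self.address_awl.get((ip, sender), 0) > now:
            return "250"
        key = (ip, domain)
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now        # new (or stale) combination: temporary reject
            return "450"
        if now - first < TOO_EARLY:
            return "450"                   # retried too soon: reject again
        # A compliant retry inside the window: accept, and remember the sender.
        self.address_awl[(ip, sender)] = now + AWL_TTL
        n = self.domain_passes.get((ip, domain), 0) + 1
        self.domain_passes[(ip, domain)] = n
        if n >= DOMAIN_AWL_AFTER:
            self.domain_awl.add(domain)
        return "250"

def simulate(attempt_times: list, ip: str = "203.0.113.7",
             sender: str = "alice@example.test") -> list:
    """Replay one sender's delivery attempts (seconds) against a fresh daemon."""
    g = Greylister()
    return [g.check(ip, sender, t) for t in attempt_times]
```

A compliant MTA retrying at 1 and 5 minutes is accepted on the third attempt; a bot that never retries, or one that only comes back a day later, never gets through.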
Postfix MySQL and You!
by Nick on Oct.30, 2009, under Administration, E-Mail
Postfix is surprisingly flexible. When I initially set it up two years ago, I set it up to reference a database, but I had a flaw in my logic. Basically, Postfix had no idea if a domain was marked active or inactive in the database. All it knew was whether a domain was in the database or not. Postfix has a default query that looks for key information. However, you can supersede it in your config files. So I simply commented out the old variables that it passed to the default query, and wrote a new one:
user = DB_USER
password = supersecretpassword
hosts = 127.0.0.1
dbname = DB_NAME
table = domain
#select_field = domain <-- old version, commented out
#where_field = domain <-- old version, commented out
#New Query:
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true
Yes, I have backupmx enabled, even though that’s a titanically bad idea and I would never use it. Why is it a bad idea to function as a backup MX server? Because spammers don’t play by the RFCs and often send spam to lower-weighted MX records in an attempt to bypass spam protection.
But I never know what people may ask for in the future.
Ok, “ClueBringer” has some problems but it’s neat.
by Nick on Aug.10, 2009, under E-Mail
Spam is fun. Watching spammers in action is even more fun. Via a friend, I have a very old domain for which I handle mail. Since only one address is legitimate, it’s easy to use a wildcard alias to catch and analyze spam. I implemented some policies via Policyd2, aka “ClueBringer” (linux kids are cute, aren’t they?). Basically, I added a 20/hour recipient quota and a 5/hour /24-based sender quota, hoping to bounce a few messages. It never happens. The bot network that sends these messages implements a simple but effective interpolation scheme where the same address NEVER receives mail from the same IP address, and it always jumps /24s after 2 messages. It’s fascinating to watch.
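Why those two quotas never fire, shown as an added example (not the post’s own data or Policyd’s code): a sliding one-hour counter per recipient and per sending /24 is replayed over a constructed log that follows the rotation pattern described above, and over a constructed log of a naive single-host spammer for contrast. IPs and addresses are made up.

```python
import ipaddress
from collections import defaultdict

WINDOW = 3600        # the post's quotas are per hour
RCPT_QUOTA = 20      # messages per recipient per hour
NET_QUOTA = 5        # messages per sending /24 per hour

def _over_quota(history: dict, key, now: int, quota: int) -> bool:
    """Sliding-window counter: record this message under `key` and report
    whether the key already had `quota` messages inside the last WINDOW seconds."""
    recent = [t for t in history[key] if now - t < WINDOW]
    history[key] = recent + [now]
    return len(recent) >= quota

def quota_hits(log: list) -> tuple:
    """Replay (seconds, client_ip, recipient) records and count how many
    messages the recipient quota and the /24 sender quota would each reject."""
    rcpt_hist, net_hist = defaultdict(list), defaultdict(list)
    rcpt_hits = net_hits = 0
    for t, ip, rcpt in log:
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        if _over_quota(rcpt_hist, rcpt, t, RCPT_QUOTA):
            rcpt_hits += 1
        if _over_quota(net_hist, net, t, NET_QUOTA):
            net_hits += 1
    return rcpt_hits, net_hits

# Constructed logs, one message per minute for an hour.
# Botnet pattern from the post: two messages per /24, then a jump to a fresh /24,
# with recipients rotated so no address sees the same IP twice.
BOT_LOG = [(i * 60, f"10.0.{i // 2}.{i % 2 + 1}", f"user{i % 10}@example.test")
           for i in range(60)]
# A naive spammer for contrast: one host hammering one mailbox.
NAIVE_LOG = [(i * 60, "10.9.9.9", "user0@example.test") for i in range(60)]
```

The botnet log produces zero hits on either quota; the single-host log trips the recipient quota 40 times and the /24 quota 55 times.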
SpamAssassin
by Nick on Jun.24, 2009, under E-Mail
Spam is the bane of all email servers and services. As I wrote in my email entry, I use Maia, which is a frontend to Amavis, which is a daemon that ties various anti-spam and anti-virus programs together. When I originally set things up, I followed a guide on NEOHAPSIS. That guide was written in Russian, but had English examples. Basically, you set up Amavis, have Postfix route mail to it (it acts as an ESMTP server), and Amavis takes care of the rest. My anti-virus program is ClamAV. It works, and it’s fairly painless and simple. My anti-spam choice, SpamAssassin, was not quite as easy.
SpamAssassin is basically a Perl script, maintained by the Apache group, that incorporates various config scripts to filter out spam. There are several modules that you can incorporate, including DKIM checking, URI scanning, and RBL incorporation. You can customize your scoring of each component, making it very flexible. The default modules include SA-Blacklist, a massive blacklist that should not be used. Ever. Disable it, otherwise you will monopolize the CPU on your server. Maia integrates with SpamAssassin very well, allowing for quarantining with digests and reminders, statistics on each rule for customization, end-user blacklisting/whitelisting, and setting up honeypots, among other options. It’s very useful, effective, and not prone to false positives.
Chronophage E-mail Settings
by Nick on May.18, 2009, under E-Mail
I host mail for a few friends and family. I use Postfix as my MTA with Dovecot as my SASL/LDA/POP/IMAP server. Users are authenticated via MySQL and PAM, so I can have local and virtual accounts. To manage things, I use PostfixAdmin, with a few tweaks to accommodate my virtual users’ file structure. Logins are either the full email address (virtual accounts) or the username.
I use a combination of SQLGrey, ClamAV and Maia (a SpamAssassin frontend) for my anti-spam/anti-virus protection. SquirrelMail and RoundCube are both available for webmail. Mutt and Alpine are installed on the server as well.
The Settings are as follows:
Main Settings:
The POP3/IMAP4 and SMTP server is mail.chronophage.net
SMTP Authentication is ON
Ports are: 110/993* 143/995* and 25/587/465* for SMTP.
After switching LDA and SASL over to Dovecot, I have magnanimously set up Sieve scripting for my valuable users. And it works for both virtual and shell accounts.
Shell accounts can either use SquirrelMail, upload Sieve scripts via the Sieve Thunderbird plugin, or place them in your .sieve folder.
Virtual accounts will either have to use SquirrelMail or a program that can speak Sieve (standard port, 2000).
Sieve scripts DO count against your quota, so be careful, Virtual Users.
This is LDA-level filtering, so I can’t see what it’s doing in my logs; watch your filters!
There are a lot of Sieve scripts out there, have fun!
Procmail and Maildrop are installed on the system, and can be used for shell users via a .forward file.
Webmail:
http://mail.chronophage.net for SquirrelMail
http://mail.chronophage.net/rc for RoundCube
Postfix Admin
http://mail.chronophage.net/admin redirects to https://calypso.chronophage.net/mailadmin
Shell users should be able to log in with their email address, but passwords don’t sync with local passwords.
Send me an email to change passwords.