improve anti-spam rulesets: check_relay, check_mail, check_rcpt.

break each ruleset into identified sections. (called groups).
        note which groups can be reordered.
        each group accepts and returns the same strings,
                as much as possible.
        reactivate Paul Vixie's RBL (in check_mail)
        add rules to limit mail relaying to a list of hosts and domains
                in the R class (check_rcpt, not active on hub.freebsd.org)
Submitted by:	 jmb
This commit is contained in:
Jonathan M. Bresler 1997-12-01 00:15:38 +00:00
parent 8ac5e37330
commit 26da30bbbc
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=31467
3 changed files with 134 additions and 40 deletions

View file

@ -25,5 +25,8 @@ install:
.if exists(/etc/mail/denyip.local)
makemap -o hash /etc/mail/denyip < /etc/mail/denyip.local
.endif
.if exists(/etc/mail/fakenames)
makemap hash /etc/mail/fakenames < /etc/mail/fakenames
.endif
all: default install

View file

@ -3,12 +3,14 @@
Introduction:
The FreeBSD Project filters spam, unsolicited commerical
e-mail, from its mailing lists. The filter has two parts: databases
and rulesets. We have added three rulesets to /etc/sendmail.cf,
check_relay and check_mail and xlat. (xlat is for testing only, as
explained in /etc/mail/sendmail.cf.additions.) These rulesets use
two databases. The denyip, a list of IP addresses, and spamsites,
a list of domains. We do not accept mail from any machine that
matches a entry in either database.
and rulesets. We have rulesets to /etc/sendmail.cf, check_rcpt,
check_relay, check_rbl, check_mail and xlat. (xlat is for testing
only, as explained in /etc/mail/sendmail.cf.additions.) These
rulesets use three databases. The denyip, a list of IP addresses,
spamsites, a list of domains, and fakenames, a list of bogus
usernames (such as investor and success). We do not accept mail
from any machine that matches a entry in either database, or usersr
in the fakenames database.
Filtering at your site:
To filter spam at your site you need to:
@ -55,11 +57,24 @@ for every message filtered. The lines will be similar to one of
these two log entries:
Check_mail rejects:
"Oct 15 02:43:26 hub sendmail[6565]: CAA06565: ruleset=check_mail,
Oct 15 02:43:26 hub sendmail[6565]: CAA06565: ruleset=check_mail,
arg1=<announce@martianconsulate.com>, relay=xxx.isp.net [###.###.###.###],
reject=521 <announce@martianconsulate.com>"
reject=521 <announce@martianconsulate.com>
Nov 30 15:56:37 hub sendmail[15058]: PAA15058: ruleset=check_mail,
arg1=<ultramax@s2.eddelwissl.NET>, relay=relay.somewhere.com
[###.###.###.###], reject=451 <ultramax@s2.eddelwissl.NET>... Domain
does not resolve
Check_relay rejects:
Oct 19 04:45:24 hub sendmail[3503]: NOQUEUE: ruleset=check_relay,
arg1=imsp015.netvigator.com, arg2=205.252.144.206, relay=root@localhost,
reject=521 blocked.contact postmaster@FreeBSD.ORG
check_rcpt reject:
Nov 30 15:04:08 hub sendmail[12390]: PAA12390: ruleset=check_rcpt,
arg1=investor@100percent.per.year.com, relay=newfed.frb.gov
[198.3.221.5], reject=553 investor@100percent.per.year.com...
521<investor@100percent.per.year.com>#blocked.contact postmaster
Sun Nov 16 11:40:53 PST 1997

View file

@ -1,40 +1,116 @@
# list of hosts and domains for whom we relay mail.
# all .forward hosts, domains must be listed in this file.
# same for hosts and domains in /etc/aliases
FR-o /etc/sendmail.cR
# database declarations
Kdenyip hash -o -a.REJECT /etc/mail/denyip.db
Kfakenames hash -o -a.REJECT /etc/mail/fakenames.db
Kspamsites hash -o -a.REJECT /etc/mail/spamsites.db
# called with host.tld and IP address of connecting host.
# ip address must NOT be in the "denyip" database
Scheck_relay
R$* $| [$+ $1 $| $2 should not be needed
R$* $| $+] $1 $| $2 same (bat 2nd ed p510)
R$* $| $* $: $1 $| $(denyip $2 $)
R$* $| $*.REJECT $#error $: 521 blocked. contact postmaster@FreeBSD.ORG ($2)
# host must *not* be in the "spamsites" database
R$+.$+.$+ $| $* $2.$3 $| $4
R$+.$+ $| $* $: $(spamsites $1.$2 $) $| $3
R$*.REJECT $| $* $#error $: 521 blocked. contact postmaster@FreeBSD.ORG ($1)
# Host must be resolvable, currently not used at hub.freebsd.org
#R$* $| $* $: <?> <$1 $| $2> $>3 foo@$1
#R<?> <$*> $*<@$*.> $: $1
#R<?> <$*> $*<@$*> $#error $: 451 Domain does not resolve ($1)
# called with envelope sender, "Mail From: xxx", of SMTP conversation
# helper rulsesets; useful for debugging sendmail configurations
#
Scheck_mail
R$* $: <?> $>3 $1
R<?> $* < @ $+ . > $: $2
# R<?> $* < @ $+ > $#error $: "451 Domain does not resolve"
R<?> $* < @ $+ > $: $2
R$+.$+.$+ $2.$3
R$* $: $(spamsites $1 $: OK $)
ROK $@ OK
R$+.REJECT $#error $: 521 $1
#
Scheck_rbl
# lookup up an ip address in the Realtime Blackhole List.
R$-.$-.$-.$- $: $(host $4.$3.$2.$1.rbl.maps.vix.com $:OK $)
# for testing check_relay and check_mail
# if we type "$|", sendmail will split this into two tokens "$" and "|"
# this rule glues prevent sendmail from splitting "$|"
# to use: /usr/sbin/sendmail -bt
# host.domain.tld $| 111.222.333.444
Sxlat
Sxlat # for sendmail -bt
# sendmail treats "$" and "|" as two distinct tokens
# this rule "pastes" them together into one token
# and then calls check_relay.
R$* $$| $* $: $1 $| $2
R$* $| $* $@ $>check_relay $1 $| $2
Scheck_relay
# called with "hostname.tld $| IP address" of connecting host.
# hostname.tld is the fully-qualified domain name
# IP address is dotted-quad with surrounding "[]" brackets.
#
# each group of rules in this ruleset is independent.
# each accepts and return "hostname.tld $| IP address"
# use the ones that you want comment out the rest
# you may rearrange the groups but not the rules in each group.
# each group is preceded and followed by a comment
#
# host must NOT be in the "spamsites" database--BEGIN
R$* $| $* $: <$1 $| $2> $1
R<$*> $+.$+.$+ <$1> $3.$4
R<$*> $+.$+ $: <$1> $(spamsites $2.$3 $)
R<$*> $*.REJECT $#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
R<$*> $* $: $1
# host must NOT be in the "spamsites" database--END
# ip address must NOT be in the "denyip" database--BEGIN
R$* $| $* $: $1 $| $(denyip $2 $)
R$* $| $*.REJECT $#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
# ip address must NOT be in the "denyip" database--END
# Host must resolve--BEGIN
R$* $| $* $: <$1 $| $2> $>3 foo@$1
R<$*> $*<@$*.> $: $1
R<$*> $*<@$*> $#error $: "451 Domain does not resolve"
# Host must resolve--END
R$* $@ OK
Scheck_mail
# called with envelope sender (everything after ":") in
# "Mail From: xxx", of SMTP conversation
# may or may not have "<" ">"
# the groups of rules in this ruleset ARE NOT independent.
# "remove all RFC-822 comments" must come first
# "Paul Vixie's RBL" must be last
# you may rearrange the other rules.
#
# use the ones that you want comment out the rest
# each group is preceded and followed by a comment
#
# remove all RFC-822 comments--BEGIN
# MUST be first rule in check_mail rulseset.
R$* $: $>3 $1
# remove all RFC-822 comments--END
# mail must come from a DNS resolvable host--BEGIN
R$* < @ $+ . > $: $1 @ $2
R$* < @ $+ > $#error $: "451 Domain does not resolve"
# mail must come from a DNS resolvable host--END
# mail must NOT come from a known source of spam--BEGIN
# resolved. second check: one of the know spam sources?
R$+ @$+ $: <$1@$2> $1 @$2
R<$*> $+ @$+.$+.$+ <$1> $4.$5
R<$*> $* $: $(spamsites $2 $: OK $)
R$+.REJECT $#error $: 521 $1
R<$*> $* $: $1
# mail must NOT come from a known source of spam--END
# ip address must NOT be in Paul Vixie's RBL--BEGIN
R$* $: $1 $: $(dequote "" $&{client_addr} $)
R$* $: $>check_rbl $1
R$*.com. $#error $: "550 Mail refused, see http://maps.vix.com/rbl"
# ip address must NOT be in Paul Vixie's RBL--END
R$* $@ OK
Scheck_rcpt
# called with envelope recipient (everything after ":") in
# "Rcpt To: xxx", of SMTP conversation
# may or may not have "<" ">" and or RFC-822 comments.
# let ruleset 3 clean this up for us.
#
# do NOT reorder these two groups of rules.
# restrict mail relaying to host and domains listed in /etc/sendmail.cR
#
# mail must NOT be addressed "fakenames"--BEGIN
R$* $: <$1> $>3 $1
R<$*> $+ < @ $+ > $: <$1> $(fakenames $2 $: OK $)
R$+.REJECT $#error $: 521 $1
R<$*> $* $: $1
# mail must NOT be addressed "fakenames"--END
# mail must come from or go to this machine or machines we allow to relay--BEGIN
# R$* $: $>Parse0 $>3 $1
# R$+ < @ $* . > $* $: $1 < @ $2 >
# R<$+ @ $=w> $@ OK
# R<$+ @ $* $=R> $@ OK
# R$* $: $(dequote "" $&{client_name} $)
# R$=w $@ OK
# R$* $=R $@ OK
# R$@ $@ OK
# R$* $#error $: "550 Relaying Denied"
# mail must come from or go to this machine or machines we allow to relay--BEGIN
R$* $@ OK