From d86b9f73126adcaefc521b51db62825c7d9837b5 Mon Sep 17 00:00:00 2001 From: Stuart Gathman Date: Tue, 9 Sep 2008 23:07:48 +0000 Subject: [PATCH] Whitelists and Blacklists --- doc/milter.ht | 62 +++++--------------------------------------- doc/policy.ht | 71 +++++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 69 insertions(+), 64 deletions(-) diff --git a/doc/milter.ht b/doc/milter.ht index 682a0f3..844d662 100644 --- a/doc/milter.ht +++ b/doc/milter.ht @@ -25,7 +25,7 @@ Mascot by Christian Hafner Stuart D. Gathman
This web page is written by Stuart D. Gathman
and
sponsored by Business Management Systems, Inc.
-Last updated Mar 30, 2007 +Last updated Aug 26, 2008 See the FAQ | Download now | Subscribe to mailing list | @@ -44,7 +44,9 @@ Sendmail 8.12 officially releases libmilter. Version 8.12 seems to be more robust, and includes new privilege separation features to enhance security. Even better, sendmail 8.13 supports socket maps, which makes pysrs much more -efficient and secure. I recommend upgrading. +efficient and secure. Sendmail 8.14 finally supports modifying +MAIL FROM via the milter API. Unfortunately, I haven't gotten around +to supporting that yet in python milter. @@ -209,60 +211,8 @@ href="http://www.duh.org/cvsweb.cgi/~checkout~/pmilter/doc/milter-protocol.txt?r

Confirmed Installations

Please email -me if you successfully install milter on a system not mentioned below. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Operating System Compiler Python Sendmailmilter
Mandrake 8.0gcc-3.0.12.1.18.12.00.3.3
Mandrake 8.0gcc-2.962.08.11.20.3.6
RedHat 6.2egcs-1.1.22.2.28.11.60.5.4
RedHat 7.1gcc-2.96?8.12.10.3.5
RedHat 7.3gcc-2.962.2.28.11.60.5.5
RedHat 7.3gcc-2.962.3.38.13.10.7.2
RedHat 7.3gcc-2.962.4.18.13.50.8.4
RedHat 8.0gcc-3.22.2.18.12.60.5.2
RedHat 9.0gcc-3.2.22.4.18.13.10.8.2
RedHat EL3gcc-3.2.32.4.18.13.50.8.4
Debian Linuxgcc-2.95.22.1.18.12.00.3.7
Debian Linuxgcc-3.2.22.2.28.12.70.5.4
AIX-4.1.5gcc-2.95.22.1.18.11.50.3.3
AIX-4.1.5gcc-2.95.22.1.18.12.10.3.4
AIX-4.1.5gcc-2.95.22.1.38.12.30.4.2
AIX-4.1.5gcc-2.95.22.4.18.13.10.8.4
Slackware 7.1??8.12.10.3.8
Slackware 9.0gcc-3.2.22.2.38.12.90.5.4
OpenBSD?2.3.3?8.13.1?0.7.2
SuSE 7.3gcc-2.95.32.1.18.12.20.3.9
FreeBSDgcc-2.95.32.2.18.12.30.4.0
FreeBSDgcc-2.95.32.2.2?0.5.5
FreeBSD 4.4gcc-2.95.3?8.12.100.6.6
+me if you do not successfully install milter. The confirmed +installations are too numerous to list at this point.

Enough Already!

diff --git a/doc/policy.ht b/doc/policy.ht index 750cf08..3e57bc6 100644 --- a/doc/policy.ht +++ b/doc/policy.ht @@ -82,7 +82,7 @@ to determine the official SPF policy result. The offical SPF result is then logged in the Received-SPF header field, but certain results are subjected to further processing to create an effective result for policy purposes. - +

If the official result is 'none', we try to turn it into an effective result of 'pass' or 'fail'. First, we check for a local substitute SPF record under the domain defined in the [spf]delegate configuration. @@ -91,12 +91,12 @@ too clueless to add their own. If there is no local substitute, we use a "best guess" SPF record of "v=spf1 a/24 mx/24 ptr" for MAIL FROM or "v=spf1 a/24 mx/24" for HELO. In addition, a HELO that is a subdomain of MAIL FROM and resolves to the connect IP results in an effective result of 'pass'. - +

If there is no local SPF record, and the effective result is still not 'pass', we check for either a valid HELO name or a valid PTR record for the connect IP. A valid HELO or PTR cannot look like a dynamic name as determined by the heuristic in Milter.dynip. - +

If HELO has an SPF record, and the result is anything but pass, we reject the connection: 

@@ -107,16 +107,16 @@ the connection:
Note that HELO does not have any forwarding issues like MAIL FROM, and so any result other than 'pass' or 'none' should be treated like 'fail'. - +

Only if nothing about the SMTP envelope can be validated does the effective result remain 'none. I call this the "3 strikes" rule. - +

If the official result is 'permerror' (a syntax error in the sender's policy), we use the 'lax' option in pyspf to try various heuristics to guess what they really meant. For instance, the invalid mechanism "ip:1.2.3.4" is treated as "ip4:1.2.3.4". The result of lax processing is then used as the effective result for policy purposes. - +

With an effective SPF result in hand, we consult the sendmail access database to find our receiver policy for the sender. @@ -159,7 +159,7 @@ SPF-Fail:abeb@adelphia.net DSN This says to accept mail from that adelphia.net user despite the SPF fail, but only after annoying them with a DSN about their ISP's broken policy. - +

If there is no match on the full sender, the domain is checked: 

 SPF-Neutral:aol.com     REJECT
@@ -168,7 +168,7 @@ This says to reject mail from AOL with an SPF result of neutral.
 This means AOL users can't use their AOL address with another mail service
 to send us mail.  This is good because the other mail service is 
 likely a badly configured greeting card site or a virus.
-
+

 Finally, a default policy for the result is checked.  While there are program
 defaults, you should have defaults in the access database for SPF results:
 
@@ -192,3 +192,58 @@ independently for each SPF result and sender combination.  So aol.com:neutral
 might have a really bad reputation, while aol.com:pass would be ok.
 Furthermore, when a sender finally publishes an SPF policy and starts
 getting SPF pass, their reputation is effectively reset.
+
+
 Whitelists and Blacklists 

+
+The administrator can whitelist or blacklist senders and sending domains by
+appending them to ${datadir}/auto_whitelist.log or
+${datadir}/blacklist.log respectively.  In addition,
+recipients of internal senders (except for automatic replies like vacation
+messages and return receipts) are automatically whitelisted for 60 days, and
+senders that fail CBV or DSN checks are automatically blacklisted for 30 days.
+Whitelisted and blacklisted senders are used to automatically train the
+bayesian content filter before being delivered or rejected, respectively.
+

+Real Soon Now users will be able to maintain their own whitelist and
+blacklist that applies only when they are the recipient.
+
+
 Content Filter 

+
+Most messages have been rejected or delivered by now, but spammers
+are always finding new places to send their junk from.  For instance,
+we get around 10000 emails a day, of which around 500 are first time
+spam senders.  A bayesian filter is trained by the whitelists and
+blacklists, and scores the message.  What is likely spam is either
+rejected or quarantined.  If the sender is an effective SPF pass,
+then they get a DSN notifying them that their message has been
+quarantined.  (A DSN failure gets the sender auto blacklisted.)
+Else, if the reject_spam option is set, the message is rejected.  
+Otherwise, a CBV is done (failure gets the sender auto blacklisted)
+and the message is silently quarantined.
+

+Normally, you don't want email messages to silently disappear into
+a black hole, so you should set the reject_spam option.  However,
+if you don't want your correspondent's email to get rejected, you can
+check your quarantine frequently instead.
+
+
 Honeypot 

+
+You can also blacklist recipients by listing them as aliases of the
+'honeypot' dspam user.  These are collectively called
+the honeypot.  Any email to these recipients is used to train the
+spam filter as spam and chalk up a reputation demerit for the sender, then
+discarded.  It might be a good idea to blacklist the sender if it has SPF pass
+as well, but I'm afraid of accidents.
+
+
 Reputation 

+
+Reputation is tracked by sending domain and effective SPF result.
+The GOSSiP server tracks the spam/ham status of the last 1024 messages
+for each domain:result combination.  When the server is queried during
+the SMTP envelope phase (MAIL FROM), it also queries any configured
+peers, and the scores are combined.  Domains with a history of spam for
+a given SPF result are rejected at MAIL FROM.  The GOSSiP system has
+a command line utility to reset (delete) a reputation for cases where a
+sender that was infected with malware is repaired.  In addition,
+the confidence score of a reputation decays with time, so a bad sender
+will eventually be able to try again without manual intervention.