mail - brad's life — LiveJournal
Brad Fitzpatrick


mail [Jun. 8th, 2004|08:42 am]
Brad Fitzpatrick
So if 80% of spam is from Windows Trojans, what about making an incoming mail filter that fingerprints the remote TCP stack and assigns massive spam points to mail from Windows?

Speaking of mail, LJ was sucking yesterday because of mail, and people in lj_dev seemed to all have a clue, but I still didn't. I really, really hate mail systems.

What I ended up doing was writing a daemon that's a mix of a pipelined HTTP server and QMTP and dumps messages into the MTA's outgoing mail queue through the sendmail interface (we actually use Postfix). The protocol looks HTTP-like, with two headers: Content-Length (required) and, optionally, Envelope-Sender. The body that follows is the mail to pipe to sendmail. The client can send as many messages as it wants on the same connection.

Seems to kick ass. More rewarding since concept to realization was only a few hours. (the Danga::Socket base class makes network daemons pretty easy)

It's in cvs if you want it, but I imagine it's a lame fix and real mail admins could just fix their mail servers.
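Here is an added example (not Brad's daemon or any LJ code) of the framing described above, written in Python: it pulls pipelined messages off one connection using Content-Length and the optional Envelope-Sender, keeps a half-received message for the next read, and shows the checks a hand-off to sendmail needs. It assumes CRLF line endings, a size cap, and the `-t`/`-i` sendmail flags, none of which the post states.

```python
import re

# Assumptions made for this example: the post gives no size cap and does not
# say whether the headers are CRLF-terminated.
MAX_MESSAGE_BYTES = 10 * 1024 * 1024
_SENDER_OK = re.compile(rb"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+")

class ProtocolError(Exception):
    pass

def valid_sender(value: bytes) -> bool:
    # Reject anything that could smuggle an option (leading '-') or a newline
    # into the sendmail -f argument; empty means "let the MTA pick".
    return value == b"" or _SENDER_OK.fullmatch(value) is not None

def parse_messages(buf: bytes):
    """Split a pipelined client stream into (envelope_sender, body) pairs.
    Returns (messages, remainder); the caller keeps the remainder until more
    bytes arrive, so a half-received message is never lost or mis-framed."""
    messages = []
    while True:
        end = buf.find(b"\r\n\r\n")
        if end == -1:
            return messages, buf                      # header block incomplete
        header_block, rest = buf[:end], buf[end + 4:]
        headers = {}
        for line in header_block.split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if not sep:
                raise ProtocolError("malformed header line")
            headers[name.strip().lower()] = value.strip()
        length_bytes = headers.get(b"content-length")
        if length_bytes is None or not length_bytes.isdigit():
            raise ProtocolError("Content-Length missing or not a non-negative integer")
        length = int(length_bytes)
        if length > MAX_MESSAGE_BYTES:
            raise ProtocolError("message too large")  # never buffer unbounded input
        sender = headers.get(b"envelope-sender", b"")
        if not valid_sender(sender):
            raise ProtocolError("bad Envelope-Sender")
        if len(rest) < length:
            return messages, buf                      # body not fully received yet
        body, buf = rest[:length], rest[length:]
        messages.append((sender.decode() or None, body))

def sendmail_argv(sender, path="/usr/sbin/sendmail"):
    # argv list, never a shell string. -i keeps a lone "." line from ending
    # input; -t takes recipients from the message headers (assumed here).
    return [path, "-i", "-t"] + (["-f", sender] if sender else [])
```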

Comments:
From: wrexen
2004-06-08 09:30 am (UTC)
Conversely, since at least 80% of non-spam mail comes from Windows, shouldn't we assign major non-spam points to mail coming from Windows boxes? Statistics are a wonderful thing
From: cpm
2004-06-08 09:34 am (UTC)
Wouldn't that end up flagging most messages from Exchange servers as spam?

On the other hand, most people probably receive far more trojaned Windows spam than legitimate mail from Exchange users, so it might be a fair tradeoff. Heh.
From: scosol
2004-06-08 09:36 am (UTC)
Whose remote TCP stack would you connect to?
Most of the time tracking a spam back to the individual sending machine (Windows) is impossible, so all you'll see are intermediary MTAs (likely not Windows).

From: jamesd
2004-06-08 01:47 pm (UTC)

Are you blocking dynamic/home IPs yet?

Are you blocking dynamic (dialup, cable, DSL) IPs from connecting directly to your mailservers yet? AOL does, and so do I; I wrote the SpamPal plugin which does it client-side. NJABL has the one I use; here's the list of possibilities I know about:

MXNJABL YES dnsbl.njabl.org 127.0.0.3
MXPANAM NO dialups.visi.com 127.0.0.2
MXDULRU NO dul.ru 127.0.0.1
MXLEAD NO spamguard.leadmon.net 127.0.0.2
MXSORBS NO dul.dnsbl.sorbs.net 127.0.0.10

YES is the one I have turned on, domain is the place to send the DNS query, and IP is the result code which means dynamic. Use the usual reversed byte order for the DNS query. You can cache the results for a long time (a week perhaps) with a local DNS server; these don't change much.

You will get some complaints. Mail address whitelists are a good idea to cut them - if you track outgoing for a while you can build the list in advance. If it turns out that you don't have an efficient way to compare addresses, calculate CRC-32 and just use that - you don't care enough about the rare collisions (false positive whitelisting) for it to matter. No idea if your mail system does this efficiently or not.

For those who don't know, trojan-captured systems tend not to use the mail servers of their ISP. They tend to directly connect to the mail server of the destination site. Hence, direct to MX spam and blocking of such connections, or even ISPs blocking the ability of their customers to make outbound connections on the normal port used to connect to those servers.
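An added example, not jamesd's SpamPal plugin or any code from the page, showing the lookup the comment above describes in Python: the reversed-octet query name, matching only the zone's documented result code, and the CRC-32 whitelist shortcut. The DNS resolver is injectable so the check can be exercised offline with constructed answers; the zone table is the comment's list.

```python
import ipaddress
import socket
import zlib

# DUL zones and the result code each uses to mean "dynamic", taken from the
# list in the comment above (only the first is enabled there).
DUL_LISTS = {
    "dnsbl.njabl.org": "127.0.0.3",
    "dialups.visi.com": "127.0.0.2",
    "dul.ru": "127.0.0.1",
    "spamguard.leadmon.net": "127.0.0.2",
    "dul.dnsbl.sorbs.net": "127.0.0.10",
}

def dul_query_name(client_ip: str, zone: str) -> str:
    """Reversed-octet lookup name: 203.0.113.9 -> 9.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(client_ip)    # raises ValueError on garbage
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_resolve(name: str) -> list:
    """Real resolver: A records for name, [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def dynamic_listing(client_ip: str, resolve=dns_resolve, lists=DUL_LISTS):
    """Return the first zone listing client_ip as dynamic, else None.
    Only the zone's documented code counts: other 127.x answers mean other
    things, and a private/loopback address is never looked up at all."""
    if not ipaddress.IPv4Address(client_ip).is_global:
        return None
    for zone, code in lists.items():
        if code in resolve(dul_query_name(client_ip, zone)):
            return zone
    return None

def whitelist_crcs(addresses):
    """Compact whitelist as CRC-32 of the normalised address (the comment's
    'collisions do not matter' trade: a collision only whitelists more)."""
    return {zlib.crc32(a.strip().lower().encode()) for a in addresses}

def should_reject(client_ip, envelope_sender, crcs, resolve=dns_resolve):
    """Reject direct-to-MX mail from a listed dynamic IP unless the envelope
    sender is whitelisted."""
    if zlib.crc32(envelope_sender.strip().lower().encode()) in crcs:
        return False
    return dynamic_listing(client_ip, resolve) is not None
```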
From: brad
2004-06-08 04:30 pm (UTC)

Re: Are you blocking dynamic/home IPs yet?

No, we don't. We should, though. I'll do it at least for my personal mail.
From: (Anonymous)
2004-06-08 04:58 pm (UTC)

qmail

You mentioned QMTP, why are you guys using postfix and not qmail? If security, performance, and ease of administration are at the top of your requirements, you should take a serious look at it.
From: brad
2004-06-08 05:19 pm (UTC)

Re: qmail

I don't like djb.
From: (Anonymous)
2004-06-09 09:57 am (UTC)

Re: qmail

Me either, but hey I swallow my pride, his software is the best.
From: brad
2004-06-09 11:19 am (UTC)

Re: qmail

Well, it's not in Debian, so as far as I'm concerned it's not part of my free software world.
From: (Anonymous)
2004-06-09 03:19 pm (UTC)

Re: qmail

Touché:
http://packages.debian.org/stable/mail/qmail-src
Sure, you have to "compile" it (using the qmail-build command that comes with the package), but djb doesn't allow qmail to be distributed in binary form anyways, mostly for academic reasons.
From: brad
2004-06-09 03:52 pm (UTC)

Re: qmail

I'm aware of that. Did you notice the big red [non-free] marker after the title?
From: grumpy_sysadmin
2004-06-08 05:02 pm (UTC)
I'm sure this HTTP + QMTP thing is swell... but could you explain how it's not reinventing the SMTP wheel, please?
From: brad
2004-06-08 05:21 pm (UTC)
Because I couldn't figure out how to get SMTP to accept+defer immediately without blocking the SMTP client.

It's a quick hack.

But it's also good because, like QMTP, there's much less round-tripping, and the client can keep a persistent connection open and reuse it. Yes, you can do that with SMTP too, but none of the perl modules seem to support it. Or I haven't seen.

If we ever get our mail non-sucky, we could remove this hack.
From: grumpy_sysadmin
2004-06-08 06:09 pm (UTC)
I don't like djb either. ;^>

Postfix 2 can accept/defer at SMTP time, though it does make the client wait. (There's really no way not to if you're going to give them a 45x or 55x.) In my experience (feed data to amavisd, so to SA), it's not long enough that anyone hangs up on you.