Archive for the 'Admin issues' Category

Alternative to personal mailservers

Thursday, May 25th, 2006

In the past, personal mailservers have been very popular with geeks who travel a lot, or even with people who travel a lot and have geek friends. Search for “personal smtp server”.
These mailservers are usually used for outgoing mail only, and that worked well for years and years.

No longer…

Today it works in some cases and fails miserably in others. Dynamic IP ranges have been identified and are listed in DNS blocklists, so mail sent straight from a mailserver on a dynamic IP address may be rejected or silently dropped by the receiving end. And getting the HELO right on a Windows machine presents its own challenges: many receivers now insist that the HELO name is a fully qualified hostname that exists in DNS, and a laptop announcing itself with a bare machine name fails that test.

Because the majority of spam and viruses today are sent directly from small SMTP engines (outgoing mailservers) running on ordinary, infected Windows computers, more and more mailservers are configured to reject or drop mail that arrives straight from such machines. The receiving side can’t tell your carefully set-up personal mailserver from a bot: both come from a dynamic IP, often with a HELO that doesn’t resolve.

Get the picture?

So, what’s the alternative? It’s pretty simple, really.

Either log in to your company’s VPN and send through the company mailserver. Or find a mailserver that offers SMTP AUTH or similar (authenticated submission, normally on port 587, preferably with TLS so your password doesn’t travel in the clear). Or keep a computer at home or at work set up with remote desktop and send from there.

No matter where you are in the world, your e-mail then goes out through the same mailserver, one with a static IP, proper reverse DNS and a correct HELO. Problem solved…

Keep your bayesian trained

Friday, May 5th, 2006

I apologize in advance for this looking more cryptic than usual. It’ll make perfect sense to mailserver admins who use SpamAssassin…

If you’ve got a mail server with SpamAssassin, its Bayesian classifier is only as good as its training, so you need to keep it trained. Many trim the Bayes database weekly (expiring tokens that haven’t been seen in a while) to keep the size and speed down.

Even if you keep auto-learning on, you may end up in a situation where you reject so much spam before it’s received (DNS blocklists, HELO checks and greylisting all act at SMTP time, before SpamAssassin ever sees the message) that your Bayesian filter deteriorates over time. It simply doesn’t see enough spam to keep its token database current, and auto-learning only learns from mail that actually gets through to it.

If and when that happens, feed the filter spam manually (sa-learn --spam on a folder of confirmed spam, plus some confirmed ham so the two sides stay balanced) and it’ll get better.

This deterioration happens gradually. Keep an eye on your spam-bin statistics and see how much of the mail gets “skimmed off the top”. If the numbers go down, chances are it’s not the total amount of spam that has gone down but the effectiveness of your filters. Check the SMTP-time reject counts in the mail log as well: if those haven’t dropped, the spam is still coming, and the Bayes side is what has changed.

Don’t be a bad boy on company time

Saturday, April 8th, 2006

Many people use their job e-mail for private things. It may seem completely innocent, but e-mail isn’t private. What seems innocent in the beginning may end up anything but.

Many of these examples are true stories.

What if you send a racy proposition to some business associate and manage to misspell the address? That mail may end up somewhere it’s not supposed to be. If you’re lucky it’ll bounce back to you, but you may not be that lucky.

What if you send a love note and attach a file that gets stopped by some filter, or clogs up the server? A notice may get sent to you, but also to the admin, who may even get a copy of the entire mail…

Let’s say the boss sacks you for some offense and decides to find out what you used company e-mail for. If you’ve been a really bad boy, the server logs alone (sender, recipients, size and time of every message, no contents needed) will give the boss an idea of what you do with your free time. And forget about saying you only get spam: good analysis will differentiate between spam and mail generated by a subscription.

Or even if you leave your job for another job. If there’s a lot of valuable incoming mail to your account, your old boss may decide to reroute your old e-mail address to a new employee, so no business contacts are lost in the transition. If you’ve used that e-mail address for private stuff, it could get embarrassing if you forget to notify someone, or that someone is a bit forgetful…

And if you have your own e-mail address, don’t use the outgoing mailserver at work for it. Like I said, server logs are pretty specific about who you converse with.

Some companies keep and analyze logs of what you surf. They can’t tell what the contents of Hotmail, Gmail and Yahoo webmail are without more invasive methods, though: a proxy that logs URLs sees which site you visited, not the message. The caveat is that as long as the webmail session runs over plain HTTP, which is the norm, a company that wants to record page contents instead of just URLs can do so.

Just a little heads up.

Even if you don’t have anything to hide, separating company e-mail and private e-mail is a good rule of thumb, just in case you switch jobs or your company gets embroiled in legal action. Think about all those e-mails by Enron employees that have become public, even though some of those mails have nothing to do with the case!

VPN blues

Tuesday, April 4th, 2006

Sometimes I just have to laugh.

I work for an ISP these days, and sometimes I get puzzling problems thrown in my lap.

Like the guy who couldn’t send e-mail through our servers. He couldn’t understand it, because he was hooked up to our net, and there was absolutely no reason he shouldn’t be able to send e-mail.

Then there’s the guy who threw a fit because our network blocked a racy site. Or so he thought.

Problem is, both of them were connected to a VPN (Virtual Private Network).

Many companies provide their employees with VPN connections to minimize the chance that their traffic could be sniffed and misused, because the VPN tunnel is encrypted. When you’re connected to a full-tunnel VPN, all your traffic leaves through the company network and your IP address becomes that of the VPN connection, so the ISP’s mailserver no longer sees you as one of its own customers. And your company may have installed filters, maybe even proxy servers, for that connection, so you may not be able to reach everything. An ISP generally doesn’t filter your net access, but companies can usually get away with any kind of filtering they like. It’s not like their employees will leave over that…

Consequently, when these employees are unaware that they’re still connected to the VPN, unexpected things happen…

So next time unexpected things happen with your net connection, check to see that you’re not hooked up to your VPN connection…

Formatting HP computers

Friday, March 31st, 2006

I’ve started over from scratch with a few HP computers of various ages.

As some of you know, HP computers come with rescue partitions these days. They’re supposed to be used instead of installing from a Windows CD. So if you do start from scratch (new hard drive, for instance), you might be in for a few surprises, like I was.

One older machine came with a sticker for a win2000 license, but I felt like installing win98 on it (only put such a machine offline or behind a good router firewall). The installation was text book, until I was finished and discovered that the display driver was wrong. Looked horrible. Turns out it needed drivers for just about everything. HP is really good about drivers. You can download everything you need from HP’s site, no matter how old the computer is. Just search their site for the exact model number. And using a different OS wasn’t a problem with this particular computer.

An AMD Pavilion that must have been a race horse in 2003 was due for a complete reinstall. I didn’t have the original harddrive, and the harddrive I put in had had a Debian flavor on it.

It has one DVD drive and one DVD burner. But no matter what I did (yes, I verified in the BIOS that it was set to boot from one of the drives, and even swapped drives), I could not get it to boot from the DVD drives.

Solution:
First a win98 boot floppy with fdisk on it. To kill off the Linux MBR:
fdisk /mbr

Then, disconnect the built in DVD drives, and connect a plain vanilla CD-ROM drive, with the windows CD in it.

This time it works…

Heh, the first time I did this, I just grabbed the first CD-ROM I saw. And marvelled at how slow the windows installation went. Turns out the CD-ROM was made in 1996. So I got a newer one (yanked it out of a machine at the office), and the installation worked.

BTW, there’s usually a sticker with a Windows license key on HP machines. To use those, you need an OEM Windows CD. The license will not work with a retail version CD. Fujitsu Siemens CDs are usually OK. They don’t have bloatware built in, like some rescue disks (Dell, HP, and I’m sure others are filled with bloatware). One win98 CD I tried refused to install on a non-Fujitsu Siemens machine, but winXP usually works. Well, at least the machine hasn’t foobared yet. I didn’t have time to register Windows last night… Hopefully I won’t have trouble with switching the DVD drives back? WinXP has copy protection that pays attention to the hardware you use for a Windows installation…

Update: I had to call Microsoft to get the WinXP copy activated. Because it had been activated before, and the hardware had changed a little bit since (new hard drive), it wouldn’t activate by itself. Calling Microsoft was pretty painless. The automated thingy didn’t work, but all the guy at Microsoft needed to know was that it was the same box, and that the code on the license sticker hadn’t been used for other computers as well. I.e., that it wasn’t pirated, just a new hard drive in the same box. I’ve been thinking. Let’s say I want to test out some software on the box, but don’t want to ruin my main installation (no time to reformat). I’m not sure if Microsoft would understand the distinction: one machine, several installations alternating? Maybe an image of the finished and patched OS would be in order, before I put on a lot of software?

Also, as I said below. Both DVD drives failed and had to be replaced. I don’t know why they failed, but they wouldn’t work in any of my tests.

Coping with joe jobs

Thursday, March 30th, 2006

I was contacted by someone who’s been under a heavy deluge of faked-sender spam bounces for months. He wanted help in making it go away.

I have a few tips that can be used, and I’ll put some of them here:

First of all, faked-sender spam is different from the classic Joe Job. You can read more about the Joe Job here, and some advice on handling it:

Sabotage! Coping With The Joe Job

There’s also advice there that you can use for faked-sender spam, but it doesn’t address the faked-sender bounces (backscatter) many domain owners experience today. Those spamruns are sent with non-existent addresses at your domain as the sender, so every bounce, out-of-office reply and challenge they provoke lands on your mailserver.

Perhaps the biggest perpetrator of large scale faked sender spams is Leo Kuvayev. He’s tagged some of my customer’s domains, so I know how bad it can get until you take countermeasures.

1) Turn off catch-all, so the bounces to made-up addresses at your domain never get delivered to you.
2) Verify that your mailserver REJECTS mail to non-existent e-mail addresses at SMTP time, instead of accepting it and then BOUNCING it. This significantly reduces the load on the server, and it means you don’t generate backscatter of your own. This is the default if you’ve got cPanel with catch-all turned off; in Postfix it is what local_recipient_maps (on by default) gives you. To check: from an outside account, send yourself an e-mail to a nonsensical address at your domain, and verify that the bounce comes from the server you sent through, not from your own mailserver. Or talk SMTP to your server by hand and confirm that RCPT TO for the bogus address gets a 5xx reply.
3) Put up a notice (small text link) on your website with information about the spamruns, if it keeps on going.
4) If your domain is used for very few e-mail accounts, and you’ve got full control over where legitimate mail with your domain as sender is sent from, check out SPF (Sender Policy Framework). For a domain whose mail all leaves through its own MX hosts, a record of v=spf1 mx -all says exactly that. Keep in mind that SPF only helps at receivers that check it, so it reduces the backscatter rather than ending it. Also investigate other techniques like DomainKeys etc.

All of my suggestions make your domain less palatable to the spammers. But if they’ve been using it for some time, they may not notice, since they don’t see the bounces anyway. However, if you act proactively and remove catch-all before the first faked-sender spamrun, they may bypass your domain altogether.

And remember: unless you’ve got access to your mailserver’s logs, you won’t know whether the spamruns continue after you’ve removed catch-all, unless they tag an existing e-mail address by mistake. Once unknown recipients are rejected at SMTP time, the only trace of a continuing run is the reject lines in the log.
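What those reject lines can tell you, as an added example that is not part of the original post: the script below parses constructed Postfix smtpd reject lines (hosts and addresses invented for the example) and separates backscatter, bounces with the null sender coming back for mail you never sent, from a single host probing many unknown addresses with a real sender, which is the address-book-harvest or dictionary traffic the post mentions. The log layout and the threshold for calling something a dictionary run are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix smtpd reject lines (invented hosts and addresses). This
# is what the mail log shows once catch-all is off and unknown recipients are
# rejected at RCPT TO time instead of being accepted and bounced.
SAMPLE_LOG = """\
Mar 30 02:11:05 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from mta7.bigisp.example[198.51.100.9]: 550 5.1.1 <xk3f2q@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<xk3f2q@example.org> proto=ESMTP helo=<mta7.bigisp.example>
Mar 30 02:11:09 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from mail.univ.example[203.0.113.44]: 550 5.1.1 <b8d1zz@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<b8d1zz@example.org> proto=ESMTP helo=<mail.univ.example>
Mar 30 02:11:31 mx1 postfix/smtpd[2213]: NOQUEUE: reject: RCPT from mta7.bigisp.example[198.51.100.9]: 550 5.1.1 <xk3f2q@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<xk3f2q@example.org> proto=ESMTP helo=<mta7.bigisp.example>
Mar 30 02:12:02 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@cheap.example> to=<aaron@example.org> proto=SMTP helo=<cheap.example>
Mar 30 02:12:02 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@cheap.example> to=<abby@example.org> proto=SMTP helo=<cheap.example>
Mar 30 02:12:03 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@cheap.example> to=<adam@example.org> proto=SMTP helo=<cheap.example>
Mar 30 02:13:40 mx1 postfix/smtpd[2215]: NOQUEUE: reject: RCPT from relay.corp.example[198.51.100.200]: 550 5.1.1 <n0reply7@example.org>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@corp.example> to=<n0reply7@example.org> proto=ESMTP helo=<relay.corp.example>
"""

# One reject line per RCPT TO; the layout matches Postfix's smtpd reject
# message for an unknown local recipient (assumption: default reply text).
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown[^;]*; "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*>"
)


def parse_rejects(log):
    """One dict (host, ip, rcpt, sender) per rejected unknown local recipient."""
    return [m.groupdict() for m in (REJECT.search(line) for line in log.splitlines()) if m]


def classify(log, dictionary_threshold=3):
    """Split the rejects into backscatter (null sender: a bounce coming back for
    mail we never sent) and direct delivery attempts with a real sender. A host
    that tries dictionary_threshold or more different unknown addresses with a
    real sender is reported as a dictionary attacker. Autoresponders that use a
    non-empty sender such as postmaster@ fall into the second group, so the
    backscatter figure is a lower bound."""
    rejects = parse_rejects(log)
    backscatter = [r for r in rejects if r["sender"] == ""]
    rcpts_by_ip = defaultdict(set)
    for r in rejects:
        if r["sender"]:
            rcpts_by_ip[r["ip"]].add(r["rcpt"])
    return {
        "total": len(rejects),
        "backscatter": len(backscatter),
        # which MTAs out there are bouncing the spamrun back at us
        "bouncing_mtas": dict(Counter(r["ip"] for r in backscatter)),
        # the made-up local parts the spammer is forging at our domain
        "forged_addresses": sorted({r["rcpt"] for r in backscatter}),
        "dictionary_attackers": {
            ip: sorted(rs) for ip, rs in rcpts_by_ip.items() if len(rs) >= dictionary_threshold
        },
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(key, value)
```

If the backscatter count stays high day after day, the run is still going even though you no longer see a single bounce in a mailbox; if the forged local parts start matching real accounts, the spammer has moved on to an existing address and you are back to the classic Joe Job advice.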

Another factor you should remember is that a faked-sender spamrun will increase the total spam load against your domain. Some people have rules that put all sender addresses into their address books. When they get hit by a virus, that address book gets harvested by spammers. Whammo: lots of mail to non-existent addresses at your domain. Rejecting unknown recipients takes care of that too.

Find infectees on your network

Friday, February 17th, 2006

I’ve been working on ways to find infected computers on my network.

And there is one very simple way.

If you have a Postfix server with amavisd-new in front of SpamAssassin, grep the mail log each day for these phrases (they are amavisd-new’s verdict lines; LOCAL marks mail that originated from a client inside your own networks):

Blocked SPAM, LOCAL
Passed SPAM, LOCAL

Or you could do it in one go:
SPAM, LOCAL

That should net you a few infected machines.

I’ve seen infected machines sending spam to addresses in their own address book, so you should be able to find stuff that way.

Be on the lookout for things that look like infected computers but aren’t. A mailserver (at a client site) that forwards mail to other recipients (such as a BlackBerry) will pass spam on as well. Familiarize yourself with the recipients in these cases, and figure it out that way.

Other servers may be set up in such a way that they can be used to relay mail to their own domain. If that’s what you’re seeing, you’ll notice there are no outside recipients.
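The daily grep with the two exceptions above applied, as an added example that is not part of the original post: it runs over a constructed amavisd-new log excerpt (not real traffic), keeps the SPAM verdicts on locally originated mail, groups them by originating IP and sorts each host into one of three buckets: a server that only relays to its own domains, a mailserver forwarding outside senders’ mail (the BlackBerry case), or a suspect machine sending from a local address to the outside world. The log layout (LOCAL flag, second bracketed address being the originating client) and the list of hosted domains are assumptions; check them against your own amavisd-new log_templ and your domain list.

```python
import re
from collections import defaultdict

# Constructed amavisd-new log excerpt (not real traffic). Assumed layout:
# "(id) Passed|Blocked VERDICT, [LOCAL] [client-ip] [originating-ip] <sender> -> <rcpt>,<rcpt>, ..."
# where LOCAL marks an origin inside @mynetworks and the second bracketed
# address is the originating client reconstructed from the Received headers.
SAMPLE_LOG = """\
Feb 17 09:12:01 mx1 amavis[3456]: (3456-01) Blocked SPAM, LOCAL [127.0.0.1] [10.0.1.23] <jdoe@corp.example> -> <victim1@example.net>,<victim2@example.org>, Message-ID: <a1@corp.example>, Hits: 21.3
Feb 17 09:12:05 mx1 amavis[3456]: (3456-02) Passed SPAM, LOCAL [127.0.0.1] [10.0.1.23] <jdoe@corp.example> -> <friend@example.com>, Message-ID: <a2@corp.example>, Hits: 7.1
Feb 17 09:13:11 mx1 amavis[3457]: (3457-01) Passed CLEAN, LOCAL [127.0.0.1] [10.0.1.40] <alice@corp.example> -> <bob@example.org>, Message-ID: <b1@corp.example>, Hits: -2.0
Feb 17 09:14:02 mx1 amavis[3458]: (3458-01) Blocked SPAM, [127.0.0.1] [203.0.113.7] <offer@spam.example> -> <alice@corp.example>, Message-ID: <c1@spam.example>, Hits: 18.9
Feb 17 09:15:30 mx1 amavis[3459]: (3459-01) Passed SPAM, LOCAL [127.0.0.1] [10.0.2.5] <offer@spam.example> -> <boss@client.example>, Message-ID: <d1@spam.example>, Hits: 6.4
Feb 17 09:16:44 mx1 amavis[3460]: (3460-01) Blocked SPAM, LOCAL [127.0.0.1] [10.0.3.9] <deals@spam.example> -> <sales@handheld.example>, Message-ID: <e1@spam.example>, Hits: 14.2
"""

# Assumption: the domains this server handles mail for. Anything else is an
# "outside recipient" in the sense of the post.
HOSTED_DOMAINS = {"corp.example", "client.example"}

LINE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+), "
    r"(?P<local>LOCAL )?\[(?P<client>[^\]]+)\] \[(?P<origin>[^\]]+)\] "
    r"<(?P<sender>[^>]*)> -> (?P<rcpts>(?:<[^>]*>,?)+)"
)


def parse_line(line):
    """Fields of one amavisd-new verdict line, or None for anything else."""
    m = LINE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["local"] = e["local"] is not None
    e["rcpts"] = re.findall(r"<([^>]*)>", e["rcpts"])
    return e


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def local_spam_hits(log):
    """The grep from the post: SPAM verdicts (Passed or Blocked) on local mail."""
    hits = []
    for line in log.splitlines():
        e = parse_line(line)
        if e and e["verdict"] == "SPAM" and e["local"]:
            hits.append(e)
    return hits


def summarize(log, hosted=HOSTED_DOMAINS):
    """Per originating IP: hit count, outside recipients, and a heuristic bucket.
    own-domain-relay: no outside recipients at all (a server relaying to itself).
    forwarder: outside senders' mail going to outside recipients (forwarding).
    suspect-host: a local sender spamming the outside world; go look at it."""
    per_ip = defaultdict(lambda: {"hits": 0, "outside_rcpts": set(), "outside_senders": set()})
    for e in local_spam_hits(log):
        s = per_ip[e["origin"]]
        s["hits"] += 1
        s["outside_rcpts"].update(r for r in e["rcpts"] if domain_of(r) not in hosted)
        if domain_of(e["sender"]) not in hosted:
            s["outside_senders"].add(e["sender"])
    report = {}
    for ip, s in per_ip.items():
        if not s["outside_rcpts"]:
            category = "own-domain-relay"
        elif s["outside_senders"]:
            category = "forwarder"
        else:
            category = "suspect-host"
        report[ip] = {"hits": s["hits"], "outside_rcpts": sorted(s["outside_rcpts"]), "category": category}
    return report


if __name__ == "__main__":
    for ip, r in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, r["hits"], r["category"], ", ".join(r["outside_rcpts"]))
```

The buckets are a starting point, not proof: a bot forging outside sender addresses would land in the forwarder bucket, so anything there that is not a known client mailserver still deserves a look at the recipients, exactly as the post says.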

Lazy postmasters in Norway

Friday, February 10th, 2006

An explanation of HELO configuration for admins.

I just tested this postfix setting:

reject_unknown_hostname

If you put that setting under smtpd_helo_restrictions in main.cf, Postfix checks the HELO (or EHLO) name every sending server announces and looks it up in DNS; if the name has no A or MX record, the mail is rejected. It does not check that the name matches the client’s IP address or reverse DNS, only that the name exists. By default the reject is a 450 temporary failure, so a legitimate sender that hit a DNS hiccup gets to retry. (In Postfix 2.3 and later the restriction is called reject_unknown_helo_hostname, and you want smtpd_helo_required = yes alongside it, otherwise a client can dodge the check by not sending HELO at all.)

It’s wonderful, because it rejects a lot of spam. But there’s a problem…

Lots of legitimate mail was rejected. Why? Because Norwegian postmasters are either lazy or incompetent.

OK, so they’re not the only ones with incorrectly configured servers, but I’m in Norway, so chances are I’ll see more of those.

Please, please, please, postmaster: Check that your mailservers have the correct HELO.

It’s a common rookie mistake, but for a production server, you really NEED to make sure it’s right!

If you’re administering a mail server and don’t have a clue what I’m talking about, then get serious about your job and learn!

——-

You could get away with using this instead:
reject_non_fqdn_hostname

It rejects HELO names that aren’t in fully qualified form: the name has to look like a hostname with at least one dot, or be an address literal like [192.0.2.1]. It doesn’t check whether the name exists in DNS, so a HELO of mailserver.domain.local sails through. You’ll still reject some legitimate mail with this setting, for the same reason as above, lazy or clueless admins whose servers say HELO with a bare machine name, but at least the casualties won’t be quite as many. (Called reject_non_fqdn_helo_hostname from Postfix 2.3 on.)

Most of the mail that would have been rejected by this one is also rejected by policyd-weight.

Today I’ve seen HELOs from (probably) legitimate servers in these formats (some of these are the actual HELOs, or very lightly munged):
EXCHANGE2K3.domain.int
tplist.adm.adm
z50v002.domain.local
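The difference between the two restrictions, applied to the three HELOs above plus a bare machine name of the kind a Windows box sends (the HELO problem from the personal mailserver post), as an added example that is not part of the original post or of Postfix: the two checks are approximations of reject_non_fqdn_helo_hostname and reject_unknown_helo_hostname written for this page, and the DNS answers come from a constructed dictionary rather than a resolver, so the whole thing runs offline. The hostnames and the reply texts are assumptions made for the example.

```python
import ipaddress
import re

# Constructed stand-in for the resolver: names that have an A or MX record.
# Real Postfix queries DNS; this dict is an assumption so the example runs offline.
FAKE_DNS = {
    "mail.example.org": True,
    "smtp.example.net": True,
}

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def is_address_literal(helo):
    """RFC 2821 allows HELO [192.0.2.10]; both checks let a valid literal through."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return True
        except ValueError:
            return False
    return False


def non_fqdn_check(helo):
    """Approximation of reject_non_fqdn_helo_hostname: syntax only, no DNS.
    The name must be an address literal or a valid hostname with at least one
    dot, so names in made-up TLDs such as .local pass. Returns None when the
    name is acceptable, otherwise the reply the client would get."""
    if is_address_literal(helo):
        return None
    labels = helo.split(".")
    if len(labels) < 2 or not all(LABEL.match(lbl) for lbl in labels):
        return "504 5.5.2 <%s>: Helo command rejected: need fully-qualified hostname" % helo
    return None


def unknown_hostname_check(helo, resolver=FAKE_DNS):
    """Approximation of reject_unknown_helo_hostname (reject_unknown_hostname
    before Postfix 2.3): the name must have an A or MX record. The client's
    reverse DNS is not consulted. The reply is a 450 temporary failure because
    a lookup can fail for reasons other than the name not existing."""
    if is_address_literal(helo):
        return None
    if not resolver.get(helo.lower().rstrip("."), False):
        return "450 4.7.1 <%s>: Helo command rejected: Host not found" % helo
    return None


def evaluate(helo, resolver=FAKE_DNS):
    """Verdict of each restriction for one HELO name (None means accepted)."""
    return {
        "helo": helo,
        "reject_non_fqdn_helo_hostname": non_fqdn_check(helo),
        "reject_unknown_helo_hostname": unknown_hostname_check(helo, resolver),
    }


def casualties(helos, resolver=FAKE_DNS):
    """How many of the given HELO names each restriction would reject."""
    counts = {"reject_non_fqdn_helo_hostname": 0, "reject_unknown_helo_hostname": 0}
    for helo in helos:
        verdict = evaluate(helo, resolver)
        for key in counts:
            if verdict[key] is not None:
                counts[key] += 1
    return counts


# Constructed sample: the three names from the post, a bare machine name as a
# Windows box might send, an address literal and two names with DNS records.
SAMPLE_HELOS = [
    "EXCHANGE2K3.domain.int",
    "tplist.adm.adm",
    "z50v002.domain.local",
    "EXCHANGE",
    "[192.0.2.10]",
    "mail.example.org",
    "smtp.example.net",
]

if __name__ == "__main__":
    for helo in SAMPLE_HELOS:
        v = evaluate(helo)
        fqdn = "ok" if v["reject_non_fqdn_helo_hostname"] is None else "REJECT"
        dns = "ok" if v["reject_unknown_helo_hostname"] is None else "REJECT"
        print("%-25s non_fqdn:%-7s unknown:%s" % (helo, fqdn, dns))
    print(casualties(SAMPLE_HELOS))
```

Run it and the point of the post falls out of the numbers: the strict DNS check rejects four of the seven, the syntax-only check just the bare EXCHANGE, and the three real-world HELOs from the list fail only the DNS check because .int, .adm and .local names never resolve on the public internet.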

CAN-SPAM compliant and filter proof

Tuesday, February 7th, 2006

I’m cleaning my spam-bin (everything collected above my SpamAssassin threshold on the server, so it’s pretty large).

The CAN-SPAM-compliant stuff is pretty easy to find. The subject lines and senders are descriptive, in contrast to the “criminal” spammers, who try to trick you into opening their mails or advertise the three P’s.

The problem for CAN-SPAM-compliant spammers (yes, I call them that, even though they themselves say they’re in the bulk e-mail business) is that mail server admins might implement content filters that look for the boilerplate these mails contain, like:

Unsubscribe links
A privacy policy

Sometimes their attempts at being innovative to avoid those filters are kinda funny. Like these:

“detach yourselves off this list”
“To remove your email from our database or unsubscribe”
“getmeoff” (a neat pattern to catch this one: getmeoff:http )
“To unsubscribe from this ADVERTISEMENT”
“Want to block this message then visit”

Doesn’t exactly sound idiomatic, does it?

E-mail monitoring

Tuesday, February 7th, 2006

While setting up my mailservers, I’ve come across information about how you could retain a copy of EVERY e-mail that passes through the mailservers.

There are companies out there that do such things. Or they retain copies of mail to some people. It’s actually quite easy to do: in Postfix it is a single parameter (always_bcc for everything, sender_bcc_maps or recipient_bcc_maps for selected addresses), and the people whose mail is copied get no indication of it.

So here’s yet another warning: don’t send embarrassing or sensitive, or potentially damaging, stuff through company e-mail. As a long-time e-mail administrator, I’ve seen my share of very embarrassing stuff. And that was mostly due to e-mail getting lost somehow.

I’ve seen love letters and randy suggestions I wasn’t supposed to see. And I knew the people involved.

I’m saying this to make people understand that this happens REGULARLY, and it’s not the e-mail administrator’s fault. These things just happen.

Today I’m blessed with being the administrator of a large and well-functioning operation, so the amount of embarrassing stuff is minimal, actually non-existent. Not a one-company server…

But even so, whenever I send an e-mail that is of a sensitive nature in any way, I wonder about the mailservers I send it through. How big are they, how likely is it that it would get read? I’d rather send mail through my own mail server, because I know exactly what kind of monitoring is being done there!

Here’s an article about e-mail policy, and what could happen in case of a lawsuit or routine monitoring:

CollegeJournal | On the Job