
I am having an issue due to a "smart" sysadmin that made some choices while I was away for two months: Spam.

I manage probably close to 10,000 web/mail sites. He decided to allow all mail to every one of those domains to go to /dev/null if the user did not exist instead of bouncing it back. Which is OK in some cases, but the problem with that is that it says "recipient OK" for unknown users, which makes spammers believe they are hitting a valid address.

So, with all that said, I am now seeing TONS of attempted spam coming into all of these sites and I can't figure out a fix on a server-by-server basis.

Right now they are back to getting a user unknown, so bandwidth on the network has dropped a decent amount since the actual content is not being delivered; however, since the mail is still making it to me, I am losing a good amount of bandwidth on DNS lookups per message as well as my initial bounceback. Doesn't seem like it would take a lot, but with the volume of sites we are talking about it is relatively significant.

I am using sendmail on CentOS 5. I have full root access to the machines and I am really comfortable with IPTables, tcpdump, kernel modifications, sendmail modifications, as well as access lists and such on my core routers.

The catch: the company has not purchased a global antispam service. Ideally, if there was a way I could configure sendmail to not do a DNS lookup if mail is sent to an unknown user, that would be a start.

Ladadadada
ThatGuy

4 Answers

2

1) Add greylisting

2) Add spamhaus

3) Add the various xxxx_delay_xxx macros in sendmail.mc

4) add

FEATURE(`greet_pause',`5000')dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl

to sendmail.mc

All these will do a lot of good to the goal of limiting spam.

Alien Life Form
1

I'm assuming that bandwidth is the problem you are facing and the solution you are looking for. Please correct me if there is a different problem.

Is this all in one homogeneous internal network or is it a bunch of independent sites/data centres? I'm wondering if it's feasible to run your own caching DNS resolver to cut down on the bandwidth caused by DNS lookups. If not a central one for all mail servers, maybe local caching nameservers at all sites would be feasible.

Another plan would be to block any IP address at the firewall from hitting port 25 that has caused more than 90% unknown user response (minimum of 10 send attempts). You could likely use fail2ban for this purpose.

Can you cut down on the size of your bounce messages?


Other things you should do:

  • Start measuring. See if you can measure how much bandwidth is "wasted" due to spam and at which point in the SMTP conversation it is happening. How much are the DNS lookups contributing? How much is the HELO? How much is headers? How much is the bounce messages? How much does all of this bandwidth cost?

  • Get a spam filtering service. Once you know how much the bandwidth costs and how much of it should be reduced if you had no spam, you can justify the cost of a spam filtering service. If you have measured the bandwidth and you can't reduce it any more, you're going to be paying the money anyway. Change who you pay it to and put one more problem on the "fixed" pile.

Ladadadada
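The "block any IP that has caused more than 90% unknown-user responses, minimum 10 attempts" idea from the answer above, worked through as an added example (my code, not the answerer's, and not a fail2ban filter). It correlates two kinds of sendmail maillog lines by queue ID, because the per-recipient "User unknown" rejection line does not carry the client address; only the envelope "from=" line (logged later, with nrcpts=0 when every recipient was refused) names the relay. The log lines are constructed here to resemble that format; the thresholds, the hypothetical queue IDs and the emitted iptables rule are assumptions, and the rule is only printed, never run.

```python
import re
from collections import defaultdict

# Two maillog line shapes, both keyed by sendmail's queue ID. The rejection
# line is logged at RCPT time, the "from=" line when the envelope finishes, so
# the rejection usually appears BEFORE the line that tells us the relay IP.
FROM_RE = re.compile(
    r'sendmail\[\d+\]: (?P<qid>\w+): from=<[^>]*>.*?relay=[^\[]*\[(?P<ip>[0-9.]+)\]')
UNKNOWN_RE = re.compile(
    r'sendmail\[\d+\]: (?P<qid>\w+): <[^>]*>\.\.\. User unknown')


def per_ip_stats(lines):
    """Return {relay_ip: (delivery_attempts, attempts_with_unknown_user)}."""
    qid_to_ip = {}
    rejected_qids = set()
    # First pass: collect everything, since the two lines for one session
    # can arrive in either order.
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            qid_to_ip[m['qid']] = m['ip']
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            rejected_qids.add(m['qid'])
    # Second pass: resolve rejected queue IDs to the relay that sent them.
    attempts = defaultdict(int)
    rejected = defaultdict(int)
    for qid, ip in qid_to_ip.items():
        attempts[ip] += 1
        if qid in rejected_qids:
            rejected[ip] += 1
    return {ip: (attempts[ip], rejected[ip]) for ip in attempts}


def candidates(stats, min_attempts=10, ratio=0.9):
    """Relay IPs whose unknown-user share exceeds `ratio` over at least `min_attempts`."""
    return sorted(ip for ip, (total, bad) in stats.items()
                  if total >= min_attempts and bad / total > ratio)


def iptables_rules(ips):
    """Firewall rules for the candidates (assumed form; review before applying)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


def constructed_log(sessions):
    """Build CONSTRUCTED maillog lines. sessions: [(relay_ip, attempts, rejected_attempts)]."""
    lines = []
    for n, (ip, total, bad) in enumerate(sessions):
        for i in range(total):
            qid = f"r28Lh{n:02d}{i:03d}"  # hypothetical queue ID
            if i < bad:  # rejection is logged first, without the relay IP
                lines.append(f"Mar  8 21:43:{i:02d} mx1 sendmail[4242]: {qid}: "
                             f"<nobody{i}@example.com>... User unknown")
            lines.append(f"Mar  8 21:43:{i:02d} mx1 sendmail[4242]: {qid}: "
                         f"from=<sender{i}@example.net>, size=0, class=0, "
                         f"nrcpts={0 if i < bad else 1}, proto=ESMTP, daemon=MTA, relay=[{ip}]")
    return lines


# Constructed sample: one relay over the 90% line, one just under it, and one
# that is 100% unknown users but has too few attempts to judge.
SAMPLE_LOG = constructed_log([
    ("203.0.113.5", 12, 11),
    ("198.51.100.7", 12, 10),
    ("192.0.2.9", 3, 3),
])

if __name__ == "__main__":
    stats = per_ip_stats(SAMPLE_LOG)
    for ip, (total, bad) in sorted(stats.items()):
        print(f"{ip:16} attempts={total:3} unknown_user={bad:3} share={bad / total:.2f}")
    for rule in iptables_rules(candidates(stats)):
        print(rule)
```

The minimum-attempts floor matters more than it looks: a legitimate correspondent who mistypes an address once would otherwise be a 100% offender. On a real host, feed it `/var/log/maillog` line by line and expire the counts periodically, otherwise a relay that was bad once stays blocked forever.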
0

Sendmail performs reverse DNS lookups anyway. Have you considered rejecting messages from hosts lacking a closed reverse DNS loop?

Warning: the sendmail.org-provided FEATURE(require_rdns) acts after DNSBL checks. You may use its variant provided at open-sendmail.sourceforge.net.

It is possible to limit the above checks on a per-country basis using a locally served IP->country DNS map (e.g. zz.countries.nerd.dk) and FEATURE(anfi/rsdnsbl) provided at open-sendmail.sourceforge.net.

P.S. FEATURE(greet_pause,...) mentioned in another reply is worth considering.

AnFi
-2

First off, Sendmail is for sending email, not receiving. Is spam being sent FROM your server or TO your server? It sounds like spam is being sent TO your server. If that's the case, Sendmail has nothing to do with this.

I have 1 simple suggestion: Implement some of the public blacklists, such as Spamcop, Spamhaus, and Barracuda. Here's how mine are configured in Postfix:

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        reject_unauth_destination,
        permit_mynetworks,
        reject_invalid_hostname,
        permit

Of course, after a certain volume (I'm not sure what the threshold is), they start to cut you off or ask you to shell out some dough. It's a good bit of volume, though, before you get to that point, I think.

David W
  • Sorry, I am sending bouncebacks via sendmail. The spam is being sent to my server. I was going to do that but that wouldn't help my root concern since the spam is not even getting into the inboxes, it is just all getting bounced back as user unknown. With as many sites as I have I am hurting on BW. – ThatGuy Mar 08 '13 at 21:43
  • But you can curb a lot of unnecessary processing power by rejecting mail from known spammer IP addresses outright, instead of taking the time to process the mail and check whether it's a valid email address or not. My gut is that you'd save on bandwidth too. – David W Mar 08 '13 at 21:50
  • 1
    sendmail (as in http://www.sendmail.org ) is for _both_ sending and receiving mail. Second, your answer is about postfix, while the OP uses sendmail. – adamo Mar 08 '13 at 22:13
  • There are few ways in which this answer could be made worse. – EEAA Mar 08 '13 at 22:25
  • I knew there was a reason I don't call myself a mailserver admin. In my defense, I was posting the Postfix snippet as an example of how I use blacklists - at the time, I realized the Op may not be using Postfix. I'll shut up now. Clearly I need to. – David W Mar 08 '13 at 22:40
  • 1
    No you don't. We all have our moments – adamo Mar 09 '13 at 09:51