Methods of defending against spam on Linux

Source: Internet
Author: User

I. Environment description

The unit's server runs Redhat Linux 9.0, and the mail server is Sendmail 8.12.8. The server sits on the intranet and connects to the Internet through a Win2000 server acting as the gateway; the gateway software is WinRoute Pro 4.2.5.

II. Main modifications

1. Turn off the relay function of Sendmail

Relay means that other people can use this SMTP mail server to send mail to anyone. Spammers with ulterior motives can then push large amounts of spam through the unit's mail server, and in the end the complaints are directed not at the spammers but at the unit's server. Open relay must therefore be turned off: go to the /etc/mail directory on the Linux server, edit the access file, and remove the "*relay" settings, usually leaving only two entries, "localhost RELAY" and "127.0.0.1 RELAY".

Note: After you modify the access file, rebuild the database with the command makemap hash access.db < access
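A quick way to confirm that the access file grants relay only to the two entries kept above, as an added example that is not part of the original article; the sample table, the `ALLOWED` set and the function name are constructed for illustration:

```python
# Added example: audit a sendmail access table for entries that grant relay.
# ALLOWED mirrors the two entries the article keeps; SAMPLE is constructed.
ALLOWED = {"localhost", "127.0.0.1"}
TAGS = ("connect:", "from:", "to:")   # optional key prefixes in the access table

SAMPLE = """\
# constructed sample of /etc/mail/access
localhost          RELAY
127.0.0.1          RELAY
Connect:192.168    RELAY
example.com        relay
spam@example.net   REJECT
"""

def relay_findings(text):
    """Return (line number, key) for every RELAY entry outside ALLOWED."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)       # key, then the action (may contain spaces)
        if len(parts) != 2:
            continue                      # no action on the line: nothing is granted
        key, action = parts[0].lower(), parts[1].strip().upper()
        for tag in TAGS:
            if key.startswith(tag):
                key = key[len(tag):]      # compare the address or domain itself
                break
        if action == "RELAY" and key not in ALLOWED:
            findings.append((lineno, key))
    return findings

if __name__ == "__main__":
    for lineno, key in relay_findings(SAMPLE):
        print(f"line {lineno}: {key} is allowed to relay")
```

Each finding is an address range or domain that may still relay through the server and should be removed or justified before access.db is rebuilt.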

2. Turn on the Sendmail SMTP authentication feature

With relay turned off, the unit's teachers can no longer send mail through the server from software such as OE (Outlook Express). That does not matter: once Sendmail is configured for SMTP authentication and SMTP authentication is enabled in OE, they can use the unit's SMTP server from anywhere.

Configuring SMTP authentication in Redhat Linux 9.0 is convenient. First use the command rpm -qa | grep sasl to check whether the cyrus-sasl packages are installed (the default installation generally includes them). If they are not installed, use the command rpm -ivh cyrus-sasl.rpm to install all the packages. Then open the /etc/mail/sendmail.mc file and change the following three lines:

    dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA')

to:

    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0,Name=MTA')

3. Add the RBL function to Sendmail

RBL (Realtime Blackhole List) is a real-time blacklist. Some foreign organizations provide RBL services: they collect Chinese spam IP addresses into their blacklists. We only need to add RBL verification to Sendmail, and our mail server will automatically check with the RBL server each time it receives a message; if the message comes from a blacklisted address, Sendmail rejects it, making the unit's users less vulnerable to spam.

The better-known foreign RBL is http://www.ordb.org, whose RBL can be used free of charge. The domestic http://anti-spam.org.cn also began providing a similar service last year, but you must register before you can use it for free.

To add RBL verification to Sendmail, just add the following lines to sendmail.mc. The first line enables the ordb.org RBL service and the second enables the Anti-Spam RBL service; note that for the second you must register on the site before use. To add other RBLs, add more lines of the same form; two RBLs are generally enough:

① FEATURE(`dnsbl', `relays.ordb.org', `"Email blocked using ORDB.org - see"')

② FEATURE(`dnsbl', `cblplus.anti-spam.org.cn', `', `"451 Temporary lookup failure for "$&{client_addr}" in cbl.anti-spam.org.cn"')

Finally, run the two commands m4 sendmail.mc > sendmail.cf and service sendmail restart to bring the changes to Sendmail into effect.
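The lookup that an RBL check performs for each connecting client, as an added example that is not part of the original article: the client's IPv4 octets are reversed, the list's zone is appended, and an A record answer means the address is listed. The zone `dnsbl.example`, the constructed records and the function names are assumptions for illustration; the resolver is injectable so the logic runs offline.

```python
# Added example: DNSBL lookup logic with a pluggable resolver.
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed records for a placeholder zone; 127.0.0.2 is the
# conventional DNSBL test entry (RFC 5782).
FAKE_ZONE = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",
    "10.2.0.192.dnsbl.example": "127.0.0.2",
}

def dnsbl_query_name(client_ip, zone):
    """Build the DNS name to look up: reversed octets followed by the zone."""
    ip = ipaddress.IPv4Address(client_ip)        # raises ValueError on bad input
    return ".".join(reversed(str(ip).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """Return the A record as text, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise                                    # timeouts and server failures

def fake_resolver(name):
    return FAKE_ZONE.get(name)

def check_dnsbl(client_ip, zone, resolve=system_resolver):
    """Return 'listed', 'not listed', 'tempfail' or 'invalid answer'."""
    try:
        answer = resolve(dnsbl_query_name(client_ip, zone))
    except OSError:
        return "tempfail"        # the case the article's 451 message is for
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) in LOOPBACK:
        return "listed"
    return "invalid answer"      # outside 127.0.0.0/8: investigate the zone

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "198.51.100.7"):
        print(ip, check_dnsbl(ip, "dnsbl.example", fake_resolver))
```

Checking 127.0.0.2 against a zone before adding it to sendmail.mc confirms that the list answers at all; a zone that fails this test, or that answers outside 127.0.0.0/8, should not be used for rejection.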

4. Close the open proxy

The unit's gateway uses WinRoute, and WinRoute's proxy service was turned on to speed up Internet access. What we did not realize is that most proxies by default allow the HTTP CONNECT method to connect to any TCP port, so when the proxy places no appropriate restrictions on users and on the TCP ports they may reach, spammers can easily exploit it. They only need to use the unit's proxy to connect to port 25 of another mail server and send the appropriate SMTP commands to send a large amount of spam.

You don't know until you check, and checking gave me a fright. Because of the open proxy, the unit's server had been on foreign blacklists as early as last December. Even more exasperating, because of the open proxy our gateway's CPU utilization had been at around 50%: the unit's gateway had been doing bad things on behalf of others all along.

Shutting off the open proxy in WinRoute is also very simple: just close the proxy port on the network card connected to the external network.

The specific steps are as follows: click "Settings→Advanced→Packet Filter", select the Incoming tab, find the network adapter, and click the Add button. In the Add Item dialog box that appears, set Protocol to TCP, set Port = 3128 under Destination, and set Action to Deny (as shown in Figure 1).

  

Figure 1

5. Close external port 25

The author checked the sendmail log and found no sign that a large amount of spam had been sent from the unit. While puzzling over this, the author suddenly remembered that the "Netsky" and "MyDoom" viruses were spreading across the Internet at the time. Both viruses automatically send large amounts of junk e-mail; Netsky in particular carries its own SMTP service, so it can send mail directly without using the unit's Sendmail, and the unit's Sendmail log of course has no record of it. So the author immediately went to WinRoute on the gateway machine and added a restriction on the intranet network card so that it cannot connect to external port 25; the specific settings are shown in Figure 2.

  

Figure 2

Note: This setting is added on the intranet network card, whereas the open-proxy setting above is added on the external network card.

6. Removal from the blacklist

Some time ago, through my own negligence, my unit's IP ended up on the blacklists of foreign RBLs. To query an IP address in an RBL and have it removed, go to http://openrbl.org/ and http://ordb.org; in addition, the domestic http://anti-spam.org.cn/cbl_minus/query.html can also be queried.
