Use the UBE plug-in to resist spam

Source: Internet
Author: User

Over the past year, all of us have been concerned with how to deal with spam. By enabling the UBE filter on Netscape Messaging Server, we can get rid of spam and restore some of the interrupted routes to foreign countries. This article describes how to implement email filtering on the Netscape Mail Server.
UBE plug-in for Netscape Mail Server
1. About the SMTP plug-in of the Netscape Mail Server
From version 3.x on, the Netscape Mail Server provides an application programming interface that lets third parties develop server plug-ins extending the mail server with site-specific features. The SMTP plug-in is developed using this programming interface. It can pre-process the header and body, including character set conversion, content filtering, and redefining the split envelope information. The SMTP plug-in acts at two specific stages of the server's mail processing: PostSmtpAccept (after the mail is received) or PreSmtpDeliver (before the mail is delivered). The former is effectively MTA filtering and the latter MDA filtering. During these two stages you can intercept incoming and outgoing mail, analyze its features, and take appropriate action before it is released.
2. UBE plug-in Introduction
The UBE plug-in is an SMTP plug-in. It ships with the Netscape Mail Server from version 3.x on and is installed automatically with the mail server. It provides flexible, customizable filtering to remove or redirect unwanted mail. UBE stands for Unsolicited Bulk Email, a term that evolved from UCE (Unsolicited Commercial Email); it is commonly known as spam. The UBE plug-in supports a simple scripting language, so filter rules (filter instructions) can be written and customized as needed. The UBE plug-in performs MTA filtering. It acts during the PostSmtpAccept stage and checks each message against the filter instructions one by one, selectively deleting, intercepting, or redirecting mail that shows UBE characteristics. Mail that is not affected by any filter rule continues on its normal path.
A filter instruction is the criterion by which mail is filtered: whenever a message meets the criterion, the action specified in the instruction is triggered. You can create different kinds of filter instructions and activate or disable them as needed. There are two ways to manage filters: through the management interface of the Netscape Server, or by editing the UBEfilter.cfg file directly.
3. UBE filter Instruction format
A filter instruction is one line of plain text in the UBE configuration file UBEfilter.cfg and contains 3 to 5 fields, in the following order:
[:label] | MessageField | MatchCriterion | Action | [argument]
[:label] -- the label of the filter instruction. A label is needed only when this instruction is the target of another filter instruction's JUMP action.
MessageField -- the part of the mail header or envelope that the filter instruction analyzes. The filter instruction uses this information to decide how to process the mail. The header is generated when the client sends the mail. The envelope is generated when the server sends or forwards the message from the sender to the receiver, and contains some key information about the mail. RFC821 defines some standard header fields, including To, From, Sender, Reply-To, Content-type, and Subject.
When applying a filter rule, you can have the UBE plug-in check both the envelope and the header, or add the flag envonly to indicate that the filter instruction checks only the envelope information. Because the header is easier for the sender to change than the envelope, using this flag resists spoofing attacks based on header information. Envelope items that can be used in filter rules include: submitted-date, host-from, user-from, auth-sender, mail-exts, channel-to, rcpt-exts, messages-size, MTA-hops, and so on.
MatchCriterion -- the matching criterion for the MessageField. It is a string or regular expression. The combination of MessageField and MatchCriterion is called the declaration of the filter rule. For example, Subject "Bad mail" is a declaration. The state of the declaration, match or no match, determines whether the rule is applied.
Action -- specifies the Action taken by the UBE plug-in when the declaration matches. Available actions include copy, drop, exit, holdcopy, holdonly, jump, reject, and run.
[argument] -- supplies additional explanatory text for certain actions. This text is sent to the sender along with the bounce message.
Email Filtering
The following describes how to use the UBE plug-in to design a set of filtering rules to implement Anti-Relay for spam.
1. If you install an independent external mail server outside the firewall and set it to only receive external mail and not forward internal mail, that is, it is just an MX, relaying can be blocked effectively by checking the Channel-To envelope item.
* Channel-To "xyz.com" EXIT
Channel-To
Indicates the destination the mail is sent to, i.e. the recipient list, equivalent to the recipient that follows the SMTP RCPT TO command. It can be a single mail address, a mailing list, or a mail domain;
xyz.com
The match criterion; here, all mailboxes in xyz.com;
EXIT
Indicates that mail sent to any mailbox in the xyz.com domain is let through without going through the filters that follow.
* $ANY ".*" REJECT "We accept mail for XYZ Company only"
$ANY
Any envelope item;
.*
Matches any string (it can be empty);
REJECT
Indicates that mail reaching this rule after the previous filter is returned to the sender;
We accept mail for XYZ Company only
The argument, which is the postscript in the returned message.
The first rule lets mail whose recipient is in the internal domain xyz.com through: such mail exits the UBE filter.
The second rule rejects any mail that does not match the first rule and returns it to the sender.
2. If the same mail server is used for both sending and receiving mail, you need to add one more filtering step in front. First, check the Auth-Sender envelope item to verify that the sender is a local user, that is, that the sender has performed SMTP authentication.
* Auth-Sender ".+" EXIT
Auth-Sender
A special envelope item that is present only when the client asks the server for "send authentication"; mail sent without "send authentication" does not have this item. When the server receives mail from the client, it fills in the item's content, which is the sender's email address, based on the userID and passwd values supplied. The mail server then hands the mail to the UBE plug-in for further processing. By checking this envelope item, the UBE plug-in lets the mail server send only authenticated messages from local users.
.+
A non-empty string, i.e. an email address.
EXIT
Indicates that the mail is let through without going through the filters that follow.
Note: the MessageField of this filter rule must carry the envonly flag, so that a malicious sender cannot alter the header and impersonate a local user.
3. If several branches of your enterprise network have their own mail servers, all of which send and receive through the headquarters mail server, you should also set a rule that checks the source of the mail to be forwarded. That is:
* Host-From "10.x" EXIT
Host-From
An envelope item: the IP address of the other server that connects directly to this server and asks it to forward mail on its behalf. This rule keeps the server from forwarding illegitimate mail.
10.x
The IP address of the internal subdomain mail server.
EXIT
Indicates that the mail is let through without going through the filters that follow.
The settings above stop the mail server from relaying unrelated mail. However, using the same mail server to process both incoming and outgoing mail is generally not recommended, because it leaves your mail system more exposed to external attacks.
Design UBE filter
Our enterprise network mail system is deployed as follows: the headquarters mail server sits in the firewall's DMZ and handles sending and receiving mail, while the mail servers on each branch LAN are placed internally. We first created the following filter rules on the headquarters mail server:
* Auth-Sender ".+" EXIT
* Host-From "subdom mailserver IP" EXIT
* Channel-To "academy.net" EXIT
* $ANY ".*" DROP (garbage@academy.net)
The last filter rule means that mail that fails to pass any of the preceding rules is discarded into the garbage mailbox rather than returned to the sender. This reduces the load on the mail server and avoids messages bouncing back and forth, and tying up resources, when the sender does not exist. In addition, the first, third, and fourth rules should also be set on the mail servers of the branch LANs.
When spam is not very serious, you can also change the fourth instruction to:
* + $ANY ".*" REJECT "SMTP authentication needed"
"SMTP authentication needed" is the postscript in the returned message. In this way, Outlook Express users who have not yet enabled sender authentication receive the "SMTP authentication needed" prompt in the returned message.
The UBE plug-in intercepts mail and checks it against the filter rules one by one, in the order in which the rules appear in the configuration file. This order is very important and determines whether your mail filtering works properly.
Solution to spam in LAN
The preceding four measures protect the mail server against spam from the Internet. However, with the proliferation of Sircam, cover letter, and other viruses on the Internet, our mail server took another heavy hit. These worms have their own SMTP engine, which they use to route mail. They collect the IP addresses of the SMTP servers the user relies on from system files and the Registry and, using the system's default account, send virus-infected mail to accounts in the address book or to a number of made-up, nonexistent accounts, consuming network bandwidth. On user machines in the enterprise network, the mail server address configured is usually that of the enterprise mail server, so the virus generates excessive load on the enterprise mail server. The virus does not even need Outlook Express to be running, so the mail it sends is not authenticated. If the recipient address is outside the local domain, the mail sent by the virus cannot get through the UBE filter and is put into the garbage mailbox as spam. However, if the recipient address is inside the domain, the mail sent by the virus passes the third filter, allowing the virus to spread quickly within the LAN. Therefore, we add a filter rule in second position that targets mail from this domain: if such mail has not passed the first rule (authentication), as is the case for virus mail, it is also dropped into the garbage mailbox. In this way, mail that fails authentication but claims to be sent by users in this domain is filtered out as well. That is:

* Auth-Sender ".+" EXIT
* User-From "academy.net" JUMP (badmail)
* Host-From "subdom mailserver IP" EXIT
* Channel-To "academy.net" EXIT
* :badmail $ANY ".*" DROP (garbage@academy.net)
badmail is the label of the 5th rule. As mentioned above, when the 5th rule is the target of the JUMP action of another rule (here the 2nd), a label must be used to identify the target rule.
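The effect of the added User-From rule, and of rule order in general, can be checked with a small model of the top-to-bottom evaluation described above. This is an added example, not the plug-in's code and not part of the original article: matching with re.search, the DELIVER verdict name, the branch server IP 10.0.1.25 and the sample envelopes are assumptions constructed for illustration.

```python
import re

# Rules are (label, envelope item, regex, action, argument), modelled on the
# article's rule sets. Matching with re.search is an assumption of this sketch.
GARBAGE = "garbage@academy.net"
BEFORE = [
    (None, "Auth-Sender", r".+", "EXIT", None),
    (None, "Host-From", r"^10\.0\.1\.25$", "EXIT", None),  # constructed branch IP
    (None, "Channel-To", r"@academy\.net$", "EXIT", None),
    (None, "$ANY", r".*", "DROP", GARBAGE),
]
# Same rules with the User-From JUMP rule inserted in second position.
AFTER = [
    BEFORE[0],
    (None, "User-From", r"@academy\.net$", "JUMP", "badmail"),
    BEFORE[1],
    BEFORE[2],
    ("badmail", "$ANY", r".*", "DROP", GARBAGE),
]

def matches(envelope, item, pattern):
    """True if the named envelope item (any item for $ANY) matches the regex."""
    values = envelope.values() if item == "$ANY" else [envelope.get(item)]
    return any(v is not None and re.search(pattern, v) for v in values)

def evaluate(rules, envelope):
    """Apply rules top to bottom; return (verdict, argument) of the first hit."""
    i = 0
    while i < len(rules):
        _label, item, pattern, action, arg = rules[i]
        if matches(envelope, item, pattern):
            if action != "JUMP":
                return ("DELIVER", None) if action == "EXIT" else (action, arg)
            # JUMP: resume at the labelled rule, which must be further down.
            i = next(n for n in range(i + 1, len(rules)) if rules[n][0] == arg)
            continue
        i += 1
    return ("DELIVER", None)  # no rule fired: mail continues normally

# Constructed envelopes; addresses are illustrative.
AUTH_USER = {"Auth-Sender": "al@academy.net", "User-From": "al@academy.net",
             "Channel-To": "eve@partner.example"}
WORM = {"User-From": "bob@academy.net", "Channel-To": "carol@academy.net"}
INBOUND = {"User-From": "dave@partner.example", "Channel-To": "carol@academy.net"}
RELAY = {"User-From": "x@bulk.example", "Channel-To": "y@other.example"}

if __name__ == "__main__":
    for name, env in [("auth", AUTH_USER), ("worm", WORM), ("in", INBOUND), ("relay", RELAY)]:
        print(name, evaluate(BEFORE, env), evaluate(AFTER, env))
```

With the four-rule set the unauthenticated in-domain message is delivered through the Channel-To rule; with the five-rule set it is dropped, while authenticated and genuine inbound mail is unaffected.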
Filtering blocks spam, but it does not reduce the load on the mail server. Viruses send mail at an extremely high rate: a single machine can send 2-3 messages/second. If several or dozens of terminals are infected, the enterprise mail server will be kept busy sending their mail, and not only the server itself but also the garbage mailbox used for UBE filtering will be overwhelmed. Since the problem comes mainly from viruses, the fundamental solution is to start with anti-virus measures and block the spam at its source. Therefore, we add a virus-scanning function to the mail server: a rule that checks the content of the Subject header item. When the mail subject is the characteristic subject of a prevalent virus, the mail is cleared directly. This can stand in for some additional mail content security software. The filter rule is as follows:

If (Subject = Sircam's subject) then RUN (VirusScan.exe)
or
If (Subject = Sircam's subject) then DROP (garbage@academy.net)

The RUN action built into the UBE plug-in extends its capabilities, so that it not only works with the Messaging Server to send mail but can also trigger an external program that works with the UBE filter to process mail. In addition to virus scanning, external programs called in this way can be other self-written scripts.
After the above filter rules are set on the server and have taken effect, three tasks remain: ① change the SMTP setting of the mail server to ESMTP; ② create a garbage account, remove its mailbox size limit, and schedule a task that automatically clears the garbage mailbox every 10 to 20 minutes; ③ notify all Outlook Express users on the intranet to enable "Request for sending authentication".
It is worth mentioning that an Antirelay function has been added to later versions of the Netscape Mail Server, so that regular anti-spam work can be handled by Antirelay while UBE filters out the small quantities of special spam, which makes spam control more efficient.
