Spam spam spam spam

The internet seems to be a pretty noisy place. I remember an old adage about ‘What is the sound of the internet?’. It seems to have faded as there is no mention of it anywhere, but I’m sure it involved banging on drums and the yowling of cats. A glance through the log file of this web server shows a lot of noise. POST requests to non-existent URLs and garbage variables abound. The timing of these requests shows that they come from compromised computers without any human supervision.

It’s the same with email. There is a lot of junk being sprayed around the place by similarly compromised computers. It’s been a problem for a LONG time and no-one has found a magic bullet yet.

I first installed a brand new package called Sendmail on a brand new DG/UX server coming up to 30 years ago. I no longer use Sendmail (no-one sane does; I switched to Postfix) and I still have nightmares about writing raw rulesets in /etc/sendmail.conf. I’ve administered a mail server ever since that time and I’ve noticed the changing patterns of the junk we all receive in our emails. The perpetrators of this computer equivalent of a plague of mosquitoes tend to have runs of spam, where they’ll set up or compromise a series of servers to relay their junk. One thing I’ve noticed about the origins of these runs is that they all tend to come from IP addresses administered by the same people. A simple ‘whois A.B.C.D’ will tell you the admins behind any spam origin. How is that useful? If I see a run of spam, all from the same registrar, I’ll simply block ALL IP addresses from that registrar.

How does one do that? Years ago I found a great bit of software in QPSMTPD. It’s not a mail server, just the front end to one. It has a bunch of plugins, all written in Perl (a language uniquely suited to dealing with pattern matching). In a plugin subroutine hook_connect, which is called when dealing with an incoming connection, something like this…

my $remote_ip = $self->qp->connection->remote_ip;

# Only a well-formed dotted-quad is ever interpolated into the shell command.
return DECLINED unless $remote_ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;

my $cmd = "whois $remote_ip | egrep -f /etc/qpsmtpd/blocked_registrars | wc -l";
my $output = `$cmd`;
chomp $output;

$self->log(LOGINFO, "$cmd : $output" );

if( $output == 0 ) {
    $self->log(LOGINFO, "$remote_ip has no dodgy registrar pattern" );
    return DECLINED;    # let the other plugins have their say
} else {
    return (DENY, "No access to hosts using this registrar" );
}
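The same idea written out as a complete qpsmtpd plugin is below. This is an added example, not code from the original post or from the qpsmtpd project. It avoids the shell pipeline altogether (the list form of open runs whois directly, so the remote address is never parsed as a command line), puts a timeout on the lookup, fails open when whois is unreachable so a broken lookup cannot bounce legitimate mail, and caches results so each connecting address costs one whois query rather than one per connection. The pattern file path comes from the post; the location of the whois binary, the timeout and the cache are assumptions.

```perl
# Added example: qpsmtpd connect hook that rejects connections whose whois
# record matches a registrar pattern. Not part of the original post or the
# qpsmtpd project.
use strict;
use warnings;
use Qpsmtpd::Constants;

my $PATTERN_FILE  = '/etc/qpsmtpd/blocked_registrars'; # path from the post
my $WHOIS_BIN     = '/usr/bin/whois';                   # assumed location
my $WHOIS_TIMEOUT = 5;                                  # seconds, assumed

my %cache;   # remote_ip => 1 (blocked) or 0 (clean), per qpsmtpd process

sub register {
    my ($self) = @_;
    $self->register_hook('connect', 'check_registrar');
}

# One Perl regex per line; blank lines and '#' comments are ignored.
sub load_patterns {
    my ($self) = @_;
    open my $fh, '<', $PATTERN_FILE or return [];
    my @pats;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;
        push @pats, qr/$line/i;
    }
    close $fh;
    return \@pats;
}

sub registrar_blocked {
    my ($self, $ip, $patterns) = @_;
    return $cache{$ip} if exists $cache{$ip};

    # Only a well-formed dotted-quad is handed to an external program.
    return 0 unless $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;

    my @out;
    eval {
        local $SIG{ALRM} = sub { die "whois timeout\n" };
        alarm $WHOIS_TIMEOUT;
        # List-form open: no shell, so $ip cannot become shell syntax.
        open my $wh, '-|', $WHOIS_BIN, $ip or die "cannot run whois: $!\n";
        @out = <$wh>;
        close $wh;
        alarm 0;
    };
    alarm 0;
    if ($@) {
        # Fail open: a lookup failure must not reject legitimate mail.
        $self->log(LOGWARN, "whois $ip failed: $@");
        return 0;
    }

    my $blocked = 0;
    LINE: for my $line (@out) {
        for my $re (@$patterns) {
            if ($line =~ $re) { $blocked = 1; last LINE; }
        }
    }
    $cache{$ip} = $blocked;
    return $blocked;
}

sub check_registrar {
    my ($self, $transaction) = @_;
    my $ip       = $self->qp->connection->remote_ip;
    my $patterns = $self->load_patterns;
    return DECLINED unless @$patterns;

    if ($self->registrar_blocked($ip, $patterns)) {
        $self->log(LOGINFO, "$ip: registrar matches blocklist");
        return (DENY, 'No access to hosts using this registrar');
    }
    $self->log(LOGINFO, "$ip has no dodgy registrar pattern");
    return DECLINED;
}
```

Two things worth knowing before switching this on: whois servers rate-limit and sometimes block clients that query them on every inbound connection, which is why the cache and the fail-open branch are there, and a pattern file of raw regexes will happily match any line of the whois output (including comment text), so keep the patterns anchored to the fields you actually mean, such as the OrgName or netname line.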

If lots of people start doing this, it might force administrators to look after their networks a bit more and perhaps even service the email addresses they put in their ‘whois’ records.

If you think I can help with any of your email server woes, please contact me.