Administering Mail and Messaging

Blocking spam email from known offenders

A feature in the sendmail.cf configuration file for UnixWare 7 can be used to screen mail in order to verify the envelope-sender address and reject email from sites that are known to be sources of spam.

This feature uses the sendmail check_mail ruleset to implement a check during the SMTP dialogue. The MAIL command in SMTP specifies the envelope sender's address:

   MAIL From: <sender@host.domain>
The check_mail ruleset is called immediately after the MAIL command is read, and is passed the sender's address. The check_mail ruleset does the following verification: If the mail is rejected because the sender address is remote and cannot be resolved, sendmail issues the following error message during the SMTP dialogue, and writes it to the system log file as well:
   451 Domain must resolve
By default, this feature is disabled in sendmail.cf, which must be hand-altered to enable it. To enable check_mail, set the Check_Mail macro to a non-null value by changing the following line in sendmail.cf:
   D{Check_Mail}
to the following:
   D{Check_Mail} ON


NOTE: Use of the check_mail ruleset requires that DNS be properly configured, and is incompatible with the DeliveryMode=deferred sendmail option, as it requires that a DNS lookup be done immediately upon mail receipt. Administrators should also consider whether their server can handle the load of an additional DNS lookup for each message received before enabling this feature.

To create a list of known spam sites from which mail is rejected, create the file /etc/mail/table/spammers, containing entries of the form:

   hostname         rejection message
   ip_address       rejection message
The left-hand side specifies either the hostname or the IP address of the site from which the system refuses mail. The right-hand side specifies a message to be sent to the original sender. This error message is also entered into the system log file. The left and right sides are separated by the <Tab> character.

For example, if you wish to reject all mail from hostname iam.aknown.spammer.com, you could add the following entry to /etc/mail/table/spammers:

   iam.aknown.spammer.com    Mail rejected, please contact postmaster@my.domain.com
If you want to reject mail from an IP number, an example entry might be:
   132.147.193.96            Mail rejected, contact postmaster@my.domain.com
You can also use an asterisk (*) wildcard to match an entire domain or IP address range. For example:
   *.spammer.com             Mail rejected
   132.147.193.*             Mail rejected
When specifying wildcards for IP addresses, you must use an asterisk for each portion of the dotted quad which will be matched. For example, the following is valid syntax:
   132.147.*.*               Mail rejected
However, this is not:
   132.147.*                 Mail rejected
The list of known spammers is not mandatory.

After you have created the file /etc/mail/table/spammers, you must create its associated database by executing the following command:

   /etc/mail/makemap hash /etc/mail/table/spammers < /etc/mail/table/spammers

This command must be run after any modification of the spammers list.

As a final step, stop and restart the sendmail daemon to load all of the configuration changes by executing the following commands:

   /etc/mail/sendmailrc stop
   /etc/mail/sendmailrc start
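
Because a malformed entry in the spammers table is easy to miss, the entries can be checked against the format rules above (<Tab> separator, one asterisk per wildcarded part of an IP address) before makemap is run. The following is an added example, not part of the original documentation; lint_spammers and sample_spammers are hypothetical names, and skipping blank lines is an assumption.

```shell
#!/bin/sh
# Added example: check a spammers table before running makemap.
# lint_spammers and sample_spammers are hypothetical names.

# Print one line per problem found in FILE; return non-zero if any.
lint_spammers() {
    awk -F'\t' '
    function report(why) { printf "line %d: %s: %s\n", NR, why, $1; bad++ }
    /^[ \t]*$/ { next }     # assumption: blank lines are ignored
    {
        lhs = $1
        msg = substr($0, length(lhs) + 2)   # text after the first <Tab>
        if (NF < 2 || lhs == "" || lhs ~ / /) {
            report("left and right sides must be separated by <Tab>")
            next
        }
        if (msg ~ /^[ \t]*$/) { report("missing rejection message"); next }

        # Treat the left side as an IP pattern when every dot-separated
        # part is a number or "*", and at least one part is a number.
        n = split(lhs, part, ".")
        numeric = 0; ip_like = 1
        for (i = 1; i <= n; i++) {
            if (part[i] ~ /^[0-9]+$/) numeric++
            else if (part[i] != "*") ip_like = 0
        }
        if (ip_like && numeric > 0) {
            if (n != 4) {
                report("IP pattern needs four parts, one * per wildcarded part")
            } else {
                for (i = 1; i <= 4; i++)
                    if (part[i] != "*" && part[i] + 0 > 255)
                        report("part out of range: " part[i])
            }
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: lines 1-2 follow the documented syntax, line 3 is the
# invalid wildcard form, line 4 uses spaces where the <Tab> should be.
sample_spammers() {
    printf 'iam.aknown.spammer.com\tMail rejected, contact postmaster@my.domain.com\n'
    printf '132.147.193.*\tMail rejected\n'
    printf '132.147.*\tMail rejected\n'
    printf '*.spammer.com    Mail rejected\n'
}
```

Calling lint_spammers /etc/mail/table/spammers prints one line per rejected entry and returns a non-zero status, so it can gate the makemap step in a script.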


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999