New notification mechanism

Posted on Tuesday, 18th May, 2004 by ianmacd

The old notification mechanism has been replaced with a new one in the shape of a Mailman mailing-list.

The old Movable Type notification facility did not require confirmation when subscribing to notifications, which could result in falsely subscribed users with no easy way to unsubscribe themselves. A Mailman mailing-list puts paid to that worry and also makes it possible for users to unsubscribe themselves at will.

So, if you want to receive a brief e-mail whenever an entry is posted to this blog, just subscribe to the mailing list.

Posted in Life | Leave a comment

The war on spam

Posted on Monday, 17th May, 2004 by ianmacd

I spent a chunk of the weekend working on impoving caliban.org‘s anti-spam measures. I’d been running with the same configuration for quite a while, which was basically a basic Postfix configuration on the front-end and SpamAssassin on the back-end.

This worked well, but I decided it was time to consider using some real-time blackhole lists (or RBLs, as they’re called). Since MAPS turned into a subscription-only service, I haven’t been using blackhole lists for the outright rejection of mail, as I didn’t think any of them were as trustworthy as MAPS.

I haven’t had to do much professional SMTP server administration since 2000, so it had had been quite a while since my last assessment of other RBLs. In light of this, I decided to have a look at how professionally the currently active RBLs are administered.

I was pleased by what I found. A few of the lists appear to be very professionally administered, so I decided to use them for front-end mail rejection as opposed to just back-end spam tagging. Previously, I was using several blacklists in combination with SpamAssassin to tag messages as possible spam, but the messages were then subject to many other tests to determine whether they exhibited other spam-like characteristics.

Using up-front rejection, however, the mere presence of the sending host on one of these lists results in an immediate rejection of the message being offered. There’s no second chance to inspect the actual header and body of the e-mail, so one needs a very high degree of confidence in the quality of the blackhole lists being used as the basis for this decision.

SpamAssassin’s use of blacklists is a little different, anyway, as it will check the host in the chronologically first Received line to see whether the originating host is on a blacklist. Envelope-time rejection, however, as performed by an MTA, checks only the IP address of the connecting host and possibly the domains that it claims in the HELO and MAIL FROM lines.

I upgraded to Postfix 2.1 a few weeks ago. After this weekend’s fine-tuning, the relevant part of main.cf now looks like this:

strict_rfc821_envelopes = yes

strict_mime_encoding_domain = yes

Use this when reject_unknown_hostname is true

unknown_hostname_reject_code = 550

Use this when reject_unknown_sender_domain is true

unknown_address_reject_code = 550

Use this when reject_unverified_sender is true

unverified_sender_reject_code = 550

smtpd_client_restrictions = permit_mynetworks

Lots of ‘good’ sites have broken reverse DNS

reject_unknown_client

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks

reject_unauth_pipelining

reject_invalid_hostname

reject_non_fqdn_hostname

This traps too many poorly configured good guys

reject_unknown_hostname

smtpd_sender_restrictions = permit_mynetworks

smtpd_recipient_restrictions = permit_mynetworks

reject_unauth_destination

check_recipient_maps

reject_multi_recipient_bounce

reject_non_fqdn_sender

reject_non_fqdn_recipient

reject_unknown_sender_domain

check_client_access hash:/etc/postfix/client_access

reject_rbl_client bl.spamcop.net

reject_rbl_client dnsbl.sorbs.net

reject_rbl_client rhsbl.sorbs.net

reject_rbl_client sbl-xbl.spamhaus.org

reject_unverified_sender

address_verify_map = btree:/etc/postfix/verify

In the above, I have optimised the order of the controls for network traffic and, by extension, response time. For example, there’s no point running most of the tests if we already know that the intended recipient does not even exist. For this reason, most tests are deferred until the RCPT TO comes in.

First of all, we require an SMTP HELO and demand that the other side strictly comply with RFC821. For good measure, we also disallow unauthorised pipelining of SMTP commands. This, alone, will catch some very poorly written spamware in the act.

Next, when the HELO arrives, we check for a validly formed, fully-qualified hostname. Again, a few clueless spammers may be caught out here, but there are no significant gains. Ideally, we’d also reject anyone who passes us a hostname with no matching A record in DNS, but plenty of good sites don’t have their act together here and it quickly became apparent that I was going to reject a lot of good mail with this in place.

Next, we let the MAIL FROM stage pass without action, as we are waiting for the RCPT TO before performing our main suite of tests. Once we get the data from the RCPT TO, we’ll perform our MAIL FROM checks only if we decide we still need to.

At the RCPT TO stage, we order the tests for minimum network load and processing. We check that the remote side is not trying to relay and then the intended recipient does, in fact, exist. Next, we check for a fully qualified sender domain in the MAIL FROM as well as a fully qualified recipient in the RCPT TO. We also refuse any e-mail that is a multi-recipient bounce, which is another technique used by spammers for squeezing their messages into your server on a technicality. None of these checks requires any additional network traffic.

Next, we check DNS for an A record for the sender domain. If we find one, we then check a whitelist of domains that we always want to accept mail from. Basically, we want to spare them from the upcoming tests, which we can’t guarantee they will pass and we always want to receive e-mail from these systems.

Now, the tests get a little heavier on the network. In turn, we check SpamCop, SORBS and Spamhaus for the IP of the remote host. If found, we reject the message on the spot. From my research, these lists demonstrate that they are fairly administered and that the chance of false positives is small. That wasn’t always the case with SpamCop, but they seem to have improved a lot in recent times.

Any mail that has made it this far is doing pretty well, but there’s one final test we subject it to at this point. We take the address in the MAIL FROM and use it to make an SMTP connection back to the sender, going as far as issuing a RCPT TO with that address, but not following up with the usual DATA section.

The purpose of this exercise is to ascertain whether the ostensible sender has a real account that can be delivered back to. A sender who cannot receive replies is considered spam and we reject the original incoming message. A cache of legitimate sender addresses is built up in order to minimise the amount of work that is needed for the verifcation process.

The directives that set reply codes to 550 are there to ensure that all rejections are permanent. Postfix defaults to a 450 response on these types of rejections, which signifies a transient error. That means the remote host is basically told to correct the problem and try again. Of course, that will never happen, so we cold-heartedly reject the message as soon as we find a problem with it. Otherwise, the remote side will periodically try to resend it and we will keep on needing to check it and reject it.

Since instituting these changes, I’ve been rejecting an awful lot of e-mail. Some of it is e-mail that SpamAssassin would previously have trapped anyway, but now I’m preventing it from ever entering the system. It’s better to reject spam at SMTP-time, rather than accepting it into the system, as the latter course of action is rightfully interpreted by spammers as successful delivery. They don’t care that the mail was later filtered and not read; they care only that it was accepted by the receiving server.

Postfix really is a superb piece of software and I highly recommend it. Few MTAs offer so much fine-tuning in the fight against spam, whilst still maintaining legible configuration files.

Posted in This Site | 1 Comment

Get new entry notifications via e-mail

Posted on Thursday, 13th May, 2004 by ianmacd

There’s now a small form in the sidebar on the left, where you can sign up for e-mail notification of new blog entries. Just fill in your e-mail address, click the button and you’ll be signed up.

Posted in Life | Leave a comment

Next moves

Posted on Thursday, 13th May, 2004 by ianmacd

I was thinking about the future today. To make any reasonable judgement about the future, one must demonstrate some wisdom with regard to the past.

When I was in my twenties and dissatisfied with my first few jobs, I can remember thinking that I was simply experiencing a bad run of luck. All my jobs had sucked in some way or other and if I could just jettison this lousy company, all would be well, because my next job would surely see me at a company where people do things the right way and I wouldn’t have to be frustrated by the futility and wastage any more.

Sooner or later, though, you realise that it’s impossible to roll the die a hundred times and see the 1 come up on top every time. The law of averages has to kick in somewhere, right? Rather reluctantly, one must ultimately conclude that inefficiency, wastage and futility are not the diseases of an ailing company; rather, they are endemic to the working environment itself and all companies suffer from these ailments to some extent.

A problem with the field of system administration is that it’s hard to convince people of the necessity of good procedural methodology. All too often, young managers mistake their strong intuition for actual experiential wisdom. In other words, when they tell you which approach to take to a problem, be it technical, political or whatever, frequently they think they are drawing on experience in a similar situation, when really they are simply following a hunch. Balancing self-confidence with a healthy sense of one’s limitations is quite a feat of acrobatics for many.

What I’m getting around to saying here is that there will always be particular kinds of frustrations when one is in the employ of another. One can either resign oneself to these frustrations, seek another line of work, or seek to liberate oneself from the yoke of toil in the service of another.

All of which simply brings me back to the beginning of this entry: I was thinking about the future. With the prospect of some modest financial reserves at my disposal within the next year or so, the notion of becoming my own boss becomes a very real and attractive possibility.

But what to do? If you are going to start a successful company, you need a good idea, funding, a certain measure of luck, conducive market conditions and expertise. The most important market condition is that there is a genuine need for the service or product you intend to offer.

I’ve always wanted to write a book related to the field of system administration, but the biggest problem there is identifying a gap in the market and coupling that with the need for expertise. It’s hard enough to come up with an area of the field that hasn’t already been published to death. If you succeed, you need to be pretty lucky to also happen to have strong expertise in that area.

I could write a bad book on several different topics. I am knowledgeable on all of them, but my book would not stand out from the crowd, because I am not a true expert in those fields. There are one or two areas in which I am fairly strongly skilled, but those areas are already represented by strong books covering the field. And that’s why I haven’t yet published a book: because I don’t want to be a mediocre author.

Anyway, that was another digression, simply because it’s analagous to deciding whether it makes sense to set up one’s own company.

I can think of a massive gap in the market: a decent calendaring system that runs on Linux. Decent is a subjective notion, of course, and I won’t go into it here. Suffice it to say that all solutions I’ve seen in the last ten years have been inadequate in one or more ways, sometimes hopelessly so.

So, why not set up a company to produce a decent calendaring package for Linux? Because I don’t know enough about it. I’m not a talented software engineer, so I’d need to find someone else to do the actual work. I think a company has its greatest chance of success when started by a founder who, himself, has actual expertise in the field into which he is entering.

How about Linux consulting? Well… A packet-filtering firewall for customer X; a Web server for customer Y; e-mail infrastructure for customer Z. It’s all very nice, but it’s yesteryear for me. Been there, done that, etc. It just doesn’t excite me any more.

Perhaps that lack of excitement is burn-out; perhaps I’m simply jaded with my profession. I suppose I won’t really know until I’ve been out of work for several months and able to recuperate. I’ve met some great people in my career, however, and the thought of starting a company with them is very appealing. Of course, they, themselves, would have to be amenable to the idea, too, but I already know of a couple who would be.

So, it’s really just a question of coming up with a good idea and being knowledgeable enough about the associated field to have the confidence and wherewithall to succeed. Easier said than done, though.

While on the subject of calendaring software, I released version 0.2.1 of Ruby/CorporateTime tonight.

Posted in System Administration | 3 Comments

12th May 2004

Posted on Wednesday, 12th May, 2004 by ianmacd

Too much has happened over the last six months to bother going into much detail here.

In short, the Killing Joke concert I mentioned was so good that I deliberately missed my flight to Austin for it and consequently also missed the Ruby conference. Oh well.

Christmas came and went. As usual, we spent it on the east coast in Providence.

Sarah and I spent a week in The Netherlands at the end of April. We had a great time, but we were quite busy, so we hardly got to see any old friends.

Google has filed to go public.

Our plan to return to The Netherlands for good has now been postponed until the summer of 2005.

Finally, I’ve installed Moveable Type at home, so my blog will now be maintained there. This will be my last posting to Advogato.

Posted in Advogato | Leave a comment