hMailserver And Spam Blocking 2010-08-24
Special Note: The email addresses in this post do not exist. There is no reason for any human to ever send email to any of these addresses because nobody will ever see them. You should expect a "Ain't No User" error message if you send any email to any of the addresses on this page. Having said that, I bet some spammers (ironically the topic of this post) will scrape some of these addresses and wind up on my DNS blacklist eh!
So hMailServer is working out pretty good. As stated previously, I have a Windows 2000 (SP3) machine running hMailServer v5.x, and last night I got some nifty antispam shit setup. I found this sweet website that provides a DNS blacklist based on country of origin. Interesting you say eh? So what can you do with that? Well, here is how you can setup your hMailServer to disallow mail from selected countries. If you run different mail software let me first hope that it is not Exchange and then tell you that this may still help in concept.
First, you want to understand what a DNSBL is and how it works. Start by checking out this DNSBL page and maybe this little tutorial. If you find yourself becoming concerned about the "criticisms" part of the wiki entry stop and think about it for a moment. The primary argument of DNSBL haters is that it serves as censorship. This is a crock of shit, the whole concept of free speech is that you can say whatever the fuck you want AND I also have the choice to not listen to your fucking crap. All DNSBLs do is provide people with a way to not listen to the free (and annoying) speech of spammers. DNSBLs are not censorship, they are about providing choice to the listener instead.
If you have decided that DNSBLs are for you, then you need to setup your mail server to use them. Now hMailServer comes with a couple of default DNSBLs that can simply be turned on. I personally use the spamhaus list but not the spamcop list on my server. To enable spamhaus (or spamcop), connect to your server with the hMailServer client and navigate through the left pane to Settings -> Anti-spam. By default v5.x should come with entries already listed for both. Just select enable (see fig. 1) and voila it is ready to start evaluating crapmail.
Things to take note of are the "Expected Result" and the "Score". If the DNSBL server returns one of the IP addresses in "expected result" then "score" will be added to the message. Expected Result is a list of IP addresses separated by pipe symbols and score is an integer value (can also be negative). The scores that a message receives are then used to determine what action hMailServer will take on the message. Click on Anti-spam in the left pane to see the config settings for this.
As you can see, I have set my "spam mark threshold" to 1, which means that anytime an email scores 1 or higher, it will have headers added to it by hMailServer. My "spam delete threshold" is set to 20 (which my messages never reach) so hMailServer never deletes any of my spam, it simply marks it with headers. What do my headers look like as a result of these headings? Here's a sample from this morning...
Received: from speedtouch.lan ([188.8.131.52]) by mail.snork.ca ; Tue, 24 Aug 2010 08:02:59 -0400
Received: from 184.108.40.206 by mail.100straight.com; Tue, 24 Aug 2010 14:02:56 +0100
From: "Ethan Moreno" email@example.com
Subject: Ethan Moreno sent you a message on Facebook
Date: Tue, 24 Aug 2010 14:02:56 +0100
Content-Type: multipart/alternative; boundary="—-=_NextPart_000_0007_01CB4384.49DEE6C0"
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-hMailServer-Reason-1: Rejected by Spamhaus. - (Score: 3)
Some people may think this is just a lot of crap, but it is really not that hard to understand once you get used to seeing information in this format. You'll notice that my mail server (mail.snork.ca) received a message from the IP address 220.127.116.11 and as it turns out, that address is listed in the spamhaus DNSBL. The last three lines of that header were put there by my mail server. They say that
- YES it is spam because
- the IP address is listed at spamhaus (which added 3 to it's score)
- giving the message a final score of 3
Other than that, the message is essentially unchanged. So how does that help? Well in my email client I setup rules that say "If X-hMailServer-Spam is YES, then move message to Spam Folder"... additionally I also set it to mark the message as read so I don't have to see an unread message count on my spam folder. Cool eh? But what about this blocking by country stuff? Well, if you do a quick lookup on the above IP address you'll see that it is from Dominican Republic, which I am not blocking. Let's see how country blocking works:
Now that you know a bit about how hMailServer tags messages and how a DNSBL works, you can imagine how the DNSBL for countries works as well. The guy who runs countries.nerd.dk has setup a DNS server that will return a different IP address for your mail server's queries based on what country the sender is in. It does not evaluate whether the message has the word V1AgRA or R01EX, it does not evaluate whether or not that IP address has been caught sending spam previously, it does not evaluate anything other than where it is from. Individual mail administrators are able to use this information to block countries they do not wish to accept mail from.
In order to use this you need to first decide which countries you want to block. Start by going to here and looking at the list of country codes and write down all of the two-letter codes of the countries you wish to block. Then go to the results list chart at countries.nerd.dk and record the corresponding IP addresses. I found that it was helpful to simply put a text file on my desktop that looks something like this:
CN 127.0.0.156 HK 127.0.1.88 KH 127.0.0.116 KP 127.0.1.152 RU 127.0.2.131 TW 127.0.0.158
... and so on. It is a good idea to keep this recorded in an accessible place so that later on, if someone gives you shit for blocking them, you can quickly check your country blocks (instead of trying to reverse lookup the chart). Now that you have this list you can setup a new DNSBL service on your mail server. Go back to where you enabled spamhaus (Settings → Anti-spam → DNS Blacklists) and add a new blacklist. you'll want to set it up similar to the shot shown here:
The red arrow (see fig. 3) shows the address of the DNSBL which is zz.countries.nerd.dk, the blue arrow is where you put your list of IP addresses (separated by pipes), and the green arrow shows the score which is what will be added to the message if the country is on your block list. If you don't know what a pipe character is (you gotta seriously consider whether running a mail server is a good idea for you) it is what you get when you hold down SHIFT and press the backslash (\) key. It should look like a vertical line (Jesus I can't believe I just typed that).
Now that you have added this entry (and enabled it) you should start to see new headers and new scores in your email headers. Here's one that matched both of my DNSBLs:
Received: from AIHWJTQU ([18.104.22.168]) by mail.snork.ca ; Mon, 23 Aug 2010 08:41:33 -0400
Received: from [22.214.171.124] (port=9969 helo=wasim386f00157) by
mailserver.damowalsh.com with asmtp id 0C5E2C-000745-48 for
firstname.lastname@example.org; Mon, 23 Aug 2010 05:41:28 -0800
From: "Carlo Springer" email@example.com
Subject: Get a promotion at work after you get another diploma.
Date: Mon, 23 Aug 2010 05:41:28 -0800
Content-Type: multipart/alternative; boundary="—-=_NextPart_000_0005_01CB42C0.817C4470"
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Spam: Not detected
X-hMailServer-Reason-1: Rejected by country. - (Score: 2)
X-hMailServer-Reason-2: Rejected by Spamhaus. - (Score: 3)
Notice the new header that shows it was found in the country DNSBL as well? Turns out that IP address is in Pakistan which is on my list of countries to block. And notice that this message has scored a total of 5? If you have elevated trust in a particular country to not send spam you could create another DNSBL that would reduce the score. I am considering setting hMailServer to delete anything that achieves a score of 5 (on both blacklists) so that my mail client never even sees it. In the end, it is up to you the mail administrator to decide what scores are appropriate and which are not. Good luck with that.