===============================================================================
SingCERT Advisory SA-98.01.uce_spam_mail
Original issue date: June 16, 1998
Topic: Increase of Mail Abuse and Unsolicited Spamming
-------------------------------------------------------------------------------

SingCERT has received increasing reports of mail spamming and abuse. The
most common form is unsolicited commercial email, otherwise known as UCE.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

-------------------------------------------------------------------------------

I. Description

The cost of sending an email message to an individual recipient is in most
cases identical to the cost of sending that same message to a list of 500
email addresses. This fact alone becomes the primary stimulus for
advertisers to use email as a means of reaching a wide audience very
cheaply.

In addition, the existence of websites that let any internet user send
email anonymously encourages anonymous and sometimes abusive email. Abusive
anonymous email also belongs in the category of undesired email.

II. Impact

The proliferation of electronic junk mail affects the internet community,
particularly the users who post regularly to Usenet newsgroups and those
who publish their email addresses by other means. The activities of a small
number of people have become a much bigger problem for the internet.

III. Solution

The simplest solution is personal tolerance and the use of the delete
command in your Mail User Agent (MUA). If the email is spam mail, simply
delete the offending message. However, constant and consistent receipt of
unsolicited email can be a sore test for any user's patience.

As an Internet user, the only true recourse you have at your disposal is to
implement filters at the client level.
SingCERT recommends that you choose to use a MUA that allows you to filter
out unwanted email before you read it. Better mail clients can filter your
messages based on intelligent rules.

Administrators of mail servers can take this a step further by installing
filters into the Mail Transport Agent (MTA) on their servers. This is
generally the best place to implement anti-spam measures. Most MTAs can be
modified to perform simple checks such as domain name verification before
delivering the mail message. In addition to this, it is critically
important for administrators of mail servers to control mail relaying on
their servers. The default configuration of many MTAs allows relaying from
any host.

Network administrators may alternatively choose to implement filter rules
at the router level. This effectively blocks all IP traffic from
blacklisted addresses. Firewall administrators can opt to block just mail
traffic from spam sites.

Regardless of the solution you apply, there is no optimal workaround that
can guarantee the rejection of all junk mail addressed to you. All
solutions presented in this advisory share the common side effect of
possibly filtering away legitimate mail traffic. Additionally, some spam
mail may escape the filter rules.

MTA Specific Solutions

A. sendmail

Eric Allman has published sample configurations for sendmail version 8.8
that help control mail relaying as well as restricting mail acceptance from
selected sites. These measures come as standard features in sendmail
version 8.9, which is currently in beta. Specific instructions are at:

    http://www.sendmail.org/antispam.html

B. qmail

Dan Bernstein's qmail is a drop-in replacement for sendmail. Its default
configuration prevents unauthorized mail relay. Additional information and
tools are at:

    http://www.qmail.org/

C. exim

Exim is another drop-in replacement for sendmail developed at the
University of Cambridge and based on smail version 3.
Default installation does not allow unauthorized mail relay. Unwanted spam
and UCE can be blocked via a variety of methods. More information can be
found at:

    http://www.exim.org/

MUA Specific Solutions

A. Eudora

Eudora is a widely used commercial MUA that runs on the Windows platform as
well as MacOS. Eudora Lite is its freeware version. There are a number of
third-party plugins that can perform various degrees of mail filtration.
Refer to:

    http://eudora.qualcomm.com/central/plugins/

B. Netscape

Netscape Communicator 4 comes complete with the Netscape Messenger Mail
Filter. For instructions on how to use these filters effectively, please
check:

    http://coldcure.com/html/no_spam.html
    http://www.aibn.com/help/Software/Netscape/Communicator/Messenger/filters.html

C. Procmail

Procmail is a versatile unix mail processing utility that can help you
filter or sort your mail. Procmail can be downloaded from:

    ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/

Useful instructions on how to use procmail:

    http://shell3.ba.best.com/~ariel/nospam/proctut.shtml
    http://www.gl.umbc.edu/~ian/procmail.html
    http://www.acme.com/mail_filtering.html

IV. Additional Notes

The Mail Abuse Protection System (MAPS) championed by Paul Vixie is
maintaining the Realtime Blackhole List (RBL). The MAPS RBL is a published
list of sites that engage in or tolerate abuse of email. It is a system for
creating intentional network outages for the purpose of limiting the
transport of unwanted mass email.

The list is available in realtime via DNS or alternatively as a BGP feed.
Most modern MTAs have builtin hooks or available patches that allow
communication with the MAPS RBL prior to accepting an email message for
delivery.
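
The relay control described in section III and the DNS-based blackhole
lookup described above can be combined into one acceptance decision at SMTP
time. The sketch below is an added example, not part of the SingCERT
advisory or of any MTA's own code. Assumptions: the zone dnsbl.example, the
local domain, the relay network, the function names and the zone data are
constructed placeholders; a listed address is taken to resolve to an answer
in 127.0.0.0/8, the usual convention for DNS blocklists; IPv4 clients only.

```python
import ipaddress

# Constructed values for illustration only (none come from the advisory).
DNSBL_ZONE = "dnsbl.example"                         # placeholder blocklist zone
LOCAL_DOMAINS = {"example.org"}                      # domains this server delivers for
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # clients allowed to relay
LISTED = {"7.113.0.203.dnsbl.example": ["127.0.0.2"]}  # constructed zone data


def fake_resolver(name):
    """Stand-in for a DNS A lookup: addresses found, or [] if the name does not exist."""
    return LISTED.get(name, [])


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip, resolver):
    """A client is listed when its query name resolves into 127.0.0.0/8."""
    try:
        answers = resolver(dnsbl_query_name(client_ip))
    except OSError:
        return False  # fail open: a DNS outage must not reject legitimate mail
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def rcpt_decision(client_ip, rcpt_to, resolver=fake_resolver):
    """Decide at RCPT TO time: 'accept', 'reject-relay' or 'reject-listed'."""
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    trusted = any(addr in net for net in RELAY_NETS)
    if domain not in LOCAL_DOMAINS and not trusted:
        return "reject-relay"    # outside client to outside recipient: refuse to relay
    if not trusted and is_listed(client_ip, resolver):
        return "reject-listed"   # sender's address appears on the blocklist
    return "accept"
```

The fail-open branch reflects the advisory's caution that filtering can
discard legitimate mail: a lookup failure is treated as "not listed".
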
The following mail agents/proxies/wrappers can support MAPS RBL:

 * sendmail at http://maps.vix.com/rbl/usage.html
 * qmail at http://www.qmail.org/rbl/
 * exim at http://www.exim.org/howto/rbl.html
 * zmailer at http://www.zmailer.org/
 * smail 3.x at ftp://ftp.reptiles.org/pub/smail/smail-rbl.patch
 * smtpd at http://www.obtuse.com/smtpd.html
 * stalker internet mail server at http://www.stalker.com/SIMS/
 * blackmail at http://www.jsm-net.demon.co.uk/blackmail/blackmail.html
 * smap at http://www.sabernet.net/products/
 * procmail at http://www.xnet.com/~emarshal/rblcheck/
 * tcpd at http://www.smallworks.com/anti-spam/

For more information on MAPS RBL, refer to http://maps.vix.com/rbl/

SingCERT Contact Information
----------------------------

Email    cert@singcert.org.sg
Phone    +65 874-8888 (Office Hours Hotline)
         SingCERT personnel answer 8:30-5:00 p.m. SGT(GMT+8)
Fax      +65 872-6198

Postal address
         SingCERT
         3rd Floor Computer Centre
         National University of Singapore
         10 Kent Ridge Crescent
         Singapore 119260

Using encryption
    We strongly urge you to encrypt sensitive information sent by email.
    We support PGP. Contact SingCERT for more information.

    Location of SingCERT PGP key
        http://www.singcert.org.sg/asc/singcert.asc

Getting security information
    SingCERT publications and other security information are available from
        http://www.singcert.org.sg/
        ftp://ftp.singcert.org.sg/pub/

    To be added to our mailing list for advisories and bulletins, send an
    empty email message to
        singcert-advisory-subscribe@singcert.org.sg

-------------------------------------------------------------------------------
Copyright 1998 SingCERT.