Kai's SpamShield™
No weaseling webbugs.
No gagging GIFs. No jerking Javascript.
No pooping popups. No manic music.
Die Microsoft, die
"The war won't be over until the last spammer's head is stuck onto a spear at the city limits."
[Paul Vixie, NANOG mailing list, Sept.1997]
Spamworld - SpamShield.org's current 24-hour view of the world via Google Maps
What is SpamShield™?
Has SpamShield™ 2.0 been released?
Is there a mailing list I can sign up for to get news about SpamShield™?
What version of Sendmail™ is SpamShield™ compatible with?
What operating systems does SpamShield™ run on?
What does it do?
What about [Open] Source?
How is SpamShield™ licensed?
When and where was SpamShield™ first published?
What's with all the trademark (™) signs?
Nine years is a long time between releases, don't you think?
[Spammer]: But mail should flow unimpeded, especially MINE! - I am a respectable business man!
[Spammer]: We'll sue you for "any reason"!
We are an ISP/NSP, where are the emails that SpamShield™ complains about?
We are an ISP/NSP, and we are extremely annoyed by all those SpamShield™ alarm messages!
Someone pointed us here for some cool tools and toys!
A trojan horse/botnet conspiracy?
What is SpamShield™?
- SpamShield™ is companion software for the non-commercial version of Sendmail™, the world's most
popular mail server software (MTA) for Unix-like operating systems. It remains untested with the commercial version of
Sendmail made by Sendmail, Inc.
Has SpamShield™ 2.0 been released? Oh, please, daddy, please!
- No, unfortunately not. While the functionality is 99% done, the documentation is 99% NOT DONE,
and the license/legal work is lagging behind as well.
Is there a mailing list I can sign up for to get news about SpamShield™?
- Yes, finally there is! Many thanks to Daniele Frijia for running the mailing lists for us:
- Sign up via email by sending mail with a subject of "subscribe" to:
spamshield-users-request (AT) list.spamshield.org (General user discussion: installation, operation, etc.)
spamshield-announce-request (AT) list.spamshield.org (Moderated, infrequent announcements)
- You can sign up via a web interface at http://list.spamshield.org/ as well.
What version of Sendmail™ is SpamShield™ compatible with?
- Development of SpamShield 2.0 was done against Sendmail 8.9.3 for more than two years.
- SpamShield 2.0 is officially compatible with Sendmail 8.12.10 and 8.12.9, and should work with any version since 8.9.3.
What operating systems does SpamShield™ run on?
- It runs on common UNIX-like operating systems like BSD/OS (BSDI) (R.I.P.!), FreeBSD, OpenBSD and Linux,
but is not designed to run on SCO Unix under any circumstances.
Indeed, its licensing conditions prohibit running it on SCO Unix systems - take that, SCO crooks!
- SpamShield™ has historically been developed on BSD/OS (BSDI) (R.I.P.!) 3.1 through 4.1 but
has been fully tested on FreeBSD 4.4 through 4.10, RedHat Enterprise Server 3, and somewhat tested
on RedHat Linux 6 and 7. Adaptation to a different flavor of UN*X (We can't say
UNIX™ without getting sued - damn those SCO crooks, again!)
should involve only trivial modifications by a competent system administrator.
What does it do?
- SpamShield™ provides strong traffic control for your Sendmail server:
- Keeps graded history of Sendmail-logged events for every single connecting host
- Will notify you by email/pager about 'notice' and 'alarm' activity levels exceeded
for any host
- Can mail you all relevant Sendmail maillog lines for a given host for a notice or alarm
- Can automatically complain to the originating ISP/NSP (by AS number, verified
rDNS name of host or manually configured netblock) about the activity seen - and
will censor the maillog for varying levels of privacy (user & mailbox names suppressed, etc.)
- Modular approach to 'alarm action' applied to the connecting host or a 'surrounding'
network block of arbitrary size: blocking an entire /16 in China in reaction to
an open proxy attacking your server has never been easier.
- SpamShield™ ships with 'alarm action' modules to:
- blackhole a host or network with a local (loopback) blackhole route
- block a host or network via Sendmail access file
- firewall/blackhole via FreeBSD 'ipfw'
- firewall/blackhole via Linux 'iptables' (beta)
- more modules are possible: gated/zebra blackhole feeds, DNSBL zone file generation
- Activity levels and the decay of grading over time are configurable on a per-host, per-network basis.
- Activity grading can be arbitrarily adjusted for any Sendmail-logged event
- Recognized Sendmail-logged activity (not an exhaustive list):
- Mail volume in KB per host delivered to local users or forwarded
- RCPT TO: grading for accepted & delivered mail
- RCPT TO: grading for 'User unknown' (stops SMTP dictionary-cracking cold!)
- RCPT TO: grading for specially designated 'User unknown - Spammers must die' spamtrap configurations
- VRFY/EXPN denied/granted events (stops SMTP dictionary-cracking cold!)
- Automatic recognition of mail-bombing attacks against specific users
- Connection probes (Null Connections) (broken proxy rape & spamware!)
- Arbitrary rejections for any reason (DNSBL, access file, etc.)
- Constant watchdog over max. permissible simultaneous SMTP connections per host
- Will kill processes to cut off abusive excess connections and defend against reconnects very rapidly. (Except Sun Solaris™)
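To make the grading, decay and 'alarm action' pipeline described above concrete, here is an added example in Python. It is not SpamShield's code (SpamShield itself is Perl): the regexes only approximate the shape of Sendmail 8.12 maillog lines, and the grades, thresholds, one-hour half-life, spamtrap list and sample log lines are all constructed assumptions. It keeps a decaying per-host score, promotes a 'User unknown' on a designated spamtrap to a heavier event, and maps an alarm to the same four kinds of action listed above (blackhole route, access file, ipfw, iptables), returning the command rather than executing it.

```python
"""Graded per-host history over Sendmail maillog lines, with decay over time,
notice/alarm thresholds and pluggable 'alarm action' modules.
Added example, not SpamShield's code; log formats and numbers are assumptions."""
import ipaddress
import re
from datetime import datetime

YEAR = 2008                 # syslog timestamps carry no year (assumed)
HALFLIFE_SECS = 3600.0      # a host's grade halves every hour (assumed)
NOTICE, ALARM = 10, 20      # activity thresholds (assumed)
SPAMTRAPS = {"spamtrap@example.com"}   # designated 'User unknown - Spammers must die' boxes
GRADES = {                  # points per logged event (assumed; SpamShield makes these configurable)
    "user_unknown": 5, "vrfy_expn_denied": 5, "null_connection": 3,
    "spamtrap": 10, "accepted": 1,
}

# Regexes approximating Sendmail 8.12 maillog lines; not SpamShield's own parser.
_TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
_RELAY = r"relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]"
PATTERNS = [
    ("user_unknown", re.compile(_TS + r".*" + _RELAY +
                                r".*reject=550 [\d.]+ <(?P<addr>[^>]+)>\.\.\. User unknown")),
    ("vrfy_expn_denied", re.compile(_TS + r"NOQUEUE: \[(?P<ip>[\d.]+)\]: (?:VRFY|EXPN) .*\[rejected\]")),
    ("null_connection", re.compile(_TS + r".*\[(?P<ip>[\d.]+)\] did not issue MAIL/EXPN/VRFY/ETRN")),
    ("accepted", re.compile(_TS + r".*from=<[^>]*>.*" + _RELAY)),
]

def parse(line):
    """Return (timestamp, client ip, event) or None for lines that are not graded."""
    for event, pat in PATTERNS:
        m = pat.search(line)
        if m:
            if event == "user_unknown" and m.group("addr").lower() in SPAMTRAPS:
                event = "spamtrap"       # a designated trap outranks a plain typo
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)
            return ts, m.group("ip"), event
    return None

class HostHistory:
    """Decaying score plus the raw events, so an alarm mail can quote the maillog."""
    def __init__(self):
        self.score, self.last, self.events = 0.0, None, []

    def add(self, ts, event):
        if self.last is not None:        # exponential decay since the previous event
            age = max(0.0, (ts - self.last).total_seconds())
            self.score *= 0.5 ** (age / HALFLIFE_SECS)
        self.score += GRADES[event]
        self.last = ts
        self.events.append((ts, event))

    def level(self):
        return "alarm" if self.score >= ALARM else "notice" if self.score >= NOTICE else "none"

def grade_log(lines):
    """Fold maillog lines into {client ip: HostHistory}."""
    hosts = {}
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, ip, event = parsed
            hosts.setdefault(ip, HostHistory()).add(ts, event)
    return hosts

# Alarm action modules: each turns a host or a surrounding block into a command.
# They return the command instead of running it, so the example is safe to import.
def surrounding(ip, prefixlen=32):
    """The block to act on: the host itself, or e.g. its /24 or /16 (IPv4 assumed)."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)

def action_blackhole_route(net):         # BSD loopback blackhole route
    if net.prefixlen == net.max_prefixlen:
        return ["route", "add", "-host", str(net.network_address), "127.0.0.1", "-blackhole"]
    return ["route", "add", "-net", str(net), "127.0.0.1", "-blackhole"]
def action_access_file(net):             # Sendmail access map entry (keys are dotted prefixes)
    if net.prefixlen % 8:
        raise ValueError("access map keys are whole-octet prefixes: use /8, /16, /24 or /32")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return f"Connect:{'.'.join(octets)}\tREJECT"
def action_ipfw(net):                    # FreeBSD ipfw
    return ["ipfw", "add", "deny", "ip", "from", str(net), "to", "any"]
def action_iptables(net):                # Linux iptables
    return ["iptables", "-I", "INPUT", "-s", str(net), "-j", "DROP"]

# Constructed sample maillog (not real traffic): a dictionary attacker, a null-connection
# probe and one legitimate delivery.
SAMPLE_LOG = [
    "Jul 21 12:00:01 mx sendmail[1201]: m6LG01AB001201: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.com>... User unknown",
    "Jul 21 12:00:02 mx sendmail[1202]: m6LG02AB001202: ruleset=check_rcpt, arg1=<abby@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <abby@example.com>... User unknown",
    "Jul 21 12:00:03 mx sendmail[1203]: m6LG03AB001203: ruleset=check_rcpt, arg1=<spamtrap@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <spamtrap@example.com>... User unknown",
    "Jul 21 12:00:04 mx sendmail[1204]: NOQUEUE: [192.0.2.10]: VRFY postmaster [rejected]",
    "Jul 21 12:00:05 mx sendmail[1205]: m6LG05AB001205: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jul 21 12:00:06 mx sendmail[1206]: m6LG06AB001206: from=<alice@example.net>, size=1042, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.7]",
]

if __name__ == "__main__":
    for ip, h in grade_log(SAMPLE_LOG).items():
        print(f"{ip:15} score={h.score:6.2f} level={h.level()}")
        if h.level() == "alarm":
            print("  ", action_ipfw(surrounding(ip, 24)), "|", action_access_file(surrounding(ip, 24)))
```

Run as a script, the attacker 192.0.2.10 ends up at 'alarm' after two unknown users, a spamtrap hit and a rejected VRFY, while the null-connection probe and the legitimate sender stay at 'none'. The access-file module deliberately refuses prefixes that are not whole octets, because Sendmail's access map matches on dotted prefixes rather than CIDR; the other three modules take any block.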
What about [Open] Source?
- SpamShield™ is written in Perl and requires Perl 5.8.5 or later plus
certain Perl modules.
As such, it comes with full source at all times, and altering SpamShield™ to adapt it
to a specific environment is encouraged, if not required.
How is SpamShield™ licensed?
- SpamShield™ is released under a BSD-like license, with certain important restrictions.
The author(s) deem(s) it necessary to deny certain classes of individuals and organizations harmful
to the Internet community at large any rights under that license, including the right to copy, operate or derive any benefit
from SpamShield™ whatsoever. These classes include, but are not limited to:
- DMCA supporters (law makers, lobbyists, corporations expressing support for the DMCA, etc.)
- Plaintiffs in any legal action, threatened or actual, materially using the DMCA as a basis for the complaint (That means you, DirectTV crooks)
- Entities and their legal representatives threatening or actually suing DNSBL operators or
contributors to anti-spam efforts on the Internet for any reason at all
- Persons or entities committing, supporting or advocating unlawful acts against
DNSBL operators or contributors to anti-spam efforts on the Internet.
- Persons or entities committing, supporting or advocating the theft of IP space ('Hijacking')
- Persons or entities adversely affecting the public interest in free, open source software, freedom of expression or the first-sale doctrine with threatened or actual legal action. Examples:
- Microsoft and its major contractors, suppliers and resellers - for attempting to squash Linux and other open source altogether.
- SCO and their ridiculous Linux suit(s) and public statements that the GPL is unenforceable and will be ignored by them from this point on
- The DVD Copy Control Association - a mouthpiece of the MPAA
- The MPAA - a racketeering organization on a jihad against consumer rights and DeCSS
- The RIAA - another racketeering organization - suing everyone and their mother will stop the file-sharing and boost profits across the board, ya know!
- non-civilian government agencies of any country
- all government agencies of Cuba, Belorussia, Russia, China, North Korea, Burma, Thailand
- Persons or entities acting on behalf, in collusion or in concert with the above
When and where was SpamShield™ first published?
- The first version of SpamShield™ was published in Queens County, City of New York, United States
on Monday, July 21, 1997 at http://www.9inch.org/~kai/spamshield.html and
was announced on news.admin.net-abuse.misc, alt.kill.all-the-spammers and alt.cyberspace.rebels.kai.kai.kai (Thank you Bix!)
on Tuesday, July 22, 1997
- Since then, it has been updated several times and continuously published at a variety of websites, up to the current
one: http://www.spamshield.org
- Thousands of downloads of SpamShield™ were made from locations around the world in the first weeks after publication,
with an estimated total of over 10,000 downloads since first publication and an estimated
number of at least 3000 active installations.
What's with all the trademark (™) signs?
- 'SPAMSHIELD' is a common-law trademark
owned by Kai Schlichting in the United States and other countries that permit common-law trademarks.
- In order for a trademark to stay valid and not become a generic word, it has to be used
for a product advertised and distributed to the general public, and the trademarked word
should be marked with a 'trademark' or 'registered trademark' sign at all times to
signify its status as different from a generic word. Please acknowledge SPAMSHIELD as a
trademark in publications!
Nine years is a long time between releases, don't you think?
- The world is changing at an awfully fast pace nowadays,
and we all have different priorities. In August 2000, I decided that it was
time for an update, but the world (in general, and the world of spam in particular)
had begun to change faster than you or I ever expected. It certainly didn't help development.
[Spammer]: But e-mail should flow unimpeded, especially MINE - I am a respectable business man!
- A Dangerous Snare, a Fatal Delusion: Freedom - I won't.
- You have no rights. Being able to access (and send email) to systems that you don't own is a privilege, not a right. Obey, or wither and die.
We are an ISP/NSP, where are the emails that SpamShield™ complains about?
- SpamShield™ does not report on email content; it reports on SMTP activity. This activity is more often than not abusive all by itself and a strong indicator
of spamming or cracking activity, or of the simple fact that one of your dialups/DSL/cable modems is originating mail in ways that neither you
(nor, quite possibly, your customer!) nor the recipient appreciate: spamtraps are being hit, mail is being rejected for any and all policy reasons,
or unlawful discovery of valid/invalid accounts is taking place. Most of this does not generate actual mail
delivered to any mailbox: you may want to treat SpamShield reports as security incidents
rather than "spam complaints".
We are an ISP/NSP, and we are extremely annoyed by all those SpamShield™ alarm messages!
- It's quite simple: eliminate the illegal, AUP-breaking activity originating from your or your customer's network, and the notifications will stop automagically - and not just SpamShield's!
Neither SpamShield™ nor Sendmail™ are making up any incidents - they are merely the reporting conduit, albeit one that is a little different
from the usual source of mail to your abuse@ address.
- Routing SpamShield warnings to /dev/null may have an adverse PR effect and subject you
to civil liability - you were informed about those illegal activities on a regular basis
but treated them with reckless disregard and ignored them, you say?
- If you believe a site is wrongly targeting you with SpamShield reports, first check whether your abuse@
and postmaster@ accounts are in working order and your ASN registration is up to date and lists
an abuse contact (how to do this depends on your RIR: ARIN, LACNIC, RIPE and APNIC all do
things differently). THEN check back with the sending site (the return address the "SpamShield alarm" notice came with, or abuse@ and postmaster@ at its FQDN, are likely contacts): the default
setting for SpamShield's notifications is "off", and there is an infinite number of ways
for the local admin running SpamShield™ to configure this feature!
- SpamShield supports notification lists for ASNs and networks, and you may be the
upstream of a given ASN or network. If you determine that you are copied as an upstream, something is seriously
wrong with your downstream: they may be a rogue party, they may be crackers or spammers,
they may have no abuse contacts or have a publicly known history of unaddressed abuse/security issues.
This is configured by hand, and should be addressed with each site sending SpamShield reports individually.
Chances are that a site is copying you as an upstream as a very intentional act,
and it is up to you to force compliance with your AUP and applicable law upon your
downstream (customers): use of computer systems without authorization is a crime!
Someone pointed us here for some cool tools and toys!
- dummy-smtpd (V1.8, 20080414) - a fake logging SMTP daemon, designed to fool spamware attempting to circumvent your spam filters by connecting to your domains' lowest-priority mail exchanger (MX)
- fast-rdns.pl (V1.2, 20070430) - a fast reverse-DNS (rDNS) scanner, capable of scanning more than 100 hosts/sec
- route-leecher.pl (V1.8, 20031101) - The route-leecher : a program to list all BGP routes announced or transiting through a given list of ASNs via route-servers
- ip-leecher.pl (V1.1, 20031101) - The ip-leecher : a program to determine the selected/dominant BGP route (and originating AS) for a given IP number via route-servers
- Example of a tarpit patch for Sendmail to thwart SMTP dictionary cracking (rather untested/alpha code):
- cidr-convert.c - program to generate canonized lists of CIDR notation netblocks from expressions like "10.0.0.0-10.22.255.255" and "10.0.0.0/24, 10.0.2.0/255.255.252.0"
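As an added illustration of what cidr-convert does with the two expression shapes just mentioned, here is the same conversion in Python on top of the standard ipaddress module. It is not the page's C program; 'canonized' is taken here to mean sorted, merged and aligned to netblock boundaries, and the separate handling of IPv4 and IPv6 terms is an assumption.

```python
"""Canonical CIDR lists from range, mask and prefix expressions.
Added example in the spirit of cidr-convert; not the page's C program."""
import ipaddress

def parse_expression(expr):
    """Yield ip_network objects for each comma-separated term of expr.
    Accepts 'a-b' ranges, 'x/24', 'x/255.255.252.0' and bare hosts."""
    for term in expr.split(","):
        term = term.strip()
        if not term:
            continue
        if "-" in term and "/" not in term:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in term.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {term}")
            # smallest set of aligned blocks covering exactly lo..hi
            yield from ipaddress.summarize_address_range(lo, hi)
        else:
            # strict=False: host bits set in the address part (10.0.2.0/22)
            # are masked off instead of rejected, which is what a blocklist wants
            yield ipaddress.ip_network(term, strict=False)

def canonize(expr):
    """Sorted, merged CIDR strings covering exactly the addresses in expr.
    IPv4 and IPv6 are merged separately (assumption: v4 listed first)."""
    nets = list(parse_expression(expr))
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out

if __name__ == "__main__":
    for expr in ("10.0.0.0-10.22.255.255", "10.0.0.0/24, 10.0.2.0/255.255.252.0"):
        print(expr, "->", " ".join(canonize(expr)))
```

Note what happens to the second expression from the text: 10.0.2.0/255.255.252.0 is not on a /22 boundary, so it is normalized to 10.0.0.0/22, which then swallows the 10.0.0.0/24 term and the whole expression collapses to a single block.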
A trojan horse Botnet conspiracy?
The mysterious 'ntlmscp' worm: a secret botnet 14 months into the making? Ignored by AV-vendors, CERT, ISC?
Created: 2002/07/25, Last rev.: 2003/09/10, Last updated: 2008/05/03