drink the sweet feeling of the colour zero

A simple spam server


I can’t afford a really pricey third-party spam filtering option.  GFI, Symantec, even Microsoft offer up some pretty robust solutions.  They are pricey though, and I don’t see why I should bother fighting that particular funding war when there are some easy solutions available for free.  In my particular environment, I run an Exchange 2010 server front-ended by a CentOS box running Sendmail, SpamAssassin, ClamAV and a few others.

The first and most important thing is to of course go get the latest and greatest CentOS.  As of the time of this write-up that would be CentOS 5.5.  Toss it in a virtual machine and install it with nothing but the bare bones.  In my case, I gave it two interfaces; one directly externally accessible, and the other on my local LAN.  (I trust iptables to keep the baddies out as much as I do any other firewall, so I see little reason to hide the spam server behind a separate firewall and port forward.)  Let’s get to the build.

0) Set up your IP addressing according to your own internal schema.  Pointing the spam server at your internal DNS (probably your domain controller) saves you having to build extensive hosts files on the spam server.  (It will be talking to your Active Directory, so using your AD’s DNS is a good plan.)

1) Enable the RPMforge repo.  (https://rpmrepo.org/RPMforge/Using) I use this for the simple reason that they have a tendency to keep ClamAV significantly more up-to-date than Red Hat (and thus CentOS) do.  If you don’t use RPMforge, eventually ClamAV will get so out of date it will refuse to download new definitions.  Save yourself the aggravation; use RPMforge.  (I tend to wget the latest rpm, then “yum install [rpm name] --nogpgcheck”.  This is because CentOS doesn’t natively have RPMforge’s key available, and RPMforge keeps changing the location on their site where they store the rpm installer for the key…)

2) Install the necessary software: yum install procmail sendmail sendmail-cf sendmail-milter clam* spamass* pyzor perl-Razor-Agent

3) Download and install Webmin: RPMs are available, and certainly work well enough.

4) Disable SELinux and allow ports 10000 (Webmin) and 25 (SMTP) through the firewall, as those are the two services this box needs to expose.  You can usually do this from the command line via system-config-securitylevel on a base CentOS install.  Don’t forget to restart the system after disabling SELinux!  I know that there are ways around disabling SELinux, but frankly I’m too lazy to futz with the thing.  (At some point in the future I will figure out how to get SpamAssassin and ClamAV working with SELinux enabled.)

5) Create a user called Sendmail in your Active Directory in the OU “Users.”

6) Save the password for this user in a file on the spam server.  I used /etc/mail/ldap.secret.  (The -P option in the M4 configuration below must point at this same file, and since it holds a domain credential, make it readable by root only, e.g. chmod 600.)

7) Log into Webmin, and under servers go to “Sendmail Mail Server.”

The following is what we are going to need to modify to get Sendmail to use ClamAV and SpamAssassin.  It will also be set up to talk to your domain controller in order to look up users when a server attempts to deliver mail.  In this way the Sendmail server will be able to reject recipients who don’t exist in your organization.  (Thus avoiding a truckload of NDRs from your exchange server.)

1) Under Webmin -> Servers -> Sendmail Mail Server -> Domain Routing (mailertable)

The mailertable tells Sendmail where to send e-mail it receives for a given domain.  In the example below, domain1.com and domain2.com are being redirected to internalmailserver.company.local.  To achieve this, click on “manually edit /etc/mail/mailertable.”  Update it to suit your configuration.

Mailertable example:
domain1.com smtp:internalmailserver.company.local
domain2.com smtp:internalmailserver.company.local

2) Under Webmin -> Servers -> Sendmail Mail Server -> Spam control (access)

This file contains a list of servers allowed to use your spam server as a relay.  While e-mail relays are generally a very bad plan, in this case they are an excellent way to scan all your outbound company e-mail.  Enter the internal IP address of your exchange server (and any other e-mail sending systems) in your organizations here.  You can then configure them to treat your spam server as a “smart host,” thus providing antiviral and antispam scanning for all outbound e-mail traffic.  To achieve this, click on “manually edit /etc/mail/access.”  Update it to suit your configuration.

Access list example:
172.16.0.30 RELAY
mail.internalmailserver.company.local RELAY

3) Under Webmin -> Servers -> Sendmail Mail Server -> Relay Domains
Enter a list (separated by carriage returns) of all domains that you will be handling internally and which you wish to pass through this spam server.

Relay Domains example:
Domain1.com
Domain2.com

4) Under Webmin -> Servers -> Sendmail Mail Server -> Sendmail M4 Configuration

This is the heart of configuring Sendmail.  Most of the default configuration provided by CentOS 5.5 is good, but we need to add a few goodies to get it working the way we want it.

The first and most important thing is the setting LOCAL_DOMAIN(`').  There is a big push right now by e-mail administrators the world over to require reverse DNS.  The long story short is that the hostname of your spam server (as your incoming and outgoing mail point) absolutely must match the reverse DNS of the IP address assigned to it.  That reverse DNS also needs to contain the word “mail.”  So the hostname of your spamserver should be something akin to mail.domain.com, and the reverse DNS on your external IP address provided you by your ISP should also read mail.domain.com.

In this vein, it is a good idea to set LOCAL_DOMAIN(`') to LOCAL_DOMAIN(`mail.domain.com').  This means your spamserver would always accept mail for “mail.domain.com” without forwarding it to your exchange server (an odd requirement that some e-mail administrators have begun to put into place.)  It still allows you to forward mail bound for domain.com internally.
Keep an eye out for this command: DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA').  Toss a dnl #  in front of it if you want your sendmail to listen on any addresses other than 127.0.0.1!

I also tend to dnl # out EXPOSED_USER(`root') and FEATURE(`accept_unresolvable_domains') for sanity reasons.

The rest of the commands I won’t go into too much detail on; if you are really curious there is plenty of documentation available online as to their specific functions.  If you are reading this page, I trust you are capable of spotting where in the configuration you should be changing “domain.com” and “company.local” style commands to suit your configuration.

dnl # Milters: ClamAV runs first, then SpamAssassin; the socket paths must match the milter daemons' own configs.
FEATURE(`greet_pause')dnl
define(`LUSER_RELAY',`error:5.1.1:"550 User unknown"')dnl
INPUT_MAIL_FILTER(`clamav-milter', `S=/var/clamav/clmilter.socket, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=:/var/run/spamass.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav-milter,spamassassin')dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`')dnl
dnl # Recipient lookup in AD by proxyAddresses; recipients that do not exist are bounced at SMTP time.
FEATURE(`ldap_routing',, `ldap -1 -T<TMPF> -v mail -k proxyAddresses=SMTP:%0', `bounce')dnl
LDAPROUTE_DOMAIN(`domain1.com')dnl
LDAPROUTE_DOMAIN(`domain2.com')dnl
dnl # -P is the password file created in step 6; keep it readable by root only.
define(`confLDAP_DEFAULT_SPEC',`-h "domaincontroller.company.local" -d "CN=sendmail,CN=Users,DC=company,DC=local" -M simple -P /etc/mail/ldap.secret -b "DC=company,DC=local"')dnl

Once you have finished this, go save and rebuild the Sendmail configuration.  It’s a good plan to restart Sendmail at this point to see if it blows up.  Remember that Sendmail is really grouchy if you have an extra carriage return, or forget a ` or a '.
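As an added pre-flight check (my own script, not part of the original post), the following lints a sendmail.mc for exactly the quoting mistakes just described and audits the RELAY entries in the access file for the three ways they commonly go wrong: partial IP keys (which sendmail matches by prefix), From:-tagged entries (which trust a forgeable envelope sender), and public addresses. It assumes only a POSIX shell with awk; the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight checks for the sendmail files edited above. Added example, not from the post;
# assumes POSIX sh plus awk. Run against sendmail.mc and /etc/mail/access before rebuilding.

# Lint sendmail.mc: flag pasted typographic quotes (non-ASCII bytes) and lines whose count of
# opening ` differs from closing '. Heuristic (m4 quotes may span lines); dnl lines are skipped.
check_mc_quotes() {
    LC_ALL=C awk -v q="'" 'BEGIN { bad = 0 }
        /^dnl/ { next }
        /[^ -~\t]/ { printf "line %d: non-ASCII byte (pasted typographic quote?)\n", NR; bad = 1; next }
        { opens = gsub(/`/, "&"); closes = gsub(q, "&")
          if (opens != closes) { printf "line %d: %d opening ` but %d closing \047\n", NR, opens, closes; bad = 1 } }
        END { exit bad }' "$1"
}

# Audit RELAY entries in /etc/mail/access: sendmail matches IP keys by prefix, so "172.16"
# relays for all of 172.16.0.0/16; From: keys trust the forgeable envelope sender; and no
# public address should be granted RELAY on this box.
check_access_relay() {
    awk 'BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }
        toupper($2) == "RELAY" {
            key = $1
            if (tolower(key) ~ /^from:/) { printf "%s: sender-based RELAY is forgeable\n", key; bad = 1; next }
            sub(/^[Cc]onnect:/, "", key)
            if (key !~ /^[0-9.]+$/) next
            n = split(key, o, ".")
            if (n != 4) { printf "%s: partial address relays for the whole prefix\n", key; bad = 1 }
            else if (!(o[1] == 10 || o[1] == 127 || (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                       (o[1] == 192 && o[2] == 168))) { printf "%s: non-private address granted RELAY\n", key; bad = 1 }
        }
        END { exit bad }' "$1"
}

# Constructed sample inputs so the checks run without touching /etc/mail.
TMP=$(mktemp -d)
cat > "$TMP/good.mc" <<'EOF'
FEATURE(`greet_pause')dnl
define(`LUSER_RELAY',`error:5.1.1:"550 User unknown"')dnl
INPUT_MAIL_FILTER(`clamav-milter', `S=/var/clamav/clmilter.socket, T=S:4m;R:4m')dnl
EOF
cat > "$TMP/bad.mc" <<'EOF'
FEATURE(`greet_pause’)dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`)dnl
EOF
printf '%s\n' 'Connect:127.0.0.1 RELAY' '172.16.0.30 RELAY' \
    'mail.internalmailserver.company.local RELAY' > "$TMP/good.access"
printf '%s\n' '172.16 RELAY' 'From:someone@example.com RELAY' '203.0.113.7 RELAY' > "$TMP/bad.access"

for f in good.mc bad.mc; do echo "== $f"; check_mc_quotes "$TMP/$f" && echo ok; done
for f in good.access bad.access; do echo "== $f"; check_access_relay "$TMP/$f" && echo ok; done
```

Both functions exit non-zero when they find something, so they can gate a rebuild script; the quote check is a heuristic and will also flag a legitimate apostrophe inside quoted text.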

For SpamAssassin configuration, first go to Webmin -> Servers -> SpamAssassin Mail Filter -> Setup Procmail For SpamAssassin and enable SpamAssassin.

Next stop is Webmin -> Servers -> SpamAssassin Mail Filter and modify to your heart’s desire.  I generally change the setting “Prepend text to Subject: header” to read [SPAM ASSASSIN DETECTED SPAM].  This then allows me to set either an Outlook rule or an Exchange -> Hub Transport -> Transport rule.

In the case of a local Outlook rule each client must be individually configured to deal with the [SPAM ASSASSIN DETECTED SPAM] in the subject line of “spam” e-mails.  (I usually have them directed to the “Junk-Email” folder.)

In the case of an Exchange -> Hub Transport -> Transport rule, I usually set exchange to assign anything with [SPAM ASSASSIN DETECTED SPAM] in the subject line to a Spam Confidence Level (SCL) of 7.  If you want to enable SCL junk filtering and set your own SCL levels, you will need some Exchange PowerShell commands.  Google can tell you more.  http://msexchangeteam.com/archive/2009/11/13/453205.aspx is a good article to read as well.

Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8
Set-OrganizationConfig -SCLJunkEnabled $true -SCLJunkThreshold 7

Go to Exchange -> Hub Transport -> Anti-Spam -> Content Filtering.  Enable it, and uncheck any boxes except “Delete Messages that have an SCL greater than or equal to.”  The rationale behind this is that the SpamAssassin server is doing all the heavy filtering.  If you allow Exchange to reject mails, you are going to end up with a mess of rejection NDRs that will pile up and go nowhere.  Similarly, under Exchange -> Hub Transport -> Remote Domains -> Default (*) I really recommend disabling non-delivery reports.  There is a growing trend amongst email administrators to not accept mail from domains that send NDRs, as NDRs are being used by spammers as a vector to get spam into people’s e-mail boxes.

Run freshclam and sa-update from the command line to get ClamAV and SpamAssassin updated to the latest definitions.

Go into Webmin -> System -> Bootup and Shutdown.  Make sure important things like ClamAV-Milter, SpamAssassin and Sendmail are all set to start on boot (and are currently running.)

That’s it!  If you’ve done it right, then you should now have a CentOS box capable of receiving e-mail from the internet, scanning it for viruses and Spam, and forwarding it on to your exchange server.  The exchange server itself can be configured with junk-filtering properties, adding a second layer of protection.  (Though in truth I’ve not needed it: SpamAssassin does the job just fine, and better than Exchange’s native capabilities.)

Trend Micro’s Housecall is reborn


Trend Micro has put out a new version of Housecall. Back in the days of Housecall 6, you had two choices: run a Java version, or an ActiveX control. Usually, even on the most infected systems, you could get one or the other of these to co-operate, and off you went. Time passed, and along came Housecall 7. Instead of being run in browser, this one was a downloadable stand-alone executable. Fire it up, let it connect to Trend Micro’s servers for some updated defs, and watch it work.

Problem was, version 7 wasn’t all that great, and had a nasty habit of being prevented from executing by whatever strain of internet malignancy you happened to have running on your system at the time. Time and time again I found myself going back to the old Housecall 6.5.

Well, hark and rejoice! Housecall 7.1 has been out for a while, and it works like a charm. I don’t know what sort of voodoo was included in the point update between 7.0 and 7.1, but I have yet to encounter a creepy crawly that manages to tank Housecall 7.1. It has killed 12 out of 15 strains of Vundo I threw at it in the past few weeks, and successfully murdered all of Vundo’s little downloaded friends. That’s better than any other AV I’ve tried, and it’s free.

No matter which vendor you choose, there will be a bug that can get past it, and cleaning a machine that has already been infected requires multiple anti-virus packages from multiple vendors. Combined with a few other friendlies, Housecall is an essential tool for every computer geek out there. Eventually someone will knock on your door with an infected Windows box, and Housecall 7.1 has proven to be a solid step forward in emergency AV software.

Disclaimer: Housecall, as with any other “on-line virus scanner” is in no way sufficient to be your daily anti-virus package. It is an emergency clean-up solution, or one you use periodically when you suspect something might have gotten past your regular anti-virus package. If you feel you simply cannot afford to buy an anti-virus package for use on your computer, I recommend you at the bare minimum download and install Microsoft Security Essentials. ( http://www.microsoft.com/Security_Essentials/ ) It is free for users of XP 32, Vista 32 or 64, and Windows 7 32 or 64. Please compute responsibly, and do not run Windows computers without anti-virus software.

  • Published: May 9th, 2009
  • Category: Dealing with Viruses

Hello, World. (I’m finished with Vundo, you can have it back.)


Hello, World.
Blogs.  I know, I know, I have ranted and railed against them as the vanity-induced tools of <insert negative deity here> a great many times.  WordPress is, however, a great little tool to be able to easily add content to one’s site if one happens to be too lazy to go knobbling around in the HTML, or update the ages-old self-written PHP CMS.  I have decided to actually USE my growing collection of domain names for something, and one thing that would be excellent would be a place to stash useful information on problems I have solved.  For my own personal erudition if for no one else’s.  Thus, in the traditional fashion of a first post/test/script/program, etc: hello, world.

That said, sticking to the theme that a blog should contain content of some variety instead of simply serving as a mirror for one’s ego, I do have links to post.

Vundo, and friends.
Some days, you just have to deal with a virus.  More often than not for me recently, that virus is my old nemesis, Vundo.  I’ve had a few customers wander in with this little gem, and even, I am embarrassed to say, managed to infect my home XP web browsing VM with this little menace.  I have some tips on making this go away, however.

Kill it with fire.
No matter what I post here today, trust me, the tools and methods posted will prove incomplete in a few weeks.  Vundo evolves very quickly, so the best I can offer are some good “best practices” in hunting this little pest (and all of its friends) down.

· Immediately disable system restore and reboot.  Don’t ask questions, just do it.  If you have figured out you have Vundo, then it’s already infected your system restore, and you need to kill it.  If you have a variant that prevents you from doing this, you may need to, (from a clean system,) change permissions on c:\system volume information (taking ownership first, of course,) and go clear out the system restore information yourself.  (There are lots of better walkthroughs about this on the net.)  Be careful in there, delete the wrong thing, and your system is toast!

· Turn your system off, disconnect the disk (or VHD) and attach it to a clean test system.  Don’t bother trying to fix everything from within the native system, it’s almost impossible.

· Pick the low hanging fruit.  There are some pretty standard places where viruses stash their goodies.  Most virus makers haven’t caught onto the idea of modifying the “last modified” date of the infected files they leave around, so you can generally tell what to start nuking based on date.  Here is a list of commonly infected folders:
– C:\Documents and Settings\%username%\local settings\temp
– C:\Documents and settings\%username%\local settings\temporary internet files
– C:\temp
– C:\windows\csc
– C:\windows\prefetch
– C:\windows\temp
– C:\windows\system32
– C:\windows\system32\dllcache
– C:\windows\system32\drivers

· Throw some automated tools at it.  No single antivirus vendor is ever enough.  The best of the best out there still let some of the creeps leak.  There are, however, mixes of free tools that are generally good enough to help you with cleanup.  Here are my favourites.
http://www.superantispyware.com/ Despite the name, it is real.  It is effective against a limited number of malware, but it works well against those on its list.
http://housecall.trendmicro.com/ Hell yes, housecall.  Trend Micro’s online scanner is excellent, effective, and often my first choice when I suspect a creepy crawly on my system.
http://support.f-secure.com/enu/home/ols.shtml FSecure online.  IE only.  Effective, but is constantly tearing out VNC even when I tell it not to.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99 Symantec’s Vundo removal tool.  Does not kill all variants of Vundo, or all of Vundo’s friends.  (Who will re-download Vundo if given a chance.)  A good addition to the arsenal, however.
http://free.avg.com/ AVG Free.  AVG is your friend.  Why?  It’s free!  (In addition, it’s not half bad.)
http://www.eset.com/onlinescan/ ESET’s online scanner.  If this actually detects anything after you’ve cleaned with all the rest, you might consider burning the drive.  With lava.

· Reset the permissions.  This one is so critical to surviving Vundo, I’m going to give it its own section.

Resetting the file and registry permissions to defaults in Windows XP:
Next, you are going to have to reset file and registry permissions, because Vundo is an evil little abomination, and it mangles all sorts of things just to make your life miserable.  Yes, you too can survive the infinite boot loop cycle, and random “even the few programs Vundo didn’t infect won’t work.”   Most of this is due to Vundo’s desire to muck about with registry and file permissions, denying administrators access to critical areas.  I won’t bother walking through how to do it, because others have done so better than I possibly could have.
http://www.winhelponline.com/blog/reset-the-registry-and-the-file-permissions-in-windows-xp/

Post-op
Reboot, run SFC /SCANNOW from the command line, (so windows can repair any missing/deleted files,) and re-install any programs that Vundo infected, and the virus scanners had to nuke.  You should now have a repaired system, Vundo free.

Most of these ideas should work against other viruses, though the scanners and tools you need to use are often different.  Remember: never rely on just one anti-virus vendor; they are all incomplete, and most can only warn you that you have been infected, not do anything to clean up the infection once it’s hit.

© 2009 drink the sweet feeling of the colour zero. All Rights Reserved.
