Features

The enemieslist package has the following features:

  • m4-compatible sendmail "HACK" macros that can be selectively turned on or off through the .mc file
  • m4-configurable error messages for every check; configurable contact email address and phone number (or URL) for error messages; configurable header error messages for checks that simply tag messages as suspicious
  • drop-in Local_check_rcpt with fully configurable set of HELO and remote IP checks, including:
    • local domain and IP HELO forgery checks
    • scraped Message-ID-as-address checks
    • 419/advance-fee-fraud HELO spamware checks
    • configurable acceptance of all mail to role accounts
    • virus HELO checks
    • RFC2821 HELO checks
    • "outscatter" sender/hardware checks
    • FcrDNS checks
    • generic rDNS and HELO checks
    • domain blacklist checks
    • spamtrap checks
    • automatic abuse reporting
    • bad HELO string checks
    • various other RFC compliance checks
    • a variety of spamware/spammer specific format signatures
    • [future]: on OSes with TCP fingerprinting support, configurable OS-specific rejection/tagging
  • full debugging/troubleshooting support (uses syslog)
  • per-check/per-address policy configuration for most checks; allows for SMTP-time rejection or pre-delivery header tagging including meaningful messages, configurable via m4
  • checks remote IP and HELO against over 16K rDNS naming conventions (or a much smaller subset that matches common left-anchored strings, e.g. "dynamic.example.net", compatible with sendmail access.db; and a subset of non-fully-qualified "compact" patterns for common naming conventions)
  • domain-based blacklist with support for both SMTP-time rejection and header tagging for post-delivery filtering; checks a variety of header contents for known spammy domains
  • IP-based whitelist with support for post-delivery filtering via header tagging (so you can ignore whitelisted mail in a quarantine environment)
  • IP-based role account blacklist (to keep spam from longtime abusers out of your role account mailboxes while letting legitimate mail in)
  • name-based list of "outscatter" hosts from whom you may not want to accept null sender mail (MAILER-DAEMON and other common antispam software that does not properly use null sender) as the reports are usually bogus and the result of virus traffic, forged senders or "joe jobs"
  • name-based "off-white" list of legitimate mail servers from whom you have received too much spam; can configure local blacklist to mark suspect mail, refuse mail from servers with unacceptably poor tracking information (e.g., no Received: headers indicating source of injection for Nigerian 419/advance-fee-fraud scams), challenge/response systems, virus-infected systems and phishing scams
  • spamtrap list support for more flexible handling of messages sent to spamtrap addresses, To/Cc/etc. header checks to catch messages also addressed to non-spamtraps ([future: ability to distinguish between a completely fictional address, such as a scraped Message-Id, and a now dormant or disabled existing address])
  • wordlist-based check to defeat generated sender "names" (e.g., the "Mobster I. Syphilitic" spam signature)
  • configurable abuse reporting mechanism for worst offenders or ISPs you're on good terms with who want reports of abuse from their networks
  • checks HELO against a list of known forged/bogus HELO strings
  • checks Received: headers of commonly compromised webmail systems against a geographic database of country/netblock mappings; also checks for satellite, proxy, and other commonly abused sources of Nigerian 419/advance-fee-fraud scams; m4-configurable list of ISO country codes can limit/expand the checks to suit your local policy
  • checks against a list of known spammer MXen so mail from new domains with old MX records (or MX records shared with spammers) can be refused or tagged
  • checks against a list of known spammer NSen so mail from new domains with NS records used exclusively by spammers can be refused or tagged
  • check for "First M. Last" <first.m.lastzz@...> spamware signatures
  • a wide variety of header checks (both legitimate and spamware signature headers and their contents); RFC checks for Subject: and other headers; known bogus Reply-To: headers; m4-configurable forged Received: header checks; bogus Message-ID/References/In-Reply-To spamware signatures; various other antivirus checks
  • check to reject mail lacking a Message-ID header, a Subject: header, or both; also direct-to-MX mail (lacking any Received: header)
  • check to forbid mail from forged Outblaze/Hotmail/Yahoo/Seznam addresses
  • check to block mail from "single-character" localpart senders (antivirus check)
  • check to forbid HTML and/or multipart/alternative mail to role accounts (plus m4 macro for defining which accounts you treat as "role" accounts)
  • check to reject/tag known compressed/executable file formats in attachments (configurable using both small and large lists of extensions for both ZIP and EXE types)
  • m4-configurable header contents checks for commonly forged "Millions" CD addresses (e.g., names scraped from old whois database info)
  • check to allow rejection of Yahoo SpamGuard-tagged messages
  • check for "B0rken" spamware with ill-programmed token processors; the junk it leaves behind is sure spamsign, such as %RND_IP in a Received: header
  • reject bogus abuse reports from Sp@MX
  • various specific anti-virus checks (MyDoom, SoBig, Bagle)
  • check to tag/reject banking/financial messages to accounts without a bank/ebay/paypal account (antiphishing check)
  • check to tag/reject bounces sent to accounts that never send mail (spam/virus forgery check)
  • per-user, per-address, per-domain configurable policy; including scoring-based quarantine or rejection
  • various known spammer checks
  • [future: DNS based access to all blacklists (IP, HELO, generic rDNS)]
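An added illustration of the kind of HELO and rDNS checks listed above (local domain and IP HELO forgery, RFC 2821 HELO syntax, FcrDNS, and access.db-style generic rDNS pattern matching). This is example code written for this page, not enemieslist's own m4 rulesets; every hostname, address and pattern in it is constructed sample data.

```python
import ipaddress
import re

# Constructed sample data (not the enemieslist lists) so the example runs offline: our own
# identity, a tiny forward/reverse DNS table, and generic-rDNS suffix patterns written like
# sendmail access.db keys (a key matches the named host and anything beneath it).
LOCAL_DOMAIN, LOCAL_IPS = "example.org", {"192.0.2.10"}
PTR = {"198.51.100.7": "mail.partner.example", "203.0.113.9": "pool-9.dynamic.example.net",
       "203.0.113.20": "static.example.net"}
A = {"mail.partner.example": "198.51.100.7", "pool-9.dynamic.example.net": "203.0.113.9",
     "static.example.net": "203.0.113.21"}
GENERIC_RDNS = {"dynamic.example.net": "REJECT", "dsl.example.com": "TAG"}
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
SEVERITY = {"OK": 0, "TAG": 1, "REJECT": 2}

def is_ip(s):
    try:
        return bool(ipaddress.ip_address(s))
    except ValueError:
        return False

def check_helo(helo, ip):
    """Local-forgery and RFC 2821 syntax checks on a HELO/EHLO argument."""
    h = helo.strip().lower()
    if h == LOCAL_DOMAIN or h.endswith("." + LOCAL_DOMAIN):
        return "REJECT", "HELO forges our local domain"
    if h.strip("[]") in LOCAL_IPS:
        return "REJECT", "HELO forges our local IP address"
    if h.startswith("[") and h.endswith("]"):  # RFC 2821 address literal
        return ("OK", "address literal") if is_ip(h[1:-1]) else ("REJECT", "malformed address literal")
    if is_ip(h):
        return "REJECT", "bare IP: RFC 2821 requires a bracketed address literal"
    if not FQDN_RE.match(h):
        return "REJECT", "HELO is not a fully qualified domain name"
    return "OK", "HELO " + h

def check_rdns(ip):
    """FcrDNS and generic/dynamic naming-convention checks on the connecting IP."""
    name = PTR.get(ip)
    if name is None:
        return "TAG", "no rDNS"
    if A.get(name) != ip:
        return "TAG", "rDNS %s does not resolve back to %s (FcrDNS failure)" % (name, ip)
    labels = name.split(".")
    for i in range(len(labels)):  # full name first, then drop leading labels (access.db style)
        key = ".".join(labels[i:])
        if key in GENERIC_RDNS:
            return GENERIC_RDNS[key], "rDNS matches generic pattern " + key
    return "OK", "rDNS " + name

def connection_verdict(helo, ip):
    # Combine both checks; the harsher verdict wins (REJECT > TAG > OK).
    return max((check_helo(helo, ip), check_rdns(ip)), key=lambda r: SEVERITY[r[0]])
```

In a real deployment the PTR/A tables would be live DNS lookups and the verdict would map to an SMTP-time reject or a tagging header, as the package does via m4.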

System Requirements

The full enemieslist package(s) are provided for sendmail (8.12.x and up; currently running here under 8.13.x) and, to a lesser extent (primarily the reverse DNS patterns), for postfix and exim. qmail is not supported, nor is any Windows mail server system, but we'd like to hear from anyone with an unsupported system that can be configured to use flat files for checking HELO or sender reverse DNS.