Index [ptgmedia.pearsoncmg.com]ptgmedia.pearsoncmg.com/images/0321213335/index/costales_inde… · excluding non-email ports, 56–58 forwarding copies of good email to, 64–65 installing

Index

$_ macro, 114
${auth_authen} macro, 114, 170
${auth_author} macro, 114, 170
${auth_ssf} macro, 114, 170
${auth_type} macro, 114, 170
${cert_issuer} macro, 114, 165
${cert_subject} macro, 114, 165
${cipher_bits} macro, 114, 165
${cipher} macro, 114, 165
${client_resolve} macro, 161
${daemon_name} macro, 114, 160
${if_addr} macro, 114, 160
${if_name} macro, 114, 160
${i} macro, 170
${mail_addr} macro, 114, 170
${mail_host} macro, 114, 170
${mail_mailer} macro, 114, 170
${msg_id} macro, 193
${nbadrcpts} macro, 193
${rcpt_addr} macro, 114, 176
${rcpt_host} macro, 114, 176
${rcpt_mailer} macro, 114, 176
${_} macro, 160
${tls_version} macro, 114, 165
2yz SMTP return code, 71, 72–73
3yz return code, 72
4yz SMTP code, 120, 122
5yz SMTP reply code, 71, 119, 122
220 SMTP success code, 12–13, 78
419 baiting, 7
419 fraud, 7
421 SMTP error code, 122
550 SMTP error, 78
554 SMTP error, 13

A

<a command and web references, 27
Abort item, 101
Abort phase, 96
Abort section, 87
Aborting envelopes, 197–200
Accept decision, 88
Accept reply, 89–90, 92–95
Advance Fee fraud, 7
Advisory-oriented handler functions, 155
AF_INET, 159
AF_INET6, 159

Constales.book Page 307 Wednesday, January 12, 2005 10:18 AM

Aliases
  hosts, 49–50
  rebuilding database, 54, 62
  sendmail, 53–54
Aliases file, 62, 65
Allocated memory, freeing up, 236
alt.test newsgroup, 74
amper program, 270
amper() subroutine, 270–272, 275
Apache HTTP server, 58, 65
Architecture, 231–232
Archiving spam, 244–246
argv argument, 166, 172
argv array, 167, 172
Arrays
  CONF type, 247
  of pointers to strings, 166
Articles
  Date: header, 72
  Lines: header, 73
  mandatory headers, 72–73
  Message-Id: header, 73
  posting, 70–71
Asterisk (*) special character, 33
Atkinson Caller-ID standard, 6
Attachments
  base64-decoding, 285–286
  base64-encoded, 24–25
  binary, 24
  MIME (Multipurpose Internet Mail Extensions), 24–25
  MIME headers, 285
  quoted-printable encoded, 24–25
Authentication, 170
autoconf, 226, 290
autoheader, 226
automake, 226

B

Baby-sitting script, 215–217
Background, running Milters in, 217–219
backlog argument, 127
Bait machine, 11
  choosing platform, 44–47
  compiler choice, 45–46
  configuring sendmail, 50–54
  database support, 46–47
  excluding non-email ports, 56–58
  forwarding copies of good email to, 64–65
  installing Milters library, 46
  network connections, 46
  posix threads, 44–45
  rebooting, 58–59
  scanning, 56–57
  sendmail version, 45
  setting up
    DNS records, 47–50
    logging, 54–56
Bank card information theft, 7–8
<base command, 31
Base64 encoding
  decoding, 258–265
  marking end of data, 261
base64decode() function, 261, 264
Base64-decoding attachments, 285–286
Base64-encoded data, 258
Base64-encoding
  attachments, 24–25
  Subject: headers, 17–18
base64total() subroutine, 262
ba.test newsgroup, 74
Bayesian filters, xv–xvi, 288–293
Berkeley database, 232, 237
bg() function, 217–219
Binary attachments, 24
Bitwise OR (|), 104
BL (Blackhole List) sites, xv
Blacklisting, 232
Blocked senders, 232
Body, 92, 176–177, 190
  deleting, 191
  Milter replies per chunk, 94
  modifying, 191

  replacing, 143–145, 191
  routines, 255–293
Body item, 101
Body section, 87
Bounce address, 5
Bounce email, 245
Bounce information, multiline, 124
Bounce messages, 5, 167
Bounce reply envelope sender address, 15
Bouncing email, 16, 235
Boundary, 256–258
BSD method used to halt Milter, 215
bsearch() C library function, 281, 292
Buffers
  containing replacement body, 144
  for incoming message, 12–13
  length of, 144
Bulletproof multithreaded code, 214

C

C language compiler, keeping up-to-date, 45–46
C language programs main() function, 99–100
Cable accounts and nonfixed IP addresses, 4
Camouflaging HTML body, 18–22
Certificates, 165
cf variable, 181
cf/cf directory, 50
Chapters source code, 290
char *addr; regular expression, 243
Character-entity encoding, 20–21
  decoding, 269–276
  keywords, 20–21, 270
  literal #, 20–21, 270
  web references, 22
Characters
  character-entity encoding, 269–276
  converting to hexadecimal ASCII equivalent, 277–279
  quoted-printable encoding, 265–269
  URL-encoding, 21
chdir() function, 208–209
check_mail rule set, 51
check_rcpt rule set, 51
check_relay rule set, 51
Child, 218
Chunks (of body), 255
  concatenating, 187
  containing too many characters with high bit set, 189–190
  counting number of bytes in, 187
  Milter replies per, 94
  reviewing, 186–190
  unsigned char* type, 187
  writing to disk file, 256
Cleanup section, 87
cleanup() routine, 247–248, 250
Clickable link, 12
Close item, 101
CNAME records
  adding, 49–50
  infinite loops, 35
  leading to other CNAME records, 35
  URLs and, 35–36
Commands, case insensitive, 29
Comments
  breaking up words with, 18–19
  .forward file, 64
  HTML, 18–20
  intervening newlines, 19–20
  spam aliases, 63
  unbalanced angle brackets, 20
  unknown HTML keyword in angle brackets acting like, 19
  URLs used as, 36–37
comments() function, 281, 284
Compilers, choosing, 45–46
Complex data, storing, 117
Concatenating chunks, 187
config_getitem() routine, 251–252
config_read() routine, 248–249
Configuration files
  # comment character, 246
  cleaning spaces around strings, 247–248
  looking up values, 251–252

Configuration files continued
  rereading, 220
  routine actually reading, 248
  running, 253
  simplest form, 246
Configurations
  dynamic, 246–256
  static, 246
configure script, creation of, 226
configure.ac template file, 226
confINPUT_MAIL_FILTERS mc macro, 51
confMILTER_MACROS_CONNECT mc macro, 115
confMILTER_MACROS_ENVFROM mc macro, 115
confMILTER_MACROS_ENVRCPT mc macro, 115
confMILTER_MACROS_EOM mc macro, 115
confMILTER_MACROS_HELO mc macro, 115
Connect item, 100
Connect phase and Milter replies, 89–90
Connect section, 87
Connecting host
  name of, 157
  result of lookup of name, 161
Connection-context type, 154
Connection-oriented handler functions, 155
Connection-oriented resources, deallocating, 155
Connection-persistent information, deallocating, 228
Connections
  affecting, 155
  behavior, 12–13
  cipher suite used for, 165
  cleanup, 200–203
  deferring if host cannot be looked up, 164
  defining context, 157
  disconnecting by rejecting with tempfail, 121
  initializing and timeout, 109
  keeping track of, 161
  listening for incoming, 126–127
  logging, 161
    number of envelopes processed during connection, 202–203
    total duration, 202–203
  Milters rejecting, 89
  rejecting, 122
  reviewing, 156–161
  skipping checks, 159
  termination, 200–203
Connection-specific macros, 115
Content-Transfer-Encoding: header, 25
Content-Type: header, 256
Continue reply, 89–94, 96
cp pointer, 175, 189–190
Credit card information theft, 7–8
ctx context pointer, 113–114, 116–117, 121, 153, 155, 157, 166, 172, 178, 183, 194
Custom-added headers, 132

D

Daemons, 58
Data access routines, 113–127
DATA SMTP command, 120, 190
DATA phase, 133
Data portion
  body, 190
  headers, 190
  reviewing, 176, 182–186
Databases, support for, 46–47
Date: header, 72, 131
&#ddd; expressions, 272
dealloc envelope() handler function, 229
Deallocating connection-oriented resources, 155
dealloc_connection() routine, 228
dealloc_envelope() routine, 228–229
deamper() routine, 274–275
Debugging
  default level, 125
  setting level, 124–126

decimal() subroutine, 272–275
Decoding
  base64 encoding, 258–265
  character-entity encoding, 269–276
  quoted-printable encoding, 265–269
  URL-encoding, 277–279
Default SMTP replies, 120
Deferring envelopes, 245
#define statement, 212
delay_checks FEATURE, 51
/dev/null file, 53, 65, 218
df queue file, truncating, 144
Dial-up accounts and nonfixed IP addresses, 4
Dictionaries, 288–293
dig program, 48
Directories
  accepting core dumps, 208
  defining with preprocessor #define directive, 209
  for Milters, 215
Discard reply, 89, 91–95
Discarding envelopes, 245
Disguising Subject: header, 16–18
Distributed model, 232
dn_expand() function, 224
DNS (Domain Name Service)
  adding CNAME records, 49–50
  sender identification, xvi
  TXT record, 6
DNS and BIND (Albitz and Liu), 50
DNS (Domain Name Services)-based services, xv–xvi
DNS records
  domain versus subdomain, 47–48
  setting up, 47–50
  wildcard, 34–35
dn_skipname() function, 223
Domain Keys standard, 6
Domain names, 47
  case insensitive, 29
  registering for testing, 48
Domain records, controlling, 15
_domainkey domain, 6
Domains
  adding new host, 47–48
  enclosed in quotation marks, 29–30
  versus subdomains, 47–48
-D_REENTRANT, 112
DSL (digital subscriber line) and nonfixed IP addresses, 4
dsn argument, 122
DSN reply code, changing, 121
Dynamic configurations, 246–256

E

EHLO command
  arriving at unexpected times, 90
  requiring before MAIL FROM: command, 161
  reviewing, 161–165
  sending site, 172
EHLO/HELO phases and Milter replies, 89
Email
  composed of multiple parts, 256–258
  delivered using order specified by MX records, 14
  detecting when received from MX servers, 221–225
  dividing into small, well-defined units, xvi
  false positives, 10
  fictional persons created to receive, 61–63
  filtering out unwanted, xv
  graylisting, 242–244
  literal "+" character inserted in user part, 75–77
  maximum size, 247
  policies for inbound and outbound, 232
  postage, xvii
  protecting good, 64–65
  screening inbound and outbound, 234
  significant spam rating, xvi
  unsolicited, xiv
  whitelisting, 241–242

Email addresses
  determining who may have sold, 76
  encoded @ character, 79
  expressing abstractly as possible, 79–80
  innocent person's as bounce address, 5
  JavaScript obscuring, 80
  masking URLs, 31
  as plain text outside mailto: command, 79
  posting to newsgroup, 67–74
  reader cutting and pasting, 79
  setting up for spam, 65–67
  showing ultimate recipient, 77–78
  spam email, 38
  Usenet, 68
  verifying, 77–78
Email fraud
  bank or credit card information theft, 7–8
  Nigerian fraud, 7
  password theft, 8
  viruses and worms, 8–9
Email readers, 233
Empty addresses, 167
Encryption key length, 170
End of envelope, 190–197
End of headers section, 87
End of message section, 87
End users
  internal customer as, 233–234
  modeling, 233–234
  outside world as, 234
End-of-body semaphore, 186
End-of-envelope cleanup, 192–193
End-of-message phase timeout, 192
End-of-message routine and Milter replies, 95–96
Envelope recipients
  accepting, 91, 154
  adding recipient, 138–140
  addresses, 141–142
  delivery agent name, 176
  maximum number, 247
  number of, 239
  possible replies, 92
  processing, 117
  recipient address, 176
  rejecting, 172
  relay host, 176
  removing, 140–143
  removing address from list, 142
  rule sets and aliasing modifying, 142
Envelope senders
  accepting, 156
  address, 5, 91, 165–166, 170
  authentication, 170
  bounce messages, 167
  deferring, 169
  delivery agent name, 170
  discarding, 156, 169
  error notification sent, 166
  MTAs rejecting, 16
  rejecting, 156, 169
  relay host part, 170
  reviewing, 90
  saving address, 169–170
  source of spam email, 6
Envelope-handling functions, deallocating resources, 156
Envelopes, 155
  aborting, 197–200
  accepting, 156
  arbitrary number of recipients, 171
  DATA headers, 191
  DATA portion, 143, 191
  deferring, 245
  direct access to raw information, 43
  discarding, 156, 245
  end of, 190–197
  falsifying sender address, 15–16
  headers, 143
  identifying, 225
  MAIL FROM: command, 91
  MAIL FROM envelope sender, 191
  private data, 239
  RCPT TO envelope recipients, 191
  rejecting, 122, 156, 180, 245

Envelope-specific information, deallocating, 228
Envelope-specific macros, 115
Envelope-specific resources, deallocating, 169, 184, 188, 192
Envfrom item, 100
Envrcpt item, 100
Eoh item, 101
Eom item, 101
ep pointer, 189
errno variable, 108, 111
errno.h included file, 111
Error messages, name of program for use in, 68
Errors
  recording, 218
  smfi_setconn() routine, 107
/etc/aliases file
  editing, 62–63
  minimal, 53–54
/etc/inetd.conf file, minimizing, 56–58
/etc/init.d directory, 57, 213
/etc/init.d/apache file, 58
/etc/magic file
  tests in, 286
  usage, 284–288
/etc/mail directory, running Milters under, 209–210
/etc/mail/aliases file, 53–54
/etc/mail/local-host-names file, setting up, 52–53
/etc/mail/milters directory, 209
/etc/rc* files, 57
/etc/syslog.conf file, 55
Exception process, whitelisting, 242
exit(2), 148
EXPN command, 77–78
Exporting shell macros, 215
EX_SOFTWARE, 111
Extended SMTP commands, 166, 172
EX_UNAVAILABLE, 111

F

Fake recipients
  automatic addresses, 62
  creation of, 61–63
  names corresponding to real services, 62
  non-user names, 62
  UNIX administrative names, 62
Fallback hosts and mail, 13–14
False positives, 10
Falsifying envelope sender address, 15
Fatal (nonrecoverable) errors, 148
Feedback
  human, 237–239
  possible mechanisms, 237–240
file (for viewing local files), 29
file program, 284–285
  simplified, 286
  testing, 287
Files, identifying types by file contents, 284–288
Financial institutions, 8–9
finger program, 75, 81
Firewalls, 9, 234
Fixed IP addresses, 4
Flags and smfiDesc structure, 103–104
flags item, 100
fork() function, 218
.forward file, 64–65
FreeBSD
  copying startup scripts, 213
  /root/bin/roll shell script, 56
freehostent() function, 236
ftp (File Transfer Protocol), 29
ftp daemon, 57
ftp host name, 52
Fudgenews, 67
  missing command-line switches, 69
  opening connection to news posting host, 69
  post() subroutine, 70–71
  switches, 68
Functions and Milter phases, 102

Fuzzy address matching, 242–244
fuzzy() subroutine, 243

G

gethostbyname() function, 236
getipnodebyname() C library function, 164, 222, 236
GETLONG, 224
getpeername(3), 157
GETSHORT, 224
getuid function, 211
g.msn.com websites, 33
GNU autoconf suite, 226–227
GoodMailSystems website, xvii
Gorillas, 3, 4–5
Graylisting, 242–244
greetpause FEATURE, 13
Grokking site, 26–37
GROUP command, 72
Group ID, 213
Guerrillas, 3, 5–6

H

haddr argument, 159
Handle signals, 219–221
Handler functions, 116, 151–203
  advisory-oriented, 155
  belonging to connection, 113
  connection-oriented, 155
  message-oriented (envelope-oriented), 154
  recipient-oriented, 154
  smfi data access routines, 113–127
  xxfi_ prefix, 102
  xxfi_ prefix for names, 102
header item, 100
Header sender address, 5
Headers, 92, 143, 176–177, 190
  adding, 129–132, 191
  appearing multiple times, 177
  case insensitive names, 181
  changing, 135–138
  count of, 133
  custom-added, 132
  end of, 182–186
  illegal values, 179
  index into list of existing, 133
  inserting in messages, 132–135
  Milters, 93–94
  MIME, 178
  missing, 177
  modifying, 191
  multiple lines, 177–178
  name, 177
    in form of string, 130, 133, 136
  name portion, 178
  ordering, 93
  prefixed with literal X-, 131
  recording presence, 182
  rejecting, 180–182
  removing, 135–138, 191
  reviewing, 176–182
  RFC standards, 130, 134
  trace-type, 136
  tracking of offset, 136
  user-added, 136
  value, 130–131, 134, 177
  value portion, 178
Headers section, 87
HELO command
  arriving at unexpected times, 90
  requiring before MAIL FROM: command, 161
  reviewing, 161–165
  skipping, 90
helo item, 100
HELO/EHLO section, 87
HELO/EHLO SMTP command, 120
hicount counter, 189
Hijacked PCs, xv, 5, 234
host argument, 162

Host names, 157
  accepting, 162
  adding to spam database, 234–235
  case insensitive, 29
  looking up, 161
    for MX records, 48
    records, 223
  for posting to Usenet, 68
  random word masquerading, 34–35
  string containing, 162
  validity, 162
host.domain form, 32
host.domain part, expressed as IP number, 32
Hosts
  adding to existing domain, 47–48
  comparing IP numbers, 235–237
  disguising name, 32
  enclosed in quotation marks, 29–30
  IP number of connecting, 157
  MX records, 13, 223
  names of, 175
  redirecting site, 33–34
  using other aliases, 49–50
HTML
  bogus keywords, 283–284
  camouflaging body, 18–22
  character-entity encoding, 20–21
  clickable link in code, 12
  commands and URLs referenced case insensitive, 29
  commands and web references, 27–28
  comments, 18–20
  declaring common keywords, 280
  detecting non-HTML words, 281
  documentation, 99
  intervening newlines in comments, 19–20
  keywords, 283
  order of encoding, 22
  unknown keywords acting like comments, 19
  URL encoding, 21–22
  valid keywords, 19
HTML comments
  illegal form, 280
  legal form, 279–280
  stripping, 279–284
HTML documents and special characters, 20–21, 269–276
HTML (Hypertext Markup Language)-enabled email readers, 8
HTML-capable mail programs, 18–19
http (Hypertext Transport Protocol), 29
HTTP listener, 58
https (HTTP with Secure Sockets Layer, or SSL), 29
Human feedback, 237–239

I

$i macro, 114, 226
ident lookup, 160
identd, 75
Idle, Eric, 10
if clause, 117
IMAP (Internet Message Access protocol) email readers, 233
include/milter.h file, 154
inet: prefix, 106–107, 112
inet6: prefix, 106–107
inetd daemon, 58, 81
inetd.conf file, commenting out lines, 58
INPUT_MAIL_FILTER mc command, 51
Installing Milter library, 46
Internal PCs, risks imposed by, 234
IP addresses
  associated with receiving (listening) interface, 160
  fixed, 4
  nonfixed, 4–5
  reverse look up, 157
IP numbers
  assigning multiple to network interface, 15
  comparing, 235–237

IP numbers continued
  connecting host, 157
  decimal or hexadecimal, 32
  rejecting connections from, 221
  spam-sending site, xv
  used by machines without fixed IP numbers, xv
ip pointer, 261–262
IPv4 socket, 106–107
IPv6 socket, 106–107
ishtmlcmp() function, 281
ISPs, 4–5
isspace() C language library routine, 259
Items and zero-length string, 250

J

JavaScript, obscuring email address, 80
JavaScript.Encode URLs, 37
Jones, Terry, 10

K

Keystroke logging, 8–9
Keywords
  character-entity encoding, 20–21
  valid HTML, 19
Kill (Ctrl+C) keyboard shortcut, 112

L

-l items, 112
Large ISPs
  policies, 5
  spam, 4–5
  TXT record, 6
  whitelisting, 241
LDAP (Lightweight Directory Access Protocol), 232
Leftmost comparison, 251
len argument, 187
libmilter directory, 46
libmilter RPM (Redhat Package Manager), 45
libmilter/docs documentation, 151–152
libmilter.h file, 102
libmilter/mfapi.h included file, 111
Library routines, reporting errors to, 124–126
Lines: header, 73
Linux
  copying startup scripts, 213
  method used to halt Milter, 215
  /usr/sbin/logrotate file, 56
listen(3), 126
Listeners
  daemons as, 58
  eliminating unwanted, 57
Listening connection, establishing, 109
Listening daemon, name of, 160
listen(2) queue, 126–127
listen(3) queue, 127
Literal character-entity encoding, 20–21
-lnsl, 112
loadwords() routine, 288–289
local: prefix, defining, 105–106
local3 logging facility, 55
localhost loopback interface, 112
local-host-names file, 52–53
Log files, limiting size, 56
logadm program, 56
Logging
  connections, 161
  defensive programming, 226
  facilities available for nonsystem programs, 55
  Milters, 225–226
  number of envelopes processed during connection, 202–203
  overview, 54–55
  queue identifiers, 225
  recording every connection, 161
  rotating logs, 56

  sendmail, 128–129, 225
  setting up, 54–56
  setting up local#, 55–56
  Solaris, 225
  total connection duration, 202–203
logmilter Milter, 289
Logs, rotating, 56
Lost productivity, 9

M

m4 Build file, 45
Macros
  adding to default list, 160–161
  connection-specific, 115
  defining, 111, 258–259
    end-of-file (or end of buffer), 259
    illegal input character or white space characters, 259
    needed, 111
  envelope-specific, 115
  fetching values, 114–115
  name whose value is looked up, 114–115
  passing sendmail macros to Milter, 115
  persisting, 114
  xxfi handler function return values, 153
  xxfi_connect() handler function, 160–161
  xxfi_envfrom() handler function, 170
  xxfi_envrcpt() handler function, 176
  xxfi_eom() handler function, 193
  xxfi_helo() handler function, 165
magic() routine, 286–287
Mail Abuse website, xvi
mail facility, 54
Mail fallback hosts, 13–14
MAIL FROM: command, 51, 86, 87, 120, 154–155
  calling Milters, 85
  ESMTP (Extended SMTP) arguments, 91
  Milter replies, 90–91
  reviewing, 165–171
mail host name, 52
mailto: command, 78–79
  searching for, 65
main() function, 99, 252
  arguments, 111
  changing default socket time out, 100
  minimal, 110–112
  routing, 97
Makefile, 51, 226
Makefile.am template file, 226
malloc, 119
Masking signals, 220
Masking web addresses, 78–80
maxrcpts item, 247
maxsize item, 247
mc configuration file
  adding
    macros to default list, 160
    Milter support, 51
  adding macros, 193
  delay_checks FEATURE, 51
  editing, 50–51
  naming Milters, 101–102
  smfi_setconn() routine, 107
mc macros, 115
Memory
  allocating for strings, 122
  freeing allocated, 118
Memory leaks, avoiding, 227–229
Message-Id: header, 73, 185, 193
Message-oriented (envelope-oriented) handler functions, 154
Messages
  aborting, 96
  accepting, 135, 154
  adding header, 129–132
  to be logged, 54
  body, 92
  bouncing, 5, 235
  changing, 121
  data portion, 178
  discarding, 135

Messages continued
  headers, 92, 132–135
  lacking Message-Id: header, 185
  large chunks of random text, 23–24
  left with no recipients, 141
  multiple Milters reviewing, 131–132, 135
  quarantining, 146–148, 191
  rejecting, 135, 185
  reviewing data portion, 176, 182–186
Microsoft Windows, 285
MI_FAILURE value, 103, 109, 119, 121–123, 127, 130, 132–136, 139, 141, 143–144, 146
Milter header file, 99
MILTER macro, 215
MILTERARGS macro, 215
MILTERDIR macro, 215
MilterEmailAddress variable, 240
milter.init script, 214–216
MILTERKILL macro, 215
Milter-library, 97
  declaring Milter phases, 100
  installing, 46
  overview, 97–99
  registering smfiDesc structure with, 112
  routines, 97–98
  smfi_prefix, 97, 99
  version, 102
  xxfi_prefix, 99
MILTERRUN macro, 215
Milters, 85
  abort phase, 96
  aborting, 214
  adding support in sendmail, 50–52
  architecture, 231–232
  baby-sitting script sleep time, 215
  beginning execution, 100
  capabilities, 103–104
  command-line arguments, 215
  communicating with sendmail, 104
  configuration file, 209, 232
  considering portability early, 226–227
  database, 209
  debugging level, 124–126
  declaring phases acceptable or ignorable, 100
  default wait, 109
  defining
    macros, 111
    name, 215
  directory for, 215
  distributed model, 232
  dynamic configurations, 246–256
  email address stored in variable, 240
  failing, 103, 214
  functions for phases, 102
  headers, 93–94
  immediate abort, 219
  interweaving calls to many, 86–87
  killing, 112
  learning from human input, 238–239
  libraries needed, 112
  listening, 109
  logging, 225–226
  macros for passing sendmail macros to, 115
  main() function, 99–100
  method used to halt, 215
  multiple reviewing message, 131–132, 135
  multithreaded, 113, 214
  name of, 101–102
  non-root user, 211–213
  order called, 132, 135, 138
  orderly shutdown, 219
  phrases accepted or ignored, 100–103
  port numbers listening on, 106
  post-connection cleanup, 96
  preventing from running as root, 211
  private variables, 100
  process phases, 87
  queue identifiers, 225
  quitting, 148–149
  real user ID, 211
  as recipient, 240
  registering with library, 88
  regular-expression rules, 244

  rejecting connection, 89
  rejecting SMTP command, 119–120
  replies
    for Connect and Ehlo/Helo, 89–90
    at end-of-message routine, 95–96
    to MAIL FROM: command, 90–91
    per chunk, 94
    to RCPT TO: command, 91–92
  required initialization elements, 99–100
  return values from multiple, 88
  reviewing recipients, 91–92
  role of, 85–86
  running
    in background, 110, 217–219
    under /etc/mail directory, 209–210
    in foreground for testing, 219
    by root, 105
    in /usr/local directory, 210
  sendmail
    point of view, 86–87
    supporting, 45
  SMTP DATA replies, 92–94
  sockets, 100
  source code examples, 289–290
  starting, 213–217
  startup script, 213–217
  static configurations, 246
  status or startup files, 209
  stopping, 213–217
  syslog records, 102
  T parameter, 191
  tempfailing SMTP command, 119–120
  time before restarting, 215
  timeout on amount of time, 145
  UNIX domain socket, 210
  updating knowledge, 232
  use of multiple, 85
  user ID, 210–213
  waiting for connection from sendmail, 112
  where to run, 208–210
milters directory, 289–290
MILTERSEMAPHORE macro, 215
MIME (Multipurpose Internet Mail Extensions)
  attachments, 24–25
  Content-Type: header, 256
  headers, 178
  headers and attachments, 285
MIME-encoded boundaries, parsing, 256–258
MIME-encoded messages, 187
Missing headers, 177
MI_SUCCESS value, 119, 121, 125, 130, 133, 136, 139, 141, 144, 146
Monty Python's Flying Circus, 10
msg argument, 122–123
MTAMARK (Marking Mail Transfer Agents) x standard, 6
MTAs (mail transfer agents), xiii, 6
  multiline reports, 124
  rejecting envelope sender, 16
Multiline replies, 123–124
Multipart messages, 256–258
Multithreaded mode, launching, 109–110
Multithreaded operation, 112
Multithreaded program
  deallocating resources, 96
  signals, 220
MX host, spam email sent directly to highest-numbered, 222
MX records, 13
  adding, 48–49
  controlling domain records, 15
  extracting host name associated with, 224
  looking up, 48–49
  printing, 225
  trapping IP number subterfuge, 14
MX (mail exchange) servers
  anticipating, 221–225
  deferring envelopes, 245
  detecting when mail received from, 221–225
  looking up, 222–224
  relaying spam through, 13–15
  unable to run spam filters on, 222

mx() function, 222
  testing, 208, 224
mySQL, 232

N

name argument, 178
Name item, 100
Named pipes, 104–106
Named sockets, 105–106
Network connections and bait machine, 46
newaliases command, 54
newaliases program, running, 65
Newline characters, 289–290
News server
  acknowledging posting, 73
  allowing posting, 72
  host sending greeting, 71
Newsgroups
  to post to, 68
  posting to, 67
  validating existence, 72
Nigerian fraud, 7
nmap program, 56–57
Non-root user, 211–213
NOQUEUEID string, 226
Nwords global variable, 289
nwords() function, 290–291

O

okaymail user, 65
~/.oksenders file, 244
Old MTA addresses, 167, 173
op pointer, 261–262
Operating systems
  posix threads, 44
  thread-safe C language library, 44–45
Organized crime and Nigerian fraud, 7
ourmilt.run script, 216–217

P

Parent, 218
Parsing MIME-encoded boundaries, 256–258
Passing state, 255
Passwords, 8–9
Paul Graham Spam website, xvi
Pdata structure, 119
pdatap pointer, 119
percenthex() subroutine, 277–279
Phone numbers
  detection of, 38
  whitelisting, 242
Phonemes, 23
Platform, choosing for bait machine, 44–47
Plus addressing, 75–77
Pointers, storing single, 119
POP (Post Office Protocol) email readers, 233
Portability, 226–227
Ports
  excluding non-email, 56–58
  list of numbers, 57
  unnecessary services listening, 57
Posix threads, 44–45
POST command, 72
Postage, xv, xvii
Post-connection cleanup, 96
Posting
  articles, 70–71
  to Usenet news groups, 67–74
post() subroutine, 70–71
Preventive measures
  EXPN command, 77–78
  telling users about plus addressing, 75–77
Printer hosts name, 175
printf() statements, 219
Printing MX records, 225
priv pointer, 170
priv variable, 185
Private data, 239
  allocating memory to pointer, 117

  fetching, 118–119
  registering, 116–118
Private variables, 100
priv->qid variable, 226
procmail program, 242
Programs run as root, 211
Protecting good email, 64–65
Protocols
  default, 31
  enclosed in quotation marks, 29–30
  identifying in URL, 29–30
  not actually present with each URL, 31
Pthreads. See posix threads
pthread_sigmask() library routine, 221

Q

qpdecode() function, 266–269
Quarantine reply, 96
Quarantining messages, 146–148, 191
Queue identifiers, 225–226
Queued messages
  not seen by sendmail, 146–148
  sendmail identifier, 170
QUIT command, 74
Quitting Milters, 148–149
Quoted-printable encoded attachments, 24–25
Quoted-printable encoding, decoding, 265–269

R

Random text, 23–24
RCPT TO: command, 117, 120
  calling Milters, 85
  Milter replies to, 91–92
  reviewing, 171–176
RCTP TO: command, 87
rd.yahoo.com website, 33
README file, 46
Real user IDs, 211
Rebooting bait machine, 58–59
Received: headers, 131, 177, 182
Receiving (listening) interface, 160
Recipient address @ character, 175
Recipient-oriented handler functions, 154
Recipients
  accepting, 154
  counting number of, 116–117
  number of bad, 193
  rejecting, 122
Recording errors, 218
Redirect servers, 33–34
Redirecting site, 33–34
regerror() function, 244
regexec() C library routine, 243
Registering private data, 116–118
Regular-expression evaluation, 243
Reject decision, 88
Reject reply, 89, 91–95
Rejecting
  connections from IP numbers, 221
  envelopes, 245
  spam, 244–246
Relaying through MX (mail exchange), 13–15
Resources
  deallocating, 96
    connection-oriented, 155
    envelope-handling functions, 156
  failure to deallocate temporary, 118
res_query() function, 223
return keyword, 112
Return values from multiple milters, 88
Reverse DNS, 6
Reverse lookup of IP address, 157
Reviewing connections, 156–161
Reviewing SMTP HELO/EHLO, 161–165
RFC1413 validation, 160
Risks with internal PC customers, 234
root user
  delivering mail for, 53
  executing programs, 211


root user continued
  preventing Milters from running as, 211
  programs run as, 211
/root/bin/roll shell script, 56
Rotating logs, 56
Routers, 9, 234
Routines
  body, 255–293
  decoding
    base64 encoding, 258–265
    character-entity encoding, 269–276
    quoted-printable encoding, 265–269
    URL-encoding, 277–279
  /etc/magic file usage, 284–288
  parsing MIME-encoded boundaries, 256–258
  passing state, 255
  stripping HTML comments, 279–284
Rule sets
  disposing of message, 96
  rejecting connection, 89
runas() function, 211–213

S

Sanity process and whitelisting, 242
<script command, 37
Semaphore file, 217
Sender identification, xvi
Sending site
  connection cleanup, 200–203
  EHLO command, 172
sendmail
  220 greeting, 12–13, 90
  220 SMTP code, 156
  adding Milter support, 50–52
  aliases, 53–54
  buffer for incoming message, 12–13
  configuring, 50–54
  connection request from sending host, 89
  getpeername(3), 157
  greetpause FEATURE, 13
  header added by Milter, 131
  host and RFC1413 validation, 160
  interweaving calls to many Milters, 86–87
  killing and restarting, 52
  log records, 225
  logging, 128–129
  mail facility, 54
  mc macros, 115
  minimal aliases file, 53
  as MTA (mail transfer agent), xiii
  multiple Milter programs, 85
  plus addressing, 75–77
  point of view on Milters, 86–87
  queried files not seen by, 146–148
  rejecting envelope recipient, 172
  reverse lookup of IP address, 157
  setting up local-host-names file, 52–53
  SMART_HOST option, 4
  source directory, 50
  version supporting Milters, 45
  where and how to deliver email, 64
sendmail, 3rd edition (Costales and Allman), xiv
sendmail configuration file
  Milter.LogLevel option, 128–129, 131, 134, 136, 138, 140, 142, 145, 147
  order Milters called, 132, 135, 138
sendmail Cookbook (Hunt), xiv
sendmail macros
  fetching values, 114–115
  xxfi_connect() handler function, 160–161
  xxfi_envfrom() handler function, 170
  xxfi_envrcpt() handler function, 176
  xxfi_helo() handler function, 165
sendmail Milters, xv, 43
sendmail Performance Tuning (Christenson), xiv
sendmail website, 45
sendmail.cf file, 52
sendmail.mc file, 50–52
Services
  screening URLs, xvi–xvii
  unnecessary listening on ports, 57
setsid() function, 218


sfsistat type, 153, 157–158, 166, 168, 171, 174, 178, 180, 183–184, 186, 194–195, 197, 201
Shell macros, 214–215
Shutting down in stages, 148
sig() function, 220
SIGHUP signal, 219–221
SIGINT signal, 219–221
sigmarkreadconf() function, 220
sigmarkrereadconf() function, 220–221
Signals, 219–220
Signature detectors, attempting to fool, 23–24
SIGPIPE signal, 219–221
SIGTERM signal, 219–221
SIGUSR1 signal, 219–221
SIGUSR2 signal, 219
sizeof (3) integer, 117
Sleepycat DB, 46–47
slocal program, 64, 242
slowmilt open source, 290
Small businesses and whitelisting, 241
SMART_HOST option, 4
smfi data access routines, 113–127
smfi modifier routines, 127–149
smfi routines, 97, 151
smfi_addheader() routine, 98, 129–130, 191, 196
  ctx connection-context pointer, 130
smfi_addrcpt() routine, 98, 138–140
smfi_chgheader() routine, 98, 135–138, 191
smfi_delrcpt() routine, 98, 140–141, 240
smfiDesc structure, 100–103, 111–112, 158, 162–163, 167–168, 173, 179, 183, 187, 194, 198, 201
  declaring xxfi_ functions, 155
  flags, 103–104
  global or local, 101
  items, 100–101
  position of xxfi_connect() handler function, 158
  registering, 100
    with milter-library, 112
    with smfi_register() function, 103
SMFIF_ADDHDRS flag, 104, 129, 132
SMFIF_ADDRCPT flag, 104, 138–139
SMFIF_CHGBODY flag, 104, 143
SMFIF_CHGHDRS flag, 104, 135
SMFIF_DELRCPT flag, 104, 140–141
SMFIF_QUARANTINE flag, 104, 146–147
SMFIF_ADDHDRS flag, 104, 129, 132
SMFIF_ADDRCPT flag, 104, 138–139
SMFIF_CHGBODY flag, 104, 143
SMFIF_CHGHDRS flag, 104, 135
SMFIF_DELRCPT flag, 104, 140–141
SMFIF_NONE flag, 104
SMFIF_QUARANTINE flag, 104
smfi_getpriv() routine, 98, 113, 117–119, 170, 192, 199, 203, 239
smfi_getsymval() routine, 98, 112–115, 165, 170, 176, 193, 226
smfi_insheader() routine, 98, 132–135
smfilter structure, 103
smfi_main() routine, 98, 100, 109–110, 112
smfi_opensocket() routine, 98, 104–109, 112
smfi_prefix, 97, 99
smfi_progress() routine, 98, 145–146, 191, 192
smfi_quarantine() routine, 98, 146–147, 191
smfi_register() routine, 97–98, 100–103, 102, 112, 158, 162, 167, 173, 179, 183, 187, 194, 198, 201
smfi_replacebody() routine, 98, 143–144, 191
SMFIS_ACCEPT return value, 153, 158–159, 163, 168, 174, 180, 184, 188, 195
SMFIS_CONTINUE return value, 153, 159, 164, 169, 174, 180, 184, 188, 195, 240
SMFIS_DISCARD return value, 153, 159, 164, 169, 174, 180, 184, 188, 195
smfi_section() routine, 105–107
smfi_setbacklog() routine, 98, 113, 126
smfi_setconn() routine, 98, 104–109, 112
smfi_setdbg() routine, 98, 113, 124
smfi_setmlreply() routine, 98, 113, 123–124
smfi_setpriv() routine, 98, 113, 116–118, 193, 203, 228
smfi_setreply() routine, 113, 119–122
smfi_settimeout() routine, 98, 109, 112


SMFIS_REJECT return value, 153, 159, 163, 168, 174, 180, 184, 188, 195
SMFIS_TEMPFAIL return value, 153, 159, 163, 168, 174, 180, 184, 188, 195
smfi_stop() routine, 98, 148–149
SMFI_VERSION literal expression, 102
SMFI_VERSION macro, 111
SMTP (Simple Mail Transfer Protocol)
  changing reply, 119–122
  DATA portion, 190
  EHLO command, 90
  envelopes, 15
  EXPN command, 77–78
  HELO command, 90
  MAIL FROM: command, 90
  MAIL FROM part, 5
  Milter replies with data, 92–94
  modifying messages, 127–149
  reply code, 122
  reviewing HELO/EHLO, 161–165
smtp argument, 121
SMTP commands
  extended, 166, 172
  rejecting, 119–120
  tempfailing, 119–120
Sockets
  changing default time out, 100
  opening, 107–109
  setting up, 112
  smfi_setconn() routine, 107
Solaris
  baby-sitting script, 217
  copying startup scripts, 213
  -lnsl switch, 68
  log records, 225
  logadm program, 56
  method used to halt Milter, 215
Source code Milter examples, 289–290
SPAM, xiv
Spam, xiv
  adding URL's host to database, 234–235
  aliases and comments, 63
  archiving, 244–246
  attempting to fool signature detectors, 23–24
  bouncing, 16
  camouflaging HTML body, 18–22
  clickable web reference (URL), 26
  connection behavior, 12–13
  constantly changing and evolving, 12
  disguising Subject: header, 16–18
  disposing of, 234
  email addresses, 38
  evolution of, 3
  exponential growth, 10
  falsifying envelope sender address, 15
  filtering, xvi, 234
  full-blown war against, 3
  grokking site, 26–37
  human view of, 11
  internally structured, 12
  ISPs, 4–5
  large ISPs, 4–5
  lost productivity, 9
  maintaining history, 234–237
  method to contact spammer, 26
  passing through, 244–246
  phone numbers, 38
  possible feedback mechanisms, 237–240
  rejecting, 244–246
  relaying through MX (mail exchange), 13–15
  religiously or politically motivated, 38
  selling something, 38
  setting up addresses to be gathered, 65–67
  speeding up process, 12
  tracking source, 76
  unnecessary encoding, 24–25
  what to do with, 232
Spam address-gathering software, 77–78
Spam detection software
  envelope sender, 16
  phonemes, 23
“Spam Song,” 10


Spam suppression
  cost of, 9–10
  software, 10
Spam-blocking software recognizing spam, 11
Spammers
  hijacked PCs, 5
  method for recipient to contract, 26
  thinking like, 38–39
Spam-screening software, 19
Spam-sending sites
  false envelope sender, 16
  IP number, xv
Special characters
  HTML documents, 20–21, 269–276
  redirect servers, 33–34
SPF (Sender Policy Framework) standard, 6
Spyware, 8
SQL (Structured Query Language) database, 232
src directory, 290
_srv._smtp.perm domain, 6
start argument, 216
Startup script, 213–217
State, passing, 255
stat() function, 289
Static configurations, 246
Status information, 155
stdin, 218
stdio.h included file, 111
stdout, 218
stop argument, 216
strerror() function, 108, 111, 121
String constants, 276
string.h included file, 111
Strings
  allocating memory for, 122
  cleaning spaces around, 247–248
  longer than 980 characters, 122–123
Stripping HTML comments, 279–284
strtol() C library function, 268
struct keyword, 101
struct priv_struct type, 170
Structure, 101
Subdomains, 47–48
Subject: headers, 181
  base64-encoding, 17–18
  disguising, 16–18
submit.cf file, 52
Syntax error, 122–123
sysexits.h included file, 111, 208
syslog(3), 203
syslog records, 102
syslogd daemon, restarting, 56
syslog() function, 218, 226
System password database, 212

T

Target file, 55
TCP sockets, 104, 106–107, 112
TCP/IP (Transmission Control Protocol/Internet Protocol), 12–13
Telnet to known web server on port 80, 66
Tempfail decision, 88
Tempfail reply, 89, 91–95
Template include file, 226
Test machine. See bait machine
test Milter, 290
Text, computing value for, 23–24
Theft
  of bank or credit card information, 7–8
  of passwords, 8
Thinking like spammers, 38–39
Threads, 148, 220
time(3) C library routine, 203
TLS encryption key length, 165
TLS/SSL (Transaction Layer/Secure Socket Layer) version, 165
T_MX type, 224
Tomlinson, Fred, 10
Trace-type headers, 136
Trapping signals, 220
ttl (time to live), 224


TXT record, 6
Type, 224

U

umask, 105
Underlying database whitelisting, 241
Units, xvi
UNIX, 284–285
unix: prefix, 105–106
UNIX domain socket, 108, 210
UNIX System Administration Handbook, 3rd edition (Nemeth, Snyder, Seebass, and Hein), xiv
Unnecessary encoding, 24–25
unsigned char* type, 187
Unsolicited email, xiv
Unwanted headers, 182
URL detection, xvi–xvii
URL-encoding, 21–22
  decoding, 277–279
URLs (Uniform Resource Locators)
  case insensitive, 29
  CNAME records and, 35–36
  decoding, 22
  email addresses masking, 31
  encoding, 21–22
  encountering @, 32
  hand-screening, xv
  host.domain form, 32
  hostname random word masquerading, 34–35
  identifying protocol, 29–30
  JavaScript.Encode, 37
  quotation marks when pasting, 29–30
  recording host names in database, 26
  services that screen, xvi–xvii
  used as comments, 36–37
Usenet
  commercial postings, xiv
  email addresses, 68
  plus addressing, 77
  posting to news groups, 67–74
  spam risks, 77
User IDs
  avoiding use of, 210
  Milters, 210–213
  nonzero, 213
  real, 211
  resetting, 213
  value as, 212
User names, 8–9
user variable, 212
User-added headers, 136
Users
  discovering if logged in, 81
  modeling, 233–234
  outside world as, 234
  telling about plus addressing, 75–77
/usr/local directory, 210
/usr/local/etc/rc.d directory, 213
/usr/local/nmh/lib/slocal program, 64
/usr/sbin/logrotate file, 56
/usr/share/dict/words file
  loading, 288–289
  usage, 288–293

V

Valid HTML keywords, 19
value argument, 178
Values and zero-length string, 250
/var/log/maillog file, 55
/var/log/milter.log file, 56
/var/log/syslog file, 54
/var/run/ourmilter.sock socket, 51
/var/run/yourmilter directory, 208
Version item, 100
Vikings, 10
Virtual Conspiracy website, 37
Viruses, 8–9
VRFY command, 77–78


W

Web addresses, masking, 78–80
Web interface
  email readers, 233
  whitelisting, 241
Web references, 21
  character-entity encoding, 22
  <a command, 27
  disguising, 26
  HTML commands, 27–28
Web servers, running, 65–67
Websites, xv
while loop, 217
White space characters, 259–260
Whitelisting, 232, 241–242
Wildcard DNS records, 34–35
Words, breaking up with HTML comments, 18–19
Words global variable, 289
Worms, 8–9
write program, 81
www host name, 52

X

xfi_eom() handler function, 132
X-milter: header, 131
XMTP, VRFY command, 77–78
xxfi_ handler functions, 226
  common characteristics, 153
  ctx argument, 154
  declaring, 153
  types, 154–155
xxfi_abort() handler function, 117, 152, 155–156, 169, 184–185, 191, 192, 194, 197
  calling common subroutine to deallocate envelope data, 200
  ctx private-context pointer, 198
  deallocation routines called from, 227
  example, 199
  recording that Milter aborted, 200
  usage, 197–199
xxfi_body() handler function, 143, 152, 154, 156, 255
  allowing selected local recipients to receive messages, 190
  archiving copy of outbound email, 190
  arguments, 186–187
  calling, 186
  ctx private-context pointer, 186
  example, 189–190
  len argument, 187
  return values, 188
  saving (buffering) body to file or in memory, 190
  saving (buffering) body without attachments, 190
  screening body for viruses, 190
  storing attachments in database, 190
  usage, 186–189
xxfi_close() function handler, 193
xxfi_close() handler function, 118, 152, 155, 169, 184, 185, 199, 228
  calling, 200–201
  ctx private-context pointer, 201
  ensuring allocated envelope data deallocated, 203
  example, 202–203
  summarizing actions taken by connecting site, 203
  usage, 200–202
xxfi_connect() handler function, 114, 118–119, 152, 155–157
  detecting if connection is on loopback interface, 161
  example, 159–160
  haddr argument, 159
  keeping track of connections, 161
  looking up host name and IP number, 161
  return values, 158–159
  sendmail macros, 160–161


xxfi_connect() handler function continued
  sfsistat type, 158
  usage, 158–159
xxfi_envfrom() handler function, 114, 117, 152, 154, 156, 165–166, 170, 185, 191, 197, 225–226
  comparing IP address to list of rejected addresses, 171
  envelope sender allowed to send mail in domain, 171
  example of, 169–170
  rejecting connections with small encryption key length, 171
  return values, 168–169
  sendmail macros, 170
  usage, 166–169
xxfi_envrcpt() handler function, 114, 117, 142, 152, 154, 156, 191
  addressees of message inside, 239
  arguments, 172
  argv argument, 172
  calling, 171
  counting number of good recipients, 176
  ctx private-context pointer, 172
  example, 175–176
  list of honey-pot (bait) recipients, 176
  missing recipients can be found, 176
  return values, 174
  sendmail macros, 176
  usage, 171–174
  validating whitelisting pairs, 176
xxfi_eoh() handler function, 152, 154, 156
  calling, 183
  comparing number of envelope recipients to number of header recipients, 186
  ctx private-context pointer, 183
  example, 185
  flagging missing headers, 186
  logging statistical review of headers, 186
  return values, 184
  usage, 183–184
xxfi_eom() handler function, 117, 127, 129, 132–133, 135–136, 138–139, 141, 143–145, 147, 152, 154, 156, 169, 185–186, 190–191, 240
  adding envelope recipient, 197
  adding headers found to be missing, 196
  argument, 194
  calling, 227
  changing value of headers, 197
  constrained by time limits, 191–192
  ctx private-context pointer, 194
  deallocation routines called from, 227
  decoding body, 197
  example, 196
  logging summary of everything Milter did with envelope, 196
  removing envelope recipient, 197
  removing junk headers, 197
  return values, 195
  screening body to detect spam, viruses, and unwanted attachments, 197
  sendmail macros, 193
  usage, 194–195
xxfi_header() handler function, 152, 154, 156, 176–177, 185, 191
  arguments, 178
  checking header values for adherence to standards, 182
  ctx private-context pointer, 178
  detecting bogus Received: headers, 182
  example, 180–182
  name argument, 178
  recording presence of header, 182
  return values, 180
  unwanted headers, 182
  usage, 178–180
  value argument, 178
xxfi_helo() handler function, 114, 152, 155, 161
  arguments, 162
  calling, 162
  ctx private-context pointer, 162


  detecting spamming software patterns in HELO/EHLO string, 165
  example, 164
  host argument, 162
  return values, 163–164
  sendmail macros, 165
  sfsistat type, 162
  usage, 162–164
  verifying correct cipher suite, 165
xxfi_prefix, 99
xxfi_rcpt() handler function, 97

Z

Zero-length file for logging messages, 55
Zero-length string, 250
Zombie mail machine, 9
