The worm broke out on the office network at 10:42 a.m. Joe—the email administrator—was on the phone at the time, making arrangements to take his wife to dinner that evening. As the worm slithered from mailbox to address book to mailbox, Joe was happily contemplating enjoying a quiet evening out with his spouse, blissfully unaware of the monster growing within his network. Little did he realize that within a few hours, he'd have to cancel his plans.
As Joe hung up the phone, his heart sank when he saw the message appear in his Inbox: Important notify about your e-mail account. Joe recognized the subject title as a variant of the Bagel worm and realized that the worm was in his network. He'd have to put everything on hold to deal with the outbreak of this latest worm—a routine that Joe was all too familiar with.
I've long been disappointed that many modern email servers (such as Microsoft Exchange Server) lack standard mail-filtering capabilities. Microsoft has released an add-on for Exchange Server 2003 called the Exchange Intelligent Message Filter that gives you some control over your mail flow, but certain fundamental capabilities, such as attachment blocking, should be available on every server out of the box. Imagine how much less time we'd spend fighting Internet worms if all mail servers had even a rudimentary attachment-blocking capability. I decided to address this need, so I looked for an open-source mail filter that runs on Windows and can block attachments and help me manage the deluge of spam that continually assaults my network.
A Word About Mail Relays
The use of a mail relay or proxy server to deliver email messages is gaining popularity as a defense against hostile attachments, spam, and other email nuisances. Separating mail storage (handled by the mail server) from mail delivery (handled by the mail relay or proxy server) also makes sense from a security and performance perspective. By setting up a mail relay or proxy server in a demilitarized zone (DMZ) on your network, you can prevent the outside world from even connecting to your mail server.
Establishing a mail relay or proxy is typically accomplished by allowing SMTP traffic over TCP port 25 into the relay or proxy servers within the DMZ, then letting the relay or proxy servers communicate via SMTP with your mail server, which is behind a firewall. By delegating tasks such as spam filtering and attachment blocking to a relay or proxy server, you can decrease the processor load on the mail server.
Because the mail proxy package I discuss in this article is open source, you might want to consider implementing more than one on your network, for a couple reasons. First, open-source software sometimes has bugs. Although I've found my open-source mail filter to be exceptionally reliable in most environments, running two mail proxies gives you a backup should one proxy server crash or otherwise stop processing messages. The second reason is that because the software is free and doesn't cost anything other than some additional hardware, you can implement a second relay server. By using multiple DNS MX records, you can have both servers work on processing your network's incoming mail.
Fluffy the SMTPGuardDog
I first noticed Fluffy the SMTPGuardDog about a year ago. Fluffy is an open-source mail-filter application for systems running Windows 95 and later that derives its name from the ferocious three-headed dog in the Harry Potter book series. I was impressed to see an open-source mail-filtering solution for Windows platforms. Designed to act as a proxy between the Internet and your mail server, Fluffy checks all incoming messages and attempts to filter out hostile attachments and spam.
Fluffy doesn't require much processing power to run. The application's author, Wayne McDougall, says that his 233MHz Pentium machine can handle roughly 1500 messages in 10 minutes without fault. You can run Fluffy on the same system as your existing mail server or on a dedicated DMZ system. Although I highly recommend the DMZ-based implementation, for the purposes of this article, I set up Fluffy on the same system as my mail server, which is a bit more complicated than setting it up on a separate system.
You'll need to download the executable code for Fluffy, along with a Visual Basic (VB) runtime engine to install on your system. You can obtain both items from the application's homepage at http://smtpfilter.sourceforge.net. For this article, I use version 1.4.95 of Fluffy.
Install the VB runtime by downloading and executing msvbvm50.exe, which provides the necessary support for the primary application. Then, you're ready to install Fluffy. Unzip the installation package for Fluffy and launch setup.exe. There are no real options to choose for the installation—you need to specify only the directory you want to use. After you've installed the application, you're ready to start configuring it to filter your mail.
Fluffy doesn't run as a service, so you must leave your system logged on and run Fluffy as a desktop application. Currently, this is the only supported configuration for Fluffy. However, some users report that they've been able to run Fluffy as a service by using the resource kit utility Srvany or set up Fluffy as a scheduled task to launch at system start-up. (For more information about Srvany, see Resources.) Although it's a slight security risk, I like to leave Fluffy running on the desktop so that I can see its main console window, which Figure 1 shows—it gives me a real-time look at how much my mail server is being assaulted and also helps me diagnose users' email problems.
Setting Up Fluffy
When you launch Fluffy from the Start menu for the first time, the program asks you some configuration questions. I leave most of the options blank so that I can set them up on my own. However, Fluffy provides some useful default settings, and we'll accept some of them here. The first question you're asked is whether you want to let Fluffy detect the network settings for your system. I recommend you select Yes.
Next, Fluffy asks whether you want to preload a set of DNS blacklist servers into the application. DNS blacklists (aka Realtime Block Lists—RBLs) typically contain IP addresses of mail servers known to have recently sent spam. When a new inbound SMTP connection contacts your mail server, Fluffy can query these lists to determine whether your mail server should trust or discard the incoming connection. Answering Yes to accept the predefined list of DNS blacklist servers (which I recommend you do) only populates the DNS blacklist information into Fluffy; it doesn't automatically activate any of the blacklists. I cover DNS blacklist capabilities and blacklist providers in more detail later.
You can also blacklist certain incoming domains and IP address ranges for systems that you've determined shouldn't be trusted. Fluffy asks whether you want to accept a predefined list of blacklisted domains and IP addresses. Although Fluffy includes only a few entries in the predefined list, I recommend you choose No for this option to ensure that you don't mistakenly block important mail.
Fluffy also includes a "spam trap" capability—that is, the ability to specify which inbound email addresses (or parts of addresses) shouldn't receive any mail at all. When Fluffy sees a message sent to a trap address, it immediately records the IP information of the server that sent the message, thereby telling your mail server to discard any future deliveries from the sender. Fluffy's preloaded spam-trap list is rather extensive, and—in my opinion—way too aggressive. A quick look through the default list showed email addresses such as byron@ and [email protected]—relatively common names. Therefore, I suggest you select No for this option. Although the idea of populating this list with "fake" names for users not in your organization is a good one, the default option here is far too broad.
The last question Fluffy asks is whether you want to enable its predefined attachment-blocking list. This option preloads all the common attachment types (e.g., .bat, .cmd, .com, .exe, .pif, .scr) that you don't want your email users to receive. I suggest you select Yes. Later, you can add or remove attachment-type entries as needed. After you've answered the last question, Fluffy will be up and running on your network. However, you're not done with your configuration just yet.
Getting Fluffy Ready for the Internet
You need to tell Fluffy where it should direct mail messages after it processes them. To do so, double-click the three-headed dog icon in the system tray to display Fluffy's monitoring console window. Click Configure, then select the SMTP Servers tab. At this tabbed page, which Figure 2 shows, you can access IP configuration details and enter Fluffy's TCP port and your mail server's IP address and TCP port.
As I mentioned earlier, for this article's purposes I run Fluffy and my mail server (Windows Server 2003 with POP and SMTP enabled) on the same system. Before I installed Fluffy, my Microsoft Internet Information Services (IIS) 6.0 SMTP server listened for incoming SMTP sessions on TCP port 25. However, I want Fluffy, not IIS, to be the first server to see new inbound SMTP connections. To accomplish this, I changed the listening port of my mail server (i.e., IIS's SMTP server) to port 26. To change IIS's listening port, you need to use the Microsoft Management Console (MMC) Internet Information Services snap-in to modify your SMTP server's properties. Launch the snap-in and double-click the server, then select the General tab. Click the Advanced button next to the IP address field to display the Identification dialog box, where you configure the TCP port for IIS. Make sure that the port you specify for your mail server in the Internet Information Services snap-in matches the SMTP Server Port that's defined on Fluffy's SMTP Servers tab.
After you tell Fluffy which IP address and TCP ports to use, Fluffy should face the Internet and be the first server to receive SMTP traffic. Because you've changed your mail infrastructure a bit, double-check your system to make sure that your new server isn't acting as an open relay (i.e., a mail server that sends email messages regardless of their origin or destination). If your mail server wasn't an open relay before you installed Fluffy, it shouldn't be one now, but it's always wise to double-check. To verify that your system can't be used as an open relay, you can use the free mail-relay testing service available from Network Abuse Clearinghouse. If your system allows open relay, you should restrict its mail-relaying capabilities as quickly as possible, or else it won't be long before spammers find your server and start using it to deliver their junk.
Now that Fluffy knows where to find your server and it's secured against open relaying, you should test whether you can deliver a regular email message to your network from the outside world. To do so, in Fluffy's configuration window, select the Update/Logs tab, set the Logging Detail level to 6 so that you can watch a detailed diagnostic for Fluffy, then send yourself a message from an outside email address. Don't panic if you don't see your message right away—the delay means that the message has just encountered one of the first antispam defenses that Fluffy provides for your network.
Deferring Connections and Blocking Attachments
When a new server (i.e., one that hasn't connected to Fluffy recently) connects to your mail server to deliver a message, Fluffy initially denies the message by sending a "deferral" error message to the connecting mail server. By default, any properly configured Internet mail server automatically redelivers a message in approximately 15 minutes if the message wasn't rejected outright on the first delivery attempt. From my observations of Fluffy's email deferrals, I infer that spammers typically make only one pass at delivering a message and, if it isn't delivered on the first try, simply move on to the next victim on their list. In 24 hours of running Fluffy on a personal domain that has only one valid email address, I experienced more than 100 instances of servers that attempted to deliver a message to me, were deferred for 15 minutes, then never came back. That's 100 fewer spam messages I had to deal with that day—not bad, for such a simple technique!
After your first test-message attempt, the remote server should resubmit the message within 15 minutes, at which point Fluffy will recognize the server and accept the message. From now on, Fluffy will accept all mail from that server on the first connection. If Fluffy doesn't hear from a server for 16 hours, it returns the server to the deferred state the next time that server tries to send a message.
If you want to disable the deferred-connection feature or change the deferral time value, select the Connections tab and enter a new value for New contact delay, as Figure 3 shows. Setting the value to 0 disables the deferred-connection feature, causing Fluffy to automatically accept all messages on the first delivery attempt.
If you configured Fluffy to automatically block unauthorized attachments according to a predefined attachment list, you'll find this list on the Virus Scanning tab. As I mentioned earlier, this list contains all the common attachment types that you don't want your mail users to receive. You can test Fluffy's attachment-blocking feature by sending a message to yourself that contains an unauthorized attachment type. When Fluffy sees the banned attachment type, it rejects the message, causing the message to bounce back to the sender. In addition to sending the bounce, Fluffy sends a message to the intended recipient, letting him or her know that the message was dropped.
If you configured Fluffy to block attachments and Fluffy isn't blocking them, select the Virus Scanning tab, then select each attachment type you want to block and click OK. (In my testing, I found Fluffy's interface to be a bit quirky at times.) In addition to attachment blocking, Fluffy can use Grisoft's AVG Anti-Virus or Sophos Anti-Virus as a virus scanner for your inbound messages.
Blacklisting and Whitelisting
If you want to always block certain IP addresses or domain names from your network (i.e., blacklisting), you can do so on the Accept/Reject tab, which Figure 4 shows. Conversely, if you want to always allow certain mail servers or domains into your network (i.e., whitelisting) without any delay or spam processing—for example, organizations that your users communicate with regularly—you also enter those servers or domains on the Accept/Reject tab. For each server or domain you enter on the Accept/Reject tab, click the appropriate radio button to indicate whether you want to add the server or domain to the whitelist or the blacklist.
ISPs and other large mail providers commonly use DNS blacklists to filter spam. These lists, which are maintained by third-party providers, contain the IP addresses of servers known to be recent spammers and those of well-known spammers who simply won't quit. If you opted to accept the predefined list of DNS blacklist servers when you configured Fluffy, Fluffy will know which IP addresses to refuse when those servers attempt to connect and send mail. When a new inbound connection is attempted, Fluffy checks the DNS blacklists you've defined to determine whether the IP address matches one on the list. If it does, Fluffy drops the connection. By default, that server remains in Fluffy's memory for 24 hours and no further mail is accepted from it. After the default time has expired, Fluffy will again check the DNS blacklist when it receives a new connection from the server.
Fluffy includes a large set of DNS blacklists. However, none of them are enabled by default. Before you enable any of these lists on your network, I strongly recommend you research the blacklists you're considering, then test them thoroughly after you've enabled them. I've found that the DNS blacklists vary widely in their effectiveness.
To enable a blacklist in Fluffy, select the DNSBL tab, which Figure 5 shows. Highlight a blacklist to use and in the Score weighting field enter a weighted score (the higher the score, the more you trust the list), then save the change. By default, Fluffy assigns all its DNS blacklists a score weighting of 0. After you've saved the change, you should see the list name move from the Available DNSBL list into the Active DNSBL list at the top of the page. After assigning scores to the DNS blacklists you want to enable, you can choose to have Fluffy behave in various ways according to the weighted score. To do so, select the Handling tab, then adjust the parameters on the page. For example, you can tell Fluffy to block incoming connections that reach a certain cumulative weighted score, modify the subject line of messages, defer acceptance of the message, or just log that the message exceeded a scoring threshold. The last option, Flag as possible junk if total DNSBL score at least, can be helpful when you're deciding which DNS blacklists you might want to use.
For my own network, I implemented the two DNS blacklists listed in Figure 5—SpamCop and Spamhaus. SpamCop has proved to be an efficient blacklist for my needs because it's completely automated and mathematically determines when to remove systems from the list. Spamhaus focuses its efforts on tracking only the most egregious spammers—the roughly 200 that Spamhaus estimates to be the cause of approximately 90 percent of the spam on the Internet. Because Spamhaus's focus is so narrow, I generally trust its blacklist for my networks and those of my clients.
The first day that I implemented Fluffy, my spam load decreased by 80 percent and I blocked several dozen executable attachments that were designed to infest my network. Now, Fluffy defers 700 to 1500 connections a week for mail to my domain—so much that Fluffy has made my email accounts usable again. Fluffy is well worth the minimal amount of effort needed to set up the system. Over time, I'm confident that Fluffy will improve and become even more robust. A few of the items expected to be added to Fluffy in the future (according to the program's author) are the ability to run Fluffy as a service and to automatically populate new whitelist entries according to outbound email going through Fluffy. If you want to avoid the scenario that cut short our administrator friend Joe's dinner plans, I suggest you take a look at Fluffy.
Fluffy the SMTPGuardDog
Network Abuse Clearinghouse
WINDOWS & .NET MAGAZINE ARTICLES
This Old Resource Kit, " More About Srvany," March 2000, InstantDoc ID 8148
This Old Resource Kit, "Srvany," February 2000, InstantDoc ID 7959