Saturday, March 26, 2005

Linux: /var-acious Dictionary Spam

Every site which operates a mail transfer agent such as sendmail will eventually be targeted by "dictionary spam". These are spam hosts which connect to your inbound SMTP port and try a huge list of user names in the hope of "getting lucky" and hitting one which works, whereupon it can be spammed and sold to other spammers. You can see the evidence of this in your mail log, for example /var/log/maillog on Linux, as an endless litany of messages like:
sendmail[2185]: <deb@fourmilab.ch>... User unknown
sendmail[3406]: <tully@fourmilab.ch>... User unknown
sendmail[3770]: <burns@fourmilab.ch>... User unknown
sendmail[4875]: <mjf@fourmilab.ch>... User unknown
sendmail[4912]: <nizu@fourmilab.ch>... User unknown
sendmail[9148]: <gelu@fourmilab.ch>... User unknown
sendmail[11133]: <homer@fourmilab.ch>... User unknown
sendmail[12697]: <vigo@fourmilab.ch>... User unknown
sendmail[15784]: <tall@fourmilab.ch>... User unknown
sendmail[15784]: <tallie@fourmilab.ch>... User unknown
sendmail[16836]: <izzy@fourmilab.ch>... User unknown
sendmail[17229]: <tobi@fourmilab.ch>... User unknown
sendmail[18716]: <kale@fourmilab.ch>... User unknown
(I have elided the date, time, and unique identifier fields from these log items so the lines don't wrap around; these were all received in a ten-minute period.) Dictionary spam arrives in irregular waves; frequently at peaks I'll see three consecutive attempts of each name a few seconds apart.

Apart from how wasteful of resources this is and the sense it gives you of living in a slum where people are constantly trying keys and picks in the lock on your door, there's a practical consequence for server administrators as well, in that essentially any local account with a common name and inbound mail capability will have its mailbox filled up with spam. Most Unix-like systems have a variety of administrative accounts pre-defined, such as adm, mail, news, etc., which, even though they are set up as "no login" accounts, are still able to receive mail with the default configuration of sendmail, which will store all the spam which arrives in its mail queue directory, for example /var/spool/mail. Since nobody logs into these accounts, they can accumulate a huge amount of spam without your ever noticing. One day last year on the former Sun server, I received a WatchFull report warning that the /var filesystem was more than 90% full. On investigation, I discovered more than 120 megabytes of spam queued to various administrative accounts!

Take a look at your server's inbound mail queue directory; you may be surprised at what you find there. One way to deal with this problem, as long as the accounts in question have no legitimate need to receive mail, is to simply alias them to the bit bucket, /dev/null, in your /etc/mail/aliases (or whatever) file. Note that you should run newaliases after modifying this file to put the new aliases into effect. Here is a list of targeted accounts I've so aliased on the Fourmilab server farm.

adm: /dev/null
apache: /dev/null
gopher: /dev/null
mail: /dev/null
daemon: /dev/null
news: /dev/null
ftp: /dev/null
If you do need to occasionally receive mail to an administrative account or feel uncomfortable jettisoning mail without examining it, you can alias these accounts to the administrator's account and rely upon its own junk mail filtering (for example, Procmail and/or Annoyance Filter) to deal with the forwarded spam.
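As an added example (not code from the original post), here is a Python script that does the two checks this post implies: it parses maillog lines of the shape shown above for "User unknown" rejections and flags a burst of distinct unknown recipients inside a ten-minute window, and it lists no-login accounts from /etc/passwd that /etc/aliases does not redirect anywhere. The syslog date prefix, the hostname, the no-login shell list and all sample data are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime

# Matches the page's log shape, with the constructed syslog "Mon DD HH:MM:SS host" prefix.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
                    r"<(?P<user>[^@>]+)@[^>]+>\.\.\. User unknown")

def unknown_user_bursts(lines, window_min=10, threshold=5, year=2005):
    """Return (time, distinct_names) once each time at least `threshold`
    distinct unknown recipients are rejected inside a sliding time window."""
    window, bursts, alerted = deque(), [], False
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a User-unknown rejection
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        window.append((t, m["user"]))
        while (t - window[0][0]).total_seconds() > window_min * 60:
            window.popleft()               # drop entries older than the window
        names = {u for _, u in window}
        if len(names) >= threshold and not alerted:
            bursts.append((t, sorted(names)))
            alerted = True                 # report each burst once, not per line
        elif len(names) < threshold:
            alerted = False
    return bursts

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed shells

def unaliased_nologin_accounts(passwd_lines, aliases_lines):
    """No-login accounts that /etc/aliases does not redirect; sendmail will
    keep delivering to their spool mailbox and nobody will ever read it."""
    aliased = {l.split(":", 1)[0].strip() for l in aliases_lines
               if ":" in l.split("#", 1)[0]}
    return [f[0] for f in (l.strip().split(":") for l in passwd_lines)
            if len(f) == 7 and f[6] in NOLOGIN_SHELLS and f[0] not in aliased]

# Constructed sample input (names taken from the page's excerpt; times and pids invented).
MAILLOG = [f"Mar 26 10:{m:02d}:{s:02d} fourmilab sendmail[{p}]: <{u}@fourmilab.ch>... User unknown"
           for m, s, p, u in [(0, 5, 2185, "deb"), (1, 2, 3406, "tully"), (2, 30, 3770, "burns"),
                              (4, 1, 4875, "mjf"), (5, 44, 4912, "nizu"), (9, 9, 9148, "gelu")]]
PASSWD = ["root:x:0:0:root:/root:/bin/bash", "adm:x:3:4:adm:/var/adm:/sbin/nologin",
          "mail:x:8:12:mail:/var/spool/mail:/sbin/nologin", "news:x:9:13:news:/etc/news:/sbin/nologin"]
ALIASES = ["# see the list above", "adm: /dev/null", "mail: /dev/null"]

if __name__ == "__main__":
    for t, names in unknown_user_bursts(MAILLOG):
        print(f"{t:%H:%M:%S}: {len(names)} distinct unknown recipients: {', '.join(names)}")
    print("no-login accounts without an alias:", unaliased_nologin_accounts(PASSWD, ALIASES))
```

On a live system, feed `unknown_user_bursts` the lines of /var/log/maillog and the other function the contents of /etc/passwd and /etc/mail/aliases (or wherever your aliases file lives).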

Posted at March 26, 2005 16:30