Abuse of Usenet: Defending Against Email-Bombing and Unwanted Mail

Copyright Zach Babayco, 1996 used by permission of the author.

This tutorial is provided as is and without warranty. The conditionals have NOT been tested. Procmail is a powerful tool, and it is very easy to write a recipe that causes all of your email to go down the drain. If you do not understand what is being proposed here, do not risk it.

Thanks go to Nancy McGough for allowing liberal quotes from her Filtering Mail FAQ.

Lately, there are more and more people out there sending you email that you just don't want, like "Make Money Fast!" garbage or lame ezines that you never requested or wanted in the first place. Worse still, there is the email bomb, which comes in two types:

  • Massmail-bombing. This is when an attacker sends you hundreds, or perhaps even thousands of pieces of email, usually by means of a script and fakemail. Of the two types, this is the easier to defend against, since the messages will be coming from just a few addresses at the most.
  • Mailing List bombs. In this case, the attacker will subscribe you to as many mailing lists as he or she can. This is much worse than a massmail because you will be getting email from many different mailing lists, and will have to save some of it so that you can figure out how to unsubscribe from each list.
This is where Procmail comes in. Procmail (pronounced prok-mail) is an email filtering program that can do some very neat things with your mail. For example, if you subscribe to several high-volume mailing lists, it can be set up to sort the mail into different folders so that the messages aren't all mixed up in your Inbox. Procmail can also be configured to delete email from certain people and addresses.

    Setting up Procmail

    First, you need to see if your system has Procmail installed. From the prompt, type:

    > which procmail

    If your system has Procmail installed, this command will tell you where Procmail is located. Write this down - you will need it later.

    NOTE: If your system gives you a response like "Unknown command: which" then try substituting 'which' with 'type', 'where', or 'whereis'.

    If you still cannot find Procmail, then it is probably a good bet that your system does not have it installed. However, you're not completely out of luck - look at the FAQ I mentioned at the beginning of this document and see if your system has any of the programs that it talks about.

    Next, you have to set up a resource file for Procmail. For the rest of this document, I will use the editor Pico. You may use whichever editor you feel comfortable with.

    Make sure that you are in your home directory, and then start up your editor.

    > cd
    > pico .procmailrc

    Enter the following in the .procmailrc file (the variable names are the standard ones Procmail reads; adjust the paths to match your system):

    # This line tells Procmail what to put in its log file. Set it to on when you are debugging.
    VERBOSE=off
    # Replace 'mail' with your mail directory.
    MAILDIR=$HOME/mail
    # This is where the logfile and rc files will be kept
    PMDIR=$HOME/.procmail
    LOGFILE=$PMDIR/log
    #INCLUDERC=$PMDIR/rc.noebomb

    (yes, type the INCLUDERC line WITH the #)

    Now that you've typed this in, save it and go back up to your home directory.

    > cd
    > mkdir .procmail

    Now go into the directory that you just made, and start your editor up with a new file, rc.noebomb. IMPORTANT: be sure to turn off your editor's word wrapping for this part. Each of the three lines beginning with a * in the next example must stay on a single line, however long it is, and the long one must contain NO SPACES. With Pico, use the -w flag; consult your editor's manual page for instructions on turning off its word wrapping.

    > cd .procmail
    > pico -w rc.noebomb

    # noebomb - email bomb blocker
    :0
    * ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))
    * ! ^From:.*(listproc|majordomo|cmeinel|johnb)
    * ! ^TO(netnews|crypto-stuff|pcgames)
    /dev/null

    Let's see what these do. The first line, :0, tells Procmail that this is the beginning of a "recipe". A recipe is basically what it sounds like: it tells the program what to look for in each email message, and if it finds what it is looking for, it performs an action on the message, such as forwarding it to someone, putting it in a certain folder, or, in this case, deleting it.

    The second, third, and fourth lines (the ones beginning with a *) are called CONDITIONS. The asterisk (*) tells Procmail that this is the beginning of a condition. The ! tells it to do the OPPOSITE of what it would normally do.

    Condition 1:

    * ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))

    Don't freak out over this; it is simpler than it seems at first glance. This condition tells Procmail to look at the header of a message and see whether it is from one of the administrative addresses, like root or postmaster, or from a mailer daemon (the program that sends you a notice when a message you sent bounces). If a message IS from one of those addresses, the recipe leaves it in your inbox instead of deleting it.

    Advanced User Note: Those of you who are familiar with Procmail are probably wondering why I require the user to type in that whole long line, instead of using the FROM_MAILER macro. Well, it looked like a good idea at first, but I just found out a few days ago that FROM_MAILER also checks the Precedence: header for the words junk, bulk, and list. Many (if not all) mailing-list servers send either Precedence: bulk or Precedence: list, so if someone subscribes you to several hundred lists, FROM_MAILER would let most of the messages through, which is NOT what we want.

    Condition 2:

    * ! ^From:.*(listproc|majordomo|cmeinel|johnb)

    This condition does some more checking of the From: line in the header. In this example, it checks for the words listproc, majordomo, cmeinel, and johnb. If the message is from any of those people, it gets passed on to your Inbox. If not, it's a goner. This is where you would put the usernames of people who normally email you, and also the usernames of mailing-list servers, such as listproc and majordomo. When editing this line, remember to put only the username in the condition, not a person's full email address, and to put a | between each name.

    Condition 3:

    * ! ^TO(netnews|crypto-stuff|pcgames)

    This final condition is where you would put the usernames of the mailing lists that you are subscribed to (if any). For example, I am subscribed to the netnews, crypto-stuff, and pcgames lists. When you get a message from most mailing lists, most of the time the list address will be in the To: or Cc: part of the header, rather than the From: part. This line will check for those usernames and pass them through to your Inbox if they match. Editing instructions are the same as the ones for Condition 2.

    The final line, /dev/null, is essentially the trash can of your system. If a piece of email does not match any of the conditions (i.e. it isn't from a mail administrator, it isn't from a listserver or someone you write to, and it's not a message from one of your usual mailing lists), Procmail dumps the message into /dev/null, never to be seen again.
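As an added illustration (not part of the original tutorial), here is the recipe's logic re-expressed in Python so you can see, on constructed sample headers, which messages the three negated conditions let through and which fall into /dev/null. The expansion of Procmail's ^TO macro is quoted from the procmailrc man page as I recall it, and the sample headers and addresses are made up.

```python
import re

# Procmail's ^TO macro (its expansion as documented in procmailrc(5); quoted
# from memory here, not from the tutorial) plus the three rc.noebomb conditions.
TO_MACRO = (r"^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To):"
            r"(.*[^-a-zA-Z0-9_.])?")
FROM_ADMIN = (r"^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?"
              r"(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|"
              r"owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))")
FROM_KNOWN = r"^From:.*(listproc|majordomo|cmeinel|johnb)"
TO_LISTS = TO_MACRO + r"(netnews|crypto-stuff|pcgames)"
CONDITIONS = (("Condition 1 (admin/daemon)", FROM_ADMIN),
              ("Condition 2 (known senders)", FROM_KNOWN),
              ("Condition 3 (my lists)", TO_LISTS))

def header_matches(pattern, header):
    # Procmail conditions are case-insensitive, and ^ anchors at any header line.
    return re.search(pattern, header, re.IGNORECASE | re.MULTILINE) is not None

def deliver(header):
    """Return ('inbox', reason) if any whitelist pattern matches, else ('/dev/null', None).
    Every condition in the recipe is negated with '!', so the /dev/null action fires
    only when none of the three patterns is found anywhere in the header."""
    for name, pattern in CONDITIONS:
        if header_matches(pattern, header):
            return "inbox", name
    return "/dev/null", None

# Constructed sample headers (not real mail); addresses use reserved example domains.
SAMPLES = {
    "bounce": "From: Mail Delivery Subsystem <MAILER-DAEMON@mail.example.org>\n"
              "To: zach@example.org\nSubject: Returned mail\n",
    "root": "From: root@wherever.example\nTo: zach@example.org\n",
    "friend": "From: johnb@example.net\nTo: zach@example.org\nSubject: hi\n",
    "my_list": "From: alice@example.com\nCc: pcgames@lists.example\nPrecedence: list\n",
    # A list you never joined: Precedence: bulk does not rescue it, which is the point.
    "unknown_list": "From: cheap-stuff-announce@spam.example\n"
                    "To: cheap-stuff-announce@spam.example\nPrecedence: bulk\n",
    "bomb": "From: nobody@bogus.example\nTo: zach@example.org\nSubject: Make Money Fast!\n",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        folder, why = deliver(header)
        print(f"{label:13} -> {folder:9} {why or ''}")
```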

    Ok. Now you should have created two files: .procmailrc and rc.noebomb. We need one more before everything will work properly. Save rc.noebomb and exit your editor, and go to your home directory. Once there, start your editor up with the no word wrapping command.

    > cd
    > pico -w .forward

    We now go to an excerpt from Nancy M.'s Mail Filtering FAQ:

    Enter a modified version of the following in your ~/.forward:

    "|IFS=' ' && exec /usr/local/bin/procmail -f- || exit 75 #nancym"

    On many systems you need to make your .forward world readable and your home directory world searchable in order for the mail transport agent to "see" it. To do this type:

    cd
    chmod 644 .forward
    chmod a+x .

    If the .forward template above doesn't work the following alternatives might be helpful:

    In a perfect world:
    "|exec /usr/local/bin/procmail #nancym"
    In an almost perfect world:
    "|exec /usr/local/bin/procmail USER=nancym"
    In another world:
    "|IFS=' ';exec /usr/local/bin/procmail #nancym"
    In a different world:
    "|IFS=' ';exec /usr/local/bin/procmail USER=nancym"
    In a smrsh world:
    "|/usr/local/bin/procmail #nancym"

    Now that you have all the necessary files made, it's time to test this filter. Go into your mailreader and create a new folder called Ebombtest. This procedure differs from program to program, so you may have to experiment a little. Then open up the rc.noebomb file and change /dev/null to Ebombtest. (You should have already changed Conditions 2 and 3 to what you want; if not, go do it now!) Finally, open up .procmailrc and remove the # from the last line.

    You will need to leave this on for a bit to test it. Ask some of the people in Condition 2 to send you some test messages. If the messages make it through to your Inbox, then that condition is working fine. Send yourself some fake email under a different name and check to see if it ends up in the Ebombtest folder. Also, send yourself some fakemail from root@wherever.com to make sure that Condition 1 works. If you're on any mailing lists, those messages should be ending up in your Inbox as well.

    If all of these test out fine, then congratulations! You now have a working defense against email bombs. For the moment, change the Ebombtest line in the rc.noebomb file back to /dev/null, and put the # in front of the INCLUDERC line in the .procmailrc file. If someone ever decides to emailbomb you, you only need to remove the #, and you will have greatly cut down on the amount of messages coming into your Inbox, giving you a little bit of breathing room to start unsubscribing to all those lists, or start tracking down those idiots who did it and get their asses kicked off their ISP's.

    If you have any comments or questions about this, email Zach B. Emailbombs WILL go to /dev/null, so don't bother!

    Disclaimer: When you activate this program, it is inevitable that a small amount of wanted mail MAY get put into /dev/null, due to the fact that it is nearly impossible to know the names of all the people that may write to you. Therefore, I assume no responsibility for any email which may get lost, and any damages which may come from those lost messages.

    Currently maintained by The HELP Fund


    Page expanded from an original compiled and written by Marty Fouts