Fluffy the SMTPGuardDog - spam and virus filter for any SMTP server

Hosted by

You can download the latest online help file from the project summary page. This is included in the full installation download.

Documentation

• About Fluffy (Overview)
• System Requirements
• Frequently Asked Questions (FAQ)
• Installation Instructions
• Configuration Instructions
• Usage Instructions
• Log Files
• Changes in this version of Fluffy (Changelog)
• Things to Do
• ESMTP support reference
• Copyright

About Fluffy (Overview)

Capabilities

• You can accept or reject all connections from a particular IP address/range or (wildcarded) domain name
• You can set up 'spam traps' of invalid email addresses (if you accept email for a domain) and then reject all email from sources that try to send to those 'spam trap' addresses
• You can choose from a list of real-time IP spam blacklists (DNSBL) to use to reject incoming spam, with customised rejection messages.
• You can map from a (wildcarded) address to another

Features

• Messages from a new source (ie not recently seen) are delayed. This immediately cuts down on spam because spam software usually doesn't retry. It also means there is time for the spammer to be shut down or listed in a DNSBL. Fluffy can also review the intended recipient list for matches against the 'spam trap' list.
• All rejected email generates a message sent back to the sender. Messages are not simply 'binned' or sent to a junk mail folder which requires your manual review. If a genuine correspondent is blocked they will immediately be told why and can contact you by some other means. This is also a service to them - it warns them that they may have other messages being blocked (without any notification)
• A full log file is kept, and you can view the log file in a scrolling window
• DNSBL performance is monitored and queries are run in a priority order against the systems that provide the highest spam detection rate in the shortest amount of time

System Requirements

The program will run on slow hardware. My system is running under Windows 95 on a 233 MHz Pentium machine on a 128k/128k ADSL connection. It has handled 1500 x 30k messages over a period of 10 minutes without a fault. It rejects over 1200 spam messages coming in per day.

Frequently Asked Questions

• I have users connecting from outside my local network, authenticating by POP lookup, but then getting caught in the Spam Trap when sending valid outbound mail. How can I stop this from happening?

  New in version 0.4 on the Local Email tab you can list the domain names you accept (or specfic email addresses if you prefer), and choose the SMTP authentication option. Anyone who connects to Fluffy to send email from a domain or email address that matches will be considerd a local network user and spam trap tests will not apply.

• SpamCop thinks my machine is the spammer when I report spam that has got past Fluffy. What's wrong?

  This arises when Fluffy is running on a computer with a public internet IP address (ie not a private network address such as 192.168.x.x) server and the computer doesn't have a valid name that corresponds to the domain that is receving the email. The solution is to change your computer name to be a domain name that on reverse IP lookup, correspond with your IP address name, where that IP address is the target of incoming email. In other words, make sure your network is correctly configured to be on the internet, if you are using public internet addresses.

Installation

Now we need to configure the SMTP server You have an existing SMTP server that listens on port 25 (standard) for incoming mail connections. We need to have Fluffy listen for incoming mail and redirect genuine email to the existing SMTP server. There are a variety of ways to achieve that which makes this section appear more complicated than it really is. We'll present a simple case for running Fluffy and the VPOP3 mailserver on the same computer, and then go into detail for alternatives.

But first an important word on open relaying. An open relay is when your computer is set up to deliver email from anyone to anyone. This is often used for sending spam. It is something you want to avoid, especially if you pay for your bandwidth. Some SMTP servers will validate email based on IP address. This will not work with Fluffy because all email will appear to be coming from the computer running Fluffy (ie a local machine).

The preferred method is for SMTP Authentication provided that you do not require SMTP authentication for local (internal) email. Your email software must support SMTP authentication to use this option, and you need to turn it on in your email software. For example, in Outlook, choose email accounts and on the Servers tab choose My server requires authentication under outgoing email server. If VPOP3 is your SMTP server you change the settings under Services (formerly Local Servers), and enable Require SMTP Authentication and also Do not require SMTP authentication for internal/incoming mail.

If your mail software or SMTP server does not support SMTP authentication in this way, you should validate by the the From: address rather than by IP address. In VPOP3 settings, you do this by clicking on the the SMTP link (formerly Configure button), and selecting SMTP Anti-Relay Protection as Check From: Address. You should make sure Don't allow addresses with '%' in their address is enabled. This introduces another problem - what if a spammer fakes your From: address to try and use your SMTP server to send email? Fluffy will detect such attempts and prevent external (outside your network) connections from using an internal From: address as the sender of the email. If you are running a very sophisticated operation with validated relaying for some users, or just want to talk about your options for using Fluffy then you can email me or start a public discussion. Basically you can achieve what you want very simply, but you can probably work that out for yourself.

Ok, on to setting things up.

1. Simple case of Fluffy and an SMTP Server (eg VPOP3) running on the same computer

   The simplest approach is to run Fluffy on port 25 (the default) and change your SMTP server to listen on a different port. For VPOP3 you change the settings under Services (formerly Local Servers), and set the SMTP server to use port 26.

2. Fluffy and SMTP Server running on a different computer

   In this case you could run both Fluffy and your SMTP server on port 25. The trick is to set this up so that incoming (Internet) traffic talks to Fluffy rather than your SMTP server. It doesn't matter which system your local mail clients talk to.

   To direct connections to Fluffy you'd do so as you did for your SMTP server. For example, if you are using a NAT you'd forward port 25 connections to the IP address of the computer running Fluffy. Or if your mail server is listed in a DNS record you could change the MX (or A if you don't use MX) record for your domain to point to the IP address of the computer running Fluffy. Or you could swap the IP addresses of the computers running Fluffy and your SMTP server. Again, this may sound complicated, but that's because you have a choice of options, some of which you may never have heard of. Just ignore the ones you don't know anything about. If you need more help with this, you can email me or start a public discussion.

3. Not running Fluffy on port 25

   You can run Fluffy on any port (eg 26) which means your SMTP server could continue to run on port 25 (on the same computer or a different one). Internet mail connections expect to talk to port 25 so in this case you'd need to use NAT or port forwarding to direct incoming (Internet) traffic to Fluffy. If you need more help with this, you can email me or start a public discussion.

4. Other options

   There are other combinations to make Fluffy work. If you are interested in doing this, you probably have the skills to set it up. If you need help with this, you can email me or start a public discussion.

For local mail clients you don't need to change their settings. If Fluffy is listening on port 25 then you can still connect to port 25 as a default. If you are running your Fluffy on port 26 (for example) you can choose to redirect your mail clients to use port 26.

Multiple SMTP Servers

Configuration

When you first run Fluffy you will be prompted to use the default DNSBL servers, default Spam Trap address list, and default Black/White lists. If you choose to use any of these, you should then edit them for your own use.

• Language tab

  Here you can choose the language used by Fluffy. Click on Apply to make the change immediately, before choosing other configuration options. Only United Kingdom English (the default) is currently available.

• Addresses and Ports tab

  Here you can set the address and port of your SMTP server, and the port address that Fluffy should listen on. You can test that these connections are working.

• Connections tab

  Here you can set:
  • the size of the connection cache
  • the duration of blacklisting sources that trigger a spam trap
  • how long to delay accepting mail from a new connecting source
  • how long before we consider a connecting source to be 'new' again

• Local Network tab

  Here you can configure which IP addresses are part of your local network (and are allowed to send emails to external email addresses). All IP addresses are considered external unless explicitly designated as part of your local network. Click on the Add your detected IP button to try and autodetect your network settings.

• DNSBL tab

  Here you can configure which IP spam blacklists (DNSBL) you wish to use.

  Each entry consist of the address of the DNSBL, an optional message used to reject messages listed in the DNSBL, and an optional list of response codes that are not used to reject email. The message can include %%IP%%, in which case the originating, black-listed IP address will be included in the rejection message.

  You can choose not to enabled a DNSBL, in which case it remains in the list but is not used.

• DNSBL Speed

  Here you can test the responses given, and time taken, for your selected DNSBL servers. You can choose the IP address to test. This screen also lists the historic performance of your chosen DNSBL servers, reporting the number of positive (spam) detected per second taken to respond. Higher scores are better.

  You can choose to include DNSBL servers that are not enabled, in your test.

• Local Email tab

  Here you should list which addresses/domains are valid for originating local email. Then if any external connection tries to send email purporting to be from that address, it cannot be used to relay messages outside of your network. * is used to wildcard sub-domains. Important: If you are not using SMTP authentication you must update this list or Fluffy will pass on all mail messages to your SMTP server which may then relay such messages back to an external email address (if someone fakes a local address). See the section on open relays

  If you are using SMTP authentication for people connecting outside your local network, you shoudl list their email address or domain and then choose the option "My SMTP Server uses authentication.". Connecting users will then be considered local by SMTPFilter and email they send will not be checked against the Spam Trap.

• Black/White Lists tab

  You can list IP addresses and (wildcarded) domains that are always accepted or always rejected (with an optional rejection message). Note that when matching domain names you can use * as a wildcard character to match 0 or more characters in the domain name. So *.hotmail.com would match smtp1.hotmail.com and smtp2.hotmail.com and *dav*.hotmail.com would match pop3-dav69-bay4.hotmail.com

  IP address ranges can be specified using subnet masks. A subnet mask of 255.255.255.255 means the IP address must match exactly.

• Spam Trap tab

  You can list email addresses that are invalid. Then if someone tries to send an email to that invalid address they can be rejected as a source of spam trying to guess likely email addresses on your network. Obviously this is only useful if you accept email for one or more domains.

  You can also choose a wildcard match. I don't use any numbers in my email addresses, and lots of spammers try to guess email addresses with numbers in them (eg wayne2). So I add all the digits as a wildcard spam match. If any email comes in with any digit anywhere in the address preceding the @, then the email is rejected, and the source is blocked as a spammer. So wayne2@codeworks.gen.nz is blocked (matching 2) and abc3def@codeworks.gen.nz is blocked (matching 3).

  All the digits are listed in the default Spam Trap listing supplied, so you will want to remove some or all of them if you do use digits in your local email addresses. You must check the whole Spam Trap list to make sure it doesn't include any valid names (like your own) that you do want to receive!

  If mail comes in for multiple recipients, the mail is blocked for all recipients if any one of the addresses is listed in the Spam Trap.

  If a whitelisted source sends email to a Spam Trap address, that email is blocked, but the source remains whitelisted.

• Mapping tab

  You can change an incoming mail message addressed to a (wildcard) address to another address. The main message contents are not changed - just the delivery address target. This must be a target address that the SMTP server will accept for delivery.

  The list of addresses are processed in order, so the first address that matches will be applied. A final entry of * will match everything not previously matched.

  Leaving the target as blank means that if the address matches it will not be changed (and no furtehr addresses considered for matching).

• Headers tab

  Here you can enter text to match against message header lines. You can use * to match 0 or more characters. The matching is not case sensitive. So for example, you can enter lines such as
  Subject:*viagra*
  To:*nacjack*
  *yahoo.tw*

  If an email message contains a matching header, the email message is blocked.

• Virus Scanning tab

  Here you can choose whether to scan messages for viruses. If you choose an antivirus programme, Fluffy will look for it in the default location. If it can't find it, it will prompt you for the location of the antivirus programme. You can also enter the text that appears at the top of a message sent to an intended recipient when a mail message is blocked because it contains a virus.

  We would be pleased to consider adding support for other anitvirus software. Please let us know

  By default Fluffy will block any mail messages broken into parts. The most common use of partial messages is to send the first half of a virus in one message and the second half in another message. A virus checker can't detect the virus without both parts available. Since there is no need to send messages in parts, we recommend you block any messages that comes in parts.

  You can also maintain a list of attachment types to block. Fluffy comes with a default list of executable types that you should not normally need to accept.

  Fluffy does not yet support a pass-through address for people to resubmit emails that have been blocked. As a temporary measure, we have added this pass through email address text field. If you enter an email address here, people whose email is blocked will be advised to resend their email to this address. This must be an email address that is NOT processed by Fluffy (or it will be blocked again). A POP3 account, or a webmail based account (eg hotmail.com) may be suitable.

• Advanced Settings tab

  Here you can set:
  • the maximum number of connections Fluffy will process simultaneously
  • the level of detail in the log files
  • whether to block junk mail, or flag it as junk mail in the subject line
  • turn on an automatic daily check for updates to the Fluffy program
  • carry out a manual check for program updates.

• Reports tab

  Here you can enter an email address to receive daily reports on the emails accepted, rejected and dferred by Fluffy. Your local SMTP server must accept delivery to this email address.

• About Fluffy tab

  Here you can read about who created Fluffy and the online help file.

Usage

Log Files

Changelog

A change log tells you what has changed from previous version

Version 1.4

• Each DNSBL list entry can have its own score weighting - different handling options can be select by total score weight
• Improved speed of handling connection requests
• Significant speed increase in processing Base64 encoded data
• Significant speed increase in passing data to the local SMTP server
• Identifying when spammers drop the connection because Fluffy takes too long (30 seconds) to validate their connection - caught in an inadvertent 'tar pit'
• Add option to send log files to multiple syslog devices
• Ability to control detail of debug level logging
• Right click on console window gives menu to freeze display and copy selection (or all of the displayed log if no selection is made)
• General GUI font and colour improvements
• DNSBL list changes are saved on clicking OK to finish Configuration, even if that DNSBL entry hasn't been changed
• Separate active and inactive DNSBL lists
• Add seconds to the display log
• Fluffy will automatically remove DNSBL entries found in a removefromdnsbl.txt file in the Fluffy application folder

Version 1.3

• Added support for XEXCH50 command used between Microsoft Exchange servers
• Handle cases of invalid blank lines in SMTP conversations being ignored by local SMTP server
• Add colour coding to status log display
• Always apply the current setting for DNS chache expiry, rather than the setting in force when the connection was stored in the cache
• Fixed bug in handling blank sections encoded in quoted-printable
• Fixed bug where blacklist messages were not being included in the blocking message sent back to connecting server
• Fixed bug where a change in the new contact delay time reported in a temporary rejection SMTP response was not updated until Fluffy was restarted
• Fixed bug where the fact that a new contact was being forgotten too quickly

Version 1.2

• Added asynchronous queries of DNSBL servers, retrieving name servers from the registry
• Added an option to monitor IPs and addresses to see if they are listed on DNSBL sites
• Fixed too slow processing of a binary file encoded as quoted-printable
• Added option for matching message header content that warns as possible junk mail, rather than blocking
• Changed log file format to be compatible with Syslog RFC 3164
• Include bypass address in warning message for temporary deferral
• Included a list of all known DNSBL to add to Fluffy's resources, especialyl for monitoring of listing
• DNSBL lists now listed in alphabetical order
• Added a reference to foreign translation of the GPL
• Fixed bug in handling too many simultaneous connections
• Removed Winsock module
• Removed unused code, and consolidated library code

Version 1.1

• Added the ability to specify whether each DNSBL is to be used to block or to warn only
• Added a global option to log actions, rather than block, as well as warn only (only applies to DNSBL use)
• Will now parse Subject lines using character set encodings for matching against blacklisted header contents
• Added a monitoring option so you can get a report if an IP or domain name is listed on a DNSBL
• Added a sanity check so we only use DNSBL that appear to be working correctly (don't use ones that reject everybody)
• Don't allow the local SMTP server to admit we support CHUNKING or XEXCH50 because we don't - yet
• Added an option to log IP addresses we consider valid and invalid, suitable for submitting to spam monitoring services
• Added explict identification and support for all known ESMTP command extensions
• Fixed a bug in handling mapped email addresses
• Fixed more bugs in shrinking the connection cache
• Fixed a bug where we didn't read in the connection cache on a restart
• Fixed a bug where we didn't send all lines in a multi-line response from the local SMTP server
• Fixed a bug where the first part of an SMTP blocking message was trimmed off
• Fixed a bug where the EHLO/HELO greeting got corrupted
• Fixed a bug where we were purging old connection cache entries in the wrong order
• Fixed a bug that would cause an overflow if there was no free connection in 5 minutes
• Added a new log level 10 to record memory copy when retrieving domain names
• Added new log level 11 to record incoming and outgoing SMTP conversations
• Fixed a bug where the deferred and then later received counter was not working
• Fixed a bug where the message "you are a forced data server" was not being sent properly

Version 1.0

• Adding matching of wildcard text strings against message headers
• Added a pass-through email address for notification of blocked users.
• Fixed bug in applying wildcard domain matching, introduced in 0.9
• Improved performance over 0.9 version, including ensuring closing connection messages are sent
• Removed automatic download and installation of updates until this can be tested
• Improved navigation of configuration screens for keyboard users
• Handle shrinking the connection cache without errors

Version 0.9

• Adding matching of IP address ranges using subnet maskes
• Adding mapping of incoming addresses to a different address
• Fixed bug in running on a clean install with no IP black/white list
• Fixed bug in removing spamtrap/white/black list entries without a restart
• Fix a bug in handling a connection cache larger than 32767
• Fix bug where daily reports sent too many times
• Improved speed in loading a large connection cache
• Rewrite connection handler as timer loop driven, rather than event driven

Version 0.8

• Improved wildcard matching of domain names for white/black lists
• Fixed bug that could cause infinite loops processing certain nested MIME messages

Version 0.7

• Added blocking of file attachment types
• Added virus scanning support for Sophos for Windows NT/2000/XP
• Added tracking of numbers of messages accepted, rejected and deferred, with an optional daily email report
• Adding blocking of partial mail messages
• Added option to test non-enabled DNSBL servers
• Handle cases of missing MIME boundaries of internally nested multipart messages
• Fixed bug in disabling DNSBL servers

Version 0.6

• Added virus scanning of emails
• Made online help context sensitive
• Added X-Fluffy-RejectionReason header explainig reason for identifying email as junk mail
• Fixed bug in using default, unchanged spam trap and black/white list on clean install

Version 0.5

• Fixed bug that would precent a clean install of version 0.4 from starting.
• Added a time for the automatic check of program updates, and fixed the bug that caused it to crash when an update was found
• Added online help - not yet context sensitive
• Added blocking of spammers trying to push through email with an HTTP POST command
• Added warning if you try to cancel from configuration without saving changes
• Removed automatic testing of SMTP servers if no changes made to SMTP server addresses/ports during configuration

Version 0.4

• Changed program name from SMTPFilter to Fluffy the SMTPGuardDog
• Improved DNSBL configuration, with an option to disable a DNSBL server
• Added a check for program updates
• Changed log file names to include full date, with a configuration for how many days to keep the logs
• Option to allow non-local network users to be considered local, based on their email address
• Sundry improvements and minor fixes to the GUI configuration
• Fix a problem causing error 40006 to be generated

Version 0.3

• Completed GUI configuration screens
• Added wildcard matching to Spam Trap addresses
• Option to automatically apply sample DNSBL servers, spam trap lists, and black/white lists on first use
• Option to mark mail as Junk Mail, rather than block it
• Capturing of incoming mail as text files on disk, in preparation for anti-virus scanning in a later version
• Added Received: headers and RFC compliant HELO greeting

Version 0.2

• Configuration screens for most options
• Spam trap addresses will now trigger a rejection of a whitelisted domain/IP connection, but only for the duration of that connection
• More informative error message if the connection is temporarily swamped

Version 0.1

• Original public release

Things to Do

• Figure out how SLMail can work as an authenticated closed relay with Fluffy
• Add support for RFC 3030 - Chunking and BDAT synonym for DATA command
• Allow pass through addresses
• Automatic whitelisting when outgoing mail passes through
• Run as a service
• Add support for BINHEX attachments
• Handle more forms of invalidly formatted mail messages
• Improve memory of old connections and adjust defer time appropriately
• Put all text into language files
• Create a larger list of DNSBL servers - fetchable
• Add text based Bayesian filtering a la Paul Graham
• Update online documentation

Copyright

Fluffy the SMTPGuardDog Copyright (C) 2003 Wayne McDougall

Help files Copyright (C) 2003 Hairydog Ltd

Fluffy comes with ABSOLUTELY NO WARRANTY; for details read GPL.txt

This is free software, and you are welcome to redistribute it under certain conditions; read GPL.txt for details.

The help file was developed by Hairydog Ltd in grateful thanks to the creators of Fluffy. At Hairydog Ltd, we specialise in software documentation and help systems, web site design, development, maintenance and hosting.

We produce help in winhelp, htmlhelp, webhelp, javahelp and other formats.

Contact us - we can help you:

• get the best from your product with good, user-friendly documentation and help
• reduce support costs by giving the users the information they want
• turn web browsing visitors into your customers by giving them the information they want about your product
• reach your customers with clear, informative and easy-to-use web pages that rate well on the important search engines.

Hairydog Ltd
info@hairydog.co.uk
Tel +44 (0)845 124 9504

Download Fluffy

You can check out the latest source code in development using CVS

Fluffy Project hosted at Sourceforge.Net

News about Fluffy

Feedback and Support

If you prefer email, you can join a mailing list

You can report any bugs, ask for help or request new features in the online tracking system