Spam Count™:543,811,197

If you feel that hermes is useful to you please donate any amount to help fund further hermes development.

User login

Top users
 
anonymous226,979,678
wahlich69,554,173
aplachy36,226,407
psycho36,057,488
7zsfx33,627,496

Hermes

What is hermes?

hermes is an SMTP proxy. We developed hermes for our own use on ITEISA, and we have perfected it with new features to cover our own needs. It is now being made public on the hope that it will help others to stop spam the same way it does for us everyday.

What makes it special is that it can be used to stop spam using a combination of the following techniques:

SMTP banner delay
Most spammers will start sending data as soon as the connection is open, without waiting for the SMTP banner. What we do is delay this banner and if we have data waiting before we print it, we drop the connection.
Throttling
hermes will process incoming SMTP commands at a slow pace. Most spammers have very little patience, so they will stop sending an email if it's taking too long to deliver.
Greylisting
Greylisting is a process that will delay incoming mails for some minutes before allowing them to be delivered. As most spammers will not resend their messages, you will not receive them. If you want a more technical description, scroll down to read a greylisting description.
DNSBL
As of hermes 1.2 you can now configure hermes to reject emails coming from ips listed on your favourite DNSBL, using the rbl_domain option.
You can configure how this techniques work in the configuration file and you can even disable/enable them at will.

How does it work?

SMTP banner delay

When a client connects to a SMTP server, the first thing that happens is that the server shows a line like the following:

220 ns1.iteisa.com ESMTP
This line, in its most basic form, informs the client of three things: Without this line, the client cannot continue the connection because it doesn't know how to present itself, as SMTP uses the command "HELO", while ESMTP uses the "EHLO" command.

Of course, if you are a spammer, you don't care wether it's SMTP or ESMTP, and you will just start the connection without waiting for this line.
So what we have done is to simply delay this line for a few seconds, and before printing it, check wether the client has started the communication. If it has, we simply drop the connection, as it is certainly a spammer.

Throttling

Spammers are always trying to send their spam as fast as posible, and usually have a limit on how much time they want to spend to send an email.

What we do is just insert a small delay between each command, making the connection much slower, so an impatient spammer will simply give up. If they don't give up, they have spent more time sending your spam, so they have less time to spend sending other spam, either to you or other people.

Example of a normal SMTP connection

220 ns1.iteisa.com ESMTP
EHLO [127.0.0.1]
250-ns1.iteisa.com
250-AUTH=LOGIN CRAM-MD5
250-AUTH LOGIN CRAM-MD5
250-STARTTLS
250 8BITMIME
MAIL FROM: xxxx@xxx.xx
250 ok
RCPT TO: yyyy@yyy.yy
250 ok
DATA
354 go ahead
From: xxxx@xxx.xx
To: yyyy@yy.yy
Subject: Stuff

<mail-contents>
.

250 ok 1174992091 qp 12536
QUIT
221 ns1.iteisa.com

Example connection with throttling

220 ns1.iteisa.com ESMTP
EHLO [127.0.0.1]
<1 second delay>
250-ns1.iteisa.com
250-AUTH=LOGIN CRAM-MD5
250-AUTH LOGIN CRAM-MD5
250-STARTTLS
250 8BITMIME
MAIL FROM: xxxx@xxx.xx
<1 second delay>
250 ok
RCPT TO: yyyy@yyy.yy
<1 second delay>
250 ok
DATA
<1 second delay>
354 go ahead
From: xxxx@xxx.xx
To: yyyy@yy.yy
Subject: Stuff

<mail-contents>
.

<1 second delay>
250 ok 1174992091 qp 12536
QUIT
<1 second delay>
221 ns1.iteisa.com
If this connection came from a spammer, somewhere on the middle of the communication, they will simply drop the connection and move on to spamming other accounts.

Greylisting

SMTP has a way of telling clients "I can't receive your email right now, can you try later?". To do so, it uses temporary error codes (of the form 4xx). Examples of this include (but are not limited to), 450 (mailbox busy), 452 (insufficient space on disk) and 421 (service not available).

hermes implements a technique know as greylisting, where the server will answer with a temporary error in the first try to deliver a message. If the connection was from a spammer, they will probably NOT retry it, as that would be too much work for their systems. As a result, hermes will effectively stop those spam emails.

Example of a greylisting session:

220 ns1.iteisa.com ESMTP
EHLO [127.0.0.1]
250-ns1.iteisa.com
250-AUTH=LOGIN CRAM-MD5
250-AUTH LOGIN CRAM-MD5
250-STARTTLS
250 8BITMIME
MAIL FROM: xxxx@xxx.xx
250 ok
RCPT TO: yyyy@yyy.yy
421 Greylisted!! Please try again in a few minutes

On the second try, hermes will recognize the sender and will allow the mail to go through without any problem. To do this, hermes keeps track of three things, known as a triplet, that consist of the following things:

IP of the sending computer
The IP of the server that is sending the email.
From address
The email address of the person sending you the email
To addres
The email address of the person receiving the email
With this information, hermes builds a table that says WHO sent an email, to WHOM it sends it and from WHERE did he send the email. The next time this triplet is received, the mail will get through without any problem.
To make it simple, this means: