Freebsd.NewTrino r1.2 - 22 Nov 2003 - 17:09 - KirkStrauser

"Everybody complains about the weather, but nobody does anything about it." -- Mark Twain

NewTrino is a DNS blackhole list (DNSBL) management system designed for people who want to host their own blackhole list.

I developed it in response to the W32.Swen.A Trojan horse of September 2003, which was mail-bombing me at a rate of about 1,000 emails per hour at its peak.

What Does It Do?

NewTrino manages two key elements:

  1. It connects to a dynamic DNS server and sends it updates.
  2. It stores information about entries in a separate backend.

More concretely, at present it uses the nsupdate tool to send commands to a BIND 9 nameserver, and uses a PostgreSQL database server to store information about who submitted each entry, why they were added, and when their record will expire.
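The DNS half of that arrangement, as an added example (not NewTrino's own code): a listed address becomes a reversed-octet name under the blackhole zone, answered with an address in 127.0.0.0/8 and a TXT record carrying the reason, and each batch of adds or deletes is fed to nsupdate as one transaction. The zone name is the one from the sendmail example on this page; the nameserver address, the 127.0.0.2 answer and the function names are assumptions.

```python
import ipaddress
import subprocess

# Zone name taken from this page's sendmail example; the answer address is the
# usual DNSBL convention (any address in 127.0.0.0/8 means "listed").
ZONE = "badhosts.mydomain.com"
LIST_ANSWER = "127.0.0.2"
NAMESERVER = "127.0.0.1"   # assumed: nsupdate talks to the local BIND 9


def dnsbl_name(ip, zone=ZONE):
    """Reversed-octet name a DNSBL lookup queries, e.g. 192.0.2.10 -> 10.2.0.192.<zone>.

    Raises ValueError on anything that is not an IPv4 address, so junk scraped
    from a Received header can never become a record in the zone.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def nsupdate_add(ips, ttl, reason, zone=ZONE, server=NAMESERVER):
    """Build one nsupdate batch listing each IP with an A record and a TXT reason."""
    text = reason.replace('"', '\\"')   # keep the TXT string well-formed
    lines = [f"server {server}", f"zone {zone}."]
    for ip in ips:
        name = dnsbl_name(ip, zone)
        lines.append(f"update add {name}. {ttl} A {LIST_ANSWER}")
        lines.append(f'update add {name}. {ttl} TXT "{text}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def nsupdate_delete(ips, zone=ZONE, server=NAMESERVER):
    """Build one nsupdate batch removing every record for each IP (what an
    expiry sweep would send)."""
    lines = [f"server {server}", f"zone {zone}."]
    for ip in ips:
        lines.append(f"update delete {dnsbl_name(ip, zone)}.")
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(batch, keyfile):
    """Send a batch through nsupdate, authenticated with the TSIG key file created
    during the dynamic-DNS setup. Not called at import time."""
    subprocess.run(["nsupdate", "-k", keyfile], input=batch, text=True, check=True)


if __name__ == "__main__":
    # Constructed sample: list one address for a day.
    print(nsupdate_add(["203.0.113.77"], 86400, "W32.Swen.A"), end="")
```

Because every batch ends with a single `send`, BIND applies the whole set of records atomically, so a lookup never sees the A record without its TXT reason. The TTL you pick here bounds how long a de-listed host stays cached as listed in resolvers elsewhere.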

Structure

A complete NewTrino system is made of several components:

  • The main newtrino application
  • A method for importing data into the system
  • A mail server configured to query NewTrino's database and process mail as you see fit

Installation

There is not currently a good installer. Follow these instructions to get NewTrino up and running.

The server application

  • Get dynamic DNS working on your nameserver. This step is outside the scope of NewTrino's documentation. In short, you'll want to create a secure key that the nsupdate program can use to transmit changes to your server.
  • Get access to a PostgreSQL server and create a database for this service.
  • Download and unpack the tarball at the bottom of this page, and move the newtrino directory to some convenient place. Our examples will use the path /usr/local/newtrino.
  • Rename config-sample.py to config.py. Edit it to suit your local installation.
  • Install the database schema. An example command line is:

psql -U username < postgresql-init.sql

  • Create a new user within NewTrino's authentication system by running the initialize.py script:

./initialize.py username password "My Real Name"

  • Add a few "typenames" for why you'd want to reject mail from a certain host:

./newtrino addtype username password "W32.Swen.A"
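For the "create a secure key" step above, here is an added BIND 9 named.conf fragment (not part of NewTrino's distribution) showing the least-privilege shape that setup should take: a TSIG key that is allowed to change names under the blackhole zone and nothing else. The key name, file path and secret are placeholders; the same `key` block, saved to its own file, is what `nsupdate -k` reads.

```conf
// named.conf fragment (assumed key name and file path; secret is a placeholder)
key "newtrino" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "badhosts.mydomain.com" {
    type master;
    file "dynamic/badhosts.mydomain.com";
    // grant only this key, only for names inside the zone, rather than a
    // blanket allow-update from an address range
    update-policy { grant newtrino subdomain badhosts.mydomain.com ANY; };
};
```

Keeping the blackhole list in its own zone, rather than inside your main domain's zone, is what makes this grant safe: a leaked key can add or remove blackhole entries but cannot touch your MX or web records.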

Clients

I use a set of filter scripts to sort email into appropriate IMAP mailboxes. In my setup, any W32.Swen.A-infected email goes into a mailbox called "INBOX.virus.2003-09-18". I use fetchmail to connect to my IMAP server, download these emails, and pipe them through a program called searchreceived.py to look for relays that are broadcasting the unwanted data. Finally, the output of searchreceived.py is piped into newtrino, which adds new entries to the database.

I run the included script suckworms from a cron job every 5 minutes to automate all this. The fetchmailrc file is a snippet to add to your fetchmail configuration that pipes the email into the searchreceived.py program.

Mail server

Finally, you'll want to configure your mailserver to appropriately handle email transmitted from an infected address.

If you're using sendmail and want to block all such email, add a line like this to your local sendmail configuration (the .mc file), edited to fit your setup:

FEATURE(dnsbl, `badhosts.mydomain.com', `"550 Mail from " $&{client_addr} " rejected, see http://badhosts.mydomain.com/viruses/"')dnl

  • Advantage: this is very light on resources. Your system never actually accepts the offending email, so you don't have to spend the bandwidth, storage, or processing time to deal with it.
  • Disadvantage: you will probably reject some valid email. If you can't live with this, then don't do it.

Another reasonable (and probably better) idea would be to configure SpamAssassin to add a certain number of points to an email's score if it is listed in the blackhole.

  • Advantage: less chance of accidentally rejecting good email.
  • Disadvantage: you have to actually accept and process infected email before you can decide to discard it.
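The scoring approach, as an added SpamAssassin local.cf fragment (not from this page or the NewTrino tarball): a hit in your own zone adds points instead of rejecting at SMTP time. The rule name and score are assumptions; `-lastexternal` restricts the check to the relay that handed the message to your trusted network, which is the same host sendmail's `${client_addr}` names, so your own MX and whitelisted relays are never the address looked up.

```conf
# local.cf fragment: score, rather than reject, on a hit in the private blackhole zone
header   RCVD_IN_BADHOSTS  eval:check_rbl('badhosts-lastexternal', 'badhosts.mydomain.com.')
describe RCVD_IN_BADHOSTS  Last external relay is listed in badhosts.mydomain.com
tflags   RCVD_IN_BADHOSTS  net
score    RCVD_IN_BADHOSTS  3.0
```

This only does what you expect if `trusted_networks` in the same file lists your own mail hosts; otherwise SpamAssassin may treat your MX as the last external relay and the rule never fires.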

Maintenance

You'll also want to delete entries from the system after they've expired. Use the command:

./newtrino.py cleanexpired

from a cron job to do this at appropriate intervals.

Discussion

NewTrino is extremely modular. There is no direct dependency on any given DNS updating system or data storage system. Any backend that can be wrapped in a suitable API can be used without any modification to the end-user programs.

This is definitely overkill for a small system with few users, although it doesn't make the application any more complex to use. NewTrino was designed from the ground up as a stand-alone module for use in building larger systems. As an example, there are plans to use NewTrino as the backend for a Zope-driven website where users can register to submit data to the system, search for entries, etc.

PostgreSQL is the current storage system of choice because it allowed NewTrino to offload much logic to the SQL setup. Notice that the PostgreSQL class in the storage.py module does almost no checking for duplicate data or other problems. However, due to NewTrino's aggressively modularized nature, adding a similar MySQL (or plain-text, for that matter) backend should be extremely easy.

NewTrino was designed for multi-user systems. These capabilities are not currently heavily leveraged, but I believe the design is solid.

The backend classes are highly optimized for array operations, so call the addEntries() methods rather than the addEntry() versions whenever possible.
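An added example of the storage side described above and in the Maintenance section (this is illustration, not the PostgreSQL class from storage.py): a minimal backend with the same shape as addEntries() and cleanexpired, written against SQLite so it runs anywhere. Method and column names are assumptions; the table records who submitted each entry, why, and when it expires, as the page describes, and the expiry sweep returns the addresses it dropped so the caller can remove them from the DNS zone as well.

```python
import ipaddress
import sqlite3
import time

# Assumed schema mirroring what the page says is stored per entry.
SCHEMA = """
CREATE TABLE IF NOT EXISTS entries (
    ip        TEXT PRIMARY KEY,
    typename  TEXT NOT NULL,
    submitter TEXT NOT NULL,
    added     INTEGER NOT NULL,
    expires   INTEGER NOT NULL
);
"""


class SqliteStorage:
    """Illustrative backend; method names follow the page's addEntries()/cleanexpired."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)

    def addEntries(self, entries, submitter, typename, lifetime, now=None):
        """Insert a batch of IPv4 addresses in one transaction.

        Invalid addresses raise ValueError before anything is written, duplicates
        within the batch collapse to one row, and re-listing an address simply
        refreshes its expiry. Returns the number of distinct addresses written.
        """
        now = int(time.time()) if now is None else now
        clean = {str(ipaddress.IPv4Address(ip)) for ip in entries}
        rows = [(ip, typename, submitter, now, now + lifetime) for ip in sorted(clean)]
        with self.db:   # one transaction for the whole array
            self.db.executemany(
                "INSERT OR REPLACE INTO entries (ip, typename, submitter, added, expires) "
                "VALUES (?, ?, ?, ?, ?)",
                rows,
            )
        return len(rows)

    def cleanExpired(self, now=None):
        """Delete every entry whose expiry has passed; return the IPs removed so the
        caller can also delete their DNS records."""
        now = int(time.time()) if now is None else now
        with self.db:
            cur = self.db.execute("SELECT ip FROM entries WHERE expires <= ?", (now,))
            expired = [row[0] for row in cur.fetchall()]
            self.db.execute("DELETE FROM entries WHERE expires <= ?", (now,))
        return expired

    def listed(self, ip, now=None):
        """True if the address is present and has not yet expired."""
        now = int(time.time()) if now is None else now
        row = self.db.execute(
            "SELECT 1 FROM entries WHERE ip = ? AND expires > ?", (ip, now)
        ).fetchone()
        return row is not None


if __name__ == "__main__":
    # Constructed sample run: list two hosts for a day, then sweep after a day.
    store = SqliteStorage()
    store.addEntries(["203.0.113.77", "203.0.113.78"], "kirk", "W32.Swen.A", 86400, now=1000)
    print(store.cleanExpired(now=1000 + 86400))
```

The `expires > now` test in `listed()` means an entry stops matching the moment it lapses even if the cron sweep has not run yet; the sweep exists to keep the table and the zone small, not to enforce the expiry.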

The searchreceived.py program is not very particular. It will gleefully report AOL's outgoing mailserver, for example, if it receives an email relayed through it. If you can't live with this possibility, then either do not reject email based on NewTrino's listings, or be vigilant about adding entries to the 'goodmailers' whitelist in config.py. Put another way: the bigger the email system, the higher the likelihood of it finding its way into NewTrino's database, and the higher the chances of you rejecting valid email. Having said that, there may come a time when you're perfectly happy to toss the baby with the bathwater. When my mailserver was receiving over 10 infected emails per minute, I was so willing to do just that that I wrote a whole system to automate the indiscretion.
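To make the caveat above concrete, here is an added Received-header walker in the spirit of searchreceived.py (example code, not the script in the tarball) together with the 'goodmailers' idea from config.py. It reads the Received headers from the top (the hop nearest you) downward, skips your own and whitelisted relays and RFC 1918 addresses, and reports the first remaining hop; any header below that hop was written by an untrusted machine and is ignored, which is why a forged Received line added by the worm cannot steer you into listing an innocent address. All addresses, hostnames and the whitelist contents are constructed.

```python
import email
import ipaddress
import re

# Constructed stand-in for the 'goodmailers' whitelist: your own MX plus a big
# provider's outbound relay that you refuse to blackhole.
GOODMAILERS = {"192.0.2.25", "198.51.100.7"}

# Addresses that can never be a meaningful blackhole entry.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# First bracketed IPv4 literal in a Received header is the connecting host as
# recorded by the receiving MTA (the "from" clause), not the HELO name.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Connecting-host addresses from every Received header, nearest hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _IP_RE.search(hdr)
        if not m:
            continue
        try:
            ips.append(str(ipaddress.IPv4Address(m.group(1))))
        except ValueError:
            continue   # e.g. an octet of 999; not a usable address
    return ips


def find_source_relay(raw_message, goodmailers=GOODMAILERS):
    """The first hop that is neither ours, whitelisted, nor internal, or None."""
    for ip in relay_ips(raw_message):
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in INTERNAL_NETS) or ip in goodmailers:
            continue
        return ip
    return None


# Constructed sample 1: an infected home PC delivered straight to our MX and
# prepended a forged Received line naming our own MX address.
SAMPLE_DIRECT = (
    "Received: from mx.example.org (mx.example.org [192.0.2.25])\n"
    "\tby imap.example.org with ESMTP; Thu, 18 Sep 2003 10:01:02 -0500\n"
    "Received: from unknown (HELO pc-home) [203.0.113.77]\n"
    "\tby mx.example.org with SMTP; Thu, 18 Sep 2003 10:01:01 -0500\n"
    "Received: from trustme (trustme [192.0.2.25])\n"
    "\tby pc-home; Thu, 18 Sep 2003 10:00:00 -0500\n"
    "Subject: Latest Microsoft Critical Update\n"
    "\n"
    "body\n"
)

# Constructed sample 2: the same worm sent through a large provider's webmail.
SAMPLE_VIA_PROVIDER = (
    "Received: from mx.example.org (mx.example.org [192.0.2.25])\n"
    "\tby imap.example.org with ESMTP; Thu, 18 Sep 2003 10:05:02 -0500\n"
    "Received: from outbound.bigmail.example (outbound.bigmail.example [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Thu, 18 Sep 2003 10:05:01 -0500\n"
    "Received: from webmail-17.internal (webmail-17.internal [10.4.7.17])\n"
    "\tby outbound.bigmail.example; Thu, 18 Sep 2003 10:05:00 -0500\n"
    "Subject: Latest Microsoft Critical Update\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(find_source_relay(SAMPLE_DIRECT))          # the infected PC
    print(find_source_relay(SAMPLE_VIA_PROVIDER))    # None: only whitelisted/internal hops
    print(find_source_relay(SAMPLE_VIA_PROVIDER, goodmailers={"192.0.2.25"}))  # the provider's relay
```

The third call is the page's AOL case: with the provider's outbound relay absent from the whitelist, the script would happily hand that address to newtrino, and every legitimate customer of that provider would then bounce off your sendmail rule. The whitelist, not the parser, is what decides how much collateral damage you are willing to accept.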

The folks at MessageLabs run a similar service. You can read about it at http://vbl.messagelabs.com/ . The main differences between NewTrino and the MessageLabs DNS blackhole list are:

  • NewTrino provides the server, not the data: you can fill it or not as you see fit.
  • You can allow trusted friends to submit data to your NewTrino server.
  • You know exactly what you're getting.

I have no experience with MessageLabs' system - it may in fact be an excellent service. Investigate it and make your own decision.

Version History

  • 1.0 - 2003-10-16 - Initial public release.

License

All parts of NewTrino are distributed under the terms of the BSD License.

Bugs

The various programs throw many more exceptions than they catch. A proper client program would handle exceptions more gracefully.

Installer? What installer?

The suckworms script is very minimal. It needs to be replaced with a more powerful version that integrates better into the project framework.

To Do

Add finer-grained permissions (i.e., add_user, add_type, delete_entry). This should be easy, but hasn't been necessary yet.

Integrate NewTrino into a Zope application.

-- KirkStrauser - 16 Oct 2003

Copyright © 1999-2008 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.