Greylisting with PF
Pages: 1, 2, 3, 4, 5, 6, 7

Once I fixed the NAT rules, I went to m21 and tried to connect. I made it straight through to the real SMTP server:

dan@m21:~$ telnet nyi 25 
Trying 64.147.113.42...
Connected to nyi.example.org.
Escape character is '^]'.
220 nyi.example.org ESMTP Postfix
QUIT 
221 2.0.0 Bye
Connection closed by foreign host.
dan@m21:~$

Good, that proves the whitelisting is working. Then I flushed the Postfix mail queue, and the mail message went straight through.

Yes, I missed this entirely during the port install:

$ cd /usr/ports/mail/spamd 
$ less pkg-message
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In order to use spamd greylisting feature you have to have a mounted fdescfs(5)
at /dev/fd.  This is done by adding:

        fdescfs /dev/fd fdescfs rw 0 0

to /etc/fstab.  You may need either a customized kernel, or kldload the fdescfs
kernel module.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$

What is in my spamdb right now?

$ spamdb | grep GREY
GREY|12.199.121.98|<abfaf@cardinalconst.example.com>|<sponsorship@bsdcan.example.org>|1163008607|1163023007|1163023007|1|0
GREY|12.199.121.98|<bfddcgfaceccbe@carltonabbott.example.com>|<sponsorship@bsdcan.example.org>|1163008652|1163023052|1163023052|1|0
GREY|12.199.121.98|<daacgdcedacg@careerpointgroup.example.com>|<sponsorship@bsdcan.example.org>|1163008622|1163023022|1163023022|1|0
GREY|12.199.121.98|<eegadda@carrierescrete.example.com>|<sponsorship@bsdcan.example.org>|1163008592|1163022992|1163022992|1|0
GREY|12.199.121.98|<gffafgfd@cascadecont.example.com>|<sponsorship@bsdcan.example.org>|1163008636|1163023036|1163023036|1|0
GREY|199.227.43.178|<wow_deb48@sharkteethrus.example.com>|<sponsorship@bsdcan.example.org>|1163002782|1163017182|1163017182|1|0
GREY|201.216.157.1|<BrunoYang@rotes-teufelchen.de>|<papers@bsdcan.example.org>|1163005081|1163019481|1163019481|1|0
GREY|201.216.157.1|<OctavioDickey@rpcredit.ie>|<papers@bsdcan.example.org>|1163005080|1163019480|1163019480|1|0
GREY|202.27.236.89|<>|<info@bsdcan.example.org>|1163010937|1163025337|1163025337|1|0
GREY|213.98.26.251|<noreply@freebsddiary.example.org>|<majordomo@freebsddiary.example.org>|1163011838|1163026238|1163026238|1|0
GREY|41.241.113.223|<febo@geol.lsu.edu>|<majordomo@freebsddiary.example.org>|1163011853|1163026253|1163026253|1|0
GREY|58.8.10.140|<ppppppp@hotmail.example.com>|<dan@langille.example.org>|1163001747|1163016147|1163016147|2|0
GREY|58.8.99.137|<thaiwork_job@yahoo.example.com>|<papers@bsdcan.example.org>|1163002285|1163016685|1163016685|1|0
GREY|62.215.92.138|<training@intech-online.example.com>|<dan@langille.example.org>|1163010826|1163025226|1163025226|1|0
GREY|62.45.20.12|<deboraholcomb_hu@calcoastrepiping.example.com>|<activities@bsdcan.example.org>|1163000304|1163014704|1163014704|1|0
GREY|62.45.20.12|<deborahtaylor235@campuscrossroads.example.com>|<activities@bsdcan.example.org>|1163000292|1163014692|1163014692|1|0
GREY|75.89.28.189|<john@pistonheads.biz>|<payment@bsdcan.example.org>|1162997706|1163012106|1163012106|1|0
GREY|76.184.184.115|<stephen@quasarman.biz>|<payment@bsdcan.example.org>|1163008485|1163022885|1163022885|1|0
GREY|80.35.70.14|<mingshengw@postcardsally.example.com>|<payment@bsdcan.example.org>|1163010212|1163024612|1163024612|1|0
GREY|80.98.245.220|<Antelmi@care-mail.example.com>|<papers@bsdcan.example.org>|1163007068|1163021468|1163021468|1|0
GREY|84.227.161.190|<rooster@tuttoocchiali.example.com>|<keys@bsdcan.example.org>|1163001318|1163015718|1163015718|1|0
GREY|84.245.217.46|<work96@tel.fer.hr>|<majordomo@freebsddiary.example.org>|1163005846|1163020246|1163020246|1|0
GREY|84.60.218.15|<sensirox.example.com@theloglog.example.com>|<activities@bsdcan.example.org>|1163002484|1163016884|1163016884|1|0
GREY|85.98.190.1|<deborahschlumpf@calabreselaw.example.com>|<sponsorship@bsdcan.example.org>|1163009003|1163023403|1163023403|1|0
GREY|85.98.190.1|<deborapadinha@canaltai.example.com>|<sponsorship@bsdcan.example.org>|1163009013|1163023413|1163023413|1|0
GREY|91.76.45.94|<h-dudaz@usa.net>|<majordomo@freebsddiary.example.org>|1163003291|1163017691|1163017691|1|0

Yes, I have slightly obscured the domain names, but you should be able to see who is sending to what. For the record, the MX server in question is not an MX for langille.org or freebsddiary.org... but that's not stopping the spammers from trying. At present, only bsdcan.org uses this greylisting server as an MX. I'm about to add more domains to it and implement greylisting on my other servers.

As I type this additional note on November 24, about 3 weeks after the above, here are the stats of each of my three mail servers:

  • nyi
    $ spamdb | grep -c GREY
    101
    $ spamdb | grep -c WHITE
    4462
  • havoc
    $ spamdb | grep -c GREY
    256
    $ spamdb | grep -c WHITE
    2404
  • supernews
    $ spamdb | grep -c GREY
    30
    $ spamdb | grep -c WHITE
    37

It is interesting to see that one machine has whitelisted nearly 4500 servers in about nine days.

Greytrapping

I'm sure all of this sounds great. It can be better. Greytrapping is one step further than greylisting. No doubt you have an abandoned email address that still receives mail. It's probably been on spamming lists for years. If someone is sending email to that address, it's bound to be spam. You can add that address to spamdb as a spamtrap address. See man spamdb for details. For example, to treat anyone sending to yourname@example.org as a spammer, use the command:

spamdb -T -a "<yourname@example.org>"

I have a list of 24,592 such email addresses. Why? Well, they aren't really addresses. They are Message-ID values from FreshPorts. FreshPorts didn't always store Message-ID. When I added that attribute, I needed to come up with a value for the existing commits stored in the database. Unfortunately, I selected something like fp1.12345@example.org (s/example/FreshPorts/). Spammers grabbed all those addresses, and I started to see huge spam attempts. All bounced of course, because they were not valid addresses. I have since changed those Message-IDs to @dev.null.example.org (s/example/FreshPorts/), but the spammers continue.

So how do I get the email addresses into spamdb? They are all in a file named greytrap. This command loads them. It takes a few minutes to complete.

cat greytrap | xargs -n1 spamdb -T -a

That's all there is to it.

Greyscanning

With newer versions of spamd (not available in the FreeBSD Ports tree at the time of writing), you can take advantage of the greylisting period to scan your logs and take appropriate action. The greyscanner script scans the spamdb output, looks for patterns, and blacklists those IP addresses for 24 hours. If it's not spam, it will come through later. If it is spam, well, you've delayed it. This script can validate the address, check for an MX or A record for the source address, and more.
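The spamdb listing earlier on this page and the greyscanning idea above both come down to reading `spamdb` output and looking for patterns. As an added example, not code from the article, from spamd, or from the greyscanner script, here is a small Python reading of that output: it parses GREY and WHITE lines, reproduces the `spamdb | grep -c GREY` counts, and applies two simple greyscanner-style checks (a source IP that rotates through many different envelope senders while still grey, versus one that retries the same envelope like a real MTA). The sample lines are constructed from the article's listing; the WHITE and SPAMTRAP lines, the field meanings (taken from spamdb(8): type, ip, from, to, first seen, pass, expire, times blocked, times passed) and the threshold of three senders are my own assumptions.

```python
# Added example (not from the article or from spamd): parse `spamdb` output
# and apply greyscanner-style checks to the GREY entries.
# Field layout assumed from spamdb(8):
#   GREY|ip|from|to|first|pass|expire|block|pass
#   WHITE|ip|||first|pass|expire|block|pass
from collections import defaultdict

# Constructed sample, modelled on the article's listing (WHITE/SPAMTRAP lines added).
SAMPLE_SPAMDB = """\
GREY|12.199.121.98|<abfaf@cardinalconst.example.com>|<sponsorship@bsdcan.example.org>|1163008607|1163023007|1163023007|1|0
GREY|12.199.121.98|<bfddcgfaceccbe@carltonabbott.example.com>|<sponsorship@bsdcan.example.org>|1163008652|1163023052|1163023052|1|0
GREY|12.199.121.98|<daacgdcedacg@careerpointgroup.example.com>|<sponsorship@bsdcan.example.org>|1163008622|1163023022|1163023022|1|0
GREY|12.199.121.98|<eegadda@carrierescrete.example.com>|<sponsorship@bsdcan.example.org>|1163008592|1163022992|1163022992|1|0
GREY|12.199.121.98|<gffafgfd@cascadecont.example.com>|<sponsorship@bsdcan.example.org>|1163008636|1163023036|1163023036|1|0
GREY|202.27.236.89|<>|<info@bsdcan.example.org>|1163010937|1163025337|1163025337|1|0
GREY|58.8.10.140|<ppppppp@hotmail.example.com>|<dan@langille.example.org>|1163001747|1163016147|1163016147|2|0
WHITE|192.0.2.10|||1162990000|1163000000|1166100000|1|3
SPAMTRAP|<trap@example.org>
"""


def parse_spamdb(text):
    """Turn spamdb output into a list of dicts; GREY/WHITE get named fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        kind = fields[0]
        if kind in ("GREY", "WHITE") and len(fields) == 9:
            entries.append({
                "type": kind,
                "ip": fields[1],
                "from": fields[2].strip("<>"),   # "<>" is the null sender
                "to": fields[3].strip("<>"),
                "first": int(fields[4]),
                "pass": int(fields[5]),
                "expire": int(fields[6]),
                "blocked": int(fields[7]),
                "passed": int(fields[8]),
            })
        else:
            entries.append({"type": kind, "raw": fields[1:]})
    return entries


def count_by_type(entries):
    """Same numbers as `spamdb | grep -c GREY` and `grep -c WHITE`."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["type"]] += 1
    return dict(counts)


def grey_window_seconds(entry):
    """How long a grey entry lives before it expires (4 h = 14400 s here)."""
    return entry["expire"] - entry["first"]


def rotating_senders(entries, min_senders=3):
    """IPs that present several distinct envelopes while grey.
    A real MTA retries the same from/to pair; a spam run rotates senders."""
    envelopes = defaultdict(set)
    for e in entries:
        if e["type"] == "GREY":
            envelopes[e["ip"]].add((e["from"], e["to"]))
    return {ip: len(s) for ip, s in envelopes.items() if len(s) >= min_senders}


def retrying_sources(entries):
    """IPs whose grey entry has been blocked more than once: they retried,
    which is what a well-behaved MTA does and what greylisting rewards."""
    return {e["ip"]: e["blocked"] for e in entries
            if e["type"] == "GREY" and e["blocked"] >= 2}


if __name__ == "__main__":
    parsed = parse_spamdb(SAMPLE_SPAMDB)
    print("counts:", count_by_type(parsed))
    print("rotating senders:", rotating_senders(parsed))
    print("retrying sources:", retrying_sources(parsed))
```

Run against real data with `spamdb | python3 thisfile.py` after swapping `SAMPLE_SPAMDB` for `sys.stdin.read()`. Note that the null sender `<>` on 202.27.236.89 is legitimate for bounces, so sender rotation is counted per (from, to) pair rather than treating an empty sender as suspicious on its own.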

Things to Think About

Greylisting can delay mail. Greylisting can block mail, but only if you continuously redirect the connection to the tarpit. However, it does greatly reduce the amount of incoming spam. I have no comparative statistics to show you. All I know is that I like it and that it reduces the amount of garbage in my mailbox. :)

Dan Langille runs a consulting group in Ottawa, Canada, and lives in a house ruled by felines.


Showing messages 1 through 5 of 5.

  • spamd and spamassassin
    2007-12-19 12:24:23  pollywog

    Can spamd be installed even when Spamassassin is installed? The reason I ask is that Spamassassin also has a binary called spamd.
  • Do clients get cranky?
    2007-01-19 11:06:20  msams

    Just wondering if you have had any feedback from people trying to send you mail, especially if they have a badly configured MTA that does not retry, or takes forever to retry. Have people complained "Hey, my email's not getting through!!"?

    Great article BTW!
    • Do clients get cranky?
      2007-01-19 11:10:29  danlangille

      No, I've not heard from anyone. ;)

      The cynical would say that's because their email complaints are not getting through.

      In reality, they could use HotMail, Yahoo, Google, etc, if they had trouble.
  • Minor correction
    2007-01-18 16:15:40  SaintAardvark

    Hi Dan -- many thanks for the article; I've been looking for an excuse to set up spamd, and this is it.

    One minor correction, though -- shouldn't the URL on page 2 of the article be http://beta.freebsddiary.org:8080/ ?
    • Minor correction
      2007-01-18 17:26:04  danlangille

      I've tried it using links from an external box:

      http://beta.freebsddiary.org/:8080 gets me to the website.

      http://beta.freebsddiary.org:8080 does not

      But I can get to the same spot with both of these URLs:

      http://beta.freebsddiary.org/index.php:8080
      http://beta.freebsddiary.org/index.php:8080/

      Go figure....

      :)


©2009, O'Reilly Media, Inc.