From: John
To: freebsd-questions@freebsd.org
Date: Tue, 27 Apr 2010 14:31:06 -0500
Subject: Really simple spam trap - /dev/pf permissions?
Message-ID: <20100427193106.GA91570@elwood.starfire.mn.org>
User-Agent: Mutt/1.4.2.3i

I have done a monkey-simple spam trap. It just so happens that I have a dozen or more user accounts that haven't been actually used in over five years and get dozens of spam hits every day. I had been just sending them all to /dev/null with a sendmail alias. It seems to me that these are perfect trap e-mails for spam, and in the course of playing with what I'm attempting to do, it really does look like the only thing that hits them is spam messages.
So, I built this really simple perl script, which gets invoked through a sendmail alias, as such:

    sink: "| /home/john/spamsink >> /tmp/blacklist"

and then I alias various of the old, dead accounts to "sink". The script is as follows:

-- begin script
#!/usr/bin/perl -w
# This script is invoked as a program from a sendmail mail alias
# and scans for source IP addresses, which it then adds to
# the spammer pfctl table.
use strict;

$| = 1;
my $seekfrom = 1;
my $harvestip;
while (<>) {
    if ($seekfrom > 0) {
        $seekfrom = 0 if (/^From /);
    } else {
        if (/^Received: from .*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]/) {
            $harvestip = $1;
            $seekfrom = 1;
            # Don't block localhost!
            if ($harvestip ne '127.0.0.1') {
                print "Adding $harvestip to spammers table\n";
                # List form: the address is passed straight to pfctl, never through a shell
                system "/sbin/pfctl", "-t", "spammers", "-T", "add", $harvestip;
            }
        }
    }
}
exit 0;
-- end script

Note that it takes just the first "Received" line that it finds after the "From". Looking at incoming messages, that seemed to always be the Received line that refers to it reaching my server, which is really the only connection I can do anything about from an IP firewall.

(Obviously, I'll want to add to my cron scripts to age entries out of the spammers table, just to keep it down to a manageable size. I already have two dozen entries.)

The Packet evaluation count for the rule that uses the spammers table is already showing 538 hits, so I suspect that this may actually be doing some good. I'll monitor this for a few days and see how things are going. If it doesn't actually reduce the amount of spam I get, this will have been fun and interesting, but not useful.

This seems to be working pretty well, and I'll eventually take the print statement out, but I'm not sure why I had to make /dev/pf public read/write in order to get the pfctl command to work. What is the best solution to be able to add to my spammers table in pf without making it public read/write?

-- 
John Lind
john@starfire.MN.ORG
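The following is an added example, written in Python rather than the poster's Perl, and it is not part of the original post. It separates the two jobs the post's script combines: the alias-invoked part runs unprivileged, parses the message, and only appends a validated address to a spool file, so it never needs to open /dev/pf at all; the privileged part is a root cron job that loads the spool into the pf table with the argv returned by build_pfctl_argv(). The spool path /var/spool/spamtrap/blacklist is an assumed placeholder, the table name "spammers" comes from the post, and the sample message is constructed. It goes beyond the post in two ways: it unfolds continued header lines (the bracketed IP in a sendmail Received: header is often on a continuation line, which a single-line regex misses), and it skips every loopback, RFC 1918, link-local and multicast range rather than only 127.0.0.1. It also trusts only the first Received: header, the one the receiving MTA wrote itself, and gives up rather than fall back to a deeper (sender-controlled) hop.

```python
"""Spam-trap harvester: unprivileged parse-and-spool side of the design.

Added example, not the poster's script. The alias-invoked program appends
validated addresses to a spool file; a root cron job feeds that file to pfctl.
"""
import ipaddress
import re
import sys
from pathlib import Path

# IPv4 literal in square brackets, as sendmail writes it in a Received: header
_BRACKET_IP = re.compile(r"\[([0-9]{1,3}(?:\.[0-9]{1,3}){3})\]")

# Ranges that must never land in the block table (goes beyond the post's localhost check)
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def unfold_headers(text):
    """Return the header block as logical header lines with RFC 5322 folding undone."""
    lines = []
    for raw in text.splitlines():
        if raw == "":
            break                                # blank line ends the header block
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()       # continuation of the previous header
        else:
            lines.append(raw)
    return lines


def first_received_ip(text):
    """IP from the first Received: header, i.e. the one our own MTA added.

    Returns None if that header is missing or carries no bracketed IPv4 literal;
    deeper Received: headers are sender-controlled and deliberately not consulted.
    """
    for line in unfold_headers(text):
        if line.lower().startswith("received:"):
            m = _BRACKET_IP.search(line)
            return m.group(1) if m else None
    return None


def harvest(text):
    """Return the address to block, or None when nothing may be blocked."""
    ip = first_received_ip(text)
    if ip is None:
        return None
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return None                              # malformed literal such as 999.1.1.1
    if any(addr in net for net in _NEVER_BLOCK):
        return None
    return str(addr)


def append_to_spool(ip, spool):
    """Append ip to the spool file unless already listed; True when it was added."""
    spool = Path(spool)
    existing = set(spool.read_text().split()) if spool.exists() else set()
    if ip in existing:
        return False
    with spool.open("a") as fh:
        fh.write(ip + "\n")
    return True


def build_pfctl_argv(spool, table="spammers"):
    """argv for the privileged side (root cron): load the spool file into the table.

    List form, never a shell string, so nothing taken from a message reaches a shell.
    pfctl's -T add accepts the address list from a file via -f.
    """
    return ["/sbin/pfctl", "-t", table, "-T", "add", "-f", str(spool)]


# Constructed sample: one trapped message as sendmail hands it to an alias program,
# with the IP literal on a folded continuation line.
SAMPLE = "\n".join([
    "From spammer@example.invalid Tue Apr 27 14:31:06 2010",
    "Received: from relay.example.invalid (relay.example.invalid",
    "\t[203.0.113.45])",
    "\tby mail.example.invalid (8.14.3/8.14.3) with ESMTP id o3RJV6SI000001",
    "Received: from localhost (localhost [127.0.0.1]) by relay.example.invalid",
    "From: spammer@example.invalid",
    "Subject: test",
    "",
    "body",
])

if __name__ == "__main__":
    ip = harvest(sys.stdin.read())
    if ip and append_to_spool(ip, "/var/spool/spamtrap/blacklist"):   # assumed path
        print("queued", ip)
```

With this split the sendmail alias needs write access only to the spool file, and /dev/pf keeps its default root-only permissions; the root-side cron job that runs build_pfctl_argv()'s command is also the natural place for the table aging the post mentions (pfctl's -T expire deletes entries older than a given number of seconds).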