From owner-freebsd-questions@FreeBSD.ORG Wed Apr 28 17:00:29 2010
Date: Wed, 28 Apr 2010 12:00:27 -0500
From: John
To: Matthew Seaman
Cc: John, freebsd-questions@freebsd.org
Subject: Re: Really simple spam trap - /dev/pf permissions?
Message-ID: <20100428170027.GA3857@elwood.starfire.mn.org>
In-Reply-To: <4BD7DCE1.9070004@infracaninophile.co.uk>
References: <20100427193106.GA91570@elwood.starfire.mn.org> <4BD7DCE1.9070004@infracaninophile.co.uk>

On Wed, Apr 28, 2010 at 07:59:45AM +0100, Matthew Seaman wrote:
> On 27/04/2010 20:31:06, John wrote:
> > I have done a monkey-simple spam trap. It just so happens that I have
> > a dozen or more user accounts that haven't been actually used in over
> > five years and get dozens of spam hits every day. I had been just
> > sending them all to /dev/null with a sendmail alias.
> >
> > It seems to me that these are perfect trap e-mails for spam, and
> > in the course of playing with what I'm attempting to do, it really
> > does look like the only thing that hits them are spam messages.
> >
> > So, I built this really simple perl script, which gets invoked through
> > a sendmail alias, as such:
> > sink: "| /home/john/spamsink >> /tmp/blacklist"
> > and then I alias various of the old, dead accounts to "sink".
>
> Check out the mail/spamd port -- it does what you want, and more
> besides. The keyword is 'greytrapping'. Also, as it works against the
> host that connects to your server, rather than anything in the message
> headers (probably forged by the spammers), it's much better targeted.
>
> Oh, and the action on discovered spammers is not simply to block their
> access, but to engage them in a long drawn out and ultimately futile
> SMTP conversation, thus wasting their resources and giving them a
> generally bad day.
>
> Cheers,
>
> Matthew

That sounds cool, and I'll look at it again, but the last time I looked
at it, the learning curve seemed prohibitive. I wrote my script in less
time than it took me to read the spamd man page - and that wasn't even
counting the time I spent being confused over there being TWO different
"SPAMD" programs...

With regard to the headers - the spammers CANNOT forge the most recent
"Received: from" header, because that is generated by MY sendmail, and
even if they "lie" about their name (DNS), the IP address given is the
IP address that connected to my machine, which has to be correct in
order for the SMTP "conversation" to occur. The problem, as already
elucidated by a previous poster, is if they come through a "common" or
"choke point" SMTP server, I'll block a lot of legit e-mail, too.

So far, that does NOT appear to have happened to me, and as tighter and
tighter controls are placed on relaying, I think that becomes even less
of a risk. Anyway, every two hours, I drop entries that are 2 hours old
or older, so that should be manageable, as well.

Right now, my rule is set to RETURN and I wonder if it should be DROP
instead. Any feedback on what's "better"?

So far, I've seen over a 3/4ths reduction in SPAM hitting my inbox, so,
it seems to be a moderate success, right now. I've only had one spam
site that was so persistent that it kept trying to deliver the messages
until after the entry got cleared from the table.

I currently have 105 (a new high!) entries in my "spammers" table, and
I've only gotten 2 spam e-mails in the last two hours.
--
John Lind
john@starfire.MN.ORG
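An added example, not John's spamsink script or anything from the spamd port: a sh sketch of the trap described above, taking the connecting IP from the topmost Received: header and emitting pfctl commands for the "spammers" table with the two-hour expiry. The hostnames, addresses and the sample message are constructed.

```shell
# Added example, not John's own spamsink script: extract the connecting IP
# from the topmost Received: header (the one our own sendmail stamped) and
# emit pfctl commands for the "spammers" table. Hosts and paths are made up.
TABLE="spammers"

# Print the bracketed IP from the first Received: header in file $1. Only
# the topmost header is trustworthy: the name after "from" is whatever the
# client claimed in HELO, but the [addr] is the peer our MTA actually spoke to.
top_received_ip() {
    awk '
        /^Received:/ && !seen { seen = 1; hdr = $0; next }
        seen && /^[ \t]/      { hdr = hdr " " $0; next }  # folded line
        seen                  { exit }                    # next header
        END { if (match(hdr, /\[[0-9.]+/))
                  print substr(hdr, RSTART + 1, RLENGTH - 1) }
    ' "$1"
}
# Never add loopback or RFC 1918 addresses: locally submitted mail would
# otherwise lock your own hosts out of the MTA.
is_local_addr() {
    case "$1" in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Commands are printed, not run, so this works without root or pf loaded.
block_cmd()  { printf 'pfctl -t %s -T add %s/32\n' "$TABLE" "$1"; }
expire_cmd() { printf 'pfctl -t %s -T expire %d\n' "$TABLE" 7200; }  # 2 h old

# Constructed sample (not a real capture): the first Received: is ours, the
# second is the sender's own and could say anything.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Received: from friendly.example.invalid (unknown [203.0.113.45])
    by elwood.example.invalid (8.14.3/8.14.3) with ESMTP id PLACEHOLDER
    for <olduser@example.invalid>; Wed, 28 Apr 2010 12:00:27 -0500 (CDT)
Received: from forged.example.invalid (forged.example.invalid [198.51.100.9])
    by friendly.example.invalid with SMTP; Wed, 28 Apr 2010 11:59:00 -0500
Subject: constructed test message

body
EOF
# What the "sink" alias pipeline would do with this message:
ip=$(top_received_ip "$SAMPLE")
if [ -n "$ip" ] && ! is_local_addr "$ip"; then
    block_cmd "$ip"   # prints: pfctl -t spammers -T add 203.0.113.45/32
fi
expire_cmd            # this one belongs in a cron job run every two hours
```

The second Received: line is deliberately ignored: anything below the header your own MTA wrote is sender-supplied and may be forged, which is the point John makes above.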