Date: Wed, 28 Apr 2010 12:00:27 -0500
From: John <john@starfire.mn.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: John <john@starfire.mn.org>, freebsd-questions@freebsd.org
Subject: Re: Really simple spam trap - /dev/pf permissions?
Message-ID: <20100428170027.GA3857@elwood.starfire.mn.org>
In-Reply-To: <4BD7DCE1.9070004@infracaninophile.co.uk>
References: <20100427193106.GA91570@elwood.starfire.mn.org> <4BD7DCE1.9070004@infracaninophile.co.uk>
On Wed, Apr 28, 2010 at 07:59:45AM +0100, Matthew Seaman wrote:
> On 27/04/2010 20:31:06, John wrote:
> > I have done a monkey-simple spam trap. It just so happens that I have
> > a dozen or more user accounts that haven't been actually used in over five
> > years and get dozens of spam hits every day. I had been just sending
> > them all to /dev/null with a sendmail alias.
> >
> > It seems to me that these are perfect trap e-mails for spam, and
> > in the course of playing with what I'm attempting to do, it really
> > does look like the only thing that hits them is spam messages.
> >
> > So, I built this really simple perl script, which gets invoked through
> > a sendmail alias, as such:
> > sink: "| /home/john/spamsink >> /tmp/blacklist"
> > and then I alias various of the old, dead accounts to "sink".
>
> Check out the mail/spamd port -- it does what you want, and more
> besides. The keyword is 'greytrapping'. Also, as it works against the
> host that connects to your server, rather than anything in the message
> headers (probably forged by the spammers) it's much better targeted.
>
> Oh, and the action on discovered spammers is not simply to block their
> access, but to engage them in a long drawn out and ultimately futile
> SMTP conversation, thus wasting their resources and giving them a
> generally bad day.
>
> Cheers,
>
> Matthew

That sounds cool, and I'll look at it again, but the last time I looked at it, the learning curve seemed prohibitive. I wrote my script in less time than it took me to read the spamd man page - and that wasn't even counting the time I spent being confused over there being TWO different "SPAMD" programs...
With regard to the headers - the spammers CANNOT forge the most recent "Received: from" header, because that is generated by MY sendmail, and even if they "lie" about their name (DNS), the IP address given is the IP address that connected to my machine, which has to be correct in order for the SMTP "conversation" to occur.

The problem, as already elucidated by a previous poster, is if they come through a "common" or "choke point" SMTP server, I'll block a lot of legit e-mail, too. So far, that does NOT appear to have happened to me, and as tighter and tighter controls are placed on relaying, I think that becomes even less of a risk. Anyway, every two hours, I drop entries that are 2 hours old or older, so that should be manageable, as well.

Right now, my rule is set to RETURN and I wonder if it should be DROP instead. Any feedback on what's "better"?

So far, I've seen over a 3/4ths reduction in SPAM hitting my inbox, so, it seems to be a moderate success, right now. I've only had one spam site that was so persistent that it kept trying to deliver the messages until after the entry got cleared from the table. I currently have 105 (a new high!) entries in my "spammers" table, and I've only gotten 2 spam e-mails in the last two hours.

--
John Lind
john@starfire.MN.ORG
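The point John makes about the topmost "Received:" header (the only one the local MTA itself wrote, so the bracketed IP in it is the real connecting address while anything below it may be spammer-supplied) is what a sink script like his has to rely on. The following is an added example, not the spamsink script from the thread: it reads a message on stdin the way a sendmail pipe alias would deliver it, unfolds the first Received header, checks that the "by" clause names our own MTA, and prints only the IP from its "from" clause. The local hostname and the sample message are constructed assumptions.

```python
import email
import re
import sys
from typing import Optional

# Assumed name of our own MTA; the real value would be the local sendmail host.
LOCAL_HOST = "mx.example.org"

# Constructed sample: the top Received header was written by our MTA, the
# second one was supplied by the sending side and could say anything.
SAMPLE = """Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.example.org (8.14.3/8.14.3) with ESMTP
\tfor <sink@example.org>; Wed, 28 Apr 2010 12:00:27 -0500
Received: from trusted.example.com (trusted.example.com [198.51.100.9])
\tby mail.example.net with SMTP; Wed, 28 Apr 2010 11:59:00 -0500
From: someone@example.com
To: sink@example.org
Subject: constructed test message

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str, local_host: str) -> Optional[str]:
    """Return the address of the host that connected to our MTA, or None.

    Only the first (topmost) Received header is consulted, because that is the
    one our own sendmail added; lower headers travelled inside the message.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received")
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    # Sanity check: the receiving side must be us, not some relay's header.
    m_by = re.search(r"\bby\s+(\S+)", top)
    if not m_by or m_by.group(1).lower() != local_host.lower():
        return None
    from_part = top.split(" by ", 1)[0]  # keep the 'from ...' clause only
    m_ip = IP_RE.search(from_part)
    return m_ip.group(1) if m_ip else None


if __name__ == "__main__":
    # Pipe-alias usage: sink: "| /path/to/this.py >> /tmp/blacklist"
    ip = connecting_ip(sys.stdin.read(), LOCAL_HOST)
    if ip:
        print(ip)
```

Refusing to print anything when the "by" host is not ours prevents a header written by some upstream relay from being mistaken for the connecting peer.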