lukasz.bromirski.net


it’s hard to be a spammer

…if everyone is trying to make your life harder.

a couple of weeks ago i refreshed my private email server on FreeBSD. for some time spam levels had been rising and i had to do something about it. the old spamassassin setup was not handling it accurately enough anymore.

enter spamd from OpenBSD.

current postfix has a built in greylisting server that’s working quite well. for my installation i tuned it a bit, by extending the period of time that has to pass from the last delivery attempt (to 1200 seconds, which is 20 minutes):

in /etc/rc.conf:

postgrey_enable="YES"
postgrey_flags="--inet=10023 --delay=1200 --greylist-action=451 --x-greylist-header='X-Greylist: delayed %t seconds by postgrey-%v at %h; %d' --auto-whitelist-clients --lookup-by-subnet --greylist-text='4.7.1 Greylisted' --whitelist-clients=/usr/local/etc/postfix/postgrey_whitelist_clients"

once greylisting is done, we can attempt to fight the spammers more aggressively. spamd from OpenBSD can work in blacklisting mode - tarpitting all redirected connections. while it emulates a real mail server, it does so at a speed of one character per second (or… per longer time slice). of course, at the end the mail is discarded anyway - but only after hours or even days of keeping the spammer’s queue busy.

how to gather such addresses? you can use traplists - email addresses hidden in different places around your HTML code, which, while invisible to humans, are readily scrapable by bots hunting for “good emails”. then, from the logs of attempted delivery to such known-bad addresses, you can select the abusers and redirect them to spamd.

so a short selection of my trap e-mails:

us2@bromirski.net
it-admin@null0.pl
arek@bromirski.net
dobry.jozek@bromirski.net
jutro.bedzie.futro@bromirski.net

…and those were added after observing the mail logs, as it seems somebody was trying to find other users:

passw0rd@null0.pl
christop@null0.pl
scotty@null0.pl

the list contains 26 e-mails today and grows by 1-2 every month.

startup options for obspamd in /etc/rc.conf:

obspamd_enable="yes"
obspamd_flags="-b -l 127.0.0.1 -s 3 -v -n Postfix"
obspamlogd_enable="yes"

of course, the traffic needs to be redirected. for pf, in /etc/pf.conf:

rdr pass on $ext_if inet proto tcp from { spamd, spamd-local } \
 to $ext_if port { smtp, 465, 587 } -> lo0 port spamd

so, the last part - a script that will monitor /var/log/maillog, find all delivery attempts to trap e-mails and add the sending IPs to the pf table. mine adds 4-5 new IPs daily, but there are worse days (when around 30-40 different hosts attempt some new campaign). so, for the current numbers:

# pfctl -t spamd -T show | wc -l
  3063
# pfctl -t spamd-local -T show | wc -l
  1087
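the post does not show the script itself, so here is an added example of how that step can look (my own sketch, not the author’s script): it picks the client IPs that tried to deliver to a trap address out of a Postfix maillog and feeds them to the pf table. the traplist path, the table name and the sample log lines in demo are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not the post's own script: pick the client IPs that tried
# to deliver to a trap address out of a Postfix maillog and push them into
# the pf "spamd" table. Paths and the table name are assumptions.
TRAPLIST="${TRAPLIST:-/usr/local/etc/postfix/traplist}"   # one address per line
MAILLOG="${MAILLOG:-/var/log/maillog}"
PFTABLE="${PFTABLE:-spamd}"

# trap_hits MAILLOG TRAPLIST -> unique client IPs whose RCPT TO hit a trap.
# Matches postfix/smtpd lines shaped like
#   ... RCPT from unknown[203.0.113.5]: 550 ... to=<trap@example.net> ...
trap_hits() {
    awk -v traps="$2" '
    BEGIN { while ((getline a < traps) > 0) if (a != "") trap[tolower(a)] = 1 }
    /postfix\/smtpd\[[0-9]+]: / && match($0, /to=<[^>]+>/) {
        rcpt = tolower(substr($0, RSTART + 4, RLENGTH - 5))
        if (!(rcpt in trap)) next
        # the client IP is logged as "RCPT from hostname[a.b.c.d]" (IPv4 only here)
        if (!match($0, /RCPT from [A-Za-z0-9._-]*\[[0-9.]+]/)) next
        ip = substr($0, RSTART, RLENGTH)
        sub(/.*\[/, "", ip); sub(/]$/, "", ip)
        if (!(ip in seen)) { seen[ip] = 1; print ip }
    }' "$1"
}

# ban_trap_hits -> add every hit to the pf table; DRY_RUN=1 only prints the commands
ban_trap_hits() {
    trap_hits "$MAILLOG" "$TRAPLIST" | while read -r ip; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "pfctl -t $PFTABLE -T add $ip"
        else pfctl -t "$PFTABLE" -T add "$ip"; fi
    done
}

# demo -> run trap_hits over a constructed maillog excerpt (made-up hosts and IPs)
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'us2@example.net' 'jutro.bedzie.futro@example.net' > "$d/traps"
    cat > "$d/maillog" <<'EOF'
Mar  3 10:01:07 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <us2@example.net>: Recipient address rejected: User unknown; from=<a@example.com> to=<us2@example.net> proto=ESMTP helo=<x>
Mar  3 10:01:09 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <arek@example.net>: Recipient address rejected; from=<a@example.com> to=<arek@example.net> proto=ESMTP helo=<x>
Mar  3 10:02:31 mx postfix/smtpd[4250]: 1A2B3C: client=mail.example.org[198.51.100.7]
Mar  3 10:02:32 mx postfix/qmgr[900]: 1A2B3C: from=<b@example.org>, size=1200, nrcpt=1 (queue active)
Mar  3 10:03:44 mx postfix/smtpd[4260]: NOQUEUE: reject_warning: RCPT from host.example.org[198.51.100.9]: 450 4.7.1 <JUTRO.bedzie.futro@example.net>: 4.7.1 Greylisted; from=<c@example.org> to=<JUTRO.bedzie.futro@example.net> proto=SMTP helo=<h>
EOF
    trap_hits "$d/maillog" "$d/traps"
    rm -rf "$d"
}
```

run it from cron (or tail the log with a loop) and pair it with a pf table that has persist set; matching is case-insensitive on the recipient, and a host that hits several traps is added once.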

if you do it right, spammers will suffer. hardcores tend to stay in the connection for 18 minutes; here are some real-world examples from /var/log/spamd.log:

91.207.211.227: 1085 seconds.
14.177.85.0: 1085 seconds.
14.177.78.51: 1085 seconds.
91.207.211.227: 1082 seconds.
91.207.211.227: 1082 seconds.
91.207.211.227: 1080 seconds.
189.216.86.7: 1080 seconds.
199.59.150.86: 1079 seconds.
91.207.211.227: 1078 seconds.
199.59.150.86: 1074 seconds.
14.177.11.20: 992 seconds.
103.255.5.117: 981 seconds.
212.237.47.252: 595 seconds.
80.82.64.73: 543 seconds.
183.131.162.73: 400 seconds.
24.222.21.82: 219 seconds.
24.222.21.82: 217 seconds.
24.222.21.82: 217 seconds.
24.222.21.82: 216 seconds.
24.222.21.82: 215 seconds.
24.222.21.82: 215 seconds.
14.236.29.71: 34 seconds.
14.231.160.197: 34 seconds.
114.104.157.150: 16 seconds.
114.104.157.150: 14 seconds.
114.104.157.150: 14 seconds.
114.104.157.150: 14 seconds.
114.104.157.150: 14 seconds.
114.104.157.150: 13 seconds.
114.104.157.150: 13 seconds.
114.104.157.150: 13 seconds.
114.104.157.150: 13 seconds.

all the best in making spammers life more miserable.

