OpenBSD Journal

Getting back at spammers with spamd

Contributed by dwc on from the la-brea dept.

Strykar writes:

A light humorous article on using OpenBSD and spamd to get back at spammers. This would include almost every BSD machine not serving SMTP with a public IP.

DISCLAIMER: This will not bring world peace or make De Fermat's theorem clearer. It's in jest, please take it lightly.

http://www.hungryhacker.com/articles/misc/spamd

So far I have received comments like:
"that must be the single most useless script"
"good intention and an interesting idea however 100% useless"
"most spammers have thousands of zombies and they change each day, one zombie slowed down for a few minutes and listed won't do too much... even if you have thousands of these servers"

I have reiterated in the article that this is a fun-to-do thing; it took me 20 minutes to read, set up and get going. I've also mentioned that 100'000 users running spamd would make a difference, or so I think - this was in reference to how RBLs came into existence in the post.

I agree it won't make spammers rethink their strategy or save babies in Africa. But for those who haven't set up spamd yet, I'll say this: "It is the only log you will smile at the minute you tail it."

All constructive criticism is welcome :)



Comments
  1. By Anonymous Coward (24.37.242.64) on

    I don't think this is useless at all; I like this kinda stuff because I hate spam/spammers with a passion too.

    If only more people would or could do this too, then in theory, the next person down the line won't get spammed as much or as often - depending on how you look at it. Even if we can't stop spam completely, why not at least help slow it down like this...

    Regardless of any criticism (if any), I think this was a worthy post.

    PS: What video codec does the .avi use? I can only hear the sound but no video.

    Comments
    1. By Brynet (Brynet) on

      > PS: What video codec does the .avi use? I can only hear the sound but no video.

      Is that a trick question? It's a container file extension... commonly used codecs are DivX and XViD.. Use VLC :)

      Comments
      1. By Anonymous Coward (69.28.228.76) on

        > > PS: What video codec does the .avi use? I can only hear the sound but no video.
        >
        > Is that a trick question? It's a container file extension... commonly used codecs are DivX and XViD.. Use VLC :)

        VLC can't play this file either.

        Comments
        1. By Anonymous Coward (66.238.233.150) on

          rtfa ;)
          the article tells you what codec you need and where to get it.

          Comments
          1. By Anonymous Coward (24.37.242.64) on

            > rtfa ;)
            > the article tells you what codec you need and where to get it.

            lol, oops, it's cause I was trying to view it in windows and I didn't bother to read the part about the MSU screen capture codec, I just downloaded it and tried later.

  2. By Daniel Ouellet (66.63.10.94) daniel@presscom.net on

    I can only confirm one big thing for anyone that still does not use spamd and hasn't considered using it yet. You are missing out big time! I would even push spamd much further, as to build it into a bgp/spamd-like idea if you want, with users/partners you trust, to sync multiple spamd setups and to fight back spam as it is!

    Why, you may ask. Very simple to understand if you read below, and I grant you that your needs are surely different than mine, but if you stop, sit back and think about what it does for me, you can imagine what it can possibly do for you.

    I run an ISP and spam is a huge problem, not only for the spam itself, but because almost every virus that spreads is spread to users/customers via email. Years ago, I started to install honey pots at multiple locations on my network to catch various problems, attacks and compromised customers, and then contact them with the results and notify them of that fact. It was a huge undertaking and many resources were dedicated to it, as you have no idea how many people run their computers and servers and even their LAN without protection whatsoever. Sad but true. So, this has been a huge education process for my customers and a huge amount of work for my business as well. However, as time passed, fewer and fewer customers had compromised computers and servers, and they also learned over time. Now the result is that many years later, I can proudly say that it is very rare that a customer has a compromised system, and that viruses on my network and customers are now the exception. It's always the laptop of someone that travels that gets connected to their network that is compromised and gets caught in the honey pot, and each time, now the customers are smiling when we contact them with such things, as it gives them something to talk about and to show they are doing better than many other offices elsewhere.

    Plus, not only that, but if you are actually looking proactively at the amount of traffic on your network if you have one, or the amount of traffic on your LAN that is spam or viruses transmitted by compromised computers spamming you, as opposed to the real amount of traffic that is legitimate, you will see that it is not only 5% or 10%, but way more than that. Way more.... In some cases, I had customers whose usage of bandwidth was reaching 80% spam and virus stuff, and they were suffering the impact of it, plus having a lifetime subscription to IT consultants that were making a killing just doing virus removal, but not always making the customers safe, as they would be killing their own source of income. Not very ethical if you ask me, and no, that's not the norm, but it sure is not uncommon either. In some cases, it's just the customer that is too cheap to do it right and does not want to invest in making its own setup better until they are stuck with it, and in many cases they address the problem by adding bandwidth instead of making it work properly.

    So, use spamd and spread it as much as you can; it will help you, help your customers if you provide service to any, and sure will help your own network if you manage it.

    Just think about it. Without spamd, you get all these emails, viruses, time wasted fixing compromised computers by users that just accept these viruses, and all the bandwidth wasted as well carrying this crap. Then all the resources in network equipment processing all this, etc...

    The list is very long and I could go on and on and on with examples.

    I can only tell you that with a proper spamd setup, not only do you clean up your users' mail boxes and make them happier, but you eliminate your problem with viruses, or reduce it to a very minimum; you also increase the efficiency of your network big time, and in the end all is much better and you will have more time to drink a beer sitting back!

    Every setup I have done so far, maybe because I am an ISP I get different results than you, or see the impact way more, but I can tell you that in every case the results are impressive, the users are way happier and the efficiency of their LAN, including my network, is much better, and I can make the statement without a problem that my network is way more than 50% more efficient and by a very long shot is 95% cleaner of crap as well! And these numbers keep increasing as the quantity of spam keeps increasing on the Internet as well. Just look at some specialized firms that provide spam filtering as a service. The biggest one, if I am not mistaken, said that at their last look more than 89% of the email they processed was spam, and it keeps increasing, to the point that maybe one day email may become unusable by users as there isn't anything good anymore in it.

    Yes, this is a bold statement, but it is real nevertheless, and if you just sit back and think about it, you will see the light. My 50% figure is already almost 2 years old, from when I did tests and tracked network traffic, etc. I can't say what the number is today, and I sure do not and can't tell you, as to do so would mean crashing some customers' setups just to get the results, I am sure.

    I am a strong advocate of it, not only for the impact it has on my mail box, but also for the very strong and visible impact it has on my network and customers, and I can only imagine the scale of this plague on the Internet at large. If every ISP and user was doing the same thing, I can tell you that you wouldn't see the bandwidth requirements double every few months on the Internet; plus, it would become a much better place. Many companies have no interest in fixing the problem, as it would mean reducing their income or growth, as customers wouldn't increase their access to the Internet; also, many companies that provide anti-virus wouldn't be as badly needed, and even some IT support consultants wouldn't make as much money doing recurring virus clean-ups on customers' computers.

    But it is a must have if you ask me, and I would even put it as a requirement these days, and I would also be strongly in favor of establishing a bgp/spamd-like setup to fight back the spam and to reduce the false positives to a minimum, cleaning up your mail box in the process, but even more in cleaning up the Internet of viruses as a side effect of its use, and even more in making the Internet, each ISP network and your LAN cleaner and more efficient, with each and every one of us doing work on more interesting things than dealing with spam and viruses on user computers.

    That's my own experience and I am sure that many others can confirm that as well. Just ask Bob what quantity of bandwidth or viruses he got rid of at the University of Alberta, and that's just one user, yes a big one, but one user only, and how much bandwidth he saved by eliminating all that useless traffic right from the Internet; now just picture the impact inside the LAN.

    Hope this helps you get the idea and the impact of spamd use, and if you haven't started to use it, I would say you are an irresponsible user. Yes, I realize this is a strong statement, but it is true nevertheless and shows your lack of understanding of its benefits, and you should learn it sooner rather than later, and more importantly install it, run it and enjoy the peace it will bring over time.

    Now, what we really need to do is find a way to extend its use to make it even better and more efficient at blocking spam, by having live multiple points of entry before it even reaches you, and if we can do this, maybe, just maybe, we can put a good nail in the coffin of spammers for good and make their business irrelevant, as well as making the Internet a better place for everyone.

    Thanks

    Daniel

    Comments
    1. By Anonymous Coward (66.238.233.150) on

      thanks for the writeup, much appreciated.

    2. By Daniel Ouellet (66.63.10.94) daniel@presscom.net on

      Just a few more things that I should have added to my previous writing, and that also make your setup real firepower, are a very few more details.

      First, I also have my mail servers exchanging their lists of spammers, if you want, via the new portion of spamd that allows you to share the lists each one gets. Very wonderful addition and I strongly suggest using it.

      man 8 spamd and look for the "synctarget" and "synclisten". Makes a wonderful deadly weapon!

      Second, I also use Bob's list, which is updated every hour and that he so gracefully shares with us.

      Third, a very big portion is also from Bob, the wonderful greyscanner, and I can't wait until it is fully part of the default system. If you haven't discovered it yet, you've got to install it as well if you are serious about fighting spam!

      Fourth, and that's really a killer as well, is the setup of a few honey pots on public IPs that are not even providing MTA service at all, but that are just traps without any MX records in DNS, and these are 100% attacks, or found by viruses, compromised servers, computers and spammers. 100% of what connects to them is scrap, and when you link that with your real mail server via point one above, you get a real killer for spam!

      Fifth, the addition of a few unused domains with the sole reason of being traps for spam, as no email accounts exist on them; so if you really want to be dirty, you add MX records to them and then set up your trap for any address destined to these domains, except maybe the postmaster if you really want to follow the RFC, and then sync them as well.

      Sixth would then be to even add a few email traps, also using the spamd trap flexibility.

      Next would be the wonderful sharing of these lists between multiple users, and a global source somewhere that you can tap into and get your LAN protected.

      You do all this if you want to go that far, and you would be hard pressed to get any spam whatsoever.

      Don't take my word for it; try it and you will be surprised by the results, and the best part of it is you can use it without any RDBL as we used to, and eliminate any side effects and really fight back.

      Then if we put together a few resources, we can see a possible win against spam for the benefit of all and finally start to clean up the Internet some, or at a minimum, each one of us in a small way, but for sure, this is one of the best ways I have found to fight the virus propagation problem, and it does work!

      I have proven it in real life in an ISP setup.

      You need to care about your customers, however, to extend all that, but if you do, it sure works and the results are very impressive!

      Best of luck in your spam fight!

      Daniel

      Comments
      1. By Claer (212.234.103.153) claer |at| claer_dyndns_org on

        I use another feature from OpenBSD: OS detection coupled with PF.
        I choose to block OSes that I'm sure are workstations and frequently contaminated hosts. OK, it's mostly MS OSes. I should also add PalmOS or SymbianOS, but these OSes are not scanning a lot at the moment.

        Here is the extract of my pf.conf regarding mail:

        pass in on egress proto tcp from any to $platon port = 25
        block in quick from <spammer>
        block in log on egress proto tcp from any os "Windows NT" to $gorgias port = 25
        block in log on egress proto tcp from any os "Windows 95" to $gorgias port = 25
        block in log on egress proto tcp from any os "Windows 98" to $gorgias port = 25
        block in log on egress proto tcp from any os "Windows ME" to $gorgias port = 25
        block in log on egress proto tcp from any os "Windows CE" to $gorgias port = 25
        block in log on egress proto tcp from any os "Windows XP" to $gorgias port = 25

        One could log these requests to another logfile and parse it to add the bad hosts to spamd.

    3. By Bob Beck (68.148.128.240) beck@openbsd.org on

      >
      > ... Longest... Undeadly.. Post... Ever...
      >

      Geez Daniel.. Well, you do have two kidneys, and you can live with one ;)

      Well, maybe just the standard hookers and blow would be ok.

      Aww fuck, just buy CD's dammit..

      Comments
      1. By Daniel Ouellet (66.63.10.94) daniel@presscom.net on

        > >
        > > ... Longest... Undeadly.. Post... Ever...
        > >
        >
        > Geez Daniel.. Well, you do have two kidneys, and you can live with one ;)
        >
        > Well, maybe just the standard hookers and blow would be ok.
        >
        > Aww fuck, just buy CD's dammit..

        Sorry Bob!

        I guess dreaming of hanging spammers naked by their big toes from a cactus in the dry desert without water, watching scorpions and other lovely creatures having a fiesta and letting them cook under the sun like we used to dry fish with salt years ago always inspired me. (;>

        But you are right, sending you hookers might do a better job as long as they bring the beer right? (;>

        In the end, you are 100% right once more, just buying CD's is the right thing to do!

        Many thanks nevertheless for your work.

  3. By Henrik Hellerstedt (83.253.53.109) on

    Question:
    Why not let spamd listen directly to the external ip and port 25?
    Is the pf and its magic really needed here?

    Comments
    1. By Anonymous Coward (66.238.233.150) on

      to keep spamd simple and lean.
      the pf redirects are used to allow the "not-bad" ip addresses to connect to the real smtp.

      Comments
      1. By Terrell Prude' Jr. (151.188.247.104) tprude@cmosnetworks.com (this is a spamtrap address) on http://www.cmosnetworks.com/

        > to keep spamd simple and lean.
        > the pf redirects are used to allow the "not-bad" ip addresses to connect to the real smtp.
        >

        Exactly. You're essentially doing port address translation to forward the "black" or "grey" IP addresses to spamd. We redirect TCP 25 to 8025 in case you're also running your real MTA on the same OpenBSD box. In my case, I run it on a separate GNU/Linux box (Postfix), in which case you still have to do NAT on that traffic.

        It's damned effective *and* versatile, I'll tell you that. But yes, it does require some learning about PF. It's not horrible, and it's a good thing to learn.

        --TP

        Comments
        1. By Anonymous Coward (24.37.242.64) on

          > > to keep spamd simple and lean.
          > > the pf redirects are used to allow the "not-bad" ip addresses to connect to the real smtp.
          > >
          >
          > Exactly. You're essentially doing port address translation to forward the "black" or "grey" IP addresses to spamd. We redirect TCP 25 to 8025 in case you're also running your real MTA on the same OpenBSD box. In my case, I run it on a separate GNU/Linux box (Postfix), in which case you still have to do NAT on that traffic.
          >
          > It's damned effective *and* versatile, I'll tell you that. But yes, it does require some learning about PF. It's not horrible, and it's a good thing to learn.
          >
          > --TP

          If I understand this correctly, anything connecting to you on port 25 gets redirected to spamd listening on port 8025 (with an rdr rule).

          Spamd then processes the data based on black/grey/white list(s) - if it passes ok, spamd then passes it internally to the listening MTA on port 25 (in this case, without NAT translation) and thus the email gets processed/delivered properly...?

          If this is the case, does your real public MTA listen or need to listen on port 25 'externally' or just 'internally' because of spamd?

          Comments
          1. By chris_g_g (81.179.73.85) on

            >
            > If I understand this correctly, anything connecting to you on port 25 gets redirected to spamd listening on port 8025 (with an rdr rule).
            >
            > Spamd then processes the data based on black/grey/white list(s) - if it passes ok, spamd then passes it internally to the listening MTA on port 25 (in this case, without NAT translation) and thus the email gets processed/delivered properly...?
            >
            > If this is the case, does your real public MTA listen or need to listen on port 25 'externally' or just 'internally' because of spamd?

            Assuming your MTA is on the same computer as spamd/pf, I believe it works as follows...

            1) Incoming traffic on port 25 hits the pf firewall.

            2) pf matches against 3 tables (black, white, grey) and takes the following action:
            white = Pass on through the firewall to local port 25. MTA will answer.
            grey = Redirect to 8025. spamd will answer.
            black = Kindly inform the connecting party to get lost!

            3) spamd will do one of two things:
            -a Tell the connecting party to call again later and update/add an entry to pf's grey table.
            -b Tell the connecting party to call again later and move an entry from pf's grey table to the white table.

            How spamd decides which action to take is tweakable. spamd performs no redirection of traffic itself, it just "guides" the firewall.

            For your latter question, not sure quite what you mean by "internal" and "external" port 25... There's no special config needed for the MTA as the firewall always "gets in the way" first - the MTA either sees traffic or doesn't.
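The three-table flow from the answer above, as an added pf.conf example that is not part of the original thread: it uses the pre-4.7 "rdr" syntax the thread refers to and the table names spamd(8) itself uses, and assumes the MTA listens only on localhost port 25 and spamd on its default 127.0.0.1:8025.

```pf
# Added example, not from the thread: pf.conf fragment for the spamd
# greylisting flow, in the pre-4.7 "rdr" syntax. Assumes the MTA listens
# on localhost:25 and spamd on its default 127.0.0.1:8025 (the "spamd"
# entry in /etc/services). "egress" is pf's group for the default-route
# interface.
ext_if = "egress"

# <spamd>: blacklisted hosts loaded from the blacklists by spamd-setup(8).
# <spamd-white>: hosts that retried correctly and were whitelisted by spamd.
# <nospamd>: hand-maintained exceptions (large mail hosts that retry
# from many different IPs and would otherwise never pass greylisting).
table <spamd> persist
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# Trusted exceptions are never redirected.
no rdr on $ext_if inet proto tcp from <nospamd> to any port smtp

# Black and grey: redirect to spamd, which stutters at blacklisted hosts
# and tells unknown (grey) hosts to retry later. Anything not yet
# whitelisted counts as grey.
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port spamd

# Fail-safe: nothing from the public side reaches port 25 unless a
# later rule passes it explicitly; log what is dropped.
block in log on $ext_if proto tcp to any port smtp

# White: whitelisted and trusted senders go straight to the real MTA.
pass in on $ext_if inet proto tcp from <nospamd> to any port smtp
pass in log on $ext_if inet proto tcp from <spamd-white> to any port smtp
```

One difference from the answer above: blacklisted hosts are not turned away by pf but redirected to spamd as well, which is what ties up the sender's connection.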

            Comments
            1. By Anonymous Coward (24.37.242.64) on

              > >
              > > If I understand this correctly, anything connecting to you on port 25 gets redirected to spamd listening on port 8025 (with an rdr rule).
              > >
              > > Spamd then processes the data based on black/grey/white list(s) - if it passes ok, spamd then passes it internally to the listening MTA on port 25 (in this case, without NAT translation) and thus the email gets processed/delivered properly...?
              > >
              > > If this is the case, does your real public MTA listen or need to listen on port 25 'externally' or just 'internally' because of spamd?
              >
              > Assuming your MTA is on the same computer as spamd/pf, I believe it works as follows...
              >
              > 1) Incoming traffic on port 25 hits the pf firewall.
              >
              > 2) pf matches against 3 tables (black, white, grey) and takes the following action:
              > white = Pass on through the firewall to local port 25. MTA will answer.
              > grey = Redirect to 8025. spamd will answer.
              > black = Kindly inform the connecting party to get lost!
              >
              > 3) spamd will do one of two things:
              > -a Tell the connecting party to call again later and update/add an entry to pf's grey table.
              > -b Tell the connecting party to call again later and move an entry from pf's grey table to the white table.
              >
              > How spamd decides which action to take is tweakable. spamd performs no redirection of traffic itself, it just "guides" the firewall.
              >
              > For your latter question, not sure quite what you mean by "internal" and "external" port 25... There's no special config needed for the MTA as the firewall always "gets in the way" first - the MTA either sees traffic or doesn't.

              Wow, that's excellent, thank you very much for the clear reply!

              Regards

      2. By Anonymous Coward (64.81.40.211) on

        > to keep spamd simple and lean.
        > the pf redirects are used to allow the "not-bad" ip addresses to connect to the real smtp.
        >
        >

        But, the article here is really targeting people who don't run mail servers. And for that, yeah, might as well run spamd right on the public interface.

        Comments
        1. By Strykar (Strykar) on

          > > to keep spamd simple and lean.
          > > the pf redirects are used to allow the "not-bad" ip addresses to connect to the real smtp.
          > >
          >
          > But, the article here is really targeting people who don't run mail servers. And for that, yeah, might as well run spamd right on the public interface.

          It's targeted at people who don't run a "public MTA". I run sendmail for local reporting on the same host as spamd. The pf rules allow for unmatched versatility and cost zero in terms of performance unless you're on some überfast Gigabit connection.

    2. By Strykar (Strykar) on www.hackerzlair.org

      > Question:
      > Why not let spamd listen directly to the external ip and port 25?
      > Is the pf and its magic really needed here?
      >
      To quote from the article:
      "This is intended for machines that have a public IP address and receive no external mail. You can be running Sendmail/Postfix/Exim locally for system mails etc. This typically means your MTA listens only on localhost." and
      "We tell pf not to send anything from our public/external interface to the SMTP port at localhost. This is a fail-safe for those running a mailserver locally."

      To answer your question, no, it's not really needed if you don't run an MTA. Just have spamd listen on port 25.

      I run sendmail on that box only to receive system mails. The port redirection keeps me from ever having to worry about a spammer talking to my mailserver while allowing me to run a public mailserver if I choose to do so later down the road. Keeps spamd and my MTA clean.

      It also just works with spamd's defaults (port 8025). A little port redirection is easier to set up and debug than mucking with spamd.

  4. By cml (24.196.48.198) on

    how cool would it be to have a 'spamd' project like seti@home or folding@home??? Got a spare machine (public IP address really)? Run spamd on it and help fight spam! That would rock.

    Comments
    1. By Strykar (Strykar) on

      > how cool would it be to have a 'spamd' project like seti@home or folding@home??? Got a spare machine (public IP address really)? Run spamd on it and help fight spam! That would rock.

      I can't say anything till the details are sorted, but watch this space for something exactly like that :)

    2. By Jim (74.92.184.228) on

      > how cool would it be to have a 'spamd' project like seti@home or folding@home??? Got a spare machine (public IP address really)? Run spamd on it and help fight spam! That would rock.

      Or maybe something like this:

      http://www.projecthoneypot.org/index.php

      in conjunction with spamd?

      Out of curiosity, is anyone else presently participating? Are you getting any value out of it?

      Jim

      Comments
      1. By Daniel Ouellet (66.63.10.94) daniel@presscom.net on

        > Out of curiosity, is anyone else presently participating? Are you getting any value out of it?

        So far I get better results from the setup I described previously, and no false positives as well, but the biggest part, I guess, that makes it better to use spamd with the additional parts explained is that spamd also has auto clean-up of old IPs if you want, meaning for example, should you trap someone's mail server because it got compromised, and the person cleans it up, then after 24 hours your setup will accept legitimate mail from it, as opposed to other setups that will block it for ever, or until you let it in manually.

        Call it efficiency without false positives and without maintenance, meaning peace of mind. You set it up as aggressively as you want and then forget about it. It does its job very well, and the most important part is that it also corrects itself.

        Example of why it's better: assume for a minute, whatever this might be, you have a kid that for whatever reason got a virus, from friends, via email, a disk brought home, or whatnot. Not important how you got it, but you do. Then you send email to these spam traps, you get caught in them, and from that point on your server is out for anyone that uses it; even if you correct the problem the next day, you are out.

        So, for a spammer, the best way to fight this is to make sure they get as many legitimate sources as possible to send to these, as in time they will become irrelevant from having too many false positives.

        Don't get me wrong, the idea is great, but in the end, there are still too many flaws in it.

        In the case of a spamd setup, with greyscanner, honey pot traps, email address traps, domain traps, multiple real and trap smtp servers exchanging their lists via sync messages between them, and the auto clean-up of the spamd list, you get an incredible setup that corrects itself and will not block legitimate emails, and if it does for whatever reason, will correct itself over time.

        What else could you possibly want? A set-up-once-and-forget-about-it setup that maintains itself.

        Just think about it and then see which one you would use.

        I know which one I use.

        Best,

        Daniel

  5. By Matthew Dempsky (70.143.90.158) on

    From the article: 1. Use addresses logged by spamd to setup my own RBL. Have sendmail use it from our DNS servers as a private and guaranteed spammer-only list. Nobody should be talking SMTP to a dynamic home IP netblock!

    This is trivially vulnerable to forgery. Assuming your home IP address is 1.2.3.4, I could create a gmail.com account and send a few emails to postmaster@1.2.3.4 with the result that your SMTP server is now rejecting mail from gmail.com's servers. Similarly, I can lead you to block mail from OpenBSD.org's mail servers by simply running:

    echo 'From: postmaster@1.2.3.4\n\nhelp' | sendmail majordomo@openbsd.org

    So you might want to rethink this strategy before you deploy it. :-)

    Comments
    1. By Anonymous Coward (142.205.212.203) on

      > From the article: 1. Use addresses logged by spamd to setup my own RBL. Have sendmail use it from our DNS servers as a private and guaranteed spammer-only list. Nobody should be talking SMTP to a dynamic home IP netblock!
      > This is trivially vulnerable to forgery. Assuming your home IP address is 1.2.3.4, I could create a gmail.com account and send a few emails to postmaster@1.2.3.4 with the result that your SMTP server is now rejecting mail from gmail.com's servers. Similarly, I can lead you to block mail from OpenBSD.org's mail servers by simply running:
      > echo 'From: postmaster@1.2.3.4\n\nhelp' | sendmail majordomo@openbsd.org
      > So you might want to rethink this strategy before you deploy it. :-)

      From TFA. "This is intended for machines that have a public IP address and receive no external mail."

      The author is well aware of that. The target audience won't give a sh!t if they can't receive gmail or OpenBSD e-mails on their mailserver, because they weren't getting any to begin with.

      If you are intending to get legitimate e-mails, you can always use Spamhaus, which solves your stated problem - but that won't hurt spammers as much as this does.

  6. By Arthur Dent (87.194.37.218) on

    Anyone know if spamd would work in a setup where your mail is coming from an ISP-controlled backup/relay SMTP server?

    So to keep our SMTP server tight and to have some backup in case our office DSL gets knocked out, we have all our public MX servers listed as our ISP's. They then pass that traffic (after some initial virus-scanning on their part) to our Postfix server running on OpenBSD which only listens for connections from our ISP's pool of servers.

    So my question is, would spamd be effective in this case? Wouldn't it just tie up the ISP's bandwidth instead of the spammers? I'm fairly sure it would, but I just wanted to confirm.

    Comments
    1. By Jim (74.92.184.228) on

      > Anyone know if spamd would work in a setup where your mail is coming from an ISP-controlled backup/relay SMTP server?

      Not really. You want spamd in front of your mail exchangers. If your secondary/ISP mail server already accepted mail from the spammer, you missed your opportunity to hurt the spammer and prevent the delivery.

      That's the beauty of spamd. It stutters its way to a permanent 'temporary failure' when spammers attempt delivery.

      Jim

  7. By Pizza is your friend (68.125.31.8) on

    Fun stuff; keep it up.

  8. By Chas (147.154.235.52) on

    ...in a rage that I had personally written software to suck down his spam network. He said some generic stuff about slashing my tires, firebombing my house, etc.

    I didn't do him the courtesy of a reply, but I do enjoy imagining his histrionics from time to time. I can only hope that he has run across a few more spamd traps since then.

  9. By Ben (mouring) mouring@nospam.eviladmin.org on http://eviladmin.org

    I've run spamd for a long time and it has been great. There are some annoying issues with people doing retries from different servers *COUGH-gmail-COUGH*, but after a while you can find tricks around it (I dislike SPF, but it is sOO nice that some large mail hosts are publishing SPF records to whitelist their broken servers =).

    However, the spammers have decided that spamming me isn't useful anymore, but spamming in my name is.

    And nothing in the universe besides beating admins over the head with hammers will stop me from getting 1,000 to 10,000 return emails a day because some idiot admin ACCEPTS THE MAIL before VALIDATING THE USER EXISTS!

    Or the wonderful, "I'm sorry, but person X doesn't work here anymore." or "Due to excess spam I've moved my email address to..." type emails.

    Now if only one can solve that issue correctly and I'd be happy. *SIGH* I can dream.

    - Ben
    I refuse to give up my email address due to other people's stupidity.

    Comments
    1. By Terrell Prude' Jr. (151.188.247.104) tprude@cmosnetworks.com (this is a spamtrap address) on http://www.cmosnetworks.com/

      > - Ben
      > I refuse to give up my email address due to other people's stupidity.

      Then I have a handy trick for you. Give out a "hidden" fake email address via an href tag, like this. You can also do it with punctuation marks, like that last comma you just blew past. Check out the HTML source of this post to see how I did it. And yes, both of these are greytrap addresses that I use.

      --TP

      Comments
      1. By Strykar (59.95.24.254) on

        > - Ben
        > I refuse to give up my email address due to other people's stupidity.
        >
        > Then I have a handy trick for you. Give out a "hidden" fake email address via an href tag, like this. You can also do it with punctuation marks, like that last comma you just blew past. Check out the HTML source of this post to see how I did it. And yes, both of these are greytrap addresses that I use.
        >
        > --TP

        Munging email addresses on a web page: http://www.projecthoneypot.org/how_to_avoid_spambots.php

        Comments
        1. By Ben (mouring) on http://eviladmin.org

          > > - Ben
          > > I refuse to give up my email address due to other people's stupidity.
          > >
          > > Then I have a handy trick for you. Give out a "hidden" fake email address via an href tag, like this. You can also do it with punctuation marks, like that last comma you just blew past. Check out the HTML source of this post to see how I did it. And yes, both of these are greytrap addresses that I use.
          > >
          > > --TP
          >
          > Munging email addresses on a web page: http://www.projecthoneypot.org/how_to_avoid_spambots.php

          I've never bothered to put my email address on my website. Google knows my email address, and anyone that is serious about getting hold of me either knows my email address, knows contacts of mine, or knows how to use Google (funny enough, I did have someone contact me about a former company I worked for using the "google method of email address finding." Thus I know it works =).

          As for grey trapping, I have scripts that dig through spamd's database and grey trap any to: name not on my white list (my email and my friends using me as a backup MX). It would be nice if spamd did this automatically. It would save a lot of hassle.

          - Ben

          Comments
          1. By Anonymous Coward (194.231.39.124) on

            > As for grey trapping, I have scripts that dig through spamd's database and grey trap any to: name not on my white list (my email and the my friends using me as a backup MX). It would be nice if spamd did this automatically. It would save a lot of hassle.

            You can use the spamd.alloweddomains feature; look at man spamd(8).

            For example:
            your domain
             - example.org

            friend domains
             - example.com
             - example.org

            @example.org
            friend1@example.com
            friend2@example.com
            friend1@example.net
            friend1@example.net

            Comments
            1. By Ben (mouring) on http://eviladmin.org

              >> As for grey trapping, I have scripts that dig through spamd's database and grey trap any to: name not on my white list (my email and the my friends using me as a backup MX). It would be nice if spamd did this automatically. It would save a lot of hassle.
              >
              >
              > You can use the spamd.alloweddomain feature look at
              >
              [.. snip ..]

              Serves me right for leap frogging every two years for server software upgrades. I missed that this feature had even appeared.

              Thanks.

              - Ben
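As an added illustration of the approach Ben describes above (digging through spamd's database and greytrapping any recipient that is not on a whitelist), and of the spamd.alloweddomains list format shown in the earlier reply, here is example code written for this page. It is not Ben's script and not part of OpenBSD. It parses spamdb(8) output (the records below are constructed samples), applies alloweddomains-style matching ("@domain" accepts a whole domain, "user@domain" accepts one address), and prints the spamdb -T -a commands that would register the unknown recipients as spamtrap addresses; it does not run anything itself. Lowercasing addresses before comparison is this example's own assumption, not documented spamd behaviour.

```python
"""Greytrap unknown recipients found in spamd's database (added example).

Not Ben's script and not OpenBSD code. Reads spamdb(8)-style records,
checks every greylisted recipient against an allow list in the format of
/etc/mail/spamd.alloweddomains, and emits the `spamdb -T -a` commands that
would turn the unknown recipients into spamtrap addresses.
"""
from typing import List, Set, Tuple

# Constructed sample output of `spamdb`, one record per line. GREY records are
# GREY|ip|helo|from|to|first|pass|expire|block|pass as described in spamdb(8);
# WHITE and TRAPPED records are included only to show that they are skipped.
SAMPLE_SPAMDB_OUTPUT = """\
GREY|192.0.2.10|mail.example.net|<bulk@example.net>|<sales@example.org>|1200000000|1200000000|1200014400|0|0
GREY|192.0.2.11|host.example.com|<friend1@example.com>|<ben@example.org>|1200000100|1200000100|1200014500|0|0
GREY|198.51.100.7|x.invalid|<a@b.invalid>|<friend1@example.com>|1200000200|1200000200|1200014600|0|0
GREY|198.51.100.8|y.invalid|<c@d.invalid>|<nobody@example.com>|1200000300|1200000300|1200014700|0|0
GREY|203.0.113.5|z.invalid|<e@f.invalid>|<webmaster@example.org>|1200000400|1200000400|1200014800|0|0
GREY|203.0.113.6|w.invalid|<g@h.invalid>|<friend3@example.net>|1200000500|1200000500|1200014900|0|0
WHITE|192.0.2.12|||1200000000|1200000000|1203000000|3|2
TRAPPED|203.0.113.9|1200086400
"""

# Constructed allow list in spamd.alloweddomains format: "@domain" accepts
# every address in that domain, "user@domain" accepts exactly that address.
SAMPLE_ALLOWED = """\
@example.org
friend1@example.com
friend2@example.com
friend1@example.net
"""


def load_allowed(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (allowed_domains, allowed_addresses) from alloweddomains-style text.

    Entries are lowercased here; that is this example's choice (assumption),
    not a documented property of spamd's own matching.
    """
    domains: Set[str] = set()
    addresses: Set[str] = set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        if entry.startswith("@"):
            domains.add(entry[1:])
        else:
            addresses.add(entry)
    return domains, addresses


def is_allowed(addr: str, allowed: Tuple[Set[str], Set[str]]) -> bool:
    """True if addr matches an exact entry or a whole-domain entry."""
    domains, addresses = allowed
    addr = addr.lower()
    if addr in addresses:
        return True
    _, _, domain = addr.rpartition("@")
    return bool(domain) and domain in domains


def greylist_recipients(spamdb_text: str) -> List[str]:
    """Extract the 'to' field of every GREY record, without angle brackets."""
    rcpts: List[str] = []
    for line in spamdb_text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or fields[0] != "GREY":
            continue  # WHITE and TRAPPED records carry no recipient
        rcpts.append(fields[4].strip().strip("<>"))
    return rcpts


def find_trap_candidates(spamdb_text: str,
                         allowed: Tuple[Set[str], Set[str]]) -> List[str]:
    """Greylisted recipients that are not on the allow list, sorted, unique."""
    return sorted({r.lower() for r in greylist_recipients(spamdb_text)
                   if not is_allowed(r, allowed)})


def spamdb_trap_commands(candidates: List[str]) -> List[List[str]]:
    """Build the spamdb(8) invocations that would add each spamtrap address."""
    return [["spamdb", "-T", "-a", addr] for addr in candidates]


if __name__ == "__main__":
    allowed_list = load_allowed(SAMPLE_ALLOWED)
    for cmd in spamdb_trap_commands(
            find_trap_candidates(SAMPLE_SPAMDB_OUTPUT, allowed_list)):
        print(" ".join(cmd))
```

Review the printed list before running the commands: once a recipient is a spamtrap address, any greylisted source that later sends to it is moved to spamd's trapped list, so a legitimate sender who mistypes an address would be tarpitted for the trap period too. As the reply above notes, a spamd that ships spamd.alloweddomains does this trapping on its own, and this script is then only useful for checking what it would trap.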

    2. By Daniel Ouellet (66.63.10.94) daniel@presscom.net on

      > And nothing in the universe besides beating admins over the head with hammers will stop me from getting 1,000 to 10,000 return emails a day because some idiot admin ACCEPTS THE MAIL before VALIDATING THE USER EXISTS!

      With one exception however. Refusing emails for accounts that do not exist is great, but many people have backup MX records for their domains managed by their ISP, and in that case the problem really is that they have no clue as to which email address is good and which one is not. So the emails are getting to them, then from there back to you where it is refused, then they may well bounce it back to the source, where in most cases it will also be refused as not real, then double bounce back to you at the postmaster@ account.

      Providing backup MX records for ISP is a real pain in the butt at times for some customers, I tell you. It is kind of counter productive: the better you protect your mail server, the worse it is on the ISP side as they get stuck with all the crap and their servers still have to process all that stuff one way or another.

      The best setup is when both the user and the ISP have their setup in sync and can exchange spamd lists and valid accounts as well, but really, how many ISPs will go to that extent and, even worse, how many users will even understand the reason for doing so, or even how to do it?

      Fighting spam could be real easy if everyone was putting a bit of effort in it, but it would be a utopia to think it will happen anytime soon.

      Comments
      1. By Ben (mouring) on http://eviladmin.org

        > And nothing in the universe besides beating admins over the head with hammers will stop me from getting 1,000 to 10,000 return emails a day because some idiot admin ACCEPTS THE MAIL before VALIDATING THE USER EXISTS!
        >
        > With one exception however. Refusing emails for accounts that do not exists is great, but many people have backup MX records for their domains manage by their ISP and in that case, the problem really is that they have no clue as to what email address is good and witch one is not. So the emails are getting to them, then from there back to you were it is refuse, then they may well bounce it back to the source, where in most cases it will also be refuse as not real, then double bounce back to you at postmaster@ account.
        >
        > Providing backup MX records for ISP is a real pain in the butts at time for some customers I tell you. It is kind of counter productive, better you protect your mail server worst it is on the ISP side as they get stuck with all the crap and their servers still have to process all that stuff one way or an other.
        >
        > The best setup is when both the user and the ISP have their setup in sync and can exchange spamd lists and valid accounts as well, but really, how many ISP will go to that extend and even worst, how many users will even understand the reason for doing so, or even how to do it.
        >
        > Fighting spam could be real easy if everyone was putting a bit of effort in it, but that would be an utopia to think it will happen anytime soon.

        <nod> A friend was acting as my secondary MX, and we just set up a few simple policies. I gave him a list of valid email addresses from the onset, and there was an automated tool for finding out new valid addresses. So he could reject mail correctly (well, he didn't technically reject. He just didn't accept it).

        I dropped my secondary MX because I didn't want to burden my friend's server when around the 6th of July I saw a peak of almost 100,000 bounce backs a day.

        - Ben

  10. By viking (viking) on

    An excellent article!

    On the topic of stopping spam, I recommend having a look at this site - the guy has created an interesting spam-blocking setup called "traveler".

    http://www.vsta.org/spam/Traveler.html

    It does seem a bit more work than the setup in the spamd article, but it may be of some interest anyway....

    - viking

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]