OpenBSD Journal

What do you feed your spamd?

Contributed by jose on from the protecting-against-spam dept.

Wally Bedford writes: "I am now at a point where my spam filter (bayes, content, addresses) is getting quite taxed. I'm going to get spamd going in front of the mail server to distribute the load. After some looking around, I am finding sparse resources for lists. Spews is gone and downloading from costs a bunch.

I think I am going to use the rsync sites listed at I can set a single cron job to rsync the files and then run spamd-setup at the end of that script.

I have also found some harsh lists at Does anyone have some white lists to balance these out? I'd hate to block an entire continent!

So, what else is everyone using for blacklists?"

Anyone have any info they'd like to share?


  1. By gwyllion () on

    The default spamd.conf seems to use Spamhaus,

    Apparently is no longer available, as it is replaced with a bzip2 version:

    The comments in /etc/spamd.conf point you to

    1. By matt.s () nospam-4t-slakin-dot-n3t on mailto:nospam-4t-slakin-dot-n3t

      I use and as RBL servers in postfix, then default spamassassin in the FreeBSD ports. This config seems to work well for me. =)

      1. By Fred () on

        I mainly use:,

        Dsbl contains a list of (proven) exploitable relays and proxies, dynablock a list of dynamic IP addresses. These two complement each other nicely, blocking loads of spam with no false positives so far.

        The dynablock zone files can be copied if needed, see

    2. By Eric () on mailto:eric(at)naxalite(dot)ath(dot)cx

      "Apparently is no longer available, as it is replaced with a bzip2 version:"

      Not that hard to bypass:
      #! /bin/sh
      /usr/local/bin/bunzip2 -f SBL.cidr.bz2
      cat SBL.cidr | /usr/bin/grep -v '#' | cut -f 1 > /home/eric/spamlist

      Run in crontab every 6 hours a few minutes before spamd-setup then in spamd.conf:

      1. By Anonymous Coward () on

        Or even:

        #! /bin/sh
        lynx -source | bunzip2 -c | /usr/bin/grep -v '#' | cut -f 1

        And just call it with an exec line in spamd.conf

    3. By emil () on

      Here is the most elegant spamhaus spamd config that I've seen...

      /etc/spamd.conf:

      spamhaus:\
              :black:\
              :msg="SPAM. Your address %A is in the Spamhaus Block List\n\
              See for more details":\
              :method=exec:\
              :file=/etc/spamd.spamhaus:

      /etc/spamd.spamhaus:

      #!/bin/sh
      ftp -o - '' 2>/dev/null | /usr/local/bin/bunzip2 | awk '{print $1}'

  2. By Peter Hessler () on

    rdr inet proto tcp from any to port smtp -> port 8025

    I have a host that is a honeypot. I have a really high MX record (MX 666) aimed at that IP address, so if any spammer should try to avoid my main MX, they get denied. If they should try my main MX after that, then that is the point.

    That bogus MX is on the same machine as a legit MX, so there is no benefit to an admin to override my MX preferences. If I take down my mail server, I also kill my honeypot.

  3. By Jedi/Sector One () on

    I'm using Daniel's relaydb (/usr/ports/mail/relaydb/) .

    I have a bunch of fake email addresses only used to feed lousy web forms, nntp posts or invisible (for browsers) parts of web pages.

    When someone writes to those addresses, it runs relaydb -b that adds the IP addresses to the spamd's blacklist.

    Works well.

    1. By dude () on

      Why not add
      I have read on discussions where tmda seems to be able to handle a huge load

      1. By tedu () on

        because inevitably some nutjob will post to a mailing list asking for help such that all replies get challenged.

    2. By Craig () on

      For a rather small site with a few users I've found preexisting blacklists to be insufficient. They don't block some things they should and, more importantly, block things they shouldn't. My solution was to use relaydb in conjunction with bogofilter. Each message is passed through bogofilter. If it is identified as spam it is then passed through relaydb to blacklist the ip address. I later come along (BY HAND) and check the list (remember, this is a small site) and see if I agree with the additions. If so they go in.

      An advantage of checking by hand is this allows me to identify spam domains. Shockingly many of them allow domain zone transfers so I can get all their ip addresses and block them all at once instead of waiting to get a spam from each and every one of them.

      I then load the addresses into a pf table and have it redirect connections to spamd. Using this scheme for only a few months now I have about 17,000 ip addresses blocked. When I get enough from an ip block I move it to a different table and have pf send the whole block to spamd. Now most of the spam that gets through (once) comes from home lusers machines and those without reverse name lookups.

      I have only had 2 occasions when I too aggressively blacklisted sites. In those cases I just removed the ip address and when the message was retried it got through. This is the best feature of spamd; mistakes do not lead to missed messages!
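The block promotion and whitelisting described in the comment above, sketched as an added example (not code from the thread or from relaydb). `THRESHOLD`, the one-address-per-line file formats and the `block`/`host` output labels are assumptions; addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example: collapse reviewed blacklist hits into /24 blocks.
# THRESHOLD and the whitelist file format are assumptions of this sketch.
THRESHOLD=${THRESHOLD:-3}

# stdin:  one blacklisted IPv4 address per line
# $1:     whitelist file, one IPv4 address per line (may be empty)
# stdout: "block a.b.c.0/24" for promoted networks, "host a.b.c.d" otherwise
promote_blocks() {
    sort -u | awk -v t="$THRESHOLD" -v wl="$1" '
        function net24(ip,   o) {
            return (split(ip, o, ".") == 4) ? o[1] "." o[2] "." o[3] : ""
        }
        BEGIN {
            # a whitelisted address protects itself and its whole /24
            while ((getline line < wl) > 0) {
                okhost[line] = 1
                oknet[net24(line)] = 1
            }
        }
        {
            net = net24($1)
            if (net == "" || ($1 in okhost)) next
            count[net]++
            hosts[net] = hosts[net] " " $1
        }
        END {
            for (net in count) {
                if (count[net] >= t && !(net in oknet)) {
                    print "block " net ".0/24"
                    continue
                }
                n = split(hosts[net], h, " ")
                for (i = 1; i <= n; i++) print "host " h[i]
            }
        }' | sort
}

# Constructed sample hits (documentation address ranges), one duplicate.
sample_hits() {
    printf '%s\n' 192.0.2.10 192.0.2.11 192.0.2.12 \
        198.51.100.5 198.51.100.6 198.51.100.7 198.51.100.8 \
        203.0.113.9 192.0.2.10
}

sample_hits | promote_blocks /dev/null
```

The `block` and `host` lines can be split into the two lists that feed the separate pf tables the comment mentions.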

  4. By Anonymous Coward () on

    Reports of SPEWS' demise have been greatly exaggerated. Their most prominent server was DDOS'd out of existence, but SPEWS itself is still alive and well.

  5. By Hannu () on

  6. By Jim () on

    # Sample spamd.conf entry
    # somename:
    # :method=exec:
    # :file=/path/to/this/script:
    ftp -o - '' 2>/dev/null | /usr/local/bin/bunzip2 | awk '{print $1}'
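The exec-method pipelines posted in this thread (Eric's, the `lynx` one-liner, emil's and Jim's) discard stderr and hand whatever arrives straight to spamd-setup. The following is an added example, not code from any poster, of a filter to put at the end of such a pipeline: it keeps only well-formed IPv4 addresses and CIDR blocks and fails when too few survive. `MIN_ENTRIES`, the `#`/`;` comment syntax and the sample feed are assumptions.

```shell
#!/bin/sh
# Added example: validate a downloaded blocklist before spamd-setup sees it.
# MIN_ENTRIES is an assumed sanity threshold, not a spamd option.
MIN_ENTRIES=${MIN_ENTRIES:-3}

# stdin: raw list; stdout: unique IPv4 addresses / CIDR blocks, one per line.
# Prints nothing and returns 1 when fewer than MIN_ENTRIES entries survive,
# so an error page or truncated download is not passed on as a blacklist.
clean_cidr_list() {
    out=$(awk '
        { sub(/[#;].*/, "") }      # drop "#" and ";" comments (assumed syntax)
        NF == 0 { next }
        {
            n = split($1, p, "/")
            if (n > 2) next
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            print $1
        }' | sort -u)
    count=$(printf '%s\n' "$out" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -ge "$MIN_ENTRIES" ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample feed (documentation address ranges) with the kind of
# junk a failed download can contain.
sample_feed() {
    cat <<'EOF'
# constructed sample list
192.0.2.0/24 ; entry-1
198.51.100.7
203.0.113.0/24 # trailing comment
<html><body>404 Not Found</body></html>
10.0.0.300
192.0.2.0/33
198.51.100.7
EOF
}

sample_feed | clean_cidr_list
```

In an exec script the download pipeline would end in `| clean_cidr_list || exit 1`; what to do on failure, such as reusing the last good copy, is left to the wrapper.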

  7. By John Shannon () on

    I built my own list from the netblock for China, Singapore, Hong Kong, and Korea. I add addresses rejected by content filtering. When I must clear a mail queue of a reject message from my content filter, I look up the connecting mail server in the ARIN WHOIS database and add the containing block if I'm unlikely to receive legitimate mail from it. I use a whitelist to avoid embarrassing blocks.

  8. By chuck () on

    anyone know if the spamd that comes with 3.3 has the capability of logging as seen on daniel's "annoying spammers" site?

    1. By Anonymous Coward () on

      try /var/log/daemon ?


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]