Contributed by grey on from the applied designs are cool dept.
At JTAN we fight spam using an adaptive database system that controls PF rules for OpenBSD's "spamd" tarpit. Our system consists of a set of perl scripts that we have just updated. They are available here under the BSD license. They aren't the prettiest scripts, but they do a great job for us.
The system depends on our extensive collection of honeypot email addresses (we have over 1000), although it could be used effectively with a smaller group of honeypots. Mail to a honeypot address causes a small "spamparser" script to send a UDP packet with the spammer IP and SpamAssassin score to the central "spamtrapd" daemons, not necessarily on the same machines. These daemons maintain and expire a DB style database of spammers. The daemons also update PF rules as needed based on the state of the dynamic DB database record for each IP. Spammers are automatically added to and removed from the PF table. For convenience, we also provide: a script to query the dynamic DB database from procmail, a daemon that serves a DNSBL from the same data (not intended for a high DNSBL load), a status web page updated periodically, reload of PF on reboot, and automatic DB file corruption detection.
The system is entirely event-driven with minimum latency. Cron is not used. We can route spammers into the spamd tarpit within a few hundred milliseconds of when they send high-score spam to any of our honeypots. Currently, we are trapping about one new spammer IP per second, keeping an average of 200-300 of them amused in our tarpit at any one time. These are all dynamically discovered "quality" spammer IPs, trapped after standard blacklists, like SBL and blocks of Cable/IP senders.
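The flow described above (a UDP report from spamparser, spamtrapd keeping an expiring record per IP and adding or removing that IP from a PF table, the procmail-style query, and the DNSBL view of the same data) modelled as an added Python example. This is not JTAN's Perl code. The score threshold, the 24-hour expiry, the table name spamd_trapped, and the "ip score" payload format are assumptions; the pfctl invocations are collected as argv lists instead of being executed, and the sample addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Model of a honeypot-driven spamd blacklist: UDP reports in, PF table updates out.

Added example, not JTAN's scripts. Assumed: payload is "ip score", scores at or
above THRESHOLD trap the sender, entries expire TTL_SECONDS after the last report.
"""
import ipaddress

THRESHOLD = 10.0          # assumed SpamAssassin score that traps a sender
TTL_SECONDS = 24 * 3600   # assumed lifetime of a trap entry after its last report


def parse_report(datagram: bytes):
    """Parse one spamparser datagram ("ip score"); raises ValueError on anything else.

    The address is validated with ipaddress so that only a real IP ever reaches
    a pfctl argument list; the score must parse as a float.
    """
    parts = datagram.decode("ascii").split()
    if len(parts) != 2:
        raise ValueError("expected 'ip score'")
    ip = ipaddress.ip_address(parts[0])
    return str(ip), float(parts[1])


class SpamTrapDB:
    """In-memory stand-in for spamtrapd's DB file: ip -> {score, expires, hits}."""

    def __init__(self, table="spamd_trapped"):
        self.table = table
        self.entries = {}
        self.pf_commands = []   # pfctl argv lists the daemon would run, in order

    def _pf(self, action, ip):
        # argv list, never a shell string, so the address cannot become a command
        self.pf_commands.append(["pfctl", "-t", self.table, "-T", action, ip])

    def report(self, datagram: bytes, now: float):
        """Handle one UDP report. Returns the trapped IP, or None if below threshold."""
        ip, score = parse_report(datagram)
        if score < THRESHOLD:
            return None
        prev = self.entries.get(ip)
        self.entries[ip] = {
            "score": score,
            "expires": now + TTL_SECONDS,          # every report refreshes the expiry
            "hits": (prev["hits"] + 1) if prev else 1,
        }
        if prev is None:                           # only a new IP touches the PF table
            self._pf("add", ip)
        return ip

    def expire(self, now: float):
        """Drop entries whose expiry has passed and remove them from the PF table."""
        gone = [ip for ip, e in self.entries.items() if e["expires"] <= now]
        for ip in gone:
            del self.entries[ip]
            self._pf("delete", ip)
        return gone

    def is_trapped(self, ip: str, now: float) -> bool:
        """The procmail-side query: is this IP currently in the trap?"""
        e = self.entries.get(ip)
        return e is not None and e["expires"] > now

    def dnsbl_lookup(self, qname: str, zone: str, now: float):
        """Answer a DNSBL query (reversed octets under zone); 127.0.0.2 if listed, else None."""
        suffix = "." + zone
        if not qname.endswith(suffix):
            return None
        labels = qname[: -len(suffix)].split(".")
        if len(labels) != 4:
            return None
        try:
            ip = str(ipaddress.ip_address(".".join(reversed(labels))))
        except ValueError:
            return None
        return "127.0.0.2" if self.is_trapped(ip, now) else None


if __name__ == "__main__":
    db = SpamTrapDB()
    t0 = 1_000_000.0
    db.report(b"203.0.113.5 15.2\n", t0)      # constructed high-score report
    db.report(b"203.0.113.9 3.1", t0)         # constructed low-score report, ignored
    print(db.pf_commands)
    print(db.dnsbl_lookup("5.113.0.203.bl.example", "bl.example", t0))
    print(db.expire(t0 + TTL_SECONDS + 1))
```

Each report refreshes the entry's expiry, so a sender that keeps hitting honeypots stays in the tarpit while a one-off sender ages out; the pfctl argv lists can be handed to subprocess.run without a shell.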