BSD DevCenter
Greylisting with PF

Once I fixed the NAT rules, I went to m21 and tried to connect. I made it straight through to the real SMTP server:

dan@m21:~$ telnet nyi 25 
Trying 64.147.113.42...
Connected to nyi.example.org.
Escape character is '^]'.
220 nyi.example.org ESMTP Postfix
QUIT 
221 2.0.0 Bye
Connection closed by foreign host.
dan@m21:~$

Good, that proves the whitelisting is working. Then I flushed the Postfix mail queue, and the mail message went straight through.

Yes, I missed this entirely during the port install:

$ cd /usr/ports/mail/spamd 
$ less pkg-message
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In order to use spamd greylisting feature you have to have a mounted fdescfs(5)
at /dev/fd.  This is done by adding:

        fdescfs /dev/fd fdescfs rw 0 0

to /etc/fstab.  You may need either a customized kernel, or kldload the fdescfs
kernel module.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$

What is in my spamdb right now?

$ spamdb | grep GREY
GREY|12.199.121.98|<abfaf@cardinalconst.example.com>|<sponsorship@bsdcan.example.org>|1163008607|1163023007|1163023007|1|0
GREY|12.199.121.98|<bfddcgfaceccbe@carltonabbott.example.com>|<sponsorship@bsdcan.example.org>|1163008652|1163023052|1163023052|1|0
GREY|12.199.121.98|<daacgdcedacg@careerpointgroup.example.com>|<sponsorship@bsdcan.example.org>|1163008622|1163023022|1163023022|1|0
GREY|12.199.121.98|<eegadda@carrierescrete.example.com>|<sponsorship@bsdcan.example.org>|1163008592|1163022992|1163022992|1|0
GREY|12.199.121.98|<gffafgfd@cascadecont.example.com>|<sponsorship@bsdcan.example.org>|1163008636|1163023036|1163023036|1|0
GREY|199.227.43.178|<wow_deb48@sharkteethrus.example.com>|<sponsorship@bsdcan.example.org>|1163002782|1163017182|1163017182|1|0
GREY|201.216.157.1|<BrunoYang@rotes-teufelchen.de>|<papers@bsdcan.example.org>|1163005081|1163019481|1163019481|1|0
GREY|201.216.157.1|<OctavioDickey@rpcredit.ie>|<papers@bsdcan.example.org>|1163005080|1163019480|1163019480|1|0
GREY|202.27.236.89|<>|<info@bsdcan.example.org>|1163010937|1163025337|1163025337|1|0
GREY|213.98.26.251|<noreply@freebsddiary.example.org>|<majordomo@freebsddiary.example.org>|1163011838|1163026238|1163026238|1|0
GREY|41.241.113.223|<febo@geol.lsu.edu>|<majordomo@freebsddiary.example.org>|1163011853|1163026253|1163026253|1|0
GREY|58.8.10.140|<ppppppp@hotmail.example.com>|<dan@langille.example.org>|1163001747|1163016147|1163016147|2|0
GREY|58.8.99.137|<thaiwork_job@yahoo.example.com>|<papers@bsdcan.example.org>|1163002285|1163016685|1163016685|1|0
GREY|62.215.92.138|<training@intech-online.example.com>|<dan@langille.example.org>|1163010826|1163025226|1163025226|1|0
GREY|62.45.20.12|<deboraholcomb_hu@calcoastrepiping.example.com>|<activities@bsdcan.example.org>|1163000304|1163014704|1163014704|1|0
GREY|62.45.20.12|<deborahtaylor235@campuscrossroads.example.com>|<activities@bsdcan.example.org>|1163000292|1163014692|1163014692|1|0
GREY|75.89.28.189|<john@pistonheads.biz>|<payment@bsdcan.example.org>|1162997706|1163012106|1163012106|1|0
GREY|76.184.184.115|<stephen@quasarman.biz>|<payment@bsdcan.example.org>|1163008485|1163022885|1163022885|1|0
GREY|80.35.70.14|<mingshengw@postcardsally.example.com>|<payment@bsdcan.example.org>|1163010212|1163024612|1163024612|1|0
GREY|80.98.245.220|<Antelmi@care-mail.example.com>|<papers@bsdcan.example.org>|1163007068|1163021468|1163021468|1|0
GREY|84.227.161.190|<rooster@tuttoocchiali.example.com>|<keys@bsdcan.example.org>|1163001318|1163015718|1163015718|1|0
GREY|84.245.217.46|<work96@tel.fer.hr>|<majordomo@freebsddiary.example.org>|1163005846|1163020246|1163020246|1|0
GREY|84.60.218.15|<sensirox.example.com@theloglog.example.com>|<activities@bsdcan.example.org>|1163002484|1163016884|1163016884|1|0
GREY|85.98.190.1|<deborahschlumpf@calabreselaw.example.com>|<sponsorship@bsdcan.example.org>|1163009003|1163023403|1163023403|1|0
GREY|85.98.190.1|<deborapadinha@canaltai.example.com>|<sponsorship@bsdcan.example.org>|1163009013|1163023413|1163023413|1|0
GREY|91.76.45.94|<h-dudaz@usa.net>|<majordomo@freebsddiary.example.org>|1163003291|1163017691|1163017691|1|0

Yes, I have slightly obscured the domain names, but you should be able to see who is sending to what. For the record, the MX server in question is not an MX for langille.org or freebsddiary.org... but that's not stopping the spammers from trying. At present, only bsdcan.org uses this greylisting server as an MX. I'm about to add more domains to it and implement greylisting on my other servers.

As I type this additional note on November 24, about 3 weeks after the above, here are the stats of each of my three mail servers:

  • nyi
    $ spamdb | grep -c GREY
    101
    $ spamdb | grep -c WHITE
    4462
  • havoc
    $ spamdb | grep -c GREY
    256
    $ spamdb | grep -c WHITE
    2404
  • supernews
    $ spamdb | grep -c GREY
    30
    $ spamdb | grep -c WHITE
    37

It is interesting to see that one machine has whitelisted nearly 4500 servers in about nine days.

Greytrapping

I'm sure all of this sounds great. It can be better. Greytrapping is one step further than greylisting. No doubt you have an abandoned email address that still receives mail. It's probably been on spamming lists for years. If someone is sending email to that address, it's bound to be spam. You can add that address to spamdb as a spamtrap address. See man spamdb for details. For example, to designate yourname@example.org as a spamtrap, so that any host sending to it is trapped, use the command:

spamdb -T -a "<yourname@example.org>"

I have a list of 24,592 such email addresses. Why? Well, they aren't really addresses. They are Message-ID values from FreshPorts. FreshPorts didn't always store Message-ID. When I added that attribute, I needed to come up with a value for the existing commits stored in the database. Unfortunately, I selected something like fp1.12345@example.org (s/example/FreshPorts/). Spammers grabbed all those addresses, and I started to see huge spam attempts. All bounced of course, because they were not valid addresses. I have since changed those Message-IDs to @dev.null.example.org (s/example/FreshPorts/), but the spammers continue.

So how do I get the email addresses into spamdb? They are all in a file named greytrap. This command loads them. It takes a few minutes to complete.

cat greytrap | xargs -n1 spamdb -T -a

That's all there is to it.

Greyscanning

With newer versions of spamd (not available in the FreeBSD Ports tree at the time of writing), you can take advantage of the greylisting period to scan your logs and take appropriate action. The greyscanner script scans the spamdb output, looks for patterns, and blacklists the matching IP addresses for 24 hours. If it's not spam, it will come through later. If it is spam, well, you've delayed it. The script can also validate the sender address, check for an MX or A record for the source address, and more.
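As an added example (not the author's script, and not the greyscanner distributed with spamd), the following Python program parses spamdb GREY rows like those in the listing above and applies one of the patterns a greyscanner looks for: a single source IP cycling through several forged envelope senders while none of its attempts has passed greylisting. The sample rows are copied from the article's listing, plus a constructed WHITE row and a malformed row to show what the parser ignores. The field names, the threshold of three distinct senders, and the use of `spamdb -t -a` to mark a host TRAPPED are assumptions; the DNS checks the article mentions are not implemented here.

```python
"""Scan spamdb(8) GREY entries for a dictionary-attack pattern.

Added example for this article; it is neither the article author's script
nor the greyscanner shipped with spamd.  The field layout assumed is
GREY|ip|from|to|first|pass|expire|block|pass, matching the listing in the
article; the heuristic and its threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: six rows copied from the article's spamdb listing,
# plus a WHITE row and a malformed row that the parser must skip.
SAMPLE_SPAMDB = """\
GREY|12.199.121.98|<abfaf@cardinalconst.example.com>|<sponsorship@bsdcan.example.org>|1163008607|1163023007|1163023007|1|0
GREY|12.199.121.98|<bfddcgfaceccbe@carltonabbott.example.com>|<sponsorship@bsdcan.example.org>|1163008652|1163023052|1163023052|1|0
GREY|12.199.121.98|<daacgdcedacg@careerpointgroup.example.com>|<sponsorship@bsdcan.example.org>|1163008622|1163023022|1163023022|1|0
GREY|201.216.157.1|<BrunoYang@rotes-teufelchen.de>|<papers@bsdcan.example.org>|1163005081|1163019481|1163019481|1|0
GREY|201.216.157.1|<OctavioDickey@rpcredit.ie>|<papers@bsdcan.example.org>|1163005080|1163019480|1163019480|1|0
GREY|58.8.10.140|<ppppppp@hotmail.example.com>|<dan@langille.example.org>|1163001747|1163016147|1163016147|2|0
WHITE|192.0.2.10|||1163000000|1163001500|1166110000|1|3
this line is not a spamdb record
"""


@dataclass(frozen=True)
class GreyEntry:
    ip: str
    sender: str
    recipient: str
    first_seen: int
    pass_time: int
    expire: int
    blocked: int
    passed: int


def parse_spamdb(text):
    """Return the GREY entries in spamdb output.  WHITE/TRAPPED/SPAMTRAP rows
    and malformed rows are skipped rather than raising, so the scanner keeps
    working on a database that contains entries it does not understand."""
    entries = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 9 or fields[0] != "GREY":
            continue
        try:
            entries.append(GreyEntry(
                ip=fields[1],
                sender=fields[2].strip("<>").lower(),     # "<>" becomes ""
                recipient=fields[3].strip("<>").lower(),
                first_seen=int(fields[4]),
                pass_time=int(fields[5]),
                expire=int(fields[6]),
                blocked=int(fields[7]),
                passed=int(fields[8]),
            ))
        except ValueError:
            continue  # a numeric column was not numeric: skip the row
    return entries


def find_candidates(entries, min_senders=3):
    """Group GREY entries by source IP and return {ip: sorted senders} for
    hosts that used at least min_senders distinct envelope senders while
    none of their attempts has passed greylisting.  A legitimate MTA retries
    the same sender/recipient pair; a dictionary spammer cycles through many
    forged senders from one host, as 12.199.121.98 does in the listing."""
    senders = defaultdict(set)
    passed = defaultdict(int)
    for e in entries:
        senders[e.ip].add(e.sender)
        passed[e.ip] += e.passed
    return {
        ip: sorted(s)
        for ip, s in sorted(senders.items())
        if len(s) >= min_senders and passed[ip] == 0
    }


def blacklist_commands(candidates):
    """spamdb -t -a marks a host TRAPPED, which spamd then blacklists for the
    24-hour period the article describes (assumed from spamdb(8)).  The
    commands are returned rather than executed so an operator can review
    them before applying anything."""
    return [f"spamdb -t -a {ip}" for ip in candidates]


if __name__ == "__main__":
    found = find_candidates(parse_spamdb(SAMPLE_SPAMDB))
    for ip, s in found.items():
        print(f"{ip}: {len(s)} distinct senders, e.g. {s[0]}")
    print("\n".join(blacklist_commands(found)))
```

In practice you would replace `SAMPLE_SPAMDB` with the output of `spamdb` itself and run the scan from cron during the greylisting window, which is the whole point of greyscanning: the decision is made before the spammer's retry would have been whitelisted. The threshold is deliberately conservative; a host that legitimately relays for many users can show several senders, so the `passed == 0` condition matters as much as the count.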

Things to Think About

Greylisting can delay mail. Greylisting can block mail, but only if you continuously redirect the connection to the tarpit. However, it does greatly reduce the amount of incoming spam. I have no comparative statistics to show you. All I know is that I like it and that it reduces the amount of garbage in my mailbox. :)

Dan Langille runs a consulting group in Ottawa, Canada, and lives in a house ruled by felines.

