pantz.org banner
Using spamd as a mail pit
Posted on 11-26-2003 03:33:00 UTC | Updated on 11-26-2003 03:33:00 UTC
Section: /software/spamd/ | Permanent Link

Spamd is a fake sendmail-like daemon which rejects false mail. If the pf packet filter is configured to redirect port 25 (SMTP) to this daemon, it will attempt to waste the time and resources of the spam sender. spamd is designed to be very efficient so that it does not slow down the receiving machine. Spam is never accepted, but always rejected with either a 450 or 550 error message. The normal way that spam has been dealt with in the past is to either accept and drop, or outright block. When configured to use 450 responses, spamd takes neither of these actions: it rejects the mail back to the senders' queue. Spamd is best started from rc.

In this config I use spamd on the machine as a straight tarpit. I have no MTA running to do mail transfer. If you want to know how to setup spamd with an MTA like postfix see my spamd configuration page on setting this up. In this configuration if you touch the server on port 25 you get pitted. Don't touch my 25! If your touching a port that has not been advertised to be open your usually up to no good. To lure in spammers if you don't have an static ip signup at dyndns.org for a free dynamic host name that changes with your ip. Run the ddclient software in OpenBSD packages that watches for an ip address to change and updates dyndns if it does. Then post fake e-mail addresses around the net using the dyndns or static hostnames in the e-mail address. Post on places like test newsgroups and free webpages where spammers like to scrape up e-mail addresses. But to be sure your passive about this on webpages do the text in the href mailto: tag but don't put it in the text area so the text will not show up on the webpage. This way you know the mailto: link was scraped from the page by a bot not a human. This way you can put it on webpages and it won't show up as text and will not effect the layout of the page. Some fun example e-mail addresses to post with your new host name (dyndns has a big list of host names) are things like: jail@thepit.dyndns.org or spam@timewaster.dyndns.org

1. Open /etc/spamd.conf and make it look like the one below. Save it. This will pit all connecitons.

# $OpenBSD: spamd.conf,v 1.9 2004/01/21 08:07:39 deraadt Exp $

all:\
        ::

2. Open /etc/rc.conf find the line spamd_flags= and put in "-b127.0.0.1 -v -s5 -nWelcome_To_The_Pit"

3. Put lines below in /etc/pf.conf to redirect to spamd. Put the rdr line at the top before the pass rule. Then save the file and restart pf (pfctl -f /etc/pf.conf).

#Replace any $ext_if with your external interface name. Ex. fxp0.

# redirect any connection from the outside to localhost port 8025 (spamd).
rdr on $ext_if proto tcp from any to port smtp -> 127.0.0.1 port spamd

# allow the access to spamd port on localhost. 
pass in quick on $ext_if inet proto tcp from any to lo0 port spamd synproxy state flags S/SA

4. Start spamd up with the command "/usr/libexec/spamd -b127.0.0.1 -v -s5 -nWelcome_To_The_Pit"

5. The logs are in /var/log/deamon by default. I've made a Perl script (below) that adds up all the stats and ouputs them to an html file. I have a webserver running on the internal interface and a cronjob set up (50 23 * * * /var/www/cgi-bin/PantzSpamdStats.pl >>/dev/null 2>&1) to run the script every night and dump it to the website directory. Then I can browse to it every day and check out how many spammers are trying to send mail to my fake passive e-mail addresses.

#!/usr/bin/perl

################################
# Start Configuration Settings #
################################

# Set to "all" of you want all files (compressed also) read.
# Set to "one" if you just want the one file named "spamd" read.
$oneorallfiles = "all";

# Path to spamd logfile(s). No "/" after last dir name. Ex. "/var/log".
$spamdpath = "/var/log";

# Spamd log file (daemon by default)
$spamdfile = "daemon";

# Path to output html file
$spamdhtmlfile = "/var/www/htdocs/spamdstats.shtml";

##############################
# End Configuration Settings #
##############################

#####Begin: Assembling date code.#####

($Second, $Minute, $Hour, $Day, $Month, $Year, $WeekDay, $DayOfYear, $IsDaylightSavings) = localtime(time);

$Month += 1;
$Year += 1900;
if ($Month < 10) { $Month = "0" . $Month; }
if ($Hour < 10) { $Hour = "0" . $Hour; }
if ($Minute < 10) { $Minute = "0" . $Minute; }
if ($Second < 10) { $Second = "0" . $Second; }
if ($Day < 10) { $Day = "0" . $Day; }

#####End: Assembling date code.#####

#####Begin: Get one or all spamd filenames.#####

if ($oneorallfiles eq "all") {
  @spamdfilenames = <$spamdpath/$spamdfile*>;
  @spamdfilenames = sort { $b cmp $a } @spamdfilenames;
} else {
  push(@spamdfilenames, "$spamdpath/$spamdfile");
}

#####End: Get one or all spamd filenames.#####

#####Begin: Read spamd file(s) and input data into a hash of arrays for sorting.#####

foreach $spamdlogfile (@spamdfilenames) {
  open(IN, "gzcat -f $spamdlogfile |") or die ("Can't open file. Permissions?. UserID?");
    while( <IN> ) {
      if ((/spamd/) && (/disconnected after/)) {
        ($date,$hostname,$daemonandid,$ipaddress,$seconds) =
        ($_ =~ /(\w+\s{1,2}\d+ \d+:.\d:.\d+) (.*) (.*)\: (\d+\.\d+\.\d+\.\d+)\: disconnected after (\d+)/);
        # Ipaddress is hash key. Update the 1st value in the array with seconds count calling old seconds count and
        # adding it to the new count. Update the 2nd value in the array by 1. Count is per unique ip address hit.
        $spamd_hash{$ipaddress} = [$spamd_hash{$ipaddress}[0] + $seconds,$spamd_hash{$ipaddress}[1] + 1];
      }
    }
  close(IN);
}

#####End: Read spamd file(s) and input data into a hash of arrays for sorting.#####

#####Begin: Output of HTML file.#####

open(SPAMDHTMLSTATS, ">$spamdhtmlfile") or die ("Can't create file");
print SPAMDHTMLSTATS "<html><HEAD><TITLE>Pantz Spamdlog Stats</TITLE></HEAD><div align=\"center\">\n";
print SPAMDHTMLSTATS "<b><font size=\"4\">Pantz Spamdlog Stats</font></b><br>\n";
print SPAMDHTMLSTATS "Script run on: $Month-$Day-$Year $Hour:$Minute:$Second <br><br>\n";
print SPAMDHTMLSTATS "<TABLE BORDER=\"1\"><tr><td align=\"center\"><b>IP Address</b></td>

<td align=\"center\"><b>Hits</b></td><td align=\"center\"><b>Seconds</b></td></tr>\n";

# Loop thru the hash of arrays. Sort on the second value in the arrays. Print it.
for $ips ( sort {  $spamd_hash {$b}[1]  <=>  $spamd_hash{$a}[1] }  keys %spamd_hash ) {
  print SPAMDHTMLSTATS "<tr><td align=\"center\">$ips</td>

  <td align=\"center\">$spamd_hash{$ips}[1]</td>
  <td align=\"center\">$spamd_hash{$ips}[0]</td></tr>\n";
  $totalseconds += $spamd_hash{$ips}[0];
  $totalhitcount += $spamd_hash{$ips}[1];
  $totaluniquehosts++;
}

$avgpitmin = sprintf("%4.1f",($totalseconds/60)/$totalhitcount);
$avgnumhits = sprintf("%4.1f",$totalhitcount/($totaluniquehosts));
$totalpitmin = sprintf("%4.1f",$totalseconds/60);
$totalpithr = sprintf("%4.1f",($totalseconds/60)/60);

print SPAMDHTMLSTATS "<tr><td align=\"center\"><b>Totals:</b></td>

<td align=\"center\"><b>$totalhitcount</b></td><td align=\"center\">
<b>$totalpitmin Mins<br>$totalpithr Hrs</b></td></tr>";

print SPAMDHTMLSTATS "<tr><td align=\"center\"><b>Averages:</b></td>

<td align=\"center\"><b>$avgnumhits</b></td>
<td align=\"center\"><b>$avgpitmin Mins</b></td></tr>";

print SPAMDHTMLSTATS "</html>";

close(SPAMDHTMLSTATS);

Del.icio.us! | Digg Me! | Reddit!

Related stories


RSS Feed RSS feed logo
About


3com
3ware
alsa
alsactl
alsamixer
amd
android
apache
areca
arm
ati
auditd
awk
badblocks
bash
bind
bios
bonnie
cable
carp
cat5
cdrom
cellphone
centos
chart
chrome
cifs
cisco
cloudera
comcast
commands
comodo
compiz-fusion
corsair
cpufreq
cpufrequtils
cpuspeed
cron
crontab
crossover
cu
cups
cvs
database
dbus
dd
dd_rescue
ddclient
debian
decimal
dhclient
dhcp
diagnostic
diskexplorer
disks
dkim
dns
dos
dovecot
drac
dsniff
dvdauthor
e-mail
echo
editor
emerald
ethernet
expect
ext3
ext4
fat32
fedora
fetchmail
fiber
filesystems
firefox
firewall
flac
flexlm
floppy
flowtools
fonts
format
freebsd
ftp
gdm
gmail
gnome
greasemonkey
greylisting
growisofs
grub
hacking
hadoop
harddrive
hba
hex
hfsc
html
html5
http
https
idl
ie
ilo
intel
ios
iperf
ipmi
iptables
ipv6
irix
javascript
kde
kernel
kickstart
kmail
kprinter
krecord
kubuntu
kvm
lame
ldap
linux
logfile
lp
lpq
lpr
maradns
matlab
memory
mencoder
mhdd
mkinitrd
mkisofs
moinmoin
motherboard
mouse
movemail
mplayer
multitail
mutt
myodbc
mysql
mythtv
nagios
nameserver
netflix
netflow
nginx
nic
ntfs
ntp
nvidia
odbc
openbsd
openntpd
openoffice
openssh
openssl
opteron
parted
partimage
patch
perl
pf
pfflowd
pfsync
photorec
php
pop3
pop3s
ports
postfix
power
procmail
proftpd
proxy
pulseaudio
putty
pxe
python
qemu
r-studio
raid
recovery
redhat
router
rpc
rsync
ruby
saltstack
samba
schedule
screen
scsi
seagate
seatools
sed
sendmail
sgi
shell
siw
smtp
snort
solaris
soundcard
sox
spam
spamd
spf
sql
sqlite
squid
srs
ssh
ssh.com
ssl
su
subnet
subversion
sudo
sun
supermicro
switches
symbols
syslinux
syslog
systemrescuecd
t1
tcpip
tcpwrappers
telnet
terminal
testdisk
tftp
thttpd
thunderbird
timezone
ting
tls
tools
tr
trac
tuning
tunnel
ubuntu
unbound
vi
vpn
wget
wiki
windows
windowsxp
wireless
wpa_supplicant
x
xauth
xfree86
xfs
xinearama
xmms
youtube
zdump
zeromq
zic
zlib