Girish Venkatachalam wrote:
a) Most of the spam originates in USA. And high bandwidth links and busy
mail servers are common targets.

You haven't looked at China and Korea in a long time, it looks like. The USA is not a clean place, but not the major source of it either. Definitely not in my logs anyway.

As for the rest of your email: if you want to stop spam from getting to you and your mail server, there isn't anything related to BGP, high bandwidth, etc. They will send spam to any mailbox that will accept it, regardless of where, who and how connected it is.

It is very easy, simple and fast to set up a spam trap, especially these days with OpenBSD.

1. Put 4.2 on a box and set up spamd on it; that's really easy. For that, look at your pf configuration and follow the man page.

2. Then use Bob's lists in spamd-setup, updated every hour, to add to your filter. You don't need to update them every hour if you want to be nice to Bob, but I guess you can. Just don't do it more often than once per hour, however. There isn't any point.

***** Make sure to increase the table entry limit if you use it, as you run out of space for them. *****

3. Then, unless you have a reason to receive emails from China and Korea, just block those too. And I also use the nixspam list, also provided nicely. (;>

My /etc/mail/spamd.conf looks like what is shown below under spamd.conf.

4. I also use /var/db/whitelist.txt in my configuration for some special cases if needed, but there isn't much there, and changes don't really happen too often either. I created it once to allow some mail servers with the SPF records for them, which is not needed, but does help some senders. You can find a list here:

http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt

And again, I put my list below, not that you need to use it, but for the details. If you don't need it, don't use it.

5. Then add the even better greyscanner, also from Bob, which you can find here:

http://www.ualberta.ca/~beck/greyscanner/

Obviously, put the 4.1 version on your 4.2 box; there were changes between < 4.1 and 4.1 and up. I only needed greyscanner.41.

You set that up and it's really easy to do. All the defaults work as is, nothing special needed, but you can add some unused domains for even more fun and efficiency. See later for this, but in short, you read the Perl script's usage and you need minimal additions for your setup if you go that route.

You will need to install a few packages, all ready to go anyway, so not a big deal to do. I run -current, so you may need different versions for yours, but the list is below.

# pkg_info
p5-Digest-HMAC-1.01p0 interface to HMAC Message-Digest Algorithms
p5-Digest-SHA1-2.11p0 module to calculate SHA1 digests
p5-Email-Valid-0.176p0 Check validity of Internet email addresses
p5-Mail-Tools-1.77  modules for handling mail with perl
p5-Net-DNS-0.61     module to interface the DNS resolver
p5-Net-IP-1.25p0    perl module for IPv4/IPv6 address parsing
p5-Time-TimeDate-1.16p0 library for parsing and formatting dates and times

I run my greyscanner as a special user for that, to keep it safer and more restricted as well, which you can go without, but then why not.

So, in /etc/rc.local, I have this added to it:

# Grey Scanner
if [ -x /usr/local/sbin/greyscanner ]; then
        echo -n 'Start Bob Becks Grey Scanner'; su _greyscanner -c /usr/local/sbin/greyscanner
fi

and obviously I have Bob's script installed in /usr/local/sbin/greyscanner

# ls -al /usr/local/sbin/greyscanner
-rwxr-xr-x  1 root  bin  11711 Sep  4 17:18 /usr/local/sbin/greyscanner

I also added a user _greyscanner without login, which I also run under the _spamd group. That's my choice, and you can do it differently if you want, but as greyscanner interacts with _spamd, it was logical for me to use the same group here.

# cat /etc/master.passwd | grep _greyscanner
_greyscanner:*:1000:62:daemon:0:0:Grey Scanner Daemon:/var/empty:/bin/ksh

# cat /etc/group | grep _greyscanner
_spamd:*:62:_greyscanner

And by the way, in case it wasn't obvious, I also do a spamd-setup at startup as well, so my /etc/rc.local also includes:

# spamd black list building
if [ -x /usr/libexec/spamd-setup ] ; then
        /usr/libexec/spamd-setup & echo -n ' building spamd blacklist'
fi

And then you can see the greyscanner running and doing its stuff, under a limited user as well:

# ps -auxw | grep _greyscanner
_greyscanner 17011 0.0 0.9 6480 4872 00- I 9Dec07 0:30.72 /usr/bin/perl /usr/local/sbin/greyscanner

6. If you are willing to add unused domains that you may already have, then edit the greyscanner and put them here:

@BADRERCPT = (
        "[EMAIL PROTECTED]",
);

The short of this is that it will look for them and trap senders to these unused domains for 24 hours. Worth the addition of new domains just for that.

7. Then, obviously, for your trap domain, add any email addresses to a web page for the various lowlifes to grab; they then start sending you spam to them, and you enjoy the show.

8. If you want even more, you can also sync the spamd lists between multiple SMTP servers via rc.conf.local and the use of spamd_flags=, etc., but I am not sure you have multiple mail servers, so I will skip that part. However, that works very well and adds more to the fight, I tell you. I sync multiple servers together and really enjoy the logs! (;>

Anyway, setting all this up is way shorter than it took me just to write it all, and it's pretty darn efficient, I tell you.

Just do it and then give feedback on your newfound joy! (;>

Best,

Daniel

spamd.conf
=======================
all:\
        :uatraps:override:nixspam:override:china:override:korea:override:

# University of Alberta greytrap hits.
# Addresses stay in it for 24 hours from time they misbehave.
uatraps:\
        :black:\
        :msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
        within the last 24 hours":\
        :method=http:\
        :file=www.openbsd.org/spamd/traplist.gz

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
        :black:\
        :msg="Your address %A is in the nixspam list\n\
        See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
        :method=http:\
        :file=www.openbsd.org/spamd/nixspam.gz

# Mirrored from http://www.okean.com/chinacidr.txt
china:\
        :black:\
        :msg="SPAM. Your address %A appears to be from China\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/chinacidr.txt.gz:

# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
        :black:\
        :msg="SPAM. Your address %A appears to be from Korea\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/koreacidr.txt.gz:

# An example of a list containing addresses which should not talk to spamd.
#
override:\
        :white:\
        :method=file:\
        :file=/var/db/whitelist.txt:

/var/db/whitelist.txt
================================
# From http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt
12.5.136.141 # Southwest Airlines (unique sender, no retry)
12.5.136.142 # Southwest Airlines (unique sender, no retry)
12.5.136.143 # Southwest Airlines (unique sender, no retry)
12.5.136.144 # Southwest Airlines (unique sender, no retry)
12.107.209.244 # kernel.org mailing lists (high traffic, unique sender per mail)
63.82.37.110 # SLmail
63.169.44.143 # Southwest Airlines (unique sender, no retry)
63.169.44.144 # Southwest Airlines (unique sender, no retry)
64.7.153.18 # sentex.ca (common pool)
64.124.204.39 # moveon.org (unique sender per attempt)
64.125.132.254 # collab.net (unique sender per attempt)
#65.82.241.160 # Groupwise?
66.94.237.0/24 # Yahoo Groups servers (common pool, no retry)
66.100.210.82 # Groupwise?
66.135.209.0/24 # Ebay (for time critical alerts)
66.135.197.0/24 # Ebay (common pool)
66.162.216.166 # Groupwise?
66.206.22.82 # PLEXOR
66.206.22.83 # PLEXOR
66.206.22.84 # PLEXOR
66.206.22.85 # PLEXOR
66.218.66.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.67.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.69.0/24 # Yahoo Groups servers (common pool, no retry)
#66.249.82 # gmail (common server pool, bad 451 handling)
66.27.51.218 # ljbtc.com (Groupwise)
#66.89.73.101 # Groupwise?
#68.15.115.88 # Groupwise?
72.14.204.0/24 # qproxy.gmail.com (common server pool, bad 451 handling?)
152.163.225.0/24 # AOL (common pool)
194.245.101.88 # Joker.com (email forwarding server)
195.235.39.19 # Tid InfoMail Exchanger v2.20
195.238.2.0/24 # skynet.be (wierd retry pattern, common pool)
195.238.3.0/24 # skynet.be (wierd retry pattern, common pool)
#204.60.8.162 # Groupwise?
204.107.120.10 # Ameritrade (no retry)
205.206.231.0/24 # SecurityFocus.com (unique sender per attempt)
205.211.164.50 # sentex.ca (common pool)
207.115.63.0/24 # Prodigy (broken software that retries continually with no delay)
#209.104.63 # Ticketmaster (poor retry config)
209.132.176.174 # sourceware.org mailing lists (high traffic, unique sender per mail)
211.29.132.0/24 # optusnet.com.au (wierd retry pattern and more than 48hrs)
213.136.52.31 # Mysql.com (unique sender)
#216.136.226.0 # Yahoo Mail?
#216.157.204.5 # Groupwise?
217.158.50.178 # AXKit mailing list (unique sender per attempt)
#
#
# SPF list was created from script here:
# http://home.xnet.com/~ansible/openbsd_spamd_conf.html
#

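As an added example (not from Daniel's post, and not OpenBSD's own spamd-setup code), here is a small Python parser for the termcap-like spamd.conf format shown above. It joins the backslash-continued lines, splits each record on colons outside the quoted msg="..." text (so the URLs inside messages survive), resolves the "all" entry into the ordered black/white sequence, and checks the override pattern the post relies on: every black list followed by a white list so that /var/db/whitelist.txt hosts are taken out again. The spamd.conf excerpt embedded in it is constructed for the example.

```python
import re
# Constructed excerpt in the termcap-like spamd.conf format the post uses.
SPAMD_CONF = r"""all:\
        :nixspam:override:
# Nixspam recent sources list.
nixspam:\
        :black:\
        :msg="Your address %A is in the nixspam list\n\
        See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
        :method=http:\
        :file=www.openbsd.org/spamd/nixspam.gz
override:\
        :white:\
        :method=file:\
        :file=/var/db/whitelist.txt:
"""
# Split on ':' only outside double quotes, so the URL inside msg="..." survives.
_SPLIT = re.compile(r':(?=(?:[^"]*"[^"]*")*[^"]*$)')

def _records(text):
    """Join backslash-newline continuations, then drop blank and comment lines."""
    lines = re.sub(r"\\\n\s*", "", text).splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]

def parse_spamd_conf(text):
    """Return {name: {'type': 'black'|'white'|None, 'order': [...], key: value}}."""
    conf = {}
    for rec in _records(text):
        name, *fields = [f for f in _SPLIT.split(rec) if f]
        entry = {"type": None, "order": []}
        for f in fields:
            if "=" in f:
                key, val = f.split("=", 1)
                entry[key] = val.strip('"')
            elif f in ("black", "white"):
                entry["type"] = f
            else:
                entry["order"].append(f)  # only 'all' names other lists, in order
        conf[name] = entry
    return conf

def resolve_all(conf):
    """Ordered (list, black|white) sequence that spamd-setup applies for 'all'."""
    return [(n, conf[n]["type"]) for n in conf["all"]["order"]]

def every_blacklist_overridden(conf):
    """True when each black list is followed by a white list (the post's override pattern)."""
    seq = resolve_all(conf)
    return all(i + 1 < len(seq) and seq[i + 1][1] == "white"
               for i, (_, kind) in enumerate(seq) if kind == "black")
```

Running every_blacklist_overridden over your real /etc/mail/spamd.conf is a quick way to catch an "all" line where a black list was added without its trailing override.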