Re: need help with honeypot

2024-01-23 Thread kasak
Thu, 2 Nov 2023 at 09:51, kasak :
>
> Mon, 23 Oct 2023 at 09:11, kasak :
> >
> > Fri, 20 Oct 2023 at 19:52, Юрий Иванов :
> > >
> > > Sorry for the off-topic...
> > > ...but thanks for your OpenBSD PF book Peter :-)
> > > 
> > > From: kasak 
> > > Sent: 20 October 2023 8:48
> > > To: Peter N. M. Hansteen 
> > > Cc: misc@opensmtpd.org 
> > > Subject: Re: need help with honeypot
> > >
> > > Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
> > > >
> > > > On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > > > > In the traps file I have a list of spoiled addresses, for example 
> > > > > aa...@tvema.ru
> > > > > But mail is not accepted :(
> > > >
> > > > This sounds like you are more or less trying to imitate the greytrapping
> > > > feature of OpenBSD spamd.
> > >
> > > Yes, it is something similar, but not quite. I have no need of
> > > greytrapping; I want to teach rspamd.
> > > I hope I can do this without spamd.
> > >
> > > > You might want to read this article of mine (gosh, it's been 11 years)
> > > > and links therein for inspiration: 
> > > > https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> > > > (also newly available trackerless but with even uglier formatting as 
> > > > https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> > > > assuming, as usual that your system runs OpenBSD (also applicable with
> > > > minor adjustments on FreeBSD or NetBSD)
> > > >
> > > > - Peter
> > > >
> > > > --
> > > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > > > https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> > > > "Remember to set the evil bit on all malicious network traffic"
> > > > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> > >
> >
> > I did some experiments here, and it looks like this is not a "match"
> > problem, this is an "action" problem.
> > If I change action "trap" to some real delivery method, it works.
> > So, I need to fix it with rspamc somehow.
>
> If anyone is interested, I have figured out how to do what I wanted to do.
>
> Here is a howto:
> First, collect spoiled email addresses into a list, for example
> /etc/mail/traps.
> Second, we must map these addresses to some local user, because
> otherwise smtpd will not know where to put them.
> To do this, we must make another table, mapping all addresses to
> the _rspamd user.
> You can do this with a simple sed pattern:
> cat /etc/mail/traps | sed 's/$/ _rspamd/' > /etc/mail/virtualtraps
> Now we have two tables, traps for matching and virtualtraps for the action.
>
> Add something like this to smtpd.conf:
> 
> table traps file:/etc/mail/traps
> table virtualtraps file:/etc/mail/virtualtraps
>
> action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" virtual <virtualtraps>
>
> match from any for rcpt-to <traps> action "trap"
>
> The match directive should be placed above the main domain match.
> And voila!
> You can monitor the teaching with grep:
> grep -F -f /etc/mail/traps /var/log/maillog

Folks, I just suddenly discovered that rspamd has a module that achieves
exactly the same functionality.
https://rspamd.com/doc/modules/spamtrap.html
I already tested it and it works like a charm!
How did I not notice it before?



Re: need help with honeypot

2023-11-02 Thread kasak
Mon, 23 Oct 2023 at 09:11, kasak :
>
> Fri, 20 Oct 2023 at 19:52, Юрий Иванов :
> >
> > Sorry for the off-topic...
> > ...but thanks for your OpenBSD PF book Peter :-)
> > 
> > From: kasak 
> > Sent: 20 October 2023 8:48
> > To: Peter N. M. Hansteen 
> > Cc: misc@opensmtpd.org 
> > Subject: Re: need help with honeypot
> >
> > Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
> > >
> > > On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > > > In the traps file I have a list of spoiled addresses, for example 
> > > > aa...@tvema.ru
> > > > But mail is not accepted :(
> > >
> > > This sounds like you are more or less trying to imitate the greytrapping
> > > feature of OpenBSD spamd.
> >
> > Yes, it is something similar, but not quite. I have no need of
> > greytrapping; I want to teach rspamd.
> > I hope I can do this without spamd.
> >
> > > You might want to read this article of mine (gosh, it's been 11 years)
> > > and links therein for inspiration: 
> > > https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> > > (also newly available trackerless but with even uglier formatting as 
> > > https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> > > assuming, as usual that your system runs OpenBSD (also applicable with
> > > minor adjustments on FreeBSD or NetBSD)
> > >
> > > - Peter
> > >
> > > --
> > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > > https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> > > "Remember to set the evil bit on all malicious network traffic"
> > > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> >
>
> I did some experiments here, and it looks like this is not a "match"
> problem, this is an "action" problem.
> If I change action "trap" to some real delivery method, it works.
> So, I need to fix it with rspamc somehow.

If anyone is interested, I have figured out how to do what I wanted to do.

Here is a howto:
First, collect spoiled email addresses into a list, for example
/etc/mail/traps.
Second, we must map these addresses to some local user, because
otherwise smtpd will not know where to put them.
To do this, we must make another table, mapping all addresses to
the _rspamd user.
You can do this with a simple sed pattern:
cat /etc/mail/traps | sed 's/$/ _rspamd/' > /etc/mail/virtualtraps
Now we have two tables, traps for matching and virtualtraps for the action.

Add something like this to smtpd.conf:

table traps file:/etc/mail/traps
table virtualtraps file:/etc/mail/virtualtraps

action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" virtual <virtualtraps>

match from any for rcpt-to <traps> action "trap"

The match directive should be placed above the main domain match.
And voila!
You can monitor the teaching with grep:
grep -F -f /etc/mail/traps /var/log/maillog
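As an added worked example (editor's code, not from the thread or from the OpenSMTPD/rspamd projects), here is a POSIX sh script that performs the two mechanical steps of the howto above a little more defensively than the one-line sed: it builds the virtualtraps mapping table from the traps list (dropping blank lines and # comments, rejecting any line that is not a single user@domain token, removing duplicates), and it counts per-address hits in log lines the way the closing grep does, using fixed-string matching so the dots in domains are not treated as regex metacharacters. The _rspamd user and the table layout follow the post; the traps list and the "maillog" lines are constructed sample data, and their format is illustrative rather than real smtpd output.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the OpenSMTPD "virtual"
# table from a list of spam-trap addresses and counts trap hits in a log.
# Assumptions: one address per line in the traps file ('#' comments and
# blank lines allowed); trap mail is delivered to the local user _rspamd,
# as in the howto; the log lines below are constructed, not real smtpd output.
set -u

TRAP_USER=_rspamd   # the local user the mda action runs as (from the howto)

# normalize_traps FILE
# Prints the usable trap addresses: comments and surrounding whitespace
# stripped, anything that is not a single user@domain token dropped,
# duplicates removed. A stray line like "not an address" must not end up
# in an smtpd table, so it is rejected here instead of being mapped blindly.
normalize_traps() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    grep -E '^[^[:space:]@<>]+@[^[:space:]@<>]+$' |
    sort -u
}

# build_virtualtraps TRAPS_FILE
# Emits the "address user" lines for the virtual table, i.e. what the
# howto's one-line sed produces, but from the cleaned, de-duplicated list.
build_virtualtraps() {
    normalize_traps "$1" | sed "s/\$/ $TRAP_USER/"
}

# count_trap_hits TRAPS_FILE LOGFILE
# Prints "count address" for every trap address that occurs in LOGFILE,
# most-hit first. grep -F treats the address as a literal string; note that
# a substring match is still possible (x@example.com also matches yx@example.com).
count_trap_hits() {
    normalize_traps "$1" |
    while IFS= read -r addr; do
        n=$(grep -F -c -i -- "$addr" "$2" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$n" "$addr"
        fi
    done |
    sort -rn
}

# write_samples DIR
# Constructed sample input for the demo: a traps list with a comment, a
# duplicate, a junk line and trailing whitespace, plus four made-up log
# lines in which two of the trap addresses appear.
write_samples() {
    cat > "$1/traps" <<'EOF'
# addresses harvested from bounce logs (constructed sample)
aaa@example.com
bbb@example.com
aaa@example.com
not an address
ccc@example.com   
EOF
    cat > "$1/maillog" <<'EOF'
Nov  2 09:51:01 mx smtpd[123]: trap delivery rcpt-to=<aaa@example.com> (constructed)
Nov  2 09:51:02 mx smtpd[123]: trap delivery rcpt-to=<aaa@example.com> (constructed)
Nov  2 09:52:10 mx smtpd[123]: trap delivery rcpt-to=<ccc@example.com> (constructed)
Nov  2 09:53:00 mx smtpd[123]: normal delivery rcpt-to=<user@example.com> (constructed)
EOF
}

# Demo run: generate the table and the hit counts from the constructed data.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "# virtualtraps table:"
build_virtualtraps "$demo_dir/traps"
echo "# trap hits:"
count_trap_hits "$demo_dir/traps" "$demo_dir/maillog"
rm -rf "$demo_dir"
```

To use it on a real box, point build_virtualtraps at /etc/mail/traps and redirect its output to /etc/mail/virtualtraps, then reload smtpd; the point of validating the list first is that a malformed line in a file-backed table is a configuration error you would rather catch before the daemon does.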



Re: need help with honeypot

2023-10-23 Thread kasak
Fri, 20 Oct 2023 at 19:52, Юрий Иванов :
>
> Sorry for the off-topic...
> ...but thanks for your OpenBSD PF book Peter :-)
> 
> From: kasak 
> Sent: 20 October 2023 8:48
> To: Peter N. M. Hansteen 
> Cc: misc@opensmtpd.org 
> Subject: Re: need help with honeypot
>
> Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
> >
> > On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > > In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
> > > But mail is not accepted :(
> >
> > This sounds like you are more or less trying to imitate the greytrapping
> > feature of OpenBSD spamd.
>
> Yes, it is something similar, but not quite. I have no need of
> greytrapping; I want to teach rspamd.
> I hope I can do this without spamd.
>
> > You might want to read this article of mine (gosh, it's been 11 years)
> > and links therein for inspiration: 
> > https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> > (also newly available trackerless but with even uglier formatting as 
> > https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> > assuming, as usual that your system runs OpenBSD (also applicable with
> > minor adjustments on FreeBSD or NetBSD)
> >
> > - Peter
> >
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

I did some experiments here, and it looks like this is not a "match"
problem, this is an "action" problem.
If I change action "trap" to some real delivery method, it works.
So, I need to fix it with rspamc somehow.



RE: need help with honeypot

2023-10-20 Thread Юрий Иванов
Sorry for the off-topic...
...but thanks for your OpenBSD PF book Peter :-)

From: kasak 
Sent: 20 October 2023 8:48
To: Peter N. M. Hansteen 
Cc: misc@opensmtpd.org 
Subject: Re: need help with honeypot

Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
>
> On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
> > But mail is not accepted :(
>
> This sounds like you are more or less trying to imitate the greytrapping
> feature of OpenBSD spamd.

Yes, it is something similar, but not quite. I have no need of
greytrapping; I want to teach rspamd.
I hope I can do this without spamd.

> You might want to read this article of mine (gosh, it's been 11 years)
> and links therein for inspiration: 
> https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> (also newly available trackerless but with even uglier formatting as 
> https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> assuming, as usual that your system runs OpenBSD (also applicable with
> minor adjustments on FreeBSD or NetBSD)
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: need help with honeypot

2023-10-19 Thread kasak
Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
>
> On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
> > But mail is not accepted :(
>
> This sounds like you are more or less trying to imitate the greytrapping
> feature of OpenBSD spamd.

Yes, it is something similar, but not quite. I have no need of
greytrapping; I want to teach rspamd.
I hope I can do this without spamd.

> You might want to read this article of mine (gosh, it's been 11 years)
> and links therein for inspiration: 
> https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> (also newly available trackerless but with even uglier formatting as 
> https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> assuming, as usual that your system runs OpenBSD (also applicable with
> minor adjustments on FreeBSD or NetBSD)
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: need help with honeypot

2023-10-19 Thread Peter N. M. Hansteen
On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
> But mail is not accepted :(

This sounds like you are more or less trying to imitate the greytrapping
feature of OpenBSD spamd.

You might want to read this article of mine (gosh, it's been 11 years)
and links therein for inspiration: 
https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
(also newly available trackerless but with even uglier formatting as 
https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
assuming, as usual that your system runs OpenBSD (also applicable with
minor adjustments on FreeBSD or NetBSD)

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.