OpenBSD Journal

What do you feed your spamd?

Contributed by jose on from the protecting-against-spam dept.

Wally Bedford writes: "I am now at a point where my spam filter (bayes, content, addresses) is getting quite taxed. I'm going to get spamd going in front of the mail server to distribute the load. After some looking around, I am finding sparse resources for lists. Spews is gone and downloading from spamcop.net costs a bunch.

I think I am going to use the rsync sites listed at http://spfilter.openrbl.org/code/xml-view.php. I can set a single cron job to rsync the files and then run spamd-setup at the end of that script.

I have also found some harsh lists at http://www.blackholes.us/zones/country/ Does anyone have some white lists to balance these out? I'd hate to block an entire continent!

So, what else is everyone using for blacklists?"

Anyone have any info they'd like to share?



Comments
  1. By gwyllion () on

    The default spamd.conf seems to use Spamhaus, http://www.spamhaus.org/sbl/

    Apparently http://spfilter.openrbl.org/data/sbl/SBL.cidr is no longer available, as it is replaced with a bzip2 version: http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2

    The comments in /etc/spamd.conf point you to http://spamlinks.port5.com/filter-bl.htm#ip

    Comments
    1. By matt.s () nospam-4t-slakin-dot-n3t on mailto:nospam-4t-slakin-dot-n3t

      I use sbl.spamhaus.org and bl.spamcop.net as RBL servers in postfix, then default spamassassin in the FreeBSD ports. This config seems to work well for me. =)

      Comments
      1. By Fred () hamvanger@inklaar.net on mailto:hamvanger@inklaar.net

        I mainly use: list.dsbl.org, dynablock.easynet.nl.

        Dsbl contains a list of (proven) exploitable relays and proxies, dynablock a list of dynamic IP addresses. These two complement each other nicely, blocking loads of spam with no false positives so far.

        The dynablock zone files can be copied if needed, see http://dynablock.easynet.nl/.

    2. By Eric () on mailto:eric(at)naxalite(dot)ath(dot)cx

      "Apparently http://spfilter.openrbl.org/data/sbl/SBL.cidr is no longer available, as it is replaced with a bzip2 version: http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2"

      Not that hard to bypass:
      #! /bin/sh
      # fetch the bzip2 list and unpack it in the current directory
      /usr/local/bin/wget http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2
      /usr/local/bin/bunzip2 -f SBL.cidr.bz2
      # keep the first field of every non-comment line as spamd's address list
      /usr/bin/grep -v '#' SBL.cidr | cut -f 1 > /home/eric/spamlist

      Run in crontab every 6 hours a few minutes before spamd-setup then in spamd.conf:
      :file=/home/eric/spamlist:

      Comments
      1. By Anonymous Coward () on

        Or even:

        #! /bin/sh
        lynx -source http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2 | bunzip2 -c | /usr/bin/grep -v '#' | cut -f 1

        And just call it with an exec line in spamd.conf

    3. By emil () on http://rhadmin.org

      Here is the most elegant spamhaus spamd config that I've seen... /etc/spamd.conf:
      spamhaus:\
          :black:\
          :msg="SPAM. Your address %A is in the Spamhaus Block List\n\
          See http://www.spamhaus.org/sbl for more details":\
          :method=exec:\
          :file=/etc/spamd.spamhaus:

      /etc/spamd.spamhaus:
      #!/bin/sh
      ftp -o - 'http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2' 2>/dev/null | /usr/local/bin/bunzip2 | awk '{print $1}'

  2. By Peter Hessler () spambox@theapt.org on http://www.theapt.org

    rdr inet proto tcp from any to xxx.xxx.xxx.xxx port smtp -> 127.0.0.1 port 8025

    I have a host that is a honeypot. I have a really high MX record (MX 666) aimed at that IP address, so if any spammer should try to avoid my main MX, they get denied. If they should try my main MX after that, then that is the point.

    That bogus MX is on the same machine as a legit MX, so there is no benefit to an admin to override my MX preferences. If I take down my mail server, I also kill my honeypot.

  3. By Jedi/Sector One () j@pureftpd.org on http://www.skymobile.com/

    I'm using Daniel's relaydb (/usr/ports/mail/relaydb/).

    I have a bunch of fake email addresses only used to feed lousy web forms, nntp posts or invisible (for browsers) parts of web pages.

    When someone writes to those addresses, it runs relaydb -b that adds the IP addresses to the spamd's blacklist.

    Works well.

    Comments
    1. By dude () dude@mung.net on http://www.mung.net

      Why not add
      http://tmda.net
      I have read in discussions that tmda seems to be able to handle a huge load

      Comments
      1. By tedu () on

        because inevitably some nutjob will post to a mailing list asking for help such that all replies get challenged.

    2. By Craig () on

      For a rather small site with a few users I've found preexisting blacklists to be insufficient. They don't block some things they should and, more importantly, block things they shouldn't. My solution was to use relaydb in conjunction with bogofilter. Each message is passed through bogofilter. If it is identified as spam it is then passed through relaydb to blacklist the ip address. I later come along (BY HAND) and check the list (remember, this is a small site) and see if I agree with the additions. If so they go in.

      An advantage of checking by hand is this allows me to identify spam domains. Shockingly many of them allow domain zone transfers so I can get all their ip addresses and block them all at once instead of waiting to get a spam from each and every one of them.

      I then load the addresses into a pf table and have it redirect connections to spamd. Using this scheme for only a few months now I have about 17,000 ip addresses blocked. When I get enough from an ip block I move it to a different table and have pf send the whole block to spamd. Now most of the spam that gets through (once) comes from home lusers machines and those without reverse name lookups.

      I have only had 2 occasions when I too aggressively blacklisted sites. In those cases I just removed the ip address and when the message was retried it got through. This is the best feature of spamd; mistakes do not lead to missed messages!

  4. By Anonymous Coward () on

    Reports of SPEWS' demise have been greatly exaggerated. Their most prominent server was DDOS'd out of existence, but SPEWS itself is still alive and well.

  5. By Hannu () liljis@hotmail.com on mailto:liljis@hotmail.com

    l1.spews.dnsbl.sorbs.net
    l2.spews.dnsbl.sorbs.net

    http://groups.yahoo.com/group/spews/

  6. By Jim () on

    #!/bin/sh
    #
    # Sample spamd.conf entry
    #
    # somename:\
    #     :method=exec:\
    #     :file=/path/to/this/script:
    #
    # fetch the compressed list, unpack it and print the first field of each line
    ftp -o - 'http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2' \
        2>/dev/null | /usr/local/bin/bunzip2 | awk '{print $1}'
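    An added example, not code from Jim's, Eric's, emil's or the Anonymous Coward's posts: the same fetch-and-strip idea as their :method=exec: feeders, but with the list validated line by line so that a truncated download or an HTML error page is never handed to spamd-setup as addresses. The install path /etc/spamd.sbl and the URL-as-argument convention are assumptions.

```shell
#!/bin/sh
# Added example, not from any post in this thread: a feeder for a spamd
# :method=exec: list in the spirit of the ftp|bunzip2|awk one-liners above,
# but validating every line so a truncated download or an HTML error page
# never lands in the blacklist. Assumed install path: /etc/spamd.sbl, with
# a spamd.conf entry shaped like emil's (:method=exec: :file=/etc/spamd.sbl:)
# and the list URL passed as the script's only argument.

# filter_cidr: stdin -> stdout. Keeps the first field of a line when it is a
# dotted-quad IPv4 address, optionally with a /0../32 prefix; drops comment
# lines, blank lines and anything malformed.
filter_cidr() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            n = split($1, p, "/")
            if (n > 2) next
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            print $1
        }'
}

# fetch_list URL: the compressed list to stdout, using OpenBSD ftp(1) as the
# thread does (substitute curl -s or wget -qO- on other systems).
fetch_list() {
    ftp -o - "$1" 2>/dev/null | bunzip2 -c 2>/dev/null
}

# Constructed sample in SBL.cidr style (address, record id), mixed with the
# kind of junk a failed download produces. Not real listings.
SAMPLE='# SBL.cidr sample (constructed)
192.0.2.0/24    SBL-example-1
198.51.100.7    SBL-example-2

<html><body>503 Service Unavailable</body></html>
203.0.113.0/33  bad-prefix
10.0.0.256/8    bad-octet
2001:db8::/32   ipv6-not-for-this-list'

# sample_result: what filter_cidr makes of SAMPLE, for a quick self-check.
sample_result() { printf '%s\n' "$SAMPLE" | filter_cidr; }

if [ $# -gt 0 ]; then
    fetch_list "$1" | filter_cidr
fi
```

    Run with no argument it only defines the functions; with a URL it behaves as the feeder, and an empty result simply leaves the list empty for that run rather than feeding spamd garbage.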

  7. By John Shannon () on

    I built my own list from the netblocks for China, Singapore, Hong Kong, and Korea. I add addresses rejected by content filtering. When I must clear a mail queue of a reject message from my content filter, I look up the connecting mail server in the ARIN WHOIS database and add the containing block if I'm unlikely to receive legitimate mail from it. I use a whitelist to avoid embarrassing blocks.

  8. By chuck () on lemure.net

    anyone know if the spamd that comes with 3.3 has the capability of logging as seen on Daniel's "annoying spammers" site?

    Comments
    1. By Anonymous Coward () on

      try /var/log/daemon ?
