OpenBSD Journal

Greylisting with PF

Contributed by sean on from the more pf articles than you can shake a stick at dept.

teemu writes:
Dan Langille has written an article on using pf and spamd with greylisting - on FreeBSD. Anyway, it shows the usage of spamd and its integration, a few basics of pf, and a bit of troubleshooting. He mentions greyscanner from Bob at the end.

Even if it's on FreeBSD, maybe it is worth mentioning:

http://www.onlamp.com/pub/a/bsd/2007/01/18/greylisting-with-pf.html

cheers,
teemu



Comments
  1. By Bret Lambert (tbert) bret.lambert@gmail.com on

    The author recommends updating your blacklist once an hour. Is that really how often you need to do it?

    I'll admit my ignorance of the matter, but it seems overkill.

    Comments
    1. By phessler (phessler) on http://theapt.org

      > The author recommends updating your blacklist once an hour. Is that really how often you need to do it?
      >
      > I'll admit my ignorance of the matter, but it seems overkill.


      If you are going to use blacklists, you should keep them up to date.

      Personally, I think they cause far more problems than they solve. Not using updated lists makes it worse.

  2. By wob (12.109.229.8) wob@bonch.org on

    typo in the title, one too many "i"s.

    I'd email direct, but http://undeadly.org/I don't work here doesn't work very well. :)

    Comments
    1. By sean (sean) on

      Fixed. Thanks.

  3. By em (89.176.174.162) on

    Does anyone know of a script, preferably written in Perl, to handle mail server pools from spamd db output? Is there anything? If not, I can write my own script.

    Comments
    1. By jason (TheDudeAbides) on http://www.snakelegs.org

      > Does anyone know of a script, preferably written in Perl, to handle mail server pools from spamd db output? Is there anything? If not, I can write my own script.

      something similar

      Would like the option of whitelisting a whole /24 subnet on greylist passes, and outbound whitelisting, as here.
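A script of the kind the two comments above ask for, in sh/awk rather than Perl. This is an added example for this page, not code from the article, from the commenters, or from OpenBSD's spamd/spamdb. It assumes the spamdb(8) record layout spelled out in its comments and takes the /24 cut and the "at least N whitelisted hosts" threshold as design choices for the demo: a block is only whitelisted as a unit once several distinct hosts in it have already passed greylisting, which is what a farm of outbound gateways looks like and what a single compromised host does not.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenBSD's spamd/spamdb.
# Turns spamdb(8) output into /24 networks worth whitelisting as a unit:
# a network qualifies once at least MIN_HOSTS distinct addresses in it have
# reached WHITE (passed greylisting). IPv4 only; the /24 cut and the
# threshold are assumptions made for this demo.
#
# spamdb(8) record shapes used here:
#   WHITE|ip|||first|pass|expire|block|pass
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
#   TRAPPED|ip|expire

# Constructed sample of spamdb output (not a real database dump).
SAMPLE_SPAMDB='WHITE|192.0.2.10|||1168900000|1168900300|1171900300|0|1
WHITE|192.0.2.11|||1168900050|1168900400|1171900400|0|1
WHITE|192.0.2.12|||1168900060|1168900500|1171900500|0|2
GREY|192.0.2.13|mx3.example.net|<a@example.net>|<b@example.org>|1168900100|1168901600|1168914500|1|0
WHITE|198.51.100.7|||1168900000|1168900300|1171900300|0|1
TRAPPED|203.0.113.9|1168986400'

# spamdb_white24 [MIN_HOSTS]   (spamdb output on stdin, default threshold 2)
# Prints one "a.b.c.0/24" line per qualifying network, sorted.
spamdb_white24() {
    awk -F'|' -v min="${1:-2}" '
        # Count distinct WHITE hosts per /24. GREY and TRAPPED rows are
        # ignored, and a repeated row for the same host is counted once.
        $1 == "WHITE" && split($2, o, ".") == 4 {
            net = o[1] "." o[2] "." o[3] ".0/24"
            key = net SUBSEP $2
            if (!(key in seen)) { seen[key] = 1; hosts[net]++ }
        }
        END {
            for (net in hosts)
                if (hosts[net] >= min) print net
        }' | sort
}

# Runs the function over the constructed sample.
demo_white24() {
    printf '%s\n' "$SAMPLE_SPAMDB" | spamdb_white24 "${1:-2}"
}

if [ "${1:-}" = "--demo" ]; then
    demo_white24
fi
```

On a live system the input is simply `spamdb | spamdb_white24 2`. Feed the result into the pf table that your rule uses to bypass spamd (the `<nospamd>` table in current spamd(8) examples, loaded from /etc/mail/nospamd), not into `<spamd-white>`, which spamd maintains itself. Check WHOIS on each candidate block before trusting it: a /24 whitelist is a bet that the whole block belongs to one mail operator.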

  4. By Terrell Prude' Jr. (151.188.0.238) tprude@cmosnetworks.com on

    This looks pretty comprehensive. Just last night, I got my own spamd tarpit going, and I'm seeing some hits. I'm going to try out some of the things in here, such as greytrapping, which he describes how to do.

    The OpenBSD team is composed of some pretty damned smart individuals.

    Comments
    1. By Terrell Prude' Jr. (151.188.0.238) tprude@cmosnetworks.com on

      > This looks pretty comprehensive. Just last night, I got my own spamd tarpit going, and I'm seeing some hits. I'm going to try out some of the things in here, such as greytrapping, which he describes how to do.
      >
      > The OpenBSD team is composed of some pretty damned smart individuals.
      >

      OK, the greylisting works pretty well. My spam content just took a nosedive over the last couple of days. My /var/log/daemon file is showing all sorts of folks from around the world getting greylisted. It does require some fine-tuning, to be sure. I have run into the issue of Hotmail using multiple SMTP gateways to retry messages, and of course each of their individual gateways gets greylisted. So, I'm working on a way to deal with that. Dan Hartmeier's solution looks promising for this. For now, I'm just allowing all of Hotmail's SMTP gateways with a DNS MX query, until I can give the Hartmeier method a whirl.

      I wonder if it would be possible to take Mozilla Thunderbird's spam judgment logic and somehow apply it to the Hartmeier method. Hmmm....

      I also implemented greytrapping, and it works like a charm. I'm seeing those offenders get stuck for just under ten minutes before they get tired of my tarpit and go away. Serves 'em right.

      My logs are showing me another interesting thing. Some MTAs apparently can detect tarpitting, and they themselves drop the connection after about three seconds. Of course, if they do that, then they're obviously spammers, and I don't want to talk to them anyway. Even so, they still try multiple connections, and sometimes they try them again and again for about 10 minutes.

      Hmm...costing spammers money...I like this. :-)

      --TP
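The comment above reads spamd's /var/log/daemon lines by eye to spot trapped hosts and clients that hang up after a few seconds. The script below does the same tally per client IP. It is an added example, not code from the article or from the commenter, and it assumes the spamd(8) log line shapes listed in its comments (the date, host and pid prefix is syslog's); the five-second "gave up at once" threshold is a choice made for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or from the commenter.
# Summarises spamd(8) lines from /var/log/daemon per client: how often it
# connected, which list (if any) it was on, and the shortest and longest
# time it sat in the tarpit before hanging up. A client whose longest stay
# is at most FAST_SECS gave up almost at once (the "tarpit-aware" pattern).
#
# Line shapes as spamd(8) logs them (syslog adds the date/host/pid prefix):
#   <date> <host> spamd[<pid>]: <ip>: connected (<n>/<m>)
#   <date> <host> spamd[<pid>]: <ip>: connected (<n>/<m>), lists: <names>
#   <date> <host> spamd[<pid>]: <ip>: disconnected after <secs> seconds.

# Constructed sample log excerpt (not a real log). The sshd line is noise
# that the report must skip.
SAMPLE_LOG='Jan 20 03:12:01 mx spamd[21891]: 203.0.113.9: connected (1/1), lists: spamd-greytrap
Jan 20 03:21:55 mx spamd[21891]: 203.0.113.9: disconnected after 594 seconds.
Jan 20 03:30:10 mx spamd[21891]: 198.51.100.23: connected (1/0)
Jan 20 03:30:13 mx spamd[21891]: 198.51.100.23: disconnected after 3 seconds.
Jan 20 03:30:40 mx sshd[1422]: Accepted publickey for admin from 192.0.2.5 port 50212
Jan 20 03:31:02 mx spamd[21891]: 198.51.100.23: connected (1/0)
Jan 20 03:31:05 mx spamd[21891]: 198.51.100.23: disconnected after 3 seconds.
Jan 20 03:40:00 mx spamd[21891]: 192.0.2.77: connected (2/0)
Jan 20 03:41:10 mx spamd[21891]: 192.0.2.77: disconnected after 70 seconds.
Jan 20 03:50:00 mx spamd[21891]: 192.0.2.78: connected (1/0)'

# spamd_report [FAST_SECS]   (log lines on stdin; default threshold 5)
# Output, one line per IP, sorted:
#   <ip> <connections> <lists-or-dash> <min-secs> <max-secs> <verdict>
spamd_report() {
    awk -v fast="${1:-5}" '
        $5 !~ /^spamd\[[0-9]+\]:$/ { next }   # only spamd lines
        {
            ip = $6
            sub(/:$/, "", ip)
        }
        $7 == "connected" {
            conns[ip]++
            if (match($0, /lists: .*/)) {
                l = substr($0, RSTART + 7)
                gsub(/ /, ",", l)
                lists[ip] = l
            }
            next
        }
        $7 == "disconnected" {
            secs = $9 + 0
            if (!(ip in minsec) || secs < minsec[ip]) minsec[ip] = secs
            if (!(ip in maxsec) || secs > maxsec[ip]) maxsec[ip] = secs
        }
        END {
            for (ip in conns) {
                if (!(ip in maxsec))
                    verdict = "still-connected"   # no hang-up logged yet
                else if (maxsec[ip] <= fast)
                    verdict = "tarpit-aware"
                else
                    verdict = "held"
                printf "%s %d %s %d %d %s\n", ip, conns[ip],
                    (ip in lists) ? lists[ip] : "-",
                    (ip in minsec) ? minsec[ip] : 0,
                    (ip in maxsec) ? maxsec[ip] : 0, verdict
            }
        }' | sort
}

# Runs the report over the constructed sample.
demo_report() {
    printf '%s\n' "$SAMPLE_LOG" | spamd_report "${1:-5}"
}

if [ "${1:-}" = "--demo" ]; then
    demo_report
fi
```

On a real host run `grep 'spamd\[' /var/log/daemon | spamd_report` (add the rotated daemon.0 files for a longer window). Clients that show up as "tarpit-aware" with many connections are the ones the comment describes; the "held" rows with a list name are the greytrapped hosts paying for the full stutter.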


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]