Once I fixed the NAT rules, I went to m21 and tried to connect. I made it straight through to the real SMTP server:
dan@m21:~$ telnet nyi 25 Trying 188.8.131.52... Connected to nyi.example.org. Escape character is '^]'. 220 nyi.example.org ESMTP Postfix QUIT 221 2.0.0 Bye Connection closed by foreign host. dan@m21:~$
Good, that proves the whitelisting is working. Then I flushed the Postfix mail queue, and the mail message went straight through.
Yes, I missed this entirely during the port install:
$ cd /usr/ports/mail/spamd $ less pkg-message ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ In order to use spamd greylisting feature you have to have a mounted fdescfs(5) at /dev/fd. This is done by adding: fdescfs /dev/fd fdescfs rw 0 0 to /etc/fstab. You may need either a customized kernel, or kldload the fdescfs kernel module. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ $
What is in my spambd right now?
$ spamdb | grep GREY GREY|184.108.40.206|<email@example.com>|<firstname.lastname@example.org>|1163008607|1163023007|1163023007|1|0 GREY|220.127.116.11|<email@example.com>|<firstname.lastname@example.org>|1163008652|1163023052|1163023052|1|0 GREY|18.104.22.168|<email@example.com>|<firstname.lastname@example.org>|1163008622|1163023022|1163023022|1|0 GREY|22.214.171.124|<email@example.com>|<firstname.lastname@example.org>|1163008592|1163022992|1163022992|1|0 GREY|126.96.36.199|<email@example.com>|<firstname.lastname@example.org>|1163008636|1163023036|1163023036|1|0 GREY|188.8.131.52|<email@example.com>|<firstname.lastname@example.org>|1163002782|1163017182|1163017182|1|0 GREY|184.108.40.206|<BrunoYang@rotes-teufelchen.de>|<email@example.com>|1163005081|1163019481|1163019481|1|0 GREY|220.127.116.11|<OctavioDickey@rpcredit.ie>|<firstname.lastname@example.org>|1163005080|1163019480|1163019480|1|0 GREY|18.104.22.168|<>|<email@example.com>|1163010937|1163025337|1163025337|1|0 GREY|22.214.171.124|<firstname.lastname@example.org>|<email@example.com>|1163011838|1163026238|1163026238|1|0 GREY|126.96.36.199|<firstname.lastname@example.org>|<email@example.com>|1163011853|1163026253|1163026253|1|0 GREY|188.8.131.52|<firstname.lastname@example.org>|<email@example.com>|1163001747|1163016147|1163016147|2|0 GREY|184.108.40.206|<firstname.lastname@example.org>|<email@example.com>|1163002285|1163016685|1163016685|1|0 GREY|220.127.116.11|<firstname.lastname@example.org>|<email@example.com>|1163010826|1163025226|1163025226|1|0 GREY|18.104.22.168|<firstname.lastname@example.org>|<email@example.com>|1163000304|1163014704|1163014704|1|0 GREY|22.214.171.124|<firstname.lastname@example.org>|<email@example.com>|1163000292|1163014692|1163014692|1|0 GREY|126.96.36.199|<firstname.lastname@example.org>|<email@example.com>|1162997706|1163012106|1163012106|1|0 GREY|188.8.131.52|<firstname.lastname@example.org>|<email@example.com>|1163008485|1163022885|1163022885|1|0 GREY|184.108.40.206|<firstname.lastname@example.org>|<email@example.com>|1163010212|1163024612|1163024612|1|0 GREY|220.127.116.11|<Antelmi@care-mail.example.com>|<firstname.lastname@example.org>|1163007068|1163021468|1163021468|1|0 GREY|18.104.22.168|<email@example.com>|<firstname.lastname@example.org>|1163001318|1163015718|1163015718|1|0 GREY|22.214.171.124|<email@example.com>|<firstname.lastname@example.org>|1163005846|1163020246|1163020246|1|0 GREY|126.96.36.199|<email@example.com>|<firstname.lastname@example.org>|1163002484|1163016884|1163016884|1|0 GREY|188.8.131.52|<email@example.com>|<firstname.lastname@example.org>|1163009003|1163023403|1163023403|1|0 GREY|184.108.40.206|<email@example.com>|<firstname.lastname@example.org>|1163009013|1163023413|1163023413|1|0 GREY|220.127.116.11|<email@example.com>|<firstname.lastname@example.org>|1163003291|1163017691|1163017691|1|0
Yes, I have slightly obscured the domain names, but you should be able to see who is sending to what. For the record, the MX server in question is not an MX for langille.org or freebsddiary.org... but that's not stopping the spammers from trying. At present, only bsdcan.org uses this greylisting server as an MX. I'm about to add more domains to it and implement greylisting on my other servers.
As I type this additional note on November 24, about 3 weeks after the above, here are the stats of each of my three mail servers:
$ spamdb | grep -c GREY 101 $ spamdb | grep -c WHITE 4462
$ spamdb | grep -c GREY 256 $ spamdb | grep -c WHITE 2404
$ spamdb | grep -c GREY 30 $ spamdb | grep -c WHITE 37
It is interesting to see that one machine has whitelisted nearly 4500 servers in about nine days.
I'm sure all of this sounds great. It can be better. Greytrapping is one step further than greylisting. No doubt you have an abandoned email address that still receives mail. It's probably been on spamming lists for years. If someone is sending email to that address, it's bound to be spam. You can add that address to
spamdb as a spamtrap address. See
man spamdb for details. For example, to designate anyone sending to email@example.com, use the command:
spamdb -T -a "<firstname.lastname@example.org>"
I have a list of 24,592 such email addresses. Why? Well, they aren't really addresses. They are Message-ID values from FreshPorts. FreshPorts didn't always store Message-ID. When I added that attribute, I needed to come up with a value for the existing commits stored in the database. Unfortunately, I selected something like email@example.com (
s/example/FreshPorts/). Spammers grabbed all those addresses, and I started to see huge spam attempts. All bounced of course, because they were not valid addresses. I have since changed those Message-IDs to @dev.null.example.org (
s/example/FreshPorts/), but the spammers continue.
So how do I get the email addresses into
spamdb? They are all in a file named greytrap. This command loads them. It takes a few minutes to complete.
cat greytrap | xargs -n1 spamdb -T -a
That's all there is to it.
With newer versions of
spamd (not available in the FreeBSD Ports tree at the time of writing), you can take advantage of the greylisting period to scan your logs and take appropriate action. The greyscanner script will scan the
spamdb output and look for patterns and blacklist those IP address for 24 hours. If it's not spam, it will come through later. If it is spam, well, you've delayed it. This script can validate the address, check for an MX or A record for the source address, and more.
Things to Think About
Greylisting can delay mail. Greylisting can block mail, but only if you continuously redirect the connection to the tarpit. However, it does greatly reduce the amount of incoming spam. I have no comparative statistics to show you. All I know is that I like it and that it reduces the amount of garbage in my mailbox. :)
Dan Langille runs a consulting group in Ottawa, Canada, and lives in a house ruled by felines.
Return to the BSD DevCenter.