Linux.com

Feature

Installing and configuring spamd

By Terrell Prudé, Jr. on April 12, 2007 (8:00:00 AM)


Yesterday we looked at spamd, a service designed to reduce the flow of spam to your email inbox. Now that we know some of its advantages, let's put it to work.

Finally, we deal with /etc/spamd.conf, the file that tells spamd-setup where each blacklist comes from and what rejection message spamd should feed to addresses on it. If this file is not correct, things fail in various ways: spamd-setup (which reads it) may error out, or some or all of your configuration may be quietly ignored. One strong caution: you cannot use tab characters as whitespace in this file; you must use spaces. I tore my hair out trying to figure out why my /etc/spamd.conf wasn't working as I expected. I replaced the tab characters with spaces, and everything started working correctly.

Here is my entire /etc/spamd.conf file:

all:\
        :spews1:spews2:spamhausdroplist:china:korea:russia:mycustom-black:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
        :black:\
        :msg="SPAM. Your address %A is in the spews level 1 database\n\
        See http://www.spews.org/ask.cgi?x=%A for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

# Mirrored from http://www.spews.org/spews_list_level2.txt
spews2:\
        :black:\
        :msg="SPAM. Your address %A is in the spews level 2 database\n\
        See http://www.spews.org/ask.cgi?x=%A for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/spews_list_level2.txt.gz:

spamhausdroplist:\
        :black:\
        :msg="SPAM. Your address %A is in the Spamhaus drop list\n\
        See http://www.spamhaus.org for more details":\
        :method=file:\
        :file=/etc/spamhaus.droplist.20071227.txt:

# Mirrored from http://www.okean.com/chinacidr.txt
china:\
        :black:\
        :msg="SPAM. Your address %A appears to be from China\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/chinacidr.txt.gz:

# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
        :black:\
        :msg="SPAM. Your address %A appears to be from Korea\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/koreacidr.txt.gz:

# Mirrored from http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/RU-cidr.txt
russia:\
        :black:\
        :msg="SPAM. Your address %A appears to be a source of spam email\n\
        Please contact your ISP regarding this issue":\
        :method=http:\
        :file=www.completewhois.com/statistics/data/ips-bycountry/rirstats/RU-cidr.txt:

# My custom blacklist
mycustom-black:\
        :black:\
        :msg="SPAM. Your address %A is in my spammers list. Please stop.":\
        :method=file:\
        :file=/etc/blacklist.txt:

End /etc/spamd.conf

Every address in these lists ends up in the <spamd> PF table, so the instant such an address connects to port 25 it is redirected to spamd and tarpitted, before it ever reaches the real mail server.

And now, the moment of truth: we are ready to put spamd to work. Run /usr/libexec/spamd-setup now, and run it again whenever you change /etc/spamd.conf, because nothing rereads the file for you. spamd-setup does two things:

  1. It tells PF what to do by loading every IP address or netblock from every file referenced in /etc/spamd.conf into the <spamd> table defined in /etc/pf.conf. Remember that we have a PF rule saying that if a connecting address is in the <spamd> table, its SMTP traffic is redirected to spamd on TCP port 8025 on localhost.
  2. It tells spamd itself, over spamd's configuration connection on localhost, which addresses are on which list and what rejection message (the msg= string, with %A replaced by the connecting address) to feed to each one once PF has redirected its SMTP session to the tarpit. With the configuration above, that covers every address in these lists:
    • www.openbsd.org/spamd/spews_list_level1.txt.gz
    • www.openbsd.org/spamd/spews_list_level2.txt.gz
    • /etc/spamhaus.droplist.20071227.txt
    • www.openbsd.org/spamd/chinacidr.txt.gz
    • www.openbsd.org/spamd/koreacidr.txt.gz
    • www.completewhois.com/statistics/data/ips-bycountry/rirstats/RU-cidr.txt
    • /etc/blacklist.txt

Since the SPEWS Level 1 and Level 2 lists (and the other lists fetched over http) are updated regularly, run spamd-setup from a daily cron job so that it downloads fresh copies and reloads the <spamd> table for you. Bear in mind that these lists arrive over plain, unauthenticated HTTP: anyone who can tamper with a list on its way to you decides which senders your server tarpits, so it is worth checking the size of the <spamd> table after each run and keeping local copies of anything you cannot afford to lose.

Note that I added three sections to my spamd.conf file in order to tarpit and reject even more spammers than the default configuration does. I patterned these new spamhausdroplist, russia, and mycustom-black sections on the existing ones in /etc/spamd.conf. You can also include the worst offenders from completewhois.com, which publishes the netblocks of the entire world, listed by country.
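The following script is an added example and is not part of the original article or of OpenBSD. It wraps the daily spamd-setup run in the pre-flight checks a practitioner would want: it refuses to proceed if /etc/spamd.conf contains tab characters (the caution above), validates every local method=file list as IPv4 addresses or CIDR blocks, and after loading reports how many entries the <spamd> table holds. It assumes the paths the article uses (/etc/spamd.conf, /usr/libexec/spamd-setup, the <spamd> PF table) and that local list paths contain no spaces; the crontab line in the comment and the list contents in the usage block are constructed.

```sh
#!/bin/sh
# Added example, not from the original article or from OpenBSD: pre-flight
# checks to wrap around the daily spamd-setup cron run. Assumes the paths the
# article uses (/etc/spamd.conf, /usr/libexec/spamd-setup, PF table <spamd>).

# spamd.conf must be indented with spaces, never tabs (see the caution above).
check_no_tabs() {
    if grep -n "$(printf '\t')" "$1" >&2; then
        echo "ERROR: $1 contains tab characters; replace them with spaces" >&2
        return 1
    fi
    return 0
}

# Print the local (method=file) list files named in spamd.conf: their file=
# value starts with '/', whereas the http lists are written without a scheme.
local_lists() {
    sed -n 's/^[[:space:]]*:file=\(\/[^:]*\):.*/\1/p' "$1"
}

# A local list must hold one IPv4 address or CIDR block per line; blank lines
# and '#' comments are ignored. Bad lines are reported and the check fails.
check_netblocks() {
    awk '
    function bad(why) { printf("%s: line %d: %s: %s\n", FILENAME, NR, why, $0) > "/dev/stderr"; rc = 1 }
    /^[ \t]*(#|$)/ { next }
    {
        n = split($1, part, "/")
        if (n > 2) { bad("malformed entry"); next }
        if (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32)) { bad("bad prefix length"); next }
        if (split(part[1], oct, ".") != 4) { bad("not a dotted quad"); next }
        for (i = 1; i <= 4; i++)
            if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) { bad("octet out of range"); next }
    }
    END { exit rc }' "$1"
}

# Validate, then load. Set DRY_RUN=1 to run only the checks (no root needed).
# Constructed crontab line for the daily refresh the article recommends:
#   0 4 * * *   /usr/local/sbin/spamd-reload.sh
spamd_reload() {
    conf="${1:-/etc/spamd.conf}"
    check_no_tabs "$conf" || return 1
    for f in $(local_lists "$conf"); do
        check_netblocks "$f" || return 1
    done
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    /usr/libexec/spamd-setup || return 1
    # Sanity check after loading: the table should not be empty.
    echo "entries in <spamd> table: $(pfctl -t spamd -T show | wc -l)"
}
```

Install it as the command your daily cron entry runs; if any check fails the old <spamd> table is left untouched, which is what you want when a mirror hands you a truncated or corrupted list.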

How well does it work?

Spamd has exceeded my expectations. The spam count in my mailbox has gone down to less than 2% of the amount I was receiving before I began running the utility. I've seen a total of only 10 spam messages over the last 10 days; that's a drop from more than 150 per day. Most days my inbox sees no spam whatsoever. My real mail server (mailhost), which does not run anything like SpamAssassin, is cruising along beautifully, and I continue to get all legitimate email.

Spamd's greytrapping is phenomenal and a significant part of why I get that huge reduction. My spamd logs show large numbers of folks attempting to spam my single fake email address, and all of them get tarpitted and rejected.

Copyright (c) 2007 C. Terrell Prudé, Jr.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

Comments on Installing and configuring spamd


Ha

Posted by: Anonymous Coward on April 18, 2007 07:38 AM
What tickles my funny-bone about this is that the article is put under a GNU licence, when the OpenBSD developers really hate the GNU everything.


Re:Ha

Posted by: Anonymous Coward on April 21, 2007 03:53 AM
And don't forget, the author is one of those "Linux guys" that the OpenBSD developers also hate. How do I know? I'm that author. :-)

We can disagree on licenses--GNU vs. BSD--and as long as it doesn't devolve to name-calling, it's a healthy and necessary debate. But we cannot compromise on our fight for freedom. And that's why I wrote the article.

--TP


unverified claims about origins of spam

Posted by: Anonymous Coward on April 21, 2007 04:22 AM
Russian ISPs always take care of any spam-related complaints. I am Russian, I get a lot of Russian spam, and the vast majority of it comes from the LACNIC 200.0.0.0/7 network, KR/CN, as well as North America and Western Europe. The number of spam received from Russian networks is just close to being negligible.

Could you please be so kind as to either provide reputable verification of your claims that Russian ISPs and the government don't care about spam, or remove Russia from the default configuration that you provide in the article? Too many people just copy-paste the configuration these days, so I hope that you will act responsibly here and with due promptness.

Thank you,
Constantine.


Re: unverified claims about origins of spam

Posted by: Anonymous [ip: 70.169.167.212] on July 22, 2007 02:04 PM
Actually, I have to agree with the author on this one. You oughta see my logs, there are lots of Russian bots trying to spam me (whois is great for determining this).


Re: unverified claims about origins of spam

Posted by: Anonymous [ip: 151.188.247.104] on November 09, 2007 02:50 AM
If only that were true, Constantine! I wish it were. Unfortunately, my server logs for the past seven months do show lots of Russian IP addresses trying to spam me with "V1agra" ads. This is right along with IP addresses from Romania, Bulgaria, Poland, and Hungary. It seems that Eastern Europe is as much a hotbed for "scam spams" as China and Nigeria are!

You correctly point out that a good chunk of the spam originates from LACNIC. A bunch of WHOIS queries shows that the chief source of spam from LACNIC is currently Brazil.

You also correctly point out that a lot of the spam is from the United States. I would add Canada to that list. That's why I also do my sleuthwork and find the IP ranges that Verizon, Comcast, Quest, Rogers, etc. use for their dynamic IP assignments. These are automatically blacklisted, since home broadband users with dynamic IP addresses don't typically run Internet mail servers. :-)

HOTMAIL ALERT: I have also been getting a lot of spam from Microsoft's HotMail in the last few months. After several notices to them, it still didn't stop. Therefore, MS HotMail is now also on my private blacklist (65.54.0.0/16). Doggone shame. Yahoo currently seems to be better with that, from what I can see.

So, it's not just the Russians. Far from it. And my blacklist has grown since I first wrote the article.

--TP


Installing and configuring spamd

Posted by: Anonymous [ip: 89.32.82.94] on October 18, 2007 09:18 PM
I have spam. This product is made in USA, the best quality.


Installing and configuring spamd

Posted by: Anonymous [ip: 151.188.247.104] on November 09, 2007 02:38 AM
There are minor changes for subsequent versions of OpenBSD. First, the greylisting is on by default. That means that, in /etc/rc.conf, you don't have to throw the -G switch in the list of spamd's parameters. Also, the default /etc/spamd.conf no longer points to the now-defunct SPEWS (it points elsewhere now). Other than that, it's the same on OpenBSD 4.1. A month and a half ago, I implemented this on 4.1 for a friend, using 3Com 3C905's instead of Intel EtherExpress cards, and everything transferred over. All I had to do in /etc/pf.conf was change the aliases for fxp0 and fxp1 to xl0 and xl1, respectively. Worked like a champ. And my friend is very happy with the reduction in spam.

I haven't yet tried it on 4.2 (released this month), but I'd expect it to work the same.

Other than that, I didn't have to make any other changes.

--TP

