How to make spamd more annoying ?

How to make spamd more annoying ?

Mik J
Hello,
I've been annoyed for months/years by a few marketing companies from which I regularly unsubscribed (according to the law in my country they should have done it). A few days ago I decided to make spamd work on my pf machine.
And I trapped that spam company:
Dec 12 19:25:55 openbsd spamd[99682]: (BLACK) x.x.x.x: <[hidden email]> -> <[hidden email]>
Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: To: victim <[hidden email]>
Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: From: =?utf-8?Lalalala= <[hidden email]>
Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: Subject: =?utf-8?Lalalalla
Dec 12 19:28:45 openbsd spamd[99682]: x.x.x.x: disconnected after 387 seconds. lists: spamd-greytrap blacklist

I notice that this spammer lost 387 seconds, so 6 minutes.
Is there a way to make them lose more time?
# grep spamd /etc/rc.conf
spamd_flags="-5 -v -l 127.0.0.1 -h mymx.mydomain.com -n Somestring"

Thank you


Re: How to make spamd more annoying ?

Peter Hessler
On 2016 Dec 12 (Mon) at 21:31:25 +0000 (+0000), Mik J wrote:
:Hello,
:I've been annoyed for months/years by a few marketing companies from which I regularly unsubscribed (according to the law in my country they should have done it). A few days ago I decided to make spamd work on my pf machine.
:And I trapped that spam company:
:Dec 12 19:25:55 openbsd spamd[99682]: (BLACK) x.x.x.x: <[hidden email]> -> <[hidden email]>
:Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: To: victim <[hidden email]>
:Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: From: =?utf-8?Lalalala= <[hidden email]>
:Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: Subject: =?utf-8?Lalalalla
:Dec 12 19:28:45 openbsd spamd[99682]: x.x.x.x: disconnected after 387 seconds. lists: spamd-greytrap blacklist
:
:I notice that this spammer lost 387 seconds, so 6 minutes.
:Is there a way to make them lose more time?
:# grep spamd /etc/rc.conf
:spamd_flags="-5 -v -l 127.0.0.1 -h mymx.mydomain.com -n Somestring"
:

Don't use -5, but use the default -4.  550 is "permanent failure", 450
is "temp fail, try again later".

Also look at the -S and -s options.  -w is also fun.

:Thank you
:

--
"Hello," he lied.
                -- Don Carpenter quoting a Hollywood agent


Re: How to make spamd more annoying ?

Mik J
Thank you Peter,
I've added the -s 5 option and removed the -5. Do you know what the default
-w window size is? About the -S, I didn't understand what it means (I read the
man page).
Regards

    On Monday 12 December 2016 23:22, Peter Hessler <[hidden email]> wrote:


Re: How to make spamd more annoying ?

Peter Nicolai Mathias Hansteen
On Mon, Dec 12, 2016 at 11:12:33PM +0000, Mik J wrote:
> Thank you Peter,
> I've added the -s 5 option and removed the -5. Do you know what the default
> -w window size is? About the -S, I didn't understand what it means (I read the
> man page).

The -S option: by default spamd will 'stutter' (send one byte at a time at
the -s seconds interval) for 10 seconds. Using the -S option, you can set
the number of seconds the stuttering will last on connections from greylisted
hosts before normal traffic parameters kick in.

I don't think I've ever played with that. When I've looked at actual data, (such
as when working on this piece bsdly.blogspot.com/2014/02/effective-spam-and-malware.html
- the graph in the "Introducing greylisting" section) it looks like the vast
majority of connections last less than 3 seconds and the next peak is at approximately
the 400 seconds mark.

- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
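To make the connection-length distribution Peter describes measurable on your own box, here is an added POSIX shell example; it is not from the thread, from any of the posters, or from spamd itself. It parses syslog lines of the "disconnected after N seconds" form quoted earlier in this thread and buckets them around the two regions Peter mentions (under 3 seconds, and the peak near 400 seconds). The log lines, host name and addresses below are constructed for the example.

```shell
#!/bin/sh
# Added example: bucket spamd connection lengths from syslog lines shaped like
#   "Dec 12 19:28:45 host spamd[pid]: IP: disconnected after N seconds."
# SAMPLE_LOG is constructed; addresses come from the documentation ranges.
SAMPLE_LOG='Dec 12 19:28:45 mx spamd[99682]: 192.0.2.10: disconnected after 387 seconds. lists: spamd-greytrap blacklist
Dec 12 19:30:01 mx spamd[99682]: 192.0.2.11: disconnected after 2 seconds.
Dec 12 19:31:14 mx spamd[99682]: 198.51.100.7: disconnected after 42673 seconds.
Dec 12 19:32:09 mx spamd[99682]: 192.0.2.12: disconnected after 1 seconds.
Dec 12 19:33:42 mx spamd[99682]: 203.0.113.5: disconnected after 11 seconds.
Dec 12 19:34:00 mx spamd[99682]: (GREY) 192.0.2.13: <a@example.org> -> <b@example.net>
Dec 12 19:35:55 mx spamd[99682]: 192.0.2.14: disconnected after 0 seconds.
Dec 12 19:41:57 mx spamd[99682]: 192.0.2.10: disconnected after 800 seconds.'

# spamd_durations LOGTEXT: print one duration in seconds per disconnect line.
# Other spamd lines (GREY/BLACK/header lines) are ignored.
spamd_durations() {
    printf '%s\n' "$1" | awk '/disconnected after [0-9]+ seconds/ {
        for (i = 1; i <= NF; i++) if ($i == "after") { print $(i + 1); break }
    }'
}

# bucket_counts LOGTEXT: count connections that are very short (< 3 s), in
# between, and at or beyond the ~400 s mark where stuttered sessions cluster.
bucket_counts() {
    spamd_durations "$1" | awk '
        $1 < 3              { s++ }
        $1 >= 3 && $1 < 400 { m++ }
        $1 >= 400           { l++ }
        END { printf "short=%d mid=%d long=%d\n", s, m, l }'
}

# per_address LOGTEXT: number of disconnects per remote address, busiest first,
# which shows which senders keep coming back to the tarpit.
per_address() {
    printf '%s\n' "$1" | awk '/disconnected after/ {
        ip = $6; sub(/:$/, "", ip); n[ip]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Run against the constructed sample. On a live system you would feed the
# real log instead, e.g.:  bucket_counts "$(grep 'spamd\[' /var/log/daemon)"
bucket_counts "$SAMPLE_LOG"
per_address "$SAMPLE_LOG"
```

The field position of the address (`$6`) assumes the standard syslog prefix of month, day, time, host and program; adjust it if your syslog format differs.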


Re: How to make spamd more annoying ?

Craig Skinner-3
In reply to this post by Peter Hessler
Hi Mik,

On Mon, 12 Dec 2016 23:21:51 +0100 Peter Hessler wrote:

> On 2016 Dec 12 (Mon) at 21:31:25 +0000 (+0000), Mik J wrote:
> > I notice that this spammer lost 387 seconds so 6 minutes.
> > Is there a way to make them loose more time ?
> > # grep spamd /etc/rc.conf
> > spamd_flags="-5 -v -l 127.0.0.1 -h mymx.mydomain.com -n Somestring"
>
> Don't use -5, but use the default -4.  550 is "permanent failure", 450
> is "temp fail, try again later".
>
> Also look at the -S and -s options.  -w is also fun.
>

These flags work really REALLY well:

spamd_flags='-S 90 -s 5 -w 1 -y .... -Y ... -Y .... -Y ....'


Another trick I found to work well when unsubscribing from a service:
1) change my subscribed address to [hidden email]
2) unsubscribe
3) add [hidden email] as a SPAMTRAP address (spamdb -T -a ....)


Also try Boudewijn's patch (see his continued blocking graph):
https://github.com/bdijkstra82/OpenBSD-spamlogd


Regards,
--
Craig Skinner | http://linkd.in/yGqkv7


Re: How to make spamd more annoying ?

Mik J
Hello Peter, Craig,
Thank you for your answers. There are two machines trapped in my spamd at the
moment. For one of them it's been 18 hours already and it stays connected for 800
seconds each time; the other one stays connected 11s only but has been trying
for 16 hours. So things are working.
Craig, I'm not sure I understood what this patch does. I use spamlogd so that
every outgoing mail adds the remote MX IP to my whitelist. Is it used to give
some additional statistics?


Peter, you use greylists but I read somewhere that gmail servers change their
IPs when they retry to send the mails. With a high outgoing volume of mails,
many IPs can be whitelisted thanks to spamlogd. But my server is very low
volume. How would you deal with that ?
At the moment my configuration is this one:
1) whitelist matched: send the mail to my MX
2) blacklists (personal, nixspam, blocklist...) matched: send the mail to spamd configured with -b
3) for other IPs: send the mail to my MX

Regards

    On Tuesday 13 December 2016 14:24, Craig Skinner <[hidden email]> wrote:


Re: How to make spamd more annoying ?

Peter Nicolai Mathias Hansteen
On 12/13/16 19:29, Mik J wrote:

> Peter, you use greylists but I read somewhere that gmail servers change
> their IPs when they retry to send the mails. With a high outgoing volume
> of mails, many IPs can be whitelisted thanks to spamlogd. But my server
> is very low volume. How would you deal with that ?

That's a fairly common problem, and comes down to a particular
misfeature of the SMTP RFCs: a requirement to retry, but no
requirement to retry from the same IP address. I grumbled about that in
http://bsdly.blogspot.com/2008/10/ietf-failed-to-account-for-greylisting.html.

The most common workaround is to extract the IP addresses or more likely
address ranges from the SPF records that the sites publish and put in a
nospamd table as seen in most of the examples.

My incrementally growing nospamd is available at
http://www.bsdly.net/~peter/nospamd, and Aron Poffenberger's spf_fetch
script that takes a file of domain names and extracts the SPF info for
you: https://github.com/akpoff/spf_fetch

- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
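As an added example of the SPF-to-nospamd workaround Peter describes (this is my own sketch, not code from the thread, from spf_fetch, or from Peter's nospamd file), here is a POSIX shell script that pulls the ip4:/ip6: networks out of an SPF record, follows include: and redirect= terms with a depth cap in the spirit of RFC 7208's ten-lookup limit, and writes the result as a pf table file. It goes a little beyond the paragraph above in that it handles include chains and a cyclic include. The spf_lookup function is a constructed offline stand-in for the DNS query; the domain names and record contents are made up, and the pf.conf lines in the comments follow the layout in the spamd(8) examples.

```shell
#!/bin/sh
# Added example: build a pf <nospamd> table from SPF records.

# Constructed offline resolver: maps a domain to its SPF TXT record.
# On a real system replace the body with a DNS query, for example:
#   dig +short TXT "$1" | tr -d '"' | grep '^v=spf1'
spf_lookup() {
    case "$1" in
        example.com)      echo 'v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all' ;;
        _spf.example.net) echo 'v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 include:loop.example -all' ;;
        loop.example)     echo 'v=spf1 include:example.com ~all' ;;   # deliberate cycle
        *)                echo '' ;;
    esac
}

# _spf_walk DOMAIN DEPTH: emit ip4:/ip6: networks, recursing into include:
# and redirect=. Only positional parameters are used so recursion does not
# clobber the caller's state. The depth cap stops cycles and runaway chains
# (RFC 7208 limits a record evaluation to 10 DNS-querying terms).
_spf_walk() {
    [ "$2" -ge 10 ] && return 0
    for tok in $(spf_lookup "$1"); do
        case "$tok" in
            ip4:*|ip6:*) echo "${tok#ip?:}" ;;
            include:*)   _spf_walk "${tok#include:}" $(($2 + 1)) ;;
            redirect=*)  _spf_walk "${tok#redirect=}" $(($2 + 1)) ;;
            *)           ;;   # a/mx/ptr/exists terms and qualifiers: not resolvable offline
        esac
    done
}

# spf_networks DOMAIN: deduplicated, sorted list of networks, one per line.
spf_networks() {
    _spf_walk "$1" 0 | LC_ALL=C sort -u
}

# build_nospamd FILE DOMAIN...: write a pf table file (one network per line,
# '#' comments allowed) for all given domains.
build_nospamd() {
    out=$1; shift
    : > "$out"
    for d in "$@"; do
        echo "# $d" >> "$out"
        spf_networks "$d" >> "$out"
    done
}

# Production use (not run here):
#   build_nospamd /etc/mail/nospamd example.com
#   pfctl -t nospamd -T replace -f /etc/mail/nospamd
# with pf.conf along the lines of the spamd(8) examples:
#   table <nospamd> persist file "/etc/mail/nospamd"
#   table <spamd-white> persist
#   pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd
#   pass in on egress proto tcp from <nospamd> to any port smtp
#   pass in log on egress proto tcp from <spamd-white> to any port smtp
spf_networks example.com
```

Whether a domain's SPF record should bypass greylisting at all is a trust decision about that domain, not something the record itself settles; the table is only as good as the list of domains you feed in.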


Re: How to make spamd more annoying ?

Peter Nicolai Mathias Hansteen
In reply to this post by Mik J
This thread made me take a fresh look at some of my earlier scribblings,
mostly http://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html
which has grown an addendum with a fresh graph of connection lengths
based on what was available on the spamd boxes where I have the liberty
to do what I want with log data. Also, a few links to useful resources
such as http://bgp-spamd.net/.

I hope you find this useful.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: How to make spamd more annoying ?

OpenBSD lists
In reply to this post by Mik J
Mik J wrote:

> Hello,
> I've been annoyed for months/years by a few marketing companies from which I regularly unsubscribed (according to the law in my country they should have done it). A few days ago I decided to make spamd work on my pf machine.
> And I trapped that spam company:
> Dec 12 19:25:55 openbsd spamd[99682]: (BLACK) x.x.x.x: <[hidden email]> -> <[hidden email]>
> Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: To: victim <[hidden email]>
> Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: From: =?utf-8?Lalalala= <[hidden email]>
> Dec 12 19:27:40 openbsd spamd[99682]: x.x.x.x: Subject: =?utf-8?Lalalalla
> Dec 12 19:28:45 openbsd spamd[99682]: x.x.x.x: disconnected after 387 seconds. lists: spamd-greytrap blacklist
>
> I notice that this spammer lost 387 seconds, so 6 minutes.
> Is there a way to make them lose more time?
> # grep spamd /etc/rc.conf
> spamd_flags="-5 -v -l 127.0.0.1 -h mymx.mydomain.com -n Somestring"
>
> Thank you
>

Most of the spam I've received from marketing companies tends to come
from send-only servers (looking at the user-agent of the sending server,
it's some kind of Python library intended for just sending pre-formatted
messages to a list of recipients).

What I've done is construct a script that, while spamd is stuttering
their connection, connects back to the sending server on port 25 and
executes an EHLO.  If the sending server doesn't respond to the EHLO, it
runs pfctl to add that server's address to a block list.


Another technique I've done is to use a catch-all address for my primary
email address, so each time I give out an address I give them a unique
address.  If I receive spam on an address (say something from "facebook"
on amazon@<mydomain>) then I know that my address has been leaked and
can readily identify who it was that leaked/sold my address to spammers.


Re: How to make spamd more annoying ?

Mikkel C. Simonsen
OpenBSD lists wrote:
> Most of the spam I've received from marketing companies tends to come
> from send-only servers (looking at the user-agent of the sending server,
> it's some kind of Python library intended for just sending pre-formatted
> messages to a list of recipients).
>
> What I've done is construct a script that, while spamd is stuttering
> their connection, connects back to the sending server on port 25 and
> executes an EHLO.  If the sending server doesn't respond to the EHLO, it
> runs pfctl to add that server's address to a block list.

That will block a LOT of legitimate e-mail also. Including
semi-legitimate e-mails like this one... Why should all e-mail servers
accept connections from the outside?

Mikkel


Re: How to make spamd more annoying ?

OpenBSD lists
Mikkel C. Simonsen wrote:

> OpenBSD lists wrote:
>> Most of the spam I've received from marketing companies tends to come
>> from send-only servers (looking at the user-agent of the sending
>> server, it's some kind of Python library intended for just sending
>> pre-formatted messages to a list of recipients).
>>
>> What I've done is construct a script that, while spamd is stuttering
>> their connection, connects back to the sending server on port 25
>> and executes an EHLO.  If the sending server doesn't respond to the
>> EHLO, it runs pfctl to add that server's address to a block list.
>
> That will block a LOT of legitimate e-mail also. Including
> semi-legitimate e-mails like this one... Why should all e-mail servers
> accept connections from the outside?
>
> Mikkel
>

Because that is what legitimate e-mail servers are supposed to do.
Yeah, it blocks emails from "Smart Host" SMTP servers, but I very rarely
interact with someone using such a setup.

Besides, this is only enabled on my primary server; the secondary server
will still accept email where the sender doesn't listen for SMTP.  A
legitimate email server would detect the failure and try again with the
next MX record.  Marketing and spam servers tend to see a single failure
and just carry on with spamming the next person.

My primary server is in a fairly expensive hosting provider (They are
very, very reliable, so the cost is worth it), so I try and avoid using
its bandwidth as much as possible.  The secondary server is located in
the office and on a connection with no bandwidth cap but will fail
periodically.

My infrastructure was set up to stop malicious traffic like bots
sending malware / phishing messages and non-reputable spammers.  I've
noticed a correlation between marketers that don't respond to
unsubscribe messages and running servers that don't bother to resend in
case of error.


-C

Re: How to make spamd more annoying ?

Robert Szasz-2
In reply to this post by Mikkel C. Simonsen
Just wanted to second this. While individuals would rarely send through
email servers set up this way, mid sized to enterprise businesses can.


On 12/13/2016 1:53 PM, Mikkel C. Simonsen wrote:

> OpenBSD lists wrote:
>> Most of the spam I've received from marketing companies tends to come
>> from send-only servers (looking at the user-agent of the sending
>> server, it's some kind of Python library intended for just sending
>> pre-formatted messages to a list of recipients).
>>
>> What I've done is construct a script that, while spamd is stuttering
>> their connection, connects back to the sending server on port 25
>> and executes an EHLO.  If the sending server doesn't respond to the
>> EHLO, it runs pfctl to add that server's address to a block list.
>
> That will block a LOT of legitimate e-mail also. Including
> semi-legitimate e-mails like this one... Why should all e-mail servers
> accept connections from the outside?
>
> Mikkel


Re: How to make spamd more annoying ?

Craig Skinner-3
In reply to this post by Mik J
Hi Mik,

On Tue, 13 Dec 2016 18:29:00 +0000 (UTC) Mik J wrote:
> I use spamlogd so that every outgoing mail adds the remote MX IP to
> my whitelist.

As with many domains, large mail services deploy/outsource separate
inbound & outbound clusters, so spamlogd'ing outbound mail won't help.

These spamlogd flags seem to work best here:

spamlogd_flags='-I -Y ... -Y ... -Y ....'

>
> I'm not sure I understood what this patch does.
> It's used to give some additional statistics?
>

spamd expires trapped IP addresses after 24 hours.

Boudewijn's patch keeps them trapped while they continue to spam.
His stats prove it works.

>
> I read somewhere that gmail servers change their IPs when they retry
> to send the mails.

This tool helps to auto-whitelist silly round-robin senders:
http://web.Britvault.Co.UK/products/ungrey-robins/

(SPF lists are often not trustworthy.)

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7


Re: How to make spamd more annoying ?

Stuart Henderson
In reply to this post by OpenBSD lists
On 2016-12-14, OpenBSD lists <[hidden email]> wrote:
>
> Beside, this is only enabled on my primary server, the secondary server
> will still accept email where the sender doesn't listen for SMTP.  A
> legitimate email server would detect the failure and try again with the
> next MX record.  Marketing and spam servers tend to see a single failure
> and just carry on with spamming the next person.

Not for many years. They do retry, and they do try alternative MX (though
sometimes in the reverse order). In my opinion a secondary MX (if you list
one at all) should have *stronger* filtering than the primary. You don't
want something entering the queue on a secondary unless you're pretty sure
the primary is going to want to see it.


Re: How to make spamd more annoying ?

Boudewijn Dijkstra
In reply to this post by Craig Skinner-3
On Wed, 14 Dec 2016 18:07:15 +0100, Craig Skinner
<[hidden email]> wrote:

> On Tue, 13 Dec 2016 18:29:00 +0000 (UTC) Mik J wrote:
>> I use spamlogd so that every outgoing mail adds the remote MX IP to
>> my whitelist.
>
> As with many domains, large mail services deploy/outsource separate
> inbound & outbound clusters, so spamlogd'ing outbound mail won't help.
>
> These spamlogd flags seem to work best here:
>
> spamlogd_flags='-I -Y ... -Y ... -Y ....'
>
>>
>> I'm not sure I understood what this patch does.
>> It's used to give some additional statistics?
>>
>
> spamd expires trapped IP addresses after 24 hours.
>
> Boudewijn's patch keeps them trapped while they continue to spam.
> His stats prove it works.

My stats just prove that senders exist who will happily continue delivery  
attempts for weeks or months.  ;)

To see that it works, you have to turn on verbose logging and realise that  
spammers who get greytrapped sometimes also use valid envelope-to  
addresses. My patch is intended to reduce the chances of those spammers  
getting whitelisted. It can also be used as an ad-hoc blacklist for e.g.  
senders of daily newsletters who refuse to unsubscribe you.

>> I read somewhere that gmail servers change their IPs when they retry
>> to send the mails.
>
> This tool helps to auto-whitelist silly round-robin senders:
> http://web.Britvault.Co.UK/products/ungrey-robins/
>
> (SPF lists are often not trustworthy.)

Whitelisting an address simply because it appears on an SPF record of a  
domain used for legitimate mail, is indeed a bad idea.  SPF was never  
meant for that.

SPF can be used for accept/reject decisions, but your policy of what to do  
with a certain SPF result should be based on your level of trust in the  
publishing domain.



--
Boudewijn Dijkstra
Indes-IDS B.V.
+31 345 545 535


Re: How to make spamd more annoying ?

Stuart Henderson
In reply to this post by Mik J
On 2016-12-13, Mik J <[hidden email]> wrote:
> Peter, you use greylists but I read somewhere that gmail servers change their
> IPs when they retry to send the mails.

It used to be common to attempt a few deliveries from a "main" smarthost and
then push to a "slow retry" host, it seemed that this was particularly popular
with some larger Exim users.

Nowadays it's more likely that the sending servers at large mail providers
are just behind NAT pools (and in some cases, also multiple SMTP senders
running from a common queue). No point wasting precious v4's when the
bottleneck is storage i/o.