Playing with spammers

avsm — Thu, 29 Jul 2004 09:53:48 +0100

The amount of spam sent to Recoil accounts has dramatically sprung up over the last few years, sending the machine loads skyrocketing accordingly. Luckily, we're running OpenBSD, which added a fun tool called spamd(8) a couple of releases ago.

It's activated by tracking IP addresses of known spammers from blacklists like Spamhaus, and redirecting them to the spam daemon via pf rules. Once the mail reaches spamd, it "tarpits" it by dropping its TCP send and receive buffers to a very small value, encouraging the spammers and virii to (slowly) send their malware on. If they ever do reach the end of their data, it then rejects it with a temporary failure - costing the spammers more resourcs if they decide to retransmit it.

The load has dropped quite a bit since I activated this filtering; it seems to help against some of the latest worms quite a lot, which just connect to port 25, spew off a buffer-overflow attempt, and repeat this once every few seconds. Since spamd, things take a bit longer though!

quick spamd: 221.2.232.138: connected (9/9), lists: spamhaus
quick spamd: 221.2.232.138: disconnected after 431 seconds. lists: spamhaus

Very satisfying. I did play with the greylisting mode of spamd as well, but it wasn't quite as successful as some valid mail sites such as EDAS (bless its underwhelming soul) take five days to send conference paper rejections into a greylisted system. Public whitelists do exist, but I think I'll wait a while and see if things mature a little more first.

No Content, No Fuss: Playing with spammers

Playing with spammers