In recent weeks I have seen a number of spam attempts to servers we host
that should never see them. More concisely, people are trying to send
spam by connecting to port 25 on our web servers. These connections die
on their arse because we don't allow 25 inbound to anything but our mail
servers, but it strikes me that such connections could be a good source
of data on who to block in spamd.

I can easily put together a pf table of some servers that should never
see connections to port 25, and redirect them to our spamd instances,
but my questions are these:

How should I make spamd recognise that these attempts are phony, and
instantly blacklist/tarpit them? -b appears to still have to check a
list; I want something more like greytrapping.

Should I be running a separate spamd instance on a different port for
this, or can it all be done with cunning configuration of the standard one?

If I run two spamd instances, my standard one and my honeytrap one, and
they look at and manipulate the same /var/run/spamdb, will it all go
Horribly Wrong? I suspect not, as spamlogd manipulates it at the same
time, but I think that might be over a sock, and hence kept safe that way.

Have I missed some reason why this is a Really Dumb Idea(tm)?


I think it bears mention that our spamd stuff is currently on a 4.0 box,
but I'm making plans for when we re-build with 4.2, so answers would be
best based on 4.2 functionality.

Thanks for any and all responses, even if they're "No! You fool!" :-)

-- 

Richard 'Dave' Wilson
Systems Administrator

Senokian Solutions Ltd.
Business Innovation Centre,
Binley Business Park, Coventry,
United Kingdom
CV3 2TX
T: +44 (0)24 76 233 400
DDI: +44 (0)24 76 233 416
F: +44 (0)24 76 233 401
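As an added illustration of the setup the question describes (not the poster's own configuration, and not taken from OpenBSD's documentation), here is a pf.conf fragment in OpenBSD 4.2-era syntax. The interface name and all addresses are constructed, and the <smtp_trap> table filled by an overload clause is an assumption about one way to record the sources that try port 25 on the web servers.

```pf
# Constructed names: external interface and web servers that never take mail.
ext_if = "em0"
table <nomail_hosts> const { 192.0.2.10, 192.0.2.11 }

# Assumed: sources caught connecting to port 25 on a web server. persist
# keeps the table across rule reloads; entries can be listed with
# "pfctl -t smtp_trap -T show".
table <smtp_trap> persist

# Standard spamd tables as named in spamd(8).
table <spamd> persist
table <spamd-white> persist

# Known-bad senders (blacklist and trap) always land in the spamd tarpit,
# whatever host they connect to.
rdr pass inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port spamd
rdr pass inet proto tcp from <smtp_trap> to any port smtp \
    -> 127.0.0.1 port spamd

# Port 25 on a web server is redirected to spamd as well, but without
# "pass", so the filter rule below still sees the (translated) packet
# and can populate <smtp_trap> from it.
rdr inet proto tcp from any to <nomail_hosts> port smtp \
    -> 127.0.0.1 port spamd

# Legitimate mail: senders not yet whitelisted go through greylisting,
# whitelisted ones reach the real mail servers untouched.
rdr pass inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port spamd

# Filter rules are evaluated after translation, so the trapped connection
# now has destination 127.0.0.1 port spamd. More than one new connection
# per minute from a source adds that source to <smtp_trap> and flushes
# its existing states.
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port spamd \
    flags S/SA keep state \
    (max-src-conn-rate 1/60, overload <smtp_trap> flush)

# Nothing else reaches port 25 on the web servers directly.
block in on $ext_if inet proto tcp from any to <nomail_hosts> port smtp
```

Load with "pfctl -nf /etc/pf.conf" first to check the syntax, then "pfctl -f /etc/pf.conf".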
