Urban Hillebrand wrote:
Thanks, but I already stole several ideas from his presentation :)

However, it does not answer the 3 questions in my original post.

Regarding hardware sizing Bob says he is using a "smallish Dell Server" - I would be interested in more details (how much RAM is needed, how big does the greylist DB get...). I suppose two "standard servers" (single xeon, 2 GB RAM, small internal disk) would be more than sufficient for us, but some real world examples would still be helpful.

When Bob says that spamd doesn't take much power, it is really true.

I run an ISP and I have plenty of spamd in service, all running on Sun V100s, and that doesn't even break a sweat at all! So, you do as you see fit, but putting a Xeon with 2 GB is really a waste here.

And the questions about CARP and problematic SMTP servers remain as well.

As for CARP, it's easy to set up, but again, keep it simple. Not that it doesn't work or that it's wrong to do this, but why??? MX already has a built-in backup with the DNS entry for the MX, so no need for CARP here. The simpler the setup, the better it is. Plus having more MX servers might well work best for you, as you can see spammers accessing the wrong server first, and in that case you know it's spam, so you just block that.

I sent many examples to the archive of a very good setup, but here it is again. Here is what works best for me, but again, you may need or want something different. Don't forget, I run an ISP, so I process way more than your 300K or 500K peak per day here, and again, that's done with Sun V100s only. So, power is not the issue here.

First, I run it with prejudice here and all my customers are aware of it and have no problem whatsoever with that. Some others are in front of a different setup where that prejudice is not present, but in short, if you look at China and Korea, you will see lots of spam coming from there, and unless you have a reason for this, it's 100% spam. So, this is fully blocked from the start. That's the prejudice I do here and only that one.

So, I use the black list for these two only, and you can see that below.

I use the following in my setup, all very quickly set up, easy and very efficient as well, and none needs lots of power:

1. spamd
2. spam-trap email address for very popular domains.
3. grey-scanner
4. grey-listing
5. white-list with SPF records
6. Manual entry if needed for very important entries in that white-list
7. spamd-sync between multiple SMTP servers
8. Bob's grey list as well from the University.
9. MX records for unused but valid domains without any valid email address, which really trap a LOT of spam. If you don't have a spare domain, just register some and use them. It's worth the minimal $ per year big time.
10. spamd-setup to keep the various lists updated
11. CRONJOB each hour for the above.
12. Increase limits in PF for the much bigger lists as a result.
13. I set up greyscanner under a special user, which again is my choice, but not needed if you don't want to. I prefer to make it safer than not by default.

All this is very simple, quickly set up, and then I can enjoy the view of the logs.

Now here is how I do it. Again, all this was in the archive, so next time, do a search first.

1. Put 4.2 on a box, set up spamd on it, that's real easy. For that, look at your pf configuration and follow the man page.

2. Then use Bob's lists in spamd-setup, updated every hour, to add to your filter. You don't need to update it each hour if you want to be nice to Bob, but I guess you can. Just don't do it more often than once per hour however. There isn't any point.

***** Make sure to increase the table limit entries if you use it, as you will run out of space for them. ****

3. Then unless you have a reason to receive emails from China and Korea, just block that too. And I also use the nixspam list, also provided nicely. (;>

My /etc/mail/spamd.conf looks like the spamd.conf shown below.

4. I also use /var/db/whitelist.txt as well in my configuration for some special cases if needed, but there isn't much there and changes don't really happen too often either. I created it once to allow some mail servers with the SPF records for them, which is not needed, but does help some sending ones. You can find a list here:

http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt

And again, I put my list below, not that you need to use it, but for the details. If you don't need it, don't use it.

5. Then add the even better greyscanner, also from Bob, which you can find here:

http://www.ualberta.ca/~beck/greyscanner/

Obviously, put the 4.1 version on your 4.2 box; there were changes between < 4.1 and 4.1 and up. I only needed the greyscanner.41.

You set that up and it's really easy to do. All the defaults work as is, nothing special needed, but you can add some unused domains for even more fun and efficiency. See later for this, but in short, you read the PERL script usage and you need minimal additions for your setup if you go that route.

You will need to install a few packages, all ready to go anyway, so not a big deal to do. I run current, so yours may need different versions, but the list is below.

# pkg_info
p5-Digest-HMAC-1.01p0 interface to HMAC Message-Digest Algorithms
p5-Digest-SHA1-2.11p0 module to calculate SHA1 digests
p5-Email-Valid-0.176p0 Check validity of Internet email addresses
p5-Mail-Tools-1.77  modules for handling mail with perl
p5-Net-DNS-0.61     module to interface the DNS resolver
p5-Net-IP-1.25p0    perl module for IPv4/IPv6 address parsing
p5-Time-TimeDate-1.16p0 library for parsing and formatting dates and times

I run my greyscanner as a special user for that, to keep it safer and more restricted as well, which you can go without, but then why not.

So, in /etc/rc.local, I have this added to it:

# Grey Scanner
if [ -x /usr/local/sbin/greyscanner ]; then
        echo -n 'Start Bob Becks Grey Scanner'; su _greyscanner -c /usr/local/sbin/greyscanner
fi

and obviously I have Bob's script installed in /usr/local/sbin/greyscanner

# ls -al /usr/local/sbin/greyscanner
-rwxr-xr-x  1 root  bin  11711 Sep  4 17:18 /usr/local/sbin/greyscanner

I also added a user _greyscanner without login, which I also run under the _spamd group. That's my choice, and you can do it differently if you want, but as greyscanner interacts with _spamd, it was logical for me to use the same group here.

# cat /etc/master.passwd | grep _greyscanner
_greyscanner:*:1000:62:daemon:0:0:Grey Scanner Daemon:/var/empty:/bin/ksh

# cat /etc/group | grep _greyscanner
_spamd:*:62:_greyscanner

And by the way, in case it wasn't obvious, I also do a spamd-setup at startup as well, so my /etc/rc.local also includes:

# spamd black list building
if [ -x /usr/libexec/spamd-setup ] ; then
        /usr/libexec/spamd-setup & echo -n ' building spamd blacklist'
fi

And then you can see the greyscanner running and doing its stuff, under a limited user as well:

# ps -auxw | grep _greyscanner
_greyscanner 17011 0.0 0.9 6480 4872 00- I 9Dec07 0:30.72 /usr/bin/perl /usr/local/sbin/greyscanner

6. If you are willing to add unused domains that you may already have, then edit the greyscanner and put them here:

@BADRERCPT = (
    "[EMAIL PROTECTED]",
);

The short of this is that it will look for them, trap senders to these unused domains and keep them trapped for 24 hours. Worth the addition of new domains just for that.

7. Then obviously, for your trap domain, add any email addresses to a web page for the various low lifes to grab them and then start sending you spam to them, and enjoy the show.

8. If you want even more, you can also sync the lists of spamd content between multiple SMTP servers via rc.conf.local and the use of spamd_flags=, etc., but I am not sure you have multiple mail servers, so I will skip that part. However that works very well and adds more to the fight, I tell you. I sync multiple servers together and really enjoy the logs! (;>

Anyway, setting all this up is way shorter than it took me just to write it all, and it's pretty darn efficient, I tell you.

Just do it and then give feedback on your newfound joy! (;>

Best,

Daniel

spamd.conf
=======================
all:\
        :uatraps:override:nixspam:override:china:override:korea:override:

# University of Alberta greytrap hits.
# Addresses stay in it for 24 hours from time they misbehave.
uatraps:\
        :black:\
        :msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
        within the last 24 hours":\
        :method=http:\
        :file=www.openbsd.org/spamd/traplist.gz

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
        :black:\
        :msg="Your address %A is in the nixspam list\n\
        See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
        :method=http:\
        :file=www.openbsd.org/spamd/nixspam.gz

# Mirrored from http://www.okean.com/chinacidr.txt
china:\
        :black:\
        :msg="SPAM. Your address %A appears to be from China\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/chinacidr.txt.gz:

# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
        :black:\
        :msg="SPAM. Your address %A appears to be from Korea\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/koreacidr.txt.gz:

# An example of a list containing addresses which should not talk to spamd.
#
override:\
        :white:\
        :method=file:\
        :file=/var/db/whitelist.txt:



/var/db/whitelist.txt
================================
# From http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt
12.5.136.141 # Southwest Airlines (unique sender, no retry)
12.5.136.142 # Southwest Airlines (unique sender, no retry)
12.5.136.143 # Southwest Airlines (unique sender, no retry)
12.5.136.144 # Southwest Airlines (unique sender, no retry)
12.107.209.244 # kernel.org mailing lists (high traffic, unique sender per mail)
63.82.37.110 # SLmail
63.169.44.143 # Southwest Airlines (unique sender, no retry)
63.169.44.144 # Southwest Airlines (unique sender, no retry)
64.7.153.18 # sentex.ca (common pool)
64.124.204.39 # moveon.org (unique sender per attempt)
64.125.132.254 # collab.net (unique sender per attempt)
#65.82.241.160 # Groupwise?
66.94.237.0/24 # Yahoo Groups servers (common pool, no retry)
66.100.210.82 # Groupwise?
66.135.209.0/24 # Ebay (for time critical alerts)
66.135.197.0/24 # Ebay (common pool)
66.162.216.166 # Groupwise?
66.206.22.82 # PLEXOR
66.206.22.83 # PLEXOR
66.206.22.84 # PLEXOR
66.206.22.85 # PLEXOR
66.218.66.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.67.0/24 # Yahoo Groups servers (common pool, no retry)
66.218.69.0/24 # Yahoo Groups servers (common pool, no retry)
#66.249.82 # gmail (common server pool, bad 451 handling)
66.27.51.218 # ljbtc.com (Groupwise)
#66.89.73.101 # Groupwise?
#68.15.115.88 # Groupwise?
72.14.204.0/24 # qproxy.gmail.com (common server pool, bad 451 handling?)
152.163.225.0/24 # AOL (common pool)
194.245.101.88 # Joker.com (email forwarding server)
195.235.39.19 # Tid InfoMail Exchanger v2.20
195.238.2.0/24 # skynet.be (weird retry pattern, common pool)
195.238.3.0/24 # skynet.be (weird retry pattern, common pool)
#204.60.8.162 # Groupwise?
204.107.120.10 # Ameritrade (no retry)
205.206.231.0/24 # SecurityFocus.com (unique sender per attempt)
205.211.164.50 # sentex.ca (common pool)
207.115.63.0/24 # Prodigy (broken software that retries continually with no delay)
#209.104.63 # Ticketmaster (poor retry config)
209.132.176.174 # sourceware.org mailing lists (high traffic, unique sender per mail)
211.29.132.0/24 # optusnet.com.au (weird retry pattern and more than 48hrs)
213.136.52.31 # Mysql.com (unique sender)
#216.136.226.0 # Yahoo Mail?
#216.157.204.5 # Groupwise?
217.158.50.178 # AXKit mailing list (unique sender per attempt)
#
#
# SPF list was created from script here:
# http://home.xnet.com/~ansible/openbsd_spamd_conf.html
#
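The spamd.conf posted above is a termcap-style file whose "all" entry fixes the order in which spamd-setup processes the lists, and a white list such as "override" only removes addresses from the black lists listed before it. The following is an added example, not code from the post or from OpenBSD: a small parser for that format plus a check that flags any black list which no white list follows, so that /var/db/whitelist.txt entries can never rescue it. SAMPLE_CONF is a constructed, cut-down copy of the posted file with the same syntax.

```python
import re

# Added example, not code from the post: parse the termcap-style /etc/mail/spamd.conf
# shown above and check the ordering of its "all" entry. SAMPLE_CONF is a constructed
# cut-down copy of that file using the same syntax.
SAMPLE_CONF = r'''
all:\
        :uatraps:override:nixspam:
uatraps:\
        :black:\
        :msg="Your address %A has sent mail to a spamtrap\n\
        within the last 24 hours":\
        :method=http:\
        :file=www.openbsd.org/spamd/traplist.gz
nixspam:\
        :black:\
        :method=http:\
        :file=www.openbsd.org/spamd/nixspam.gz:
override:\
        :white:\
        :method=file:\
        :file=/var/db/whitelist.txt:
'''

# One field: a run of non-colon text, or a double-quoted string (msg= values may hold colons).
FIELD_RE = re.compile(r'(?:[^:"]|"[^"]*")+')

def parse_spamd_conf(text):
    """Map each record name to its list of capabilities. A trailing backslash
    continues the record on the next line; ':' separates fields."""
    entries = {}
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = [f.strip() for f in FIELD_RE.findall(line)]
            entries[fields[0]] = [f for f in fields[1:] if f]
    return entries

def list_order(entries):
    """Expand 'all' into (name, black|white) in the order spamd-setup processes it."""
    def kind(caps):
        return "black" if "black" in caps else "white" if "white" in caps else "?"
    return [(n, kind(entries[n])) for n in entries["all"]]

def unprotected_blacklists(entries):
    """Black lists with no white list after them in 'all'. A white list only removes
    addresses from the black lists listed before it, so addresses in these lists
    can never be rescued by /var/db/whitelist.txt."""
    order = list_order(entries)
    return [n for i, (n, k) in enumerate(order)
            if k == "black" and all(kk != "white" for _, kk in order[i + 1:])]
```

Run against the real file, the check reports "nixspam" for the sample's "all" entry, which is exactly the gap the posted ":uatraps:override:nixspam:override:..." pattern avoids.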
