Difference between revisions of "OpenBSD spamd: create a fake MTA"
Revision as of 11:05, 10 June 2019
OpenBSD comes with a greylisting daemon called "spamd". This article shows how to run it as a fake MTA, collect the addresses that connect to it, and distribute that list to real, working MTAs.
First we need to add a table and two rules to pf.conf:
<pre>
table <spamd> persist

pass in log on em1 proto tcp from any to any port 25 rdr-to 127.0.0.1 port spamd
pass in log on em1 inet proto tcp from <spamd> to any port smtp divert-to 127.0.0.1 port spamd
</pre>
So all incoming traffic to port 25 on em1 is redirected to spamd, and SMTP traffic from any address already in the <spamd> table is diverted to spamd as well.
Add the following to /etc/rc.conf.local:
<pre>
spamd_flags="-4 -G25:4:864 -h your_hostname.org -l127.0.0.1 -n \"Sendmail 8.11.4/8.11.1\" -S10 -s1 -v -w1"
spamd_black=NO
spamlogd_flags="-I -i lo0"
</pre>
These are spamd's arguments; see man spamd for details. I'm setting spamd to whitelist everything, knowing that they will be blacklisted. spamd does have a blacklist mode, but it doesn't store information in the spamdb database for logging purposes.
In this case, if we run spamdb:
<pre>
mrt1# spamdb
WHITE|104.152.52.22|||1559777210|1559777210|1562887610|1|0
WHITE|80.82.77.33|||1559827557|1559827557|1562937957|1|1
WHITE|37.49.227.175|||1559837786|1559837786|1562948186|1|0
WHITE|213.148.210.30|||1559842400|1559842400|1562952800|1|0
WHITE|107.6.208.18|||1559856160|1559856160|1562966560|1|0
WHITE|185.234.216.232|||1559910852|1559910852|1563021252|1|0
WHITE|185.234.219.66|||1559917244|1559917244|1563027644|1|0
</pre>
We can see that some addresses have already connected to our fake email server, most likely by port-scanning 25 and then seeing whether they can send email (who knows). We know these addresses are considered bad, so we can simply:
<pre>
spamdb | grep WHITE | awk -F "|" '{print $2}' >> ip.txt
</pre>
This parses the IP field (field 2) out of every WHITE record and appends it to a file.
We can host this text file on a webserver or scp it to other working MTAs to be put into their block lists. If we wanted to trap all these IPs on a working MTA running PF and OpenSMTPD (with spamd running in front of it, since spamdb entries only matter to spamd), we could:
<pre>
cat ip.txt | xargs -n 1 spamdb -T -a
</pre>
-T adds each address as a TRAPPED entry, which spamd tarpits; -t would instead add it as a SPAMTRAP entry, and those are keyed by e-mail address rather than by IP.
Or add them to a block table in PF:
<pre>
cat ip.txt | xargs pfctl -t blockedspammers -T add
</pre>
pfctl creates the table if it does not exist yet, but a block rule referencing <blockedspammers> still has to be in that host's pf.conf for the table to have any effect.