OpenBSD spamd: create a fake MTA

From WTFwiki
Revision as of 11:05, 10 June 2019 by Anexit (talk | contribs)

OpenBSD comes with a greylisting daemon called spamd. This article shows how to run it as a fake MTA, collect the addresses that connect to it, and distribute that list to real, working MTAs.

First we need to add a table and two rules to pf.conf:


table <spamd> persist

pass in log on em1 proto tcp from any to any port 25 rdr-to 127.0.0.1 port spamd
pass in log on em1 inet proto tcp from <spamd> to any port smtp divert-to 127.0.0.1 port spamd

So all inbound traffic to port 25 is redirected to spamd, and all traffic from addresses in the <spamd> table is diverted to spamd as well.

Add the following to /etc/rc.conf.local:

spamd_flags="-4 -G25:4:864 -h your_hostname.org -l127.0.0.1 -n \"Sendmail 8.11.4/8.11.1\" -S10 -s1 -v -w1"
spamd_black=NO
spamlogd_flags="-I -i lo0"

This sets the arguments spamd is started with; see spamd(8) for details. I'm setting spamd to whitelist everything, knowing that these hosts will be blacklisted. spamd does have a blacklist mode, but in that mode it doesn't store information in the spamdb database, which we want for logging purposes.

If we now run spamdb:

mrt1# spamdb
WHITE|104.152.52.22|||1559777210|1559777210|1562887610|1|0
WHITE|80.82.77.33|||1559827557|1559827557|1562937957|1|1
WHITE|37.49.227.175|||1559837786|1559837786|1562948186|1|0
WHITE|213.148.210.30|||1559842400|1559842400|1562952800|1|0
WHITE|107.6.208.18|||1559856160|1559856160|1562966560|1|0
WHITE|185.234.216.232|||1559910852|1559910852|1563021252|1|0
WHITE|185.234.219.66|||1559917244|1559917244|1563027644|1|0

We can see that some addresses have already connected to our fake mail server, mostly by scanning port 25 to see if they can send email (who knows). We know these addresses are considered bad, so we can simply:

spamdb | grep WHITE | awk -F "|" '{print $2}' >> ip.txt

This parses all the whitelisted IPs into a file.

We can host this text file on a web server or scp it to other working MTAs to be put into their block lists. If we wanted to trap all these IPs on a working MTA running PF and OpenSMTPD we could:

xargs -n 1 spamdb -t -a < ip.txt

Or add it to a block table in PF:

xargs pfctl -t blockedspammers -T add < ip.txt
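Before handing the list to spamdb -t -a or pfctl -T add on another host, it is worth filtering the raw spamdb output rather than grepping it blindly. The following is an added example, not part of the wiki article: a POSIX sh/awk function that reads spamdb(8) records on stdin, keeps only the requested entry types (WHITE and TRAPPED by default), drops expired entries and anything that is not a valid IPv4 address, and prints each address once; the sample records and the fixed "now" timestamp are constructed.

```shell
# Added example (not from the wiki article): filter spamdb(8) output into a
# clean list of IPv4 addresses before feeding it to spamdb -t -a or pfctl -T add.
# Assumptions: POSIX sh + awk; record layouts as documented in spamdb(8).

# extract_spamdb_ips NOW_EPOCH [TYPES]
#   Reads spamdb records on stdin and prints each unique, syntactically valid
#   IPv4 address whose entry type is in TYPES (default "WHITE TRAPPED") and
#   whose expiry timestamp is still in the future relative to NOW_EPOCH.
extract_spamdb_ips() {
    awk -F '|' -v now="$1" -v types="${2:-WHITE TRAPPED}" '
        # Reject anything that is not four dotted decimal octets in 0..255,
        # so a corrupt record can never end up in a pf table.
        function valid_ipv4(a,    p, i) {
            if (split(a, p, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        # Field positions differ per record type (see spamdb(8)):
        #   WHITE|ip|||first|pass|expire|block|pass              expire = $7
        #   GREY|ip|helo|from|to|first|pass|expire|block|pass    expire = $8
        #   TRAPPED|ip|expire                                    expire = $3
        {
            if (!($1 in want)) next
            if ($1 == "WHITE")        expire = $7
            else if ($1 == "GREY")    expire = $8
            else if ($1 == "TRAPPED") expire = $3
            else next                          # SPAMTRAP and unknown types
            if (expire + 0 < now + 0) next     # entry already expired
            if (!valid_ipv4($2)) next
            if (!($2 in seen)) { seen[$2] = 1; print $2 }
        }'
}

# Constructed sample in the same format as the spamdb output shown above
# (documentation ranges, one duplicate, one GREY, one expired, two malformed).
SAMPLE_SPAMDB='WHITE|192.0.2.10|||1559777210|1559777210|1562887610|1|0
WHITE|192.0.2.10|||1559777210|1559777210|1562887610|1|0
GREY|192.0.2.20|mx.example.net|<a@example.net>|<b@example.org>|1559777210|1559778710|1559791610|1|0
WHITE|198.51.100.5|||1559827557|1559827557|1562937957|1|1
TRAPPED|203.0.113.9|1562952800
WHITE|not.an.ip.x|||1559827557|1559827557|1562937957|1|0
WHITE|192.0.2.300|||1559827557|1559827557|1562937957|1|0
SPAMTRAP|spamtrap@example.org
WHITE|192.0.2.99|||1559000000|1559000000|1559100000|1|0'

# Fixed "now" so the run is reproducible; on a live spamd host use:
#   spamdb | extract_spamdb_ips "$(date +%s)" > ip.txt
printf '%s\n' "$SAMPLE_SPAMDB" | extract_spamdb_ips 1560000000
```

Whatever produces ip.txt, the receiving host still needs a rule in pf.conf that references the <blockedspammers> table before the added addresses have any effect.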