31 10 | 2013

How to implement a Postfix spam trap?

Written by Tanguy

Classified in : Homepage, Debian, Lazyweb

Open envelope

Spam trap

Dear lazyweb, I am considering to implement spam traps and evaluate their efficiency. The idea as rather simple:

  1. publish some real-looking email addresses on websites, in ways that no human would use them to send legitimate mail, for instance in hidden texts, or in texts clearly stating they should not be used;
  2. when my mail server receives a message for one of these address, blacklist the originating server for some time so it cannot spam real recipients.

Practical implementation

Now, I have to decide on how to implement that with my Postfix server. I am thinking of using fail2ban to simply detect attempts to send mail to my spam traps and blocking these spammers at iptables-level, but I do not think that will give me much tuning possibilities. Do you have other suggestions?

Implementation details

I also have to think about some specific details. Here is what I identified so far, do you think I am missing something that may be useful?

  • Blacklisting time: since no legitimate mail can ever be sent to an explicit spam trap address, everyone sending mail to these addresses is by definition a spammer, so I can block them for months, if not forever. There is, however, a risk of blocking large scale services mostly used by regular users but sometimes abused by spammers, like Hotmail or Gmail…
  • Server response: a spam trap address is only efficient if it gets included in a spammer's address list and if it stays there, so I should make sure my server answers the first attempt in a way that does not make him think that address is problematic and should be removed from his list. Defining a /dev/null alias should do it.

9 comments

thursday 31 october 2013 à 17:05 Csillag Tamas said : #1

Hi,

I would make a policy daemon.

It would do two things:
1. if the address is a spamtrap address do a DISCARD action then
2. add the client IP to a lookup table (or some internal data stucture) effectively blocking the address from this IP.

thursday 31 october 2013 à 17:14 Laurento said : #2

What about using all received emails to feed spamassassin bayesian filter automatically?

thursday 31 october 2013 à 17:20 Mika said : #3

Hi, for the problem of blacklisting hotmail or gmail, you should consider using a whitelist (like the spamhaus whitelist) of IP addresses that you will never ever blacklist.

thursday 31 october 2013 à 17:41 Tanguy said : #4

@Laurento : That may be a good idea to initialize a bayesian filter database, but I do not like the idea of using it with almost no human control. To me, these are two distinct measures: spam traps to block what is, by definition, a spam, and bayesian filters to identify what looks like spammy messages. Now, I would not use that spam trap to bayesian linking as the only measure, since the on a bayesian filter requires some computing power that can be saved with a simple blocking.

@Mika : You can add dnswl.org too, which may be more reliable than Spamhaus. Personally, I do not trust Spamhaus, because I ended on their policy list, and as a consequence on their global block list, with no valid reason (my ISP never told me not to send mail directly, and I know they does not voluntarily gives away his end user addresses to RBL providers; they only gave them to TrendMicro MAPS, after they blackmailed them to blacklist their main servers if they did not gave them their end user address ranges).

thursday 31 october 2013 à 21:14 Steven C. said : #5

I agree with @Laurento. You could accept spamtrap mail without doing any scanning, and have procmail pipe them to sa-learn, or store them in a maildir and batch-process them.

That teaches the Bayesian filter with texts and also headers, including the Received: lines identifying servers involved, and may be able to pick out specific email addresses (useful for GMail etc.).

I thought the whole idea of a spamtrap mailbox is that you don't have human control? If you prefer, you could retain the learned messages, in case you want to review sometime for false positives, then you could re-learn them as ham.

Something else you could do is create your own local DNS-based RBL, add sending servers to it for some period of time, and configure SpamAssasin to use it. You might even make it public :)

thursday 31 october 2013 à 23:15 MJD said : #6

There is a service that already implemented such a thing at: http://psbl.org/ . They use the software at http://spamikaze.org/ to do their filtering. I use the public blacklist myself, seems to generally work well.

thursday 31 october 2013 à 23:24 AH said : #7

Isn't it very easy to launch a denial-of-service attack against your server then?

sunday 03 november 2013 à 23:14 Craig said : #8

I use dspam for my filtering and they have this concept of innoculation. So email to abigail@enc.com.au goes to a special alias that dspam knows is spam. It then uses this to determine if email for other users is spam.
From the outside it looks like the email is delivered.

monday 04 november 2013 à 16:09 mirabilos said : #9

I'm doing it using OpenBSD’s spamd, which ofc won’t work for you. But it works.

Block only for a day, or a couple of days. The biggies aren’t as much an issue as people with changing IPs are. (The biggies have other, worse, problems.)

Write a comment

What is the third letter of the word xsec? : 

Archives