Tanguy Ortolo - Lazyweb

How to implement a Postfix spam trap?

Tanguy — Thu, 31 Oct 2013 15:51:00 +0000

Spam trap

Dear lazyweb, I am considering to implement spam traps and evaluate their efficiency. The idea as rather simple:

publish some real-looking email addresses on websites, in ways that no human would use them to send legitimate mail, for instance in hidden texts, or in texts clearly stating they should not be used;
when my mail server receives a message for one of these address, blacklist the originating server for some time so it cannot spam real recipients.

Practical implementation

Now, I have to decide on how to implement that with my Postfix server. I am thinking of using fail2ban to simply detect attempts to send mail to my spam traps and blocking these spammers at iptables-level, but I do not think that will give me much tuning possibilities. Do you have other suggestions?

Implementation details

I also have to think about some specific details. Here is what I identified so far, do you think I am missing something that may be useful?

Blacklisting time: since no legitimate mail can ever be sent to an explicit spam trap address, everyone sending mail to these addresses is by definition a spammer, so I can block them for months, if not forever. There is, however, a risk of blocking large scale services mostly used by regular users but sometimes abused by spammers, like Hotmail or Gmail…
Server response: a spam trap address is only efficient if it gets included in a spammer's address list and if it stays there, so I should make sure my server answers the first attempt in a way that does not make him think that address is problematic and should be removed from his list. Defining a /dev/null alias should do it.

Looking for an SPF milter

Tanguy — Fri, 07 Jun 2013 18:14:00 +0000

For email extensions such as SPF, DKIM and DMARC, I think the most flexible and portable system is the milter protocol. Originally developed for Sendmail, it is now also supported by Postfix, and it allows to “plug” specific filters in the mail server without the hassle of the previous systems like SMTP proxies.

SPF milters in Debian

OpenDKIM provides a good milter for checking DKIM. OpenDMARC provides a similar milter for DMARC. But the situation is more difficult for SPF in Debian — which is a requirement for DMARC! :

spf-milter: It was based on the buggy libspf0 and was never updated to libspf2, and was finally removed from Debian;
spf-milter-python: This one seems a bit Sendmail-centric — it uses a dbm configuration file for instance — and not very documented.

Packaging a new SPF milter?

There are other milters for SPF, which have not been packaged for Debian yet, but I am ready to package one. Has anybody tried another SPF milter?

spfmilter: Still in beta test, still to be ported to libspf2 which may never happen since it was not updated since 2005.
smf-spf: Based on libspf2, seems rather neat, with a clean configuration, but inactive since 2007.
milter-spiff: Proprietary.

Camera with a standard USB cable?

Tanguy — Tue, 17 Apr 2012 19:01:00 +0000

Since some years, there has been a movement towards standardization: mobile devices are now using Micro-USB for data transfer and charging, and SD or Micro-SD for storage extension (except Apple of course).

One piece is lacking to this perfection, however; as far as I know, digital camera producers did realize that SD won for storage, but they do not seem to have acknowledged the Micro-USB standard yet.

Now, since manufacturers and resellers do not indicate the connector type, I have no way to be sure that this is still the case. So, dear lazyweb, do you know if, by chance, there exists a compact digital camera that would use SD cards and a Micro-USB connector for data transfer and integrated charging?

Opportunistic SSH agent

Tanguy — Mon, 20 Feb 2012 13:19:00 +0000

To use an SSH agent, one usually has to:

launch the agent;
add his key to it.

The first step can be automated in the desktop or shell startup script (this is a typical use case for login shell-only startup scripts, by the way), but the second one cannot if your private key is protected by a passphrase.

Opportunistic key loading

GNOME Keyring includes an SSH agent which has an interesting feature I call “opportunistic key loading”: it asks for the passphrase to decrypt the private key the first time it is needed. This feature mimics the behaviour of PGP agents, and eliminates the second step I previously mentioned.

Question

Do you know if there exists another SSH agent able to do opportunistic key loading?