Date:      Tue, 27 Apr 2010 14:31:06 -0500
From:      John <john@starfire.mn.org>
To:        freebsd-questions@freebsd.org
Subject:   Really simple spam trap - /dev/pf permissions?
Message-ID:  <20100427193106.GA91570@elwood.starfire.mn.org>

I have done a monkey-simple spam trap.  It just so happens that I have
a dozen or more user accounts that haven't been actually used in over five
years and get dozens of spam hits every day.  I had been just sending
them all to /dev/null with a sendmail alias.

It seems to me that these are perfect trap e-mails for spam, and
in the course of playing with what I'm attempting to do, it really
does look like the only thing that hits them are spam messages.

So, I built this really simple perl script, which gets invoked through
a sendmail alias, as such:
sink:	"| /home/john/spamsink >> /tmp/blacklist"
and then I alias various of the old, dead accounts to "sink".

The script is as follows:

-- begin script
#!/usr/bin/perl
use strict;
use warnings;

# This script is invoked as a program from a sendmail mail alias
# and scans for source IP addresses, which it then adds to
# the spammer pfctl table.

$| = 1;

# The message arrives with an envelope "From " line first; the
# Received: header of interest is the first one found after it.
my $seekfrom = 1;
while (<STDIN>) {
    if ($seekfrom > 0) {
        $seekfrom = 0 if (/^From /);
    }
    else {
        if (/^Received: from .*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]/) {
            my $harvestip = $1;
            $seekfrom = 1;
            # Don't block localhost!
            if ($harvestip ne '127.0.0.1') {
                print "Adding $harvestip to spammers table\n";
                # List form of system(): no shell is involved, so the
                # harvested string can only ever be one argument to pfctl.
                system('/sbin/pfctl', '-t', 'spammers', '-T', 'add', $harvestip);
            }
        }
    }
}

exit 0;
-- end script

Note that it takes just the first "received" line that it finds after
the "From".  Looking at incoming messages, that seemed to always be
the Received line that refers to it reaching my server, which is really
the only connection I can do anything about from an IP firewall.

(Obviously, I'll want to add to my cron scripts to age entries out
of the spammers table, just to keep it down to a manageable size.
I already have two dozen entries.)

The Packet evaluation count for the rule that uses the spammers
table is already showing 538 hits, so I suspect that this may
actually be doing some good.  I'll monitor this for a few days and
see how things are going.  If it doesn't actually reduce the amount
of spam I get, this will have been fun and interesting, but not
useful.

This seems to be working pretty well, and I'll eventually take the
print statement out, but I'm not sure why I had to make /dev/pf
public read/write in order to get the pfctl command to work.

What is the best solution to be able to add to my spammers table
in pf without making it public read/write?
-- 

John Lind
john@starfire.MN.ORG
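One way to answer the closing question without loosening /dev/pf at all, as an added example and not code from the original post: leave the alias script unprivileged and have it only append each harvested address to a spool file, then let a root-owned cron job validate and load them. The job name (spamtrap-drain), the spool path and the use of pfctl's table expiry for the aging the poster mentions are assumptions.

```shell
#!/bin/sh
# Root cron job (added example, not the poster's code): drains addresses the
# alias script appended to $SPOOL (one IPv4 per line) into the pf "spammers"
# table, so the alias script itself never needs to open /dev/pf. Assumed: spool
# path, invocation as "spamtrap-drain run", spool dir writable by the alias user.
set -eu
SPOOL="${SPOOL:-/var/spool/spamtrap/pending}"
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="spammers"
MAX_AGE="${MAX_AGE:-604800}"   # seconds of inactivity before an entry is expired

# Strict dotted quad: digits and dots only, exactly four octets, each 0-255.
# This is the only check between spool contents and the pfctl command line.
is_ipv4() {
    ip=$1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# The poster's script skips 127.0.0.1; refuse the whole loopback block.
is_loopback() {
    case $1 in 127.*) return 0 ;; *) return 1 ;; esac
}

# Take the batch atomically (the alias script then appends to a fresh file),
# collapse duplicates, validate every line, add only the survivors.
drain_spool() {
    spool=$1
    [ -s "$spool" ] || return 0
    work="$spool.$$"
    mv "$spool" "$work"
    sort -u "$work" | while IFS= read -r ip; do
        if is_ipv4 "$ip" && ! is_loopback "$ip"; then
            "$PFCTL" -t "$TABLE" -T add "$ip"
        else
            echo "spamtrap: rejected spool line: $ip" >&2   # cron mails this to root
        fi
    done
    rm -f "$work"
}

case "${1:-}" in
    run) drain_spool "$SPOOL"
         "$PFCTL" -t "$TABLE" -T expire "$MAX_AGE" ;;   # age out idle entries
esac
```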
