Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


ANTI-SPAM - TARPITS

I do not like spam - at all. I have already gone through a couple of articles on how to use postfix and other software to help combat this scourge of the internet. Well here is something else you can do to make spammers lives a bit more difficult, a smtp tarpit. You see a spammer lives on speed, it is the speed at which they can send emails which makes their job worthwhile, by implementing a tarpit you slow down any spam attempts, thus starving any potential spammers of their most precious resource.

What do you need?
Well, you need a linux box with perl, xinetd, iptables and your email server. Now I am also using a postfix/amavisd/spamassassin combination, so my script for getting my blacklisted IP addresses centres around that and may need to be adapted. You also need to download a very nifty perl script called smtarpit (from here). Once you have the smtarpit file, do the following;
Ok, now you need to set it up to listen. I used the xinetd telnet configuration file as I sure as heck am never actually going to use telnet. So put this in /etc/xinetd.d/telnet ..
service telnet
{
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = root
       server          = /usr/local/bin/smtarpit
       log_on_success  = PID HOST
       log_on_failure  = HOST USERID
       instances       = 10
}

Now when you start xinetd, you should have a listening process on port 23. Once thats done, we are all set to divert all the nasties there.

Making life difficult
I use the following script to grep through my mail log and filter out any bad people, I then add them to master blacklist which I then use to setup diverts into my smtp tarpit. I am assuming that your email server has no firewall rules setup, if it has the script will need modification (put it into a separate chain or something). Also, I make no claim that my script is a work of art, you are free to use it and change it, it works for me and thats it. I have it in my /admin/bin folder called spam-ip..
#SETUP VARIABLES
MASTER=/admin/conf/mast.ip
LOG=/var/log/maillog
TMP=/tmp/tmp.ip.bl
ADD=/admin/conf/other.ip
EXCEPT="<exception ip addresses>"
FLAG=0

#GETTING IP'S - USED FOR POSTFIX/AMAVISD/SPAMASSASSIN
echo "Getting IP's.."
cat $LOG | grep -e "Blocked SPAM" | gawk '{ print $9 }' | cut -f 2 -d "[" | cut -f 1 -d "]" | sort | uniq >> $TMP
cat $LOG | grep -e "blocked using" | gawk '{ print $10 }' | cut -f 2 -d "[" | cut -f 1 -d "]" | sort | uniq > $ADD

#CREATING THE MASTER LIST
cat $ADD >> $TMP
cat $MASTER >> $TMP
cat $TMP | sort | uniq > $MASTER
cat $MASTER > $TMP
rm -rf $MASTER
touch $MASTER

#REMOVE YOUR EXCEPTIONS
for t in `cat $TMP`
 do
  FLAG=0
  for k in $EXCEPT
   do
    if [ "$t" == "$k" ]
     then
      echo match
      FLAG=1
     fi
   done
  if [ $FLAG == 1 ]
   then
    echo match2
   else
    echo $t >> $MASTER
  fi
 done

#CREATE A SYSLOG MESSAGE OF THE NUMBER OF BLOCKED IP'S
CNT=`cat $MASTER | wc -l`
echo "Got $CNT unique IP's.."
logger "==smtarpit== $CNT unique IP's.."

#CLEAR THE FIREWALL
iptables -t nat -F

#BLACKLISTING THE IP'S
echo "Blacklisting IP's.."
for x in `cat $MASTER`
 do
  iptables -t nat -A PREROUTING -s $x -d <mail_server> -m tcp -p tcp --dport 25 -j DNAT --to-dest <mail_server>:23
 done

rm -rf $TMP

I then schedule it hourly through crontab..
50 * * * * /admin/bin/spam-ip

So once thats done, a spammer can send me one mail or he needs to end up on a RHBL server and I will then divert him to the tarpit, where he can sit for as long as he likes while I laugh. The cronjob also ensures that it will keep updating itself. To check the logs you can check the files in /usr/local/etc/log or if you want to see the current status, use the smtpcli utility.

Final Words
A tarpit is a way of making the spammers life a bit more difficult, it also has the knock-on effect of dropping the load on your email server system as your server no no longer has to process all that junk. We can also live in the hope that if a spammer gets stuck for long enough that they will remove you from the list altogether. As always, have fun and learn.