Spam traps


Spam traps

נור דאוד
Hello people,
 
I have Postfix 2.6 running on FreeBSD 7.0/amd64. Postfix is set to make use of DNSBL services, and is actually doing a good job in deterring spam and unwanted senders. I am also using DSPAM set as a relay. Postgrey is also present.
 
Now I wish to set up spam traps (fake e-mail addresses, planted in websites that we operate) so they'd be harvested by spammers. Eventually, those addresses will get onto spam lists and help feed the DSPAM engine with 99% spam.
 
I've read lots of documentation about Postfix and UCE control, but I am still unable to set Postfix to do what I want, which is presented in chronological order below:
 
0) Permit SASL authenticated
1) Check the headers; if the recipient's address matches any of the spam trap addresses, let the connection continue.
2) Activate Postgrey.
3) Check DNSBL's.
4) Other checks (sender domain, unknown hostname, fqdn, etc.)
5) Permit
 
I hope someone has done this and can help. Thanks!
 
Noor
 

Re: Spam traps

mouss-2
נור דאוד wrote:

> Hello people,
>  
> I have Postfix 2.6 running on FreeBSD 7.0/amd64. Postfix is set to make use of DNSBL services, and is actually doing a good job in deterring spam and unwanted senders. I am also using DSPAM set as a relay. Postgrey is also present.
>  
> Now I wish to set up spam traps (fake e-mail addresses, planted in websites that we operate) so they'd be harvested by spammers. Eventually, those addresses will get onto spam lists and help feed the DSPAM engine with 99% spam.
>  
> I've read lots of documentation about Postfix and UCE control, but I am still unable to set Postfix to do what I want, which is presented in chronological order below:
>  
> 0) Permit SASL authenticated
> 1) Check the headers; if the recipient's address matches any of the spam trap addresses, let the connection continue.
>  

no, do not check the headers. check the envelope recipient
(check_recipient_access). see below.

> 2) Activate Postgrey.
> 3) Check DNSBL's.
> 4) Other checks (sender domain, unknown hostname, fqdn, etc.)
> 5) Permit
>  
> I hope someone has done this and can help. Thanks!
>  
> Noor
>  
>
>  

This involves multiple things:

1- the traps must be valid addresses. you can simply use
virtual_alias_maps to redirect them to a single spam trap mailbox.

2- accept mail for the traps:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/trap_access

== trap_access
[hidden email]   OK
[hidden email]   OK
...

3- either do rewrite before dspam or configure dspam to know about the
traps (otherwise, you'll get a "dictionary" per spam trap)

few notes:

- In theory at least, traps published on web sites are not completely
safe. (a spammer can use the address to register somewhere, and the
confirmation request will go to the trap, which will pollute your
database). In practice, they may be safe though (if they get a lot more
spam than ham).

PS. I don't know for you, but I get a lot of connections to addresses
with many numbers (phone-style addresses, message-id strings confused
with addresses, ... etc). this gives "free" traps with pcre:
/\d{5}\.*@example\.com$/.
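
A small model of the recipe above, added here as an example and not code from the thread: it renders the trap_access and virtual alias map lines from a trap list (the files Noor later regenerates from cron), anchors the "free trap" regex so it only matches all-digit local parts, and walks a prefix of smtpd_recipient_restrictions the way Postfix does, so the effect of the ordering is visible: trap recipients get OK and skip Postgrey and the DNSBL, other recipients fall through to those checks, and because reject_unauth_destination comes first an OK entry can never turn the server into a relay. The domains, addresses and alias target are constructed.

```python
import re

# Constructed sample data (not from the thread): the local domains Postfix
# accepts mail for, and two trap addresses planted on the web sites.
MYDESTINATION = {"example.com", "mail.example.com"}
TRAPS = ["trap-a@example.com", "trap-b@example.com"]

# mouss's "free trap" idea, anchored at both ends so it only fires when the
# whole local part is a run of five or more digits (phone-number-style).
FREE_TRAP_RE = re.compile(r"^\d{5,}@example\.com$")

def render_access_map(traps):
    """Lines for the hash: access map used by check_recipient_access."""
    return "".join(f"{addr}   OK\n" for addr in traps)

def render_alias_map(traps, target):
    """Lines for virtual_alias_maps, folding every trap into one mailbox."""
    return "".join(f"{addr}   {target}\n" for addr in traps)

def is_free_trap(rcpt):
    return FREE_TRAP_RE.match(rcpt.lower()) is not None

def evaluate(restrictions, rcpt, *, sasl=False, in_mynetworks=False, trap_map=()):
    """Walk a prefix of smtpd_recipient_restrictions the way Postfix does:
    the first restriction answering OK or REJECT ends the walk, DUNNO moves on.
    'DUNNO' at the end means the later checks (Postgrey, DNSBL) still run."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    for r in restrictions:
        if r == "permit_sasl_authenticated" and sasl:
            return "OK"
        if r == "permit_mynetworks" and in_mynetworks:
            return "OK"
        if r == "reject_unauth_destination" and domain not in MYDESTINATION:
            return "REJECT"
        if r == "check_recipient_access" and rcpt in trap_map:
            return "OK"  # map says OK: greylisting and DNSBL are skipped for traps
    return "DUNNO"

# mouss's order: relay control comes first, so an OK for a trap can never
# make the server relay for a domain it is not responsible for.
SAFE_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
              "reject_unauth_destination", "check_recipient_access"]
# The same list with the access check ahead of reject_unauth_destination,
# kept only to make the ordering caveat concrete.
RISKY_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
               "check_recipient_access", "reject_unauth_destination"]
```

Feed the rendered text to postmap to build the hash: files; an entry that matched a recipient outside mydestination is harmless with SAFE_ORDER and a relay hole with RISKY_ORDER.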








RE: Spam traps

נור דאוד
Re: Spam traps
OK, this is starting to work, but now I have another problem:
Since master.cf is configured to relay all successful connections (that pass smtpd_recipient_restrictions) to DSPAM (using -o content_filter=lmtp:unix:dspam/socket), it seems Postfix with its current configuration doesn't recognize the local alias maps. The config is as follows:
 
main.cf
 
local_recipient_maps = unix:passwd.byname, $alias_maps
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = $alias_database
mynetworks = 127.0.0.0/24
myhostname = mail.example.com
mydomain = example.com
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain
virtual_maps = mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
virtual_alias_maps = hash:/usr/local/etc/postfix/dspam_recipient_maps, hash:/usr/local/etc/postfix/dspam_spam_traps_aliases, $virtual_maps
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access regexp:/usr/local/etc/postfix/dspam_spam_traps, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, check_recipient_access pcre:/usr/local/etc/postfix/dspam_disllow_unauth, permit
 
dspam_recipient_maps: (used for spam-/notspam-) forwards, feeds sent by users to DSPAM
 
dspam_spam_traps:
 
dspam_spam_traps_aliases:
[hidden email]   localuser
 
aliases:
localuser:   "|/usr/local/bin/dspam --user globalgroup --class=spam --source=corpus"

As mentioned before, when I fake a connection and request to send an Email to ([hidden email]), which is a trap address, Postfix relays the message to DSPAM (per master.cf's setting) and doesn't look at the aliases file (which would fire dspam --user globalgroup --class=spam --source=corpus)
 
Where's the problem in the configuration?
 
Thanks in advance!
 
Noor
 
 


From: [hidden email] on behalf of mouss
Sent: Sun 08/06/2008 21:42
Cc: [hidden email]
Subject: Re: Spam traps


Re: Spam traps

mouss-2
נור דאוד wrote:

> OK, this is starting to work, but now I have another problem:
> Since master.cf is configured to relay all successful connections (that pass smtpd_recipient_restrictions) to DSPAM (using -o content_filter=lmtp:unix:dspam/socket), it seems Postfix with its current configuration doesn't recognize the local alias maps. The config is as follows:
>  
> main.cf
>  
> local_recipient_maps = unix:passwd.byname, $alias_maps
> alias_database = hash:/usr/local/etc/postfix/aliases
> alias_maps = $alias_database
> mynetworks = 127.0.0.0/24
> myhostname = mail.example.com
> mydomain = example.com
> myorigin = $myhostname
> mydestination = $myhostname, localhost.$mydomain
> virtual_maps = mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
> virtual_alias_maps = hash:/usr/local/etc/postfix/dspam_recipient_maps, hash:/usr/local/etc/postfix/dspam_spam_traps_aliases, $virtual_maps
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access regexp:/usr/local/etc/postfix/dspam_spam_traps, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, check_recipient_access pcre:/usr/local/etc/postfix/dspam_disllow_unauth, permit
>  
> dspam_recipient_maps: (used for spam-/notspam-) forwards, feeds sent by users to DSPAM
> [hidden email] <mailto:[hidden email]>       [hidden email] <mailto:[hidden email]>
> [hidden email] <mailto:[hidden email]>  [hidden email] <mailto:[hidden email]>
>  
> dspam_spam_traps:
> [hidden email] <mailto:[hidden email]>    OK
>  
> dspam_spam_traps_aliases:
> [hidden email] <mailto:[hidden email]>    localuser
>  
> aliases:
> localuser:   "|/usr/local/bin/dspam --user globalgroup --class=spam --source=corpus"
>
> As mentioned before, when I fake a connection and request to send an Email to ([hidden email] <mailto:[hidden email]> ), which is a trap address, Postfix relays the message to DSPAM (per master.cf's setting) and doesn't look at the aliases file (which would fire dspam --user globalgroup --class=spam --source=corpus)
>  
> Where's the problem in the configuration?
>  

since you have a content_filter, all mail will be passed to the content
filter. if you configure dspam in relay mode, then dspam will pass mail
to postfix after filtering, and your aliases should work.

if they don't, then you may have configured dspam to deliver directly
(bypassing postfix).

check your logs for all lines related to a test message. then post these
lines here.

if your problem is different, please explain more clearly.

PS. Please do not top post. put your replies after the text you reply to
(as I am doing here).

RE: Spam traps

נור דאוד
Re: Spam traps

> since you have a content_filter, all mail will be passed to the content
> filter. if you configure dspam in relay mode, then dspam will pass mail
> to postfix after filtering, and your aliases should work.
>
> if they don't, then you may have configured dspam to deliver directly
> (bypassing postfix).
>
> check your logs for all lines related to a test message. then post these
> lines here.
>
> if your problem is different, please explain more clearly.
>
> PS. Please do not top post. put your replies after the text you reply to
> (as I am doing here).

Hi again,
 
I am using DSPAM in relay mode, it gets messages from Postfix and it re-injects back to Postfix using another port -- snippet from master.cf:
 
#
# Mail enters here... Firewall is responsible to direct external port 25 to internal port 20025
#
20025      inet  n       -       n       -       -       smtpd
        -o content_filter=lmtp:unix:dspam/socket
 
#
# Messages that are permitted by (smtpd_recipient_restrictions) are directed to this content_filter.
#
 
#
# DSPAM re-injects using this port...
#
20026      inet  n       -       -       -       -       smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
This is NOT what I want for messages that are directed to spam trap addresses. What I want is that trap addresses DO NOT go all the way to DSPAM through the content filter above, but rather use the aliases file, because then I can feed DSPAM and ask it to filter. From the aliases file:
 
#
# Found in aliases file...
#
dspam: "|/usr/local/bin/dspam --user globalgroup --class=spam --source=corpus"
 
And how am I directing spam addresses to local aliases file? Using virtual_alias_maps.
 
Is this clear enough?
 
Noor
 
 

Re: Spam traps

mouss-2
נור דאוד wrote:

> Hi again,
>  
> I am using DSPAM in relay mode, it gets messages from Postfix and it re-injects back to Postfix using another port -- snippet from master.cf:
>  
> #
> # Mail enters here... Firewall is responsible to direct external port 25 to internal port 20025
> #
> 20025      inet  n       -       n       -       -       smtpd
>         -o content_filter=lmtp:unix:dspam/socket
>  
> #
> # Messages that are permitted by (smtpd_recipient_restrictions) are directed to this content_filter.
> #
>  
> #
> # DSPAM re-injects using this port...
> #
> 20026      inet  n       -       -       -       -       smtpd
>         -o content_filter=
>         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>         -o smtpd_helo_restrictions=
>         -o smtpd_client_restrictions=
>         -o smtpd_sender_restrictions=
>         -o smtpd_recipient_restrictions=permit_mynetworks,reject
>         -o mynetworks=127.0.0.0/8
>         -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> This is NOT what I want for messages that are directed to spam trap addresses. What I want is that trap addresses DO NOT go all the way to DSPAM through the content filter above, but rather use the aliases file, because then I can feed DSPAM and ask it to filter. From the aliases file:
>  
> #
> # Found in aliases file...
> #
> dspam: "|/usr/local/bin/dspam --user globalgroup --class=spam --source=corpus"
>  
> And how am I directing spam addresses to local aliases file? Using virtual_alias_maps.
>  
>  


The easy way is to "opt out" the trap addresses in dspam (ask on the dspam
list for more info on how to do that).

if you want to skip dspam at once, then you can use multiple instances
of postfix (run postfix multiple times, not create multiple smtpd
listeners in master.cf), and use transport_maps instead of content_filter.




RE: Spam traps

נור דאוד
Re: Spam traps
> The easy way is to "opt out" the trap addresses in dspam (ask on the dspam
> list for more info on how to do that).
>
> if you want to skip dspam at once, then you can use multiple instances
> of postfix (run postfix multiple times, not create multiple smtpd
> listeners in master.cf), and use transport_maps instead of content_filter.
 
OK, this has helped now. I've touched a few files in $DSPAM_HOME/opt-out/example.com/foobar.nodspam and the address ([hidden email]) is ignored silently by DSPAM on the first run. After being re-injected, Postfix then identifies that the recipient is a local address, and fires the relevant program as configured in the aliases file.
 
I've put a cronjob to re-generate the spam traps map file, and to reload Postfix in case of new entries.
 
Thanks for the help!
 
Noor