[SLL] anyone use spam traps? (SMTP tarpits or bogus email addresses?)
Bill Campbell
bill at celestial.com
Thu Feb 22 19:30:39 PST 2007
On Thu, Feb 22, 2007, Jeremy C. Reed wrote:
>Do any of you use spam traps? SMTP tarpits or bogus email addresses to
>catch spammers?
>
>For a while I have used fun at reedmedia.net and spamtrap at reedmedia.net to
>catch spammers in a tarpit. Interesting how they continue to come back. It
>usually wastes about 6.5 minutes per connection -- so hopefully I have
>helped limit 130 or so other spam connections. My spamtrap email addresses
>always exist, but when hit, the IP is added to my tarpit list for 24
>hours.

We get at least a thousand spamtrap hits a day, mostly to addresses like
user at eskimo.celestial.com, going back to the days when we provided dialup
uucp for e-mail and news for Eskimo North and others in the Puget Sound
area. We used to block on these, but got far too many false
positives.

In my experience blocking on spamtrap addresses creates more problems than it
solves in terms of false positives. We still have spamtrap processing that
automatically adds the IP address to a DNSRBL, and saves the messages, but we
no longer use that DNSRBL.

>Also I noticed that 200.243.12.130 attempted to send to bogus
>PaytonBArlenequark at bsdnewsletter.com 80 times! (That was just a
>non-existent user -- now I have added that as a spam trap too.)

Using a combination of DNSRBLs and postfix pattern files, we have sites
rejecting about a million connection attempts, and accepting about a
half-million, running amavisd and clamav where the load average rarely gets as
high as 1.00 (the border server passes mail that clamav passes in to a
cluster of servers for spamassassin checking and delivery).

Here's the pertinent part of our postfix main.cf file which I find does a
good job of limiting incoming spam with few false positives. We do have to
whitelist a few IP addresses each month where the DNS is set up poorly
(e.g. it has no rDNS or the hostname returned by the rDNS returns a
different IP address than the one connecting).

smtpd_recipient_restrictions =
	check_recipient_access pcre:/csoft/etc/postfix/recipientchecks
	permit_mynetworks
	check_client_access hash:/csoft/etc/postfix/whitehatlist
	check_client_access hash:/csoft/etc/postfix/dialupchecks
	check_client_access whoson:whoson.celestial.com:9876
	check_helo_access pcre:/csoft/etc/postfix/helochecks
	check_client_access pcre:/csoft/etc/postfix/clientchecks
	reject_rbl_client guardian.celestial.net
	reject_rbl_client dul.dnsbl.sorbs.net
	reject_rbl_client sbl-xbl.spamhaus.org
	reject_rbl_client korea.services.net
	reject_rbl_client combined.njabl.org
	reject_rbl_client ubl.unsubscore.com
	reject_unknown_client
	reject_unknown_sender_domain
	reject_unauth_pipelining
	permit_mx_backup
	reject_unauth_destination

Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
``Unix is simple. It just takes a genius to understand its simplicity'' --
Dennis Ritchie
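
Added example, not part of the original message or of Celestial's setup: a Python check that sorts a client IP into the DNS problems the message says force a whitelist entry (no rDNS, or an rDNS hostname that resolves to a different IP), so a rejected sender can be diagnosed before it is whitelisted. The function names, verdict strings and sample hosts are assumptions made for illustration.

```python
import ipaddress
import socket

def ptr_lookup(ip):
    """Return the rDNS (PTR) hostname for ip, or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_lookup(hostname):
    """Return the set of addresses that hostname resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    # Strip any IPv6 scope id ("%eth0") so the address parses cleanly.
    return {info[4][0].split("%")[0] for info in infos}

def fcrdns(ip, ptr=ptr_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS check.

    Returns (verdict, hostname); verdict is 'ok', 'no-rdns',
    'forward-fails' or 'mismatch' (hypothetical labels).
    """
    name = ptr(ip)
    if not name:
        return ("no-rdns", None)
    addrs = forward(name)
    if not addrs:
        return ("forward-fails", name)
    want = ipaddress.ip_address(ip)
    if any(ipaddress.ip_address(a) == want for a in addrs):
        return ("ok", name)
    return ("mismatch", name)

# Constructed sample data using documentation address ranges, not real hosts.
SAMPLE_PTR = {"192.0.2.10": "mail.example.org",
              "192.0.2.20": "host20.example.net",
              "192.0.2.30": "gone.example.com"}
SAMPLE_A = {"mail.example.org": {"192.0.2.10"},
            "host20.example.net": {"198.51.100.7"}}

def check_sample(ip):
    """Run fcrdns() against the constructed tables instead of live DNS."""
    return fcrdns(ip, ptr=SAMPLE_PTR.get,
                  forward=lambda h: SAMPLE_A.get(h, set()))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip, *check_sample(ip))
```

Calling `fcrdns(ip)` with the default resolvers queries live DNS through the system resolver.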