spamtrap/honeypot, backscatterer #161
Conversation
I take all these spam-trap mails and forward them to one single account which is then used to train SpamAssassin. Perhaps we can implement a more centralized solution in the future. Bounce address tag validation can be used to fight backscatter: https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Sorry, I didn't realize that this is actually a pull request.
```
# spamtrap write sender IP to BL file when receiving messages to special
# adresses defined in the file 'CONFDIR/spamtrap_receiver'
deny
message = ${run{/bin/bash -c "/bin/echo $sender_host_address >> /etc/exim4/local_host_blacklist;"}}
```
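Review bot: the blacklist write in `message = ${run{/bin/bash -c "/bin/echo $sender_host_address >> /etc/exim4/local_host_blacklist;"}}` is a side effect of a modifier that sits directly after `deny`, before any condition; Exim processes conditions and modifiers in the order written, so if the `recipients` check against CONFDIR/spamtrap_receiver comes later in the statement, this expansion (and the shell) runs for every RCPT, not only for spamtrap hits. Put the conditions first. The write also appends `$sender_host_address` with no deduplication and no timestamp, and the file feeds a permanent `hosts =` deny, so repeat hits add duplicate lines and an entry never expires; consider having `${run}` call a small script that records hits to a separate state file and regenerates `local_host_blacklist` with dedup and an expiry, which also removes the `bash -c` wrapper that exists only to get `>>` redirection.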
And where is /etc/exim4/local_host_blacklist used? If you block mails from hosts in /etc/exim4/local_host_blacklist, you have to consider that only an account was hijacked (gmail, yahoo, ...) and also a grace period after which you remove the host.
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt around line 216:

```
# deny bad sites (IP address)
# CONFDIR/local_host_blacklist holds a list of host names, IP addresses
# and networks (CIDR notation) that should have their access denied to
# The local host. Messages coming in from a listed host will have all
# RCPT statements rejected.
#
# The explicit white lists are honored as well as negative items in
# the black list. See exim4-config_files(5) for details.
deny
  message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
  !acl = acl_local_deny_exceptions
  hosts = ${if exists{CONFDIR/local_host_blacklist}\
               {CONFDIR/local_host_blacklist}\
               {}}
```
Regarding the DNSBL, we should update them urgently. Perhaps you can take over: https://github.com/vexim/vexim2/pull/127/files

I should have done two commits for that ;( About DNSBL: I don't use it, that's why I will not take #127.

On the spamtrap/honeypot:

Is it really worth running your own blacklist? Managing is a bit complicated and will be more efficient if you have a larger network of mail servers. I just got another idea, less perfect but easier to implement and to maintain:

Actually https://github.com/Exim/exim/wiki/AclSmtpRcpt is the source of my idea. I'm testing a new version now, using ipset and iptables to block blacklisted hosts before they hit Exim. After running the 'new' version for some days, I get just ~10% of the bad connections logged to the ipset blacklist.

I luckily don't have much of such mails, so it is difficult for me to test. For me the problem about these blacklists is that you need to keep an eye on them, you probably need to whitelist some hosts (google, hotmail, ...) because they are used from time to time to send spam. I started looking into the policyd-like features (#153), perhaps that will be already efficient enough.
spamtrap/honeypot:
define a list of email addresses which you lay out as bait on websites in "CONFDIR/spamtrap_receiver",
one address per line.
IPs of senders to these addresses will be logged to "/etc/exim4/local_host_blacklist"
and be rejected in the future.
Just put the bait email addresses in a hidden/invisible area on your website.
I gathered ~500 IPs in one month.

backscatterer:
As I see lots of mails coming from somewhere but the sender pretends to be my domain, I created this ACL:
mails from "[email protected]" to "[email protected]" will be checked against the backscatterer DNSBL.