Sunday, April 10, 2011

Postfix as a spam trap server

If you want to build a spam trap with Postfix, this is very easy to do. You don't even have to configure Postfix itself to act as a spam trap.
Postfix ships with a neat tool called smtp-sink which does the trick.
smtp-sink is mainly intended as a testing tool for SMTP clients that need a server to play with, so you can configure it to log the whole conversation or even dump each received mail to a file. The latter is what a spam trap needs.

There is no configuration file for smtp-sink; everything is done via command-line options.
smtp-sink -c -d "%Y%m%d%H/%M." -f . -u postfix -R /tmp/ -B "550 5.3.0 The recipient does not like your mail. Don't try again." -h spamtrap.example.com 25 1024
Let's have a closer look at each parameter.
  • -u postfix
    Runs the program under the user "postfix".
  • -R /tmp/
    Sets the output directory to /tmp/; the mails are stored there. If you have a high spam volume (hundreds of spam mails per minute) it is recommended to write the mails to a ramdisk.
  • -d "%Y%m%d%H/%M."
    Writes each mail into a directory named in the format "YearMonthDayHour"; within that directory the files are named "Month.RandomID". Note that the dates are in UTC.
  • -c
    Writes statistics about connection counts and message counts to stdout while running.
  • -f .
    Rejects the mail after END-OF-DATA, but the mail is still saved. Cool, isn't it?!
  • -B "550 5.3.0 The recipient does not like your mail. Don't try again"
    This is the rejection message after END-OF-DATA.
  • -h spamtrap.example.com
    Announces the hostname spamtrap.example.com.
  • 25
    The port to listen on. It can be prefixed with an IP address or host name if you want to bind to a specific interface.
  • 1024
    The backlog: the number of connections that can wait in the TCP/IP stack before they get a free slot for sending mail.
You can find more information in the smtp-sink man page, but these are the important options for running a catch-all spam trap.
In this configuration the program accepts mail of any size from any sender to any recipient, over IPv4 and IPv6. The only restrictions are that at most 256 simultaneous connections are possible (with 1024 more queued), and that the program is flagged as experimental.
So do not use smtp-sink in a production environment.

The next step of a spam trap is to read the saved files, parse and interpret them, and then do whatever is needed. For example, block further connections from that IP via a firewall, feed it into a blacklist, scan the mails for viruses, or create checksums of them.
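As an added example of that post-processing step (my code, not part of the original post or of Postfix), the script below walks the -R directory with its "%Y%m%d%H" subdirectories, parses every dump file, records the sending IP and a SHA-256 checksum of the message body, and reports which IPs exceeded a hit threshold (candidates for a firewall block or a blacklist) and which bodies were seen more than once. It assumes that each dump file is a plain RFC 822 message to which smtp-sink has prepended X-Client-Addr:, X-Helo-Args:, X-Mail-Args: and X-Rcpt-Args: headers; the versions I have used do this, but check one real dump file before relying on it. The threshold HITS_PER_IP and all sample messages are constructed for the demonstration.

```python
"""Post-process smtp-sink -d dump files (added example, not from the original post)."""
import email
import hashlib
import ipaddress
import json
import tempfile
from collections import Counter
from pathlib import Path

HITS_PER_IP = 3  # assumed policy: this many mails from one IP makes it a block candidate

# Constructed sample messages: (client IP or None, HELO, MAIL FROM, body).
# Three hits from 192.0.2.10, one duplicate body from another IP, one file without
# the X-Client-Addr header (simulates a truncated or foreign dump file).
SAMPLES = [
    ("192.0.2.10", "mail.example.net", "<bounce@example.net>", "Buy now"),
    ("192.0.2.10", "mail.example.net", "<bounce@example.net>", "Buy now"),
    ("192.0.2.10", "mail.example.net", "<other@example.net>", "Different pitch"),
    ("198.51.100.7", "relay.example.org", "<noreply@example.org>", "Buy now"),
    (None, "unknown", "<x@example.org>", "No client header"),
]


def parse_dump(path):
    """Parse one dump file into the fields a spam trap needs."""
    raw = Path(path).read_bytes().replace(b"\r\n", b"\n")
    msg = email.message_from_bytes(raw)
    client = (msg.get("X-Client-Addr") or "").strip()  # assumed smtp-sink header
    try:
        client_ip = str(ipaddress.ip_address(client))
    except ValueError:
        client_ip = None  # header missing or malformed: keep the record, but no IP
    body = raw.partition(b"\n\n")[2]  # everything after the header block
    return {
        "file": str(path),
        "client_ip": client_ip,
        "helo": msg.get("X-Helo-Args"),
        "sender": msg.get("X-Mail-Args"),
        "recipient": msg.get("X-Rcpt-Args"),
        "subject": msg.get("Subject"),
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def scan_trap(root):
    """Walk the -R directory tree (one subdirectory per hour) and parse every file."""
    return [parse_dump(p) for p in sorted(Path(root).rglob("*")) if p.is_file()]


def summarize(records, hits_per_ip=HITS_PER_IP):
    """Count hits per IP and per body checksum; list IPs at or above the threshold."""
    per_ip = Counter(r["client_ip"] for r in records if r["client_ip"])
    per_hash = Counter(r["body_sha256"] for r in records)
    return {
        "messages": len(records),
        "per_ip": dict(per_ip),
        "block_candidates": sorted(ip for ip, n in per_ip.items() if n >= hits_per_ip),
        "duplicate_bodies": {h: n for h, n in per_hash.items() if n > 1},
    }


def write_sample_trap(root):
    """Write the constructed samples the way -d "%Y%m%d%H/%M." would lay them out."""
    hour_dir = Path(root) / "2011041012"  # what "%Y%m%d%H" produced at that hour (UTC)
    hour_dir.mkdir(parents=True, exist_ok=True)
    for i, (ip, helo, sender, body) in enumerate(SAMPLES, 1):
        headers = []
        if ip:
            headers.append(f"X-Client-Addr: {ip}")
        headers += [
            f"X-Helo-Args: {helo}",
            f"X-Mail-Args: {sender}",
            "X-Rcpt-Args: <trap@spamtrap.example.com>",
            f"From: {sender}",
            f"Subject: sample {i}",
        ]
        # "34." is the "%M." part of the pattern; the numeric suffix stands in for the ID
        (hour_dir / f"34.{i}").write_text("\n".join(headers) + "\n\n" + body + "\n")
    return hour_dir


def demo():
    """Build a throw-away trap directory from the samples and analyse it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_trap(tmp)
        records = scan_trap(tmp)
    return records, summarize(records)


if __name__ == "__main__":
    _, summary = demo()
    print(json.dumps(summary, indent=2))
```

Point scan_trap() at the real -R directory (and raise HITS_PER_IP to whatever volume you consider abusive) to get the block candidates; hashing only the body, not the headers, lets the same spam arriving under different envelopes collide, which is what a checksum-based feed wants.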

EDIT on 2011-04-12
The -B option is only available in newer versions of Postfix: it is missing in 2.7.1 and present in 2.8.2, so it was introduced somewhere in between.
