At this point we've covered quite some ground, and I'm more than happy to present something really useful: PF as a means to make spammers' lives harder. Based on our recent exposure to PF rulesets, understanding the following /etc/pf.conf parts should be straightforward:
    table <spamd-white> persist
    table <nospamd> persist file "/etc/mail/nospamd"

    pass in on egress proto tcp to any port smtp divert-to 127.0.0.1 port 8025
    pass in on egress proto tcp from <nospamd> to any port smtp
    pass in log on egress proto tcp from <spamd-white> to any port smtp
    pass out log on egress proto tcp to any port smtp
or in pre-OpenBSD 4.7 syntax:
    table <spamd-white> persist
    table <nospamd> persist file "/etc/mail/nospamd"

    rdr pass in on egress proto tcp to any port smtp -> 127.0.0.1 port 8025
    pass in on egress proto tcp from <nospamd> to any port smtp
    pass in log on egress proto tcp from <spamd-white> to any port smtp
    pass out log on egress proto tcp to any port smtp
We have two tables; for now it's sufficient to note their names and the fact that these names have a special meaning in this context. The first rule sends all incoming SMTP traffic to a daemon listening on port 8025; the two rules that follow it match the same traffic, but only when the source address is found in one of the tables, and carry no redirection. Since PF's last matching rule wins (none of these rules use quick), a connection from a tabled address is passed straight through to the real mail server, while every other SMTP connection is redirected to port 8025. Note that the ordering matters: placing the redirect rule after the table rules would redirect the whitelisted hosts as well. The <nospamd> table is loaded from /etc/mail/nospamd, a plain text file with one address or network per line, for hosts you never want stalled.
The application which uses these tables, spamd, is a fake SMTP daemon, designed to waste spammers' time and keep their traffic off our net. That's what lives at port 8025, and the last part of our session here will be centered around how to make good use of that software.
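To make the last-match behaviour concrete, here is an added example (not from the tutorial and not part of PF) that models PF's rule evaluation for the OpenBSD 4.7-style ruleset above. It parses just the subset of pf.conf syntax those four rules use, evaluates an inbound SMTP connection from a given source, and reports whether the winning rule carries a divert-to. The table contents, the source addresses and the deliberately misordered variant of the ruleset are constructed for the example. It supports neither the pre-4.7 rdr syntax nor quick, state, or any of PF's other options.

```python
"""Model of PF last-matching-rule evaluation for the spamd ruleset.

Added example, not from the original page and not PF's own code. It handles
only the syntax used by the four SMTP rules in the tutorial:
  pass in|out [log] on egress proto tcp [from <table>] to any port smtp
       [divert-to ADDR port PORT]
"""
import ipaddress
import re

# Constructed sample table contents (assumption, not taken from the page).
TABLES = {
    "spamd-white": ["192.0.2.10"],          # a host spamd has whitelisted
    "nospamd": ["198.51.100.0/24"],         # a network from /etc/mail/nospamd
}

# The tutorial's ruleset: divert first, table-based pass rules after it.
RULESET = """
pass in on egress proto tcp to any port smtp divert-to 127.0.0.1 port 8025
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
"""

# Constructed misordering: same rules, but the divert rule placed last.
MISORDERED_RULESET = """
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
pass in on egress proto tcp to any port smtp divert-to 127.0.0.1 port 8025
"""

RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)(?:\s+log)?\s+on\s+egress\s+proto\s+tcp"
    r"(?:\s+from\s+<(?P<table>[\w-]+)>)?\s+to\s+any\s+port\s+smtp"
    r"(?:\s+divert-to\s+(?P<daddr>\S+)\s+port\s+(?P<dport>\d+))?$"
)


def parse_rules(text):
    """Parse the supported pf.conf subset into a list of rule dicts, in order."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported pf syntax in this model: " + line)
        divert = None
        if m.group("daddr"):
            divert = (m.group("daddr"), int(m.group("dport")))
        rules.append({"dir": m.group("dir"), "table": m.group("table"),
                      "divert": divert, "text": line})
    return rules


def in_table(addr, name):
    """True if addr falls inside any address or network listed in the table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in TABLES[name])


def evaluate(rules, src, direction="in"):
    """Return the last matching rule, as PF does when no rule uses 'quick'."""
    winner = None
    for rule in rules:
        if rule["dir"] != direction:
            continue
        if rule["table"] and not in_table(src, rule["table"]):
            continue
        winner = rule          # a later match overrides an earlier one
    return winner


def is_diverted(src, ruleset=RULESET):
    """True if an SMTP connection from src ends up at the spamd listener."""
    rule = evaluate(parse_rules(ruleset), src)
    return rule is not None and rule["divert"] is not None


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.7", "192.0.2.10"):
        print(src, "diverted" if is_diverted(src) else "passed through",
              "| misordered:", "diverted" if is_diverted(src, MISORDERED_RULESET)
              else "passed through")
```

Running it shows the unlisted host 203.0.113.5 being diverted while the <nospamd> and <spamd-white> hosts pass straight through; with the divert rule moved to the end, all three are diverted, which is exactly the mistake the rule order in the tutorial avoids.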
This is about the OpenBSD spam deferral daemon spamd(8), not the SpamAssassin component
Please note that this text describes the OpenBSD spam deferral daemon spamd(8), not the similarly named program that is part of the Apache project's SpamAssassin content filtering system. The spam deferral daemon and the content filtering system complement each other well and can even coexist on the same system (the binaries install to different paths unless you've done something you shouldn't have). If you're primarily interested in the content filtering system, please head over to spamassassin.apache.org for information on that system.
The main point underlying the spamd design is the fact that spammers send a large number of messages, and the probability that you are the first person receiving a particular message is incredibly small. In addition, spam is mainly sent via a few spammer-friendly networks and a large number of hijacked machines. Both the individual messages and the machines are reported to blacklists fairly quickly, and this blacklist data is what spamd acts on when deciding which connections to stall; the <spamd-white> table in our example, as its name suggests, holds the hosts spamd has decided to let through to the real mail server.