-

freebsd pf spamd smtp distributed bruteforce

Configuration: I am using sendmail for smtp server. In front of the smtp server there is configured spamd server in greylisted mode.

# cat /etc/rc.conf
...
obspamd_enable="YES"
obspamd_flags="-4 -G 23:4:864 -h mail.chaosophia.net -l 127.0.0.1 -n \"open yourself for chaos\" -S10 -s1 -v -w1"
...
# cat /etc/pf.conf
...
rdr pass on $ext_if proto tcp from  to 78.128.27.117 port 25 -> 127.0.0.1 port 25
rdr pass on $ext_if proto tcp from ! to 78.128.27.117 port 25 -> 127.0.0.1 port 8025
...
The problem: since 15 of April spamd.log and spamdb start to increase too fast.
# less /var/log/spamd.log
...
Apr 15 01:48:53 chaosophia spamd[65751]: 186.137.96.185: connected (1/0)
Apr 15 01:49:05 chaosophia spamd[65751]: (GREY) 186.137.96.185: <schedulesxc42@yhbia.com> -> <ymyhdu@koue.net>
Apr 15 01:49:05 chaosophia spamd[65751]: (GREY) 186.137.96.185: <schedulesxc42@yhbia.com> -> <vyvtlv@koue.net>
Apr 15 01:49:06 chaosophia spamd[65751]: (GREY) 186.137.96.185: <schedulesxc42@yhbia.com> -> <segiqb@koue.net>
Apr 15 01:49:06 chaosophia spamd[65751]: (GREY) 186.137.96.185: <schedulesxc42@yhbia.com> -> <zojois@koue.net>
Apr 15 01:49:06 chaosophia spamd[65751]: 186.137.96.185: disconnected after 13 seconds.
Apr 15 01:50:19 chaosophia spamd[65751]: 190.107.105.160: connected (1/0)
Apr 15 01:50:32 chaosophia spamd[65751]: (GREY) 190.107.105.160: <dinedocj22@mthai.com> -> <prrueh@koue.net>
Apr 15 01:50:32 chaosophia spamd[65751]: (GREY) 190.107.105.160: <dinedocj22@mthai.com> -> <wdqbzq@koue.net>
Apr 15 01:50:32 chaosophia spamd[65751]: (GREY) 190.107.105.160: <dinedocj22@mthai.com> -> <zsiuwq@koue.net>
Apr 15 01:50:32 chaosophia spamd[65751]: (GREY) 190.107.105.160: <dinedocj22@mthai.com> -> <xbsfua@koue.net>
Apr 15 01:50:33 chaosophia spamd[65751]: 190.107.105.160: disconnected after 14 seconds.
...
# spamdb | wc -l
794
794 is too big value for my idle smtp server so I have started to examine the spamd.log file. Every few minutes few different smtp servers were trying to connect to my smtp server and were trying to send mail to unknown user: prrueh, wdqbzq, zsiuwq. I have been decided to start another spamd server in blacklisted mode and will redirect all of the spammers to collect wasted minutes.
# cat /etc/pf.conf
...
rdr pass on $ext_if proto tcp from  to 78.128.27.117 port 25 -> 192.168.100.102 port 8025
...
# pfctl -t spamd -T add 190.107.105.160
Blacklisted spamd:
# cat /var/log/spamd.log
...
Apr 15 10:05:45 j102 spamd[58928]: 190.107.105.160 connected (1/0)
Apr 15 10:08:05 j102 spamd[58928]: 190.107.105.160 disconnected after 140 seconds.
...
Nice... but after few attempts another IP address have been appeared in the log file of the greylisted spamd server. So I created script which add them to the spamd table and run it from the cron.
#!/bin/sh

for i in `/usr/local/sbin/spamdb | tail | cut -d '|' -f 2  | sort | uniq`
do 
	COUNT=`tail -n 100 /var/log/spamd.log | grep $i | grep GREY | wc -l`
	if [ $COUNT -gt 4 ]
	then 
		pfctl -t spamd -T show | grep -q $i
		if [ $? -ne 0 ]
		then 
			pfctl -t spamd -T add $i
		fi
	fi
done 
Keep in mind that [ $COUND -gt 4 ] is a small value but it's OK to me. For 24 hours in my spammers list there is more than 200 entries.
It's not great solution but it works for now. Don't forget to check you log files regularly!

Posted at Fri Dec 16 14:31:31 2016 # Google