OpenBSD ships a wonderful little tool: spamd(8). spamd is a fake SMTP server that will accept all incoming connections and attempt to waste the time and resources of the spam sender by delaying the connection and replying slowly. Eventually spamd will return error code 450 to the spammer but by that time, the spammer usually wasted several hundreds or thousands of seconds.
Usually spamd listens on port 8025 on localhost and traffic on port 25 is redirected with pf:
table <spamd> persist
rdr pass inet proto tcp from <spamd> to any \
port smtp -> 127.0.0.1 port spamd
All IPs listed in the <spamd> table will be redirected to spamd. The spamd blacklist table can be maintained manually like this:
# pfctl -q -t spamd -T replace -f /my/list/of/spammers
Or with the help of spamd-setup(8) and spamd.conf(5) to use online blacklist like the one from www.spews.org.
Further spamd supports greylisting. Greylisting assumes that spam senders usually do not try to reconnect to a mail server if it returns a temporary errors. They normally scans a whole network and just try the next IP if a server returns an error or the connection times out. Normal mail server should try a reconnect after a configured time, so in greylist mode spamd tries to exploit this difference in behaviour . From the greylisting description of spamd:
When run in greylisting mode, spamd will run in the normal mode for any
addresses blacklisted by spamd-setup(8). Connections from addresses not
blacklisted by spamd-setup(8) will be considered for greylisting. Such
connections will not be stuttered at (though see the -S option above) or
delayed, and will receive the pleasantly innocuous temporary failure of:
451 Temporary failure, please try again later.
in the SMTP dialogue immediately after the recipient is specified. spamd
will use the db file in /var/db/spamd to track these non-blacklisted con-
nections to spamd by connecting IP address, envelope-from, and envelope-
to, or “tuple” for short.
A previously unseen tuple is added to the /var/db/spamd database, record-
ing the time an initial connection attempt was seen. After passtime min-
utes if spamd sees a retried attempt to deliver mail for the same tuple,
spamd will whitelist the connecting address by adding it as a whitelist
entry to /var/db/spamd.
These are very nice features for a mail server. But not only ISPs or people who operate a mail server can annoy spammers.
Just add the following line to your pf.conf:
rdr pass inet proto tcp from any to ($exit_if) port smtp -> 127.0.0.1 port spamd
And start spamd. In order to start spamd on boot use the spamd_flags keyword in /etc/rc.conf.local:
# grep spamd /etc/rc.conf.local
spamd_flags=””
Now everybody who connects to your server on port 25 will be redirected to spamd as you do not operate a mail server and so by definition all traffic to port 25 is malicious. You can check how effective this is by searching /var/log/daemon for spamd logs. For example in my logfile I find:
Oct 11 15:05:45 wrap spamd10833: xxx.109.43.1: disconnected after 551 seconds.
Oct 11 21:41:31 wrap spamd10833: xxx.64.88.103: disconnected after 667 seconds.
Oct 12 00:02:23 wrap spamd10833: xxx.36.81.231: disconnected after 3 seconds.
Oct 13 11:40:11 wrap spamd10833: xxx.64.98.17: disconnected after 1033 seconds.
Easy to set up and annoys spammers, I love it.
Thsi technique is obsolete. Since spammers use large botnets of zombie PCs these days, you have already lost the battle over resources. Even if you slow them down tremendously using very little resources, the sheer mass of trojaned zombie PCs will still overcome you. Bottom line: it’s useless.
Maybe they’ll outman us, but they’ll never outgun us (if we use the smarter guns)...