* Richard Wilson <[EMAIL PROTECTED]> [2007-09-27 07:49]:
> In recent weeks I have seen a number of spam attempts to servers we host
> that should never see them. More concisely, people are trying to send
> spam by connecting to port 25 on our web servers. These connections die
> on their arse because we don't allow 25 inbound to anything but our mail
> servers, but it strikes me that such connections could be a good source
> of data on who to block in spamd.
>
> I can easily put together a pf table of some servers that should never
> see connections to port 25, and redirect them to our spamd instances,
> but my questions are these:
>
> How should I make spamd recognise that these attempts are phony, and
> instantly blacklist/tarpit them? -b appears to still have to check a
> list, I want something more like greytrapping.
>
> Should I be running a separate spamd instance on a different port for
> this, or can it all be done with cunning configuration of the standard one?
>
> If I run two spamd instances, my standard one and my honeytrap one, and
> they look at and manipulate the same /var/run/spamdb, will it all go
> Horribly Wrong? I suspect not, as spamlogd manipulates it at the same
> time, but I think that might be over a sock, and hence kept safe that way.
>
> Have I missed some reason why this is a Really Dumb Idea(tm)?
>
>
> I think it bears mention that our spamd stuff is currently on a 4.0 box,
> but I'm making plans for when we re-build with 4.2, so answers would be
> best based on 4.2 functionality.
>
> Thanks for any and all responses, even if they're "No! You fool!" :-)
>

Still not sure what you're going to get out of it, but you could get your spamd to 4.2, then use /etc/mail/spamd.alloweddomains - put a nonsensical domain in there and it will trap everything, i.e. "blahblahblah". However, using spamd for this seems like overkill.
There are lots of other ways to just make a list of everyone who connects to a port, since I'm assuming you just want to make a list of *everyone* who connects to port 25.
-Bob
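The pf redirect Richard describes and the allowed-domains trap Bob points at, written out as an added example (not from either post, nor OpenBSD's own sample config) in 4.2-era pf syntax; the interface, addresses and domains are placeholders.

```conf
# /etc/pf.conf excerpt, OpenBSD 4.2-era rdr syntax (before the 4.7 rewrite).
# Constructed example: interface name and addresses are placeholders.
ext_if = "em0"
# Hosts that legitimately never talk SMTP; any connection to 25 here is a probe.
table <decoy_hosts> { 192.0.2.10, 192.0.2.11 }
# Senders spamd has already whitelisted (maintained by spamd/spamlogd).
table <spamd-white> persist
no rdr on { lo0 } from any to any
# Replace the plain "block in ... port 25" for the decoy hosts with a redirect
# into spamd (8025/tcp, "spamd" in /etc/services), so probes feed spamdb
# instead of just vanishing.
rdr pass on $ext_if inet proto tcp from any to <decoy_hosts> port smtp \
    -> 127.0.0.1 port spamd
# Unchanged production path: unknown senders to the real MX are greylisted,
# already-whitelisted ones reach the mail server directly.
rdr pass on $ext_if inet proto tcp from !<spamd-white> to 192.0.2.25 port smtp \
    -> 127.0.0.1 port spamd

# /etc/mail/spamd.alloweddomains (fixed path; one list per box, shared by any
# spamd instance running on it).
# A RCPT TO outside these domains greytraps the sender. With the real domains
# listed, decoy traffic that RCPTs elsewhere (relay probes) is trapped, while
# probes addressed to a listed domain are only greylisted.
example.com
example.org
# Bob's variant: list only a domain nothing is ever addressed to, e.g.
#   nonexistent.invalid
# and every RCPT TO is trapped. Because the list is shared, do that only on a
# spamd that fronts nothing but decoy hosts; on a spamd that also greylists the
# real MX it would trap legitimate senders as well.
```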