From: Phil Howard on
I saw fail2ban discussed in another thread. I was wondering if anyone
here has used it to block based on spamtraps. I want to set up a
number of dummy users and splatter their email addresses where
spammers would get at them (e.g. white on white text on web pages,
etc). Then ban the IPs that try to send to N or more of those
addresses, where N is relatively low, like 2.

From: Michael Orlitzky on
On 06/22/2010 02:30 PM, Phil Howard wrote:
> I saw fail2ban discussed in another thread. I was wondering if anyone
> here has used it to block based on spamtraps. I want to set up a
> number of dummy users and splatter their email addresses where
> spammers would get at them (e.g. white on white text on web pages,
> etc). Then ban the IPs that try to send to N or more of those
> addresses, where N is relatively low, like 2.

This doesn't do exactly what you want; it only allows one attempt on a
spamtrap address. Add more regexen and increase maxretry to taste.

A word of caution: don't assume that everyone browses the web using a
graphical web browser. People still browse from the command line, and
more importantly, screen readers for the disabled. If you're going to
hide an address, make sure that there is some indication (for humans)
that the address should not be contacted under any circumstances.

# jail.conf

[spamtrap-iptables]
# Be extra mean to these hosts. The bantime is 28 days.
enabled = true
bantime = 2419200
findtime = 86400
maxretry = 1
filter = spamtrap
action = iptables[name=spamtrap, port=smtp, protocol=tcp]
logpath = /var/log/mail/mail.log


# filter.d/spamtrap.conf

[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <address@example\.com>


You will probably also need to configure the 'iptables' action, and some
part of your iptables config. Snippets from mine won't help you much,
but basically, I append banned addresses to a new fail2ban-<name> table,
and then insert this table into my standard chain at a particular
position during actionstart.

(I also mail myself the output of iptables -L -n, so that I can verify
that nothing has gone haywire.)
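
An added example, not code from the post above and not part of fail2ban: a
small Python script that runs a filter of the same shape over constructed
Postfix smtpd log lines and compares fail2ban's maxretry counting (every match
counts, as in the posted jail) with the rule from the original question, ban
once a client has hit N distinct trap addresses within findtime. The trap
addresses, the TEST-NET client IPs and the log lines are constructed for the
example, and the pattern substituted for <HOST> is a stand-in, not fail2ban's
own.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban substitutes its own host/IP pattern for <HOST> before compiling a
# failregex. This stand-in (an assumption of this example, not fail2ban's
# pattern) accepts the IPv4/IPv6 literals Postfix logs inside brackets.
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"

# Same shape as the posted filter, but the recipient is captured instead of
# hard-coded, so one pattern covers every address in SPAMTRAPS.
FAILREGEX = re.compile(
    r"reject: RCPT from [^\s\[]+\[" + HOST_RE + r"\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)

# Trap recipients: assumed addresses, constructed for this example.
SPAMTRAPS = {"trap1@example.com", "trap2@example.com", "trap3@example.com"}


def postfix_reject(ts, client, ip, status, rcpt, reason):
    """Build a Postfix smtpd rejection line in default syslog format (constructed)."""
    return (f"{ts} mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from {client}[{ip}]: "
            f"{status} <{rcpt}>: Recipient address rejected: {reason}; "
            f"from=<sender@example.net> to=<{rcpt}> proto=ESMTP helo=<{client}>")


UNKNOWN = "User unknown in local recipient table"

# Constructed sample log, in chronological order, using TEST-NET client IPs.
SAMPLE_LOG = [
    postfix_reject("Jun 20 09:00:00", "unknown", "192.0.2.9", "550 5.1.1", "trap1@example.com", UNKNOWN),
    postfix_reject("Jun 22 10:00:01", "unknown", "203.0.113.5", "550 5.1.1", "trap1@example.com", UNKNOWN),
    postfix_reject("Jun 22 10:05:12", "unknown", "203.0.113.5", "550 5.1.1", "trap2@example.com", UNKNOWN),
    postfix_reject("Jun 22 11:00:00", "mail.example.org", "198.51.100.7", "550 5.1.1", "trap1@example.com", UNKNOWN),
    postfix_reject("Jun 22 11:30:00", "mail.example.org", "198.51.100.7", "550 5.1.1", "trap1@example.com", UNKNOWN),
    # A genuinely unknown user and a greylisting deferral: neither should count.
    postfix_reject("Jun 22 12:00:00", "unknown", "192.0.2.9", "550 5.1.1", "nosuchuser@example.com", UNKNOWN),
    postfix_reject("Jun 22 12:01:00", "unknown", "192.0.2.9", "450 4.7.1", "trap3@example.com", "Greylisted"),
    postfix_reject("Jun 23 09:00:00", "unknown", "192.0.2.9", "550 5.1.1", "trap2@example.com", UNKNOWN),
]


def parse_line(line):
    """Return (seconds, host, rcpt) for a rejection aimed at a trap address, else None."""
    m = FAILREGEX.search(line)
    if m is None or m.group("rcpt") not in SPAMTRAPS:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # enough for the relative comparisons below (no year rollover in the sample).
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    seconds = (ts - datetime(1900, 1, 1)).total_seconds()
    return seconds, m.group("host"), m.group("rcpt")


def find_bans(lines, n, findtime=86400, distinct=True):
    """Return {host: ban_time} for hosts that reach the threshold.

    distinct=True  : ban once a host has hit n *different* trap addresses
                     within findtime seconds (the N from the original question).
    distinct=False : every match counts, repeats of one address included,
                     which is how fail2ban's maxretry counts failures.
    """
    recent = defaultdict(list)  # host -> [(seconds, rcpt)] inside the window
    banned = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        t, host, rcpt = hit
        if host in banned:
            continue
        window = [(tt, r) for tt, r in recent[host] if t - tt <= findtime]
        window.append((t, rcpt))
        recent[host] = window
        score = len({r for _, r in window}) if distinct else len(window)
        if score >= n:
            banned[host] = t
    return banned


if __name__ == "__main__":
    for label, kwargs in [("posted jail (maxretry=1)", dict(n=1, distinct=False)),
                          ("two hits, any address", dict(n=2, distinct=False)),
                          ("two distinct trap addresses", dict(n=2, distinct=True))]:
        print(f"{label}: {sorted(find_bans(SAMPLE_LOG, **kwargs))}")
```

With the sample, the posted jail bans all three clients on their first hit,
counting any two matches bans the host that tried the same trap twice, and
the distinct-address rule bans only the client that walked two different
traps within a day. Before deploying a real filter, run it against the live
log with fail2ban's own tester, fail2ban-regex /var/log/mail/mail.log
/etc/fail2ban/filter.d/spamtrap.conf, and check that the match count is what
you expect.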

From: Phil Howard on
On Tue, Jun 22, 2010 at 16:46, Michael Orlitzky <michael(a)orlitzky.com> wrote:

> A word of caution: don't assume that everyone browses the web using a
> graphical web browser. People still browse from the command line, and more
> importantly, screen readers for the disabled. If you're going to hide an
> address, make sure that there is some indication (for humans) that the
> address should not be contacted under any circumstances.

Good point. I was thinking that for these, the dummy addresses would
just not be sent out. No harm if spammers are doing scans using these
methods, too. So I'm thinking just output those addresses when the
conditions are such that it appears to be graphical browsing, under
the theory that spammers would likely be attempting to look like that,
too.

From: Tom Hendrikx on
On 23/06/10 16:28, Phil Howard wrote:
> On Tue, Jun 22, 2010 at 16:46, Michael Orlitzky <michael(a)orlitzky.com> wrote:
>
>> A word of caution: don't assume that everyone browses the web using a
>> graphical web browser. People still browse from the command line, and more
>> importantly, screen readers for the disabled. If you're going to hide an
>> address, make sure that there is some indication (for humans) that the
>> address should not be contacted under any circumstances.
>
> Good point. I was thinking that for these, the dummy addresses would
> just not be sent out. No harm if spammers are doing scans using these
> methods, too. So I'm thinking just output those addresses when the
> conditions are such that it appears to be graphical browsing, under
> the theory that spammers would likely be attempting to look like that,
> too.
>

Actually, when using a visual browser, people still can use their own
colouring (again, the visually impaired). What you are suggesting is
generating browser-specific output. This practice has been tried,
tested, and discarded in webdesign country for some years now (we're
getting OT here) as it does not work for all audiences, and in general
creates an unmaintainable mess.

If you want spam traps advertised, there are numerous better ways.
Adding a clear ("The following e-mail address is solely targeted at
catching mail abuse, do not use it for mail interaction:
foobar(a)example.com") or more cryptic message ("The trapper recommends
today: foobar(a)example.com") to the e-mail address will stop humans from
using it, but harvesters will still pick it up.

Keep in mind: automated harvesters can impersonate regular people (or
browsers), but they cannot think like one.

--
Regards,
Tom

From: Jerry on
On Wed, 23 Jun 2010 17:21:21 +0200
Tom Hendrikx <tom(a)whyscream.net> articulated:


> Keep in mind: automated harvesters can impersonate regular people (or
> browsers), but they cannot think like one.

Which, in some instances, might be considered a good thing.

--
Jerry ✌
postfix-user(a)seibercom.net

_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html