Automatically report spamtrap spam to Razor

by Tor Willy Austerslått

Warning: operating spamtraps is somewhat risky if you aren't completely sure what you are doing or what you want them for. Doubly so if you report them automatically or use them to seed SpamAssassin's bayes database. Also see Wikipedia's entry on spamtraps: http://en.wikipedia.org/wiki/Spamtrap

Here are my rules for spamtraps that seeds bayesian filtering and Razor. YMMV.


 * 1) Never use abandoned addresses, no matter how old. You can't guarantee the spamminess of the mail it receives.
 * 2) Use at least eight characters in the local part (the part to the left of the '@'). Legitimate users are want to have short aliases, and typos happen.
 * 3) Never tell anyone it's a spamtrap.

An easy way to find out what your spamtraps should be, is to check the smtplog for attempts to send mail to non-existing users. Beware though, so you don't end up with spamtraps that only receives bounces from spams with faked Reply-To addresses. Here's a simple script to list and sort this year's rejects from chkusr:

YEAR=`date "+%Y"` LOG=smtplog.gz zgrep "not existing" /var/log/mail/$YEAR/*/*/$LOG | cut -f 10 -d " " | tr -d "<>" | sort -r | uniq -c | sort -r
 * 1) !/bin/sh
 * 1) Lists and sorts attempts at mailing to unknown users

What the spamtraps do
When a spamtrap receives mail:


 * Report the mail to Vipul's Razor
 * Log a spamtrap hit in syslog's mail.info facility (usually /var/log/maillog)
 * Place it in a spamfolder so toaster-watcher.pl can seed the bayes database

Setting up Razor reporting
Before you start:


 * 1) man razor-report

By default, Razor only checks the central spam database against the received mail. Out of the box, it cannot report spam back to the central database. To report spam (and help your fellow mail admins), you need to register with Razor.

Note well: Razor discourages automatic reporting. Herd your army of spamtraps carefully so you don't end up having your spamtraps compromised and look like a fool.

The recommended way to register is to use razor-admin and have it generate everything for you, but I found this to be somewhat confusing. Again, YMMV. So, create /usr/local/etc/razor-agent.conf, chmod it 644 and populate it like this:

debuglevel            = 3 razorhome             = /usr/local/etc/razorhome/ identity              = /usr/local/etc/razorhome/identity ignorelist            = 0 listfile_catalogue    = /usr/local/etc/razorhome/servers.catalogue.lst listfile_discovery    = /usr/local/etc/razorhome/servers.discovery.lst listfile_nomination   = /usr/local/etc/razorhome/servers.nomination.lst logfile               = /var/log/razor-agent.log logic_method          = 4 min_cf                = ac razordiscovery         = discovery.spamnet.com rediscovery_wait      = 172800 report_headers        = 1 turn_off_discovery    = 0 use_engines           = 4,8 whitelist             = /usr/local/etc/razorhome/razor-whitelist

Then, create the razorhome directory
 * 1) mkdir /usr/local/etc/razorhome

Register with Razor
 * 1) razor-admin -register -user=your@email.addre.ss -pass=secretpassword

If everything works out, there should now be a bunch of files in /usr/local/etc/razorhome. Mine looks like this:

lrwxr-xr-x 1 root      wheel   19 Jun 15 21:02 identity -> identity-xxxxxxxx -rw--- 1 vpopmail  wheel   90 Jun 15 21:02 identity-xxxxxxxx -rw-r--r-- 1 root      wheel  621 Jun 15 21:00 server.c101.cloudmark.com.conf -rw-r--r-- 1 root      wheel  593 Mar 14 10:45 server.folly.cloudmark.com.conf -rw-r--r-- 1 root      wheel  593 Mar 14 10:45 server.joy.cloudmark.com.conf -rw-r--r-- 1 root      wheel   19 Mar 14 10:45 servers.catalogue.lst -rw-r--r-- 1 root      wheel   22 Jan  5 08:40 servers.discovery.lst -rw-r--r-- 1 root      wheel   38 Mar 14 10:45 servers.nomination.lst

Change the owner on the Razor identity file to vpopmail
 * 1) chown vpopmail /usr/local/etc/razorhome/identity-xxxxxxxx

That's it! You are now ready to report spam back to Razor.

Creating a central spam store
After reporting the spam, you should store it somewhere so that the bayesian learning process can learn it according to the settings in toaster-watcher.conf. Let's make an account called spamstore in the domain example.com.


 * 1) /usr/local/vpopmail/bin/vadduser -q 104857600 spamstore@example.com secretpass

Log in to the newly created account and create a folder called "Spam". Now you can keep tabs on what's going on simply by connecting to it with an IMAP client.

Setting up the spamtraps
We're going to set up a spamtrap that's called spamtrap@example.com.

Go to the virtual directory of the domain


 * 1) cd /usr/local/vpopmail/domains/example.com/

Create a dot-qmail file called .qmail-spamtrap and put the following in it

| /usr/local/bin/razor-report -f -conf=/usr/local/etc/razor-agent.conf -logfile=/var/log/razor-agent.log | /usr/bin/logger -t spamtrap -p mail.info spamtrap hit on $EXT@$HOST || exit 0 /usr/local/vpopmail/domains/example.com/spamstore/Maildir/.Spam/

Remember: the commands in the .qmail file will run under the vpopmail account.

If you want to do even more, read the qmail-command manpage and indulge yourself. With a little tweaking, you can even block the sender with Matt's firewall script.

Change the owner and group to something vpopmail can live with


 * 1) chown vpopmail:vchkpw /usr/local/vpopmail/domains/example.com/.qmail-spamtrap

To set up another spamtrap, simply copy the .qmail-spamtrap file:


 * 1) cp -p .qmail-spamtrap .qmail-someotherspamtrap

The spamtrap will not show up in qmailadmin since you're creating the forward (dot-qmail) outside of vpopmail. It will still work though.

Finally, create and chmod the log file so vpopmail can write to it


 * 1) touch /var/log/razor-agent.log
 * 2) chmod 666 /var/log/razor-agent.log

Remember to set up /etc/newsyslog.conf so that razor-agent.log doesn't fill up your disk. Here's the relevant line in mine:

/var/log/razor-agent.log               666     10       1000 *  Z

That's all there is to it. To test the spamtrap, add the argument -s (simulate only) to razor-report in the dot-qmail file and send it something. Check that the mail you sent ends up where you want it to (here: the central spamtrap spamfolder), and that the log files reflect what happened.