Automatically report spamtrap spam to Razor
by Tor Willy Austerslått
Warning: operating spamtraps is somewhat risky if you aren't completely sure what you are doing or what you want them for. Doubly so if you report them automatically or use them to seed SpamAssassin's bayes database. Also see Wikipedia's entry on spamtraps: http://en.wikipedia.org/wiki/Spamtrap
Here are my rules for spamtraps that seed Bayesian filtering and Razor. YMMV.
- Never use abandoned addresses, no matter how old. You can't guarantee the spamminess of the mail it receives.
- Use at least eight characters in the local part (the part to the left of the '@'). Legitimate users want short aliases, and typos happen.
- Never tell anyone it's a spamtrap.
An easy way to find out what your spamtraps should be is to check the smtplog for attempts to send mail to non-existing users. Beware though, so you don't end up with spamtraps that only receive bounces from spams with faked Reply-To addresses. Here's a simple script to list and sort this year's rejects from chkusr:
#!/bin/sh
# Lists and sorts attempts at mailing to unknown users
YEAR=`date "+%Y"`
LOG=smtplog.gz
zgrep "not existing" /var/log/mail/$YEAR/*/*/$LOG | cut -f 10 -d " " | tr -d "<>" | sort -r | uniq -c | sort -r
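The script above counts every reject. As an added example (not the author's script), here is the same idea with the two rules from this page applied before counting: rejects with an empty envelope sender are dropped, since those are the bounces warned about above, and local parts shorter than eight characters are dropped as too likely to be typos of real users. The sample log lines are constructed for the example and only resemble chkuser's "not existing" rejections; the field layout, and therefore the sed pattern, is an assumption to adapt to what your smtplog actually writes.

```shell
#!/bin/sh
# Added example: rank candidate spamtrap addresses from "not existing"
# rejects, skipping bounces and short local parts.
#
# The log line layout below is CONSTRUCTED for this example (modelled
# on chkuser's log format); adjust the sed pattern to your own smtplog.
SAMPLE_LOG='Jun 15 21:02:10 mx qmail-smtpd[101]: CHKUSER rejected rcpt: from <a@example.net:> remote <mail.example.net:unknown:192.0.2.10> rcpt <asdfghjkl@example.com> : not existing recipient
Jun 15 21:02:11 mx qmail-smtpd[102]: CHKUSER rejected rcpt: from <:> remote <mx.example.org:unknown:192.0.2.20> rcpt <qwertyuiop@example.com> : not existing recipient
Jun 15 21:03:40 mx qmail-smtpd[103]: CHKUSER rejected rcpt: from <b@example.net:> remote <mail.example.net:unknown:192.0.2.11> rcpt <asdfghjkl@example.com> : not existing recipient
Jun 15 21:04:02 mx qmail-smtpd[104]: CHKUSER rejected rcpt: from <c@example.net:> remote <relay.example.net:unknown:192.0.2.12> rcpt <bob@example.com> : not existing recipient
Jun 15 21:05:00 mx qmail-smtpd[105]: CHKUSER accepted rcpt: from <d@example.net:> remote <mail.example.net:unknown:192.0.2.13> rcpt <spamstore@example.com> : found existing recipient'

# candidate_traps LOGTEXT [MINLEN]
# Prints "count address", most frequent first, for every rejected
# recipient whose envelope sender was not empty (i.e. not a bounce)
# and whose local part has at least MINLEN characters (default 8).
candidate_traps() {
    minlen=${2:-8}
    printf '%s\n' "$1" \
        | grep 'not existing' \
        | grep -v 'from <:>' \
        | sed -n 's/.* rcpt <\([^>]*\)> : not existing.*/\1/p' \
        | awk -v min="$minlen" -F@ 'length($1) >= min+0 { print $0 }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

candidate_traps "$SAMPLE_LOG"
# -> 2 asdfghjkl@example.com
```

With the default minimum of eight characters only asdfghjkl@example.com survives: qwertyuiop@example.com was hit only by a bounce, and bob@example.com is the kind of short alias a real user might ask for later. Pipe the output of zgrep over your real smtplog into the function instead of SAMPLE_LOG once the sed pattern matches your log format.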
What the spamtraps do
When a spamtrap receives mail:
- Report the mail to Vipul's Razor
- Log a spamtrap hit in syslog's mail.info facility (usually /var/log/maillog)
- Place it in a spamfolder so toaster-watcher.pl can seed the bayes database
Setting up Razor reporting
Before you start:
# man razor-report
By default, Razor only checks the central spam database against the received mail. Out of the box, it cannot report spam back to the central database. To report spam (and help your fellow mail admins), you need to register with Razor.
Note well: Razor discourages automatic reporting. Herd your army of spamtraps carefully so you don't end up having your spamtraps compromised and look like a fool.
The recommended way to register is to use razor-admin and have it generate everything for you, but I found this to be somewhat confusing. Again, YMMV. So, create /usr/local/etc/razor-agent.conf, chmod it 644 and populate it like this:
debuglevel = 3
razorhome = /usr/local/etc/razorhome/
identity = /usr/local/etc/razorhome/identity
ignorelist = 0
listfile_catalogue = /usr/local/etc/razorhome/servers.catalogue.lst
listfile_discovery = /usr/local/etc/razorhome/servers.discovery.lst
listfile_nomination = /usr/local/etc/razorhome/servers.nomination.lst
logfile = /var/log/razor-agent.log
logic_method = 4
min_cf = ac
razordiscovery = discovery.spamnet.com
rediscovery_wait = 172800
report_headers = 1
turn_off_discovery = 0
use_engines = 4,8
whitelist = /usr/local/etc/razorhome/razor-whitelist
Then, create the razorhome directory
# mkdir /usr/local/etc/razorhome
Register with Razor
# razor-admin -register -user=your@email.addre.ss -pass=secretpassword
If everything works out, there should now be a bunch of files in /usr/local/etc/razorhome. Mine looks like this:
lrwxr-xr-x  1 root      wheel   19 Jun 15 21:02 identity -> identity-xxxxxxxx
-rw-------  1 vpopmail  wheel   90 Jun 15 21:02 identity-xxxxxxxx
-rw-r--r--  1 root      wheel  621 Jun 15 21:00 server.c101.cloudmark.com.conf
-rw-r--r--  1 root      wheel  593 Mar 14 10:45 server.folly.cloudmark.com.conf
-rw-r--r--  1 root      wheel  593 Mar 14 10:45 server.joy.cloudmark.com.conf
-rw-r--r--  1 root      wheel   19 Mar 14 10:45 servers.catalogue.lst
-rw-r--r--  1 root      wheel   22 Jan  5 08:40 servers.discovery.lst
-rw-r--r--  1 root      wheel   38 Mar 14 10:45 servers.nomination.lst
Change the owner on the Razor identity file to vpopmail
# chown vpopmail /usr/local/etc/razorhome/identity-xxxxxxxx
That's it! You are now ready to report spam back to Razor.
Creating a central spam store
After reporting the spam, you should store it somewhere so that the bayesian learning process can learn it according to the settings in toaster-watcher.conf. Let's make an account called spamstore in the domain example.com.
# /usr/local/vpopmail/bin/vadduser -q 104857600 spamstore@example.com secretpass
Log in to the newly created account and create a folder called "Spam". Now you can keep tabs on what's going on simply by connecting to it with an IMAP client.
Setting up the spamtraps
We're going to set up a spamtrap that's called spamtrap@example.com.
Go to the virtual directory of the domain
# cd /usr/local/vpopmail/domains/example.com/
Create a dot-qmail file called .qmail-spamtrap and put the following in it
| /usr/local/bin/razor-report -f -conf=/usr/local/etc/razor-agent.conf -logfile=/var/log/razor-agent.log
| /usr/bin/logger -t spamtrap -p mail.info spamtrap hit on $EXT@$HOST || exit 0
/usr/local/vpopmail/domains/example.com/spamstore/Maildir/.Spam/
Remember: the commands in the .qmail file will run under the vpopmail account.
If you want to do even more, read the qmail-command manpage and indulge yourself. With a little tweaking, you can even block the sender with Matt's firewall script.
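One thing the qmail-command manpage makes clear is that the exit status of each "|" line decides what happens to the message: 0 means delivered, carry on with the next line; 99 means delivered, stop; 100 is a hard error (bounce); 111 or anything else is a soft error, so the message is deferred and retried. In the dot-qmail above, razor-report's own exit status is what qmail sees, so an unreachable Razor server would defer the trapped spam rather than file it. As an added example (not code from the original page or from the Razor project), here is a small wrapper that reports, logs the outcome on the same "spamtrap hit on" syslog line, and always exits 0. The script name spamtrap-report.sh and the RAZOR_REPORT and LOGGER override variables are assumptions of this example; they exist so the functions can be exercised without a Razor identity or a syslog daemon.

```shell
#!/bin/sh
# spamtrap-report.sh: added example, not code from the original page or
# from the Razor project. Wraps the razor-report line of .qmail-spamtrap.
#
# qmail-command(8): exit 0 = delivered, continue with the next line;
# 99 = delivered, stop; 100 = hard error (bounce); 111 or anything else =
# soft error (defer and retry). razor-report returning non-zero while the
# Razor servers are unreachable would therefore defer the trapped spam
# instead of filing it. This wrapper logs the outcome and always exits 0
# so the Maildir line after it in the dot-qmail file still runs.
#
# RAZOR_REPORT and LOGGER are assumed names for this example; they can be
# overridden from the environment for testing.
RAZOR_REPORT=${RAZOR_REPORT:-"/usr/local/bin/razor-report -f -conf=/usr/local/etc/razor-agent.conf -logfile=/var/log/razor-agent.log"}
LOGGER=${LOGGER:-"/usr/bin/logger -t spamtrap -p mail.info"}

# report_message FILE: submit FILE to Razor. Prints "reported" or
# "failed" for the syslog line and always returns 0.
report_message() {
    if $RAZOR_REPORT < "$1" >/dev/null 2>&1; then
        echo reported
    else
        echo failed
    fi
    return 0
}

# handle_trap: read the message from stdin (as qmail-local hands it to a
# "|" line), report it, log one mail.info line, never fail the delivery.
# EXT and HOST are the variables qmail-local sets for dot-qmail commands.
handle_trap() {
    trap_addr="${EXT:-unknown}@${HOST:-unknown}"
    tmp=$(mktemp /tmp/spamtrap.XXXXXX) || return 0
    cat > "$tmp"
    status=$(report_message "$tmp")
    rm -f "$tmp"
    $LOGGER "spamtrap hit on $trap_addr: razor $status"
    return 0
}

# Only act when invoked by name (e.g. from a .qmail "|" line); sourcing
# the file just defines the functions.
case "$0" in
    *spamtrap-report*) handle_trap; exit 0 ;;
esac
```

Installed as /usr/local/bin/spamtrap-report.sh (owned by root, mode 755, since it runs as vpopmail), the first two lines of .qmail-spamtrap collapse into a single `| /usr/local/bin/spamtrap-report.sh`, and the maillog shows whether each hit actually reached Razor. The trade-off is deliberate: a report lost during a Razor outage is cheaper than a queue full of deferred spam, but if you would rather have qmail retry, drop the wrapper and keep razor-report's exit status visible as in the original dot-qmail.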
Change the owner and group to something vpopmail can live with
# chown vpopmail:vchkpw /usr/local/vpopmail/domains/example.com/.qmail-spamtrap
To set up another spamtrap, simply copy the .qmail-spamtrap file:
# cp -p .qmail-spamtrap .qmail-someotherspamtrap
The spamtrap will not show up in qmailadmin since you're creating the forward (dot-qmail) outside of vpopmail. It will still work though.
Finally, create and chmod the log file so vpopmail can write to it
# touch /var/log/razor-agent.log
# chmod 666 /var/log/razor-agent.log
Remember to set up /etc/newsyslog.conf so that razor-agent.log doesn't fill up your disk. Here's the relevant line in mine:
/var/log/razor-agent.log 666 10 1000 * Z
That's all there is to it. To test the spamtrap, add the argument -s (simulate only) to razor-report in the dot-qmail file and send it something. Check that the mail you sent ends up where you want it to (here: the central spamtrap spamfolder), and that the log files reflect what happened.