defeating spammers (network admin's view)

hahahahaha..... scary title, huh...... honestly it's just for show, to look cool. hahahaha.. 😀 even though I can't really do anything..... hehe. oh well, never mind, just sharing a bit of what I learned from my experience last week. so, about a week ago I had an interesting experience looking after the somewhat troublesome email server at my office. actually, the anti-spam for the office mail server was already running; I just thought, if it can be blocked at the application level, why not play at the network layer as well to block the spam.... hehehe, honestly just messing around.

ok, with that idea, I just tried it on the office mail server. hehehe, the result turned out to be disappointing Y_Y. oh right, almost forgot, what I'm using here is spamd, don't forget, SPAMD. the first spamd attempt at the office failed. huhuhu.... I was still curious though. then I remembered I still have root access on one of the servers at campus.... (understandably, the admin vanished who knows where, and nobody ever looks after that server). so I just tried spamd on my campus server, which happens to have a mail server running. for a bit of background, the office mail server runs OpenBSD-x.x and the campus one runs FreeBSD-x.x.

on freebsd, you have to install spamd first. here's how:

cd /usr/ports/mail/spamd
make install clean
on openbsd it comes with the operating system. done installing?? ok, configuring spamd itself. I'll cover freebsd here (the one that's actually working). before configuring spamd, first mount the following file system (fdescfs on /dev/fd; this is how it shows up in df once mounted):

fdescfs 1.0K 1.0K 0B 100% /dev/fd

once that's done, let's set up spamd. on freebsd the config file is at /usr/local/etc/spamd/spamd.conf. the configuration is as follows:

all:\
    :uatraps:nixspam:china:korea:

# University of Alberta greytrap hits
# Addresses stay in it for 24 hours from time they misbehave.
uatraps:\
    :black:\
    :msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
    within the last 24 hours":\
    :method=http:\
    :file=www.openbsd.org/spamd/traplist.gz

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
    :black:\
    :msg="Your address %A is in the nixspam list\n\
    See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
    :method=http:\
    :file=www.openbsd.org/spamd/nixspam.gz

# Mirrored from http://www.okean.com/chinacidr.txt
china:\
    :black:\
    :msg="SPAM. Your address %A appears to be from China\n\
    See http://www.okean.com/asianspamblocks.html for more details":\
    :method=http:\
    :file=www.openbsd.org/spamd/chinacidr.txt.gz:

# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
    :black:\
    :msg="SPAM. Your address %A appears to be from Korea\n\
    See http://www.okean.com/asianspamblocks.html for more details":\
    :method=http:\
    :file=www.openbsd.org/spamd/koreacidr.txt.gz:

confused by the configuration??? read the explanation here: http://www.openbsd.org/cgi-bin/man.cgi?query=spamd.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

done??? now just set up PF. hehehe, PF again, PF again, bored of PF yet? make the following rules (default accept for the example /etc/pf.conf below):

table <spamd-white> persist

no rdr inet proto tcp from <spamd-white> to any port smtp

rdr pass inet proto tcp from any to any port 25 -> 127.0.0.1 port spamd

rule explanation:

table <spamd-white> persist : creates the persistent table spamd-white to hold the white-listed mail server addresses. addresses held in the spamd-white table go straight to the mail server port (25).

no rdr inet proto tcp from <spamd-white> to any port smtp : addresses held in the spamd-white table go straight to the mail server port (25) and are not redirected to the spamd port.

rdr pass inet proto tcp from any to any port 25 -> 127.0.0.1 port spamd : every host that wants to send mail to my mail server is redirected to localhost port 8025 (spamd's port, the "spamd" entry in /etc/services).

all done??? just save, reload pf, and start spamd. check out the log (more fun than watching porn, hahaha):

WHITE|69.147.83.53|||1219267326|1219269449|1222379850|4|0
WHITE|66.163.168.171|||1219278086|1219279746|1222390196|5|0
GREY|74.212.58.171|clsm-74-212-58-171-pppoe.dsl.clsm.epix.net|<hedley@atomic.com>|<fajar@xxxxxxxxxxx>|1219597616|1219612016|1219612016|1|0
GREY|82.10.176.183|cpc3-walt1-0-0-cust182.popl.cable.ntl.com|<Halina-iinifs@alloyd.com>|<phie@xxxxxxxxxxxx>|1219599136|1219613536|1219613536|1|0
GREY|74.65.70.142|cpe-74-65-70-142.stny.res.rr.com|<.reuef1986@3n1motorsports.com>|<bc6a4755@xxxxxxxxxxxxx>|1219600253|1219614653|1219614653|1|0
GREY|69.44.231.10|69-44-231-10.imsday.com|<htamansa@lort.com>|<johan@xxxxxxxxxxxxx>|1219600710|1219615110|1219615110|1|0
GREY|72.14.204.231|qb-out-0506.google.com|<frontiers.agency10@gmail.com>|<riezza@xxxxxxxxxxxxx>|1219604583|1219618983|1219618983|1|0
GREY|85.130.99.80|unknown.interbgc.com|<Harold-'sdeath@menoldinc.com>|<h_winarto.21s@xxxxxxxxxxxxx>|1219606565|1219620965|1219620965|1|0
GREY|201.89.241.206|201-89-241-206.ctame700.dsl.brasiltelecom.net.br|<nrobredn1967@ty.ca>|<xxx@xxxxxxxxxxxxx>|1219609635|1219624035|1219624035|1|0
GREY|80.195.224.12|80-195-224-12.cable.ubr01.shef.blueyonder.co.uk|<ignisses1988@countryhut.com>|<mill@xxxxxxxxxxxxxxxxxx>|1219610378|1219624778|1219624778|1|0
GREY|190.253.189.108|[190.253.189.108]|<mtedelen_1950@slantfin.com>|<tomrf@xxxxxxxxxxxxxx>|1219610934|1219625334|1219625334|1|0
WHITE|222.124.18.72|||1219434760|1219437269|1222547705|5|0
WHITE|66.163.168.172|||1219460851|1219462456|1222572907|5|0
GREY|78.161.122.18|[78.161.122.18]|<9mcclellan@exxell.com>|<novan@xxxxxxxxxxxxxxxx>|1219597572|1219611972|1219611972|1|0
GREY|99.232.64.249|CPE0014bfe9ea40-CM000a739a8c22.cpe.net.cable.rogers.com|<Ferencne-backfram@borroughs.com>|<rizal@xxxxxxxxxxxxxxxxx>|1219599510|1219613910|1219613910|1|0
GREY|79.120.196.196|[79.120.196.197]|<4richy5b5b@ms35.hinet.net>|<cakep@xxxxxxxxxxxx>|1219600151|1219614551|1219614551|1|0

explanation:

WHITE : hosts that are allowed to send email (straight to port 25) without going through spamd.

GREY : these hosts are passed to spamd. spamd then works out whether to mark them as a blacklisted mail server or a whitelisted mail server.

GREY|79.120.196.196|[79.120.196.197]|<4richy5b5b@ms35.hinet.net>|<cakep@xxxxxxxxxxxx>|1219600151|1219614551|1219614551|1|0 (the log is really one continuous line, but WordPress cut it off so it only showed GREY|79.120.196.196|[79.120.196.197]|<4richy5b5b@ms35.hinet.net>|<ca)

here's a short explanation of the fields:

79.120.196.196|[79.120.196.197] : the host trying to send mail

<4richy5b5b@ms35.hinet.net> : sender email address

<cakep@xxxxxxxxxxxx> : recipient email address

1219600151 : when the tuple (a greylisted host entry is called a tuple) first connected

1219614551 : when this tuple is whitelisted

1219614551 : when this tuple will be removed from the database (spamdb)

1 : how many times the host tried to send email while greylisted

0 : how many times this host was delivered to the real mail server (not talking to spamd)

to see the output above, just run the spamdb command

the spamd-white table in pf is filled automatically by spamd + pf when entries tagged GREY change to the WHITE list. here's the output if you don't believe me:

[begok]# pfctl -t spamd-white -Ts | grep 69.147.83
No ALTQ support in kernel
ALTQ related functions disabled
69.147.83.53
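To make the record layout above concrete, here is a small parser (an added example, not code from this post) that reads spamdb dump lines, classifies GREY tuples by their pass/expire times, and cross-checks the WHITE entries against the output of pfctl -t spamd-white -Ts. The spamdb records and pfctl output in it are constructed; the GREY rows assume spamd's default 25-minute passtime and 4-hour greyexp, which differ from the timings in the dump above.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample spamdb output (not from the post), laid out like the records
# described above; the GREY rows use spamd's defaults: pass = first + 25 min,
# expire = first + 4 h (the dump above has pass == expire).
SAMPLE_SPAMDB = """\
WHITE|192.0.2.10|||1219267326|1219269449|1222379850|4|0
WHITE|192.0.2.11|||1219278086|1219279746|1222390196|5|0
GREY|198.51.100.7|mail.example.net|<a@example.com>|<user@example.org>|1219600151|1219601651|1219614551|1|0
GREY|203.0.113.9|[203.0.113.9]|<b@example.com>|<user@example.org>|1219590000|1219591500|1219604400|3|0
"""
# Constructed `pfctl -t spamd-white -Ts` output; the ALTQ lines are noise to skip.
SAMPLE_PFCTL = """\
No ALTQ support in kernel
ALTQ related functions disabled
192.0.2.10
"""

@dataclass
class Record:
    kind: str; ip: str; helo: str; sender: str; recipient: str
    first: int; passed: int; expire: int    # epoch seconds, as in the fields above
    blocked: int; delivered: int            # attempts while greylisted / real deliveries

def parse_record(line: str) -> Record | None:
    f = line.strip().split("|")
    if f[0] == "WHITE" and len(f) == 9:     # helo/from empty, no recipient column
        return Record("WHITE", f[1], f[2], f[3], "", *map(int, f[4:9]))
    if f[0] == "GREY" and len(f) == 10:
        return Record("GREY", *f[1:5], *map(int, f[5:10]))
    return None                             # TRAPPED rows and junk are ignored

def parse_spamdb(text: str) -> list[Record]:
    return [r for r in map(parse_record, text.splitlines()) if r is not None]

def greylist_status(rec: Record, now: int) -> str:
    """What spamd would do with this tuple at time `now`."""
    if rec.kind == "WHITE":
        return "white"      # already bypasses spamd through the PF table
    if now >= rec.expire:
        return "expired"    # never retried inside the window: row gets purged
    if now >= rec.passed:
        return "ready"      # the next retry gets whitelisted
    return "waiting"        # still inside the initial block

def missing_from_pf_table(records: list[Record], pfctl_output: str) -> list[str]:
    """WHITE entries in spamdb that the PF <spamd-white> table does not yet hold."""
    in_pf = {l.strip() for l in pfctl_output.splitlines() if l.strip()[:1].isdigit()}
    return sorted(r.ip for r in records if r.kind == "WHITE" and r.ip not in in_pf)
```

Feed it the real output with `parse_spamdb(subprocess.check_output(["spamdb"], text=True))`; a non-empty result from missing_from_pf_table means spamd and the PF table have drifted apart.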
from my experience after running spamd, spam on my mail server dropped drastically......

nice, right, combining application security + network security?? hehehe, go ahead and try it. good luck :), if there are any errors, please correct me, I'm still learning too

regards......... ^_^
