SpamCheetah OpenBSD tarpit in action

Stop spam dead in its tracks!

What is OpenBSD spamd?

OpenBSD spamd is a daemon that acts as an SMTP proxy. It is a very minimalist implementation of the SMTP protocol, and its sole purpose is to annoy spammers. It also annoys legitimate senders, but only the first time: once human senders and RFC-compliant mail servers encounter the OpenBSD tarpit in action (see spamd(8)), they behave properly and patiently retry the delivery. You can find a very interesting video of this here.

spamlogd(8) is another daemon that routinely inspects the greylist entries in the spamdb(8) database. Note that this database is modeled on Berkeley DB and is incredibly small and optimized. It stores the three values that interest us for greylisting. If you already know greylisting, you know these. They are:

Alongside the above 3-tuple, it also stores three time values:

If this intrigues you, the other man pages of interest are spamd.conf(5) and spamd-setup(8).

How does OpenBSD control spam?

If you have properly understood the above man pages, there is only a little more for me to explain. The pf.conf(5) man page clearly tells you everything the great OpenBSD pf(4) firewall can do. It is the best firewall implementation and, as always, all the firewalling code resides in the kernel. A firewall doesn't just filter traffic; it also performs several associated functions like NAT, port forwarding/redirection and Quality of Service.

It so turns out that OpenBSD also does spam filtering, albeit in a roundabout way. In other words, without pf(4) redirection we cannot achieve spam filtering at all, nor pass accepted e-mail on to the mail server.

It is pf(4) that redirects incoming SMTP connections to the tarpit listening on TCP port 8025. And it is the same pf(4) that consults the whitelist table and redirects connections from legitimate sender IP addresses to the mail server sitting in your network behind SpamCheetah.

There are several other advanced uses of pf(4) for spam control. For example, you can keep a table that holds the blacklisted IP addresses known to send spam, deliberately trouble them with the tarpit, and never let them talk to the company's mail server. This way worldwide spam will go down if SpamCheetah becomes widely deployed and used.
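As an added example (not SpamCheetah's own configuration and not taken from the OpenBSD man pages verbatim), the pf.conf(5) fragment below implements the redirection the two paragraphs above describe: every inbound SMTP connection is sent to the tarpit on 127.0.0.1:8025, senders that have passed greylisting or are manually exempted are redirected to the internal mail server, and a blacklist table always ends up in the tarpit. The mail server address 192.0.2.10 and the use of the `egress` interface group are assumptions for this example; replace them with your own values.

```pf
# Added example pf.conf fragment for a spamd(8) gateway sitting between
# the Internet (egress) and an internal mail server. The address below is
# a constructed documentation address, not a real deployment value.
mailserver = "192.0.2.10"

# <spamd-white>: filled by spamd(8)/spamlogd(8) once a sender has
#                retried and passed greylisting.
# <spamd>:       blacklisted senders, fed by spamd-setup(8) from the
#                lists named in spamd.conf(5).
# <nospamd>:     hand-maintained exceptions (partners, backup MX) that
#                must never be tarpitted.
table <spamd-white> persist
table <spamd> persist
table <nospamd> persist file "/etc/mail/nospamd"

# pf(4) uses last-matching-rule semantics, so the catch-all comes first:
# by default everyone talks to the tarpit, not to the mail server.
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port 8025

# Hand-maintained exceptions go straight to the mail server.
pass in on egress proto tcp from <nospamd> to any port smtp \
    rdr-to $mailserver port smtp

# Senders that have passed greylisting reach the mail server; logged so
# the accepted sources can be audited.
pass in log on egress proto tcp from <spamd-white> to any port smtp \
    rdr-to $mailserver port smtp

# Blacklisted hosts come last so this rule wins even if an address
# somehow also ended up in <spamd-white>: they only ever see the tarpit.
pass in log on egress proto tcp from <spamd> to any port smtp \
    rdr-to 127.0.0.1 port 8025

# The gateway itself must be able to reach outbound SMTP.
pass out log on egress proto tcp to any port smtp
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -t spamd-white -T show` after a legitimate sender retries: its address should appear there and its next connection should reach the mail server instead of port 8025.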

Hurting spammers

OpenBSD also comes with a greytrapping feature, in which you configure bogus e-mail addresses and publish them prominently in certain places specifically to attract spammers and the robots that trawl the Internet for mail addresses. You can also trap on common mail IDs like support@, webmaster@ or whatever else spammers usually guess. What this means is that pf(4) will always make such senders talk to spamd(8), at a slow speed of 1 character per second. This not only annoys spammers but also hurts their ability to spam other people.

How is SpamCheetah different from a stock OpenBSD install?

It comes with a spiffy web interface, and it is a LiveCD/LiveUSB that does not touch your hard disk in any way. It cannot get corrupted, as it is a read-only OS, and you can even run it from a 1 GB USB stick or a DOM (Disk On Memory) module on an embedded system. SpamCheetah is optimized for small installations focused on spam control and nothing else.

But there are many other differences too. Firstly, we have added some secret sauce like the greyscanner(1) perl script written by Bob Beck, which further helps spamd(8) with its job of looking for bogus senders and bogons that come and go on the Internet specifically to send spam.

The most interesting feature of SpamCheetah is its smallness and focus. SpamCheetah has only what is necessary to do spam control. It is a self-contained tiny operating system with complete POSIX semantics that sits in a box. In fact, this is the model we use for customer installations in India: "spam control in a box". It uses very little CPU and memory, as it resides in a RAM disk and the OS is read-only. Also, the decision to do only spam control and not e-mail processing greatly improves the design and simplifies our requirements. SpamCheetah is meant to be used as an embedded system.

There is also a janitor daemon that runs in a chroot inside /var/anjal and uses restricted root access to perform the privileged actions you request through the web interface. SpamCheetah is a product meant for commercial use in a safe and easy manner.

Moreover, nothing stops you from using this in concert with any other spam filtering you may prefer. This will stop nearly every unwanted mail that comes into your mail server.

SpamCheetah completely arrests the Botnet spew.