SpamCannibal Quick Install
Jonathan Baker-Bates <jonathan_AT_bakerbates.com>, Michael Robinton <michael@bizsystems.com>. Last Update - February 11, 2009
This describes how to install SpamCannibal on a machine running as a mail server behind a firewall (e.g. on a DMZ), or running as a mail gateway: passing incoming mail through to the main mail server after connections have been filtered by SpamCannibal. These instructions have been tested on Debian (Sarge) and Red Hat Enterprise Linux 3.1. Your mileage may vary.
You may also want to consult further information (http://www.spamcannibal.org/docs/install.html) on configuration options, other functions and features of the SpamCannibal package that are not covered here.
You'll need a Linux kernel version 2.4 or higher (i.e. it must support iptables), with the CONFIG_NETFILTER flag turned on (have a look at /boot/config-2.4.XX-XX-386 on your system).
You should have the following turned on:
    CONFIG_IP_NF_CONNTRACK
    CONFIG_IP_NF_QUEUE
If you are going to be processing a lot of connections on a very low-powered box (e.g. a P90 with <64Mb), you may want to turn them off, or have them as loadable modules in case the work of tracking connections becomes too much. But this has not been reported as a problem.
The above are turned on by default in most recent distros so you shouldn't need to do anything. If not, then you'll have to re-compile your kernel. Come back here when you're done...
You will probably have it installed already, but in case you don't... do this and come back here when you're done.
You'll also need the iptables development headers installed. If you have a file called libipq.h then you'll be fine. If not, install iptables-devel (Red Hat) or iptables-dev (Debian).
Get libnet from www.packetfactory.net/libnet (http://www.packetfactory.net/libnet), unpack and run:
    ./configure
    make
    make install
The easiest way of installing these is with the CPAN utility, which comes with most perl installations. Run this (as root):
    perl -MCPAN -e shell
    o conf prerequisites_policy ask
Then install the following if you don't already have them:
    Test::Harness
    Test::More
    MIME::Base64
    Digest::MD5
    Unix::Syslog
    Net::DNS::Codes
    Net::DNS::ToolKit
    NetAddr::IP::Lite
    Net::SMTP                -- part of standard perl
    Net::Whois::IP
    Proc::PidUtil
    Sys::Hostname::FQDN
    Net::Netmask
    Net::DNSBL::MultiDaemon
This is optional, but recommended if you are also going to be running the web management interface.
NOTE: BEFORE INSTALLING GEOIP WITH CPAN
Get the GeoIP database (http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz) and unpack this file to /usr/local/share/GeoIP (and chmod 777 it).
If you don't do this, the perl module compile tests will fail with a totally cryptic error that Larry Wall himself would be hard pushed to work out.
Now install the following with CPAN:
    Geo::CountryFlags
    Geo::IP::PurePerl
A web server is needed so that you can get reports and stuff through a web interface. Note that you do not have to have the web server on the same machine as SpamCannibal if you don't want to, but this quick guide assumes you do. See the full docs for more details.
Create a user on the system called "spam" in group "spam". Give it a shell and a home directory of /usr/local/spamcannibal.
Make a note of where your C libraries and headers are installed. On Red Hat and Debian they are:
    /usr/lib
    /usr/include
But they may be different on your system.
Now, sticking with CPAN, install IPTables::IPv4::DBTarpit.
When asked by the installer, enter the path to the "dbtarpit daemon install directory" as /usr/local/spamcannibal/bin
Enter the paths to the shared libraries and headers on your system as noted above, and leave the other options as their defaults.
With CPAN, install Mail::SpamCannibal.
The default paths and other options should be fine.
Finally, and again with CPAN, install LaBrea::Tarpit.
Go to /usr/local/spamcannibal/config and edit the following files. You will need to rename them from their defaults first, e.g.:
    cp dnsbls.conf.sample dnsbls.conf
Un-comment the line to activate the LaBrea Tarpit stats daemon:
'rc.sc_lbdaemon' => 'start',
Un-comment the "zonename" line and give the host that your SpamCannibal setup is running on:
zonename => 'myhost.mydomain.com',
Similarly, edit the host line:
    host => {
        # ip address or blank ''
        'myhost.mydomain.com' => '192.168.10.1',
    },
Add any hosts that you need in the IGNORE section. See the notes in the config file for details, but in particular add the machine's local interface addresses and 127.0.0.1. I have my two secondary mail servers in there as well, like this:
    'IGNORE' => [
        # local addresses:
        '127.0.0.1',
        '192.168.10.5',
        '128.23.28.5',
        # secondary MX servers:
        '195.149.39.130',
        '195.149.39.122',
    ],
Set the REJECT section to point to a public URL. This should be a page explaining why the host has been rejected. You are advised to be simple and polite - don't taunt spammers - being in your tarpit will screw them up enough.
Set the email line to your admin mailing address.
Now make sure the permissions on all the above config files are OK. They should all be owned by "spam" group "spam" and chmod-ed 640 for all except sc_web.conf which should be 644.
As the spam user, go to /usr/local/spamcannibal/script and run sc_initdb.pl to set up the necessary database tables.
First, copy the tarpit database startup script (part of the DBTarpit module sources) to the Spamcannibal scripts directory. If you've been using CPAN it'll be in the build directory:
    cp /root/.cpan/build/IPTables-IPv4-DBTarpit-0.33/rc.dbtarpit /usr/local/spamcannibal/scripts
Then, in the Spamcannibal scripts directory, rename the following file to activate it:
    cp rc.sc_lbdaemon.sample rc.sc_lbdaemon
Then to start it all up, run the following as root (with absolute paths to avoid confusion):
/usr/local/spamcannibal/scripts/rc.sc_dbwatch start /usr/local/spamcannibal/config/sc_dbwatch.conf
Check that the following are running:
    rc.sc_lbdaemon
    bdbaccess
    dnsbls
Assuming you saw no errors, Spamcannibal will now be running. To make sure that Spamcannibal starts when the system reboots, you can use the following script (the original had a second "stop)" label where "restart)" belongs; fixed here):
    #!/bin/sh
    # Start/stop spamcannibal
    SCRIPT=/usr/local/spamcannibal/scripts/rc.sc_dbwatch
    CONF=/usr/local/spamcannibal/config/sc_dbwatch.conf

    # Do nothing if the tarpit daemon was never installed
    test -f /usr/local/spamcannibal/bin/dbtarpit || exit 0

    case "$1" in
      start)
        echo -n "Starting spamcannibal"
        $SCRIPT start $CONF
        echo "."
        ;;
      stop)
        echo -n "Stopping spamcannibal"
        $SCRIPT stop $CONF
        echo "."
        ;;
      restart)
        echo -n "Restarting spamcannibal"
        $SCRIPT restart $CONF
        echo "."
        ;;
      *)
        echo "Usage: /etc/init.d/spamcannibal start|stop|restart"
        exit 1
        ;;
    esac
    exit 0
On Red Hat, put this script in /etc/init.d and set it up with:
    chkconfig --add spamcannibal
On Debian, put this script in /etc/init.d and set it up with:
update-rc.d spamcannibal defaults
Add the following entries to the "spam" user's crontab (the relative paths assume the spam user's home directory is /usr/local/spamcannibal):
    # check accumulated archive IP addresses file every 15 minutes
    */4 * * * * /usr/bin/nice -n 20 ./scripts/sc_BLcheck.pl ./config/sc_BlackList.conf
    # check valid blcontrib every few days
    21 0 */4 * * /usr/bin/nice -n 20 ./scripts/sc_BLpreen.pl ./config/sc_BlackList.conf
    # check valid blcontrib every few days
    21 0 */4 * * /usr/bin/nice -n 20 ./scripts/sc_cleanup.pl -q
At this point, although Spamcannibal will be running, you need to get it to start filtering incoming connections on port 25. To do this, add the following lines to your iptables startup script (note the path to iptables - it needs to be correct!):
    IPTABLES="/sbin/iptables"
    ANYWHERE="0/0"
    $IPTABLES -A INPUT -p tcp -s $ANYWHERE --dport 25 -j QUEUE
If you are already using iptables on the machine, then make sure this rule is the first entry in the INPUT chain. Do not insert other entries ahead of this rule.
NOTE: MAKE SURE THE ip_queue KERNEL MODULE IS LOADED
Check this with lsmod | grep ip_queue. If it's not loaded, load it with modprobe ip_queue. In future, make sure it's loaded whenever iptables loads (either by adding modprobe ip_queue to the iptables ruleset or startup script, or by some other method).
Start (or restart) the iptables script. Assuming you saw no errors, then Spamcannibal will now be tarpitting.
WARNING: If the dbtarpit daemon is not running, packets destined for port 25 are silently dropped by iptables. You will need to stop iptables (or remove the rule) to get things back to normal.
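As an added pre-flight check for this step (example code, not part of SpamCannibal), the script below parses lsmod and iptables -L INPUT -n --line-numbers output to confirm that ip_queue is loaded, that the QUEUE rule is first in INPUT, and that dbtarpit is running before port 25 traffic is handed to the queue. The sample outputs are constructed, the function names are mine, and the suggested iptables -I INPUT 1 form is my addition to guarantee first position.

```shell
#!/bin/sh
# Added example: pre-flight checks for the SpamCannibal QUEUE rule.
# The parsing functions take command output as text so they run offline;
# live_check() feeds them the real host's output.

# Constructed sample outputs (not captured from a real system).
LSMOD_WITH='Module                  Size  Used by
ip_queue                9464  0
ip_tables              21504  1 iptable_filter'
LSMOD_WITHOUT='Module                  Size  Used by
ip_tables              21504  1 iptable_filter'
INPUT_GOOD='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    QUEUE   tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:25
2    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED'
INPUT_LATE='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
2    QUEUE   tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:25'

# Return 0 if lsmod output ($1) lists the ip_queue module.
ip_queue_loaded() {
  printf '%s\n' "$1" | awk '$1 == "ip_queue" { f = 1 } END { exit (f ? 0 : 1) }'
}

# Print the rule number of the tcp/25 QUEUE rule in
# `iptables -L INPUT -n --line-numbers` output ($1), or 0 if there is none.
queue_rule_num() {
  printf '%s\n' "$1" | awk '!f && $2 == "QUEUE" && $3 == "tcp" && /dpt:25/ { print $1; f = 1 }
                            END { if (!f) print 0 }'
}

# Run all checks against the live host; report each problem, return 1 if any.
live_check() {
  rc=0
  ip_queue_loaded "$(lsmod)" || { echo "ip_queue not loaded: run modprobe ip_queue"; rc=1; }
  n=$(queue_rule_num "$(iptables -L INPUT -n --line-numbers)")
  case $n in
    0) echo "no QUEUE rule for port 25 (add: iptables -I INPUT 1 -p tcp --dport 25 -j QUEUE)"; rc=1 ;;
    1) ;;
    *) echo "QUEUE rule is at position $n of INPUT, not 1"; rc=1 ;;
  esac
  # Without dbtarpit consuming the queue, port 25 packets are silently dropped.
  pgrep -x dbtarpit >/dev/null || { echo "dbtarpit not running: port 25 would be dropped"; rc=1; }
  return $rc
}
```

Run live_check as root after loading the iptables rules; a non-zero exit means one of the three conditions above is not met.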
If you want, you can configure your mail server as a gateway to pass mail through to another server after SpamCannibal (and any other filters, like the devastatingly good MailScanner (http://www.mailscanner.info) ) has done its work. This is a good approach if you handle a lot of mail. If not, then you can skip this step and mail will be delivered to the local machine in the normal way.
First, make sure the mail server you want to handle the mail is configured correctly to handle mail for your desired domains.
Then, configure the mail server on the machine that Spamcannibal is running on as follows. No other configuration should be required.
Sendmail has a file /etc/mail/mailertable, and postfix has a file /etc/postfix/transport, into which you can put the following line for each domain you wish to pass through to the "real" mail server:
    mydomain.com smtp:[192.168.20.102]
(where mydomain.com is the domain you are handling mail for, and 192.168.20.102 is the address of the mail server you want to hand the mail off to once Spamcannibal has done its thing)
Don't forget to rebuild the config databases (for sendmail, go to /etc/mail and type make; for postfix, go to /etc/postfix and run postmap transport).
Restart the mail daemon to make sure it's got the new configuration OK, and make sure you can send a mail through your system OK before proceeding.
Spamcannibal comes with some cgi scripts that let you view what's going on in your tarpit, and other things. To enable this, tell your web server to execute scripts in /usr/local/spamcannibal/public_html.
For apache, add the following in httpd.conf:
    Alias /tarpit/ /usr/local/spamcannibal/public_html/
    <Directory /usr/local/spamcannibal/public_html/>
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
(You should really tweak the "Allow from" directive to suit your setup.)
Note: you might also need the following line if you don't already have it:
AddHandler cgi-script .cgi
Activate the admin script by renaming it and setting up the password:
    cd /usr/local/spamcannibal/public_html
    cp spam_report.cgi.example spam_report.cgi
    cd ../private
    cp passwd.initial passwd
    chown spam:spam passwd
    chmod 600 passwd
(the passwd file must be owned by the spam user)
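The following shell audit is an added check (not part of SpamCannibal) covering both the config-file permissions stated earlier (640 for *.conf, 644 for sc_web.conf, all owned spam:spam) and the private/passwd file (600, owned by spam). The function names and the /usr/local/spamcannibal default root are assumptions of this example; it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit ownership and mode of the SpamCannibal files whose
# permissions the install text specifies. Not part of the distribution.

# Print the required octal mode for a path, or nothing if it is not a file we police.
expected_mode() {
  case "$(basename "$1")" in
    sc_web.conf) echo 644 ;;   # world-readable, per the install text
    passwd)      echo 600 ;;   # htpasswd file, owner only
    *.conf)      echo 640 ;;   # every other config file
  esac
}

# audit_perms OWNER GROUP FILE...
# Prints one line per deviation and returns the number of deviations (0 = clean).
audit_perms() {
  owner=$1; group=$2; shift 2; bad=0
  for f in "$@"; do
    want=$(expected_mode "$f")
    [ -n "$want" ] && [ -f "$f" ] || continue
    have=$(stat -c '%a %U %G' "$f")        # GNU stat: mode, user, group
    if [ "$have" != "$want $owner $group" ]; then
      echo "$f: is $have, want $want $owner $group"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Audit a whole install tree (default /usr/local/spamcannibal) as spam:spam.
audit_install() {
  root=${1:-/usr/local/spamcannibal}
  audit_perms spam spam "$root"/config/*.conf "$root"/private/passwd
}
```

Run audit_install after editing the config files and again after any upgrade; a non-zero exit lists each file whose mode or owner drifted.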
Set the admin password (default is blank):
htpasswd /usr/local/spamcannibal/private/passwd admin
Reload apache, and go to the admin interface at:
http://www.yourserver.com/tarpit/admin.cgi
Click on "View DB" and have a look around. You should start to see a few addresses being logged in various states. Whether you'll see any tarpitting activity depends on the amount of mail you handle.
Assuming you encountered no errors, congratulations! You are now running a fully-fledged tarpit!
For a general overview of what's going on, go to:
http://www.yourserver.com/tarpit/spam_report.cgi