NAME
SpamCannibal Quick Install
Jonathan Baker-Bates E<lt>jonathan_AT_bakerbates.comE<gt>
Michael Robinton E<lt>michael@bizsystems.comE<gt>
Last Update - February 11, 2009DESCRIPTION
This describes how to install SpamCannibal on a machine running as a mail server behind a firewall (e.g. on a DMZ), or running as a mail gateway: passing incoming mail through to the main mail server after connections have been filtered by SpamCannibal. These instructions have been tested on Debian (Sarge) and Red Hat Enterprise Linux 3.1. Your mileage may vary.
You may also want to consult further information (http://www.spamcannibal.org/docs/install.html) on configuration options, other functions and features of the SpamCannibal package that are not covered here.
1. Check Your Kernel
You'll need a Linux kernel version 2.4 or higher (i.e. it must support iptables), with the CONFIG_NETFILTER flag turned on (have a look at /boot/config-2.4.XX-XX-386 on your system)
You should have the following turned on:
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_QUEUE
If you are going to be processing a lot of connections on a very low-powered box (e.g. a P90 with <64Mb), you may want to turn them off, or have them as loadable modules in case the work of tracking connections becomes too much. But this has not been reported as a problem.
The above are turned on by default in most recent distros so you shouldn't need to do anything. If not, then you'll have to re-compile your kernel. Come back here when you're done...
2. Install the Dependencies
Iptables
You will probably have it installed already, but in case you don't... do this and come back here when you're done.
You'll also need the iptables development headers in installed. If you have a file called libipq.h then you'll be fine. If not, install iptables-devel (Red Hat) or iptables-dev (Debian).
libnet
Get this from: www.packetfactory.net/libnet (http://www.packetfactory.net/libnet) , unpack and run:
./configure
make
make installRequired perl modules
The easiest way of installing these is with the CPAN utility, which comes with most perl installations. Run this (as root):
perl -MCPAN -e shell
o conf prerequisites_policy askThen install the following if you don't already have them:
Test::Harness
Test::More
MIME::Base64
Digest::MD5
Unix::Syslog
Net::DNS::Codes
Net::DNS::ToolKit
NetAddr::IP::Lite
Net::SMTP -- part of standard perl
Net::Whois::IP
Proc::PidUtil
Sys::Hostname::FQDN
Net::Netmask
Net::DNSBL::MultiDaemonGeoIP
This is optional, but recommended if you are also going to be running the web management interface.
NOTE: BEFORE INSTALLING GEOIP WITH CPAN
Get the GeoIP database (http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz) and unpack this file to:
/usr/local/share/GeoIP (and chmod 777 ).
If you don't do this, the perl module compile tests will fail with a totally cryptic error that Larry Wall himself would be hard pushed to work out.
Now install the following with CPAN:
Geo::CountryFlags
Geo::IP::PurePerlA web server
A web server is needed so that you can get reports and stuff through a web interface. Note that you do not have to have the web server on the same machine as SpamCannibal if you don't want to, but this quick guide assumes you do. See the full docs for more details.
3. Create the spam user
Create a user on the system called "spam" in group "spam." Give it a shell and a home directory of /usr/local/spamcannibal
4. Install DBTarpit
Make a note of where your C libraries and headers are installed. On Red Hat and Debian they are:
/usr/lib
/usr/includeBut they may be different on your system.
Now, sticking with CPAN, install IPTables::IPv4::DBTarpit
When asked by the installer, enter the path to the "dbtarpit daemon install directory" as /usr/local/spamcannibal/bin
Enter the paths to the shared libraries and headers on your system as noted above, and leave the other options as their defaults.
5. Install SpamCannibal
With CPAN, install Mail::SpamCannibal
The defaults paths and stuff should be fine.
Finally, and again with CPAN, install LaBrea::Tarpit
6. Configure SpamCannibal
Go to /usr/local/spamcannibal/config and edit the following files. You will need to rename them from their defaults first: e.g. cp dnsbls.conf.sample dnsbls.conf
i) sc_dbwatch.conf
Un-comment the line to activate the LeBrea Tarpit stats daemon:
'rc.sc_lbdaemon' => 'start',ii) dnsbls.conf
Un-comment the "zonename" line and give the host that your SpamCannibal setup is running on:
zonename => 'myhost.mydomain.com',Similarly, edit the host line:
host => { # ip address or blank ''
'myhost.mydomain.com' => '192.168.10.1',
},iii. sc_BlackList.conf
Add any hosts that you need in the IGNORE section. See the notes in the config file for details, but in particular the machine's local interface addresses and 127.0.0.1. I have my two secondary mail servers as well, like this:
'IGNORE' => [
# local addresses:
'127.0.0.1',
'192.168.10.5',
'128.23.28.5',
# seconadary MX servers:
'195.149.39.130',
'195.149.39.122',Set the REJECT section to point to a public URL. This should be a page explaining why the host has been rejected. You are advised to be simple and polite - don't taunt spammers - being in your tarpit will screw them up enough.
iv. sc_web.conf
Set the email line to your admin mailing address.
Now make sure the permissions on all the above config files are OK. They should all be owned by "spam" group "spam" and chmod-ed 640 for all except sc_web.conf which should be 644.
7. Initialize the Database
As the spam user , go to /usr/local/spamcannibal/script and run sc_initdb.pl to set up the necessary database tables.
8. Start the Daemons
First, copy the tarpit database startup script (part of the DBTarpit module sources) to the Spamcannibal scripts directory. If you've been using CPAN it'll be in the build directory:
cp /root/.cpan/build/IPTables-IPv4-DBTarpit-0.33/rc.dbtarpit /usr/local/spamcannibal/scriptsThen, in the Spamcannibal scrips directory, rename the following file to activate it:
cp rc.sc_lbdaemon.sample rc.sc_lbdaemonThen to start it all up, run the following as root (with absolute paths to avoid confusion):
/usr/local/spamcannibal/scripts/rc.sc_dbwatch start /usr/local/spamcannibal/config/sc_dbwatch.confCheck that the following are running:
rc.sc_lbdaemon
bdbaccess
dnsblsAssuming you saw no errors, Spamcannibal will now be running. To make sure that Spamcannibal starts when the systems reboots, you can use the following script:
#!/bin/sh
# Start/stop spamcannibal
SCRIPT=/usr/local/spamcannibal/scripts/rc.sc_dbwatch
CONF=/usr/local/spamcannibal/config/sc_dbwatch.conf
test -f /usr/local/spamcannibal/bin/dbtarpit || exit 0
case "$1" in
start) echo -n "Starting spamcannibal"
$SCRIPT start $CONF
echo "."
;;
stop) echo -n "Stopping spamcannibal"
$SCRIPT stop $CONF
echo "."
;;
stop) echo -n "Restarting spamcannibal"
$SCRIPT restart $CONF
echo "."
;;
*) echo "Usage: /etc/init.d/spamcannibal start|stop|restart"
exit 1
;;
esac
exit 0On Red Hat, put this script in /etc/init.d and set it up with:
chkconfig -add spamcannibal
On Debian, put this script in /etc/init.d and set it up with:
update-rc.d spamcannibal defaults
9. Set a crontab up for the spam user
Add the following entries to the "spam" users crontab:
# check accumulated archive IP addresses every 15 minutes file
*/4 * * * * /usr/bin/nice -n 20 ./scripts/sc_BLcheck.pl ./config/sc_BlackList.conf
# check valid blcontrib every few days
21 0 */4 * * /usr/bin/nice -n 20 ./scripts/sc_BLpreen.pl ./config/sc_BlackList.conf
# check valid blcontrib every few days
21 0 */4 * * /usr/bin/nice -n 20 ./scripts/sc_cleanup.pl -q10. Configure iptables
At this point, although Spamcannibal will be running, you need to get it to start filtering incoming connections on port 25. To do this, add the following lines to your iptables startup script (note the path to iptables - it needs to be correct!):
IPTABLES="/sbin/iptables"
ANYWHERE="0/0"
$IPTABLES -A INPUT -p tcp -s $ANYWHERE --dport 25 -j QUEUEIf you are already using iptables on the machine , then make sure this rule is the first entry in the INPUT chain. Do not insert other entries ahead of this rule.
NOTE: MAKE SURE THE ip_queue KERNEL MODULE IS LOADED
Check this with lsmod | grep ip_queue . If it's not running, load it with modprobe ip_queue . In future, make sure it's loaded when iptables loads (either by adding modprobe ip_queue to the iptables ruleset, startup script, or other method).
Start (or restart) the iptables script. Assuming you saw no errors, then Spamcannibal will now be tarpitting.
WARNING If the dbtarpit daemon is not running, packets destined for port 25 are silently dropped by iptables. You will need to stop iptables (or remove the rule) to get things back to normal.
11. [OPTIONAL] Configure the mail server
If you want, you can configure your mail server as a gateway to pass mail through to another server after SpamCannibal (and any other filters, like the devastatingly good MailScanner (http://www.mailscanner.info) ) has done its work. This is a good approach if you handle a lot of mail. If not, then you can skip this step and mail will be delivered to the local machine in the normal way.
First, make sure the mail server you want to handle the mail is configured correctly to handle mail for your desired domains.
Then, configure the mail server on the machine that Spamcannibal is running on as follows. No other configuration should be required.
Sendmail has a file /etc/mail/mailertable , and postfix has a file /etc/postfix/transport into which you can put the following line for each domain you wish to pass through to the "real" mail server:
mydomain.com smtp:[192.168.20.102](where mydomain.com is the domain you are handling mail for, and 192.168.20.102 is the address of the mail server you want to hand the mail off to once Spamcannibal has done its thing)
Don't forget to rebuild the config databases (for sendmail, go to /etc/mail and type "make." For postfix go to /etc/postfix run postmap transport ).
Restart the mail daemon to make sure it's got the new configuration OK and make sure you can send a mail though your system OK before proceeding.
12. Configure the web server and check the web interface
Spamcannibal comes with some cgi scripts that let you view what's going on in your tarpit, and other things. To enable this, tell your web server to execute scripts in /usr/local/spamcannibal/public_html
For apache, add the following in httpd.conf :
Alias /tarpit/ /usr/local/spamcannibal/public_html/
<Directory /usr/local/spamcannibal/public_html/>
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>(You should really tweak the "Allow from" directory suit your setup.)
Note: you might also need the following line if you don't already have it:
AddHandler cgi-script .cgi13. Set up the Admin Web Interface
Activate the admin script by renaming it and setting up the password:
cd /usr/local/spamcannibal/public_html
cp spam_report.cgi.exmple to spam_report.cgi
cd ../private
cp passwd.initial passwd
chown spam:spam passwd
chmod 600 passwd(the passwd file must be owned by the spam user)
Set the admin password (default is blank):
htpasswd /usr/local/spamcannibal/private/passwd adminReload apache, and go to the admin interface at:
http://www.yourserver.com/tarpit/admin.cgiClick on "View DB" and have a look around. You should start to see a few addresses being logged in various states. Whether you'll see any tarpitting activity depends on the amount of mail you handle.
Assuming you encountered no errors, congratulations! You are now running a fully-fledged tarpit!
For a general overview of what's going on, go to:
http://www.yourserver.com/tarpit/spam_report.cgi