Documentation

How it works

[Figure: interaction between system and environment]

The components of the system are (1) a small Postfix database full of fake or bogus addresses, (2) a blacklist server, and (3) the stixs module. The blacklist server answers queries ("is this IP blacklisted or not?") and accepts requests to blacklist new IPs.

When new mail arrives, Stixs first queries the blacklist daemon to check whether the sender IP is already blacklisted; if it is, it rejects the incoming mail.

Otherwise it looks up the fake addresses database to see if the recipient of the incoming mail is listed among the fakes; if it is, it blacklists the sender IP in the blacklist server and rejects the mail. That IP will be blacklisted until its entry in the blacklist server expires according to the server configuration.

It follows that if a spammer MTA sends to all the addresses published, there is a strong chance its IP gets blacklisted and none or few of its spam messages will get delivered. This is the difference between a regular MTA, which sends mail to allowed addresses, and a spammer, who indiscriminately sends mail to any harvested address.
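The decision flow described above, as an added Python example (not the Stixs source, which is a Perl script). It parses a request in Postfix's policy delegation format and returns the reply. Assumptions: `MemoryBlacklist` is a hypothetical in-memory stand-in for the blacklist server and does not speak bld's protocol; the function names, reject texts and sample addresses are constructed.

```python
import time

# Constructed sample data: trap addresses as they would be listed in /etc/postfix/fakeaddr.
FAKE_ADDRESSES = {"fakeaddress1@domain.tld", "fakeaddress2@domain.tld"}


class MemoryBlacklist:
    """In-memory stand-in for the blacklist server (assumption, not bld's protocol)."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl, self.clock, self.expiry = ttl_seconds, clock, {}

    def is_listed(self, ip):
        deadline = self.expiry.get(ip)
        if deadline is not None and deadline <= self.clock():
            del self.expiry[ip]  # entry expired: the IP is accepted again
            return False
        return deadline is not None

    def add(self, ip):
        self.expiry[ip] = self.clock() + self.ttl


def parse_request(text):
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, blacklist, fakes=FAKE_ADDRESSES):
    """Return the policy reply for one request, applying the two checks in order."""
    ip = attrs.get("client_address", "")
    rcpt = attrs.get("recipient", "").lower()  # assumption: match case-insensitively
    if not ip:
        return "action=DUNNO\n\n"  # nothing to key on; later restrictions decide
    if blacklist.is_listed(ip):
        return "action=REJECT blacklisted sender IP\n\n"
    if rcpt in fakes:
        blacklist.add(ip)  # one hit on a trap address lists the sender
        return "action=REJECT recipient is a trap address\n\n"
    return "action=DUNNO\n\n"  # no opinion; mail continues through Postfix
```

Note that once an IP is listed, mail from it to legitimate recipients is rejected as well until the entry expires.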

Installation

This section will not cover the installation detail of Postfix and bld, but only configuration details.

  1. Install and configure bld (Black List Daemon) and postfix
    apt-get install postfix bld 
    Unless you plan to use an ssh tunnel, both should be installed on the same machine with bld listening on localhost. It's not wise to let anyone out there decide which hosts you are going to blacklist. Otherwise, you can edit the bld access lists so that the blacklist server accepts updates only from localhost. Check that the bld daemon is really started.
    /etc/init.d/bld start
  2. Unpack stixs in /etc/postfix/stixs.pl
  3. Configure postfix as follows:
    • main.cf:
      smtpd_recipient_restrictions =
         permit_mynetworks,
         reject_unauth_destination,
         check_policy_service unix:private/stixs,
      			
    • master.cf: add
      stixs   unix    -       n       n       -       -       spawn 
         user=nobody argv=/usr/bin/perl /etc/postfix/daemon.pl
      			
    • /etc/postfix/fakeaddr (in postfix access (5) format):
      fakeaddress1@domain.tld REJECT
      fakeaddress2@domain.tld REJECT
      fakeaddress3@domain.tld REJECT
      			
      These are the addresses that should be published on an indexed web page or extracted from the logs of frequently rejected addresses. Make sure these addresses are not rejected as unauth_destination.
    • Depending on your postfix configuration you may have to edit /etc/aliases to add them as "valid" destinations:
      fakeaddress1: /dev/null
      fakeaddress2: /dev/null
      fakeaddress3: /dev/null
      			
    • rebuild fake addresses database and aliases
      postmap /etc/postfix/fakeaddr
      postalias /etc/aliases
      			
  4. Now restart postfix: /etc/init.d/postfix restart

Checking and troubleshooting

In case of problems, Stixs can be made more verbose by setting the variable $debug=1.
Watch the mail.log and daemon logs.

The bld daemon normally binds to localhost, port 2905. If you configured it differently, edit the stixs variables $blhost and $blport accordingly.