FAQ

About	Download	Docs	FAQ	TODO	Support	Log analysis

Frequently asked questions:

• I already have an antispam running on my mailserver, why should I install synspam ?
  Synspam prevents spammers from connecting to your mail server. This is achieved by using netfilter queues which allows a userspace program to drop or accept connections. Thus reducing the amount of spam messages your antispam must process.

• How do I install synspam and its dependencies ?
  To use synspam, the following options should be integrated in your kernel config file, either as a module or built-in:

• Netfilter Netlink NFQUEUE
• Packet marking
• Packet rejecting
  Here are the corresponding .config strings:

  CONFIG_NETFILTER_XT_TARGET_CONNMARK=[y|m]
  CONFIG_NETFILTER_XT_MATCH_CONNMARK=[y|m]
  CONFIG_IP_NF_QUEUE=[y|m]
  CONFIG_IP6_NF_QUEUE=[y|m]
  CONFIG_IP_NF_TARGET_REJECT=[y|m]
  CONFIG_IP6_NF_TARGET_REJECT=[y|m]
  

  By default, any distribution stock kernel should be okay.
  Use packages if they're available for your distribution, it's the simplest way to do things. Also please note that synspam requires your Linux kernel to have the following elements activated (in kernel or module)

If you want to do it by hand, just do the following:

• if you're using synspam >= 0.3.5:

  # cp synspam.pl /usr/local/sbin
  # /sbin/iptables -N synspam
  # /sbin/iptables -A synspam -m mark --mark 1 -p tcp -j REJECT --reject-with tcp-reset
  # /sbin/iptables -A synspam -j NFQUEUE --queue-num 0
  # /sbin/iptables -A INPUT -p tcp --syn --dport 25 -j synspam
  # /usr/local/sbin/synspam.pl
  

• if you're using synspam >= 0.2.5 and < 0.3.5:

  # cp synspam.pl /usr/local/sbin
  # /sbin/iptables -I INPUT 1 -m tcp -p tcp ! -s 127.0.0.1 --syn --dport 25 -j NFQUEUE --queue-num 0
  # /usr/local/sbin/synspam.pl
  

• if you're using synspam < 0.2.5:

  # cp synspam.pl /usr/local/sbin
  # /sbin/iptables -I INPUT 1 -m tcp -p tcp ! -s 127.0.0.1 --syn --dport 25 -j QUEUE
  # /usr/local/sbin/synspam.pl
  

  Of course if your smtp server is running on a port other than 25, use the correct port number.
  Dependencies installation depends on your distribution, you should install packages if they're available.

• How do I check synspam setup is functionnal ?
  Here is a way to test it without having to wait for a spammer to connect to your server :

  $ pgrep synspam
  12345
  
  if you're using synspam >= 0.2.5
  # iptables -L |grep NFQUEUE\ num\ 0
  NFQUEUE    tcp  -- !localhost            anywhere            tcp dpt:smtp
  flags:FIN,SYN,RST,ACK/SYN NFQUEUE num 0
  
  if you're using synspam < 0.2.5
  # iptables -L |grep ^QUEUE
  QUEUE      tcp  -- !localhost.c0a8.org   anywhere            tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN 
  
  (download and install hping)
  
  # hping -a 123.123.123.123 -S -c 1 localhost -p 25 
  # grep 123\.123\.123\.123 /var/log/daemon.log |tail -1
  Oct 27 13:27:09 sturmgeist synspam: reject connection from 123.123.123.123:3020 score=6
  

• How does synspam scoring works ?
  Scoring works this way : when a connection is initated (SYN is received), many tests are performed on the source IP: DNSBL checks, regex applied to the reverse DNS.
  Here is an example: the box 200.84.170.164 connects to our mail server First a reverse DNS lookup is made, this IP has a reverse which is 200.84.170-164.dyn.dsl.cantv.net.
  This reverse name matches our "botnet regex" because it contains the dyn and dsl part. Most (but not all) dynamic or dialup IP address sending mail are part of botnets, thus giving us a good advice on the probability the message to be delivered is a spam.
  Despite the regex on the the reverse lookup, DNSBL checks are made to verify the sender IP address is not blacklisted. There are three levels of DNSBL in synspam, low medium and high, the score is set according to how much you trust each DNSBL.
  Eventually, if the score is beyond the threshold you defined, the connection is dropped. You only received one SYN and you already blocked the spammer from using your mail server resources. Great, isn't it ?