Mail-SpamCannibal


pods/INSTALL.pod  view on Meta::CPAN


for command line details.

=head3 configuring IPTABLES for dbtarpit

In the iptables configuration file (usually rc.iptables), place the filter for B<dbtarpit>
as the first entry in the INPUT chain. Do not insert other entries ahead of this rule,
since any rule that matches port 25 traffic before it bypasses the tarpit.

  i.e.

  IPTABLES="/usr/local/spamcannibal/bin/iptables"
  INET_IFACE="eth0"	# or your internet device
  ...

  # hand incoming tcp/25 packets to the dbtarpit daemon via the QUEUE target
  $IPTABLES -A INPUT -p tcp -i $INET_IFACE --dport 25 -j QUEUE

This rule will send tcp packets destined for port 25 from the internet
to the B<dbtarpit> daemon. If the IP
address of the packet is not found in the database, the packet is
returned to the chain untouched. If the IP
address is found in the database, the packet is dropped and the
connection tarpitted.

If the target host is not the host that will process the connection, i.e.
you are using NAT on a dual-homed bastion host, then the following rules
would apply.

  i.e.
  TARGET="1.2.3.4"
  LAN_IFACE="eth1"

  # DNAT is applied in the nat table's PREROUTING chain
  $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE --dport 25 -j DNAT --to $TARGET

If the incoming IP address is a virtual interface (i.e. eth0:n), then simply add
the destination match C<-d $VIRTUAL_DEST_IP> to the above rules.

  and in the FORWARD chain
  # QUEUE first so dbtarpit sees the packet; if it is not in the database
  # the packet is returned to the chain and ACCEPTed by the next rule
  $IPTABLES -A FORWARD -p tcp -o $LAN_IFACE \
	--dport 10025 -d $TARGET -j QUEUE
  $IPTABLES -A FORWARD -p tcp -o $LAN_IFACE \
	--dport 10025 -d $TARGET -j ACCEPT

B<WARNING>: if the dbtarpit daemon is not running, packets destined for
port 25 are silently dropped by IPTABLES.
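As an added check, not part of the SpamCannibal distribution, the following shell functions verify the two conditions above: that the QUEUE rule is the first INPUT rule (so nothing shadows the tarpit) and that a dbtarpit process exists (so QUEUE is not silently dropping port 25). It assumes the rule listing comes from C<iptables -S INPUT> and that the C<INET_IFACE> variable matches rc.iptables; C<pgrep> is assumed to be available.

```shell
#!/bin/sh
# Added example (not part of SpamCannibal): sanity-check the dbtarpit
# QUEUE rule ordering in an "iptables -S INPUT" listing.

INET_IFACE="${INET_IFACE:-eth0}"   # assumption: same variable as rc.iptables

# queue_rule_position RULES
#   Prints the 1-based position of the tcp/25 QUEUE rule on $INET_IFACE
#   among the "-A INPUT" lines of RULES, or 0 if there is no such rule.
queue_rule_position() {
    printf '%s\n' "$1" | grep '^-A INPUT ' | awk -v iface="$INET_IFACE" '
        /-j QUEUE/ && /-p tcp/ && /--dport 25( |$)/ && index($0, "-i " iface " ") {
            print NR; found = 1; exit
        }
        END { if (!found) print 0 }'
}

# check_queue_first RULES
#   Returns 0 when the QUEUE rule is the first INPUT rule. Otherwise prints
#   why (rule missing, or the rules that are ahead of it and bypass the
#   tarpit) and returns 1.
check_queue_first() {
    pos=$(queue_rule_position "$1")
    if [ "$pos" -eq 0 ]; then
        echo "dbtarpit QUEUE rule missing from INPUT: port 25 is not tarpitted" >&2
        return 1
    elif [ "$pos" -ne 1 ]; then
        echo "rules ahead of the dbtarpit QUEUE rule (position $pos) bypass the tarpit:" >&2
        printf '%s\n' "$1" | grep '^-A INPUT ' | head -n "$((pos - 1))" >&2
        return 1
    fi
    return 0
}

# dbtarpit_running
#   Returns 0 if a dbtarpit process exists; with the QUEUE target and no
#   userspace listener, matching packets are dropped by the kernel.
dbtarpit_running() {
    pgrep -x dbtarpit >/dev/null 2>&1
}
```

On the tarpit host, run C<check_queue_first "$(iptables -S INPUT)" && dbtarpit_running> as root; a non-zero exit means port 25 traffic is either bypassing the tarpit or being dropped.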

=head2 Mail::SpamCannibal

Before installing SpamCannibal, you must edit the configuration file used by
the install script to indicate the location and executable name of the PGP
binary you will use on your system.

Edit the file B<executableTestPath.conf>. The contents of the file look
like this:

  #
  # put the path to the pgp executable 
  # in this file in "quotes"
  #
  # i.e.
  #       /usr/local/bin/pgp
  #       /usr/local/bin/gpg

  sub privacyexecutables {
    return qw (
        /usr/local/bin/gpg
        /usr/local/bin/pgp
    );
  }
  1;

Include only the executables you have installed on your system.

Now you can proceed with a standard perl module installation by typing:

  perl Makefile.PL

    #####################################################
    SpamCannibal comes with a preselected set of defaults 
    that should work for almost all installations. 

    #####################################################

    spamcannibal db environment directory   : [/var/run/dbtarpit] 
    spamcannibal user (must already exist)  : [spam] 
    spamcannibal user home directory        : [/usr/local/spamcannibal] 
    spamcannibal tarpit database name       : [tarpit] 
    spamcannibal archive database name      : [archive] 
    spamcannibal black list contrib name    : [blcontrib] 
    spamcannibal evidence database name     : [evidence] 
    spamcannibal default umask (007)        : [007] 
    If you wish to support additional databases, edit
    the rc.xxxx startup scripts for the appropriate program.

  make
  make test
  make install

=head1 SpamCannibal setup

SpamCannibal can be run entirely on a single host, or the B<dbtarpit> and
B<dnsbls> daemons can be run on one host with the public and
administrative web services running on a separate host.

Additional security can be provided by running the dbtarpit/dnsbls daemons in a
DMZ. Access restrictions for zone transfer can be provided by using BIND as
the distribution DNS and updating the slave DNS servers from the dnsbls
server, which itself has no outside access. Users are invited to write an
expanded FAQ or installation procedure and submit it for inclusion with this
documentation package.

=head2 rDNS setup

There are three methods to set up SpamCannibal rDNS, each with its own
advantages and disadvantages. With all methods, a zone file is available
that can be copied for http or ftp download to mirror providers.

=head3 example 1: rDNS direct

This method is the simplest and must be used to provide service for the
following two methods. The dnsbls daemon is run on port 53.

=for html <blockquote>
See: man <a href=Mail-SpamCannibal-DNSBLserver.html>Mail::SpamCannibal::DNSBLserver</a>
</blockquote>


retrieve and write new flag images as needed from the CIA web site. If you
wish to set this directory with more restrictive permissions, use the
utilities that come with Geo::CountryFlags to download ALL the country flags
so that global write permissions are not necessary.

=head1 SpamCannibal mail robot script sc_mailfilter.pl

SpamCannibal provides a mail header parsing script, B<sc_mailfilter.pl>, that examines a mail
header and, after eliminating known local MTAs, identifies the originator of
the mail traffic. This script can require PGP armor (recommended) to
prevent unauthorized messages from being used. Basically, if you identify a
piece of mail as being SPAM, email it to the B<spam> user on the tarpit host
system as follows:

=over 4

=item 1. unhide the headers on the spam message

=item 2. copy the headers and beginning message body to a new message

=item 3. encrypt the message with B<spam's> public key

=item 4. email the message to B<spam>

NOTE: it is important to keep the B<public_key> a secret. The manner in
which it is used in this application provides the security for sending
messages to add to the spamcannibal tarpit: possession of the public key is
what authorizes a submission. Anyone with the public key can
send a message to sc_mailfilter.pl for inclusion in the tarpit database.
B<sc_mailfilter.pl> will reject messages that are not PGP armored and messages
that do not decrypt.

WARNING: The B<sc_mailfilter.pl> script only reads the first 10,000
characters of incoming messages. If you encode more characters than this
with PGP, you will get B<INVALID ARMOR> errors and the submitted spam will
not be decoded. If you get this error, either don't paste as much message
into what is sent to the spam user or edit B<sc_mailfilter.pl> to increase
the number of characters. The latter choice makes the evidence database that
much bigger on average.

=back
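As an added pre-flight check, not part of the SpamCannibal distribution, the shell function below tests whether an ASCII-armored submission ends within the first 10,000 characters that sc_mailfilter.pl reads, which is exactly the condition behind the B<INVALID ARMOR> error above. It assumes the message is piped in on stdin in standard PGP armor format.

```shell
#!/bin/sh
# Added example (not part of SpamCannibal): check that an armored message's
# END marker falls inside the character window sc_mailfilter.pl reads.

# armor_fits LIMIT
#   Reads an armored message on stdin. Returns 0 if the
#   "-----END PGP MESSAGE-----" line ends within the first LIMIT characters
#   (newlines counted); otherwise reports why and returns 1.
armor_fits() {
    limit="$1"
    end_offset=$(awk '
        { chars += length($0) + 1 }                  # +1 for the newline
        /^-----END PGP MESSAGE-----/ { print chars; found = 1; exit }
        END { if (!found) print -1 }')
    if [ "$end_offset" -lt 0 ]; then
        echo "no END PGP MESSAGE marker: input is not PGP armored" >&2
        return 1
    elif [ "$end_offset" -gt "$limit" ]; then
        echo "armor ends at character $end_offset, past the $limit-character limit: trim the pasted body" >&2
        return 1
    fi
    return 0
}
```

Typical use before mailing is C<gpg --armor --encrypt -r SpamCannibal E<lt> spam.txt | armor_fits 10000>, with 10000 matching the limit compiled into sc_mailfilter.pl.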

=head2 Setting up sc_mailfilter's PGP keys

The details of the procedure vary slightly depending on whether you select
GPG or PGP, but the basic steps are the same.

=over 4

=item create a private/public key pair for the spamcannibal user

=item export the public key to a file

=item install the public key file in your mail client

=back

=head3 key generation for GPG

Login as the spamcannibal user and type:

  gpg --gen-key

  Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
  Your selection? 1
  DSA keypair will have 1024 bits.
  About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
  What keysize do you want? (1024) 
  Requested keysize is 1024 bits   
  Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
  Key is valid for? (0) 
  Key does not expire at all
  Is this correct (y/n)? y

  You need a User-ID to identify your key; the software constructs the user id
  from Real Name, Comment and Email Address in this form:
      "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

  Real name: SpamCannibal
  Email address: spam@myhost.com
  Comment: eats spammers for lunch
  You selected this USER-ID:
    "SpamCannibal (eats spammers for lunch) <spam@myhost.com>"

  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  You need a Passphrase to protect your secret key.

  Enter password: myspampassword
  Reenter password: myspampassword

  (gpg generates the keys...++..++++...)

  gpg: /usr/local/spamcannibal/.gnupg/trustdb.gpg: trustdb created

  public and secret key created and signed.
  key marked as ultimately trusted.

  pub  1024D/EA000A1B 2003-08-28 SpamCannibal (eats spammers for lunch) <spam@myhost.com>
       Key fingerprint = EBBD 0A8A 1AB4 B6E8 38B6  FFA1 E9A3 E4C8 EA00 0A1B
  sub  1024g/37858C46 2003-08-28

Done!, the keys can now be found in:

  ls -1 .gnupg/
	gpg.conf
	pubring.gpg
	random_seed
	secring.gpg
	trustdb.gpg

Export the public key and transport it to your mail client.

  gpg --armor --export SpamCannibal        

  gpg: please see http://www.gnupg.org/faq.html for more information
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1.2.2 (GNU/Linux)
  -----END PGP PUBLIC KEY BLOCK-----

=head3 key generation for PGP

Login as the spamcannibal user and type:

   pgp -kg

  Pretty Good Privacy(tm) Version 6.5.8
  (c) 1999 Network Associates Inc.
  Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
  Export of this software may be restricted by the U.S. government.

  Choose the public-key algorithm to use with your new key
  1) DSS/DH (a.k.a. DSA/ElGamal) (default)
  2) RSA
  Choose 1 or 2: 2
  Pick your RSA key size:
  1)  1024 bits- High commercial grade, secure for many years
  2)  2048 bits- "Military" grade, secure for forseeable future
  Choose 1, 2, or enter desired number of bits: 1
  Generating a 1024-bit RSA key.

  You need a user ID for your public key.  The desired form for this
  user ID is your name, followed by your E-mail address enclosed in
  <angle brackets>, if you have an E-mail address.
  For example:  John Q. Smith <jqsmith@nai.com>

  Enter a user ID for your public key: SpamCannibal <spam@myhost.com>

  Enter the validity period of your signing key in days from 0 - 10950
  0 is forever (the default is 0): 0

  You need a pass phrase to protect your RSA secret key.
  Your pass phrase can be any sentence or phrase and may have many
  words, spaces, punctuation, or any other printable characters.
