HACKER Filter for OpenSMTPD

A production-ready OpenSMTPD filter, designed to drop in alongside your existing mail security stack.

Overview

What the HACKER Filter does

The HACKER Filter is a production-ready OpenSMTPD filter that provides:

  • IP-based blocking with CIDR subnet support
  • Hostname/domain blocking using regex patterns
  • HELO/EHLO validation to catch spoofed connections
  • Sender address filtering at the envelope level
  • Recipient protection for sensitive addresses
  • Content filtering for spam words and phrases
  • Header inspection for malicious patterns
  • Per-user configurations allowing individual filter customization
  • Whitelist support at both global and user levels

Tip

The filter integrates seamlessly with existing mail security stacks including rspamd, SpamAssassin, ClamAV, and DKIM/DMARC verification.

Architecture

System overview

The filter slots into OpenSMTPD's session lifecycle and hands off to the broader mail security pipeline before local delivery.

┌─────────────────────────────────────────────────────────────────────────┐
│                                INTERNET                                 │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                         FIREWALL (pf/pfctl)                             │
│                         Port 25, 465, 587                               │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                          OpenSMTPD (smtpd)                              │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐     │
│  │   CONNECT   │─▶│    HELO     │─▶│  MAIL FROM │─▶│  RCPT TO   │     │
│  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘     │
│         │               │               │               │               │
│         ▼               ▼               ▼               ▼               │
│  ┌─────────────────────────────────────────────────────────────────┐    │
│  │                          HACKER FILTER                          │    │
│  │  ┌───────────────────────────────────────────────────────────┐  │    │
│  │  │                       Global Config                       │  │    │
│  │  │               /etc/mail/filter-hacker.json                │  │    │
│  │  └───────────────────────────────────────────────────────────┘  │    │
│  │  ┌───────────────────────────────────────────────────────────┐  │    │
│  │  │                       User Configs                        │  │    │
│  │  │            /etc/mail/filter-users/<email>.json            │  │    │
│  │  └───────────────────────────────────────────────────────────┘  │    │
│  └─────────────────────────────────────────────────────────────────┘    │
│         │                                                               │
│         ▼                                                               │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐     │
│  │   rspamd    │─▶│ SpamAssassin│─▶│   ClamAV   │─▶│   DKIM     │     │
│  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘     │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                             LOCAL DELIVERY                              │
│                        Maildir / Dovecot / LMTP                         │
└─────────────────────────────────────────────────────────────────────────┘

Filter protocol flow

The filter implements the OpenSMTPD filter protocol (smtpd-filters(7)):

SMTP Phase          Filter Event       Possible Actions
─────────────────────────────────────────────────────────
Connection      →   connect        →   proceed | reject | disconnect
HELO/EHLO       →   helo/ehlo      →   proceed | reject
MAIL FROM       →   mail-from      →   proceed | reject
RCPT TO         →   rcpt-to        →   proceed | reject
DATA content    →   data-line      →   filter-dataline (pass through)
End of DATA     →   commit         →   proceed | reject
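
The request and reply lines behind the table above, as an added example that is not the HACKER Filter's own source. It assumes smtpd-filters(7) protocol version 0.5 or later (session id before token in replies); the rule patterns are the "e.g." values from this page, and the session ids, tokens and timestamps are constructed.

```javascript
// Added example, not the HACKER Filter's source. Assumes smtpd-filters(7)
// protocol >= 0.5. Patterns reuse the page's "e.g." values.
const RULES = {
  helo: [/^localhost$/],
  'mail-from': [/.*@spamdomain\.com$/],
  'rcpt-to': [/^admin@.*/],
};
const PHASES = ['helo', 'ehlo', 'mail-from', 'rcpt-to', 'data-line', 'commit'];

// Lines the filter writes once smtpd has sent "config|ready".
function registration() {
  return PHASES.map(p => `register|filter|smtp-in|${p}`).concat('register|ready');
}

// Map one line from smtpd to the reply line, or null when no reply is due.
function handleLine(line) {
  const f = line.split('|');
  if (f[0] !== 'filter' || f.length < 7) return null; // config|... and report|... lines
  const [phase, session, token] = f.slice(4, 7);
  // The payload may itself contain '|', so re-join everything after the token.
  const param = f.slice(7).join('|');
  if (phase === 'data-line') {
    // Every data line, including the final ".", must be echoed or the session stalls.
    return `filter-dataline|${session}|${token}|${param}`;
  }
  const key = phase === 'ehlo' ? 'helo' : phase;
  const value = param.replace(/^<|>$/g, ''); // tolerate <addr> or bare addr
  const hit = (RULES[key] || []).some(re => re.test(value));
  return hit
    ? `filter-result|${session}|${token}|reject|550 rejected by policy`
    : `filter-result|${session}|${token}|proceed`;
}

// Constructed sample session (ids and timestamps are made up).
const demo = [
  'filter|0.7|1700000000.000001|smtp-in|ehlo|aaaa0001|bbbb0001|localhost',
  'filter|0.7|1700000000.000002|smtp-in|mail-from|aaaa0002|bbbb0002|alice@example.org',
  'filter|0.7|1700000000.000003|smtp-in|data-line|aaaa0002|bbbb0003|a|b',
];
for (const l of demo) console.log(handleLine(l));
```

A filter that registers for data-line but fails to echo a line truncates or hangs the message, so the pass-through branch is the one to test first.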

File structure

/etc/mail/
├── smtpd.conf                      # OpenSMTPD main configuration
├── filter-hacker.json              # Global filter configuration
└── filter-users/                   # Per-user configurations
    ├── user1@domain.com.json
    ├── user2@domain.com.json
    └── ...

/usr/local/libexec/smtpd/
└── filter-hacker.js                # Filter executable

/var/log/
├── maillog                         # OpenSMTPD logs
└── smtpd-filter.log                # Filter-specific logs

Requirements

Software requirements

Component       Minimum version    Recommended
─────────────────────────────────────────────────────────
OpenBSD         7.0                7.4+
OpenSMTPD       6.8                7.7+

Hardware requirements

Resource        Minimum            Recommended
─────────────────────────────────────────────────────────
RAM             512 MB             2 GB
CPU             1 core             2+ cores
Disk            10 GB              50 GB

Per-mailbox

Filter options every user can customize

Each @hacker.com.br mailbox owner can manage their own rules from the dashboard. Per-user filters layer on top of the global HACKER Filter - they cannot weaken the operator's blocklists, but they let each user add extra blocks or whitelist trusted senders. Patterns are matched the same way as the global config.

Blocked IPs

IP addresses or CIDR ranges that should be rejected.

e.g. 203.0.113.0/24

Blocked hostnames

Regex patterns matched against connecting hostnames.

e.g. .*\.example\.com$

Blocked HELO/EHLO

Regex patterns matched against HELO / EHLO values.

e.g. ^localhost$

Blocked senders

Regex patterns matched against the MAIL FROM envelope.

e.g. .*@spamdomain\.com$

Blocked recipients

Regex patterns matched against the RCPT TO envelope.

e.g. ^admin@.*

Blocked words

Regex patterns matched against message body content.

e.g. \bviagra\b

Blocked headers

Match a header name with a regex pattern - useful for catching specific mailer signatures, broken subject prefixes, or known spam markers.

e.g. header name Subject, pattern ^\[SPAM\]

Whitelisted IPs

IPs or CIDR ranges that bypass blocking rules.

e.g. 127.0.0.1

Whitelisted hostnames

Hostnames that bypass blocking rules.

e.g. trusted.example.com

Whitelisted senders

Senders that bypass blocking rules.

e.g. friend@example.com

Tip

Patterns are POSIX-style regex (same engine the operator uses for the global filter). IP rules accept plain IPs or CIDR ranges. Whitelist entries always win over blocklist entries so trusted addresses keep flowing even if the global filter would otherwise reject them.
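
How plain-IP and CIDR rules and the whitelist-first precedence described in this tip can be evaluated, as an added example that is not the HACKER Filter's code. The key names (`whitelistedIps`, `blockedIps`, `blockedHelo`) are hypothetical because the page does not show the JSON schema, the values are constructed, and JavaScript `RegExp` stands in for the filter's regex engine.

```javascript
// Added example, not the HACKER Filter's code. Key names are hypothetical (the page
// does not show the JSON schema) and all values are constructed samples.
const sample = {
  whitelistedIps: ['203.0.113.25'],
  blockedIps: ['203.0.113.0/24'],
  blockedHelo: ['^localhost$'],
};

// Dotted-quad IPv4 to unsigned 32-bit integer, or null when malformed.
function ipToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = (n * 256 + Number(p)) >>> 0;
  }
  return n;
}

// True when ip is covered by rule, where rule is a plain IP or a CIDR range.
function ipMatches(ip, rule) {
  const [base, len = '32'] = String(rule).split('/');
  const a = ipToInt(ip), b = ipToInt(base), bits = Number(len);
  // A malformed rule matches nothing, so a typo cannot turn into "match everything".
  if (a === null || b === null || !/^\d{1,2}$/.test(len) || bits > 32) return false;
  // JS shift counts wrap at 32, so the /0 mask has to be special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Whitelist first, then blocklists, following the precedence the tip describes.
function decide(cfg, ip, helo) {
  if ((cfg.whitelistedIps || []).some(r => ipMatches(ip, r))) return 'proceed';
  if ((cfg.blockedIps || []).some(r => ipMatches(ip, r))) return 'reject';
  if ((cfg.blockedHelo || []).some(p => new RegExp(p).test(helo))) return 'reject';
  return 'proceed';
}

console.log(decide(sample, '203.0.113.25', 'mx.example.net'));
console.log(decide(sample, '203.0.113.77', 'mx.example.net'));
console.log(decide(sample, '198.51.100.7', 'localhost'));
```

Because a whitelisted IP returns before any other rule runs, a broad whitelist CIDR also skips the HELO check for every address in that range.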

Hacker.com.br Email

Get a premium @hacker.com.br mailbox running on the same security-first stack the HACKER Filter is built for.