On 10/13/15 16:00, Boudewijn Dijkstra wrote:
On Thu, 08 Oct 2015 11:06:45 +0200, Markus Rosjat <ros...@ghweb.de> wrote:
Hi there,

I have a spamd running in greylisting mode and maintain my own blacklist
that I update manually. So far so good. Yesterday I just did a quite
radical adding to my blacklist :) and I noticed my outgoing traffic
jumped from around 500mb per day to 3,2gb per day. I checked the traffic
with tcpdump and there was no strange traffic going on, just my mail ports
and the 25 for the spamd. So my question is, could the radical adding of
IPs cause this (and yeah, it's a lot because I added some ranges)? As far
as I understand it, when some IP is on a blacklist it gets redirected to
spamd right away by pf and then I get some traffic going on. If an IP is
not on the blacklist and not known, greylisting jumps in and sends the
server away to come back later to decide if it goes through or on the
blacklist. So by adding a lot of possible spammers to a blacklist in the
first place I generate traffic with them.

Could someone confirm this?

Adding to a blacklist shouldn't increase traffic. I suspect there is an
error in your pf.conf.

I thought I had responded to this earlier, but it appears that was not so.

As Boudewijn says here, there's no reason why adding addresses to the blacklist manually should generate any additional traffic.

Unless of course either

a) you're using a script or somesuch that does some network gymnastics we don't know about yet in addition to the add, or

b) your method for measuring traffic has some dependency or other on the blacklist's content (uneven distribution of 'keep state pflow' in your pf.conf rules perhaps?)

In any case, showing us your rule set and explaining both your traffic measurement method and how you add entries to your blacklist would be useful.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
