Spamd PF milter-spamd

2009-08-26 Thread Duncan Patton a Campbell
Howdy List?

I'm trying to setup spamd on a sparc and wondering
about using PF or the milter redirect mechanism. 

Are there any instructions on using these with sendmail
past the man pages?  I've set up spamd but am clearly
missing something as there's been no abatement of 
crap in my mailboxes ... also I'm getting an error
(faaakk sorry about the truncation)
spamlogd: Failed to initialize: pflog0: Device not configured
in /var/log/messages .

Any pointers would be appreciated...

Thanks,

Dhu

PS, FWIW, here's my dmesg:




Re: Spamd PF milter-spamd

2009-08-26 Thread Duncan Patton a Campbell
On Wed, 26 Aug 2009 15:34:17 +0200
Iqigo Ortiz de Urbina  wrote:

> On Wed, Aug 26, 2009 at 2:48 PM, Duncan Patton a Campbell <
> campb...@neotext.ca> wrote:
>
> > Howdy List?
> >
> > I'm trying to setup spamd on a sparc and wondering
> > about using PF or the milter redirect mechanism.
> >
> > Are there any instruction on using these with sendmail
> > past the man pages?  I've set up spamd but am clearly
> > missing something as there's been no abatement of
> > crap in my mailboxes ... also I'm getting an error
> > (faaakk sorry about the truncation)
> > spamlogd: Failed to initialize: pflog0: Device not configured
> > in /var/log/messages .
> >
> > Any pointers would be appreciated...
> >
> > Thanks,
> >
> > Dhu
> >
> > PS, FWIW, here's my dmesg:
> >

Re: Spamd PF milter-spamd

2009-08-26 Thread Stuart Henderson
On 2009-08-26, Duncan Patton a Campbell  wrote:
>> > OpenBSD 4.5 (GENERIC) #1898: Sat Feb 28 17:42:44 MST 2009
>
> Hi.  I don't have such device on the sparc64:

pflog0 is automatically created when pf is enabled since /etc/rc r1.310
(OpenBSD 4.3).

either you didn't have pf enabled at last boot - in which case enabling
it, as you need for spamd anyway, and rebooting, will fix it - or you have
an old /etc/rc from an incomplete upgrade (missing etc45.tgz).



Re: Spamd PF milter-spamd

2009-08-26 Thread Duncan Patton a Campbell
On Wed, 26 Aug 2009 22:43:34 + (UTC)
Stuart Henderson  wrote:

> On 2009-08-26, Duncan Patton a Campbell  wrote:
> >> > OpenBSD 4.5 (GENERIC) #1898: Sat Feb 28 17:42:44 MST 2009
> >
> > Hi.  I don't have such device on the sparc64:
> 
> pflog0 is automatically created when pf is enabled since /etc/rc r1.310
> (OpenBSD 4.3).
> 
> either you didn't have pf enabled at last boot - in which case enabling
> it, as you need for spamd anyway, and rebooting, will fix it - or you have
> an old /etc/rc from an incomplete upgrade (missing etc45.tgz).
> 

Yes.  Another case of RTFM, I'm afraid.  Things didn't work until the reboot.
Seems OK now.  

Thanks,

Dhu



spamd

2007-06-04 Thread Edgars Makņa

Hi!

I have some problems with spamd. A lot of smtp servers stop at this 
point of cycle:

Jun  4 20:40:17 firewall spamd[7659]: xxx.yyy.zzz.ccc: connected (118/3)
Jun  4 20:44:14 firewall spamd[7659]: xxx.yyy.zzz.ccc: disconnected after 374 seconds.


After some retries nothing changes, they do not pass. What can be wrong?

spamd_flags"-v -G5:4:864"



spamd

2006-11-07 Thread edgarz

Hi misc!

Is it possible to keep in sync two or more spamdb over the network? :)

Thanks.
Edgars.



spamd

2006-11-22 Thread M...
Hello.

First I am new to using spamd.  

I have a spare IP address that is sometimes used for
outbound stuff (keep state) - it is not listed
anywhere in DNS, so nobody should be touching any of
the 65535 ports unless they are scanning me, trying to
connect to windows ports, etc.
ignoring icmp, is there a way to:-

1)   save those IP's except the one's that are in
response to an outbound connection

2)   add it to the spamd blacklist and tarpit them
should they later try and connect to port 25.

I'm curious about how many remote IP's try and touch
my spare IP address per day and also what ports and how
many attempts per port.



 




spamd not logging to /var/log/spamd

2006-04-11 Thread Bryan Irvine
I think I just need a second pair of eyes because I'm obviously
missing something.

I've just installed a new firewall, and i'm trying to get spamd to log
to /var/log/spamd.

It *does* log to /var/log/daemon though, and the greylisting daemon is
working fine.


fire:/var/log#ls -al spamd
-rw-r-  1 root  wheel  0 Apr  5 16:05 spamd



---/var/log/daemon---
Apr 11 15:33:29 fire spamd[8627]: 218.38.56.27: connected (7/6), lists: korea
Apr 11 15:33:34 fire spamd[8627]: 80.72.152.151: connected (8/6)



---My modifications to syslog.conf---
!spamd
daemon.err;daemon.warn;daemon.info  /var/log/spamd



---My modifications to newsyslog.conf---
/var/log/spamd  640  30100  * Z



spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

Hi,

I'm trying to use spamd to block spam using graylisting, but the spamd 
database is not updated.


I run /usr/libexec/spamd -v -d to see what's happening and I definitely 
see hosts connecting to it:


(GREY) 209.85.219.176: mytestem...@gmail.com> -> 
Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from 
 to 

added  209.85.219.176
mail-yb1-f176.google.com


209.85.219.176 connected for 11 seconds.

I also tried to submit an email using Python SMTP library and I 
confirmed 451 Temporary failure response.


But when I browse /var/db/spamd, there is nothing there.

My spamd is running and is referring to a correct file:

# ps aux | grep spamd
_spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM    0:00.00 spamd: 
(pf  update) (spamd)
_spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM    0:00.02 spamd: 
[priv] (greylist) (spamd)
_spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM    0:00.00 spamd: 
(/var/db/spamd update) (spamd)


Database file has correct perms:

# ls -l /var/db/spamd
-rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd

# spamdb /var/db/spamd


My spamd config is default.
OpenBSD 6.3.

What is wrong with it?

Best regards,
Chris



spamd sync

2005-09-20 Thread Mike Spenard

Has anyone written a utility to keep /var/db/spamd in sync across multiple
spamd servers?

Mike Spenard



spamd extension

2005-10-25 Thread James Harless
I would like some advice on extending spamd functionality.  I'm not
sure the best approach to this problem.

Problem:

I administer several independent mail gateway / firewall devices that
greylist for their networks.  I've done a fair job of educating users
about how greylisting will affect their email but, inevitably a user
will contact me to request that an incoming email be whitelisted.  The
only information they have is 1) sending email address and 2)
receiving email address.  Of course, spamd only deals in IP addresses
and it may be difficult to find the ip address of the sending mail
server.  Additionally, I'd like to provide some method to the users
where they could whitelist someone themselves without requesting
directly from me.

What I envision:

A script or extension to spamd that would allow me to input a 'from'
and 'rcpt to' address.  Then, the next time that combo is seen, from
any IP address...it gets whitelisted automatically.  I envision this
only happening one time and then returning to greylisting as normal. 
I understand that there's a chance of someone sending spam through in
that window with the proper from/to combo .. but, it's small enough to
accept.


Thoughts?  Does this sound feasible?  Is this a reasonable solution? 
If so, what direction would you recommend for implementation?  (I'm no
programmer.. but, not afraid of diving in, nonetheless.)

--James



spamd blacklists

2006-04-07 Thread Joel Gudknecht
So where do I find Bob Beck's spamd list?



Spamd & stats

2006-05-19 Thread Mike Spenard

Hi,
I'm looking for scripts to generate statistics off of /var/log/spamd

Thanks,
Mike Spenard



spamd inbound

2007-06-11 Thread Jeff Santos
Hi,

The default setup in pf.conf makes spamd work on both
directions:

#no rdr on $ext_if proto tcp from  to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#   -> 127.0.0.1 port spamd

What is the best way to tell PF that spamd should work only
on inbound traffic?

Thank you very much

Regards,

Jeff.




Spamd variation

2007-06-12 Thread Praveen
Hi,
   From the man page it appears that spamd relies on 
static information about spam originators.
Why not a more dynamic scheme?

Why not run the content of the mail through a spam
detector (like dspam), find the spam score and make
decisions based on that. I know that spam detection
is nowhere near perfect but it can be used for
assigning a 'badness score' to a site (originator of
email). So a site keeps getting this score and the
average (per msg) exceeds a we black list the site for
fixed duration. Similarly for white listing.

'Badness score' can also be assigned for other things,
like trying to send to nonexistent user (a typical
spammer probe), absence of mx entry etc.


A milter(sendmail/postfix) can be implemented for
this.
Thus decisions will be more dynamic and 'configuration
free'.

Does this sound reasonable ?

regards
Praveen


  



spamd patch

2007-06-28 Thread John Wong
I think the passtime should use "now + passtime" not "now + expire",
Is it correct?


Index: libexec/spamd/grey.c
===
RCS file: /cvs/src/libexec/spamd/grey.c,v
retrieving revision 1.39
diff -u -r1.39 grey.c
--- libexec/spamd/grey.c2007/03/18 18:38:57     1.39
+++ libexec/spamd/grey.c2007/06/17 06:07:45
@@ -846,7 +846,7 @@
gd.first = now;
gd.bcount = 1;
gd.pcount = spamtrap ? -1 : 0;
-   gd.pass = now + expire;
+   gd.pass = now + passtime;
gd.expire = now + expire;
memset(&dbk, 0, sizeof(dbk));
dbk.size = strlen(lookup);
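
Review bot: On the changed line "gd.pass = now + passtime;", the hunk covers only the path that creates a new entry ("gd.first = now; gd.bcount = 1;"), so these lines cannot show whether the old "gd.pass = now + expire;" was a mistake or a deliberate way of keeping a first-seen tuple from becoming pass-eligible until it is seen again. Please show, or describe in the message, the code that later compares or rewrites gd.pass for a retried tuple; if a periodic database scan promotes entries once gd.pass is reached, this change would let a tuple that is never retried reach its pass time after passtime alone. The context lines have also lost their leading whitespace in the mail, so the patch will not apply as posted, and the demime notice shows the attachment was stripped; resend it inline with the tabs intact.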
-

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of spamd-grey.c.patch]



spamd problems

2007-08-19 Thread Edgars Makņa

Hi!
Some days ago spamd just started to GREY all incoming connections even 
if IP address already was a WHITE.

Any ideas for what and where to look?

OpenBSD 4.0 Generic
those are my firewall rules:
rdr pass on $ext_if proto tcp from  to port 25 \
   -> 127.0.0.1 port 8025
rdr pass on $ext_if proto tcp from ! to port 25 \
   -> 127.0.0.1 port 8025
rdr on $ext_if proto tcp from any to any port 25 -> 127.0.0.1

Edgars



spamd DB_SCAN_INTERVAL

2007-08-30 Thread Tom Bombadil
Hi all...

What happens if we change "#define DB_SCAN_INTERVAL 60" to 600 in
/usr/src/libexec/spamd/grey.h?

Sorry, I'm no C coder...

Basically we just want to spread out table scans for now until we get
new hardware in, because it's fairly heavy on an single IDE drive.

Does DB_SCAN_INTERVAL have to be smaller than `passtime` argument in spamd?

Thanks :)



spamd configuration

2008-01-17 Thread Ryan Corder
I'm trying to make the banner from my mail server and the banner from spamd
sitting in front of it match, so that it appears that you are connecting to
the same machine regardless of where spamd sends you.

On my mail server, it looks like this:

  220 mail.greengrey.org ESMTP smtpd

On spamd, I've configured it to be similar:

  220 mail.greengrey.org ESMTP smtpd; Thu Jan 17 15:57:35 2008

I've mucked with the spamd config for a while now, trying to get it to not
present the timestamp to no avail.  Is this at all possible, short of modifying
the code to spamd?  Optionally, does anyone know how to add the timestamp to
a Postfix welcome banner?

spamd_flags from rc.conf.local:

  "-G 15:4:864 -r 451 -h mail.greengrey.org -g -b 127.0.0.1 -n smtpd"


thanks.
ryanc



spamd topology

2008-03-05 Thread Jeff Santos
Hi,

Looking at some setups used in the past for spamd, I noticed that
many prefer to use a separate internal NIC to connect to each MX
instead of using the internal spamd  NIC connected to a switch,
where all MXs would be, including possibly other sub-domain MXs.

Is there anything wrong or inadequate with this second approach?

Thanks.

Regards,

Jeff.




Spamd table

2008-05-11 Thread Pui Edylie

Hi

When i ran pfctl -t spamd-white -T show it shows a list of IP addresses 
and those IP addresses are mostly from China and etc ... (IE spamming 
countries)


I have enabled syslog logging with -v from the log file when tailing it, 
i did not see any (WHITE) entry only (GREY) and (BLACK)


I am interested where do i find out the whitelisted IP address?

This is the rc.local.conf

spamd_flags="-v -G 2:4:864 -y fxp3 -Y fxp3 -n SolOne SMTP"

OpenBSD 4.1

table  persist
rdr pass inet proto tcp from ! to any \
port smtp -> $spamvip port spamd

ta
-e



spamd-white

2007-02-27 Thread Tom Bombadil
Greetings...

By any chance, will spamd delete any IPs that I add manually to spamd-white?

spamd(8) says:
"spamd regularly scans the /var/db/spamd database and configures all
 whitelist addresses as the spamd-white pf(4) table."

How exactly does spamd configure spamd-white table?

The objective is to safely add my own IPs to the whitelist.

Thanks :)



Spamd Q

2007-05-03 Thread Steve Shockley
I've just upgraded my firewall to 4.1.  The firewall runs spamd, and 
redirects connections (that don't go to spamd) to a server behind the 
firewall.


I modified my pf.conf per the sample in the spamd(8) man page.  It's a 
couple of days later, and suddenly I realize that I'm only getting mail 
that's explicitly in my whitelist, from this rule:


rdr on $ext_cable proto tcp from  to port smtp -> $mail 
port 25


I'm thinking my problem is the "no rdr" rule, maybe that's preventing 
the smtp connections from getting redirected.  Here's all my 
smtp-related rdr rules:



rdr on $ext_cable proto tcp from  to port smtp -> $mail 
port 25


no rdr on $ext_cable proto tcp from  to any port smtp

rdr pass on $ext_cable proto tcp from any to any port smtp -> 127.0.0.1 
port spamd


# Send smtp to mail server
rdr on $ext_cable inet proto tcp from any to any port  25 -> $mail port 25


So, what's my best solution?  Would changing the "no rdr" to a rdr -> 
$mail do what I want, or would I be better off moving spamd to my mail 
server?




spamd synchronization

2007-05-13 Thread Chad M Stewart
I have two mail servers running 4.1-stable and am trying to get spamd  
synchronization working between them.


During testing using a basic set of options

/usr/libexec/spamd -y nfe0 -Y nfe0 -d

in the resulting debug I see

using multicast spam sync mode (ttl 1, group 224.0.1.240, port 8025)

on the other system running 'tcpdump -nn  net 224.0/8' I see the  
following when starting up spamd


20:11:24.546651 192.168.1.50 > 224.0.1.240: igmp nreport 224.0.1.240  
[ttl 1]


In the debug output I see spamd reporting that it is sending out a  
sync message


sync grey update helo chad.here ip x.x.x.x from  to 
sending multicast sync message

But I never see the resulting message in the tcpdump capture nor does  
spamd on the other system see the resulting message, as I was also  
running it with -d.


I did have them working once when I used their IPs directly instead  
of the default multicast.


Am I doing something wrong?



Thanks,
Chad



Re: spamd

2007-06-04 Thread Bob Beck
Many things. according to the logs you have there it didn't
even talk smtp to you, so it shouldn't pass.

* Edgars Makņa <[EMAIL PROTECTED]> [2007-06-04 12:07]:
> Hi!
> 
> I have some problems with spamd. A lot of smtp servers stop at this 
> point of cycle:
> Jun  4 20:40:17 firewall spamd[7659]: xxx.yyy.zzz.ccc: connected (118/3)
> Jun  4 20:44:14 firewall spamd[7659]: xxx.yyy.zzz.ccc: disconnected after 374 seconds.
> 
> After some retries nothing changes, they do not pass. What can be wrong?
> 
> spamd_flags"-v -G5:4:864"
> 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}



Re: spamd

2007-06-04 Thread Edgars Makņa
With one such non passable smtp server admin we tested it via phone. He 
said that prompt is very slow (as it should be), then he got 451 Temp 
error. After 5, 15, 30 and 60 minutes he retried, nothing :(

What are the most common options for spamd?

Bob Beck wrote:

> Many things. according to the logs you have there it didn't
> even talk smtp to you, so it shouldn't pass.
>
> * Edgars Makņa <[EMAIL PROTECTED]> [2007-06-04 12:07]:
>
> > Hi!
> >
> > I have some problems with spamd. A lot of smtp servers stop at this 
> > point of cycle:
> >
> > Jun  4 20:40:17 firewall spamd[7659]: xxx.yyy.zzz.ccc: connected (118/3)
> > Jun  4 20:44:14 firewall spamd[7659]: xxx.yyy.zzz.ccc: disconnected after 374 seconds.
> >
> > After some retries nothing changes, they do not pass. What can be wrong?
> >
> > spamd_flags"-v -G5:4:864"




Re: spamd

2007-06-04 Thread Rogier Krieger

On 6/4/07, Edgars Makra <[EMAIL PROTECTED]> wrote:

> With one such non passable smtp server admin we tested it via phone. He
> said that prompt is very slow (as it should be), then he got 451 Temp
> error. After 5, 15, 30 and 60 minutes he retried, nothing :(


If you tried connecting by manually performing an SMTP conversation,
be sure to connect from a constant IP address and be especially
careful to send exactly the same information for the MAIL FROM and
RCPT TO commands. A simple typo can mess up your test and explain your
problem.

To prevent typing mistakes, you may want to consider scripting a test,
e.g. by using nc(1) and a constant SMTP conversation. Be sure to make
it a proper SMTP conversation, too, given Bob Beck's remark earlier in
this thread.

Hope this helps,

Rogier

--
If you don't know where you're going, any road will get you there.
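
Why the retry has to repeat the same IP, MAIL FROM and RCPT TO, shown as an added example (not part of the original post and not spamd's own code): a simplified Python model of tuple greylisting driven by the -G passtime:greyexp:whiteexp timers from spamd(8), replaying the 5/15/30/60-minute retry schedule from this thread. The class and function names, the sample addresses and the 60-second scan tick are assumptions of the model.

```python
"""Simplified model of tuple greylisting (illustration, not spamd's source)."""


class Greylist:
    def __init__(self, g_flag="25:4:864", scan_interval=60):
        # -G passtime:greyexp:whiteexp = minutes:hours:hours, as in spamd(8).
        passtime, greyexp, whiteexp = (int(x) for x in g_flag.split(":"))
        self.passtime = passtime * 60
        self.greyexp = greyexp * 3600
        self.whiteexp = whiteexp * 3600
        self.scan_interval = scan_interval  # assumed period of the database scan
        self.grey = {}    # (ip, mail_from, rcpt_to) -> {"first", "pass", "expire"}
        self.white = {}   # ip -> time the whitelist entry expires

    def connect(self, now, ip, mail_from=None, rcpt_to=None):
        """One delivery attempt at `now` (seconds); returns what the sender sees."""
        if self.white.get(ip, 0) > now:
            return "DELIVER"            # whitelisted: handed to the real MTA
        if mail_from is None or rcpt_to is None:
            return "NO-TUPLE"           # no MAIL FROM/RCPT TO: nothing to record
        key = (ip, mail_from, rcpt_to)  # compared exactly in this model
        entry = self.grey.get(key)
        if entry is None or entry["expire"] <= now:
            # First sighting: not eligible to pass until it is seen again.
            self.grey[key] = {"first": now, "pass": now + self.greyexp,
                              "expire": now + self.greyexp}
        elif entry["first"] + self.passtime < now:
            entry["pass"] = now         # retried after passtime: now eligible
        return "TEMPFAIL"               # 451 either way; promotion happens at scan

    def scan(self, now):
        """Periodic database pass: expire old entries, promote eligible tuples."""
        for key, entry in list(self.grey.items()):
            if entry["expire"] <= now:
                del self.grey[key]
            elif entry["pass"] <= now:
                self.white[key[0]] = now + self.whiteexp
                del self.grey[key]
        for ip, expiry in list(self.white.items()):
            if expiry <= now:
                del self.white[ip]


def replay(greylist, attempts):
    """attempts: (minute, ip, mail_from, rcpt_to) tuples in time order."""
    results, clock = [], 0
    for minute, ip, mail_from, rcpt_to in attempts:
        now = minute * 60
        while clock + greylist.scan_interval <= now:   # scans due before this attempt
            clock += greylist.scan_interval
            greylist.scan(clock)
        results.append(greylist.connect(now, ip, mail_from, rcpt_to))
    return results


# Constructed sample data: documentation addresses, retry minutes from the thread.
IP, SENDER, RCPT = "192.0.2.10", "alice@example.org", "bob@example.net"
RETRY_MINUTES = (0, 5, 15, 30, 60)


def scenarios(g_flag="5:4:864"):
    same = [(m, IP, SENDER, RCPT) for m in RETRY_MINUTES]
    typo = [(0, IP, SENDER, RCPT), (15, IP, "alcie@example.org", RCPT),
            (30, IP, SENDER, RCPT), (60, IP, SENDER, RCPT)]
    pool = [(m, "192.0.2.%d" % (10 + i), SENDER, RCPT)
            for i, m in enumerate(RETRY_MINUTES)]
    silent = [(m, IP, None, None) for m in RETRY_MINUTES]
    cases = (("identical tuple", same), ("typo in MAIL FROM", typo),
             ("rotating source IP", pool), ("no SMTP dialogue", silent))
    return {name: replay(Greylist(g_flag), attempts) for name, attempts in cases}


if __name__ == "__main__":
    for name, results in scenarios().items():
        print("%-20s %s" % (name, " ".join(results)))
```

In this model the retry that qualifies is itself still answered with a temporary failure; delivery happens on the attempt after the next scan, so a scripted test should allow for one more retry than the timers alone suggest.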



Re: spamd

2007-06-04 Thread Edgars Makņa
IP is static and entered commands/text is the same too. No mistakes, i 
was carefully checking all commands and entered text.

And as i found most problematic smtp is windows based MailEnable.
What else i should check?

Rogier Krieger wrote:

> On 6/4/07, Edgars Makra <[EMAIL PROTECTED]> wrote:
>
> > With one such non passable smtp server admin we tested it via phone. He
> > said that prompt is very slow (as it should be), then he got 451 Temp
> > error. After 5, 15, 30 and 60 minutes he retried, nothing :(
>
> If you tried connecting by manually performing an SMTP conversation,
> be sure to connect from a constant IP address and be especially
> careful to send exactly the same information for the MAIL FROM and
> RCPT TO commands. A simple typo can mess up your test and explain your
> problem.
>
> To prevent typing mistakes, you may want to consider scripting a test,
> e.g. by using nc(1) and a constant SMTP conversation. Be sure to make
> it a proper SMTP conversation, too, given Bob Beck's remark earlier in
> this thread.
>
> Hope this helps,
>
> Rogier




Re: spamd

2007-06-05 Thread Marcus Popp
On 2007-06-05T06:43, Edgars Makņa wrote:
> IP is static and entered commands/text is the same too. No mistakes, i 
> was carefully checking all commands and entered text.
> And as i found most problematic smtp is windows based MailEnable.
> What else i should check?
maybe your "spamlogd" is the problem. Restart it to be sure.

hth,

Marcus.



Re: spamd

2007-06-05 Thread Edgars Makņa

I tried to restart spamlogd, nothing...
Any other ideas?
Thanks.

Marcus Popp wrote:

> On 2007-06-05T06:43, Edgars Makņa wrote:
> > IP is static and entered commands/text is the same too. No mistakes, i 
> > was carefully checking all commands and entered text.
> >
> > And as i found most problematic smtp is windows based MailEnable.
> > What else i should check?
>
> maybe your "spamlogd" is the problem. Restart it to be sure.
>
> hth,
>
> Marcus.




hoststated/spamd

2007-06-08 Thread Stuart Henderson
I'm feeling lazy today, has anyone already worked out how to use
greylisting with a hoststated pool that would like to share config?



Re: spamd

2006-11-07 Thread Bob Beck
No, not yet. see http://www.ualberta.ca/~beck/nycbug06/spamd/

* edgarz <[EMAIL PROTECTED]> [2006-11-07 01:54]:
> Hi misc!
> 
> Is it possible to keep in sync two or more spamdb over the network? :)
> 
> Thanks.
> Edgars.
> 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}



Re: spamd

2006-11-07 Thread Edgars

Bad :(
And when will be available greylist synchronization, and white/blacklist 
sharing? :)


Thanks.
Edgars.

Bob Beck wrote:

> No, not yet. see http://www.ualberta.ca/~beck/nycbug06/spamd/
>
> * edgarz <[EMAIL PROTECTED]> [2006-11-07 01:54]:
>
> > Hi misc!
> >
> > Is it possible to keep in sync two or more spamdb over the network? :)
> >
> > Thanks.
> > Edgars.




Re: spamd

2006-11-07 Thread Damian Wiest
On Tue, Nov 07, 2006 at 08:47:27AM -0700, Bob Beck wrote:
>   No, not yet. see http://www.ualberta.ca/~beck/nycbug06/spamd/
> 
> * edgarz <[EMAIL PROTECTED]> [2006-11-07 01:54]:
> > Hi misc!
> > 
> > Is it possible to keep in sync two or more spamdb over the network? :)
> > 
> > Thanks.
> > Edgars.
> > 
> 
> -- 
> #!/usr/bin/perl
> if ((not 0 && not 1) !=  (! 0 && ! 1)) {
>print "Larry and Tom must smoke some really primo stuff...\n"; 
> }

Great talk, BTW.  I'm listening to it right now.

Have people had any complaints from users that were blacklisted due to 
an attempt to send a message to a nonexistent email address?  It seems
to me that accidentally transposing characters in an email address is a 
fairly common occurrence.

-Damian



Re: spamd

2006-11-07 Thread Daniel Ouellet

Edgars wrote:

> Bad :(
> And when will be available greylist synchronization, and white/blacklist 
> sharing? :)


Not so bad.

It's already available for your download if you want Bob's university 
list. It is updated each hour and includes a bunch of "needs to be 
castrated spammer with also a bunch of needs to be taken off the net 
Windows compromise boxes" and to use it, it's pretty simple. Change 
your spamd.conf configuration a bit and use spamd-setup in cronjob to 
update it.


The changes are very simple. Something like:

# Grey listing from http://xxx/xxx/xxx.gz
OpenBSD:\
:black:\
:msg="SPAM. Your address %A is in my black list. Good bye!!!":\
:method=http:\
:file=xxx/xxx/xxx.gz

and turn on the spamd-setup in cron.

If you choose to do so, however make sure you increase your standard 
limits for "table-entries hard limit" in pf as you will get error that 
it can't connect to spamd port 8026 if my memory is good when the list 
is updated.


In any case search the archive for the location. Bob announced it once 
and I guess if he doesn't say it again, he must have good reason. Even 
in his talk to NYCBSDCon 2006 he said to search the list for the details 
of the location.


So, I will respect that as well and not post it here.

But it does work very well! (:>

About an hour ago, there was almost 24 Thousand in there.



spamd question

2007-01-18 Thread Martin
Hello.

I'm using spamd but am noticing that some SPAM is still coming through.

It's probably more dev but I don't like posting to the dev/tech lists.  If the 
ideas/info have merit, then perhaps it can be forwarded to that list.

Can (or does) spamd look at the From:, do a MX/A record dns lookup and 
compare it to the sender IP to see if it's valid during the SMTP 
transaction?

(I note if you put in a spamtrap email address it will do a straight IP block)

e.g.

Return-Path: <[EMAIL PROTECTED]>
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 11000 invoked from network); 17 Jan 2007 17:19:49 -
 Received: from host194.skytechinc.com (HELO mail.skytechinc.com) 
(63.111.223.194)
  by felix.chaossolutions.org with ESMTP; 17 Jan 2007 17:19:49 -
 Received: from User ([86.127.117.209]) by mail.skytechinc.com with Microsoft 
SMTPSVC(6.0.3790.1830);
 Tue, 16 Jan 2007 17:51:43 -0500
 Reply-To: <[EMAIL PROTECTED]>
 From: "Town North Bank"<[EMAIL PROTECTED]>
 Subject: Notification from North Town BANK !
 Date: Wed, 17 Jan 2007 00:51:46 +0200


dig mx tnnb.com



;; ADDITIONAL SECTION:
mx1.tnnb.com.   3600IN  A   208.217.213.106

So obviously the IP 63.111.223.194 does not belong to a tnnb.com mail server 
and can be blacklisted/tarpitted.

Of course, you may want certain IP ranges whitelisted if they are important to 
you.

You might want to allow/whitelist a specific, or a number of email addresses 
from an IP but greylist/blacklist the rest depending on your requirements.

Can some of the above be discussed/implemented in spamd?

Sorry, I don't program, just do some light scripting, but if I can see obvious 
SPAM's from the headers and a dns MX/A lookup, I would hope that spamd could 
be extended with options to catch and tarpit these people/servers/viruses 
etc.

Regards...Martin



spamd issue

2007-02-16 Thread flo
Hi,

are there any known security or buffer issues with spamd in debug logging mode
in the current 4.0 release?

spamd quits without any error message regularly, sometimes it even hangs.

As a workaround I wrote a little shell watch-daemon script (watchspamd.sh),
automatically checking and restarting the service if it gets down.

Maybe anyone has a hint what may cause the trouble or has already faced similar
problems.

- Flo

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of spamd.log]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of watchspamd.sh]



spamd greylisting

2006-07-13 Thread riwanlky

Hi All,

I just configured my first spamd -g, I have a colleague in Korea who is sending
me a message, however it did not get through. I tried to whitelist it, however
it still did not get through.

This is the spamdb
WHITE|61.78.36.103|||1152841491|1152841518|1155951918|1|0
WHITE|61.78.36.104|||1152842688|1152842688|1155953088|1|0

I had to
spamdb -a 61.78.36.103 -T
spamdb -a 61.78.36.103

to get it whitelisted, because it is not showing in my spamdb

this is my /var/log/daemon
Jul 14 09:15:03 puff spamd[3732]: 61.78.36.103: connected (1/1), lists: korea
Jul 14 09:15:08 puff spamd[3732]: 61.78.36.103: connected (2/2), lists: korea
Jul 14 09:21:37 puff spamd[3732]: 61.78.36.103: disconnected after 394 seconds.
lists: korea
Jul 14 09:21:41 puff spamd[3732]: 61.78.36.103: disconnected after 393 seconds.
lists: korea

in my spamd using pfctl -t spamd -Tshow |grep 61.78
# pfctl -t spamd -Tshow |grep 61.78
   61.78.51.0/25
   61.78.59.35
   61.78.59.36
   61.78.90.8

and spamd-white
# pfctl -t spamd-white -Tshow |grep 61.78
   61.78.36.103
   61.78.36.104

So the mail should go through. Something missing?

Thanks and looking forward for your help.

Brgds,
Riwan



spamd statistics

2006-10-23 Thread Will H. Backman

Some interesting spamd statistics gathered from /var/log/daemon:
From 8am Oct 22 to noon Oct 23:
19112 "connected" messages from spamd, which means connections from IPs 
that are not in the whitelist.
2247 "inbound" messages from spamlogd, which means connections from IPs 
that are already on the whitelist.
That means only about 10% of the connections coming into our mail server 
are from whitelist servers.


Thank you spamd for stopping the 90% crap!

Spamd has been running for 76 days, and spamdb has 32752 entries.  We 
only have about 100 mail accounts on our server.




spamd question

2009-05-22 Thread Eric
I never thought about it before, but it is clear that spamd handles the
greylisting the same regardless of whether or not the e-mail address is
valid.  That is, it doesn't check to make sure that the to address is
legitimate before adding the IP address to the spamd-white table.

For example, if your domain is example.com and someone is trying to
send to a bogus address, say 3dgeo...@example.com, then once they get
through the greylisting, their IP address is then added to the spamd-white
table where it will remain for the next month or so, depending on the
configuration.

On the surface, this doesn't seem to be much of a problem since the
spammer could always do the same for a real e-mail address if he had
one at the domain and get whitelisted for the configured period of
time.  Furthermore, if the sender is not a spammer and just has the
address wrong, say goe...@example.com instead of geo...@example.com, he
gets a 5xx response much quicker telling him that the address does not
exist so that he can correct it and resend it.

So it doesn't seem like such a bad thing.

But it also seems like this could be used by a savvy spammer to his
benefit if he wants to have a better chance at getting past spamd on
OpenBSD servers.  Suppose a spammer was getting ready to make a big
spam run.  Then he could increase his probability of getting the IP
address added to the spamd-white table by going through the various
address lists earlier and "sending" a single e-mail to a completely
random address at the same domain.

For example, if his address list contained geo...@example.com,
sa...@example.com, he...@example.com, and j...@example.com, a day or
two earlier, he could fake an e-mail something like
1739512349...@example.com.  Once the IP address is added to
spamd-white, he will connect to the mail server on the next try where
he will get a 5xx no such user error.  

The benefit he would gain by using a random made-up address instead of
one on his list is because he won't definitively know which addresses
on the list are spamtrap addresses.  Instead, the random address is
unlikely to have been added with "spamdb -T -a" and so he increases his
chances of not getting trapped.

Not only would this make the spam run itself simpler and faster,
but any addresses defined with spamdb as spamtrap addresses wouldn't
cause the server to be trapped for 24 hours because since it had
already been greylisted, spamd would never actually see the spamtrap
addresses, if any.

If, on the other hand, the address had to be legitimate before spamd
would send it on, the above scenario would fail.  The spammer would
then only be able to get his IP addresses whitelisted by sending an
e-mail to a legitimate user and avoiding the spamtrap addresses
entirely.

I've seen no signs that the spammers are doing that now, but it might
be worth considering an option to spamd that would check the addresses
and use that as part of the determination of whether or not to add to
the spamd-white list just in case they should start doing that.

Any thoughts on this?

Eric Johnson



spamd issues

2009-06-18 Thread Wolfgang Hennerbichler

Hi,

I recently put my first spamd installation into production and am  
quite impressed with the results, good work, folks. Nevertheless I  
have some questions:
* it seems that when spamd scans its database in /var/db/spamd (which
is currently ~160MB of size) it doesn't accept any new requests on
its port (at least it lets the clients wait). That sucks. I see 2
spamd processes process states hanging in: biowait, pipewr - I  
understand that while the database is being scanned (and maybe locked)  
new requests maybe can't easily be written to the db, is there a plan  
to improve that (by creating a queue-log or something)?
* Due to the fact that spamd only seems to insert pf-rules into the pf  
spamd-white table when doing a db-scan it seems that it creates some  
more delays than necessary in the greylisted mta's. Let's say I have 2  
mx'es - mx1 and mx2 - my client is connecting to mx1, gets
greylisted, connects to mx2 (protected by the same spamd instance),  
still keeps being greylisted - so my client adds a penalty time of  
let's say 2x5 mins. After 10 minutes it connects to spamd again, tries  
mx1, still gets redirected to spamd, but spamd decides to whitelist  
that host, and writes that into the spamdb. After being refused for  
mx1, my client tries mx2, and due to the fact that maybe spamd didn't  
scan the spamdb yet the pf-rules aren't in place yet, so it gets
redirected to spamd once again, creating quite some penalty time of  
let's say 2x10 minutes, which wouldn't be necessary if spamd would  
insert that ip directly into pf on writing the whitelist-entry into  
the database. Are there plans to improve that?


I hope this is a question that still belongs to misc and not  
developer, but I'm not too sure about that :)


btw: I recorded 1886206 connections within the first 24 hours to spamd  
for that particular mail provider :)


thanks for any replies;
Wolfgang

--
http://www.wogri.com



spamd whitelist

2015-02-21 Thread F Bax
In this archived message; Peter explains here how to get ip address for
various gmail servers - which can then be added to whitelist...

http://marc.info/?l=openbsd-misc&m=136449396910976&w=2

When I try this process for yahoo.com; I get

$ host -ttxt yahoo.com
yahoo.com descriptive text "v=spf1 redirect=_spf.mail.yahoo.com"
$ host -ttxt _spf.mail.yahoo.com
_spf.mail.yahoo.com descriptive text "v=spf1 ptr:yahoo.com ptr:yahoo.net
?all"

What should I do with "ptr" info?
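
Added example (not part of the original post, and not taken from the archived message it links to): a Python sketch that walks SPF TXT records, following redirect= and include:, collects the literal ip4:/ip6: networks that could go into a whitelist file, and lists terms such as ptr that name no fixed address. The TXT table is an offline stand-in for `host -ttxt`; only the two yahoo.com records come from the post, while the example.* records and the function name walk_spf are made up for illustration.

```python
import ipaddress

# Offline stand-in for `host -ttxt <name>`. The two yahoo.com records are the
# ones quoted in the post; the example.* records are constructed test data.
TXT = {
    "yahoo.com": "v=spf1 redirect=_spf.mail.yahoo.com",
    "_spf.mail.yahoo.com": "v=spf1 ptr:yahoo.com ptr:yahoo.net ?all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 "
                        "include:example.org ~all",
}


def walk_spf(domain, lookup=TXT.get):
    """Return (networks, unresolved) for the SPF policy of `domain`.

    networks   -- sorted CIDR strings from pass-qualified ip4:/ip6: terms
    unresolved -- (domain, term) pairs that give no fixed address (ptr, a,
                  mx, exists, non-pass qualifiers) and need a separate decision
    """
    networks, unresolved, seen = set(), [], set()

    def visit(name):
        name = name.lower().rstrip(".")
        if name in seen:                 # include/redirect loop guard
            return
        seen.add(name)
        record = lookup(name)
        if not record or not record.lower().startswith("v=spf1"):
            unresolved.append((name, "no SPF record"))
            return
        redirect = None
        for term in record.split()[1:]:
            qualifier, body = "+", term
            if term[0] in "+-~?":        # explicit qualifier on a mechanism
                qualifier, body = term[0], term[1:]
            lowered = body.lower()
            if lowered.startswith("redirect="):
                redirect = body.split("=", 1)[1]
            elif lowered == "all":
                continue
            elif qualifier != "+":
                # "-ip4:..." and friends do not authorize anything.
                unresolved.append((name, term))
            elif lowered.startswith("include:"):
                visit(body.split(":", 1)[1])
            elif lowered.startswith(("ip4:", "ip6:")):
                value = body.split(":", 1)[1]
                try:
                    networks.add(ipaddress.ip_network(value, strict=False))
                except ValueError:
                    unresolved.append((name, term))
            else:
                unresolved.append((name, term))
        if redirect:                     # redirect applies after the mechanisms
            visit(redirect)

    visit(domain)
    ordered = sorted(networks, key=lambda n: (n.version, n))
    return [str(n) for n in ordered], unresolved


if __name__ == "__main__":
    for d in ("yahoo.com", "example.org"):
        nets, todo = walk_spf(d)
        print(d, "->", nets or "no literal addresses")
        for where, term in todo:
            print("   no fixed address:", where, term)
```

For the yahoo.com records quoted in the post this yields no networks at all, only the two ptr terms, because a ptr mechanism matches on the reverse DNS name of the connecting host rather than listing addresses.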



spamd issues

2009-01-06 Thread Frank Bax

I've been using spamd since 3.5 or 3.6 - It seems to be working great,
so mostly I just let it do its thing and ignore it.

Today I was having some issues sending mail through a local ISP to my
system (4.4 release).  Some investigation showed that spamdb reports the
ip address of the ISP's smtp server as both WHITE and GREY?  This should
not be possible, should it?

$ sudo spamdb | grep 64.7.153.18
WHITE|64.7.153.18|||1231252840|1231254379|1234364784|9|0
GREY|64.7.153.18|smarthost1.sentex.ca|||1231252840|1231254390|1231267240|10|0

Is it possible to remove the GREY entry (spamdb -d only removes WHITE
entries)?

I'm trying to remember how many config files need to be included for
this; hopefully, I don't miss any.


= = /etc/pf.conf

ext_if="rl0"

in_mx="127.0.0.1"

table  persist
table  persist
table  persist

scrub in

rdr pass on $ext_if proto tcp from  to port smtp \
-> $in_mx port smtp
rdr pass on $ext_if proto tcp from  to port smtp \
-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from  to port smtp \
-> $in_mx port smtp
rdr pass on $ext_if proto tcp from ! to port smtp \
-> 127.0.0.1 port spamd

pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state


all:\
:myblack:mywhite:uatraps:nixspam:china:korea:

uatraps:\
:black:\
:msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
within the last 24 hours":\
:method=http:\
:file=www.openbsd.org/spamd/traplist.gz

nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=http:\
:file=www.openbsd.org/spamd/nixspam.gz

china:\
:black:\
:msg="SPAM. Your address %A appears to be from China\n\
See http://www.okean.com/asianspamblocks.html for more details":\
:method=http:\
:file=www.openbsd.org/spamd/chinacidr.txt.gz:

korea:\
:black:\
:msg="SPAM. Your address %A appears to be from Korea\n\
See http://www.okean.com/asianspamblocks.html for more details":\
:method=http:\
:file=www.openbsd.org/spamd/koreacidr.txt.gz:


myblack:\
:black:\
:msg="SPAM: %A has been blacklisted.":\
:method=file:\
:file=/etc/mail/spamd_black.txt:

mywhite:\
:white:\
:method=file:\
:file=/etc/mail/spamd_white.txt:



= = = /etc/mail/spamd_white.txt
Adapted from

http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt

Site seems to be down at the moment; but it hadn't changed content in
some time.
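
Added example (not part of the original post and not OpenBSD code): a Python parser for the pipe-separated spamdb dump shown above that reports addresses present as both WHITE and GREY, with the expiry of each entry decoded to UTC. The field order follows spamdb(8); the first two sample lines are the entries quoted in the post, the remaining sample lines and all function names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Sample dump. The first two lines are the entries quoted in the post; the
# other lines are constructed (documentation addresses) to exercise the
# remaining record types.
SAMPLE_DUMP = """\
WHITE|64.7.153.18|||1231252840|1231254379|1234364784|9|0
GREY|64.7.153.18|smarthost1.sentex.ca|||1231252840|1231254390|1231267240|10|0
GREY|192.0.2.10|mail.example.org|<a@example.org>|<b@example.net>|1231250000|1231264400|1231264400|1|0
TRAPPED|192.0.2.66|1231300000
SPAMTRAP|trap@example.net
"""


@dataclass(frozen=True)
class Entry:
    kind: str        # WHITE or GREY
    ip: str
    helo: str        # empty for WHITE entries
    mail_from: str   # empty for WHITE entries
    rcpt_to: str     # empty for WHITE entries
    first: int       # epoch seconds, first seen
    passed: int      # epoch seconds, the "pass" time column
    expire: int      # epoch seconds, entry is removed after this
    blocked: int     # connections that got a temporary failure
    passes: int      # connections seen passing to the real MTA


def parse_dump(text):
    """Split a spamdb dump into WHITE/GREY entries and everything else."""
    entries, other = [], []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split("|")
        if fields[0] not in ("WHITE", "GREY") or len(fields) < 7:
            if line:
                other.append(line)       # TRAPPED, SPAMTRAP, unknown
            continue
        try:
            # The five numeric columns are always last, so read them from
            # the end; WHITE lines simply have fewer text columns.
            nums = [int(x) for x in fields[-5:]]
        except ValueError:
            other.append(line)
            continue
        text_cols = (fields[2:-5] + ["", "", ""])[:3]
        entries.append(Entry(fields[0], fields[1], *text_cols, *nums))
    return entries, other


def utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def white_and_grey(entries):
    """Map each IP that has both a WHITE and a GREY entry to a summary."""
    by_ip = defaultdict(lambda: {"WHITE": [], "GREY": []})
    for e in entries:
        by_ip[e.ip][e.kind].append(e)
    report = {}
    for ip, kinds in by_ip.items():
        if kinds["WHITE"] and kinds["GREY"]:
            report[ip] = {
                "white_expires": utc(max(e.expire for e in kinds["WHITE"])),
                "grey_expires": utc(max(e.expire for e in kinds["GREY"])),
                "grey_tuples": [(e.helo, e.mail_from, e.rcpt_to)
                                for e in kinds["GREY"]],
            }
    return report


if __name__ == "__main__":
    parsed, rest = parse_dump(SAMPLE_DUMP)
    for ip, info in white_and_grey(parsed).items():
        print(ip, info)
    print("not WHITE/GREY:", rest)
```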



spamd question

2011-11-24 Thread bofh
looked through spamd (8) and /etc/mail/spamd.conf.  Is it better to
use /etc/mail/nospamd or /var/db/override.txt?

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



spamd - Nixspam

2009-10-01 Thread Steve
Hi all,

spamd-setup is generating a 404 not found message while trying to download
 /spamd/nixspam.gz

Is there a process change that I have missed or is this temporarily broken ?

Ta



  



spamd -v

2012-05-28 Thread Jan Stary
According to the spamd(8) manpage, the '-v' option makes
message detail including subject and recipient information
logged with LOG_INFO; but the subject doesn't seem to be logged
(not that I miss it):

May 28 20:05:23 www spamd[13382]: 91.121.238.116: connected (1/0)
May 28 20:05:34 www spamd[13382]: (GREY) 91.121.238.116: 
 -> 
May 28 20:05:34 www spamd[13382]: 91.121.238.116: disconnected after 11 seconds.

Neither does the message body and the SMTP dialogue get logged
even if I bump syslog to daemon.debug

Am I missing something obvious?

Jan



spamd nitpicking

2012-05-30 Thread Jan Stary
Being a happy new user of spamd and friends (thank you Bob!),
I have a few nitpicking questions as I go through the manpages.


(1)

spamd whitelists a given host by _adding_ it as a whitelist entry;
the original GREY entry is left there. Why is it kept around, now
that the host is WHITE anyway? Is it because it is just easier to
let it expire than to explicitly delete it? Or is it because
greytrapping only applies to greylisted connections, and we want
to know about even WHITE hosts sending to spamtrap?


(2)

The spamd(8) manpage says "Use crontab(1) to uncomment the entry
in root's crontab", which I did, but experienced spamd-setup failures
(see the yesterday's post). I was later advised here that having
spamd-setup run at precisely '0 * * * *' might clash with all
the others doing the same at that exact time. I moved the spamd-setup
to a few minutes later and that solved the problem. Would a note
to that effect be an appropriate addition to the spamd(8)
(or spamd-setup(8)) manpage?


(3)

If I understand the GREYTRAPPING section right, a host can get
spamtrapped even if it is WHITE: if the original GREY entry is still
present and he sends to a spamtrap address within greyexp. The
pf.conf example of spamd(8) makes all connections from 
go to the real mailserver. That means a connection from a WHITE host
goes to the real mailserver even if the host is simultaneously TRAPPED.
Is that correct? Is that intended? It is a political decision of
course: do I allow obvious spam from WHITE hosts?


(4)

You can't "receive a failure":

Index: spamd.8
===
RCS file: /home/cvsync/openbsd/src/libexec/spamd/spamd.8,v
retrieving revision 1.118
diff -u -p -r1.118 spamd.8
--- spamd.8     19 Mar 2011 23:29:45 -  1.118
+++ spamd.8 30 May 2012 08:26:15 -
@@ -236,7 +236,7 @@ below.
 .El
 .Pp
 When run in default mode,
-connections receive the pleasantly innocuous temporary failure of:
+connections receive the pleasantly innocuous temporary failure message of:
 .Bd -literal -offset 4n
 451 Temporary failure, please try again later.
 .Ed
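
Review bot: the + line in the @@ -236,7 +236,7 hunk still ends in "message of:", which reads awkwardly once the noun is "message"; dropping the preposition ("connections receive the pleasantly innocuous temporary failure message:") would be cleaner. Since the literal block that follows is a 451 SMTP reply line, "response" or "reply" may also be more precise than "message". Only that one text line changes and the surrounding .Bd/.Ed macros are untouched, so the rendered layout should stay the same.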



Thanks again for the great tool!

Jan



Spamd traplist.gz

2010-08-12 Thread Gaby Vanhegan
Are there any problems at the moment with the spamd data files that are hosted
in various locations?  I'm getting lots of FTP errors:

On 12 Aug 2010, at 16:01, Cron Daemon wrote:

> ftp: connect: Connection timed out
> ftp: connect: Connection timed out
> ftp: connect: Connection timed out
> ftp: connect: Connection timed out

From machines at various sites, pointing to an error somewhere with the master
servers.  Running spamd-setup in debug mode:

# /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/traplist.gz
ftp: connect: Connection timed out
blacklist uatraps 0 entries
Getting http://www.openbsd.org/spamd/nixspam.gz
ftp: connect: Connection timed out
blacklist nixspam 0 entries
Getting http://www.openbsd.org/spamd/chinacidr.txt.gz
...

So something somewhere is amiss.  A firewall upgrade that blocked ports 20/21
in error perhaps?

G.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/



spamd praise

2011-03-01 Thread frantisek holop
hi there,

some interesting changes in the 2.8 line of postfix,
esp the postscreen(8) daemon that was partly inspired
by no other than openbsd's spamd.  very good job!

http://www.postfix.org/postscreen.8.html

-f
-- 
questions, questions!  does it ever end?!



[solved] spamd not logging to /var/log/spamd

2006-04-11 Thread Bryan Irvine
the problem was here:

> ---My modifications to syslog.conf---
> !spamd
> daemon.err;daemon.warn;daemon.info  /var/log/spamd

When I started syslog with syslogd -d I saw this error:
syslogd: unknown priority name "info  /var/log/spamd"

I double checked and between daemon.info and /var/log/spamd I had spaces.

I changed the spaces to tab chars, restarted syslog, and now all is well.

--Bryan



Re: spamd not logging to /var/log/spamd

2006-04-11 Thread Rogier Krieger
On 4/12/06, Bryan Irvine <[EMAIL PROTECTED]> wrote:
> I've just installed a new firewall, and i'm trying to get spamd to log
> to /var/log/spamd.

Have you SIGHUP'ed the syslogd process? It should re-read its
configuration file at that point, using your new configuration.


> !spamd
> daemon.err;daemon.warn;daemon.info      /var/log/spamd

Also, if you want spamd to only log to /var/log/spamd, try !!spamd in
/etc/syslog.conf. See syslog.conf(5) for more information.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: spamd not logging to /var/log/spamd

2006-04-11 Thread Frank Bax

At 06:42 PM 4/11/06, Bryan Irvine wrote:

> I think I just need a second pair of eyes because I'm obviously
> missing something.
>
> I've just installed a new firewall, and i'm trying to get spamd to log
> to /var/log/spamd.

Did you 'touch' the file? You need to create the file yourself.



Re: spamd not logging to /var/log/spamd

2006-04-11 Thread jared r r spiegel
On Tue, Apr 11, 2006 at 03:42:09PM -0700, Bryan Irvine wrote:
> 
> ---My modifications to syslog.conf---
> !spamd
> daemon.err;daemon.warn;daemon.info      /var/log/spamd
> 
 
  when you:

$ sed -ne '/spamd/l' /etc/syslog.conf

  do you have

!spamd\n$
daemon.err;daemon.warn;daemon.info      /var/log/spamd\n$

  or

!spamd\n$
daemon.err;daemon.warn;daemon.info\t\t\t/var/log/spamd\n$

  last sentence in first paragraph of manpage went under my
  radar for years and continually bit me in the ass

-- 

  jared

[ openbsd 3.9-current GENERIC ( mar 15 ) // i386 ]



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Solene Rapenne
Chris Narkiewicz  wrote:
> Hi,
> 
> I'm trying to use spamd to block spam using graylisting, but the spamd 
> database is not updated.
> 
> I run /usr/libexec/spamd -v -d to see what's happening and I definitely 
> see hosts connecting to it:
> 
> (GREY) 209.85.219.176: mytestem...@gmail.com> -> 
> Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from 
>  to 
> added  209.85.219.176
> mail-yb1-f176.google.com
> 
> 
> 209.85.219.176 connected for 11 seconds.
> 
> I also tried to submit an email using Python SMTP library and I 
> confirmed 451 Temporary failure response.
> 
> But when I browse /var/db/spamd, there is nothing there.
> 
> My spamd is running and is referring to a correct file:
> 
> # ps aux | grep spamd
> _spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM0:00.00 spamd: 
> (pf  update) (spamd)
> _spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM0:00.02 spamd: 
> [priv] (greylist) (spamd)
> _spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM0:00.00 spamd: 
> (/var/db/spamd update) (spamd)
> 
> Database file has correct perms:
> 
> # ls -l /var/db/spamd
> -rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
> 
> # spamdb /var/db/spamd
> 
> 
> My spamd config is default.
> OpenBSD 6.3.
> 
> What is wrong with it?
> 
> Best regards,
> Chris

do you run spamd-setup(8)?



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Ricardo Mestre
Hi Chris,

You are running spamdb /var/db/spamdb, that's not the way to use it. The
proper way is to use spamdb key, where key is one of the IP entries you are
getting through spamd. Running just spamdb will show you all entries. 

/mestre

On 15:44 Tue 30 Oct , Chris Narkiewicz wrote:
> Hi,
> 
> I'm trying to use spamd to block spam using graylisting, but the spamd
> database is not updated.
> 
> I run /usr/libexec/spamd -v -d to see what's happening and I definitely see
> hosts connecting to it:
> 
> (GREY) 209.85.219.176: mytestem...@gmail.com> -> 
> Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from
>  to 
> added  209.85.219.176
> mail-yb1-f176.google.com
> 
> 
> 209.85.219.176 connected for 11 seconds.
> 
> I also tried to submit an email using Python SMTP library and I confirmed
> 451 Temporary failure response.
> 
> But when I browse /var/db/spamd, there is nothing there.
> 
> My spamd is running and is referring to a correct file:
> 
> # ps aux | grep spamd
> _spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM0:00.00 spamd: (pf
>  update) (spamd)
> _spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM0:00.02 spamd:
> [priv] (greylist) (spamd)
> _spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM0:00.00 spamd:
> (/var/db/spamd update) (spamd)
> 
> Database file has correct perms:
> 
> # ls -l /var/db/spamd
> -rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
> 
> # spamdb /var/db/spamd
> 
> 
> My spamd config is default.
> OpenBSD 6.3.
> 
> What is wrong with it?
> 
> Best regards,
> Chris
> 



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 15:56, Ricardo Mestre wrote:

> Hi Chris,
>
> You are running spamdb /var/db/spamdb, that's not the way to use it.


According to man spamdb(8) this is how to list all entries, which I
wanted to do.

I see no entries, so I assume the database is empty.

Best regards,
Chris



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Peter N. M. Hansteen
On 10/30/18 4:44 PM, Chris Narkiewicz wrote:
> Database file has correct perms:
> 
> # ls -l /var/db/spamd
> -rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
> 
> # spamdb /var/db/spamd
> 

I think what you are seeing is that spamdb doesn't expect the database
filename as a command line argument.

Try running spamdb with no arguments, that should produce a dump of
database content to standard output, something along the lines of

[Tue Oct 30 17:52:27] peter@skapet:~$ doas spamdb | head
SPAMTRAP|"._-c2b82d2"@bsdly.com
SPAMTRAP|"<-to...@bsdly.net>"
SPAMTRAP|0...@dataped.no
SPAMTRAP|1dd5...@bsdly.net
SPAMTRAP|257aa8...@bsdly.net
SPAMTRAP|31a38c...@bsdly.net
SPAMTRAP|5cfbc...@bsdly.net
SPAMTRAP|62ea02...@bsdly.net
SPAMTRAP|817ac...@bsdly.net
SPAMTRAP|aat...@bsdly.net

and you can of course look for GREY entries only, such as

[Tue Oct 30 17:54:19] peter@skapet:~/$ doas spamdb | grep GREY | head
GREY|198.210.40.39|4c8w39.spinnbitez.biz|||1540899509|1540900120|1540928309|2|0
GREY|78.142.63.211|fresh.vivawebhost.com|||1540905382|1540934182|1540934182|2|0
GREY|193.92.125.157|newsletter9.email-business.net|||1540891280|1540920080|1540920080|2|0
GREY|43.243.166.69|mail3069.app1.reasonables2.com|||1540893857|1540894233|1540922657|4|0
GREY|105.159.253.224|[105.159.253.225]|||1540902518|1540931318|1540931318|1|0
GREY|66.211.185.136|mxphxpool1033.ebay.com|||1540898855|1540907901|1540927655|2|0
GREY|77.241.66.209|mapmyinvestments.com|||1540890070|1540918870|1540918870|1|0
GREY|216.105.168.252|mail.dechaise.info|||1540905637|1540905959|1540934437|2|0
GREY|194.135.153.127|[194.135.153.127]|||1540901213|1540930013|1540930013|2|0
GREY|201.148.104.36|raven10436.ninjahosting.cl|<>||1540916570|1540945370|1540945370|2|0

See if that doesn't turn up the entries you were looking for.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 15:53, Solene Rapenne wrote:
> do you run spamd-setup(8)?

Yes, I see that it downloads nixspam and loads 20k IPs into spamd.

Best regards,
Chris



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 16:58, Chris Narkiewicz wrote:

> On 30/10/2018 at 15:56, Ricardo Mestre wrote:
>
> > Hi Chris,
> >
> > You are running spamdb /var/db/spamdb, that's not the way to use it.


I'm sorry, you were right. I misread both your e-mail and man page.
Thank you all for help.

Best regards,
Chris



Spamd and Greylisting

2005-05-03 Thread Phillip Eviston
To the developers and *everyone* who has contributed to the various
threads on spamd over the last few months, thank you, thank you, thank
you.

I finally got around to implementing it and it is the most time saving
and effective addition to the OBSD base I have used in a long time (if
not ever)! After having probs with the initial implementation, the
threads in misc have been a lifesaver. I have been running it now for
nearly a week, and keeping a close eye on the logs, and I can't see one
spam that has got through. This, of course, will probably change over a
long period of time, but at the moment the batting rate is over 1000 for
over 1000.

Thanks again, and keep up the great work.

While I have been running it with the defaults, I would be interested to
know if anyone has tried it on anything other than the 1 character/sec
stutter? If so, does it tie up the offending MTA that normally
disconnects in less than say 60 secs for twice as long?

My record at the moment is tying up one offender for 1927 seconds. For
the last day, my list is as follows:

   1 1927
   2 667
   1 568
   2 563
   1 561
   1 435
   1 397
   4 395
   3 394
  10 393
  30 392
  47 391
  56 390
  40 389
  38 388
  27 387
   9 386
   2 385
   5 384
   1 188
   5 167
   4 166
   2 165
   1 118
   1 89
   4 88
   9 87
   6 86
   1 84
   1 57
   4 54
   3 53
   5 52
   1 46
   1 45
   1 22
   2 21
   1 20
   1 14
   1 13
   1 6
   6 5
   1 4
   7 3
   1 2

Cheers
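
Added example (not part of any post in this archive): a Python pass over spamd log lines that reproduces the two kinds of numbers reported above, the share of connections that were already whitelisted (as in the "spamd statistics" post) and the count-per-duration list of "disconnected after N seconds" (as in this post). The spamd line format is the one quoted elsewhere on this page; the sample lines are constructed, and the spamlogd line format ("inbound <ip>") is an assumption, since the page only says that spamlogd logs "inbound" messages.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/daemon format quoted on this page.
# The spamlogd line format is assumed, not taken from the page.
SAMPLE_LOG = """\
Oct 22 08:00:01 mx spamd[3732]: 192.0.2.10: connected (1/0)
Oct 22 08:00:04 mx spamd[3732]: 198.51.100.7: connected (2/1), lists: korea
Oct 22 08:00:12 mx spamd[3732]: (GREY) 192.0.2.10: <a@example.org> -> <b@example.net>
Oct 22 08:00:12 mx spamd[3732]: 192.0.2.10: disconnected after 11 seconds.
Oct 22 08:01:30 mx spamlogd[2210]: inbound 203.0.113.25
Oct 22 08:02:00 mx spamd[3732]: 203.0.113.99: connected (2/1), lists: korea
Oct 22 08:06:36 mx spamd[3732]: 198.51.100.7: disconnected after 392 seconds. lists: korea
Oct 22 08:08:32 mx spamd[3732]: 203.0.113.99: disconnected after 392 seconds. lists: korea
"""

CONNECTED = re.compile(r"spamd\[\d+\]: (\S+): connected \(")
DISCONNECTED = re.compile(r"spamd\[\d+\]: (\S+): disconnected after (\d+) seconds\.")
INBOUND = re.compile(r"spamlogd\[\d+\]: inbound (\S+)")   # assumed format


def summarize(lines):
    """Count spamd/spamlogd events and collect tarpit durations."""
    connected = inbound = 0
    durations = Counter()            # seconds -> number of connections
    longest = (None, 0)              # (ip, seconds) of the longest session
    for line in lines:
        if CONNECTED.search(line):
            connected += 1
            continue
        m = DISCONNECTED.search(line)
        if m:
            secs = int(m.group(2))
            durations[secs] += 1
            if secs > longest[1]:
                longest = (m.group(1), secs)
            continue
        if INBOUND.search(line):
            inbound += 1
    total = connected + inbound
    return {
        "connected": connected,      # handled by spamd (not whitelisted)
        "inbound": inbound,          # passed to the real MTA
        "whitelisted_share": inbound / total if total else 0.0,
        "tarpit_seconds": sum(s * n for s, n in durations.items()),
        "longest": longest,
        # (count, seconds) pairs, longest duration first, like the list above
        "histogram": [(n, s) for s, n in sorted(durations.items(), reverse=True)],
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    print("whitelisted share: {:.0%}".format(stats["whitelisted_share"]))
    print("total seconds tied up:", stats["tarpit_seconds"])
    for count, seconds in stats["histogram"]:
        print("{:4d} {}".format(count, seconds))
```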



spamd in 3.7

2005-05-22 Thread Tim Hoddy
Just upgraded to 3.7 and like the new GREYTRAP feature in spamd.

Is there a way to define a spamd version banner which contains spaces?

3.6 wouldn't let me do this.

I remember reading something on here that this is possible in 3.7,
tho' a search of the archives reveals nothing.

Thanks for any help.



Spamd SMTP Banner

2005-05-28 Thread Timothy A. Napthali
I've run into an interesting problem with the spamd SMTP banner.

I have a few OpenBSD 3.7 mail gateways running Postfix that are members
(from a DNS perspective) of an internal DNS domain such as
mail.company.org. They are MX destinations for mail for company.com, and
postfix reports to external SMTP servers as mail.company.com (the
servers are NAT translated).

The issue I have is that spamd uses gethostname to build the SMTP banner
so the name shown in the banner is of course mail.company.org and not
mail.company.com. Postfix of course reports as mail.company.com.

I'm wondering if changes could be made to spamd to accommodate this
perhaps by allowing more customisation of the spamd SMTP banner, or
perhaps adding a simple command line switch where the hostname could be
supplied (eg: spamd -H mail.company.com). For the moment, although my C
knowledge isn't that great, I have compiled a custom version of spamd
with hard coded hostnames and this works OK.

My interest with this is that initial connections to spamd are thus
exposing the server's internal name. Whilst this is not really a great
security problem in this situation it is undesirable. Any thoughts?

Cheers,
Tim.



Tweaks for spamd

2005-06-10 Thread Tim Hoddy
I've been tweaking the options for spamd in an attempt to both prevent
spam to my network and up the pain levels to the spammers.

In particular, grey-trapping works very well indeed and appears to cut
out a good deal of spam.

I use the "-n" switch to spamd to change the default banner to a
sendmail-like one.  That appears to prevent early disconnects from
semi-intelligent mailers.

I use the "-s" switch to set a delay to 9 seconds.  This appears to
work well.  Has anyone any experience of using even longer delays?  Is
it worth it?

Any other tips for using spamd to reduce spam and making life
difficult for the spammers?

Tim



spamd and comcast

2005-06-28 Thread eric
Has anyone noticed a huge amount of problems with spamd(8) and Comcast/ATT
Worldnet Service mail servers? Seems that things like 204.127.198.34, and
almost everything in 204.127 is in spews1.

If anyone has a way around this (to only greylist the poor souls that use
comcast), please lemme know. I'd love to continue using spews[12], but too
many people complain.

Thanks.

- Eric



Re: spamd sync

2005-09-21 Thread eric
On Tue, 2005-09-20 at 22:29:16 -0400, Mike Spenard proclaimed...

> Has anyone written a utility to keep /var/db/spamd in sync across multiple
> spamd servers?

Answer: Yes!

Question: Have you thought about checking the archives?



Re: spamd extension

2005-10-25 Thread Bob Beck
spamdb -a `spamdb | grep '<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>' | cut -d '|' -f 2`

-Bob

* James Harless <[EMAIL PROTECTED]> [2005-10-25 15:50]:
> I would like some advice on extending spamd functionality.  I'm not
> sure the best approach to this problem.
> 
> Problem:
> 
> I administer several independent mail gateway / firewall devices that
> greylist for their networks.  I've done a fair job of educating users
> about how greylisting will affect their email but, inevitably a user
> will contact me to request that an incoming email be whitelisted.  The
> only information they have is 1) sending email address and 2)
> receiving email address.  Of course, spamd only deals in IP addresses
> and it may be difficult to find the ip address of the sending mail
> server.  Additionally, I'd like to provide some method to the users
> where they could whitelist someone themselves without requesting
> directly from me.
> 
> What I envision:
> 
> A script or extension to spamd that would allow me to input a 'from'
> and 'rcpt to' address.  Then, the next time that combo is seen, from
> any IP address...it gets whitelisted automatically.  I envision this
> only happening one time and then returning to greylisting as normal. 
> I understand that there's a chance of someone sending spam through in
> that window with the proper from/to combo .. but, it's small enough to
> accept.
> 
> 
> Thoughts?  Does this sound feasible?  Is this a reasonable solution? 
> If so, what direction would you recommend for implementation?  (I'm no
> programmer.. but, not afraid of diving in, nonetheless.)
> 
> --James



Re: spamd extension

2005-10-25 Thread James Harless
I appreciate the suggestions, but, not quite what I'm looking for yet.
Either of these would allow me to whitelist someone AFTER they had been
greylisted. What I'm looking for is a way to whitelist them based on user
input.. before their initial email has been sent. In this somewhat typical
scenario, the user has contacted me and said "I don't want mail from
[EMAIL PROTECTED] to be delayed... whitelist them, please."

--James

On 10/25/05, Bob Beck <[EMAIL PROTECTED]> wrote:
>
>
> spamdb -a `spamdb | grep '<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>' | cut -d '|' -f 2`
>
> -Bob
>
> * James Harless <[EMAIL PROTECTED]> [2005-10-25 15:50]:
> > I would like some advice on extending spamd functionality. I'm not
> > sure the best approach to this problem.
> >
> > Problem:
> >
> > I administer several independent mail gateway / firewall devices that
> > greylist for their networks. I've done a fair job of educating users
> > about how greylisting will affect their email but, inevitably a user
> > will contact me to request that an incoming email be whitelisted. The
> > only information they have is 1) sending email address and 2)
> > receiving email address. Of course, spamd only deals in IP addresses
> > and it may be difficult to find the ip address of the sending mail
> > server. Additionally, I'd like to provide some method to the users
> > where they could whitelist someone themselves without requesting
> > directly from me.
> >
> > What I envision:
> >
> > A script or extension to spamd that would allow me to input a 'from'
> > and 'rcpt to' address. Then, the next time that combo is seen, from
> > any IP address...it gets whitelisted automatically. I envision this
> > only happening one time and then returning to greylisting as normal.
> > I understand that there's a chance of someone sending spam through in
> > that window with the proper from/to combo .. but, it's small enough to
> > accept.
> >
> >
> > Thoughts? Does this sound feasible? Is this a reasonable solution?
> > If so, what direction would you recommend for implementation? (I'm no
> > programmer.. but, not afraid of diving in, nonetheless.)
> >
> > --James
> >
>



--
What would Bilano do?



Re: spamd extension

2005-10-26 Thread Chad M Stewart

James,

The more I think about this one, the more I think there is no  
solution to your issue.  Well okay there are two choices, either use  
spamd or not. :)


You would have to have ESP to know from which IP address a particular  
sender would be sending.  If I'm sitting in a hotel and using their  
WiFi then it is very probable that my message will be coming from  
their SMTP server, not that which I use normally.  Given only my mail  
address you have no way of determining for sure, which server I use  
to send mail.  The server I submit a message to does not have to be  
the server that eventually connects to the recipient's server in DNS.


You can't provide an email address to spamd as the redirection  
happens before spamd, rather with PF.  The default is to send the  
packets to spamd.  Once the connection gets rdr to spamd, I'm not
aware of any way to say, redirect again to your real MTA.  That brings
us back to knowing the connecting server's IP address.


You could disable spamd protection and see how long it takes for your  
users to complain about the amount of spam they are getting.  :)



-Chad


On Oct 25, 2005, at 9:57 PM, James Harless wrote:


> I appreciate the suggestions, but, not quite what I'm looking for yet.
> Either of these would allow me to whitelist someone AFTER they had been
> greylisting. What I'm looking for is a way to whitelist them based on user
> input.. before their initial email has been sent. In this somewhat typical
> scenario, the user has contacted me and said "I don't want mail from
> [EMAIL PROTECTED] to be delayed... whitelist them, please."
>
> --James




Re: spamd extension

2005-10-26 Thread Lars Hansson
On Tue, 25 Oct 2005 20:57:15 -0500
James Harless <[EMAIL PROTECTED]> wrote:

> What I'm looking for is a way to whitelist them based on user
> input.. before their initial email has been sent. In this somewhat typical
> scenario, the user has contacted me and said "I don't want mail from
> [EMAIL PROTECTED] to be delayed... whitelist them, please."

Sure, it can be done as long as you can figure out what server [EMAIL PROTECTED]
will use to send their email and that's not as easy as it may initially seem.
xxx might not always send using the same provider, the provider may have multiple
outbound relays, he/she may be using a friend's computer, he/she may use a wifi
hotspot etc etc. Bottom line is that there's no reliable way to determine this
ahead of time.
Just whitelisting email addresses themselves defeats the purpose of spamd.

---
Lars Hansson

Message from:  Lars Hansson <[EMAIL PROTECTED]>



Re: spamd extension

2005-10-26 Thread James Harless
Chad,

I appreciate the insight.  I do realize it's a difficult problem but,
I think that there's a solution (albeit possibly from someone smarter
than I).

I do have variables that are known (the sender email address and the
recipient email address).  The problem is tying them to the IP Address
of the MTA when it's seen @ spamd.  It may be that there isn't a
solution without direct modification of spamd.  If that's the case,
then I hope the developer(s) will consider this suggestion.

I definitely won't be disabling spamd ;).  I would have a minor
revolution on my hands if my users suddenly had spam again...heh. 
OpenBSD greylisting has been very effective for us thus far.

--James



On 10/26/05, Chad M Stewart <[EMAIL PROTECTED]> wrote:
> James,
>
> The more I think about this one, the more I think there is no
> solution to your issue.  Well okay there are two choices, either use
> spamd or not. :)
>
> You would have to have ESP to know from which IP address a particular
> sender would be sending.  If I'm sitting in a hotel and using their
> WiFi then it is very probable that my message will be coming from
> their SMTP server, not that which I use normally.  Given only my mail
> address you have no way of determining for sure, which server I use
> to send mail.  The server I submit a message to does not have to be
> the server that eventually connects to the recipient's server in DNS.
>
> You can't provide an email address to spamd as the redirection
> happens before spamd, rather with PF.  The default is to send the
> packets to spamd.  Once the connection gets rdr to spamd, I'm not
> aware of any way to say, redirect again to your real MTA.  That brings
> us back to knowing the connecting server's IP address.
>
> You could disable spamd protection and see how long it takes for your
> users to complain about the amount of spam they are getting.  :)
>
>
> -Chad
>
>
> On Oct 25, 2005, at 9:57 PM, James Harless wrote:
>
> > I appreciate the suggestions, but, not quite what I'm looking for yet.
> > Either of these would allow me to whitelist someone AFTER they had
> > been
> > greylisting. What I'm looking for is a way to whitelist them based
> > on user
> > input.. before their initial email has been sent. In this somewhat
> > typical
> > scenario, the user has contacted me and said "I don't want mail from
> > [EMAIL PROTECTED] to be delayed... whitelist them, please."
> >
> > --James
> >
>


--
What would Bilano do?



Re: spamd extension

2005-10-26 Thread Stuart Henderson

--On 26 October 2005 08:21 -0500, James Harless wrote:


> I do have variables that are known (the sender email address and the
> recipient email address).  The problem is tying them to the IP Address
> of the MTA when it's seen @ spamd.  It may be that there isn't a
> solution without direct modification of spamd.


By design, spamd can't do this. It neither accepts mail itself, nor 
proxies to the real backend server. It always sends a tempfail result 
code, and if it's the second time it's seen client_ip|src|dest, it adds 
to a table at the same time, so that on the third attempt the real 
mailserver is hit instead.



> I definitely won't be disabling spamd ;)


The type of functionality you're looking for needs something with hooks 
directly into the mail server itself, there's no way with spamd to 
avoid delaying a connection unless you /already/ know the IP address. 
Maybe milter-greylist or postgrey already do what you're looking for, 
or if not they'll likely be easier to adapt.




Re: spamd extension

2005-10-26 Thread Frank Bax

At 09:57 PM 10/25/05, James Harless wrote:


> I appreciate the suggestions, but, not quite what I'm looking for yet.
> Either of these would allow me to whitelist someone AFTER they had been
> greylisting. What I'm looking for is a way to whitelist them based on user
> input.. before their initial email has been sent. In this somewhat typical
> scenario, the user has contacted me and said "I don't want mail from
> [EMAIL PROTECTED] to be delayed... whitelist them, please."



spamd only delays the *first* message between the two parties.  After that 
there is no delay - as long as sender continues to use the same SMTP server.


Have you tried whitelisting these servers:
http://greylisting.org/whitelisting.shtml

Is there an underlying assumption in your question that spamd is the actual 
problem?  During the initial weeks of using spamd on my server, half of the 
complaints about undelivered email were not the fault of spamd. 



Re: spamd extension

2005-10-26 Thread James Harless
On 10/26/05, Frank Bax <[EMAIL PROTECTED]> wrote:
>
> At 09:57 PM 10/25/05, James Harless wrote:
>
> >I appreciate the suggestions, but, not quite what I'm looking for yet.
> >Either of these would allow me to whitelist someone AFTER they had been
> >greylisting. What I'm looking for is a way to whitelist them based on user
> >input.. before their initial email has been sent. In this somewhat typical
> >scenario, the user has contacted me and said "I don't want mail from
> >[EMAIL PROTECTED] to be delayed... whitelist them, please."
>
>
> spamd only delays the *first* message between the two parties. After that
> there is no delay - as long as sender continues to use the same SMTP server.

 My experience is that greylisting requires at least 2 failed attempts.
Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
that seems to me should pass through.

> Have you tried whitelisting these servers:
> http://greylisting.org/whitelisting.shtml
>
> Is there an underlying assumption in your question that spamd is the actual
> problem? During the initial weeks of using spamd on my server, half of the
> complaints about undelivered email were not the fault of spamd.
>
>
I do whitelist the servers on greylisting.org <http://greylisting.org>.
There's no real doubt that greylisting is part of my 'issue'. It's not
unmanageable, by any means, but, I'm just wondering if there isn't a way to
correct the problem.
 Greylisting is 99% of the time not a problem. But, sometimes, the client is
on the phone with a customer or in some other situation where they need to
receive the email quickly. With my current greylisting setups, I can't
guarantee any time when they'll receive the first email from a contact other
than 'will take at least 5 mins and can take much longer depending on how
their mail server is configured'.
 In any case, it's not unmanageable. I just set expectations with customers
and they're not wanting to move away from greylisting. But, it does *feel*
like a 'solvable problem'.
  --James

--
What would Bilano do?



Re: spamd extension

2005-10-26 Thread Bob Beck
If you are using spamlogd correctly, so that it is whitelisting the
destination addresses of target mailservers, I find the actual need
for this to be near zero, since most people send mail to
[EMAIL PROTECTED] and as soon as they do the server is whitelisted for
the reply - this is not the case with some big sites where their inbound
mx differs from the ip their outbound mail comes from, but it works
to speed up the process "most of the time." - and when it doesn't
the email is delayed a half hour or a little more.  

Basically, the correct answer is "suck it up princess, in
pathological cases someone's email might be delayed by a short while
getting to you" in normal cases it won't. Usually users ask for this
when you tell them what you are doing and they don't understand
that in 95% of the cases they never see a delay. 

-Bob

* James Harless <[EMAIL PROTECTED]> [2005-10-25 20:09]:
> I appreciate the suggestions, but, not quite what I'm looking for yet.
> Either of these would allow me to whitelist someone AFTER they had been
> greylisting. What I'm looking for is a way to whitelist them based on user
> input.. before their initial email has been sent. In this somewhat typical
> scenario, the user has contacted me and said "I don't want mail from
> [EMAIL PROTECTED] to be delayed... whitelist them, please."
> 
> --James
> 
> On 10/25/05, Bob Beck <[EMAIL PROTECTED]> wrote:
> >
> >
> > spamdb -a `spamdb | grep '<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>' | cut -d '|' -f 2`
> >
> > -Bob
> >
> > * James Harless <[EMAIL PROTECTED]> [2005-10-25 15:50]:
> > > I would like some advice on extending spamd functionality. I'm not
> > > sure the best approach to this problem.
> > >
> > > Problem:
> > >
> > > I administer several independent mail gateway / firewall devices that
> > > greylist for their networks. I've done a fair job of educating users
> > > about how greylisting will affect their email but, inevitably a user
> > > will contact me to request that an incoming email be whitelisted. The
> > > only information they have is 1) sending email address and 2)
> > > receiving email address. Of course, spamd only deals in IP addresses
> > > and it may be difficult to find the ip address of the sending mail
> > > server. Additionally, I'd like to provide some method to the users
> > > where they could whitelist someone themselves without requesting
> > > directly from me.
> > >
> > > What I envision:
> > >
> > > A script or extension to spamd that would allow me to input a 'from'
> > > and 'rcpt to' address. Then, the next time that combo is seen, from
> > > any IP address...it gets whitelisted automatically. I envision this
> > > only happening one time and then returning to greylisting as normal.
> > > I understand that there's a chance of someone sending spam through in
> > > that window with the proper from/to combo .. but, it's small enough to
> > > accept.
> > >
> > >
> > > Thoughts? Does this sound feasible? Is this a reasonable solution?
> > > If so, what direction would you recommend for implementation? (I'm no
> > > programmer.. but, not afraid of diving in, nonetheless.)
> > >
> > > --James
> > >
> >
> 
> 
> 
> --
> What would Bilano do?



Re: spamd extension

2005-10-26 Thread eric
On Wed, 2005-10-26 at 09:06:11 -0600, Bob Beck proclaimed...

>   Basically, the correct answer is "suck it up princess, in
> pathological cases someone's email might be delayed by a short while
> getting to you" in normal cases it won't. Usually users ask for this
> when you tell them what you are doing and they don't understand
> that in 95% of the cases they never see a delay. 

Hell, I usually just blame the other ISP and by the time the customer argues,
the mail is re-sent and waiting for them :-)



Re: spamd extension

2005-10-26 Thread Graham Toal
>  My experience is that greylisting requires at least 2 failed attempts.
> Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
> that seems to me should pass through.

James is right, it's a design flaw of spamd that two failed attempts
are required.  This is what happens:

1) first attempt, goes to spamd, is logged.
2) second attempt, goes to spamd, is marked as good ... *BUT* it
   still went to spamd.  spamd is not an application relay, so it
   has no way of passing that currently-active second attempt through
   to the true MTA, so ...
3) third attempt, redirected to true MTA

The only fix for this is a *major* redesign of spamd (or equivalently
incorporating spamd's greylisting code into a spamfilter which *does*
relay connections at the IP level to an MTA - which is actually what I'm
working on at the moment)

One of the pre-requisites (in my opinion) for a filter which
relays connections (rather than routing them through) is full
transparency, i.e. the MTA sees the IP of the original caller, not
the IP of the relay.  This is so that the MTA continues to do
third-party relay rejection and does not require you to duplicate
that logic in your relay host.  Fortunately for us, OpenBSD+pf
have exactly the facilities needed to transparently forward at
the TCP/IP session level, albeit not a common or easy thing to do.


Graham



Re: spamd extension

2005-10-26 Thread Bryan Irvine
On 10/26/05, James Harless <[EMAIL PROTECTED]> wrote:
> Chad,
>
> I appreciate the insight.  I do realize it's a difficult problem but,
> I think that there's a solution (albeit possibly from someone smarter
> than I).

Nope there's just not.

> I do have variables that are known (the sender email address and the
> recipient email address).  The problem is tying them to the IP Address
> of the MTA when it's seen @ spamd.  It may be that there isn't a
> solution without direct modification of spamd.  If that's the case,
> then I hope the developer(s) will consider this suggestion.

How would you find an unknown ip of an unknown machine?  About the
only *chance* you have is doing MX lookup's and hoping that email
comes from that same server.  If their organization uses various
relays and proxies to send, you are out of luck.  There's no way to
get that information without a previously harvested email and looking
at the message headers.


--Bryan



Re: spamd extension

2005-10-26 Thread Chad M Stewart

On Oct 26, 2005, at 11:54 AM, Graham Toal wrote:

> > My experience is that greylisting requires at least 2 failed attempts.
> > Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
> > that seems to me should pass through.
>
> James is right, it's a design flaw of spamd that two failed attempts
> are required.  This is what happens:
>
> 1) first attempt, goes to spamd, is logged.
> 2) second attempt, goes to spamd, is marked as good ... *BUT* it
>    still went to spamd.  spamd is not an application relay, so it
>    has no way of passing that currently-active second attempt through
>    to the true MTA, so ...
> 3) third attempt, redirected to true MTA


I agree this is how things work.  I disagree that this is a design  
flaw.  Instead this is the fundamental thing that makes spamd so  
great at what it does.   Maybe I'm a little too RFC biased, but if  
the standards say XYZ MUST be done, then if the sending MTA is not  
playing by the rules, I don't want their mail.  Though I'm happy to  
talk and work with them to get their servers fixed.  The side effect  
being that all those spammer zombie machines don't get a message into  
my servers. :)


spamd is ensuring that MTAs are following the standards.  The  
standards say that a sending MTA must wait 30 minutes before  
attempting a retry, thus the default passtime for spamd is 25  
minutes, which I think is a good buffer.  If MTAs should retry in say  
15 minutes, I don't know what spamd does, I've not tested that  
scenario.  I would hope that maybe spamd would update the initial  
time to the most recent attempt and wait to put the IP in the  
whitelist pool until passtime has passed between retries.


I often see delays of either an hour or two when first getting a  
message via a new MTA.  Which makes sense to me, and I think is  
tolerable.  Email is not instant messaging.  If it absolutely has to  
be there NOW, then use something else. :)


00:00 -- first connection attempted
00:30 -- second connection attempted
00:31 -- IP now whitelisted

I've found that some MTAs will try to make a 3rd attempt 60 minutes from
the first attempt, while others seem to wait 60 minutes or more from  
the 2nd attempt.



-Chad



Re: spamd extension

2005-10-26 Thread James Harless
> How would you find an unknown ip of an unknown machine?  About the
> only *chance* you have is doing MX lookup's and hoping that email
> comes from that same server.  If their organization uses various
> relays and proxies to send, you are out of luck.  There's no way to
> get that information without a previously harvested email and looking
> at the message headers.
>

Well, that's exactly the point... you don't find the ip.  You put in a
temporal entry that says 'whitelist the next ip address that connects
attempting to send mail from $sender to $rcpt'.  After that, the entry
expires.

It's been pointed out here that it just isn't possible, currently. 
I'm ok with that.  The issue is smaller than the problem that it
solves (removing most of the spam from my networks).

Thanks for all the input.

--James



Re: spamd extension

2005-10-26 Thread Hans Kremers

Graham Toal wrote:


> The only fix for this is a *major* redesign of spamd (or equivalently
> incorporating spamd's greylisting code into a spamfilter which *does*
> relay connections at the IP level to an MTA - which is actually what I'm
> working on at the moment)


Why start from scratch ? There are enough seasoned, full featured MTA's
around that will allow you to incorporate greylisting. And you get all
the other stuff like STARTTLS, AUTH etc gratis.

I'd either accept spamd's few limitations or incorporate greylisting
into a MTA.

Just my thoughts.

Hans



Re: spamd extension

2005-10-26 Thread Stuart Henderson

--On 26 October 2005 09:12 -0400, Frank Bax wrote:


> Have you tried whitelisting these servers:
> http://greylisting.org/whitelisting.shtml


That list by policy only includes 'shared queue' servers on blocks 
larger than /24 (the greylisting software written by the list compiler 
usually masks the last byte of the address anyway). If your spamd box 
regularly receives mail from users at large sites that use different 
machines for outbound and inbound mail, where a shared queue is 
involved, and don't have enough users yourself to ensure that the most 
common of these are already whitelisted, greylisting software other 
than spamd might be a better choice. As luck would have it these are 
also often the sites with crappy retry cycles delaying mail multiple 
hours. But then, I wouldn't want to run a full mta on the small 
hardware I usually run spamd on sitting in front of mail servers, and 
larger sites that are less affected by this problem probably don't want 
to devote full mta resources to their spam senders either, so it's good 
that there are both lightweight and more featureful choices.




Re: spamd extension

2005-10-26 Thread Frank Bax

At 11:05 AM 10/26/05, James Harless wrote:


> On 10/26/05, Frank Bax <[EMAIL PROTECTED]> wrote:
> > spamd only delays the *first* message between the two parties. After that
> > there is no delay - as long as sender continues to use the same SMTP
> > server.
>
> My experience is that greylisting requires at least 2 failed attempts.
> Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
> that seems to me should pass through.



Correct.  One *message* - two (or more) failed attempts before 
delivery.  Extra failed attempts can sometimes happen - it depends on 
sender's retry frequency compared to spamd_flags values.
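
The retry arithmetic discussed in this thread (two tempfails at minimum, more when the sender retries early, lets the tuple expire, or rotates outbound IPs), as an added Python model that is not spamd's code and not part of any message. It assumes that a retry before passtime leaves the first-seen time unchanged, and it uses spamd(8)'s default 4-hour grey expiry alongside the 25-minute passtime cited above; the addresses are constructed.

```python
# Added illustration: a simplified model of the greylisting behaviour described
# in this thread. It is not spamd's source code. All times are in minutes.

PASSTIME = 25       # a retry only counts once the tuple is this old (default cited in the thread)
GREYEXP = 4 * 60    # an un-retried grey tuple is forgotten after this long (spamd(8) default)

# Constructed sample envelope; the addresses are placeholders.
SENDER = "alice@example.org"
RCPT = "bob@example.net"


class Greylist:
    def __init__(self, passtime=PASSTIME, greyexp=GREYEXP):
        self.passtime = passtime
        self.greyexp = greyexp
        self.grey = {}      # (client_ip, sender, rcpt) -> minute first seen
        self.white = set()  # client IPs that pf no longer redirects to spamd

    def connect(self, now, ip, sender=SENDER, rcpt=RCPT):
        """Return "MTA" if the connection reaches the real mail server,
        or "TEMPFAIL" if spamd answers it."""
        if ip in self.white:
            return "MTA"
        key = (ip, sender, rcpt)
        first = self.grey.get(key)
        if first is None or now - first > self.greyexp:
            # New tuple, or the old one expired: start the clock (again).
            self.grey[key] = now
        elif now - first >= self.passtime:
            # Valid retry: whitelist the IP. Simplification: real spamd
            # does this on its next periodic database scan.
            self.white.add(ip)
            del self.grey[key]
        # Assumption of this model: a retry before passtime changes nothing.
        # spamd does not relay, so every connection that reached it fails.
        return "TEMPFAIL"


def simulate(attempts, **settings):
    """attempts: list of (minute, client_ip) in time order.
    Returns (number of tempfails, minute of delivery or None)."""
    gl = Greylist(**settings)
    tempfails = 0
    for minute, ip in attempts:
        if gl.connect(minute, ip) == "MTA":
            return tempfails, minute
        tempfails += 1
    return tempfails, None


if __name__ == "__main__":
    a, b = "192.0.2.10", "192.0.2.11"   # constructed documentation addresses
    cases = {
        "retry every 30 min, one IP": [(0, a), (30, a), (60, a)],
        "retry every 10 min, one IP": [(t, a) for t in range(0, 50, 10)],
        "first retry after grey expiry": [(0, a), (300, a), (330, a), (360, a)],
        "two-IP outbound pool": [(0, a), (30, b), (60, a), (90, b), (120, a)],
    }
    for name, attempts in cases.items():
        fails, delivered = simulate(attempts)
        print(f"{name}: {fails} tempfails, delivered at minute {delivered}")
```
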




Re: spamd extension

2005-10-26 Thread Elliot Foster

Stuart Henderson wrote:


> --On 26 October 2005 08:21 -0500, James Harless wrote:
>
> > I do have variables that are known (the sender email address and the
> > recipient email address).  The problem is tying them to the IP Address
> > of the MTA when it's seen @ spamd.  It may be that there isn't a
> > solution without direct modification of spamd.
>
> By design, spamd can't do this. It neither accepts mail itself, nor
> proxies to the real backend server. It always sends a tempfail result
> code, and if it's the second time it's seen client_ip|src|dest, it
> adds to a table at the same time, so that on the third attempt the
> real mailserver is hit instead.
>
> > I definitely won't be disabling spamd ;)
>
> The type of functionality you're looking for needs something with
> hooks directly into the mail server itself, there's no way with spamd
> to avoid delaying a connection unless you /already/ know the IP
> address. Maybe milter-greylist or postgrey already do what you're
> looking for, or if not they'll likely be easier to adapt.




Not to venture off topic, but it's at this point that I would suggest 
you look at qpsmtpd (http://smtpd.develooper.com) for your anti-spam 
needs.  It's an SMTP server written entirely in perl and is incredibly 
extensible (easy to do so as well.)  It's nice and speedy:  apache.org 
and perl.org receive all of their mail through it.  It can tie into 
Postfix and qmail, and there is an experimental SMTP proxy function as 
well.  I hope to get around to creating an interface to sendmail as
well.  Its connections can be managed by an internal polling server 
(using epoll or kqueue under linux/bsd if available), a forkserver 
model, tcpserver (with speedy-cgi/pperl/forkserver), or apache2 (via 
mod_perl).  It is my current perl love, and I would highly recommend at 
least a peek at it.


For a quick summary by one of the main developers, see:

http://www.oreillynet.com/pub/a/sysadmin/2005/09/15/qpsmtpd.html



Re: spamd extension

2005-10-26 Thread Graham Toal
> >The only fix for this is a *major* redesign of spamd (or equivalently
> >incorporating spamd's greylisting code into a spamfilter which *does*
> >relay connections at the IP level to an MTA - which is actually what I'm
> >working on at the moment)

> Why start from scratch ? There are enough seasoned, full featured MTA's
> around that will allow you to incorporate greylisting. And you get all
> the other stuff like STARTTLS, AUTH etc gratis.
>
> I'd either accept spamd's few limitations or incorporate greylisting
> into a MTA.
>
> Just my thoughts.

There *are* several greylisting implementations using MTAs if that is
what you want.  The attractive feature of spamd+openbsd/pf is that it is
MTA-agnostic.  After it does its thing it simply routes your connection
through to the real MTA at the IP level.

Anyway, it's not starting from scratch for me - I have a mature
pseudo-transparent SMTP filter that works well and has been in service
for over a year - it's just that I have not publicised it much because
in its current form it requires configuration, such as telling it
what domains you accept mail for, which IPs are local, etc.  I needed
to learn about transparent bridging first and recode the I/O so that
the filtering is not visible at the IP level.  Which I now have, mostly.

My filter uses spamassassin plus spamprobe plus uvscan plus clamav, with
some automatic detection of spamtrap addresses thrown in.  I haven't yet
added greylisting to it, and indeed our deployment at the University where
I work has an openbsd running spamd sitting in front of my filter sitting
in front of the real MTA!  By incorporating the logic from spamd into my
code, I can remove one piece of hardware.  And improve spamd while I'm at
it, because with this architecture I can forward that second connection
attempt to the MTA, and avoid having two delays rather than one.


Graham



Re: spamd extension

2005-10-26 Thread Graham Toal
> On 10/26/05, James Harless <[EMAIL PROTECTED]> wrote:
> > Chad,
> >
> > I appreciate the insight.  I do realize it's a difficult problem but,
> > I think that there's a solution (albeit possibly from someone smarter
> > than I).
>
> Nope there's just not.

There is, but not with spamd as currently implemented.  The fix would
involve this:

1) accept the connection, remember the target IP
2) go through the rcpt from/mail to protocol, and when you have
   the information, check it in your whitelist.  If it is present,
   open a connection with the original target, repeat the rcpt/mail
   exchange (not forgetting the HELO) and then sit back and transparently
   proxy the rest of the connection.

It's doable, it's just not easy.  That plus a lot more is what the
filter I was talking about in the other thread does; maybe if it's not
too difficult, I'll do a shorter version which doesn't have the majority
of my code, but just adds the logic above to spamd, if there's any interest?

It does require spamd to be running in a transparent bridge. *NOT* a
NAT gateway, which is the most common configuration.

By the way, the other improvement I'd make in spamd if I had my druthers, is
that it would have the option of accepting the initial email and returning
the tempfail code at the end of the data exchange rather than before it as it
currently does.  This would allow proper QA on the rejected mails.  You'd
need to create a signature of an email and when the mail went through
successfully on the second attempt, locate the original copy using the
signature and remove it from the cache; mails which never retried would
remain in the cache, and would be swept after an appropriate time out,
giving you a good record of rejected mails.  You could either use this info
to generate stats, or you could run the mails through a traditional
spam filter as a consistency check, to try to detect genuine connections
that had been inadvertently blocked.  Or if you're sure all the
rejects were genuinely spam, you could feed the saved copies into
spam filter training, or to a cooperative net project like Vipul.
Lots of scope there for new features.


Graham



Re: spamd extension

2005-10-28 Thread Hannah Schroeter
Hello!

On Wed, Oct 26, 2005 at 09:12:34AM -0400, Frank Bax wrote:
>spamd only delays the *first* message between the two parties.  After that 
>there is no delay - as long as sender continues to use the same SMTP server.

And there's no mailout pool with shared queue involved, and if the
envelope sender address is always the same (i.e. no VERP, no SES,
no self-signed SRS, no SRS-enabled forwards, etc.).

>Have you tried whitelisting these servers:
>http://greylisting.org/whitelisting.shtml

>Is there an underlying assumption in your question that spamd is the actual 
>problem?  During the initial weeks of using spamd on my server, half of the 
>complaints about undelivered email were not the fault of spamd. 

So the other half *was* the fault of spamd?

Kind regards,

Hannah.



Re: spamd extension

2005-10-28 Thread Graham Toal
> From: Hannah Schroeter <[EMAIL PROTECTED]>

> And there's no mailout pool with shared queue involved, and if the
> envelope sender address is always the same (i.e. no VERP, no SES,
> no self-signed SRS, no SRS-enabled forwards, etc.).

Surprisingly few.

> >problem?  During the initial weeks of using spamd on my server, half of the 
> >complaints about undelivered email were not the fault of spamd. 
>
> So the other half *was* the fault of spamd?

Oh, you floccinaucinihilipilificatrix, you!

The very paranoid among us will read the disclaimers involved in
greylisting and never get round to implementing it.  The braver
souls will just do it and see what happens.  It turns out that
it is an *extremely* valuable tool - far more so than simple
content filters, no matter how good they are - and it is well
worth having.  And I say that as someone who started off at the
paranoid end of the spectrum and who implemented greylisting a
lot sooner than planned solely because a new CIO had used it at
his previous site and insisted we put it up.

Yes, there are a few teething troubles, but they mostly get taken
care of in the first month where you're monitoring everything
closely anyway.

There were only two systematic problems we had:

1) some sites issue an RSET, before the RSET code was in spamd.

2) People using older installations of Cisco PIX firewalls
had SMTP masking enabled (visible by connecting to their server
and seeing stars (***) where text should be.)  Asking them
to turn off this useless and broken misfeature fixed the problem,
or if they weren't willing to do that, have them mask only
incoming connections, not outgoing ones.


At our University we have some very demanding faculty with a low
tolerance for email glitches.  Despite this the greylisting not only
went without complaints, it has generated more praise for the IT
dept than any other measure in the last year (which is probably a
bit galling to the guys working on the hard stuff ;-) )

My advice, just do it.


Graham



Re: spamd extension

2005-10-28 Thread Frank Bax

At 02:22 PM 10/28/05, Hannah Schroeter wrote:

> On Wed, Oct 26, 2005 at 09:12:34AM -0400, Frank Bax wrote:
> >During the initial weeks of using spamd on my server, half of the
> >complaints about undelivered email were not the fault of spamd.
>
> So the other half *was* the fault of spamd?



Sorry, spamd was not at fault - let me rewrite that sentence.

During the initial weeks of using spamd on my server, half of the
complaints about undelivered email had nothing to do with spamd. 



spamd -s option

2005-10-29 Thread Tim Hoddy
Hello All

In the source to spamd, specifically spamd.c, I see that the
maximum value of the -s option is 10 (seconds).

What is the reason for this please?  Anyone know or hazard a guess?

Thanks.

Tim

-- 
Email: [EMAIL PROTECTED]
WWW: http://www.skyhook.ath.cx/tides/



Re: Spamd & stats

2006-05-19 Thread Gaby vanhegan
On 19 May 2006, at 21:28, Mike Spenard wrote:

> I'm looking for scripts to generate statistics off of /var/log/spamd

If you don't mind using rrdtool to collate the information, I have  
some scripts here:

http://vanhegan.net/software/

In the Misc section down the bottom, you'll find my php/rrd/spamd  
scripts.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/



Re: Spamd & stats

2006-05-19 Thread Timothy A. Napthali
I got this script (spamd_parser.tgz) from a guy called Christopher
Kruslicky so all credit goes to him. It uses RRD Tool and provides a
fairly nice graph. It also runs as a daemon.

I butchered his code to produce two Perl daemons (spamd.zip) - one that
monitors the spamd log and updates the RRD database, and another that
builds new graphs from that database. The reason I did it this way is
that the graphs are hosted on another server and I needed to be able to
fetch, via SCP, a completed graph to be shown on the web page as opposed
to generating the graphs on demand. Keep in mind that although it seems
to work perfectly and has done so for over a year, my Perl skills are
newbie level so I'm sure I've done a few things that may not be the
best. Anyway, feel free to use them if you wish.

Tim.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Mike Spenard
Sent: Saturday, 20 May 2006 6:29 AM
To: misc@openbsd.org
Subject: Spamd & stats

Hi,
 I'm looking for scripts to generate statistics off of /var/log/spamd

Thanks,
 Mike Spenard

[demime 1.01d removed an attachment of type application/x-compressed which had a name of spamd_parser.tgz]

[demime 1.01d removed an attachment of type application/x-zip-compressed which had a name of spamd.zip]



Spamd log question

2006-05-31 Thread Mike Spenard
I can't seem to find an explanation for this in the man pages (excuse my 
blindness if it is stated), but

what does the '(17/16)' indicate in log entries such as this..

Jun  1 00:01:33 guardian spamd[9554]: 209.59.102.252: connected (17/16)

Mike



Re: hoststated/spamd

2007-06-11 Thread Stuart Henderson
On 2007/06/08 16:02, Bob Beck wrote:
> > rdr-anchor "hoststated/smtp" from 
> > rdr proto tcp from ! to $MX port smtp -> 127.0.0.1 port spamd
> 
>   The fact that those two table names are different looks suspiciously
> wrong to me.

It took you pointing this out for me to work out exactly how anchors
with wildcards and host restrictions work, but it does work for me;

rdr-anchor "hoststated/smtp" from 
-  is handled by hoststated rules in the anchor,

rdr proto tcp from ! to $MX port smtp -> 127.0.0.1 port spamd
- normal hosts hit this reasonably normal spamd rdr,

rdr-anchor "hoststated/*"
- , holding hosts exempted from greylisting, has fallen
through from the first two; this and non-smtp services are handled by
hoststated rules.



Re: Spamd variation

2007-06-12 Thread RW
On Tue, 12 Jun 2007 03:04:23 -0700 (PDT), Praveen wrote:

>Hi,
>   From the man page it appears that spamd relies on 
>static information about spam originators.
>Why not a more dynamic scheme ?.
>
>Why not run the content of the mail through a spam
>detector (like dspam), find the spam score and make
>decisions based on that. I know that spam detection
>is nowhere near perfect but it can be used for
>assigning a 'badness score' to a site(originator of
>email). So a site keeps getting this score and the
>average (per msg) exceeds a we black list the site for
>fixed duration. Similarly for white listing.
>
>'Badness score' and also be assigned for other things,
>like trying to send to non-existent user (a typical
>spammer probe), absence of mx entry etc.
>
>
>A milter(sendmail/postfix) can be implemented for
>this.
>Thus decisions will be more dynamic and 'configuration
>free'.
>
>Does this sound reasonable ?
>

No.

That would make spamd into bloatware and much less efficient.

People who want milters, content-inspection, RBL lookups and whatever
can run them in conjunction with their MTA.

spamd does all I want it to do with no measurable load on my system. I
do NO content inspection and there have been only 3 spams total which
got to any user in this domain since 1/1/7.

Content inspection practitioners are always playing catchup and
fiddling with ham/spam training for their toys and then along comes the
next trick of the spammers = back to square one.

Thanks to beck@ and company I don't have to play that silly game.

R\/\/.

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: Spamd variation

2007-06-12 Thread Lars Hansson

Praveen wrote:
> From the man page it appears that spamd relies on
> static information about spam originators.


greylisting is pretty dynamic.

---
Lars Hansson



Re: Spamd variation

2007-06-12 Thread Jacob Yocom-Piatt
RW wrote:
> On Tue, 12 Jun 2007 03:04:23 -0700 (PDT), Praveen wrote:
>
>   
>> Hi,
>>   From the man page it appears that spamd relies on 
>> static information about spam originators.
>> Why not a more dynamic scheme ?.
>>
>> Why not run the content of the mail through a spam
>> detector (like dspam), find the spam score and make
>> decisions based on that. I know that spam detection
>> is nowhere near perfect but it can be used for
>> assigning a 'badness score' to a site(originator of
>> email). So a site keeps getting this score and the
>> average (per msg) exceeds a we black list the site for
>> fixed duration. Similarly for white listing.
>>
>> 'Badness score' and also be assigned for other things,
>> like trying to send to non-existent user (a typical
>> spammer probe), absence of mx entry etc.
>>
>>
>> A milter(sendmail/postfix) can be implemented for
>> this.
>> Thus decisions will be more dynamic and 'configuration
>> free'.
>>
>> Does this sound reasonable ?
>>
>>     
>
> No.
>
> That would make spamd into bloatware and much less efficient.
>
> People who want milters, content-inspection, RBL lookups and whatever
> can run them in conjunction with their MTA.
>
> spamd does all I want it to do with no measurable load on my system. I
> do NO content inspection and there have been only 3 spams total which
> got to any user in this domain since 1/1/7.
>
> Content inspection practitioners are always playing catchup and
> fiddling with ham/spam training for their toys and then along comes the
> next trick of the spammers = back to square one.
>
>   

i second this. started working at my current job and there was a ton of
spam coming through until i set up spamd. some spam outfits, e.g.
OptInBig.com, took a bit of energy and analysis to block (thrown into
blacklists) but now that it's done, we get very little spam. the amount
of energy i have to expend on a regular basis to keep spamd working
effectively is approximately 0.

> Thanks to beck@ and company I don't have to play that silly game.
>
>   

hear hear! carefully reading the RFCs can be a beautiful thing indeed.

cheers,
jake

> R\/\/.
>
> In the beginning was The Word
> and The Word was Content-type: text/plain
> The Word of Rod.



Re: Spamd variation

2007-06-12 Thread Bob Beck
* Praveen <[EMAIL PROTECTED]> [2007-06-12 05:14]:
> Hi,
> From the man page it appears that spamd relies on
> static information about spam originators.
> Why not a more dynamic scheme ?.

No, it doesn't. please read the man page instead of
trolling.

> 
> Why not run the content of the mail through a spam
> detector (like dspam), find the spam score and make
> decisions based on that. I know that spam detection
> is nowhere near perfect but it can be used for
> assigning a 'badness score' to a site(originator of
> email). So a site keeps getting this score and the
> average (per msg) exceeds a we black list the site for
> fixed duration. Similarly for white listing.
> 

No. spamd does not do content filtering.

> 'Badness score' and also be assigned for other things,
> like trying to send to non-existent user (a typical
> spammer probe), absence of mx entry etc.
> 
> A milter(sendmail/postfix) can be implemented for
> this.
> Thus decisions will be more dynamic and 'configuration
> free'.

As it is, spamd in greylisting mode (the default)
is very configuration free. but it sounds like you
actually don't run it, and are just trolling. 

-Bob



Re: hoststated/spamd

2007-06-12 Thread Bob Beck
I still don't see how hosts in spamd-white are not sent to spamd.
what if a host is in spamd-white, but not in spamd-exempt..

-Bob


* Stuart Henderson <[EMAIL PROTECTED]> [2007-06-11 17:21]:
> On 2007/06/08 16:02, Bob Beck wrote:
> > > rdr-anchor "hoststated/smtp" from 
> > > rdr proto tcp from ! to $MX port smtp -> 127.0.0.1 port spamd
> > 
> > The fact that those two table names are different looks suspiciously
> > wrong to me.
> 
> It took you pointing this out for me to work out exactly how anchors
> with wildcards and host restrictions work, but it does work for me;
> 
> rdr-anchor "hoststated/smtp" from 
> -  is handled by hoststated rules in the anchor,
> 
> rdr proto tcp from ! to $MX port smtp -> 127.0.0.1 port spamd
> - normal hosts hit this reasonably normal spamd rdr,
> 
> rdr-anchor "hoststated/*"
> - , holding hosts exempted from greylisting, has fallen
> through from the first two; this and non-smtp services are handled by
> hoststated rules.
> 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}



Re: hoststated/spamd

2007-06-12 Thread Stuart Henderson
On 2007/06/12 09:04, Bob Beck wrote:
>   I still don't see how hosts in spamd-white are not sent to spamd.
> what if a host is in spamd-white, but not in spamd-exempt..

# pfctl -sn -vv|grep -E '(smtp|hoststated)'
@0 rdr-anchor "hoststated/smtp" from  to any
@1 rdr inet proto tcp from !  to XXX port = smtp -> 127.0.0.1 port 8025
@2 rdr inet proto tcp from !  to YYY port = smtp -> 127.0.0.1 port 8025
@3 rdr-anchor "hoststated/*" all

hosts in spamd-white are handled by the anchor at @0 (see below)
hosts in spamd-exempt fall through this, past @1/@2, and hit the anchor at @3

now I worked out how to display translation rules under anchors
(pfctl -sn -a '*' doesn't recurse through them), so here they are:

# pfctl -sn -vv -a hoststated/smtp|grep smtp
@0 rdr on vlan2204 inet proto tcp from any to XXX port = smtp ->  port 25 round-robin
@1 rdr on vlan2244 inet proto tcp from any to XXX port = smtp ->  port 25 round-robin
@2 rdr on vlan2204 inet proto tcp from any to YYY port = smtp ->  port 25 round-robin
@3 rdr on vlan2244 inet proto tcp from any to YYY port = smtp ->  port 25 round-robin

..smtp parts of hoststated.conf:

table smtp-lb {
        real port smtp
        check send "" expect "220*SMTP*"
        host XXX
        host YYY
}

service smtp {
        virtual host XXX port smtp interface vlan2244
        virtual host XXX port smtp interface vlan2204
        virtual host YYY port smtp interface vlan2244
        virtual host YYY port smtp interface vlan2204
        table smtp-lb
}
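
The fall-through described in this message can be modelled in a few lines. This is an added example, not part of the original post or of hoststated. It assumes PF's first-match behaviour for translation rules, takes the table names on @0 and @1/@2 from the message's prose (spamd-white and spamd-exempt), ignores the per-interface restriction inside the anchor, and uses constructed source addresses.

```python
from dataclasses import dataclass

SPAMD = ("127.0.0.1", 8025)   # spamd target from the pfctl output above
MTA_POOL = ("smtp-lb", 25)    # hoststated table of real mail servers
MX = {"XXX", "YYY"}           # placeholder MX addresses, as in the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def anchor_smtp(pkt):
    """Rules inside hoststated/smtp: rdr from any to MX port smtp -> pool."""
    return MTA_POOL if pkt.dst in MX and pkt.dport == 25 else None


def translate(pkt, spamd_white, spamd_exempt):
    """Walk the four rdr rules in order; the first match decides the target."""
    # @0 rdr-anchor "hoststated/smtp": entered only by sources in spamd-white
    if pkt.src in spamd_white and anchor_smtp(pkt):
        return "@0", MTA_POOL
    # @1/@2 rdr from sources NOT in spamd-exempt, to MX port smtp -> spamd
    if pkt.src not in spamd_exempt and pkt.dst in MX and pkt.dport == 25:
        return "@1/@2", SPAMD
    # @3 rdr-anchor "hoststated/*" all: every hoststated anchor, smtp included
    if anchor_smtp(pkt):
        return "@3", MTA_POOL
    return None, None  # no translation rule modelled here applies


def walk():
    """Constructed sources covering each combination of table membership."""
    white = {"192.0.2.10", "192.0.2.11"}      # assumed spamd-white contents
    exempt = {"192.0.2.11", "198.51.100.7"}   # assumed spamd-exempt contents
    hosts = {
        "white only": "192.0.2.10",
        "white and exempt": "192.0.2.11",
        "exempt only": "198.51.100.7",
        "neither": "203.0.113.5",
    }
    return {name: translate(Packet(src, "XXX", 25), white, exempt)
            for name, src in hosts.items()}


if __name__ == "__main__":
    for name, (rule, target) in walk().items():
        print(f"{name:17} -> rule {rule:6} target {target}")
```

A source in spamd-white but not in spamd-exempt, the case asked about in the thread, is translated at @0 and never reaches the spamd redirect.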


