Re: stolen
Sorry, this email address has been disabled by the KeyGhost webmaster due to an overflow of incoming spam. If you wish to contact us, please visit our website for a valid email address.

Thank you,
The KeyGhost Team

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Looking for a network sniffer that collects a used-ports list to help preparing a portfilter firewall script
also sprach Christian Hammers <[EMAIL PROTECTED]> [2004.11.12.1538 +0100]:
> I remember a network sniffer that could be run e.g. over a week to
> collect a list of all used tcp/udp ports which could then be used
> as base for creating a firewall script for hosts.

What an extraordinarily bad idea. You should know what you allow. Everything else should be blocked. You can use LOG and scan the kern.log file and selectively add stuff later.

--
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
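The "use LOG and scan kern.log" approach above, as an added worked example (this is not code from the thread or from any of its posters). It assumes the firewall's INPUT chain has rules that jump to the iptables LOG target with `--log-prefix 'INPUT-LOG: '`, so that the kernel log carries the usual `IN= OUT= SRC= DST= PROTO= SPT= DPT=` tokens; the kern.log lines below are constructed sample data using documentation address ranges. The script tallies destination ports per protocol, counting only TCP SYNs (new connection attempts) and UDP datagrams, and records how many distinct sources hit each port, so that a port hammered by a single host shows up as a probe to review rather than as a service to allow, which is the point being made in the reply:

```python
import re
from collections import Counter, defaultdict

# Constructed kern.log excerpt in the iptables LOG target's format (sample data, not from the thread).
# Assumes rules were added with "--log-prefix 'INPUT-LOG: '"; addresses are documentation ranges.
SAMPLE_KERN_LOG = """\
Nov 12 15:38:01 mx kernel: INPUT-LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 15:38:02 mx kernel: INPUT-LOG: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 15:38:03 mx kernel: INPUT-LOG: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=4713 PROTO=UDP SPT=53412 DPT=53 LEN=28
Nov 12 15:38:04 mx kernel: INPUT-LOG: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=4714 DF PROTO=TCP SPT=6000 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 12 15:38:05 mx kernel: INPUT-LOG: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=4715 DF PROTO=TCP SPT=6001 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 12 15:38:06 mx kernel: INPUT-LOG: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4716 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Nov 12 15:38:07 mx sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 51000 ssh2
"""

# KEY=value tokens (IN=, SRC=, PROTO=, DPT=, ...) and the bare TCP flag tokens the LOG target emits.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_log_line(line):
    """Return {'proto', 'src', 'dst', 'dport'} for a logged TCP SYN or UDP packet, else None."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None  # not an iptables LOG line
    fields = dict(KV_RE.findall(line))
    proto = fields.get("PROTO")
    if proto not in ("TCP", "UDP"):
        return None  # ICMP and friends carry no port
    if proto == "TCP":
        flags = set(FLAG_RE.findall(line))
        # Count a connection attempt once (pure SYN), not every packet of a flow and not
        # SYN/ACK replies to connections this host opened itself.
        if "SYN" not in flags or "ACK" in flags:
            return None
    try:
        return {"proto": proto, "src": fields["SRC"], "dst": fields["DST"], "dport": int(fields["DPT"])}
    except (KeyError, ValueError):
        return None


def summarize_used_ports(log_text):
    """Aggregate (proto, dport) -> packet count and sorted list of distinct source addresses."""
    packets = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dport"])
        packets[key] += 1
        sources[key].add(rec["src"])
    return {k: {"packets": packets[k], "sources": sorted(sources[k])} for k in packets}


def review_lines(summary):
    """One line per port, most distinct sources first; single-source ports are flagged for review."""
    rows = sorted(summary.items(), key=lambda kv: (-len(kv[1]["sources"]), kv[0]))
    out = []
    for (proto, dport), info in rows:
        note = "" if len(info["sources"]) > 1 else "  <- single source, looks like a probe; not grounds to allow"
        out.append(f"{proto:<4} {dport:>5}  packets={info['packets']:<4} sources={len(info['sources'])}{note}")
    return out


if __name__ == "__main__":
    for row in review_lines(summarize_used_ports(SAMPLE_KERN_LOG)):
        print(row)
```

Run it against a real kern.log with `python3 script.py < /var/log/kern.log` after replacing `SAMPLE_KERN_LOG` with `sys.stdin.read()`; the output is a review list for the administrator, not a rule set, which keeps the decision about what to allow where the reply says it belongs.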
Looking for a network sniffer that collects a used-ports list to help preparing a portfilter firewall script
Hello

I remember a network sniffer that could be run e.g. over a week to collect a list of all used tcp/udp ports which could then be used as base for creating a firewall script for hosts.

Does anybody know the name of this tool?

bye,
-christian-
Re: exim or postfix
On Fri, Nov 12, 2004 at 05:47:17PM +1100, Craig Sanders wrote:
> On Fri, Nov 12, 2004 at 05:12:34AM +, John Goerzen wrote:
> i like the way it works. makes it easy to model the flow of mail from
> component to component.

On the other hand, it introduces complexity into the system. It's a lot easier for me to write a plug-in for an Exiscan-acl filter (I could just accept a message on stdin and indicate my desires by an exit code, or my output, or whatever) than to write one for Postfix. For Postfix, I have to be a daemon, and one that speaks SMTP as both a client and a server at that.

> btw, if setting up a chain of filters, you don't need to loop it through
> postfix each time.

True.

> > The only featureful free software filtering system for Postfix that I've
> > seen is Amavis. And it sucks too. Slow, unreliable, a huge memory hog,
> > leaves files all over on the disk, etc, etc, etc.
>
> again, i like it (amavisd-new, that is). it is a bit of a memory hog (SA is
> *much* worse), but it's not unreliable and it doesn't leave files all over the
> place, it uses /var/lib/amavis and cleans up after itself. speedwise, it's
> not

I've had a lot of trouble with Amavis. And BTW, when I say Amavis, I am speaking about amavis, amavis-new, or amavis-ng collectively. I had to write a little cron job for my server that goes and cleans up the files it leaves behind from virus scanning. If the Internet is down, the whole thing freaks out. Amavis will sit there waiting for spamassassin to do its thing. Postfix will time out, and keep trying to call Amavis later. Meanwhile, Amavis will finally deliver the message (or not). Lots of duplication. I've also had a lot of trouble on upgrades to Amavis related to Perl versions and the like. It's had some serious "silently drops all mail" type bugs before. I will grant that once it starts up and is working OK, it doesn't crash.

> too shabby - insignificant time overhead compared to the time taken by SA or
> even clamav.
> > > That said, exiscan-acl is a lot faster than postfix+amavis on my system.
> > > Maybe it's because it uses about 500k of memory with a C program instead
> > > of 40MB of memory with a Perl program, or because it doesn't have to
> > > incorporate a full SMTP server, dunno.
>
> if you use SA with it, though, it still ends up using that 40MB per process.

root 262 0.0 2.0 25604 3900 ?Ss 06:22 0:03 /usr/sbin/spamd -c -m 10 -d --pidfile=/var/run/spamd.pid

3.9MB here :-)

> the nice thing about amavis is that you tell it to pre-fork as many processes
> as you think you'll need (adjust according to empirical observation) and you
> avoid the overhead of starting up perl and compiling SA for every message.
>
> dunno if exiscan-acl does something like that - i'd guess that it does because
> it is an obvious optimisation. either way, whether pre-forked or not, each SA
> process uses that much memory, and takes the same amount of time to run all
> its checks.

Exiscan prefers to operate by communicating with spamd and clamd daemons. That way, you get all those benefits, but exiscan itself doesn't have to embed a large Perl program in its process.

> i could probably get away with having SA checks during the SMTP stage. but I
> agree with Wietse's attitude that a system that only works some of the time is
> fundamentally broken. by doing content-filtering later and DISCARDing messages
> with scores over 13.0, i get pretty close to the same benefit without any of
> the risk.

Yeah, I could see that. OTOH, observation has shown that, under even high load, I can spam and virus check every message in about 2 seconds. Plus, I have Exim configured to queue only once my load exceeds 2.5 (meaning that incoming messages are scanned, then queued for the next queue run, rather than being delivered immediately), which means that load never gets much above that.
(Mail is really the only thing on my server that generates load)

[ snip ]

> > >    4779 User unknown
> >
> > I am stunned at how many attempts I get to send mail to non-existent
> > accounts, too.
>
> spammers sell their lists based on the number of addresses. they don't care if
> the addresses they are selling actually exist.

One theory I had for my situation is that I just turned off my backup MX. If they really were always targeting it, it would have accepted every message, so they would have thought every address was a real one. However, you seem to have blown that theory. :-)

-- John
Re: exim or postfix
On Fri, Nov 12, 2004 at 10:09:36AM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Friday 12 November 2004 07.47, Craig Sanders wrote:
> > On Fri, Nov 12, 2004 at 05:12:34AM +, John Goerzen wrote:
> > > >       4 ETRN
> > >
> > > Weird, people are just sending ETRN commands to you?
>
> me too. One is a mail server of a respected company that is apparently
> misconfigured, and has been for a few years. I've written the postmaster,
> I've written the IP block owners etc. - they just don't care.
>
> I probably should flood them with bogus email when they call in next time,
> perhaps that would make them pay attention... :-]

i just ignore it, same as i ignore all the probe attempts on various ports. they're annoying, and i wish they wouldn't happen, and i have to take steps to protect my systems against them, but they happen far too often to get too upset about them. block it, log it, and move on.

> > > >      26 RBL Dynablock.njabl.org
> > >
> > > My own static DSL IP is on this one. Lots of people have legit reasons
>             ^^
> > > for not using their ISP's sucky, crappy mail servers.
>
> > viruses that come from dynamic IPs.
>                        ^^^
>
> Craig, you seen that?

sorry, i didn't notice that first time around. thanks for pointing it out.

> Dynablock seems to include some static IPs.

IIRC, dynablock notes that this can happen on their web site. they say it's typically because the ISP concerned does something like:

1. allocates static IPs from the same pool as dynamic IPs
2. has reverse DNS entries that imply dynamic IP
3. maybe some other similar reasons, i forget...

unfortunately, there's nothing the end-user can do to resolve this. the only people they will listen to for requests to remove such possibly-bogus dynamic listings are the owner(s) of the netblock (i.e. the ISP). presumably that is because spammers are not above lying if it suits them and have no qualms about claiming that they are a legit mail operator on a really, truly, honest-i-tell-you static IP.
possibly also because it's a way to encourage slack-arse ISPs to adopt better practices.

personally, i'm inclined to still use dynamic blocks even with these errors, and add whitelist entries to my rbl_override map if and when i need to.

> (I guess John is at one of those ISPs who mix static IPs and dynamic IPs in
> the same IP range, or at least use the same xxx.dsl... reverse DNS.)

possibly.

craig

--
craig sanders <[EMAIL PROTECTED]>           (part time cyborg)
Re: exim or postfix
On Friday 12 November 2004 07.47, Craig Sanders wrote:
> On Fri, Nov 12, 2004 at 05:12:34AM +, John Goerzen wrote:
> > >       4 ETRN
> >
> > Weird, people are just sending ETRN commands to you?

me too. One is a mail server of a respected company that is apparently misconfigured, and has been for a few years. I've written the postmaster, I've written the IP block owners etc. - they just don't care.

I probably should flood them with bogus email when they call in next time, perhaps that would make them pay attention... :-]

> > >      26 RBL Dynablock.njabl.org
> >
> > My own static DSL IP is on this one. Lots of people have legit reasons
            ^^
> > for not using their ISP's sucky, crappy mail servers.

> viruses that come from dynamic IPs.
                       ^^^

Craig, you seen that? Dynablock seems to include some static IPs.

(I guess John is at one of those ISPs who mix static IPs and dynamic IPs in the same IP range, or at least use the same xxx.dsl... reverse DNS.)

> > >    4779 User unknown
> >
> > I am stunned at how many attempts I get to send mail to non-existent
> > accounts, too.

40% former usenet accounts, 40% message-Ids, 20% things like [EMAIL PROTECTED] or so; I guess mostly it's from web harvesters that extract email addresses from mailing list archives etc. but are buggy (or try to guess antispam-protected mail addresses.)

greetings
-- vbi

--
Oops
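The "count per reject reason" figures quoted through this thread (4779 User unknown, 26 RBL Dynablock.njabl.org, 4 ETRN) and the breakdown of rejected recipients in the post above are the kind of thing a small log tally produces. The following is an added example, not code from the thread or from any poster: it parses Postfix-style `smtpd` reject lines (the `NOQUEUE: reject: ... from host[ip]: code enhanced-code reason; from=<> to=<> ...` shape), collapses each reason into a short category, and also counts which recipients and which clients were rejected, so an administrator can see whether the User-unknown traffic is aimed at old addresses, message-id-shaped local parts, and so on. The log lines are constructed sample data with documentation addresses; the `Etrn command rejected` wording in the ETRN sample is an assumption about the exact text and is not taken from the thread.

```python
import re
from collections import Counter

# Constructed Postfix-style smtpd reject lines (sample data, not from the thread).
# Hosts and addresses are documentation values; the ETRN line's wording is assumed.
SAMPLE_MAIL_LOG = """\
Nov 12 06:12:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 550 5.1.1 <oldnews@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<oldnews@example.org> proto=ESMTP helo=<a.example.com>
Nov 12 06:12:02 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.6]: 550 5.1.1 <20041112.1234@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.com> to=<20041112.1234@example.org> proto=ESMTP helo=<b.example.com>
Nov 12 06:12:03 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 550 5.1.1 <oldnews@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.com> to=<oldnews@example.org> proto=ESMTP helo=<c.example.com>
Nov 12 06:12:04 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from dsl-198-51-100-7.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dynablock.njabl.org; from=<d@example.com> to=<me@example.org> proto=ESMTP helo=<laptop>
Nov 12 06:12:05 mx postfix/smtpd[2105]: NOQUEUE: reject: ETRN from unknown[203.0.113.9]: 554 5.7.1 <example.org>: Etrn command rejected: Access denied; proto=ESMTP helo=<relay.example.net>
Nov 12 06:12:06 mx postfix/smtpd[2106]: connect from unknown[192.0.2.8]
"""

# stage = RCPT / MAIL / ETRN / ...; reason runs up to the "; from=" or "; proto=" trailer.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<enh>\d\.\d\.\d) (?P<reason>.*?); (?=from=|proto=)(?P<rest>.*)$"
)


def classify_reject(stage, reason):
    """Collapse a reject reason to a short category, like the labels quoted in the thread."""
    m = re.search(r"blocked using (\S+)", reason)
    if m:
        return "RBL " + m.group(1).rstrip(";")
    if stage == "ETRN":
        return "ETRN"
    if "User unknown" in reason:
        return "User unknown"
    # Generic fallback: drop the leading "<address>: " and mask "[ip]" so equal reasons collapse.
    reason = re.sub(r"^<[^>]*>: ", "", reason)
    return re.sub(r"\[[^\]]*\]", "[...]", reason)


def tally_rejects(log_text):
    """Count rejects by category, by rejected recipient (RCPT stage only) and by client."""
    reasons, recipients, clients = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail, connects, disconnects, ...
        reasons[classify_reject(m["stage"], m["reason"])] += 1
        clients[m["client"]] += 1
        to = re.search(r"\bto=<([^>]*)>", m["rest"])
        if to and m["stage"] == "RCPT":
            recipients[to.group(1)] += 1
    return {"reasons": reasons, "recipients": recipients, "clients": clients}


def report_lines(tally):
    """Lines in the '   count reason' shape the thread quotes, most frequent first."""
    return [f"{n:>7} {reason}" for reason, n in tally["reasons"].most_common()]


if __name__ == "__main__":
    t = tally_rejects(SAMPLE_MAIL_LOG)
    for row in report_lines(t):
        print(row)
    print("most-rejected recipients:", t["recipients"].most_common(3))
    print("most-rejected clients:", t["clients"].most_common(3))
```

The recipient counter is the piece that answers the "who are these non-existent accounts" question: a handful of addresses taking most of the hits points at harvested archives, while thousands of distinct message-id-shaped local parts point at a buggy harvester, which is the split described above.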
Re: exim or postfix
also sprach John Goerzen <[EMAIL PROTECTED]> [2004.11.12.0612 +0100]:
> And I get many legitimate e-mails with a bad HELO. In fact,
> I would argue that your rule here is wrong. If I send you an
> e-mail from my laptop, it is not going to send you an address of
> a server that can receive mail (or has a DNS entry) in HELO, but
> everything else will be valid, and I argue that this is OK.

If you send me mail from your laptop without going via a proper relay, I will reject it too. Use your ISP mail relays! If they suck, switch ISPs. If that's not possible, pool with others and run a proper MTA. Or convince me (or others here) that you need a proper relay, and we'll give you SASL access. Or get a gmx.net account. Mail was not supposed to be sent from leaf nodes.

--
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!