Re: sa 32x-branch 'make test' fails @ t/spamc_optL.t (among others ...) on freebsd

2007-12-31 Thread Justin Mason
first of all, try setting the env var SPAMD_HOST to the IP address the jail can
use for localhost.  if that doesn't work open a bug -- but bear in mind that it
will probably only get attention from other jail users.  if the local security
policy inhibits use of localhost, the typical answer would be "well, fix the
security policy then!"

--j.

On Dec 31, 2007 12:13 AM, snowcrash+sa [EMAIL PROTECTED] wrote:
 noting that

 (a) these errors have appeared before
 (b) you've some suspicion that it may be related to issue w/ solaris zones
 (c) y'all are goin' great-guns on -devel wrapping up bugs for 324

 should i open a bug on this? or is it something that'll get some
 attention anyway?

 thanks!




Re: SA 32x build not finding openssl headers on FreeBSD?

2007-12-31 Thread Justin Mason
some suggestions:

   cd /usr/local/build/spamassassin
   perl Makefile.PL \
       PREFIX=/usr/local \
       DATADIR=/usr/local/etc/SA/Dist \
       CONFDIR=/usr/local/etc/SA/Local \
       LOCALSTATEDIR=/usr/local/etc/SA/Updates \
       ENABLE_SSL=yes

so far so good...

   cd /usr/local/build/spamassassin/spamc
   perl version.h.pl
   ./configure --enable-ssl
   cd ../

those should not be necessary.  Makefile.PL will call the spamc
configure script with the appropriate
args (including a few you're missing)...

--j.

   make
   make install

 kind of odd that the CFLAGS spec is req'd ... don't know whether
 that's expected behavior /or something that can/should be
 accommodated in the port.

 cheers!




Re: SA 32x build not finding openssl headers on FreeBSD?

2007-12-31 Thread snowcrash+sa
cd /usr/local/build/spamassassin/spamc
perl version.h.pl
./configure --enable-ssl
cd ../

 those should not be necessary.  Makefile.PL will call the spamc
 configure script with the appropriate
 args (including a few you're missing)...

admittedly, those are fairly-old-problem holdovers ... and i stand corrected.

with 'just',

 setenv LDFLAGS   -L/usr/local/lib
 setenv CPPFLAGS  -I/usr/local/include
 setenv CFLAGS    $CPPFLAGS

 perl Makefile.PL \
  PREFIX=/usr/local \
  DATADIR=/usr/local/etc/SA/Dist \
  CONFDIR=/usr/local/etc/SA/Local \
  LOCALSTATEDIR=/usr/local/etc/SA/Updates \
  ENABLE_SSL=yes
 make install

i get,

  ls -al /usr/local/bin/spamc
-r-xr-xr-x  1 root  wheel  54578 Dec 31 07:03 /usr/local/bin/spamc*

  ldd /usr/local/bin/spamc
/usr/local/bin/spamc:
libssl.so.5 => /usr/local/lib/libssl.so.5 (0x80063b000)
libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x800784000)
libz.so.3 => /lib/libz.so.3 (0x800a1a000)
libc.so.6 => /lib/libc.so.6 (0x800b2e000)

i.e., for now, for me, just the CFLAGS == CPPFLAGS is req'd.

thanks.


Re: sa 32x-branch 'make test' fails @ t/spamc_optL.t (among others ...) on freebsd

2007-12-31 Thread snowcrash+sa
hi justin,

 first of all, try setting the env var SPAMD_HOST to the IP address the jail 
 can
 use for localhost.

ok.

tried that.  didn't help :-/

although, take a look at the test details @
http://issues.apache.org/SpamAssassin/attachment.cgi?id=4222&action=edit

despite setting SPAMD_HOST, there's still a lot of 127.0.0.1 refs ...
and none to the IP I set.  the ENV var isn't picking up -- did i bork
that as well?

 if that doesn't work open a bug

done.  http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5761

 but bear in mind that it will probably only get attention from other jail
 users

heh. understood. and, expected.

alas, i know it's wasted breath to argue that the prevalence of SA-(
everything else, for that matter)-in-jails/VMs is only going to
increase, and that this will not be an atypical use-case ... but, for
now, NIH-syndrome, i s'pose ;-)

thanks!

cheers.


Re: sa 32x-branch 'make test' fails @ t/spamc_optL.t (among others ...) on freebsd

2007-12-31 Thread Michael Parker


On Dec 31, 2007, at 10:23 AM, snowcrash+sa wrote:



but bear in mind that it will probably only get attention from  
other jail

users


heh. understood. and, expected.

alas, i know it's wasted breath to argue that the prevalence of SA-(
everything else, for that matter)-in-jails/VMs is only going to
increase, and that this will not be an atypical use-case ... but, for
now, NIH-syndrome, i s'pose ;-)



Not wasted breath as long as you'll accept:

Patches Welcome!

as a response :)

Michael


Re: sa 32x-branch 'make test' fails @ t/spamc_optL.t (among others ...) on freebsd

2007-12-31 Thread snowcrash+sa
 Not wasted breath as long as you'll accept:

 Patches Welcome!

 as a response :)

heh!  you have that response on auto dial, doncha?  come on, now --
fess up ;-) (p.s., i wasn't referring to those -- such as yourself --
already *on* the 'right' side of the argument)

yes. patches.  once a problem is understood as actually *being* a
problem. or just plain understood. which, in this case, it isn't.
works on OSX, doesn't on FreeBSD/JAIL.  no clue -- yet -- as to why.

and, might i suggest, soliciting & accepting such patches from a
first-timer (namely, atm, 'me'), is a questionable venture ... but
i'll happily 'spew-n-share' if/when/how i do!

cheers.


DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread Mike Cisar
Hi All,

A bit off topic since the users are all unknown so the traffic never makes
it to my spamassassin.  But I am hoping that someone here may have seen the
same thing and have a solution for making the problem go-away :-)

I'm not sure whether it's supposed to be a DDOS attack, a dictionary attack,
bunch-o-bots or what.  Since about the 26th of Dec I've had one particular
mailserver that has been dealing with a constant stream of crap... all
emails to unknown users, all of the email addresses seem consistent (either
3 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and
another uppercased 'syllable'... or 2 uppercased 'syllables').  They don't
seem to be coming from any consistent IP address (or region).  Problem is of
course that the mailserver's connections get tied up processing rejecting
this crap (and of course it's chewing up my transfer allocation bit by tiny
bit).

The addresses are similar to these...

IgnaciogalvestonBriggs@
DallasexhibitionAlvarado@
ReginaldFleming@

Even tried yanking the IP address off of the server over the holidays in the
hope that whatever it was would just give up.  No such luck, within a minute
of reactivating the IP to the server this morning the traffic was back to
full flow.

Cheers,
 Mike 

Re: sa 32x-branch 'make test' fails @ t/spamc_optL.t (among others ...) on freebsd

2007-12-31 Thread Justin Mason
On Dec 31, 2007 5:37 PM, snowcrash+sa [EMAIL PROTECTED] wrote:
  Not wasted breath as long as you'll accept:
 
  Patches Welcome!
 
  as a response :)

 heh!  you have that response on auto dial, doncha?  come on, now --
 fess up ;-) (p.s., i wasn't referring to those -- such as yourself --
 already *on* the 'right' side of the argument)

 yes. patches.  once a problem is understood as actually *being* a
 problem. or just plain understood. which, in this case, it isn't.
 works on OSX, doesn't on FreeBSD/JAIL.  no clue -- yet -- as to why.

 and, might i suggest, soliciting & accepting such patches from a
 first-timer (namely, atm, 'me'), is a questionable venture ... but
 i'll happily 'spew-n-share' if/when/how i do!

I should point out -- half of the attention from jail users comment has
to do with another issue -- only people with jails can effectively test
any potential fix.  That poses a big problem for developers testing.

--j.


Re: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread Bookworm

Mike Cisar wrote:

Hi All,

A bit off topic since the users are all unknown so the traffic never makes
it to my spamassassin.  But I am hoping that someone here may have seen the
same thing and have a solution for making the problem go-away :-)

I'm not sure whether it's supposed to be a DDOS attack, a dictionary attack,
bunch-o-bots or what.  Since about the 26th of Dec I've had one particular
mailserver that has been dealing with a constant stream of crap... all
emails to unknown users, all of the email addresses seem consistent (either
3 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and
another uppercased 'syllable'... or 2 uppercased 'syllables').  They don't
seem to be coming from any consistent IP address (or region).  Problem is of
course that the mailserver's connections get tied up processing rejecting
this crap (and of course it's chewing up my transfer allocation bit by tiny
bit).

The addresses are similar to these...

IgnaciogalvestonBriggs@
DallasexhibitionAlvarado@
ReginaldFleming@

Even tried yanking the IP address off of the server over the holidays in the
hope that whatever it was would just give up.  No such luck, within a minute
of reactivating the IP to the server this morning the traffic was back to
full flow.
  
I don't know that it will really help, but I know that on the qmail 
servers that I've been building, John Simpson wrote a patch that looks 
for that.  It's called validrcptto.   It looks for users existing on the 
system before accepting any emails (using a cdb file format), and 
rejects those instantly that don't exist.  For situations like yours, 
it has a 'strikes' rule that you can enable.


That is, if a specific IP address tries sending to bad users more than X 
number of times, it then blocks that IP address from connecting at all 
for a set period of time. 

Whatever your MTA might be, there may be similar functionality that you 
can build into the SMTPD process, or at least, that you can put in FRONT 
of the SMTPD process.


Good luck with it!



Re: sa 32x-branch 'make test' fails @ t/spamc_optL.t (among others ...) on freebsd

2007-12-31 Thread snowcrash+sa
 I should point out -- half of the attention from jail users comment has
 to do with another issue -- only people with jails can effectively test
 any potential fix.  That poses a big problem for developers testing.

i think sidney's seeing it in/on non-jail osx, as well & cref: the bug.

cheers.


Re: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread John D. Hardin
On Mon, 31 Dec 2007, Mike Cisar wrote:

 Even tried yanking the IP address off of the server over the
 holidays in the hope that whatever it was would just give up.  No
 such luck, within a minute of reactivating the IP to the server
 this morning the traffic was back to full flow.

Tarpit 'em.

http://sourceforge.net/projects/labrea

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]                     FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office as the
  development of a standard document format.
---
 145 days until the Mars Phoenix lander arrives at Mars



RE: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread Mike Cisar
  I'm not sure whether it's supposed to be a DDOS attack, a dictionary
 attack,
  bunch-o-bots or what.  Since about the 26th of Dec I've had one
 particular
  mailserver that has been dealing with a constant stream of crap...

 That is, if a specific IP address tries sending to bad users more than
 X
 number of times, it then blocks that IP address from connecting at all
 for a set period of time.

That was my first thought, unfortunately I don't seem to get any more than 1
or 2 attempts from any given IP address (probably due to my server dropping
the connection based on some existing configuration I have in place).  But
the same will then happen from another IP, in a different part of the world,
addressed to a different but similar non-existing address... and so on, and
so on.  I haven't counted, but based on the flow, I'd estimate I've seen
about 1000 distinct IP's... that is what leads me to believe it's some sort
of distributed attack.  There are some repeat recipients, from different
IP's at different times.  Like a whole bunch of little zombies all working
off of the same list.

Cheers,
 Mike 
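The "strikes" rule Bookworm describes (block an IP after X bad-recipient attempts for a set period) and Mike's counter-observation (one or two attempts per IP, about a thousand distinct IPs, the same recipients recurring from different IPs) can both be checked against the mail log. The script below is an added example, not code from the thread or from validrcptto: it parses a handful of constructed Postfix-style "User unknown" reject lines (the addresses are the thread's three samples plus one invented one; the IPs are documentation ranges), applies a strikes rule with an assumed threshold and window, and summarises how the rejects are spread over source IPs and recipients. Log format, thresholds and sample data are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a Postfix-like "reject: RCPT from" format.
# Not taken from the thread; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 31 07:01:02 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <IgnaciogalvestonBriggs@example.net>: Recipient address rejected: User unknown
Dec 31 07:01:05 mx postfix/smtpd[2]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 550 5.1.1 <DallasexhibitionAlvarado@example.net>: Recipient address rejected: User unknown
Dec 31 07:01:09 mx postfix/smtpd[3]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ReginaldFleming@example.net>: Recipient address rejected: User unknown
Dec 31 07:01:15 mx postfix/smtpd[4]: NOQUEUE: reject: RCPT from unknown[192.0.2.19]: 550 5.1.1 <IgnaciogalvestonBriggs@example.net>: Recipient address rejected: User unknown
Dec 31 07:01:20 mx postfix/smtpd[5]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 550 5.1.1 <MarthaJenkins@example.net>: Recipient address rejected: User unknown
Dec 31 07:01:31 mx postfix/smtpd[6]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <DallasexhibitionAlvarado@example.net>: Recipient address rejected: User unknown
Dec 31 07:20:00 mx postfix/smtpd[7]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ReginaldFleming@example.net>: Recipient address rejected: User unknown
"""

# Matches only "User unknown" RCPT rejects; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<ip>[0-9.]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: .*User unknown"
)


def parse_rejects(log_text, year=2007):
    """Return a list of (timestamp, client_ip, recipient) for each bad-recipient reject.
    syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"].lower()))
    return events


def strike_blocks(events, max_strikes=3, window=timedelta(minutes=10),
                  block_for=timedelta(hours=1)):
    """validrcptto-style 'strikes' rule (thresholds assumed): after max_strikes
    bad-recipient attempts from one IP within `window`, block that IP for
    `block_for`.  Returns (ip -> blocked-until, attempts that hit an active block)."""
    strikes = defaultdict(list)
    blocked_until = {}
    blocked_attempts = 0
    for ts, ip, _ in sorted(events):
        until = blocked_until.get(ip)
        if until and ts < until:
            blocked_attempts += 1          # would have been refused at connect
            continue
        recent = [t for t in strikes[ip] if ts - t <= window] + [ts]
        strikes[ip] = recent
        if len(recent) >= max_strikes:
            blocked_until[ip] = ts + block_for
            strikes[ip] = []
    return blocked_until, blocked_attempts


def distribution(events):
    """How the rejects spread over sources and targets: many IPs with one or two
    attempts each plus recipients recurring across IPs is the botnet shape Mike
    describes, and the case where per-IP strikes buy little."""
    per_ip = Counter(ip for _, ip, _ in events)
    per_rcpt = Counter(r for _, _, r in events)
    return {
        "distinct_ips": len(per_ip),
        "attempts_per_ip": per_ip,
        "ips_with_one_or_two": sum(1 for n in per_ip.values() if n <= 2),
        "repeat_recipients": sorted(r for r, n in per_rcpt.items() if n > 1),
    }


if __name__ == "__main__":
    evs = parse_rejects(SAMPLE_LOG)
    blocked, hits = strike_blocks(evs)
    print("blocked:", {ip: t.isoformat() for ip, t in blocked.items()}, "later attempts refused:", hits)
    print(distribution(evs))
```

With the sample data only one IP ever reaches the threshold; the other three sources make a single attempt each, so the strikes rule never fires for them even though they account for most of the distinct addresses tried. Running the same summary over a real day of logs tells you which of the two situations you are in before you spend effort on per-IP blocking.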



Re: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread Joseph Brennan


Mike Cisar [EMAIL PROTECTED] wrote:


They don't seem to be coming from any
consistent IP address (or region).  Problem is of course that the
mailserver's connections get tied up processing rejecting this crap (and
of course it's chewing up my transfer allocation bit by tiny bit).

The addresses are similar to these...

IgnaciogalvestonBriggs@
DallasexhibitionAlvarado@
ReginaldFleming@



I see them here too (columbia.edu).  Sometimes the sender domain does
not exist, and otherwise the recipient is no good.  There are not many
that get as far as a milter, but here are some.  Looks like gambling.

Example 1: Rejected for a one-word HELO (i.e. it had no dots).  Its
subject was Single-hand blackjack..

Example 2: Sender host was in Spamhaus.  Come see what it means to be
a VIP.

Example 3: Another Spamhaus catch.  Get your bonus and walk the red
carpet to winnings and fun.

Note in passing, envelope senders =~ /[A-Z][a-z]+[A-Z][a-z]\@/  seem
to be quite rare, other than spam.  I don't know what is in the header
From: since I can't find any reported to us.

The unknown senders and recipients should be a fast rejection.  You can
stop at MAIL or RCPT.  You can't get better than that unless you can
reject by sender IP, which is not practical with a botnet.


Joseph Brennan
Columbia University Information Technology



RE: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread Joseph Brennan



--On Monday, December 31, 2007 4:00 PM -0700 Mike Cisar 
[EMAIL PROTECTED] wrote:



I haven't counted, but based on the flow, I'd estimate I've seen
about 1000 distinct IP's... that is what leads me to believe it's some
sort of distributed attack.  There are some repeat recipients, from
different IP's at different times.  Like a whole bunch of little zombies
all working off of the same list.



That's what a spam botnet looks like.  There are usually a few hundred
thousand hosts working the same list.  If you have not seen this many
times before, lucky you.

Joseph Brennan
Columbia University Information Technology





Re: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread mouss
John D. Hardin wrote:
 On Mon, 31 Dec 2007, Mike Cisar wrote:

   
 Even tried yanking the IP address off of the server over the
 holidays in the hope that whatever it was would just give up.  No
 such luck, within a minute of reactivating the IP to the server
 this morning the traffic was back to full flow.
 

 Tarpit 'em.

 http://sourceforge.net/projects/labrea
   

Tarpitting may not be the right answer, because they have a lot more
resources than us (greetpause seems to work, if you use an asynchronous
server or proxy, i.e. one which can do other things while sleeping).

you can reduce the load by having your server drop the connection when
it rejects the mail, using 421 code.
depending on the server, it may be possible to do this at connection
time using zen.spamhaus.org (which lists many zombies).

It may also be good to reduce the timeout when the server is under attack.
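Joseph Brennan's list of cheap early checks (one-word HELO, non-existent sender domain, the CamelCase-pair sender pattern, unknown recipient, rejecting at MAIL or RCPT rather than later) and mouss's two additions (a 421 so the client is disconnected on reject, and a zen.spamhaus.org lookup at connect time) fit together as a single staged policy. The model below is an added example, not code from the thread or from any MTA: it evaluates a constructed SMTP session and reports the first stage at which it would be refused. The sender regex is Brennan's, with a `+` added to the final `[a-z]` so that it actually matches the three sample addresses (an assumption about a dropped character); the DNS, recipient-table and DNSBL lookups are replaced by constructed in-memory sets, which are assumptions too.

```python
import re
from dataclasses import dataclass

# Brennan's envelope-sender pattern, assumed to have lost a trailing '+'.
SUSPECT_SENDER_RE = re.compile(r"[A-Z][a-z]+[A-Z][a-z]+@")

# Constructed stand-ins for lookups a real MTA would do at each stage.
KNOWN_DOMAINS = {"partner.example", "example.net"}          # stand-in for DNS existence check
LOCAL_USERS = {"bob@example.net", "carol@example.net"}      # stand-in for validrcptto-style table
DNSBL_LISTED = {"203.0.113.44"}                             # stand-in for zen.spamhaus.org result


@dataclass
class Session:
    client_ip: str
    helo: str
    mail_from: str
    rcpt_to: str


def evaluate(s, under_attack=False):
    """Return (stage, smtp_code, reason) for the earliest point the session is refused,
    or ("DATA", 250, ...) if it survives to content filtering.
    When under_attack is set, refusals use 421 so the client is disconnected at once
    (mouss's suggestion) instead of being left free to try more recipients, and the
    sender-pattern match is promoted from 'note for the content filter' to a reject."""
    code = 421 if under_attack else 550

    # Connect time: a listed zombie never gets to say HELO.
    if s.client_ip in DNSBL_LISTED:
        return ("CONNECT", code, "client listed in DNSBL")

    # HELO: a single word with no dots is not a host name.
    if "." not in s.helo:
        return ("HELO", code, "one-word HELO")

    # MAIL: a sender domain that does not exist can be refused immediately.
    domain = s.mail_from.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_DOMAINS:
        return ("MAIL", code, "sender domain does not exist")
    suspicious = bool(SUSPECT_SENDER_RE.search(s.mail_from))
    if suspicious and under_attack:
        return ("MAIL", code, "sender matches CamelCase-pair pattern")

    # RCPT: unknown user, the rejection the thread is all about.
    if s.rcpt_to.lower() not in LOCAL_USERS:
        return ("RCPT", code, "user unknown")

    note = "accept; sender pattern suspicious, leave to content filter" if suspicious else "accept"
    return ("DATA", 250, note)


# Constructed sessions: three shaped like the traffic in the thread, one legitimate.
SESSIONS = [
    Session("198.51.100.7", "pc", "promo@casino.example", "ignaciogalvestonbriggs@example.net"),
    Session("203.0.113.44", "mail.zombie.example", "x@casino.example", "bob@example.net"),
    Session("192.0.2.19", "mail.nowhere.example", "DallasexhibitionAlvarado@nonexistent.example", "bob@example.net"),
    Session("192.0.2.20", "mail.partner.example", "IgnaciogalvestonBriggs@partner.example", "nobody@example.net"),
    Session("192.0.2.21", "mail.partner.example", "alice@partner.example", "bob@example.net"),
]


def run_all(under_attack=False):
    return [evaluate(s, under_attack) for s in SESSIONS]


if __name__ == "__main__":
    for mode in (False, True):
        print("under_attack =", mode)
        for s, result in zip(SESSIONS, run_all(mode)):
            print(f"  {s.client_ip:15} {result}")
```

Two things the run makes visible: every spam-shaped session is gone before DATA, which is where the cost of a botnet connection is lowest, and the only difference between the normal and the under-attack columns is the code (421 versus 550) plus the one session that the sender pattern alone catches. That split keeps the pattern from costing legitimate mail when nothing is going on, which is the concern Matthias raises in the next message.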

Re: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread Matthias Schmidt
Happy New Year everyone :-)

Am/On Tue, 1 Jan 2008 04:20:42 +0100 schrieb/wrote mouss:

John D. Hardin wrote:
 On Mon, 31 Dec 2007, Mike Cisar wrote:


 Even tried yanking the IP address off of the server over the
 holidays in the hope that whatever it was would just give up.  No
 such luck, within a minute of reactivating the IP to the server
 this morning the traffic was back to full flow.


 Tarpit 'em.

 http://sourceforge.net/projects/labrea


Tarpitting may not be the right answer, because they have a lot more
resources than us (greetpause seems to work, if you use an asynchronous
server or proxy, i.e. one which can do other things while sleeping).

you can reduce the load by having your server drop the connection when
it rejects the mail, using 421 code.
depending on the server, it may be possible to do this at connection
time using zen.spamhaus.org (which lists many zombies).

It may also be good to reduce the timeout when the server is under attack.

but could this not also cause losing legitimate email?

my server was also under attack 2 or 3 months ago.
I tried the same thing as the op (listing ips in the fw etc), but these
things didn't help at all.

Most of the mails (90%) were already dropped, because the ip didn't
resolve (cannot find your hostname), the next 9.9% were caught by
blacklists and only a very little number was rejected, because of
unknown user name.
One possibility might be to do the ip-check already through a hardware-
firewall.

But one actually can't do anything against the traffic coming to one's
indoor.

best wishes to everybody (not to the spamsenders of course ;-) for 2008

Matthias