On 2013-W10-4 19:20 -0700, Bob Beck wrote:


>> I think this should not only be addressed in the documentation (for
>> pcap-filter, spamd -M / spamlogd, pf.conf log/rdr-to / pflogd,
>> tcpdump), but in the actual spamlogd code changes, too -- it should
>> be smart enough to not automatically whitelist the connections that
>> are rewritten to the default spamd port.
>
> Constantine, this statement of yours makes no sense. spamlogd only
> pays attention to connections to port 25. spamlogd listens on 8025.
> Unless you are doing something crazy in your pf.conf.

Nothing crazier than what's in my prior message, just a few extra rules for gif0.

I'm telling you, Bob, spamlogd whitelists those connections that go to spamd, to port 8025! No kidding! Yes, not 25, but 8025!

This is a sample rule that causes the default spamlogd to immediately whitelist the spammer:

pass in log on re0 proto tcp from any os Windows to any port smtp \
   rdr-to 127.0.0.1 port spamd

If you don't believe me, just try it out.

Else, and although not related to pcap(3), how do you expect that spamd -M works, when the dst address gets rewritten to 127.0.0.1?

I'm surprised I'm the first person with this problem; I presume a lot of prior people just thought they were crazy, and gave up.

I have a vague recollection of encountering it back in 3.6 days or so.

So, you do agree this is not something that should be happening, right?

Cheers,
Constantine.
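
Added example, not part of the original message or of OpenBSD's code: a small Python check that lists pf.conf rules with the shape reported above (a logged pass/match rule for SMTP traffic that also does rdr-to the spamd port) so they can be reviewed. The function names and the sample ruleset are constructed; macros and `{ }` port lists are not expanded, and it takes no position on what spamlogd does with such rules.

```python
# Ports as named in the message: "smtp" is 25, "spamd" is 8025.
SMTP_PORTS = {"smtp", "25"}
SPAMD_PORTS = {"spamd", "8025"}

def logical_rules(text):
    """Yield (first_line_number, rule) with '#' comments stripped and
    backslash continuations joined, as pf.conf allows."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        rule = " ".join(" ".join(buf).split())  # collapse whitespace
        if rule:
            yield start, rule
        buf, start = [], None

def ports_after(tokens):
    """Collect the token that follows each 'port' keyword."""
    return {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "port"}

def logged_spamd_redirects(text):
    """Return (line, rule) for rules that log SMTP traffic and rdr-to spamd."""
    hits = []
    for n, rule in logical_rules(text):
        tokens = rule.split()
        if tokens[0] not in ("pass", "match") or "rdr-to" not in tokens:
            continue
        i = tokens.index("rdr-to")
        to_smtp = ports_after(tokens[:i]) & SMTP_PORTS
        to_spamd = ports_after(tokens[i + 1:]) & SPAMD_PORTS
        if "log" in tokens and to_smtp and to_spamd:
            hits.append((n, rule))
    return hits

# Constructed sample ruleset; the first rule is the one quoted in the message.
SAMPLE = r"""# constructed sample
pass in log on re0 proto tcp from any os Windows to any port smtp \
   rdr-to 127.0.0.1 port spamd
pass in on re0 proto tcp to any port smtp rdr-to 127.0.0.1 port spamd
pass in log on re0 proto tcp to any port smtp
"""

if __name__ == "__main__":
    for n, rule in logged_spamd_redirects(SAMPLE):
        print(f"line {n}: logged redirect to spamd: {rule}")
```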
