I've been VERY pleased with spamd performance on my system. My mail
volume is so low (~300 msgs/day) that I may consider removing
SpamAssassin, because spamd catches just about everything. I've gone
from about 80 spam messages caught by SA to less than 2 caught, per day.
Users are also reporting few to NO spam making it past the filters.

However, I also have controls in place on my Postfix installation to
prevent delivery of messages to non-existent accounts. The weird thing
is, for about the last month or so, I've been catching just about 100%
spam BEFORE it gets to SpamAssassin. However, Postfix has been catching
between 5 and 20 messages per day that have a null sender address.

So I have two main questions at this point:
1) Does it make sense to have spamd discard malformed sender / recipient
addresses? In this case, there is no envelope sender address at all,
which I seem to recall violates an RFC.

2) Spamd was seemingly targeted by this spammer. However, to date there
hasn't been a big influx of spam to my site. It almost seems like a
surgical strike to get IP addresses added to my spamdb whitelist, until
the "second wave" of overwhelming junk can come through.

Only one message came in, and obviously it wasn't too important to the
spammer to get anyone to read it, so it almost seems like a decoy. What
additional information should I look for to keep this from happening in
the future?

If this is a weakness of spamd, I'm perfectly happy to rely on a second
or third layer to handle spam removal -- I have Postfix and SA in place
to do just that. But since spamd is the "cheapest" solution, I prefer to
do as much there as I can. :)

For example, yesterday's Postfix report showed the following:

message reject detail
---------------------
  RCPT
    Recipient address rejected: User unknown in local recipient table (total: 5)
           1   [EMAIL PROTECTED]  (<>)
           1   [EMAIL PROTECTED]  (<>)
           1   [EMAIL PROTECTED]  (<>)
           1   [EMAIL PROTECTED]  (<>)
           1   [EMAIL PROTECTED]  (<>)

2 of the 5 messages came to me via a backup MX, so I don't expect spamd
to be much help there -- that IP sends me lots of mail, so it's
naturally whitelisted. On the other hand, 3 of them came from unique IPs
that I first saw yesterday.

The message to [EMAIL PROTECTED] showed the following in my maillog:
Jan 16 22:47:10 thomas postfix/smtpd[3009]: connect from ns.cvlan.net[82.103.87.1]
Jan 16 22:47:11 thomas postfix/smtpd[3009]: NOQUEUE: reject: RCPT from ns.cvlan.net[82.103.87.1]: 550 5.1.1 <[EMAIL PROTECTED]>: Recipient address rejected: User unknown in local recipient table
Jan 16 22:47:11 thomas postfix/smtpd[3009]: disconnect from ns.cvlan.net[82.103.87.1]

And that IP showed up in my spamd log:
Jan 16 21:47:07 thomas spamd[18929]: 82.103.87.1: connected (1/0)
Jan 16 21:47:19 thomas spamd[18929]: 82.103.87.1: disconnected after 12 seconds.
Jan 16 21:53:49 thomas spamd[18929]: 82.103.87.1: connected (1/0)
Jan 16 21:54:00 thomas spamd[18929]: 82.103.87.1: disconnected after 11 seconds.
Jan 16 22:13:49 thomas spamd[18929]: 82.103.87.1: connected (1/0)
Jan 16 22:14:00 thomas spamd[18929]: 82.103.87.1: disconnected after 11 seconds.

And spamdb showed the following:
WHITE|82.103.87.1|||1169002039|1169003640|1172116030|3|1

The first time is Jan 16, 21:47 and the second time is Jan 16, 22:14.


OpenBSD 4.0-stable (GENERIC.MP) #1: Wed Jan 10 15:29:35 EST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP

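An added example, not part of the original post: decoding the spamdb WHITE entry quoted above into a timeline that can be laid next to the spamd and Postfix logs. It assumes the field layout documented in spamdb(8), a host clock at UTC-5 (suggested by the "EST" kernel build stamp), and spamd's default whitelist lifetime of 864 hours; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: host logs in US Eastern standard time (UTC-5), per the
# "EST 2007" build stamp in the post.
EST = timezone(timedelta(hours=-5))
# Assumption: default spamd whitelist lifetime (whiteexp) of 864 hours.
WHITEEXP = timedelta(hours=864)

# Entry copied from the post.
SPAMDB_LINE = "WHITE|82.103.87.1|||1169002039|1169003640|1172116030|3|1"


def parse_white(line):
    """Split a spamdb WHITE entry into named fields (layout per spamdb(8))."""
    parts = line.strip().split("|")
    if len(parts) != 9 or parts[0] != "WHITE":
        raise ValueError("not a 9-field WHITE entry: %r" % line)
    _kind, ip, _empty1, _empty2, first, passed, expire, block, pcount = parts

    def ts(value):
        return datetime.fromtimestamp(int(value), EST)

    return {"ip": ip, "first": ts(first), "pass": ts(passed),
            "expire": ts(expire), "block": int(block), "pcount": int(pcount)}


def summarize(entry):
    """Derive the values an operator would compare against maillog."""
    return {
        # Time between first greylisted attempt and promotion to WHITE.
        "grey_delay": entry["pass"] - entry["first"],
        # Inference: expire is refreshed to "now + whiteexp" when passed
        # traffic is seen, so expire - whiteexp approximates the last time
        # the host reached the real MTA.
        "last_pass_seen": entry["expire"] - WHITEEXP,
        "tempfails": entry["block"],       # 451s handed out by spamd
        "passed_to_mta": entry["pcount"],  # connections seen passing to the MTA
    }


if __name__ == "__main__":
    e = parse_white(SPAMDB_LINE)
    s = summarize(e)
    print(e["ip"], "first seen", e["first"].isoformat())
    print("whitelisted  ", e["pass"].isoformat(), "after", s["grey_delay"])
    print("last passed  ", s["last_pass_seen"].isoformat())
    print("tempfails:", s["tempfails"], "passed:", s["passed_to_mta"])
```

The decoded values line up with the logs in the post: three temporary failures matching the three spamd sessions, promotion at the third disconnect, and a derived last-pass time equal to the Postfix connect at 22:47:10.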