Re: spamd greylisting: false positives

[Stuart Henderson]

On 2012-05-28, David Diggles da...@elven.com.au wrote:
 So there you have it.  Don't use spamd with greytrapping if your
 secondary MX is going to deliver a bounce.  It will confuse SMTP
 servers into giving up.

well, that doesn't just apply to spamd.. you are better off not listing
a secondary MX unless it's A) working and B) has equalyl strong or better
spam controls as the primary MX

Re: spamd greylisting: false positives

[Stuart Henderson]

On 2012-05-27, David Diggles da...@elven.com.au wrote:
From:   Stuart Henderson stu () spacehopper ! org
Date:   2012-05-27 22:29:50

On 2012-05-27, David Diggles da...@elven.com.au wrote:
 Bummer, I have forgotten to pflog the spamd connections to lo0

So this breaks spamlogd which means servers will expire from the
greylist even if they mail you regularly..

 Do you mean this pf rule

 pass in log on egress proto tcp from any to egress \
 port smtp rdr-to 127.0.0.1 port spamd synproxy state

 breaks spamlogd?

 Would you mind explaining why, and how I can un-break it?



Ah sorry I misread, I thought you had written that you weren't logging the
SMTP connections, not the spamd connections..

Re: spamd greylisting: false positives

[Peter N. M. Hansteen]

David Diggles da...@elven.com.au writes:

 So there you have it.  Don't use spamd with greytrapping if your
 secondary MX is going to deliver a bounce.  It will confuse SMTP
 servers into giving up.

Secondary MXes that are not set up to actually receive mail for your
domain is one thing (annoying, but just a simple misconfiguration),
another thing you need to do is make sure the secondaries have the same
or equivalent level of spam and malware protection.  That's where things
like spamd's syncronization options come in handy. 

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: spamd greylisting: false positives

[Henning Brauer]

* David Diggles da...@elven.com.au [2012-05-28 02:44]:
 Why shouldn't I?
 
 These guys do in their example.
 https://calomel.org/spamd_config.html

that alone is a reason to not do it.

really, everything on calomel.org is garbage. you are best off to
ignore it.

i wish somebody would track this guy don, explain hom how his garbage
hurts the community, and makes him remove it.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

Re: spamd greylisting: false positives

[Peter N. M. Hansteen]

In response to various tidbits that popped up in this thread, I put
together some notes on setting up a sane email system, in a works for
me article:

http://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: spamd greylisting: false positives

[obsd]

-Ursprungligt meddelande-
Fren: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Fvr David
Diggles
Skickat: den 27 maj 2012 02:53
Till: misc@openbsd.org
Dmne: Re: spamd greylisting: false positives

This may seem like a dead horse to some by now, but I am disappointed no one
replied to the msg, I supplied the detailed event information with
timestamps, regarding lists.openbsd.org mails not being whitelisted by spamd
when run in greylist mode.

RFC282, 4.5.4.1 Sending Strategy:

   The sender MUST delay retrying a particular destination after one
   attempt has failed.  In general, the retry interval SHOULD be at
   least 30 minutes; however, more sophisticated and variable strategies
   will be beneficial when the SMTP client can determine the reason for
   non-delivery.

   Retries continue until the message is transmitted or the sender gives
   up; the give-up time generally needs to be at least 4-5 days.  The
   parameters to the retry algorithm MUST be configurable.

Yet I have been advised not to mess with the default timings with -G option.
It looks to me like the retry intervals of lists.openbsd.org are not
sufficient to get it whitelisted by spamd.

I am well beyond assuming anything, and prepared to learn / accept any
constructive advice.

Can anyone confirm they have the following scenario?

* A clean installed OpenBSD 5.1 configured as a primary MX
* Clean spamd settings, clean /var/db/spamd
* Default spamd with no options
* Default spamlogd with no options
* The pf.conf uses spamd entries from the example pf.conf from etc.tgz
* No manual whitelist entry for lists.openbsd.org
* Incoming from lists.openbsd.org is eventually whitelisted by spamd

I am just trying to learn the cause, and I have been fully prepared to wear
egg on my face if my own configuration is causing the problem.  I have not
yet proven this is the case.

I believe I have checked everything anyone suggested to check.

I really don't want my next check be to roll back to 4.9 and see if
lists.openbsd.org will auto whitelist like it previously did.

In hope,
David

On Sat, May 26, 2012 at 01:19:38PM +1000, David Diggles wrote:
 Ok I am still not getting emails from lists.openbsd.org (so
 please if you reply, cc to me).

 I restarted spamd at this time after deleting /var/db/spamd and
 clearing the bypass tables in pf at this time:

 2012-05-26 02:13:12 # /usr/libexec/spamd

 Here is the last message to make it to sendmail from misc:

 fgrep from= /var/log/maillog|fgrep owner-misc|tail -1|awk '{print
$1,$2,$3}'
 May 26 01:54:35

 The pf rules for spamd I have are taken from the default pf.conf:

 pass in on egress inet proto tcp from any to any port = 25 flags S/SA
 rdr-to 127.0.0.1 port 8025 pass in on egress proto tcp from nospamd
 to any port = 25 flags S/SA pass in log on egress proto tcp from
 spamd-white to any port = 25 flags S/SA pass out log on egress proto
 tcp from any to any port = 25 flags S/S

 It is currently Sat May 26 12:54:31 EST 201

 Times of passed smtp connections for May 26:

 tcpdump -n -e -ttt -r /var/log/pflog 21|fgrep .25:|\ fgrep 'May
 26'|awk '{print $3}'
 01:14:53.793995
 04:17:11.846707
 05:00:19.443080
 05:15:01.487277
 07:17:51.114440
 09:35:58.120098
 10:14:21.444822
 11:53:33.611903

 So I will skip the first entry when I grep for the ip addresses, with
 a tail +2 because it occurred
 *before* I reset everything.

 tcpdump -n -e -ttt -r /var/log/pflog 21|fgrep .25:|\ fgrep 'May
 26'|awk '{print $10}'|tail +2|\ awk -F. '{print
 $1.$2.$3.$4}'|sort -n
 17.254.6.112
 74.125.82.47
 113.172.232.215
 129.21.208.44
 202.58.38.80
 203.59.1.110
 206.46.252.115

 I have the following tables.

 pfctl -s Tables
 nospamd
 spamd-white

 Confirming against the spamd-white table

 pfctl -t spamd-white -Ts
17.254.6.112
74.125.82.47
113.172.232.215
129.21.208.44
202.58.38.80
203.59.1.110
206.46.252.115

 lists.openbsd.org = 192.43.244.163

 So nothing from misc has made it to sendmail since I emptied nospamd
 and spamd-white on pf.conf

 These are all the attempts from lists.openbsd.org since I cleared the
 spamdb and pf tables.

 fgrep 192.43.244.163 /var/log/spamd|fgrep 'May 26'
 May 26 02:53:48 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 02:54:00 skitL spamd[25502]: 192.43.244.163: disconnected after 12
seconds.
 May 26 03:00:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 03:00:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12
seconds.
 May 26 04:41:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 04:41:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12
seconds.
 May 26 05:04:19 skitL spamd[25502]: 192.43.244.163: connected (2/1)
 May 26 05:04:31 skitL spamd[25502]: 192.43.244.163: disconnected after 12
seconds.
 May 26 05:15:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 05:15:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12
seconds.
 May 26 05:19:36 skitL spamd[25502

Re: spamd greylisting: false positives

[David Diggles]

 Hi again David.
 If all the spamd settings are back to default, I would recommend trying to
 pinpoint where the problem is.
 Just to check if it could be something wrong with the syntax of your pf
 rules regarding spamd, just comment them out.
 pfctl -f /etc/pf.conf and run for a while and see if you receive any mails.
 
 /Hasse

I am running spamd in blacklist mode now, so I am once again receiving
the mailing list.

I think the default spamd timings do not give lists.openbsd.org enough time
to retransmit in the whitelist window.  It would be nice if someone else had
the time to attempt reproducing this.

This one you sent me earlier has some advice about tuning the timings,
https://calomel.org/spamd_config.html

In this section:
We suggest setting the pass time to as high as you are comfortable with.
Use a time between 10 and 55 minutes. You are welcome to set it as low as
2 minutes, but it is possible that some spammers might get white listed. After
setting up spamd take some time, go through the logs and look for patterns.
Adjust the pass time as necessary. ...

I realise I have been advised in the list here not to mess around with
the timings :P

Re: spamd greylisting: false positives

[David Diggles]

 What do you mean by running in blacklist mode ?
 Which settings are different from Grey trapping ?
 Are Openbsd mailing list the only list or mail you have problems with ?
 
 /Hasse

By blacklist mode, I mean this:

spamd -b
spamd-setup -b

pf.conf:
table spamd persist
pass in on egress proto tcp from spamd to any port smtp \
rdr-to 127.0.0.1 port spamd

The OpenBSD mailing list was not the only smtp server I was having
problems with.

Others included:

1. test email from my work account
2. business email from a wholesaler I have been organising purchase with

For sake of 2. I need to play safe for the time being, and suffer a
few extra incoming spams a day.  Once I have that sorted out, I will
be ready to try greylisting again.

Re: spamd greylisting: false positives

[Benny Lofgren]

Hi David,

On 2012-05-27 11.51, David Diggles wrote:
 Hi again David.
 If all the spamd settings are back to default, I would recommend trying to
 pinpoint where the problem is.
 Just to check if it could be something wrong with the syntax of your pf
 rules regarding spamd, just comment them out.
 pfctl -f /etc/pf.conf and run for a while and see if you receive any mails.

 /Hasse
 
 I am running spamd in blacklist mode now, so I am once again receiving
 the mailing list.
 
 I think the default spamd timings do not give lists.openbsd.org enough time
 to retransmit in the whitelist window.  It would be nice if someone else had
 the time to attempt reproducing this.

No, I really don't think that's your problem. The default settings
give spamd a four-hour window for retransmittions to occur. Judging
from the log excerpt you included in one of your earlier mails the
misc list server does a number of retries in that time and should
easily make it.

What does spamdb | fgrep 192.43.244.163 say?

Could you add the '-v' (verbose) flag to your spamd startup options?
That enables spamd to log the source and destination address for any
mails it greylists, so you can check that you're actually getting
the same tuples for each retry.

Remember that greylisting is based on the combination of three entities,
the source IP, the source mail address and the destination mail address
(what's called a tuple in greylisting terminology).

All three of those must be the same between retransmit attempts for the
greylisting to recognize the attempt. Otherwise it will just add another
entry to spamdb and mark it GREY, pending either timeout or another
connect with the same tuple (in which case it either does nothing if the
attempt was too soon or lets it through and changes the entry to WHITE
in spamdb).

Also remember that it actually takes three tries to get the mail through.
First the initial attempt, which is rejected with a 451 temporary error.
Then the next attempt, which gives the IP address clearance and adds it
to the spamd-white PF table, but still results in a 451 temporary error
back to the originating mail server. The third attempt will be routed by
PF directly to your real SMTP server and will never be seen by spamd.

I often find it helpful, when debugging mail problems such as yours, to
simulate a sending SMTP server by using telnet your.smtp.server smtp
and entering SMTP commands to the server manually, like this:

$ telnet mailgate.internetlabbet.net 25
Trying 217.75.101.10...
Connected to mailgate.internetlabbet.net.
Escape character is '^]'.
220 mailgate.internetlabbet.net ESMTP spamd IP-based SPAM blocker; Sun
May 27 12:36:26 2012
HELO lofgren.biz
250 Hello, spam sender. Pleased to be wasting your time.
MAIL FROM: bl-li...@lofgren.biz
250 You are about to try to deliver spam. Your time will be spent, for
nothing.
RCPT TO: bl-li...@lofgren.biz
250 This is hurting you more than it is hurting me.
DATA
451 Temporary failure, please try again later.
Connection closed by foreign host.
$ _

The above results in these lines in my syslog:

May 27 12:36:26 fw1 spamd[836]: 66.7.199.108: connected (2/1)
May 27 12:37:06 fw1 spamd[836]: (GREY) 66.7.199.108:
bl-li...@lofgren.biz - bl-li...@lofgren.biz
May 27 12:37:16 fw1 spamd[836]: 66.7.199.108: disconnected after 50 seconds.

And the following in spamdb:

# spamdb | fgrep 66.7.199.108
GREY|66.7.199.108|lofgren.biz|bl-li...@lofgren.biz|bl-li...@lofgren.biz|1338115026|1338201426|1338201426|1|0

Then I wait passtime minutes and retry the same thing, and check
my logs and spamdb. Then I try again to verify that I'm this time
indeed talking to my sendmail (or your smtp server of choice).


Regards,
/Benny


 This one you sent me earlier has some advice about tuning the timings,
 https://calomel.org/spamd_config.html
 
 In this section:
 We suggest setting the pass time to as high as you are comfortable with.
 Use a time between 10 and 55 minutes. You are welcome to set it as low as
 2 minutes, but it is possible that some spammers might get white listed. After
 setting up spamd take some time, go through the logs and look for patterns.
 Adjust the pass time as necessary. ...
 
 I realise I have been advised in the list here not to mess around with
 the timings :P
 

-- 
internetlabbet.se / work:   +46 8 551 124 80  / Words must
Benny Lofgren/  mobile: +46 70 718 11 90 /   be weighed,
/   fax:+46 8 551 124 89/not counted.
   /email:  benny -at- internetlabbet.se

Re: spamd greylisting: false positives

[Stuart Henderson]

On 2012-05-27, David Diggles da...@elven.com.au wrote:
 What do you mean by running in blacklist mode ?
 Which settings are different from Grey trapping ?
 Are Openbsd mailing list the only list or mail you have problems with ?
 
 /Hasse

 By blacklist mode, I mean this:

 spamd -b
 spamd-setup -b

 pf.conf:
 table spamd persist
 pass in on egress proto tcp from spamd to any port smtp \
 rdr-to 127.0.0.1 port spamd

 The OpenBSD mailing list was not the only smtp server I was having
 problems with.

 Others included:

 1. test email from my work account
 2. business email from a wholesaler I have been organising purchase with

 For sake of 2. I need to play safe for the time being, and suffer a
 few extra incoming spams a day.  Once I have that sorted out, I will
 be ready to try greylisting again.

Greylisting behaves a bit differently when used on a low-volume mail
server compared to a large campus/organisation mail system where most
of the big providers will be constantly auto-whitelisted due to the
volume of mail they're sending (i.e. big sites get a lot more inbound
mail so the problem mailhosts tend to stay in the database at most
times).

For the smaller setups I've built when I used greylisting I often
needed to maintain separate whitelists. The only actively-maintained
public whitelist I know of (dnswl.org) is only usable via DNS queries
unless you pay for high volume access (and spamd doesn't support
doing this via DNS lookups), so you are stuck with an outdated
public list, and/or manual listings.

Not sure if these particular ones are still a problem, but here are
examples of some senders I had problems with at various times in
the past (excessive delays or retries which were too slow to get
past greylisting) : amazon, aol, bigfish, ebay, gmail, messagelabs,
orange, paypal, postini, yahoo. Now I either use dnswl to exempt
known problem hosts from greylistikg (with some manual whitelists
on top; not done via spamd) - or in several cases just stopped
using greylisting altogether.

Re: spamd greylisting: false positives

[David Diggles]

Hi everyone, sorry about the whiney tone.

I am really appreciating all the help.

On Sunday 27 May 2012, David Diggles wrote:
 This may seem like a dead horse to some by now, but I am disappointed

Re: spamd greylisting: false positives

[David Diggles]

Just made a minor change to pf.conf, to modulate state all tcp
and keep state all udp:

I am getting tired, it is late here.  Hope I have not made any
silly mistakes in this :D

#---
# defaults
#---
set loginterface egress
match in all scrub (no-df max-mss 1440)
antispoof quick for egress
pass
pass proto tcp modulate state
pass proto udp keep state
block in log on egress
#---
# ssh
#---
table ssh-black persist file /etc/pf/ssh-black
table ssh-white persist file /etc/pf/ssh-white
pass in on egress inet proto tcp from ssh-white to egress port ssh \
modulate state
pass in on egress inet proto tcp from !ssh-black to egress port ssh \
modulate state \
(max-src-conn-rate 1/30, overload ssh-black flush)
#---
# authpf
#---
table authpf_users persist
pass in on egress from authpf_users
pass in on egress proto tcp from authpf_users modulate state
pass in on egress proto udp from authpf_users keep state
#---
# spamd - greylist mode
#---
table spamd-white persist
table nospamd persist file /etc/mail/nospamd
pass in on egress proto tcp from any to egress port smtp \
rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from nospamd to egress port smtp \
modulate state
pass in log on egress proto tcp from spamd-white to egress port smtp \
modulate state
pass out log on egress proto tcp to any port smtp modulate state
#---

There is one GREY entry from lists.openbsd.org so far.

root@skitL:~:0# spamdb|fgrep 192.43.244.163
GREY|192.43.244.163|shear.ucar.edu|owner-misc+M122933=david=elven.com...@openbsd.org|da...@elven.com.au|1338127686|1338142086|1338142086|1|0
root@skitL:~:0# date
Mon May 28 00:44:18 EST 2012
root@skitL:~:0# date -r 1338127686
Mon May 28 00:08:06 EST 2012

I need to go sleep now, so I will check again in the morning before I
go to work.

Cheers,
.d.d.

Re: spamd greylisting: false positives

[David Diggles]

After sleeping on it 6 hours, this is what I can report from
the logs.

root@skitL:log:0# cat spamd|fgrep 192.43.244.163|fgrep May 28
May 28 00:07:55 skitL spamd[21325]: 192.43.244.163: connected (1/0)
May 28 00:08:06 skitL spamd[21325]: (GREY) 192.43.244.163: 
owner-misc+M122933=david=elven.com...@openbsd.org - da...@elven.com.au
May 28 00:08:07 skitL spamd[21325]: 192.43.244.163: disconnected after 12 
seconds.
May 28 00:49:51 skitL spamd[20306]: 192.43.244.163: connected (1/0)
May 28 00:50:03 skitL spamd[20306]: (GREY) 192.43.244.163: 
owner-misc+M122934=david=elven.com...@openbsd.org - da...@elven.com.au
May 28 00:50:03 skitL spamd[20306]: 192.43.244.163: disconnected after 12 
seconds.
root@skitL:log:0# spamdb
WHITE|202.58.38.80|||1338136570|1338140183|1341250605|2|0
TRAPPED|106.79.132.74|1338226638
TRAPPED|180.215.141.229|1338226988
GREY|186.206.211.111|baced36f.virtua.com.br|packer8...@reb.com|d...@elven.com.au|1338143338|1338157738|1338157738|1|0
GREY|95.180.252.146|59.167.212.41|and...@bb-dsh.org|d...@elven.com.au|1338152111|1338166511|1338166511|1|0
TRAPPED|64.20.227.133|1338241213
TRAPPED|217.149.28.204|1338241498
TRAPPED|174.123.14.196|1338232031
TRAPPED|83.169.61.34|1338235874
TRAPPED|95.180.252.146|1338238511

Bummer, I have forgotten to pflog the spamd connections to lo0

root@skitL:log:0# tcpdump -n -e -r /var/log/pflog port spamd
tcpdump: WARNING: snaplen raised from 116 to 160
root@skitL:log:0# tcpdump -n -e -r /var/log/pflog port smtp
tcpdump: WARNING: snaplen raised from 116 to 160
01:00:38.572058 rule 16/(match) pass out on xl0: 172.25.101.7.33057  
66.49.254.25.25: S 3802061083:3802061083(0) win 16384 mss 
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2973717195[|tcp] (DF)
01:30:37.983151 rule 17/(match) pass out on xl0: 172.25.101.7.23127  
66.49.254.25.25: S 3663599646:3663599646(0) win 16384 mss 
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 862970203[|tcp] (DF)
04:36:24.378104 rule 16/(match) pass in on xl0: 202.58.38.80.25350  
172.25.101.7.25: S 1021603063:1021603063(0) win 16384 mss 
1420,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop
04:36:31.105838 rule 17/(match) pass out on xl0: 172.25.101.7.3605  
173.194.79.27.25: S 2304184706:2304184706(0) win 16384 mss 
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 451645464[|tcp] (DF)

So I have just loaded a new pf.conf with logging turned on for spamd,
this is what I have running now.

#---
# defaults
#---
set loginterface egress
set skip on lo
match in all scrub (no-df max-mss 1440)
antispoof quick for egress
pass
pass proto tcp modulate state
pass proto udp keep state
block in log on egress
#---
# ssh
#---
table ssh-black persist file /etc/pf/ssh-black
table ssh-white persist file /etc/pf/ssh-white
pass in on egress inet proto tcp from ssh-white to egress \
port ssh modulate state
pass in on egress inet proto tcp from !ssh-black to egress \
port ssh modulate state \
(max-src-conn-rate 1/30, overload ssh-black flush)
#---
# squid
#---
table squid-white persist file /etc/pf/squid-white
pass in on egress inet proto tcp from squid-white to egress \
port 3128 modulate state
#---
# authpf
#---
table authpf_users persist
pass in on egress from authpf_users
pass in on egress proto tcp from authpf_users modulate state
pass in on egress proto udp from authpf_users keep state
#---
# spamd - greylist mode
#---
table spamd-white persist
table nospamd persist file /etc/mail/nospamd
pass in log on egress proto tcp from any to egress \
port smtp rdr-to 127.0.0.1 port spamd synproxy state
pass in on egress proto tcp from nospamd to egress \
port smtp synproxy state
pass in log on egress proto tcp from spamd-white to egress \
port smtp synproxy state
pass out log on egress proto tcp to any port smtp modulate state
#---

Re: spamd greylisting: false positives

[Stuart Henderson]

On 2012-05-27, David Diggles da...@elven.com.au wrote:
 Bummer, I have forgotten to pflog the spamd connections to lo0

So this breaks spamlogd which means servers will expire from the
greylist even if they mail you regularly..

Re: spamd greylisting: false positives

[David Diggles]

From:   Stuart Henderson stu () spacehopper ! org
Date:   2012-05-27 22:29:50

On 2012-05-27, David Diggles da...@elven.com.au wrote:
 Bummer, I have forgotten to pflog the spamd connections to lo0

So this breaks spamlogd which means servers will expire from the
greylist even if they mail you regularly..

Do you mean this pf rule

pass in log on egress proto tcp from any to egress \
port smtp rdr-to 127.0.0.1 port spamd synproxy state

breaks spamlogd?

Would you mind explaining why, and how I can un-break it?

Re: spamd greylisting: false positives

[David Diggles]

Or did you mean, this breaks spamlogd, rather?

pass in on egress proto tcp from any to egress \
port smtp rdr-to 127.0.0.1 port spamd synproxy state

This is what it was.  The logging is on now.

On Mon, May 28, 2012 at 08:53:09AM +1000, David Diggles wrote:
 From:   Stuart Henderson stu () spacehopper ! org
 Date:   2012-05-27 22:29:50
 
 On 2012-05-27, David Diggles da...@elven.com.au wrote:
  Bummer, I have forgotten to pflog the spamd connections to lo0
 
 So this breaks spamlogd which means servers will expire from the
 greylist even if they mail you regularly..
 
 Do you mean this pf rule
 
 pass in log on egress proto tcp from any to egress \
 port smtp rdr-to 127.0.0.1 port spamd synproxy state
 
 breaks spamlogd?
 
 Would you mind explaining why, and how I can un-break it?

Re: spamd greylisting: false positives

[Peter N. M. Hansteen]

David Diggles da...@elven.com.au writes:

 Or did you mean, this breaks spamlogd, rather?

 pass in on egress proto tcp from any to egress \
 port smtp rdr-to 127.0.0.1 port spamd synproxy state

 This is what it was.  The logging is on now.

The important ones to log are the rules that pass smtp traffic from the
members of the spamd-white table (and nospamd if you're using that) plus
the one that passes smtp traffic from your real mail server to
elsewhere. See the spamd and spamlogd man pages, it's explained there.

But why are you synproxying for spamd?

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: spamd greylisting: false positives

[David Higgs]

On Sun, May 27, 2012 at 7:19 PM, Peter N. M. Hansteen pe...@bsdly.net
wrote:
 David Diggles da...@elven.com.au writes:

 Or did you mean, this breaks spamlogd, rather?

 pass in on egress proto tcp from any to egress \
 port smtp rdr-to 127.0.0.1 port spamd synproxy state

 This is what it was.  The logging is on now.

 The important ones to log are the rules that pass smtp traffic from the
 members of the spamd-white table (and nospamd if you're using that) plus
 the one that passes smtp traffic from your real mail server to
 elsewhere. See the spamd and spamlogd man pages, it's explained there.

 But why are you synproxying for spamd?

 - P
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Perhaps off-topic, but I've been working under the assumption that
synproxy (or some portion thereof) has been broken for the last few
releases.  Whether or not it was actually useful to my configuration,
enabling synproxy shouldn't hurt anything, right?  Because switching
from synproxy to modulate state seemed to fix intermittent download
issues for Windows machines sitting behind my pf NAT.  Never had an
issue on the OpenBSD device itself, FWIW.

Can anyone confirm with better-than-anecdotal knowledge?

--david

Re: spamd greylisting: false positives

[David Diggles]

List:   openbsd-misc
Subject:Re: spamd greylisting: false positives
From:   peter () bsdly ! net (Peter N !  M !  Hansteen)
Date:   2012-05-27 23:19:47
Message-ID: 87sjel43fw.fsf () deeperthought ! bsdly ! net
[Download message RAW]

 Or did you mean, this breaks spamlogd, rather?

 pass in on egress proto tcp from any to egress \
 port smtp rdr-to 127.0.0.1 port spamd synproxy state

 This is what it was.  The logging is on now.

The important ones to log are the rules that pass smtp traffic from the
members of the spamd-white table (and nospamd if you're using that) plus
the one that passes smtp traffic from your real mail server to
elsewhere. See the spamd and spamlogd man pages, it's explained there.

Ok, I was doing this.  I just started logging the rdr-to spamd rule too.

But why are you synproxying for spamd?

Why shouldn't I?

These guys do in their example.
https://calomel.org/spamd_config.html

delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

It's cool to see an on-topic sig.

.d.d.

Re: spamd greylisting: false positives

[Rod Whitworth]

It amazes me that nobody has yet given you the calomel warning.
Not the best source of clues. That is the most polite comment you will
see about that website.

On Mon, 28 May 2012 10:43:08 +1000, David Diggles wrote:

These guys do in their example.
https://calomel.org/spamd_config.html

delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

It's cool to see an on-topic sig.


*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.

Re: spamd greylisting: false positives

[Amit Kulkarni]

But why are you synproxying for spamd?

 Why shouldn't I?

 These guys do in their example.
 https://calomel.org/spamd_config.html

don't ever recommend calomel on a openbsd mailing list, search the
archives for why.

here's a hint: they work spectacularly

Re: spamd greylisting: false positives

[Peter N. M. Hansteen]

David Diggles da...@elven.com.au writes:

But why are you synproxying for spamd?

 Why shouldn't I?

The synproxy was added way back as a way to protect back ends that were
less intelligent about connection setup and IIRC even had one or more
known SYN-related vulnerabilities, so we had a way to only pass valid,
completed connections.  In relation to spamd, it doesn't add any
security, but carries with it the slight overhead of the syn proxying.

 These guys do in their example.
 https://calomel.org/spamd_config.html

I'd ask them the same question.  It rarely if ever makes sense to pile
on options just because they're available.

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: spamd greylisting: false positives

[David Diggles]

Ok, I took synproxy out.  What about modulate state?

The pf.conf example in spamd(8) does not include it.

I think I can guess, the answer will be: not needed 

Oh, thanks for the heads up about calomel.org.  Someone else
on list recommended it to me.

Re: spamd greylisting: false positives

[David Diggles]

Ok, I searched calomel and had a good laugh.

smells like calomel

Re: spamd greylisting: false positives

[obsd]

-Ursprungligt meddelande-
Fren: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Fvr David
Diggles
Skickat: den 28 maj 2012 03:54
Till: misc@openbsd.org
Dmne: Re: spamd greylisting: false positives

Ok, I searched calomel and had a good laugh.

smells like calomel

Grow up !

I recommended Calomel because that site gave me some good advice and
understanding of spamd.
First I tried Peters site, with no up to dates rules. Therefore I don't
recommend it.
Otherwise Peter is my kind of Guru but a bit focused on selling his books,
and therefore dont
Want to give away the full recipe for free.

As always, you can not expect copy and paste.
But a site that realy made a difference for me and my use of spamd :
http://www.benzedrine.cx/relaydb.html

/hasse

Re: spamd greylisting: false positives

[David Diggles]

Solved!

I caused the cause of the problem with misconfigured DNS.

I had a secondary MX defined in DNS for elven.com.au that
is not yet configured to receive for elven.com.au.

I tested again from work, and got this error:

   - The following addresses had permanent fatal errors -
da...@elven.com.au
(reason: 550 relay not permitted)

   - Transcript of session follows -
... while talking to mx.bincrow.net.:
 DATA
 451 Temporary failure, please try again later.
... while talking to smtp.free2air.net.:
 DATA
 550 relay not permitted
550 5.1.1 da...@elven.com.au... User unknown
 503 valid RCPT command must precede DATA

First attempt goes to the primary MX,  mx.bincrow.net (where I have
spamd running).  Gets the 451, then retries on the secondary MX,
gets 550 user unknown, then gives up (I verified this by watching the
spamdb output and the counter in tuples of problem emails stayed at 1)

I have removed the secondary MX from the DNS for elven.com.au then
lists.openbsd.org did the expected retries and became whitelisted.

Re: spamd greylisting: false positives

[David Diggles]

So there you have it.  Don't use spamd with greytrapping if your
secondary MX is going to deliver a bounce.  It will confuse SMTP
servers into giving up.

On Mon, May 28, 2012 at 03:38:16PM +1000, David Diggles wrote:
 I had a secondary MX defined in DNS for elven.com.au that
 is not yet configured to receive for elven.com.au.

Re: spamd greylisting: false positives

[Stuart Henderson]

On 2012-05-25, David Diggles da...@elven.com.au wrote:
 I wasn't receiving email, from lists.openbsd.org and also from my
 work email address, until I added the respective smtp servers to
 the whitelist table in pf.

do you have spamlogd running?

 Seriously though, if I have to keep manually adding smtp servers
 to a whitelist, I will run in blacklist only mode.

yes, you do, various large sites use either pools of senders with a
shared queue, or senders behind large nats, or bad retry cycles
etc. you really need something like the dnswl list (only available
by dns lookup for the mos part).

one thing that can help is to restrict spamd to only affecting
windows hosts (using 'from any os windows' in pf rules).

Re: spamd greylisting: false positives

[David Diggles]

This may seem like a dead horse to some by now, but I am disappointed
no one replied to the msg, I supplied the detailed event information with
timestamps, regarding lists.openbsd.org mails not being whitelisted by
spamd when run in greylist mode.

RFC282, 4.5.4.1 Sending Strategy:

   The sender MUST delay retrying a particular destination after one
   attempt has failed.  In general, the retry interval SHOULD be at
   least 30 minutes; however, more sophisticated and variable strategies
   will be beneficial when the SMTP client can determine the reason for
   non-delivery.

   Retries continue until the message is transmitted or the sender gives
   up; the give-up time generally needs to be at least 4-5 days.  The
   parameters to the retry algorithm MUST be configurable.

Yet I have been advised not to mess with the default timings with -G option.
It looks to me like the retry intervals of lists.openbsd.org are not
sufficient to get it whitelisted by spamd.

I am well beyond assuming anything, and prepared to learn / accept
any constructive advice.

Can anyone confirm they have the following scenario?

* A clean installed OpenBSD 5.1 configured as a primary MX
* Clean spamd settings, clean /var/db/spamd
* Default spamd with no options
* Default spamlogd with no options
* The pf.conf uses spamd entries from the example pf.conf from etc.tgz
* No manual whitelist entry for lists.openbsd.org
* Incoming from lists.openbsd.org is eventually whitelisted by spamd

I am just trying to learn the cause, and I have been fully prepared to wear
egg on my face if my own configuration is causing the problem.  I have not
yet proven this is the case.

I believe I have checked everything anyone suggested to check.

I really don't want my next check be to roll back to 4.9 and see if
lists.openbsd.org will auto whitelist like it previously did.

In hope,
David

On Sat, May 26, 2012 at 01:19:38PM +1000, David Diggles wrote:
 Ok I am still not getting emails from
 lists.openbsd.org (so please if you reply, cc to me).
 
 I restarted spamd at this time after deleting /var/db/spamd and
 clearing the bypass tables in pf at this time:
 
 2012-05-26 02:13:12 # /usr/libexec/spamd
 
 Here is the last message to make it to sendmail from misc:
 
 fgrep from= /var/log/maillog|fgrep owner-misc|tail -1|awk '{print $1,$2,$3}'
 May 26 01:54:35
 
 The pf rules for spamd I have are taken from the default pf.conf:
 
 pass in on egress inet proto tcp from any to any port = 25 flags S/SA rdr-to 
 127.0.0.1 port 8025
 pass in on egress proto tcp from nospamd to any port = 25 flags S/SA
 pass in log on egress proto tcp from spamd-white to any port = 25 flags S/SA
 pass out log on egress proto tcp from any to any port = 25 flags S/S
 
 It is currently Sat May 26 12:54:31 EST 201
 
 Times of passed smtp connections for May 26:
 
 tcpdump -n -e -ttt -r /var/log/pflog 21|fgrep .25:|\
 fgrep 'May 26'|awk '{print $3}'
 01:14:53.793995
 04:17:11.846707
 05:00:19.443080
 05:15:01.487277
 07:17:51.114440
 09:35:58.120098
 10:14:21.444822
 11:53:33.611903
 
 So I will skip the first entry when I grep for the
 ip addresses, with a tail +2 because it occurred
 *before* I reset everything.
 
 tcpdump -n -e -ttt -r /var/log/pflog 21|fgrep .25:|\
 fgrep 'May 26'|awk '{print $10}'|tail +2|\
 awk -F. '{print $1.$2.$3.$4}'|sort -n
 17.254.6.112
 74.125.82.47
 113.172.232.215
 129.21.208.44
 202.58.38.80
 203.59.1.110
 206.46.252.115
 
 I have the following tables.
 
 pfctl -s Tables
 nospamd
 spamd-white
 
 Confirming against the spamd-white table
 
 pfctl -t spamd-white -Ts
17.254.6.112
74.125.82.47
113.172.232.215
129.21.208.44
202.58.38.80
203.59.1.110
206.46.252.115
 
 lists.openbsd.org = 192.43.244.163
 
 So nothing from misc has made it to sendmail since I emptied
 nospamd and spamd-white on pf.conf
 
 These are all the attempts from lists.openbsd.org since
 I cleared the spamdb and pf tables.
 
 fgrep 192.43.244.163 /var/log/spamd|fgrep 'May 26'
 May 26 02:53:48 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 02:54:00 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
 seconds.
 May 26 03:00:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 03:00:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
 seconds.
 May 26 04:41:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 04:41:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
 seconds.
 May 26 05:04:19 skitL spamd[25502]: 192.43.244.163: connected (2/1)
 May 26 05:04:31 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
 seconds.
 May 26 05:15:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 05:15:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
 seconds.
 May 26 05:19:36 skitL spamd[25502]: 192.43.244.163: connected (1/0)
 May 26 05:19:48 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
 seconds.
 May 26 05:26:38 skitL spamd[25502]: 192.43.244.163: connected 

Re: spamd greylisting: false positives

[David Diggles]

/var/log/spamd
spamd[11000]: queueing deletion of x.x.x.x mx1.example.com f...@example.com 
da...@elven.com.au
spamd[11000]: queueing deletion of y.y.y.y mx2.example.com f...@example.com 
da...@elven.com.au

Both of these emails I wished to receive, as I corresponded
with them yesterday. :(

I am now trying spamd with the following:

/usr/libexec/spamd -d -G5:1:864

On Fri, May 25, 2012 at 11:26:19AM +0530, Girish Venkatachalam wrote:
 Dear David,
 
 I don't understand how spamd deletes any message. It never does.
 
 Can you clarify? I am certain your observation is wrong; it is something
  else. I wish to know more.
 
 Thanks.
 
 -Girish
 
 On Fri, May 25, 2012 at 10:56 AM, David Diggles da...@elven.com.au wrote:
  Since upgrading from 4.9 to 5.1, I am getting a lot of false positives
  with spamd running in greylisting mode, from email addresses I
  previously did not.
 
  A number of false negatives are still getting through, too.
 
  Eg: I needed to add lists.openbsd.org to /etc/mail/nospamd to receive
  messages from this list, or spamdb would delete the messages.
 
  How can I tune this to make spamd more forgiving? ?The default -G
  options in spamd(8) do not seem to be taking effect. ?I emailed
  someone yesterday, received a reply. Then today, they emailed me again
  from the same address and their messages were deleted by spamdb.
 
  What conditions cause an address to move from grey to white, or grey
  to black?
 
  Trying to get my head around this, and losing emails all the while..
 
  .d.d.
 
 
 
 
 -- 
 Gayatri Hitech
 http://gayatri-hitech.com

Re: spamd greylisting: false positives

[David Diggles]

Can messages get dropped if mail servers fail to resend within
time interval, after receiving the initial temporary failure message?

Re: spamd greylisting: false positives

[David Diggles]

Here are the logs for my failed attempts at joining the
misc mailing list.

All with default spamd settings.

Like I said, it did not succeed until I added lists.openbsd.org
to the /etc/mail/nospamd and reloaded the pf rule.

May 15 23:48:58 mx spamd[6698]: new entry 192.43.244.163 from 
owner-majord...@openbsd.org to da...@elven.com.au, helo shear.ucar.edu
May 15 23:48:58 mx spamd[6698]: new entry 192.43.244.163 from 
owner-majordomo+tf691-ac35-2...@openbsd.org to da...@elven.com.au, helo 
shear.ucar.edu
May 16 03:49:42 mx spamd[11000]: queueing deletion of 192.43.244.163 
shear.ucar.edu owner-majord...@openbsd.org da...@elven.com.au
May 16 03:49:42 mx spamd[11000]: queueing deletion of 192.43.244.163 
shear.ucar.edu owner-majordomo+tf691-ac35-2...@openbsd.org 
da...@elven.com.au
May 16 06:17:03 mx spamd[6698]: new entry 192.43.244.163 from 
owner-majordomo+t7fa9-267c-0...@openbsd.org to da...@elven.com.au, helo 
shear.ucar.edu
May 16 06:17:03 mx spamd[6698]: new entry 192.43.244.163 from 
owner-majord...@openbsd.org to da...@elven.com.au, helo shear.ucar.edu
May 16 06:23:34 mx spamd[6698]: new entry 192.43.244.163 from 
owner-majordomo+t380a-276c-0...@openbsd.org to da...@elven.com.au, helo 
shear.ucar.edu
May 16 06:28:40 mx spamd[6698]: new entry 192.43.244.163 from 
owner-majordomo+t26ad-c7af-0...@openbsd.org to da...@elven.com.au, helo 
shear.ucar.edu
May 16 10:17:46 mx spamd[11000]: queueing deletion of 192.43.244.163 
shear.ucar.edu owner-majordomo+t7fa9-267c-0...@openbsd.org 
da...@elven.com.au
May 16 10:17:46 mx spamd[11000]: queueing deletion of 192.43.244.163 
shear.ucar.edu owner-majord...@openbsd.org da...@elven.com.au
May 16 10:23:47 mx spamd[11000]: queueing deletion of 192.43.244.163 
shear.ucar.edu owner-majordomo+t380a-276c-0...@openbsd.org 
da...@elven.com.au
May 16 10:28:47 mx spamd[11000]: queueing deletion of 192.43.244.163 
shear.ucar.edu owner-majordomo+t26ad-c7af-0...@openbsd.org 
da...@elven.com.au

On Fri, May 25, 2012 at 11:26:19AM +0530, Girish Venkatachalam wrote:
 Dear David,
 
 I don't understand how spamd deletes any message. It never does.
 
 Can you clarify? I am certain your observation is wrong; it is something
  else. I wish to know more.
 
 Thanks.
 
 -Girish
 
 On Fri, May 25, 2012 at 10:56 AM, David Diggles da...@elven.com.au wrote:
  Since upgrading from 4.9 to 5.1, I am getting a lot of false positives
  with spamd running in greylisting mode, from email addresses I
  previously did not.
 
  A number of false negatives are still getting through, too.
 
  Eg: I needed to add lists.openbsd.org to /etc/mail/nospamd to receive
  messages from this list, or spamdb would delete the messages.
 
  How can I tune this to make spamd more forgiving? ?The default -G
  options in spamd(8) do not seem to be taking effect. ?I emailed
  someone yesterday, received a reply. Then today, they emailed me again
  from the same address and their messages were deleted by spamdb.
 
  What conditions cause an address to move from grey to white, or grey
  to black?
 
  Trying to get my head around this, and losing emails all the while..
 
  .d.d.
 
 
 
 
 -- 
 Gayatri Hitech
 http://gayatri-hitech.com

Re: spamd greylisting: false positives

[Matthew Weigel]

On 25.05.2012 01:09, David Diggles wrote:

Can messages get dropped if mail servers fail to resend within
time interval, after receiving the initial temporary failure message?


A qualified yes.  The message isn't dropped if the sending server 
fails
to resend before greyexp hours, it is dropped the first time delivery 
is
attempted; if other attempts to deliver occur before passtime minutes 
pass,

or after greyexp hours, the message will continue to be dropped.

You reduced the whitelisting interval from (25 minutes, 240 minutes] to
(5 minutes, 60 minutes], a pretty big cut.  Perhaps that is your 
problem.

--
 Matthew Weigel
 hacker
 unique  idempot . ent

Re: spamd greylisting: false positives

[Matthew Weigel]

On 25.05.2012 01:09, David Diggles wrote:

Can messages get dropped if mail servers fail to resend within
time interval, after receiving the initial temporary failure message?


It's dropped when it's first received, and it will continue to get 
dropped
until passtime minutes have passed.  If it is then received before 
greyexp

hours have passed, it will be delivered and the remote host will be
whitelisted for sending mail.  If greyexp hours pass without seeing 
that
tuple again, the tuple is deleted and it's back to the beginning for 
that

host.

You reduced greyexp to 1 hour, which may well be causing your problems.
--
 Matthew Weigel
 hacker
 unique  idempot . ent

Re: spamd greylisting: false positives

[Barry Grumbine]

On Thu, May 24, 2012 at 11:09 PM, David Diggles da...@elven.com.au wrote:
 Can messages get dropped if mail servers fail to resend within
 time interval, after receiving the initial temporary failure message?


Yes, but that is entirely up to the sending mailserver.

If you do not receive a message that was initially greylisted
and then subsequently whitelisted by hand (spamdb -a x.x.x.x)
it is because the sending mailserver failed to  re-send the
message, not because spamd dropped it.

spamd does not delete e-mail, it refuses to accept e-mail.

Read spamdb(8); I cannot find immediate references, but I am
pretty sure those log messages refer to the deletion of entries
from the database.

Also read the GREYTRAPPING section of spamd(8),
spamd.alloweddomains may be of some use to you.

Re: spamd greylisting: false positives

[David Diggles]

Like I said, it was in default mode when this behavior
started.  Now I am messin with the timings trying to
overcome this dropping of messages.

Are you saying I should be increasing this from 25 minutes?

On Fri, May 25, 2012 at 02:03:03AM -0500, Matthew Weigel wrote:
 On 25.05.2012 01:09, David Diggles wrote:
 Can messages get dropped if mail servers fail to resend within
 time interval, after receiving the initial temporary failure message?
 
 A qualified yes.  The message isn't dropped if the sending server
 fails
 to resend before greyexp hours, it is dropped the first time
 delivery is
 attempted; if other attempts to deliver occur before passtime
 minutes pass,
 or after greyexp hours, the message will continue to be dropped.
 
 You reduced the whitelisting interval from (25 minutes, 240 minutes] to
 (5 minutes, 60 minutes], a pretty big cut.  Perhaps that is your
 problem.
 -- 
  Matthew Weigel
  hacker
  unique  idempot . ent

Re: spamd greylisting: false positives

[David Diggles]

Oh, so if I am relying on remote mailservers being configured
to resend after a temporary failure, how do I second guess
the time intervals they are configured with?  If they even
resend at all?

Eg: lists.openbsd.org failed with default grey settings in spamd.

I guess I don't have the skills to run a greytrappin spamd, and
still receive the mails I want to receive, and ought to run in
blacklist mode instead ;-)

On Fri, May 25, 2012 at 02:03:03AM -0500, Matthew Weigel wrote:
 On 25.05.2012 01:09, David Diggles wrote:
 Can messages get dropped if mail servers fail to resend within
 time interval, after receiving the initial temporary failure message?
 
 A qualified yes.  The message isn't dropped if the sending server
 fails
 to resend before greyexp hours, it is dropped the first time
 delivery is
 attempted; if other attempts to deliver occur before passtime
 minutes pass,
 or after greyexp hours, the message will continue to be dropped.
 
 You reduced the whitelisting interval from (25 minutes, 240 minutes] to
 (5 minutes, 60 minutes], a pretty big cut.  Perhaps that is your
 problem.
 -- 
  Matthew Weigel
  hacker
  unique  idempot . ent

Re: spamd greylisting: false positives

[David Diggles]

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
 On 25.05.2012 01:09, David Diggles wrote:
 Can messages get dropped if mail servers fail to resend within
 time interval, after receiving the initial temporary failure message?
 
 It's dropped when it's first received, and it will continue to get
 dropped
 until passtime minutes have passed.  If it is then received before
 greyexp
 hours have passed, it will be delivered and the remote host will be
 whitelisted for sending mail.  If greyexp hours pass without seeing
 that
 tuple again, the tuple is deleted and it's back to the beginning for
 that
 host.
 
 You reduced greyexp to 1 hour, which may well be causing your problems.
 -- 
  Matthew Weigel
  hacker
  unique  idempot . ent

Re: spamd greylisting: false positives

[Henning Brauer]

* David Diggles da...@elven.com.au [2012-05-25 09:18]:
 Like I said, it was in default mode when this behavior
 started.  Now I am messin with the timings trying to
 overcome this dropping of messages.
 
 Are you saying I should be increasing this from 25 minutes?

the defaults are fine, afaict almost everybody is running with them.
that is not your problem, something in your setup is very wrong. first
sanity check would be the clock, tho I have a hard time seeing how it
could jump repeatedly.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

Re: spamd greylisting: false positives

[Kevin Chadwick]

On Fri, 25 May 2012 17:22:04 +1000
David Diggles wrote:

 Eg: lists.openbsd.org failed with default grey settings in spamd.

I find it hard to believe lists.openbsd.org isn't RFC compliant. I
guess you have another problem.

If you send me an address privately. I'll send a mail from Yahoo. I
know Yahoo mails get through tighter than default settings.

Re: spamd greylisting: false positives

[obsd]

-Ursprungligt meddelande-
Fren: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Fvr David
Diggles
Skickat: den 25 maj 2012 11:14
Till: misc@openbsd.org
Dmne: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
 On 25.05.2012 01:09, David Diggles wrote:
 Can messages get dropped if mail servers fail to resend within time
 interval, after receiving the initial temporary failure message?

 It's dropped when it's first received, and it will continue to get
 dropped until passtime minutes have passed.  If it is then received
 before greyexp hours have passed, it will be delivered and the remote
 host will be whitelisted for sending mail.  If greyexp hours pass
 without seeing that tuple again, the tuple is deleted and it's back to
 the beginning for that host.

 You reduced greyexp to 1 hour, which may well be causing your problems.
 --
  Matthew Weigel
  hacker
  unique  idempot . ent

Ahh...
Just struck me  Please check the syntax of your pf rules
This is what's working for me :

table spamd-white persist

pass in log on egress proto tcp from spamd-white rdr-to 127.0.0.1 port
smtp
pass in log on egress proto tcp from !spamd-white rdr-to 127.0.0.1 port
spamd

/Hasse

Re: spamd greylisting: false positives

[obsd]

-Ursprungligt meddelande-
Fren: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Fvr David
Diggles
Skickat: den 25 maj 2012 11:14
Till: misc@openbsd.org
Dmne: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
 On 25.05.2012 01:09, David Diggles wrote:
 Can messages get dropped if mail servers fail to resend within time
 interval, after receiving the initial temporary failure message?

 It's dropped when it's first received, and it will continue to get
 dropped until passtime minutes have passed.  If it is then received
 before greyexp hours have passed, it will be delivered and the remote
 host will be whitelisted for sending mail.  If greyexp hours pass
 without seeing that tuple again, the tuple is deleted and it's back to
 the beginning for that host.

 You reduced greyexp to 1 hour, which may well be causing your problems.
 --
  Matthew Weigel
  hacker
  unique  idempot . ent

Hello

Not a behavior I can recognize.
I would recommend to start over the configuration from the beginning, after
checking the obvious system settings.
Standard settings should be fine as a starter. Later on, adjust to your
likings.
You can find some good instructions (explainations) here :
http://www.pantz.org/software/spamd/configspamd.html
https://calomel.org/spamd_config.html

Regards Hasse

Re: spamd greylisting: false positives

[David Diggles]

The spamd pf.conf rules I have are:

table spamd-white persist
table nospamd persist file /etc/mail/nospamd
pass in on egress proto tcp from any to any port smtp \
rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from nospamd to any port smtp
pass in log on egress proto tcp from spamd-white to any port smtp
pass out log on egress proto tcp to any port smtp

Henning, the clock seems fine.  Ntpd is not complaining about losing time.
I will return all the spamd options to default.

spamd-setup is running from cron, 13 mins after every hour.

On 15th of May, I upgraded to 5.1 with a clean install.  Maybe the problem
is not spamd, but my configuration of sendmail.

On Fri, May 25, 2012 at 12:20:45PM +0200, obsd wrote:
 -Ursprungligt meddelande-
 Fren: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Fvr David
 Diggles
 Skickat: den 25 maj 2012 11:14
 Till: misc@openbsd.org
 Dmne: Re: spamd greylisting: false positives
 
 I am now trying it with -G120:6:864
 
 Although I can't think how to reproduce the problem in a controlled way,
 other than wait and see what emails I don't get :/
 
 On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
  On 25.05.2012 01:09, David Diggles wrote:
  Can messages get dropped if mail servers fail to resend within time
  interval, after receiving the initial temporary failure message?
 
  It's dropped when it's first received, and it will continue to get
  dropped until passtime minutes have passed.  If it is then received
  before greyexp hours have passed, it will be delivered and the remote
  host will be whitelisted for sending mail.  If greyexp hours pass
  without seeing that tuple again, the tuple is deleted and it's back to
  the beginning for that host.
 
  You reduced greyexp to 1 hour, which may well be causing your problems.
  --
   Matthew Weigel
   hacker
   unique  idempot . ent
 
 Ahh...
 Just struck me  Please check the syntax of your pf rules
 This is what's working for me :
 
 table spamd-white persist
 
 pass in log on egress proto tcp from spamd-white rdr-to 127.0.0.1 port
 smtp
 pass in log on egress proto tcp from !spamd-white rdr-to 127.0.0.1 port
 spamd
 
 /Hasse

Re: spamd greylisting: false positives

[Kurt Mosiejczuk]

David Diggles wrote:

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/


Stop playing with those settings, you are freaking out about log entries 
that don't mean what you think they mean.


spamd seems to have a queue for updates to the database.  This is based 
off of a 2 minute look at the code in question, but it seems to use the 
to do all changes from a scan run at once, so it can do all the 
necessary changes in one burst.


What you are seeing are messages about it deleting stuff from its own 
database, not email.  spamd doesn't accept email.  The email never gets 
to your smtp daemon until it's gotten through spamd's delays.


Are you actually not receiving email?  Or assuming there is a problem 
based upon your panicked look at the logs?


If emails aren't getting through, they may either need to be explicitly 
whitelisted (providers like gmail do things that mean they may never get 
through graylisting), or you have misconfigured your setup.


--Kurt

Re: spamd greylisting: false positives

[David Diggles]

I wasn't receiving email, from lists.openbsd.org and also from my
work email address, until I added the respective smtp servers to
the whitelist table in pf.

I could see them in the greylist when I typed spamdb.

Yes. I did misunderstand the spamd log entry about deletion.

Though I would not bother playing with settings if the expected
emails were being received.

I will go ahead and flush the spamdb database, and the pf tables
and start over with default everything, no whitelist pf entries.

This time I will sit on my hands and wait.  Maybe I was not
being patient enough.

When you say I misconfigured my setup, what do you mean?
What else is there to spamd other than adding it to rc.conf.local
and a few pf rules?

As for gmail;
I have not had this issue sending email from gmail to spamd.

Seriously though, if I have to keep manually adding smtp servers
to a whitelist, I will run in blacklist only mode.

On Fri, May 25, 2012 at 11:07:12AM -0400, Kurt Mosiejczuk wrote:
 David Diggles wrote:
 I am now trying it with -G120:6:864
 
 Although I can't think how to reproduce the problem in a controlled way,
 other than wait and see what emails I don't get :/
 
 Stop playing with those settings, you are freaking out about log
 entries that don't mean what you think they mean.
 
 spamd seems to have a queue for updates to the database.  This is
 based off of a 2 minute look at the code in question, but it seems
 to use the to do all changes from a scan run at once, so it can do
 all the necessary changes in one burst.
 
 What you are seeing are messages about it deleting stuff from its
 own database, not email.  spamd doesn't accept email.  The email
 never gets to your smtp daemon until it's gotten through spamd's
 delays.
 
 Are you actually not receiving email?  Or assuming there is a
 problem based upon your panicked look at the logs?
 
 If emails aren't getting through, they may either need to be
 explicitly whitelisted (providers like gmail do things that mean
 they may never get through graylisting), or you have misconfigured
 your setup.
 
 --Kurt

Re: spamd greylisting: false positives

[Matthew Weigel]

On 25.05.2012 10:50, David Diggles wrote:

I wasn't receiving email, from lists.openbsd.org and also from my
work email address, until I added the respective smtp servers to
the whitelist table in pf.

I could see them in the greylist when I typed spamdb.


In the greylist, or in the whitelist (both are stored in
/var/db/spamdb)?  I'm wondering now whether your /var/db/spamdb
got wiped out when you upgraded.  If that happened, then all
pre-existing whitelist entries would be gone, and emails would
have to go through greylisting again.

Also, if your standard procedure when making changes was as below
(wiping out spamdb), you would be pretty much guaranteed to drop
a lot of mail on the floor given exponential back off.


I will go ahead and flush the spamdb database, and the pf tables
and start over with default everything, no whitelist pf entries.


Presumably you have at least some whitelist entries there, and some
mail in transit that you would like to eventually receive.  Flushing
the database now would mean that anything currently greylisted is
very unlikely to be whitelisted, and anything whitelisted will be
greylisted next time it tries to deliver mail.


This time I will sit on my hands and wait.  Maybe I was not
being patient enough.


With default settings, you need to be patient for 4 hours.  Past 4
hours, the chances are close to nil that you'll get that mail.  Until
4 hours have passed, though, it's completely possible you'll still
receive the mail.


As for gmail;
I have not had this issue sending email from gmail to spamd.


You will.


Seriously though, if I have to keep manually adding smtp servers
to a whitelist, I will run in blacklist only mode.


It's pretty straightforward to script pulling SPF records from Google
and whitelisting them.  Facebook is another company that sends a lot
of mail through many servers, but documents those servers in SPF
records you can poll (say, on a weekly basis).  There are very few
other mail server clusters that have that behavior, so once you
identify those two, and script it, the problem is basically solved.

For example, you could move your current nospamd file to
/etc/mail/nospamd.constant, and then do the following in
/etc/weekly.local:

next_part Whitelisting Google mail servers
/usr/sbin/dig _spf.google.com TXT + short | tr \  \n | grep ip4: \
 | cut -d: -f2 | sort -n  /etc/mail/nospamd.dynamic
cat /etc/mail/nospamd.constant /etc/mail/nospamd.dynamic  
/etc/mail/nospamd

/sbin/pfctl -t gmail-white -T replace -f /etc/mail/nospamd 21 \
 | grep -v 'no changes'

That's very close to something someone else shared on misc@ many
moons ago, I don't remember who.
--
 Matthew Weigel
 hacker
 unique  idempot . ent

Re: spamd greylisting: false positives

[Nicolai]

On Sat, May 26, 2012 at 01:50:40AM +1000, David Diggles wrote:
 I will go ahead and flush the spamdb database, and the pf tables
 and start over with default everything, no whitelist pf entries.

spamd acts up for me occasionally.  In such cases I just

 /etc/rc.d/spamd stop
 rm /var/db/spamd
 /etc/rc.d/spamd start

 When you say I misconfigured my setup, what do you mean?

He might have assumed that because you described your problem more with
narration than with logs or copy/paste, and when you did copy and paste,
it was incomplete.  For example:

  I am now trying it with -G120:6:864

Is that from rc.conf.local?  The command line?  If it was the command
line, were you calling spamd directly, or using rc.d?  Is that the
entire argument list passed?  Only what you thought was relevant to the
issue?  We don't know.

And when you say spamd was deleting email... that's just not possible
because spamd returns a 4xy/5xy after DATA.

There's no reason to narrate when logs tell a better story.

Nicolai

Re: spamd greylisting: false positives

[David Diggles]

Thanks for also replying directly.  Since I cleared nospamd
override table in pf, I am no longer receiving emails from misc.

 I wasn't receiving email, from lists.openbsd.org and also from my
 work email address, until I added the respective smtp servers to
 the whitelist table in pf.
 
 I could see them in the greylist when I typed spamdb.
 
 And how many attempts were listed?  Was there any whitelist entries
 when you checked?  How long had it been since the email was sent and
 you still hadn't received it?

Some emails did not get through at all.  I didn't check for whitelist
entries or number of attempts at the time.

 Yes. I did misunderstand the spamd log entry about deletion.
 
 Though I would not bother playing with settings if the expected
 emails were being received.
 
 The default graylist settings are almost certainly the only thing
 definitively not causing your problems.  And the way you tweaked
 them were more likely to completely break things.

Ok, I have returned the greylist settings to default now and I will
go through the pf log and try find out why lists.openbsd.org is
once again not making it to my inbox.

 I will go ahead and flush the spamdb database, and the pf tables
 and start over with default everything, no whitelist pf entries.
 
 That almost certainly will *not* help.  The only real entries that
 cause problems are TRAPPED entries.  GREY entries mean the sender is
 partway through getting whitelisted.  If you delete the entries, you
 set them back to square one.  And since they have been backing off
 on trying, the odds are much greater that the sending side will give
 up.

I am not trying to help, I am reproducing the problem by reverting
to the original conditions.  Now it's the weekend, I have time to spend
on solving it.

 This time I will sit on my hands and wait.  Maybe I was not
 being patient enough.
 
 With greylisting, that is usually the case.  Once it has been
 running for a while, most things have no delays, but until a sender
 has been whitelisted by getting through the greylisting process, you
 will have probably an hour delay.

I restarted spamd and flushed all the pf tables almost 10 hours ago now.
Still nothing from lists.openbsd.org.

 When you say I misconfigured my setup, what do you mean?
 What else is there to spamd other than adding it to rc.conf.local
 and a few pf rules?
 
 The pf rules are important.  You get them wrong and it doesn't work.

The spamd pf rules I am using are simply uncommented from the
default OpenBSD pf.conf file.

I will audit pf rules and ensure I don't have other rules interfering
with spamd.

 Seriously though, if I have to keep manually adding smtp servers
 to a whitelist, I will run in blacklist only mode.
 
 Generally you don't need to, but there *are* misbehaving setups out
 there, and if you never monitor your email server, they won't get
 through.
 
 A quick google search turns up
 http://www.greylisting.org/whitelisting.shtml, which can help you
 pre-populate entries if you can't be bothered.

Thanks for googling that one for me.

I must have a misconfiguration.

My apologies for dumping on the list, wasting peoples time etc.

Re: spamd greylisting: false positives

[David Diggles]

Ok I am still not getting emails from
lists.openbsd.org (so please if you reply, cc to me).

I restarted spamd at this time after deleting /var/db/spamd and
clearing the bypass tables in pf at this time:

2012-05-26 02:13:12 # /usr/libexec/spamd

Here is the last message to make it to sendmail from misc:

fgrep from= /var/log/maillog|fgrep owner-misc|tail -1|awk '{print $1,$2,$3}'
May 26 01:54:35

The pf rules for spamd I have are taken from the default pf.conf:

pass in on egress inet proto tcp from any to any port = 25 flags S/SA rdr-to 
127.0.0.1 port 8025
pass in on egress proto tcp from nospamd to any port = 25 flags S/SA
pass in log on egress proto tcp from spamd-white to any port = 25 flags S/SA
pass out log on egress proto tcp from any to any port = 25 flags S/S

It is currently Sat May 26 12:54:31 EST 201

Times of passed smtp connections for May 26:

tcpdump -n -e -ttt -r /var/log/pflog 21|fgrep .25:|\
fgrep 'May 26'|awk '{print $3}'
01:14:53.793995
04:17:11.846707
05:00:19.443080
05:15:01.487277
07:17:51.114440
09:35:58.120098
10:14:21.444822
11:53:33.611903

So I will skip the first entry when I grep for the
ip addresses, with a tail +2 because it occurred
*before* I reset everything.

tcpdump -n -e -ttt -r /var/log/pflog 21|fgrep .25:|\
fgrep 'May 26'|awk '{print $10}'|tail +2|\
awk -F. '{print $1.$2.$3.$4}'|sort -n
17.254.6.112
74.125.82.47
113.172.232.215
129.21.208.44
202.58.38.80
203.59.1.110
206.46.252.115

I have the following tables.

pfctl -s Tables
nospamd
spamd-white

Confirming against the spamd-white table

pfctl -t spamd-white -Ts
   17.254.6.112
   74.125.82.47
   113.172.232.215
   129.21.208.44
   202.58.38.80
   203.59.1.110
   206.46.252.115

lists.openbsd.org = 192.43.244.163

So nothing from misc has made it to sendmail since I emptied
nospamd and spamd-white on pf.conf

These are all the attempts from lists.openbsd.org since
I cleared the spamdb and pf tables.

fgrep 192.43.244.163 /var/log/spamd|fgrep 'May 26'
May 26 02:53:48 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 02:54:00 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 03:00:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 03:00:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 04:41:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 04:41:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 05:04:19 skitL spamd[25502]: 192.43.244.163: connected (2/1)
May 26 05:04:31 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 05:15:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 05:15:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 05:19:36 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 05:19:48 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 05:26:38 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 05:26:50 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 05:31:10 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 05:31:22 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 05:37:54 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 05:38:06 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 05:43:38 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 05:43:50 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 06:32:55 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 06:33:08 skitL spamd[25502]: 192.43.244.163: disconnected after 13 
seconds.
May 26 07:00:31 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 07:00:43 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 07:29:59 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 07:30:11 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 07:53:46 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 07:53:58 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 08:26:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 08:26:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 09:14:32 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 09:14:44 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 10:12:59 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 10:13:10 skitL spamd[25502]: 192.43.244.163: disconnected after 11 
seconds.
May 26 11:44:37 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 11:44:49 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.
May 26 11:54:40 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 11:54:52 skitL spamd[25502]: 192.43.244.163: disconnected after 12 
seconds.

spamd greylisting: false positives

[David Diggles]

Since upgrading from 4.9 to 5.1, I am getting a lot of false positives
with spamd running in greylisting mode, from email addresses I
previously did not.

A number of false negatives are still getting through, too.

Eg: I needed to add lists.openbsd.org to /etc/mail/nospamd to receive
messages from this list, or spamdb would delete the messages.

How can I tune this to make spamd more forgiving?  The default -G
options in spamd(8) do not seem to be taking effect.  I emailed
someone yesterday, received a reply. Then today, they emailed me again
from the same address and their messages were deleted by spamdb.

What conditions cause an address to move from grey to white, or grey
to black?

Trying to get my head around this, and losing emails all the while..

.d.d.