Re: [AMaViS-user] p0f with dual sendmail?

2006-11-24 Thread Mark Martinec
Tapani,

> Yes, moving from dual sendmail to milter would be an obvious
> solution, but my past experiences with milter under heavy
> load discourage me from going that route.
> It's been some time since I looked at it though, perhaps
> the issues have been solved since.

I wouldn't recommend it either. The concept of running heavy-weight
content filters before-queue is fundamentally problematic
and is not suitable for larger sites.

>> It would be possible to make a small milter to query p0f
>> and insert the information in mail header.

> Right, but doing that without performance problems may
> not be as easy as it sounds.

Don't know, I don't see any problems there. A lookup
by a milter into p0f-analyzer's cache would be almost
instantaneous (a dozen milliseconds).

>> A third way would be to write a SA plugin that would query
>> p0f-analyzer directly, after obtaining client IP address
>> from the first trusted Received header field, which is
>> already parsed and known by SA. This would perhaps be the
>> most general purpose solution, and other users of SA would
>> benefit.

> Indeed, that sounds like the ideal solution. I've never
> looked at writing SA plugins though, and not enough time
> to do it now, so I guess I'll have to forego p0f for now. :-(
> Maybe later...

Any volunteers to prepare a SA plugin for p0f lookup?
Should be quite straightforward.

  Mark

-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/


Re: [AMaViS-user] p0f with dual sendmail?

2006-11-24 Thread Vincent Li
On Fri, 24 Nov 2006, Mark Martinec wrote:

> A third way would be to write a SA plugin that would query
> p0f-analyzer directly, after obtaining client IP address
> from the first trusted Received header field, which is
> already parsed and known by SA. This would perhaps be the
> most general purpose solution, and other users of SA would
> benefit.
>
> Indeed, that sounds like the ideal solution. I've never
> looked at writing SA plugins though, and not enough time
> to do it now, so I guess I'll have to forego p0f for now. :-(
> Maybe later...
>
> Any volunteers to prepare a SA plugin for p0f lookup?
> Should be quite straightforward.

Hi Mark,

Suppose I have script like this:

package P0f;

use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use strict;
use warnings;
use bytes;

use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
   my $class = shift;
   my $mailsaobject = shift;

   $class = ref($class) || $class;
   my $self = $class->SUPER::new($mailsaobject);
   bless ($self, $class);

   # name of the eval rule that p0f.cf will refer to
   $self->register_eval_rule("p0f_lookup");

   return $self;
}

sub p0f_lookup {
   my ($self, $pms) = @_;

   # get the first trusted header
   if ($pms->{num_relays_trusted} > 0) {
     my $frstru = $pms->{relays_trusted}->[-1];
     ..
     .
     What to do next?
   }
}

I am still not clear how the fingerprinting information gets made
available to SA.



  Mark


Vincent Li  http://pingpongit.homelinux.com
Opensource  .Implementation. .Consulting.
Platform.Fedora. .Debian. .Mac OS X.
Blog    http://bl0g.blogdns.com



Re: [AMaViS-user] p0f with dual sendmail?

2006-11-24 Thread Mark Martinec
Vincent,

>> Any volunteers to prepare a SA plugin for p0f lookup?
>> Should be quite straightforward.

> Suppose I have script like this:
...
> sub p0f_lookup {
>  # get the first trusted header
>   .
>  What to do next?

> I am still not clear how the fingering printing information
> get available to SA.

- somehow determine the SMTP client's IP address following SA mechanisms
  on trusted/internal etc settings and parsed Received header fields.
(can't help there, ask on SA list if necessary)
  This should be an IP address of the remote host which connected
  to our MX host on which p0f and p0f-analyzer.pl must be running.

- query p0f-analyzer.pl process by using my example code in:
http://marc.theaimsgroup.com/?l=postfix-users&m=116312480114045
http://marc.theaimsgroup.com/?l=spamassassin-users&m=116406420110311

- the result will contain one line as returned by p0f.  Plugin may
  insert this information into a header, or supply it as scoring rules.

Mark



Re: [AMaViS-user] p0f with dual sendmail?

2006-11-24 Thread Vincent Li
On Fri, 24 Nov 2006, Mark Martinec wrote:

> - somehow determine the SMTP client's IP address following SA mechanisms
>   on trusted/internal etc settings and parsed Received header fields.
> (can't help there, ask on SA list if necessary)
>   This should be an IP address of the remote host which connected
>   to our MX host on which p0f and p0f-analyzer.pl must be running.
>
> - query p0f-analyzer.pl process by using my example code in:
> http://marc.theaimsgroup.com/?l=postfix-users&m=116312480114045
> http://marc.theaimsgroup.com/?l=spamassassin-users&m=116406420110311


A crude p0f SA plugin, untested :)

package P0f;

use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use IO::Socket::INET;
use Time::HiRes;
use strict;
use warnings;
use bytes;

use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);


# where p0f-analyzer.pl listens (host:port), and what counts as a hit
my $p0f_service = q{inet:mx_host:2345};
my $p0f_regexp = qr{^Windows\b};

sub new {
   my $class = shift;
   my $mailsaobject = shift;

   $class = ref($class) || $class;
   my $self = $class->SUPER::new($mailsaobject);
   bless ($self, $class);

   $self->register_eval_rule("p0f_lookup");

   return $self;
}

sub p0f_lookup {
   my ($self, $pms) = @_;

   # we can only match this if we have at least 1 untrusted header
   if ($pms->{num_relays_untrusted} > 0) {
   #if ($pms->{num_relays_trusted} > 0) {
     # relays_untrusted->[0] is the last untrusted relay, i.e. the host
     # that connected to our MX
     my $lastunt = $pms->{relays_untrusted}->[0];
     #my $lastunt = $pms->{relays_trusted}->[-1];

     my ($cl_ip) = $lastunt->{ip};
     if (defined($p0f_service) && defined($p0f_regexp) &&
         defined($cl_ip) &&
         $cl_ip ne '' && $cl_ip ne '0.0.0.0' && $cl_ip ne '::') {
       my $nonce = int(rand(10));  # not too clever, but good enough
       # _p0f_init / _p0f_collect_response are Mark's p0f_init and
       # p0f_collect_response from the posts linked above (not shown here)
       my $os_fingerprint_obj = $self->_p0f_init($pms, $p0f_service, 0.050,
                                                 $cl_ip, $nonce);
       if (defined($os_fingerprint_obj)) {
         my $os_fingerprint = $self->_p0f_collect_response($pms,
                                                          $os_fingerprint_obj);
         # 95% of mail from remote Windows hosts is spam coming from zombized
         # machines, so it is worth greylisting
         return 1  if defined($os_fingerprint) && $os_fingerprint ne '' &&
                      $os_fingerprint =~ /$p0f_regexp/;
       }
       return 0;
     }

   }
   return 0;
}
.
...
Just copy and paste Mark's subs p0f_init and p0f_collect_response, with
some minor changes
.

__END__

p0f.cf:

loadplugin P0f  /etc/mail/spamassassin/P0f.pm
header   WINDOWS_SMTP_CLIENT  eval:p0f_lookup()
describe WINDOWS_SMTP_CLIENT  The last untrusted smtp client to connect to our MX host is Windows
score    WINDOWS_SMTP_CLIENT  0.1



> - the result will contain one line as returned by p0f.  Plugin may
>   insert this information into a header, or supply it as scoring rules.
>
> Mark



Vincent Li  http://pingpongit.homelinux.com
Opensource  .Implementation. .Consulting.
Platform.Fedora. .Debian. .Mac OS X.
Blog    http://bl0g.blogdns.com

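As an added example (not code from this thread, nor from amavisd-new or SpamAssassin), here is the exchange that Mark's step 2 and Vincent's p0f_lookup perform, written in Python rather than Perl so it runs stand-alone without Mail::SpamAssassin: a lookup client (nonce, 50 ms timeout, unusable-IP check, Windows match) talking to a mock p0f-analyzer bound to loopback. The wire format is an assumption about p0f-analyzer.pl taken from the approach the thread describes: the query is "IP NONCE" over UDP and the reply echoes "IP NONCE " followed by the cached p0f line. The cache contents, addresses and fingerprint strings are constructed.

```python
# Added example: p0f-analyzer lookup client plus a mock analyzer for offline use.
import re
import secrets
import socket
import threading

# Constructed sample cache. The real p0f-analyzer.pl fills its cache from
# p0f's output; the OS strings below are made up in p0f's style.
MOCK_CACHE = {
    "192.0.2.10": "Windows XP/2000 (RFC1323+, w+, tstamp-) (up: 3 hrs)",
    "198.51.100.7": "Linux 2.6 (newer, 3) (up: 24 days)",
}
STALE_REPLY_IP = "203.0.113.5"   # constructed: mock answers with the wrong nonce

# Same pattern as the WINDOWS_SMTP_CLIENT rule in the thread.
P0F_WINDOWS_RE = re.compile(r"^Windows\b")


def mock_p0f_analyzer(sock):
    """Minimal stand-in for p0f-analyzer.pl (assumed protocol: query is
    'IP NONCE', reply echoes 'IP NONCE ' followed by the cached p0f line)."""
    while True:
        data, peer = sock.recvfrom(1024)
        if data == b"quit":
            return
        try:
            ip, nonce = data.decode("ascii").split()
        except ValueError:
            continue                      # malformed query: ignore it
        if ip == STALE_REPLY_IP:
            nonce = "0"                   # simulate a late/mismatched datagram
        fp = MOCK_CACHE.get(ip, "")       # unknown IP -> empty fingerprint
        sock.sendto(f"{ip} {nonce} {fp}".encode("ascii"), peer)


def start_mock_analyzer():
    """Bind the mock on an ephemeral loopback port; return (addr, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=mock_p0f_analyzer, args=(srv,), daemon=True)
    t.start()
    addr = srv.getsockname()

    def stop():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b"quit", addr)
        t.join(timeout=1)
        srv.close()
    return addr, stop


def p0f_lookup(analyzer_addr, client_ip, timeout=0.05):
    """Ask the analyzer for client_ip's fingerprint. Returns the p0f line, or
    None when the IP is unusable, the analyzer stays silent past `timeout`
    (50 ms, as in the plugin), or the reply does not carry our nonce."""
    if client_ip in ("", "0.0.0.0", "::"):
        return None
    nonce = str(secrets.randbits(31))     # pairs the reply with this query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(f"{client_ip} {nonce}".encode("ascii"), analyzer_addr)
        try:
            data, _ = s.recvfrom(1024)
        except OSError:                   # timeout, or ICMP unreachable
            return None
    prefix = f"{client_ip} {nonce} "
    text = data.decode("ascii", "replace")
    if not text.startswith(prefix):       # stale or forged datagram: drop it
        return None
    fp = text[len(prefix):].strip()
    return fp or None                     # empty means "not in the cache"


def is_windows_client(fingerprint):
    """The decision behind 'header WINDOWS_SMTP_CLIENT eval:p0f_lookup()'."""
    return bool(fingerprint) and P0F_WINDOWS_RE.search(fingerprint) is not None


if __name__ == "__main__":
    addr, stop = start_mock_analyzer()
    try:
        for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"):
            fp = p0f_lookup(addr, ip)
            print(f"{ip:15} -> {fp!r}  windows={is_windows_client(fp)}")
    finally:
        stop()
```

The nonce check is the part worth keeping when porting this back into the Perl plugin: UDP gives no pairing of replies to queries, so a late datagram from an earlier lookup, or one from any other host that can reach the analyzer's port, would otherwise be scored as if it answered this query. A silent analyzer simply yields None after the timeout, so the rule scores 0 instead of stalling the SA scan.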


Re: [AMaViS-user] p0f with dual sendmail?

2006-11-23 Thread Mark Martinec
Tapani,

> Is it possible to use p0f with dual-sendmail setup?
> Release notes only talk about sendmail/milter and postfix,
> and mention postfix needs xforward extension - does
> sendmail have/need something similar?

xforward is a Postfix-specific extension; sendmail cannot pass
such information over SMTP to a client. If amavisd-new is used
with sendmail in a milter setup using Petr Rehor's milter
and the AM.PDP protocol, the client IP address is again available
to amavisd (passed over the AM.PDP protocol).

It would be possible to make a small milter to query p0f
and insert the information in mail header. This way
SA could obtain the information on client OS fingerprint
from the header.

A third way would be to write a SA plugin that would query
p0f-analyzer directly, after obtaining client IP address
from the first trusted Received header field, which is
already parsed and known by SA. This would perhaps be the
most general purpose solution, and other users of SA would
benefit. In my implementation I just chose whatever was
simplest for me to implement at that time, which was to
do it in amavisd.

  Mark



Re: [AMaViS-user] p0f with dual sendmail?

2006-11-23 Thread Tapani Tarvainen
On Thu, Nov 23, 2006 at 01:56:37PM +0100, Mark Martinec ([EMAIL PROTECTED]) 
wrote:

>> Is it possible to use p0f with dual-sendmail setup?

> xforward is Postfix-specific extension, sendmail can not pass
> such information over SMTP to a client.

:-(

> If amavisd-new is used
> with sendmail in a milter setup using Petr Rehor's milter
> and AM.PDP protocol, client IP address is again available
> to amavisd (passed over AM.PDP protocol).

Yes, moving from dual sendmail to milter would be an obvious
solution, but my past experiences with milter under heavy
load discourage me from going that route.
It's been some time since I looked at it though, perhaps
the issues have been solved since.

> It would be possible to make a small milter to query p0f
> and insert the information in mail header.

Right, but doing that without performance problems may
not be as easy as it sounds. 

> A third way would be to write a SA plugin that would query
> p0f-analyzer directly, after obtaining client IP address
> from the first trusted Received header field, which is
> already parsed and known by SA. This would perhaps be the
> most general purpose solution, and other users of SA would
> benefit.

Indeed, that sounds like the ideal solution. I've never 
looked at writing SA plugins though, and not enough time
to do it now, so I guess I'll have to forego p0f for now. :-(
Maybe later...

-- 
Tapani Tarvainen
