Re: [AMaViS-user] p0f with dual sendmail?
Tapani,

> Yes, moving from dual sendmail to milter would be an obvious solution,
> but my past experiences with milter under heavy load discourage me from
> going that route. It's been some time since I looked at it though,
> perhaps the issues have been solved since.

I wouldn't recommend it either. The concept of running heavy-weight
content filters before-queue is fundamentally problematic and is not
suitable for larger sites.

> > It would be possible to make a small milter to query p0f and insert
> > the information in mail header.
>
> Right, but doing that without performance problems may not be as easy
> as it sounds.

Don't know, I don't see any problems there. A lookup by a milter into
p0f-analyzer's cache would be almost instantaneous (a dozen milliseconds).

> > A third way would be to write a SA plugin that would query
> > p0f-analyzer directly, after obtaining client IP address from the
> > first trusted Received header field, which is already parsed and
> > known by SA. This would perhaps be the most general purpose solution,
> > and other users of SA would benefit.
>
> Indeed, that sounds like the ideal solution. I've never looked at
> writing SA plugins though, and not enough time to do it now, so I
> guess I'll have to forego p0f for now. :-( Maybe later...

Any volunteers to prepare a SA plugin for p0f lookup?
Should be quite straightforward.

  Mark

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] p0f with dual sendmail?
On Fri, 24 Nov 2006, Mark Martinec wrote:

> > > A third way would be to write a SA plugin that would query
> > > p0f-analyzer directly, after obtaining client IP address from the
> > > first trusted Received header field, which is already parsed and
> > > known by SA. This would perhaps be the most general purpose
> > > solution, and other users of SA would benefit.
> >
> > Indeed, that sounds like the ideal solution. I've never looked at
> > writing SA plugins though, and not enough time to do it now, so I
> > guess I'll have to forego p0f for now. :-( Maybe later...
>
> Any volunteers to prepare a SA plugin for p0f lookup?
> Should be quite straightforward.

Hi Mark,

Suppose I have a script like this:

  package P0f;

  use Mail::SpamAssassin::Plugin;
  use Mail::SpamAssassin::Logger;
  use strict;
  use warnings;
  use bytes;
  use vars qw(@ISA);
  @ISA = qw(Mail::SpamAssassin::Plugin);

  sub new {
    my $class = shift;
    my $mailsaobject = shift;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsaobject);
    bless ($self, $class);
    $self->register_eval_rule("p0f_lookup");
    return $self;
  }

  sub p0f_lookup {
    my ($self, $pms) = @_;
    # get the first trusted header
    if ($pms->{num_relays_trusted} > 0) {
      my $frstru = $pms->{relays_trusted}->[-1];
      # ... What to do next?
    }
  }

I am still not clear how the fingerprinting information becomes
available to SA.

>   Mark

Vincent Li
http://pingpongit.homelinux.com
Opensource .Implementation. .Consulting.
Platform .Fedora. .Debian. .Mac OS X.
Blog http://bl0g.blogdns.com
Re: [AMaViS-user] p0f with dual sendmail?
Vincent,

> > Any volunteers to prepare a SA plugin for p0f lookup?
> > Should be quite straightforward.
>
> Suppose I have a script like this:
> ...
> sub p0f_lookup {
>   # get the first trusted header
>   ...
>   What to do next?
>
> I am still not clear how the fingerprinting information becomes
> available to SA.

- somehow determine the SMTP client's IP address following SA mechanisms
  on trusted/internal etc settings and parsed Received header fields.
  (can't help there, ask on SA list if necessary)
  This should be an IP address of the remote host which connected to our
  MX host, on which p0f and p0f-analyzer.pl must be running.

- query p0f-analyzer.pl process by using my example code in:
  http://marc.theaimsgroup.com/?l=postfix-users&m=116312480114045
  http://marc.theaimsgroup.com/?l=spamassassin-users&m=116406420110311

- the result will contain one line as returned by p0f. Plugin may insert
  this information into a header, or supply it as scoring rules.

  Mark
Re: [AMaViS-user] p0f with dual sendmail?
On Fri, 24 Nov 2006, Mark Martinec wrote:

> - somehow determine the SMTP client's IP address following SA mechanisms
>   on trusted/internal etc settings and parsed Received header fields.
>   (can't help there, ask on SA list if necessary)
>   This should be an IP address of the remote host which connected to our
>   MX host, on which p0f and p0f-analyzer.pl must be running.
>
> - query p0f-analyzer.pl process by using my example code in:
>   http://marc.theaimsgroup.com/?l=postfix-users&m=116312480114045
>   http://marc.theaimsgroup.com/?l=spamassassin-users&m=116406420110311

A crude p0f SA plugin, untested :)

  package P0f;

  use Mail::SpamAssassin::Plugin;
  use Mail::SpamAssassin::Logger;
  use IO::Socket::INET;
  use Time::HiRes;
  use strict;
  use warnings;
  use bytes;
  use vars qw(@ISA);
  @ISA = qw(Mail::SpamAssassin::Plugin);

  my $p0f_service = q{inet:mx_host:2345};
  my $p0f_regexp  = qr{^Windows\b};

  sub new {
    my $class = shift;
    my $mailsaobject = shift;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsaobject);
    bless ($self, $class);
    $self->register_eval_rule("p0f_lookup");
    return $self;
  }

  sub p0f_lookup {
    my ($self, $pms) = @_;
    # we can only match this if we have at least 1 untrusted header
    if ($pms->{num_relays_untrusted} > 0) {
    #if ($pms->{num_relays_trusted} > 0) {
      my $lastunt = $pms->{relays_untrusted}->[0];
      #my $lastunt = $pms->{relays_trusted}->[-1];
      my ($cl_ip) = $lastunt->{ip};
      if (defined($p0f_service) && defined($p0f_regexp) &&
          defined($cl_ip) && $cl_ip ne '' &&
          $cl_ip ne '0.0.0.0' && $cl_ip ne '::') {
        my $nonce = int(rand(10));  # not too clever, but good enough
        my $os_fingerprint_obj =
          $self->_p0f_init($pms, $p0f_service, 0.050, $cl_ip, $nonce);
        if (defined($os_fingerprint_obj)) {
          my $os_fingerprint =
            $self->_p0f_collect_response($pms, $os_fingerprint_obj);
          # 95% of mail from remote Windows hosts is spam coming from zombized
          # machines, so it is worth to greylist
          return 1 if $os_fingerprint ne '' && $os_fingerprint =~ /$p0f_regexp/;
        }
        return 0;
      }
    }
    return 0;
  }

  ...

Just copy and paste Mark's sub p0f_init, p0f_collect_response, and some
minor changes.

  __END__

p0f.cf:

  loadplugin P0f /etc/mail/spamassassin/P0f.pm
  header   WINDOWS_SMTP_CLIENT eval:p0f_lookup()
  describe WINDOWS_SMTP_CLIENT The last untrusted smtp client to connect to our MX host is Windows
  score    WINDOWS_SMTP_CLIENT 0.1

> - the result will contain one line as returned by p0f. Plugin may insert
>   this information into a header, or supply it as scoring rules.
>
>   Mark

Vincent Li
http://pingpongit.homelinux.com
Opensource .Implementation. .Consulting.
Platform .Fedora. .Debian. .Mac OS X.
Blog http://bl0g.blogdns.com
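To show Mark's three steps (take the client IP from SA's parsed relays, query the p0f-analyzer.pl process with a nonce and a short deadline, then use the returned line both as a header and as a scoring rule) as one complete plugin, here is an added example with the two query subroutines that Vincent's draft leaves to be pasted in written out. It is not code from this thread, from amavisd-new or from SpamAssassin. It assumes that p0f-analyzer.pl listens on UDP port 2345 on the MX itself, that a query is the datagram "CLIENT_IP NONCE" and the reply is "NONCE FINGERPRINT" (the wire format is an assumption, not confirmed by the thread); the rule name p0f_windows_client, the helpers _client_ip and _p0f_query, the tag P0FFINGERPRINT and the local.cf lines in the comment are names chosen here.

```perl
package P0f;
# Added example, not code from the thread, amavisd-new or SpamAssassin.
# Asks a p0f-analyzer.pl process for the OS fingerprint of the SMTP client
# that connected to our MX, stores it as a tag and fires on Windows clients.
#
# Assumptions (not confirmed by the thread):
#  - p0f-analyzer.pl listens on UDP 2345 on this host;
#  - query datagram is "CLIENT_IP NONCE\n", reply is "NONCE FINGERPRINT\n".
#
# Matching local.cf lines (hypothetical rule and tag names):
#   loadplugin P0f /etc/mail/spamassassin/P0f.pm
#   header   WINDOWS_SMTP_CLIENT eval:p0f_windows_client()
#   describe WINDOWS_SMTP_CLIENT SMTP client that connected to our MX fingerprints as Windows
#   score    WINDOWS_SMTP_CLIENT 0.1
#   add_header all P0f _P0FFINGERPRINT_

use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;
use Time::HiRes ();
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;

our @ISA = qw(Mail::SpamAssassin::Plugin);

my $P0F_HOST    = '127.0.0.1';  # assumed: analyzer runs on the MX itself
my $P0F_PORT    = 2345;         # p0f-analyzer.pl port used in the thread
my $P0F_TIMEOUT = 0.050;        # seconds; a missing answer must not stall SA

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless($self, $class);
  $self->register_eval_rule('p0f_windows_client');
  return $self;
}

# The host that connected to our MX is SA's first untrusted relay:
# relays_trusted->[-1] is our own MX, relays_untrusted->[0] is its client.
sub _client_ip {
  my ($pms) = @_;
  return undef unless ($pms->{num_relays_untrusted} || 0) > 0;
  my $ip = $pms->{relays_untrusted}->[0]->{ip};
  return undef if !defined($ip) || $ip eq '' || $ip eq '0.0.0.0' || $ip eq '::';
  return $ip;
}

# One UDP round trip to p0f-analyzer.pl under a deadline.  Returns the
# fingerprint line carrying our nonce, or undef on timeout / socket error.
sub _p0f_query {
  my ($ip, $nonce) = @_;
  my $sock = IO::Socket::INET->new(Proto    => 'udp',
                                   PeerAddr => $P0F_HOST,
                                   PeerPort => $P0F_PORT) or return undef;
  defined($sock->send("$ip $nonce\n")) or return undef;
  my $sel      = IO::Select->new($sock);
  my $deadline = Time::HiRes::time() + $P0F_TIMEOUT;
  while ((my $left = $deadline - Time::HiRes::time()) > 0) {
    last unless $sel->can_read($left);
    my $buf = '';
    defined($sock->recv($buf, 4096)) or last;
    for my $line (split /\n/, $buf) {
      # accept only the reply that echoes our nonce; anything else is stale
      return $2 if $line =~ /^(\S+)\s+(.*)$/ && $1 eq $nonce;
    }
  }
  return undef;
}

sub p0f_windows_client {
  my ($self, $pms) = @_;
  my $ip = _client_ip($pms);
  return 0 unless defined $ip;
  # pid plus a random part: wide enough that a late reply to an earlier
  # lookup in this child cannot be mistaken for this one
  my $nonce = sprintf('%d.%06d', $$, int(rand(1_000_000)));
  my $fp = _p0f_query($ip, $nonce);
  if (!defined $fp) {
    dbg("p0f: no answer for $ip within ${P0F_TIMEOUT}s");
    return 0;
  }
  dbg("p0f: $ip => $fp");
  # expose the raw p0f line to add_header as _P0FFINGERPRINT_
  $pms->set_tag('P0FFINGERPRINT', $fp);
  return ($fp =~ /^Windows\b/) ? 1 : 0;
}

1;
```

Two points are worth checking in any version of this plugin. First, the deadline: every message passing through SA triggers a lookup, so if the analyzer is down or slow the rule must give up (here after 50 ms, returning 0) rather than block the scan. Second, the nonce: the reply is accepted only when it echoes the nonce sent, so a late datagram from an earlier lookup in the same child cannot be attributed to the current message; the thread's int(rand(10)) gives only ten possible values, which is why this version widens it. Keeping the fingerprint in a tag as well as scoring on it gives both of Mark's options from one lookup: the add_header line writes the p0f line into the message for later rules or for eyeballing, while the eval rule does the scoring.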
Re: [AMaViS-user] p0f with dual sendmail?
Tapani,

> Is it possible to use p0f with dual-sendmail setup? Release notes only
> talk about sendmail/milter and postfix, and mention postfix needs
> xforward extension - does sendmail have/need something similar?

xforward is a Postfix-specific extension, sendmail can not pass such
information over SMTP to a client.

If amavisd-new is used with sendmail in a milter setup using Petr Rehor's
milter and AM.PDP protocol, client IP address is again available to
amavisd (passed over AM.PDP protocol).

It would be possible to make a small milter to query p0f and insert the
information in mail header. This way SA could obtain the information on
client OS fingerprint from the header.

A third way would be to write a SA plugin that would query p0f-analyzer
directly, after obtaining client IP address from the first trusted
Received header field, which is already parsed and known by SA. This
would perhaps be the most general purpose solution, and other users of SA
would benefit.

In my implementation I just chose whatever was simplest for me to
implement at that time, which was to do it in amavisd.

  Mark
Re: [AMaViS-user] p0f with dual sendmail?
On Thu, Nov 23, 2006 at 01:56:37PM +0100, Mark Martinec ([EMAIL PROTECTED]) wrote:

> > Is it possible to use p0f with dual-sendmail setup?
>
> xforward is a Postfix-specific extension, sendmail can not pass such
> information over SMTP to a client.

:-(

> If amavisd-new is used with sendmail in a milter setup using Petr Rehor's
> milter and AM.PDP protocol, client IP address is again available to
> amavisd (passed over AM.PDP protocol).

Yes, moving from dual sendmail to milter would be an obvious solution,
but my past experiences with milter under heavy load discourage me from
going that route. It's been some time since I looked at it though,
perhaps the issues have been solved since.

> It would be possible to make a small milter to query p0f and insert the
> information in mail header.

Right, but doing that without performance problems may not be as easy as
it sounds.

> A third way would be to write a SA plugin that would query p0f-analyzer
> directly, after obtaining client IP address from the first trusted
> Received header field, which is already parsed and known by SA. This
> would perhaps be the most general purpose solution, and other users of
> SA would benefit.

Indeed, that sounds like the ideal solution. I've never looked at writing
SA plugins though, and not enough time to do it now, so I guess I'll have
to forego p0f for now. :-( Maybe later...

-- 
Tapani Tarvainen