Re: Spamd question with Spamtrap

2017-03-28 Thread Boudewijn Dijkstra

On Mon, 13 Mar 2017 18:25:30 +0100, Mik J wrote:
Spamd has been really efficient in blocking spam. A few of them passed  
through once in a while but there's no discomfort.


So this is not really an OpenSMTPd question.


But, I'm not able to use spamtrap.
# spamdb -T -a ""


The example in the manpage doesn't use angle brackets. Remove them.


# spamdb | grep SPAMTRAP
SPAMTRAP|
But when I telnet to port 25 and try to send a mail, a GREY entry is
created, and after the hold time mail is passing through


When a SPAMTRAP is hit, no GREY entry is created.



--
Made with Opera's e-mail program: http://www.opera.com/mail/



Re: spamd question

2016-09-17 Thread Patrick Dohman
Is there such a thing as set skip on lo for ldap ;)

Regards
Patrick

> On Sep 13, 2016, at 4:03 AM, Kasper Haitsma  wrote:
> 
> Happy days, spamd-sync is working.
> 
> - pf.conf still needs rdr-to instead of divert-to
> - rc.conf.local is picky on the quotes for -n and sequence of -Y and
> -y (no sync proc in ps list)
> - the 5.0 machines are not using spamd.key :(
> 
> I'm glad it is all well documented
> 
> Date: Fri, 9 Sep 2016 12:14:18 +0100
> From: Craig Skinner 
> To: misc@openbsd.org
> Subject: Re: spamd question
> Message-ID: <20160909121418.3117d12f@fir.internal>
> 
> Hi Kasper,
> 
> On Thu, 8 Sep 2016 17:51:45 +0200 Kasper Haitsma wrote:
>>>> 5.9 -> 5.9 nothing at all
>>> 
>>> Fix this problem first.
>> 
>> if this is fixed, I trust, all is fixed.
> 
> Hopefully it's on to happy days then!!!
> 
> 
> As you've got spamd_flags=" -y bge1 & -Y bge1"
> 
> Try changing the bge1 to ipv4 addresses & restarting spamd.
> 
> If that works, then change back to bge1 and check if you also have
> 'multicast=YES' in /etc/rc.conf.local?
> 
> In older versions, the rc parameter was called 'multicast_host', but
> the '_host' bit got dropped: http://www.openbsd.org/faq/upgrade59.html
> 
> Enabling that would need either a root 'sh /etc/netstart' or reboot.
> 
> Cheers,
> --
> Craig Skinner



Re: spamd question

2016-09-13 Thread Kasper Haitsma
Happy days, spamd-sync is working.

- pf.conf still needs rdr-to instead of divert-to
- rc.conf.local is picky on the quotes for -n and sequence of -Y and
-y (no sync proc in ps list)
- the 5.0 machines are not using spamd.key :(

I'm glad it is all well documented

Date: Fri, 9 Sep 2016 12:14:18 +0100
From: Craig Skinner 
To: misc@openbsd.org
Subject: Re: spamd question
Message-ID: <20160909121418.3117d12f@fir.internal>

Hi Kasper,

On Thu, 8 Sep 2016 17:51:45 +0200 Kasper Haitsma wrote:
> >> 5.9 -> 5.9 nothing at all
> >
> > Fix this problem first.
>
> if this is fixed, I trust, all is fixed.

Hopefully it's on to happy days then!!!


As you've got spamd_flags=" -y bge1 & -Y bge1"

Try changing the bge1 to ipv4 addresses & restarting spamd.

If that works, then change back to bge1 and check if you also have
'multicast=YES' in /etc/rc.conf.local?

In older versions, the rc parameter was called 'multicast_host', but
the '_host' bit got dropped: http://www.openbsd.org/faq/upgrade59.html

Enabling that would need either a root 'sh /etc/netstart' or reboot.

Cheers,
--
Craig Skinner



Re: spamd question

2016-09-09 Thread Craig Skinner
Hi Kasper,

On Thu, 8 Sep 2016 17:51:45 +0200 Kasper Haitsma wrote:
> >> 5.9 -> 5.9 nothing at all
> >
> > Fix this problem first.
> 
> if this is fixed, I trust, all is fixed.

Hopefully it's on to happy days then!!!


As you've got spamd_flags=" -y bge1 & -Y bge1"

Try changing the bge1 to ipv4 addresses & restarting spamd.

If that works, then change back to bge1 and check if you also have
'multicast=YES' in /etc/rc.conf.local?

In older versions, the rc parameter was called 'multicast_host', but
the '_host' bit got dropped: http://www.openbsd.org/faq/upgrade59.html

Enabling that would need either a root 'sh /etc/netstart' or reboot.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: spamd question

2016-09-08 Thread Kasper Haitsma
>> 5.9 -> 5.9 nothing at all
>
> Fix this problem first.

if this is fixed, I trust, all is fixed.

>>
>> pf.conf is the same on all 4 boxes
>
> spamd's pf rules changed in 5.8:
> http://www.openbsd.org/faq/upgrade58.html

well, http://www.openbsd.org/plus58.html reveals:
Change in spamd(8) to use divert-to instead of rdr-to
although the pf.conf man page on the server (and on-line) still
displays rdr-to in its example.
pfctl does not report an error about it either (it did when I replaced
all rdr-to with divert-to)
this makes troubleshooting troublesome

suggestions are welcome about  other changes in spamd/pf.conf between
5.0 and 5.9

oh by the way, changing rdr-to into divert-to for the spamd line makes
no difference in behaviour



Re: spamd question

2016-09-08 Thread Craig Skinner
Hi Kasper,

On 2016-09-07 Wed 15:07 PM |, Kasper Haitsma wrote:
> 5.9 -> 5.9 nothing at all

Fix this problem first.

> 
> pf.conf is the same on all 4 boxes

spamd's pf rules changed in 5.8:
http://www.openbsd.org/faq/upgrade58.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: spamd question

2016-09-07 Thread Kasper Haitsma
> You've got 2 5.0 machines syncing.
>
> Can you get 2 5.9 machines syncing?
No, unfortunately not
When I telnet (port 25) into a 5.9 box, a GREY entry is created on
that box, but it is not synced to the other 5.9 box, nor are WHITE
entries

5.0 -> 5.0 sync OK (since before I came to this company)
5.0 -> 5.9 no sync (packages sent, but nothing in spamdb)
5.9 -> 5.9 nothing at all

pf.conf is the same on all 4 boxes
spamd_flags similar (-h -y -Y: hardware/host specific)

Thnx



Re: spamd question

2016-09-06 Thread Craig Skinner
Hi Kasper,

On 2016-09-05 Mon 17:26 PM |, Kasper Haitsma wrote:
> spamd-sync packages arrive at the 5.9 box, but 

You've got 2 5.0 machines syncing.

Can you get 2 5.9 machines syncing?



Re: spamd question

2016-09-05 Thread Kasper Haitsma
Also, when I manually create a message (telnet to port 25) to a 5.9
host, a GREY entry is created, but not "published"

spamd_black=NO
spamd_flags="-h  -n \"Sendmail 8.11.4/8.11.1\" -v -w1 -y bge1 -Y bge1"
spamlogd_flags="-I -i lo0"

where bge1 is the interface to the internal network


2016-09-05 17:26 GMT+02:00 Kasper Haitsma :
> Does anyone have an explanation for this?
> even with pf off (pf -F all), spamd-sync packages arrive at the 5.9
> box, but no GREY entries are added to spamdb
> However WHITE entries are added..
>
> Help is appreciated
>
> 2016-08-29 15:49 GMT+02:00 Kasper Haitsma :
>> Thanks Peter for responding.
>>
>> The logging goes to its own file (/var/log/spamd.log)
>> Indeed entries are written there for various events.
>> now I see GREY and WHITE records added nicely in the 5.0 spamdb.
>> they are syncing between each other, and the syncpackages seem to be
>> received by the 5.9 nodes but the 5.9 nodes do not register these records in
>> spamdb
>> - any idea why?
>> - any idea how to troubleshoot?
>>
>> root@<5.9-1> ~# tcpdump -i bge1 port 8025
>> tcpdump: listening on bge1, link-type EN10MB
>> 15:44:21.056732 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 164
>> 15:44:22.679540 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
>> 15:44:23.453386 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
>> 15:44:23.804945 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 148
>> 15:44:24.242281 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
>>
>> ^C
>> 2475 packets received by filter
>> 0 packets dropped by kernel
>> root@<5.9-1> ~#
>>
>> thanks
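
Kasper's rc.conf.local above and Craig's troubleshooting steps earlier in the thread (an interface versus an IPv4 address for -Y, multicast=YES in rc.conf.local) can be checked mechanically. The script below is an added example, not code from the thread or from OpenBSD; it assumes the rc.conf.local content is exactly Kasper's posted lines (constructed inline) and models only what spamd(8) documents for -y and -Y.

```python
import ipaddress
import re
import shlex

# Constructed copy of the rc.conf.local lines Kasper posted (not a real file).
SAMPLE_RC = r'''
spamd_black=NO
spamd_flags="-h  -n \"Sendmail 8.11.4/8.11.1\" -v -w1 -y bge1 -Y bge1"
spamlogd_flags="-I -i lo0"
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc(text):
    """name -> value for simple VAR=value lines, unquoted the way sh would.
    rc(8) sources the file, so each value is one shell word."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m and not line.lstrip().startswith("#"):
            words = shlex.split(m.group(2))
            conf[m.group(1)] = words[0] if words else ""
    return conf


def sync_settings(spamd_flags):
    """Extract -y (interface spamd listens on for sync) and -Y (sync target).
    shlex.split keeps -n's quoted banner as a single argument, which is the
    quoting that bit Kasper in rc.conf.local."""
    argv = shlex.split(spamd_flags)
    found = {"listen": None, "target": None}
    i = 0
    while i < len(argv):
        if argv[i] in ("-y", "-Y") and i + 1 < len(argv):
            found["listen" if argv[i] == "-y" else "target"] = argv[i + 1]
            i += 2
        else:
            i += 1
    return found


def check_sync(conf):
    """Findings about the sync setup as strings; an empty list means nothing
    looks wrong to this check."""
    s = sync_settings(conf.get("spamd_flags", ""))
    if s["target"] is None:
        return ["no -Y sync target in spamd_flags: this host will not send sync messages"]
    findings = []
    # spamd(8): -Y takes an IPv4 address (unicast) or an interface name, with
    # an optional :ttl suffix, for multicast to the spamd group.
    target = s["target"].split(":", 1)[0]
    try:
        ipaddress.IPv4Address(target)
        mode = "unicast"
    except ValueError:
        mode = "multicast"
    if mode == "multicast" and conf.get("multicast", "NO").upper() != "YES":
        findings.append(
            f"-Y {s['target']} is an interface, so sync is multicast, but rc.conf.local "
            "has no multicast=YES (multicast_host on releases before 5.9); "
            "add it, then run 'sh /etc/netstart' as root or reboot")
    if s["listen"] is None:
        findings.append("no -y listen interface: sync messages from peers will be ignored")
    return findings


if __name__ == "__main__":
    conf = parse_rc(SAMPLE_RC)
    print("sync settings:", sync_settings(conf["spamd_flags"]))
    for f in check_sync(conf) or ["sync settings look consistent"]:
        print("-", f)
```

Run against Kasper's lines it reports the missing multicast=YES; with unicast addresses for -Y, as Craig suggests trying first, the check is silent.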



Re: spamd question

2016-09-05 Thread Kasper Haitsma
Does anyone have an explanation for this?
even with pf off (pf -F all), spamd-sync packages arrive at the 5.9
box, but no GREY entries are added to spamdb
However WHITE entries are added..

Help is appreciated

2016-08-29 15:49 GMT+02:00 Kasper Haitsma :
> Thanks Peter for responding.
>
> The logging goes to its own file (/var/log/spamd.log)
> Indeed entries are written there for various events.
> now I see GREY and WHITE records added nicely in the 5.0 spamdb.
> they are syncing between each other, and the syncpackages seem to be
> received by the 5.9 nodes but the 5.9 nodes do not register these records in
> spamdb
> - any idea why?
> - any idea how to troubleshoot?
>
> root@<5.9-1> ~# tcpdump -i bge1 port 8025
> tcpdump: listening on bge1, link-type EN10MB
> 15:44:21.056732 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 164
> 15:44:22.679540 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
> 15:44:23.453386 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
> 15:44:23.804945 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 148
> 15:44:24.242281 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
>
> ^C
> 2475 packets received by filter
> 0 packets dropped by kernel
> root@<5.9-1> ~#
>
> thanks



Re: spamd question

2016-08-29 Thread Kasper Haitsma
Thanks Peter for responding.

The logging goes to its own file (/var/log/spamd.log).
Indeed entries are written there for various events.
Now I see GREY and WHITE records added nicely in the 5.0 spamdb.
They are syncing between each other, and the sync packages seem to be
received by the 5.9 nodes, but the 5.9 nodes do not register these records
in spamdb
- any idea why?
- any idea how to troubleshoot?

root@<5.9-1> ~# tcpdump -i bge1 port 8025
tcpdump: listening on bge1, link-type EN10MB
15:44:21.056732 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 164
15:44:22.679540 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
15:44:23.453386 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132
15:44:23.804945 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 148
15:44:24.242281 <5.0-1>.spamd-sync > <5.9-1>.spamd-sync: udp 132

^C
2475 packets received by filter
0 packets dropped by kernel
root@<5.9-1> ~#

thanks


--
Date: Mon, 22 Aug 2016 16:28:06 +0200
From: "Peter N. M. Hansteen" 
To: misc@openbsd.org
Subject: Re: Fwd: spamd question
Message-ID: <20160822142804.ga...@skapet.bsdly.net>

On Mon, Aug 22, 2016 at 04:06:22PM +0200, Kasper Haitsma wrote:
> I have a question regarding the differences between spamd-sync
> on OpenBSD 5.0 and OpenBSD 5.9.
> I read this article , but there is
> no indication if this applies to my situation or not.

That's a commit that happened in 2008. OpenBSD 5.0 was released in 2011.

OpenBSD 5.0 has been out of support for a while, but this particular change
should not be directly relevant to your particular upgrade scenario.

I see you start your spamds with the -v option. That means that you should
be able to see log entries for syncs wherever your spamd is set up to log to
(check your syslog.conf), something like

Aug 22 16:16:27 skapet spamd[65037]: new entry 216.126.230.221 from <cbsupd...@herpprotcol.eu> to , helo reliefs.herpprotcol.eu

If you see something similar, you're good for that part at least.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"



Re: spamd question

2009-05-27 Thread Stephan A. Rickauer
On Fri, 2009-05-22 at 15:53 -0400, Jim Razmus wrote:

> beck@ created the greyscanner Perl script to address the issues you've
> highlighted.  It does deeper inspection of grey listed senders before
> they are white listed.  It validates the DNS setup of the sending
> server, the validity of the recipient address, and more.  You can add
> your own checks to it as well.
> 
> I find it an effective addition to spamd.
> 
> http://www.ualberta.ca/~beck/greyscanner/


And remember to populate spamd.alloweddomains with all accounts you
really have on your backend.



Re: spamd question

2009-05-22 Thread Jim Razmus
* Eric  [090522 14:41]:
> I never thought about it before, but it is clear that spamd handles the
> greylisting the same regardless of whether or not the e-mail address is
> valid.  That is, it doesn't check to make sure that the to address is
> legitimate before adding the IP address to the spamd-white table.
> 
> For example, if your domain is example.com and someone is trying to
> send to a bogus address, say 3dgeo...@example.com, then once they get
> through the greylisting, their ip address then added to the spamd-white
> table where it will remain for the next month or so, depending on the
> configuration.
> 
> On the surface, this doesn't seem to be much of a problem since the
> spammer could always do the same for a real e-mail address if he had
> one at the domain and get whitelisted for the configured period of
> time.  Furthermore, if the sender is not a spammer and just has the
> address wrong, say goe...@example.com instead of geo...@example.com, he
> gets a 5xx response much quicker telling him that the address does not
> exist so that he can correct it and resend it.
> 
> So it doesn't seem like such a bad thing.
> 
> But it also seems like this could be used by a savvy spammer to his
> benefit if he wants to have a better chance at getting past spamd on
> OpenBSD servers.  Suppose a spammer was getting ready to make a big
> spam run.  Then he could increase his probability of getting the IP
> address added to the spamd-white table by going through the various
> address lists earlier and "sending" a single e-mail to a completely
> random address at the same domain.
> 
> For example, if his address list contained geo...@example.com,
> sa...@example.com, he...@example.com, and j...@example.com, a day or
> two earlier, he could fake an e-mail something like
> 1739512349...@example.com.  Once the IP address is added to
> spamd-white, he will connect to the mail server on the next try where
> he will get a 5xx no such user error.  
> 
> The benefit he would gain by using a random made-up address instead of
> one on his list is because he won't definitively know which addresses
> on the list are spamtrap addresses.  Instead, the random address is
> unlikely to have been added with "spamdb -T -a" and so he increases his
> chances of not getting trapped.
> 
> Not only would this would make the spam run itself simpler and faster,
> but any addresses defined with spamdb as spamtrap addresses wouldn't
> cause the server to be trapped for 24 hours because since it had
> already been greylisted, spamd would never actually see the spamtrap
> addresses, if any.
> 
> If, on the other hand, the address had to be legitimate before spamd
> would send it on, the above scenario would fail.  The spammer would
> then only be able to get his IP addresses whitelisted by sending an
> e-mail to a legitimate user and avoiding the spamtrap addresses
> entirely.
> 
> I've seen no signs that the spammers are doing that now, but it might
> be worth considering an option to spamd that would check the addresses
> and use that as part of the determination of whether or not to add to
> the spamd-white list just in case they should start doing that.
> 
> Any thoughts on this?
> 
> Eric Johnson
> 

beck@ created the greyscanner Perl script to address the issues you've
highlighted.  It does deeper inspection of grey listed senders before
they are white listed.  It validates the DNS setup of the sending
server, the validity of the recipient address, and more.  You can add
your own checks to it as well.

I find it an effective addition to spamd.

http://www.ualberta.ca/~beck/greyscanner/

HTH,
Jim



Re: spamd question (4.1)

2007-07-24 Thread syl

Sorry, I made a mistake and sent my mail to the wrong mailing list

On 24/07/07, syl <[EMAIL PROTECTED]> wrote:

Who's volunteering to do the site? Because in the end ror is still web,
so it's still
not for me

2007/7/24, Stuart Henderson <[EMAIL PROTECTED]>:
> On 2007/07/24 06:37, Jacob Yocom-Piatt wrote:
> > heh. oh, and rod, you're right about the outbound IPs, that was my

confusion

> > .
>
> Masking on /24 in spamlogd would help with this for many sites.
>
>


--
Gallon sylvestre
Astek michant / Assistant CISCO
Rathaxes Core Developper
http://blog.evilkittens.org/~syl/







Re: spamd question (4.1)

2007-07-24 Thread syl

Sorry, I made a mistake and sent the message to the wrong mailing list.
I'm very confused; since this morning I can't stop making mistakes...
Maybe the amount of beer drunk yesterday may help find a reason for my
miscalculation

2007/7/24, Yannick Francois <[EMAIL PROTECTED]>:

2007/7/24, Stuart Henderson <[EMAIL PROTECTED]>:
> On 2007/07/24 13:53, syl wrote:
> > Who's volunteering to do the site? Because in the end ror is still web,
> > so it's still
> > not for me
>
> If you're going to write in French on an English-language mailing
> list, please can you at least try and use the correct accents (it's
> a lot harder to translate without them) and avoid idioms, so we
> stand some chance of understanding you ...
>

Sorry for this message, which has nothing to do with this discussion.
I'm French and I think this French message is a mistake, perhaps a
mail for a French RubyOnRails mailing list ("ror" in the message seems to
refer to it). It's not about spamd or OpenBSD (or I don't understand
my native language :-/ )
Sorry about this.



--
Yannick "Pouype" Francois
http://www.typouype.org
http://www.rubyfrance.org





--
Gallon sylvestre
Astek michant / Assistant CISCO
Rathaxes Core Developper
http://blog.evilkittens.org/~syl/



Re: spamd question (4.1)

2007-07-24 Thread Yannick Francois

2007/7/24, Stuart Henderson <[EMAIL PROTECTED]>:

On 2007/07/24 13:53, syl wrote:
> Who's volunteering to do the site? Because in the end ror is still web,
> so it's still
> not for me

If you're going to write in French on an English-language mailing
list, please can you at least try and use the correct accents (it's
a lot harder to translate without them) and avoid idioms, so we
stand some chance of understanding you ...



Sorry for this message, which has nothing to do with this discussion.
I'm French and I think this French message is a mistake, perhaps a
mail for a French RubyOnRails mailing list ("ror" in the message seems to
refer to it). It's not about spamd or OpenBSD (or I don't understand
my native language :-/ )
Sorry about this.



--
Yannick "Pouype" Francois
http://www.typouype.org
http://www.rubyfrance.org



Re: spamd question (4.1)

2007-07-24 Thread Stuart Henderson
On 2007/07/24 13:53, syl wrote:
> Who's volunteering to do the site? Because in the end ror is still web,
> so it's still
> not for me

If you're going to write in French on an English-language mailing
list, please can you at least try and use the correct accents (it's
a lot harder to translate without them) and avoid idioms, so we
stand some chance of understanding you ...



Re: spamd question (4.1)

2007-07-24 Thread syl

Who's volunteering to do the site? Because in the end ror is still web,
so it's still
not for me

2007/7/24, Stuart Henderson <[EMAIL PROTECTED]>:

On 2007/07/24 06:37, Jacob Yocom-Piatt wrote:
> heh. oh, and rod, you're right about the outbound IPs, that was my

confusion

> .

Masking on /24 in spamlogd would help with this for many sites.





--
Gallon sylvestre
Astek michant / Assistant CISCO
Rathaxes Core Developper
http://blog.evilkittens.org/~syl/



Re: spamd question (4.1)

2007-07-24 Thread Stuart Henderson
On 2007/07/24 06:37, Jacob Yocom-Piatt wrote:
> heh. oh, and rod, you're right about the outbound IPs, that was my confusion 
> .

Masking on /24 in spamlogd would help with this for many sites.



Re: spamd question (4.1)

2007-07-24 Thread Jacob Yocom-Piatt

Craig Skinner wrote:

On Tue, Jul 24, 2007 at 06:01:07AM -0500, Jacob Yocom-Piatt wrote:
  
even when running in pure greylisting mode, i get almost no spam 
(assuming users are not retarded and don't whitelist bad hosts). the 
only thing worth watching for is organizations that use their email as a 
short lead-time communication method. in this case people will call and 
say "where is my email from new client X!" and you have to either 
manually whitelist or tell them what they don't want to hear "well, you 
have to wait 25 minutes or more for their server to be whitelisted".





Just say that you are investigating it, and take 25 mins over your
"investigation" (surf for pictures of enema discharges to send to them),
tail the logs, and let them know that the host is now white listed. Job
done.

  


that's a shitty suggestion =).

for domains that have multiple MX records, it might be nice to have all 
those IPs whitelisted when sending to that domain. maybe this is already 
done or there is a reason it isn't :). guess someone could publish a 
list of bogus IPs in their MX records...





http://www.rfc-ignorant.org/policy-bogusmx.php

  


heh. oh, and rod, you're right about the outbound IPs, that was my 
confusion .



Can be used to weight SpamAssassin




Re: spamd question (4.1)

2007-07-24 Thread RW
On Tue, 24 Jul 2007 06:01:07 -0500, Jacob Yocom-Piatt wrote:

>for domains that have multiple MX records, it might be nice to have all 
>those IPs whitelisted when sending to that domain. maybe this is already 
>done or there is a reason it isn't :). guess someone could publish a 
>list of bogus IPs in their MX records...
>

Outgoing server pools do not have MX records .

Some biggies use SPF (Bob Beck has good info in a presentation about
why you would not use it at your own MX to check incoming mail) and
those usually provide records that you can access with dig or host. Use
-ttxt and see. e.g. _spf.google.com has a /16, a /17, a /18, two /19s
and a /20 which you can add by hand to your own whitelist if you trust
all gmail clients.

Rod/
From the land "down under": Australia.
Do we look  from up over?



Re: spamd question (4.1)

2007-07-24 Thread Craig Skinner
On Tue, Jul 24, 2007 at 06:01:07AM -0500, Jacob Yocom-Piatt wrote:
> 
> even when running in pure greylisting mode, i get almost no spam 
> (assuming users are not retarded and don't whitelist bad hosts). the 
> only thing worth watching for is organizations that use their email as a 
> short lead-time communication method. in this case people will call and 
> say "where is my email from new client X!" and you have to either 
> manually whitelist or tell them what they don't want to hear "well, you 
> have to wait 25 minutes or more for their server to be whitelisted".
> 

Just say that you are investigating it, and take 25 mins over your
"investigation" (surf for pictures of enema discharges to send to them),
tail the logs, and let them know that the host is now white listed. Job
done.

> for domains that have multiple MX records, it might be nice to have all 
> those IPs whitelisted when sending to that domain. maybe this is already 
> done or there is a reason it isn't :). guess someone could publish a 
> list of bogus IPs in their MX records...
> 

http://www.rfc-ignorant.org/policy-bogusmx.php

Can be used to weight SpamAssassin

-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]



Re: spamd question (4.1)

2007-07-24 Thread Jacob Yocom-Piatt

RW wrote:

On Mon, 23 Jul 2007 20:51:33 -0700, Darrin Chandler wrote:

  

Also, though spamd works GREAT, it is what it is. As I mentioned above,
it will not stop spam from real mail servers, whether open relays or
spam house servers. You may get to the point where you do want to add
ports/packages). I deal with a few different domains. On some I need
more filtering, and on others I use only spamd. Don't add extra stuff
unless you find you need it. Even so, having spamd take the major brunt
will let you do additional filtering without needing a beefy server.



Well I host two domains here and spamd stops plenty of mail from real
servers or spambots that use the host's idea of an outbound MX.

I do NO content inspection whatsoever and spam into mailboxes is almost
zero.

I hate spam but my philosophy is that deleting one spam every week or
so (actually I'm getting less than one a month) is better than losing
genuine mail and hardly qualifies as a stressor.

The default blacklisting of China and Korea is OK for me as I haven't
had work in Korea since well before spamd came along.

  


even when running in pure greylisting mode, i get almost no spam 
(assuming users are not retarded and don't whitelist bad hosts). the 
only thing worth watching for is organizations that use their email as a 
short lead-time communication method. in this case people will call and 
say "where is my email from new client X!" and you have to either 
manually whitelist or tell them what they don't want to hear "well, you 
have to wait 25 minutes or more for their server to be whitelisted".


for domains that have multiple MX records, it might be nice to have all 
those IPs whitelisted when sending to that domain. maybe this is already 
done or there is a reason it isn't :). guess someone could publish a 
list of bogus IPs in their MX records...




Re: spamd question (4.1)

2007-07-23 Thread RW
On Mon, 23 Jul 2007 20:51:33 -0700, Darrin Chandler wrote:

>Also, though spamd works GREAT, it is what it is. As I mentioned above,
>it will not stop spam from real mail servers, whether open relays or
>spam house servers. You may get to the point where you do want to add
>ports/packages). I deal with a few different domains. On some I need
>more filtering, and on others I use only spamd. Don't add extra stuff
>unless you find you need it. Even so, having spamd take the major brunt
>will let you do additional filtering without needing a beefy server.

Well I host two domains here and spamd stops plenty of mail from real
servers or spambots that use the host's idea of an outbound MX.

I do NO content inspection whatsoever and spam into mailboxes is almost
zero.

I hate spam but my philosophy is that deleting one spam every week or
so (actually I'm getting less than one a month) is better than losing
genuine mail and hardly qualifies as a stressor.

The default blacklisting of China and Korea is OK for me as I haven't
had work in Korea since well before spamd came along.

Greytrapping, using Bob Beck's list plus a bunch of locally harvested
never-been-used addresses that seem to be on many spam target lists,
added to the OK domains feature that came with 4.1, does the rest.

It can be a bit of a pain dealing with the outbound server pools but I
usually spot spamdb telling me that it has the one sender/ one target
combo listed from several IPs and then I go and get the pool details
(if I can) and whitelist it. Most get through eventually.

Content inspection is "playing catchup" and most of the well heeled
spammers own a bunch of hardware filters (Barracuda etc) and run
Spamass and other cpu wasters. All of them are kept right up to date
and the mailings are rapidly changed to address the latest hurdles.

I see this because I keep one remote mailbox entirely unfiltered in
another domain. It gets NO genuine mail but its address has been put
invisibly on webpages and seeded onto similar locations. Mostly I just
junk the entire contents regularly, but on an idle day I have a sniff
at a few to see what the bastards are up to. Very educational.

Of course there are poorboys who don't have any track on the latest
bayesian-guessing toys and they seem to persist but they don't get
through here either so why waste cycles?

It's all a judgement call but I'm very happy with what the devs have
provided for our use.

I only use one BL lookup on the MX and that is zen.spamhaus.org but I
never seem to see hits from it anyway.

Good luck!

Rod/
From the land "down under": Australia.
Do we look  from up over?



Re: spamd question (4.1)

2007-07-23 Thread patrick keshishian

On 7/23/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:

It seems normal enough. What I and some others have done in addition is
to add a whitelist that bypasses spamd altogether. Into that whitelist
goes gmail (host -ttxt gmail.com) and other large providers using pools
for outgoing mail.


Good point.



If you are concerned about the entries that you saw whitelisted, have
you checked where the mail went that they sent? If this is wholly your
domain then you should be able to easily see that. If you can't look
(because it's other people's mail) then you can still ask around and see
if people have been getting spam.


I've not had a chance to examine where the white listed hosts
were trying to send to (yet).  I have yet to run sendmail to
accept incoming mail.  However, while monitoring the output
from spamdb, I did notice most "to" addresses for the GREY
trapped hosts were bogus recipients.


Also, though spamd works GREAT, it is what it is. As I mentioned above,
it will not stop spam from real mail servers, whether open relays or
spam house servers. You may get to the point where you do want to add


I see your point about open relays and such.

Thanks for your input!
--patrick



Re: spamd question (4.1)

2007-07-23 Thread Darrin Chandler
On Mon, Jul 23, 2007 at 08:05:45PM -0700, patrick keshishian wrote:
> I'm actually curious about the expected behavior of spamd and
> how effective it is against spam on its own (i.e., without any
> additional SPAM retardants, such as SpamAssassin, etc).

Putting spamd (with greylisting) on some decently busy (for us) domains
that were getting *loads* of spam, I saw an immediate drop of about
80-95% in spam. The range is because not all spam comes in the same way.
spam from dsl/cable botnets is caught, while open relay spam is not.
Spam from various sources seems to come in waves.

> So, what I would like to know from spamd users/developers, if
> this is a typical and expected result?

It seems normal enough. What I and some others have done in addition is
to add a whitelist that bypasses spamd altogether. Into that whitelist
goes gmail (host -ttxt gmail.com) and other large providers using pools
for outgoing mail.

If you are concerned about the entries that you saw whitelisted, have
you checked where the mail went that they sent? If this is wholly your
domain then you should be able to easily see that. If you can't look
(because it's other people's mail) then you can still ask around and see
if people have been getting spam.

Also, though spamd works GREAT, it is what it is. As I mentioned above,
it will not stop spam from real mail servers, whether open relays or
spam house servers. You may get to the point where you do want to add
ports/packages). I deal with a few different domains. On some I need
more filtering, and on others I use only spamd. Don't add extra stuff
unless you find you need it. Even so, having spamd take the major brunt
will let you do additional filtering without needing a beefy server.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: spamd question

2007-01-18 Thread Martin
On Thursday 18 January 2007 13:02, you wrote:

>
> I need to spend more time doing scripting anyway...so it could be a good
> learning curve.  I never seem to have the time ordinarily.


But there again, it looks like it's likely impossible without doing too much 
damage.

At least I understand the issue and pitfalls better than before.

Anyway, instructive.

Best wishes...Martin



Re: spamd question

2007-01-18 Thread Steve Tornio

Martin wrote:

Can (or does) spamd look at the From:, do an MX/A record DNS lookup and
compare it to the sender IP to see if it's valid during the SMTP
transaction?


Assuming you're talking about spamd in greylisting mode, here's your 
answer from spamd(8):  spamd will use the db file in /var/db/spamd to 
track these non-blacklisted connections to spamd by connecting IP 
address, envelope-from, and envelope-to, or "tuple" for short.


spamdb does nothing more than take the tuple it's given, and then 
compare it to a subsequent connection.  If a connection is made using 
the same tuple, after a specified period of time, then the IP address is 
added to the spamd-white table.  There are no lookups of any kind, which 
is part of the reason spamd remains lightweight and efficient.


But there are other reasons why your suggestion is not a good one.



> (I note if you put in a spamtrap email address it will do a straight IP block)


Yes, your answer is once more in the man page: When a host that is 
currently greylisted attempts to send mail to a spamtrap address, it is 
blacklisted for 24 hours by adding the host to the spamd blacklist 
spamd-greytrap.  This is straightforward, since the To: address is part 
of the tuple that spamd is already assembling.




> e.g.
>
> Return-Path: <[EMAIL PROTECTED]>
>  Delivered-To: [EMAIL PROTECTED]
>  Received: (qmail 11000 invoked from network); 17 Jan 2007 17:19:49 -
>  Received: from host194.skytechinc.com (HELO mail.skytechinc.com) 
> (63.111.223.194)
>   by felix.chaossolutions.org with ESMTP; 17 Jan 2007 17:19:49 -
>  Received: from User ([86.127.117.209]) by mail.skytechinc.com with Microsoft 
> SMTPSVC(6.0.3790.1830);
>  Tue, 16 Jan 2007 17:51:43 -0500
>  Reply-To: <[EMAIL PROTECTED]>
>  From: "Town North Bank"<[EMAIL PROTECTED]>
>  Subject: Notification from North Town BANK !
>  Date: Wed, 17 Jan 2007 00:51:46 +0200
>
> dig mx tnnb.com
>
> ;; ADDITIONAL SECTION:
> mx1.tnnb.com.   3600    IN  A   208.217.213.106
>
> So obviously the IP 63.111.223.194 does not belong to a tnnb.com mail server 
> and can be blacklisted/tarpitted.


Is it that obvious?  Let's check a large company:

$ host -t mx hormel.com
hormel.com mail is handled by 200 hormel.com.mail6.psmtp.com.
hormel.com mail is handled by 300 hormel.com.mail7.psmtp.com.
hormel.com mail is handled by 400 hormel.com.mail8.psmtp.com.
hormel.com mail is handled by 100 hormel.com.mail5.psmtp.com.


Hormel uses Postini for all their incoming email, for spam/virus 
protection, and so an MX lookup does not tell you where their email 
originates.  How much code would you add to spamd, and still not have a 
workable solution?  Hormel is just an example I pulled from Postini's 
customer page.  There are many, many companies out there that outsource 
their incoming email for virus/spam/compliance reasons.  It is one of 
the headaches I deal with regularly, when their outgoing mail servers 
ignore the 451 message, and instead try 5-6 times in quick succession, 
then report failure (Symantec AV Gateway for Exchange, I'm looking in 
your general direction).




> Of course, you may want certain IP ranges whitelisted if they are important to 
> you.
>
> You might want to allow/whitelist a specific, or a number of email addresses 
> from an IP but greylist/blacklist the rest depending on your requirements.


No.  I don't want spamd to greylist each unique address that comes from 
a host.  Once a mail server has been whitelisted, I accept all mail from 
that server.  Part of the confusion here seems to be that you think 
spamd cares about DNS.  It doesn't.




> Can some of the above be discussed/implemented in spamd?
>
> Sorry, I don't program, just do some light scripting, but if I can see obvious 
> SPAM's from the headers and a dns MX/A lookup, I would hope that spamd could 
> be extended with options to catch and tarpit these people/servers/viruses 
> etc.




It's not obvious, and that's not what spamd does.  You could certainly 
configure your mail server to do strict checking, and only accept mail 
from IPs with valid MX records (I would never do such a thing myself, 
but I'm sure it can be done).



Steve
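
To make the tuple mechanism Steve describes concrete, here is a small Python model of spamd's greylisting and greytrap decisions. It is an added illustration written for this archive, not code from spamd or from anyone in the thread; the trap address and sample IPs are made up, and the pass/expiry constants follow spamd's -G defaults and the 24-hour greytrap quoted from the man page above.

```python
"""Toy model of spamd(8) greylisting as described above.

Constructed example, not spamd's own code: state lives in plain dicts
instead of /var/db/spamd, and times are integer seconds for easy testing."""
from dataclasses import dataclass, field

PASSTIME = 25 * 60     # spamd -G default: tuple must be retried after 25 min
GREYEXP = 4 * 3600     # spamd -G default: grey entries expire after 4 hours
TRAPTIME = 24 * 3600   # greytrap blacklisting lasts 24 hours (man page)


@dataclass
class Greylister:
    spamtraps: set = field(default_factory=set)   # assumed trap addresses
    grey: dict = field(default_factory=dict)      # (ip, from, to) -> first seen
    white: set = field(default_factory=set)       # whitelisted IPs
    trapped: dict = field(default_factory=dict)   # IP -> time it hit a trap

    def connect(self, ip, sender, rcpt, now):
        """Decide one SMTP transaction. No DNS, MX or SPF lookup happens:
        only the connecting IP and the envelope addresses are consulted."""
        if ip in self.trapped:
            if now - self.trapped[ip] < TRAPTIME:
                return "BLACKLISTED"           # kept talking to spamd, tarpitted
            del self.trapped[ip]               # 24 hours are up
        if ip in self.white:
            return "WHITE"                     # bypasses spamd, all mail accepted
        if rcpt in self.spamtraps:
            # greylisted host mailed a trap: blacklist the IP, keep no grey entry
            self.trapped[ip] = now
            self.grey = {t: s for t, s in self.grey.items() if t[0] != ip}
            return "TRAPPED"
        key = (ip, sender, rcpt)
        first = self.grey.get(key)
        if first is None or now - first > GREYEXP:
            self.grey[key] = now               # new (or expired) tuple
            return "TEMPFAIL"                  # 451, come back later
        if now - first < PASSTIME:
            return "TEMPFAIL"                  # retried too soon, still grey
        # tuple retried after passtime: the whole IP is whitelisted
        self.white.add(ip)
        self.grey = {t: s for t, s in self.grey.items() if t[0] != ip}
        return "WHITE"


def quick_retrier(g, ip):
    """Server that ignores 451 and retries 6 times within a minute, as in the
    gateway complaint above: it never gets whitelisted (constructed case)."""
    return [g.connect(ip, "a@example.net", "b@example.org", s) for s in range(0, 60, 10)]
```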



Re: spamd question

2007-01-18 Thread Martin
On Thursday 18 January 2007 11:48, you wrote:

> This turns out not to be the case. MX records tell you where to send
> mail TO that domain, and have nothing to do with mail FROM that domain.
> While the TO/FROM servers are often the same, they are also often not
> the same, especially for large providers.
>
> Some domains provide SPF records in dns, and you can incorporate spf
> checks into your MTA, SpamAssassin, etc.


Good points, but for the several hundred I have manually checked over the last few 
months, I have easily been able to tell the difference.  
Aghh, but that's because I've only been checking SPAM's, not good emails as 
well.  I have also looked at the IP range assigned when the MX or A didn't 
match.  Yes, so it's more complicated.

The 'road warrior' issue though could be a problem for some, but not for me 
as I don't use it yet.  I think I'm going to try and do some stuff at the 
tcpserver/rbl level after it passes spamd initially just logging and 
checking.
pop before send or smtp auth could be used for the road people in the future.

I need to spend more time doing scripting anyway...so it could be a good 
learning curve.  I never seem to have the time ordinarily.

Well thanks again for all the responses.  It's appreciated.  Asking questions 
and getting excellent answers is what this list is all about.

Regards...Martin



Re: spamd question

2007-01-18 Thread Darrin Chandler
On Thu, Jan 18, 2007 at 11:27:29AM -0500, Martin wrote:
> I'm using spamd but am noticing that some SPAM is still coming through

Me, too. But spamd stops over 90% with minimal overhead.

> dig mx tnnb.com
> 
> 
> 
> ;; ADDITIONAL SECTION:
> mx1.tnnb.com.   3600    IN  A   208.217.213.106
> 
> So obviously the IP 63.111.223.194 does not belong to a tnnb.com mail server 
> and can be blacklisted/tarpitted.

This turns out not to be the case. MX records tell you where to send
mail TO that domain, and have nothing to do with mail FROM that domain.
While the TO/FROM servers are often the same, they are also often not
the same, especially for large providers.

Some domains provide SPF records in dns, and you can incorporate spf
checks into your MTA, SpamAssassin, etc.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: spamd question

2007-01-18 Thread Otto Moerbeek
On Thu, 18 Jan 2007, Martin wrote:

> Hello.
> 
> I'm using spamd but am noticing that some SPAM is still coming through
> 
> It's probably more dev but I don't like posting to the dev/tech lists.  If the
> ideas/info have merit, then perhaps it can be forwarded to that list.
> 
> Can (or does) spamd look at the From:, do a MX/A record dns lookup and 
> compare it to the sender IP to see if it's valid during the SMTP 
> transaction?

Your idea is flawed, there's nothing requiring incoming mail to come
from an IP accepting mail for that domain.

-Otto
> 
> (I note if you put in a spamtrap email address it will do a straight IP block)
> 
> e.g.
> 
> Return-Path: <[EMAIL PROTECTED]>
>  Delivered-To: [EMAIL PROTECTED]
>  Received: (qmail 11000 invoked from network); 17 Jan 2007 17:19:49 -
>  Received: from host194.skytechinc.com (HELO mail.skytechinc.com) 
> (63.111.223.194)
>   by felix.chaossolutions.org with ESMTP; 17 Jan 2007 17:19:49 -
>  Received: from User ([86.127.117.209]) by mail.skytechinc.com with Microsoft 
> SMTPSVC(6.0.3790.1830);
>  Tue, 16 Jan 2007 17:51:43 -0500
>  Reply-To: <[EMAIL PROTECTED]>
>  From: "Town North Bank"<[EMAIL PROTECTED]>
>  Subject: Notification from North Town BANK !
>  Date: Wed, 17 Jan 2007 00:51:46 +0200
> 
> 
> dig mx tnnb.com
> 
> 
> 
> ;; ADDITIONAL SECTION:
> mx1.tnnb.com.   3600    IN  A   208.217.213.106
> 
> So obviously the IP 63.111.223.194 does not belong to a tnnb.com mail server 
> and can be blacklisted/tarpitted.
> 
> Of course, you may want certain IP ranges whitelisted if they are important to
> you.
> 
> You might want to allow/whitelist a specific, or a number of email addresses 
> from an IP but greylist/blacklist the rest depending on your requirements.
> 
> Can some of the above be discussed/implemented in spamd?
> 
> Sorry, I don't program, just do some light scripting, but if I can see obvious
> SPAM's from the headers and a dns MX/A lookup, I would hope that spamd could 
> be extended with options to catch and tarpit these people/servers/viruses 
> etc.
> 
> Regards...Martin



Re: spamd question

2007-01-18 Thread Marcus Popp
On 2007-01-18T11:27, Martin wrote:
> Hello.
> 
> I'm using spamd but am noticing that some SPAM is still coming through
> 
> It's probably more dev but I don't like posting to the dev/tech lists.  If the
> ideas/info have merit, then perhaps it can be forwarded to that list.
> 
> Can (or does) spamd look at the From:, do a MX/A record dns lookup and 
> compare it to the sender IP to see if it's valid during the SMTP 
> transaction?
That is not so easy. You could easily shoot yourself in the foot.
SPF is very similar but needs some additional dns entries.

hth,

Marcus.