Re: [spamdyke-users] modifying way that filters are shown in log files
Hi,

As requested here is my configuration file. Note: My ip-whitelist-file is empty and I continue to see 100s of FILTER_EARLYTALKER delay: 5 entries but no DENIED_EARLYTALKER in my maillog files.

# spamdyke configuration file for spamdyke version 4.3.1.
# Note: All other lines not shown below are commented out on the server
greeting-delay-secs=5
reject-empty-rdns
reject-ip-in-cc-rdns
reject-missing-sender-mx
reject-unresolvable-rdns
log-level=verbose
config-dir=/var/spamdyke/domain_setups
connection-timeout-secs=0
idle-timeout-secs=60
reject-identical-sender-recipient
ip-blacklist-file=/var/spamdyke/ip-blacklist-file
recipient-blacklist-file=/var/spamdyke/recipient-blacklist-file
sender-blacklist-file=/var/spamdyke/sender-blacklist-file
ip-whitelist-file=/var/spamdyke/ip-whitelist-file
recipient-whitelist-file=/var/spamdyke/recipient-whitelist-file
sender-whitelist-file=/var/spamdyke/sender-whitelist-file
dns-blacklist-file=/var/spamdyke/dns-blacklist-file
smtp-auth-level=ondemand
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
tls-certificate-file=/var/qmail/control/servercert.pem
local-domains-file=/var/qmail/control/rcpthosts

Thanks for looking into this Sam.

Regards,
Shane Bywater

Message: 1
Date: Tue, 1 Apr 2014 18:31:15 -0500
From: Sam Clippinger s...@silence.org
Subject: Re: [spamdyke-users] modifying way that filters are shown in log files
To: spamdyke users spamdyke-users@spamdyke.org
Message-ID: 4c442bbf-7e36-46d4-adc0-e8544a199...@silence.org
Content-Type: text/plain; charset=us-ascii

I'm really sorry I haven't been able to get to spamdyke issues lately, let me see if I can catch up...

When I test the earlytalker filter by itself from the command line, it appears to work:

root@patched:/usr/local/src/spamdyke-5.0.0/spamdyke# ./spamdyke --log-target stderr -linfo -e 10 ../tests/smtpdummy/smtpdummy
helo me
220 smtpdummy ESMTP
250 HELO received
mail from:f...@bar.com
250 Refused. You are not following the SMTP protocol.
rcpt to:b...@foo.com
554 Refused. You are not following the SMTP protocol.
spamdyke[4199]: DENIED_EARLYTALKER from: f...@bar.com to: b...@foo.com origin_ip: 0.0.0.0 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
quit
221 Refused. You are not following the SMTP protocol.

So if your connections aren't being whitelisted, there may be a bug where the earlytalker filter is failing when combined with some other option(s). Could you send me your spamdyke configuration file so I can try to reproduce your setup and nail it down?

-- Sam Clippinger

On Mar 13, 2014, at 3:03 PM, Shane Bywater sh...@apexia.ca wrote:

Hi,

I disabled all whitelist options in spamdyke.conf and restarted spamdyke. Confirmed no whitelist filters continued to be displayed in the maillog file and also confirmed that only FILTER_EARLYTALKER delay: 5 was found but still no DENIED_EARLYTALKER entries. I even checked back in maillog files from 2012 and found the same result. It just can't be an authenticated user from so many different IPs (100s) from such a long period of time as my server would certainly be listed in multiple DNS blacklists (it's currently not in any).

If anyone else has the same issue I would be curious if it has anything to do with Plesk being involved. If there are no other recommendations maybe I'll try installing Spamdyke 5.0.0 unless anyone has had issues using it on a Plesk 10.4.4, CentOS 6 server. All comments are welcomed.

Regards,
Shane Bywater

--
Message: 1
Date: Wed, 12 Mar 2014 17:28:58 -0500
From: Sam Clippinger s...@silence.org
Subject: Re: [spamdyke-users] modifying way that filters are shown in log files
To: spamdyke users spamdyke-users@spamdyke.org
Message-ID: a70266f0-2742-4c3b-9820-adc66fe9f...@silence.org
Content-Type: text/plain; charset=us-ascii

If the earlytalker filter actually blocks a connection, you should see a DENIED_EARLYTALKER message in the log. Are you sure that connection isn't whitelisted or authenticating? Either of those things would prevent the earlytalker filter from actually blocking the connection.

-- Sam Clippinger

On Mar 11, 2014, at 10:04 PM, Shane Bywater sh...@apexia.ca wrote:

Hi,

I'm running Spamdyke 4.3.1 on a CentOS 6 server. I've been successfully using spamdyke along with fail2ban to block IPs with the following characteristics: Missing RDNS and RDNS containing IP address. In the maillog files I see the following:

Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 186.52.196.7 rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy
Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: birgitta.weh...@vll.ca to: u...@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.an
On Mar 11, 2014, at 10:04 PM, Shane Bywater sh...@apexia.ca wrote:

Hi,

I'm running Spamdyke 4.3.1 on a CentOS 6 server. I've been successfully using spamdyke along with fail2ban to block IPs with the following characteristics: Missing RDNS and RDNS containing IP address. In the maillog files I see the following:

Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 186.52.196.7 rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy
Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: birgitta.weh...@vll.ca to: u...@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.an
Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 117.207.23.39
Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: 73a8...@enerdeco.nl to: u...@domain.com origin_ip: 117.207.23.39 origin_rdns: (unknown) auth: (unknown)
Aug 24 04:21:33 apexia spamdyke[25574]: FILTER_EARLYTALKER delay: 5
Aug 24 04:21:33 apexia /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 101.208.35.161:51645 (not defined)

My fail2ban configuration file contains:

[Definition]
failregex = spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: <HOST>
            spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: <HOST>
            spamdyke.+: FILTER_EARLYTALKER delay: 5.+from <HOST>   --not working
ignoreregex =

My issue is I now want to start banning IPs that set off the FILTER_EARLYTALKER filter but as there is no corresponding DENIED_EARLYTALKER from: x...@yyy.com to u...@domain.com origin_ip: 111.222.333.444 I cannot figure out the proper failregex expression to match the existing format for FILTER_EARLYTALKER nor do I know how to change spamdyke to show a familiar DENIED_EARLYTALKER ... heading in the maillog which I could determine the proper failregex for. If anyone can provide me with some suggestions that would be appreciated.

Regards,
Shane Bywater

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
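Why the third failregex line above can never fire, and what a regex for a DENIED_EARLYTALKER line would look like, as an added example; this is not code from the thread, from spamdyke or from fail2ban. It is a simplified stand-in for fail2ban's matching model: each failregex is tested against one log line at a time, and the `<HOST>` tag is expanded to an IPv4 capture only (fail2ban's real tag also matches hostnames and IPv6). The log lines are constructed in the shape of the excerpts quoted above, using RFC 5737 documentation addresses, and the DENIED_EARLYTALKER line assumes the format seen in Sam's command-line test; whether a given server actually writes that line is the open question of the thread.

```python
import re

# Constructed maillog lines in the shape of the excerpts quoted in the thread
# (not copied from a live server); addresses are from the RFC 5737 documentation
# ranges. The last line ASSUMES spamdyke writes DENIED_EARLYTALKER in the format
# shown in Sam's command-line test.
SAMPLE_LOG = """\
Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 192.0.2.7 rdns: r192-0-2-7.dialup.example.net
Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: sender@example.net to: user@example.com origin_ip: 192.0.2.7 origin_rdns: r192-0-2-7.dialup.example.net
Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 198.51.100.39
Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: sender@example.org to: user@example.com origin_ip: 198.51.100.39 origin_rdns: (unknown) auth: (unknown)
Aug 24 04:21:33 server spamdyke[25574]: FILTER_EARLYTALKER delay: 5
Aug 24 04:21:33 server /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 203.0.113.7:51645 (not defined)
Aug 24 04:21:38 server spamdyke[25574]: DENIED_EARLYTALKER from: sender@example.com to: user@example.com origin_ip: 203.0.113.7 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
"""

# The three failregex lines from the thread, plus a fourth built on the same
# shape for the DENIED_EARLYTALKER line (an assumption, see above).
FAILREGEX = [
    r"spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: <HOST>",
    r"spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: <HOST>",
    r"spamdyke.+: FILTER_EARLYTALKER delay: 5.+from <HOST>",   # the "not working" one
    r"spamdyke.+: DENIED_EARLYTALKER from:.+origin_ip: <HOST>",
]

# Simplified <HOST> expansion: IPv4 only (fail2ban's real tag is broader).
HOST_TAG = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(pattern):
    """Expand the <HOST> tag into a named capture group, as fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def scan(log_text, patterns=FAILREGEX):
    """Evaluate every pattern against every line independently (fail2ban's model:
    one log line at a time, no state carried between lines) and return a list of
    (pattern_index, host) for each match."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = []
    for line in log_text.splitlines():
        for index, regex in enumerate(compiled):
            match = regex.search(line)
            if match:
                hits.append((index, match.group("host")))
    return hits


def hosts_for(log_text, pattern_index, patterns=FAILREGEX):
    """Hosts that a single failregex line would hand to fail2ban for banning."""
    return [host for index, host in scan(log_text, patterns) if index == pattern_index]


def lines_without_host(log_text, marker):
    """Log lines containing `marker` that carry no IPv4 address at all, i.e. lines
    from which no <HOST> pattern can ever extract a ban target."""
    host_re = re.compile(HOST_TAG)
    return [line for line in log_text.splitlines()
            if marker in line and not host_re.search(line)]


if __name__ == "__main__":
    for index, pattern in enumerate(FAILREGEX):
        print(f"{pattern!r}\n    -> {hosts_for(SAMPLE_LOG, index)}")
    print("lines with no IP to ban on:",
          lines_without_host(SAMPLE_LOG, "FILTER_EARLYTALKER"))
```

The third pattern returns nothing because the FILTER_EARLYTALKER line ends at `delay: 5`; the `mail from <ip>` text lives on a separate relaylock line with a different PID, and a failregex only ever sees one line. The fourth pattern returns the origin_ip only because the constructed log contains a DENIED_EARLYTALKER line; on a server that logs FILTER_EARLYTALKER without a matching DENIED_EARLYTALKER, as described in the thread, it would return nothing too.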
End of spamdyke-users Digest, Vol 82, Issue 9