Re: Design of spamd

2011-12-01 Thread Boudewijn Dijkstra 
Op Wed, 30 Nov 2011 20:02:38 +0100 schreef Han Boetes  
h...@mijncomputer.nl:

Boudewijn Dijkstra wrote:

Op Tue, 29 Nov 2011 21:54:37 +0100 schreef Han Boetes
h...@mijncomputer.nl :
 At the moment all spamd greylisting cares about is, does it retry
 connecting? Unfortunately a lot of spammers do a spamrun and
 simply try sending a spam message or 10 and then move on to the
 next smtp server on their list and that get's them white listed in
 a matter of seconds.

No it doesn't.  Your passtime is too short (default is 25 minutes).


Yes I thought that was weird too.

This is how I start spamd:
   sudo /usr/libexec/spamd -G 25:4:864 -v

 -G passtime:greyexp:whiteexp
  Adjust the three time parameters for greylisting. passtime defaults to
  25 (minutes), greyexp to  4  (hours),  and  whiteexp  to  864  (hours,
  approximately 36 days).

So for some reason passtime is ignored on my machine. I've tested
this with telnet quite extensively. And after 3,4,5 attempts in a
minute or so the address is whitelisted.


Are you also using spamlogd(8)?


 I don't make it up, it's that simple.

 Anyway. Wouldn't it be nice if spamd would do the checks that
 postfix does so the mailserver protecting code can be separated
 from the real functionality?

 So spamd would use the stuttering time to figure out if the ip is
 not on an rbl, if the dnsname is reverse resolvable, if the helo
 is valid, if the sender is not matching silly pattern, etc etc

A few years ago I started work on a Java application that remotely
tabulates, sorts and correlates the data, looks up DNS information
and verifies recipients with a Postfix server.  Via right-click menus
I can manipulate the database.  Have been using it daily ever since
it became slightly usable, but there is still a lot of work to do...


Doesn't postfix do al that stuff already?


Yes, but I don't want it to make decisions for me.  Also, the application  
provides me with information to do other stuff, like whitelisting things  
earlier, trapping legitimate MTA's, adding netblocks to mywhite,  
removing Hotmail servers from the traplist when necessary, inform a  
colleague when an important client makes a typo, etc.  And I forgot to  
mention it also does GeoIP country lookup.




--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: Design of spamd

2011-11-30 Thread Boudewijn Dijkstra 
Op Tue, 29 Nov 2011 21:54:37 +0100 schreef Han Boetes  
h...@mijncomputer.nl:

At the moment all spamd greylisting cares about is, does it retry
connecting? Unfortunately a lot of spammers do a spamrun and
simply try sending a spam message or 10 and then move on to the
next smtp server on their list and that get's them white listed in
a matter of seconds.


No it doesn't.  Your passtime is too short (default is 25 minutes).


Not really a problem. I use postfix and with a few smart
configuration statements it can fend for itself pretty well. You
can make it check for various things like being on a rbl,


spamd.conf(5) allows adding blacklists.


not
having a reverse dns, not posting with a real helo etc etc. And
all result in an entry in the logfiles which contains NOQUEUE.

So I wrote the little script below which checks the spamdb output and
the postfix logfile output:

So far I am only bothered with one spam group. And they have been
sending spam with the same silly pattern for over five years now:

  g[a-z][0-9]{5}@mydomain.com


As sender or recipient?  If recipient, then spamd.alloweddomains should  
take care of that.



I don't make it up, it's that simple.

Anyway. Wouldn't it be nice if spamd would do the checks that
postfix does so the mailserver protecting code can be separated
from the real functionality?

So spamd would use the stuttering time to figure out if the ip is
not on an rbl, if the dnsname is reverse resolvable, if the helo
is valid, if the sender is not matching silly pattern, etc etc


A few years ago I started work on a Java application that remotely  
tabulates, sorts and correlates the data, looks up DNS information and  
verifies recipients with a Postfix server.  Via right-click menus I can  
manipulate the database.  Have been using it daily ever since it became  
slightly usable, but there is still a lot of work to do...



[...]


# Kick spammerts who got through back to the blacklist
for i in $(awk '/NOQUEUE/ {print $10}' /var/log/maillog|sed -e  
's|.*\[\(.*\)].*|\1|'|sort|uniq); do

if grep -q WHITE|$i| $SPAMDB; then
Trap $i
echo $(date) $i got through! Gotcha bastard!!  /var/log/greytoblack
fi
done


If I read this correctly, this is actually dangerous, as it could trap  
people who make typos.  Or mailers that use old addresses.



--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: Design of spamd

2011-11-30 Thread Kevin Chadwick 
On Wed, 30 Nov 2011 20:00:27 +0100
Han Boetes wrote:

 So for some reason passtime is ignored on my machine. I've tested
 this with telnet quite extensively. And after 3,4,5 attempts in a
 minute or so the address is whitelisted.

What version of OpenBSD are you running? Does it do this without your
addon scripts?

Re: Design of spamd

2011-11-30 Thread Han Boetes 
Kevin Chadwick wrote:
 On Wed, 30 Nov 2011 20:00:27 +0100
 Han Boetes wrote:

  So for some reason passtime is ignored on my machine. I've tested
  this with telnet quite extensively. And after 3,4,5 attempts in a
  minute or so the address is whitelisted.

 What version of OpenBSD are you running? 

5.0

 Does it do this without your addon scripts?

How would that affect it? It merely blacklists a few entries.



# Han