Re: Design of spamd
On Wed, 30 Nov 2011 20:02:38 +0100, Han Boetes h...@mijncomputer.nl wrote:
> Boudewijn Dijkstra wrote:
>> On Tue, 29 Nov 2011 21:54:37 +0100, Han Boetes h...@mijncomputer.nl wrote:
>>> At the moment all spamd greylisting cares about is, does it retry
>>> connecting? Unfortunately a lot of spammers do a spamrun and simply try
>>> sending a spam message or 10 and then move on to the next smtp server on
>>> their list and that gets them whitelisted in a matter of seconds.
>>
>> No it doesn't. Your passtime is too short (default is 25 minutes).
>
> Yes I thought that was weird too. This is how I start spamd:
>
>     sudo /usr/libexec/spamd -G 25:4:864 -v
>
>     -G passtime:greyexp:whiteexp
>         Adjust the three time parameters for greylisting. passtime
>         defaults to 25 (minutes), greyexp to 4 (hours), and whiteexp to
>         864 (hours, approximately 36 days).
>
> So for some reason passtime is ignored on my machine. I've tested this
> with telnet quite extensively. And after 3, 4, 5 attempts in a minute or
> so the address is whitelisted.

Are you also using spamlogd(8)?

>>> I don't make it up, it's that simple. Anyway. Wouldn't it be nice if
>>> spamd would do the checks that postfix does so the mailserver
>>> protecting code can be separated from the real functionality? So spamd
>>> would use the stuttering time to figure out if the ip is not on an rbl,
>>> if the dnsname is reverse resolvable, if the helo is valid, if the
>>> sender is not matching silly pattern, etc etc
>>
>> A few years ago I started work on a Java application that remotely
>> tabulates, sorts and correlates the data, looks up DNS information and
>> verifies recipients with a Postfix server. Via right-click menus I can
>> manipulate the database. Have been using it daily ever since it became
>> slightly usable, but there is still a lot of work to do...
>
> Doesn't postfix do all that stuff already?

Yes, but I don't want it to make decisions for me.

Also, the application provides me with information to do other stuff, like whitelisting things earlier, trapping legitimate MTAs, adding netblocks to mywhite, removing Hotmail servers from the traplist when necessary, informing a colleague when an important client makes a typo, etc. And I forgot to mention it also does GeoIP country lookup.

--
Made with Opera's revolutionary e-mail program: http://www.opera.com/mail/
(Remove the obvious prefix to reply.)
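The passtime/greyexp/whiteexp exchange above is easier to reason about with a small model in hand. The following is an added example written for this page, not spamd's own code or anything posted in the thread: a deliberately simplified greylist keyed on the (ip, helo, sender, recipient) tuple, driven by the three -G values with the defaults quoted above. The scenario functions, the IP addresses and the epoch timestamps are constructed, and the expiry bookkeeping is an assumption of the model rather than a statement about spamd's implementation.

```python
# Added example (not spamd's code): a simplified model of spamd-style
# greylisting driven by -G passtime:greyexp:whiteexp, to show why several
# retries within one minute do not whitelist a sender.
from dataclasses import dataclass, field

PASSTIME = 25 * 60       # passtime: 25 minutes, in seconds (spamd default)
GREYEXP = 4 * 3600       # greyexp: 4 hours, in seconds (spamd default)
WHITEEXP = 864 * 3600    # whiteexp: 864 hours, about 36 days (spamd default)


@dataclass
class Greylist:
    # (ip, helo, sender, recipient) -> (first_seen, expire)
    grey: dict = field(default_factory=dict)
    # ip -> expire
    white: dict = field(default_factory=dict)

    def _expire(self, now):
        """Drop GREY tuples and WHITE hosts whose expiry time has passed."""
        self.grey = {k: v for k, v in self.grey.items() if v[1] > now}
        self.white = {ip: exp for ip, exp in self.white.items() if exp > now}

    def connect(self, now, ip, helo, sender, rcpt):
        """Outcome of one delivery attempt: 'NEW' and 'GREY' are temp-failed,
        'WHITE' is passed through to the real MTA."""
        self._expire(now)
        if ip in self.white:
            return "WHITE"
        key = (ip, helo, sender, rcpt)
        if key not in self.grey:
            self.grey[key] = (now, now + GREYEXP)
            return "NEW"
        first_seen, _expire = self.grey[key]
        if now - first_seen < PASSTIME:
            # Retried before passtime elapsed: still grey. Assumption of this
            # model: the tuple's expiry is left untouched on an early retry.
            return "GREY"
        # Retried after passtime: the host (not just the tuple) is whitelisted.
        del self.grey[key]
        self.white[ip] = now + WHITEEXP
        return "WHITE"


TUPLE = ("mx.example", "a@example.org", "b@example.net")  # constructed


def spam_run(start, ip="192.0.2.10"):
    """Five attempts ten seconds apart, like a telnet test within a minute."""
    gl = Greylist()
    return [gl.connect(start + 10 * i, ip, *TUPLE) for i in range(5)]


def patient_mta(start, ip="198.51.100.7"):
    """First attempt, then one retry 30 minutes later (more than passtime)."""
    gl = Greylist()
    return [gl.connect(start, ip, *TUPLE), gl.connect(start + 30 * 60, ip, *TUPLE)]


def forgotten_after_greyexp(start, ip="203.0.113.5"):
    """No retry within greyexp: the tuple is gone and the next attempt starts over."""
    gl = Greylist()
    first = gl.connect(start, ip, *TUPLE)
    later = gl.connect(start + GREYEXP + 1, ip, *TUPLE)
    return [first, later]


if __name__ == "__main__":
    t0 = 1322600000  # constructed epoch time, 30 Nov 2011
    print("spam run:     ", spam_run(t0))
    print("patient MTA:  ", patient_mta(t0))
    print("after greyexp:", forgotten_after_greyexp(t0))
```

With the defaults, the five-attempts-in-a-minute run never leaves the grey state, while a single retry after 30 minutes whitelists the host; if a tuple is whitelisted after a minute on a real system, something other than the greylist logic (a sync peer, spamlogd, or a local script) is adding the WHITE entry.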
Re: Design of spamd
On Tue, 29 Nov 2011 21:54:37 +0100, Han Boetes h...@mijncomputer.nl wrote:
> At the moment all spamd greylisting cares about is, does it retry
> connecting? Unfortunately a lot of spammers do a spamrun and simply try
> sending a spam message or 10 and then move on to the next smtp server on
> their list and that gets them whitelisted in a matter of seconds.

No it doesn't. Your passtime is too short (default is 25 minutes).

> Not really a problem. I use postfix and with a few smart configuration
> statements it can fend for itself pretty well. You can make it check for
> various things like being on a rbl,

spamd.conf(5) allows adding blacklists.

> not having a reverse dns, not posting with a real helo etc etc. And all
> result in an entry in the logfiles which contains NOQUEUE. So I wrote the
> little script below which checks the spamdb output and the postfix
> logfile output:
>
> So far I am only bothered with one spam group. And they have been sending
> spam with the same silly pattern for over five years now:
> g[a-z][0-9]{5}@mydomain.com

As sender or recipient? If recipient, then spamd.alloweddomains should take care of that.

> I don't make it up, it's that simple. Anyway. Wouldn't it be nice if
> spamd would do the checks that postfix does so the mailserver protecting
> code can be separated from the real functionality? So spamd would use
> the stuttering time to figure out if the ip is not on an rbl, if the
> dnsname is reverse resolvable, if the helo is valid, if the sender is
> not matching silly pattern, etc etc

A few years ago I started work on a Java application that remotely tabulates, sorts and correlates the data, looks up DNS information and verifies recipients with a Postfix server. Via right-click menus I can manipulate the database. Have been using it daily ever since it became slightly usable, but there is still a lot of work to do...

[...]

>     # Kick spammers who got through back to the blacklist.
>     # Trap (a shell function) and $SPAMDB (a file holding spamdb output)
>     # are defined in the part of the script not quoted here.
>     # Field 10 of a postfix NOQUEUE line is "host[addr]:"; sed keeps addr.
>     for i in $(awk '/NOQUEUE/ {print $10}' /var/log/maillog \
>                | sed -e 's|.*\[\(.*\)].*|\1|' | sort | uniq); do
>         if grep -q "WHITE|$i|" "$SPAMDB"; then
>             Trap "$i"
>             echo "$(date) $i got through! Gotcha bastard!!" >> /var/log/greytoblack
>         fi
>     done

If I read this correctly, this is actually dangerous, as it could trap people who make typos. Or mailers that use old addresses.

--
Made with Opera's revolutionary e-mail program: http://www.opera.com/mail/
(Remove the obvious prefix to reply.)
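The objection at the end of this message (a typo or a stale address produces a NOQUEUE line just like a spam run does) can be addressed in the correlation itself. The block below is an added example written for this page, not the script from the thread or anything its author posted: it performs the same join of spamdb(8) WHITE entries against postfix NOQUEUE lines, but skips rejects whose reason points at the recipient rather than the client, and reports a whitelisted host only after a configurable number of counted rejects. The spamdb listing, the log lines, the IP addresses and the threshold are all constructed; only the first two fields of a spamdb line (type and IP) are relied on, which is also what the original grep matches.

```python
# Added example (not the thread's script): correlate spamdb WHITE entries
# with postfix NOQUEUE rejects, ignoring recipient-caused rejects and
# requiring several hits before a host is reported for review.
import re
from collections import Counter

# Constructed sample of `spamdb` output (type|ip|...); only fields 0-1 matter.
SPAMDB_SAMPLE = """\
WHITE|192.0.2.10|||1322600000|1322601500|1325710800|0|3
WHITE|198.51.100.7|||1322600000|1322601500|1325710800|0|1
GREY|203.0.113.5|mx.example|<a@example.org>|<b@example.net>|1322600000|1322601500|1322614400|1|0
"""

# Constructed sample of postfix smtpd NOQUEUE lines.
MAILLOG_SAMPLE = """\
Nov 30 19:59:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<ga12345@mydomain.com> to=<gb67890@mydomain.com> proto=ESMTP helo=<mx.example>
Nov 30 19:59:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<ga12346@mydomain.com> to=<gc11111@mydomain.com> proto=ESMTP helo=<mx.example>
Nov 30 19:59:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<ga12347@mydomain.com> to=<gd22222@mydomain.com> proto=ESMTP helo=<mx.example>
Nov 30 20:01:00 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <typoo@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<colleague@partner.example> to=<typoo@mydomain.com> proto=ESMTP helo=<mail.partner.example>
Nov 30 20:02:30 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.5]; from=<x@example.org> to=<y@mydomain.com> proto=ESMTP helo=<mx.example>
"""

# "NOQUEUE: reject: RCPT from host[addr]: CODE reason..."
NOQUEUE_RE = re.compile(
    r"NOQUEUE: reject: \S+ from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*)"
)

# Reject reasons that blame the recipient, i.e. the typo and stale-address
# cases; these are never counted against the sending host.
RECIPIENT_REASONS = ("User unknown", "Recipient address rejected")


def whitelisted_ips(spamdb_text):
    """IPs that have a WHITE entry, from fields 0 and 1 of each spamdb line."""
    ips = set()
    for line in spamdb_text.splitlines():
        fields = line.split("|")
        if len(fields) >= 2 and fields[0] == "WHITE":
            ips.add(fields[1])
    return ips


def counted_rejects(maillog_text):
    """Per-IP count of NOQUEUE rejects, skipping recipient-caused ones."""
    counts = Counter()
    for line in maillog_text.splitlines():
        m = NOQUEUE_RE.search(line)
        if m is None:
            continue
        if any(r in m.group("reason") for r in RECIPIENT_REASONS):
            continue
        counts[m.group("ip")] += 1
    return counts


def trap_candidates(spamdb_text, maillog_text, threshold=3):
    """WHITE hosts with at least `threshold` counted rejects, sorted."""
    white = whitelisted_ips(spamdb_text)
    counts = counted_rejects(maillog_text)
    return sorted(ip for ip, n in counts.items() if ip in white and n >= threshold)


if __name__ == "__main__":
    for ip in trap_candidates(SPAMDB_SAMPLE, MAILLOG_SAMPLE):
        print(ip, "is WHITE but was rejected repeatedly; review before trapping")
```

On the sample data only 192.0.2.10 is reported: the partner MTA that sent one message to a mistyped address stays untouched, and the grey host is not considered at all because it never reached the whitelist. Whether the reported hosts are then trapped automatically or reviewed first is a policy choice; the point is that the join alone is not evidence of spam.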
Re: Design of spamd
On Wed, 30 Nov 2011 20:00:27 +0100 Han Boetes wrote:
> So for some reason passtime is ignored on my machine. I've tested this
> with telnet quite extensively. And after 3, 4, 5 attempts in a minute or
> so the address is whitelisted.

What version of OpenBSD are you running?

Does it do this without your addon scripts?
Re: Design of spamd
Kevin Chadwick wrote:
> On Wed, 30 Nov 2011 20:00:27 +0100 Han Boetes wrote:
>> So for some reason passtime is ignored on my machine. I've tested this
>> with telnet quite extensively. And after 3, 4, 5 attempts in a minute
>> or so the address is whitelisted.
>
> What version of OpenBSD are you running?

5.0

> Does it do this without your addon scripts?

How would that affect it? It merely blacklists a few entries.

# Han