Hi,

I've started using spamlogd, and since then, every single connection attempt results in the host being whitelisted.

I log some `rdr-to 127.0.0.1 port spamd` connection attempts into pflog, and it would seem like the spamlogd filter (for port 25) is picking up the original dport, not the rewritten one (with hdr->dport containing the original port, too).

Not sure of the correct solution, but one of the options is to look at the hdr->rewritten field, and only act if it is false. This might impact someone who does pf rewrites for sendmail itself, but at least it's not going to let all the spam in for someone who simply logs stuff. A patch is attached.

Cheers,
Constantine.

Cns# tail /var/log/spamd
Mar  6 08:12:53 Cns spamlogd[1082]: inbound 74.122.155.17
Mar  6 08:50:27 Cns spamd[5220]: 46.53.132.165: connected (1/0)
Mar  6 08:50:27 Cns spamlogd[1082]: inbound 46.53.132.165
Mar  6 08:50:30 Cns spamd[5220]: 46.53.132.165: disconnected after 3 seconds.
Mar  6 08:51:37 Cns spamd[5220]: 178.127.228.161: connected (1/0)
Mar  6 08:51:37 Cns spamlogd[1082]: inbound 178.127.228.161
Mar  6 08:51:40 Cns spamd[5220]: 178.127.228.161: disconnected after 3 seconds.
Mar  6 09:21:54 Cns spamlogd[1082]: inbound 46.241.252.81
Mar  6 09:21:55 Cns spamd[5220]: 46.241.252.81: connected (1/0)
Mar  6 09:21:58 Cns spamd[5220]: 46.241.252.81: disconnected after 3 seconds.

Cns# fgrep 46.241.252.81 /var/log/spamd
Mar  6 09:21:54 Cns spamlogd[1082]: inbound 46.241.252.81
Mar  6 09:21:55 Cns spamd[5220]: 46.241.252.81: connected (1/0)
Mar  6 09:21:58 Cns spamd[5220]: 46.241.252.81: disconnected after 3 seconds.

Cns# tcpdump -o -n -e -ttt -r /var/log/pflog host 46.241.252.81 | tail
tcpdump: WARNING: snaplen raised from 116 to 160
Mar 06 09:21:54.834606 rule 43/(match) pass in on re0: 46.241.252.81.3748 > 
127.0.0.1.8025: S (src OS: Windows 2000 RFC1323, Windows XP RFC1323) 
4277363076:4277363076(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)

Cns# fgrep 46.241.252.81 /var/log/maillog

Cns# spamdb | fgrep 46.241.252.81
WHITE|46.241.252.81|||1362590514|1362590514|1365700914|1|0

Cns# date -r 1362590514
Wed Mar  6 09:21:54 PST 2013

Cns# uname -rms
OpenBSD 5.2 amd64

(Logs were rotated several days ago, so what you see is what's there.)

Index: spamlogd.c
===================================================================
RCS file: /cvs/OpenBSD-CVS/src/libexec/spamlogd/spamlogd.c,v
retrieving revision 1.21
diff -u -d -p -8 -r1.21 spamlogd.c
--- spamlogd.c  18 Mar 2011 22:37:06 -0000      1.21
+++ spamlogd.c  6 Mar 2013 19:44:32 -0000
@@ -174,20 +174,22 @@ logpkt_handler(u_char *user, const struc
 
        /* We're interested in passed packets */
        if (hdr->action != PF_PASS)
                return;
 
        af = hdr->af;
        if (af == AF_INET) {
                ip = (const struct ip *)(sp + hdrlen);
-               if (hdr->dir == PF_IN)
+               if (hdr->dir == PF_IN) {
+                       if (hdr->rewritten == 1)
+                               return;
                        inet_ntop(af, &ip->ip_src, ipstraddr,
                            sizeof(ipstraddr));
-               else if (hdr->dir == PF_OUT && !flag_inbound)
+               } else if (hdr->dir == PF_OUT && !flag_inbound)
                        inet_ntop(af, &ip->ip_dst, ipstraddr,
                            sizeof(ipstraddr));
        }
 
        if (ipstraddr[0] != '\0') {
                if (hdr->dir == PF_IN)
                        logmsg(LOG_DEBUG,"inbound %s", ipstraddr);
                else 
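Review bot: the early return on `hdr->rewritten` is unconditional, so as the cover text itself admits it silences spamlogd for anyone whose real MTA sits behind an rdr-to rule; gating the skip behind a command-line option, or only skipping when the rewritten destination is the spamd port rather than refusing every rewritten packet, would keep the fix from regressing that setup. Minor: `if (hdr->rewritten == 1)` can just be `if (hdr->rewritten)`, and the change is only applied in the `af == AF_INET` / `PF_IN` branch, so if the AF_INET6 path below this hunk mirrors it, it needs the same check. The new behaviour should also be mentioned in spamlogd(8).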

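A check a practitioner would want after reading the report above, added here as an example and not part of the original post or of spamlogd: audit `spamdb` WHITE entries against the spamd/spamlogd syslog lines, flagging any host whose whitelisting coincides (within a couple of seconds) with both a spamlogd "inbound" line and a spamd "connected" line, since that is exactly the signature of a greylisted connection being whitelisted by the rdr-to'd packet. The log lines are the ones quoted in the report; the WHITE records for the other three hosts are constructed, as is the assumed spamdb field layout (WHITE|ip|||first|pass|expire|bcount|pcount) and the PST offset taken from the report's `date -r` output.

```python
"""Audit spamdb WHITE entries against spamd and spamlogd syslog lines.

Added example, not spamlogd's own code. A host that spamlogd recorded as
"inbound" within a second or two of spamd reporting it "connected" was
whitelisted because of the rdr-to'd spamd connection itself, not because
a real MTA accepted mail from it.
"""
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# syslog prefix as written by syslogd, e.g.
# "Mar  6 09:21:54 Cns spamd[5220]: 46.241.252.81: connected (1/0)"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) \S+ "
    r"(?P<daemon>spamlogd|spamd)\[\d+\]: (?P<msg>.*)$")
SPAMLOGD_RE = re.compile(r"^(inbound|outbound) (\S+)$")
SPAMD_RE = re.compile(r"^(\S+): (connected|disconnected)\b")


def parse_events(lines, year):
    """Yield (local_time, daemon, event, ip) for the lines we understand."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                     int(m["hh"]), int(m["mm"]), int(m["ss"]))
        if m["daemon"] == "spamlogd":
            e = SPAMLOGD_RE.match(m["msg"])
            if e:
                yield t, "spamlogd", e.group(1), e.group(2)
        else:
            e = SPAMD_RE.match(m["msg"])
            if e:
                yield t, "spamd", e.group(2), e.group(1)


def parse_white(spamdb_lines):
    """Return {ip: first_seen_epoch} for WHITE records of `spamdb` output.

    Assumed layout (matches the report): WHITE|ip|||first|pass|expire|bcount|pcount
    """
    white = {}
    for line in spamdb_lines:
        f = line.strip().split("|")
        if len(f) >= 5 and f[0] == "WHITE":
            white[f[1]] = int(f[4])
    return white


def suspect_whitelist(spamdb_lines, log_lines, year, utc_offset_hours, window=2):
    """Sorted IPs whose WHITE entry coincides with both a spamlogd 'inbound'
    and a spamd 'connected' event within `window` seconds.  Syslog stamps are
    local time while spamdb stores UTC epochs, so the offset (-8 for PST, as
    the report's `date -r` shows) lines the two up."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = list(parse_events(log_lines, year))
    win = timedelta(seconds=window)
    suspects = []
    for ip, first in parse_white(spamdb_lines).items():
        t0 = datetime.fromtimestamp(first, tz=tz).replace(tzinfo=None)
        near = {(d, ev) for t, d, ev, eip in events
                if eip == ip and abs(t - t0) <= win}
        if ("spamlogd", "inbound") in near and ("spamd", "connected") in near:
            suspects.append(ip)
    return sorted(suspects)


def cleanup_commands(suspects):
    """`spamdb -d addr` deletes an entry; one command per suspect host."""
    return ["spamdb -d %s" % ip for ip in suspects]


# Log lines quoted in the report (tail /var/log/spamd).
SAMPLE_LOG = """\
Mar  6 08:12:53 Cns spamlogd[1082]: inbound 74.122.155.17
Mar  6 08:50:27 Cns spamd[5220]: 46.53.132.165: connected (1/0)
Mar  6 08:50:27 Cns spamlogd[1082]: inbound 46.53.132.165
Mar  6 08:50:30 Cns spamd[5220]: 46.53.132.165: disconnected after 3 seconds.
Mar  6 08:51:37 Cns spamd[5220]: 178.127.228.161: connected (1/0)
Mar  6 08:51:37 Cns spamlogd[1082]: inbound 178.127.228.161
Mar  6 08:51:40 Cns spamd[5220]: 178.127.228.161: disconnected after 3 seconds.
Mar  6 09:21:54 Cns spamlogd[1082]: inbound 46.241.252.81
Mar  6 09:21:55 Cns spamd[5220]: 46.241.252.81: connected (1/0)
Mar  6 09:21:58 Cns spamd[5220]: 46.241.252.81: disconnected after 3 seconds.
""".splitlines()

# spamdb output: the 46.241.252.81 record is from the report, the other
# three are constructed with first-seen epochs matching the log times (PST).
SAMPLE_SPAMDB = """\
WHITE|74.122.155.17|||1362586373|1362586373|1365696773|1|0
WHITE|46.53.132.165|||1362588627|1362588627|1365699027|1|0
WHITE|178.127.228.161|||1362588697|1362588697|1365699097|1|0
WHITE|46.241.252.81|||1362590514|1362590514|1365700914|1|0
""".splitlines()

if __name__ == "__main__":
    bad = suspect_whitelist(SAMPLE_SPAMDB, SAMPLE_LOG, 2013, -8)
    print("\n".join(cleanup_commands(bad)))
```

On a live box, feed it `spamdb` and `/var/log/spamd` instead of the samples; 74.122.155.17 has a spamlogd "inbound" line but no spamd "connected" line near it, so it stays off the list, which is the distinction the check is built around.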