No, Constantine - the solution is to simply not use the "log" keyword on such traffic.

All of my boxen I run this on also rewrite the traffic to a (pool of) mailservers, so this is not accurate. Simply don't log the traffic you don't want spamlogd to see. The *point* of spamlogd is to ensure all continuing valid connections *stay* whitelisted.

On Wed, Mar 6, 2013 at 1:08 PM, Constantine A. Murenin <[email protected]> wrote:
> Hi,
>
> I've started using spamlogd, and since then, every single connection attempt
> results in the host being whitelisted.
>
> I log some `rdr-to 127.0.0.1 port spamd` connection attempts into pflog, and
> it would seem like the spamlogd filter (for port 25) is picking up the original
> dport, not the rewritten one (with hdr->dport containing the original port,
> too).
>
> Not sure of the correct solution, but one of the options is to look at the
> hdr->rewritten field, and only act if it is false. This might impact
> someone who does pf rewrites for sendmail itself, but at least it's not
> going to let all the spam in for someone who simply logs stuff up. A patch
> is attached.
>
> Cheers,
> Constantine.
>
> Cns# tail /var/log/spamd
> Mar 6 08:12:53 Cns spamlogd[1082]: inbound 74.122.155.17
> Mar 6 08:50:27 Cns spamd[5220]: 46.53.132.165: connected (1/0)
> Mar 6 08:50:27 Cns spamlogd[1082]: inbound 46.53.132.165
> Mar 6 08:50:30 Cns spamd[5220]: 46.53.132.165: disconnected after 3 seconds.
> Mar 6 08:51:37 Cns spamd[5220]: 178.127.228.161: connected (1/0)
> Mar 6 08:51:37 Cns spamlogd[1082]: inbound 178.127.228.161
> Mar 6 08:51:40 Cns spamd[5220]: 178.127.228.161: disconnected after 3 seconds.
> Mar 6 09:21:54 Cns spamlogd[1082]: inbound 46.241.252.81
> Mar 6 09:21:55 Cns spamd[5220]: 46.241.252.81: connected (1/0)
> Mar 6 09:21:58 Cns spamd[5220]: 46.241.252.81: disconnected after 3 seconds.
> > Cns# fgrep 46.241.252.81 /var/log/spamd > Mar 6 09:21:54 Cns spamlogd[1082]: inbound 46.241.252.81 > Mar 6 09:21:55 Cns spamd[5220]: 46.241.252.81: connected (1/0) > Mar 6 09:21:58 Cns spamd[5220]: 46.241.252.81: disconnected after 3 > seconds. > > Cns# tcpdump -o -n -e -ttt -r /var/log/pflog host 46.241.252.81 | tail > tcpdump: WARNING: snaplen raised from 116 to 160 > Mar 06 09:21:54.834606 rule 43/(match) pass in on re0: 46.241.252.81.3748 > > 127.0.0.1.8025: S (src OS: Windows 2000 RFC1323, Windows XP RFC1323) > 4277363076:4277363076(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,sackOK> > (DF) > > Cns# fgrep 46.241.252.81 /var/log/maillog > > Cns# spamdb | fgrep 46.241.252.81 > WHITE|46.241.252.81|||1362590514|1362590514|1365700914|1|0 > > Cns# date -r 1362590514 > Wed Mar 6 09:21:54 PST 2013 > > Cns# uname -rms > OpenBSD 5.2 amd64 > > (Logs were rorated several days ago, so, what you see is what's there.) > > Index: spamlogd.c > =================================================================== > RCS file: /cvs/OpenBSD-CVS/src/libexec/spamlogd/spamlogd.c,v > retrieving revision 1.21 > diff -u -d -p -8 -r1.21 spamlogd.c > --- spamlogd.c 18 Mar 2011 22:37:06 -0000 1.21 > +++ spamlogd.c 6 Mar 2013 19:44:32 -0000 > @@ -174,20 +174,22 @@ logpkt_handler(u_char *user, const struc > > /* We're interested in passed packets */ > if (hdr->action != PF_PASS) > return; > > af = hdr->af; > if (af == AF_INET) { > ip = (const struct ip *)(sp + hdrlen); > - if (hdr->dir == PF_IN) > + if (hdr->dir == PF_IN) { > + if (hdr->rewritten == 1) > + return; > inet_ntop(af, &ip->ip_src, ipstraddr, > sizeof(ipstraddr)); > - else if (hdr->dir == PF_OUT && !flag_inbound) > + } else if (hdr->dir == PF_OUT && !flag_inbound) > inet_ntop(af, &ip->ip_dst, ipstraddr, > sizeof(ipstraddr)); > } > > if (ipstraddr[0] != '\0') { > if (hdr->dir == PF_IN) > logmsg(LOG_DEBUG,"inbound %s", ipstraddr); > else >
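Review bot: the early `return` on `hdr->rewritten == 1` in the PF_IN branch skips every redirected inbound SMTP packet, not just the ones redirected to spamd, so a host whose connections pf rdr-to's to a real mail server is never whitelisted at all; the cover text admits this, but for that setup the patch defeats the daemon's purpose rather than narrowing the bug. Since the mail notes that hdr->dport still carries the original port, the header alone cannot tell the two redirects apart; one way to narrow the check would be to key on the logged packet's translated destination (the 127.0.0.1.8025 that the tcpdump output shows) and skip only packets redirected to the spamd port. Two smaller points: `if (hdr->rewritten)` is the idiomatic form for a flag, and the silent `return` leaves nothing in the debug log, so a `logmsg(LOG_DEBUG, ...)` before it would make the skipped packets visible next to the existing "inbound %s" message when someone is correlating spamlogd, spamd and pflog output as the cover text had to.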

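An added example of the rule layout the reply describes, not taken from either message in this thread: "log" appears only on the rules whose connections should keep a host whitelisted, and never on the spamd redirect, so spamlogd cannot see the greylisted attempts. The ordering and table names follow the pf.conf example in spamd(8); the interface group egress, the internal MTA addresses 10.0.0.11 and 10.0.0.12, and the use of a round-robin rdr-to pool for the "rewrite to a pool of mailservers" case are assumptions made for this example.

```conf
# /etc/pf.conf fragment (added example; not from the thread)
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# Unknown senders are redirected to spamd for greylisting. Deliberately
# no "log" on this rule: if spamlogd saw these packets it would whitelist
# every host the moment it connected, which is the symptom in the report.
pass in on egress inet proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd

# Exempt hosts go straight to the real MTAs (last matching rule wins,
# so this overrides the redirect above). Not logged: they need no
# whitelist entry.
pass in on egress inet proto tcp from <nospamd> to any port smtp \
    rdr-to { 10.0.0.11, 10.0.0.12 } round-robin

# Hosts spamd has already whitelisted reach the MTA pool. This rule is
# logged, so each new connection refreshes the host's WHITE entry and the
# host stays whitelisted, as the reply describes. The packet is rewritten
# (rdr-to), which is exactly the case the proposed patch would skip.
pass in log on egress inet proto tcp from <spamd-white> to any port smtp \
    rdr-to { 10.0.0.11, 10.0.0.12 } round-robin

# Outbound mail from this host: logged so the peers we deliver to are
# whitelisted too (omit "log" here, or run spamlogd -I, for inbound-only).
pass out log on egress inet proto tcp to any port smtp
```

After loading the rules, the same check the report used, run live, shows exactly the packets spamlogd will act on: `tcpdump -n -e -ttt -i pflog0 port smtp`. A greylisted host's SYN should no longer appear there, while `spamdb | grep ^WHITE` should keep showing refreshed expiry timestamps for hosts that are hitting the logged rule.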