just rolled out console server info to everyone (see portal)
checking...
@market typing in the wrong console window means it must be time for sleep.
so... on that note... g'night
are we split back together yet? ;-)
up_the_irons: I'm playing an evil trick on my VM system, so you know, in case someone contacts you with `interesting' observations about what ports are open... heh
wha ya doin
# spamd(8) gets fuzzing and we get to play ornery tricks on scanners
pass in log on egress proto tcp rdr-to 127.0.0.1 port spamd
hmm, I guess I intended that to be 'inet proto tcp'
fixing
but anyway at first I was just gonna do it for m$ ports, but then realized it could be more fun for all ports
in case you're not familiar, spamd(8) on OpenBSD takes a tcp connection and lowers the transmission size to 1 char per packet and only responds one byte per second
heh
why
because it `punishes' those who are doing spamming and costs very little cpu in userland to do
ah makes sense
12:26:21.894864 rule 1/(match) [uid 0, pid 26121] pass in on em0: 109.108.32.237.2698 > 208.79.89.90.445: S [tcp sum ok] 1673148574:1673148574(0) win 65535 (DF) (ttl 120, id 10405, len 48)
muhahaha
I love victims
so when are connections 'punished', i.e. under what conditions
if the remote host attempts to do spamming it's limited in how many open connections it can keep
so holding onto one for longer and causing one to use more resources is punishment
you kinda have to know how spamd works and then you'll have your answer
I'd point you to the man page online, but the cgi server is down atm
basically
yea I get the basics
the firewall in OpenBSD redirects all connections to port 25 (in the typical scenario where spamd is in use) to the spamd
spamd then does the 1 byte thing for about 5 secs then flips to `normal' tcp mode
the remote hosts then attempt to deliver mail to spamd which says temp failure
so greylisting ?
the remote ip, rcpt to, mail from, and time are stored in a db
if it retries after 26mins it is added to a whitelist in the pf firewall
yea std greylisting
which bypasses the rdr to spamd and hits the real mta whatever that may be
it is std greylisting for OpenBSD
I use postgrey for similar thing
I've seen e.g. postfix that will require greylisting for every recipient individually every 24hrs
it is insane
that's a bit overboard
once spamd(8) learns of an IP it is whitelisted for 31 days, and advanced to 31 days out each time the remote IP is sent a piece of mail or receives a piece of mail
I keep whitelisted receipt + sender IP pair for 30 days
yea good
but see, instead of taking up a MTA process for greylisting spamd(8) is a single process in a non blocking fd poll loop
very efficient at whittling down the mail flow ;-)
;-)
policyd-weight -- if you run Postfix, you should really give this very simple package a try. I don't block ANY spam using other techniques. What little makes its way through just gets tagged and delivered. Hugely effective with only a minor amount of tweaking of the default rules. What it will do is provide weighted rejection, not based on a single RBL but on multiples. I've patched mine to take into account IP location via GeoIP, and I pre-weight certain countries such that unless they exhibit some "good" behaviour, their mail just won't make it through. Sure nuff, the only legitimate mail I get from the Netherlands, for example, makes it, while most phony lotto messages are rejected. Even if you were to keep your existing greylisting (although with pf not sure how that would work), policyd-weight can help reduce the load by rejecting *before the mail hits the mail queue* the truly obviously bad stuff, which is the bulk of everything coming in these days. Thus greylisting, or content inspection, will have to deal with a much smaller subset of *mostly* legitimate messages. I find support time goes down as a result.
greylisting takes zero time just mem to keep track of the ip list since it only works on src ip, mail from, and rcpt to
policyd-weight .. sounds like a linux package?
pf is not available for linux
policyd-weight is a single file perl daemon available for Linux / BSDs. It's a postfix-specific solution. Greylisting I personally do not like because it slows down legitimate mail too, at least until it first comes through. I find it workable for smaller groups but didn't like it for a big diverse set of users -- found we got too many support requests. Some senders are brain dead as well. One Canadian telco company (not one of the really big ones but still...) never retried, just gave up. Bizarre. Anyway, I found we didn't need it once we implemented policyd-weight, which I have run for many years now.
interesting, have to look into it; greylisting works quite well once you have fleshed out a whitelist.txt .. ;-)
yea i have too important time sensitive email, i can't consider greylisting