[01:16] *** ballen is now known as ballen|away
[02:29] <up_the_irons> just rolled out console server info to everyone (see portal)
[02:34] <sroute> checking...
[02:43] <sroute> @market
[03:02] <sroute> typing in the wrong console window means it must be time for sleep.
[03:02] <sroute> so... on that note...
[03:03] <up_the_irons> g'night
[04:53] *** Nat_UB has quit IRC ("leaving")
[04:53] *** Nat_UB has joined #arpnetworks
[04:55] *** nuke^ has quit IRC (Read error: 110 (Connection timed out))
[06:09] *** nuke^ has joined #arpnetworks
[06:25] *** vtoms has quit IRC ("Leaving.")
[07:06] *** heavysixer has quit IRC ()
[07:28] *** ballen|away is now known as ballen
[08:12] *** ballen is now known as ballen|away
[09:12] *** ballen|away is now known as ballen
[09:47] *** timburke has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** Nat_UB has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** Thorgrimr has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** vxp has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** up_the_irons has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** nuke` has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** jester1 has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** sbp__ has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** nuke^ has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** ballen has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** Rada has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** jeev has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** baklava has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** mxb__ has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** mhoran has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** nerdd has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** sroute has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** toddf has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** d^_^b has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** coil has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47] *** obsidieth has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:59] *** toddf has joined #arpnetworks
[09:59] *** irc.freenode.net sets mode: +o toddf
[10:00] *** coil has joined #arpnetworks
[10:00] *** obsidieth has joined #arpnetworks
[10:00] *** up_the_irons has joined #arpnetworks
[10:00] *** vxp has joined #arpnetworks
[10:00] *** Thorgrimr has joined #arpnetworks
[10:00] *** nuke` has joined #arpnetworks
[10:00] *** jester1 has joined #arpnetworks
[10:00] *** sbp__ has joined #arpnetworks
[10:00] *** mhoran has joined #arpnetworks
[10:00] *** Rada has joined #arpnetworks
[10:00] *** jeev has joined #arpnetworks
[10:00] *** sroute has joined #arpnetworks
[10:00] *** mxb__ has joined #arpnetworks
[10:00] *** nerdd has joined #arpnetworks
[10:00] *** baklava has joined #arpnetworks
[10:00] *** timburke has joined #arpnetworks
[10:00] *** Nat_UB has joined #arpnetworks
[10:00] *** nuke^ has joined #arpnetworks
[10:00] *** ballen has joined #arpnetworks
[10:00] *** irc.freenode.net sets mode: +oooo up_the_irons mhoran sroute ballen
[10:01] *** d^_^b has joined #arpnetworks
[10:19] <toddf> are we split back together yet? ;-)
[10:20] <toddf> up_the_irons: I'm playing an evil trick on my VM system, so you know, incase someone contacts you with `interesting' observations about what ports are open...
[10:20] <ballen> heh
[10:20] <ballen> wha ya doin
[10:20] <toddf> # spamd(8) gets fuzzing and we get to play ornery tricks on scanners
[10:20] <toddf> pass in log on egress proto tcp rdr-to 127.0.0.1 port spamd
[10:21] <toddf> hmm, I guess I intended that to be 'inet proto tcp' fixing but anyway
[10:21] <toddf> at first I was just gonna do it for m$ ports, but then realized it could be more fun for all ports
[10:22] <toddf> incase you're not familiar, spamd(8) on OpenBSD takes a tcp connection and lowers the transmission size to 1 char per packet and only responds one byte per second
[10:22] <ballen> heh
[10:22] <ballen> why
[10:23] <toddf> because it `punishes' those who are doing spamming and costs very little cpu in userland to do
[10:24] <ballen> ah makes sense
[10:25] <toddf> 12:26:21.894864 rule 1/(match) [uid 0, pid 26121] pass in on em0: 109.108.32.237.2698 > 208.79.89.90.445: S [tcp sum ok] 1673148574:1673148574(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) (ttl 120, id 10405, len 48)
[10:25] <toddf> muhahaha I love victims
[10:26] <ballen> so when are connections 'punished', ie. under what conditions
[10:26] <toddf> if the remote host attempts to do spamming
[10:26] <toddf> its limited in how many open connections it can keep
[10:27] <toddf> so holding onto one for longer and causing one to use more resources
[10:27] <toddf> is punishment
[10:27] <toddf> you kinda have to know how spamd works and then you'll have your answer
[10:27] <toddf> I'd point you to the man page online, but the cgi server is down atm
[10:28] <toddf> basically
[10:28] <ballen> yea I get the basics
[10:28] <toddf> the firewall in OpenBSD redirects all connections to port 25 (in the typical scenario where spamd is in use) to the spamd
[10:28] <toddf> spamd then does the 1 byte thing for about 5 secs then flips to `normal' tcp mode
[10:29] <toddf> the remote hosts then attempt to deliver mail to spamd
[10:29] <toddf> which says temp failure
[10:29] <ballen> so greylisting ?
[10:29] <toddf> the remote ip, rcpt to, mail from, and time are stored in a db
[10:29] <toddf> if it retries after 26mins it is added to a whitelist
[10:29] <toddf> in the pf firewall
[10:29] <ballen> yea std greylisting
[10:29] <toddf> which bypasses the rdr to spamd and hits the real mta whatever that may be
[10:29] <toddf> it is std greylisting for OpenBSD
[10:29] <ballen> I use postgrey for similar thing
[10:30] <toddf> I've seen e.g. postfix that will require greylisting for every recipient individually every 24hrs
[10:30] <toddf> it is insane
[10:30] <ballen> thats a bit over board
[10:31] <toddf> once spamd(8) learns of an IP it is whitelisted for 31 days, and advanced to 31 days out each time the remote IP is sent a piece of mail or receives a piece of mail
[10:31] <ballen> I keep whitelisted reciept + sender IP pair for 30 days
[10:31] <ballen> yea
[10:31] <ballen> good
[10:31] <toddf> but see, instead of taking up a MTA process for greylisting
[10:31] <toddf> spamd(8) is a single process in a non blocking fd poll loop
[10:31] <toddf> very efficient at whittling down the mail flow
[10:31] <toddf> ;-)
[11:22] <vxp> ;-)
[11:25] *** Rada is now known as Black
[11:25] *** Black is now known as Rada
[11:34] *** heavysixer has joined #arpnetworks
[11:34] *** ChanServ sets mode: +o heavysixer
[12:27] *** visinin has joined #arpnetworks
[12:50] *** ballen is now known as ballen|away
[13:53] *** ballen|away is now known as ballen
[14:28] <sroute> policyd-weight -- if you run Postfix, you should really give this very simple package a try. I don't block ANY spam using other techniques. What little makes it's way through just gets tagged and delivered. Hugely effective with only a minor amount of tweaking of the default rules.
[14:31] <sroute> What it will do is provide weighted rejection, not based on a single RBL but on multiples. I've patched mine to take into account IP location via GeoIP, and I pre-weight certain countries such that unless they exhibit some "good" behaviour, their mail just won't make it through. Sure nuff, the only legitimate mail I get from the Netherlands, for example, makes it, while most phony lotto messages are
[14:31] <sroute> rejected.
[14:33] <sroute> Even if you were to keep your existing greylisting, (although with pf not sure how that would work) policyd-weight can help reduce the load by rejecting *before the mail his the mail queue* the truly obviously bad stuff, which is the bulk of everything coming in these days. Thus greylisting, or content inspection, will have to deal with a much smaller subset of *mostly* legitimate messages. I find
[14:33] <sroute> support time goes down as a result.
[14:36] *** ballen is now known as ballen|away
[14:43] <toddf> greylisting takes zero time
[14:43] <toddf> just mem to keep track of the ip list
[14:43] <toddf> since it only works on src ip, mail from, and rcpt to
[14:44] <toddf> policyd-weight .. sounds like a linux package? pf is not available for linux
[14:59] <sroute> policyd-weight is a single file perl daemon available for Linux / BSDs. It's a postfix-specific solution.
[15:01] <sroute> Greylisting I personally do not like because it slows down legitimate mail too, at least until it first comes through. I find it workable for smaller groups but didn't like it for a big diverse set of users -- found we got too many support requests. Some senders are brain dead as well. One Canadian telco company (not one of the really big ones but still...) never retried, just gave up. Bizzare.
[15:01] <sroute> Anyway, I found we didn't need it once we implemented policyd-weight which I have run for many years now.
[15:19] *** Rada has quit IRC (Read error: 104 (Connection reset by peer))
[15:21] *** ballen|away is now known as ballen
[15:48] <toddf> interesting, have to look into it; greylisting works quite well once you have fleshed out a whitelist.txt .. ;-)
[15:49] *** ballen is now known as ballen|away
[16:25] *** ballen|away is now known as ballen
[17:11] *** ballen is now known as ballen|away
[17:13] *** visinin has quit IRC ("sleep")
[17:15] *** ballen|away is now known as ballen
[17:17] <jeev> yea i have too important time sensitive email
[17:17] <jeev> i can't consider greylisting
[17:36] *** ballen is now known as ballen|away
[17:37] *** heavysixer has quit IRC ()
[17:39] *** ballen|away is now known as ballen
[17:43] *** heavysixer has joined #arpnetworks
[17:43] *** ChanServ sets mode: +o heavysixer
[17:48] *** ballen has quit IRC ()
[18:09] *** heavysixer has quit IRC ()
[18:55] *** heavysixer has joined #arpnetworks
[18:55] *** ChanServ sets mode: +o heavysixer
[21:27] *** ballen has joined #arpnetworks
[21:27] *** ChanServ sets mode: +o ballen