just rolled out console server info to everyone (see portal)
checking...
@market
typing in the wrong console window means it must be time for sleep.
so... on that note...
g'night
are we split back together yet? ;-)
up_the_irons: I'm playing an evil trick on my VM system, so you know, incase someone contacts you with `interesting' observations about what ports are open...
heh
wha ya doin
# spamd(8) gets fuzzing and we get to play ornery tricks on scanners
pass in log on egress proto tcp rdr-to 127.0.0.1 port spamd
hmm, I guess I intended that to be 'inet proto tcp' fixing but anyway
at first I was just gonna do it for m$ ports, but then realized it could be more fun for all ports
incase you're not familiar, spamd(8) on OpenBSD takes a tcp connection and lowers the transmission size to 1 char per packet and only responds one byte per second
heh
why
because it `punishes' those who are doing spamming and costs very little cpu in userland to do
ah makes sense
12:26:21.894864 rule 1/(match) [uid 0, pid 26121] pass in on em0: 109.108.32.237.2698 > 208.79.89.90.445: S [tcp sum ok] 1673148574:1673148574(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) (ttl 120, id 10405, len 48)
muhahaha I love victims
so when are connections 'punished', ie. under what conditions
if the remote host attempts to do spamming
its limited in how many open connections it can keep
so holding onto one for longer and causing one to use more resources
is punishment
you kinda have to know how spamd works and then you'll have your answer
I'd point you to the man page online, but the cgi server is down atm
basically
yea I get the basics
the firewall in OpenBSD redirects all connections to port 25 (in the typical scenario where spamd is in use) to the spamd
spamd then does the 1 byte thing for about 5 secs then flips to `normal' tcp mode
the remote hosts then attempt to deliver mail to spamd
which says temp failure
so greylisting ?
the remote ip, rcpt to, mail from, and time are stored in a db
if it retries after 26mins it is added to a whitelist
in the pf firewall
yea std greylisting
which bypasses the rdr to spamd and hits the real mta whatever that may be
it is std greylisting for OpenBSD
I use postgrey for similar thing
I've seen e.g. postfix that will require greylisting for every recipient individually every 24hrs
it is insane
thats a bit over board
once spamd(8) learns of an IP it is whitelisted for 31 days, and advanced to 31 days out each time the remote IP is sent a piece of mail or receives a piece of mail
I keep whitelisted reciept + sender IP pair for 30 days
yea
good
but see, instead of taking up a MTA process for greylisting
spamd(8) is a single process in a non blocking fd poll loop
very efficient at whittling down the mail flow
;-)
;-)
policyd-weight -- if you run Postfix, you should really give this very simple package a try. I don't block ANY spam using other techniques. What little makes it's way through just gets tagged and delivered. Hugely effective with only a minor amount of tweaking of the default rules.
What it will do is provide weighted rejection, not based on a single RBL but on multiples. I've patched mine to take into account IP location via GeoIP, and I pre-weight certain countries such that unless they exhibit some "good" behaviour, their mail just won't make it through. Sure nuff, the only legitimate mail I get from the Netherlands, for example, makes it, while most phony lotto messages are
rejected.
Even if you were to keep your existing greylisting, (although with pf not sure how that would work) policyd-weight can help reduce the load by rejecting *before the mail his the mail queue* the truly obviously bad stuff, which is the bulk of everything coming in these days. Thus greylisting, or content inspection, will have to deal with a much smaller subset of *mostly* legitimate messages. I find
support time goes down as a result.
greylisting takes zero time
just mem to keep track of the ip list
since it only works on src ip, mail from, and rcpt to
policyd-weight .. sounds like a linux package? pf is not available for linux
policyd-weight is a single file perl daemon available for Linux / BSDs. It's a postfix-specific solution.
Greylisting I personally do not like because it slows down legitimate mail too, at least until it first comes through. I find it workable for smaller groups but didn't like it for a big diverse set of users -- found we got too many support requests. Some senders are brain dead as well. One Canadian telco company (not one of the really big ones but still...) never retried, just gave up. Bizzare.
Anyway, I found we didn't need it once we implemented policyd-weight which I have run for many years now.
interesting, have to look into it; greylisting works quite well once you have fleshed out a whitelist.txt .. ;-)
yea i have too important time sensitive email
i can't consider greylisting