up_the_irons: just rolled out console server info to everyone (see portal)
sroute: checking...
@market
typing in the wrong console window means it must be time for sleep.
so... on that note...
up_the_irons: g'night
toddf: are we split back together yet? ;-)
up_the_irons: I'm playing an evil trick on my VM system, so you know, in case someone contacts you with `interesting' observations about what ports are open...
ballen: heh
wha ya doin
toddf: # spamd(8) gets fuzzing and we get to play ornery tricks on scanners
pass in log on egress proto tcp rdr-to 127.0.0.1 port spamd
hmm, I guess I intended that to be 'inet proto tcp' fixing but anyway
at first I was just gonna do it for m$ ports, but then realized it could be more fun for all ports
in case you're not familiar, spamd(8) on OpenBSD takes a tcp connection and lowers the transmission size to 1 char per packet and only responds one byte per second
ballen: heh
why
toddf: because it `punishes' those who are doing spamming and costs very little cpu in userland to do
ballen: ah makes sense
toddf: 12:26:21.894864 rule 1/(match) [uid 0, pid 26121] pass in on em0: 109.108.32.237.2698 > 208.79.89.90.445: S [tcp sum ok] 1673148574:1673148574(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) (ttl 120, id 10405, len 48)
muhahaha I love victims
ballen: so when are connections 'punished', i.e. under what conditions
toddf: if the remote host attempts to do spamming
it's limited in how many open connections it can keep
so holding onto one for longer and causing one to use more resources
is punishment
you kinda have to know how spamd works and then you'll have your answer
I'd point you to the man page online, but the cgi server is down atm
basically
ballen: yea I get the basics
toddf: the firewall in OpenBSD redirects all connections to port 25 (in the typical scenario where spamd is in use) to the spamd
spamd then does the 1 byte thing for about 5 secs then flips to `normal' tcp mode
the remote hosts then attempt to deliver mail to spamd
which says temp failure
ballen: so greylisting ?
toddf: the remote ip, rcpt to, mail from, and time are stored in a db
if it retries after 26mins it is added to a whitelist
in the pf firewall
ballen: yea std greylisting
toddf: which bypasses the rdr to spamd and hits the real mta whatever that may be
it is std greylisting for OpenBSD
ballen: I use postgrey for similar thing
toddf: I've seen e.g. postfix that will require greylisting for every recipient individually every 24hrs
it is insane
ballen: that's a bit overboard
toddf: once spamd(8) learns of an IP it is whitelisted for 31 days, and advanced to 31 days out each time the remote IP is sent a piece of mail or receives a piece of mail
ballen: I keep whitelisted receipt + sender IP pair for 30 days
yea
good
toddf: but see, instead of taking up an MTA process for greylisting
spamd(8) is a single process in a non blocking fd poll loop
very efficient at whittling down the mail flow
;-)
vxp: ;-)
sroute: policyd-weight -- if you run Postfix, you should really give this very simple package a try. I don't block ANY spam using other techniques. What little makes its way through just gets tagged and delivered. Hugely effective with only a minor amount of tweaking of the default rules.
What it will do is provide weighted rejection, not based on a single RBL but on multiples. I've patched mine to take into account IP location via GeoIP, and I pre-weight certain countries such that unless they exhibit some "good" behaviour, their mail just won't make it through. Sure nuff, the only legitimate mail I get from the Netherlands, for example, makes it, while most phony lotto messages are rejected.
Even if you were to keep your existing greylisting (although with pf not sure how that would work), policyd-weight can help reduce the load by rejecting *before the mail hits the mail queue* the truly obviously bad stuff, which is the bulk of everything coming in these days. Thus greylisting, or content inspection, will have to deal with a much smaller subset of *mostly* legitimate messages. I find support time goes down as a result.
toddf: greylisting takes zero time
just mem to keep track of the ip list
since it only works on src ip, mail from, and rcpt to
policyd-weight .. sounds like a linux package? pf is not available for linux
sroute: policyd-weight is a single file perl daemon available for Linux / BSDs. It's a postfix-specific solution.
Greylisting I personally do not like because it slows down legitimate mail too, at least until it first comes through. I find it workable for smaller groups but didn't like it for a big diverse set of users -- found we got too many support requests. Some senders are brain dead as well. One Canadian telco company (not one of the really big ones but still...) never retried, just gave up. Bizarre.
Anyway, I found we didn't need it once we implemented policyd-weight which I have run for many years now.
toddf: interesting, have to look into it; greylisting works quite well once you have fleshed out a whitelist.txt .. ;-)
jeev: yea I have too important time sensitive email
I can't consider greylisting