#arpnetworks 2009-11-15,Sun

***ballen is now known as ballen|away [01:16]
............... (idle for 1h13mn)
up_the_irons: just rolled out console server info to everyone (see portal) [02:29]
sroute: checking... [02:34]
@market [02:43]
.... (idle for 19mn)
typing in the wrong console window means it must be time for sleep.
so... on that note...
[03:02]
up_the_irons: g'night [03:03]
....................... (idle for 1h50mn)
***Nat_UB has quit IRC ("leaving")
Nat_UB has joined #arpnetworks
nuke^ has quit IRC (Read error: 110 (Connection timed out))
[04:53]
............... (idle for 1h14mn)
nuke^ has joined #arpnetworks [06:09]
.... (idle for 16mn)
vtoms has quit IRC ("Leaving.") [06:25]
......... (idle for 41mn)
heavysixer has quit IRC () [07:06]
..... (idle for 22mn)
ballen|away is now known as ballen [07:28]
......... (idle for 44mn)
ballen is now known as ballen|away [08:12]
............. (idle for 1h0mn)
ballen|away is now known as ballen [09:12]
........ (idle for 35mn)
timburke has quit IRC (lindbohm.freenode.net irc.freenode.net)
Nat_UB has quit IRC (lindbohm.freenode.net irc.freenode.net)
Thorgrimr has quit IRC (lindbohm.freenode.net irc.freenode.net)
vxp has quit IRC (lindbohm.freenode.net irc.freenode.net)
up_the_irons has quit IRC (lindbohm.freenode.net irc.freenode.net)
nuke` has quit IRC (lindbohm.freenode.net irc.freenode.net)
jester1 has quit IRC (lindbohm.freenode.net irc.freenode.net)
sbp__ has quit IRC (lindbohm.freenode.net irc.freenode.net)
nuke^ has quit IRC (lindbohm.freenode.net irc.freenode.net)
ballen has quit IRC (lindbohm.freenode.net irc.freenode.net)
Rada has quit IRC (lindbohm.freenode.net irc.freenode.net)
jeev has quit IRC (lindbohm.freenode.net irc.freenode.net)
baklava has quit IRC (lindbohm.freenode.net irc.freenode.net)
mxb__ has quit IRC (lindbohm.freenode.net irc.freenode.net)
mhoran has quit IRC (lindbohm.freenode.net irc.freenode.net)
nerdd has quit IRC (lindbohm.freenode.net irc.freenode.net)
sroute has quit IRC (lindbohm.freenode.net irc.freenode.net)
toddf has quit IRC (lindbohm.freenode.net irc.freenode.net)
d^_^b has quit IRC (lindbohm.freenode.net irc.freenode.net)
coil has quit IRC (lindbohm.freenode.net irc.freenode.net)
obsidieth has quit IRC (lindbohm.freenode.net irc.freenode.net)
[09:47]
toddf has joined #arpnetworks
irc.freenode.net sets mode: +o toddf
coil has joined #arpnetworks
obsidieth has joined #arpnetworks
up_the_irons has joined #arpnetworks
vxp has joined #arpnetworks
Thorgrimr has joined #arpnetworks
nuke` has joined #arpnetworks
jester1 has joined #arpnetworks
sbp__ has joined #arpnetworks
mhoran has joined #arpnetworks
Rada has joined #arpnetworks
jeev has joined #arpnetworks
sroute has joined #arpnetworks
mxb__ has joined #arpnetworks
nerdd has joined #arpnetworks
baklava has joined #arpnetworks
timburke has joined #arpnetworks
Nat_UB has joined #arpnetworks
nuke^ has joined #arpnetworks
ballen has joined #arpnetworks
irc.freenode.net sets mode: +oooo up_the_irons mhoran sroute ballen
d^_^b has joined #arpnetworks
[09:59]
.... (idle for 18mn)
toddf: are we split back together yet? ;-)
up_the_irons: I'm playing an evil trick on my VM system, so you know, in case someone contacts you with `interesting' observations about what ports are open...
[10:19]
ballen: heh
wha ya doin
[10:20]
toddf: # spamd(8) gets fuzzing and we get to play ornery tricks on scanners
pass in log on egress proto tcp rdr-to 127.0.0.1 port spamd
hmm, I guess I intended that to be 'inet proto tcp' fixing but anyway
at first I was just gonna do it for m$ ports, but then realized it could be more fun for all ports
in case you're not familiar, spamd(8) on OpenBSD takes a tcp connection and lowers the transmission size to 1 char per packet and only responds one byte per second
[10:20]
ballen: heh
why
[10:22]
toddf: because it `punishes' those who are doing spamming and costs very little cpu in userland to do [10:23]
ballen: ah makes sense [10:24]
toddf: 12:26:21.894864 rule 1/(match) [uid 0, pid 26121] pass in on em0: 109.108.32.237.2698 > 208.79.89.90.445: S [tcp sum ok] 1673148574:1673148574(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) (ttl 120, id 10405, len 48)
muhahaha I love victims
[10:25]
ballen: so when are connections 'punished', i.e. under what conditions [10:26]
toddf: if the remote host attempts to do spamming
it's limited in how many open connections it can keep
so holding onto one for longer and causing one to use more resources
is punishment
you kinda have to know how spamd works and then you'll have your answer
I'd point you to the man page online, but the cgi server is down atm
basically
[10:26]
ballen: yea I get the basics [10:28]
toddf: the firewall in OpenBSD redirects all connections to port 25 (in the typical scenario where spamd is in use) to the spamd
spamd then does the 1 byte thing for about 5 secs then flips to `normal' tcp mode
the remote hosts then attempt to deliver mail to spamd
which says temp failure
[10:28]
ballen: so greylisting? [10:29]
toddf: the remote ip, rcpt to, mail from, and time are stored in a db
if it retries after 26mins it is added to a whitelist
in the pf firewall
[10:29]
ballen: yea std greylisting [10:29]
toddf: which bypasses the rdr to spamd and hits the real mta whatever that may be
it is std greylisting for OpenBSD
[10:29]
ballen: I use postgrey for a similar thing [10:29]
toddf: I've seen e.g. postfix that will require greylisting for every recipient individually every 24hrs
it is insane
[10:30]
ballen: that's a bit overboard [10:30]
toddf: once spamd(8) learns of an IP it is whitelisted for 31 days, and advanced to 31 days out each time the remote IP is sent a piece of mail or receives a piece of mail [10:31]
ballen: I keep whitelisted recipient + sender IP pair for 30 days
yea
good
[10:31]
toddf: but see, instead of taking up a MTA process for greylisting
spamd(8) is a single process in a non blocking fd poll loop
very efficient at whittling down the mail flow
;-)
[10:31]
........... (idle for 51mn)
vxp: ;-) [11:22]
***Rada is now known as Black
Black is now known as Rada
[11:25]
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[11:34]
........... (idle for 53mn)
visinin has joined #arpnetworks [12:27]
..... (idle for 23mn)
ballen is now known as ballen|away [12:50]
............. (idle for 1h3mn)
ballen|away is now known as ballen [13:53]
........ (idle for 35mn)
sroute: policyd-weight -- if you run Postfix, you should really give this very simple package a try. I don't block ANY spam using other techniques. What little makes its way through just gets tagged and delivered. Hugely effective with only a minor amount of tweaking of the default rules.
What it will do is provide weighted rejection, not based on a single RBL but on multiples. I've patched mine to take into account IP location via GeoIP, and I pre-weight certain countries such that unless they exhibit some "good" behaviour, their mail just won't make it through. Sure nuff, the only legitimate mail I get from the Netherlands, for example, makes it, while most phony lotto messages are rejected.
Even if you were to keep your existing greylisting (although with pf not sure how that would work), policyd-weight can help reduce the load by rejecting *before the mail hits the mail queue* the truly obviously bad stuff, which is the bulk of everything coming in these days. Thus greylisting, or content inspection, will have to deal with a much smaller subset of *mostly* legitimate messages. I find support time goes down as a result.
[14:28]
***ballen is now known as ballen|away [14:36]
toddf: greylisting takes zero time
just mem to keep track of the ip list
since it only works on src ip, mail from, and rcpt to
policyd-weight .. sounds like a linux package? pf is not available for linux
[14:43]
.... (idle for 15mn)
sroute: policyd-weight is a single file perl daemon available for Linux / BSDs. It's a postfix-specific solution.
Greylisting I personally do not like because it slows down legitimate mail too, at least until it first comes through. I find it workable for smaller groups but didn't like it for a big diverse set of users -- found we got too many support requests. Some senders are brain dead as well. One Canadian telco company (not one of the really big ones but still...) never retried, just gave up. Bizarre.
Anyway, I found we didn't need it once we implemented policyd-weight which I have run for many years now.
[14:59]
.... (idle for 18mn)
***Rada has quit IRC (Read error: 104 (Connection reset by peer))
ballen|away is now known as ballen
[15:19]
...... (idle for 27mn)
toddf: interesting, have to look into it; greylisting works quite well once you have fleshed out a whitelist.txt .. ;-) [15:48]
***ballen is now known as ballen|away [15:49]
........ (idle for 36mn)
ballen|away is now known as ballen [16:25]
.......... (idle for 46mn)
ballen is now known as ballen|away
visinin has quit IRC ("sleep")
ballen|away is now known as ballen
[17:11]
jeev: yea I have too important time-sensitive email
i can't consider greylisting
[17:17]
.... (idle for 19mn)
***ballen is now known as ballen|away
heavysixer has quit IRC ()
ballen|away is now known as ballen
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[17:36]
ballen has quit IRC () [17:48]
..... (idle for 21mn)
heavysixer has quit IRC () [18:09]
.......... (idle for 46mn)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[18:55]
............................... (idle for 2h32mn)
ballen has joined #arpnetworks
ChanServ sets mode: +o ballen
[21:27]
