From owner-freebsd-questions@FreeBSD.ORG Fri May 26 15:13:15 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id EF62B16A4C6
    for ; Fri, 26 May 2006 15:13:14 +0000 (UTC)
    (envelope-from mailinglists+freebsd-questions@g-noc.net)
Received: from g-noc.net (ip-209-172-57-244.reverse.privatedns.com [209.172.57.244])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 1405A43D4C
    for ; Fri, 26 May 2006 15:13:13 +0000 (GMT)
    (envelope-from mailinglists+freebsd-questions@g-noc.net)
Received: from [192.168.2.102] (toronto-HSE-ppp4001143.sympatico.ca [70.48.27.75])
    (authenticated bits=0)
    by g-noc.net (8.13.4/8.13.4) with ESMTP id k4QFD6Xn086433
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
    for ; Fri, 26 May 2006 11:13:07 -0400 (EDT)
    (envelope-from mailinglists+freebsd-questions@g-noc.net)
Message-ID: <44771B54.4020003@g-noc.net>
Date: Fri, 26 May 2006 11:14:28 -0400
From: Alexis Dorais-Joncas
User-Agent: Thunderbird 1.5.0.2 (Windows/20060308)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=0.1 required=5.0 tests=RCVD_IN_SORBS_DUL autolearn=no version=3.0.4
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on g-noc.net
Subject: PF spamd : trouble with homemade blacklist
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 26 May 2006 15:13:17 -0000

Hey all,

I have been running spamd from OpenBSD on:

FreeBSD g-noc.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386

for a while now, and I just encountered a small problem.

I want to create a home-made blacklist so that all connexions made from any of the addresses to my port 25 are tarpitted. However, even if the address is added in the table by spamd-setup, new connexions still show up as "grey", instead of being spotted as being blacklisted and then tarpitted. Here are the relevant configs, followed by evidence of the problem. Hope someone can point me to a solution!

----- spamd.conf: (comments trimmed out) -----

all:\
    spews1:beck:blackl

spews1:\
    :black:\
    :msg="SPAM. Your address %A is in the spews level 1 database\n\
    See http://www.spews.org/ask.cgi?x=%A for more details":\
    :method=http:\
    :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

# Provided by Bob Beck at the University of Alberta
beck:\
    :black:\
    :msg="SPAM. Your address %A appears in a list of known spammers":\
    :method=http:\
    :file=(location hidden):

blackl:\
    :black:\
    :msg="SPAM. Your address %A appears in my homemade list of known spammers":\
    :file=/var/mail/blacklist.txt:

----- pf.conf -----

[...]
table persist
table persist
table persist file "/var/mail/whitelist.txt"
rdr pass inet proto tcp from to any port smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from ! to any port smtp -> 127.0.0.1 port spamd
[...]

----- /var/mail/blacklist.txt ----- (only one single line, no empty line at the end)

83.100.146.104

----- spamd-setup output: -----

[xxxx@g-noc.net.]$ sudo spamd-setup -d
Getting http://www.openbsd.org/spamd/spews_list_level1.txt.gz
blacklist spews1 14939 entries
Getting http://www.[location hidden]
blacklist beck 17251 entries
blacklist blackl 1 entries

-----

We see here that the IP address is effectively added to the table, and the daemon should know that it is blacklisted:

[xxxx@g-noc.net.]$ sudo pfctl -t spamd -vTshow|grep -A5 83.100.146.104
No ALTQ support in kernel
ALTQ related functions disabled
   83.100.146.104
        Cleared: Fri May 26 10:43:24 2006
        In/Block: [ Packets: 0 Bytes: 0 ]
        In/Pass: [ Packets: 30 Bytes: 1568 ]
        Out/Block: [ Packets: 0 Bytes: 0 ]
        Out/Pass: [ Packets: 30 Bytes: 2280 ]

-----

However, logs show that when an incoming connexion is made, instead of being tarpitted, it is treated as a normal one and is considered grey:

May 26 10:55:05 g-noc spamd[85889]: 83.100.146.104: connected (1/0)
May 26 10:55:06 g-noc spamd[85889]: (GREY) 83.100.146.104: <> ->
May 26 10:55:06 g-noc spamd[85889]: 83.100.146.104: disconnected after 1 seconds.

$ spamdb |grep 83.100.146.104
GREY|83.100.146.104|<>||1148654694|1148669094|1148669094|4|0

So, my question is: how can I create a list that spamd will know about and will tarpit every connexion with a source address contained in the list and with destination port = 25?

I'm sure I'm very close, but I have been trying for a while now and can't figure this one out.

Thanks for any help you guys can provide!

Alexis
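
A diagnostic for the symptom described in the message, added here as an example that is not part of the original post: it cross-checks a blacklist file against `spamdb` output and prints every listed source that spamd is still tracking as GREY. The names `grey_but_blacklisted` and `demo`, the CIDR handling and all sample lines other than the poster's own `83.100.146.104` entry are constructed, and the nine-field `spamdb` line format is assumed from the one line quoted in the post.

```shell
#!/bin/sh
# Added example: list sources a spamd blacklist file covers that spamdb still
# tracks as GREY. Helper names and sample data are constructed.
#   $1    = blacklist file: IPv4 address or a.b.c.d/len per line, # comments
#   stdin = spamdb output in the nine-field form quoted in the post
grey_but_blacklisted() {
    awk -F'|' -v bl="$1" '
    function ip2n(ip,    o, i, n) {      # dotted quad -> number, -1 if invalid
        if (split(ip, o, ".") != 4) return -1
        n = 0
        for (i = 1; i <= 4; i++) {
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
            n = n * 256 + o[i]
        }
        return n
    }
    BEGIN {                              # load the blacklist as [lo, hi] ranges
        while ((getline line < bl) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
            if (line == "") continue
            len = "32"; p = index(line, "/")
            if (p > 0) { len = substr(line, p + 1); line = substr(line, 1, p - 1) }
            n = ip2n(line)
            if (n < 0 || len !~ /^[0-9]+$/ || len + 0 > 32) continue
            size = 2 ^ (32 - len)
            lo[++cnt] = n - (n % size); hi[cnt] = lo[cnt] + size - 1
        }
    }
    $1 == "GREY" {                       # greylist entry: is its source listed?
        n = ip2n($2)
        for (k = 1; n >= 0 && k <= cnt; k++)
            if (n >= lo[k] && n <= hi[k]) { if (!seen[$2]++) print $2; break }
    }'
}

# Constructed sample run. On a live host:
#   spamdb | grey_but_blacklisted /var/mail/blacklist.txt
demo() {
    f=$(mktemp /tmp/blacklist.XXXXXX) || return 1
    printf '83.100.146.104\n192.0.2.0/24  # constructed range\n' > "$f"
    grey_but_blacklisted "$f" <<'EOF'
GREY|83.100.146.104|<>||1148654694|1148669094|1148669094|4|0
GREY|192.0.2.77|<a@example.org>|<b@example.net>|1148654700|1148669100|1148669100|1|0
GREY|198.51.100.9|<c@example.org>|<b@example.net>|1148654800|1148669200|1148669200|2|0
WHITE|192.0.2.10|||1148654800|1148669200|1151261200|2|3
EOF
    rm -f "$f"
}
demo
```

Any address it prints is one that the blacklist file lists but that spamd is handling through the greylist path, which is the mismatch the logs in the message show.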