PF spamd : trouble with homemade blacklist

Alexis Dorais-Joncas mailinglists+freebsd-questions at g-noc.net
Fri May 26 08:13:17 PDT 2006


Hey all,

I have been running spamd from OpenBSD on :

FreeBSD g-noc.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root at x64.samsco.home:/usr/obj/usr/src/sys/GENERIC  i386

for a while now, and I just encountered a small problem.

I want to create a home-made blacklist so that all connexions made from 
any of the addresses to my port 25 are tarpitted. However, even if the 
address is added in the <spamd> table by spamd-setup, new connexions 
still show up as "grey", instead of being spotted as being blacklisted 
and then tarpitted.

Here are the relevant configs, followed by evidence of the problem. Hope 
someone can point me to a solution!

-----
spamd.conf: (comments trimmed out)
-----
all:\
        spews1:beck:blackl
spews1:\
        :black:\
        :msg="SPAM. Your address %A is in the spews level 1 database\n\
        See http://www.spews.org/ask.cgi?x=%A for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:


# Provided by Bob Beck at the University of Alberta
beck:\
   :black:\
   :msg="SPAM. Your address %A appears in a list of known spammers":\
   :method=http:\
   :file=(location hidden):

blackl:\
        :black:\
        :msg="SPAM. Your address %A appears in my homemade list of known spammers":\
        :file=/var/mail/blacklist.txt:

-----
pf.conf
-----
[...]
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/var/mail/whitelist.txt"

rdr pass inet proto tcp from <spamd-mywhite> to any port smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd
[...]

-----
/var/mail/blacklist.txt
-----
(only one single line, no empty line at the end)
83.100.146.104

-----
spamd-setup output :
-----
[xxxx at g-noc.net.]$ sudo spamd-setup -d
Getting http://www.openbsd.org/spamd/spews_list_level1.txt.gz
blacklist spews1 14939 entries
Getting http://www.[location hidden]
blacklist beck 17251 entries
blacklist blackl 1 entries
-----

We see here that the IP address is effectively added to the <spamd> 
table, and the daemon should know that it is blacklisted :
[xxxx at g-noc.net.]$ sudo pfctl -t spamd -vTshow|grep -A5 83.100.146.104
No ALTQ support in kernel
ALTQ related functions disabled
   83.100.146.104
        Cleared:     Fri May 26 10:43:24 2006
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 30                 Bytes: 1568               ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 30                 Bytes: 2280               ]
-----

However, logs show that when an incoming connexion is made, instead of 
being tarpitted, it is treated as a normal one and is considered grey :
May 26 10:55:05 g-noc spamd[85889]: 83.100.146.104: connected (1/0)
May 26 10:55:06 g-noc spamd[85889]: (GREY) 83.100.146.104: <> -> <info at xxxxxxxx.org>
May 26 10:55:06 g-noc spamd[85889]: 83.100.146.104: disconnected after 1 seconds.

$ spamdb |grep 83.100.146.104
GREY|83.100.146.104|<>|<info at xxxxxxxx.org>|1148654694|1148669094|1148669094|4|0

So, my question is : how can I create a list that spamd will know about 
and will tarpit every connexion with a source address contained in the 
list and with destination port = 25 ? I'm sure I'm very close, but I 
have been trying for a while now and can't figure this one out.

Thanks for any help you guys can provide !

Alexis
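
An added example, not part of the original post: a Python check that cross-references a blacklist file against `spamdb` output and reports sources that are blacklisted yet hold GREY entries, the symptom shown above. It goes beyond the single-address case by also matching CIDR entries; the sample data is constructed apart from the `spamdb` line quoted in the post, and reading the second-to-last field as the deferral count is an assumption.

```python
import ipaddress

def load_blacklist(text):
    """Parse blacklist text: one address or CIDR block per line, '#' comments."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # other notations (e.g. "a - b" ranges) are skipped in this example
    return nets

def greylisted_but_blacklisted(blacklist_text, spamdb_text):
    """Return (ip, matching_entry, deferrals) for GREY rows with a blacklisted source."""
    nets = load_blacklist(blacklist_text)
    hits = []
    for row in spamdb_text.splitlines():
        fields = row.strip().split("|")
        if len(fields) < 3 or fields[0] != "GREY":
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        net = next((n for n in nets if ip in n), None)
        if net is not None:
            # Assumption: second-to-last field counts temporary failures handed out.
            deferrals = int(fields[-2]) if fields[-2].isdigit() else None
            hits.append((str(ip), str(net), deferrals))
    return hits

# Constructed sample input; the first blacklist entry and first GREY row are from the post.
BLACKLIST = """\
# homemade blacklist
83.100.146.104
198.51.100.0/24
"""
SPAMDB = """\
GREY|83.100.146.104|<>|<info at xxxxxxxx.org>|1148654694|1148669094|1148669094|4|0
GREY|198.51.100.7|<a@example.net>|<b@example.org>|1148654700|1148669100|1148669100|2|0
GREY|192.0.2.10|<c@example.net>|<b@example.org>|1148654800|1148669200|1148669200|1|0
WHITE|198.51.100.9|||1148650000|1148651000|1151750000|3|5
"""

if __name__ == "__main__":
    for ip, net, n in greylisted_but_blacklisted(BLACKLIST, SPAMDB):
        print(f"{ip} matches blacklist entry {net} but was greylisted ({n} deferrals)")
```
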


