pfspamd greylisting stuttering at everything

Michael W. Lucas mwlucas at blackhelicopters.org
Thu Oct 26 16:02:38 UTC 2006


On Mon, Oct 23, 2006 at 08:20:32AM +0200, Peter N. M. Hansteen wrote:
> > I'm set up just like the man page, but every incoming connection is
> > being stuttered at.  This plays havoc with incoming legit mail, of
> > course, and I've been forced to fall back on older antispam tools.
> 
> Are you sure you are actually seeing stuttering, not just the
> greylisting database getting (slowly) initialized?  

[sorry for the delay answering, I needed to spend some quality time
with my mailserver to answer this thoroughly.]

Well, if I manually telnet to port 25 from any machine, I get about
one character a second.  And I get taunted.  I don't think that's the
innocuous 451 error mentioned in the manual.

> You should expect a 'silent period' while the machines which are
> trying to send you mail prove their good intentions to your
> greylister.  The point of greylisting, after all, is to force
> correspondents to retry 'within a reasonable time'.  The lower
> threshold for 'reasonable' is set with the first of the -G arguments
> to spamd.  The other factor is how long the correspondent takes to
> actually retry, which depends on a number of other factors you really
> can't influence much, such as the size of that server's outgoing
> queue.

I've let it run for three hours this morning.

Before starting pfspamd today, I checked my spamdb.  spamdb listed 12
entries.  After 3 hours, spamdb listed the same 12 entries.  My spamd
logs to /var/log/spam, which has many interesting entries in it:

Oct 26 11:18:31 bewilderbeast spamd[731]: (GREY) 216.136.204.119: <owner-doc-committers at FreeBSD.org> -> <mwlucas at blackhelicopters.org>
Oct 26 11:18:40 bewilderbeast spamd[731]: 204.127.192.84: connected (12/1)
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: From: Leila Wood <uzzfnh at fantasy-heaven.de>
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: To: mwlucas at blackhelicopters.org
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Subject: caustic assent
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: This is a multi-part message in MIME format.
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: --------------060605040706020008040508
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: Content-Type: text/html; charset=ISO-8859-1
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: Content-Transfer-Encoding: 7bit
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: <html>
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: <head>
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body:  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
Oct 26 11:19:13 bewilderbeast spamd[731]: 204.152.190.11: disconnected after 390 seconds.
Oct 26 11:19:15 bewilderbeast spamd[731]: 12.130.136.42: disconnected after 390 seconds.
Oct 26 11:19:34 bewilderbeast spamd[731]: 89.110.7.178: disconnected after 390 seconds.
Oct 26 11:19:48 bewilderbeast spamd[731]: 200.52.66.237: connected (10/1)

So, bad stuff is making it there.

Good stuff is as well, though.  I sent an email from work to test the
setup:

bewilderbeast~;grep gkn /var/log/spamd
Oct 26 11:33:59 bewilderbeast spamd[4622]: (GREY) 194.76.60.27: <Michael.Lucas at gkndriveline.com> -> <mwlucas at blackhelicopters.org>
Oct 26 11:35:42 bewilderbeast spamd[4622]: 194.76.60.27: From: "Michael Lucas \(DL\)" <Michael.Lucas at gkndriveline.com>
Oct 26 11:35:42 bewilderbeast spamd[4622]: 194.76.60.27: Body: michael.lucas at gkndriveline.com
Oct 26 11:41:50 bewilderbeast spamd[4622]: (GREY) 194.76.60.27: <Michael.Lucas at gkndriveline.com> -> <mwlucas at blackhelicopters.org>
Oct 26 11:43:33 bewilderbeast spamd[4622]: 194.76.60.27: From: "Michael Lucas \(DL\)" <Michael.Lucas at gkndriveline.com>
Oct 26 11:43:33 bewilderbeast spamd[4622]: 194.76.60.27: Body: michael.lucas at gkndriveline.com

Ten minute delay between the first and last attempt.
I'm running spamd as below:

pfspamd_flags="-v -G7:4:864 -r451"

This tells me that after seven minutes, the next attempt should be
graylisted and handed to my mail server.

bewilderbeast~;grep gkn /var/log/maillog
bewilderbeast~;

Nothing.

bewilderbeast~;spamdb | grep gkn
bewilderbeast~;

Nothing again.

> I would give the initial database buildup a few hours at least.  If
> you're impatient and you have a few addresses which you consider
> 'known good', you could whitelist them using 
> 
>       # spamdb -a nnn.nnn.nnn.nnn

I'd rather avoid whitelisting manually, except perhaps my home IP,
until I know greylisting works on its own.

> see spamdb(8) for details.  I suppose that man page could do with a
> bit more text.

All of spamd could use some documentation, but that'll happen.  ;-)

> PS  My favorite quote about spamd and greylisting at the moment is this
>     recent message to openbsd-misc: 
>     http://marc.theaimsgroup.com/?l=openbsd-misc&m=116136841831550&w=2

That's what inspired me to try this.

Thanks for your help, it's nice to know I'm not missing anything
really obvious.

==ml 

-- 
Michael W. Lucas mwlucas at FreeBSD.org,mwlucas at BlackHelicopters.org
		http://www.BlackHelicopters.org/~mwlucas/
	    Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur
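
Added example, not part of the original message and not code from spamd: a small Python script that pairs up the (GREY) lines of a verbose spamd log and reports, for each sender, how long after the first sighting each retry arrived and whether that gap falls between the passtime and greyexp values given to -G (minutes:hours:hours, per spamd(8)). The log lines are constructed samples in the shape of the ones quoted above, and the script keys on IP, sender and recipient only, since HELO is not visible in these log lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines shaped like the spamd -v log above (not real traffic).
SAMPLE_LOG = """\
Oct 26 11:33:59 mx spamd[4622]: (GREY) 192.0.2.10: <alice@example.org> -> <bob@example.net>
Oct 26 11:35:42 mx spamd[4622]: 192.0.2.10: From: "Alice" <alice@example.org>
Oct 26 11:36:10 mx spamd[4622]: (GREY) 198.51.100.7: <x@example.com> -> <bob@example.net>
Oct 26 11:37:01 mx spamd[4622]: (GREY) 198.51.100.7: <x@example.com> -> <bob@example.net>
Oct 26 11:41:50 mx spamd[4622]: (GREY) 192.0.2.10: <alice@example.org> -> <bob@example.net>
"""

GREY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ spamd\[\d+\]: "
    r"\(GREY\) (\S+): <([^>]*)> -> <([^>]*)>")


def parse_g(flag):
    """Split a -G value 'passtime:greyexp:whiteexp' (minutes:hours:hours)."""
    passtime, greyexp, whiteexp = (int(x) for x in flag.split(":"))
    return (timedelta(minutes=passtime), timedelta(hours=greyexp),
            timedelta(hours=whiteexp))


def grey_retries(log_text, g_flag, year=2006):
    """Return {(ip, sender, rcpt): [(gap_since_first_sighting, in_window), ...]}."""
    passtime, greyexp, _ = parse_g(g_flag)
    first, report = {}, {}
    for line in log_text.splitlines():
        m = GREY_RE.match(line)
        if not m:
            continue  # header/body/connect lines carry no greylisting tuple
        # syslog timestamps have no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = m.group(2, 3, 4)
        if key not in first:
            first[key] = ts
            report[key] = []
            continue
        gap = ts - first[key]
        # in_window: retry came after passtime and before the grey entry expires
        report[key].append((gap, passtime <= gap <= greyexp))
    return report


if __name__ == "__main__":
    for key, retries in grey_retries(SAMPLE_LOG, "7:4:864").items():
        for gap, ok in retries:
            print(key[0], key[1], "retry after", gap, "in window" if ok else "too early/late")
```

A retry reported as in window that still has no matching spamdb entry points at the database or whitelist update rather than at the sender's retry timing.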

