
Re: spamd issues



On Fri, May 07, 2004 at 08:47:30AM -0700, Twinspop wrote:
 > Thanks for the help!
 > 
 > On Fri, May 07, 2004 at 03:20:09PM +0200, Daniel Hartmeier wrote:
 > > 
 > > Which version of spamd is that, exactly? Can you check the $OpenBSD$ tag
 > > at the top of spamd.c?
 > 
 >    /* $OpenBSD: spamd.c,v 1.64 2004/03/17 14:42:20 beck Exp $ */
 > 
 > I'll grab 1.66 and see how it goes.
 > 
 > > Make sure you have syslogd.conf set up correctly, so it does store
 > > LOG_INFO (and LOG_DEBUG, if you want that).
 > 
 >    !spamd
 >    daemon.err;daemon.warn;daemon.info              /var/log/spamd
 > 
 > debug.log gets what I'd expect, but the spamd log never gets anything
 > but connect/disconnect messages. And of course, both die...
 > 
Use the following:

   !spamd
   *.*				/var/log/spamd

And make sure you have the user/group '_spamd'. spamd in the FreeBSD port
does not create that user/group during port installation.
Also note that greylisting in the FreeBSD port does not work yet due to
the missing option 'p' in pfctl.
Max has patches for that but it would not be merged. (pf based
on OpenBSD 3.5 will show up in the near future.)
I tried spamd with Max's patch on my local box. It worked as
expected but it required fdescfs(5).
 > > > The second issue is that all logging dies, usually in under 10 minutes:
 > > 
 > > I've never seen that, are you sure syslog is not receiving anything from
 > > spamd (like spamd's syslog handle becomes somehow invalid) as compared
 > > to syslogd stopping logging them (or, simply, newsyslogd rotating the
 > > file, and your viewer not re-opening the file ;)
 > 
 > This one's getting stranger still. After mucho troubleshooting
 > yesterday, I say with quite a lot of confidence that the logging always
 > stops on 10 minute boundaries. 18:00, or 18:10, or 18:20, etc, but not
 > on EVERY 10 minute boundary. I got it to run for 45 minutes a few times.
 > But when it died, it was at a time ending in 0 (minutes that is).
 > 
 > Stopping spamd and restarting will always get the logging going again.
 > Stopping syslogd and restarting has no effect. I'm positive it's not
 > just a new file. :-) First thing I checked. For whatever reason, the
 > syslog handle appears to be going bad.
 > 
Seems like the log file was rotated or some script modified the log file.
(Do you have some scripts run periodically (possibly every 10 min.) by
cron to add spammers from the log?)
 > > >   (GREY) 213.201.23.96: <[email protected]> -> <[email protected]>
 > > > 
 > > > Any concern here? I assume it's a harmless notice from the greylisting
 > > > code, but just verifying. :-)
 > > 
 > > It's harmless, maybe it should be suppressed if greylisting is not used,
 > > as it has little meaning in that case. It might be useful to look at if
 > > you consider enabling greylisting, but you can just ignore them.
 > 
 > It does get quite verbose though! Nearly a hundred per second sometimes.
 > While hunting around the source code for logging problems, I cleaned out
 > the greylisting pieces. :-)
 > 
 > 23843 added to <spamd> in the last 24 hrs. Weee...  (I clear out
 > addresses older than 24 hrs just to be safe.)
 > 
I guess there is a possible optimization here. spamd can use kqueue(2)
(possibly libevent in OpenBSD). However, because the main purpose
of spamd is wasting spammers' time, I wonder about the effectiveness
of that approach.
 > jon
 > 
 > ps-
 > Unrelated, but interesting tidbit... while there is a wide variance in
 > connect times for clients (from 2 seconds to 600 or more), ~ 90% of them
 > are 52-4 seconds. Changing the delay to 3 seconds per char didn't change
 > it-- the mode remained 52-54 seconds. _I_ thought it was interesting
 > anyway. :-) The spambots hitting me are possibly the same client? And
 > aware of tarpits?
I'm afraid some spammers use a kind of smart tool. It seems that it
checks the time it takes to get the 220 SMTP greeting message. When that time
exceeds some threshold it just drops the connection. I saw some
spambots just inject an entire spam without reading any SMTP
response code and drop the connection. :(
Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
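The thread touches on three things a spamd operator ends up doing by hand: pulling source addresses out of the spamd syslog to maintain a 24-hour <spamd> table, noticing when the log goes silent, and looking at the distribution of connection durations (the "52-54 seconds" observation). The following is an added example, not code from the thread or from spamd itself, that parses constructed spamd syslog lines and answers those questions. The (GREY) line format is the one quoted in the thread; the wording of the "disconnected after N seconds." line is an assumption and should be checked against the spamd version in use. Syslog timestamps carry no year, so the caller supplies one.

```python
"""Summarise spamd syslog lines: recent source IPs, log silence, tarpit durations.

Added example for illustration; not part of spamd or of the mailing-list thread.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Syslog prefix as syslogd writes it: "Mmm dd HH:MM:SS host spamd[pid]: "
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ spamd\[\d+\]: "
# Greylisting notice, in the form the thread quotes: (GREY) ip: <from> -> <to>
_GREY_RE = re.compile(
    _PREFIX + r"\(GREY\) (?P<ip>[\d.]+): <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>$")
# Disconnect message; this exact wording is an ASSUMPTION, adjust to your spamd
_DISC_RE = re.compile(
    _PREFIX + r"(?P<ip>[\d.]+): disconnected after (?P<secs>\d+) seconds\.$")

# Constructed sample log (documentation addresses, not real hosts). Lines are
# deliberately not in time order, and one "connected" line is included to show
# that unrecognised lines are skipped rather than breaking the parse.
SAMPLE_LOG = """\
May  7 18:00:01 mx spamd[812]: (GREY) 192.0.2.10: <a@example.net> -> <b@example.org>
May  7 18:00:53 mx spamd[812]: 192.0.2.10: disconnected after 52 seconds.
May  7 18:01:10 mx spamd[812]: (GREY) 192.0.2.11: <c@example.net> -> <b@example.org>
May  7 18:02:04 mx spamd[812]: 192.0.2.11: disconnected after 54 seconds.
May  6 09:15:00 mx spamd[812]: (GREY) 198.51.100.7: <d@example.net> -> <b@example.org>
May  6 09:15:53 mx spamd[812]: 198.51.100.7: disconnected after 53 seconds.
May  7 17:59:30 mx spamd[812]: 203.0.113.5: disconnected after 600 seconds.
May  7 18:02:06 mx spamd[812]: 192.0.2.12: connected (3/1)
May  7 18:03:00 mx spamd[812]: 192.0.2.12: disconnected after 54 seconds.
"""
# Constructed "now" for the sample above (the thread's own date).
NOW_CONSTRUCTED = datetime(2004, 5, 7, 18, 10, 0)


def parse_lines(lines, year=2004):
    """Return a list of event dicts {'ts', 'ip', 'kind', ...} for recognised lines."""
    events = []
    for line in lines:
        m = _GREY_RE.match(line)
        if m:
            kind, extra = "grey", {"sender": m["sender"], "rcpt": m["rcpt"]}
        else:
            m = _DISC_RE.match(line)
            if not m:
                continue  # connect messages and anything else are ignored here
            kind, extra = "disconnect", {"secs": int(m["secs"])}
        # strptime treats the format's blanks as "one or more spaces", so the
        # two-space "May  7" form that syslogd writes parses correctly
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "kind": kind, **extra})
    return events


def recent_ips(events, now, window=timedelta(hours=24)):
    """IPs seen within `window` of `now`: the 24-hour retention the poster describes."""
    cutoff = now - window
    seen = {e["ip"] for e in events if e["ts"] >= cutoff}
    return sorted(seen, key=ipaddress.ip_address)


def longest_gap_seconds(events):
    """Largest silence between consecutive log entries; a sudden large value
    is the symptom the thread describes (logging stops until spamd restarts)."""
    stamps = sorted(e["ts"] for e in events)
    if len(stamps) < 2:
        return 0
    return int(max((b - a).total_seconds() for a, b in zip(stamps, stamps[1:])))


def duration_histogram(events):
    """Counter of tarpit durations taken from disconnect lines."""
    return Counter(e["secs"] for e in events if e["kind"] == "disconnect")


def duration_mode(events):
    """(duration, count) of the most common connection length, or None."""
    hist = duration_histogram(events)
    return hist.most_common(1)[0] if hist else None


def share_in_range(events, lo, hi):
    """Fraction of disconnects whose duration lies in [lo, hi] seconds."""
    secs = [e["secs"] for e in events if e["kind"] == "disconnect"]
    if not secs:
        return 0.0
    return sum(lo <= s <= hi for s in secs) / len(secs)


if __name__ == "__main__":
    ev = parse_lines(SAMPLE_LOG.splitlines())
    print("table candidates (last 24h):", " ".join(recent_ips(ev, NOW_CONSTRUCTED)))
    print("longest silence:", longest_gap_seconds(ev), "seconds")
    print("duration mode:", duration_mode(ev))
    print("share of 52-54s disconnects:", share_in_range(ev, 52, 54))
```

The list returned by recent_ips is one address per line when joined with newlines, which is the file form pfctl's table operations accept, so the 24-hour pruning the poster does can be a table replace from the parsed log rather than a hand-maintained list. longest_gap_seconds is the cheap check for the "logging died" symptom: run it over the last hour of the file from cron and alert when the gap is far larger than spamd's normal inter-connection interval.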