Date: Thu, 26 Oct 2006 12:02:01 -0400
From: "Michael W. Lucas"
To: "Peter N. M. Hansteen"
Cc: questions@freebsd.org
Subject: Re: pfspamd greylisting stuttering at everything
Message-ID: <20061026160201.GA4801@bewilderbeast.blackhelicopters.org>
In-Reply-To: <87ods3wo27.fsf@amidala.kakemonster.bsdly.net>

On Mon, Oct 23, 2006 at 08:20:32AM +0200, Peter N. M. Hansteen wrote:
> > I'm set up just like the man page, but every incoming connection is
> > being stuttered at.  This plays havoc with incoming legit mail, of
> > course, and I've been forced to fall back on older antispam tools.
>
> Are you sure you are actually seeing stuttering, not just the
> greylisting database getting (slowly) initialized?

[sorry for the delay answering, I needed to spend some quality time
with my mailserver to answer this thoroughly.]

Well, if I manually telnet to port 25 from any machine, I get about
one character a second.  And I get taunted.  I don't think that's the
innocuous 451 error mentioned in the manual.

> You should expect a 'silent period' while the machines which are
> trying to send you mail prove their good intentions to your
> greylister.  The point of greylisting, after all, is to force
> correspondents to retry 'within a reasonable time'.  The lower
> threshold for 'reasonable' is set with the first of the -G arguments
> to spamd.  The other factor is how long the correspondent takes to
> actually retry, which depends on a number of other factors you really
> can't influence much, such as the size of that server's outgoing
> queue.

I've let it run for three hours this morning.  Before starting pfspamd
today, I checked my spamdb.  spamdb listed 12 entries.  After 3 hours,
spamdb listed the same 12 entries.

My spamd logs to /var/log/spam, which has many interesting entries in
it:

Oct 26 11:18:31 bewilderbeast spamd[731]: (GREY) 216.136.204.119: ->
Oct 26 11:18:40 bewilderbeast spamd[731]: 204.127.192.84: connected (12/1)
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: From: Leila Wood
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: To: mwlucas@blackhelicopters.org
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Subject: caustic assent
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: This is a multi-part message in MIME format.
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: --------------060605040706020008040508
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: Content-Type: text/html; charset=ISO-8859-1
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body: Content-Transfer-Encoding: 7bit
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body:
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body:
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body:
Oct 26 11:18:47 bewilderbeast spamd[731]: 89.110.7.178: Body:
Oct 26 11:19:13 bewilderbeast spamd[731]: 204.152.190.11: disconnected after 390 seconds.
Oct 26 11:19:15 bewilderbeast spamd[731]: 12.130.136.42: disconnected after 390 seconds.
Oct 26 11:19:34 bewilderbeast spamd[731]: 89.110.7.178: disconnected after 390 seconds.
Oct 26 11:19:48 bewilderbeast spamd[731]: 200.52.66.237: connected (10/1)

So, bad stuff is making it there.  Good stuff is as well, though.  I
sent an email from work to test the setup:

bewilderbeast~;grep gkn /var/log/spamd
Oct 26 11:33:59 bewilderbeast spamd[4622]: (GREY) 194.76.60.27: ->
Oct 26 11:35:42 bewilderbeast spamd[4622]: 194.76.60.27: From: "Michael Lucas \(DL\)"
Oct 26 11:35:42 bewilderbeast spamd[4622]: 194.76.60.27: Body: michael.lucas@gkndriveline.com
Oct 26 11:41:50 bewilderbeast spamd[4622]: (GREY) 194.76.60.27: ->
Oct 26 11:43:33 bewilderbeast spamd[4622]: 194.76.60.27: From: "Michael Lucas \(DL\)"
Oct 26 11:43:33 bewilderbeast spamd[4622]: 194.76.60.27: Body: michael.lucas@gkndriveline.com

Ten minute delay between the first and last attempt.  I'm running
spamd as below:

pfspamd_flags="-v -G7:4:864 -r451"

This tells me that after seven minutes, the next attempt should be
graylisted and handed to my mail server.

bewilderbeast~;grep gkn /var/log/maillog
bewilderbeast~;

Nothing.

bewilderbeast~;spamdb | grep gkn
bewilderbeast~;

Nothing again.

> I would give the initial database buildup a few hours at least.  If
> you're impatient and you have a few addresses which you consider
> 'known good', you could whitelist them using
>
> # spamdb -a nnn.nnn.nnn.nnn

I'd rather avoid whitelisting manually, except perhaps my home IP,
until I know greylisting works on its own.

> see spamdb(8) for details.  I suppose that man page could do with a
> bit more text.

All of spamd could use some documentation, but that'll happen.  ;-)

> PS My favorite quote about spamd and greylisting at the moment is this
> recent message to openbsd-misc:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=116136841831550&w=2

That's what inspired me to try this.

Thanks for your help, it's nice to know I'm not missing anything
really obvious.

==ml

-- 
Michael W. Lucas	mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur
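
[Added example, not part of the original message or of spamd itself: a Python sketch that automates the check done by hand above, grouping spamd's (GREY) log lines by tuple and testing whether any retry fell inside the window set by -G passtime:greyexp:whiteexp (minutes, hours, hours, per spamd(8)). Assumptions: the log sample is constructed, it shows the sender and recipient in angle brackets (the archived lines above show only "->"), and the function names are made up here.]

```python
import re
from datetime import datetime, timedelta

# Constructed sample: documentation-range IPs and example.* addresses.
SAMPLE_LOG = """\
Oct 26 11:33:59 mx spamd[4622]: (GREY) 192.0.2.27: <a@example.org> -> <ml@example.net>
Oct 26 11:35:42 mx spamd[4622]: 192.0.2.27: disconnected after 103 seconds.
Oct 26 11:36:10 mx spamd[4622]: (GREY) 198.51.100.9: <x@example.com> -> <ml@example.net>
Oct 26 11:38:05 mx spamd[4622]: (GREY) 203.0.113.5: <b@example.org> -> <ml@example.net>
Oct 26 11:40:05 mx spamd[4622]: (GREY) 203.0.113.5: <b@example.org> -> <ml@example.net>
Oct 26 11:41:50 mx spamd[4622]: (GREY) 192.0.2.27: <a@example.org> -> <ml@example.net>
"""

GREY_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ spamd\[\d+\]: "
                     r"\(GREY\) ([\d.]+): <([^>]*)> -> <([^>]*)>")

def parse_grey_flag(flags):
    """Return (passtime, greyexp, whiteexp) as timedeltas from a -G flag."""
    m = re.search(r"-G\s*(\d+):(\d+):(\d+)", flags)
    if not m:
        raise ValueError("no -G passtime:greyexp:whiteexp in flags")
    p, g, w = map(int, m.groups())
    return timedelta(minutes=p), timedelta(hours=g), timedelta(hours=w)

def grey_attempts(log, year):
    """Map (ip, sender, recipient) -> sorted attempt times from (GREY) lines."""
    seen = {}
    for line in log.splitlines():
        m = GREY_RE.match(line)
        if m:  # syslog stamps carry no year, so the caller supplies it
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen.setdefault(m.groups()[1:], []).append(when)
    return {k: sorted(v) for k, v in seen.items()}

def classify(log, flags, year=2006):
    """Per tuple: did any retry land at least passtime, but under greyexp, after the first?"""
    passtime, greyexp, _ = parse_grey_flag(flags)
    out = {}
    for key, times in grey_attempts(log, year).items():
        gaps = [t - times[0] for t in times[1:]]
        if not gaps:
            out[key] = "no retry yet"
        elif any(passtime <= g < greyexp for g in gaps):
            out[key] = "retry qualifies: expect a WHITE entry in spamdb"
        else:
            out[key] = "no retry inside the window"
    return out

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, "-v -G7:4:864 -r451"))
```

[A tuple reported as qualifying while spamdb still shows no WHITE entry for that IP points at the database update path rather than at the sender's retry timing.]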