[nycbug-talk] some C help?
Charles Sprickman
spork at bway.net
Sat Mar 10 00:24:10 EST 2007
Hi All,
I'm playing around with a FreeBSD port of spamd/spamlogd from OpenBSD that
someone posted here some time ago.
Spamd seems to work, spamlogd seems to almost work. It's C, so I'm a
little lost, but I am able to find the area where things are getting
screwed up. In short, spamlogd runs tcpdump with some very specific flags
to look for inbound or outbound mail, finds an IP in the tcpdump output,
and then throws it into the spamd db as whitelisted. For example, in my
case I'm looking at outbound mail - generally mxers that *I* send to are
not going to be spamming me - they are more likely going to be legit
servers.
So I have a pf rule to tag the traffic, and spamlogd is catching it, but
some pattern matching must be going awry. Here I'm sending mail to a host
at 10.10.10.10, and this is what tcpdump sees (called with the same args
spamlogd is using):
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]
But then it spits this out to syslog:
Mar 10 00:09:24 slimjim spamlogd[72636]: invalid ip address 10.10.10
Note the lack of the final octet.
This is (I hope) the area where spamlogd parses the output of tcpdump:
	if (strstr(buf, "pass out") != NULL) {
		/*
		 * this is outbound traffic - we whitelist
		 * the destination address, because we assume
		 * that a reply may come to this outgoing mail
		 * we are sending.
		 */
		/* cp points at the "> dst" part of the tcpdump line */
		if (!inbound && (cp = (strchr(buf, '>'))) != NULL) {
			/* buf2 gets the whitespace-delimited token after '>' */
			if (sscanf(cp, "> %s", buf2) == 1) {
				/*
				 * chop the token at its last '.' - this removes
				 * a trailing ".port" if the token has one, and
				 * removes the last octet if it does not
				 */
				cp = strrchr(buf2, '.');
				if (cp != NULL) {
					*cp = '\0';
					cp = buf2;
					syslog_r(LOG_DEBUG, &sdata,
					    "outbound %s\n", cp);
				}
			} else
				cp = NULL;
		}
	} else {
		/* next is the inbound check... */
That chunk makes very little sense to me.
Can anyone give me a quick shove in the right direction?
Thanks,
Charles
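An added example, not spamlogd's code and not part of the original post: the snippet above takes the token after ">" and cuts it at the last ".", which is the port if the token is "addr.port" but is the last octet if the token is a bare address with a trailing colon, as in the tcpdump line shown ("10.10.10.10:"). The program below reproduces that parse (naive_dst) next to a version (extract_dst) that strips a trailing colon, only removes a fifth dot-separated field when one is present, and validates the result with inet_pton(3) before accepting it. Both sample lines are constructed; the second, "addr.port" form is assumed for illustration and is not taken from the page.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Constructed sample lines (not captured from the page's system). */
/* The shape shown in the post: bare address, trailing colon, no port. */
static const char *const FREEBSD_LINE =
    "rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]";
/* Assumed "addr.port" shape, used to show where the strrchr() trick works. */
static const char *const ADDR_PORT_LINE =
    "rule 12/0(match): pass out on fxp0: 10.10.10.9.1234 > 10.10.10.10.25: S 1:1(0)";
/* Inbound line, which the outbound branch must ignore. */
static const char *const INBOUND_LINE =
    "rule 12/0(match): pass in on fxp0: 10.10.10.10.25 > 10.10.10.9.1234: S 1:1(0)";

static int count_dots(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Same steps as the posted code: sscanf "> %s", then chop at the last '.'.
 * Returns 1 and fills out[] on success, 0 if nothing parsed. */
int naive_dst(const char *line, char *out, size_t outlen)
{
    char tok[256];
    char *dot;
    const char *cp = strchr(line, '>');

    if (cp == NULL || sscanf(cp, "> %255s", tok) != 1)
        return 0;
    dot = strrchr(tok, '.');
    if (dot == NULL)
        return 0;
    *dot = '\0';            /* drops ".port" -- or the last octet */
    snprintf(out, outlen, "%s", tok);
    return 1;
}

/* Hardened parse: only outbound lines, trailing ':' removed, a fifth
 * dot-separated field (the port) removed only if present, and the
 * remainder must be a valid dotted quad. */
int extract_dst(const char *line, char *out, size_t outlen)
{
    char tok[256];
    size_t len;
    struct in_addr a;
    const char *cp;

    if (strstr(line, "pass out") == NULL)
        return 0;
    cp = strchr(line, '>');
    if (cp == NULL || sscanf(cp, "> %255s", tok) != 1)
        return 0;
    len = strlen(tok);
    if (len > 0 && tok[len - 1] == ':')
        tok[--len] = '\0';
    if (count_dots(tok) == 4) {         /* a.b.c.d.port */
        char *dot = strrchr(tok, '.');
        *dot = '\0';
    }
    if (inet_pton(AF_INET, tok, &a) != 1)   /* reject "10.10.10" and junk */
        return 0;
    snprintf(out, outlen, "%s", tok);
    return 1;
}

int main(void)
{
    char out[64];

    if (naive_dst(FREEBSD_LINE, out, sizeof out))
        printf("naive:    %s\n", out);
    if (extract_dst(FREEBSD_LINE, out, sizeof out))
        printf("hardened: %s\n", out);
    if (extract_dst(ADDR_PORT_LINE, out, sizeof out))
        printf("hardened (addr.port form): %s\n", out);
    printf("inbound line accepted: %d\n", extract_dst(INBOUND_LINE, out, sizeof out));
    return 0;
}
```

The inet_pton() check is the part worth keeping regardless of which tcpdump format you end up matching: it turns "invalid ip address 10.10.10" from a syslog message into a parse failure before anything reaches the whitelist.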