[nycbug-talk] CIDR Network Subtraction Tool?

[Tim A.]

Marc Spitzer wrote:
> Why not just run a white list as well as a black list, if its in both
> white wins.  Makes auditing easier as well
>
> Marc

Thats what I expected to do. They are whitelisted. I'm using pfsense
though and for some reason spamd (on pfsense) is not working like that.

It doesn't offer blacklist-only option via the GUI, I fiddle with the
startup script after reboot to set it to blacklist mode (they get
generated via pfsense configs on bootup).
Because... although most spammers won't try resending (and hence get
whitelisted) quite a few are doing that now. Maybe they're adapting to
spamd's growing popularity, idk. Quite a bit of spam is getting past it
though. While I can live with that from the netblock we have to, I'm
choosing to just blacklist everything I don't have to allow by default.

In blacklist-only mode a pf table <blacklist> gets populated with the
items from blacklist sources, but the whitelist doesn't get populated.
Looking at the pf rules, it seems that is the problem.
But I don't really understand spamd internals. I don't know why its
acting like that. I'm betting its a problem with the pfsense
implementation not being designed to allow for blacklist only option.

I'm thinking of just forwarding port 25 to a real bsd vm to have a
standard spamd install.
Better yet, one of these days I'll break the pfsense habit and just do
it like the big boys do. These damn GUIs are just so addictive.