[nycbug-talk] some C help?

Charles Sprickman spork at bway.net
Sat Mar 10 00:24:10 EST 2007

Hi All,

I'm playing around with a FreeBSD port of spamd/spamlogd from OpenBSD that 
someone posted here some time ago.

Spamd seems to work, spamlogd seems to almost work.  It's C, so I'm a 
little lost, but I am able to find the area where things are getting 
screwed up.  In short, spamlogd runs tcpdump with some very specific flags 
to look for inbound or outbound mail, finds an IP in the tcpdump output, 
and then throws it into the spamd db as whitelisted.  For example, in my 
case I'm looking at outbound mail - generally mxers that *I* send to are 
not going to be spamming me - they are more likely going to be legit 

So I have a pf rule to tag the traffic, and spamlogd is catching it, but 
some pattern matching must be going awry.  Here I'm sending mail to a host 
at, and this is what tcpdump sees (called with the same args 
spamlogd is using):

listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 
rule 12/0(match): pass out on fxp0: > [|tcp]

But then it spits this out to syslog:

Mar 10 00:09:24 slimjim spamlogd[72636]: invalid ip address 10.10.10

Note the lack of the final octet.

This is (I hope) the area where spamlogd parses the output of tcpdump:

            if (strstr(buf, "pass out") != NULL) {
                     * this is outbound traffic - we whitelist
                     * the destination address, because we assume
                     * that a reply may come to this outgoing mail
                     * we are sending.
                 if (!inbound && (cp = (strchr(buf, '>'))) != NULL) {
                         if (sscanf(cp, "> %s", buf2) == 1) {
                                 cp = strrchr(buf2, '.');
                                 if (cp != NULL) {
                                         *cp = '\0';
                                         cp = buf2;
                                         syslog_r(LOG_DEBUG, &sdata,
                                             "outbound %s\n", cp);
                           } else
                                cp = NULL;

                } else {
                   /* next is the inbound check...  */

That chunk makes very little sense to me.

Can anyone give me a quick shove in the right direction?



More information about the talk mailing list