[nycbug-talk] some C help?

Okan Demirmen okan at demirmen.com
Sat Mar 10 16:28:31 EST 2007

On Sat 2007.03.10 at 00:24 -0500, Charles Sprickman wrote:
> Hi All,
> I'm playing around with a FreeBSD port of spamd/spamlogd from OpenBSD that 
> someone posted here some time ago.
> Spamd seems to work, spamlogd seems to almost work.  It's C, so I'm a 
> little lost, but I am able to find the area where things are getting 
> screwed up.  In short, spamlogd runs tcpdump with some very specific flags 
> to look for inbound or outbound mail, finds an IP in the tcpdump output, 
> and then throws it into the spamd db as whitelisted.  For example, in my 
> case I'm looking at outbound mail - generally mxers that *I* send to are 
> not going to be spamming me - they are more likely going to be legit 
> servers.
> So I have a pf rule to tag the traffic, and spamlogd is catching it, but 
> some pattern matching must be going awry.  Here I'm sending mail to a host 
> at, and this is what tcpdump sees (called with the same args 
> spamlogd is using):
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 
> bytes
> rule 12/0(match): pass out on fxp0: > [|tcp]
> But then it spits this out to syslog:
> Mar 10 00:09:24 slimjim spamlogd[72636]: invalid ip address 10.10.10
> Note the lack of the final octet.
> This is (I hope) the area where spamlogd parses the output of tcpdump:

yes, it is, but no need to analyze it...

it does its job correctly.

> That chunk makes very little sense to me.
> Can anyone give me a quick shove in the right direction?

...and the reason yours is failing is not because of that chunk of code,
but rather your pflog interface.  it should look like:

	[blah] > [blah]

where XXXX is an ephemeral port...basically your log is dropping the
port number. why? i don't know - what does your pf rule look like?


More information about the talk mailing list