
karma: only *lower* tarpit for friendly connects #582

Merged
merged 7 commits into from


Commits on Jun 10, 2014
  1. @msimerson
  2. @msimerson

    karma: make default config more conservative

    msimerson authored
    The default config can cause deliverability problems on new installs. This backs off the strictness a bit, and the user can crank it up by tweaking karma.ini
  3. @msimerson
Commits on Jun 13, 2014
  1. @msimerson
  2. @msimerson
Commits on Jun 22, 2014
  1. @msimerson
  2. @msimerson
Showing with 37 additions and 36 deletions.
  1. +19 −17 config/karma.ini
  2. +12 −9 plugins/karma.js
  3. +6 −10 tests/plugins/karma.js
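--- a/config/karma.ini
+++ b/config/karma.ini
@@ -30,7 +30,7 @@ max=4
 [thresholds]
 ; negative: the threshold below which a connection is denied/rejected
 ; Be conservative to avoid false positives!
-negative=-5
+negative=-8
 ; score above which connections are considered 'good'
 positive=3
@@ -82,9 +82,9 @@ reset=10
 ; maximum number of recipients allowed
 [recipients]
-bad=1
-neutral=5
-good=25
+bad=5
+neutral=15
+good=50
 [spammy_tlds]
@@ -144,15 +144,17 @@ results.connect.geoip.distance@8 = -1 if gt 8000
 results.connect.p0f.os_name@fbsd = 1 if match freebsd
 results.connect.p0f.os_name@win = -2 if match windows
-notes.connect.rdns_access@w = 3 if equals white
-notes.connect.rdns_access@b = -10 if equals black
-
 results.connect.fcrdns.fcrdns@0 = 1 if length gt 0
 results.connect.fcrdns.fail@0 = -1 if length gt 0
 results.connect.fcrdns.fail@1 = -2 if length gt 1
 results.connect.fcrdns.no_rdns = -3
 results.connect.fcrdns.ip_in_rdns= -1
+; results.access.whitelist = 8 if whitelist
+; results.access.rdns = 8 if in pass connect.rdns_access.whitelist
+; results.access.mail_pass = 8 if in pass mail_from.access.whitelist
+; results.access.rcpt_pass = 8 if in pass rcpt_to.access.whitelist
+
 ; these are cumulative, failing multiple adds up fast
 results.dnsbl.fail@0 = -2 if length gt 0
 results.dnsbl.fail@1 = -2 if length gt 1
@@ -166,7 +168,8 @@ results.helo.checks.fail@forward_dns = -1 if match
 results.helo.checks.fail@dynamic = -2 if match
 results.helo.checks.fail@reverse_dns = -1 if match
-relaying = 3
+notes.tls.authorized = 1
+relaying = 5
 notes.auth_user = 7
 notes.auth_fails@1 = -1 if gt 0
 notes.auth_fails@2 = -2 if gt 1
@@ -174,9 +177,6 @@ notes.auth_fails@3 = -3 if gt 2
 notes.auth_fails@4 = -4 if gt 3
 early_talker = -4
-results.mail_from.access.pass = 10 if length gt 1
-results.mail_from.access.fail = -10 if length gt 0
-
 ; SPF survey in March 2014: over 95% of ham has SPF Pass
 ; over 60% of spam has SPF Pass
 ; None, Pass, Fail, SoftFail, Neutral, TempError, PermError
@@ -191,8 +191,6 @@ transaction.results.spf.result@1 = -1 if equals None
 results.karma.fail@rfc5321mf = -1 if in fail rfc5321.MailFrom
 results.karma.fail@rfc5321rt = -1 if in fail rfc5321.RcptTo
-results.rcpt_to.access.pass = 10 if in pass whitelisted
-results.rcpt_to.access.fail = -10 if length gt 0
 results.rcpt_to.qmail_deliverable.fail@0 = -3 if length gt 0
 results.rcpt_to.qmail_deliverable.fail@1 = -3 if length gt 1
 results.rcpt_to.qmail_deliverable.fail@3 = -5 if length gt 3
@@ -203,9 +201,11 @@ results.headers.fail@f2 = -3 if length gt 1
 results.headers.fail@f3 = -3 if length gt 2
 results.headers.fail@from_match = -1 if match
-results.data.uribl.fail = -2 if length gt 0
-results.data.uribl.fail = -2 if length gt 1
-results.data.uribl.fail = -2 if length gt 2
+results.data.uribl.fail@1 = -2 if length gt 0
+results.data.uribl.fail@2 = -2 if length gt 1
+results.data.uribl.fail@3 = -2 if length gt 2
+
+results.bounce.fail@1 = -5 if length gt 0
 notes.bounce@invalid = -3 if equals
 notes.spamassassin.hits@h0 = 1 if lt 0
@@ -216,7 +216,9 @@ notes.spamassassin.hits@s2 = -1 if gt 2
 notes.spamassassin.hits@s3 = -1 if gt 3
 notes.spamassassin.hits@s4 = -1 if gt 4
 notes.spamassassin.hits@s5 = -1 if gt 5
-notes.spamassassin.hits@s6 = -1 if gt 6
+notes.spamassassin.hits@s7 = -2 if gt 7
+notes.spamassassin.hits@s9 = -4 if gt 9
+notes.spamassassin.hits@s20 = -10 if gt 20
 results.clamd.fail@virus = -16 if match
 results.clamd.fail@phish = -6 if match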
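Review bot: The four `; results.access.*` lines added in the third hunk replace the active `notes.connect.rdns_access@w`/`@b` rules removed there (and the `results.mail_from.access.*` and `results.rcpt_to.access.*` rules removed in the fifth and sixth hunks), but nothing says why they are commented out, so an operator reading the shipped karma.ini cannot tell whether they are examples, work in progress, or deliberately off. A one-line comment above them stating the reason, presumably that the access plugin's result keys do not yet match these names, would remove that guesswork. The net effect is that an access-plugin blacklist or whitelist result no longer moves the karma score at all (previously -10/+3 and ±10 at mail_from/rcpt_to); the access plugin's own denials still stand, since plugins/karma.js hook_deny exempts `pi_name === 'access'`, so this is a loss of scoring signal rather than a bypass, but it deserves a sentence in the commit message.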
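--- a/plugins/karma.js
+++ b/plugins/karma.js
@@ -6,14 +6,6 @@ var phase_prefixes = ['connect','helo','mail_from','rcpt_to','data'];
 exports.register = function () {
 var plugin = this;
- plugin.register_hook('init_master', 'karma_init');
- plugin.register_hook('init_child', 'karma_init');
- plugin.register_hook('connect', 'max_concurrent');
- plugin.register_hook('connect', 'karma_penalty');
-};
-
-exports.karma_init = function (next, server) {
- var plugin = this;
 plugin.deny_hooks = ['unrecognized_command','helo','data','data_post'];
 var load_config = function () {
@@ -30,6 +22,14 @@ exports.karma_init = function (next, server) {
 };
 load_config();
+ plugin.register_hook('init_master', 'karma_init');
+ plugin.register_hook('init_child', 'karma_init');
+ plugin.register_hook('connect', 'max_concurrent');
+ plugin.register_hook('connect', 'karma_penalty');
+};
+
+exports.karma_init = function (next, server) {
+ var plugin = this;
 plugin.init_redis_connection();
 return next();
 };
@@ -82,7 +82,7 @@ exports.apply_tarpit = function (connection, hook, score, next) {
 // be less punitive to roaming users
 if (([587,465].indexOf(connection.local_port) !== -1) && /^(ehlo|connect|quit)$/.test(hook)) {
- max = 2;
+ if (max > 2) { max = 2; }
 // Reduce penalty for good history
 if (k.history > 0) {
 delay = parseFloat(delay - 2);
@@ -158,6 +158,8 @@ exports.hook_deny = function (next, connection, params) {
 // exceptions, whose 'DENY' should not be captured
 if (pi_name === 'karma') return next(); // myself
 if (pi_name === 'access') return next(); // ACLs
+ if (pi_name === 'helo.checks') return next(); // has granular reject
+ if (pi_name === 'data.headers') return next(); // has granular reject
 if (pi_hook === 'rcpt_to') return next(); // RCPT hooks are special
 if (pi_hook === 'queue') return next();
@@ -686,6 +688,7 @@ exports.max_recipients = function (connection) {
 var score = connection.results.get('karma').connect;
 if (score > 3 && count <= plugin.cfg.recipients.good) return;
 if (score >= 0 && count <= plugin.cfg.recipients.neutral) return;
+ if (count <= plugin.cfg.recipients.bad) return;
 return 'too many recipients (' + count + ') for ' + desc + ' karma';
 };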
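Review bot: The new `if (count <= plugin.cfg.recipients.bad) return;` in the last hunk (max_recipients) does not look at the score, so it only acts as the floor for bad-karma senders if `recipients.bad` is the smallest of the three limits; an operator who sets `bad` above `neutral` or `good` in karma.ini silently grants every sender the larger allowance. A comment above the three checks, `// assumes bad <= neutral <= good; the last check is the floor for any score`, makes that ordering assumption visible, or the ordering could be validated once in load_config (the first hunk), which is where the values are read. If the `bad` key is missing from the config, `count <= undefined` is false and the function falls through to the deny string, so the failure mode is fail-closed, which is the right direction for a recipient limit. max_recipients starts outside the hunk, where `count` and `desc` are defined.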
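--- a/tests/plugins/karma.js
+++ b/tests/plugins/karma.js
@@ -41,16 +41,12 @@ function _tear_down(callback) {
 exports.karma_init = {
 setUp : _set_up,
 tearDown : _tear_down,
- 'init': function (test) {
- test.expect(4);
- var cb = function (rc) {
- test.equal(undefined, rc);
- test.ok(this.plugin.cfg.asn);
- test.ok(this.plugin.deny_hooks);
- test.ok(this.plugin.db);
- test.done();
- }.bind(this);
- this.plugin.karma_init(cb);
+ 'register': function (test) {
+ test.expect(2);
+ this.plugin.register();
+ test.ok(this.plugin.cfg.asn);
+ test.ok(this.plugin.deny_hooks);
+ test.done();
 },
 };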
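Review bot: The replacement 'register' case drops the `test.ok(this.plugin.db)` assertion of the removed 'init' case, so the redis setup that `karma_init` still performs (the plugins/karma.js hunk leaves `init_redis_connection()` there) is no longer exercised by this suite unless another test covers it. Because `register()` now also issues the four `register_hook` calls, the fixture built by `_set_up` (outside the hunk) has to provide a `register_hook` stub or the test throws before reaching its assertions; I cannot confirm from this hunk that it does. Consider keeping a separate 'init' case that calls `karma_init` with a callback and asserts `this.plugin.db`, alongside the new 'register' case.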