arpwatch and voluminous amounts of SPAM
-
All,
Noted a checkbox labeled "Disables Cron email notifications from other packages." - which is absolutely undesirable. However, cannot find a checkbox (or config option) to disable arpwatch from turning an already large inbox into something that looks like a receptacle for SPAM out of a horror movie.
Recently, had an issue where arpwatch was useful in determining the combination of IP/MAC -> switch -> port. However, receiving one email per discovered MAC is untenable. Is there any way to address this? Could see some value in leaving it running, so that if something came up in the future - would have the firewall's notion of IP<=>MAC and possibly a hostname, as a very nice reference. Unfortunately, to make the case for leaving it enabled - it must have all emails disabled. (A couple hundred emails in short order is problematic - to say the least. And there's no reason to add the superfluous overhead of everything to "auto delete" via an email filter when disabling email at the source is the right answer).
Thanks!
-
@justme2 can't you just remove the Notifications recipient email address? Now you should still get other notifications from pfsense, but arpwatch wouldn't be sending anything.
-
"notifications recipient" field is blank (nothing was ever entered). Seems to be that if it's blank and something is specified in System -> Advanced -> Notifications - that it is using that (instead of being able to override and turn off).
EDIT: to be fair, that wouldn't be "unreasonable" for simplification but then there needs to be a checkbox/override to be able to turn off notifications [all together].
-
@justme2 yeah you are right, I made sure my recpt was blank... Then enable arpwatch and flood of emails as it added entries in the db, I had recently cleared, etc.
They do warn you can get lots of emails under where you put the address. But if it's blank it sure shouldn't be using your default notification address in pfsense. If I had to guess, if you ever had one in there, it's not being blanked out so still sending to that..
Wonder, as a workaround, if you put in some bogus email address. That's really not a good workaround since now the system is just going to send emails to some bogus email address.
Maybe you could put in a different email address, that you filter on for those alerts so you don't see them in your main mailbox. gmail for example allows you to use +something in your address.. You can also add . in the address, so like if your email was firstlastname@gmail.com you could use first.lastname@gmail and still get it - but would make it easy to filter mail sent to that specific address.
But I agree being able to just leave it running without notification would be nice. Or slicker even still would be to just get a digest email.. Say once a day of all the new macs it's found in the last 24 hours.
I got fed up with the package quite some time ago, recall versions back it would crash the system after running for a length of time.. I just leave it not enabled and only turn it on if specifically testing something, etc.
-
Agree - having a daily digest would be nice, but would just be happy to turn off all notifications for usefulness. Rather looking at it from a developer/maintainer perspective and the overhead of trying to add functionality that may be more complex vs. what would [hopefully] be a fairly quick solution.
Well, for now it will be added to the list of "installed, but disabled" due to problematic behavior. :(
Thanks!!!!!
-
@justme2 you could for sure put in a feature request for that.. It makes sense to me to have that option as well.
It's just arpwatch was never an "oh I need this package" sort of package.. Kind of slick, yeah, if it wasn't so noisy.. I could even live with the noise since once it finds all the devices it shouldn't really send that many.. But my latest frustration was it sending stuff for bogon.
Here is a thread from last year, where this same sort of stuff was discussed.
-
Installed the current version of arpwatch on a FreeBSD to read through the manual page and get a little more data. Appears that there is a command line parameter to stop the SPAM "-s". There's also another parameter that appears useful "-q" however that doesn't seem to be accepted (perhaps collides with another parameter - didn't play to see why it wouldn't accept, it just errored). Anyways, here is a 'quick' change to the arpwatch.inc file to stop the SPAM:
```
$rc['start'] .= '/usr/local/sbin/arpwatch'
    .' -s '  // added: suppress reports sent by email
    .' '.$disable_carp
    .' '.$disable_bogons
    .' '.$disable_zero
    .' '.$enable_zeropad
    .' -f '.escapeshellarg($arp_file)
    .' -i '.escapeshellarg($ifname);
```
Probably just needs a minor change to the GUI PHP file to add a checkbox to enable/disable. Manual page suggests "-s" to be:
The -s flag suppresses reports sent by email.
Cheers
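The daily digest wished for earlier in the thread could be built from the database file once "-s" has silenced the per-MAC mail. This is an added example, not code from the thread or from the pfSense package: it compares two snapshots of arp.dat and lists new stations and known IPs that now answer from a different MAC. Assumptions: arp.dat lines are tab-separated as MAC, IP, timestamp, optional hostname, optional interface; the snapshots are copies taken a day apart; all function names are hypothetical.

```python
"""Digest of arpwatch database changes between two arp.dat snapshots."""
from datetime import datetime, timezone

def norm_mac(mac):
    # arpwatch drops leading zeros unless zero-padding is enabled; pad to compare.
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp_dat(text):
    """Return {(mac, ip): (timestamp, hostname)}; assumed fields: MAC IP TIME [HOST] [IF]."""
    entries = {}
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 3 or not f[2].isdigit():
            continue  # blank or malformed line
        entries[(norm_mac(f[0]), f[1])] = (int(f[2]), f[3] if len(f) > 3 else "")
    return entries

def build_digest(previous_text, current_text):
    """Return (new_stations, changed_ips) present in current but not in previous."""
    old, cur = parse_arp_dat(previous_text), parse_arp_dat(current_text)
    macs_by_ip = {}
    for mac, ip in old:
        macs_by_ip.setdefault(ip, set()).add(mac)
    new_stations, changed_ips = [], []
    for (mac, ip), (seen, host) in sorted(cur.items(), key=lambda kv: kv[1][0]):
        if (mac, ip) in old:
            continue
        if ip in macs_by_ip:  # known IP now answered from a different MAC
            changed_ips.append((ip, sorted(macs_by_ip[ip]), mac, seen))
        else:
            new_stations.append((mac, ip, host, seen))
    return new_stations, changed_ips

def format_digest(new_stations, changed_ips):
    stamp = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    out = [f"New stations: {len(new_stations)}"]
    out += [f"  {mac}  {ip}  {host or '-'}  {stamp(t)}" for mac, ip, host, t in new_stations]
    out.append(f"IPs seen with a different MAC: {len(changed_ips)}")
    out += [f"  {ip}  was {','.join(old)}  now {mac}  {stamp(t)}" for ip, old, mac, t in changed_ips]
    return "\n".join(out)

# Constructed sample snapshots (documentation addresses, made-up MACs).
PREVIOUS = "0:1b:21:a:b:c\t192.0.2.10\t1700000000\tnas\n2:0:0:0:0:1\t192.0.2.20\t1700000100\n"
CURRENT = (PREVIOUS.replace("1700000000", "1700090000")
           + "2:0:0:0:0:2\t192.0.2.20\t1700086400\n"
           + "02:00:00:00:00:03\t192.0.2.30\t1700086500\tprinter\tem0\n")

if __name__ == "__main__":
    print(format_digest(*build_digest(PREVIOUS, CURRENT)))
```

The second list is the one worth reading first: a known IP answering from a new MAC is what arpwatch would have mailed as a changed ethernet address.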
-
@justme2 when I get a chance will try it out.. Today is Derby Day ;) As soon as I finish my 2nd morning Michelada it's time to move to Juleps and finish watching the pre-race coverage ;)
-
Nice! Enjoy!