exempting user or domain from one RBL check ?


exempting user or domain from one RBL check ?

Voytek
I have a user's inbound mail blocked by barracudacentral, is there a way
to exempt this particular user/domain from this particular RBL check ?

or what else can or should I do ?

this is the only known issue with barracuda I have and, otherwise it seems
quite effective, I think ?


smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:7777,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 check_client_access hash:/etc/postfix/client_checks,
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client b.barracudacentral.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client ix.dnsbl.manitu.net,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client cbl.abuseat.org,
 reject_rhsbl_sender dsn.rfc-ignorant.org,
 check_policy_service inet:127.0.0.1:10031


 pflogsumm /var/log/maillog.1 | grep block
    blocked using b.barracudacentral.org (total: 482)
    blocked using bl.spamcop.net (total: 40)
    blocked using dbl.spamhaus.org (total: 133)
    blocked using ix.dnsbl.manitu.net (total: 37)
    blocked using psbl.surriel.com (total: 14)
    blocked using zen.spamhaus.org (total: 3438)



Re: exempting user or domain from one RBL check ?

/dev/rob0
On Mon, Aug 07, 2017 at 01:17:54PM +1000, Voytek wrote:
> I have a user's inbound mail blocked by barracudacentral, is
> there a way to exempt this particular user/domain from this
> particular RBL check ?
>
> or what else can or should I do ?

Share the logging of this rejection and be more specific.  The
problem is with one specific client, or more?

> this is the only known issue with barracuda I have and,
> otherwise it seems quite effective, I think ?

Yes, but like Spamcop, it's an automated list, so it lists some
legitimate outbound servers at times.

Large senders often do content filtering on outbound streams,
directing questionable content to a certain subgroup of their
outbound farms.  Members of those subgroups tend to be listed by
Spamcop and BRBL.

I use BRBL in postscreen with 2 points and a threshold of 3.  But I
had the same problem [I think] you had: intermittent rejections of
good mail.  So I don't use it with reject_rbl_client now.

> smtpd_recipient_restrictions =
>  reject_unknown_sender_domain,
>  reject_unknown_recipient_domain,
>  reject_non_fqdn_sender,
>  reject_non_fqdn_recipient,
>  reject_unlisted_recipient,
>  check_policy_service inet:127.0.0.1:7777,

>  permit_mynetworks,
>  check_sasl_access hash:/etc/postfix/sasl_access
>  permit_sasl_authenticated,

You should separate submission from your inbound stream.  If you must
accept user-submitted mail on port 25, use a different IP address.

>  reject_unauth_destination,
>  check_recipient_access hash:/etc/postfix/recipient_no_checks,
>  check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>  check_helo_access hash:/etc/postfix/helo_checks,
>  check_sender_access hash:/etc/postfix/sender_checks,
>  check_client_access hash:/etc/postfix/client_checks,
>  check_client_access pcre:/etc/postfix/client_checks.pcre,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client b.barracudacentral.org,
>  reject_rhsbl_client dbl.spamhaus.org,
>  reject_rhsbl_sender dbl.spamhaus.org,

>  reject_rbl_client psbl.surriel.com,
>  reject_rbl_client ix.dnsbl.manitu.net,
>  reject_rbl_client bl.spamcop.net,

I don't know manitu firsthand, so I wouldn't use that restriction.
I *do* know PSBL and Spamcop firsthand, and I definitely wouldn't
recommend those restrictions.

>  reject_rbl_client cbl.abuseat.org,

Wasted lookup, as this is included in Zen.

>  reject_rhsbl_sender dsn.rfc-ignorant.org,

Ralf discontinued the RFCI lists some years back.

>  check_policy_service inet:127.0.0.1:10031
>
>
>  pflogsumm /var/log/maillog.1 | grep block
>     blocked using b.barracudacentral.org (total: 482)
>     blocked using bl.spamcop.net (total: 40)
>     blocked using dbl.spamhaus.org (total: 133)
>     blocked using ix.dnsbl.manitu.net (total: 37)
>     blocked using psbl.surriel.com (total: 14)
>     blocked using zen.spamhaus.org (total: 3438)

--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: exempting user or domain from one RBL check ?

Alex JOST-2
In reply to this post by Voytek
On 07.08.2017 at 05:17, Voytek wrote:
> I have a user's inbound mail blocked by barracudacentral, is there a way
> to exempt this particular user/domain from this particular RBL check ?
>
> or what else can or should I do ?

You could rearrange your restrictions and add check_*_access before the
Barracuda test to stop the restriction processing for that recipient.


Alternatively you can add a restriction class:

   http://www.postfix.org/RESTRICTION_CLASS_README.html

--
Alex JOST

Re: exempting user or domain from one RBL check ?

Matus UHLAR - fantomas
In reply to this post by Voytek
On 07.08.17 13:17, Voytek wrote:
>I have a user's inbound mail blocked by barracudacentral, is there a way
>to exempt this particular user/domain from this particular RBL check ?

according to the config line below, putting senders in
/etc/postfix/sender_checks should prevent postfix from rejecting them at
SMTP level.

Is someone rejected despite being in sender_checks?

>smtpd_recipient_restrictions =
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unlisted_recipient,
> check_policy_service inet:127.0.0.1:7777,
> permit_mynetworks,
> check_sasl_access hash:/etc/postfix/sasl_access
> permit_sasl_authenticated,
> reject_unauth_destination,
> check_recipient_access hash:/etc/postfix/recipient_no_checks,
> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
> check_helo_access hash:/etc/postfix/helo_checks,
> check_sender_access hash:/etc/postfix/sender_checks,
> check_client_access hash:/etc/postfix/client_checks,
> check_client_access pcre:/etc/postfix/client_checks.pcre,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client b.barracudacentral.org,
> reject_rhsbl_client dbl.spamhaus.org,
> reject_rhsbl_sender dbl.spamhaus.org,
> reject_rbl_client psbl.surriel.com,
> reject_rbl_client ix.dnsbl.manitu.net,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,

are you aware that this blacklist is included in spamhaus zen?

> reject_rhsbl_sender dsn.rfc-ignorant.org,

are you aware that this blacklist is dead for years?

> check_policy_service inet:127.0.0.1:10031

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

Re: exempting user or domain from one RBL check ?

Benny Pedersen-2
In reply to this post by Voytek
Voytek wrote on 2017-08-07 05:17:
> I have a user's inbound mail blocked by barracudacentral, is there a
> way
> to exempt this particular user/domain from this particular RBL check ?

no that's completely impossible without logs

things to consider, postscreen, remove rbl client ip from your rules and
move this to postscreen, then whitelist ips in postscreen that should
not be client ip blocked

so remove reject_rbl_client and check_client_access in your config, this
can be done better in postscreen

keep the rest as good, more help show logs

>
> or what else can or should I do ?
>
> this is the only known issue with barracuda I have and, otherwise it
> seems
> quite effective, I think ?
>
>
> smtpd_recipient_restrictions =
>  reject_unknown_sender_domain,
>  reject_unknown_recipient_domain,
>  reject_non_fqdn_sender,
>  reject_non_fqdn_recipient,
>  reject_unlisted_recipient,
>  check_policy_service inet:127.0.0.1:7777,
>  permit_mynetworks,
>  check_sasl_access hash:/etc/postfix/sasl_access
>  permit_sasl_authenticated,
>  reject_unauth_destination,
>  check_recipient_access hash:/etc/postfix/recipient_no_checks,
>  check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>  check_helo_access hash:/etc/postfix/helo_checks,
>  check_sender_access hash:/etc/postfix/sender_checks,
>  check_client_access hash:/etc/postfix/client_checks,
>  check_client_access pcre:/etc/postfix/client_checks.pcre,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client b.barracudacentral.org,
>  reject_rhsbl_client dbl.spamhaus.org,
>  reject_rhsbl_sender dbl.spamhaus.org,
>  reject_rbl_client psbl.surriel.com,
>  reject_rbl_client ix.dnsbl.manitu.net,
>  reject_rbl_client bl.spamcop.net,
>  reject_rbl_client cbl.abuseat.org,
>  reject_rhsbl_sender dsn.rfc-ignorant.org,
>  check_policy_service inet:127.0.0.1:10031
>
>
>  pflogsumm /var/log/maillog.1 | grep block
>     blocked using b.barracudacentral.org (total: 482)
>     blocked using bl.spamcop.net (total: 40)
>     blocked using dbl.spamhaus.org (total: 133)
>     blocked using ix.dnsbl.manitu.net (total: 37)
>     blocked using psbl.surriel.com (total: 14)
>     blocked using zen.spamhaus.org (total: 3438)

Re: exempting user or domain from one RBL check ?

Dominic Raferd
In reply to this post by Matus UHLAR - fantomas


On 7 August 2017 at 09:15, Matus UHLAR - fantomas <[hidden email]> wrote:
> On 07.08.17 13:17, Voytek wrote:
>> I have a user's inbound mail blocked by barracudacentral, is there a way
>> to exempt this particular user/domain from this particular RBL check ?
>
> according to the config line below, putting senders in
> /etc/postfix/sender_checks should prevent postfix from rejecting them at
> SMTP level.

and the action should be OK (not DUNNO) e.g.
domain-exempted.dom OK

The OK means that mails from domain-exempted.dom will skip all subsequent checks in this restriction list (but will not skip any other restriction lists or tests).

> Is someone rejected despite being in sender_checks?
>
>> smtpd_recipient_restrictions =
>> reject_unknown_sender_domain,
>> reject_unknown_recipient_domain,
>> reject_non_fqdn_sender,
>> reject_non_fqdn_recipient,
>> reject_unlisted_recipient,
>> check_policy_service inet:127.0.0.1:7777,
>> permit_mynetworks,
>> check_sasl_access hash:/etc/postfix/sasl_access
>> permit_sasl_authenticated,
>> reject_unauth_destination,
>> check_recipient_access hash:/etc/postfix/recipient_no_checks,
>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>> check_helo_access hash:/etc/postfix/helo_checks,
>> check_sender_access hash:/etc/postfix/sender_checks,
>> check_client_access hash:/etc/postfix/client_checks,
>> check_client_access pcre:/etc/postfix/client_checks.pcre,
>> reject_rbl_client zen.spamhaus.org,
>> reject_rbl_client b.barracudacentral.org,

Re: exempting user or domain from one RBL check ?

Voytek
In reply to this post by /dev/rob0
On Mon, August 7, 2017 3:46 pm, /dev/rob0 wrote:
> On Mon, Aug 07, 2017 at 01:17:54PM +1000, Voytek wrote:

> Share the logging of this rejection and be more specific.  The
> problem is with one specific client, or more?

ooops, sorry, I thought I did include, here it is(1):

also, this is Postfix 2.1x

> Wasted lookup, as this is included in Zen.
> Ralf discontinued the RFCI lists some years back.

thanks, I'll remove it

thanks for other comments, I'll read in detail tomorrow

(1)
Aug  6 22:12:48 emu postfix/smtpd[24963]: NOQUEUE: reject: RCPT from
sydney.sge.net[152.91.65.147]: 554 5.7.1 Service unavailable; Client host
[152.91.65.147] blocked using b.barracudacentral.org; Client host blocked
using Barracuda Reputation, see
http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147; from=<>
to=<[hidden email]> proto=ESMTP helo=<sydney.sge.net>
Aug  7 11:52:54 emu postfix/smtpd[28167]: NOQUEUE: reject: RCPT from
sydney.sge.net[152.91.65.147]: 554 5.7.1 Service unavailable; Client host
[152.91.65.147] blocked using b.barracudacentral.org; Client host blocked
using Barracuda Reputation, see
http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<sydney.sge.net>
Aug  7 12:18:28 emu postfix/smtpd[1834]: NOQUEUE: reject: RCPT from
sydney.sge.net[152.91.65.147]: 554 5.7.1 Service unavailable; Client host
[152.91.65.147] blocked using b.barracudacentral.org; Client host blocked
using Barracuda Reputation, see
http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<sydney.sge.net>


Re: exempting user or domain from one RBL check ?

Voytek
In reply to this post by Benny Pedersen-2
On Mon, August 7, 2017 8:19 pm, Benny Pedersen wrote:

> no that's completely impossible without logs

thanks, sorry, thought I did, just sent now

I'm on Postfix 2.1 (next project is to set up a new up-to-date server with a more
current Postfix (question on upgrading etc. coming soon))

> things to consider, postscreen, remove rbl client ip from your rules and
> move this to postscreen, then whitelist ips in postscreen that should not
> be client ip blocked
>
> so remove reject_rbl_client and check_client_access in your config, this
> can be done better in postscreen
>
> keep the rest as good, more help show logs



Re: exempting user or domain from one RBL check ?

Benny Pedersen-2
In reply to this post by Voytek
Voytek wrote on 2017-08-07 15:19:

> thanks for other comments, I'll read in detail tomorrow
>
> (1)
> Aug  6 22:12:48 emu postfix/smtpd[24963]: NOQUEUE: reject: RCPT from
> sydney.sge.net[152.91.65.147]: 554 5.7.1 Service unavailable; Client
> host
> [152.91.65.147] blocked using b.barracudacentral.org; Client host
> blocked
> using Barracuda Reputation, see
> http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147; 
> from=<>
> to=<[hidden email]> proto=ESMTP helo=<sydney.sge.net>

https://www.dnswl.org/s/?s=36576

i noticed you did not use dns based whitelist at all, not that you need
to, but sometimes ips being fp listed as well

if its really spam, report it to dnswl

Re: exempting user or domain from one RBL check ?

Benny Pedersen-2
In reply to this post by Voytek
Voytek wrote on 2017-08-07 15:30:

>> no that's completely impossible without logs
> thanks, sorry, thought I did, just sent now

i was a bit on my humorous side, but still with a bit of a serious side

> I'm on Postfix 2.1, (nxt project is set a new up to date server with
> more
> current Postfix (question on upgrading etc coming soon))

good all in track then

>> things to consider, postscreen, remove rbl client ip from your rules
>> and
>> move this to postscreen, then whitelist ips in postscreen that should
>> not
>> be client ip blocked
>>
>> so remove reject_rbl_client and check_client_access in your config,
>> this
>> can be done better in postscreen
>>
>> keep the rest as good, more help show logs

but still read the other replies in this thread

Re: exempting user or domain from one RBL check ?

/dev/rob0
In reply to this post by Benny Pedersen-2
On Mon, Aug 07, 2017 at 03:38:59PM +0200, Benny Pedersen wrote:

> Voytek wrote on 2017-08-07 15:19:
>
> > thanks for other comments, I'll read in detail tomorrow
> >
> > (1)
> > Aug 6 22:12:48 emu postfix/smtpd[24963]: NOQUEUE: reject: RCPT
> > from sydney.sge.net[152.91.65.147]: 554 5.7.1 Service
> > unavailable; Client host [152.91.65.147] blocked using
> > b.barracudacentral.org; Client host blocked using Barracuda
> > Reputation, see
> > http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147; 
> > from=<> to=<[hidden email]> proto=ESMTP helo=<sydney.sge.net>
>
> https://www.dnswl.org/s/?s=36576
>
> i noticed you did not use dns based whitelist at all, not that you
> need to, but sometimes ips being fp listed as well

DNS whitelisting and postscreen, as Benny suggested, are good bits of
advice, but they of course were not available that many years ago.  
Postfix 2.1 saw its final update over 12 years ago.  That's a very
long time in terms of software.  You simply cannot expect to continue
using Postfix 2.1 in this decade.

The best (albeit partial) solution is to upgrade.  That said,
check_client_access did exist Way Back Then.  Precede your DNSBL
lookups with this check_client_access lookup:

sydney.sge.net permit_auth_destination

I don't think the cidr: maptype was implemented back then, but a
cidr_table(5) is a good way to do check_client_access without (as per
my example) relying on reverse DNS lookups.

Much better tools have existed for a very long time!
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: exempting user or domain from one RBL check ?

Matus UHLAR - fantomas
In reply to this post by Voytek
>On Mon, August 7, 2017 3:46 pm, /dev/rob0 wrote:
>> Wasted lookup, as this is included in Zen.
>> Ralf discontinued the RFCI lists some years back.

On 07.08.17 23:19, Voytek wrote:
>thanks for other comments, I'll read in detail tomorrow
>
>(1)
>Aug  6 22:12:48 emu postfix/smtpd[24963]: NOQUEUE: reject: RCPT from
>sydney.sge.net[152.91.65.147]: 554 5.7.1 Service unavailable; Client host
>[152.91.65.147] blocked using b.barracudacentral.org; Client host blocked
>using Barracuda Reputation, see
>http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147; from=<>
>to=<[hidden email]> proto=ESMTP helo=<sydney.sge.net>

I think me and Dominic Raferd have already explained all that's needed:

1. your setup is good, just use the /etc/postfix/sender_checks

2. put OK instead of DUNNO there - that will stop checking in blacklists.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: exempting user or domain from one RBL check ?

/dev/rob0
On Mon, Aug 07, 2017 at 06:52:05PM +0200,
   Matus UHLAR - fantomas wrote:

> On 07.08.17 23:19, Voytek wrote:
> > Aug 6 22:12:48 emu postfix/smtpd[24963]: NOQUEUE: reject: RCPT
> > from sydney.sge.net[152.91.65.147]: 554 5.7.1 Service
> > unavailable; Client host [152.91.65.147] blocked using
> > b.barracudacentral.org; Client host blocked using Barracuda
> > Reputation, see
> > http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147; 
> > from=<> to=<[hidden email]> proto=ESMTP helo=<sydney.sge.net>
>
> I think me and Dominic Raferd have already explained all that's
> needed:
>
> 1. your setup is good, just use the /etc/postfix/sender_checks

1. The sender in the log line above is null sender, a bounce.  It's
probably a very bad idea to whitelist the null sender address
universally.

2. Whitelisting by commonly-forged sender addresses is generally
wrong.  Spammers are likely to use sender addresses you have seen.

3. Whitelisting IP addresses or client hostnames is safe and
reasonable, except that the hostname whitelist depends on successful
DNS lookups.

> 2. put OK instead of DUNNO there - that will stop checking in
> blacklists.

A safer lookup result is "permit_auth_destination".
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: exempting user or domain from one RBL check ?

Matus UHLAR - fantomas
>> On 07.08.17 23:19, Voytek wrote:
>> > Aug 6 22:12:48 emu postfix/smtpd[24963]: NOQUEUE: reject: RCPT
>> > from sydney.sge.net[152.91.65.147]: 554 5.7.1 Service
>> > unavailable; Client host [152.91.65.147] blocked using
>> > b.barracudacentral.org; Client host blocked using Barracuda
>> > Reputation, see
>> > http://www.barracudanetworks.com/reputation/?r=1&ip=152.91.65.147;
>> > from=<> to=<[hidden email]> proto=ESMTP helo=<sydney.sge.net>

>On Mon, Aug 07, 2017 at 06:52:05PM +0200,
>   Matus UHLAR - fantomas wrote:
>> I think me and Dominic Raferd have already explained all that's
>> needed:
>>
>> 1. your setup is good, just use the /etc/postfix/sender_checks

On 07.08.17 12:15, /dev/rob0 wrote:
>1. The sender in the log line above is null sender, a bounce.  It's
>probably a very bad idea to whitelist the null sender address
>universally.

missed it, sorry :-) the rest of senders was not null though.

>2. Whitelisting by commonly-forged sender addresses is generally
>wrong.  Spammers are likely to use sender addresses you have seen.

I believe that this "whitelisting" is used only to avoid rejection at
SMTP-time, but the mail is scanned by content filter later.

In these cases it's quite safe to avoid blacklisting for known senders.
Especially when someone does not use postscreen for scored blacklisting.

...this may apply for null sender too, although I agree whitelisting null
sender is bad idea.

>> 2. put OK instead of DUNNO there - that will stop checking in
>> blacklists.
>
>A safer lookup result is "permit_auth_destination".

luckily the reject_unauth_destination precedes all access checks in the OP's
configuration, so even OK would not cause troubles.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
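
The trade-offs argued in the last two posts (client map versus sender map, `OK` versus `permit_auth_destination`, and where the map sits relative to `reject_unauth_destination`) can be checked with a small model. This is an added example, not part of the thread and not Postfix code: it reduces a single smtpd_recipient_restrictions list to "first result other than DUNNO wins", and `example.org`, `partner.example`, `elsewhere.example` and 192.0.2.66 are constructed values.

```python
# Simplified model of how smtpd_recipient_restrictions is walked: the first
# result other than DUNNO decides. Added illustration, not Postfix source.
LOCAL_DOMAINS = {"example.org"}                 # assumption: domains we accept mail for
DNSBL_LISTED = {"152.91.65.147", "192.0.2.66"}  # thread's client IP + a constructed one


def reject_unauth_destination(s):
    return "DUNNO" if s["rcpt_domain"] in LOCAL_DOMAINS else "REJECT relay denied"


def permit_auth_destination(s):
    return "OK" if s["rcpt_domain"] in LOCAL_DOMAINS else "DUNNO"


def reject_rbl_client(s):
    return "REJECT dnsbl" if s["client_ip"] in DNSBL_LISTED else "DUNNO"


def check_access(attr, table):
    """check_client_access / check_sender_access, reduced to exact-match lookup."""
    def restriction(s):
        action = table.get(s[attr], "DUNNO")
        if action == "permit_auth_destination":  # table result naming a restriction
            return permit_auth_destination(s)
        return action
    return restriction


def evaluate(restrictions, session):
    for restriction in restrictions:
        result = restriction(session)
        if result != "DUNNO":
            return result
    return "OK"  # nothing objected, mail is accepted


# Constructed sessions. BOUNCE mirrors the logged rejection (null sender).
BOUNCE = {"client_name": "sydney.sge.net", "client_ip": "152.91.65.147",
          "sender": "", "rcpt_domain": "example.org"}
FORGED = {"client_name": "unknown", "client_ip": "192.0.2.66",
          "sender": "friend@partner.example", "rcpt_domain": "example.org"}
RELAY = dict(BOUNCE, rcpt_domain="elsewhere.example")

by_client = check_access("client_name", {"sydney.sge.net": "permit_auth_destination"})
by_client_ok = check_access("client_name", {"sydney.sge.net": "OK"})
by_sender = check_access("sender", {"friend@partner.example": "OK"})


def op_order(access):     # as in the posted config: relay check first, DNSBL last
    return [reject_unauth_destination, access, reject_rbl_client]


def early_order(access):  # hypothetical: access map ahead of the relay check
    return [access, reject_unauth_destination, reject_rbl_client]


def scenarios():
    return {
        "bounce, client map": evaluate(op_order(by_client), BOUNCE),
        "bounce, sender map": evaluate(op_order(by_sender), BOUNCE),
        "forged sender, sender map": evaluate(op_order(by_sender), FORGED),
        "forged sender, client map": evaluate(op_order(by_client), FORGED),
        "relay attempt, OK placed early": evaluate(early_order(by_client_ok), RELAY),
        "relay attempt, permit_auth_destination early": evaluate(early_order(by_client), RELAY),
        "relay attempt, OK in posted order": evaluate(op_order(by_client_ok), RELAY),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:45} -> {result}")
```

The sender map leaves the logged bounce rejected and lets a forged known sender past the DNSBL, while `OK` only becomes a relay risk when the map is evaluated before `reject_unauth_destination`.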