SpamAssassin && postfix && mysql virtual users && courier-imap help
Greetings,

I'm testing a new mailserver now based on the HOWTO at workaround.org/articles/ispmail-sarge/ and have a couple of remaining issues before I can actually deploy this.

1. How do I use whitelists in a configuration where users don't have their own UID/GID since everything is owned by the "virtual" mail account?

2. Any good ideas on how to make spamassassin move messages marked as spam to /home/virtual/[EMAIL PROTECTED]/spam/ (keeping in mind that this is a courier/Maildir setup)?

I really appreciate any help!

---
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
(415) 724.7998 - Mobile
Re: Delivery failure (users@spamassassin.apache.org)
Anyone else seeing this junk when sending messages to the list? gbierman at mochamail.com, apparently the address at this site subscribed to the SA users list - please tell the postmaster of your system to fix this.

On Sun, Sep 19, 2004 at 12:03:01PM -0700, [EMAIL PROTECTED] wrote:
> users@spamassassin.apache.org
> Delivery failed
> 550 SPF forgery: Please see
> http://spf.pobox.com/why.html?sender=sa-users%40veggiechinese.net&ip=147.208.128.11&receiver=hermes.apache.org

Please fix your brokenware

1) The envelope-sender of mail from the SA-users mailing list would be the list address, not my address. SPF is supposed to check the envelope-sender address, not the "From: " address in the message headers. See also: http://spf.pobox.com/faq.html#whichfield which specifically explains the issues you must

2) Your system is also apparently sending the delivery failure to the "From: " address of the email, rather than to the envelope-sender.

> Reporting-MTA: dns; rockpub4.rockliffe.com
> Received-From-MTA: dns; rockpub4.rockliffe.com (mail.rockliffe.com
> [10.42.2.30])
> Arrival-Date: Sun, 19 Sep 2004 12:02:58 -0700
>
> Final-Recipient: rfc822; users@spamassassin.apache.org
> Action: failed
> Status: 5.0.0 (Permanent failure - no additional status information available)
> Remote-MTA: dns; mail.apache.org
> Diagnostic-Code: smtp; 550 SPF forgery: Please see
>
> http://spf.pobox.com/why.html?sender=sa-users%40veggiechinese.net&ip=147.208.128.11&receiver=hermes.apache.org
> X-Spam-Score: 1
> Received: from rockpub4.rockliffe.com (mail.rockliffe.com [10.42.2.30]) by
> rockliffe.com
> (Rockliffe SMTPRA 6.1.16) with ESMTP id <[EMAIL PROTECTED]> for
> ;
> Sun, 19 Sep 2004 12:02:58 -0700
> X-Spam-Score: 1
> Received: from mail.apache.org (hermes.apache.org [209.237.227.199]) by
> rockliffe.com
> (Rockliffe SMTPRA 6.1.16) with SMTP id <[EMAIL PROTECTED]> for <[EMAIL
> PROTECTED]>;
Re: AWL DoS?
On Sun, Sep 19, 2004 at 08:08:24AM -0700, Bill Landry wrote:
> From: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>
> > > Much better to simply not spam filter critical e-mail accounts
> > > like postmaster/abuse/support/sales/etc.
> > With around 35.000-70.000 mails to those above boxes daily thats not
> > really do-able...
> Do you see a lot of spam to these addresses? The reason I'm asking is
> because we don't.

At our organization, we see a /LOT/ of spam and viruses to these addresses, especially because we're already exempting them from our usual dnsbl checks. And, of course, most of the spam that hits these addresses is not even worth reporting - sent via open proxies, hosted via rogue ISPs overseas. abuse@ we don't filter for obvious reasons. Just making a rough guess, I'd say we probably get 30-40 spam / virus messages for every actual message of any sort...

I just did a quick straw poll, and since yesterday afternoon (<24 hours) our abuse box received about 28 viruses / bounces from viruses, and 30 spams.

Support gets a ton as well - but we ultimately just started only allowing through messages from addresses that are in our customer database, or responses to ongoing support cases; obviously we have other ways for customers to submit support tickets if they're unable to email us. Not perfect, perhaps, but neither is deleting huge volumes of spam from our customer support system's interface.
Re: After starting spamd, spamc fails to connect to it and spamd stops running!?
After all that it seems my problems were related to having changed versions of perl and spamd's inability to find the new libraries on its path.

Many thanks all for your help!

hugh

----- Original Message -----
From: "Chris Santerre" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Spamassassin-Talk (E-mail)" <[EMAIL PROTECTED]>
Sent: Friday, September 17, 2004 3:09 PM
Subject: RE: After starting spamd, spamc fails to connect to it and spamd stops running!?

> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >Sent: Friday, September 17, 2004 7:02 AM
> >To: users@spamassassin.apache.org
> >Subject: After starting spamd, spamc fails to connect to it and spamd
> >stops running!?
> >
> >Will anyone please help me?
> >
> >I've recently had a working sitewide install of spamassassin stop working
> >and it's very upsetting! :(
> >
> >Many thanks.
> >
> >hugh
> >
> >-- My problem:
> *snip*
> >-- My setup:
> >
> >Red Hat 7.3
> >SA 2.64 (site wide install using /etc/procmailrc - see below)
> >Perl 5.6.1
> >
> >-- Contents of /etc/procmailrc:
> >
> >DROPPRIVS=yes
> >:0fw
> >| /usr/bin/spamc -f
> >
> >-- From /var/log/maillog
> >
> >Sep 17 11:20:24 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1
> >failed, retrying (#1 of 3): Connection refused
> >Sep 17 11:20:25 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1
> >failed, retrying (#2 of 3): Connection refused
> >Sep 17 11:20:26 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1
> >failed, retrying (#3 of 3): Connection refused
> >Sep 17 11:20:27 wibble spamc[6273]: connection attempt to spamd aborted
> >after 3 retries
>
> It might be a permissions problem. Can you call spamc with the -u and a
> particular user with permissions?
>
> --Chris
RE: SPF Fails on SA 3.0rc5 because of lack of HELO ?
The only thing I wanted to prove with this is that that line, which is created by my local mail server (the last hop, and the most important one for SPF), does indeed contain the EHLO string that isn't detected correctly by SA 3.0rc5. And since nothing is special about my own MS SMTPSVC (Win2k3 SMTP Server), I believe the behavior of received.pm should be changed to allow SA running on those machines to properly detect the EHLO string, and thus allow SPF detection to properly execute.

-----Original Message-----
From: Kai Schaetzl [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 19, 2004 4:27 PM
To: users@spamassassin.apache.org
Subject: Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?

Avi Shatz wrote on Sun, 19 Sep 2004 02:52:49 +0300:

> telnet mailserver.localmta.org 25
> ehlo blabla

What do you want to prove with this? What needs to happen is that [66.111.4.30] sends a HELO with an FQDN when it connects to another SMTP. Your example above doesn't prove this, it just proves that you know how to do an SMTP handshake. At least if the SMTPSVC received lines usually show the HELO then, indeed, it seems to be missing.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: AWL DoS?
Hi!

> > > Much better to simply not spam filter critical e-mail accounts like
> > > postmaster/abuse/support/sales/etc.
> >
> > With around 35.000-70.000 mails to those above boxes daily thats not
> > really do-able...
>
> Do you see a lot of spam to these addresses? The reason I'm asking is
> because we don't. To bad there's not a way to exclude certain recipient
> addresses like postmaster/abuse/support/sales/etc. from AWL (hint to devs).

Yes we do. Especially virus crap, but that can be filtered anyway. But besides that, yes, we see a lot of crap going towards abuse@ postmaster@ and so on. But that's more or less also depending on the scale of the cluster. All is relative i guess :)

> messages to these accounts, without potentially poisoning your AWL database
> when spam is forwarded to the support or spam account from customers.

Yes, so far we can only disable the whole SA checks for those boxes, but that's not really workable for us.

Bye,
Raymond.
Re: AWL DoS?
----- Original Message -----
From: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>

> > Probably unrealistic to expect customers to know how to "bounce" a message.
>
> Yes. Exactly my point.
>
> > Much better to simply not spam filter critical e-mail accounts like
> > postmaster/abuse/support/sales/etc.
>
> With around 35.000-70.000 mails to those above boxes daily thats not
> really do-able...

Do you see a lot of spam to these addresses? The reason I'm asking is because we don't. Too bad there's not a way to exclude certain recipient addresses like postmaster/abuse/support/sales/etc. from AWL (hint to devs). That way you could still run all of your other SA spam tests against messages to these accounts, without potentially poisoning your AWL database when spam is forwarded to the support or spam account from customers.

Bill
Re: AWL DoS?
Hi!

> > This is why people are encouraged to _bounce_ the original
> > message, so the sender email address is still the original one, and then
> > won't hurt the customer.
> > http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> > http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> > http://www.stearns.org/doc/spamassassin-setup.current.html#redirect
>
> Probably unrealistic to expect customers to know how to "bounce" a message.

Yes. Exactly my point.

> Much better to simply not spam filter critical e-mail accounts like
> postmaster/abuse/support/sales/etc.

With around 35.000-70.000 mails to those above boxes daily that's not really do-able...

Bye,
Raymond.
Re: AWL DoS?
> ----- Original Message -----
> From: "William Stearns" <[EMAIL PROTECTED]>
>
> > Good afternoon, Raymond, all,
> > (Raymond, you probably already know this, but I wanted to quickly
> > cover it for other people that may also be considering whether or not to
> > use AWL).
> >
> [SNIP]
>
> > That's a different issue. If the customer used _forward_ rather
> > than _bounce_, SA treats the entire message as coming from that email
> > address and class B network, so yes, the customer's AWL score will be
> > hurt.
> > This is why people are encouraged to _bounce_ the original
> > message, so the sender email address is still the original one, and then
> > won't hurt the customer.
> > http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> > http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> > http://www.stearns.org/doc/spamassassin-setup.current.html#redirect
>
> Probably unrealistic to expect customers to know how to "bounce" a message.
> Much better to simply not spam filter critical e-mail accounts like
> postmaster/abuse/support/sales/etc.

Sorry for replying to my own post, but just wanted to also note that many of the most commonly used e-mail clients sadly do not support the bounce feature.

Bill
Re: AWL DoS?
----- Original Message -----
From: "William Stearns" <[EMAIL PROTECTED]>

> Good afternoon, Raymond, all,
> (Raymond, you probably already know this, but I wanted to quickly
> cover it for other people that may also be considering whether or not to
> use AWL).

[SNIP]

> That's a different issue. If the customer used _forward_ rather
> than _bounce_, SA treats the entire message as coming from that email
> address and class B network, so yes, the customer's AWL score will be
> hurt.
> This is why people are encouraged to _bounce_ the original
> message, so the sender email address is still the original one, and then
> won't hurt the customer.
> http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> http://www.stearns.org/doc/spamassassin-setup.current.html#redirect

Probably unrealistic to expect customers to know how to "bounce" a message. Much better to simply not spam filter critical e-mail accounts like postmaster/abuse/support/sales/etc.

Bill
Re: AWL DoS?
Hi!

> > We turned off AWL, we had a customer that forwarded two spam messages to
> > our helpdesk, the third normal message never came in, since his AWL beat
> > him...
>
> That's a different issue. If the customer used _forward_ rather
> than _bounce_, SA treats the entire message as coming from that email
> address and class B network, so yes, the customer's AWL score will be
> hurt.
> This is why people are encouraged to _bounce_ the original
> message, so the sender email address is still the original one, and then
> won't hurt the customer.
> http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> http://www.stearns.org/doc/spamassassin-setup.current.html#redirect

I know, and we also tell people to do that, but that's most of the time after they encounter a problem ;) It's hard to explain to people, especially with a very large customer base... In our case we have several /16's and larger so mail from a customer block is most likely coming in from another netblock anyway.

I personally use bounce within pine, works nice. Thanks for the pointers (webpages), those we can use to clarify things a lot easier.

Bye,
Raymond.
Re: AWL DoS?
Good afternoon, Raymond, all,
(Raymond, you probably already know this, but I wanted to quickly cover it for other people that may also be considering whether or not to use AWL).

On Sun, 19 Sep 2004, Raymond Dijkxhoorn wrote:
> >> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> >> I'm not going to enable AWL on my server.
> >
> > To the best of my knowledge, this has already been addressed.
> > What goes in the AWL isn't just the raw email address, it's the email
> > address plus the first two octets of the source IP address. For someone
> > to successfully attack this way, the attacker would need a legal IP
> > address in the same class B network as the legitimate sender.
> > If sent from a different network, the +1000 user would show up in
> > a different AWL entry than the legitimate sender.
>
> We turned off AWL, we had a customer that forwarded two spam messages to
> our helpdesk, the third normal message never came in, since his AWL beat
> him...

That's a different issue. If the customer used _forward_ rather than _bounce_, SA treats the entire message as coming from that email address and class B network, so yes, the customer's AWL score will be hurt.

This is why people are encouraged to _bounce_ the original message, so the sender email address is still the original one, and then won't hurt the customer.
http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
http://www.stearns.org/doc/spamassassin-setup.current.html#redirect

Cheers,
- Bill

---
"Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit ... The ancient concept that `a man's home is his castle' into which `not even the king may enter' has lost none of its vitality ... We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another. If this prohibition operates to impede the flow of even valid ideas, the answer is that no one has a right to press even `good' ideas on an unwilling recipient. That we are often `captives' outside the sanctuary of the home and subject to objectionable speech and other sound does not mean we must be captives everywhere ... The asserted right of a mailer, we repeat, stops at the outer boundary of every person's domain."
-- Chief Justice Burger, U.S. Supreme Court
http://www.euro.cauce.org/en/freespeech.html#rowan
--
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--
Re: AWL DoS?
Hi!

> > We turned off AWL, we had a customer that forwarded two spam messages to
> > our helpdesk, the third normal message never came in, since his AWL beat
> > him...
>
> Probably should not be spam filtering postmaster/abuse/support e-mails.

Probably not, but at the moment it's about the only way to get a normal workload there. Most spamware stuff takes those ones by default.

Bye,
Raymond.
Re: AWL DoS?
----- Original Message -----
From: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>

> We turned off AWL, we had a customer that forwarded two spam messages to
> our helpdesk, the third normal message never came in, since his AWL beat
> him...

Probably should not be spam filtering postmaster/abuse/support e-mails.

Bill
Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?
Avi Shatz wrote on Sun, 19 Sep 2004 02:52:49 +0300:

> telnet mailserver.localmta.org 25
> ehlo blabla

What do you want to prove with this? What needs to happen is that [66.111.4.30] sends a HELO with an FQDN when it connects to another SMTP. Your example above doesn't prove this, it just proves that you know how to do an SMTP handshake. At least if the SMTPSVC received lines usually show the HELO then, indeed, it seems to be missing.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: Memory usage question
Matt Kettler wrote on Thu, 16 Sep 2004 21:43:01 -0400:

> Chris S reported his spamd swelling to 45mb with a huge version of
> bigevil.cf he was testing.

The latest bigevil.cf needs about 40 - 50 MB *alone*! Together with several SARE rules our spamd processes were around 90 MB lately. That's where I removed bigevil (and activated SURBL on 3.0) and that other big ruleset (don't remember the name at the moment), so that our spamd process is now about 50 MB. I didn't see much difference in detection on the 2.63 systems, so bigevil is simply not worth the huge memory consumption.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: AWL DoS?
Hi!

> > I gotta think this isn't gonna happen... but anyone know if it can? If so,
> > I'm not going to enable AWL on my server.
>
> You're asking the right questions.
> To the best of my knowledge, this has already been addressed.
> What goes in the AWL isn't just the raw email address, it's the email
> address plus the first two octets of the source IP address. For someone
> to successfully attack this way, the attacker would need a legal IP
> address in the same class B network as the legitimate sender.
> If sent from a different network, the +1000 user would show up in
> a different AWL entry than the legitimate sender.

We turned off AWL, we had a customer that forwarded two spam messages to our helpdesk, the third normal message never came in, since his AWL beat him... For us it didn't work out.

Bye,
Raymond.
Re: AWL DoS?
On Sat, 18 Sep 2004 20:05:29 -0500 "Jason J. Ellingson" <[EMAIL PROTECTED]> wrote:

> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...

I would suggest to simply set GTUBE to a very low score unless you really want to test something.

+---+
- Mailto: [EMAIL PROTECTED]
- No HTML mails please
+---+
Re: spam@uce.gov bouncing?
Not mine and I sent about 25 or so about an hour ago. I have seen it once or twice in the past but it was temporary. I attributed it to a busy or down server.

On Sat, 18 Sep 2004, Roger E. Rustad, Jr. wrote:

> Is anyone else's [EMAIL PROTECTED] e-mail bouncing?
>
> All the mail I've forwarded there over the last day or so has been getting
> returned with
>
> Delay reason: Connection refused

. . . . . . . . . . . . . . .
Randomly generated quote:
What happens when your fortune cookie contradicts your horoscope?
Re: AWL DoS?
On Sat, Sep 18, 2004 at 08:05:29PM -0500, Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a
> faked FROM: address of Person Y.
> 3) Now, GTUBE scores a 1000 points,

How does person Z know that person X and person Y are friends? I don't think at this point that there are a lot of spammers taking advantage of this concept... too much work for too little payback. Obviously, there are ways around most / all filters - it's just a question of whether or not it's worth the trouble.

That said, I imagine there are spammers who are already starting to track relationships between people, via addressbooks on compromised Windows machines, via bots social networking websites, etc... and I think we'll see more of this sort of activity as the arms race escalates (though I don't think the default AWL score is 1000 points, is it?). Imagine, for instance, spamware which goes through an infected user's sent mail and sends similar messages (possibly even from the infected user's computer, through their provider's mail server) with marketing messages interspersed /w
Re: AWL DoS?
----- Original Message -----
From: "Jason J. Ellingson" <[EMAIL PROTECTED]>

> Okay, follow-up question:
>
> Where does SpamAssassin get the IP? Is it the oldest IP in the received
> headers (low), or the most recent (top)?
>
> If it is oldest (assuming originating IP), then that could be faked easily
> enough.
>
> If it is top, then what does it do if there is no IP (as many SpamAssassin
> implementations seem to have the message processed before adding appropriate
> received headers.. tisk, tisk, tisk...)
>
> Either way... a lot of people I know are on Comcast in the same town... they
> are all on the same sub-"b" class network (/17 I think)... So entirely
> possible to have this nightmare happen.

I just tested this and it used the address range of the client computer I sent the message from. When I sent another message with the same e-mail address but from a totally different subnet, it registered the same e-mail address with the different client computer address range, thus, I had two entries in the AWL database for the same e-mail address but with different client ip nets.

Like you said, this address can be forged, but someone would really have to put some effort into it just to IP someone's AWL database, which can then be removed from the database even easier than it went in. And using the sending client machine IP address is certainly much safer and less prone to abuse than it would be if the sending mail server's IP address were used.

Bill
spam@uce.gov bouncing?
Is anyone else's [EMAIL PROTECTED] e-mail bouncing?

All the mail I've forwarded there over the last day or so has been getting returned with

Delay reason: Connection refused

Roger
RE: AWL DoS?
Okay, follow-up question:

Where does SpamAssassin get the IP? Is it the oldest IP in the received headers (low), or the most recent (top)?

If it is oldest (assuming originating IP), then that could be faked easily enough.

If it is top, then what does it do if there is no IP (as many SpamAssassin implementations seem to have the message processed before adding appropriate received headers.. tisk, tisk, tisk...)

Either way... a lot of people I know are on Comcast in the same town... they are all on the same sub-"b" class network (/17 I think)... So entirely possible to have this nightmare happen.

Perhaps then, this is a time to look at using SPF along with AWL. Have AWL use the same record for all SPF'd IPs for that domain and then the usual (change to a class "c"?) records for those falling outside the SPF's listed IPs or no SPF for that domain. It won't stop those who truly use the same server/subnet, but it should help some?

Getting later at night... and I'm starting to become more muddled in my thoughts... sorry.

Jason J Ellingson
Technical Consultant
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
[EMAIL PROTECTED]

-----Original Message-----
From: William Stearns [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 19, 2004 12:25 AM
To: Jason J. Ellingson
Cc: ML-spamassassin-talk; William Stearns
Subject: Re: AWL DoS?

Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...
>
> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.

You're asking the right questions.

To the best of my knowledge, this has already been addressed. What goes in the AWL isn't just the raw email address, it's the email address plus the first two octets of the source IP address. For someone to successfully attack this way, the attacker would need a legal IP address in the same class B network as the legitimate sender. If sent from a different network, the +1000 user would show up in a different AWL entry than the legitimate sender.

Cheers,
- Bill

---
"I am Homer of Borg! Prepare to be... OOooo! donuts!"
(Courtesy of: Carlos Morgado <[EMAIL PROTECTED]>)
--
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--
Re: AWL DoS?
Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...
>
> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.

You're asking the right questions.

To the best of my knowledge, this has already been addressed. What goes in the AWL isn't just the raw email address, it's the email address plus the first two octets of the source IP address. For someone to successfully attack this way, the attacker would need a legal IP address in the same class B network as the legitimate sender. If sent from a different network, the +1000 user would show up in a different AWL entry than the legitimate sender.

Cheers,
- Bill

---
"I am Homer of Borg! Prepare to be... OOooo! donuts!"
(Courtesy of: Carlos Morgado <[EMAIL PROTECTED]>)
--
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--
Re: AWL DoS?
----- Original Message -----
From: "Jason J. Ellingson" <[EMAIL PROTECTED]>

> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...

Makes sense, but wouldn't work unless bad guy Z was also sending his GTUBE message from the same address range that Person Y normally sends his messages to Person X from. Here is a snippet from the AWL database:

-2.9(-2.9/1) -- [EMAIL PROTECTED]|ip=216.33
2.0 (2.0/1) -- [EMAIL PROTECTED]|ip=64.225
5.3 (5.3/1) -- [EMAIL PROTECTED]|ip=67.171
0.4 (0.8/2) -- [EMAIL PROTECTED]|ip=205.244
-4.3(-4.3/1) -- [EMAIL PROTECTED]|ip=192.209

Note the "ip=xxx.xxx" at the end of each line, after the sender's e-mail address. This helps to prevent malicious activities like you've described. It can happen, but not as easily as you thought (once again, the devs were thinking ahead).

> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.

You're safe, go for it.

Bill
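As an added illustration for this post and for William Stearns' forward-versus-bounce explanation earlier in the thread (a toy model written for this page, not SpamAssassin's code and not from anyone on the list): it keys entries on "address|ip=a.b" exactly as the dump above shows, so a forged From: sent from another netblock lands in a separate entry, while a spam the customer *forwards* is recorded against the customer's own entry and drags the next legitimate message up. Assumed rather than taken from the page: the adjustment is (historical mean - current score) * 0.5, the auto_whitelist_factor default as I recall it, the raw score is then recorded, and every address and IP is constructed sample data.

```python
"""Toy model of SpamAssassin's auto-whitelist (AWL), written for this
thread as an added example; it is NOT SpamAssassin's own code.

Assumptions (labelled): the AWL key is the lower-cased sender address plus
the first two octets of the originating client IP, which is the
"|ip=216.33" suffix in the database dump quoted above; the adjustment added
to a message is (historical mean - current score) * auto_whitelist_factor,
with the factor assumed to be SA's default of 0.5; the raw score is then
recorded. All addresses and IPs below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

AWL_FACTOR = 0.5  # assumed default auto_whitelist_factor


def awl_key(sender: str, client_ip: str) -> str:
    """Key an entry on the address plus the /16 of the originating IP.

    Because the netblock is part of the key, a forged From: sent from an
    unrelated network lands in a different entry from the real sender's.
    """
    octets = client_ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected dotted-quad IPv4, got {client_ip!r}")
    return f"{sender.lower()}|ip={octets[0]}.{octets[1]}"


@dataclass
class Entry:
    totscore: float = 0.0
    count: int = 0

    @property
    def mean(self) -> float:
        return self.totscore / self.count if self.count else 0.0

    def render(self) -> str:
        """Format like the check_whitelist dump in Bill's message."""
        return f"{self.mean:.1f} ({self.totscore:.1f}/{self.count})"


@dataclass
class AutoWhitelist:
    factor: float = AWL_FACTOR
    db: Dict[str, Entry] = field(default_factory=dict)

    def check(self, sender: str, client_ip: str, score: float) -> float:
        """Return the AWL-adjusted score and record the raw score."""
        entry = self.db.setdefault(awl_key(sender, client_ip), Entry())
        delta = (entry.mean - score) * self.factor if entry.count else 0.0
        entry.totscore += score   # record the raw, pre-AWL score
        entry.count += 1
        return score + delta

    def dump(self) -> str:
        return "\n".join(f"{e.render()} -- {k}" for k, e in self.db.items())


def forged_from_other_netblock() -> Tuple[float, int]:
    """Person Z forges Person Y's From: on a GTUBE mail from another network.

    Returns (adjusted score of Y's next genuine mail, number of AWL entries
    keyed on Y's address): the 1000-point hit sits in its own entry.
    """
    awl = AutoWhitelist()
    friend, friend_ip, other_ip = "y@example.org", "198.51.100.7", "203.0.113.9"
    for _ in range(3):                      # three ordinary mails from Y
        awl.check(friend, friend_ip, 0.5)
    awl.check(friend, other_ip, 1000.0)     # GTUBE with Y's address forged
    adjusted = awl.check(friend, friend_ip, 0.5)
    entries = sum(1 for k in awl.db if k.startswith(friend + "|"))
    return adjusted, entries


def customer_forwards_spam() -> float:
    """A customer *forwards* (not bounces) two spams to the helpdesk.

    A forwarded message carries the customer's own address and netblock,
    so its spam score is recorded against the customer. Returns the
    adjusted score of the customer's third, legitimate (0.0) message.
    """
    awl = AutoWhitelist()
    customer, ip = "customer@example.net", "192.0.2.44"
    awl.check(customer, ip, 18.0)
    awl.check(customer, ip, 22.0)
    return awl.check(customer, ip, 0.0)     # 10.0: above the default 5.0 threshold


if __name__ == "__main__":
    print("forged From: from another /16 ->", forged_from_other_netblock())
    print("customer forwarding spam      ->", customer_forwards_spam())
```

The second scenario is the "his AWL beat him" case from the thread: two forwarded spams are enough to push a clean message past the default 5.0 threshold, which is why bouncing (or exempting abuse@/support@ from AWL) matters more than the forged-From: attack.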
Re: Two logs for each daemon?
You might want to direct this at a Samba list.

On Sat, 18 Sep 2004, Ed Kasky wrote:

> I just upgraded to 3.0.7-1 and noticed a slight oddity in the logs now being
> created. In my smb.conf I have:
>
> log level = 2
> log file = /var/log/samba/%m.log
>
> Since upgrading I now get two logs for smbd and two for nmbd...
>
> 114676 Sep 18 07:19 /var/log/samba/log.nmbd
> 100728 Sep 18 15:35 /var/log/samba/nmbd.log
> 4656 Sep 18 06:34 /var/log/samba/log.smbd
> 55035 Sep 18 06:34 /var/log/samba/smbd.log
>
> I have not seen this with previous versions and was wondering if I might have
> done something in the upgrade to cause this.
>
> Ed Kasky
> . . . . . . . . . . . . . . .
> Randomly generated quote:
> Success usually comes to those who are too busy to be looking for it.
> - Henry David Thoreau, naturalist and author (1817-1862)

--
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a message to:
[EMAIL PROTECTED]
with a message of: subscribe
Re: AWL DoS?
Jason J. Ellingson wrote:

> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...
>
> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.
>
> Jason J Ellingson

You have an evil mind. I would like a scheme like this to get back at whoever bombed me with over 1000 p0rn spams in an hour the other day.

--
Jim Sabatke
Hire Me!! - See my resume at http://my.execpc.com/~jsabatke

Do not meddle in the affairs of Dragons, for you are crunchy and good with ketchup.

NOTE: Please do not email me any attachments with Microsoft extensions. They are deleted on my ISP's server before I ever see them, and no bounce message is sent.
AWL DoS?
I'm sure someone thought of this, but I don't see it asked before... so...

=
1) Person X regularly gets emails from Person Y (good friends)

2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked FROM: address of Person Y.

3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.

4) Future emails from Person Y to Person X now get tagged as spam since AWL keeps bumping up the score because of the GTUBE that was sent earlier.
=

I hope that makes sense...

I gotta think this isn't gonna happen... but anyone know if it can? If so, I'm not going to enable AWL on my server.

Jason J Ellingson
Technical Consultant
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
[EMAIL PROTECTED]