R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Giampaolo Tomassoni
 So, if people could take a look at it, test it, see if it does what it 
 advertises, and see if it's as accurate as my experience indicates, I 
 would appreciate getting feedback.  If it pans out, I'll see about 
 putting it in a tar ball, and submitting it to the wiki's list of plugins.

 if ( ($hostname =~ /(\S?0*($a|$b|$c|$d|$e|$f|$g|$h|$i)){2,4}/) ||
      ($hostname =~ /$e/) ) {
   # hostname contains two or more octets of its own IP addr
   # in hex or decimal form ... or the entire thing in decimal
   # probably a spambot since this is an untrusted relay
   Mail::SpamAssassin::Plugin::dbg("RelayChecker: ipinhostname");
   $ipinhostname = 1;
 }

Wow, how rude this is! Almost all customers of my ISP (Telecom Italia) would be 
banned from the e-mail world...

Telecom Italia is used to putting up RDNS entries like this:

 host1-84-static.48-88-b.business.telecomitalia.it.

Cheers,

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100

MAI inviare una e-mail a:
NEVER send an e-mail to:
 [EMAIL PROTECTED]

 
 
SpamAssassin confusion and upgrading

2006-10-31 Thread Louis Li
Hello, I'm a novice in Linux and I wish to add SpamAssassin to my current
Fedora 3 server, I'm currently using my ISP mail accounts and I have
tested with SAproxy in Windows and it works fine.

However when I installed the bundled SpamAssassin (3.0.4), I couldn't
find any settings to key in my ISP email server address it should
connect to (just like in SAproxy).

Now here come the questions:
1. Does SpamAssassin work just like SAproxy in Fedora 3? Does it work as
standalone mail proxy or have to work with mail servers+procmail together?

2. I tried to upgrade my SA to 3.1.x, I have read the upgrade notes
but it doesn't contain instructions for how to upgrade... I googled and
found someone using apt-get command but seems I need a special package
to do that... What do I need?

3. I tried to build the rpm file from the tarball although Linux said I
do not have the rpmbuild command file... Where could I find them?

I have read through the FAQ but couldn't find any answers to my questions...
Thanks for helping.


Re: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Alain Wolf

On 31.10.2006 09:13, * Giampaolo Tomassoni wrote:
 So, if people could take a look at it, test it, see if it does what it 
 advertises, and see if it's as accurate as my experience indicates, I 
 would appreciate getting feedback.  If it pans out, I'll see about 
 putting it in a tar ball, and submitting it to the wiki's list of plugins.
 
 if ( ($hostname =~ /(\S?0*($a|$b|$c|$d|$e|$f|$g|$h|$i)){2,4}/) ||
      ($hostname =~ /$e/) ) {
   # hostname contains two or more octets of its own IP addr
   # in hex or decimal form ... or the entire thing in decimal
   # probably a spambot since this is an untrusted relay
   Mail::SpamAssassin::Plugin::dbg("RelayChecker: ipinhostname");
   $ipinhostname = 1;
 }
 
 Wow, how rude this is! Almost all customers of my ISP (Telecom Italia) would 
 be banned from the e-mail world...
 
 Telecom Italia is used to putting up RDNS entries like this:
 
  host1-84-static.48-88-b.business.telecomitalia.it.
 
 Cheers,
 

Same here in Switzerland, at least one of the main national ISPs calls
its clients nn-nn-nn-nn.static.cablecom.ch

But we already had rejections and spam-tags from many places even before
that plugin came out. But they give you a reverse DNS entry of your own
hostname if you ask for one.







R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Giampaolo Tomassoni
 Same here in Switzerland, at least one of the main national ISPs calls
 its clients nn-nn-nn-nn.static.cablecom.ch
 
 But we already had rejections and spam-tags from many places even before
 that plugin came out. But they give you a reverse DNS entry of your own
 hostname if you ask for one.

Well, you know, the Swiss are well known to be exact.

Here in Italy it is a bit more difficult to get an RDNS changed by Telecom 
Italia: FWIK, they really don't care about RDNS and have no defined policies 
about it.






R: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Giampaolo Tomassoni
 On 31.10.2006 09:32, * Giampaolo Tomassoni wrote:
  Same here in Switzerland, at least one of the main national ISPs calls
  its clients nn-nn-nn-nn.static.cablecom.ch
 
  But we already had rejections and spam-tags from many places even before
  that plugin came out. But they give you a reverse DNS entry of your own
  hostname if you ask for one.
  
  Well, you know, the Swiss are well known to be exact.
  
  Here in Italy it is a bit more difficult to get an RDNS changed
  by Telecom Italia: FWIK, they really don't care about RDNS and
  have no defined policies about it.
  
 
 A few months ago the said addresses were called
 nn-nn-nn-nn.webcom.cablecom.ch until that day when SORBS just put all
 these netblocks in its RBL as dynamic. And they refused to take it out
 until the ISP changed the names to today's nn-nn-nn-nn.static.cablecom.ch
 
 So it looks to me that this plugin should exclude hosts which have
 *static*, *sta* or *fixed* in their DNS names.

I agree with this.


 SORBS uses the following Internet Draft for determining whether networks
 are statically or dynamically assigned by rDNS:
 http://tools.ietf.org/wg/dnsop/draft-msullivan-dnsop-generic-naming-schemes-00.txt

Right. Also, SORBS goes a bit (too?) further by including the word "pool" in 
RDNS as a dynamic address indicator. This doesn't sound that correct to me.

(Again) Telecom Italia uses it to mark address pools on statically-assigned 
chunks:

 host1-231.pool8175.interbusiness.it.

This means host 231.1 in the 81.75 address pool and, believe me, it has 
nothing to do with dynamic addresses: that's statically assigned (uses CLIP, 
too...).





How to score mail to a defined address when not coming from a defined IP list

2006-10-31 Thread Fabio
Hi,
I have a small site with some users and a sendmail mailing list that contains 
all users. This mailing list is used almost exclusively by internal users, 
sending mail to all other users.
Unfortunately, I receive a lot of spam (about 60% of total spam) to this 
address, and this is bad because all users get the spam.

I'd like to add a custom rule that adds a score (say 2.5) if a message is 
destined to this address AND does not come from a list of my IPs.

I am using SA 3.1 with MailScanner.

So the questions are:
1) What do you think of the effectiveness of this rule?
2) Do you know a better way for achieving the same result?
3) Is there a function that parses the Received field and returns the originating 
IP? Which is it?

Thanks,
  Fabio






Re: How to score mail to a defined address when not coming from a defined IP list

2006-10-31 Thread Nigel Frankcom
On Tue, 31 Oct 2006 11:19:40 +0100, Fabio [EMAIL PROTECTED]
wrote:

Hi,
I have a small site with some users and a sendmail mailing list that contains 
all users. This mailing list is used almost exclusively by internal users, 
sending mail to all other users.
Unfortunately, I receive a lot of spam (about 60% of total spam) to this 
address, and this is bad because all users get the spam.

I'd like to add a custom rule that adds a score (say 2.5) if a message is 
destined to this address AND does not come from a list of my IPs.

I am using SA 3.1 with MailScanner.

So the questions are:
1) What do you think of the effectiveness of this rule?
2) Do you know a better way for achieving the same result?
3) Is there a function that parses the Received field and returns the 
originating IP? Which is it?

Thanks, 
  Fabio

Is there an option to allow only those on the list to post to it? I
don't know about SM but mine certainly has that option.

Nigel


Re: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread John Rudd

Giampaolo Tomassoni wrote:
So, if people could take a look at it, test it, see if it does what it 
advertises, and see if it's as accurate as my experience indicates, I 
would appreciate getting feedback.  If it pans out, I'll see about 
putting it in a tar ball, and submitting it to the wiki's list of plugins.


 if ( ($hostname =~ /(\S?0*($a|$b|$c|$d|$e|$f|$g|$h|$i)){2,4}/) ||
      ($hostname =~ /$e/) ) {
   # hostname contains two or more octets of its own IP addr
   # in hex or decimal form ... or the entire thing in decimal
   # probably a spambot since this is an untrusted relay
   Mail::SpamAssassin::Plugin::dbg("RelayChecker: ipinhostname");
   $ipinhostname = 1;
 }

Wow, how rude this is! Almost all customers of my ISP (Telecom Italia) would be 
banned from the e-mail world...

Telecom Italia is used to putting up RDNS entries like this:

 host1-84-static.48-88-b.business.telecomitalia.it.



They would not be banned from the e-mail world.

Instead, they would:

a) be heavily encouraged to get a custom RDNS record, OR
b) be heavily encouraged to send outgoing email through their ISP*, OR
c) be heavily encouraged to use a hosted email service that has a custom 
RDNS record instead of a client-looking RDNS record, OR

d) accept that their email is going to be quarantined (not banned).


(*  which they should do -- I'm not their email server, so unless they 
can make themselves look like a server, instead of a client, they have 
no business connecting directly to my email server; they should connect 
to their own email server, which should have a custom RDNS record, and 
then have that machine connect to my email server)


If they can't do (a) because their ISP doesn't offer that, then they'd 
be encouraged to switch to an ISP that does offer custom RDNS records 
... or do (b) or (c).


I'm personally comfortable with insisting that the people who want to 
connect to my email servers conform to those options.  It's certainly a 
nicer set of options than having (d) be "accept that their email won't be 
accepted at all" (which is what I've done in the past).




Re: R: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread John Rudd

Giampaolo Tomassoni wrote:

On 31.10.2006 09:32, * Giampaolo Tomassoni wrote:

Same here in Switzerland, at least one of the main national ISPs calls
its clients nn-nn-nn-nn.static.cablecom.ch

But we already had rejections and spam-tags from many places even before
that plugin came out. But they give you a reverse DNS entry of your own
hostname if you ask for one.

Well, you know, the Swiss are well known to be exact.

Here in Italy it is a bit more difficult to get an RDNS changed 
by Telecom Italia: FWIK, they really don't care about RDNS and 
have no defined policies about it.



A few months ago the said addresses were called
nn-nn-nn-nn.webcom.cablecom.ch until that day when SORBS just put all
these netblocks in its RBL as dynamic. And they refused to take it out
until the ISP changed the names to today's nn-nn-nn-nn.static.cablecom.ch

So it looks to me that this plugin should exclude hosts which have
*static*, *sta* or *fixed* in their DNS names.


I agree with this.


I've considered the exact opposite (adding "static" to the check for 
keywords).  My rules are really looking more for "is this a _client_ 
host", not "is this a dynamic host".  That one check looks for 
"dynamic", but I'm not interested in exempting anyone because they're 
static.  They've still got a hostname that looks like an end-client, 
and an end-client shouldn't be connecting to other people's mail 
servers.  Any end-client that connects to someone else's email server 
should be treated like it's a spam/virus zombie.




SORBS uses the following Internet Draft for determining whether networks
are statically or dynamically assigned by rDNS:
http://tools.ietf.org/wg/dnsop/draft-msullivan-dnsop-generic-naming-schemes-00.txt


Right. Also, SORBS goes a bit (too?) further by including the word "pool" in 
RDNS as a dynamic address indicator. This doesn't sound that correct to me.



I've also thought about adding "pool" to my list of keywords ... I just 
thought it might be a little too generic.




Re: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread John Rudd

Alain Wolf wrote:


On 31.10.2006 09:32, * Giampaolo Tomassoni wrote:

Same here in Switzerland, at least one of the main national ISPs calls
its clients nn-nn-nn-nn.static.cablecom.ch

But we already had rejections and spam-tags from many places even before
that plugin came out. But they give you a reverse DNS entry of your own
hostname if you ask for one.

Well, you know, the Swiss are well known to be exact.

Here in Italy it is a bit more difficult to get an RDNS changed by Telecom 
Italia: FWIK, they really don't care about RDNS and have no defined policies 
about it.




A few months ago the said addresses were called
nn-nn-nn-nn.webcom.cablecom.ch until that day when SORBS just put all
these netblocks in its RBL as dynamic. And they refused to take it out
until the ISP changed the names to today's nn-nn-nn-nn.static.cablecom.ch

So it looks to me that this plugin should exclude hosts which have
*static*, *sta* or *fixed* in their DNS names.

SORBS uses the following Internet Draft for determining whether networks
are statically or dynamically by rDNS:
http://tools.ietf.org/wg/dnsop/draft-msullivan-dnsop-generic-naming-schemes-00.txt




It should only exempt static hosts if the larger rule is targeting 
dynamic hosts.  That one regular expression is after dynamic hosts ... 
but the larger rule is after clients, not dynamic hosts.  Therefore, 
exempting "static" or "fixed" hostnames doesn't fit.


R: R: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Giampaolo Tomassoni

 ...omitted...

 I've considered the exact opposite (adding "static" to the check for 
 keywords).  My rules are really looking more for "is this a _client_ 
 host", not "is this a dynamic host".  That one check looks for 
 "dynamic", but I'm not interested in exempting anyone because they're 
 static.  They've still got a hostname that looks like an end-client, 
 and an end-client shouldn't be connecting to other people's mail 
 servers.  Any end-client that connects to someone else's email server 
 should be treated like it's a spam/virus zombie.

I'm not comfortable with this: the border between an end-client and a server is 
really unclear. Also, what about an end-client server? :)

I don't understand the push toward using the ISP's mail server to send mail. I 
guess that an end-client may legitimately run its own mail server without 
relaying its outgoing mail to its internet provider.

I can, however, well understand the need for a legitimate mx to be tied to a 
static address. That makes sense for identification purposes.

What's wrong with small businesses running their own mx? Just guessing: doesn't 
the blame for this originate from large ISPs that just want to tie up 
their customers?




 
 



R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Giampaolo Tomassoni
  I would prefer not to have to deal with a single, computed 
 RELAY_CHECKER score, but with many different ones for each of the 
 triggered cases. This way it would be easier to tune scores from 
 this plugin.
  
  To me, your plugin could trigger the following tags:
  
  RELAY_CHECKER (at least one rule has been triggered; according 
 to your code it would score 4 by default);
  RC_NORDNS (scores 1);
  RC_BADRDNS  (scores 1);
  RC_BADDNS   (scores 1);
  RC_IPINHOSTNAME (scores 1);
  RC_DYNHOSTNAME  (scores 1);
  
 
 I was actually thinking of something slightly different.
 
 One static score that can be adjusted in the cf file.  Say, 6 (this 
 makes more sense than the current situation of sometimes you get 5, 
 sometimes you get 6, in my opinion).
 
 Then a bunch of individual scores (like you suggest) that are 
 dynamically scored (the way the plugin records its current score, giving 
 each of those hits as 0 or .01).
 
 This would give a score range of 6.01 to 6.05.  The basic idea is if 
 you get hit by this plugin at all, you're going to get a 6, but the .01 
 scores will show up in a detailed report header, letting you know which 
 specific characteristics were triggered.
 
 
 When someone wants to run tests, they'd just set the static score from 6 
 to .01 (yielding an overall score from .01 to .05).

My intention was to use this plugin for some checks but not for others.

I would assign a 0 score to RELAY_CHECKER, RC_BADDNS and RC_IPINHOSTNAME, then 
the score I like to, say, RC_DYNHOSTNAME, RC_NORDNS and RC_BADRDNS (maybe a 
score of 1 to 2).

I would like to use this plugin to give hints to my SA, not to definitely stop 
a source. :)


 The other two things I'm looking at changing are:
 a) having a relaycheck_exempt cf configuration,
 b) looking at the auth part of the untrusted relay data.
 
 The result would be that instead of looking at the first untrusted 
 relay, it would skip past untrusted relays that were in the 
 relaycheck_exempt list.  Then, if the untrusted relay it's left with had 
 used authentication, the rule wouldn't trigger.

Fine.

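The two halves of this discussion, the IP-in-hostname / client-keyword checks quoted at the top of the thread and the tagged scoring John and Giampaolo are debating here, as an added example (mine, not John's plugin or Jonas's MIMEDefang code). It assumes the RC_* tag names Giampaolo proposed; the checks that need live DNS (RC_BADRDNS, RC_BADDNS) are left out, and the sample IPs and example.* names are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added example, not John Rudd's plugin or Jonas Eckerman's MIMEDefang code.
# Tag names are the ones Giampaolo proposes; checks that need live DNS
# (RC_BADRDNS, RC_BADDNS) are not modelled.

# Words that make a reverse-DNS name look like an end-client, taken from
# John's "dynamic" check and Jonas's check_user_fqdn. "static" and "pool"
# are deliberately absent: the thread does not agree that they mark a client.
CLIENT_WORDS = re.compile(
    r"(?:^|[._-])(?:a?dsl|cable|dial[-._]?up|dynamic|dyn|dhcp|customer|cust)"
    r"\d*(?:$|[._-])",
    re.IGNORECASE,
)


def _tokens(hostname: str) -> List[str]:
    """Alphanumeric runs of the name, lower-cased. A trailing digit run is
    added on its own ('host1' -> '1') and an 8-hex-digit run is also split
    into four byte-sized chunks so a hex-spelled address is recognised."""
    out: List[str] = []
    for tok in re.findall(r"[0-9a-z]+", hostname.lower()):
        out.append(tok)
        tail = re.search(r"\d+$", tok)
        if tail and tail.group() != tok:
            out.append(tail.group())
        if re.fullmatch(r"[0-9a-f]{8}", tok):
            out.extend(tok[i:i + 2] for i in range(0, 8, 2))
    return out


def octets_in_hostname(hostname: str, ip: str) -> int:
    """How many of the IP's four octets the name spells out, in decimal
    (optionally zero-padded, like the plugin's '0*') or two-digit hex.
    This is what the quoted '{2,4}' regex tests, done token by token."""
    toks = set(_tokens(hostname))
    found = 0
    for octet in (int(o) for o in ip.split(".")):
        forms = {str(octet), f"{octet:02d}", f"{octet:03d}", f"{octet:02x}"}
        if toks & forms:
            found += 1
    return found


def relay_checks(hostname: Optional[str], ip: str,
                 exempt: Iterable[str] = ()) -> List[str]:
    """RC_* tags that fire for the first untrusted relay. A name equal to,
    or ending in, an entry of `exempt` never fires (John's relaycheck_exempt
    idea); no reverse name at all is RC_NORDNS."""
    if not hostname:
        return ["RC_NORDNS"]
    name = hostname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in exempt):
        return []
    hits: List[str] = []
    if octets_in_hostname(name, ip) >= 2:   # two or more octets, as in the plugin
        hits.append("RC_IPINHOSTNAME")
    if CLIENT_WORDS.search(name):
        hits.append("RC_DYNHOSTNAME")
    return hits


# John's scheme: one adjustable base score plus 0.01 per sub-check, so the
# report header shows which checks fired (6.01 .. 6.03 with the checks here).
JOHN_SCORES = {"RELAY_CHECKER": 6.0, "RC_NORDNS": 0.01,
               "RC_IPINHOSTNAME": 0.01, "RC_DYNHOSTNAME": 0.01}
# Giampaolo's preference: hints only, with RC_IPINHOSTNAME switched off.
GIAMPAOLO_SCORES = {"RELAY_CHECKER": 0.0, "RC_NORDNS": 1.5,
                    "RC_IPINHOSTNAME": 0.0, "RC_DYNHOSTNAME": 1.5}


def score(hits: List[str], scores: dict) -> Tuple[List[str], float]:
    """RELAY_CHECKER fires whenever any sub-check fires; the total is the sum
    of the configured per-tag scores (rounded so 6.0 + 0.01 + 0.01 is 6.02)."""
    if not hits:
        return [], 0.0
    tags = ["RELAY_CHECKER"] + list(hits)
    return tags, round(sum(scores[t] for t in tags), 2)


if __name__ == "__main__":
    # Constructed samples: the first two names follow the thread, with
    # addresses assumed from the digits in the names; the rest use example.*.
    samples = [
        ("host1-84-static.48-88-b.business.telecomitalia.it", "88.48.84.1"),
        ("192-0-2-77.static.cablecom.ch", "192.0.2.77"),
        ("adsl-198-51-100-9.example.net", "198.51.100.9"),
        ("c0a80a01.example.net", "192.168.10.1"),
        ("mail.example.org", "203.0.113.5"),
        (None, "203.0.113.5"),
    ]
    for host, ip in samples:
        hits = relay_checks(host, ip)
        print(f"{host or '(no rDNS)':52} John={score(hits, JOHN_SCORES)[1]:5.2f}"
              f" Giampaolo={score(hits, GIAMPAOLO_SCORES)[1]:4.2f} {hits}")
```

Both Telecom Italia-style and cablecom-style names fire RC_IPINHOSTNAME only, so under Giampaolo's scores they get 0 while a dsl-named client or a host with no rDNS still scores.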



Re: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread John Rudd

Massimiliano Hofer wrote:
We have 
rather successful anti-spam legislation and, except for botnets, really 
little spam originates here.




Right ... but it's those botnets that this plugin is trying to catch.


And, while I may be a little unyielding wrt people whose ISPs are 
like Telecom Italia, I'm not unsympathetic.  I think, in this case, if 
Italy did get mass quarantined by the rest of the world, it might cause 
enough of an uproar to force Telecom Italia to change its practices and 
allow custom RDNS.  That won't make your life any easier in the meantime, 
though.  I understand that ... but I honestly think it's the right stand 
to take from my side of each SMTP transaction.


I suppose the rate at which people may or may not adopt this plugin when 
it's finished will tell us how many people agree with my stance.




Re: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Jonas Eckerman

Giampaolo Tomassoni wrote:


RELAY_CHECKER (at least one rule has been triggered; according to your code 
it would score 4 by default);
RC_NORDNS (scores 1);
RC_BADRDNS  (scores 1);
RC_BADDNS   (scores 1);
RC_IPINHOSTNAME (scores 1);
RC_DYNHOSTNAME  (scores 1);


Agreed. This way the plugin could also add some rules for ham.

I'm doing something similar myself in MIMEDefang. I've got a number of checks. 
My resulting rules (applied after the SA checks) are:

IP_FQDN_0 - IP_FQDN_5
USER_FQDN_0 - USER_FQDN_3
MAIL_FQDN_0 - MAIL_FQDN_3
NO_FQDN_0 - NO_FQDN_1

and I can then use meta rules for the scoring based on those results.
I don't know if such fine-grained rules are really needed for this.

The MAIL_FQDN_* rules are ham-signs from this check:

sub check_mail_fqdn {
    my $fqdn = shift;
    my $xxx = '(mail|relay|smtp|out)';
    # 3: a label that is exactly a mail-server word plus optional digits
    return 3 if ($fqdn =~ /^(|.*[._-])$xxx\d{0,5}(|[._-].*)$/i);
    # 2: two such words joined (e.g. mail-out, smtp.relay)
    return 2 if ($fqdn =~ /^(|.*[._-])$xxx[-._]?$xxx\d{0,5}(|[._-].*)$/i);
    # 1: the word merely appears somewhere in the name
    return 1 if ($fqdn =~ /(mail|smtp|relay)/i);
    return 0;
}

That should be changed to include "static" in $xxx.

Just for the sake of comparison, below are the other checks as well:

---8<---
sub check_ip_parts {
    # $x is a recursion flag: 0 = called with the dot-separated labels of
    # the FQDN, 1 = called with the '-' or '_' separated pieces of one label
    # (in which case exactly four pieces are required).
    my $x = shift;
    return 0 if ($x && @_ != 4);
    my $ic = 0;   # pieces that are valid decimal octets
    my $hc = 0;   # pieces that are valid one- or two-digit hex octets
    foreach my $p (@_) {
        unless ($x) {
            my @pp = split(/-/,$p);
            return 3 if (check_ip_parts(1,@pp));
            @pp = split(/_/,$p);
            return 3 if (check_ip_parts(1,@pp));
        }
        my $i = ($p =~ /^\d{1,3}$/ && $p >= 0 && $p <= 255);
        my $h = 0;
        if ($p =~ /^[0-9A-Fa-f]{1,2}$/) {
            my $n = hex $p;
            $h = ($n >= 0 && $n <= 255);
        }
        $ic ++ if ($i);
        $hc ++ if ($h);
        return 2 if ($ic == 4);
        return 1 if ($hc == 4);
    }
    return 0;
}

sub check_ip_fqdn {
    # 5: the whole IP (forward or reversed) appears with separators,
    # 4: the same without separators, otherwise fall back to check_ip_parts.
    my $fqdn = shift;
    my $ip = shift;
    return 0 if ($fqdn =~ /^\[$ip\]$/);
    if ($ip =~ /^\d+\.\d+\.\d+\.\d+$/) {
        my $rip = join('.',reverse split(/\./,$ip));
        # every octet becomes an alternation of its decimal, hex and
        # zero-padded spellings
        $ip  =~ s/(\d+)/sprintf('(%1$u|%1$x|%1$02u|%1$02x|%1$03u)',$1)/ge;
        $rip =~ s/(\d+)/sprintf('(%1$u|%1$x|%1$02u|%1$02x|%1$03u)',$1)/ge;
        $ip  =~ s/\./[-._]/g;
        $rip =~ s/\./[-._]/g;
        return 5 if ($fqdn =~ /(|.*\.)$ip\./i);
        return 5 if ($fqdn =~ /(|.*\.)$rip\./i);
        $ip  =~ s/\[-\._\]//g;
        $rip =~ s/\[-\._\]//g;
        return 4 if ($fqdn =~ /(|.*\.)$ip\./i);
        return 4 if ($fqdn =~ /(|.*\.)$rip\./i);
    }
    return check_ip_parts(0,split(/\./,$fqdn));
}

sub check_user_fqdn {
    my $fqdn = shift;
    return 3 if ($fqdn =~ /^(|.*[._-])(a?dsl|cable|dial[-._]?up|dynamic|dynamicip|customer|dhcp)(|[._-].*)$/i);
    return 2 if ($fqdn =~ /^(|.*[._-])(cust|kund)(|[._-].*)$/i);
    return 1 if ($fqdn =~ /^(|.*[._-])(a?dsl[a-z]|cable)\d*(|[._-].*)$/i);
    return 0;
}

sub check_mail_fqdn {
    my $fqdn = shift;
    my $xxx = '(mail|relay|smtp|out)';
    return 3 if ($fqdn =~ /^(|.*[._-])$xxx\d{0,5}(|[._-].*)$/i);
    return 2 if ($fqdn =~ /^(|.*[._-])$xxx[-._]?$xxx\d{0,5}(|[._-].*)$/i);
    return 1 if ($fqdn =~ /(mail|smtp|relay)/i);
    return 0;
}
---8<---

Regards
/Jonas

--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Giampaolo Tomassoni
 Massimiliano Hofer wrote:
  We have 
  rather successful anti-spam legislation and, except for 
 botnets, really 
  little spam originates here.
  
 
 Right ... but it's those botnets that this plugin is trying to catch.

I use greylisting for this, and it works great for me. Also, it simply 
challenges the peer about some RFC 2821 compliance (a 4xx error is a temporary 
one and every good 2821-compliant server MUST retry).


 And, while I may be a little unyielding wrt to people whose ISPs are 
 like Telecom Italia, I'm not unsympathetic.  I think, in this case, if 
 Italy did get mass quarantined by the rest of the world, it might cause 
 enough of an uproar to force Telecom Italia to change its practices and 
 allow custom RDNS.  That wont make your life any easier in the meantime, 
 though.  I understand that ... but I honestly think it's the right stand 
 to take from my side of each SMTP transaction.

The problem is not only Telecom Italia (who, besides, may even care nothing 
about their customers' mail being dropped: it's basically a monopoly).

I see also a theoretical one. The Internet is meant to be a medium with much more 
freedom than other ones.

Basically, the main idea behind the Internet is that you get a static IP and you do 
whatever (legal) thing you like with it, without having to further rely on your 
connectivity provider for this.

This even includes running a legitimate mx. There is no RFC stating you need to 
relay your mail to your ISP if you're too small. And it wouldn't make sense as 
long as even RFCs (i.e.: the interoperability standard) are available to 
everybody for free.

This is a concept which is far away from other media. Try to get ITU-T or ANSI 
standards for free: while you have to be a big company if you want to run your 
own telephone system, it isn't needed to run your own mx.

Of course, this doesn't mean that the recipient of an e-mail has to accept 
each and every e-mail: he/she too has the freedom to accept or discard it. But 
I wouldn't like to be discriminated against just because of my company's size: this is 
well out of the Internet idea.

By strictly enforcing DNS/RDNS rules you basically discriminate against small companies 
(the ones that can't afford buying a /24 net from RIPE or ARIN and running their 
own RDNS) in favour of the big ones (the ones for which a /24 would even be ridiculous). 
You are not going to create trouble for Telecom Italia this way, you are going 
to help them to stay in their big business: their customers will be forced to 
use Telecom's servers to relay mail, which means having to adjust to their 
off-service schedules and maybe even e-mail policies. Actually it doesn't 
happen, but what if Telecom wakes up one morning with the idea that its 
customers have to pay a fee for each domain for which they relay mail through 
its servers?

This is why I think that your plugin is a useful means to give hints to SA, but 
I would like to definitely lower its scores.


 I suppose the rate at which people may or may not adopt this plugin when 
 it's finished will tell us how many people agree with my stance.

Not quite, if they lower the scores... :)





Re: Relay Checker Plugin (code review please?)

2006-10-31 Thread Rick Macdougall

John Rudd wrote:

Rick Macdougall wrote:

John Rudd wrote:




Hi,

Right off the bat I've disabled it.  It, of course, hits on all mail 
my local users send.  That's not really acceptable in an ISP situation 
so I've turned it off until tomorrow when I have the time to look at 
the code and see if I can disable the check for specific IPs or host 
names.


I can say it was hitting on a lot of spam that was passing through as 
clean before, so there is quite a bit of merit to the idea.  It would 
just need the ability to ignore local clients.




Are those users on your trusted network?  It should only be looking at 
your first untrusted relay.


Though, if they're authenticated, I wouldn't mind trying to figure out 
how to extract that from the information, and exempt those.


I could easily add a list of exemptions though.



Hi,

No, they aren't in my trusted networks because I don't trust them.

The reasoning behind the scanning is to pro-actively catch infected 
users spewing spam before much damage is done.  We run a script every 5 
minutes to check for local IPs that are sending spam and if we get a 
pre-defined number of matches it sends us an email.


I may try it later today on one of our external facing MX servers and 
see how it fares there. (After coffee and fully waking up).


Regards,

Rick


RE: R: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Coffey, Neal
John Rudd wrote:
 I've considered the exact opposite (adding "static" to the check for
 keywords). [...]  They've still got a hostname that looks like an
 end-client, and an end-client shouldn't be connecting to other
 people's mail servers.  Any end-client that connects to someone
 else's email server should be treated like it's a spam/virus zombie.

Except that addresses from the "Static" pools are typically given to
customers of the small business packages, specifically for the purpose
of running their own servers. (For cable operators in the US, that is
basically the only difference between the residential and the small
business packages.)

So what you're really saying is, "They've got a hostname that looks like
a small business, and a small business shouldn't be connecting to other
people's mail servers." Now, some of the ISPs do let residential
customers pay extra for a static address.  But I'm willing to wager that
anyone who's paying extra for a static IP is going to be smarter than
the average bear, and not let themselves get zombified.

I like what you've got so far (though I haven't put it on my own server
yet...looking for more feedback from others first), but I disagree with
adding "static" to the keywords.


Re: How to score mail to a defined address when not coming from a defined IP list

2006-10-31 Thread Fabio
 On Tue, 31 Oct 2006 11:19:40 +0100, Fabio [EMAIL PROTECTED]
 wrote:

 Hi,
 I have a small site with some users and a sendmail mailing list that 
 contains all users. This mailing list is used almost exclusively by internal 
 users, sending mail to all other users.
 Unfortunately, I receive a lot of spam (about 60% of total spam) to this 
 address, and this is bad because all users get the spam.
 
 I'd like to add a custom rule that adds a score (say 2.5) if a message is 
 destined to this address AND does not come from a list of my IPs.
 
 I am using SA 3.1 with MailScanner.
 
 So the questions are:
 1) What do you think of the effectiveness of this rule?
 2) Do you know a better way for achieving the same result?
 3) Is there a function that parses the Received field and returns the 
 originating IP? Which is it?
 
 Thanks,
   Fabio
 
 Is there an option to allow only those on the list to post to it? I
 don't know about SM but mine certainly has that option.

 Nigel

This is not possible, as I need that all users do not have to subscribe, and I 
also need some external users to be able to occasionally send mail to the list. What 
I need is only a rule that adds a score like 2.5, so messages from real users 
(which get a score of 0) pass, while spam messages (which usually get a score > 
2.5) get filtered.

So is there a SA function that returns the sender address?

Fabio


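The rule Fabio is asking for, as an added example in SpamAssassin 3.1 rule syntax (not from the thread). It assumes users@example.com and 192.0.2.0/24 stand in for his list address and his own IPs, that those IPs can be listed in trusted_networks, and relies on the stock ALL_TRUSTED rule and the ToCc pseudo-header.

```text
# local.cf -- added example, not from the thread. The list address and the
# 192.0.2.0/24 network are placeholders for Fabio's own values.

# Declare the site's own hosts as trusted; SA uses this to decide where the
# trusted part of the Received: chain ends.
trusted_networks 192.0.2.0/24

# Sub-rule (the __ prefix means it scores nothing by itself): the message is
# addressed to the list, in To: or Cc:.
header   __TO_USERS_LIST   ToCc =~ /\busers\@example\.com\b/i

# Fire when the message is to the list AND did not pass only through trusted
# hosts. ALL_TRUSTED is a stock rule that is true only when every relay in
# the Received: chain is in trusted_networks.
meta     USERS_LIST_FROM_OUTSIDE   __TO_USERS_LIST && !ALL_TRUSTED
describe USERS_LIST_FROM_OUTSIDE   Mail to the all-users list from outside our own IPs
score    USERS_LIST_FROM_OUTSIDE   2.5

# If the sending hosts cannot be made trusted, the same test can match the
# originating relay directly: X-Spam-Relays-Untrusted is a pseudo-header
# whose first entry is the first untrusted relay, "[ ip=a.b.c.d rdns=... ]".
# header   __FROM_OWN_IPS   X-Spam-Relays-Untrusted =~ /^\[ ip=192\.0\.2\./
# meta     USERS_LIST_FROM_OUTSIDE   __TO_USERS_LIST && !__FROM_OWN_IPS
```

Messages from the declared hosts keep a zero contribution from this rule, while outside senders to the list pick up 2.5 points, which is what the question asks for.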




Re: SpamAssassin confusion and upgrading

2006-10-31 Thread Chris Purves
Louis Li wrote:
 Hello, I'm a novice in Linux and I wish to add SpamAssassin to my current
 Fedora 3 server, I'm currently using my ISP mail accounts and I have
 tested with SAproxy in Windows and it works fine.
 
 However when I installed the bundled SpamAssassin (3.0.4), I couldn't
 find any settings to key in my ISP email server address it should
 connect to (just like in SAproxy)
 
 Now here come the questions:
 1. Does SpamAssassin work just like SAproxy in Fedora 3? Does it work as
 standalone mail proxy or have to work with mail servers+procmail together?

SpamAssassin scans mail for spam.  You need to give messages to
spamassassin and then decide what you want to do with them when
spamassassin is finished.  If you want something like SAproxy, then
you will need to install an e-mail proxy that can call spamassassin.
The spamassassin wiki has some information:

http://wiki.apache.org/spamassassin/MailProxy

Some e-mail clients can also be configured to run messages through
spamassassin:

http://wiki.apache.org/spamassassin/IntegratedInMua

I don't use spamassassin in either of the above methods, so I don't
think I can be of much help to you, but there are lots of ways to do it.


-- 
Chris



bayes_auto_learn_threshold_nonspam

2006-10-31 Thread Adam Katz
Is there a way to set the bayes auto-learn thresholds to ignore the score
modifications from bayes and whitelists?  It seems silly to teach SA that
a spam whose only flag was BAYES_20 is ham, or that spam from a
whitelisted friend's virus-infected computer is ham.

(Maybe this is done already?  I don't see mention of this on the wiki or
list archives.)

My current workaround is to set USER_IN_WHITELIST to the same value as
BAYES_00 and set large thresholds like:
  bayes_auto_learn_threshold_nonspam = [0 - 5 - BAYES_00]
  bayes_auto_learn_threshold_spam = [required_score + 5 + BAYES_99]
(I see no reason to auto-train within five points of the 0-required_score
range)

I would love to not have to worry about the whitelist or bayes scores when
auto-learning.

My proposal is to ignore bayesian scores in determining auto-learn
threshold and give an option (like bayes_auto_learn_ignores_whitelist 1)
to ignore the whitelist altogether (conceivably, it doesn't matter --
that's its purpose, after all).

Thanks,
Adam Katz


Re: Simple script that rejects mail from spammers

2006-10-31 Thread John D. Hardin
On Tue, 31 Oct 2006, sa-russian wrote:

 Hi to all!
 
 I made a simple script that scans sendmail log files, finds IP
 from which several spam messages were received, and blocks them in
 sendmail access file.

I just set up something similar to block at the firewall (Linux
iptables, sendmail logfile). If they keep hitting SBL-XBL why let them
try at all?

I'll publish it if anyone's interested.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 Today: Halloween



Re: problems with redirected mail

2006-10-31 Thread Wojciech Potrzebowski
I assume that I scan all mail automatically (obviously there might be 
some setup errors). Still I don't know why some redirected e-mails get 
through when others not, even if both are scored as spam on my local server.

Thanks
Wojtek

Magnus Holmgren wrote:

On Monday 30 October 2006 21:41, Wojciech Potrzebowski took the opportunity to 
say:

 I understand that there are different configurations of two servers but
 I am wondering if there is any possibility to catch these mail (not
 treated as spam with remote server) on my local server.

Well, certainly. Why not just ignore the result from the remote server and run 
SpamAssassin yourself, as you've apparently managed to do? Do you need help 
setting SA up so that all mail is scanned automatically? What you *shouldn't* 
do is to reject mail forwarded by the remote server, because then it will 
start sending bounces to innocent people whose addresses were forged as 
senders of the spam.


RE: increase score of rules

2006-10-31 Thread Bowie Bailey
Pablo Allietti wrote:
 Hi all, I want to increase the score of some image rules. How can I do
 that? For example
 
 HTML_IMAGE_ONLY_28
 HTML_IMAGE_RATIO_02
 
 I want to modify the score of these rules, for example to 4.0. Which
 file do I need to modify? How?

Just drop the new score rules into your local.cf file.

score HTML_IMAGE_ONLY_28 4.0
score HTML_IMAGE_RATIO_02 4.0

By making the modifications here, you don't have to worry about them
being wiped the next time the ruleset is updated.

(and if you have SA 3.1.6, upgrade to 3.1.7 to avoid having these lines
cause problems with sa-update)

-- 
Bowie


Re: R: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread John Rudd

Steven Dickenson wrote:

On Oct 31, 2006, at 6:09 AM, John Rudd wrote:

I've considered the exact opposite (adding static to the check for 
keywords).  My rules are really looking more for is this a _client_ 
host, not is this a dynamic host.  That one check looks for 
dynamic, but I'm not interested in exempting anyone because they're 
static.  They've still got a hostname that looks like an end-client, 
and an end-client shouldn't be connecting to other people's mail 
servers.  Any end-client that connects to someone else's email server 
should be treated like it's a spam/virus zombie


I can't agree with this.  Many small businesses in the US get just these 
kind of static connections from broadband ISPs.  Comcast, for example, 
has all of their static customers using rDNS that would fail your tests, 
and they refuse to set up a custom PTR record or delegate the record to 
someone else.  Most of these static customers are legitimate business 
networks running their own mail server, and have neither the need nor 
desire to relay their mail through Comcast's SMTP servers.  I think your 
general idea is very good, but you're reaching a little too far with 
this one.


I think based on all of the feedback I'm getting on this, I'm going to 
have a config option for something like 
relaychecker_skip_statichostname=1 with 1 being the default.  It will 
cause both the IP in hostname and dynamic hostname checks to be 
skipped if \bstatic\b is in the hostname.  I may also have a 
relaychecker_skip_iphostname and relaychecker_skip_dynamichostname, 
which default to 0 ... to allow places like Italian sites to skip those 
entirely if they just want the basic DNS checks.


It may be a couple days before I can make the changes I've put 
forward... we're having a problem at work (not related to this; it's at 
the network level), and I won't be able to put much coding/testing time 
into this until that problem gets handled.



John


Rule Updates

2006-10-31 Thread Patrick
I'm a little confused on rule updates.  If you are using SA version 3.04 and 
run sa-update and/or rulesdujour, will the rules be updated only to the 3.0 
branch or will they be updated to the most current branch and just fail if 
there are dependency issues?


[EMAIL PROTECTED]
CocoNet Corporation
SW Florida's First ISP
825 SE 47th Terrace
Cape Coral, FL 33904
(239) 540-2626 Voice




Re: R: Age of a domain name - a new test?

2006-10-31 Thread John D. Hardin
On Mon, 30 Oct 2006, Jeff Chan wrote:

 On Monday, October 30, 2006, 11:28:39 PM, Giampaolo Tomassoni wrote:
  Ok. Why not combine an age check with Hardin's spam-friendly
  registrar plugin? 
 
  I mean, a brand-new domain from a SFR (Spam-friendly registrar)
  is really bad (scores 5?). 
 
  A brand-new domain from a non-SFR is not that bad (scores 1?).
 
 That's also likely to have FPs.

So score accordingly.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 Today: Halloween



Re: Rule Updates

2006-10-31 Thread Matthias Haegele

Patrick schrieb:
I'm a little confused on rule updates.  If you are using SA version 3.04 
and run sa-update and/or rulesdujour, will the rules be updated only to 
the 3.0 branch or will they be updated to the most current branch and 
just fail if there are dependency issues?


rulesdujour: You should not use (pre-)3.0 rules; what damage this does I 
don't know (I assume some rules made it into later SA releases?).


hth
MH



Re: Day '31' out of range 1..30

2006-10-31 Thread Theo Van Dinter
On Tue, Oct 31, 2006 at 11:56:35AM +0100, Yves Goergen wrote:
 I've installed SpamAssassin 3.1.6 on Debian Linux 3.1. Is there a way to
 get rid of this error message?
 
 The whole message follows:
 
 Oct 31 10:53:06 mond spamd[19424]: Day '31' out of range 1..30 at
 /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Util.pm line 446

Can you open a bugzilla ticket about this and attach (not cut/paste) the
message causing the issue to the ticket?  Line 446 is:

$time = timegm($ss, $mm, $hh, $dd, $mmm-1, $);

So it's not SA specifically throwing the warning out, but Util could
have issues with the dates in the message causing timegm to complain.

-- 
Randomly Selected Tagline:
Well, that's more-or-less what I was saying, though obviously addition
 is a little more cosmic than the bitwise operators. - Larry Wall


pgpdLiMVtTO93.pgp
Description: PGP signature


Re: Simple script that rejects mail from spammers

2006-10-31 Thread Will Nordmeyer


 On Tue, 31 Oct 2006, sa-russian wrote:
 
  Hi to all!
  
  I made a simple script that scans sendmail log files, finds IP
  from which several spam messages were received, and blocks them in
  sendmail access file.
 
 I just set up something similar to block at the firewall (Linux
 iptables, sendmail logfile). If they keep hitting SBL-XBL why let them
 try at all?
 
 I'll publish it if anyone's interested.
 
I'd be interested in seeing it. 


Re: How to score mail to a defined address when not coming from a defined IP list

2006-10-31 Thread Rubin Bennett
On Tue, 2006-10-31 at 11:19 +0100, Fabio wrote:
 Hi,
 I have a small site with some users and a sendmail mailing lists that contain 
 all users. This mailing list is used almost exclusively by internal users, 
 sending mail to all other users.
 Unfortunately, I receive a lot of spam (about 60% of total spam) to this 
 address, and this is bad because all users get the spams.
 
 I'd like to add a custum rule that add a score (say 2.5) if a message is 
 destinated to this address AND not come from a list of my IPs.
 
 I am using SA 3.1 with MailScanner.
 
 So the questions are:
 1) What do you think of the effectiveness of this rule?
 2) Do you know a better way for achieving the same result?
 3) Is there a function that parses the Received field and returns the 
 originating IP? Which is it?
 
 Thanks, 
   Fabio
 
header   MAILLIST_ORIG_IP    Received !~ /your.ip.address.scheme/
describe MAILLIST_ORIG_IP    Message not from local LAN
# match the list address in To: (use ToCc to cover Cc: as well)
header   MAILLIST_TO_ADDRESS To =~ /[EMAIL PROTECTED]/i
describe MAILLIST_TO_ADDRESS Email to Internal Mailing List
meta     PRIV_MAILLIST (MAILLIST_ORIG_IP && MAILLIST_TO_ADDRESS)
score    PRIV_MAILLIST 3.5

That *should* give you a rule that scores a 3.5 to mail sent to your
mailing list from an IP outside of your network.  You'll need to tinker
probably but that should get you started.

Rubin


-- 
Rubin Bennett
RB Technologies
http://thatitguy.com
[EMAIL PROTECTED]
(802)223-4448

They that can give up essential liberty to obtain a little
temporary security deserve neither liberty nor safety
  --Benjamin Franklin, Historical Review of Pennsylvania, 1759
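Fabio's third question (a function that parses Received and returns the originating IP) and Rubin's meta rule above, worked through as an added Python example; this is not code from the thread or from SpamAssassin. It walks the Received chain from our own MX outwards, treats the first hop outside a trusted network as the originating IP, and adds the score only when such a hop exists and the list address is in To: or Cc:. The list address, trusted networks, score and both sample messages are constructed.

```python
"""Added example (not code from this thread or from SpamAssassin): the
logic behind the PRIV_MAILLIST meta rule, written with the standard
library so it can be run against a saved message.  The list address,
network ranges, score and the sample messages are constructed."""
import email
import ipaddress
import re
from email import policy

LIST_ADDRESS = "everyone@example.org"                        # constructed
TRUSTED_NETWORKS = [ipaddress.ip_network(n)                  # constructed
                    for n in ("192.0.2.0/24", "10.0.0.0/8")]
PRIV_MAILLIST_SCORE = 2.5                                    # Fabio's "say 2.5"

# "from host (name [1.2.3.4])": the bracketed IPv4 most MTAs write after
# "from" in a Received: header.  Headers without it (or with IPv6) are skipped.
_RECV_IP = re.compile(r"\bfrom\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def received_ips(msg):
    """Relay IPs from the Received: headers, in header order (newest first)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _RECV_IP.search(str(hdr))
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
    return ips


def originating_ip(msg):
    """Walk the chain outward from our MX and return the first hop that is
    not inside a trusted network, i.e. the host that handed the message to
    us from outside.  None means every hop was internal."""
    for ip in received_ips(msg):
        if not any(ip in net for net in TRUSTED_NETWORKS):
            return ip
    return None


def addressed_to_list(msg):
    """True if the list address appears in To: or Cc:."""
    for name in ("To", "Cc"):
        for value in msg.get_all(name, []):
            if LIST_ADDRESS in str(value).lower():
                return True
    return False


def priv_maillist_score(raw):
    """Score contribution of the rule for a raw RFC 2822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if addressed_to_list(msg) and originating_ip(msg) is not None:
        return PRIV_MAILLIST_SCORE
    return 0.0


def originating_ip_of(raw):
    """Convenience wrapper returning the originating IP as a string."""
    ip = originating_ip(email.message_from_string(raw, policy=policy.default))
    return None if ip is None else str(ip)


# Constructed sample messages: one relayed in from outside, one submitted
# by a workstation on the trusted LAN.
EXTERNAL_MSG = "\r\n".join([
    "Received: from host7.example.net (host7.example.net [203.0.113.7])",
    "\tby mx.example.org (8.13.8/8.13.8) with ESMTP id k9VAbcde;",
    "\tTue, 31 Oct 2006 11:19:00 +0100",
    "From: offer@example.net",
    "To: everyone@example.org",
    "Subject: hello",
    "",
    "body",
])
INTERNAL_MSG = "\r\n".join([
    "Received: from pc50.example.org (pc50.example.org [192.0.2.50])",
    "\tby mx.example.org (8.13.8/8.13.8) with ESMTP id k9VAbcdf;",
    "\tTue, 31 Oct 2006 11:20:00 +0100",
    "From: alice@example.org",
    "To: everyone@example.org",
    "Subject: lunch",
    "",
    "body",
])

if __name__ == "__main__":
    print("external:", originating_ip_of(EXTERNAL_MSG), priv_maillist_score(EXTERNAL_MSG))
    print("internal:", originating_ip_of(INTERNAL_MSG), priv_maillist_score(INTERNAL_MSG))
```

Inside SpamAssassin itself the parsed relay chain is available to header rules as the pseudo-headers X-Spam-Relays-Untrusted and X-Spam-Relays-Trusted, so a rule can test the first untrusted relay's ip= field instead of matching raw Received text; the trusted_networks setting is what decides where the untrusted part of the chain begins.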



Re: Age of a domain name - a new test?

2006-10-31 Thread Andreas Pettersson

Jeff Chan wrote:


Generally speaking whois queries are a poor way to determine

domain age, at least for client applications.  The whois
infrastructure is simply not designed to support the volume of
queries required, even if locally cached.



Perhaps CRISP is part of the answer to this problem.
http://www.completewhois.com/other_projects.htm

--
Andreas




Simple script that rejects mail from spammers

2006-10-31 Thread sa-russian
Hi to all!

I made a simple script that scans sendmail log files, finds IPs from which 
several spam messages were received, and blocks them in the sendmail access file.

The background is as follows: once I found that our MX was nearly down. Running 
top exposed a lot of spamd instances, consuming almost all CPU time. Examining 
maillog showed that one of our subscribers had sent about 4000 messages within 
approximately 15 minutes, and all of them were spam. I manually banned that 
subscriber in /etc/mail/access and informed their personnel about a possible 
zombie infection.
Now I have a script that runs from cron and instantly blocks hosts that have sent 
us more than some maximum number of spam messages within the last hour (or any 
duration of your choice).

The script is available from http://sa-russian.narod.ru/block_spammers.bash

Understanding of some fundamentals of BASH scripting is expected. The only MTA 
supported is sendmail. Look at the comments inside the script to tailor it to 
your installation.

Best regards,
Alan M. Makoev 
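The correlation the post describes (spam verdicts per sending host within a time window, turned into sendmail access entries), as an added Python example; it is not Alan's block_spammers.bash. sendmail's envelope line ties a queue ID to the Message-ID and the relay that handed the message over, and spamd's result line carries the verdict with the same Message-ID, so the two can be joined without a milter. All log lines are constructed, syslog timestamps carry no year so SYSLOG_YEAR is assumed, and NOW stands in for the clock.

```python
"""Added example, not the author's block_spammers.bash: correlate sendmail's
envelope log lines with spamd's result lines and list the relays that sent
more than MAX_SPAM spam messages within WINDOW, as sendmail access entries.
The log lines are constructed; SYSLOG_YEAR and NOW are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_YEAR = 2006                       # syslog lines have no year (assumed)
WINDOW = timedelta(hours=1)              # "within the last hour"
MAX_SPAM = 3                             # block after more than this many
NEVER_BLOCK = {"127.0.0.1"}              # our own relays must never be listed

# sendmail: queue id, Message-ID and the relay that handed us the message
_FROM = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<[^>]*>, .*?msgid=<(?P<mid>[^>]+)>.*?relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")
# spamd (SA 3.1): verdict is Y for spam and . for ham; mid= is the Message-ID
_RESULT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ spamd\[\d+\]: spamd: result: "
    r"(?P<verdict>[Y.]) (?P<score>-?\d+) - .*?mid=<(?P<mid>[^>]+)>")


def _ts(text):
    return datetime.strptime(f"{SYSLOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def spam_sources(lines, now):
    """Return {relay_ip: spam_count} for relays over MAX_SPAM in the window."""
    by_mid = {}
    for line in lines:                   # pass 1: envelope lines
        m = _FROM.search(line)
        if m:
            by_mid[m["mid"]] = (m["ip"], _ts(m["ts"]))
    hits = defaultdict(int)
    for line in lines:                   # pass 2: spamd verdicts joined on Message-ID
        m = _RESULT.search(line)
        if not m or m["verdict"] != "Y" or m["mid"] not in by_mid:
            continue
        ip, seen = by_mid[m["mid"]]
        if ip not in NEVER_BLOCK and timedelta(0) <= now - seen <= WINDOW:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n > MAX_SPAM}


def access_entries(offenders):
    """Lines for /etc/mail/access (rebuild access.db with makemap afterwards)."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(offenders)]


def _sm(ts, qid, mid, relay):            # constructed sendmail envelope line
    return (f"Oct 31 {ts} mx sendmail[2345]: {qid}: from=<offer@example.net>, size=1840, "
            f"class=0, nrcpts=1, msgid=<{mid}>, proto=ESMTP, daemon=MTA, relay={relay}")


def _sd(ts, verdict, score, mid):        # constructed spamd result line
    return (f"Oct 31 {ts} mx spamd[3456]: spamd: result: {verdict} {score} - BAYES_99 "
            f"scantime=1.2,size=1840,user=nobody,uid=65534,required_score=5.0,"
            f"rhost=localhost,raddr=127.0.0.1,rport=43210,mid=<{mid}>,autolearn=spam")


SAMPLE_LOG = [  # constructed: one host sends four spams in the window, one sends one, one sends ham
    _sm("09:00:01", "k9V9001a000001", "m0@example.net", "[203.0.113.7]"),
    _sd("09:00:03", "Y", 15, "m0@example.net"),          # spam, but outside the window
    _sm("11:02:10", "k9VA2Aa0000002", "m1@example.net", "host7.example.net [203.0.113.7]"),
    _sd("11:02:12", "Y", 15, "m1@example.net"),
    _sm("11:10:10", "k9VAAAa0000003", "m2@example.net", "host7.example.net [203.0.113.7]"),
    _sd("11:10:12", "Y", 18, "m2@example.net"),
    _sm("11:20:10", "k9VAKAa0000004", "m3@example.net", "host7.example.net [203.0.113.7]"),
    _sd("11:20:12", "Y", 12, "m3@example.net"),
    _sm("11:30:10", "k9VAUAa0000005", "m4@example.net", "[203.0.113.7]"),   # no rDNS form
    _sd("11:30:12", "Y", 21, "m4@example.net"),
    _sm("11:40:10", "k9VAeAa0000006", "m5@example.com", "mail.example.com [198.51.100.9]"),
    _sd("11:40:12", "Y", 7, "m5@example.com"),           # one spam: under the limit
    _sm("11:45:10", "k9VAjAa0000007", "m6@example.org", "pc5.example.org [192.0.2.5]"),
    _sd("11:45:12", ".", -2, "m6@example.org"),          # ham
]
NOW = datetime(SYSLOG_YEAR, 10, 31, 12, 0, 0)            # assumed "current time"


def demo():
    offenders = spam_sources(SAMPLE_LOG, NOW)
    return offenders, access_entries(offenders)


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

After appending the entries, the map has to be rebuilt (makemap hash /etc/mail/access < /etc/mail/access) before sendmail honours them. The NEVER_BLOCK set is the guard the original story shows is needed: the offending host there was one of their own subscribers, and an automated rule with no allow-list for your own relays and forwarders will happily lock those out too.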


Re: Relay Checker Plugin (code review please?)

2006-10-31 Thread Matthew Newton
Hi,

On Mon, Oct 30, 2006 at 03:23:21PM -0800, John Rudd wrote:
 I've written a plugin for Spam Assassin that does the relay checks I 

...and here was me just working out how to get exim to check this,
and have SpamAssassin add a score, and your mail arrived :-)

 1) no RDNS for the machines that aren't intended to talk to the outside 
 world
 
 2) RDNS that doesn't lead back to a valid A record
 
 3) RDNS that is forged (leads to an A record which doesn't resolve back 
 to the IP you started with)
 
 4) Contains the hosts IP address within the hostname
 
 5) Contains standard key words within the hostname (but not in the TLD 
 nor registered domain name), such as dhcp, dialup, dial-up, dsl, 
 etc.

I'm also thinking about connections that use one of these "I'm on
an ADSL line"-type names for the HELO string. Not directly
rejecting, again, just adding a score on.

If this really was just home connections, then I'd block directly.
As there are some legitimate businesses (with braindead ISPs) as
already pointed out, adding an extra score shouldn't matter for
them (unless they actually are sending spam, which is a different
matter altogether).

 The two files you need (put them in /etc/mail/spamassassin ... or 
 wherever you want to put your plugins) are:

I'll drop it on our mailers (probably with a smaller score than
the default) and let you know how many times the phone rings
before I have to tweak it or remove it ;-).

Matthew


-- 
Matthew Newton [EMAIL PROTECTED]

UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
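The five checks quoted above and John Rudd's proposed relaychecker_skip_statichostname behaviour, as an added Python example; this is not his plugin's code. The two hostname checks (IP octets in the name, client-style keywords outside the registered domain) run on strings alone; the three reverse-DNS checks take lookup functions so the block runs offline against constructed PTR and A tables. Keywords beyond the thread's "dhcp, dialup, dial-up, dsl" are assumptions, the registered domain is approximated as the last two labels (a real plugin needs a public-suffix list), and the IP paired with the Telecom Italia hostname is constructed.

```python
"""Added example (not John Rudd's plugin): the relay-hostname checks from the
thread plus the "skip if the name says static" option.  Extra keywords, the
two-label registered-domain approximation and the DNS tables are assumptions."""
import re

# Keywords named in the thread (dhcp, dialup, dial-up, dsl); the rest are assumed additions.
KEYWORDS = ("dhcp", "dialup", "dial-up", "dsl", "adsl", "ppp", "pool", "dyn", "dynamic")
_HEX_TOKEN = re.compile(r"^[0-9a-f]{1,2}$")


def _octets(ip):
    return [int(o) for o in ip.split(".")]


def ip_in_hostname(hostname, ip, min_octets=2):
    """True if the whole dotted IP, or at least `min_octets` of its octets as
    separate decimal runs or two-digit hex tokens, appear in the hostname."""
    host = hostname.lower().rstrip(".")
    if ip in host:                                   # whole dotted address
        return True
    decimals = {int(run) for run in re.findall(r"\d+", host)}
    hexes = {int(tok, 16) for tok in re.split(r"[^0-9a-z]+", host)
             if _HEX_TOKEN.match(tok) and re.search(r"[a-f]", tok)}
    found = sum(1 for o in _octets(ip) if o in decimals or o in hexes)
    return found >= min_octets


def dynamic_keyword(hostname):
    """True if a client-style keyword appears in the host part of the name,
    i.e. outside the (approximated) registered domain and TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    host_part = ".".join(labels[:-2])
    return any(re.search(rf"(?<![a-z]){re.escape(k)}(?![a-z])", host_part)
               for k in KEYWORDS)


def is_static(hostname):
    return re.search(r"\bstatic\b", hostname.lower()) is not None


def hostname_flags(hostname, ip, skip_static=True):
    """Checks 4 and 5, both skipped for static-looking names when the
    relaychecker_skip_statichostname-style option is on (the proposed default)."""
    static = is_static(hostname)
    if static and skip_static:
        return {"static": True, "ip_in_hostname": False, "dynamic_keyword": False}
    return {"static": static,
            "ip_in_hostname": ip_in_hostname(hostname, ip),
            "dynamic_keyword": dynamic_keyword(hostname)}


def rdns_status(ip, ptr_lookup, a_lookup):
    """Checks 1-3: 'none' (no PTR), 'no_a_record' (PTR name has no A record),
    'forged' (A records exist but none is this IP), or 'ok'."""
    names = ptr_lookup(ip)
    if not names:
        return "none"
    saw_a = False
    for name in names:
        addrs = a_lookup(name)
        if addrs:
            saw_a = True
            if ip in addrs:
                return "ok"
    return "forged" if saw_a else "no_a_record"


# Constructed DNS tables standing in for real PTR and A lookups.
_PTR = {"203.0.113.7": ["host7-dsl.example.net"],
        "198.51.100.9": ["mail.example.com"],
        "203.0.113.8": ["ghost.example.net"]}
_A = {"host7-dsl.example.net": ["203.0.113.7"],
      "mail.example.com": ["198.51.100.10"]}


def fake_ptr(ip):
    return _PTR.get(ip, [])


def fake_a(name):
    return _A.get(name, [])


if __name__ == "__main__":
    ti = "host1-84-static.48-88-b.business.telecomitalia.it"   # IP below is constructed
    print(hostname_flags(ti, "88.48.84.1"), hostname_flags(ti, "88.48.84.1", skip_static=False))
    print(hostname_flags("host7-dsl.example.net", "203.0.113.7"))
    for ip in ("192.0.2.5", "203.0.113.7", "198.51.100.9", "203.0.113.8"):
        print(ip, rdns_status(ip, fake_ptr, fake_a))
```

Run as-is, the Telecom Italia style name trips the IP-in-hostname check only when the static skip is off, which is exactly the false-positive trade-off the thread is arguing about; a keyword inside the registered domain (mail.dsl-provider.net) does not count, while the same keyword in the host part (host7-dsl.example.net) does.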


increase score of rules

2006-10-31 Thread Pablo Allietti
Hi all, I want to increase the score of some image rules. How can I do that?
For example 

HTML_IMAGE_ONLY_28
HTML_IMAGE_RATIO_02

I want to modify the score of these rules, for example to 4.0. Which file do I
need to modify? How?



Re: Simple script that rejects mail from spammers

2006-10-31 Thread Stuart Johnston

sa-russian wrote:

Hi to all!

I made a simple script that scans sendmail log files, finds IPs from which 
several spam messages were received, and blocks them in the sendmail access file.

The background is as follows: once I found that our MX was nearly down. Running 
top exposed a lot of spamd instances, consuming almost all CPU time. Examining 
maillog showed that one of our subscribers had sent about 4000 messages within 
approximately 15 minutes, and all of them were spam. I manually banned that 
subscriber in /etc/mail/access and informed their personnel about a possible 
zombie infection.
Now I have a script that runs from cron and instantly blocks hosts that have sent 
us more than some maximum number of spam messages within the last hour (or any 
duration of your choice).

The script is available from http://sa-russian.narod.ru/block_spammers.bash

Understanding of some fundamentals of BASH scripting is expected. The only MTA 
supported is sendmail. Look at the comments inside the script to tailor it to 
your installation.

Best regards,
Alan M. Makoev 


Here's something similar:

http://fut.patch.com/



Re: Thunderbird Forwarding Spam

2006-10-31 Thread itdelany

I edited the script so that it can be run from the command line; it parses every
file under the $dirname variable 
and saves the results (tripped emails) under $path.
I am not a Perl coder (but a Java one ;) ) so comments are welcome. I made
it available here: 

#!/usr/bin/perl
#
# Walk a directory of forwarded spam reports, pull the attached
# message/rfc822 parts out of each one and save them as separate .eml files.
use strict;
use warnings;
use Mail::SpamAssassin::Message;
use Data::UUID;

my $path    = "Spam/";                 # where the extracted messages are written
my $dirname = "MailsSpamToProcess/";   # directory holding the reports to process

opendir(DIR, $dirname) or die "can't opendir $dirname: $!";

while (defined(my $file = readdir(DIR))) {
    next if -d $dirname . $file;       # skip "." and ".." (and any subdirectory)

    #print $dirname . $file;
    open(INFO, "<", $dirname . $file) or die "can't open $dirname$file: $!";  # Open the file
    my @message = <INFO>;              # Read it into an array
    #print @message;

    my $msg = Mail::SpamAssassin::Message->new(
        {
            'message' => \@message,    # reference to the array read above
        }
    ) || die "Message error?";
    print @message;

    # Each message/rfc822 part is an original mail forwarded as an attachment
    foreach my $p ($msg->find_parts(qr/^message\b/i, 0)) {
        eval {
            #no warnings ;
            my $type = $p->{'type'};
            my $ug = Data::UUID->new;
            my $uuid1 = $ug->create_str();
            my $attachname = $path . $uuid1 . ".eml";
            # "or", not "||": "|| die" would bind to $attachname instead of open()
            open(OUT, ">", $attachname) or die "Can't write file $attachname: $!";
            binmode OUT;
            print OUT $p->decode();
            close(OUT);
        };
    }

    close(INFO);
}
closedir(DIR);

I have one more question: before I enable the bayes filter on my site, what if
no bayes_path is specified in local.cf? Will it use the default path 
(/root/.spamassassin/)?

Thanks :) !

I haven't tested this script by running it manually and this script is
not written by me. But you can run it manually as it is a script it
can be run from the command line. I don't know about the parameters
may be you can pass a fake or unwanted email to this script.


-- 
View this message in context: 
http://www.nabble.com/Thunderbird-Forwarding-Spam-tf2539303.html#a7098708
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Simple script that rejects mail from spammers

2006-10-31 Thread Millan, Raul
I'm interested; how do I get it?

Cheers,

Raul


-
Sent from my Treo 650 Smartphone

-Original Message-

From:  John D. Hardin [EMAIL PROTECTED]
Subj:  Re: Simple script that rejects mail from spammers
Date:  Tue Oct 31, 2006 11:48 am
Size:  924 bytes
To:  sa-russian [EMAIL PROTECTED]
cc:  users@spamassassin.apache.org users@spamassassin.apache.org

On Tue, 31 Oct 2006, sa-russian wrote: 
 
 Hi to all! 
  
 I made a simple script that scans sendmail log files, finds IP 
 from which several spam messages were received, and blocks them in 
 sendmail access file. 
 
I just set up something similar to block at the firewall (Linux 
iptables, sendmail logfile). If they keep hitting SBL-XBL why let them 
try at all? 
 
I'll publish it if anyone's interested. 
 
-- 
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/ 
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED] 
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79 
--- 
  ...the Fates notice those who buy chainsaws... 
  -- www.darwinawards.com 
--- 
 Today: Halloween 
 



Re: Simple script that rejects mail from spammers

2006-10-31 Thread Evan Platt

At 09:36 AM 10/31/2006, you wrote:


Here's something similar:

http://fut.patch.com/


I'd be interested in something for postfix / ipfw... :) 



Re: bayes_auto_learn_threshold_nonspam

2006-10-31 Thread Chris Purves

Adam Katz wrote:

Is there a way to set the bayes auto-learn thresholds to ignore the score
modifications from bayes and whitelists?  It seems silly to teach SA that
a spam whose only flag was BAYES_20 is ham, or that spam from a
whitelisted friend's virus-infected computer is ham.

(Maybe this is done already?  I don't see mention of this on the wiki or
list archives.)


Running grep noautolearn /usr/share/spamassassin/* returns the list of 
tests with noautolearn set.


GTUBE
AWL
USER_IN_BLACKLIST
USER_IN_WHITELIST
USER_IN_DEF_WHITELIST
USER_IN_BLACKLIST_TO
USER_IN_WHITELIST_TO
USER_IN_MORE_SPAM_TO
USER_IN_ALL_SPAM_TO
USER_IN_DKIM_WHITELIST
USER_IN_DEF_DKIM_WL
ENV_AND_HDR_DKIM_MATCH
USER_IN_SPF_WHITELIST
USER_IN_DEF_SPF_WL
ENV_AND_HDR_SPF_MATCH
SUBJECT_IN_WHITELIST
SUBJECT_IN_BLACKLIST

No Bayes in this list.  If your bayes database is well trained, then I 
don't see why it shouldn't be used to determine and train more spam or ham.



My current workaround is to set USER_IN_WHITELIST to the same value as
BAYES_00 and set large thresholds like:
  bayes_auto_learn_threshold_nonspam = [0 - 5 - BAYES_00]
  bayes_auto_learn_threshold_spam = [required_score + 5 + BAYES_99]
(I see no reason to auto-train within five points of the 0-required_score
range)

I would love to not have to worry about the whitelist or bayes scores when
auto-learning.

My proposal is to ignore bayesian scores in determining auto-learn
threshold and give an option (like bayes_auto_learn_ignores_whitelist 1)
to ignore the whitelist altogether (conceivably, it doesn't matter --
that's its purpose, after all).


I suspect this has been debated and decided in the past, but if you want 
to disable autolearn for specific rules, then add noautolearn to the 
tflags line:


/usr/share/spamassassin/23_bayes.cf
tflags BAYES_00 nice learn noautolearn
tflags BAYES_05 nice learn noautolearn
tflags BAYES_20 nice learn noautolearn
tflags BAYES_40 nice learn noautolearn
tflags BAYES_50 learn noautolearn
tflags BAYES_60 learn noautolearn
tflags BAYES_80 learn noautolearn
tflags BAYES_95 learn noautolearn
tflags BAYES_99 learn noautolearn


--
Chris



Re: increase score of rules

2006-10-31 Thread Jim Maul

Pablo Allietti wrote:

Hi all, I want to increase the score of some image rules. How can I do that?
For example 


HTML_IMAGE_ONLY_28
HTML_IMAGE_RATIO_02

I want to modify the score of these rules, for example to 4.0. Which file do I
need to modify? How?





You read the documentation like a good little SA user.

Specifically:

http://wiki.apache.org/spamassassin/AdjustRuleScore

-Jim



Re: Simple script that rejects mail from spammers

2006-10-31 Thread Chris Purves

sa-russian wrote:

Hi to all!

I made a simple script that scans sendmail log files, finds IPs from which 
several spam messages were received, and blocks them in the sendmail access file.

The background is as follows: once I found that our MX was nearly down. Running 
top exposed a lot of spamd instances, consuming almost all CPU time. Examining 
maillog showed that one of our subscribers had sent about 4000 messages within 
approximately 15 minutes, and all of them were spam. I manually banned that 
subscriber in /etc/mail/access and informed their personnel about a possible 
zombie infection.
Now I have a script that runs from cron and instantly blocks hosts that have sent 
us more than some maximum number of spam messages within the last hour (or any 
duration of your choice).

The script is available from http://sa-russian.narod.ru/block_spammers.bash

Understanding of some fundamentals of BASH scripting is expected. The only MTA 
supported is sendmail. Look at the comments inside the script to tailor it to 
your installation.

Best regards,
Alan M. Makoev 



Have a look at fail2ban.  I believe it can do the same thing (as well as 
more):


http://fail2ban.sourceforge.net/wiki/index.php/Main_Page

--
Chris



Re: Simple script that rejects mail from spammers

2006-10-31 Thread Frank Bures
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 31 Oct 2006 19:29:37 +0300 (MSK), sa-russian wrote:

Hi to all!

I made a simple script that scans sendmail log files, finds IPs from which 
several spam messages were received, and blocks them in the sendmail access file.

The background is as follows: once I found that our MX was nearly down. 
Running top exposed a lot of spamd instances, consuming almost all CPU time. 
Examining maillog showed that one of our subscribers had sent about 4000 
messages within approximately 15 minutes, and all of them were spam. I manually 
banned that subscriber in /etc/mail/access and informed their personnel about 
a possible zombie infection.
Now I have a script that runs from cron and instantly blocks hosts that have 
sent us more than some maximum number of spam messages within the last hour (or 
any duration of your choice).

The script is available from http://sa-russian.narod.ru/block_spammers.bash

Understanding of some fundamentals of BASH scripting is expected. The only 
MTA supported is sendmail. Look at the comments inside the script to tailor 
it to your installation.

Best regards,
Alan M. Makoev 


You just reinvented the wheel.

http://www.spamshield.org/


Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
[EMAIL PROTECTED]
http://www.chem.utoronto.ca
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures
-BEGIN PGP SIGNATURE-
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wj8DBQFFR4Nqih0Xdz1+w+wRAmyQAKC1oNWOAFiemeHDJVDftXkFXNflWACfV1TS
mnvkcX8QAAVrcm4wt0/Jx88=
=SRPS
-END PGP SIGNATURE-




whitelist_from_rcvd

2006-10-31 Thread Chris Edwards



Hello!

Praise...

I have not used spamassassin for several years. I switched companies recently 
and they were getting killed with spam. I have really enjoyed relearning 
spamassassin and reading the mailing list. Spamassassin has done an incredible 
job of reducing the amount of spam coming into the company. I just wanted to 
say thanks to all of you who have had a hand in developing this awesome program!

Ok, now my question...

My company has several other companies that it does business with and I want 
to put those companies and all the domains we own into a white list. Can I 
find the needed information in the headers of an email to create a 
whitelist_from_rcvd entry in local.cf? If so, what information do I need? 
If not, where would I go about finding it?

Thanks!
---Chris Edwards



Re: Rule Updates

2006-10-31 Thread Theo Van Dinter
On Tue, Oct 31, 2006 at 11:17:56AM -0500, Patrick wrote:
 I'm a little confused on rule updates.  If you are using SA version 3.04 
 and run sa-update and/or rulesdujour, will the rules be updated only to the 
 3.0 branch or will they be updated to the most current branch and just fail 
 if there are dependency issues?

3.0 doesn't have support for sa-update, and so there are no updates available
for 3.0.  You'd have to upgrade to 3.1.x (x>0) for sa-update.

-- 
Randomly Selected Tagline:
Leela: Bender, why are you spending so much time in the bathroom? Are 
  you jacking on in there?


pgpCATqI0YyyI.pgp
Description: PGP signature


Re: R: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Steven Dickenson

On Oct 31, 2006, at 6:09 AM, John Rudd wrote:

I've considered the exact opposite (adding static to the check for  
keywords).  My rules are really looking more for is this a  
_client_ host, not is this a dynamic host.  That one check looks  
for dynamic, but I'm not interested in exempting anyone because  
they're static.  They've still got a hostname that looks like an  
end-client, and an end-client shouldn't be connecting to other  
people's mail servers.  Any end-client that connects to someone  
else's email server should be treated like it's a spam/virus zombie


I can't agree with this.  Many small businesses in the US get just  
these kind of static connections from broadband ISPs.  Comcast, for  
example, has all of their static customers using rDNS that would fail  
your tests, and they refuse to set up a custom PTR record or delegate  
the record to someone else.  Most of these static customers are  
legitimate business networks running their own mail server, and have  
neither the need nor desire to relay their mail through Comcast's  
SMTP servers.  I think your general idea is very good, but you're  
reaching a little too far with this one.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Day '31' out of range 1..30

2006-10-31 Thread Yves Goergen
On 31.10.2006 17:42 CE(S)T, Theo Van Dinter wrote:
 On Tue, Oct 31, 2006 at 11:56:35AM +0100, Yves Goergen wrote:
 I've installed SpamAssassin 3.1.6 on Debian Linux 3.1. Is there a way to
 get rid of this error message?

 The whole message follows:

 Oct 31 10:53:06 mond spamd[19424]: Day '31' out of range 1..30 at
 /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Util.pm line 446
 
 Can you open a bugzilla ticket about this and attach (not cut/paste) the
 message causing the issue to the ticket?  Line 446 is:

Does someone already have an account for that?

-- 
Yves Goergen LonelyPixel [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.


Re: Simple script that rejects mail from spammers

2006-10-31 Thread Stuart Johnston

Evan Platt wrote:

At 09:36 AM 10/31/2006, you wrote:


Here's something similar:

http://fut.patch.com/


I'd be interested in something for postfix / ipfw... :)



Currently analyzes log files based on behavior of OpenSSH v4.2, Postfix v2.2.4, and ProFTPD v1.2 as 
packaged for Debian systems.


Re: Day '31' out of range 1..30

2006-10-31 Thread Theo Van Dinter
On Tue, Oct 31, 2006 at 07:16:46PM +0100, Yves Goergen wrote:
  Can you open a bugzilla ticket about this and attach (not cut/paste) the
  message causing the issue to the ticket?  Line 446 is:
 
 Does someone already have an account for that?

You should create yourself an account and then you'll be able to create
tickets.

-- 
Randomly Selected Tagline:
The random quantum fluctuations of my brain are historical accidents that
 happen to have decided that the concepts of dynamic scoping and lexical
 scoping are orthogonal and should remain that way. - Larry Wall


pgpRvjPg3QBry.pgp
Description: PGP signature


Help

2006-10-31 Thread san

Hello..

I have received lots of spam mails like the one I have attached...


So I would like to make a rule to detect this kind of spam. 
I have gone through SARE and I didn't get any rule to avoid this, and I am very
new to SpamAssassin.

Anyone who can make this rule?
Any kind of help is much appreciated.


Thanks...
http://www.nabble.com/file/3930/acce.htm acce.htm 
-- 
View this message in context: http://www.nabble.com/Help-tf2547637.html#a7100155
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: R: Age of a domain name - a new test?

2006-10-31 Thread Kenneth Porter
--On Tuesday, October 31, 2006 8:28 AM +0100 Giampaolo Tomassoni 
[EMAIL PROTECTED] wrote:



Ok. Why not combine an age check with Hardin's spam-friendly registrar
plugin?


Where can I find out more about this plugin? I searched the wiki for 
registrar and it doesn't turn up.


Re: Simple script that rejects mail from spammers

2006-10-31 Thread John D. Hardin
On Tue, 31 Oct 2006, Will Nordmeyer wrote:

  On Tue, 31 Oct 2006, sa-russian wrote:
  
   Hi to all!
   
   I made a simple script that scans sendmail log files, finds IP
   from which several spam messages were received, and blocks them in
   sendmail access file.
  
  I just set up something similar to block at the firewall (Linux
  iptables, sendmail logfile). If they keep hitting SBL-XBL why let them
  try at all?
  
  I'll publish it if anyone's interested.
 
 I'd be interested in seeing it. 

http://www.impsec.org/~jhardin/antispam/spammer-firewall

Warning: very Q'n'D, just something I hacked together quickly for my
hosted mail server.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 Today: Halloween



SpamAssassin + sql user prefs

2006-10-31 Thread Chris Szilagyi
Hello:

I have not been able to find the answer to my question so I thought I'd try
this mailing list.

I have SpamAssassin 3.1.7 (using spamc/spamd) installed on a Red Hat 7.1
system, with Perl 5.6.1.  We currently have SQL user prefs enabled in a MySQL
db, and put the entries in /etc/procmailrc to enable system-wide scanning.

My question is:  Are there any settings for SpamAssassin that users would set
in their prefs, that would bypass scanning of their email?  My reason for
asking is that if we have users that do not want any scanning, we'd like to
free up the load on the server so it's not scanning messages and scoring them
for no reason.  Right now we're using the sasql plugin for Squirrelmail as
the front-end for the user settings, and one of the settings is to set the
level to '99' => _("Don't Filter").  But I'm just trying to figure out if
this will force SpamAssassin (spamd) to just pass the message through without
examining the content, to lighten up the load on the server.

Does anybody know which setting (if any) will accomplish this?  Thank you very
much for the feedback.
--
Chris


Re: Simple script that rejects mail from spammers

2006-10-31 Thread dsanchez
 Evan Platt wrote:
 At 09:36 AM 10/31/2006, you wrote:

 Here's something similar:

 http://fut.patch.com/

 I'd be interested in something for postfix / ipfw... :)


 Currently analyzes log files based on behavior of OpenSSH v4.2, Postfix
 v2.2.4, and ProFTPD v1.2 as packaged for Debian systems.


The same for Qmail:

http://inter7.com/?page=tcpblocker

From the Inter7 guys.



Re: SpamAssassin + sql user prefs

2006-10-31 Thread Jim Maul

Chris Szilagyi wrote:

Hello:

I have not been able to find the answer to my question so I thought I'd try
this mailing list.

I have SpamAssassin 3.1.7 (using spamc/spamd) installed on a Red Hat 7.1
system, with Perl 5.6.1.  We currently have SQL user prefs enabled in a MySQL
db, and put the entries in /etc/procmailrc to enable system-wide scanning.

My question is:  Are there any settings for SpamAssassin that users would set
in their prefs, that would bypass scanning of their email?  My reason for
asking is that if we have users that do not want any scanning, we'd like to
free up the load on the server so it's not scanning messages and scoring them
for no reason.  Right now we're using the sasql plugin for Squirrelmail as
the front-end for the user settings, and one of the settings is to set the
level to '99' => _(Don't Filter).  But I'm just trying to figure out if
this will force SpamAssassin (spamd) to just pass the message through without
examining the content, to lighten up the load on the server.

Does anybody know which setting (if any) will accomplish this?  Thank you very
much for the feedback.



There is nothing in SA to tell it not to scan something.  If you don't 
want SA to scan a piece of mail, then you have to tell whatever calls SA 
(Procmail it seems, in your setup) not to pass that particular mail to 
it.  I've never used procmail myself but I'm sure someone here can offer 
some help with that.


Jim


Re: R: Age of a domain name - a new test?

2006-10-31 Thread John D. Hardin
On Tue, 31 Oct 2006, Kenneth Porter wrote:

 --On Tuesday, October 31, 2006 8:28 AM +0100 Giampaolo Tomassoni 
 [EMAIL PROTECTED] wrote:
 
  Ok. Why not combine an age check with Hardin's spam-friendly registrar
  plugin?
 
 Where can I find out more about this plugin? I searched the wiki for 
 registrar and it doesn't turn up.

I haven't really officially released it yet.

http://www.impsec.org/~jhardin/SURBL_registrar/




Re: SpamAssassin + sql user prefs

2006-10-31 Thread John D. Hardin
On Tue, 31 Oct 2006, Jim Maul wrote:

  My question is:  Are there any settings for SpamAssassin that users would 
  set
  in their prefs, that would bypass scanning of their email?  My reason for
  asking is that if we have users that do not want any scanning, we'd like to
  free up the load on the server so it's not scanning messages and scoring them
  for no reason.
 
 There is nothing in SA to tell it not to scan something.  If you
 don't want SA to scan a piece of mail, then you have to tell
 whatever calls SA (Procmail it seems, in your setup) not to pass
 that particular mail to it.  I've never used procmail myself but
 I'm sure someone here can offer some help with that.

One possibility:

:0
 20
* ! ^List-Id: .*[EMAIL PROTECTED]?
* ? test -f $HOME/enable_spamassassin
| /usr/bin/spamc


They'd have to create a file in their home directory (opt in) to use
spamassassin.




imap-connection for sa-learn

2006-10-31 Thread Harald ARNOLD
I want to filter my spam mail by amavis/SpamAssassin 
(SuSE V10) for a linux box (evolution) and also for a
second W2K box with outlook.

Everything is working fine, but I cannot put spam-mails
in an imap folder to transfer those mails back to the
mail-server to learn via sa-learn --spam.

On my old mail-server everything was working fine. Therefore
I think that I have a problem with my SSL-keys. At the last
installation I wrote many things to my docu, but I think
not all :-(((


== Problem: IMAP, new CA-Key and Keys-imap.mailserver.at 

What I did:

create CA (in /etc/ssl):


openssl req -config openssl.cnf -new -x509 -keyout private/DOMAINCA-key.pem \
  -out private/DOMAINCA-key.pem -days 366
 PassPhrase AAA
 AT/././DOMAIN/.DOMAIN root Certificate/[EMAIL PROTECTED]
openssl req -config wo -new -x509 -keyout private/DOMAINCA-key.pem \
  -out DOMAINCA-cert.pem -days 366
 AT/././DOMAIN./DOMAIN root Certificate/[EMAIL PROTECTED]
openssl x509 -in DOMAINCA-cert.pem -out DOMAINCA-cert.crt

== cp DOMAINCA-cert.crt /srv/www/htdocs/ssl
== scp DOMAINCA-cert.crt -- linux-client /tmp
== Insert into evolution

imap.domain.at-certificate (ping to imap.domain.at is OK):
==
openssl req -config wo -new -keyout newreq.pem -out newreq.pem \
  -days 366
 AT/././DOMAIN./Mail/[EMAIL PROTECTED]/imap.domain.at/[EMAIL PROTECTED]/./.
openssl ca -config wo -policy policy_anything -out newcert.pem \
  -infiles newreq.pem
openssl x509 -in newcert.pem -out newcert.crt

then my docu is not complete: 
??? move which files (newcert.pem or .crt) to which subdirectory 
  in /etc/ssl 
??? which file to insert into evolution (.pem or .crt)

As far as I can remember I also needed to convert the imap key to pk12
  for Outlook. ??? How can I do this?


My /etc/ssl/openssl.cnf
===
HOME= .
RANDFILE= $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca  = CA_default# The default ca section
[ CA_default ]
dir              = /etc/ssl              # Where everything is kept
certs            = $dir/certs            # Where the issued certs are kept
crl_dir          = $dir/crl              # Where the issued crl are kept
database         = $dir/index.txt        # database index file.
                                         # several certificates with same subject.
new_certs_dir    = $dir/newcerts         # default place for new certs.
certificate      = $dir/private/DOMAINCA-cert.pem  # The CA certificate
serial           = $dir/serial           # The current serial number
                                         # commented out to leave a V1 CRL
crl              = $dir/crl.pem          # The current CRL
private_key      = $dir/private/DOMAINCA-key.pem   # The private key
RANDFILE         = $dir/private/.rand    # private random number file
x509_extensions  = usr_cert              # The extensions to add to the cert
name_opt         = ca_default            # Subject Name options
cert_opt         = ca_default            # Certificate field options
default_days     = 3650                  # how long to certify for
default_crl_days = 30                    # how long before next CRL
default_md       = md5                   # which md to use.
preserve         = no                    # keep passed DN ordering
policy           = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional
[ req ]
default_bits= 1024
default_keyfile = privkey.pem
distinguished_name  = req_distinguished_name
attributes  = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AT
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Vienna
localityName= Locality Name (eg, city)
localityName_default= Vienna
0.organizationName  = Organization Name (eg, company)
0.organizationName_default  = DOMAIN
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = DOMAIN CA
commonName  = Common Name (eg, YOUR name)
commonName_max  = 64
emailAddress= Email Address
emailAddress_default= [EMAIL PROTECTED]
emailAddress_max  
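The same procedure end to end, as an added example rather than the poster's docu: a private CA, the IMAP server certificate, a DER copy of the CA certificate for the Windows client, and a PKCS#12 bundle of the server's own key and certificate that stays on the server. It signs with openssl x509 -req instead of openssl ca (so no index.txt/serial database is needed), uses sha256 and 2048-bit keys instead of the md5 and 1024-bit defaults in the posted openssl.cnf, and every path, subject and host name in it is an assumption.

```sh
#!/bin/sh
# Added example, not the poster's docu: private CA, IMAP server
# certificate, DER copy of the CA certificate for the Windows client,
# and a PKCS#12 bundle that stays on the server. Paths, subjects and the
# host name are assumptions.

SSL_DIR="${SSL_DIR:-/etc/ssl}"
CA_NAME="${CA_NAME:-DOMAINCA}"
IMAP_HOST="${IMAP_HOST:-imap.domain.at}"

# make_ca <ca-passphrase> : self-signed CA certificate, 366 days,
# passphrase-protected key under private/
make_ca() {
    mkdir -p "$SSL_DIR/private" "$SSL_DIR/certs"
    chmod 700 "$SSL_DIR/private"
    openssl req -new -x509 -sha256 -newkey rsa:2048 -days 366 \
        -subj "/C=AT/O=DOMAIN/CN=DOMAIN root Certificate" \
        -passout "pass:$1" \
        -keyout "$SSL_DIR/private/$CA_NAME-key.pem" \
        -out "$SSL_DIR/$CA_NAME-cert.pem"
}

# make_server_cert <ca-passphrase> : unencrypted server key (the IMAP
# daemon must read it at start), a request, then a CA-signed cert with
# the host name in subjectAltName. "openssl x509 -req" signs here instead
# of "openssl ca", so no index.txt/serial database is required.
make_server_cert() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/C=AT/O=DOMAIN/OU=Mail/CN=$IMAP_HOST" \
        -keyout "$SSL_DIR/private/$IMAP_HOST-key.pem" \
        -out "$SSL_DIR/$IMAP_HOST-req.pem" &&
    printf 'subjectAltName=DNS:%s\n' "$IMAP_HOST" \
        > "$SSL_DIR/$IMAP_HOST-ext.cnf" &&
    openssl x509 -req -sha256 -days 366 \
        -in "$SSL_DIR/$IMAP_HOST-req.pem" \
        -CA "$SSL_DIR/$CA_NAME-cert.pem" \
        -CAkey "$SSL_DIR/private/$CA_NAME-key.pem" -passin "pass:$1" \
        -CAcreateserial \
        -extfile "$SSL_DIR/$IMAP_HOST-ext.cnf" \
        -out "$SSL_DIR/certs/$IMAP_HOST-cert.pem"
}

# verify_chain : exit 0 when the server cert chains to the CA
verify_chain() {
    openssl verify -CAfile "$SSL_DIR/$CA_NAME-cert.pem" \
        "$SSL_DIR/certs/$IMAP_HOST-cert.pem" >/dev/null
}

# export_ca_der : what the Windows/Outlook box imports. Renaming .pem to
# .crt does not change the encoding; -outform DER does.
export_ca_der() {
    openssl x509 -in "$SSL_DIR/$CA_NAME-cert.pem" -outform DER \
        -out "$SSL_DIR/$CA_NAME-cert.crt"
}

# export_pkcs12 <p12-passphrase> : server key + cert + CA cert in one
# PKCS#12 file. It carries the private key, so it belongs on the IMAP
# server only, never on client machines.
export_pkcs12() {
    openssl pkcs12 -export \
        -inkey "$SSL_DIR/private/$IMAP_HOST-key.pem" \
        -in "$SSL_DIR/certs/$IMAP_HOST-cert.pem" \
        -certfile "$SSL_DIR/$CA_NAME-cert.pem" \
        -passout "pass:$1" \
        -out "$SSL_DIR/$IMAP_HOST.p12"
}
```

Evolution takes the PEM CA certificate, Outlook the DER .crt; the .p12 is for the server side.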

Re: SpamAssassin + sql user prefs

2006-10-31 Thread Benny Pedersen

On Tue, October 31, 2006 20:01, Chris Szilagyi wrote:

 the front-end for the user settings, and one of the settings is to set the
 level to '99' => _(Don't Filter).  But I'm just trying to figure out if
 this will force SpamAssassin (spamd) to just pass the message through without
 examining the content, to lighten up the load on the server.

how do you know the score without scanning in the first place ?

 Does anybody know which setting (if any) will accomplish this?  Thank you very
 much for the feedback.

remove spamc from procmailrc in the users home dir ?

-- 
This message was sent using 100% recycled spam mails.



Re: R: R: Age of a domain name - a new test?

2006-10-31 Thread John D. Hardin
On Tue, 31 Oct 2006, Giampaolo Tomassoni wrote:

  Where can I find out more about this plugin? I searched the wiki for 
  registrar and it doesn't turn up.
 
 http://www.impsec.org/~jhardin/SURBL_registrar/
 
 It was in one of Hardin's messages (id
 [EMAIL PROTECTED]) sent
 yesterday to this list.
 
 Brand-new stuff...

It's been around for a couple of months, I just haven't been pushing
it too vocally as I don't have a good idea how truly useful it is (my
mail volume is pretty low) and I do have concerns about the whois
traffic (as has been discussed).




Script question.

2006-10-31 Thread Kyle Quillen
Hello all,

I have a bit of a problem.  I am trying to come up with a solution that
I think will help a lot of people who use the qmail toaster mail server.
I have my toaster setup to drop mail tagged as spam into spam
directories in each users mailbox.  I am planning on putting a Ham box
in their web mail as well.  I would like to come up with a script for
the toaster community that will tell spamassassin to learn from the mail
in each of these directories on a regular basis.  I would like the
script to delete mail in the spam and ham dirs on a regular basis.

Any help on this would be greatly appreciated.

Thanks
Kyle Quillen



Re: Relay Checker Plugin (code review please?)

2006-10-31 Thread John Rudd

Stuart Johnston wrote:

John Rudd wrote:



2) This sort of replaces the other set of rules I created, that did 
this with metarules instead of a plugin.  This made some of the checks 
less useful.  You probably don't need to use both methods.


So, what is the point of doing this as a plugin instead of using 
existing rules?  The obvious disadvantage is the additional dns lookups.


The advantages are:

a) being sure that the hostname in RDNS points back to the IP address 
you started with.  Thus detecting forgeries (which shouldn't happen with 
_any_ legitimate service)


b) just using the rules version of what I wrote, you can only check if 
the decimal IP address, in individual segments, is in the hostname.  You 
can't check if the entire decimal IP address (one large number) is in 
the IP address, nor can you check if the hexadecimal segments are in the 
hostname.



(a) requires more DNS work, yes.  (b) does not.  It just requires a bit 
more math.




Re: Script question.

2006-10-31 Thread John D. Hardin
On Tue, 31 Oct 2006, Kyle Quillen wrote:

 I have my toaster setup to drop mail tagged as spam into spam
 directories in each users mailbox.  I am planning on putting a Ham box
 in their web mail as well.  I would like to come up with a script for
 the toaster community that will tell spamassassin to learn from the mail
 in each of these directories on a regular basis.  I would like the
 script to delete mail in the spam and ham dirs on a regular basis.

I posted a script that does that (at least for mailboxes, not maildir)  
a bit ago...

searches

http://www.nabble.com/sa-learn-question-tf2320488.html#a6456600

Rather than deleting the messages, you might be better served by aging
the files. If you need to wipe and retrain your Bayes database, or
find out where it was mistrained, having the SPAM and HAM corpora can
help a lot.




Re: Relay Checker Plugin (code review please?)

2006-10-31 Thread Stuart Johnston

John Rudd wrote:

Stuart Johnston wrote:

John Rudd wrote:



2) This sort of replaces the other set of rules I created, that did 
this with metarules instead of a plugin.  This made some of the 
checks less useful.  You probably don't need to use both methods.


So, what is the point of doing this as a plugin instead of using 
existing rules?  The obvious disadvantage is the additional dns lookups.


The advantages are:

a) being sure that the hostname in RDNS points back to the IP address 
you started with.  Thus detecting forgeries (which shouldn't happen with 
_any_ legitimate service)


Postfix does this for you.  It is easy enough to write an SA rule to look at the Postfix headers.  I 
don't know about other MTAs.



b) just using the rules version of what I wrote, you can only check if 
the decimal IP address, in individual segments, is in the hostname.  You 
can't check if the entire decimal IP address (one large number) is in 
the IP address, nor can you check if the hexadecimal segments are in the 
hostname.



(a) requires more DNS work, yes.  (b) does not.  It just requires a bit 
more math.




This is just my opinion, of course, but:  I'd probably make the plugin just do 
(b).

It might be nice if SA did (a) as part of its standard checks although in my experience, way too 
many legitimate mail servers fail on this for it to be useful anyway.


What has happened to RulesDuJour?

2006-10-31 Thread Robert S

If I go to the RulesDuJour site
(http://www.exit0.us/index.php?pagename=RulesDuJour), I get:

Object not found!

   The requested URL was not found on this server. The link on the
referring page seems to be wrong or outdated. Please inform the author
of that page about the error.

   If you think this is a server error, please contact the webmaster

Error 404

   www.exit0.us
   Tue 31 Oct 2006 03:48:05 PM EST
   Apache

What is going on here?  Has the site moved?


Re: SpamAssassin + sql user prefs

2006-10-31 Thread Darron Froese

On 31-Oct-06, at 12:01 PM, Chris Szilagyi wrote:

I have SpamAssassin 3.1.7 (using spamc/spamd) installed on a Red Hat 7.1
system, with Perl 5.6.1.  We currently have SQL user prefs enabled in a MySQL
db, and put the entries in /etc/procmailrc to enable system-wide scanning.

My question is:  Are there any settings for SpamAssassin that users would set
in their prefs, that would bypass scanning of their email?  My reason for
asking is that if we have users that do not want any scanning, we'd like to
free up the load on the server so it's not scanning messages and scoring them
for no reason.  Right now we're using the sasql plugin for Squirrelmail as
the front-end for the user settings, and one of the settings is to set the
level to '99' => _(Don't Filter).  But I'm just trying to figure out if
this will force SpamAssassin (spamd) to just pass the message through without
examining the content, to lighten up the load on the server.

Does anybody know which setting (if any) will accomplish this?  Thank you very
much for the feedback.


We've used Amavisd-new to make this happen - basically, what happens  
is this:


1. Mail comes into Postfix.
2. Postfix hands it off to Amavisd-new
3. Amavisd-new checks for viruses using clamav and discards if it  
finds one (can be overridden by the end user if they want).
4. Amavisd-new checks the DB to see if this user has turned on spam  
filtering - if they haven't it just passes it through.


Works great here - we only enable spam filtering if it's been asked  
for - otherwise it can be a little too big of a hassle for support  
sometimes.

--
darron froese
principal
nonfiction studios inc.
t  403.686.8887
c 403.819.7887
f  403.313.9233
w http://nonfiction.ca/
e  [EMAIL PROTECTED]




RE: Script question.

2006-10-31 Thread Bowie Bailey
Kyle Quillen wrote:
 Hello all,
 
 I have a bit of a problem.  I am trying to come up with a solution
 that I think will help a lot of people who use the qmail toaster mail
 server. I have my toaster setup to drop mail tagged as spam into spam
 directories in each users mailbox.  I am planning on putting a Ham box
 in their web mail as well.  I would like to come up with a script for
 the toaster community that will tell spamassassin to learn from the
 mail in each of these directories on a regular basis.  I would like
 the script to delete mail in the spam and ham dirs on a regular basis.

That is fairly easy to do and I think there has already been one
script posted.  I just wanted to comment on what it sounds like you
are doing.

Please make sure that you are only learning messages that have been
sorted by a person.  Otherwise, false positives and false negatives
will very quickly make your Bayes DB useless.  Leave the autolearning
on if you like, but manual learning should be limited to manually
sorted mail, otherwise it is not helpful.

-- 
Bowie
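A script along those lines, as an added example rather than one posted in this thread: it learns only from the folders a person has moved mail into, as Bowie recommends, and ages learned messages out after a retention period instead of deleting them at once, as John suggests. The vpopmail domain path and the .Spam/.Ham folder names are assumptions to adjust to the toaster's layout.

```sh
#!/bin/sh
# Added example, not a script from the thread. Trains Bayes from the
# folders users sort mail into on a qmail toaster, then ages the learned
# messages out. Paths and folder names below are assumptions.

SA_LEARN="${SA_LEARN:-sa-learn}"                                # sa-learn binary
VPOPMAIL_DOMAINS="${VPOPMAIL_DOMAINS:-/home/vpopmail/domains}"  # assumed layout
KEEP_DAYS="${KEEP_DAYS:-30}"            # keep a corpus this long for retraining

# learn_folder <maildir-folder> <spam|ham>
# Feeds the folder's cur/ subdirectory (where IMAP-moved messages land)
# to sa-learn in the given mode. Returns 1 if the folder is absent.
learn_folder() {
    folder="$1"; mode="$2"
    [ -d "$folder/cur" ] || return 1
    "$SA_LEARN" --no-sync "--$mode" "$folder/cur"
}

# age_folder <maildir-folder> <days>
# Deletes messages in cur/ older than <days> days and prints how many
# were removed; newer ones stay available if Bayes has to be retrained.
age_folder() {
    folder="$1"; days="$2"
    [ -d "$folder/cur" ] || return 1
    find "$folder/cur" -type f -mtime "+$days" -print -exec rm -f {} + |
        wc -l | tr -d ' '
}

# learn_user <Maildir>
# Only the hand-sorted .Spam and .Ham folders are learned; the folder
# the filter itself files spam into is never fed back in.
learn_user() {
    maildir="$1"
    learn_folder "$maildir/.Spam" spam || return 1
    learn_folder "$maildir/.Ham" ham || return 1
    age_folder "$maildir/.Spam" "$KEEP_DAYS" >/dev/null
    age_folder "$maildir/.Ham" "$KEEP_DAYS" >/dev/null
}

# learn_all : every user on the toaster, then one journal sync at the end
learn_all() {
    for maildir in "$VPOPMAIL_DOMAINS"/*/*/Maildir; do
        [ -d "$maildir" ] || continue
        learn_user "$maildir" || echo "skipping $maildir: no .Spam/.Ham" >&2
    done
    "$SA_LEARN" --sync
}
```

Run learn_all from cron as the user that owns the Bayes database.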


Re: bayes_auto_learn_threshold_nonspam

2006-10-31 Thread Kelson

Chris Purves wrote:
Running grep noautolearn /usr/share/spamassassin/* returns the list of 
tests with noautolearn set.

...
No Bayes in this list.  If your bayes database is well trained, then I 
don't see why it shouldn't be used to determine and train more spam or ham.


It doesn't need to be in the list.  Autolearn acts on the non-Bayes 
score sets.


man Mail::SpamAssassin::Conf


Note that certain tests are ignored when determining whether a message
should be trained upon:

 - rules with tflags set to 'learn' (the Bayesian rules)

 - rules with tflags set to 'userconf' (user white/black-listing rules, etc)

 - rules with tflags set to 'noautolearn'

Also note that auto-training occurs using scores from either score-
set 0 or 1, depending on what scoreset is used during message
check.  It is likely that the message check and auto-train scores
will be different.


Remember, score sets are:
0 - no bayes, no network
1 - no bayes, network
2 - bayes, no network
3 - bayes, network

This does mean that the score used for autolearn isn't quite the same as 
just taking the real score and subtracting/adding the bayes score.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Simple script that rejects mail from spammers

2006-10-31 Thread The Doctor
On Tue, Oct 31, 2006 at 08:48:16AM -0800, John D. Hardin wrote:
 On Tue, 31 Oct 2006, sa-russian wrote:
 
  Hi to all!
  
  I made a simple script that scans sendmail log files, finds IP
  from which several spam messages were received, and blocks them in
  sendmail access file.
 
 I just set up something similar to block at the firewall (Linux
 iptables, sendmail logfile). If they keep hitting SBL-XBL why let them
 try at all?
 
 I'll publish it if anyone's interested.


Please do.
 

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Beware Linux the Microsoft of Unixes


Re: Rule Updates

2006-10-31 Thread Matt Kettler
Matthias Haegele wrote:
 Patrick schrieb:
 I'm a little confused on rule updates.  If you are using SA version
 3.04 and run sa-update and/or rulesdujour, will the rules be updated
 only to the 3.0 branch or will they be updated to the most current
 branch and just fail if there are dependency issues?


In general, RDJ is just a blind update. It will download the file, test
it with spamassassin --lint, and if that passes, it will load it.

And as theo pointed out, there is no sa-update that actually works for
SA versions older than 3.1.1.

 rulesdujour: You should not use (pre) 3.0 rules, what damage this does
 i dont know, (i assume some rules made it in later SA releases?).

That or there's a 3.1 version of the ruleset that takes advantage of
newer features in the SA code, or some other feature of 3.1 made the set
obsolete.

Also of note, with RDJ, don't do Antidrug if you are using SA 3.0.0 or
higher. They're included already. (I am the author of antidrug).






Re: Help

2006-10-31 Thread Matt Kettler
san wrote:
 Hello..

 I have received lots of spam mails like the one i have attached...


 So I would like to make a rule to detect this kind of spam 
 I have gone through SARE and I didn't get any rule to avoid this and I am very
 new to SpamAssassin

 Anyone who can make this rule?
 Any kind of help is much appreciated


 Thanks...
 http://www.nabble.com/file/3930/acce.htm acce.htm 
   
That looks like just a text-only capture, so we're only seeing part of
the message, not the actual message.

I'm making a guess, but does the spam in question have an image (.gif
file) attached that contains the advertisement?

If so, the SARE stocks ruleset is your best bet.

Make sure your SA is set up to use DNSBLs, as most of these image
spams are sent from hosts listed in XBL. To do this, make sure you have
the Net::DNS perl module installed, and make sure you're not using the
-L parameter to spamassassin/spamc.

Aggressive bayes training with sa-learn helps some, but it's not highly
effective against this wave. It does help keep them in the BAYES_50
zone, instead of lower, but that's not going to catch the spam by itself.

Others have been using the FuzzyOCR plugin, but this is a bit expensive
in terms of CPU load. It also seems some of the more recent ones are
adapting by using cluttered backgrounds.


Re: whitelist_from_rcvd

2006-10-31 Thread Matt Kettler
Chris Edwards wrote:
 Hello!
  
 Praise...
  
 I have not used spamassassin for several years.  I switched companies
 recently and they were getting killed with spam.  I have really
 enjoyed relearning spamassassin and reading the mailing list. 
 Spamassassin has done an incredible job of reducing the amount of
 spam coming into the company.  I just wanted to say thanks to all of
 you who have had a hand in developing this awesome program!
  
 Ok, now my question...
  
 My company has several other companies that it does business with and
 I want to put those companies and all the domains we own into a white
 list.  Can I find the needed information in the headers of an email to
 create a  whitelist_from_rcvd entry in local.cf?  If so, what
 information do I need?  If not, where would I go about finding it.
whitelist_from_rcvd needs to match two parts:

1) A From address. This could be the From: header, but could also be a
Return-Path, Envelope-Sender, or similar header with the Envelope Mail
FROM recorded in it. Which one you pick for most cases doesn't matter,
but matching a Return-Path is useful for public mailing lists where the
From: header changes constantly, but the Return-Path is always the list
server.

Note: you can use file-glob style wildcards for the addresses here. ie:
[EMAIL PROTECTED]

2) The Reverse DNS hostname for the host that delivered the message to
your network. So find the Received: header your MX added. Then grab the
hostname that appears before the IP address.

For example, let's look at one header that apache.org added:

Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
 by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 31 Oct 2006 10:14:47 -0800

In this case herse.apache.org is the reverse DNS hostname.

Note: you don't have to match the whole hostname. You can use a substring like 
apache.org and it will match herse.apache.org or example.apache.org.


Nine times out of ten, a whitelist_from_rcvd simply looks like:

whitelist_from_rcvd [EMAIL PROTECTED] example.com

But it never hurts to check the headers, as some folks use servers that
have non-matching domain names to send. (typical when a server is used
for multiple domains. It can only RDNS as one of them...)

  
 Thanks!

 ---

 Chris Edwards

  



Re: Relay Checker Plugin (code review please?)

2006-10-31 Thread John Rudd

Stuart Johnston wrote:

John Rudd wrote:

Stuart Johnston wrote:

John Rudd wrote:



2) This sort of replaces the other set of rules I created, that did 
this with metarules instead of a plugin.  This made some of the 
checks less useful.  You probably don't need to use both methods.


So, what is the point of doing this as a plugin instead of using 
existing rules?  The obvious disadvantage is the additional dns lookups.


The advantages are:

a) being sure that the hostname in RDNS points back to the IP address 
you started with.  Thus detecting forgeries (which shouldn't happen 
with _any_ legitimate service)


Postfix does this for you.  It is easy enough to write an SA rule to 
look at the Postfix headers.  I don't know about other MTAs.


Sendmail does some of it, but since I didn't find detailed documentation 
on the Trusted/Untrusted Relay pseudo-headers, I don't know if it's 
represented in there.  Nor do I know if it's on the meta-information I 
can get from permessagestatus when I ask for the untrusted relay entries 
(whose hash keys are, I assume, the names of the fields in the 
trusted/untrusted relays lines)


If I could get that same information without the DNS checks, I would. 
(though, honestly, with a little more investigation, I can probably 
eliminate ONE of my two DNS checks by looking at more of the pseudo-header).



b) just using the rules version of what I wrote, you can only check if 
the decimal IP address, in individual segments, is in the hostname.  
You can't check if the entire decimal IP address (one large number) is 
in the IP address, nor can you check if the hexadecimal segments are 
in the hostname.



(a) requires more DNS work, yes.  (b) does not.  It just requires a 
bit more math.




This is just my opinion, of course, but:  I'd probably make the plugin 
just do (b).


It might be nice if SA did (a) as part of its standard checks although 
in my experience, way too many legitimate mail servers fail on this for 
it to be useful anyway.


I have yet to have a legitimate message rejected by that check, when 
I've been doing it in mimedefang.
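Check (b) as an added example rather than the plugin's own Perl: a POSIX shell function that applies the heuristic described above (two or more adjacent octets of the address in decimal, zero-padded decimal, or two-digit hex, or the whole address as one decimal number). Names like the adsl-074-246-243-216 host in the spam headers further down this page are what it flags; it is a scoring signal, not proof, since single-digit octets occur in almost any name, which is why at least two adjacent hits are required.

```sh
#!/bin/sh
# Added example, not the plugin's code. Does a relay's hostname embed its
# own IP address? Matches two to four adjacent octets, each optionally
# zero-padded decimal or two-digit hex and separated by at most one
# character, or the whole address written as a single decimal number.

# ip_in_hostname <dotted-decimal-ip> <hostname>
# Exit 0 when the hostname matches, 1 when it does not, 2 on a bad address.
ip_in_hostname() {
    ip="$1"
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 2
    alts=""     # regex alternatives: decimal and hex form of each octet
    whole=0     # the address as one 32-bit number
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 2 ;; esac
        # drop leading zeros without arithmetic (074 would be read as octal)
        o=$(printf '%s' "$o" | sed 's/^0*\([0-9]\)/\1/')
        [ "$o" -le 255 ] || return 2
        alts="$alts|$o|$(printf '%02x' "$o")"
        whole=$((whole * 256 + o))
    done
    alts=${alts#|}
    printf '%s\n' "$host" |
        grep -E -q "([^[:space:]]?0*($alts)){2,4}|(^|[^0-9])$whole([^0-9]|\$)"
}
```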




pyzor server address

2006-10-31 Thread François Rousseau
I have a simple question... does someone know a good pyzor server?
Right now pyzor discover gives me 66.250.40.33:24441 and a pyzor ping gives me
66.250.40.33:24441 TimeoutError: so I suppose this server is just dead...
Thanks,
Francois Rousseau


Re[2]: why this spam has a negative score?

2006-10-31 Thread m . donicova
Hello,
On 24 October 2006, 8:05:06, you wrote:

 [EMAIL PROTECTED] wrote to me off list:
 So, how whitelist the e-mail from users in my domain?

 I'd be asking myself why there's a need to whitelist my own users. 
 Afterall, if you have to whitelist them to avoid their messages being 
 marked as spam, what do you expect is going to happen when their mail 
 arrives at other domains?

 In any case, you could use whitelist_from_rcvd, whitelist_from_spf 
 whitelist_from_dkim or whitelist_from_dk.  Or don't even bother scanning
 local mail.


 Daryl

I edited my local.cf to:

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###
#
# rewrite_header Subject *SPAM*
rewrite_header Subject *SPAM*
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
whitelist_from  [EMAIL PROTECTED]
trusted_networks 10.0.0/23 127/8
whitelist_from_rcvd [EMAIL PROTECTED] muvalmez.cz
##
use_bayes 1
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
#use_dcc 1
use_pyzor   1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - czech english german polish russian slovak 
ok_languages cs 

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales  cs
bayes_path /var/spool/spamassassin/bayes/bayes
bayes_file_mode 0777

but I still find this spam with a negative score:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on fw.muvalmez.cz
X-Spam-Status: No, score=-80.4 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,
FROM_LOCAL_NOVOWEL,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,
HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MY_CID_AND_CLOSING,
MY_CID_AND_STYLE,SARE_GIF_ATTACH,SARE_GIF_STOX,UNPARSEABLE_RELAY,
USER_IN_WHITELIST autolearn=no version=3.1.5
X-Spam-Level: 
X-Original-To: [EMAIL PROTECTED]
Received: from adsl-074-246-243-216.sip.ard.bellsouth.net 
(adsl-074-246-243-216.sip.ard.bellsouth.net [74.246.243.216])
by fw.muvalmez.cz (Postfix) with ESMTP id 5DC9E2C092
for [EMAIL PROTECTED]; Tue, 31 Oct 2006 22:17:37 +0100 (CET)
Received: from mail.roschemanagement.de (port=15557 helo=hfksmjdhqtfa)
by adsl-074-246-243-216.sip.ard.bellsouth.net with smtp
id 46D6-mPwO8R8w-Hn4
for [EMAIL PROTECTED]; Tue, 31 Oct 2006 16:17:39 -0500
Message-ID: [EMAIL PROTECTED]
From: Ricky Martin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: your spiritual side of the rising in all, the.  I fuse a
Date: Tue, 31 Oct 2006 16:17:39 -0500
-- 
Regards,
 [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]
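The X-Spam-Status line above shows where the negative score comes from: USER_IN_WHITELIST (-100) fired. whitelist_from is satisfied by the sender address alone, whatever host delivered the message, and the Received: headers show a bellsouth.net ADSL host that the posted whitelist_from_rcvd line for muvalmez.cz cannot match, so it is the whitelist_from entry that the forged sender address hit. As an added illustration that is not part of the original message, the weak entry from the posted local.cf beside the alternatives Daryl's quoted reply names; the address is a placeholder for the redacted one:

```text
# Weak (as in the posted local.cf): matched on the sender address alone,
# no matter which host delivered the message. A spam that forges a local
# address earns USER_IN_WHITELIST (-100) and is never tagged.
whitelist_from      user@muvalmez.cz

# Instead: the same address, but only when the last untrusted relay's
# reverse DNS name is in muvalmez.cz. This line is already in the posted
# file, so dropping the whitelist_from line above is all that is needed.
whitelist_from_rcvd user@muvalmez.cz  muvalmez.cz

# Or: only when the delivering host passes the domain's SPF check
# (requires the SPF plugin to be enabled).
whitelist_from_spf  user@muvalmez.cz
```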



Net::DNS and Perl 5.8.1

2006-10-31 Thread m . donicova
Is it possible to install Net::DNS on Perl version 5.8.1?
 [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]