How to use BUILD_SPAMC=no ?
In Makefile.PL we observe

    'BUILD_SPAMC', # Set to 'no' to skip build of spamc.
    'BUILD_SPAMD', # Set to 'no' to skip build of spamd.

Does this mean we can do perl Makefile.PL BUILD_SPAMC=no BUILD_SPAMD=no?

But if I see

    cd spamc
    /usr/bin/perl version.h.pl

in the compilation, does that mean I have made a mistake?
Re: Spam with attachments and UNPARSEABLE_RELAY
On 2016-11-25 13:57, Bill Cole wrote:
> It LOOKS like that is being generated by a PHP script on the host that's
> delivering it, which appears to be running some atrocious mail handler
> calling itself 'nullmailer' that doesn't do Received headers in any
> useful way.

FWIW nullmailer is a respected minimalist MTA:

[1+0]~$ apt-cache show nullmailer
Package: nullmailer
Version: 1:1.13-1+deb8u1
Installed-Size: 2360
Maintainer: Nick Leverton
Architecture: amd64
Replaces: mail-transport-agent
Provides: mail-transport-agent
Depends: lsb-base, debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.15), libgnutls-deb0-28 (>= 3.3.0), libstdc++6 (>= 4.1.1)
Recommends: rsyslog | system-log-daemon
Conflicts: mail-transport-agent
Description-en: simple relay-only mail transport agent
 Nullmailer is a replacement MTA for hosts, which relay to a fixed set of
 smart relays. It is designed to be simple to configure and especially
 useful on slave machines and in chroots.
Description-md5: cf5bb13c21a01ffa34dc0048e9689c33
Homepage: http://untroubled.org/nullmailer/
Tag: interface::daemon, mail::transport-agent, network::server,
 protocol::smtp, role::program, works-with::mail
Section: mail
Priority: extra
Filename: pool/main/n/nullmailer/nullmailer_1.13-1+deb8u1_amd64.deb
Size: 92642

--
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Re: Spam with attachments and UNPARSEABLE_RELAY
On 25 Nov 2016, at 5:28, geoff.sa_users_161...@alphaworks.co.uk wrote:

> On 25/11/2016 10:26, Paul Stead wrote:
>> On 25/11/16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
>>> X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
>>> X-Antivirus-Status: Infected
>>> X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js
>>> Virus: JS:LockyDownloader [Trj] Deleted
>>
>> Your AV correctly identified the bad attachment - generally these don't even get as far as SA in my setup
>>
>> This all depends on the glue used and ordering within your MTA and how it reacts to malware attachments
>
> I don't have a lot of control over my setup as it's a hosted VPS. The AV is locally on my PC so comes late in the process...

That might explain why there's no valid Received header in the whole message...

It LOOKS like that is being generated by a PHP script on the host that's delivering it, which appears to be running some atrocious mail handler calling itself 'nullmailer' that doesn't do Received headers in any useful way. It might help to know what the 'x.x.x.x' was, but I suspect not much.

The mess of headers MAY be secondary to your AV mangling the message and reconstructing it without the original headers.
Re: Spam with attachments and UNPARSEABLE_RELAY
On 25/11/2016 11:22, Matus UHLAR - fantomas wrote:
> On 24.11.16 10:23, Geoff Soper wrote:
>>> Subject: Spam with attachments and UNPARSEABLE_RELAY
>>> For a few weeks I've been suffering spam messages with attachments getting through with a suspicious score of 0.0. Upon inspection, they all had the following lines in the header:
>
> On 25.11.16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
>> 1. See attached example. I've removed the username and replaced it with .
>> 2. Other mail is getting correctly identified as spam so that's something...
>
>> Return-Path:
>> X-Spam-Report:
>>  * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
>
>> Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500
>> X-No-Auth: unauthenticated sender
>> Received: from internal (unknown [x.x.x.x])
>> Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500
>
>> X-PHP-Originating-Script: 7637323:SendMail.class.php
>
> This says that the mail was received from a webpage on your server, and the local mailer "nullmailer" seems to have delivered it directly to you.
>
> in fact, you don't know anything about this mail - it was apparently received via HTTP, but the SendMail.class.php running under uid 7637323 did not provide even remote IP address.
>
> apparently SA can't parse nullmailer headers - apparently because nullmailer provides no useful headers.
>
> in this case it's really hard to detect anything, since all information about mail is lost in PHP. Maybe PHP could at least provide client's IP (maybe all in x-forwarded-for path) and that could help us.

Thanks for this analysis, this rings alarm bells. Can you be sure that this is definitely coming from a PHP on my server? I'll start investigating on the assumption that it is.

Many thanks,
Geoff
Re: Spam with attachments and UNPARSEABLE_RELAY
On 24.11.16 10:23, Geoff Soper wrote:
>> Subject: Spam with attachments and UNPARSEABLE_RELAY
>> For a few weeks I've been suffering spam messages with attachments getting through with a suspicious score of 0.0. Upon inspection, they all had the following lines in the header:

On 25.11.16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
> 1. See attached example. I've removed the username and replaced it with .
> 2. Other mail is getting correctly identified as spam so that's something...

> Return-Path:
> X-Spam-Report:
>  * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines

> Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500
> X-No-Auth: unauthenticated sender
> Received: from internal (unknown [x.x.x.x])
> Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500

> X-PHP-Originating-Script: 7637323:SendMail.class.php

This says that the mail was received from a webpage on your server, and the local mailer "nullmailer" seems to have delivered it directly to you.

in fact, you don't know anything about this mail - it was apparently received via HTTP, but the SendMail.class.php running under uid 7637323 did not provide even remote IP address.

apparently SA can't parse nullmailer headers - apparently because nullmailer provides no useful headers.

in this case it's really hard to detect anything, since all information about mail is lost in PHP. Maybe PHP could at least provide client's IP (maybe all in x-forwarded-for path) and that could help us.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
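The header reading in the message above can be reproduced mechanically. The following is an added example, not part of the original thread and not SpamAssassin's own relay parser: it sorts each Received line into local queue injection, usable network hop, or unparseable, and checks whether the uid in X-PHP-Originating-Script matches the uid that injected the mail. The function names and the two simplified regexes (IPv4 only) are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: header lines copied from the message posted in this thread.
SAMPLE = """\
X-No-Auth: unauthenticated sender
Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500
X-PHP-Originating-Script: 7637323:SendMail.class.php

"""

# Local queue injection: "(<program> pid N invoked by uid N)", no network peer.
LOCAL = re.compile(r"^\((\S+) pid (\d+) invoked by uid (\d+)\)")
# Hop usable for relay checks: "from <helo> (... [<IPv4>]) ... by <host>".
HOP = re.compile(r"^from \S+ \(.*\[(\d{1,3}(?:\.\d{1,3}){3})\]\).*\bby \S+")

def parse_received(value):
    """Return (kind, uid) for one Received value; uid is set only for 'local'."""
    value = " ".join(value.split())              # unfold continuation lines
    m = LOCAL.match(value)
    if m:
        return ("local", m.group(3))
    if HOP.match(value):
        return ("hop", None)
    return ("unparseable", None)

def triage(raw):
    """Summarise what the trace headers say about where a message came from."""
    msg = message_from_string(raw)
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    local_uids = {uid for kind, uid in parsed if kind == "local"}
    script = msg.get("X-PHP-Originating-Script")  # PHP writes "<uid>:<file>"
    php_uid, _, php_file = (script or "").partition(":")
    return {
        "received": [kind for kind, _ in parsed],
        "network_hops": sum(kind == "hop" for kind, _ in parsed),
        "php_script": php_file or None,
        # True when the uid that ran the PHP script also queued the mail.
        "injected_by_php_uid": bool(script) and php_uid in local_uids,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with zero network hops and a matching uid points the investigation at the web account that owns that uid on the delivering host, since the headers give no remote peer to score.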
Re: Spam with attachments and UNPARSEABLE_RELAY
On 25/11/2016 10:26, Paul Stead wrote:
> On 25/11/16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
>> X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
>> X-Antivirus-Status: Infected
>> X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js
>> Virus: JS:LockyDownloader [Trj] Deleted
>
> Your AV correctly identified the bad attachment - generally these don't even get as far as SA in my setup
>
> This all depends on the glue used and ordering within your MTA and how it reacts to malware attachments

I don't have a lot of control over my setup as it's a hosted VPS. The AV is locally on my PC so comes late in the process...
Re: Spam with attachments and UNPARSEABLE_RELAY
On 25/11/16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
> X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
> X-Antivirus-Status: Infected
> X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js
> Virus: JS:LockyDownloader [Trj] Deleted

Your AV correctly identified the bad attachment - generally these don't even get as far as SA in my setup

This all depends on the glue used and ordering within your MTA and how it reacts to malware attachments

Paul

--
Paul Stead
Systems Engineer
Zen Internet
Re: Spam with attachments and UNPARSEABLE_RELAY
On 24/11/2016 13:15, Matus UHLAR - fantomas wrote:
> On 24.11.16 10:23, Geoff Soper wrote:
>> Subject: Spam with attachments and UNPARSEABLE_RELAY
>> For a few weeks I've been suffering spam messages with attachments getting through with a suspicious score of 0.0. Upon inspection, they all had the following lines in the header:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on server.alphaworks.co.uk
>> X-Spam-Level:
>> X-Spam-Status: No, score=0.0 required=3.0 tests=UNPARSEABLE_RELAY autolearn=unavailable autolearn_force=no version=3.4.1
>> X-Spam-Score: 0.0
>
> 1. can you post headers from any such mail?
> 2. do other mails get caught or at least score different from 0.0 ?

Hi,

1. See attached example. I've removed the username and replaced it with .
2. Other mail is getting correctly identified as spam so that's something...

Many thanks,
Geoff

Return-Path:
X-Spam-Relays-External:
X-Spam-Relays-Untrusted:
X-Spam-Flag: NO
X-Spam-Status: No, Score=0.0
X-Spam-Report:
 * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on server.alphaworks.co.uk
X-Spam-Score: 0.0
X-Original-To: @alphaworks.co.uk
Delivered-To: @alphaworks.co.uk
X-No-Auth: unauthenticated sender
Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323); Fri, 25 Nov 2016 12:23:11 +0500
To: @alphaworks.co.uk>
Subject: *** VIRUS ***It Is Important
X-PHP-Originating-Script: 7637323:SendMail.class.php
From: "Esmeralda Gardner"
Date: Fri, 25 Nov 2016 12:23:11 +0500
MIME-Version: 1.0
Content-Type: multipart/related; boundary="4863c15906b03373f7d9d5b584584773"
Message-Id: <1124330643.045726.43998.sendm...@alphaworks.co.uk>
X-Procmail-Alphaworks-Geoff: 27/01/2014
X-Procmail-HeaderInclude: 27/01/2014
X-Procmail-Alphaworks-Whitelist: 27/01/2014
X-Procmail-DomainInclude: 27/01/2014
X-Procmail-Alphaworks-Blacklist: 27/01/2014
X-Procmail-BounceInclude: 27/01/2014
X-Procmail-DotInclude: 25/12/2009
X-Procmail-SpamAssassinInclude: 25/12/2009
X-Procmail-FooterInclude: 25/12/2009
X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
X-Antivirus-Status: Infected
X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js
Virus: JS:LockyDownloader [Trj] Deleted

--4863c15906b03373f7d9d5b584584773
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Dear , we received your invoice but couldn't pay, =
because your requisites were invalid.
Sending you the report of the problem - please open the attachment and =
check the data.

--4863c15906b03373f7d9d5b584584773--