Re: Filtering based on the recipients

2006-04-05 Thread Magnus Holmgren
Wednesday 05 April 2006 06:43, Philip Prindeville wrote:
 I was looking on the FAQ and the Wiki, but couldn't find this...

 How do I filter based on the recipient mailbox address?  For instance, I'm
 running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
 then I know they're bogus...

 And can probably block it, even if some of the recipients are valid email
 addresses.

You might want to make sure that your MTA adds headers for envelope 
recipients, for example Envelope-To:.

Then you can use 

 blacklist_to [EMAIL PROTECTED]
 blacklist_to [EMAIL PROTECTED]

but I would be careful because one *could* legitimately guess addresses, 
especially if it's difficult to find detailed contact information on the 
corresponding website. (Generally speaking; I don't know anything about your 
website or to which addresses it would be plausible to send mail at your 
domains.)

Your MTA does reject nonexistent recipients, and you just want to block mail 
that is sent to certain nonexistent recipients *and* one or more existent 
ones, I presume?

-- 
Magnus Holmgren




Re: Filtering based on the recipients

2006-04-05 Thread Sipos Gabor
Don't do this from spamassassin, reject messages sent to nonexistent
users from your MTA (postfix, exim4, whatever you use). This will also
lower the backscatter mail volume from your system (sending bounces to
forged sender addresses).

Gabor Sipos

 I was looking on the FAQ and the Wiki, but couldn't find this...

 How do I filter based on the recipient mailbox address?  For instance, I'm
 running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
 then I know they're bogus...

 And can probably block it, even if some of the recipients are valid email
 addresses.

 Thanks,

 -Philip





Re: Filtering based on the recipients

2006-04-05 Thread Benny Pedersen
 I was looking on the FAQ and the Wiki, but couldn't find this...
 How do I filter based on the recipient mailbox address?  For instance, I'm
 running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
 then I know they're bogus...

You accept them in your MTA?

 And can probably block it, even if some of the recipients are valid email
 addresses.

Does it make sense?




Re: Filtering based on the recipients

2006-04-05 Thread Matt Kettler
Philip Prindeville wrote:
 I was looking on the FAQ and the Wiki, but couldn't find this...

 How do I filter based on the recipient mailbox address?  For instance, I'm
 running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
 then I know they're bogus...

 And can probably block it, even if some of the recipients are valid email
 addresses.

First, as everyone pointed out, you should reject the ones sent to the
bogus accounts at the MTA layer.

However, that doesn't deal with the "even if some of the recipients are
valid" case.

If you have a message that is carpet bombed and addressed To: many
users, you can use SA's blacklist_to feature.

But if the message is BCCed to many users at your site, there's nothing
that SA can do. SA doesn't (generally) know the difference between a
single-recipient message and one that's BCCed to many users. It has no
access to the message envelope, only the headers and body, so this
information isn't accessible to SA.




RE: Filtering based on the recipients

2006-04-05 Thread Matthew.van.Eerde
Matt Kettler wrote:
 [It] has no access to the message envelope, only the headers and
 body, so this information isn't accessible to SA.

Well, unless you add an Apparently-To header in the MTA prior to calling 
SpamAssassin.  MIMEDefang has an $AddApparentlyToForSpamAssassin variable you 
can set to 1 in mimedefang-filter for this.

I assume SpamAssassin uses this header?

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Filtering based on the recipients

2006-04-05 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
 Matt Kettler wrote:
   
 [It] has no access to the message envelope, only the headers and
 body, so this information isn't accessible to SA.
 

 Well, unless you add an Apparently-To header in the MTA prior to calling 
 SpamAssassin.  MIMEDefang has an $AddApparentlyToForSpamAssassin variable you 
 can set to 1 in mimedefang-filter for this.

 I assume SpamAssassin uses this header?

   
Yes, but I've never seen an Apparently-To implementation that listed
all the recipients of a multi-recipient message...

All the implementations I've seen add this after the message has been
split up and only the current recipient is added, which doesn't help. We
are trying to detect one which has a BCC to another user.





Re: Filtering based on the recipients

2006-04-05 Thread Justin Mason

[EMAIL PROTECTED] writes:
 Matt Kettler wrote:
  [It] has no access to the message envelope, only the headers and body,
  so this information isn't accessible to SA.
 
 Well, unless you add an Apparently-To header in the MTA prior to calling
 SpamAssassin.  MIMEDefang has an $AddApparentlyToForSpamAssassin
 variable you can set to 1 in mimedefang-filter for this.
 
 I assume SpamAssassin uses this header?

Yep, it's used in all_to_addrs(), which is used for whitelist/blacklist_to
etc.

--j.


RE: Filtering based on the recipients

2006-04-05 Thread Matthew.van.Eerde
Matt Kettler wrote:
 [EMAIL PROTECTED] wrote:
 Matt Kettler wrote:
 Well, unless you add an Apparently-To header in the MTA prior to
 calling SpamAssassin.
 
 Yes, but I've never seen an Apparently-To implementation that listed
 all the recipients of a multi-recipient message...

You have now. :) From mimedefang.pl:

if ($AddApparentlyToForSpamAssassin and
    ($#Recipients >= 0)) {
    push(@sahdrs, "Apparently-To: " .
         join(", ", @Recipients) . "\n");
}

(@Recipients stores the list of recipients)

Caveat... this only adds the recipients the MTA knows about. If something is 
BCC'd to an ungodly number of recipients, the MSA will usually send it in 
several MAIL FROM commands.  The MTA will only know about the recipients for 
the current MAIL FROM command.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


RE: Filtering based on the recipients

2006-04-05 Thread Bowie Bailey
[EMAIL PROTECTED] wrote:
 Matt Kettler wrote:
  [EMAIL PROTECTED] wrote:
   Matt Kettler wrote:
   Well, unless you add an Apparently-To header in the MTA prior to
   calling SpamAssassin. 
   
  Yes, but I've never seen an Apparently-To implementation that
  listed all the recipients of a multi-recipient message...
 
 You have now. :) From mimedefang.pl:
 
 if ($AddApparentlyToForSpamAssassin and
     ($#Recipients >= 0)) {
     push(@sahdrs, "Apparently-To: " .
          join(", ", @Recipients) . "\n");
 }
 
 (@Recipients stores the list of recipients)
 
 Caveat... this only adds the recipients the MTA knows about. If
 something is BCC'd to an ungodly number of recipients, the MSA will
 usually send it in several MAIL FROM commands.  The MTA will only
 know about the recipients for the current MAIL FROM command.   

Hmmm...  Is this header removed prior to delivery?  If not, doesn't it
violate the entire idea of a BCC by letting the recipients know about
each other?

-- 
Bowie


Re: Filtering based on the recipients

2006-04-05 Thread Magnus Holmgren
Wednesday 05 April 2006 15:02, Bowie Bailey wrote:
 [EMAIL PROTECTED] wrote:
  You have now. :) From mimedefang.pl:
 
  if ($AddApparentlyToForSpamAssassin and
      ($#Recipients >= 0)) {
      push(@sahdrs, "Apparently-To: " .
           join(", ", @Recipients) . "\n");
  }
 
  (@Recipients stores the list of recipients)
 
  Caveat... this only adds the recipients the MTA knows about. If
  something is BCC'd to an ungodly number of recipients, the MSA will
  usually send it in several MAIL FROM commands.  The MTA will only
  know about the recipients for the current MAIL FROM command.

 Hmmm...  Is this header removed prior to delivery?  If not, doesn't it
 violate the entire idea of a BCC by letting the recipients know about
 each other?

Indeed. One must make sure that such headers are present only during internal 
processing and removed prior to delivery, local or remote.

-- 
Magnus Holmgren




RE: Filtering based on the recipients

2006-04-05 Thread Matthew.van.Eerde
Bowie Bailey wrote:
 [EMAIL PROTECTED] wrote:
 You have now. :) From mimedefang.pl:
 
 if ($AddApparentlyToForSpamAssassin and
     ($#Recipients >= 0)) {
     push(@sahdrs, "Apparently-To: " .
          join(", ", @Recipients) . "\n");
 }
 
 Hmmm...  Is this header removed prior to delivery?  If not, doesn't it
 violate the entire idea of a BCC by letting the recipients know about
 each other?

A copy of the message is made, certain headers are appended (Return-Path, 
Received, Apparently-To), and the copy is passed to SpamAssassin.  The return 
result of the SpamAssassin is captured and the message copy is discarded.

So the Apparently-To header is ONLY seen by SpamAssassin, and is not on the 
message as delivered to recipients.

Based on what SpamAssassin returns, the original may have headers appended to 
it (X-Spam-Status, etc.) -- or the mail might be discarded, tempfailed, or 
rejected.

It might, in theory, be possible for a clever user to be able to infer that 
someone was BCC'd under certain circumstances... for example, if there was a 
MAIL_APPARENTLY_TO_JOE_AT_EXAMPLE_DOT_COM rule.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Filtering based on the recipients

2006-04-05 Thread John D. Hardin
On Tue, 4 Apr 2006, Philip Prindeville wrote:

 How do I filter based on the recipient mailbox address?  For instance, I'm
 running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
 then I know they're bogus...
 
 And can probably block it, even if some of the recipients are valid email
 addresses.

Block *all* mail to a given user?

/etc/aliases:

  bogus_user:   /dev/null

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Senator, when you took your oath of office, you placed your hand on
 the Bible and swore to uphold the Constitution. You didn't place your
 hand on the Constitution and swear to uphold the Bible.
-- Jamie Raskin, Professor of Law at American
University, testifying before the Maryland Senate
---
 8 days until Thomas Jefferson's 263rd Birthday



RE: Filtering based on the recipients

2006-04-05 Thread Bowie Bailey
[EMAIL PROTECTED] wrote:
 Bowie Bailey wrote:
  [EMAIL PROTECTED] wrote:
   You have now. :) From mimedefang.pl:
   
   if ($AddApparentlyToForSpamAssassin and
       ($#Recipients >= 0)) {
       push(@sahdrs, "Apparently-To: " .
            join(", ", @Recipients) . "\n");
   }
  
  Hmmm...  Is this header removed prior to delivery?  If not, doesn't
  it violate the entire idea of a BCC by letting the recipients know
  about each other?
 
 A copy of the message is made, certain headers are appended
 (Return-Path, Received, Apparently-To), and the copy is passed to
 SpamAssassin.  The return result of the SpamAssassin is captured and
 the message copy is discarded.   
 
 So the Apparently-To header is ONLY seen by SpamAssassin, and is not
 on the message as delivered to recipients. 

Makes sense.  I was just curious as I hadn't seen this before.  That's
a good way of dealing with it.  I had forgotten (or didn't know) that
mimedefang does not use SA's markup.

 Based on what SpamAssassin returns, the original may have headers
 appended to it (X-Spam-Status, etc.) -- or the mail might be
 discarded, tempfailed, or rejected.  
 
 It might, in theory, be possible for a clever user to be able to
 infer that someone was BCC'd under certain circumstances... for
 example, if there was a MAIL_APPARENTLY_TO_JOE_AT_EXAMPLE_DOT_COM
 rule.   

Right.

-- 
Bowie


Re: Filtering based on the recipients

2006-04-05 Thread Steve Lindemann

John D. Hardin wrote:

On Tue, 4 Apr 2006, Philip Prindeville wrote:


How do I filter based on the recipient mailbox address?  For instance, I'm
running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
then I know they're bogus...

And can probably block it, even if some of the recipients are valid email
addresses.


Block *all* mail to a given user?

/etc/aliases:

  bogus_user:   /dev/null





A good choice... and another way to accomplish the task (assuming 
sendmail, I'm not sure about other MTAs):


/etc/mail/access

  bogus_user    ERROR 550 Go away - you are not welcome here
or
  bogus_user    REJECT   (acknowledge & reject message)
or
  bogus_user    DISCARD  (drops message)

also see:
http://www.sendmail.org/tips/relaying.html  (at page bottom)
http://www.seifried.org/security/os/linux/redhat/20011031-rh72-sendmail.html  (at page bottom)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/sendmail.html
http://www.sendmail.org/m4/anti_spam.html
http://www2.yo-linux.com/cgi-bin/mail-access  (use at own risk)

...you get the idea.
--
Steve Lindemann __
Network Administrator  //\\  ASCII Ribbon Campaign
Marmot Library Network, Inc.   \\//  against HTML/RTF email,
  url: http://www.marmot.org   //\\  vCards & M$ attachments
email: mailto:[EMAIL PROTECTED]
voice: +1.970.242.3331 ext 16
  fax: +1.970.245.7854




RE: Filtering based on the recipients

2006-04-05 Thread Matthew.van.Eerde
Steve Lindemann wrote:
 A good choice... and another way to accomplish the task (assuming
 sendmail, I'm not sure about other MTAs):
 
 /etc/mail/access
 
   bogus_user    ERROR 550 Go away - you are not welcome here
 or
   bogus_user    REJECT   (acknowledge & reject message)
 or
   bogus_user    DISCARD  (drops message)

I do

To:[EMAIL PROTECTED]    RELAY
To:[EMAIL PROTECTED]    RELAY
...
To:[EMAIL PROTECTED]    RELAY

To:example.tld          ERROR:5.1.1:550 User unknown

(Enumerate Goodness)

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Filtering based on the recipients

2006-04-05 Thread Philip Prindeville
Magnus Holmgren wrote:
 Wednesday 05 April 2006 06:43, Philip Prindeville wrote:
  I was looking on the FAQ and the Wiki, but couldn't find this...

  How do I filter based on the recipient mailbox address?  For instance, I'm
  running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
  then I know they're bogus...

  And can probably block it, even if some of the recipients are valid email
  addresses.

 You might want to make sure that your MTA adds headers for envelope
 recipients, for example Envelope-To:.

 Then you can use

  blacklist_to [EMAIL PROTECTED]
  blacklist_to [EMAIL PROTECTED]

 but I would be careful because one *could* legitimately guess addresses,
 especially if it's difficult to find detailed contact information on the
 corresponding website. (Generally speaking; I don't know anything about your
 website or to which addresses it would be plausible to send mail at your
 domains.)

Actually, a lot of these boilerplate email addresses like daemon, uucp, etc.
all get aliased to root, and root goes to me.

The legitimate addresses are few and go to different mailboxes.

 Your MTA does reject nonexistent recipients, and you just want to block mail
 that is sent to certain nonexistent recipients *and* one or more existent
 ones, I presume?

Yes.

-Philip




Re: Filtering based on the recipients

2006-04-05 Thread Philip Prindeville
Matt Kettler wrote:
 [EMAIL PROTECTED] wrote:
  Matt Kettler wrote:
   [It] has no access to the message envelope, only the headers and
   body, so this information isn't accessible to SA.

  Well, unless you add an Apparently-To header in the MTA prior to calling
  SpamAssassin.  MIMEDefang has an $AddApparentlyToForSpamAssassin variable you
  can set to 1 in mimedefang-filter for this.

  I assume SpamAssassin uses this header?

 Yes, but I've never seen an Apparently-To implementation that listed
 all the recipients of a multi-recipient message...

 All the implementations I've seen add this after the message has been
 split up and only the current recipient is added, which doesn't help. We
 are trying to detect one which has a BCC to another user.

Exactly.

I'm using Sendmail and Mimedefang 2.56 if that helps any.  Looking at
spam_assassin_mail() in Mimedefang, I see:

if ($AddApparentlyToForSpamAssassin and
    ($#Recipients >= 0)) {
    push(@sahdrs, "Apparently-To: " .
         join(", ", @Recipients) . "\n");
}

Are you sure the value of @Recipients is fragmented at this point?

-Philip



Re: Filtering based on the recipients

2006-04-05 Thread Philip Prindeville
Philip Prindeville wrote:
 Matt Kettler wrote:
  [EMAIL PROTECTED] wrote:
   Matt Kettler wrote:
    [It] has no access to the message envelope, only the headers and
    body, so this information isn't accessible to SA.

   Well, unless you add an Apparently-To header in the MTA prior to calling
   SpamAssassin.  MIMEDefang has an $AddApparentlyToForSpamAssassin variable
   you can set to 1 in mimedefang-filter for this.

   I assume SpamAssassin uses this header?

  Yes, but I've never seen an Apparently-To implementation that listed
  all the recipients of a multi-recipient message...

  All the implementations I've seen add this after the message has been
  split up and only the current recipient is added, which doesn't help. We
  are trying to detect one which has a BCC to another user.

 Exactly.

 I'm using Sendmail and Mimedefang 2.56 if that helps any.  Looking at
 spam_assassin_mail() in Mimedefang, I see:

 if ($AddApparentlyToForSpamAssassin and
     ($#Recipients >= 0)) {
     push(@sahdrs, "Apparently-To: " .
          join(", ", @Recipients) . "\n");
 }

 Are you sure the value of @Recipients is fragmented at this point?

 -Philip


Oh, never mind.  Hadn't yet caught up with all of the comments.

Regarding using the /etc/mail/access file... yeah, I could do that, but I can
get much more powerful filtering in mimedefang or spamassassin, so I'm
gradually going through the process of moving all of that functionality
out of sendmail and into either SA or MdF.

-Philip
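
The policy asked for in this thread (refuse a message when any envelope recipient of the transaction is a known-bogus address, even if the other recipients are valid), sketched as an added example that is not code from the thread or from MIMEDefang. The trap local parts, the example.tld domain and the helper names are assumptions, and as noted in the thread only the recipients of the current SMTP transaction are visible.

```perl
#!/usr/bin/perl
# Added example: decide on a whole SMTP transaction from its envelope recipients.
use strict;
use warnings;

# Assumed trap mailboxes: system accounts that never receive real mail.
# example.tld is a placeholder for the local domain.
my %TRAP   = map { $_ => 1 } qw(daemon uucp);
my $DOMAIN = 'example.tld';

# Normalise an envelope address such as "<UUCP@Example.TLD>".
sub canon {
    my ($addr) = @_;
    $addr =~ s/^\s*<?//;
    $addr =~ s/>?\s*$//;
    return lc $addr;
}

# Return the trap addresses found among the given envelope recipients.
sub trap_hits {
    my @hits;
    for my $rcpt (map { canon($_) } @_) {
        # Split at the last "@"; skip anything that is not local@domain.
        my ($local, $domain) = $rcpt =~ /^(.*)\@([^\@]*)$/ or next;
        push @hits, $rcpt if $domain eq $DOMAIN && $TRAP{$local};
    }
    return @hits;
}

# One verdict for the whole transaction: a single trap recipient is enough,
# no matter how many valid recipients accompany it.
sub verdict {
    my @hits = trap_hits(@_);
    return @hits
        ? ('REJECT', 'trap recipient: ' . join(', ', @hits))
        : ('CONTINUE', '');
}

# Constructed sample transactions (not real traffic).
my @samples = (
    ['<philip@example.tld>'],                        # valid only
    ['<philip@example.tld>', '<UUCP@Example.TLD>'],  # valid plus trap
    ['<daemon@other.example>'],                      # same local part, foreign domain
);

for my $rcpts (@samples) {
    my ($action, $why) = verdict(@$rcpts);
    printf "%-45s %-8s %s\n", join(',', @$rcpts), $action, $why;
}
```

In a mimedefang-filter the same check would run over @Recipients, the array quoted in the thread, for instance from filter_begin, with action_bounce issuing the rejection.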



Filtering based on the recipients

2006-04-04 Thread Philip Prindeville
I was looking on the FAQ and the Wiki, but couldn't find this...

How do I filter based on the recipient mailbox address?  For instance, I'm
running Linux, so if I get email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED]
then I know they're bogus...

And can probably block it, even if some of the recipients are valid email
addresses.

Thanks,

-Philip