Re: [AMaViS-user] bypass spam check for domain
On 3/27/08, Miguel wrote: Hi to all, i got a questiong regarding the spam_lovars_maps static maps, i undestand that if i want to bypass all spam check for a particular recipient/domains, i just need to list them in @spam_lovers_maps, however, i found this tutorial http://www200.pair.com/mecham/spam/bypassing.html#9 where it says that you have to do it with @bypass_spam_checks_maps and additional to add them to @spam_lovars_maps i just want to do the right thing. What is the official, recommended way to do this? regards, With @spam_lovers_maps, the message is still processed by spamassassin and a score is assigned, but the message is passed regardless of the score. With @bypass_spam_checks_maps, the message is usually not processed by spamassassin, so this saves processing power. However, when the message is addressed to multiple recipients, and the recipients disagree whether scanning should occur or not, the message will be scanned. There is the possibility in this case that the recipient(s) in the @bypass_spam_checks_maps will not get a copy of the message. Possibly the best way to set this up so you save as much processing as possible, but still ensure that spam is passed, is to include the recipients in both maps. One other thing to consider however. For any messages that are not scanned by spamassassin, those messages will not included in the messages that are learned by Bayes (assuming autolearn is active). So, you decide. Another thing to consider. Depending on your default kill_level and your quarantine setup, spam that is passed to recipients in @spam_lovers_maps may also have a copy of the message sent to quarantine. Assuming one is using default static lookups, consider also creating a @spam_kill_level_maps where the spam lovers are given a high kill_level (which prevents quarantine), e.g.: @spam_kill_level_maps = ( { '[EMAIL PROTECTED]' = , '.example.com' = }, # those in @spam_lovers_maps \$sa_kill_level_deflt, # catchall default - everyone not in @spam_lovers_maps ); -- Gary V - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
[AMaViS-user] Net::DNS .060 allows remote attackers to cause DOS
From: http://search.cpan.org/src/OLAF/Net-DNS-0.63/Changes Fix rt.cpan.org #30316 Security issue with Net::DNS Resolver. Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers to cause a denial of service (program croak) via a crafted DNS response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet parsing routines are now enclosed in eval blocks to trap exception and avoid premature termination of user program. Fix: Update to 0.63. Note: to Freebsd Ports SpamAssassin users: A minor update to SA will include dependency on 0.63. pt-Net-DNS was updated on ports tree 10 days ago: http://www.freebsd.org/cgi/query-pr.cgi?pr=120702 An official update to SA ports version 3.4.2_3 will be send to ports shortly. -- Michael Scheidell, CTO Main: 561-999-5000, Office: 561-939-7259 *| *SECNAP Network Security Corporation Winner 2008 Technosium hot company award. www.technosium.com/hotcompanies/ http://www.technosium.com/hotcompanies/ _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _ - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] Net::DNS .060 allows remote attackers to cause DOS
Justin Mason wrote: This issue has no security impact. The flaw will cause Net::DNS to croak, which in turn should be handled by the calling application. In the case of RHEL, the only known application that uses this functionality is Spamassassin. Spamassassin handles this failure gracefully and continues to function, minus the DNS tests. we haven't seen details of the vulnerability, but I think Josh's take on the issue sounds correct. if anyone has a demo of the bug, please pass it on so we can try it out. i guess a 'croak' isn't a dos... ;-) its in freebsd ports, a 'portupgrade p5-Net-DNS' should update it quickly. --j. -- Michael Scheidell, CTO Main: 561-999-5000, Office: 561-939-7259 *| *SECNAP Network Security Corporation Winner 2008 Technosium hot company award. www.technosium.com/hotcompanies/ http://www.technosium.com/hotcompanies/ _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _ - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] bypass spam check for domain
Gary V escribió: On 3/27/08, Miguel wrote: Hi to all, i got a questiong regarding the spam_lovars_maps static maps, i undestand that if i want to bypass all spam check for a particular recipient/domains, i just need to list them in @spam_lovers_maps, however, i found this tutorial http://www200.pair.com/mecham/spam/bypassing.html#9 where it says that you have to do it with @bypass_spam_checks_maps and additional to add them to @spam_lovars_maps i just want to do the right thing. What is the official, recommended way to do this? regards, With @spam_lovers_maps, the message is still processed by spamassassin and a score is assigned, but the message is passed regardless of the score. With @bypass_spam_checks_maps, the message is usually not processed by spamassassin, so this saves processing power. However, when the message is addressed to multiple recipients, and the recipients disagree whether scanning should occur or not, the message will be scanned. What is that mean?, that i have @example.com for bypass spam check and i also have another setting somewhere for [EMAIL PROTECTED] to do spam checks? There is the possibility in this case that the recipient(s) in the @bypass_spam_checks_maps will not get a copy of the message. Possibly the best way to set this up so you save as much processing as possible, but still ensure that spam is passed, is to include the recipients in both maps. One other thing to consider however. For any messages that are not scanned by spamassassin, those messages will not included in the messages that are learned by Bayes (assuming autolearn is active). So, you decide. Another thing to consider. Depending on your default kill_level and your quarantine setup, spam that is passed to recipients in @spam_lovers_maps may also have a copy of the message sent to quarantine. Assuming one is using default static lookups, consider also creating a @spam_kill_level_maps where the spam lovers are given a high kill_level (which prevents quarantine), e.g.: @spam_kill_level_maps = ( { '[EMAIL PROTECTED]' = , '.example.com' = }, # those in @spam_lovers_maps \$sa_kill_level_deflt, # catchall default - everyone not in @spam_lovers_maps ); Ok, i do not quarantine any messages ($QUARANTINEDIR = undef), so i guess the @spam_kill_lelvel_maps is not necesary. All is clearer now, Thanks Gary . - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] X-Spam headers from another amavisd/SA
On 3/26/08, Crosby, Scott F. wrote: Is there a way to configure amavisd to completely ignore X-Spam-* headers that may have previously been applied by an earlier pass through amavisd on a different host? I realize that this could be a Very Bad Thing, but here's my problem: We send mail to several customer domains across private connections that do not traverse the internet. For various security reasons, many of these customers require dedicated relays for their mail. The problem lies with one of those private networks (actually several of them, but we'll focus on one.) Let's call it bar.com. All outbound mail from our domain (foo.com) is delivered to bar.com via a private connection, and some of the inbound mail from bar.com is returned via the same path. No problem there. But some divisions within the super maga corp bar.com don't route outbound mail back across this private line... they route mail across the internet. In accordance with the agreements made with some divisions of bar.com, our outbound mail to their domain may not traverse any internet-connected relay. This is only an issue with respect to amavis' penpal support. Inbound replies sent in response to messages that went out across the private line do not benefit from the penpal score reduction because the original messages were never seen and logged by the internet-facing relays. We use sql logging, so my solution is to insert a dummy amavisd on one of the common internal mail exchanger hosts and log all traffic to a common database. This dummy amavisd has the virus scanners and spamassassin disabled, but it's destroying the X-Spam headers for inbound internet-originated mail that was scanned on its way in by our internet-facing amavisd/SA machines. The original headers are replaced with this: X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=x tests=[] Hmm, this says the score is zero, which indicates to me that that message was scanned (by what? - nothing? I dunno). How did you disable spam scanning? To disable spam scanning try: @bypass_spam_checks_maps = (1); You may also desire: @bypass_virus_checks_maps = (1); @bypass_banned_checks_maps = (1); @bypass_header_checks_maps = (1); Also, if you want to keep existing headers, add: $remove_existing_spam_headers = 0; The dummy amavisd appears to be inserting these header lines even if they don't already exist. The penpal feature is very important to us because this particular customer domain is very commonly forged by spammers and the contents of their legitimate communications are very sensitive to spam filters (their messages are often quite spam-like.) So, how can I get amavisd to leave pre-existing X-Spam headers alone AND not insert them if they don't already exist? Basically, to completely ignore these headers. Here are what I believe are the relevant portions of the amavisd.conf file on the dummy server: @bypass_virus_checks_maps = (1); @bypass_spam_checks_maps = (1); $bypass_decode_parts = 1; $mydomain = 'foo.com'; @local_domains_maps = ( ['.foo.com'] ); X-Spam headers are only inserted if the domain is considered local. If it makes no difference, try: @local_domains_maps = ( [''] ); but it may not matter if spam and virus scanning are disabled. @mynetworks = qw( 127.0.0.0/8 192.168.2.0/23 192.168.4.0/24 ); $sa_tag_level_deflt = undef; $sa_tag2_level_deflt = undef; $sa_kill_level_deflt = undef; $sa_dsn_cutoff_level = undef; $sa_crediblefrom_dsn_cutoff_level = undef $final_spam_destiny = D_PASS; If spam scanning is truly disabled, none of this should matter. I've also tried arbitrarily high values (1000) for the various sa_tag settings with no effect. Blanking @mynetworks also had no effect. SpamAssassin isn't even installed on the machine with the dummy amavisd. We're using amavisd-new 2.6.0pre1. Any thoughts? I could probably do what I want by hacking on the amavisd script itself, but I'd rather not do that if I don't have to. On an unrelated note, has anyone thought of using the penpals feature to check inbound NDRs for a corresponding outbound message? If the message ID contained within the inbound NDR doesn't match a valid message ID from the apparent sender, such messages could be dropped. Parsing the inbound NDR for the message ID might be difficult, but I don't think that it would be impossible. -- Gary V - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
Re: [AMaViS-user] bypass spam check for domain
On 3/27/08, Miguel wrote: With @spam_lovers_maps, the message is still processed by spamassassin and a score is assigned, but the message is passed regardless of the score. With @bypass_spam_checks_maps, the message is usually not processed by spamassassin, so this saves processing power. However, when the message is addressed to multiple recipients, and the recipients disagree whether scanning should occur or not, the message will be scanned. What is that mean?, that i have @example.com for bypass spam check and i also have another setting somewhere for [EMAIL PROTECTED] to do spam checks? I'm not sure I understand your question. Here is an axample. A message is addressed to [EMAIL PROTECTED] and [EMAIL PROTECTED] (both of which are domains you are responsible for). @bypass_spam_checks_maps = ( [example.com] ); This message will still be scanned because [EMAIL PROTECTED] is not included in @bypass_spam_checks_maps. [EMAIL PROTECTED] is in the map, but in this case this recipient may not receive a copy of the message (assuming it is spam). @bypass_spam_checks_maps does not guarantee delivery of spam. To guarantee delivery of a message that has been scanned by spamassassin and subsequently marked as spam, you want to also include the recipient in @spam_lovers_maps. -- Gary V - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] bypass spam check for domain
Gary V wrote: Another thing to consider. Depending on your default kill_level and your quarantine setup, spam that is passed to recipients in @spam_lovers_maps may also have a copy of the message sent to quarantine. Assuming one is using default static lookups, consider also creating a @spam_kill_level_maps where the spam lovers are given a high kill_level (which prevents quarantine), e.g.: Well, yes, high kill level does disable quarantine (because spam level never reaches a high kill level, so mail is never considered spam and quarantining does not apply), but it also makes spam_lovers redundant, as mail is never considered spam, so there is no need to bother with spam_lovers, mail will be delivered normally. So setting kill level high to some recipients achieves both: they will receive mail (same as spam_lovers), and no spam quarantining takes place (same as disabling quarantine for these users). Quarantining has its direct control too, so to turn off quarantining for spam lovers, @spam_quarantine_to_maps can be set to false (an empty string or undef) for such recipients: @spam_quarantine_to_maps = ( [qw( [EMAIL PROTECTED] [EMAIL PROTECTED] !.example.net )], \$spam_quarantine_to, ); or: @spam_quarantine_to_maps = ( {'[EMAIL PROTECTED]' = '', '[EMAIL PROTECTED]' = '', '.example.net' = '', '.' = $spam_quarantine_to, } ); But I admit it is awkward to automatically construct a @spam_quarantine_to_maps list if one already has a nontrivial list in @spam_lovers_maps. Mark - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] bypass spam check for domain
Gary, But what if you have one recipient in a @bypass_spam_checks_maps and another that is not? Would you still not need to place the recipient in the @bypass_spam_checks_maps in the @spam_lovers_maps? @bypass_spam_checks_maps is pretty much independent from everything else. If at least one recipient requires spam checking (has bypass at false), then spam checking is performed. Or in other words, if all recipients have bypass at true, spam checking need not be performed (but the result may still be available, e.g. when cached). What happens next depends on whether mail is considered spam (above kill level for this recipient), or not. If it is not spam, it is delivered normally and not quarantined. If it is spam, it gets quarantined unless quarantining is disabled, and it is blocked, unless recipient is a spam lover. As you can see, if mail is not considered spam (e.g. when mail is clean or recipient has a high kill level, same thing), the @spam_lovers_maps is irrelevant. See first couple of items under: http://www.ijs.si/software/amavisd/amavisd-new-docs.html Mark - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] X-Spam headers from another amavisd/SA
Hmm, this says the score is zero, which indicates to me that that message was scanned (by what? - nothing? I dunno). How did you disable spam scanning? To disable spam scanning try: @bypass_spam_checks_maps = (1); You may also desire: @bypass_virus_checks_maps = (1); @bypass_banned_checks_maps = (1); @bypass_header_checks_maps = (1); Yes, this is the method I used to disable the various scanners. I did not have bypass_header_checks_maps set earlier, but I've set it now and still see the following when I send a test message without a valid Date field: X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: Date Shouldn't that also disappear if I truly have header tests disabled? This is a side issue, of course, but it is curious. Also, if you want to keep existing headers, add: $remove_existing_spam_headers = 0; Ah, that was part of what I was looking for. Thanks! X-Spam headers are only inserted if the domain is considered local. If it makes no difference, try: @local_domains_maps = ( [''] ); but it may not matter if spam and virus scanning are disabled. I had tried @local_domains_maps = (); without luck. Alas, your suggestion also does not appear to have worked. By the way, I'm running 2.6.0-rc1, not -pre1 as stated earlier. This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] X-Spam headers from another amavisd/SA
I had tried @local_domains_maps = (); without luck. Alas, your suggestion also does not appear to have worked. By the way, I'm running 2.6.0-rc1, not -pre1 as stated earlier. Ah, found it. The policy defined in the sql policy table for the servers in the DMZ was overriding the settings in the config file for the internal 'dummy' amavisd. I should be able to get around that by setting @lookup_sql_dsn to undef and leaving @storage_sql_dsn set. Thanks for the help! $remove_existing_spam_headers answered the other half of the issue, as well. This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] bypass spam check for domain
On 3/27/08, Mark Martinec wrote: Gary, But what if you have one recipient in a @bypass_spam_checks_maps and another that is not? Would you still not need to place the recipient in the @bypass_spam_checks_maps in the @spam_lovers_maps? @bypass_spam_checks_maps is pretty much independent from everything else. If at least one recipient requires spam checking (has bypass at false), then spam checking is performed. Or in other words, if all recipients have bypass at true, spam checking need not be performed (but the result may still be available, e.g. when cached). What happens next depends on whether mail is considered spam (above kill level for this recipient), or not. If it is not spam, it is delivered normally and not quarantined. If it is spam, it gets quarantined unless quarantining is disabled, and it is blocked, unless recipient is a spam lover. As you can see, if mail is not considered spam (e.g. when mail is clean or recipient has a high kill level, same thing), the @spam_lovers_maps is irrelevant. See first couple of items under: http://www.ijs.si/software/amavisd/amavisd-new-docs.html Mark I see. Oops, for some reason I must have casually assumed that because mail is tagged as spam at tag2_level, this alone might be sufficient to short circuit delivery of a message to a recipient in @bypass_spam_checks_maps. Now I imagine this is actually a result of $final_destiny being set to anything other than D_PASS. Thus, if kill_level is beyond any possible spam score, the action in $final_destiny never takes place. All spam is delivered. -- Gary V - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] Net::DNS .060 allows remote attackers to cause DOS
Michael Scheidell wrote: From: http://search.cpan.org/src/OLAF/Net-DNS-0.63/Changes Fix rt.cpan.org #30316 Security issue with Net::DNS Resolver. Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers to cause a denial of service (program croak) via a crafted DNS response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet parsing routines are now enclosed in eval blocks to trap exception and avoid premature termination of user program. Fix: Update to 0.63. Note: to Freebsd Ports SpamAssassin users: A minor update to SA will include dependency on 0.63. pt-Net-DNS was updated on ports tree 10 days ago: http://www.freebsd.org/cgi/query-pr.cgi?pr=120702 An official update to SA ports version 3.4.2_3 will be send to ports shortly. you mean 3.4.2_3 I guess. PS. shouldn't the audit db be updated? - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/