Re: [Clamav-users] sober.p and german adverts?
Jef Poskanzer wrote:
> ..snip...
> And finally, if you want to run a check on the HELO string, I find that just rejecting outside connections that claim a HELO of your own hostname gets rid of a very high proportion of crapmail. This very simple check is successful enough that I'll probably publish a "notme_milter" at some point after spfmilter gets out of beta status.

I already do this with MIMEDefang. It's proven quite effective. I don't bother with any of the other checks because they either take too many resources or have potentially too much collateral damage.

alan

___
http://lurker.clamav.net/list/clamav-users.html
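The "notme" check Jef and Alan describe, written out as a stand-alone policy function. This is an added illustration, not code from either of them, MIMEDefang or spfmilter; the hostnames, address ranges and sample sessions are constructed, and the address-literal case (an outsider greeting with our own IP in brackets) is an extension of the hostname-only check in the post. A milter's HELO callback would call `notme_verdict` with the peer address and the HELO argument.

```python
# Added illustration, not the code Alan or Jef run: the "notme" HELO check as
# a stand-alone policy function a milter's HELO callback could call.
# Hostnames, address ranges and the sample sessions below are constructed.
import ipaddress

# Assumption: the names this server answers to, lower-cased, no trailing dot.
OUR_HOSTNAMES = {"mail.example.net", "example.net"}
# Assumption: our own address space; connections from here are not "outside".
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]
# Our public addresses, so a HELO address literal like "[192.0.2.25]" is also
# caught (an extension of the hostname-only check in the post).
OUR_ADDRESSES = {ipaddress.ip_address("192.0.2.25")}


def is_outside(peer_ip):
    """True when the connecting peer is not inside one of OUR_NETWORKS."""
    ip = ipaddress.ip_address(peer_ip)
    return not any(ip in net for net in OUR_NETWORKS)


def normalize_helo(helo):
    """Lower-case the HELO argument and drop a trailing dot (DNS names are case-insensitive)."""
    return helo.strip().lower().rstrip(".")


def claims_to_be_us(helo):
    """True when the HELO names one of our hostnames or one of our address literals."""
    h = normalize_helo(helo)
    if h in OUR_HOSTNAMES:
        return True
    if h.startswith("[") and h.endswith("]"):
        try:
            return ipaddress.ip_address(h[1:-1]) in OUR_ADDRESSES
        except ValueError:
            return False          # malformed literal: not this check's concern
    return False


def notme_verdict(peer_ip, helo):
    """Return ("reject", reason) or ("accept", "") for one HELO/EHLO from peer_ip."""
    if not is_outside(peer_ip):
        return ("accept", "")     # our own clients may legitimately greet with our name
    if claims_to_be_us(helo):
        return ("reject", "554 HELO %s claims to be this server" % helo)
    return ("accept", "")


# Constructed sessions: (peer address, HELO argument)
SAMPLE_SESSIONS = [
    ("203.0.113.5", "mail.example.net"),      # outsider using our hostname: reject
    ("203.0.113.6", "[192.0.2.25]"),          # outsider using our address literal: reject
    ("198.51.100.9", "smtp.remote.example"),  # ordinary remote MTA: accept
    ("192.0.2.7", "mail.example.net"),        # our own client: accept
]


def summarize(sessions):
    """Count (rejected, accepted) over a list of (ip, helo) sessions."""
    verdicts = [notme_verdict(ip, helo)[0] for ip, helo in sessions]
    return (verdicts.count("reject"), verdicts.count("accept"))


if __name__ == "__main__":
    for ip, helo in SAMPLE_SESSIONS:
        print(ip, repr(helo), *notme_verdict(ip, helo))
    print("rejected/accepted:", summarize(SAMPLE_SESSIONS))
```

The inside/outside split is what keeps the check low on collateral damage: a host on our own network that greets with our name is left alone, and only an outsider claiming to be us is refused, which matches the low resource cost and low false-positive rate Alan reports.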
Re: [Clamav-users] sober.p and german adverts?
On Mon, 16 May 2005, Todd Lyons wrote:
> From: Todd Lyons [EMAIL PROTECTED]
> To: ClamAV users ML clamav-users@lists.clamav.net
> Date: Mon, 16 May 2005 10:14:26 -0700
> Subject: Re: [Clamav-users] sober.p and german adverts?
> Reply-To: ClamAV users ML clamav-users@lists.clamav.net
> ...
> Some ISPs don't allow you to relay mail through them if it's not for @ispdomain.com. In that case, you should offer them a value add service to relay mail for them and then configure SSL (583) so that they don't have that problem.

Make that port 587, mail message submission described in RFC2476. You may also need to configure a listener on the obsolete SMTPS port, 465, for the benefit of crippleware clients that require tls-on-connect.

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]  Phone: +44 1225 386101
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
> Most of the spam I've gotten the last three days is from comcast.net. Apparently they allow their customers to send out to port 25. They should lock that down so that spam goes out through their own servers so they can feel the pain when they are blacklisted for incompetence. If you need to run your own stand-alone mail service you should pay the price for the privilege.

To me, that price is learning how to do it right. Price isn't always monetary. I wouldn't argue with the idea of having to tell your provider that you need your particular connection unfiltered and leave it unfiltered because you're setting up the server.

I'm paying for the bandwidth of a connection. If anything you're saving the ISP money in labor to maintain your mail spool, you're saving them disk space, and you're saving them liability...because you're willing to shoulder the burden yourself. The price here is you're doing the administration, you're sacrificing your disk space, and you're sacrificing the ability to complain to them when the disk dies and there's not a backup and you don't have 24/7 connection reliability, only a reasonable connection.

It's kinda stupid to me that you'd save them some space and time and liability and have to pay them for taking away a sliver of a headache, if all you want is a connection...and you may even be one of the small percentage that if you run the services yourself, you won't be on their tech support line. Seems like that's the biggest cost for ISPs.

For people who are willing to learn and put work into maintaining it the cost of getting a business class connection is so high that...well...they'd have to be a business to get it. Or at least get it and not subsist on bologna and Cheerios for meals.
Re: [Clamav-users] sober.p and german adverts?
One final point here, I know I, and I'm sure many of you, have seen or come into contact with infected exchange servers on static ip addresses. The fact that it's static, or in fact, a business connection, speaks not a thing for the competence of the administrator, or the security of the server. My point before was this: my ip in no way says you should trust me, I can be infected and misconfigured on a static ip as a dynamic one. Also, I'm being penalized for Microsoft's inability to engineer and distribute a secure os. You have every right to block whatever address ranges you want, and when I get the bounce, I'll add you to my transport file for postfix. All else, I'll manage the queue myself.

On Tuesday 17 May 2005 06:48 am, Bart Silverstrim wrote:
> On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
> > Most of the spam I've gotten the last three days is from comcast.net. Apparently they allow their customers to send out to port 25. They should lock that down so that spam goes out through their own servers so they can feel the pain when they are blacklisted for incompetence. If you need to run your own stand-alone mail service you should pay the price for the privilege.
>
> To me, that price is learning how to do it right. Price isn't always monetary. I wouldn't argue with the idea of having to tell your provider that you need your particular connection unfiltered and leave it unfiltered because you're setting up the server.
>
> I'm paying for the bandwidth of a connection. If anything you're saving the ISP money in labor to maintain your mail spool, you're saving them disk space, and you're saving them liability...because you're willing to shoulder the burden yourself. The price here is you're doing the administration, you're sacrificing your disk space, and you're sacrificing the ability to complain to them when the disk dies and there's not a backup and you don't have 24/7 connection reliability, only a reasonable connection.
>
> It's kinda stupid to me that you'd save them some space and time and liability and have to pay them for taking away a sliver of a headache, if all you want is a connection...and you may even be one of the small percentage that if you run the services yourself, you won't be on their tech support line. Seems like that's the biggest cost for ISPs.
>
> For people who are willing to learn and put work into maintaining it the cost of getting a business class connection is so high that...well...they'd have to be a business to get it. Or at least get it and not subsist on bologna and Cheerios for meals.

-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 2:17 AM, Alan Premselaar wrote:
> Jef Poskanzer wrote:
> > ..snip...
> > And finally, if you want to run a check on the HELO string, I find that just rejecting outside connections that claim a HELO of your own hostname gets rid of a very high proportion of crapmail. This very simple check is successful enough that I'll probably publish a notme_milter at some point after spfmilter gets out of beta status.
>
> I already do this with MIMEDefang. It's proven quite effective. I don't bother with any of the other checks because they either take too many resources or have potentially too much collateral damage.

What I'd like is a system that takes incoming mail, strips rich text/html and reinterprets it into plain text, strips attachments and puts them into an ACL-controlled quarantine so users can get to them only if they really wanted them (within X days before it's wiped from the database and storage area) whether it's a networked fileshare or (probably better) a website. Stick headers in as to probability of message being spam so client filtering can work still. Have DNS lookups on the helo string...not valid, don't take it. Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that? Enough to be significant? Build in some tarpitting if the same site keeps hitting users on your site that are invalid more than X times when checking against your user database.

How much collateral damage would a system like this cause, I wonder?

After yet another day of putting up with all this crap from viruses, there's a part of me that wonders what would happen if someone wrote a virus that would pull a sober.p infectinfectinfect...sleep...payload trick where instead of turning the computer into a spambot would instead delete some system files so Windows wouldn't boot again, forcing people to STOP CLICKING ON RANDOM ATTACHMENTS and fixing the problem systems.

Isn't that the primary trick being used now to spread spam and viruses? People are clicking and running attachments from other viruses and are clueless about NOT CLICKING RANDOM ATTACHMENTS? Although I already know people abhor the idea and it's definitely not the first time that idea's been entertained in some twisted form of vigilante online justice.

*sigh* too much of this stuff makes Johnny a dull boy. Need more sleep.
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim said:
> On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
> > Most of the spam I've gotten the last three days is from comcast.net. Apparently they allow their customers to send out to port 25. They should lock that down so that spam goes out through their own servers so they can feel the pain when they are blacklisted for incompetence. If you need to run your own stand-alone mail service you should pay the price for the privilege.
>
> To me, that price is learning how to do it right. Price isn't always monetary. I wouldn't argue with the idea of having to tell your provider that you need your particular connection unfiltered and leave it unfiltered because you're setting up the server.

What you are paying for is their trust that you are doing your part correctly. As an ISP my greatest investment aside from my hardware is my IP. Anything that puts it at risk puts all at risk. Policy describes I do all I can to protect that investment so I set the rules. I don't have to trust my average customers because I manage the resources. If you come to me and ask me to loosen my rules I will do that but you have to invest in my trust in you. By requiring you to have a higher liability I encourage you to avoid activities that put your investment in jeopardy.

Imagine I am an ISP and you are a customer and you spam the world with your own machine, drawing attention to my IP block. As is the norm, my IP is blacklisted and I have to go to the blacklist vendors, hat in hand, to explain that you, not I, did the dirty deed, and that I've pulled your account. Personally I would probably find you and kick your ass, but technically, I could have avoided the problem by requiring you to use my smtp server and my traffic policies. Now imagine you are one of 25,000 customers I have to deal with. Where do you think I'm going to put my effort?

It can be argued that true spammers are so profitable they can afford to throw away any reasonable fees I might impose. It is certainly true, but what I advocate is not directed at them. I'm just trying to help keep the 99.9% honest people out there from screwing up my business because they use a POS Windows system that even Bill Gates, Inc. can't keep clean.

But let's get back to anti-virus issues - 0.85.1 is out and appears to have an interesting issue with permissions and there's an easy solution. I wonder who will find it first.

dp
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 8:48 AM, Dennis Peterson wrote:
> Bart Silverstrim said:
> > To me, that price is learning how to do it right. Price isn't always monetary. I wouldn't argue with the idea of having to tell your provider that you need your particular connection unfiltered and leave it unfiltered because you're setting up the server.
>
> What you are paying for is their trust that you are doing your part correctly.

I'm not sure of that...maybe that's your relationship with your provider, but I know what I was looking for when I bought access :-)

> As an ISP my greatest investment aside from my hardware is my IP. Anything that puts it at risk puts all at risk.

Your intellectual property? Or do you mean your address?

> Policy describes I do all I can to protect that investment so I set the rules. I don't have to trust my average customers because I manage the resources.

And vice-versa. If you want to offload the responsibility and liability. I'm telling you there are people who don't want that, and if they're willing to shoulder the burden it should be shifted to them. Second, as a business, businesses cater to market desires. If you don't want to do that then that's your business. You probably won't lose a huge number of people because of it but there are some that would leave if they couldn't find a solution that fits them. Most businesses understand that there's a balance...give customers what they want, and they will be your customers instead of your competitor's. Other businesses don't really care or don't want to serve that kind of market.

> If you come to me and ask me to loosen my rules I will do that but you have to invest in my trust in you. By requiring you to have a higher liability I encourage you to avoid activities that put your investment in jeopardy.

*shrug* fine with me. :-)

> Imagine I am an ISP and you are a customer and you spam the world with your own machine, drawing attention to my IP block. As is the norm, my IP is blacklisted and I have to go to the blacklist vendors, hat in hand, to explain that you, not I, did the dirty deed, and that I've pulled your account. Personally I would probably find you and kick your ass, but technically, I could have avoided the problem by requiring you to use my smtp server and my traffic policies.

Ahh...see...there are other things that can draw unwanted attention. And while using just your resources may be one way to prevent the problem, there are others as well, and it's not a guarantee that you'll be entirely protected still. There are trojans now spamming through the legit servers. Blocking ports can have oddball side effects...secondary collateral damage. Not always significant, but non-blocking is one less thing to worry about.

And why must I trust you? Is there something else you're doing to the email that I don't know about? After all, you could be subpoenaed into handing over copies of my email to other people without my knowledge or permission. What if I want to have my email stored on my servers with my own resources instead? Unless you're covering something up, perhaps?

So if you're going to shoulder the burden of protecting me from my own stupidity to keep yourself looking better and off lists, what else are you going to block or monitor? I mean, RIAA surely must be knocking at your door if you have more than a hundred users out there. So you block those ports too? Monitor for any and all programs that can be used for file sharing? Mandatory website traffic blocking to prevent porn from hitting the end user? Maybe you could require users to only run Linux or OS X, immune to most attacks and thus making your network better and safer? Or probe your customer's systems to see that they have the latest updates, and if not, cut off access at your router and have them redirected to a site that has the latest updates for Windows and not allow access until the updates are installed? There are some colleges that take that approach. I wouldn't want the liability of forcing a customer to update to the latest service pack and possibly having it keep them from booting or wiping some data, but hey, to each their own.

> Now imagine you are one of 25,000 customers I have to deal with. Where do you think I'm going to put my effort?

Serving the customer the service they want? :-) If I don't want anything other than access, that's all I'm looking for. I don't want to pay for blocking, filtering, or storage space on your servers.

> It can be argued that true spammers are so profitable they can afford to throw away any reasonable fees I might impose.

Considering that they're A) using zombied Wintel crap to spam and/or B) using foreign soil systems to spam, I don't think that's the problem.

> It is certainly true, but what I advocate is not directed at them. I'm just trying to help keep the 99.9% honest people out there from screwing up my business because they use a POS Windows system that even
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Bart Silverstrim wrote:
> After yet another day of putting up with all this crap from viruses, there's a part of me that wonders what would happen if someone wrote a virus that would pull a sober.p infectinfectinfect...sleep...payload trick where instead of turning the computer into a spambot would instead delete some system files so Windows wouldn't boot again, forcing people to STOP CLICKING ON RANDOM ATTACHMENTS and fixing the problem systems.
>
> Isn't that the primary trick being used now to spread spam and viruses? People are clicking and running attachments from other viruses and are clueless about NOT CLICKING RANDOM ATTACHMENTS? Although I already know people abhor the idea and it's definitely not the first time that idea's been entertained in some twisted form of vigilante online justice.

Would the person who implements this do me a favor and make the virus pretend to be a viagra spam? If we format the hard drives of people that buy from spammers, and the media picks up on it, then everyone will be informed of how dangerous spam is. Nobody will click it anymore, and spammer profits will plummet. This has a very real chance of eliminating the spam problem.

Kill two birds with one stone... I like it.

Damian Menscher
-- 
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote:
> Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that?

The sending server isn't guaranteed to be a MX, so any DNS MX or reverse connection tests would fail.

Matt
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 12:17 PM, Matt Fretwell wrote:
> Bart Silverstrim wrote:
> > Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that?
>
> The sending server isn't guaranteed to be a MX, so any DNS MX or reverse connection tests would fail.

No guarantees in life :-)

No matter what solution is put into place, there's going to be problems for some group that they would need to adapt to. There has to be some sensible solution that doesn't involve fifty patches and hacks and sub-scanners...
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote:
> On May 17, 2005, at 12:17 PM, Matt Fretwell wrote:
> > Bart Silverstrim wrote:
> > > Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that?
> >
> > The sending server isn't guaranteed to be a MX, so any DNS MX or reverse connection tests would fail.
>
> No guarantees in life :-)

Actually, having separate servers for incoming and outgoing mail is quite common. That's why people have tried to devise standards like RMX, SPF, Caller-Id, Sender-Id, and Domain Keys instead of just making the simple MX check you suggest. And even *those* solutions have problems.

-- 
Kelson Vibber
SpeedGate Communications
www.speed.net
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote:
> Bart Silverstrim wrote:
> > Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that?
>
> The sending server isn't guaranteed to be a MX, so any DNS MX or reverse connection tests would fail.

But that doesn't mean you can't connect to an MX for the sender's domain to confirm they exist -- that you could send mail *to* them. This is a fairly regular check some mail systems perform. I was amused by one recent system that did this against my MX but did it from a host with a name that didn't match its IP address, so mine rejected it... haha

Bill
Re: [Clamav-users] sober.p and german adverts?
On Mon, 16 May 2005, Bill Taroli wrote:
> Matt Fretwell wrote:
> > plenty of legitimate MTA setups running on dynamic IP's. [...] What really does amaze me though, is that these are generally the admins who will turn around and say, 'Don't block (variable), you will lose too much legitimate mail'. Where is the logic in that? They will allow a crappily configured multinational corporation or ISP to connect, yet not give dynamics the slightest chance to prove their reliability.
>
> I don't think it's a matter of reliability... it's more an issue of accountability and traceability. How can one trace back to a dynamically IP'ed MTA when it's dynamic? DynDNS doesn't prove itself in the majority of cases, or isn't even used. Some of these are even worse because the mail is coming from a NAT'ed host from behind a dyn IP firewall, which won't even allow return messages -- and I suspect this is extremely common. Kind of like an inverse roach motel for email.
>
> I don't disagree that there may well be many people running wholesome MTAs on dynamic IP's that suffer for the rest. But it's that rest we're all concerned with. I honestly wonder whether an authorization framework such as SPF would be the salvation of such setups... permitting them to prove themselves worthy without the need for static IP addresses. But until that time comes, any host who appears to lie about its identity by giving a host name that doesn't match its visible IP address is getting the door slammed in its face by my MTA.

Once upon a time, email was simple. It carried text. Later people got smart and started UUEncoding binary data into emails and other proggies like shar (still text) were born to transfer data across email. Since then, email has blown up and we have lost much of the MTA standardization which existed during a younger Internet. The encoding mechanisms (base64, etc) are all RFC standards and MUA's follow them, but the MTA's need to be setup a little bit stricter.

Requiring forward-and-back dns lookups is a good idea if everyone would cooperate. Back in the early 90's, most addresses would forward-and-back dns lookups and certainly all MTA's or servers offering a real service (http/ftp/rdiff) did. It seems that we have moved away from a consistent Internet with rules which were followed as a courtesy to sysadmins. We have now moved into a much more liberal (broken?) Internet where we try to make anything go and still have it function. Remarkably, it does for the most part despite all the garbage that floats across the line (just tcpdump a cable line sometime and see what's there).

For email transfer and MTA's alike, putting SPF in DNS to help authenticate the source is a step in the right direction. If SPF is a good idea, and it is dns based, then so should forward-and-back lookups. If additional mail standardization can take place (again) then spam can be reduced to a certain degree. I much like Brian Read's idea of blocking mail xfer from sites which are not authenticated (SASL) or who cannot give a proper reverse lookup. Every ISP we have worked with has been happy to create or change a PTR entry in their dns, even if it took a lot of work to get the ISP to do so (I even offered to do it for one isp and they finally did it themselves).

If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02.

Your thoughts?

-Eric

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] wrote:
> If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02.
>
> Your thoughts?

What time is the next rocketship to this planet you have found? :)

Matt
Re: [Clamav-users] sober.p and german adverts?
On Tue, 2005-05-17 at 12:06 -0700, [EMAIL PROTECTED] wrote:
> On Mon, 16 May 2005, Bill Taroli wrote:
> > Matt Fretwell wrote:
> > > plenty of legitimate MTA setups running on dynamic IP's. [...] What
> Once upon a time, email was simple. It carried text. Later people got
> ...
> ...
> ...
> If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02.
>
> Your thoughts?

This seems more like a discussion for another mailing list or a Usenet group on MTAs/SMTP IMHO

-- 
Steffen Winther Soerensen
[EMAIL PROTECTED]
private luser
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Matt Fretwell wrote:
> > If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02.
> >
> > Your thoughts?
>
> What time is the next rocketship to this planet you have found? :)

It's at like noon, gmt -- whenever that is. *shrug*. Is it always noon in Greenwich?

-Eric
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 3:21 PM, [EMAIL PROTECTED] wrote:
> On Tue, 17 May 2005, Damian Menscher wrote:
> > Would the person who implements this do me a favor and make the virus pretend to be a viagra spam? If we format the hard drives of people that buy from spammers, and the media picks up on it, then everyone will be informed of how dangerous spam is. Nobody will click it anymore, and spammer profits will plummet. This has a very real chance of eliminating the spam problem.
> >
> > Kill two birds with one stone... I like it.
>
> Nice. That couldn't be cleaner. There are plenty of ways of harmlessly disabling a system (no lost data, just no boot) and that would certainly be an awakening call for everyone across the board. People would get to reinstall their os and lose at least 2hrs of time.
>
> I really miss the days of destructive viruses. We just don't really see 'em like we used to. Remember Michaelangelo? What was his birthday again?
>
> /me stops reminiscing of the good ol' days.

Actually I don't know if users would be affected by an hour or two charge of reinstalling the OS. Lose their favorite bookmarks or the report they were working on, they might remember that. But just hitting next a couple times...then again, re-entering a 50 digit key and reactivating XP is a pain in the butt. :-)
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 3:39 PM, Dennis Peterson wrote:
> [EMAIL PROTECTED] said:
> > For email transfer and MTA's alike, putting SPF in DNS to help authenticate the source is a step in the right direction. If SPF is a good idea, and it is dns based, then so should forward-and-back lookups. If additional mail standardization can take place (again) then spam can be reduced to a certain degree. I much like Brian Read's idea of blocking mail xfer from sites which are not authenticated (SASL) or who cannot give a proper reverse lookup. Every ISP we have worked with has been happy to create or change a PTR entry in their dns, even if it took a lot of work to get the ISP to do so (I even offered to do it for one isp and they finally did it themselves).
> >
> > If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02.
> >
> > Your thoughts?
> >
> > -Eric
>
> How would you handle the PTR record for an SMTP server that hosts 500 virtual domains?

Guess by charging a nominal fee for those hosts to have the record maintained? :-)
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote:
> [EMAIL PROTECTED] wrote:
> > If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02.
>
> What time is the next rocketship to this planet you have found? :)

Now, now. I agree it's a lofty goal... but I think it's a worthwhile one. It's how we respond to the challenge that will determine our ultimate success. I move that we kick Microsoft out of the game with their proprietary solutions, for a start. Keep the focus on effective, easily implementable, STANDARD, and **OPEN** solutions and I think we'll be quite successful. Then the remaining challenge is getting the word out and getting people to adopt these solutions.

I can't gauge how far SPF has spread yet, but in my own spot checking, I'm finding an increasing number of senders that my MTA sees are being positively or negatively acknowledged by SPF, rather than just none, neutral, or unknown cases. Still in the minority, but growing... to the point that I finally threw the lever on kicking responses that come back error or failed.

Bill
Re: [Clamav-users] sober.p and german adverts?
Steffen Winther Soerensen wrote:
> This seems more like a discussion for another mailing list or a Usenet group on MTAs/SMTP IMHO

I don't disagree... are there any good ones for SPF or similar debates?

I do think -- much as you'd find in the Amavisd list -- that these issues do tend to intersect and overlap in various ways. While clamav is obviously about virii, it routinely gets deployed right along side spam and other tools.

Bill
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote:
> How would you handle the PTR record for an SMTP server that hosts 500 virtual domains?

Yes, I realize that getting everyone to change would be a pain in the butt and if we can do the following it would certainly reduce spam. We host many domains and I can't think of a reason that it would break our virtual domain system since rDNS(IP) == HELO == SMTP's 220. This is not to say that a spammer can't put a system like this together, but if they do it will certainly be easier to blacklist. This won't get rid of it all, but it should drop rogue virus mailers with their own smtp-sending engine.

IMO, a sending MTA should never have its smtp port closed unless it is an end-user. If they are an end user then SASL should be used to authenticate. Dynamic SMTP servers are ok provided that the constraints below are accurate.

If you ignore SASL authenticated connections, we can better authenticate mail connections with the following list of constraints:

1. fDNS(rDNS(IP)) == IP              # trivial
2. rDNS(IP) == HELO                  # should be trivial
3. rDNS(IP) == IP:smtp's 220 string.
4. SMTP FROM domain has an MX        # trivial
5. SMTP FROM domain MX has a 220 string of itself, rDNS or HELO.

Caveats: (please add your caveats here)

#3 #5: Sending server must have something on port 25 to issue a 220 string. This server does not need to have any more than a 220 response, though it should be friendly enough to wait for a quit. This can be done with a few lines of perl.

We don't implement this 100% but our system is moving that direction. We will also tie SPF to the list of constraints. Those who send email through us as their mail gateway will use SASL.

For what other reasons might this not work? What can we do to fortify this?

-Eric
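Eric's five constraints, evaluated over one inbound session so you can see which of them a given sender passes or fails. This is an added example and not Eric's implementation: the DNS records (PTR, A, MX) and the port-25 greeting banners are constructed in-memory tables rather than live lookups, and constraint 5 is read here as "the 220 banner of the MAIL FROM domain's MX names the MX itself, the sender's rDNS name, or the sender's HELO". Running it against the constructed `dsl-20.isp.example` sender shows constraint 1 (forward/reverse mismatch) and constraint 3 (nothing listening on port 25) failing while 2, 4 and 5 still hold.

```python
# Added example, not Eric's code: evaluates the five constraints above against
# a constructed in-memory DNS table and a constructed table of port-25 greeting
# banners, so it runs offline. Constraint 5 is read as "the MX's 220 banner
# names the MX itself, the sender's rDNS name, or the sender's HELO".

# Constructed data (assumption: none of these zones or addresses are real).
PTR = {"198.51.100.10": "mx1.sender.example",
       "198.51.100.20": "dsl-20.isp.example",
       "198.51.100.30": "host30.sender.example"}
A = {"mx1.sender.example": "198.51.100.10",
     "dsl-20.isp.example": "198.51.100.99",   # forward record does not point back
     "host30.sender.example": "198.51.100.30",
     "mx.other.example": "203.0.113.9"}
MX = {"sender.example": ["mx1.sender.example"],
      "other.example": ["mx.other.example"]}
BANNER = {"198.51.100.10": "220 mx1.sender.example ESMTP Postfix",
          "203.0.113.9": "220 mx.other.example ESMTP"}


def rdns(ip):
    """PTR lookup; None when the address has no reverse record."""
    return PTR.get(ip)


def fdns(name):
    """A lookup; None when the name does not resolve."""
    return A.get(name)


def banner_host(ip):
    """Hostname announced in the 220 greeting of ip (second token), or None if nothing listens."""
    banner = BANNER.get(ip)
    if not banner or not banner.startswith("220"):
        return None
    parts = banner.split()
    return parts[1].lower() if len(parts) > 1 else None


def check_session(ip, helo, mail_from):
    """Map each constraint number 1..5 to True/False for one inbound session."""
    name = rdns(ip)
    name_l = name.lower() if name else None
    helo_l = helo.strip().lower().rstrip(".")
    domain = mail_from.rsplit("@", 1)[-1].lower()
    mxs = MX.get(domain, [])

    results = {
        1: name_l is not None and fdns(name) == ip,           # fDNS(rDNS(IP)) == IP
        2: name_l is not None and name_l == helo_l,           # rDNS(IP) == HELO
        3: name_l is not None and banner_host(ip) == name_l,  # rDNS(IP) == sender's 220 name
        4: bool(mxs),                                         # MAIL FROM domain has an MX
        5: False,                                             # set below
    }
    for mx in mxs:
        mx_ip = fdns(mx)
        greeted = banner_host(mx_ip) if mx_ip else None
        if greeted and greeted in {mx.lower(), name_l, helo_l}:
            results[5] = True
            break
    return results


def accept(ip, helo, mail_from):
    """Eric's rule for non-SASL sessions: every constraint must hold."""
    return all(check_session(ip, helo, mail_from).values())


def failed(ip, helo, mail_from):
    """Sorted list of the constraint numbers that did not hold, for logging a reject."""
    return sorted(n for n, ok in check_session(ip, helo, mail_from).items() if not ok)


if __name__ == "__main__":
    for session in [("198.51.100.10", "mx1.sender.example", "alice@sender.example"),
                    ("198.51.100.20", "dsl-20.isp.example", "bob@sender.example"),
                    ("198.51.100.30", "mx1.sender.example", "carol@nomx.example")]:
        verdict = "accept" if accept(*session) else "reject, failed %s" % failed(*session)
        print(session, verdict)
```

Logging the failed constraint numbers rather than a bare reject is what makes Eric's "please add your caveats" request answerable from real traffic: the constructed `host30.sender.example` sender, which has correct forward and reverse DNS but no listener on port 25, is exactly the outbound-only relay Kelson describes earlier in the thread, and it shows up as a constraint 3 failure.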
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Bart Silverstrim wrote: Kill two birds with one stone... I like it. Nice. That couldn't be cleaner. There are plenty of ways of harmlessly disabling a system (no lost data, just no boot) and that would certainly be an awakening call for everyone across the board. People would get to reinstall their os and lose at least 2hrs of time. I really miss the days of destructive viruses. We just don't really see 'em like we used to. Remember Michelangelo? What was his birthday again? /me stops reminiscing of the good ol' days. Actually I don't know if users would be affected by an hour or two charge of reinstalling the OS. Lose their favorite bookmarks or the report they were working on, they might remember that. But just hitting next a couple times...then again, re-entering a 50 digit key and reactivating XP is a pain in the butt. :-) Especially if XP decides that you need to call MS! -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Bart Silverstrim wrote: If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02. How would you handle the PTR record for an SMTP server that hosts 500 virtual domains? Guess by charging a nominal fee for those hosts to have the record maintained? :-) If the sysadmin of an MTA can't maintain these or have them maintained, then we have bigger problems ... ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Bill Taroli wrote: This seems more like a discussion for another mailing list or a Usenet group on MTAs/SMTP IMHO I don't disagree... are there any good ones for SPF or similar debates? Postfix list: SPF practically banned except for implementation questions. Exim list: Will probably be pointed to a link regarding why *not* to use SPF. Matt ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote: On May 17, 2005, at 3:21 PM, [EMAIL PROTECTED] wrote: On Tue, 17 May 2005, Damian Menscher wrote: Would the person who implements this do me a favor and make the virus pretend to be a viagra spam? If we format the hard drives of people that buy from spammers, and the media picks up on it, then everyone will be informed of how dangerous spam is. Nobody will click it anymore, and spammer profits will plummet. This has a very real chance of eliminating the spam problem. Kill two birds with one stone... I like it. Nice. That couldn't be cleaner. There are plenty of ways of harmlessly disabling a system (no lost data, just no boot) and that would certainly be an awakening call for everyone across the board. People would get to reinstall their os and lose at least 2hrs of time. I really miss the days of destructive viruses. We just don't really see 'em like we used to. Remember Michelangelo? What was his birthday again? /me stops reminiscing of the good ol' days. Actually I don't know if users would be affected by an hour or two charge of reinstalling the OS. Lose their favorite bookmarks or the report they were working on, they might remember that. But just hitting next a couple times...then again, re-entering a 50 digit key and reactivating XP is a pain in the butt. :-) No, I wouldn't delete files... just replace their content with repeated strings of I won't click on links in Viagra emails or I won't randomly click on links to unknown web sites ... :-) ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] wrote: IMO, a sending MTA should never have its smtp port closed unless it is an end-user. Once again, a sending server does not have to be a MX. Something within that domain should be listening on port 25, but not always the machine which is connecting to yours. Look at the hostname of my machine in the headers. You will see it has rDNS and fDNS, but is not a MX for the domain. Matt ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote: [EMAIL PROTECTED] wrote: IMO, a sending MTA should never have its smtp port closed unless it is an end-user. Once again, a sending server does not have to be a MX. Something within that domain should be listening on port 25, but not always the machine which is connecting to yours. Look at the hostname of my machine in the headers. You will see it has rDNS and fDNS, but is not a MX for the domain. I think that was a typo, since the criteria he gave say the domain has an MX that... and not the MTA is an MX that... Basically, just edit sending MTA to MX for the sender's domain and I think we're good. :-) Bill ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
What about the users (like me) that have one ip address to play with? Do I use the ONE ptr record for mail, web, dns, ftp or whatever else I choose to make available to the world. Generally, only mail has a loose 'requirement' for front to back dns a/ptr records, but back in the day, so did ftp servers for the client side. So, if I choose to advertise my PTR as fw.domain.name, you consider my mail server suspect, unless it was advertised as fw.domain.name? Just because I don't have an easy way to provide 10's of addresses to the world? My system is secured and my ISP reserves the right to scan the ip space they provide (and they do check) for a number of 'questionable' or worse servers/services and disable those ips until repaired. That may or may not be the case for other ISPs, but I shouldn't have to use my ISPs servers, just 'cuz I can't have 10's of ip addresses. Some of us do this internet thing for fun and not for profit. If I am causing you problems, contact my ISP or blacklist my ip. I use Sendmail, Spamassassin, ClamAV and milter-greylist. Works well enough and if there is a server that is sending me things I don't care to get, I just add them to my private rbl list. No more mail. Might not work for a corporate server, but it works great for me. Takes time, yes. Impose restrictions on legit mail servers? NOPE. Until SPF or cost based email systems get accepted, you'll have to be creative in your filtering of mail. Punish the 'criminals' not the responsible persons. Eric Wisti On Tue, 17 May 2005, [EMAIL PROTECTED] wrote: Date: Tue, 17 May 2005 12:06:53 -0700 (PDT) From: [EMAIL PROTECTED] Reply-To: ClamAV users ML clamav-users@lists.clamav.net To: ClamAV users ML clamav-users@lists.clamav.net Subject: Re: [Clamav-users] sober.p and german adverts? On Mon, 16 May 2005, Bill Taroli wrote: Matt Fretwell wrote: plenty of legitimate MTA setups running on dynamic IP's. [...] 
What really does amaze me though, is that these are generally the admins who will turn around and say, 'Don't block (variable), you will lose too much legitimate mail'. Where is the logic in that? They will allow a crappily configured multinational corporation or ISP to connect, yet not give dynamics the slightest chance to prove their reliability. I don't think it's a matter of reliability... it's more an issue of accountability and traceability. How can one trace back to a dynamically IP'ed MTA when it's dynamic? DynDNS doesn't prove itself in the majority of cases, or isn't even used. Some of these are even worse because the mail is coming from a NAT'ed host from behind a dyn IP firewall, which won't even allow return messages -- and I suspect this is extremely common. Kind of like an inverse roach motel for email. I don't disagree that there may well be many people running wholesome MTAs on dynamic IP's that suffer for the rest. But it's that rest we're all concerned with. I honestly wonder whether an authorization framework such as SPF would be the salvation of such setups... permitting them to prove themselves worthy without the need for static IP addresses. But until that time comes, any host who appears to lie about its identity by giving a host name that doesn't match its visible IP address is getting the door slammed in its face by my MTA. Once upon a time, email was simple. It carried text. Later people got smart and started UUEncoding binary data into emails and other proggies like shar (still text) were born to transfer data across email. Since then, email has blown up and we have lost much of the MTA standardization which existed during a younger Internet. The encoding mechanisms (base64, etc) are all RFC standards and MUA's follow them, but the MTA's need to be setup a little bit stricter. Requiring forward-and-back dns lookups is a good idea if everyone would cooperate. 
Back in the early 90's, most addresses would forward-and-back dns lookups and certainly all MTA's or servers offering a real service (http/ftp/rdiff) did. It seems that we have moved away from a consistent Internet with rules which were followed as a courtesy to sysadmins. We have now moved into a much more liberal (broken?) Internet where we try to make anything go and still have it function. Remarkably, it does for the most part despite all the garbage that floats across the line (just tcpdump a cable line sometime and see what's there). For email transfer and MTA's alike, putting SPF in DNS to help authenticate the source is a step in the right direction. If SPF is a good idea, and it is dns based, then so should forward-and-back lookups. If additional mail standardization can take place (again) then spam can be reduced to a certain degree. I much like Brian Read's idea of blocking mail xfer from sites which are not authenticated (SASL) or who cannot give a proper reverse lookup. Every ISP we have worked with has been happy to create or change a PTR entry in their dns, even if it took a lot of work to get
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] said: On Tue, 17 May 2005, Bart Silverstrim wrote: If we can standardize the set of rules and protocols required for an MTA to accept an email, then spam will reduce. Either that or we need to build a better mousetrap. This is just my $0.02. How would you handle the PTR record for an SMTP server that hosts 500 virtual domains? Guess by charging a nominal fee for those hosts to have the record maintained? :-) If the sysadmin of an MTA can't maintain these or have them maintained, then we have bigger problems ... What do you think the PTR for a host with 500 virtual domains might look like? dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote: What do you think the PTR for a host with 500 virtual domains might look like? It doesn't matter -- as long as it points to some name that points back to the same IP. mail723.theprovidersdomain.com would work. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/ ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Matt Fretwell wrote: [EMAIL PROTECTED] wrote: IMO, a sending MTA should never have its smtp port closed unless it is an end-user. Once again, a sending server does not have to be a MX. Something within that domain should be listening on port 25, but not always the machine which is connecting to yours. Look at the hostname of my machine in the headers. You will see it has rDNS and fDNS, but is not a MX for the domain. True, but it could helo with its hostname and then it would match connecting back to check its 220 string. Even if it's a sending server, it should listen on 25 to verify that it is a mail server, even if it doesn't accept mail. If it doesn't listen on 25 (or isn't accessible) then it is a client and should be using some type of smtp-auth with the server to relay through it, or to one of its recipients. IMO, if you send a lot of mail, you should listen on port 25, even if you don't accept mail. ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Bill Taroli wrote: Matt Fretwell wrote: IMO, a sending MTA should never have its smtp port closed unless it is an end-user. Once again, a sending server does not have to be a MX. Something within that domain should be listening on port 25, but not always the machine which is connecting to yours. Look at the hostname of my machine in the headers. You will see it has rDNS and fDNS, but is not a MX for the domain. I think that was a typo, since the criteria he gave say the domain has an MX that... and not the MTA is an MX that... Basically, just edit sending MTA to MX for the sender's domain and I think we're good. :-) Thank you for the correction -- has an MX, not necessarily /is/ an MX. -Eric ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Eric J. Wisti wrote: What about the users (like me) that have one ip address to play with? Do I use the ONE ptr record for mail, web, dns, ftp or whatever else I choose to make available to the world. Generally, only mail has a loose 'requirement' for front to back dns a/ptr records, but back in the day, so did ftp servers for the client side. So, if I choose to advertise my PTR as fw.domain.name, you consider my mail server suspect, unless it was advertised as fw.domain.name? Just because I don't have an easy way to provide 10's of addresses to the world? I guess I'm saying that if I telnet to fw.domain.name on 25, I should see something like 220 fw.domain.name ESMTP mail relay. If it doesn't say that, then it is lying to anyone who connects to it. Forward and back dns should resolve to the name spit out by the smtp 220 string. This should be verifiable. If you host http and ftp on it as well then I think you can agree that these services do not need to be as picky about the rdns/fdns stuff. Many host http virtual domains on a single ip. This is ok 'cause it is identified in the Host: header of the http connection. My system is secured and my ISP reserves the right to scan the ip space they provide (and they do check) for a number of 'questionable' or worse servers/services and disable those ips until repaired. That may or may not be the case for other ISPs, but I shouldn't have to use my ISPs servers, just 'cuz I can't have 10's of ip addresses. True. So don't. If they let you host your services, then host them :) Some of us do this internet thing for fun and not for profit. If I am causing you problems, contact my ISP or blacklist my ip. I use Sendmail, Spamassassin, ClamAV and milter-greylist. Works well enough and if there is a server that is sending me things I don't care to get, I just add them to my private rbl list. No more mail. Might not work for a corporate server, but it works great for me. Takes time, yes. 
Impose restrictions on legit mail servers? NOPE. Until SPF or cost based email systems get accepted, you'll have to be creative in your filtering of mail. hehe... iptables -A INPUT -p tcp --dport 25 -j DROP No worries :) Punish the 'criminals' not the responsible persons. Yep -- that's the hard part and hopefully we will be there someday. Eric Wisti Great name, btw! -Eric ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote: What do you think the PTR for a host with 500 virtual domains might look like? dp If the hosting company is some-hoster.com then (adjusting file pathing appropriately) it might look like so:
Forward: (/var/named/some-hoster.com)
mail.some-hoster.com IN A 1.2.3.4
PTR: (/var/named/3.2.1.0-arpa)
4 IN PTR mail.some-hoster.com.
The hosting company should send/receive from their mail server no matter how many accounts they have. If they need more than one mail server, then use 1.2.3.5 and call it mail2 or something. The server should also spit out something like this when you telnet to them:
[EMAIL PROTECTED] ewheeler]$ telnet mail.some-hoster.com 25
Trying 1.2.3.4...
Connected to mail.some-hoster.com (1.2.3.4).
Escape character is '^]'.
220 mail.some-hoster.com ESMTP mail relay.
^]q
By doing this, the rdns, fdns and 220 banner all match and senders should be happy :) -Eric Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote: What do you think the PTR for a host with 500 virtual domains might look like? Big :) Matt ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] said: On Tue, 17 May 2005, Eric J. Wisti wrote: What about the users (like me) that have one ip address to play with? Do I use the ONE ptr record for mail, web, dns, ftp or whatever else I choose to make available to the world. Generally, only mail has a loose 'requirement' for front to back dns a/ptr records, but back in the day, so did ftp servers for the client side. So, if I choose to advertise my PTR as fw.domain.name, you consider my mail server suspect, unless it was advertised as fw.domain.name? Just because I don't have an easy way to provide 10's of addresses to the world? I guess I'm saying that if I telnet to fw.domain.name on 25, I should see something like 220 fw.domain.name ESMTP mail relay. If it doesn't say that, then it is lying to anyone who connects to it. Forward and back dns should resolve to the name spit out by the smtp 220 string. This should be verifiable. If I have a server with 500 virt hosts you could get a helo from any one of them. If you telnet back to it on port 25 what do you think you might see? One of about 499 liars, maybe? dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] wrote: Once again, a sending server does not have to be a MX. Something within that domain should be listening on port 25, but not always the machine which is connecting to yours. Look at the hostname of my machine in the headers. You will see it has rDNS and fDNS, but is not a MX for the domain. True, but it could helo with its hostname and then it would match connecting back to check its 220 string. Even if it's a sending server, it should listen on 25 to verify that it is a mail server, even if it doesn't accept mail. If it doesn't listen on 25 (or isn't accessible) then it is a client and should be using some type of smtp-auth with the server to relay through it, or to one of its recipients. IMO, if you send a lot of mail, you should listen on port 25, even if you don't accept mail. By that theory, we should ban most large providers and mailing lists. There are a countless number of companies that allow outgoing connections only from their servers. That theory is vastly flawed and will not work. Period. Also, any sending server is a client, irrelevant of whether it works in client and server mode. The connecting machine is *always* a client. Matt ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Christopher X. Candreva said: On Tue, 17 May 2005, Dennis Peterson wrote: What do you think the PTR for a host with 500 virtual domains might look like? It doesn't matter -- as long as it points to some name that points back to the same IP. mail723.theprovidersdomain.com would work. Just play along and see where Mr. Wheeler is taking us. dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote: I guess I'm saying that if I telnet to fw.domain.name on 25, I should see something like 220 fw.domain.name ESMTP mail relay. If it doesn't say that, then it is lying to anyone who connects to it. Forward and back dns should resolve to the name spit out by the smtp 220 string. This should be verifiable. If I have a server with 500 virt hosts you could get a helo from any one of them. If you telnet back to it on port 25 what do you think you might see? One of about 499 liars, maybe? Well I am assuming that you would be doing a forward-reverse-forward to and comparing it to there. If a forward of mail.someclient.com is 1.2.3.4 and a reverse of 1.2.3.4 is fw.domain.name and a forward of fw.domain.name is 1.2.3.4 then it's not lying. In fact, that is quite common. I'm saying there should be a consistent forward-reverse mapping for the actual mail server and that that mapping should match the 220 string. If someclient.com has more than one priority MX server to handle mail then whatever server is handling it (fw2.domain.name?) should have proper forward-and-back mappings. -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Nice. That couldn't be cleaner. There are plenty of ways of harmlessly disabling a system (no lost data, just no boot) and that would certainly be an awakening call for everyone across the board. People would get to reinstall their os and lose at least 2hrs of time. I really miss the days of destructive viruses. We just don't really see 'em like we used to. Remember Michelangelo? What was his birthday again? Actually, I think a little stealth would be better. Something like silently intercepting and dropping any attempts at opening an outbound email connection. --- Jef Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/ ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Bill Taroli wrote: Steffen Winther Soerensen wrote: This seems more like a discussion for another mailing list or a Usenet group on MTAs/SMTP IMHO I don't disagree... are there any good ones for SPF or similar debates? You're welcome to discuss things related to SPF on spf-discuss: http://spf.pobox.com/mailinglist.html mailto:[EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] said: On Tue, 17 May 2005, Dennis Peterson wrote: I guess I'm saying that if I telnet to fw.domain.name on 25, I should see something like 220 fw.domain.name ESMTP mail relay. If it doesn't say that, then it is lying to anyone who connects to it. Forward and back dns should resolve to the name spit out by the smtp 220 string. This should be verifiable. If I have a server with 500 virt hosts you could get a helo from any one of them. If you telnet back to it on port 25 what do you think you might see? One of about 499 liars, maybe? Well I am assuming that you would be doing a forward-reverse-forward to and comparing it to there. If a forward of mail.someclient.com is 1.2.3.4 and a reverse of 1.2.3.4 is fw.domain.name and a forward of fw.domain.name is 1.2.3.4 then it's not lying. In fact, that is quite common. I'm saying there should be a consistent forward-reverse mapping for the actual mail server and that that mapping should match the 220 string. If someclient.com has more than one priority MX server to handle mail then whatever server is handling it (fw2.domain.name?) should have proper forward-and-back mappings. -- Eric Wheeler I give up. I was really thinking the light was about to go on, too. dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Bill Taroli wrote: Eric Wheeler wrote: [...] For email transfer and MTA's alike, putting SPF in DNS to help authenticate the source is a step in the right direction. If SPF is a good idea, and it is dns based, then so should forward-and-back lookups. I totally agree that some solution is desirable to these issues. There are several efforts underway, including SPF -- which now appears (according to a recent visit to http://spf.pobox.com/) to be a formal part (or companion) to Sender ID. Uhm, no. There is SPF (AKA SPF Classic), and there is Sender-ID. S-ID is based on SPF, but SPF is independent from S-ID. The SPF project is currently working to set up a new website. Significant parts of http://spf.pobox.com are outdated. But this is mostly off-topic here. For more information, join the spf-discuss mailing list: http://spf.pobox.com/mailinglist.html mailto:[EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Matt Fretwell wrote: True, but it could helo with its hostname and then it would match connecting back to check its 220 string. Even if it's a sending server, it should listen on 25 to verify that it is a mail server, even if it doesn't accept mail. If it doesn't listen on 25 (or isn't accessible) then it is a client and should be using some type of smtp-auth with the server to relay through it, or to one of its recipients. IMO, if you send a lot of mail, you should listen on port 25, even if you don't accept mail. By that theory, we should ban most large providers and mailing lists. There are a countless number of companies that allow outgoing connections only from their servers. That theory is vastly flawed and will not work. Period. Also, any sending server is a client, irrelevant of whether it works in client and server mode. The connecting machine is *always* a client. What I am saying is that if you can't do some type of verification, whether it is connect-back (remember the old dialup callback-verification-system?) to the sending server or SPF or some other type of authentication mechanism, then you can't trust the sender. Really even SPF isn't great because DNS can be spoofed. Unless the source can prove its origin, it can not be trusted. In fact, most spam is a form of false identification and that, in and of itself, is the problem. Authenticate all of the MTAs in a way that MTA's trust each other and you have fixed much of the problem. Setting up DNS properly is a step in the right direction since most spammers/virus pushers do not properly implement DNS. The ultimate goal is only to send email from real addresses to real addresses. That way spammers would need real accounts to send through. Currently, most spam comes from addresses which do not exist. Many MTA's fail to require that an MX exists for the MAIL FROM domain and accept huge amounts of spam. 
To really fix the problem we would need to talk about a trusted third party and certificates for mail servers, much as https is handled to avoid repudiation of origin attacks like spam. I think that is where Microsoft is going, but I don't like it. I'm hoping for a simpler solution and SPF is heading in the right direction though it is not right for all situations. The hard part is that SMTP is the world's least secure protocol so we are trying to patch it with DNS and other mechanisms, but the reality is that it is a broken design from a security standpoint. What I am arguing will reduce the exposure to the problem, not eliminate it. I'm not sure what is next, but I look forward to the RFC which replaces SMTP as a standard. In the next ten years, this will all be different and it may take less time than that. -Eric -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote: Christopher X. Candreva said: On Tue, 17 May 2005, Dennis Peterson wrote: What do you think the PTR for a host with 500 virtual domains might look like? It doesn't matter -- as long as it points to some name that points back to the same IP. mail723.theprovidersdomain.com would work. Just play along and see where Mr. Wheeler is taking us. Probably to that rocket-ship from earlier which is likely bound for planet Utopia! This is open discussion. I want to tighten up our mail server and see what your thoughts are as system administrators. The collective experience on this list is more than I could ever hope to have individually. If you lookup MX on our network you will see that we haven't implemented this strategy. We are in the middle of an infrastructure redesign to handle the growth we are experiencing and I appreciate discussions like this which raise a bit of controversy. When our MTA's are rebuilt for the new network some of the strategies discussed in this thread will be implemented. Others will be implemented in a test-and-alert-me-only setup to see how effective it is. If it breaks only 1% of the mta's out there then that is an acceptable casualty rate and those sysadmins can be contacted. Messages would be 450'd and we may notify netadmin for the CIDR block automatically. If they do have a rouge spammer on their network, they might wish to know about it anyway. -Eric -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] wrote: What I am saying is that if you can't do some type of verification, whether it is connect-back (remember the old dialup callback-verification-system?) to the sending server or SPF or some other type of authentication mechanism, then you can't trust the sender. Really even SPF isn't great because DNS can be spoofed. SAV probes are little less than content free spam. I have firewall rules for offenders who don't cache their SAV results for a reasonable amount of time. Anyhow, I digress upon this subject. You obviously have a far more idealistic, (and pipe dream), outlook than I. Matt ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Jef Poskanzer wrote: Actually, I think a little stealth would be better. Something like silently intercepting and dropping any attempts at opening an outbound email connection. Ohh, you mean the New.net plugin? -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] wrote: If they do have a rouge spammer on their network, they might wish to know about it anyway. I assume that should have been rogue. ( Unless spammers have a predilection for make up :) Matt ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] said: On Tue, 17 May 2005, Matt Fretwell wrote: True, but it could helo with its hostname and then it would match connecting back to check its 220 string. Even if it's a sending server, it should listen on 25 to verify that it is a mail server, even if it doesn't accept mail. If it doesn't listen on 25 (or isn't accessible) then it is a client and should be using some type of smtp-auth with the server to relay through it, or to one of its recipients. IMO, if you send a lot of mail, you should listen on port 25, even if you don't accept mail. By that theory, we should ban most large providers and mailing lists. There are a countless number of companies that allow outgoing connections only from their servers. That theory is vastly flawed and will not work. Period. Also, any sending server is a client, irrelevant of whether it works in client and server mode. The connecting machine is *always* a client. What I am saying is that if you can't do some type of verification, whether it is connect-back (remember the old dialup callback-verification-system?) to the sending server or SPF or some other type of authentication mechanism, then you can't trust the sender. Really even SPF isn't great because DNS can be spoofed. It is impossible to get verification this way. All you have that you can depend on (and only just barely) is the IP of the source. The helo greeting and mail from: can be and frequently are faked or from virtual hosts. Even if the info is true there is still no way for you to guarantee it. Spammers buy throw-away domain names by the thousands, you know. There is no reason a host need identify itself using the name in its DNS PTR records. There is no reason a sending host needs an MX record. If I have 30 hosts behind a BigIP box you're going to see one IP regardless of which host is connected to you. I may have dozens of hosts that resolve to a single IP, and hosts that resolve to dozens of IP's. 
The closest thing you have is SPF and it's barely implemented and voluntary. Sure glad it's been a quiet day :-) dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
Julian Mehnle wrote: Bill Taroli wrote: Eric Wheeler wrote: [...] For email transfer and MTA's alike, putting SPF in DNS to help authenticate the source is a step in the right direction. If SPF is a good idea, and it is dns based, then so should forward-and-back lookups. I totally agree that some solution is desirable to these issues. There are several efforts underway, including SPF -- which now appears (according to a recent visit to http://spf.pobox.com/) to be a formal part (or companion) to Sender ID. Uhm, no. There is SPF (AKA SPF Classic), and there is Sender-ID. S-ID is based on SPF, but SPF is independent from S-ID. I did say (or companion), no? :-) And the other part of Sender ID is Microsloth, yes? I shudder at the thought of Microsoft's involvement, other than the potential benefit of better security in their products -- to avoid impact to the rest of us. The SPF project is currently working to set up a new website. Significant parts of http://spf.pobox.com are outdated. Glad to hear it. It's where I usually send folks asking about SPF -- or when I send other admins email about why their mail is getting rejected and to get more information. But this is mostly off-topic here. For more information, join the spf-discuss mailing list: http://spf.pobox.com/mailinglist.html Thank you for the pointer. Finished subscribing a few minutes ago. Bill
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote: [EMAIL PROTECTED] said: On Tue, 17 May 2005, Dennis Peterson wrote: I guess I'm saying that if I telnet to fw.domain.name on 25, I should see something like 220 fw.domain.name ESMTP mail relay. If it doesn't say that, then it is lying to anyone who connects to it. Forward and back dns should resolve to the name spit out by the smtp 220 string. This should be verifiable. If I have a server with 500 virt hosts you could get a helo from any one of them. If you telnet back to it on port 25 what do you think you might see? One of about 499 liars, maybe? Well I am assuming that you would be doing a forward-reverse-forward and comparing it there. If a forward of mail.someclient.com is 1.2.3.4 and a reverse of 1.2.3.4 is fw.domain.name and a forward of fw.domain.name is 1.2.3.4 then it's not lying. In fact, that is quite common. I'm saying there should be a consistent forward-reverse mapping for the actual mail server and that that mapping should match the 220 string. If someclient.com has more than one priority MX server to handle mail then whatever server is handling it (fw2.domain.name?) should have proper forward-and-back mappings. I give up. I was really thinking the light was about to go on, too. Actually, I think you're agreeing and don't realize it. If I read the point properly, he is not suggesting that the name returned in PTR necessarily match that of the 220 reply... but he is suggesting that the forward lookup against the 220 reply result in an IP consistent with what you looked up in PTR originally. And, yes, this is pretty typical of hosted setups. If my IP results in domain.com but my mail server 220 says domain.org, that's OK... because both of them forward lookup to the same IP. Or did I misunderstand the posting? Bill
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED] wrote: When our MTA's are rebuilt for the new network some of the strategies discussed in this thread will be implemented. Others will be implemented in a test-and-alert-me-only setup to see how effective it is. If it breaks only 1% of the mta's out there then that is an acceptable casualty rate and those sysadmins can be contacted. Just as a last note on this subject, if you implement some of the ideas you have been running by the list, your FP rate, at a very rough guess, would be closer to ten to fifteen percent than one. Matt
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Matt Fretwell wrote: [EMAIL PROTECTED] wrote: If they do have a rouge spammer on their network, they might wish to know about it anyway. I assume that should have been rogue. ( Unless spammers have a predilection for make up :) Hmm. I guess aspell thinks that is a word... and probably some spammers do, rofl.
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Matt Fretwell wrote: Big :) The 100+ subscribers of this mailing list would prefer not to receive your meaningless one-word responses to every post. Not even if you're correcting someone else's typo (rouge-rogue). I don't want to single you out, though. Others have been going off on arrogant ramblings about how their setup is better than everyone else's, but they can't seem to justify why. This thread has nothing whatsoever to do with ClamAV. How about taking it elsewhere? The sober.p stuff can be trivially blocked using appropriate tools [0] and pipe dreams about replacing SMTP are a bit off-topic for this list. [0] http://www.itg.uiuc.edu/~menscher/soberP.cf Damian Menscher
--
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] sober.p and german adverts?
Jef Poskanzer wrote: I really miss the days of destructive viruses. We just don't really see 'em like we used to. Remember Michaelangelo? What was his birthday again? Actually, I think a little stealth would be better. Something like silently intercepting and dropping any attempts at opening an outbound email connection. Internal clients on a network, (and I am referring to a LAN, not an ISP's clients, before anyone says anything), shouldn't be allowed to connect outbound on port 25 anyway. Everything internal should go through the MTA. Matt
Re: [Clamav-users] sober.p and german adverts?
It IS a word...just not the one you wanted. swine spellchekers On Tuesday 17 May 2005 05:12 pm, [EMAIL PROTECTED] wrote: On Tue, 17 May 2005, Matt Fretwell wrote: [EMAIL PROTECTED] wrote: If they do have a rouge spammer on their network, they might wish to know about it anyway. I assume that should have been rogue. ( Unless spammers have a predilection for make up :) Hmm. I guess aspell thinks that is a word... and probably some spammers do, rofl.
--
John Jolet Technology Solutions Your On-Demand IT Department 512-762-0729 www.jolet.net [EMAIL PROTECTED]
RE: [Clamav-users] sober.p and german adverts?
John Jolet wrote: On Tue, 17 May 2005, Matt Fretwell wrote: [EMAIL PROTECTED] wrote: If they do have a rouge spammer on their network, they might wish to know about it anyway. I assume that should have been rogue. ( Unless spammers have a predilection for make up :) Hmm. I guess aspell thinks that is a word... and probably some spammers do, rofl. It IS a word...just not the one you wanted. swine spellchekers On that note: http://jobsearch.monster.com/jobsearch.asp?q=manger
--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote: What I am saying is that if you can't do some type of verification, whether it is connect-back (remember the old dialup callback-verification-system?) to the sending server or SPF or some other type of authentication mechanism, then you can't trust the sender. Really even SPF isn't great because DNS can be spoofed. It is impossible to get verification this way. All you have that you can depend on (and only just barely) is the IP of the source. The helo greeting and mail from: can be and frequently are faked or from virtual hosts. Even if the info is true there is still no way for you to guarantee it. Spammers buy throw-away domain names by the thousands, you know. There is no reason a host need identify itself using the name in its DNS PTR records. There is no reason a sending host needs an MX record. If I have 30 hosts behind a BigIP box you're going to see one IP regardless of which host is connected to you. I may have dozens of hosts that resolve to a single IP, and hosts that resolve to dozens of IP's. The closest thing you have is SPF and it's barely implemented and voluntary. Sure glad it's been a quiet day :-) Heh - quiet day here too. I would say that if a sending domain does not have an MX, then I don't want its mail. Even mail-list domains should receive mail for (un)subscribe. You are right, a sending host doesn't need an MX, but whatever ip it is coming out of should answer on port 25 to fly a 220 banner unless it is an end user. I also realize that many don't listen on port 25, however, it sure would help with the spam problem if they would. I think what this is coming down to is try it and see.
--
Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Bill Taroli wrote: If I have a server with 500 virt hosts you could get a helo from any one of them. If you telnet back to it on port 25 what do you think you might see? One of about 499 liars, maybe? Well I am assuming that you would be doing a forward-reverse-forward and comparing it there. If a forward of mail.someclient.com is 1.2.3.4 and a reverse of 1.2.3.4 is fw.domain.name and a forward of fw.domain.name is 1.2.3.4 then it's not lying. In fact, that is quite common. I'm saying there should be a consistent forward-reverse mapping for the actual mail server and that that mapping should match the 220 string. If someclient.com has more than one priority MX server to handle mail then whatever server is handling it (fw2.domain.name?) should have proper forward-and-back mappings. I give up. I was really thinking the light was about to go on, too. Actually, I think you're agreeing and don't realize it. If I read the point properly, he is not suggesting that the name returned in PTR necessarily match that of the 220 reply... but he is suggesting that the forward lookup against the 220 reply result in an IP consistent with what you looked up in PTR originally. And, yes, this is pretty typical of hosted setups. If my IP results in domain.com but my mail server 220 says domain.org, that's OK... because both of them forward lookup to the same IP. Or did I misunderstand the posting? Thank you, this is exactly where I am going :)
--
Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770
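The forward-reverse-forward test that Bill Taroli spells out in the message above (and that Eric Wheeler confirms here), as an added example that is not code from anyone in the thread: the PTR name of the client IP must resolve back to that IP, and the hostname in the 220 banner must also resolve to that IP, while the two names are allowed to differ so that a box with hundreds of virtual hosts is not flagged. The DNS tables are constructed for the example and stand in for real lookups; as Dennis Peterson points out, a consistent mapping only says the host is not lying about its name, not that it can be trusted.

```python
"""Forward-reverse-forward consistency check for a connecting SMTP client.

Added example, not code from the thread.  The A and PTR tables below are
constructed stand-ins for real DNS lookups; replace forward()/reverse()
with a resolver call (e.g. dnspython) to use this against live hosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed DNS data for the example (none of these are real hosts).
A_RECORDS = {
    "fw.domain.name": {"1.2.3.4"},
    "fw2.domain.name": {"1.2.3.5"},
    "mail.someclient.com": {"1.2.3.4"},   # virtual host on the same box as fw
    "bogus.example": {"10.9.8.7"},
}
PTR_RECORDS = {
    "1.2.3.4": ["fw.domain.name"],
    "1.2.3.5": ["fw2.domain.name"],
    "10.9.8.7": ["somebody-else.example"],  # PTR name with no A record back
}


def forward(name: str) -> Set[str]:
    """A-record lookup against the constructed table (case and trailing dot ignored)."""
    return A_RECORDS.get(name.lower().rstrip("."), set())


def reverse(ip: str) -> List[str]:
    """PTR lookup against the constructed table."""
    return PTR_RECORDS.get(ip, [])


def banner_hostname(banner: str) -> Optional[str]:
    """Pull the announced hostname out of a greeting such as
    '220 fw.domain.name ESMTP mail relay'.  Anything that is not a
    '220 <domain> ...' line yields None."""
    parts = banner.strip().split()
    if len(parts) < 2 or parts[0] != "220":
        return None
    return parts[1]


@dataclass(frozen=True)
class Verdict:
    consistent: bool
    reason: str


def check_client(client_ip: str, banner: str) -> Verdict:
    """Apply the forward-reverse-forward test to a connecting IP and its 220 banner.

    A True verdict means the naming is self-consistent; it is a plausibility
    check on the host's identity, not proof that its mail is wanted.
    """
    try:
        ipaddress.ip_address(client_ip)
    except ValueError:
        return Verdict(False, f"not an IP literal: {client_ip!r}")

    name = banner_hostname(banner)
    if name is None:
        return Verdict(False, "no parsable 220 greeting")

    # Step 1: reverse lookup of the client IP must yield at least one name.
    ptr_names = reverse(client_ip)
    if not ptr_names:
        return Verdict(False, f"no PTR record for {client_ip}")

    # Step 2: at least one PTR name must resolve forward to the same IP.
    if not any(client_ip in forward(n) for n in ptr_names):
        return Verdict(False, f"PTR name(s) {ptr_names} do not resolve back to {client_ip}")

    # Step 3: the name announced in the banner must also resolve to the client IP.
    # It does not have to equal the PTR name; that is what keeps a box hosting
    # 500 virtual domains from being flagged as "499 liars".
    if client_ip not in forward(name):
        return Verdict(False, f"220 name {name} does not resolve to {client_ip}")

    return Verdict(True, f"{client_ip}, PTR {ptr_names[0]} and 220 name {name} agree")


if __name__ == "__main__":
    for ip, greeting in [
        ("1.2.3.4", "220 fw.domain.name ESMTP mail relay"),
        ("1.2.3.4", "220 mail.someclient.com ESMTP"),   # virtual host: passes
        ("1.2.3.5", "220 mail.someclient.com ESMTP"),   # wrong box: fails
        ("10.9.8.7", "220 bogus.example ESMTP"),        # PTR does not resolve back
    ]:
        v = check_client(ip, greeting)
        print(f"{ip:>10} {greeting!r}: {'OK  ' if v.consistent else 'FAIL'} {v.reason}")
```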
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote: Damian Menscher said: Since you are speaking for all of us what do we think of your 5 line sig? I bet some of us think it sux. As do I. But I think you'll agree it is about as dense as possible given the amount of information (I work two jobs, and my employers require me to include that fifth line when posting to public lists). But that's off-topic for this list also. I found the DNS discussion interesting and it helps to understand what other mail admins are thinking about the processes around clamav and email. It's mildly interesting, but has nothing to do with ClamAV. And did you not find the clamd log permissions debugging segment in another thread educational? I did. I found Stephen Gran's comment interesting, in that he beat me to finding the bug (I'd wasted time looking in clamav-milter.c first). The rest of the posts, including your arrogant ramblings, were worthless. It was an informative day with no major new clamav issues - that's a good thing. Well, the LogFile thing is major in the sense that it confused a lot of newbies. But the rest of the discussion here today has been a complete waste. You people really need to spend more time reading what others have done, rather than spending all day screaming your heads off about your own little viewpoints. Regards, Damian Menscher
--
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] sober.p and german adverts?
Damian Menscher said: On Tue, 17 May 2005, Dennis Peterson wrote: I found Stephen Gran's comment interesting, in that he beat me to finding the bug (I'd wasted time looking in clamav-milter.c first). The rest of the posts, including your arrogant ramblings, were worthless. I'll be damned. And here I thought making folks incrementally aware that starting clamav with intelligent scripts and as the actual clamav runtime user and not as root would be very helpful in dealing with what you thought was a bug. I had this bug solved before I finished my breakfast coffee without looking at a single line of code and took the time to explain it all. Silly me. Or silly you... which? dp
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote: SAV probes are little less than content free spam. I have firewall rules for offenders who don't cache their SAV results for a reasonable amount of time. We get hammered by these non-stop. We don't have rules targeting them specifically, but the badly-behaved ones dig their own virtual graves. You see, we limit the number of concurrent connections a host can make to our mail server. Once they use up all their allotted connections on our primary MX, instead of doing something sensible, like noticing that they're trying to open a zillion simultaneous connections to the same server (all to verify the same forged address), they just drop to the next MX, use up those connections and drop to the next. Eventually they get down to our ultra-low priority decoy MX that we set up to attract spammers, and they land in our tar pit.
--
Kelson Vibber SpeedGate Communications www.speed.net
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Dennis Peterson wrote: Damian Menscher said: I found Stephen Gran's comment interesting, in that he beat me to finding the bug (I'd wasted time looking in clamav-milter.c first). The rest of the posts, including your arrogant ramblings, were worthless. I'll be damned. And here I thought making folks incrementally aware that starting clamav with intelligent scripts and as the actual clamav runtime user and not as root would be very helpful in dealing with what you thought was a bug. I had this bug solved before I finished my breakfast coffee without looking at a single line of code and took the time to explain it all. Silly me. Or silly you... which? The bug wouldn't affect me as I use the LogSyslog option. IMHO it's silly for applications to do their own logging. The explanation for the LogFile existing as an option was, I think, that Windows doesn't provide a syslog() functionality. So, I don't feel silly. Up to you if you want to call yourself silly for wasting a day talking about a non-issue. Damian Menscher
--
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] sober.p and german adverts?
Damian Menscher wrote: And did you not find the clamd log permissions debugging segment in another thread educational? I did. I found Stephen Gran's comment interesting, in that he beat me to finding the bug (I'd wasted time looking in clamav-milter.c first). The rest of the posts, including your arrogant ramblings, were worthless. Firstly Damian, it is not a bug. If you think the logfile issue is a bug, you and I obviously have vastly different opinions regarding bugs. Secondly, debates on a subject are not 'arrogant ramblings' just because you do not think they fit within the general discussion area of a list. And how you have the indecency to accuse someone of posting off-topic responses, when that is exactly what you have just done, is pure hypocrisy. Full example below: You people really need to spend more time reading what others have done, rather than spending all day screaming your heads off about your own little viewpoints. Do not dare to criticise, and then have the gross indecency to commit the same. A polite request one may have abided by; innate ignorance, however, is a different thing. Matt
Re: [Clamav-users] sober.p and german adverts?
Damian Menscher said: On Tue, 17 May 2005, Dennis Peterson wrote: Damian Menscher said: I found Stephen Gran's comment interesting, in that he beat me to finding the bug (I'd wasted time looking in clamav-milter.c first). The rest of the posts, including your arrogant ramblings, were worthless. I'll be damned. And here I thought making folks incrementally aware that starting clamav with intelligent scripts and as the actual clamav runtime user and not as root would be very helpful in dealing with what you thought was a bug. I had this bug solved before I finished my breakfast coffee without looking at a single line of code and took the time to explain it all. Silly me. Or silly you... which? The bug wouldn't affect me as I use the LogSyslog option. IMHO it's silly for applications to do their own logging. The explanation for the LogFile existing as an option was, I think, that Windows doesn't provide a syslog() functionality. It didn't impact me either, big sig guy, but I had a solution so hopefully between you and me we helped some folks out today and maybe even raised some awareness about starting and running processes and administrative empowerment. How bad could that be? dp
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 4:03 PM, Bill Taroli wrote: Steffen Winther Soerensen wrote: This seems more like a discussion for another mailing list or a Usenet group on MTAs/SMTP IMHO I don't disagree... are there any good ones for SPF or similar debates? I do think -- much as you'd find in the Amavisd list -- that these issues do tend to intersect and overlap in various ways. While clamav is obviously about virii, it routinely gets deployed right alongside spam and other tools. I'd argue that ClamAV is no longer even just an AV. It was crossing the line to malware detector when it started filtering phishing attempts that have nothing to do with viruses, much as Spybot now detects several Bagle variants. Not saying it's good or bad...just stating the way it appears to be from this observer's viewpoint.
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 7:06 PM, Damian Menscher wrote: On Tue, 17 May 2005, Dennis Peterson wrote: Damian Menscher said: Since you are speaking for all of us what do we think of your 5 line sig? I bet some of us think it sux. As do I. But I think you'll agree it is about as dense as possible given the amount of information (I work two jobs, and my employers require me to include that fifth line when posting to public lists). But that's off-topic for this list also. You don't have a personal email address to use in the lists? And what about the other four lines each and every time? I found the DNS discussion interesting and it helps to understand what other mail admins are thinking about the processes around clamav and email. It's mildly interesting, but has nothing to do with ClamAV. Then give it some time and the thread will die, as all the other threads do eventually. Everyone gets tired of this stuff eventually. But it's also important to acknowledge that this is a ClamAV user community, and obviously there are some members of the community that have found a topic that strikes a nerve...let'm play it out or it'll just keep coming up again. And did you not find the clamd log permissions debugging segment in another thread educational? I did. I found Stephen Gran's comment interesting, in that he beat me to finding the bug (I'd wasted time looking in clamav-milter.c first). The rest of the posts, including your arrogant ramblings, were worthless. I'm sure people looking through archives and seeing how members of the community regard others' input as worthless and arrogant will certainly reflect nicely on the community... Does it occur to anyone that maybe within this ClamAV community some people have found others that they think may have respectable opinions worth listening to, that they may not find in the other groups? That maybe these people here are a good resource from which to learn? Just because I have a friend that is big on Fieros doesn't mean he doesn't have other interests or experiences that I respect hearing about, even if it's while he's working on the Fiero at the time... It was an informative day with no major new clamav issues - that's a good thing. Well, the LogFile thing is major in the sense that it confused a lot of newbies. But the rest of the discussion here today has been a complete waste. You people really need to spend more time reading what others have done, rather than spending all day screaming your heads off about your own little viewpoints. When a thread seems to just take up space to me, I just use the thread view so all the messages to a particular thread are in one group, then highlight it and hit delete. Unlike spam, no one is trying to munge, mangle, or hide the origin of these messages. They're fairly easy to actually hit delete and have go away. And also unlike spam, when I ignore a thread, it goes away after a relatively short time and it's also easy to redirect to a clamav folder for organization... But that's just my arrogant, worthless opinion.
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote: On May 17, 2005, at 4:03 PM, Bill Taroli wrote: Steffen Winther Soerensen wrote: This seems more like a discussion for another mailing list or a Usenet group on MTAs/SMTP IMHO I don't disagree... are there any good ones for SPF or similar debates? I do think -- much as you'd find in the Amavisd list -- that these issues do tend to intersect and overlap in various ways. While clamav is obviously about virii, it routinely gets deployed right alongside spam and other tools. I'd argue that ClamAV is no longer even just an AV. It was crossing the line to malware detector when it started filtering phishing attempts that have nothing to do with viruses, much as Spybot now detects several Bagle variants. Not saying it's good or bad...just stating the way it appears to be from this observer's viewpoint. Good point. That said, I do admit this discussion probably would have been better received in the SPF mail lists. Already been reading them some and figure that this discussion might well move there. :-) Bill
[Clamav-users] sober.p and german adverts?
Some more info... I see in our amavis logs on our ClamAV system (postfix pre-filter FreeBSD for email) this kind of listing...
/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), [EMAIL PROTECTED] - f-Ge2_bV@address snipped, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
That address had been hammering us over and over for a while with sober.p. Now it's become quiet. I notice a huge amount of german messages coming in, getting past the AV and our spam filter. I went into the Exchange server and there was one sample message in one of the recipient mailboxes with the following in the headers:
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
The message has the German subject line and the text appears to be just a link to a website...? Perhaps we now know what happened to sober.p? (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
Re: [Clamav-users] sober.p and german adverts?
I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting. Thanks Mike On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote: Some more info... I see in our amavis logs on our ClamAV system (postfix pre-filter FreeBSD for email) this kind of listing...
/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), [EMAIL PROTECTED] - f-Ge2_bV@address snipped, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
That address had been hammering us over and over for awhile with sober.p. Now it's become quiet. I notice a huge amount of german messages coming in, getting past the AV and our spam filter. I went into the Exchange server and there was one sample message in one of the recipient mailboxes with the following in the headers:
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
The message has the German subject line and the text appears to be just a link to a website...? Perhaps we now know what happened to sober.p? (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 9:00 AM, Mike Blonder wrote: I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting. I'm new to the sleuthing aspect, so forgive me if I'm offbase here...(education/explanations always welcome! Plus it's made harder because the messages I have to work with are on a Unix system and mangled headers off an Exchange final destination) I know that usually they alter the headers and spoof (viruses, that is) but I thought it strange that we've been hammered by sober.p with that same address showing up over and over again in our amavis logs :
# grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
16546
Usually it should vary things, I'd think. But then one of the first german gibberish messages I had found in a mailbox had the following right in the header:
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
Coincidence? The first set I grepped was the IP of Sober.P's being stopped at the bastion server over the past couple weeks looking for that specific IP name. The second was a sample german message that managed to find its way to the administrator mail account on the exchange server. I mean,...spoofing I understand, and expect...but is it really coincidental that these just happened to hit that IP? That's why I wondered if maybe there wasn't a link between the two...that sober.p is now a mass mailing spam tool. Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote: Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-) If I remember correctly, a sideline of sober.p is to install sober.q on the infected machine, which then spews these messages. Matt
Re: [Clamav-users] sober.p and german adverts?
OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage. Thanks Mike I will check the next batch I receive (I hope I don't) for the same address On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote: On May 16, 2005, at 9:00 AM, Mike Blonder wrote: I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting. I'm new to the sleuthing aspect, so forgive me if I'm offbase here...(education/explanations always welcome! Plus it's made harder because the messages I have to work with are on a Unix system and mangled headers off an Exchange final destination) I know that usually they alter the headers and spoof (viruses, that is) but I thought it strange that we've been hammered by sober.p with that same address showing up over and over again in our amavis logs :
# grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
16546
Usually it should vary things, I'd think. But then one of the first german gibberish messages I had found in a mailbox had the following right in the header:
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
Coincidence? The first set I grepped was the IP of Sober.P's being stopped at the bastion server over the past couple weeks looking for that specific IP name. The second was a sample german message that managed to find its way to the administrator mail account on the exchange server. I mean,...spoofing I understand, and expect...but is it really coincidental that these just happened to hit that IP? That's why I wondered if maybe there wasn't a link between the two...that sober.p is now a mass mailing spam tool. Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)
RE: [Clamav-users] sober.p and german adverts?
Hi

Please see http://www.theregister.co.uk/2005/05/16/sober_spews_spam/

Rgds

John Taylor
Network Security Manager
Synstar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Blonder
Sent: 16 May 2005 15:00
To: ClamAV users ML
Subject: Re: [Clamav-users] sober.p and german adverts?

OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage.

Thanks
Mike

I will check the next batch I receive (I hope I don't) for the same address

On 5/16/05, Bart Silverstrim [EMAIL PROTECTED] wrote:
> On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
>> I am also getting inundated with German gibberish spam. Would you mind explaining the significance (if any) of the email address that you posted? I am finding that the German Gibberish garbage is spoofing a different email address with each posting.
>
> I'm new to the sleuthing aspect, so forgive me if I'm off base here... (education/explanations always welcome! Plus it's made harder because the messages I have to work with are on a Unix system and mangled headers off an Exchange final destination)
>
> I know that usually they alter the headers and spoof (viruses, that is) but I thought it strange that we've been hammered by sober.p with that same address showing up over and over again in our amavis logs:
>
> # grep 24-25-128-223 amavis.log | grep Sober.P | wc -l
> 16546
>
> Usually it should vary things, I'd think. But then one of the first german gibberish messages I had found in a mailbox had the following right in the header:
>
> Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
>
> Coincidence?
>
> The first set I grepped was the IP of Sober.P's being stopped at the bastion server over the past couple weeks looking for that specific IP name. The second was a sample german message that managed to find its way to the administrator mail account on the exchange server.
>
> I mean,...spoofing I understand, and expect...but is it really coincidental that these just happened to hit that IP? That's why I wondered if maybe there wasn't a link between the two...that sober.p is now a mass mailing spam tool.
>
> Are there any analysis papers out on sober.p yet? And can anyone else corroborate the theory I have, or am I totally off-base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)
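The grep quoted above counts hits for one IP that was already known. As an added example (not code from the thread), the Python below does the general version: it tallies detections of a given signature per delivering client from scanner log lines, so you can see whether a few hosts carry most of the hits, which is the question raised above about 16000 hits from a single address. The log layout and the sample lines are constructed for this example and are not real amavis output; adapt INFECTED_RE to whatever your scanner actually logs.

```python
import re
from collections import Counter

# Constructed sample in an amavis-like style (not real log data): one line per
# message with the scanner verdict, the malware name and the delivering client.
SAMPLE_LOG = """\
May 16 08:01:12 bastion amavis[4101]: (04101-01) INFECTED (Worm.Sober.P), [24.25.128.223] <a@example.org> -> <admin@example.net>
May 16 08:01:40 bastion amavis[4102]: (04102-01) INFECTED (Worm.Sober.P), [24.25.128.223] <c@example.org> -> <admin@example.net>
May 16 08:02:05 bastion amavis[4103]: (04103-01) Passed CLEAN, [198.51.100.7] <d@example.org> -> <admin@example.net>
May 16 08:02:31 bastion amavis[4104]: (04104-01) INFECTED (Worm.Sober.P), [203.0.113.9] <e@example.org> -> <admin@example.net>
May 16 08:03:02 bastion amavis[4105]: (04105-01) INFECTED (Worm.Sober.P), [24.25.128.223] <f@example.org> -> <admin@example.net>
May 16 08:03:44 bastion amavis[4106]: (04106-01) INFECTED (Worm.Mydoom.M), [24.25.128.223] <g@example.org> -> <admin@example.net>
"""

# Regex for the constructed layout above: malware name and client IP.
INFECTED_RE = re.compile(r"INFECTED \((?P<name>[^)]+)\), \[(?P<ip>[0-9.]+)\]")


def count_infected_by_client(log_text, signature):
    """Count detections whose malware name contains `signature`, keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if m and signature in m.group("name"):
            counts[m.group("ip")] += 1
    return counts


def source_profile(counts):
    """Return (distinct_sources, total_hits, share_of_top_source).

    A handful of IPs carrying most of the hits points at a few persistently
    infected hosts; thousands of sources with a hit or two each would point
    at a widely spread infection instead.
    """
    total = sum(counts.values())
    if total == 0:
        return (0, 0, 0.0)
    top = counts.most_common(1)[0][1]
    return (len(counts), total, top / total)


if __name__ == "__main__":
    by_ip = count_infected_by_client(SAMPLE_LOG, "Sober.P")
    for ip, n in by_ip.most_common():
        print(f"{n:6d}  {ip}")
    print("sources, hits, top share:", source_profile(by_ip))
```

Run against a real log, `source_profile` answers the question in the thread directly: a top share near 1.0 means one host is doing almost all of the hammering, and that is the address to raise with its ISP or to block.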
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 9:59 AM, Mike Blonder wrote:
> OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage.

Sort of. I can't find oncbuv.com so it's spoofed. The IP actually reverses to a RoadRunner address. I was hammered by the RR address, then the administrator had one message in german gibberwocky that appeared to be from that IP.
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51
>
> Maybe you should have simply entered it into google? I'm quite sure that google would have led you to the right place. Yes, google can search for german strings too! IMOH ;-)

I did enter it in when I first discovered it, but there were no hits. I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.

>> and the text appears to be just a link to a website...?
>
> Yes, it is. Many of them are pointing to websites of reputed printed newsletters/magazines like Der Spiegel.

Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...or at least not enough to cross the threshold of spam vs. regular mail.

>> Perhaps we now know what happened to sober.p?
>
> See:
> http://www.viruslist.com/en/weblog
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
> Details in german: http://www.heise.de/newsticker/meldung/59562

Well...I'm somewhat proud of myself that so far my hunches and (amateurish) deductions had me on the right track :-)

>> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
>
> Write complaints to the owners of the IP blocks! The MAIL FROM is always faked. The URL-owner is mostly innocent too. Block all mails from dynamic IP. They are 99,99% spam.

Is there a way to do that with the access file/postmap in postfix? Block sender IP's/IP blocks?

I thought it was odd that our hammering from particular sober.p infections were consistent in IP. If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?
Re: [Clamav-users] sober.p and german adverts?
> Block all mails from dynamic IP. They are 99,99% spam.

No they aren't; that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.

--
Cheers
Brian
http://www.abandonmicrosoft.co.uk
RE: [Clamav-users] sober.p and german adverts?
It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Silverstrim
Sent: 16 May 2005 16:05
To: ClamAV users ML
Subject: Re: [Clamav-users] sober.p and german adverts?

On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51
>
> Maybe you should have simply entered it into google? I'm quite sure that google would have led you to the right place. Yes, google can search for german strings too! IMOH ;-)

I did enter it in when I first discovered it, but there were no hits. I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.

>> and the text appears to be just a link to a website...?
>
> Yes, it is. Many of them are pointing to websites of reputed printed newsletters/magazines like Der Spiegel.

Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...or at least not enough to cross the threshold of spam vs. regular mail.

>> Perhaps we now know what happened to sober.p?
>
> See:
> http://www.viruslist.com/en/weblog
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
> Details in german: http://www.heise.de/newsticker/meldung/59562

Well...I'm somewhat proud of myself that so far my hunches and (amateurish) deductions had me on the right track :-)

>> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
>
> Write complaints to the owners of the IP blocks! The MAIL FROM is always faked. The URL-owner is mostly innocent too. Block all mails from dynamic IP. They are 99,99% spam.

Is there a way to do that with the access file/postmap in postfix? Block sender IP's/IP blocks?

I thought it was odd that our hammering from particular sober.p infections were consistent in IP. If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 11:08 AM, Randal, Phil wrote:
> It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links.

Thank you, that's my next task when I get a block of time today.

Thanks again!
Re: [Clamav-users] sober.p and german adverts?
Brian Read wrote:
>> Block all mails from dynamic IP. They are 99,99% spam.
>
> No they aren't; that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.

There are reasonable ISP's, (pricewise), with regards to static ranges. There is however the fact that whether the IP's are static or dynamic, business or domestic class, some ISP's, (mentioning no names), impose relay restrictions by the domain part in the *sender* address, if you try doing it the 'relay through ISP's mailhost' way. Which does leave the choice of having the MTA connect directly to retain the correct domain part of the sender's mail address.

This bumph about people shouldn't be allowed to run a direct MTA to MTA setup unless they have static IP's is nonsense. One might even say that it is MTA (elitism|snobbery). There are plenty of legitimate MTA setups running on dynamic IP's. A lot of the time they are configured in a better fashion than the service providers' own MTA's that most would have them relay through. There really is no legitimate reason for blocking dynamic IP ranges at the outset.

What really does amaze me though, is that these are generally the admins who will turn around and say, 'Don't block (variable), you will lose too much legitimate mail'. Where is the logic in that? They will allow a crappily configured multinational corporation or ISP to connect, yet not give dynamics the slightest chance to prove their reliability.

Matt
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote:
> That address had been hammering us over and over for awhile with sober.p. Now it's become quiet.

Yes. Now the infected hosts are sending out spam containing (very) right-wing political propaganda.

> Perhaps we now know what happened to sober.p?

Yes. The same thing has happened last year, IIRC with another version of sober.

> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)

Those senders are faked.

-thh
Re: [Clamav-users] sober.p and german adverts?
Todd Lyons wrote:
> You should make their ISP's mail servers be the smarthost or relayhost for that customer's mail server.

Oh yes, really.

> Some ISP's don't allow you to relay mail through them if it's not for @ispdomain.com.

They don't allow you to do that so that they can charge you more than your service charge per month for the 'ability to use your own domain name in outgoing mail'. Dream on about using them as a relayhost. This restriction bit me in the arse with several customers before finding out what the problem was. The fact that the information on this point is buried away, and in no way any reference, or hint, supplied in any 5** responses, doesn't make life any easier.

Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote:
> Brian Read wrote:
>>> Block all mails from dynamic IP. They are 99,99% spam.
>>
>> No they aren't; that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.
>
> There are reasonable ISP's, (pricewise), with regards to static ranges. There is however the fact that whether the IP's are static or dynamic, business or domestic class, some ISP's, (mentioning no names), impose relay restrictions by the domain part in the *sender* address, if you try doing it the 'relay through ISP's mailhost' way. Which does leave the choice of having the MTA connect directly to retain the correct domain part of the sender's mail address.
>
> This bumph about people shouldn't be allowed to run a direct MTA to MTA setup unless they have static IP's is nonsense. One might even say that it is MTA (elitism|snobbery). There are plenty of legitimate MTA setups running on dynamic IP's. A lot of the time they are configured in a better fashion than the service providers' own MTA's that most would have them relay through. There really is no legitimate reason for blocking dynamic IP ranges at the outset.
>
> What really does amaze me though, is that these are generally the admins who will turn around and say, 'Don't block (variable), you will lose too much legitimate mail'. Where is the logic in that? They will allow a crappily configured multinational corporation or ISP to connect, yet not give dynamics the slightest chance to prove their reliability.
>
> Matt

This email, for instance, was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning.

I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call.

I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness.
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:05

> I did enter it in when I first discovered it, but there were no hits.

Ok, next time mention it ;-)

> I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.

>> Many of them are pointing to websites of reputed printed newsletters/magazines like Der Spiegel.
>
> Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...

There is a list of known subjects which can be fed into SpamAssassin. But in a few days that spam will stop.

> or at least not enough to cross the threshold of spam vs. regular mail.

>> Write complaints to the owners of the IP blocks! The MAIL FROM is always faked. The URL-owner is mostly innocent too. Block all mails from dynamic IP. They are 99,99% spam.
>
> Is there a way to do that with the access file/postmap in postfix? Block sender IP's/IP blocks?

Sounds good. There are RBL (realtime black lists) which list all known dynamic IPs. Another way is to trigger on strings like dial, dyn, ADSL, cable in the reverse name. Rejecting all IPs which do not have an rDNS is helpful too. But have an exact look at the logfiles!

> I thought it was odd that our hammering from particular sober.p infections were consistent in IP.

I scanned out logfile today: there where

> If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?

They use 16000 different home PCs infected before. TCP IP spoofing is very difficult, and if they could do it, they would use it just to send spam. But too there are bigger engine owned.

Rainer
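The three checks above (dynamic-looking reverse names, missing rDNS, and reading the logs before enforcing anything) as an added Python dry run; this is not code from the thread or from Postfix. It classifies a constructed list of SMTP clients the way such a policy would and tallies each decision against the scanner's verdict for that client, so the legitimate mail the policy would cost (the objection raised by Brian and Matt) is visible before a single connection is refused. The token list starts from the four words in the post; `dynamic`, `dhcp` and `pool` are my additions. Note that the RoadRunner name quoted earlier in the thread contains none of these tokens and is classified as accept, which is exactly why the post says to look at the logfiles: the list has to be tuned to what your own logs show. In Postfix the enforcing equivalent is `check_client_access` with a `pcre:` table holding the same patterns.

```python
import re
from collections import Counter

# Name fragments that usually mark a consumer dial-up/DSL/cable pool. The first
# four come from the post above; 'dynamic', 'dhcp' and 'pool' are additions for
# this example. Extend only after checking what the new token matches in your logs.
DYNAMIC_TOKENS = ("dial", "dyn", "dynamic", "adsl", "cable", "dhcp", "pool")
# Tokens must be delimited by separators or digits, so 'dyn' inside 'dynatech' does not fire.
DYNAMIC_RE = re.compile(r"(?<![a-z])(" + "|".join(DYNAMIC_TOKENS) + r")(?![a-z])", re.I)


def classify_client(ip, rdns):
    """Decide what a reverse-name policy would do with one SMTP client.

    rdns is the PTR name, or None when the address has no reverse record.
    Returns 'reject-no-rdns', 'reject-dynamic-name' or 'accept'.
    """
    if not rdns:
        return "reject-no-rdns"
    if DYNAMIC_RE.search(rdns):
        return "reject-dynamic-name"
    return "accept"


def dry_run(connections):
    """Apply the policy to (ip, rdns, scanner_verdict) tuples without enforcing it.

    Returns the per-client rows and a Counter of (decision, verdict) pairs.
    Rows with a reject decision and a CLEAN verdict are the legitimate mail
    the policy would turn away; accept rows with INFECTED are what it misses.
    """
    rows = [(classify_client(ip, rdns), verdict, ip, rdns) for ip, rdns, verdict in connections]
    return rows, Counter((decision, verdict) for decision, verdict, _, _ in rows)


# Constructed sample of one day's clients (documentation IPs, invented names).
SAMPLE_CONNECTIONS = [
    ("24.25.128.223", "aolclient-24-25-128-223.aol.nycap.res.rr.com", "INFECTED"),  # no token matches
    ("203.0.113.9", "cpe-203-0-113-9.cable.example.net", "INFECTED"),
    ("203.0.113.77", None, "INFECTED"),
    ("198.51.100.7", "mail.example.org", "CLEAN"),
    ("198.51.100.44", "dsl-198-51-100-44.dyn.example.net", "CLEAN"),  # a real MTA on a dynamic line
    ("192.0.2.10", "mx1.example.com", "CLEAN"),
]

if __name__ == "__main__":
    rows, summary = dry_run(SAMPLE_CONNECTIONS)
    for row in rows:
        print("%-20s %-9s %-15s %s" % row)
    print(dict(summary))
```

Feed `dry_run` a day of real (client IP, PTR, verdict) triples pulled from the scanner log and look at the `("reject-dynamic-name", "CLEAN")` and `("accept", "INFECTED")` counts before deciding whether the patterns are worth enforcing.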
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED](Brian Read) 16.05.05 16:08

> Once upon a time Brian Read shaped the electrons to say...
>>> Block all mails from dynamic IP. They are 99,99% spam.
>
> No they aren't; that rule causes quite a few of my customers a headache,

That's the missing 0.01% I know.

> as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.

But most offer a smart host. If not, you have the wrong ISP.

To be realistic: It is already not wise to send emails from a dynamic IP to unknown recipients. Too many ISPs reject such mails too, have to reject as the worm traffic has already an unbelievable amount.

Rainer
Re: [Clamav-users] sober.p and german adverts?
[EMAIL PROTECTED](Todd Lyons) 16.05.05 10:14

> Brian Read wanted us to know:
>>> Block all mails from dynamic IP. They are 99,99% spam.
>
> Agreed.
>
>> No they aren't; that rule causes quite a few of my customers a headache, as the (linux) mailserver I often install sends the email direct, irrespective of whether their IP is dynamic or static. Some ISPs charge an arm and a leg for static IPs.
>
> You should make their ISP's mail servers be the smarthost or relayhost for that customer's mail server. Some ISP's don't allow you to relay mail through them if it's not for @ispdomain.com. In that case, you should offer them a value add service to relay mail for them and then configure SSL (583) so that they don't have that problem.

But very often the domain hoster relays mails for all domains he hosts (that's why he is called domain hoster? ;-)). SMTP AUTH is required, but no problem today.

Rainer
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 11:06 AM, Thomas Hochstein wrote:
> Bart Silverstrim wrote:
>> That address had been hammering us over and over for awhile with sober.p. Now it's become quiet.
>
> Yes. Now the infected hosts are sending out spam containing (very) right-wing political propaganda.

Don't read German, and haven't had the pleasure of the English versions (yet?)...so, I guess it's another case of I'm not the target audience.

>> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
>
> Those senders are faked.

Thanks to someone else's posting, I found some regex lists to put into the header_check file for postfix...should put a stop to it. I HATE that solution simply because it's too easy to forget about it and people who may send such headings in the subject line are blocked as well (there are courses here where you never know...the German course may have someone send info on Dresden in 1945...). I also know there can be collateral damage from it. Weigh...invalid bounce, or silently dropping messages that may be legit...hmm...

Some days it's just not worth using the Internet anymore.

-Bart
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 1:41 PM, John Jolet wrote:
> This email, for instance, was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning.
>
> I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call.
>
> I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness.

Also...what if you don't trust your provider? What if you want to have more control over the spam filtering, the virus handling...data retention...remember, in the US, your ISP records can be searched now without them being able to notify you, and your messages logged from their mail server. Yes, there are ways around it, but why make it really easy for the people the tin-foil-hat brigade fears?

And what if you believe that people willing to take responsibility for their connections should be allowed to do so? It's the irresponsible, the lazy, and the foolish that are setting up open relays today. If someone is willing to take the time to wear the sysadmin hat and do it right, they should be able to run their own mail service. The ISP should be just that. Internet Service Provider. Gimme my connection and leave the rest to me, thank you! :-)
Re: [Clamav-users] sober.p and german adverts?
On May 16, 2005, at 1:54 PM, Rainer Zocholl wrote:
> [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 11:05
>
>> I did enter it in when I first discovered it, but there were no hits.
>
> Ok, next time mention it ;-)

Here I thought it was common sense now! :-)

>> Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...
>
> There is a list of known subjects which can be fed into SpamAssassin. But in a few days that spam will stop.

I used someone's advice from the list to add to the header_check file for postfix. Seems to have stemmed the spam. I'm gonna be ticked if it stops now that I just got that all set up... :-/

>> I thought it was odd that our hammering from particular sober.p infections were consistent in IP.
>
> I scanned out logfile today: there where

? Missing part of that?

>> If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?
>
> They use 16000 different home PCs infected before.

That one IP showed up in the log as hitting us 16000 times. Unless you're saying there were 16000 pc's all spoofing that same IP. If so, I pity the owner of that IP lease.
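The worry voiced in this thread about header_checks catching legitimate mail, as an added Python example that is not part of the thread or of Postfix: a small evaluator for rules in the Postfix header_checks shape (`/pattern/ ACTION text`, first matching rule per header line wins, case-insensitive like a pcre table), run with a deliberately broad rule and an anchored one against a constructed spam-run header and a constructed course mail about Dresden. All rules, subjects and addresses are constructed for the example; the parser does not implement the pcre flag syntax.

```python
import re

# Constructed header_checks-style rule sets (not real Sober subject patterns).
# BROAD is the kind of rule that bites a German course: anything mentioning Dresden.
BROAD_RULES = """\
# too broad: any Subject containing the word
/^Subject:.*Dresden/ REJECT Sober spam run
"""
# NARROW is anchored to one exact (constructed) subject line from the run.
NARROW_RULES = """\
/^Subject: Dresden 1945 - Augenzeugen berichten$/ REJECT Sober spam run
"""

# '/pattern/ ACTION optional text'; the greedy group backtracks to the last '/'.
RULE_RE = re.compile(r"^/(?P<pattern>.*)/\s+(?P<action>[A-Z]+)(?:\s+(?P<text>.*))?$")


def parse_rules(text):
    """Parse rule lines into (compiled regex, action, text); '#' lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        rules.append((re.compile(m.group("pattern"), re.I), m.group("action"), m.group("text") or ""))
    return rules


def check_headers(rules, headers):
    """Return (action, text) of the first rule matching any header line, else ('DUNNO', '')."""
    for header in headers:
        for regex, action, text in rules:
            if regex.search(header):
                return action, text
    return "DUNNO", ""


def collateral(rules, legitimate_messages):
    """Names of legitimate messages the rule set would REJECT: the damage to weigh."""
    return [name for name, hdrs in legitimate_messages if check_headers(rules, hdrs)[0] == "REJECT"]


# Constructed messages: one from the spam run, one legitimate course announcement.
SPAM_HEADERS = [
    "From: <someone@example.org>",
    "Subject: Dresden 1945 - Augenzeugen berichten",
    "To: <admin@example.net>",
]
COURSE_HEADERS = [
    "From: <teacher@example.edu>",
    "Subject: German course: reading on Dresden in 1945",
    "To: <students@example.edu>",
]

if __name__ == "__main__":
    for name, rules_text in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        rules = parse_rules(rules_text)
        print(name, "spam ->", check_headers(rules, SPAM_HEADERS))
        print(name, "collateral ->", collateral(rules, [("course mail", COURSE_HEADERS)]))
```

Keeping a file of real legitimate headers (the courses, the newsletters people actually receive) and running `collateral` against it every time the rule list changes is the cheap way to notice the "too easy to forget about it" problem above. Rejecting at SMTP time also avoids generating a bounce to the forged sender, which is the choice between invalid bounce and silent drop raised in the thread.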
Re: [Clamav-users] sober.p and german adverts?
John Jolet said:
> Matt Fretwell wrote:
>
> This email, for instance, was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning.
>
> I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call.
>
> I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness.

Most of the spam I've gotten the last three days is from comcast.net. Apparently they allow their customers to send out to port 25. They should lock that down so that spam goes out through their own servers so they can feel the pain when they are blacklisted for incompetence. If you need to run your own stand-alone mail service you should pay the price for the privilege.

Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is.

dp
Re: [Clamav-users] sober.p and german adverts?
> that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is.

Which means all sites running qmail! Yay!
Re: [Clamav-users] sober.p and german adverts?
On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote:
> John Jolet said:
>> Matt Fretwell wrote:
>>
>> This email, for instance, was sent from a properly configured mta running antispam and antivirus scanning in BOTH directions, from a dynamic ip. If my wife sends email from her computer, it goes to the isp's mta, which does inbound only scanning.
>>
>> I have several rules in place for postfix to force it to use my isp's mta for domains that refuse traffic from dynamic or residential ip addresses. The price for a non-residential ip from my isp is nearly double that for residential. Do I get any added-value service for that? No, in fact, I lose the ability to take faulty equipment directly to the service center for replacement, instead of waiting for a service call.
>>
>> I think more people running mtas would take the tack of examining the TRAFFIC, not the IP it came from. That's just laziness.
>
> Most of the spam I've gotten the last three days is from comcast.net. Apparently they allow their customers to send out to port 25. They should lock that down so that spam goes out through their own servers so they can feel the pain when they are blacklisted for incompetence. If you need to run your own stand-alone mail service you should pay the price for the privilege.
>
> Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is.
>
> dp

That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email? How about this...I send an email to a client via my isp's mta. There's a problem, but I don't find out about it for 5 days. I lose business. On the other hand, I send the email direct, I've got my installation set to notify me of problems after minutes, not days. I can do that because I'm my only customer.

I know nearly every email that gets sent out and can be very responsive to problems. I should double my fee for that single advantage? Not sure I buy that. That's a microsoft-type business plan.

--
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote:
> Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is.

That, I cannot argue with :) Although if I remember correctly, there are some on this list who are guilty of not filtering outbound. I think, (was it Julian who accused us of it?), misanthropic.admins.org might be a good name :)

Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell said:
> Dennis Peterson wrote:
>> Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is.
>
> That, I cannot argue with :) Although if I remember correctly, there are some on this list who are guilty of not filtering outbound. I think, (was it Julian who accused us of it?), misanthropic.admins.org might be a good name :)
>
> Matt

I like it when they admit it - it helps me populate my access_db file.

dp
Re: [Clamav-users] sober.p and german adverts?
John Jolet said:
> On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote:
>> John Jolet said:
>>
>> Nobody should send mail directly unless it is filtered outbound. In fact, that would be a good blacklist: real-time-morons.org. I'd even toss in systems that NDR after the connection is closed as they have no idea at that point who the sender is.
>>
>> dp
>
> That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email? How about this...I send an email to a client via my isp's mta. There's a problem, but I don't find out about it for 5 days. I lose business. On the other hand, I send the email direct, I've got my installation set to notify me of problems after minutes, not days. I can do that because I'm my only customer.
>
> I know nearly every email that gets sent out and can be very responsive to problems. I should double my fee for that single advantage? Not sure I buy that. That's a microsoft-type business plan.
>
> --
> John Jolet

How am I to know that you are filtering your mail? If your IP is in the middle of a block of dynamic IP's you are fair game for me to block. The world experience is that Windows drones on dialups or cable/dsl are a major source of spam/viruses. Nothing distinguishes you from them. You get out of that mess by purchasing a fixed IP from an ISP that keeps track of non-dynamic IP's for all of our benefits. Nobody said this was easy or cheap.

In Microsoft's plan there would be no room for you to make money.
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote:
>> That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email?
>
> How am I to know that you are filtering your mail? If your IP is in the middle of a block of dynamic IP's you are fair game for me to block. The world experience is that Windows drones on dialups or cable/dsl are a major source of spam/viruses. Nothing distinguishes you from them. You get out of that mess by purchasing a fixed IP from an ISP that keeps track of non-dynamic IP's for all of our benefits. Nobody said this was easy or cheap.

That is coming back to the dynamic elitist viewpoint. Just as a sideline question on this, how many corporate machines, on static IP ranges, are running outdated, security wise, IIS machines which are guaranteed to spew crap as soon as anything hits? [ price != competence ]

Also, this does not take into account the fact that quite a large amount of dynamic ISP accounts are practically static, except in name. I have no problem with blocking a /24 range if attempts are seen from that block of addresses, (static or otherwise), but I still cannot see the point of penalising dynamic IP's just because they are dynamic, without good cause. If one was going down the OS fingerprinting route tallied to a dynamic IP check, then that might be feasible, but a straight block with no absolute reason?

Matt
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell said:
> Dennis Peterson wrote:
>>> That was my point. My mail IS filtered outbound. So I should have to pay double for the privilege of controlling my own email?
>>
>> How am I to know that you are filtering your mail? If your IP is in the middle of a block of dynamic IP's you are fair game for me to block. The world experience is that Windows drones on dialups or cable/dsl are a major source of spam/viruses. Nothing distinguishes you from them. You get out of that mess by purchasing a fixed IP from an ISP that keeps track of non-dynamic IP's for all of our benefits. Nobody said this was easy or cheap.
>
> That is coming back to the dynamic elitist viewpoint. Just as a sideline question on this, how many corporate machines, on static IP ranges, are running outdated, security wise, IIS machines which are guaranteed to spew crap as soon as anything hits? [ price != competence ]

We do what we can with what we have, one step at a time.

> Also, this does not take into account the fact that quite a large amount of dynamic ISP accounts are practically static, except in name. I have no problem with blocking a /24 range if attempts are seen from that block of addresses, (static or otherwise), but I still cannot see the point of penalising dynamic IP's just because they are dynamic, without good cause. If one was going down the OS fingerprinting route tallied to a dynamic IP check, then that might be feasible, but a straight block with no absolute reason?

Here's how it works, Matt - if you have a dynamic IP, even one that has a long life time, other people will still block mail from your IP block. That seldom happens if you have a true fixed IP, all other things being equal. And you know what? You have no say in it. It is out of your control. And if the number of Windows drones continues to grow at the current rate you can expect to be blocked pretty damn soon as there's just about nothing else left to do. And I'm ok with that.

dp
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote:

> Here's how it works, Matt - if you have a dynamic IP, even one that has a long life time, other people will still block mail from your IP block. That seldom happens if you have a true fixed IP, all other things being equal. And you know what? You have no say in it. It is out of your control. And if the number of Windows drones continues to grow at the current rate you can expect to be blocked pretty damn soon as there's just about nothing else left to do. And I'm ok with that.

Just for later 'discussion' purposes, as your headers for this mail will prove, I am on a static IP range. I am not in the same boat as John, but I still would not dream of penalising without a proven, (with regards to what my own logs say), reason.

The really annoying thing is, it is easy to set up an automated system to add offending IP's or IP blocks to your own local rbl's, so any IP, whether it be dynamic or static has a one shot chance. There is no need to block outright from the outset.

Matt
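The automated local RBL Matt describes above, as an added example that is not code from the thread: a Python sketch that scans constructed Postfix-style reject lines, lists each offending client IP on its first reject (the "one shot chance"), escalates to the /24 once several distinct IPs in that block have offended, and renders the result as Postfix access(5) entries. The log lines, hostnames and addresses are made up, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a Postfix-style reject format; hosts and
# addresses are made up (RFC 5737 / RFC 1918 ranges), not real traffic.
SAMPLE_LOG = """\
May 16 10:01:12 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from c-10-0-5-7.dyn.example.net[10.0.5.7]: 554 5.7.1 Relay access denied
May 16 10:02:40 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 550 5.1.1 User unknown
May 16 10:03:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.18]: 550 5.1.1 User unknown
May 16 10:03:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.19]: 550 5.1.1 User unknown
May 16 10:05:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 550 5.1.1 User unknown
May 16 10:06:30 mx postfix/smtpd[1234]: 5A3B2C1D: from=<user@example.org>, size=1024, nrcpt=1 (queue active)
"""

# Matches the client IP of a rejected RCPT command.
REJECT_RE = re.compile(r"reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def collect_offenders(log_text):
    """Count rejects per client IP; lines that are not rejects are ignored."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def build_local_rbl(log_text, per_ip=1, per_net=3):
    """List an IP once it reaches per_ip rejects (per_ip=1 is the 'one shot
    chance'); escalate to the /24 once per_net distinct IPs in it are listed.
    /24s are keyed by their first three octets, e.g. '192.0.2' (assumed thresholds)."""
    counts = collect_offenders(log_text)
    ips = sorted(ip for ip, n in counts.items() if n >= per_ip)
    members = defaultdict(set)
    for ip in ips:
        members[ip.rsplit(".", 1)[0]].add(ip)
    nets = sorted(net for net, hosts in members.items() if len(hosts) >= per_net)
    return {"ips": ips, "nets": nets}


def render_access_map(rbl):
    """Render Postfix access(5) lines; a three-octet key matches the whole /24,
    so hosts already covered by a listed /24 are not repeated."""
    lines = [f"{net}\tREJECT local RBL: /24 listed" for net in rbl["nets"]]
    covered = set(rbl["nets"])
    lines += [f"{ip}\tREJECT local RBL: host listed" for ip in rbl["ips"]
              if ip.rsplit(".", 1)[0] not in covered]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_access_map(build_local_rbl(SAMPLE_LOG)))
```

The output is a plain access(5) table meant to be compiled with postmap and consulted via check_client_access; expiring old entries so a listed host really does get only one chance per incident is left out here.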
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell said:

> Dennis Peterson wrote:
>
> > Here's how it works, Matt - if you have a dynamic IP, even one that has a long life time, other people will still block mail from your IP block. That seldom happens if you have a true fixed IP, all other things being equal. And you know what? You have no say in it. It is out of your control. And if the number of Windows drones continues to grow at the current rate you can expect to be blocked pretty damn soon as there's just about nothing else left to do. And I'm ok with that.
>
> Just for later 'discussion' purposes, as your headers for this mail will prove, I am on a static IP range.

I'm using you in the generic sense for discussion. Not referring to you, Matt. I could have been more clear on that.

> I am not in the same boat as John, but I still would not dream of penalising without a proven, (with regards to what my own logs say), reason.
>
> The really annoying thing is, it is easy to set up an automated system to add offending IP's or IP blocks to your own local rbl's, so any IP, whether it be dynamic or static has a one shot chance. There is no need to block outright from the outset.

As I mentioned earlier, I'm getting slammed from comcast.net from relays all over the US. It is far easier to block by obvious dsl/cable host identifiers than to spend hours trying to figure out what /24 IP ranges to tweak. I see the problem as Comcast's, not mine. Your mileage may vary - I know mine did.

dp
Re: [Clamav-users] sober.p and german adverts?
Dennis Peterson wrote:

> > There is no need to block outright from the outset.
>
> As I mentioned earlier, I'm getting slammed from comcast.net from relays all over the US. It is far easier to block by obvious dsl/cable host identifiers than to spend hours trying to figure out what /24 IP ranges to tweak. I see the problem as Comcast's, not mine. Your mileage may vary - I know mine did.

The point with the above is different. Comcast had the initial, with you, opportunity and made a mess of it. With that level of abuse, if it's related to their network in any way or form, it would be blocked. Even I wouldn't bother with a /24 block for that level of abuse. By that point, I would merrily block their entire network, rhsbl and rbl, without giving it a second thought. There is no need to blanket ban every other providers' dsl yet, though :)

All the best,

Matt