Re: [expert] Help please! Cannot stop this spam
Praedor Atrebates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have logged directly into my popmail server (yahoo) via the web and find
> that the spam message isn't being repeatedly sent - the same message is
> causing a problem over and over. Yahoo tagged it as spam and put it in my
> bulk mail folder on their site. When fetchmail retrieved messages, it would
> apparently have problems with that message and send me the error message
> email instead of the actual spam.

fetchmail -a -K --antispam 550,451 -d 180 -f /etc/fetchmail...

If that doesn't work, you can always use the SPAM Zapper. (sorry <--- Shameless plug).

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com & http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] Help please! Cannot stop this spam
On Monday 20 October 2003 03:23 pm, David Guntner wrote:
> Bryan Phinney grabbed a keyboard and wrote:
> > The fetchmail log should be telling you what the error code is from
> > Postfix but if I had to guess, I would say it is a 501, fetchmail
> > normally counts 55? codes as spam rejects by default.
>
> Not on *my* system, it didn't. :-) I had to put it in to cause fetchmail
> to behave itself when running into those.

I think that you have to up the logging level on fetchmail to get all the
details. When troubleshooting the messages that were left on the ISP, I did
up the detail level. However, on my system, the error code is definitely 501
and not 554 for malformed addresses, although you can change it in the
postfix configuration.

--
Bryan Phinney
Software Test Engineer
Re: [expert] Help please! Cannot stop this spam
Bryan Phinney grabbed a keyboard and wrote:
>
> The fetchmail log should be telling you what the error code is from Postfix
> but if I had to guess, I would say it is a 501, fetchmail normally counts 55?
> codes as spam rejects by default.

Not on *my* system, it didn't. :-) I had to put it in to cause fetchmail to
behave itself when running into those.

> Line should show:
>
> poll mail.whatever.com with proto whatever
>     user '[EMAIL PROTECTED]' there with password 'password' is 'localuser' here
>     antispam 554,550,501

Just a note for anyone reading: The "user" part above is for how you normally
login to your POP or IMAP server to retrieve your mail. If you're using an ISP
that has a login method of using your E-Mail address with them, then
[EMAIL PROTECTED] is correct. If you're using a server that just requires a
username, *don't* add the @domain.com part (I.E. don't use your address to
login unless your provider requires that as your login).

> Add that line and you should no longer see those errors or have misconfigured
> spam piling up in your inbox. Only other way that I know of is to run
> Fetchmail configured to flush the box which removes all messages that were
> seen but not delivered. This is dangerous and could result in your losing
> messages due to Postfix being down when fetchmail tries to pick up mail.
> Another option is to periodically run fetchmail to pick up mail, then reload
> fetchmail in flush mode to flush misconfigured messages, then rerun fetchmail
> in normal mode. You could do this once a week but in the meantime would get
> all those errors in your syslog. Last option is to simply bitbucket all
> fetchmail-daemon notifications with procmail.

That last option is kinda dangerous, though. :-) If you got other fetchmail
errors, you would never know about them (Not saying don't do it if it's really
needed, just be aware... :)

--Dave

--
David Guntner GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
Re: [expert] Help please! Cannot stop this spam
Praedor Atrebates grabbed a keyboard and wrote:
>
> I have logged directly into my popmail server (yahoo) via the web and find
> that the spam message isn't being repeatedly sent - the same message is
> causing a problem over and over. Yahoo tagged it as spam and put it in my
> bulk mail folder on their site. When fetchmail retrieved messages, it would
> apparently have problems with that message and send me the error message
> email instead of the actual spam.
>
> I am not sure why...is there a way to fix fetchmail so it won't do this
> anymore? Instead of having a problem with a message and sending me a
> bazillion error messages every time it sees the undelivered/undeliverable
> message/spam, can I not just set fetchmail to dump the message?

Yes, if fetchmail sees an error from your local MTA, it tends to not delete the
message from the remote site, because it thinks there's a problem. You *can*
tell it what a spam reject on your local MTA is, however.

For example, I've got a few checks at the postfix level that will reject a
detected spam message before it ever *gets* to the user's mailbox. As such,
spamassassin isn't coming into play yet. Spam that it detects, it rejects with
a 550 error code. You can tell fetchmail that a given error code (or range of
codes) is a spam reject and to not attempt redelivery (I.E., it will go ahead
and delete the message from the remote server). Here's what I have in my
.fetchmailrc to do this:

set postmaster "postmaster"
set bouncemail
set no spambounce
set properties ""
poll with proto IMAP
    user '' there with password '' is '' here
    antispam 550

That last line ("antispam 550") tells it that a 550 code coming from postfix on
my machine is a spam reject. It will then quietly delete the message from the
far end as though it had delivered it.

Try putting in the reject code that you're seeing at your end from your local
postfix/qmail/sendmail daemon, and see if that helps.

--Dave

--
David Guntner GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
Re: [expert] Help please! Cannot stop this spam
On Monday 20 October 2003 11:52 am, Praedor Atrebates wrote:
> Thank you, that appears to have done the trick.
>
> I was getting filled up with a new spam, producing the same type of
> message, but adding that line to fetchmailrc did the trick. It is gone.
>
> I was getting quite angry and frustrated with this nonsense.
>
> Until a few days ago, I didn't receive any sort of message like this. Spam
> came in and was dumped into /dev/null via spamd and procmail. Nothing was
> getting through. These messages weren't getting through, per se, but they
> were certainly causing just as much problems as normal spam by filling my
> box with error messages. What's up with the misconfigured messages all of
> a sudden? Why wouldn't I have run into this before now? Is something new
> going on (the originating IP was completely different, as was the Subject,
> than the previous viagra garbage)

Well, again just a guess, but a little while ago, you were complaining about
the amount of time that it was taking to route mail from Kmail through SA for
filtering and I (perhaps others) suggested that you use Postfix and procmail
instead so that you could process in the background. Postfix is the culprit
here since Postfix is denying delivery of improperly formatted and addressed
messages. Personally, I think that this is a good thing, although you can
configure Postfix to not check and just deliver messages regardless of
formatting.

My guess would be that Kmail or whatever other client you were using does not
check format or syntax but just makes a "best guess" as to the recipient based
upon whatever info is there. Because there is no validation, there was no
error and therefore all messages were delivered. Personally, I think that you
are in better shape now, improperly formatted messages are almost always going
to be generated by crappy spamware rather than real mail clients and servers,
so deleting them sight unseen is in your best interest given that you are
filtering.

As to why it took several days, only the crappiest spamware and dumbest
spammers generate such messages since ISP's often bounce them themselves so
you may have just not run into any of them in that time. My own versions were
rare as well, I got perhaps 2 such improper messages per month.

--
Bryan Phinney
Software Test Engineer
Re: [expert] Help please! Cannot stop this spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you, that appears to have done the trick.

I was getting filled up with a new spam, producing the same type of message,
but adding that line to fetchmailrc did the trick. It is gone.

I was getting quite angry and frustrated with this nonsense.

Until a few days ago, I didn't receive any sort of message like this. Spam
came in and was dumped into /dev/null via spamd and procmail. Nothing was
getting through. These messages weren't getting through, per se, but they were
certainly causing just as much problems as normal spam by filling my box with
error messages. What's up with the misconfigured messages all of a sudden? Why
wouldn't I have run into this before now? Is something new going on (the
originating IP was completely different, as was the Subject, than the previous
viagra garbage)

On Monday 20 October 2003 08:49 am, Bryan Phinney wrote:
> On Monday 20 October 2003 09:11 am, Praedor Atrebates wrote:
>
> Okay, we don't see the Postfix error code but based upon the text of the
> message, my guess is that Postfix is rejecting this message upon the
> delivery attempt by Fetchmail, fetchmail is then sending a failure message
> to let you know but the message is not being deleted so upon the next poll
> attempt, it tries to deliver the message again.
>
> The fetchmail log should be telling you what the error code is from Postfix
> but if I had to guess, I would say it is a 501, fetchmail normally counts
> 55? codes as spam rejects by default.
[...]

- --
"Our ship is in the hands of pilots who are steering directly under full sail
for a rock. The whole crew may see this course to violate our liberties in
full view if they look the right way."
- --Samuel Adams, 1771
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/lATRaKr9sJYeTxgRAgZcAJ47HY0Hu5Mw5Pi/Hcgw3qWy3540yQCgn6yh
EA+nw2VbFFmOhU2ta0x/IoE=
=JDnX
-----END PGP SIGNATURE-----
Re: [expert] Help please! Cannot stop this spam
On Monday 20 October 2003 09:38 am, Praedor Atrebates wrote:
> I have logged directly into my popmail server (yahoo) via the web and find
> that the spam message isn't being repeatedly sent - the same message is
> causing a problem over and over. Yahoo tagged it as spam and put it in my
> bulk mail folder on their site. When fetchmail retrieved messages, it
> would apparently have problems with that message and send me the error
> message email instead of the actual spam.
>
> I am not sure why...is there a way to fix fetchmail so it won't do this
> anymore? Instead of having a problem with a message and sending me a
> bazillion error messages every time it sees the undelivered/undeliverable
> message/spam, can I not just set fetchmail to dump the message?
>
> If I had not logged directly into the yahoo webmail site and deleted the
> spam message there, fetchmail would continue generating that annoying
> message forever, procmail would have had to process that same message
> forever, and yet the original message would still exist on the server. For
> the moment, I have elected to turn off yahoo's spamguard and let my system
> handle the crap and hope that whatever the problem was, it will now be
> handled properly and directly on my end.

That probably won't help. Your Postfix system is configured to reject with an
error, misconfigured messages regardless of the source. Whether they are in
your regular inbox or in the bulk folder, they will still be rejected if they
are not configured correctly. The only way to fix it permanently is to
instruct fetchmail to discard messages when it receives an error code from
Postfix. That will drop the message sight unseen from the pop mailbox and is
exactly what I do after getting much the same behavior from dopey
misconfigured spam messages.

--
Bryan Phinney
Software Test Engineer
Re: [expert] Help please! Cannot stop this spam
On Monday 20 October 2003 09:11 am, Praedor Atrebates wrote:

Okay, we don't see the Postfix error code but based upon the text of the
message, my guess is that Postfix is rejecting this message upon the delivery
attempt by Fetchmail, fetchmail is then sending a failure message to let you
know but the message is not being deleted so upon the next poll attempt, it
tries to deliver the message again.

The fetchmail log should be telling you what the error code is from Postfix
but if I had to guess, I would say it is a 501, fetchmail normally counts 55?
codes as spam rejects by default.

So, one way to deal with this is to add the 501 error message to your
fetchmail config file as a spam reject, in which case, it will delete the
message from the server. That is what I do for my accounts since I don't want
to receive improperly formatted or addressed messages anyway. Your mileage may
vary.

Under your poll line in .fetchmailrc, add the option

antispam 554,550,501

Line should show:

poll mail.whatever.com with proto whatever
    user '[EMAIL PROTECTED]' there with password 'password' is 'localuser' here
    antispam 554,550,501

Add that line and you should no longer see those errors or have misconfigured
spam piling up in your inbox. Only other way that I know of is to run Fetchmail
configured to flush the box which removes all messages that were seen but not
delivered. This is dangerous and could result in your losing messages due to
Postfix being down when fetchmail tries to pick up mail. Another option is to
periodically run fetchmail to pick up mail, then reload fetchmail in flush mode
to flush misconfigured messages, then rerun fetchmail in normal mode. You could
do this once a week but in the meantime would get all those errors in your
syslog. Last option is to simply bitbucket all fetchmail-daemon notifications
with procmail.

Again, all of this is just a guess on my part without having access to the
logs running at a sufficient detail level to record the actual error. The
changes I have suggested will only result in your dropping messages that are
not correctly configured or addressed or coming from valid hosts.

--
Bryan Phinney
Software Test Engineer
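The three outcomes Bryan lays out above (a message Postfix rejects stays on the server and draws a fresh failure notice on every poll; a reject code listed under antispam gets the message deleted quietly; flush mode throws away anything previously seen, including mail that never reached Postfix because it was down) worked through as a small Python model. This is added example code, not part of the thread and not fetchmail's implementation: the MTA stubs, the two-message mailbox and the rules themselves are only what the posts describe, written down so the consequences can be counted.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

# Simplified model of the retrieve / deliver / delete cycle described in the thread.
# Added example, not fetchmail's code: an unacknowledged delivery leaves the message
# on the server, a listed "antispam" code deletes it quietly, and "flush" removes
# previously seen messages before anything else happens.


@dataclass
class Msg:
    uid: str
    sender: str          # envelope sender handed to the MTA in MAIL FROM
    seen: bool = False   # fetchmail has already retrieved it at least once


@dataclass
class PollResult:
    delivered: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)
    reports: List[str] = field(default_factory=list)  # failure notices mailed to the local user


def strict_mta(sender: str) -> Optional[int]:
    """Stand-in for a Postfix-like listener that checks MAIL FROM syntax.
    Returns the SMTP reply code, or None when the MTA cannot be reached."""
    local, sep, domain = sender.partition("@")
    if not sep or not local or not domain or any(c.isspace() for c in sender):
        return 501          # "Bad address syntax", as in the report posted in the thread
    return 250


def mta_down(sender: str) -> Optional[int]:
    """Stand-in for Postfix being stopped: every connection fails."""
    return None


def poll(mailbox: List[Msg], mta: Callable[[str], Optional[int]],
         antispam: Sequence[int] = (), flush: bool = False) -> PollResult:
    """One poll under the model. Mutates `mailbox` to what is left on the server."""
    result = PollResult()
    remaining: List[Msg] = []
    for m in mailbox:
        if flush and m.seen:
            # flush: previously retrieved messages are deleted whether or not delivered
            result.deleted.append(m.uid)
            continue
        code = mta(m.sender)
        m.seen = True
        if code == 250:
            result.delivered.append(m.uid)
            result.deleted.append(m.uid)      # delivered, so removed from the server
        elif code is not None and code in antispam:
            result.deleted.append(m.uid)      # listed reject code: treated as spam, dropped quietly
        else:
            # no acknowledgement: report the failure and keep the message for the next poll
            result.reports.append(f"{m.uid}: {'MTA unreachable' if code is None else code}")
            remaining.append(m)
    mailbox[:] = remaining
    return result


def new_mailbox() -> List[Msg]:
    # Constructed sample mailbox: one well-formed message and one with the kind of
    # broken envelope sender that draws a 501 from the strict listener.
    return [Msg("1", "alice@example.net"), Msg("2", "Ruth Cawdell <")]


def repeated_reports(polls: int) -> int:
    """Failure notices the user receives over `polls` polls with no antispam list."""
    box = new_mailbox()
    return sum(len(poll(box, strict_mta).reports) for _ in range(polls))


def with_antispam() -> PollResult:
    """Same mailbox, one poll, with 501 listed as a spam reject (Bryan's list)."""
    return poll(new_mailbox(), strict_mta, antispam=(554, 550, 501))


def flush_after_outage() -> PollResult:
    """Postfix is down for one poll, then the next poll runs in flush mode."""
    box = new_mailbox()
    poll(box, mta_down)                       # nothing delivered, everything marked seen
    return poll(box, strict_mta, flush=True)  # flush deletes both, the good one included


if __name__ == "__main__":
    print("reports over 3 polls, no antispam:", repeated_reports(3))
    print("one poll with antispam 554,550,501:", with_antispam())
    print("flush after an outage:", flush_after_outage())
```

The count from repeated_reports grows by one per poll for as long as the malformed message sits on the server, which is the "bazillion error messages" in the original complaint; with 501 listed it is gone after the first poll with no report at all; and in flush_after_outage the well-formed message is deleted without ever having been delivered, which is the loss Bryan warns about.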
Re: [expert] Help please! Cannot stop this spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have logged directly into my popmail server (yahoo) via the web and find
that the spam message isn't being repeatedly sent - the same message is
causing a problem over and over. Yahoo tagged it as spam and put it in my
bulk mail folder on their site. When fetchmail retrieved messages, it would
apparently have problems with that message and send me the error message
email instead of the actual spam.

I am not sure why...is there a way to fix fetchmail so it won't do this
anymore? Instead of having a problem with a message and sending me a
bazillion error messages every time it sees the undelivered/undeliverable
message/spam, can I not just set fetchmail to dump the message?

If I had not logged directly into the yahoo webmail site and deleted the
spam message there, fetchmail would continue generating that annoying
message forever, procmail would have had to process that same message
forever, and yet the original message would still exist on the server. For
the moment, I have elected to turn off yahoo's spamguard and let my system
handle the crap and hope that whatever the problem was, it will now be
handled properly and directly on my end.

praedor

On Monday 20 October 2003 08:11 am, Praedor Atrebates wrote:
> Here is the syslog entry associated with this repetitive spam (based on the
> [EMAIL PROTECTED] message):
[...]

- --
"Our ship is in the hands of pilots who are steering directly under full sail
for a rock. The whole crew may see this course to violate our liberties in
full view if they look the right way."
- --Samuel Adams, 1771
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/k+U7aKr9sJYeTxgRAvNLAJ4zkDU27NeHrRL2x5z+0qhMCJYM1gCfeqPc
l+1tKsfpMsF32BSJ1UCh9ew=
=KVn6
-----END PGP SIGNATURE-----
Re: [expert] Help please! Cannot stop this spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is the syslog entry associated with this repetitive spam (based on the
[EMAIL PROTECTED] message):

Oct 20 08:57:26 lapdog postfix/smtpd[9542]: connect from localhost.localdomain[127.0.0.1]
Oct 20 08:57:26 lapdog postfix/smtpd[9542]: warning: Illegal address syntax from localhost.localdomain[127.0.0.1] in MAIL command:
Oct 20 08:57:27 lapdog postfix/smtpd[9543]: connect from localhost.localdomain[127.0.0.1]
Oct 20 08:57:27 lapdog postfix/smtpd[9543]: 6E5C86F97: client=localhost.localdomain[127.0.0.1]
Oct 20 08:57:27 lapdog postfix/cleanup[9544]: 6E5C86F97: message-id=<[EMAIL PROTECTED]>
Oct 20 08:57:27 lapdog postfix/nqmgr[1657]: 6E5C86F97: from=<[EMAIL PROTECTED]>, size=2068, nrcpt=1 (queue active)
Oct 20 08:57:27 lapdog postfix/smtpd[9543]: disconnect from localhost.localdomain[127.0.0.1]
Oct 20 08:57:28 lapdog postfix/smtpd[9542]: disconnect from localhost.localdomain[127.0.0.1]

Here is the message I see in full, separated into headers and message body:

Headers:

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1]) by lapdog.ravenhome.net (Postfix) with ESMTP id 64EB36F36 for <[EMAIL PROTECTED]>; Mon, 20 Oct 2003 09:00:30 -0400 (EDT)
X-Apparently-To: [EMAIL PROTECTED] via 216.136.173.225; Mon, 20 Oct 2003 05:57:26 -0700
Received: from pop.vip.sc5.yahoo.com [216.136.173.10] by localhost with POP3 (fetchmail-6.2.1) for [EMAIL PROTECTED] (single-drop); Mon, 20 Oct 2003 08:00:30 -0500 (EST)
Received: from 128.210.210.51 (EHLO lapdog.ravenhome.net) (128.210.210.51) by mta104.mail.scd.yahoo.com with SMTP; Mon, 20 Oct 2003 05:57:26 -0700
Received: from localhost (localhost.localdomain [127.0.0.1]) by lapdog.ravenhome.net (Postfix) with SMTP id 6E5C86F97 for ; Mon, 20 Oct 2003 08:57:27 -0400 (EDT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="foo-mani-padme-hum-1777-1-1066654647"
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 20 Oct 2003 08:57:27 -0400 (EDT)
X-Spam-Status: No, hits=1.2 required=5.0 tests=MAILTO_TO_SPAM_ADDR,NO_REAL_NAME version=2.54
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 2.54 (1.174.2.17-2003-05-11-exp)
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:

End of Headers.

Message body:

General SMTP/ESMTP error.

X-Apparently-To: [EMAIL PROTECTED] via 216.136.173.226; Fri, 17 Oct 2003 22:52:58 -0700
X-YahooFilteredBulk: 24.61.30.135
Received: from 24.61.30.135 (HELO 67.164.237.213) (24.61.30.135) by mta154.mail.scd.yahoo.com with SMTP; Fri, 17 Oct 2003 22:52:58 -0700
Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Oct, 18 2003 12:36:28 AM -0200
Received: from 105.183.205.243 ([105.183.205.243]) by smtp-server1.cfl.rr.com with QMQP; Oct, 17 2003 11:27:32 PM +1200
From: uvnRuth Cawdell <[EMAIL PROTECTED]>
To: Undisclosed [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
Subject: Presription Meds givp
Sender: uvnRuth Cawdell <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sat, 18 Oct 2003 01:54:51 -0400
X-Mailer: Microsoft Outlook Build 10.0.2627

End of message body.

Here is the actual spam file contents attached to the above message:

Reporting-MTA: dns; localhost

Final-Recipient: rfc822; [EMAIL PROTECTED]
Last-Attempt-Date: Mon, 20 Oct 2003 07:57:27 -0500 (EST)
Action: failed
Status: 5.0.0
Diagnostic-Code: 501 Bad address syntax

End of misconfigured spam.

I get a new one of these every time my fetchmail daemon contacts my ISP pop
mail server. I can eliminate the messages if I add this to my /etc/procmailrc
(I run it globally):

:0
* [EMAIL PROTECTED]
/dev/null

When I have tried to key off components of the message, such as
"X-YahooFilteredBulk: 24.61.30.135" or variations I still get the message.
Spamassassin doesn't catch this message as it is screwed up (it gives a
1.2/5.0, far below what would be needed to identify it as spam and get
/dev/nulled by my other procmailrc recipe (which is working fine):

:0
* ^X-Spam-Status: Yes
/dev/null

As it is, EVERY time I hear the tone indicating new messages, I am absolutely
certain to see more of these messages unless I /dev/null anything from
fetchmail-daemon, which seems rather problematic - there may be messages from
the daemon I would be interested in receiving.

praedor

On Monday 20 October 2003 05:59 am, Bryan Phinney wrote:
> On Sunday 19 October 2003 09:17 pm, Praedor Atrebates wrote:
> > I have received over 100 of these today alone. Nothing I've tried with
> > procmail recipes has wo
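The failure report Praedor posted carries the listener's reply in its delivery-status part (Diagnostic-Code: 501 Bad address syntax), and that reply code is the value that belongs in fetchmail's antispam list. Added example code, not from the thread: it parses such a report with Python's standard email package, pulls the reply code out of the message/delivery-status part, and says what fetchmail would do with it under a given antispam list. It also keeps any fetchmail-daemon notice that is not a delivery report (the mail Dave warns you would never see again if you bitbucket everything from the daemon), and it flags any code outside 5xx, because a 4xx reply such as the 451 in one of the command lines suggested above means a transient failure the server should retry, not a message to delete. SAMPLE_REPORT is a constructed message modelled on the posted one; its addresses and boundary are placeholders, and the default list (554, 550, 501) is Bryan's suggestion, not a fetchmail default.

```python
import re
from email import message_from_string
from typing import List, Optional, Sequence

# Constructed fetchmail failure report, modelled on the one posted in the thread:
# multipart/report with a message/delivery-status part. Addresses and the MIME
# boundary are placeholders. Added example data, not the original message.
SAMPLE_REPORT = """\
From: fetchmail-daemon@lapdog.example
To: praedor@lapdog.example
Subject: General SMTP/ESMTP error
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="example-boundary-1"

--example-boundary-1
Content-Type: text/plain; charset=us-ascii

General SMTP/ESMTP error.

--example-boundary-1
Content-Type: message/delivery-status

Reporting-MTA: dns; localhost

Final-Recipient: rfc822; praedor@lapdog.example
Last-Attempt-Date: Mon, 20 Oct 2003 07:57:27 -0500 (EST)
Action: failed
Status: 5.0.0
Diagnostic-Code: 501 Bad address syntax

--example-boundary-1
Content-Type: text/rfc822-headers

Subject: Presription Meds givp
X-Mailer: Microsoft Outlook Build 10.0.2627

--example-boundary-1--
"""

# RFC 3464 writes "Diagnostic-Code: smtp; 501 ..."; the report in the thread omits
# the "smtp;" type label, so accept both forms.
_DIAG = re.compile(r"^(?:[A-Za-z-]+;\s*)?(\d{3})(?:\s|$)")


def diagnostic_codes(raw: str) -> List[int]:
    """Every SMTP reply code found in the report's delivery-status part(s)."""
    codes: List[int] = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        payload = part.get_payload()
        if isinstance(payload, list):          # one Message per header block (normal case)
            values = [b["Diagnostic-Code"] for b in payload if b["Diagnostic-Code"]]
        else:                                  # fall back to scanning the raw block text
            values = re.findall(r"^Diagnostic-Code:\s*(.+)$", str(payload), re.M)
        for v in values:
            m = _DIAG.match(v.strip())
            if m:
                codes.append(int(m.group(1)))
    return codes


def classify(code: Optional[int], antispam: Sequence[int] = (554, 550, 501)) -> str:
    """What fetchmail would do with this reply code under the given antispam list."""
    if code is None:
        return "not-a-dsn"           # some other fetchmail-daemon notice: a human should read it
    if code in antispam:
        return "spam-reject"         # fetchmail deletes the message upstream and sends no report
    if 400 <= code < 500:
        return "temporary"           # transient failure: must stay on the server for a retry
    if 500 <= code < 600:
        return "permanent-unlisted"  # the case that produces a report on every poll
    return "unknown"


def validate_antispam(codes: Sequence[int]) -> List[int]:
    """Codes that do not belong in an antispam list: anything outside 5xx, since a
    listed code makes fetchmail delete the message and 4xx means 'try again later'."""
    return [c for c in codes if not 500 <= c < 600]


def classify_report(raw: str, antispam: Sequence[int] = (554, 550, 501)) -> str:
    """Classify a whole fetchmail-daemon message by its first Diagnostic-Code, if any."""
    codes = diagnostic_codes(raw)
    return classify(codes[0] if codes else None, antispam)


if __name__ == "__main__":
    print("codes in report:", diagnostic_codes(SAMPLE_REPORT))
    print("with antispam 554,550:", classify_report(SAMPLE_REPORT, antispam=(554, 550)))
    print("with antispam 554,550,501:", classify_report(SAMPLE_REPORT))
    print("bad entries in 550,451:", validate_antispam([550, 451]))
```

Run against the sample, the report classifies as permanent-unlisted with Bryan's first guess of 554,550 and as spam-reject once 501 is added, which is exactly the change that stopped the notices in the thread; validate_antispam([550, 451]) returns [451], the entry that would make fetchmail delete mail after a temporary local failure.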
Re: [expert] Help please! Cannot stop this spam
On Sunday 19 October 2003 09:17 pm, Praedor Atrebates wrote:
> I have received over 100 of these today alone. Nothing I've tried with
> procmail recipes has worked. I cannot stop this nonsense. The from
> address is my own fetchmail-daemon:
> [EMAIL PROTECTED]
>
> I am considering having all fetchmail-daemon emails sent to /dev/null but
> fear the repercussions.

You should probably try to see what the exact message is. If Fetchmail is
encountering an error, you may need to fix the error.

For instance, my Postfix mail server is set to reject messages with invalid
From headers and sometimes malformed spam is sent to my ISP mailbox with just
such invalid headers. Since the ISP mail server is not as picky, Fetchmail
tries to deliver to Postfix which rejects the message and then Fetchmail
doesn't delete the message because it did not receive an ack from the mail
server. It will try to do this repeatedly until the message is cleared. If you
know what is causing the problem, you can instruct Fetchmail to regard the
error code generated by Postfix as a bounce and then Fetchmail will discard
the message.

Your message may be something similar. Why not attach a copy so that we can
see it?

--
Bryan Phinney
Software Test Engineer
Re: [expert] Help please! Cannot stop this spam
> I have received over 100 of these today alone. Nothing I've tried with
> procmail recipes has worked. I cannot stop this nonsense. The from address
> is my own fetchmail-daemon:
> [EMAIL PROTECTED]
>
> I am considering having all fetchmail-daemon emails sent to /dev/null but
> fear the repercussions.

What recipe are you using? If it's coming from the same daemon just match on
the sender field. What is the text of the message? Is it real spam or just a
fetchmail process that's wonked?

A few other ideas:

If you're running fetchmail via a cron job (i.e., not daemonized) then try
sending errors to /dev/null.

Stop it at your reader..

Add a spamassassin rule.

--
The Digital Hermit
Unix and Linux Solutions
http://www.digitalhermit.com
[EMAIL PROTECTED]
[expert] Help please! Cannot stop this spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have received over 100 of these today alone. Nothing I've tried with
procmail recipes has worked. I cannot stop this nonsense. The from address is
my own fetchmail-daemon:
[EMAIL PROTECTED]

I am considering having all fetchmail-daemon emails sent to /dev/null but fear
the repercussions.

- --
Faith is the very antithesis of reason, injudiciousness a critical component
of spiritual devotion.
- --Krakauer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/kze0b1CLurEA6xURAgneAKCrjrCK439cSzwvoCs13y8hphlrYQCfUo7p
3xd7h2Y/mh7xlIGI1nafR9I=
=7Qd3
-----END PGP SIGNATURE-----