Re: [Mimedefang] Removing read receipts for particular account.
Hi,

Thanks for the reply. My problem about read receipts is just this: I have a group id, and whenever an external user sends mail to this group id, all the users of this group knowingly or unknowingly send read receipts to the sender. So I wanted to block read receipt requests for that particular group id. I wanted to block these headers:

    Return-Receipt-To:
    Disposition-Notification-To:
    X-Confirm-Reading-To:

Thanks in advance.

Regards,
Prashanth

> > Prashanth,
> >
> > Can any one help me in how to remove read receipts for a particular email id?
>
> Automatically generated emails such as return receipts, delivery notices, read receipts and out of office replies provide a wealth of information to a potential attacker, for example,
>
> * operating systems and versions
> * email server software and versions
> * email client software and versions
> * email architecture
>
> Here are some headers to drop on incoming emails to prevent requests for receipts. Please let me know if you are aware of other headers.
>
>     Disposition-Notification-To:
>     Receipt-Requested-To:
>     Confirm-Reading-To:
>     MDRcpt-To:
>     MDSend-Notifications-To:
>     Smtp-Rcpt-To:
>     Return-Receipt-To:
>
> Also consider dropping outbound NDN notices, that is, email where
>
> * From address is the null address
> * Small, say under 5000-1 bytes
> * The subject contains one of the following (again, suggestions?)
>
>     DELIVERY FAILURE:
>     Undeliverable:
>     Undeliverable message
>     Delivery Status Notification
>     Returned mail:
>
> Limiting actions to users or domains has been covered many times on this list - search the list (look at email headers for the URIs).
>
> Yours sincerely, Mark Suter
> Miju Systems  http://www.miju.com.au/
> Phone: +61 411 262 316  PO Box 176, Corinda Q 4075, Australia
> Email: [EMAIL PROTECTED]  ABN 48 065 548 496  Fax: +61 7 3278 2343

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
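One way to do what Prashanth asks, limited to the one group alias, as an added example (not code from either post): it strips the receipt-request headers collected in this thread in filter_end, using MIMEDefang's @Recipients global and action_delete_all_headers(). The alias itself is a placeholder.

```perl
# Added example, not from the list posts: drop read-receipt request headers
# from mail addressed to one group alias, in MIMEDefang's filter_end hook.
use strict;
use warnings;

our (@Recipients, $QueueID);   # globals populated by mimedefang.pl

my $GROUP_ID = 'group-id@example.com';    # placeholder alias to protect

# Header names collected in this thread (Prashanth's and Mark's lists).
my @RECEIPT_HEADERS = qw(
    Disposition-Notification-To
    Receipt-Requested-To
    Confirm-Reading-To
    X-Confirm-Reading-To
    MDRcpt-To
    MDSend-Notifications-To
    Smtp-Rcpt-To
    Return-Receipt-To
);

# Envelope recipients arrive as "<user@host>"; compare without the
# angle brackets and case-folded.
sub normalize_address {
    my ($addr) = @_;
    $addr =~ s/^\s*<//;
    $addr =~ s/>\s*$//;
    return lc $addr;
}

# True if any envelope recipient is the protected group alias.
sub addressed_to_group {
    my ($group, @rcpts) = @_;
    my $want = normalize_address($group);
    return scalar grep { normalize_address($_) eq $want } @rcpts;
}

sub filter_end {
    my ($entity) = @_;
    return unless addressed_to_group($GROUP_ID, @Recipients);

    # action_delete_all_headers() removes every instance of the named
    # header before Sendmail delivers, so no group member's MUA ever
    # sees a receipt request to answer.
    foreach my $hdr (@RECEIPT_HEADERS) {
        action_delete_all_headers($hdr);
    }
    md_syslog('info', "$QueueID: stripped receipt-request headers for $GROUP_ID");
}
```

Mail with the group and other recipients in the same envelope loses the headers for everyone, since MIMEDefang rewrites the one message; split delivery if that matters.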
Re: [Mimedefang] Why did my Filter Reject this?
Mark Penkower wrote:
> It appears that my filter bounced an email with a .doc extension. I have not instructed the filter to block this extension. Please explain why the filter bounced this, and what changes I can make to the filter to allow this in the future.
>
>     MDLOG,i45JH3SL032136,bad_filename ,T. Rowe Price letter.doc,application/msword,[EMAIL PROTECTED],[EMAIL PROTECTED] enet.com,comment letters
>
> I thought that the filter did not like the naming convention, so I made a word document and called it: T. Rowe Price letter.doc

What you are seeing here is the difference between "T. Rowe Price\nletter.doc" and "T. Rowe Price letter.doc". The newline is what it would be catching.

-- 
Daniel Taylor  VP Operations  Vocal Laboratories, Inc.
[EMAIL PROTECTED]  http://www.vocalabs.com/  (952)941-6580x203
RE: [Mimedefang] multi AV scanners
From: Stewart James [EMAIL PROTECTED]
> I have a question about having multiple scanners. At the moment I only have one, TrendMicro. I am waiting on Debian to update to 0.70 of clam and I am going to introduce that one into the fray as well as File::Scan (which from what I am reading is faster than both of those (I could be wrong)).
>
> First I want to ensure that if ONE of the scanners detects a virus, none of the others are run?

AFAIK it's only in 2.42 that the ability to run multiple scanners was introduced; before that you had to hack that yourself. A trawl of the logic should show what's happening, but I have a vague memory that it stops on the first virus - the list archive does hold the answer to that.

> Second, looking at the log entries there is nothing that shows which scanner detected the virus. Now, this would be quite beneficial. Considering it would be cool to be able to do reports saying clam found 100% - trend never found them (because clam is run before trend).

Details of a mod for this are in the list archive - I know 'cos that's where I found this myself.

Please DO NOT send me ANY email directly unless it's a privacy issue. Reply-to mangled to assist those who don't read the above.

-- 
Rob | What part of no was it you didn't understand?
[Mimedefang] installation problem -- Makefile error
Hello,

I am trying to install mimedefang 2.42 on a Fedora box, following http://www.rudolphtire.com/mimedefang-howto/

I have run into a problem regarding the Makefiles of the perl libraries. I installed them in the order of the howto and when I started mimedefang it gave this error:

    May 7 11:44:14 murat mimedefang-multiplexor: Slave 0 stderr: Mail::Header defines neither package nor VERSION--version check failed at /usr/lib/perl5/site_perl/5.8.3/MIME/Head.pm line 119.
    BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.3/MIME/Head.pm line 119.
    Compilation failed in require at /usr/lib/perl5/site_perl/5.8.3/MIME/Parser.pm line 147.
    BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.3/MIME/Parser.pm line 147.
    Compilation failed in require at /usr/bin/mimedefang.pl line 151.
    BEGIN failed--compilation aborted at /usr/bi

Tracking down the problem to the very roots, I came across something I should have noticed but missed as I compiled the perl libs. When I give "perl Makefile.PL" to MIME-tools-5.411a-RP-Patched-02 it returns this error:

    Warning: prerequisite Mail::Header 1.01 not found. We have unknown version.

It does it for all the dependencies in the Makefile.PL:

    VERSION_FROM => 'lib/MIME/Tools.pm',
    PREREQ_PM    => {
        'Mail::Header'      => 1.01,
        'Mail::Internet'    => 1.0203,
        'Mail::Field'       => 1.05,
        'MIME::QuotedPrint' => 2.03,
        'MIME::Base64'      => 2.04,
        'IO::Stringy'       => 1.211,
        'File::Spec'        => 0.6,
        'File::Path'        => 1,

I tried it by taking out the lines one by one. Whichever is the first one, Makefile.PL can't find it. I installed MailTools before this and it is in the right place. I did the same process on a clean install of Fedora and mimedefang worked, so I am assuming that something is wrong with the perl structure of my constantly used and played-around-with Fedora. Does anybody have any idea about what the problem might be? What would prevent Makefile.PL from finding out the versions of loaded modules?

Have a nice day.

Murat Isik
Re: [Mimedefang] Removing read receipts for particular account.
- Original Message -
From: David F. Skoll [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 06, 2004 11:09 PM
Subject: Re: [Mimedefang] Removing read receipts for particular account.

> On Fri, 7 May 2004, Mark Suter wrote:
> > Also consider dropping outbound NDN notices,
>
> Please don't do that. NDN's were invented for a reason: To make e-mail reliable. If you drop NDN's, you chip away at e-mail's reliability, which is worse for people's confidence in e-mail than spam.

Unless somebody can come up with a way to distinguish real NDNs from a) Spam disguised as an NDN and b) NDNs of forged mail that I never sent in the first place (of which I get hundreds if not thousands a day), then all NDNs on my system get ignored anyway.

-- 
Dave Williss
-- Meddle not in the affairs of dragons, for you are crunchy and taste good with catsup
Re: [Mimedefang] Removing read receipts for particular account.
On Fri, 7 May 2004, Dave Williss wrote:
> Unless somebody can come up with a way to distinguish real NDNs from a) Spam disguised as an NDN and b) NDNs of forged mail that I never sent in the first place (of which I get hundreds if not thousands a day), then all NDNs on my system get ignored anyway.

Case (a) is not that common yet, and is easily picked up by content-filters. Case (b) is a lot more difficult to deal with, I admit. If your server can correlate incoming NDN's with previously-sent outgoing mail, it's possible to do something intelligent, but getting this correlation is tricky, because different MTA's preserve different information from the original message.

Regards,

David.
Re: [Mimedefang] evolution forging HELO?
On Fri, 7 May 2004, Ole Craig wrote:
> However, I can't find any setting responsible for this in evolution. Has anyone else run into this?

I don't use Evolution, but in general, HELO checks are inappropriate on a server that MUAs connect to directly. They should really only be used on a server that only expects to talk to other MTAs.

Regards,

David.
[Mimedefang] Greylisting for mime-defang.
Hello,

any pointers to a good greylisting implementation for mimedefang? Code that I can cut-and-paste and adapt?

Sincerely,

- Henrik
[Mimedefang] Greylisting implementation @ puremagic
Hello,

will the greylisting milter implementation found on puremagic coexist with mimedefang? How do two milters coexist in sendmail?

Sincerely,

- henrik
[Mimedefang] Heads up: Change in behvior for 2.43
Hi, all.

I just wanted to give everyone a heads-up on some behavior that will change with the next release of MIMEDefang.

Currently, filter_relay is not called until after the MAIL command. The next release will call filter_relay immediately after the remote machine connects. This has the following implications:

1) The $helo argument is not available; filter_relay will be called with only two arguments ($hostip and $hostname).

2) No Sendmail queue identifier will exist yet; therefore, no MIMEDefang working directory will exist either. You will not be able to use file-based tricks to pass information from filter_relay to later functions.

I don't think this will have a huge impact on people; just move any tests that require $helo and/or a Sendmail queue ID into filter_sender. When 2.43 comes out, our reasons for this change will be clear.

Regards,

David.

-- 
David F. Skoll  [EMAIL PROTECTED]  Roaring Penguin Software Inc.
+1 (613) 231-6599 ext. 100  http://www.roaringpenguin.com/
For CanIt technical support, please mail: [EMAIL PROTECTED]
Re: [Mimedefang] Greylisting implementation @ puremagic
On Fri, May 07, 2004 at 11:10:11AM -0500, Henrik Schmiediche wrote:
> Hello, will the greylisting milter implementation found on puremagic coexist with mimedefang? How do two milters coexist in sendmail?

You can use several milters easily using several INPUT_MAIL_FILTER statements:

    INPUT_MAIL_FILTER(`filter1', `S=local:/var/filter1/filter1.sock, F=T, T=S:10m;R:10m;E:10m')
    INPUT_MAIL_FILTER(`filter2', `S=local:/var/filter2/filter2.sock, F=T, T=S:10m;R:10m;E:10m')

You can have a look at milter-greylist as second Milter: http://hcpnet.free.fr/milter-greylist/

Check the README in the libmilter directory for more info about using several Milter applications.

Regards,
SL/
---
Stephane Lentz  Alcanet International, Europe South, Internet Services
RE: [Mimedefang] Heads up: Change in behvior for 2.43
David F. Skoll wrote:
> Currently, filter_relay is not called until after the MAIL command. The next release will call filter_relay immediately after the remote machine connects.
> [...]
> I don't think this will have a huge impact on people; just move any tests that require $helo and/or a Sendmail queue ID into filter_sender.

Does this mean that for those of us who reject on invalid EHLO/HELO this rejection will now have to take place after the DATA phase, instead of after MAIL? In the past four days, my relay has rejected 17,463 delivery attempts due to EHLO/HELO parameters that contain my domain, or are bare IP addresses. Do you think that the impact of having to accept DATA from these relays before being able to reject will be noticeable? Or is there another approach that I'm missing?

___
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___
Re: [Mimedefang] evolution forging HELO?
At 07:57 AM 5/7/2004, Ole Craig wrote:
> He's using evolution, and it insists on sending HELO mail.cs.umass.edu which of course is my server, and not his laptop.

Hmm. I don't use Evolution normally, but I have a copy for tech support purposes. I just sent myself a test message, and it HELO'ed with its own IP address. (FWIW, this is Evolution 1.4 as provided by Fedora Core 1.)

Kelson Vibber
SpeedGate Communications  www.speed.net
Re: [Mimedefang] filter based on From/To headers?
On Wed, May 05, 2004 at 05:45:18PM -0400, David F. Skoll wrote:
> On Wed, 5 May 2004, Michael Sims wrote:
> > One caveat: I believe it is possible for the To header to contain multiple lines.
>
> When MIMEDefang writes the HEADERS file, it explicitly unwraps the lines to ensure that exactly one complete header appears on each line.

David, are there any circumstances when MD will not write out a HEADERS file? I've got mail passing through the system that my code in filter_begin doesn't seem to see.

    ...
    if ( open(HEADER, "HEADERS") ) {
        while (<HEADER>) {
            # only look at the address headers
            next unless /^(To|From|Cc):/;
            if ( /mx\.sonic\.net/i ) {
                md_syslog('err', "found hostname in header:: $_");
            }
        }
        close(HEADER);
    } else {
        md_syslog('err', "couldn't open HEADERS for hostname information :: $!\n");
    }
    ...

I don't see how this code could fail - and yet it is. Is it possible that I'm encountering a char set issue -- most of the '[EMAIL PROTECTED] spam' I see is coming in from .tw in a multi-byte charset.

-- 
Kelsey Cummings - [EMAIL PROTECTED]  sonic.net, inc.
System Administrator  2260 Apollo Way  707.522.1000 (Voice)
Santa Rosa, CA 95407  707.547.2199 (Fax)  http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
Re: [Mimedefang] filter based on From/To headers?
On Fri, 7 May 2004, Kelsey Cummings wrote:
> David, are there any circumstances when MD will not write out a HEADERS file?

I don't think so. What error gets logged?

Regards,

David.
RE: [Mimedefang] filter based on From/To headers?
-Original Message-
From: Kelsey Cummings [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 12:34 PM

> David, are there any circumstances when MD will not write out a HEADERS file? I've got mail passing through the system that my code in filter_begin doesn't seem to see.
>
>     ...
>     if ( open(HEADER, "HEADERS") ) {
>         while (<HEADER>) {
>             next unless /^(To|From|Cc):/;

To, From, and Cc are not case sensitive.

    to: email at example.com
    TO: email at example.com

are both valid. Try:

    next unless /^(To|From|Cc):/i;
Re: [Mimedefang] filter based on From/To headers?
On Fri, May 07, 2004 at 01:40:10PM -0400, David F. Skoll wrote:
> On Fri, 7 May 2004, Kelsey Cummings wrote:
> > David, are there any circumstances when MD will not write out a HEADERS file?
>
> I don't think so. What error gets logged?

No errors at all. I was thinking maybe HEADERS might be created empty, or, I suppose, not flushed to (ram)disk. I'm expecting to see something like the following:

    May 6 19:36:11 host mimedefang.pl[9925]: found hostname in header:: From: [EMAIL PROTECTED]

However, I know I'm not getting them for all of the mail that matches the pattern.

-- 
Kelsey Cummings - [EMAIL PROTECTED]  sonic.net, inc.
System Administrator  2260 Apollo Way  707.522.1000 (Voice)
Santa Rosa, CA 95407  707.547.2199 (Fax)  http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
[Mimedefang] filter awareness of which scanner detected a virus?
What's the recommended clean way to tell which scanner found a virus for use in mimedefang-filter? I'm interested in being able to log it for troubleshooting purposes.

After looking through the example filter, mimedefang.pl, I had in mind to define my own message_contains_virus that would return it, but I'd prefer to use the built-in routines whenever possible. I would make a feature request for message_contains_virus() to return the scanner as well:

--- /usr/local/bin/mimedefang.plFri Apr 16 15:02:59 2004 +++ mimedefang.pl.scanner-name Fri May 7 11:34:20 2004 @@ -6048,7 +6048,7 @@ foreach $scanner (@VirusScannerMessageRoutines) { ($scode, $scat, $sact) = $scanner(); if ($scat eq virus) { - return (wantarray ? ($scode, $scat, $sact) : $scode); + return (wantarray ? ($scode, $scat, $sact, $scanner) : $scode); } if ($scat ne ok) { $code = $scode; @@ -6084,7 +6084,7 @@ foreach $scanner (@VirusScannerEntityRoutines) { ($scode, $scat, $sact) = $scanner($e); if ($scat eq virus) { - return (wantarray ? ($scode, $scat, $sact) : $scode); + return (wantarray ? ($scode, $scat, $sact, $scanner) : $scode); } if ($scat ne ok) { $code = $scode;

... but I'm not sure that I understand all of the ramifications of doing so. I assume that the prototyping would break some people's filters if they're defining their own *_contains_virus() routines. I know that I'd have to chop off [message|entity]_contains_virus_ from the returned value, but that's something that would belong in the filter anyway, IMO.

-royce

-- 
Royce D. Williams  IP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]  http://www.tycho.org/royce/
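Review bot: in the first hunk (@@ -6048), the fourth return element is added only on the early return inside the `if ($scat eq virus)` branch; nothing else in the hunk changes the other return path, so the list-context result of message_contains_virus() now has a length that depends on the outcome. Return a defined fourth element (undef or '') from the non-virus path as well, and note the new element in the function's comment, so a filter doing `my ($code, $cat, $act, $who) = message_contains_virus();` gets a stable shape. What is returned is also the raw entry from @VirusScannerMessageRoutines, i.e. the routine name with its message_contains_virus_ prefix; stripping that prefix once here, rather than in every filter, gives callers a bare scanner name.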
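Review bot: the name this hunk (@@ -6084) returns is the entry from @VirusScannerEntityRoutines, so it will carry an entity_contains_virus_ prefix while the message-level path returns a message_contains_virus_ one; normalise both to the same bare scanner name (one substitution applied in both places) so the logged field is comparable whichever path found the virus, and give the non-virus return path of this function the same fourth element for a consistent list shape.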
RE: [Mimedefang] Heads up: Change in behvior for 2.43
> Does this mean that for those of us who reject on invalid EHLO/HELO this rejection will now have to take place after the DATA phase, instead of after MAIL? In the past four days, my relay has rejected 17,463 delivery attempts due to EHLO/HELO parameters that contain my domain, or are bare IP addresses. Do you think that the impact of having to accept DATA from these relays before being able to reject will be noticeable? Or is there another approach that I'm missing?

Michael, about your helo check... Where I had the following in filter_relay():

    #sub filter_relay {
    #
    #    my ($hostip, $hostname, $helo) = @_;

I now use this, in filter_sender():

    sub filter_sender {
        my ($sender, $ip, $name, $helo) = @_;

filter_sender takes four arguments, where filter_relay took three. The names change slightly, but if you start the functions as I did, allowing for four arguments, and then change the names of the corresponding variables in your helo check, that should be all you need (in addition to ensuring you start mimedefang with the -s switch, to activate the filter_sender function.)

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst, Open Systems Group
Sr. Software Analyst, TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

If that that is 'is' is that that is not 'not is', is that that is 'not is' that that is not 'is'? It is! - Ken Cormack

Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken. - Unknown
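The EHLO/HELO checks Michael describes (parameter contains our own domain, or is a bare IP), written as a complete filter_sender for the 2.43 change, as an added example rather than Ken's or Michael's code; the local domain and the trusted relay range are assumptions. Rejecting here still happens at MAIL, before DATA is ever accepted.

```perl
# Added example, not from the list posts: HELO/EHLO sanity checks done in
# filter_sender (four arguments), which runs at MAIL FROM, so the
# rejection costs no DATA transfer. Start mimedefang with -s.
use strict;
use warnings;

my $MY_DOMAIN  = 'example.com';     # placeholder: the domain this relay serves
my $TRUSTED_IP = qr/^192\.0\.2\./;  # placeholder: our own hosts (RFC 5737 range)

# Return a reason to reject this HELO, or undef if it is acceptable.
# Free of MIMEDefang globals so it can be exercised from a plain script.
sub helo_reject_reason {
    my ($helo, $domain) = @_;
    return undef unless defined $helo && length $helo;
    my $h = lc $helo;
    my $d = lc $domain;

    # "[192.0.2.9]" is a valid RFC 2821 address literal; only an
    # unbracketed dotted quad is the "bare IP address" case.
    return undef if $h =~ /^\[\d{1,3}(?:\.\d{1,3}){3}\]$/;
    return 'bare IP address in HELO' if $h =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;

    # A remote host announcing itself as us, or as a host under our domain.
    return 'HELO claims our own domain' if $h eq $d || $h =~ /\.\Q$d\E$/;
    return undef;
}

sub filter_sender {
    my ($sender, $ip, $name, $helo) = @_;

    # Our own hosts and MUAs submitting through us legitimately HELO with
    # our name (the Evolution thread above is the MUA case), so exempt them.
    return ('CONTINUE', 'ok') if $ip =~ $TRUSTED_IP;

    my $why = helo_reject_reason($helo, $MY_DOMAIN);
    if (defined $why) {
        md_syslog('info', "rejecting MAIL from $sender at $ip: $why (helo=$helo)");
        return ('REJECT', "Invalid HELO/EHLO: $why");
    }
    return ('CONTINUE', 'ok');
}
```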
Re: [Mimedefang] Greylisting for mime-defang.
On Fri, 7 May 2004 10:57:35 -0500, Henrik Schmiediche wrote:
> any pointers to a good greylisting implementations for mimedefang?

This's gotta be in the archives by now, it comes up regularly, but here goes:

My filter at http://whatever.frukt.org/mimedefang-filter.shtml implements greylisting.

> Code that I can cut-and-paste and adapt?

Sure, copy away. But you'll have to read the code to find out what you need to copy. Also note that it uses the O_EXLOCK flag for locking the database, and that flag isn't available on all systems (I only know for sure that it's available on FreeBSD). If it's not available you'll have to use another locking mechanism.

Regards
/Jonas

-- 
Jonas Eckerman, [EMAIL PROTECTED]
http://www.fsdb.org/
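A minimal greylisting filter_recipient, as an added example (not Jonas's filter), that keeps the triplet store in a DB_File hash and serialises access with flock() on a side lock file, which is the "other locking mechanism" needed where O_EXLOCK is missing. Paths, timings and the /24 keying are assumptions; mimedefang must be started with -r so filter_recipient is called.

```perl
# Added example, not from the list posts: greylisting with a DB_File store
# and portable flock() locking instead of O_EXLOCK.
use strict;
use warnings;
use DB_File;
use Fcntl qw(:DEFAULT :flock);

my $GREY_DB     = '/var/spool/MIMEDefang/greylist.db';  # placeholder path
my $GREY_LOCK   = "$GREY_DB.lock";
my $GREY_DELAY  = 5 * 60;     # seconds a new triplet must wait before retrying
my $GREY_EXPIRE = 36 * 3600;  # a triplet not retried within this is forgotten

# Triplet key: sender /24, envelope sender, envelope recipient (case-folded).
# Keying on the /24 lets a retry from a sibling host in the same farm pass.
sub greylist_key {
    my ($ip, $sender, $rcpt) = @_;
    (my $net = $ip) =~ s/\.\d{1,3}$/.0/;
    return join("\0", $net, lc $sender, lc $rcpt);
}

# Pure decision over the store: 'TEMPFAIL' on first sight (or after expiry),
# 'CONTINUE' once the first sighting is at least $GREY_DELAY seconds old.
sub greylist_decide {
    my ($db, $key, $now) = @_;
    my $first = $db->{$key};
    if (!defined $first || $now - $first > $GREY_EXPIRE) {
        $db->{$key} = $now;          # first sighting: start the clock
        return 'TEMPFAIL';
    }
    return $now - $first >= $GREY_DELAY ? 'CONTINUE' : 'TEMPFAIL';
}

# Open the store under an exclusive flock and run the decision. Failing to
# lock or open fails open (CONTINUE): greylisting must never lose mail.
sub greylist_check {
    my ($key, $now) = @_;
    sysopen(my $lock, $GREY_LOCK, O_RDWR | O_CREAT, 0640) or return 'CONTINUE';
    flock($lock, LOCK_EX) or do { close $lock; return 'CONTINUE' };
    my %db;
    my $tied = tie(%db, 'DB_File', $GREY_DB, O_RDWR | O_CREAT, 0640, $DB_HASH);
    my $verdict = $tied ? greylist_decide(\%db, $key, $now) : 'CONTINUE';
    undef $tied;
    untie %db;
    close $lock;                     # closing the handle releases the flock
    return $verdict;
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    return ('CONTINUE', 'ok') if $ip =~ /^127\./;   # local submissions
    my $verdict = greylist_check(greylist_key($ip, $sender, $recipient), time());
    return ('TEMPFAIL', 'Greylisted, please try again later') if $verdict eq 'TEMPFAIL';
    return ('CONTINUE', 'ok');
}
```

All multiplexor slaves share one database, so the lock file is what keeps concurrent RCPT commands from corrupting it; expire entries on a schedule (e.g. a cron job walking the hash) so the file does not grow without bound.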
[Mimedefang] Detecting bogus AOL addresses
I recently came across the specification for valid AOL addresses. It's simple, and easy to put into a regexp. It's only blocked 8 messages in the last few hours since I went from logging to rejecting, but that's 8 messages that didn't need to be scanned for viruses or spam. In case anyone else might find it useful, here's an abbreviated version of my filter_sender:

    sub filter_sender {
        my ($sender, $ip, $name, $helo) = @_;

        $sender =~ s/.*<//;    # strip everything up to and including '<'
        $sender =~ s/>.*//;    # strip '>' and everything after it
        $sender = lc($sender);

        # Check for bogus AOL addresses as described at
        # http://postmaster.aol.com/faq/mailerfaq.html#syntax
        # - all alphanumeric, starting with a letter, from 3 to 16 characters long.
        if ($sender =~ /[EMAIL PROTECTED]/i
            && $sender ne '[EMAIL PROTECTED]'
            && $sender !~ /^[a-z][a-z0-9]{2,[EMAIL PROTECTED]/i) {
            return ('REJECT', 'Forged AOL address detected.');
            #md_syslog('info', "$QueueID: Forged AOL address detected.");
        }
        return ('CONTINUE', 'ok');
    }

-- 
Kelson Vibber
SpeedGate Communications, www.speed.net