Re: [Mimedefang] Spam with more than one recipient - reject or not?

2005-09-06 Thread Steffen Kaiser

On Tue, 6 Sep 2005, Wesley Peters wrote:

While writing the former reply, an idea developed; it tries to extend 
Greylisting:


Consider a message for multiple recipients, some do like it, some do not.

+ During filter_end() you score why the recipients don't like it (e.g. 
some reasons might not be appropriate for this idea); then you save the 
pair (envelope sender, envelope recipient) into a database.


+ The whole message is tempfailed.

+ When a message arrives, you check in filter_recipient() whether the DB 
contains the pair (sender, recipient); if so, the recipient is tempfailed.


+ The database entries are deleted after, say, one hour.

+ Eventually, within the grace time of 1h, the message with the mixed 
recipients is retried; the recipients who don't like the message get 
tempfailed, the others pass.


+ When the message is retried again after the grace time, all recipients 
don't like the mail and it is bounced.


The basic idea is to assume that a sender will send SPAM the next time, 
too.


This assumption is also the weak point because of all the faked sender 
addresses. There will be well-known senders that, when arriving from 
certain hosts, are no SPAM mostly, so they can be exempted from this 
technique.


There will be several scenarios that make this technique cumbersome, 
because it is possible that a mail gets tempfailed forever without being 
scanned at all.


E.g.:

+ Mail A from faked sender S arrives with multiple recipients; recipient R 
doesn't like the message; the pair (S, R) is stored in the DB.


+ Mail B arrives from real sender S to R (single recipient) within grace 
time. But it is tempfailed. You don't know whether this message has one 
or more recipients; hence you must honor the DB every time.


--> When message A is never retried _within_ the grace time, it will be 
tempfailed forever and possibly prevent scanning and delivery of Mail B 
that way.


Does anybody have an idea to eliminate the weak points?

Bye,

--
Steffen Kaiser
___
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Spam with more than one recipient - reject or not?

2005-09-06 Thread Steffen Kaiser

On Tue, 6 Sep 2005, Wesley Peters wrote:

> On Wed, 2005-08-17 at 07:54 -0400, David F. Skoll wrote:
> > Michal Jankowski wrote:
> >
> > > I have received a suggestion to stream by recipient.
> >
> > > But that's a big no-no. Once you do that, you have effectively
> > > accepted the smtp transaction. So you cannot 'bounce' and the only way
> > > to notify sender is by mail, which should be avoided at all cost.
> >
> > Well, in that case, you just discard instead of bounce.
> >
> > Can you suggest a viable alternative?  (Other than re-writing SMTP, of course.)
>
> Tempfail all the recipients who use different rules than the first?


That falls into the field of "re-writing SMTP"; because the recipients 
are sent and acknowledged (or rejected) _before_ the contents come in, 
you can't tempfail individual recipients based on the contents.


Also, another idea:

+ tempfail the message as a whole, &
+ when the mail transfer is attempted again, you know the old score and 
tempfail the recipients who do not like the mail.


Well, won't work as well, because when the recipients are sent, you only 
know the connecting host, the HELO string and the envelope sender. Not 
enough information to reliably identify a message.
Some (mostly larger hosters) have mail clusters, where, possibly, a 
message is retried from another host, which should use another HELO string 
as well.


So one can only act on the tuple (sender, recipient), and you can't even 
rely on the order of the recipients staying the same on retry.
-> Well, this is much like conditional greylisting, where you hope that 
the attempt to re-transfer is a good sign for non-SPAM.


Bye,

--
Steffen Kaiser
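The (sender, recipient) pair greylisting proposed in the earlier message, together with the RCPT TO / DATA ordering argued above, as an added Python simulation that is not code from the thread or from MIMEDefang; the addresses, relay names and the per-recipient "dislike" verdicts are constructed, and filter_recipient/filter_end here only model the two MIMEDefang hooks of the same names. It runs the prompt-retry case, the "tempfailed forever" case, and the (sender, relay) exemption the first message suggests:

```python
"""Simulation of the (sender, recipient) pair greylisting idea: filter_recipient()
sees only envelope data, filter_end() sees content, DB entries expire after 1h."""
from dataclasses import dataclass

GRACE_SECONDS = 3600  # "The database entries are deleted after, say, one hour."


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: tuple
    disliked_by: frozenset  # recipients whose content rules reject it (constructed)


class PairGreylister:
    def __init__(self, exempt=()):
        self.clock = 0             # simulated seconds; the scenarios advance it
        self.db = {}               # (sender, recipient) -> time the pair was recorded
        self.exempt = set(exempt)  # (sender, relay) pairs trusted as "no SPAM mostly"

    def expire(self):
        cutoff = self.clock - GRACE_SECONDS
        self.db = {pair: t for pair, t in self.db.items() if t > cutoff}

    def filter_recipient(self, sender, rcpt, relay):
        """RCPT TO stage: sender, recipient and relay are all we know."""
        self.expire()
        if (sender, relay) in self.exempt:
            return "CONTINUE"
        return "TEMPFAIL" if (sender, rcpt) in self.db else "CONTINUE"

    def filter_end(self, msg, accepted):
        """DATA stage: content scanned and scored per accepted recipient."""
        disliked = [r for r in accepted if r in msg.disliked_by]
        if not disliked:
            return "ACCEPT"
        if len(disliked) == len(accepted):
            return "BOUNCE"            # nobody wants it: reject outright
        for r in disliked:             # mixed verdicts: remember who objected
            self.db[(msg.sender, r)] = self.clock
        return "TEMPFAIL"              # and tempfail the whole message

    def deliver(self, msg, relay):
        """One SMTP transaction. Returns (verdict, recipients delivered to)."""
        accepted = [r for r in msg.recipients
                    if self.filter_recipient(msg.sender, r, relay) == "CONTINUE"]
        if not accepted:
            return "TEMPFAIL", []      # every RCPT TO refused: no DATA phase at all
        verdict = self.filter_end(msg, accepted)
        return verdict, (accepted if verdict == "ACCEPT" else [])


# Constructed sample traffic: S is forged in mail A and genuine in mail B.
SENDER = "s@example.org"
R, T = "r@example.net", "t@example.net"
MAIL_A = Message(SENDER, (R, T), frozenset({R}))  # mixed: R objects, T does not
MAIL_B = Message(SENDER, (R,), frozenset())       # legitimate single-recipient mail


def prompt_retry():
    """Mail A retried 15 min later: R is refused at RCPT TO, T gets the mail."""
    g = PairGreylister()
    first = g.deliver(MAIL_A, "relay-a.example")
    g.clock += 900
    second = g.deliver(MAIL_A, "relay-a.example")
    return first, second


def stuck_sender(rounds=3, retry_every=7200, exempt=()):
    """Mail A is only ever retried after the grace time, so its pairs are
    refreshed each round; mail B (real S -> R, half an hour after each A) is
    tempfailed every round as collateral. Returns per-round (A, B) verdicts."""
    g = PairGreylister(exempt)
    verdicts = []
    for _ in range(rounds):
        a = g.deliver(MAIL_A, "relay-a.example")[0]
        g.clock += 1800
        b = g.deliver(MAIL_B, "relay-b.example")[0]
        g.clock += retry_every - 1800
        verdicts.append((a, b))
    return verdicts


if __name__ == "__main__":
    print("prompt retry:   ", prompt_retry())
    print("stuck sender:   ", stuck_sender())
    print("with exemption: ", stuck_sender(exempt={(SENDER, "relay-b.example")}))
```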


Re: [Mimedefang] Re: exiting the filter before any processing

2005-09-06 Thread Rolf
Yes that is a good point and I have decided not to skip some checks on 
outgoing mail.


thanks.

r.


On Jan 27,  5:57pm, Rolf wrote:
}
} If $RelayAddr is the address of the ISP mail server then processing
} continues as usual. If, however, it is the address of the LAN mail
} server then spam, attachments, size, and so on that the filter checks
} are all to be ignored, but append_text_boilerplate() is to be applied.

} I can easily apply the boilerplate routine to the right msgs, but I
} can't find a simple way to ignore the rest of the processing for the
} same msg.

 In addition to what everybody else has said, I just have to point
out that this is dangerous.  At the very least, you should virus check
outgoing mail.  This will help to catch internal machines that get
viruses early on, and it will help prevent you from attacking others,
which will affect your reputation.

}-- End of excerpt from Rolf


Re: [Mimedefang] Re: exiting the filter before any processing

2005-09-06 Thread John Nemeth
On Jan 27,  5:57pm, Rolf wrote:
} 
} If $RelayAddr is the address of the ISP mail server then processing 
} continues as usual. If, however, it is the address of the LAN mail 
} server then spam, attachments, size, and so on that the filter checks 
} are all to be ignored, but append_text_boilerplate() is to be applied.
} I can easily apply the boilerplate routine to the right msgs, but I 
} can't find a simple way to ignore the rest of the processing for the 
} same msg.

 In addition to what everybody else has said, I just have to point
out that this is dangerous.  At the very least, you should virus check
outgoing mail.  This will help to catch internal machines that get
viruses early on, and it will help prevent you from attacking others,
which will affect your reputation.

}-- End of excerpt from Rolf


Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread David F. Skoll
Kenneth Porter wrote:

>> http://www.rhyolite.com/anti-spam/freemail-adb
> Nice list. Anyone have a SpamAssassin plugin to use it like a SURBL?

It's not really appropriate for that; I don't think most people can
afford to reject (or even score) mail from hotmail.com, gmail.com,
etc.

However, we have some web forms that we like people to fill out before
we give them moderately sensitive information, and for that situation,
we've weighed the risks and decided not to accept e-mail addresses
from free or semi-anonymous domains.

Regards,

David.


[Mimedefang] Blacklisting senders of forbidden phrases.

2005-09-06 Thread M Jerome Garrett
I stole some code off of somebody on here that posted a script to add to the
mimedefang-filter file.  This script goes into a subjects.db file and
searches for words/phrases in the subject line that are in the subjects.db
database.  If they are, then the message is rejected and management is
happy.  I call the search like this.

 

if (lookup_subject() && $auto_whitelist < 1) {
    action_bounce("Access denied. Subject \"$Subject\" suggests MSG may contain SPAM/WORM/VIRUS/HOAX.",
                  "553", "5.7.1");
    return action_discard();
}


I want to be able to add a line in the (lookup_subject) function (something
like addline to /etc/mail/blacklist "$Sender REJECT") to be able to add a
line to my blacklist.db file (which is very similar to the (lookup_subjects)
function). But I do not know perl well enough to know how to complete this
task.  Does anybody know how to add a line to a file in this case? 

 
Attached is the (lookup_subjects) function:

use DB_File;             # tie() below needs these two modules loaded
use Fcntl qw(O_RDONLY);

our $DBFilenameSUBS = "/etc/mail/subjects.db";

sub lookup_subject() {
    # convert incoming subject to lower-case
    my $lc_subject = lc($Subject);
    my $subject_result = 0;

    my %GDB;
    if (tie(%GDB, 'DB_File', $DBFilenameSUBS, O_RDONLY)) {
        # remove white space from the middle so that
        # "free s tu f f here" becomes "free s t u f f here"
        $lc_subject =~ s/(\s)\s+/$1/g;
        # next statement collapses "free  s t u f f  here" into
        # "free stuff here" (runs of single-letter words are joined)
        $lc_subject =~ s!((^|\s)\S\s(\S(\s|$)){2,})!
            my $lc_subject_x = $1; $lc_subject_x =~ s/\s//g;
            sprintf "%s", "$lc_subject_x ";!ego;
        $lc_subject =~ s/^\s+//;  # Trim leading whitespace
        $lc_subject =~ s/\s+$//;  # Trim trailing whitespace
        $lc_subject =~ s/^re://;  # Trim leading "re:"
        $lc_subject =~ s/^fw://;  # Trim leading "fw:"
        $lc_subject =~ s/^fwd://; # Trim leading "fwd:"
        $lc_subject =~ s/\s+/./g; # Collapse whitespace into periods

        # Scan database for a complete match (only)
        if ($GDB{$lc_subject}) {
            $subject_result = 1;
            md_graphdefang_log("Subject_Line",
                               "Subject-line found in subjects.db");
        } else {
            # See if any one word in the subject appears as a record
            my @subject_array = split(/\./, $lc_subject);
            foreach my $subject_word (@subject_array) {
                if ($GDB{$subject_word}) {
                    $subject_result = 1;
                    md_graphdefang_log("Subject_Word",
                        "Subject-word \"$subject_word\" found in subjects.db");
                    last;
                }
            }
        }
        if (!$subject_result) {
            # here we reverse the logic... see if any record in the database
            # is found as a substring in the subject.  if a record contains
            # "free.stuff" and the subject says "get your free stuff here",
            # then flag it as a hit.
            foreach my $subject_record (keys %GDB) {
                if ($lc_subject =~ m/(^|\.)\Q$subject_record\E($|\.)/) {
                    $subject_result = 1;
                    md_graphdefang_log("Subject_Substring",
                        "Subject-substring \"$subject_record\" found in subject line");
                    last;
                }
            }
        }
        untie %GDB;
    } else {
        md_syslog('warning', "subject: Cannot open file $DBFilenameSUBS");
    }
    return $subject_result;
}




[Mimedefang] Re: exiting the filter before any processing

2005-09-06 Thread Rolf
> > Thanks.  But I do want to do more processing. That's just the point. 
> > Its like I want to say at each point 'if the mail is from  then
> > jump over the virus scanning bit" and likewise avoid the mimetype bit
> > and so on.
>
> That's exactly what you need to do.

Thank you.

> The supplied filter is just an example.  MIMEDefang
> admins are expected to modify it to suit local requirements.  But if
> you know Perl, it shouldn't take you more than a minute to make the changes

Yes, I only know basic perl, but given the supplied filter is so suitable out-of-the-box and is perfectly easy to understand, I have been able to modify it variously thus far.  
I only asked in the first place in the hope that there was some non-obvious way to get a specific, I would have thought common, behaviour (mail travelling from the internet to the LAN is treated differently from mail in the opposite direction).

Thank you very much for your help.

r.


Re: [Mimedefang] Spam with more than one recipient - reject or not?

2005-09-06 Thread Wesley Peters
On Wed, 2005-08-17 at 07:54 -0400, David F. Skoll wrote:
> Michal Jankowski wrote:
> 
> > I have received a suggestion to stream by recipient.
> 
> > But that's a big no-no. Once you do that, you have effectively
> > accepted the smtp transaction. So you cannot 'bounce' and the only way
> > to notify sender is by mail, which should be avoided at all cost.
> 
> Well, in that case, you just discard instead of bounce.
> 
> Can you suggest a viable alternative?  (Other than re-writing SMTP, of 
> course.)

Tempfail all the recipients who use different rules than the first?

Sorry this reply is coming so late, I'm playing catchup from several
weeks of vacation and working on other tasks.


-- 
 "Where am I, and what am I doing in this handbasket?"

Wes Peters Software Engineer
[EMAIL PROTECTED]   St. Bernard Software



Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Kenneth Porter
--On Monday, September 05, 2005 10:59 PM -0400 "David F. Skoll" 
<[EMAIL PROTECTED]> wrote:

> Also, our Web forms reject anyone who puts in an e-mail address in
> Vernon Schryver's free email domain list at
> http://www.rhyolite.com/anti-spam/freemail-adb

Nice list. Anyone have a SpamAssassin plugin to use it like a SURBL?




[Mimedefang] Re: OT: Email web form exploits

2005-09-06 Thread Ian Mitchell

Not to make a statement here, but as I have worked as/with the "feds" for
many years, I think these attacks are a tad prejudiced and ill placed on
this mailing list.

However, in regards to your statements about or against contacting the
"feds" to alert them of this new exploit. The comment made earlier of
people being clueless is inaccurate. There are organizations across the
world, some of which are indeed "feds" that make it their sole purpose to
know these sorts of things.

I would recommend contacting the vendors first, if they're homegrown
scripts, contact the author. Give them a chance to secure their code. Then
after a set amount of time, disclose your vulnerability to the bugtraq
list at www.securityfocus.com, might even decide to submit it to the
various CERT's out there for investigation. cert.mil, cert.gov, cert.org,
etc...

In the very least, your investigation and reporting of the incidents at
hand can help folks in the Snort community and other IA communities to
develop rules to catch network traffic that does exploit it.

Don't necessarily expect a response. These organizations get millions of
emails a day (undoubtedly) so there may be some disconnect. But they do take
things seriously. Your best bet to let it be known is to publish it to
places like Bugtraq. (AFTER you contact the vendor)

Heck you may even consider bouncing it off the handlers at isc.sans.org
and see if they're detecting an increase in traffic across the Internet
that is indeed exploiting it. Might just be that you found an isolated
incident. Who knows.

Best of luck.
Ian.

>>  If I was the Feds I would simply tell you to go away and secure
>>your system.  And, if you are working for an organisation where your
>>systems must be secure by law, I would sic the appropriate agency on
>>you.
>
> And, you already sound like a government worker.  Totally bad attitude.  I
> expect to speak to someone like you today.  I am sure I will find a way
> around the front guard, then maybe not.  There are plenty of folks like
> you
> in the government.
>




Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Kelson

Chris Gauch wrote:

> Just wanted to hear how others are being hit by this latest scam.  As an ISP
> that hosts hundreds of websites that use Email web forms, we have had lots
> of forms come through with fake email addresses throughout the form (see the
> article below for more info):

I've seen several of these over the past week.  Mostly on forms that 
don't actually accept arbitrary recipients, though I did have to audit 
and fix a few.  I actually laughed at one that came through with a 
12-line-long "Subject" header where they'd tried to insert their own 
recipient, received, and other fields.  On the other hand, that was 
partly a function of which scripts they hit.  If it had worked, I 
would've been too busy fixing the code to laugh.


--
Kelson Vibber
SpeedGate Communications 


Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Les Mikesell
On Tue, 2005-09-06 at 10:25, John wrote:
> >
> >What would you like them to do?
> 
> Be aware.  None of us have an overall picture of the security issues of our 
> Nation.  Only selected groups have that knowledge.  I am just going to feed 
> them some data.  What they do with it is up to them.  The persistence of 
> this issue is the key factor here.  I personally have never had a spammer 
> piss around for days on end.  Too many other easy marks out there.  Maybe 
> somebody in a more dense area of the world with more top site exposure is 
> used to this, but here in Blgs, we are not.  Maybe it's just our turn in 
> the barrel, but it is extremely unusual activity in our little pew.
> 
> Noteworthy to say the least.

I think you've just been lucky so far.  If you have forms that allow
the post'ed data to provide arbitrary destination addresses and content
you can pretty much expect someone to fill your bandwidth sending junk.

-- 
  Les Mikesell
   [EMAIL PROTECTED]




Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread John

At 08:42 AM 9/6/2005, you wrote:

> On Tue, 2005-09-06 at 07:45, John wrote:
> > >
> > >  Contacted them for what purpose?  To tell them that you're a lousy
> > >programmer?  Or perhaps to tell them that you stick random unverified
> > >code on your system (i.e. you're a lousy sysadmin)?
> >
> > We also, are an ISP.  We, as a company, do not control content.  We should,
> > I agree, but company policy says "Not"...
>
> So what is it that you expect someone else to do about it?  Shouldn't
> you be contacting the clients that do control this made-to-exploit
> content?

I don't expect them to do anything about it.  I have already contacted 
clients and shut down scripts.

I have been doing this for years.  I have seen the kiddie scripters come 
and go.  They are not an issue.  These are much different than what I have 
seen in the past.  I am going to make the Feds aware of this, just in case 
there is something here that is not apparent on the surface.  Expect them 
to shut something down?  Nada, on the contrary, I want them to see if 
something on the dark side is up (If they are interested).

> > >  If I was the Feds I would simply tell you to go away and secure
> > >your system.  And, if you are working for an organisation where your
> > >systems must be secure by law, I would sic the appropriate agency on
> > >you.
> >
> > And, you already sound like a government worker.  Totally bad attitude.  I
> > expect to speak to someone like you today.  I am sure I will find a way
> > around the front guard, then maybe not.  There are plenty of folks like you
> > in the government.
>
> What would you like them to do?

Be aware.  None of us have an overall picture of the security issues of our 
Nation.  Only selected groups have that knowledge.  I am just going to feed 
them some data.  What they do with it is up to them.  The persistence of 
this issue is the key factor here.  I personally have never had a spammer 
piss around for days on end.  Too many other easy marks out there.  Maybe 
somebody in a more dense area of the world with more top site exposure is 
used to this, but here in Blgs, we are not.  Maybe it's just our turn in 
the barrel, but it is extremely unusual activity in our little pew.

Noteworthy to say the least.

> --
>   Les Mikesell
> [EMAIL PROTECTED]



John Jaeger - Billings, Montana

EMail To: 
Home Page   : 

PGP:
RSA Key ID: 0xAAEC7751  

"Our liberty is protected by four boxes...
The ballot box, the jury box, the soap box, and the cartridge box."
   - Anonymous

"Soap Box" didn't work, now using the "Cartridge Box" 3/20/2003



Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Les Mikesell
On Tue, 2005-09-06 at 07:45, John wrote:
> >
> >  Contacted them for what purpose?  To tell them that you're a lousy
> >programmer?  Or perhaps to tell them that you stick random unverified
> >code on your system (i.e. you're a lousy sysadmin)?
> 
> We also, are an ISP.  We, as a company, do not control content.  We should, 
> I agree, but company policy says "Not"...

So what is it that you expect someone else to do about it?  Shouldn't
you be contacting the clients that do control this made-to-exploit
content?

> >  If I was the Feds I would simply tell you to go away and secure
> >your system.  And, if you are working for an organisation where your
> >systems must be secure by law, I would sic the appropriate agency on
> >you.
> 
> And, you already sound like a government worker.  Totally bad attitude.  I 
> expect to speak to someone like you today.  I am sure I will find a way 
> around the front guard, then maybe not.  There are plenty of folks like you 
> in the government.

What would you like them to do? 

-- 
  Les Mikesell
[EMAIL PROTECTED]




Re: [Mimedefang] Re: exiting the filter before any processing

2005-09-06 Thread Rolf

> return('ACCEPT_AND_NO_MORE_FILTERING',"ok");
>
> That should throw you straight out and not do anymore processing


Thanks.  But I do want to do more processing. That's just the point.  
Its like I want to say at each point 'if the mail is from  then 
jump over the virus scanning bit" and likewise avoid the mimetype bit 
and so on. I don't want to stop the processing, I want to be selective 
about it.


It is sounding like I need to significantly adjust the supplied filter 
script and incorporate many conditions.  I was hoping there was a 
simpler way.


r.


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] Behalf Of Rolf


hello

Yesterday I received several helpful responses to the question below. 
All suggested using filter_relay to avoid further processing.


I have now discovered that what I was initially trying doesn't match 
what the business wants. What is required is that some parts of the 
filter are to be avoided based on the sending mail server:


If $RelayAddr is the address of the ISP mail server then processing 
continues as usual. If, however, it is the address of the LAN mail 
server then spam, attachments, size, and so on that the filter checks 
are all to be ignored, but append_text_boilerplate() is to be applied.
I can easily apply the boilerplate routine to the right msgs, but I 
can't find a simple way to ignore the rest of the processing for the 
same msg.


Is the only method to insert a collection of conditionals that avoid 
each of the checks through each of the subroutines? Of the kind "if 
the relay address is not from then LAN then do this 
virus/spam/mimetype check..."? Seems the only way, and rather clumsy. 
Is there a better construct?





Re: [Mimedefang] Re: exiting the filter before any processing

2005-09-06 Thread David F. Skoll
Rolf wrote:

> Thanks.  But I do want to do more processing. That's just the point. 
> Its like I want to say at each point 'if the mail is from  then
> jump over the virus scanning bit" and likewise avoid the mimetype bit
> and so on.

That's exactly what you need to do.

> It is sounding like I need to significantly adjust the supplied filter
> script and incorporate many conditions.  I was hoping there was a
> simpler way.

Unfortunately, not.  The supplied filter is just an example.  MIMEDefang
admins are expected to modify it to suit local requirements.  But if
you know Perl, it shouldn't take you more than a minute to make the changes
you need.

Regards,

David.


RE: [Mimedefang] Re: exiting the filter before any processing

2005-09-06 Thread Mack
Oops, slightly misread your requirements there.
Yes, you will need to enter each part of the filter and perform the IP check, 

using something like

sub filter_end ($) {
    my($entity) = @_;
    return if message_rejected();
    # $RelayAddr is the MIMEDefang global holding the connecting relay's IP
    # (the original snippet tested an undefined $ip); x.x.x.x is a placeholder
    # for the LAN mail server's address.
    if ($RelayAddr =~ /x\.x\.x\.x$/) {
        append_text_boilerplate($entity, "Your Boilerplate", 0);
        append_html_boilerplate($entity, "Your Boilerplate", 0);
        return;   # filter_end's return value is not used; just stop here
    }
    # Carry on with spam checks, AV checks etc. here
}



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mack
Sent: Tuesday 06 September 2005 14:36
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] Re: exiting the filter before any processing


return('ACCEPT_AND_NO_MORE_FILTERING',"ok");

That should throw you straight out and not do anymore processing




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rolf
Sent: Tuesday 06 September 2005 14:22
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] Re: exiting the filter before any processing


hello

Yesterday I received several helpful responses to the question below. All 
suggested using filter_relay to avoid further processing.

I have now discovered that what I was initially trying doesn't match what the 
business wants. What is required is that some parts of the filter are to be 
avoided based on the sending mail server: 

If $RelayAddr is the address of the ISP mail server then processing continues 
as usual. If, however, it is the address of the LAN mail server then spam, 
attachments, size, and so on that the filter checks are all to be ignored, but 
append_text_boilerplate() is to be applied. 
I can easily apply the boilerplate routine to the right msgs, but I can't find 
a simple way to ignore the rest of the processing for the same msg. 

Is the only method to insert a collection of conditionals that avoid each of 
the checks through each of the subroutines? Of the kind "if the relay address 
is not from then LAN then do this virus/spam/mimetype check..."? Seems the only 
way, and rather clumsy. Is there a better construct?

The man page says that the boilerplate routine is only available in filter_end 
so it seems that any message wanting that kind of processing will at least need 
to "enter" the filter in the first place.

Many thanks.

r.




From: Rolf <[EMAIL PROTECTED]>
Date: 5 September 2005 9:23:55 PM
To: mimedefang@lists.roaringpenguin.com
Subject: exiting the filter before any processing

hello

I've tried so many combinations and none work. Feeling a bit silly.

Where can I put in mimedefang-filter a statement so that the filter exits 
before any processing happens based on $RelayAddr ??

I've tried a simple: return if ($RelayAddr eq "ip address"); in various parts 
of the filter but none make any difference. Do I need such a statement in each 
of the subroutines?

What am I missing and/or misunderstanding?

thanks

r.




[Mimedefang] Re: exiting the filter before any processing

2005-09-06 Thread Mack
return('ACCEPT_AND_NO_MORE_FILTERING',"ok");

That should throw you straight out and not do anymore processing




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rolf
Sent: Tuesday 06 September 2005 14:22
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] Re: exiting the filter before any processing


hello

Yesterday I received several helpful responses to the question below. All 
suggested using filter_relay to avoid further processing.

I have now discovered that what I was initially trying doesn't match what the 
business wants. What is required is that some parts of the filter are to be 
avoided based on the sending mail server: 

If $RelayAddr is the address of the ISP mail server then processing continues 
as usual. If, however, it is the address of the LAN mail server then spam, 
attachments, size, and so on that the filter checks are all to be ignored, but 
append_text_boilerplate() is to be applied. 
I can easily apply the boilerplate routine to the right msgs, but I can't find 
a simple way to ignore the rest of the processing for the same msg. 

Is the only method to insert a collection of conditionals that avoid each of 
the checks through each of the subroutines? Of the kind "if the relay address 
is not from then LAN then do this virus/spam/mimetype check..."? Seems the only 
way, and rather clumsy. Is there a better construct?

The man page says that the boilerplate routine is only available in filter_end 
so it seems that any message wanting that kind of processing will at least need 
to "enter" the filter in the first place.

Many thanks.

r.




From: Rolf <[EMAIL PROTECTED]>
Date: 5 September 2005 9:23:55 PM
To: mimedefang@lists.roaringpenguin.com
Subject: exiting the filter before any processing

hello

I've tried so many combinations and none work. Feeling a bit silly.

Where can I put in mimedefang-filter a statement so that the filter exits 
before any processing happens based on $RelayAddr ??

I've tried a simple: return if ($RelayAddr eq "ip address"); in various parts 
of the filter but none make any difference. Do I need such a statement in each 
of the subroutines?

What am I missing and/or misunderstanding?

thanks

r.






Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread John

At 11:23 PM 9/5/2005, you wrote:

On Jan 26,  5:16pm, John wrote:
}
} I am a System Administrator in Billings, MT.  I am having the same issue,
} however I do not feel this is to be taken lightly.  Mine started with IP's
} in Egypt & Iran.  I have attempted to contact the FBI & Dept. of Homeland
} Security.  Also have alerted AOL's Fraud Dept. as that's where the test
} emails were sent originally while testing.
}
} I attempted Federal contact Saturday when I realized what was
} transpiring.  Unfortunately, they are an 8-5 system unless someone's life
} is at stake.

 Contacted them for what purpose?  To tell them that you're a lousy
programmer?  Or perhaps to tell them that you stick random unverified
code on your system (i.e. you're a lousy sysadmin)?


We also, are an ISP.  We, as a company, do not control content.  We should, 
I agree, but company policy says "Not"...




} This has been a continuous, saturated attack, not at all like a simple
} spammer or script kiddy.  Think about what would happen if a subversive
} group like, and including, Bin Laden's boys found open mail forms that
} could be used to send coded messages in plain text with impunity and being
} relatively anonymous.

 The people running insecure web sites should be nailed.


I agree 100%.  However, in the real world, when you have hundreds of sites 
and may be 75-80 developers, that's what happens.



  There is
a ton of information out there on how to write secure forms!  This is
not a new attack.


Not like this one has been.


  This is old stuff.

} I want some answers from the Feds on this issue and I can assure you I will
} be on the phone at 8:00 in the morning...

 If I was the Feds I would simply tell you to go away and secure
your system.  And, if you are working for an organisation where your
systems must be secure by law, I would sic the appropriate agency on
you.


And, you already sound like a government worker.  Totally bad attitude.  I 
expect to speak to someone like you today.  I am sure I will find a way 
around the front guard, then maybe not.  There are plenty of folks like you 
in the government.



John Jaeger - Billings, Montana


PGP:
RSA Key ID: 0xAAEC7751  

"Our liberty is protected by four boxes...
The ballot box, the jury box, the soap box, and the cartridge box."
   - Anonymous
