Re: [Mimedefang] Adding support for learning our addresses

2006-01-27 Thread Kevin A. McGrail
On a bit more sophisticated level (ok a lot more sophisticated level), a guy 
named A.J. Fasano has developed a fantastic system that has one part of it 
that does the type of lookups you are referring to.  He calls it 
relayregistry.org and it's fantastic.  One of the things he focuses very 
well on doing is helping ham get through which is something I think is often 
forgotten in the anti-spam world.


If you would like to use the system, email me your daily mail volume and 
I'll forward your request.  If approved, I'll send you the MD code and SA 
rule files.



BTW, anyone out there doing any REALLY scary mail volumes like 100Million+ 
daily emails?  Really like to discuss if SA and MD can handle this type of 
volume and what type of hardware requirements, etc.


Sincerely,
KAM




> One other thing I thought about: what about detecting spammers, and
> then looking up the CIDR block that their address belongs to, and adding
> it to a blacklist automatically in filter_relay()?  We could set a
> threshold for the number of offenses before they get added in.


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Adding support for learning our addresses

2006-01-27 Thread Alexander Dalloz
On Sat, 28.01.2006 at 4:46, Philip Prindeville wrote:

> BTW:  my SpamAssassin pukes at "use_terse_report 1".  What version
> does that apply to?

Pre SA 3.x

You may now use "remove_header all Report" to remove the verbose report.

> -Philip

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 05:45:09 up 54 days, 10:22, load average: 0.24, 0.28, 0.24 


signature.asc
Description: This is a digitally signed message part


Re: [Mimedefang] Adding support for learning our addresses

2006-01-27 Thread Philip Prindeville

David F. Skoll wrote:

> Philip Prindeville wrote:
>
> From Perl?  But the whole thing's pretty silly anyway -- unless your
> server is very unusual, you can hard-code its IP address(es) in your
> filter.

Well, there are a few reasons:

(1) it makes it turn-key so that neophytes can use it more easily;

(2) you can run the same config on a cluster of servers unmodified;

(3) mobile users with dynDNS can use it.

> I'm not sure, actually... I never checked.  Let's see:
>
> $ whois 206.191.13.82
>
> OrgName:Magma Communications Ltd.
> [...]
> NetRange:   206.191.0.0 - 206.191.63.255
> CIDR:   206.191.0.0/18
>
> Nope; I guess not.
 



Hmmm.  I was hoping to be able to blacklist certain countries, etc.
like Romania, China, Thailand, etc. that aren't identifiable by rDNS.

I suppose a way to manually reset a blacklisting could be done.

Or apply it according to some criteria.

BTW:  my SpamAssassin pukes at "use_terse_report 1".  What version
does that apply to?

-Philip




Re: [Mimedefang] Adding support for learning our addresses

2006-01-27 Thread David F. Skoll
Philip Prindeville wrote:

> Too heavy weight.  Requires a fork/exec for each iteration.
> Easier to just do some ioctl()'s.

From Perl?  But the whole thing's pretty silly anyway -- unless your
server is very unusual, you can hard-code its IP address(es) in your
filter.

[...]

>> Too many false-positives.  We own a measly 8 IP addresses where our
>> colo box sits.  If you block us because someone on our class C was bad,
>> that's unfair.

> And your farm facility doesn't allocate individual CIDR information for
> clients?

I'm not sure, actually... I never checked.  Let's see:

$ whois 206.191.13.82

OrgName:Magma Communications Ltd.
[...]
NetRange:   206.191.0.0 - 206.191.63.255
CIDR:   206.191.0.0/18

Nope; I guess not.

--
David.


Re: [Mimedefang] Adding support for learning our addresses

2006-01-27 Thread Philip Prindeville

David F. Skoll wrote:

> http://search.cpan.org/~tpaba/Net-Ifconfig-Wrapper-0.09/

Too heavy weight.  Requires a fork/exec for each iteration.
Easier to just do some ioctl()'s.

> Too many false-positives.  We own a measly 8 IP addresses where our
> colo box sits.  If you block us because someone on our class C was bad,
> that's unfair.

And your farm facility doesn't allocate individual CIDR information for
clients?

-Philip





Re: [Mimedefang] Adding support for learning our addresses

2006-01-27 Thread David F. Skoll
Philip Prindeville wrote:

> Hmmm  I was wondering if we might want to call
> ioctl(...,  SIOCGIFCONF...) followed by SIOCGIFADDR to get the list
> of our IP addresses... So we can do some filtering on people claiming
> to be us.

http://search.cpan.org/~tpaba/Net-Ifconfig-Wrapper-0.09/

> I.e. if someone connects to me and says "helo 71.36.29.88" then I know
> for a fact that they aren't me...

That is a very popular test:
http://www.mimedefang.org/kwiki/index.cgi?UseHeloToCatchSpam2

> One other thing I thought about: what about detecting spammers, and
> then looking up the CIDR block that their address belongs to, and adding
> it to a blacklist automatically in filter_relay()?

Too many false-positives.  We own a measly 8 IP addresses where our
colo box sits.  If you block us because someone on our class C was bad,
that's unfair.

--
David.


[Mimedefang] Issues with hotmail.com

2006-01-27 Thread Philip Prindeville

I've noticed that I've been getting email lately that looks like:

Return-Path: <[EMAIL PROTECTED]>
Received: from omc1-s35.bay6.hotmail.com (omc1-s35.bay6.hotmail.com [65.54.248.237])
   by mail.redfish-solutions.com (8.13.1/8.13.1) with ESMTP id k0REdJbh004285
   for <[EMAIL PROTECTED]>; Fri, 27 Jan 2006 07:39:20 -0700
Received: from hotmail.com ([65.54.173.11]) by omc1-s35.bay6.hotmail.com with
   Microsoft SMTPSVC(6.0.3790.211); Fri, 27 Jan 2006 06:39:19 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
   Fri, 27 Jan 2006 06:39:18 -0800
Message-ID: <[EMAIL PROTECTED]>
Received: from 81.202.24.35 by by5fd.bay5.hotmail.msn.com with HTTP;
   Fri, 27 Jan 2006 14:39:18 GMT
X-Originating-IP: [81.202.24.35]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: "azita zaden" <[EMAIL PROTECTED]>
Bcc:
Subject: congratulations!!! your e-mail has won a lottery prize.
Date: Fri, 27 Jan 2006 14:39:18 +
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
X-OriginalArrivalTime: 27 Jan 2006 14:39:18.0837 (UTC)
   FILETIME=[745E6650:01C6234F]

and I was wondering about this.

My theory is that the Hotmail mailer receives the email, decides that it
already has an X-Originating-IP: line, and doesn't add one.

The problem is this:  when you then go to report this spammer to Hotmail by
forwarding the mail to them, their software looks at the X-Originating-IP:
address, decides it isn't one of their networks, and sends back an automatic
reply saying:

> Unfortunately, in order to process your request, Hotmail Support
> needs a valid MSN/Hotmail hosted account.

and your complaint never gets handled.  The spammer then continues to spam
with impunity.

So...  Couple of questions.

Anyone have a hotmail.com account that they can test my theory with?  All they
need to do is post to this list from their email account with a forged
X-Originating-IP: line in the message.

And secondly...  Anyone have (1) a MdF filter to use against this?  And (2) a
set of SpamAssassin settings that they are especially happy with?

Thanks,

-Philip
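One way to approach the "MdF filter to use against this" question, as an added Python example (it is not from the thread and not MIMEDefang's own code; a real filter would do this in Perl inside mimedefang-filter): locate the originating client by walking the Received: chain from our own MTA back through the provider's relays, and only then compare the result with the sender-suppliable X-Originating-IP: header. The sample headers are reconstructed from Philip's message with placeholder addresses; the trusted-domain list (our gateway plus the hotmail.com and hotmail.msn.com relays seen in the chain) is an assumption, and the second, "forged" sample is constructed to show the mismatch case.

```python
"""Added example, not code from the thread or from MIMEDefang.

Find the originating client of a message by walking the Received: chain
from our own MTA back toward the source, trusting a hop only while the
host that wrote it ("by ...") belongs to a known domain.  The sender-
supplied X-Originating-IP: header is then checked against that result
instead of being believed on its own.  SAMPLE is reconstructed from the
message in the thread with placeholder addresses; TRUSTED is an assumption.
"""
import email
import re

_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_FROM = re.compile(r"^\s*from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
_IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Assumed trust anchors: our own gateway plus the provider's relay domains.
TRUSTED = ("redfish-solutions.com", "hotmail.com", "hotmail.msn.com")

# Constructed sample: Philip's header chain, addresses replaced by placeholders.
SAMPLE = """Return-Path: <sender@example.invalid>
Received: from omc1-s35.bay6.hotmail.com (omc1-s35.bay6.hotmail.com [65.54.248.237])
    by mail.redfish-solutions.com (8.13.1/8.13.1) with ESMTP id k0REdJbh004285
    for <recipient@example.invalid>; Fri, 27 Jan 2006 07:39:20 -0700
Received: from hotmail.com ([65.54.173.11]) by omc1-s35.bay6.hotmail.com with
    Microsoft SMTPSVC(6.0.3790.211); Fri, 27 Jan 2006 06:39:19 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Fri, 27 Jan 2006 06:39:18 -0800
Received: from 81.202.24.35 by by5fd.bay5.hotmail.msn.com with HTTP;
    Fri, 27 Jan 2006 14:39:18 GMT
X-Originating-IP: [81.202.24.35]
Subject: congratulations!!! your e-mail has won a lottery prize.

(body omitted)
"""

# Constructed variant: same chain, but the sender forged X-Originating-IP:.
FORGED = SAMPLE.replace("[81.202.24.35]", "[203.0.113.9]")


def is_trusted(host, suffixes):
    host = host.lower().rstrip(".;,)")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_received(value):
    """Split one Received: value into from-host, by-host and client IP."""
    by = _BY.search(value)
    frm = _FROM.match(value)
    ip = None
    if frm:
        # prefer the address the receiving MTA recorded in parentheses, then
        # fall back to a bare IP used as the from-host (HTTP submissions)
        m = _IPV4.search(frm.group(2) or "") or _IPV4.search(frm.group(1))
        ip = m.group(1) if m else None
    return {"from_host": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ip": ip}


def originating_ip(raw_message, trusted=TRUSTED):
    """First client address outside the trusted domains, walking top-down.

    Returns None if a header was written by an untrusted host before that
    boundary was reached: everything below it is the sender's own claim.
    """
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received") or []:
        hop = parse_received(value)
        if hop["by"] is None or not is_trusted(hop["by"], trusted):
            return None
        if hop["from_host"] and is_trusted(hop["from_host"], trusted):
            continue            # relay-to-relay hop inside a trusted domain
        if hop["ip"]:
            return hop["ip"]    # first hop that came in from outside
    return None


def x_originating_ip_mismatch(raw_message, trusted=TRUSTED):
    """True when the sender-supplied X-Originating-IP: disagrees with the chain."""
    claimed = email.message_from_string(raw_message).get("X-Originating-IP", "")
    actual = originating_ip(raw_message, trusted)
    return actual is not None and claimed.strip().strip("[]") != actual


if __name__ == "__main__":
    print(originating_ip(SAMPLE))                 # 81.202.24.35
    print(x_originating_ip_mismatch(SAMPLE))      # False
    print(x_originating_ip_mismatch(FORGED))      # True
```

The trust list is the whole point: with only our own gateway trusted, the walk stops at the first hop and reports the Hotmail relay (65.54.248.237), which is the address we actually accepted the connection from; extending trust to the provider's relays lets it reach the HTTP submission hop. Either answer comes from headers written by hosts we chose to trust, whereas X-Originating-IP: is whatever the sender put there.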



[Mimedefang] Adding support for learning our addresses

2006-01-27 Thread Philip Prindeville

Hmmm  I was wondering if we might want to call
ioctl(...,  SIOCGIFCONF...) followed by SIOCGIFADDR to get the list
of our IP addresses... So we can do some filtering on people claiming
to be us.

I.e. if someone connects to me and says "helo 71.36.29.88" then I know
for a fact that they aren't me...

One other thing I thought about: what about detecting spammers, and
then looking up the CIDR block that their address belongs to, and adding
it to a blacklist automatically in filter_relay()?  We could set a
threshold for the number of offenses before they get added in.

That way, if the ratware ever gets more sophisticated and figures out
how we are detecting them and gets around it... it would be too late,
as they would be remembered as spammers.

-Philip
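The HELO check and the threshold-based CIDR blacklist sketched above, as an added example in Python. This is not MIMEDefang code and not from the thread; in a deployment the same decisions would be made in filter_relay() (mentioned above) or filter_helo() of mimedefang-filter, in Perl. The server addresses, hostnames and client IPs are made up; the server's own addresses are hard-coded, as David suggests, rather than discovered with SIOCGIFCONF. The tracker's prefixlen parameter makes the false-positive trade-off concrete: keyed by /24, two offenders in a block get an innocent neighbour blocked as well; keyed by /32, only the offending hosts are.

```python
"""Added example, not code from the thread or from MIMEDefang.

HELO sanity check plus a threshold-based auto-blacklist keyed by address
prefix.  In a deployment the same decisions would be made inside
filter_relay()/filter_helo() in mimedefang-filter (Perl); this is a
stand-alone Python sketch.  All addresses and names below are made up.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: the gateway's own addresses and names, hard-coded as David
# suggests rather than read from the interfaces with SIOCGIFCONF.
OUR_ADDRS = {ipaddress.ip_address("192.0.2.25"),
             ipaddress.ip_address("192.0.2.26")}
OUR_NAMES = {"mail.example.net", "example.net"}

# RFC 2821 address literal: [1.2.3.4] or [IPv6:2001:db8::1]
_LITERAL = re.compile(r"^\[(?:ipv6:)?([^\]]+)\]$", re.IGNORECASE)


def parse_helo(helo):
    """Classify a HELO/EHLO argument as ('ip', address) or ('name', host)."""
    arg = helo.strip()
    m = _LITERAL.match(arg)
    if m:
        arg = m.group(1)
    try:
        return ("ip", ipaddress.ip_address(arg))
    except ValueError:
        return ("name", arg.lower().rstrip("."))


def helo_claims_to_be_us(helo, client_ip):
    """True when a foreign client greets with one of our addresses or names.

    Our own hosts (and localhost) are allowed to identify as us, so the
    check never fires on internal relays or on local submission.
    """
    client = ipaddress.ip_address(client_ip)
    if client.is_loopback or client in OUR_ADDRS:
        return False
    kind, value = parse_helo(helo)
    if kind == "ip":
        return value in OUR_ADDRS
    return value in OUR_NAMES


class OffenseTracker:
    """Count spam verdicts per address prefix and block at a threshold.

    prefixlen=32 penalises only the offending host.  A shorter prefix
    (24 for a 'class C') also blocks every unrelated host in that block,
    which is the false-positive cost David points out.
    """

    def __init__(self, threshold=3, prefixlen=32):
        self.threshold = threshold
        self.prefixlen = prefixlen
        self.counts = defaultdict(int)

    def key(self, ip):
        # strict=False lets a host address stand in for its enclosing prefix
        return ipaddress.ip_network("%s/%d" % (ip, self.prefixlen), strict=False)

    def record_offense(self, ip):
        """Called after a message from ip scored as spam; returns the new count."""
        k = self.key(ip)
        self.counts[k] += 1
        return self.counts[k]

    def is_blocked(self, ip):
        return self.counts.get(self.key(ip), 0) >= self.threshold


def filter_relay_decision(tracker, client_ip):
    """What filter_relay() would return: ('REJECT', reason) or ('CONTINUE', '')."""
    if tracker.is_blocked(client_ip):
        return ("REJECT", "blacklisted: repeated spam from %s" % tracker.key(client_ip))
    return ("CONTINUE", "")


if __name__ == "__main__":
    print(helo_claims_to_be_us("[192.0.2.25]", "203.0.113.7"))    # True
    per_host = OffenseTracker(threshold=2, prefixlen=32)
    per_block = OffenseTracker(threshold=2, prefixlen=24)
    for offender in ("198.51.100.10", "198.51.100.20"):
        per_host.record_offense(offender)
        per_block.record_offense(offender)
    # the innocent neighbour 198.51.100.200 is blocked only by the /24 tracker
    print(per_host.is_blocked("198.51.100.200"),
          per_block.is_blocked("198.51.100.200"))                  # False True
```

The counter state here lives in memory, so it would be per multiplexor process and lost on restart; a real filter would keep it in a shared store and expire entries, and a manual reset (which Philip mentions) is just deleting the key.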




Re: [Mimedefang] Slipping [EMAIL PROTECTED] virus by McAfee

2006-01-27 Thread David F. Skoll
Kevin A. McGrail wrote:

> I recommend for uvscan the options should be:
> --noboot --mime --secure --allole

That's what I have in CVS.

Regards,

David.


Re: [Mimedefang] Slipping [EMAIL PROTECTED] virus by McAfee

2006-01-27 Thread Kevin A. McGrail

> I recommend for uvscan the options should be:
>
> --noboot --mime --secure --allole

Sorry, just noticed that I believe the attached patch achieves this
combination.




Re: [Mimedefang] Slipping [EMAIL PROTECTED] virus by McAfee

2006-01-27 Thread Kevin A. McGrail

David:

I recommend for uvscan the options should be:

--noboot --mime --secure --allole 


Regards,
KAM

- Original Message - 
From: "David F. Skoll" <[EMAIL PROTECTED]>

To: 
Sent: Friday, January 27, 2006 11:49 AM
Subject: Re: [Mimedefang] Slipping [EMAIL PROTECTED] virus by McAfee



Mickey Hill wrote:

> Without --mime, three tests were not detected by uvscan (and two made it
> completely past mimedefang).  With --mime, all tests were correctly
> detected by uvscan.
> +1 to make this the default.


Change made and committed.

Regards,

David.




Re: [Mimedefang] Slipping mywif...@mm virus by McAfee

2006-01-27 Thread Mickey Hill
On Fri, 2006-01-27 at 16:46 +1100, Mathew Thomas wrote:
> mail gateways running Solaris 9 with Sendmail 8-13.1 +Mimedefang 2.44
> + SpamAssassin 2.64 with Uvscan & ClamAv
> 
> Some of our staff received W32/[EMAIL PROTECTED]  virus which were sent to
> them as forwarded mail as Attachment. This means some MIME encoded virus
> are slipping through. I did some test by forwarding virus infected mail
> via gateway and it is getting through. 
> 
> In  mimedefang.pl, I  added  "--mime" flag for uvscan.

From uvscan(1):
--mime  Scan MIME-encoded files.  This type of file is not scanned by
default.

I ran the testvirus.org tests with and without --mime.

Without --mime, three tests were not detected by uvscan (and two made it
completely past mimedefang).  With --mime, all tests were correctly
detected by uvscan.

+1 to make this the default.

-- 
Mickey Hill <[EMAIL PROTECTED]>
--- mimedefang.pl.orig  2006-01-27 10:30:10.0 -0600
+++ mimedefang.pl   2006-01-27 10:30:32.0 -0600
@@ -2537,7 +2537,7 @@

 # Run uvscan
 my($code, $category, $action) =
-   run_virus_scanner($Features{'Virus:NAI'} . " --noboot --secure --allole 
$path 2>&1", "Found");
+   run_virus_scanner($Features{'Virus:NAI'} . " --noboot --secure --mime 
--allole $path 2>&1", "Found");
 if ($action ne 'proceed') {
return (wantarray ? ($code, $category, $action) : $code);
 }
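Review bot: the option string " --noboot --secure --mime --allole " is now duplicated verbatim between this call and the ./Work scan in the next hunk; hoisting it into one variable next to $Features{'Virus:NAI'} would make the next flag change (the thread already discusses reordering to "--noboot --mime --secure --allole") a one-place edit and keep the two scans from drifting apart. A one-line comment above the call saying why --mime is needed (uvscan(1): MIME-encoded files are not scanned by default) would spare the next reader a trip to the list archive. Not introduced by this change but visible here: $path is interpolated unquoted into a command string that goes through the shell (the 2>&1 implies one), so if it could ever carry whitespace or metacharacters the scan target would change silently; quoting it is cheap insurance.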
@@ -2564,7 +2564,7 @@

 # Run uvscan
 my($code, $category, $action) =
-   run_virus_scanner($Features{'Virus:NAI'} . " --noboot --secure --allole 
./Work 2>&1", "Found");
+   run_virus_scanner($Features{'Virus:NAI'} . " --noboot --secure --mime 
--allole ./Work 2>&1", "Found");
 if ($action ne 'proceed') {
return (wantarray ? ($code, $category, $action) : $code);
 }
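Review bot: keep this hunk paired with the previous one; the ./Work directory scan and the single-file scan are separate entry points, and Mickey's observation that two samples made it "completely past mimedefang" without --mime shows that an omission at either site is invisible from the other. A regression test that runs the testvirus.org MIME samples through both entry points and checks for the "Found" match would lock the fix in for both.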


Re: [Mimedefang] Slipping [EMAIL PROTECTED] virus by McAfee

2006-01-27 Thread David F. Skoll
Mickey Hill wrote:

> Without --mime, three tests were not detected by uvscan (and two made it
> completely past mimedefang).  With --mime, all tests were correctly
> detected by uvscan.
> +1 to make this the default.

Change made and committed.

Regards,

David.