[Mimedefang] MD doesn't log anything
I'm having some weird logging problem with MD on a FreeBSD box: it just won't log mimedefang events. The mimedefang-filter has the corresponding md_graphdefang_log_enable() call enabled. More so, the mimedefang-filter looks a lot like the one in the relay (this is on the internal server, just for virus and attachment filtering, no spam filtering inside) and the relay does log the MD events. I even replaced the internal mimedefang-filter with the one from the relay, but nothing happened.

Any suggestions or pointers will be appreciated.

Fer

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MD doesn't log anything
On 3/9/06, Fernando Gleiser [EMAIL PROTECTED] wrote:

> I'm having some weird logging problem with MD on a FreeBSD box: it just won't log mimedefang events. The mimedefang-filter has the corresponding md_graphdefang_log_enable() call enabled. More so, the mimedefang-filter looks a lot like the one in the relay (this is on the internal server, just for virus and attachment filtering, no spam filtering inside) and the relay does log the MD events. I even replaced the internal mimedefang-filter with the one from the relay, but nothing happened.
>
> Any suggestions or pointers will be appreciated.

Version of MD? Version of FreeBSD?

Does your syslog work (ie, are you getting mail logs)?

Did you install from ports or by hand?

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster.
Friedrich Nietzsche
Re: [Mimedefang] MD doesn't log anything
On Thu, 9 Mar 2006, Rob MacGregor wrote:

> Version of MD? Version of FreeBSD?

mimedefang-2.56, 4.8-RELEASE-p35

> Does your syslog work (ie, getting mail logs)?

Yes, syslog works fine. I see the sendmail data in /var/log/maillog; it's just the MD data that doesn't get logged.

> Did you install from ports or by hand?

By ports. I cvsupped the ports collection yesterday and reinstalled MD, but that didn't fix it.

Fer
Re: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick
DFS wrote on 03/08/2006 10:12:51 PM:

> Ooh! You're onto something! Allowing only strictly-validated HTML would have the same effect as disallowing HTML altogether, but would be far easier to justify to the PHBs as a security/compliance/standards/pick_your_buzzword issue...

I like it! Can I place a request to have it added to CanIt? Perhaps as a per-stream option in Pro?

I am still kicking myself for not starting to block all incoming HTML messages as a "security/compliance/standards/pick_your_buzzword issue..." when I first started filtering. This would be a nice compromise that should make it past management.

I was told at an IBM/Lotus presentation that it is corporate policy that all email must be sent as HTML. Hope they format it correctly.
Re: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick
[EMAIL PROTECTED] wrote:

> I like it! Can I place a request to have it added to CanIt? Perhaps as a per-stream option in Pro?

Probably not... too difficult to implement and too little demand, alas...

> I was told at an IBM/Lotus presentation that it is corporate policy that all email must be sent as HTML.

Good grief... If I worked at a place like that, my e-mails would all look like this:

    <html><head><title>PHB-decreed HTML mail</title></head>
    <body>
    <pre>
    Hello,

    This is a plain-ASCII e-mail.  But it's HTML.  Really!
    </pre>
    </body></html>

Regards,

David.
Re: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick
DFS wrote on 03/09/2006 11:11:05 AM:

> Probably not... too difficult to implement and too little demand, alas...

OK, but it does sound like a nice feature.

> If I worked at a place like that, my e-mails would all look like this:
>
>     <html><head><title>PHB-decreed HTML mail</title></head>
> [snip]

Guess that's why you started your own company. ;)

The HTML is generated by the mail server (Domino in the case of IBM, but I'm sure Exchange works the same way), so the end user wouldn't have much control over it.
[Mimedefang] MUA tracking?
I'm interested in gathering statistics on which MUAs our users use (so we can find out what mail clients are popular enough to officially support, which old clients we can drop support for, who's using old versions and should be gently encouraged to upgrade, etc.). I figure that MIMEDefang can track this by grabbing the X-Mailer: header of messages as they go through, and I thought that I'd ask the list to see if anyone's already done this before I go write some code.

Alternatively, would there be a better way of doing this?

Josh Kelley
Re: [Mimedefang] MUA tracking?
--On Thursday, March 9, 2006 12:04 -0500 Josh Kelley [EMAIL PROTECTED] wrote:

> I'm interested in gathering statistics on which MUAs our users use (so we can find out what mail clients are popular enough to officially support, which old clients we can drop support for, who's using old versions and should be gently encouraged to upgrade, etc.). I figure that MIMEDefang can track this by grabbing the X-Mailer: header of messages as they go through, and I thought that I'd ask the list to see if anyone's already done this before I go write some code.

Yes, we have!

First you open HEADERS and grab the string in the X-Mailer and User-Agent headers, if they exist. Most clients identify themselves in one of those two headers. Store them in $xmailer and $useragent. (We test various header fields, so we open HEADERS once and store a set of values to be tested afterwards. Maybe I should use an array, but because of how this grew it's just numerous variables.)

We require SMTP authentication, so we can identify our own users by whether they used it. This includes people who use some other address as sender, and excludes spammers who fake the sender.

The sampling code itself is just this:

    # client sampling: only messages that used SMTP AUTH, i.e. our own users
    if (defined($SendmailMacros{auth_type})) {
        my ($client) = "unknown";
        if ($xmailer) {
            chomp($xmailer);
            $client = $xmailer;
        } elsif ($useragent) {
            chomp($useragent);
            $client = $useragent;
        }
        # one line per message: relay address, authenticated uni, client string
        syslog(LOG_INFO, "Client,$RelayAddr,uni=$SendmailMacros{'auth_authen'},$client");
    }

Then just grep syslog lines with ',Client,' in them and add up how often each client appears. That tells you how many messages were sent per client, which is almost right. However, you might have someone sending 100 a day with client A and 100 people sending 1 a day with client B. That isn't really the same thing. Note we also record what uni (user) it was.

One of my colleagues here feeds the data into SAS and gets us counts of how many different *people* use each client, and then by matching to databases, how many faculty use each client, how many students in each division use each client, etc. It's interesting stuff that we use to get budget money. Don't ask me how SAS works though.

Joe Brennan
Re: [Mimedefang] MUA tracking?
Are you interested in just what your users are using, or what is still out there?

If the former only, then you'll want to either just look at stuff coming in that's authenticated, or coming in on your submission port, or else coming from your internal networks... Or on messages that have no Received: lines...

-Philip

Josh Kelley wrote:

> I'm interested in gathering statistics on which MUAs our users use (so we can find out what mail clients are popular enough to officially support, which old clients we can drop support for, who's using old versions and should be gently encouraged to upgrade, etc.). I figure that MIMEDefang can track this by grabbing the X-Mailer: header of messages as they go through, and I thought that I'd ask the list to see if anyone's already done this before I go write some code.
>
> Alternatively, would there be a better way of doing this?
>
> Josh Kelley
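Joe's filter only writes the sampling line; the tally he describes (messages per client versus distinct people per client, and who is still on which version) is left to grep and SAS, and Philip's point is that only authenticated submissions should be counted. The following Python script, added here and not part of any post in the thread, does that tally over constructed syslog lines in the shape Joe's syslog() call produces; the hostnames, users and client strings are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real log data) in the shape Joe's
# "Client,<relay>,uni=<user>,<client string>" sampling line produces, mixed
# with an ordinary MIMEDefang MDLOG line that must be ignored.
SAMPLE_LOG = """\
Mar  9 12:04:01 mx1 mimedefang.pl[2231]: Client,10.1.2.3,uni=alice,Thunderbird 1.5 (Windows/20051201)
Mar  9 12:04:07 mx1 mimedefang.pl[2231]: Client,10.1.2.3,uni=alice,Thunderbird 1.5 (Windows/20051201)
Mar  9 12:05:10 mx1 mimedefang.pl[2240]: Client,10.1.9.8,uni=bob,Microsoft Office Outlook 11
Mar  9 12:05:44 mx1 mimedefang.pl[2240]: Client,10.2.0.5,uni=carol,Microsoft Office Outlook 11
Mar  9 12:06:02 mx1 mimedefang.pl[2241]: Client,10.1.2.3,uni=alice,Thunderbird 1.5 (Windows/20051201)
Mar  9 12:06:30 mx1 mimedefang.pl[2241]: Client,10.3.3.3,uni=dave,unknown
Mar  9 12:07:00 mx1 mimedefang.pl[2242]: MDLOG,k29H6xyz012345,mail_in,,,<x@example.org>,<y@example.org>,hello
"""

# Only the sampling lines carry "Client," directly after the syslog tag.
# The client string itself may contain commas, so it takes the rest of the line.
LINE_RE = re.compile(r"\]:\s*Client,(?P<relay>[^,]+),uni=(?P<user>[^,]*),(?P<client>.*)$")
# Split "Thunderbird 1.5 (Windows/20051201)" into ("Thunderbird", "1.5").
FAMILY_RE = re.compile(r"^(?P<name>[^\d(]+)\s*(?P<version>\d[\w.]*)?")


def split_client(client):
    """Return (product family, version) for an X-Mailer/User-Agent string."""
    client = client.strip() or "unknown"
    m = FAMILY_RE.match(client)
    if not m:
        return (client, "")
    return (m.group("name").strip(), m.group("version") or "")


def client_stats(log_text):
    """Per client family: (messages sent, distinct authenticated users),
    plus which users run which version.

    The two numbers answer different questions: one heavy sender on client A
    and a hundred light users on client B both show up as 100 messages.
    """
    messages = defaultdict(int)
    users = defaultdict(set)
    versions = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # MDLOG and other traffic
        family, version = split_client(m.group("client"))
        messages[family] += 1
        users[family].add(m.group("user"))
        if version:
            versions[(family, version)].add(m.group("user"))
    return {f: (messages[f], len(users[f])) for f in messages}, dict(versions)


def report(log_text):
    stats, versions = client_stats(log_text)
    lines = []
    for family, (msgs, people) in sorted(stats.items(), key=lambda kv: -kv[1][1]):
        lines.append(f"{family:<28} {msgs:>5} msgs {people:>4} users")
    for (family, version), who in sorted(versions.items()):
        lines.append(f"  {family} {version}: {', '.join(sorted(who))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```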
[Mimedefang] [OT] Fw: Interesting Phishing Trick
I ran the rule below through the NightlyMassCheck with a 0 HAM hit and a 0 SPAM hit on those corpuses, so the technique might not be very prevalent. However, this rule does trigger on the technique I sent. I want to work on the nested anchor idea as well, but in the meantime I'd like to hear feedback on this trigger. It seemed REALLY spammy to me. Anyone get any hits with this against their HAM or SPAM corpuses?

    # PHISHING TEST
    rawbody   KAM_PHISH1   /<u style="cursor: pointer"/
    describe  KAM_PHISH1   Test for PHISH that changes the cursor
    score     KAM_PHISH1   0.01

Regards,
KAM

Is there an SA rule that checks for nested anchors? (Either in 3.1 or SARE.) Any signs of this idiom in ham corpuses?
[Mimedefang] Training Spamassassin
I am using mimedefang, spamassassin and clamav to filter my email. Once it is filtered it is then sent to an Exchange server, so no email stays on the filtering server. I have enabled bayes and auto learning, but a lot of spam is not being caught. On my old server I could get a file of spam and then use it to train spamassassin using sa-learn. Since the email doesn't stay on the filtering server, how can I do that now?

Paul Crittenden
Computer Systems Manager
Simpson College
Phone: 515-961-1680
Email: [EMAIL PROTECTED]
Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
Kevin A. McGrail [EMAIL PROTECTED] wrote:

> However, this rule does trigger on the technique I sent. I want to work on the nested anchor idea as well, but in the meantime I'd like to hear feedback on this trigger. It seemed REALLY spammy to me. Anyone get any hits with this against their HAM or SPAM corpuses?
>
>     # PHISHING TEST
>     rawbody   KAM_PHISH1   /<u style="cursor: pointer"/
>     describe  KAM_PHISH1   Test for PHISH that changes the cursor
>     score     KAM_PHISH1   0.01

Something sent with Incredimail! has this in it (originally one line):

    <TD id=INCREDITEXTREGION style="FONT-SIZE: 18pt; CURSOR: auto"
        vAlign=top width="100%">

Something in Spanish that was reported as spam had this (again, originally one line):

    <table title='' onselectstart='return false;' style='cursor:hand; display:inline'
        border=0 width='100' cellpadding=0 cellspacing=0>

That's five days of reported spam, 1,920 messages.

> Is there an SA rule that checks for nested anchors? (Either in 3.1 or SARE.) Any signs of this idiom in ham corpuses?

I must have missed this original message. Was there an example?

I've been working on an MD subroutine using HTML::TokeParser. It goes into 'state' when it comes to an <a> tag, and checks what comes from there up to the next </a>. I had not thought of needing to nest them. Or is it just a test of bad HTML to come across an <a> when you're already in an <a>?

Joseph Brennan
Columbia University Information Technology
[Mimedefang] Greylist Exclusions
Hi,

I have been running a MIMEDefang-integrated MySQL variation of greylisting now for the past 3-4 months, which has dropped the amount of SPAM we have to reject after the DATA phase by 3 quarters!

However, I am getting requests from users who want to have particular sender domains excluded from the greylisting. Does anyone have any ideas as to the best way to go about this?

I know I could do a

    sub filter_sender {
        my ($sender, $ip, $hostname, $helo) = @_;
        # flag the message so the greylisting code later in the filter skips it
        if ($sender =~ /[EMAIL PROTECTED]?$/i) {
            $NO_GREYLISTING_FOR_THIS_MSG = 1;
        }
        return ('CONTINUE', "ok");
    }

But is there a better way of bypassing greylisting for selected sending domains?

Thanks
Roland
RE: [Mimedefang] Greylist Exclusions
A separate table could be used to hold whitelist data, by IP/segment. Then your greylisting code could first perform a lookup of the relaying IP in the whitelist table. If found there, skip the rest of your greylisting logic. Else, fall through to the rest of your logic and handle the greylisting/tempfailing as you currently do.

That's what I do (along with tossing an entry into the log to indicate the exemption from greylisting.)

Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roland Pope
Sent: Thursday, March 09, 2006 3:43 PM
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] Greylist Exclusions

> Hi,
>
> I have been running a MIMEDefang-integrated MySQL variation of greylisting now for the past 3-4 months, which has dropped the amount of SPAM we have to reject after the DATA phase by 3 quarters!
>
> However, I am getting requests from users who want to have particular sender domains excluded from the greylisting. Does anyone have any ideas as to the best way to go about this?
>
> I know I could do a
>
>     sub filter_sender {
>         if ($sender =~ /[EMAIL PROTECTED]?$/i) {
>             $NO_GREYLISTING_FOR_THIS_MSG = 1;
>         }
>     }
>
> But is there a better way of bypassing greylisting for selected sending domains?
>
> Thanks
> Roland
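As an added example that is not part of either post, the lookup Ken describes, written in Python with an in-memory list of networks and domains standing in for the whitelist table; the network and domain values are constructed. Checking the relay IP before the sender domain is deliberate: the envelope sender is whatever the connecting host chose to claim, so keying the exemption on the IP/segment is the stronger of the two, and the domain match is done on label boundaries rather than with an unanchored regex.

```python
import ipaddress
import logging

# Constructed whitelist data (not from the thread) standing in for Ken's
# separate table: relay networks that skip greylisting, plus the sender
# domains Roland's users asked for.
WHITELIST_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]
WHITELIST_DOMAINS = {"partner.example", "example.net"}


def sender_domain(sender):
    """Domain part of an envelope sender as sendmail passes it, e.g. '<user@host>'."""
    addr = sender.strip().strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def domain_whitelisted(domain, whitelist):
    # Match on label boundaries: "example.net" and "mail.example.net" qualify,
    # "notexample.net" does not, which a loose regex would get wrong.
    return any(domain == d or domain.endswith("." + d) for d in whitelist)


def greylist_exemption(relay_addr, sender, nets=WHITELIST_NETS, domains=WHITELIST_DOMAINS):
    """Return why this message skips greylisting, or None to greylist as usual.

    The relay IP check runs first because it is the stronger key: the envelope
    sender is trivially forged by whoever connects.
    """
    try:
        ip = ipaddress.ip_address(relay_addr)
    except ValueError:
        ip = None  # unparsable relay address: fall through to the domain check
    if ip is not None and any(ip in net for net in nets):
        return f"relay {relay_addr} in whitelist table"
    domain = sender_domain(sender)
    if domain and domain_whitelisted(domain, domains):
        return f"sender domain {domain} whitelisted"
    return None


def filter_sender(sender, relay_addr):
    """Shape of the filter_sender hook from the thread; True means greylist."""
    reason = greylist_exemption(relay_addr, sender)
    if reason:
        logging.info("greylisting skipped: %s", reason)  # Ken's exemption log entry
        return False
    return True  # fall through to the normal greylisting/tempfail logic
```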
Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
--On Thursday, March 09, 2006 3:31 PM -0500 Joseph Brennan [EMAIL PROTECTED] wrote:

> I must have missed this original message. Was there an example?

http://thread.gmane.org/gmane.comp.jakarta.tomcat.user/127749

(As I pasted the link into this note I noticed the original group and thought Gmane had barfed. But the original thread was really cross-posted to the MD, SURBL, and Tomcat mailing lists!)
Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
Philip Prindeville wrote:

> /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/

You might want to change that regexp to something like:

    /<a[^>]{1,200}href\s{0,10}=.{0,200}(onmouseover|onmousemouse)\s{0,10}=\s{0,10}window\.status\s{0,10}=/i

You probably don't want to use the '*' quantifier in a SpamAssassin rule regexp; it can exhibit very long execution time on long messages. You might also want to not get sidetracked by people who add spaces to throw you off. And you may as well make the whole thing case-insensitive.

Finally, you'd want to match something like <a title=foo href=bar onMouseOver=...> which the original regexp would miss.

Regards,

David.
Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
Philip:

This rule won't hit on the phishing email I was discussing. It doesn't use a mouseover. It uses a nested <a> tag to hide the real link. Thanks to Kenneth Porter, here's my original post:

http://thread.gmane.org/gmane.comp.jakarta.tomcat.user/127749

P.S. I didn't post it to the tomcat group, I posted it to the Apache SpamAssassin Users list. Something somewhere is skewed!

Regards,
KAM

>     rawbody   __L_PHISH  /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/
>     meta      L_PHISH    (__CTYPE_HTML && __L_PHISH)
>     describe  L_PHISH    Test for PHISH overwriting the status bar
>     score     L_PHISH    6.0
>
> and it seems to work well enough... If anyone wants to drop the score down to 0.01 and tell me how many hits they get on a high volume site, I'd be fascinated to know how well it performs elsewhere.
Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
David F. Skoll wrote:

> You might want to change that regexp to something like:
>
>     /<a[^>]{1,200}href\s{0,10}=.{0,200}(onmouseover|onmousemouse)\s{0,10}=\s{0,10}window\.status\s{0,10}=/i

Ah, yes. Thanks. And it's onmousemove, not onmousemouse... Sloppy typing...

The a, href, and onmousemove are case-insensitive, but the window.status isn't... If that makes any difference.

-Philip
Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
Kevin A. McGrail wrote:

> Philip:
>
> This rule won't hit on the phishing email I was discussing. It doesn't use a mouseover. It uses a nested <a> tag to hide the real link. Thanks to Kenneth Porter, here's my original post:
>
> http://thread.gmane.org/gmane.comp.jakarta.tomcat.user/127749

Kevin,

I get that. The larger point that I was trying to make (and I could have done a better job of connecting the dots) is this:

* sometimes someone will send out HTML that will look like:

      <a href="http://www.foo.com/...">http://www.bar.com/...</a>

  where you think you're going to www.bar.com, but you're actually going to www.foo.com.

* Some browsers will display (below, in the status bar) the real URL contents when you put your mouse over the anchor (as visual confirmation of where you're about to go).

* the connection I was trying to make is that if the attributes of the <a> contain:

      onMouseOver="window.status='...'"

  you can override what the contents of the status bar end up looking like, thus circumventing the limited security that browsers provide (in the form of visual feedback above).

Hope this is more clear.

-Philip
Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
Philip Prindeville wrote:

> * sometimes someone will send out HTML that will look like:
>
>       <a href="http://www.foo.com/...">http://www.bar.com/...</a>

We've had a fair bit of luck with a variant of this:

    # Catch common phishing sequence
    full      HTTP_CLAIMS_HTTPS  /<a[^>]{0,190}http:[^>]{0,190}>[^<]{0,190}https:/is
    describe  HTTP_CLAIMS_HTTPS  HTTP link claiming to be HTTPS -- Phish
    score     HTTP_CLAIMS_HTTPS  5

That's an HTTP link whose text claims to be an HTTPS link, like this:

    <a href="http://1.2.3.4/fake/.ebay.dll">https://secure.ebay.com</a>

You can see our catches at:

http://www.roaringpenguin.com/canit/showtrap.php?status=spam&r=HTTP_CLAIMS

(login demo/demo)

Of course, our Bayes data nails most phishing scams now too...

Regards,

David.
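An added example (not code from any poster or from CanIt) that implements the checks discussed across this thread the way a filter would run them: Joe's HTML::TokeParser idea of keeping state between <a> and </a> is done here with Python's html.parser, and it flags nested anchors, onmouseover/onmousemove handlers that assign window.status, HTTP links whose text claims HTTPS (David's HTTP_CLAIMS_HTTPS) and link text naming a different host than the href. Walking the tags instead of running an unbounded regex over the whole body also sidesteps the long execution times David warns about. The sample body is constructed; only the ebay, foo and bar URLs come from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not from the thread): one anchor of each
# kind discussed, plus a legitimate one that must not be flagged.
SAMPLE_HTML = """<html><body>
<p>Verify: <a href="http://1.2.3.4/fake/.ebay.dll">https://secure.ebay.com</a></p>
<p><a href="http://www.foo.com/x" onMouseOver="window.status='http://www.bar.com/'; return true">http://www.bar.com/</a></p>
<p><a href="http://evil.example/"><a href="http://www.bank.example/">www.bank.example</a></a></p>
<p><a href="https://www.bank.example/login">https://www.bank.example/login</a></p>
</body></html>"""

STATUS_RE = re.compile(r"window\s*\.\s*status\s*=", re.I)
URL_IN_TEXT_RE = re.compile(r"\b(https?://[^\s<>'\"]+)", re.I)


class AnchorAuditor(HTMLParser):
    """Walk the anchors of an HTML part and collect (finding, href) pairs."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.open = []  # stack of [href, text chunks] for anchors not yet closed

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {name: (value or "") for name, value in attrs}  # names arrive lowercased
        href = a.get("href", "")
        if self.open:  # an <a> while already inside an <a>
            self.findings.append(("nested_anchor", href))
        for name in ("onmouseover", "onmousemove"):
            if STATUS_RE.search(a.get(name, "")):
                self.findings.append(("status_bar_override", href))
        self.open.append([href, []])

    def handle_data(self, data):
        for entry in self.open:  # text belongs to every anchor still open
            entry[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.open:
            href, chunks = self.open.pop()
            self.check_text(href, "".join(chunks))

    def check_text(self, href, text):
        """Compare where the link goes with what its visible text claims."""
        m = URL_IN_TEXT_RE.search(text)
        if not m:
            return  # plain words as link text: nothing to compare against
        target, claimed = urlparse(href.strip()), urlparse(m.group(1))
        if target.scheme == "http" and claimed.scheme == "https":
            self.findings.append(("http_claims_https", href))
        if target.hostname and claimed.hostname and target.hostname != claimed.hostname:
            self.findings.append(("host_mismatch", href))


def audit_html(body):
    parser = AnchorAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, href in audit_html(SAMPLE_HTML):
        print(f"{kind:<22} {href}")
```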