RE: [Mimedefang] URIBL/SURBL support
--On Monday, November 27, 2006 15:49 -0600 Damrose, Mark [EMAIL PROTECTED] wrote:

> -----Original Message-----
> From: Joseph Brennan
>
>     # check it
>     my $resolver = new Net::DNS::Resolver;
>     $resolver->tcp_timeout(10);
>     $resolver->port(530);
>     my $query = $resolver->query($domainname);
>
> Quick question. Why is the port 530? Are you running a local rsync of
> surbl using rbldnsd? For those using public DNS resolution, that should
> be 53 (or not set), right?

Yes, that's a local nameserver with an rsync of surbl. Sorry I forgot
about that.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Faked Received + Old Lists
How OLD are the lists spammers use? The stock spam below was sent to
[EMAIL PROTECTED]. cu20b was retired in 1987!

The lower Received header is faked. columbia.edu resolves to
external-smtp-multi-vif.cc.columbia.edu, but that's a virtual interface,
not a host. No Received would ever have "by external..." in it.

This is a variation on the recently described Received forgery. We have
been checking already for "by columbia.edu" in Received, and I will add
this variation today.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology

-- Forwarded Message --

. . .
Received: from ppp25-145.adsl.forthnet.gr (ppp25-145.adsl.forthnet.gr [212.251.108.145])
        by longan.cc.columbia.edu (8.13.7/8.13.6) with SMTP id kAS8pfii018311
        for [EMAIL PROTECTED]; Tue, 28 Nov 2006 03:51:49 -0500 (EST)
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from [212.251.108.145] (port=40748 helo=ppp25-145.adsl.forthnet.gr)
        by external-smtp-multi-vif.cc.columbia.edu with esmtp id 515070-515070-81
        for [EMAIL PROTECTED]; Tue, 28 Nov 2006 10:51:44 +0200 (EET)
Message-ID: [EMAIL PROTECTED]
From: Misty [EMAIL PROTECTED]
To: Amado [EMAIL PROTECTED]
Subject: AggressiveInvestorsAlert
Date: Tue, 28 Nov 2006 10:51:44 +0200 (EET)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_001_24F6_01C712CA.6E04A380
. . .

BLNM Price Climbs 92% and Volume is up 10,000% In Just Two Days Trading!
It's not to late to get in!

Company: Bralorne Mining Company
Symbol: BLNM.OB
Price: $0.31 (+92% in 2 days)
5 Day Target: $1.15

-- End Forwarded Message --
RE: [Mimedefang] Faked Received + Old Lists
> -----Original Message-----
> From: Joseph Brennan
>
> The lower Received header is faked. columbia.edu resolves to
> external-smtp-multi-vif.cc.columbia.edu, but that's a virtual interface,
> not a host.
>
> Received: from [212.251.108.145] (port=40748 helo=ppp25-145.adsl.forthnet.gr)
>         by external-smtp-multi-vif.cc.columbia.edu with esmtp id 515070-515070-81
>         for [EMAIL PROTECTED]; Tue, 28 Nov 2006 10:51:44 +0200 (EET)

I've been seeing these as well. After a couple of false starts with false
positives, here are the rules that seem to be working:

header __ECC_FORGED_SMTPGATE3_RCVD1 Received =~ /(?<!via\ssmtpd\s\(for\s)smtpgate3\.elgin\.edu\s(?!\(MIMEDefang\)\swith\sESMTP)/
header __ECC_FORGED_SMTPGATE3_RCVD2 Received =~ /by\ssmtpgate3\.elgin\.edu\swith\sesmtp/
meta   ECC_FORGED_SMTPGATE3_RCVD   __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2

smtpgate3.elgin.edu is my MX host. According to what you posted, they must
be using the rdns to generate the header. So you may need multiple rules if
you have different rdns on multiple interfaces.

The RCVD2 rule catches this exact variation. The RCVD1 rule catches any
mention of my host name in a received header except if preceded by
"via smtpd (for" as generated by MS smtpd or followed by
"(MIMEDefang) with ESMTP" as generated by MD.
RE: [Mimedefang] Faked Received + Old Lists
> -----Original Message-----
> From: Damrose, Mark
>
> After a couple of false starts with false positives, here are the rules
> that seem to be working:
>
> header __ECC_FORGED_SMTPGATE3_RCVD1 Received =~ /(?<!via\ssmtpd\s\(for\s)smtpgate3\.elgin\.edu\s(?!\(MIMEDefang\)\swith\sESMTP)/
> header __ECC_FORGED_SMTPGATE3_RCVD2 Received =~ /by\ssmtpgate3\.elgin\.edu\swith\sesmtp/
> meta   ECC_FORGED_SMTPGATE3_RCVD   __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2

Doh! One more false positive to add... Mail from an internal mail server
that passes outbound to a list and comes back. The real sendmail Received
header is not exactly the same as the one MD adds.

I added a rule that matched the internal host (sorry, not posting the
details here) and changed the meta rule to:

meta ECC_FORGED_SMTPGATE3_RCVD ( __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2 ) && ! __ECC_VALID_EXCHANGE
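The three rules above, modelled in Python as an added example (not SpamAssassin's matcher and not code from the thread), run over constructed Received headers: a real MIMEDefang stamp, a real MS smtpd stamp, the forgery from the forwarded spam, and the list loop-back case. The MX name is the thread's own example host; the internal host name standing in for the unpublished __ECC_VALID_EXCHANGE rule is hypothetical.

```python
import re

# Model of the posted rules, written from scratch for illustration.
MX_HOST = "smtpgate3.elgin.edu"           # the thread's example MX host
INTERNAL_HOST = "exchange.internal.example"   # hypothetical internal server
_host = re.escape(MX_HOST)

# RCVD1: our MX name appears in a Received header anywhere except inside the
# two stamps our own software writes: MS smtpd's "via smtpd (for <host>" and
# MIMEDefang's "<host> (MIMEDefang) with ESMTP".
RCVD1 = re.compile(r"(?<!via\ssmtpd\s\(for\s)" + _host
                   + r"\s(?!\(MIMEDefang\)\swith\sESMTP)")
# RCVD2: the exact variant seen in the spam, "by <host> with esmtp".
RCVD2 = re.compile(r"by\s" + _host + r"\swith\sesmtp")
# Stand-in for __ECC_VALID_EXCHANGE: mail that really came from the
# internal server (its outbound copy looping back through a list).
VALID_EXCHANGE = re.compile(r"from\s" + re.escape(INTERNAL_HOST) + r"\s")

def rule_hits(received_headers):
    """Each sub-rule fires if any Received header matches, as SpamAssassin
    'header' rules do over all instances of a header."""
    return {
        "RCVD1": any(RCVD1.search(h) for h in received_headers),
        "RCVD2": any(RCVD2.search(h) for h in received_headers),
        "VALID_EXCHANGE": any(VALID_EXCHANGE.search(h) for h in received_headers),
    }

def forged_received(received_headers):
    """Meta rule: (RCVD1 || RCVD2) && ! VALID_EXCHANGE."""
    h = rule_hits(received_headers)
    return (h["RCVD1"] or h["RCVD2"]) and not h["VALID_EXCHANGE"]

# Constructed sample header lists, one per message, top header first.
LEGIT_MIMEDEFANG = [
    "from mail.example.net (mail.example.net [192.0.2.10]) by "
    + MX_HOST + " (MIMEDefang) with ESMTP id kAS8pfii018311",
]
LEGIT_MS_SMTPD = [
    "from pc1.example.net (192.0.2.20) via smtpd (for " + MX_HOST
    + " [198.51.100.5]) with SMTP; Tue, 28 Nov 2006 10:51:44 +0200",
]
FORGED = [
    "from [212.251.108.145] (port=40748 helo=ppp25-145.adsl.forthnet.gr) by "
    + MX_HOST + " with esmtp id 515070-515070-81",
]
LIST_LOOPBACK = [   # real sendmail stamp on the way out, MD stamp on return
    "from lists.example.org (lists.example.org [203.0.113.7]) by "
    + MX_HOST + " (MIMEDefang) with ESMTP id kAS8pfii018312",
    "from " + INTERNAL_HOST + " (" + INTERNAL_HOST + " [10.0.0.5]) by "
    + MX_HOST + " (8.13.7/8.13.6) with ESMTP id kAS8pfii018300",
]
```

Without the VALID_EXCHANGE exemption the loop-back set trips RCVD1, which is the false positive the follow-up describes.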
[Mimedefang] md is not the first relay
Hi.

I have an MD installation that is behind another mail relay which I am not
administering.

As far as I understand, in that scenario, some DNSBL checks do not work,
for example checking if the email came directly from a dial-up connection,
as well as some HELO checks.

The configuration is:
internet == mailrelay1 == my mimedefang server == internal mail server.

How should I configure MD/SpamAssassin to use the HELO information from
the top (or second?) Received by header?

Thanks
Yizhar Hurwitz
Re: [Mimedefang] md is not the first relay
On Tue, 28 Nov 2006, Yizhar Hurwitz wrote:

> The configuration is:
> internet == mailrelay1 == my mimedefang server == internal mail server.
>
> How should I configure MD/SpamAssassin to use the HELO information from
> the top (or second?) Received by header?

Does the section PRESERVING RELAY INFORMATION from the mimedefang-filter(5)
manpage help you?

Regards,

Kees.

--
Kees Theunissen
F.O.M.-Institute for Plasma Physics Rijnhuizen, Nieuwegein, Netherlands
E-mail: [EMAIL PROTECTED], Tel: (+31|0)306096724, Fax: (+31|0)306031204
Re: [Mimedefang] md is not the first relay
On Tue, Nov 28, 2006 at 09:45:52PM +0200, Yizhar Hurwitz wrote:

> Hi. I have an MD installation that is behind another mail relay which
> I am not administering.
>
> As far as I understand, in that scenario, some DNSBL checks do not work,
> for example checking if the email came directly from a dial-up
> connection, as well as some HELO checks.
>
> The configuration is:
> internet == mailrelay1 == my mimedefang server == internal mail server.
>
> How should I configure MD/SpamAssassin to use the HELO information from
> the top (or second?) Received by header?

Add the IP address of mailrelay1 (as seen by your mimedefang server) to the
trusted_networks config in spamassassin. See:

    man Mail::SpamAssassin::Conf

Note that that doesn't set $Helo or $RelayAddr in mimedefang, it will only
fix things up for spamassassin.

--
Jan-Pieter Cornet [EMAIL PROTECTED]
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
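What trusted_networks changes, shown as an added, simplified model (not SpamAssassin's own Received parser and not code from the thread): the Received chain is walked from the top, and the first hop whose peer address is not in a trusted network is the one whose HELO and IP get checked. Host names and addresses below are constructed; only the forthnet hop is copied from the forwarded spam.

```python
import ipaddress
import re

# Sendmail form: "from HELO (rdns [ip]) by ..."
SENDMAIL_RE = re.compile(r"^from\s+(\S+)\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
# Exim form, as in the forwarded spam: "from [ip] (port=N helo=HELO) by ..."
EXIM_RE = re.compile(r"^from\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s+\([^)]*helo=([^\s)]+)")

def parse_hop(received):
    """Return (peer_ip, helo) for one Received header value, or None."""
    m = SENDMAIL_RE.search(received)
    if m:
        return m.group(2), m.group(1)
    m = EXIM_RE.search(received)
    if m:
        return m.group(1), m.group(2)
    return None

def first_untrusted_hop(received_headers, trusted_networks=()):
    """Walk Received headers newest first.  A hop whose peer IP lies in
    trusted_networks is one of our own relays, so the header it stamped is
    examined next; the first hop from an untrusted IP is the one to check
    (HELO, DNSBL).  With no trusted networks the relay in front of us is
    taken for the sender, which is the poster's problem."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hdr in received_headers:
        hop = parse_hop(hdr)
        if hop is None:
            return None          # unparseable header: give up on the chain
        ip, helo = hop
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue             # stamped by a relay we trust; look deeper
        return ip, helo
    return None

# Constructed chain for the poster's layout: internet -> mailrelay1 -> MD host.
RECEIVED = [
    "from mailrelay1.example.org (mailrelay1.example.org [203.0.113.5]) by "
    "md.example.org (8.13.7/8.13.6) with ESMTP id kAS8pfii018311",
    "from [212.251.108.145] (port=40748 helo=ppp25-145.adsl.forthnet.gr) by "
    "mailrelay1.example.org with esmtp id 515070-515070-81",
]
```

As the answer notes, this is SpamAssassin-side only; MIMEDefang's own $Helo and $RelayAddr still describe mailrelay1.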