Re: [Mimedefang] Reputation Reporting Protocol submitted to IETF as an I-D
- wrote:

> I can say this right off: Encoding the timestamp as an integer with an anchor year is going to be a problem (e.g. in 2038 or 2106) requiring a future version upgrade.

No, it's not. We are not encoding the timestamp. If you read the RFC carefully, you'll see that we're encoding the low-order 32 bits of the timestamp. The *only* purpose of that field is to help detect and fend off replay attacks. If an attacker wants to hold onto a packet for 2^32 seconds (~136 years) and then reinject it... well yeah, we don't protect against that.

> Maybe you don't care about the 27-year timebomb you're giving yourself.

Absolutely we don't care; see above.

> IP-address-types: Consider adding as a separate value spamtrap that occurs as a result of delivery to a spamtrap address.

IMO, that's the same as AUTO-SPAM, but I suppose we could add another TYPE code.

> Section 8 - Example Report: Should use an IPv6 address from the documentation prefix (2001:DB8::/32) instead of a live address.

OK; I'll fix that in the next version.

--
David.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
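Added example (not part of the message above or of the Internet-Draft): a receiver-side replay screen that compares the 32-bit timestamp field with the local clock modulo 2^32, so the comparison keeps working across the 2038 and 2106 rollovers. The 300-second window, the duplicate cache and the names ts_field, signed_delta and ReplayGuard are assumptions made for illustration.

```python
# Added example: replay screening on a 32-bit truncated timestamp field.
# WINDOW and the duplicate cache are assumptions, not values from the draft.
MASK32 = 0xFFFFFFFF
WINDOW = 300  # assumed acceptable clock skew, in seconds


def ts_field(unix_seconds):
    """Low-order 32 bits of a Unix timestamp."""
    return unix_seconds & MASK32


def signed_delta(field, now):
    """(field - now) modulo 2^32, mapped into [-2^31, 2^31)."""
    d = (field - ts_field(now)) & MASK32
    return d - (1 << 32) if d >= (1 << 31) else d


class ReplayGuard:
    """Rejects stale reports and exact duplicates seen inside the window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.seen = {}  # (sender, field, mac) -> receiver time when entry expires

    def accept(self, sender, field, mac, now):
        if abs(signed_delta(field, now)) > self.window:
            return False  # outside the freshness window
        # Forget entries that can no longer pass the freshness check.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        key = (sender, field, mac)
        if key in self.seen:
            return False  # same report re-injected while still fresh
        self.seen[key] = now + 2 * self.window + 1
        return True


if __name__ == "__main__":
    t = 1276698909  # constructed send time (June 2010)
    guard = ReplayGuard()
    print(guard.accept("sensor-1", ts_field(t), b"mac", t + 2))     # True
    print(guard.accept("sensor-1", ts_field(t), b"mac", t + 3))     # False
    print(guard.accept("sensor-1", ts_field(t), b"mac", t + 3600))  # False
    # A field written just before the 2^32 rollover, checked just after it:
    print(signed_delta(ts_field(2**32 - 3), 2**32 + 5))             # -8
```

A report held for exactly 2^32 seconds yields a delta of 0 and passes the freshness check, which is the case the message above says the field does not protect against.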
Re: [Mimedefang] action_drop_with_warning error (Steffen Kaiser)
Hello,

Please find the filter rules which relate to action_drop_with_warning.

    #***
    sub filter {
        my($entity, $fname, $ext, $type) = @_;

        return if message_rejected(); # Avoid unnecessary work

        # Block message/partial parts
        if (lc($type) eq "message/partial") {
            md_graphdefang_log('message/partial');
            action_bounce("MIME type message/partial not accepted here");
            return action_discard();
        }

        # Drop attachments whose names match the bad-extension list
        if (filter_bad_filename($entity)) {
            md_graphdefang_log('bad_filename2', $fname, $type);
            return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
        }

        return action_accept();
    }
    #***

    #***
    # This procedure returns true for entities with bad filenames.
    sub filter_bad_filename {
        my($entity) = @_;
        my($bad_exts, $re);

        # Bad extensions
        my $rcp = $Recipients[0];
        $rcp =~ s/[<>]//g;   # strip the angle brackets around the address
        my($r_user,$r_domain) = split(/\@/,$rcp);
        my ($new_r_domain) = strip_domain($r_user,$r_domain);
        # This function provides the custom list of bad extensions in the $yy variable.
        my ($aa,$bb,$cc,$yy,$zz) = spam_config_check($r_user,$new_r_domain,2);

        if ($yy eq "") {
            # No custom list for this recipient: use the default list
            $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
        } else {
            $bad_exts = '('. $yy .'|\{[^\}]+\})';
        }
        if ($Lohg == 1) {md_syslog('warning', "MsgID: $MsgID in bad-filename: user is $r_user,domain is $new_r_domain, bad_ex are $bad_exts");}

        # Do not allow:
        # - CLSIDs {foobarbaz}
        # - bad extensions (possibly with trailing dots) at end
        $re = '\.' . $bad_exts . '\.*$';

        return 1 if (re_match($entity, $re));

        # Look inside ZIP files
        if (re_match($entity, '\.zip$') and
            $Features{"Archive::Zip"}) {
            my $bh = $entity->bodyhandle();
            if (defined($bh)) {
                my $path = $bh->path();
                if (defined($path)) {
                    return re_match_in_zip_directory($path, $re);
                }
            }
        }
        return 0;
    }
    #*

Please assist.

Regards.

Message: 2
Date: Wed, 16 Jun 2010 16:35:09 +0200 (CEST)
From: Steffen Kaiser skmimedef...@smail.inf.fh-bonn-rhein-sieg.de
Subject: Re: [Mimedefang] action_drop_with_warning error
To: mimedefang@lists.roaringpenguin.com
Message-ID: alpine.deb.1.10.1006161633510.10...@pc-2m63a.inf.fh-bonn-rhein-sieg.de
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Jun 2010, Shridhar wrote:

> The message it throws in the maillogs is
>
> Jun 16 18:35:39 mail105 mimedefang-multiplexor[9973]: Slave 1 stderr: open body: Invalid argument at /usr/local/lib/perl5/site_perl/5.8.8/MIME/Entity.pm line 1863.
> Jun 16 18:35:39 mail105 mimedefang-multiplexor[9973]: Slave 1 died prematurely -- check your filter rules
>
> I use action_drop_with_warning function to drop the attachment. I also tried upgrading the MIME-tools version to 5.428 but with no success.

Well, "check your filter rules" is the advice in the log. Show them.

Regards,

- --
Steffen Kaiser
Re: [Mimedefang] Reputation Reporting Protocol submitted to IETF as an I-D
David F. Skoll d...@roaringpenguin.com wrote:

> I've submitted the Reputation Reporting Protocol (for collecting information about IP addresses) as an Internet Draft; please see http://datatracker.ietf.org/doc/draft-dskoll-reputation-reporting/
>
> Comments are solicited; if you're interested, please join the mailing list at http://lists.roaringpenguin.com/cgi-bin/mailman/listinfo/reputation-reporting
>
> The home page for the project is http://www.mimedefang.org/reputation

IMHO you should generalize support for different signature types, e.g. 1 extra byte for signature length and 1 extra byte for signature type.

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
The Almighty in His infinite wisdom did not see fit to create Frenchmen in the image of Englishmen. -- Winston Churchill, 1942
Re: [Mimedefang] Reputation Reporting Protocol submitted to IETF as an I-D
Andrzej Adam Filip wrote:

> IMHO you should generalize support for different signature types e.g. 1 extra byte for signature length and 1 extra byte for signature type

I'm not sure what you mean by signature types. Could you explain? Are you referring to the truncated HMAC?

By the way, your outbound SMTP server 213.180.147.167 has a rather poor reputation. We've been running the Reputation Reporting Protocol with several hundred sensors for a few months now and we keep a window of 45 days' worth of events (about 1.6 x 10^9 events in total; ~400/second). Here's the score for 213.180.147.167:

$ canit-reputation-check 213.180.147.167
213.180.147.167: smtpout7.poczta.onet.pl gl=142 ug=33 hs=21 hh=2 as=15177 ah=87 vr=17209 ir=13022 activity=6.1

That means 142 greylisting events, 33 ungreylisting events, 21 messages hand-voted as spam, 2 hand-voted as non-spam, 15177 auto-detected as spam, 87 auto-detected as non-spam, 17209 valid RCPT commands and 13022 invalid RCPT commands.

activity=6.1 is a log-scale measure of how much activity our sensors have picked up; 213.180.147.167 is a fairly active SMTP client.

You need to get your ISP to clean up its act. :-)

Regards,

David.
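Added example (not part of the message above and not code from the CanIt tools): a strict parser for the canit-reputation-check output line quoted in the message, using the field meanings given there. The two derived ratios and the names parse_reputation and ratios are assumptions of this example, not the scoring the tool itself applies.

```python
import ipaddress

# Counter names as explained in the message above.
COUNTERS = ("gl", "ug", "hs", "hh", "as", "ah", "vr", "ir")

# The output line quoted in the message above.
SAMPLE = ("213.180.147.167: smtpout7.poczta.onet.pl gl=142 ug=33 hs=21 hh=2 "
          "as=15177 ah=87 vr=17209 ir=13022 activity=6.1")


def parse_reputation(line):
    """Parse '<ip>: <host> key=value ...'; raise ValueError on malformed input."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[0].endswith(":"):
        raise ValueError("expected '<ip>: <host> key=value ...'")
    rec = {"ip": str(ipaddress.ip_address(tokens[0][:-1])), "host": tokens[1]}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if key in COUNTERS and sep and value.isascii() and value.isdigit():
            rec[key] = int(value)
        elif key == "activity" and sep:
            rec[key] = float(value)  # ValueError if not numeric
        else:
            raise ValueError(f"unexpected token: {tok!r}")
    missing = [k for k in COUNTERS if k not in rec]
    if missing:
        raise ValueError(f"missing counters: {missing}")
    return rec


def ratios(rec):
    """Two derived ratios (an assumption of this example, not the tool's scoring)."""
    spam, ham = rec["hs"] + rec["as"], rec["hh"] + rec["ah"]
    rcpt = rec["vr"] + rec["ir"]
    return {
        "spam_fraction": spam / (spam + ham) if spam + ham else None,
        "invalid_rcpt_fraction": rec["ir"] / rcpt if rcpt else None,
    }


if __name__ == "__main__":
    rec = parse_reputation(SAMPLE)
    print(rec)
    print(ratios(rec))
```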
Re: [Mimedefang] Reputation Reporting Protocol submitted to IETF as an I-D
David F. Skoll d...@roaringpenguin.com wrote:

> Andrzej Adam Filip wrote:
>
>> IMHO you should generalize support for different signature types e.g. 1 extra byte for signature length and 1 extra byte for signature type
>
> I'm not sure what you mean by signature types. Could you explain? Are you referring to the truncated HMAC?
> [...]

Yes. IMHO you should create a protocol capable of supporting other sender signature types even if for a long time only one type is going to be supported.

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
Luck, that's when preparation and opportunity meet. -- P. E. Trudeau
Re: [Mimedefang] Reputation in practice
David F. Skoll d...@roaringpenguin.com wrote:

> Andrzej Adam Filip wrote:
>
>> [...]
>
> By the way, your outbound SMTP server 213.180.147.167 has a rather poor reputation. We've been running the Reputation Reporting Protocol with several hundred sensors for a few months now and we keep a window of 45 days' worth of events (about 1.6 x 10^9 events in total; ~400/second). Here's the score for 213.180.147.167:
>
> $ canit-reputation-check 213.180.147.167
> 213.180.147.167: smtpout7.poczta.onet.pl gl=142 ug=33 hs=21 hh=2 as=15177 ah=87 vr=17209 ir=13022 activity=6.1
>
> That means 142 greylisting events, 33 ungreylisting events, 21 messages hand-voted as spam, 2 hand-voted as non-spam, 15177 auto-detected as spam, 87 auto-detected as non-spam, 17209 valid RCPT commands and 13022 invalid RCPT commands.
>
> activity=6.1 is a log-scale measure of how much activity our sensors have picked up; 213.180.147.167 is a fairly active SMTP client.
>
> You need to get your ISP to clean up its act. :-)

I use onet.(eu|pl) as dual-purpose free email accounts, used also as spamtraps. The addresses have been advertised for *many* years; I do not want to waste the accumulated effort ;-)

IMHO onet is too close to the philosophy "no money, no (true) responsibility".

I could switch to gmail at any time, but gmail dev-nulls my own mails sent by mailing list servers; it keeps *only* the copy of the message sent to the mailing list. It is behavior I double +dislike, so I use gmail to receive messages from mailing lists and another account to send to mailing lists.

Could you suggest another free email account/service for sending to mailing lists?

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
Certainly there are things in life that money can't buy, But it's very funny -- did you ever try buying them without money? -- Ogden Nash