[Mimedefang] Re: MIMEDefang Digest, Vol 9, Issue 30

2004-06-18 Thread Jeff Rife
> Perl5.8.4 is needed to be able to reload the mimedefang config without
> stop and start. Perl 5.6.1 has bugs which prevent this.

I think you mean perl 5.8.x, since I run perl 5.8.3 on Fedora 2, and 
MIMEDefang is set to use embedded mode, and runs fine (reloads work 
great, and the makefile tests also say it works).


--
Jeff Rife| Radio Shack...you've got questions, 
SPAM bait:   | we've got puzzled looks. 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  |  


___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Is there a way to change "To:" header?

2004-06-18 Thread Jeff Rife
Our users have MS Outlook as the e-mail client, so they can't match on 
arbitrary headers.  There are some political issues with changing the 
subject on false positives, especially when it is then replied to and the 
original sender sees we think they are a SPAMmer.

So, my idea was to add an innocuous name to the "To:" header.  Since this 
is not used by sendmail to do any delivery (the envelope recipients are 
used instead), I think it is safe, and Outlook *can* filter on it.

The question is: how?

MIMEDefang exposes a global variable $Subject that makes adding to the 
subject easy, but I can't find anything similar for other headers.  I'm 
not a Perl guru, though, so I might have missed the setting in 
mimedefang.pl.


--
Jeff Rife|  Sam: How's life treatin' you, Norm? 
SPAM bait:   |  
[EMAIL PROTECTED] | Norm: Well, Sammy, it's not...so I sure 
[EMAIL PROTECTED]  |   hope you are. 




[Mimedefang] Re: MIMEDefang Digest, Vol 9, Issue 34

2004-06-18 Thread Jeff Rife
> I have not tested this, but it is where I would start.  I'd test something
> like the following line:
> 
> action_add_header("To:", "$Recipients, SpammyMail");

This is close, but, here's what I came up with after testing:

action_change_header("To", "$Recipients, SpammyMail");

This will end up with just one "To:" header.

Unfortunately, "$Recipients" is undefined, thus it always ends up looking 
like:

To: , [EMAIL PROTECTED]

Even if $Recipients was defined, though, I don't think it's what I want, 
since the @Recipients array has *all* envelope recipients, which 
generally includes things that were in any of "To:", "Cc:", "Bcc:", and 
"Resent-To:" headers.

I also tried using $entity->head->get('To') in both filter() and 
filter_multipart(), which the MIME::Tools docs seem to indicate would 
return a header, but I get nothing when I do this.

So, does anybody know of a way to extract the contents of just one header 
from the message and stay within mimedefang-filter/Perl?  I could use 
formail, but that's a major hack.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/OverTheHedge/VelveetaAndRotel.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  |  




[Mimedefang] Re: MIMEDefang Digest, Vol 9, Issue 35

2004-06-19 Thread Jeff Rife
> On Fri, 18 Jun 2004, Jeff Rife wrote:
> 
> > So, does anybody know of a way to extract the contents just one header
> > from the message and stay within mimedefang-filter/Perl?
> 
> Open and parse ./HEADERS

Ouch.  I guess it's time to really learn Perl.

> I wouldn't recommend changing the To: header, because Sendmail also
> changes it.  If you must change that header, put your changes in an
> RFC2822 comment:
> 
>   action_change_header("To:", "$original_to (Spammy)");

If I can ever get the changes to work, then I'll have to see if OE can 
find that, since the UI implies that it doesn't filter on the comments, 
only on actual recipients.

But, thanks all for the hints.


--
Jeff Rife| "Ahhh, what an awful dream!  Ones and zeroes 
SPAM bait:   |  everywhere...and I thought I saw a two!" 
[EMAIL PROTECTED] | -- Bender, "Futurama" 
[EMAIL PROTECTED]  |  
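The reply above points at the HEADERS file MIMEDefang leaves in the working directory. As an added example (not from the thread, and not MIMEDefang's own code), the script below parses header text of that shape, unfolds any RFC 2822 continuation lines, and pulls out only the "To:" value, so Cc:, Bcc: and the envelope recipients are left alone; the sample input is constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse header text into a list of [name, value] pairs.  A line that
# starts with whitespace continues the previous header (RFC 2822
# folding).  Order and duplicates are preserved, since a message may
# legitimately carry several Received: headers, for instance.
sub parse_headers {
    my ($text) = @_;
    my @hdrs;
    for my $line (split /\r?\n/, $text) {
        last if $line eq '';                       # blank line ends the headers
        if ($line =~ /^[ \t]+(.*)$/ && @hdrs) {
            $hdrs[-1][1] .= ' ' . $1;              # unfold onto the previous header
        } elsif ($line =~ /^([\w-]+):[ \t]*(.*)$/) {
            push @hdrs, [$1, $2];
        }
        # anything else is malformed; ignore it rather than guess
    }
    return @hdrs;
}

# Return the value of the first header with the given name
# (case-insensitive), or undef if the message has none.
sub get_header {
    my ($name, @hdrs) = @_;
    for my $h (@hdrs) {
        return $h->[1] if lc $h->[0] eq lc $name;
    }
    return undef;
}

# Constructed sample.  MIMEDefang writes one header per line; the To:
# header here is deliberately folded to show that unfolding is handled
# either way.
my $sample = <<'EOT';
Received: from mx.example.net (mx.example.net [192.0.2.10])
	by mail.example.org with ESMTP id 1
From: Alice <alice@example.net>
To: Bob <bob@example.org>,
	Carol <carol@example.org>
Cc: Dave <dave@example.org>
Subject: weekly report
EOT

my @hdrs = parse_headers($sample);
my $to   = get_header('To', @hdrs);
print "To: $to\n";

# The form suggested later in the thread: put the tag in an RFC 2822
# comment so the recipient addresses themselves are not altered.
print 'action_change_header("To", "', $to, ' (Spammy)")', "\n";

# Inside filter(), the same parser would read the working directory's file:
#   local $/;
#   open(my $fh, '<', 'HEADERS') or die "HEADERS: $!";
#   my @hdrs = parse_headers(<$fh>);
```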




[Mimedefang] Re: MIMEDefang Digest, Vol 9, Issue 34

2004-06-21 Thread Jeff Rife
> Our users have MS Outlook as the e-mail client, so they can't match on 
> arbitrary headers.  There are some political issues with changing the 
> subject on false positives, especially when it is then replied to and the 
> original sender sees we think they are a SPAMmer.

It turns out that Outlook 2003 has the ability to filter on arbitrary text 
in the headers, so it can find the "X-Spam-Score" header.  The users say 
this is a new feature (only a few of the tech people use Outlook), so 
that has solved my problem.

Again, thanks for all the hints.


--
Jeff Rife| "Having your book turned into a movie is like 
SPAM bait:   |  seeing your ox turned into bouillon cubes." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  | -- John Le Carré 




[Mimedefang] Re: MIMEDefang Digest, Vol 9, Issue 37

2004-06-21 Thread Jeff Rife
> So I have this in my sa-mimedefang.cf file:
> 
> required_hits                        6.0
> auto_report_threshold                20
> use_bayes                            1
> bayes_auto_learn                     1
> bayes_path                           /var/spool/MD-Quarantine/bayes/bayes
> bayes_auto_expire                    0
> bayes_auto_learn_threshold_nonspam   0.5
> bayes_auto_learn_threshold_spam      5.5
> bayes_expiry_max_db_size             10
> bayes_file_mode                      0644
> bayes_ignore_header                  X-Spam-Status:
> bayes_ignore_header                  X-Spam-Score:
> bayes_journal_max_size               10240
> bayes_journal_max_size               512
> bayes_learn_to_journal               1
> bayes_min_ham_num                    50
> bayes_min_spam_num                   50
> 
> 
> ...and yet, I don't see bayes do diddly squat.  I just deleted all of 
> the bayes files, and fed it a new spam and ham content.  All the files 
> in /var/spool/MD-Quarantine/bayes/ are owned by defang.defang.  What 
> else am I missing, or have not configured properly?

First, try looking in ~defang/.spamassassin/ for the bayes_* files.  I 
wouldn't be surprised if you find them there.

This is because the "userstate_dir" is set by default to ~/.spamassassin 
in Mail::SpamAssassin, and there is no configuration file setting that 
allows you to override this.

After hammering on this for a while, I found out the following:

1. If I renamed sa-mimedefang.cf to something else ("site-prefs", in my
   case) and told MIMEDefang about it (by changing the spam_assassin_init
   call in /etc/mail/mimedefang-filter to include the filename), I found
   that I got bayes files in ~defang/.spamassassin because the use_bayes
   default is 1, but the bayes_path just didn't seem to be read
   correctly.

2. With the spam_assassin_init line referencing a non-existent file,
   /etc/mail/spamassassin/sa-mimedefang.cf gets read by the SA startup
   as a "site rule" file because of the directory it is in and the .cf
   extension.  This resulted in bayes* files in *both*
   ~defang/.spamassassin and my chosen path (/var/spool/SA-MIMEDefang/).

3. Even without mucking about with filenames, I would sometimes get
   bayes* files in both places.

This same issue also causes problems with the auto-whitelist file.

My solution (and it's a real hack) was to add the "userstate_dir" option 
to the constructor initializer list for the Mail::SpamAssassin object in 
mimedefang.pl:

$SASpamTester = Mail::SpamAssassin->new({
    local_tests_only   => $SALocalTestsOnly,
    dont_copy_prefs    => 1,
    userprefs_filename => $config,
    userstate_dir      => "/var/spool/SA-MIMEDefang"});

I now have the bayes* files and the auto-whitelist file in that 
directory, and they are being used.  My only problem is that 
"bayes_learn_to_journal" seems to be ignored.  There aren't any speed 
issues, so I don't really care to pin this down right now, since all of 
these changes have also fixed auto-learning, which didn't seem to be 
working before, either.

These changes were implemented on my test system, which does get some 
high-value SPAM, but wasn't adding them to the auto-learn database (the 
number of learned SPAMs was always zero, since I hadn't run sa-learn).  I 
rolled out a new server yesterday with these mods (for a domain that gets 
a *lot* of SPAM), and there are 152 auto-learned SPAMs in the database.


--
Jeff Rife| "As usual, a knife-wielding maniac 
SPAM bait:   |  has shown us the way." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  | -- Bart Simpson 




[Mimedefang] Re: MIMEDefang Digest, Vol 9, Issue 44

2004-06-22 Thread Jeff Rife
> sa-learn -D as a debug tool is your friend.
> Run as the user defang.

This only partially helps.

For my setup, I tell MIMEDefang to use /etc/mail/spamassassin/site-prefs 
as the user prefs file.  I also have ~defang/.spamassassin/user_prefs 
symbolically linked to this file.  In the file, the bayes_min_spam_num is 
set to 500.

I started getting rule hits on the BAYES_* rules the other day, and I 
checked and the number of SPAM in the database was 204.  There should be 
no hits on these rules until there are at least 500 SPAM in the DB.

But, the default for bayes_min_spam_num is 200 if you don't have this 
value in your user_prefs file, which /root/.spamassassin/user_prefs did 
not.  Setting the right value there (by removing that file and linking it 
to the site-prefs file) seems to have solved the problem.

Basically, I have no clue anymore where the various SpamAssassin values 
are read from when MIMEDefang runs as a daemon as user "defang", so I'm 
shotgunning the whole thing.


--
Jeff Rife|  
SPAM bait:   | "Resistance...is *futile*" 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  | -- Data, "Star Trek: First Contact" 




[Mimedefang] MIMEDefang 2.43 does not use my SpamAssassin prefs file

2004-06-23 Thread Jeff Rife
In mimedefang-filter, I have:

#
# The next lines force SpamAssassin modules to be loaded and rules
# to be compiled immediately.  This may improve performance on busy
# mail servers.  Comment the lines out if you don't like them.
if ($Features{"SpamAssassin"})
  {
  spam_assassin_init("/etc/mail/spamassassin/site-prefs")->compile_now(1)
    if defined(spam_assassin_init());

  # If you want to use auto-whitelisting:
  if (defined($SASpamTester))
    {
    use Mail::SpamAssassin::DBBasedAddrList;
    my $awl = Mail::SpamAssassin::DBBasedAddrList->new();
    $SASpamTester->set_persistent_address_list_factory($awl) if defined($awl);
    }
  }
#

The only change from the shipping version is the parameter to 
spam_assassin_init, which tells it to use my own user-prefs file.  When I 
got a message today with an incorrect score for a rule that was in the 
prefs file, I investigated by changing mimedefang.pl by adding a logging 
line to spam_assassin_init:

#
sub spam_assassin_init (;$) {

    unless ($Features{"SpamAssassin"}) {
        md_syslog('err', "$MsgID: Attempt to call SpamAssassin function, but SpamAssassin is not installed.");
        return undef;
    }

    if (!defined($SASpamTester)) {
        my $config = shift;
        unless ($config)
        {
            if (-r "/etc/mail/spamassassin/sa-mimedefang.cf") {
                $config = "/etc/mail/spamassassin/sa-mimedefang.cf";
            } elsif (-r "/etc/mail/spamassassin/local.cf") {
                $config = "/etc/mail/spamassassin/local.cf";
            } else {
                $config = "/etc/mail/spamassassin.cf";
            }
        }

        ### Added logging line
        md_syslog('notice',"User-prefs files set to $config");

        $SASpamTester = Mail::SpamAssassin->new({
            local_tests_only   => $SALocalTestsOnly,
            dont_copy_prefs    => 1,
            userprefs_filename => $config});
    }

    return $SASpamTester;
}
#

Here are the lines this generates in the log file:

#
Jun 23 11:33:51 HOSTNAME mimedefang-multiplexor[29252]: started; minSlaves=2, maxSlaves=10, maxRequests=500, maxIdleTime=300, busyTimeout=120, clientTimeout=10
Jun 23 11:33:53 HOSTNAME mimedefang.pl[29252]: User-prefs files set to /etc/mail/spamassassin.cf
Jun 23 11:33:57 HOSTNAME mimedefang.pl[29252]: Initialized embedded Perl interpreter
Jun 23 11:33:57 HOSTNAME mimedefang.pl[29252]: Starting slave 0 (pid 29271) (1 running): Bringing slaves up to minSlaves (2)
Jun 23 11:33:57 HOSTNAME mimedefang[29265]: Multiplexor alive - entering main loop
Jun 23 11:34:00 HOSTNAME mimedefang.pl[29252]: Starting slave 1 (pid 29273) (2 running): Bringing slaves up to minSlaves (2)
#

As far as I can tell, the "unless ($config)" is always returning false, 
which means that $config is uninitialized for some reason.  I'm not a 
Perl guru, so I couldn't figure out why.  The limit of my guesses was 
changing the "" around the filename to '', and that didn't help.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/MoneyToConsultants.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  |  
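The log above shows the fallback path even though a filename was passed. As an added example (not from the post, and not mimedefang.pl's own code), the script below reproduces the effect with a stand-in spam_assassin_init(): Perl evaluates a statement modifier's condition first, so in `... if defined(spam_assassin_init())` the argument-less call does the one-time initialisation with the fallback path, and the call carrying site-prefs then just returns the already-built object. The hash standing in for the Mail::SpamAssassin object is an assumption of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $SASpamTester;   # stand-in for the global in mimedefang.pl
my @log;            # stand-in for what md_syslog() would record

# Same shape as spam_assassin_init() in mimedefang.pl 2.43, with the
# Mail::SpamAssassin object replaced by a hash that remembers its path.
sub spam_assassin_init (;$) {
    if (!defined($SASpamTester)) {
        my $config = shift;
        unless ($config) {
            # same fallback chain as mimedefang.pl
            if (-r "/etc/mail/spamassassin/sa-mimedefang.cf") {
                $config = "/etc/mail/spamassassin/sa-mimedefang.cf";
            } elsif (-r "/etc/mail/spamassassin/local.cf") {
                $config = "/etc/mail/spamassassin/local.cf";
            } else {
                $config = "/etc/mail/spamassassin.cf";
            }
        }
        push @log, "User-prefs files set to $config";
        $SASpamTester = { userprefs_filename => $config };
    }
    return $SASpamTester;
}

sub reset_state { $SASpamTester = undef; @log = (); }

# The statement-modifier form from mimedefang-filter.  The condition
# after "if" runs first, so the argument-less call initialises with the
# fallback path; the call carrying site-prefs then finds $SASpamTester
# already defined and returns it unchanged.
sub modifier_form {
    reset_state();
    spam_assassin_init("/etc/mail/spamassassin/site-prefs")
        if defined(spam_assassin_init());
    return $SASpamTester->{userprefs_filename};
}

# Initialising with the chosen file first avoids the problem; any later
# argument-less call is a no-op that returns the same object.
sub explicit_form {
    reset_state();
    spam_assassin_init("/etc/mail/spamassassin/site-prefs");
    spam_assassin_init();
    return $SASpamTester->{userprefs_filename};
}

print "modifier form initialised with: ", modifier_form(), "\n";
print "explicit form initialised with: ", explicit_form(), "\n";
print "logged: $_\n" for @log;
```

On a host without the sa-mimedefang.cf or local.cf files, the modifier form reports /etc/mail/spamassassin.cf, which is the path in the log above.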




Re: [Mimedefang]

2004-06-30 Thread Jeff Rife
On 29 Jun 2004 at 17:54, Shawn Button wrote:

> How do I set up auto-whitelisting in SA when running mimedefang? I
> uncommented the lines in my mimedefang-filter but it seems like I
> should do something to my sa-mimedefang.cf. 
>  
> I have SA 2.63 and mimedefang 2.39

First, in the default MD/SA installs, sa-mimedefang.cf is read twice (at 
least on my system): once because it is in the default rules path for SA 
and is named *.cf, and once because MD tells SA to use it as the 
user-prefs file.  I don't know if this causes problems.  It shouldn't, 
but one never knows.

Second, SA stores auto-whitelist and bayes* files in the directory 
specified by the "userstate_dir" option to the SpamAssassin constructor.  
The default is ~/.spamassassin.  Since MD does not pass this option in 
the constructor, that's where the files are stored.  Settings in 
sa-mimedefang.cf seem to make no difference.  Depending on what user you 
run MD as, you can figure out which directory things end up in (usually 
~defang/.spamassassin).

To get auto-whitelisting working correctly, I had to do the following 
(note that /var/spool/SA-MIMEDefang is where I put *my* AWL and bayes* 
files...you can put them wherever you want):
 
1. Change the call to the SpamAssassin constructor in the
   spam_assassin_init function in mimedefang.pl:

$SASpamTester = Mail::SpamAssassin->new({
    local_tests_only   => $SALocalTestsOnly,
    dont_copy_prefs    => 1,
    userprefs_filename => $config,
    userstate_dir      => '/var/spool/SA-MIMEDefang'});

2. Set the following in the sa-mimedefang.cf file:

   auto_learn                   1
   bayes_auto_expire            1
   bayes_learn_to_journal       1
   bayes_file_mode              0775
   bayes_path                   /var/spool/SA-MIMEDefang/bayes
   auto_whitelist_file_mode     0775
   auto_whitelist_path          /var/spool/SA-MIMEDefang/auto-whitelist

   Yes, I know that those file paths don't seem to do anything without
   the change to mimedefang.pl, but I have them there, just in case.

3. Change mimedefang-filter to uncomment the auto-whitelist stuff, like
   you did.

All of those steps were required to solve the problem for me, but they 
*do* solve the problem...AWL and bayes* works on a system-wide basis.

As one last bit of paranoia, you could do the following:

rm -fr ~defang/.spamassassin
ln -s /var/spool/SA-MIMEDefang ~defang/.spamassassin
rm -fr /root/.spamassassin
ln -s /var/spool/SA-MIMEDefang /root/.spamassassin


--
Jeff Rife| "Eternity with nerds.  It's the Pasadena Star 
SPAM bait:   |  Trek convention all over again." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  | -- Nichelle Nichols, "Futurama" 




Re: [Mimedefang]

2004-07-01 Thread Jeff Rife
On 30 Jun 2004 at 14:01, Jeff Grossman wrote:

> I don't personally use AWL, but I am not sure why you have problems with the
> bayes path statement.  Here is the relevant portion of my sa-mimedefang.cf
> file in /etc/mail/spamassassin:
> 
> #Bayes information
> use_bayes                       1
> bayes_path                      /etc/mail/spamassassin/bayes/bayes
> bayes_file_mode                 0700
> bayes_use_hapaxes               1
> auto_learn_threshold_nonspam    0.0
> auto_learn_threshold_spam       8.0
> 
> 
> And, my bayes database goes in the directory specified in that file.  I have
> never made any changes to mimedefang.pl.

All I know is that I had bayes* files appear in ~defang/.spamassassin 
until I made this change.  I run MIMEDefang 2.43 and SpamAssassin 2.63.


--
Jeff Rife|  
SPAM bait:   | "He chose...poorly." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  | -- Grail Knight, "Indiana Jones and the Last 
Crusade" 




Re: [Mimedefang] local socket unsafe

2004-07-02 Thread Jeff Rife
On 2 Jul 2004 at 11:48, Adam Lanier wrote:

> Under what conditions is the following error generated:
> 
>   Milter (mimedefang): local socket name
> /var/spool/MIMEDefang/mimedefang.sock unsafe
> 
> I had thought (perhaps naively) that this was caused by incorrect
> permissions on the socket.  Are there other causes as well?

Yes.  The latest sendmails track back the directory permissions all the 
way up to the root.

So all of the following must not be group-writable (and, of course, not 
world-writable, but that's rarely the problem):
  /
  /var
  /var/spool
  /var/spool/MIMEDefang


--
Jeff Rife| "If the world were destroyed and you were the 
SPAM bait:   |  last man within a thousand mile radius, I would 
[EMAIL PROTECTED] |  swim across the ocean on a rumor that Screech 
[EMAIL PROTECTED]  |  from 'Saved by the Bell' was spotted in Japan." 
 | -- Ellen 
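As an added example (not from the post), the script below does the check the reply describes: it walks from the milter socket's directory up to "/" and reports any ancestor that is group- or world-writable, exiting non-zero if one is found. The socket path defaults to the one in the question; run it on the mail host.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(dirname);
use Fcntl qw(:mode);

# Socket path from the question, overridable on the command line.
my $sock = @ARGV ? $ARGV[0] : '/var/spool/MIMEDefang/mimedefang.sock';

# Collect every directory from the socket's parent up to the root.
my @dirs;
for (my $d = dirname($sock); ; $d = dirname($d)) {
    push @dirs, $d;
    last if $d eq '/' || dirname($d) eq $d;   # reached "/" (or "." for a relative path)
}

# Report from "/" downward, flagging the write bits the reply names.
my $problems = 0;
for my $d (reverse @dirs) {
    my @st = stat($d);
    if (!@st) {
        printf "%-32s MISSING\n", $d;
        $problems++;
        next;
    }
    my $mode = $st[2] & 07777;
    my @bad;
    push @bad, 'group-writable' if $mode & S_IWGRP;
    push @bad, 'world-writable' if $mode & S_IWOTH;
    printf "%-32s %04o %s\n", $d, $mode, (@bad ? join(', ', @bad) : 'ok');
    $problems++ if @bad;
}

exit($problems ? 1 : 0);
```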




[Mimedefang] Bogus HELO filtering

2004-07-06 Thread Jeff Rife
I've seen a bit about this subject lately on the list, so I thought I'd 
throw in my solution and see what people think.

In filter_sender:

###
if ($ip =~ /^(127\.0\.0\.1|$TrustedNetworks)/)
  {
  return ('ACCEPT_AND_NO_MORE_FILTERING', "OK");
  }

my $MyDomains = '\.(domain1\.tld|domain2\.tld|domain3\.tld)$';

# Bogus IPs...I'm using my real ones in the actual filter
my $MyPublicIPs = '^434\.300\.377\.38[789]$';

if (($helo =~ /($MyDomains|$MyPublicIPs)/) and ($ip !~ /$MyPublicIPs/))
  {
  md_syslog('info', "md_info: bad HELO ($helo): $hostname [$ip]");

  # don't really reject for now...just log it
  # return ('REJECT', "Bad HELO: $hostname [$ip] is not $helo");
  }
###

My logic was:
- If it is from a trusted network (for me, behind my firewall), don't do
  anything...I don't care about outgoing SPAM as it's a firing offense.

- If the HELO says it is from something I control (ends in a domain I
  control or is in an IP block I control), but the actual connecting IP
  isn't one I control, then reject.  All the machines from all the
  domains are guaranteed to be in those IP blocks.

- I don't care if things match perfectly, so a machine that is in an IP
  block that I control might announce itself as the "wrong" name (like
  mail.domain2.tld instead of the correct mail.domain3.tld), but it
  still obviously has a right to do this.  This allows slight errors in
  DNS to be ignored; although they are a problem in the long run, they
  aren't a SPAM source.

Questions:

 1. Does this get the job done?
 2. Is there a more efficient way that doesn't involve listing out all
legal machines?  I have 3 public class C IP blocks, so that would be
some real work.
2a. The real domain list is 20 or so, and growing.  Is there a better
way to deal with that list?
 3. Am I breaking any rules by doing this?

Thanks.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/FoxTrot/Blackboard.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  |  




RE: [Mimedefang] Bogus HELO filtering

2004-07-07 Thread Jeff Rife
On 7 Jul 2004 at 9:48, Damrose, Mark wrote:

> I'd change to
> my $MyDomains = '(^|\.)(domain1\.tld|domain2\.tld|domain3\.tld)$';
> so it will catch domain1.tld as well as anything.domain1.tld.

I just thought of this myself this morning and added it.  It caught a 
*lot* more bogus HELOs.

> Since you anchor your public IPs, you miss the case where someone 
> follows the RFC and encloses the IP in square brackets.
> my $MyPublicIPs = '^\[?434\.300\.377\.38[789]\]?$';

That's what I was missing!  Thanks.

> If you have a full /24, then 
> my $MyPublicIPs = '^\[?434\.300\.377\.\d{1,3}\]?$';
> Should work for the full 24.  You don't need to list each one individually.

Yeah, I'm actually doing this with two different companies, and they have 
almost the same setup, but one just has a 16-IP public block, which is 
what I sort of listed here in the e-mail.  The 3 class-Cs were already as 
you said.

> Is there any case where someone could legally use your public IP that isn't
> listed in trusted networks?
> If not, then change to:
> if ($helo =~ /($MyDomains|$MyPublicIPs)/)
> No sense testing if the Relay is your public IP, if that IP can't be 
> legally used, and/or has already been accepted.

The public IPs aren't trusted because, well, they are public and outside 
our firewall.  It's theoretically possible that somebody gets in.  Since 
we restrict outgoing port 25 connects at our router, they would have to 
bounce SPAM off our mail server.

> >  3. Am I breaking any rules by doing this?
> 
> Technically yes.  The RFCs say you MUST NOT reject mail solely on the basis
> of the HELO.  However it is generally accepted that you can reject on 
> HELOs that absolutely can not be.  The trick is to correctly pick
> tests for values that can not be.

That's what I thought, and I wanted to know if I was being too broad.

> $s =~ s/^\ $s =~ s/[EMAIL PROTECTED]//;
> if ( $s =~ m/$H/i ) {
> $status=1;

Since hacking mimedefang-filter is my first Perl experience, this is a 
bit over my head.  I've got a decent background in sed and grep REs, but 
I'll have to peruse the Perl manual a bit to follow this.


--
Jeff Rife| "I feel an intense ambivalence, some of which 
SPAM bait:   |  doesn't border entirely on the negative." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  | -- Ned Dorsey, "Ned and Stacey" 
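The HELO check from the original post with the two corrections from this reply applied (the `(^|\.)` boundary so a bare domain is caught, and optional square brackets around an address literal), as an added example that is not code from the thread. The domain names and the non-routable 434.300.377 octets are the thread's own placeholders, the sample (helo, ip) pairs are constructed, and the trusted-network early return from the original filter is left out; the check logs a verdict rather than rejecting, as the original did.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Domains we control: matches "domain1.tld" itself and any host under it,
# but not "notdomain1.tld", because of the (^|\.) boundary.
my $MyDomains   = '(^|\.)(domain1\.tld|domain2\.tld|domain3\.tld)$';

# Address literals we control, with the optional RFC 2821 brackets.
# Placeholder octets from the thread, not a real address range.
my $MyPublicIPs = '^\[?434\.300\.377\.38[789]\]?$';

# 'bad' when the HELO claims to be one of our hosts or addresses but the
# connection does not come from one of our addresses; 'ok' otherwise.
# Host names are compared case-insensitively.
sub check_helo {
    my ($helo, $ip) = @_;
    my $claims_ours = ($helo =~ /$MyDomains/i) || ($helo =~ /$MyPublicIPs/);
    my $from_ours   = ($ip =~ /$MyPublicIPs/);
    return ($claims_ours && !$from_ours) ? 'bad' : 'ok';
}

# Constructed cases: [helo, connecting ip, expected verdict].
my @cases = (
    ['mail.domain1.tld',  '434.300.377.387', 'ok' ],  # our host from our address
    ['MAIL.DOMAIN1.TLD',  '10.9.8.7',        'bad'],  # case does not help a forger
    ['domain1.tld',       '10.9.8.7',        'bad'],  # bare domain, caught by (^|\.)
    ['[434.300.377.388]', '10.9.8.7',        'bad'],  # bracketed literal, caught by \[?
    ['434.300.377.388',   '10.9.8.7',        'bad'],  # unbracketed literal
    ['notdomain1.tld',    '10.9.8.7',        'ok' ],  # no dot boundary: not ours
    ['mail.domain2.tld',  '434.300.377.389', 'ok' ],  # "wrong" name, still our address
    ['mx.example.net',    '10.9.8.7',        'ok' ],  # unrelated host
);

for my $c (@cases) {
    my ($helo, $ip, $want) = @$c;
    my $got = check_helo($helo, $ip);
    printf "%-20s from %-16s => %-3s %s\n", $helo, $ip, $got,
        ($got eq $want ? '' : "(expected $want)");
}
```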




Re: [Mimedefang] Bogus HELO filtering

2004-07-07 Thread Jeff Rife
On 7 Jul 2004 at 9:21, Chris Myers wrote:

> > ###
> > if ($ip =~ /^(127\.0\.0\.1|$TrustedNetworks)/)
> >   {
> >   return ('ACCEPT_AND_NO_MORE_FILTERING', "OK");
> >   }
> 
> If you use stream_by_domain() or stream_by_recipient(), you really really
> don't want to have the 127.0.0.1 in the IP regexp.

I don't use these, and I really need 127.0.0.1 to keep the server load 
down, as it generally forwards all mail to the server where our internal 
users retrieve their e-mail (I have all the valid users available at this 
machine, though).  With sendmail 8.12.x, this means that it is re-sent 
via SMTP, and I don't want to take any time to do any scanning.


--
Jeff Rife| "My God, what if the secret ingredient is people?" 
SPAM bait:   | "No, there's already a soda like that: Soylent Cola." 
[EMAIL PROTECTED] | "Oh.  How is it?" 
[EMAIL PROTECTED]  | "It varies from person to person." 
 | -- Fry and Leela, "Futurama" 




Re: [Mimedefang] Still outbound messages are getting blocked by spamassassin

2004-07-09 Thread Jeff Rife
On 9 Jul 2004 at 10:41, Vivek Kumar wrote:

> sub filter_relay($$$){
>   my ($hostip,$hostname,$helo) = @_;
>   my $internal_net1 = "191.0.0";
>   my $internal_net2 = "191.0.1";
>   $hostip=~  /^(\d+\.\d+\.\d+)./ ;
>   my $mailip = $1;
>   if($mailip eq $internal_net1 || $mailip eq $internal_net2) {
>     return("ACCEPT_AND_NO_MORE_FILTERING","It's from us it gotta be good");
>   }
>   return("CONTINUE","");
> }

I'm not a Perl guru, so I'm probably wrong, but wouldn't the following be 
a lot cleaner:

sub filter_relay($$$)
{
my ($hostip, $hostname, $helo) = @_;

if ($hostip =~ /^191\.0\.[01]\./)
  {
  return('ACCEPT_AND_NO_MORE_FILTERING', "It's from us");
  }

return('CONTINUE', "");
}


--
Jeff Rife| "When I first heard that Marge was joining the 
SPAM bait:   |  police academy, I thought it would be fun and 
[EMAIL PROTECTED] |  zany, like that movie: Spaceballs.  But instead 
[EMAIL PROTECTED]  |  it was dark and disturbing, like that movie: 
 |  Police Academy." 
 | -- Homer Simpson 




[Mimedefang] Reject vs. bounce

2004-07-18 Thread Jeff Rife
In filter_relay, filter_sender, and filter_recipient, you can return a 
value that tells sendmail to reject the message.  This alerts the sender 
via DSN without requiring an extra e-mail, and guarantees that the server 
that connected to you to send you the e-mail gets the error message.

In filter_begin, filter, and filter_end, you can't return a "reject", but 
can only do something like call "action_bounce", which generates a 
separate e-mail to a possibly forged source address, and is a bad thing.

Why is this?  Has sendmail completely closed the connection by the time 
"filter_begin" is called?  Would having "delay_checks" set in sendmail.mc 
help?

Is there *any* way to do a true SMTP DSN-based reject based on the DATA 
portion of the e-mail?


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/MotherGooseAndGrimm/GatewaySource.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  |  




Re: [Mimedefang] Reject vs. bounce

2004-07-19 Thread Jeff Rife
On 18 Jul 2004 at 20:54, David F. Skoll wrote:

> On Sun, 18 Jul 2004, Jeff Rife wrote:
> 
> > In filter_begin, filter, and filter_end, you can't return a "reject", but
> > can only do something like call "action_bounce", which generates a
> > separate e-mail to a possibly forged source address,
> 
> That's not true.  Read the documentation carefully.

I thought I had.  This is what worried me:

  "action_bounce() may generate spurious bounce messages if the sender
   address is faked"

What I'm mostly trying to avoid is lots of e-mail from postmasters coming 
back to my server.  As far as I can tell, if you reject while the 
sendmail connection is still open, this should never happen.  If that's 
the case with "action_bounce", then that's all I need to know.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/RhymesWithOrange/MailerDaemon.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  |  




Re: [Mimedefang] MD 2.44 - sa-mimedefang.cf

2004-07-20 Thread Jeff Rife
On 19 Jul 2004 at 14:39, Tony Nelson wrote:

> According to the Changelog for 2.44 I was supposed to move my
> sa-mimedefang.cf from /etc/mail/spamassassin to /etc/mail .. which I
> did. 
> 
> Shortly thereafter, I noticed that none of my custom rules,
> whitelists, etc were being acted on. 
> 
> I symlinked sa-mimedefang.cf back into /etc/mail/spamassassin and
> restarted everything and now it's work as expected. 

I think this is the same bug (or related to it) that I ran into before.

The bug is in spam_assassin_init in mimedefang.pl.  Add the following 
line right before the Mail::SpamAssassin->new line:

  md_syslog('notice',"User-prefs files set to $config");

If it doesn't say that /etc/mail/sa-mimedefang.cf is being used, then 
that's your problem.

I found that no matter what I did, $config got set to one of the default 
values, even if I passed a value to spam_assassin_init.

Another gotcha is that all /etc/mail/spamassassin/*.cf files are 
automatically read as if they are "site rules", so even if setting your 
own prefs file wasn't working before, the file still got read as if it 
were extra rules, which are treated the same way.


--
Jeff Rife| "Eternity with nerds.  It's the Pasadena Star 
SPAM bait:   |  Trek convention all over again." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  | -- Nichelle Nichols, "Futurama" 




RE: [Mimedefang] problem with archive-zip-1.12

2004-07-20 Thread Jeff Rife
On 20 Jul 2004 at 10:29, Paul Murphy wrote:

> > This is line 348:
> > my $tfname = Archive::Zip::tempFileName('.');
> 
> >From the docs:
> 
> Archive::Zip::tempFile( [$tmpdir] ) 
> 
> I believe they changed the function name in 1.12 for some reason.

Because "tempFileName" implies that only a name is returned.  "tempFile" 
suggests that a file is opened/created, which is in fact what is 
happening.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/SalesToFriends.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED]  |  




Re: [Mimedefang] Creating better idiots (spam blocking)

2004-07-27 Thread Jeff Rife
On 27 Jul 2004 at 0:30, Ashley M. Kirchner wrote:

> Every day you come up with a way to block charsets you don't want, and 
> someone makes a better idiot. So here's the next "problem". How do I 
> scan and properly block these? Notice the 'big5' charset
> 
> Subject: 
> =?big5?Q?=A7=D6=A8=D3=B3=F8=A6W->=A1u=A5x=B4=C1=AB=FC=C4=B9=AEa=AFZ=A1v=A7K=B6O=C1=BF=AEy?=

The "raw" scans of SpamAssassin (they don't interpret MIME and encodings) 
can catch this sort of thing.  I use a few extra rulesets, but I was 
catching this before I started using them.

Make sure you have the following in your SA config file, and you should 
at least get the e-mail marked as SPAM:

ok_locales      en
ok_languages    en

If you change the scoring for these rules, you can make the score high 
enough to meet a "drop" threshold.  Some of the rules that work with this 
(and their default scores in SA 2.63):

score BODY_8BITS              1.500
score CHARSET_FARAWAY         3.200
score CHARSET_FARAWAY_HEADER  3.200
score HTML_CHARSET_FARAWAY    0.500
score MIME_CHARSET_FARAWAY    2.450
score UNWANTED_LANGUAGE_BODY  2.800


--
Jeff Rife| Coach: How's a beer sound, Norm? 
SPAM bait:   |  
[EMAIL PROTECTED] |  Norm: I dunno.  I usually finish them before 
[EMAIL PROTECTED]  |they get a word in. 




Re: [Mimedefang] Bad RCPT Throttle in the Real World

2004-08-07 Thread Jeff Rife
On 5 Aug 2004 at 17:27, Ashley M. Kirchner wrote:

> Hey, I never said they were *valid* responses, but it's a response 
> no less.  I don't like to advertise what version of mailer we're using, 
> so I changed it all.

Security by obscurity isn't really much help at all.

There are lots of ways to find out what version of mail server you 
have.

Helpful messages are good for real people who have some sort of issue 
with your server, and don't help hackers or SPAMmers enough to justify 
not using them.


--
Jeff Rife| "During the day you take orders from your 
SPAM bait:   |  girlfriend, and at night you reclaim your 
[EMAIL PROTECTED] |  manhood by speeding around in a giant, metal 
[EMAIL PROTECTED] |  penis." 
 | "No, it's a Corvette, so it's giant fiberglass 
 |  penis." 
 | -- Kate and Drew, "The Drew Carey Show" 




Re: [Mimedefang] /usr/local/bin/mimedefang: smfi_register failed

2004-08-08 Thread Jeff Rife
On 8 Aug 2004 at 13:48, Gilad Galad wrote:

> The "smfi_register: version mismatch application" error looks scary. Has 
> anyone any idea why this comes about?

The headers and milter library you used to compile sendmail aren't the 
same as the ones you used to compile MIMEDefang.  It's actually a 
common error, and not that "scary".

Just make sure the only sendmail source (i.e., the header files) and 
libraries on your machine are the actual ones used to compile the 
running sendmail, then do a "make clean" and "make" on MIMEDefang.


--
Jeff Rife|  /"\  ASCII Ribbon Campaign 
SPAM bait:   |  \ /  against HTML e-mail 
[EMAIL PROTECTED] |   X   and USENET posts 
[EMAIL PROTECTED] |  / \ 




RE: [Mimedefang] Question regarding stream_by_recipient()

2004-08-09 Thread Jeff Rife
On 9 Aug 2004 at 10:14, [EMAIL PROTECTED] wrote:

> 1) Configure MIMEDefang to change the "spam score" header to the
> following format:
> 
> Spam-Score:  (8.5)
> That is, put the asterisks before the number.
> 
> 2) Configure his email-reader to filter spam based on the "header
> contains"
> Spam-Score: ***
> (seven asterisks, say)

I use a slightly different version of this in that I use periods (.) 
instead of asterisks (*), because my mail client uses the asterisk as a 
wildcard.

The asterisk screws up the sort of filtering you suggest (and that I 
use), so some other character was necessary.  I just picked a period 
because it wasn't used for anything special in my mail client.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/AngryTVGod.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  


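An added example, not code from either post, from SpamAssassin or from MIMEDefang: a small Python model of the charset-based rules quoted in the "Creating better idiots" post above, run over a constructed message carrying the big5 subject from that post, with the result rendered as the dotted score header discussed in this thread. The scores are the SA 2.63 defaults quoted above; the set of charsets treated as "near" for ok_locales en, the X-Spam-Score header name and the rule approximations are assumptions, and UNWANTED_LANGUAGE_BODY (which needs language detection) is not modelled.

```python
import re

# Default scores for SA 2.63 as quoted in the post.  UNWANTED_LANGUAGE_BODY
# needs language detection and is not modelled here.
SCORES = {
    "BODY_8BITS": 1.5,
    "CHARSET_FARAWAY_HEADER": 3.2,
    "MIME_CHARSET_FARAWAY": 2.45,
}

# Charsets a site with "ok_locales en" treats as local.  This set is an
# assumption for the example, loosely following SA's Western locale group.
NEAR_CHARSETS = {
    "en": {"us-ascii", "ascii", "iso-8859-1", "iso-8859-15",
           "windows-1252", "utf-8"},
}

# RFC 2047 encoded-word: =?charset?Q-or-B?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?[bBqQ]\?[^?]*\?=")


def header_charsets(raw_value):
    """Charsets named in a raw (undecoded) header value, like SA's raw scan.
    A language tag after '*' (RFC 2231) is ignored."""
    return [m.group(1).split("*")[0].lower()
            for m in ENCODED_WORD.finditer(raw_value)]


def mime_charset(content_type):
    """charset= parameter of a Content-Type: value, lower-cased, or None."""
    m = re.search(r'charset\s*=\s*"?([^";\s]+)', content_type or "", re.I)
    return m.group(1).lower() if m else None


def is_faraway(charset, ok_locales):
    near = set().union(*(NEAR_CHARSETS.get(loc, set()) for loc in ok_locales))
    return charset not in near


def score_message(headers, raw_body, ok_locales=("en",)):
    """Return (score, hit rule names) for one message.  headers is a dict of
    raw header values; raw_body is bytes, since BODY_8BITS looks at the
    undecoded bytes rather than at decoded text."""
    hits = []
    subject_charsets = header_charsets(headers.get("Subject", ""))
    if any(is_faraway(cs, ok_locales) for cs in subject_charsets):
        hits.append("CHARSET_FARAWAY_HEADER")
    cs = mime_charset(headers.get("Content-Type"))
    if cs is not None and is_faraway(cs, ok_locales):
        hits.append("MIME_CHARSET_FARAWAY")
    # SA 2.x BODY_8BITS: eight consecutive 8-bit bytes in the raw body.
    if re.search(rb"[\x80-\xff]{8}", raw_body):
        hits.append("BODY_8BITS")
    return sum(SCORES[h] for h in hits), hits


def spam_score_header(score, marker="."):
    """One marker per whole point, so a client that can only do
    'header contains' (and treats '*' as a wildcard) can match on a run
    of N markers.  The numeric score is kept in parentheses."""
    return f"X-Spam-Score: {marker * int(score)} ({score:.2f})"


# Constructed sample 1: the big5 subject quoted in the post and a big5 body.
BIG5_MSG = {
    "Subject": "=?big5?Q?=A7=D6=A8=D3=B3=F8=A6W->=A1u=A5x=B4=C1=AB=FC=C4=B9=AEa=AFZ=A1v=A7K=B6O=C1=BF=AEy?=",
    "Content-Type": 'text/plain; charset="big5"',
}
BIG5_BODY = bytes.fromhex("a7d6a8d3b3f8a6aa") + b" ...\r\n"   # 8 high bytes

# Constructed sample 2: a Western European subject, which ok_locales en
# still treats as local, so none of the charset rules fire.
FRENCH_MSG = {
    "Subject": "=?iso-8859-1?Q?R=E9union_de_demain?=",
    "Content-Type": 'text/plain; charset="iso-8859-1"',
}
FRENCH_BODY = b"Bonjour \xe0 tous,\r\n"

if __name__ == "__main__":
    for name, hdrs, body in (("big5", BIG5_MSG, BIG5_BODY),
                             ("french", FRENCH_MSG, FRENCH_BODY)):
        score, hits = score_message(hdrs, body)
        print(name, hits, spam_score_header(score))
```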


Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-09 Thread Jeff Rife
On 9 Aug 2004 at 20:21, Kevin A. McGrail wrote:

> I thought about the statement below a lot because it seemed correct at first
> that pushing valid emails to all the gateways would solve the issue.
> However, the more I thought about it, invalid bounces are a big problems and
> SPF is a reasonable solution to start cutting down on them.  Large batches
> of outbound false emails that don't match SPF or get repeated bounces should
> trigger a shutdown of a clients outbound mailing ability especially as
> worms/virii that forge headers become the norm.

If the receiving MX servers always knew all valid recipient addresses 
*at (E)SMTP connection time*, then there would be no bounces...only 
rejections.

This solves the problem without introducing anything new to (E)SMTP.


--
Jeff Rife| "Space.  It seems to go on and on forever.  But 
SPAM bait:   |  then you get to the end and a gorilla starts 
[EMAIL PROTECTED] |  throwing barrels at you." 
[EMAIL PROTECTED] | -- Philip J. Fry, "Futurama" 




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-09 Thread Jeff Rife
On 9 Aug 2004 at 21:03, Kevin A. McGrail wrote:

> > If the receiving MX servers always knew all valid recipient addresses
> > *at (E)SMTP connection time*, then there would be no bounces...only
> > rejections.
> >
> > This solves the problem without introducing anything new to (E)SMTP.
> 
> At the core, this solution ignores the concept and purpose of a backup MX
> which is a reality and necessity for many companies where email is critical.

There is no reason a backup MX server can't know if an address is valid 
or not.


--
Jeff Rife| "These are not scraps.  These are historic 
SPAM bait:   |  remains of a once-great society of hair." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- George Costanza 




RE: [Mimedefang] Deadline for SPF records *long w/morbid horoscop e*

2004-08-10 Thread Jeff Rife
On 10 Aug 2004 at 7:59, Damrose, Mark wrote:

> Yes, but you can't get all the deliverable addresses - e.g.
> system addresses such as postmaster and abuse.

Those could be added "manually" to the list after the export.

> I also don't know
> of any way to do this automatically.

Almost anything that you can do in the Exchange UI is exposed as a COM 
object interface.


--
Jeff Rife|  Sam: How's life treatin' you, Norm? 
SPAM bait:   |  
[EMAIL PROTECTED] | Norm: Well, Sammy, it's not...so I sure 
[EMAIL PROTECTED] |   hope you are. 




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-10 Thread Jeff Rife
On 10 Aug 2004 at 9:00, Joseph Brennan wrote:

> --On Monday, August 9, 2004 11:17 PM -0400 Jeff Rife <[EMAIL PROTECTED]> 
> wrote:
> 
> >> At the core, this solution ignores the concept and purpose of a backup MX
> >> which is a reality and necessity for many companies where email is
> >> critical.
> 
> 
> I dispute this statement.

That's as may be, but check your quoting next time, because I didn't 
write it.


--
Jeff Rife| "Wheel of morality, 
SPAM bait:   |  Turn, turn, turn. 
[EMAIL PROTECTED] |  Tell us the lesson 
[EMAIL PROTECTED] |  That we should learn" 
 | -- Yakko, "Animaniacs" 




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-10 Thread Jeff Rife
On 10 Aug 2004 at 9:04, Graham Dunn wrote:

> > There is no reason a backup MX server can't know if an address is valid 
> > or not.
> 
> How about "scaling"? I'm pretty sure my ISP will run (screaming, no
> doubt), from a scenario in which they rely on their customers to keep
> their list of valid addresses current.

If your ISP allows you to have mail servers behind theirs and they are 
the "front line MX" and forward everything to you, then your ISP is 
really odd.

If, on the other hand, you just use your ISP as backup MX, *and* they 
don't run MIMEDefang, etc., then you lose a lot of the benefits of 
running MIMEDefang.

The solution my small (less than 300 employees) company chose was to 
put another Linux server *that we control* somewhere else.  We can do 
this because we have a couple of different ISPs for our different 
physical locations.

> How about "MS Exchange"? :]

How about it?  There are lots of ways you can automatically generate 
all valid e-mail addresses from an Exchange server, and get those to a 
Linux box in a way that MIMEDefang can use to verify.

We, instead, chose to educate our president and officers about the 
actual costs of Exchange, and it left the building quite 
unceremoniously.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/AngryTVGod.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-11 Thread Jeff Rife
On 10 Aug 2004 at 14:29, Ben Kamen wrote:

> >>If your ISP allows you to have mail servers behind theirs and they are 
> >>the "front line MX" and forward everything to you, then your ISP is 
> >>really odd.
> > 
> > 
> > This is not odd at all. 
> 
> I concur.
> 
> This is not odd at all and is actually the goal of people like MSN.com. To their 
> mail server, your mail server could be an MTA, MSA or MUA. They don't care... 
> they'll take anything.

I don't think this is true about MSN.com.  Yes, you could have your MSN 
account forward to your "real" account, or you could use something like 
fetchmail to retrieve your MSN mail and drop it into your local 
sendmail queue and then do whatever you want.

But, the MSN.com mailserver doesn't accept all mail for "mydomain.com" 
and then pass it on to a lower-numbered MX for "mydomain.com".  This is 
because MSN isn't a "real" ISP...they only provide service to 
individuals, and *only* provide one domain.

Now, for *real* ISPs (like, say Comcast, who provide both connectivity 
*and* service), most also will not be the MX for *your* domain, unless 
you set up the domain with them and tell them what e-mail addresses 
should be accepted for delivery.  Even so, most still won't then pass 
that on to your server...they assume you are an individual or a group 
of individuals who don't know how to set up a server...that's why they 
offer the service.

Basically, there are 2 ways to deal with domain e-mail:
  1. receive it yourself on a server you control
  2. contract out the receiving in some way

The companies that offer #2 also offer ways for you to retrieve the e-
mail with your MUA software, so they don't *want* to deal with passing 
it on to an MTA.

> Now for business accounts, that's another story.

And, most ISP accounts that involve domains that aren't the ISP's domain 
fall under this heading.

So, again, I think it's pretty odd for an ISP to be *the* MX for your 
domain but then just pass it along to your server.


--
Jeff Rife| "I once did a news report on the dangers of 
SPAM bait:   |  plastic surgery, and do you know what the 
[EMAIL PROTECTED] |  statistics say?" 
[EMAIL PROTECTED] | "Yes...that 9 out of 10 men prefer women 
 |  with big boobs." 
 | "And the 10th guy preferred the 9 other men." 
 | -- "Just Shoot Me" 




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-11 Thread Jeff Rife
On 11 Aug 2004 at 10:38, Cor Bosman wrote:

> > The companies that offer #2 also offer ways for you to retrieve the e-
> > mail with your MUA software, so they don't *want* to deal with passing 
> > it on to an MTA.
> 
> This is not true. I'm not sure how many 'most' ISPs you are talking
> about, but I know quite a few ISPs that accept all email for a
> domain and forward to a customer.  This is most prevalent in
> dialup/isdn situations where you basically 'store and forward' all
> email for customers that are mostly offline.  When they come online
> that triggers a queuerun towards the customer.

In many cases, this is handled not by server-to-server, but by a client 
contacting the ISP server and retrieving the e-mail and then sorting it 
out in whatever way.

In any case, this is in reality no different from a client calling up 
and getting the mail from a server.  Because the ISP is the only MX, it 
should know about all the deliverable addresses, simply to avoid 
dictionary e-mailings to these "offline" domains.

> You perhaps confuse ISP with US ISP?

I think I confuse ISP with "quality ISP".

> > So, again, I think it's pretty odd for an ISP to be *the* MX for your 
> > domain but then just pass it along to your server.
> 
> And again, you are wrong :)

Not for "real" domains.  If the ISP is the *only* MX and you retrieve 
your e-mail as if you are a client (not an MTA), then it is the 
responsibility of the MX machine to know what is and is not 
deliverable.

Again, this completely solves the issue of forged return address bounce 
e-mails.


--
Jeff Rife| "In those days Mars was a dreary uninhabitable 
SPAM bait:   |  wasteland much like Utah, but unlike Utah, Mars 
[EMAIL PROTECTED] |  was eventually made livable." 
[EMAIL PROTECTED] | -- Professor Farnsworth, "Futurama" 




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-12 Thread Jeff Rife
On 12 Aug 2004 at 10:20, Cor Bosman wrote:

> > In any case, this is in reality no different from a client calling up 
> > and getting the mail from a server.  Because the ISP is the only MX, it 
> > should know about all the deliverable addresses, simply to avoid 
> > dictionary e-mailings to these "offline" domains.
> 
> In theory this sounds fine; in practice this is unrealistic.
> I'm assuming you don't run an ISP?

The company I work for provides Internet services to clients.  If you 
want to use your own mail server, you can, and e-mail goes directly to 
you through our link to the Internet (in other words, we provide 
connectivity only).  If not, our server is MX and you give us the list 
of valid e-mail addresses and retrieve via POP (no IMAP because we 
don't want to be storing all their e-mail).  You can have a server of 
your own to distribute e-mail, but you must get it off our server using 
"client" tools (like fetchmail or any MUA).

The result is close to zero bogus e-mails hitting the postmaster 
account(s).

> > I think I confuse ISP with "quality ISP".
> 
> There is no need to be abusive to try and make your point. It makes your
> point seem less valid.

I'm not being abusive.  More and more ISPs are heading towards things 
that reduce network abuse.  One thing that does is having the full list 
of legal addresses on the answering MX.  This is obviously more work 
for them in some ways, but the work it saves is worth the trouble to 
them and it has the nice side effect of reducing work for *other* 
Internet users.  That's being "quality" or "responsible" in my book.

> And what do you think the command ETRN is for?

It's an optional part of SMTP that doesn't have to be supported, and 
does have some security issues.

> One could give these
> hosts a lower MX, but on the other hand, if they're almost never
> online you'd have to wonder if that's a good thing. 

If they are almost never online, they are "clients", not servers, so 
they need to be treated as such.  Harsh, I know, but treating them as 
clients in other ways (forcing them to use your server through the MSP 
port instead of the MTA port, for example) goes a long way to 
combatting network abuse.

> This discussion started with implementing SPF, and
> for an ISP implementing SPF has a lot of problems. Not unsolvable,
> but it won't be pretty. 

On that, we agree.  The biggest issue I see is the return-on-investment 
for making sure that everything is correct.  In some cases, many just 
won't do things 100% because the "goal" (spam-reduction) doesn't seem 
to be something that SPF really will do.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/OverTheHedge/HDTV.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-12 Thread Jeff Rife
On 12 Aug 2004 at 10:14, Kelson Vibber wrote:

> 1. Spammer targets the backup MX (us), assuming it's less protected.
> 2. We queue, reject, or discard the message.
> 3. Mail ends up at customer's primary mail server, which rejects *on 
> different criteria*.
> 4. Customer's server issues an SMTP reject to our server.
> 
> At this point, we technically *should* generate a bounce.  The
> address we sent it on to was valid, but the message could not be
> delivered.

I admit that I used shorthand to describe the process of making sure 
that the MX has the list of valid addresses.

I should expand on that to say that if the MX accepts it, then it is 
deliverable.

My solution to this would be if I had to use different rejection 
criteria from the MX that gets the mail first, I would not bounce the 
message, but instead just eat it.  That's not the best thing to do, but 
my contract with the Internet is that once an MX that answers for me 
accepts the mail, the Internet doesn't need to be bothered any more.

>  On the other hand, if we
> *did* have that information, we could have blocked the mail without
> even queueing it up for the primary MX.
> 
> Now if you run all your MXes yourself, you can make sure they all use the 
> same criteria and only reject mail at the border.  But that's a bit more 
> difficult when one is in-house and the other belongs to your ISP

We solve this merely by having a point of presence with enough ISPs (we 
have divisions or even just workers like me who use a different ISP) to 
allow us to run multiple MXs each with different connections to the 
backbone.

> And then there's the scenario in which the forged message makes it
> through to a valid address, someone reads it and fires off a
> complaint to the person they think sent it... 

That's something that only user education will fix, so I'm not counting 
on seeing it happen anytime soon. :)


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/LostNetworkPassword.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




RE: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-12 Thread Jeff Rife
On 12 Aug 2004 at 12:33, Kelson Vibber wrote:

> - Some of those criteria (such as spam filters) are hard to keep in sync 
> across multiple implementations.

Spam isn't really a big deal in the bounce area.

For us, once it hits analysis (SpamAssassin through MIMEDefang), we 
never send anything back to the sending server.  DNSBL, forged HELO and 
viruses get REJECTed (no bounce e-mail), but SPAM is silently dropped 
(for high scores) or sent on to the user.  I just don't feel that any 
spammer deals with bad addresses well enough to make rejection 
worthwhile, nor is there a reason to tell somebody that they sent me spam, 
since the scores we use make it obvious that they already know.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/UserFriendly/GeekCommunication.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-13 Thread Jeff Rife
On 13 Aug 2004 at 8:41, Steffen Kaiser wrote:

> > It's an optional part of SMTP that doesn't have to be supported, and
> > does have some security issues.
> 
> Which ones?
> It simply triggers a queue run filtering mail for a target server.

Depending on the ability of your sendmail installation to determine 
spoofed connections, it *can* result in a DoS type of behavior.

Based on the "MinQueueAge" and "Timeout.hoststatus" in sendmail.cf, 
it's possible to use a spoofing system to keep e-mail from getting to 
the right place in a timely fashion.  Basically, you spoof to start the 
queue run and the server tries to send to the unconnected system.  This 
generates a "touch" of the queue and a refresh of the host status 
directory (to failure).

When the *real* place connects up to the Internet and calls to execute 
the ETRN, nothing gets sent because things had been tried sooner than 
the timeouts.  The system hangs up off the Internet assuming that there 
is no mail.  This could in theory go on long enough to result in a "non-
deliverable" e-mail.


--
Jeff Rife| "You keep using that word.  I do not think it 
SPAM bait:   |  means what you think it means." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Inigo Montoya, "The Princess Bride" 




Re: [Mimedefang] /usr/local/bin/mimedefang: smfi_register failed

2004-08-17 Thread Jeff Rife
On 17 Aug 2004 at 6:43, Gilad Galad wrote:

> I have a previous installation of sendmail which is part of the eoe.sw.base 
> IRIX subsystem.

That's your problem.

I suspect that sendmail was not compiled with the same 
options/libraries/etc. as the ones you used to build the libs that 
MIMEDefang uses.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/DoomedProject.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




RE: [Mimedefang] sender: <>

2004-08-17 Thread Jeff Rife
On 17 Aug 2004 at 8:39, [EMAIL PROTECTED] wrote:

> Strangely enough, this also touches on the original question of
> "what do I do if an MX resolves to 127.0.0.1" - the following
> paragraph is a quote from the above URL: 
> 
> If any of the valid MX servers for a domain have private, reserved,
> or otherwise bogus IP addresses, then the domain would be listed [in
> dsn.rfc-ignorant.org]. (E.g., given an address of <[EMAIL PROTECTED]>,
> if the MX for example.tld is mail.example.tld, and the A record
> listed in DNS for mail.example.tld is 127.0.0.1, then example.tld
> would be listed.) 

The MIMEDefang-centric way I deal with this is to just increase the 
scores on the RFC-Ignorant SpamAssassin tests.  Then, if the score is 
too high, I reject.

This allows me to let somebody else do most of the hard work.


--
Jeff Rife| "...the flames began at a prophylactic recycling 
SPAM bait:   |  plant, near the edge of the forest..." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- "WarGames" 




Re: [Mimedefang] sendmail spf milter plugin for sendmail 8.13.0

2004-08-17 Thread Jeff Rife
On 17 Aug 2004 at 18:24, Lucas Albers wrote:

> http://www.sendmail.net/dk-milter/
> "
> As part of our broad-reaching effort to spur the testing and eventual
> broad adoption of sender-based email authentication to address fraud and
> spam in email, Sendmail, Inc. is releasing an open source implementation
> of the DomainKeys by Yahoo! specification for testing on the Internet.
> "

Oh, yuck.  Sorry for the long rant, but...

Basically, the description memo says it takes the actual domain in the 
"From:" header, looks up a public key from the DNS server for that 
domain, and then uses that public key along with the signature in the 
"DomainKey-Signature:" header to see if the message is OK.  Anybody see 
the problem with this?

If the receiving server doesn't reject, but instead bounces, the bounce 
goes to the *envelope sender* (per the RFC).  Thus, if a bad guy 
doesn't like a domain, they just have to put a bogus envelope sender 
from that domain, a bad "DomainKey-Signature:" header/"From:" header 
combo, and then send the e-mail to someplace that checks DomainKeys but 
bounces instead of rejecting.

Second, if a server gets an e-mail with a "From:" address of 
"[EMAIL PROTECTED]" and example.tld says (in DNS) "our e-mail must 
be signed", do you reject?  The problem this creates is the same one 
that SPF creates...road warriors must send all e-mail through their 
"home server".  There are a lot of big ISPs that *never* want to make 
this sort of functionality available.

Next, let's talk about mailing lists.  All messages in this list seem 
to have a "From:" header that isn't a roaringpenguin.com address.  Now, 
if there were already a "DomainKey-Signature:" header, the rp.com 
server shouldn't add one or modify the existing one because they can't 
sign for "example.tld".  But, the nice footer at the bottom of the e-
mail can't be added, since that would screw up the signature.  And, so 
would "Received:" headers (or *any* tampering with the headers) since 
"the default signature is an RSA signed SHA1 digest of the email 
headers and content".  This *requires* that my signing MTA talk 
directly to the final endpoint "checking" MTA.

Their description of the workaround for "Received:" headers basically 
means that you either trust that somebody else did the check correctly 
or that you must jump through some hoops to do the check yourself.  
There's also the issue of making it impossible for a mail server to 
translate 7-bit to 8-bit or vice versa.

Their "solution" (that won't work at all) for e-mail lists: "A final 
possibility is that MLMs may not need to participate in DomainKeys as 
recipients have other means of sufficiently recognizing legitimate MLM 
traffic, such as List-ID: headers".  Well, gee, even if they don't 
"participate", if the e-mail comes from a "participant", and ends up at 
a "participant", end users may never get a say in whether to reject the 
e-mail or not.

Last (and this is really the one I hate), they also have hooks for a CA 
system that means you would now have to pay money each year to have 
your e-mail "certified".  Sure, it wouldn't start out that way, but 
*some* large site would start refusing e-mail unless the public key had 
a CA-cert chain to somebody *they* trust.


--
Jeff Rife| "Because he was human; because he had goodness; 
SPAM bait:   |  because he was moral they called him insane. 
[EMAIL PROTECTED] |  Delusions of grandeur; visions of splendor; 
[EMAIL PROTECTED] |  A manic-depressive, he walks in the rain." 
 | -- Rush, "Cinderella Man" 




RE: [Mimedefang] sendmail spf milter plugin for sendmail 8.13.0

2004-08-19 Thread Jeff Rife
On 18 Aug 2004 at 12:05, [EMAIL PROTECTED] wrote:

> >This *requires* that my signing MTA talk
> > directly to the final endpoint "checking" MTA.
> 
> To the "checking" MTA, sure - not necessarily the final endpoint.  If you
> have a pass-through MTA running MimeDefang in front of your Exchange server,
> just make sure to do the checking on the MimeDefang server.

I was thinking more of multiple MXs, or any other sort of thing that 
forwards e-mail in some way.

>  Once
> your DomainKey checking is complete, you can add/change/delete any
> headers you like.  Maybe add a X-DomainKey-Result: Pass, for example.

If there is already a header, you either decide to ignore it and check 
again, or hope that the other guy didn't add anything *after* checking.

> > Their description of the workaround for "Received:" headers basically
> > means that you either trust that somebody else did the check correctly
> > or that you must jump through some hoops to do the check yourself.
> > There's also the issue of making it impossible for a mail server to
> > translate 7-bit to 8-bit or vice versa.
> 
> Translate at will - after you do the check.

Nope, because then the next guy that gets it can't just drop the 
headers you were supposed to add that don't impact the signature and 
get the same result.

> >  Well, gee, even if they don't
> > "participate", if the e-mail comes from a "participant", and ends up at
> > a "participant", end users may never get a say in whether to reject the
> > e-mail or not.
> 
> Or just check on the Sender: header rather than the From:...

You can't do that because nobody else is, plus the signature comes from 
the "From:" domain...it almost certainly won't match.

> Ehhh... DomainKeys can be trivially saved from this trivial defeat.
> Just have the sending MTA create separate envelopes for each recipient.
> Then add an X-Envelope-To: header.  Finally have the MTA sign each envelope
> independently before delivery.

If the DomainKeys system signed envelopes in the first place, we 
wouldn't be having a lot of this discussion.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/StupidCoWorkers.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




RE: [Mimedefang] sendmail spf milter plugin for sendmail 8.13.0

2004-08-19 Thread Jeff Rife
On 18 Aug 2004 at 13:20, [EMAIL PROTECTED] wrote:

> > This then breaks forwarding, one of the advantages of DomainKeys over
> > SPF.
> 
> How so?  Email forwarding works, so long as the forwarding agent (say,
> forwarder.example.com) signs the forwarded email with their DomainKey.

You haven't read the spec enough.  To do this, the forwarder would have 
to change the "From:" header.  Although this is benign, this is a type 
of forgery of the "From:" header, and forgery of the "From:" header is 
what DomainKeys is supposed to stop.


--
Jeff Rife| "Damn it, I miss the sound of her voice.  I tried 
SPAM bait:   |  putting silverware down the disposal, but it 
[EMAIL PROTECTED] |  wasn't the same." 
[EMAIL PROTECTED] |  
 | -- Ned Dorsey, "Ned and Stacey" 




Re: [Mimedefang] DomainKeys

2004-08-19 Thread Jeff Rife
On 19 Aug 2004 at 14:14, SM wrote:

> The DomainKeys draft does not address this question yet.  The
> mailing list MTA could  use the List-Id header to sign the message
> and the recipient's mail server would verify on that header instead
> of the From: header. 

So this would be quite a few headers that need to be checked by the 
receiving MTA, and some fairly serious thought about what to do if more 
than one kind of header shows up.

> >Their "solution" (that won't work at all) for e-mail lists: "A final
> >possibility is that MLMs may not need to participate in DomainKeys as
> >recipients have other means of sufficiently recognizing legitimate MLM
> >traffic, such as List-ID: headers".  Well, gee, even if they don't
> >"participate", if the e-mail comes from a "participant", and ends up at
> >a "participant", end users may never get a say in whether to reject the
> >e-mail or not.
> 
> I don't follow what you are getting at here.

Basically, by not "participating" in DomainKeys, a mailing list must 
either remove all DomainKeys-related data or not touch the message in 
any way that makes the signature check fail.

The first just isn't an option, since (let's use this list as an 
example) my domain nabs.net might say "please reject unsigned e-mail" 
in the DNS.  Then, the roaringpenguin.com server would strip all the 
DomainKeys info, and *your* server would honor my DNS request and 
reject the e-mail.  This is not acceptable.

The second solution means that the nice footer at the end of this e-
mail must not be added, *and* no headers can be added, because that 
breaks the signature.

In particular, if I was checking DomainKeys, the e-mail I am responding 
to (that you sent) would probably be rejected if you didn't have 
"testing" mode set.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/ShermansLagoon/FrozenLemmings.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  
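The two problems discussed above (a list footer invalidating the sender's signature, and SM's suggestion that the list re-sign and have recipients verify on List-Id instead of From:) can be modelled in a few lines. The following is an added illustration, not DomainKeys or MIMEDefang code: it stands in for the RSA signature with an HMAC keyed per domain so that it runs offline, and the "simple" canonicalization (CRLF line endings, trailing empty body lines dropped) is an assumption made for the example. The domains and keys are constructed.

```perl
#!/usr/bin/perl
# Added illustration: why a mailing-list footer breaks a body-covering
# signature, and how a re-signing list lets the recipient verify again.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Stand-in for the public keys a verifier would fetch from DNS.  Real
# DomainKeys uses RSA; an HMAC with a per-domain secret is used here only
# so the example is self-contained.  Both keys are constructed.
my %domain_key = (
    'nabs.net'           => 'constructed-key-for-nabs.net',
    'roaringpenguin.com' => 'constructed-key-for-roaringpenguin.com',
);

# Assumed "simple" canonicalization: CRLF line endings, and any run of
# trailing empty lines at the end of the body collapsed to one CRLF.
sub canonicalize {
    my ($headers, $body) = @_;
    $body =~ s/\r?\n/\r\n/g;
    $body =~ s/(?:\r\n)+\z/\r\n/;
    return join('', map { "$_\r\n" } @$headers) . "\r\n" . $body;
}

sub sign_message {
    my ($domain, $headers, $body) = @_;
    return hmac_sha256_hex(canonicalize($headers, $body), $domain_key{$domain});
}

# 1 when $sig was produced by $domain's key over exactly this content, else 0.
sub verify_message {
    my ($domain, $headers, $body, $sig) = @_;
    return 0 unless exists $domain_key{$domain};
    return sign_message($domain, $headers, $body) eq $sig ? 1 : 0;
}

# Domain part of the address in a header such as "From: user@example.org".
sub header_domain {
    my ($headers, $name) = @_;
    for my $h (@$headers) {
        return $1 if $h =~ /^\Q$name\E:.*\@([\w.-]+)/i;
    }
    return undef;
}

# Constructed sample message, signed by the sending domain.
my @headers = (
    'From: jeff@nabs.net',
    'To: mimedefang@lists.roaringpenguin.com',
    'Subject: Re: DomainKeys',
);
my $body = "Original text of the message.\n\n";
my $sig  = sign_message('nabs.net', \@headers, $body);
my $from_domain = header_domain(\@headers, 'From');

# 1. Untouched message verifies against the From: domain.
printf "untouched message verifies:  %d\n",
    verify_message($from_domain, \@headers, $body, $sig);

# 2. Extra trailing blank lines are absorbed by the canonicalization.
printf "extra trailing blank lines:  %d\n",
    verify_message($from_domain, \@headers, $body . "\n\n\n", $sig);

# 3. The list appends its footer; the sender's signature no longer verifies.
my $footer = "___\nVisit http://www.mimedefang.org and http://www.canit.ca\n";
my $relayed_body = $body . $footer;
printf "message with list footer:    %d\n",
    verify_message($from_domain, \@headers, $relayed_body, $sig);

# 4. The list re-signs the modified message under its own domain; the
#    recipient verifies against the List-Id domain rather than From:.
my @relayed_headers = (@headers,
    'List-Id: MIMEDefang <mimedefang.lists.roaringpenguin.com>');
my $list_sig = sign_message('roaringpenguin.com', \@relayed_headers, $relayed_body);
printf "footer + list re-signature:  %d\n",
    verify_message('roaringpenguin.com', \@relayed_headers, $relayed_body, $list_sig);
```

Run it with perl; steps 1, 2 and 4 print 1 and step 3 prints 0. The useful observation is in step 4: once the list re-signs, the recipient's policy decision has moved from "do I trust nabs.net" to "do I trust roaringpenguin.com", which is exactly the extra header-selection logic the post above says a receiving MTA would need.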




Re: [Mimedefang] sendmail spf milter plugin for sendmail 8.13.0

2004-08-19 Thread Jeff Rife
On 19 Aug 2004 at 23:20, Jose Marcio Martins da Cruz wrote:

> The only thing DomainKeys is to tell : "OK ! This is a message sent by
> my domain".

No, it doesn't do that.

The only thing DomainKeys does is say "this message has some random 
user-generated text (the From: header) with my domain name".  It may 
have come from *anywhere*, as David outlined:

1. Send yourself a message from Yahoo to someplace else so you get a 
   message signed with DomainKeys.
2. Feed the resulting received e-mail with *no* changes that alter the
   signature into the SMTP pipeline (which sends based on envelope
   recipient)...forge the envelope sender, of course.  You can use
   almost any very simple script to do this.
3. Watch as Yahoo gets berated because "this junk came from you...I
   verified it with the tool you designed!"


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/ShermansLagoon/OtherWhiteMeat.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] sendmail spf milter plugin for sendmail 8.13.0

2004-08-20 Thread Jeff Rife
s?

Also, if I get to the point where I have decided I can't trust the 
message, do I really want a user to have *any* chance of seeing it?  Go 
ask Citibank, or Chase, or Bank of America, or eBay and see what answer 
you get.

If a receiving site doesn't reject on DomainKeys signature verification 
failures, then DomainKeys helps improve trust by so little that it is 
useless.  Likewise, if there is a reason the designers of DomainKeys 
think I shouldn't let an e-mail with a verified DomainKeys signature 
through, then even *they* don't believe in its effectiveness, so why 
should I?

> The server will sign it only if it was sent from trusted machines.
> If a spammer can be able to get a signed spam from some other domain,
> this meant that it succeeded to penetrate on that domain. So the
> problem isn't DomainKey but the security of that domain. 

No, any domain that signs outgoing mail with DomainKeys *and* gives 
away free e-mail addresses allows you to get a signed e-mail from that 
domain, and it can contain anything you want.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/TechSupport.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] [PATCH] MIME-tools-6.200_02

2004-08-21 Thread Jeff Rife
On 21 Aug 2004 at 23:20, Les Mikesell wrote:

> The real trick would be to also package clamav and make them
> work together when both are installed (i.e. make clamd run
> as the defang user) -- and provide the new sendmail.cf to
> activate it.  It would be great to have the whole mess
> automatically stay up to date with the apt-get or yum
> tools without worrying about breaking the integration.

Well, once you configure ClamAV, you can use yum to keep it up to date 
and it doesn't break anything, so it really can be separate, as it 
already is.

I added the following to my yum.conf to be able to get (and keep 
updated) the Fedora-ready versions of ClamAV:


## Crash-Hat  ##

[crash-hat]
name=CrashHat (Fedora Core $releasever - $basearch)
baseurl=http://crash.fce.vutbr.cz/crash-hat/$releasever/
gpgcheck=1


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/OverTheHedge/VelveetaAndRotel.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] New spam kills mimedefang/spamassassin with newlines

2004-08-22 Thread Jeff Rife
On 22 Aug 2004 at 8:54, Martin Blapp wrote:

> I wonder if there is a way to circumvent this in mimedefang,
> or should it be done in spamassassin ?

I'd call it a SpamAssassin bug.  I don't think any of the multi-line 
rules rely on newlines remaining exactly the same.  One newline is 
generally considered equal to any number of consecutive ones.

SA should crush the input by stripping every blank line after the first 
two in a group (in other words, if it finds more than 3 consecutive 
newlines, it should delete newlines 4 to N).  This would solve the 
problem, and shouldn't change any rule hits.


--
Jeff Rife|  
SPAM bait:   | "He chose...poorly." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Grail Knight, "Indiana Jones and the Last 
Crusade" 




Re: [Mimedefang] greylisting and pop-before-smtp don't play together

2004-08-31 Thread Jeff Rife
On 31 Aug 2004 at 16:31, James Miller wrote:

> The problem is the greylisting function doesn't know about and/or doesn't
> exempt the newly authenticated imap clients and when they try to send a
> message they get the '4.3.0 message to try again in 1min'.

As other messages have pointed out, POP-before-SMTP is not the best way 
to do things.

But, you can solve the problem by requiring that your users submit mail 
not to port 25 but to the submission port (587).  Then, you can exempt 
anything that comes into that port from greylist, since you know it has 
passed your authentication test.

This is the right way to do things no matter what authentication system 
(POP-before-SMTP, SMTP AUTH, etc.) you use.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Peanuts/TenPin.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] 2 different scores spam getting through

2004-09-02 Thread Jeff Rife
On 2 Sep 2004 at 9:42, Ray Goniea wrote:

> We use a site wide procmail file to deliver spam marked email to a
> local folder on the server. 

I suspect this is your problem, because MIMEDefang is being run on the 
e-mail as it comes in and after procmail forwards it.

> After looking at the header of an email it essentially shows 2
> scores, like it is being scanned twice using different rulesets.

This was exactly what I experienced because all my e-mail gets 
forwarded, and I was scanning twice because the latest sendmails use 
SMTP to do their forwarding.  See the archives about how to avoid 
scanning mail that originates on the server.

It's something like the following in filter_sender (filter_relay is 
similar):

sub filter_sender
  {
  my ($sender, $ip, $hostname, $helo) = @_;

  # Mail that procmail (or anything else on this box) re-submits over
  # SMTP arrives from the loopback address; it was already scanned on
  # the way in, so don't scan it a second time.
  if ($ip eq "127.0.0.1")
    {
    return ('ACCEPT_AND_NO_MORE_FILTERING', "OK");
    }

  return ('CONTINUE', "ok");
  }


--
Jeff Rife| "What's goin' on down here?" 
SPAM bait:   | "Oh, we're playing house." 
[EMAIL PROTECTED] | "But, that boy is all tied up." 
[EMAIL PROTECTED] | "...Roman Polanski's house." 
 | -- Lois and Stewie Griffin, "Family Guy" 




Re: [Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

2004-09-03 Thread Jeff Rife
On 3 Sep 2004 at 9:05, Kelson wrote:

>   If it does 
> match, you can move on to accreditation (such as "SPF has verified that 
> this came from knownspammer.biz, therefore I can safely reject it" or 
> "SPF has verified that this came from mybusinesspartner.tld, therefore I 
> can accept it with less filtering."

The second part, I can see.  The first isn't possible due to the fact 
that domains cost basically nothing to buy.  A bad guy can have 50 
domains waiting in the wings, and send SPF-accurate SPAM from each one 
until they start getting caught by rules like you say.  Then, they move 
on to the next domain.  Multiply that by thousands of bad guys, and 
life sucks.

On the other hand, although your second filter is accurate, it's not 
necessary.  All legitimate e-mail gets through right now, and 
auto-whitelisting with SpamAssassin gives me the same thing that SPF is 
supposed to: large "non-SPAM" scores for e-mail that comes from people 
I regularly do business with.

BTW, I *have* had e-mail rejected because my SPF record wasn't 100% 
correct (I forgot an alternate name for a listserver).


--
Jeff Rife| "Grab a shovel...I'm only one skull 
SPAM bait:   |  short of a Mouseketeer reunion." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Bender, "Futurama" 




Re: [Mimedefang] Suspicious Chars

2004-09-03 Thread Jeff Rife
On 3 Sep 2004 at 8:19, Chris Masters wrote:

> We have genuine mail generated by buggy client or sent
> through buggy servers that needs to be quarantined
> rather than dropped but would like to filter out
> obvious spam (by far the majority as you would
> expect) from this lot prior to quarantining.

In over 219,000 messages, I have only 15 that got dropped due to the 
"suspicious characters" check, so I don't think that you really need to 
do other checks before quarantining...you won't have that many to look 
through.


--
Jeff Rife| "I have a question that could affect our entire 
SPAM bait:   |  relationship...did you kill Coach Mattay?" 
[EMAIL PROTECTED] | "No!" 
[EMAIL PROTECTED] | "But, you did dress him up like a woman...?" 
 | "Yeah." 
 | "Just checking." 
 | -- Alex Lambert and Brian Hackett, "Wings" 




Re: [Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

2004-09-04 Thread Jeff Rife
On 3 Sep 2004 at 10:42, Kelson wrote:

> Check out www.surbl.org.  They're actually quite effective at catching 
> spam based on domain names - in this case of the websites being 
> spamvertized - despite the turnover potential.

Correct, but SPF alone can't do anything about domains like this.  

If you use some other check (like SURBL), then you don't need SPF at 
all, because all the current SPAM tests know how to hunt out forgeries.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Zits/Merging.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Suspicious Chars

2004-09-04 Thread Jeff Rife
On 4 Sep 2004 at 1:07, Chris Masters wrote:

> Just checked last hour and I got 11 in 7000 had
> suspicious chars. It's not the number of checks that's
> a problem - it's whether the MIME parsing
> functionality of MIMEDefang could be vulnerable like
> certain email clients.

I don't see how MIMEDefang could be vulnerable.  All it would do with 
malformed MIME is to not have a 100% accurate scan, since it never 
tries to open the attached files (at least not by default).

This could obviously leave you vulnerable if your mail client has a 
problem that MIMEDefang doesn't catch, but that's already the case for 
well-formed MIME of a new attack type.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/RhymesWithOrange/CatBed.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] counting emails flagged as spam

2004-09-06 Thread Jeff Rife
On 6 Sep 2004 at 12:37, Mike Campbell wrote:

> Anyone have a good way to keep a running count of how many email 
> messages have been flagged as spam by spamassassin?

I just add a line like this:

md_graphdefang_log('spam', $hits, $RelayAddr);

Then, you can use various tools that process the sendmail log to do 
whatever you want.

For "high value" SPAM that I don't pass to the final recipient, the log 
line looks like:

md_graphdefang_log('SPAM', $hits, $RelayAddr);

This allows me to do a case-insensitive log search for all SPAM, or a 
case-sensitive one for delivered/dropped.


--
Jeff Rife|  
SPAM bait:   | "Resistance...is *futile*" 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Data, "Star Trek: First Contact" 




Re: [Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

2004-09-07 Thread Jeff Rife
On 7 Sep 2004 at 9:21, Kelson wrote:

> My point was not to compare SURBL to SPF, but to use SURBL as an
> example of how quickly anti-spam solutions can react to spammers
> setting up throwaway domains.

They aren't quick enough.  "Throwaway domain" now means "lifetime of 
several hours".  That's too quick for anything really accurate to keep 
up with.

>If SPF (or something similar) can
> tell you that the message definitely came from XYZ, and you have a
> list of spammers' domains that includes XYZ, bang, you know it's
> spam and you can kick it out before they finish sending the headers.

Again, knowing that "bad-domain.com" is bad really doesn't help you if 
there is *never* another message from that domain.  You never get to 
check against SPF records.

> You know, doing with domain names what we've been doing with IP
> addresses for years. 

One of the reasons that IP addresses work for these checks is that 
somebody other than the spammer controls them.  Anybody can just 
register a new domain, but to get connectivity, you must have an IP 
address, and that's limited by the providers you can use.

> As for current spam tests being able to detect forgeries, the only
> ones I know of focus on a few big names.  Do you know of any "current
> spam test" that can detect forged mail claiming to be from
> speed.net? 

SpamAssassin has tests for bad Message-IDs, Message-IDs added by a 
relay, "Received" headers that don't look kosher, MUA identifiers that 
aren't right, etc.  They don't catch everything, but they often add 
enough score to push things into the "just discard it" category.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/LostPassword.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Catching the porn spams

2004-09-07 Thread Jeff Rife
On 7 Sep 2004 at 17:04, Jim McCullars wrote:

>How are other people blocking this stuff?  Even the SARE rulesets
> are not catching it. 

Try the SpamCop URI SpamAssassin ruleset.  It catches URLs in the body 
that match sites that are advertised through SPAM.

This is all the extra rules I use, and I don't get much porn SPAM at 
all:

70_sare_genlsubj0.cf
70_sare_oem.cf
70_sare_ratware.cf
70_sare_specific.cf
72_sare_bml_post25x.cf
99_sare_fraud_post25x.cf
bogus-virus-warnings.cf
sober_g.cf
spamcop_uri.cf
tripwire.cf

Use RulesDuJour (and the nice front end "My RulesDuJour") to keep all 
these updated in a timely manner.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/MoneyNotDogs.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

2004-09-07 Thread Jeff Rife
On 7 Sep 2004 at 15:06, Kelson wrote:

>  > They aren't quick enough.  "Throwaway domain" now means "lifetime of
>  > several hours".
> 
> My logs say otherwise: 88% of messages that SpamAssassin labeled this 
> week have included SURBL hits.
> 
> At least for websites, they seem to be fast enough.

Today they aren't *too* bad, but most of what you are seeing are *very* 
"old" domains that just keep up the SPAM attack.  In the future, 
though, it'll get worse as more and more servers think a good SPF 
record but no listing on a blacklist means "OK".  As that happens, 
expect even faster turnaround on domain names.

> Meanwhile, spammers have to buy multiple domain names every day.  I 
> wonder how much overhead that adds?

Less than $5 per domain, I suspect.  That's easily paid for by just 
*one* extra taker on the SPAM.  And, if it's some sort of fraud 
(Nigerian scams, etc.), then one extra taker is worth *hundreds* of 
domains.

> > SpamAssassin has tests for bad Message-IDs, Message-IDs added by a 
> > relay, "Received" headers that don't look kosher, MUA identifiers that 
> > aren't right, etc.  They don't catch everything, but they often add 
> > enough score to push things into the "just discard it" category.
> 
> How does that help if the message-IDs, MUA IDs, etc. all look valid?

The point is that they *don't* because they *aren't*.  You can do what 
you want to fake "Received" headers, but my server knows who you really 
are, and adds enough info to allow SpamAssassin to figure out that the 
trail is fake.  Same with Message-IDs when SA can figure out the MTAs 
being used.


--
Jeff Rife| "Only one human captain has ever survived battle 
SPAM bait:   |  with a Minbari fleet...he is behind me...you are 
[EMAIL PROTECTED] |  in front of me.  If you value your lives, 
[EMAIL PROTECTED] |  be somewhere else." 
 | -- Ambassador Delenn, 2260 




RE: [Mimedefang] Catching the porn spams

2004-09-08 Thread Jeff Rife
On 8 Sep 2004 at 15:27, David F. Skoll wrote:

> REQUEST:
> 
> Please send me more dirty words and phrases that I didn't think of.  All
> the MD list readers are an imaginative bunch; I'm sure you can improve
> on my efforts. :-)

There's a George Carlin video that pretty much has them all.

It's got the sequel to the "Seven Words" sketch where he says "it's 
increased a bit" and unrolls a 25-foot long, single-spaced list of 
words, and then reads them.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/LoveRanking.jpg 

[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

2004-09-08 Thread Jeff Rife
On 7 Sep 2004 at 17:38, Kelson wrote:

> Jeff Rife wrote:
> > In the future, 
> > though, it'll get worse as more and more servers think a good SPF 
> > record but no listing on a blacklist means "OK".  As that happens, 
> > expect even faster turnaround on domain names.
> 
> Please read the article I linked to, then address this point again.
> 
> Anyone who thinks "SPF Pass" is supposed to mean "Not Spam" hasn't been 
> paying attention.

I don't see what you mean.  I said that if the SPF matches but the 
domain isn't on a blacklist, then you have to do *exactly* the same 
content scanning you do now...SpamAssassin, etc.  So, why bother with 
SPF at all, since spammers will eventually *always* send from domains 
not on blacklists but with accurate SPF info?

> Suppose that you get a message claiming to be from speed.net.  Suppose 
> it's actually been sent using Outlook, or Eudora, or something that 
> imitates it well enough that all the headers are typical of "real" mail. 
> Now, how can you tell whether it's really from speed.net or not?

I don't really care, and most other people don't, either, if the 
content says "this is SPAM".

If it *isn't* SPAM, then SPF isn't really enough to give somebody 
confidence in saying "yes, this is authentic" or "no, it isn't", for 
several reasons:

- The envelope return address (and *everything* but the "From:"
  content) can be forged to be "@speed.net", and accurate SPF data used
  for the "From:" address.
- The "From:" address can be close enough to "@speed.net" to be used in
  phishing e-mail.
- Knowing if an e-mail is "From: [EMAIL PROTECTED]" doesn't help to
  determine if it SHOULD BE "From: [EMAIL PROTECTED]".

SPF doesn't do enough to give any real security...PGP (or similar) 
signatures are the only real way to do this.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/LostNetworkPassword.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] SURBL effectiveness and domain turnaround time

2004-09-08 Thread Jeff Rife
On 7 Sep 2004 at 20:15, David F. Skoll wrote:

> Well, there is an absolute lower limit on the useful lifetime of a
> domain.  A spammer probably can't throw a domain away in much less
> than 4-8 hours, because it takes that long to complete the spam run
> and for victims to go check their mail.  Although I check my mail
> practically continuously when I'm at work, many people only check
> their mail a few times a day.  If SURBL can react within 15-30
> minutes, it will still remain quite effective.

This is a good thought, but caching of DNS records defeats this.  I 
know that most BLs have low TTL in the records, but lower than about an 
hour would cause a lot of extra network traffic, especially on the "not 
found" responses.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/RhymesWithOrange/BigDogs.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Catching the porn spams

2004-09-08 Thread Jeff Rife
On 8 Sep 2004 at 22:05, Penelope Fudd wrote:

> Is there a way to say "deny email from all domains that are less
> than 12 hours old"? 

No, because a spammer could buy up 365 domains on Jan 1, then use one 
each day.


--
Jeff Rife| "I'll be back in five or six days." 
SPAM bait:   |  
[EMAIL PROTECTED] | "No, you'll be back in five or six pieces." 
[EMAIL PROTECTED] | -- "The Lost World" 




Re: [Mimedefang] SURBL effectiveness and domain turnaround time

2004-09-08 Thread Jeff Rife
On 8 Sep 2004 at 23:27, David F. Skoll wrote:

> sc.surbl.org seems to have a 15-minute TTL.  And the negative-response
> caching TTL is under your control.

I guess that was my point.  A short TTL does little for IPs/URLs that 
are in the BL.  It just makes sure that a removed entry gets propagated 
quickly...not usually an issue.  On the other hand, it would be logical 
for the "client" to put negative responses at no less than 1 hour 
before you query again, at least for "general" queries.  I'll have to 
see if I can set up my cache so that negative responses from specific 
domains/servers have a different TTL than "general" ones.

> DNS lookups are pretty cheap -- one UDP packet out and one UDP packet back
> in.

A couple of delays in response can just kill throughput on sendmail, 
though.

> sc.surbl.org has 13 name servers, just like the root name servers of
> the Internet.  You can imagine that if 13 name servers can handle all
> the root name server traffic, it's not so bad to have a low TTL. :-)

Since the root domains don't change much, they have a larger TTL, I 
suspect.  A quick check shows that it is a little more than 6 hours.  
Also, they really just pass off TTLs from the subdomains (i.e., 
whatever is in the SOA for roaringpenguin.com gets propagated to the 
.com root servers).

Unfortunately, though, some brain-dead implementations (*cough* 
Microsoft *cough*) "lock on" to one DNS server, so having more than one 
is useless.  Once a MS client asks what machine is authoritative for 
surbl.org, gets the "here's the list" answer, and picks one, it uses 
that one until the TTL expires, even if it can't contact it anymore.  
Unless surbl.org uses a load-sharing system that isn't evident to the 
client, MS clients wouldn't take advantage of multiple servers.


--
Jeff Rife| "This?  This is ice.  This is what happens to 
SPAM bait:   |  water when it gets too cold.  This?  This is 
[EMAIL PROTECTED] |  Kent.  This is what happens to people when 
[EMAIL PROTECTED] |  they get too sexually frustrated." 
 | -- Chris Knight, "Real Genius" 




Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Jeff Rife
On 9 Sep 2004 at 8:17, David F. Skoll wrote:

> On Thu, 9 Sep 2004, Jeff Rife wrote:
> 
> > No, because a spammer could buy up 365 domains on Jan 1, then use one
> > each day.
> 
> Darn!  You're too clever.  Not a spammer, are you? :-)

Every good cop knows the best ways to break the law, because it's 
easier to catch bad guys if you know how they think.

Mostly, though, it's the RPGer in me.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Dilbert/Win95CatOnMonitor.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] REALLY blocking the porn spam

2004-09-13 Thread Jeff Rife
On 12 Sep 2004 at 8:38, David F. Skoll wrote:

> Come on guys!  Simplistic word-blocking is passe.  (Of course, no-one
> with simplistic word blocking will be reading this message...)

Since we all use MIMEDefang, I don't see why anybody wouldn't run 
SpamAssassin as well (the integration is just too good), and 
auto-whitelisting makes it so that somebody would have to send about a 
6000-point SPAM to the list before it would get blocked by my system.


--
Jeff Rife| "...the flames began at a prophylactic recycling 
SPAM bait:   |  plant, near the edge of the forest..." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- "WarGames" 




Re: [Mimedefang] Conceptual Stage of setting up email gateway

2004-09-18 Thread Jeff Rife
On 18 Sep 2004 at 8:51, Peter A. Cole wrote:

> I tried Fedora once, went back to Sarge. Maybe I didn't give it
> enough time, but it's so easy to type apt-get install

On Fedora, it's "yum install packagename".  To keep my machine updated, 
I just do "yum check-update" in a nightly cron job, and then manually 
run "yum update" if anything shows up (I'm too paranoid to let things 
work completely automatically).

>   dselect if
> you're not sure of the name. 

I don't know what dselect does, but "yum list available | more" works 
pretty good for me to find a package when I mostly know what I want.

I don't know of any good tool on any distribution for doing things like 
"I want something that helps me to filter my mail...list all packages 
like that".


--
Jeff Rife| "Only one human captain has ever survived battle 
SPAM bait:   |  with a Minbari fleet...he is behind me...you are 
[EMAIL PROTECTED] |  in front of me.  If you value your lives, 
[EMAIL PROTECTED] |  be somewhere else." 
 | -- Ambassador Delenn, 2260 




Re: [Mimedefang] Display spam score in all emails

2004-09-18 Thread Jeff Rife
On 18 Sep 2004 at 21:56, Trevor Dodds wrote:

> Only emails which are being picked up as spam have a spam score in the
> headers.
> How can I show the spam score for all emails that have been processed.

Move the line of code that adds/changes the header outside of the "if" 
check that tests if the message is "spammy-enough".


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/Evaluation.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  
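A complete filter_end that does what the reply above describes, and that also carries the 'spam' versus 'SPAM' logging convention from the "counting emails flagged as spam" post further up. This is an added example, not the poster's filter or the stock mimedefang-filter; the MIMEDefang API calls it uses (spam_assassin_check, action_change_header, action_discard, md_graphdefang_log, %Features, $RelayAddr) are the real ones from mimedefang.pl, while the "discard at twice the required score" threshold is an assumption chosen for the example. It assumes md_graphdefang_log_enable() has been called in filter_begin, as the stock filter does.

```perl
# Added example for /etc/mail/mimedefang-filter (not the stock filter).
# The X-Spam-Score header is set on every message that is scanned, not
# only on the ones that cross the SpamAssassin threshold.
sub filter_end {
    my ($entity) = @_;

    return unless $Features{"SpamAssassin"};
    # As in the stock filter, skip very large messages; SpamAssassin is
    # slow on them and they are rarely spam.
    return unless -s "./INPUTMSG" < 100 * 1024;

    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $stars = "*" x ($hits < 40 ? int($hits) : 40);

    # This call used to sit inside the "if ($hits >= $req)" branch below.
    # Moved out of it, every scanned message gets a score header, so
    # Outlook rules (or a person) can see why something was or wasn't tagged.
    action_change_header("X-Spam-Score", "$hits ($stars) $names");

    if ($hits >= 2 * $req) {
        # Assumed threshold for "high value" spam that the recipient never
        # sees: logged as 'SPAM' (upper case) so a case-sensitive log search
        # separates discarded from delivered-but-tagged.
        md_graphdefang_log('SPAM', $hits, $RelayAddr);
        action_discard();
    }
    elsif ($hits >= $req) {
        # Tagged and delivered: logged as 'spam' (lower case).
        md_graphdefang_log('spam', $hits, $RelayAddr);
        action_change_header("X-Spam-Status", "Yes, hits=$hits required=$req");
    }
    else {
        action_change_header("X-Spam-Status", "No, hits=$hits required=$req");
    }
    return;
}
```

With this in place, `grep -ic 'spam' /var/log/maillog` counts everything SpamAssassin flagged, and `grep -c 'SPAM' /var/log/maillog` counts only the discarded messages, which is the split the earlier post relies on.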




Re: [Mimedefang] again - Overlong line in RESULTS file

2004-09-20 Thread Jeff Rife
On 20 Sep 2004 at 10:15, Kelson wrote:

> Mainly, this is the Tripwire ruleset, which looks for unusual letter 
> combinations and assigns a low score to each, the idea being that if 
> something has just a few, like an alphanumeric confirmation number, it 
> won't cause a false positive, but if it has a lot, it will trigger many 
> of these rules and result in a big boost to the spam score.  If you're 
> adding the spam report to the headers, a lot of hits on tripwire can 
> easily stretch that report past 8K.

There must be a *lot* that needs to hit to cause this problem.

I had one e-mail that hit 130 of the Tripwire rules, and it came 
through to me, which I guess means that it didn't hit the limit.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/RhymesWithOrange/MailerDaemon.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] again - Overlong line in RESULTS file

2004-09-21 Thread Jeff Rife
On 20 Sep 2004 at 11:13, Kelson wrote:

> If you're only adding X-Spam-Status, then it shouldn't cause problems. 

That's what I'm doing, so that explains it.


--
Jeff Rife| "I feel the need...the need for 
SPAM bait:   |  expeditious velocity" 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Brain 




Re: [Mimedefang] MIME-Base64-3.03 and Fedora Core, possibly other Linux distributions

2004-09-25 Thread Jeff Rife
On 23 Sep 2004 at 8:14, David F. Skoll wrote:

> That's why this code appears in mimedefang.pl.in:
> 
> # Move site library directory ahead of default library directory in @INC.
> # That's so we can sanely package our own version of MIME::Base64 that
> # won't conflict with the built-in one on RPM-based platforms.
> use lib '@PERLINSTALLSITELIB@';

Well, here's a strange thing from a Fedora Core 2 default 
install...this is the (slightly re-formatted) output when I try to find 
a non-existent Perl module (MIME::Base65, in this case):


==
perl -MMIME::Base65 -e 1

Can't locate MIME/Base65.pm in @INC, @INC contains:
/usr/lib/perl5/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/5.8.3
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.3
/usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1
/usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.3
/usr/lib/perl5/vendor_perl/5.8.2
/usr/lib/perl5/vendor_perl/5.8.1
/usr/lib/perl5/vendor_perl/5.8.0
/usr/lib/perl5/vendor_perl
.
==

Unless it reads @INC backwards, it appears that my "site_perl" is 
already ahead of "vendor_perl" in the list.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/OverTheHedge/Olympics.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Re: Bounce AND send a copy?

2004-09-30 Thread Jeff Rife
On 30 Sep 2004 at 7:19, David F. Skoll wrote:

> > Hmmm, either that didn't work, or (much more likely) I'm doing it
> > wrong:
> >
> > resend_message('[EMAIL PROTECTED]');
> 
> You want:
> 
>   resend_message_one_recipient('[EMAIL PROTECTED]');

Is there a reason this function isn't documented in the man page?  
Looking at the source, it seems to be not very different from 
resend_message_specifying_mode, which is what resend_message calls.


--
Jeff Rife|Al Gore: To my left, you'll recognize 
SPAM bait:   | Gary Gygax, inventor of Dungeons & 
[EMAIL PROTECTED] | Dragons. 
[EMAIL PROTECTED] | Gary Gygax: Greetings it's a...  
 | [rolls dice]  
 | Gary Gygax: ...pleasure to meet you. 
 | -- "Futurama" 




[Mimedefang] Limiting delivery by *nix group

2004-09-30 Thread Jeff Rife
I posted this to the sendmail newsgroup and got an answer that uses 
sendmail rulesets.  Since I don't understand these as well as I 
understand Perl (since I'm a Perl beginner, that tells you how little I 
can deal with sendmail rules), I'd like a way to do this from within 
MIMEDefang.

The need arose because our mail server gets its user list from Active 
Directory, but not every one of the users listed there should get 
e-mail (a good example is all the "machine" users).  I can easily put all 
the real e-mail users into an AD group which then maps to a *nix group.

So, all I need to do is check to see whether the user is in a 
particular group and, if not, return a "550 User unknown" status.

How would I do this from within MIMEDefang?

Thanks.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/OverTheHedge/BrokenInternet02.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Danger of .vcs files?

2004-09-30 Thread Jeff Rife
On 30 Sep 2004 at 12:45, Jim McCullars wrote:

> Well, at the risk of exposing my backside:
> 
> $bad_exts = '(bat|cmd|com|cpl|exe|hta|lnk|pif|reg|scr|shs|vb|vbe|vbs|zi)';

Ouch...there are far too many that are just as bad as those:

.INS:
  Internet Settings file...can change your IE setup to use a proxy,
  change to a different dial-out number, etc.

.CHM:
  Compiled Help file...can have scripting, embedded EXEs, and any
  number of bad things.

.ASX, .ASF:
  These are *script* files for Windows Media player.  They normally
  just load a few .WMV (or similar) files in a row, but they can do a
  *lot* more.



--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/OverTheHedge/SlowInternet.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Limiting delivery by *nix group

2004-09-30 Thread Jeff Rife
On 30 Sep 2004 at 16:27, Jason Gurtz wrote:

> Are you getting your users via LDAP?

No.

On 30 Sep 2004 at 13:51, [EMAIL PROTECTED] wrote:

> We do something similar.  Instead of checking from MIMEDefang, we
> have a cron.hourly job query the AD server using LDAP, and build a
> sendmail /etc/mail/access file (and hash it as well.) 

We query the Active Directory live using winbind integrated into 
/etc/nsswitch.conf:

passwd: files winbind
group:  files winbind

This makes checks by sendmail that think they only look at /etc/passwd 
for user info actually have "ghost" entries created on the fly by 
winbind.

This works well for SMTP AUTH, because I merely add to 
/etc/pam.d/smtp.sendmail:

auth    requisite   pam_succeed_if.so user ingroup smtp-users

I can create any number of groups and restrict logins using PAM and 
this same technique to have "ftp-users", "pop3-users", 
"www-private-users", etc.  There isn't any way like this that makes the 
actual account invisible to sendmail, though.

I guess I was just asking if there was an already written Perl function 
that does something like is_user_in_group()?


--
Jeff Rife| "When I first heard that Marge was joining the 
SPAM bait:   |  police academy, I thought it would be fun and 
[EMAIL PROTECTED] |  zany, like that movie: Spaceballs.  But instead 
[EMAIL PROTECTED] |  it was dark and disturbing, like that movie: 
 |  Police Academy." 
 | -- Homer Simpson 
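
An added example (not a MIMEDefang built-in and not from this thread) of the is_user_in_group() helper asked for above, wired into a filter_recipient that answers "User unknown" for local users outside the group. The domain name, the group name, and the extra SMTP code/DSN elements in the filter_recipient return value are assumptions; the group lookups go through NSS, so winbind-provided entries are seen without any LDAP code.

```perl
#!/usr/bin/perl
# Added example, not code from the thread and not part of MIMEDefang:
# reject delivery to local users that are not in a given *nix group.
use strict;
use warnings;

# Assumed local settings (placeholders).
my $LOCAL_DOMAIN = 'example.com';   # domain whose users live in the *nix group
my $MAIL_GROUP   = 'mail-users';    # AD group mapped to a *nix group by winbind

# True when $user is a member of $group, either through the group's
# member list or because it is the user's primary group.  getgrnam and
# getpwnam use NSS, so "ghost" winbind entries are resolved like any other.
sub is_user_in_group {
    my ($user, $group) = @_;
    my ($gname, undef, $gid, $members) = getgrnam($group);
    return 0 unless defined $gname;                     # no such group
    return 1 if grep { $_ eq $user } split ' ', $members;
    my @pw = getpwnam($user);
    return 0 unless @pw;                                # no such user
    return $pw[3] == $gid ? 1 : 0;                      # $pw[3] is the primary GID
}

# Decide about one recipient; kept apart from filter_recipient so it can
# be run outside MIMEDefang.  Addresses in other domains are left alone.
sub check_recipient {
    my ($recipient) = @_;
    my ($local, $domain) = $recipient =~ /^<?([^@<>]+)@([^@<>]+)>?$/;
    return ('CONTINUE', 'not a local address')
        unless defined $domain && lc($domain) eq $LOCAL_DOMAIN;
    return ('CONTINUE', 'ok') if is_user_in_group(lc($local), $MAIL_GROUP);
    return ('REJECT', 'User unknown');
}

# MIMEDefang calls this per RCPT TO when MX_RECIPIENT_CHECK=yes.  The
# argument order and the optional SMTP code / DSN after the message are
# assumed from the MIMEDefang 2.4x documentation.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
    my ($action, $msg) = check_recipient($recipient);
    return ('REJECT', $msg, '550', '5.1.1') if $action eq 'REJECT';
    return ('CONTINUE', 'ok');
}

# Stand-alone demo: the current user is always in its own primary group,
# and never in a group that does not exist.
unless (caller) {
    my $me      = getpwuid($<);
    my ($rgid)  = $( =~ /^(\d+)/;
    my $mygroup = getgrgid($rgid);
    printf "%s in %s: %d\n", $me, $mygroup, is_user_in_group($me, $mygroup);
    printf "%s in no-such-group: %d\n", $me, is_user_in_group($me, 'no-such-group');
}
```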




Re: [Mimedefang] Moving bayes database?

2004-10-21 Thread Jeff Rife
On 20 Oct 2004 at 21:23, James Curtis wrote:

> I put in a newer server to replace my main sa/mimedefang server.
> I am getting less tagged because it has a clean bayes database, and would
> like to move my old bayes database
> Is it just as simple as stopping mimedefang, replacing the file, and
> starting it back up?

It should be.

If you use a journal, remember to flush the journal using sa-learn.  
Any option that rebuilds the database will do the job.


--
Jeff Rife| "I'm worse than Hitler?!?" 
SPAM bait:   |  
[EMAIL PROTECTED] | "Not worse...just less warm and cuddly." 
[EMAIL PROTECTED] |  
 | -- Jay Sherman and Duke Phillips, "The Critic" 




Re: [Mimedefang] Moving bayes database?

2004-10-22 Thread Jeff Rife
On 22 Oct 2004 at 5:58, James Curtis wrote:

> Is it the default to use a journal?

No.

>  How would I be able to tell?

In your SpamAssassin config file (the same file that has the 
"use_bayes" setting), there would be a "bayes_learn_to_journal" 
setting.




--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/OverTheHedge/BrokenInternet02.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




[Mimedefang] Bayes DB in SpamAssassin 3.0

2004-10-23 Thread Jeff Rife
OK, my SA 3.0 install works fine.  If I use the command line 
"spamassassin -t < testmessage" on an e-mail, all comes out well.  
There are no errors with "spamassassin -D --lint".

Yet, when I run "mimedefang.pl -test", I get:

bayes: bayes db version 2 is not able to be used, aborting! at 
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/BayesStore/DBM.pm line 160.
bayes: bayes db version 2 is not able to be used, aborting! at 
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/BayesStore/DBM.pm line 160.
Filter /etc/mail/mimedefang-filter seems syntactically correct.

The Bayes database was created by taking a Bayes database from a 
SpamAssassin 2.63 install and using "sa-learn --import" to turn it into 
the new version.

I'm running (or trying to run) MIMEDefang 2.45.


--
Jeff Rife| "You are now dead.  Thank you for using Stop and 
SPAM bait:   |  Drop, America's favorite Suicide Booth since 
[EMAIL PROTECTED] |  2008." 
[EMAIL PROTECTED] | -- "Futurama" 




Re: [Mimedefang] Bayes DB in SpamAssassin 3.0

2004-10-23 Thread Jeff Rife
On 24 Oct 2004 at 2:03, Jeff Rife wrote:

> The Bayes database was created by taking a Bayes database from a 
> SpamAssassin 2.63 install and using "sa-learn --import" to turn it into 
> the new version.

To answer my own question, apparently you have to do "sa-learn --sync" 
*after* the import in order to avoid this problem.

It's not really clear in the docs (but then the SA docs aren't very clear 
in general).


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/TechSupport.gif 

[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] whitelisting in Mimedefang?

2004-10-28 Thread Jeff Rife
On 28 Oct 2004 at 14:01, scohen wrote:

> I know I can whitelist with /etc/mail/access.db and I know I can
> whitelist in sa-mimedefang.cf for the spamassassin tests, but is
> there any way to whitelist at the beginning of mimedefang-filter so no
> tests are performed? Btw, if I whitelist in the access.db does the
> email get sent through the socket to mimedefang? 

Yes, it does.

You can tie to the /etc/mail/access.db using Perl to stop processing 
early in your mimedefang-filter.  Don't ask me exactly *how* to do this 
(no Perl guru here), but the archives for this list should have 
something.



--
Jeff Rife|  
SPAM bait:   | http://www.netfunny.com/rhf/jokes/99/Apr/columbine.html 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] /etc/sysconfig/mimedefang option questions

2004-10-29 Thread Jeff Rife
On 29 Oct 2004 at 13:03, Rich West wrote:

> In the /etc/sysconfig/mimedefang file, there are the following options:
> 
> # If "yes", turn on the multiplexor relay checking function
> # MX_RELAY_CHECK=yes

Calls "filter_relay" in mimedefang-filter, if it exists.

> # If "yes", turn on the multiplexor sender checking function
> # MX_SENDER_CHECK=yes

Calls "filter_sender" in mimedefang-filter, if it exists.

> # If "yes", turn on the multiplexor recipient checking function
> # MX_RECIPIENT_CHECK=yes

Calls "filter_recipient" in mimedefang-filter, if it exists.


--
Jeff Rife| "Grab a shovel...I'm only one skull 
SPAM bait:   |  short of a Mouseketeer reunion." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Bender, "Futurama" 




Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Jeff Rife
On 29 Oct 2004 at 15:01, David F. Skoll wrote:

> > elsif ($ip ne $helo){
> > return ('REJECT', "You are not who you say you are.")
> > }
> 
> That will reject 99.999% of all your e-mail.  Most machines use the
> machine name in HELO, not an IP address, so...

...and the RFC pretty clearly says that an IP address should *never* be 
used as the argument to HELO, so that rule *should* reject all e-mail.




--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/Evaluation.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Jeff Rife
On 30 Oct 2004 at 0:16, David F. Skoll wrote:

> > ...and the RFC pretty clearly says that an IP address should *never* be
> > used as the argument to HELO, so that rule *should* reject all e-mail.
> 
> Umm... reread his code.

Maybe you should?

This is his test:
  if ($ip ne $helo)

$ip is *always* of the form ###.###.###.###.

$helo can *never* be of that form *if* the connecting machine follows 
the RFC...it must be either foobar.domain.tld or [###.###.###.###].

So, if everybody followed RFC, that test can never be true, thus it 
will reject all mail.

As you said, it will only reject *almost* all e-mail, because a few 
machines don't follow RFC.


--
Jeff Rife|  Sam: What d'ya say to a beer, Normie? 
SPAM bait:   |  
[EMAIL PROTECTED] | Norm: Hi, sailor...new in town? 
[EMAIL PROTECTED] |  
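
An added example (not code from the thread) that puts the argument above into runnable form: it classifies a HELO argument as a bare IP, an [address literal] or a hostname, shows that the quoted "$ip ne $helo" test fires for every RFC-compliant client, and contrasts it with a check that follows the RFC. The filter_sender argument order is assumed from the MIMEDefang 2.4x documentation; the sample IPs and HELO strings are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: HELO classification per
# RFC 2821 (hostname or [address literal]) versus the posted "$ip ne $helo".
use strict;
use warnings;

my $OCTET = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;
my $IPV4  = qr/$OCTET(?:\.$OCTET){3}/;

# 'bare-ip' (forbidden by the RFC), 'address-literal', or 'hostname'
# (anything else; a real filter would still validate a hostname via DNS).
sub classify_helo {
    my ($helo) = @_;
    return 'bare-ip'         if $helo =~ /^$IPV4$/;
    return 'address-literal' if $helo =~ /^\[$IPV4\]$/;
    return 'hostname';
}

# The rule quoted in the thread: true whenever the HELO differs from the
# bare connecting IP, which is the case for every RFC-compliant client.
sub posted_rule_rejects {
    my ($ip, $helo) = @_;
    return $ip ne $helo ? 1 : 0;
}

# Returns a rejection reason, or undef to accept: a bare IP is rejected,
# an address literal must name the connecting IP, a hostname passes here.
sub helo_reject_reason {
    my ($ip, $helo) = @_;
    my $kind = classify_helo($helo);
    if ($kind eq 'bare-ip') {
        return "HELO must be a hostname or [address literal], not a bare IP";
    }
    if ($kind eq 'address-literal') {
        my ($literal) = $helo =~ /^\[($IPV4)\]$/;
        return "HELO literal [$literal] does not match connecting IP $ip"
            if $literal ne $ip;
    }
    return undef;
}

# How this sits in mimedefang-filter (needs MX_SENDER_CHECK=yes).
# Argument order assumed from the MIMEDefang 2.4x documentation.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    my $why = helo_reject_reason($ip, $helo);
    return ('REJECT', $why) if defined $why;
    return ('CONTINUE', 'ok');
}

# Stand-alone demo on constructed connecting IPs and HELO strings.
unless (caller) {
    my @samples = (
        ['192.0.2.10', 'mail.example.org'],   # compliant hostname
        ['192.0.2.10', '[192.0.2.10]'],        # compliant address literal
        ['192.0.2.10', '[198.51.100.7]'],      # literal naming another IP
        ['192.0.2.10', '192.0.2.10'],          # bare IP, forbidden by the RFC
    );
    for my $s (@samples) {
        my ($ip, $helo) = @$s;
        my $why = helo_reject_reason($ip, $helo);
        printf "%-18s %-16s posted rule: %-7s RFC check: %s\n",
            $helo, classify_helo($helo),
            posted_rule_rejects($ip, $helo) ? 'REJECT' : 'accept',
            defined $why ? "REJECT ($why)" : 'accept';
    }
}
```

Only the bare-IP sample is accepted by the posted rule, which is the point made above: the test is inverted relative to what the RFC permits.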




Re: [Mimedefang] filter_relay

2004-11-01 Thread Jeff Rife
On 1 Nov 2004 at 9:18, Aleksandar Milivojevic wrote:

>For example, they'll use ISP's mail server to relay. 
> Most ISP's don't have virus scanners (too expensive).

I don't know about this statement anymore.

First, there are great free scanners, like ClamAV.

Second, I see a *lot* of bounces from virus scanners where the "From" 
address is forged to my domain, so I know that there are a great many 
virus scanners on mail servers...they just aren't very well configured.


--
Jeff Rife|  Sam: Hey, how's life treating you there, Norm? 
SPAM bait:   |  
[EMAIL PROTECTED] | Norm: Beats me...then it kicks me and leaves me 
[EMAIL PROTECTED] |   for dead. 




Re: [Mimedefang] 'service mimedefang status' returns "multiplexor dead but pid file exists"

2004-11-02 Thread Jeff Rife
On 2 Nov 2004 at 22:20, David F. Skoll wrote:

> On Wed, 3 Nov 2004, Matt Smith wrote:
> 
> > Is this just a system-specific thing, or is there something else going on?
> 
> It's a stupid RedHat-ism.  You can ignore it.

This must be post-2.45, then, because both 2.43 and 2.45 on Fedora Core 
2 show the expected output with the stock init script from the MD 
source:

root:~# service mimedefang status
mimedefang (pid 17527) is running...
mimedefang-multiplexor (pid 11087 9479 17514) is running...
  0/15 ...0/15 ... 30941


--
Jeff Rife| "I feel the need...the need for 
SPAM bait:   |  expeditious velocity" 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Brain 




Re: [Mimedefang] New to Mimedefang

2004-11-04 Thread Jeff Rife
On 4 Nov 2004 at 8:43, Aleksandar Milivojevic wrote:

>   Another possibility is if you killed MIMEDefang while 
> it was still processing an email, directory might be left over.

If you put the /var/spool/MIMEDefang directory on a ramdisk (using 
either an actual ramdisk or tmpfs) this not only speeds up the 
scanning but solves this problem in the long run, since every reboot 
gets rid of these randomly saved directories.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/AngryTVGod.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Frustration...

2004-11-04 Thread Jeff Rife
On 4 Nov 2004 at 14:15, Lisa Casey wrote:

> and Spamassassin adds a  SpamAssassinReport.txt as an attachment to each
> spam mail. But I've been reading websites for two days now and can't figure
> out how to do anything else with this. Basically I don't want spam coming
> into my users' mailboxes, they don't want it. I understand there will be some
> amount of false positives, but I just want to drop (or bounce or whatever)
> the spam before it reaches the mailboxes.

For this, in /etc/mail/mimedefang-filter where the code currently adds 
the SA report, just use "action_discard" or "action_bounce" instead.

> I'd also like to drop, bounce, whatever mail that has certain words in the
> subject, such as rolex, penis, viagra, etc.

For this, check out http://www.rulesemporium.com/ and add rules that 
seem to do what you want.

I like:

BOGUSVIRUS
SARE_SPECIFIC
SARE_RATWARE
SARE_BML
SARE_FRAUD
SARE_OEM
SARE_GENLSUBJ0
TRIPWIRE

> Also, I'm not sure how I'm supposed to feed it spam. I have
> Sendmail/Qpopper and most of my users pick up their mail using
> Outlook Express. I understand I can't just forward spam to a spam
> mailbox and run sa-learn on that as the forwarding will not get the
> original headers. 

For anything you mark as "spam", use the "resend_message" function 
inside to copy the *original* to a spam mailbox.  Then, run sa-learn on 
that mailbox every so often.  That box *could* just be an alias to a 
pipe to sa-learn, if you want.


--
Jeff Rife| "You may find this strange, but I think body 
SPAM bait:   |  piercing is a good thing.  It gives us a 
[EMAIL PROTECTED] |  quick way to tell that people ain't right, 
[EMAIL PROTECTED] |  just by lookin' at 'em." 
 | -- Hank Hill, "King of the Hill" 




Re: [Mimedefang] Frustration...

2004-11-04 Thread Jeff Rife
On 4 Nov 2004 at 14:02, Brent J. Nordquist wrote:

> First off: What are you using for your mimedefang-filter script? The
> tarball has examples/suggested-minimum-filter-for-windows-clients which
> has a pretty complete framework.

Unless I'm mistaken, I can't see any difference between this file and 
the default that is installed as /etc/mail/mimedefang-filter.

> My users would never allow me to unilaterally drop everything that SA
> claimed was spam.

We're not an ISP, but I have found that dropping anything that scores 
higher than 10 (using the standard SA 2.63 rulesets) gives us zero 
false positives, and *nothing* that anybody could possibly want.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/OverTheHedge/HDTV.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] New to Mimedefang

2004-11-04 Thread Jeff Rife
On 4 Nov 2004 at 13:08, David F. Skoll wrote:

> On Thu, 4 Nov 2004, Jeff Rife wrote:
> 
> > If you put the /var/spool/MIMEDefang directory on a ramdisk (using
> > either an actual ramdisk or tmpfs) this not only speeds up the
> > scanning but solves this problem in the long run, since every reboot
> > gets rid of these randomly saved directories.
> 
> Well, yeah, except I don't like to reboot too often! :-)

True, but for a while, I was doing a lot of reboots for new kernels.

>   And you
> really don't want a ramdisk to fill up.

Unless MD craps out or you stop/start it a lot, you shouldn't get any 
of these.  

>  So if you're paranoid, run
> this nightly from cron: 
> 
> find /var/spool/MIMEDefang -name 'mdefang-*' -type d -mtime +1 -exec rm -r {} \; > /dev/null 2>&1
> 
> That deletes any /var/spool/MIMEDefang/mdefang-* directories older than a day.

This also works:

/bin/touch /var/spool/MIMEDefang/*.pid
/bin/touch /var/spool/MIMEDefang/*.sock
/usr/sbin/tmpwatch 24 /var/spool/MIMEDefang

This makes sure that the important files are "fresh", and then anything 
older than 24 hours gets deleted.  

It's easy to add this to the /etc/cron.daily/tmpwatch file on a 
RedHat-based OS.


--
Jeff Rife| "As usual, a knife-wielding maniac 
SPAM bait:   |  has shown us the way." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Bart Simpson 




Re: [Mimedefang] New to Mimedefang

2004-11-04 Thread Jeff Rife
On 4 Nov 2004 at 19:29, Rob MacGregor wrote:

> But be aware that with FreeBSD 5.x and UFS2 short lived files (~6 s
> ISTR) don't get written to disk, so a RAM disk will rarely buy you
> anything, but costs you memory :-).

That's what makes tmpfs so nice.  There is no memory use unless the 
file is committed to disk, and the memory is recovered when the file is 
deleted.

Still, on a loaded server, it wouldn't be surprising for the MD work 
directory to hang around for 10 seconds or so, especially if you use 
the optional "$delay" return value from filter_relay, filter_sender, or 
filter_recipient.


--
Jeff Rife| "I feel the need...the need for 
SPAM bait:   |  expeditious velocity" 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Brain 




Re: [Mimedefang] Frustration...

2004-11-04 Thread Jeff Rife
On 4 Nov 2004 at 17:33, Kris Deugau wrote:

> Jeff Rife wrote:
> > We're not an ISP, but I have found that dropping anything that scores
> > higher than 10 (using the standard SA 2.63 rulesets) gives us zero
> > false positives, and *nothing* that anybody could possibly want.
> 
> Don't count on it.  I've seen far too many legit "mail me info about
> your website"-type messages get scores at 12-15+.

I haven't seen any truly legitimate ones get those scores, although 
ones that come from "legitimate spammers" (i.e., where they are 
spamming for legal things) do.  Since all of these sorts are from 
harvesting or sold-without-consent lists, I don't think anybody is 
inconvenienced by it.




--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/Zits/AttentiveIgnorer.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




RE: [Mimedefang] Frustration...

2004-11-04 Thread Jeff Rife
On 4 Nov 2004 at 19:39, Tory Blue wrote:

>   What I need is
> something that will do a dictionary lookup and if the  email contains more
> than 2 misspelled words in the subject it's bounced. That's not efficient,
> but how else are you going to stop all the V!Agra, M0r tgage and other types
> of spam?!

The "tripwire" ruleset is designed to look for odd letter triples 
(based on their occurrence in a standard dictionary).  You could do 
something similar because "[a-z][#%!][a-z]" is *very* rare in a subject 
(case insensitive, of course).  Just create a rule with all the special 
characters (I'm too tired to figure out which ones need escaping), and 
set up the rule so that it can fire multiple times.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/BabyBlues/TVDistance.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  
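
An added example (not code from the thread) that works out the rule sketched above: the letter-symbol-letter character class with its escaping settled, the equivalent SpamAssassin rule lines (in a comment; the rule name and score are my own choices), and a plain-Perl count of how often it fires on constructed subjects, including one of the digit/space tricks from the question that this rule does not catch.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: count letter-symbol-letter
# triples in a Subject the way a "tflags multiple" SpamAssassin rule would.
use strict;
use warnings;

# Inside a character class only \ ] ^ and - are special (^ only when
# first, - only when not last).  $ and @ are escaped so that Perl does not
# try to interpolate a variable when the rule text is compiled.
my $TRIPLE = qr/[a-z][#%!\$\@*+=^|~][a-z]/i;

# The same rule in SpamAssassin syntax for sa-mimedefang.cf (name and
# score are assumptions); "tflags multiple" fires it once per match
# instead of once per message:
#   header  LOCAL_SUBJ_SYMBOL_TRIPLE  Subject =~ /[a-z][#%!\$\@*+=^|~][a-z]/i
#   tflags  LOCAL_SUBJ_SYMBOL_TRIPLE  multiple
#   score   LOCAL_SUBJ_SYMBOL_TRIPLE  0.5

# Number of triples in one subject (what "tflags multiple" counts).
sub count_triples {
    my ($subject) = @_;
    my @hits = $subject =~ /$TRIPLE/g;
    return scalar @hits;
}

# Verdict using the "more than one" threshold from the question, applied
# to symbol triples instead of misspelled words.
sub subject_verdict {
    my ($subject) = @_;
    return count_triples($subject) >= 2 ? 'suspicious' : 'ok';
}

unless (caller) {
    # Constructed subjects; none of these are real mail.
    my @subjects = (
        'Cheap V!Agra and C#alis today',   # two triples: suspicious
        'Re: meeting notes for Thursday',  # none
        'Is C# faster than C++ here?',     # symbols without a letter on both sides: none
        'M0r tgage rates',                 # digit and space tricks are not caught
    );
    for my $s (@subjects) {
        printf "%d  %-10s  %s\n", count_triples($s), subject_verdict($s), $s;
    }
}
```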




RE: [Mimedefang] Do not use Clam AV < version 8.0 --Wrong!

2004-11-07 Thread Jeff Rife
On 6 Nov 2004 at 21:25, Tory Blue wrote:

> Ummm, that's not what it says, it says if you're abusing the system they will
> blacklist you. Meaning that if you continue using the older version and not
> use the DNSquery option and are checking the system each hour or less, then
> you're an abuser and need to set your system up to check every 3-53 minutes..

You misread.

What they said was that if you are checking through crontab, you should 
have it check no more than once per hour, and only on minutes 3 through 
57, excluding 10,20,30,40,50.

> But I guess upgrading is probably a smart move, but again if you're not
> abusing their systems, you will not be blacklisted..  I'm checking my cron
> right now and.. I was an abuser in their eyes, I would check it 4-5 times a
> day. Have modified it to check every 53 minutes... Sorry guys! Will work on
> upgrading when I get my head above water.

You are actually now worse than before.  You were checking far *less* 
than once an hour, so you were fine, and would never have been 
blacklisted.  Now, however, you might actually be, since you are 
checking more than once an hour.

I check 8 times a day (the freshclam.conf option "Checks" should really 
have been an interval between checks, but it is instead the number of 
checks per day), or every 3 hours, plus use the "DNSDatabaseInfo" 
option, since that is on by default in the RPM I use.

Since many commercial anti-virus servers allow at most one check per 
day, even *two* per day with ClamAV will keep you ahead of more viruses 
than those systems.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/ArloNJanis/ClothesHorse.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] tmpfs on Linux

2004-11-10 Thread Jeff Rife
On 10 Nov 2004 at 14:17, Greg Miller wrote:

> Currently not using bayesian or whitelist. This is a dedicated sendmail
> box.

Part of what my company does is marketing (opt-in only lists, of 
course), and some of that marketing is about drugs.  Because of that, 
we get a lot of what might be "spam" from clients we work with, because 
of the keywords, etc.

The auto-whitelist keeps these false positives down to zero.  For other 
sites, this tool might not be helpful, but if you know that you expect 
to get *some* "spammy" e-mail from people who send you a lot of "good" 
e-mail, it does a good job.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/NoHelpDesk.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] filter_recipient

2004-11-11 Thread Jeff Rife
On 11 Nov 2004 at 11:39, Kevin A. McGrail wrote:

> define(`confMILTER_MACROS_ENVFROM', `rcpt_host, rcpt_mailer, rcpt_addr')dnl
> 
> This is just a starting point, untested, etc. but I am 99% certain this is
> the right path.

This seems to be the default for the m4 config in current sendmail 
versions if you have any INPUT_MAIL_FILTER lines.


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Pickles/Adoration.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Re: Original-Content-Type in header

2004-11-12 Thread Jeff Rife
On 12 Nov 2004 at 8:52, Kevin A. McGrail wrote:

> Well your emails are the only emails that show up in my inbox with newsgroup
> features ;-)  And I'm pretty sure I'm not nuts because I can definitely see
> headers like this:
> 
> X-Complaints-To: [EMAIL PROTECTED]
> X-Gmane-NNTP-Posting-Host: dhcp065-025-111-053.neo.rr.com
> X-Newsreader: Forte Agent 2.0/32.652

Same headers here, so it's not something on your end.


--
Jeff Rife| "_Grease_ is one of my favorite movies.  A 
SPAM bait:   |  sociopathic greaser in a leather jacket turns an 
[EMAIL PROTECTED] |  innocent high school girl into a slut. 
[EMAIL PROTECTED] |  
 |  Kind of like _My Fair Lady_ in reverse." 
 |  
 | -- Scot Gardner, in alt.video.dvd 




Re: [Mimedefang] tmpfs on Linux

2004-11-12 Thread Jeff Rife
On 12 Nov 2004 at 9:03, Aleksandar Milivojevic wrote:

> For later (simpler) global solution, just add these lines to 
> sa-mimedefang.cf:
> 
> auto_whitelist_path  /var/spool/MIMEDefang/awl
> 
> bayes_path   /var/spool/MIMEDefang/bayes

These are really *bad* paths if you put /var/spool/MIMEDefang on any 
sort of ramdisk (like many of us do).


--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/Evaluation.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] tmpfs on Linux

2004-11-12 Thread Jeff Rife
On 12 Nov 2004 at 15:46, Matthew S. Cramer wrote:

> > These are really *bad* paths if you put /var/spool/MIMEDefang on any 
> > sort of ramdisk (like many of us do).
> 
> Why?  I found this greatly improved performance.  I have a cron job
> that copies the bayes db files over to a physical disk once every
> day so there is no danger of losing the entire database if the ramdisk
> would suddenly go away.

Many people who read the list archives just follow instructions 
blindly, and won't know to do this.

> On my machine:
> 
> /dev/ram0   48388646458840   1% /var/spool/MIMEDefang
> /dev/ram1   483886132675326211  29% /var/spool/bayes

You've got a lot more RAM than I have to spare for this (500MB for each 
ramdisk).  Also, you end up using double for the bayes database because 
the DB code caches a lot of the database in RAM.  Using a journal for 
the bayes database should result in acceptable performance under most 
circumstances.


--
Jeff Rife|  Sam:  How's life in the fast lane, Normie? 
SPAM bait:   |  
[EMAIL PROTECTED] | Norm:  Beats me, I can't find the on-ramp. 
[EMAIL PROTECTED] |  




Re: [Mimedefang] STILL : MIMEDEFANG NOT TAGGING

2004-11-15 Thread Jeff Rife
On 16 Nov 2004 at 0:38, Hitete wrote:

> I have fedora core 2 + mimedefang 2.42 + SA 2.64 + Sendmail.
> 
> I've installed everything correctly :
> spamd starts ok,
> sa starts o
> dcc starts ok

You don't need spamd running at all.  SpamAssassin is integrated into 
MIMEDefang through pure Perl.

> What kinda logs should I see in maillog if SA worked well with mimedefang
> and sendmail ?.

You need to make sure that logging is enabled for MIMEDefang 
(MX_LOG=yes and SYSLOG_FACILITY=mail in /etc/sysconfig/mimedefang).

You also need to make sure that any optional function calls are enabled 
(MX_RELAY_CHECK=yes, MX_SENDER_CHECK=yes, and/or MX_RECIPIENT_CHECK=yes 
in /etc/sysconfig/mimedefang).

Then, just add lines like the following to your 
/etc/mail/mimedefang-filter:

md_syslog('info', "md_info: Got here");

These will show up in /var/log/maillog.


--
Jeff Rife|  
SPAM bait:   | 
http://www.nabs.net/Cartoons/OverTheHedge/TiVoForRealLife.gif 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] Greylisting

2006-02-22 Thread Jeff Rife
OK, so I've been bad at keeping up with messages...

On 14 Dec 2005 at 21:37, David F. Skoll wrote:

> Our (commercial) implementation of greylisting notes when a host
> makes it past the greylist hurdle.  Once that happens, we don't greylist
> that host for 40 days.  It's a simple trick that greatly reduces the annoyance
> of greylisting delays without materially reducing the effectiveness of
> greylisting.  I'm not sure if any of the free greylisting implementations
> do this

Yes, indeed.

Milter-greylist with the "lazyaw" setting will do exactly what you 
describe.

Basically, the first time the sender/recipient/IP tuple gets greylisted, 
but when it succeeds, "lazyaw" causes the IP address to be whitelisted 
instead of the tuple.  Combining that with "subnetmatch /32" and 
"autowhite 40d" would do exactly what you said.

I suspect that anybody using "lazyaw" would want to change the 
"subnetmatch /24" default, since whitelisting 256 IPs because just one 
retried would be a bit too much, I think.


--
Jeff Rife |  
  | http://www.nabs.net/Cartoons/PaperOrPlastic.gif 


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Justifying greylisting to management

2006-02-25 Thread Jeff Rife
After installing milter-greylist on my personal e-mail server, 
identified spam and viruses dropped dramatically (down to between 
10-20% of previous levels).

But, I absolutely can't get the PHBs at my work to approve of a full 
install there (currently I just greylist anything addressed to me) 
because "critical e-mail might be delayed".  After much thought, I 
realize there is no way I can fight this particular issue, because no 
matter how much whitelisting you do, it could happen.  For the same 
reason, even an "opt in" approach isn't likely to happen, since the 
PHBs feel that individual employees aren't smart enough to be able to 
judge if they might need to receive a "critical" e-mail.

Still, if I had some real-world examples of largish *businesses* that 
use greylisting, I could use that to convince them that other 
successful businesses see it as something that they can afford to do.  
Universities and other places where e-mail is a privilege (in a sense) 
wouldn't do a lot to sway them, but ISPs (who could lose customers 
because they don't want e-mail delays) would probably help.

I've done a few Google searches, but haven't found anything large and 
specific enough to really give me ammo.  I don't want to violate any 
NDAs, or intrude on privacy, but any pointers at all would be 
appreciated.

Thanks to all in advance.


--
Jeff Rife |  
  |  Visualize Whirled Peas 




Re: [Mimedefang] Justifying greylisting to management

2006-02-26 Thread Jeff Rife
On 26 Feb 2006 at 11:11, Kevin A. McGrail wrote:

> Good Point. The use of a multi-month "whitelist for hosts known to retry 
> properly to disable greylisting seems like an excellent fix that would 
> probably solve 75% of the issues I was detailing previously (hazarding a 
> guess here).
> 
> I just don't know if that 1 email that got delayed X number of hours from a 
> non-whitelist host wouldn't be the proverbial spine breaking straw and have 
> a feeling it would occur here and greylisting would have to be 100% removed 
> because of 1 FP email delayed.

Bingo!

That's exactly what I feel will happen.

Now, here's why I used the term "PHB":

We currently use DNSBLs on the mail server in question.  We *have* had 
client communications blocked because of this (and they were "false 
positives" in the sense that the client just had the bad luck of being 
on an ISP that had allowed enough spam to go through before catching it 
that they hit some blacklists).

The PHBs did *not* request that we stop using DNSBLs...only that we 
should whitelist the problem IPs when problems occur.

This is why I turned to this group of experienced mail admins.  I need 
a way to justify occasionally delaying good e-mail to people who have 
already said that occasionally *blocking* good e-mail (and thus 
*really* delaying it) is acceptable.


--
Jeff Rife |  
  | http://www.nabs.net/Cartoons/OverTheHedge/TreeChainsaw.gif 




Re: [Mimedefang] Patch to mimedefang...

2006-04-12 Thread Jeff Rife
On 13 Jan 2006 at 19:28, David F. Skoll wrote:

>One of the biggest complaints from
> people who've tried MIMEDefang is the number of Perl modules it
> requires.  I really hesitate to make another absolute dependency; I'd
> rather continue to use the mechanism in detect_and_load_perl_modules
> to discover modules at run-time and enable bits of functionality based
> on what is discovered.

Catching up on old stuff here...

One idea would be to make some very small part of MIMEDefang into a 
CPAN module, and let that module's build script automatically get the 
truly required Perl modules.

This won't reduce the requirements, but it would allow a MIMEDefang 
install to be just "./configure && make" on the MIMEDefang source.


--
Jeff Rife |  
  | http://www.nabs.net/Cartoons/OverTheHedge/PizzaDelivery.gif 





Re: [Mimedefang] Validate users before scanning?

2006-04-17 Thread Jeff Rife
On 14 May 2005 at 21:08, David F. Skoll wrote:

> > (currently - if David is prepared to make MD jump three flaming hoops
> > while doing limbo dancing, then that might change - see my other post on
> > this subject.)
> 
> Here's an odious solution (untested):
> 
> sub filter_recipient {
>     my($recipient, $sender, $ip, $hostname, $firstRecip, $helo,
>        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>     if ($sender ne '<[EMAIL PROTECTED]>' or
>         $ip ne '127.0.0.1') {
>         my($val, $text, $code, $dsn) =
>             md_check_against_smtp_server('<[EMAIL PROTECTED]>',
>                                          $recipient, $helo, '127.0.0.1');
>         if ($val ne 'CONTINUE') {
>             return ($val, $text, $code, $dsn);
>         }
>     }
> 
>     # Do normal filter_recipient processing here.
> 
> }
> 
> If your local Sendmail would reject the recipient (for whatever
> reason), then MIMEDefang is informed of it and the recipient doesn't
> get added to @Recipients in filter_begin.

OK, so I've tested this.

I did it two different ways:
1. as you described
2. by running another sendmail daemon listening on a high port, so I 
   could keep the same virtusertable/aliases/etc., but not run any 
   milters

The results show that you can *mostly* know when sendmail would reject 
a recipient, but it won't tell you for sure; in particular, any alias 
that ends up pointing to something bad (an error mailer, or just 
something that doesn't exist) won't be flagged as bad with this check.

Flat-out bad addresses seem to return the correct value, though, so if 
you 100% control the aliases and virtusertable, you should be OK.


--
Jeff Rife |  
  | http://www.nabs.net/Cartoons/Dilbert/NoHelpDesk.jpg 
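An added example of the second approach tested above (a filter_recipient that probes a separate, milter-free sendmail on a high port and logs the answer), written here for illustration rather than taken from the thread. It assumes that daemon listens on 127.0.0.1:10025, that md_check_against_smtp_server takes an optional fifth port argument (check your mimedefang.pl before relying on it), and a placeholder probe sender; the loopback guard from the quoted code is kept because it is what stops the probe from being re-probed if you point this at the milter-enabled daemon instead.

```perl
# Added example: validate recipients against a second sendmail that has
# the same aliases/virtusertable but no milters, and log the verdict.
# Assumptions: the probe daemon is on 127.0.0.1:10025; the port argument
# to md_check_against_smtp_server is optional; the probe sender is a
# placeholder address, not a real mailbox.
use strict;
use warnings;

my $PROBE_HOST   = '127.0.0.1';
my $PROBE_PORT   = 10025;    # assumed: sendmail started with a Port=10025 DaemonPortOptions and no InputMailFilters
my $PROBE_SENDER = '<probe@example.invalid>';   # placeholder envelope sender for the probe

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Do not probe the probe: a connection from the placeholder sender on
    # loopback is our own check coming back round (matters only if the
    # target daemon runs this milter too, as in the quoted code).
    if ($sender eq $PROBE_SENDER && $ip eq '127.0.0.1') {
        return ('CONTINUE', 'ok');
    }

    my ($val, $text, $code, $dsn) =
        md_check_against_smtp_server($PROBE_SENDER, $recipient, $helo,
                                     $PROBE_HOST, $PROBE_PORT);

    md_syslog('info', "md_info: rcpt probe $recipient from $ip -> $val "
                    . "code=" . (defined $code ? $code : '-')
                    . " dsn=" . (defined $dsn ? $dsn : '-'));

    # A non-CONTINUE answer means the milter-free sendmail would have
    # refused this RCPT TO, so refuse it here with the same text and codes.
    if ($val ne 'CONTINUE') {
        return ($val, $text, $code, $dsn);
    }

    # Note from the test results above: CONTINUE is not a guarantee. An
    # alias whose target is an error mailer or a non-existent mailbox is
    # still accepted at RCPT TO, so this check only catches flat-out bad
    # addresses.
    return ('CONTINUE', 'ok');
}
```

Because the probe daemon shares aliases and virtusertable with the real one, a recipient rejected there is rejected for the same reason the real sendmail would give, and the logged line shows which recipients are being refused before any message body is scanned.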




Re: [Mimedefang] Greylist-busting ratware?

2006-04-18 Thread Jeff Rife
On 18 Apr 2006 at 22:23, David F. Skoll wrote:

> For example:
> 
> http://www.roaringpenguin.com/canit/showtrap.php?o=71.0.177.139&status=spam
> 
> (Login/password = demo/demo)
> 
> Anyone else seeing this?

Yeah, I get some...it's that stock spam, right?

The funny thing is that I haven't seen *any* to my mail server...it's 
all come in through the server at my work (usually for dns@, although 
some are for my work e-mail).

Both have milter-greylist plus MIMEDefang, and the mimedefang-filter 
files are very similar, so I have no idea why I get it at one and not 
the other.


--
Jeff Rife | "Ahhh, what an awful dream!  Ones and zeroes 
  |  everywhere...and I thought I saw a two!" 
  | -- Bender, "Futurama" 



