Re: [Mimedefang] [External] Re: Is this list still alive?

2021-04-01 Thread Kevin A. McGrail
> I'm not sure what data feeds you're referring to.  If you are
> referring to the Roaring Penguin IP blocklists and/or the CanIt Bayes
> data feeds, those are controlled by AppRiver and if AppRiver decides to
> shut them down... there's not much anyone can do because they are fed
> by CanIt installations.


Thanks for the reminder on this.  The pandemic just keeps ruining plans 
but getting the mailing list onto a platform that doesn't need kicking 
is on our list.


And the RPBL is also something where I don't believe there is a risk of 
it being shutdown without it being transferred to the McGrail Foundation 
first.  We've talked about it and need to get some of the other 
waterfowl aligned.  We do have a repo and patches are going into it and 
a release is imminent too.


Regards,

KAM

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] [External] Re: Help with header checking

2020-12-01 Thread Kevin A. McGrail

On 12/1/2020 1:10 PM, Joseph Brennan wrote:
> We used this to create an array of header information:
>
> # each line of ./HEADERS is expected to read "Name: value"
> if (open(IN, '<', './HEADERS')) {
>     while (<IN>) {
>         chomp;
>         if (/^(\S+):\s*(.*)/) {
>             my $label = lc($1);          # header names compared case-insensitively
>             my $data  = $2;
>             $Header{$label} = $data;     # the last instance of a header wins
>             if ($label eq 'received') {
>                 push(@Received, $data);  # keep every Received: line, in order
>             }
>         }
>     }
>     close(IN);
> }
>
> So following this, if for example we want to test the From: header, we
> check $Header{'from'}
> Received: was handled specially. It could end up an empty list. I
> don't think we checked for that!
>
> Hmm... If HEADERS was not there (??) it fails silently and
> $Header{'anything'} is empty. The rest of filter still works,
> but maybe we should have logged that case.


Does using MIME::Tools and $entity->head->get('Received'), for example, 
work?  Not sure how it parses through the various received headers.


For example, I convert Date's to unix epoch time format with something 
like this and the Date::Parse module:


$date_unixtime = Date::Parse::str2time($entity->head->get('Date'));

Regards,

KAM



[Mimedefang] [Off-Topic] Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set

2020-11-26 Thread Kevin A. McGrail

Morning all,
I wanted to share the news from 
https://mcgrail.com/newsmanager/news_article.cgi?template=news.template_id=11 
with you all.  We'll also have a mailing list up soon too.
Thanks to the sponsors and to Georgia Smith and Karsten Bräckelmann who 
worked hard on setting up the infrastructure for this.


Happy Thanksgiving,
KAM


 Announcing the Apache SpamAssassin Channel for the KAM Rule Set

Nov 26, 2020
Happy Thanksgiving,

The McGrail Foundation is proud to announce the immediate availability 
of the channel for the KAM rule set.


The rule set has been free and available to improve Apache SpamAssassin 
installations for going on 17 years now. It includes rules for common 
spam as well as contributed rules plus tweaks to help make things faster 
and more efficient with the stock rules without lowering the efficacy.


The KAM rule set is authored by Kevin A. McGrail with contributions from 
Joe Quinn, Karsten Bräckelmann, Bill Cole, and Giovanni Bechis. It is 
maintained by The McGrail Foundation.


The KAM channel is made possible with the support of hosting from Linode 
and help from PCCC & cPanel. More information about our sponsors can be 
found at our Sponsor's Page at https://mcgrail.com/template/sponsors


To enable the KAM rule set via an sa-update channel see the channel page 
at https://mcgrail.com/template/kam.cf_channel



Re: [Mimedefang] [External] Re: Test

2020-11-22 Thread Kevin A. McGrail

On 11/22/2020 12:42 PM, Fredrik Pettai wrote:
>> Have you looked at Orange Spam?  That was effectively a lightweight rewrite of
>> SA in Python.  Not as feature rich but I believe rulesets were compatible.
>> They got bought by SolarWinds so I don't know if the project is alive any more.
>
> This one? https://github.com/SpamExperts/OrangeAssassin ?
> It looked alive (it had recent commits), but a closer look shows its automation
> jobs doing all commits & pull requests etc. the last year(s).

I think so yes, but the website has been pulled.  I didn't think to 
check for a repo. I know that SpamExperts was bought by SolarWinds and 
that Dreas is no longer with the firm though.  With it, I think this 
python-based project became dormant.

> (but then again, SpamAssassin isn’t a fast-moving target these days…)

SA is a mature product with gazillions of users so it doesn't have much 
change really.  But it is alive, features being added, bugs being fixed, 
etc.  I'd like to get more releases done though the repo code is usually 
quite suitable for production environments believe it or not.

> PS. Is there a (hidden) pun in “orange assassin” that non-native English
> speakers don’t understand? Or perhaps it’s something Dutch… (SpamExperts
> originate from Holland I believe DS.

I believe it's an homage to Dreas and team from Amsterdam and the House 
of Orange.


Regards,
KAM



Re: [Mimedefang] [External] Re: Test

2020-11-19 Thread Kevin A. McGrail



>> hope for spamassassin written in python is a long term dream, just
>> like unifi wifi ax
>
> No chance of that happening, I'd say.  There's only downside involved
> in such a rewrite.


Have you looked at Orange Spam?  That was effectively a lightweight 
rewrite of SA in Python.  Not as feature rich but I believe rulesets 
were compatible.  They got bought by SolarWinds so I don't know if the 
project is alive any more.


Regards,
KAM



[Mimedefang] Submit your Patches for MIMEDefang re: AppRiver donates MIMEDefang to The McGrail Foundation

2020-11-19 Thread Kevin A. McGrail

Afternoon everyone!

Sorry for the radio silence.  Many moons ago in the prepandemic times, 
MIMEDefang was donated to The McGrail Foundation. As the new stewards, 
we are accepting bug reports and especially patches.


You can run the latest version from the repo and here is the Changelog: 
https://github.com/The-McGrail-Foundation/MIMEDefang/blob/master/Changelog 
where we have been moving forward!


More info below and at www.mcgrail.com.  Also getting ready to announce 
KAM.cf's update channel too. We currently have it running in production 
and drafting the instructions and announcement now.


Regards,
KAM


 AppRiver donates MIMEDefang to The McGrail Foundation

Mar 05, 2020 Today, we are proud to announce that the MIMEDefang project 
has been donated to The McGrail Foundation. This includes source code, 
website, and domains.


However, due to the COVID-19 Pandemic, the integration of this project 
is going to take some time! Please keep an eye out on the MIMEDefang 
mailing list and our GitHub for more updates.


Thank you to everyone at AppRiver and Zix as well as Roaring Penguin 
founder Dianne F. Skoll for their help in making this wonderful donation 
a reality.



Re: [Mimedefang] [External] Re: utf-8 issue?

2020-01-30 Thread Kevin A. McGrail
On 1/30/2020 6:09 AM, Benoit Panizzon wrote:
> Sorry, if this seemed off-topic.
Discussions of milter implementations and MIME-Tools is definitely NOT
off-topic.
KAM


Re: [Mimedefang] [External] MS Office document macros

2020-01-26 Thread Kevin A. McGrail
On 1/26/2020 10:10 AM, Vieri Di Paola wrote:
> On Sat, Jan 25, 2020 at 12:57 AM Kevin A. McGrail  wrote:
>> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
>> 3.4.3.
> Nice to know spamassassin can block malicious macros in Office documents.
>
> However, I'm not sure why it's not working for me.

Do you have any rules using that plugin?  Look at KAM.cf

https://mcgrail.com/downloads/KAM.cf

Regards,

KAM



Re: [Mimedefang] [External] Re: MS Office document macros

2020-01-25 Thread Kevin A. McGrail
There is also a newer ClamAv plugin being tested.  See
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7786



Re: [Mimedefang] [External] MS Office document macros

2020-01-24 Thread Kevin A. McGrail
On 1/24/2020 6:22 PM, Vieri Di Paola wrote:
> Has anyone tried to detect and block e-mails with MS Office documents
> that contain macros?
> Something like this: https://github.com/sbidy/MacroMilter
>

Hi Vieri,

I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
3.4.3.  There's an update to 3.4.4 coming with more blocks too.  KAM.cf
has examples for implementation too.

Regards,
KAM



Re: [Mimedefang] [External] No such file or directory at /usr/share/perl5/MIME/Parser.pm line 627

2019-12-24 Thread Kevin A. McGrail
On 12/24/2019 4:38 AM, Benoit Panizzon wrote:
> Hi Gang
>
> Happy X-mas to all.
>
> Yesterday I updated one MIMEDefang machine because of actual security
> fixes with SpamAssassin. Those packages were updated:
>
> libsasl2-2 libsasl2-modules libsasl2-modules-db sa-compile sasl2-bin
> spamassassin spamc
>
> They don't seem to be related to perl in any way.
>
> Since then, the MIMEDefang worker fails because MIME::Parser throws an error
> on:
>
> my $headstr = '';
> open(my $outfh, '>:scalar', \$headstr) or die $!;
> $hdr_rdr->read_chunk($in, $outfh, 0, 1);
> close $outfh;
>
> I checked the obvious things like full disk, /var/spool/MIMEDefang,
> permission issue, but I am at a loss.
>
> Has anyone encountered this problem and could point me to the right
> direction?
>
Hi Benoit, I've never seen it but have you looked at reinstalling
MIMETools?  Maybe you updated your version of Perl as well while you
were doing work?

Merry Christmas as well!

Regards,

KAM



Re: [Mimedefang] [External] Re: A rose by any other name... Renaming MIMEDefang. What's your idea for a name?

2019-12-10 Thread Kevin A. McGrail
Hi All,

Just an update on two things:

First, that I'm working with the current owners to re-light the project.

Second, if we need a new name, we closed that vote a while ago and
maillusc was the clear winner and pun du jour encompassing
filtering/perl/oysters/molluscs all in one horribly punny name.

I recommend you think about a backronym for LUSC now :-)

Regards,

KAM




[Mimedefang] A rose by any other name... Renaming MIMEDefang. What's your idea for a name?

2019-11-11 Thread Kevin A. McGrail
Hello All,

MIMEDefang needs a new name.  Got ideas?  Shout em out!

Regards,

KAM



[Mimedefang] Update on MIMEDefang Development

2019-11-10 Thread Kevin A. McGrail
Evening all, I wanted to let you know I'm working through some of the
administrivia to re-open development of MIMEDefang.  Thanks to DFS for
her amazing work and support as I work through the issues.

There are a large number of things to do the least of which will be
confirming a home for the community.  In the meantime, if you have
patches you would like considered for inclusion, please email me at
kevin.mcgrail-mdpatc...@mcgrail.com.  I'm working through an intake
process now!

Regards,
KAM



Re: [Mimedefang] KAM for MIMEDefang Leadership Role

2019-10-28 Thread Kevin A. McGrail
Thank you all for your input and kind words.  I'm going to start on a
plan to move this idea forward.  Likely no news for a bit but I will be
working behind the scenes and bring things back on list as soon as I can.

Regards,

KAM

On 10/21/2019 5:51 PM, Kevin A. McGrail wrote:
> Good Evening everyone,
>
> My name is Kevin A. McGrail.  I've been a long-time user of MIMEDefang
> and I'd like to put myself forward to take the mantle of leadership from
> DFS now that she has moved on to other work.  I don't envision it will
> be as amazing as under Dianne's leadership but I look to continue
> maintaining MD for the public good. 
>
> I've been a PMC Member/Developer/VP & Release Manager of Apache
> SpamAssassin as well as serving as an executive officer at the ASF.  I'm
> good at administrivia and foundational work so I would work to make sure
> the project has a home.  I would likely work on that first while also
> working on any backlog of submitted patches.
>
> I welcome any and all support for such a role.
>
> Regards,
> KAM
>
-- 
*Kevin A. McGrail*
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com <mailto:kmcgr...@pccc.com>

https://www.linkedin.com/in/kmcgrail



[Mimedefang] KAM for MIMEDefang Leadership Role

2019-10-21 Thread Kevin A. McGrail
Good Evening everyone,

My name is Kevin A. McGrail.  I've been a long-time user of MIMEDefang
and I'd like to put myself forward to take the mantle of leadership from
DFS now that she has moved on to other work.  I don't envision it will
be as amazing as under Dianne's leadership but I look to continue
maintaining MD for the public good. 

I've been a PMC Member/Developer/VP & Release Manager of Apache
SpamAssassin as well as serving as an executive officer at the ASF.  I'm
good at administrivia and foundational work so I would work to make sure
the project has a home.  I would likely work on that first while also
working on any backlog of submitted patches.

I welcome any and all support for such a role.

Regards,
KAM



Re: [Mimedefang] Add the .iso extension to the forbidden list

2019-06-26 Thread Kevin A. McGrail
On 6/26/2019 6:25 PM, Kenneth Porter wrote:
> The attackers are spreading malware as executables in small ISO disk
> images.
>
> I'm adding iso to $bad_exts in filter_bad_filename.

Interesting.  We've seen this attack vector for years.  You are welcome
to look at our blocked attachment list at
https://raptor.pccc.com/raptor.cgim?template=raptor_attachment_stripped
including information about why we blocked it.

Regards,
KAM



Re: [Mimedefang] Carefully Crafted Recipient executes script?

2019-06-25 Thread Kevin A. McGrail
On 6/25/2019 4:25 PM, Stefan Schoeman wrote:
> Hoping someone can assist me with this...
>
> I just came across an email processed by MIMEDefang that seems to have
> had a specially crafted recipient. It seems as if the crafted
> recipient managed to coerce either my mimedefang-filter, or MIMEDefang
> itself to actually execute script. The recipient was recorded as : 

It's an exim exploit CVE-2019-10149.  MIMEDefang won't be affected but
you are correct what it is trying to do.

In filter_recipient, add this to reject this exploit attempt:

  #EXIM EXPLOIT 2019 June
  if ($recip =~ /root\+\$\{run/i) {
    $explanation = "Invalid user";
    $answer = 'REJECT';

    return ($answer, $explanation);
  }

Regards,

KAM



Re: [Mimedefang] future of mimedefang and locale

2019-06-20 Thread Kevin A. McGrail
On 6/20/2019 2:57 AM, Vieri Di Paola wrote:
> Is there an update to this previous thread?
>
> https://lists.roaringpenguin.com/pipermail/mimedefang/2019-April/038360.html
Hi Vieri,

DFS doesn't have the capability to do this right now but I've also
reached out to Zix/Appriver that owns MD now to see about reinvigorating
the community but so far they seem to be working on the integration of
the technology on their side of things.  Fingers crossed!

Regards,
KAM



[Mimedefang] Fwd: An open letter from Papa John's CEO, Steve Ritchie

2018-07-15 Thread Kevin A. McGrail
Interesting crap tracking trick that MD shutdown from Papa John's
because we disable javascript in emails:

document.write('https://2543611.fls.doubleclick.net/activityi;src=2543611;type=email011;cat=promo0;ord
 =' + a + '?" width="1" height="1" frameborder="0" 
style="display:none">');

And it broke their mail too.

Racist and technologically incompetent...  They should rename to Masta
John's.

Way to go doubleclick helping them.

KAM

 Forwarded Message 
Subject:An open letter from Papa John's CEO, Steve Ritchie
Date:   Sun, 15 Jul 2018 14:47:44 -0600
From:   Papa John's 
Reply-To:   Papa John's


To: shann...@mcgrail.com



var axel = Math.random() + ""; var a = axel * 10;
document.write('');


This past week was the hardest week in my 22 years with Papa John's. I
know the words of John Schnatter were offensive, and nothing pains me
more than knowing they hurt you. To be clear, those words in no way
represent my views or the values of our company. As the leader of Papa
John's, I'm sorry.

Racism and insensitive language - no matter the context - will not be
tolerated at any level of our company. Period.

Papa John's is not an individual. Papa John's is a pizza company with
120,000 corporate and franchise team members around the world. These are
the people in your communities from all walks of life who work hard to
provide you with better service and better pizza. These are your local
owners and operators who do so much in your community.

Still, you deserve actions, not just words, so here's what we're going
to do about it:

  * We're in the process of bringing in outside experts to help audit
our company's culture and diversity and inclusion practices. This
will allow us to identify our strengths and weaknesses. We will then
set clear goals to do better.
  * Our senior management team will be on the road, listening to our
employees and franchisees and getting their feedback on a path to
move forward.
  * We'll be transparent with you along the way. We want you to hold us
accountable.

I will personally be leading this effort because there is nothing more
important for Papa John's right now. We want to regain your trust, and
we will work hard to earn it. I know this will take time.

The entire team at Papa John's wants to thank you for your loyalty. We
are only in business because of you. And it's our sincere wish that
we'll continue to have the honor of serving you.

Sincerely,

Steve Ritchie
CEO, Papa John's




Re: [Mimedefang] mimedefang blocked since this morning

2018-06-04 Thread Kevin A. McGrail
Hi Florin,

So A) I have a system watcher on mimedefang and clamd. Yesterday it went
off 5 times. That is highly unusual.

B) I have a pdf that unfortunately does bad things and effectively stops
clamd. There is a security bug with the clamav team about this.

So you should design your system to expect messages can stop things
because they can.

I haven't researched issue A yet but I will predict it will be a message
that is blowing up the innards somewhere.
Regards,
KAM

On June 4, 2018 5:52:32 AM EDT, Florin Grosu  wrote:

Recovered by itself, without any modifications. It looks like there was a 
network problem, something like interrogating the public lists (either 
spamassassin or clamav) and waiting forever for the response. I'm waiting for 
the confirmation from our network engineer, but I see no other explanation.

However, this case showed us that we don't know how to find the blocking 
point, if it's a spamassassin problem, or clamav. If you know how, can you 
please answer this point ? 

Thank you very much.



Re: [Mimedefang] Cant reload filter

2018-01-14 Thread Kevin A. McGrail
Hi Thomas, that's the embedded perl option if my memory is correct

You can turn that option off and you can then reread.  The multiplexer design 
is very elegant so I don't think it provides a huge benefit but I use code that 
calls spamd without spamd in the md child.  I think it has some startup delay 
but won't matter too much in real practice.  
Regards,
KAM


>I got this error when i try to reread the filter.
>
>Jan 13 19:32:23 edimail mimedefang-multiplexor[25284]: Cannot destroy
>and recreate a Perl interpreter safely on this platform.  Filter rules
>will NOT be reread.
>
>I am running Ubuntu 16.04.1 LTS.
>
>I have to stop mimedefang and start it again for filter reload.
>
>Any ideas?




Re: [Mimedefang] mailsploit prevention in MD

2017-12-06 Thread Kevin A. McGrail

On 12/5/2017 7:37 PM, Jan-Pieter Cornet wrote:
> Another bug with its own logo and website has appeared:
> www.mailsploit.com.

In the same vein and somewhat off-topic from an MD solution, here's a 
solution via Apache SpamAssassin that I'm soliciting feedback regarding 
on the SA users mailing list.


I've added these rules to KAM.cf and would appreciate feedback.

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#NUL
header   __KAM_MAILSPLOIT1   From =~ /[\0]/
describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index

#\n Multiple in the From Header
header   __KAM_MAILSPLOIT2   From =~ /[\n]/
describe __KAM_MAILSPLOIT2   RFC2047 Exploit https://www.mailsploit.com/index
tflags   __KAM_MAILSPLOIT2   multiple maxhits=2

meta     KAM_MAILSPLOIT      (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT      Mail triggers known exploits per mailsploit.com
score    KAM_MAILSPLOIT      10.0

Regards,
KAM
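The rules above look for NUL and newline in the raw From header. As an added example that is not part of the post or of KAM.cf, here is the same check done on the MIMEDefang side: decode the RFC 2047 encoded-words in a From header and report any control characters that survive decoding. Sample headers and the `mailsploit_controls` helper are constructed for this demo; only core Perl modules are used.

```perl
#!/usr/bin/perl
# Added example (not from the post, not part of KAM.cf): decode RFC 2047
# encoded-words in a From header and report control characters (NUL,
# line feed, ...) hidden in the decoded text, which is what a
# mailsploit-style header smuggles past a client's address display.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);
use MIME::QuotedPrint qw(decode_qp);

# Decode the payload of one encoded-word.  "B" is base64; "Q" is
# quoted-printable with '_' standing for a space.
sub decode_word {
    my ($encoding, $text) = @_;
    return decode_base64($text) if uc($encoding) eq 'B';
    $text =~ tr/_/ /;
    return decode_qp($text);
}

# Replace every =?charset?enc?text?= token with its decoded bytes.
# The charset is deliberately ignored: only control characters matter
# here, and those are the same bytes in every ASCII-compatible charset.
sub decode_rfc2047 {
    my ($raw) = @_;
    $raw =~ s/=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=/decode_word($2, $3)/ge;
    return $raw;
}

# Returns the control characters found after decoding, as "0xNN" strings
# in order of appearance; an empty list means the header is clean.
# Tab is not counted because folded headers legitimately contain it.
sub mailsploit_controls {
    my ($raw_from) = @_;
    my $decoded = decode_rfc2047($raw_from);
    my @hits = $decoded =~ /([\x00-\x08\x0A-\x1F\x7F])/g;
    return map { sprintf('0x%02X', ord($_)) } @hits;
}

# In a filter this would run from filter_end on $entity->head->get('From')
# and, like the SA meta rule above, treat a hit as grounds to reject.
# Both sample headers are constructed for the demo; the hostile one packs
# a NUL and a line feed inside a Q-encoded word.
my %samples = (
    benign  => '=?utf-8?Q?Caf=C3=A9_Support?= <support@example.com>',
    hostile => '=?utf-8?Q?ceo=40example.com=00=0A?= <mailer@example.net>',
);
for my $name (sort keys %samples) {
    my @controls = mailsploit_controls($samples{$name});
    printf "%-8s %s\n", $name,
        @controls ? "REJECT: control bytes @controls" : "clean";
}
```

The benign sample decodes to plain "Café Support" and reports nothing; the hostile one reports 0x00 and 0x0A.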


Re: [Mimedefang] How-to: Extracting Inline Images from Emails?

2017-11-09 Thread Kevin A. McGrail

On 11/9/2017 9:11 AM, Dianne Skoll wrote:
> Inline attachments are not special; they're just like regular attachments
> except they have a Content-Disposition: of inline and quite likely
> have a Content-ID: header.


Ahh, thanks!

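To show what Dianne's answer means in practice, here is an added example (not code from the thread) that walks a parsed message with MIME::Tools, the library MIMEDefang hands a filter as `$entity`, and lists every leaf part with its disposition and Content-ID, so inline images appear beside ordinary attachments. The message is constructed for the demo and the image bytes are placeholders, not real PNG or PDF data.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: walk a MIME::Tools entity and
# report every non-container part, with disposition and Content-ID, so
# that inline images are found alongside classic attachments.
use strict;
use warnings;
use MIME::Parser;

# Recursively collect leaf parts as hashrefs; multipart containers are
# descended into but not reported themselves.
sub collect_parts {
    my ($entity, $acc) = @_;
    $acc ||= [];
    if ($entity->is_multipart) {
        collect_parts($_, $acc) for $entity->parts;
        return @$acc;
    }
    my $head = $entity->head;
    my $cid  = $head->get('Content-ID');
    $cid = '' unless defined $cid;
    $cid =~ s/^\s+|\s+$//g;
    push @$acc, {
        type        => $head->mime_type,
        disposition => lc($head->mime_attr('content-disposition') || ''),
        filename    => $head->recommended_filename || '',
        content_id  => $cid,
        bytes       => $entity->bodyhandle
                         ? length($entity->bodyhandle->as_string) : 0,
    };
    return @$acc;
}

# Parts worth extracting: anything that is not the text body, i.e. that
# carries a filename, a Content-ID, or a non-text content type.
sub extractable_parts {
    my ($entity) = @_;
    return grep {
        $_->{filename} ne '' || $_->{content_id} ne '' || $_->{type} !~ m{^text/}
    } collect_parts($entity);
}

# Constructed sample: HTML body referencing an inline image by cid:, plus
# a classic attachment.  The base64 payloads are placeholders.
my $raw = <<'END_MSG';
From: sender@example.org
To: recipient@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:logo@example.org"></body></html>
--inner
Content-Type: image/png; name="logo.png"
Content-Disposition: inline; filename="logo.png"
Content-ID: <logo@example.org>
Content-Transfer-Encoding: base64

UE5HLXBsYWNlaG9sZGVy
--inner--
--outer
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

UERGLXBsYWNlaG9sZGVy
--outer--
END_MSG

my $parser = MIME::Parser->new;
$parser->output_to_core(1);        # keep decoded parts in memory, no temp files
my $entity = $parser->parse_data($raw);

for my $p (extractable_parts($entity)) {
    printf "%-16s %-11s %-12s cid=%s (%d bytes)\n",
        $p->{type}, $p->{disposition}, $p->{filename},
        $p->{content_id} || '-', $p->{bytes};
}
```

Inside a MIMEDefang filter the same walk would start from the `$entity` passed to filter_end instead of parsing a string.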


[Mimedefang] How-to: Extracting Inline Images from Emails?

2017-11-08 Thread Kevin A. McGrail

Hi All,

I'm trying to rip out attachments that are inline as well as attachments 
from emails.


Anyone have any pointers for that in MD so I don't reinvent the wheel?

Regards,
KAM


Re: [Mimedefang] filter for header line

2017-09-05 Thread Kevin A. McGrail

On 9/5/2017 7:15 AM, MAYER Hans wrote:
> Dear mailing list members,
>
> I am looking for a possibility to filter for an existing header line.
> I found a lot of examples where $Subject, $Sender and others can be used.
> But I need the possibility to find a certain header line, for example
> X-Someinfo:
> Can someone point me to some examples.
> I was searching at Google but obviously with the wrong keywords.
>
> Kind regards
> Hans


Hi Hans,

Here's how I do it:

if (uc(check_header(header => "X-HANS-Check-Header") // '') eq
    'X-HANS-CHECK-HEADER: TRUE') {
    # blah...
}

use IO::File;

# check the HEADERS file and return any instances of a specific
# header (case insensitive on header name), newline-separated with no
# trailing newline; undef if the header is absent or HEADERS is unreadable
sub check_header {
  my (%params) = @_;
  my ($filehandle, @lines);

  $params{'header'} || return undef;

  $filehandle = IO::File->new('< ./HEADERS') or return undef;

  while (<$filehandle>) {
    chomp;
    if ($_ =~ /^\Q$params{'header'}\E:/i) {
      push @lines, $_;
    }
  }

  close($filehandle);

  return @lines ? join("\n", @lines) : undef;
}

Regards,
KAM
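Both the HEADERS-parsing snippet in the "Help with header checking" thread above and the check_header sub in this reply rescan ./HEADERS for each lookup and return nothing when the file is missing. The following is an added example, not code from either post: it reads the file once into a map of lowercased header name to list of values, keeps every Received: line, and reports a missing file instead of silently yielding an empty map. The HEADERS content is constructed for the demo; the helper names are this example's own, and folded continuation lines are assumed to be already joined.

```perl
#!/usr/bin/perl
# Added example, not code from either post: read a HEADERS-style file
# once into lowercased name => list of values and answer lookups from it.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Parse one "Name: value" line per header (the layout the posted code
# expects; continuation lines are assumed joined).  Returns a hashref,
# or undef after warning when the file cannot be read, so a caller can
# tell "absent header" from "no HEADERS file at all".
sub load_headers {
    my ($path) = @_;
    my %by_name;
    open(my $fh, '<', $path) or do {
        # inside a filter this would be md_syslog('warning', ...)
        warn "load_headers: cannot open $path: $!\n";
        return undef;
    };
    while (my $line = <$fh>) {
        $line =~ s/\r?\n\z//;
        # RFC 5322 field names are printable ASCII except ':'
        next unless $line =~ /^([!-9;-~]+):[ \t]*(.*)\z/;
        push @{ $by_name{ lc $1 } }, $2;
    }
    close($fh);
    return \%by_name;
}

# Every value of a header, in file order; empty list when absent
# (so a Received list can never be undef).
sub header_values {
    my ($headers, $name) = @_;
    return @{ $headers->{ lc $name } || [] };
}

# First value only, like $Header{'from'} in the posted code.
sub header_first {
    my ($headers, $name) = @_;
    my @v = header_values($headers, $name);
    return @v ? $v[0] : undef;
}

# True when some instance of $name equals $want, ignoring case and
# surrounding whitespace in the value.
sub header_is {
    my ($headers, $name, $want) = @_;
    for my $v (header_values($headers, $name)) {
        (my $trimmed = $v) =~ s/^\s+|\s+$//g;
        return 1 if lc($trimmed) eq lc($want);
    }
    return 0;
}

# --- demo on a constructed HEADERS file (not from a real message) ---
my ($out, $path) = tempfile(UNLINK => 1);
print $out <<'END_HEADERS';
Received: from mx2.example.net by mail.example.com; Tue, 5 Sep 2017 07:15:24 -0400
Received: from client.example.org by mx2.example.net; Tue, 5 Sep 2017 07:15:20 -0400
From: Sender <sender@example.org>
Subject: constructed sample
X-Someinfo: true
END_HEADERS
close($out);

my $h = load_headers($path);
die "no headers\n" unless $h;
printf "%d Received header(s)\n", scalar header_values($h, 'Received');
printf "From: %s\n", header_first($h, 'FROM') // '(none)';
printf "X-Someinfo is TRUE: %s\n", header_is($h, 'x-someinfo', 'TRUE') ? 'yes' : 'no';
printf "X-Missing count: %d\n", scalar header_values($h, 'X-Missing');

# A missing file is reported rather than silently producing an empty map.
my $missing = load_headers('/nonexistent/HEADERS');
print "missing file -> ", defined $missing ? 'hash' : 'undef', "\n";
```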


Re: [Mimedefang] arj file extension

2017-08-09 Thread Kevin A. McGrail

On 8/9/2017 9:39 AM, Joseph Brennan wrote:
> New one to me-- a phish came in with a .arj attachment. Pretty old
> format. We're going to block it, since I doubt anyone uses it this
> side of the 90s.



Holy time-machine, Batman.  Perhaps they are trying to infect some 
legacy system and it's a targeted attack?


Does 7-zip or something handle it and it has some obscure auto-execution 
concept?


Wow!
KAM


Re: [Mimedefang] MIMEDefang without SpamAssassin

2017-06-08 Thread Kevin A. McGrail

On 6/8/2017 4:16 PM, Dianne Skoll wrote:
> You can't use the stock /etc/mail/mimedefang-filter.  Create
> your own filter and near the top, put this:
>
> $Features{"AutoDetectPerlModules"} = 0;
>
> This will cause MIMEDefang not to drag in various expensive Perl modules
> like SpamAssassin.  Then write your own filter_end routine to do whatever
> processing you need.

Ignore my response.  It's based on a different filter than stock I realized!



Re: [Mimedefang] MIMEDefang without SpamAssassin

2017-06-08 Thread Kevin A. McGrail

On 6/8/2017 1:04 PM, Chad Cordero wrote:
I have a CentOS 7 box running the packaged mimedefang 2.79-1.e17.  I 
installed it on my Mailman server to include the footer of a list in 
the body, instead of as an attachment.  However, I have now noticed 
that some messages get a SpamAssassinReport.txt file attached to it. 
Is there a configuration parameter I can set to not run SpamAssassin?  
My mailman server is already behind a spam/virus scanner and I only 
need mimedefang to clean up the footer.


In your mimedefang-filter, set this:

# Disable SpamAssassin (For Example, to use procmail mode for SpamAssassin);
$Features{"SpamAssassin"} = 0;

Regards,
KAM


Re: [Mimedefang] Checking Office XML Files

2017-04-13 Thread Kevin A. McGrail

On 4/13/2017 9:43 AM, Dianne Skoll wrote:

On Thu, 13 Apr 2017 07:15:24 -0400
"Kevin A. McGrail" <kmcgr...@pccc.com> wrote:


Any ideas how to reliably detect if they are password protected
Office files and deal with them appropriately?

:) Funny you should ask!  We do this in CanIt.

There's a program called "lsar" that can print out all kinds of useful info
about all kinds of archive formats, including MS Office files.  Some encrypted
office files contain a subfile called "EncryptionInfo" while for others,
"lsar" issues an "XADIsEncrypted" attribute.

So you can key off those.

On Debian, "lsar" is part of the "unar" package.

We are on similar pages there.

lsar does indeed identify it correctly.

It was really my mistake thinking that all office xml (docx, xlsx, etc) 
were zip files.


It appears encrypted ones are not!


[Mimedefang] Checking Office XML Files

2017-04-13 Thread Kevin A. McGrail

Morning!

I have previously been checking files like xlsx for indicators they have 
macros and blocking them.


Effectively I was doing things like this by treating them as zip files.

However, it appears I was stupid and files when password protected 
aren't password protected zips but something else.


I'm just starting to dive into this issue.

Any ideas how to reliably detect if they are password protected Office 
files and deal with them appropriately?  A quick check shows they don't 
appear to have a consistent magic byte but perhaps I'm missing something 
obvious.


Regards,
KAM


Re: [Mimedefang] Get recipients

2017-04-12 Thread Kevin A. McGrail

On 4/12/2017 5:12 AM, Stagiair 2. Cisa wrote:

I'm working directly into the mimedefang.pl now.

Same problem as before, the size of the array is right but it has empty values.

Could this be the result of using an EFA-server?  
(https://efa-project.org/about/)
It uses postfix instead of sendmail.

Or do you have any other ideas why it's not filling up?


Hi Stagiair,

I use MD with both postfix and sendmail and use @Recipients without 
concern.  You have something fundamentally wrong as this is really a 
basic issue.


@Recipients might not be set in filter_recipient.  And if you are using 
add_recipient, it doesn't change.  I don't think there are many other 
restrictions.


So if the array length is changing but the array values are not, I can 
only extrapolate that there is something very odd.


Best if you post a filter for us to look at.

Or if you know you have logging working, in filter_begin add this:

my $output = '';   # start empty so md_syslog never gets undef when @Recipients is empty

foreach my $recip (@Recipients) {
    $output .= " $recip ";
}

md_syslog('info', $output);


And test what you see in your logs.

Untested while grabbing lunch, but that basic code must work or you are 
fundamentally building on a flawed foundation.



Regards,
KAM



Re: [Mimedefang] Anti-spam breakthrough from Roaring Penguin

2017-04-01 Thread Kevin A. McGrail
On April 1, 2017 12:17:25 AM EDT, Dianne Skoll  wrote:
>I'm proud to announce that our Roaring Penguin research staff have made
>a historical breakthrough in spam filtering.  Please see our video
>about
>our new technology, Quantum Spam Filtering:
>
>https://www.youtube.com/watch?v=koRRqOJcaHs

A truly unique way to combat spammers!
Regards,
KAM



[Mimedefang] Memory Usage Thoughts

2017-03-22 Thread Kevin A. McGrail

Evening all,

I'm looking at the math for memory size for a MIMEDefang process such as 
this one:


postfix   1620  0.0  0.9 116392 33088 ?SMar20   0:00 
/usr/bin/perl /usr/bin/mimedefang.pl -f /etc/mail/mimedefang-filter -serveru


If I do the Rss memory size (33184) minus the Shared memory size (2892), 
would that be a good basis for how much ram each process uses?


Regards,
KAM


Re: [Mimedefang] Bcc Info

2017-03-10 Thread Kevin A. McGrail

On 3/9/2017 8:35 AM, Dianne Skoll wrote:

Yes, although you'd obviously only be seeing those Bcc: recipients in
a domain or domains handled by your server.


Thanks Dianne, D. Stussy and Kees for your input!

Regards,
KAM


[Mimedefang] Bcc Info

2017-03-08 Thread Kevin A. McGrail
If I Bcc someone, the MUA is injecting as additional rcpt_to but there 
is no header with the info.


Would parsing the To and Cc headers and comparing to @Recipients for 
what remained tell you what would be a Bcc?


regards,

KAM
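
KAM's idea above (the To: and Cc: addresses subtracted from @Recipients), with Dianne's caveat that the envelope only lists recipients this server delivers for, carried through as an added Perl example that is not from the thread or from MIMEDefang itself. It assumes Mail::Address (MailTools) is installed; the function names and sample addresses are mine.

```perl
use strict;
use warnings;
use Mail::Address;   # RFC 5322 address-list parser from MailTools

# Reduce an envelope recipient, as found in @Recipients (possibly wrapped
# in angle brackets), to bare lower-case user@domain for comparison.
sub normalize_envelope_address {
    my ($addr) = @_;
    $addr =~ s/^\s+|\s+$//g;
    $addr =~ s/^<(.*)>$/$1/;
    return lc $addr;
}

# Every address named in the visible To: and Cc: header bodies.
sub visible_recipients {
    my (@header_bodies) = @_;
    my %seen;
    for my $body (@header_bodies) {
        next unless defined $body;
        $seen{ lc $_->address } = 1 for Mail::Address->parse($body);
    }
    return \%seen;
}

# Envelope recipients that appear in neither To: nor Cc: are the Bcc
# candidates.  Caveat from Dianne's reply: the envelope only carries the
# recipients this server delivers for, so a Bcc to another domain is
# invisible here.
sub bcc_candidates {
    my ($to, $cc, @envelope) = @_;
    my $visible = visible_recipients($to, $cc);
    my %out;
    for my $rcpt (@envelope) {
        my $norm = normalize_envelope_address($rcpt);
        $out{$norm} = 1 unless $visible->{$norm};
    }
    return sort keys %out;
}

# Constructed sample of what filter_end would see for one message.
my $sample_to = 'Alice <alice@example.com>, bob@example.com';
my $sample_cc = '"Carol, C." <carol@example.com>';
my @sample_envelope = ('<alice@example.com>', 'Bob@Example.com',
                       '<carol@example.com>', '<dave@example.com>');

my @bcc = bcc_candidates($sample_to, $sample_cc, @sample_envelope);
print "Bcc candidates: @bcc\n";

# In a real mimedefang-filter the same call is fed from the parsed message
# in filter_end, where both the headers and @Recipients are available:
#   my $to  = $entity->head->get('To', 0);
#   my $cc  = $entity->head->get('Cc', 0);
#   my @bcc = bcc_candidates($to, $cc, @Recipients);
```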



Re: [Mimedefang] OT: Help Wanted at Virtru for a Programmer w/Java, Perl, Javascript, etc. and SMTP/MTA experience

2017-03-02 Thread Kevin A. McGrail
On March 2, 2017 10:46:45 PM EST, Bill Cole 
<mdlist-20140...@billmail.scconsult.com> wrote:
>On 28 Feb 2017, at 19:46, Kevin A. McGrail wrote:
>
>> Off-topic Help-Wanted posting but this is one of those lists where 
>> someone might know Java and can argue RFC5822 as if it was chapter
>and 
>> verse.
>
>
>Relevant tweet: https://twitter.com/obra/status/156597976255574016
He's not going for a broad audience with these tweets.  What 12 people who 
lol'd that?

But yes, someone who knows my brain merged 2822 and 5322 is exactly what I 
need.  ;-)   find me that in a Java programmer, please.
Regards,
KAM



[Mimedefang] OT: Help Wanted at Virtru for a Programmer w/Java, Perl, Javascript, etc. and SMTP/MTA experience

2017-02-28 Thread Kevin A. McGrail

All,

Off-topic Help-Wanted posting but this is one of those lists where 
someone might know Java and can argue RFC5822 as if it was chapter and 
verse.


Regards,

KAM


Looking for a good programmer and especially one that knows programming
is a state of mind, not a language.  Lots of gear switching from Java to
JSON to Perl to Bash to whatever...  Ideal person from my POV will be a
jack of all trades with experience in programming, building and using
test structures, knows real-world MTA/SMTP issues, etc.

Good news is that it's a cool product at an exciting start-up. Just
named to CNBC's top 25 startups
http://www.cnbc.com/2017/02/28/upstart-25-virtru.html   The bad news is
you'll be working with me.

Email me at kevin.mcgrail-vir...@mcgrail.com if you are interested in
learning more or applying.

Specs Below

Senior Java Developer (Gateway)
Engineering | Washington, DC | Full Time
Job Description

Senior Java Developer (Gateway)

Virtru is a fast-paced startup with a strong performance-driven culture.
We are well capitalized with investments from Bessemer Venture Partners
and private investors. Virtru offers a competitive salary, full health
benefits, and the ability to work with talented coworkers in an
informal, collaborative environment.

The ideal candidate will have a natural passion for digital privacy,
software development, and great user experiences. We are a fun group and
want to keep it that way, which means you should be comfortable speaking
your mind, drinking a few beers, eating ramen, and geeking out about
side projects. Anyone who has trouble self-motivating is going to have a
hard time. We’re looking for an expert, who can make tough decisions. We
don't want anyone that needs constant management. If you have trouble
collaborating and self-organizing with the assistance of a Sprint Board
you shouldn't apply.

Unfortunately, we are only able to hire within the U.S. at this time.

Requirements

Minimum 6 years working with Enterprise Java applications
Experience building high throughput, secure products
Experience developing JSON, RESTful APIs, and SDKs

Preferences

Experience in any of the following is a huge plus: Javascript,
NodeJS, Perl, Mail Transfer Agents (MTAs) and SMTP servers
Comfortable working with Git and Jira
Experience working within a Scrum and/or Kan Ban agile process
Strong natural analytical and creative abilities
Team player who also enjoys autonomy
Be willing to provide daily/weekly status updates




Re: [Mimedefang] MD 2.79 - very minor patch for mimedefang.multiplexor.c

2017-02-21 Thread Kevin A. McGrail

On 2/19/2017 5:56 PM, Philip Prindeville wrote:

Which raises the philosophical question, how long do compilers from a different 
millennium need to be supported?;-)   Kevin, you’re so 1989.


It was a good decade.  I think I went dressed as Hulk Hogan for 
Halloween two years ago.  Sunglasses, a bright T-shirt and shorts, a 
bandana, a blond wig/mustache and a boa and you're good to go.


Sorry, I think I just brought Hulkamania into a philosophy discussion.  
Perhaps that deserves bonus points?


Best,
KAM


Re: [Mimedefang] Delaying 2xx as long as possible with stream_by_xyz()

2017-02-08 Thread Kevin A. McGrail

On 1/31/2017 3:07 AM, Steffen Kaiser wrote:
some wild idea: 
Thanks Steffen.  If I find an elegant solution, I'll post back to the 
list for sure!



[Mimedefang] MD 2.79 - very minor patch for mimedefang.multiplexor.c

2017-02-05 Thread Kevin A. McGrail
I'm sure it's an ancient gcc that I'm using but throwing an error 
compiling 2.79.  This is the only issue that stops compilation so I 
fixed it to define the var before setting a value.


gcc -g -O2 -Wall -Wstrict-prototypes -D_POSIX_PTHREAD_SEMANTICS 
-DEMBED_PERL -DSAFE_EMBED_PERL -DPERL_PATH=\"/usr/local/bin/perl\" 
-DMIMEDEFANG_PL=\"/usr/local/bin/mimedefang.pl\" -DRM=\"/bin/rm\" 
-DVERSION=\"2.79\" -DSPOOLDIR=\"/var/spool/MIMEDefang\" 
-DQDIR=\"/var/spool/MD-Quarantine\" -DCONFDIR=\"/etc/mail\"  -c -o 
mimedefang-multiplexor.o ./mimedefang-multiplexor.c

./mimedefang-multiplexor.c: In function `doSlaveReport':
./mimedefang-multiplexor.c:3548: parse error before `now'
./mimedefang-multiplexor.c:3581: `now' undeclared (first use in this function)
./mimedefang-multiplexor.c:3581: (Each undeclared identifier is reported only once
./mimedefang-multiplexor.c:3581: for each function it appears in.)
./mimedefang-multiplexor.c:3542: warning: `secs' might be used uninitialized in this function

make: *** [mimedefang-multiplexor.o] Error 1

--- mimedefang-multiplexor.org  Sun Feb  5 15:02:43 2017
+++ mimedefang-multiplexor.cSun Feb  5 15:03:05 2017
@@ -3538,6 +3538,7 @@
 char *ptr = ans;
 char status = '?';
 int i, j;
+time_t now;

 int secs;
 if (!ans) {
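Review bot: `time_t now;` is added above the blank line that separates it from `int secs;`, which reads as if `int secs;` were a second declaration block; put the two adjacent (or drop the blank line) so the declaration block is visibly one unit for the C89 compiler this targets. Since the same build reports `'secs' might be used uninitialized in this function`, this hunk is also the natural place to write `int secs = 0;`.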
@@ -3545,7 +3546,7 @@
return;
 }
 *ans = 0;
-time_t now = time(NULL);
+now = time(NULL);

 for (i=0; i
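Review bot: keeping `now = time(NULL);` after `*ans = 0;`, and so behind the `if (!ans)` early return in the preceding context, is correct because `now` is not read on that path; what is missing is a record of why the C99-style `time_t now = time(NULL);` was split, so add a one-line comment or ChangeLog note that the multiplexor must stay C89-clean, and consider a `-std=c89 -pedantic` test build so a mixed declaration does not creep back in.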

Re: [Mimedefang] Delaying 2xx as long as possible with stream_by_xyz()

2017-01-30 Thread Kevin A. McGrail

On 1/30/2017 9:11 AM, Dianne Skoll wrote:

The stream_by_XXX methods set a flag that makes Sendmail discard the
original message,  So you cannot do anything useful in the original
SMTP conversation after streaming.


Thank god.  You were hurting my brain when I was looking at the 
underlying code and didn't think it would work.


Regards,
KAM


Re: [Mimedefang] Delaying 2xx as long as possible with stream_by_xyz()

2017-01-30 Thread Kevin A. McGrail
On January 27, 2017 3:50:53 AM EST, Steffen Kaiser 
 wrote:

>Um, what do you mean with "interactive SMTP responses such as checking
>the 
>helo values"
>
>I just forgot to point out the obvious:
>
>Which state you are returning to the sender, if your streamed messages 
>return different status'? E.g. it could sent to recipient one, but not
>two 
>and recipient three tempfailed.
>
>Maybe ...
Yeah, that is where I am a bit confused as well.  I'll have to work it out in a 
lab I think.
Regards,
KAM



[Mimedefang] Delaying 2xx as long as possible with stream_by_xyz()

2017-01-26 Thread Kevin A. McGrail

All,

I was thinking about a scenario with stream_by_recipient or 
stream_by_domain where I want to delay accepting responsibility for the 
email as long as possible.


In filter_begin when we call stream_by_xyz, have we accepted the mail?  
Or can we still do interactive SMTP responses?


If not, can we do interactive SMTP responses such as checking the helo 
values, then stream the messages to process it per domain or per recipient?


I can't find it documented, but I seem to remember that once you stream 
the messages per domain or per recipient, that you've given a 2xx DSN 
and closed the session.  So if you then later find you want to decline, 
you have to generate a bounce.


Any pointers appreciated especially if this is a milter limitation or an 
MD framework limitation that I can figure out a way around!


Regards,
KAM




Re: [Mimedefang] Block .js extension was Fwd: G Suite Update Alerts

2017-01-26 Thread Kevin A. McGrail

On 1/26/2017 9:12 AM, Dianne Skoll wrote:

On Thu, 26 Jan 2017 08:10:13 -0500
"Kevin A. McGrail" <kmcgr...@pccc.com> wrote:


OK, so I seem to post only about extensions lately... Gmail is going
to block .js which mirrors in the wild attempts in zip files as well
that we have seen VERY minorly in recent days.

Huh.  We take a more nuanced approach.  We block .js files directly attached
to an email message.  For looking inside zips, we block .js files UNLESS
there's also at least one .html, .htm or .css file also found in the zip.

A blanket block of .js would really annoy web developers who seem to mail
around zip files of projects (yeah, yeah, this "git" nonsense will never
catch on...)
Nice nuanced approach.  We haven't had too many complaints and have 
blocked js/jse with quarantine for eons including inside zip files 
recursively.  RCS like git is really the correct answer...


Regards,
KAM
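
Dianne's nuanced rule (block a .js inside a zip unless .html, .htm or .css members are also present) combined with KAM's recursive descent into nested zips, as an added Perl example that is neither the thread's code nor MIMEDefang's own. It assumes Archive::Zip is available; the function names, the three-level depth bound and the sample archives are mine.

```perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempfile);

# Decision over a list of archive member names, kept free of I/O so it can
# be exercised without a real zip.  Returns a reason to block, or undef.
# Rule from the thread: block when a .js/.jse member is present unless a
# .html/.htm/.css member is also present (a web project mailed as a zip).
sub js_block_reason {
    my (@members) = @_;
    my @script = grep { /\.jse?$/i } @members;
    return undef unless @script;
    return undef if grep { /\.(?:html?|css)$/i } @members;
    return "script file(s) without web content: @script";
}

# Apply the rule to a zip on disk and to any zip nested inside it (each
# nested archive is judged on its own member list).  $depth bounds the
# descent so a deliberately deep archive cannot tie up a slave.
sub zip_js_block_reason {
    my ($path, $depth) = @_;
    $depth //= 0;
    return undef if $depth > 3;
    my $zip = Archive::Zip->new;
    return undef unless $zip->read($path) == AZ_OK;   # not a readable zip: leave to other checks
    my @names  = $zip->memberNames;
    my $reason = js_block_reason(@names);
    return $reason if defined $reason;
    for my $inner (grep { /\.zip$/i } @names) {
        my ($fh, $tmp) = tempfile(SUFFIX => '.zip', UNLINK => 1);
        binmode $fh;
        my $rc = $zip->memberNamed($inner)->extractToFileHandle($fh);
        close $fh;
        next unless $rc == AZ_OK;
        $reason = zip_js_block_reason($tmp, $depth + 1);
        return "$inner: $reason" if defined $reason;
    }
    return undef;
}

# Constructed sample archives (one-byte members) written to temp files.
sub write_sample_zip {
    my (@members) = @_;
    my $zip = Archive::Zip->new;
    $zip->addString('x', $_) for @members;
    my ($fh, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
    binmode $fh;
    $zip->writeToFileHandle($fh, 1) == AZ_OK or die "cannot write $path";
    close $fh;
    return $path;
}

my $project = write_sample_zip('index.html', 'app.js', 'style.css');
my $dropper = write_sample_zip('invoice.js');
# A zip wrapping the dropper, to exercise the descent into nested archives.
my $wrapper = do {
    my $zip = Archive::Zip->new;
    $zip->addFile($dropper, 'attachment.zip');
    my ($fh, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
    binmode $fh;
    $zip->writeToFileHandle($fh, 1) == AZ_OK or die "cannot write $path";
    close $fh;
    $path;
};

for my $case (['web project', $project], ['bare .js', $dropper], ['nested', $wrapper]) {
    my ($label, $file) = @$case;
    my $why = zip_js_block_reason($file);
    printf "%-12s %s\n", $label, defined $why ? "BLOCK ($why)" : 'pass';
}
```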


[Mimedefang] Block .js extension was Fwd: G Suite Update Alerts

2017-01-26 Thread Kevin A. McGrail
OK, so I seem to post only about extensions lately... Gmail is going to 
block .js which mirrors in the wild attempts in zip files as well that 
we have seen VERY minorly in recent days.


Gmail will block .js file attachments starting February 13, 2017

Posted: 25 Jan 2017 01:30 PM PST

Gmail currently restricts certain file attachments (e.g. .exe, .msc, and 
.bat) for security reasons, and starting on *February 13, 2017*, we will 
not allow .js file attachments as well. Similar to other restricted file 
attachments, you will not be able to attach a .js file and an in-product 
warning will appear, explaining the reason why.


If you still need to send .js files for legitimate reasons, you can use 
Google Drive, Google Cloud Storage, or other storage solutions to share 
or send your files.


Regards,
KAM


Re: [Mimedefang] Block internal messages

2016-12-26 Thread Kevin A. McGrail

On 12/26/2016 9:38 PM, Richard Laager wrote:

On 12/26/2016 03:35 PM, Marcelo Machado wrote:

I am new to Mimedefang and I would like to know if it is possible to
block internal messages, (from my domain to my domain) if the number
of recipients is greater than 10.

Anything is possible if you write the custom Perl code required. What
you have described wouldn't be too terribly hard. No, that's not an
offer to write it. Look at the @Recipients array. In there, you can
determine if some recipients are local, and how many. The $Sender
variable is how you'd determine if the sender is local.



filter_sender might be the better way to go. That way you can 
accept/reject/etc.


From the man page:

   filter_sender is passed four arguments: $sender is the envelope e-mail
   address of the sender (for example, ""). The address may or may not be
   surrounded by angle brackets. $ip and $name are the IP address and host
   name of the SMTP relay. Finally, $helo is the argument to the SMTP
   "HELO" command.


Then something to strip to the domain:

#get domain name from an email address
sub get_domain_from_email {
  my ($domain) = @_;

  #REMOVE ANY LEADING/TRAILING SPACE'S (before the <>'s, so " <a@b> " is handled)
  $domain =~ s/^ *//g;
  $domain =~ s/ *$//g;
  #REMOVE ANY LEADING/TRAILING <>'s
  $domain =~ s/(^<|>$)//g;
  #REMOVE EVERYTHING UP TO THE @ SYMBOL
  $domain =~ s/.*\@//g;

  return $domain;
}

And then a check like:

if (uc(get_domain_from_email($sender)) eq 'MARCELO.ORG') {
   return ('REJECT', "Sorry; Can't send internal email.");
}

Regards,
KAM
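
The same domain check carried through to Marcelo's actual rule (a local sender writing to more than 10 local recipients), as an added Perl example that is not from the thread or from MIMEDefang. The function names, 'marcelo.org' as the local domain and the sample addresses are placeholders; the filter_begin wiring in the trailing comment relies on the documented $Sender, @Recipients and action_bounce.

```perl
use strict;
use warnings;

# Lower-case domain of an envelope address; tolerates surrounding
# whitespace and optional angle brackets (the man page says $sender may or
# may not carry them).  Empty string if there is no @ at all.
sub envelope_domain {
    my ($addr) = @_;
    $addr =~ s/^\s+|\s+$//g;
    $addr =~ s/^<(.*)>$/$1/;
    return $addr =~ /\@([^@]+)$/ ? lc $1 : '';
}

# Marcelo's rule: an internal message (local sender) addressed to more than
# $max local recipients.  Returns a rejection reason, or undef to accept.
sub internal_fanout_reason {
    my ($sender, $local_domain, $max, @recipients) = @_;
    $local_domain = lc $local_domain;

    # Mail from outside is not "internal"; leave it to the other checks.
    return undef unless envelope_domain($sender) eq $local_domain;

    my $local = grep { envelope_domain($_) eq $local_domain } @recipients;
    return undef if $local <= $max;
    return "internal message to $local local recipients exceeds the limit of $max";
}

# Constructed sample: eleven local recipients plus one external one, with
# 'marcelo.org' standing in for the site's own domain.
my $sample_sender = '<someone@marcelo.org>';
my @sample_rcpts  = ((map { "<user$_\@marcelo.org>" } 1 .. 11), '<partner@example.net>');

for my $limit (10, 20) {
    my $why = internal_fanout_reason($sample_sender, 'marcelo.org', $limit, @sample_rcpts);
    print "limit $limit: ", defined $why ? "REJECT ($why)" : 'accept', "\n";
}

# Wiring into mimedefang-filter: filter_sender only knows the sender, so the
# count has to wait for filter_begin, where @Recipients is complete and
# action_bounce() turns the reason into a 5xx for the whole message:
#   sub filter_begin {
#       my $why = internal_fanout_reason($Sender, 'marcelo.org', 10, @Recipients);
#       action_bounce($why) if defined $why;
#   }
```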


Re: [Mimedefang] add_header all RelaysUntrusted _RELAYSUNTRUSTED_

2016-12-12 Thread Kevin A. McGrail

On 12/12/2016 5:57 PM, Marcus Schopen wrote:

Hmmm ... I did a reread and after your email a stop/start, but the
header doesn't come up.
I always forget that we have SA glued into MD in an odd way.  If you are 
using something like the default example windows filter, you have a call 
in your filter that calls spam_assassin_check().


Based on that logic, you now have a yes this is spam boolean result (and 
some other data like hits, etc.).  The modifications SA made to the 
message are not carried through unless you implement logic for them.  
Sorry, I led you down the completely wrong path.  Someone will correct 
me, I'm sure.


Regards,
KAM


Re: [Mimedefang] add_header all RelaysUntrusted _RELAYSUNTRUSTED_

2016-12-12 Thread Kevin A. McGrail

On 12/12/2016 5:30 PM, Marcus Schopen wrote:

I'd like to set a "add_header all RelaysUntrusted _RELAYSUNTRUSTED_" to
my headers, to see in case of IPs in trusted_networks on which IPs
dnsrbl and dnswl checks run on. But putting this to sa-mimedefang.cf has
no effect.
My first thought is if you have restarted MD.  Darxus on the SA Mailing 
List might also have some input if it's not something simple because 
that is the right command.



[Mimedefang] DZIP Extension

2016-12-12 Thread Kevin A. McGrail
Seeing some fake invoice/in the wild garbage with .dzip extension 
getting through today.


If you are doing some extension blocking, etc. might want to take a look.

Regards,
KAM


Re: [Mimedefang] Connecting Clamd via inet socket?

2016-12-02 Thread Kevin A. McGrail
That's the great thing about mimedefang.  Very little you can't add.  I've got 
some clamp code that streams to another host.  Don't remember how I did it.  
Can you implement code if I dig it up?
Regards,
KAM

On December 2, 2016 12:01:59 PM EST, Dianne Skoll  
wrote:
>On Fri, 2 Dec 2016 16:57:32 +0100
>Benoit Panizzon  wrote:
>
>> Does anyone know, if it's possible to use
>> ClamdSock = "host:port";
>> in MIMEDefang?
>
>No; the built-in code uses IO::Socket::UNIX and can only scan local
>files.  You need to write your own wrapper code if you want to
>stream files to another host.
>
>Regards,
>
>Dianne.
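
What the wrapper Dianne refers to has to do, as an added Perl example that is neither KAM's streaming code nor MIMEDefang's own: clamd's INSTREAM command over TCP, with the chunk framing and reply parsing split out so they can be checked without a daemon. The function names are mine; a real clamd host and port are only needed for the optional live step at the end.

```perl
use strict;
use warnings;
use IO::Socket::INET;

# Frame a buffer the way clamd's INSTREAM command expects: each chunk is a
# 4-byte big-endian length followed by the data, and a zero-length chunk
# terminates the stream.  Pure function so the framing is testable offline.
sub instream_frames {
    my ($data, $chunk) = @_;
    $chunk ||= 65536;
    my $out = '';
    for (my $off = 0; $off < length $data; $off += $chunk) {
        my $piece = substr($data, $off, $chunk);
        $out .= pack('N', length $piece) . $piece;
    }
    return $out . pack('N', 0);
}

# Interpret one NUL-terminated reply to "zINSTREAM".  Returns a pair:
# ('clean', ''), ('infected', signature name) or ('error', raw text).
sub parse_clamd_reply {
    my ($reply) = @_;
    return ('error', 'no reply') unless defined $reply;
    $reply =~ s/\0$//;
    return ('clean', '')    if $reply eq 'stream: OK';
    return ('infected', $1) if $reply =~ /^stream: (.+) FOUND$/;
    return ('error', $reply);   # e.g. the StreamMaxLength "size limit exceeded. ERROR"
}

# Send a file to clamd at $host:$port.  clamd's TCP listener is neither
# authenticated nor encrypted, so keep it on a trusted network or behind a
# TLS tunnel.  The file is slurped; for very large parts stream chunks
# straight from the handle instead.
sub clamd_instream_scan {
    my ($path, $host, $port) = @_;
    open my $fh, '<:raw', $path or return ('error', "open $path: $!");
    my $data = do { local $/; <$fh> };
    close $fh;
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                     Proto => 'tcp', Timeout => 30)
        or return ('error', "connect $host:$port: $@");
    $sock->autoflush(1);
    print {$sock} "zINSTREAM\0", instream_frames($data);
    my $reply = do { local $/ = "\0"; <$sock> };   # z-commands get NUL-terminated replies
    close $sock;
    return parse_clamd_reply($reply);
}

# Constructed check of the framing: 70000 bytes become a 65536-byte chunk,
# a 4464-byte chunk and the zero-length terminator.
my $framed   = instream_frames('A' x 70000);
my ($first)  = unpack('N', $framed);
my ($second) = unpack('N', substr($framed, 4 + $first, 4));
my ($last)   = unpack('N', substr($framed, -4));
print "chunks: $first, $second, terminator $last\n";

# Constructed replies of the three shapes clamd produces.
for my $raw ("stream: OK\0", "stream: Eicar-Test-Signature FOUND\0",
             "INSTREAM size limit exceeded. ERROR\0") {
    my ($status, $detail) = parse_clamd_reply($raw);
    print "$status\t$detail\n";
}

# Optional live run: perl this.pl <file> <clamd-host> <port>
if (@ARGV == 3) {
    my ($status, $detail) = clamd_instream_scan(@ARGV);
    print "$ARGV[0]: $status $detail\n";
}
```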



Re: [Mimedefang] Fwd: syncing sent item from pop3 account to webmail sent folder

2015-11-30 Thread Kevin A. McGrail

On 11/30/2015 12:00 AM, Indunil Jayasooriya wrote:



Hi,

Is there a way to sync sent item from pop3 account to webmail sent 
folder ?


For POP3, Sent Items would be stored only locally on the machine that 
sent the email.


You likely need an automated bcc and a procmail rule to sort the copy of 
your sent item into your sent folder.


But if you are using POP3, there is only an inbox.  So I think you are 
out of luck.


Regards,
KAM


Re: [Mimedefang] Seeing weird SMFI errors

2015-08-04 Thread Kevin A. McGrail

On 8/4/2015 4:11 PM, Dianne Skoll wrote:

This is why I resisted even adding a filter_helo callback.  It's
basically useless.  Anything you can do in filter_helo might as well
be deferred to filter_sender.

+1

If an SMTP client connects, says EHLO and then closes the connection...
do we really care?

Something about a forest falls in the tree comes to mind...

regards,
KAM


Re: [Mimedefang] Seeing weird SMFI errors

2015-08-04 Thread Kevin A. McGrail

On 8/4/2015 2:02 PM, Philip Prindeville wrote:

Err, cipher_bits… or tls_version… except that, if I remember correctly, these 
can’t be accessed until after filter_sender(), right?

Is there any other way to figure out if this is HELO that follows a STARTTLS?

Save state and re-call the helo check again in filter_sender, perhaps?


regards,
KAM


Re: [Mimedefang] right value for MX_MAXIMUM

2015-06-24 Thread Kevin A. McGrail

On 6/24/2015 7:43 AM, Muthu N.C wrote:

Hello,

I am having the system with sendmail, mimedefang and spamassassin.
Mimedefang is running with the below options.

-m 2 -x 80 -y 0 -U defang -b 300 -l

MX_MINIMUM=2
MX_MAXIMUM=80
#MX_QUEUE_SIZE=10

In a day I am getting the below error multiple times. By looking at
the md-mx-ctrl rawstats, all the 80 slaves are busy at that time. We
are receiving around 500 e-mails in a minute.

mimedefang-multiplexor[2500]: No free slaves
mimedefang[2517]: t5O6odRs007105: Error from multiplexor: error: No free slaves

How much slaves should be set for this workload?
Would increasing the MX_QUEUE_SIZE help, how much I can increase?
Any other suggestions to overcome this issue?
I read that the e-mails sent during this time would be retried by the
other MTA automatically, but I am seeing it as lost.
There are a lot of variables for this.  Are you doing spam processing, 
av processing, etc. How many processors? How much ram? There is no magic 
formula but it sounds like you need more.


I would turn on the timing for mimedefang (-T) option and look at how 
long a message takes to process.  Then I would likely look at what I 
could do to reduce that...


Regards,
KAM


Re: [Mimedefang] *****SPAM***** ****SPAM**** (14.701) MimeDefang problem

2015-06-24 Thread Kevin A. McGrail

On 6/24/2015 8:52 AM, David Both wrote:
David,

You can't really discuss spam on list without adding -munge or something 
to the URI's.  The spam you included caused your email to get hammered 
on my system and I imagine quite a few others.  It was a fluke I saw it 
was legit...


However, I recommend you add md_syslog lines to your logic so you can 
look at the logs more for the issue.


Regards,
KAM


Re: [Mimedefang] How to parse pdf files or pass them to spamassassin

2015-05-29 Thread Kevin A. McGrail

On 5/29/2015 9:38 AM, Benoit Panizzon wrote:

Has anyone already found such a solution?


Not a 1:1 match for your question but have you looked at the PDF info 
plugin in a recent version of SA?


Also, if you throw a sample up on pastebin, I can see how it fares in my 
setup. I've not seen this particular phishing much and I'm interested if 
there is a different angle that is effectively blocking it.


Regards,
KAM


Re: [Mimedefang] Missed executable attachments with empty Content-Type

2015-04-29 Thread Kevin A. McGrail

On 4/29/2015 6:14 AM, Tomasz Ostrowski wrote:
I'm very sorry if I've written something rude 
Sorry too.  I was grumpy yesterday but appreciate you apologizing about 
it.  I commented the same off-list yesterday but should have posted it 
to the list.  You very professionally posted the spample and provided 
swift feedback which is better than 99% of the problem reports ;-)


regards,
KAM


Re: [Mimedefang] Missed executable attachments with empty Content-Type

2015-04-28 Thread Kevin A. McGrail

On 4/28/2015 9:44 AM, Tomasz Ostrowski wrote:
My filter is depending on re_match function provided by MIMEdefang. 
Also suggested-minimum-filter-for-windows-clients is using it.


Mimedefang-filter man page says:
re_match returns true if any of the fields 
[Content-Disposition.filename,

Content-Type.name and Content-Description] matches the regexp without
regard to case.


In my example Content-Type should match, but it doesn't because it is 
probably deliberately broken enough to avoid detection by security 
products. But not enough to not work in Email clients.



Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].


I think this resolution is unsustainable - this technique might get 
popular fast if this proves to foul filters. 


I took a little umbrage about your statement and wanted to rant for a 
moment about why.


1st, DFS in good faith gave a triage idea for your concern.

You however, didn't even thank her and pointed out the obvious. Namely, 
these bastards are always evolving their techniques.


2nd, MD is open-source and the enemy is the bastard spammers/malware 
authors.  Don't attack people trying to help, donating their time and 
giving you possible solutions.  Instead you might consider thanking 
them, providing feedback or even taking a swipe at the code and posting a 
patch.


/rant
KAM

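The thread above is about an attachment whose Content-Type header is empty or broken enough that the parsed attributes re_match() relies on (Content-Disposition.filename, Content-Type.name, Content-Description) do not catch it. The script below is an added example, not code from the list or from MIMEDefang: it collects candidate file names from the parsed attributes and then falls back to a regex over the raw header text, which survives a Content-Type value MIME::Head cannot parse. The extension list, the helper names and the sample message are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the list post or MIMEDefang): find dangerous
# attachment names even when the Content-Type header is empty or malformed.
use strict;
use warnings;
use MIME::Parser;

# Illustrative list of extensions that should never arrive as attachments.
my $BAD_EXT = qr/\.(?:chm|exe|scr|pif|com|bat|cmd|js|jse|vbs|hta)$/i;

# Every candidate file name for one MIME part: the parsed attributes first,
# then anything that looks like name= or filename= in the raw header text.
# The parsed attribute may be undef for a header MIME::Head cannot parse;
# the raw-header regex is the fallback for that case.
sub part_names {
    my ($part) = @_;
    my $head = $part->head;
    my @names;
    for my $attr ('content-disposition.filename', 'content-type.name') {
        my $v = $head->mime_attr($attr);
        push @names, $v if defined $v && length $v;
    }
    for my $field ('Content-Type', 'Content-Disposition') {
        my $raw = $head->get($field);            # undef when the header is absent
        next unless defined $raw;
        while ($raw =~ /\b(?:file)?name\s*=\s*"?([^";\r\n]+)"?/ig) {
            push @names, $1;
        }
    }
    my %seen;
    my @clean;
    for my $n (@names) {
        (my $t = $n) =~ s/^\s+|\s+$//g;
        push @clean, $t unless $seen{lc $t}++;
    }
    return @clean;
}

# Walk the parsed message tree; return every name matching $BAD_EXT.
sub bad_attachments {
    my ($entity) = @_;
    my @hits = grep { $_ =~ $BAD_EXT } part_names($entity);
    push @hits, bad_attachments($_) for $entity->parts;
    return @hits;
}

# Constructed sample: the second part has an empty Content-Type and a name only
# in Content-Disposition; the third has a Content-Type with no media type.
my $raw = <<'EOM';
From: a@example.com
To: b@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type:
Content-Disposition: attachment; filename="SecureMessage.chm"
Content-Transfer-Encoding: base64

QUJD
--XX
Content-Type: ; name="report.exe"
Content-Transfer-Encoding: base64

QUJD
--XX--
EOM

my $parser = MIME::Parser->new;
$parser->output_to_core(1);                     # no temp files for this demo
my $entity = $parser->parse_data($raw);
print "flagged: $_\n" for bad_attachments($entity);
```

Inside a MIMEDefang filter the same bad_attachments() can be run on the top-level entity in filter_begin (or on each part in filter) alongside the existing re_match() checks; the raw-header pass is cheap, since it only looks at the two headers the attachment name can legitimately live in.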

Re: [Mimedefang] Strip DOC with macros

2015-02-25 Thread Kevin A. McGrail

On 2/25/2015 1:17 PM, Justin Edmands wrote:

Hey Mimedefang listers,
I wanted to know if I could use mimedefang to strip out .DOC, .DOCX, .XLS, and 
.XLSX files (or any applicable file type) if they contain a macro.



We have some code inspired by DFS' recent post on the issue but haven't 
had time to polish it to my satisfaction to bring it back to the list.


However, here's the key point:

  # For formats later than 2003, the document is a zipped folder tree
  # Macros are given away by the presence of two files, and because the zip index is plaintext


My plan is to use Archive::Zip to look at the index for these files 
which indicate a macro and then add a header which we then use in SA to 
increase the score.

vbaData\.xml|vbaProject\.bin

Additionally, in the link 
https://social.technet.microsoft.com/Forums/office/en-US/1eb2d35a-b212-480b-9af3-121ab498d095/where-does-the-macro-gets-stored-in-new-microsoft-word-open-office-xml-format-docx?forum=word 
you'll note "The .docx format doesn't contain macros. A macro-enabled 
Word document has extension .docm."


So you can also assume .docm has macros.

Eventually I will post the code to the list when it's ready in keeping 
with the spirit that DFS shared his original idea as well.


Regards,
KAM

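KAM's own Archive::Zip code was not posted, so the following is an added example rather than code from the list: it reads the zip central directory of an Office Open XML attachment and reports the macro indicators. The member-name regex is the one quoted in the post (vbaData\.xml|vbaProject\.bin); the [Content_Types].xml check (Office records the VBA part with the content type application/vnd.ms-office.vbaProject, so a renamed part is still caught) and the macro-enabled extension list are my additions, and the two zip files it builds are constructed stand-ins, not real documents.

```perl
#!/usr/bin/perl
# Added example (not from the list post): spot VBA in OOXML attachments from the
# zip index and content types, then try it on two constructed files.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempfile);

my $MACRO_PART = qr{(?:^|/)(?:vbaData\.xml|vbaProject\.bin)$}i;   # from the post
my $MACRO_EXT  = qr/\.(?:docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam|ppsm)$/i;

# Returns a list of reasons; empty when nothing macro-related was found.
# Only the central directory and [Content_Types].xml are read, so it is cheap.
sub ooxml_macro_indicators {
    my ($path) = @_;
    my $zip = Archive::Zip->new;
    # Legacy OLE2 .doc/.xls are not zips; they need a different parser.
    return ('not-a-zip') unless $zip->read($path) == AZ_OK;

    my @why = map { "part:$_" } grep { $_ =~ $MACRO_PART } $zip->memberNames;

    # Office finds the VBA project through its content type, so check that too.
    my $ct = $zip->contents('[Content_Types].xml');
    push @why, 'content-type:vbaProject'
        if defined $ct && $ct =~ m{application/vnd\.ms-office\.vbaProject}i;
    return @why;
}

# Name-based test, independent of the content (the .docm point from the post).
sub macro_enabled_name {
    my ($name) = @_;
    return (defined $name && $name =~ $MACRO_EXT) ? 1 : 0;
}

# Build a minimal zip from a member => contents hash (constructed demo data).
sub build_zip {
    my (%members) = @_;
    my (undef, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
    my $zip = Archive::Zip->new;
    $zip->addString($members{$_}, $_) for sort keys %members;
    $zip->writeToFileNamed($path) == AZ_OK or die "cannot write $path";
    return $path;
}

my $clean = build_zip(
    '[Content_Types].xml' => '<Types><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    'word/document.xml'   => '<w:document/>',
);
my $macro = build_zip(
    '[Content_Types].xml' => '<Types><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    'word/document.xml'   => '<w:document/>',
    'word/vbaProject.bin' => "\xD0\xCF\x11\xE0 fake",
);

for my $case (['clean', $clean], ['macro', $macro]) {
    my @why = ooxml_macro_indicators($case->[1]);
    printf "%s: %s\n", $case->[0], @why ? join(',', @why) : 'none';
}
printf "invoice.docm macro-enabled by name: %d\n", macro_enabled_name('invoice.docm');
```

In a MIMEDefang filter() the decoded attachment is already on disk as $entity->bodyhandle->path; pass that to ooxml_macro_indicators(), and when it returns anything add a header (action_add_header) that the SpamAssassin side can score, which is the flow described in the post.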

Re: [Mimedefang] Mimedefang breaks DKIM signing of single-part, plain text emails

2015-01-22 Thread Kevin A. McGrail

On 1/15/2015 2:55 PM, David F. Skoll wrote:

On Thu, 15 Jan 2015 10:41:14 -0700
Peter Nagel pbna...@rmi.net wrote:

[Some very good comments]

Yes, I can see how MIMEDefang misbehaves if you're trying to sign
something.  I'll definitely look at fixing the behaviour.


We've been experimenting with making sure DKIM verification is working 
so we've added a verification loop to test all of the DKIM signed 
messages to see if we can identify any edge cases that are failing.


To do this, we added an add_recipient call to our DKIM routine for 
signature.  Perhaps some others might like to do the same so we can 
identify more edge cases.


We then run the emails through a small script that uses 
Mail::DKIM::Verifier to check the signature using procmail. Here's the call 
to the script using procmail:


# RUN MESSAGES NOT DIRECTLY TO DKIM_CHECK THROUGH THE SCRIPT
:0 fw
* !^(To|Cc|Bcc|From): check_the_d...@pccc.com.*
| perl /usr/local/check_the_dkim.pl

# DISCARD ANY MESSAGES THAT SAY DISCARD FROM THE SCRIPT
:0:
* ^X-Status: D.*
/dev/null


And here's the small script:


#Written by PCCC to test edge cases of DKIM signing
#Released to Public Domain
use strict;
use warnings;
use Mail::DKIM::Verifier;

our ($original_message);
main();

sub main {
  my ($message, $result);

  $result = get_result();

  if (uc($result) ne 'PASS') {

    $message .= "A message signed by mimedefang has failed the DKIM verification.<br><br>";

    $message .= "<b>Result:</b> $result<br><br>";
    $message .= "<b>Original Message:</b><br><br>";
    $message .= "<pre>$original_message</pre>";

    # email message here

    # keep email in inbox for inspection
    print $original_message;

  } else {
    my $printed_delete = 0;

    # ADD X-Status: D TO MARK EMAIL DELETED (inserted before the first blank
    # line, i.e. at the end of the header block)
    foreach my $line (split("\n", $original_message)) {
      if ($printed_delete < 1 and $line =~ /^$/) {
        print "X-Status: D\n";
        $printed_delete++;
      }

      print $line."\n";
    }
  }

  # KEEP EMAIL IN INBOX FOR CHECKING LATER
  exit 0;
}

# USE THE VERIFIER TO CHECK THE DKIM SIGNATURE
sub get_result {
  my ($FORM, %params) = @_;
  my ($result, $dkim);

  # create a verifier object
  $dkim = Mail::DKIM::Verifier->new();

  while (<STDIN>)
  {
      # keep original message to be saved later
      $original_message .= $_;

      # remove local line terminators
      chomp;
      s/\015$//;

      # use SMTP line terminators
      $dkim->PRINT("$_\015\012");
  }
  $dkim->CLOSE;

  # what is the result of the verify? ("pass", or e.g. "fail (reason)")
  $result = $dkim->result_detail;

  return $result;
}


Regards,
KAM


Re: [Mimedefang] (no subject)

2015-01-21 Thread Kevin A. McGrail
Glad it was an easy fix.
Regards,
KAM

On January 20, 2015 9:46:15 PM EST, Francis Cabrera lastcard@gmail.com 
wrote:
WOW!! Great! thank you kevin! Thank you guys!!! the
SpamAssasinReport.txt is now gone.




Re: [Mimedefang] (no subject)

2015-01-20 Thread Kevin A. McGrail
You can also just rely on headers for spam status and comment this line 
to stop adding the report:


  action_add_part($entity, "text/plain", "-suggest", "$report\n", "SpamAssassinReport.txt", "inline");


Regards,
KAM


Re: [Mimedefang] md_check_against_smtp_server

2015-01-12 Thread Kevin A. McGrail

On 1/2/2015 6:29 AM, joris dedieu wrote:

2014-12-30 23:53 GMT+01:00 Jon Rowlan jon.row...@sads.com:

I'd like to thank everyone who replied to my recent query regarding
md_check_against_smtp_server.

The end result is now working beautifully and inspired by the replies I
am looking into caching the lookup results.

I use a Redis database for that. It's quite efficient.

Joris

Thanks Joris,

We refined your caching and added more debugging and error checking so 
we thought we would post back to the list in like and kind.


Best,
KAM

#Thanks to Joris Dedieu for inspiration and example code for this function
# Needs the Redis CPAN module loaded in the filter
use Redis;

sub cached_md_smtp_check {
  my ($sender, $recipient, $helo, $server, $port) = @_;
  my ($redis, $key, $status, $message, $redis_server, $redis_password, 
      $start_time, $end_time, $status_message);

  md_syslog('warning', "DEBUG: Edge Test - Checking Recipient $recipient with cached_md_smtp_check");

  # IN ORDER TO MAKE SURE WE DON'T GET STUCK, RUN IN AN EVAL SO WE CAN 
  # TIME OUT RATHER THAN HANG IN md_check_against_smtp_server

  ($status, $message) = eval {
    # SET TIMEOUT FUNCTION (local so the handler does not leak into the rest of the filter)
    local $SIG{ALRM} = sub { md_syslog('warning', "DEBUG: Edge Test - Timing Out"); die "timeout\n" }; # NB: \n required

    # SET TIMEOUT TO 15 SECONDS
    alarm 15;

    $redis_server = 'XXX:6379';   # placeholder: your Redis host:port
    $redis_password = 'YYY';      # placeholder: your Redis password

    $recipient =~ s/[<>]//g;

    # ATTEMPT CONNECTION TO REDIS SERVER
    eval { $redis = Redis->new(server => $redis_server, password => $redis_password); };

    # IF THERE IS AN ERROR WHEN TRYING TO CONNECT TO REDIS, JUST USE A REGULAR CALL

    if ($@) {

      # WARN THAT REDIS ISN'T WORKING
      md_syslog('warning', "WARNING: Edge Test - Redis Failed, calling md_check_against_smtp_server.  Error: $@");

      # RESET ALARM BEFORE RETURNING
      alarm 0;
      return md_check_against_smtp_server($sender, $recipient, $helo, $server, $port);

    } else {
      md_syslog('warning', "DEBUG: Edge Test - Redis connection success, checking for cached value for $recipient");

      $key = $redis->get($recipient);

      # PARSE RESPONSE FROM REDIS IF IT IS SET.  SPLIT ON THE FIRST COLON ONLY,
      # SINCE SMTP RESPONSE MESSAGES OFTEN CONTAIN COLONS THEMSELVES
      if (defined $key and $key =~ /^([^:]+):(.*)$/s) {
        $status = $1;
        $message = $2;

        if (uc($status) eq 'CONTINUE' or uc($status) eq 'REJECT') {
          md_syslog('warning', "DEBUG: Edge Test - Returning cached value from Redis Status: '$status' Message: '$message' Recipient: $recipient");

          $redis->quit;

          # RESET ALARM BEFORE RETURNING
          alarm 0;
          return ($status, $message);
        } else {
          $redis->quit;

          md_syslog('warning', "WARNING: Edge Test - Cached value in Redis returned an incorrect value for $recipient.  Calling md_check_against_smtp_server");

          # RESET ALARM BEFORE RETURNING
          alarm 0;
          return md_check_against_smtp_server($sender, $recipient, $helo, $server, $port);

        }

      } else {
        md_syslog('warning', "DEBUG: Edge Test - Response for $recipient Not Cached, calling md_check_against_smtp_server");

        ($status, $message) = md_check_against_smtp_server($sender, $recipient, $helo, $server, $port);

        # IF NOT TEMPFAIL, SAVE RESPONSE IN REDIS WITH APPROPRIATE EXPIRATION

        if (uc($status) eq 'CONTINUE') {

          $redis->set($recipient, "$status:$message");

          # GOOD RESPONSE, CACHE FOR 5 DAYS
          $redis->expire($recipient, 432000);

        } elsif (uc($status) eq 'REJECT') {

          $redis->set($recipient, "$status:$message");

          # BAD RESPONSE, CACHE FOR 1 DAY
          $redis->expire($recipient, 86400);

        } elsif (uc($status) eq 'TEMPFAIL') {

          # IF THE RESPONSE IS TEMPORARY FAIL, DON'T CACHE THE RESULT
          $redis->quit;
          alarm 0;
          return ($status, $message);

        }

        $redis->quit;

        # RESET ALARM BEFORE RETURNING
        alarm 0;
        return ($status, $message);
      }
    }
  };

  # MAKE SURE NO ALARM IS LEFT PENDING IF THE EVAL DIED FOR A NON-TIMEOUT REASON
  alarm 0;

  if ($@) {
    # FUNCTION TIMED OUT, FOR NOW, JUST SEND CONTINUE, LATER WE WILL 
    # NEED TO CALL THE md_check_against_smtp_server FUNCTION

    if ($@ =~ /timeout/) {
      md_syslog('warning', "DEBUG: Edge Test - Redis Eval timed out, sending CONTINUE, OK");

      return ('CONTINUE', 'OK');
    } else {
      # FAILURE DID NOT COME FROM TIMEOUT, WARN AND DIE
      md_syslog('warning', "DEBUG: Edge Test - Redis Eval failed for reasons other than timeout $@, calling die");

      die;
    }

  } else {
    # NO TIMEOUT, RETURN VALUES SET
    return ($status, $message);
  }

}


[Mimedefang] Net::DNS referral section for a Domain?

2014-11-13 Thread Kevin A. McGrail
Trying to do some checks on spam by nameservers but I can't figure out 
how to find the referral nameservers for a domain from the root servers.


For example, this snippet is NOT what I need, I don't think:

use Net::DNS;
my $res   = Net::DNS::Resolver->new;
my $reply = $res->query("pccc.com", "NS");

if ($reply) {
    foreach my $rr (grep { $_->type eq 'NS' } $reply->answer) {
        print $rr->nsdname, "\n";
    }
}
else {
    warn "query failed: ", $res->errorstring, "\n";
}

This snippet gets the SOA records which don't have to agree with whois, 
for example:


ns3.pccc.com
ns.2rad.net
ns.pccc.com
ns2.pccc.com

But perhaps it's because our system will check and the servers are 
authoritative.


What we want is the equivalent of a dig +trace referral record which 
would be:


;; Received 486 bytes from 198.41.0.4#53(a.root-servers.net) in 9 ms

pccc.com.   172800  IN  NS  ns.pccc.com.
pccc.com.   172800  IN  NS  ns2.pccc.com.
pccc.com.   172800  IN  NS  ns3.pccc.com.

Any thoughts on how to do that programmatically with Net::DNS?

Regards,
KAM

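An added example, not code from the post, showing one way to get the delegation (referral) NS set the way dig +trace does: ask a root server with recursion turned off and follow referrals downward until a server hands back a referral for the name itself. The recursive query in the post returns the child zone's own NS set; the referral comes from the parent, which is the set you want to compare against the registry. The walk needs network access; referral_ns() is also exercised offline on a constructed packet shaped like the dig output above. The root address and helper names are my own choices.

```perl
#!/usr/bin/perl
# Added example (not from the list post): find the parent-side delegation NS
# records for a domain with Net::DNS, equivalent to the "dig +trace" referral.
use strict;
use warnings;
use Net::DNS;

my @ROOT_SERVERS = ('198.41.0.4');           # a.root-servers.net, as in the post

# NS names carried by a referral: no answer section, NS records in authority.
sub referral_ns {
    my ($packet) = @_;
    return () if $packet->answer;
    return map { lc $_->nsdname } grep { $_->type eq 'NS' } $packet->authority;
}

# Zone a referral delegates: owner name of the authority NS records.
sub referral_zone {
    my ($packet) = @_;
    my ($ns) = grep { $_->type eq 'NS' } $packet->authority;
    return $ns ? lc $ns->name : undef;
}

# Addresses of the referred-to servers: glue from the additional section,
# otherwise a normal recursive lookup of each name.
sub server_addresses {
    my ($packet, @ns) = @_;
    my %want = map { $_ => 1 } @ns;
    my @addr = map { $_->address }
               grep { ($_->type eq 'A' || $_->type eq 'AAAA') && $want{lc $_->name} }
               $packet->additional;
    return @addr if @addr;
    my $rec = Net::DNS::Resolver->new;
    for my $n (@ns) {
        my $reply = $rec->query($n, 'A') or next;
        push @addr, map { $_->address } grep { $_->type eq 'A' } $reply->answer;
    }
    return @addr;
}

# Walk from @servers toward $name. Returns the parent's NS set for $name, or
# the authoritative answer if a server on the path already answers directly.
sub trace_delegation {
    my ($name, @servers) = @_;
    ($name = lc $name) =~ s/\.$//;
    my $res = Net::DNS::Resolver->new(recurse => 0, udp_timeout => 5, tcp_timeout => 5);
    for my $hop (1 .. 16) {                  # bound the walk; loops mean a broken delegation
        return () unless @servers;
        $res->nameservers(@servers);
        my $packet = $res->send($name, 'NS') or return ();
        my @ns = referral_ns($packet);
        if (!@ns) {                          # not a referral: an answer, or nothing usable
            return map { lc $_->nsdname } grep { $_->type eq 'NS' } $packet->answer;
        }
        my $zone = referral_zone($packet);
        return @ns if defined $zone && $zone eq $name;   # the parent's delegation
        @servers = server_addresses($packet, @ns);
    }
    return ();
}

# Offline check on a constructed referral modelled on the dig +trace output.
my $demo = Net::DNS::Packet->new('pccc.com', 'NS');
$demo->push(authority => Net::DNS::RR->new("pccc.com. 172800 IN NS $_"))
    for qw(ns.pccc.com. ns2.pccc.com. ns3.pccc.com.);
print "constructed referral: ", join(' ', referral_ns($demo)), "\n";

# Live walk (network): perl trace_ns.pl example.com
print "$_\n" for @ARGV ? trace_delegation($ARGV[0], @ROOT_SERVERS) : ();
```

For the spam-by-nameserver check in the post, the interesting signal is a mismatch between what trace_delegation() returns (the parent's view) and what the recursive NS query returns (the child's view); either set alone can be changed by the domain holder.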

Re: [Mimedefang] detect failed auth

2014-11-07 Thread Kevin A. McGrail

On 10/9/2014 4:37 AM, Tomasz Ostrowski wrote:

On 2014-09-10 16:29, David F. Skoll wrote:

Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: 
d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to MTA-v6


I've recently configured fail2ban on my CentOS5 server with blocking 
based solely on this line:
Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: 
cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to MTA


We had the same issue and worked with Claus Assman, who put us in touch 
with Jim Hranicky to get a patch for sendmail 8.14.5 for this issue.  It 
needs some eyes on it, though, as we've tried to make it compatible with 
multiple versions of SASL.


So, based on / inspired by a patch from Jim Hranicky contributed to 
sendmail.org, here is a first pass at logging AUTH failures. Anyone able to do 
some testing with it?


It compiles and doesn't blow things up but we need to put this on a 
server with SASL 2.0 but I don't want to delay other people testing it 
because I've had this sitting on my to-do list for a month+.


Regards,
KAM
--- /tmp/srvrsmtp.c Fri Nov  7 15:37:19 2014
+++ ./srvrsmtp.cFri Nov  7 16:01:19 2014
@@ -593,6 +593,7 @@
volatile int authenticating;
char *user;
char *in, *out2;
+   char auth_user[256];
 # if SASL = 2
char *auth_id = NULL;
const char *out;
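Review bot: `char auth_user[256];` is never initialised, and the buffer lives for the whole SMTP session, so a `user=%s` printed on a failure path that did not pass through one of the added `sm_strlcpy` calls reads uninitialised stack, and a later AUTH attempt on the same connection can log the previous attempt's value. Initialise it at the declaration (`char auth_user[256] = "";`) and clear it again where the SASL state is reset (`RESET_SASLCONN` in the later hunks).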
@@ -1309,9 +1310,11 @@
in = xalloc(strlen(inp) + 1);
result = sasl_decode64(inp, strlen(inp), in,
   strlen(inp), inlen);
+(void) sm_strlcpy(auth_user, in, sizeof(auth_user));
 # else /* SASL = 2 */
out = xalloc(strlen(inp));
result = sasl_decode64(inp, strlen(inp), out, outlen);
+   (void) sm_strlcpy(auth_user, out, sizeof(auth_user));
 # endif /* SASL = 2 */
if (result != SASL_OK)
{
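Review bot: the added `sm_strlcpy(auth_user, in, ...)` runs before `result` from `sasl_decode64` is checked, so on a decode failure the copy takes whatever the failed decode left in the buffer; move it below the `if (result != SASL_OK)` that follows. Also note what is copied: `in` is the raw decoded client message, not a user name. For PLAIN that message is `authzid NUL authcid NUL password`, so strlcpy stops at the first NUL and records the (usually empty) authorization id rather than the login, and for other mechanisms the decoded blob can contain the credential itself, which then goes to syslog. Prefer the identity the library exposes (the `auth_id` declared in the first hunk for SASL >= 2) or parse per mechanism. Minor: the `+(void) sm_strlcpy` line in the SASL >= 2 branch is missing the tab its SASL < 2 counterpart has.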
@@ -1471,9 +1474,9 @@
{
/* not SASL_OK or SASL_CONT */
message(535 5.7.0 authentication failed);
-   if (LogLevel  9)
+   if (LogLevel = 9)
sm_syslog(LOG_WARNING, e-e_id,
- AUTH failure (%s): %s (%d) 
%s, relay=%.100s,
+ AUTH failure (1) (%s): %s 
(%d) %s, relay=%.100s user=%s,
  auth_type,
  sasl_errstring(result, NULL,
 NULL),
@@ -1483,6 +1486,7 @@
 # else /* SASL = 2 */
  errstr == NULL ?  : errstr,
 # endif /* SASL = 2 */
+ auth_user,
  CurSmtpClient);
RESET_SASLCONN;
authenticating = SASL_NOT_AUTH;
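Review bot: `user=%s` is unbounded while the existing `relay=%.100s` is width-limited, and `auth_user` is attacker-supplied; bound it (`user=%.100s`) so a client cannot pad every failure line with 255 bytes of its choosing. Two behaviour changes in this hunk are unrelated to the stated goal and should be called out in the description: `LogLevel > 9` becomes `LogLevel >= 9`, which starts emitting this message at a level it was not logged at before, and the text gains `(1)` after `AUTH failure`, which breaks existing matchers (fail2ban rules like the one this thread is about) that key on `AUTH failure (mechanism)`.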
@@ -1699,6 +1703,7 @@
result = sasl_decode64(q, strlen(q), in,
   inlen);
 # endif /* SASL = 2 */
+   (void) sm_strlcpy(auth_user, in, 
sizeof(auth_user));
if (result != SASL_OK)
{
message(501 5.5.4 cannot BASE64 decode 
'%s',
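Review bot: this copy sits after `# endif /* SASL >= 2 */`, so it is compiled for both library versions but always reads `in`; in the earlier hunk the SASL < 2 branch decoded into `out`, so confirm the pre-2 path here really decodes into `in`, otherwise those builds log the wrong buffer. As in the earlier hunk, the copy also precedes the `if (result != SASL_OK)` check, so a message that fails to base64-decode (the `501 5.5.4` path right below) still ends up in `auth_user`.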
@@ -1738,9 +1743,9 @@
if (result != SASL_OK  result != SASL_CONTINUE)
{
message(535 5.7.0 authentication failed);
-   if (LogLevel  9)
+   if (LogLevel = 9)
sm_syslog(LOG_ERR, e-e_id,
- AUTH failure (%s): %s (%d) 
%s, relay=%.100s,
+ AUTH failure (2) (%s): %s 
(%d) %s, relay=%.100s user=%s,
  p,
  sasl_errstring(result, NULL,
 NULL),
@@ -1750,6 +1755,7 @@
 # else /* SASL = 2 */
  errstr,
 # endif /* SASL = 2 */
+ auth_user,
  CurSmtpClient);
RESET_SASLCONN;
break;
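Review bot: same unbounded `user=%s` as the first logging site, here at LOG_ERR; use `%.100s` in both places so the two lines stay consistent and parseable. One operational caveat that deserves a comment in the code: what a client offers as the user on a failed AUTH is frequently a password typed into the wrong field, so this line, unlike the pre-patch one, can put credentials into syslog. Keep access to that log restricted, and strip control characters from `auth_user` before logging, since the decoded data is client-controlled and can carry CR/LF to forge a second log line.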

Re: [Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com

2014-10-23 Thread Kevin A. McGrail

On 10/23/2014 11:36 AM, Ben Kamen wrote:
I don't remember unconfiguring this -- but my system currently 
doesn't accept mail at the full name user field like it used to.


I wonder if over time I managed to turn it off.

What's the config option so that sendmail accepts  mail to a user's 
Full Name field?


(like mine is Ben Kamen -- so ben.ka...@benjammin.net should work 
- but it doesn't. 
Sendmail was acquired last October by Proofpoint.  So far, I haven't 
seen much impact, and Sendmail, Inc. was commercial before that, 
supporting open source as well.  One of the good examples of a company 
built on open source that seems to do a good job of supporting the 
community and still keeping the lights on.


I'm not aware of a full name option (doesn't mean it doesn't exist) 
but you could add a file called virtusertable and put in a line that 
routes the alias to your local account such as:


ben.ka...@benjammin.net\bkamen

Then compile it, etc.

Your sendmail.mc will need something like this line which activates the 
feature and tells it the hash is in /etc/mail/virtusertable.db


FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl

Regards,
KAM



Re: [Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com

2014-10-23 Thread Kevin A. McGrail

On 10/23/2014 2:01 PM, Kees Theunissen wrote:

define(`confMATCH_GECOS',`true')dnl

Don't use that! It is way too fuzzy and error prone. At least it was
a long time ago on a Silicon Graphics Irix 5.x system.
Sounds like some sed/awk parsing of passwd could create a very quick 
virtusertable table instead...


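An added example, not from the thread, of the passwd-to-virtusertable generation suggested in the two messages above: it builds exact first.last@domain entries from the GECOS full-name field, which sidesteps the fuzzy matching Kees warns about with confMATCH_GECOS. The passwd lines are constructed here; in use, read /etc/passwd or getpwent instead. The domain, the UID cut-off and the helper names are my assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the list): exact virtusertable entries from GECOS.
use strict;
use warnings;

my $DOMAIN  = 'benjammin.net';      # assumption: the domain from the thread
my $MIN_UID = 1000;                 # skip system accounts

# Build { 'first.last@domain' => login } from passwd lines. Returns the map
# and a list of addresses dropped because two different logins collide.
sub gecos_aliases {
    my (@passwd_lines) = @_;
    my (%alias, %owner, @dropped);
    for my $line (@passwd_lines) {
        chomp $line;
        my ($login, undef, $uid, undef, $gecos) = split /:/, $line;
        next unless defined $uid && $uid =~ /^\d+$/ && $uid >= $MIN_UID;
        my ($full) = split /,/, ($gecos // '');     # GECOS: "Full Name,room,phone,..."
        my @words = grep { length } map { lc } split ' ', $full;
        next unless @words >= 2;                    # need at least first and last
        my $local = join '.', @words;
        next unless $local =~ /^[a-z0-9.]+$/;       # only emit addresses that are safe as-is
        my $addr = "$local\@$DOMAIN";
        if (exists $owner{$addr} && $owner{$addr} ne $login) {
            push @dropped, $addr;                   # ambiguous: leave it to a human
            delete $alias{$addr};
            next;
        }
        $owner{$addr} = $login;
        $alias{$addr} = $login unless grep { $_ eq $addr } @dropped;
    }
    return (\%alias, \@dropped);
}

# makemap(8) text format: key, tab, value, one per line.
sub virtusertable_text {
    my ($alias) = @_;
    return join '', map { "$_\t$alias->{$_}\n" } sort keys %$alias;
}

# Constructed passwd sample, not a real file.
my @sample = (
    'root:x:0:0:root:/root:/bin/bash',
    'bkamen:x:1001:1001:Ben Kamen,Room 1,555-0100:/home/bkamen:/bin/bash',
    'jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/bash',
    'jdoe2:x:1003:1003:Jane Doe:/home/jdoe2:/bin/bash',   # collides with jdoe
    'svc:x:1004:1004::/home/svc:/sbin/nologin',           # empty GECOS, skipped
    'odd:x:1005:1005:O\'Brien Pat:/home/odd:/bin/bash',   # apostrophe, skipped
);
my ($alias, $dropped) = gecos_aliases(@sample);
print virtusertable_text($alias);
warn "ambiguous, not emitted: $_\n" for @$dropped;

# Install: write the output to /etc/mail/virtusertable, then
#   makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
# with FEATURE(`virtusertable') enabled in sendmail.mc as shown above.
```

The collision rule matters more than it looks: two accounts with the same full name are exactly the case where a fuzzy GECOS match delivers one person's mail to another, so the generator refuses to guess and reports the address instead.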

Re: [Mimedefang] Sendmail Skipping Filter

2014-10-21 Thread Kevin A. McGrail

On 10/20/2014 10:38 PM, Nathan F wrote:

I have a mimedefang filter that discards all messages with relayaddr
ne 127.0.0.1.  It is a sort of journaling server for mail. Sometimes
I am finding that some (a very small number) of mails are somehow
being sent out.  These mails are coming from an external system
originally, but they don't seem to hit mimedefang's filter.  Any
ideas?

pseudo-code:

filter_end {
   if($RelayAddr ne '127.0.0.1') {
 do processing;
 discard;
   }
}

Nathan,

What I would do is add an else to that pseudo loop with a mimedefang log 
entry for the $RelayAddr that you are not hitting on.  I would want to 
know that MD is getting called for every single email and then you know 
if it's logic or bypassing MD.


Regards,
KAM


Re: [Mimedefang] spam score different from when scanning via mimedefang

2014-10-16 Thread Kevin A. McGrail

On 10/16/2014 11:26 AM, i...@bsolution.net wrote:

Hello guys,
i am desperate. this question has been asked many times - yet the 
resolution does not apply to me because most cases mimedefang runs a 
different user.  I also searched many places, read a lot of docs and 
posts - still can't solve the mystery.


i have a relatively straight forward setup
Sendmail -> MimeDefang -> CLAM+SPAM -> Cyrus.



I get email in my mailbox that has headers with following:

X-Spam-Score: 2.328 (**) 
AWL,BAYES_50,HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_BLOCKED

X-Scanned-By: MIMEDefang 2.75


However when i run same email in the eml format while being as a user 
spam on the server through spamassassin - i get a correct recognition 
of a spam.


[spam@newcitymedia ~]$ spamassassin -x -p /etc/mail/sa-mimedefang.cf 
-D < ./test.eml


X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
newcitymedia.net

X-Spam-Flag: YES
X-Spam-Level: **
X-Spam-Status: Yes, score=6.5 required=3.0 tests=AWL,BAYES_99,BAYES_999,
HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_BRBL_LASTEXT,RCVD_IN_RP_RNBL,
RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,TVD_RCVD_SPACE_BRACKET,
T_KAM_HTML_FONT_INVALID,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no
autolearn_force=no version=3.4.0 


I don't know that you are missing anything. I'm assuming time has 
elapsed between these two tests because you are showing different Bayes 
scores, different RBL hits, etc. which would indicate that the RBLs 
reactively added information after you received the email.


However, overall, I think I would focus on a few things to improve your 
installation and not focus on the MD vs CLI differences as I think 
that's a red-herring.  Someone else might notice something I'm not, though.


1 - URIBL_BLOCKED means your DNS queries are being blocked.  See 
https://wiki.apache.org/spamassassin/DnsBlocklists under the first Q&A.  
Short answer: installing a caching local nameserver fixes this issue for 
most installations.


2 - Your required score of 3.0 is very aggressively low.  We suggest 5 
and I often use 5.0 to 6.5 for more real world usage.


3 - Consider adding KAM.cf

4 - Switch AWL to TxRep

regards,
KAM


Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan

2014-10-09 Thread Kevin A. McGrail

On 10/9/2014 10:28 AM, Cliff Hayes wrote:

Thanks to this list I am making progress :)
Now clamd is failing due to this...
Wed Oct  8 16:32:20 2014 - WARNING: lstat() failed on: 
/var/spool/MIMEDefang/mdefang-s98LWK78002037/Work
...I'm assuming this is because the mimedefang working directory is 
owned by defang and clamd runs as clamav.
I fixed by running clamd as root ... is this the preferred solution or 
is there a better way?

In general, you don't want daemons running as privileged users.

I run clamd as the same user as I run MD and that would be my 
recommendation as well.


Regards,
KAM


Re: [Mimedefang] clamav vs clamd vs clamscan

2014-10-08 Thread Kevin A. McGrail

On 10/8/2014 3:05 PM, Cliff Hayes wrote:
I will have to go with clamd because clamav is taking 12 seconds to 
scan an email with five words in it.
Correct.  Using anything but clamd is not going to work for anything but 
the smallest of installations.



Re: [Mimedefang] clamav vs clamd vs clamscan

2014-10-08 Thread Kevin A. McGrail

On 10/8/2014 4:05 PM, Cliff Hayes wrote:
Is it advisable to use clamd first and clamav as a fallback (per code 
example below)?  If so, do I still need to set the Features in 
mimedefang.pl like this ...
Never needed fall-back.  Clamav has always been pretty solid.  And if I 
started running clamav, it would likely spin the server out of resources ;-)



[Mimedefang] filter_cleanup question

2014-09-26 Thread Kevin A. McGrail

So I have a filter_cleanup and I see these errors:

Sep 26 07:54:03 intel1 mimedefang-multiplexor[30156]: Slave 11 stderr: 
Use of uninitialized value in exit at /usr/local/bin/mimedefang.pl line 
5577, STDIN line 10.
Sep 26 07:54:03 intel1 mimedefang-multiplexor[30156]: Reap: slave 11 
(pid 5463) exited normally with status 0


From looking at the code, I think maybe I should have a return status 
on my function so I've added return 0;  If I'm right, I think perhaps 
the man page could be a bit more effusive on that point?


Regards,
KAM


Re: [Mimedefang] filter_cleanup question

2014-09-26 Thread Kevin A. McGrail

On 9/26/2014 10:01 AM, David F. Skoll wrote:

 From looking at the code, I think maybe I should have a return
status on my function so I've added return 0;  If I'm right, I think
perhaps the man page could be a bit more effusive on that point?

Well, it currently reads:

The return value from filter_cleanup becomes the slave's exit
status.

I guess I can change it to:

The return value from filter_cleanup becomes the slave's exit
status, so make sure filter_cleanup returns an integer suitable for
a process exit status.

I agree it's there.  It just seemed easy to gloss over.  Perhaps an 
example such as return 0 for ok and anything else for an error ;-) Or 
even a little mini-stub in an example filter.


regards,
KAM


Re: [Mimedefang] Upgrading MIME::Tools to 5.505?

2014-08-22 Thread Kevin A. McGrail

On 8/22/2014 1:51 PM, Amit Gupta wrote:

I noticed in mimedefang.pl there is the following statement:

use MIME::Tools 5.410 ();

The latest MIME::Tools seems to be 5.505.. MD 2.75 still references
the old version.  Should we be updating this?  Or is this planned for
the future?
I think that just enforces a minimum.  But DFS maintains MIME::Tools and 
MD.  I recommend running the latest of both.


Regards,
KAM


Re: [Mimedefang] MIMEDefang and systemd

2014-08-06 Thread Kevin A. McGrail

On 8/6/2014 2:00 PM, David F. Skoll wrote:

Hi,

There is apparently some demand for a systemd unit file for MIMEDefang:
https://bugzilla.redhat.com/show_bug.cgi?id=789768

I replied to that ticket at 
https://bugzilla.redhat.com/show_bug.cgi?id=789768#c10

If anyone is using MIMEDefang on a Linux distro that uses systemd and
would like to help with making MIMEDefang systemd-friendly, I'm happy
to take patches... :)




https://bugzilla.redhat.com/show_bug.cgi?id=656911 was done by some 
people for SpamAssassin that I think did a good job.  Might want to look 
at what Warren Togami came up with for SA which didn't require a fork.  
I currently don't have a system that requires systemd but I expect it 
soon.  And I liked your wrapper idea.


Regards,
KAM


Re: [Mimedefang] multiplexor - No DNS servers available!

2014-06-05 Thread Kevin A. McGrail
Looks like a DNS server issue.  Do you have a local caching nameserver?  Is it 
working?  What does your filter look like?  Is there a line that configures DNS 
servers, or is your system's resolv.conf correct?

Justin Edmands shockwav...@gmail.com wrote:
I am trying to fix our setup.

What needs to exist for this to work?

Regards,
KAM


Re: [Mimedefang] multiplexor - No DNS servers available!

2014-06-05 Thread Kevin A. McGrail

On 6/5/2014 9:30 AM, Justin Edmands wrote:

I will admit that I did not configure this but have been learning
about it throughout the debug process.

Either way, looks like we have dnsmasq setup. I am not sure if it is
working correctly. If I do host ourwebsite.com it returns the
records listed below rather than external DNS records.
Sorry, I have no familiarity with dnsmasq and you didn't post your 
MIMEDefang filter.  Perhaps it is configured to look at specific DNS 
servers.  Your question is really vague I am sorry to say.


Regards,
KAM


Re: [Mimedefang] DMARC reject/quarantine policy - Latest version of the code

2014-06-04 Thread Kevin A. McGrail
Here's the latest version of the stub for an MD filter to handle the 
DMARC issues.  Thanks to DFS and Roaring Penguin for the utf8 code.


regards,
KAM
sub filter_initialize {
  ...

  use Net::DNS;
  use IO::File;
  ...
}

sub filter_end ($) {
  ...

#DMARC MAILING LIST RESOLUTION
foreach my $recip (@Recipients) {
  # BLOCK IF FROM YAHOO (AND OTHERS) BECAUSE THEY SET DMARC TOO STRICTLY
  # http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html
  # REWRITE THE FROM HEADER AND OTHER FIELDS PER RECOMMENDATION HERE: http://dmarc.org/faq.html#s_3

  # If Sender is set to DMARC reject and recipient is a mailing list - NOTE Yahoo.com and AOL.com reject as of 4/23
  if (([[[Logic to identify your mailing lists]]] $recip =~ m/\@mailman\./i or

      and

     # exclude the administrivia addresses like admin confirm, join, leave, etc.
     ($recip !~ /\-(admin|bounces|confirm|join|leave|owner|request|subscribe|unsubscribe)(\+.*)?\@/i)

     ) {
    my ($container, $parser, $original, $report2, $dmarc_reject_notice, $sender, $dmarc_result, $sender_domain, $modification_subject);

    # Automatically check DMARC DNS entry
    $sender_domain = get_domain_from_email($Sender);
    # DNS test for DMARC entry with timeout of 5 seconds
    $dmarc_result = check_dmarc(domain => $sender_domain, timeout => 5);

    if ($dmarc_result =~ /p=(reject|quarantine)/i) {

      # NOTIFY SENDER AND REWRITE THE SENDER TO A DO-NOT-REPLY ADDRESS
      md_syslog('warning', "Modifying message to mailing list due to DMARC - $recip - $Sender - $Subject");
      $dmarc_reject_notice = "Your email to $recip was modified due to a change your email provider implemented which causes your email on mailing lists to be flagged incorrectly as a forgery.

In order to permit your email through to the mailing list, we have rewritten the From address to a do-not-reply address.  Depending on the list configuration, you may not receive replies and will need to monitor the list.  Additionally, this may delay your email as it will require manual intervention by the list moderator to approve.

We apologize for the inconvenience but the cause of the issue rests squarely and solely on your email provider.  We recommend you consider a free Google account available at http://www.gmail.com/.  For more technical information, please see: http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html and http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/

Sincerely,

Kevin A. McGrail
President, PCCC";


      #CUSTOMIZE NOTIFICATION PARAMS
      $sender = 'do-not-re...@pccc.com';
  $modification_subject = utf8_to_mime(Important Mailing List 
Notification re:[. mime_to_utf8($Subject) .]);

  #SEND NOTIFICATION
  action_notify_sender_immediately(Sender=$Sender, DaemonName='PCCC 
Notice', DaemonAddress=$sender, NotifySenderSubject=$modification_subject, 
body=$dmarc_reject_notice);

  #TEMPORARILY REMOVE MAILING LIST
  #delete_recipient($recip); - NO LONGER NEEDED WITH REWRITE OF FROM

  #Possible Improvement is to do a DKIM/SPF/etc. check on the email 
before rewriting to minimize forgeries getting farther in the process.

  #CHANGE SENDER ON ENVELOPE
  change_sender($sender);

  #CHANGE SENDER ON FROM
  if (check_header(header='From')) {
action_delete_all_headers('From');
action_delete_all_headers('Reply-To');
action_add_header(From,\DMARC Modified Email (was $Sender)\ 
$sender);
action_add_header(Reply-To, $Sender);
  }
}
  }
}
#END DMARC MAILING LIST HANDLING

...
}

#get domain name from an email address
sub get_domain_from_email {
  my ($domain) = @_;

  #REMOVE ANY LEADING/TRAILING 's
  $domain =~ s/(^|$)//g;
  #REMOVE ANY LEADING/TRAILING SPACE'S
  $domain =~ s/^ *//g;
  $domain =~ s/ *$//g;
  #REMOVE EVERYTHING UP TO THE @ SYMBOL
  $domain =~ s/.*\@//g;

  return $domain;
}

sub action_notify_sender_immediately {
  my (%params) = @_;

  my ($body, $recip);

  # Send notification to sender - Based on function from mimedefang.pl
  if ($params{'Sender'} ne '') {
$body = From: $params{'DaemonName'} $params{'DaemonAddress'}\n;
$body .= To: $params{'Sender'}\n;
$body .= gen_date_msgid_headers();
$body .= Auto-Submitted: auto-generated\n;
$body .= MIME-Version: 1.0\nContent-Type: text/plain\n;
$body .= Precedence: bulk\n;
$body .= Subject: $params{'NotifySenderSubject'}\n\n;
$body .= $params{'body'}\n;

send_mail($params{'DaemonAddress'}, $params{'DaemonName'}, 
$params{'Sender'}, $body);
  }
}

# check the HEADERS file and return any instances of a specific parameter 
header (case insensitive on header name)
sub check_header {
  my (%params) = @_;
  my ($filehandle, $preslurp

Re: [Mimedefang] FB Joins? And current copy of code we are using to handle DMARC reject/quarantine domains and mailing lists - Was Re: ADMINISTRIVIA: Yahoo users may not post to this mailing list

2014-04-28 Thread Kevin A. McGrail

On 4/24/2014 7:23 PM, David F. Skoll wrote:

> Here are a pair of functions from our commercial CanIt product that
> I hereby place in the public domain.

Thanks, BTW.

Regards,
KAM


[Mimedefang] FB Joins? And current copy of code we are using to handle DMARC reject/quarantine domains and mailing lists - Was Re: ADMINISTRIVIA: Yahoo users may not post to this mailing list

2014-04-24 Thread Kevin A. McGrail

Afternoon All,

Not sure if it's new but FB's dmarc rejects as well.  Noticed it when 
someone tried to share something from FB with a mailing list.


_dmarc.facebook.com.3600IN  TXT v=DMARC1\; p=reject\; 
pct=100\; rua=mailto:d...@rua.agari.com,mailto:postmas...@facebook.com\; 
ruf=mailto:d...@ruf.agari.com\;;
_dmarc.facebookmail.com. 2101   IN  TXT v=DMARC1\; p=reject\; 
pct=100\; rua=mailto:d...@rua.agari.com,mailto:postmas...@facebook.com\; 
ruf=mailto:d...@ruf.agari.com\;;


Here's the current version of the code we are using to intervene for 
mailing lists.  It's more generic and does a dmarc lookup each time.


To use it, filter_initialize needs: use Net::DNS;

Then in filter_end, we use this block:

#DMARC MAILING LIST RESOLUTION
foreach my $recip (@Recipients) {
  # BLOCK IF FROM YAHOO (AND OTHERS) BECAUSE THEY SET DMARC TOO STRICTLY
  # http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

  # If Sender is set to DMARC reject and recipient is a mailing list - NOTE
  # Yahoo.com and AOL.com reject as of 4/23

  if (($recip =~ m/\@mailman\./i
       # or (logic you add for your setup)
      )

      and

      # exclude the administrivia addresses like admin, confirm, join, leave, etc.
      ($recip !~ /\-(admin|bounces|confirm|join|leave|owner|request|subscribe|unsubscribe)\@/i)

     ) {
    my ($container, $parser, $original, $report2, $dmarc_reject_notice,
        $sender, $dmarc_result, $sender_domain, $modification_subject);

    # Automatically check DMARC DNS entry
    $sender_domain = get_domain_from_email($Sender);
    # DNS test for DMARC entry with timeout of 5 seconds
    $dmarc_result = check_dmarc(domain => $sender_domain, timeout => 5);

    # check_dmarc returns undef when there is no record or the lookup timed out
    if (defined $dmarc_result and $dmarc_result =~ /p=(reject|quarantine)/i) {

      # NOTIFY SENDER AND REWRITE THE SENDER TO A DO-NOT-REPLY ADDRESS
      md_syslog('warning', "Modifying message to mailing list due to DMARC - $recip - $Sender - $Subject");
      $dmarc_reject_notice = "Your email to $recip was modified due to a change your email provider implemented which causes your email on mailing lists to be flagged incorrectly as a forgery.

In order to permit your email through to the mailing list, we have rewritten the From address to a do-not-reply address.  Depending on the list configuration, you may not receive replies and will need to monitor the list.  Additionally, this may delay your email as it will require manual intervention by the list moderator to approve.

We apologize for the inconvenience but the cause of the issue rests squarely and solely on your email provider.  We recommend you consider a free Google account available at http://www.gmail.com/. For more technical information, please see: http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html and http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/

Sincerely,

Kevin A. McGrail
President, PCCC";

      #CUSTOMIZE NOTIFICATION PARAMS
      $sender = 'do-not-re...@pccc.com';
      $modification_subject = "Important Mailing List Notification re:[$Subject]";

      #SEND NOTIFICATION
      action_notify_sender_immediately(Sender => $Sender,
                                       DaemonName => 'PCCC Notice',
                                       DaemonAddress => $sender,
                                       NotifySenderSubject => $modification_subject,
                                       body => $dmarc_reject_notice);

      #TEMPORARILY REMOVE MAILING LIST
      #delete_recipient($recip); - NO LONGER NEEDED WITH REWRITE OF FROM

      #Possible Improvement is to do a DKIM/SPF/etc. check on the email
      #before rewriting to minimize forgeries getting farther in the process.

      #CHANGE SENDER ON ENVELOPE
      change_sender($sender);

      #CHANGE SENDER ON FROM
      if (check_header(header => 'From')) {
        action_delete_all_headers('From');
        action_delete_all_headers('Reply-To');
        action_add_header("From", "\"DMARC Modified Email\" <$sender>");
        action_add_header("Reply-To", $Sender);
      }
    }
  }
}
#END DMARC MAILING LIST HANDLING


You will also need these functions:

# check the HEADERS file and return any instances of a specific parameter
# header (case insensitive on header name)

sub check_header {
  my (%params) = @_;
  my ($filehandle, $preslurp, $contents, $output);

  $params{'header'} || return undef;

  $filehandle = new IO::File("< ./HEADERS") or return undef;

  while (<$filehandle>) {
    if ($_ =~ /^$params{'header'}:/i) {
      $output .= $_;
    }
  }

  close ($filehandle);

  return $output;

}

sub action_notify_sender_immediately {
  my (%params) = @_;

  my ($body, $recip);

  # Send notification to sender - Based on function from mimedefang.pl
  if ($params{'Sender'} ne '') {
    $body = "From: $params{'DaemonName'} <$params{'DaemonAddress'}>\n";
    $body .= "To: $params{'Sender'}\n";
    $body .= gen_date_msgid_headers();
    $body .= "Auto
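
The check_dmarc helper that both filter_end versions above call (the 2014-06-04 stub and the 2014-04-24 block) is cut off in the archive. Below is an added example of that lookup and of the address and header handling around it; it is not code from the posts or from MIMEDefang, and the function names (header_values, sender_domain, parse_dmarc_record, check_dmarc, dmarc_requires_rewrite) are this example's own. It assumes Net::DNS, which filter_initialize already loads above. It differs from the posted helpers in three ways a filter author will care about: it unfolds a From: header that wraps onto a continuation line before matching, where the posted check_header only matches the first physical line; it takes the domain from the header From: value rather than from the envelope $Sender, which is what DMARC actually evaluates, as Joseph Brennan notes further down the thread; and it parses the record into tags so that a strict sp= on a p=none domain does not fire the rewrite, which a bare /p=(reject|quarantine)/ match would. No organizational-domain fallback is done, so a subdomain without its own record is treated as having no policy.

```perl
#!/usr/bin/perl
# Added example, not code from the list posts: DMARC policy lookup helpers
# for a MIMEDefang filter.  All function names here are the example's own.
use strict;
use warnings;
use Net::DNS;

# Return every value of header $name from raw header text, unfolding RFC 5322
# continuation lines (which start with whitespace).  Takes the text as a
# string so it can be exercised offline; in filter_end, read ./HEADERS first.
sub header_values {
    my ($text, $name) = @_;
    my @lines;
    for my $line (split /\r?\n/, $text) {
        if ($line =~ /^[ \t]+(.*)$/ && @lines) {
            $lines[-1] .= " $1";            # fold continuation onto previous line
        } else {
            push @lines, $line;
        }
    }
    return map { /^\Q$name\E:[ \t]*(.*)$/i ? $1 : () } @lines;
}

# Domain of an address as found in From: ("Jane Doe" <jane@example.invalid>)
# or in MIMEDefang's $Sender (<jane@example.invalid>).  A quoted local part
# may itself contain '@', so it is removed before the domain is taken; an
# empty address (the null sender used by bounces) yields undef.
sub sender_domain {
    my ($addr) = @_;
    return undef unless defined $addr;
    my $bare = ($addr =~ /<([^<>]*)>/) ? $1 : $addr;
    $bare =~ s/^\s+|\s+$//g;
    $bare =~ s/^"(?:[^"\\]|\\.)*"//;         # drop a quoted local part
    return undef unless $bare =~ /\@([^@\s]+)$/;
    return lc $1;
}

# Split "v=DMARC1; p=reject; sp=none; pct=100" into a hash of lowercase tags.
# Returns undef unless the record really is a DMARC1 record.
sub parse_dmarc_record {
    my ($txt) = @_;
    my %tags;
    for my $pair (split /;/, $txt) {
        next unless $pair =~ /^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$/;
        $tags{lc $1} = $2;
    }
    return (defined $tags{v} && uc($tags{v}) eq 'DMARC1') ? \%tags : undef;
}

# Query _dmarc.<domain> TXT with a hard timeout.  Returns the parsed record,
# or undef when there is no record, the query times out, or the data is not
# DMARC; the caller treats undef as "no policy" and leaves the message alone.
sub check_dmarc {
    my (%p) = @_;
    my $domain  = $p{domain} or return undef;
    my $timeout = $p{timeout} || 5;
    my $res = Net::DNS::Resolver->new(udp_timeout => $timeout,
                                      tcp_timeout => $timeout,
                                      retry       => 1);
    my $reply = $res->query("_dmarc.$domain", 'TXT') or return undef;
    for my $rr ($reply->answer) {
        next unless $rr->type eq 'TXT';
        # a long record arrives as several strings; join them without spaces
        my $tags = parse_dmarc_record(join '', $rr->txtdata);
        return $tags if $tags;
    }
    return undef;
}

# Only the domain policy (p=) decides; a strict sp= on a p=none domain must
# not trigger the rewrite, which a bare /p=(reject|quarantine)/ would do.
sub dmarc_requires_rewrite {
    my ($tags) = @_;
    return 0 unless $tags && defined $tags->{p};
    return lc($tags->{p}) =~ /^(reject|quarantine)$/ ? 1 : 0;
}

# Offline check on constructed input (no DNS traffic): a folded From: header
# and a record whose p= and sp= differ.
my $headers = "Received: from a.example.invalid\n"
            . "From: \"Doe, Jane\"\n <jane\@example.invalid>\n"
            . "Subject: test\n";
my ($from) = header_values($headers, 'from');
die "domain parse failed" unless sender_domain($from) eq 'example.invalid';
my $rec = parse_dmarc_record('v=DMARC1; p=none; sp=quarantine; pct=100');
die "sp= must not trigger a rewrite" if dmarc_requires_rewrite($rec);
die "p= must trigger a rewrite"
    unless dmarc_requires_rewrite(parse_dmarc_record('v=DMARC1; p=reject'));
```

In a filter the call would be dmarc_requires_rewrite(check_dmarc(domain => sender_domain($from), timeout => 5)) with $from taken from the HEADERS file; the notification step that follows in the posted code still sends mail to an unauthenticated sender, which is why the posts' own comment about checking DKIM/SPF first is worth acting on before the notice goes out.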

Re: [Mimedefang] FB Joins? And current copy of code we are using to handle DMARC reject/quarantine domains and mailing lists - Was Re: ADMINISTRIVIA: Yahoo users may not post to this mailing list

2014-04-24 Thread Kevin A. McGrail

On 4/24/2014 3:44 PM, David F. Skoll wrote:

> On Thu, 24 Apr 2014 15:30:49 -0400
> Kevin A. McGrail kmcgr...@pccc.com wrote:
>
>> We apologize for the inconvenience but the cause of the issue rests
>> squarely and solely on your email provider.  We recommend you
>> consider a free Google account available at http://www.gmail.com/.
>
> I like the logic but wonder what recommendations we can make if (when?)
> gmail.com goes to p=reject? :(

On a related note, anyone know a quick way to handle modifying subjects
like this so I properly modify it?

Important Mailing List Notification
re:[=?utf-8?B?MjHkuJbnuqropoHkuYjnlLXlrZDllYbliqHvvIzopoHkuYjml6DllYblj6/liqHvvIE=?=]


Regards,
KAM


Re: [Mimedefang] ADMINISTRIVIA: Yahoo users may not post to this mailing list

2014-04-23 Thread Kevin A. McGrail

On 4/23/2014 10:32 AM, Joseph Brennan wrote:

> David F. Skoll d...@roaringpenguin.com wrote:
>
>> I regret to inform Yahoo users that they may no longer post to any mailing
>> list hosted on lists.roaringpenguin.com.
>
> The madness has spread to AOL effective yesterday 4/22.
>
> host -t txt _dmarc.aol.com
> _dmarc.aol.com descriptive text v=DMARC1\; p=reject\; pct=100\;
> rua=mailto:d...@rua.agari.com\; ruf=mailto:d...@ruf.agari.com\;;

Thanks Joseph,

As a side-note, the code framework I posted a week or so ago for Yahoo!
has been working very well for our mailing lists.  I'm going to work on
generalizing my code and doing a DMARC check prior to posting for any
domains.  Some people might want to consider things like the new DMARC
code in the latest mailman release candidate but I like fixing this with
things like MD where it's more generic and customizable at the same
time.  Will share code when I'm done.


Regards,
KAM


Re: [Mimedefang] Try to reject sender

2014-04-23 Thread Kevin A. McGrail

On 4/23/2014 5:43 PM, Ricardson Williams wrote:

> Yes. I tried also with only quote and the messages still pass. :(

Have you ever used the filter_sender and have you enabled it?

For example, in /etc/sysconfig/mimedefang, change this:

# If yes, turn on the multiplexor sender checking function
MX_SENDER_CHECK=yes

Regards,
KAM


Re: [Mimedefang] Yahoo! DMARC and smfi_chngfrom was Yahoo DMARC

2014-04-15 Thread Kevin A. McGrail

On 4/14/2014 10:06 PM, David F. Skoll wrote:

>> Specifically, here's a test from my Yahoo! account to an autism
>> mailing list. Even though smfi_chgfrom appears to have worked, when
>> the email is parsed by mailman, it does not appear to reflect the
>> changed sender. Any thoughts appreciated...
>
> smfi_chgfrom only changes the envelope sender.  I think Mailman (and
> possibly Yahoo?) might be looking at the From: header instead.

Thanks.  I think I also need to exempt emails to -owner, etc.  Need to
look at that.

> With regards to the MIMEDefang list, I don't plan on doing anything
> special.  If Yahoo wants to break legitimate mailing lists for its
> users, that's Yahoo's problem, not mine.  Luckily, I do not depend
> on being able to reach Yahoo subscribers for my business to be viable,
> so... meh.

The article might not be doing a good job of explaining the basic,
real-world issue:

- Yahoo user sends email to list
- List resends email to all members
- All the various recipients that acknowledge p=reject reject the mail
  as forged
- You look like a spammer
- Recipient ISPs blacklist you
- Members on some lists (like mailman) are unsubscribed for reaching
  bounce thresholds



regards,
KAM


Re: [Mimedefang] Yahoo! DMARC and smfi_chngfrom was Yahoo DMARC

2014-04-15 Thread Kevin A. McGrail

On 4/14/2014 10:50 PM, Joseph Brennan wrote:

> DMARC is actually checking the header From, not just the envelope
> $Sender,

Thanks.  That's what I was overlooking.

> The problem I've got at our gateway is that milter gives us the
> @Recipient as in the RCPT TO, but I need to know what the recipient is
> after aliasing. We can safely accept when the alias routes to one of
> our own mail stores (Exchange, Cyrus, Google Apps), but not when the
> alias routes to our Mailman host or somewhere else on the net.

Agreed.  We had to study our aliases and come up with a list but it's
far from foolproof.

> Obviously it would be simpler to refuse mail with header From yahoo,
> or break standard and rewrite all header From yahoo to something else.
> On principle I'd rather do the former than the latter, but that does
> not always meet the needs of the organization.

For triage, we blocked email from yahoo to our mailing list.  Today,
I'll be rewriting the from header so it looks like it came from a
do_not_reply email.  That will then trigger manual moderation for all
those users but we feel it's the best option along with sending a notice
to senders to switch from Yahoo!


regards,
KAM


Re: [Mimedefang] Yahoo! DMARC and smfi_chngfrom was Yahoo DMARC

2014-04-15 Thread Kevin A. McGrail

On 4/15/2014 9:52 AM, David F. Skoll wrote:

> On Tue, 15 Apr 2014 09:35:19 -0400
> Kevin A. McGrail kmcgr...@pccc.com wrote:
>
>> - All the various recipients that acknowledge p=reject reject the
>>   mail as forged
>
> That's the part I don't understand.  Mail from my list will not have
> a yahoo.com envelope sender.  And if I remove the DKIM header, what basis
> could third parties possibly have for considering the email to be forged?

Ignoring the why, I can tell you we have had issues with emails from
Yahoo! users on the mailing list causing bounces back from yahoo.com,
email.msn.com, msn.com, hotmail.com, sbcglobal.net, live.com, att.net,
pacbell.net, comcast.net and likely more.

> Anyway, for now, I'm simply going to ban yahoo.com users from posting
> to our mailing lists until I sort this out.

Makes sense to me.

For those who care, attached is my latest version of the code in MD that
I used to rewrite Yahoo! emails to mailing lists for MIMEDefang in
filter_end.

We use it to identify mailing lists, exempt administrivia messages and
modify messages from yahoo! users to a generic do-not-reply address
which we then manually moderate.  It also notifies the Yahoo! sender and
recommends the use of a different email company (Gmail in our case), etc.


regards,
KAM

# Patch to rewrite Yahoo! emails to mailing lists for MIMEDefang in filter_end

#YAHOO DMARC RESOLUTION
foreach my $recip (@Recipients) {
  # BLOCK IF FROM YAHOO BECAUSE THEY SET DMARC TOO STRICTLY
  # http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

  # If Sender is Yahoo and recipient is a mailing list - NOTE Only Yahoo.com
  # rejects as of 4/14 so not hitting
  # |rocketmail\.com|ymail\.com|yahoo\.com\.au|yahoo\.ca|yahoo\.co\.uk
  # exclude the administrivia addresses like admin, confirm, join, leave, etc.
  # ($Sender is "<user@domain>", hence the optional trailing ">")
  if ($Sender =~ /\@yahoo\.com>?$/i

      and

      ($recip =~ m/\@mailman\./i
       #... more logic for identifying your mailing lists goes in this section ...
      )

      and

      ($recip !~ /\-(admin|bounces|confirm|join|leave|owner|request|subscribe|unsubscribe)\@/i)

     ) {
    my ($container, $parser, $original, $report2, $yahoo_reject_notice, $sender);

    # NOTIFY SENDER AND REWRITE THE SENDER TO A DO-NOT-REPLY ADDRESS
    md_syslog('warning', "Modifying Yahoo! message to mailing list due to DMARC - $recip - $Sender - $Subject");
    $yahoo_reject_notice = "Your email to $recip was modified due to a change Yahoo! implemented which causes your email on mailing lists to be flagged incorrectly as a forgery.

In order to permit your email through to the mailing list, we have rewritten the From address to a do-not-reply address.  Depending on the list configuration, you may not receive replies and will need to monitor the list.  Additionally, this may delay your email as it will require manual intervention by the list moderator to approve.

We apologize for the inconvenience but the cause of the issue rests squarely and solely on Yahoo!  We recommend you consider a free Google account available at http://www.gmail.com/.  For more technical information, please see: http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

Sincerely,

Kevin A. McGrail
President, PCCC";

    # SAVE NOTIFY SETTINGS (all three globals, so they can be restored below)
    my ($save_NotifyNoPreamble, $save_NotifySenderSubject, $save_DaemonAddress);
    $save_NotifyNoPreamble = $NotifyNoPreamble;
    $save_NotifySenderSubject = $NotifySenderSubject;
    $save_DaemonAddress = $DaemonAddress;

    #CUSTOMIZE NOTIFICATION PARAMS
    $sender = 'do-not-re...@pccc.com';
    $DaemonAddress = 'do-not-re...@pccc.com';
    $NotifyNoPreamble = 1;
    $NotifySenderSubject = "Important Mailing List Notification re:[$Subject]";

    #SEND NOTIFICATION
    action_notify_sender("$yahoo_reject_notice\n");

    #TEMPORARILY REMOVE MAILING LIST
    #delete_recipient($recip); - NO LONGER NEEDED WITH REWRITE OF FROM

    #Possible Improvement is to do a DKIM/SPF/etc. check on the email
    #before rewriting to minimize forgeries getting farther in the process.

    #CHANGE SENDER ON ENVELOPE
    change_sender($sender);

    #CHANGE SENDER ON FROM
    if (check_header(header => 'From')) {
      action_delete_all_headers('From');
      action_delete_all_headers('Reply-To');
      action_add_header("From", "'Yahoo! Modified Email' <$sender>");
      action_add_header("Reply-To", $Sender);
    }

    # RESTORE NOTIFY SETTINGS
    $NotifyNoPreamble = $save_NotifyNoPreamble;
    $NotifySenderSubject = $save_NotifySenderSubject;
    $DaemonAddress = $save_DaemonAddress;
  }
}
#END YAHOO DMARC


# check the HEADERS file and return any instances of a specific parameter
# header (case insensitive on header name)
sub check_header {
  my

Re: [Mimedefang] Yahoo! DMARC and smfi_chngfrom was Yahoo DMARC

2014-04-14 Thread Kevin A. McGrail

On 4/14/2014 12:50 PM, Joe Quinn wrote:

> We are having issues with Yahoo's DMARC policy unsubscribing a very
> large number of members for Mailman lists we host.
>
> Does anyone have a quick piece of code that we can use which bounces
> their message and inserts a nice description of why?
>
> We are already matching on Yahoo senders to /mailman.\.*/

Continuing the thread, for those who don't know, Yahoo! is breaking all
kinds of legit mailing lists
(http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html)
and today we found out the hard way with mailing lists unsubscribing
people with default mailman thresholds.  So here's what we are thinking
with a block to change the sender and send a notification to the
original sender but I can't get the change_sender to work right (see below):


#YAHOO DMARC RESOLUTION
foreach my $recip (@Recipients) {
  # BLOCK IF FROM YAHOO BECAUSE THEY SET DMARC TOO STRICTLY
  # http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

  # If Sender is Yahoo and recipient is a mailing list - NOTE Only Yahoo.com
  # rejects as of 4/14 so not hitting
  # |rocketmail\.com|ymail\.com|yahoo\.com\.au|yahoo\.ca|yahoo\.co\.uk

  # ($Sender is "<user@domain>", hence the optional trailing ">")
  if ($Sender =~ /kevin_mcgrail\@yahoo\.com>?$/i and
      ($recip =~ m/\@mailman\./i
       # .. More checks specific to us...
      )) {
    my ($container, $parser, $original, $report2, $yahoo_reject_notice, $sender);

    # NOTIFY SENDER AND REWRITE THE SENDER TO A DO-NOT-REPLY ADDRESS
    md_syslog('warning', "Modifying Yahoo! message to mailing list due to DMARC - $recip - $Sender - $Subject");
    $yahoo_reject_notice = "Your email to $recip was rejected. At this time, Yahoo! email addresses cannot be used to send to our mailing lists due to a change Yahoo! implemented where they recommend your email is identified as a forgery.  We recommend you consider a free Google account available at http://www.gmail.com/. For more technical information, please see: http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

In order to permit your email through to the mailing list, your from address has been rewritten to a do-not-reply address.  You will need to monitor the list for replies and this will likely require moderation to allow.

Sincerely,

Kevin A. McGrail
President, PCCC";

    # SAVE NOTIFY SETTINGS (all three globals, so they can be restored below)
    my ($save_NotifyNoPreamble, $save_NotifySenderSubject, $save_DaemonAddress);
    $save_NotifyNoPreamble = $NotifyNoPreamble;
    $save_NotifySenderSubject = $NotifySenderSubject;
    $save_DaemonAddress = $DaemonAddress;

    #CUSTOMIZE NOTIFICATION PARAMS
    $sender = 'do-not-re...@pccc.com';
    $DaemonAddress = 'do-not-re...@pccc.com';
    $NotifyNoPreamble = 1;
    $NotifySenderSubject = "Important Mailing List Notification re:[$Subject]";

    #SEND NOTIFICATION
    action_notify_sender("$yahoo_reject_notice\n");
    #CHANGE SENDER
    change_sender($sender);

    # RESTORE NOTIFY SETTINGS
    $NotifyNoPreamble = $save_NotifyNoPreamble;
    $NotifySenderSubject = $save_NotifySenderSubject;
    $DaemonAddress = $save_DaemonAddress;
  }
}
#END YAHOO DMARC




However, we are seeing an issue with the change_sender(); function.

Specifically, here's a test from my Yahoo! account to an autism mailing 
list. Even though smfi_chgfrom appears to have worked, when the email is 
parsed by mailman, it does not appear to reflect the changed sender.  
Any thoughts appreciated...




Apr 14 16:22:32 intel1 sendmail[26075]: s3EKMToA026075: Connection: 
38.124.232.6 (mailman.peregrinehw.com) 25 - 98.138.229.24 33133 C:1 R:1
Apr 14 16:22:33 intel1 sendmail[26075]: s3EKMToA026075: 
from=kevin_mcgr...@yahoo.com, size=2710, class=0, nrcpts=1, 
msgid=1397506777.77106.yahoomail...@web141604.mail.bf1.yahoo.com, 
proto=ESMTP, daemon=MTA, relay=nm31.bullet.mail.ne1.yahoo.com 
[98.138.229.24]

Apr 14 16:22:33 intel1 mimedefang.pl[13624]: s3EKMToA026075: sm_load_avg: 1
Apr 14 16:22:33 intel1 mimedefang.pl[13624]: s3EKMToA026075: Running 
SPAM Checks - spam_assassin_check_with_spamc
Apr 14 16:22:37 intel1 mimedefang.pl[13624]: s3EKMToA026075: Running 
SPAM Checks - spam_assassin_check_with_spamc done
Apr 14 16:22:37 intel1 mimedefang.pl[13624]: s3EKMToA026075: SA-DEBUG: 
(mailman) - poac-n...@mailman.poac-nova.org - No, hits=-1.1 
required=7.0^Itests=AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM, 
^I  KAM_RPTR_PASSED,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2, ^I  
SPF_PASS,T_RP_MATCHES_RCVD
Apr 14 16:22:37 intel1 mimedefang.pl[13624]: s3EKMToA026075: Modifying 
Yahoo! message to mailing list due to DMARC - 
poac-n...@mailman.poac-nova.org - kevin_mcgr...@yahoo.com - This is 
a test #8
Apr 14 16:22:37 intel1 mimedefang.pl[13624]: s3EKMToA026075: 
MDLOG,s3EKMToA026075,mail_in,,,kevin_mcgr...@yahoo.com,poac-n

[Mimedefang] OFF-TOPIC: Heartbleed Information / OpenSSL 1.0.1 TLS Incompatibility w/Sendmail and Exchange 2003

2014-04-10 Thread Kevin A. McGrail

All,

I thought this might be a good list where some people might care/comment 
on a TLS/Sendmail issue we uncovered while dealing with Heartbleed.


We're using Sendmail 8.14.5 on a machine that had OpenSSL 1.0.0j. As a
safety measure due to heartbleed, we upgraded to OpenSSL 1.0.1g.


We then found that we had a server running Microsoft Exchange 2003 that 
we could not email.  After turning on full logs we found it appeared to 
be a TLS error.


STARTTLS=read: 1800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong 
version number:s3_pkt.c:337:
STARTTLS: read error=generic SSL error (-1), errno=0, 
get_error=error::lib(0):func(0):reason(0), retry=99, ssl_err=1

STARTTLS=client, SSL_shutdown failed: -1

We then used try_tls server no in access and that worked.

We also then switched back to OpenSSL 1.0.0j and TLS worked again.

We then upgraded to 1.0.0l and TLS continued to work.

For those in a similar boat, this appears to be what Claus Assmann refers
to as a "cipher list too long" bug where: "... this server has the
Exchange 2003 cipher-count limit problem. When RC4-SHA and RC4-MD5 are
too low on the cipher-list, TLS breaks."

He then recommends that you set a different cipher list for those
servers.  From
https://groups.google.com/forum/#!topic/comp.mail.sendmail/SXR51LaIB_U


To do this, re-compile sendmail with -D_FFR_TLS_1 and change your cipher
list:

echo "APPENDDEF(\`conf_sendmail_ENVDEF', \`-D_FFR_TLS_1')" >> devtools/Site/site.config.m4

You can also check if you have this feature with:

sendmail -d0.14 -bt < /dev/null | grep FFR


Then add this to your mc and compile:

dnl# Do not allow SSLv2 and weak ciphers:dnl
O CipherList=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-DES-CBC3-MD5:+SSLv3:+TLSv1:-SSLv2

http://www.thedumbterminal.co.uk/?action=showArticle&articleId=152


This change at least got us from "4.0.0, stat=Deferred: Input/output
error" to "403 4.7.0 TLS handshake failed", which at least was accurate
because before that we thought maybe the ISP was the issue.


Then after lots of playing around, we determined if we added RC4-MD5 
right to the front of the ciphers that Microsoft appeared to connect and 
other servers negotiated appropriate strong ciphers.  So we ended up 
using this:


O CipherList=RC4-MD5:ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-DES-CBC3-MD5:+SSLv3:+TLSv1:-SSLv2


This worked and thanks to Claus for his original post.  I thought more 
people might need this help because of the prevalence of Exchange 2003 
servers in the real-world and the sudden explosion of upgraded OpenSSL 
libraries.


Regards,
KAM
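
One way to verify what a CipherList line actually offers, and in which order, before trusting it to fix a handshake: an added example in Perl, not part of KAM's post or of sendmail. It assumes an openssl binary on PATH and uses the two cipher strings from the post; the function names are the example's own. On a current OpenSSL build the RC4 suites will normally be reported as absent, which is the answer you want unless you still have an Exchange 2003 peer to reach, and a build that no longer knows the SSLv2 keyword may reject the list outright, in which case the script says so rather than guessing.

```perl
#!/usr/bin/perl
# Added example, not code from the post: report where the RC4 suites land
# in an OpenSSL cipher list once libssl expands it, which is the ordering
# the post ties to the Exchange 2003 failure.  Assumes an "openssl" binary
# on PATH.  Only builds that still ship RC4 (OpenSSL 1.0.x, or 1.1/3.x with
# the legacy provider loaded) list those suites at all.
use strict;
use warnings;

# Expand a cipher-list string the way libssl does, via "openssl ciphers".
# The list form of open() hands the string over as a single argument, so no
# shell ever sees the '!' and '+' characters it contains.  Returns an empty
# list when openssl is missing or rejects the list.
sub expand_cipher_list {
    my ($list) = @_;
    open(my $fh, '-|', 'openssl', 'ciphers', $list) or return ();
    my $line = <$fh>;
    close $fh;
    return () unless defined $line;
    chomp $line;
    return split /:/, $line;
}

# 1-based position of each requested suite in an expanded list, or undef
# when the list does not offer that suite.
sub suite_positions {
    my ($expanded, @suites) = @_;
    my %pos;
    for my $i (0 .. $#$expanded) {
        $pos{ $expanded->[$i] } = $i + 1 unless exists $pos{ $expanded->[$i] };
    }
    return { map { $_ => $pos{$_} } @suites };
}

# The list from the post, and the post's fix of forcing RC4-MD5 to the front.
my $base = 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'
         . ':-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-DES-CBC3-MD5'
         . ':+SSLv3:+TLSv1:-SSLv2';

for my $case (['original', $base], ['RC4-MD5 first', "RC4-MD5:$base"]) {
    my ($label, $list) = @$case;
    my @expanded = expand_cipher_list($list);
    if (!@expanded) {
        print "$label: openssl could not expand this list (unsupported keyword?)\n";
        next;
    }
    my $pos = suite_positions(\@expanded, 'RC4-MD5', 'RC4-SHA');
    printf "%-14s %3d suites offered; RC4-MD5 at %s, RC4-SHA at %s\n",
        $label, scalar @expanded,
        map { defined $_ ? $_ : 'absent' } @{$pos}{qw(RC4-MD5 RC4-SHA)};
}
```

Run it on the machine whose sendmail binary links the OpenSSL in question, since the expansion depends on that library's build options, not on the string alone; that is also why the same CipherList behaved differently under 1.0.0j and 1.0.1g in the post.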


[Mimedefang] Blocked Files

2014-03-12 Thread Kevin A. McGrail

Hi Everyone,

So I wanted to be able to answer what and why we blocked various 
attachments.


Towards that end, for our installation, we wrote this page 
https://raptor.pccc.com/raptor.cgim?template=blocked_files


To help out MD, we also wrote the following patch to help document in 
the suggested minimum filter.


Regards,
KAM
--- suggested-minimum-filter-for-windows-clientsMon May  4 11:35:41 2009
+++ suggested-minimum-filter-for-windows-clients.my Thu Feb 27 14:33:17 2014
@@ -63,7 +63,76 @@
 # $MaxMIMEParts = 50;
 
 #***
-# Set various stupid things your mail client does below.
+# Set various stupid things your mail client does below.  The list of
+# extensions blocked are as follows:
+# --
+# Ext | Description  | Threat
+# --
+# ade | MS Access project description| Macros
+# adp | MS Access project description| Macros
+# app | Microsoft FoxPro app/OS X binary | Executable malware
+# asd | MS Word automatic backup | Macros
+# asf | Streaming video  | Buffer overflow
+# asx | Streaming video  | Buffer overflow
+# bas | BASIC source file| Executable malware
+# bat | Executable batch file| Malware, discarded completely
+# chm | Compiled HTML htlp file  | Buffer overflow in IE
+# cmd | Executable batch file| Executable malware
+# com | Executable file  | Malware, discarded completely
+# cpl | Control panel extension  | Executable malware
+# crt | Security Certificate | Overwrite SSL certificates
+# dll | Dynamic Link Library | Executable malware
+# exe | Executable file  | Malware, discarded completely
+# fxp | Microsoft ProFox Executable  | Executable malware
+# hlp | Windows compiled help file   | Macros
+# hta | HTML application | (Java)script malware
+# inf | Setup information| Script can change settings
+# ini | Contains program options | Change system settings
+# ins | Internet Naming Service file | DNS hijacking/MITM attacks
+# isp | Internet Settings file   | DNS hijacking/MITM attacks  
+# jse | Javascript executable| Executable malware
+# js  | Javascript source| Executable malware
+# lib | Software library | Executable malware
+# lnk | Windows shortcut | Executable malware
+# mdb | Microsoft Access File| Macros
+# mde | Microsoft Access Database| Macros
+# mdc | Microsoft Common Console Document| DNS/file hijacking
+# msi | Widnows installer executable | Executable malware
+# msp | Microsoft Windows Installer patch| Executable malware
+# mst | Microsoft VisualStudio  Test/SDK | Change computer configuration
+# ocx | OLE Control Extension| Executable malware
+# pcd | Kodak proprietary photo CD image | Executable malware
+# pif | MS-DOS shortcut file | Malware, discarded
+# prg | ProFox program source file   | Executable malware
+# reg | Registry File| Change computer configuration
+# scr | Screen Saver Script  | Malware, discarded
+# sct | Windows Script Component | Executable malware
+# sh  | UNIX shell script| Executable malware (UNIX)
+# shb | Shell Scrap Object file  | Executable malware
+# shs | Shell Scrap Object   | Executable malware
+# sys | Windows System Device Driver | Kernel-level malware
+# url | Bookmarked URL   | URL can be to a bad site
+# vb  | VisualBASIC runtime file | Executable malware
+# vbe | VisualBASIC executable   | Executable malware
+# vbs | VisualBASIC script   | Executable malware
+# vcs | Calendar file| Buffer overflow in Outlook
+# vxd | Virtual Device Driver| Executable malware
+# wms | Windows Media Player Skin| Executable malware
+# wsc | Windows Script Component | Executable malware
+# wsf | Windows Script File  | Executable malware
+# wsh | Windows Scripting Host Settings  | Executable malware
+# --
+# In addition to the above files, ZIP files are scanned for the same 
+# extensions listed above.  Also, class ID file extensions are blocked 
+# ({-...guid...} extensions).  
+# The above list was compiled with source material from the following:
+# * Wikipedia: 
+#http://en.wikipedia.org/wiki/User:Ruud_Koot/Dangerous_file_types
+# * Microsoft:
+#
http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx
+# * PCCC:
+#https://raptor.pccc.com/raptor.cgim?template=blocked_files 
+# * The MIMEDefang Source 
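Review bot: three rows in the table carry typos that will ship as documentation: "Compiled HTML htlp file" for chm should read "help file", "Widnows installer executable" for msi should read "Windows", and "mdc | Microsoft Common Console Document" looks like the msc entry from the original list (the 2013-11-05 list in this thread has msc and no mdc). The line carrying the Microsoft URL under "* Microsoft:" has no leading "+", so the hunk as shown will not apply cleanly; and hto, wmd and wmz from the 2013-11-05 list have no row here, so if they were dropped on purpose the commit message should say so.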

Re: [Mimedefang] Can I get MimeDefang to email alert me when a customer server is on an RBL

2014-02-22 Thread Kevin A. McGrail

On 2/22/2014 4:54 AM, Jon Rowlan wrote:

I'd like to get MD to email an alert to postmaster when one of my
customer relay servers is featured on an RBL list. I use
MD/Clam/SA/Sendmail.

Currently if I allow a relay from a customer server, no RBL check is
done and it can be some time later that I discover I have been spammed
through.

Is this possible? I can't see any k/b articles to suggest how I might go
about this.

There are scripts that I can run to test a bunch of IPs but I would
rather this be alerted at the point when a client server wants to relay
through mine.

Leading question: Do you test outbound email for spam?

Regards,
KAM


Re: [Mimedefang] Perl DBI problem stops mimedefang from loading?

2013-12-06 Thread Kevin A. McGrail

On 12/6/2013 2:48 PM, Richard Laager wrote:

On Fri, 2013-12-06 at 07:44 -0500, Scott Galambos wrote:

I was using these on an older 32 bit single processor
server without a problem for years.  I'm now trying to migrate to a 64
bit SMP server and I can't specify these max values without it failing
with the following error.

64 bits > 32 bits. Every pointer is larger, so applications take more
memory. We had a similar issue (not with DBI, but with the max memory
settings all of a sudden being too small) when we upgraded our
MIMEDefang systems from 32 to 64 bits.

Retest to find new appropriate values for your 64 bit systems.
Good catch.  Memory requirements for 64-bit apps are much higher but it 
is not simply double.  It should be less than double and guessing the 
size is a complicated affair.


regards,
KAM


[Mimedefang] Bad Extensions in suggested example filter

2013-11-05 Thread Kevin A. McGrail
Hello everyone, I had a vCal file blocked today with the extension 
.vcs.  I had three questions:


1 - Why is .vcs blocked?  Does it have an exploitable vector that I 
couldn't figure out?


2 - I also block the mim extension which is the Multi-Purpose Internet 
Mail Message File format MIME Files. But sadly I don't remember why.


3 - Has anyone written a description of all the extensions and a short 
what/why description?  If not, I'll take a pass at it.  (example below).


Regards,
KAM


ade
adp
app
asd
asf
asx
bas
bat - Executable batch file - Can launch malware
chm
cmd - Executable batch file - Can launch malware
com - Executable file - Can launch malware
cpl
crt
dll
exe - Executable file - Can launch malware
fxp
hlp
hta
hto
inf
ini -
ins
isp
jse?
lib
lnk
mdb
mde
msc
msi
msp
mst
ocx
pcd
pif
prg
reg
scr
sct
sh
shb
shs
sys
url  - File with a web URL that can open nefarious
vb
vbe
vbs
vcs
vxd
wmd
wms
wmz
wsc
wsf
wsh


Re: [Mimedefang] Bad Extensions in suggested example filter

2013-11-05 Thread Kevin A. McGrail

Thanks!  This looks like a great starting point.

On 11/5/2013 1:45 PM, wbr...@e1b.org wrote:

Better list at
http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx




Re: [Mimedefang] Bad Extensions in suggested example filter

2013-11-05 Thread Kevin A. McGrail

On 11/5/2013 1:56 PM, David F. Skoll wrote:

On Tue, 05 Nov 2013 13:30:17 -0500
Kevin A. McGrail kmcgr...@pccc.com wrote:


3 - Has anyone written a description of all the extensions and a short
what/why description?  If not, I'll take a pass at it.  (example
below).

The bad filename extension list in the default MIMEDefang filter is
old, crufty, unmaintained, and most likely way too aggressive.
It's not really THAT bad but I agree it needs at a minimum some 
documentation.   The #1 and #2 issues I usually see are exe's and wmz's.  
The exe's are about 50% of the time malware payloads so that policy 
makes sense.  With WMZ there are legitimate ways to exploit that format 
though I've rarely seen it in the wild.  I could argue it both ways.

I obtained it from some MSFT knowledgebase article, the origin of which
is lost in the mists of time.

If someone would like to patch the sample filter to have a saner list,
I'll gladly take the patch.

I think the list is not bad, like I said.  In practice, I like it.

I'll work on documenting the extensions that are blocked and if any need 
to come off.


Right now, for example, vcs is blocked and I can't find a reason it 
should be blocked.


And .MIM should be blocked - Apparently we had real exploits from years 
ago (2004?).  Looks tied to winzip and this announcement 
http://www.winzip.com/fmwz90.htm


Anyway, I expect the patch to be 99% documentation and 1% changing 
extensions.


Regards,
KAM


Re: [Mimedefang] Warning: Malformed MIME virus in the wild

2013-10-10 Thread Kevin A. McGrail

On 10/10/2013 4:46 PM, David F. Skoll wrote:

full __RP_ZIP_TYPE /name\s{0,2}=\s{0,2}.{0,80}\.zip/i
full __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i
meta RP_ZIP_ECTYP __RP_EMPTY_CTYPE && __RP_ZIP_TYPE
describe RP_ZIP_ECTYP Zip file attachment with bogus Content-Type: header
score RP_ZIP_ECTYP 15

Thanks a lot for this heads-up.

regards,
KAM
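The two sub-rules and the meta rule quoted in the message above, reimplemented in Python as an added example (not part of the post, of SpamAssassin or of MIMEDefang) so the match logic can be run against a constructed malformed message; the sample messages and the function names are made up here.

```python
import re

# Same patterns as the quoted "full" rules; "full" means SpamAssassin applies
# them to the raw message, so we match against bytes without MIME parsing.
RP_ZIP_TYPE = re.compile(rb"name\s{0,2}=\s{0,2}.{0,80}\.zip", re.I)
RP_EMPTY_CTYPE = re.compile(rb"Content-Type:\s{0,4};", re.I)
RP_ZIP_ECTYP_SCORE = 15.0


def sub_rule_hits(raw_message: bytes) -> dict:
    """Which of the two sub-rules fire on this raw message (for diagnostics)."""
    return {
        "__RP_ZIP_TYPE": RP_ZIP_TYPE.search(raw_message) is not None,
        "__RP_EMPTY_CTYPE": RP_EMPTY_CTYPE.search(raw_message) is not None,
    }


def rp_zip_ectyp(raw_message: bytes) -> float:
    """Score contributed by the meta rule: 15 when BOTH sub-rules fire, else 0.
    An empty Content-Type (nothing but optional spaces before the ';') in a
    message that also names a .zip file is the malformed shape the rule targets."""
    hits = sub_rule_hits(raw_message)
    return RP_ZIP_ECTYP_SCORE if all(hits.values()) else 0.0


# Constructed sample (not a real capture): a zip attachment whose part header
# has an empty media type, "Content-Type: ;", followed only by parameters.
MALFORMED = b"""From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: ; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Same message with a proper media type: only __RP_ZIP_TYPE fires, score 0.
WELL_FORMED = MALFORMED.replace(
    b'Content-Type: ; name="invoice.zip"',
    b'Content-Type: application/zip; name="invoice.zip"')

if __name__ == "__main__":
    for label, msg in (("malformed", MALFORMED), ("well-formed", WELL_FORMED)):
        print(label, sub_rule_hits(msg), rp_zip_ectyp(msg))
```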


Re: [Mimedefang] What about DKIM

2013-05-09 Thread Kevin A. McGrail

On 5/9/2013 5:30 PM, David F. Skoll wrote:


 KeyFile = 
/etc/ssl/private/roaringpenguin.com.dkim.2048.key);

Thanks for that info.  Out of interest, it doesn't look like you use 
ADSP. Any reason why or why not?


I'd also love to know more about how you would recommend creating the 
key and the DNS records because I've often worried about that and Google 
started bouncing my old 512bit key so I recently disabled that.


Regards,
KAM


Re: [Mimedefang] General Milter Questions

2012-11-13 Thread Kevin A. McGrail

On 11/12/2012 11:43 PM, Nathan Findley wrote:
First of all if there is a better mailing list to send milter api 
related questions, please let me know. 
This is definitely not the mailing list for your questions.  You are 
looking for a sendmail or postfix milter devel list.


This is the mailing list for one specific milter called MIMEDefang.

Regards,
KAM


[Mimedefang] Playing with -X and -P for Ticks

2012-10-22 Thread Kevin A. McGrail

All,

- I have a small server I'm testing with some concepts for SQL 
integration with MD


- MD is set to a maximum of 45 slaves.

- 98.143% of the processes are handled with the top 10 slaves. 99.591% 
of the processes handled with the top 15 slaves.


- I have a mysql server with a 3600 second (1 hour) timeout in the my.cnf

- I have the mysql client connecting to the mysql server

- I have a tick command in my filter

- Multiplexor is running with -X 60 -P 3

- My tick command ignores the banding so every tick type runs the same 
function which essentially is a $dbh->ping and an SQL reconnection if the 
ping fails.


- In the tick command, I see pings fail to the DB server occasionally.  
Yesterday, 4281 successful pings, 14 unsuccessful.


- This race condition sometimes leads to queries being run where the 
connection has been lost to the database.



My theory is that I should be able to tweak -P and -X to run more ticks 
in parallel to effectively end the client timeout unless the slave is 
gracefully killed.


I'm also rewriting my db query function so that if the query fails, it 
will try and run it again a 2nd time after reconnecting. However, that's 
a band-aid IMO.


Anyone have any guidance on settings for -P and -X in order to maintain 
persistent DB connections?


Regards,
KAM

