RE: [Mimedefang] temp failing - got code?

2005-01-05 Thread Minica, Nelson (EDS)
Here is some code I've used on a small domain with MySQL.  If they retry
after 10 minutes and before 24 hours they are permanently let through
the greylist filter as long as they send from same classc.  Hopefully
this will help you.

use DBI;

sub check_greylist() {   # return 0 is tempfail, 1 is permit
  if ($TrustedRelay == 1 || $Sender eq "" || $Sender =~ /(MAILER-DAEMON|postmaster)/i) { return 1; }
  my $dbh = DBI->connect("DBI:mysql:dbname", "dbuser", 'dbpass');
  my $blackperiod = 10*60;     # 10 minutes
  my $greyperiod  = 24*60*60;  # 24 hours
  my $from = lc($Sender);
  $from =~ s/[<>]//g;
  my ($username, $domain) = split(/\@/, $from);
  my @classc = split(/\./, $RelayAddr);
  my $classcpat = "$classc[0].$classc[1].$classc[2].%";   # LIKE pattern for the sender's class C
  my $rc;
  foreach my $mailto (@Recipients) {
    $mailto =~ s/[<>]//g;
    # Bind parameters: $domain and $mailto come straight from the SMTP envelope,
    # so they are never interpolated into the SQL text.
    my $sth = $dbh->prepare("SELECT greystatus,inittime FROM greylist WHERE domain=? AND ip LIKE ? AND (greystatus=1 OR mailto=?) ORDER BY greystatus DESC LIMIT 1");
    $sth->execute($domain, $classcpat, $mailto);
    if (my ($greystatus, $inittime) = $sth->fetchrow_array()) {
      my $timediff = time() - $inittime;
      if ($greystatus == 1) {
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Already white");
        $rc = 1;
      }
      elsif ($timediff > $blackperiod && $timediff < $greyperiod) {
        $dbh->do("UPDATE greylist SET greystatus=1 WHERE domain=? AND ip LIKE ?", undef, $domain, $classcpat);
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Whitelisted now");
        $rc = 1;
      }
      elsif ($timediff > $blackperiod && $timediff > $greyperiod) {
        $dbh->do("UPDATE greylist SET inittime=? WHERE domain=? AND ip LIKE ?", undef, time(), $domain, $classcpat);
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Greylisted again");
        $rc = 0;
      }
      else {
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Black still");
        $rc = 0;
      }
    }
    else {
      $dbh->do("INSERT INTO greylist (greystatus,inittime,user,domain,ip,mailto) VALUES (0,?,?,?,?,?)",
               undef, time(), $username, $domain, $RelayAddr, $mailto);
      md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Greylisted now");
      $rc = 0;
    }
    $sth->finish;
  }
  $dbh->disconnect();
  return $rc;
}

CREATE TABLE greylist (
  greystatus int(11) NOT NULL default '0',
  inittime varchar(20) NOT NULL default '',
  user varchar(200) NOT NULL default '',
  domain varchar(200) NOT NULL default '',
  ip varchar(15) NOT NULL default '',
  mailto varchar(200) NOT NULL default '',
  PRIMARY KEY  (domain,ip,mailto),
  KEY status (greystatus)
)

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Need to turn off CC in Defang Notifications

2004-11-29 Thread Minica, Nelson (EDS)
Upgraded to latest version I believe.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark
Penkower
Sent: Monday, November 29, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] Need to turn off CC in Defang Notifications


Since Clamav 0.80 took it upon itself to detect and bounce HTML.Phishing
emails, my users are getting cc's with the message.  The notification to
the sender (from defang) is cc'd to postmaster and to the user.

In my filter, I want to turn off the cc'ing to the user.  How do I
accomplish that?



RE: [Mimedefang] Allowing mails from specific users

2004-11-01 Thread Minica, Nelson (EDS)
Yes that would work.  Of course any virus/spammer pretending to use that
email address would also get through.

Nelson Minica




RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread Minica, Nelson (EDS)
Easy?  Maybe.  But at least it would have verified the spammer's e-mail
address/domain/IP in a world where 99.% of spam hides behind fake
e-mail addresses and zombie machines.  Like SPF is supposed to do.

With a whitelist based system of course the user has to manage their
whitelist if they want to receive e-mail from notification systems.  C/R
is only one piece of a whitelist based system.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]

And this would be very easy for the spammers to write mail systems to
look for the challenge, and respond.  The only ones that make it difficult
for automated response are the ones with an image that has to be typed, but
many of those cause problems for people with vision problems.  And they
break down when you use text only mail readers.

What about some end-user type that signs up for legitimate email
notifications.  Who is supposed to check for the challenges from the EUs
that don't remember to add the notification system to their white list?



RE: [Mimedefang] Catching the porn spams

2004-09-08 Thread Minica, Nelson (EDS)
Even with all my RBL/SpamAssassin/SPF/Greylisting spam blocking efforts I
was still getting about 1 porn spam a month, and that's 1 porn spam a
month too many for me.  Switching to a whitelist based system (like
challenge-response) is the only answer that seems to be 100% (at this
point in time).  Slowly writing/testing one; it seems to be working well so
far.

-Original Message-
How are other people blocking this stuff?  Even the SARE rulesets 
 are not catching it.

Try the SpamCop URI SpamAssassin ruleset.  It catches URLs in the body 
that match sites that are advertised through SPAM.



RE: [Mimedefang] Deadline for SPF records

2004-08-04 Thread Minica, Nelson (EDS)
Seems to be the deadline date I keep hearing because that's when
Microsoft will start checking SPF.

Microsoft to enforce Sender ID checks
http://www.infoworld.com/article/04/07/22/HNmicrosoftid_1.html

http://www.DNSreport.com now gives a warning if your domain doesn't have
SPF.



RE: [Mimedefang] filter bounces using mimedefang?

2004-07-14 Thread Minica, Nelson (EDS)
If only sendmail had an OUTPUT_MAIL_FILTER grrr



[Mimedefang] filter bounces using mimedefang?

2004-07-13 Thread Minica, Nelson (EDS)
I'm looking for a way to filter specific bounces preferably using
mimedefang.  Looking at the sendmail logs, bounces from the local
MAILER-DAEMON don't ever appear to hit the milter.  Any way I can make
them go through mimedefang???  I have not checked on remote bounces yet.

I tried sendmail's (deprecated) Errors-To: functionality, but that still
copies the Return-Path: (and hence doesn't allow me to filter).  I'd
really like to do this at milter level instead of local/procmail level.
Thanks for any suggestions in advance!



RE: [Mimedefang] local socket unsafe

2004-07-06 Thread Minica, Nelson (EDS)
I also have this problem if I try to restart MD before the previous MD
processes have stopped.  In the log file, for example, you can see it is
trying to start before mi_stop=1...  Something wrong with init.d script.

 mimedefang-multiplexor: Received SIGTERM: Killing slaves and
terminating
 mimedefang-multiplexor: started; minSlaves=2, maxSlaves=10,
maxRequests=500, maxIdleTime=300, busyTimeout=600, clientTimeout=10
 mimedefang-multiplexor: Starting slave 0 (pid 1456) (1 running):
Bringing slaves up to minSlaves (2)
 mimedefang[1457]: Multiplexor alive - entering main loop
 mimedefang[1244]: MIMEDefang-2.42: mi_stop=1
 sendmail[1463]: alias database /etc/mail/aliases rebuilt by root
 sendmail[1463]: /etc/mail/aliases: 674 aliases, longest 156 bytes,
17074 bytes total
 sendmail[1469]: starting daemon (8.12.11): [EMAIL PROTECTED]:05:00
 sm-msp-queue[1478]: starting daemon (8.12.11): [EMAIL PROTECTED]:05:00
 sendmail[1485]: i5R8Ktsc001485: Milter (mimedefang): local socket name
/var/spool/MIMEDefang/mimedefang.sock unsafe
 sendmail[1485]: i5R8Ktsc001485: Milter (mimedefang): to error state
 sendmail[1485]: i5R8Ktsc001485: Milter: initialization failed, temp
failing commands



RE: [Mimedefang] Where is best to use $SendmailMacros{auth_authen} ?

2004-07-01 Thread Minica, Nelson (EDS)
Here's what I use: ACCEPT_AND_NO_MORE_FILTERING in filter_relay.  Can't
use macros there, have to read COMMANDS file.

sub is_trusted() {
  if ($RelayAddr eq "127.0.0.1" || $RelayAddr eq "123.123.123.123" ||
      $RelayAddr =~ /^10\.1\.1\./) {
    return 1;
  }
  else {
    # Sendmail macros are not available in filter_relay, so look for the
    # auth_authen macro in the COMMANDS file instead.
    open(COMM, "<", "./COMMANDS") or return 0;
    while (<COMM>) {
      if (/^=auth_authen/) {
        close(COMM);
        md_syslog('info', "MDLOG: SMTP Authenticated");
        return 1;
      }
    }
    close(COMM);
    return 0;
  }
}

# Must set MX_RELAY_CHECK=yes in /etc/init.d/mimedefang
sub filter_relay {
  my ($ip, $name, $helo) = @_;
  # A remote host claiming our own domain in HELO is rejected unless trusted.
  if ($helo =~ /mydomain\./i) {
    if (!is_trusted()) {
      return ('REJECT', "Spam block HELO $helo.");
    }
  }
  if (is_trusted()) {
    return ('ACCEPT_AND_NO_MORE_FILTERING', "ok1");
  }
  return ('CONTINUE', "ok2");
}



[Mimedefang] yet another greylist mysql implementation

2004-07-01 Thread Minica, Nelson (EDS)
The tied DBM code just didn't make sense to me so I wrote this before I
saw someone else ported the DBM code to mysql... Just thought I'd offer
it to community for comments/inspection (I'm sure it could be
improved)... use at your own risk!  The code greylists by
domain/classc/to, but will allow domain/classc to anyone once
whitelisted.


use DBI;

sub check_greylist() {  # return 0 is tempfail, 1 is permit
  if ($Sender eq "" || is_trusted()) { return 1; }
  my $dbh = DBI->connect("DBI:mysql:spamdb", "myuser", 'mypass');
  my $blackperiod = 10*60;     # 10 minutes
  my $greyperiod  = 24*60*60;  # 24 hours
  my $from = lc($Sender);
  $from =~ s/[<>]//g;
  my ($username, $domain) = split(/\@/, $from);
  my @classc = split(/\./, $RelayAddr);
  my $classcpat = "$classc[0].$classc[1].$classc[2].%";   # LIKE pattern for the sender's class C
  my $rc;
  foreach my $mailto (@Recipients) {
    $mailto =~ s/[<>]//g;
    # Bind parameters: $domain and $mailto come straight from the SMTP envelope,
    # so they are never interpolated into the SQL text.
    my $sth = $dbh->prepare("SELECT greystatus,inittime FROM greylist WHERE domain=? AND ip LIKE ? AND (greystatus=1 OR mailto=?) ORDER BY greystatus DESC LIMIT 1");
    $sth->execute($domain, $classcpat, $mailto);
    if (my ($greystatus, $inittime) = $sth->fetchrow_array()) {
      my $timediff = time() - $inittime;
      if ($greystatus == 1) {
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Already white");
        $rc = 1;
      }
      elsif ($timediff > $blackperiod && $timediff < $greyperiod) {
        $dbh->do("UPDATE greylist SET greystatus=1 WHERE domain=? AND ip LIKE ?", undef, $domain, $classcpat);
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Whitelisted now");
        $rc = 1;
      }
      elsif ($timediff > $blackperiod && $timediff > $greyperiod) {
        $dbh->do("UPDATE greylist SET inittime=? WHERE domain=? AND ip LIKE ?", undef, time(), $domain, $classcpat);
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Greylisted again");
        $rc = 0;
      }
      else {
        md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Black still");
        $rc = 0;
      }
    }
    else {
      $dbh->do("INSERT INTO greylist (greystatus,inittime,user,domain,ip,mailto) VALUES (0,?,?,?,?,?)",
               undef, time(), $username, $domain, $RelayAddr, $mailto);
      md_syslog('info', "GREYLIST: $domain $classc[0].$classc[1].$classc[2] Greylisted now");
      $rc = 0;
    }
    $sth->finish;
  }
  $dbh->disconnect();
  return $rc;
}

sub is_trusted() {
  if ($RelayAddr eq "127.0.0.1" || $RelayAddr eq "123.123.123.123" ||
      $RelayAddr =~ /^10\.1\.1\./) {
    return 1;
  }
  else {
    # Look for the auth_authen macro in the COMMANDS file (SMTP AUTH succeeded).
    open(COMM, "<", "./COMMANDS") or return 0;
    while (<COMM>) {
      if (/^=auth_authen/) {
        close(COMM);
        md_syslog('info', "MDLOG: SMTP Authenticated");
        return 1;
      }
    }
    close(COMM);
    return 0;
  }
}

sub filter_begin () {
  if (!check_greylist()) {
    return action_tempfail("Temporary Error, please retry later");
  }
  etc...

CREATE TABLE greylist (
  greystatus int(11) NOT NULL default '0',
  inittime varchar(20) NOT NULL default '',
  user varchar(200) NOT NULL default '',
  domain varchar(200) NOT NULL default '',
  ip varchar(15) NOT NULL default '',
  mailto varchar(200) NOT NULL default '',
  PRIMARY KEY  (domain,ip,mailto),
  KEY status (greystatus)
) TYPE=MyISAM;
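The decision logic from the two check_greylist posts on this page (the 2004 and 2005 versions), as an added example that is not Nelson's code: the same domain/classc/to greylist with the 10 minute black period and 24 hour grey period, written in Python on SQLite so it can be run and traced offline. Bound parameters replace the string-built SQL of the posted Perl, and the example goes one step further than the posts by tempfailing when any recipient is still grey rather than returning the last recipient's result. The table layout, sender addresses and clock values are constructed for the example.

```python
import sqlite3

BLACK_PERIOD = 10 * 60      # retry sooner than this: "black still", tempfail again
GREY_PERIOD = 24 * 60 * 60  # retry later than this: start greylisting over

# Same columns as the posted CREATE TABLE, in SQLite types (constructed for this example).
SCHEMA = ("CREATE TABLE IF NOT EXISTS greylist (greystatus INTEGER NOT NULL DEFAULT 0,"
          " inittime INTEGER NOT NULL, user TEXT NOT NULL, domain TEXT NOT NULL,"
          " ip TEXT NOT NULL, mailto TEXT NOT NULL, PRIMARY KEY (domain, ip, mailto))")

def open_greylist_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def classc_pattern(ip):
    # "192.0.2.44" -> "192.0.2.%", the LIKE pattern the posted code builds per relay
    return ".".join(ip.split(".")[:3]) + ".%"

def check_greylist(db, sender, relay_ip, recipients, now):
    # Returns (permit, reason); permit False means the message is tempfailed.
    sender = sender.lower().replace("<", "").replace(">", "")
    if sender == "" or "mailer-daemon" in sender or "postmaster" in sender:
        return True, "exempt"
    user, _, domain = sender.partition("@")
    pattern = classc_pattern(relay_ip)
    permit_all, reason = True, "no recipients"
    for mailto in recipients:
        mailto = mailto.replace("<", "").replace(">", "")
        # Bound parameters: domain and mailto come straight from the SMTP envelope.
        row = db.execute(
            "SELECT greystatus, inittime FROM greylist WHERE domain=? AND ip LIKE ?"
            " AND (greystatus=1 OR mailto=?) ORDER BY greystatus DESC LIMIT 1",
            (domain, pattern, mailto)).fetchone()
        if row is None:
            db.execute("INSERT INTO greylist VALUES (0, ?, ?, ?, ?, ?)",
                       (now, user, domain, relay_ip, mailto))
            permit, reason = False, "greylisted now"
        elif row[0] == 1:
            permit, reason = True, "already white"
        elif BLACK_PERIOD < now - row[1] < GREY_PERIOD:
            db.execute("UPDATE greylist SET greystatus=1 WHERE domain=? AND ip LIKE ?",
                       (domain, pattern))
            permit, reason = True, "whitelisted now"
        elif now - row[1] > GREY_PERIOD:
            db.execute("UPDATE greylist SET inittime=? WHERE domain=? AND ip LIKE ?",
                       (now, domain, pattern))
            permit, reason = False, "greylisted again"
        else:
            permit, reason = False, "black still"
        permit_all = permit_all and permit  # one grey recipient tempfails the whole message
    db.commit()
    return permit_all, reason
```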



RE: [Mimedefang] Where is best to use $SendmailMacros{auth_authen} ?

2004-07-01 Thread Minica, Nelson (EDS)
 Nit:  you're calling is_trusted twice to check the same things -
including a file read. Option 1, store the value and use it for the
tests.

Thanks, you're right.  I saw that but let it go since we don't block many
HELO's.  Shame on me, posting sloppy code!
