Re: [Mimedefang] Random Word Spam

2004-01-15 Thread Steffen Kaiser
On Wed, 14 Jan 2004, Kenneth Porter wrote:

About 33% of non-tagged SPAM I find in my mailbox currently looks like:

Content-Type: multipart/alternative;
The first part is: text/plain and contains random words
The second part is: text/html and contains the "real" spam.
Well, I do see the gibberish only ... .

Also: most often the Subject line consists of random words, too; and the
X-Mailer as well.

Can you configure SpamAssassin to take the MIME structure into account
when trying to identify the text/plain portion as "gibberish"?

Perhaps it would make sense to do some sort of comparison between both
portions? E.g. all words from the text/plain part must be in the text/html
part, too? When someone builds an HTML mail and the text/html part is
generated by the mailer, I guess it works straightforwardly: it will
just remove the tags, hence the words of the text/plain part should even
be in the same sequence as those of the text/html part?

Bye,

-- 
Steffen Kaiser
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

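The comparison proposed above, as an added example that is not part of the original post: it parses a multipart/alternative message with MIME::Parser (from MIME-tools), strips the tags from the text/html part and reports what fraction of the distinct text/plain words reappear there. Both messages are constructed samples, and the tag stripper is a deliberately rough regex.

```perl
#!/usr/bin/perl
# Added example, not code from the post or from MIMEDefang/SpamAssassin.
use strict;
use warnings;
use MIME::Parser;

# Constructed sample: gibberish in text/plain, the real content in text/html.
my $gibberish_mail = <<'MSG';
From: someone@example.invalid
To: you@example.invalid
Subject: livingston magnesium disposal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="bnd"

--bnd
Content-Type: text/plain; charset=us-ascii

adjacent illegitimacy yeats arroyo magnesium disposal
--bnd
Content-Type: text/html; charset=us-ascii

<html><body><p>Boost your car's gas mileage now, click here!</p></body></html>
--bnd--
MSG

# Constructed sample: a MUA-generated alternative whose plain text matches.
my $honest_mail = <<'MSG';
From: someone@example.invalid
To: you@example.invalid
Subject: meeting
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="bnd"

--bnd
Content-Type: text/plain; charset=us-ascii

The meeting moves to Thursday at ten, please confirm.
--bnd
Content-Type: text/html; charset=us-ascii

<html><body><p>The meeting moves to <b>Thursday</b> at ten, please confirm.</p></body></html>
--bnd--
MSG

# Set of lower-cased words with at least two letters.
sub words_of {
    my ($text) = @_;
    my %seen;
    $seen{ lc($_) } = 1 for $text =~ /\b[[:alpha:]]{2,}\b/g;
    return \%seen;
}

# Rough tag stripper; enough to compare word sets, not a real HTML parser.
sub strip_html {
    my ($html) = @_;
    $html =~ s/<(script|style)\b.*?<\/\1>//gis;
    $html =~ s/<[^>]+>/ /g;
    $html =~ s/&nbsp;/ /g;
    $html =~ s/&amp;/&/g;
    return $html;
}

# Fraction of distinct text/plain words that also occur in the text/html
# part, or undef when the message has no such pair of parts.
sub plain_html_overlap {
    my ($raw) = @_;
    my $parser = MIME::Parser->new;
    $parser->output_to_core(1);          # keep parts in memory, no work files
    my $entity = $parser->parse_data($raw);
    return undef unless $entity->effective_type eq 'multipart/alternative';

    my ($plain, $html);
    for my $part ($entity->parts) {
        my $type = $part->effective_type;
        my $body = $part->bodyhandle ? $part->bodyhandle->as_string : '';
        $plain = $body if $type eq 'text/plain' && !defined $plain;
        $html  = $body if $type eq 'text/html'  && !defined $html;
    }
    return undef unless defined $plain && defined $html;

    my $pw    = words_of($plain);
    my $hw    = words_of(strip_html($html));
    my $total = keys %$pw;
    return undef unless $total;
    my $hits = grep { $hw->{$_} } keys %$pw;
    return $hits / $total;
}

for my $sample ([gibberish => $gibberish_mail], [honest => $honest_mail]) {
    my ($label, $raw) = @$sample;
    my $ratio = plain_html_overlap($raw);
    printf "%-9s overlap: %s\n", $label,
        defined $ratio ? sprintf('%.2f', $ratio) : 'n/a';
}
```

A low overlap (here 0.00 for the gibberish sample versus 1.00 for the honest one) marks a message whose alternative parts disagree; word order, as the post also suggests, could be compared the same way.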

Re: [Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

2004-01-19 Thread Steffen Kaiser
On Fri, 16 Jan 2004, John A. Stewart wrote:

> Allowing authenticated connections (only) on an alternate port is also a good
> idea because some service providers force their customers to send mail
> via their own mail server by blocking outgoing connections to port 25.
> VPN is overkill in my view.  I'd rather use SSL based services for secure
> remote access.

Actually, I'm surprised that there seem to exist so many ISPs (in the USA)
that do not mangle the From/Sender/Reply-To headers. I have had very bad
experiences in this respect.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Question regarding account name / recipient parsing

2004-01-21 Thread Steffen Kaiser
On Sat, 17 Jan 2004, Kevin A. McGrail wrote:

There was some question on this list, but I don't find it right away in
the archives.

> In a SUBFILTER, is their a way to determine if and what account name is
> associated with a recipient for a local mail delivery?

The answer was no,

> If the answer is no, has anyone written anything to parse the standard
> virtusertable/alias tables to do this?

Well, manually I'd use this:

sendmail -bv -O ForwardPath= recipient_address

I wonder if it makes sense to re-implement all the matching and various
cases of sendmail.

Bye,

-- 
Steffen Kaiser


[Mimedefang] Search link of MIMEDefang list

2004-01-22 Thread Steffen Kaiser
Hallo David,

could you please remove the JS-dependent search link or re-add a plain one?

Bye,

-- 
Steffen Kaiser


[Mimedefang] Message that bypasses virus scanning

2004-01-22 Thread Steffen Kaiser
Hello,

Tested with: mimedefang-2.39 and mimedefang-2.33, with
MIME-tools-5.411a-RP-Patched-02.

Recently I found warnings in my logs about "Uninitialized values" in the
output triplet of message_contains_virus_fprotd().

The reason is this code snippet in mimedefang.pl, function sub
item_contains_virus_fprotd ($;$), near line 2613:

if(-d $item) {
    my @result;
    $host .= ":$baseport";
    foreach my $entry (glob("$item/*")) {
        @result = &item_contains_virus_fprotd($entry, $host);
        last if $result[0] != 0;
    }
    return (wantarray ? @result : $result[0]);
}

The code does return an empty "@result", but only if no regular file in
the directory gets scanned.
The logs show that NO files are scanned; the "Work" directory is empty!

I wonder why mimedefang.pl scans an empty directory?!

The bypassing message includes the header:

Content-Type: multipart/alternative;
boundary="=_Part_42810428_-5465.32142810428"

but does not contain any boundary at all; the spam is contained in the
mail body. When I remove that header, the message is scanned.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Random Word Spam

2004-01-23 Thread Steffen Kaiser
On Thu, 15 Jan 2004, Brent J. Nordquist wrote:

> > Also: Most often the Subject line is contained of random words, too; and
> > X-Mailer as well.
>
> the header lines, which doesn't tax the CPU as much as the body tests to
> find the random words themselves.  See x_headers.cf at

Cool thing! Works great, Thanks.

-- 
Steffen Kaiser


Re: [Mimedefang] Dumb Question

2004-01-26 Thread Steffen Kaiser
On Fri, 23 Jan 2004, Ben Kamen wrote:

> In the /etc/mail/spamassassin dir... what's the local.cf for?

perldoc Mail::SpamAssassin::Conf

Says:
"SpamAssassin is configured using some traditional UNIX-style configuration
files, loaded from the /usr/share/spamassassin and /etc/mail/spamassassin
directories."

I think I have seen those two directories referred to as:

/usr/share/spamassassin --> base rules
/etc/mail/spamassassin  --> site-wide config

Although I have only ever installed SpamAssassin via CPAN on this
system, I have found two "base rule" directories, one in
/usr/share/spamassassin (which was very out of date) and one in
/usr/local/share/spamassassin (up-to-date).

In my tests, SpamAssassin picks up every *.cf file in all three locations:
/usr/local/share/spamassassin, /usr/share/spamassassin, and
/etc/mail/spamassassin. However, MIMEDefang passes
/etc/mail/sa-mimedefang.cf as "user config" to SpamAssassin, which
overrides any setting of the other files. (In fact, the file is read twice
this way, first as site-wide config, second as user config.)

I accidentally found out about this behaviour running the command:
$ spamassassin --lint -x

Actually, I have almost nothing in sa-mimedefang.cf, but place
rules and settings of one topic into one file, e.g. "bayes.cf" etc.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Using more than one virus scanner is a good idea.

2004-01-29 Thread Steffen Kaiser
On Wed, 28 Jan 2004, Chris Myers wrote:

> Here are replacements for message_contains_virus and entity_contains_virus
> that use all available virus scanners (and an example of using clamd but not
> clamav when
> both are available).  Instead of using only the first available scanner,
> these new routines try the available scanners in turn, until one of them
> finds a virus or all of the scanners have been tried.

OK, I agree that this code is nice to have in a plug-and-go filter
(though I'd move the generation of the @scanners array out of the
function).
But I do not test any of the $Features{'Virus:XYZ'}, because
a) I know which virus scanners should be present,
b) when they fail (to be invoked or whatever) it's a bug that has to be
resolved and found early, and
c) I do not intend to change the list of available scanners regularly.

BTW: There was a thread on this list claiming that the File::Scan module
has very little impact on the scanning process in comparison to the other
virus scanners, so that it should be called first to avoid unnecessary calls
to heavier ones -- however, assuming that most mails are free of viruses,
that makes no difference, because both scanners run anyway.

>foreach my $scanner ( @scanners ) {
>   my ($code, $category, $action) = &$scanner();
>   if ( $category eq "virus" || $category eq "suspicious" ) {
>  return ( wantarray ? ($code, $category, $action) : 0 )

^^^  Shouldn't you return $code instead of "0", in case you happen to
call the function in scalar context?

Bye,

-- 
Steffen Kaiser

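An added example that serves both this post and the earlier "Message that bypasses virus scanning" one; it is neither mimedefang.pl's code nor the routines posted in the thread. It walks a work directory with a result that always stays a defined ($code, $category, $action) triplet, reports a directory in which nothing was scanned with its own category rather than as clean, and tries several scanners in turn while returning $code in scalar context. The two scanners are constructed stubs that look for a marker string, and every code and category other than the clean triplet (0, 'ok', 'ok') is this example's own convention.

```perl
#!/usr/bin/perl
# Added example, not from mimedefang.pl or from the thread. The scanners
# below are stubs standing in for real engines.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# The triplet MIMEDefang virus-scanner functions return for a clean item.
sub clean { return (0, 'ok', 'ok'); }

sub file_has {
    my ($file, $marker) = @_;
    open(my $fh, '<', $file) or return 0;
    local $/;
    my $data = <$fh>;
    close $fh;
    return defined $data && index($data, $marker) >= 0;
}

# Constructed scanners, each returning ($code, $category, $action).
my @Scanners = (
    sub { file_has($_[0], 'MARKER-A') ? (1, 'virus', 'quarantine') : clean() },
    sub { file_has($_[0], 'MARKER-B') ? (1, 'suspicious', 'quarantine') : clean() },
);

# Try every scanner in turn until one objects. In scalar context the result
# is $code, never a literal 0, so a scalar caller still sees the hit.
sub scan_file {
    my ($file) = @_;
    for my $scanner (@Scanners) {
        my ($code, $category, $action) = $scanner->($file);
        if ($category eq 'virus' || $category eq 'suspicious') {
            return wantarray ? ($code, $category, $action) : $code;
        }
    }
    my @ok = clean();
    return wantarray ? @ok : $ok[0];
}

# Walk a work directory. @result starts as the clean triplet, so an empty
# directory cannot yield an empty list and "uninitialized value" warnings.
# A directory in which nothing was scanned gets its own category (this
# example's convention), because "nothing scanned" is not "clean".
sub scan_dir {
    my ($dir) = @_;
    my @result  = clean();
    my $scanned = 0;
    opendir(my $dh, $dir) or return wantarray ? (1, 'cannot-execute', 'tempfail') : 1;
    my @names = readdir $dh;
    closedir $dh;
    for my $name (sort @names) {
        next if $name eq '.' || $name eq '..';
        my $path = File::Spec->catfile($dir, $name);
        @result = -d $path ? scan_dir($path) : scan_file($path);
        $scanned++;
        last if $result[0] != 0;
    }
    @result = (0, 'nothing-scanned', 'unscanned') if $scanned == 0;
    return wantarray ? @result : $result[0];
}

# Constructed demo: an empty work directory next to one holding a marked part.
my $empty = tempdir(CLEANUP => 1);
my $work  = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($work, 'part-1')) or die "cannot write: $!";
print $out "harmless text with MARKER-B inside\n";
close $out;

for my $dir ($empty, $work) {
    my @r = scan_dir($dir);
    my $c = scan_dir($dir);      # scalar context: just the code
    printf "%s -> (%s), scalar %d\n", $dir, join(', ', @r), $c;
}
```

A filter that checks only `$result[0] != 0` still sees the empty directory as code 0; the category is what it must inspect to tempfail or reject a message from which no part could be extracted.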

RE: [Mimedefang] disable antivirus for one user

2004-01-29 Thread Steffen Kaiser
On Wed, 28 Jan 2004, Fox, Randy wrote:

> > does anyone have a quick way to say
> > if the recipient is [EMAIL PROTECTED] exit from the
> > filter completely and deliver as-is?
>
> How about adding and activating filter_recipient?  Then put something
> like this in the sub-routine:
>
> sub filter_recipient {
> my($recip, $sender, $ip, $host, $first, $helo) = @_;
> $recip =~ tr/A-Z/a-z/;
> if ($recip =~ /[EMAIL PROTECTED]/) {
> return ('ACCEPT_AND_NO_MORE_FILTERING','ok');
> }
> }

Hmm, this snippet is from stream_by_recipient:

foreach $recip (@Recipients) {
    resend_message_one_recipient($recip);
}

You have _one_ recipient that should go unfiltered, but the mail
probably has more than one recipient.

The idea I have now is that the mail is dealt with normally if there is
just one recipient or at least one non-exempted recipient is specified,
and the message is resent to all exempted recipients individually.

How about in filter_begin:

if(scalar(@Recipients) > 1) { # Maybe honeypot and regular users are
                              # intermixed

    # Filter for exempted recipients
    foreach my $r (@Recipients) {
        if($r =~ /(^|\<)[EMAIL PROTECTED]($|\>)/i) {
            # honeypot found

            # Resend -> Next time the filter gets this mail
            # there is just one recipient, hence, this
            # check is bypassed, and the mail is processed
            resend_message_one_recipient($r);

            delete_recipient($r);
        }
    }

    ## Warning:
    # If you have more than one recipient to exempt, you have to deal with
    # the possibility that all recipients are deleted from the current (the
    # original, actually) message, because all of them are exempted.

    ## Warning #2:
    # @Recipients still includes all exempted recipients, because
    # delete_recipient() does not update the array!

    $exemptedUser = 0;
} elsif($Recipients[0] =~ /(^|\<)[EMAIL PROTECTED]($|\>)/i) {
    # the single recipient is the special user to be exempted from
    # scanning

    # Set a global variable so all filter_*() functions bypass filtering
    # by immediately calling action_accept();
    $exemptedUser = 1;
    return action_accept();
} else {
    $exemptedUser = 0;
}

Then in all other filter_* functions there is a:


return action_accept() if $exemptedUser;

right behind the usual

return if message_rejected();

Or evaluate $exemptedUser wherever you need it.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] $helo versus $ip

2004-02-03 Thread Steffen Kaiser
On Tue, 3 Feb 2004, Matt Cramer wrote:

> This will yield many false positives.  Here is what I do:
>
> * Reject mail from outside relays who HELO as one of my domains.
> * Reject mail from outside relays who HELO as one of my networks, with or
>   without brackets (e.g. "204.74.20.1" and "[204.74.20.1]")
> * Reject mail from outside relays who HELO as a string that isn't a domain
>   or an address.  I just check for a "." in the string.  An amazing
>   amount of ratware issues "HELO hjdjhdf" etc.  I've had a few false
>   positives where the server was just doing "HELO servername" and in all
>   cases the admin of the sending server has corrected it.

This sounds cool, despite the always-mentioned problem when mail clients
connect to the server directly, like in my case.
Is there a way to determine whether the message came in through sendmail's
MTA (port 25) or MSA (port 587) channel?

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Determine MTA or MSA port: consult the {daemon_*} macros

2004-02-04 Thread Steffen Kaiser
On Tue, 3 Feb 2004, Jeremy Mates wrote:

> > clients connect to the server directly - like in my case. Is there a
> > way to determine, if the message came in through sendmail's MTA (Port
> > 25) or MSA (Port 587) channel?
>
> Sendmail knows what port is being used, and this information is made
> available as macros. To see what macros are passed to MIMEDefang, use

> Then send a few test messages, which should reveal the {daemon_name}
> macro being passed to MIMEDefang. This macro can be used to translate

Hey, I simply missed this nifty info in the info logs!

BTW: I'm logging the MIMEDefang info for all my own mails with the
Data::Dumper->Dump() method into a file. Works great for debugging and
has a readable output of all the variables; e.g.:

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] action_tempfail question -- greylist at filter_begin

2004-02-05 Thread Steffen Kaiser
On Wed, 4 Feb 2004, Rick Mallett wrote:

> Not necessarily. The other way of doing it is to just use
> $Recipients[0] as the recipient as in

Is it guaranteed that the 1st recipient remains the first one in the next
delivery attempt?

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] memory leak?

2004-02-10 Thread Steffen Kaiser
On Mon, 9 Feb 2004, Ron Peterson wrote:

> What we have been seeing is that the system's memory useage slowly (over a
> day or two) creeps up to full utilization.  Then the swap space starts
> being used.  I don't know how hard it's getting hit, just that it goes
> from 0% to something slightly more than 0%.

I'd call this normal.
It seems to me that Linux swaps out pages not used for a long time in favour
of disk cache buffers: I have an internet router/gateway that never peaks
over its physical RAM (512MB), but has about 120MB of swap space in use. The
buffers take about 70% of the RAM.

> That would all be o.k., but for the fact that the load average also
> spikes.  We're running a load average just over 1% right now.  The CPUs
> are over 80% idle.  Everything is going full bore.  By tomorrow morning, I
> expect the load average to be over 50, and the CPU idle to be way

My mail server shows this behaviour when the NFS server times out and the
MDA or the IMAP/POP servers try to access the home directories.
Also, when the DNS server has some problems, sendmail tends to spawn lots
of children waiting for the DNS response; this seems to pump up the load,
too.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Idea.. spell checking?

2004-02-11 Thread Steffen Kaiser
On Tue, 10 Feb 2004, Mark wrote:

> Here I am thinking out loud while running through my spam log, would a perl
> interface to a spell checker with some sort of weighting help kill more of
> this junk?
>
> i.e if there are 100 words in the body, and 75% are misspelled, add it to
> the score...
>
> comments, good idea, bad idea?

Well, the culture of spelling correctly tends to be very poor when it comes
to electronic mail - tons of abbreviations, acronyms, synthetic words, and
laziness.
Also consider mixed contents, like source code, different languages, URLs,
filenames, error messages ...
What about non-native speakers?

Do you have the SA rules installed that were posted in conjunction with this thread:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-January/019200.html
They are targeted at "gibberish".

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] file extension regex bug

2004-02-13 Thread Steffen Kaiser
On Thu, 12 Feb 2004, David F. Skoll wrote:

> That was not a bug.  It was an attempt to guard against malformed
> MIME like this:
>
> Content-Type: appliaction/octet-stream; name=foobar.exe .txt
>
> vs.
>
> Content-Type: appliaction/octet-stream; name=foobar.txt .exe


> However, the old behavior was so unpopular that as of 2.39, I anchored
> the regexp.

Would it be possible to parse and re-create MIME sub headers, in order to
place, at least, double quotes around the name?

Bye,

-- 
Steffen Kaiser


RE: [Mimedefang] Mimedefang/Spamassassin/bayesian

2004-02-17 Thread Steffen Kaiser
On Tue, 17 Feb 2004, Paul Murphy wrote:

> drwxr-xr-x2 root root 4096 Feb 17 12:29 .
> drwxr-xr-x   14 root root 4096 Jan 19 17:30 ..
> -rw-rw-rw-1 defang   root 4096 Jan 19 18:36 bayes_seen
> -rw-rw-rw-1 defang   root20480 Jan 19 18:36 bayes_toks

I'm not sure whether the autolearn feature will need to create the
bayes_journal, too. I made the directory owned by defang as well.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Performance parameters

2004-02-29 Thread Steffen Kaiser
On Fri, 27 Feb 2004, Kevin A. McGrail wrote:

> For a quick change on a server in place with plenty of ram with tmpfs
> compiled and configured to /dev/shm, does anyone see a problem with just
> adding the following (or very similar) to the mimedefang startup script?
>
> cd /dev/shm
> mkdir MIMEDefang
> chmod 700 MIMEDefang
> chown defang.defang MIMEDefang
> ln -s /dev/shm/MIMEDefang /var/spool/MIMEDefang

How do you handle the case where /var/spool/MIMEDefang already exists,
be it an old symlink or an old-style directory?

BTW: Why don't you use mount?

Bye,

-- 
Steffen Kaiser


[Mimedefang] Invalid "mimedefang.pl -structure" output and virus scanning behaviour

2004-03-01 Thread Steffen Kaiser
Hello,

lately I found and reported that message_contains_virus() runs the virus
scanner on an empty directory. I collected some mails, in which cases this
occurs:

mimedefang.pl -structure 
To: <>
Subject: Boost Your  Car's Gas Mileage 27%+, livingston magnesium disposal yeats
Mime-Version: 1.0
X-Mailer: adjacent illegitimacy
Date: Wed, 18 Feb 2004 00:26:21 -0500
Reply-To: " Arroyo" <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
boundary=""
Message-Id: <[EMAIL PROTECTED]>

--
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: gibberish]

--
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: contents]



==END


The same applies to this [snipped non-MIME stuff]:

===START
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--ALT--SJFV45206236694260
Message-Id: <[EMAIL PROTECTED]>

ALT--SJFV45206236694260

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: gibberish]

ALT--SJFV45206236694260

Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

[snip: contents]

ALT--SJFV45206236694260
--

===END

The second message was resent/forwarded by some FreeMail hoster; maybe
that one destroyed the MIME structure.

The problem is the "unusual" MIME boundary; e.g. if I add the missing
closing quote to the second message, mimedefang.pl -structure correctly
returns:

non-leaf: type=multipart/alternative; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline
leaf: type=text/plain; fname=; disp=inline

However, my concerns are as follows:

a) The first message, containing an empty MIME boundary, is split apart
by Pine v4.58 (and I guess other MUAs, too). That means that no attachment
is scanned for viruses by MIMEDefang, but it is happily accessible by the
MUA.

b) The second message may not contain such a threat, because the MIME
type defaults to text/plain (because of the preceding empty line),
but what about stupid MUAs? At least many MUAs do attempt HTML display on
text/plain.

===
The behaviour is the same regardless of whether the patched MIME::Tools or
the development version is used:

MIME::Tools   : Version 6.110
MIME::Words   : Version 6.107

patched MIME::Tools:
MIME::Tools   : Version 5.411
MIME::Words   : Version 5.404

This makes three weaknesses in the MIME::Tools so far.

Bye,

-- 
Steffen Kaiser


[Mimedefang] wish: for ./configure

2004-03-09 Thread Steffen Kaiser
Hello David,

could ./configure have options to enable specific virus scanners,
e.g.:

./configure --enable-fprotd[=127.0.0.1:12000] ?

That could set both the $Feature{Virus:FPROTD} and $FprotdHost.

Reason: well, my laziness/forgetfulness: I always forget to set
$Feature{Virus:FPROTD} manually in mimedefang.pl.

Bye,

-- 
Steffen Kaiser


[Mimedefang] stream_by_* placement question

2004-03-09 Thread Steffen Kaiser
Hello,

I'm implementing a stream_by_class function that is to work like
stream_by_recipient and stream_by_domain, but with a more generic way to
categorize into which chunks the mail is broken up. So far, I'm using
MIMEDefang v2.39 and it seems to work. (I named it stream_by_class below.)

However, I wonder about the following points:

S: I usually split off only a few recipients, mainly postmaster/abuse/noc
and some internal lists.
Q: The current implementation of stream_by_domain completely discards the
current instance of the mail and generates a "resend" mail for each
domain. Can I keep some recipients in the current instance?

I thought to perform:

resend_message(@{ $recip });
foreach my $r (@{ $recip }) {
   delete_recipient($r);
}

Where @{ $recip } contains the unmodified addresses of the split-off
recipients.

S: The current stream_by_domain's doc explicitly states that one should
call the function "early" in filter_begin.
Q: Are there side effects -- other than sending the _completely_ unmodified
mail -- when resending a mail later, say in filter() or filter_end()?

I thought to split the mail only when necessary; example:

Only three out of hundreds of recipients shall have attachments replaced by
URLs. So in filter() I find this condition and call stream_by_class() and,
if the current class is to have the attachment replaced, action_replace_by_URL()
is invoked.

I assume this question is answered by the man page for the "resend_message()"
function; meaning: it is possible, but no change is resent.

===

Some considerations about this setup:

a) When one keeps one class of recipients within the current instance of
the mail, there is one resent copy less than usual; hence, you use fewer
resources to process a mail that will be split up. That saves running the
MIMEDefang process (decomposing the mail etc.) one time.

b) If the mail is resent _late_ in the filter_begin/filter/filter_end
chain, the same mail is possibly processed multiple times, e.g. the virus
check is invoked twice.

b1) If there is a virus in the mail, the filter can reject/drop the mail
once, before it has been resent at all. The total number of virus scans
per mail drops to "one", from once per resent copy.
b2) If there is no virus in the mail and the mail is resent _early_, the
mail is also checked multiple times, because it is checked once per resent
copy; and if I keep one class within the current instance of MIMEDefang, so
that it is not resent, the total number of virus scans per mail remains the same.

c) Being able to split the mail only when the filter needs to alter the
message decreases how often the mail is resent, e.g. in my case:

if($lcType !~ /^text\// && $lcType ne 'message/delivery-status') {
    # Now split the mail if necessary
    if(!defined($Class) && stream_by_class($RecipientClasses)) {
        return;
    }
    if($Class eq 'list') {
        # [snip]
    }
}
"$Class" is undef until stream_by_class is performed. There is no need to
split the mail if there is no non-text attachment.

d) I also split up the "categorization" and "resend" process; the
categorization of the recipients is performed early, but the separation
process on demand, see above. The categorization is used to control
full-message bounces when the mail is sent to recipients of mixed
categories, e.g.:

$RecipientClasses = categorise_recipients();

if(exists($SendmailMacros{'auth_authen'})) {
    $isFHSender = $isInfSender = 1;
} else {
    # [snip]
}

unless($isFHSender) {
    if(defined($RecipientClasses->{'list'})) {
        return action_bounce('You are not qualified for sending to a list.');
    }
}

So a mail to a mixed set of recipients is completely bounced if at least
one recipient class denies sending. This is what people expect here.

That aliases and forwards may break this setup is a known bug ;-), but it is
resolved by "organizational rules".



I also wonder if it is possible to keep certain information of resent
messages, e.g. in a DB_File; for instance to bypass the virus scan and use
the SpamAssassin values computed in the primary instance of MIMEDefang
already.

E.g. using "$Sender|$MSgID" as key, and a secondary instance looks up the
key for all mails that are sent by the localhost (127.0.0.1).

Then the primary instance could run all tests on the message, place the
values into the DB; and late in filter_end() one could actually split the
message in order to specifically alter the body according to the class of
the recipients.



I attach a cut-down filter, for reference. The skalog function simply
drops the arguments to syslog.

Bye,

-- 
Steffen Kaiser

mimedefang-filter_cut-down.gz
Description: Cut down mimedefang-filter

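A stream_by_class built from the pieces discussed in the post above, as an added example; it is not the filter attached to the post. Recipients are categorised first and the split is done only when a caller asks for it, one class stays in the current instance, and the others are resent via MIMEDefang's own resend_message() and delete_recipient(). The addresses and classification rules are constructed placeholders, and the stand-ins at the bottom replace the two MIMEDefang functions only when the file runs outside MIMEDefang.

```perl
#!/usr/bin/perl
# Added example, not the filter attached to the post. Runs stand-alone with
# stand-ins for resend_message()/delete_recipient(); inside MIMEDefang the
# real functions are used.
use strict;
use warnings;

# Classification rules: [regex, class]; first match wins, the rest are 'user'.
# Constructed placeholders for a site's own role addresses and lists.
my @ClassRules = (
    [ qr/^<?(postmaster|abuse|noc)\@/i,        'role' ],
    [ qr/^<?[^\@]+-list\@example\.invalid>?$/i, 'list' ],
);

# Map recipients to classes: { class => [ recipients... ] }. Addresses are
# kept unmodified so they can be handed back to resend_message() verbatim.
sub categorise_recipients {
    my ($rules, @recips) = @_;
    my %classes;
    RECIP: for my $r (@recips) {
        for my $rule (@$rules) {
            if ($r =~ $rule->[0]) {
                push @{ $classes{ $rule->[1] } }, $r;
                next RECIP;
            }
        }
        push @{ $classes{user} }, $r;
    }
    return \%classes;
}

# Split the current message by class. Unlike stream_by_domain, one class
# ($keep, default: the first in sorted order) stays in the current instance
# and only the other classes are resent as separate copies, so the current
# instance can never end up with every recipient deleted. Returns the class
# kept here, or undef when there was nothing to split.
# Caveat from the docs: delete_recipient() does not update @Recipients, so
# a caller must not rely on that array afterwards.
sub stream_by_class {
    my ($classes, $keep) = @_;
    my @names = sort keys %$classes;
    return undef if @names < 2;
    $keep = $names[0] unless defined $keep && exists $classes->{$keep};
    for my $name (@names) {
        next if $name eq $keep;
        my $recips = $classes->{$name};
        resend_message(@$recips);           # copy with this class only
        delete_recipient($_) for @$recips;  # drop them from this instance
    }
    return $keep;
}

# Stand-ins used only outside MIMEDefang; they record the calls instead.
our (@Resent, @Deleted);
unless (defined &resend_message) {
    *resend_message   = sub { push @Resent, [@_] };
    *delete_recipient = sub { push @Deleted, $_[0] };
}

# Constructed demo: a mixed set of recipients, the 'user' class stays here.
my @Recipients = ('<alice@example.invalid>', '<postmaster@example.invalid>',
                  '<dev-list@example.invalid>', '<bob@example.invalid>');
my $classes = categorise_recipients(\@ClassRules, @Recipients);
my $kept = stream_by_class($classes, 'user');
print "kept in this instance: $kept (@{ $classes->{$kept} })\n";
print "resent copy for: @$_\n" for @Resent;
print "deleted here: @Deleted\n";
```

Each resent copy arrives at the filter again with only its own class of recipients, so a second call to categorise_recipients() there yields a single class and stream_by_class() returns undef without splitting further.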

Re: [Mimedefang] Replace with URL

2004-03-11 Thread Steffen Kaiser
On Wed, 10 Mar 2004, Jon R. Kibler wrote:

Hello,

if I understand you correctly, you are using the replace_by_url function;
we do, too. But I have not got one complaint about encoded documents. The
main problem is that the MUA does not make the enclosed link clickable.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] F-Risk Fprotd -how to use?

2004-03-18 Thread Steffen Kaiser
On Thu, 18 Mar 2004, J.D. Bronson wrote:

> I have f-protd running and can talk to it, but the configure on mimedefang
> does not see this program eventhough it is installed in the default
> /usr/local/sbin ...

You have to enable the daemon variant manually:

$Features{'Virus:FPROTD'}   = 1;

Also make sure your daemon and MIMEDefang use the same ports:

$FprotdHost = "127.0.0.1:10200";

I do patch mimedefang.pl.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] F-Risk Fprotd -how to use?

2004-03-18 Thread Steffen Kaiser
On Thu, 18 Mar 2004, J.D. Bronson wrote:

> I have 1 question...does not f-protd change ports??

Yup. It's explained somewhere how and why; in general, as soon as the old
(currently running) daemon finds an updated image, it spawns the new one
and, when this one is up and running, terminates itself; for security
reasons, I think I remember. Because of this, the new one cannot bind to
the port, because the old daemon is still bound to it. However, the
documentation varies about how many ports are used by this mechanism: the
sample client script checks three ports, the documentation says "4", and
some resource summary lists 10200..10204 -- hence: five ports.

> Does MD then try any of those by default starting with the first one?

MD tries the ports in order 10200 .. 10204 till there is a valid response.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] F-Risk Fprotd -how to use?

2004-03-18 Thread Steffen Kaiser
On Thu, 18 Mar 2004, Chris Myers wrote:

Hello,

> It's actually not necessary to patch mimedefang.pl.  Just set the $Features
> and $FprotdHost variables in your filter.

Yes, and it wouldn't be necessary to have the command line tools
auto-detected and written into mimedefang.pl during configure.
This is an inconsistency among the configurable virus scanners.

Actually, I understand the virus scanner as part of the system environment
and not of the user-configurable filter, therefore I patch mimedefang.pl.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Notify recipient?

2004-03-24 Thread Steffen Kaiser
On Wed, 24 Mar 2004, Jobst Schmalenbach wrote:

>   action_notify_recipient($message)
>
> Now I wonder is there any reason for this?

How about:

drop_with_warning
    The part is deleted and a warning is added to the mail message.

replace_with_warning
    The part is deleted and instead replaced with a text message.

-and-

delete_recipient($recip)
    This function deletes $recip from the list of recipients. That person
    will not receive a copy of the mail. $recip should exactly match an
    entry in the @Recipients array for delete_recipient() to work. Note
    that delete_recipient does not modify the @Recipients array; it just
    makes a note to Sendmail to delete the recipient.


for any recipient in your domain.

Bye,

-- 
Steffen Kaiser



Re: [Mimedefang] SMTP Pipelining, and GREYLISTING

2004-03-26 Thread Steffen Kaiser
On Thu, 25 Mar 2004, Cormack, Ken wrote:

Hello Ken,

please forgive my ignorance, but what problem is this thread actually
about? And why is pipelining a problem with greylisting only?
This kicks in whenever the server (temp-) fails a recipient, but accepts
the SMTP dialogue in advance (aka pipelining).

What do I miss?

Actually, if you read the SMTP RFC, the client may always send the whole
message to your server, regardless of whether or not it received a negative
response; it's the duty of the server to act as a bitbucket in this case.

However, does this paragraph of RFC 2920:
  "Client SMTP implementations that employ pipelining MUST check ALL
   statuses associated with each command in a group. For example, if
   none of the RCPT TO recipient addresses were accepted the client must
   then check the response to the DATA command -- the client cannot
   assume that the DATA command will be rejected just because none of
   the RCPT TO commands worked.  If the DATA command was properly
   rejected the client SMTP can just issue RSET, but if the DATA command
   was accepted the client SMTP should send a single dot."

imply that the client has to wait for the response to DATA?

Bye,

-- 
Steffen Kaiser
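Editor's added example, not code from the thread or from MIMEDefang: a toy
model in Python of the RFC 2920 situation quoted above. A greylisting server
tempfails every RCPT TO it has not seen before, the client pipelines
MAIL/RCPT/DATA as one group, and the client-side helper inspects every reply
of the group before deciding what to do, which is what the quoted paragraph
requires. Server behaviour, reply texts and addresses are constructed for the
demo.

```python
# Added example: a toy model of an RFC 2920 pipelined command group arriving
# at a greylisting server. Not MIMEDefang code; addresses are made up.
from dataclasses import dataclass, field

GREYLIST_REPLY = "451 4.7.1 Greylisted, please retry later"


@dataclass
class GreylistServer:
    """Greylists every (sender, recipient) pair the first time it is seen."""
    seen: set = field(default_factory=set)
    sender: str = ""
    accepted: int = 0

    def reply(self, cmd: str) -> str:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            self.sender, self.accepted = arg.lower(), 0
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            key = (self.sender, arg.lower())
            if key in self.seen:
                self.accepted += 1
                return "250 2.1.5 Recipient ok"
            self.seen.add(key)
            return GREYLIST_REPLY
        if verb == "DATA":
            if self.accepted == 0:
                # No valid recipients: DATA itself is refused, and whatever
                # the client sends anyway has to be read and thrown away.
                return "503 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.1 Unrecognized command"

    def bitbucket(self, lines):
        """Consume a body sent after a rejected DATA; nothing is stored."""
        return sum(1 for _ in lines)


def pipelined_group(server: GreylistServer, commands):
    """The client writes MAIL, RCPT..., DATA in one go; the server answers
    each command in order, so the client gets one reply per command."""
    return [server.reply(c) for c in commands]


def client_decision(commands, replies):
    """RFC 2920: the client must look at ALL replies of the group.

    Returns (action, deferred_recipients): 'send-body' (DATA was accepted,
    send the message and the final dot), 'retry-later' (no recipient was
    accepted but at least one got a 4xx, keep the message queued) or 'rset'
    (only permanent failures)."""
    rcpt_cmds, rcpt_replies = commands[1:-1], replies[1:-1]
    deferred = [c.split(":", 1)[1] for c, r in zip(rcpt_cmds, rcpt_replies)
                if r.startswith("4")]
    if replies[-1].startswith("354"):
        return "send-body", deferred
    if deferred:
        return "retry-later", deferred
    return "rset", deferred
```

The second attempt with the same sender/recipient pair is let through, which
is the greylisting contract; a client that assumed DATA was rejected just
because every RCPT was, and disconnected without reading the DATA reply,
would behave correctly here only by accident.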


Re: [Mimedefang] search perl code perl-ldap to see if a user exist + how use bogofilter + problem clamav failed with testvirus.org ?

2004-04-05 Thread Steffen Kaiser
On Fri, 2 Apr 2004, jean-marc pouchoulon wrote:

> I'd also like to ask our ldap server with perl-ldap if a user exists
> before accepting mail. If someone did it

That's actually quite simple, but depends on your local setup.

I guess your users use unique account names, usually stored in the
"uid" attribute, hence you can do this:

use Net::LDAP;
use Net::LDAP::Entry;
use Net::LDAP::Util qw(escape_filter_value);   # escape untrusted input used in filters

# Setup some vars for easy adjusting
my $ldapBase = "dc=fh-bonn-rhein-sieg,dc=de";
my $ldapBaseGroups = "ou=groups,dc=fb02,$ldapBase";

my $ldap = Net::LDAP->new('localhost') or die "$@";
$ldap->bind;    # anon bind

# Returns the Net::LDAP::Entry for the account named $_[0], or undef.
sub getAccount ($) {
    # The name comes from the SMTP dialogue; escape it so a value like
    # "*)(uid=" cannot rewrite the search filter.
    my $name = escape_filter_value($_[0]);

    my $req = $ldap->search(  # perform a search
        base   => $ldapBase,
        filter => "(&(objectClass=posixAccount)(uid=$name))"
    );

    $req->code && die $req->error;

    if ($req->count > 1) {
        mylog("$_[0] matches more than one account");   # mylog(): the poster's logging helper
        return undef;
    }
    return undef if $req->count == 0;
    return $req->pop_entry;
}

The above function returns the Net::LDAP::Entry object for the user, or undef
on error (not found, or multiple entries found). On big problems
(connection to the server fails etc.) the function die's -> here you should
adjust to something more useful in the MIMEDefang filter.
Depending on your local setup you must adapt the "filter" in
ldap->search().

If all your users are located in the same scope, try openDN:

sub openDN ($;$) {
    my $myLdap = $_[1] || $ldap;

    my $mesg = $myLdap->search(base   => $_[0],
                               scope  => 'base',
                               filter => 'objectclass=*'
    );

    return undef if $mesg->code;

    die "Multiple search results fetching one item: " . $_[0] . "\n"
        if $mesg->count > 1;
    return $mesg->pop_entry;
}

The first parameter needs to be the fully qualified DN of the user. BTW:
The "die" in this function should never trigger, because unless your
server is broken, it can return one entry at maximum.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] New .mail domain designed to slow spam (fwd)

2004-04-19 Thread Steffen Kaiser
On Tue, 13 Apr 2004, [EMAIL PROTECTED] wrote:

>   What you think about this?

Hmm, what makes me nervous is this:

> The .mail signup process will be so time-consuming that it wouldn't be
> financially viable for spammers to use it, Matt said. And Spamhaus'
> experienced staff will be able to shut off any domain owner who
> misbehaves.

So we have another cash machine here.

I always wonder why PGP (or S/MIME) is never mentioned in this
connection. Those systems seem to re-invent the wheel again and again;
set up an easy to use certification hierarchy (say, the PGP key is signed by
the IANA/ICANN/XYZ-mail-approval key), the receiving MTA verifies that the
sender has an IANA-certified key. Done.

You can use the systems of today for this, no need to change anything (except
to use the security plugins etc. available).

Moreover, instead of "just" having a SPAM-free mail system, you can have
secure and/or encrypted mail delivery. Well, even today.

> "This isn't a plan to end spam," said Matt. "This will just help ensure
> sender authentication. But that doesn't sound as marketable."

Well, re-invent the wheel?

> "This won't stop people from spamming in .com and .net," Ambler said.
> "But it will only allow legitimate mailers to get into the .mail zone."

What about those viruses etc.? How are they filtered out in the .mail zone
after they took over a host on the "trustworthy .mail" network?

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Update to MIMEDefang Filter KAM

2004-04-19 Thread Steffen Kaiser
On Fri, 16 Apr 2004, Kevin A. McGrail wrote:

>   if ($io = $entity->open("r")) {
> while (defined($currentline = $io->getline)) {
>   if ($currentline =~ s/<(iframe|script|object)\b/ $badtag++;
>   }
>   $output .= $currentline;
> }
> $io->close;
>
> if ($badtag) {
>   if ($io = $entity->open("w")) {
> $io->print($output);
> $io->close;
>   }

I wonder:

a) You read the whole entity into memory, without a size check?

b) As you already have all the lines in memory, why don't you apply the
s// operation on $output once?

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Update to MIMEDefang Filter KAM

2004-04-21 Thread Steffen Kaiser
On Mon, 19 Apr 2004, Joseph Brennan wrote:

> b) Steffen, it sounds like you have a simpler way in mind to do the
> changes and know whether to do the open("w").  What is it?

Well, no; no "better" way. I've just checked out mimedefang.pl's
anomy_clean_html function, which uses perl's open() and is, therefore,
slurp'able. To stick to the MIME::Entity

Anyway, the IO::Handle used by MIME::Body is slurp'able, at least in my
simple sample:

use IO::Handle;

$fh = new IO::Handle;
if ($fh->fdopen(fileno(STDIN), "r")) {
   $line1 = <$fh>;      # one line, as usual
   undef $/;            # no input record separator: the next read slurps
   $lines = <$fh>;      # the rest of the stream in one go

   print "Line 1: $line1";
   print "=== remaining lines:\n" , $lines;
}

Using open("w") looks good to me, because you emit the whole message
within one call. -- One might try using:

  ### Create a body which stores data in an in-core array:
  $body = new MIME::Body::InCore \@lines;

or similar; however, this keeps everything in the local memory of the
slave, and probably some other part of MIMEDefang assumes that the body is
located on disk - and this is a RAMdisk most of the time, I guess.

Bye,

-- 
Steffen Kaiser
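Editor's added example, in Python rather than the filter's Perl, covering the
two points raised in this thread: the size check asked for in (a) and the
single substitution over the whole part from (b), plus the line-iterator form
that matches reading from $entity->open("r"). The tag set (iframe, script,
object) is the one in the quoted filter; the 1 MiB limit and the "&lt;"
replacement are assumptions of this example, not the KAM filter's behaviour.

```python
# Added example, not the KAM filter: one-pass neutralisation of active
# content tags in an HTML part, with a size cap instead of unbounded slurping.
import re

MAX_PART_BYTES = 1 << 20  # assumption: parts above 1 MiB are not rewritten

# Same tag set as the quoted filter; opening and closing forms, any case.
ACTIVE_TAG = re.compile(r"<(/?)(iframe|script|object)\b", re.IGNORECASE)


def defang_active_tags(html: str, max_bytes: int = MAX_PART_BYTES):
    """Neutralise active-content tags in one pass over the whole part.

    Returns (new_html, count). count == 0 means the part is unchanged, so the
    caller can skip the open("w") rewrite. Parts above max_bytes raise
    instead of being held in memory, which is the size check from point (a)."""
    size = len(html.encode("utf-8", "surrogatepass"))
    if size > max_bytes:
        raise ValueError(f"part is {size} bytes, limit {max_bytes}; not rewriting")
    # Replace the '<' with its entity: the tag becomes visible text and the
    # browser never creates a script/iframe/object element for it.
    return ACTIVE_TAG.subn(lambda m: f"&lt;{m.group(1)}{m.group(2)}", html)


def defang_stream(lines, max_bytes: int = MAX_PART_BYTES):
    """Same for a line iterator (what $entity->open('r') hands out): keep a
    running byte count while accumulating, then substitute once (point b)."""
    buf, size = [], 0
    for line in lines:
        size += len(line.encode("utf-8", "surrogatepass"))
        if size > max_bytes:
            raise ValueError("part exceeds size limit; not rewriting")
        buf.append(line)
    return defang_active_tags("".join(buf), max_bytes)
```

A regex rewrite like this is a defanging measure, not a parser: it only
stops the browser from instantiating those three elements and does nothing
about event handlers or other active constructs in tags it does not know.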


Re: [Mimedefang] feature request for md-mx-ctrl reread

2004-05-12 Thread Steffen Kaiser
On Wed, 12 May 2004, Kevin A. McGrail wrote:

> Have a 'md-mx-ctrl reread' run a mimedefang --test on the subfilter
> currently being used to abort a reread if it doesn't pass syntax.

This won't be safe anyway, because it may happen that at the same time
you've edited the filter in place, a slave is started anew and reads your
modified filter even without "reread".

Bye,

-- 
Steffen Kaiser
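Editor's added example (not from the thread): the race described above goes
away if the filter is never edited in place. Write the new version to a
temporary file in the same directory, validate that copy, and rename it over
the live file; rename is atomic on POSIX, so a slave starting at any moment
sees either the complete old filter or the complete new one. The validator is
passed in as a callable; in production it would be the syntax test Kevin
mentions, here a trivial content check for the demo.

```python
# Added example: validate-then-rename installation of a filter file, so no
# reader can ever observe a half-written copy. Not MIMEDefang code.
import os
import tempfile


def install_atomically(dst: str, content: bytes, validate) -> None:
    """Write content to a temp file next to dst, run validate(tmp_path) on
    it, then rename it over dst.

    rename()/os.replace() is atomic on POSIX filesystems, so any process
    opening dst sees the old or the new file in full. If validation fails
    (or anything raises), dst is left untouched and the temp file removed."""
    directory = os.path.dirname(os.path.abspath(dst))
    fd, tmp = tempfile.mkstemp(prefix=".filter-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())  # on disk before the rename makes it visible
        if not validate(tmp):
            raise ValueError("new filter failed validation; live copy unchanged")
        os.replace(tmp, dst)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def contains_filter_end(path: str) -> bool:
    """Stand-in validator for the demo (assumption): a real deployment would
    run the filter through the interpreter's syntax check here."""
    with open(path, "rb") as f:
        return b"sub filter_end" in f.read()
```

The temp file must live in the same directory as the target: rename across
filesystems is not atomic and falls back to a copy.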


Re: [Mimedefang] Saving Headers for report

2004-05-10 Thread Steffen Kaiser
On Mon, 10 May 2004, Jerome Tytgat wrote:

>   my $logf = "$logd/${MsgID}-Report-" . localtime() . ".txt";

I added localtime() only for internal purposes; the MsgID should be
sufficient for most purposes, hence you could avoid this function.

> print LOG $report;

Actually, this is my report assembled for the message during the
filter_begin()..._end() triplet; it is more or less this:

$report = "Status report " . $_[0] . ":\n\n" . Data::Dumper->Dump( [
        ## my values
        \@ska_SpamValues,
        $isFHSender,
        $isInfSender,
        $oneRcptIsList,
        $oneRcptIsMe,
        $lcSender,

        # message stuff
        $Helo,
        $Sender,
        $Subject,
        $Domain,
        $MessageID,
        $QueueID,
        $MsgID,
        $RelayAddr,
        $WasResent,
        $RelayHostname,
        $RealRelayAddr,
        $RealRelayHostname,
        $SuspiciousCharsInHeaders,
        $SuspiciousCharsInBody,
        ...
    ] , [ qw(
        *ska_SpamValues
        isFHSender
        isInfSender
        oneRcptIsList
        oneRcptIsMe
        lcSender
        Helo
        Sender
        Subject
        Domain
        MessageID
        QueueID
        MsgID
        RelayAddr
        WasResent
        RelayHostname
        RealRelayAddr
        RealRelayHostname
        SuspiciousCharsInHeaders
        SuspiciousCharsInBody
        ...
    )]);

$report .= "Sender authentification: by relay\n";
$report .= "Skipping SpamAssassin: too large\n";

a.s.o. You get the idea.

The Data::Dumper module formats nicely, as known from the "x" command of
the perl debugger. However, some of the values still contain "left-overs"
from previous usages of the same slave, as the variables are not undef'ed
by default. Esp. while debugging new changes I do a full log of all
MIMEDefang variables.

Bye,

-- 
Steffen Kaiser


RE: [Mimedefang] Semi OT: Best configuration for two servers to handle > 20,000msgs/day

2004-05-05 Thread Steffen Kaiser
> >1) New server becomes primary MX, has sendmail, mimedefang,
> > spamassassin, and uvscan.  Any incoming email gets scanned by new

Just hit my eye:

Is this the command-line "uvscan" or some daemon-based one?

I ran the command-line uvscan with terrible results myself for a while.
Maybe this is your performance problem.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] mimedefang on debian

2004-05-05 Thread Steffen Kaiser
On Wed, 5 May 2004, Patrick Morris wrote:

> Been using MIMEDefang on Debian for years now with no issues.  If it's
> a production server, I'd recommend the Stable Debian release.
>
> Andrew Jayes wrote:
> >debian drivers. My question, will it be much harder to install
> >mimedefang on to the debian OS? And if not which release should I use.

I've installed the MIMEDefang tarball with no issues on Debian Woody (current
stable) as well. It has been in production for approx. one year.
However, I switched to using my own perl environment (/usr/local/perl),
because you have to re-install modules you've installed via CPAN (or
manually) after an update of the Debian package of the perl modules.
It also has the advantage that Woody ships perl v5.6, but I'd like to use
the Encode module from v5.8.

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Saving Headers for report

2004-05-06 Thread Steffen Kaiser
On Thu, 6 May 2004, Jerome Tytgat wrote:

> Is there a possibility, with mimedefang, to automatically save
> only the headers (I don't want the full mail, as forwarding virus
> is not a good idea) to a folder using for name the reference number
> of the mail (also found in MDLOG entries) for easy linking.

I do it like so in filter_end():

my $logd = $Features{'Path:QUARANTINEDIR'} . "/maillog";
if (-d $logd) {
    my $logf = "$logd/${MsgID}-Report-" . localtime() . ".txt";
    if (open(LOG, ">$logf")) {
        print LOG $report;
        # HEADERS is the copy of the headers MIMEDefang leaves in the
        # working directory of the current message
        if (open(H, 'HEADERS')) {
            print LOG "\nHeaders:\n" . join('', <H>);
            close H;
        } else {
            print LOG "\nFailed to open headers: $!\n";
        }
        close LOG;
    } else {
        skalog "\nFailed to create logfile: $logf: $!\n";   # skalog: my own logging helper
    }
} else {
    skalog "No maillog dir: $logd";
}

Bye,

-- 
Steffen Kaiser


Re: [Mimedefang] Saving Headers for report

2004-05-10 Thread Steffen Kaiser
On Mon, 10 May 2004, Jerome Tytgat wrote:

Hello,

> But I lack the last Received: line.
 

What do you expect as "last" line?

The filter is parsing the message right when it comes in, before it got
manipulated by the local sendmail or any Milter (incl. MIMEDefang).

Bye,

-- 
Steffen Kaiser


[Mimedefang] Learning about to preserve information when relaying

2004-06-08 Thread Steffen Kaiser
Hello,
I'm merely trying to verify that a particular message has already been
scanned by a trusted mailserver, so I can rely on the correctness of
certain header information, e.g. Spam status and absence of scannable
viruses.

My base is this:
http://lists.roaringpenguin.com/pipermail/mimedefang/2003-February/013267.html
and, of course, the man page.
So, I guess the security here is:
1) Because the key (a random value) is used by a particular host, I trust
it.
2) The host would, if it sends me mail, either add such a header anew or
overwrite an existing one; or remove the header altogether.
3) When spooling the message, the header is removed.

"The key should be kept confidential, but it's not disastrous if it leaks
out." That's because an outsider cannot slipstream the correct header,
because:

either the outsider cannot use the same IP as my trusted hosts or, if
the mail gets relayed through one of the trusted ones, the key gets
deleted or overwritten by the trusted host.

Did I understand it correctly??
A more "correct" (robust / secure) method would be to use certificates
when communicating between trusted hosts, right?

Bye,
--
Steffen Kaiser
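Editor's added example of the check described in the message above, in
Python (not MIMEDefang code and not the implementation from the linked 2003
post). The header name, trusted relay address and key are assumptions. It
enforces both halves of the argument: the connecting relay must be trusted
AND the header value must be valid, and every copy of the header is stripped
from the returned list so nothing is ever forwarded. Instead of a bare random
value it uses an HMAC over the Message-ID, so a header copied from one
message cannot be replayed on another; certificates between the hosts would
be the step beyond a shared key.

```python
# Added example: trust upstream scan results only from a trusted relay that
# presents a valid per-message tag; strip the tag whatever happens.
import hashlib
import hmac
import ipaddress

# Assumptions for the demo (none of these values come from the thread):
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.10/32")]   # our other scanning host
SCAN_HEADER = "X-Scanned-By-Trusted"                        # made-up header name
SHARED_KEY = b"replace-with-32-random-bytes"                # the "random value"


def scan_tag(key: bytes, message_id: str) -> str:
    """Value the trusted host puts into the header: an HMAC over the
    Message-ID. A tag lifted from one message is useless on another, which a
    plain shared random value would not guarantee once it leaked."""
    return hmac.new(key, message_id.encode(), hashlib.sha256).hexdigest()


def trusted_scan_status(relay_ip: str, headers, message_id: str,
                        key: bytes = SHARED_KEY):
    """Decide whether upstream scan results (Spam status etc.) may be trusted.

    headers: list of (name, value) as received. Returns (trusted, headers)
    where the returned list has every SCAN_HEADER removed, so the tag is
    never spooled or forwarded and an outsider can never smuggle one
    through us. Both conditions must hold: trusted relay AND valid tag."""
    ip = ipaddress.ip_address(relay_ip)
    tags = [v.strip() for n, v in headers if n.lower() == SCAN_HEADER.lower()]
    cleaned = [(n, v) for n, v in headers if n.lower() != SCAN_HEADER.lower()]
    relay_ok = any(ip in net for net in TRUSTED_RELAYS)
    expected = scan_tag(key, message_id)
    tag_ok = any(hmac.compare_digest(t, expected) for t in tags)
    return (relay_ok and tag_ok), cleaned
```

Note that the relay check uses the address of the host that connected to
us, not anything from the headers; that is what makes a leaked key
"not disastrous" in the quoted sentence.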


Re: [Mimedefang] graphdefang on remote server

2004-06-16 Thread Steffen Kaiser
On Tue, 15 Jun 2004, Chris Gauch wrote:
> So, my question is, is there a way to have graphdefang process a maillog
> remotely so that my MIMEDefang server isn't brought to its knees even

If you don't like to have syslog forward the messages to another server, 
how about rsync'ing the log file from the mail relay to the log generator, 
just before you call graphdefang?

Bye,
--
Steffen Kaiser


Re: [Mimedefang] [ot] spamassassin config error with bayes

2004-06-21 Thread Steffen Kaiser
On Fri, 18 Jun 2004, Rolf Loudon wrote:
> thought I've poisoned the bayes data, so I deleted it hoping that it would
> start again and go through the re-learning again. But it has not created any
> files at all in the path (bayes_path) that I set.

When no files are created and no error is issued anywhere, I suppose you
deactivated bayes, e.g. check the settings of

bayes_auto_learn
and
use_bayes

Alternatively, try the sa-learn tool, e.g.

su defang $(which sa-learn) --spam|--ham file|folder

at least you will see whether MIMEDefang/SpamAssassin would be able to create
the bayes database. (Sorting out permission problems etc.)

Bye,
--
Steffen Kaiser


Re: [Mimedefang] Backup virusscanner

2004-06-21 Thread Steffen Kaiser
On Fri, 18 Jun 2004, Didi Rieder wrote:
> I know that MIMEDefang supports multiple virusscanners and one can use several
> of them simultaneously. But is it also possible to run one virusscanner as
> the main scanner and only try other scanners if the main scanner fails to run.
>
> e.g.
> if clamd dies, do not TMPFAIL immediately but try first to run clamscan or
> uvscan or others

Code your own message/entity_contains_virus function to call the
appropriate entity_contains_virus_clamd (a.s.o.) function directly.

E.g.: This was the function before it went into mimedefang.pl:

sub message_contains_virus () {
    return message_contains_virus_avp()          if ($Features{'Virus:AVP'});
    return message_contains_virus_fprot()        if ($Features{'Virus:FPROT'});
    return message_contains_virus_fsav()         if ($Features{'Virus:FSAV'});
    return message_contains_virus_hbedv()        if ($Features{'Virus:HBEDV'});
    return message_contains_virus_nai()          if ($Features{'Virus:NAI'});
    return message_contains_virus_nvcc()         if ($Features{'Virus:NVCC'});
    return message_contains_virus_rav()          if ($Features{'Virus:RAV'});
    return message_contains_virus_sophie()       if ($Features{'Virus:SOPHIE'});
    return message_contains_virus_trophie()      if ($Features{'Virus:TROPHIE'});
    return message_contains_virus_sophos()       if ($Features{'Virus:SOPHOS'});
    return message_contains_virus_trend()        if ($Features{'Virus:TREND'});
    return message_contains_virus_filescan()     if ($Features{'Virus:FileScan'});
    return message_contains_virus_clamd()        if ($Features{'Virus:CLAMD'});
    return message_contains_virus_clamav()       if ($Features{'Virus:CLAMAV'});
    return message_contains_virus_carrier_scan() if ($Features{'Virus:SymantecCSS'});
    return (wantarray ? (0, 'ok', 'ok') : 0);
}

So you could move the _clamd() check first, but instead of returning
immediately, check its return value and proceed with the next scanner if
it returns with TEMPFAIL.

Bye,
--
Steffen Kaiser
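Editor's added example of the fall-through sketched above, in Python (the
scanners are constructed stand-ins, not the real clamd/clamscan/uvscan
wrappers from mimedefang.pl). The (code, category, action) triple follows the
Perl above; treating action 'tempfail' or an exception as "this scanner could
not answer" is this example's assumption. The part that matters is the last
return: if no scanner answers, the result is still tempfail, so mail is never
delivered unscanned just because the primary scanner was down.

```python
# Added example: ordered scanner chain that falls through only when a
# scanner cannot answer, and fails closed when none can.
TEMPFAIL = "tempfail"


def scan_with_fallback(scanners, data: bytes):
    """Run scanners in order; move on only when a scanner cannot answer.

    scanners: ordered list of (name, fn); fn(data) returns (code, category,
    action) in the shape of the quoted Perl: code 0 = clean, 1 = virus.
    Assumption: a scanner that cannot run signals it with action 'tempfail'
    or by raising. A verdict (clean or virus) from the first scanner that
    answers ends the chain. If nobody answers we return tempfail ourselves.
    Returns (code, category, action, errors)."""
    errors = []
    for name, fn in scanners:
        try:
            code, category, action = fn(data)
        except Exception as exc:  # socket refused, timeout, missing binary
            errors.append(f"{name}: {exc}")
            continue
        if action == TEMPFAIL:
            errors.append(f"{name}: {category}")
            continue
        return code, category, action, errors
    # Fail closed: nothing scanned this message, so do not deliver it.
    return -1, "unscanned", TEMPFAIL, errors


# Constructed stand-ins for the demo (not the real scanner wrappers):
MARKER = b"FAKE-MALWARE-MARKER"   # made-up signature, not a real pattern


def clamd_down(data):
    raise ConnectionRefusedError("clamd socket")


def clamd_busy(data):
    return -1, "clamd overloaded", TEMPFAIL


def clamscan(data):
    return (1, "virus", "quarantine") if MARKER in data else (0, "ok", "ok")


def uvscan(data):
    return 0, "ok", "ok"
```

The errors list is what you would want in the log: a chain that silently
falls back to a weaker scanner hides the outage you most need to know about.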


Re: [Mimedefang] Still problems with bayes...

2004-06-21 Thread Steffen Kaiser
On Sun, 20 Jun 2004, Ashley M. Kirchner wrote:
> bayes_path  /var/spool/MD-Quarantine/bayes/bayes
>
> bayes files, and fed it a new spam and ham content.  All the files in
> /var/spool/MD-Quarantine/bayes/ are owned by defang.defang.  What else am I

Is the path itself owned by defang? SpamAssassin needs to create one or so
lock files.

BTW: perldoc Mail::SpamAssassin::Conf
   bayes_auto_learn ( 0 | 1 )  (default: 1)
       Whether SpamAssassin should automatically feed high-scoring mails
       (or low-scoring mails, for non-spam) into its learning systems.
       The only learning system supported currently is a
       naive-Bayesian-style classifier.

Maybe this is deactivated in your config?
Bye,
--
Steffen Kaiser


Re: [Mimedefang] blocking | and bad syntax in "from" address

2004-06-21 Thread Steffen Kaiser
On Fri, 18 Jun 2004, Joe Arnstein wrote:
> Do any of the rfc's say this is improper syntax or forbidden characters?
> Should I block this?  Can I block it? And if so can someone recommend a

Well, although they are very unlikely, the RFC forbids almost no
character in the local part of an email address.

Bye,
--
Steffen Kaiser
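Editor's added example, not from the thread: what "forbids almost no
character" looks like in code. RFC 2822's atext includes "|", so foo|bar is a
perfectly valid dot-atom local part, and a quoted-string local part may carry
nearly anything else, including spaces and a second "@". The danger with a
"|" is therefore never the address syntax but what a downstream component
(an alias file, a program delivery) does with it. The domain rule (two or
more LDH labels) is this example's simplification.

```python
# Added example: RFC 2822 addr-spec local-part classifier (obsolete syntax
# and comments/CFWS deliberately left out).
import re

# atext: everything printable except the specials ( ) < > [ ] : ; @ \ , . "
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_ATOM = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
# quoted-string: DQUOTE *(qtext / quoted-pair / WSP) DQUOTE
QUOTED_STRING = re.compile(r'^"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"$')
# domain labels: letters, digits, hyphen, no leading/trailing hyphen, <= 63 chars
DOMAIN_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def local_part_kind(local: str):
    """'dot-atom', 'quoted-string', or None when the local part is not valid
    addr-spec syntax. RFC 2821 caps the local part at 64 octets."""
    if not local or len(local.encode()) > 64:
        return None
    if DOT_ATOM.match(local):
        return "dot-atom"
    if QUOTED_STRING.match(local):
        return "quoted-string"
    return None


def addr_spec_valid(addr: str) -> bool:
    """Split on the LAST '@', because a quoted local part may contain '@'.
    The domain must have at least two valid labels (this example's rule)."""
    local, at, domain = addr.rpartition("@")
    if not at or local_part_kind(local) is None:
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(DOMAIN_LABEL.match(lbl) for lbl in labels)
```

If you do want to refuse "|" in local parts, do it as a local policy in the
filter and say so in the rejection text; do not claim the RFC as the reason.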


[Mimedefang] Out of memory problem and missing attachments

2004-06-24 Thread Steffen Kaiser
Hello,
lately I discovered the rules_du_jour script and configured it to
download (and install) some SpamAssassin config files.
That bumped my normal MIMEDefang process from 30MB to about 60MB
process image size and, when it scanned the first mail, it easily
reaches 85MB. That broke my memory limits (-M option of the multiplexor).

I had plenty of:
mimedefang-multiplexor[17235]: Slave 7 stderr: Out of memory!
mimedefang-multiplexor[17235]: Slave 7 ran out of memory -- possible DoS attack due to
complex MIME?
Currently the normal size of a slave is 110MB (85MB resident).
At the same time I experienced a lot of complaints that attachments were
lost during transmission (esp. local only); the log file shows that
MIMEDefang did find the attachments and scanned them for viruses, but did
not remove them.

Could it be that, because a slave died unexpectedly, the attachments got
removed and lost?? Actually, it does not occur every time or to or from
the same senders/recipients, nor when the same pair mails among them; it
seems to occur randomly.

Bonus question: How much does the normal MIMEDefang process consume? Am I
using extraordinarily large SpamAssassin rules?

Bye,
--
Steffen Kaiser


Re: [Mimedefang] Out of memory problem and missing attachments

2004-06-25 Thread Steffen Kaiser
On Thu, 24 Jun 2004, Jonas Eckerman wrote:
> If you're using all the rules from the rulesemporium, then yes.
> To get the size down I would suggest using SURBLs (www.surbl.org) instead of "bigevil.cf" and "blacklist-uri.cf".

That dropped the image by approx. 15MB.

> Also consider not using "blacklist.cf" (a 1MB file of regular expressions...).

Doh! This one costs about 40MB!!
Thanks,
--
Steffen Kaiser


Re: [Mimedefang] Sender validation

2004-06-25 Thread Steffen Kaiser
On Thu, 24 Jun 2004, Kelson Vibber wrote:
> The logic is more along the lines of:
> - Sender claims to be [EMAIL PROTECTED]
> - Look up MX records for speed.net
> - Connect to mail.speed.net and see if it accepts mail for [EMAIL PROTECTED]
> - From "User unknown" error, conclude that the sender is invalid and reject
> the message
>
> In the old days, it might have been done using VRFY, but so many sites have
> disabled it to throw a roadblock in front of dictionary attacks.

Wouldn't you qualify as an address harvester to some IDSes, because you
just connect to the server, issue the RCPT TO, then drop the connection?
(I suppose you use "MAIL FROM: <>" ;-)

Anyway, what about mail servers that always accept RCPTs and fail the
connection during the DATA phase only? Or when it tempfails you? Or when
no connection is possible?

This method was discussed several times on this list and I got the
impression that it was found unreliable and good within the local
organization only.

Bye,
--
Steffen Kaiser


RE: [Mimedefang] Greylisting code, now with mysql Backend

2004-06-30 Thread Steffen Kaiser
On Wed, 30 Jun 2004, Paul Murphy wrote:
> Running a test script which does nothing but add one record and exit works OK,
> even if the script is called several thousand times in a loop, though I have yet

We have some serious problems with BerkeleyDB on Debian in conjunction with
OpenLDAP's slapd. We have to issue a db_recover every two days or so. I'm
not sure, however, if the two have anything to do with each other.

Bye,
--
Steffen Kaiser


Re: [Mimedefang] email forwarding and subject line capture...

2004-07-02 Thread Steffen Kaiser
On Thu, 1 Jul 2004, [EMAIL PROTECTED] wrote:
> The first one is to capture the subject line (first 25 chars) of emails
> that get tagged as spam - will write it out with md_syslog.  I tried this
> before and sort of got it to work, I was only able to capture the subject
> of "some" emails, other came in blank even though there was a known
> subject.

Maybe the lines are MIME encoded? Look at MIME::WordDecoder, for instance.

> The second is a little more complicated. When email is tagged as spam, I
> still want to do an action_bounce, but I also want to deliver an untouched
> copy of the email to another address exempt from spam filter. So I would

Hmm, searching the archives for "spamtrap" should get plenty of hits.
The resend_message() function does exactly what you want.
Bye,
--
Steffen Kaiser


Re: [Mimedefang] Problems with filter for graphdefang

2004-07-06 Thread Steffen Kaiser
On Tue, 6 Jul 2004, Martin Ferguson wrote:
> md_graphdefang_log('mail_sales_filing',,$RelayAddr);
> However if there are multiple recipients, one line with the
> 'mail_sales_filing' tag is added to the log for each of the recipients. This
> is obviously not what I'm after.

Compare man mimedefang-filter(5):
"If a message has more than one recipient, md_graphdefang_log may
log an event message for each recipient, depending on how you
called md_graphdefang_log_enable."

Why not use your own database or logfile for this, or use md_syslog()?
If you disable logging multiple lines per message, you may break other
scanners of the log.

Bye,
--
Steffen Kaiser


[Mimedefang] Validating sender domain opinion

2004-07-08 Thread Steffen Kaiser
Hello,
there has been talk on the list about placing 127.** or some other private
address as a tarpit MX record with least precedence.

What about a DNS configuration with an invalid private MX as the first one?
I just tested a sender validation by grabbing all MX records and checking
if the first one is an external address; doing so I found this domain:

; <<>> DiG 9.2.4rc5 <<>> -t mx mox.de.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29441
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;mox.de.                        IN      MX

;; ANSWER SECTION:
mox.de.                 252     IN      MX      30 mail.portunity.de.
mox.de.                 252     IN      MX      10 192.168.100.251.
mox.de.                 252     IN      MX      20 mail.mox.de.

These are not spammers, BTW.
I would consider such a setup invalid, and my code would have rejected the
mail if it were enabled. -- I mean, why do they try to deliver mail to one
of my hosts? Private addresses are "my hosts", aren't they?
I intentionally ignore the fact here that they point to a numerical
address rather than a symbolic host.

What do you think?
Bye,
--
Steffen Kaiser


Re: [Mimedefang] Globals

2004-07-09 Thread Steffen Kaiser
On Thu, 8 Jul 2004, Rich West wrote:
Hmm, I'd populate a global variable when the slave starts or in
filter_initialize. I do so, anyway.

> sub is_list
> {
>  $listname = (split("\@", $listname))[0];
>  $listname = (split("\<", $listname))[1];

Angle brackets are not mandatory.

>   foreach $list (@lists)
>  {
> chop($list);
> return 1 if ($list =~ /^$listname/i);

^ here you check only if the recipient begins with the name of a list.

>  }
>  return 0;
> }

BTW: How about preparing the name cache a bit more in order to avoid the
foreach loop each time you look up a name, e.g.

1) use a hash:
   %mailists = ( 'list1' => 1
               , 'list2' => 1, ... );
   Then you can simply do:  return $mailists{lc($listname)}

2) or use a large string: $mailists = '@list1@list2@list3@';
   then do: return index($mailists, '@' . lc($listname) . '@') >= 0;
   (Because '@' is never part of listname, it's safe.)
Bye,
--
Steffen Kaiser


Re: [Mimedefang] Validating sender domain opinion

2004-07-12 Thread Steffen Kaiser
On Fri, 9 Jul 2004, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote on 07/08/2004 09:37:16 AM:
> > What about a DNS configuration with an invalid private MX as first one?
>
> They are probably lazy and do not have split DNS servers, or separate ones
> for internal vs external resolution.  The external ones are filters, and

Yep, it seems to be some problem like that. Their hoster mailed the reply
to me(???) that this setup was the "cheapest" one and that it had been
agreed between them and me(??). ;)

> If you want to block it, you could, but would your users like that?  Do
> you feel like teaching the mail admin at mox.de how to fix their mail
> and/or DNS system?

I just tested how much it would block when I sanity-check the sender
domain in filter_sender(), by:

1. requesting the 1st MX RRs;
2. requesting all A RRs of the result of 1., or of the given domain
   alternatively;
3. checking that no "forbidden address" (127.*, 0.*, 192.168.* etc. pp.)
   is among the IPs.

Instead of teaching somebody something, I tried to find hosts, like
localhost.com, that evaluate to 127.0.0.1 and cause those "local
configuration error" notifications to be sent to me. (I don't open a
connection to the server to verify its existence, just request the DNS
information.) The results are not too promising, but do indicate that I'm
to install some filter rules on the server to block access to some
internal networks.

Bye,
--
Steffen Kaiser
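Editor's added example of the three-step check described above, in Python,
which also reproduces the mox.de MX set from the earlier "Validating sender
domain opinion" message. DNS is replaced by constructed lookup tables (the
mox.de MX records are as in the dig output; every A record and the other
domains are made up), and the forbidden list is the one from the message
plus the remaining RFC 1918, loopback, link-local and multicast ranges. It
handles the two cases that matter here: an MX whose target is an address
literal, and a domain with no MX at all (implicit MX, which is how a
localhost.com-style host ends up at 127.0.0.1). Not MIMEDefang code.

```python
# Added example: sanity-check the sender domain's lowest-preference MX
# against addresses that can never be a legitimate external mail exchanger.
import ipaddress

# Ranges the message calls forbidden (127.*, 0.*, 192.168.* etc.), plus the
# other RFC 1918, link-local, multicast and IPv6 equivalents.
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed resolver data (no real DNS). mox.de mirrors the dig output in
# the thread; all A records and the other names are made up.
FAKE_MX = {
    "mox.de.": [(30, "mail.portunity.de."), (10, "192.168.100.251."), (20, "mail.mox.de.")],
    "example.net.": [(10, "mx.example.net.")],
    "localhost.example.": [],            # no MX: implicit MX is the A record
}
FAKE_A = {
    "mail.mox.de.": ["203.0.113.5"],
    "mail.portunity.de.": ["203.0.113.9"],
    "mx.example.net.": ["198.51.100.7"],
    "localhost.example.": ["127.0.0.1"],
}


def lookup_mx(name):
    return FAKE_MX.get(name, [])


def lookup_a(name):
    return FAKE_A.get(name, [])


def forbidden(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in FORBIDDEN_NETS)


def first_mx_addresses(domain, mx_lookup=lookup_mx, a_lookup=lookup_a):
    """Steps 1 and 2: addresses of the lowest-preference MX host(s), or of
    the domain itself when there is no MX (RFC 2821 implicit MX). An MX
    target that is an address literal, as in the mox.de record, is used
    directly instead of being resolved."""
    name = domain if domain.endswith(".") else domain + "."
    records = mx_lookup(name)
    if records:
        best = min(pref for pref, _ in records)
        targets = [host for pref, host in records if pref == best]
    else:
        targets = [name]
    addrs = []
    for host in targets:
        try:
            addrs.append(str(ipaddress.ip_address(host.rstrip("."))))
        except ValueError:
            addrs.extend(a_lookup(host))
    return addrs


def sender_domain_sane(domain, mx_lookup=lookup_mx, a_lookup=lookup_a):
    """Step 3. Returns (sane, offending_addresses). A domain that resolves to
    nothing at all is not sane either: a bounce could never reach it."""
    addrs = first_mx_addresses(domain, mx_lookup, a_lookup)
    bad = [a for a in addrs if forbidden(a)]
    return (bool(addrs) and not bad), bad
```

Whether to reject on this is policy; the mox.de case shows a legitimate
sender failing it, so a tempfail with an explanatory text is the gentler
choice while the domain owner fixes the record.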


[Mimedefang] taking too long to exit; sending SIGTERM

2004-07-19 Thread Steffen Kaiser
Hello,
recently, I see lots of these:
Jul 19 07:15:09 ux-2s11 mimedefang-multiplexor[11157]: Killing idle slave 
4 (pid 11541): Idle timeout
Jul 19 07:15:19 ux-2s11 mimedefang-multiplexor[11157]: Slave 4 (pid 11541) 
taking too long to exit; sending SIGTERM

In the same second the Reap'ed log line appears.
It also happens when the slave is killed because it processed the max.
number of requests.

Possibly a dumb question, but is this bad? Can I increase the 10s delay?
Bye,
--
Steffen Kaiser


Re: [Mimedefang] validating mail was sent from your domain on bounce back messages

2004-07-21 Thread Steffen Kaiser
On Tue, 20 Jul 2004, Lucas Albers wrote:
Hello,
because there are so many different kinds of "bounce" notifications, I
suppose you have bad luck with a particular header check.

You also cannot ensure that the server generating a valid bounce message
can be determined from the mail address.

Maybe you can track which user sends mail to whom, and try to determine
the failed recipient from the bounce notification and match this against
the database. But, well, there will be problems there, too; e.g. we have a
partner that's using Lotus Notes internally, and the bounce messages
contain the _Notes_ id rather than the EMail address.

Bye,
--
Steffen Kaiser


RE: [Mimedefang] Deadline for SPF records

2004-08-09 Thread Steffen Kaiser
On Thu, 5 Aug 2004, Joseph Brennan wrote:
> > What is recommended for things like "send this page to a friend", where
> > the initiator wants to be able to have a remote machine send on his
> > behalf despite an SPF to the contrary?  MAIL FROM: <> From:?  From: <>
> > Sender:?  From: <> Reply-To:?
>
> The SPF advocates say all such systems must use an envelope sender
> with their own domain in it.  The header From: can still show
> what human sent it.  While this sounds like the right thing to do,
> I wonder how fast it can really be implemented and what pain will
> be caused in the meantime.

I wonder what the impact of SPF really is, because:

On Thu, 5 Aug 2004, Damrose, Mark wrote:

> From http://spf.pobox.com/faq.html#allsmtp

Reading this doc, I'm starting to wonder:

1) it breaks mail forwarding.
http://spf.pobox.com/faq.html#forwarding
All forwarding/aliasing becomes resending?!
We have plenty of "forward-only"  accounts that do not have a local
account. Who is the sender of such a virtual account -> I will receive all
the DSNs then?!! Arrgh.

2) it does not protect the From:
http://spf.pobox.com/faq.html#whichfield
Actually for many concerns of mine this is exactly what I want (that the
From: header is set by the user as s/he wishes).
But I cannot see how I set up a MUA to use this From: header and that
envelope sender. Does somebody have some pointer to information about this
topic?
Consider the following scenario:
You know the large Call Centers around that get phoned for support by
customers of many different companies.
Move that over to email support.
Consider an email support center named "support.com" for companies
"companyA.com", "companyB.com" a.s.o.
If I understand SPF correctly, the mails sent by the support center must use
the envelope address "[EMAIL PROTECTED]", but the recipients must see
"[EMAIL PROTECTED]" when doing business for company A respectively.
How do I configure sendmail and the MUAs to support this? Will this
effectively happen (without MUAs being able to bypass it) using the MSA?

Bye,
--
Steffen Kaiser


Re: [Mimedefang] filter_recipient problem (bug?)

2004-08-11 Thread Steffen Kaiser
On Wed, 11 Aug 2004, Egor Moskvichev wrote:
Hi, all!
The problem is...
explained in man mimedefang-filter section MAINTAINING STATE.
sub filter_recipient () {
   my ($recipient, $sender, $ip, $hostname, $first, $helo, $rcpt_mailer,
$rcpt_host, $rcpt_addr) = @_;
   $from_host = $ip;
   $to_recipient = $recipient;
   return ('CONTINUE', "ok");
};
Consider you have multiple recipients; what use does $to_recipient have in 
this scenario?

When you read man mimedefang-filter section GLOBAL VARIABLES SET BY 
MIMEDEFANG.PL, you see that you don't need filter_recipient as it is now at 
all.

Bye,
--
Steffen Kaiser


Re: [Mimedefang] Deadline for SPF records

2004-08-12 Thread Steffen Kaiser
On Mon, 9 Aug 2004, Les Mikesell wrote:
someone still forge the user name as long as the domain
name is correct for the originating IP address or will that
take yet another change in all MTA's to enforce before this
one is very useful?
This mechanism is called PGP. No MTA needs to be changed to use it.
Bye,
--
Steffen Kaiser


Re: [Mimedefang] Deadline for SPF records

2004-08-12 Thread Steffen Kaiser
On Tue, 10 Aug 2004, Cor Bosman wrote:
I mean, one of your customers (employees, whatever) sending email through
your server using [EMAIL PROTECTED] (basically their own hotmail
account).
They can in the From: header, but in the envelope your MTA is to ensure 
that DSNs have a valid return address, hence, the envelope must be some 
local account.

Sure, but if they are sending themselves (and have for years) and suddenly
people are implementing SPF and we dont list their dynamic dialup host
as a valid senderhost, their mail will be suddenly rejected.
Yup. That's what is happening now already, because of DUL blacklists.
Do you participate in some SourceForge projects? I do. And I painfully 
noticed that I cannot run those mails through my mail server at home.

Yeah, they could/should use our mailserver, but im just trying to say
implementing SPF has a _lot_ of side effects.
Too much, for what I see currently.
Plaintext, you need to use SSL. How do you 'make' them use authentication?
Turn off non-authenticated access.
You dont control if they decide to use the hotspot's email smarthost, or
use software that does the delivery itself. If you publish SPF records,
then their email will be rejected. Maybe not such a big deal in your
case, but im sure we have thousands of customers emailing with our
domain name from remote locations not using our mailservers.
That is one problem of the current SPAM: legit mail may flow in 
unsigned and from any host. If everyone used PGP or S/MIME, there 
would be no forged senders, provided one used a confirm-style certificate 
check-in mechanism (like when you join a mailing list that sends back a 
message to your mail account to verify that a) the address really exists 
and b) you are the particular person that initiated the join) -- at least 
not forged in the sense "there is an existing mailbox", as one could 
easily allocate one at any freemail (web) hoster.

Bye,
--
Steffen Kaiser


Re: [Mimedefang] MUA for multiple senders

2004-08-12 Thread Steffen Kaiser
On Tue, 10 Aug 2004, [EMAIL PROTECTED] wrote:
The other day someone asked about an MUA that would support sending from
different addresses.  Last night I was looking at my Mozilla Thunderbird
setup where I have my primary home accoount, as well as my rarely used ISP
If you mean me, that's true, you can have any (??) number of mailboxes in 
Mozilla (it would be cool to have "roles" there, instead of forcing you to 
set up different mailboxes for each From: address).

My question was how I can have:
- an user-specified From: address and
- a valid local-server-based envelope address.
I considered this to be in line with the distinction between MTA and 
MSA, but I haven't found any pointers in the sendmail READMEs or google.

Bye,
--
Steffen Kaiser


Re: [Mimedefang] Question about Virus Scanners

2004-08-12 Thread Steffen Kaiser
On Wed, 11 Aug 2004, Kevin A. McGrail wrote:
However, I haven't found much issues with Beagle/Bagle, etc. since I
switched to using File::Archive that searches for bad_exts and blocks them.
If the defs don't get them, the zip scanning has been.
Instructions on how I installed McAfee:
http://www.peregrinehw.com/downloads/MIMEDefang/INSTALL-MCAFEE
Actually I'm surprised. I had installed the command line scanner, too, a 
while back, but it was slow. And it seemed to consume lots of resources 
in memory.

I had ordered the scanners like so:
first File::Scan(), then McAfee
and McAfee _never_ found a virus! It did, when I reversed the processing 
order, so I'm certain the scanner and stuff were working.

Do you catch virii with McAfee, that slipped through the other scanners?
Bye,
--
Steffen Kaiser


Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-13 Thread Steffen Kaiser
On Thu, 12 Aug 2004, Jeff Rife wrote:
And what do you think the command ETRN is for?
It's an optional part of SMTP that doesn't have to be supported, and
does have some security issues.
Which ones?
It simply triggers a queue run filtering mail for a target server.
Bye.
--
Steffen Kaiser


RE: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-13 Thread Steffen Kaiser
On Thu, 12 Aug 2004, Kelson Vibber wrote:
Sure, PGP and S/MIME are probably more elegant solutions.  But if you think 
it's hard getting mail server admins to agree on and implement something like 
SPF, just try convincing every man, woman and child on the Internet to 
digitally sign every piece of outgoing mail!
That's a problem of:
a) how hard is it to sign a mail (try to sign a mail with PGP with Mozilla 
or Outlook for instance),
b) how hard and cumbersome is it to gather a certificate (try to get a cert 
for S/MIME for instance).

Both conditions above indicate that it is not easy, but it is not easy by
intention; it gets even more painful when you try to set up such scenario
for different mail addresses, aka "roles", e.g. when you participate in
various projects, firms, or "morally bad" mailing lists.
BTW: Many people think of PGP and S/MIME very personally, I mean, they 
believe that you can be tracked down all over the net by them. However, 
PGP signatures are absolutely not human-personalized, only when you want to 
enter a particular web-of-trust. Also, PGP currently lacks a check by which 
you can ensure that the corresponding mail address is not faked as well.

Bye,
--
Steffen Kaiser


Re: [Mimedefang] Monitoring Selected User Emails

2004-09-09 Thread Steffen Kaiser
On Wed, 8 Sep 2004, Ted Beaton wrote:
have been tasked with monitoring all incoming and outgoing mail for a couple
targeted users.  Is mimedefang the best way to attack this or is there a
simpler solution?  Thinking that mimedefang was the way to go I have
Because aliases are expanded later than MIMEDefang runs, you might skip 
some of the mails. The simplest solution to duplicate _incoming_ mails 
to an address would be to add a forward for this user on the final mail 
server.

Bye,
--
Steffen Kaiser


Re: [Mimedefang] MIMEDefang + spamd

2004-10-26 Thread Steffen Kaiser
On Wed, 22 Sep 2004, David F. Skoll wrote:
On Wed, 22 Sep 2004, John Scully wrote:
On any system with a lot of rule sets SA represents about 90% of the total
message prosessing time.  C vs perl makes a difference on that part.
Yes, but I fail to see how spamd helps -- it still must, ultimately,
call into the exact same Perl API as any other SA user.
Might spamc/spamd gain from the fact that spamd pre-loads more things and 
caches certain internal stuff, which is shared among multiple spamd 
slaves, instead of kept in each MIMEDefang slave?

You've said to switch to embedded Perl to avoid those problems, so the 
answer probably is no.

Anyway, would it be possible to use the spampd API directly, instead of 
calling spamc? That way one could measure the speed factor and usage of 
resources better. (No, I don't volunteer ;-)

Bye,
--
Steffen Kaiser


Re: [Mimedefang] Need to turn off CC in Defang Notifications

2004-11-29 Thread Steffen Kaiser
On Mon, 29 Nov 2004, Kenneth Porter wrote:
Hello,
I suppose he could be stress-testing Thunderbird, but at that volume I'd be 
inclined to switch all filtering server-side (ie. with procmail).
Suppose the users are not supposed to have a shell account on the server 
(just POP and IMAP); can you lock down procmail to keep within the user's 
home directory or at least to run only some particular, selected programs?

Or does there exist some other MailDir-aware MDA doing so?
Bye,
--
Steffen Kaiser


Re: [Mimedefang] Need to turn off CC in Defang Notifications

2004-12-01 Thread Steffen Kaiser
On Tue, 30 Nov 2004, Kelson wrote:
Hello,
Sendmail comes with smrsh, the SendMail Restricted SHell.  If you set an
account to use smrsh as its shell, then the user can only run the programs 
you specify -- and that includes programs called through procmail.
smrsh applies to programs sendmail calls, but not to the spawned ones 
(e.g. procmail). At least not in my installation.
I tried this .procmailrc:
MAILDIR=$HOME/.mail
DEFAULT=$MAILDIR/.INBOX/
LOGFILE=$MAILDIR/log
:0 c
* ^From.*root
.backup/
:0
* ^From.*root
| perl $HOME/script
The mail is delivered to the folder and the script is executed, although 
"perl" is not linked in /etc/mail/smrsh.

Bye,
--
Steffen Kaiser


OT: Secure MDA (was Re: [Mimedefang] Need to turn off CC in Defang Notifications)

2004-12-01 Thread Steffen Kaiser
On Wed, 1 Dec 2004, Joseph Brennan wrote:
hosts and mail servers, but if the mail server reads .procmailrc
over NFS, users can therefore execute programs on the mail server
just by receiving mail.
This is, in fact, our setup.
In the past, we had too much trouble, e.g. ill-written scripts that 
consumed lots of CPU and memory; even bouncers and other servers got 
invoked.
Actually, I'd restrict message filtering to picking some proper maildrop 
directories and/or forwarding to another mail address.

I considered moving the user .procmailrc's into some local place with a 
web-interface and parsing the contents prior to installing it, e.g. to reject 
the conf file when a '|' character is found; but I haven't tested the 
idea, yet.

Bye,
--
Steffen Kaiser
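A pre-install check along those lines, as an added example that is not code from this post, from procmail or from MIMEDefang: a Perl script that parses a user's .procmailrc before it is copied to the mail server and rejects every construct procmail could use to execute a program. It checks more than the bare '|' of the post, because a '|' inside a condition regex is harmless, while '!' forwarding, '* ?' conditions, backtick substitution and INCLUDERC/SWITCHRC/SHELL assignments all run code. The rc file at the bottom is constructed here and mirrors the one from the earlier smrsh test.

```perl
#!/usr/bin/perl
# Added example, not code from the post or from procmail/MIMEDefang:
# reject .procmailrc files that could execute programs on the mail server.
use strict;
use warnings;

# Returns a list of [line-number, reason] pairs; an empty list means the
# rc file only sorts into folders and may be installed.
sub procmailrc_violations {
    my ($text) = @_;
    my @bad;
    my $n = 0;
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*(#|$)/;                       # comment / blank
        if ($line =~ /^\s*\|/) {
            push @bad, [$n, 'action pipes the message into a program'];
        } elsif ($line =~ /^\s*!/) {
            push @bad, [$n, 'action forwards by invoking sendmail'];
        } elsif ($line =~ /^\s*\*\s*\?/) {
            push @bad, [$n, 'condition runs an external program'];
        } elsif ($line =~ /`/) {
            push @bad, [$n, 'backtick command substitution'];
        } elsif ($line =~ /^\s*(INCLUDERC|SWITCHRC|SHELL)\s*=/) {
            push @bad, [$n, "assignment to $1 pulls in code or changes the shell"];
        }
    }
    return @bad;
}

# Constructed sample, modelled on the rc file in the earlier post: two
# folder deliveries (fine, the '|' in the regex is harmless) and one pipe
# into perl on line 9 (must be rejected).
my $sample = <<'RC';
MAILDIR=$HOME/.mail
DEFAULT=$MAILDIR/.INBOX/
LOGFILE=$MAILDIR/log
:0 c
* ^From.*root
.backup/
:0
* ^(From|Sender).*root
| perl $HOME/script
RC

my @v = procmailrc_violations($sample);
if (@v) {
    print "REJECT .procmailrc:\n";
    print "  line $_->[0]: $_->[1]\n" for @v;
    exit 1;
}
print "OK: no program execution found\n";
```

The check is deliberately per line and per construct instead of a global search for '|', so that a user who filters on "^(From|Sender)" is not locked out while a user who pipes into a script is. Anything the script cannot classify (procmail's own syntax is small, but the '{ }' block form and flags are untouched) simply passes through as a delivery line, so the list above is the place to extend if a new way to run code turns up.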


Re: [Mimedefang] Change "warning1.txt" attachment name when using action_replace_with_url

2004-12-17 Thread Steffen Kaiser
On Thu, 16 Dec 2004, Administrador DyR wrote:
About the type of the replacing attachment:
There is actually another reason why it might be good to use another type:
There are local recipients using some (I don't know what particular) 
version of Outlook, who claim that they cannot access the link in the 
Warning.

The cause is simple: Outlook does not make the URL clickable.
You could copy'n'paste the URL into a browser, but that's too much effort 
(or lack of knowledge or whatever).

Bye.
--
Steffen Kaiser


Re: [Mimedefang] Re: Anyone using File::Scan?

2005-02-16 Thread Steffen Kaiser
On Thu, 17 Feb 2005, Matt Smith wrote:
Hello,

don't monitor closely exactly _what_ is getting rejected due to virii (I
I drop the part with warning when File::Scan returns positive, so the 
recipient may decide further. Till now, I had no single complaint. But we 
do not scan thousands of mails daily :)

suggest that this is heavily faq'd and man'd, as the list will no-doubt be
bombarded with questions like "I upgraded MD and File::Scan is no-longer
working!", or similar!
A line in the sample filter would be nice:
# Uncomment the next two lines if you want to use File::Scan if it is 
installed
#(eval 'use File::Scan; $Features{"File::Scan"} = 1;')
#or $Features{"File::Scan"} = 0;

Or vice versa:
# Comment out the next line to avoid using File::Scan
(eval 'use File::Scan; $Features{"File::Scan"} = 1;');
Bye,
--
Steffen Kaiser


Re: [Mimedefang] How can I tell WHY this was rejected?

2005-04-07 Thread Steffen Kaiser
Or one can keep a report of the internal variables of the filter for a 
mail, e.g.:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-May/022272.html

Bye,
--
Steffen Kaiser


Re: [Mimedefang] Order of the fuctions?

2005-06-22 Thread Steffen Kaiser

On Wed, 22 Jun 2005, James Ebright wrote:


I check for auth in filter_begin (earliest I know of that you can check for
authenticated users in MD [I use the global array SendmailMacros]) and skip
portions of my MD filter if the user authenticated as well. Most actions in
filter_recipients and filter_relay I dont actually take at that time but save
to a state file and do not take any action until after I can check for
authentication.


You can check for Sendmail Auth anytime by inspecting the COMMANDS file:

http://lists.roaringpenguin.com/pipermail/mimedefang/2003-June/015208.html

Bye,

--
Steffen Kaiser
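A filter_sender built on that, as an added example that is not code from this post or from MIMEDefang itself. It turns the point made earlier in the SPF thread, that the envelope sender has to be a local address so that DSNs can be delivered, into a check: an authenticated submitter may put whatever they like into From:, but their MAIL FROM must carry one of the server's own domains. It assumes, as the linked 2003 post describes, that read_commands_file() populates %SendmailMacros inside filter_sender, and that sendmail exports {auth_authen} to the milter at MAIL FROM time (it is in the default confMILTER_MACROS_ENVFROM); the domain list is a placeholder.

```perl
# Added example fragment for mimedefang-filter (not the post's code).
# Assumptions: read_commands_file() fills %SendmailMacros in filter_sender,
# and {auth_authen} is exported to the milter at MAIL FROM time.
use strict;
use warnings;

our %SendmailMacros;                              # global set by mimedefang.pl

# Domains whose mailboxes exist on this server, i.e. valid DSN targets (assumed).
my %LocalDomains = map { $_ => 1 } qw(example.com example.net);

# Decide on an envelope sender. $auth_user is the SASL login name or undef.
# Returns the (result, message) pair filter_sender hands back to MIMEDefang.
sub check_envelope_sender {
    my ($sender, $auth_user) = @_;
    (my $addr = $sender) =~ s/^<(.*)>$/$1/;      # strip the milter's brackets
    return ('CONTINUE', 'ok') if $addr eq '';     # <> is a bounce, always allowed
    return ('CONTINUE', 'ok') unless defined $auth_user && $auth_user ne '';
    my ($domain) = $addr =~ /\@([^\@]+)$/;
    $domain = defined $domain ? lc $domain : '';
    return ('CONTINUE', 'ok') if $LocalDomains{$domain};
    # Authenticated session with a foreign envelope: DSNs for this mail could
    # not be delivered here and the address may be forged, so refuse it now.
    return ('REJECT',
        "Authenticated user $auth_user must use a local envelope sender, not <$addr>");
}

sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    read_commands_file();                         # populate %SendmailMacros
    return check_envelope_sender($sender, $SendmailMacros{'auth_authen'});
}
```

Unauthenticated sessions are left alone on purpose: on port 25 the envelope sender is somebody else's, and the place to police it is SPF or a DUL list, not this check. The null sender passes so that bounces to local users still arrive.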


Re: [Mimedefang] RE: HELP! At end of my rope with MD/SA

2005-07-07 Thread Steffen Kaiser

On Wed, 6 Jul 2005, Dirk the Daring wrote:

Hello,


Summary: Adding SA v3.0.4 to an existing MD v2.52 install breaks MD



I wrote:


If I add

$Features{'SpamAssassin'} = 1;

to mimedefang-filter, so I can eliminate the "if $Features" logic and
simplify my -filter file, I get the following error:

Can't locate object method "new" via package "Mail::SpamAssassin"
(perhaps you forgot to load "Mail::SpamAssassin"?) at
/opt/mimedefang/bin/mimedefang.pl line 6177.
Compilation failed in require at /opt/mimedefang/bin/mimedefang.pl
line 4881.


The last command won't run unless I remove the "Features{'SpamAssassin'}" from
mimedefang-filter. If I leave that in, I get the same error as in my
first message.


Hmm, I've re-checked with the archive, there you said that you really mean 
that you've >>eliminate(d) the "if $Features" logic<<


Well, I agree with:
http://lists.roaringpenguin.com/pipermail/mimedefang/2005-July/027565.html

The basic question is: WHY do you want to remove the "if logic" at all?

quote: "If I run MD with a filter that *optionally* adds SA (that is, using
if ($Features{"SpamAssassin"})
constructions as the default filter does, MD works fine.
   If I add
$Features{'SpamAssassin'} = 1;
"
First: $Features{'SpamAssassin'} should be '1' already, if SpamAssassin 
is present and usable.
(Also: it does not 'optionally add SA' in your filter, but pre-loads the 
SA framework. The "add" is performed in mimedefang.pl - search for "use 
Mail::SpamAssassin ()")


Second:
What I haven't understood from your posts:
Is SpamAssassin used at runtime (scan time) at all, when the "if logic" is 
present, or not?
Or is mimedefang.pl -features telling you that SA is present, but it is 
NOT present while scanning mails?



Also, in 
http://lists.roaringpenguin.com/pipermail/mimedefang/2005-July/027557.html 
you indicate that your MIMEDefang _and_ perl are located in /opt, whereas 
in 
http://lists.roaringpenguin.com/pipermail/mimedefang/2005-July/027562.html 
you indicate that both reside under /usr/bin.


The error indicates that "use Mail::SpamAssassin ();" had not been seen by 
perl. The question is why, actually.


I'd do the following to investigate:

a) recompile mimedefang

b) keep the if logic, unless there is some real reason to remove it (it 
won't take that much resources in your environment, will it?)


else:
c) insert a "print "\$Features{'SpamAssassin'} = " . 
$Features{'SpamAssassin'} . "\n"; prior to the "if logic" and watch the 
output of "./mimedefang.pl -features".

(Note: I really mean ./mimedefang.pl and NOT perl mimedefang.pl)
(Oh: and verify that 'pwd' displays the very same path as used in 
/etc/init.d/mimedefang) (Note#2: Remove the line, before using the 
filter.)


if nothing obvious is to be seen:
d) $(head -1 mimedefang.pl | sed -e '1,$s/#!//') -d mimedefang.pl 
-features
in order to verify, why the "use Mail::SpamAssassin ();" is not seen by 
perl. (Note: I really mean $(head -1 mimedefang.pl | sed -e '1,$s/#!//') )


if in doubt:
e) add  "use Mail::SpamAssassin ();" right next to where you've placed: 
$Features{'SpamAssassin'} = 1;

and watch the difference(s).

Bye,

--
Steffen Kaiser


Re: [Mimedefang] SpamAssassin net tests disabled then called by mimedefang.

2005-07-07 Thread Steffen Kaiser

On Thu, 7 Jul 2005, [EMAIL PROTECTED] wrote:

Hello,

What's the value of:

$SALocalTestsOnly = 0;

in your filter?

Bye,

--
Steffen Kaiser


Re: [Mimedefang] Blatent spam getting X-Spam-Score: 0 ()

2005-07-08 Thread Steffen Kaiser

On Fri, 8 Jul 2005, Bill Curtis wrote:


Here is the header of a message that shows X-Spam-Score: 0.  I'm curious if
a spammer
could have put this there to get mimedefang to skip it.  I know that my


I've seen these headers, too; but it wouldn't be a good mail filter that 
honored alien headers, would it? Unless you coded it, MIMEDefang has no 
interest in these headers.


I suppose those headers are there to trick MUAs that are normally 
configured to be used in conjunction with a filter that tags mail, and a 
second one that does not. Consider somebody who pulls private mail from 
some provider and business mail from the firm's server, if the latter is 
running anti-spam ware and tags the mails, but the provider does not.


Bye,

--
Steffen Kaiser


Re: [Mimedefang] Code to remove winmail.dat files and replace them with the attachments.

2005-07-27 Thread Steffen Kaiser

On Tue, 19 Jul 2005, David F. Skoll wrote:


Is there a reason you didn't use Convert::TNEF?
http://search.cpan.org/~dougw/Convert-TNEF-0.17/


Does somebody know how to extract the RTF message using Convert::TNEF? I 
haven't found anything in the pod nor pointed google to something useful.


I suspect $tnef->message to return something, where one can get the hands 
on the message, but I cannot see how.


The example in the pod is also just dealing with "real" attachments.

I verified the existence of the RTF part by loading the winmail.dat into 
ktnef and selecting "Action | Show Message Text" from the menu; but using 
the module I do not see it in either


$tnef->message
nor
$tnef->attachments

The first one seems to contain status information only; the latter returns 
an empty list (actually there are no real attachments).


Bye,

--
Steffen Kaiser


Re: [Mimedefang] Slaves died prematurely

2005-08-22 Thread Steffen Kaiser

On Thu, 4 Aug 2005, Eduardo Otubo wrote:


nothing found

something smells bad in my debian kingdom


I just did an install of Debian stable sarge; it worked out-of-the-box, 
except MIMEDefang is not automatically added to sendmail.m4, what to do 
about it is described in /usr/share/doc/mimedefang.


Debian includes MIMEDefang v2.51, instead of the most current one, 
however.


Bye,

--
Steffen Kaiser


RE: [Mimedefang] Spam with more than one recipient - reject or not?

2005-08-22 Thread Steffen Kaiser

On Thu, 18 Aug 2005, [EMAIL PROTECTED] wrote:


David F. Skoll wrote:

[EMAIL PROTECTED] wrote:


Tempfail the second of A and B at RCPT time...


There are serious practical problems with this approach:


True.  Just brainstorming.

5. Accept A and B at RCPT time... make a decision at DATA time.

If all recipients agree a message should be rejected, reject it (duh)
If all recipients agree a message should be accepted, accept it (duh)
If there's any disagreement, tempfail it ONCE and remember it.
If there's a retry later, ACCEPT IT.  The initial disagreement, plus the fact 
that there was a real retry, should go a long way toward proving the hammyness 
of the email.

Drawback... if spammers start retrying, this could be a free ride for a lot of 
spam.


This is conditional greylisting, no?

Bye,

--
Steffen Kaiser


Re: [Mimedefang] Excluding localhost

2005-08-22 Thread Steffen Kaiser

On Mon, 22 Aug 2005, Andrew Pollock wrote:


sub filter_begin () {
   # No need to impact on delivery times for locally generated mail
   if (!defined $RelayAddr || $RelayAddr eq '127.0.0.1') {
8.204.2') {
   return ACCEPT_AND_NO_MORE_FILTERING
   }


This code is valid in filter_relay/_sender/_recipient.

Bye,

--
Steffen Kaiser


Re: [OT] Debian Policy (was Re: [Mimedefang] Re: Quarantine location)

2005-08-29 Thread Steffen Kaiser

On Fri, 26 Aug 2005, David F. Skoll wrote:

The sendmail package of Debian is a bit odd, I agree, but an upgrade 
within the various sarge/testing variants never broke my installation, 
except that sendmailconfig insists on putting procmail into 
/etc/mail/smrsh. However, what would be the way to intelligently handle 
sendmail's .m4 conf script, without disabling lots of functionality?


I had no problems with Postgres at all.

I do, however, use my own perl version for my own perl programs, as 
upgrading keeps overwriting any updated modules; updating the perl 
package or installing a newer (required) variant of a CPAN module broke 
the system or my own (perl) applications running on the server.


Bye,

--
Steffen Kaiser


Re: [Mimedefang] SPAM with Multiple Subject Headers

2005-09-01 Thread Steffen Kaiser

On Thu, 1 Sep 2005, Sean Ware wrote:


 action_change_header("X-Spam-Score", "$hits ($score) $names");


Wouldn't the same problem apply to X-Spam-Score?

Bye,

--
Steffen Kaiser
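What both header threads come down to, as an added example fragment for filter_end that is not code from the posts or from MIMEDefang: action_change_header() only rewrites the first occurrence of a header, so a second Subject: or a spammer-supplied X-Spam-Score: survives it. The fragment first collapses duplicate Subject: headers down to the first one (the one most MUAs display) and then removes every pre-existing X-Spam-Score: before adding its own, which also answers the earlier question about blatant spam carrying "X-Spam-Score: 0". It assumes the optional 1-based index argument of action_delete_header() and that $entity is the MIME::Entity filter_end receives.

```perl
# Added example fragment for mimedefang-filter (not the posts' code).
use strict;
use warnings;

our %Features;                                    # global set by mimedefang.pl

# Delete all but the first occurrence of $tag. Indices shift after each
# deletion, so delete from the last occurrence downwards (assumes the
# 1-based $index argument of action_delete_header). Returns how many went.
sub collapse_duplicate_header {
    my ($entity, $tag) = @_;
    my $count = $entity->head->count($tag) || 0;
    for (my $i = $count; $i > 1; $i--) {
        action_delete_header($tag, $i);
    }
    return $count > 1 ? $count - 1 : 0;
}

# Replace any X-Spam-Score, whoever put it there, with ours. A MUA rule
# keyed on this header can then not be fooled by a forged zero score.
sub tag_spam_score {
    my ($hits, $names) = @_;
    my $stars = '*' x ($hits < 40 ? int($hits) : 40);
    action_delete_all_headers('X-Spam-Score');
    action_add_header('X-Spam-Score', "$hits ($stars) $names");
}

sub filter_end {
    my ($entity) = @_;
    collapse_duplicate_header($entity, 'Subject');
    return unless $Features{'SpamAssassin'};
    my ($hits, $req, $names, $report) = spam_assassin_check();
    tag_spam_score($hits, $names);
    if ($hits >= $req) {
        # Only one Subject is left now, so the tag lands where MUAs look.
        my $subject = $entity->head->get('Subject');
        $subject = '' unless defined $subject;
        chomp $subject;
        action_change_header('Subject', "[SPAM] $subject");
    }
}
```

The same delete-all-then-add pattern applies to any header a downstream rule trusts (X-Spam-Status, X-Spam-Flag, a quarantine marker): whatever the sender was allowed to supply must be gone before the filter writes its own.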


Re: [Mimedefang] Spam with more than one recipient - reject or not?

2005-09-06 Thread Steffen Kaiser

On Tue, 6 Sep 2005, Wesley Peters wrote:


On Wed, 2005-08-17 at 07:54 -0400, David F. Skoll wrote:

Michal Jankowski wrote:


I have received a suggestion to stream by recipient.



But that's a big no-no. Once you do that, you have effectively
accepted the smtp transaction. So you cannot 'bounce' and the only way
to notify sender is by mail, which should be avoided at all cost.


Well, in that case, you just discard instead of bounce.

Can you suggest a viable alternative?  (Other than re-writing SMTP, of course.)


Tempfail all the recipients who use different rules than the first?


That falls into the field of "re-writing SMTP"; because the recipients 
are sent and acknowledged (or rejected) _before_ the content comes in, 
you can't tempfail individual recipients based on the content.


Also, another idea:

+ tempfail the message as a whole, &
+ when the mail transfer is attempted again, you know the old score and 
tempfail the recipients who do not like the mail.


Well, that won't work either, because when the recipients are sent, you only 
know the connecting host, the HELO string and the envelope sender. Not 
enough information to reliably identify a message.
Some (mostly larger hosters) have mail clusters, where, possibly, a 
message is retried from another host, which would use another HELO string 
as well.


So one can only act on the tuple (sender, recipient), and you can't even 
rely on the order of the recipients staying the same on retry.
-> Well, this is much like conditional greylisting, where you hope that 
the attempt to re-transfer is a good sign for non-SPAM.


Bye,

--
Steffen Kaiser


brainstorming this topic: Re: [Mimedefang] Spam with more than one recipient - reject or not?

2005-09-06 Thread Steffen Kaiser

On Tue, 6 Sep 2005, Wesley Peters wrote:

While writing the former reply, some idea developed, it tries to extend 
Greylisting:


Consider a message for multiple recipients, some do like it, some do not.

+ During filter_end() you score why the recipients don't like it (e.g. 
some reasons might not be appropriate for this idea); then you save the 
pair (envelope sender, envelope recipient) into a database.


+ The whole message is tempfailed.

+ When a message arrives, you check in filter_recipient() if the DB 
contains the pair (sender, recipient); if so, the recipient is tempfailed.


+ The database entries are deleted after, say, one hour.

+ Eventually, within the grace time of 1h, the message with the mixed 
recipients is retried; the recipients who don't like the message get 
tempfailed, the others pass.


+ When the message is retried again after the grace time, all recipients 
don't like the mail and it is bounced.


The basic idea is to assume that a sender will send SPAM the next time, 
too.


This assumption is also the weak point because of all the faked sender 
addresses. There will be well-known senders that, when arriving from 
certain hosts, are no SPAM mostly, so they can be exempted from this 
technique.


There will be several scenarios, that make this technique cumbersome, 
because it is possible that a mail gets tempfailed forever without being 
scanned at all.


E.g.:

+ Mail A from faked sender S arrives with multiple recipients; recipient R 
doesn't like the message; the pair (S, R) is stored into the DB.


+ Mail B arrives from real sender S to R (single recipient) within grace 
time. But it is tempfailed. You don't know whether this message has one 
or more recipients, hence you must honor the DB any time.


--> When message A is never retried _within_ the grace time, it will be 
tempfailed forever and possibly prevent scanning and delivery of Mail B 
that way.


Does anybody have some idea to eliminate the weak points?

Bye,

--
Steffen Kaiser
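The scheme above written out for mimedefang-filter, as an added example that is not the post's code and not part of MIMEDefang. The (sender, recipient) store is a flat file under flock() rather than a Perl global, because filter_recipient and filter_end may be served by different slaves (man mimedefang-filter, MAINTAINING STATE); that is also the reason the filter_recipient near the top of this page, which collected $to_recipient in a global, could not work for more than one recipient, and why the per-recipient verdict here is taken in filter_end over @Recipients. The file path, the per-recipient threshold table and the one-hour grace time are assumptions; the spam score comes from spam_assassin_check().

```perl
# Added example for mimedefang-filter (not the post's code). Path, thresholds
# and grace time are assumed; the SpamAssassin score comes from MIMEDefang.
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);

our (%Features, @Recipients, $Sender);            # globals set by mimedefang.pl

my $PairFile  = '/var/spool/MIMEDefang/disliked-pairs';   # assumed location
my $GraceSecs = 3600;                                      # the post's one hour
my %Threshold = ('strict@example.com' => 3, 'lax@example.com' => 15);  # assumed
my $DefaultThreshold = 5;

sub bare_addr { (my $addr = lc shift) =~ s/^<(.*)>$/$1/; return $addr; }
sub pair_key  { return join("\t", map { bare_addr($_) } @_); }

sub threshold_for {
    my $addr = bare_addr(shift);
    return exists $Threshold{$addr} ? $Threshold{$addr} : $DefaultThreshold;
}

# Parse "sender<TAB>recipient<TAB>epoch" lines from $fh, dropping expired ones.
sub read_pairs {
    my ($fh, $now) = @_;
    my %p;
    while (my $line = <$fh>) {
        chomp $line;
        my ($s, $r, $t) = split /\t/, $line, 3;
        next unless defined $t && $t =~ /^\d+$/;
        $p{"$s\t$r"} = $t if $now - $t <= $GraceSecs;
    }
    return \%p;
}

# Is (sender, recipient) still on record? Shared lock: readers run concurrently.
sub pair_pending {
    my ($sender, $recipient, $now) = @_;
    open(my $fh, '<', $PairFile) or return 0;     # no file yet: nothing pending
    flock($fh, LOCK_SH) or return 0;
    my $p = read_pairs($fh, $now);
    close $fh;
    return exists $p->{pair_key($sender, $recipient)} ? 1 : 0;
}

# Record (sender, r) for every objecting recipient r, rewriting the file
# without expired entries. Exclusive lock: one writer at a time.
sub remember_disliked {
    my ($now, $sender, @rcpts) = @_;
    sysopen(my $fh, $PairFile, O_RDWR | O_CREAT, 0600) or return 0;
    flock($fh, LOCK_EX) or return 0;
    my $p = read_pairs($fh, $now);
    $p->{pair_key($sender, $_)} = $now for @rcpts;
    seek($fh, 0, 0);
    truncate($fh, 0);
    print $fh "$_\t$p->{$_}\n" for sort keys %$p;
    close $fh;
    return scalar @rcpts;
}

# RCPT time: a recipient who objected to this sender's last message within
# the grace time is tempfailed; the others are accepted into the transaction.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
    return ('TEMPFAIL', 'Recipient policy pending, please retry later')
        if pair_pending($sender, $recipient, time());
    return ('CONTINUE', 'ok');
}

# DATA time: one verdict per recipient; only a split verdict needs the store.
sub filter_end {
    my ($entity) = @_;
    return unless $Features{'SpamAssassin'};
    my ($hits) = spam_assassin_check();
    my @objecting = grep { $hits >= threshold_for($_) } @Recipients;
    return if !@objecting;                              # all accept: deliver
    if (@objecting == @Recipients) {                    # all object: refuse
        action_bounce("Spam score $hits exceeds every recipient's threshold");
        return;
    }
    remember_disliked(time(), $Sender, @objecting);     # split verdict
    action_tempfail('Recipients disagree on this message, please retry later');
}
```

The weak point the post names is visible in the code: the key is the envelope sender alone, so a forged sender and a real one with the same address collide. Adding the connecting IP to the key ($RelayAddr in filter_end, $ip in filter_recipient) narrows the collision to a single host at the price of missing retries that come from another member of a sender's cluster; which trade-off is acceptable depends on who the legitimate senders are.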


Re: [Mimedefang] MX -> 127.0.0.1

2005-09-13 Thread Steffen Kaiser

On Mon, 12 Sep 2005, Les Mikesell wrote:


On Mon, 2005-09-12 at 17:31, Kelson wrote:


I remember a year or two ago there was a fad in which admins would set
up a tertiary or higher MX pointing to 127.0.0.1 in order to hassle spam
software that used the highest MX instead of the lowest.

I don't know how many of these are still around, and I never thought it
was a good idea -- and you can definitely argue that it's a malicious
config!


The reason you publish multiple MX addresses in the first place is
that you know some won't always be reachable.  What would you like
to happen when all but 127.0.0.1 is unreachable?


There was a long discussion on this list about abusing "Backup-MX" 
hosts, because they are most likely not protected the same as the primary 
host; therefore it was suggested to publish 127.0.0.1 as the MX entry with 
the highest number, on the assumption:


a) It will never happen that all the higher priority (aka lower 
number) servers are gone, and
b) that ratware uses the last-priority server to catch a Backup-Host that 
is not protected so well, but is now using localhost.


Well, the same effort to detect "bad" MX hosts can be performed by 
ratware, hence this technique can last for a short while only; perhaps the 
usefulness is gone by now.


So I would agree with you that to publish localhost anywhere in the chain 
is possibly not good.


BTW: I wouldn't wonder much, when some ratware (or spammer) uses 
completely random addresses.


Bye,

--
Steffen Kaiser


Re: [Mimedefang] MX -> 127.0.0.1

2005-09-13 Thread Steffen Kaiser

On Tue, 13 Sep 2005, Kenneth Porter wrote:

--On Tuesday, September 13, 2005 1:29 PM +0200 Steffen Kaiser <[EMAIL PROTECTED]> wrote:


Well, the same effort to detect "bad" MX hosts can be made by ratware;
hence, this technique can last for a short while only, and perhaps its
usefulness is gone by now.


The 2nd best solution is to use "black hole space" for the last MX, IP space 
guaranteed to not have a host. This ensures that the spammer has to time out 
the connection. But it means that the timeout is only as long as the stock 
TCP SYN timeout.


Good point.

An even better solution is to point to a host that tarpits port 25 
connections. Such a host accepts the connection, but then turns the TCP feed 
into a trickle, effectively forcing the spammer to tie up the connection 
forever. (You can install a netfilter module on Linux called "TARPIT" for 
this purpose.)


You still have to ensure that one of the "good" MX hosts is online all 
the time, or at least ignore / tempfail connections when all the 
other hosts are down.


Bye,

--
Steffen Kaiser
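The two MX posts above argue about what an MTA does when only the 127.0.0.1 entry is left. The script below is an added example (not code from the list or from MIMEDefang) that models the preference walk of RFC 5321 and audits the published targets; the three MX records, their hostnames and addresses are constructed, and a real audit would fill `@mx` from a DNS lookup instead, which this script does not perform:

```perl
#!/usr/bin/perl
# Added example, not from the list posts: model how an MTA walks a domain's
# MX records by preference and flag targets that should never be published.
# The records are constructed; a real audit would fill @mx from a DNS lookup
# (e.g. with Net::DNS), which this script deliberately does not do.
use strict;
use warnings;

# Constructed MX set: preference, hostname, and the IPv4 the name resolves to.
my @mx = (
    { pref => 10, host => 'mx1.example.net',     addr => '192.0.2.10' },
    { pref => 20, host => 'mx2.example.net',     addr => '192.0.2.20' },
    { pref => 90, host => 'mx-last.example.net', addr => '127.0.0.1'  },
);

# Classify an IPv4 address an MX target resolves to. Anything other than
# 'public' is a target a legitimate sender can never reach.
sub classify_ipv4 {
    my ($addr) = @_;
    my @o = split /\./, $addr, -1;
    return 'invalid' unless @o == 4 && !grep { !/^\d{1,3}$/ || $_ > 255 } @o;
    return 'loopback'   if $o[0] == 127;
    return 'private'    if $o[0] == 10
                        || ($o[0] == 172 && $o[1] >= 16 && $o[1] <= 31)
                        || ($o[0] == 192 && $o[1] == 168);
    return 'link-local' if $o[0] == 169 && $o[1] == 254;
    return 'public';
}

# RFC 5321 order: lowest preference value first. Equal preferences are
# tried in random order by real MTAs; kept deterministic here.
sub mx_delivery_order {
    return sort { $a->{pref} <=> $b->{pref} } @_;
}

# Where a sender ends up when the hosts named in %$down are unreachable:
# the first remaining record in preference order, or nothing.
sub first_reachable {
    my ($down, @records) = @_;
    for my $r (mx_delivery_order(@records)) {
        return $r unless $down->{ $r->{host} };
    }
    return;
}

# One finding for every MX whose target is not a publicly routable address.
sub audit_mx {
    my @findings;
    for my $r (mx_delivery_order(@_)) {
        my $class = classify_ipv4($r->{addr});
        push @findings, "$r->{host} (pref $r->{pref}) -> $r->{addr}: $class"
            if $class ne 'public';
    }
    return @findings;
}

printf "%3d %-22s %s\n", $_->{pref}, $_->{host}, $_->{addr}
    for mx_delivery_order(@mx);

# The failure mode from the thread: both primaries down, a legitimate
# sender is handed the loopback entry and delivery fails.
my $t = first_reachable({ 'mx1.example.net' => 1, 'mx2.example.net' => 1 }, @mx);
print "with mx1 and mx2 down, senders are pointed at: ",
      ($t ? "$t->{host} ($t->{addr})" : 'nothing'), "\n";

print "audit: $_\n" for audit_mx(@mx);
```

The audit also catches the RFC 1918 and link-local variants of the same trick, since they fail a legitimate sender in exactly the same way as loopback.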


Re: [Mimedefang] Filters and Global Variables

2005-09-14 Thread Steffen Kaiser

On Wed, 14 Sep 2005, John Rudd wrote:


Does the same child get called for all filter* subroutines?

For example, if I define a global variable outside of any subroutines, and 
then in filter_begin I clear it ... then add some values to it in filter, 
will I then be able to read it in filter_end?


Yes and no; the details are explained in man mimedefang-filter, section 
"MAINTAINING STATE".


Bye.

--
Steffen Kaiser


Re: [Mimedefang] blocked file types in text file

2005-09-19 Thread Steffen Kaiser

On Mon, 19 Sep 2005, John Rudd wrote:


Right, that's the same as what $& is doing: it's telling you what part of the


There is a large performance penalty for using the special $` $' $& variables, 
because if you use those variables anywhere in the code, they are 
propagated for each regex, which is not so for the $1 variables.


There was a thread some time ago claiming that e.g. SpamAssassin's huge 
amount of regexes drops the performance significantly.


($& is not as problematic as $` and $', if I remember correctly. Perl 
developers have made the same quirk, see "perldoc English", last 
paragraph:


"PERFORMANCE
   This module can provoke sizeable inefficiencies for regular expressions,
   due to unfortunate implementation details.  If performance matters in
   your application and you don't need $PREMATCH, $MATCH, or $POSTMATCH,
   try doing

  use English qw( -no_match_vars ) ;

   .  It is especially important to do this in modules to avoid penalizing
   all applications which use them."
)

Bye,

--
Steffen Kaiser
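As an added example (not from the posts in this thread), the script below gets the same three strings that $`, $& and $' would give, but through the `@-` and `@+` offset arrays and through a capture group, neither of which imposes the program-wide copying cost discussed above; the header line it matches against is constructed:

```perl
#!/usr/bin/perl
# Added example, not from the list posts: obtain the text around a match
# without $`, $& and $', so the other regexes in the program (a filter with
# SpamAssassin loaded runs thousands of them) are not slowed down.
use strict;
use warnings;

# @- and @+ hold the offsets of the last successful match in this scope:
# $-[0]/$+[0] delimit the whole match, $-[1]/$+[1] the first capture group.
# Unlike $&, reading them costs nothing for regexes elsewhere in the program.
sub split_around_match {
    my ($str, $re) = @_;
    return unless $str =~ $re;
    return (substr($str, 0, $-[0]),              # what $` would hold
            substr($str, $-[0], $+[0] - $-[0]),  # what $& would hold
            substr($str, $+[0]));                # what $' would hold
}

# Capturing parentheses give the same text through $1; only regexes that
# use captures pay for the copy, which is the contrast the post draws.
sub match_via_capture {
    my ($str, $re) = @_;
    return $str =~ /($re)/ ? $1 : undef;
}

my $header = 'Subject: [Mimedefang] blocked file types in text file';  # constructed
my ($pre, $match, $post) = split_around_match($header, qr/\[[^\]]*\]/);
print "pre  : '$pre'\nmatch: '$match'\npost : '$post'\n";
print "via capture: '", match_via_capture($header, qr/\[[^\]]*\]/), "'\n";
```

Note that `@-` and `@+` are dynamically scoped to the enclosing block, so read them right after the match, as `split_around_match` does.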


Re: [Mimedefang] howto add another recpient when email's size bigger that X vale

2005-09-28 Thread Steffen Kaiser

On Wed, 28 Sep 2005, Anton Kudris wrote:


I think I need to add few lines to filter_end() like these

my $x = 5120; #bytes
if (message_size() >= $x) {
 add_recipient('[EMAIL PROTECTED]');
}

but I don't know how to write the message_size() function... Or is there
any $MsgSize variable available?


Check out the sample filter, esp. the code snippet:

# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"}) {
    if (-s "./INPUTMSG" < 100*1024) {
        # Only scan messages smaller than 100kB.  Larger messages
        # are extremely unlikely to be spam, and SpamAssassin is
        # dreadfully slow on very large messages.

The 2nd if() probes the message size.

Bye,

--
Steffen Kaiser
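The "Filters and Global Variables" answer and the message-size answer above both come down to what one slave sees over the life of one message. The filter fragment below is an added example (not the posters' code and not the MIMEDefang sample filter) that puts both together: a file-scoped hash reset in filter_begin, filled in filter and read in filter_end, where the sample filter's `-s "./INPUTMSG"` test supplies the size; the 5120-byte limit, the archive address and the header name are placeholders, and action_accept, action_add_header, add_recipient and md_syslog are the MIMEDefang filter API calls:

```perl
# Added mimedefang-filter fragment, not the posters' code or the MIMEDefang
# sample filter. The same slave runs filter_begin, every filter call and
# filter_end for one message, so a file-scoped variable carries data between
# them; slaves are reused for later messages, so it must be reset in
# filter_begin. filter_end uses the "-s ./INPUTMSG" size test from the sample
# filter, which is the message_size() the question asked for. The limit,
# address and header name are placeholders.
use strict;
use warnings;

my %State;                                     # per-message scratch space
my $ArchiveLimit = 5120;                       # bytes, placeholder
my $ArchiveAddr  = 'archive@example.invalid';  # placeholder address

sub filter_begin {
    # Called once per message before any filter() call: wipe whatever the
    # previous message left behind in this slave.
    %State = ( parts => 0, named => 0 );
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    # Called once per MIME part; tally what we see for filter_end.
    $State{parts}++;
    $State{named}++ if defined $fname && $fname ne '';
    return action_accept();
}

sub filter_end {
    my ($entity) = @_;
    # INPUTMSG in the slave's working directory is the message as received,
    # so its size on disk is the message size.
    my $size = -s './INPUTMSG';
    $size = 0 unless defined $size;

    action_add_header('X-Parts-Seen',
                      "$State{parts} parts, $State{named} with a filename");
    if ($size >= $ArchiveLimit) {
        add_recipient($ArchiveAddr);
        md_syslog('info', "copying $size-byte message to $ArchiveAddr");
    }
}

1;   # a filter file must return true
```

The reset in filter_begin is the part people forget: without it, a slave that handled a ten-part message earlier reports stale counts on the next one it processes.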


Re: [Mimedefang] DoS??

2005-10-17 Thread Steffen Kaiser

On Mon, 17 Oct 2005, [EMAIL PROTECTED] wrote:


Anyway.. helpful hint: rsync or otherwise mirror your whitelists to a
local nameserver as much as possible, if you handle more than a decent
amount of email. And run a caching nameserver on every mailserver.


The DNS servers in question are local, just another subnet.  A local


Then it is not local -- for the services on the mail server :-)


The jammed up IP stack even was causing problems connecting to the CanIt
database server occasionally.


I do not suppose that the stack is jammed as a whole, but rather the queue of the 
ethernet card, right? So using a DNS cache on localhost would definitely 
help to keep the IP stack OK.


Actually, I saw a benefit in having a local DNS cache in the past, 
because our mail server had rejected mails even to itself, as it 
couldn't verify its own domain via DNS.


Bye,

--
Steffen Kaiser


[Mimedefang] Fprotd problems and patch

2005-10-19 Thread Steffen Kaiser

Hello,

f-protd (daemonized F-Prot) has a quirk.

The scanner returns these result codes:

#  0  Not scanned, unable to handle the object.
#  1  Not scanned due to an I/O error.
#  2  Not scanned, as the scanner ran out of memory.
#  3  X   The object is not of a type the scanner knows. This
# may  either mean it was misidentified or that it is
# corrupted.
#  4  X   The object was valid, but encrypted and  could  not
# be scanned.
#  5  Scanning of the object was interrupted.
#  7  X   The  object was identified as an "innocent" object.
#  9  X   The object was successfully scanned and nothing was
# found.
#  11 The object is infected.
#  13 The object was disinfected.

Now I found a reason why code #0 is not acceptable to be blocked by the 
server: the code is triggered by compiled Java classes (*.class).


I have therefore changed the logic of mimedefang.pl in order to assume the 
same behaviour of code 0 as code 3 -- corrupt or unknown archive.

Code 3 is also returned by some binary text file, like Word .doc.

Maybe it would be good to have a user-controlled way to react to the 
return codes, because:


- fprotd cannot scan directories as a whole, but you have to feed it one file 
after another, therefore there is a loop to do so.
- when one item is triggering "not ok" (whatever the reason), the loop is 
terminated and the non-ok value is returned.
- So when you have one item of code 0 (until now it returns "tempfail"), 
message_contains_virus() returns (900, "cannot-execute", "tempfail")


If you let it pass, because of code 900 (actually, the code is the scanner 
code + 900), there might be some not scanned items, because the loop had 
been terminated.


So, I would suggest revamping all the scanner code, at least for those 
scanners that recurse the Work directory themselves, to:


a) use the same recursion code, and
b) either:
b1) scan all items and score the results, e.g.:
ok -> score 0
suspicious -> score 1
quarantine -> score 10
virus -> score 100
and return the result with the highest score. (Actually one can break when 
the maximal score had been found).


b2) Don't score the result by the code in mimedefang.pl at all, but by a 
user-supplied function - with defaults, if none is supplied. The easiest 
method would be to have a global array - one needs to define such an array 
only for those scanners which are installed, hence there should be no 
memory overhead.


b3) Add a "mixed-result" code, which contains all results of all items, 
maybe compressed, like: return code OK had been found three times, 
tempfail because of code 0 five times, and so on.


Actually, I'd prefer implementing variant 2, because it might open up a 
more generic handling of unknown attachments, e.g. when the virus scanner 
returns code 0 (unknown), one could bounce the message with the text 
"Invalid attachment, retransmit wrapped up in a ZIP archive".
Well, I do not scan archives at all, so they would pass and will be scanned 
by the virus scanner on the computer of the recipient, if the sender 
retries at all.


Any opinions?

Bye,

--
Steffen Kaiser

fprotd_code0.patch.gz
Description: F-protd code0 patch
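Variant b1 above (scan everything, score each result, return the highest) is small enough to write out in full. The script below is an added example, not the poster's attached patch and not mimedefang.pl's own scanner code: the result codes are the ones listed in the message, but which code maps to which of the four scores is this example's own choice (scanner failures are rated "quarantine"), and the three scanned items are constructed:

```perl
#!/usr/bin/perl
# Added example, not from the post or the attached patch: variant b1 from
# the message as a standalone function. Every item of the Work directory is
# scanned, each f-protd result code becomes a score, the highest score
# decides, and the per-code counts give the "mixed result" summary of b3.
# The code list is the one from the message; which code gets which score is
# this example's choice, with scanner failures rated 'quarantine'.
use strict;
use warnings;

my %Score = (
    0  => 1,    # not scanned, unable to handle (the *.class case)
    1  => 10,   # I/O error
    2  => 10,   # out of memory
    3  => 1,    # unknown or corrupted type (e.g. some .doc files)
    4  => 1,    # encrypted, could not be scanned
    5  => 10,   # scanning interrupted
    7  => 0,    # innocent object
    9  => 0,    # scanned, nothing found
    11 => 100,  # infected
    13 => 100,  # disinfected, i.e. it was infected when it arrived
);
my %Label = (0 => 'ok', 1 => 'suspicious', 10 => 'quarantine', 100 => 'virus');
my $MaxScore = 100;

# $results: arrayref of [ path, code ] pairs, one per scanned item, in the
# order the recursion produced them. Returns the worst score, its label,
# the items that produced it, and a per-code count over everything seen.
sub aggregate_scan {
    my ($results) = @_;
    my ($worst, @culprits, %by_code) = (0);
    for my $item (@$results) {
        my ($path, $code) = @$item;
        my $s = exists $Score{$code} ? $Score{$code} : 10;   # unknown code: error
        $by_code{$code}++;
        if ($s > $worst) {
            ($worst, @culprits) = ($s, $path);
        } elsif ($s == $worst && $s > 0) {
            push @culprits, $path;
        }
        last if $worst >= $MaxScore;   # nothing can beat a virus hit
    }
    my $summary = join ', ',
        map { "code $_ x$by_code{$_}" } sort { $a <=> $b } keys %by_code;
    return ($worst, $Label{$worst}, \@culprits, $summary);
}

# Constructed scan of a three-part message.
my @results = (
    [ 'Work/msg-1/part-1.class', 0 ],
    [ 'Work/msg-1/part-2.doc',   3 ],
    [ 'Work/msg-1/part-3.txt',   9 ],
);
my ($score, $label, $culprits, $summary) = aggregate_scan(\@results);
print "result: $label (score $score)\n";
print "caused by: $_\n" for @$culprits;
print "items seen: $summary\n";
```

Because the loop only stops early at the maximal score, a message whose first part is merely unscannable still has its remaining parts scanned, which is the gap the message points out in the current early-return loop.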


Re: [Mimedefang] Sendmail filter problems

2005-10-24 Thread Steffen Kaiser

On Mon, 24 Oct 2005, Ross wrote:


[EMAIL PROTECTED] wrote:



Ross, can you post your sendmail.mc in its entirety?



As requested:


Missing "dnl"s at the end of the lines may cause strange side effects; 
try to correct your .mc file by adding a dnl to all lines.


e.g.:

define(`confRELAY_MAILER', `esmtp')
define(`RELAY_MAILER_ARGS', `TCP $h 24')

dnl #
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:5m')

(maybe, I missed some others)

Also:

dnl #
dln # temporarily on while setting up server.

  ^^ typo!

FEATURE(`accept_unresolvable_domains')dnl


Bye,

--
Steffen Kaiser


Re: [Mimedefang] Bare returns in message body

2005-11-10 Thread Steffen Kaiser

On Wed, 9 Nov 2005, Jan Pieter Cornet wrote:


Here's (imo) the fundamental problem here: the mimedefang filter is not
given the same message that end user sees... lone CR characters will be
removed from it (line ending CRLF will also be converted by sendmail
or the local delivery agent to just LF, that's not the point).


You can rebuild the message when SuspiciousCharsInBody is true; then the 
message you filter in MIMEDefang is the same as the message the client 
sees.


This is a good thing anyway, probably, because MIME-tools reacts to 
ill-formatted MIME mails differently than a MUA possibly does. So you 
cannot be sure that both implementations see the message the same way.


Bye,

--
Steffen Kaiser


Re: [Mimedefang] Bare returns in message body

2005-11-18 Thread Steffen Kaiser

On Thu, 17 Nov 2005, Aleksandar Milivojevic wrote:

If any of $SuspiciousCharsIn* are true, I'm doing (as one of the first things 
in filter_begin, even before checking for viruses):

action_quarantine_entire_message('descriptive msg');
return action_bounce('descriptive msg');


I did so for some time, too, but had to disable it, because some 
(important) people are subscribed to some CVS-has-changed notification 
lists which send embedded CRs and NULs. The sender was complaining that 
I'm the only person who thinks the mails are bad. (Well, I would probably 
react this way as well, if I'd get only one reply.) I bet that they have 
some newline problem (Mac vs. Unix vs. Windows), because these are huge 
projects they are working within, so someone probably checks in the files 
inconsistently.


Since then I bounce on SuspiciousCharsInHeader only and treat them as 
"infected by malware". No complaints since then.


Bye,

--
Steffen Kaiser
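The two "Bare returns" posts above describe two policies: rebuild on a suspicious body so the filter and the recipient see the same message, and bounce on suspicious headers. The filter_begin below is an added example (not either poster's own filter) that puts them side by side; $SuspiciousCharsInHeader and $SuspiciousCharsInBody are set by mimedefang.pl before filter_begin runs, and action_rebuild, action_quarantine_entire_message, action_bounce and md_syslog are MIMEDefang filter API calls:

```perl
# Added mimedefang-filter fragment, not the posters' own filters: the two
# policies from this thread side by side. $SuspiciousCharsInHeader and
# $SuspiciousCharsInBody are set by mimedefang.pl before filter_begin runs;
# action_rebuild, action_quarantine_entire_message, action_bounce and
# md_syslog are MIMEDefang filter API calls.
sub filter_begin {
    if ($SuspiciousCharsInHeader) {
        # Bare CR or NUL in the headers: treated as malware, as the second
        # post describes, so keep a copy for inspection and refuse it.
        action_quarantine_entire_message('Suspicious characters in message headers');
        return action_bounce('Suspicious characters in message headers');
    }
    if ($SuspiciousCharsInBody) {
        # Bare CR or NUL in the body also occurs in broken but wanted mail
        # (the CVS notifications mentioned): let it through, but force a
        # rebuild so what the filter examined is what the recipient gets.
        md_syslog('info', 'suspicious characters in body, rebuilding message');
        action_rebuild();
    }
}
```

The header case returns early so no later check in filter_begin runs on a message that is already bounced; the body case deliberately falls through to whatever checks follow.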


Re: [Mimedefang] Debugging slaves that die

2005-11-24 Thread Steffen Kaiser

On Thu, 24 Nov 2005, Roland Pope wrote:

Actually, I do like debugging my scripts and seeing what's going on in there.

I used to do the following when I tested my filter's _begin/../end stage 
heavily:


I've added this code into the filter:

action_quarantine_entire_message("Message quarantined for TESTING purposes");

# Copy every plain file of the slave's working directory (COMMANDS,
# HEADERS, INPUTMSG, ...) into the quarantine directory, so that
# mimedefang.pl can later be re-run against it under the debugger.
get_quarantine_dir();
foreach my $fnam (glob('*')) {
    if (-f $fnam && !-e "$QuarantineSubdir/$fnam") {
        if (open(OUT, ">$QuarantineSubdir/$fnam")) {
            if (open(IN, $fnam)) {
                while (<IN>) {
                    print OUT;
                }
                close IN;
            }
            close OUT;
        }
    }
}

The "foreach" loop makes sure that all files are available in the quarantine 
directory, incl. COMMANDS, which is essential.


Then you can check the filter doing this:

$ cd $QuarantineSubdir
$ rm -r RESULTS Work
$ perl -d mimedefang.pl -f filter $(pwd)

c do_scan
c filter_begin

... do the debugging

q

$ test -f RESULTS && cat RESULTS || echo no results

However, if you do not check the logic of the filter itself, but some 
general problem, you must be aware that you debug as the defang user (which 
the daemon runs as), that you cannot emulate the timings, and that a slave may 
have leftover values from a previous run.


Bye,

--
Steffen Kaiser


Re: [Mimedefang] upgrade mimedefang to 2.54 failed with error

2005-11-24 Thread Steffen Kaiser

On Thu, 24 Nov 2005, [EMAIL PROTECTED] wrote:


Dear List,

I tried to upgrade mimedefang to 2.54.
while running ./configure i got the following error message:
configure: WARNING: Oops.. I couldn't find libmilter/mfapi.h.  Please install
Sendmail 8.12

It's odd because I've got sendmail 8.13.4 compiled with milter support??


Do you mean that you've compiled sendmail yourself?


can anyone suggest a fix?



Conf:
Debian Sarge 3.1a + sendmail 8.13.4 + clamd 0.87 + SA 3.0.3 + mimedefang 2.51

(is there a simple way to upgrade?? or should I go through the whole process
of configure, make, make install...etc.??)


If you use the Debian packages, you need to install the milter-dev 
package:


#  apt-cache search milter
amavisd-new-milter - Interface between sendmail-milter and amavisd-new
dcc-milter - Distributed Checksum Clearinghouse - sendmail milter plugin
libmail-milter-perl - Perl extension modules for mail filtering via milter
libmilter-dev - Sendmail Mail Filter API (Milter)
libmilter0 - Sendmail Mail Filter API (Milter)
libsendmail-milter-perl - Interface to Sendmail's Mail Filter API
libsendmail-pmilter-perl - A Perl implementation of the Sendmail Milter protocol

sendmail-doc - powerful, efficient, and scalable Mail Transport Agent
spamass-milter - sendmail milter for filtering mail through spamassassin
clamav-milter - antivirus scanner for sendmail

# apt-get install libmilter-dev

Bye,

--
Steffen Kaiser


Re: Even sillier disclaimers (was Re: [Mimedefang] defang startuperrors)

2005-12-12 Thread Steffen Kaiser

On Mon, 12 Dec 2005, David F. Skoll wrote:


Todd Aiken wrote:


Ignore the text that follows this disclaimer which says that all
disclaimers in the above text are NULL AND VOID and that they can be
ignored.  That disclaimer is false-the above is true.


Well! :-) We have an arms race, then.  I'll change my disclaimer


Maybe it depends very much on the local laws, but there was a decision of 
a German court: when two "standard disclaimers" (aka "general terms and 
conditions" -- at least that's what DICT translates the German term into: 
http://dict.leo.org/?search=agb) declare each other void, both are void.


Bye,

--
Steffen Kaiser
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: Even sillier disclaimers (was Re: [Mimedefang] defang startuperrors)

2005-12-12 Thread Steffen Kaiser

On Tue, 13 Dec 2005, Steffen Kaiser wrote:

Um, I forgot to mention that such nullifications, when they are part of 
general terms, are void by themselves anyway.


Bye,

--
Steffen Kaiser


[Mimedefang] Multiple From addresses

2005-12-13 Thread Steffen Kaiser

Hello,

today I received a SPAM that puzzled me, because it displayed _two_ 
addresses in the From: field. Checking the log, that was caused by a 
malformed From: line, as the comment part didn't quote the comma; so I 
checked RFC822 sec 4.4.1, where the plural is used, hence it is legal to 
specify multiple From addresses.


However, I grepped all mails I could get my hands on and found NO single valid mail 
with two From addresses, hence it's a SPAM indicator; has anyone 
stumbled across a valid mail with multiple From's, or perhaps someone uses 
this "feature" himself?


Bye,

--
Steffen Kaiser
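The malformed From: line described above can be reproduced with the address parser MIMEDefang already has on hand. The script below is an added example (not the poster's code): it counts the mailboxes in a From: value with Mail::Address from MailTools, which MIME-tools depends on; the three header values are constructed, and the second one is the unquoted-comma case from the post:

```perl
#!/usr/bin/perl
# Added example, not from the post: count the mailboxes in a From: header
# with Mail::Address (MailTools, which MIME-tools depends on) and show how
# an unquoted comma in the display name makes one mailbox parse as a list,
# which is the malformed case the post describes. Header values constructed.
use strict;
use warnings;
use Mail::Address;

# Return the bare addresses found in one header value, in order.
sub from_addresses {
    my ($header_value) = @_;
    $header_value = '' unless defined $header_value;
    return map { $_->address } Mail::Address->parse($header_value);
}

my @samples = (
    '"Doe, John" <john.doe@example.com>',   # quoted display name: one mailbox
    'Doe, John <john.doe@example.com>',     # unquoted comma: parses as a list
    'a@example.com, b@example.com',         # two genuine mailboxes (RFC 822 allows it)
);
for my $h (@samples) {
    my @a = from_addresses($h);
    printf "%-38s -> %d mailbox(es): %s\n", $h, scalar @a, join(' | ', @a);
}
```

Inside a filter the same function can be run in filter_end on `$entity->head->get('From', 0)` and the count recorded with action_add_header rather than used to reject, since RFC 822 does allow the plural even though, as the post found, real mail almost never uses it.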


Re: [Mimedefang] Greylisting

2005-12-14 Thread Steffen Kaiser

On Wed, 14 Dec 2005, Kenneth Porter wrote:

help a small company server. Perhaps a distributed greylist DB? Sort of like 
a DNSBL but with white-listing. MD could store the successful entries in a 
zone and we could publish our zones for others to use.


OK, how to keep the "Bad Guys" out?

You're required to build up a trust system, then.

Bye,

--
Steffen Kaiser


Re: [Mimedefang] Greylisting

2005-12-15 Thread Steffen Kaiser

On Wed, 14 Dec 2005, Kenneth Porter wrote:

--On Thursday, December 15, 2005 8:15 AM +0100 Steffen Kaiser <[EMAIL PROTECTED]> wrote:



OK, how to keep the "Bad Guys" out?

You're required to build up a trust system, then.


Right, but we already do that with black lists.


Which had listed a major German freemail hoster regularly some months ago, 
so that I had to whitelist their IPs.


In contrast to blacklisting, where the sender can act upon a failure and 
the (probably queued) mails reach the recipient eventually, you want to 
prevent the mail from being delivered, e.g.:


0) Zombie network prepares to submit SPAM messages,
1) half of the network lists the other half into the whitelist DNSBL,
2) the other half pushes out the SPAM.

You cannot do anything, because the SPAM is already delivered.
Unlike with blacklisting, where you can manage a _late_ delivery, you 
cannot "undeliver" a message.


Hence, you (or "one") have to trust the Whitelist DB more than you need to 
trust a Blacklist DB.


Bye,

--
Steffen Kaiser


Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Steffen Kaiser

On Thu, 15 Dec 2005, David F. Skoll wrote:


Jan Pieter Cornet wrote:


An easier solution might be to have a process tail(1) your logfile and
take action on the information there. I think I've even seen something
like that: more than x invalid recipients, and you're firewalled away.


That's much easier.  I have a script I run for a similar purpose:  It
firewalls off anyone who attempts to log in via SSH with an invalid
password.  There are lots of SSH brute-forcers around.


After reading these two paragraphs a worry struck me:

In contrast to SSH connections you cannot assume that the attacker sits on 
"the other side" of an SMTP communication. Maybe the server just relays 
the mail or is a huge mail hoster (say, hotmail, gmail, aol); you cannot 
firewall them off just because one black sheep is abusing the service?!
Will you really try to distinguish between home/zombie senders and huge relay 
systems, esp. because you do not have any headers to take into account?


Actually, there was a patch for sendmail posted to comp.mail.sendmail for 
a feature "drop connection if number of bad recipients exceeds n". 
http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/5203bd02a5d9f8f3


Bye,

--
Steffen Kaiser


Re: [Mimedefang] That .com extension

2006-01-04 Thread Steffen Kaiser

On Tue, 3 Jan 2006, Joseph Brennan wrote:


WSJ.com - Cutting Hedge_ Law Firm Grows With Funds.pdf

It must be because of the ".com " in the name.

Why do we not just test the value of lc($ext), rather than pass the
entire entity to filter_bad_filename?  Is there some form of obfuscation
in which the filename could be WSJ.com followed by random text?


This is in order to prevent using a partial name, when using invalid MIME 
syntax, e.g.:


Content-Type: application/octet-stream;
 filename=WSJ.com - Cutting Hedge_Law Firm Grows With Funds.pdf

Note the missing quotes of the filename tag.

There are reports that some MUAs ignore the text after the ".com" part 
and, hence, would treat the attachment as executable file.


MIMEDefang does not know whether there are quotes or not, hence it 
assumes that there are none.


Bye,

--
Steffen Kaiser
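The reasoning above (a client that stops reading an unquoted filename at the first space sees "WSJ.com", so the filter must consider every such prefix, and it cannot tell whether quotes were present) can be made concrete. The script below is an added example, not the poster's code and not MIMEDefang's own re_match or filter_bad_filename: its parameter parser, the prefix enumeration and the short extension list are this example's own, and the two header values are constructed from the filename in the thread:

```perl
#!/usr/bin/perl
# Added example, not the poster's or MIMEDefang's code: why the whole
# parameter value must be checked rather than lc($ext) alone. With an
# unquoted filename a broken client may stop at the first space, so every
# prefix ending at whitespace is a name some client might act on. The
# header values and the extension list are constructed for this example.
use strict;
use warnings;

my $bad_exts = qr/\.(?:exe|com|bat|scr|pif|vbs)$/i;

# Extract a parameter from a raw Content-Type/Content-Disposition value.
# Returns (value, was_quoted); handles the valid quoted form and the
# invalid unquoted form seen in the wild.
sub param_value {
    my ($header, $param) = @_;
    return ($1, 1) if $header =~ /;\s*\Q$param\E\s*=\s*"([^"]*)"/i;
    return ($1, 0) if $header =~ /;\s*\Q$param\E\s*=\s*([^;]*?)\s*(?:;|$)/i;
    return;
}

# Names a client could derive from an unquoted value: the full string plus
# every prefix that ends right before a run of whitespace.
sub candidate_names {
    my ($value) = @_;
    my @names = ($value);
    while ($value =~ /\s+/g) {
        push @names, substr($value, 0, $-[0]);
    }
    return grep { length } @names;
}

# $trust_quotes = 0 reproduces the situation described in the post, where
# the filter cannot see whether the parameter was quoted and assumes not.
sub risky_names {
    my ($header, $trust_quotes) = @_;
    my ($value, $quoted) = param_value($header, 'filename');
    ($value, $quoted) = param_value($header, 'name') unless defined $value;
    return () unless defined $value;
    my @names = ($quoted && $trust_quotes) ? ($value) : candidate_names($value);
    return grep { $_ =~ $bad_exts } @names;
}

my $pdf = 'WSJ.com - Cutting Hedge_ Law Firm Grows With Funds.pdf';
my @headers = (
    qq{application/octet-stream; name="$pdf"},   # valid, quoted
    qq{application/octet-stream; name=$pdf},     # invalid, unquoted
);
for my $h (@headers) {
    for my $trust (1, 0) {
        my @hits = risky_names($h, $trust);
        printf "%-8s trust_quotes=%d -> %s\n",
            ($h =~ /name="/ ? 'quoted' : 'unquoted'), $trust,
            (@hits ? join(' | ', map { "'$_'" } @hits) : 'nothing flagged');
    }
}
```

Only the quoted header with quotes trusted comes out clean; in the other three runs the prefix "WSJ.com" is flagged, which is the false positive the thread is about and the price of not knowing whether the quotes were there.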

