Re: [Mimedefang] $helo is empty!
From an earlier post. Note that recent versions of MIMEDefang don't pass $helo in filter_relay; you need to do HELO checks in filter_sender.

Yang
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDEFANG NOT TAGGING
Hi,

You didn't say what OS you are running, but for RH or FC, you need to set MX_LOG=yes in /etc/sysconfig/mimedefang.

Yang
Re: [Mimedefang] Custom Configuration
> Relaying based on FROM: (envelope sender information) is dangerous as it
> can be easily faked.
>
> Alexander

Argh, you are right, it's actually easier to fake message headers than envelope headers; I'm only making trouble for myself doing this.

Thanks,
Yang
Re: [Mimedefang] Custom Configuration
Kevin,

It worked like a charm, great. One question for you. I guess this is more of a sendmail question than MIMEDefang. In the access table I added

    From:localhost.mydomain.com RELAY
    From:mydomain.com REJECT

since this is the incoming MX host, I don't expect any valid sender from the internal domain. Do you see any potential problems with this? i.e. emails generated from the localhost etc.

Thanks,
Yang
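As an added example (not from the thread or from any of the posters), here is the access file the question above describes, with the envelope-sender keyed RELAY line beside the connection keyed form that Alexander's "easily faked" remark in the follow-up points at. The internal network 192.0.2.0/24 and the domain names are placeholders, and it assumes FEATURE(`access_db') is present in the .mc file.

```text
# /etc/mail/access  (rebuild the map with: makemap hash /etc/mail/access < /etc/mail/access)

# Weak: keys the relay decision on MAIL FROM, which any client can type.
# An outsider that says "MAIL FROM:<anything@localhost.mydomain.com>" gets
# to relay through this host to any destination.
#From:localhost.mydomain.com   RELAY

# Corrected: key relaying on the connecting address, which the client
# cannot choose. Local submissions and the internal LAN (placeholder) only.
Connect:127.0.0.1              RELAY
Connect:192.0.2                RELAY

# Inbound MX only: no legitimate outside sender uses our domain in
# MAIL FROM, so refuse it. Subdomains such as localhost.mydomain.com
# match this entry too.
From:mydomain.com              REJECT
```

Connect: entries decide relaying; they do not exempt a client from the From: lookup in check_mail, so a local daemon that submits by SMTP through this same listener with an internal envelope sender is refused as well. Mail injected with /usr/sbin/sendmail on the command line never passes check_mail, and bounces carry the null sender, so neither is affected. Test one local SMTP submission with an internal sender before relying on it.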
Re: [Mimedefang] Custom Configuration
Kevin,

That's very good, thanks a lot, I will give it a try.

Yang
Re: [Mimedefang] Custom Configuration
On Fri, 12 Nov 2004 09:48:02 -0500, Kevin A. McGrail <[EMAIL PROTECTED]> wrote:
> Aleksander is exactly right but I would do one thing differently. I use the
> code/idea that Brian Landers wrote to create an access file for sendmail for
> the LDAP work. We enhanced it and it's very stable and in place on multiple
> servers now for almost a year.
>
> http://www.peregrinehw.com/downloads/ldap/
>
> Basics behind it are to connect to an LDAP server every five minutes and
> generate an access.db file that sendmail can use to deny recipients
> without calling a milter, etc.

I took a rough look at the script. I wonder how I should modify it to work with our AD LDAP, something like this?

    our $filter = "(&(proxyAddresses=smtp:$recipient))";

The reason being we have 2 domains and each user is allowed two forms of email address in each domain, [EMAIL PROTECTED], [EMAIL PROTECTED], and they are stored in proxyAddresses.

Part of my sendmail-rx.mc file:

---BEGIN
dnl
define(`confRUN_AS_USER',`smmsp:smmsp')dnl Drop privileges (see SECURITY NOTE)
define(`confPID_FILE', `/var/run/sendmail-rx.pid')dnl Non-default pid file
define(`STATUS_FILE', `/etc/mail/stat-rx')dnl Non-default stat file
define(`QUEUE_DIR', `/var/spool/mqueue-rx')dnl Non-default queue area
define(`confQUEUE_SORT_ORDER',`Modification')dnl Modif or Random are reasonable
dnl Match the number of queue runners (R=) to the number of amavisd-new child
dnl processes ($max_servers). 2 to 7 OK, 10 is plenty, 20 is too many
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue-rx, R=2, F=f')dnl
dnl Direct all mail to be forwarded to amavisd-new at 127.0.0.1:10024
FEATURE(stickyhost)dnl Keep envelope addr "[EMAIL PROTECTED]" when fwd to MAIL_HUB
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl Forward all local mail to amavisd
define(`SMART_HOST',`esmtp:[127.0.0.1]')dnl Forward all other mail to amavisd
define(`confDELIVERY_MODE',`q')dnl Delivery mode: queue only (a must,
dnl ... otherwise the advantage of this setup of being able to specify
dnl ... the number of queue runners is lost)
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl To tcp port 10024 instead of 25
MODIFY_MAILER_FLAGS(`ESMTP', `+z')dnl Speak LMTP (this is optional)
define(`SMTP_MAILER_MAXMSGS',`10')dnl Max no. of msgs in a single connection
define(`confTO_DATAFINAL',`20m')dnl 20 minute timeout for content checking
define(`confSMTP_LOGIN_MSG', `Howdie v4.12 $d')dnl Fake ESMTP Server Message
define(`HELP_FILE',`/etc/nohelp')dnl Disable Help command totally
DAEMON_OPTIONS(`Name=MTA-RX')dnl Daemon name used in logged messages
dnl MIMEDefang Milter Definitions
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:360s;R:360s;E:15m')
define(`confINPUT_MAIL_FILTERS', `mimedefang')
dnl Disable local delivery, as all local mail will go to MAIL_HUB
undefine(`ALIAS_FILE')dnl No aliases file, all local mail goes to MAIL_HUB
define(`confFORWARD_PATH')dnl Empty search path for .forward files
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
undefine(`DECNET_RELAY')dnl
MAILER(smtp)
END

I had to comment out the run-as smmsp line or mimedefang won't be able to access the queue. Everything works fine until DATA; it looks like mimedefang just dies when trying to write the queue.

Many thanks,
Yang
[Mimedefang] Custom Configuration
Hi all,

I'm using amavisd-new and Maia as the web interface so that users can easily manage their w/b lists and spam/virus/attachment settings. However, I would still like to use MIMEDefang for:

1. Envelope/header checking in filter_recipient(): reject anyone who claims to be sending from the internal domain.
2. LDAP lookup on RCPT TO: verify valid mailbox before accepting data.

but not anything else, because I want amavisd-new to handle spam and virus checking. Is this possible? And how should I go about it?

Many thanks,
Yang
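An added example, not from the thread, from MIMEDefang or from the peregrinehw.com script discussed in the reply, of item 2 above done directly in filter_recipient(): accept RCPT TO only when the address appears in Active Directory's proxyAddresses, and answer TEMPFAIL rather than accept or reject when the directory cannot be reached. It assumes Net::LDAP is installed, that the host, base DN and bind account shown are placeholders you replace, and that AD matches proxyAddresses case-insensitively so "smtp:" also finds the "SMTP:" primary entry. The point worth taking from it is escape_filter_value(): the raw interpolation in the "(&(proxyAddresses=smtp:$recipient))" filter from the reply lets a recipient string rewrite the LDAP query.

```perl
# Added example for the RCPT TO lookup in the post above; not code from
# MIMEDefang, amavisd-new or the LDAP-to-access.db script in the reply.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholders: your domain controller, search base and a read-only
# service account.
my $LDAP_HOST = 'dc1.ad.example.com';
my $LDAP_BASE = 'DC=ad,DC=example,DC=com';
my $LDAP_BIND = 'CN=mailcheck,OU=Service Accounts,DC=ad,DC=example,DC=com';
my $LDAP_PASS = 'change-me';

# Domains this MX accepts mail for (placeholders).
my %LOCAL_DOMAINS = map { $_ => 1 } qw(mydomain.com otherdomain.com);

# Strip the angle brackets sendmail leaves on envelope addresses and fold
# case; returns undef when the address is not in one of our domains.
sub normalise_local_address {
    my ($addr) = @_;
    $addr =~ s/^<//;
    $addr =~ s/>$//;
    $addr = lc $addr;
    my ($user, $domain) = split /\@/, $addr, 2;
    return undef unless defined $domain && $LOCAL_DOMAINS{$domain};
    return "$user\@$domain";
}

# Build the AD search filter. escape_filter_value() is the important part:
# a recipient such as "x*)(objectClass=*" must not reshape the query.
sub proxy_address_filter {
    my ($addr) = @_;
    return '(proxyAddresses=smtp:' . escape_filter_value($addr) . ')';
}

# Returns 1 when a mailbox exists, 0 when not, undef on directory error.
sub ad_has_mailbox {
    my ($addr) = @_;
    my $ldap = Net::LDAP->new($LDAP_HOST, timeout => 5) or return undef;
    my $mesg = $ldap->bind($LDAP_BIND, password => $LDAP_PASS);
    return undef if $mesg->code;
    $mesg = $ldap->search(
        base      => $LDAP_BASE,
        scope     => 'sub',
        filter    => proxy_address_filter($addr),
        attrs     => ['proxyAddresses'],
        sizelimit => 1,
    );
    my $found = $mesg->code ? undef : ($mesg->count ? 1 : 0);
    $ldap->unbind;
    return $found;
}

# MIMEDefang entry point; needs recipient checking enabled in the
# mimedefang startup options (MX_RECIPIENT_CHECK on RH/FC style sysconfig).
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    my $addr = normalise_local_address($recipient);
    # Not one of our domains: leave the decision to sendmail's relay rules.
    return ('CONTINUE', 'ok') unless defined $addr;

    my $found = ad_has_mailbox($addr);
    if (!defined $found) {
        # Fail closed but retryable: a directory outage must not turn this
        # MX into an accept-everything or reject-everything host.
        md_syslog('warning', "LDAP lookup failed for $addr; tempfailing");
        return ('TEMPFAIL', 'Directory temporarily unavailable, try again later');
    }
    return ('REJECT', 'User unknown') unless $found;
    return ('CONTINUE', 'ok');
}
```

The same normalise/escape/lookup trio is what the access.db generator in the reply would need when it is adapted to proxyAddresses; doing it per RCPT in the milter trades the five-minute staleness of a generated map for one directory round trip per recipient, which is the cost Ian's objection later in the thread is about.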
[Mimedefang] graphmimedefang problem
Hi all,

I get this error message from graphmimedefang:

    Processing data file: /var/log/maillog
    0 new log lines processed
    No valid mimedefang logs in /var/log/maillog at /var/www/html/defang/graphdefang.pl line 88.

I see a lot of MDLOG entries in my maillog like this:

    Nov 5 16:07:46 mfilter1 mimedefang.pl[10469]: MDLOG,iA5L7gh5011964,spam,6.

Please help.

Yang
[Mimedefang] Virus Alert gets marked as Spam
Hi all,

I'm using MIMEDefang with SpamAssassin. First, what function generates the Virus Alert? I can't find it anywhere in mimedefang-filter, so I guess it's one of the action_ thingies? And all the Virus Alerts get marked as Spam by SpamAssassin, which is kind of annoying. Here's what I want to do with $FoundVirus:

if ($FoundVirus) {
    md_graphdefang_log('virus', $VirusName, $RelayAddr);
    md_syslog('warning', "Discarding because of virus $VirusName");
    # $Sender and @Recipients are the globals MIMEDefang sets for filter_end
    action_notify_administrator("Virus $VirusName found in message from $Sender to " . join(', ', @Recipients));
    action_quarantine_entire_message("Virus $VirusName found in message.");
    return action_discard();
}

According to the documentation, action_quarantine_entire_message($message) should send the administrator the $message. But it's not working, neither is action_notify_administrator($). But I'm getting

    VIRUS ALERT: $VirusName

Then SpamAssassin butchers it:

    [Pssible SPAM (8.33)]: VIRUS ALERT: Worm.Bagle.AU

as the subject of emails sent by the defang user. Confused.

Thanks,
Yang
[Mimedefang] Re: Frustration...
Hi,

As a fellow newbie, I have struggled to get everything working for the past two weeks as well, and I can see you are having some of the same problems I had (still having), so here's my $0.02, hope it helps, and for the experts out there, please correct me if I'm wrong with any of my assumptions!

I'm using SpamAssassin, MIMEDefang, and MailScanner with ClamAV.

As for writing custom SpamAssassin rules, it's basically Perl RegEx, and if you are too lazy to do it yourself, look here:
http://wiki.apache.org/spamassassin/WritingRules
and here:
http://wiki.apache.org/spamassassin/CustomRulesets

I find the custom rulesets quite useful, such as bigevil and anti-drug; they have the rules for what you have mentioned. Download them and drop them in /etc/mail/spamassassin, that's all you need to do.

IMHO, MIMEDefang is useful in a much different way, such as the filter_sender and filter_recipient functions, which enable you to do a lot of different checks before any messages are even accepted.

As for MailScanner, I like its ability to convert dangerous HTML and JavaScript code and strip it. I think MIMEDefang does this as well, but I haven't looked into it yet; if that's the case, I need to find a reason to run MailScanner at all.

Yang
Re: [Mimedefang] Spamassassinreport.txt
Got it, many thanks!

Yang
[Mimedefang] Spamassassinreport.txt
Hi,

What do I need to do to replace the actual email message body with the SpamAssassinReport.txt and send the spam message body as an attachment? I had it working for a while but now it forwards the spam and sends the report as an attachment. Please help.

Yang
Re: [Mimedefang] 'service mimedefang status' returns "multiplexor dead but pid file exists"
Is the mimedefang-multiplexor.sock in the /var/spool/MIMEDefang/ dir? Or check wherever you configured the socket to be.

Yang
[Mimedefang] I'm going crazy
Hi all,

I don't know what I did, but this is what's happening to me:

1. SpamAssassin no longer prepends the Subject line even though I told it to in local.cf
2. Spam score mismatch in headers.
3. Spam gets delivered as it is but the SpamAssassin report was sent as an attachment instead of the other way around!

Please help. This is my setup:

Fedora Core 2
SpamAssassin 3
Mimedefang 3.48
ClamAV 0.8

Many Thanks!
Yang

---Sample Mail Header
Received: from mail.domain.com (192.168.2.111 [192.168.2.111]) by mail.ohpp.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72)
    id VLSN5ZAB; Tue, 2 Nov 2004 17:18:09 -0500
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.192]) by mail.domain.com (8.12.11/8.12.11) with ESMTP id iA2MJBU5021808
    for <[EMAIL PROTECTED]>; Tue, 2 Nov 2004 17:19:13 -0500
Received: by wproxy.gmail.com with SMTP id 66so89085wri
    for <[EMAIL PROTECTED]>; Tue, 02 Nov 2004 14:19:07 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references;
    b=EFkIA1O6m6xKEFDXjFBPzrUROzzjTFvbnmXvPhQb+9qzLdDugN4g7dnGN+K2d10tX93Y+wwPC5goJ51JN9DL9sucPQ5hitkLZjzs4jqdzra8KHM/9blM5etbiu3k7wACwaDMKX9UVAsIuiBb5CsGlkQsrlnwPMFFw/1TLQ4J60k=
Received: by 10.54.50.22 with SMTP id x22mr134736wrx; Tue, 02 Nov 2004 14:19:06 -0800 (PST)
Received: by 10.54.22.65 with HTTP; Tue, 2 Nov 2004 14:19:06 -0800 (PST)
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 2 Nov 2004 17:19:06 -0500
From: Yang Xiao <[EMAIL PROTECTED]>
Reply-To: Yang Xiao <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Fwd: Congratulations
In-Reply-To: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_1099433954-21740-0"
References: <[EMAIL PROTECTED]>
X-Spam-Score: ** (6.309) BILLION_DOLLARS,DEAR_SOMETHING,FROM_ENDS_IN_NUMS,NIGERIAN_BODY1,NIGERIAN_BODY2
X-Scanned-By: MIMEDefang 2.48 on 192.168.2.111
X-Virus-Scanned: ClamAV 0.80/569/Tue Nov 2 14:14:23 2004 clamav-milter version 0.80j on mail.domain.com
X-Virus-Status: Clean
X-Spam-Status: No, score=3.1 required=5.0 tests=ALL_TRUSTED,BILLION_DOLLARS,
    DEAR_SOMETHING,FROM_ENDS_IN_NUMS,NIGERIAN_BODY1,NIGERIAN_BODY2,
    RCVD_BY_IP autolearn=no version=3.0.1
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on mail.domain.com

This is a multi-part message in MIME format...

----=_1099433954-21740-0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

----=_1099433954-21740-0
Content-Type: text/plain; name="SpamAssassinReport.txt"
Content-Disposition: inline; filename="SpamAssassinReport.txt"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.415 (Entity 5.415)
Re: [Mimedefang] Re: VERY Newbie Question
OK, this is what I have come up with so far:

1. Check for anybody who claims to be from mydomain.com in the HELO line
2. Check for RCPT TO anyone in mydomain.com
3. $helo doesn't match $ip

#***
# %PROCEDURE: filter_sender
# %DESCRIPTION:
# Check whether HELO claims to be from internal domain and reverse DNS
# lookup doesn't check
#***
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    return ('CONTINUE', "OK") if ($ip eq "127.0.0.1");
    if ($helo =~ /mydomain\.com$/i) {
        return ('REJECT', "We Don't Like Spammers, Go Away!!!.");
    }
    # Only compare HELO with the client IP when HELO is itself an IP
    # literal; a plain "$ip ne $helo" would reject every hostname HELO.
    elsif ($helo =~ /^\[?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]?$/
           && $helo !~ /^\[?\Q$ip\E\]?$/) {
        return ('REJECT', "You are not who you say you are.");
    }
    else {
        return ('CONTINUE', "OK");
    }
}

#***
# %PROCEDURE: filter_recipient
# %DESCRIPTION:
# Check whether MAIL FROM claims to be from internal domain
#***
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    # the internal domain in this pattern was redacted to [EMAIL PROTECTED] in the archive
    if ($sender =~ /[EMAIL PROTECTED]>?$/i) {
        return ('REJECT', "Service Not Available.");
    }
    return ('CONTINUE', "ok");
}

I'm just concerned that the reverse DNS lookup would reject too many legit emails.

Many Thanks,
Yang
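An added example, not code from the thread or from MIMEDefang's own filter, that puts the three checks listed above together with an allow list of internal networks, so that a relay whose HELO name differs from its reverse DNS (the concern raised about this check later in the thread) is not rejected, while a HELO that is an IP literal for a different address is. The domain mydomain.com, the 192.0.2.0/24 LAN and the decision helpers are assumptions; md_syslog() is the logging call MIMEDefang provides to the filter.

```perl
# Added example for the filter_sender / filter_recipient checks in the
# post above; not MIMEDefang's own code. Placeholders: mydomain.com,
# 192.0.2.0/24 (RFC 5737) as the internal LAN.
use strict;
use warnings;

my $INTERNAL_DOMAIN = 'mydomain.com';
# Assumed: hosts that may legitimately present our domain in HELO / MAIL FROM.
my @INTERNAL_NETS = ('127.0.0.0/8', '192.0.2.0/24');

# Pack a dotted quad into a 32-bit integer; undef for anything malformed.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return undef if grep { $_ > 255 } ($1, $2, $3, $4);
    return ($1 << 24) | ($2 << 16) | ($3 << 8) | $4;
}

# True when $ip falls inside one of the a.b.c.d/nn blocks.
sub ip_is_internal {
    my ($ip) = @_;
    my $n = ip_to_int($ip);
    return 0 unless defined $n;
    for my $block (@INTERNAL_NETS) {
        my ($net, $bits) = split m{/}, $block;
        my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return 1 if (($n & $mask) == (ip_to_int($net) & $mask));
    }
    return 0;
}

# Check 1: HELO names our domain or a host under it.
sub helo_claims_internal {
    my ($helo) = @_;
    return $helo =~ /(^|\.)\Q$INTERNAL_DOMAIN\E$/i ? 1 : 0;
}

# Check 3, done safely: compare only when HELO is a bare IP or an
# address literal, so hostnames that differ from reverse DNS are left alone.
sub helo_literal_mismatch {
    my ($ip, $helo) = @_;
    (my $literal = $helo) =~ s/^\[(.*)\]$/$1/;   # "[192.0.2.10]" -> "192.0.2.10"
    return 0 unless defined ip_to_int($literal);
    return $literal ne $ip ? 1 : 0;
}

# Check 2: envelope sender in our domain or a subdomain of it.
sub sender_claims_internal {
    my ($sender) = @_;
    (my $addr = $sender) =~ s/^<(.*)>$/$1/;
    return 0 if $addr eq '';                    # null sender (bounces) is never ours
    return $addr =~ /\@([^@]+\.)?\Q$INTERNAL_DOMAIN\E$/i ? 1 : 0;
}

# Pure decision functions so the policy can be exercised outside sendmail.
# Each returns ('CONTINUE' | 'REJECT', $message).
sub decide_sender {
    my ($ip, $helo) = @_;
    return ('CONTINUE', 'ok') if ip_is_internal($ip);
    if (helo_claims_internal($helo)) {
        return ('REJECT', "HELO $helo not allowed from $ip");
    }
    if (helo_literal_mismatch($ip, $helo)) {
        return ('REJECT', "HELO $helo does not match connecting address $ip");
    }
    return ('CONTINUE', 'ok');
}

sub decide_recipient {
    my ($sender, $ip) = @_;
    return ('CONTINUE', 'ok') if ip_is_internal($ip);
    return ('REJECT', 'Sender address not accepted from outside')
        if sender_claims_internal($sender);
    return ('CONTINUE', 'ok');
}

# MIMEDefang entry points; sender and recipient checking must be switched
# on in the mimedefang startup options for these to be called at all.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    my ($verdict, $msg) = decide_sender($ip, $helo);
    md_syslog('info', "filter_sender: $ip helo=$helo -> $verdict") if $verdict ne 'CONTINUE';
    return ($verdict, $msg);
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo, @rest) = @_;
    my ($verdict, $msg) = decide_recipient($sender, $ip);
    md_syslog('info', "filter_recipient: $ip from=$sender -> $verdict") if $verdict ne 'CONTINUE';
    return ($verdict, $msg);
}
```

decide_recipient is the milter equivalent of a From:mydomain.com REJECT entry in sendmail's access file, with the difference that the internal network list exempts your own relays; the HELO and envelope sender are still attacker chosen, as the thread says, so these checks stop impersonation of your own domain from outside and nothing more. Put a line such as `$helo =~ s/^\s+//;` in front of the checks if your sendmail passes HELO with surrounding whitespace, and check the decision helpers with a few (ip, helo) pairs from your own logs before enabling the filter.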
Re: [Mimedefang] VERY Newbie Question
On Fri, 29 Oct 2004 17:42:36 +0200, Alexander Dalloz <[EMAIL PROTECTED]> wrote:
> On Fri, 29.10.2004 at 15:54, Yang Xiao wrote:
>
> > Hi,
> > I found out that the filter_sender() function will be enabled if I
> > turn the MX_SENDER_CHECK option on. I was just wondering where should
> > I put it and how to use it.
>
> For you as a Fedora user it has to be activated in
> /etc/sysconfig/mimedefang.
>
> > I got to read the man pages more carefully.
> > As for the usefulness of the code sample, I think it at least gets rid
> > of half of the problem, and spammers can still forge the MAIL FROM
> > header if he uses a legit HELO. So the problem is, how do you check
> > the MAIL FROM header then?
>
> Both HELO and MAIL FROM can be easily forged. The question is, what do
> you want to prohibit? Often a combination of tests is needed to properly
> detect spamming attempts and to not reject valid senders.
>
> One test which stops quite some guys at the front door is the following:
>
> #***
> # %PROCEDURE: filter_relay
> # %DESCRIPTION:
> # Check whether helo fits with hosts IP address.
> #***
> sub filter_relay {
>     my ($ip, $name, $helo, $RelayAddr) = @_;
>     # Check if IP correlates to given HELO (only when HELO is a bare IP)
>     if (($helo =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) &&
>         ($ip ne $helo)) {
>         md_syslog('warning', "Header forgery attempt: $ip claims to be $helo");
>         return ('REJECT', "Header forgery attempt, $ip claims to be $helo");
>     }
>     return ('CONTINUE', 'ok');
> }
>
> > Yang
>
> Alexander
>

Alex,

Good to see you here. Won't this check generate a lot of false positives if the sending host has a hostname that's different from its public DNS name? I have had several mail hosts like this in places I've worked before; it's not because we are lazy or careless, but because it's very hard to change the hostname for various reasons.

But as to my problem, I just want to stop anybody from sending to the mail gateway as local domain users because it's an incoming spam filter mail host. I guess I would just need to check for the MAIL FROM header somewhere? But where should I implement this check in MIMEDefang? And do you see any scenario in which it will break anything?

Thanks,
Yang
Re: [Mimedefang] VERY Newbie Question
On Fri, 29 Oct 2004 15:33:32 +0200, Paul Pries <[EMAIL PROTECTED]> wrote:
> Ian Mitchell wrote:
>
> >> Ok, for something like this, a sample function on the FAQ site that
> >> filters HELO line
> >>
> >> How do I integrate this into the filter file ?
> >
> > I'm not sure that I would. Sendmail has the capability to limit
> > connections based on where the IPs come from (outside of the HELO which
> > can be spoofed). You can limit based on relaying (access_db) or you can
> > actually limit based on connections (tcp_wrappers). There are actually many
> > different ways that this can be accomplished without the need for using
> > expensive resources by having mimedefang catch it. Think of it this way:
> > if you have your mimedefang process scanning for it, then the child
> > processes for your mimedefang/spamassassin/virus scanner could potentially
> > all be called for a connection you're just going to drop anyway (depending
> > on how you put together your filter), when sendmail could easily make a call
> > to tcpd and determine it's not legitimate and kill it right away. Not a
> > problem with only a few connections, but what happens if you get hit by a
> > spam bot that is attempting hundreds or thousands or more connections
> > close together from all different IPs?
>
> That is correct, but I don't think that is what the meaning of the code
> snippet is. This piece of code is to reject mail that comes from someone
> impersonating your domain, that is an external source saying it is internal.
>
> I use almost the same setup here...
>
> --
>
> Paul Pries

Hi,

I found out that the filter_sender() function will be enabled if I turn the MX_SENDER_CHECK option on. I was just wondering where I should put it and how to use it. I've got to read the man pages more carefully.

As for the usefulness of the code sample, I think it at least gets rid of half of the problem, and spammers can still forge the MAIL FROM header if they use a legit HELO. So the problem is, how do you check the MAIL FROM header then?

Many Thanks,
Yang
[Mimedefang] VERY Newbie Question
Hi all,

I'm a little confused as to how to insert a custom function into the filter. Can someone please give me a pointer or two? OK, for something like this, a sample function on the FAQ site that filters the HELO line:

sub filter_sender {
    my ($sender, $ip, $name, $helo) = @_;
    # current MIMEDefang expects the string verdicts 'CONTINUE'/'REJECT'
    # rather than the older 1/0 return values of the FAQ sample
    return ('CONTINUE', "OK") if ($ip eq "127.0.0.1");   # no further checking if localhost
    # HELO claims abc.com (or a host under it) but the client is not in 123.123.123.0/24
    if ($helo =~ /(^|\.)abc\.com$/i) {
        if ($ip !~ /^123\.123\.123\./) {
            return ('REJECT', "Connect rejected - $ip is not abc.com");
        }
    }
    return ('CONTINUE', "OK");
}

How do I integrate this into the filter file?

Many thanks, flames ok too.
Yang
[Mimedefang] HELP: filter_sender() not working
Hi all,

I modified the filter_sender() function shown in the man page:

#
# Filter Sender who says they are OHPP.COM
#
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    if ($helo =~ /ohpp\.com$/i) {
        # the verdicts must be quoted strings; bare REJECT / CONTINUE
        # are barewords and fail under "use strict" in mimedefang-filter
        return ('REJECT', "goaway.");
    }
    return ('CONTINUE', "OK");
}

This is not working, can someone please help?

Many thanks!
Yang