Re: [Mimedefang] Question for the HOWTO page
On Tue, 2006-01-31 at 12:33, Philip Prindeville wrote:
> The variable would be set so that the gate chosen would continue to be the
> current behavior.
>
> I.e.
>
> my $extreme_paranoia = 0;
>
> ...
> if ($extreme_paranoia == 1) {
>     # bounce it with a warning...
> } elsif ($extreme_paranoia == 2) {
>     # silently drop it...
> } else {
>     # default: flag the spam
> }
>
> Just to include the code in the template, so it offers some alternatives
> that could be turned on.

I'm paranoid about dropping legitimate email. Your variable settings
are backwards. Or maybe it should have a different name...

--
Les Mikesell
[EMAIL PROTECTED]

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] Question for the HOWTO page
Paul Murphy wrote:
> The stock filter has a non-dangerous set of defaults. If the change you
> proposed was included in the stock filter, many sites would be bouncing
> important files with no indication to the recipient that anything was going
> wrong. By all means do it in your own filter, but leave the stock filter
> alone.

I wasn't proposing changing the stock behavior.

I was suggesting including a 2- or 3-way switch controlled by a variable
that allowed the behavior to be made more or less permissive, and have
it controlled by a variable.

The variable would be set so that the gate chosen would continue to be the
current behavior.

I.e.

    my $extreme_paranoia = 0;

    ...
    if ($extreme_paranoia == 1) {
        # bounce it with a warning...
    } elsif ($extreme_paranoia == 2) {
        # silently drop it...
    } else {
        # default: flag the spam
    }

Just to include the code in the template, so it offers some alternatives
that could be turned on.

-Philip

RE: [Mimedefang] Question for the HOWTO page
Philip,

> I was wondering about making the following
> change to the stock mimedefang-filter:
>
>     if (filter_bad_filename($entity)) {
>         md_graphdefang_log('bad_filename', $fname, $type);
>         # return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
>         return action_bounce("Message rejected; an attachment named $fname of\ndubious nature was found in this message.\nContact the postmaster if this was a legitimate transfer.\n");
>     }
>
> Or we could make the code switched on a variable, such as
> "$extreme_paranoia" ;-)

These are policy decisions, which vary enormously from one site to another.
Most people will have to edit the stock filter in several places to reflect
their policy - for example I reject (5xx) incoming spam rather than bouncing
it (in most cases it came from a zombie PC or open relay, so why waste my
bandwidth sending a bounce?). Others will insist that it has to be a bounce,
others still want it to be flagged but delivered, and so on.

The stock filter has a non-dangerous set of defaults. If the change you
proposed was included in the stock filter, many sites would be bouncing
important files with no indication to the recipient that anything was going
wrong. By all means do it in your own filter, but leave the stock filter
alone.

Best Wishes,
Paul.

Re: [Mimedefang] Question for the HOWTO page
Hmmm... I'm running a Linux shop here, so rarely does anyone send
me legitimately a .exe or .pif file.

I was wondering about making the following change to the stock
mimedefang-filter:

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        # return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
        return action_bounce("Message rejected; an attachment named $fname of\ndubious nature was found in this message.\nContact the postmaster if this was a legitimate transfer.\n");
    }

Or we could make the code switched on a variable, such as
"$extreme_paranoia" ;-)

Ditto for flagging and delivering suspected spam versus bouncing it.

-Philip

Re: [Mimedefang] Question for the HOWTO page
On Sun, 29 Jan 2006, Philip Prindeville wrote:

> Does everyone use the built-in scoring, or do they write their own?

I use a combination of both (and I suspect most longtime MD/SA users do
also). Furthermore, in my local sa-mimedefang.cf file I have both rulesets
that I came up with, and some from sites like this one:

http://www.rulesemporium.com/rules.htm

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

We flag at 5 and reject at 9.1.

Jim McCullars
University of Alabama in Huntsville

Re: [Mimedefang] Question for the HOWTO page
--On Sunday, January 29, 2006 11:41 -0700 Philip Prindeville
<[EMAIL PROTECTED]> wrote:

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

Of course.

    $names =~ s/,/ /g;
    if ($hits >= 8.0) {
        md_graphdefang_log('spam', "$hits $names", $RelayAddr);
        action_bounce("This appeared to be spam");
    }

Choose your own threshold and your own message.

We change commas to spaces in $names for the sake of the log. By
logging the score and the names, we can more easily assess the problem
in cases of legit mail that got rejected.

We also assign points and names to a few things more easily checked
in Mimedefang, like bogus Helo strings or no reverse DNS. If $hits
has reached 8.0 before we run the SA tests, we can skip SA.

Joseph Brennan
Columbia University Information Technology

Re: [Mimedefang] Question for the HOWTO page
More confusion...

Ok, I used the *CHARSET_FARAWAY tests with scores of 5.0 in the
previous email.

Then I ran a message with:

    Content-Type: text/plain; charset="ISO-8859-9"

even though my "ok_locales en fr" are set (so tr isn't included).

Didn't see any CHARSET_FARAWAY matches.

For both "en" and "fr", ISO-8859-1 or "ASCII" should be the only
two character sets, right?

What am I missing?

-Philip

Re: [Mimedefang] Question for the HOWTO page
So, did the message attached below fire up because it contained
the words "porn" and "viagra"?

Does that mean that not only spam, but talking about spam, is
subject to filtration? ;-)

I was going to try the config below... I'll see how it works.

I ran the spamassassin -t -x test that's in the HOWTO, but I think it
generates different results by hand than when run out of MdF.

Not sure why. Will dig deeper.

-Philip

    # Needed when calling SpamAssassin from within MdF
    remove_header all Report

    required_hits 5

    # languages...
    ok_locales en fr

    # used by CJK
    score HTML_COMMENT_8BITS      1.5

    # gibberish
    score CHARSET_FARAWAY         5.0
    score CHARSET_FARAWAY_HEADER  5.0
    score HTML_CHARSET_FARAWAY    5.0
    score MIME_CHARSET_FARAWAY    5.0
    score UNWANTED_LANGUAGE_BODY  5.0

    # malformed
    score MIME_BASE64_TEXT        5.0

    # shouting
    score UPPERCASE_75_100        2.0
    score MANY_EXCLAMATIONS       2.5
    score PLING_PLING             2.0
    score SUBJ_ALL_CAPS           1.5

    # machines with bogus clocks
    score DATE_IN_FUTURE_12_24    2.0
    score DATE_IN_FUTURE_24_48    2.5
    score DATE_IN_FUTURE_48_96    3.0
    score DATE_IN_FUTURE_96_XX    3.25
    score DATE_IN_PAST_96_XX      3.0

Re: [Mimedefang] Question for the HOWTO page
On Sun, 2006-01-29 at 14:30, Philip Prindeville wrote:
> Les Mikesell wrote:
>
> >I reject values that can only be reached by my local settings
> >for viagra/porn, and send the rest through with the score
> >value arranged for easy individual filtering (the asterisk list
> >as the first thing in the header).
> >
>
> Can you post your configs and diffs?

I don't think anyone would want to duplicate it exactly, but
sa-mimedefang.cf has things like:

    whitelist_from *.microsoft.com

and

    score ADULT_SITE 100
    score SUBJ_VIAGRA 100

and mimedefang-filter has

    sub filter_end ($) {
        my($entity) = @_;

        return if message_rejected();

        # Spam checks if SpamAssassin is installed
        if ($Features{"SpamAssassin"} && !relayIsTrusted($RelayAddr)) {
            if (-s "./INPUTMSG" < 100*1024) {
                # Only scan messages smaller than 100kB. Larger messages
                # are extremely unlikely to be spam, and SpamAssassin is
                # dreadfully slow on very large messages.
                my($hits, $req, $names, $report) = spam_assassin_check();
                my($score);
                if ($hits < 40) {
                    $score = "*" x int($hits);
                } else {
                    $score = "*" x 40;
                }
                ## drop if SA score over 100
                if ($hits > 100) {
                    md_graphdefang_log('spam', $hits, $RelayAddr);
                    md_syslog('warning', "Discarding because of spam score hits");
                    action_bounce("Message screened as spam, please rephrase");
                    return action_discard();
                }
                if ($hits >= $req) {
                    action_change_header("X-Spam-Score", "$hits ($score) $names");
                    ### note local header here with *'s only
                    action_change_header("X-FS-Spam-Score", "$score");
                    md_graphdefang_log('spam', $hits, $RelayAddr);
                    action_add_part($entity, "text/plain", "-suggest",
                                    "$report\nX-FS-Spam-Score: $score",
                                    "SpamAssassinReport.txt", "inline");
                } else {
                    # Delete any existing X-Spam-Score header?
                    action_delete_header("X-Spam-Score");
                }
            }
        }
    }   # end of filter_end (closing brace missing from the posted excerpt)

The relayIsTrusted subroutine was posted by someone a long time
ago and contains a list of local addresses where the spam
scan can be skipped.

--
Les Mikesell
[EMAIL PROTECTED]

This mail is probably spam. The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future. See http://spamassassin.org/tag/ for more details.

Content preview: On Sun, 2006-01-29 at 14:30, Philip Prindeville wrote:
  > Les Mikesell wrote: > > >I reject values that can only be reached by
  my local settings > >for viagra/porn, and send the rest through with
  the score > >value arranged for easy individual filtering (the asterisk
  list > >as the first thing in the header). > > > > Can you post your
  configs and diffs? [...]

Content analysis details: (94.60 points, 5 required)

    IN_REP_TO          (-0.5 points)   Has a In-Reply-To header
    REFERENCES         (-0.5 points)   Has a valid-looking References header
    EMAIL_ATTRIBUTION  (-0.5 points)   BODY: Contains what looks like an email attribution
    ADULT_SITE         (100.0 points)  BODY: Possible porn - Adult Web Sites
    QUOTED_EMAIL_TEXT  (-0.5 points)   BODY: Contains what looks like a quoted email text
    REPLY_WITH_QUOTES  (-0.5 points)   Reply with quoted text
    USER_AGENT_XIMIAN  (-2.9 points)   Headers indicate a non-spam MUA (Ximian)

X-FS-Spam-Score:

Re: [Mimedefang] Question for the HOWTO page
Les Mikesell wrote:

> I reject values that can only be reached by my local settings
> for viagra/porn, and send the rest through with the score
> value arranged for easy individual filtering (the asterisk list
> as the first thing in the header).

Can you post your configs and diffs?

-Philip

Re: [Mimedefang] Question for the HOWTO page
On Sun, 2006-01-29 at 12:41, Philip Prindeville wrote:
> Does everyone use the built-in scoring, or do they write their own?

I used the sa-mimedefang.cf file to whitelist some known
business-related senders and bump up the scoring on viagra
and porn related items to unrealistically high values.

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

I reject values that can only be reached by my local settings
for viagra/porn, and send the rest through with the score
value arranged for easy individual filtering (the asterisk list
as the first thing in the header).

--
Les Mikesell
[EMAIL PROTECTED]

Re: [Mimedefang] Question for the HOWTO page
Does everyone use the built-in scoring, or do they write their own?

I can see how, at the very least, you'd want to configure your set
of ok_locales for SA.

Perhaps the MdF (RPM) distribution could contain a set of sample
sa-mimedefang.cf.example files?

Also, instead of flagging spam, what about just rejecting the email in
filter_end() if SA reports too high a probability of it being spam?

The system-wide checks could be a set of inoffensive checks that
everyone agrees are highly reliable.

-Philip

Ratware and failures (was Re: [Mimedefang] Question for the HOWTO page)
Philip Prindeville wrote:

> Why? Well, if the ratware sees enough rejections, I'm hoping they
> will eventually decide that it's not worth the resources to try to send
> me mail and will eventually delete me from their mailing list.

Very unlikely. In my experience, spammers don't bother cleaning their
lists. Heck, greylisting is still effective after three years, so that
should tell you something about how ratware deals with failures.

> I'm running FC3, and modified spamassassin and sendmail, the latter
> as:

> INPUT_MAIL_FILTER(`mimdefang',
> `S=local:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamassassin/sock,
> F=, T=C:15m;S:4m;R:4m;E:10m')

Is there a reason you don't call SpamAssassin from within MIMEDefang?
Just curious; it seems to me it's easier to code business logic in Perl
than as a sequence of milters.

Regards,

David.

RE: [Mimedefang] Question for the HOWTO page
> From: Philip Prindeville
> Sent: Tuesday, January 24, 2006 5:09 PM
>
> I was wondering if we could update the HOWTO pages to describe
> installing Mimedefang and Spamassassin both on a system, so that
> the former is run, then the latter, on incoming email.
>
> I'd like to be able to reject mail that fails certain tests, like
> containing Hebrew, Cyrillic, and Han character sets (for instance)...
> rather than accepting it and marking it as spam.

Since you can coax SA to tag e-mails that have unacceptable languages and
locales ... why not just run SA from MdF directly, and then look at the
result (the tags) returned by SA?

I don't know if the SA protocol will give you those tags directly, but it
wouldn't be difficult pulling them from the headers. For example,

    X-Spam-Score: 11.565 (***) CHARSET_FARAWAY_HEADER,FORGED_HOTMAIL_RCVD,
        FORGED_RCVD_HELO,SPF_HELO_SOFTFAIL,SPF_SOFTFAIL,
        UNWANTED_LANGUAGE_BODY,URIBL_JP_SURBL
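
An added example, not from any poster or from the MIMEDefang distribution: a stand-alone Perl sketch of the idea in the message above, pulling the score and rule names out of an X-Spam-Score value of the form shown and mapping them to a tag/reject decision. The thresholds 5 and 9.1 are the ones quoted earlier in the thread; the names `parse_spam_score` and `decide`, the `%reject_rules` set and the sample values are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Thresholds quoted in the thread ("flag at 5 and reject at 9.1").
my $TAG_AT    = 5.0;
my $REJECT_AT = 9.1;

# Assumption: rule names this site rejects on by themselves, whatever the
# total score (the charset/language tests discussed in the thread).
my %reject_rules = map { $_ => 1 } qw(
    CHARSET_FARAWAY CHARSET_FARAWAY_HEADER UNWANTED_LANGUAGE_BODY
);

# Parse "11.565 (***) RULE_A,RULE_B" into (score, [rule names]).
# Returns an empty list on no match, so a malformed value is never
# mistaken for a score of 0.
sub parse_spam_score {
    my ($value) = @_;
    return unless defined $value;
    $value =~ s/\r?\n[ \t]+/ /g;    # unfold header continuation lines
    return unless $value =~ /^\s*(-?\d+(?:\.\d+)?)\s+\(\**\)\s*(.*?)\s*$/s;
    my ($score, $names) = ($1, $2);
    my @rules = grep { /^[A-Z0-9_]+$/ } split /\s*,\s*/, $names;
    return ($score, \@rules);
}

# Map a parsed result to 'accept', 'tag', 'reject' or 'unparsed'.
sub decide {
    my ($score, $rules) = @_;
    return 'unparsed' unless defined $score;
    return 'reject' if grep { $reject_rules{$_} } @$rules;
    return 'reject' if $score >= $REJECT_AT;
    return 'tag'    if $score >= $TAG_AT;
    return 'accept';
}

# Constructed sample header values (not taken from real mail).
my @samples = (
    "11.565 (***********) CHARSET_FARAWAY_HEADER,FORGED_RCVD_HELO,\n\tSPF_SOFTFAIL",
    "6.2 (******) FORGED_HOTMAIL_RCVD,SPF_HELO_SOFTFAIL",
    "5.1 (*****) UNWANTED_LANGUAGE_BODY",
    "-1.9 () REFERENCES,IN_REP_TO",
    "not a score header",
);

for my $value (@samples) {
    my ($score, $rules) = parse_spam_score($value);
    (my $shown = $value) =~ s/\s+/ /g;
    printf "%-8s %s\n", decide($score, $rules), $shown;
}
```

Inside mimedefang-filter the values returned by spam_assassin_check(), as in the filter_end posted in this thread, can be fed to the same decision after splitting $names on commas. A header is only worth parsing when it is known to have been written by your own scanner, since a sender can supply an X-Spam-Score line of their own.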