Re: [Mimedefang] Question for the HOWTO page

2006-01-31 Thread Philip Prindeville

Paul Murphy wrote:

> The stock filter has a non-dangerous set of defaults.  If the change you
> proposed was included in the stock filter, many sites would be bouncing
> important files with no indication to the recipient that anything was going
> wrong.
>
> By all means do it in your own filter, but leave the stock filter alone.

I wasn't proposing changing the stock behavior.  I was suggesting including a
2- or 3-way switch controlled by a variable that allowed the behavior to be made
more or less permissive, and have it controlled by a variable.

The variable would be set so that the gate chosen would continue to be the
current behavior.

I.e.

    my $extreme_paranoia = 0;

    ...
    if ($extreme_paranoia == 1) {
        # bounce it with a warning...
    } elsif ($extreme_paranoia == 2) {
        # silently drop it...
    } else {
        # default: flag the spam
    }

Just to include the code in the template, so it offers some alternatives that
could be turned on.

-Philip

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Question for the HOWTO page

2006-01-31 Thread Les Mikesell
On Tue, 2006-01-31 at 12:33, Philip Prindeville wrote:

> The variable would be set so that the gate chosen would continue to be the
> current behavior.
>
> I.e.
>
> my $extreme_paranoia = 0;
>
> ...
> if ($extreme_paranoia == 1) {
>     # bounce it with a warning...
> } elsif ($extreme_paranoia == 2) {
>     # silently drop it...
> } else {
>     # default: flag the spam
> }
>
> Just to include the code in the template, so it offers some alternatives that
> could be turned on.

I'm paranoid about dropping legitimate email.  Your
variable settings are backwards.  Or maybe it should have
a different name...

-- 
 Les Mikesell
   [EMAIL PROTECTED]



Re: [Mimedefang] Question for the HOWTO page

2006-01-30 Thread Joseph Brennan



--On Sunday, January 29, 2006 11:41 -0700 Philip Prindeville [EMAIL PROTECTED] wrote:

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?



Of course.

    # Replace commas with spaces for the sake of the log.
    $names =~ s/,/ /g;

    if ($hits >= 8.0) {
        md_graphdefang_log('spam', "$hits $names", $RelayAddr);
        action_bounce("This appeared to be spam");
    }

Choose your own threshold and your own message.  We change commas to
spaces in $names for the sake of the log.  By logging the score and
the names, we can more easily assess the problem in cases of legit mail
that got rejected.

We also assign points and names to a few things more easily checked
in Mimedefang, like bogus Helo strings or no reverse DNS.  If $hits
has reached 8.0 before we run the SA tests, we can skip SA.

Joseph Brennan
Columbia University Information Technology



Re: [Mimedefang] Question for the HOWTO page

2006-01-30 Thread Jim McCullars


On Sun, 29 Jan 2006, Philip Prindeville wrote:

> Does everyone use the built-in scoring, or do they write their own?

   I use a combination of both (and I suspect most longtime MD/SA users do
also).  Furthermore, in my local sa-mimedefang.cf file I have both
rulesets that I came up with, and some from sites like this one:

http://www.rulesemporium.com/rules.htm

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

   We flag at 5 and reject at 9.1.

Jim McCullars
University of Alabama in Huntsville
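
The two replies above describe a reject threshold with the score and rule names logged, cheap local checks that can make the SpamAssassin run unnecessary, and a flag-at-5 / reject-at-9.1 split. The sketch below is an added example, not code from any poster or from MIMEDefang: `local_score`, `disposition`, the `on_reject` switch, the `LOCAL_*` names and their weights are hypothetical, and the sample messages are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# flag_at / reject_at are the thresholds one poster quotes; on_reject is a
# hypothetical switch: 'tag' (permissive default), 'bounce' or 'discard'.
my %policy = (flag_at => 5.0, reject_at => 9.1, on_reject => 'tag');

# Hypothetical cheap local checks with constructed weights.
sub local_score {
    my (%conn) = @_;
    my ($hits, @names) = (0);
    if ($conn{bogus_helo}) { $hits += 5.0; push @names, 'LOCAL_BOGUS_HELO' }
    if ($conn{no_rdns})    { $hits += 4.5; push @names, 'LOCAL_NO_RDNS' }
    return ($hits, @names);
}

# Returns (action, log text). $sa stands in for the SpamAssassin call and is
# only invoked when the local score alone has not reached reject_at.
sub disposition {
    my ($policy, $sa, %conn) = @_;
    my ($hits, @names) = local_score(%conn);
    if ($hits < $policy->{reject_at}) {
        my ($sa_hits, $sa_names) = $sa->();
        $hits += $sa_hits;
        push @names, split /,/, $sa_names;   # names arrive comma-separated
    }
    my $action = $hits >= $policy->{reject_at} ? $policy->{on_reject}
               : $hits >= $policy->{flag_at}   ? 'tag'
               :                                 'deliver';
    return ($action, sprintf('%.1f %s', $hits, join(' ', @names)));
}

my $sa_runs = 0;
my @samples = (   # constructed messages: [label, connection facts, SA result]
    ['newsletter', {},                                [1.2,  'HTML_MESSAGE']],
    ['borderline', { no_rdns => 1 },                  [2.0,  'SUBJ_ALL_CAPS,PLING_PLING']],
    ['ratware',    { bogus_helo => 1, no_rdns => 1 }, [12.0, 'UNUSED']],
);
for my $mode (qw(tag bounce)) {
    for my $s (@samples) {
        my ($label, $conn, $sa_result) = @$s;
        my ($action, $log) = disposition({ %policy, on_reject => $mode },
                                         sub { $sa_runs++; @$sa_result }, %$conn);
        printf "%-7s %-11s %-8s %s\n", $mode, $label, $action, $log;
    }
}
print "SpamAssassin stand-in ran $sa_runs times for 6 messages\n";
```

In a real filter_end() the returned action would select between action_bounce, action_discard or a header change, and the log text would be what goes to md_graphdefang_log.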



Re: [Mimedefang] Question for the HOWTO page

2006-01-30 Thread Philip Prindeville

Hmmm...  I'm running a Linux shop here, so rarely does anyone send me
legitimately a .exe or .pif file.  I was wondering about making the following
change to the stock mimedefang-filter:

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        # return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
        return action_bounce("Message rejected; an attachment named $fname of\ndubious nature was found in this message.\nContact the postmaster if this was a legitimate transfer.\n");
    }

Or we could make the code switched on a variable, such as $extreme_paranoia ;-)

Ditto for flagging and delivering suspected spam versus bouncing it.

-Philip



Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Philip Prindeville

Does everyone use the built-in scoring, or do they write their own?

I can see how, at the very least, you'd want to configure your set of
ok_locales for SA.

Perhaps the MdF (RPM) distribution could contain a set of sample
sa-mimedefang.cf.example files?

Also, instead of flagging spam, what about just rejecting the email in
filter_end() if SA reports too high a probability of it being spam?

The system-wide checks could be a set of inoffensive checks that
everyone agrees are highly reliable.

-Philip




Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Les Mikesell
On Sun, 2006-01-29 at 12:41, Philip Prindeville wrote:
> Does everyone use the built-in scoring, or do they write their own?

I used the sa-mimedefang.cf file to whitelist some known
business-related senders and bump up the scoring on
viagra and porn related items to unrealistically high
values.

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

I reject values that can only be reached by my local settings
for viagra/porn, and send the rest through with the score
value arranged for easy individual filtering (the asterisk list
as the first thing in the header).

-- 
  Les Mikesell
   [EMAIL PROTECTED]




Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Philip Prindeville

So, did the message attached below fire up because it contained the
words porn and viagra?  Does that mean that not only spam, but
talking about spam, is subject to filtration?  ;-)

I was going to try the config below...  I'll see how it works.

I ran the spamassassin -t -x test that's in the HOWTO, but I think it
generates different results by hand than when run out of MdF.  Not
sure why.  Will dig deeper.

-Philip


# Needed when calling SpamAssassin from within MdF
remove_header all Report

required_hits   5

# languages...
ok_locales      en fr

# used by CJK
score HTML_COMMENT_8BITS        1.5

# gibberish
score CHARSET_FARAWAY           5.0
score CHARSET_FARAWAY_HEADER    5.0
score HTML_CHARSET_FARAWAY      5.0
score MIME_CHARSET_FARAWAY      5.0

score UNWANTED_LANGUAGE_BODY    5.0

# malformed
score MIME_BASE64_TEXT          5.0

# shouting
score UPPERCASE_75_100          2.0
score MANY_EXCLAMATIONS         2.5
score PLING_PLING               2.0
score SUBJ_ALL_CAPS             1.5

# machines with bogus clocks
score DATE_IN_FUTURE_12_24      2.0
score DATE_IN_FUTURE_24_48      2.5
score DATE_IN_FUTURE_48_96      3.0
score DATE_IN_FUTURE_96_XX      3.25
score DATE_IN_PAST_96_XX        3.0



Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Philip Prindeville

More confusion...  Ok, I used the *CHARSET_FARAWAY tests with
scores of 5.0 in the previous email.  Then I ran a message with:

Content-Type: text/plain; charset=ISO-8859-9

even though my ok_locales en fr are set (so tr isn't included).

Didn't see any CHARSET_FARAWAY matches.  For both en and
fr, ISO-8859-1 or ASCII should be the only two character sets,
right?  What am I missing?

-Philip



RE: [Mimedefang] Question for the HOWTO page

2006-01-24 Thread Gary Funck

> From: Philip Prindeville
> Sent: Tuesday, January 24, 2006 5:09 PM
>
> I was wondering if we could update the HOWTO pages to describe
> installing Mimedefang and Spamassassin both on a system, so that
> the former is run, then the latter, on incoming email.
>
> I'd like to be able to reject mail that fails certain tests, like containing
> Hebrew, Cyrillic, and Han character sets (for instance)... rather than
> accepting it and marking it as spam.

Since you can coax SA to tag e-mails that have unacceptable
languages and locales ... why not just run SA from MdF directly,
and then look at the result (the tags) returned by SA?
I don't know if the SA protocol will give you those tags directly,
but it wouldn't be difficult pulling them from the headers.

For example,

 X-Spam-Score: 11.565 (***)
  CHARSET_FARAWAY_HEADER,FORGED_HOTMAIL_RCVD,FORGED_RCVD_HELO,SPF_HELO_SOFTFAIL,
  SPF_SOFTFAIL,UNWANTED_LANGUAGE_BODY,URIBL_JP_SURBL
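
Pulling the tags out of the header, as suggested in the message above, needs header unfolding before the rule names can be split. The following is an added example, not code from the poster or from MIMEDefang: the header text is the one quoted above, rejoined where the archive wrapped it; `parse_spam_header`, the `%reject_on` set and the `Subject:` line are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Header block as quoted in the message; the Subject line is constructed.
my $raw = <<'EOH';
X-Spam-Score: 11.565 (***)
 CHARSET_FARAWAY_HEADER,FORGED_HOTMAIL_RCVD,FORGED_RCVD_HELO,SPF_HELO_SOFTFAIL,
 SPF_SOFTFAIL,UNWANTED_LANGUAGE_BODY,URIBL_JP_SURBL
Subject: constructed sample
EOH

# Rules treated as "unwanted charset or language"; this selection is an
# assumption, taken from the rule names scored elsewhere in the thread.
my %reject_on = map { $_ => 1 } qw(
    CHARSET_FARAWAY CHARSET_FARAWAY_HEADER HTML_CHARSET_FARAWAY
    MIME_CHARSET_FARAWAY UNWANTED_LANGUAGE_BODY
);

# Returns { score => N, rules => [...] } or nothing if the header is absent
# or carries no numeric score.
sub parse_spam_header {
    my ($headers) = @_;
    # Unfold continuation lines: a line break followed by whitespace
    # continues the previous header field.
    (my $unfolded = $headers) =~ s/\r?\n[ \t]+/ /g;
    my ($value) = $unfolded =~ /^X-Spam-Score:[ \t]*(.*)$/mi or return;
    my ($score) = $value =~ /^(-?\d+(?:\.\d+)?)/ or return;
    # Keep only tokens shaped like rule names; drops the score and "(***)".
    my @rules = grep { /^[A-Z][A-Z0-9_]+$/ } split /[,\s]+/, $value;
    return { score => $score, rules => \@rules };
}

my $r = parse_spam_header($raw) or die "no usable X-Spam-Score header\n";
my @bad = grep { $reject_on{$_} } @{ $r->{rules} };
printf "score=%s, %d rules matched\n", $r->{score}, scalar @{ $r->{rules} };
print @bad ? "reject on: @bad\n" : "no charset/language rule matched\n";
```

Only a header written by your own SpamAssassin instance is meaningful here, so any copy of it that arrives with the message has to be removed before the scan adds its own.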




Ratware and failures (was Re: [Mimedefang] Question for the HOWTO page)

2006-01-24 Thread David F. Skoll
Philip Prindeville wrote:

> Why?  Well, if the ratware sees enough rejections, I'm hoping they
> will eventually decide that it's not worth the resources to try to send
> me mail and will eventually delete me from their mailing list.

Very unlikely.  In my experience, spammers don't bother cleaning
their lists.  Heck, greylisting is still effective after three years,
so that should tell you something about how ratware deals with failures.

> I'm running FC3, and modified spamassassin and sendmail, the latter
> as:
>
> INPUT_MAIL_FILTER(`mimdefang',
> `S=local:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamassassin/sock,
> F=, T=C:15m;S:4m;R:4m;E:10m')

Is there a reason you don't call SpamAssassin from within MIMEDefang?
Just curious; it seems to me it's easier to code business logic in
Perl than as a sequence of milters.

Regards,

David.