Re: [Mimedefang] Question for the HOWTO page

2006-01-31 Thread Les Mikesell
On Tue, 2006-01-31 at 12:33, Philip Prindeville wrote:

> The variable would be set so that the gate chosen would continue to be the
> current behavior.
> 
> I.e.
> 
> my $extreme_paranoia = 0;
> 
> ...
> if ($extreme_paranoia == 1) {
>  # bounce it with a warning...
> } elsif ($extreme_paranoia == 2) {
>  # silently drop it...
> } else {
>  # default: flag the spam
> }
> 
> Just to include the code in the template, so it offers some alternatives that
> could be turned on.

I'm paranoid about dropping legitimate email.  Your
variable settings are backwards.  Or maybe it should have
a different name...

-- 
 Les Mikesell
   [EMAIL PROTECTED]

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Question for the HOWTO page

2006-01-31 Thread Philip Prindeville

Paul Murphy wrote:

> The stock filter has a non-dangerous set of defaults.  If the change you
> proposed was included in the stock filter, many sites would be bouncing
> important files with no indication to the recipient that anything was going
> wrong.
>
> By all means do it in your own filter, but leave the stock filter alone.

I wasn't proposing changing the stock behavior.  I was suggesting including a
2- or 3-way switch controlled by a variable that allowed the behavior to be made
more or less permissive, and have it controlled by a variable.

The variable would be set so that the gate chosen would continue to be the
current behavior.

I.e.

my $extreme_paranoia = 0;

   ...
   if ($extreme_paranoia == 1) {
       # bounce it with a warning...
   } elsif ($extreme_paranoia == 2) {
       # silently drop it...
   } else {
       # default: flag the spam
   }

Just to include the code in the template, so it offers some alternatives that
could be turned on.

-Philip



RE: [Mimedefang] Question for the HOWTO page

2006-01-31 Thread Paul Murphy
Philip,

> I was wondering about making the following
> change to the stock mimedefang-filter:
> 
> if (filter_bad_filename($entity)) {
>     md_graphdefang_log('bad_filename', $fname, $type);
> #   return action_drop_with_warning("An attachment named $fname was removed from this document as it\n"
> #       . "constituted a security hazard.  If you require this document, please contact\n"
> #       . "the sender and arrange an alternate means of receiving it.\n");
>     return action_bounce("Message rejected; an attachment named $fname of\n"
>         . "dubious nature was found in this message.\n"
>         . "Contact the postmaster if this was a legitimate transfer.\n");
> }
> 
> 
> Or we could make the code switched on a variable, such as "$extreme_paranoia" ;-)

These are policy decisions, which vary enormously from one site to another.
Most people will have to edit the stock filter in several places to reflect
their policy - for example I reject (5xx) incoming spam rather than bouncing
it (in most cases it came from a zombie PC or open relay, so why waste my
bandwidth sending a bounce?).  Others will insist that it has to be a bounce,
others still want it to be flagged but delivered, and so on.

The stock filter has a non-dangerous set of defaults.  If the change you
proposed was included in the stock filter, many sites would be bouncing
important files with no indication to the recipient that anything was going
wrong.

By all means do it in your own filter, but leave the stock filter alone.

Best Wishes,

Paul.




Re: [Mimedefang] Question for the HOWTO page

2006-01-30 Thread Philip Prindeville

Hmmm...  I'm running a Linux shop here, so rarely does anyone send me
legitimately a .exe or .pif file.  I was wondering about making the following
change to the stock mimedefang-filter:

   if (filter_bad_filename($entity)) {
       md_graphdefang_log('bad_filename', $fname, $type);
#      return action_drop_with_warning("An attachment named $fname was removed from this document as it\n"
#          . "constituted a security hazard.  If you require this document, please contact\n"
#          . "the sender and arrange an alternate means of receiving it.\n");
       return action_bounce("Message rejected; an attachment named $fname of\n"
           . "dubious nature was found in this message.\n"
           . "Contact the postmaster if this was a legitimate transfer.\n");
   }


Or we could make the code switched on a variable, such as "$extreme_paranoia" ;-)


Ditto for flagging and delivering suspected spam versus bouncing it.

-Philip

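The switch Philip proposes, written out as an added example (not code from the stock mimedefang-filter or from anyone on the thread): the policy is named by the action it takes rather than by a "paranoia" level, and it defaults to the stock drop-with-warning behaviour so a site that never sets it keeps the safe default Paul asks for. $bad_filename_policy and bad_filename_action are assumed names; filter_bad_filename, action_drop_with_warning, action_bounce, action_discard, action_accept and md_graphdefang_log are MIMEDefang's own functions.

```perl
# Added example: the attachment-policy switch, named by the action it takes.
# The policy names and this helper are assumptions; the MIMEDefang calls are real.
my $bad_filename_policy = 'warn';   # 'warn' (stock) | 'reject' | 'discard'

sub bad_filename_action {
    my ($fname, $policy) = @_;
    $policy = 'warn' unless defined $policy;   # unset means stock behaviour

    if ($policy eq 'reject') {
        # 5xx at SMTP time: the sending MTA, not this host, tells the sender.
        return action_bounce("Message rejected; an attachment named $fname of\n"
                           . "dubious nature was found in this message.\n"
                           . "Contact the postmaster if this was a legitimate transfer.\n");
    }
    if ($policy eq 'discard') {
        # Silent drop: nobody is told, so a legitimate file vanishes without trace.
        return action_discard();
    }
    # Default (stock behaviour): strip the part and tell the recipient why.
    return action_drop_with_warning("An attachment named $fname was removed from "
        . "this document as it\nconstituted a security hazard.  If you require "
        . "this document, please contact\nthe sender and arrange an alternate "
        . "means of receiving it.\n");
}

# The per-part filter() hook as it would call the switch.
sub filter ($$$$) {
    my ($entity, $fname, $ext, $type) = @_;

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return bad_filename_action($fname, $bad_filename_policy);
    }
    return action_accept();
}
```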


Re: [Mimedefang] Question for the HOWTO page

2006-01-30 Thread Jim McCullars


On Sun, 29 Jan 2006, Philip Prindeville wrote:

> Does everyone use the built-in scoring, or do they write their own?

   I use a combination of both (and I suspect most longtime MD/SA users do
also).  Furthermore, in my local sa-mimedefang.cf file I have both
rulesets that I came up with, and some from sites like this one:

http://www.rulesemporium.com/rules.htm

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

   We flag at 5 and reject at 9.1.

Jim McCullars
University of Alabama in Huntsville



Re: [Mimedefang] Question for the HOWTO page

2006-01-30 Thread Joseph Brennan



--On Sunday, January 29, 2006 11:41 -0700 Philip Prindeville
<[EMAIL PROTECTED]> wrote:

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

Of course.

# $hits and $names come from MIMEDefang's spam_assassin_check()
$names =~ s/,/ /g;

if ($hits >= 8.0) {
    md_graphdefang_log('spam', "$hits $names", $RelayAddr);
    action_bounce("This appeared to be spam");
}

Choose your own threshold and your own message.  We change commas to
spaces in $names for the sake of the log.  By logging the score and
the names, we can more easily assess the problem in cases of legit mail
that got rejected.

We also assign points and names to a few things more easily checked
in Mimedefang, like bogus Helo strings or no reverse DNS.  If $hits
has reached 8.0 before we run the SA tests, we can skip SA.

Joseph Brennan
Columbia University Information Technology



Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Philip Prindeville

More confusion...  Ok, I used the *CHARSET_FARAWAY tests with
scores of 5.0 in the previous email.  Then I ran a message with:

Content-Type: text/plain; charset="ISO-8859-9"

even though my "ok_locales en fr" are set (so tr isn't included).

Didn't see any CHARSET_FARAWAY matches.  For both "en" and
"fr", ISO-8859-1 or "ASCII" should be the only two character sets,
right?  What am I missing?

-Philip



Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Philip Prindeville

So, did the message attached below fire up because it contained the
words "porn" and "viagra"?  Does that mean that not only spam, but
talking about spam, is subject to filtration?  ;-)

I was going to try the config below...  I'll see how it works.

I ran the spamassassin -t -x test that's in the HOWTO, but I think it
generates different results by hand than when run out of MdF.  Not
sure why.  Will dig deeper.

-Philip


# Needed when calling SpamAssassin from within MdF
remove_header all Report

required_hits 5

# languages...
ok_locales en fr

# used by CJK
score HTML_COMMENT_8BITS 1.5

# gibberish
score CHARSET_FARAWAY 5.0
score CHARSET_FARAWAY_HEADER 5.0
score HTML_CHARSET_FARAWAY 5.0
score MIME_CHARSET_FARAWAY 5.0

score UNWANTED_LANGUAGE_BODY 5.0

# malformed
score MIME_BASE64_TEXT 5.0

# shouting
score UPPERCASE_75_100 2.0
score MANY_EXCLAMATIONS 2.5
score PLING_PLING 2.0
score SUBJ_ALL_CAPS 1.5

# machines with bogus clocks
score DATE_IN_FUTURE_12_24 2.0
score DATE_IN_FUTURE_24_48 2.5
score DATE_IN_FUTURE_48_96 3.0
score DATE_IN_FUTURE_96_XX 3.25
score DATE_IN_PAST_96_XX 3.0



Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Les Mikesell
On Sun, 2006-01-29 at 14:30, Philip Prindeville wrote:
> Les Mikesell wrote:
> 
> >I reject values that can only be reached by my local settings
> >for viagra/porn, and send the rest through with the score
> >value arranged for easy individual filtering (the asterisk list
> >as the first thing in the header).
> >
> 
> Can you post your configs and diffs?

I don't think anyone would want to duplicate it exactly, but
sa-mimedefang.cf has things like:

    whitelist_from *.microsoft.com

and

    score ADULT_SITE 100
    score SUBJ_VIAGRA 100

and mimedefang-filter has

sub filter_end ($) {
    my ($entity) = @_;

    return if message_rejected();

    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"} && !relayIsTrusted($RelayAddr)) {
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB.  Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my ($hits, $req, $names, $report) = spam_assassin_check();
            my $score;
            if ($hits < 40) {
                $score = "*" x int($hits);
            } else {
                $score = "*" x 40;
            }
            ## drop if SA score over 100
            if ($hits > 100) {
                md_graphdefang_log('spam', $hits, $RelayAddr);
                md_syslog('warning', "Discarding because of spam score hits");
                action_bounce("Message screened as spam, please rephrase");
                return action_discard();
            }

            if ($hits >= $req) {
                action_change_header("X-Spam-Score", "$hits ($score) $names");
                ### note local header here with *'s only
                action_change_header("X-FS-Spam-Score", "$score");
                md_graphdefang_log('spam', $hits, $RelayAddr);
                action_add_part($entity, "text/plain", "-suggest",
                                "$report\nX-FS-Spam-Score: $score",
                                "SpamAssassinReport.txt", "inline");
            } else {
                # Delete any existing X-Spam-Score header?
                action_delete_header("X-Spam-Score");
            }
        }
    }
}

The relayIsTrusted subroutine was posted by someone a long time ago and
contains a list of local addresses where the spam scan can be skipped.

-- 
  Les Mikesell
   [EMAIL PROTECTED]







This mail is probably spam.  The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future.  See http://spamassassin.org/tag/ for more details.

Content preview:  On Sun, 2006-01-29 at 14:30, Philip Prindeville wrote:
  > Les Mikesell wrote: > > >I reject values that can only be reached by
  my local settings > >for viagra/porn, and send the rest through with
  the score > >value arranged for easy individual filtering (the asterisk
  list > >as the first thing in the header). > > > > Can you post your
  configs and diffs? [...] 

Content analysis details:   (94.60 points, 5 required)
IN_REP_TO          (-0.5 points)  Has a In-Reply-To header
REFERENCES         (-0.5 points)  Has a valid-looking References header
EMAIL_ATTRIBUTION  (-0.5 points)  BODY: Contains what looks like an email attribution
ADULT_SITE        (100.0 points)  BODY: Possible porn - Adult Web Sites
QUOTED_EMAIL_TEXT  (-0.5 points)  BODY: Contains what looks like a quoted email text
REPLY_WITH_QUOTES  (-0.5 points)  Reply with quoted text
USER_AGENT_XIMIAN  (-2.9 points)  Headers indicate a non-spam MUA (Ximian)


X-FS-Spam-Score:


Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Philip Prindeville

Les Mikesell wrote:

> I reject values that can only be reached by my local settings
> for viagra/porn, and send the rest through with the score
> value arranged for easy individual filtering (the asterisk list
> as the first thing in the header).

Can you post your configs and diffs?

-Philip



Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Les Mikesell
On Sun, 2006-01-29 at 12:41, Philip Prindeville wrote:
> Does everyone use the built-in scoring, or do they write their own?

I used the sa-mimedefang.cf file to whitelist some known
business-related senders and bump up the scoring on
viagra and porn related items to unrealistically high
values.

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

I reject values that can only be reached by my local settings
for viagra/porn, and send the rest through with the score
value arranged for easy individual filtering (the asterisk list
as the first thing in the header).

-- 
  Les Mikesell
   [EMAIL PROTECTED]




Re: [Mimedefang] Question for the HOWTO page

2006-01-29 Thread Philip Prindeville

Does everyone use the built-in scoring, or do they write their own?

I can see how, at the very least, you'd want to configure your set of
ok_locales for SA.

Perhaps the MdF (RPM) distribution could contain a set of sample
sa-mimedefang.cf.example files?

Also, instead of flagging spam, what about just rejecting the email in
filter_end() if SA reports too high a probability of it being spam?

The system-wide checks could be a set of inoffensive checks that
everyone agrees are highly reliable.

-Philip




Ratware and failures (was Re: [Mimedefang] Question for the HOWTO page)

2006-01-24 Thread David F. Skoll
Philip Prindeville wrote:

> Why?  Well, if the ratware sees enough rejections, I'm hoping they
> will eventually decide that it's not worth the resources to try to send
> me mail and will eventually delete me from their mailing list.

Very unlikely.  In my experience, spammers don't bother cleaning
their lists.  Heck, greylisting is still effective after three years,
so that should tell you something about how ratware deals with failures.

> I'm running FC3, and modified spamassassin and sendmail, the latter
> as:

> INPUT_MAIL_FILTER(`mimdefang',
> `S=local:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamassassin/sock,
> F=, T=C:15m;S:4m;R:4m;E:10m')

Is there a reason you don't call SpamAssassin from within MIMEDefang?
Just curious; it seems to me it's easier to code business logic in
Perl than as a sequence of milters.

Regards,

David.


RE: [Mimedefang] Question for the HOWTO page

2006-01-24 Thread Gary Funck

> From: Philip Prindeville
> Sent: Tuesday, January 24, 2006 5:09 PM
>
> I was wondering if we could update the HOWTO pages to describe
> installing Mimedefang and Spamassassin both on a system, so that
> the former is run, then the latter, on incoming email.
>
> I'd like to be able to reject mail that fails certain tests, like containing
> Hebrew, Cyrillic, and Han character sets (for instance)... rather than
> accepting it and marking it as spam.

Since you can coax SA to tag e-mails that have unacceptable
languages and locales ... why not just run SA from MdF directly,
and then look at the result (the tags) returned by SA?
I don't know if the SA protocol will give you those tags directly,
but it wouldn't be difficult pulling them from the headers.

For example,

 X-Spam-Score: 11.565 (***)
  CHARSET_FARAWAY_HEADER,FORGED_HOTMAIL_RCVD,FORGED_RCVD_HELO,SPF_HELO_SOFTFAIL,
  SPF_SOFTFAIL,UNWANTED_LANGUAGE_BODY,URIBL_JP_SURBL


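An added filter_end (not the stock one and not Les's) that combines the policies discussed in this thread: Jim's flag-at-required, reject-at-9.1 split, Joseph's log line of score plus rule names with commas replaced, Les's asterisk bar and relay/size checks, and Gary's idea of acting on the rule names SA returns, used here to refuse the CHARSET_FARAWAY family Philip wants rejected rather than tagged. $SPAM_REJECT_SCORE, %REJECT_RULES, score_bar and rules_hit are assumed names; relayIsTrusted is the site helper Les mentions and is not defined here; spam_assassin_check, message_rejected, action_bounce, action_change_header, action_delete_header and md_graphdefang_log are MIMEDefang's API.

```perl
# Added example filter_end; the threshold and the reject-rule list are site choices.
my $SPAM_REJECT_SCORE = 9.1;          # reject (5xx) at or above this score
my %REJECT_RULES = map { $_ => 1 }    # reject on these rules regardless of score
    qw(CHARSET_FARAWAY CHARSET_FARAWAY_HEADER MIME_CHARSET_FARAWAY UNWANTED_LANGUAGE_BODY);

# One "*" per whole point, capped at 40 so the header stays a sane length.
sub score_bar {
    my ($hits) = @_;
    my $n = int($hits);
    $n = 0  if $n < 0;
    $n = 40 if $n > 40;
    return "*" x $n;
}

# spam_assassin_check() returns the matched rule names comma-separated;
# return the ones that are on the hard-reject list.
sub rules_hit {
    my ($names, $reject) = @_;
    return grep { $reject->{$_} } split /,/, (defined $names ? $names : '');
}

sub filter_end ($) {
    my ($entity) = @_;
    return if message_rejected();
    return unless $Features{"SpamAssassin"};
    return if relayIsTrusted($RelayAddr);         # site helper from Les's post
    return unless -s "./INPUTMSG" < 100 * 1024;   # SA is slow on large mail

    my ($hits, $req, $names, $report) = spam_assassin_check();
    (my $lognames = defined $names ? $names : '') =~ s/,/ /g;   # commas break the log
    my @hard = rules_hit($names, \%REJECT_RULES);

    if ($hits >= $SPAM_REJECT_SCORE || @hard) {
        # Log score and names so a mis-rejected legitimate mail can be diagnosed;
        # keep the SMTP reply generic so the sender learns nothing about the scoring.
        md_graphdefang_log('spam', "$hits $lognames", $RelayAddr);
        return action_bounce("Message rejected as spam");
    }
    if ($hits >= $req) {
        # Flag and deliver: asterisks first so end-user filters can match on them.
        action_change_header("X-Spam-Score", score_bar($hits) . " $hits $lognames");
        md_graphdefang_log('spam', "$hits $lognames", $RelayAddr);
    } else {
        action_delete_header("X-Spam-Score");     # never trust an inbound one
    }
}
```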