Re: [Mimedefang] filter on header from display name
Marcus Schopen wrote: Am Montag, den 26.11.2018, 13:02 -0500 schrieb Dianne Skoll: On Mon, 26 Nov 2018 17:55:57 +0100 Marcus Schopen wrote: is always the same, but I can't catch it with blacklist_from. Can I get that from $entity->head->get('From') or any better ideas? That should work, or you can open and read the file ./HEADERS, which contains the message headers (unwrapped, so exactly one header per line.) I use a spamassassin rule now header MY_HEADER_1 From =~ /^.*\@spammer\.com.*/ describe MY_HEADER_1Header-Spam-Rule 1 score MY_HEADER_1 100 This will more or less work, but keep in mind that "spammer.com" might better be shown in examples as "spoofvictim.com". The whole point of this from the spammer's perspective is that mail clients will only display the "known"/"trusted" address, hiding the *other* victim (the compromised account). Most of the time *both* addresses in the From: on these messages, however arranged, are innocent and unrelated to the spammer. If you block either, you take the risk of blocking legitimate mail. I have a pair of subrules looking for two @ signs in the From: - one just looks for two @ signs, the other looks for a specific variant with two <>-wrapped normal email addresses. These get combined with a couple of other factors in meta rules to build up the score. -kgd ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header from display name
Am Montag, den 26.11.2018, 13:02 -0500 schrieb Dianne Skoll: > On Mon, 26 Nov 2018 17:55:57 +0100 > Marcus Schopen wrote: > > > is always the same, but I can't catch it with blacklist_from. Can I > > get > > that from $entity->head->get('From') or any better ideas? > > That should work, or you can open and read the file ./HEADERS, which > contains the message headers (unwrapped, so exactly one header per > line.) I use a spamassassin rule now header MY_HEADER_1 From =~ /^.*\@spammer\.com.*/ describe MY_HEADER_1Header-Spam-Rule 1 score MY_HEADER_1 100 Ciao! ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header from display name
On Mon, 26 Nov 2018 17:55:57 +0100 Marcus Schopen wrote: > is always the same, but I can't catch it with blacklist_from. Can I get > that from $entity->head->get('From') or any better ideas? That should work, or you can open and read the file ./HEADERS, which contains the message headers (unwrapped, so exactly one header per line.) Regards, Dianne. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
On Tue, 09 May 2017 17:07:58 +0200 Marcus Schopenwrote: > Okay. So if I rebuild the hash file I have the reread mimedefang to > kill idle slaves and forcing reread filter rules or wait until all > processes are restarted itself by multiplexor, right? Yes. The purpose of md-mx-ctrl reread is to have a graceful way to update the filters without waiting for them to be recycled naturally. Regards, Dianne. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
Hi Dianne, Am Dienstag, den 09.05.2017, 09:46 -0400 schrieb Dianne Skoll: [...] > No, because the filter_recipient and filter_begin/filter_end functions > may not be called in the same process. > > You can define a function called filter_initialize() that will get called > once when a new scanning process is started. > > See the section MAINTAINING STATE in the mimedefang-filter(5) man page. Okay. So if I rebuild the hash file I have the reread mimedefang to kill idle slaves and forcing reread filter rules or wait until all processes are restarted itself by multiplexor, right? Ciao! Marcus ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
On Tue, 09 May 2017 10:51:08 +0200 Marcus Schopenwrote: > Is there a way to load the key-value hash table file only at > start/reread/reload of mimedefang and not read it on each incoming > email in filter_end? No, because the filter_recipient and filter_begin/filter_end functions may not be called in the same process. You can define a function called filter_initialize() that will get called once when a new scanning process is started. See the section MAINTAINING STATE in the mimedefang-filter(5) man page. Regards, Dianne. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
Am Dienstag, den 09.05.2017, 14:45 +0200 schrieb Marcus Schopen: > The hash file is created with > > makemap hash testhash.db < testhash.txt Just found out, that I can use the -e option using makemap to allow empty value on right hand side, so the format now is just one email address per line. Ciao! Marcus ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
Hi Kris, Am Dienstag, den 09.05.2017, 10:51 +0200 schrieb Marcus Schopen: > Is there a way to load the key-value hash table file only at > start/reread/reload of mimedefang and not read it on each incoming email > in filter_end? Haha, we had a similar discussion three years a ago ;) http://lists.roaringpenguin.com/pipermail/mimedefang/2014-March/037274.html This is my mimedefang-filter now: sub filter_initialize { require DB_File; use Fcntl; tie %testhash_list, "DB_File", "/etc/mail/testhash.db", O_RDONLY; } sub filter_cleanup { untie %testhash_list; } sub filter_end { [...] # get header From and compare to hash my $fromaddr = $entity->head->get('From'); $fromaddr =~ s/.+<([^>]+)>/$1/; $fromaddr =~ s/\s+$//; if(exists $testhash_list{lc $fromaddr}) { action_add_header("X-SpecialHeader", "$fromaddr is in testhast_list"); } The hash file is created with makemap hash testhash.db < testhash.txt The format of the hash file is just myemailaddr...@domain.de1 What I don't understand is, why there is an ending white space on the header From variable $fromaddr, so I have to trim it with $fromaddr =~ s/\s+$//; Ciao Marcus ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
Hi Kris, Am Montag, den 08.05.2017, 17:27 -0400 schrieb Kris Deugau: > You would have to fill it in first, by extracting it from the > MIME::Entity passed to the filter_end sub; something like (untested, > check MIME::Tools documentation): > > $fromaddr = $entity->head->get('From'); > $fromaddr =~ s/.+<([^>]+)>/$1/; [...] Ah, yes. This is working. I thought "fromaddr" is a globally available variable. Sorry for misunderstanding. Is there a way to load the key-value hash table file only at start/reread/reload of mimedefang and not read it on each incoming email in filter_end? Ciao Marcus ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
Marcus Schopen wrote: Hi Kris, Am Montag, den 08.05.2017, 11:13 -0400 schrieb Kris Deugau: if ($hashfile{$fromaddr}) { action_add_header("SpecialHeader", "$fromaddr found in list"); } Ah, good idea. Thanks! But if I just add this to filter_end action_add_header("X-SpecialHeader", "$fromAddr test"); to read out $fromAddr, the variable is empty in my case. You would have to fill it in first, by extracting it from the MIME::Entity passed to the filter_end sub; something like (untested, check MIME::Tools documentation): $fromaddr = $entity->head->get('From'); $fromaddr =~ s/.+<([^>]+)>/$1/; If you just want to test, you can try $Sender instead, which is the envelope sender. See the man page for mimedefang-filter to see which globals are provided. -kgd ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
Hi Kris, Am Montag, den 08.05.2017, 11:13 -0400 schrieb Kris Deugau: > if ($hashfile{$fromaddr}) { >action_add_header("SpecialHeader", "$fromaddr found in list"); > } > Ah, good idea. Thanks! But if I just add this to filter_end action_add_header("X-SpecialHeader", "$fromAddr test"); to read out $fromAddr, the variable is empty in my case. Ciao! ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter on header From:
Marcus Schopen wrote: Hei, I have a text base list of email addresses (one email per line). Where would I best filter on header "From: " (not envelope from) in mimedefang-filter and add an additional mail header in case of a hit? At the moment I use spamassassin rules to tag such mails in filter_end, but spamassassin catches only mails if their "./INPUTMSG" smaller than the global given message size, which I don't want to increase. You should be able to use the MIME::Entity passed to filter_end to retrieve the From: header. Unless it's fairly short, I'd recommend converting your text file into your favourite flavour of key-value hash table file, accessible from MD as a tied hash via the matching Perl *DB_File module. Then it's just a matter of: if ($hashfile{$fromaddr}) { action_add_header("SpecialHeader", "$fromaddr found in list"); } -kgd ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang