Re: [spamdyke-users] Qmail + spamdyke + chkuser
Hello Eric,

Saturday, September 5, 2009, 2:39:30 AM, you wrote:

> What subdomains are you seeing besides @www. ?

Subdomains of our domains. Mail that goes to domains that are not included in the rcpthosts file is rejected. But mail to www.mydomain.com or mail.mydomain.com is accepted for delivery (to no avail, of course).

> I think this is part of your problem:
>
> shu...@edwin:~$ host xyz.ja-maica.ru
> xyz.ja-maica.ru is an alias for www.ja-maica.ru.
> www.ja-maica.ru is an alias for www.dsite.ru.
> www.dsite.ru is an alias for dsite.ru.
> dsite.ru has address 89.108.80.21
> dsite.ru mail is handled by 10 dsite.ru.
>
> Any subdomain will find its way to your server. Is there any reason for the wildcard DNS record(s)?

Yes, it seems quite reasonable for a www-hoster (I know, I know, it's not good practice to have the www-carrier/database provider and the mail server on one piece of hardware, but we cannot always change reality as we want). So in the case of any mistype/error users will access through HTTP any domain that is hosted successfully.

Really, the question is - why is chkuser/qmail/spamdyke accepting mail for subdomains, if they are not listed directly in rcpthosts? And how to stop it? Right now in rcpthosts is the string ja-maica.ru without . and/or @.

Probably, I'll play with it at night, when the risk of losing some mail is minimal...

-- 
Best regards,
Youri mailto:loka...@gmail.com

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Qmail + spamdyke + chkuser
Youri V. Kravatsky wrote:
> Hello Eric,
>
> Saturday, September 5, 2009, 2:39:30 AM, you wrote:
>
>> What subdomains are you seeing besides @www. ?
>
> Subdomains of our domains. Mail that goes to domains that are not included in the rcpthosts file is rejected. But mail to www.mydomain.com or mail.mydomain.com is accepted for delivery (to no avail, of course).
>
>> I think this is part of your problem:
>>
>> shu...@edwin:~$ host xyz.ja-maica.ru
>> xyz.ja-maica.ru is an alias for www.ja-maica.ru.
>> www.ja-maica.ru is an alias for www.dsite.ru.
>> www.dsite.ru is an alias for dsite.ru.
>> dsite.ru has address 89.108.80.21
>> dsite.ru mail is handled by 10 dsite.ru.
>>
>> Any subdomain will find its way to your server. Is there any reason for the wildcard DNS record(s)?
>
> Yes, it seems quite reasonable for a www-hoster (I know, I know, it's not good practice to have the www-carrier/database provider and the mail server on one piece of hardware, but we cannot always change reality as we want). So in the case of any mistype/error users will access through HTTP any domain that is hosted successfully.
>
> Really, the question is - why is chkuser/qmail/spamdyke accepting mail for subdomains, if they are not listed directly in rcpthosts? And how to stop it? Right now in rcpthosts is the string ja-maica.ru without . and/or @.
>
> Probably, I'll play with it at night, when the risk of losing some mail is minimal...

Hey Youri,

I gotta admit that I don't know off hand how subdomains are supposed to be handled by qmail. So I did some testing.

The first test I sent to mys...@sub.mydomain.com. Interestingly enough, it was rejected because I have @mydomain.com in my blacklist_senders file. This is to prevent spam where the sender address is spoofed with my domain. It works because all email for my domain is sent with authentication (a good practice), and authenticated users circumvent all spamdyke rules.

I was curious about what happens without spamdyke doing this, so I did another test w/out having the blacklist entry.

In the smtp log I got:

09-05 07:45:04 CHKUSER rejected relaying:... client not allowed to relay
09-05 07:45:05 DENIED_OTHER from:

The message bounced back to the sender with:

553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)

So chkuser recognized that subdom.mydomain.com was not a domain that my server is configured to receive mail for. This seems right to me. My chkuser version is 2.0.8, but that's the only difference I see.

Your system should recognize that the subdomain isn't in your rcpthosts file. Are you certain that you don't have .ja-maica.com (with leading .) in your rcpthosts or morercpthosts files? If not, then I'd look closer into your chkuser implementation. Are you seeing any chkuser messages in your smtp log?

-- 
-Eric 'shubes'
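As an added example (not code from the thread, nor from qmail, chkuser or spamdyke): a small Python re-implementation of the rcpthosts domain match Eric is referring to, following the suffix-at-dot rule from qmail's rcpthosts.c, so the difference between a "ja-maica.ru" entry and a ".ja-maica.ru" entry can be checked offline. The file content and the addresses are constructed, and the case-insensitive comparison is this example's own choice.

```python
# Constructed rcpthosts content for the demo: one exact-domain entry and one
# leading-dot (subdomain) entry.
RCPTHOSTS = """\
ja-maica.ru
.example.org
"""


def load_rcpthosts(text):
    """Parse rcpthosts-style content: one entry per line, blank lines ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            entries.add(line.lower())
    return entries


def rcpthosts_allows(recipient, entries):
    """Apply the suffix-at-dot rule to the recipient's domain part."""
    if "@" not in recipient:
        return True          # rcpthosts.c also accepts addresses with no host part
    domain = recipient.rsplit("@", 1)[1].lower()   # lowercasing: this example's choice
    # Candidates: the whole domain, then every suffix that begins at a dot, so
    # "www.ja-maica.ru" tries "www.ja-maica.ru", ".ja-maica.ru" and ".ru".
    # An exact entry therefore matches only the bare domain; a ".domain" entry
    # matches every subdomain but not the bare domain itself.
    candidates = [domain] + [domain[i:] for i, c in enumerate(domain) if c == "."]
    return any(c in entries for c in candidates)


def explain(recipient, entries):
    """Verdict text modelled on the 553 reply quoted in the thread."""
    if rcpthosts_allows(recipient, entries):
        return f"{recipient}: accepted"
    return f"{recipient}: 553 sorry, that domain isn't in my list of allowed rcpthosts"


if __name__ == "__main__":
    hosts = load_rcpthosts(RCPTHOSTS)
    for rcpt in ("user@ja-maica.ru", "user@www.ja-maica.ru",
                 "user@example.org", "user@mail.example.org"):
        print(explain(rcpt, hosts))
```

Note that with only "ja-maica.ru" in the file, mail to www.ja-maica.ru is refused by this rule, which is why a leading-dot entry (or, as it turned out later in the thread, a recipient whitelist) is the thing to look for.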
[spamdyke-users] Whitelist methods
I am thinking that from a security standpoint, the preferred methods of whitelisting would be by:

1) rDNS
2) IP
3) sender

simply because spoofing a sender is easiest and spoofing rDNS is the most difficult.

Is this correct? Are there other considerations?

-- 
-Eric 'shubes'
Re: [spamdyke-users] Qmail + spamdyke + chkuser
I can see why spamdyke is accepting messages to your subdomains -- you've whitelisted the recipients. In the full log you sent, I see this line:

FILTER_RECIPIENT_WHITELIST recipient: kalugin...@www.ja-maica.ru file: /var/qmail/control/whitelist.local(84)

If you're just trying to stop deliveries to your subdomains, removing the whitelist entry will accomplish that goal.

If you also want to fix chkuser, there's more work to be done. I don't use chkuser myself, so I'm not familiar with how to configure it. I've glanced at the patch file (version 2.0.9) and your configuration file; nothing jumps out as obviously incorrect. My first idea is that the RELAYCLIENT environment variable may be the problem. spamdyke sets that variable so that it may control relaying instead of letting qmail-smtpd handle it. I suspected this may prevent chkuser from working, but your configuration seems to eliminate that possibility.

Were I you, I think my next step would be to remove spamdyke from the run file and see if chkuser starts working again. If it does, we can keep trying to figure out why spamdyke is interfering with it.

-- Sam Clippinger

Youri V. Kravatsky wrote:
> Hello Eric,
>
> Saturday, September 5, 2009, 2:39:30 AM, you wrote:
>
>> What subdomains are you seeing besides @www. ?
>
> Subdomains of our domains. Mail that goes to domains that are not included in the rcpthosts file is rejected. But mail to www.mydomain.com or mail.mydomain.com is accepted for delivery (to no avail, of course).
>
>> I think this is part of your problem:
>>
>> shu...@edwin:~$ host xyz.ja-maica.ru
>> xyz.ja-maica.ru is an alias for www.ja-maica.ru.
>> www.ja-maica.ru is an alias for www.dsite.ru.
>> www.dsite.ru is an alias for dsite.ru.
>> dsite.ru has address 89.108.80.21
>> dsite.ru mail is handled by 10 dsite.ru.
>>
>> Any subdomain will find its way to your server. Is there any reason for the wildcard DNS record(s)?
>
> Yes, it seems quite reasonable for a www-hoster (I know, I know, it's not good practice to have the www-carrier/database provider and the mail server on one piece of hardware, but we cannot always change reality as we want). So in the case of any mistype/error users will access through HTTP any domain that is hosted successfully.
>
> Really, the question is - why is chkuser/qmail/spamdyke accepting mail for subdomains, if they are not listed directly in rcpthosts? And how to stop it? Right now in rcpthosts is the string ja-maica.ru without . and/or @.
>
> Probably, I'll play with it at night, when the risk of losing some mail is minimal...
Re: [spamdyke-users] check for mail from email address
I agree -- just change the user's password. That would be much, much simpler than trying to block this kind of attack with spamdyke, which is not designed to restrict authenticated users.

-- Sam Clippinger

Eric Shubert wrote:
> Is the undesirable email coming from the compromised computer, or somewhere else? If it's coming from the compromised computer, you should remove the malware. If it's coming from somewhere else, you can simply change the password.
>
> I know this doesn't answer your question, but your question has nothing to do with spamdyke after all.
Re: [spamdyke-users] Feature request - whitelist SPF
I don't see why this can't be done. Once SPF support is added, it should be pretty trivial to add a flag to control what spamdyke does with it.

-- Sam Clippinger

Eric Shubert wrote:
> Eric Shubert wrote:
>> Hey Sam (et al),
>>
>> I just came across a situation where I wanted to whitelist a vendor (dyndns.com), so I requested their rDNS names. They cordially replied that they use various servers, and gave me their SPF record as reference. Then a little light went on. Spamdyke could do this for me.
>>
>> How about an spf-whitelist option, similar to the other whitelist options, that would read the SPF record for the sending domain and automatically whitelist according to the SPF rules found. This would effectively say, whitelist whatever servers are listed in the domain's SPF record - I'll trust their SPF record.
>>
>> I know this isn't trivial because of the variety of ways that senders can be specified in SPF, but I think the feature would be very useful. I would guess that most users would want to implement this only for certain domains. I'm not sure if turning it on globally would be ok to do or not. I'm thinking probably no, but it might be a nice option for some.
>>
>> Thoughts?
>
> I know you have SPF listed under TODO LATER in TODO.txt, but it's listed along with some other schemes which I believe are more involved to fully implement. I see this more as an enhancement of spamdyke's whitelisting capabilities than an outright SPF implementation. FWIW.
Re: [spamdyke-users] Whitelist methods
If secure means hardest for a spammer to exploit, then I would say whitelisting IP addresses would be the most secure. Spoofing IPs is not impossible but well beyond what most spammers can do. Spoofing an rDNS name is actually pretty easy -- if I control my own rDNS, I can set those records to say anything I want. The hard part is updating them rapidly; DNS is not designed to handle frequent updates. Least secure is definitely a sender or recipient whitelist, as spoofing those is trivial.

From the standpoint of maintenance, whitelisting IPs is the most inconvenient because they're the hardest to gather and the most likely to change.

-- Sam Clippinger

Eric Shubert wrote:
> I am thinking that from a security standpoint, the preferred methods of whitelisting would be by:
>
> 1) rDNS
> 2) IP
> 3) sender
>
> simply because spoofing a sender is easiest and spoofing rDNS is the most difficult.
>
> Is this correct? Are there other considerations?
Re: [spamdyke-users] Feature request - whitelist SPF
I would think that SPF would be fairly easy to implement. There are libraries available (http://www.openspf.org/Implementations). I'm just looking at this as a more secure (and lazy) way to whitelist a domain. ;)

Is there something I can do to help move this along?

Sam Clippinger wrote:
> I don't see why this can't be done. Once SPF support is added, it should be pretty trivial to add a flag to control what spamdyke does with it.
>
> -- Sam Clippinger
>
> Eric Shubert wrote:
>> Eric Shubert wrote:
>>> Hey Sam (et al),
>>>
>>> I just came across a situation where I wanted to whitelist a vendor (dyndns.com), so I requested their rDNS names. They cordially replied that they use various servers, and gave me their SPF record as reference. Then a little light went on. Spamdyke could do this for me.
>>>
>>> How about an spf-whitelist option, similar to the other whitelist options, that would read the SPF record for the sending domain and automatically whitelist according to the SPF rules found. This would effectively say, whitelist whatever servers are listed in the domain's SPF record - I'll trust their SPF record.
>>>
>>> I know this isn't trivial because of the variety of ways that senders can be specified in SPF, but I think the feature would be very useful. I would guess that most users would want to implement this only for certain domains. I'm not sure if turning it on globally would be ok to do or not. I'm thinking probably no, but it might be a nice option for some.
>>>
>>> Thoughts?
>>
>> I know you have SPF listed under TODO LATER in TODO.txt, but it's listed along with some other schemes which I believe are more involved to fully implement. I see this more as an enhancement of spamdyke's whitelisting capabilities than an outright SPF implementation. FWIW.

-- 
-Eric 'shubes'
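As an added example (not spamdyke's code, which had no SPF support when this was written, nor anything from the list): a Python sketch of the "read the SPF record and whitelist whatever it lists" idea from the request above. It expands a domain's SPF record into IP networks that an IP-based whitelist could be built from, resolving only the ip4, ip6, include and redirect terms, and reports the terms that would need live DNS (a, mx, ptr, exists) or that would whitelist everyone (+all) instead of silently skipping them. DNS is replaced by a constructed in-memory table so it runs offline; all domains and addresses in it are made up.

```python
import ipaddress

# Constructed TXT records (not real data); the include chain mimics a vendor
# that publishes extra sending ranges through a second record.
FAKE_DNS = {
    "vendor.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.vendor.example ~all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 mx -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def expand_spf(domain, dns=FAKE_DNS, depth=0, seen=None):
    """Return (networks, unsupported) for the 'pass' terms of domain's SPF record.

    A seen-set and a depth limit guard against include loops and runaway chains.
    """
    seen = set() if seen is None else seen
    networks, unsupported = set(), set()
    if domain in seen or depth > 10:
        return networks, unsupported
    seen.add(domain)
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return networks, unsupported
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        key, _, value = body.partition(":")
        if key == "all":
            if qual == "+":
                unsupported.add(f"{domain}:+all")  # would whitelist everyone
            continue
        if qual != "+":
            continue                               # only "pass" terms count
        if key in ("ip4", "ip6"):
            networks.add(ipaddress.ip_network(value, strict=False))
        elif key == "include" or key.startswith("redirect="):
            target = value if key == "include" else key.split("=", 1)[1]
            sub_nets, sub_unsup = expand_spf(target, dns, depth + 1, seen)
            networks |= sub_nets
            unsupported |= sub_unsup
        else:
            unsupported.add(f"{domain}:{body}")    # a, mx, ptr, exists: need DNS
    return networks, unsupported


def sender_ip_whitelisted(ip, domain, dns=FAKE_DNS):
    """True if ip lies inside a network the domain's SPF record would pass."""
    networks, _ = expand_spf(domain, dns)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)
```

The unsupported set is the part worth surfacing to an operator: a domain whose record leans on mx or ptr terms cannot be turned into a static IP whitelist without the live lookups Eric mentions.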
Re: [spamdyke-users] Qmail + spamdyke + chkuser
Hello Sam,

Saturday, September 5, 2009, 10:11:03 PM, you wrote:

> I can see why spamdyke is accepting messages to your subdomains -- you've whitelisted the recipients. In the full log you sent, I see this line:
>
> FILTER_RECIPIENT_WHITELIST recipient: kalugin...@www.ja-maica.ru file: /var/qmail/control/whitelist.local(84)
>
> If you're just trying to stop deliveries to your subdomains, removing the whitelist entry will accomplish that goal.
>
> If you also want to fix

Well, how could I whitelist only ja-maica.ru without any subdomains? Right now whitelist.local has the following string:

@ja-maica.ru

It seemed to me that it makes only mail to u...@ja-maica.ru whitelisted?

-- 
Best regards,
Youri mailto:loka...@gmail.com