Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-27 Thread Eric Shubert
That's what I was looking for (I think). I should be able to script 
something together with that. I'll post it here if/when I get it done. 
Not really a high priority at the moment. ;)

Sam Clippinger wrote:
 That's not a bad idea, I'll add that to the ever-growing list. :)
 
 With the current version (assuming you're comfortable at the command 
 line), you can set the TCPREMOTEIP environment variable to the remote IP 
 and run spamdyke manually to see what it says.  Something like this:
 $ export TCPREMOTEIP=11.22.33.44
 $ spamdyke -f /etc/spamdyke.conf /var/qmail/bin/qmail-smtpd /bin/true
 
 -- Sam Clippinger
 
 Eric Shubert wrote:
 Christoph Kuhle (Expat Email Ltd) wrote:
   
 Separately, I do notice a small but sufficiently significant number of
 genuine emails which get rejected with no reverse DNS.  Should we be happy
 to put email addresses on the white list, or is that dangerous with Spammers
 being able to get through if they purport to be that address?  Up to now, we
 have just passed the maillog entry on so that they can check it out with
 their own hosting company.
 
 This is what I do, whitelist and notify the sending server's admin.

 It'd be nice if there was a spamdyke tool that would allow one to easily 
 re-check an IP address to see if their server has subsequently been 
 fixed, as an aid in keeping the whitelist clean. Sort of a if a certain 
 IP address were to send an email to my server, would spamdyke reject 
 it? tool. What do you think, Sam?

   


-- 
-Eric 'shubes'

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


[spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Christoph Kuhle (Expat Email Ltd)
I have spamdyke, with Atomic Secured Linux as well, protecting a server, and
it works well generally, stopping about 50% of emails (I note that some
people have reported 90+% Spam statistics).  I have just run a DNSStuff
Anti-Spam Filtering Test.  It got through:

This is a test message that was sent to you because you or someone you know
visited the DNSstuff Mail Server Test Center and ran an anti-spam test
against this email address.
This email message contains a forged received header with a blacklisted
IP Address.
If you received this message without a spam warning or notification, we
recommend you perform the following steps:
1.  Contact your email administrator.
2.  If you are the email administrator, review your current anti-spam
settings, and ensure that the latest updates are applied and that your spam
filtering software is enabled.

Because it has a forged received header and a blacklisted IP address, I
would like it to be rejected, naturally.  maillog said:
Aug 26 08:09:29 plesk2 spamdyke[20992]: ALLOWED from:
emailavt...@dnsstuff.com to: m...@mydomain.com origin_ip: 75.125.82.251
origin_rdns: gold.dnsstuff.com auth: (unknown)

and the email header says:

X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
plesk2.ourdomain.co.uk
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=4.0 tests=BAYES_00,HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_MID autolearn=no
version=3.2.5
Received: (qmail 21000 invoked from network); 26 Aug 2009 08:09:30 +0100
Received: from gold.dnsstuff.com (HELO main) (75.125.82.251)
  by plesk2.ourdomain.co.uk with SMTP; 26 Aug 2009 08:09:29 +0100
Received-SPF: pass (plesk2.ourdomain.co.uk: SPF record at dnsstuff.com
designates 75.125.82.251 as permitted sender)
Received: from forgedsnd.example.com ([127.0.0.2]) by forgedrcv.example.com
 with fakesvc; Thu, 13 Aug 2009 07:30:02
To: m...@mydomain.com
From: DNSstuff Mail Server Test Center sa...@dnsstuff.com
Subject: DNSstuff Mail Server Test Center - Anti-Spam Test Message
Date: Wed, 26 Aug 2009 07:09:14 +
MIME-Version: 1.0
Content-Type: text/html; charset=US-ASCII
Content-Disposition: inline


My spamdyke config file is:
[r...@plesk2 ~]# cat /etc/spamdyke.conf
#Plesk-Addon
#use log-level=verbose to see which dnsrbls triggered. use info for normal level. use debug ## for loads of stuff.
log-level=info
#idle-timeout-secs=180
local-domains-file=/var/qmail/control/rcpthosts
tls-certificate-file=/var/qmail/control/servercert.pem
#AUTH FROM xinetd-conf
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /bin/true
smtp-auth-level=ondemand-encrypted
## the following url gets put in all rejection messages so people who get false positives
## know where to go for help:
policy-url=http://emailitis.com/index_files/spam_rejection.html

graylist-level=always
graylist-dir=/var/qmail/spamdyke/greylist
#GREYLIST MINIMUM = 5 Min
graylist-min-secs=300
#GREYLIST MAX = 3 Months
graylist-max-secs=1814400
sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
sender-whitelist-file=/var/qmail/spamdyke/whitelist_senders
greeting-delay-secs=5
#RBL BLOCKLISTS
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=bogons.cymru.com
reject-missing-sender-mx
reject-empty-rdns
reject-unresolvable-rdns
[r...@plesk2 ~]#

Listening to these posts, I guess that there are a LOT more complex settings
that I could or should have in my config.  Can anyone advise what setting(s)
might prevent similar emails from getting through next time?

Kind regards, 
 
Christoph



Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Kulkarni Shantanu
* Christoph Kuhle (Expat Email Ltd) ku...@expat-email.com [090826 13:27]:
 I have spamdyke, with Atomic Secured Linux as well, protecting a server, and
 it works well generally, stopping about 50% of emails (I note that some
 people have reported 90+% Spam statistics).  I have just run a DNSStuff
 Anti-Spam Filtering Test.  It got through:

Please do not start a new thread by replying to an old mail and changing
the subject line. It screws up threading.

Well, we have managed to block 92-94% spam by various filters of spamdyke.
I would recommend removing cymru dnsbl and replacing it with that of
barracuda networks. Also consider a local dnsbl of zones from
uceprotect, so there will not be any network overheads.

also see,
http://www.shantanukulkarni.org/rbl-compare.html
http://www.shantanukulkarni.org/spam_analysis.html  (done in feb 09)

Shantanu
www.shantanukulkarni.org
-- 


Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Christoph Kuhle (Expat Email Ltd)
I apologise for replying to an original email.  I will not do that again :-(

THANK YOU Shantanu for the really quick response and the advice with links.
I have added dnsbl-1.uceprotect.net and removed cymru dnsbl.

I am registered with barracuda, but I had heard before that barracuda can
reject a fair number of genuine emails (I never remember if that is a false
negative or a false positive!).   If I include barracuda as well, is there a
way to monitor what they have rejected, or must we wait for people to tell
us that email is not getting through?

Separately, I do notice a small but sufficiently significant number of
genuine emails which get rejected with no reverse DNS.  Should we be happy
to put email addresses on the white list, or is that dangerous with Spammers
being able to get through if they purport to be that address?  Up to now, we
have just passed the maillog entry on so that they can check it out with
their own hosting company.

Is there an easy script that we can run to see the percentages being rejected
by the various stages?  The one I have is:
cat /usr/local/psa/var/log/maillog | /etc/spamdyke-statistics.pl

Kind regards, 
 
Christoph



Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Eric Shubert
Christoph Kuhle (Expat Email Ltd) wrote:
 
 Separately, I do notice a small but sufficiently significant number of
 genuine emails which get rejected with no reverse DNS.  Should we be happy
 to put email addresses on the white list, or is that dangerous with Spammers
 being able to get through if they purport to be that address?  Up to now, we
 have just passed the maillog entry on so that they can check it out with
 their own hosting company.

This is what I do, whitelist and notify the sending server's admin.

It'd be nice if there was a spamdyke tool that would allow one to easily 
re-check an IP address to see if their server has subsequently been 
fixed, as an aid in keeping the whitelist clean. Sort of a if a certain 
IP address were to send an email to my server, would spamdyke reject 
it? tool. What do you think, Sam?

-- 
-Eric 'shubes'



Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Christoph Kuhle (Expat Email Ltd)
Thank you Eric,

Interesting one.  I put the whole domain in
/var/qmail/spamdyke/whitelist_senders  by simply putting revivevending.com
in that file.  I seem to remember reading that this is possible.

Then restarted Apache (/etc/init.d/httpd restart)

but it was still being rejected.  Then I put in the full email address, and
it worked.  Is it possible to put a whole domain in whitelist_senders?

Kind regards, 
 
Christoph


Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Eric Shubert
I use @domain.com in whitelist_senders file and it works. I think it 
needs to have the @ sign.



-- 
-Eric 'shubes'



Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Sam Clippinger
This isn't too surprising -- spamdyke doesn't check the Received 
headers or any part of the actual message content.  If the blacklisted 
IP address mentioned in the text only occurs in the message headers, 
spamdyke won't stop it.

If you need a filter that will examine message content, take a look at 
SpamAssassin -- it works well in conjunction with spamdyke.

-- Sam Clippinger



Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Kulkarni Shantanu
* Christoph Kuhle (Expat Email Ltd) ku...@expat-email.com [090826 18:02]:
 I am registered with barracuda, but I had heard before that barracuda can
 reject a fair number of genuine emails (I never remember if that is a false

Nope, for me the false positive rate of uceprotect was higher.

 negative or a false positive!).   If I include barracuda as well, is there a
 way to monitor what they have rejected, or must we wait for people to tell
 us that email is not getting through.

I have a perl script which analyses daily logs to produce output like:

ALLOWED Mails = 2487
BLOCKED No RDNS entry = 11367   

Mailbox does not exists = 829   
  
Listed in RBL
zen.spamhaus.org = 1133
dyna.spamrats.com = 202 
uceprotect.local = 8489
b.barracudacentral.org = 4258

 Separately, I do notice a small but sufficiently significant number of
 genuine emails which get rejected with no reverse DNS.  Should we be happy
 to put email addresses on the white list, or is that dangerous with Spammers

Every mailserver (or smarthost) *should* have an rdns entry. See above
to find how many spams are rejected by the missing-rdns switch.

 being able to get through if they purport to be that address?  Up to now, we
 have just passed the maillog entry on so that they can check it out with
 their own hosting company.

We also do the same thing.

 
 Is it an easy script that we can run to see the percentages being rejected
 by the various stages?  The one I have is:
 cat /usr/local/psa/var/log/maillog | /etc/spamdyke-statistics.pl

Simple; it can be as easy as:

cat logfile | egrep -c 'FILTER_RBL_MATCH.*zen.spamhaus.org'
cat logfile | egrep -c 'FILTER_RDNS_MISSING'

or it can be anything similar in awk/perl/python/etc.

Shantanu
-- 

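A fuller version of the per-stage count Shantanu sketches above, as an added example that is neither a spamdyke tool nor anything posted in the thread: it tallies verdicts and per-zone RBL hits from spamdyke log lines and prints a report in the shape of his script's output. The ALLOWED line layout and the FILTER_RBL_MATCH / FILTER_RDNS_MISSING keywords come from the thread; the DENIED_* keywords, the "ip: ... rbl: ..." field layout on FILTER lines and the sample log are assumptions.

```python
import re
import sys
from collections import Counter

# The verdict keyword follows "spamdyke[pid]: "; the fields after it use the
# "name: value" layout of the ALLOWED line quoted in this thread.
VERDICT_RE = re.compile(r"spamdyke\[\d+\]: (?P<verdict>[A-Z_]+)(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+): (\S+)")

# Constructed sample log. ALLOWED, FILTER_RBL_MATCH and FILTER_RDNS_MISSING are
# keywords named in the thread; the DENIED_* names and the "ip: .. rbl: .." layout
# of the FILTER lines are assumptions for illustration. IPs are documentation ranges.
SAMPLE_LOG = """\
Aug 26 08:09:29 plesk2 spamdyke[20992]: ALLOWED from: a@example.org to: me@mydomain.com origin_ip: 192.0.2.10 origin_rdns: mail.example.org auth: (unknown)
Aug 26 08:11:40 plesk2 spamdyke[21010]: FILTER_RBL_MATCH ip: 203.0.113.5 rbl: zen.spamhaus.org
Aug 26 08:11:40 plesk2 spamdyke[21010]: DENIED_RBL_MATCH from: x@spam.invalid to: me@mydomain.com origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: (unknown)
Aug 26 08:12:03 plesk2 spamdyke[21022]: FILTER_RDNS_MISSING ip: 198.51.100.7
Aug 26 08:12:03 plesk2 spamdyke[21022]: DENIED_RDNS_MISSING from: y@spam.invalid to: me@mydomain.com origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown)
Aug 26 08:15:55 plesk2 spamdyke[21031]: FILTER_RBL_MATCH ip: 203.0.113.9 rbl: b.barracudacentral.org
Aug 26 08:15:55 plesk2 spamdyke[21031]: DENIED_RBL_MATCH from: z@spam.invalid to: me@mydomain.com origin_ip: 203.0.113.9 origin_rdns: host9.example.net auth: (unknown)
Aug 26 08:20:12 plesk2 spamdyke[21044]: ALLOWED from: b@example.com to: me@mydomain.com origin_ip: 192.0.2.11 origin_rdns: mx.example.com auth: (unknown)
"""

def parse_line(line):
    """Return (verdict, fields) for a spamdyke line, None for any other log line."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    return m.group("verdict"), dict(FIELD_RE.findall(m.group("rest")))

def summarize(lines):
    """Count per-connection verdicts and per-zone RBL hits. FILTER_* lines are verbose
    diagnostics that accompany the DENIED_* line for the same connection, so they feed
    the breakdowns but not the verdict total (percentage per connection, not per line)."""
    verdicts, rbl_hits, rdns_missing = Counter(), Counter(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        verdict, fields = parsed
        if verdict == "FILTER_RBL_MATCH":
            rbl_hits[fields.get("rbl", "(unknown)")] += 1
        elif verdict == "FILTER_RDNS_MISSING":
            rdns_missing += 1
        elif not verdict.startswith("FILTER_"):
            verdicts[verdict] += 1
    total = sum(verdicts.values())
    rejected = total - verdicts["ALLOWED"]
    return {"verdicts": verdicts, "rbl_hits": rbl_hits, "rdns_missing": rdns_missing,
            "total": total, "rejected": rejected,
            "pct_rejected": round(100.0 * rejected / total, 1) if total else 0.0}

def report(summary):
    """Render the counts in the shape of the per-stage output posted in the thread."""
    out = [f"ALLOWED Mails = {summary['verdicts']['ALLOWED']}",
           f"BLOCKED No RDNS entry = {summary['rdns_missing']}", "Listed in RBL"]
    out += [f"  {zone} = {n}" for zone, n in summary["rbl_hits"].most_common()]
    out.append(f"Rejected {summary['rejected']} of {summary['total']} connections "
               f"({summary['pct_rejected']}%)")
    return "\n".join(out)

if __name__ == "__main__":
    # python3 spamdyke_stats.py /usr/local/psa/var/log/maillog, or no argument for the sample
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(summarize(src)))
```

Run it with log-level=verbose in force, since the FILTER_* lines that give the per-zone breakdown are only written at that level (as the config's own comment notes).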


Re: [spamdyke-users] newbie question - please bear with me - some Spam getting through

2009-08-26 Thread Kulkarni Shantanu
* Eric Shubert e...@shubes.net [090826 21:09]:
 It'd be nice if there was a spamdyke tool that would allow one to easily 
 re-check an IP address to see if their server has subsequently been 
 fixed, as an aid in keeping the whitelist clean. Sort of a if a certain 
 IP address were to send an email to my server, would spamdyke reject 
 it? tool. What do you think, Sam?

No need to add extra code. You can write a shell script to
parse the logs daily and check each IP against the various tests. For
scripting DNS tests I recommend packages like dnsname/dnsq/dnsqr from the
djbdns suite.

Shantanu
-- 

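Eric's "would spamdyke reject this IP today?" tool, as an added example that is not part of the thread or of spamdyke: it applies the reject-empty-rdns, reject-unresolvable-rdns and dns-blacklist-entry checks from Christoph's config to each entry of an ip-whitelist-file through the system resolver, as Shantanu suggests scripting, rather than running spamdyke itself as in Sam's TCPREMOTEIP approach. The DNSBL answer convention (a 127.0.0.x record for a listed IP, no record otherwise), the lookup helpers and the whitelist-file handling are assumptions.

```python
import socket

# dns-blacklist-entry zones from the thread's config; the DNSBL convention assumed here
# is that a listed IP gets a 127.0.0.x answer and an unlisted one gets no record.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

def dnsbl_query_name(ip, zone):
    """DNSBL queries reverse the octets: 203.0.113.5 -> 5.113.0.203.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a full IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def system_ptr(ip):
    """Reverse lookup through the system resolver; None when the IP has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_a(name):
    """Forward lookup; None when the name does not resolve (NXDOMAIN for a DNSBL)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ip(ip, zones=ZONES, ptr=system_ptr, a=system_a):
    """Apply the reject-empty-rdns, reject-unresolvable-rdns and dns-blacklist-entry
    tests to one IP. ptr/a are injectable so the logic can be exercised offline."""
    rdns = ptr(ip)
    reasons = []
    if rdns is None:
        reasons.append("empty rdns")
    elif a(rdns) is None:
        reasons.append("unresolvable rdns")
    listed = {}
    for zone in zones:
        answer = a(dnsbl_query_name(ip, zone))
        if answer and answer.startswith("127."):
            listed[zone] = answer
            reasons.append(f"listed in {zone} ({answer})")
    return {"ip": ip, "rdns": rdns, "listed": listed, "reasons": reasons,
            "still_needs_whitelist": bool(reasons)}

def recheck_whitelist(lines, **kw):
    """Run check_ip over an ip-whitelist-file: one IP per line, '#' comments.
    Partial addresses and CIDR entries are skipped here (assumed file layout)."""
    results = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            results.append(check_ip(entry, **kw))
        except ValueError:
            continue
    return results

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/qmail/spamdyke/whitelist_ip"
    with open(path) as fh:
        for r in recheck_whitelist(fh):
            state = "keep" if r["still_needs_whitelist"] else "can be dropped"
            print(f"{r['ip']:<16} {state}: {', '.join(r['reasons']) or 'passes all checks'}")
```

An entry reported as "can be dropped" passes the three tests the script reproduces; spamdyke's other filters (greylisting, sender MX, keyword lists) are not modelled, so treat the output as a pruning hint rather than a full verdict.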