Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?

2004-09-19 Thread Loren Wilton
 For some reason, SPF is always claiming the lack of HELO in the received
headers, while they are clearly there.

Nope, they're not.

I'm attaching an example message file which I try to pass via spamassassin,
and get something like:

debug: SPF: checking HELO (helo=, ip=66.111.4.30)
debug: SPF: trimmed HELO down to ''
debug: SPF: cannot get HELO, cannot use SPF

Received: from frontend1.messagingengine.com ([66.111.4.30]) by localmta.org
with
Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
Received: from web4.messagingengine.com (web4.internal [10.202.2.213]) by
frontend1.messagingengine.com (Postfix) with ESMTP id 19E5CC154AE for
[EMAIL PROTECTED]; Sat, 18 Sep 2004 12:53:00 -0400 (EDT)

Those debug lines are pointing to the first received line above.  The HELO
name would normally appear between the ( and the [ of the dotquad address.
Nothing there.

The second received line does appear to have a HELO name on it.  However,
the address is in private space, so is not usable.

Loren



RE: SPF Fails on SA 3.0rc5 because of lack of HELO ?

2004-09-19 Thread Avi Shatz

Well, the way that Microsoft SMTP works here, is if the line is: 

Received: from frontend1.messagingengine.com ([66.111.4.30]) by
localmta.org with
Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300

The EHLO is: frontend1.messagingengine.com
The IP is: 66.111.4.30
The accepting Server is: localmta.org

I've double checked this, that first string is not the rDNS, it's clearly
the EHLO, and can be used.

Any ideas on how to solve this?

-Original Message-
From: Avi Shatz 
Sent: Sunday, September 19, 2004 2:18 AM
To: 'Loren Wilton'
Subject: RE: SPF Fails on SA 3.0rc5 because of lack of HELO ?

Well, the way that Microsoft SMTP works here, is if the line is: 

Received: from frontend1.messagingengine.com ([66.111.4.30]) by
localmta.org
with
Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300

The EHLO is: frontend1.messagingengine.com
The IP is: 66.111.4.30
The accepting Server is: localmta.org

I've double checked this, that first string is not the rDNS, it's clearly
the EHLO, and can be used.

Any ideas on how to solve this?

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 19, 2004 2:01 AM
To: users@spamassassin.apache.org
Subject: Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?

 For some reason, SPF is always claiming the lack of HELO in the
received
headers, while they are clearly there.

Nope, they're not.

I'm attaching an example message file which I try to pass via
spamassassin,
and get something like:

debug: SPF: checking HELO (helo=, ip=66.111.4.30)
debug: SPF: trimmed HELO down to ''
debug: SPF: cannot get HELO, cannot use SPF

Received: from frontend1.messagingengine.com ([66.111.4.30]) by
localmta.org
with
Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
Received: from web4.messagingengine.com (web4.internal [10.202.2.213])
by
frontend1.messagingengine.com (Postfix) with ESMTP id 19E5CC154AE
for
[EMAIL PROTECTED]; Sat, 18 Sep 2004 12:53:00 -0400 (EDT)

Those debug lines are pointing to the first received line above.  The
HELO
name would normally appear between the ( and the [ of the dotquad
address.
Nothing there.

The second received line does appear to have a HELO name on it.
However,
the address is in private space, so is not usable.

Loren



Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?

2004-09-19 Thread jdow
% host 66.111.4.30
30.4.111.66.in-addr.arpa domain name pointer frontend1.messagingengine.com.

You could not prove it by me that the name there is the HELO rather than
the rDNS lookup.

{^_^}
- Original Message - 
From: Avi Shatz [EMAIL PROTECTED]
 
 Well, the way that Microsoft SMTP works here, is if the line is: 
 
 Received: from frontend1.messagingengine.com ([66.111.4.30]) by
 localmta.org with
 Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
 
 The EHLO is: frontend1.messagingengine.com
 The IP is: 66.111.4.30
 The accepting Server is: localmta.org
 
 I've double checked this, that first string is not the rDNS, it's clearly
 the EHLO, and can be used.
 
 Any ideas on how to solve this?
 
 -Original Message-
 From: Avi Shatz 
 Sent: Sunday, September 19, 2004 2:18 AM
 To: 'Loren Wilton'
 Subject: RE: SPF Fails on SA 3.0rc5 because of lack of HELO ?
 
 Well, the way that Microsoft SMTP works here, is if the line is: 
 
 Received: from frontend1.messagingengine.com ([66.111.4.30]) by
 localmta.org
 with
 Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
 
 The EHLO is: frontend1.messagingengine.com
 The IP is: 66.111.4.30
 The accepting Server is: localmta.org
 
 I've double checked this, that first string is not the rDNS, it's clearly
 the EHLO, and can be used.
 
 Any ideas on how to solve this?
 
 -Original Message-
 From: Loren Wilton [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, September 19, 2004 2:01 AM
 To: users@spamassassin.apache.org
 Subject: Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?
 
  For some reason, SPF is always claiming the lack of HELO in the
 received
 headers, while they are clearly there.
 
 Nope, they're not.
 
 I'm attaching an example message file which I try to pass via
 spamassassin,
 and get something like:
 
 debug: SPF: checking HELO (helo=, ip=66.111.4.30)
 debug: SPF: trimmed HELO down to ''
 debug: SPF: cannot get HELO, cannot use SPF
 
 Received: from frontend1.messagingengine.com ([66.111.4.30]) by
 localmta.org
 with
 Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
 Received: from web4.messagingengine.com (web4.internal [10.202.2.213])
 by
 frontend1.messagingengine.com (Postfix) with ESMTP id 19E5CC154AE
 for
 [EMAIL PROTECTED]; Sat, 18 Sep 2004 12:53:00 -0400 (EDT)
 
 Those debug lines are pointing to the first received line above.  The
 HELO
 name would normally appear between the ( and the [ of the dotquad
 address.
 Nothing there.
 
 The second received line does appear to have a HELO name on it.
 However,
 the address is in private space, so is not usable.
 
 Loren



RE: SPF Fails on SA 3.0rc5 because of lack of HELO ?

2004-09-19 Thread Avi Shatz
Well, in that case it might just be also the rDNS, but I've tested more
than once:

telnet mailserver.localmta.org 25
ehlo blabla
[...]
Quit

Resulting header will show blabla rather than workstation.localmta.org

-Original Message-
From: jdow [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 19, 2004 2:42 AM
To: users@spamassassin.apache.org
Subject: Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?

% host 66.111.4.30
30.4.111.66.in-addr.arpa domain name pointer
frontend1.messagingengine.com.

You could not prove it by me that the name there is the HELO rather than
the rDNS lookup.

{^_^}
- Original Message - 
From: Avi Shatz [EMAIL PROTECTED]
 
 Well, the way that Microsoft SMTP works here, is if the line is: 
 
 Received: from frontend1.messagingengine.com ([66.111.4.30]) by
 localmta.org with
 Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
 
 The EHLO is: frontend1.messagingengine.com
 The IP is: 66.111.4.30
 The accepting Server is: localmta.org
 
 I've double checked this, that first string is not the rDNS, it's clearly
 the EHLO, and can be used.
 
 Any ideas on how to solve this?
 
 -Original Message-
 From: Avi Shatz 
 Sent: Sunday, September 19, 2004 2:18 AM
 To: 'Loren Wilton'
 Subject: RE: SPF Fails on SA 3.0rc5 because of lack of HELO ?
 
 Well, the way that Microsoft SMTP works here, is if the line is: 
 
 Received: from frontend1.messagingengine.com ([66.111.4.30]) by
 localmta.org
 with
 Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
 
 The EHLO is: frontend1.messagingengine.com
 The IP is: 66.111.4.30
 The accepting Server is: localmta.org
 
 I've double checked this, that first string is not the rDNS, it's clearly
 the EHLO, and can be used.
 
 Any ideas on how to solve this?
 
 -Original Message-
 From: Loren Wilton [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, September 19, 2004 2:01 AM
 To: users@spamassassin.apache.org
 Subject: Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?
 
  For some reason, SPF is always claiming the lack of HELO in the
 received
 headers, while they are clearly there.
 
 Nope, they're not.
 
 I'm attaching an example message file which I try to pass via
 spamassassin,
 and get something like:
 
 debug: SPF: checking HELO (helo=, ip=66.111.4.30)
 debug: SPF: trimmed HELO down to ''
 debug: SPF: cannot get HELO, cannot use SPF
 
 Received: from frontend1.messagingengine.com ([66.111.4.30]) by
 localmta.org
 with
 Microsoft SMTPSVC(6.0.3790.80); Sat, 18 Sep 2004 19:53:03 +0300
 Received: from web4.messagingengine.com (web4.internal [10.202.2.213])
 by
 frontend1.messagingengine.com (Postfix) with ESMTP id 19E5CC154AE
 for
 [EMAIL PROTECTED]; Sat, 18 Sep 2004 12:53:00 -0400 (EDT)
 
 Those debug lines are pointing to the first received line above.  The
 HELO
 name would normally appear between the ( and the [ of the dotquad
 address.
 Nothing there.
 
 The second received line does appear to have a HELO name on it.
 However,
 the address is in private space, so is not usable.
 
 Loren



AWL DoS?

2004-09-19 Thread Jason J. Ellingson
I'm sure someone thought of this, but I don't see it asked before... so...
=
1) Person X regularly gets emails from Person Y (good friends)

2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
FROM: address of Person Y.

3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.

4) Future emails from Person Y to Person X now get tagged as spam since AWL
keeps bumping up the score because of the GTUBE that was sent earlier.
=
I hope that makes sense...

I gotta think this isn't gonna happen... but anyone know if it can?  If so,
I'm not going to enable AWL on my server.

Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]




Re: AWL DoS?

2004-09-19 Thread Jim Sabatke
Jason J. Ellingson wrote:
I'm sure someone thought of this, but I don't see it asked before... so...
=
1) Person X regularly gets emails from Person Y (good friends)
2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
FROM: address of Person Y.
3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
4) Future emails from Person Y to Person X now get tagged as spam since AWL
keeps bumping up the score because of the GTUBE that was sent earlier.
=
I hope that makes sense...
I gotta think this isn't gonna happen... but anyone know if it can?  If so,
I'm not going to enable AWL on my server.

Jason J Ellingson
You have an evil mind.  I would like a scheme like this to 
get back at whoever bombed me with over 1000 p0rn spams in 
an hour the other day.
--
Jim Sabatke
Hire Me!! - See my resume at http://my.execpc.com/~jsabatke

Do not meddle in the affairs of Dragons, for you are crunchy 
and good with ketchup.

NOTE: Please do not email me any attachments with Microsoft 
extensions.  They
are deleted on my ISP's server before I ever see them, and 
no bounce message
is sent.


Re: Two logs for each daemon?

2004-09-19 Thread Mike Burger
You might want to direct this at a Samba list.

On Sat, 18 Sep 2004, Ed Kasky wrote:

 I just upgraded to 3.0.7-1 and noticed a slight oddity in the logs now being
 created.  In my smb.conf I have:
 
 log level = 2
 log file = /var/log/samba/%m.log
 
 Since upgrading I now get two logs for smbd and two for nmbd...
 
  114676 Sep 18 07:19 /var/log/samba/log.nmbd
  100728 Sep 18 15:35 /var/log/samba/nmbd.log
 4656 Sep 18 06:34 /var/log/samba/log.smbd
   55035 Sep 18 06:34 /var/log/samba/smbd.log
 
 I have not seen this with previous versions and was wondering if I might have 
 done something in the upgrade to cause this.
 
 Ed Kasky
 . . . . . . . . . . . . . . .
 Randomly generated quote:
 Success usually comes to those who are too busy to be looking for it.
 - Henry David Thoreau, naturalist and author (1817-1862)
 

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

[EMAIL PROTECTED]

with a message of: 

subscribe


Re: AWL DoS?

2004-09-19 Thread Bill Landry
- Original Message - 
From: Jason J. Ellingson [EMAIL PROTECTED]

 I'm sure someone thought of this, but I don't see it asked before... so...
 =
 1) Person X regularly gets emails from Person Y (good friends)

 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a
faked
 FROM: address of Person Y.

 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.

 4) Future emails from Person Y to Person X now get tagged as spam since
AWL
 keeps bumping up the score because of the GTUBE that was sent earlier.
 =
 I hope that makes sense...

Makes sense, but wouldn't work unless bad guy Z was also sending his GTUBE
message from the same address range that Person Y normally sends his messages
to Person X from.  Here is a snippet from the AWL database:

-2.9 (-2.9/1)  --  [EMAIL PROTECTED]|ip=216.33
 2.0 (2.0/1)   --  [EMAIL PROTECTED]|ip=64.225
 5.3 (5.3/1)   --  [EMAIL PROTECTED]|ip=67.171
 0.4 (0.8/2)   --  [EMAIL PROTECTED]|ip=205.244
-4.3 (-4.3/1)  --  [EMAIL PROTECTED]|ip=192.209

Note the ip=xxx.xxx at the end of each line, after the sender's e-mail
address.  This helps to prevent malicious activities like you've described.
It can happen, but not as easily as you thought (once again, the devs were
thinking ahead).

 I gotta think this isn't gonna happen... but anyone know if it can?  If
so,
 I'm not going to enable AWL on my server.

You're safe, go for it.

Bill



Re: AWL DoS?

2004-09-19 Thread William Stearns
Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:

 I'm sure someone thought of this, but I don't see it asked before... so...
 =
 1) Person X regularly gets emails from Person Y (good friends)
 
 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
 FROM: address of Person Y.
 
 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
 
 4) Future emails from Person Y to Person X now get tagged as spam since AWL
 keeps bumping up the score because of the GTUBE that was sent earlier.
 =
 I hope that makes sense...
 
 I gotta think this isn't gonna happen... but anyone know if it can?  If so,
 I'm not going to enable AWL on my server.

You're asking the right questions.
To the best of my knowledge, this has already been addressed.  
What goes in the AWL isn't just the raw email address, it's the email 
address plus the first two octets of the source IP address.  For someone 
to successfully attack this way, the attacker would need a legal IP 
address in the same class B network as the legitimate sender.
If sent from a different network, the +1000 user would show up in 
a different AWL entry than the legitimate sender.
Cheers,
- Bill

---
I am Homer of Borg! Prepare to be... OOooo! donuts!
(Courtesy of: Carlos Morgado [EMAIL PROTECTED])
--
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--


RE: AWL DoS?

2004-09-19 Thread Jason J. Ellingson
Okay, follow-up question: 

Where does SpamAssassin get the IP?  Is it the oldest IP in the received
headers (low), or the most recent (top)?

If it is oldest (assuming originating IP), then that could be faked easily
enough.

If it is top, then what does it do if there is no IP (as many SpamAssassin
implementations seem to have the message processed before adding appropriate
received headers.. tisk, tisk, tisk...)

Either way... a lot of people I know are on Comcast in the same town... they
are all on the same sub-b class network (/17 I think)...  So entirely
possible to have this nightmare happen.

Perhaps then, this is a time to look at using SPF along with AWL.  Have AWL
use the same record for all SPF'd IPs for that domain and then the usual
(change to a class c?) records for those falling outside the SPF's listed
IPs or no SPF for that domain.

It won't stop those who truly use the same server/subnet, but it should help
some?

Getting later at night... and I'm starting to become more muddled in my
thoughts... sorry.

Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]


-Original Message-
From: William Stearns [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 19, 2004 12:25 AM
To: Jason J. Ellingson
Cc: ML-spamassassin-talk; William Stearns
Subject: Re: AWL DoS?

Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:

 I'm sure someone thought of this, but I don't see it asked before... so...
 =
 1) Person X regularly gets emails from Person Y (good friends)
 
 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a
faked
 FROM: address of Person Y.
 
 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
 
 4) Future emails from Person Y to Person X now get tagged as spam since
AWL
 keeps bumping up the score because of the GTUBE that was sent earlier.
 =
 I hope that makes sense...
 
 I gotta think this isn't gonna happen... but anyone know if it can?  If
so,
 I'm not going to enable AWL on my server.

You're asking the right questions.
To the best of my knowledge, this has already been addressed.  
What goes in the AWL isn't just the raw email address, it's the email 
address plus the first two octets of the source IP address.  For someone 
to successfully attack this way, the attacker would need a legal IP 
address in the same class B network as the legitimate sender.
If sent from a different network, the +1000 user would show up in 
a different AWL entry than the legitimate sender.
Cheers,
- Bill

---
I am Homer of Borg! Prepare to be... OOooo! donuts!
(Courtesy of: Carlos Morgado [EMAIL PROTECTED])
--
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--





Re: AWL DoS?

2004-09-19 Thread Bill Landry
- Original Message - 
From: Jason J. Ellingson [EMAIL PROTECTED]

 Okay, follow-up question:

 Where does SpamAssassin get the IP?  Is it the oldest IP in the received
 headers (low), or the most recent (top)?

 If it is oldest (assuming originating IP), then that could be faked easily
 enough.

 If it is top, then what does it do if there is no IP (as many SpamAssassin
 implementations seem to have the message processed before adding
appropriate
 received headers.. tisk, tisk, tisk...)

 Either way... a lot of people I know are on Comcast in the same town...
they
 are all on the same sub-b class network (/17 I think)...  So entirely
 possible to have this nightmare happen.

I just tested this and it used the address range of the client computer I
sent the message from.  When I sent another message with the same e-mail
address but from a totally different subnet, it registered the same e-mail
address with the different client computer address range, thus, I had two
entries in the AWL database for the same e-mail address but with different
client ip nets.

Like you said, this address can be forged, but someone would really have to
put some effort into it just to IP someone's AWL database, which can then be
removed from the database even easier than it went in.  And using the
sending client machine IP address is certainly much safer and less prone to
abuse than it would be if the sending mail server's IP address were used.

Bill

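As an added illustration (example code written for this page, not SpamAssassin's AWL implementation and not code from anyone in the thread), the Python below models the keying that Bill Landry's AWL dump and William Stearns' explanation describe, the sender address plus the first two octets of the sending client's address, and replays Jason's four steps against it: a forged GTUBE from an unrelated network lands in a separate entry and leaves Person Y's score alone, one sent from inside the same /16 does poison the entry, and removing that key (the clean-up Bill mentions) restores it. The prefix_octets parameter also tries the "class C" variant Jason raises. The 0.5 smoothing factor, the sample addresses and scores, and the ip=none key for messages without a client address are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample identities, addresses and scores for the illustration.
FRIEND = "friend@example.invalid"          # Person Y, the legitimate correspondent
FRIEND_IP = "64.225.10.20"                 # network Person Y normally sends from
FORGER_OTHER_NET = "216.33.5.5"            # Person Z, on an unrelated network
FORGER_SAME_NET = "64.225.200.1"           # Person Z, inside Person Y's /16
GTUBE_SCORE = 1000.0                       # the thread's figure for a GTUBE hit
HAM_SCORE = -2.0                           # typical score of Person Y's mail


def awl_key(sender: str, client_ip: Optional[str], prefix_octets: int = 2) -> str:
    """AWL key as the thread describes it: sender address plus the leading
    octets of the sending client's IPv4 address (two octets, the /16, by
    default; three gives the "class C" variant Jason asks about).  A message
    with no usable client address is keyed ip=none, an assumption made here."""
    if not 1 <= prefix_octets <= 4:
        raise ValueError("prefix_octets must be 1..4")
    if client_ip is None:
        net = "none"
    else:
        octets = client_ip.split(".")
        if len(octets) != 4:
            raise ValueError(f"IPv4 dotted quad expected, got {client_ip!r}")
        net = ".".join(octets[:prefix_octets])
    return f"{sender.strip().lower()}|ip={net}"


@dataclass
class AwlEntry:
    total: float = 0.0    # sum of raw (pre-AWL) scores seen for this key
    count: int = 0        # number of messages seen for this key

    @property
    def mean(self) -> float:
        return self.total / self.count if self.count else 0.0


class AutoWhitelist:
    """Simplified model of AWL scoring: pull a message's score part-way toward
    the historical mean for its key, then record the raw score.  The 0.5
    factor is this model's choice, not a value taken from the thread."""

    def __init__(self, prefix_octets: int = 2, factor: float = 0.5):
        self.prefix_octets = prefix_octets
        self.factor = factor
        self.db: Dict[str, AwlEntry] = {}

    def adjust(self, sender: str, client_ip: Optional[str], score: float) -> float:
        key = awl_key(sender, client_ip, self.prefix_octets)
        entry = self.db.setdefault(key, AwlEntry())
        adjusted = score + self.factor * (entry.mean - score) if entry.count else score
        entry.total += score
        entry.count += 1
        return adjusted

    def remove(self, sender: str, client_ip: Optional[str]) -> bool:
        """Drop one key: the clean-up Bill mentions for a poisoned entry."""
        return self.db.pop(awl_key(sender, client_ip, self.prefix_octets), None) is not None

    def dump(self) -> List[str]:
        """Entries in the layout of the AWL snippet quoted in the thread."""
        return [f"{e.mean:.1f} ({e.total:.1f}/{e.count})  --  {k}"
                for k, e in sorted(self.db.items())]


def run_scenario(prefix_octets: int = 2) -> Dict[str, float]:
    """Replay Jason's four steps and return Person Y's adjusted scores."""
    awl = AutoWhitelist(prefix_octets=prefix_octets)
    for _ in range(3):                                 # step 1: established good history
        awl.adjust(FRIEND, FRIEND_IP, HAM_SCORE)
    out: Dict[str, float] = {}
    awl.adjust(FRIEND, FORGER_OTHER_NET, GTUBE_SCORE)  # steps 2-3 from an unrelated network
    out["after_forgery_other_net"] = awl.adjust(FRIEND, FRIEND_IP, HAM_SCORE)
    awl.adjust(FRIEND, FORGER_SAME_NET, GTUBE_SCORE)   # steps 2-3 again, from inside the /16
    out["after_forgery_same_net"] = awl.adjust(FRIEND, FRIEND_IP, HAM_SCORE)
    awl.remove(FRIEND, FRIEND_IP)                      # operator clears the poisoned key
    out["after_removal"] = awl.adjust(FRIEND, FRIEND_IP, HAM_SCORE)
    return out


if __name__ == "__main__":
    for octets in (2, 3):
        print(f"prefix of {octets} octets:", run_scenario(octets))
```

With the two-octet key Person Y's message after the same-network forgery comes back well above any sane spam threshold, which is exactly the outcome Jason worries about, while the forgery from another network never touches Person Y's entry; with a three-octet key even the same-/16 forgery is isolated, at the cost of splitting a legitimate sender's history across more entries.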


Re: spam@uce.gov bouncing?

2004-09-19 Thread Ed Kasky
Not mine and I sent about 25 or so about an hour ago.

I have seen it once or twice in the past but it was temporary.  I 
attributed it to a busy or down server.

On Sat, 18 Sep 2004, Roger E. Rustad, Jr. wrote:
 Is anyone else's [EMAIL PROTECTED] e-mail bouncing?
 
 All the mail I've forwarded there over the last day or so has been
 getting 
 returned with
 
   Delay reason: Connection refused

. . . . . . . . . . . . . . .
Randomly generated quote:
What happens when your fortune cookie contradicts your horoscope?



Re: AWL DoS?

2004-09-19 Thread tBB
On Sat, 18 Sep 2004 20:05:29 -0500
Jason J. Ellingson [EMAIL PROTECTED] wrote:

 I'm sure someone thought of this, but I don't see it asked before... so...
 =
 1) Person X regularly gets emails from Person Y (good friends)
 
 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
 FROM: address of Person Y.
 
 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
 
 4) Future emails from Person Y to Person X now get tagged as spam since AWL
 keeps bumping up the score because of the GTUBE that was sent earlier.
 =
 I hope that makes sense...

I would suggest to simply set GTUBE to a very low score unless you
really want to test something.

+---+
- Mailto: [EMAIL PROTECTED]
- No HTML mails please
+---+



Re: AWL DoS?

2004-09-19 Thread Raymond Dijkxhoorn
Hi!
I gotta think this isn't gonna happen... but anyone know if it can?  If so,
I'm not going to enable AWL on my server.
You're asking the right questions.
To the best of my knowledge, this has already been addressed.
What goes in the AWL isn't just the raw email address, it's the email
address plus the first two octets of the source IP address.  For someone
to successfully attack this way, the attacker would need a legal IP
address in the same class B network as the legitimate sender.
If sent from a different network, the +1000 user would show up in
a different AWL entry than the legitimate sender.
We turned off AWL, we had a customer that forwarded two spam messages to 
our helpdesk, the third normal message never came in, since his AWL beat 
him...

For us it didnt work out.
Bye,
Raymond.


Re: AWL DoS?

2004-09-19 Thread Bill Landry
- Original Message - 
From: Raymond Dijkxhoorn [EMAIL PROTECTED]

 We turned off AWL, we had a customer that forwarded two spam messages to 
 our helpdesk, the third normal message never came in, since his AWL beat 
 him...

Probably should not be spam filtering postmaster/abuse/support e-mails.

Bill


Re: AWL DoS?

2004-09-19 Thread William Stearns
Good afternoon, Raymond, all,
(Raymond, you probably already know this, but I wanted to quickly
cover it for other people that may also be considering whether or not to
use AWL).

On Sun, 19 Sep 2004, Raymond Dijkxhoorn wrote:

  I gotta think this isn't gonna happen... but anyone know if it can?  If so,
  I'm not going to enable AWL on my server.
 
  To the best of my knowledge, this has already been addressed.
  What goes in the AWL isn't just the raw email address, it's the email
  address plus the first two octets of the source IP address.  For someone
  to successfully attack this way, the attacker would need a legal IP
  address in the same class B network as the legitimate sender.
  If sent from a different network, the +1000 user would show up in
  a different AWL entry than the legitimate sender.
 
 We turned off AWL, we had a customer that forwarded two spam messages to 
 our helpdesk, the third normal message never came in, since his AWL beat 
 him...

That's a different issue.  If the customer used _forward_ rather 
than _bounce_, SA treats the entire message as coming from that email 
address and class B network, so yes, the customer's AWL score will be 
hurt.
This is why people are encouraged to _bounce_ the original 
message, so the sender email address is still the original one, and then 
won't hurt the customer.
http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
http://www.stearns.org/doc/spamassassin-setup.current.html#redirect
Cheers,
- Bill

---
Nothing in the Constitution compels us to listen to or view any
unwanted communication, whatever its merit... The ancient concept that
`a man's home is his castle' into which `not even the king may enter'
has lost none of its vitality... We therefore categorically reject the
argument that a vendor has a right under the Constitution or otherwise
to send unwanted material into the home of another. If this prohibition
operates to impede the flow of even valid ideas, the answer is that no
one has a right to press even `good' ideas on an unwilling recipient.
That we are often `captives' outside the sanctuary of the home and
subject to objectionable speech and other sound does not mean we must be
captives everywhere... The asserted right of a mailer, we repeat, stops
at the outer boundary of every person's domain.
-- Chief Justice Burger, U.S. Supreme Court
http://www.euro.cauce.org/en/freespeech.html#rowan
--
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--


Re: AWL DoS?

2004-09-19 Thread Bill Landry
 - Original Message - 
 From: William Stearns [EMAIL PROTECTED]

  Good afternoon, Raymond, all,
  (Raymond, you probably already know this, but I wanted to quickly
  cover it for other people that may also be considering whether or not to
  use AWL).
 
 [SNIP]
  That's a different issue.  If the customer used _forward_ rather
  than _bounce_, SA treats the entire message as coming from that email
  address and class B network, so yes, the customer's AWL score will be
  hurt.
  This is why people are encouraged to _bounce_ the original
  message, so the sender email address is still the original one, and then
  won't hurt the customer.
  http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
 
http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
  http://www.stearns.org/doc/spamassassin-setup.current.html#redirect

 Probably unrealistic to expect customers to know how to bounce a
message.
 Much better to simply not spam filter critical e-mail accounts like
 postmaster/abuse/support/sales/etc.

Sorry for replying to my own post, but just wanted to also note that many of
the most commonly used e-mail clients sadly do not support the bounce
feature.

Bill



Re: AWL DoS?

2004-09-19 Thread Raymond Dijkxhoorn
Hi!
This is why people are encouraged to _bounce_ the original
message, so the sender email address is still the original one, and then
won't hurt the customer.
http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
http://www.stearns.org/doc/spamassassin-setup.current.html#redirect
Probably unrealistic to expect customers to know how to bounce a message.
Yes. Exactly my point.
Much better to simply not spam filter critical e-mail accounts like
postmaster/abuse/support/sales/etc.
With around 35.000-70.000 mails to those above boxes daily that's not
really do-able...

Bye,
Raymond.


Re: AWL DoS?

2004-09-19 Thread Bill Landry
- Original Message - 
From: Raymond Dijkxhoorn [EMAIL PROTECTED]

  Probably unrealistic to expect customers to know how to bounce a
message.

 Yes. Exactly my point.

  Much better to simply not spam filter critical e-mail accounts like
  postmaster/abuse/support/sales/etc.

 With around 35.000-70.000 mails to those above boxes daily that's not
 really do-able...

Do you see a lot of spam to these addresses?  The reason I'm asking is
because we don't.  Too bad there's not a way to exclude certain recipient
addresses like postmaster/abuse/support/sales/etc. from AWL (hint to devs).
That way you could still run all of your other SA spam tests against
messages to these accounts, without potentially poisoning your AWL database
when spam is forwarded to the support or spam account from customers.

Bill



RE: SPF Fails on SA 3.0rc5 because of lack of HELO ?

2004-09-19 Thread Avi Shatz
The only thing I wanted to prove with this is that line, that is created by my 
local mail server (the last hop, and the most important one for SPF), does 
indeed contain the EHLO string that isn't detected correctly by SA 3.0rc5.

And since nothing is special about my own MS SMTPSVC (Win2k3 SMTP Server), I 
believe the behavior of received.pm should be changed to allow SA running on 
those machines to properly detect the EHLO string, and thus allow SPF Detection 
to properly execute.


-Original Message-
From: Kai Schaetzl [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 19, 2004 4:27 PM
To: users@spamassassin.apache.org
Subject: Re: SPF Fails on SA 3.0rc5 because of lack of HELO ?

Avi Shatz wrote on Sun, 19 Sep 2004 02:52:49 +0300:

 telnet mailserver.localmta.org 25
 ehlo blabla


What do you want to prove with this? What needs to happen is that 
[66.111.4.30] sends a HELO with an FQDN when it connects to another SMTP. 
Your example above doesn't prove this, it just proves that you know how to 
do an SMTP handshake. At least if the SMTPSVC received lines usually show 
the HELO then, indeed, it seems to be missing.


Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de  http://msie.winware.org

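The whole SPF sub-thread turns on how the HELO is recovered from a Received: line, so here is an added Python example (written for this page; it is not SpamAssassin's Received.pm and not code from anyone in the thread) that parses the two header layouts quoted above and applies the three conditions the participants raise: Loren's reading that the HELO sits between the ( and the [ of the dotted quad and that a client address in private space is unusable, Avi's observation that Microsoft SMTPSVC writes the EHLO name directly after "from", and Kai's point that the HELO has to be a fully-qualified name. The NAME_IS_HELO_MTAS trust list, the Hop type and the sample headers (unfolded copies of the two quoted lines, with a placeholder recipient) are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: unfolded copies of the two Received: lines quoted
# in the thread (the recipient address is a placeholder).
RECEIVED_SMTPSVC = (
    "Received: from frontend1.messagingengine.com ([66.111.4.30]) by "
    "localmta.org with Microsoft SMTPSVC(6.0.3790.80); "
    "Sat, 18 Sep 2004 19:53:03 +0300"
)
RECEIVED_POSTFIX = (
    "Received: from web4.messagingengine.com (web4.internal [10.202.2.213]) by "
    "frontend1.messagingengine.com (Postfix) with ESMTP id 19E5CC154AE for "
    "<recipient@example.invalid>; Sat, 18 Sep 2004 12:53:00 -0400 (EDT)"
)

# Local policy, an assumption of this example rather than SpamAssassin's table:
# receiving MTAs whose "from <name> ([<ip>])" layout is known (from a test like
# Avi's "ehlo blabla") to put the client's HELO/EHLO name after "from".
NAME_IS_HELO_MTAS = ("Microsoft SMTPSVC",)

# "from <name> (<rdns> [<ip>]) by <host> (<comment>) with <software>;"
# with the rDNS and the by-comment both optional.
_RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<name>\S+)\s*"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s*"
    r"by\s+(?P<by>\S+)(?:\s+\([^)]*\))?\s+with\s+(?P<with>[^;]+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    name: str              # token right after "from", whatever it turns out to be
    ip: str                # client address from the [...] literal
    by: str                # receiving host
    mta: str               # software named after "with"
    helo: Optional[str]    # client's HELO/EHLO, or None when not recoverable
    rdns: Optional[str]    # reverse DNS recorded by the receiver, or None


def parse_received(header: str) -> Optional[Hop]:
    """Recover client IP, HELO and rDNS from one Received: header.

    "from <helo> (<rdns> [<ip>])" carries both names, so the HELO is the token
    after "from".  "from <name> ([<ip>])" carries one name only; it counts as
    the HELO just when the receiving MTA is in NAME_IS_HELO_MTAS, otherwise the
    HELO is reported missing, the situation in the thread's debug output.
    """
    text = " ".join(header.split())      # unfold continuation lines
    m = _RECEIVED_RE.match(text)
    if not m:
        return None
    name, rdns, ip, by, mta = (m.group(g) for g in ("name", "rdns", "ip", "by", "with"))
    mta = mta.strip()
    if rdns is not None:
        return Hop(name, ip, by, mta, helo=name, rdns=rdns)
    if mta.startswith(NAME_IS_HELO_MTAS):
        return Hop(name, ip, by, mta, helo=name, rdns=None)
    return Hop(name, ip, by, mta, helo=None, rdns=None)


def spf_helo_usable(hop: Hop) -> Tuple[bool, str]:
    """Say whether an SPF HELO check can run for this hop and, if not, why.

    The three conditions are the ones raised in the thread: no recorded HELO,
    a client address in private (non-routable) space, and a HELO that is not a
    fully-qualified domain name.
    """
    if not hop.helo:
        return False, "cannot get HELO, cannot use SPF"
    try:
        addr = ipaddress.ip_address(hop.ip)
    except ValueError:
        return False, f"client address {hop.ip!r} is not a valid IP literal"
    if not addr.is_global:
        return False, f"client address {hop.ip} is in private or reserved space"
    if hop.helo.startswith("[") or "." not in hop.helo.strip("."):
        return False, f"HELO {hop.helo!r} is not a fully-qualified domain name"
    return True, f"checking HELO (helo={hop.helo}, ip={hop.ip})"


if __name__ == "__main__":
    for header in (RECEIVED_SMTPSVC, RECEIVED_POSTFIX):
        hop = parse_received(header)
        usable, reason = spf_helo_usable(hop)
        print(f"{hop.ip:>13}  helo={hop.helo!s:<30} rdns={hop.rdns!s:<14} -> {reason}")
```

For an MTA not in NAME_IS_HELO_MTAS the same "from name ([ip])" layout yields no HELO at all, which reproduces the "cannot get HELO, cannot use SPF" outcome Loren quotes; adding an MTA to that list is a local decision that should rest on a test like Avi's against one's own server (connect, send a deliberately odd EHLO, confirm that string and not the reverse name appears in the header), since jdow's objection that the name could equally be the rDNS cannot be settled from the header alone.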




Re: After starting spamd, spamc fails to connect to it and spamd stops running!?

2004-09-19 Thread hug
After all that it seems my problems were related to having changed versions
of perl and spamd's inability to find the new libraries on its path.

Many thanks all for your help!


hugh
- Original Message - 
From: Chris Santerre [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Spamassassin-Talk (E-mail) [EMAIL PROTECTED]
Sent: Friday, September 17, 2004 3:09 PM
Subject: RE: After starting spamd, spamc fails to connect to it and spamd
stops running!?




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Friday, September 17, 2004 7:02 AM
 To: users@spamassassin.apache.org
 Subject: After starting spamd, spamc fails to connect to it and spamd
 stops running!?
 
 
 Will anyone please help me?
 
  I've recently had a working sitewide install of spamassassin
 stop working
 and it's very upsetting! :(
 
 Many thanks.
 
 hugh
 
 
 -- My problem:
 *snip*
 -- My setup:
 
 Red Hat 7.3
 SA 2.64 (site wide install using /etc/procmailrc - see below)
 Perl 5.6.1
 
 -- Contents of /etc/procmailrc:
 
 DROPPRIVS=yes
 :0fw
 | /usr/bin/spamc -f
 
 -- From /var/log/maillog
 
 Sep 17 11:20:24 wibble spamc[6273]: connect(AF_INET) to spamd
 at 127.0.0.1
 failed, retrying (#1 of 3): Connection refused
 Sep 17 11:20:25 wibble spamc[6273]: connect(AF_INET) to spamd
 at 127.0.0.1
 failed, retrying (#2 of 3): Connection refused
 Sep 17 11:20:26 wibble spamc[6273]: connect(AF_INET) to spamd
 at 127.0.0.1
 failed, retrying (#3 of 3): Connection refused
 Sep 17 11:20:27 wibble spamc[6273]: connection attempt to spamd aborted
 after 3 retries


 It might be a permissions problem. Can you call spamc with the -u and a
 particular user with permissions?

 --Chris



Re: AWL DoS?

2004-09-19 Thread Will Yardley
On Sun, Sep 19, 2004 at 08:08:24AM -0700, Bill Landry wrote:
 From: Raymond Dijkxhoorn [EMAIL PROTECTED]

   Much better to simply not spam filter critical e-mail accounts
   like postmaster/abuse/support/sales/etc.

  With around 35.000-70.000 mails to those above boxes daily that's not
  really do-able...
 
 Do you see a lot of spam to these addresses?  The reason I'm asking is
 because we don't.

At our organization, we see a /LOT/ of spam and viruses to these
addresses, especially because we're already exempting them from our
usual dnsbl checks. And, of course, most of the spam that hits these
addresses is not even worth reporting - sent via open proxies, hosted
via rogue ISPs overseas.

abuse@ we don't filter for obvious reasons. Just making a rough guess,
I'd say we probably get 30-40 spam / virus messages for every actual
message of any sort... I just did a quick straw poll, and since
yesterday afternoon (24 hours) our abuse box received about 28 viruses
/ bounces from viruses, and 30 spams.

Support gets a ton as well - but we ultimately just started only
allowing through messages from addresses that are in our customer
database, or responses to ongoing support cases; obviously we have other
ways for customers to submit support tickets if they're unable to email
us.

Not perfect, perhaps, but neither is deleting huge volumes of spam from
our customer support system's interface. 



Re: Delivery failure (users@spamassassin.apache.org)

2004-09-19 Thread Will Yardley
Anyone else seeing this junk when sending messages to the list?

gbierman at mochamail.com, apparently the address at this site
subscribed to the SA users list - please tell the postmaster of your
system to fix this.

On Sun, Sep 19, 2004 at 12:03:01PM -0700, [EMAIL PROTECTED] wrote:

 users@spamassassin.apache.org
 Delivery failed
 550 SPF forgery: Please see 
 http://spf.pobox.com/why.html?sender=sa-users%40veggiechinese.net&ip=147.208.128.11&receiver=hermes.apache.org
 
Please fix your brokenware

1) The envelope-sender of mail from the SA-users mailing list would be
the list address, not my address. SPF is supposed to check the
envelope-sender address, not the From:  address in the message
headers. See also:
http://spf.pobox.com/faq.html#whichfield
which specifically explains the issues you must 

2) Your system is also apparently sending the delivery failure to the
From:  address of the email, rather than to the envelope-sender.

 Reporting-MTA: dns; rockpub4.rockliffe.com
 Received-From-MTA: dns; rockpub4.rockliffe.com (mail.rockliffe.com 
 [10.42.2.30])
 Arrival-Date: Sun, 19 Sep 2004 12:02:58 -0700
 
 Final-Recipient: rfc822; users@spamassassin.apache.org
 Action: failed
 Status: 5.0.0 (Permanent failure - no additional status information available)
 Remote-MTA: dns; mail.apache.org
 Diagnostic-Code: smtp; 550 SPF forgery: Please see
 
 http://spf.pobox.com/why.html?sender=sa-users%40veggiechinese.net&ip=147.208.128.11&receiver=hermes.apache.org

 X-Spam-Score: 1
 Received: from rockpub4.rockliffe.com (mail.rockliffe.com [10.42.2.30]) by 
 rockliffe.com
  (Rockliffe SMTPRA 6.1.16) with ESMTP id [EMAIL PROTECTED] for 
 users@spamassassin.apache.org;
  Sun, 19 Sep 2004 12:02:58 -0700
 X-Spam-Score: 1
 Received: from mail.apache.org (hermes.apache.org [209.237.227.199]) by 
 rockliffe.com
  (Rockliffe SMTPRA 6.1.16) with SMTP id [EMAIL PROTECTED] for [EMAIL 
 PROTECTED];


SpamAssassin postfix mysql virtual users courier-imap help

2004-09-19 Thread Michael T. Halligan
Greetings,

I'm testing a new mailserver now based on
the HOWTO at workaround.org/articles/ispmail-sarge/ and have
a couple of remaining issues before I can actually deploy this.

1. How do I use whitelists in a configuration where users don't
have their own UID/GID since everything is owned by the virtual mail
account?

2. Any good ideas on how to make spamassassin move messages marked
as spam to /home/virtual/[EMAIL PROTECTED]/spam/ (keeping in mind that
this is a courier/Maildir setup) ? 

I really appreciate any help!

---
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
(415) 724.7998 - Mobile