SpamAssassin on Exchange...

2004-12-31 Thread Eric C Sandquist
I have gotten SpamAssassin (Latest Release) to work with Exchange using
one of the sinks.

It seems to be doing a wonderful job of catching spam..

BUT --- It is also damaging attachments, specifically PDFs. Any
ideas??? I seem to remember this happening a couple of years ago.

Uuuggghhh, why did management dump my Linux server

Sincerely

Eric Sandquist












Re: 2.63 DoS vulnerability (was: problems matching the dollar sign ($))

2004-12-31 Thread Matt Kettler
At 09:53 AM 12/30/2004, Rainer Sokoll wrote:
> On Thu, Dec 30, 2004 at 08:36:00AM -0500, Josh Endries wrote:
> > body and rawbody. This is with SA 2.63 and Perl 5.005_03, which I
> > can't upgrade :(.
> You do not have to upgrade perl, you can have a 2nd install instead.

And if Josh chooses to not upgrade perl, he should at least upgrade SA to
2.64 ASAP...

2.50-2.63 all have a malformed message DoS vulnerability.
And no, this isn't new news, it was in 2.64's release announcement back in
August:

http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767&w=2

Not to mention being reported in dozens of security databases, including CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796



OT - MySQL/SA/PTR records

2004-12-31 Thread Nigel Frankcom
Hi all,

Just a quick note to say, I *finally* got my SA working faster by
adding PTR records for the MySQL server.

The speed difference is astounding, on FC3 the turnaround time on a
test mail has gone from 1 minute plus down to 1 - 2 seconds.

Standard mail is running so much faster that comparing it is unfair.

Many, many thanks to James Rallo for supplying the fix.

Happy New Year to all

Nigel




Re: OT - MySQL/SA/PTR records

2004-12-31 Thread Kenneth Porter
--On Friday, December 31, 2004 1:19 AM + Nigel Frankcom
[EMAIL PROTECTED] wrote:

> Just a quick note to say, I *finally* got my SA working faster by
> adding PTR records for the MySQL server.

What was actually checking for the PTR records? I.e., what other MySQL
clients could benefit from this? Or is this just an SA thing?




Re: OT - MySQL/SA/PTR records

2004-12-31 Thread Matt Kettler
At 08:19 PM 12/30/2004, Nigel Frankcom wrote:
> Just a quick note to say, I *finally* got my SA working faster by
> adding PTR records for the MySQL server.

*grin*.. never underestimate the importance of having PTR records, or hosts
file entries, for all of your machines.

A lot of services have support for access-restriction by hostname, thus
have to RDNS all incoming connections..

Other apps (mostly LAN scale apps) will just RDNS them for logging
purposes. This isn't much of a problem, since all hosts on the local LAN
should always have a valid PTR unless they are bogons.

Either way, an app that has to keep timing out RDNS operations is going to
be painfully slow.




Re: OT - MySQL/SA/PTR records

2004-12-31 Thread Kenneth Porter
--On Thursday, December 30, 2004 9:33 PM -0500 Matt Kettler
[EMAIL PROTECTED] wrote:

> *grin*.. never underestimate the importance of having PTR records, or
> hosts file entries, for all of your machines.

What happens when we all go to IPv6? There seems to be some disagreement
over how much reverse support will be deployed.




Re: OT - MySQL/SA/PTR records

2004-12-31 Thread Theo Van Dinter
On Thu, Dec 30, 2004 at 06:52:22PM -0800, Kenneth Porter wrote:
> What happens when we all go to IPv6? There seems to be some disagreement
> over how much reverse support will be deployed.

If IPv6 support was added, mkrdns (http://www.mkrdns.org/) would make the
reverse entries trivially managed. ;)

-- 
Randomly Generated Tagline:
As I uploaded the resultant kernel, a specter of the holy penguin
 appeared before me, and said It is Good. It is Bugfree. As if wanting
 to re-assure me that yes, it really =was= the holy penguin, it finally
 added Do you have any Herring? before fading out in a puff of holy
 penguin-smoke. - Linus Torvalds




Re: SpamAssassin on Exchange...

2004-12-31 Thread Loren Wilton
Doesn't seem that SA itself should be able to do this, since it isn't
supposed to change the mail except to add the scores.  I suppose it could be
a line-ending problem if you are running SA itself on Windows.

But I'd more think this is a problem with whatever tool you have used to
integrate SA with the mail path in Exchange.

Loren



Training SA with postfix

2004-12-31 Thread Jason Gauthier
Hey all,

I've just spent a good amount of time installing postfix, amavis-new, clamAV and SA (with DCC, razor, pyzor) -- [All the latest versions]

I'm trying to figure out if there is any way I can incorporate sa-learn to learn ham based on what my people send through the box. This is a relay only server, which from my reading, kind of complicates things.

My end goal, if possible, is to have sa-learn train itself on ham whenever I send mail outbound.

Is this possible? If so, can someone help me with how it's done or point me to documentation?





Re: Training SA with postfix

2004-12-31 Thread Matt Kettler
At 09:10 AM 12/31/2004 -0500, Jason Gauthier wrote:
> I'm trying to figure out if there is any way I can incorporate sa-learn to
> learn ham based on what my people send through the box.   This is a relay
> only server, which from my reading, kind of complicates things.
>
> My end goal, if possible, is to have sa-learn train itself on ham whenever
> I send mail outbound.
>
> Is this possible?  If so, can someone help me with how it's done or point
> me to documentation?

One possible way of approximating this is to take some advantage of the 
autolearner...

Write yourself a negative scoring rule that looks at the Received: headers 
for signs of relay from the inside. For added security against forgery you 
could use a meta rule and also check other header fields (message ID, from, 
etc).

With a decently hefty negative scoring rule firing, the autolearner should 
try to learn most of the messages as ham.



Re: SpamAssassin on Exchange...

2004-12-31 Thread JamesDR
Which tool are you using to connect between exchange and spamassassin?
Thanks,
JamesDR


Rules du Jour 2 (beta) -- Testers Wanted

2004-12-31 Thread Chris Thielen
contact me if interested




RE: Forwarding mail as an attachment from M-^%@#%$#$@!!!-S Outlook

2004-12-31 Thread Brian Sneddon
> -----Original Message-----
> From: Kris Deugau [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 31, 2004 12:22 PM
> To: users@spamassassin.apache.org
> Subject: Forwarding mail as an attachment from
> M-^%@#%$#$@!!!-S Outlook
>
> I know I've seen a number of suggestions here and there for How to
> forward mail as an attachment from MS Outlook.  I've searched through
> the archives - more or less - and haven't quite found what I'm certain
> I've seen.
>
> So:  How do you forward a message as an attachment from MS Outlook, and
> which version(s) of Outlook does that particular method work for?

I just have users compose a new email and then drag the old mail from their
Inbox into the new email and send it.  This preserves the headers of the old
email so I can drag the attached message out of their email and review it.

Brian


RE: Forwarding mail as an attachment from M-^%@#%$#$@!!!-S Outlook

2004-12-31 Thread Rob McEwen (PowerView Systems)
> I just have users compose a new email and then drag the old mail from their
> Inbox into the new email and send it.  This preserves the headers of the old
> email so I can drag the attached message out of their email and review it.

Great solution... but a pain to try to explain to novice and/or non-technical 
users.

I can't figure out why Outlook Express has the forward as attachment option 
right there in the menu, but Outlook doesn't?? Weird.

BTW, (slightly off topic), I also hate the way that clicking on a link within 
Outlook will take over an existing MS Explorer window when I'd rather it open a 
new window and not interfere. Is there a way to change the default behavior for 
this?

Rob McEwen


Re: Forwarding mail as an attachment from M-^%@#%$#$@!!!-S Outlook

2004-12-31 Thread Loren Wilton
> If the best possible with some version is resending or something like

Do not 'resend'.  This will mash the headers.

The simplest method (but not necessarily for the user) is to have the user
create a new mail message, address it to [EMAIL PROTECTED] (or whatever) and
then drag the spam message from their inbox into the message, then send the
new message.  Dragging the spam from the inbox will turn it into an attachment.
Usually this will be a mime attachment.  Sometimes various versions of
Outlook might decide to do it as a UUEncoded part of the body.  (Usually
this only happens when you send an attachment using the Send to menu item
in some other program like Word.)

Obviously you can have a global address book entry for the spam and ham
addresses so that the user can just enter spam or ham or the like to
simplify things a little.

The trick though is dropping the spam message into a new message to make it
an attachment.  Forwarding or resending the spam will mash the headers
beyond use.  Of course, then you have to unwrap the attachment to process
the original message.


Another easier way is to make some IMAP folders on your server, possibly as
public folders, and then have the users attach to these folders.  Then they
can right-click on the spam message, select copy to folder, and select the
spam folder.  That will do it for them, and you will get nice clean spam
messages in your spam folder.  You can have a cron job harvest the folder
and clean it out every so often.

Loren



Re: Forwarding mail as an attachment from M-^%@#%$#$@!!!-S Outlook

2004-12-31 Thread Loren Wilton
> BTW, (slightly off topic), I also hate the way that clicking on a link
> within Outlook will take over an existing MS Explorer window when I'd rather
> it open a new window and not interfere. Is there a way to change the default
> behavior for this?

In OE you can shift-click to get a new window, but this doesn't seem to work
in Outlook.

Best I've found so far is to try to remember to open an empty IE window,
*then* click the link.

Loren



Re: Forwarding mail as an attachment from M-^%@#%$#$@!!!-S Outlook

2004-12-31 Thread Homer Parker
On Fri, 2004-12-31 at 12:22 -0500, Kris Deugau wrote:

> So:  How do you forward a message as an attachment from MS Outlook, and
> which version(s) of Outlook does that particular method work for?
>
> If the best possible with some version is resending or something like
> Pine's bounce capability, how is that done and what does it mangle?
> (It *will* mangle things, because new, *legitimate* headers get added.)

Take a look at:

http://www.spamcop.net/fom-serve/cache/19.html

-- 
Homer Parker [EMAIL PROTECTED]



RE: Forwarding mail as an attachment from M-^%@#%$#$@!!!-S Outlook

2004-12-31 Thread Shayne Lebrun
> BTW, (slightly off topic), I also hate the way that clicking on a
> link within Outlook will take over an existing MS Explorer window
> when I'd rather it open a new window and not interfere. Is there
> a way to change the default behavior for this?

In IE:
Tools->internet options->advanced and uncheck the box that says 'Reuse
windows for launching shortcuts'

Muskoka.com
115 Manitoba Street
Bracebridge, Ontario
P1L 2B6
(705)645-6097




RE: Training SA with postfix

2004-12-31 Thread Jason Gauthier
Thanks for the tip.  Due to my newbie-ness with these products I'm a
little uncertain where to start.  Amavis seems to build many rules, and
interface with SA where it actually has options in it.

Would I build this rule within amavis or SA?

And of course, could you (or someone) point me to some documentation or
example?
I'm not sure where to even begin.

Thanks,

Jason

 


RE: Training SA with postfix

2004-12-31 Thread Matt Kettler
At 02:45 PM 12/31/2004, Jason Gauthier wrote:
> Thanks for the tip.  Due to my newbie-ness with these products I'm a
> little uncertain where to start.  Amavis seems to build many rules, and
> interface with SA where it actually has options in it.
> Would I build this rule within amavis or SA?

I'd do the rule as a SA rule, since it's SA's autolearner you want to affect.

> And of course, could you (or someone) point me to some documentation or
> example?

http://wiki.apache.org/spamassassin/WritingRules

So for this header:

Received: from mattk-801-567.evi-inc.com (mattk-801-567.evitechnology.com [10.0.6.249])
    by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id iBV0gIZP031926

Assuming my internal machines are 10.0.6.0/24, and all RDNS to
evitechnology.com names, I might write:

header L_OUTBOUND_MAIL  Received =~ /from .{1,60}\.evitechnology\.com \[10\.0\.6\.\d{1,3}\]\).{0,10}by xanadu\.evi\-inc\.com .{1,50} with ESMTP id/s
score L_OUTBOUND_MAIL   -1.0

Other, less specific variants:

header L_OUTBOUND_MAIL0 Received =~ /from .{1,60}\.evitechnology\.com \[10\.0\.6\.\d{1,3}\]\).{0,10}by xanadu\.evi\-inc\.com/s
score L_OUTBOUND_MAIL0  -1.0

Caution: these last two are easily forged:

header L_OUTBOUND_MAIL2 Received =~ /from .{1,60}\.evitechnology\.com \[10\.0\.6\.\d{1,3}\]\)/
score L_OUTBOUND_MAIL2  -1.0

header L_OUTBOUND_MAIL3 Received =~ /from .{1,60}\.evitechnology\.com/
score L_OUTBOUND_MAIL3  -1.0
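
The forgery caution in the post above, as an added example that is not part of the original thread: the four posted patterns (carried over to Python's `re`) are run over two constructed messages and compared with a check that reads only the topmost Received header, the one written by the receiving relay itself. The function names, both sample messages and the `(rdns [ip]) by host` header layout are assumptions; the host names and the 10.0.6.0/24 range come from the post.

```python
import email
import ipaddress
import re

# The four patterns from the post, unwrapped, domain dots escaped (re.S = /s).
_DOM = r"from .{1,60}\.evitechnology\.com"
_IP = r" \[10\.0\.6\.\d{1,3}\]\)"
_BY = r".{0,10}by xanadu\.evi\-inc\.com"
RULES = {
    "L_OUTBOUND_MAIL": re.compile(_DOM + _IP + _BY + r" .{1,50} with ESMTP id", re.S),
    "L_OUTBOUND_MAIL0": re.compile(_DOM + _IP + _BY, re.S),
    "L_OUTBOUND_MAIL2": re.compile(_DOM + _IP),
    "L_OUTBOUND_MAIL3": re.compile(_DOM),
}
INTERNAL_NET = ipaddress.ip_network("10.0.6.0/24")  # from the post
OUR_RELAY = "xanadu.evi-inc.com"                     # from the post
# Assumed trace layout "(rdns [ip]) by host", as in the post's sample header.
TOP_HOP = re.compile(r"\(\S+ \[(?P<ip>[0-9.]+)\]\)\s+by (?P<by>\S+)")

# Constructed sample: the header from the post on an otherwise made-up message.
GENUINE = """\
Received: from mattk-801-567.evi-inc.com (mattk-801-567.evitechnology.com [10.0.6.249])
    by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id iBV0gIZP031926
Subject: outbound test

hello
"""
# Constructed sample: outside mail whose lower Received line the sender wrote.
FORGED = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id iBV0gIZP031927
Received: from pc7.evitechnology.com (pc7.evitechnology.com [10.0.6.77])
    by mail.example.net with SMTP id 1234
Subject: inbound test

hello
"""

def received_headers(raw):
    """Return the Received headers, newest first, with folding removed."""
    msg = email.message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def rules_fired(raw):
    """Names of the posted rules matching anywhere in the Received chain
    (assumes the pattern is tried against every Received header)."""
    chain = "\n".join(received_headers(raw))
    return sorted(name for name, rx in RULES.items() if rx.search(chain))

def top_hop_is_internal(raw):
    """True only if our own relay's header records an internal client IP."""
    hops = received_headers(raw)
    m = TOP_HOP.search(hops[0]) if hops else None
    if not m or m.group("by") != OUR_RELAY:
        return False
    try:
        return ipaddress.ip_address(m.group("ip")) in INTERNAL_NET
    except ValueError:  # malformed address literal
        return False

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, rules_fired(raw), top_hop_is_internal(raw))
```

On the constructed inbound message the two loosest patterns still fire, while the top-hop check rejects it because the relay itself recorded an outside address.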


RE: Training SA with postfix

2004-12-31 Thread Jason Gauthier
Great!

Using your example and the website I'm able to understand this much
better.
My idea is to start small and make sure it works.

So I simply added this:

header L_FROM Received =~ /server24/
score L_FROM -1.0

If the received line contains server24 then score it as -1.0.  I know
this is easy to fib, but like I said, it's just for testing :)

I go ahead and look at the headers and see the following:
Microsoft Mail Internet Headers Version 2.0

Received: from server24.ctg.com (unknown [192.168.50.11])
    by spamfilter.lastar.com (Postfix) with ESMTP id 9EACAEFCC1
    for [EMAIL PROTECTED]; Fri, 31 Dec 2004 16:09:23 -0500 (EST)

The originating server is server24, then it hits spamfilter.
As you can see server24 is contained in that string.

But looking below, I see spam_scan is scored as 0.28.

Dec 31 16:09:24 spamfilter amavis[8276]: (08276-02) spam_scan: hits=0.28
tests=ALL_TRUSTED,AWL,HTML_90_100,HTML_MESSAGE,HTML_SHORT_COMMENT 

I looked at the headers and I don't see the X-Spam-* headers at all, (I
set it to -999), so I'm not sure why amavisd-new didn't add the headers.


 


DNS tests

2004-12-31 Thread shane mullins
Our secondary spam box is not performing dns tests.  The perl mod dns is
installed and the dns_available option is set in the local.cf.  Does
anyone have any suggestions?

Thanks
Shane




Re: DNS tests

2004-12-31 Thread shane mullins
The Net::DNS module is ver 0.48.

Shane







Re: Training SA with postfix

2004-12-31 Thread Sam Nilsson
Jason Gauthier wrote:
> Thanks for the tip.  Due to my newbie-ness with these products I'm a
> little uncertain where to start.  Amavis seems to build many rules, and
> interface with SA where it actually has options in it.

Read the docs at the amavisd-new site here:
  -- http://www.ijs.si/software/amavisd/

Amavis runs SA, but does not allow SA to rewrite the message. Amavis
does the rewriting, quarantining, and ultimate scoring.

SA still looks to its own config file (typically named local.cf) to run
and score all of its tests, it just doesn't get to rewrite the original
message.

More info here:
  -- http://www.ijs.si/software/amavisd/

> Would I build this rule within amavis or SA?

All SA rules go in SA config (ok, this may be too absolute, I just can't
think of any at the moment ;-).

There are many ways to train this anti-spam software stack 
(amavis/sa/razor/pyzor/bayes/etc.). Amavisd can soft-blacklist, 
blacklist, and soft-whitelist based on *envelope senders*, while SA's 
black and whitelists work on message headers. SA also has the trainable 
bayes engine. It all depends on what kind of features, performance, 
flexibility, accuracy, etc. etc. etc. that you need.

- Sam Nilsson


Re: DNS tests

2004-12-31 Thread Jeff Chan
On Friday, December 31, 2004, 2:15:51 PM, shane mullins wrote:
> The Net::DNS module is ver 0.48.

>> Our secondary spam box is not performing dns tests.  The perl mod dns
>> is installed and the dns_available option is set in the local.cf.  Does
>> anyone have any suggestions?

There are some suggestions for enabling network tests at:

  http://www.surbl.org/faq.html#nettest

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Training SA with postfix

2004-12-31 Thread Sam Nilsson
Sam Nilsson wrote:
> SA still looks to its own config file (typically named local.cf) to run
> and score all of its tests, it just doesn't get to rewrite the original
> message.
>
> More info here:
>   -- http://www.ijs.si/software/amavisd/

Sorry! More info here:
  -- http://www.ijs.si/software/amavisd/#faq-spam
- Sam


Fw: DNS tests

2004-12-31 Thread shane mullins
Thanks Jeff,

It is working now.  I checked the web page you sent.  Also, I went
back and reinstalled the dns modules.   I got prompted to install some
additional mods, which I did.  Then, I rebooted and all is working now.

Thanks
Shane

