RE: SA Milter problem

2006-06-19 Thread Tempter

I have the same problem, and have no idea how to resolve it... I tried to
use the -m key when starting milter, but it has no effect. If you find the answer
to this problem, please tell how to resolve it.
--
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: Its nice when spammers declare their intentions...

2006-06-19 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Loren Wilton wrote:
> Subject: PayPal Fraud Intention !!! Verify Account & Billing Information !!!
> From: "PayPal.inc Security Center Department " <[EMAIL PROTECTED]>
> 
> Its nice to know that they intend to defraud me.  Maybe I won't bother
> playing their game.
> 
> Loren

Heh, got this one yesterday:

From: "Lazarus Dennis" 
To: <[EMAIL PROTECTED]>
Subject: bastard

And thought, why's he calling me a bastard? Maybe he knows his crap
isn't going to get through...

C.

- --
Craig McLean                 http://fukka.co.uk
[EMAIL PROTECTED]            Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEloZvMDDagS2VwJ4RAo9+AKD8ukwZr6oFJlcoOa2GcWBShQxFwQCgkczn
EE/t68LA8bfo2eFwLNkjVV8=
=5DqP
-END PGP SIGNATURE-


Is it possible ?

2006-06-19 Thread boka
Hello,

is it possible to store global white/black lists in sql ?

I know that it is possible for users.

-- 
boka




Re: Is it possible ?

2006-06-19 Thread JamesDR

boka wrote:

> Hello,
>
> is it possible to store global white/black lists in sql ?
>
> I know that it is possible for users.

Yes, see the wiki pages for the sql userprefs. There is a query that 
allows you to do Global, Domain, and User based prefs -- all depending 
on how SA is getting the user of course.


...
http://wiki.apache.org/spamassassin/UsingSQL
...
--
Thanks,
James
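The global/domain/user precedence James points at can be seen end to end with a small stand-alone script. This is an added example, not code from the thread or from the SpamAssassin project: it keeps the userpref table in SQLite instead of MySQL, and the query is an assumption modelled on the documented `user_scores_sql_custom_query` form (where SA substitutes `_USERNAME_`, `_DOMAIN_` and `_TABLE_` itself), using `'$GLOBAL'` for everyone and `'%domain'` for a whole domain. The sample rows, addresses and the set of list-type settings are constructed.

```python
import sqlite3

# Constructed sample rows. Username conventions follow the documented custom
# query: '$GLOBAL' applies to everyone, '%example.com' to every mailbox in that
# domain, and a full address to one user.
SAMPLE_PREFS = [
    ("$GLOBAL",           "required_score", "5.0"),
    ("$GLOBAL",           "whitelist_from", "*@lists.example.org"),
    ("%example.com",      "required_score", "7.0"),
    ("alice@example.com", "required_score", "10.0"),
    ("alice@example.com", "whitelist_from", "friend@example.net"),
]

# Settings SpamAssassin accumulates instead of overriding (assumed subset).
MULTI_VALUED = {"whitelist_from", "blacklist_from", "whitelist_to"}

# Assumed query, modelled on the documented custom query. SQLite has no
# CONCAT, so the domain pattern is built with '||'. ORDER BY username ASC is
# what makes precedence work: '$' sorts before '%', which sorts before any
# mailbox name, so the most specific rows come last and win.
PREFS_QUERY = """
SELECT username, preference, value FROM userpref
 WHERE username = ?
    OR username = '$GLOBAL'
    OR username = '%' || ?
 ORDER BY username ASC
"""


def build_db():
    """In-memory stand-in for the MySQL userpref table described on the wiki."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userpref (username TEXT, preference TEXT, value TEXT)")
    conn.executemany("INSERT INTO userpref VALUES (?, ?, ?)", SAMPLE_PREFS)
    conn.commit()
    return conn


def effective_prefs(conn, user):
    """Settings that apply to `user`: scalars take the most specific value,
    list-type settings merge the global, domain and per-user entries."""
    domain = user.split("@", 1)[1].lower()
    prefs = {}
    for _username, pref, value in conn.execute(PREFS_QUERY, (user.lower(), domain)):
        if pref in MULTI_VALUED:
            prefs.setdefault(pref, []).append(value)
        else:
            prefs[pref] = value  # a later (more specific) row overrides
    return prefs


if __name__ == "__main__":
    db = build_db()
    for who in ("alice@example.com", "bob@example.com", "carol@other.org"):
        print(who, effective_prefs(db, who))
```

Running it shows alice getting her own `required_score` of 10.0, bob (same domain, no row of his own) inheriting the domain's 7.0, and carol falling back to the global 5.0; the global `whitelist_from` reaches all three. Whatever query you use, check the sort order of your usernames against your database's collation, because that ordering is the whole precedence mechanism.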



Can SA be used to implement greylisting?

2006-06-19 Thread Steven W. Orr
I'm running sendmail here on a home server. I've been looking for a good 
greylist package and I frankly have not found one. There are a couple out 
there but they work in memory and don't maintain their tables in a 
database.


I'm also running spamass-milter which is set to reject mail if SA says 
it's spam. Is it worthwhile to try to convince the SA dev crowd to add 
greylist functionality? I know it would be easy to modify spamass-milter 
to return the needed info to sendmail. It would require a new table.


Does this make sense?

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


spamassassin on a mail relay

2006-06-19 Thread Michael Grant

Do any of you out there run spamassassin on a mail relay or pop/imap
server  to add the X-Spam headers to all mail that passes through your
gateway?

If you do, how do you let individual users (who don't have accounts on
your relay) tweak their user_prefs file to whitelist things that are
not spam or otherwise tweak the rules?

Do any of you who use spamassassin at the server level (as opposed to
the user level) use it to reject spam (versus just marking it up)?

I had this idea that something could add a url to the bottom of the
message that would let the user click on it and white/black list the
user back on the server.  Maybe something like this exists already?

I must say that in my own experience, I could not blindly reject mail
with Spamassassin because it has too many false positives with my
mail.

Michael Grant


Re: spamassassin on a mail relay

2006-06-19 Thread Rick Macdougall

Michael Grant wrote:

> Do any of you out there run spamassassin on a mail relay or pop/imap
> server  to add the X-Spam headers to all mail that passes through your
> gateway?
>
> If you do, how do you let individual users (who don't have accounts on
> your relay) tweak their user_prefs file to whitelist things that are
> not spam or otherwise tweek the rules?
>
> Do any of you who use spamassassin at the server level (as opposed to
> the user level) use it to reject spam (versus just marking it up)?
>
> I had this idea that something could add a url to the bottom of the
> message that would let the user click on it and white/black list the
> user back on the server.  Maybe something like this exists already?
>
> I must say that in my own experience, I could not blindly reject mail
> with Spamassassin because it has too many false positives with my
> mail.
>
> Michael Grant


Hi,

We use mysql based User Preferences so users can use their own black and 
white lists as well as set the markup and required hits.


We reject spam (55x, not a bounce) when the score is 10 or above and 
mark everything else that gets 5 or more.


Regards,

Rick



RE: How to detect current images-only messages?

2006-06-19 Thread Chris Santerre

> -Original Message-
> From: Yves Goergen [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, June 18, 2006 5:50 AM
> To: users@spamassassin.apache.org
> Subject: How to detect current images-only messages?
> 
> 
> Hello,
> I keep receiving messages that contain of nothing but composed images.
> They're HTML messages with only  tags in them. There 
> seems to be a
> rule that checks if the message has *any* image and compares it to its
> length. That gave my spam some scores recently but not so today. I
> received a message that looks just like the others but has no score at
> all due to the fact that it only contains of images.
> 
> Is there any way to detect this type of message with SpamAssassin? I
> cannot think of a regular _expression_ that would do it, and even if I
> could, SA offered no way to match it reliably. (See the line-by-line
> problem with 'rawbody' and encoding problems with 'full'.)


I keep hearing this is a problem, but I'm not seeing it on my end. Most are being caught:


Some examples


X-Spam-Status: Yes, score=7.6 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
    HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
    MY_ALT,MY_DSL,RCVD_IN_NJABL_DUL


X-Spam-Status: Yes, score=7.6 required=5.0 tests=HTML_90_100,
    HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
    MSGID_DOLLARS,MY_ALT


X-Spam-Status: Yes, score=9.2 required=5.0 tests=HTML_90_100,
    HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
    MSGID_DOLLARS,MY_ALT,SARE_BOUNDARY_09 


X-Spam-Status: Yes, score=8.6 required=5.0 tests=EXTRA_MPART_TYPE,
    HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,HTML_IMAGE_ONLY_08,
    HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,SPF_HELO_SOFTFAIL 


X-Spam-Status: Yes, score=5.6 required=5.0 tests=HTML_90_100,HTML_MESSAGE,
    MIME_HTML_MOSTLY,MPART_ALT_DIFF,MSGID_DOLLARS,MY_ALT 


Ahhh...occasional slip thru...


X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
    HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,RCVD_IN_NJABL_DUL 


X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,
    FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,
    MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,MY_HELO,SPF_HELO_PASS 
    
I'll have to adjust for those 2. :) 


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com
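Comparing the hits with the two slip-throughs by eye is how Chris does it above; for a larger sample it helps to parse the headers. The following is an added example, not code from Chris's post or from the SpamAssassin project: it unfolds the X-Spam-Status lines quoted above (used here as the sample input), parses verdict, score, threshold and test list, and reports which rules fired only on the caught messages plus how far each miss fell short of `required`.

```python
import re
from collections import Counter

# The X-Spam-Status lines quoted above, used as sample input. Continuation
# lines start with whitespace, exactly as SA folds them.
SAMPLE_HEADERS = """\
X-Spam-Status: Yes, score=7.6 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
    HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
    MY_ALT,MY_DSL,RCVD_IN_NJABL_DUL
X-Spam-Status: Yes, score=9.2 required=5.0 tests=HTML_90_100,
    HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
    MSGID_DOLLARS,MY_ALT,SARE_BOUNDARY_09
X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
    HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,RCVD_IN_NJABL_DUL
X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,
    FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,
    MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,MY_HELO,SPF_HELO_PASS
"""

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<verdict>Yes|No),\s*score=(?P<score>-?[\d.]+)"
    r"\s+required=(?P<required>[\d.]+)\s+tests=(?P<tests>.*)$"
)


def unfold(text):
    """Join RFC 2822 folded continuation lines back onto their header line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.rstrip())
    return lines


def parse_spam_status(text):
    """One record per X-Spam-Status header: verdict, score, required, tests."""
    records = []
    for line in unfold(text):
        m = STATUS_RE.match(line)
        if not m:
            continue  # some other header, or a malformed line
        records.append({
            "verdict": m["verdict"],
            "score": float(m["score"]),
            "required": float(m["required"]),
            "tests": [t.strip() for t in m["tests"].split(",") if t.strip()],
        })
    return records


def rule_counts(records):
    """How often each rule fired on hits ('Yes') and on misses ('No')."""
    counts = {"Yes": Counter(), "No": Counter()}
    for rec in records:
        counts[rec["verdict"]].update(rec["tests"])
    return counts


def hit_only_rules(records):
    """Rules seen on caught messages but never on the ones that slipped through."""
    counts = rule_counts(records)
    return sorted(set(counts["Yes"]) - set(counts["No"]))


def shortfall(record):
    """Points a missed message was short of the threshold (0.0 for hits)."""
    return round(max(0.0, record["required"] - record["score"]), 2)


if __name__ == "__main__":
    recs = parse_spam_status(SAMPLE_HEADERS)
    print("fired only on hits:", hit_only_rules(recs))
    for rec in recs:
        if rec["verdict"] == "No":
            print("missed by", shortfall(rec), "points:", rec["tests"])
```

On this sample the rules that separate the hits from the misses are the `HTML_IMAGE_ONLY_04`/`_08` variants (the misses only reached `HTML_IMAGE_ONLY_16`, or none at all) together with `MSGID_DOLLARS`, `MY_DSL` and `SARE_BOUNDARY_09`, and both misses are 0.6 points short, which is the kind of number to know before adjusting a score.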





RE: Can SA be used to implement greylisting?

2006-06-19 Thread Chris Santerre

> -Original Message-
> From: Steven W. Orr [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 19, 2006 9:08 AM
> To: spamassassin-users
> Subject: Can SA be used to implement greylisting?
> 
> 
> I'm running sendmail here on a home server. I've been looking 
> for a good 
> greylist package and I frankly have not found one. There are 
> a couple out 
> there but they work in memory and don't maintain their tables in a 
> database.


grey.uribl.com  ???
 
> I'm also running spamass-milter which is set to reject mail 
> ifd SA says 
> it's spam. Is it worthwhile to try to convince the SA dev 
> crowd to add 
> greylist functionality? I know it would be easy to modify 
> spamass-milter 
> to return the needed info to sendmail. It would require a new table.
> 
> Does this make sense?


Not really. Are you talking about greylisting as in a greet pause, or a "This is a spamish domain."? 


Greet pause would be used in Sendmail. grey.uribl.com would be used for the latter. 


http://www.uribl.com/usage.shtml


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com





RE: spamassassin on a mail relay

2006-06-19 Thread Chris Santerre

> -Original Message-
> From: Rick Macdougall [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 19, 2006 11:52 AM
> To: users@spamassassin.apache.org
> Subject: Re: spamassassin on a mail relay
> 
> 
> Michael Grant wrote:
> > Do any of you out there run spamassassin on a mail relay or pop/imap
> > server  to add the X-Spam headers to all mail that passes 
> through your
> > gateway?
> > 
> > If you do, how do you let individual users (who don't have 
> accounts on
> > your relay) tweak their user_prefs file to whitelist things that are
> > not spam or otherwise tweek the rules?
> > 
> > Do any of you who use spamassassin at the server level (as 
> opposed to
> > the user level) use it to reject spam (versus just marking it up)?
> > 
> > I had this idea that something could add a url to the bottom of the
> > message that would let the user click on it and white/black list the
> > user back on the server.  Maybe something like this exists already?
> > 
> > I must say that in my own experience, I could not blindly 
> reject mail
> > with Spamassassin because it has too many false positives with my
> > mail.
> > 
> > Michael Grant
> 
> Hi,
> 
> We use mysql based User Preferences so users can use their 
> own black and 
> white lists as well as set the markup and required hits.
> 
> We reject spam (55x, not a bounce) when the score is 10 or above and 
> mark everything else that gets 5 or more.
> 
> Regards,
> 
> Rick


I have a weird setup :) 


AFAIK, I'm the only nut who does this. All my users are actually aliases to procmail scripts. No user accounts on the mail gateway system. If they want to opt out (which no one ever has), I can do it in their script. 

This gives me amazing flexibility in the system. Copying specific spam/ham to archives for research as an example. Anything between score 5-6.99 gets marked and delivered. Anything 7 or above gets sent to a global spam account that I check every morning. About 85% are instantly deleted because of URIBL/SURBL combination hits. The rest are just analyzed by me for more patterns for SARE, and URIs for URIBL. 

About 95% of all the spam into my system score over 7 points. So my users see maybe 1-2 marked messages. I love the setup. 

--Chris





RE: spamassassin on a mail relay

2006-06-19 Thread Bret Miller
> Do any of you out there run spamassassin on a mail relay or pop/imap
> server  to add the X-Spam headers to all mail that passes through your
> gateway?
>
> If you do, how do you let individual users (who don't have accounts on
> your relay) tweak their user_prefs file to whitelist things that are
> not spam or otherwise tweek the rules?
>
> Do any of you who use spamassassin at the server level (as opposed to
> the user level) use it to reject spam (versus just marking it up)?

We don't use it on a mail relay, but we do server-wide and reject
(rather drop in an IT account instead of delivering) when the score is
above a certain level. We're running in a corporate mail environment,
rather than a hosting service. The needs are somewhat different.

>
> I had this idea that something could add a url to the bottom of the
> message that would let the user click on it and white/black list the
> user back on the server.  Maybe something like this exists already?
>
> I must say that in my own experience, I could not blindly reject mail
> with Spamassassin because it has too many false positives with my
> mail.

SpamAssassin scores e-mail. If it FPs too much, then maybe you need a
higher required_score; or maybe training (sa-learn) a bit more on the
FPs would help. Running ham through the learner lets bayes know that
certain tokens are appearing in ham and shouldn't be scored as high, and
reduces the auto whitelist score both of which should help certain
messages avoid being flagged as spam.

Bret





RE: Adding Phishing Link rule

2006-06-19 Thread Chris Santerre

> -Original Message-
> From: Yves Goergen [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, June 18, 2006 5:46 AM
> To: Loren Wilton
> Cc: users@spamassassin.apache.org
> Subject: Re: Adding Phishing Link rule
> 
> 
> On 18.06.2006 03:51 CE(S)T, Loren Wilton wrote:
> > The rule you suggest isn't particularly good.  There are 
> far too many legit
> > mails (mostly mailing list type of things) that do exactly 
> what you want to
> > check for.  So the FP rate is higher than most people would like.
> 
> However, I haven't seen this type of link before and I cannot tolerate
> people showing explicit URLs in a link label but actually linking
> somewhere else. This rule, as so many, isn't intended to 
> block a message
> on its own, but gives its part to the score.
> 
> > That said, I believe there is at least one SARE rule that 
> checks for exactly
> > what you want to look for.
> 
> Now that I know what SARE is, it doesn't make the impression of a
> considerable archive to me, with respect to this issue.


Say what??? It's not really a discussion list type setup. If you mean the forums, hell even I haven't looked at them in ages :) 

Loren meant that there is already a rule written by SARE for exactly what you are looking for. You just need to find it. I'll see if I can. 

> 
> Still I don't know how to create a rule like this. But as someone else
> in the bug tracker already mentioned a year ago, what SpamAssassin
> misses to do things like that is a 'rawbody' match that uses 
> the entire
> message, not only single lines. Content can be arbitrary 
> split over many
> lines so that any 'rawbody' rule can become useless pretty fast. :(


Why not just use black.uribl.com ? It lists PHISHes.


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com







Re: spamassassin on a mail relay

2006-06-19 Thread qqqq
| Do any of you out there run spamassassin on a mail relay or pop/imap
| server  to add the X-Spam headers to all mail that passes through your
| gateway?

We use smf-spamd v1.2.0 - http://smfs.sourceforge.net/
for preliminary SA scanning and bounce at a score of 8.  After that, it gets
processed by SA on another server with the user's settings.





RE: Can SA be used to implement greylisting?

2006-06-19 Thread Steven W. Orr
On Monday, Jun 19th 2006 at 11:40 -0400, quoth Chris Santerre:

=>
=>
=>> -Original Message-
=>> From: Steven W. Orr [mailto:[EMAIL PROTECTED]
=>> Sent: Monday, June 19, 2006 9:08 AM
=>> To: spamassassin-users
=>> Subject: Can SA be used to implement greylisting?
=>> 
=>> 
=>> I'm running sendmail here on a home server. I've been looking 
=>> for a good 
=>> greylist package and I frankly have not found one. There are 
=>> a couple out 
=>> there but they work in memory and don't maintain their tables in a 
=>> database.
=>
=>grey.uribl.com  ???
=> 
=>> I'm also running spamass-milter which is set to reject mail 
=>> ifd SA says 
=>> it's spam. Is it worthwhile to try to convince the SA dev 
=>> crowd to add 
=>> greylist functionality? I know it would be easy to modify 
=>> spamass-milter 
=>> to return the needed info to sendmail. It would require a new table.
=>> 
=>> Does this make sense?
=>
=>Not really. Are you talking about greylisting as in a greet pause, or a
=>"This is a spamish domain."? 
=>
=>Greet pause would be used in Sendmail. grey.uribl.com would be used for the
=>later. 
=>
=>http://www.uribl.com/usage.shtml

Neither. What I'm looking for is a robust way to say: "I haven't seen mail 
from this guy before so I'm going to reject his email with a 450 error 
code. If email from him tries for delivery after (let's say) four 
hours, then I will accept it and nevermore will this guy have a delay in 
sending me mail." 

It's not a spam identifying technique but it does eliminate about 90% of 
the spam. The question is, is this worthwhile exploring as adjunct 
functionality to SA?

Yes, I understand that SA does not have any ability to reject mail, much 
less specify an SMTP error code. Is this clearly out of bounds for what SA 
should be doing?

-- 
steveo at syslang dot net TMMP1 http://frambors.syslang.net/
Do you have neighbors who are not frambors?


Re: spamassassin on a mail relay

2006-06-19 Thread Gary D. Margiotta

> Do any of you out there run spamassassin on a mail relay or pop/imap
> server  to add the X-Spam headers to all mail that passes through your
> gateway?


Yep, border MX servers which accept all mail for all domains we host, scan 
all the mail, then pass it along the line to the recipient servers.  Mail 
either gets tagged, or not, and continues on its way, no modification on 
the border machines.



> If you do, how do you let individual users (who don't have accounts on
> your relay) tweak their user_prefs file to whitelist things that are
> not spam or otherwise tweek the rules?


Users can request a whitelisted address, we put it in the site-wide lists. 
There have been very few requests thanks to our scoring setup.  We have a 
higher scoring point (based on "live" testing prior to actual 
implementation) for spam, and tag it all and let it through.  We don't 
delete any mail at the gateway, that gets handled on down the line by the 
endpoint servers.



> Do any of you who use spamassassin at the server level (as opposed to
> the user level) use it to reject spam (versus just marking it up)?


All spam detected by SA first gets tagged by the border servers with the 
Subject: markup, as well as the X-Spam headers.  Then, depending on the 
destination server, multiple things happen.


For our mass hosting machines, all spam-tagged mail gets detected by 
Postfix header checks, and gets redirected to a set of e-mail addresses on 
our border servers for bayes training via nightly script.  Based upon 
feedback from our customers, this was the most effective way for dealing 
with the spam.  People were willing to deal with some possible FP's, as 
long as we killed most of the spam.  This is where our beta testing phase 
came in handy, so we could tweak the setup and scores, and it's been 
working like a charm since.


For our dedicated servers, the customer chooses the method of spam 
filtering.  Either they do the same redirect as above, they have us manage 
it via procmail rules, or they manage it internally with local mail client 
filters.  They also have the option to save mail into spam folders, and we 
routinely grab those folders, and send them over to the border servers as 
well for training.



> I had this idea that something could add a url to the bottom of the
> message that would let the user click on it and white/black list the
> user back on the server.  Maybe something like this exists already?
>
> I must say that in my own experience, I could not blindly reject mail
> with Spamassassin because it has too many false positives with my
> mail.


It all depends on your userbase, their tolerance levels, and the amount of 
training your filters get.  For us, our setup works darn near perfectly, 
and with the flexibility we have with how we handle the flow of mail, 
pretty much everyone is satisfied.




> Michael Grant




-Gary


Re: Can SA be used to implement greylisting?

2006-06-19 Thread Bill Landry
- Original Message - 
From: "Steven W. Orr" <[EMAIL PROTECTED]>



> On Monday, Jun 19th 2006 at 11:40 -0400, quoth Chris Santerre:
>
> =>
> =>
> =>> -Original Message-
> =>> From: Steven W. Orr [mailto:[EMAIL PROTECTED]
> =>> Sent: Monday, June 19, 2006 9:08 AM
> =>> To: spamassassin-users
> =>> Subject: Can SA be used to implement greylisting?
> =>>
> =>>
> =>> I'm running sendmail here on a home server. I've been looking
> =>> for a good
> =>> greylist package and I frankly have not found one. There are
> =>> a couple out
> =>> there but they work in memory and don't maintain their tables in a
> =>> database.
> =>
> =>grey.uribl.com  ???
> =>
> =>> I'm also running spamass-milter which is set to reject mail
> =>> ifd SA says
> =>> it's spam. Is it worthwhile to try to convince the SA dev
> =>> crowd to add
> =>> greylist functionality? I know it would be easy to modify
> =>> spamass-milter
> =>> to return the needed info to sendmail. It would require a new table.
> =>>
> =>> Does this make sense?
> =>
> =>Not really. Are you talking about greylisting as in a greet pause, or a
> =>"This is a spamish domain."?
> =>
> =>Greet pause would be used in Sendmail. grey.uribl.com would be used for the
> =>later.
> =>
> =>http://www.uribl.com/usage.shtml
>
> Neither. What I'm looking for is a rubust way to say: "I haven't seen mail
> from this guy before so I'm going to reject his email with a 450 error
> code. If email from him tries for delivery after (let's say) four
> hours, then I will accept it and nevermore will this guy have a delay in
> sending me mail."
>
> It's not a spam identifying technique but it does eliminate about 90% of
> the spam. The question is, is this worthwhile exploring as adjunct
> functionality to SA?
>
> Yes, I understand that SA does not have any ability to reject mail, much
> less specify an SMTP error code. Is this clearly out of bounds for what SA
> should be doing?


Yes, this has to happen before SA gets the message, as SA works on messages 
after they have been fully received.  Greylisting needs to happen at the MTA 
level, before the message is received.  Depending on what MTA you are using, 
most support greylisting plug-ins.


Bill 



Re: Adding Phishing Link rule

2006-06-19 Thread Jamie L. Penman-Smithson


On 19 Jun 2006, at 17:26, Chris Santerre wrote:
>> Still I don't know how to create a rule like this. But as someone else
>> in the bug tracker already mentioned a year ago, what SpamAssassin
>> misses to do things like that is a 'rawbody' match that uses the entire
>> message, not only single lines. Content can be arbitrary split over many
>> lines so that any 'rawbody' rule can become useless pretty fast. :(
>
> Why not just use black.uribl.com ? It lists PHISHes.

There's also ph.surbl.org 

-j





Re: Adding Phishing Link rule

2006-06-19 Thread Yves Goergen
On 19.06.2006 18:26 CE(S)T, Chris Santerre wrote:
> Why not just use black.uribl.com ? It lists PHISHes.

Trying this out now.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.


Re: Can SA be used to implement greylisting?

2006-06-19 Thread Steven W. Orr
On Monday, Jun 19th 2006 at 10:24 -0700, quoth Bill Landry:

=>- Original Message - From: "Steven W. Orr" <[EMAIL PROTECTED]>
=>
=>> On Monday, Jun 19th 2006 at 11:40 -0400, quoth Chris Santerre:
=>> 
=>> =>
=>> =>
=>> =>> -Original Message-
=>> =>> From: Steven W. Orr [mailto:[EMAIL PROTECTED]
=>> =>> Sent: Monday, June 19, 2006 9:08 AM
=>> =>> To: spamassassin-users
=>> =>> Subject: Can SA be used to implement greylisting?
=>> =>>
=>> =>>
=>> =>> I'm running sendmail here on a home server. I've been looking
=>> =>> for a good
=>> =>> greylist package and I frankly have not found one. There are
=>> =>> a couple out
=>> =>> there but they work in memory and don't maintain their tables in a
=>> =>> database.
=>> =>
=>> =>grey.uribl.com  ???
=>> =>
=>> =>> I'm also running spamass-milter which is set to reject mail
=>> =>> ifd SA says
=>> =>> it's spam. Is it worthwhile to try to convince the SA dev
=>> =>> crowd to add
=>> =>> greylist functionality? I know it would be easy to modify
=>> =>> spamass-milter
=>> =>> to return the needed info to sendmail. It would require a new table.
=>> =>>
=>> =>> Does this make sense?
=>> =>
=>> =>Not really. Are you talking about greylisting as in a greet pause, or a
=>> =>"This is a spamish domain."?
=>> =>
=>> =>Greet pause would be used in Sendmail. grey.uribl.com would be used for
=>> the
=>> =>later.
=>> =>
=>> =>http://www.uribl.com/usage.shtml
=>> 
=>> Neither. What I'm looking for is a rubust way to say: "I haven't seen mail
=>> from this guy before so I'm going to reject his email with a 450 error
=>> code. If email from him tries for delivery after (let's say) four
=>> hours, then I will accept it and nevermore will this guy have a delay in
=>> sending me mail."
=>> 
=>> It's not a spam identifying technique but it does eliminate about 90% of
=>> the spam. The question is, is this worthwhile exploring as adjunct
=>> functionality to SA?
=>> 
=>> Yes, I understand that SA does not have any ability to reject mail, much
=>> less specify an SMTP error code. Is this clearly out of bounds for what SA
=>> should be doing?
=>
=>Yes, this has to happen before SA gets the message, as SA works on messages
=>after they have been fully received.  Greylisting needs to happen at the MTA
=>level, before the message is received.  Depending on what MTA you are using,
=>most support greylisting plug-ins.
=>
=>Bill 

And this is my point. SA *DOESN'T* work on messages after they have been 
received. Since I use spamass-milter, SA sees the messages before 
reception is completed. (You're free to do otherwise.) Then when SA 
decides that the message doesn't conform to its high standards, the report 
of that fact goes back to spamass-milter which then returns status back to 
sendmail. The current result is a reject 5xx status. So all we need is for 
SA to manage one extra table and to allow some sort of reportage that 
spamass-milter could be mucked to understand.

Is this making sense?

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: Can SA be used to implement greylisting?

2006-06-19 Thread Ron Johnson
Steven W. Orr writes:
> 
> 
> And this is my point. SA *DOESN'T* work on messages after they have been 
> received. Since I use spamass-milter, SA sees the messages before 
> reception is completed. (You're free to do otherwise.) Then when SA 
> decides that the message doesn't conform to its high standards, the report 
> of that fact goes back to spamass-milter which then returns status back to 
> sendmail. The current result is a reject 5xx status. So all we need is for 
> SA to manage one extra table and to allow some sort of reportage that 
> spamass-milter could be mucked to understand.
> 
> Is this making sense?
> 
Yes. And if you can manage to do the heavy lifting a lot of
people will thank you. (I have little problem accepting that
you can do pretty much anything via milter. But there's enough 
stuff that looks tricky that I'd be surprised if it goes high
on anybody's todo list)

To get back to your original point (memory resident versus databases)
there are some interesting setups that you can look at using
mimedefang.

http://whatever.frukt.org/mimedefangfilter.text.shtml

and from the wiki:

http://www.mimedefang.com/kwiki/index.cgi?Greylisting

I understand, you're probably not interested in mimedefang.
Still worth a look IMO.


RE: Can SA be used to implement greylisting?

2006-06-19 Thread John D. Hardin
On Mon, 19 Jun 2006, Steven W. Orr wrote:

> =>> Is it worthwhile to try to convince the SA dev 
> =>> crowd to add greylist functionality?

> Neither. What I'm looking for is a rubust way to say: "I haven't
> seen mail from this guy before so I'm going to reject his email
> with a 450 error code. If email from him tries for delivery after
> (let's say) four hours, then I will accept it and nevermore will
> this guy have a delay in sending me mail."

That's the common definition of "greylisting".

I think the suggestion to add it to SA misses a basic fact: the
mail has *already been received in its entirety* by the time SA gets a
chance to see it. What's the point in greylisting then?

Proper greylisting is done early in the SMTP exchange, at the point
the DATA command is sent and the sender and recipients are known but
before the message itself has been received. I use milter-greylist to
do this and it works well.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
What nuts do with guns is terrible, certainly. But what evil or crazy
people do with *anything* is not a valid argument for banning that item.
  -- John C. Randolph <[EMAIL PROTECTED]>
---
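Steven's description (defer an unknown sender with a 4xx, accept once it retries after the delay, then remember it) and John's point that the decision belongs before DATA can both be shown in one small simulation. This is an added example, not code from the thread, from milter-greylist or from the SpamAssassin project: it keys on the usual (client IP, envelope sender, recipient) triplet, uses a constructed clock so the scenario runs instantly, and the addresses and response strings are constructed. The delay of four hours and the 450 code come from Steven's message; the retry window that expires forgotten first attempts is an assumption most greylisting implementations make in some form.

```python
import time

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Recipient ok"


class Greylist:
    """Greylisting keyed on the (client IP, envelope sender, recipient) triplet.

    check() is meant to be called once MAIL FROM and RCPT TO are known and
    before DATA is accepted, so an unknown sender's message body is never
    received on first contact. The two tables are the state a database-backed
    implementation would persist between MTA restarts.
    """

    def __init__(self, delay, retry_window, clock=time.time):
        self.delay = delay                # seconds the sender must wait before a retry counts
        self.retry_window = retry_window  # first attempts not retried within this are forgotten
        self.clock = clock
        self.pending = {}                 # triplet -> time of first attempt
        self.known = set()                # triplets that retried correctly; accepted from now on

    def check(self, client_ip, mail_from, rcpt_to):
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self.known:
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now       # new (or stale) triplet: defer it
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL               # retried too early: keep deferring
        del self.pending[key]
        self.known.add(key)               # a real MTA retried after the delay
        return ACCEPT


class FakeClock:
    """Constructed clock so the scenario below is instant and deterministic."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """A patient MTA versus a fire-and-forget spam bot, with a four-hour delay."""
    clock = FakeClock()
    gl = Greylist(delay=4 * 3600, retry_window=24 * 3600, clock=clock)
    log = []
    mta = ("192.0.2.10", "alice@example.org", "steveo@example.net")    # constructed
    log.append(("mta first try", gl.check(*mta)))
    clock.advance(30 * 60)
    log.append(("mta retry after 30 min", gl.check(*mta)))
    clock.advance(4 * 3600)
    log.append(("mta retry after 4.5 h", gl.check(*mta)))
    clock.advance(7 * 24 * 3600)
    log.append(("mta next week", gl.check(*mta)))
    bot = ("198.51.100.7", "random@example.com", "steveo@example.net")  # constructed
    log.append(("bot single attempt", gl.check(*bot)))                  # never retries
    return log


if __name__ == "__main__":
    for step, response in simulate():
        print(f"{step:24} -> {response}")
```

The point of the simulation is where the decision is made: the bot's one attempt costs the receiver an envelope and a 4xx, not a message body, which is exactly what a post-DATA scorer such as SA cannot offer. Whether the code is 450 or 451 matters less than its being a 4xx, since that is what tells a real MTA to queue and retry rather than bounce.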



RE: Was "One large image" now is "several small images"

2006-06-19 Thread Toll, Eric
> -Original Message-
> From: John D. Hardin [mailto:[EMAIL PROTECTED] 
>
> On Thu, 15 Jun 2006, Matt wrote:
> 
> > It seems the spammers have gotten smart to the fact that we were 
> > filtering for one large image and no text... now what I am 
> seeing is 
> > that the spammers are sending many small images inline with the 
> > e-mails!  But, I have yet to see a way to filter against this.
> > Any thoughts?
> 
> This is yet another argument for match counts in SA rules. It 
> would be useful to score (say) .10 per image attachment after 
> the first two or three...
> 
>


I am seeing this too.  It's the only spam I get now.  Stocks with GIF images
inline.
How annoying.  I bumped up SARE_GIF_ATTACH to 4.75 points but that's not enough
to kill it.

Anyone have a good rule for this??

Thanks,
Eric

(Headers & Score follow)



X-Spam-Score: 4.75
X-Spam-Level: 
X-Spam-Status: No, score=4.75 tagged_above=-100 required=6.1
tests=[SARE_GIF_ATTACH=4.75]
X-Greylist: Passed host: 86.216.157.231 whitelisted
Received: from AMarseille-252-1-134-231.w86-216.abo.wanadoo.fr
(AMarseille-252-1-134-231.w86-216.abo.wanadoo.fr [86.216.157.231])
Received: from [86.216.193.205] (helo=hqhyu.lr)
by AMarseille-252-1-134-231.w86-216.abo.wanadoo.fr with smtp (Exim
4.43)
id 1Fr0xd-0004La-Gb; Fri, 16 Jun 2006 01:09:13 +0200
Message-ID: <[EMAIL PROTECTED]>
From: "Tony Ratliff" <[EMAIL PROTECTED]>
Subject: beet debilitate
Date: Fri, 16 Jun 2006 01:01:09 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="=_NextPart_000_0017_01C690E0.E33C46F6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 Jun 2006 23:05:15.0410 (UTC)
FILETIME=[29B71720:01C690D0]

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: multipart/alternative;
boundary="=_NextPart_001_0018_01C690E0.E33C470D"

--=_NextPart_001_0018_01C690E0.E33C470D
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_001_0018_01C690E0.E33C470D
Content-Type: text/html;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable


--=_NextPart_001_0018_01C690E0.E33C470D--
--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="irritate.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="bowl.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="nationalize.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="nationalism.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="formally.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="upwards.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="heartbreaking.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="smear.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="titter.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

--=_NextPart_000_0017_01C690E0.E33C46F6
Content-Type: image/gif;
name="connivance.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>




Re: Can SA be used to implement greylisting?

2006-06-19 Thread Andy Jezierski

[snip]

> And this is my point. SA *DOESN'T* work on messages after they have been
> received. Since I use spamass-milter, SA sees the messages before
> reception is completed. (You're free to do otherwise.) Then when SA
> decides that the message doesn't conform to its high standards, the report
> of that fact goes back to spamass-milter which then returns status back to
> sendmail. The current result is a reject 5xx status. So all we need is for
> SA to manage one extra table and to allow some sort of reportage that
> spamass-milter could be mucked to understand.
>
> Is this making sense?
>

Why re-invent the wheel? While I'm sure most of the greylist milters out
there are similar, I can only comment on milter-greylist. It will do almost
everything you're looking for. The first time it receives a message it will
send out a 451, and it'll continue rejecting messages until a user defined
time limit is reached. Two minutes in our case, although I suppose you could
specify 4 hours as you stated, but I don't know why you'd want your mail
delayed that long.  I've noticed that most servers will try to resend their
messages within 5-15 minutes.

Once the second message is received, the tuple is stored in memory, and the
table is dumped to disk at a user defined time interval. When you re-start
the software, it'll attempt to read in the last dumped file to rebuild its
in-memory table.  You also define how long each entry is valid in memory,
7 days in our case; since yours is a home server, you should be able to bump
this limit way up. As long as you keep receiving mail from a particular
sender within this time period, their mail will not be delayed.  If no
messages are received in that time period, the entry is dropped and they'll
get a 451 the next time.  If you know specific email addresses, or domains,
or mail servers that you never want to delay, you can white list them ahead
of time using the config files.

Practically everything you want, and nothing needs to be re-coded.

Andy


Re: Adding Phishing Link rule

2006-06-19 Thread Stuart
Unfortunately, although many phishing mails would match this rule,
just as many legitimate messages would as well.  Check the archives.


http://www.nabble.com/Detecting-phishing-urls-t1027084.html#a2669493

On Sat, 17 Jun 2006 21:56:03 +0200
 Yves Goergen <[EMAIL PROTECTED]> wrote:

> Hello,
> I'm running SpamAssassin on my Exim MTA and would like to add a rule of
> which I don't think it's built-in yet: Phishing mails commonly have an
> HTML link in them with a target like "http://12.34.56.78/..." but a
> label like "http[s]://somedomain/...". This case where the link label is
> a domain but the target is a numeric IP, and even worse the case, where
> the label has https: and the target only http:, I would like to score a
> high number of points. Is this already built-in? I couldn't see it on
> such a mail I received today.
>
> How can I add this rule myself? The "rawbody" option only matches line
> by line, which doesn't help me because the link is split over multiple
> lines. What I need is something to match the entire message as one, with
> HTML kept intact but encoding (Quoted Printable...) resolved. I have
> seen the HTTPS_IP_MISMATCH rule that leads me to a Perl function. I
> don't understand Perl very well, and this specific function is way too
> complex for me. Also I don't know where to add my own Perl functions.
> The documentation doesn't tell me.
>
> --
> Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
> http://beta.unclassified.de – My web laboratory.




GTUBE

2006-06-19 Thread Fidel Leon
Hi,
 
I've been doing a lot of googling and archive searching with no success, so I
ask here for an answer...

I am currently using SA 3.0.6, as a system-wide spam filter integrated with
Qmail. For Qmail, I am using qmail-scanner, which has a config tool that
"prepares" qmail in order to be able to use SA.

The question is: the qmail-scanner config tool relies *exclusively* on GTUBE
to check for a spam-nasty.eml with the GTUBE signature in it. SA 3.0.6
recognizes the mail as spam, but 3.1.2 simply gives a 0.0 score for the mail.

I have checked what the configuration script does, and it simply calls
'spamc -U /var/run/spamassassin/spamd.socket < spam-nasty.eml' for the test.

I have 1 points score hit for GTUBE in my configuration files (which are
read as per debug log). 

Any kind advice...? I could keep using 3.0.6, but...
 
Fidel Leon - EA3LF
[EMAIL PROTECTED]



Re: Can SA be used to implement greylisting?

2006-06-19 Thread Justin Mason

John D. Hardin writes:
> On Mon, 19 Jun 2006, Steven W. Orr wrote:
> 
> > =>> Is it worthwhile to try to convince the SA dev 
> > =>> crowd to add greylist functionality?
> 
> > Neither. What I'm looking for is a rubust way to say: "I haven't
> > seen mail from this guy before so I'm going to reject his email
> > with a 450 error code. If email from him tries for delivery after
> > (let's say) four hours, then I will accept it and nevermore will
> > this guy have a delay in sending me mail."
> 
> That's the common definition of "greylisting".
> 
> I think the suggestion to add it to SA misses a basic fact: the
> mail has *already been received in its entirety* by the time SA gets a
> chance to see it. What's the point in greylisting then?
> 
> Proper greylisting is done early in the SMTP exchange, at the point
> the DATA command is sent and the sender and recipients are known but
> before the message itself has been received. I use milter-greylist to
> do this and it works well.

Yep -- that's the key point -- as far as I know it's illegal (in
SMTP terms) to offer a 421 after DATA.

--j.


Re: Can SA be used to implement greylisting?

2006-06-19 Thread David B Funk
On Mon, 19 Jun 2006, Steven W. Orr wrote:

> And this is my point. SA *DOESN'T* work on messages after they have been
> received. Since I use spamass-milter, SA sees the messages before
> reception is completed. (You're free to do otherwise.) Then when SA
> decides that the message doesn't conform to its high standards, the report
> of that fact goes back to spamass-milter which then returns status back to
> sendmail. The current result is a reject 5xx status. So all we need is for
> SA to manage one extra table and to allow some sort of reportage that
> spamass-milter could be mucked to understand.
>
> Is this making sense?

Yes, but IMHO you are trying to use the wrong tool for the job.

greylisting is a relatively lightweight task and can be done quickly
(i.e. no DNS/network lookups needed, only need envelope-from, envelope-to,
sending host IP addr, no need to absorb the whole message body,
very small CPU load, etc) so it should be done -before- you waste
resources running a full SA scan.

I would suggest sendmail milter configured so that first you run the
greylisting milter, then the virus-scan milter and finally the SA
milter.

I can see your argument for needing some kind of persistent table
backend for greylisting but that looks like an argument for building
a MySQL backend for greylisting, not trying to mung greylisting into SA.

The only reason that I can see for trying to combine greylisting & SA
is to have an adaptive greylist, one that only kicks in if the message
has a high-enough score (but still lower than spam-tagging threshold).
However you would lose the load reduction benefit of the previously
mentioned config.

Dave

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Can SA be used to implement greylisting?

2006-06-19 Thread Jonas Eckerman

Steven W. Orr wrote:

> I'm running sendmail here on a home server. I've been looking for a good
> greylist package and I frankly have not found one. There are a couple out
> there but they work in memory and don't maintain their tables in a
> database.

My greylist code  using the
milter MIMEDefang  keeps the tables in a SQLite database
(which means it shouldn't be too hard porting to a server based SQL database).

> I'm also running spamass-milter which is set to reject mail if SA says
> it's spam. Is it worthwhile to try to convince the SA dev crowd to add
> greylist functionality?

One of the key benefits of "normal" greylisting is that you don't need to
call SpamAssassin, anti virus stuff, etc, at all for the messages that never make it
through an SMTP level grey list.

Also, SpamAssassin cannot itself refuse to accept a mail, so the SMTP software
still has to be involved for grey listing to work.

/Jonas

--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: Can SA be used to implement greylisting?

2006-06-19 Thread David B Funk
On Mon, 19 Jun 2006, Justin Mason wrote:

> Yep -- that's the key point -- as far as I know it's illegal (in
> SMTP terms) to offer a 421 after DATA.
>
> --j.

RFC-2821 section 3.9:

   An SMTP server MUST NOT intentionally close the connection except:

   -  After receiving a QUIT command and responding with a 221 reply.

   -  After detecting the need to shut down the SMTP service and
      returning a 421 response code.  This response code can be issued
      after the server receives any command or, if necessary,
      asynchronously from command receipt (on the assumption that the
      client will receive it after the next command is issued).

So anytime is 421 time. ;)

also a 451 is explicitly listed as an acceptable error response
to a DATA.



-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Can SA be used to implement greylisting?

2006-06-19 Thread Logan Shaw

On Mon, 19 Jun 2006, David B Funk wrote:

> On Mon, 19 Jun 2006, Justin Mason wrote:
>
> > Yep -- that's the key point -- as far as I know it's illegal (in
> > SMTP terms) to offer a 421 after DATA.
>
> RFC-2821 section 3.9:
>
>    An SMTP server MUST NOT intentionally close the connection except:
>
>    -  After receiving a QUIT command and responding with a 221 reply.
>
>    -  After detecting the need to shut down the SMTP service and
>       returning a 421 response code.  This response code can be issued
>       after the server receives any command or, if necessary,
>       asynchronously from command receipt (on the assumption that the
>       client will receive it after the next command is issued).
>
> So anytime is 421 time. ;)
>
> also a 451 is explicitly listed as an acceptable error response
> to a DATA.


OK, if that's the case, let me offer my own personal justification of
why it might be worthwhile to combine greylisting with SpamAssassin.

Basically, greylisting has an Achilles heel:  legit messages
from unknown senders are delayed a long time.  This is fine for
certain types of organizations, but what if all the accounts on
your mail server are for salespeople?  They're constantly trying to
generate new contacts and leads, and they really don't want their
communications to be delayed.  This is just one example; there are
surely other people who don't want any delays that can be avoided.

So, what does this have to do with greylisting + content-based
filtering?  It's simple: if you receive a message from an unknown
sender / domain / IP / whatever, you can then do a spamassassin run
on it.  If it comes up with a very low score (almost definitely
not spam), let it pass.  If it comes up with a very high score
(almost definitely spam), drop it right away.  If it comes up with
an indeterminate score, apply the greylisting approach and delay
it until later.

What does this buy you?  Two things.  The first is that low-risk
messages (based on content) go right through, eliminating much
of the downside of greylisting.  The second is that for messages
which SpamAssassin is unsure about, you get the added benefit of
greylisting.  By definition, SpamAssassin by itself is insufficient
in these cases, so any extra information you can gather (i.e. whether
the sender retries) is valuable information.

To put it another way, greylisting has a high cost in terms of
convenience.  So, apply greylisting only when SpamAssassin is not
confident in its judgement; in those cases, you can easily justify
the cost, and in the other cases, you can avoid the cost of
greylisting completely.

  - Logan


Re: Can SA be used to implement greylisting?

2006-06-19 Thread John D. Hardin
On Mon, 19 Jun 2006, Steven W. Orr wrote:
> 
> And this is my point. SA *DOESN'T* work on messages after they
> have been received. Since I use spamass-milter, SA sees the
> messages before reception is completed.

So, you're passing just the message headers through SA?

Using a milter doesn't magically mean that you haven't received the
body of the message yet, it just means that a third-party extension to
Sendmail is allowed to review the message before Sendmail acknowledges
receipt and attempts delivery to the next stage (procmail, relay,
whatever). You've already spent the time and bandwidth and system
resources to receive the entire message and process it through SA.

So: why not save the resources consumed by receiving and processing
the entire message *multiple times* (because legitimate messages will
have to be almost completely transmitted at least twice in this model)
and use an existing tool (greylist-milter) to do the greylisting early
in the SMTP exchange?

--
 John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
What nuts do with guns is terrible, certainly. But what evil or crazy
people do with *anything* is not a valid argument for banning that item.
  -- John C. Randolph <[EMAIL PROTECTED]>
---



Re: Can SA be used to implement greylisting?

2006-06-19 Thread John D. Hardin
On Mon, 19 Jun 2006, Logan Shaw wrote:

> If it comes up with a very high score (almost definitely spam),
> drop it right away.  If it comes up with an indeterminate score,
> apply the greylisting approach and delay it until later.

What's the point? You've already *got* the entire message, at that
point why tell the sender "I don't want it right now, try again
later"? Instead of SMTP TMPFAILing the message, why not just add a few
SA points for "never seen this sender before"?

> What does this buy you?  Two things.  The first is that low-risk
> messages (based on content) go right through, eliminating much
> of the downside of greylisting.  The second is that for messages
> which SpamAssassin is unsure about, you get the added benefit of
> greylisting.  By definition, SpamAssassin by itself is insufficient
> in these cases, so any extra information you can gather (i.e. whether
> the sender retries) is valuable information.

At the cost of receiving and processing those messages at least twice.

Consider the case of a spammer whose software *does* retry, but
retries every two or three minutes until delivery is accepted or
PERMFAILed. I have seen this in my greylist logs. Do you really want
SA + AV + whatever to completely process this message a half-dozen
times before making a permanent decision at the end of the delay
period?
 
> To put it another way, greylisting has a high cost in terms of
> convenience.

Email is a store-and-forward best-attempt unguaranteed delivery
system, *not* Instant Messaging. The perception that a fifteen-minute
delay in delivery of a message is not acceptable is unrealistic. And
if such a delay *is* unacceptable, then you need to use something
other than email to communicate.

Most greylisting tools can be configured to bypass greylisting for
specified recipient addresses. In your example of salespeople not
wanting to have their messages from potential customers delayed, just
bypass greylisting for them and leave the standard behavior in place
for everybody else.

--
 John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
What nuts do with guns is terrible, certainly. But what evil or crazy
people do with *anything* is not a valid argument for banning that item.
  -- John C. Randolph <[EMAIL PROTECTED]>
---



Re: spamassassin on a mail relay

2006-06-19 Thread Gary V
> Do any of you out there run spamassassin on a mail relay or pop/imap
> server to add the X-Spam headers to all mail that passes through your
> gateway?
>
> -Gary


I use amavisd-new (works best with Postfix). There is only one user, so
there is only one user_prefs, so each individual recipient cannot have their
own set of custom rules, but they can have a large number of other settings
that determine what happens to spam. For example, I prefix the Subject line
with Spam> when a message scores over 5.0, send mail that scores at 8.0 to a
quarantine and discard mail from that quarantine that scores at 14.0 or
higher. X-Spam headers are written on all (incoming) mail.

SQL is the best way to go if there are a number of differences in the way
individuals want their spam handled. Policies are kept in a table, and users
are assigned to one of them. The policy can be as granular as each
individual, or as broad as the entire system. With SQL each user can also
have their own w/b list, but these and other settings are usually controlled
by the administrator (I find phpmyadmin helpful). There are addon packages
like Mailzu that allow individuals to control their own quarantine, or 'plus
addressing' that can be used to redirect malware to different individual
mailboxes (among other quarantine options).

The advantage to amavisd-new is the fact that the message is only scanned
once regardless of the number of recipients, so it saves processing power.
It also interfaces to antivirus software, is able to ban files with (what
are usually) malicious attachments, and detect mail with malformed headers.
Initially amavisd-new and Postfix are relatively simple to set up and there
are quite a few HOWTOs out there for that - one location is
http://www.freespamfilter.org/ . Since there are a lot of different ways to
go about things, it does get interesting after the initial setup however.

Maia mailguard is based on (an older version of) amavisd-new. It is a
quarantine management system that gives each user a web interface to control
some of their most critical settings, their quarantine and their w/b lists.
Initially the administrator sets domain wide policies, then users are allowed
to deviate from that as they see fit. When users verify that messages are
spam, the spam is also fed to Bayes and reported. False positives are also
fed as ham.


Gary V





Re: Can SA be used to implement greylisting?

2006-06-19 Thread JamesDR

Logan Shaw wrote:

[snip]


I've been following this thread closely... and I have a few thoughts on 
how SA could be used... as a feed back loop device.


Currently in SA is the AWL, we all know this is a table of senders,
IPs, mail count, and total scores. If one has a good AWL database -
then this could be used in part of the graylist decision. In my mind,
how this could work is:

1) Message comes in, check against AWL, if sender/ip pair do not exist,
send the tempfail, if sender/ip pair do exist:
2) Check the average score against some threshold (say 4 points as a
figure.) If sender's score is over this value (still at the header
stage) send tempfail, if the sender's average score is below:
3) Send the message on through to the AV's, SA, etc..
4) SA will adjust the totals, rinse and repeat.

This to me has 2 good effects:
1) Uses graylisting as an efficient means to stop spam (early on in the
SMTP conversation.)
2) Integrates SpamAssassin in what it does best, scoring. Thus feeds
back to the graylisting mech.

Of course, this assumes that the standard table of senders, IPs, and
their last try time is kept. Along with whitelist/blacklist entries. I
think this is a good use of SpamAssassin, graylisting and our tight IT
budgets for processor time.


My $0.25 worth.
--
Thanks,
JamesDR




Re: Can SA be used to implement greylisting?

2006-06-19 Thread Rick Macdougall

JamesDR wrote:

[snip]

> 1) Message comes in, check against AWL, if sender/ip pair do not exist,
> send the tempfail, if sender/ip pair do exist:
> 2) Check the average score against some threshold (say 4 points as a
> figure.) If sender's score is over this value (still at the header
> stage) send tempfail, if the sender's average score is below:
> 3) Send the message on through to the AV's, SA, etc..
> 4) SA will adjust the totals, rinse and repeat.


If sender/ip pair is in AWL, it's most likely in the greylisting 
database as well and will be allowed in.


I considered adding this to simscan as well but for reasons mentioned 
before I found it to be overly burdensome on the mail server and really 
didn't add any true value.


I ended up just whitelisting major ISP's in my greylisting database and 
went from there.


Regards,

Rick



Re: Can SA be used to implement greylisting?

2006-06-19 Thread Logan Shaw

On Mon, 19 Jun 2006, John D. Hardin wrote:

> On Mon, 19 Jun 2006, Logan Shaw wrote:
>
> > If it comes up with a very high score (almost definitely spam),
> > drop it right away.  If it comes up with an indeterminate score,
> > apply the greylisting approach and delay it until later.
>
> What's the point? You've already *got* the entire message, at that
> point why tell the sender "I don't want it right now, try again
> later"?

The point is, in doing so you will see whether they actually
*do* try again later.  Because greylisting is known to be an
effective tool against spam, we can conclude that it is useful
information.  Because SpamAssassin gave indeterminate results
(by definition), any information you can get is useful.

> > By definition, SpamAssassin by itself is insufficient
> > in these cases, so any extra information you can gather (i.e. whether
> > the sender retries) is valuable information.
>
> At the cost of receiving and processing those messages at least twice.

Yes, I agree with that.  It does use more resources.  So,
fundamentally, this is a question of cost vs. benefits.
Is it worth using resources to get this extra information?
It might be to some, and it might not be to others.

> Consider the case of a spammer whose software *does* retry, but
> retries every two or three minutes until delivery is accepted or
> PERMFAILed. I have seen this in my greylist logs. Do you really want
> SA + AV + whatever to completely process this message a half-dozen
> times before making a permanent decision at the end of the delay
> period?

That's a possible problem.  One solution is that there is
already a database that tells you when not to delay; this could
be extended to tell you when not to run content-based checking
again.  So, you'd only have to run the expensive content-based
checks the first time you get a message from an unknown source.
Of course, that complicates the software a little bit, but we
are back to cost vs. benefits again.

> Email is a store-and-forward best-attempt unguaranteed delivery
> system, *not* Instant Messaging. The perception that a fifteen-minute
> delay in delivery of a message is not acceptable is unrealistic.

I agree with that too, but that doesn't mean it wouldn't be
worthwhile to do something to reduce the negative effects of
greylisting while still getting most of its benefits.

  - Logan


Re: Can SA be used to implement greylisting?

2006-06-19 Thread David B Funk
On Mon, 19 Jun 2006, Rick Macdougall wrote:

> JamesDR wrote:
> > 1) Message comes in, check against AWL, if sender/ip pair do not exist,
> > send the tempfail, if sender/ip pair do exist:
> > 2) Check the average score against some threshold (say 4 points as a
> > figure.) If sender's score is over this value (still at the header
> > stage) send tempfail, if the sender's average score is below:
> > 3) Send the message on through to the AV's, SA, etc..
> > 4) SA will adjust the totals, rinse and repeat.
>
> If sender/ip pair is in AWL, it's most likely in the greylisting
> database as well and will be allowed in.

You've missed a point. In the traditional greylisting database you
list by sender/ip -and- recipient address. This is to prevent a
machine-gunning spammer from getting a 'bye' for hitting previous
targets. (i.e. you only do the greylist pass if the triple of
sender & recipient & ip address match).

If you do the suggested AWL lookup then you can use the sender/ip
score entries as an indication of "credibility" for sending to other
recipients; all done at the SMTP header stage so low overhead.

You could also use this as a selective greylist system:
1) If there is no AWL/greylisting-database entry for the sender
   or a 'good' score in AWL, don't greylist, just pass thru SA as a
   normal message (but also do -not- add to greylisting-database).
2) If 'bad' AWL score and not in greylisting-database, greylist delay.
3) If 'bad' AWL score and in greylisting-database pass thru to SA.

So if the sender is unknown to you, you give them the benefit of the
doubt (no greylist delay) but do the SA score to get a ranking.

If known 'bad' then delay, if known 'good' no delay.


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
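A worked version of the mechanics discussed in this thread, added here as an example; it is not code from the thread, from milter-greylist or from SpamAssassin. The Greylist class is the triple-keyed, envelope-only scheme Andy Jezierski and Dave Funk describe (451 until a minimum delay has elapsed, entries expiring after an idle period, a periodic dump so a restart keeps the table, whitelisted hosts skipping the delay), and selective_check is the variant above that consults a reputation table first and delays only senders with a bad history. The reputation table is a plain dict of (sender, IP) to mean score standing in for SA's AWL, which is an assumption of this example and not how the real AWL is keyed or stored; the two-minute delay, seven-day lifetime and 4.0 threshold are the figures quoted in the thread; the addresses and IPs are constructed.

```python
import json
import time
from dataclasses import dataclass

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"


@dataclass
class GreylistEntry:
    first_seen: float      # the retry-delay clock starts at the first attempt
    last_seen: float       # refreshed on every attempt; idle entries expire
    passed: bool = False   # once a retry got through, no further delay for this triple


class Greylist:
    """Triple-keyed greylist (envelope sender, envelope recipient, client IP).
    Decided from envelope data alone, before DATA, so rejected attempts cost no
    body transfer and no SpamAssassin or antivirus run."""

    def __init__(self, min_delay=120, max_age=7 * 86400, whitelist_ips=()):
        self.min_delay = min_delay            # seconds a retry must wait
        self.max_age = max_age                # idle lifetime of an entry
        self.whitelist_ips = set(whitelist_ips)
        self.table = {}

    def _expire(self, now):
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.max_age]
        for k in stale:
            del self.table[k]

    def check(self, sender, recipient, ip, now=None):
        """Return 'ACCEPT', or the 451 reply the MTA should send for this RCPT."""
        now = time.time() if now is None else now
        self._expire(now)
        if ip in self.whitelist_ips:
            return "ACCEPT"
        key = (sender.lower(), recipient.lower(), ip)
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = GreylistEntry(now, now)
            return TEMPFAIL
        entry.last_seen = now
        if entry.passed or now - entry.first_seen >= self.min_delay:
            entry.passed = True
            return "ACCEPT"
        return TEMPFAIL

    def dump(self, path):
        """Periodic dump so a restart does not begin with an empty table."""
        with open(path, "w") as fh:
            json.dump([[list(k), e.first_seen, e.last_seen, e.passed]
                       for k, e in self.table.items()], fh)

    def load(self, path):
        with open(path) as fh:
            for key, first, last, passed in json.load(fh):
                self.table[tuple(key)] = GreylistEntry(first, last, passed)


def selective_check(greylist, awl_mean_scores, sender, recipient, ip,
                    bad_threshold=4.0, now=None):
    """Selective greylisting: consult a reputation table first and delay only
    senders with a bad history. awl_mean_scores is a plain dict of
    (sender, ip) -> mean SpamAssassin score; it stands in for SA's AWL in this
    example and is not how the real AWL is keyed or stored."""
    mean = awl_mean_scores.get((sender.lower(), ip))
    if mean is None or mean < bad_threshold:
        return "ACCEPT"    # unknown or good reputation: no delay, nothing recorded
    return greylist.check(sender, recipient, ip, now)


if __name__ == "__main__":
    # constructed sample attempts; times are seconds on an arbitrary clock
    gl = Greylist(whitelist_ips={"198.51.100.1"})
    for t in (1000.0, 1060.0, 1130.0):
        print(t, gl.check("a@example.net", "me@example.org", "192.0.2.5", now=t))
    awl = {("bulk@spam.example", "192.0.2.9"): 7.5}
    print(selective_check(gl, awl, "bulk@spam.example", "me@example.org", "192.0.2.9", now=2000.0))
```

Note what the selective variant gives up, as Dave's and John's posts point out: a sender with no history is accepted without delay, so the first message from a new source always costs a full SA scan, and a spammer that retries every few minutes is only slowed once its mean score has climbed past the threshold.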


Re: Found on a stock spam:

2006-06-19 Thread Bob Proulx
Michael Monnerie wrote:
> Bob Proulx wrote:
> > Meanwhile, I do think that filtering outgoing mail from such places
> > as open internet nodes at hotels and other places like that is
> > probably a good thing.  But simply tagging by itself does not seem
> > useful to me.
> 
> It's a legal thing: You are not allowed to throw away e-mail from your 
> customers, they could sue you. Yes, false positives, right...

But these same places now usually require a click through license to
accept their terms.  So they should be okay based upon that, no?  I
only see that with hotels so far.  Most coffee shops are still
completely open.  Personally I would block all outgoing port 25
traffic.

> There exist many tools that filter on SpamAssassin headers (Mozilla 
> Thunderbird), so it can be valuable for the receiver's filter to have 
> that scan results. Even for a company: If one PC got some infection and 
> sends SPAM, at least you marked all messages as such.

That is not good.  What tool would trust the header contents the
message came in with?

But I do acknowledge your point.  If you scan with SpamAssassin and
mark the subject as spam, then at least, when you are a clueless
associate to a spammer, you can claim that you told the victim that you
were spamming them.  But there is still a victim and I think that is
bad.

Bob


Re: Found on a stock spam:

2006-06-19 Thread Kelson

Bob Proulx wrote:

> > There exist many tools that filter on SpamAssassin headers (Mozilla
> > Thunderbird), so it can be valuable for the receiver's filter to have
> > that scan results. Even for a company: If one PC got some infection and
> > sends SPAM, at least you marked all messages as such.
>
> That is not good.  What tool would trust the header contents the
> message came in with?


I've never used the "Trust junk mail headers set by..." option myself, 
so I'm not 100% certain what it does and does not trust, but...


If a message comes in with "X-Spam-Status: No" I would hope that 
Thunderbird will process the message normally, including running it 
through its own junk mail filters.  If a message comes in with 
"X-Spam-Status: Yes" it seems reasonable to mark it as junk without 
running it through another set of filters.


(Seriously, who's going to deliberately mark their own mail as spam?  I 
can see a spammer marking their own mail as non-spam, but a good SA 
setup will override that before the mail client sees it.)


In any case, it's a config option that IIRC is disabled by default, so 
presumably it should only be enabled by people whose accounts are 
filtered by SpamAssassin on the server.


--
Kelson Vibber
SpeedGate Communications 
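The two halves of the point Bob and Kelson are making, as an added example that is not code from the thread, from SpamAssassin or from Thunderbird: a gateway that lets its clients act on X-Spam-* headers has to drop whatever X-Spam-* headers arrived with the message before its own scan adds fresh ones, otherwise a forged "X-Spam-Status: No" from the sender reaches the client's filter untouched. The first function does that stripping; the second parses the X-Spam-Status value a client-side filter would act on, checked against the SARE_GIF_ATTACH header quoted earlier in this thread. The forged message and addresses are constructed for the example.

```python
import email
import re

STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?).*?\brequired=(\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")


def strip_inbound_spam_headers(raw):
    """Remove every X-Spam-* header that arrived with the message, before the local
    scan adds its own. Returns the cleaned message and the header values removed
    (worth logging: a forged 'X-Spam-Status: No' on inbound mail is itself a signal)."""
    msg = email.message_from_bytes(raw)
    removed = []
    for name in {k.lower() for k in msg.keys() if k.lower().startswith("x-spam-")}:
        removed.extend(msg.get_all(name) or [])
        del msg[name]          # header names match case-insensitively, all copies go
    return msg, removed


def parse_spam_status(value):
    """Parse an X-Spam-Status value (folded or not) into (flag, score, required, tests),
    the fields a client-side filter acts on. Returns None if it is not SA's format."""
    flat = " ".join(value.split())
    m = STATUS_RE.match(flat)
    if not m:
        return None
    t = TESTS_RE.search(flat)
    tests = [x.strip() for x in t.group(1).split(",") if x.strip()] if t else []
    return m.group(1), float(m.group(2)), float(m.group(3)), tests


# constructed inbound message carrying a forged, favourable SA verdict
FORGED = (b"From: sender@example.net\r\n"
          b"To: me@example.org\r\n"
          b"Subject: your account\r\n"
          b"X-Spam-Status: No, score=-5.0 required=5.0 tests=[]\r\n"
          b"X-Spam-Flag: NO\r\n"
          b"x-spam-level: \r\n"
          b"\r\n"
          b"please click here\r\n")

if __name__ == "__main__":
    msg, removed = strip_inbound_spam_headers(FORGED)
    print("removed:", removed)
    print("status now:", msg["X-Spam-Status"])
    # the value from the header block quoted earlier in this thread
    print(parse_spam_status("No, score=4.75 tagged_above=-100 required=6.1\n tests=[SARE_GIF_ATTACH=4.75]"))
```

The stripping belongs on the scanning host, not in the client: a client cannot tell from the headers alone which hop added them, which is exactly why the "trust junk mail headers" option only makes sense for accounts whose server is known to rewrite them.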


Re: Found on a stock spam:

2006-06-19 Thread jdow

From: "Bob Proulx" <[EMAIL PROTECTED]>


> Michael Monnerie wrote:
>
>> Bob Proulx wrote:
>>> Meanwhile, I do think that filtering outgoing mail from such places
>>> as open internet nodes at hotels and other places like that is
>>> probably a good thing. But simply tagging by itself does not seem
>>> useful to me.
>>
>> It's a legal thing: You are not allowed to throw away e-mail from your
>> customers, they could sue you. Yes, false positives, right...
>
> But these same places now usually require a click through license to
> accept their terms.  So they should be okay based upon that, no?  I
> only see that with hotels so far.  Most coffee shops are still
> completely open.  Personally I would block all outgoing port 25
> traffic.


And you'd probably get someone as volatile as I am attacking you
with any handy rolling pin size and heft object they could find.

When travelling I use port 25 for authenticated smtp with Earthlink.

(Of course, I think Earthlink has been smart enough to set up a
port 587 mail submission port. But I don't want to bet on it yet.)

Verizon seems to block 25 except to get to Earthlink or whatever
other ISP may be registered for DSL connections. That has me
irritated enough that experiencing it on the road would drive
me ballistic.

{^_^}


Re: How to detect current images-only messages?

2006-06-19 Thread jdow

From: "Chris Santerre" <[EMAIL PROTECTED]>

>> From: Yves Goergen [mailto:[EMAIL PROTECTED]
>>
>> Hello,
>> I keep receiving messages that consist of nothing but composed images.
>> They're HTML messages with only <img> tags in them. There seems to be a
>> rule that checks if the message has *any* image and compares it to its
>> length. That gave my spam some scores recently but not so today. I
>> received a message that looks just like the others but has no score at
>> all due to the fact that it only consists of images.
>>
>> Is there any way to detect this type of message with SpamAssassin? I
>> cannot think of a regular expression that would do it, and even if I
>> could, SA offered no way to match it reliably. (See the line-by-line
>> problem with 'rawbody' and encoding problems with 'full'.)
>
> I keep hearing this is a problem, but I'm not seeing it on my end. Most are
> being caught:
>
> I'll have to adjust for those 2. :)


In case he means no score and no SA markup there is still a way this
can happen. If an email comes in during a very tiny window when spamd
is reloading its configuration (-HUP) the email can sneak through.

{^_^}


Re: Its nice when spammers declare their intentions...

2006-06-19 Thread jdow

From: "Craig McLean" <[EMAIL PROTECTED]>


> Loren Wilton wrote:
>
>> Subject: PayPal Fraud Intention !!! Verify Account & Billing Information !!!
>> From: "PayPal.inc Security Center Department " <[EMAIL PROTECTED]>
>>
>> Its nice to know that they intend to defraud me.  Maybe I won't bother
>> playing their game.
>>
>> Loren
>
> Heh, got this one yesterday:
>
> From: "Lazarus Dennis" 
> To: <[EMAIL PROTECTED]>
> Subject: bastard
>
> And thought, why's he calling me a bastard? Maybe he knows his crap
> isn't going to get through...


Craig,  there IS an obvious connection between your domain name
and the subject of the message. Maybe the author thought it was
appropriate?

    Thataway REAL fast -->>>{O,o}


Re: spamassassin on a mail relay

2006-06-19 Thread jdow

From: "Chris Santerre" <[EMAIL PROTECTED]>

>> Hi,
>>
>> We use mysql based User Preferences so users can use their own black and
>> white lists as well as set the markup and required hits.
>>
>> We reject spam (55x, not a bounce) when the score is 10 or above and
>> mark everything else that gets 5 or more.
>>
>> Regards,
>>
>> Rick
>
> I have a weird setup :)
>
> AFAIK, I'm the only nut who does this. All my users are actually aliases to
> procmail scripts. No user accounts on the mail gateway system. If they want
> to opt out, (which no person ever has.), I can do it in their script.
>
> This gives me amazing flexibility in the system. Copying specific spam/ham
> to archives for research as an example. Anything between score 5-6.99 gets
> marked and delivered. Anything 7 or above gets sent to a global spam account
> that I check every morning. About 85% are instantly deleted because of
> URIBL/SURBL combination hits. The rest are just analized by me for more

Oh really? You have THAT problem, eh?- Maybe a
good psychologist could help you.

> patterns for SARE, and URIs for URIBL.


 (I'm sorry, I just CANNOT pass up some setups) -->>> {O,o}


Re: Can SA be used to implement greylisting?

2006-06-19 Thread John D. Hardin
On Mon, 19 Jun 2006, Logan Shaw wrote:

> > Consider the case of a spammer whose software *does* retry, but
> > retries every two or three minutes until delivery is accepted or
> > PERMFAILed. I have seen this in my greylist logs. Do you really want
> > SA + AV + whatever to completely process this message a half-dozen
> > times before making a permanent decision at the end of the delay
> > period?
> 
> That's a possible problem.  One solution is that there is
> already a database that tells you when not to delay; this could
> be extended to tell you when not to run content-based checking
> again.  So, you'd only have to run the expensive content-based
> checks the first time you get a message from an unknown source.

Okay, I'll buy that. IP + MSGID, store the spam score and don't scan
it again.

One problem with that is you may lose extra spam points from a URL
that goes into the URIBLs between the time the message is first
scanned and when the greylist delay expires. Or you could limit it to
two scans, one initial and one at delay expiration, and suppress the
scans on intermediate delivery attempts.

Another alternative is no timeout. If you are just saying "I want to
see whether they will retry at all," then accept the message on the
second delivery attempt whenever that occurs. Scan both times. The
other greylist packages may have good reasons they don't do this,
though.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
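The scan-caching variant John describes above (scan on first sight, remember the score by IP + Message-ID, skip the scan on intermediate retries, rescan once when the delay expires so new URIBL listings still count), written out as an added example. This is not code from any greylist package or from the list post; the delay, the required score, the SMTP replies and the stand-in scanner are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

TEMPFAIL, ACCEPT, REJECT = "451 greylisted", "250 accepted", "550 rejected"


@dataclass
class Entry:
    first_seen: float  # time of the first delivery attempt
    score: float       # score from the initial (expensive) scan


@dataclass
class GreylistScanCache:
    scan: Callable[[str], float]   # the expensive content check (SA + AV + ...)
    delay: float = 300.0           # greylist delay in seconds (assumed value)
    required: float = 5.0          # SA-style required score (assumed value)
    entries: Dict[Tuple[str, str], Entry] = field(default_factory=dict)

    def attempt(self, ip: str, msgid: str, body: str, now: float) -> Tuple[str, bool]:
        """One delivery attempt; returns (smtp_reply, scanned_this_time)."""
        key = (ip, msgid)          # IP + Message-ID, as the post suggests
        entry = self.entries.get(key)
        if entry is None:
            # First sight: scan once, cache the score, and ask for a retry.
            self.entries[key] = Entry(first_seen=now, score=self.scan(body))
            return TEMPFAIL, True
        if now - entry.first_seen < self.delay:
            # Retry inside the delay window: no rescan, just delay again.
            return TEMPFAIL, False
        # Delay expired: one final rescan so a URI listed in the URIBLs
        # since the first scan still counts; keep the higher of the two.
        final_score = max(entry.score, self.scan(body))
        del self.entries[key]
        return (REJECT if final_score >= self.required else ACCEPT), True


def simulate_retrying_sender() -> Tuple[List[str], int]:
    """Constructed scenario: a sender that retries every two minutes."""
    scans: List[str] = []

    def fake_scan(body: str) -> float:   # stand-in for the real scanner
        scans.append(body)
        return 12.0 if "stock" in body else 0.5

    g = GreylistScanCache(scan=fake_scan)
    body = "hot stock tip, buy now"      # constructed spam-like body
    replies = [g.attempt("192.0.2.7", "<x@example.invalid>", body, t)[0]
               for t in (0.0, 120.0, 240.0, 360.0)]
    return replies, len(scans)
```

Four attempts from the fast-retrying sender cost exactly two scans, the initial one and the one at delay expiry.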



Re: Found on a stock spam:

2006-06-19 Thread John D. Hardin
On Mon, 19 Jun 2006, Bob Proulx wrote:

> That is not good.  What tool would trust the header contents the
> message came in with?

True for a header that says "this is NOT spam", but what spammer is
going to put in a header saying "this message IS spam" ?

It may be justified to trust an X-Spam: YES header on inbound
messages.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--



Re: Found on a stock spam:

2006-06-19 Thread jdow

From: "John D. Hardin" <[EMAIL PROTECTED]>

> On Mon, 19 Jun 2006, Bob Proulx wrote:
>
>> That is not good.  What tool would trust the header contents the
>> message came in with?
>
> True for a header that says "this is NOT spam", but what spammer is
> going to put in a header saying "this message IS spam" ?
>
> It may be justified to trust an X-Spam: YES header on inbound
> messages.


I use procmail's formail to rewrite incoming "X-Spam:" headers both
to preserve them and prevent SpamAssassin from marking up email.
It has not yet proven useful to take "X-False-Spam:" as a header
and declare the value "Yes" to be spam. If it does I'll use it. (Of
course, so LITTLE spam gets through that discovering cases where
paying attention to incoming "X-Spam: Yes" headers would make a
difference is rather "tedious.")

{^_-}
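The header handling discussed in this thread (Kelson's point that a client may trust an upstream "Yes" but must not trust a "No", John's that only a "Yes" claim is worth anything, and jdow's renaming of inbound "X-Spam:" headers to "X-False-Spam:" so the local scanner's markup stays unambiguous), as an added example in Python rather than procmail/formail. This is not jdow's recipe or SpamAssassin's own code; the sample message is constructed.

```python
import email
from email.message import Message
from email.policy import default
from typing import List, Tuple

# Constructed inbound message carrying upstream SpamAssassin-style markup.
SAMPLE = """\
From: someone@example.invalid
To: me@example.invalid
Subject: hello
X-Spam: Yes
X-Spam-Flag: YES
X-Spam-Status: Yes, score=9.1 required=5.0
X-Spam-Level: *********

body text
"""

# Headers whose leading "Yes" we report as an upstream spam claim. A "No"
# is never trusted: the sending side controls every header that arrives.
CLAIM_HEADERS = ("x-spam", "x-spam-flag", "x-spam-status")


def quarantine_inbound_spam_headers(msg: Message) -> Tuple[Message, bool]:
    """Rename X-Spam and X-Spam-* headers to X-False-Spam(-*), in place.

    Returns (msg, upstream_says_spam); the message keeps the original
    values under the new names so they can still be inspected later.
    """
    upstream_says_spam = False
    names = {k for k in msg.keys()
             if k.lower() == "x-spam" or k.lower().startswith("x-spam-")}
    for name in names:
        values = [str(v) for v in msg.get_all(name, [])]
        del msg[name]                       # removes every copy of it
        for v in values:
            msg["X-False-" + name[2:]] = v  # e.g. X-False-Spam-Status
        if name.lower() in CLAIM_HEADERS and any(
                v.strip().lower().startswith("yes") for v in values):
            upstream_says_spam = True
    return msg, upstream_says_spam


def process(raw: str) -> Tuple[List[str], bool]:
    """Parse raw text; return (sorted header names, upstream_says_spam)."""
    msg = email.message_from_string(raw, policy=default)
    msg, flag = quarantine_inbound_spam_headers(msg)
    return sorted(msg.keys()), flag
```

After this step the local SpamAssassin run is the only source of "X-Spam-*" headers the mail client sees, and the upstream "Yes" survives as a separate hint to act on or ignore by policy.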


How to install iXhash

2006-06-19 Thread Marc Perkel
I found this plugin iXhash in the Wiki but I don't know how to use it. 
What do I do to install it?


Re: How to install iXhash

2006-06-19 Thread Marc Perkel

Here's the link to the wiki, but I don't know what to do with it.

http://wiki.apache.org/spamassassin/iXhash


Re: Was "One large image" now is "several small images"

2006-06-19 Thread Michael Monnerie
On Friday, 16 June 2006 17:33 Toll, Eric wrote:
> Anyone have a good rule for this??

I didn't have a single message of this type passing my filters. That 
surprised me, positively. Here's what they got:

X-Spam-Status: Yes, hits=20.751 tagged_above=-999 required=5
 tests=BAYES_99=3.5, EXTRA_MPART_TYPE=1.091, FORGED_RCVD_HELO=0.135,
 HELO_DYNAMIC_IPADDR=4.2, HTML_90_100=0.113, HTML_IMAGE_ONLY_16=0.497,
 HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.102, PYZOR_CHECK=3.7,
 RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046, RELAY_FR=0.01,
 SARE_GIF_ATTACH=0.75, SARE_GIF_STOX=1.66

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:"curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Re: How to detect current images-only messages?

2006-06-19 Thread Alan Premselaar

jdow wrote:
> From: "Chris Santerre" <[EMAIL PROTECTED]>
>>> From: Yves Goergen [mailto:[EMAIL PROTECTED]
>>>
>>> Hello,
>>> I keep receiving messages that consist of nothing but composed images.
>>> They're HTML messages with only <img> tags in them. There seems to be a
>>> rule that checks if the message has *any* image and compares it to its
>>> length. That gave my spam some scores recently but not so today. I
>>> received a message that looks just like the others but has no score at
>>> all due to the fact that it only consists of images.
>>>
>>> Is there any way to detect this type of message with SpamAssassin? I
>>> cannot think of a regular expression that would do it, and even if I
>>> could, SA offered no way to match it reliably. (See the line-by-line
>>> problem with 'rawbody' and encoding problems with 'full'.)
>>
>> I keep hearing this is a problem, but I'm not seeing it on my end.
>> Most are
>> being caught:
> 
>>
>> I'll have to adjust for those 2. :) 
> 
> In case he means no score and no SA markup there is still a way this
> can happen. If an email comes in during a very tiny window when spamd
> is reloading its configuration (-HUP) the email can sneak through.
> 
> {^_^}

Of course this can also happen if the message size is greater than the
upper size limit set (default 250k) ... being that it's an image only,
I'd say it's definitely a possibility.  (I've seen that happen on my
system in the past)

Alan