RE: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Leon Kolchinsky


> -Original Message-
> From: Thomas Bolioli [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 18, 2006 5:37 PM
> To: users@spamassassin.apache.org
> Subject: roaming users sending mail internally and dynamic IPs issue
> 
> Whenever our users travel outside the internal networks and send email
> to each other, the emails get tagged by the below reports (yes, I
> cranked up the default scores because of the botnet crap out there)
> because they are on dyn IPs and sending direct to the receiving MTA.
> 
> I see a couple of ways that this can be remedied, most of which is
> acceptable. a) Whitelist all of the users (or the entire domain) for
> every domain on the system [obviously bad since it allows spammers to
> spoof from headers with impunity even with SPF setup]. b) set up second
> machine to be a second MTA and have users send email from machine 2
> which then relays to machine 1 [waste of a machine and energy to run
> that machine]. or c) there is some configuration I am missing. Does
> anyone know what I can do to fix this?
> 
> Thanks,
> Tom
> 
> *  0.7 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address
> *  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
> *  2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
> *  [xx.xx.xx.xx listed in combined.njabl.org]

If you are using postfix+amavis+SA, there are many ways to bypass SA checks for 
your users:
http://www200.pair.com/mecham/spam/bypassing.html



Regards,
Leon


Re: Boy, everything is getting spam protection these days.

2006-12-18 Thread Theo Van Dinter
On Tue, Dec 19, 2006 at 12:32:51AM -0500, Steve Lake wrote:
> spam, I get AIM spam, I get spam in my spam.  It's just nuts.  heh.  Even 
> my phone.  Now how sad is that.  Oh well, just thought I'd share that.

Leela: "Didn't you have ads in the 20th century?"
Fry: "Well sure, but not in our dreams! Only on tv and radio...and in
magazines...and movies. And at ball games, on buses, and milk cartons,
and t-shirts, and bananas, and written on the sky. But not in dreams!
No sirree."
- Futurama, "A Fishful of Dollars"




Boy, everything is getting spam protection these days.

2006-12-18 Thread Steve Lake
lol.  This is kind of OT, but does involve stopping spammers.  One 
thing I've noticed lately is that they're getting really desperate.  So 
much so that I've not only had to add spam protection to my forums, but 
I've also had to add it to several of my web forms.  Yes, spammers were actually 
spamming me through my web forms.  Go figure that one out.  heh.  I get ICQ 
spam, I get AIM spam, I get spam in my spam.  It's just nuts.  heh.  Even 
my phone.  Now how sad is that.  Oh well, just thought I'd share that.



Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community




Re: Negative AWL on a spam & received from localhost?

2006-12-18 Thread Matt Kettler
Henry Kwan wrote:
> Hi,
>
> Running SA 3.17 on a CentOS 4.4 install with sendmail.  Am getting some spams
> that score negative AWL and was wondering why this was.  
Rule 1) just because the AWL scores negative, does NOT mean the AWL
thinks it is nonspam. The AWL is fundamentally a score averager, and the
only way for it to always assign positive scores to spam is if your
pre-awl scores are constantly decreasing... that's a BAD thing.

In this case, the past average for the sender was approximately 7.7
(spam), this message came in at 11.5 (also spam), so the AWL split the
difference and took off 1.9 points to make it 9.6 (still spam). That's
100% normal.

See also:

http://wiki.apache.org/spamassassin/AwlWrongWay

http://wiki.apache.org/spamassassin/AutoWhitelist




Re: Rule that negative scores emails from blackberry.com, not spoofers

2006-12-18 Thread John D. Hardin
On Mon, 18 Dec 2006, Kelly Jones wrote:

> The obvious:
> 
> Received =~ /.*blackberry\.com$/
> 
> doesn't work, because someone could "HELO blackberry.com" or spoof a
> blackberry.com received header somewhere in the message headers prior
> to the last hop.

...so add enough to it to match only on Received headers that *your* 
MTA inserts.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 7 days until Christmas



Botnet 0.7 soon

2006-12-18 Thread John Rudd


New things:


1) BOTNET_SOHO -- If the sender's (chosen from Envelope-From, 
Return-Path, or From, in that order) mail domain (the part after the @ 
sign) resolves back to the relay's IP address, or has an MX host which 
resolves back to the IP address, AND the sender's mail domain does NOT 
match the PTR record for the relay, then we'll assume this is a "small 
office/home office" mail server.  We'll exempt them from BOTNET being 
triggered.  (note: someone suggested that this check also try to resolve 
the HELO string, I make a note in my code as to why this is an extremely 
bad idea, and have a commented out block of code there for anyone who 
wants to go down that path ... but, really, don't)



2) Botnet API -- want to include the Botnet.pm module in other Perl 
code?  Maybe call "check_botnet" from mimedefang-filter so you can block 
before a message gets to SpamAssassin?  I've made an API for it.  The 
routines that SA calls use this API, so it's the _exact_same_ code. 
There's now an included perl program "Botnet.pl" which takes an IP 
address CLI argument, and an optional main-domain CLI argument.  It will 
tell you which rules do and don't get triggered.  It also serves as an 
example of using the API.  (you will still need to have SpamAssassin 
installed in order to use Botnet.pm in this fashion, even if you're 
using the API in a program that doesn't call SA)



3) BOTNET_CLIENT and BOTNET are now actual rules instead of meta rules. 
 The individual rules are still there, just with zero'd scores.  You 
can now easily pick between 1 big rule (BOTNET doing eval:botnet()), 
meta rules (detailed in the file Botnet.variations.txt), or piece-meal 
calling of the individual checks (also detailed in Botnet.variations.txt).



4) config option: botnet_pass_trusted (all|public|private|ignore)
This defaults to "public".  If you have any public IP addresses in your 
relays-trusted list, then Botnet won't trigger.  Private means "any 
private IP addresses", where that includes 127.*, 10.*, etc..  All means 
either of those two.  Ignore means "do what Botnet used to do: not even 
look at the trusted relays, just look past them".  The idea is: if you 
got this from a trusted relay, we can assume it wasn't a Botnet.



5) botnet_pass_auth now looks at the trusted relays.  It probably should 
have been doing that all along.  It no longer looks at the untrusted relays.



6) Rules that get triggered now use $permsgstatus->test_log to record 
information.  The individual rules just list 
"[rulename,ip=$ip,hostname=$host,maildomain=$domain]" or an appropriate 
subset of that based on which rule it is.  BOTNET_CLIENT and BOTNET also 
include a list of sub-rule names that were triggered.  So, you might see 
this:


[botnet,ip=1.2.3.4,host=dsl-1-2-3-4.isp.net,domain=spammer.com,baddns,ipinhostname,clientwords,client]

or

[botnet_nordns,ip=2.3.4.5]

or

[botnet_soho,ip=3.4.5.6,hostname=3.4.5.6.isp.net,maildomain=non-spammer-soho.org]

(once I'm more comfortable with the output, I'll probably take out the 
leading rule name, but for now, I'm keeping it there)



7) shawcable.net and ocn.ne.jp seem to also be botnet sources, but their 
hostnames don't fit any of my other patterns.  Luckily, they DO fit some 
pattern, and it's simple enough to not need a code based rule, just a 
regular conventional expression based rule.  I've created 
BOTNET_SHAWCABLE and BOTNET_OCNNEJP rules to cover these two.



8) The file Botnet.variations.txt exists now with different suggested 
alternative ways to do Botnet rules.



9) Botnet.credits.txt exists, but is far from complete.


I think that's everything...


Just need another day or two of testing before I release it.
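
The BOTNET_SOHO exemption from item 1, as an added Python illustration (not code from Botnet.pm, which is Perl). DNS is replaced by a constructed in-memory zone, all function names are hypothetical, and "matches the PTR record" is assumed to mean the PTR name is the mail domain or a host under it.

```python
# Added illustration of the BOTNET_SOHO test described in item 1.
# Not Botnet.pm code: names are hypothetical and DNS is a constructed table.

# Constructed zone data (documentation address ranges, .example names).
A_RECORDS = {
    "smallshop.example": ["203.0.113.25"],
    "mail.familyoffice.example": ["203.0.113.26"],
    "bigcorp.example": ["192.0.2.10"],
    "mx1.bigcorp.example": ["192.0.2.10"],
}
MX_RECORDS = {
    "familyoffice.example": ["mail.familyoffice.example"],
    "bigcorp.example": ["mx1.bigcorp.example"],
}


def resolve_a(name):
    """Stand-in for an A lookup; returns a list of address strings."""
    return A_RECORDS.get(name.lower().rstrip("."), [])


def resolve_mx(domain):
    """Stand-in for an MX lookup; returns a list of MX host names."""
    return MX_RECORDS.get(domain.lower().rstrip("."), [])


def sender_domain(envelope_from=None, return_path=None, from_hdr=None):
    """Pick the mail domain from Envelope-From, Return-Path, or From, in that order."""
    for addr in (envelope_from, return_path, from_hdr):
        if addr and "@" in addr:
            return addr.rsplit("@", 1)[1].strip(" <>\t").lower()
    return None


def ptr_matches_domain(ptr_name, domain):
    # Assumption: "match" means the PTR name is the domain or a host under it.
    ptr = (ptr_name or "").lower().rstrip(".")
    return ptr == domain or ptr.endswith("." + domain)


def is_soho(relay_ip, ptr_name, domain, a=resolve_a, mx=resolve_mx):
    """True when the relay qualifies for the small-office exemption."""
    if not domain or ptr_matches_domain(ptr_name, domain):
        return False
    # The mail domain itself points at the relay ...
    if relay_ip in a(domain):
        return True
    # ... or one of its MX hosts does.
    return any(relay_ip in a(host) for host in mx(domain))


def soho_log_entry(relay_ip, ptr_name, domain):
    # Same bracketed shape as the botnet_soho test_log line shown in item 6.
    return "[botnet_soho,ip=%s,hostname=%s,maildomain=%s]" % (relay_ip, ptr_name, domain)


if __name__ == "__main__":
    dom = sender_domain(envelope_from="owner@smallshop.example")
    if is_soho("203.0.113.25", "dsl-203-0-113-25.isp.example", dom):
        print(soho_log_entry("203.0.113.25", "dsl-203-0-113-25.isp.example", dom))
```

A forged sender domain does not earn the exemption, because the domain's own A and MX records have to point back at the connecting relay.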







Rule that negative scores emails from blackberry.com, not spoofers

2006-12-18 Thread Kelly Jones

How do I write a rule that negative scores emails "from"
blackberry.com. In other words, where the reverse DNS of the IP
address connecting to my mailserver matches the regex /.*blackberry\.com$/

The obvious:

Received =~ /.*blackberry\.com$/

doesn't work, because someone could "HELO blackberry.com" or spoof a
blackberry.com received header somewhere in the message headers prior
to the last hop.

Is this a good place to use the X-Spam-Relays-Trusted: and
X-Spam-Relays-Untrusted: pseudo-headers?

Reason I want to do this: by default, Blackberry sends text email
MIME-encoded and its timezone is +. This means it gets dinged by
the MIME_BASE64_TEXT rule AND the LW_STOCK_SPAM4 which is defined as:

meta LW_STOCK_SPAM4 __RATWARE_0_TZ_DATE && MIME_BASE64_TEXT

I want to even things out by giving a negative score to cancel out
those two positive scores.

Has anyone else run into this issue and/or written a rule to compensate?

--
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.


Re: sa-update is broken

2006-12-18 Thread Kenneth Porter
--On Monday, December 18, 2006 11:20 PM +0100 Yves Goergen 
<[EMAIL PROTECTED]> wrote:



> So now my SA setup is supposed to be broken or what? Well, it still
> works so I guess when the next SA version comes out, it'll fix this again.


Depends on how you installed it. Or if you have backups. Back up your local 
config (in /etc/mail/spamassassin on my system), re-install SA, restore 
your local config.





Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread René Berber
Thomas Bolioli wrote:

> Dan Horne wrote:
>>> I see a couple of ways that this can be remedied, most of 
>>> which is acceptable. a) Whitelist all of the users (or the 
>>> entire domain) for every domain on the system [obviously bad 
>>> since it allows spammers to spoof from headers with impunity 
>>> even with SPF setup]. b) set up second machine to be a second 
>>> MTA and have users send email from machine 2 which then 
>>> relays to machine 1 [waste of a machine and energy to run 
>>> that machine]. or c) there is some configuration I am 
>>> missing. Does anyone know what I can do to fix this?
>>>
>>> 
>>
>> Set up SMTP AUTH and require your users to log in to send email.  If I
>> understand correctly Spamassassin automatically trusts mails sent via
>> SMTP AUTH.
>>   
> Thanks for the response. SMTP auth is set up so there must be something
> I need to do to tell SA that it was auth'd.
> Any ideas?

For sendmail and client IP's that include a "(may be forged)", there is a patch
that will be included with the next release.

You can see what is going on by testing one message, with `spamassassin -x -D -t
< sample.eml`, look for the "Relays" lines, something like this one:

[824] dbg: metadata: X-Spam-Relays-Trusted: [ ip=2.5.1.1 rdns=mail.l.com helo=
by=ca.org ident= [EMAIL PROTECTED] intl=1 id=J9POUJ-0001MC-JY auth= ]

If the "auth=" is empty, as above, then the authentication was not recognized.
In this case look at the messages' corresponding Relay header, which in my
example was something like:

Received: from M (dsl-1-1-7-1.prod.com [189.149.70.163] (may be forged))
(authenticated bits=0)
by mail.l.com (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
for <[EMAIL PROTECTED]>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
-- 
René Berber



Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-18 Thread Chris
On Monday 18 December 2006 9:42 am, Oliver Schulze L. wrote:
> Nice stats!
> How do you generate them in SA 3.1.7 ?
>
> Chris Lear wrote:
> > Here's some sa-stats output:
> >
> > TOP SPAM RULES FIRED

If you want a bit more detailed output on add-on rule sets, try Bowie Bailey's 
"sa-addon-stats" script. This will give you stats on all add-on rulesets:

Botnet.cf:
  Rule Name                     Score     Ham   Spam   %of Ham   %of Spam
  ---
  BOTNET                         5.00     10   1001     2.75%     75.43%
  BOTNET_NORDNS                  0.01      3    436     0.82%     32.86%
  BOTNET_BADDNS                  0.00      4    142     1.10%     10.70%
  BOTNET_CLIENT                  0.01      4    522     1.10%     39.34%
  BOTNET_IPINHOSTNAME            0.01      4    494     1.10%     37.23%
  BOTNET_CLIENTWORDS             0.01      5    150     1.37%     11.30%
  BOTNET_SERVERWORDS            -0.01    171    135    46.98%     10.17%
  ---
  OVERALL                                181   1125    49.73%     84.78%

Addon Rules hitting the most spam (top 20)
  Ruleset                   Rule Name               % of Spam
  ---
  sagrey.cf                 SAGREY                    82.74%
  Botnet.cf                 BOTNET                    75.43%
  local.cf                  BAYES_99                  73.25%
  Botnet.cf                 BOTNET_CLIENT             39.34%
  Botnet.cf                 BOTNET_IPINHOSTNAME       37.23%
  local.cf                  RM_t_bobbf                36.62%
  Botnet.cf                 BOTNET_NORDNS             32.86%
  20_vbounce.cf             ANY_BOUNCE_MESSAGE        19.67%
  20_vbounce.cf             BOUNCE_MESSAGE            19.59%

and so forth.

-- 
Chris
http://learn.to/quote




Trying to upgrade to 3.1.7

2006-12-18 Thread Steve Pfister
I've got a RedHat Linux machine running sendmail. I've been using
spamassassin 3.0.2 and I'm trying to get 3.1.7 installed. I've gotten
versions of SA running in the past, but I'm getting errors on 'make test'
and I'm trying to figure out why. Is there anything that SA 3.1.7 is
depending on that I may not have upgraded yet? The machine has perl 5.8.3 on
it.

 

Thanks!

 



Re: sa-update is broken

2006-12-18 Thread Nigel Frankcom
On Mon, 18 Dec 2006 23:20:46 +0100, Yves Goergen
<[EMAIL PROTECTED]> wrote:

>On 18.12.2006 18:04 CE(S)T, Theo Van Dinter wrote:
>> On Mon, Dec 18, 2006 at 06:01:38PM +0100, Yves Goergen wrote:
>>> BTW, to make the update work on a default SA installation, you need to
>>> specify a different path:
>>>
>>> # sa-update --updatedir /usr/local/share/spamassassin
>>>
>>> Is that by intent?
>> 
>> Um.  No you don't.  In fact, you really don't want to do that.  See
>> http://wiki.apache.org/spamassassin/RuleUpdates
>
>Aha, and that stupid little tool can't tell me that before? Maybe a
>Wiki-style of a documentation isn't well suited for beginners that don't
>know the correct search terms.
>
>Is this the home of the SA documentation?
>http://spamassassin.apache.org/doc.html
>I wouldn't know where to click at all to find anything on that page.
>Looks like a loose collection of some special short notes to me but not
>at all like a structured handbook where you can find your topic like in
>those printed on paper a couple of years ago. :(
>
>So now my SA setup is supposed to be broken or what? Well, it still
>works so I guess when the next SA version comes out, it'll fix this again.

Umm, if that 'stupid little tool' doesn't work for you, maybe you
should drop SA and live with the spam? That 'stupid little tool' works
well for many 100's? 1,000's of sa users. Maybe you're special, maybe
you need an even smaller tool. Look south, I'm sure you'll find one.

Nigel


RE: Name in Subject CF RuleSet

2006-12-18 Thread Michael Scheidell


> -Original Message-
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 18, 2006 1:33 PM
> To: users@spamassassin.apache.org
> Subject: Re: Name in Subject CF RuleSet
> 
> 
> On Mon, Dec 18, 2006 at 12:23:31PM -0600, Jess Mooers wrote:
> > Does anyone know of a cf ruleset that will address this, or another 
> > way to stop it.
> 
> Chasing the subject of the day is futile.  Do you use sa-update?
> 
I don't think that is what he meant.

GFI mail scanner has a 'name in subject' button.

It stops MY name in the subject line:

(I think this would need to be a plugin, not a rule)

It has to take To:.*(*.@) (whatever), SAVE it and match it against the
subject:

So:

To: Bill Smith <[EMAIL PROTECTED]>
Subject: Greetings Smith

To: George W. Bush <[EMAIL PROTECTED]>
Subject: Greetings Bush


(or Greetings George)

So, it has to take the To: line, separate 'real name', save at $1 and
$2, and match both $1 and $2 against subject.



Re: sa-update is broken

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 11:20:46PM +0100, Yves Goergen wrote:
> Maybe a Wiki-style of a documentation isn't well suited for beginners
> that don't know the correct search terms.

FWIW, the man page points you at that wiki page for more information.

> Looks like a loose collection of some special short notes to me but not
> at all like a structured handbook where you can find your topic like in
> those printed on paper a couple of years ago. :(

We'd be happy to accept volunteers to help with documentation. :)

> So now my SA setup is supposed to be broken or what? Well, it still
> works so I guess when the next SA version comes out, it'll fix this again.

It should still work, though some things like TextCat won't due to missing
files.  It's also going to be slightly less efficient, but that's not a huge
deal.

-- 
Randomly Selected Tagline:
"640K ought to be enough for anybody." - Bill Gates, 1981




Re: Simple mail from Dynamic IP listed as spam

2006-12-18 Thread hamann . w
>> 
>> Hello Wolfgang!
>> 
>> You forgot to cc your posting to the list.
>> 
>> [EMAIL PROTECTED] wrote:
>> > Hi,
>> > 
>> > common cases that SA recognizes declare auth in the received headers, i.e. per hop
>> > (received ... with ESMPTA)
>> > Whether X-Authenticated (or any other separate header) would be useful at all depends
>> > on whether they remove it from incoming mails. I have sent you a test message
>> > to your gmx account
>> > 
>> > Wolfgang
>> 
>> Your message still contained the X-Authenticated header upon arriving at
>> my machine, although at a different location that it would for mails
>> received from mail.gmx.net. So X-Authenticated is far from reliable.
>> 
>> ESMTPA (I guess that's what you meant?) sounds easy enough to implement
>> if you want to, so I'll try contact GMX and ask them to change their
>> Received header if possible.
>> 
>> Thanks for your help,
>>  Martin
>> 
>> 

Hi,

when using per-hop auth info from the received headers (ESMTPA is just one way to spell
it; some other mailers use different patterns), a recipient can analyze the mail like:
it was sent from a dynamic ip but authenticated, so the server that sent on the mail
does consider the sender a valid customer. Next, one (or SA) would check that server -
and it does, of course, have a static ip, rDNS, and looks ok.
If someone were to send spam right from a dynamic ip to the recipient server, but adding
a few fake received lines at the beginning, an auth'd connection would still cause SA
to start looking at the next "server" - which in that case is the spam sender with a dynamic ip

In contrast, the X-authenticated line is just a promise, added by one - unidentified - party in the
chain that the mail get authenticated. As you have seen, even the initial sender can add it.
It is informative but not at all valuable.
Yes, it would be nice for GMX to add some standard tokens to the received lines indicating
that the mail was received via authenticated smtp (from a mail client) or via http (from webmail)

Wolfgang
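
The per-hop reasoning above, and the earlier advice in this digest to match only on Received headers that your own MTA inserts, as an added Python example (not SpamAssassin's parser and not code from any poster). The header samples are constructed, the function names are hypothetical, and "trusted" is assumed to mean a list of networks holding relays you operate.

```python
import ipaddress
import re

# Markers a receiving MTA writes into its own Received header when the client
# used SMTP AUTH: the ESMTPA/ESMTPSA "with" keywords, Postfix's
# "(Authenticated sender: ...)" and sendmail's "(authenticated bits=...)".
AUTH = re.compile(r"\bwith\s+ESMTPS?A\b|\(authenticated\b", re.I)
# "from HELO (rdns [ip])": the HELO name is client-supplied and is ignored.
FROM = re.compile(r"\bfrom\s+\S+\s+\((?:(\S+)\s+)?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def boundary_relay(received, trusted_nets):
    """Walk Received headers newest-first and return (verdict, ip, rdns).

    The newest header was written by the receiving MTA. A header further down
    is believed only if the hop above it connected from one of trusted_nets,
    i.e. it was written by a relay we run. Everything below the first outside
    hop is sender-controlled text and is never read.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for hdr in received:
        m = FROM.search(hdr)
        try:
            ip = ipaddress.ip_address(m.group(2)) if m else None
        except ValueError:
            ip = None
        if ip is None:
            return ("unparsed", None, None)
        rdns = m.group(1)
        tail = hdr[m.end():]  # text after [ip]: written by the MTA, not the client
        if rdns == "unknown" or "(may be forged)" in tail:
            rdns = None       # the MTA could not confirm the reverse name
        if AUTH.search(tail):
            return ("authenticated", str(ip), rdns)
        if not any(ip in net for net in nets):
            return ("external", str(ip), rdns)
    return ("internal", None, None)


def relay_rdns_in(received, trusted_nets, domain):
    """True only if the boundary hop's rDNS, as logged by our MTA, is in domain."""
    _, _, rdns = boundary_relay(received, trusted_nets)
    return bool(rdns) and (rdns.lower() == domain or rdns.lower().endswith("." + domain))


# Constructed sample headers (newest first), documentation address ranges.
TRUSTED = ["192.0.2.0/24"]
ROAMING_USER = [
    "from laptop.example.com (dyn-203-0-113-7.isp.example [203.0.113.7])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTP id 6A3922B22E0",
]
DIRECT_SPAM = [
    # Written by our MTA: the real client, whatever it claimed in HELO.
    "from blackberry.com (dyn-198-51-100-9.isp.example [198.51.100.9])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 7B4033C33F1",
    # Forged by the sender; it sits below the boundary and is never consulted.
    "from pc (unknown [10.1.1.1]) by smtp.blackberry.com with ESMTPA id abc123",
]
VIA_OUR_GATEWAY = [
    "from gw.example.org (gw.example.org [192.0.2.5])\n"
    "\tby store.example.org (Postfix) with ESMTP id 8C5144D44A2",
    "from laptop (dyn-203-0-113-7.isp.example [203.0.113.7])\n"
    "\tby gw.example.org (Postfix) with ESMTPSA id 9D6255E55B3",
]
GENUINE_RELAY = [
    "from smtp.example.net (relay.blackberry.com [198.51.100.50])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 5E3F1A2B7C0",
]

if __name__ == "__main__":
    for name in ("ROAMING_USER", "DIRECT_SPAM", "VIA_OUR_GATEWAY", "GENUINE_RELAY"):
        print(name, boundary_relay(globals()[name], TRUSTED))
```

Only an "external" result is a candidate for dynamic-IP blocklist checks; the forged ESMTPA line in `DIRECT_SPAM` has no effect because the walk stops at the header our own MTA wrote.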



Re: sa-update is broken

2006-12-18 Thread Yves Goergen
On 18.12.2006 18:04 CE(S)T, Theo Van Dinter wrote:
> On Mon, Dec 18, 2006 at 06:01:38PM +0100, Yves Goergen wrote:
>> BTW, to make the update work on a default SA installation, you need to
>> specify a different path:
>>
>> # sa-update --updatedir /usr/local/share/spamassassin
>>
>> Is that by intent?
> 
> Um.  No you don't.  In fact, you really don't want to do that.  See
> http://wiki.apache.org/spamassassin/RuleUpdates

Aha, and that stupid little tool can't tell me that before? Maybe a
Wiki-style of a documentation isn't well suited for beginners that don't
know the correct search terms.

Is this the home of the SA documentation?
http://spamassassin.apache.org/doc.html
I wouldn't know where to click at all to find anything on that page.
Looks like a loose collection of some special short notes to me but not
at all like a structured handbook where you can find your topic like in
those printed on paper a couple of years ago. :(

So now my SA setup is supposed to be broken or what? Well, it still
works so I guess when the next SA version comes out, it'll fix this again.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
Visit my web laboratory at http://beta.unclassified.de


Re: ORDB.org is shutting down

2006-12-18 Thread Kris Deugau

Giampaolo Tomassoni wrote:

> See: http://www.ordb.org/news/?id=38
>
> Does SA uses it somewhere somehow by default?


It may have in the past, but I don't see any reference other than a few 
dangling translated "description" entries in my 2.64 installs.


-kgd


Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Nigel Frankcom
On Mon, 18 Dec 2006 16:13:32 -0500, Thomas Bolioli
<[EMAIL PROTECTED]> wrote:

>Dan Horne wrote:
>>>> Set up SMTP AUTH and require your users to log in to send email.  If I
>>>> understand correctly Spamassassin automatically trusts mails sent via
>>>> SMTP AUTH.
>>>
>>> Thanks for the response. SMTP auth is set up so there must be
>>> something I need to do to tell SA that it was auth'd.
>>> Any ideas?
>>> Thanks,
>>> Tom
>>
>> I found out about it at the link below and had to add a config option to
>> my postfix I think to get it to add the appropriate info in the headers
>> (documented in the page below).
>>
>> http://wiki.apache.org/spamassassin/DynablockIssues
>>  
>> If you're using postfix, the parameter is
>> "smtpd_sasl_authenticated_header = yes" which makes your received
>> headers contain info like:
>>
>> Received: from host.example.com (dyna-IP-AD-DRE-SS.example.com
>> [IP.AD.DRE.SS])
>>  (Authenticated sender: [EMAIL PROTECTED])
>>  by mail.example.org (Postfix) with ESMTP id 6A3922B22E0;
>>  Tue, 12 Dec 2006 15:24:46 -0500 (EST)
>>
>> Spamassassin picks up on the "Authenticated sender:" portion of this
>> line and "trusts" the sender.
>>
>> CONFIDENTIALITY NOTICE:
>> This email message, including any attachments, is for the sole use of the 
>> intended recipient(s) and may contain confidential and privileged 
>> information. Any unauthorized review, use, disclosure or distribution is 
>> prohibited. If you are not the intended recipient, please contact the sender 
>> by reply email and destroy all copies of the original message.
>>  
>> SPAM-FREE 1.0(2476)
>>
>>   
>
>You nailed it. That was it and it is now working. Thanks for the assist. 
>Tom

Is this applicable to sa servers that receive mail from a sender as
well as those that send mail from said users? Our systems currently
bypass all sa tests for auth'd users but I wonder what receiving
servers make of this. Many of my users are on the road and regularly
send mail from places that would get an outright block locally without
the bypass. Would they get a better reception from the recipient
server if the header above was included?

To date I've not had a reported problem, we use an alternate port for
auth'd users so the usual muppetry of proxies is avoided.

KR

Nigel



Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Thomas Bolioli

Dan Horne wrote:
>>> Set up SMTP AUTH and require your users to log in to send email.  If I
>>> understand correctly Spamassassin automatically trusts mails sent via
>>> SMTP AUTH.
>>
>> Thanks for the response. SMTP auth is set up so there must be
>> something I need to do to tell SA that it was auth'd.
>> Any ideas?
>> Thanks,
>> Tom
>
> I found out about it at the link below and had to add a config option to
> my postfix I think to get it to add the appropriate info in the headers
> (documented in the page below).
>
> http://wiki.apache.org/spamassassin/DynablockIssues
>
> If you're using postfix, the parameter is
> "smtpd_sasl_authenticated_header = yes" which makes your received
> headers contain info like:
>
> Received: from host.example.com (dyna-IP-AD-DRE-SS.example.com
> [IP.AD.DRE.SS])
> (Authenticated sender: [EMAIL PROTECTED])
> by mail.example.org (Postfix) with ESMTP id 6A3922B22E0;
> Tue, 12 Dec 2006 15:24:46 -0500 (EST)
>
> Spamassassin picks up on the "Authenticated sender:" portion of this
> line and "trusts" the sender.


You nailed it. That was it and it is now working. Thanks for the assist. 
Tom




Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Thomas Bolioli

Dan Barker wrote:

> Another issue you'll run into with road warriors is blocks on port 25. They
> may not be ABLE to authenticate with your server. They'll have to use port
> 587 (submission) on some connections. This is so common, that I even support
> 587 inside my firewall so the client setup doesn't need to change when my
> laptop comes home.
>
> Dan

Yeah, I have had this setup myself after running into the issue @ a 
hotel last year.

Thanks,
Tom


Re: Rules - How to capture matched text

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 04:01:05PM -0500, Andrew Brosnan wrote:
> I'd like the rule to catch when the first name in from: is also the
> subject:.

I can save you the time and tell you not to bother.  It's "subject of the
day".  FWIW, we used to have a username in subject rule, but it fp'ed so much
that it wasn't useful and got removed.  You can look at old code to see how it
was done, but I really would suggest not bothering.

-- 
Randomly Selected Tagline:
"We are born naked, wet, and hungry. Then things get worse." - Zen Musings




Re: Rules - How to capture matched text

2006-12-18 Thread Andrew Brosnan
On 12/18/06 at 3:41 PM, [EMAIL PROTECTED] (Theo Van Dinter) wrote:

> On Mon, Dec 18, 2006 at 02:39:13PM -0500, Andrew Brosnan wrote:
> > In perl you can use $&, parens $1, $2, etc. to capture the text 
> > that matched a regex; but how do you do it in sa?
> 
> It depends what you're trying to do.  If you want to do matching 
> between different rules, you can't do it, short of writing a plugin 
> to do what you want.  If you want to match within the same regex, 
> it's like any other regex:
> 
> /([a-z]+) foo bar \1/
> 
> generally speaking, capturing increases resource usage, so don't do 
> it unless necessary (hence the large amount of (?:...) instead of 
> (...) in the rules).


Thanks Theo,

I'd like the rule to catch when the first name in from: is also the
subject:.

I was going to capture the name in from: and compare it to subject:.

I'll have to give some thought to how I can do that without capturing
text. :-)

Regards,
Andrew


Re: Rules - How to capture matched text

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 02:39:13PM -0500, Andrew Brosnan wrote:
> In perl you can use $&, parens $1, $2, etc. to capture the text that
> matched a regex; but how do you do it in sa?

It depends what you're trying to do.  If you want to do matching between
different rules, you can't do it, short of writing a plugin to do what you
want.  If you want to match within the same regex, it's like any other regex:

/([a-z]+) foo bar \1/

generally speaking, capturing increases resource usage, so don't do it unless
necessary (hence the large amount of (?:...) instead of (...) in the rules).

-- 
Randomly Selected Tagline:
The main problem I have with cats is, they're not dogs.
-- Kevin Cowherd




Re: spamd: handle_user unable to find user:

2006-12-18 Thread John D. Hardin
On Mon, 18 Dec 2006, pinoyskull wrote:

> - [EMAIL PROTECTED] is a valid user on my server

Your usernames actually have "@yourdomain.com" in them?

> - im running qmail-scanner 1.25st / spamassassin 3.1.7 / clamav 0.88.6

You should probably ask on the qmail-scanner list, as that's what's 
probably composing the spamassassin/spamc command line. I suspect 
something isn't stripping the domain name off the recipient mail 
address when it's calculating the username to pass to 
spamassassin/spamc.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 7 days until Christmas



Rules - How to capture matched text

2006-12-18 Thread Andrew Brosnan
Hello,

In perl you can use $&, parens $1, $2, etc. to capture the text that
matched a regex; but how do you do it in sa?

Thank you
Andrew



Re: Using Autowhitelist as a Greylist

2006-12-18 Thread Jonas Eckerman
Codger wrote:
> Regardless of challenge-response or  
> greylisting, [...], the idea is the same...

No, those ideas are very different, both in practice, philosophy and results.

One of them is intended as a verification of the sender, the other is intended 
to differentiate between connections from real queuing mailers and 
spambots/viruses.

> My idea was to remove  
> the time delay and in the course of normal email communications  
> between known and accepted contacts,

This is of course always a nice thing to do. I don't see how your method would 
change the delay at all though. It still requires the mail to be analyzed by 
SpamAssassin and it has absolutely no impact on a greylist or 
challenge-response system.

Here are a couple of things we do, that do have impact on the delay:

* For every mail sent *out* from our gateway SMTP sender, message-ID, From, 
Reply-To and Subject is saved in a database.

* Incoming mail that seems to be a reply to outgoing mail bypasses our 
selective greylist.

* We use a SpamAssassin plugin to give negative scores to mail that looks like 
replies to outgoing mail.

* We also save info on incoming mail that is verified by SPF, DKIM or 
DomainKeys. If there is a certain number of hams and no spams from a verified 
address, mail from that address can bypass both the greylist and SpamAssassin.

* The greylist has some more checks to decide whether a mail should bypass it or 
not. Things similar to what the Botnet plugin checks for example.

> I realize also that signatures can be excluded in responses, but they  
> don't have to be included in every response for the method to be  
> effective.

I check the References and In-Reply-To on incoming mail against our database of 
outgoing mail. Those are pretty reliable signs that a mail is a reply. Of 
course, some pieces of software fail to insert those headers, so I also check 
the SMTP sender and recipient and the subject against the database.

In the SA plugin I have three different eval tests so that I can give different 
scores depending on how likely it is that an incoming mail is a reply to an 
outgoing.

This doesn't require anything at all from the user.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
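The reply matching described in the message above, as an added sketch (not Jonas's plugin or any SpamAssassin code). The three tier names, the SQLite schema and the stored recipient column are assumptions made for the example; the sample addresses are constructed.

```python
import re
import sqlite3

# Tier names are hypothetical; the post only says three eval tests exist.
REPLY_BY_MSGID = "reply_by_msgid"      # In-Reply-To/References names our Message-ID
REPLY_BY_SUBJECT = "reply_by_subject"  # addresses and subject match, no threading headers
REPLY_BY_ADDRESS = "reply_by_address"  # only the address pair matches

MSGID_RE = re.compile(r"<[^<>\s]+>")
PREFIX_RE = re.compile(r"^\s*(?:(?:re|aw|sv|fwd?)\s*:\s*)+", re.I)


def norm_subject(subject):
    """Drop Re:/Fwd: style prefixes, then fold case and whitespace."""
    return " ".join(PREFIX_RE.sub("", subject or "").lower().split())


def open_log(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sent (msgid TEXT, env_from TEXT, "
               "hdr_from TEXT, reply_to TEXT, rcpt TEXT, subject TEXT, "
               "PRIMARY KEY (msgid, rcpt))")
    return db


def log_outgoing(db, msgid, env_from, hdr_from, reply_to, rcpts, subject):
    """Record one outgoing message, one row per envelope recipient."""
    for rcpt in rcpts:
        db.execute("INSERT OR REPLACE INTO sent VALUES (?,?,?,?,?,?)",
                   (msgid, env_from.lower(), hdr_from.lower(),
                    reply_to.lower() if reply_to else None,
                    rcpt.lower(), norm_subject(subject)))
    db.commit()


def classify_incoming(db, env_from, env_rcpt, headers):
    """Return the strongest tier at which this mail looks like a reply, or None."""
    env_from, env_rcpt = env_from.lower(), env_rcpt.lower()

    # Strongest signal: the mail references a Message-ID we sent, and it is
    # addressed to one of the addresses that message was sent from. The
    # address condition keeps a leaked or guessed Message-ID from working
    # as a pass for mail to unrelated recipients.
    refs = MSGID_RE.findall(headers.get("In-Reply-To", "") + " " +
                            headers.get("References", ""))
    for msgid in refs:
        if db.execute("SELECT 1 FROM sent WHERE msgid = ? AND "
                      "? IN (env_from, hdr_from, reply_to)",
                      (msgid, env_rcpt)).fetchone():
            return REPLY_BY_MSGID

    # Fallback for clients that omit threading headers: did we ever send
    # mail from this recipient to this sender, and does the subject match?
    rows = db.execute("SELECT subject FROM sent WHERE rcpt = ? AND "
                      "? IN (env_from, hdr_from, reply_to)",
                      (env_from, env_rcpt)).fetchall()
    if not rows:
        return None
    subject = norm_subject(headers.get("Subject", ""))
    if subject and any(subject == row[0] for row in rows):
        return REPLY_BY_SUBJECT
    return REPLY_BY_ADDRESS
```

Each tier would map to its own score (or greylist bypass decision), with the weakest tier worth the least because an address pair alone is the easiest of the three to guess.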



Re: Name in Subject CF RuleSet

2006-12-18 Thread Jess Mooers
Theo Van Dinter <[EMAIL PROTECTED]> wrote on Monday, December 18, 2006:

>On Mon, Dec 18, 2006 at 12:23:31PM -0600, Jess Mooers wrote:
>> Does anyone know of a cf ruleset that will address this, or another way to 
>> stop it.
>
>Chasing the subject of the day is futile.  Do you use sa-update?
>

Not to my knowledge.  I guess I will have to look up the docs on how to use 
sa-update.

Regards, Jess Mooers
~~~ 
Landmann InterActive
1423 S. Park St., Madison, WI 53715
W 608-257-1558
www.landmanninteractive.com


RE: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Dan Barker
Another issue you'll run into with road warriors is blocks on port 25. They
may not be able to authenticate with your server. They'll have to use port
587 (submission) on some connections. This is so common, that I even support
587 inside my firewall so the client setup doesn't need to change when my
laptop comes home.

Dan


-Original Message-
From: Thomas Bolioli [mailto:[EMAIL PROTECTED]
Sent: Monday, December 18, 2006 10:37 AM
To: users@spamassassin.apache.org
Subject: roaming users sending mail internally and dynamic IPs issue


Whenever our users travel outside the internal networks and send email
to each other, the emails get tagged by the below reports (yes, I
cranked up the default scores because of the botnet crap out there)
because they are on dyn IPs and sending direct to the receiving MTA.

I see a couple of ways that this can be remedied, most of which is
acceptable. a) Whitelist all of the users (or the entire domain) for
every domain on the system [obviously bad since it allows spammers to
spoof from headers with impunity even with SPF setup]. b) set up second
machine to be a second MTA and have users send email from machine 2
which then relays to machine 1 [waste of a machine and energy to run
that machine]. or c) there is some configuration I am missing. Does
anyone know what I can do to fix this?

Thanks,
Tom

*  0.7 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
*  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
*  2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
*  [xx.xx.xx.xx listed in combined.njabl.org]



Re: ORDB.org is shutting down

2006-12-18 Thread Richard Frovarp

Giampaolo Tomassoni wrote:
> See: http://www.ordb.org/news/?id=38
>
> Does SA use it somewhere somehow by default?
>
> Regards,
>
> Giampaolo

Doing a grep through the rules, I don't see it anywhere. MailScanner 
will use it by default. I have posted the news over on their list. Kind 
of short notice.





Re: Gif attachment spam

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 10:41:40AM -0800, san wrote:
> I am getting a lot of spam with .gif attachments. Will the following rule
> be able to catch such spam? When I tried it, it's not pulling up anything of
> the sort. Can anybody check whether this rule is correct to catch gif spam?

No, it won't work.

> body GIF_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i

MIME headers aren't part of the "body" as far as SA is concerned.  There are
already a number of rules to deal with this stuff available via sa-update.  If
you want to roll your own, look at the MIMEHeader plugin.

-- 
Randomly Selected Tagline:
A few cans short of a six pack, Six short.
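Why the rule in this thread never fires, as an added Python illustration (not SpamAssassin code): the posted pattern is run against the decoded text parts, a simplified stand-in for what a `body` rule sees, and against each part's MIME headers. The sample message, its attachment name and its payload are constructed.

```python
import re
from email import message_from_string

# The pattern from the posted rule, translated from Perl /.../i.
# Note the {3,18} quantifier: a one-character name such as s.gif does not match.
GIF_NAME = re.compile(r'name="?[0-9a-z._\-]{3,18}\.gif"?', re.I)

# Constructed sample: one text part and one GIF attachment.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Look at the picture.
--b1
Content-Type: image/gif; name="image001.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="image001.gif"

R0lGODlhAQABAAAAACw=
--b1--
"""


def body_text(msg):
    """Decoded text/* parts only: MIME part headers are not included."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def mime_header_hits(msg, names=("Content-Type", "Content-Disposition")):
    """Return (header name, value) for every part header the pattern matches."""
    hits = []
    for part in msg.walk():
        for name in names:
            value = part.get(name, "")
            if GIF_NAME.search(value):
                hits.append((name, value))
    return hits


def explain(raw):
    """Summarise where the pattern matches in one raw message."""
    msg = message_from_string(raw)
    return {
        "matches_body_text": GIF_NAME.search(body_text(msg)) is not None,
        "mime_header_hits": mime_header_hits(msg),
    }


if __name__ == "__main__":
    print(explain(SAMPLE))
```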




Gif attachment spam

2006-12-18 Thread san

Hi,
I am getting a lot of spam with .gif attachments. Will the following rule
be able to catch such spam? When I tried it, it's not pulling up anything of
the sort. Can anybody check whether this rule is correct to catch gif spam?
http://www.nabble.com/file/4866/s.gif 
body GIF_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
Score GIF_ATTACH 5.0
describe GIF_ATTACH describes gif attachment



Re: Name in Subject CF RuleSet

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 12:23:31PM -0600, Jess Mooers wrote:
> Does anyone know of a cf ruleset that will address this, or another way to 
> stop it.

Chasing the subject of the day is futile.  Do you use sa-update?

-- 
Randomly Selected Tagline:
"Your next question is 'How does this gate work?'  I don't know.  I
 don't have to know, I'm not an Electrical Engineer, I'm a Computer
 Scientist."  - Prof. Hamel




Name in Subject CF RuleSet

2006-12-18 Thread Jess Mooers
I have been getting a lot of spam that has the sender's first or last name in the 
subject, either alone or within text like...
Greetings Smith

Does anyone know of a cf ruleset that will address this, or another way to stop 
it.

Software info:
Exim version 4.62
Courier-IMAP 4.1.0
ClamAV 0.88.1/2354
SpamAssassin 3.1.1

 Any help would be greatly appreciated.

Regards, Jess Mooers
~~~ 
Landmann InterActive
1423 S. Park St., Madison, WI 53715
W 608-257-1558
www.landmanninteractive.com


Re: Checksum services

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 06:06:27PM +, Steve Sargent wrote:
> Is there a parameter in local.cf to turn the 3 checksum services on/off?

score RULENAME 0

> Is there a way for SpamAssassin to give a list of what is going to be 
> called?

Not really.  You can look at the debug output and see what is actually
running, but otherwise, no.

-- 
Randomly Selected Tagline:
"The Power Company is having EMP problems with their reactor."
 - Today's BOFH Excuse




Re: Using Autowhitelist as a Greylist

2006-12-18 Thread John D. Hardin
On Sun, 17 Dec 2006, Codger wrote:

> Regardless of challenge-response or greylisting, or SMTP response
> delay, the idea is the same...  legitimate email is passed after a
> time delay. My idea was to remove the time delay and in the course
> of normal email communications between known and accepted
> contacts, improve the chances of mail delivery without any delay
> or user interventional action.

That would be handled outside of SA. SA doesn't see the message at all 
until it's been completely received (though not necessarily accepted 
for delivery) by the MTA, which is (perforce) *after* the greylisting 
tool has had its shot at the message.

Are you thinking of leveraging the SA autowhitelist database to adjust 
the behavior of your greylist tool, whatever that is?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 7 days until Christmas



Checksum services

2006-12-18 Thread Steve Sargent

Is there a parameter in local.cf to turn the 3 checksum services on/off?

There does not seem to be any mention of it in the documentation I have 
found so far.


Is there a way for SpamAssassin to give a list of what is going to be 
called?



--
Steve Sargent, Vox +44 020 7882 3220, Fax +44 020 8980 2001
QMUL Computing Services,  Mile End Road,  London E1 4NS, UK
Email   : [EMAIL PROTECTED]
WWW page: http://www.qmul.ac.uk/~cgaa160/index.html

PIPER   _|_
PA28R  /___\___
___[=o=]___
ARROWe/  o  \e


Re: any TextWrapError follow-up?

2006-12-18 Thread Nix
On 14 Dec 2006, Theo Van Dinter uttered the following:

> On Wed, Dec 13, 2006 at 07:11:50PM -0800, snowcrash+spamassassin wrote:
>> where it's noted that the bug was reported to the TextWrap author.
>> anyone have a bug reference for the issue @ TextWrap?
>
> If you follow from the wiki page to the bugzilla listing, there's a link to
> the Text::Wrap RT entry: http://rt.cpan.org/Public/Bug/Display.html?id=20657
>
>:)   No updates since the summer.

About two items down my todo list is fixing the damn thing myself and
sending the patch to the author...

-- 
`He accused the FSF of being "something of a hypocrit", which
 shows that he neither understands hypocrisy nor can spell.'
   --- jimmybgood


Re: SPF detection making mistakes

2006-12-18 Thread Daryl C. W. O'Shea

Jan Doberstein wrote:

> Please take a look at this header:
>
> Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp
> from mi012.mc1.hosteurope.de ([80.237.138.243]);
> id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
> Received: by mx0.webpack.hosteurope.de (80.237.138.5,
> mi012.mc1.hosteurope.de) running EXperimental Internet Mailer (even more
> power) using smtp
> from mail.gmx.net ([213.165.64.20])
> id 1Gvsa6-0005C2-As
> for [EMAIL PROTECTED]; Sun, 17 Dec 2006 10:45:20 +0100

SA can't parse these broken received headers, thus causing your problem. 
Fix them, and you'll be all set.


Daryl


RE: SPF detection making mistakes

2006-12-18 Thread Sietse van Zanen
Seems the dmx.net / dmx.de SPF is broken:

> set type=TXT
> gmx.net
Server: 10.10.21.4
Address:10.10.21.4#53
Non-authoritative answer:
gmx.net text = "v=spf1 ip4:213.165.64.0/23 -all"
Authoritative answers can be found from:
> gmx.de
Server: 10.10.21.4
Address:10.10.21.4#53
Non-authoritative answer:
gmx.de  text = "v=spf1 ip4:213.165.64.0/23 -all"
Authoritative answers can be found from:

this does not include: 
Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128])
> [217.224.89.23]

The managers of the dmx.de / dmx.net should strip that header to make their SPF 
record ok, or include their dial-up users' IP addresses.

-Sietse





From: Bret Miller
Sent: Mon 18-Dec-06 17:41
To: Jan Doberstein; users@spamassassin.apache.org
Subject: RE: SPF detection making mistakes


> I'm getting some problems with the spamassassin spf module
> (Mail::SpamAssassin::Plugin::SPF) maybe I can resolve this problem by
> asking the list.
> 
> Please take a look at this header:
> 
> 
> --- start cut ---
> Return-path: <[EMAIL PROTECTED]>
> Delivery-date: Sun, 17 Dec 2006 10:45:20 +0100
> Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp
>   from mi012.mc1.hosteurope.de ([80.237.138.243]);
>   id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
> Received: by mx0.webpack.hosteurope.de (80.237.138.5,
> mi012.mc1.hosteurope.de) running EXperimental Internet Mailer 
> (even more
> power) using smtp
>   from mail.gmx.net ([213.165.64.20])
>   id 1Gvsa6-0005C2-As
>   for [EMAIL PROTECTED]; Sun, 17 Dec 2006 10:45:20 +0100
> Received: (qmail invoked by alias); 17 Dec 2006 09:45:18 -
> Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128])
> [217.224.89.23]
>   by mail.gmx.net (mp034) with SMTP; 17 Dec 2006 10:45:18 +0100
> X-Authenticated: #202980
> From: "just a name" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Sun, 17 Dec 2006 10:45:33 +0100
> MIME-Version: 1.0
> Subject: test
> Reply-to: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Priority: normal
> X-mailer: Pegasus Mail for Windows (4.41)
> Content-type: text/plain; charset=ISO-8859-1
> Content-transfer-encoding: Quoted-printable
> Content-description: Mail message body
> X-Y-GMX-Trusted: 0
> X-HE-Virus-Scanned: yes
> X-HE-Spam-Level: ++
> X-HE-Spam-Score: 2.5
> X-HE-Spam-Report: Content analysis details:   (2.5 points)
> 
> pts rule name  description
> ---  -- --
> 2.1 HELO_DYNAMIC_DIALIN   Relay HELO'd using suspicious 
> hostname (T-Dialin)
> 0.2 SPF_FAIL  SPF: sender does not match SPF record (fail)
> [SPF failed: Please see
> http://spf.pobox.com/why.html?sender=xxx%40gmx.de&ip=223.1.1.12
> 8&receiver=mi012.mc1.hosteurope.de]

Huh?? 223.1.1.12? Is 213.165.64.20 part of your trusted networks?
Actually the doc for the SPF module says "trusted_networks" but
shouldn't it be checking "internal_networks" instead?

Anyway, it fails because it's checking the wrong IP because it thinks
you received it at one stage earlier than you did. That's likely because
either or both of trusted_networks and internal_networks are not
correctly set.

HTH,
Bret



> 0.2 RCVD_ILLEGAL_IP   Received: contains illegal IP address
> 
> Envelope-to: [EMAIL PROTECTED]
> 
> --- end cut ---
> 
> 
> As you can see, the spf check fails, but in my understanding it should
> pass without a failure.
> 
> This mail was sent via dial-in and smtp-auth ... how can I modify the
> spf module so that it will check this kind of header correctly?
> 
> 
> Thanks for help.
> 
> \jd
> 
> 


Re: Simple mail from Dynamic IP listed as spam

2006-12-18 Thread Daryl C. W. O'Shea

Martin von Gagern wrote:
> Daryl C. W. O'Shea wrote:
>> So long as the "problem relays" are acting solely as MSAs and never MXes
>> for your mail this patch will solve your problem:
>> http://people.apache.org/~dos/sa-patches/msa_networks.3.1
>
> This patch will solve my problems on receiving such mails from other
> users, and spare me the trouble of hacking my own rules.
> Thank you for that!
>
> However it won't solve the problem of me sending mail to other
> SpamAssassin users that don't know about this problem.

Only other gmx.net users who have the same trusted networks config, 
except are missing this patch and config will have a problem.  Everyone 
else in the world won't have a problem... they'll do the DNSBL lookups 
you're concerned about on mail.gmx.net [213.165.64.20].

> Is this patch intended for inclusion in a future SpamAssassin version?

Maybe.

> Would it make sense to include a list of known MSAs as well?

Absolutely not.


Daryl


Yet another question about rewrite_header subject not working for me

2006-12-18 Thread Tony Guadagno
Hi,
  I have been reading and I don't see my problem exactly.  This is my local.cf  
I am using 3.1.7

rbl_timeout 15
fold_headers 1
report_contact  [EMAIL PROTECTED] 
required_score  5
use_auto_whitelist  1
rewrite_header  Subject **SPAM-(score: _SCORE_)**
skip_rbl_checks 0
report_safe 1
dns_available   yes
use_razor2  0
use_pyzor   0

# SURBL
uridnsbl_timeout 2
uridnsbl_max_domains 20

# Bayes

use_bayes   1
bayes_auto_learn 1
bayes_auto_learn_threshold_spam 12.0
bayes_auto_learn_threshold_nonspam  2.0
bayes_auto_expire   1
bayes_learn_to_journal  0
bayes_expiry_max_db_size 15
bayes_journal_max_size  102400

# Tests
score UNIQUE_WORDS 0

I have report_safe =1 and the rewrite_header set. from the docs "For the 
Subject header, this will be prepended to the original subject."  the problem i 
have is the string is not prepended to the original subject, it replaces it.  I 
have an example below.  Why?  What am I missing here?

rewritten subject
Subject: **SPAM-(score:20.1)** 

original subject
Subject: High Quality Rolex Replica Watches!


If there is  a way for me to forward an example, please let me know and I will. 
 I tried and it was bounced back as spam  lol







Re: sa-update is broken

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 06:01:38PM +0100, Yves Goergen wrote:
> BTW, to make the update work on a default SA installation, you need to
> specify a different path:
> 
> # sa-update --updatedir /usr/local/share/spamassassin
> 
> Is that by intent?

Um.  No you don't.  In fact, you really don't want to do that.  See
http://wiki.apache.org/spamassassin/RuleUpdates

> Also, do I need to restart spamd after an update through sa-update?

Yes.

-- 
Randomly Selected Tagline:
"Bush keeps saying the terrorists hate us for our freedom, and he's working
 damn hard to see that pretty soon, that won't be a problem."
 - Bill Maher, Real Time with Bill Maher, Episode 87




Re: sa-update is broken

2006-12-18 Thread Yves Goergen
On 18.12.2006 16:54 CE(S)T, Bart Schaefer wrote:
> On 12/18/06, Christian Eichert <[EMAIL PROTECTED]> wrote:
>> server:~# perl -MCPAN -e 'install LWP::UserAgent'
>> Can't locate object method "install" via package "LWP::UserAgent" at -e
>> line 1.
> 
> # perl -MCPAN -e shell
> cpan> install LWP::UserAgent

Thank you, that worked. The first one also failed for me. On its way, it
said something about a new CPAN.pm available. Not sure, what it did then
to get LWP::UserAgent installed.

BTW, to make the update work on a default SA installation, you need to
specify a different path:

# sa-update --updatedir /usr/local/share/spamassassin

Is that by intent?

Also, do I need to restart spamd after an update through sa-update? I
think I need to, the manpage doesn't mention that at all and sa-update
itself remains quiet. (I didn't check the exit code the first time, but
it took a few seconds and created a bunch of files in the given
directory, so I think it actually did something useful.)

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
Visit my web laboratory at http://beta.unclassified.de


Ongoing trusted_networks confusion

2006-12-18 Thread Bart Schaefer

Maybe the name of that config option should be changed to "truthful_networks".


ORDB.org is shutting down

2006-12-18 Thread Giampaolo Tomassoni
See: http://www.ordb.org/news/?id=38

Does SA use it somewhere somehow by default?

Regards,

Giampaolo



Re: SPF detection making mistakes

2006-12-18 Thread Jan Doberstein
Bret Miller wrote:
> Huh?? 223.1.1.12? Is 213.165.64.20 part of your trusted networks?

no, it's not .. this is Dial-UP IP from T-Online, Second Line is the
"normal" gmx network, "my" Network starts at mx0.webpack.hosteurope.de

> Actually the doc for the SPF module says "trusted_networks" but
> shouldn't it be checking "internal_networks" instead?

on the mx0.webpack.hosteurope.de is the Spamassassin running, and the
whole IP-Range is in internal_network. Should it be in trusted_networks
too ?

> Anyway, it fails because it's checking the wrong IP because it thinks
> you received it at one stage earlier than you did. That's likely because
> either or both of trusted_networks and internal_networks are not
> correctly set.

If I understand this correctly, the IP-Range of mx0.webpack.hosteurope.de
should be announced in the config as internal and trusted network ?


\jd





RE: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Dan Horne



>>  Set up SMTP AUTH and require your users to log in to send email.  If I
>>  understand correctly Spamassassin automatically trusts mails sent via
>>  SMTP AUTH.

>   Thanks for the response. SMTP auth is set up so there must be
>   something I need to do to tell SA that it was auth'd.
>   Any ideas?
>   Thanks,
>   Tom

I found out about it at the link below and had to add a config option to
my postfix I think to get it to add the appropriate info in the headers
(documented in the page below).

http://wiki.apache.org/spamassassin/DynablockIssues

If you're using postfix, the parameter is
"smtpd_sasl_authenticated_header = yes" which makes your received
headers contain info like:

Received: from host.example.com (dyna-IP-AD-DRE-SS.example.com [IP.AD.DRE.SS])
        (Authenticated sender: [EMAIL PROTECTED])
        by mail.example.org (Postfix) with ESMTP id 6A3922B22E0;
        Tue, 12 Dec 2006 15:24:46 -0500 (EST)

Spamassassin picks up on the "Authenticated sender:" portion of this
line and "trusts" the sender.
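An added Python sketch (not SpamAssassin's or Postfix's code) of which "Authenticated sender:" comments are safe to honour: only those in Received headers written by your own hosts, because everything below the first external hand-off is supplied by the sender. It assumes the topmost Received header was added by your own MTA and that the header layout is the Postfix one shown above; the host names, addresses and queue ids in the samples are constructed.

```python
import ipaddress
import re
from email import message_from_string

# The comment sits directly before the "by" clause, as in the header above.
AUTH_RE = re.compile(r"\)\s*\(Authenticated sender:\s*([^()\s]+)\)\s*by\s", re.I)
CLIENT_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def authenticated_sender(raw, internal_networks):
    """Return the SASL login recorded by one of our own hops, else None.

    Walk Received headers newest first. A header is only believed while
    every hop above it handed the mail over from an internal address.
    """
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    for header in message_from_string(raw).get_all("Received", []):
        flat = " ".join(header.split())        # undo header folding
        auth = AUTH_RE.search(flat)
        if auth:
            return auth.group(1)
        client = CLIENT_IP_RE.search(flat)
        if not client:
            break                              # cannot tell who handed it over
        try:
            addr = ipaddress.ip_address(client.group(1))
        except ValueError:
            break
        if not any(addr in net for net in nets):
            break                              # external hand-off: stop trusting
    return None


# Constructed sample headers.
AUTH_HOP = (
    "Received: from laptop.example.net (dyn45.example.net [203.0.113.45])\n"
    "\t(Authenticated sender: tom@example.org)\n"
    "\tby mail.example.org (Postfix) with ESMTP id 6A3922B22E0;\n"
    "\tTue, 12 Dec 2006 15:24:46 -0500 (EST)\n")
PLAIN_HOP = (
    "Received: from bot.example.com (unknown [198.51.100.7])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 7B4A33C33F1;\n"
    "\tTue, 12 Dec 2006 15:30:00 -0500 (EST)\n")
FILTER_HOP = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 8C5B44D44A2;\n"
    "\tTue, 12 Dec 2006 15:24:47 -0500 (EST)\n")
REST = "From: tom@example.org\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    internal = ["127.0.0.0/8"]
    print(authenticated_sender(AUTH_HOP + REST, internal))              # real login
    print(authenticated_sender(PLAIN_HOP + AUTH_HOP + REST, internal))  # pasted header
    print(authenticated_sender(FILTER_HOP + AUTH_HOP + REST, internal)) # after re-injection
```

In the second case the authenticated-looking header sits below an unauthenticated hand-off from an external address, so it is ignored.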





Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Michel R Vaillancourt

Thomas Bolioli wrote:
> Thanks for the response. SMTP auth is set up so there must be something 
> I need to do to tell SA that it was auth'd.
>
> Any ideas?
> Thanks,
> Tom

One solution that I used for this problem was a custom rule.  We had one client site that had a lot of 
roadwarriors, so they had their own SMTP machine.  On that machine, I used a mail-filter to add an "X" 
tag with an MD5 hash of the company name as a validation stamp.  Every email coming into that machine from the 
Roadwarriors got the "Stamp".  The MX boxen all had a custom rule in SA that took 20 points off.  Every 
Sunday night, the system redid the "Stamp" and passed out new versions of the rule with the correct 
"Stamp" in it to the MX boxen.

It worked like a charm.
--
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


RE: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-18 Thread Bret Miller
> Chris Lear wrote:
>
>   * Oliver Schulze L. wrote (18/12/06 15:42):
>
>
>   Nice stats!
>   How do you generate them in SA 3.1.7 ?
>
>
>
>   I use this:
> http://www.rulesemporium.com/programs/sa-stats-1.0.txt
>
>   Chris
>
>
> Does this require using spamd instead of invoking spamassassin?

It requires spamd-style logging. That may or may not require spamd. I
recently wrote my own mod to CGPSA to write this style of log so that I
could use sa-stats. Whether you can do this with other tools I don't
know.

Bret





RE: SPF detection making mistakes

2006-12-18 Thread Bret Miller
> I'm getting some problems with the spamassassin spf module
> (Mail::SpamAssassin::Plugin::SPF) maybe I can resolve this problem by
> asking the list.
>
> Please take a look at this header:
>
>
> --- start cut ---
> Return-path: <[EMAIL PROTECTED]>
> Delivery-date: Sun, 17 Dec 2006 10:45:20 +0100
> Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp
>   from mi012.mc1.hosteurope.de ([80.237.138.243]);
>   id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
> Received: by mx0.webpack.hosteurope.de (80.237.138.5,
> mi012.mc1.hosteurope.de) running EXperimental Internet Mailer
> (even more
> power) using smtp
>   from mail.gmx.net ([213.165.64.20])
>   id 1Gvsa6-0005C2-As
>   for [EMAIL PROTECTED]; Sun, 17 Dec 2006 10:45:20 +0100
> Received: (qmail invoked by alias); 17 Dec 2006 09:45:18 -
> Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128])
> [217.224.89.23]
>   by mail.gmx.net (mp034) with SMTP; 17 Dec 2006 10:45:18 +0100
> X-Authenticated: #202980
> From: "just a name" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Sun, 17 Dec 2006 10:45:33 +0100
> MIME-Version: 1.0
> Subject: test
> Reply-to: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Priority: normal
> X-mailer: Pegasus Mail for Windows (4.41)
> Content-type: text/plain; charset=ISO-8859-1
> Content-transfer-encoding: Quoted-printable
> Content-description: Mail message body
> X-Y-GMX-Trusted: 0
> X-HE-Virus-Scanned: yes
> X-HE-Spam-Level: ++
> X-HE-Spam-Score: 2.5
> X-HE-Spam-Report: Content analysis details:   (2.5 points)
>
> pts rule name  description
> ---  -- --
> 2.1 HELO_DYNAMIC_DIALIN   Relay HELO'd using suspicious
> hostname (T-Dialin)
> 0.2 SPF_FAIL  SPF: sender does not match SPF record (fail)
> [SPF failed: Please see
> http://spf.pobox.com/why.html?sender=xxx%40gmx.de&ip=223.1.1.12
> 8&receiver=mi012.mc1.hosteurope.de]

Huh?? 223.1.1.12? Is 213.165.64.20 part of your trusted networks?
Actually the doc for the SPF module says "trusted_networks" but
shouldn't it be checking "internal_networks" instead?

Anyway, it fails because it's checking the wrong IP because it thinks
you received it at one stage earlier than you did. That's likely because
either or both of trusted_networks and internal_networks are not
correctly set.

HTH,
Bret



> 0.2 RCVD_ILLEGAL_IP   Received: contains illegal IP address
>
> Envelope-to: [EMAIL PROTECTED]
>
> --- end cut ---
>
>
> As you can see, the spf check fails, but in my understanding it should
> pass without a failure.
>
> This mail was sent via dial-in and smtp-auth ... how can I modify the
> spf module so that it will check this kind of header correctly?
>
>
> Thanks for help.
>
> \jd
>
>
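The point made in this thread, that the SPF verdict depends on which relay the filter treats as the hand-off into its own network, shown as an added simplified model in Python (not SpamAssassin's SPF plugin). The relay addresses and the SPF record are the ones quoted in the thread; the 80.237.138.0/24 range for the receiving side is an assumption, and treating an unparseable Received header as contributing no relay is a simplification of this sketch.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record returned by the lookup quoted in this thread.
GMX_SPF = "v=spf1 ip4:213.165.64.0/23 -all"

# Client addresses from the Received headers in the thread, newest first.
# None stands for a header that yields no client address
# (here the "qmail invoked by alias" line).
RELAYS = ["80.237.138.243", "213.165.64.20", None, "217.224.89.23"]

# Assumed range for the receiving provider's own machines.
RECEIVER_NETS = ["80.237.138.0/24"]


def spf_ip4_check(record, ip):
    """Evaluate an SPF record that uses only ip4: and all mechanisms."""
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        raise ValueError("not an SPF record")
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if not term.startswith("ip4:"):
            raise ValueError("mechanism not handled in this sketch: " + term)
        if addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def handoff_ip(relays, trusted_networks):
    """First relay, newest first, that is outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relays:
        if ip is None:
            continue
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return ip
    return None


def spf_verdict(relays, trusted_networks, record=GMX_SPF):
    """Return (address checked, SPF result) for one trust configuration."""
    ip = handoff_ip(relays, trusted_networks)
    return ip, (spf_ip4_check(record, ip) if ip else "none")


if __name__ == "__main__":
    # Only the receiver's own hosts trusted: the gmx.net relay is checked.
    print(spf_verdict(RELAYS, RECEIVER_NETS))
    # The sender's relay trusted as well: the check moves one hop too far.
    print(spf_verdict(RELAYS, RECEIVER_NETS + ["213.165.64.0/23"]))
    # The two receiver-side headers yield no relay: same wrong result.
    print(spf_verdict([None, None, None, "217.224.89.23"], RECEIVER_NETS))
```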





Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Thomas Bolioli

Dan Horne wrote:
>> I see a couple of ways that this can be remedied, most of 
>> which is acceptable. a) Whitelist all of the users (or the 
>> entire domain) for every domain on the system [obviously bad 
>> since it allows spammers to spoof from headers with impunity 
>> even with SPF setup]. b) set up second machine to be a second 
>> MTA and have users send email from machine 2 which then 
>> relays to machine 1 [waste of a machine and energy to run 
>> that machine]. or c) there is some configuration I am 
>> missing. Does anyone know what I can do to fix this?
>
> Set up SMTP AUTH and require your users to log in to send email.  If I
> understand correctly Spamassassin automatically trusts mails sent via
> SMTP AUTH.

Thanks for the response. SMTP auth is set up so there must be something 
I need to do to tell SA that it was auth'd.

Any ideas?
Thanks,
Tom


Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-18 Thread Thomas Bolioli

Chris Lear wrote:
> * Oliver Schulze L. wrote (18/12/06 15:42):
>> Nice stats!
>> How do you generate them in SA 3.1.7 ?
>
> I use this: http://www.rulesemporium.com/programs/sa-stats-1.0.txt
>
> Chris

Does this require using spamd instead of invoking spamassassin?
Thanks,
Tom


SPF detection making mistakes

2006-12-18 Thread Jan Doberstein
Hi there,

I'm getting some problems with the spamassassin spf module
(Mail::SpamAssassin::Plugin::SPF) maybe I can resolve this problem by
asking the list.

Please take a look at this header:


--- start cut ---
Return-path: <[EMAIL PROTECTED]>
Delivery-date: Sun, 17 Dec 2006 10:45:20 +0100
Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp
from mi012.mc1.hosteurope.de ([80.237.138.243]);
id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
Received: by mx0.webpack.hosteurope.de (80.237.138.5,
mi012.mc1.hosteurope.de) running EXperimental Internet Mailer (even more
power) using smtp
from mail.gmx.net ([213.165.64.20])
id 1Gvsa6-0005C2-As
for [EMAIL PROTECTED]; Sun, 17 Dec 2006 10:45:20 +0100
Received: (qmail invoked by alias); 17 Dec 2006 09:45:18 -
Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128])
[217.224.89.23]
  by mail.gmx.net (mp034) with SMTP; 17 Dec 2006 10:45:18 +0100
X-Authenticated: #202980
From: "just a name" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Sun, 17 Dec 2006 10:45:33 +0100
MIME-Version: 1.0
Subject: test
Reply-to: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.41)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: Quoted-printable
Content-description: Mail message body
X-Y-GMX-Trusted: 0
X-HE-Virus-Scanned: yes
X-HE-Spam-Level: ++
X-HE-Spam-Score: 2.5
X-HE-Spam-Report: Content analysis details:   (2.5 points)

pts rule name  description
---  -- --  
2.1 HELO_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin)
0.2 SPF_FAILSPF: sender does not match SPF record (fail)
[SPF failed: Please see
http://spf.pobox.com/why.html?sender=xxx%40gmx.de&ip=223.1.1.12
8&receiver=mi012.mc1.hosteurope.de]
0.2 RCVD_ILLEGAL_IP Received: contains illegal IP address

Envelope-to: [EMAIL PROTECTED]

--- end cut ---


As you can see, the spf check fails, but in my understanding it should
pass without a failure.

This mail was sent via dial-in and smtp-auth ... how can I modify the
spf module so that it will check this kind of header correctly?


Thanks for help.

\jd





Perl SA module and logs like spamd

2006-12-18 Thread Oliver Schulze L.

Hi,
I'm using SA from mimedefang.org,
Is there is a way to tell SA Perl module to write to log files
in the same way/format as spamd does?

That will help using tools like sa-stats.pl

Thanks
Oliver

--
Oliver Schulze L.   | Get my e-mail after a captcha in:
Asuncion - Paraguay | http://tinymailto.com/oliver 



Re: sa-update is broken

2006-12-18 Thread Bart Schaefer

On 12/18/06, Christian Eichert <[EMAIL PROTECTED]> wrote:
> server:~# perl -MCPAN -e 'install LWP::UserAgent'
> Can't locate object method "install" via package "LWP::UserAgent" at -e
> line 1.

# perl -MCPAN -e shell
cpan> install LWP::UserAgent


Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-18 Thread Chris Lear
* Oliver Schulze L. wrote (18/12/06 15:42):
> Nice stats!
> How do you generate them in SA 3.1.7 ?

I use this: http://www.rulesemporium.com/programs/sa-stats-1.0.txt

Chris

> 
> Thanks
> Oliver
> 
> Chris Lear wrote:
>> Here's some sa-stats output:
>>
>> TOP SPAM RULES FIRED
>> ----------------------------------------------------------------
>> RANK    RULE NAME               COUNT  %OFMAIL %OFSPAM  %OFHAM
>> ----------------------------------------------------------------
>>    1    BOTNET                   1381    66.37   90.86    6.44
>>    2    BAYES_99                 1274    59.50   83.82    0.00
>>    3    HTML_MESSAGE             1184    75.06   77.89   68.12
>>    4    BOTNET_CLIENT            1048    50.21   68.95    4.35
>>    5    BOTNET_IPINHOSTNAME       962    45.45   63.29    1.77
>>    6    URIBL_BLACK               751    35.12   49.41    0.16
>>    7    RCVD_IN_SORBS_DUL         725    33.96   47.70    0.32
>>    8    URIBL_JP_SURBL            688    32.13   45.26    0.00
>>    9    BOTNET_CLIENTWORDS        608    29.61   40.00    4.19
>>   10    URIBL_SC_SURBL            524    24.47   34.47    0.00
>>
>>   
> 



Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-18 Thread Oliver Schulze L.

Nice stats!
How do you generate them in SA 3.1.7 ?

Thanks
Oliver

Chris Lear wrote:

> Here's some sa-stats output:
>
> TOP SPAM RULES FIRED
> ----------------------------------------------------------------
> RANK    RULE NAME               COUNT  %OFMAIL %OFSPAM  %OFHAM
> ----------------------------------------------------------------
>    1    BOTNET                   1381    66.37   90.86    6.44
>    2    BAYES_99                 1274    59.50   83.82    0.00
>    3    HTML_MESSAGE             1184    75.06   77.89   68.12
>    4    BOTNET_CLIENT            1048    50.21   68.95    4.35
>    5    BOTNET_IPINHOSTNAME       962    45.45   63.29    1.77
>    6    URIBL_BLACK               751    35.12   49.41    0.16
>    7    RCVD_IN_SORBS_DUL         725    33.96   47.70    0.32
>    8    URIBL_JP_SURBL            688    32.13   45.26    0.00
>    9    BOTNET_CLIENTWORDS        608    29.61   40.00    4.19
>   10    URIBL_SC_SURBL            524    24.47   34.47    0.00

  


--
Oliver Schulze L.   | Get my e-mail after a captcha in:
Asuncion - Paraguay | http://tinymailto.com/oliver 



Re: special spam-account for spam mails

2006-12-18 Thread aubreyL

Fettke, Dirk wrote:

> Hello List,
>
> here we have a spam-filtering email-gateway with no local mailboxes. 
> all mails getting scanned only for spam and viruses and then forwarded 
> to the specific mailserver for the recipient-domain.
> now we would like to have the possibility that spam-mails with score > 
> 5 are saved in local mailboxes which will be automatically generated on 
> our system. all other mails with score < 5 should be forwarded further on.
> The Users then could log into their generated spam-account and read or 
> delete their spam-mails.
>
> How can I do this or is there any solution for this?
>
> Regards
>
> Dirk

All of that depends on how your server is set up.  I can help you if you 
are using mimedefang.  Hopefully someone else can help you if not.


roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Thomas Bolioli
Whenever our users travel outside the internal networks and send email 
to each other, the emails get tagged by the below reports (yes, I 
cranked up the default scores because of the botnet crap out there) 
because they are on dyn IPs and sending direct to the receiving MTA.


I see a couple of ways that this can be remedied, most of which is 
acceptable. a) Whitelist all of the users (or the entire domain) for 
every domain on the system [obviously bad since it allows spammers to 
spoof from headers with impunity even with SPF setup]. b) set up second 
machine to be a second MTA and have users send email from machine 2 
which then relays to machine 1 [waste of a machine and energy to run 
that machine]. or c) there is some configuration I am missing. Does 
anyone know what I can do to fix this?


Thanks,
Tom

   *  0.7 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
   *  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
   *  2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
   *  [xx.xx.xx.xx listed in combined.njabl.org]


Re: spamd log error

2006-12-18 Thread Theo Van Dinter
On Mon, Dec 18, 2006 at 12:01:46PM +0100, vertito wrote:
>  spamd[31617]: (?:(?<=[\s,]))* matches null string many times in regex; 
> marked by <-- HERE in
> m/\G(?:(?<=[\s,]))* <-- HERE \Z/ at /usr/local/lib/perl5/5.8.8/Text/Wrap.pm 
> line 47

http://wiki.apache.org/spamassassin/TextWrapError

-- 
Randomly Selected Tagline:
Bug free, cheap, on time, works.  Pick two.




spamd errors... SpamdForkScaling.pm

2006-12-18 Thread Paolo Cravero
Got these errors in maillog on a postfix+spamc/spamd Linux RedHat ES3 
installation. Looks like this issue has not been fixed in 3.1.7, 
targeted for 3.1.9?


Could it be that the system runs out of file descriptors? Don't think so...

[EMAIL PROTECTED] cat /proc/sys/fs/file-nr
8431    4030    314564
[EMAIL PROTECTED] cat /proc/sys/fs/file-max
314564

Here's an excerpt from maillog. Process 31633 is the spamd master.


Dec 18 11:20:39 srv-asgw02 spamd[31633]: prefork: child states: BIIBBIB
Dec 18 11:20:39 srv-asgw02 spamd[31633]: spamd: handled cleanup of child pid 5654 due to SIGCHLD
Dec 18 11:20:39 srv-asgw02 spamd[31633]: prefork: child states: BIIBBB
Dec 18 11:20:39 srv-asgw02 spamd[31633]: syswrite() on closed filehandle GEN452736 at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Handle.pm line 447.
Dec 18 11:20:39 srv-asgw02 spamd[31633]: Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SpamdForkScaling.pm line 419.
Dec 18 11:20:39 srv-asgw02 spamd[31633]: prefork: killing rogue child 330, failed to write on fd :
Dec 18 11:20:39 srv-asgw02 spamd[31633]: prefork: killing failed child 330 fd=undefined at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SpamdForkScaling.pm line 137.
Dec 18 11:20:39 srv-asgw02 spamd[31633]: prefork: killed child 330
Dec 18 11:20:39 srv-asgw02 spamd[31633]: prefork: child states: BKBBBI


Paolo


AW: special spam-account for spam mails

2006-12-18 Thread Fettke, Dirk
My current MTA is Postfix with amavisd and spamassassin.
In the current config we don't have POP3. All Mails will be relayed to
different exchange-server depending on the recipient.
 
I thought I could implement the local mailboxes only with imap-support,
so the users could login with a webinterface (e.g: squirrelmail)
But for the first step it will be ok using a local POP3-server. The
important thing is, that the spam-mails with a score > 5 will be stored
in the local mailbox of the recipient and will not be delivered to the
exchange mailbox.
 


From: vertito [mailto:[EMAIL PROTECTED] 
Sent: Monday, 18 December 2006 14:35
To: Fettke, Dirk
Subject: RE: special spam-account for spam mails


this is possible. 
the solution you are asking depends on your current hub email server
setup and pop3 servers.
what are your current MTA and POP3 servers?



From: Fettke, Dirk [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 18, 2006 1:41 PM
To: users@spamassassin.apache.org
Subject: special spam-account for spam mails


Hello List,
 
here we have a spam-filtering email-gateway with no local mailboxes. all
mails getting scanned only for spam and viruses and then forwarded to
the specific mailserver for the recipient-domain.
now we would like to have the possibility that spam-mails with score > 5
saved in local mailboxes which will be automatically generated on our
system. all other mails with score < 5 should forwarded further on.
The Users then could log into their generated spam-account and read or
delete their spam-mails.
 
How can I do this or is there any solution for this?
 
Regards
 
Dirk


special spam-account for spam mails

2006-12-18 Thread Fettke, Dirk
Hello List,
 
here we have a spam-filtering email-gateway with no local mailboxes. all
mails getting scanned only for spam and viruses and then forwarded to
the specific mailserver for the recipient-domain.
now we would like to have the possibility that spam-mails with score > 5
saved in local mailboxes which will be automatically generated on our
system. all other mails with score < 5 should forwarded further on.
The Users then could log into their generated spam-account and read or
delete their spam-mails.
 
How can I do this or is there any solution for this?
 
Regards
 
Dirk


Re: Simple mail from Dynamic IP listed as spam

2006-12-18 Thread Martin von Gagern
Daryl C. W. O'Shea wrote:
> So long as the "problem relays" are acting solely as MSAs and never MXes
> for your mail this patch will solve your problem:
> http://people.apache.org/~dos/sa-patches/msa_networks.3.1

This patch will solve my problems on receiving such mails from other
users, and spare me the trouble of hacking my own rules.
Thank you for that!

However it won't solve the problem of me sending mail to other
SpamAssassin users that don't know about this problem.

Is this patch intended for inclusion in a future SpamAssassin version?
Would it make sense to include a list of known MSAs as well?

Martin





Re: sa-update is broken

2006-12-18 Thread Christian Eichert

Sietse van Zanen wrote:

perl -MCPAN -e 'install LWP::UserAgent'

And you might be missing a couple more.

-Sietse

-Original Message-
From: Yves Goergen [mailto:[EMAIL PROTECTED] 
Sent: Sunday, December 17, 2006 4:16 PM

To: users@spamassassin.apache.org
Subject: sa-update is broken

Hi,
I read in another thread, that I can use sa-update, supposedly to update
my rules, not sure. I just tried and here's what it says:

# sa-update
Can't locate LWP/UserAgent.pm in @INC (@INC contains:
/usr/local/share/perl/5.8.4 /etc/perl /usr/local/lib/perl/5.8.4
/usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8
/usr/local/lib/site_perl) at /usr/bin/sa-update line 92.
BEGIN failed--compilation aborted at /usr/bin/sa-update line 92.

I installed the latest SA with this:
perl -MCPAN -e 'install Mail::SpamAssassin'

I needed to install a bunch of other Perl modules before that worked. Is
there another module that I need to install? I don't know Perl from the
inside, and not at all how to install it.




try this:
 apt-get install libarchive-tar-perl




spamd to dump full headers and messages

2006-12-18 Thread Dave

Hello,

How can I see full headers of messages that spamd is receiving?

TNX


spamd log error

2006-12-18 Thread vertito
 spamd[31617]: (?:(?<=[\s,]))* matches null string many times in regex; marked 
by <-- HERE in
m/\G(?:(?<=[\s,]))* <-- HERE \Z/ at /usr/local/lib/perl5/5.8.8/Text/Wrap.pm 
line 47
 
I am having these errors from maillog. Anyone experiencing the same?


Re: Simple mail from Dynamic IP listed as spam

2006-12-18 Thread Daryl C. W. O'Shea

Martin von Gagern wrote:


To look at it from a different angle, whether or not an X-Authenticated
header has any special meaning at all probably depends on the MTAs in
the chain, so special knowledge is needed to be sure. And with the same
kind of knowledge you'd know that mail.gmx.net is not the MX for the
final destination, hence it's the sender's MSA, hence treat this as the
originating IP.

I know of no perfect solution, but maybe the X-Authenticated header
might be a useful rule to include, with a negative score, not as an
absolute fact but rather as an indication some check might have occurred.


So long as the "problem relays" are acting solely as MSAs and never MXes 
for your mail this patch will solve your problem:


http://people.apache.org/~dos/sa-patches/msa_networks.3.1


Regards,

Daryl



Re: Simple mail from Dynamic IP listed as spam

2006-12-18 Thread Martin von Gagern
Hello Wolfgang!

You forgot to cc your posting to the list.

[EMAIL PROTECTED] wrote:
> Hi,
> 
> common cases that SA recognizes declare auth in the received headers, i.e. 
> per hop
> (received ... with ESMPTA)
> Whether X-Authenticated (or any other separate header) would be useful at all 
> depends
> on whether they remove it from incoming mails. I have sent you a test message
> to your gmx account
> 
> Wolfgang

Your message still contained the X-Authenticated header upon arriving at
my machine, although at a different location than it would for mails
received from mail.gmx.net. So X-Authenticated is far from reliable.

ESMTPA (I guess that's what you meant?) sounds easy enough to implement
if you want to, so I'll try contact GMX and ask them to change their
Received header if possible.

Thanks for your help,
 Martin
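
The point of this exchange, as an added example that is not part of the original thread: a free-standing X-Authenticated header can be supplied by any sender, while the `with ESMTPA` keyword (RFC 3848) only means something in a Received header written by a relay inside the trust chain. The relay IP, host names and both sample messages below are constructed assumptions.

```python
import re
from email import message_from_string

# Assumption: relays we trust to act as MSAs, identified by connecting IP.
TRUSTED_RELAY_IPS = {"192.0.2.10"}
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}  # "with" keywords for authenticated SMTP
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)

def parse_hops(raw):
    """Return (connecting_ip, protocol) per Received header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        ip = IP_RE.search(flat)
        proto = WITH_RE.search(re.sub(r"\([^()]*\)", "", flat))  # skip comments
        hops.append((ip.group(1) if ip else None,
                     proto.group(1).upper() if proto else None))
    return hops

def naive_check(raw):
    """Trusts a free-standing header that any sender can add."""
    return message_from_string(raw)["X-Authenticated"] is not None

def authenticated_submission(raw):
    """Accept an auth keyword only from a header written inside the trust chain."""
    writer_trusted = True   # assumption: the top header was added by our own MX
    for ip, proto in parse_hops(raw):
        if not writer_trusted:
            break           # headers below this point may be sender-supplied
        if proto in AUTH_PROTOCOLS:
            return True
        writer_trusted = ip in TRUSTED_RELAY_IPS  # who wrote the next header down
    return False

# Constructed samples (documentation addresses, made-up ids).
VIA_MSA = """\
Received: from msa.example.net (msa.example.net [192.0.2.10])
 by mx.example.org with ESMTP id A1; Mon, 18 Dec 2006 12:00:00 +0100
Received: from laptop (dyn7.example.com [198.51.100.7])
 by msa.example.net with ESMTPA id B2; Mon, 18 Dec 2006 11:59:58 +0100
"""
DIRECT_FORGED = """\
Received: from laptop (dyn7.example.com [198.51.100.7])
 by mx.example.org with ESMTP id C3; Mon, 18 Dec 2006 12:05:00 +0100
X-Authenticated: #0000000
Received: from laptop ([198.51.100.7])
 by msa.example.net with ESMTPA id D4; Mon, 18 Dec 2006 12:04:58 +0100
"""
```

The second sample carries both an X-Authenticated header and a sender-supplied Received line claiming ESMTPA; only the first check is fooled, because the walk stops once a header was written by a host outside the trusted set.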





spamd: handle_user unable to find user:

2006-12-18 Thread pinoyskull

Hi,

I'm a bit concerned right now because I'm seeing these messages quite often

---
@4000458654293088b884 [48180] info: spamd: handle_user unable to find user: '[EMAIL PROTECTED]'

---

- [EMAIL PROTECTED] is only an example

- [EMAIL PROTECTED] is a valid user on my server

- does this mean that if I find a message like that in spamd's logs, 
that particular message was not delivered?


- I'm running qmail-scanner 1.25st / spamassassin 3.1.7 / clamav 0.88.6


what does "Image is single non-interlaced" mean ?

2006-12-18 Thread Halid Faith
I see a message as below in Fuzzyocr.log.
Image is single non-interlaced

What does it mean?

What should I do ?

Thanks


Re: sa-update is broken

2006-12-18 Thread Christian Eichert

Sietse van Zanen wrote:

perl -MCPAN -e 'install LWP::UserAgent'

And you might be missing a couple more.

-Sietse


I think we hit a bug

server:~# perl -MCPAN -e 'install LWP::UserAgent'
Can't locate object method "install" via package "LWP::UserAgent" at -e 
line 1.


Can someone provide a solution for the problem?

