Re: trusted mailing list subscriber spam
On Sun, May 11, 2008 03:07, [EMAIL PROTECTED] wrote:
> All I know is that I don't use SPF anymore for my domain as there are
> just too many problems... e.g., forwarded messages.

And you usually don't know where your forwards are going from :/( come on, please :-)

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: trusted mailing list subscriber spam
>> All a spam program would have to do is say "[EMAIL PROTECTED] posts lots
>> to that list. His address must be a trusted subscriber. Well, here's
>> one more post from him, muhahaha."

SB> If "Bob" posts a lot to a list(s) and is respected within said
SB> list(s), then the other subs of that list will immediately recognize
SB> by the tone and the writing style of a fake message that it wasn't Bob
SB> that sent it.

Yes, but I'm talking about having SpamAssassin do the recognizing before it reaches the humans. OK, that means some training for what each trusted subscriber's message usually looks like. I have an idea: let's discuss this complicated question at some other time.

>> OK, I suppose that would be caught by SPF rules etc., if Bob likes SPF.

SB> Not all mail systems actually block upon SPF breakage...

BP> what are you talking about ?, to score email addresses found on maillist a bit
BP> negative since it looks like non-spammy human ?

All I know is that I don't use SPF anymore for my domain as there are just too many problems... e.g., forwarded messages.
Re: FW: Exploiting Google MX servers as Open SMTP Relays
> On Sat, May 10, 2008 19:48, Joseph Brennan wrote:
> > --On Saturday, May 10, 2008 9:57 AM -0400 Michael Scheidell
> > <[EMAIL PROTECTED]> wrote:
> >> fyi: post in bugtraq. You may wish to look for and remove any whitelists
> >> based on google, googlegroups, or gmail accounts until google fixes this.
> > I was surprised to hear that anyone gave whitelist status to free
> > email services to begin with!

On 10.05.08 20:39, Benny Pedersen wrote:
> that's why I use def_whitelist_auth for free domains and whitelist_auth for
> specifically known persons that I know
>
> then adjust the whitelist score to get only non-spam through

I don't even do that... the default whitelist has a score of -15, which is quite enough to let much of the spam that goes through pass. Yes, I can change the score to e.g. -10 or -5... and I even wonder why there are so many domains on the default whitelist (luckily not many FPs).

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers.
Re: FW: Exploiting Google MX servers as Open SMTP Relays
On Sat, May 10, 2008 19:48, Joseph Brennan wrote:
> --On Saturday, May 10, 2008 9:57 AM -0400 Michael Scheidell
> <[EMAIL PROTECTED]> wrote:
>> fyi: post in bugtraq. You may wish to look for and remove any whitelists
>> based on google, googlegroups, or gmail accounts until google fixes this.
> I was surprised to hear that anyone gave whitelist status to free
> email services to begin with!

That's why I use def_whitelist_auth for free domains and whitelist_auth for specifically known persons that I know, then adjust the whitelist score to get only non-spam through.

Benny Pedersen
Re: Problems with sa-update
On 10/05/2008 18:40, Benny Pedersen wrote:
> On Sat, May 10, 2008 18:47, [EMAIL PROTECTED] wrote:
>> [21292] dbg: diag: module installed: IO::Zlib, version 1.01
>
> Find where this is installed:
>
> rpm -qa | grep IO-Zlib
> rpm -e IO-Zlib-1.01 (only if it's there)
>
> I do not know if it's really called that as an rpm. If it's there, upgrade it in rpm; if you have it from a previous cpan install, make an rpm with cpan2rpm, but you still have to remove the old 1.01 version that is found.

OK, I found and erased it:

[EMAIL PROTECTED] root]# rpm -qa | grep IO-Zlib
perl-IO-Zlib-1.01-fc2.build75050824.12
[EMAIL PROTECTED] root]# rpm -e perl-IO-Zlib-1.01
[EMAIL PROTECTED] root]#

I then tried to install it from an RPM:

[EMAIL PROTECTED] root]# wget http://dag.wieers.com/rpm/packages/perl-IO-Zlib/perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm
--20:24:18-- http://dag.wieers.com/rpm/packages/perl-IO-Zlib/perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm
=> `perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm'
Resolving dag.wieers.com... 62.213.193.164
Connecting to dag.wieers.com|62.213.193.164|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://rpmforge.sw.be/fedora/3/en/i386/rpmforge/RPMS/perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm [following]
--20:24:19-- http://rpmforge.sw.be/fedora/3/en/i386/rpmforge/RPMS/perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm
=> `perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm'
Resolving rpmforge.sw.be... 88.198.65.175, 130.133.35.16
Connecting to rpmforge.sw.be|88.198.65.175|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14,783 (14K) [application/x-rpm]
100%[>] 14,783 --.--K/s
20:24:19 (1.12 MB/s) - `perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm' saved [14783/14783]

[EMAIL PROTECTED] root]# rpm -i perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm
warning: perl-IO-Zlib-1.04-1.1.fc3.rf.noarch.rpm: V3 DSA signature: NOKEY, key ID 6b8d79e6
[EMAIL PROTECTED] root]#

Which looked OK from the little I know.

I then checked SA and nothing appeared to be installed:

[EMAIL PROTECTED] root]# spamassassin 2>&1 -D --lint | grep Zlib
[14245] dbg: diag: module installed: Compress::Zlib, version 1.33
[14245] dbg: diag: module not installed: IO::Zlib ('require' failed)
[EMAIL PROTECTED] root]#

Can you suggest what I might do next? I'm not at all experienced in this so I'm very grateful for your advice and patience!

Thanks, Geoff
Re: FW: Exploiting Google MX servers as Open SMTP Relays
--On Saturday, May 10, 2008 9:57 AM -0400 Michael Scheidell <[EMAIL PROTECTED]> wrote:
> fyi: post in bugtraq. You may wish to look for and remove any whitelists
> based on google, googlegroups, or gmail accounts until google fixes this.

I was surprised to hear that anyone gave whitelist status to free email services to begin with!

Joseph Brennan
Columbia University Information Technology
Re: Problems with sa-update
On Sat, May 10, 2008 18:47, [EMAIL PROTECTED] wrote:
> [21292] dbg: diag: module installed: IO::Zlib, version 1.01

Find where this is installed:

rpm -qa | grep IO-Zlib
rpm -e IO-Zlib-1.01 (only if it's there)

I do not know if it's really called that as an rpm. If it's there, upgrade it in rpm; if you have it from a previous cpan install, make an rpm with cpan2rpm, but you still have to remove the old 1.01 version that is found.

Other missing Perl modules should also be checked, but SpamAssassin doesn't complain about them, so OK.

Benny Pedersen
Re: Multiple X-Envelope-From and SPF
> On Fri, May 9, 2008 08:55, ram wrote:
> > Precisely what I am afraid of. But the issue is whatever header I use
> > for envelope-from, all of them can be trivially forged.
> > I am trying to replace all the X-Envelope headers before sending them to
> > the scan servers.

On 09.05.08 23:39, Benny Pedersen wrote:
> don't change headers on trusted routes, you will fail if you do it, but if you
> have different MTAs with different envelope_sender_header one might need to have
> different content scanners as well
>
> envelope_sender_header in local.cf does not solve that imho

He reported that there are multiple such headers. Since ANY header can be in an e-mail when the MTA receives it, the header chosen to be used for the envelope sender address MUST be replaced by the current MTA; it does not matter if it's X-Envelope-From or Return-Path or wtf.

--
Matus UHLAR - fantomas
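The rule stated in this reply, that the receiving MTA must drop every externally supplied copy of the envelope-sender header and add exactly one of its own before any content scanner reads it, as an added Python example that is not from the thread or from SpamAssassin; the header name X-Envelope-From, the addresses and the sample message are constructed assumptions.

```python
"""Added example (not from the thread): treat the envelope-sender header as
attacker-controlled until the receiving MTA has replaced it.

Assumptions: the MTA uses X-Envelope-From as its envelope sender header; the
message bytes and addresses below are constructed for illustration."""
from email import message_from_bytes, policy

ENVELOPE_HEADER = "X-Envelope-From"  # assumed header name


def naive_envelope_sender(raw: bytes) -> str:
    """What a scanner does if it trusts whatever header arrived from outside:
    it takes the first copy it finds, which the remote sender controls."""
    msg = message_from_bytes(raw, policy=policy.default)
    return str(msg[ENVELOPE_HEADER] or "").strip().strip("<>")


def stamp_envelope_sender(raw: bytes, smtp_mail_from: str) -> bytes:
    """MTA side: drop every pre-existing copy of the header and add exactly one
    carrying the MAIL FROM actually seen on the SMTP session. This must run on
    the MTA, before the message is handed to any content scanner."""
    msg = message_from_bytes(raw, policy=policy.default)
    del msg[ENVELOPE_HEADER]                   # removes all occurrences
    msg[ENVELOPE_HEADER] = f"<{smtp_mail_from}>"
    return msg.as_bytes()


def envelope_sender(raw: bytes) -> str:
    """Scanner side: accept the header only when exactly one copy is present;
    zero or several copies mean the MTA did not stamp the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    values = msg.get_all(ENVELOPE_HEADER) or []
    if len(values) != 1:
        raise ValueError(f"expected one {ENVELOPE_HEADER}, found {len(values)}")
    return str(values[0]).strip().strip("<>")


# Constructed sample: a message arriving from the Internet that already carries
# two envelope headers naming a domain the recipient's filters trust.
FORGED = (
    b"X-Envelope-From: <ceo@trusted.example>\r\n"
    b"X-Envelope-From: <billing@trusted.example>\r\n"
    b"From: CEO <ceo@trusted.example>\r\n"
    b"To: staff@example.net\r\n"
    b"Subject: invoice\r\n"
    b"\r\n"
    b"please pay\r\n"
)

if __name__ == "__main__":
    print("naive scanner sees:", naive_envelope_sender(FORGED))
    stamped = stamp_envelope_sender(FORGED, "bounce@bulk-sender.example")
    print("after MTA stamp:", envelope_sender(stamped))
```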
Re: Problems with sa-update
On Sat, May 10, 2008 16:42, Geoff Soper wrote:
> Can anyone suggest what I should do next?

Post the output of spamassassin 2>&1 -D --lint

I believe you have older versions from rpm installed; don't use rpm and cpan at the same time!

Benny Pedersen
Problems with sa-update
I've previously used RDJ to keep my SA rules up-to-date but have got the impression I should be using sa-update instead. My first step was to run "sa-update && service spamassassin restart" but this gave the following error:

IO::Zlib version 1.04 required--this is only version 1.01 at /usr/bin/sa-update line 82.
BEGIN failed--compilation aborted at /usr/bin/sa-update line 82.

My next action was to use CPAN to update IO::Zlib but this also failed:

cpan[1]> upgrade IO::Zlib
CPAN: Storable loaded ok (v2.09)
Going to read /root/.cpan/Metadata
Database was generated on Sat, 10 May 2008 05:29:47 GMT
Package namespace  installed  latest  in CPAN file
IO::Zlib           1.01       1.09    TOMHUGHES/IO-Zlib-1.09.tar.gz
Running install for module 'IO::Zlib'
Running make for T/TO/TOMHUGHES/IO-Zlib-1.09.tar.gz
CPAN: Digest::SHA loaded ok (v5.45)
CPAN: Compress::Zlib loaded ok (v1.33)
Checksum for /root/.cpan/sources/authors/id/T/TO/TOMHUGHES/IO-Zlib-1.09.tar.gz ok
Scanning cache /root/.cpan/build for sizes
DONE
IO-Zlib-1.09/
IO-Zlib-1.09/Makefile.PL
IO-Zlib-1.09/META.yml
IO-Zlib-1.09/t/
IO-Zlib-1.09/t/basic.t
IO-Zlib-1.09/t/getline.t
IO-Zlib-1.09/t/import.t
IO-Zlib-1.09/t/tied.t
IO-Zlib-1.09/t/getc.t
IO-Zlib-1.09/t/large.t
IO-Zlib-1.09/t/uncomp1.t
IO-Zlib-1.09/t/external.t
IO-Zlib-1.09/t/uncomp2.t
IO-Zlib-1.09/SIGNATURE
IO-Zlib-1.09/ChangeLog
IO-Zlib-1.09/README
IO-Zlib-1.09/MANIFEST
IO-Zlib-1.09/Zlib.pm
CPAN: File::Temp loaded ok (v0.18)
CPAN: YAML loaded ok (v0.66)
CPAN.pm: Going to build T/TO/TOMHUGHES/IO-Zlib-1.09.tar.gz
Checking if your kit is complete...
Looks good
Writing Makefile for IO::Zlib
cp Zlib.pm blib/lib/IO/Zlib.pm
Manifying blib/man3/IO::Zlib.3pm
TOMHUGHES/IO-Zlib-1.09.tar.gz
/usr/bin/make -- OK
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/basic......ok
t/external...ok
t/getc.......ok
t/getline....ok
t/import.....ok
t/large......ok
t/tied.......ok
t/uncomp1....FAILED test 5
Failed 1/10 tests, 90.00% okay
t/uncomp2....FAILED test 5
Failed 1/10 tests, 90.00% okay
Failed Test  Stat Wstat Total Fail  List of Failed
---
t/uncomp1.t                10    1  5
t/uncomp2.t                10    1  5
Failed 2/9 test scripts. 2/122 subtests failed.
Files=9, Tests=122, 1 wallclock secs ( 0.79 cusr + 0.29 csys = 1.08 CPU)
Failed 2/9 test programs. 2/122 subtests failed.
make: *** [test_dynamic] Error 255
TOMHUGHES/IO-Zlib-1.09.tar.gz
/usr/bin/make test -- NOT OK
//hint// to see the cpan-testers results for installing this module, try:
reports TOMHUGHES/IO-Zlib-1.09.tar.gz
Running make install
make test had returned bad status, won't install without force
Failed during this command:
TOMHUGHES/IO-Zlib-1.09.tar.gz : make_test NO
cpan[2]>

Can anyone suggest what I should do next?

Thanks, Geoff
Re: False positive on forged_mua_outlook
Jeff Koch wrote:
> If you guys are going to keep looking at the wrong part of the header information that I sent in, nothing will get done.

What makes you believe we are looking at the wrong part? See below.

> Please look at the section below the spam scoring. Here's the header from the user's email and it was sent from Outlook Express:
>
> Received: from unknown (HELO jade.xx.com) (216.99.193.136)
> by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
> Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
> by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
> for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
> Message-ID: <[EMAIL PROTECTED]>

This is the header I was talking about.

> From: "Aindrea" <[EMAIL PROTECTED]>
> To: "warehouse" <[EMAIL PROTECTED]>
> Subject: Camden Grey order 373
> Date: Tue, 6 May 2008 12:13:04 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="=_NextPart_000_0039_01C8AF72.8920CD60"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Re: False positive on forged_mua_outlook
Jeff Koch wrote:
> That part (i.e. the top part of the header) was generated by qmail. Please look at the bottom part of the header after the spam scoring which shows the header from the user's email which was mistakenly scored as a forged_mua_outlook.

The message-id is the same, but anyway, I actually checked the headers inside the report.
Re: False positive on forged_mua_outlook
If you guys are going to keep looking at the wrong part of the header information that I sent in, nothing will get done. Please look at the section below the spam scoring. Here's the header from the user's email and it was sent from Outlook Express:

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

At 09:09 AM 5/10/2008, D Hill wrote:
> On Sat, 10 May 2008 at 10:13 +0200, [EMAIL PROTECTED] confabulated:
>> Randy Ramsdell wrote:
>>> [snip]
>>> Scratch that and reverse it. If it does match, then it will score the message header as fake.
>>
>> oops :) sorry. Let me check some more things.
>>
>> Did outlook really generate this message-id:
>> Message-ID: <[EMAIL PROTECTED]>
>
> I just sent myself a test message from Outlook Express 6.00.2900.2180:
>
> Message-ID: <[EMAIL PROTECTED]>
>
> The part of the message ID before the '@' is two characters shorter than what you show. 'meme' is the name of my computer. Outlook and Outlook Express use the name of the computer in the message ID after the '@'. I don't have access to Outlook for testing.
>
> On a side note, Outlook and Outlook Express also HELO with the computer's name when sending a message through an email server.

Best Regards,
Jeff Koch, Intersessions
Re: False positive on forged_mua_outlook
That part (i.e. the top part of the header) was generated by qmail. Please look at the bottom part of the header after the spam scoring which shows the header from the user's email which was mistakenly scored as a forged_mua_outlook.

At 04:13 AM 5/10/2008, mouss wrote:
> Randy Ramsdell wrote:
>> [snip]
>> Scratch that and reverse it. If it does match, then it will score the message header as fake.
>
> oops :) sorry. Let me check some more things.
>
> Did outlook really generate this message-id:
> Message-ID: <[EMAIL PROTECTED]>
> ?

Best Regards,
Jeff Koch, Intersessions
FW: Exploiting Google MX servers as Open SMTP Relays
fyi: post in bugtraq. You may wish to look for and remove any whitelists based on google, googlegroups, or gmail accounts until google fixes this.

--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

-- Forwarded Message
> From: <[EMAIL PROTECTED]>
> Date: 7 May 2008 20:37:46 -
> To: <[EMAIL PROTECTED]>
> Subject: Exploiting Google MX servers as Open SMTP Relays
>
> Vulnerability Report:
>
> As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send any number of forged email messages without restriction through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters.
>
> Impact:
>
> All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.
>
> Disclosure:
> We have contacted Google about this issue and are waiting for their position before releasing further details.
>
> For more information, visit our homepage:
> http://ece.uprm.edu/~andre/insert
>
> Regards,
>
> Pablo Ximenes, André dos Santos
>
> INSERT - Information Security Research Team
> University of PR at Mayaguez (UPRM), USA
> State University of Ceará (UECE), Brazil
>
> [EMAIL PROTECTED], [EMAIL PROTECTED]
-- End of Forwarded Message
Re: False positive on forged_mua_outlook
On Sat, May 10, 2008 15:09, D Hill wrote:
> On a side note, Outlook and Outlook Express also HELO with the computer's
> name when sending a message through an email server.

Yes, Windows mail clients can't say HELO with a dot in the HELO either, so they can't do an FQDN in the HELO, unless it's a spambot or a server that doesn't have that limit.

That is also why it's important for a mail server to accept a non-FQDN in HELO from SMTP-authenticated clients, so that rejecting a non-FQDN HELO only applies to non-SMTP-authenticated clients.

Benny Pedersen
Re: False positive on forged_mua_outlook
On Sat, 10 May 2008 at 10:13 +0200, [EMAIL PROTECTED] confabulated:
> Randy Ramsdell wrote:
>> [snip]
>> Scratch that and reverse it. If it does match, then it will score the message header as fake.
>
> oops :) sorry. Let me check some more things.
>
> Did outlook really generate this message-id:
> Message-ID: <[EMAIL PROTECTED]>

I just sent myself a test message from Outlook Express 6.00.2900.2180:

Message-ID: <[EMAIL PROTECTED]>

The part of the message ID before the '@' is two characters shorter than what you show. 'meme' is the name of my computer. Outlook and Outlook Express use the name of the computer in the message ID after the '@'. I don't have access to Outlook for testing.

On a side note, Outlook and Outlook Express also HELO with the computer's name when sending a message through an email server.
Re: SA 3.2.4 --lint errors?
On Sat, May 10, 2008 08:52, Obantec Support wrote:
> looks like a lot of warnings, any advice welcomed.

And you only have 3.2.4 installed now? Are all Perl modules up to date?

Benny Pedersen
Re: False positive on forged_mua_outlook
Randy Ramsdell wrote:
> [snip]
> Scratch that and reverse it. If it does match, then it will score the message header as fake.

oops :) sorry. Let me check some more things.

Did outlook really generate this message-id:
Message-ID: <[EMAIL PROTECTED]>
?