Re: Scanning Through Saved Emails
On Thu, 5 Feb 2009, yuksel.asim.si...@gmail.com wrote:

> Can we also extract the domains which are getting spam emails with the solution you suggested? The report doesn't include this information. What should I do if I want to find out which domain is spamming me and how many spams I am getting from this domain? Can I also put the spams into a different folder when I detect them?

That all depends on what the program that processes the spamd output does. If the message is scored as spam, then you can subject it to whatever further analysis you like.

There isn't going to be a packaged solution to do what you want, though. The closest to that is the masscheck utility, which would dump MSG_ID + rules that hit for that message. If you had a mapping file for MSG_ID -> message filename, then you could use that to select message files for further analysis (e.g. extraction of the submitting MTA domain, recipient domain, etc.) based on whether the masscheck output said they were spammy.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
I would buy a Mac today if I was not working at Microsoft. -- James Allchin, Microsoft VP of Platforms
---
6 days until Abraham Lincoln's and Charles Darwin's 200th Birthdays
Filtering/ blocking forged emails
I am new to postfix/SpamAssassin and thinking of a way to block email addresses which do not come from that domain. For example, if someone with an @xxx.com address sends to a list, it must come from a server in the xxx.com domain, else it should be rejected. Is it possible to do this?

As there is every possibility that spammers can also send with a real user's id, I am planning to have a check that would be able to compare the From: and the Message-Id domains to check for spoofed messages coming in from an open relay. It's just an idea to eliminate every possible attack.

As I don't have much experience with postfix (just installed/configured it a couple of days ago), any suggestions in this regard will be highly helpful for me.

I have also read somewhere about Sender Score Certified support in SpamAssassin, but I'm not sure how this works. Will it check the sender's From address and compare it with the domain?
Re: Filtering/ blocking forged emails
Am I misunderstanding what you're saying? My domain is www.espphotography.com. But my mail is relayed through my ISP's mail server, smtp.dslextreme.com. So my mail should be rejected?

At 12:52 PM 2/6/2009, you wrote:

> I am new to postfix/SpamAssassin and thinking of a way to block email addresses which do not come from that domain. For example, if someone with an @xxx.com address sends to a list, it must come from a server in the xxx.com domain, else it should be rejected. Is it possible to do this?
>
> As there is every possibility that spammers can also send with a real user's id, I am planning to have a check that would be able to compare the From: and the Message-Id domains to check for spoofed messages coming in from an open relay. It's just an idea to eliminate every possible attack.
>
> As I don't have much experience with postfix (just installed/configured it a couple of days ago), any suggestions in this regard will be highly helpful for me.
>
> I have also read somewhere about Sender Score Certified support in SpamAssassin, but I'm not sure how this works. Will it check the sender's From address and compare it with the domain?
Re: Filtering/ blocking forged emails
> I am new to postfix/SpamAssassin and thinking of a way to block email addresses which do not come from that domain. For example, if someone with an @xxx.com address sends to a list, it must come from a server in the xxx.com domain, else it should be rejected. Is it possible to do

Check 'spf' and dkim signing. Lots of legitimate traffic from 'domain.com' comes from 'thirdparty.com'.

Spamassassin doesn't verify or validate senders, it just scores spam. Lots of rules look for forgeries; it can check dkim signatures, SPF records, etc. (yes, I know, SPF is broken), and spammers can sign their spam with dkim, and spammers can run their own domains and put in valid spf records.

--
Michael Scheidell, CTO | SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
_
This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/
_
How can I set this up in S.A.?
Wow, when they say spam costs companies X amount of dollars I always wondered how, but here is a good example, since I've been playing with this for almost 2 hours.

I was getting a lot of e-mail from myself to myself (I had put in a rule that let everything from my domain be delivered). Upon doing this my fax system (which runs through e-mail) is being caught in the box trap as possible spam.

For faxing I use GFI, whereby I print to fax, a small box comes up, I put the phone number in, then this gets created into a pdf type file, then gets emailed to f...@mydomain.com, then the fax server periodically checks for queued mail, then receives faxes out, then emails back the result.

Well, all my faxes being sent to f...@mydomain.com are caught in the box. How can I say ANY EMAIL SENT TO f...@mydomain.com doesn't get filtered?

Thanks
--
View this message in context: http://www.nabble.com/How-can-I-set-this-up-in-S.A.--tp21880651p21880651.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
How can I set this up in S.A.?
Wow, when they say spam costs companies X amount of dollars I always wondered how, but here is a good example, since I've been playing with this for almost 2 hours.

I was getting a lot of e-mail from myself to myself (I had a rule in place that let everything from my domain be delivered); well, due to all this spam from myself I had to remove this. Upon doing this my fax system (which runs through e-mail) is being caught in the box trap as possible spam.

For faxing I use GFI, whereby I print to fax, a small box comes up, I put the phone number in, then this gets created into a pdf type file, then gets emailed to f...@mydomain.com, then the fax server periodically checks for queued mail, then receives faxes out, then emails back the result.

Well, all my faxes being sent to f...@mydomain.com are caught in the box. How can I say ANY EMAIL SENT TO f...@mydomain.com doesn't get filtered?

Thanks
--
View this message in context: http://www.nabble.com/How-can-I-set-this-up-in-S.A.--tp21880669p21880669.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Filtering/ blocking forged emails
> Am I misunderstanding what you're saying? My domain is www.espphotography.com. But my mail is relayed through my ISP's mail server, smtp.dslextreme.com. So my mail should be rejected?

Yes.. And mailing list email would be blocked also, since it comes through:

SPF_PASS=-0.001, WHOIS_CONTACTPRIV=2.696] autolearn=unavailable
Received: from mail.apache.org (hermes.apache.org [140.211.11.2]) by fl.us.spammertrap.net (Postfix) with SMTP id 457FEE609D for list-s...@secnap.com; Fri, 6 Feb 2009 15:53:30 -0500 (EST)

(ps, someone has a FP on whois_contactpriv)

Doesn't look like apache or espphotography.com or dslextreme.com

--
Michael Scheidell, CTO | SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Re: Filtering/ blocking forged emails
At 12:52 06-02-2009, Nandini Mocherla wrote:

> I am new to postfix/SpamAssassin and thinking of a way to block email addresses which do not come from that domain. For example, if someone with an @xxx.com address sends to a list, it must come from a server in the xxx.com domain, else it should be rejected. Is it possible to do this? As there is every possibility that spammers can also send with a real

That's similar to SPF. You can configure Postfix to block these messages through policyd or a milter.

> user's id, I am planning to have a check that would be able to compare the From: and the Message-Id domains to check for spoofed messages coming in from an open relay. It's just an idea to eliminate every possible attack. As I don't have much experience with

There isn't any correlation between the domain part of the address used in the From: and what appears in the Message-ID.

> postfix (just installed/configured it a couple of days ago), any suggestions in this regard will be highly helpful for me. I have also read somewhere about Sender Score Certified support in SpamAssassin, but I'm not sure how this works. Will it check the sender's From address and compare it with the domain?

There are three RCVD_IN_BSP_ rules for that.

Regards,
-sm
Re: How can I set this up in S.A.?
On Fri, 6 Feb 2009, nambi wrote:

> I was getting a lot of E-mail from myself to myself (I had put in a rule that let everything from my domain be delivered)

Now you know why that's discouraged... :)

> upon doing this my fax system (which runs through E-mail) is being caught in the box trap as possible spam. For faxing I use GFI whereby I print to fax, a small box comes up, I put the phone number in, then this gets created into a pdf type file, then gets emailed to f...@mydomain.com, then the fax server periodically checks for queued mail, then receives faxes out, then emails back the result.

Meaning this is an email-to-fax gateway?

> Well all my faxes being sent to f...@mydomain.com are caught in the box, how can I say ANY EMAIL SENT TO f...@mydomain.com doesn't get filtered?

Are you sure you *want* to let the entire world send faxes on your penny? What if somebody figures this out and starts sending you emails that end up in a fax being sent to their fax machine, which sits on a 976 number?

If you do decide you want your fax machine to be wide open, the best way to do it is by telling your MTA to not pass any messages that are addressed to f...@yourdomain.com through SA in the first place. How you do that depends on what glues SA to your MTA.

If you still want to antispam your email-to-fax server, then you'll have to tell us what rules are hitting on a false positive so we can tell you how to properly fix things. Try posting the full headers from a fax gateway FP so we have some actual data to work with.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
People seem to have this obsession with objects and tools as being dangerous in and of themselves, as though a weapon will act of its own accord to cause harm. A weapon is just a force multiplier. It's *humans* that are (or are not) dangerous.
---
6 days until Abraham Lincoln's and Charles Darwin's 200th Birthdays
Re: Filtering/ blocking forged emails
At 13:10 06-02-2009, Michael Scheidell wrote:

> (ps, someone has a FP on whois_contactpriv)
>
> Doesn't look like apache or espphotography.com or dslextreme.com

It's not a false positive. There was xxx.com in the message.

Regards,
-sm
Re: Filtering/ blocking forged emails
On Fri, February 6, 2009 22:00, Michael Scheidell wrote:

> (yes, I know, SPF is broken) and spammers can sign their spam with dkim, and spammers can run their own domains and put in valid spf records.

life is broken also :)

(recipients still need to whitelist friends)

--
http://localhost/
100% uptime and 100% mirrored :)
Re: Filtering/ blocking forged emails
On Fri, 2009-02-06 at 12:52 -0800, Nandini Mocherla wrote:

> I am new to postfix/SpamAssassin and thinking of a way to block email addresses which do not come from that domain. For example, if someone with an @xxx.com address sends to a list, it must come from a server in the xxx.com domain, else it should be rejected. Is it possible to do this?

I'm pretty close to that setup and, AFAIK, don't seem to get many rejects. Here are the pieces of my set up:

- my domain name is hosted separately from my ISP.
- my domain host does nothing but redirect mail and redirect HTTP requests to my website, which is at my ISP
- I use the same domain name internally on my LAN so the From: and envelope-sender names in outgoing mail match my external domain name.
- my copy of Postfix uses relay_host to pass all outgoing mail through my ISP's mailserver
- I have an SPF record set up at my domain host.
- I run Spamassassin

In the last week my ISP has introduced greylisting and as a direct result spam has dropped from 70% of incoming to 5%

Martin
Re: How can I set this up in S.A.?
On Fri, 2009-02-06 at 13:06 -0800, nambi wrote:

> then gets emailed to f...@mydomian.com then the fax server periodically checks for queued mail then receives faxes out then emails back the result.

Please describe your system in a little more detail on a few points:

1) Describe the path incoming mail follows from the internet to your mail reader.
   - how does mail get through your firewall?
   - what programs handle incoming mail between your firewall and your mailreader?

2) Where is your fax machine? By that I mean is it inside your firewall or somewhere outside.

3) Describe the path mail follows to and from your fax machine.
   - what program(s) handle outgoing faxes on their way from your mail reader to the fax machine?
   - what programs handle incoming faxes on their way from the fax machine to your mail reader?

4) Describe where Spamassassin fits in your mail handling system.
   - what program passes mail to spamassassin?
   - what program receives scored mail from spamassassin?

Speaking entirely for myself, I need to understand how your mail handling system is put together before I can offer any useful suggestions.

Martin
Stimulus spams
No, this is not sex-related.

http://isc.sans.org/diary.html?storyid=5815

body STIMULATE_ME_1 /Stimulus Payment form/
body STIMULATE_ME_2 /Economic Stimulus Payment/

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If Microsoft made hammers, everyone would whine about how poorly screws were designed and about how they are hard to hammer in, and wonder why it takes so long to paint a wall using the hammer.
---
6 days until Abraham Lincoln's and Charles Darwin's 200th Birthdays
Obvious? Disabling some RBL/URIBL checks
I'm a bit stumped on this one. We recently got notice that we have too much volume to continue using spamhaus queries, and the quote for our rather small userbase was near what we'd pay for outsourcing all of our spam filtering anyhow...

That said, setting the scores to 0 is supposed to disable them, right?

# remove spamhaus tests
score RCVD_IN_ZEN 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score RCVD_IN_SBL 0
score URIBL_SBL 0

Running spamassassin in debug mode however:

r...@spamd1[/usr/local/etc/mail/spamassassin]# spamassassin -D 21 dialup-nospam.txt | grep -i spamhaus
[3816] dbg: dns: checking RBL zen.spamhaus.org., set zen
[3816] dbg: dns: launching DNS A query for 2.59.48.64.zen.spamhaus.org. in background
[3816] dbg: async: starting: DNSBL-A, dns:A:2.59.48.64.zen.spamhaus.org. (timeout 3.0s, min 0.6s)
[3816] dbg: dns: hit dns:2.59.48.64.zen.spamhaus.org 127.0.0.10
[3816] dbg: async: completed in 0.012 s: DNSBL-A, dns:A:2.59.48.64.zen.spamhaus.org.
[3816] dbg: async: timing: 0.012 . dns:A:2.59.48.64.zen.spamhaus.org.

Any ideas on what I've missed here?

Thanks,

Charles
___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
sp...@bway.net - 212.655.9344
Re: Obvious? Disabling some RBL/URIBL checks
Charles Sprickman wrote:

> I'm a bit stumped on this one. We recently got notice that we have too much volume to continue using spamhaus queries, and the quote for our rather small userbase was near what we'd pay for outsourcing all of our spam filtering anyhow...
>
> That said, setting the scores to 0 is supposed to disable them, right?
>
> # remove spamhaus tests
> score RCVD_IN_ZEN 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
> score RCVD_IN_SBL 0
> score URIBL_SBL 0

For "set of lists in one lookup" type RBLs you need to disable the unscored base rule if you want to disable the DNS query. Those scored rules are just tests against a result from the base rule, so while you've disabled them, they don't cause the DNS lookup.

All the spamhaus based RCVD_IN_* rules will have their query disabled by:

score __RCVD_IN_ZEN 0

This makes sense if you look at how the rule is set up in 20_dnsbl_tests.cf:
http://svn.apache.org/repos/asf/spamassassin/branches/3.2/rules/20_dnsbl_tests.cf

The URIBL_SBL one is adequate as-is.

> Running spamassassin in debug mode however:
>
> r...@spamd1[/usr/local/etc/mail/spamassassin]# spamassassin -D 21 dialup-nospam.txt | grep -i spamhaus
> [3816] dbg: dns: checking RBL zen.spamhaus.org., set zen
> [3816] dbg: dns: launching DNS A query for 2.59.48.64.zen.spamhaus.org. in background
> [3816] dbg: async: starting: DNSBL-A, dns:A:2.59.48.64.zen.spamhaus.org. (timeout 3.0s, min 0.6s)
> [3816] dbg: dns: hit dns:2.59.48.64.zen.spamhaus.org 127.0.0.10
> [3816] dbg: async: completed in 0.012 s: DNSBL-A, dns:A:2.59.48.64.zen.spamhaus.org.
> [3816] dbg: async: timing: 0.012 . dns:A:2.59.48.64.zen.spamhaus.org.
>
> Any ideas on what I've missed here?
>
> Thanks,
>
> Charles
> ___
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet - www.bway.net
> sp...@bway.net - 212.655.9344
Re: Obvious? Disabling some RBL/URIBL checks
On Fri, 6 Feb 2009, Matt Kettler wrote:

> Charles Sprickman wrote:
>> I'm a bit stumped on this one. We recently got notice that we have too much volume to continue using spamhaus queries, and the quote for our rather small userbase was near what we'd pay for outsourcing all of our spam filtering anyhow...
>>
>> That said, setting the scores to 0 is supposed to disable them, right?
>>
>> # remove spamhaus tests
>> score RCVD_IN_ZEN 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score RCVD_IN_SBL 0
>> score URIBL_SBL 0
>
> For "set of lists in one lookup" type RBLs you need to disable the unscored base rule if you want to disable the DNS query.

OK...

> Those scored rules are just tests against a result from the base rule, so while you've disabled them, they don't cause the DNS lookup.

Interesting. I need to read up on the non-basic rules it seems.

> All the spamhaus based RCVD_IN_* rules will have their query disabled by:
>
> score __RCVD_IN_ZEN 0

Just to be clear, the entire list needs to be included like this to completely disable the lookups:

# remove spamhaus tests
score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0

For the archives...

Thanks,

Charles

> This makes sense if you look at how the rule is set up in 20_dnsbl_tests.cf:
> http://svn.apache.org/repos/asf/spamassassin/branches/3.2/rules/20_dnsbl_tests.cf
>
> The URIBL_SBL one is adequate as-is.
>
>> Running spamassassin in debug mode however:
>>
>> r...@spamd1[/usr/local/etc/mail/spamassassin]# spamassassin -D 21 dialup-nospam.txt | grep -i spamhaus
>> [3816] dbg: dns: checking RBL zen.spamhaus.org., set zen
>> [3816] dbg: dns: launching DNS A query for 2.59.48.64.zen.spamhaus.org. in background
>> [3816] dbg: async: starting: DNSBL-A, dns:A:2.59.48.64.zen.spamhaus.org. (timeout 3.0s, min 0.6s)
>> [3816] dbg: dns: hit dns:2.59.48.64.zen.spamhaus.org 127.0.0.10
>> [3816] dbg: async: completed in 0.012 s: DNSBL-A, dns:A:2.59.48.64.zen.spamhaus.org.
>> [3816] dbg: async: timing: 0.012 . dns:A:2.59.48.64.zen.spamhaus.org.
>>
>> Any ideas on what I've missed here?
>>
>> Thanks,
>>
>> Charles
>> ___
>> Charles Sprickman
>> NetEng/SysAdmin
>> Bway.net - New York's Best Internet - www.bway.net
>> sp...@bway.net - 212.655.9344
Re: Obvious? Disabling some RBL/URIBL checks
Charles Sprickman wrote:

> On Fri, 6 Feb 2009, Matt Kettler wrote:
>
>> Charles Sprickman wrote:
>>> I'm a bit stumped on this one. We recently got notice that we have too much volume to continue using spamhaus queries, and the quote for our rather small userbase was near what we'd pay for outsourcing all of our spam filtering anyhow...
>>>
>>> That said, setting the scores to 0 is supposed to disable them, right?
>>>
>>> # remove spamhaus tests
>>> score RCVD_IN_ZEN 0
>>> score RCVD_IN_XBL 0
>>> score RCVD_IN_PBL 0
>>> score RCVD_IN_SBL 0
>>> score URIBL_SBL 0
>>
>> For "set of lists in one lookup" type RBLs you need to disable the unscored base rule if you want to disable the DNS query.
>
> OK...
>
>> Those scored rules are just tests against a result from the base rule, so while you've disabled them, they don't cause the DNS lookup.
>
> Interesting. I need to read up on the non-basic rules it seems.
>
>> All the spamhaus based RCVD_IN_* rules will have their query disabled by:
>>
>> score __RCVD_IN_ZEN 0
>
> Just to be clear, the entire list needs to be included like this to completely disable the lookups:
>
> # remove spamhaus tests
> score __RCVD_IN_ZEN 0
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
> score URIBL_SBL 0
>
> For the archives...

Interesting, are you sure of that? AFAIK, just disabling the __RCVD_IN_ZEN and URIBL_SBL should inhibit all DNS lookups for spamhaus. The RCVD_IN_SBL shouldn't trigger a DNS lookup, AFAIK.
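Matt's point in this thread, that the unscored base rule is what issues the DNS query while the scored RCVD_IN_* rules only test its result, as a small added model in Python (not SpamAssassin's own code). The rule text is a constructed imitation of the 20_dnsbl_tests.cf layout with made-up scores, and the two local.cf fragments are Charles' first attempt and the fix with `__RCVD_IN_ZEN` zeroed; the rule-activation logic is a simplified model of SpamAssassin's behaviour, not its implementation.

```python
import re
# Constructed imitation of the spamhaus section of 20_dnsbl_tests.cf (scores made up);
# the real file linked in the thread has the same base-rule / sub-rule shape.
RULES_CF = """\
header __RCVD_IN_ZEN  eval:check_rbl('zen', 'zen.spamhaus.org.')
header RCVD_IN_SBL    eval:check_rbl_sub('zen', '127.0.0.2')
header RCVD_IN_XBL    eval:check_rbl_sub('zen', '127.0.0.[4567]')
header RCVD_IN_PBL    eval:check_rbl_sub('zen', '127.0.0.1[01]')
score RCVD_IN_SBL 2.0
score RCVD_IN_XBL 3.0
score RCVD_IN_PBL 1.0
"""
BASE_RE = re.compile(r"^header\s+(\S+)\s+eval:check_rbl\('(\w+)',\s*'([^']+)'\)")
SUB_RE = re.compile(r"^header\s+(\S+)\s+eval:check_rbl_sub\('(\w+)',")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?[\d.]+)")

def parse(*cf_texts):
    """sets: set name -> (base rule, zone); subs: sub-rule -> set name; scores.
    Later files (local.cf) override earlier score lines, as in SpamAssassin."""
    sets, subs, scores = {}, {}, {}
    for line in "\n".join(cf_texts).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if m := BASE_RE.match(line):
            sets[m.group(2)] = (m.group(1), m.group(3))
        elif m := SUB_RE.match(line):
            subs[m.group(1)] = m.group(2)
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    return sets, subs, scores

def queries_issued(sets, subs, scores):
    """Model: the unscored '__' base rule fires the DNS query and runs unless a score
    line sets it to exactly 0; sub-rule scores play no part here (Matt's point)."""
    return sorted(zone for rule, zone in sets.values() if scores.get(rule) != 0)

def rules_that_can_hit(sets, subs, scores):
    """Sub-rules with a nonzero score (SA defaults an unscored rule to 1.0) whose
    base rule is still querying."""
    live = {s for s, (rule, _) in sets.items() if scores.get(rule) != 0}
    return sorted(n for n, s in subs.items() if scores.get(n, 1.0) != 0 and s in live)

def wasted_queries(sets, subs, scores):
    """Zones still queried although no scored rule can use the answer: what Charles
    saw in his debug output."""
    useful = {subs[n] for n in rules_that_can_hit(sets, subs, scores)}
    return sorted(zone for s, (rule, zone) in sets.items()
                  if scores.get(rule) != 0 and s not in useful)

# Charles' first local.cf (URIBL_SBL left out of this model) and Matt's fix.
FIRST_TRY = """
# remove spamhaus tests
score RCVD_IN_ZEN 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score RCVD_IN_SBL 0
"""
FIXED = FIRST_TRY + "score __RCVD_IN_ZEN 0\n"

if __name__ == "__main__":
    for label, local_cf in (("first try", FIRST_TRY), ("fixed", FIXED)):
        cfg = parse(RULES_CF, local_cf)
        print(f"{label}: queried={queries_issued(*cfg)} wasted={wasted_queries(*cfg)}")
```

With the first configuration the zen zone is still queried even though no scored rule can use the answer; with the base rule zeroed no spamhaus query is issued at all.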
Re: New version of iXhash plugin - update recommended
Dirk Bonengel wrote:

> Hello all,
>
> just to make it official: the iXhash plugin has now reached version 1.5.5. Recent changes are:
>
> - Adam Stephens noted that hash #3 would be checked even though it had not been computed in the first place. In other words: hash #2 would be checked against twice. This should be corrected, saves a DNS query.
> - Above problems stem from a mis-fix of some problems discovered by Bernd Holzinger and Larry Nedry, especially with hashing routine #3 not returning a return value.
> - Most importantly, version 1.5.3 fixed a problem some users here recently reported with SpamAssassin/iXhash eating up CPU. Bernd Holzinger (regex Part 1) and Jan Schmidt proposed a modified regular expression that prevents Perl from sometimes excessive backtracking...
>
> All users of iXhash should update to the new version - and thanks a lot to the guys above for problem reports and fixes.
>
> Dirk

Hey Dirk,

Just wanted to say that the new iXhash plugin seems to have taken care of the hang problem I was seeing with the last couple of versions I tried.

Thanks for making it available!

Bill