Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Karsten Bräckelmann
On Sat, 2009-06-06 at 13:32 -0700, Rich Shepard wrote:
> On Sat, 6 Jun 2009, Karsten Bräckelmann wrote:
> 
> > This is a third-party plugin, deliberately installed by you.

Given the previous thread I was actually wondering about the phrasing.
Anyway, make that "any admin, or previous admin".

> Actually, it was most likely installed with the SA upgrade because I've

That sounds too close to sa-update -- which by default does not allow
plugins or touch that dir. Stock SA updates definitely are not it
anyway.

Upgrading your distro-supplied SA version -- maybe. Though seriously I
doubt that. It's a third-party plugin, and if your distro installs it as
part of SA, please flame them.

> not made any modifications or tuning to the system. I figure that those who
> set up defaults know much more than do I, so I leave things until there's a
> reason for change.

Yeah, I was more about inheriting it from an old install plus custom
settings. Stock SA plugins *never* will be installed to your *site*
config dir -- where you reported that plugin to be.

Checked the file's age?

> > With any custom rule-set, it's definitely the admin's duty to score it
> > appropriately, and to tune to their specific mail stream. After all, you
> > already "tuned" SA by installing the rule-set in the first place.
> 
> It must have been the Slackware build/installation script that included it
> because adding such a plug-in would not have occurred to me. Regardless, I
> will decrease the score by 80%.

If it doesn't work reliably for you, decreasing the score is a good
first step.

Anyway, let me stress the point: It is not SA that installed it, and if
so, never with a score like that. And I would guess it is not Slackware
either. Or at least, not part of the Slackware SA, but a separate
module.


In conclusion I can only reiterate my previous recommendation, to
review your custom settings. By default, there are NO .pm modules or
rules in your site config /etc/mail/spamassassin dir. Only .pre files
and a few options in local.cf.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: FCrDNS and localhost

2009-06-06 Thread Adam Katz
mouss wrote:
> $ host localhost 127.0.0.1
> localhost.netoyen.net has address 127.0.0.1

You forgot the trailing dot, so it tacked your own domain onto the end
of that.  I believe "localhost.$domain" is not required by any specs
and is non-standard.  ... That's okay, I'll just assume your DNS serves
that A record as you've stated.

I've got servers all over the place, so here's a better tally than the
previous hasty checks.  This crosses FreeBSD, Red Hat, and Debian just
fine, since it's more a result of the upstream DNS than the local
instances.  I've purposefully removed any DNS servers I administer from
consideration, instead using their upstream sources.

Results:  two of my company's colocation providers resolve localhost
while the three others do not.  My office T1s do not.  My alma mater
does not (and unless I'm mistaken, neither do its upstream providers).
My home cable does not.  Four of my colos resolve 1.0.0.127.in-addr.arpa
while one does not.  My cable ISP resolves it, and my office T1s resolve
it to the wrong domain (as a subdomain of one of their subsidiaries).
My alma mater also resolves it.

> It does here. we BSD users love DNS ;-p

This is not OS-dependent.  My BSD boxes exhibit the same results as the
Linux boxes, and the BSD box running a BIND server fails to resolve
localhost (note, BIND was not installed via ports).  To be thorough, I
checked host, dig, and nslookup on a BSD server to ensure consistency.

>>> Maybe SPF, I expect someone to comment on this...
>> Same problem as above: "localhost" is not actually a domain.
> 
> it _is_.  [...] In contrast, "localdomain" is not a valid TLD.

Are you also arguing that the "localhost" FQDN has a TXT record in
addition to its A record?  How can you argue that localhost is a FQDN
while localdomain, which is equally hacked, is not a TLD?  "localhost"
is not a domain because it has no whois entry and no NS record (which
consequently means no A record and no TXT record).  It is reserved.

>> I suppose I could place such an entry in my local DNS server...
>> Actually, I like that idea.  Don't forget to also create an A record!
>>
>> You'll want TXT record  "v=spf1 ip4:127.0.0.0/8 -all"  for both
>> localhost. and localhost.localdomain.
> 
> why bother yourself with SPF since nobody remote should call himself
> "localhost". localhost is a reserved domain.

Two proposals with the same goal have been made:  specific hunting for
localhost and friends or SPF entries for them.  Since this specific
hunting is not built into SA or the MTA by default, it must be added,
just as SPF would need.  I chose to add SPF; six of one, half-a-dozen of
the other.



Let me rephrase my whole argument:

Different DNS servers, depending on their administrators, have different
results for localhost and localhost.localdomain.  Even rDNS on 127.0.0.1
can fail to resolve (or resolve correctly).  Therefore, it may be
troublesome to make assumptions on these grounds.

That's it.


Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
> On Thu, Jun 4, 2009 at 16:32, Adam Katz wrote:
> > I think FCrDNS stands for "Forward-confirmed reverse DNS" as noted at
> > http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS   :-)

On 06.06.09 13:39, John Rudd wrote:
> Every place I've seen it talked about, including past discussion on
> this list, calls it Full Circle, not Forward Confirmed.  Based on that
> page, I assume they're synonymous.

I have never seen the "full circle" until this discussion. Googling gives
the other name at least in the first 10 results...

> > 5. IP -> rDNS: Domain -> DNS: IP2 -> FAIL (mismatch)
> > 6. IP -> rDNS: [none] ->-> FAIL (no rDNS, doesn't fail in sendmail)

because this is not a fail. This just means the IP does not have rDNS, not
that anyone is trying to fake that. So I think that's a different thing.

> > 8. IP -> rDNS: Domain != HELO -> ~FAIL (mismatch)
> 
> I'm pretty sure, but I'd have to re-check, that Botnet catches all of those.

Well, this is caught by RCVD_HELO_IP_MISMATCH with quite a high score.

(And, the SMTP connection MUST NOT be rejected (only) because of this
mismatch, we talked about this already)
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


spamd dies - please help

2009-06-06 Thread Claudia Burman
Hi,
I am trying to set up a new mail server. With postfix - dovecot ldap -
spamd. All virtual users. On CentOS 5.3 64 bits. SpamAssassin version is
3.2.5 installed with yum.

This is the line in postfix's master.cf

dovecot unix - n n - 30 pipe
  flags=DRhu user=vmail argv=/usr/bin/spamc -s 204800 -u $user -e
  /usr/libexec/dovecot/deliver -d ${user}

This is how spamd is started
-d -l -x -m 35 -u vmail
--virtual-config-dir=/var/spool/postfix/virtual/%u/spamassassin

This is the problem:
When I send a mail everything works, ps ax shows spamd and two children.
Sending a big load of mails, I begin to see spamd  processes.

After a while (and after some messages are correctly delivered), I see
this in the log

Jun  6 13:36:58 mail spamd[13000]: prefork: cannot ping 14503, file handle
not defined, child likely to still be processing SIGCHLD handler after
killing itself

Jun  6 13:36:58 mail spamd[13000]: prefork: killing failed child 14503
fd=undefined at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm
line 171,  line 275.

Jun  6 13:36:58 mail spamd[13000]: prefork: killed child 14503

(one for each process)

and after that
connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection refused

the message is delivered but is not passed through spamassassin.

Any help will be appreciated. I can provide additional info if necessary.
Thanks

Claudia Burman
El Bolson - Patagonia Argentina






Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote:
> > Actually, I think this is not good. "localhost." should resolve, but
> > putting localhost to other domains even with 127.0.0.1 address is
> > something that should be imho avoided ;)

On 06.06.09 20:39, mouss wrote:
> why? if it's because of xss and the like, it doesn't apply here, because
> attacker can use http://localhost/ as well (or even http://127.0.0.1/).
> or am I missing something?

it's either useless or hides a problem elsewhere...
however it's OT here...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: FCrDNS and localhost

2009-06-06 Thread Adam Katz
John Rudd wrote:
>> I think FCrDNS stands for "Forward-confirmed reverse DNS" as noted at
>> http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS   :-)
> 
> Every place I've seen it talked about, including past discussion on
> this list, calls it Full Circle, not Forward Confirmed.  Based on that
> page, I assume they're synonymous.

I hope so.  They both sound like great names for the concept, anyway.

>> As a matter of fact, there is nothing stopping a domain
>> from resolving to 127.0.0.1 (or 127.0.0.1 from resolving to a domain,
>> regardless of whether or not it is "localhost") and no reason for SMTP
>> to complain about it, so those aren't always automatic failures.
> 
> I didn't imply that they're automatically failures.  It was an
> implication that the rule that does the checking might be set up to
> reject those results.  "I got back localhost as a result, and I don't
> want that, so I'm going to give a rule failure of some sort, rather
> than continue on to some other result".

So then they are specific samples that despite not failing FCrDNS, you
would like to discriminate against?  I misunderstood your intent.
Checking against private and local networks sounds like a good idea.

>> SENDMAIL HAS THIS AMBIGUITY.
> 
> In fact, Sendmail's ambiguity on the subject was part of why I wrote Botnet.

Ah, that was you (this list is awesome; everybody's here!).  I keep
meaning to try that plugin, but I'm wary of all the false positives I
hear it creates (so I'd have to turn the scores down to near-zero and
then slowly turn them up).  I also find that greylisting, even if solely
against Windows desktops (p0f is now supported in milter-greylist, and
I'd be happy to share my rules that let servers through), seems to
alleviate my need for botnet detection.

>> 5. IP -> rDNS: Domain -> DNS: IP2 -> FAIL (mismatch)
>> 6. IP -> rDNS: [none] ->-> FAIL (no rDNS, doesn't fail in sendmail)
>> 7. IP -> rDNS: Domain -> DNS: [none] -> FAIL (no DNS, sendmail=?)
>>
>> Within SpamAssassin, RDNS_NONE catches #6, my KHOP_MAYBE_FORGED
>> catches #5 (on sendmail servers), and I think #7 goes uncaught.  The
>> other rule I described, KHOP_HELO_FCRDNS, catches #8, which isn't
>> technically FCrDNS:
>>
>> 8. IP -> rDNS: Domain != HELO -> ~FAIL (mismatch)
> 
> I'm pretty sure, but I'd have to re-check, that Botnet catches all of those.

Interesting.  Catching #7 would be nice, though not worth too many
points given how often servers accidentally use their internal (non-TLD)
names.  However, regexps can solve that quite nicely.  Does botnet
create pseudo-headers for later polling?

> Btw: are you the Adam Katz that used to be Mr. Curtain in the Santa
> Cruz/UCSC geek scene?

Nope, haven't been there since I was a kid.  There are thousands of
people with my name (and yet I'm the one with www.adamkatz.com).  There
are only a handful of us in the geek world, so I think I can isolate the
one you're thinking of to the guy at www.geekeasy.com.  Heck, I live
only a few blocks from another Adam Katz who is a professional web
designer (which I've done from time to time).  I'm the (only?) one that
does F/OSS, D&D, and spam-fighting stuff.  ... I'm also a famous dog
trainer, MLB sports agent, several journalists, and I teach plastic
surgery, religion, English, and literature at various universities.  :-D

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam


Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread John Rudd
On Sat, Jun 6, 2009 at 13:38, Rich Shepard wrote:
> On Sat, 6 Jun 2009, John Rudd wrote:
>
>> The thing to do to fix messages from given locations is lean,
>> heavily, upon the sender to get their sending environment fixed.  What
>> botnet finds are sites with bad DNS (no full circle reverse DNS), or
>> sending hosts that look like clients instead of looking like servers. If
>> the exact cause was the former, then that site is poorly configured
>> (violating best practices).
>>
>> If it's the latter, then that's a little more tricky.  But there are
>> entries you can put in the Botnet.cf to exempt sites that actually can't
>> fix their own reverse DNS, or sites that you really need to communicate
>> with, but that won't fix their reverse DNS.
>
> John,
>
>  The false positives I'm seeing now are primarily from people who know
> virtually nothing about computers. Sure, they have some competence in their
> Microsoft applications, but to them anything else is a black box. Not only
> do they not run their own servers, but they couldn't clearly communicate the
> problem to someone who could fix it even if they wanted to do so.

When I send those reports to the sender, I typically also send it to
the postmaster, abuse, and hostmaster addresses for their
ISP/hosting-provider/whatever, exactly because I don't expect the end
user to know much about it.  From there, ISPs that are difficult to
deal with, wrt suggesting that they follow best practices, I put
into the same category as ISPs that condone spam.  But... I know of
VERY few providers that are difficult about it.  Once AOL and
earthlink started to get picky about it, the little guys started to
fall into line.

Out of a few dozen false positives in the 3-4ish years since I made
Botnet public, only 2 have required a local whitelist entry.  The
other providers fixed their configurations.  The funniest one was that
the end user (a marketing person) had been trying to get his sysadmins
to fix it for years, and my report back to them actually provided
ammunition for the _MARKETING_ person to get the TECHNICAL person to
do the right technical thing.


>  I'm lowering the score on that rule.

Probably a good approach for your situation.  Let me know how the
lower score works out for you (when you said 80% in the other message,
do you mean you're lowering it to a score of 1.0, or to a score of
4.0?)


Re: FCrDNS and localhost

2009-06-06 Thread John Rudd
On Thu, Jun 4, 2009 at 16:32, Adam Katz wrote:
> John Rudd wrote:
>> That seems to be an important distinction for
>> strict/rigorous/theoretical discussions of "what is full circle
>> reverse DNS", and things along those lines... but I'm not sure if
>> it really is an important distinction for the practical matter of
>> how you handle tests in SA.
>
> I think FCrDNS stands for "Forward-confirmed reverse DNS" as noted at
> http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS   :-)

Every place I've seen it talked about, including past discussion on
this list, calls it Full Circle, not Forward Confirmed.  Based on that
page, I assume they're synonymous.


> To clarify your four examples (as I understand them):
>
> IP = 222.252.188.181
>
> 1: IP -> rDNS: localhost -> DNS: [none] -> FAIL* (DNS is missing)
> 2: IP -> rDNS: localhost ->-> ~FAIL (rDNS result is forbidden)
> 3: IP -> rDNS: localhost -> DNS: 127.0.0.1 -> FAIL (mismatch)
> 4: IP -> rDNS: localhost -> DNS: 127.0.0.1 -> ~FAIL (DNS is forbidden)
>
> I don't think we ever discussed #2 or #4, which state that entering
> "localhost" as a domain or "127.0.0.1" as an IP is explicitly
> forbidden.

I was trying to cover more bases in the localhost/127.0.0.1 results,
to be more complete/thorough.


> As a matter of fact, there is nothing stopping a domain
> from resolving to 127.0.0.1 (or 127.0.0.1 from resolving to a domain,
> regardless of whether or not it is "localhost") and no reason for SMTP
> to complain about it, so those aren't always automatic failures.

I didn't imply that they're automatically failures.  It was an
implication that the rule that does the checking might be set up to
reject those results.  "I got back localhost as a result, and I don't
want that, so I'm going to give a rule failure of some sort, rather
than continue on to some other result".


> SENDMAIL HAS THIS AMBIGUITY.

In fact, Sendmail's ambiguity on the subject was part of why I wrote Botnet.


> 5. IP -> rDNS: Domain -> DNS: IP2 -> FAIL (mismatch)
> 6. IP -> rDNS: [none] ->-> FAIL (no rDNS, doesn't fail in sendmail)
> 7. IP -> rDNS: Domain -> DNS: [none] -> FAIL (no DNS, sendmail=?)
>
> Within SpamAssassin, RDNS_NONE catches #6, my KHOP_MAYBE_FORGED
> catches #5 (on sendmail servers), and I think #7 goes uncaught.  The
> other rule I described, KHOP_HELO_FCRDNS, catches #8, which isn't
> technically FCrDNS:
>
> 8. IP -> rDNS: Domain != HELO -> ~FAIL (mismatch)

I'm pretty sure, but I'd have to re-check, that Botnet catches all of those.


Btw: are you the Adam Katz that used to be Mr. Curtain in the Santa
Cruz/UCSC geek scene?
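The eight cases enumerated in this exchange, plus the HELO comparison (case #8) that Matus points at, as an added worked example; this is not code from the thread or from the Botnet plugin. The PTR/A tables are constructed stand-ins for real resolver answers, and the `strict` policy (reject a localhost-style rDNS name or a loopback/private forward answer outright, cases #2 and #4) is an assumption modelling John's "I got back localhost and I don't want that" rule:

```python
"""Classify a connecting IP the way the FCrDNS cases above enumerate it.

Constructed example: PTR and A below stand in for DNS answers (assumption:
a production version would query a resolver instead of these dicts).
"""
from ipaddress import ip_address

# Constructed PTR answers: connecting IP -> reverse DNS name (None = no PTR).
PTR = {
    "198.51.100.1": "mail.example.net",       # forward confirms -> PASS
    "198.51.100.2": "mail.example.org",       # forward points at another IP (#5)
    "198.51.100.3": None,                     # no rDNS at all (#6, RDNS_NONE)
    "198.51.100.4": "mx.corp.internal",       # rDNS name with no A record (#7)
    "198.51.100.5": "localhost",              # rDNS claims localhost (#2 / #3)
    "198.51.100.6": "loop.example.com",       # forward resolves to 127.0.0.1 (#4)
    "198.51.100.7": "localhost.localdomain",  # forbidden name, no A record (#1 / #2)
}
# Constructed A answers: name -> list of addresses.
A = {
    "mail.example.net": ["198.51.100.1"],
    "mail.example.org": ["203.0.113.9"],
    "localhost": ["127.0.0.1"],
    "loop.example.com": ["127.0.0.1"],
}
# rDNS names the strict policy rejects as a result in themselves (assumption).
FORBIDDEN_NAMES = {"localhost", "localhost.localdomain"}


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons match."""
    return name.strip().lower().rstrip(".")


def fcrdns(ip, ptr=PTR, a=A, strict=False):
    """Return (status, rdns_name).

    strict=False is plain forward-confirmed reverse DNS: only the
    reverse -> forward -> match chain is checked (cases 1, 3, 5, 6, 7).
    strict=True additionally treats a localhost-style name, or a
    loopback/private forward address, as a failure in itself (cases 2, 4).
    """
    name = ptr.get(ip)
    if name is None:
        return "NO_RDNS", None                   # #6: RDNS_NONE territory
    if strict and _norm(name) in FORBIDDEN_NAMES:
        return "FORBIDDEN_RDNS", name            # #2: rDNS result itself rejected
    addrs = a.get(_norm(name), [])
    if not addrs:
        return "NO_FORWARD", name                # #1 / #7: name has no A record
    if strict and any(ip_address(x).is_loopback or ip_address(x).is_private
                      for x in addrs):
        return "FORBIDDEN_ADDR", name            # #4: forward answer rejected
    if ip in addrs:
        return "PASS", name
    return "MISMATCH", name                      # #3 / #5: forward != connecting IP


def helo_check(ip, helo, ptr=PTR):
    """Case #8, which is not FCrDNS proper: compare the HELO name with the
    rDNS name, or an address-literal HELO ([a.b.c.d]) with the connecting IP."""
    h = _norm(helo)
    if h.startswith("[") and h.endswith("]"):
        return "PASS" if h[1:-1] == ip else "HELO_IP_MISMATCH"
    name = ptr.get(ip)
    if name is None:
        return "NO_RDNS"
    return "PASS" if _norm(name) == h else "HELO_RDNS_MISMATCH"


def classify_all(strict=False, ptr=PTR):
    """Run every constructed IP through fcrdns() and return {ip: status}."""
    return {ip: fcrdns(ip, ptr=ptr, strict=strict)[0] for ip in ptr}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}")
        for ip, status in classify_all(strict=mode).items():
            print(f"  {ip:14} {status:16} rdns={PTR[ip]}")
    print(helo_check("198.51.100.1", "mail.example.net."))
    print(helo_check("198.51.100.1", "[203.0.113.9]"))
```

Note that #3 and #4 share the same DNS answers; only the policy (whether a 127.0.0.1 forward answer is rejected in itself or merely fails to match) decides which status comes back.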


Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Rich Shepard

On Sat, 6 Jun 2009, John Rudd wrote:


> The thing to do to fix messages from given locations is lean,
> heavily, upon the sender to get their sending environment fixed.  What
> botnet finds are sites with bad DNS (no full circle reverse DNS), or
> sending hosts that look like clients instead of looking like servers. If
> the exact cause was the former, then that site is poorly configured
> (violating best practices).
>
> If it's the latter, then that's a little more tricky.  But there are
> entries you can put in the Botnet.cf to exempt sites that actually can't
> fix their own reverse DNS, or sites that you really need to communicate
> with, but that won't fix their reverse DNS.


John,

  The false positives I'm seeing now are primarily from people who know
virtually nothing about computers. Sure, they have some competence in their
Microsoft applications, but to them anything else is a black box. Not only
do they not run their own servers, but they couldn't clearly communicate the
problem to someone who could fix it even if they wanted to do so.

  There are obviously many poorly or mis-configured servers and clients on
the 'Net. That's why there's so much spam and malware out there.

  I'm lowering the score on that rule.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
     Voice: 503-667-4517      Fax: 503-667-8863


Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Rich Shepard

On Sat, 6 Jun 2009, Karsten Bräckelmann wrote:

> This is a third-party plugin, deliberately installed by you.


  Actually, it was most likely installed with the SA upgrade because I've
not made any modifications or tuning to the system. I figure that those who
set up defaults know much more than do I, so I leave things until there's a
reason for change.


> With any custom rule-set, it's definitely the admin's duty to score it
> appropriately, and to tune to their specific mail stream. After all, you
> already "tuned" SA by installing the rule-set in the first place.


  It must have been the Slackware build/installation script that included it
because adding such a plug-in would not have occurred to me. Regardless, I
will decrease the score by 80%.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
     Voice: 503-667-4517      Fax: 503-667-8863


Re: check message body/subject for spam?

2009-06-06 Thread Charles Gregory

On Sat, 6 Jun 2009, Don Ireland wrote:
> P.S.  What I'm looking to do is check it for spam BEFORE sending the
> message.


I find that this kind of 'form spam' is best handled by a couple of simple 
'tricks' within the form and the cgi that processes it:


   1) Include a 'hidden' field (using the style visibility attribute) and 
give it a 'tempting' name like 'e-mail'. If it has an entered value, then 
a robot has 'filled' the form.

   2) Reject if anyone enters URIs into the form.
   3) To stop the kind of spam that enters garbage into all the fields 
except for one, do simple format checking on phone number, e-mail and/or 
zip/post-code fields.


These three things stop ALL my form spam. And you don't have to invoke SA.
So I guess this answer was slightly OT :)

- Charles
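Charles's three tricks implemented server-side, as an added example that is not code from the post; the field names, the honeypot name, the regexes and the sample submissions are all assumptions constructed here:

```python
"""Contact-form spam checks: honeypot field, URI rejection, format checks.

Constructed example. Field names, patterns and submissions are assumptions;
the real address field is "reply_to" so the honeypot can carry the bait name.
"""
import re

# 1) Honeypot: a field hidden with CSS that a person never sees or fills in.
#    The tempting name is the bait for robots that fill every field.
HONEYPOT_FIELD = "e-mail"

# 2) Anything that looks like a URI, in any field, is rejected outright.
URI_RE = re.compile(r"(?i)\b(?:[a-z][a-z0-9+.-]*://|www\.)\S+")

# 3) Simple format checks for the fields robots tend to stuff with garbage
#    (assumed formats: e-mail address, loose phone number, US ZIP or CA postcode).
FORMAT_CHECKS = {
    "reply_to": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    "phone":    re.compile(r"\+?[\d\s().-]{7,20}"),
    "postcode": re.compile(r"\d{5}(?:-\d{4})?|[A-Za-z]\d[A-Za-z] ?\d[A-Za-z]\d"),
}


def check_form(fields):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    # Trick 1: a human leaves the hidden field empty.
    if fields.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")
    # Trick 2: no URIs anywhere in the submission.
    for name, value in fields.items():
        if URI_RE.search(value):
            reasons.append(f"URI in field {name!r}")
    # Trick 3: garbage in the structured fields (empty ones are left alone).
    for name, pattern in FORMAT_CHECKS.items():
        value = fields.get(name, "").strip()
        if value and not pattern.fullmatch(value):
            reasons.append(f"bad format in field {name!r}")
    return reasons


# Constructed submissions: one person, two kinds of robot.
HUMAN = {
    "name": "Jane Doe", "e-mail": "", "reply_to": "jane@example.org",
    "phone": "+1 503-555-0100", "postcode": "97030",
    "message": "Hello, I'd like a quote for a wetland survey.",
}
ROBOT_FILLS_EVERYTHING = {
    "name": "SEO Pro", "e-mail": "seo@example.invalid",
    "reply_to": "seo@example.invalid", "phone": "", "postcode": "",
    "message": "Rank #1 today: http://seo.example.invalid/offer",
}
ROBOT_GARBAGE = {
    "name": "xkqwpz", "e-mail": "", "reply_to": "xkqwpz",
    "phone": "xkqwpz", "postcode": "xkqwpz", "message": "Buy now",
}

if __name__ == "__main__":
    for label, form in (("human", HUMAN),
                        ("robot/fills", ROBOT_FILLS_EVERYTHING),
                        ("robot/garbage", ROBOT_GARBAGE)):
        print(label, check_form(form) or "accepted")
```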


Re: FCrDNS and localhost

2009-06-06 Thread mouss
Matus UHLAR - fantomas wrote:
> On 05.06.09 23:55, mouss wrote:
>> localhost.netoyen.net has address 127.0.0.1
> 

oh, I didn't even realize it was the ".$domain" one!
old habit to avoid nslookup barking and then lusers asking what's the
problem...


> Actually, I think this is not good. "localhost." should resolve, but putting
> localhost to other domains even with 127.0.0.1 address is something that
> should be imho avoided ;)
> 

why? if it's because of xss and the like, it doesn't apply here, because
attacker can use http://localhost/ as well (or even http://127.0.0.1/).
or am I missing something?




Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread John Rudd
Different people run botnet at different score levels, depending on
what they want the rule to do.  The default is 5 because 5 is the
common point where people set messages aside for review (remove them
from their regular mail stream).  That's what botnet is saying about
such messages: this message needs to be reviewed/quarantined.

If you don't agree with that intent, then you should lower the score.

The thing to do to fix messages from given locations is lean,
heavily, upon the sender to get their sending environment fixed.  What
botnet finds are sites with bad DNS (no full circle reverse DNS), or
sending hosts that look like clients instead of looking like servers.
If the exact cause was the former, then that site is poorly configured
(violating best practices).

If it's the latter, then that's a little more tricky.  But there are
entries you can put in the Botnet.cf to exempt sites that actually
can't fix their own reverse DNS, or sites that you really need to
communicate with, but that won't fix their reverse DNS.


On Sat, Jun 6, 2009 at 10:48, Rich Shepard wrote:
> Now that the EMPTY_BODY and mis-identified spam issues have been resolved
> I've encountered a new one creating false positives: the rule (in
> /etc/mail/spamassassin/Botnet.cf) is:
>
> describe        BOTNET                  Relay might be a spambot or virusbot
> header          BOTNET                  eval:botnet()
> score           BOTNET                  5.0
>
>  I've read Botnet.txt but I've no clue what to do to reduce the number of
> false positives. I could include a specific example that came today from a
> client via his Crackberry, if that would help.
>
>  Do I need to build a white list of all such senders? Is there a better way
> to tune this rule so it's not triggered so frequently?
>
> Rich
>
> --
> Richard B. Shepard, Ph.D.               |  Integrity            Credibility
> Applied Ecosystem Services, Inc.        |            Innovation
>      Voice: 503-667-4517      Fax: 503-667-8863
>


Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Karsten Bräckelmann
On Sat, 2009-06-06 at 10:48 -0700, Rich Shepard wrote:
> Now that the EMPTY_BODY and mis-identified spam issues have been resolved
> I've encountered a new one creating false positives: the rule (in
> /etc/mail/spamassassin/Botnet.cf) is:

This is a third-party plugin, deliberately installed by you.

> describe        BOTNET                  Relay might be a spambot or virusbot
> header          BOTNET                  eval:botnet()
> score           BOTNET                  5.0

This is a custom score. Generally, consensus is that no single rule in
SA should be able to single-handedly flag a mail as spam. That means,
use a score lower than your required_score threshold.

Yes, I do realize (IIRC) that it actually is the Botnet plugin default.
However, it also offers a fine-grained scoring approach with more rules
and lower scores each.


With any custom rule-set, it's definitely the admin's duty to score it
appropriately, and to tune to their specific mail stream. After all, you
already "tuned" SA by installing the rule-set in the first place.

Given your previous thread, my advice is to seriously go through your
entire custom settings, and carefully review them.


> I've read Botnet.txt but I've no clue what to do to reduce the number of
> false positives. I could include a specific example that came today from a
> client via his Crackberry, if that would help.

If it hits too often on ham for you, it isn't what you want.

  guenther


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: New Spam Mails plz suggest

2009-06-06 Thread Benny Pedersen

On Sat, June 6, 2009 11:55, chauhananshul wrote:
> How can i make spamassassin catch these mails.

you can do this better in your mta

2 ways to solve it:

1 use postfwd with a rule that checks whether sender equals recipient

2 add spf to your domain, and test spf in your mta


3 take a ice :)


-- 
http://localhost/ 100% uptime and 100% mirrored :)



Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Rich Shepard

  Now that the EMPTY_BODY and mis-identified spam issues have been resolved
I've encountered a new one creating false positives: the rule (in
/etc/mail/spamassassin/Botnet.cf) is:

describe        BOTNET                  Relay might be a spambot or virusbot
header          BOTNET                  eval:botnet()
score           BOTNET                  5.0

  I've read Botnet.txt but I've no clue what to do to reduce the number of
false positives. I could include a specific example that came today from a
client via his Crackberry, if that would help.

  Do I need to build a white list of all such senders? Is there a better way
to tune this rule so it's not triggered so frequently?

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
     Voice: 503-667-4517      Fax: 503-667-8863


Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote:
> > Actually, I think this is not good. "localhost." should resolve, but
> > putting localhost to other domains even with 127.0.0.1 address is
> > something that should be imho avoided ;)

On 06.06.09 11:28, Bob Proulx wrote:
> I think it is okay and normal to have localhost.$mydomain resolve to
> 127.0.0.1.  But the reverse 127.0.0.1 should never resolve to
> localhost.$mydomain but always to "localhost."
> 
> It is recommended not to send queries for local addresses off to the
> root nameservers.  "localhost" by itself is used and expected to work.
> Therefore enabling localhost.$mydomain to resolve prevents this.

that's why a "localhost" zone should be configured in each resolving
nameserver...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: FCrDNS and localhost

2009-06-06 Thread Bob Proulx
Matus UHLAR - fantomas wrote:
> Actually, I think this is not good. "localhost." should resolve, but
> putting localhost to other domains even with 127.0.0.1 address is
> something that should be imho avoided ;)

I think it is okay and normal to have localhost.$mydomain resolve to
127.0.0.1.  But the reverse 127.0.0.1 should never resolve to
localhost.$mydomain but always to "localhost."

It is recommended not to send queries for local addresses off to the
root nameservers.  "localhost" by itself is used and expected to work.
Therefore enabling localhost.$mydomain to resolve prevents this.

Bob


Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
On 05.06.09 23:55, mouss wrote:
> localhost.netoyen.net has address 127.0.0.1

Actually, I think this is not good. "localhost." should resolve, but putting
localhost to other domains even with 127.0.0.1 address is something that
should be imho avoided ;)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: check message body/subject for spam?

2009-06-06 Thread John Hardin

On Sat, 6 Jun 2009, Don Ireland wrote:

> If I write the message/subject to a file (so that it looks like a
> message without most of the headers), can I run it through SA and make
> sure that it's not spam?


Certainly.

Figuring out the headers shouldn't be too difficult, and you will probably 
want to run it using a config that's customized to fake mail (i.e. with 
scores adjusted to reduce the effect of header tests like "does the 
sending hostname look evil?"), but it's absolutely technically doable.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the place of government to make right every tragedy and
  woe that befalls every resident of the nation.
---
 Today: the 65th anniversary of D-Day


Re: New Spam Mails plz suggest

2009-06-06 Thread Jari Fredriksson
> Below is the mail header for one of the mail in which to
> & from id id same 
> 
> From u...@mydomain.com Sat Jun 6 12:41:57 2009
> Return-Path: u...@mydomain.com

mydomain.com really exists, and it is not advisable to mask one's real domain 
behind it.

Use example.com, that is what it is for.


Re: New slew of spams

2009-06-06 Thread RW
On Fri, 05 Jun 2009 14:05:40 -0400
Rob McEwen  wrote:

> An occasional legit e-mail will have RDNS_NONE, and an occasional
> legit e-mail will have RCVD_IN_PBL. But far fewer legit
> emails will have hits on BOTH of these. So I'd suggest scoring the
> combination of the two either just above threshold, or (at the
> least...) just below threshold.


You need to be a little careful about that if you have an extended
internal network outside your control. Not all servers record rDNS and
authentication.


Re: New Spam Mails plz suggest

2009-06-06 Thread Robert Schetterer
Anshul Chauhan wrote:
> Below is the mail header for one of the mail in which to & from id id same
> 
> From u...@mydomain.com  Sat Jun 6 12:41:57 2009
> Return-Path: mailto:u...@mydomain.com>>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
> mailserver1.mydomain.com 
> X-Spam-Level: 
> X-Spam-Status: No, score=4.4 required=5.0
> tests=HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_DYNAMIC
> shortcircuit=noautolearn=no version=3.2.5
> Received: from ABTS-KK-dynamic-136.34.172.122.airtelbroadband.in
> 
> (ABTS-KK-dynamic-026.159.172.122.airtelbroadband.in
> 
> [122.172.159.26] (may be forged))by mailserver1.mydomain.com
>  (8.13.1/8.13.1) with ESMTP id
> n567Ban7019772for mailto:u...@mydomain.com>>; Sat, 6
> Jun 2009 12:41:42 +0530
> Date: Sat, 6 Jun 2009 12:41:42 +0530
> Message-ID:
> <618687839783948.slilovsyitpo...@abts-kk-dynamic-136.34.172.122.airtelbroadband.in
> >
> From: "Lauran" mailto:u...@mydomain.com>>
> To: u...@mydomain.com 
> Subject: Video Bush's accident
> MIME-Version: 1.0
> Content-Type: text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Virus-Scanned: ClamAV 0.94.2/9433/Sat Jun 6 02:49:42 2009 on
> mailserver1.mydomain.com 
> X-Virus-Status: Clean
> X-Logged: Logged by mailserver1.mydomain.com
>  as n567Ban7019772 at Sat Jun 6
> 12:41:42 2009
> 
> Warm Regards,
> Anshul Chauhan
> "Dream is not what you see while sleep, it's the thing that does not let
> you sleep."
> 
> 
> 
> On Sat, Jun 6, 2009 at 4:04 PM, ram wrote:
> 
> 
> On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote:
> > I'm getting a lot of mails daily in which to & from addresses are
> same &
> > spamassassin is not able to stop them. I'm using
> spamassassin-3.2.5-1.el4.rf
> > CentOS4.7 with sendmail.I've increased the score to 4 frm default
> 5 but
> > stills its not catching them.
> >
> > How can i make spamassassin catch these mails.
> 
> Please post a sample (full mail source including headers) on some
> pastebin and post the link here

looks like your mailserver is accepting relay with an account from your
domain without auth. why?
after all it's easy to reject mail from *dynamic* reverse ipaddr
and i am nearly sure that you will find the ip in several rbls
as well you might filter with clam and sanesecurity
and use greylisting etc
that all can be done before passing mail to spamassassin
the score is near to mark, so i would say
give a little more priors to RDNS_DYNAMIC
or and use more rules, looks like image spam, fuzzy ocr may help
etc, but as i said there is a lot you should and can do before accepting
such mails on smtp income level


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: check message body/subject for spam?

2009-06-06 Thread Don Ireland
P.S.  What I'm looking to do is check it for spam BEFORE sending the 
message.


Thx!

Don Ireland



Don Ireland wrote:

Hi everyone.

I have a contact form that allows visitors to send messages to me.  
Some nimnod is using it to send me ads wanting me to use his "Search 
Engine Optimization" service.


Because the form sends messages as though it is ME, the mail server 
doesn't check messages received from my form through SA.  I'm a user 
on a shared hosting service so I can't change that.


If I write the message/subject to a file (so that it looks like a 
message without most of the headers), can I run it through SA and make 
sure that it's not spam?


TIA!

Don Ireland




check message body/subject for spam?

2009-06-06 Thread Don Ireland

Hi everyone.

I have a contact form that allows visitors to send messages to me.  Some 
nimnod is using it to send me ads wanting me to use his "Search Engine 
Optimization" service.


Because the form sends messages as though it is ME, the mail server 
doesn't check messages received from my form through SA.  I'm a user on 
a shared hosting service so I can't change that.


If I write the message/subject to a file (so that it looks like a 
message without most of the headers), can I run it through SA and make 
sure that it's not spam?


TIA!

Don Ireland




Re: New Spam Mails plz suggest

2009-06-06 Thread Anshul Chauhan
Below is the mail header for one of the mails in which the To & From id is the same

From u...@mydomain.com Sat Jun 6 12:41:57 2009
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
mailserver1.mydomain.com
X-Spam-Level: 
X-Spam-Status: No, score=4.4 required=5.0
tests=HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_DYNAMIC
shortcircuit=noautolearn=no version=3.2.5
Received: from ABTS-KK-dynamic-136.34.172.122.airtelbroadband.in
(ABTS-KK-dynamic-026.159.172.122.airtelbroadband.in [122.172.159.26] (may be
forged)) by mailserver1.mydomain.com (8.13.1/8.13.1) with ESMTP id
n567Ban7019772 for ; Sat, 6 Jun 2009 12:41:42 +0530
Date: Sat, 6 Jun 2009 12:41:42 +0530
Message-ID: <618687839783948.slilovsyitpo...@abts-kk-dynamic-136.34.172.122.airtelbroadband.in>
From: "Lauran" 
To: u...@mydomain.com
Subject: Video Bush's accident
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.94.2/9433/Sat Jun 6 02:49:42 2009 on
mailserver1.mydomain.com
X-Virus-Status: Clean
X-Logged: Logged by mailserver1.mydomain.com as n567Ban7019772 at Sat
Jun 6 12:41:42 2009

Warm Regards,
Anshul Chauhan
"Dream is not what you see while sleep, it's the thing that does not let you
sleep."



On Sat, Jun 6, 2009 at 4:04 PM, ram wrote:

>
> On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote:
> > I'm getting a lot of mails daily in which to & from addresses are same &
> > spamassassin is not able to stop them. I'm using
> spamassassin-3.2.5-1.el4.rf
> > CentOS4.7 with sendmail.I've increased the score to 4 frm default 5 but
> > stills its not catching them.
> >
> > How can i make spamassassin catch these mails.
>
> Please post a sample (full mail source including headers) on some
> pastebin and post the link here


Re: New Spam Mails plz suggest

2009-06-06 Thread ram

On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote:
> I'm getting a lot of mails daily in which to & from addresses are same &
> spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf
> CentOS4.7 with sendmail.I've increased the score to 4 frm default 5 but
> stills its not catching them.
> 
> How can i make spamassassin catch these mails.

Please post a sample (full mail source including headers) on some
pastebin and post the link here

New Spam Mails plz suggest

2009-06-06 Thread chauhananshul

I'm getting a lot of mails daily in which the To & From addresses are the same &
spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf on
CentOS 4.7 with sendmail. I've increased the score to 4 from the default 5 but
still it's not catching them.

How can I make spamassassin catch these mails?



Re: FCrDNS and localhost

2009-06-06 Thread Bob Proulx
mouss wrote:
> Adam Katz a écrit :
> > Actually, localhost doesn't resolve via DNS;
> 
> I don't know where you're taking this from:
> 
> $ host localhost 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases:
> 
> localhost.netoyen.net has address 127.0.0.1

Although I like host a lot in this case I think dig gives more
convincing results.

  $ dig -x 127.0.0.1 ptr
  ;; ANSWER SECTION:
  1.0.0.127.in-addr.arpa. 604800  IN  PTR localhost.

  $ dig localhost a
  ;; ANSWER SECTION:
  localhost.  604800  IN  A   127.0.0.1

> > it has no A record, nor
> > any other record type.  It resolves locally without using DNS; see
> > your /etc/hosts file.  Similarly, 1.0.0.127.in-addr.arpa. has no PTR
> > record indicating it should be called localhost.

Both localhost and 127.0.0.1 resolve as expected.  They definitely
have A and PTR records.

> It does here. we BSD users love DNS ;-p

And here too.  (Debian GNU/Linux but we could list out virtually every
legacy Unix and modern system.)

> In contrast, "localdomain" is not a valid TLD.

localdomain, as in localhost.localdomain is a clever hack to initially
provision a generic system such that everything is consistent and
somewhat functioning in a standalone way without having an actual real
domain.  By using localhost.localdomain in the MTA and everywhere else
it is needed the software can be configured for a fqdn without
actually having a fqdn.  It's fake.  But self-consistent.  And so
useful as a generic placeholder configuration.  For machines visible
on the Internet this should be replaced with real configuration.
Machines that are not visible can happily not worry about it.

> > I suppose I could place such an entry in my local DNS server...
> > Actually, I like that idea.  Don't forget to also create an A record!
> > 
> > You'll want TXT record  "v=spf1 ip4:127.0.0.0/8 -all"  for both
> > localhost. and localhost.localdomain.
> 
> why bother yourself with SPF since nobody remote should call himself
> "localhost". localhost is a reserved domain.

I reject at SMTP time clients who claim to be localhost at the MTA
level.  This is a well known anti-spam technique and I am sure most of
us on this list have this as a standard configuration.  A lot of spam
is rejected very quickly this way.

Bob
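As an added example (my own sketch, not code from any poster or from SpamAssassin), here is the kind of SMTP-time policy Robert recommends in the "New Spam Mails" thread (reject *dynamic* reverse DNS before the message reaches SpamAssassin) combined with Bob's rejection of clients that HELO as localhost, both built on a forward-confirmed reverse DNS check. The resolver tables are constructed inline (RFC 5737 test addresses plus the airtelbroadband PTR from Anshul's header) so it runs offline; the helper names and the dynamic-name pattern are my assumptions.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Constructed resolver tables standing in for DNS (hypothetical data): RFC 5737
# test addresses plus the dynamic airtelbroadband PTR quoted in the thread.
PTR: Dict[str, List[str]] = {
    "1.0.0.127.in-addr.arpa.": ["localhost."],
    "10.113.0.203.in-addr.arpa.": ["mx1.example.com."],
    "26.159.172.122.in-addr.arpa.": ["abts-kk-dynamic-026.159.172.122.airtelbroadband.in."],
    "5.2.0.192.in-addr.arpa.": ["mail.example.net."],   # forward record will not match
}
A: Dict[str, List[str]] = {
    "localhost.": ["127.0.0.1"],
    "mx1.example.com.": ["203.0.113.10"],
    "abts-kk-dynamic-026.159.172.122.airtelbroadband.in.": ["122.172.159.26"],
    "mail.example.net.": ["192.0.2.6"],                  # not 192.0.2.5: forged rDNS
}
Lookup = Callable[[str], List[str]]
# Assumed pattern for consumer/dynamic pools; tune it to your own mail stream.
DYNAMIC_RE = re.compile(r"dynamic|dyn-|dhcp|pool|ppp|dsl|cable", re.I)


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip, e.g. 26.159.172.122.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr: Lookup, a: Lookup) -> List[str]:
    """Forward-confirmed rDNS: keep only PTR names whose A records include ip.
    sendmail marks a client that fails this as '(may be forged)' in Received:."""
    return [n for n in ptr(reverse_name(ip)) if ip in a(n)]


def smtp_policy(ip: str, helo: str, ptr: Lookup = lambda n: PTR.get(n, []),
                a: Lookup = lambda n: A.get(n, [])) -> Tuple[str, str]:
    """Decide at SMTP time, before the message is ever handed to SpamAssassin."""
    addr = ipaddress.ip_address(ip)
    # A remote client announcing itself as localhost is lying (Bob's check).
    if helo.lower().rstrip(".") in ("localhost", "localhost.localdomain") and not addr.is_loopback:
        return ("reject", "HELO claims localhost from non-loopback client")
    names = ptr(reverse_name(ip))
    if not names:                       # missing rDNS: leave it to SA (RDNS_NONE)
        return ("defer_to_filter", "no rDNS")
    confirmed = fcrdns(ip, ptr, a)
    if not confirmed:
        return ("reject", "rDNS not forward-confirmed (may be forged)")
    if any(DYNAMIC_RE.search(n) for n in confirmed):   # Robert's *dynamic* rule
        return ("reject", "dynamic rDNS: " + confirmed[0])
    return ("accept", confirmed[0])
```

Keep RW's caveat in mind: if internal relays outside your control deliver to this MTA, exempt them from the rDNS checks or the policy will reject legitimate mail.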