Re: SORBS bites the dust

2009-06-26 Thread Charles Gregory

On Fri, 26 Jun 2009, John Rudd wrote:

> It sounds like Charles' user base and cost/benefit analysis is
> different, and that's fine.


Actually no, it's not. I arrive at the same cost/benefit analysis and have
instituted the same general policy - I block all hosts on PBL. Thought I 
made that part clear.


> But my point here is: legitimate isn't just something that varies from
> mail-admin to mail-admin, and user to user, it's also a difference in
> whether you're talking about messages vs submitting hosts.  Blocking a
> host as being illegitimate doesn't mean "it submits 0 legitimate
> messages". It means it doesn't submit enough legitimate messages to
> justify the number of illegitimate messages it is sending (or is likely
> to send, based upon whatever reputation/policy got it black listed).


(Charles nods enthusiastically) Exactly. It's the distinction between 
whether a filter to block all references to a specific brand of drug 
blocks a medical discussion about the drug. The filter has enforced the 
policy perfectly, but the *intent* to only block drug *ads* has led to 
a false positive. Likewise, the intent to block spammers by marking 
their hosts as illegitimate also blocks legitimate senders who have ended 
up in the IP block where they "don't legitimately belong". They are not in 
a legitimate place, but that doesn't stop them from *trying* to send 
legitimate messages. Thanks John!


- C


Re: SORBS bites the dust

2009-06-26 Thread Charles Gregory

On Fri, 26 Jun 2009, LuKreme wrote:

>>> See, it all comes down to what you think 'legitimate' is.
>> The recipient wants the e-mail. DUH.
>
> That's not my definition at all


The very reason for my posting. You need not repeat yourself.

> . it's not even the definition of any mailadmin I've ever met. We
> reject mail users *want* all the time. It's our job.


That got a genuine laugh. Sounds like something out of the BOFH series.

> Nope, sometimes people WANT email that is laden down with malware,
> viruses, executable files, web bugs, or other things that compromise the
> security of not just themselves, but of others.


ROFLMAO - Now you're twisting the definition of WANT?
Excuse me, my BS threshold just got exceeded. I'm outta here!

-C



Re: user filtering attachments

2009-06-26 Thread fernando
I can't have individual maildrop .rc files...just database.

So I was thinking about detecting attachments inside spamassassin, tagging the
message and stripping attachments in maildrop.

I know that mimeheader does what I need, but I couldn't insert mimeheader
into database (sql userpref) rules at user level.

Regards,
Fernando

>
> Please respond to LIST not to personal e-mail.
>
> On Fri, 26 Jun 2009, ferna...@dfcom.com.br wrote:
>> I would like spamassassin does:
>> Read attach extensions from userpref (database),
>> filter that mime and set a message header,
>> maildrop (that is my mda), drops this attach and delivery only text
>> part.
>> (this is the easier part - it is ready).
>
> Does maildrop not have a 'user preferences' or '.rc' file?
> It has to 'find' these attachments and strip them out anyway.
> Why involve SA at all?
>
>> I don't know how to do this mime filtering using userpref configuration. I
>> thought of creating an eval function, but I don't know how to pass function
>> parameters from userpref database.
>
> Just create 'mimeheader' rules.
>
> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_MIMEHeader.html
>
> - C




Re: SORBS bites the dust

2009-06-26 Thread Michelle Konzack
On 2009-06-25 08:56:00, Matus UHLAR - fantomas wrote:
> Why not? I do that and intentionally - I don't like receiving spam from
> companies that don't accept complaints...

Hihi...

[ '/etc/courier/bofh' ]-
badfrom @hotmail.com
badfrom @hotmail.de
badfrom @hotmail.fr
badfrom @live.com
badfrom @live.de
badfrom @live.fr
badfrom @msn.com
badfrom @facebookmail.com
badfrom @facebook.com
badfrom @badoo.com
badfrom @email.dm2decisionmaker.com
badfrom @mail.ustc.edu.cn
badfrom @superhappypanda.com
badfrom @pixelatedresource.com
badfrom @perceivearound.com
badfrom @mms.metropcs.net
badfrom @thekidbase.com
badfrom @familyfunmedia.com
badfrom @sjwater.com
badfrom @boatbibble.com
badfrom @studiogazzara.it
badfrom @spb.solidworks.ru
badfrom @notesay.com
badfrom @greatyarnmarket.com
badfrom @newmediapoint.com
badfrom @mymainserver.com
badfrom @elixis.cccampaigns.com
badfrom @lists.lifechangersusa.org
badfrom @.cccampaigns.com
badfrom @emv.com
badfrom @.emv2.com


This list is for ANY E-Mails on  because I have  gotten
OVER 12000 spams a day.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   c/o Vertriebsp. KabelBW
   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886Tel. FR: +33  6  61925193




Re: SORBS bites the dust

2009-06-26 Thread John Rudd
On Fri, Jun 26, 2009 at 15:23, LuKreme wrote:
> On 26-Jun-2009, at 14:54, Charles Gregory wrote:
>>

>> I don't care. It's the *meaning* that matters. Not the *word*.
>
> Fine, then, the meaning. Your meaning is *wanted* and my meaning is mail
> from a verifiable source with a verifiable (fixed) IP, correct rDNS that is
> authorized to send mail and does not appear in the zen RBL. It also has to
> helo with a legitimate hostname and the rDNS cannot contain strings like
> 'pool' or 'dynamic' or 'dialup'.

It seems to me that this is "legitimate messages" vs "legitimate hosts".

Each mail admin, and organization, has to determine the cost of
deciding how to handle the signal to noise ratio generated by
different classes of hosts.

When a given single host is submitting a high ratio of
spam+viruses+phishing+etc. vs legitimate messages, at what point is
the cost of accepting its messages no longer justified in order to
obtain those legitimate messages?  That's the question that motivates
implementing Spam/Open-Relay/etc. type black holes at the SMTP level.

PBL is similar, except that you're not considering a single host,
you're considering an entire class of hosts (dynamic hosts, end client
hosts, etc.), whose individual submission rates might be quite low,
because they're being leveraged by a well run/configured botnet.  But,
the question is still the same: what is the value of accepting message
submissions directly from those hosts, compared to the cost of doing
so?

Obviously my site targets dynamic hosts quite aggressively (we utilize
both the PBL and the Botnet plugin).  We've had VERY few complaints
about Botnet.  We've had ONE complaint about the PBL since we started
using it (the minute it became available).  Yet, implementing these
measures significantly altered our spam/virus/etc. load.  We feel the
cost/benefit analysis doesn't justify letting those sites have direct
access to our SMTP prompts.

And, I say that as a site with LOTS of vocal "don't block ANY of our
mail!!!" users.  We don't have the most cooperative of user bases (we
have users who have blocked our effort to save disk space by routinely
cleaning old messages out of trash folders ... because they use their
trash folder to store important messages *boggle*).  Yet, we didn't
get push back, nor a wide base of complaint, about this issue.

It sounds like Charles' user base and cost/benefit analysis is
different, and that's fine.  But my point here is: legitimate isn't
just something that varies from mail-admin to mail-admin, and user to
user, it's also a difference in whether you're talking about messages
vs submitting hosts.  Blocking a host as being illegitimate doesn't
mean "it submits 0 legitimate messages". It means it doesn't submit
enough legitimate messages to justify the number of illegitimate
messages it is sending (or is likely to send, based upon whatever
reputation/policy got it black listed).

Just as with the definition of the PBL, the site admin needs to
understand that block lists are about legitimate hosts, not legitimate
messages.


Re: SORBS bites the dust

2009-06-26 Thread RW
On Fri, 26 Jun 2009 16:23:22 -0600
LuKreme  wrote:


> That's not my definition at all; it's not even the definition of any  
> mailadmin I've ever met. We reject mail users *want* all the time.  
> It's our job.
> ...
> Just because the  
> recipient WANTS it does not make it legitimate. 
> ...
>
> Fine, then, the meaning. Your meaning is *wanted* and my meaning is  
> mail from a verifiable source with a verifiable (fixed) IP, correct  
> rDNS that is authorized to send mail and does not appear in the zen  
> RBL. It also has to helo with a legitimate hostname and the rDNS  
> cannot contain strings like 'pool' or 'dynamic' or 'dialup'.


Hmmm, does Godwin's law apply to comparison with the "Soup-Nazi"?



Re: Reminder: EmailBL test zone will shut down July 1st

2009-06-26 Thread Michael Monnerie
On Tuesday 23 June 2009 Justin Mason wrote:
> that's ok, we take that into account.  it does pretty well against
> zmi's corpus in particular.

Yeah, also helped in real life. Quite a few messages were finally tagged 
as spam because of EMAILBL, with no reported FP.

It's a pity it will go away. Anything we can do to prevent this from 
happening?
> If only someone run a dns zone..

What'cha mean by that?

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4





Re: SORBS bites the dust

2009-06-26 Thread LuKreme

On 26-Jun-2009, at 14:54, Charles Gregory wrote:

> On Fri, 26 Jun 2009, LuKreme wrote:
>> On 26-Jun-2009, at 08:55, Charles Gregory wrote:
>>> we should not create a false sense of confidence that we will
>>> 'never' see legitimate mail come from a PBL-listed IP
>>
>> Yes, we will *never* see legitimate mail from a PBL-listed IP.
>> See, it all comes down to what you think 'legitimate' is.
>
> The recipient wants the e-mail. DUH.


That's not my definition at all; it's not even the definition of any  
mailadmin I've ever met. We reject mail users *want* all the time.  
It's our job.


> A common, simple definition, and in terms of warning people about
> the imperfections of *any* blocklist, it is the one that MATTERS.


Nope, sometimes people WANT email that is laden down with malware,  
viruses, executable files, web bugs, or other things that compromise  
the security of not just themselves, but of others. Just because the  
recipient WANTS it does not make it legitimate. Users also WANT to  
send 50MB (or 3GB) attachments via email.


> This does not mean you have a bad policy. Nor does it mean that the
> people breaking their ISP's policy necessarily deserve to be given
> special treatment.
> It means only that you are misleading people to make them think that
> they will never have *wanted* mail blocked by PBL.


*wanted* mail is blocked all the time. What I say is that once a mail  
is received by the server, it is never discarded; before I accept it  
though, I will reject all sorts of mail for all sorts of reasons.  
People are free to get their email elsewhere. Most people find that  
'elsewhere' means hundreds of more spam messages every single day. I  
had one domain that was briefly hosted somewhere else. Their incoming  
mail jumped from ~200 messages a day to nearly 2,000 messages a day.  
They were completely overwhelmed with the mass of spam to the point  
that their Outlook Database on their windows machines was overwhelmed  
and corrupted itself. They lost all their email over the last three  
years.


Fortunately for them, I had not deleted the maildirs off my server's  
backups, so they were able to move their domain back and recover  
almost all their mail.


> It has already happened. Will happen again. It is no different than
> some poor schmuck setting up their hosting and discovering they are
> in a spam-infested IP block. Doesn't mean their mail is 'not
> legitimate' because our policy agrees with spamhaus and blocks that
> whole range.


Again, you have a differing opinion of legitimate than I do.


> I don't care. It's the *meaning* that matters. Not the *word*.


Fine, then, the meaning. Your meaning is *wanted* and my meaning is  
mail from a verifiable source with a verifiable (fixed) IP, correct  
rDNS that is authorized to send mail and does not appear in the zen  
RBL. It also has to helo with a legitimate hostname and the rDNS  
cannot contain strings like 'pool' or 'dynamic' or 'dialup'.



--
I have a love child who sends me hate mail



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread John Hardin

On Fri, 26 Jun 2009, Paweł Tęcza wrote:


On 2009-06-26, Fri, at 14:15 -0700, John Hardin wrote:

On Fri, 26 Jun 2009, Paweł Tęcza wrote:


On 2009-06-23, Tue, at 09:39 +0200, Paweł Tęcza wrote:


 body OBFU_URI_WWDD_2 /\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i


The spammers strike in weekend again. Unfortunately the rule above
doesn't work for the latest incarnation of that spam, it means "www.
pill22. com."


{sung to the tune of Peter Gabriel's "Kiss That Frog"} Whack that mole!

/\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

   ^
John,

Thanks a lot for rule update! It works fine. I can say it's nearly
perfect, because it missing only one small back-slash :) Please look
above.


D'oh!

That, plus some other fixes:

/\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 8 days until the 233rd anniversary of the Declaration of Independence
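
The three revisions of the rule posted in this thread, run side by side over sample strings (an added example, not code posted by anyone on the list). Python's `re` stands in for the Perl regex engine SpamAssassin uses, and every sample except the `www. pill22. com` form quoted in the thread is constructed.

```python
import re

# Patterns copied verbatim from the thread. Python's re is a stand-in for
# Perl here; \b, \s, \W, \w, \d and {m,n} behave the same on ASCII input.
REVISIONS = {
    # First rule, quoted from the 2009-06-23 message.
    "v1_original": r"\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    # "Whack that mole" update; the second group has s\W where \s\W was meant.
    "v2_typo": r"\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    # Backslash restored "plus some other fixes".
    "v3_fixed": r"\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
}

SAMPLES = [
    "visit www shop12 net today",      # constructed: spaces only
    "visit www . shop12 . net today",  # constructed: space, dot, space
    "visit www. pill22. com today",    # host form quoted in the thread
    "visit www .pill22 .com today",    # constructed: dot moved after the space
    "visit www.shop12.net today",      # constructed: ordinary, unobfuscated URL
]

# Constructed string that only the typo'd revision matches, because s\W
# accepts a literal "s" followed by a non-word character.
TYPO_SIDE_EFFECT = "visit www. pill22s.com today"


def match_matrix(samples=SAMPLES):
    """Return {sample: {revision: matched?}} for every revision of the rule."""
    compiled = {name: re.compile(pat, re.I) for name, pat in REVISIONS.items()}
    return {
        s: {name: bool(rx.search(s)) for name, rx in compiled.items()}
        for s in samples
    }


def regressions(old, new, samples=SAMPLES):
    """Samples that revision `old` caught and revision `new` no longer does."""
    matrix = match_matrix(samples)
    return [s for s in samples if matrix[s][old] and not matrix[s][new]]


if __name__ == "__main__":
    names = list(REVISIONS)
    print(f"{'sample':34}" + "".join(f"{n:>13}" for n in names))
    for sample, row in match_matrix(SAMPLES + [TYPO_SIDE_EFFECT]).items():
        print(f"{sample:34}" + "".join(f"{str(row[n]):>13}" for n in names))
    print("lost going v1 -> v2:", regressions("v1_original", "v2_typo"))
    print("lost going v1 -> v3:", regressions("v1_original", "v3_fixed"))
```

Keeping the earlier spam variants as a regression set like this shows when an update to a rule trades one obfuscation for another before the rule goes live.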

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread Paweł Tęcza
On 2009-06-26, Fri, at 14:15 -0700, John Hardin wrote:
> On Fri, 26 Jun 2009, Paweł Tęcza wrote:
> 
> > On 2009-06-23, Tue, at 09:39 +0200, Paweł Tęcza wrote:
> 
>   body OBFU_URI_WWDD_2 /\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> >
> > The spammers strike in weekend again. Unfortunately the rule above
> > doesn't work for the latest incarnation of that spam, it means "www.
> > pill22. com."
> 
> {sung to the tune of Peter Gabriel's "Kiss That Frog"} Whack that mole!
> 
> /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
^
John,

Thanks a lot for rule update! It works fine. I can say it's nearly
perfect, because it missing only one small back-slash :) Please look
above.

Have a nice weekend!

P.




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread John Hardin

On Fri, 26 Jun 2009, Paweł Tęcza wrote:


On 2009-06-23, Tue, at 09:39 +0200, Paweł Tęcza wrote:


 body OBFU_URI_WWDD_2 /\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i


The spammers strike in weekend again. Unfortunately the rule above
doesn't work for the latest incarnation of that spam, it means "www.
pill22. com."


{sung to the tune of Peter Gabriel's "Kiss That Frog"} Whack that mole!

/\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The one political issue that strips all politicians bare is
  individual gun rights.
---
 8 days until the 233rd anniversary of the Declaration of Independence

Re: RulesDuJour

2009-06-26 Thread Gerry Maddock
> I'm new to the list, and haven't been working with Spamassassin for
> long (about 1 year). It worked fine filtering spam, but now more and
> more are getting through. I found something called RulesDuJour on
> the net, but it seems it's not being updated anymore. Is it useful
> to still use it, or does anyone have some advice about third party
> rules that can help?

Hey Roland, checkout KAM (
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)
also sought (http://wiki.apache.org/spamassassin/SoughtRules)
JFK Antifishing (http://www.jules.fm/Logbook/files/anti-phishing-v2.html)
Also use Razor,DCC, & Pyzor

I suggest looking into using MailScanner + spamassassin
you can find MailScanner  here: http://www.mailscanner.info/











RulesDuJour

2009-06-26 Thread Roland Klein Overmeer
Hi All,

 

I'm new to the list, and haven't been working with Spamassassin for long
(about 1 year). It worked fine filtering spam, but now more and more are
getting through. I found something called RulesDuJour on the net, but it
seems it's not being updated anymore. Is it useful to still use it, or
does anyone have some advice about third party rules that can help?

 

Regards,

Roland.

 



Re: SORBS bites the dust

2009-06-26 Thread Charles Gregory

On Fri, 26 Jun 2009, LuKreme wrote:

> On 26-Jun-2009, at 08:55, Charles Gregory wrote:
>> we should not create a false sense of confidence that we will 'never' see
>> legitimate mail come from a PBL-listed IP
>
> Yes, we will *never* see legitimate mail from a PBL-listed IP.
> See, it all comes down to what you think 'legitimate' is.


The recipient wants the e-mail. DUH.

A common, simple definition, and in terms of warning people about the 
imperfections of *any* blocklist, it is the one that MATTERS. This does 
not mean you have a bad policy. Nor does it mean that the people breaking
their ISP's policy necessarily deserve to be given special treatment.
It means only that you are misleading people to make them think that they 
will never have *wanted* mail blocked by PBL. It has already happened. 
Will happen again. It is no different than some poor schmuck setting up 
their hosting and discovering they are in a spam-infested IP block. 
Doesn't mean their mail is 'not legitimate' because our policy agrees with 
spamhaus and blocks that whole range. Just means they are SOL. :)


Legitimate. If you're so hung up on the word, you can HAVE it.
I don't care. It's the *meaning* that matters. Not the *word*.
My appeal is to not confuse people who have a broader colloquial 
understanding of the word. If someone is setting up their own mail filter, 
they should know what to expect. And what they should expect is to 
occasionally see someone complain about not  being able to *receive* their 
'legitimate' (by all common uses of the word) *wanted* e-mail because of 
PBL or some other list.


You are, of course, welcome to argue with your users over the 'legitimacy' 
of the e-mail being sent to them. :)


- Charles


Re: SORBS bites the dust

2009-06-26 Thread LuKreme

On 26-Jun-2009, at 08:55, Charles Gregory wrote:
> we should not create a false sense of confidence that we will
> 'never' see legitimate mail come from a PBL-listed IP


Yes, we will *never* see legitimate mail from a PBL-listed IP.

See, it all comes down to what you think 'legitimate' is.

According to my 'legitimate' it is definitionally impossible for  
legitimate mail to come to my mailserver from a PBL listed IP.


--
Satan oscillate my metallic sonatas



Re: SORBS bites the dust

2009-06-26 Thread LuKreme

On 26-Jun-2009, at 08:18, Charles Gregory wrote:

> On Thu, 25 Jun 2009, LuKreme wrote:
>> If only more people understood this.  Thanks for the post John, you
>> summarized it very well. If anyone ever whines about the PBL again,
>> please repost.
>
> Firstly, my thanks to all who commented. Based upon the weight of
> this information, I have upgraded my MTA to full 'zen' RBL checking.
>
> However, I would like to point out that there is a class of 'poor'
> internet users who want to send mail legitimately directly from
> their dynamic IP. These are people who either want to send more mail
> than their ISP's outgoing server permits, or wish to avoid
> additional fees from their ISP.


Too bad. I will not accept mail from them. I have numerous checks in  
place to prevent users on dynamic IPs sending mail to me.


> Technically, yes, they are trying to get 'around' the policies of
> their ISP. But (by most noteworthy example) if they are outside the
> area for DSL service and *must* use the local cable high speed, and
> the cable company's pricing policy presumes that any sender of large
> volumes of mail simply 'must' be a commercial venture, immediately
> doubling the cost of the home internet connection to a 'business'
> one, then the operator of a small club mailing list may have no
> choice but to try and send their mail directly.


Nope, there are other choices. You can use any mailserver to send your  
mail. that's what submission is for. You cannot use your dynamic  
connection as a mailserver because if you do, the majority of admins  
will assume you are a spammer.


> These people are not without 'other solutions'. But they are making
> the best of a bad one. Is this enough to warrant down-scoring the PBL?


Not in my opinion. And for me, PBL is not a score, it is a flat-out  
blacklist with an instant rejection before the DATA phase of the SMTP  
transaction.


> I no longer think so. But just so we're clear, just because an ISP
> says that they have a 'policy' does not mean we can brush off the
> attempts by people to bypass being *stuck* with those ISP's as not
> really being 'legitimate'.
>
> There are always exceptions.


No. There are NO circumstances under which it is OK for someone on a  
PBL (or non-PBL dynamic) connection to send email DIRECTLY to my  
mailserver.


--
Well boys, we got three engines out, we got more holes in us than a
horse trader's mule, the radio is gone and we're leaking fuel
and if we was flying any lower why we'd need sleigh bells on
this thing... but we got one little budge on those Roosskies.
At this height why they might harpoon us but they dang sure
ain't gonna spot us on no radar screen!



Re: user filtering attachments

2009-06-26 Thread Charles Gregory


Please respond to LIST not to personal e-mail.

On Fri, 26 Jun 2009, ferna...@dfcom.com.br wrote:

> I would like spamassassin does:
> Read attach extensions from userpref (database),
> filter that mime and set a message header,
> maildrop (that is my mda), drops this attach and delivery only text part.
> (this is the easier part - it is ready).


Does maildrop not have a 'user preferences' or '.rc' file?
It has to 'find' these attachments and strip them out anyway.
Why involve SA at all?


> I don't know how to do this mime filtering using userpref configuration. I
> thought of creating an eval function, but I don't know how to pass function
> parameters from userpref database.


Just create 'mimeheader' rules.

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_MIMEHeader.html

- C

Re: SORBS bites the dust

2009-06-26 Thread Arvid Picciani

Charles Gregory wrote:


> There are always exceptions.


Those can send me  (postmaster@)  a mail  (without being blocked) 
asking for whitelisting.

The reject message contains a link explaining how to do that.


Re: SORBS bites the dust

2009-06-26 Thread Charles Gregory

On Fri, 26 Jun 2009, Matus UHLAR - fantomas wrote:

> Imho, the important question is, why such home user wants to send large
> amounts of mail


Keep in mind, the definition of 'large' may be arbitrarily SMALL for some 
ISP's. Maybe just 100 recipients.



>  if (s)he can't find any (free) hosting .


The club starts off with a mailing list of 50 members, on their Outlook 
Express addressbook. It grows over the years. It's 'easier' to just keep 
sending mail the same way. Normally, the ISP just adjusts the limit, but 
if they can't, or want to charge ridiculous money, then the user looks for 
the next easiest way to get the mail out. Use the 'packaged' mail server 
on their computer. Minimal learning curve, same usage, no changes to 
addresses, etc, etc.


Yes, as I said, there are other solutions. Personally, when a list gets 
bigger than 100 people, I want to get it onto a Yahoo Group or other free 
list server so that I don't have to *manage* it. But for simple users 
whose lists have just *grown* I can see the possibility. (shrug)


Advocated? No. Just aware and avoiding any sense of false confidence that 
the PBL is any more secure from inaccurate listings (taking care in this 
case to NOT arbitrarily define the choices of the ISP as 'accurate' for 
all their users).


But I think we were done here, weren't we? LOL

- Charles


Re: user filtering attachments

2009-06-26 Thread Charles Gregory

On 24.06.09 22:56, ferna...@dfcom.com.br wrote:

> I'm trying to find a solution allowing user filtering attachments. My
> environment uses sql user tables.


Um, do you mean 'reject if mail has attachment of a certain type'?
Or do you mean you want to run an actual filtering program to examine
the contents of attachments?

In the former case it should be trivial to have rules that score
0.001 for each mime-type you want to block, then have the user's MDA deal 
with it (if in fact the MDA cannot just check for the mime types directly 
itself).


Or were you trying to have this happen during SMTP transaction?

- C


Re: SORBS bites the dust

2009-06-26 Thread Charles Gregory

On Fri, 26 Jun 2009, Yet Another Ninja wrote:

> what you do is your choice.


(nod) I've already made my choice clear, and would advocate the same
for anyone else. My argument was only that we should not create a false 
sense of confidence that we will 'never' see legitimate mail come from a 
PBL-listed IP just because of the 'policy' basis. Some policies are just 
plain stupid. LOL


But yeah, let's trashcan this one. I say again, thanks.

- Charles


Re: user filtering attachments

2009-06-26 Thread Matus UHLAR - fantomas
On 24.06.09 22:56, ferna...@dfcom.com.br wrote:
> I'm trying to find a solution allowing user filtering attachments. My
> environment uses sql user tables.
> 
> I was using mimeheader, it works at local.cf but not inside userpref table.
> Spamassassin shows the rules at debug, but it doesn't work (with
> allow_user_rules 0 or 1).
> 
> Do you have any idea how to do that ?
> 
> Can I define a eval rule and dynamically process user preferences ?
> 
> My idea is: user stores the attach extension at userpref tables (as
> whitelist/blacklist does - using or not mimeheader plugin).

SA only detects spam. In some cases you can force the mail containing an
attachment to be refused, but you should better search for a solution like
amavis...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: SORBS bites the dust

2009-06-26 Thread Matus UHLAR - fantomas
> On Thu, 25 Jun 2009, LuKreme wrote:
>> If only more people understood this.  Thanks for the post John, you  
>> summarized it very well. If anyone ever whines about the PBL again,  
>> please repost.

On 26.06.09 10:18, Charles Gregory wrote:
> Firstly, my thanks to all who commented. Based upon the weight of this 
> information, I have upgraded my MTA to full 'zen' RBL checking.
>
> However, I would like to point out that there is a class of 'poor'  
> internet users who want to send mail legitimately directly from their  
> dynamic IP. These are people who either want to send more mail than their 
> ISP's outgoing server permits, or wish to avoid additional fees from 
> their ISP. Technically, yes, they are trying to get 'around' the policies 
> of their ISP. But (by most noteworthy example) if they are outside the 
> area for DSL service and *must* use the local cable high speed, and the 
> cable company's pricing policy presumes that any sender of large volumes 
> of mail simply 'must' be a commercial venture, immediately doubling the 
> cost of the home internet connection to a 'business' one, then the 
> operator of a small club mailing list may have no choice but to try and 
> send their mail directly. Oddly enough, these users are often able to buy 
> a static IP for a reasonable surcharge, so that they don't have issues 
> with Dynamic IP blocklists, but then they can still run into the PBL if 
> their cable company has sent in their IP ranges...
> These people are not without 'other solutions'. But they are making the  
> best of a bad one. Is this enough to warrant down-scoring the PBL? I no  
> longer think so. But just so we're clear, just because an ISP says that  
> they have a 'policy' does not mean we can brush off the attempts by 
> people to bypass being *stuck* with those ISP's as not really being 
> 'legitimate'.
> There are always exceptions.

Imho, the important question is, why such home user wants to send large
amounts of mail, if (s)he can't find any (free) hosting that will allow him
to do that, and, the main question, if (s)he pays enough to the provider,
who in such case shares the risk of blacklisting in case of real spam
outbreak.


-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: SORBS bites the dust

2009-06-26 Thread Yet Another Ninja

On 6/26/2009 4:18 PM, Charles Gregory wrote:
> These people are not without 'other solutions'. But they are making the
> best of a bad one. Is this enough to warrant down-scoring the PBL? I no
> longer think so. But just so we're clear, just because an ISP says that
> they have a 'policy' does not mean we can brush off the attempts by
> people to bypass being *stuck* with those ISP's as not really being
> 'legitimate'.
>
> There are always exceptions.


what you do is your choice.
your MTA or SA or whatever give you the choice to implement *your* policy.

should we really keep on beating the dead horse, even in Spam-L .-)
(that was for ChrisH .-)


Re: SORBS bites the dust

2009-06-26 Thread Charles Gregory

On Thu, 25 Jun 2009, LuKreme wrote:
> If only more people understood this.  Thanks for the post John, you
> summarized it very well. If anyone ever whines about the PBL again,
> please repost.


Firstly, my thanks to all who commented. Based upon the weight of 
this information, I have upgraded my MTA to full 'zen' RBL checking.


However, I would like to point out that there is a class of 'poor' 
internet users who want to send mail legitimately directly from their 
dynamic IP. These are people who either want to send more mail than their 
ISP's outgoing server permits, or wish to avoid additional fees from their 
ISP. Technically, yes, they are trying to get 'around' the policies of 
their ISP. But (by most noteworthy example) if they are outside the area 
for DSL service and *must* use the local cable high speed, and the cable 
company's pricing policy presumes that any sender of large volumes of mail 
simply 'must' be a commercial venture, immediately doubling the cost of 
the home internet connection to a 'business' one, then the operator of a 
small club mailing list may have no choice but to try and send their mail 
directly. Oddly enough, these users are often able to buy a static IP for 
a reasonable surcharge, so that they don't have issues with Dynamic IP 
blocklists, but then they can still run into the PBL if their cable 
company has sent in their IP ranges...


These people are not without 'other solutions'. But they are making the 
best of a bad one. Is this enough to warrant down-scoring the PBL? I no 
longer think so. But just so we're clear, just because an ISP says that 
they have a 'policy' does not mean we can brush off the attempts by people 
to bypass being *stuck* with those ISP's as not really being 'legitimate'.

There are always exceptions.

Thanks again for the discussion/info.

- Charles


Re: SORBS bites the dust

2009-06-26 Thread Yet Another Ninja

On 6/26/2009 4:07 PM, Jack Pepper wrote:

Quoting LuKreme :


On 25-Jun-2009, at 16:01, John Rudd wrote:

People who complain that the PBL is blocking things that aren't spam
kind of don't get the point of the PBL.  The PBL's definition means
that it will block non-spam.  It should also block a lot of spam, but
the fact that it will block ham is not an indictment of the PBL.  It
just means that people who complain about that fact don't understand
the PBL.


If only more people understood this.  Thanks for the post John, you 
summarized it very well. If anyone ever whines about the PBL again, 
please repost.


John Rudd's post needs to be in the faq.



http://www.spamhaus.org/pbl/index.lasso

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which 
should not be delivering unauthenticated SMTP email to any Internet mail 
server except those provided for specifically by an ISP for that 
customer's use. The PBL helps networks enforce their Acceptable Use 
Policy for dynamic and non-MTA customer IP ranges.


Re: SORBS bites the dust

2009-06-26 Thread Jack Pepper

Quoting LuKreme :


On 25-Jun-2009, at 16:01, John Rudd wrote:

People who complain that the PBL is blocking things that aren't spam
kind of don't get the point of the PBL.  The PBL's definition means
that it will block non-spam.  It should also block a lot of spam, but
the fact that it will block ham is not an indictment of the PBL.  It
just means that people who complain about that fact don't understand
the PBL.


If only more people understood this.  Thanks for the post John, you  
summarized it very well. If anyone ever whines about the PBL again,  
please repost.


John Rudd's post needs to be in the faq.

jp


--
Simple compliance is a hacker's best friend


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: backscatter (was Re: cas...@snigelpost.org bounces?)

2009-06-26 Thread Charles Gregory

On Thu, 25 Jun 2009, Arvid Picciani wrote:

 I still welcome suggestions for handling the few remaining cases where my
 procmail chokes on a mailbox limit. Probably more of a PM question than an
 SA question, but seeing how the cause for concern is backscatter from
 'full mailbox' DSN's I'm figuring the answer is here, if anywhere

1)  your MTA bounces, because your users' mailboxes are full.


Of the two questions, this one is closest, but it's not the MTA that 
generates the bounce. The MTA has handed off the message for delivery to 
individual recipients after accepting the DATA. Procmail encounters the 
full mailbox and signals the MTA.


My MTA checks for mailboxes that are *already* over quota while dealing 
with individual 'RCPT_TO' commands. The problem comes after I receive DATA 
and know the size of the mail. At this point the only actions my MTA can 
take are for ALL recipients. I can't reject mail just for *one* recipient 
with a (nearly) full mailbox. The only 'workaround' for this would be to 
have my MTA enforce individual recipients by returning a 4xx code for 
second and subsequent recipients. Mind you, this might actually help with 
some spam, but it would also add to bandwidth for ALL legitimate mail with 
multiple recipients, forcing transmission of the data/body for each one.



2) You're receiving backscatter and you get "mailbox full" DSNs
I find it impossible to parse DSNs. There is no standard and it's 
supposed to be human readable.


This wasn't my question, but I have a 'fairly good' answer for it:
I do a body check for a quoted From line that has the wrong 'name' in 
front of my address Eg. "From: Bob Kenny ...


- Charles
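
The trade-off described in the message above, as an added example that is not part of the original thread: a constructed Python model of a receiving MTA that checks quota at RCPT TO, optionally tempfails second and later recipients so the end-of-DATA reply covers exactly one mailbox, and rejects at end of DATA when the message would exceed that mailbox's quota. The 452 and 552 reply codes are the standard SMTP codes chosen here as an assumption; the mailbox names, quotas and sizes are constructed.

```python
"""Model of per-recipient quota enforcement at SMTP time (constructed example)."""
from dataclasses import dataclass, field

# Constructed sample data: mailbox -> (bytes used, quota in bytes)
MAILBOXES = {
    "alice@example.org": (9_500_000, 10_000_000),   # nearly full
    "bob@example.org": (1_000_000, 10_000_000),
    "carol@example.org": (10_200_000, 10_000_000),  # already over quota
}


@dataclass
class Session:
    one_rcpt_per_message: bool
    accepted: list = field(default_factory=list)

    def rcpt_to(self, rcpt):
        if rcpt not in MAILBOXES:
            return 550, "no such user"
        used, quota = MAILBOXES[rcpt]
        if used >= quota:
            return 552, "mailbox already over quota"
        if self.one_rcpt_per_message and self.accepted:
            # Sender must retry this recipient in a separate transaction.
            return 452, "too many recipients, try again later"
        self.accepted.append(rcpt)
        return 250, "ok"

    def end_of_data(self, size):
        """One reply covers every accepted recipient of the message."""
        over = [r for r in self.accepted
                if MAILBOXES[r][0] + size > MAILBOXES[r][1]]
        if not over:
            return 250, "queued"
        if len(self.accepted) == 1:
            return 552, "message would exceed mailbox quota"
        # Cannot reject for only some recipients: accepting means a later
        # 'mailbox full' DSN, which is the backscatter risk.
        return 250, "queued; bounce later for " + ",".join(over)


def deliver(rcpts, size, one_rcpt_per_message):
    """Run one transaction; return (per-RCPT codes, end-of-DATA reply)."""
    s = Session(one_rcpt_per_message)
    rcpt_codes = {r: s.rcpt_to(r)[0] for r in rcpts}
    return rcpt_codes, (s.end_of_data(size) if s.accepted else None)
```

With one recipient per transaction the over-quota case becomes an SMTP-time 552 that the sending server handles, at the cost of the body being retransmitted for every deferred recipient.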