Low score

2009-08-11 Thread Casartello, Thomas
Been getting a lot of low scoring stuff like this lately. Any suggestions?

 

-Original Message-
From: FedEx Courier Express NG [mailto:mas...@card.org]
Sent: Monday, August 10, 2009 7:12 PM
Subject: Dear Customer/Beneficiary!

Dear Customer/Beneficiary!

Kindly contact our delivery department with the details
Given below: FedEx Courier Express NG®
Contact Person: Mr.Ramon Moheno
E-mail: fedex...@yahoo.com.hk
Telephone: +234-706-285-2867.

Reasons: This is due to the fact that we are in possession
Of your Package containing a master card worth of five
Hundred Thousand United State Dollars that was registered
With us by the Master Card Award Team for shipment to you,
You are to act fast by providing your postal address and
Your direct phone number to enable us makes the delivery ASAP.

Note that as soon as our Delivery Team confirms your
Informations, it will take only two working days (48 hours)
For your package to arrive your designated address. For your
Information, the Mail, VAT & Shipping fees have been paid by
The Award Promo Board you will only have to pay a sum of
$120.00 to the FedEx Courier Department being full payment
For the Security Keeping Fee of the FedEx Courier as stated
In our privacy terms & condition page.

Yours Faithfully,
Secretary
Mrs. Mercy Hunt
=
COPYRIGHT © 2009 MasterCard®.
=

Thomas E. Casartello, Jr.

Staff Assistant - Wireless/Linux Administrator

Information Technology

Wilson 105A

Westfield State College

(413) 572-8245

 

Red Hat Certified Technician (RHCT)

 





Re: Tracking recipient counts on a per user basis

2009-08-11 Thread Mark Martinec
Ryan,

> I am trying to implement an anti-phishing strategy and was hoping some of
> you could point me in the right direction. I want to keep track of how many
> recipients a user sends mail to on a 24-hour basis. When a given threshold
> is met, that user's email would then go into quarantine until an admin
> releases it. Thing is, I'm not sure where to begin...
>
> Breaking this down into bite-size chunks I see the following ahead of me:
>
> 1. Track the number of recipients that are sent mail on a 24-hour per-user
> basis. 2. If the number of outgoing email transmissions for a user crosses
> the preset threshold, add a header to the email. 3. If the header is seen,
> quarantine the message.
> 4. Notify an admin
> 5. Allow an admin to delete or release the quarantined emails.
>
> I'm starting into number 1 for now but am at a loss at the moment. My
> thought would be to update a MySQL table with the recipient count found in
> each message. How to do this escapes me.
>
> I am aware that SpamAssassin can't perform all of these tasks.

Indeed, the recipients of a message are passed from MTA to MTA in the
SMTP 'envelope' and not in the mail header section. The To and Cc
mail header fields may or may not bear any relationship with the
actual list of recipients of a message. This is especially so for spam mail
(and for mailing lists), so you need to collect these numbers from
where they are still available.

> My understanding is that amavisd will handle the ones SA can't. If anyone
> could help with any part of this, I would greatly appreciate it.

/etc/amavisd-custom.conf :

package Amavis::Custom;
use strict;
BEGIN { import Amavis::Util qw(do_log) }

# Called once per message. $msginfo carries the SMTP envelope, so the
# recipient list seen here is the real one, whatever To/Cc claim.
sub new {
  my($class,$conn,$msginfo) = @_;
  my(@recip_objects) = @{$msginfo->per_recip_data};
  do_log(0, "Mail from %s, number of recipients is %d",
            $msginfo->sender, scalar(@recip_objects));
  # do whatever you want with this number here
  bless {}, $class;
}
1;  # ensure a defined return


Put the following somewhere in amavisd.conf:

  include_config_files('/etc/amavisd-custom.conf');


Mark


Re: Tracking recipient counts on a per user basis

2009-08-11 Thread Benny Pedersen
On Tue, 11 Aug 2009 16:54:08 -0400, "Wendel, Ryan" wrote:
> I am trying to implement an anti-phishing strategy and was hoping some of
> you could point me in the right direction.

start with policyd v2 (http://www.policyd.org/)

take virus later

-- 
Benny Pedersen


ANNOUNCE: Apache SpamAssassin 3.3.0-alpha2 available

2009-08-11 Thread Justin Mason
Apache SpamAssassin 3.3.0-alpha2 is now available for testing.

Downloads are available from:
 http://people.apache.org/~jm/devel/

md5sum of archive files:

 1b396a9df1faa22185263c7526fe6042 Mail-SpamAssassin-3.3.0-alpha2.tar.bz2
 fbd0c4016d5d9c5adc3a958105b0b414 Mail-SpamAssassin-3.3.0-alpha2.tar.gz
 ed3ef5bef7c40e690ff80fce762a8302 Mail-SpamAssassin-3.3.0-alpha2.zip
 daaca5fba5787774eb918e1a5e92be6a Mail-SpamAssassin-rules-3.3.0-alpha2.r802600.tgz

sha1sum of archive files:

 ab41278cb0c84c0fe6b38e57662487ea75c499a5 Mail-SpamAssassin-3.3.0-alpha2.tar.bz2
 87bc1e6777065af13a6f8c179636aa22a0644237 Mail-SpamAssassin-3.3.0-alpha2.tar.gz
 e4f08e636cd1f2cd6896e358c380fc952db51ad7 Mail-SpamAssassin-3.3.0-alpha2.zip
 64ff7fb327f0d699c4a600cd1f0f1ba9a64a0ba0 Mail-SpamAssassin-rules-3.3.0-alpha2.r802600.tgz


Note that the *-rules-*.tgz files are only necessary if you cannot, or do not
wish to, run "sa-update" after install to download the latest fresh rules.

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key

   Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

See the INSTALL and UPGRADE files in the distribution for important
installation notes.

Summary of major changes since 3.2.5


Changes to the core code:

[TODO: write changes list]


Tracking recipient counts on a per user basis

2009-08-11 Thread Wendel, Ryan
I am trying to implement an anti-phishing strategy and was hoping some of you 
could point me in the right direction. I want to keep track of how many 
recipients a user sends mail to on a 24-hour basis. When a given threshold is 
met, that user's email would then go into quarantine until an admin releases 
it. Thing is, I'm not sure where to begin...

Breaking this down into bite-size chunks I see the following ahead of me:

1. Track the number of recipients that are sent mail on a 24-hour per-user 
basis.
2. If the number of outgoing email transmissions for a user crosses the preset 
threshold, add a header to the email. 
3. If the header is seen, quarantine the message.
4. Notify an admin
5. Allow an admin to delete or release the quarantined emails.

I'm starting into number 1 for now but am at a loss at the moment. My thought 
would be to update a MySQL table with the recipient count found in each 
message. How to do this escapes me.

I am aware that SpamAssassin can't perform all of these tasks. My understanding 
is that amavisd will handle the ones SA can't. If anyone could help with any 
part of this, I would greatly appreciate it.

Regards,

Ryan
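The per-message recipient count is what Mark's Amavis::Custom hook logs (scalar(@recip_objects)); what follows is an added example, not code from the thread, amavisd-new or SpamAssassin, implementing steps 1 to 3 of the plan above: store each message's envelope recipient count per sender, sum a sliding 24-hour window, and return a tagging header once the total crosses a threshold. sqlite3 stands in for the MySQL table mentioned; the threshold, header name, addresses and timestamps are constructed.

```python
"""Sliding 24-hour per-sender recipient counter (added example)."""
import sqlite3
import time

WINDOW_SECONDS = 24 * 60 * 60
# Constructed header name; the plan only says "add a header".
TAG_HEADER = "X-Recipient-Limit-Exceeded"


class RecipientCounter:
    """Rows of (sender, timestamp, recipient count), summed over the last 24h.

    sqlite3 stands in for the MySQL table; the SQL is plain enough to port.
    """

    def __init__(self, threshold, path=":memory:"):
        self.threshold = threshold
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS recip_log ("
            " sender TEXT NOT NULL, ts INTEGER NOT NULL, recips INTEGER NOT NULL)"
        )
        self.db.execute(
            "CREATE INDEX IF NOT EXISTS recip_log_sender_ts ON recip_log (sender, ts)"
        )

    @staticmethod
    def _now(now):
        return int(time.time()) if now is None else int(now)

    def record(self, sender, recips, now=None):
        """Store one message's envelope recipient count; prune rows older than 24h."""
        now = self._now(now)
        self.db.execute(
            "INSERT INTO recip_log (sender, ts, recips) VALUES (?, ?, ?)",
            (sender, now, recips),
        )
        # Rows that can no longer fall inside any 24h window are dead weight.
        self.db.execute("DELETE FROM recip_log WHERE ts < ?", (now - WINDOW_SECONDS,))
        self.db.commit()

    def total(self, sender, now=None):
        """Recipients this sender addressed in the 24 hours ending at `now`."""
        now = self._now(now)
        (count,) = self.db.execute(
            "SELECT COALESCE(SUM(recips), 0) FROM recip_log"
            " WHERE sender = ? AND ts >= ?",
            (sender, now - WINDOW_SECONDS),
        ).fetchone()
        return count

    def check(self, sender, recips, now=None):
        """Account for one message and decide whether to tag it.

        `sender` is the envelope sender and `recips` the envelope recipient
        count for this message. Returns the (name, value) header to add when
        the rolling 24h total exceeds the threshold, otherwise None.
        """
        # Bounces carry an empty envelope sender; they belong to no user,
        # so they are neither counted nor tagged.
        if not sender:
            return None
        sender = sender.lower()  # one user, however the client cased the address
        self.record(sender, recips, now)
        total = self.total(sender, now)
        if total > self.threshold:
            return (TAG_HEADER, f"{total} recipients in 24h, limit {self.threshold}")
        return None


def walkthrough():
    """Constructed sequence for one sender showing the window slide."""
    counter = RecipientCounter(threshold=100)
    t0 = 1_250_000_000  # constructed epoch seconds
    # (seconds after t0, envelope recipients); 60+30+20 crosses 100 at the
    # third message, then the 60 ages out so the fourth is untagged again.
    events = [(0, 60), (3600, 30), (7200, 20), (25 * 3600, 5)]
    return [counter.check("alice@example.com", n, t0 + dt) is not None
            for dt, n in events]
    # → [False, False, True, False]
```

Calling check() from the hook Mark shows is the integration step; the header it returns is what the step 3 quarantine rule would key on.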



Re: 0.001 rules - why?

2009-08-11 Thread Matus UHLAR - fantomas
> Henrik K wrote:
> > On Tue, Aug 11, 2009 at 04:31:32AM +0100, RW wrote:
> >> On Sun, 09 Aug 2009 11:33:29 +0100
> >> Cedric Knight  wrote:
> >>
> >>
> >>> header   FH_HELO_EQ_D_D_D_D   X-Spam-Relays-Untrusted =~ /^[^\]]+
> >>> ...
> >>> header   HELO_MISC_IP         X-Spam-Relays-Untrusted =~ /^[^\]]+
> >>>
> >> Possibly this is down to their running on the wrong boundary, these
> >> should be on the internal network boundary.
> > 
> > All these are fixed to -External in SVN/3.3.

On 11.08.09 10:58, Cedric Knight wrote:
> Quite a complicated issue.  I'd posted before
> http://www.nabble.com/Understanding-Trusted-and-Internal-to22282224.html#a22292088
> wondering why such rules didn't check X-Spam-Relays-External.

apparently because that's what trusted relays are for

> However, when I test external equivalents like EXT_HELO_DYNAMIC_IPADDR2,
> I find they hit as much ham (still only a little) and about half as much
> spam.  In other words, testing the first entry of the -Untrusted
> pseudoheader empirically does better for my setup.

It's quite common that people send mail from IPs with generic/dynamic names.
If they mail you directly, that should be scored, but if they are using smart
relays, it's correct and you shouldn't score them if the ISP intentionally
set up such names for them (just because it wanted to help you reject
spam directly from such hosts).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


Re: Slightly OT - Spam opprortunities in SMTP-AUTH

2009-08-11 Thread Matus UHLAR - fantomas
>> On 10.08.09 14:56, Charles Gregory wrote:
>>> Not at all. I know who logs on when, and I can easily disable their
>>> access.

> On Tue, 11 Aug 2009, Matus UHLAR - fantomas wrote:
>> I should have made that more clear: If there are more _concurrent_ users on
>> the same IP (home/office network with NAT), you only can block them all
>> or none of them. Even if they have separate mailboxes. You need SMTP
>> auth to be able to block only the spamming one.

On 11.08.09 10:58, Charles Gregory wrote:
> (nod) You are correct, though on our net this is a rare situation

depends :)

> Though again, I ask the question, for those who have tried it both ways,  
> is my seat-of-the-pants guess that theft of a password and illegitimate  
> use from third party locations a greater or lesser risk than this?

I wrote that two messages ago in this thread: we've had many more problems
with users spamming from our IP range w/o auth than from other IPs,
authenticated.

>> Don't you even run webmail being accessible from outside your network?
>
> (nod) Of course. And *that* is actually the promoted alternative for
> people 'roaming' outside our network. Again, I could be wrong, and would
> welcome input on this, but my feeling is that a webmail interface is a lot
> more trouble for a spammer to write scripts for?

I wouldn't say so. We've had many problems with users spamming through
webmail a year and a half ago... luckily even webmails allow limiting the
number of messages sent.

And we have suffered from these much more than from spamming via
authenticated SMTP...

>> I found it out that it's much safer to ask everyone to authenticate, it
>> makes problem with more-or-less anonymous IP addresses (nearly) disappear.
>
> (nod again) The key word being 'anonymous'. I would be forced to choose  
> SMTP-AUTH and require it for all clients if I could not identify who was  
> connecting. :)

with SMTP auth you can see that from logs/messages, and don't need to search
external sources (radius)...

>>  Luckily many phishes are detectable by SA or ClamAV.

> Which leads to another question. Has anyone written a really *good*  
> generic rule for these phishes? Trouble is, legitimate users could send  
> 'forms' via mail with many of the headers I might test. But I notice they 
> all come from odd phone numbers or freemail addresses, so I'm working 
> with that, but the variability of the 'information' lines is annoying. 
> Anyone got a good generic 'spotter' set of rules/meta?

Good question too... if not anybody, I hope I'll have the time to check for
that...

something like
/dear\s+${COMPANY}\s+(internet|webmail)\s+user/i

>> I think I'll take all phishes that come onto our company's mailboxes and
>> will try to create some filters...
>
> LOL - Shoulda kept reading.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: Error msgs Q

2009-08-11 Thread Gene Heskett
On Tuesday 11 August 2009, John Hardin wrote:
>On Tue, 11 Aug 2009, Gene Heskett wrote:
>> How can I make it verbose enough to tell me which 'channel' is failing
>> the check?
>
>Run sa-update in debugging mode with -D

Thank you, I'll do that.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The NRA is offering FREE Associate memberships to anyone who wants them.


Most people are too busy to have time for anything important.



Re: Error msgs Q

2009-08-11 Thread John Hardin

On Tue, 11 Aug 2009, Gene Heskett wrote:

> How can I make it verbose enough to tell me which 'channel' is failing
> the check?

Run sa-update in debugging mode with -D

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference is that Unix has had thirty years of technical
  types demanding basic functionality of it. And the Macintosh has
  had fifteen years of interface fascist users shaping its progress.
  Windows has the hairpin turns of the Microsoft marketing machine
  and that's all.                                  -- Red Drag Diva
---
 4 days until the 64th anniversary of the end of World War II


RE: 0.001 rules - why?

2009-08-11 Thread Karsten Bräckelmann
> > Should be blatantly obvious, but since you asked...
> > 
> > Lack of volunteer time, manpower or a paid position? Maybe 
> > also a mass-check run, since this might have more overall 
> > impact?  Possibly?
> 
> i wouldnt know about the internal stuff you mentioned although i didnt
> really ponder that.
> 
> frankly, i figured that some of the more successful projects like SA should
> have basic resources
> 
> i just figured there was some reasonable cash for very basic and reasonable
> expense coverage.

You mean like donated update mirrors, and the ASF providing the
infrastructure?

This is an Open Source project. The developers spend their free time.
Cash would be news to me...


> i am not saying you are swimming in money although i pray you have massive
> financial resources someday soon.
> 
> not really my business so i never dug into that...
> 
> to save time, is there a way to program your system so it will push rules
> used with current svn and stable so you dont have to re-duplicate efforts?

The rules in trunk are very often intended for QA and testing, and not
safe for general consumption. Moreover, they might (and do) depend on
new features in trunk *code*, not available with the latest stable
version.

There are some changes to the general system WRT this topic. Though
again, not really applicable to current stable...


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Error msgs Q

2009-08-11 Thread Gene Heskett
Greetings all;

My sa-update script, set for 3 channels, is returning this email when it runs:

error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed

I have pulled the gpg keys for each of the 3 channels repeatedly, trying to 
fix this error.

How can I make it verbose enough to tell me which 'channel' is failing the 
check?

Thanks.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The NRA is offering FREE Associate memberships to anyone who wants them.


My, how you've changed since I've changed.



RE: 0.001 rules - why?

2009-08-11 Thread R-Elists

> Should be blatantly obvious, but since you asked...
> 
> Lack of volunteer time, manpower or a paid position? Maybe 
> also a mass-check run, since this might have more overall 
> impact?  Possibly?
> 

i wouldnt know about the internal stuff you mentioned although i didnt
really ponder that.

frankly, i figured that some of the more successful projects like SA should
have basic resources

i just figured there was some reasonable cash for very basic and reasonable
expense coverage.

i am not saying you are swimming in money although i pray you have massive
financial resources someday soon.

not really my business so i never dug into that...

to save time, is there a way to program your system so it will push rules
used with current svn and stable so you dont have to re-duplicate efforts?

 - rh



Re: Slightly OT - Spam opprortunities in SMTP-AUTH

2009-08-11 Thread Charles Gregory

On Tue, 11 Aug 2009, Matus UHLAR - fantomas wrote:
> On 10.08.09 14:56, Charles Gregory wrote:
>> Not at all. I know who logs on when, and I can easily disable their
>> access.
> I should have made that more clear: If there are more _concurrent_ users on
> the same IP (home/office network with NAT), you only can block them all
> or none of them. Even if they have separate mailboxes. You need SMTP
> auth to be able to block only the spamming one.

(nod) You are correct, though on our net this is a rare situation
Though again, I ask the question, for those who have tried it both ways,
is my seat-of-the-pants guess that theft of a password and illegitimate
use from third party locations a greater or lesser risk than this?

> Don't you even run webmail being accessible from outside your network?

(nod) Of course. And *that* is actually the promoted alternative for
people 'roaming' outside our network. Again, I could be wrong, and would
welcome input on this, but my feeling is that a webmail interface is a lot
more trouble for a spammer to write scripts for?

> What I'm saying is that it's much easier to block authenticated user,
> especially if he changes IPs.

Again, this is one of those YMMV situations. In my case, I can identify
the user, and then I filter their connection for *all* port 25. Obviously
something you could not do with a large corporate intranet through a NAT,
but sufficient for my needs.

But just the same, I would *like* to add SMTP-AUTH, as long as I have a
clear conviction that I am not significantly increasing the risk of
having a user spoofed remotely.

> I found it out that it's much safer to ask everyone to authenticate, it
> makes problem with more-or-less anonymous IP addresses (nearly) disappear.

(nod again) The key word being 'anonymous'. I would be forced to choose
SMTP-AUTH and require it for all clients if I could not identify who was
connecting. :)

> Luckily many phishes are detectable by SA or ClamAV.

Many, but not all. And... (Charles lowers his voice) ...I have some of the
most computer-ignorant users on the planet. Ie. Had a caller this morning
that had to be told that this big box on the floor with all the wires
plugged in the back was what we called "the computer". (smack forehead)

Which leads to another question. Has anyone written a really *good*
generic rule for these phishes? Trouble is, legitimate users could send
'forms' via mail with many of the headers I might test. But I notice they
all come from odd phone numbers or freemail addresses, so I'm working with
that, but the variability of the 'information' lines is annoying. Anyone
got a good generic 'spotter' set of rules/meta?

> I think I'll take all phishes that come onto our company's mailboxes and
> will try to create some filters...

LOL - Shoulda kept reading.

- C


RE: 0.001 rules - why?

2009-08-11 Thread Karsten Bräckelmann
On Mon, 2009-08-10 at 23:19 -0700, Robert wrote:

> > All these are fixed to -External in SVN/3.3.
> 
> why arent they "fixed and/or changed" in 3.2.5 then?
> 
> what could possibly hold that back?

Should be blatantly obvious, but since you asked...

Lack of volunteer time, manpower or a paid position? Maybe also a
mass-check run, since this might have more overall impact?  Possibly?





Re: 0.001 rules - why?

2009-08-11 Thread Karsten Bräckelmann
On Sun, 2009-08-09 at 11:33 +0100, Cedric Knight wrote:
> I'm using Bayes and network tests, and have found a few rules with a
> good ratio of ham to spam, but that score only 0.001 in the default rules.
> 
> In some cases, it is presumably because they overlap with other rules or
> are detected by remote tests, and so would score double because a
> particular feature in the email.  But in other cases, I wonder if
> they've been pegged at that low value for some other reason and are
> actually pretty useful and could go up to 1.0 or so?

Keep in mind that the scores have been set during the last mass-check
run, which was quite a while ago. Consequently, they do reflect a
(historic) snapshot of the mass corpora (available).

Spam patterns change. Much faster than ham patterns...




Re: 0.001 rules - why?

2009-08-11 Thread Karsten Bräckelmann
On Tue, 2009-08-11 at 10:58 +0100, Cedric Knight wrote:
> BTW (2), maybe I overstated the case for URIBL_RED.  It seems to vary
> somewhat in its reliability, and probably shouldn't be scored >1.0.
> Still non-zero though, I propose.

Did you read the URIBL docs, specifically Usage and About? The former
doesn't even list RED, which is pretty much identical to them advising
not to score it (anything even half significant). The latter clearly
states to use at your own risk.

The stock score is a default, and quite sensible. Feel free to customize
the score.




Re: Mailbox for auto learning

2009-08-11 Thread Cedric Knight
Luis Daniel Lucio Quiroz wrote:
> Le lundi 10 août 2009 19:15:15, Cedric Knight a écrit :
>> Stefan wrote:
[...]
>>> You have to forward the message as an attachment and unpack it after
>>> receiving. Have a look at:
>>> https://po2.uni-stuttgart.de/~rusjako/sal-wrapper
>> Yes, I find this approach works well.  It's the simplest way for me to
>> train Bayes, and most users can cope with it, providing they're not
>> using Outlook 2003/XP which can't forward as an attachment.  But
>> Thunderbird, Outlook Express, Squirrelmail and Pine all can easily.
>> It's not as simple as a 'This Is Spam' button perhaps, and that's a
>> *good* thing.  Requiring a little bit of thought stops people using it
>> as an alternative to the delete key for 'OK, perhaps I did subscribe to
>> this but I don't want it now'.
[...]

> Yes but problem is that 99% of users are about using some kind of outlook

Well then, tell them not to :)  Outlook Express and Windows Mail are
fine.  Outlook 2003 supposedly needs a special program like
http://www.olspamcop.org/ to forward properly, although if you select
multiple messages to forward, then it will forward them in some kind of
possibly useful digest format.  Outlook 2007 introduces an explicit menu
item called "forward as an attachment" (Ctrl+Alt+F) but still mangles
the headers:
http://forum.spamcop.net/forums/index.php?showtopic=10241&st=0&p=70453&#entry70453

Outlook 2007 also mangles the headers (kind of reconstructing a
misleading semblance of what the original was) when moving between IMAP
folders.  Therefore, I wouldn't use spamassassin -r on spam from Outlook
users, but sa-learn to get tokens from the body text may be OK.

Actually, some users of Outlook 2003 do seem to be able to forward as
intact message/rfc822 attachment.  Not exactly sure how.

Anyway, the 1% using a better e-mail program may be all that's needed to
train Bayes.

CK



Re: 0.001 rules - why?

2009-08-11 Thread Cedric Knight
Henrik K wrote:
> On Tue, Aug 11, 2009 at 04:31:32AM +0100, RW wrote:
>> On Sun, 09 Aug 2009 11:33:29 +0100
>> Cedric Knight  wrote:
>>
>>
>>> header   FH_HELO_EQ_D_D_D_D   X-Spam-Relays-Untrusted =~ /^[^\]]+
>>> ...
>>> header   HELO_MISC_IP         X-Spam-Relays-Untrusted =~ /^[^\]]+
>>>
>> Possibly this is down to their running on the wrong boundary, these
>> should be on the internal network boundary.
> 
> All these are fixed to -External in SVN/3.3.

Quite a complicated issue.  I'd posted before
http://www.nabble.com/Understanding-Trusted-and-Internal-to22282224.html#a22292088
wondering why such rules didn't check X-Spam-Relays-External.

However, when I test external equivalents like EXT_HELO_DYNAMIC_IPADDR2,
I find they hit as much ham (still only a little) and about half as much
spam.  In other words, testing the first entry of the -Untrusted
pseudoheader empirically does better for my setup.

I guess this is because (a) greylisting cuts out a lot of botnet spam
that would otherwise be delivered direct to internal_networks; (b) this
system is set to use the 3.2 model, that is, without including general
ISP MTAs in trusted_networks; and setting internal_networks to only
include MXs for the organisation.  What spam does match these rules
often comes via servers that provide MX for a domain that doesn't
greylist or filter and then forwards, and these (often MXs provided by
domain registrars) I include in trusted_networks but not internal, such
that spam delivered to them is tested appropriately by the existing
HELO_DYNAMIC_IPADDR2 and FH_HELO_EQ_D_D_D_D.

BTW, when I did try including servers like Google and ISP MTAs in
trusted_networks on the basis that they are "relay hosts...
considered to not be potentially operated by spammers, open
relays, or open proxies. A trusted host could conceivably relay
spam, but will not originate it, and will not forge header data" I found
not only FPs from EXT_HELO_DYNAMIC_IPADDR2 etc, but also a lot of FNs,
partly because ALL_TRUSTED often triggered.  I imagine that if this is
an issue, it will come out over the course of SA3.3 testing.

BTW (2), maybe I overstated the case for URIBL_RED.  It seems to vary
somewhat in its reliability, and probably shouldn't be scored >1.0.
Still non-zero though, I propose.

CK



Re: [sa] Re: Slightly OT - Spam opprortunities in SMTP-AUTH

2009-08-11 Thread Matus UHLAR - fantomas
> On Mon, 10 Aug 2009, Matus UHLAR - fantomas wrote:
>> On 10.08.09 11:07, Charles Gregory wrote:
>>> IMNSHO You shouldn't. You should only allow *your* customers with pop
>>> e-mail accounts on *your* servers to send mail.
>> 1.
>> If more customers send spam from the same IP address without authentication,
>> you only can disable them all, not only the one who really spams.

On 10.08.09 14:56, Charles Gregory wrote:
> Not at all. I know who logs on when, and I can easily disable their  
> access.

I should have made that more clear: If there are more _concurrent_ users on the
same IP (home/office network with NAT), you only can block them all or none
of them. Even if they have separate mailboxes. You need SMTP auth to be able
to block only the spamming one.

>> If a user (accidentally) gets a spamming engine on computer he does 
>> not use for sending spam, you will get spammed even if user does not 
>> notice nor configure anything.
>
> So far this has seemed less of a risk than having someone use a phished  
> password from a third-party IP. Our user has to have their whole computer 
> compromised, rather than just be tricked into sharing a password.

Don't you even run webmail being accessible from outside your network?

>> If a customer is hosted on your servers and you or he use SPF to  
>> (hopefully) ensure that only he sends mail from his e-mail address, he  
>> _MUST_ use your servers since other ISP _can not_ verify the address  
>> validity and ownership.
>
> A good argument, provided that using SMTP-AUTH does not increase the risk 
> of ruining the reputation of my server.

What I'm saying is that it's much easier to block authenticated user,
especially if he changes IPs.
  
>> And if you insist on providing e-mail services to any broken computer 
>> in your IP range, instead of supporting your customers roaming 
>> elsewhere, yes, it's sad and stupid.
>
> The two are not really related. I can provide IP-Range services for  
> controlled/monitored IP's, with accountability for possible hackers, and  
> it makes no difference to whether I allow SMTP-AUTH.

I found it out that it's much safer to ask everyone to authenticate, it
makes problem with more-or-less anonymous IP addresses (nearly) disappear.

>> I do not care if that's common in Australia or wherever for 20 years or 
>> so. It's broken design and brings you much more problems you will have  
>> to cope with, when anyone starts spamming through your servers.
>
> Actually, it was advocated strongly in NA too, but times change, and the  
> user population is much more mobile. But I never see "it was always done  
> that way" as *any* sort of argument for how something *should* be done.

I had the feeling reading some posts in this thread :)

>> Relatively rare. We have much more users spamming directly from IP  
>> addresses we haven't started requiring authentication from (the time is 
>> near, just prepare some changes and we'll announce the policy change)  
>> than those spamming through authenticated SMTP.
>
> Hmm Maybe this is the reason the number of phishing spams has 
> been rising? :)

I guess so. Luckily many phishes are detectable by SA or ClamAV.
I think I'll take all phishes that come onto our company's mailboxes and
will try to create some filters...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759