Re: Test for empty EnvelopeFrom
On Thu, 24 Sep 2015, Reindl Harald wrote:

> Am 23.09.2015 um 19:24 schrieb Philip Prindeville:
>> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>>
>>> if it is empty it's <> aka Null-Sender and you really don't block that
>>> because you violating RFC's, block sane autoreplies using it to prevent
>>> mail-loops and the subject indicates one thing; you don't really understand
>>> how email works
>>
>> Rejecting messages based on their content PERIOD is violating the RFC’s.
>> What’s your point?
>
> do what you want - a empty envelope from is not a sign of spam

An empty envelope from by itself is not a spam sign but when combined with other characteristics of a message can be a good spam sign.

For example almost everything coming from outlook.com is locally generated messages (either new user created content or NDRs). User generated content has headers added to indicate that, NDRs have headers added to indicate that.

So take Null-Sender && sourced from outlook.com && has client-headers && not-have NDR-headers is a very good spam indicator.

--
Dave Funk                          University of Iowa
                                   College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Test for empty EnvelopeFrom
>> I never said it was.
>>
>> What I said was that when it’s coming from a server that doesn’t
>> accept inbound messages (and hence can’t generate bounces) THEN it’s
>> a sign of Spam.

>Since when does a server handling outbound traffic have to accept
>inbound mail?

>Any setup with more than a dozen boxes usually separates in/outbound traffic

I know of many of my customers I filter for don't send their outbound mail back through my filters (even though I tell them to) so they could generate bounce messages and definitely are firewalled off from the Internet on inbound TCP 25.

I am pretty sure that the majority of sending mail servers on the Internet don't accept inbound TCP 25 connections.
Re: Test for empty EnvelopeFrom
On 09/24/2015 06:17 PM, Philip Prindeville wrote:

> On Sep 24, 2015, at 4:12 AM, Reindl Harald wrote:
>>
>> Am 23.09.2015 um 19:24 schrieb Philip Prindeville:
>>> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>>>
>>>> if it is empty it's <> aka Null-Sender and you really don't block that
>>>> because you violating RFC's, block sane autoreplies using it to prevent
>>>> mail-loops and the subject indicates one thing; you don't really understand
>>>> how email works
>>>
>>> Rejecting messages based on their content PERIOD is violating the RFC’s.
>>> What’s your point?
>>
>> do what you want - a empty envelope from is not a sign of spam
>
> I never said it was.
>
> What I said was that when it’s coming from a server that doesn’t
> accept inbound messages (and hence can’t generate bounces) THEN it’s
> a sign of Spam.

Since when does a server handling outbound traffic have to accept inbound mail?

Any setup with more than a dozen boxes usually separates in/outbound traffic
Re: Test for empty EnvelopeFrom
On Sep 24, 2015, at 4:12 AM, Reindl Harald wrote:

> Am 23.09.2015 um 19:24 schrieb Philip Prindeville:
>> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>>
>>> if it is empty it's <> aka Null-Sender and you really don't block that
>>> because you violating RFC's, block sane autoreplies using it to prevent
>>> mail-loops and the subject indicates one thing; you don't really understand
>>> how email works
>>
>> Rejecting messages based on their content PERIOD is violating the RFC’s.
>> What’s your point?
>
> do what you want - a empty envelope from is not a sign of spam

I never said it was.

What I said was that when it’s coming from a server that doesn’t accept inbound messages (and hence can’t generate bounces) THEN it’s a sign of Spam.
Re: Test for empty EnvelopeFrom
On Thu, 24 Sep 2015 14:30:42 + David Jones wrote:

> I agree with you and Reindl on this point too. I guess what I meant
> to say is usually the hardest spam to block with a null sender is
> backscatter from a normally trusted/good reputation mail server.

Yes, that can be very annoying. Luckily, most of the big providers AFAIK use SPF and DKIM (and even DMARC) and can reject spoofed messages with a 5xx reply code instead of generating backscatter; since we've published SPF and DKIM records we've seen quite a drop in the backscatter coming our way. What backscatter we do get is usually from domains whose admins don't know or care about SPF, etc.

> RBLs and SA with a well-trained Bayes DB do a very good job on new
> emails with a null sender.

Yes, they do. And Bayes is good even on some backscatter if it includes the original message.

Regards,

Dianne.
Re: Test for empty EnvelopeFrom
>
>From: Dianne Skoll
>Sent: Thursday, September 24, 2015 9:02 AM
>To: users@spamassassin.apache.org
>Subject: Re: Test for empty EnvelopeFrom

>On Thu, 24 Sep 2015 12:21:33 +
>David Jones wrote:

>> I agree with Reindl. You can't block null senders or you break a lot
>> of legit emails.

>Well, if you run your own mail server, you can do whatever you like so
>long as you accept the consequences.

>I would say: A null sender is not necessarily the sign of spam, but it's
>also not necessarily the sign of ham. We see a continuous background
>chatter of spam messages that have a null envelope sender. And these
>are new messages, not backscatter in response to anything.

I agree with you and Reindl on this point too. I guess what I meant to say is usually the hardest spam to block with a null sender is backscatter from a normally trusted/good reputation mail server. RBLs and SA with a well-trained Bayes DB do a very good job on new emails with a null sender.

>What *is* a very reliable spam indicator (and is a SpamAssassin rule
>DSN_NO_MIMEVERSION) is mail from a null sender that lacks a
>MIME-Version: header. Almost all auto-generated responses have that
>header; a fair bit of null-sender spam does not.

Good info. I checked my MailScanner logs and there are a lot of hits on this rule along with an invalid watermark so they seem to be closely related. I do see a number of Yahoo.com legit DSNs that seem to be hitting this rule (not surprised) but have a valid MS watermark.

Dave

>Regards,

>Dianne.
Re: Test for empty EnvelopeFrom
On Thu, 24 Sep 2015 12:21:33 + David Jones wrote:

> I agree with Reindl. You can't block null senders or you break a lot
> of legit emails.

Well, if you run your own mail server, you can do whatever you like so long as you accept the consequences.

I would say: A null sender is not necessarily the sign of spam, but it's also not necessarily the sign of ham. We see a continuous background chatter of spam messages that have a null envelope sender. And these are new messages, not backscatter in response to anything.

What *is* a very reliable spam indicator (and is a SpamAssassin rule DSN_NO_MIMEVERSION) is mail from a null sender that lacks a MIME-Version: header. Almost all auto-generated responses have that header; a fair bit of null-sender spam does not.

Regards,

Dianne.
Re: Test for empty EnvelopeFrom
On Thu, 24 Sep 2015 12:21:33 + David Jones wrote:

> >From: Reindl Harald
> >do what you want - a empty envelope from is not a sign of spam
>
> I agree with Reindl. You can't block null senders or you break a lot
> of legit emails.

You're agreeing with his response to a conclusion he jumped to. The OP never said he wanted to block it, or even score it unconditionally.

> There are tools out there to prevent backscatter so you can detect
> fake messages with a null sender.

It's not about backscatter, a lot of spam has no envelope sender address.

The main problem with trying to score it is not avoiding FPs on legitimate DSNs and out-of-office replies, it's that a lot of legitimate bulk and autogenerated email has no envelope sender address.
Re: Test for empty EnvelopeFrom
>From: Reindl Harald
>Sent: Thursday, September 24, 2015 5:12 AM
>To: Philip Prindeville
>Cc: users@spamassassin.apache.org
>Subject: Re: Test for empty EnvelopeFrom

>Am 23.09.2015 um 19:24 schrieb Philip Prindeville:
>> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>>
>>> if it is empty it's <> aka Null-Sender and you really don't block that
>>> because you violating RFC's, block sane autoreplies using it to prevent
>>> mail-loops and the subject indicates one thing; you don't really understand
>>> how email works
>
>> Rejecting messages based on their content PERIOD is violating the RFC’s.
>> What’s your point?

>do what you want - a empty envelope from is not a sign of spam

I agree with Reindl. You can't block null senders or you break a lot of legit emails.

There are tools out there to prevent backscatter so you can detect fake messages with a null sender. MailScanner has this built in and works well if you send your outbound messages through it. It adds a special header that will be included in a legit bounce message but won't exist in a fake one so you can detect them.

P.S. MailScanner can be a little tough to get going with the web interface. This is a VM with everything ready to roll with a number of excellent tweaks already done for you including the Watermarking feature to help block backscatter.

http://efa-project.org/
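The two null-sender checks discussed in this thread (a missing MIME-Version: header, and a watermark header that survives in a genuine bounce), combined in one triage function as an added example; it is not part of any post here and is not MailScanner's or SpamAssassin's own code. The header name `X-Demo-Watermark`, the secret, the HMAC-over-Message-ID scheme and the sample bounce are all assumptions constructed for illustration.

```python
import email
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: known only to our outbound relay
WM = "X-Demo-Watermark"            # hypothetical header name, not MailScanner's own

def watermark(message_id):
    """Tag the outbound relay stamps on each message: HMAC of its Message-ID."""
    return hmac.new(SECRET, message_id.encode(), hashlib.sha256).hexdigest()

def quoted_original_ok(msg):
    """True if the bounce quotes original headers carrying a tag we issued."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            orig = email.message_from_string(part.get_payload())
        elif ctype == "message/rfc822":
            orig = part.get_payload(0)
        else:
            continue
        tag, mid = orig.get(WM, "").strip(), orig.get("Message-ID", "").strip()
        if mid and hmac.compare_digest(tag.encode(), watermark(mid).encode()):
            return True
    return False

def classify(envelope_from, raw):
    """Triage one message; only null-sender mail is judged here."""
    if envelope_from.strip() not in ("", "<>"):
        return "not-null-sender"
    msg = email.message_from_string(raw)
    if quoted_original_ok(msg):
        return "genuine-bounce"           # a reply to mail we really sent
    if msg.get("MIME-Version") is None:
        return "likely-spam"              # null sender and no MIME-Version
    return "unverified-null-sender"       # leave to RBLs, Bayes, other rules

def sample_bounce(tag, mime_version=True):
    """Constructed multipart/report bounce quoting the original headers."""
    head = "MIME-Version: 1.0\n" if mime_version else ""
    return (head + 'Content-Type: multipart/report; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
            "--b\nContent-Type: text/rfc822-headers\n\n"
            f"Message-ID: <1@example.org>\n{WM}: {tag}\n--b--\n")

GOOD = watermark("<1@example.org>")
if __name__ == "__main__":
    print(classify("<>", sample_bounce(GOOD, mime_version=False)))
    print(classify("<>", sample_bounce("0" * 64, mime_version=False)))
```

The first sample mirrors the case reported in the thread: a legitimate DSN that lacks MIME-Version but carries a valid watermark, so the watermark result takes precedence.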
Re: Test for empty EnvelopeFrom
Am 23.09.2015 um 19:24 schrieb Philip Prindeville:

> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>
>> if it is empty it's <> aka Null-Sender and you really don't block that
>> because you violating RFC's, block sane autoreplies using it to prevent
>> mail-loops and the subject indicates one thing; you don't really understand
>> how email works
>
> Rejecting messages based on their content PERIOD is violating the RFC’s.
> What’s your point?

do what you want - a empty envelope from is not a sign of spam