Re: Spammed by Non-delivery-report? (someone is using my email to spam)
: On Fri, 1 Sep 2006, Christian Purnomo wrote:
:
: I am having so much trouble at present that some people are using my
: email address to send their spam messages, in return I get hundreds and
: hundreds of non-delivery email + other misc reply such as out of office.

Thanks All who have responded to my initial inquiry.

I have implemented openspf and it looks like it has dropped the number of bounces significantly. There are still a few coming through, are there any other methods that I can use to clean up the uncaught mess?

Justin has recommended http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf which sounds reasonable to me.

Thanks
Christian
Spammed by Non-delivery-report? (someone is using my email to spam)
Hi Gurus,

I am having so much trouble at present that some people are using my email address to send their spam messages, in return I get hundreds and hundreds of non-delivery email + other misc reply such as out of office.

How would I be able to use spamassassin to help me with this? Would sa-learn be the most efficient way? I can think of using procmail to filter them into a separate mailbox, but the mail headers are all very random.

Your help would be much appreciated.

Cheers
Christian
Re: Exchange/Outlook - how do you learn spam?
I have implemented John's idea and it works like a charm!

I use postfix in my mail gateway at the perimeter, I have:

    always_bcc = [EMAIL PROTECTED]

The reason I'm bcc-ing is because my mail-gateway is not suitable to store large quantity of emails, very plain server.

I wrote a simple perl script below to automate all the processing.

/home/spamtrapcc/.maildir/.UndetectedSPAMS/cur/ is the folder where all users drop the undetected spams.

/home/spamtrapcc/.maildir/.WhitelistSPAMS/cur/ users drop their whitelist email request here

/home/ccmail/.maildir/new is the [EMAIL PROTECTED] mailbox - this folder grows very quickly, I have a cron job to clean this directory on a daily basis:

    find /home/ccmail/.maildir/new -type f -mtime +3 -exec rm {} \;

Btw as you already see, I use Maildir format instead of Mailbox, just love maildir!!

My perl is not good, the script only works in my environment. Feel free to modify and post it back to this list if you have improvements.

Cheers
Christian.

--

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Message-IDs of the messages users dropped as undetected spam.
    chdir("/home/spamtrapcc/.maildir/.UndetectedSPAMS/cur/") or die("Failed to chdir: $!\n");
    opendir(UND, ".") or die("Opendir failed: $!\n");
    my @undfiles = grep {!/^\.+$/} readdir(UND);
    closedir(UND);

    my %badmessageids = ();
    foreach my $undfile (@undfiles) {
        open(UFILE, "<", $undfile) or die("Failed to open $undfile for reading: $!\n");
        while (<UFILE>) {
            if (/^Message-ID: <(.*?)>/i) {
                $badmessageids{$1} = 1;
                last;
            }
        }
        close(UFILE);
    }

    # Message-IDs of the messages users asked to have whitelisted.
    chdir("/home/spamtrapcc/.maildir/.WhitelistSPAMS/cur/") or die("Failed to chdir: $!\n");
    opendir(WHITE, ".") or die("Opendir failed: $!\n");
    my @whitefiles = grep {!/^\.+$/} readdir(WHITE);
    closedir(WHITE);

    my %goodmessageids = ();
    foreach my $whitefile (@whitefiles) {
        open(WFILE, "<", $whitefile) or die("Failed to open $whitefile for reading: $!\n");
        while (<WFILE>) {
            if (/^Message-ID: <(.*?)>/i) {
                $goodmessageids{$1} = 1;
                last;
            }
        }
        close(WFILE);
    }

    # Find the unmodified bcc copy of each reported message and copy it out.
    chdir("/home/ccmail/.maildir/new") or die("chdir failed: $!\n");
    opendir(CCMAIL, ".") or die("Failed to opendir CCMAIL: $!\n");
    my @ccmailfiles = grep {!/^\.+$/} readdir(CCMAIL);
    closedir(CCMAIL);

    foreach my $cm (@ccmailfiles) {
        open(CCFILE, "<", $cm) or die("Failed to open $cm for reading: $!");
        while (<CCFILE>) {
            if (/^Message-ID: <(.*?)>/i) {
                if (defined($badmessageids{$1})) {
                    print "Copying $cm to blackspam...\n";
                    # List form: the file name is never passed through a shell.
                    system("cp", "--", $cm, "/home/ccmail/.maildir/.blackspams/tmptmp");
                    chown 1008, 1008, "/home/ccmail/.maildir/.blackspams/tmptmp/$cm";
                } elsif (defined($goodmessageids{$1})) {
                    print "Copying $cm to whitespam...\n";
                    system("cp", "--", $cm, "/home/ccmail/.maildir/.whitespams/tmptmp");
                    chown 1008, 1008, "/home/ccmail/.maildir/.whitespams/tmptmp/$cm";
                }
                last;
            }
        }
        close(CCFILE);
    }

Subject: Re: Exchange/Outlook - how do you learn spam?
Date: Wed, Jun 22, 2005 at 04:25:03PM +0100
Quoting John Hall ([EMAIL PROTECTED]):

: Sadly 'script' is rather a grand term. I haven't got around to automating
: things properly, so I manually do the following roughly once a week or so:
:
: # get a list of message-ids from the imap folder
: $ grep -i ^message-id: imap-folder | sed -e 's/.*<\(.*\)>.*/\1/' > msgids
:
: # get e-mails from the current archive folder
: $ cat /var/local/archive/mail | spamlearn msgids > mbox
:
: # get e-mails from the last 3 weeks of archives
: $ zcat /var/local/archive/mail.[123].gz | spamlearn msgids >> mbox
:
: # feed to SA
: $ sa-learn --spam --mbox mbox
:
: The archive I keep is rotated once a week and gzipped. The perl script,
: spamlearn, is attached. This just scans stdin for messages in the supplied
: file and writes them to stdout. Any that it finds it removes from the
: supplied file. Hopefully, by the end, the file 'msgids' is empty.
:
: This could obviously be vastly improved and automated - I just haven't got
: round to it yet.
:
: regards,
: John
Re: Exchange/Outlook - how do you learn spam?
I have a similar approach, I noticed though that when the email is copied across to a public folder OR an IMAP folder, the email header/body is changed with ms-application/tnef. So whatever you feed sa-learn, it's not going to be effective as the body of the email has changed from the original email.

I get my exchange users to drop all the spams (undetected by spamassassin) to a public folder and I use imap (exchange is imap enabled) to retrieve the email from the exchange to my linux box, and scp ssh to copy and run sa-learn on the remote mailgateway.

I am still trying to figure out how to fix this tnef problem, has anyone experienced / noticed the tnef / winmail.dat thing in the email message? Apparently this only happens if the email has been read by a Microsoft email client who is tnef aware, and it automatically changes the email!!!

CP

Subject: Re: Exchange/Outlook - how do you learn spam?
Date: Tue, Jun 21, 2005 at 02:17:13PM -0500
Quoting E. Falk ([EMAIL PROTECTED]):

: Easiest way to get them out of the Exchange public folder without
: messing up the headers is via IMAP. There are some scripts available to
: open the folder and read the messages (can't recall exactly where, but
: if you can't find them let me know and I'll pass mine onto you - they're
: modified versions of the scripts available online).
:
: Works very nicely.
:
: Evan
:
: Jon Dossey wrote:
: > I'm sure a lot of us have a similar setup, linux/bsd mx gateways
: > (running SA) relaying mail to Exchange, and Outlook clients. I'm just
: > curious how everyone handles learning?
: >
: > It seems like a lot of people recommend a public folder for users to
: > dump spam in, but how do you get it back out into a useable format that
: > sa-learn will understand? Saving messages out of Outlook (for me
: > anyway) into a txt file removes all the internet headers.
: >
: > So how else do you handle getting your messages back out of
: > exchange/outlook, and sa-learn'ed?
: >
: > .jon
Re: Exchange/Outlook - how do you learn spam?
Hey Matt,

Thanks heaps for the update. That certainly really helps my mystery! If this is the case, I will try to live with these facts! oh well *sob*

Christian.

Subject: Re: Exchange/Outlook - how do you learn spam?
Date: Tue, Jun 21, 2005 at 10:40:00PM -0500
Quoting Matt Yackley ([EMAIL PROTECTED]):

: Christian Purnomo said:
: > I have a similar approach, I noticed though that when the email is
: > copied across to a public folder OR an IMAP folder, the email
: > header/body is changed with ms-application/tnef. So whatever you feed
: > sa-learn, it's not going to be effective as the body of the email has
: > changed from the original email.
: >
: > I get my exchange users to drop all the spams (undetected by
: > spamassassin) to a public folder and I use imap (exchange is imap
: > enabled) to retrieve the email from the exchange to my linux box, and
: > scp ssh to copy and run sa-learn on the remote mailgateway.
: >
: > I am still trying to figure out how to fix this tnef problem, has anyone
: > experienced / noticed the tnef / winmail.dat thing in the email message?
: > Apparently this only happens if the email has been read by a Microsoft
: > email client who is tnef aware, and it automatically changes the email!!!
: >
: > CP
:
: Hi Christian,
:
: I have a ticket open with MS support on this issue, so far the news is not good. MS
: has confirmed the problem and the Exchange dev team has said that they will not be
: able to release a hotfix or patch to change the behaviour of their IMAP/POP3 code
: due to the change required to fix this possibly causing issues with other pieces of
: Exchange.
:
: Here is what I know of the issue.
: 1. Email that has only been stored in user mailbox and then pulled from a mailbox
:    via IMAP/POP3 will retain the full headers of the email.
: 2. Email that is moved into a public folder, then pulled out via IMAP/POP3 will have
:    the headers converted to the TNEF style which removes most X- headers, but does
:    leave the received headers, date/time headers but adds in some of the MS headers
:    including the TNEF.
: 3. Emails that are moved to a public folder, then moved to a user mailbox, then
:    pulled out via IMAP/POP3 will suffer the same header issues as #2
:
: MS is trying to come up with a work-around for the problem, also in his spare time
: our developer at work is looking to see if he can come up with a work-around. If I
: find a better way to pull messages out of Exchange, I'll let everyone know.
:
: --matt
How to get sa-learn the original message of application/ms-tnef email?
Hello All.

We have a smarthost running spamassassin in the perimeter, this host relays email for our internal domains to an M$ Exchange server in our private LAN. Spamassassin is doing a great job in filtering most spams.

I get my MS Exchange users to drop any 'Undetected SPAM' to a folder which I daily feed to sa-learn on the smarthost. I can notice a big difference this makes to the spamassassin filter.

After a time, I notice an email pattern in this folder that doesn't seem to improve from time to time. I did some investigations and concluded that most emails with ms-tnef have low rate spam detection. My guess is that because the emails that I feed to sa-learn are NO LONGER the original email due to ms-tnef.

Below is a sample email from my Undetected Spam folder, as you can see, the mail body gets modified, hence sa-learn does not get to learn the original message and this kind of spam pattern just keeps coming in.

I read a bit about ms-tnef on this website http://agamemnon.ucs.ed.ac.uk/faq/mstnef.html - I can't get my Exchange server to receive text only message (instead of rich text/html) due to internal politic issue, so I'm trying to find a way to get around this outside the Exchange box.

Has anyone experienced this problem before?

Thanks in advance.

--

[-- Attachment #2: winmail.dat --]
[-- Type: application/ms-tnef, Encoding: base64, Size: 3.0K --]

Content-Type: application/ms-tnef; name=winmail.dat
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=winmail.dat

[-- application/ms-tnef is unsupported (use 'v' to view this part) --]

--
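The TNEF problem and the Message-ID matching described in this thread can be combined into one triage step before sa-learn; the following is an added example, not code from any poster. It assumes the Message-ID header survives the Exchange rewrite (the matching approach in the thread relies on this); the function names and sample messages are hypothetical and constructed.

```python
from email import message_from_bytes

def message_id(msg):
    """Message-ID without angle brackets, or None if the header is missing."""
    value = msg.get("Message-ID")
    return value.strip().strip("<>") if value else None

def has_tnef(msg):
    """True if any MIME part is application/ms-tnef or is named winmail.dat."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/ms-tnef" or name == "winmail.dat":
            return True
    return False

def triage(reported, archive):
    """Return (train, skipped) for raw messages (bytes) reported by users.

    train: raw messages safe to feed to sa-learn; skipped: Message-IDs of
    reports that are TNEF-rewritten and have no gateway copy.
    """
    pristine = {}
    for raw in archive:
        mid = message_id(message_from_bytes(raw))
        if mid:
            pristine.setdefault(mid, raw)
    train, skipped = [], []
    for raw in reported:
        msg = message_from_bytes(raw)
        mid = message_id(msg)
        if mid in pristine:
            train.append(pristine[mid])  # copy as the gateway saw it
        elif not has_tnef(msg):
            train.append(raw)            # no gateway copy, but not rewritten
        else:
            skipped.append(mid)          # rewritten and original unavailable
    return train, skipped

# Constructed sample messages (not taken from the thread).
def sample_tnef(mid):
    return (b"Message-ID: <" + mid + b">\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
            b"--b\r\nContent-Type: text/plain\r\n\r\nrewritten\r\n"
            b"--b\r\nContent-Type: application/ms-tnef; name=winmail.dat\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\neJ8+\r\n--b--\r\n")

GATEWAY_A1 = b"Message-ID: <a1@example.test>\r\nSubject: offer\r\n\r\noriginal body\r\n"
PLAIN_A3 = b"Message-ID: <a3@example.test>\r\nSubject: pills\r\n\r\nplain body\r\n"

if __name__ == "__main__":
    reports = [sample_tnef(b"a1@example.test"), sample_tnef(b"a2@example.test"), PLAIN_A3]
    train, skipped = triage(reports, [GATEWAY_A1])
    print(len(train), "to learn;", "skipped:", skipped)
```

Reports that end up in `skipped` are the ones whose training value is doubtful, since the only available copy is the rewritten one.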