email address forgery

2010-11-11 Thread Jeremy Van Rooyen
Hi All,

Thanks to this list, who helped me (newbie) with my SpamAssassin configuration the
last time, but here I am again.

I've been having email spoofing issues for some time now and have complaints
about it a lot.

I need to implement SPF checks, if I'm correct in thinking so, to handle
email spoofing for me on my server.

Can anybody explain to me how to do this and how would I be able to test it?

(Apologies if this was discussed in the past on this list.)

Thanks
Jeremy


Re: email address forgery

2010-11-11 Thread Jeremy Van Rooyen
To give more detail, my issue is as follows:

*example log:*

1PGasp-0007C4-Tl SA: Debug: SAEximRunCond expand returned: '1 '
1PGasp-0007C4-Tl SA: Debug: check succeeded, running spamc
1PGasp-0007C4-Tl SA: Action: scanned but message isn't spam: score=-1.0 required=7.0 (scanned in 1/1 secs | Message-Id: 00e0cd1445893cd960494ca7...@google.com). *From * (host=mail-pz0-f68.google.com [209.85.210.68]) for u...@example.com
2010-11-11 19:24:27 1PGasp-0007C4-Tl = H=mail-pz0-f68.google.com[209.85.210.68] P=esmtp S=3417 id=000e0cd1445893cd960494ca7...@google.com
2010-11-11 19:24:27 1PGasp-0007C4-Tl = user u...@example.com R=local_user T=maildir_home
2010-11-11 19:24:27 1PGasp-0007C4-Tl Completed
-

This snippet is what I get in my email log (quite a lot of them every day). On
the user side I get the following (bounce back email):

Delivery Status Notification (Failure) or Message Undeliverable! with
the original email attached which is spam.


PS: I'm using Exim4 with SA-Exim and Spamassassin.

Hope this will help for details.

Thanks for your help in advance.

Jeremy



2010/11/11 Karsten Bräckelmann guent...@rudersport.de

 On Thu, 2010-11-11 at 16:11 +0200, Jeremy Van Rooyen wrote:
  Thanks to this list, who helped me (newbie) with my SpamAssassin
  configuration the last time, but here I am again.
 
  I've been having email spoofing issues for some time now and have
  complaints about it a lot.

 Please elaborate. What exactly is the issue? Samples showing the
 problem, including the SA headers, could be helpful, too.

 You're not whitelisting your own domain, are you? Yes, spammers love to
 forge that.

  I need to implement SPF checks If I'm correct on thinking so, to
  handle email spoofing for me on my server.

 Maybe. But we cannot possibly verify that you're correct in thinking so,
 unless you provide details of your problem.






-- 
There is therefore now no condemnation to them which are in Christ Jesus,
who walk not after the flesh, but after the Spirit.  Romans 8


Re: Spam tagging not happening

2010-10-19 Thread Jeremy Van Rooyen
Dominic,

Ok, it seems like SAEximDebug is set to 1, but I don't see anything similar
to your example log.

My /var/log/exim4/mainlog :

2010-10-19 08:13:50 1P85Q4-0003iH-Gw = p...@decordeli.com H=wblv-ip-mesg-2-3.saix.net [196.25.240.101] P=esmtp S=26973403 id=c865a021-d0c2-4859-a538-ae67b5626...@decordeli.com
2010-10-19 08:13:52 1P85Q4-0003iH-Gw = paul p...@mydomain.com R=local_user T=maildir_home
2010-10-19 08:13:52 1P85Q4-0003iH-Gw Completed

Surely I'm missing something here and when I do a grep sa-exim
/var/lib/exim4/config.autogenerated, the output is null. Does this mean I
don't have sa-exim configured properly?

I really appreciate the help guys:-)
Jerry


On Mon, Oct 18, 2010 at 5:48 PM, Dominic Benson domi...@lenny.cus.org wrote:

  On 18/10/10 16:11, Jeremy Van Rooyen wrote:


 Thanks for the quick reply Dominic,

 I just checked and the SApermreject is set sensibly for now. The latter
 part of your email refers to SA-Flagged messages, how do I make sure this is
 working, as I have enabled rewrite_header in /etc/spamassassin/local.cf.

 If rewrite_header is enabled, and you don't see the *SPAM* (or
 alternative you specified) in the subject line, then it didn't get
 processed.

 Could you set SAEximDebug: 1 in /etc/exim4/sa-exim.conf, and then paste the
 output of a message in /var/log/exim4/mainlog, e.g.:

 2010-10-18 16:26:48 1P7rbr-0007e3-NS SA: Debug: SAEximRunCond expand returned: 'true'
 2010-10-18 16:26:48 1P7rbr-0007e3-NS SA: Debug: check succeeded, running spamc
 2010-10-18 16:26:51 1P7rbr-0007e3-NS SA: Action: permanently rejected message: score=15.7 required=5.0 trigger=12.0 (scanned in 3/3 secs | Message-Id: 1P7rbr-0007e3-NS). From e...@cambridge-union.org (host=NULL [117.5.37.103]) for e...@cambridge-union.org

 Then we should be able to see what is actually happening.

 Also, could you check the output of grep sa-exim
 /var/lib/exim4/config.autogenerated
 - if you use Exim in unsplit configuration, sa-exim doesn't get used by
 default. exim4-daemon-heavy has an alternative way of using SpamAssassin
 (exiscan_acl), which is powerful, but not so convenient.


 How do I add a message rule that subject starts with *SPAM* ? Do I
 add to my local.cf? I'm sure I did this already.

  I mean you should do this in either your mail client, or e.g. a Cyrus
 sieve. This is about using the data that SpamAssassin/Exim have added to the
 message to classify it in your inbox, rather than a mail routing decision.
 (e.g. in Thunderbird you would go Tools - Message Filters - New)

 Dominic




-- 
There is therefore now no condemnation to them which are in Christ Jesus,
who walk not after the flesh, but after the Spirit.  Romans 8
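
The check requested in the message above (does each message id in mainlog have SA: lines, and what did sa-exim decide) can be scripted. This is an added example, not code from the thread; the log lines in sample_log are constructed and the function names are assumptions.

```shell
# Added example: summarise what sa-exim did to each message in an Exim
# mainlog, and list deliveries that were never scanned.

# Constructed sample log: one scanned ham, one rejected spam, one message
# delivered with no SA: lines (the symptom when sa-exim is not loaded).
sample_log() {
cat <<'EOF'
2010-10-19 08:00:01 1AAAAA-000001-AA SA: Debug: check succeeded, running spamc
2010-10-19 08:00:02 1AAAAA-000001-AA SA: Action: scanned but message isn't spam: score=-1.0 required=7.0 (scanned in 1/1 secs)
2010-10-19 08:00:02 1AAAAA-000001-AA <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtp S=3417
2010-10-19 08:00:02 1AAAAA-000001-AA => bob <bob@example.com> R=local_user T=maildir_home
2010-10-19 08:00:02 1AAAAA-000001-AA Completed
2010-10-19 08:05:10 1BBBBB-000002-BB SA: Action: permanently rejected message: score=15.7 required=5.0 trigger=12.0 (scanned in 3/3 secs)
2010-10-19 08:13:50 1CCCCC-000003-CC <= carol@example.net H=mx.example.net [192.0.2.20] P=esmtp S=26973
2010-10-19 08:13:52 1CCCCC-000003-CC => bob <bob@example.com> R=local_user T=maildir_home
2010-10-19 08:13:52 1CCCCC-000003-CC Completed
EOF
}

# sa_audit FILE: one line per message id, "<id> <score|-> <what sa-exim did>".
sa_audit() {
    awk '
    function isid(s) { return length(s) == 16 && s ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ }
    {
        # The id is field 3 after a timestamp, or field 1 when the timestamp is cut off.
        f = isid($3) ? 3 : (isid($1) ? 1 : 0)
        if (!f) next
        id = $f
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        if ($(f + 1) == "SA:") sa[id] = 1
        if ($(f + 1) == "SA:" && $(f + 2) == "Action:") {
            act = $0; sub(/^.*SA: Action: /, "", act); sub(/: score=.*$/, "", act)
            action[id] = act
            if (match($0, /score=-?[0-9.]+/)) score[id] = substr($0, RSTART + 6, RLENGTH - 6)
        }
        if ($(f + 1) == "Completed") done[id] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (id in action)              print id, score[id], action[id]
            else if (done[id] && !sa[id])  print id, "-", "delivered without SA scan"
        }
    }' "$1"
}

# unscanned_ids FILE: only the ids that were delivered with no SA: line at all.
unscanned_ids() { sa_audit "$1" | awk '$2 == "-" { print $1 }'; }
```

Run it as sa_audit /var/log/exim4/mainlog; any id reported by unscanned_ids reached a mailbox without passing through sa-exim.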


Re:Spam tagging not happening

2010-10-19 Thread Jeremy Van Rooyen
Any news for me on this issue?

-- 
There is therefore now no condemnation to them which are in Christ Jesus,
who walk not after the flesh, but after the Spirit.  Romans 8


Re: Spam tagging not happening

2010-10-19 Thread Jeremy Van Rooyen
Hi Dominic and Users,

I was not using the split configuration of exim4; I'm using the monolithic
config at /etc/exim4/exim4.conf.template. So I added this line to my
/etc/exim4/exim4.conf.template config file, right at the top:

local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so

I restarted exim4 and I'm seeing SA entries in my /var/log/exim4/main.log.
I then did a grep sa-exim /var/lib/exim4/config.autogenerated and the result,
obviously, was local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so.

I really appreciate the help here guys, and I'm very happy that I'm one step
forward now.

Thanks
Jerry

On Tue, Oct 19, 2010 at 4:10 PM, Dominic Benson domi...@lenny.cus.org wrote:


  Surely I'm missing something here and when I do a grep sa-exim
 /var/lib/exim4/config.autogenerated, the output is null. Does this mean I
 don't have sa-exim configured properly?

 It means that it isn't being used by exim.

 We're veering away from SA-Users topics, but: if you dpkg-reconfigure
 exim4-config and select Yes to the question Split configuration into
 small files, then you should find that SA-Exim is used; it [sa-exim]
 installs a config file at /etc/exim4/conf.d/main/15_sa-exim_plugin_path -
 the /etc/exim4/conf.d directory is what gets compiled [by the exim4 init
 script] into /var/lib/exim4/config.autogenerated if you select the small
 files config method. Otherwise it uses the monolithic config template at
 /etc/exim4/exim4.conf.template - which doesn't get the SA-Exim stuff added
 automatically.


 I really appreciate the help guys:-)
 Jerry

  Dominic




-- 
There is therefore now no condemnation to them which are in Christ Jesus,
who walk not after the flesh, but after the Spirit.  Romans 8
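
The split versus monolithic distinction explained in the message above decides whether the sa-exim plugin path ever reaches the generated config. The following is an added example, not code from the thread: it assumes the Debian/Ubuntu exim4 layout named in the thread plus the packaging's /etc/exim4/update-exim4.conf.conf file, and the function name is hypothetical.

```shell
# Added example: report which exim4 config style is active on Debian/Ubuntu
# and whether sa-exim is wired into it.

# sa_exim_wired [ETC_DIR] [GENERATED_CONFIG]
# Prints "<split|monolithic> <loaded|stale|missing>".
sa_exim_wired() {
    etc=${1:-/etc/exim4}
    gen=${2:-/var/lib/exim4/config.autogenerated}
    # An uncommented local_scan_path line that points at sa-exim.so.
    pat='^[[:space:]]*local_scan_path[[:space:]]*=.*sa-exim\.so'

    # update-exim4.conf.conf records the answer to the dpkg-reconfigure
    # "split configuration" question as dc_use_split_config.
    if grep -q "^dc_use_split_config='true'" "$etc/update-exim4.conf.conf" 2>/dev/null; then
        mode=split
        set -- "$etc"/conf.d/main/*
    else
        mode=monolithic
        set -- "$etc/exim4.conf.template"
    fi

    if grep -Eq "$pat" "$gen" 2>/dev/null; then
        state=loaded      # the generated config names the plugin
    elif cat "$@" 2>/dev/null | grep -Eq "$pat"; then
        state=stale       # source has it; generated file not rebuilt yet
    else
        state=missing     # nothing tells exim to call sa-exim
    fi
    echo "$mode $state"
}
```

A result of "monolithic missing" is the situation diagnosed in this thread: the conf.d snippet shipped by sa-exim exists but is ignored because the template is in use.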


Spam tagging not happening

2010-10-18 Thread Jeremy Van Rooyen
Hi all, I need help with my SpamAssassin configuration.

Setup is as follows: Ubuntu (OS), Exim4 (MTA), SpamAssassin (Spam Filter).

When I look at my logs I can see messages being identified as spam, but it
does not get tagged on the email client side. I did look at some forums and
I also made the necessary changes to my local.cf file, but have no luck.

Can anybody assist me?

Thanks in advance
Jerry


Re: Spam tagging not happening

2010-10-18 Thread Jeremy Van Rooyen
Thanks for your reply John,

I'm really new to Exim and SpamAssassin, there are no procmail scripts and I
don't know how to glue SA onto Exim.

Can you help me with that?

When I look at the rejected emails in the rejected logs for Exim it looks
like this:

F From: pharmacyl1fe.lo...@yahoo.com
  Received-SPF: none
  X-SPF-Guess: neutral
  X-Spam-Score: 23.9 (+++)
  X-Spam-Report: Spam detection software

So as far as I know, the tagging happens here, but I don't see anything in
the email though.



On Mon, Oct 18, 2010 at 3:46 PM, John Hardin jhar...@impsec.org wrote:

 On Mon, 18 Oct 2010, Jeremy Van Rooyen wrote:

  Hi all, I need help with my SpamAssassin configuration.

 Setup is as follows: Ubuntu (OS), Exim4 (MTA), SpamAssassin (Spam Filter).

 When I look at my logs I can see messages being identified as spam, but it
 does not get tagged on the email client side. I did look at some forums and
 I also made the necessary changes to my local.cf file, but have no luck.

 Can anybody assist me?


 One more piece is needed: how is SA glued onto Exim? Procmail scripts? A
 milter (or Exim's equivalent native API)?

 Are _no_ SA-related X-Spam-* headers present in processed messages?

 --
  John Hardin KA7OHZ
  http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
  Sheep have only two speeds: graze and stampede. -- LTC Grossman
 ---
  60 days until TRON Legacy




-- 
There is therefore now no condemnation to them which are in Christ Jesus,
who walk not after the flesh, but after the Spirit.  Romans 8


Re: Spam tagging not happening

2010-10-18 Thread Jeremy Van Rooyen
Thanks for the quick reply Dominic,

I just checked and the SApermreject is set sensibly for now. The latter part
of your email refers to SA-Flagged messages, how do I make sure this is
working, as I have enabled rewrite_header in /etc/spamassassin/local.cf.

How do I add a message rule that subject starts with *SPAM* ? Do I
add to my local.cf? I'm sure I did this already.


On Mon, Oct 18, 2010 at 4:40 PM, Dominic Benson domi...@lenny.cus.org wrote:

  On 18/10/10 15:22, Jeremy Van Rooyen wrote:


 When I look at the rejected emails in the rejected logs for Exim it looks
 like this:

 F From: pharmacyl1fe.lo...@yahoo.com
   Received-SPF: none
   X-SPF-Guess: neutral
   X-Spam-Score: 23.9 (+++)
   X-Spam-Report: Spam detection software

 So as far as I know, the tagging happens here, but I don't see anything in
 the email though.


 Spamassassin is obviously being used then. I would expect that it is being
 accessed through sa-exim; what you probably want to do is edit

 /etc/exim4/sa-exim.conf

 and set SApermreject to a sensible value (fairly high, as this will bounce
 messages so that they never get to your inbox).
 20 would probably be a reasonably good start; you can (cautiously) reduce
 it from there if you find that you are getting no ham above some value.

 (You'll need to restart Exim after this)

 There is a separate question implicit in your post: that you want to filter
 SA-flagged messages into a junk folder in your MUA.

 There are a few options for this. The easiest (not necessarily best!) is to
 enable rewrite_header in /etc/spamassassin/local.cf and then add a message
 rule that subject starts with *SPAM* gets moved to a folder. It
 isn't a great plan if you are resending to a mailing list (breaks DKIM
 etc.), so the alternative is to inspect the X-Spam-Status header directly.
 How to / if you can do that is strongly MUA dependent.

 Dominic





-- 
There is therefore now no condemnation to them which are in Christ Jesus,
who walk not after the flesh, but after the Spirit.  Romans 8