Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

2010-02-24 Thread Karl Pearson
On Wed, February 24, 2010 2:28 am, Per Jessen wrote:
> Christian Brel wrote:
>
>> On Wed, 24 Feb 2010 09:18:38 +0100
>> Per Jessen  wrote:
>>
>>> LuKreme wrote:
>>>
>>> > On 23-Feb-10 14:17, Bowie Bailey wrote:
>>> >> SPF enforcement at the MTA is useless for the reasons you
>>> >> specified. The only exception is if you have a strict SPF policy
>>> >> for your own domain, you can use it to reject spam pretending to
>>> >> be from your users.
>>> >
>>> > And that makes it worthwhile all by itself.
>>> >
>>>
>>> Well, I guess it depends on your point of view - how difficult is it
>>> to set up an MTA to reject mails pretending to be from 
>>> that didn't originate on your MTA?
>>>
>>>
>>> /Per Jessen, Zürich
>>>
>>
>> Good question - how would you do it?
>
> Postfix:  I would have two different smtpd daemons - one for the local
> network, one for the external.  The external smtpd would have a
> check_sender_access along these lines (thinking out loud here):

... which is why I use sendmail. It now comes standard with 2 different
daemons, built into one so the setup isn't so complicated: one for
external access and one for internal access. It's already doing what you
suggest out of the box, and it works quite well, if configured securely.
One activity rejects attempts to send email pretending to be 'on the
inside' and the other rejects attempts to send email pretending to be 'on
the outside', thus preventing much of what has been discussed ...

>
> check_sender_access = hash:/etc/postfix/reject_from_my_domain
>
> etc/postfix/reject_from_my_domain would have:
>
> example.com 5xx
>
>
> /Per Jessen, Zürich
>


---
Karl Pearson
ka...@ourldsfamily.com
Owner/Administrator of the sites at
http://ourldsfamily.com
---
"To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it."
---
 Democracy is two wolves and a lamb voting on what to have
 for lunch. Liberty is a well-armed lamb contesting the vote.
 --Benjamin Franklin
---
 Prayer for Obama, et al: http://scriptures.lds.org/en/ps/109/8#8 (~)
---
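As an added illustration of the two-instance setup Per describes (this is not code from Per, from Karl or from Postfix itself), the Python below emulates the access(5) lookup order Postfix uses for check_sender_access on the external instance and skips the table entirely on the internal one. The table contents, the internal address ranges and the 554 text are constructed; the parent-domain matching assumes the default parent_domain_matches_subdomains setting, which includes smtpd_access_maps.

```python
import ipaddress

# Constructed access table in the spirit of Per's /etc/postfix/reject_from_my_domain
# ("example.com 5xx"): lookup key -> action text that Postfix would hand back.
REJECT_FROM_MY_DOMAIN = {
    "example.com": "554 Mail claiming to be from our domain is not accepted from outside",
}

# Constructed: client ranges whose connections land on the *internal* smtpd
# instance, the one that carries no check_sender_access table.
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]


def access_lookup_keys(sender):
    """Keys Postfix tries, in order, for an e-mail address in an access(5) map:
    user@domain, domain, each parent domain (smtpd_access_maps is in the default
    parent_domain_matches_subdomains list), then user@.  The null sender of a
    bounce is looked up as the literal key "<>" (smtpd_null_access_lookup_key)."""
    sender = sender.strip().lower()
    if sender in ("", "<>"):
        return ["<>"]
    if "@" not in sender:
        return [sender]
    local, domain = sender.rsplit("@", 1)
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        keys.append(".".join(labels[i:]))
    keys.append(f"{local}@")
    return keys


def check_sender_access(table, sender):
    """Action of the first matching key, or None for Postfix's DUNNO
    (no opinion; evaluation continues with the next restriction)."""
    for key in access_lookup_keys(sender):
        if key in table:
            return table[key]
    return None


def external_smtpd(sender):
    """What the external instance answers to MAIL FROM:<sender>."""
    action = check_sender_access(REJECT_FROM_MY_DOMAIN, sender)
    if action and action.startswith("5"):
        return "REJECT " + action
    if action and action.startswith("4"):
        return "DEFER " + action
    return "DUNNO"


def route(client_ip, sender):
    """(instance the client reaches, that instance's verdict on the sender)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return ("internal", "DUNNO")      # no sender table on the internal side
    return ("external", external_smtpd(sender))


if __name__ == "__main__":
    for ip, sender in [("203.0.113.9", "alice@example.com"),      # forged: rejected
                       ("203.0.113.9", "bob@mail.example.com"),   # subdomain: rejected
                       ("203.0.113.9", "<>"),                     # bounce: passes
                       ("192.0.2.10", "alice@example.com")]:      # our LAN: passes
        print(f"{ip:>13} {sender:<22} -> {route(ip, sender)}")
```

Two things worth keeping in mind with this kind of table: the null sender of a bounce is looked up as "<>", so legitimate bounces addressed to your users are untouched, and your own users submitting from outside (roaming laptops, a provider's webmail, a list server that keeps the original sender) must reach the internal or submission instance, otherwise the external table rejects their mail as forgeries.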



Re: HTML in Messages

2009-12-15 Thread Karl Pearson

On Tue, December 15, 2009 9:31 am, Marc Perkel wrote:
>
>
>  LuKreme wrote:On 15-Dec-2009, at 06:11, Kai Schaetzl wrote:
>   Mark, can you *please* stop sending HTML-only messages to the list?
>  And just in case the response is "no one else complains"  Yes.
> Stop doing this. Bad list subscriber. Bad! Bad!
>  Get a modern email client. Are you using a KSR33 teletype on a 110 baud
> modem?
>

Sorry, modern isn't good. I manage an email group server, and HTML/MIME
email really messes up the archives, so I've installed plugins that
strip it out, thus making the archives usable. Who wants to scan through
thousands of bytes of uuencoding to get to the text they are searching
for? No one.

Your email is always put in a separate folder from the rest, and usually
I just delete them, so if you have something important to say, I will
usually miss it.

Quit sending HTML email. It's very annoying, and if marketing professors
are right, for every ONE person that complains, there are probably 20+
others who say nothing.




Re: bringing clamav into the loop?

2009-10-31 Thread Karl Pearson

On Sat, October 31, 2009 7:16 am, Gene Heskett wrote:
> Greetings;
>
> Does anyone have a procmail recipe that incorporates clamav into the
> checks,
> and one that handles the clamav output to /dev/null the viri etc?
>
> At least I assume clamav doesn't auto-delete, I've not yet studied all
> the
> docs, but do have freshclam running apparently ok.
>
> Thanks everybody.
>

I use ClamAV-milter at MTA level at the gateway. In the new version of
ClamAV, email is not deleted, but is quarantined within sendmail itself.

I run a cron job against the sendmail queue and send myself a report on
each quarantined email, then remove them. With sendmail this is done
with these two commands:

report each:
mailq -qQ
remove from quarantine and delete:
sendmail -qQ

Very useful and the virus infected emails don't get inside my network
anywhere, which if using procmail/SpamAssassin, they would have to. My
network is protected from both the viruses and the waste of email
traffic.

HTH,

Karl

> --
> Cheers, Gene
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> The NRA is offering FREE Associate memberships to anyone who wants them.
> <https://www.nrahq.org/nrabonus/accept-membership.asp>
>
> If your happiness depends on what somebody else does, I guess you do
> have a problem.
>   -- Richard Bach, "Illusions"
>





Re: your mail

2009-08-21 Thread Karl Pearson

On Fri, August 21, 2009 1:41 pm, Ted Mittelstaedt wrote:
> Gary Smith wrote:
>>> I agree.  We're and ISP and I don't want us to be associated with
>>> companies like Google.  I don't want Google operating in my market
>>> and
>>> I'm sure as heck that Google doesn't want me operating in the search
>>> engine market, either.
>>>
>>> I don't agree with this "everyone's an ISP" mentality that's become
>>> so prevalent, recently.
>>>
>>> Ted
>>
>> Ted,
>>
>> So you think google is just in the search engine market...  RW is even
>> using google mail. (I'm just heckling you :) )
>>
>>
>
> Everyone knows that anything given away free isn't worth having!!!
>
> Why do you think that nobody uses FreeBSD?
>
> Geeze
>
>
> Ted Mittelstaedt
>

Right, and why I've been using Redhat and Fedora for going on 2 decades
now as mail/web servers, not to mention desktop and laptop OSes for
going on 8 years. Nothing free is worth a cent. Why can't everyone just
understand that and be happy?

KLP





Re: Dealing with backscatter

2009-06-21 Thread Karl Pearson

On Sun, June 21, 2009 2:47 pm, Bob Proulx wrote:
> Jeremy Morton wrote:
>> ...backscatter...
>> 'Your message to Gatewayav-discuss awaits moderator approval'
>
> The GNU Mailman mailing list software is a big offender in that area.
> The option to fix this is to set "respond_to_post_requests" to "No" on
> the main options page.  Otherwise it is a serious backscatter source.
> I think the default may be Yes.
>
>   respond_to_post_requests=No
>
> As a backscatter source I would have no qualms about listing them in a
> DNSBL.  Reporting offenders as spam sources seems like the only
> recourse.
>
>> Any tips for filtering these out?
>
> I specifically filter those out from my incoming mail.  That message
> is never helpful to me.
>
>> Trouble is there might occasionally be a mailing list I want to post
>> to where I do get such a message,
>
> Do *you* ever need to see that message?  Unless you are the moderator
> you can't approve the posting.  And if you are the moderator then you
> will get a moderator mail message concerning it and can react to it.
> It doesn't help you.  There isn't any action you can take for it.  So
> you might as well smtp-reject or procmail-discard those.
>

I own a mailing list server. One of our policies is specifically about
"Challenge Servers" . . . We don't accept any. If someone hasn't
previously entered our server in so we don't see the responses, we
unsubscribe them without comment. Some might think that's harsh. I
don't.

Karl


>> but I get a phenomenal number of such messages where it's obviously
>> a spammer who has sent a msg to the list and joe-jobbed me.  Worse
>> still, the mail matches this, rule:
>>
>> -4.0 RCVD_IN_DNSWL_MED  RBL: Sender listed at
>> http://www.dnswl.org/, medium trust
>
> You might consider changing that to:
>
>   score RCVD_IN_DNSWL_HI -0.001
>   score RCVD_IN_DNSWL_MED -0.001
>   score RCVD_IN_DNSWL_LOW -0.001
>   score HABEAS_ACCREDITED_COI -0.001
>   score HABEAS_ACCREDITED_SOI -0.001
>
> Bob
>





Re: Spam Assassin White List

2009-03-23 Thread Karl Pearson

On Mon, March 23, 2009 10:58 pm, dsh979 wrote:
>
> Thank you for your reply Matt.
>
> I did not realise that items listed on the white list or the black list
> would still be subject to the operation/analysis of the SpamAssassin
> Rules.
>
> You have asked why I have set the required score the 100.  Lengthy
> explanation (sorry).  I have done this to prevent SpamAssassin from
> inserting SpamWarnings into the header/body of the relevant email.  In
> responding to spam I rely on the SpamAssassin Score in conjunction with
> other "email message indicators"), and incorporate these variables into
> a
> domain level filter (cPanel).  Mail is then bounced (by the filter)
> without
> any warning in the bounced email itself, that it has been bounced
> because it
> has been identified as spam.  In fact, the bounced email will have a
> message
> inserted to the effect that there is no such user/receipient.  In this
> way,
> if there is a sender who receives the bounced email, hopefully they take
> me
> off their mailing list, instead of looking for a way to 'outsmart' the
> SpamRules.
>
> Q:How can I list items/users on a "white list" or a "black list" without
> the
> lists (and items) being the subject of further analysis by the
> SpamAssassin
> Rules (and therefore obtaining the same score for each item on the
> relevant
> list, irrespective of the operation of the SpamAssassin Rules, that is
> -100=white list items & +100 = black list items)?
>

A couple thoughts:

1. by returning the emails, you run the risk of false-negatives and thus
creating 'email backscatter' (see wikipedia).

2. If you don't want to receive these things at all, have you considered
using your MTA to block the actual IP addresses of known spammers using
a couple of rules like (for sendmail):

FEATURE(`dnsbl', `bl.spamcop.net', `"Rejected as Spam. See http://bl.spamcop.net?"$&{client_addr}"; for more information"')dnl

FEATURE(`dnsbl', `zen.spamhaus.org', `"Rejected as Spam. See http://spamhaus.org/query/bl?ip="$&{client_addr}"; for more information"')dnl

which rejects the email long before SA has to be bothered? When I check
my logs, the spamcop rule alone blocks as many as 800-1100 emails daily.

Just something to consider.

Karl

>
>
>
> Matt Kettler-3 wrote:
>>
>> dsh979 wrote:
>>> Hello John
>>>
>>> Thanks for your reply.  I am adding users to the white list and the
>>> black
>>> list (in the SpamAssassin user preferences file) as follows:
>>>
>>> blacklist_from *...@blacklist1.com
>>> blacklist_from *...@blacklist2.com
>>> blacklist_from *...@blacklist3.com
>>> required_score 100
>>> whitelist_from *...@whitelist1.com
>>> whitelist_from *...@whitelist2.com
>>> whitelist_from *...@whitelist3.com
>>>
>>>
>>
>> Why do you have the required_score 100 in there?
>>
>> That could prevent your blacklists from working 100% of the time.
>>
>> The blacklist works by adding +100 to the message score, but if the
>> other rules it matches come out negative, the blacklist won't be
>> effective because the total score will be under 100.
>>
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Spam-Assassin-White-List-tp22589650p22674314.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>



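To show what the two FEATURE(`dnsbl') lines do before SpamAssassin ever sees a message, here is an added Python model (not sendmail's code and not Karl's) that builds the DNSBL query name, interprets the answer, and produces the 554 text from the post. The resolver is a constructed dictionary rather than live DNS, the return-code labels for zen.spamhaus.org are from memory of Spamhaus' documentation, and the IPv6 nibble form goes beyond the sendmail feature in the post, which is IPv4-only.

```python
import ipaddress
from typing import Callable, List

Resolver = Callable[[str], List[str]]   # query name -> A records ([] = NXDOMAIN)

# Return codes zen.spamhaus.org publishes for its component lists (from memory
# of Spamhaus' documentation; verify against the current page before relying
# on the labels).  SpamCop answers 127.0.0.2 for any listing.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP", "127.0.0.10": "PBL (ISP)", "127.0.0.11": "PBL (Spamhaus)",
}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# 127.255.255.0/24 is Spamhaus' "query refused" range (open resolver, over
# quota, ...): it must never be read as a listing.
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")

# The two zones and reject texts from the FEATURE(`dnsbl') lines in the post,
# in the order sendmail would evaluate them.
LISTS = [
    ("bl.spamcop.net",
     "Rejected as Spam. See http://bl.spamcop.net?{ip}; for more information"),
    ("zen.spamhaus.org",
     "Rejected as Spam. See http://spamhaus.org/query/bl?ip={ip}; for more information"),
]


def dnsbl_query_name(ip, zone):
    """The name to look up: reversed dotted octets for IPv4, reversed nibbles
    for IPv6 (IPv6 goes beyond the post's sendmail feature, which is IPv4-only)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def dnsbl_verdict(ip, zone, resolve):
    """('listed', reason) | ('not-listed', None) | ('error', answer)."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        a = ipaddress.IPv4Address(answer)
        if a in ERROR_RANGE or a not in LOOPBACK:
            # Refused query, or a parked/wildcarded zone answering with a public
            # address: fail open, or a dead list ends up rejecting the world.
            return ("error", answer)
        reason = ZEN_CODES.get(answer, "listed") if zone == "zen.spamhaus.org" else "listed"
        return ("listed", reason)
    return ("not-listed", None)


def mta_decision(client_ip, resolve):
    """Reply to give at connection time, or None to let the mail go on to
    SpamAssassin.  A listing on the first zone short-circuits the second."""
    for zone, text in LISTS:
        status, detail = dnsbl_verdict(client_ip, zone, resolve)
        if status == "listed":
            return "554 " + text.format(ip=client_ip) + f" ({zone}: {detail})"
    return None


# Constructed zone data standing in for live DNS answers.
FAKE_ZONE_DATA = {
    "9.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "9.113.0.203.zen.spamhaus.org": ["127.0.0.4"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.11"],
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],   # refused query
}


def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.1", "203.0.113.200"):
        print(ip, "->", mta_decision(ip, fake_resolve) or "accept, hand to SA")
```

Two defensive details the sendmail one-liners do not make explicit: an answer in 127.255.255.0/24 means Spamhaus refused the query (typically an open resolver or an exhausted quota) and must not be read as a listing, and an answer outside 127.0.0.0/8 means the zone has been parked or wildcarded, at which point treating the answer as a listing rejects every client. Both are why the function fails open on anything it does not recognise.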



Re: Getting hammered by backscatter

2008-10-30 Thread Karl Pearson

On Wed, 29 Oct 2008, Chris Arnold wrote:

We use zimbra OSS on SLES10 SP1. Zimbra has spamassassin built-in. At the 
present time, my mailbox is filled with backscatter; getting around 10 a 
minute since 4:30 today. I have postfix backscatter rules in postfix of 
zimbra, http://www.postfix.org/BACKSCATTER_README.html#real but still getting 
pounded. Here is the header from one such mail:


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[EMAIL PROTECTED]
 SMTP error from remote mail server after RCPT TO:<[EMAIL PROTECTED]>:
 host relay1.tm.odessa.ua [195.66.204.50]: 511 sorry, no mailbox here by 
that name (#5.1.1 - chkuser)


Your domain was used as the spoofed 'from' address, so it's technically 
not backscatter, but rather bounced email sent to an invalid address. 
Since you are the spoofed 'from' address, you are the lucky recipient of 
all their bad email addresses. In other words, the spammer got sold a bad 
list of email addresses. Too bad for them, worse for you. You could use an 
iptables rule (if you are *nix) that would block that domain for a time:


iptables -I INPUT -s 89.74.205.165 -j DROP

but with all the different domains the bounces are probably coming from, 
that might be much too tedious to get all of them, unless they targeted 
just chello.pl accounts...





-- This is a copy of the message, including all the headers. --

Return-path: <[EMAIL PROTECTED]>
Received: from chello089074205165.chello.pl ([89.74.205.165])
by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
(envelope-from <[EMAIL PROTECTED]>)
id 1KvJP6-000Eho-L0
for [EMAIL PROTECTED]; Thu, 30 Oct 2008 00:20:42 +0200
Message-ID: <[EMAIL PROTECTED]>
From: =?koi8-r?B?4c3X0s/Tycog4czT2c7Cwco=?= <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: =?koi8-r?B?5dfSz9DFytPLwdEgzsXExczRIMvB3sXT1NfB?=
Date: Wed, 29 Oct 2008 20:30:54 +
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0004_01C93A14.03BA381D"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

This is a multi-part message in MIME format.

--=_NextPart_000_0004_01C93A14.03BA381D
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

Can someone please help me stop this? A while back, there was a thread that 
pointed to a website, backscatter.org or something like that, that we used 
that since the upgrade did a wonderful job. Anyone remember that web site?




---
  _/  _/  _/  _/_/_/      __o
 _/ _/   _/  _/_/   _-\\<._
_/_/_/  _/_/_/ (_)/ (_)
   _/ _/   _/  _/   ..
  _/   _/ arl _/_/_/  _/ earson[EMAIL PROTECTED]
---
http://consulting.ourldsfamily.com
---
"Our Constitution was made only for a moral and religious people.
 It is wholly inadequate to the government of any other."
 --John Quincy Adams
---
"To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it."
---
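Following the approach in the Postfix BACKSCATTER_README Chris links to, the Python below (an added example, not anything from the thread or from Postfix) classifies an incoming message as a moderation notice of the kind the earlier "Dealing with backscatter" thread quotes, as a bounce for mail that really passed through our own MTA, or as backscatter: a bounce whose embedded copy of the "original" never mentions one of our hosts. Everything in it is constructed: the OUR_HOSTS set, the sample bounce modelled on the Exim bounce quoted above with the addresses replaced, and the other two samples.

```python
import email
import re

# Assumption: hostnames our own MTA writes into the "by ..." clause of the
# Received headers it adds.  A real deployment lists every outbound MTA.
OUR_HOSTS = {"mail.example.com"}

MODERATION_RE = re.compile(r"awaits moderator approval", re.I)
# Where an Exim/qmail-style text bounce starts quoting the original headers.
HEADER_START_RE = re.compile(r"^(?:Return-path|Received):", re.I | re.M)
BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def embedded_original(msg):
    """Headers of the bounced message, wherever the bouncing MTA put them."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":              # RFC 3464 DSN with full copy
            return part.get_payload()[0]
        if ctype == "text/rfc822-headers":         # DSN with headers only
            return email.message_from_bytes(part.get_payload(decode=True) or b"")
        if ctype == "text/plain" and not part.is_multipart():
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            m = HEADER_START_RE.search(text)       # plain-text bounce, copy inline
            if m:
                return email.message_from_string(text[m.start():])
    return None


def passed_through_us(original):
    """True if some Received line says the mail was handled *by* one of our
    hosts.  These lines are copied from whatever the spammer sent, so a forger
    could add one; the check still catches mail that never touched us."""
    for line in original.get_all("Received") or []:
        m = BY_HOST_RE.search(line)
        if m and m.group(1).lower().rstrip(".") in OUR_HOSTS:
            return True
    return False


def classify(raw):
    msg = email.message_from_string(raw)
    if MODERATION_RE.search(msg.get("Subject", "")):
        return "list-moderation-notice"             # Mailman respond_to_post_requests
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    if not (null_sender or msg.get_content_type() == "multipart/report"):
        return "normal"
    original = embedded_original(msg)
    if original is None:
        return "bounce-unverifiable"
    return "bounce-ours" if passed_through_us(original) else "backscatter"


# Constructed sample modelled on the Exim bounce quoted in the post (addresses
# replaced with documentation ones, Message-ID made up).
BACKSCATTER_SAMPLE = """\
Return-Path: <>
From: Mail Delivery System <Mailer-Daemon@wifi-router.tm.odessa.ua>
To: victim@example.com
Subject: Mail delivery failed: returning message to sender
Content-Type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

-- This is a copy of the message, including all the headers. --

Return-path: <victim@example.com>
Received: from chello089074205165.chello.pl ([89.74.205.165])
    by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
    for someone@tm.odessa.ua; Thu, 30 Oct 2008 00:20:42 +0200
Message-ID: <constructed-id@chello.pl>
From: victim@example.com
Subject: (spam subject)
"""

# Constructed: a bounce for mail that really left through mail.example.com.
OURS_SAMPLE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain; charset=us-ascii

The original message follows.

Received: from client.example.com (client.example.com [192.0.2.10])
    by mail.example.com (Postfix) with ESMTPSA id CONSTRUCTED01
From: alice@example.com
Subject: hello
"""

# Constructed Mailman notice of the kind the earlier backscatter thread quotes.
MODERATION_SAMPLE = """\
From: gatewayav-discuss-bounces@lists.example.org
To: alice@example.com
Subject: Your message to Gatewayav-discuss awaits moderator approval

Your mail is being held until the list moderator can review it.
"""
```

The weakness is the one stated in passed_through_us: the Received lines inside a bounce are whatever the spammer handed the remote MTA, so a forger who adds a fake "by mail.example.com" line slips through; the README's own answer is to match on something only your MTA produces, such as its queue-ID format in Message-ID. A verdict of "backscatter" is a reason to reject at SMTP time rather than to reply, since replying to a null sender only manufactures more backscatter.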


Re: Block all incoming mail from domain except certain users?

2008-10-11 Thread Karl Pearson

On Sat, 11 Oct 2008, Matus UHLAR - fantomas wrote:


On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:

any email with a FROM as coming from our domain but is not a user (left
of @ sign) that isn't one of these X addresses?


On 10.10.08 21:01, Benny Pedersen wrote:

what rule gives -100 ?


whitelist, of course: "any email with a FROM as coming from our domain"
That's a common mistake of adding local domain to whitelist_from, often used
by spammers to get mail through.


there is a number of ways to make sure it's not giving -100 to own domains
that is sent outside of localhost or even from localhost also

adjust the score -100 to something like -0.01 and make use of dkim/spf to
compensate for real users that send correct not just have your domain in
sender from


simply using whitelist_auth or whitelist_from_rcvd instead of whitelist_from
should be enough


I use whitelist_from_rcvd but am not sure I use it right:

whitelist_from_rcvd [EMAIL PROTECTED] ourldsfamily.com

Is that right?

Also, I've never heard of whitelist_auth and am curious to see an example. 
Would using both _auth and _from_rcvd be good/better/worse?


Karl



--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.




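To answer the question of what separates whitelist_from, whitelist_from_rcvd and whitelist_auth, here is an added Python model of the three checks (not SpamAssassin's code). The -100 is what SA 3.x's USER_IN_WHITELIST, USER_IN_SPF_WHITELIST and USER_IN_DKIM_WHITELIST rules score; the entries, the relay names and the address are constructed (the address in Karl's line is elided in the archive), and the message fields stand in for what SA derives from the Received headers and from the SPF and DKIM plugins.

```python
import fnmatch
from dataclasses import dataclass

# What SpamAssassin 3.x awards: USER_IN_WHITELIST, USER_IN_SPF_WHITELIST and
# USER_IN_DKIM_WHITELIST all score -100 by default.
WHITELIST_SCORE = -100.0

# Constructed config entries; the whole-domain whitelist_from pattern is the
# mistake Matus describes, kept here to show what it does.
WHITELIST_FROM = ["*@ourldsfamily.com"]
WHITELIST_FROM_RCVD = [("*@ourldsfamily.com", "ourldsfamily.com")]
WHITELIST_AUTH = ["*@ourldsfamily.com"]


@dataclass
class Msg:
    from_addr: str          # address in the From: header
    relay_rdns: str         # reverse DNS of the last *untrusted* relay, as SA sees it
    spf_pass: bool          # SPF check passed for the sender
    dkim_domain: str = ""   # domain of a *verified* DKIM signature, "" if none


def _glob(pattern, addr):
    return fnmatch.fnmatchcase(addr.lower(), pattern.lower())


def score_whitelist_from(patterns, msg):
    """Matches the From: address only: anything a spammer types in."""
    return WHITELIST_SCORE if any(_glob(p, msg.from_addr) for p in patterns) else 0.0


def score_whitelist_from_rcvd(entries, msg):
    """From: must match AND the last untrusted relay's rDNS must be the given
    domain or a host under it."""
    host = msg.relay_rdns.lower().rstrip(".")
    for pattern, domain in entries:
        d = domain.lower()
        if _glob(pattern, msg.from_addr) and (host == d or host.endswith("." + d)):
            return WHITELIST_SCORE
    return 0.0


def score_whitelist_auth(patterns, msg):
    """From: must match AND the sender must be authenticated, by SPF or by a
    DKIM signature from the From: domain."""
    from_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    authenticated = msg.spf_pass or msg.dkim_domain.lower() == from_domain
    if authenticated and any(_glob(p, msg.from_addr) for p in patterns):
        return WHITELIST_SCORE
    return 0.0


def compare(msg):
    """Score adjustment each of the three directives would give this message."""
    return {
        "whitelist_from": score_whitelist_from(WHITELIST_FROM, msg),
        "whitelist_from_rcvd": score_whitelist_from_rcvd(WHITELIST_FROM_RCVD, msg),
        "whitelist_auth": score_whitelist_auth(WHITELIST_AUTH, msg),
    }


if __name__ == "__main__":
    # Constructed messages: a forgery from a cable-modem host, a genuine one
    # from our own relay, and a genuine one relayed by a list server but DKIM-signed.
    for label, m in [("spoof", Msg("someone@ourldsfamily.com", "chello089074205165.chello.pl", False)),
                     ("legit", Msg("someone@ourldsfamily.com", "mail.ourldsfamily.com", True)),
                     ("via-list", Msg("someone@ourldsfamily.com", "lists.example.net", False, "ourldsfamily.com"))]:
        print(f"{label:<9} {compare(m)}")
```

The third case is the one that matters for the question in the post: mail from your own users that leaves through someone else's relay (a list server, a provider's submission host) fails whitelist_from_rcvd because the last untrusted relay's rDNS is not yours, but passes whitelist_auth if it carries a DKIM signature from your domain. Both are only as good as their inputs: whitelist_from_rcvd depends on trusted_networks being right so SA picks the correct Received line, and whitelist_auth needs the SPF and DKIM plugins enabled.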

Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-23 Thread Karl Pearson

On Tue, 23 Sep 2008, Joseph Brennan wrote:




Everyone should block/defer ALL email with no reverse DNS.  Then maybe
those email admins would get a clue.


AOL.com does just that.



No, they don't, really.  They 'may' do that (see below).  Try it.

   Effective immediately:  AOL
220- may no longer accept connections from IP addresses which
220  have no reverse-DNS (PTR record) assigned.


As the administrator of a couple email servers, I have personal experience 
with AOL's 'may no longer' 'policy'... Sometimes it worked, and sometimes 
it didn't. Why didn't we have rDNS working? Because technically it's the 
responsibility of your ISP and ours, at the time, didn't think they had to 
do it because we were hosting our own webpages and they thought they were 
only responsible when THEY hosted the pages. That's not true, and after a 
dozen or so calls, I finally got to a person who believed me, and it was 
fixed, finally...


Karl





Joseph Brennan
Columbia University Information Technology




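As an added example of what "block/defer all email with no reverse DNS" looks like as a connection-time policy (not AOL's code and not anything from the thread), the Python below looks up the PTR record, checks whether it forward-confirms, and produces a 4xx or 5xx reply. The resolvers are constructed dictionaries, and the enhanced status code X.7.25 is the one RFC 7372 assigns to reverse DNS validation failure.

```python
import ipaddress
from typing import Callable, List

PtrResolver = Callable[[str], List[str]]    # "9.113.0.203.in-addr.arpa" -> PTR targets
AddrResolver = Callable[[str], List[str]]   # hostname -> A/AAAA addresses


def reverse_name(ip):
    """Owner name of the PTR record for an address (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def rdns_check(ip, resolve_ptr, resolve_addr):
    """'fcrdns'            PTR exists and one of its names resolves back to the IP
       'rdns-unconfirmed'  PTR exists but no name resolves back to the IP
       'no-rdns'           no PTR record at all"""
    ip = str(ipaddress.ip_address(ip))
    names = [h.rstrip(".").lower() for h in resolve_ptr(reverse_name(ip))]
    if not names:
        return ("no-rdns", None)
    for host in names:
        if ip in resolve_addr(host):
            return ("fcrdns", host)
    return ("rdns-unconfirmed", names[0])


def connect_reply(ip, resolve_ptr, resolve_addr, mode="defer"):
    """SMTP reply to give the client, or None to carry on with the session.
    'defer' answers 4xx so a legitimate sender whose ISP has not set the PTR
    yet retries later; 'reject' answers 5xx (enhanced code from RFC 7372)."""
    status, _ = rdns_check(ip, resolve_ptr, resolve_addr)
    if status == "no-rdns":
        if mode == "reject":
            return f"550 5.7.25 Client host [{ip}] has no PTR record"
        return f"450 4.7.25 Client host [{ip}] has no PTR record, try again later"
    return None   # fcrdns, or rDNS present but unconfirmed: leave that to scoring


# Constructed DNS data standing in for a real resolver.
PTR_DATA = {
    reverse_name("203.0.113.9"): ["mail.example.net."],
    reverse_name("198.51.100.7"): ["host7.example.org."],
}
ADDR_DATA = {
    "mail.example.net": ["203.0.113.9"],
    "host7.example.org": ["198.51.100.200"],    # PTR names a host that does not point back
}


def fake_ptr(name):
    return PTR_DATA.get(name, [])


def fake_addr(host):
    return ADDR_DATA.get(host, [])


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.5"):
        print(ip, rdns_check(ip, fake_ptr, fake_addr), connect_reply(ip, fake_ptr, fake_addr))
```

The "defer" mode is the kinder of the two and the one the "block/defer" wording allows for: a sender whose ISP has not set the PTR yet (Karl's situation in the reply) gets a 450 and retries, and the mail goes through once the record exists. The AOL text quoted above is a 220 greeting banner announcing the policy; the refusal itself, when it happens, is a 4xx or 5xx reply like the ones here.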


Re: Trying out a new concept

2008-09-22 Thread Karl Pearson

On Mon, 22 Sep 2008, Marc Perkel wrote:




McDonald, Dan wrote:

On Mon, 2008-09-22 at 15:44 -0700, Marc Perkel wrote:


Ken A wrote:


Marc Perkel wrote:

I don't know how this will work but I'm building the data now. For those 
of you who are familiar with Day old bread lists to detect new domains, 
as you know there's a lag time in the data and they often don't have 
data from all the registries. So - here's a different solution.


What I'm thinking is to accumulate every domain name that interacts with 
my system and storing it in a list. Eventually after a week or so I 
should have a good list. Then the idea is to do a lookup to see if a new 
domain is NOT on the list. This will catch all really new domains, but 
will have some false positives. But - if it is mixed with other 
conditionals it might be a good way to detect and block spam from or 
linking to tasting domains.





So, If for years I send mail to hundreds of people in my county, but
never anything to your spamtraps or your legitimate mail, and then one
day I decide to send you a single piece of mail, you will blacklist me
as DOB?




No - that's not how it works. Being a stranger to the list doesn't get you 
blacklisted. It's just a factor that when combined with other factors 
indicates it's spam. And generally URI spam. I'm just using this as a way to 
discover new domains by what's not on a list as opposed to what is on a list.


And I don't yet know if it will work. I'm still building the list. I just 
wanted to throw the concept out there and see if it sparks innovation. It 
might turn out to be a dead end.





So, what about doing a whois query and 'grep' for the setup date? You 
theoretically could then just append that date to the domain name, and 
have something to cross-reference...



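Karl's whois suggestion combined with Marc's list, as an added Python example (not Marc's list-building code): the tracker records the first day each domain was seen, creation_date pulls the registration date out of whois text, and assess flags a domain only when it is both unknown here and registered recently. The whois labels and date formats are a handful of common ones (an assumption, since registries differ), and the whois text is passed in rather than fetched, so the example runs offline.

```python
import re
from datetime import date, datetime
from typing import Dict

# Labels that different registries' whois output uses for the creation date
# (a few common ones; real output varies).  This is the "grep" in Karl's post.
CREATION_RE = re.compile(
    r"^[ \t]*(?:Creation Date|Created On|Registered on|Registration Date|created)"
    r"[ \t]*:[ \t]*(.+?)[ \t]*$", re.I | re.M)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def _as_date(d):
    """Accept a date or an ISO 8601 string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def creation_date(whois_text):
    """Registration date parsed out of raw whois output, or None."""
    m = CREATION_RE.search(whois_text or "")
    if not m:
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(m.group(1), fmt).date()
        except ValueError:
            continue
    return None


class DomainTracker:
    """Marc's list: every domain that has interacted with the system, with
    the day it was first seen."""

    def __init__(self):
        self.first_seen: Dict[str, date] = {}

    def observe(self, domain, today):
        self.first_seen.setdefault(domain.lower().rstrip("."), _as_date(today))

    def is_stranger(self, domain, today, min_days=7):
        seen = self.first_seen.get(domain.lower().rstrip("."))
        return seen is None or (_as_date(today) - seen).days < min_days


def assess(domain, tracker, whois_text, today, young_days=30):
    """Combine 'never seen here' with 'registered recently'.  Only the
    combination is a useful spam factor; either alone has the false
    positives Dan raises in the thread."""
    if not tracker.is_stranger(domain, today):
        return "known"
    created = creation_date(whois_text)
    if created is None:
        return "stranger-unknown-age"
    if (_as_date(today) - created).days < young_days:
        return "stranger-young"
    return "stranger-established"


if __name__ == "__main__":
    tracker = DomainTracker()
    tracker.observe("example.com", "2008-08-01")          # constructed history
    # Constructed whois fragments in two of the supported layouts.
    print(assess("example.com", tracker, "Creation Date: 1995-08-14", "2008-09-22"))
    print(assess("fresh.example", tracker, "Registered on: 19-Sep-2008", "2008-09-22"))
```

In production the whois lookups are the expensive part: whois servers rate-limit aggressively, so cache the creation date per domain and only query for domains the tracker has not seen. The "stranger-established" outcome is the case Dan raises: an old domain that has simply never written to you should not be penalised for being new to the list.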


Re: MagicSpam

2008-09-12 Thread Karl Pearson

Excellent points. I'm glad I'm not a 'common user'...

KLP

On Fri, 12 Sep 2008, Jesse Stroik wrote:


Karl,


Ease of setup and use are not the primary reason for purchasing any 
product, IMO.



Yes, but you aren't the common user.  Many commercial products *must* have 
oversimplified setups if they want the largest possible customer base. 
Consider the difference between the primary goals of spamassassin and 
arbitrary commercial anti-spam solution:


Spamassassin: To facilitate a community effort with the primary goal of 
accurate reduction of spam.


Commercial Product: to sell as much commercial product as possible, with the 
goal being either short term profits or long term profits.


A few years ago I bought a groupware that was configured as an open relay out 
of the box.  When I contacted support about changing the default behavior, 
they said that they would lose customers if they configured it securely out 
of the box, so they didn't do it.


Is spamassassin the best I've seen and worked with?  Absolutely.  Does 
spamassassin cost more in sysadmin time and require a more competent sysadmin 
to properly configure and maintain it?  Yes.  I've noticed in my own work 
with spamassassin, especially under solaris, that more time spent configuring 
it resulted in significantly better results.


Best,
Jesse





Re: MagicSpam

2008-09-12 Thread Karl Pearson

On Thu, 11 Sep 2008, fchan wrote:


Hi,
Sorry I don't have experience with this product.
I do have limited experience with Barracuda Networks appliance and I think it is 
a great product for an e-mail filter which I had experienced with my friend 
to set up on their network & email server. It is easy to set up, configure 
and maintain so for an alternative to spamassassin this is a great alternative. 
Price is fairly good and since they were an educational institute they got a 
discount.

http://www.barracudanetworks.com/ns/products/spam_overview.php


I have to violently disagree. As an administrator of a system with 184 
email groups and over 7000 subscribers on it, I absolutely hate Barracuda 
products. Out of the box, they specialize in creating huge amounts of 
backscatter (see http://en.wikipedia.org/wiki/Backscatter_(e-mail) for 
more info) which is SPAM.


Ease of setup and use are not the primary reason for purchasing any 
product, IMO.


Karl



Frank


Does anybody have any experience with this product?

My company wants to replace SpamAssassin with this product, due to 
SpamAssassin not being up to par with other products.


My argument is that people we give SpamAssassin to have no clue how to use 
it and what it's designed to do, therefore they think it sucks.



