ignore me - testing my spf record

2005-01-12 Thread Nate Schindler
testing

RE: Testing SPF

2004-10-18 Thread Nate Schindler


> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 18, 2004 2:02 PM
> To: Steven Stern; users@spamassassin.apache.org
> Subject: Re: Testing SPF
> 
> 
> At 04:59 PM 10/18/2004, Steven Stern wrote:
> >I've set up the SPF TXT record for my domain, although I'm not quite sure it's
> >correct or acceptable to SA 3 because I have to pass my outgoing mail through
> >Earthlink as a smarthost.  I'd like to send an email to a few of you checking
> >SPF to see what result you get.
> >
> >Please reply directly to me and not the list if you'd do me this favor.
> >Thanks.
> 
> Why ask any of us, look at the headers of your message on the list:
> 
> Received-SPF: pass (hermes.apache.org: domain of [EMAIL PROTECTED]
> designates 207.217.120.253 as permitted sender)
> 
> 

You can also have your SPF record checked (for syntax problems) and add it to 
the statistics registry here: http://spftools.infinitepenguins.net/register.php
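As an added example (not part of Nate's post and not code from the registry site or from SpamAssassin), here is a small Python SPF checker of the kind a syntax checker performs: parse_spf() flags the problems a record checker reports (missing v=spf1, unknown mechanism, missing argument, terms placed after all) and check_spf() evaluates a sender address against ip4/ip6/include/all terms, which is what the Received-SPF: pass header above reflects for a smarthost setup. The domains example.test and smarthost.example.test, their records, and the constructed_lookup() stub that stands in for DNS are constructed for the demo; the a, mx, ptr and exists mechanisms need live DNS and are treated as non-matching here.

```python
import ipaddress
import re

# Qualifier prefix -> SPF result name (RFC 7208 semantics; '+' is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
KNOWN_MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}
MODIFIER_RE = re.compile(r"^(redirect|exp)=\S+$", re.IGNORECASE)


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Raises ValueError for the syntax problems a record checker would report:
    missing version tag, unknown mechanism, missing argument, or terms placed
    after 'all' (which can never be evaluated).
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        if MODIFIER_RE.match(term):
            continue  # redirect=/exp= modifiers are accepted but not evaluated here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # 'a/24' and 'mx/24' carry a CIDR suffix
        if name not in KNOWN_MECHANISMS:
            raise ValueError(f"unknown mechanism: {name!r}")
        if name in ("ip4", "ip6", "include", "exists") and not arg:
            raise ValueError(f"{name} requires an argument")
        parsed.append((qualifier, name, arg))
    names = [m for _, m, _ in parsed]
    if "all" in names and names.index("all") != len(names) - 1:
        raise ValueError("mechanisms after 'all' are never evaluated")
    return parsed


def spf_syntax_error(record):
    """Return the syntax error message for a record, or None if it parses."""
    try:
        parse_spf(record)
    except ValueError as exc:
        return str(exc)
    return None


def check_spf(record, sender_ip, resolve_txt=None, depth=0):
    """Evaluate sender_ip against record and return an SPF result string.

    ip4/ip6/include/all are evaluated; a, mx, ptr and exists need DNS and are
    treated as non-matching here. resolve_txt(domain) must return the SPF
    record for a domain (or None) so that include: can be followed offline.
    """
    if depth > 10:
        return "permerror"  # guards against include: loops
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            included = resolve_txt(arg) if resolve_txt else None
            if included is None:
                return "permerror"  # include: of a domain with no SPF record
            # include matches only when the included record yields 'pass'
            matched = check_spf(included, sender_ip, resolve_txt, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


# Constructed records for a demo domain that relays through a smarthost,
# modelled on the situation in the thread; not real DNS data.
CONSTRUCTED_TXT = {
    "example.test": "v=spf1 include:smarthost.example.test -all",
    "smarthost.example.test": "v=spf1 ip4:207.217.120.0/24 ~all",
}


def constructed_lookup(domain):
    """Stand-in for a TXT lookup; returns None for unknown domains."""
    return CONSTRUCTED_TXT.get(domain)


if __name__ == "__main__":
    for ip in ("207.217.120.253", "192.0.2.1"):
        print(ip, check_spf(CONSTRUCTED_TXT["example.test"], ip, constructed_lookup))
    print(spf_syntax_error("v=spf1 -all ip4:192.0.2.1"))
```

Note that the include: result is only "pass" when the smarthost's record produces a pass; the smarthost's ~all softfail does not propagate, so an address the smarthost does not cover ends at the outer -all.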


RE: [OFFTOPIC] Opinions on DSPAM

2004-10-18 Thread Nate Schindler


> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 18, 2004 11:49 AM
> To: 'Mathieu Nantel'; users@spamassassin.apache.org
> Subject: RE: [OFFTOPIC] Opinions on DSPAM
> 
> 
> 
> 
> >-Original Message-
> >From: Mathieu Nantel [mailto:[EMAIL PROTECTED]
> >Sent: Monday, October 18, 2004 2:32 PM
> >To: users@spamassassin.apache.org
> >Subject: [OFFTOPIC] Opinions on DSPAM
> >
> >
> >Good day list,
> >
> >As I've read a few articles on DSPAM claiming that it's better/faster/sexier
> >than spamassassin, I would appreciate having this list's comment on DSPAM.
> 
> Which version of SA? If they are claiming better than 3.0 I think they are
> full of it. Does DSPAM use SURBL? 
> 
> If someone uses SA 3.0 w/ SURBL and also RDJ to update files from SARE, then
> IMHO bayes isn't needed. So it becomes 'almost' a "set it and forget it"
> function to use SA. 
> 
> I would like to know how one can be better/sexier than that. 

They do sell women's underwear...

> Faster... well that might be. 
> 
> --Chris
> 


RE: spamassassin and user whitelist/blacklist prefs

2004-10-14 Thread Nate Schindler
> -Original Message-
> From: ip.guy [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 13, 2004 5:50 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: spamassassin and user whitelist/blacklist prefs
> 
> 
> ip.guy wrote:
> 
> > hi
> > 
> > my qmail server only acts as the spam/av gateway server to our internal 
> > MS server(s).
> > 
> > i need to allow users, with mail accounts on our internal server(s), to 
> > access the whitelist/blacklist functions of spamassassin but without 
> > seeing the entire list, i'm only interested in allowing them to access 
> > their own lists for security and privacy reasons
> > 
> > does this sound possible and if so is there something available that 
> > already does this kind of thing, web based of course
> > 
> 
> no takers re this one ?
> 

I'd think an SQL user_prefs and a web interface would be the easiest way to go.

See this: http://spamassassin.apache.org/full/3.0.x/dist/sql/README
and this: http://wiki.apache.org/spamassassin/WebUserInterfaces

Nate


RE: RBL Misfires?

2004-10-13 Thread Nate Schindler


> -Original Message-
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 5:14 PM
> To: users@spamassassin.apache.org
> Subject: Re: RBL Misfires?
> 
> 
> It would be useful if you could forward the messages that falsely
> trigger on RBLs, along with name resolution results on the specific
> RBL nearby in time, such as:
> 
> > % dig vantagemobility.com.ws.surbl.org

The message is attached.
I ran that exact query against my DNS server, and both my ISPs' servers at the 
time it happened.  Got basically this (nada):

; <<>> DiG 9.2.1 <<>> vantagemobility.com.ws.surbl.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;vantagemobility.com.ws.surbl.org. IN   A

;; AUTHORITY SECTION:
ws.surbl.org.   900 IN  SOA a.surbl.org. zone.surbl.org. 1097682081 900 450 604800 900

;; Query time: 247 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:17:27 2004
;; MSG SIZE  rcvd: 93

> (and similar lookups on numeric RBLs like
> dig 2.0.0.127.sbl.spamhaus.org)

; <<>> DiG 9.2.1 <<>> 2.0.0.127.sbl.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48647
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.sbl.spamhaus.org.IN  A

;; ANSWER SECTION:
2.0.0.127.sbl.spamhaus.org. 7200 IN A   127.0.0.2

;; AUTHORITY SECTION:
sbl.spamhaus.org.   172800  IN  NS  n.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  r.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  s.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  u.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  v.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  z.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  a.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  b.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  c.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  d.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  e.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  f.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  m.ns.spamhaus.org.

;; Query time: 409 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:25:29 2004
;; MSG SIZE  rcvd: 271

> 
> There have been other sporadic reports of RBL misfires, which
> leads me to wonder about the possibility of a rarely hit bug
> somewhere in the RBL code.  Unfortunately this kind of thing
> seems hard to debug given the dynamic nature of messages and
> RBLs, but there are enough reports to make me wonder
> 

Yeah... I know.  I'm not even sure if I have a problem or not.  I just recently 
turned on the report header for all mail, so that I could at least get a little 
more information without getting lost in constant debug output.  I'm keeping an 
eye on it for now.

The system, btw, is Red Hat 7.3, Sendmail 8.12.11, Spamass-Milter 0.2.0, SA 3.0 
(but I also noticed questionable RBL hits with 2.64), and Net::DNS 0.46.

The SA system is configured to use our internal DNS server, which has the 
typical default settings, afaik.
I do see cached entries for the RBLs in my DNS system, but when I actually 
catch what I believe to be a misfire on an RBL check, I don't see a cache 
record for it in my DNS.

One other thing that may be worth mentioning is that all messages come into 
sendmail from localhost.  MessageWall listens on the wire as a proxy.  The only 
obvious issue I saw with this is that SPF doesn't work.

> Jeff C.
> -- 
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/
> 
> 
From "Karl Wein" Tue Oct 12 09:55:51 2004
Microsoft Mail Internet Headers Version 2.0
Received: from blacksheep.riconcorp.com ([10.10.3.5]) by pnork.ricon.us with 
Microsoft SMTPSVC(6.0.3790.0);
 Tue, 12 Oct 2004 09:56:43 -0700
Received: from riconcorp.com (blacksheep.riconcorp.com [127.0.0.1])
by blacksheep.riconcorp.com (8.12.11/8.12.11) with ESMTP id 
i9CB3Iu1012753
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 09:56:32 -0700
X-MessageWall-Score: 0 (riconcorp.com)
X-MessageWall-Warning: MIME/REJECT: body part contains disallowed string: 
text/html
Received: from [165.251.41.49] by riconcorp.com (MessageWall 1.0.8md) with 
SMTP; 12 Oct 2004 16:56:22 -
Received: from jcmwsc09.mwjc.easylink.com (mwsmout-vip-1.mwjc.easylink.com 
[165.251.41.105])
by jcmwsm02.mwjc.easylink.com (8.12.9/8.12.9) with ESMTP id 
i9CGuLiJ008577
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 12:56:21 -0400 (EDT)
Received: from mail pickup service by jcmwsc09.mwjc.easylink.com with Microsoft 
SMTPSVC;
 Tue, 12 Oct 2004 12:56:21 -0400
Received: from 165.251.41.100 ([165.251.41.100]) by jcmwsc09.m

RE: JS and EXE test isn't working?

2004-10-12 Thread Nate Schindler
yup. ;)
wonder if anybody's filed a bug about that - maybe standard html tags should be 
ignored in the uppercase tests.

-Original Message-
From: Brett Romero [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 1:44 PM
To: Nate Schindler
Cc: users@spamassassin.apache.org
Subject: Re: JS and EXE test isn't working?



- Original Message - 
From: "Nate Schindler" <[EMAIL PROTECTED]>
To: "Brett Romero" <[EMAIL PROTECTED]>
Cc: 
Sent: Tuesday, October 12, 2004 4:37 PM
Subject: RE: JS and EXE test isn't working?




> -Original Message-
> From: Brett Romero [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 1:23 PM
> To: [EMAIL PROTECTED]
> Subject: JS and EXE test isn't working?
>
> Where is the JS/EXE test?

The MICROSOFT_EXECUTABLE test was removed in 3.0, it seems.  I guess they 
want to thicken the line between antivirus, and antispam.  *shrug* Fine with 
me.

>
> Also, what is UPPERCASE_25_50?
>

You, uh... just pasted the answer yourself ;) - "UPPERCASE_25_50 0.10 
message body is 25-50% uppercase"
I don't think that can be any more clear, except to paraphrase that the 
message was 25%-50% "screaming" e.g. "IT'S A BRAND NEW CAR!!!"

Nate


The only visible text to the user is "testing", which is lower case.  Are 
you saying I'm being penalized because the HTML tags are in upper case?

Thanks,
Brett 



RE: JS and EXE test isn't working?

2004-10-12 Thread Nate Schindler


> -Original Message-
> From: Brett Romero [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 1:23 PM
> To: [EMAIL PROTECTED]
> Subject: JS and EXE test isn't working?
>
> Where is the JS/EXE test?

The MICROSOFT_EXECUTABLE test was removed in 3.0, it seems.  I guess they want 
to thicken the line between antivirus, and antispam.  *shrug* Fine with me.

> 
> Also, what is UPPERCASE_25_50?  
> 

You, uh... just pasted the answer yourself ;) - "UPPERCASE_25_50 0.10 message 
body is 25-50% uppercase"
I don't think that can be any more clear, except to paraphrase that the message 
was 25%-50% "screaming" e.g. "IT'S A BRAND NEW CAR!!!"

Nate


RE: RBL Misfires?

2004-10-12 Thread Nate Schindler
> -Original Message-
> From: Kelson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 10:57 AM
> To: users@spamassassin.apache.org
> Subject: Re: RBL Misfires?
> Most likely scenario:
> 
> 1. Someone erroneously reports the domain name to SURBL.
> 2. You receive and scan the message, which fires on URIBL_WS_SURBL.
> 3. Someone else realizes the listing is invalid, and it gets removed 
> from ws.surbl.org.
> 4. You read the message, wonder why the heck it triggered a SURBL check, 
> and look it up.  Since it's already been removed, you don't find it.

This is a sound hypothesis, but I was actually watching the log at the time, 
and tried looking it up only moments after the test hit.
I looked at our internal DNS cache, and my ISPs' DNS servers with dig.  Couldn't 
find it in any of those.

If nobody else has ever heard of DNS tests misfiring like this, or doesn't think 
this could be a real problem, I'll assume it was cached in DNS *somewhere*.

Thanks,

Nate


RBL Misfires?

2004-10-12 Thread Nate Schindler
Once in a while, I notice a hit for an RBL-related test that seems a little off.  When I check for the existence of a record in the list, I can't find one.  Below is a match SA 3 found in an e-mail from one of our dealers.  I thought it was curious that they were listed, so I checked into it, and couldn't find this domain in surbl.  This isn't limited to URIBL lists.  I've noticed misfires in most of the lists SA checks.  My Net::DNS is v0.46.

*  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*      [URIs: vantagemobility.com]

Any ideas?

TIA,

Nate
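Added example, not code from this thread and not SpamAssassin's own RBL code: the dig queries quoted in the "RE: RBL Misfires?" reply earlier on this page (2.0.0.127.sbl.spamhaus.org answering 127.0.0.2, vantagemobility.com.ws.surbl.org answering NXDOMAIN) and the URIBL_WS_SURBL hit in this post come down to two steps, building the query name for the list and interpreting the answer. The Python below does both. CONSTRUCTED_DNS holds answers constructed to mirror the quoted dig output so the demo runs offline; system_resolver() is the only function that touches the network and the demo does not call it.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(value, zone):
    """Build the name to look up in a DNS blocklist zone.

    IP-keyed lists such as sbl.spamhaus.org are queried with the octets
    reversed: 127.0.0.2 -> 2.0.0.127.sbl.spamhaus.org. Domain-keyed lists such
    as ws.surbl.org are queried with the domain itself:
    vantagemobility.com -> vantagemobility.com.ws.surbl.org.
    """
    try:
        octets = ipaddress.IPv4Address(value).exploded.split(".")
        key = ".".join(reversed(octets))
    except ipaddress.AddressValueError:
        key = value.strip().strip(".").lower()
    return f"{key}.{zone}"


def dnsbl_verdict(answers):
    """Interpret the A records returned for a blocklist query.

    NXDOMAIN (None or an empty list) means 'not listed'. Addresses inside
    127.0.0.0/8 are real listings (the last octet is the list's sub-code).
    Anything else is not a valid listing and should be logged rather than
    scored: it usually means a wildcarding resolver or a dead list that
    answers for every name.
    """
    if not answers:
        return ("not listed", [])
    codes = [a for a in answers if ipaddress.IPv4Address(a) in LISTED_RANGE]
    if codes:
        return ("listed", codes)
    return ("invalid", list(answers))


def check_dnsbl(value, zone, resolve_a):
    """resolve_a(name) -> list of A-record strings, or None for NXDOMAIN."""
    return dnsbl_verdict(resolve_a(dnsbl_query_name(value, zone)))


def system_resolver(name):
    """Live lookup through the system resolver (hosts file, nsswitch, resolv.conf).

    Not used by the demo. Note this is a different path from both dig (which
    asks a nameserver directly) and SA's Net::DNS, so a cached answer can
    differ between the three.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return None


# Constructed answers that mirror the two dig results quoted in the thread:
# the SBL test entry is listed with 127.0.0.2, the SURBL name is NXDOMAIN.
CONSTRUCTED_DNS = {
    "2.0.0.127.sbl.spamhaus.org": ["127.0.0.2"],
    "vantagemobility.com.ws.surbl.org": None,
}


def constructed_resolver(name):
    return CONSTRUCTED_DNS.get(name)


if __name__ == "__main__":
    print(check_dnsbl("127.0.0.2", "sbl.spamhaus.org", constructed_resolver))
    print(check_dnsbl("vantagemobility.com", "ws.surbl.org", constructed_resolver))
```

When chasing a suspected misfire, the useful thing to record at the moment the rule fires is the raw answer (which 127.0.0.x code, or NXDOMAIN, and from which server), since a listing removed minutes later leaves no trace in a later dig.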
RE: Spamass-milter 0.2.0 and spamassassin 3.0

2004-10-10 Thread Nate Schindler
It works with one slight problem fixed in CVS already.
If set, the reject threshold (-r ) in 0.2.0 looks for "hits" instead of 
"score".

If you set  to -1 (reject anything tagged as spam), 0.2.0 works fine.


-Original Message-
From: Randall Perry [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 10, 2004 12:45 PM
To: users@spamassassin.apache.org
Subject: Spamass-milter 0.2.0 and spamassassin 3.0


Do these 2 work together?

Checked the spamass-milter site and docs and couldn't find any ref to
spamassassin 3.0.

-- 
Randall Perry
sysTame

Xserve Web Hosting/Co-location
Website Design/Development
WebObjects Hosting
Mac Consulting/Sales

http://www.systame.com/




RE: AWL auto_expire?

2004-10-08 Thread Nate Schindler
awesome!  looks like it removes addresses seen only once.  it also seems to be 
okay with SA 3.0.

Thanks much! (Kris, too:)

-Original Message-
From: snowjack [mailto:[EMAIL PROTECTED]
Sent: Friday, October 08, 2004 4:21 PM
To: users@spamassassin.apache.org
Subject: Re: AWL auto_expire?


Nate Schindler wrote:
> Just a curiosity question for now - is auto-expiring the AWL a planned 
> feature?
> My auto-whitelist is about 3x the size of bayes_toks.  I imagine it'll 
> become problematic eventually, since it's only growing.
> 
> ...or is there already some way to expire old entries from the AWL, and 
> i'm just a 'tard? or both?

I use this successfully with SA 2.64. I run it automatically once per 
month. (Thanks, Kris!)

http://www.deepnet.cx/~kdeugau/spamtools/trim_whitelist


AWL auto_expire?

2004-10-08 Thread Nate Schindler

Just a curiosity question for now - is auto-expiring the AWL a planned feature?

My auto-whitelist is about 3x the size of bayes_toks.  I imagine it'll become problematic eventually, since it's only growing.

...or is there already some way to expire old entries from the AWL, and i'm just a 'tard? or both?

Thanks,

Nate

RE: Oh where, oh where does my bayes_journal go?

2004-10-08 Thread Nate Schindler
a --sync operation is performed when you sa-learn things.  This commits the 
journal to the database, and removes the file.
it's recreated, written to, committed, and removed automatically when needed.  
sa-learn just forces this to happen whenever it's run.

it's by design.

-Original Message-
From: Ed Kasky [mailto:[EMAIL PROTECTED]
Sent: Friday, October 08, 2004 3:09 PM
To: [EMAIL PROTECTED]
Subject: Oh where, oh where does my bayes_journal go?


I am currently running SA 3.0.0 with a site wide bayes and spamd running as 
user spamd.

Database is in /home/spamd

When I pipe false negatives through sa-learn, the bayes_journal file 
disappears.  Is this by design or is there something I need to change or fix?

Thanks...

Ed
. . . . . . . .
"It's not a very big step from contentment to complacency."
 - Simone De Beauvoir




RE: [OT] Uptime was [scan times up!]

2004-10-05 Thread Nate Schindler
they mean microsoft equipment... :)

-Original Message-
From: Andy Jezierski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 3:13 PM
To: users@spamassassin.apache.org
Subject: [OT] Uptime was [scan times up!]


Ken Goods <[EMAIL PROTECTED]> wrote on 10/05/2004 04:50:30 PM:

> Spamassassin, and ClamAV. It is currently processing 5 to 8 thousand
emails
> a day and has been up for 68 days. Here's a current snapshot of top:
>

A sad day is coming on Thursday, I have to re-boot a router at one of our
remote locations to install a new card.
I always loved showing this to people who insisted that you should re-boot
equipment periodically.

anrtr1>sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-JS-M), Version 12.1(5)T,  RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Sat 11-Nov-00 07:24 by ccai
Image text-base: 0x60008950, data-base: 0x61476000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE
SOFTWARE (fc1)

anrtr1 uptime is 3 years, 23 weeks, 1 day, 15 hours, 58 minutes
System returned to ROM by power-on
System restarted at 23:10:31 PDT Thu Apr 26 2001
System image file is "flash:c3640-js-mz.121-5.T.bin"


Heavy Sigh...

Andy



RE: Global Whitelist_from not working

2004-10-04 Thread Nate Schindler
You can either set up an SQL database for user_prefs to hold both global and 
user-specific entries - that's how I'm doing it, or according to Theo:

"a quick workaround for this problem, btw, is running spamd with
"--max-conn-per-child=1".  it essentially reverts spamd to the 2.x way, and each
child only processes 1 message before exiting."

The doc for SQL user_prefs is here: 
http://spamassassin.apache.org/full/3.0.x/dist/sql/README

In my case, I have no local users (~/ doesn't exist) and I was running MySQL 
for something else anyway... so it just made sense to put my settings in MySQL 
rather than using "--virtual-config-dir=".

N8

-Original Message-
From: Randy Gibson [mailto:[EMAIL PROTECTED]
Sent: Monday, October 04, 2004 4:31 PM
To: 'Marco van den Bovenkamp'; users@spamassassin.apache.org
Subject: RE: Global Whitelist_from not working


I really like ability to put global whitelist_from's in the local.cf for 
company wide whitelisting.  And put user specific whitelist_from's in their
~/.spamassassin/user_prefs.  This allows users to maintain their personal 
white and black lists.  This also keeps users out of the systems wide 
configuration file. 


~Randy

* Don't read everything you believe.

-Original Message-
From: Marco van den Bovenkamp [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 04, 2004 11:00 AM
To: users@spamassassin.apache.org
Subject: Re: Global Whitelist_from not working

Randy Gibson wrote:

>  I'm not using SQL so I don't have a place to put the @GLOBAL. Should I
> put it in my local.cf?

If you're using user_pref files, try putting them in there; if the 
problem is indeed 'whitelist entries are taken from the last place spamd 
looks for them' (as it seems to be), that might work. If you're not, run 
spamd with the '-x' option to disable scanning for user_prefs and only 
look in local.cf. The latter option worked for me.

-- 

Groeten,

Marco.



FW: Global Whitelist_from not working

2004-10-01 Thread Nate Schindler
I think I found an answer to this on my own.  It seems as though when spamd 
hits the SQL database, it starts ignoring whitelist_from entries in local.cf.

I noticed in the debug output that it also looks for "@GLOBAL" in the SQL 
database, which I wasn't aware of.
so... I put an @GLOBAL whitelist_from record in the SQL database, and it hits 
consistently.

Is this by design?  I don't remember seeing anything in the docs about this 
change.

Thanks,
Nate

-Original Message-
From: Nate Schindler 
Sent: Friday, October 01, 2004 12:55 PM
To: 'users@spamassassin.apache.org'
Subject: RE: Global Whitelist_from not working


I have a similar problem with whitelist_from entries in local.cf.  --lint shows 
no issues.
What's happening with me is that whitelist_from works for the first few hits, 
then it stops working entirely.
the line in local.cf says "whitelist_from [EMAIL PROTECTED]"

Running spamd in debug mode, I caught one that worked, and one that didn't.  It 
doesn't really explain why, but below is the area of the log where the change 
in the score is or isn't taking place.  Is it possible for SQL user_prefs to 
override local.cf for some reason?  I use local.cf for my "real" config, and 
SQL user_prefs only for custom user thresholds such as 
,required_hits,100,

The one that worked where 'score so far' changes from 0 to -100:

Oct  1 11:56:56 blacksheep spamd[23696]: debug: all '*From' addrs: [EMAIL PROTECTED]
Oct  1 11:56:56 blacksheep spamd[23696]: debug: Running tests for priority: 0
Oct  1 11:56:56 blacksheep spamd[23696]: debug: running header regexp tests; score so far=0
Oct  1 11:56:56 blacksheep spamd[23696]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:56:56 blacksheep spamd[23696]: debug: all '*To' addrs: [EMAIL PROTECTED]
Oct  1 11:56:56 blacksheep spamd[23696]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:56:56 blacksheep spamd[23696]: debug: running body-text per-line regexp tests; score so far=-100

The one that didn't work where 'score so far' remains 0:

Oct  1 11:58:15 blacksheep spamd[23701]: debug: all '*From' addrs: [EMAIL PROTECTED]
Oct  1 11:58:15 blacksheep spamd[23701]: debug: Running tests for priority: 0
Oct  1 11:58:15 blacksheep spamd[23701]: debug: running header regexp tests; score so far=0
Oct  1 11:58:15 blacksheep spamd[23701]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:58:15 blacksheep spamd[23701]: debug: all '*To' addrs: [EMAIL PROTECTED]
Oct  1 11:58:15 blacksheep spamd[23701]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:58:15 blacksheep spamd[23701]: debug: running body-text per-line regexp tests; score so far=0

So, it would seem that the header regexp tests aren't consistently working, and 
it's only after spamd has processed a few messages.
Any ideas?

TIA,
Nate

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Friday, October 01, 2004 11:35 AM
To: Randy Gibson; users@spamassassin.apache.org
Subject: Re: Global Whitelist_from not working


At 01:29 PM 10/1/2004, Randy Gibson wrote:
>Since upgrading to SA3.0 user_prefs whitelist_from work
>but not local.cf whitelist_from.

1) check for syntax errors.. run spamassassin --lint. If SA's parser gets 
sufficiently confused it can dump a whole config file.

2) You sure you have the right local.cf? check spamassassin --lint -D to 
see what site_config path SA is using.
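An added example, not from this thread and not from SpamAssassin's distribution: a sqlite-backed sketch of the userpref table and the @GLOBAL convention that this post and the "RE: Global Whitelist_from not working" reply above discuss, with a site-wide whitelist_from row next to a per-user required_hits row like the ",required_hits,100," entry mentioned above. The table layout follows the userpref table in the sql/README linked above with MySQL column types reduced for sqlite (an assumption about that README; check it against the copy you run). The merge rule in effective_prefs() illustrates config-file precedence (a later scalar setting wins, list settings accumulate) and is not SpamAssassin's own lookup code. All addresses and thresholds are constructed.

```python
import sqlite3

# Table layout after the userpref table described in SpamAssassin's sql/README
# (MySQL column types reduced to what sqlite understands); prefid autoincrements.
SCHEMA = """
CREATE TABLE userpref (
  prefid     INTEGER PRIMARY KEY AUTOINCREMENT,
  username   VARCHAR(100) NOT NULL DEFAULT '',
  preference VARCHAR(30)  NOT NULL DEFAULT '',
  value      VARCHAR(100) NOT NULL DEFAULT ''
);
CREATE INDEX userpref_username ON userpref (username);
"""

GLOBAL_USER = "@GLOBAL"  # the pseudo-user spamd consults for site-wide rows
LIST_PREFS = {"whitelist_from", "blacklist_from", "whitelist_to", "blacklist_to"}


def open_prefs_db():
    """Create an empty in-memory userpref table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_pref(conn, username, preference, value):
    """Insert one (username, preference, value) row, e.g. (@GLOBAL, whitelist_from, addr)."""
    conn.execute(
        "INSERT INTO userpref (username, preference, value) VALUES (?, ?, ?)",
        (username, preference, value),
    )
    conn.commit()


def effective_prefs(conn, username):
    """Merge @GLOBAL rows with the user's own rows.

    Rows are applied in config-file order: @GLOBAL first, then the user's,
    each by prefid. A scalar such as required_hits is overridden by a later
    row; list-type settings accumulate. This merge rule is an illustration of
    that precedence, not SpamAssassin's own code.
    """
    rows = conn.execute(
        "SELECT preference, value FROM userpref WHERE username IN (?, ?) "
        "ORDER BY CASE username WHEN ? THEN 0 ELSE 1 END, prefid",
        (GLOBAL_USER, username, GLOBAL_USER),
    ).fetchall()
    merged = {}
    for pref, value in rows:
        if pref in LIST_PREFS:
            merged.setdefault(pref, []).append(value)
        else:
            merged[pref] = value
    return merged


def build_demo_db():
    """Constructed data: a site-wide whitelist entry plus per-user overrides."""
    conn = open_prefs_db()
    add_pref(conn, GLOBAL_USER, "whitelist_from", "partner@example.test")
    add_pref(conn, GLOBAL_USER, "required_hits", "5")
    add_pref(conn, "sales@example.test", "required_hits", "100")
    add_pref(conn, "sales@example.test", "whitelist_from", "dealer@example.test")
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for user in ("sales@example.test", "other@example.test"):
        print(user, effective_prefs(db, user))
```

The point of keeping the site-wide entries under @GLOBAL is that every user lookup picks them up, whereas a whitelist_from that lives only in local.cf is, per the debug output above, not what spamd ends up using once it has switched to the SQL prefs.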



RE: Global Whitelist_from not working

2004-10-01 Thread Nate Schindler
I have a similar problem with whitelist_from entries in local.cf.  --lint shows 
no issues.
What's happening with me is that whitelist_from works for the first few hits, 
then it stops working entirely.
the line in local.cf says "whitelist_from [EMAIL PROTECTED]"

Running spamd in debug mode, I caught one that worked, and one that didn't.  It 
doesn't really explain why, but below is the area of the log where the change 
in the score is or isn't taking place.  Is it possible for SQL user_prefs to 
override local.cf for some reason?  I use local.cf for my "real" config, and 
SQL user_prefs only for custom user thresholds such as 
,required_hits,100,

The one that worked where 'score so far' changes from 0 to -100:

Oct  1 11:56:56 blacksheep spamd[23696]: debug: all '*From' addrs: [EMAIL PROTECTED]
Oct  1 11:56:56 blacksheep spamd[23696]: debug: Running tests for priority: 0
Oct  1 11:56:56 blacksheep spamd[23696]: debug: running header regexp tests; score so far=0
Oct  1 11:56:56 blacksheep spamd[23696]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:56:56 blacksheep spamd[23696]: debug: all '*To' addrs: [EMAIL PROTECTED]
Oct  1 11:56:56 blacksheep spamd[23696]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:56:56 blacksheep spamd[23696]: debug: running body-text per-line regexp tests; score so far=-100

The one that didn't work where 'score so far' remains 0:

Oct  1 11:58:15 blacksheep spamd[23701]: debug: all '*From' addrs: [EMAIL PROTECTED]
Oct  1 11:58:15 blacksheep spamd[23701]: debug: Running tests for priority: 0
Oct  1 11:58:15 blacksheep spamd[23701]: debug: running header regexp tests; score so far=0
Oct  1 11:58:15 blacksheep spamd[23701]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:58:15 blacksheep spamd[23701]: debug: all '*To' addrs: [EMAIL PROTECTED]
Oct  1 11:58:15 blacksheep spamd[23701]: debug: SPF: message was delivered entirely via trusted relays, not required
Oct  1 11:58:15 blacksheep spamd[23701]: debug: running body-text per-line regexp tests; score so far=0

So, it would seem that the header regexp tests aren't consistently working, and 
it's only after spamd has processed a few messages.
Any ideas?

TIA,
Nate

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Friday, October 01, 2004 11:35 AM
To: Randy Gibson; users@spamassassin.apache.org
Subject: Re: Global Whitelist_from not working


At 01:29 PM 10/1/2004, Randy Gibson wrote:
>Since upgrading to SA3.0 user_prefs whitelist_from work
>but not local.cf whitelist_from.

1) check for syntax errors.. run spamassassin --lint. If SA's parser gets 
sufficiently confused it can dump a whole config file.

2) You sure you have the right local.cf? check spamassassin --lint -D to 
see what site_config path SA is using.
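As an added diagnostic (not part of the post, not SpamAssassin code): spamd debug excerpts like the two above are easy to triage with a small parser instead of reading them by eye. This Python groups lines by child pid, records the 'score so far' at the header-regexp and body-text stages, and lists the pids where a whitelisted sender did not receive the -100. CONSTRUCTED_LOG is constructed to reproduce the two runs above with placeholder addresses, and the one-line syslog layout (timestamp, host, "spamd[pid]: debug: ...") is assumed.

```python
import re
from collections import defaultdict

# Syslog prefix, spamd child pid, then the debug message. Assumes the one-line
# layout shown in the thread: "Oct  1 11:56:56 host spamd[23696]: debug: ...".
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ spamd\[(?P<pid>\d+)\]: debug: (?P<msg>.*)$"
)
SCORE_RE = re.compile(
    r"running (?P<stage>header regexp|body-text per-line regexp) tests; "
    r"score so far=(?P<score>-?\d+(?:\.\d+)?)"
)
FROM_RE = re.compile(r"all '\*From' addrs: (?P<addrs>.+)$")

WHITELIST_SCORE = -100.0  # what USER_IN_WHITELIST contributes at the header stage


def parse_spamd_debug(lines):
    """Group debug lines by child pid; keep the From addresses and stage scores."""
    per_pid = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        fm = FROM_RE.search(msg)
        if fm:
            per_pid[pid]["from"] = fm.group("addrs").split()
        sm = SCORE_RE.search(msg)
        if sm:
            per_pid[pid][sm.group("stage")] = float(sm.group("score"))
    return dict(per_pid)


def whitelist_applied(record):
    """True/False when both stage scores were logged, else None.

    The whitelist shows up as the score dropping by 100 between the
    header-regexp stage and the body-text stage.
    """
    header = record.get("header regexp")
    body = record.get("body-text per-line regexp")
    if header is None or body is None:
        return None
    return (body - header) == WHITELIST_SCORE


def find_missed_whitelist(lines, whitelisted):
    """Return pids whose sender is whitelisted but where no whitelist score appeared."""
    missed = []
    for pid, record in sorted(parse_spamd_debug(lines).items()):
        if any(addr in whitelisted for addr in record.get("from", [])):
            if whitelist_applied(record) is False:
                missed.append(pid)
    return missed


# Constructed sample reproducing the two runs in the thread: child 23696 gets
# the -100, child 23701 does not. Addresses are placeholders.
CONSTRUCTED_LOG = """\
Oct  1 11:56:56 blacksheep spamd[23696]: debug: all '*From' addrs: partner@example.test
Oct  1 11:56:56 blacksheep spamd[23696]: debug: Running tests for priority: 0
Oct  1 11:56:56 blacksheep spamd[23696]: debug: running header regexp tests; score so far=0
Oct  1 11:56:56 blacksheep spamd[23696]: debug: running body-text per-line regexp tests; score so far=-100
Oct  1 11:58:15 blacksheep spamd[23701]: debug: all '*From' addrs: partner@example.test
Oct  1 11:58:15 blacksheep spamd[23701]: debug: Running tests for priority: 0
Oct  1 11:58:15 blacksheep spamd[23701]: debug: running header regexp tests; score so far=0
Oct  1 11:58:15 blacksheep spamd[23701]: debug: running body-text per-line regexp tests; score so far=0
""".splitlines()

if __name__ == "__main__":
    print(find_missed_whitelist(CONSTRUCTED_LOG, {"partner@example.test"}))
```

Because the grouping is per pid, running this over a day of debug output shows whether the failures cluster on long-lived children (as the "after a few messages" observation suggests) or are spread evenly, which is the first thing to know before blaming the SQL prefs path.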



RE: spoofed Received header

2004-09-30 Thread Nate Schindler

> Perhaps you might consider a disposable-email-address 
> factory.  Generate a disposable email address that forwards 
> to your real email address.  Then sign the disposable email 
> address up for the list.
> 
> If you start getting spam at that email address, discontinue 
> the email address.  If you want to remain subscribed to the 
> mailing list, generate another disposable email address.

I do this for my personal server. It's easy to do this with sendmail.  It's not 
so easy with Exchange/Outlook which is what work uses, unfortunately.  But 
yeah, it is a really great way to track where spammers get your address and 
keep your primary spam-free. :)

> 
> [EMAIL PROTECTED]  805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com Software Engineer
> perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
> 


RE: spoofed Received header

2004-09-30 Thread Nate Schindler


> -Original Message-
> From: Kris Deugau [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 30, 2004 3:24 PM
> To: users@spamassassin.apache.org
> Subject: Re: spoofed Received header
>
> Er, I think you're getting your terminology mixed up.  Those are usually
> considered to be the same thing (ie, the SMTP "MAIL FROM:" == envelope
> sender).  I think you mean the "From:" field in the message headers
> instead of "envelope from".

Yeah, sorry.  I took a 50/50 shot at getting my terms right.  I'm not running 
for president. ;)

> Er...  You don't want mail that you send to the list to appear as if you
> wrote it?  That's what you're asking for here...

Yes and no.  I think it should be clear that it wasn't sent directly by me, but 
show for informational purposes that I wrote the content.  This is somewhat 
done in practice by prepending [listname] to the message subject, and having 
the reply-to point to the list.
Anyway, my complaint wasn't about mailing list software, and this wouldn't be 
the place for that anyway.  What I was attempting to say, which somewhat 
applied to this original thread, was that we do block From headers that claim to 
be our domain.  It works wonders for combatting spam and viruses, but you don't 
get your own mail back from lists. *shrug*

Below is one example (I have quite a few) of why I do this - a social 
engineering attack sent before I put this policy in place.  I don't expect my 
regional sales managers to know that this wasn't legitimate, although I do my 
best to educate the users.  This appeared to come from [EMAIL PROTECTED]:



Dear user of Riconcorp.com gateway e-mail server,

We  warn  you about some attacks  on your  e-mail account. Your computer may
contain  viruses, in order  to keep your  computer and e-mail  account safe,
please, follow the instructions.

For details see the attached  file.

For  security reasons  attached file is password protected. The  password is 
"14083".

Sincerely,
 The Riconcorp.com team
http://www.riconcorp.com


RE: spoofed Received header

2004-09-30 Thread Nate Schindler


> -Original Message-
> From: Will Yardley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 30, 2004 12:58 PM
> To: users@spamassassin.apache.org
> Subject: Re: spoofed Received header
> 
> 
> On Thu, Sep 30, 2004 at 12:50:04PM -0700, Nate Schindler wrote:
> 
> > I actually block all incoming mail that claims to be from my domain.
> > The only problem is that I don't get copies of messages that I send to
> > some lists, such as this one.  But... as far as I'm concerned, if a
> > mail server isn't listed as an MX for , it should use
> >  in the mail from or envelope from fields.  It's a
> > wide open hole for spam and social engineering attacks.
> 
> Should or should not?
> And what does being listed as an MX have to do with sending mail? It's
> completely reasonable for a server not listed as an MX for a domain to
> send mail "from" that domain. Or am I misunderstanding what you're
> saying?

Sorry, i meant should NOT. :)
According to the RFCs (from what I've seen) MX records are *not* required for 
sending servers.  This is a problem.  Unfortunately, it's difficult to validate 
a source machine when an MX record doesn't exist.  Even when we had a send-only 
server, we had a low-priority MX record for it.  Many anti-spam packages do RMX 
lookups, if not to validate 'mail from', to at least see if records exist for 
it at all to make it seem more like a legitimate mail host.

> 
> > I was actually surprised to see that even anti-spam lists such as this
> > one spoof the envelope from field. :/
> 
> What are you talking about?
> 
> Any reasonable MLM (including the one used for this list, which I
> believe is EZMLM) rewrites the envelope address to its own.
> 
> Because the MLM used by this list uses VERP, your address is 
> embedded in
> the envelope-address - maybe your filters just aren't configured
> properly?
> 

There are two From lines in an incoming message, mail from, and the envelope 
from which is in the data portion.  We scan only the envelope from field for 
our domain name, because it's what users see.  For example, in your reply, my 
mail client says the message is from "[EMAIL PROTECTED]".  When I click Reply, 
I have to change the To field so that it gets back to the list, instead of 
directly to you.  I know this is how list servers work, but I don't agree with 
it.

I did mis-state what I said above.  Technically, it's not "spoofed".  Having 
the original sender in the envelope from field, even though the message isn't 
being delivered by the original mail server, is allowed according to the 
RFCs... but when it comes to getting a virus that uses my address in the 
envelope from field, should I say that wasn't spoofed either?
There's also the point that with these list archives, since address obfuscation 
is either very simple, or nonexistent, scouring bots can acquire our addresses.

I try to treat my e-mail address as if it were my personal phone number.  I 
don't sign up with many mailing lists for this reason... but I love 
SpamAssassin, so I've made an exception. ;)  Well, that, and I wanted to track 
issues with v3.

Anyway, IMO, when my mail server hands a message off to another external 
system, it's no longer a trusted message.  It shouldn't come back in claiming 
to be from us anymore in either from field, and I'll happily bounce it right 
back.  It's a flaw in the standard which is exploited by spammers and virus 
programmers.  There are ietf drafts for using rmx validation for sending hosts, 
but who knows if those'll ever become anything solid.

Nate


> From 
> [EMAIL PROTECTED]
> 
> 


RE: spoofed Received header

2004-09-30 Thread Nate Schindler
I actually block all incoming mail that claims to be from my domain.  The only 
problem is that I don't get copies of messages that I send to some lists, such 
as this one.
But... as far as I'm concerned, if a mail server isn't listed as an MX for 
, it should use  in the mail from or envelope 
from fields.  It's a wide open hole for spam and social engineering attacks.
I was actually surprised to see that even anti-spam lists such as this one 
spoof the envelope from field. :/
Oh, well... I still get everyone else's posts.

Nate

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 3:22 PM
To: users@spamassassin.apache.org
Subject: Re: spoofed Received header


> Received: from 64.239.129.105 ([:::219.144.149.91])
> From: "Trina Parr" <[EMAIL PROTECTED]>
>
> where in Received: 1st ip is my mx, but 2nd is spammers host
> and in From: name is some arbitrary name with my email address
>
> is it possible to make regex in local.cf that would check that both ips in
> Received are the same?

Yes, but it can get tricky, because there are so many received formats.

A very simple test could be something like

/64\.239\.129\.105 \(\[(?!64\.239\.129\.105).{1,20}\]\)/

Assuming I typed that right it will check for a double-dotquad format where
the second doesn't match and the first one matches.  Of course you could
have a hostname between the ([ characters, so you really should handle that
somehow.  Perhaps insert a [\w\.]{0,50} or the like there.

I've got a cold and am not thinking too clearly at the moment, so I don't
know how many legit things that might declare to be bogus.  You could try it
with a real low score and see what sort of things it hits on.  Maybe it
would work for you.

Loren
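A worked version of the check Loren sketches above, as an added example that is not code from the thread: it parses the "from X (host [ip])" shape of a Received line, tolerates a HELO hostname before the bracketed address (the case Loren says should be handled) and an IPv4-mapped ::ffff: prefix, and flags lines that name our MX but were actually recorded from another address. The MX address, host names and sample headers are constructed for the example.

```python
import re

# Constructed value standing in for "my MX" from Loren's example.
MY_MX = "64.239.129.105"

# Matches "from <claimed> (<optional hostname> [<ip>])": <claimed> is what
# the sending host called itself, <real_ip> is the address the receiving
# MTA actually saw. The optional hostname group covers the "([" vs
# "(host [" variation; the ::ffff: prefix covers IPv4-mapped addresses.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s*"
    r"\((?:(?P<helo_host>[\w.\-]{0,50})\s*)?"
    r"\[(?:IPv6:)?(?:::ffff:)?(?P<real_ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)


def parse_received(header: str):
    """Return (claimed, real_ip) from a Received header, or None when the
    line does not have the "from X (host [ip])" shape the regex expects."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return m.group("claimed"), m.group("real_ip")


def claims_my_mx_but_is_not(header: str, my_mx: str = MY_MX) -> bool:
    """True when the sender named itself with our MX address but the
    connecting IP recorded by the receiving MTA is a different address.
    Unparseable Received lines are not flagged, to limit false positives."""
    parsed = parse_received(header)
    if parsed is None:
        return False
    claimed, real_ip = parsed
    return claimed == my_mx and real_ip != my_mx


# Constructed sample headers (not taken from the thread).
SAMPLES = {
    # a remote host claiming to be the MX, the thread's case
    "spoof": "Received: from 64.239.129.105 ([::ffff:219.144.149.91]) by mx.example.net",
    # same claim, with a HELO hostname before the bracketed address
    "spoof_host": "Received: from 64.239.129.105 (mail.example.org [219.144.149.91]) by mx.example.net",
    # genuine hop from the MX itself
    "legit": "Received: from 64.239.129.105 (mx.example.net [64.239.129.105]) by mail.example.net",
    # unrelated host that makes no such claim
    "other": "Received: from smtp.example.com (smtp.example.com [198.51.100.7]) by mx.example.net",
}
```

Run with a low score first, as Loren suggests, and review what it hits: a legitimate relay that presents its own address in HELO will not match, but unusual Received formats may not parse at all.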



RE: How did this not get tagged??

2004-09-27 Thread Nate Schindler
BAYES_40=-1.096
HTML_90_100=0.022
HTML_IMAGE_RATIO_02=0.018
HTML_MESSAGE=0.001
MIME_HTML_ONLY=0.177
RCVD_IN_BL_SPAMCOP_NET=1.216
RCVD_IN_SBL=0.107
URIBL_SBL=0.996
URIBL_WS_SURBL=1.462
OPTO_HEADER=?
SARE_MSGID_EMPTY=?

Not finding two of these tests on my system or in the list at the site, I'm getting 2.9 from adding up the others.  At least one of those two other tests seems to have brought the score down.

Simply because a message has a lot of test hits doesn't mean much.  Many tests bring the score down.  Bayes here, for example, knocked the score down by 1.096.  Bayes can really screw things up if it's not properly trained.  It doesn't even ADD to the score unless it has at least 50% probability.

-Original Message-
From: Robert Leonard [mailto:[EMAIL PROTECTED]
Sent: Monday, September 27, 2004 10:31 AM
To: users@spamassassin.apache.org
Subject: How did this not get tagged??

I got the following in my headers.. I'm not sure how this could possibly score so low, with all the hits it received...

X-Spam-Status: No, hits=2.2 required=6.0
    tests=BAYES_40,HTML_90_100,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,OPTO_HEADER,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL,SARE_MSGID_EMPTY,URIBL_SBL,URIBL_WS_SURBL
    version=3.0.0
X-Spam-Bayes: 0.3934
X-Spam-Pyzor: Reported 0 times.


whitelist_from broken?

2004-09-24 Thread Nate Schindler
whitelist_from in v3 seems inconsistent.  after a service restart, it fires correctly about 5 times.  after that, it stops working entirely.

anybody else having this issue?

Thanks,

Nate


Auto learn as Ham when ALL_TRUSTED?

2004-09-24 Thread Nate Schindler
Looks like others are posting this question as well, but I couldn't see it in the archives...

I recently upgraded to v3.  Everything looks great so far, except one change that I can't seem to figure out.

We have an internal Exchange server, and SpamAssassin running on a different machine, but on the same private network.

I use clear_trusted_networks, and clear_internal_networks in my config, because I want messages from the inside learned the same as messages from the outside.  I force outgoing mail to pass with a 'whitelist_from ' line so that the messages themselves are scored the same, but the threshold is just higher.

So... after upgrading to v3, I see a new test in the log - ALL_TRUSTED.  It seems that any message that matches this test (e.g. all outgoing mail) is auto-learned as ham, no matter what the score is.

I'd like to make it stop doing this, if possible, and make it learn outgoing mail based on the same criteria as incoming mail like it did in 2.64.

Otherwise, congratulations SA people on a job well done.  SA is the best thing since chocolate pop-tarts!

N8