Re: Microsoft blacklisted?

2006-11-14 Thread SM

At 18:56 13-11-2006, Philip Prindeville wrote:

I recently saw an email get bounced that was legitimately coming
from Microsoft:


[snip]



I've put into my spamassassin/sa-mimedefang.cf file:

whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com


What am I missing at this point?

Does the 2nd arg to the whitelist_from_rcvd need to be
maila.microsoft.com instead?


Yes.

Regards,
-sm 



Re: White listing yahoo groups

2006-11-14 Thread SM

At 07:01 14-11-2006, Bill Moseley wrote:

Should I try and white list the hosts?  Or better to give a large
negative score?


Yes, if you don't receive spam from these hosts.


Can their use of DomainKeys be used in my scoring?


See whitelist_from_dk [EMAIL PROTECTED] example.com

The signing domain (last parameter) is optional.

Regards,
-sm 



Re: Microsoft blacklisted?

2006-11-14 Thread SM

At 11:49 14-11-2006, Philip Prindeville wrote:

The problem with this is that the DNS returns the response (of the multiple
PTR records) in no particular order, so looking up the rDNS can return
one of three different names...

# nslookup
> set type=any
> server ns4.msft.net.
Default server: ns4.msft.net.
Address: 207.46.66.126#53
> 212.115.107.131.in-addr.arpa
Server: ns4.msft.net.
Address: 207.46.66.126#53

212.115.107.131.in-addr.arpa name = mail1.microsoft.com.
212.115.107.131.in-addr.arpa name = smtp.microsoft.com.
212.115.107.131.in-addr.arpa name = maila.microsoft.com.



So, if I put:

whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com


Then use:

whitelist_from_rcvd [EMAIL PROTECTED] microsoft.com

Regards,
-sm 
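To make the multiple-PTR point concrete, here is an added example (not code from the thread or from SpamAssassin) that applies whitelist_from_rcvd matching to the three PTR names shown above; the sender address and rule patterns are assumed values.

```python
import fnmatch

# Constructed sample: the three PTR names the nslookup session in the thread
# returned for one relay address. The sender address and the two candidate
# rules are assumed values for this example.
PTR_NAMES = ["mail1.microsoft.com", "smtp.microsoft.com", "maila.microsoft.com"]
SENDER = "someone@microsoft.com"
RULES = [
    ("*@microsoft.com", "smtp.microsoft.com"),  # too specific: hits one PTR name only
    ("*@microsoft.com", "microsoft.com"),       # parent domain: hits all three
]


def rdns_matches(rdns: str, domain: str) -> bool:
    """whitelist_from_rcvd domain semantics: the relay's reverse DNS name must
    equal the configured domain or end with '.' + domain, so a parent domain
    covers every host under it without matching look-alikes such as
    evilmicrosoft.com or microsoft.com.example.org."""
    rdns = rdns.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


def sender_matches(sender: str, pattern: str) -> bool:
    """First argument of whitelist_from_rcvd: a full address or a glob
    such as *@example.com."""
    return fnmatch.fnmatchcase(sender.lower(), pattern.lower())


def rule_hits(sender, ptr_names, rules):
    """For each (pattern, domain) rule, list the PTR names for which the rule
    would whitelist the message. SpamAssassin reads the rDNS name from the
    Received header written by the receiving MTA, so with several PTR
    records the name it sees depends on which one the resolver returned."""
    hits = {}
    for pattern, domain in rules:
        hits[(pattern, domain)] = [
            name for name in ptr_names
            if sender_matches(sender, pattern) and rdns_matches(name, domain)
        ]
    return hits


def robust_rules(sender, ptr_names, rules):
    """Rules that whitelist the message whichever PTR name comes back."""
    return [rule for rule, names in rule_hits(sender, ptr_names, rules).items()
            if len(names) == len(ptr_names)]


if __name__ == "__main__":
    for rule, names in rule_hits(SENDER, PTR_NAMES, RULES).items():
        print(f"whitelist_from_rcvd {rule[0]} {rule[1]} -> hits {names}")
    print("robust:", robust_rules(SENDER, PTR_NAMES, RULES))
```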



Re: What's with UCEPROTECT List?

2006-10-17 Thread SM

At 20:52 16-10-2006, Marc Perkel wrote:
I don't know if other MTAs support sender verification but if they 
don't they should. It's a very good trick for blocking spam at connect time.


It's also a good trick to cause a denial of service.

Regards,
-sm 



Re: Auto_increment vs SERIAL key types

2006-10-10 Thread SM

At 06:14 10-10-2006, Michael Scheidell wrote:

I am experimenting with mysql replication, and have done some research
on key collisions in the case of a 'load balancing' situation (live sql


[snip]



My concern is over use of SERIAL keys in amavisd-new tables, vs
AUTO_INCREMENT keys.
(are SERIAL keys an alias for AUTO_INCREMENT? Are SERIAL keys safe in
replication situations?)


It's an alias for BIGINT UNSIGNED NOT NULL AUTO_INCREMENT UNIQUE.

See auto_increment_increment and auto_increment_offset (MySQL 5.x).

Regards,
-sm 



Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-30 Thread SM

At 12:32 28-09-2006, Henrik Ostergaard wrote:

This sounds promising! But I have distributed, moving users and therefore
use pop-before-smtp for authentication, which means that my IP list is in a
hash table, which is not in CIDR format. :-(


dk-filter and dkim-filter support pop-before-smtp.

Regards,
-sm 



Re: duplicate emails

2006-09-26 Thread SM

At 08:53 26-09-2006, Steve Ingraham wrote:
I need help with a problem.  Our users are seeing some multiple 
duplicate emails coming from the same sender.  This is not occurring 
with every email so there does not seem to be any pattern to which 
incoming emails will be duplicated and which ones won't.  They are 
also reporting that duplicate emails are sent when they send to an 
outside email.  Has anyone experienced this problem before?  What 
could be causing this to occur and what can I do to stop this?  I am 
running qmailtoaster and spamassassin as an external email 
gateway.  There has been nothing changed with qmail but I did update 
some rules in SA using rules_du_jour yesterday.  Would these rules 
updates cause this problem?  If so, what would have changed?


This doesn't look like a qmailtoaster or spamassassin problem.  Your 
Exchange server or mail client may be generating the duplicates.


Regards,
-sm 



Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-17 Thread SM

At 04:32 17-09-2006, Benny Pedersen wrote:

how does one do signing for multiple domains?

man 8 dk-filter says to make an internal domain file and add this as -i
internal.file


You can use the -d parameter ( -d example.com,example.net) or


but can domains still have the same domain keys or does each domain need to
have its own?


The domains can have the same public and private keys.

Regards,
-sm 



Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-12 Thread SM

Hi Mark,
At 07:59 12-09-2006, Mark Martinec wrote:

At the time of this writing it appears the dkim-milter is more reliable
and better maintained than dk-milter, which is slowly fading into
oblivion. Similar holds true in the world of Perl modules: there are


Both milters are being maintained and are similar in reliability. 
dk-milter is not fading into oblivion as there are more domains signing 
with DomainKeys than DKIM.



The following SpamAssassin rules (in local.cf) work fairly well, giving
verified mail a little bit of advantage and slightly favouring mail from
some popular domains, and encourage people to start signing their mail.
Possible signed spam can be counterbalanced by other measures (see below).
  score DK_VERIFIED -1.5
  score DK_POLICY_SIGNSOME 0
  score DK_POLICY_TESTING  0

  score DKIM_VERIFIED -1.5


Note that some spam is DK signed.



  # DKIM and DK-based whitelisting may be used reliably:
  score USER_IN_DKIM_WHITELIST -3.0
  whitelist_from_dkim [EMAIL PROTECTED]
  whitelist_from_dk   [EMAIL PROTECTED]


This approach is better.



  * both the dkim-milter 0.5.1 and the dk-milter 0.4.1 need a patch as
described in the Postfix documentation file MILTER_README. The
dkim-milter already supplies a required patch in its bug tracking
system under [1537905] delayed queue ID; which will be included in
the next release;


IIRC, the Workarounds section of the Postfix documentation file is 
being read incorrectly. Dkim-milter and dk-milter do not require any patch.


Regards,
-sm 



Re: uridnsbl error, info what?

2006-09-02 Thread SM

At 20:22 01-09-2006, Chris wrote:

I've been testing OpenDNS tonight vice using Earthlinks DNS nameservers.
Looking at my hourly syslog snip, about half way through my NANAS run I
noticed the below entries.  First of all, what are these entries telling

[snip]


Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for
domain=spamhaus.org, rule=URIBL_XS_SURBL, id=8876
rr=spamhaus.org.xs.surbl.org. 1 IN A 208.67.219.40
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line
626.


Turn off the typo correction feature of OpenDNS.

Regards,
-sm 



Re: Strange SPF problem/wrong result

2006-09-01 Thread SM

At 05:54 01-09-2006, decoder wrote:

This is no real forwarding, but all mail for us gets received by that
server first, and this server passes it to us. This is a common
structure for a bigger mail setup. The trusted_networks option solved
my problems, but it should definitely be included in the wiki somewhere.
Maybe we should add a note about trusted_networks being important for
SPF in the install manual where SPF installation is explained.


The concept is the same as forwarding.  Maybe you shouldn't be 
running any SPF tests in such a setup.


Regards,
-sm 



RE: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread SM

At 10:55 30-08-2006, Michael Grey wrote:

I like Michel Vaillancourt's idea - if it has to be done.


There are milters and MTAs that can do that.  It's not a good idea as 
it can cause a denial of service.


Regards,
-sm 



Re: end user whitelist failure help needed

2006-08-28 Thread SM

At 09:42 28-08-2006, Sally K. Scheer wrote:

HOWEVER, I have a problem with SA intercepting a set of messages I wish to
receive daily. They are from our bank and contain only two words (report
ready) and an attached pdf file. They are always from the same address but
the subject varies according to what kind of report is being sent. The
reports are automatically generated and sent by my bank's computer system.


[snip]


I whitelisted the address several times but it doesn't seem to help.


Read the Received header to find out the email address and the host 
to whitelist.


whitelist_from_rcvd [EMAIL PROTECTED]  example.com

Regards,
-sm 



Re: end user whitelist failure help needed

2006-08-28 Thread SM

At 12:51 28-08-2006, Sally K. Scheer wrote:

I already did whitelist the messages according to the spam box directions.
How do I find the actual whitelist so I can check to see if the proper
header information was included in the whitelist? Perhaps the process I used
to whitelist the messages was wrong.


The user preferences file location is 
~/.spamassassin/user_prefs. That's the .spamassassin directory when 
you log in through ssh. You can open that file with a text editor 
and see whether it contains any whitelist entries.


It may be better to contact your system administrator and ask the 
latter about the user configuration details as SpamAssassin may have 
been set up differently.


Regards,
-sm 



Re: Yahoo Received header problem?

2006-08-16 Thread SM

At 03:05 16-08-2006, Matthew Newton wrote:

I just received an e-mail that had been incorrectly marked as
hitting a block list (the SBL in this case, IIRC). The culprit
for this seems to be the following first Received header, where
a.b.c.d is the address on the BL:

Received: from [a.b.c.d] by web55501.mail.re4.yahoo.com via
 HTTP; Tue, 15 Aug 2006 15:34:33 BST

This seems wrong to me? However, my guess is that there is nothing
wrong with SpamAssassin, just that Yahoo shouldn't be adding a
Received header for a non-SMTP transaction (of course an


Section 3.8.2 (Received Lines in Gatewaying) mentions adding a 
Received header as trace fields for messages originating from 
non-SMTP environments.  The above Yahoo.com Received line is correct.


Regards,
-sm 



Re: Rule for non-DK-signed mail from yahoo

2006-08-14 Thread SM

At 11:03 14-08-2006, Mark Martinec wrote:

Having received a couple of messages faking to be from yahoo,
despite FORGED_YAHOO_RCVD and few other rules firing, the final
score was not high enough. Since Yahoo! is signing their
outgoing mail with DomainKeys, I came up with:

  header   __L_FROM_YAHOO     From:addr =~ /[EMAIL PROTECTED]/i
  meta     UNVERIFIED_YAHOO   __L_FROM_YAHOO && !DK_VERIFIED
  priority UNVERIFIED_YAHOO   500
  score    UNVERIFIED_YAHOO   5.0

which seems to do its job.


The score is too high.  Some From: yahoo.com mail may not be DK 
signed.  DK verification may fail if the mail goes through mailing lists.


Regards,
-sm 



Re: Looking for a good Ebay whitelist

2006-08-08 Thread SM

At 09:52 08-08-2006, Mark Martinec wrote:

Seems like ebay is signing messages with DomainKeys, I'm getting
DK_VERIFIED in my log for mail from [EMAIL PROTECTED] and
[EMAIL PROTECTED] and similar.


Ebay.com and a few other high profile domains have been signing their 
mail with DK.  Note that they still have the testing flag set.


Regards,
-sm 



Re: postres bayes db and high load

2006-08-03 Thread SM

At 09:23 03-08-2006, Dan wrote:
Over the past few weeks, my company's mail server has been 
experiencing high loads that result in SA skipping emails.  I use a 
postgres database to manage bayes, awl and userprefs.  I am pretty 
sure that it is the bayes db that is causing the high load and 
resultant skipping, but I have no idea how to fix the problem.  I 
installed the SA DBI


[snip]


postgreSQL v8.0.4


Upgrade to Postgresql 8.1.4 if you can.  Turn on autovacuum.  Use 
BayesStore::PgSQL.


Regards,
-sm 



Re: SpammAssassin on WHM/Cpanel

2006-06-25 Thread SM

At 07:11 25-06-2006, Ken Dawber wrote:
I have a reseller shared hosting account under WHM/Cpanel software. 
(In other words I'm not a systems admin) The Cpanel is a control 
panel for web hosting. The implementation


This is the first time I've seen someone say that. :)

1) Is there some way for the server system administrator who is 
using WHM/CPanel to change the default configuration so that SA 
setup is on the Webmail control panel rather than the Cpanel 
interface? If so, what do I have to tell the system admin to do?


That should be possible if the system admin writes the code to do that.

2) Assuming there is no easy way to do this, is the problem in the 
way cpanel is implemented or in the way SA is implemented.


The restrictions are in CPanel.

3) I notice mention of the need to feed spam and ham to SA. The cpanel 
interface doesn't seem to have any interface for the email user to 
tell it that what was identified as spam was ham or that what was 
specified as ham was in fact spam. Should there be such an interface, 
or is there one already that I just haven't understood?


SpamAssassin does not come with an interface.  The interface you 
see is implemented by CPanel.  If you have ssh access, you can use sa-learn.


Regards,
-sm 



Re: Domainkeys - Conflicting msg headers?

2006-06-13 Thread SM

At 22:57 12-06-2006, Daryl C. W. O'Shea wrote:

Already changed in 3.2:

describe DK_SIGNED  Domain Keys: message has a signature


[snip]

It's DomainKeys and not Domain Keys.

Regards,
-sm





RE: Public Blacklists?

2005-12-22 Thread SM

Hi Aaron,
At 13:14 21-12-2005, Aaron Boyles wrote:

understanding is that I should shell out to nslookup
70.221.33.80.sbl-xbl.spamhaus.org and nab the response.  However, when I
attempt this, I always get the same thing in response:  Can't find server
name for address 10.0.0.1 which is our gateway.  Am I doing something


nslookup is broken. :-) Use dig instead.

Regards,
-sm 



RE: Public Blacklists?

2005-12-22 Thread SM

Hi Aaron,
At 10:14 22-12-2005, Aaron Boyles wrote:

A number of people have mentioned that... But what is it?  It's not a
command my PC recognizes.


It's not part of Windows.  It comes with BIND.  You can download a 
Win32 version at ftp://ftp.isc.org/isc/bind/contrib/ntbind-9.3.2/BIND9.3.2.zip


Regards,
-sm 



RE: Public Blacklists?

2005-12-22 Thread SM

Hi Aaron,
At 11:24 22-12-2005, Aaron Boyles wrote:

I assumed that typing:  dig www.yahoo.com
At the command prompt should have SOMETHING result.  Instead, I get the time
out.


dig @10.0.0.1 www.yahoo.com where 10.0.0.1 is the IP address of your 
name server.


Regards,
-sm 
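The dig lookups in this thread and the uridnsbl "bogus rr" warning in the earlier OpenDNS post are two sides of the same mechanism. The following is an added example, not code from the thread or from SpamAssassin, that builds the query names offline and classifies constructed resolver answers; the 127.0.0.2 listing, the 192.0.2.25 address and the fake resolver table are assumed values.

```python
import ipaddress

# DNSBLs answer a listing with an A record inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed resolver table: 127.0.0.2 is the conventional DNSBL test
# entry; 192.0.2.25 is a documentation address we pretend is listed.
HONEST_RESOLVER = {
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",
    "25.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",
}
# What a "typo-correcting" resolver returns for names that do not exist
# (the address in the uridnsbl log line earlier in this page).
TYPO_LANDING_PAGE = "208.67.219.40"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IP DNSBL query name: octets reversed, then the zone,
    e.g. 80.33.221.70 -> 70.221.33.80.sbl-xbl.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def uribl_query_name(domain: str, zone: str) -> str:
    """URI blocklists such as SURBL are queried with the domain as prefix."""
    return domain.lower().rstrip(".") + "." + zone.rstrip(".")


def classify_answer(answer):
    """None (NXDOMAIN) means not listed, 127.0.0.0/8 means listed, and any
    other address is bogus: that is what SpamAssassin's uridnsbl warns about
    when a resolver substitutes a web landing page for NXDOMAIN."""
    if answer is None:
        return "not-listed"
    if ipaddress.IPv4Address(answer) in LISTED_RANGE:
        return "listed"
    return "bogus"


def lookup(query_name: str, resolver: dict, typo_correction: bool = False):
    """Offline stand-in for 'dig @server name': the A record, or None for
    NXDOMAIN. With typo correction on, unknown names get the landing page."""
    if query_name in resolver:
        return resolver[query_name]
    return TYPO_LANDING_PAGE if typo_correction else None


def check_ip(ip, zone, resolver, typo_correction=False):
    name = dnsbl_query_name(ip, zone)
    return classify_answer(lookup(name, resolver, typo_correction))


def check_domain(domain, zone, resolver, typo_correction=False):
    name = uribl_query_name(domain, zone)
    return classify_answer(lookup(name, resolver, typo_correction))
```

With typo correction on, every unlisted name comes back as a non-127 address, so a checker that did not validate the answer range would treat everything as listed.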



Re: DomainKeys in SA

2005-12-13 Thread SM

At 06:30 13-12-2005, Kai Schaetzl wrote:

Going from that I looked at the Yahoo Groups messages I recently got:

From: [EMAIL PROTECTED]
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lima;
d=yahoogroups.com;

Do I understand it correctly that d should match the sender's domain? In
that case all messages from Yahoo groups have to fail.


Yes, it should match the sending domain.  You should verify the 
Sender: header as well.


Regards,
-sm
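The Yahoo Groups case above (and the earlier UNVERIFIED_YAHOO rule thread, where list traffic breaks the From-to-signature link) comes down to which address the d= domain vouches for. This added example, not code from the thread or from SpamAssassin, parses a constructed header set modelled on the quoted message and reports whether d= aligns with From:, with Sender:, or with neither.

```python
import re

# Constructed headers modelled on the Yahoo Groups message in the thread:
# the From: carries the poster's domain while the signature is the list's.
SAMPLE_HEADERS = (
    "From: someone@example.com\n"
    "Sender: somelist-owner@yahoogroups.com\n"
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lima;\n"
    "\td=yahoogroups.com;\n"
)


def parse_headers(raw: str) -> dict:
    """Unfold continuation lines (leading space or tab) and return a
    lower-cased name -> value map; the last occurrence of a name wins."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def address_domain(value: str):
    """Domain part of the first address in a From:/Sender: value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower().rstrip(".") if m else None


def signature_domain(sig: str):
    """The d= tag of a DomainKey-Signature. Tags are ';'-separated and a
    value (b=) may itself contain '=', so split each tag only once."""
    tags = {}
    for tag in sig.split(";"):
        name, sep, value = tag.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags.get("d", "").lower().rstrip(".") or None


def dk_alignment(raw: str) -> str:
    """'from' if d= equals the From: domain, 'sender' if it only matches
    Sender: (the mailing-list case from the thread), 'mismatch' if neither,
    'unsigned' when there is no DomainKey-Signature at all."""
    h = parse_headers(raw)
    d = signature_domain(h.get("domainkey-signature", ""))
    if d is None:
        return "unsigned"
    if d == address_domain(h.get("from", "")):
        return "from"
    if d == address_domain(h.get("sender", "")):
        return "sender"
    return "mismatch"
```

A "sender" result is the normal outcome for list mail, which is why a rule that penalises every From: domain whose signature does not verify against From: alone will hit legitimate list traffic.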




RE: When is Bulk Bulk

2005-08-09 Thread SM

At 14:56 09-08-2005, Rob McEwen wrote:

Thanks for the feedback... but it looks like you e-mailed this directly to
me without sending it to the spamassassin thread. Please consider re-sending
this to the SA list so that others can benefit from your comment... as you
probably intended! --Rob McEwen


I chose to send you an unsolicited email instead of replying to the 
thread. :-)  I am posting the comment to the SA list as you suggested.



-Original Message-
From: SM

This is indeed a slippery slope.  The emails are unsolicited.  This
one is too as we do not have any business relationship. :-)  In
business, there are times when we might email someone or even phone
that person even if we have no prior relationship with the
person.  As it is a manual process, we are limited to the number of
emails we can write or calls we can make in a day.  The slippery
slope is where to set the threshold without hampering business.

As long as the emails are not computer generated, the list is not
some list the person purchased and the email is individualized, then
we cannot call it bulk.  If the template is to add the name of the
recipient and the website only, then a lot of people might label it
as spam.  There may come a day when your client may find that it is
easier and faster to use software to grab the information from the
website and have some bulk software generate and send the emails.

You may wish to bring to the attention of the client that his/her
emails might be construed as spam.  And you might warn the person
that you will be closely monitoring email traffic and you may
terminate the account if you receive any complaints.

Bulk is bulk when people start complaining.  If you see hundreds
of emails going out each day, you are sure to have complaints sooner or
later.


Regards,
-sm 



Re: When is Bulk Bulk

2005-08-09 Thread SM

At 18:04 09-08-2005, jdow wrote:

Worrying about bulk or not is a distraction. It's not an issue. What
will the recipients think? How are they likely to react? What makes you
think it will get through the email process with NOBODY complaining to
a blacklist or sysadmin?


I mentioned complaints.  It is up to the admin of the sending domain 
to determine whether the server may be blacklisted because of such 
mail.  The replies to this thread give the answer as to what the 
recipients will think and how they might react.


Regards,
-sm 



Re: [Dshield] fingerprinting servers before accepting

2004-12-02 Thread SM
Hi Joe,
At 15:51 01-12-2004, Joe Emenaker wrote:

That was the first thought through my mind when I read the original post. 
No need for a full-blown fingerprint... just see if they look server-ish 
or not. Try connecting to 25... and then maybe telnet, ssh, http, and imap.


You cannot assume that any of these other services are running or 
accessible.


There'd be some overhead involved in this, initially, but this could be 
mitigated by keeping a cache of previous call-backs. I imagine this would 
act like a sieve, where the hosts who send you the most mail (and, hence, 
would cause the greatest call-back load) would appear in the cache the 
soonest, and that would cut down on the call-back load the most. After a 
week or so, I imagine that the call-back load would be tapering off to 
those few odd hosts which connect.


There are some sites which implement the above.


Good thing they're well-known. We can add them to a file of known 
outgoing-only servers and can further cut down on the call-back load.


Your users will scream while you determine which sites to whitelist. :)

Regards,
-sm 



Re: [Dshield] fingerprinting servers before accepting

2004-12-01 Thread SM
Hi John,
At 08:54 01-12-2004, John Hardin wrote:

Interesting idea. It sounds a little heavy to be doing for every inbound
message, though, and it assumes that you're letting fingerprinting
traffic out of your network - I, for example, block all NetBIOS and
similar ports at my boundary, so fingerprinting wouldn't be useful.


It is not so heavy when applied to inbound connections.  Your connection 
can still be fingerprinted even if you block all NetBIOS and similar 
ports.  Scam-grey does that: http://www.elandsys.com/scam/


However, this sounds like it might be useful in Spamassassin: attempt to
contact the sender on port 25, and add a little to the spamminess score
if the connection is refused or times out.


There are some well-known domains that have SMTP outgoing-only 
servers.  The scoring would affect them more than the spammy senders.


It might also be useful to try connecting to the backdoor ports for the
better-known spam worms and add a few points if the connection succeeds.


That would be too much overhead if it is done in realtime.

Regards,
-sm 


