Re: Low Scores on Bounce Backs
On Friday 11 April 2008 15:05:59 Justin Mason wrote:
> Mark Martinec writes:
> > It would also block some messages which you may or may not want to block,
> > such as:
> > - some automatic notifications such as calendar/meeting reminders,
> > notifications from ticketing/PR systems (OTRS), status reports,
> > job completion reports and similar automatic notifications;
>
> samples of these FPs would be welcome.

Ok, opening the: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5882
providing a couple of samples.

> > - messages with NOTIFY=NEVER in DSN options, which some upstream MTA
> > converted to a null return path when the next MTA in chain does not
> > support DSN;
>
> yeah, that's true. have you seen this happening?

Not frequently enough to warrant worrying about it.

> > - mail from senders which happen to have a word 'postmaster' in the
> > author's name: From: "ICSOFT Secretariat" <[EMAIL PROTECTED]>;
>
> urgh, that's bad. now fixed

Thanks!

> > - message disposition notifications (MDN, RFC 3798);
>
> fixed already

I'm not sure if attachment #5 to the above bug 5882 is one of them.
I see log entries (subject, from, message-id) which lets me believe
there are more of these, but it is hard for me to get the actual
received samples from our users.

> > Also, the parsing of Received by VBounce.pm is rather simpleminded.
> > Typically it only sees a HELO name in the Received 'from' subfield,
> > as it does not examine continuation lines of Received header fields,
> > and is distracted by parenthesis in a tcp-info field.
>
> it doesn't? feel free to open a bug.

It doesn't. Still, the HELO from a well behaved MTA usually does contain
the fqdn of the MTA host, so the simpleminded regexp match on the first
line is lucky more often than not. To do a proper parsing of Received
subfields would involve substantial code. I'll let it pass for the time
being, unless someone feels otherwise.

Mark
Re: Low Scores on Bounce Backs
Justin Mason wrote:
> Jeff Koch writes:
> > From what I've seen the VBounce ruleset catches ALL backscatter and does
> > not distinguish between legitimate bounce-backs and bounce-backs of emails
> > with forged return addresses - which basically makes it useless for
> > filtering out joe-jobs.
> >
> > VBounce should be matching the forged name of the originating mailserver
> > against the IP address of the originating mailserver.
>
> If you set whitelist_bounce_relays, that's exactly what it does.

...then I'm not getting it.

I just forged an email from myself from an Internet host separate from our
work one, to a bogus recipient on a Qmail server I own (where I turned off
recipient checking). The server accepted my forged email and generated a
bounce. It went back into our work network (where I have Vbounce enabled and
whitelist_bounce_relays set), and none of the BOUNCE vars triggered.

Running it through "spamassassin -D" shows vbounce loading and
__HAVE_BOUNCE_RELAYS triggered - but neither MY_SERVERS_FOUND, VBOUNCE_MESSAGE
nor ANY_BOUNCE_MESSAGE triggered.

Unless there's a bug (this is SA 3.2.4), I can't see how this will work to
detect forged mail causing bounces???

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Low Scores on Bounce Backs
> From: Jesse Regier <[EMAIL PROTECTED]>
> Organization: Access 2000, Inc.
> Date: Fri, 11 Apr 2008 15:37:16 -0500
> To:
> Subject: Re: Low Scores on Bounce Backs
>
> I have some domains whose users send mail from various places on the
> web and some whose relays I know, so I don't have a definitive list
> of mail relays.
>
> 1.) Can whitelist_bounce_relays have any wildcards or match on a
> partial domain?

Yes, like *.secnap.com

> 2.) Can whitelist_bounce_relays be set per domain?

No.

--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
Re: Low Scores on Bounce Backs
Matus UHLAR - fantomas writes:
> > Jeff Koch writes:
> > > From what I've seen the VBounce ruleset catches ALL backscatter and does
> > > not distinguish between legitimate bounce-backs and bounce-backs of
> > > emails
> > > with forged return addresses - which basically makes it useless for
> > > filtering out joe-jobs.
> > >
> > > VBounce should be matching the forged name of the originating mailserver
> > > against the IP address of the originating mailserver.
>
> On 11.04.08 16:55, Justin Mason wrote:
> > If you set whitelist_bounce_relays, that's exactly what it does.
>
> Doesn't that require having different servers for sending mail than for
> receiving it? As I understand the docs, it does. And it's impossible for us,
> at least for now.

no, definitely not -- I have a single machine acting as both MX and MSA and
use it.

(bounces generated by my own MSA are "good" bounces, since they're to do with
mail I've generated. bounces generated by "external" machines are nothing to
do with my outbound mail, so I don't want them.)

--j.
Re: Low Scores on Bounce Backs
> Jeff Koch writes:
> > From what I've seen the VBounce ruleset catches ALL backscatter and does
> > not distinguish between legitimate bounce-backs and bounce-backs of emails
> > with forged return addresses - which basically makes it useless for
> > filtering out joe-jobs.
> >
> > VBounce should be matching the forged name of the originating mailserver
> > against the IP address of the originating mailserver.

On 11.04.08 16:55, Justin Mason wrote:
> If you set whitelist_bounce_relays, that's exactly what it does.

Doesn't that require having different servers for sending mail than for
receiving it? As I understand the docs, it does. And it's impossible for us,
at least for now.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail to this address.
How does cat play with mouse? cat /dev/mouse
Re: Low Scores on Bounce Backs
On 11 Apr 2008 at 16:55, Justin Mason wrote:

> Jeff Koch writes:
> > From what I've seen the VBounce ruleset catches ALL backscatter and does
> > not distinguish between legitimate bounce-backs and bounce-backs of emails
> > with forged return addresses - which basically makes it useless for
> > filtering out joe-jobs.
> >
> > VBounce should be matching the forged name of the originating mailserver
> > against the IP address of the originating mailserver.
>
> If you set whitelist_bounce_relays, that's exactly what it does.
>
> > At 04:59 AM 4/11/2008, Justin Mason wrote:
> >
> > >Jason Haar writes:
> > > > I think we've detoured from the actual problem?
> > > >
> > > > The fact is that lots of spam is now being sent to other sites,
> > > > pretending to be from (collectively) our email addresses, so that we get
> > > > the bounces containing the spam. And SA isn't marking these messages as
> > > > spam, whereas if it was directly sent the same spam, it would.
> > > >
> > > > So how do we fix this situation? What about getting SA to "detach" the
> > > > associated bounced message as a separate message and score that instead?
> > > > I know I can casually just say that - doing is a different matter - but
> > > > isn't that really the only answer to this problem?
> > >
> > >There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset which
> > >is expressly designed to catch backscatter -- and does a good job at it.
> > >
> > >If you have a backscatter problem, you need to start using that ruleset.
> > >
> > >--j.
> >
> > Best Regards,
> >
> > Jeff Koch, Intersessions

I have some domains whose users send mail from various places on the web and
some whose relays I know, so I don't have a definitive list of mail relays.

1.) Can whitelist_bounce_relays have any wildcards or match on a partial
domain?

2.) Can whitelist_bounce_relays be set per domain?

Thanks,
Jesse Regier

--
Jesse Regier
Computer Systems, Inc.
(402) 330-3600
--
Re: Low Scores on Bounce Backs
Jeff Koch writes:
> From what I've seen the VBounce ruleset catches ALL backscatter and does
> not distinguish between legitimate bounce-backs and bounce-backs of emails
> with forged return addresses - which basically makes it useless for
> filtering out joe-jobs.
>
> VBounce should be matching the forged name of the originating mailserver
> against the IP address of the originating mailserver.

If you set whitelist_bounce_relays, that's exactly what it does.

> At 04:59 AM 4/11/2008, Justin Mason wrote:
>
> >Jason Haar writes:
> > > I think we've detoured from the actual problem?
> > >
> > > The fact is that lots of spam is now being sent to other sites,
> > > pretending to be from (collectively) our email addresses, so that we get
> > > the bounces containing the spam. And SA isn't marking these messages as
> > > spam, whereas if it was directly sent the same spam, it would.
> > >
> > > So how do we fix this situation? What about getting SA to "detach" the
> > > associated bounced message as a separate message and score that instead?
> > > I know I can casually just say that - doing is a different matter - but
> > > isn't that really the only answer to this problem?
> >
> >There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset which
> >is expressly designed to catch backscatter -- and does a good job at it.
> >
> >If you have a backscatter problem, you need to start using that ruleset.
> >
> >--j.
>
> Best Regards,
>
> Jeff Koch, Intersessions
Re: Low Scores on Bounce Backs
From what I've seen the VBounce ruleset catches ALL backscatter and does not
distinguish between legitimate bounce-backs and bounce-backs of emails with
forged return addresses - which basically makes it useless for filtering out
joe-jobs.

VBounce should be matching the forged name of the originating mailserver
against the IP address of the originating mailserver.

At 04:59 AM 4/11/2008, Justin Mason wrote:
> Jason Haar writes:
> > I think we've detoured from the actual problem?
> >
> > The fact is that lots of spam is now being sent to other sites,
> > pretending to be from (collectively) our email addresses, so that we get
> > the bounces containing the spam. And SA isn't marking these messages as
> > spam, whereas if it was directly sent the same spam, it would.
> >
> > So how do we fix this situation? What about getting SA to "detach" the
> > associated bounced message as a separate message and score that instead?
> > I know I can casually just say that - doing is a different matter - but
> > isn't that really the only answer to this problem?
>
> There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset which
> is expressly designed to catch backscatter -- and does a good job at it.
>
> If you have a backscatter problem, you need to start using that ruleset.
>
> --j.

Best Regards,

Jeff Koch, Intersessions
Re: Low Scores on Bounce Backs
Joseph Brennan wrote:
> Jeff Koch <[EMAIL PROTECTED]> wrote:
> > One of the problems is that the actual spam email is sometimes not
> > attached. But interestingly enough we are usually sent the email header of
> > the original email. From that we (the humans) can easily spot that the IP
> > address of the mailserver claiming to be ours is, in fact, not. So, if
> > that line in the returned email header can be parsed perhaps a program
> > can validate the IP address.
>
> Check the precise format, but if you have something like this in the
> original header, with your host's name...
> (hostname.example.com [11.22.33.44])
> ...and that's not the right IP, that would be a good test.
>
> It sounds like you could get that with a 'body' rule.

A 'body' rule does not see a header section of an attached mail, a 'full'
rule is needed, as pointed out elsewhere (but the 'full' rule sees a main
header section too). See:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5872

Mark
Re: Low Scores on Bounce Backs
Jeff Koch <[EMAIL PROTECTED]> wrote:
> One of the problems is that the actual spam email is sometimes not
> attached. But interestingly enough we are usually sent the email header of
> the original email. From that we (the humans) can easily spot that the IP
> address of the mailserver claiming to be ours is, in fact, not. So, if
> that line in the returned email header can be parsed perhaps a program
> can validate the IP address.

It sounds like you could get that with a 'body' rule. Check the precise
format, but if you have something like this in the original header, with your
host's name...

(hostname.example.com [11.22.33.44])

...and that's not the right IP, that would be a good test.

I realize you're thinking of generalizing to any case where an apparent
hostname stands next to an apparent IP in text, but if you have a specific
problem it's OK to be specific.

Joseph Brennan
Columbia University Information Technology
Re: Low Scores on Bounce Backs
> Justin Mason wrote:
> >There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset which
> >is expressly designed to catch backscatter -- and does a good job at it.
> >
> >If you have a backscatter problem, you need to start using that ruleset.

On 11.04.08 21:13, Jason Haar wrote:
> ...but vbounce scores 0.1 - and there's all this talk about it "not
> being a spam detector".

yes, so DSN's currently should not be processed as spams - we need more checks
to see if they are real backscatters or "valid" DSNs.

> ...and the score is 0.1 - and I don't fiddle with SA scores as a rule
> 'cause you guys
> Know Best (TM).
>
> So are you saying as I know what all our relays are (ie
> whitelist_bounce_relays), I should pump that score up to 20, and
> effectively blacklist (we block at scores >10) any bounces (which should
> just happen to be 100% forged spam) sent from anyone in the world using
> our domains - which isn't from our relays?

I wouldn't set scores to be so high. Maybe altogether with other rules e.g.
BAYES (3.5 for BAYES_99) 1.5 or 2.0 would be enough.

I was always careful when training on bounces, because of valid bounces.
(we don't have separate servers for outgoing mail, so we can't use
whitelist_bounce_relays).

Seems that VBounce plugin needs more code to be used for more than just
catching bounces... then, it could effectively catch backscatter

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail to this address.
Spam is for losers who can't get business any other way.
Re: Low Scores on Bounce Backs
Mark Martinec writes:
> On Friday 11 April 2008 11:13:09 Jason Haar wrote:
> > So are you saying as I know what all our relays are (ie
> > whitelist_bounce_relays), I should pump that score up to 20, and
> > effectively blacklist (we block at scores >10) any bounces (which should
> > just happen to be 100% forged spam) sent from anyone in the world using
> > our domains - which isn't from our relays?
>
> It would also block some messages which you may or may not want to block,
> such as:
> - some automatic notifications such as calendar/meeting reminders,
> notifications from ticketing/PR systems (OTRS), status reports,
> job completion reports and similar automatic notifications;

samples of these FPs would be welcome.

> - messages with NOTIFY=NEVER in DSN options, which some upstream MTA
> converted to a null return path when the next MTA in chain does not
> support DSN;

yeah, that's true. have you seen this happening?

> - mail from senders which happen to have a word 'postmaster' in the
> author's name: From: "ICSOFT Secretariat" <[EMAIL PROTECTED]>;

urgh, that's bad. now fixed

> - message disposition notifications (MDN, RFC 3798);

fixed already

> - out of office replies (alright, no damage there);

Unless the message contains the relays -- this is by design. ;) A good
portion of my blowback was OOO noise.

> Also, the parsing of Received by VBounce.pm is rather simpleminded.
> Typically it only sees a HELO name in the Received 'from' subfield,
> as it does not examine continuation lines of Received header fields,
> and is distracted by parenthesis in a tcp-info field.

it doesn't? feel free to open a bug.

In general, bug reports on these, with samples, would be welcome.

--j.
Re: Low Scores on Bounce Backs
> On Fri, Apr 11, 2008 at 09:13:09PM +1200, Jason Haar wrote:
> >
> > ...and the score is 0.1 - and I don't fiddle with SA scores as a rule
> > 'cause you guys
> > Know Best (TM).

On 11.04.08 12:17, Henrik K wrote:
> No, the guys can't know what the best scores are for _your_ system.
> Therefore if you want efficient SA, you need to modify many scores, possibly
> running mass-checks for your traffic.

I think many people can't run such mass-checks so they just have to accept
what SA people set up. Playing with scores and setting them w/o mass-checks
can be quite dangerous. This thread shows some examples :)

And it's sometimes better to ask why scores are as high as they are instead
of blindly changing them - we may learn something new.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail to this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: Low Scores on Bounce Backs
On Friday 11 April 2008 11:13:09 Jason Haar wrote:
> So are you saying as I know what all our relays are (ie
> whitelist_bounce_relays), I should pump that score up to 20, and
> effectively blacklist (we block at scores >10) any bounces (which should
> just happen to be 100% forged spam) sent from anyone in the world using
> our domains - which isn't from our relays?

It would also block some messages which you may or may not want to block,
such as:

- some automatic notifications such as calendar/meeting reminders,
  notifications from ticketing/PR systems (OTRS), status reports,
  job completion reports and similar automatic notifications;
- messages with NOTIFY=NEVER in DSN options, which some upstream MTA
  converted to a null return path when the next MTA in chain does not
  support DSN;
- mail from senders which happen to have a word 'postmaster' in the
  author's name: From: "ICSOFT Secretariat" <[EMAIL PROTECTED]>;
- message disposition notifications (MDN, RFC 3798);
- out of office replies (alright, no damage there);

Also, the parsing of Received by VBounce.pm is rather simpleminded.
Typically it only sees a HELO name in the Received 'from' subfield,
as it does not examine continuation lines of Received header fields,
and is distracted by parenthesis in a tcp-info field.

Mark
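Two things in this thread point at the same piece of code: Mark's remark that VBounce's Received parsing only looks at the first line of the field and is thrown by parentheses in the tcp-info comment, and the test Jeff Koch and Joseph Brennan describe elsewhere (our relay's name next to an IP that is not ours, in the headers of the returned original). The Python below is an added example written for this page; it is not VBounce.pm and not any poster's code. It unfolds continuation lines, takes the tcp-info comment as a balanced parenthesised group rather than a first-line regexp, and checks the HELO and reverse-DNS names against a relay table. The relay table, the hostnames and the addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed relay table for this example: the names of our outbound relays
# and the addresses they really connect from (placeholders, not real hosts).
OUR_RELAYS = {
    "mx1.example.org": {"192.0.2.10"},
    "mx2.example.org": {"192.0.2.11", "198.51.100.11"},
}

def unfold_headers(raw):
    """Join RFC 5322 continuation lines (leading SP/HTAB) onto their field."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def received_headers(raw):
    """Values of every Received: field in a header block, already unfolded."""
    return [line[len("received:"):].strip()
            for line in unfold_headers(raw)
            if line.lower().startswith("received:")]

def _balanced_comment(s):
    """Text inside the first (...) group of s, honouring nested parentheses,
    so '(host [ip] (may be forged))' yields 'host [ip] (may be forged)'."""
    start = s.find("(")
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "(":
            depth += 1
        elif s[i] == ")":
            depth -= 1
            if depth == 0:
                return s[start + 1:i]
    return s[start + 1:]  # unterminated comment: take the rest

_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
_HOST_RE = re.compile(r"^\s*([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def parse_received_from(value):
    """Split the 'from' clause of a Received field into the HELO name, the
    reverse-DNS name and the connecting IP; None if there is no 'from'."""
    m = re.match(r"from\s+(\S+)\s*(.*)", value, re.I | re.S)
    if not m:
        return None
    helo, rest = m.group(1).strip("[]").lower(), m.group(2)
    rdns = ip = None
    if rest.lstrip().startswith("("):  # tcp-info comment follows the HELO
        comment = _balanced_comment(rest)
        mh = _HOST_RE.match(comment)
        if mh:
            rdns = mh.group(1).lower()
        mi = _IP_RE.search(comment)
        if mi:
            try:
                ip = str(ipaddress.ip_address(mi.group(1)))
            except ValueError:
                ip = None  # malformed address literal: treat as absent
    return {"helo": helo, "rdns": rdns, "ip": ip}

def classify_hop(hop, relays=OUR_RELAYS):
    """'ours' when one of our relay names appears with one of its real IPs,
    'forged' when our name appears with a foreign IP, otherwise 'unknown'."""
    for name in (hop["helo"], hop["rdns"]):
        if name in relays:
            return "ours" if hop["ip"] in relays[name] else "forged"
    return "unknown"

def classify_original(raw_headers, relays=OUR_RELAYS):
    """Walk the Received trail of the message returned inside a bounce and
    report the first hop that names one of our relays."""
    for value in received_headers(raw_headers):
        hop = parse_received_from(value)
        if hop is not None:
            verdict = classify_hop(hop, relays)
            if verdict != "unknown":
                return verdict
    return "unknown"

# Constructed header blocks standing in for the original message a bounce
# returns. FORGED names our relay with a foreign IP (backscatter); OURS has
# our real relay, nested parentheses and all; UNRELATED never mentions us.
FORGED = """Received: from mx1.example.org (unknown [203.0.113.77])
    by relay.victim.example (Postfix) with ESMTP id ABC123
    for <nobody@victim.example>; Fri, 11 Apr 2008 10:00:00 +0000
From: someone@example.org
Subject: cheap pills
"""
OURS = """Received: from mail.example.org (mx2.example.org [198.51.100.11] (may be forged))
    by relay.victim.example (Postfix) with ESMTP id DEF456;
    Fri, 11 Apr 2008 10:00:00 +0000
From: someone@example.org
"""
UNRELATED = """Received: from smtp.other.example (smtp.other.example [192.0.2.200])
    by relay.victim.example (Postfix) with ESMTP id GHI789
"""
```

The relay table is the part that matters operationally: "forged" is only as reliable as the list of addresses your relays really send from, which is exactly the definitive list Jesse Regier says he does not have. A hop that resolves to "unknown" says nothing either way and should not add score on its own.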
Re: Low Scores on Bounce Backs
Jason Haar wrote:

> So how do we fix this situation?

Periodically there are a lot of bounces (especially to me and another
sysadmin), but SA catches almost all of it.

> What about getting SA to "detach" the associated bounced message as a
> separate message and score that instead?

I do that with MIMEDefang here. Whenever a message is flagged with
ANY_BOUNCE_MESSAGE by SA (VBounce), the filter tries to extract the original
message and then run that through SA. The filter then uses the higher of the
two scores when deciding what to do with the message.

During my initial tests this did catch more bounce back spam, but I haven't
any numbers so I don't really know if it still has merit.

Besides this, bayes helps with some of the bounces, and I've just added a rule
that checks for messages that are flagged with ANY_BOUNCE_MESSAGE *and* sent
from a relay listed in "backscatterer.org". I don't yet know if this rule will
turn out to be a good one or not.

Regards
/Jonas

--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
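The detach-and-rescore step Jonas describes, as an added Python example written for this page (it is not Jonas's MIMEDefang filter and not part of SpamAssassin): find the message/rfc822 part of a multipart/report DSN, or the text/rfc822-headers part when the reporting MTA only returned the original's headers as Jeff Koch mentions, score wrapper and original separately, and keep the higher. Both DSNs are constructed; `toy_score` is a stand-in for SpamAssassin so the example runs offline, and `spamc_score` shows the real hand-off to spamd.

```python
import email
import subprocess
from email import policy

# Constructed DSN (multipart/report) carrying a forged original as a
# message/rfc822 part. Every host and address is a placeholder.
SAMPLE_DSN = b"""From: MAILER-DAEMON@relay.victim.example
To: someone@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host relay.victim.example.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; relay.victim.example

Final-Recipient: rfc822; nobody@victim.example
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from mx1.example.org (unknown [203.0.113.77])
    by relay.victim.example (Postfix) with ESMTP id ABC123
From: someone@example.org
To: nobody@victim.example
Subject: cheap pills, best prices

Buy now!

--b1--
"""

# Constructed DSN where only the original's headers came back.
SAMPLE_DSN_HEADERS_ONLY = b"""From: MAILER-DAEMON@other.example
To: someone@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain; charset=us-ascii

Delivery to the following recipient failed permanently.

--b2
Content-Type: text/rfc822-headers

Received: from mx1.example.org (unknown [203.0.113.77])
    by other.example with ESMTP id XYZ789
From: someone@example.org
To: nobody@other.example
Subject: cheap pills, best prices

--b2--
"""

def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)

def extract_original(bounce):
    """Locate the returned original inside a parsed bounce. Returns
    ('message', msg) for a message/rfc822 part, ('headers', msg) when only
    text/rfc822-headers came back, or (None, None) if nothing usable."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return "message", part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return "headers", email.message_from_string(part.get_content(),
                                                        policy=policy.default)
    return None, None

def score_bounce(raw, score_fn):
    """Score the bounce and the extracted original separately and keep the
    higher value, the decision rule Jonas describes."""
    bounce = parse(raw)
    best = score_fn(bounce)
    kind, original = extract_original(bounce)
    if original is not None:
        best = max(best, score_fn(original))
    return best, kind

SPAMMY = ("cheap", "pills", "buy now")

def toy_score(msg):
    """Offline stand-in for SpamAssassin: 1.5 points per phrase found in the
    Subject or the text/plain body. Only here so the example runs by itself."""
    text = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content()
    text = text.lower()
    return float(sum(1.5 for phrase in SPAMMY if phrase in text))

def spamc_score(msg):
    """Real scorer: 'spamc -c' hands the message to spamd and prints
    'score/threshold'. Needs a running spamd, which is why tests use toy_score."""
    run = subprocess.run(["spamc", "-c"], input=msg.as_bytes(),
                         capture_output=True, check=False)
    return float(run.stdout.decode().split("/")[0])
```

With only headers returned, the rescoring can still use header rules (Received trail, From, Subject) but nothing body-based, so Bayes contributes little in that case; that is the limit of the approach Jeff Koch runs into.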
Re: Low Scores on Bounce Backs
Jason Haar writes:
> Justin Mason wrote:
> > There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset
> > which is expressly designed to catch backscatter -- and does a good
> > job at it.
> >
> > If you have a backscatter problem, you need to start using that
> > ruleset.
>
> ...but vbounce scores 0.1 - and there's all this talk about it "not
> being a spam detector".
>
> ...and the score is 0.1 - and I don't fiddle with SA scores as a rule
> 'cause you guys Know Best (TM).
>
> So are you saying as I know what all our relays are (ie
> whitelist_bounce_relays), I should pump that score up to 20, and
> effectively blacklist (we block at scores >10) any bounces (which should
> just happen to be 100% forged spam) sent from anyone in the world using
> our domains - which isn't from our relays?

yep! If that is the desired policy for your site, it can be done using
vbounce.

--j.
Re: Low Scores on Bounce Backs
On Fri, Apr 11, 2008 at 09:13:09PM +1200, Jason Haar wrote:
>
> ...and the score is 0.1 - and I don't fiddle with SA scores as a rule
> 'cause you guys
> Know Best (TM).

No, the guys can't know what the best scores are for _your_ system.
Therefore if you want efficient SA, you need to modify many scores, possibly
running mass-checks for your traffic.
Re: Low Scores on Bounce Backs
Justin Mason wrote:
> There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset which
> is expressly designed to catch backscatter -- and does a good job at it.
>
> If you have a backscatter problem, you need to start using that ruleset.

...but vbounce scores 0.1 - and there's all this talk about it "not being a
spam detector".

...and the score is 0.1 - and I don't fiddle with SA scores as a rule 'cause
you guys Know Best (TM).

So are you saying as I know what all our relays are (ie
whitelist_bounce_relays), I should pump that score up to 20, and effectively
blacklist (we block at scores >10) any bounces (which should just happen to be
100% forged spam) sent from anyone in the world using our domains - which
isn't from our relays?

Damn - too many words in that last sentence ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Low Scores on Bounce Backs
Jason Haar writes:
> I think we've detoured from the actual problem?
>
> The fact is that lots of spam is now being sent to other sites,
> pretending to be from (collectively) our email addresses, so that we get
> the bounces containing the spam. And SA isn't marking these messages as
> spam, whereas if it was directly sent the same spam, it would.
>
> So how do we fix this situation? What about getting SA to "detach" the
> associated bounced message as a separate message and score that instead?
> I know I can casually just say that - doing is a different matter - but
> isn't that really the only answer to this problem?

There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset which
is expressly designed to catch backscatter -- and does a good job at it.

If you have a backscatter problem, you need to start using that ruleset.

--j.
Re: Low Scores on Bounce Backs
On Fri, April 11, 2008 01:28, Jason Haar wrote:
> How are others (successfully) handling backscatter? Moving bounces into
> yet another separate folder isn't a solution for our users - and I'm
> sure the same applies elsewhere. Spam is spam...

backscatter has more signs of why you get them, mailto the postmaster on
sender domain, if you can clearly see it's not spam but backscatter

spam is clueless :-)

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: Low Scores on Bounce Backs
Our users are getting hundreds of these!

One of the problems is that the actual spam email is sometimes not attached.
But interestingly enough we are usually sent the email header of the original
email. From that we (the humans) can easily spot that the IP address of the
mailserver claiming to be ours is, in fact, not. So, if that line in the
returned email header can be parsed perhaps a program can validate the IP
address. Only a suggestion - I'm sure a lot harder in real life.

SPF only works in these instances if (1) the domain users know what
mailservers they might use and (2) the mailserver that received the original
SMTP connection analyzes SPF before accepting the connection and doesn't just
bounce the email back to the sender.

At 07:28 PM 4/10/2008, Jason Haar wrote:
> I think we've detoured from the actual problem?
>
> The fact is that lots of spam is now being sent to other sites,
> pretending to be from (collectively) our email addresses, so that we get
> the bounces containing the spam. And SA isn't marking these messages as
> spam, whereas if it was directly sent the same spam, it would.
>
> So how do we fix this situation? What about getting SA to "detach" the
> associated bounced message as a separate message and score that instead?
> I know I can casually just say that - doing is a different matter - but
> isn't that really the only answer to this problem?
>
> How are others (successfully) handling backscatter? Moving bounces into
> yet another separate folder isn't a solution for our users - and I'm
> sure the same applies elsewhere. Spam is spam...
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Best Regards,

Jeff Koch, Intersessions
Re: Low Scores on Bounce Backs
I think we've detoured from the actual problem?

The fact is that lots of spam is now being sent to other sites, pretending to
be from (collectively) our email addresses, so that we get the bounces
containing the spam. And SA isn't marking these messages as spam, whereas if
it was directly sent the same spam, it would.

So how do we fix this situation? What about getting SA to "detach" the
associated bounced message as a separate message and score that instead? I
know I can casually just say that - doing is a different matter - but isn't
that really the only answer to this problem?

How are others (successfully) handling backscatter? Moving bounces into yet
another separate folder isn't a solution for our users - and I'm sure the same
applies elsewhere. Spam is spam...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Low Scores on Bounce Backs
On Tue, 2008-04-08 at 12:33 +0200, Matus UHLAR - fantomas wrote:
> Sorry for previous mail, I accidentally hit send...
>
> > On Sun, 2008-04-06 at 23:25 -0400, Jeff Koch wrote:
> > > Thanks for the reply. I thought the purpose of adding the
> > >
> > > 'whitelist_bounce_relays mailserver_name.com'
> > >
> > > in local.cf was so that SA could assign a higher score to bounces that
> > > never originated at your own mailserver. Thereby identifying return
> > > address
> > > forgery.
>
> On 07.04.08 12:17, Karsten Bräckelmann wrote:
> > Actually quite the opposite. :) Rather than increasing a score, it is
> > used to 'rescue' legitimate bounce messages. See the docs [1].
>
> I don't think it's "opposite". I think he said the same as you - the
> whitelist_bounce_relays identify bounces originating on own mailserver,
> while the others, matching ANY_BOUNCE_MESSAGE indicate forgery.

Well, I stand to what I said. *shrug*

> > Basically, it serves two purposes: (a) Setting this option enables the
> > VBounce plugin, and (b) it prevents legit bounces from being marked
> > with the ANY_BOUNCE_MESSAGE and friends rules.
>
> does whitelist_bounce_relays really turn on VBounce? Does that mean that
> *BOUNCE* won't match when it's not set up?

Yes -- IIRC, no time to dig through the code again, today.

> > Of course, we can't stop you from assigning a custom, absurdly high
> > score to ANY_BOUNCE_MESSAGE to abuse the existing score based filtering.
>
> I guess score e.g. 1 is not absurdly high. Especially not when he uses
> SPF/DKIM and his users send mail through his servers.

Please read the context again. Neither me nor the OP mentioned setting a
score like 1. Actually, this thread started, because the assigned 0.2
"doesn't help much" in crossing the spam threshold. Neither does a score
of 1.

VBounce detects backscatter. And it does so, even without the original spam
attached. It does detect backscatter with a score of 0 or less, too.
(Coincidentally, the backscatter I get just raised dramatically a few days
ago.)

VBounce is not intended to raise the score anyway. It's the sole triggering
of these rules and thus flagging. NOT marking as spam, as I explained
earlier. A score of -1 would do just the same. The only reason to set a
score at all is, so SA does not skip these tests, as it would do with a
neutral score of 0.

> > However, the purpose of this plugin and the low default score is to not
> > weigh in into classifying spam, but to provide a nice handler (see my
> > previous post) to identify bounces and treat them specially.
>
> However, this plugin can be easily used to detect backscatter and it's
> probably what users will use it for.

^^ Exactly. *Detect* backscatter, not mark it as spam.

Moreover, it is an understatement to claim VBounce "can be easily used to
detect backscatter". That's its purpose. That is all it does.

Please see the most important part of the docs again, how VBounce is
intended and documented to be used:

$ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf

guenther

--
char *t="[EMAIL PROTECTED]"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Low Scores on Bounce Backs
Sorry for previous mail, I accidentally hit send...

> On Sun, 2008-04-06 at 23:25 -0400, Jeff Koch wrote:
> > Thanks for the reply. I thought the purpose of adding the
> >
> > 'whitelist_bounce_relays mailserver_name.com'
> >
> > in local.cf was so that SA could assign a higher score to bounces that
> > never originated at your own mailserver. Thereby identifying return address
> > forgery.

On 07.04.08 12:17, Karsten Bräckelmann wrote:
> Actually quite the opposite. :) Rather than increasing a score, it is
> used to 'rescue' legitimate bounce messages. See the docs [1].

I don't think it's "opposite". I think he said the same as you - the
whitelist_bounce_relays identify bounces originating on own mailserver,
while the others, matching ANY_BOUNCE_MESSAGE indicate forgery.

> Basically, it serves two purposes: (a) Setting this option enables the
> VBounce plugin, and (b) it prevents legit bounces from being marked
> with the ANY_BOUNCE_MESSAGE and friends rules.

does whitelist_bounce_relays really turn on VBounce? Does that mean that
*BOUNCE* won't match when it's not set up?

> Of course, we can't stop you from assigning a custom, absurdly high
> score to ANY_BOUNCE_MESSAGE to abuse the existing score based filtering.

I guess score e.g. 1 is not absurdly high. Especially not when he uses
SPF/DKIM and his users send mail through his servers.

> However, the purpose of this plugin and the low default score is to not
> weigh in into classifying spam, but to provide a nice handler (see my
> previous post) to identify bounces and treat them specially.

However, this plugin can be easily used to detect backscatter and it's
probably what users will use it for.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail to this address.
I don't have lysdexia. The Dog wouldn't allow that.
Re: Low Scores on Bounce Backs
On 07.04.08 12:17, Karsten Bräckelmann wrote:
> From: Karsten Bräckelmann <[EMAIL PROTECTED]>
> Date: Mon, 07 Apr 2008 12:17:36 +0200
> Subject: Re: Low Scores on Bounce Backs
> To: users@spamassassin.apache.org
>
> On Sun, 2008-04-06 at 23:25 -0400, Jeff Koch wrote:
> > Thanks for the reply. I thought the purpose of adding the
> >
> > 'whitelist_bounce_relays mailserver_name.com'
> >
> > in local.cf was so that SA could assign a higher score to bounces that
> > never originated at your own mailserver. Thereby identifying return address
> > forgery.
>
> Actually quite the opposite. :) Rather than increasing a score, it is
> used to 'rescue' legitimate bounce messages. See the docs [1].
>
> Basically, it serves two purposes: (a) Setting this option enables the
> VBounce plugin, and (b) it prevents legit bounces from being marked
> with the ANY_BOUNCE_MESSAGE and friends rules.

> Of course, we can't stop you from assigning a custom, absurdly high
> score to ANY_BOUNCE_MESSAGE to abuse the existing score based filtering.

assigning a score of about 1 doesn't abuse the filtering :)

> However, the purpose of this plugin and the low default score is to not
> weigh in into classifying spam, but to provide a nice handler (see my
> previous post) to identify bounces and treat them specially.

bounces that contain original spam as mime attachment could

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail to this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: Low Scores on Bounce Backs
On Sun, 2008-04-06 at 23:25 -0400, Jeff Koch wrote:
> Thanks for the reply. I thought the purpose of adding the
>
> 'whitelist_bounce_relays mailserver_name.com'
>
> in local.cf was so that SA could assign a higher score to bounces that
> never originated at your own mailserver. Thereby identifying return address
> forgery.

Actually quite the opposite. :) Rather than increasing a score, it is
used to 'rescue' legitimate bounce messages. See the docs [1].

Basically, it serves two purposes: (a) Setting this option enables the
VBounce plugin, and (b) it prevents legit bounces from being marked
with the ANY_BOUNCE_MESSAGE and friends rules.

Of course, we can't stop you from assigning a custom, absurdly high
score to ANY_BOUNCE_MESSAGE to abuse the existing score based filtering.
However, the purpose of this plugin and the low default score is to not
weigh in on classifying spam, but to provide a nice handler (see my
previous post) to identify bounces and treat them specially.

  guenther

[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_VBounce.html

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Low Scores on Bounce Backs
Hello Karsten:

Thanks for the reply. I thought the purpose of adding the

'whitelist_bounce_relays mailserver_name.com'

in local.cf was so that SA could assign a higher score to bounces that
never originated at your own mailserver. Thereby identifying return address
forgery.

At 02:04 PM 4/6/2008, Karsten Bräckelmann wrote:
> On Sun, 2008-04-06 at 13:19 -0400, Jeff Koch wrote:
> > Maybe I'm doing something wrong but the bounces we receive are getting
> > extremely low scores. My understanding was that by enabling VBounce in the
> > V3.2.4 configs and by adding:
> >
> > whitelist_bounce_relays mailserver_name.com
> >
> > we would have a shot at filtering out bounces. Instead we are seeing very
> > low bounce scores:
>
> The goal of VBounce is to *identify* and spot backscatter, not to flag it
> as spam. Actually, IIRC its stated intention is to treat backscatter
> differently from spam, because (strictly) it is not.
>
> > * 0.1 BOUNCE_MESSAGE MTA bounce message
> > * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
> >
> > A scoring of 0.2 does little. Here's the full header. If anyone can help
> > explain what we're doing wrong or should change I'd appreciate it.
>
> $ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
> # If you use this, set up procmail or your mail app to spot the
> # "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move
> # messages that match that to a 'vbounce' folder.
>
>   guenther

Best Regards,

Jeff Koch, Intersessions
Re: Low Scores on Bounce Backs
On Sun, 2008-04-06 at 13:19 -0400, Jeff Koch wrote:
> Maybe I'm doing something wrong but the bounces we receive are getting
> extremely low scores. My understanding was that by enabling VBounce in the
> V3.2.4 configs and by adding:
>
> whitelist_bounce_relays mailserver_name.com
>
> we would have a shot at filtering out bounces. Instead we are seeing very
> low bounce scores:

The goal of VBounce is to *identify* and spot backscatter, not to flag it
as spam. Actually, IIRC its stated intention is to treat backscatter
differently from spam, because (strictly) it is not.

> * 0.1 BOUNCE_MESSAGE MTA bounce message
> * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
>
> A scoring of 0.2 does little. Here's the full header. If anyone can help
> explain what we're doing wrong or should change I'd appreciate it.

$ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
# If you use this, set up procmail or your mail app to spot the
# "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move
# messages that match that to a 'vbounce' folder.

  guenther
Low Scores on Bounce Backs
Maybe I'm doing something wrong but the bounces we receive are getting
extremely low scores. My understanding was that by enabling VBounce in the
V3.2.4 configs and by adding:

whitelist_bounce_relays mailserver_name.com

we would have a shot at filtering out bounces. Instead we are seeing very
low bounce scores:

* 0.1 BOUNCE_MESSAGE MTA bounce message
* 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message

A scoring of 0.2 does little. Here's the full header. If anyone can help
explain what we're doing wrong or should change I'd appreciate it.

Return-Path: <>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 32048 invoked by uid 89); 6 Apr 2008 16:11:23 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 32046 invoked by uid 89); 6 Apr 2008 16:11:23 -
Received: by simscan 1.3.1 ppid: 32002, pid: 32005, t: 2.3057s
  scanners: clamav: 0.92/m: spam: 3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mailserver_name.com
X-Spam-Level:
X-Spam-Status: No, score=4.7 required=5.0 tests=ANY_BOUNCE_MESSAGE,
  BOUNCE_MESSAGE,DATE_IN_PAST_03_06,INVALID_DATE,RDNS_NONE,URI_HEX
  autolearn=no version=3.2.4
X-Spam-Report:
  * 1.7 INVALID_DATE Invalid Date: header (not RFC 2822)
  * 1.4 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
  * 1.3 URI_HEX URI: URI hostname has long hexadecimal sequence
  * 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
  * 0.1 BOUNCE_MESSAGE MTA bounce message
  * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
Received: from unknown (HELO eSolutionsWebServer.esolutions.com.jo) (69.46.25.141)
  by 0 with SMTP; 6 Apr 2008 16:11:20 -
Date: Sun, 6 Apr 2008 12:23:42
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "Postmaster" <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Undeliverable Mail
X-Mailer:
X-UID: 74000

User mailbox exceeds allowed size: [EMAIL PROTECTED]

Original message follows.

Received: from Dynamic-IP-19015811685.cable.net.co [190.158.116.85]
  by eSolutionsWebServer.esolutions.com.jo with ESMTP (SMTPD-9.23) id A3340334;
  Sun, 06 Apr 2008 12:23:32 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Replicae" <[EMAIL PROTECTED]>
To: "Most Exclusive" <[EMAIL PROTECTED]>
Subject: [SPAM Premium Filter] [X-IMail-SPAM-Connection] Handbags
Date: Sun, 06 Apr 2008 14:23:50 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_0003_01C89800.06801453"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-IMAIL-SPAM-DNSBL: (dul.dnsbl.sorbs.net,233101d0db85,127.0.0.10)
X-Mail-Filters-Spam: Spam [ID=2 4B300C2D2BC44937ABDB0C10BEF68235]
X-IMAIL-SPAM-PREMIUM: (233101d0db85)

This is a multi-part message in MIME format.

Best Regards,

Jeff Koch, Intersessions
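The thread makes two separate points: the 20_vbounce.cf comment says to act on the ANY_BOUNCE_MESSAGE hit in X-Spam-Status from procmail or the mail client rather than via the score, and whitelist_bounce_relays is what separates a bounce of mail your own relays really sent from backscatter caused by a forged return path. The script below is an added example, not SpamAssassin's VBounce code or any poster's, that does both by hand: it parses the (possibly folded) X-Spam-Status tests= list, then looks for your relay names in the Received chain of the quoted original inside the bounce body, which is where a forged-sender bounce differs from a real one. The relay name mailserver_name.com is the thread's placeholder, the sample message is constructed from the headers Jeff posted with placeholder addresses, and the suffix-matching rule for relay hostnames is this example's own simplification of what the plugin does.

```python
"""Added example (not SpamAssassin's VBounce code): classify a scanned
message as not-bounce / legit-bounce / backscatter from its X-Spam-Status
header and the Received chain of the quoted original in the bounce body."""
import re

# Stand-in for 'whitelist_bounce_relays mailserver_name.com' (the placeholder
# hostname from the thread); an assumption, replace with your own MX names.
BOUNCE_RELAYS = ("mailserver_name.com",)

_STATUS_TESTS = re.compile(r"tests=(.*?)(?:\s+\w+=|$)", re.S)
_RCVD_HOSTS = re.compile(r"\b(?:from|by)\s+([\w.-]+)|\(HELO\s+([\w.-]+)\)", re.I)

def split_message(raw):
    """Return (header fields, body); folded header lines are joined."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields, body

def spam_tests(fields):
    """Rule names from the X-Spam-Status 'tests=' list (folded or not)."""
    for field in fields:
        if field.lower().startswith("x-spam-status:"):
            m = _STATUS_TESTS.search(field)
            if m:
                return set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", m.group(1)))
    return set()

def received_fields(text):
    """Unfolded Received: fields found anywhere in text, header or quoted body."""
    out, collecting = [], False
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.lower().startswith("received:"):
            out.append(line)
            collecting = True
        elif collecting and line[:1] in (" ", "\t"):
            out[-1] += " " + line.strip()
        else:
            collecting = False
    return out

def mentions_our_relay(received):
    """True if a from/by/HELO hostname is one of BOUNCE_RELAYS or a host under it."""
    for a, b in _RCVD_HOSTS.findall(received):
        host = (a or b).lower()
        if any(host == r or host.endswith("." + r) for r in BOUNCE_RELAYS):
            return True
    return False

def classify(raw):
    head, body = split_message(raw)
    if "ANY_BOUNCE_MESSAGE" not in spam_tests(head):
        return "not-bounce"
    # Judge by the Received chain of the *quoted original* in the bounce body,
    # not by the bounce's own delivery path: with a forged return path the
    # original never passed through our relays.
    if any(mentions_our_relay(r) for r in received_fields(body)):
        return "legit-bounce"
    return "backscatter"

# Constructed sample modelled on the headers posted in this thread; the
# addresses are placeholders, not the ones from the list archive.
BACKSCATTER = """\
X-Spam-Status: No, score=4.7 required=5.0 tests=ANY_BOUNCE_MESSAGE,
\tBOUNCE_MESSAGE,DATE_IN_PAST_03_06,INVALID_DATE,RDNS_NONE,URI_HEX
\tautolearn=no version=3.2.4
Received: from unknown (HELO eSolutionsWebServer.esolutions.com.jo) (69.46.25.141)
  by 0 with SMTP; 6 Apr 2008 16:11:20 -0000
From: "Postmaster" <postmaster@example.com.jo>
To: <user@mailserver_name.com>
Subject: Undeliverable Mail

Original message follows.

Received: from Dynamic-IP-19015811685.cable.net.co [190.158.116.85]
  by eSolutionsWebServer.esolutions.com.jo with ESMTP (SMTPD-9.23) id A3340334;
  Sun, 06 Apr 2008 12:23:32 -0700
From: "Replicae" <user@mailserver_name.com>
Subject: Handbags
"""

# Same bounce, but the quoted original really did leave through our MX.
LEGIT = BACKSCATTER.replace(
    "from Dynamic-IP-19015811685.cable.net.co [190.158.116.85]",
    "from mx1.mailserver_name.com [192.0.2.25]")

if __name__ == "__main__":
    for name, sample in (("backscatter", BACKSCATTER), ("legit", LEGIT)):
        print(name, "->", classify(sample))
```

The hostname check requires an exact match or a host under one of the listed domains, so a look-alike such as evil-mailserver_name.com does not count as yours; what it cannot do is verify that the Received line was written by your MTA rather than pasted in by the sender, which is why the thread's discussion of HELO names and IP addresses matters when you rely on this for anything stronger than folder sorting.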