Re: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
Tom Lindell asked:
> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.

Tom,

Don't you require password authentication as a prerequisite for users being 
allowed to relay messages through your server? (and I'm always wondering if this 
is enough protection from trojans?)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Checking my own users mail

2006-08-14 Thread Evan Platt

At 12:00 PM 8/14/2006, you wrote:

> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.


There probably is. Not with SpamAssassin though. SpamAssassin cannot 
drop or reject mail. But depending on how you call SpamAssassin, i.e. 
procmail, you may be able to do something.


But keep in mind, a trojan sending out 1000 messages an hour may not 
classify as SPAM. A better option may be something on your mail 
server, or an anti-virus program on your mail server. 



RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
I do, however if they get an MS Outlook trojan that can use Outlook to forward
the spam it gets right on through 

-Original Message-
From: Rob McEwen (PowerView Systems) [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 1:59 PM
To: Thomas Lindell; users@spamassassin.apache.org
Subject: Re: Checking my own users mail

Tom Lindell asked:
> Every now and again one of my bonehead customers gets a trojan that 
> starts shooting out spam messages like crazy.  I usually catch it within 
> a few hours but I am wondering if there's a way for me to scan 
> messages my customers send and drop them or bounce them back if they're
> detected as spam.

Tom,

Don't you require password authentication as a prerequisite for users being
allowed to relay messages through your server? (and I'm always wondering if
this is enough protection from trojans?)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Checking my own users mail

2006-08-14 Thread Michele Neylon:: Blacknight.ie
Thomas Lindell wrote:
> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.
>
> Thanks
>
> Tom

Short answer ..

If they are using your SMTP - yes

If they aren't ..


-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
I do have amavis running; the problem is identifying the message. Ideally I
guess I would like it to pop up an error in Outlook like it does when they
try to send a file attachment that's too large.

I suppose I could implement some sort of rate limiting but that's just
irritating. I am trying to stay out of their way as much as possible and yet
still protect the internet from spam generated by the odd customer.
Tom

-Original Message-
From: Evan Platt [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 2:00 PM
To: users@spamassassin.apache.org
Subject: Re: Checking my own users mail

At 12:00 PM 8/14/2006, you wrote:
> Every now and again one of my bonehead customers gets a trojan that 
> starts shooting out spam messages like crazy.  I usually catch it within 
> a few hours but I am wondering if there's a way for me to scan messages 
> my customers send and drop them or bounce them back if they're detected as
> spam.

There probably is. Not with SpamAssassin though. SpamAssassin cannot drop or
reject mail. But depending on how you call SpamAssassin, i.e. procmail, you
may be able to do something.

But keep in mind, a trojan sending out 1000 messages an hour may not
classify as SPAM. A better option may be something on your mail server, or an
anti-virus program on your mail server. 



RE: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
Tom said:
> I do however if they get a Msoutlook trojan that can use outlook to forward
> the spam it gets right on through 

What a nightmare. I've been aware of this possibility, but I didn't think it 
happened that often.

Are there any particular characteristics of the outgoing spam and/or viruses?

I'd bet that these types of trojans which use existing outlook accounts and 
send mail through outlook probably tend to fall within a narrow range as far as 
the actual spam or virus messages that are sent.

Do you see a pattern with these?

What I'm thinking is that if these fall within a narrow range, then that might 
make it more wise to scan outbound mail.. but to do so using a limited range of 
types of scanning to minimize resources... targeting just the types of spams 
that are being sent by these types of trojans.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
They are generally a clone of each other, just substituting the send-to
address.

Usually they're the typical Viagra or stock scam.

If they were incoming my SA would catch 'em and mark 'em, but as they're not
being processed by SA they don't even get marked.

Worse yet is even if SA marks 'em they still go out, only with the SA header
on them kindly notifying the recipient that this indeed is spam.

Nifty huh 

-Original Message-
From: Rob McEwen (PowerView Systems) [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 2:23 PM
To: users@spamassassin.apache.org
Subject: RE: Checking my own users mail

Tom said:
> I do however if they get a Msoutlook trojan that can use outlook to 
> forward the spam it gets right on through

What a nightmare. I've been aware of this possibility, but I didn't think it
happened that often.

Are there any particular characteristics of the outgoing spam and/or
viruses?

I'd bet that these types of trojans which use existing outlook accounts and
send mail through outlook probably tend to fall within a narrow range as far
as the actual spam or virus messages that are sent.

Do you see a pattern with these?

What I'm thinking is that if these fall within a narrow range, then that
might make it more wise to scan outbound mail.. but to do so using a limited
range of types of scanning to minimize resources... targeting just the
types of spams that are being sent by these types of trojans.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



RE: Checking my own users mail

2006-08-14 Thread Evan Platt

At 12:36 PM 8/14/2006, you wrote:

> They are generally a clone of each other, just substituting the send-to
> address.
>
> Usually they're the typical Viagra or stock scam.
>
> If they were incoming my SA would catch 'em and mark 'em, but as they're not
> being processed by SA they don't even get marked.


That's a function of your mail server. You likely can configure your 
mail server to check outgoing mail too.



> Worse yet is even if SA marks 'em they still go out, only with the SA header
> on them kindly notifying the recipient that this indeed is spam.


That is also a function of your system. With the right 
implementation, you can have your mail server delete any messages 
marked as spam, incoming or outgoing. However I would never recommend 
this. If you do, however, be prepared for a call from a customer of 
"How come I've sent this e-mail 20 times to my customer yet he never 
received it?"



> Nifty huh


SA never advertised it would delete mail. That's up to you to do.



RE: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
> Usually they're the typical viagra or stock scam.

Text or image spam?

If text, do they include a URL that might be caught by SURBL or URIBL?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
I appreciate where you're going with this; I just didn't know how to approach
it.

If my mail server must address it then I am off to check some man pages. I
really just needed a place to start.

Thanks

Tom 

-Original Message-
From: Evan Platt [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 2:36 PM
To: users@spamassassin.apache.org
Subject: RE: Checking my own users mail

At 12:36 PM 8/14/2006, you wrote:
> They are generally a clone of each other, just substituting the send-to 
> address.
>
> Usually they're the typical Viagra or stock scam.
>
> If they were incoming my SA would catch 'em and mark 'em, but as they're 
> not being processed by SA they don't even get marked.

That's a function of your mail server. You likely can configure your mail
server to check outgoing mail too.

> Worse yet is even if SA marks 'em they still go out, only with the SA 
> header on them kindly notifying the recipient that this indeed is spam.

That is also a function of your system. With the right implementation, you
can have your mail server delete any messages marked as spam, incoming or
outgoing. However I would never recommend this. If you do, however, be
prepared for a call from a customer of "How come I've sent this e-mail 20
times to my customer yet he never received it?"

> Nifty huh

SA never advertised it would delete mail. That's up to you to do.



Re: Checking my own users mail

2006-08-14 Thread Loren Wilton

> If my mail server must address it then I am off to check some man pages. I
> really just needed a place to start.


Yes.  At a guess you may want to set up two different SA configurations, 
although you can probably do it with a single one, somehow.  You would 
somehow in your server chain route outgoing through one of the SA instances 
while incoming is going through the other one.  Then you can catch the 
outgoing stuff easy enough and do whatever you want with it.


   Loren



Re: Checking my own users mail

2006-08-14 Thread Logan Shaw

On Mon, 14 Aug 2006, Thomas Lindell wrote:

> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.


What about enabling some sort of connection rate throttling
(keyed by IP address) in your MTA?  I believe sendmail has
such a feature.  Then, scan the log messages and alert the
on-call person (you?) if some client machine starts connecting
to send outgoing messages more than seems reasonable.  If it's
only every now and then, it might not be that bad to have to
respond to it manually.  You could check the logs to see if the
traffic is really malicious (rather than someone using e-mail
as an instant-messenger substitute), and if so, cut them off.

Of course, this only works for certain classes of customers.
If you're an ISP and your customers each have one desktop
computer, it works great.  If your customers have 100 users
and their own mail server, it doesn't work as great...

  - Logan
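
The log-scanning step suggested in the message above, as an added example that is not part of the original thread: it counts accepted messages per client IP in a sliding window and reports clients that exceed a threshold. The log lines are constructed in the style of sendmail's `from=` entries, and the function names, the 20-messages-per-5-minutes threshold and the addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sendmail-style "from=" entries: syslog timestamp, then relay=host [ip].
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s.*?\bfrom=<[^>]*>.*\brelay=[^\[]*\[([0-9A-Fa-f.:]+)\]"
)

def constructed_log():
    """Build sample log lines (constructed for this example, not real traffic)."""
    start = datetime(2006, 8, 14, 12, 0, 0)
    fmt = ("{ts:%b %d %H:%M:%S} mail sendmail[4242]: k7EJ{n:04d}: "
           "from=<user@customer.example>, size=2048, nrcpts=1, relay={host} [{ip}]")
    lines = [  # noisy client: one message every 10 seconds, 30 in total
        fmt.format(ts=start + timedelta(seconds=10 * n), n=n,
                   host="pc1.customer.example", ip="192.0.2.10")
        for n in range(30)
    ]
    for n, minute in enumerate((1, 4), start=100):  # quiet client: two messages
        lines.append(fmt.format(ts=start + timedelta(minutes=minute), n=n,
                                host="pc2.customer.example", ip="192.0.2.20"))
    # Outbound delivery entry: has relay= but no from=, so it must be ignored.
    lines.append("Aug 14 12:02:00 mail sendmail[4243]: k7EJ0001: "
                 "to=<rcpt@remote.example>, relay=mx.remote.example. [198.51.100.5]")
    return lines

def find_bursts(lines, limit=20, window=timedelta(minutes=5), year=2006):
    """Return {client_ip: peak messages seen in any `window`} where peak > limit."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # Syslog stamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop entries older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

if __name__ == "__main__":
    for ip, n in find_bursts(constructed_log()).items():
        print(f"ALERT {ip}: {n} messages within 5 minutes")
```

Keying on client IP has the limitation the message itself points out: a customer relaying for many users through one mail server will look like a single busy client, so the threshold needs to be set per class of customer.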