Re: JMF whitelist and RAZOR conflict

2009-09-12 Thread Benny Pedersen

On Sat 12 Sep 2009 23:46:44 CEST, John Hardin wrote

> The latter. Possibly through another list instead of
> trusted_networks; the semantics are slightly different and
> overloading the current trusted list with an SPF meaning might be a

it will be one more networks list to manage, and keeping track of what
is what later will get more confusing if there is a separate list for
spf, it's just magic that it has worked so long without anyone wondering
why all that spf fails in sa :)

> bad idea. spf_forwarders perhaps?

imho i will say no, keep it trusted_networks, makes fewer lists and it
still makes sense for trusted_networks to also include spf testing
outside this barrier, to mimic how pypolicyd-spf does it in the mta


what types of ips i whitelist are:

1: isps that are known to forward customers' emails
2: forwarders that don't use srs or otherwise have some type of email-handling
email forward system

what types i remove from trusted_networks are:

1: ips that send spams
2: forwarders where there is spam scanning and they still forward the spam

i still have to see spf pass and spf whitelist in spam here :)

(first part is easy for the spammer, 2nd part is the paying one)

--
xpoint



Re: JMF whitelist and RAZOR conflict

2009-09-12 Thread John Hardin

On Sat, 12 Sep 2009, Benny Pedersen wrote:

> On Sat 12 Sep 2009 20:22:21 CEST, John Hardin wrote
>
>> Hrm. Changing that might be something to consider, then.
>
> change sa to support srs ?
>
> or spf trusted_networks ?

The latter. Possibly through another list instead of trusted_networks; the
semantics are slightly different and overloading the current trusted list
with an SPF meaning might be a bad idea. spf_forwarders perhaps?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  There is no doubt in my mind that millions of lives could have been
  saved if the people were not "brainwashed" about gun ownership and
  had been well armed. ... Gun haters always want to forget the Warsaw
  Ghetto uprising, which is a perfect example of how a ragtag,
  half-starved group of Jews took 10 handguns and made asses out of
  the Nazis.-- Theodore Haas, Dachau survivor
---
 5 days until the 222nd anniversary of the signing of the U.S. Constitution

Re: JMF whitelist and RAZOR conflict

2009-09-12 Thread Benny Pedersen

On Sat 12 Sep 2009 20:22:21 CEST, John Hardin wrote

> Hrm. Changing that might be something to consider, then.

change sa to support srs ?

or spf trusted_networks ?

the latter does work in my setup, if one knows it's not so, please tell
me what my error is


--
xpoint



Re: JMF whitelist and RAZOR conflict

2009-09-12 Thread Benny Pedersen

On Sat 12 Sep 2009 19:30:09 CEST, Henrik K wrote

> PS. SPF is checked on internal, not trusted border. Even though
> they are the same for most people..

some ?

> and I don't think you can disable SPF checks
> in any way except fully.

if spf test is done in mta stage with a prepended header for spf pass,
no problem to whitelist trusted forwards

this header can be used as a spf test header in the spf plugin, remember
to disable the perl spf test

perldoc Mail::SpamAssassin::Plugin::SPF

can the freemail plugin use spf softfail and/or spf fail domain as a
freemail domain test ? (maybe even spf neutral)

bad idea ?

pypolicyd-spf is used here in my postfix after postfix does its rbl testing

--
xpoint



Re: JMF whitelist and RAZOR conflict

2009-09-12 Thread John Hardin

On Sat, 12 Sep 2009, Henrik K wrote:

> On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
>> On Fri, 11 Sep 2009, MySQL Student wrote:
>>
>>>> are you receiving forwarded emails from spf domains ?
>>>
>>> If I understand correctly, no. I have no relationship with any external
>>> source and their SPF records.
>>>
>>>> if so add the forward ip to trusted_networks (so spf will be disabled
>>>> from these hosts)
>>>
>>> Do you mean to avoid the processing overhead? IOW, don't bother
>>> checking SPF records for trusted domains?
>>
>> One of the problems with SPF is that someone who sets up forwarding (e.g.
>> you have a gmail account, and you set it to automatically forward
>> messages to your "real" account) breaks SPF checks for messages received
>> via the forward. If I send a mail to your gmail account, and google
>> forwards it to your real account, your MTA will see a message from an
>> @impsec.org address originating from an MTA that my SPF record says is
>> not a valid source. SPF fail.
>
> Bad example, gmail rewrites forwards properly coming from y...@gmail.com.

Oops. But you get the idea.

>> If you tell SA that google is trusted, that pushes the SPF test point
>> back one step - where did *google* receive the message from?
>> mail.impsec.org? Okay, then - SPF pass.
>
> PS. SPF is checked on internal, not trusted border. Even though they are
> the same for most people.. and I don't think you can disable SPF checks
> in any way except fully.

Hrm. Changing that might be something to consider, then.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  So Microsoft's invented the ASCII equivalent to ugly ink spots that
  appear on your letter when your pen is malfunctioning.
 -- Greg Andrews, about Microsoft's way to encode apostrophes
---
 5 days until the 222nd anniversary of the signing of the U.S. Constitution
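The forwarding scenario John describes above, together with Henrik's point that SpamAssassin runs SPF at the internal-network border, as an added Python model; this is not code from the thread or from SpamAssassin, and the relay IPs, domains and SPF data are all constructed.

```python
# Added example, not code from the thread or from SpamAssassin itself: a toy
# model of how SpamAssassin chooses the IP for its SPF check from the Received
# chain, and why listing a forwarder in trusted/internal networks moves that
# check back one hop. All addresses, domains and SPF data are constructed.
import ipaddress

# Constructed SPF data: domain -> permitted sender networks (ip4 terms only).
SPF_RECORDS = {
    "sender.example": ["203.0.113.10/32"],     # the original sending MTA
    "forwarder.example": ["198.51.100.5/32"],  # a forwarder that rewrites MAIL FROM
}

# Constructed relay chain, newest hop first, as the "from" IPs in the Received
# headers seen by our MX (192.0.2.1): the forwarder, then the original sender.
RELAYS = ["198.51.100.5", "203.0.113.10"]

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def spf_check(domain, client_ip):
    """Minimal SPF evaluation: pass if client_ip matches an ip4 term."""
    nets = SPF_RECORDS.get(domain)
    if nets is None:
        return "none"
    return "pass" if in_any(client_ip, nets) else "fail"

def spf_client_ip(relays, internal_networks):
    """Walk the chain newest-first; the first relay outside internal_networks
    is the host that crossed the internal border, so SPF is checked on it.
    (SpamAssassin defaults internal_networks to trusted_networks when unset,
    which is why the thread treats the two as the same for most people.)"""
    for ip in relays:
        if not in_any(ip, internal_networks):
            return ip
    return None  # every hop is internal: nothing external to check

def evaluate(internal_networks, mail_from_domain):
    ip = spf_client_ip(RELAYS, internal_networks)
    return ip, (spf_check(mail_from_domain, ip) if ip else "none")

if __name__ == "__main__":
    # 1. Forwarder is external: SPF is run on the forwarder's IP -> fail.
    print(evaluate(["192.0.2.0/24"], "sender.example"))
    # 2. Forwarder added to trusted/internal: check moves back one hop -> pass.
    print(evaluate(["192.0.2.0/24", "198.51.100.5/32"], "sender.example"))
    # 3. Forwarder rewrote MAIL FROM to its own domain: passes without trust.
    print(evaluate(["192.0.2.0/24"], "forwarder.example"))
```

Case 3 is the situation Henrik points at with gmail: when the forwarder rewrites the envelope sender to its own domain, the check at the forwarder's IP passes without any trust entry.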


Re: JMF whitelist and RAZOR conflict

2009-09-12 Thread Henrik K
On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
> On Fri, 11 Sep 2009, MySQL Student wrote:
>
>>> are you receiving forwarded emails from spf domains ?
>>
>> If I understand correctly, no. I have no relationship with any external 
>> source and their SPF records.
>>
>>> if so add the forward ip to trusted_networks (so spf will be disabled 
>>> from these hosts)
>>
>> Do you mean to avoid the processing overhead? IOW, don't bother 
>> checking SPF records for trusted domains?
>
> One of the problems with SPF is that someone who sets up forwarding (e.g. 
> you have a gmail account, and you set it to automatically forward 
> messages to your "real" account) breaks SPF checks for messages received 
> via the forward. If I send a mail to your gmail account, and google 
> forwards it to your real account, your MTA will see a message from an 
> @impsec.org address originating from an MTA that my SPF record says is 
> not a valid source. SPF fail.

Bad example, gmail rewrites forwards properly coming from y...@gmail.com.

> If you tell SA that google is trusted, that pushes the SPF test point 
> back one step - where did *google* receive the message from? 
> mail.impsec.org? Okay, then - SPF pass.

PS. SPF is checked on internal, not trusted border. Even though they are the
same for most people.. and I don't think you can disable SPF checks in any
way except fully.



Re: JMF whitelist and RAZOR conflict

2009-09-12 Thread John Hardin

On Fri, 11 Sep 2009, MySQL Student wrote:

>> are you receiving forwarded emails from spf domains ?
>
> If I understand correctly, no. I have no relationship with any external
> source and their SPF records.
>
>> if so add the forward ip to trusted_networks (so spf will be disabled
>> from these hosts)
>
> Do you mean to avoid the processing overhead? IOW, don't bother checking
> SPF records for trusted domains?

One of the problems with SPF is that someone who sets up forwarding (e.g.
you have a gmail account, and you set it to automatically forward messages
to your "real" account) breaks SPF checks for messages received via the
forward. If I send a mail to your gmail account, and google forwards it to
your real account, your MTA will see a message from an @impsec.org address
originating from an MTA that my SPF record says is not a valid source. SPF
fail.

If you tell SA that google is trusted, that pushes the SPF test point back
one step - where did *google* receive the message from? mail.impsec.org?
Okay, then - SPF pass.

> On a somewhat related note, how does BOTNET differ from RDNS_NONE?
> What is the logic behind the BOTNET rule? Is there some known list
> that it's checking, or is it just likely to be a dynamic IP or
> compromised host if it doesn't have a reverse DNS entry?

RDNS_NONE is, well, _no_ rDNS data.

BOTNET uses a lot of heuristics to determine whether the sender looks
dynamic. I suggest you read the list archives back when it was first
proposed and released for more details.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  An entitlement beneficiary is a person or special interest group
  who didn't earn your money, but demands the right to take your
  money because they *want* it.-- John McKay, _The Welfare State:
   No Mercy for the Middle Class_
---
 5 days until the 222nd anniversary of the signing of the U.S. Constitution


Re: JMF whitelist and RAZOR conflict

2009-09-11 Thread MySQL Student
Hi,

>> I have several emails that are tagged with RCVD_IN_JMF_W,
>> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
>> http://pastebin.com/m4a4d990e
>
> why accept SPF_SOFTFAIL ?
>
> cant this be solved ?

I don't understand. I'm still learning how the SPF rules work.
Shouldn't I be adding points for an SPF_FAIL? This indicates a spoof
attempt, no?

> are you receiving forwarded emails from spf domains ?

If I understand correctly, no. I have no relationship with any
external source and their SPF records.

> if so add the forward ip to trusted_networks (so spf will be disabled from
> these hosts)

Do you mean to avoid the processing overhead? IOW, don't bother
checking SPF records for trusted domains?

>> Is the criteria for being listed on the JMF_W simply that it
>> contains a domain that is whitelisted, despite whether it
>> contains another URL that is blacklisted?
>
> this is spamassassin working, if there is a blacklisted domain add it to
> your uribl_skip_domain list

Ah, you mean if the domain is erroneously on the blacklist, right?

>> Would I be advised to make the JMF_W score very low, or create a
>> meta that doesn't really whitelist it unless it isn't also blacklisted?
>
> this is ip and not domains

On a somewhat related note, how does BOTNET differ from RDNS_NONE?
What is the logic behind the BOTNET rule? Is there some known list
that it's checking, or is it just likely to be a dynamic IP or
compromised host if it doesn't have a reverse DNS entry?

Thanks so much for the clarification, and confirmation about Gevalia/Kraft.

Thanks,
Alex


Re: JMF whitelist and RAZOR conflict

2009-09-11 Thread Kelson

RW wrote:

> Razor looks up fuzzy hashes of an email on a server that records the
> values that have previously been reported for spam.   JMF_W  is based on
> the IP address of the last hop into your trusted network (or internal
> if you set it up that way). Neither is based on URLs.

Actually, Razor does check URLs as well.  It's one of the signature
types. Type 8, I think.


--
Kelson Vibber
SpeedGate Communications 


Re: JMF whitelist and RAZOR conflict

2009-09-11 Thread Benny Pedersen

On Fri 11 Sep 2009 01:21:16 AM CEST, MySQL Student wrote

> I have several emails that are tagged with RCVD_IN_JMF_W,
> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
> http://pastebin.com/m4a4d990e

why accept SPF_SOFTFAIL ?

can't this be solved ?

are you receiving forwarded emails from spf domains ?

if so add the forward ip to trusted_networks (so spf will be disabled
from these hosts)

> Is the criteria for being listed on the JMF_W simply that it
> contains a domain that is whitelisted, despite whether it
> contains another URL that is blacklisted?

this is spamassassin working, if there is a blacklisted domain add it
to your uribl_skip_domain list

> Would I be advised to make the JMF_W score very low, or create a
> meta that doesn't really whitelist it unless it isn't also blacklisted?

this is ip and not domains

> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
>
> It also appears to spoof the kraftfoods.com mail server, correct?
> Is there a possible rule to be created here?

rule is okay as a ham score, well written

--
xpoint



RE: JMF whitelist and RAZOR conflict

2009-09-11 Thread Bob O'Brien
No - that really came out of mail2.kraftfoods.com (parent corporation of 
Gevalia, remember?) 
I have seen other samples of the same message spamming other recipients, and 
there's no question of source IP.



Bob

-Original Message-
From: MySQL Student [mailto:mysqlstud...@gmail.com] 
Sent: Thursday, September 10, 2009 4:21 PM


It also appears to spoof the kraftfoods.com mail server, correct? Is
there a possible rule to be created here?






Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread RW
On Thu, 10 Sep 2009 21:23:11 -0400
MySQL Student  wrote:

> Hi,
> 
> >> http://pastebin.com/m4a4d990e
> >>
> >> Is the criteria for being listed on the JMF_W simply that it
> >> contains a domain that is whitelisted, despite whether it contains
> >> another URL that is blacklisted?
> >
> > I'm not sure what you are saying here, it's not as if the people
> > running the whitelist could lookup the IP address on razor.
> 
> I'm saying that it appears odd that it would be listed on both RAZOR
> and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
> rules found the bogus
> http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
> is a legitimate kraftfoods site?


Razor looks up fuzzy hashes of an email on a server that records the
values that have previously been reported for spam.   JMF_W  is based on
the IP address of the last hop into your trusted network (or internal
if you set it up that way). Neither is based on URLs.

DNS whitelists are hard to spoof. Both examples involve exchange
server, perhaps a spammer is exploiting a Windows or exchange
vulnerability.


Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread MySQL Student
Hi,

>> http://pastebin.com/m4a4d990e
>>
>> Is the criteria for being listed on the JMF_W simply that it contains
>> a domain that is whitelisted, despite whether it contains another URL
>> that is blacklisted?
>
> I'm not sure what you are saying here, it's not as if the people
> running the whitelist could lookup the IP address on razor.

I'm saying that it appears odd that it would be listed on both RAZOR
and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
rules found the bogus
http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
is a legitimate kraftfoods site?

>> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
>
> Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is
> that the whitelist rule is then pointless. Set its score at a value
> that's commensurate with its effectiveness on your email.

Does my question now make sense? I was looking at it from more of a
validation point of view for JMF_W, because of the apparent conflict
with RAZOR.

>> It also appears to spoof the kraftfoods.com mail server, correct? Is
>> there a possible rule to be created here?
>
> No, it was almost certainly sent through kraftfoods.com. It's based on
> an IP address recorded by your trusted network.

Maybe I should have used a better example. Can I ask you to look at this one?

http://pastebin.com/m7d61b26f

This uses IP 66.132.135.108 as its URL (xybersleuth.com), and unless
that's not a spammer's site, then there's something wrong. This email
includes JMF_W and RAZOR2_CF_RANGE_51_100 and URIBL_BLACK in the same
message, although it has a very low bayes score. Which is correct?

Thanks,
Alex


Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread RW
On Thu, 10 Sep 2009 19:21:16 -0400
MySQL Student  wrote:

> Hi,
> 
> I have several emails that are tagged with RCVD_IN_JMF_W,
> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
> 
> http://pastebin.com/m4a4d990e
> 
> Is the criteria for being listed on the JMF_W simply that it contains
> a domain that is whitelisted, despite whether it contains another URL
> that is blacklisted?

I'm not sure what you are saying here, it's not as if the people
running the whitelist could lookup the IP address on razor.

> Would I be advised to make the JMF_W score very low, or create a meta
> that doesn't really whitelist it unless it isn't also blacklisted?
> 
> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)

Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is
that the whitelist rule is then pointless. Set its score at a value
that's commensurate with its effectiveness on your email.

It might be sensible to make meta rules for RCVD_IN_DNSWL_* and
RCVD_IN_JMF_W, if you are going to use both.

> It also appears to spoof the kraftfoods.com mail server, correct? Is
> there a possible rule to be created here?

No, it was almost certainly sent through kraftfoods.com. It's based on
an IP address recorded by your trusted network.