Re: AWL DoS?
Ok, silly question time: Why aren't your users in the whitelist file? Sure, 70,000 users is a big list to check, but checking against a single long list is a lot faster than all those regexp pattern matches. (NOT AWL, but whitelist -- YOUR users are passed through to support no matter what their message.)

--
Sherwood Botsford
St. John's School of Alberta
Re: AWL DoS?
On Sun, Sep 19, 2004 at 08:08:24AM -0700, Bill Landry wrote:
> From: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>
> > > Much better to simply not spam filter critical e-mail accounts
> > > like postmaster/abuse/support/sales/etc.
> > With around 35.000-70.000 mails to those above boxes daily that's not
> > really do-able...
> Do you see a lot of spam to these addresses? The reason I'm asking is
> because we don't.

At our organization, we see a /LOT/ of spam and viruses to these addresses, especially because we're already exempting them from our usual dnsbl checks. And, of course, most of the spam that hits these addresses is not even worth reporting - sent via open proxies, hosted via rogue ISPs overseas. abuse@ we don't filter for obvious reasons. Just making a rough guess, I'd say we probably get 30-40 spam / virus messages for every actual message of any sort...

I just did a quick straw poll, and since yesterday afternoon (<24 hours) our abuse box received about 28 viruses / bounces from viruses, and 30 spams.

Support gets a ton as well - but we ultimately just started only allowing through messages from addresses that are in our customer database, or responses to ongoing support cases; obviously we have other ways for customers to submit support tickets if they're unable to email us. Not perfect, perhaps, but neither is deleting huge volumes of spam from our customer support system's interface.
Re: AWL DoS?
Hi!

> > > Much better to simply not spam filter critical e-mail accounts
> > > like postmaster/abuse/support/sales/etc.
> >
> > With around 35.000-70.000 mails to those above boxes daily that's not
> > really do-able...
>
> Do you see a lot of spam to these addresses? The reason I'm asking is
> because we don't. Too bad there's not a way to exclude certain recipient
> addresses like postmaster/abuse/support/sales/etc. from AWL (hint to devs).

Yes we do. Especially virus crap, but that can be filtered anyway. But besides that, yes, we see a lot of crap going towards abuse@ postmaster@ and so on. But that's more or less also depending on the scale of the cluster. All is relative I guess :)

> messages to these accounts, without potentially poisoning your AWL
> database when spam is forwarded to the support or spam account from
> customers.

Yes, so far we can only disable the whole SA checks for those boxes, but that's not really workable for us.

Bye,
Raymond.
Re: AWL DoS?
- Original Message -
From: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>

> > Probably unrealistic to expect customers to know how to "bounce" a message.
>
> Yes. Exactly my point.
>
> > Much better to simply not spam filter critical e-mail accounts like
> > postmaster/abuse/support/sales/etc.
>
> With around 35.000-70.000 mails to those above boxes daily that's not
> really do-able...

Do you see a lot of spam to these addresses? The reason I'm asking is because we don't. Too bad there's not a way to exclude certain recipient addresses like postmaster/abuse/support/sales/etc. from AWL (hint to devs). That way you could still run all of your other SA spam tests against messages to these accounts, without potentially poisoning your AWL database when spam is forwarded to the support or spam account from customers.

Bill
Re: AWL DoS?
Hi!

> > This is why people are encouraged to _bounce_ the original message, so
> > the sender email address is still the original one, and then won't hurt
> > the customer.
> >
> > http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> > http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> > http://www.stearns.org/doc/spamassassin-setup.current.html#redirect
>
> Probably unrealistic to expect customers to know how to "bounce" a message.

Yes. Exactly my point.

> Much better to simply not spam filter critical e-mail accounts like
> postmaster/abuse/support/sales/etc.

With around 35.000-70.000 mails to those above boxes daily that's not really do-able...

Bye,
Raymond.
Re: AWL DoS?
> - Original Message -
> From: "William Stearns" <[EMAIL PROTECTED]>
>
> > Good afternoon, Raymond, all,
> > (Raymond, you probably already know this, but I wanted to quickly
> > cover it for other people that may also be considering whether or not to
> > use AWL).
> >
> > [SNIP]
> >
> > That's a different issue. If the customer used _forward_ rather
> > than _bounce_, SA treats the entire message as coming from that email
> > address and class B network, so yes, the customer's AWL score will be
> > hurt.
> > This is why people are encouraged to _bounce_ the original
> > message, so the sender email address is still the original one, and then
> > won't hurt the customer.
> > http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> > http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> > http://www.stearns.org/doc/spamassassin-setup.current.html#redirect
>
> Probably unrealistic to expect customers to know how to "bounce" a message.
> Much better to simply not spam filter critical e-mail accounts like
> postmaster/abuse/support/sales/etc.

Sorry for replying to my own post, but just wanted to also note that many of the most commonly used e-mail clients sadly do not support the bounce feature.

Bill
Re: AWL DoS?
- Original Message -
From: "William Stearns" <[EMAIL PROTECTED]>

> Good afternoon, Raymond, all,
> (Raymond, you probably already know this, but I wanted to quickly
> cover it for other people that may also be considering whether or not to
> use AWL).
>
> [SNIP]
>
> That's a different issue. If the customer used _forward_ rather
> than _bounce_, SA treats the entire message as coming from that email
> address and class B network, so yes, the customer's AWL score will be
> hurt.
> This is why people are encouraged to _bounce_ the original
> message, so the sender email address is still the original one, and then
> won't hurt the customer.
> http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> http://www.stearns.org/doc/spamassassin-setup.current.html#redirect

Probably unrealistic to expect customers to know how to "bounce" a message. Much better to simply not spam filter critical e-mail accounts like postmaster/abuse/support/sales/etc.

Bill
Re: AWL DoS?
Hi!

> > We turned off AWL, we had a customer that forwarded two spam messages to
> > our helpdesk, the third normal message never came in, since his AWL beat
> > him...
>
> That's a different issue. If the customer used _forward_ rather than
> _bounce_, SA treats the entire message as coming from that email address
> and class B network, so yes, the customer's AWL score will be hurt.
> This is why people are encouraged to _bounce_ the original message, so
> the sender email address is still the original one, and then won't hurt
> the customer.
> http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
> http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
> http://www.stearns.org/doc/spamassassin-setup.current.html#redirect

I know, and we also tell people to do that, but that's most of the time after they encounter a problem ;) It's hard to explain to people, especially with a very large customer base... In our case we have several /16's and larger, so mail from a customer block is most likely coming in from another netblock anyway. I personally use bounce within pine, works nice.

Thanks for the pointers (webpages), those we can use to clarify things a lot easier.

Bye,
Raymond.
Re: AWL DoS?
Good afternoon, Raymond, all,
    (Raymond, you probably already know this, but I wanted to quickly cover it for other people that may also be considering whether or not to use AWL).

On Sun, 19 Sep 2004, Raymond Dijkxhoorn wrote:
> >> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> >> I'm not going to enable AWL on my server.
> >
> > To the best of my knowledge, this has already been addressed.
> > What goes in the AWL isn't just the raw email address, it's the email
> > address plus the first two octets of the source IP address. For someone
> > to successfully attack this way, the attacker would need a legal IP
> > address in the same class B network as the legitimate sender.
> > If sent from a different network, the +1000 user would show up in
> > a different AWL entry than the legitimate sender.
>
> We turned off AWL, we had a customer that forwarded two spam messages to
> our helpdesk, the third normal message never came in, since his AWL beat
> him...

    That's a different issue. If the customer used _forward_ rather than _bounce_, SA treats the entire message as coming from that email address and class B network, so yes, the customer's AWL score will be hurt.
    This is why people are encouraged to _bounce_ the original message, so the sender email address is still the original one, and then won't hurt the customer.
http://www.stearns.org/doc/spamassassin-setup.current.html#autoreporting
http://www.stearns.org/doc/spamassassin-setup.current.html#restrictreport
http://www.stearns.org/doc/spamassassin-setup.current.html#redirect
    Cheers,
    - Bill

---
"Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit... The ancient concept that `a man's home is his castle' into which `not even the king may enter' has lost none of its vitality... We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another. If this prohibition operates to impede the flow of even valid ideas, the answer is that no one has a right to press even `good' ideas on an unwilling recipient. That we are often `captives' outside the sanctuary of the home and subject to objectionable speech and other sound does not mean we must be captives everywhere... The asserted right of a mailer, we repeat, stops at the outer boundary of every person's domain."
-- Chief Justice Burger, U.S. Supreme Court
http://www.euro.cauce.org/en/freespeech.html#rowan
--
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--
Re: AWL DoS?
Hi!

> > We turned off AWL, we had a customer that forwarded two spam messages to
> > our helpdesk, the third normal message never came in, since his AWL beat
> > him...
>
> Probably should not be spam filtering postmaster/abuse/support e-mails.

Probably not, but at the moment it's about the only way to get a normal workload there. Most spamware stuff takes those ones by default.

Bye,
Raymond.
Re: AWL DoS?
- Original Message -
From: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>

> We turned off AWL, we had a customer that forwarded two spam messages to
> our helpdesk, the third normal message never came in, since his AWL beat
> him...

Probably should not be spam filtering postmaster/abuse/support e-mails.

Bill
Re: AWL DoS?
Hi!

> > I gotta think this isn't gonna happen... but anyone know if it can? If so,
> > I'm not going to enable AWL on my server.
>
> You're asking the right questions.
> To the best of my knowledge, this has already been addressed.
> What goes in the AWL isn't just the raw email address, it's the email
> address plus the first two octets of the source IP address. For someone
> to successfully attack this way, the attacker would need a legal IP
> address in the same class B network as the legitimate sender.
> If sent from a different network, the +1000 user would show up in
> a different AWL entry than the legitimate sender.

We turned off AWL, we had a customer that forwarded two spam messages to our helpdesk, the third normal message never came in, since his AWL beat him... For us it didn't work out.

Bye,
Raymond.
Re: AWL DoS?
On Sat, 18 Sep 2004 20:05:29 -0500 "Jason J. Ellingson" <[EMAIL PROTECTED]> wrote:

> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...

I would suggest to simply set GTUBE to a very low score unless you really want to test something.

+---+
- Mailto: [EMAIL PROTECTED] - No HTML mails please
+---+
Re: AWL DoS?
On Sat, Sep 18, 2004 at 08:05:29PM -0500, Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a
> faked FROM: address of Person Y.
> 3) Now, GTUBE scores a 1000 points,

How does person Z know that person X and person Y are friends? I don't think at this point that there are a lot of spammers taking advantage of this concept... too much work for too little payback. Obviously, there are ways around most / all filters - it's just a question of whether or not it's worth the trouble.

That said, I imagine there are spammers who are already starting to track relationships between people, via addressbooks on compromised Windows machines, via bots, social networking websites, etc... and I think we'll see more of this sort of activity as the arms race escalates (though I don't think the default AWL score is 1000 points, is it?). Imagine, for instance, spamware which goes through an infected user's sent mail and sends similar messages (possibly even from the infected user's computer, through their provider's mail server) with marketing messages interspersed /w
Re: AWL DoS?
- Original Message -
From: "Jason J. Ellingson" <[EMAIL PROTECTED]>

> Okay, follow-up question:
>
> Where does SpamAssassin get the IP? Is it the oldest IP in the received
> headers (low), or the most recent (top)?
>
> If it is oldest (assuming originating IP), then that could be faked easily
> enough.
>
> If it is top, then what does it do if there is no IP (as many SpamAssassin
> implementations seem to have the message processed before adding appropriate
> received headers.. tisk, tisk, tisk...)
>
> Either way... a lot of people I know are on Comcast in the same town... they
> are all on the same sub-"b" class network (/17 I think)... So entirely
> possible to have this nightmare happen.

I just tested this and it used the address range of the client computer I sent the message from. When I sent another message with the same e-mail address but from a totally different subnet, it registered the same e-mail address with the different client computer address range, thus, I had two entries in the AWL database for the same e-mail address but with different client ip nets.

Like you said, this address can be forged, but someone would really have to put some effort into it just to IP someone's AWL database, which can then be removed from the database even easier than it went in. And using the sending client machine IP address is certainly much safer and less prone to abuse than it would be if the sending mail server's IP address were used.

Bill
RE: AWL DoS?
Okay, follow-up question:

Where does SpamAssassin get the IP? Is it the oldest IP in the received headers (low), or the most recent (top)?

If it is oldest (assuming originating IP), then that could be faked easily enough.

If it is top, then what does it do if there is no IP (as many SpamAssassin implementations seem to have the message processed before adding appropriate received headers.. tisk, tisk, tisk...)

Either way... a lot of people I know are on Comcast in the same town... they are all on the same sub-"b" class network (/17 I think)... So entirely possible to have this nightmare happen.

Perhaps then, this is a time to look at using SPF along with AWL. Have AWL use the same record for all SPF'd IPs for that domain and then the usual (change to a class "c"?) records for those falling outside the SPF's listed IPs or no SPF for that domain. It won't stop those who truly use the same server/subnet, but it should help some?

Getting later at night... and I'm starting to become more muddled in my thoughts... sorry.

Jason J Ellingson
Technical Consultant
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
[EMAIL PROTECTED]

-----Original Message-----
From: William Stearns [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 19, 2004 12:25 AM
To: Jason J. Ellingson
Cc: ML-spamassassin-talk; William Stearns
Subject: Re: AWL DoS?

Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...
>
> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.

    You're asking the right questions.
    To the best of my knowledge, this has already been addressed. What goes in the AWL isn't just the raw email address, it's the email address plus the first two octets of the source IP address. For someone to successfully attack this way, the attacker would need a legal IP address in the same class B network as the legitimate sender.
    If sent from a different network, the +1000 user would show up in a different AWL entry than the legitimate sender.
    Cheers,
    - Bill
Re: AWL DoS?
Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...
>
> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.

    You're asking the right questions.
    To the best of my knowledge, this has already been addressed. What goes in the AWL isn't just the raw email address, it's the email address plus the first two octets of the source IP address. For someone to successfully attack this way, the attacker would need a legal IP address in the same class B network as the legitimate sender.
    If sent from a different network, the +1000 user would show up in a different AWL entry than the legitimate sender.
    Cheers,
    - Bill

---
"I am Homer of Borg! Prepare to be... OOooo! donuts!"
(Courtesy of: Carlos Morgado <[EMAIL PROTECTED]>)
--
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--
Re: AWL DoS?
- Original Message -
From: "Jason J. Ellingson" <[EMAIL PROTECTED]>

> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...

Makes sense, but wouldn't work unless bad guy Z was also sending his GTUBE message from the same address range that Person Y normally sends his messages to Person X from. Here is a snippet from the AWL database:

    -2.9 (-2.9/1) -- [EMAIL PROTECTED]|ip=216.33
     2.0 (2.0/1)  -- [EMAIL PROTECTED]|ip=64.225
     5.3 (5.3/1)  -- [EMAIL PROTECTED]|ip=67.171
     0.4 (0.8/2)  -- [EMAIL PROTECTED]|ip=205.244
    -4.3 (-4.3/1) -- [EMAIL PROTECTED]|ip=192.209

Note the "ip=xxx.xxx" at the end of each line, after the sender's e-mail address. This helps to prevent malicious activities like you've described. It can happen, but not as easily as you thought (once again, the devs were thinking ahead).

> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.

You're safe, go for it.

Bill
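Added example, not code from the thread or from SpamAssassin itself: a small Python model of the AWL behaviour described by Bill Stearns and Bill Landry above (entries keyed by sender address plus the first two octets of the client IP, each holding a running total and count like the "0.4 (0.8/2)" lines in the snippet). It plays out both cases the thread discusses: a forged +1000 GTUBE from a different /16 lands in a separate entry and leaves the real sender's history alone, while a customer who forwards spam from their own network poisons their own entry so the next clean message comes out over the 5.0 threshold. The adjustment formula (mean minus score, times SpamAssassin's default auto_whitelist_factor of 0.5) is my assumption about how SA applies the entry; addresses and IPs are constructed.

```python
from typing import Dict, List, Optional, Tuple

FACTOR = 0.5  # SpamAssassin's default auto_whitelist_factor (formula below is assumed)
SPAM_THRESHOLD = 5.0  # SpamAssassin's default required_score


def awl_key(sender: str, client_ip: Optional[str]) -> str:
    """AWL key: sender address plus the first two octets of the originating
    client IP, matching the 'addr|ip=216.33' lines in the database snippet.
    A message with no usable IP is filed under 'none'."""
    octets = client_ip.split(".") if client_ip else []
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        net = "none"
    else:
        net = ".".join(octets[:2])
    return f"{sender.strip().lower()}|ip={net}"


class AutoWhitelist:
    """Per-key (total_score, count); the mean is what the snippet prints first."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[float, int]] = {}

    def mean(self, key: str) -> Optional[float]:
        total, count = self.entries.get(key, (0.0, 0))
        return total / count if count else None

    def check_and_update(self, sender: str, client_ip: Optional[str],
                         score: float) -> float:
        """Return the AWL-adjusted score and record the raw score in the entry.
        Assumed adjustment: (mean - score) * FACTOR, i.e. the sender's history
        pulls this message halfway toward their past average."""
        key = awl_key(sender, client_ip)
        previous = self.mean(key)
        adjusted = score if previous is None else score + (previous - score) * FACTOR
        total, count = self.entries.get(key, (0.0, 0))
        self.entries[key] = (total + score, count + 1)
        return round(adjusted, 2)

    def dump(self) -> List[str]:
        """Render entries in the shape of the snippet: mean (total/count) -- key."""
        return [f"{t / c:.1f} ({t:.1f}/{c}) -- {k}"
                for k, (t, c) in sorted(self.entries.items())]


def forged_gtube_scenario() -> float:
    """Jason's scenario: Z forges Y's From: on a GTUBE (+1000) message but sends
    it from another /16, so it creates its own entry. Y's next genuine message
    (raw 0.0) is still pulled toward Y's constructed -1.0 history."""
    awl = AutoWhitelist()
    for _ in range(3):  # constructed history: Y mails X from 67.171.0.0/16
        awl.check_and_update("y@example.org", "67.171.5.9", -1.0)
    awl.check_and_update("y@example.org", "216.33.1.1", 1000.0)  # forged, other /16
    return awl.check_and_update("y@example.org", "67.171.5.9", 0.0)  # -0.5


def forwarded_spam_scenario() -> float:
    """Raymond's scenario: a customer forwards two spams (raw 20 each) to the
    helpdesk from their own network. The spam lands in the customer's own
    entry, so the third, clean message (raw 0.0) comes out over the threshold."""
    awl = AutoWhitelist()
    for _ in range(2):
        awl.check_and_update("cust@example.net", "192.209.3.4", 20.0)
    return awl.check_and_update("cust@example.net", "192.209.3.4", 0.0)  # 10.0


if __name__ == "__main__":
    print("forged GTUBE from another /16 ->", forged_gtube_scenario())
    tagged = forwarded_spam_scenario()
    print("after forwarding spam ->", tagged, "spam?", tagged >= SPAM_THRESHOLD)
```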
Re: AWL DoS?
Jason J. Ellingson wrote:
> I'm sure someone thought of this, but I don't see it asked before... so...
> =
> 1) Person X regularly gets emails from Person Y (good friends)
>
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
>
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
>
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =
> I hope that makes sense...
>
> I gotta think this isn't gonna happen... but anyone know if it can? If so,
> I'm not going to enable AWL on my server.
>
> Jason J Ellingson

You have an evil mind. I would like a scheme like this to get back at whoever bombed me with over 1000 p0rn spams in an hour the other day.

--
Jim Sabatke
Hire Me!! - See my resume at http://my.execpc.com/~jsabatke

Do not meddle in the affairs of Dragons, for you are crunchy and good with ketchup.

NOTE: Please do not email me any attachments with Microsoft extensions. They are deleted on my ISP's server before I ever see them, and no bounce message is sent.