RE: Trouble whitelisting domain users with whitelist_from_rcvd
On ons 28 jul 2010 19:21:53 CEST, "Rosenbaum, Larry M." wrote

>> What is the best way to completely whitelist all internal emails so that
>> there is no danger of any internal emails being blacklisted
>
> The best way is to not feed internal emails to SpamAssassin.

best as in one's own IP can be blacklisted for spamming users, and it's faster to get removed from blacklisting than to bounce spam to local users

and by not scanning outgoing mails one also loses the ham learning :(

so if that's the intention it's good :)

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Trouble whitelisting domain users with whitelist_from_rcvd
On ons 28 jul 2010 17:37:51 CEST, Jeff Mincy wrote

> meta __TRUSTED_NETWORKS (NO_RELAYS || ALL_TRUSTED)
> header __LOCAL_SENDER From =~ /\...@mydomain\.com/i

that can and will be forged on its own, to solve:

header __LOCAL_SENDER Return-Path:addr =~ /\...@mydomain\.com/i

mta never sets or adds From:, that's why Return-Path is safer here for that rule

> meta FORGED_LOCAL_SENDER (__LOCAL_SENDER && !__TRUSTED_NETWORKS)
> score FORGED_LOCAL_SENDER 0.1
> meta VALID_LOCAL_SENDER (__LOCAL_SENDER && __TRUSTED_NETWORKS)
> score VALID_LOCAL_SENDER -0.1

or simply adding spf or dkim on the recipient domain will also solve the forgery attempts

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
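The meta rules discussed above, modelled in Python as an added example (not code from the thread or from SpamAssassin). It assumes the placeholder domain example.com, constructed sample messages, and a simplified relay parser that only reads the bracketed IP in `Received: from` headers.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# The 172.16.x ranges are the ones in the posted trusted_networks line;
# example.com and the sample messages are constructed placeholders.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24", "172.16.5.0/24")]
LOCAL_DOMAIN = "example.com"

def relay_ips(msg):
    """SMTP client IPs from 'Received: from ... [ip]'; PIPE hops have no 'from'."""
    ips = []
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcvd, re.S)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips

def classify(raw, sender_header="From"):
    """Meta rule that fires, or None; sender_header selects From or Return-Path."""
    msg = message_from_string(raw)
    ips = relay_ips(msg)
    # NO_RELAYS: no SMTP hop at all. ALL_TRUSTED: every hop is in a trusted net.
    all_trusted = bool(ips) and all(any(ip in n for n in TRUSTED) for ip in ips)
    trusted_networks = not ips or all_trusted            # __TRUSTED_NETWORKS
    addr = parseaddr(msg.get(sender_header, ""))[1].lower()
    if not addr.endswith("@" + LOCAL_DOMAIN):            # __LOCAL_SENDER
        return None
    return "VALID_LOCAL_SENDER" if trusted_networks else "FORGED_LOCAL_SENDER"

INTERNAL = """\
Return-Path: <some.user@example.com>
Received: by example.com (CommuniGate Pro PIPE) with PIPE id 1
Received: from [172.16.3.150] (account some.user [172.16.3.150] verified)
 by example.com (CommuniGate Pro SMTP) with ESMTPA id 2
From: Some User <some.user@example.com>

body
"""

SPOOFED = """\
Return-Path: <bounce@sender.test>
Received: from mail.sender.test (mail.sender.test [203.0.113.9])
 by example.com (CommuniGate Pro SMTP) with ESMTP id 3
From: Some User <some.user@example.com>

body
"""

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("spoofed", SPOOFED)):
        print(name, classify(raw, "From"), classify(raw, "Return-Path"))
```

For the spoofed message the From variant reports FORGED_LOCAL_SENDER while the Return-Path variant stays silent, because the envelope sender there is the remote bounce address.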
Re: Trouble whitelisting domain users with whitelist_from_rcvd
> Matus UHLAR - fantomas wrote:
> > afaik whitelist_* is applied on mail sent from remote hosts. I am not sure
> > if it hits on internal_networks or trusted_networks boundary (i guess it's
> > the former) but this mail never crossed the internal network boundary, so
> > any blacklist or whitelist rule can't hit here.

On 28.07.10 08:28, keithcommins wrote:
> > Thanks for the quick response Matus.

Uh, are you aware of what is quoting and why it is used?
You entered your own text quoted as if I wrote this, which makes it hard to
distinguish which is yours and which is mine.

> > Cool , so whitelist_from_rcvd is applicable to whitelisting internal
> > mail??

as I said, it is not. you can whitelist only mail coming from remote network,
your mail did not.

> >> Couple of things to note , we use Active Directory which means the FQDN
> >> name
> >> of all our machines end in *.local rather than *.com. Should the
> >> whitelist_rcvd reflect this in any way??
> >
> > I don't see any .local in this mail, show us Received: lines with .local
> > hostnames.
> > I'm afraid there isn't any in the header, but I have tried running
> > spamassassin with both .local and .com. in the local.cf.
> > Would I be right in saying that spamassassin takes the mail domain name (
> > *.com ) to whitelist any incoming mail rather than normal Active Directory
> > FQDN ( as said previously *.local )??

spamassassin uses what is in the mail headers, it rarely does anything with
them (it resolves hostnames in Received: headers added by some MTAs).
However it's irrelevant here since the whitelisting can't apply.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
RE: Trouble whitelisting domain users with whitelist_from_rcvd
> What is the best way to completely whitelist all internal emails so that
> there is no danger of any internal emails being blacklisted

The best way is to not feed internal emails to SpamAssassin.
Re: Trouble whitelisting domain users with whitelist_from_rcvd
I've put

score FH_DATE_PAST_20XX 0.0

into my local.cf ( sa-update didn't do the job ) and it's removed that from my spam score, it's down to ~0.5 for internal emails.

What is the best way to completely whitelist all internal emails so that there is no danger of any internal emails being blacklisted ( ie to get the score down to -100, is this possible ?? )

As a separate issue , as mentioned running sa-update had no effect on removing the rule for some reason. sa-update runs every night via a cron , but I suspected that it mightn't be running correctly for a while. I don't see much in my sa-update -D however ?? Does sa-update require any firewall ports to be opened up??

[r...@mail /usr/local/share/spamassassin]# sa-update -D
[75283] dbg: logger: adding facilities: all
[75283] dbg: logger: logging level is DBG
[75283] dbg: generic: SpamAssassin version 3.2.5
[75283] dbg: config: score set 0 chosen.
[75283] dbg: dns: is Net::DNS::Resolver available? yes
[75283] dbg: dns: Net::DNS version: 0.65
[75283] dbg: generic: sa-update version svn607589
[75283] dbg: generic: using update directory: /var/db/spamassassin/3.002005
[75283] dbg: diag: perl platform: 5.008009 freebsd
[75283] dbg: diag: module installed: Digest::SHA1, version 2.10
[75283] dbg: diag: module installed: HTML::Parser, version 3.60
[75283] dbg: diag: module installed: Net::DNS, version 0.65
[75283] dbg: diag: module installed: MIME::Base64, version 3.05
[75283] dbg: diag: module installed: DB_File, version 1.817
[75283] dbg: diag: module installed: Net::SMTP, version 2.31
[75283] dbg: diag: module not installed: Mail::SPF ('require' failed)
[75283] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[75283] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[75283] dbg: diag: module installed: Razor2::Client::Agent, version 2.84
[75283] dbg: diag: module not installed: Net::Ident ('require' failed)
[75283] dbg: diag: module installed: IO::Socket::INET6, version 2.56
[75283] dbg: diag: module installed: IO::Socket::SSL, version 1.22
[75283] dbg: diag: module installed: Compress::Zlib, version 2.015
[75283] dbg: diag: module installed: Time::HiRes, version 1.68
[75283] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
[75283] dbg: diag: module not installed: Mail::DKIM ('require' failed)
[75283] dbg: diag: module installed: DBI, version 1.607
[75283] dbg: diag: module installed: Getopt::Long, version 2.37
[75283] dbg: diag: module installed: LWP::UserAgent, version 5.824
[75283] dbg: diag: module installed: HTTP::Date, version 5.810
[75283] dbg: diag: module installed: Archive::Tar, version 1.44
[75283] dbg: diag: module installed: IO::Zlib, version 1.09
[75283] dbg: diag: module installed: Encode::Detect, version 1.01
[75283] dbg: gpg: Searching for 'gpg'
[75283] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
[75283] dbg: util: executable for gpg was found at /usr/local/bin/gpg
[75283] dbg: gpg: found /usr/local/bin/gpg
[75283] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
[75283] dbg: channel: attempting channel updates.spamassassin.org
[75283] dbg: channel: update directory /var/db/spamassassin/3.002005/updates_spamassassin_org
[75283] dbg: channel: channel cf file /var/db/spamassassin/3.002005/updates_spamassassin_org.cf
[75283] dbg: channel: channel pre file /var/db/spamassassin/3.002005/updates_spamassassin_org.pre
[75283] dbg: channel: metadata version = 895075
[75283] dbg: dns: 5.2.3.updates.spamassassin.org => 895075, parsed as 895075
[75283] dbg: channel: current version is 895075, new version is 895075, skipping channel
[75283] dbg: diag: updates complete, exiting with code 1

Keith

--
View this message in context: http://old.nabble.com/Trouble-whitelisting-domain-users-with-whitelist_from_rcvd-tp29287372p29288192.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Trouble whitelisting domain users with whitelist_from_rcvd
On Wed, 2010-07-28 at 07:57 -0700, keithcommins wrote:
> X-Spam-Checker-Version: SpamAssassin 3.2.5 ( 2008-06-10 ) on
> mail.mydomain.com
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.8 required=8.0
> tests=ALL_TRUSTED,FH_DATE_PAST_20XX,
                    ^ Run sa-update.

> HTML_IMAGE_ONLY_20,HTML_MESSAGE autolearn=no version=3.2.5

Score set 1 -- network tests, no Bayes. FH_DATE_PAST_20XX scores 3.384 and
accounts for the lion's share of that (non-spam) level.

That rule started to FP since this year. A bug that has immediately been
fixed. Distributed via sa-update.

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Trouble whitelisting domain users with whitelist_from_rcvd
> From: keithcommins
> Date: Wed, 28 Jul 2010 07:57:43 -0700 (PDT)
>
> Hi there ,
>
> Having some trouble getting this to work correctly , it would seem..
>
> Firstly, here is my whitelist_from rcvd config from my local.cf file.

You can't use whitelist_from_rcvd on internal email. You don't have an
external relay to match against. It doesn't matter if your machine ends
in .local or not.

Note the FH_DATE_PAST_20XX. You probably need to run sa-update sometime
this year.

The ALL_TRUSTED should be enough by itself. If you need to have a separate
whitelisting you could try something like the following:

meta __TRUSTED_NETWORKS (NO_RELAYS || ALL_TRUSTED)
header __LOCAL_SENDER From =~ /\...@mydomain\.com/i
meta FORGED_LOCAL_SENDER (__LOCAL_SENDER && !__TRUSTED_NETWORKS)
score FORGED_LOCAL_SENDER 0.1
meta VALID_LOCAL_SENDER (__LOCAL_SENDER && __TRUSTED_NETWORKS)
score VALID_LOCAL_SENDER -0.1

-jeff

> whitelist_from_rcvd *...@mydomain.com mydomain.local
> trusted_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24 xx.xx.xx.xx
> internal_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24 xx.xx.xx.xx
>
> ( xx.xx.xx.xx represents the outward facing IP of my mail server )
>
> Secondly, below is a header from a test email I sent to myself..
>
> Return-Path:
> Received: by mydomain.com (CommuniGate Pro PIPE 5.2.12)
> with PIPE id 18275900; Wed, 28 Jul 2010 11:31:13 +0100
> X-TFF-CGPSA-Version: 1.5
> X-TFF-CGPSA-Filter: Scanned
> X-Spam-DCC: wuwien: mail.mydomain.com 1290; Body=1 Fuz1=2 Fuz2=6
> X-Spam-Checker-Version: SpamAssassin 3.2.5 ( 2008-06-10 ) on mail.mydomain.com
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.8 required=8.0
> tests=ALL_TRUSTED,FH_DATE_PAST_20XX,
> HTML_IMAGE_ONLY_20,HTML_MESSAGE autolearn=no version=3.2.5
> X-Spam-Pyzor:
> Received: from [172.16.3.150] (account some.user [172.16.3.150] verified)
> by mydomain.com (CommuniGate Pro SMTP 5.2.12)
> with ESMTPA id 18275888 for some.u...@mydomain.com; Wed, 28 Jul 2010 11:31:04 +0100
> Message-ID: <4c500626.7010...@mydomain.com>
> Date: Wed, 28 Jul 2010 11:27:50 +0100
> From: Some User
> User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
> MIME-Version: 1.0
> To: Some User
> Subject: (no subject)
> Content-Type: multipart/alternative;
> boundary="020906000403080006070205"
> X-EsetId: 90695D289D6435708F6F5D7C933375
>
> This is a multi-part message in MIME format.
> --020906000403080006070205
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
> Couple of things to note , we use Active Directory which means the FQDN name
> of all our machines end in *.local rather than *.com. Should the
> whitelist_rcvd reflect this in any way??
>
> It's my understanding that all mails should get a Spam Assassin score of -100
> or thereabouts , thus permanently whitelisting all our domain users. However
> , as you can see this isn't happening??
>
> Is there anything else I should be doing to whitelist my domain users??
>
> Thanks in advance for all your help..
>
> Keith
>
> --
> View this message in context: http://old.nabble.com/Trouble-whitelisting-domain-users-with-whitelist_from_rcvd-tp29287372p29287372.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Trouble whitelisting domain users with whitelist_from_rcvd
On 28.7.2010 17:57, keithcommins wrote:
>
> Hi there ,
>
> Having some trouble getting this to work correctly , it would seem..
>
> Firstly, here is my whitelist_from rcvd config from my local.cf file.
>
> whitelist_from_rcvd *...@mydomain.com mydomain.local
> trusted_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24 xx.xx.xx.xx
> internal_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24
> xx.xx.xx.xx
>
> ( xx.xx.xx.xx represents the outward facing IP of my mail server )
>
> Secondly, below is a header from a test email I sent to myself..
>
> Return-Path:
> Received: by mydomain.com (CommuniGate Pro PIPE 5.2.12)
> with PIPE id 18275900; Wed, 28 Jul 2010 11:31:13 +0100
> X-TFF-CGPSA-Version: 1.5
> X-TFF-CGPSA-Filter: Scanned
> X-Spam-DCC: wuwien: mail.mydomain.com 1290; Body=1 Fuz1=2 Fuz2=6
> X-Spam-Checker-Version: SpamAssassin 3.2.5 ( 2008-06-10 ) on
> mail.mydomain.com
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.8 required=8.0
> tests=ALL_TRUSTED,FH_DATE_PAST_20XX,
> HTML_IMAGE_ONLY_20,HTML_MESSAGE autolearn=no version=3.2.5
> X-Spam-Pyzor:
> Received: from [172.16.3.150] (account some.user [172.16.3.150] verified)
> by mydomain.com (CommuniGate Pro SMTP 5.2.12)
> with ESMTPA id 18275888 for some.u...@mydomain.com; Wed, 28 Jul 2010
> 11:31:04 +0100
> Message-ID: <4c500626.7010...@mydomain.com>
> Date: Wed, 28 Jul 2010 11:27:50 +0100
> From: Some User
> User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
> MIME-Version: 1.0
> To: Some User
> Subject: (no subject)
> Content-Type: multipart/alternative;
> boundary="020906000403080006070205"
> X-EsetId: 90695D289D6435708F6F5D7C933375
>
> This is a multi-part message in MIME format.
> --020906000403080006070205
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
> Couple of things to note , we use Active Directory which means the FQDN name
> of all our machines end in *.local rather than *.com. Should the
> whitelist_rcvd reflect this in any way??
> It's my understanding that all mails should get a Spam Assassin score of -100
> or thereabouts , thus permanently whitelisting all our domain users. However
> , as you can see this isn't happening??
>
> Is there anything else I should be doing to whitelist my domain users??

mydomain.com is a valid domain in internet, they provide domain names and
services.

example.com|org|net is a better|valid pick for a munged domain name. That is
here for the purpose.

--
Your society will be sought by people of taste and refinement.
Re: Trouble whitelisting domain users with whitelist_from_rcvd
Matus UHLAR - fantomas wrote:
>
> On 28.07.10 07:57, keithcommins wrote:
>> Having some trouble getting this to work correctly , it would seem..
>>
>> Firstly, here is my whitelist_from rcvd config from my local.cf file.
>>
>> whitelist_from_rcvd *...@mydomain.com mydomain.local
>> trusted_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24
>> xx.xx.xx.xx
>> internal_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24
>> xx.xx.xx.xx
>>
>> ( xx.xx.xx.xx represents the outward facing IP of my mail server )
>>
>> Secondly, below is a header from a test email I sent to myself..
>
>> Received: by mydomain.com (CommuniGate Pro PIPE 5.2.12)
>> with PIPE id 18275900; Wed, 28 Jul 2010 11:31:13 +0100
>> X-Spam-Status: No, score=3.8 required=8.0
>> tests=ALL_TRUSTED,FH_DATE_PAST_20XX,
>> HTML_IMAGE_ONLY_20,HTML_MESSAGE autolearn=no version=3.2.5
>> Received: from [172.16.3.150] (account some.user [172.16.3.150] verified)
>> by mydomain.com (CommuniGate Pro SMTP 5.2.12)
>> with ESMTPA id 18275888 for some.u...@mydomain.com; Wed, 28 Jul 2010
>> 11:31:04 +0100
>
> afaik whitelist_* is applied on mail sent from remote hosts. I am not sure
> if it hits on internal_networks or trusted_networks boundary (i guess it's
> the former) but this mail never crossed the internal network boundary, so
> any blacklist or whitelist rule can't hit here.
>
> Thanks for the quick response Matus.
> Cool , so whitelist_from_rcvd is applicable to whitelisting internal
> mail??
>
>> Couple of things to note , we use Active Directory which means the FQDN
>> name
>> of all our machines end in *.local rather than *.com. Should the
>> whitelist_rcvd reflect this in any way??
>
> I don't see any .local in this mail, show us Received: lines with .local
> hostnames.
>
> I'm afraid there isn't any in the header, but I have tried running
> spamassassin with both .local and .com. in the local.cf.
> Would I be right in saying that spamassassin takes the mail domain name (
> *.com ) to whitelist any incoming mail rather than normal Active Directory
> FQDN ( as said previously *.local )??
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "The box said 'Requires Windows 95 or better', so I bought a Macintosh".
>
>

--
View this message in context: http://old.nabble.com/Trouble-whitelisting-domain-users-with-whitelist_from_rcvd-tp29287372p29287763.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Trouble whitelisting domain users with whitelist_from_rcvd
On 28.07.10 07:57, keithcommins wrote:
> Having some trouble getting this to work correctly , it would seem..
>
> Firstly, here is my whitelist_from rcvd config from my local.cf file.
>
> whitelist_from_rcvd *...@mydomain.com mydomain.local
> trusted_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24 xx.xx.xx.xx
> internal_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24
> xx.xx.xx.xx
>
> ( xx.xx.xx.xx represents the outward facing IP of my mail server )
>
> Secondly, below is a header from a test email I sent to myself..
> Received: by mydomain.com (CommuniGate Pro PIPE 5.2.12)
> with PIPE id 18275900; Wed, 28 Jul 2010 11:31:13 +0100
> X-Spam-Status: No, score=3.8 required=8.0
> tests=ALL_TRUSTED,FH_DATE_PAST_20XX,
> HTML_IMAGE_ONLY_20,HTML_MESSAGE autolearn=no version=3.2.5
> Received: from [172.16.3.150] (account some.user [172.16.3.150] verified)
> by mydomain.com (CommuniGate Pro SMTP 5.2.12)
> with ESMTPA id 18275888 for some.u...@mydomain.com; Wed, 28 Jul 2010
> 11:31:04 +0100

afaik whitelist_* is applied on mail sent from remote hosts. I am not sure
if it hits on internal_networks or trusted_networks boundary (i guess it's
the former) but this mail never crossed the internal network boundary, so
any blacklist or whitelist rule can't hit here.

> Couple of things to note , we use Active Directory which means the FQDN name
> of all our machines end in *.local rather than *.com. Should the
> whitelist_rcvd reflect this in any way??

I don't see any .local in this mail, show us Received: lines with .local
hostnames.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".