Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
One of my users just started getting slammed. This one user, out of 400+, is getting a dictionary attack that's overwhelming all my spamd process slots.

Doing this on the spamd side would make simply stopping this really simple -- even programmatically (i.e. automatically).

Manually, even with the best .procmailrc in the world I don't have a way.

Just my 0.02

-Dan

--
"We are basically...'Bandwidth Pimps'...Hrmmm...But that's cool man! You see these gold chains? It's all good!"
-Ali Dhoon 03/03/2003, 7PM

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: [sa-list] RE: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Dan Mahoney, System Admin wrote:

> > Dan Mahoney, System Admin wrote:
> >> I'm looking for an easy way to override ALL scanning (NOT scoring)
> >> for a specific user.
>
> See my previous message. I don't see an easy macro in procmail for the
> current effective UID, nor do I know an easy way to say:
>
> If you can supply a snippet of code that does it, I'd love it.

http://www.impsec.org/~jhardin/antispam/spamassassin.procmail

Drop it in your /etc/procmail/ directory and INCLUDERC it from your /etc/procmailrc file. Hack to fit.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George
---
Tomorrow: Bill of Rights day
Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote:

> On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:
> > At the moment, that's a hack in the system-wide procmailrc that I don't
> > know how to do, since the only thing procmail knows about userspace is
> > "dropprivs="yes"", and there's no translation for an easy way to equate
> > that to email address (i.e. it allows me to do it per *domain* not per
> > user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd
> > have to do them each separately).
>
> If you're using procmail, you could look at the X-Original-To (or
> similar) header to figure out who the mail is going to.
> Otherwise, you could modify your setup to pass information in to
> procmail from the MTA.

Try looking at $LOGNAME. Procmail knows who it's delivering the message to - it's a *delivery agent* after all.

--
John Hardin KA7OHZ
Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, Dec 14, 2006 at 12:26:54PM -0500, Dan Mahoney, System Admin wrote:

> I'm running procmail with dropprivs=yes. There's no easy procmail thing
> for (getpwnam($<)) and I do NOT feel like firing up perl on every message
> to evaluate that just to figure out if I should fire up the C program that
> I use so I don't have to fire up perl.

There are environment variables with this kind of info. Look at LOGNAME, for instance. Worst case, you could run "id -un" and get the information that way.

--
Randomly Selected Tagline:
"To the engineer, the world is a toy box full of sub-optimized and feature-poor toys." - Scott Adams
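Added example, not part of any message in this thread: a system-wide procmailrc fragment that applies the $LOGNAME suggestion above to skip spamc for exempt local users, so a flood aimed at one account never occupies a spamd slot. The exemption file path, the spamc path, the sample login names, and procmail running as the local delivery agent are assumptions, not details from the thread.

```procmail
# /etc/procmailrc fragment (added example, not from the thread).
# Assumption: procmail is the local delivery agent, so LOGNAME holds the
# recipient's login name; no perl, sed or whoami is needed to learn it.

# Run everything below as the recipient, as in the thread's setup.
DROPPRIVS=yes

# Hypothetical exemption list: one login name per line. It must be
# readable by every user, because privileges are already dropped here.
SA_SKIP=/etc/procmail/sa-skip-users

# Filter through spamc only when LOGNAME is NOT in the list.
#   "?"  uses the exit status of the command as the condition
#   "!"  inverts it
#   grep -x -F matches the whole line as a fixed string, so login "dan"
#   does not also exempt "danm"; -e guards a name starting with "-".
# If the list is missing, grep exits non-zero and the mail IS scanned,
# so a broken list fails toward scanning rather than skipping it.
:0 fw
* ! ? grep -q -x -F -e "$LOGNAME" "$SA_SKIP"
| /usr/bin/spamc

# Alternative for a short, static list with no extra process at all
# (use instead of the recipe above; "danm" and "alice" are constructed):
#   :0 fw
#   * ! LOGNAME ?? ^^(danm|alice)^^
#   | /usr/bin/spamc
```

Because the list is keyed on the login name rather than the recipient address, one entry covers every address and domain that delivers to that account.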
Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote:

As an aside, part of this is why I had asked for (a while back) a way to specify the "domain" portion of the -u argument, i.e. so it could be done per-calling server (i.e. it is assumed that if shell server A and shell server B, each with a distinct user-base are sharing a spamd machine, then their user bases will have prefnames derived from the hostnames of A and B.) -- regardless of the email address used.

i.e. localusername @ suffix (where the suffix is supplied to spamc in some global config file, and the localusername is automatic).

Knowing how to do this (get the current username) in procmail (without firing up perl or even SED -- I could call a binary like "whoami" but that's a bit less universal) would also make THIS mostly unnecessary.

Again, this is not at all based on email address (except in the case of emails like mine, where my address accurately reflects the FQDN of the calling server -- but then I've always been the exception rather than the rule), but on UID and HOSTNAME.

The servers in question have 400 uids each, two hostnames, and potentially MILLIONS of email addresses, especially in a dictionary attack, where the user has a catch-all account. Which does it make sense to modify stats by?

--
"I am a professional drinker, and I know that that was NOT Jose Cuervo!"
"Well, what was it then?"
"I think it was some mixture of Rubbing Alcohol, and Desenex(TM) Foot Powder, because my feet feel okay, and my back doesn't hurt, but my stomach is killing me!"
-Dan Mahoney, Costa Rica, August 12th, 1994
Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote:

> On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:
> > At the moment, that's a hack in the system-wide procmailrc that I don't
> > know how to do, since the only thing procmail knows about userspace is
> > "dropprivs="yes"", and there's no translation for an easy way to equate
> > that to email address (i.e. it allows me to do it per *domain* not per
> > user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd
> > have to do them each separately).
>
> If you're using procmail, you could look at the X-Original-To (or
> similar) header to figure out who the mail is going to. Otherwise, you
> could modify your setup to pass information in to procmail from the MTA.
>
> > Presuming we're looking for the value of the "user" based on the email
> > address, yes, I understand, but can't you check the value of -u before
> > you even do that? (i.e. at the earliest point)
>
> Ah, there you're talking about spamc/spamd which is a different beasty all
> together. If you want to skip checks based on how you're calling spamc,
> then check the value you're going to use for the username and don't call
> spamc if you don't want the mail scanned.

I'm running procmail with dropprivs=yes. There's no easy procmail thing for (getpwnam($<)) and I do NOT feel like firing up perl on every message to evaluate that just to figure out if I should fire up the C program that I use so I don't have to fire up perl.

I see procmail macros for the email address, and for the _TO thing, but NOTHING that just gives you the goddamned login.

I don't need -u on spamc, spamc just picks up that username and runs with it. If I'm running spamc as danm, spamd grabs danm's prefs. When I said -u, I was asking how spamd would recognize the implied value of -u, not the actual command line flag. If that makes sense?

-Dan

--
"It would be bad."
-Egon Spengler, "Ghostbusters"
Re: [sa-list] RE: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Coffey, Neal wrote:

> Dan Mahoney, System Admin wrote:
> > I'm looking for an easy way to override ALL scanning (NOT scoring)
> > for a specific user.
>
> This needs to be done in whatever you're using to call SpamAssassin
> (postfix, exim, sendmail, etc).
>
> > This shouldn't be a difficult feature to implement at all -- I'd
> > imagine about three lines of code :)
>
> How do you handle messages with multiple recipients? Not to mention that
> the envelope "to" address(s) (who the mail is *actually* delivered to)
> don't have to match the headers that SA sees.

I said per-user, not per email address. Spamd knows which local user is doing the calling before it ever reads the first line of the message. With spamassassin proper (assuming SQL prefs are in play), check $< or $> -- with spamc/spamd, it's being communicated.

> Since SA needs to be called by another program, and that program will be
> aware of all of this, that's really the place to do the exemption.

See my previous message. I don't see an easy macro in procmail for the current effective UID, nor do I know an easy way to say:

    if (**my uid is any of these) {
    } else {
        call spamassassin
    }

Where as a bonus ** is generated dynamically.

If you can supply a snippet of code that does it, I'd love it.

If I was only doing scanning FOR a few select users this might make a bit more sense, but it makes sense to me that this be a user_prefable item, as opposed to my users asking me to edit /etc/procmailrc

-Dan

--
"SOY BOMB!"
-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan Performance.
Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:

> At the moment, that's a hack in the system-wide procmailrc that I don't
> know how to do, since the only thing procmail knows about userspace is
> "dropprivs="yes"", and there's no translation for an easy way to equate
> that to email address (i.e. it allows me to do it per *domain* not per
> user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to
> do them each separately).

If you're using procmail, you could look at the X-Original-To (or similar) header to figure out who the mail is going to. Otherwise, you could modify your setup to pass information in to procmail from the MTA.

> Presuming we're looking for the value of the "user" based on the email
> address, yes, I understand, but can't you check the value of -u before you
> even do that? (i.e. at the earliest point)

Ah, there you're talking about spamc/spamd which is a different beasty all together. If you want to skip checks based on how you're calling spamc, then check the value you're going to use for the username and don't call spamc if you don't want the mail scanned.

--
Randomly Selected Tagline:
Every man has the freedom to jump as high as his own penis.
Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote:

> On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote:
> > I'm looking for an easy way to override ALL scanning (NOT scoring) for a
> > specific user.
>
> Don't send mails for that user to SA.

At the moment, that's a hack in the system-wide procmailrc that I don't know how to do, since the only thing procmail knows about userspace is "dropprivs="yes"", and there's no translation for an easy way to equate that to email address (i.e. it allows me to do it per *domain* not per user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to do them each separately).

> > what I want instead is some special way that SA will say "nope, not even
> > testing" and "short circuit".
>
> At the moment, you can't do that.
>
> > This shouldn't be a difficult feature to implement at all -- I'd imagine
> > about three lines of code :)
>
> There's code in 3.2 to do it, but it's still the most efficient to just not
> call SA for mails you don't want scanned (SA will still need to do all the
> processing to start looking at the mail, until it realizes that the mail is
> whitelisted or whatever, and then stop processing).

Presuming we're looking for the value of the "user" based on the email address, yes, I understand, but can't you check the value of -u before you even do that? (i.e. at the earliest point)

-Dan

--
"A mother can be an inspiration to her little son, change his thoughts, his mind, his life, just with her gentle hum."
-No Doubt, "Different People", from "Tragic Kingdom"
RE: Way to skip scanning per-user?
Dan Mahoney, System Admin wrote:

> I'm looking for an easy way to override ALL scanning (NOT scoring)
> for a specific user.

This needs to be done in whatever you're using to call SpamAssassin (postfix, exim, sendmail, etc).

> This shouldn't be a difficult feature to implement at all -- I'd
> imagine about three lines of code :)

How do you handle messages with multiple recipients? Not to mention that the envelope "to" address(s) (who the mail is *actually* delivered to) don't have to match the headers that SA sees.

Since SA needs to be called by another program, and that program will be aware of all of this, that's really the place to do the exemption.

> Any ideas on how to do this?

amavisd-new is the only solution I've seen that sanely handles multiple-recipient emails where one recipient is excluded, without requiring a large amount of work or awkward mail path configurations.
Re: Way to skip scanning per-user?
On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote:

> I'm looking for an easy way to override ALL scanning (NOT scoring) for a
> specific user.

Don't send mails for that user to SA.

> what I want instead is some special way that SA will say "nope, not even
> testing" and "short circuit".

At the moment, you can't do that.

> This shouldn't be a difficult feature to implement at all -- I'd imagine
> about three lines of code :)

There's code in 3.2 to do it, but it's still the most efficient to just not call SA for mails you don't want scanned (SA will still need to do all the processing to start looking at the mail, until it realizes that the mail is whitelisted or whatever, and then stop processing).

--
Randomly Selected Tagline:
Does killing time damage eternity?