Re: WrongMX plugin
On 02.08.08 13:10, Daryl C. W. O'Shea wrote:
> Sorry for the huge delay in responding...

Better than not at all...

> On 30.05.08 11:46, Matus UHLAR - fantomas wrote:
>> I was also thinking about modifying it to be allowed to hit more times
>> with different scores for smaller time differences (resulting would be
>> sum of all matched). Any opinions?

Here I've meant two or more different rules for different delays, e.g. 30s, 5min, and see the results.

>> since nobody replied, I installed it, but it does not produce anything.
>> Could you please check if it still should work? Sorry for bugging.
>> It works, I only need to find a way for using the current recipient.
>
> I'm not sure what it is you are wanting to do.

I found out that WRONGMX currently hits on our company's mailservers only when the original recipient is in To:, for messages forwarded from other domains, when they were delivered through backup MX for those domains.

So, it actually hits correctly, but not when mail is delivered through our backups, and we only get ~5 hits per day, while many spams go through our MXes.

I guess the problem may lie in lack of knowledge of who the current recipient really is, as we don't (want to) add an X-Envelope-To: header unless the mail goes to wildcard addresses. I tried to specify the recipient to spamc using the -u option, did not help...

It also may be in the setup of our mailservers (primary MX is behind a loadbalancer, mail is directed onto mailhub.nextra.sk, but the mailservers' names are mailhub[1-4].nextra.sk). Does this matter?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: WrongMX plugin
Hi Matus,

Sorry for the huge delay in responding...

On 03/07/2008 4:50 AM, Matus UHLAR - fantomas wrote:
> On 11.06.08 15:40, Matus UHLAR - fantomas wrote:
>> On 30.05.08 11:46, Matus UHLAR - fantomas wrote:
>>> I'd like to use WrongMX plugin on our mailservers (I found it a very
>>> good idea and I was explicitly searching for it), but I'd like to ask
>>> a few questions, if someone of you uses it:
>>> - did you modify the score of it?
>>> - did you modify the maximum time difference allowed for the plugin to hit?
>>> - why does it have a single score of '1' when it's a network rule?
>>> I was also thinking about modifying it to be allowed to hit more times
>>> with different scores for smaller time differences (resulting would be
>>> sum of all matched). Any opinions?
>>
>> since nobody replied, I installed it, but it does not produce anything.
>> Could you please check if it still should work? Sorry for bugging.
>
> It works, I only need to find a way for using the current recipient.

I'm not sure what it is you are wanting to do.

Regards,
Daryl
Re: WrongMX plugin
On 11.06.08 15:40, Matus UHLAR - fantomas wrote:
> On 30.05.08 11:46, Matus UHLAR - fantomas wrote:
>> I'd like to use WrongMX plugin on our mailservers (I found it a very
>> good idea and I was explicitly searching for it), but I'd like to ask
>> a few questions, if someone of you uses it:
>> - did you modify the score of it?
>> - did you modify the maximum time difference allowed for the plugin to hit?
>> - why does it have a single score of '1' when it's a network rule?
>> I was also thinking about modifying it to be allowed to hit more times
>> with different scores for smaller time differences (resulting would be
>> sum of all matched). Any opinions?
>
> since nobody replied, I installed it, but it does not produce anything.
> Could you please check if it still should work? Sorry for bugging.

It works, I only need to find a way for using the current recipient.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: WrongMX plugin
Hello,

On 30.05.08 11:46, Matus UHLAR - fantomas wrote:
> I'd like to use WrongMX plugin on our mailservers (I found it a very
> good idea and I was explicitly searching for it), but I'd like to ask
> a few questions, if someone of you uses it:
> - did you modify the score of it?
> - did you modify the maximum time difference allowed for the plugin to hit?
> - why does it have a single score of '1' when it's a network rule?
> I was also thinking about modifying it to be allowed to hit more times
> with different scores for smaller time differences (resulting would be
> sum of all matched). Any opinions?

since nobody replied, I installed it, but it does not produce anything. Could you please check if it still should work?

Thank you.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Fucking windows! Bring Bill Gates! (Southpark the movie)
WrongMX plugin
Hello,

I'd like to use WrongMX plugin on our mailservers (I found it a very good idea and I was explicitly searching for it), but I'd like to ask a few questions, if someone of you uses it:

- did you modify the score of it?
- did you modify the maximum time difference allowed for the plugin to hit?
- why does it have a single score of '1' when it's a network rule?

I was also thinking about modifying it to be allowed to hit more times with different scores for smaller time differences (resulting would be sum of all matched). Any opinions?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
Re: WrongMX plugin
Rainer Sokoll wrote:
> On Tue, Dec 28, 2004 at 11:58:23AM -0500, Matt Kettler wrote:
>> Disclaimer: I've never used the plugin, but I can casually read the code...
>
> Lucky you ;-)
>
>> wrongmx needs to run on your primary, and will detect that mail first
>> went through one of your secondaries before hitting the primary... If
>> there's only one received: header it bails out immediately, as it
>> can't have been relayed this way yet.
>
> Both my primary and secondaries forward any accepted mail to an
> internal mailserver (which cannot run SA), so this particular plugin
> will never do any useful things to mails in my case.
>
>> I understand. If you're running SA on your secondaries, you could just
>> save yourself the effort and add +1.0 to every email.
>
> Hm, nice idea ;-)

I wrote the WrongMX plugin for a regional ISP that a friend owns. As Matt said, it was designed to run only on a primary MX, or at least on an MX that may receive mail from a lower preference MX.

The mail system it was designed for has four primary MXes (all preference 0) multihomed with connections from three different networks. A secondary MX was added mainly to attract spam. The secondary MX doesn't scan mail, it just queues it and passes it along to the primaries. It shouldn't receive too much legitimate mail since it is on the same networks as the primary MXes so cost based routing shouldn't be causing legit mail to be delivered to it (yes, there are still some very large companies doing cost based mail routing -- Thomson Worldwide and all their divisions, Technicolor, RCA, etc, do this along with others).

That brings up the issue of scoring. Many people will get legit mail on their secondary MX(es), even if their primary MX(es) are up, so I wouldn't score the rule any higher than 2, maybe 3.

Also note that the plugin code is blocking. The DNS lookups are sent out and waited for, instead of doing them in the background. This is a result of the plugin being written quickly when I dropped in to my friend's ISP one afternoon and being lazy knowing that he's got a couple of large and fast DNS caches in front of the spam filtering machines. This shouldn't be a huge issue though since there are only a couple of lookups done. It will increase processing times by a small amount though -- not system load though.

That said, I posted the plugin expecting it to be used mainly by people with a primary MX of their own and a secondary MX that they don't control which most likely doesn't scan their mail, or that they at least scan their mail again themselves. It's been my experience that any MX used for spam filtering would have the same preference as the rest of the filtering MXes, at least for medium sized installations or smaller. Larger sized/volume installations generally have a group of primary MXes that only do virus scanning (since it's faster than spam filtering) which drastically cuts down on the amount of messages passed to the spam filtering machines.

So... like Matt said, and I've recommended to numerous people who have emailed me, you could simply add a rule on your secondary MX that adds a point or two to each email that passes through it. However, keep in mind that legitimate mail can be expected to pass through it, even if your primary MX never goes down or stops accepting mail due to a high load average.

Daryl
Re: WrongMX plugin
Daryl C. W. O'Shea writes:
> The mail system it was designed for has four primary MXes (all
> preference 0) multihomed with connections from three different
> networks. A secondary MX was added mainly to attract spam.
[...]

BTW, related: a good way to setup a secondary as a spamtrap is to setup the secondary as an aliased interface on the primary MX host. That way, if the primary goes down, the spamtrap secondary does too.

--j.
WrongMX plugin
Hi all,

is someone here using $SUBJECT from http://wiki.apache.org/spamassassin/WrongMXPlugin ? Here, it seems to do nothing :-(

A mail sent to a secondary MX:

-8<-
From [EMAIL PROTECTED] Tue Dec 28 15:18:28 2004
Received: from hcou105200.catv.ppp.infoweb.ne.jp (hcou105200.catv.ppp.infoweb.ne.jp [218.229.219.200])
	by mailrelay.intershop.de (8.11.6/8.11.6) with SMTP id iBSEI5F01084
	for [EMAIL PROTECTED]; Tue, 28 Dec 2004 15:18:17 +0100
Message-Id: [EMAIL PROTECTED]
From: =?utf-8?q?Sally Jsa?= [EMAIL PROTECTED]
To: =?utf-8?q?Ethel Lnowyg?= [EMAIL PROTECTED]
Subject: =?utf-8?q?Impress her with a R?= =?utf-8?q?olex?=
Date: Tue, 28 Dec 2004 09:31:36 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=dVr0u7EBATa5zijOP7WgRU
X-Virus-Scanned: by AMaViS-perl11-milter (http://amavis.org/)
X-Spam-Status: No, score=9.1 required=100.0 tests=BAYES_99,HTML_MESSAGE,
	RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_NJABL_DUL,
	RCVD_IN_SORBS_DUL autolearn=no version=3.0.2
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mailrelay.intershop.de
-8<-

The output from spamassassin -D --siteconfigpath=/etc/mail/spamassassin /tmp/spammail is as follows:

-8<-
debug: SpamAssassin version 3.0.2
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/games/bin', keeping.
debug: PATH included '/usr/games', keeping.
debug: PATH included '/opt/gnome/bin', keeping.
debug: Final PATH set to: /usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games/bin:/usr/games:/opt/gnome/bin
debug: using /usr/local/perl-5.8.5/share/spamassassin for default rules dir
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/10_misc.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_compensate.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_drugs.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_phrases.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_porn.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_ratware.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/23_bayes.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/25_spf.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/25_uribl.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/30_text_de.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/50_scores.cf
debug: config: read file /usr/local/perl-5.8.5/share/spamassassin/60_whitelist.cf
debug: using /etc/mail/spamassassin for site rules dir
debug: config: read file /etc/mail/spamassassin/antidrug.cf
debug: config: read file /etc/mail/spamassassin/local.cf
debug: config: read file /etc/mail/spamassassin/wrongmx.cf
debug: using /var/spool/vscan/.spamassassin for user state dir
debug: using /var/spool/vscan/.spamassassin/user_prefs for user prefs file
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8dfd4a8)
debug: plugin: fixed relative path: /etc/mail/spamassassin/wrongmx.pm
debug: plugin: loading WrongMX from /etc/mail/spamassassin/wrongmx.pm
debug: plugin: registered WrongMX=HASH(0x8ca69a0)
debug: using /var/spool/vscan/.spamassassin for user state dir
debug: bayes: 5338 tie-ing to DB file R/O /var/spool/vscan/.spamassassin/bayes_toks
debug: bayes: 5338 tie-ing to DB file R/O /var/spool/vscan/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: using
Re: WrongMX plugin
On Tue, Dec 28, 2004 at 11:58:23AM -0500, Matt Kettler wrote:

Hi,

> Disclaimer: I've never used the plugin, but I can casually read the code...

Lucky you ;-)

> wrongmx needs to run on your primary, and will detect that mail first
> went through one of your secondaries before hitting the primary... If
> there's only one received: header it bails out immediately, as it
> can't have been relayed this way yet.

Both my primary and secondaries forward any accepted mail to an internal mailserver (which cannot run SA), so this particular plugin will never do any useful things to mails in my case.

> I understand. If you're running SA on your secondaries, you could just
> save yourself the effort and add +1.0 to every email.

Hm, nice idea ;-)

Thank you,
Rainer

-- 
Times change, and we change with them (N.N.)
WrongMX Plugin
Good afternoon,

For those interested, I've uploaded to the Wiki, and attached for your convenience, a plugin to detect when an email was sent to a secondary or lower preference MX server when a higher preference MX server was likely to have been available (the message was passed to the higher preference MX within 30 seconds).

Net::DNS is required. It is also required that your servers' clocks are somewhat accurately set.

Daryl

package WrongMX;

use strict;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use Net::DNS;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless ($self, $class);
  $self->register_eval_rule("wrongmx");
  return $self;
}

sub wrongmx {
  my ($self, $permsgstatus) = @_;
  my $MAXTIMEDIFF = 30;

  return 0 if $self->{main}->{local_tests_only}; # in case plugins ever get called

  # if a user set dns_available to no we shouldn't be doing MX lookups
  return 0 unless $permsgstatus->is_dns_available();

  # avoid FPs (and wasted processing) by not checking when all_trusted
  return 0 if $permsgstatus->check_all_trusted;

  # if there is only one received header we can bail
  my $times_ref = ($permsgstatus->{received_header_times});
  return 0 if (scalar(@$times_ref) < 2); # if it only hit one server we're done

  # next we need the recipient domain's MX records... who's the recipient
  my $recipient_domain;
  if ($self->{main}->{username} =~ /\@(\S+\.\S+)/) {
    $recipient_domain = $1;
  } else {
    foreach my $to ($permsgstatus->all_to_addrs) {
      next unless defined $to;
      $to =~ tr/././s; # bug 3366?
      if ($to =~ /\@(\S+\.\S+)/) {
        $recipient_domain = $1;
        last;
      }
    }
  }
  return 0 unless defined $recipient_domain; # no domain means no MX records

  # Now we need to get the recipient domain's MX records.
  # We'll resolve the hosts so we can look for IP overlaps.
  my $res = Net::DNS::Resolver->new;
  my @rmx = mx($res, $recipient_domain);
  my %mx_prefs; # MX hostname or IP -> lowest preference seen for it
  if (@rmx) {
    foreach my $rr (@rmx) {
      unless (exists $mx_prefs{$rr->exchange} && $mx_prefs{$rr->exchange} < $rr->preference) {
        $mx_prefs{$rr->exchange} = $rr->preference;
      }
      my @ips = $permsgstatus->lookup_a($rr->exchange);
      next unless @ips;
      foreach my $ip (@ips) {
        unless (exists $mx_prefs{$ip} && $mx_prefs{$ip} < $rr->preference) {
          $mx_prefs{$ip} = $rr->preference;
        }
      }
    }
  } else {
    return 0; # no recipient domain MX records found, no way to check MX flow
  }

  # get relay hosts
  my @relays;
  foreach my $rcvd (@{$permsgstatus->{relays_trusted}}, @{$permsgstatus->{relays_untrusted}}) {
    push @relays, $rcvd->{by};
  }
  return 0 if (!scalar(@relays)); # this probably won't happen, but whatever

  # Bail if we don't have the same number of relays and times, or if we have
  # fewer preferences than times (or relays).
  return 0 if (scalar(@relays) != scalar(@$times_ref)
               || scalar(@$times_ref) > scalar(keys(%mx_prefs)));

  # Check to see if a higher preference relay passes mail to a lower
  # preference relay within $MAXTIMEDIFF seconds. If we do decide that a message
  # has done this, wait till AFTER we lookup the sender domain's MX records
  # to return 1 since there may be MX overlaps that we'll bail on... see below.
  # We could do the sender domain MX lookups first, but we might as well save
  # the overhead if we're going to end up bailing anyway ($hits == 0).
  # We'll go through backwards so that we can detect weird local configs
  # that pass mail from the primary MX to the secondary MX for spam/virus
  # scanning, or even final delivery. See BACKWARDS comment below.
  # We'll resolve the 'by' hosts found to see if they match any of our
  # resolved MX hosts' IPs.
  my $hits = 0;
  my $last_pref;
  my $last_time;
  foreach (my $i = $#relays; $i >= 0; $i--) {
    my $MX = 0;
    if (exists($mx_prefs{$relays[$i]})) {
      $MX = $relays[$i];
    } else {
      my @ips = $permsgstatus->lookup_a($relays[$i]);
      next unless @ips;
      foreach my $ip (@ips) {
        if ( exists $mx_prefs{$ip} ) {
          $MX = $ip;
          last;
        }
      }
    }
    if ($MX) {
      if (defined ($last_pref) && defined ($last_time)) {
        # BACKWARDS -- uncomment the next line if you need to pass mail from a
        # higher pref MX to a lower MX (for virus scanning/etc) AND back,
        # before SA sees it... this opens you up to FNs with forged headers
        # last if ($mx_prefs{$MX} > $last_pref);
        $hits++ if ($mx_prefs{$MX} < $last_pref
                    && ($last_time - $MAXTIMEDIFF <= $times_ref->[$i]
                        && $times_ref->[$i] <= $last_time + $MAXTIMEDIFF)); # within max time diff
      }
      $last_pref = $mx_prefs{$MX};
      $last_time = $times_ref->[$i];
    }
    last if $hits;
  }

  # Determine the sender's domain.
  # Don't bail if we can't determine the sender since it's probably spam.
  my $sender_domain;

  # [The archived message is cut off at this point; the sender-domain MX
  #  lookup and overlap check described in the comment above are not shown.
  #  The sub is closed here so the file compiles.]
  return $hits ? 1 : 0;
}

1;
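The detection Daryl describes above (a lower-preference MX handing mail to a higher-preference one within a short window), plus the tiered-delay, summed-score variant Matus asks about in his 02.08.08 reply, as an added stand-alone Python example; this is not the plugin's code and does no DNS: the MX table, the hostnames, the tier scores and the Received headers are all constructed assumptions.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed MX table for the recipient domain: host -> preference.
# A lower number is a higher-priority MX (hypothetical hosts).
MX_PREFS = {"mx1.example.net": 0, "backup.example.net": 10}

# Delay windows (seconds, score). The posted plugin uses one 30 s window
# scoring 1; these tiers implement the "several rules, summed" idea.
TIERS = [(30, 2.0), (300, 1.0)]

RCVD_RE = re.compile(r"^Received:.*?\sby\s+(\S+).*?;\s*(.+)$", re.S)

def parse_received(headers):
    """Return [(by_host, unix_time)] in header order, newest hop first."""
    hops = []
    for h in headers:
        m = RCVD_RE.match(h)
        if m:
            host = m.group(1).rstrip(",;").lower()
            when = parsedate_to_datetime(m.group(2).strip()).timestamp()
            hops.append((host, when))
    return hops

def wrong_mx_score(headers, mx_prefs=MX_PREFS, tiers=TIERS):
    """Score > 0 when a lower-priority MX handed the mail to a higher-priority
    MX inside a tier's window (so the primary was most likely reachable)."""
    hops = parse_received(headers)
    if len(hops) < 2:                   # only one server touched it: bail
        return 0.0
    last_pref = last_time = None
    for host, when in reversed(hops):   # walk oldest hop first, like the plugin
        pref = mx_prefs.get(host)
        if pref is None:                # not one of the domain's MXes: skip
            continue
        if last_pref is not None and pref < last_pref:
            delay = abs(when - last_time)
            score = sum(s for window, s in tiers if delay <= window)
            if score:
                return score
        last_pref, last_time = pref, when
    return 0.0                          # primary -> backup, or too slow

# Constructed headers: spam delivered to the backup MX, relayed 12 s later.
SPAM_VIA_BACKUP = [
    "Received: from backup.example.net (backup.example.net [192.0.2.20]) "
    "by mx1.example.net with ESMTP id abc123; Tue, 28 Dec 2004 15:18:40 +0100",
    "Received: from host.example.org (host.example.org [203.0.113.7]) "
    "by backup.example.net with SMTP; Tue, 28 Dec 2004 15:18:28 +0100",
]
# Same path, but the primary only accepted it two hours later (it was down).
PRIMARY_WAS_DOWN = [
    SPAM_VIA_BACKUP[0].replace("15:18:40", "17:20:40"),
    SPAM_VIA_BACKUP[1],
]
```

Because the hops are walked oldest-first, a local setup that passes mail from the primary to the backup scores nothing, which is the behaviour the plugin's BACKWARDS comment describes.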