roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Thomas Bolioli
Whenever our users travel outside the internal networks and send email 
to each other, the emails get tagged by the below reports (yes, I 
cranked up the default scores because of the botnet crap out there) 
because they are on dyn IPs and sending direct to the receiving MTA.


I see a couple of ways that this can be remedied, most of which is 
acceptable. a) Whitelist all of the users (or the entire domain) for 
every domain on the system [obviously bad since it allows spammers to 
spoof from headers with impunity even with SPF setup]. b) set up second 
machine to be a second MTA and have users send email from machine 2 
which then relays to machine 1 [waste of a machine and energy to run 
that machine]. or c) there is some configuration I am missing. Does 
anyone know what I can do to fix this?


Thanks,
Tom

   *  0.7 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
   *  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
   *  2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
   *  [xx.xx.xx.xx listed in combined.njabl.org]


Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Thomas Bolioli

Dan Horne wrote:
>> I see a couple of ways that this can be remedied, most of
>> which is acceptable. a) Whitelist all of the users (or the
>> entire domain) for every domain on the system [obviously bad
>> since it allows spammers to spoof from headers with impunity
>> even with SPF setup]. b) set up second machine to be a second
>> MTA and have users send email from machine 2 which then
>> relays to machine 1 [waste of a machine and energy to run
>> that machine]. or c) there is some configuration I am
>> missing. Does anyone know what I can do to fix this?
>
> Set up SMTP AUTH and require your users to log in to send email.  If I
> understand correctly Spamassassin automatically trusts mails sent via
> SMTP AUTH.

Thanks for the response. SMTP auth is set up so there must be something 
I need to do to tell SA that it was auth'd.

Any ideas?
Thanks,
Tom


Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Michel R Vaillancourt

Thomas Bolioli wrote:
> Thanks for the response. SMTP auth is set up so there must be something
> I need to do to tell SA that it was auth'd.
>
> Any ideas?
> Thanks,
> Tom


One solution that I used for this problem was a custom rule.  We had one client site that had a lot of
roadwarriors so they had their own SMTP machine.  On that machine, I used a mail-filter to add an X
tag with an MD5 hash of the company name as a validation stamp.  Every email coming into that machine from the
Roadwarriors got the Stamp.  The MX boxen all had a custom rule in SA that took 20 points off.  Every
Sunday night, the system redid the Stamp and passed out new versions of the rule with the correct
Stamp in it to the MX boxen.

It worked like a charm.
--
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


RE: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Dan Horne



>> Set up SMTP AUTH and require your users to log in to send email.  If I
>> understand correctly Spamassassin automatically trusts mails sent via
>> SMTP AUTH.
>
> Thanks for the response. SMTP auth is set up so there must be
> something I need to do to tell SA that it was auth'd.
> Any ideas?
> Thanks,
> Tom

I found out about it at the link below and had to add a config option to
my postfix I think to get it to add the appropriate info in the headers
(documented in the page below).

http://wiki.apache.org/spamassassin/DynablockIssues

If you're using postfix, the parameter is
smtpd_sasl_authenticated_header = yes which makes your received
headers contain info like:

Received: from host.example.com (dyna-IP-AD-DRE-SS.example.com [IP.AD.DRE.SS])
    (Authenticated sender: [EMAIL PROTECTED])
    by mail.example.org (Postfix) with ESMTP id 6A3922B22E0;
    Tue, 12 Dec 2006 15:24:46 -0500 (EST)

Spamassassin picks up on the Authenticated sender: portion of this
line and trusts the sender.


RE: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Dan Barker
Another issue you'll run into with road warriors is blocks on port 25. They
may not be able to authenticate with your server. They'll have to use port
587 (submission) on some connections. This is so common, that I even support
587 inside my firewall so the client setup doesn't need to change when my
laptop comes home.

Dan


-Original Message-
From: Thomas Bolioli [mailto:[EMAIL PROTECTED]
Sent: Monday, December 18, 2006 10:37 AM
To: users@spamassassin.apache.org
Subject: roaming users sending mail internally and dynamic IPs issue


Whenever our users travel outside the internal networks and send email
to each other, the emails get tagged by the below reports (yes, I
cranked up the default scores because of the botnet crap out there)
because they are on dyn IPs and sending direct to the receiving MTA.

I see a couple of ways that this can be remedied, most of which is
acceptable. a) Whitelist all of the users (or the entire domain) for
every domain on the system [obviously bad since it allows spammers to
spoof from headers with impunity even with SPF setup]. b) set up second
machine to be a second MTA and have users send email from machine 2
which then relays to machine 1 [waste of a machine and energy to run
that machine]. or c) there is some configuration I am missing. Does
anyone know what I can do to fix this?

Thanks,
Tom

*  0.7 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
*  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
*  2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
*  [xx.xx.xx.xx listed in combined.njabl.org]



Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Thomas Bolioli

Dan Barker wrote:

> Another issue you'll run into with road warriors is blocks on port 25. They
> may not be able to authenticate with your server. They'll have to use port
> 587 (submission) on some connections. This is so common, that I even support
> 587 inside my firewall so the client setup doesn't need to change when my
> laptop comes home.
>
> Dan

Yeah, I have had this setup myself after running into the issue @ a 
hotel last year.

Thanks,
Tom


Re: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Nigel Frankcom
On Mon, 18 Dec 2006 16:13:32 -0500, Thomas Bolioli
[EMAIL PROTECTED] wrote:

> Dan Horne wrote:
>
>>>> Set up SMTP AUTH and require your users to log in to send email.  If I
>>>> understand correctly Spamassassin automatically trusts mails sent via
>>>> SMTP AUTH.
>>>
>>> Thanks for the response. SMTP auth is set up so there must be
>>> something I need to do to tell SA that it was auth'd.
>>> Any ideas?
>>> Thanks,
>>> Tom
>>
>> I found out about it at the link below and had to add a config option to
>> my postfix I think to get it to add the appropriate info in the headers
>> (documented in the page below).
>>
>> http://wiki.apache.org/spamassassin/DynablockIssues
>>
>> If you're using postfix, the parameter is
>> smtpd_sasl_authenticated_header = yes which makes your received
>> headers contain info like:
>>
>> Received: from host.example.com (dyna-IP-AD-DRE-SS.example.com [IP.AD.DRE.SS])
>>     (Authenticated sender: [EMAIL PROTECTED])
>>     by mail.example.org (Postfix) with ESMTP id 6A3922B22E0;
>>     Tue, 12 Dec 2006 15:24:46 -0500 (EST)
>>
>> Spamassassin picks up on the Authenticated sender: portion of this
>> line and trusts the sender.


> You nailed it. That was it and it is now working. Thanks for the assist.
> Tom

Is this applicable to sa servers that receive mail from a sender as
well as those that send mail from said users? Our systems currently
bypass all sa tests for auth'd users but I wonder what receiving
servers make of this. Many of my users are on the road and regularly
send mail from places that would get an outright block locally without
the bypass. Would they get a better reception from the recipient
server if the header above was included?

To date I've not had a reported problem, we use an alternate port for
auth'd users so the usual muppetry of proxies is avoided.

KR

Nigel
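
The header check Dan Horne describes, reduced to a simplified Python model (an added example, not SpamAssassin's own code and not from any poster in this thread): the `Authenticated sender:` token counts only in a Received header written by an MTA you control, so a copy of it in a client-supplied header changes nothing. `TRUSTED_NETS`, the function name, and every address and header line below are constructed assumptions.

```python
import ipaddress
import re

# Assumption: address ranges of MTAs we run ourselves (the role SpamAssassin's
# trusted_networks setting plays). 192.0.2.0/24 is a documentation range.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Postfix-style Received line, with the optional token that
# smtpd_sasl_authenticated_header = yes adds.
RECEIVED_RE = re.compile(
    r"from \S+ \(\S+ \[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"(?: \(Authenticated sender: (?P<auth>[^)]+)\))?"
    r" by \S+"
)

def first_untrusted_relay(received_headers):
    """Return the IP a dynamic-IP blocklist rule should test, or None.

    Headers are listed newest first. The top one was written by our own MTA;
    each later one was written by the relay named in the header above it, so
    the walk stops at the first relay that is neither ours nor authenticated.
    """
    for raw in received_headers:
        m = RECEIVED_RE.search(" ".join(raw.split()))  # unfold continuation lines
        if m is None:
            raise ValueError("unparseable Received header")
        ip = ipaddress.ip_address(m["ip"])
        if m["auth"] is None and not any(ip in net for net in TRUSTED_NETS):
            return str(ip)
        # Relay is trusted, so the next header (written by it) is credible too.
    return None

# Constructed samples (documentation addresses), newest header first.
ROAMING_AUTHED = [
    "from laptop (dyn-23.example.net [198.51.100.23])\n"
    "\t(Authenticated sender: tom@example.org)\n"
    "\tby mail.example.org (Postfix) with ESMTP id 0000000000",
]
FORGED_TOKEN = [
    "from bot (dyn-77.example.net [203.0.113.77])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 0000000001",
    # Supplied by the unauthenticated client itself, so never consulted:
    "from laptop (dyn-23.example.net [198.51.100.23])\n"
    "\t(Authenticated sender: tom@example.org)\n"
    "\tby mail.example.org (Postfix) with ESMTP id 0000000002",
]
```

`first_untrusted_relay(ROAMING_AUTHED)` returns `None`, so no dynamic-IP rule has an address to test; for `FORGED_TOKEN` it returns the connecting address `203.0.113.77`.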



RE: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Leon Kolchinsky


 -Original Message-
 From: Thomas Bolioli [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 18, 2006 5:37 PM
 To: users@spamassassin.apache.org
 Subject: roaming users sending mail internally and dynamic IPs issue
 
 Whenever our users travel outside the internal networks and send email
 to each other, the emails get tagged by the below reports (yes, I
 cranked up the default scores because of the botnet crap out there)
 because they are on dyn IPs and sending direct to the receiving MTA.
 
 I see a couple of ways that this can be remedied, most of which is
 acceptable. a) Whitelist all of the users (or the entire domain) for
 every domain on the system [obviously bad since it allows spammers to
 spoof from headers with impunity even with SPF setup]. b) set up second
 machine to be a second MTA and have users send email from machine 2
 which then relays to machine 1 [waste of a machine and energy to run
 that machine]. or c) there is some configuration I am missing. Does
 anyone know what I can do to fix this?
 
 Thanks,
 Tom
 
 *  0.7 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
 *  2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [xx.xx.xx.xx listed in combined.njabl.org]

If you are using postfix+amavis+SA, there are many ways to bypass SA checks for
your users:
http://www200.pair.com/mecham/spam/bypassing.html



Regards,
Leon