Re: [Mimedefang] Monitoring Selected User Emails

2004-09-09 Thread Steffen Kaiser
On Wed, 8 Sep 2004, Ted Beaton wrote: have been tasked with monitoring all incoming and outgoing mail for a couple targeted users. Is mimedefang the best way to attack this or is there a simpler solution? Thinking that mimedefang was the way to go I have Because aliases are expanded later than MI

[Mimedefang] graphdefang issues

2004-09-09 Thread Kenneth Porter
I brought up the graphdefang bundled with the latest MD beta (GD files dated 10/22/2003) and it's mostly working great. Lately I've been getting some Perl errors. Before I dig deeper, has anyone seen these who can hint what to look for? Use of uninitialized value in hash element at /home/ken/g

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Kenneth Porter
--On Thursday, September 09, 2004 4:06 PM -0400 [EMAIL PROTECTED] wrote: So the spammers buy a domain in January along with 999 others, but don't actually use it until September. Hey, it's 9 months old, it must be OK! Umm, no. I think it needs to be based on when it's first used. Then you're back

Re: [Mimedefang] Re: Calm AV setup - Almost done

2004-09-09 Thread Thomas Barnes
If you have a sniff through the MD configure script, you can run it with --enable-clamd or --enable-clamav which should then force a detection. Also, don't quote me too strongly on this one, but I don't think you *need* to run both clamd and clam-milter. I was attempting to do that but could not f

[Mimedefang] Re: Calm AV setup - Almost done

2004-09-09 Thread Matt Smith
On Date: Thu, 09 Sep 2004 14:15:45 -0400, Mark Penkower <[EMAIL PROTECTED]> wrote: > I then need to recompile MimeDefang (2.39) to recognize the scanner. After > running .configure, I get: MD 2.39 is a little old now, I suggest upgrading to 2.44 if for no other reason than because you can ;) Also

Re: [Mimedefang] Spamhaus on SA

2004-09-09 Thread Al Sparks
First, skip_rbl_checks 0 is already unset in my SA. I just incorporated spamhaus into my sendmail.mc as you suggested and it works. So, what runs first with this configuration? Spamhaus or MD? === Al --- Jason Gurtz <[EMAIL PROTECTED]> wrote: > > I use spamhaus in sendmail > > FEATURE

[Mimedefang] SuspiciousCharsInBody

2004-09-09 Thread Jan Pieter Cornet
FYI, We've been experimenting with blocking on $SuspiciousCharsInBody, but we quickly found out that that is a bad idea (due to the amount of utter crappy MUAs out there). Is anyone using this to block messages on a real production mailserver? I quarantined some messages for half an hour, to see

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread John Scully
We are running MD 2.45 beta-2 and spamassassin 3.0.0-RC3 (release candidate 3 of version 3), along with the full set of SARE (SpamAssassin Rules Emporium) rule sets, other custom rule sets and DCC (not through SA, but direct from MD using DCCIFD). We have found that the combination of DCC, the sur

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Jeff Rife
On 9 Sep 2004 at 8:17, David F. Skoll wrote: > On Thu, 9 Sep 2004, Jeff Rife wrote: > > > No, because a spammer could buy up 365 domains on Jan 1, then use one > > each day. > > Darn! You're too clever. Not a spammer, are you? :-) Every good cop knows the best ways to break the law, because i

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/09/2004 03:52:46 PM: > What stops spammers from pre-registering a domain, and then pre-querying DNS? Not a gosh darned thing, unfortunately. Or is there... Disallow (or ignore) queries from servers that are blacklisted by IP.

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/09/2004 03:40:41 PM: > Just had to deal with this. My address had been used by a zombie with HTTP > and SOCKS proxies in mid-2003 and the SORBS records were still present. > Fortunately the list had a straightforward way to get de-listed. It did > have some compl

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/09/2004 03:43:43 PM: > What would be really nice is a new record type maintained in the TLD > servers that held the domain creation time. One could then write a > SpamAssassin plugin to monitor this. So the spammers buy a domain in January along with 999 others, bu

Re: [Mimedefang] Queer MIME::Entity error

2004-09-09 Thread Jason Gurtz
On 9/9/2004 15:37, David F. Skoll wrote: > On Thu, 9 Sep 2004, Jason Gurtz wrote: >> action_add_part("$entity","text/plain","-suggest","$report\n", >> "SpamAssassinReport.txt","inline"); > > *that's* not what's in the sample filter! :-) > > Read it carefully... shall I keep you in suspense? > >

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread Kenneth Porter
--On Thursday, September 09, 2004 9:13 AM -0400 [EMAIL PROTECTED] wrote: Most of the problems w/ blacklisting I have seen is that things stay on the list long after the problem is resolved. In the past, I've seen open relays get fixed, but it's still on some obscure list that the relay owner wasn

Re: [Mimedefang] Spamhaus on SA

2004-09-09 Thread Jason Gurtz
On 9/9/2004 15:10, Al Sparks wrote: > The FAQ you're referring to says that: >$SALocalTestsOnly = 0; > for DCC to work. I already have that set (I guess I have it UNSET actually), > and I already have DCC working. > > I can't get Spamhaus to work, though. So to start, has anyone out there >

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread Matthew.van.Eerde
Kenneth Porter wrote: > --On Thursday, September 09, 2004 10:33 AM -0400 [EMAIL PROTECTED] wrote: > >> That's an interesting idea! Query a DNS to see if xyz.com is known. >> If it isn't, the DNS returns 127.0.0.1 and add it to the database. >> If it is known, but for less than some time period

Re: [Mimedefang] HTML ok?

2004-09-09 Thread Jason Gurtz
On 9/9/2004 05:58, Jan Pieter Cornet wrote: > Anyway, the fix is to somehow make the call to > "remove_redundant_html_parts", that is currently in your sub filter_end, > optional. > > Something along the lines of: > > unless ( user_allowed_to_send_html($Sender) > or html_allowed_in_me

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Kenneth Porter
--On Thursday, September 09, 2004 10:33 AM -0400 [EMAIL PROTECTED] wrote: That's an interesting idea! Query a DNS to see if xyz.com is known. If it isn't, the DNS returns 127.0.0.1 and add it to the database. If it is known, but for less than some time period - long enough for them to make it

Re: [Mimedefang] Queer MIME::Entity error

2004-09-09 Thread David F. Skoll
On Thu, 9 Sep 2004, Jason Gurtz wrote: > The only place is as included in the default filter: > # If you find the SA report useful, add it, I guess... > action_add_part("$entity","text/plain","-suggest","$report\n", > "SpamAssassinReport.txt","inline"); *that's* not what's in the sample filter! :

Re: [Mimedefang] Queer MIME::Entity error

2004-09-09 Thread Jason Gurtz
On 9/9/2004 14:58, David F. Skoll wrote: > On Thu, 9 Sep 2004, Jason Gurtz wrote: > >> Sep 9 13:32:32 ophiopogon mimedefang-multiplexor[23691]: Slave 0 >> stderr: Can't locate object method "head" via package >> "MIME::Entity=HASH(0x93b22bc)" (perhaps you forgot to load >> "MIME::Entity=HASH(0x93

Re: [Mimedefang] Spamhaus on SA

2004-09-09 Thread Al Sparks
The FAQ you're referring to says that: $SALocalTestsOnly = 0; for DCC to work. I already have that set (I guess I have it UNSET actually), and I already have DCC working. I can't get Spamhaus to work, though. So to start, has anyone out there gotten Spamhaus to work within SA using MD? I'd a

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/09/2004 01:54:40 PM: > Maybe we need to think a little outside the box. Porn spam's objective > is to get you to go to their website, subscribe etc. > Now maybe we need to search the body for web links then match them > against a blacklist. Yes. That's what SURBL

Re: [Mimedefang] HTML ok?

2004-09-09 Thread Ashley M. Kirchner
Jan Pieter Cornet wrote: Well, that depends on what you want, exactly. Do you want to base it on certain messages, or on certain senders? :) And if so, how many? Certain senders. The same sender can send different messages, so basing it on messages won't make sense. :) As for how many...

Re: [Mimedefang] Queer MIME::Entity error

2004-09-09 Thread David F. Skoll
On Thu, 9 Sep 2004, Jason Gurtz wrote: > Sep 9 13:32:32 ophiopogon mimedefang-multiplexor[23691]: Slave 0 > stderr: Can't locate object method "head" via package > "MIME::Entity=HASH(0x93b22bc)" (perhaps you forgot to load > "MIME::Entity=HASH(0x93b22bc)"?) at /usr/bin/mimedefang.pl line 739. Ho

Re: [Mimedefang] Rewriting Subject header not working

2004-09-09 Thread Jason Gurtz
On 9/9/2004 02:15, Patric Wust wrote: > Hi Jason, > >> # Prepend '*SPAM*' to the Subject >> action_change_header("Subject", "\*\*\*\*\*SPAM\*\*\*\*\* $Subject"); > > > The only thing that is different to my configuration (which is working > correctly) is, do not escape the asterisks, i

[Mimedefang] Queer MIME::Entity error

2004-09-09 Thread Jason Gurtz
This same problem was brought up before (a while ago): and from the thread I don't know if it was ever solved. Just like the reference thread I'm seeing: Sep 9 13:32:32 ophiopogon mimedefang-multiplexor[23691]: Slave 0

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Kelson
Keith Patton wrote: Maybe we need to think a little outside the box. Porn spam's objective is to get you to go to their website, subscribe etc. Now maybe we need to search the body for web links then match them against a blacklist. Actually, that's where this thread started -- with SURBL. More

[Mimedefang] Calm AV setup - Almost done

2004-09-09 Thread Mark Penkower
I have clamav working fine on a backup mail server. I set it up on the production mail server, but am having an issue. I successfully compiled up clamav and clamav-milter and ran them. Here are entries: ps -ef defang5494 1 0 13:55 ?00:00:00 [clamd] defang5760 1 0 13:59

Re: [Mimedefang] SURBL effectiveness and domain turnaround time

2004-09-09 Thread Jason Gurtz
On 9/8/2004 23:27, David F. Skoll wrote: > in. (Unless you use Microsoft's bloated Sender ID XML garbage that > probably forces you to use TCP for your queries.) I've been following IETF-mxcomp some and AFAIK the MARID working group has struck XML from the standard :) Cheers, ~Jason --

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread David F. Skoll
On Thu, 9 Sep 2004, Keith Patton wrote: > Maybe we need to think a little outside the box. Porn spam's objective > is to get you to go to their website, subscribe etc. > Now maybe we need to search the body for web links then match them > against a blacklist. That's how sc.surbl.org works. Rega

RE: [Mimedefang] Monitoring Selected User Emails

2004-09-09 Thread Matthew.van.Eerde
Matthew.van.Eerde wrote: > David F. Skoll wrote: >> On Wed, 8 Sep 2004, Ted Beaton wrote: >> >>> if ($recip = [EMAIL PROTECTED]) { Or if I wanted to get really crazy I'd do something like sub email_lists_overlap(\@@); sub lists_overlap(\@@); sub canonify_email($); ... if

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Keith Patton
Maybe we need to think a little outside the box. Porn spam's objective is to get you to go to their website, subscribe etc. Now maybe we need to search the body for web links then match them against a blacklist. just a thought, -Keith Kevin A. McGrail wrote: There are certainly ways to code aro

RE: [Mimedefang] Monitoring Selected User Emails

2004-09-09 Thread Matthew.van.Eerde
David F. Skoll wrote: > On Wed, 8 Sep 2004, Ted Beaton wrote: > >> if ($recip = [EMAIL PROTECTED]) { > > That's invalid perl. Should be: > > if ($recip eq '<[EMAIL PROTECTED]>') { > Can the @Recipients collection be counted upon to have <> and lc pre-applied? Erring on the

Re: [Mimedefang] Monitoring Selected User Emails

2004-09-09 Thread David F. Skoll
On Wed, 8 Sep 2004, Ted Beaton wrote: > if ($recip = [EMAIL PROTECTED]) { That's invalid perl. Should be: if ($recip eq '<[EMAIL PROTECTED]>') { > Not fully understanding the complete workings I made a couple assumptions > and tested. That's a good way to break a mail sy

[Mimedefang] Monitoring Selected User Emails

2004-09-09 Thread Ted Beaton
Hi, I am running Fedora Core 2 w/ dovecot imap, spamassassin and mimedefang 2.44. This is not our active mail server yet, it is still in test mode. I have been tasked with monitoring all incoming and outgoing mail for a couple targeted users. Is mimedefang the best way to attack this or is there

[Mimedefang] dropping attachments by mime type

2004-09-09 Thread kjkoster
Dear All, I see certain messages with a winmail.dat attachment that I would like to drop. I would prefer to control dropping such attachments by mime type and not by file name. How do I do this? Kees Jan PS. If you received an empty mail from me, please accept my apologies. I pressed the wron

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Kevin A. McGrail
There are certainly ways to code around this and it *might* be a very valid way to stop spammers. I'll leave that debate to continue. However, my point was just to make sure that some admins didn't go code up a whois lookup that was automated and find themselves in violation of the whois rules ag

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread David F. Skoll
On Thu, 9 Sep 2004, Kevin A. McGrail wrote: > Besides the point of pre-purchasing the domains, I think if you coded this > up, you would be in violation of many whois access rules and end up getting > blocked. Well, you could do an enhanced form of greylisting. If mail comes from an unknown doma

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread Minica, Nelson \(EDS\)
Easy? Maybe. But at least it would have verified the spammer's e-mail address/domain/IP in a world where 99.% of spam hides behind fake e-mail addresses and zombie machines. Like SPF is supposed to do. With a whitelist based system of course the user has to manage their whitelist if they wa

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Jim McCullars
On Wed, 8 Sep 2004, Penelope Fudd wrote: > Is there a way to say "deny email from all domains that are less than 12 > hours old"? I've thought about that, even looked at CPAN to see if there is a Whois module for perl. Is anyone else doing anything like this? Jim McCullars

[Mimedefang] OT: Rant about disappearing email

2004-09-09 Thread WBrown
Thank that Mimedefang/CanIT rejects mail instead of simply dropping it! I just spent half my morning tracking down a listserv message and proving that it made it to Hotmail. User claims she never got it, nor several others from the same list. Thanks David for the nice design work!! --- SP

Re: [Mimedefang] Dealing with massive spam burst

2004-09-09 Thread Les Mikesell
On Wed, 2004-09-08 at 21:38, David F. Skoll wrote: > MIMEDefang can do that too, with md_check_against_smtp_server. However, > the SMTP lookahead doesn't work with MS Exchange older than Exchange 2003, > and even Exchange 2003 makes you jump through 87 hoops to get it working. Putting everything

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/08/2004 06:33:00 PM: > There's a George Carlin video that pretty much has them all. > > It's got the sequel to the "Seven Words" sketch where he says "it's > increased a bit" and unrolls a 25-foot long, single-spaced list of > words, and then reads them. This lis

RE: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/08/2004 05:46:48 PM: >Blacklist based systems cannot keep up and cause too many > false positives. It's like we have two billion doors and are trying to > identify and close the doors a bad e-mail might come through. Most of the problems w/ blacklisting I h

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread Kevin A. McGrail
Besides the point of pre-purchasing the domains, I think if you coded this up, you would be in violation of many whois access rules and end up getting blocked. Regards, KAM - Original Message - From: "David F. Skoll" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, September

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/09/2004 08:17:00 AM: > On Wed, 8 Sep 2004, Penelope Fudd wrote: > > Now there's a terrific idea! This info can be gleaned from WHOIS: But if the domain was registered Jan 1 2004 as part of a bulk purchase, but not used until Sep 9 2004, it wouldn't have made it t

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread WBrown
[EMAIL PROTECTED] wrote on 09/09/2004 01:05:06 AM: > Is there a way to say "deny email from all domains that are less than 12 > hours old"? That's an interesting idea! Query a DNS to see if xyz.com is known. If it isn't, the DNS returns 127.0.0.1 and add it to the database. If it is known, b

Re: [Mimedefang] SURBL effectiveness and domain turnaround time

2004-09-09 Thread Ian Mitchell
13 servers which are 486/50dx2's and 13 thousand node zeon clusters makes a bit of a difference. It's not the number but the size that counts. ;) > sc.surbl.org has 13 name servers, just like the root name servers of > the Internet. You can imagine that if 13 name servers can handle all > the roo

Re: [Mimedefang] SURBL effectiveness and domain turnaround time

2004-09-09 Thread David F. Skoll
On Thu, 9 Sep 2004, Jeff Rife wrote: > I'll have to > see if I can set up my cache so that negative responses from specific > domains/servers have a different TTL than "general" ones. This is set in the SOA record of the domain, which for sc.surbl.org is 15 minutes. You can, of course, override

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread David F. Skoll
On Wed, 8 Sep 2004, Penelope Fudd wrote: > Is there a way to say "deny email from all domains that are less than 12 > hours old"? Now there's a terrific idea! This info can be gleaned from WHOIS: $ whois roaringpenguin.com ... Record created on 19-Mar-1999. It looks like the granularity i

Re: [Mimedefang] Catching the porn spams

2004-09-09 Thread David F. Skoll
On Thu, 9 Sep 2004, Jeff Rife wrote: > No, because a spammer could buy up 365 domains on Jan 1, then use one > each day. Darn! You're too clever. Not a spammer, are you? :-) -- David.

[Mimedefang] RE: Error

2004-09-09 Thread Mike Carlson
Any ideas on this error? I am going to assume that my portupgrade of the MIME:Tools broke Perl or something. I am on FreeBSD 4.8. Thanks, --Mike From: Mike Carlson Sent: Tue 9/7/2004 5:06 PM To: [EMAIL PROTECTED] Subject: Error I am getting the following error: Sep 7 17:08:54 hades mimed

Re: [Mimedefang] Novice Question

2004-09-09 Thread Jan Pieter Cornet
On Wed, Sep 08, 2004 at 11:42:59AM -0400, Baker, Darryl wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > I have spamassassin, clamav, pyzor, and razor loaded. How do I check > that the mail is being scanned by all of these? Any way of having > MIMEDefang report what it does? You c

Re: [Mimedefang] HTML ok?

2004-09-09 Thread Jan Pieter Cornet
On Wed, Sep 08, 2004 at 08:29:02PM -0600, Ashley M. Kirchner wrote: > >This got lost a while back, so I'm posting again. We have a few > e-mails we'd like to come through as-is, in HTML format. Right now, the > current filter will strip/defang the message, as it does all of them > (and we