You've presented good logic for accepting mail from self to self.
But you haven't explained why using the AWL for mail from self to
self is better than not having it.
On Jun 2, 2008, at 4:02 AM, Jonas Eckerman wrote:
Because it can help discriminate between spam and ham addressed from
self
Jo Rhett wrote:
And considering that SpamAssassin doesn't (in many configurations)
even know what recipient address a message has, it might actually be
easier than having the AWL ignore mail from self-self.
It has to, for the AWL to work.
No, it hasn't. The AWL only uses the *senders*
On May 29, 2008, at 4:18 AM, Jonas Eckerman wrote:
Please do remember that I am in no way trying to stop or hinder you
in implementing your fix. The fact that I have other suggestions
does not mean that I'm opposing you.
Of course. This is normal discussion.
A lot of work to hack around a
Please do remember that I am in no way trying to stop or hinder
you in implementing your fix. The fact that I have other
suggestions does not mean that I'm opposing you.
Jo Rhett wrote:
I don't trust my users in this context.
Nothing I said implied or required trust in your users.
A lot
On May 23, 2008, at 3:45 AM, Jonas Eckerman wrote:
1: Just read it as of when I said your own users I meant the users
of the host in question (the ones you mention above). More
specifically, the users using your host as a MSA (authenticated or
locally).
I don't trust my users in this
Jo Rhett wrote:
Lots of users of this host have Windows PCs,
Another way to do it would be to use different AWLs, or disabling AWL,
for mail from your own users (either authenticated or locally
submitted). This makes a lot of sense to me.
Have no my own users except me ;-) And disabling
Jo Rhett wrote:
I'm not -- my Treo delivers mail directly to my mail server. From
DHCP-assigned addresses all over the world. I enjoy travel ;-)
Then I guess you use authenticated SMTP for that.
The easiest way to handle this probably is to simply avoid
calling SA for authenticated mail.
On May 22, 2008, at 7:29 AM, Jonas Eckerman wrote:
Jo Rhett wrote:
I'm not -- my Treo delivers mail directly to my mail server. From
DHCP-assigned addresses all over the world. I enjoy travel ;-)
Then I guess you use authenticated SMTP for that.
The easiest way to handle this probably is
Jo Rhett wrote:
That's a hack with consequences. Like just disable the firewall.
Uh, no ;-)
Lots of users of this host have Windows PCs, and running SA on all
outbound mail has both alerted them quickly to the problem and avoided
nailing other people with spam and/or virus runs.
Something
On Thu, 22 May 2008, Jo Rhett wrote:
Then I guess you use authenticated SMTP for that.
The easiest way to handle this probably is to simply avoid calling SA for
authenticated mail.
That's a hack with consequences. Like just disable the firewall. Uh, no
;-)
Lots of users of this host
At 13:23 22-05-2008, Dave Funk wrote:
We require our PC users to authenticate when sending and I had
assumed that would stop viruses/trojans. Am I being naive?
No. But it's only one extra step for malware to capture SMTP
authentication information.
Regards,
-sm
On May 22, 2008, at 12:42 PM, Rob McEwen wrote:
First, even if this isn't what you meant, I must set the record
straight... requiring SMTP password-authentication is NOT a hack.
Instead, that is a security feature. I'm not sure if you meant that
differently, but I state this just to be on
On May 22, 2008, at 1:23 PM, Dave Funk wrote:
Lots of users of this host have Windows PCs, and running SA on all
outbound mail has both alerted them quickly to the problem and
avoided nailing other people with spam and/or virus runs.
Genuine curiosity Jo, have you seen instances of
On May 20, 2008, at 1:07 PM, Justin Mason wrote:
1. How does AWL deal with forgery (other than by saving a /16 of the
source IP)
No other way. What's wrong with saving a /16? In my experience it's
worked pretty well for the past few years...
Seems to. I can logically think of ways it
Jo Rhett wrote:
Matt, how can I possibly get you to move past this unfounded
assumption that my trust path is broken and focus on the real
problem? The trust path is not broken, it's just fine.
On May 20, 2008, at 5:47 PM, Matt Kettler wrote:
Ok, then the AWL code is *SEVERELY* bugged.
On 21 May 2008, Jo Rhett stated:
On May 20, 2008, at 1:07 PM, Justin Mason wrote:
2. How can I easily see the AWL database for a given destination
address?
tools/check_whitelist
Where can I find this? It's not in the Mail-SpamAssassin tarfile...
It's in SVN.
--
`If you are having a ua
On May 3, 2008, at 7:59 PM, Matt Kettler wrote:
Have you tried running one of the forged messages, and an actual
legitimate message through SA manually with the -D flag to see
what the trusted and untrusted hosts are, as SA sees it?
Yes. Many times. That's not the point of this thread.
I
Let's focus this on specific technical details:
1. How does AWL deal with forgery (other than by saving a /16 of the
source IP)
2. How can I easily see the AWL database for a given destination
address?
Jo Rhett writes:
Let's focus this on specific technical details:
1. How does AWL deal with forgery (other than by saving a /16 of the
source IP)
No other way. What's wrong with saving a /16? In my experience it's
worked pretty well for the past few years...
2. How can I easily see the
On Tue, May 20, 2008 22:07, Justin Mason wrote:
No other way. What's wrong with saving a /16? In my experience it's
worked pretty well for the past few years...
when mails is from [EMAIL PROTECTED] to [EMAIL PROTECTED] this should kill the
attempt to get negative scores
but positive should
Jo Rhett wrote:
On May 3, 2008, at 7:59 PM, Matt Kettler wrote:
Have you tried running one of the forged messages, and an actual
legitimate message through SA manually with the -D flag to see what
the trusted and untrusted hosts are, as SA sees it?
Yes. Many times. That's not the point of
On Apr 29, 2008, at 7:40 PM, Matt Kettler wrote:
I'm not repeating for the 5th time that there are no trusted
mailservers. Only this host.
That's a contradiction, because this host is a mailserver.
Clearly you have a trusted mailserver.
However, in the interest of moving the discussion
Jo Rhett wrote:
On Apr 29, 2008, at 7:40 PM, Matt Kettler wrote:
I'm not repeating for the 5th time that there are no trusted
mailservers. Only this host.
That's a contradiction, because this host is a mailserver. Clearly
you have a trusted mailserver.
However, in the interest of moving the
On Apr 21, 2008, at 10:01 PM, Theo Van Dinter wrote:
Actually I don't think it's that hard, at least for conversations
on public lists.
Right now it seems to be more work than they bother with. As I've
noted, I read all my spam looking at the latest techniques and I've
never seen this.
On Apr 21, 2008, at 10:46 PM, Bob Proulx wrote:
Jo Rhett wrote:
Bob Proulx wrote:
Who to forge? The answer is Everyone! Any address that can be
You're going out of your way to miss the point. That's hard work
It is you who are missing the point. When spammers generate mail
from and to
On Apr 22, 2008, at 12:06 AM, Matus UHLAR - fantomas wrote:
On 21.04.08 23:46, Bob Proulx wrote:
It is you who are missing the point. When spammers generate mail
from and to every possible combination they will eventually hit a
combination that you will see. The distributed spamming engines
On Apr 23, 2008, at 3:27 PM, Matt Kettler wrote:
How and why? Are you saying I *must* have a 2nd-level MX host for
SA to work? That's not my experience, and 2-layer relays are
backscatter sources. Milter from the local MTA works just fine.
No, you don't need a second-level MX. However,
On Tue, 29 Apr 2008 at 17:53 -0700, [EMAIL PROTECTED] confabulated:
Now please stop arguing that AWL is useless. It works for me. If it doesn't
work for you, then you have no reason to reply on this thread. (not trying
to be rude, but this conversation is pointless)
Works for me too. I
On Tue, 29 Apr 2008 at 17:58 -0700, [EMAIL PROTECTED] confabulated:
I'm not repeating for the 5th time that there are no trusted mailservers.
Only this host.
Correct. On our filter server(s) which are strictly inbound only (nothing
trusted but itself):
# Begin SA Network Settings
Jo Rhett wrote:
On Apr 23, 2008, at 3:27 PM, Matt Kettler wrote:
How and why? Are you saying I *must* have a 2nd-level MX host for
SA to work? That's not my experience, and 2-layer relays are
backscatter sources. Milter from the local MTA works just fine.
No, you don't need a second-level
On Tue, Apr 29, 2008 at 05:51:17PM -0700, Jo Rhett wrote:
Do you have the same lhs? At least one of the botnets tries to match
lhs for the forged sender. A few of my messages came from my other
accounts, many others (in the same spam run) came from people I
didn't know with the same
Jo Rhett wrote:
Matt Kettler wrote:
There's nothing in trusted networks, I don't trust anything...
Jo, that's impossible in spamassassin. You cannot have an empty trust,
it doesn't make any logical sense, and would cause spamassassin to
fail miserably.
I should rather have said trust is
Jo Rhett wrote:
Bob Proulx wrote:
Who to forge? The answer is Everyone! Any address that can be
You're going out of your way to miss the point. That's hard work
On 21.04.08 23:46, Bob Proulx wrote:
It is you who are missing the point. When spammers generate mail
from and to every
Matt Kettler wrote:
There's
nothing in trusted networks, I don't trust anything...
Jo, that's impossible in spamassassin. You cannot have an empty trust, it
doesn't make any logical sense, and would cause spamassassin to fail
miserably.
I should rather have said trust is only localhost.
If
John Hardin wrote:
I'm only suggesting bypassing SA for mail that originates on the local
network and is destined to the local network.
No. I don't trust every user who can authenticate to this host to run
active anti-virus on their hosts. I scan all mail, everywhere.
And again, this
Bob Proulx wrote:
Who to forge? The answer is Everyone! Any address that can be
obtained from a spam-virus infected PC and any address that can be
harvested from a web page. Forge them all. They are (mostly) valid
email addresses and will pass sender verification. Send To: and From:
all of
Justin Mason wrote:
hmm, I'm not sure. It depends on your trusted_networks setting.
try running spamassassin -D and see what it logs...
I'm sorry -- feeling dense, how is this supposed to help? From the
headers quoted below you know what spamassassin is seeing. There's
nothing in
On Mon, Apr 21, 2008 at 09:56:39PM -0700, Jo Rhett wrote:
Yes, a spammer can forge anyone. Can they forge the exact e-mail
addresses used by people I correspond with regularly? Not in my
experience. Can they forge my e-mail to me? Easily.
Actually I don't think it's that hard, at least
Jo Rhett wrote:
Bob Proulx wrote:
Who to forge? The answer is Everyone! Any address that can be
You're going out of your way to miss the point. That's hard work
It is you who are missing the point. When spammers generate mail
from and to every possible combination they will eventually
Jo Rhett writes:
On Apr 1, 2008, at 3:14 PM, Justin Mason wrote:
Sorry, I don't have the original messages any more. (I looked) But it
wouldn't surprise me if the /16 matched. The mail I send myself is
usually from Wifi or my phone carrier's GSM network, but accepted via
SMTP AUTH on the
Jo Rhett wrote:
On Apr 1, 2008, at 3:14 PM, Justin Mason wrote:
Sorry, I don't have the original messages any more. (I looked) But it
wouldn't surprise me if the /16 matched. The mail I send myself is
usually from Wifi or my phone carrier's GSM network, but accepted via
SMTP AUTH on the local
On Thu, April 3, 2008 05:33, Bob Proulx wrote:
Who to forge? The answer is Everyone! Any address that can be
obtained from a spam-virus infected PC and any address that can be
harvested from a web page. Forge them all.
yes a big problem without spf
They are (mostly) valid email
On Apr 1, 2008, at 3:00 PM, Bob Proulx wrote:
I have never been fond of AWL because the information it relies upon,
the mail headers, is very easy to forge. It depends too much upon
Yes, but they have to know who to forge. Anyway, I'm not debating
its merits. It works very, very well in
On Apr 1, 2008, at 3:14 PM, Justin Mason wrote:
Sorry, I don't have the original messages any more. (I looked) But it
wouldn't surprise me if the /16 matched. The mail I send myself is
usually from Wifi or my phone carrier's GSM network, but accepted via
SMTP AUTH on the local machine. So which
I'm not worried about mail from self to self. I'm annoying because
AWL is decreasing forged spam score so far that the SPF failure
doesn't catch.
On Apr 1, 2008, at 3:14 PM, Benny Pedersen wrote:
INSERT INTO `awl` VALUES('amavis', '[EMAIL PROTECTED]', '80.166', 4, -14,
'2008-04-02 00:02:15');
On Apr 1, 2008, at 4:03 PM, John Hardin wrote:
If you don't scan mails that you know originated from you, then
they won't affect AWL for a forged message...
Sorry, I'm not going to disable virus and bot protection just to
avoid a mis-feature in another module.
The right answer is a fix in
On Apr 1, 2008, at 5:46 PM, Benny Pedersen wrote:
What I am pointing out is that AWL should not be used for
mail from self to self, because this is an easy forgery.
explain why it's a problem when awl logs ip
AWL counts on the spammer not being able to forge someone you
correspond
with
On Wed, 2 Apr 2008, Jo Rhett wrote:
On Apr 1, 2008, at 4:03 PM, John Hardin wrote:
If you don't scan mails that you know originated from you, then
they won't affect AWL for a forged message...
Sorry, I'm not going to disable virus and bot protection just to avoid a
mis-feature in another
Jo Rhett wrote:
Bob Proulx wrote:
I disagree with the premise that it is hard to forge mail from someone
you correspond with frequently. It is equally easy to forge.
Easy to forge, but who to forge? Hard for a spammer to know who I
correspond with frequently. Myself is the only one a
On Mar 28, 2008, at 6:21 PM, Theo Van Dinter wrote:
On Fri, Mar 28, 2008 at 06:09:03PM -0700, Jo Rhett wrote:
I think that mail from self to self should be ignored by the AWL.
(it's harder to forge mail from a regular correspondent, so this
makes AWL more useful)
If you know the mail is from
Benn, you are missing the point. AWL is working very well for our
needs. What I am pointing out is that AWL should not be used for
mail from self to self, because this is an easy forgery. AWL counts
on the spammer not being able to forge someone you correspond with
normally. This is
On Mar 29, 2008, at 3:21 AM, Justin Mason wrote:
the AWL is keyed on email address and /16 of the sending IP
address, so this may warrant more investigation. could you post the Received hdrs
from the spam that hit the AWL, and a ham that properly hits the AWL?
I still believe that self-self
Jo Rhett wrote:
Benn, you are missing the point. AWL is working very well for our
needs.
I have never been fond of AWL because the information it relies upon,
the mail headers, is very easy to forge. It depends too much upon
trusting the sender. And in the case of spam that trust model is
Jo Rhett writes:
On Mar 29, 2008, at 3:21 AM, Justin Mason wrote:
the AWL is keyed on email address and /16 of the sending IP
address, so this may warrant more investigation. could you post the Received hdrs
from the spam that hit the AWL, and a ham that properly hits the AWL?
I
On Tue, April 1, 2008 21:43, Jo Rhett wrote:
On Mar 28, 2008, at 6:21 PM, Theo Van Dinter wrote:
On Fri, Mar 28, 2008 at 06:09:03PM -0700, Jo Rhett wrote:
I think that mail from self to self should be ignored by the AWL.
(it's harder to forge mail from a regular correspondent, so this
makes
On Tue, 1 Apr 2008, Jo Rhett wrote:
On Mar 28, 2008, at 6:21 PM, Theo Van Dinter wrote:
On Fri, Mar 28, 2008 at 06:09:03PM -0700, Jo Rhett wrote:
I think that mail from self to self should be ignored by the AWL.
(it's harder to forge mail from a regular correspondent, so this
makes AWL
On Tue, April 1, 2008 21:45, Jo Rhett wrote:
Benn, you are missing the point. AWL is working very well for our
needs.
good
What I am pointing out is that AWL should not be used for
mail from self to self, because this is an easy forgery.
explain why it's a problem when awl logs ip
AWL
Jo Rhett writes:
I send myself a lot of email from my phone. So AWL properly scores
me well.
I just got a piece of SPAM which should have scored 12.something that
got a -6 from the AWL.
I think that mail from self to self should be ignored by the AWL.
(it's harder to forge mail
I send myself a lot of email from my phone. So AWL properly scores
me well.
I just got a piece of SPAM which should have scored 12.something that
got a -6 from the AWL.
I think that mail from self to self should be ignored by the AWL.
(it's harder to forge mail from a regular
On Fri, Mar 28, 2008 at 06:09:03PM -0700, Jo Rhett wrote:
I think that mail from self to self should be ignored by the AWL.
(it's harder to forge mail from a regular correspondent, so this
makes AWL more useful)
If you know the mail is from you, don't waste the resources scanning the
On Sat, March 29, 2008 02:09, Jo Rhett wrote:
I send myself a lot of email from my phone. So AWL properly scores
me well.
and the sender ip with a fuss of /16
I just got a piece of SPAM which should have scored 12.something that
got a -6 from the AWL.
ok
I think that mail from self to