Posted to users@spamassassin.apache.org by Scott Blomquist <sc...@innertraditions.com> on 2004/07/09 18:12:18 UTC

These slimy B*%$^&ds are forging whitelist_from_rcvd

Just in today. I only have Whitelist_from_rcvd entries in my local.cf.
This one hit on that rule. Damn...now what.
/header paste
Return-Path: <MY...@parkstpress.com>
Received: from 216.114.128.66 ([221.127.165.47])
	by babyblue-eth1.parkstpress.com (8.10.2/8.10.2) with SMTP id i69ACHo02440;
	Fri, 9 Jul 2004 06:12:17 -0400
X-Message-Info: 311I1VCl443hDzX704RUW0iDAFjvH8
Received: from y-0-3-84-1.VZXXHO34.MYUSER@parkstpress.com 
([208.236.71.0]) by xxek85-kjf25.MYUSER@parkstpress.com with Microsoft 
SMTPSVC(5.0.3550.1784);
	 Sat, 10 Jul 2004 09:08:40 -0100
Message-ID: <99...@parkstpress.com>
X-Originating-IP: [81.250.232.92]
X-Originating-Email: [MYUSER@parkstpress.com]
X-Sender: MYUSER@parkstpress.com
Reply-To: "Clara Call" <MY...@parkstpress.com>
From: "Clara Call" <MY...@parkstpress.com>
To: "Dawn" <MY...@parkstpress.com>
Subject: Hi MYUSER
Date: Sat, 10 Jul 2004 07:12:40 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--289992752399318"
X-Spam-Status: No, hits=-83.3 required=5.0
	tests=BAYES_90,DRUGS_ANXIETY,DRUGS_ANXIETY_OBFU,DRUGS_DEPRESSION,
	      DRUGS_DIET,DRUGS_DIET_PAIN,DRUGS_MANYKINDS,DRUGS_MUSCLE,
	      DRUGS_PAIN,DRUGS_PAIN_OBFU,J_CHICKENPOX_13,J_CHICKENPOX_24,
	      J_CHICKENPOX_26,SARE_BOUNDARY_07,SARE_HEAD_SPAM,
	      SARE_MSGID_CHAR_2AT,SARE_RECV_IP_221124,SARE_RECV_SUSP_3,
	      USER_IN_WHITELIST
	version=2.53
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
-- 
     Scott V. Blomquist,A-SA-CN-NRK    TINLC(tm)  #2598
           ITI/Bear&Co    Rochester, VT
     802-767-3174(v)           802-767-3726(f)
"Any technology sufficiently advanced is indistinguishable from Magic."
                                                  A. C. Clarke


Re: Discarding spam based on score range

Posted by Tim Litwiller <ti...@litwiller.net>.
put this in your /etc/mail/spamassassin/local.cf
add_header all Level _STARS(*)_


then put this in your procmail
# Delete Blatant Spam
:0 H:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*
/dev/null





Craig Mayers wrote:

>Hi all, I am de-lurking to ask a question that has probably been asked
>before (forgive me).
>
>Is there a procmail recipe that can be crafted to forward any mail with a
>spam score above a certain threshold to /dev/null (or elsewhere)?  For
>example, anything over 15 is not likely to be an FP for us.  Would procmail
>be able to read the spam score header that gets added when SA runs and make
>a determination based on it?  If so, what syntax would we use?
>
>If this exists on the Wiki site, or elsewhere, I'd appreciate a point in the
>right direction.  Thanks in advance, this is a great group.  I'm only sorry
>I didn't discover it earlier, I'm sure our initial implementation would have
>gone much smoother!  8-)
>
>Thanks!
>
>Craig Mayers
>5DollarHosting.com
>
>
>  
>



Re: Discarding spam based on score range

Posted by John Fleming <jo...@wa9als.com>.
This recipe should delete only those scoring 8 or higher in procmail:
 :0
 * ^X-Spam-Level: \*\*\*\*\*\*\*\*
 /dev/null

From:
http://www.exit0.us/index.php/So%20you%20want%20to%20'delete'%20all%20your%20spam!

----- Original Message -----
From: "Craig Mayers" <sa...@5dollarhosting.com>
To: <sp...@incubator.apache.org>
Sent: Friday, July 09, 2004 2:14 PM
Subject: Discarding spam based on score range


> Hi all, I am de-lurking to ask a question that has probably been asked
> before (forgive me).
>
> Is there a procmail recipe that can be crafted to forward any mail with a
> spam score above a certain threshold to /dev/null (or elsewhere)?  For
> example, anything over 15 is not likely to be an FP for us.  Would procmail
> be able to read the spam score header that gets added when SA runs and make
> a determination based on it?  If so, what syntax would we use?
>
> If this exists on the Wiki site, or elsewhere, I'd appreciate a point in the
> right direction.  Thanks in advance, this is a great group.  I'm only sorry
> I didn't discover it earlier, I'm sure our initial implementation would have
> gone much smoother!  8-)
>
> Thanks!
>
> Craig Mayers
> 5DollarHosting.com



Discarding spam based on score range

Posted by Craig Mayers <sa...@5dollarhosting.com>.
Hi all, I am de-lurking to ask a question that has probably been asked
before (forgive me).

Is there a procmail recipe that can be crafted to forward any mail with a
spam score above a certain threshold to /dev/null (or elsewhere)?  For
example, anything over 15 is not likely to be an FP for us.  Would procmail
be able to read the spam score header that gets added when SA runs and make
a determination based on it?  If so, what syntax would we use?

If this exists on the Wiki site, or elsewhere, I'd appreciate a point in the
right direction.  Thanks in advance, this is a great group.  I'm only sorry
I didn't discover it earlier, I'm sure our initial implementation would have
gone much smoother!  8-)

Thanks!

Craig Mayers
5DollarHosting.com



Re: These slimy B*%$^&ds are forging whitelist_from_rcvd

Posted by Matt Kettler <mk...@evi-inc.com>.
At 01:23 PM 7/9/2004, Duncan Hill wrote:
>Why does your mail server let other people claim to be it?  That's just asking
>for abuse.  I don't have exact stats, but every time I look in my logs, I see
>hundreds of lines of rejects where remote nodes have said HELO with my IP
>address.  HELO is meant to identify the remote end, not me.

Bah, doesn't matter.. SA ignores the HELO part of the Received: headers in 
current versions of SA.. The poster's problem is entirely due to lack of 
update (the poster is using SA 2.53).

Of course, one could argue that SA problems aside it would be beneficial to 
block anyone trying to HELO as your own IP or hostname since they are 
obviously spammers or broken, but that's not really the root cause of his 
problems.

2.53 is vulnerable to a wide variety of forgery tricks that fool 
whitelist_from_rcvd, even the default ones like ebay are forgeable to it 
under the right circumstances.


Re: These slimy B*%$^&ds are forging whitelist_from_rcvd

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Friday 09 July 2004 17:12, Scott Blomquist wrote:
> Received: from 216.114.128.66 ([221.127.165.47])
>         by babyblue-eth1.parkstpress.com (8.10.2/8.10.2) with SMTP id
> i69ACHo02440; Fri, 9 Jul 2004 06:12:17 -0400

Let's see...

Ahh, 216.x.x.x is you.

Why does your mail server let other people claim to be it?  That's just asking 
for abuse.  I don't have exact stats, but every time I look in my logs, I see 
hundreds of lines of rejects where remote nodes have said HELO with my IP 
address.  HELO is meant to identify the remote end, not me.
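
Added example (not part of any post in this thread): a Python sketch of the check discussed in these replies, flagging a message when the newest Received header, the one written by the receiving MTA, shows a peer outside the site's networks announcing the site's own IP or hostname in HELO. OUR_NETS and OUR_DOMAINS are assumptions based on the pasted header and on the remark above that 216.x.x.x is the poster's address.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumptions: what counts as "ours". The IP is the HELO string from the pasted
# header; the /32 scope and the domain suffix are illustrative choices.
OUR_NETS = [ip_network("216.114.128.66/32")]
OUR_DOMAINS = ("parkstpress.com",)

# sendmail-style trace: "from HELO (rdns [ip])" or "from HELO ([ip])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)

def is_ours_ip(text):
    try:
        addr = ip_address(text.strip("[]"))
    except ValueError:
        return False  # not an IP literal
    return any(addr in net for net in OUR_NETS)

def helo_claims_us(helo):
    h = helo.lower().rstrip(".")
    return is_ours_ip(h) or any(h == d or h.endswith("." + d) for d in OUR_DOMAINS)

def forged_self_helo(raw_message):
    """True if the newest Received header (the only one our own MTA wrote) shows
    a peer outside our networks using one of our IPs or hostnames as HELO."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return False
    m = RECEIVED_RE.search(" ".join(received[0].split()))  # unfold the header
    if not m:
        return False
    return helo_claims_us(m.group("helo")) and not is_ours_ip(m.group("ip"))

# SPAM is the top Received header pasted in this thread; BENIGN is constructed.
SPAM = ("Received: from 216.114.128.66 ([221.127.165.47])\n"
        "\tby babyblue-eth1.parkstpress.com (8.10.2/8.10.2) with SMTP id i69ACHo02440;\n"
        "\tFri, 9 Jul 2004 06:12:17 -0400\n"
        "Subject: Hi MYUSER\n\nbody\n")
BENIGN = ("Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
          "\tby babyblue-eth1.parkstpress.com with SMTP id constructed1;\n"
          "\tFri, 9 Jul 2004 06:12:17 -0400\n"
          "Subject: hello\n\nbody\n")

if __name__ == "__main__":
    print(forged_self_helo(SPAM), forged_self_helo(BENIGN))
```

Only the topmost Received header is evaluated because every header below it was supplied by the sender and can be forged freely.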

Re: These slimy B*%$^&ds are forging whitelist_from_rcvd

Posted by Matt Kettler <mk...@evi-inc.com>.
At 12:12 PM 7/9/2004, Scott Blomquist wrote:
>Just in today. I only have Whitelist_from_rcvd entries in my local.cf.
>This one hit on that rule. Damn...now what.
>/header paste



>X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)



Upgrade to a RECENT version of SpamAssassin. This bug was fixed AGES ago 
with the release of 2.60. (Your version is over a year old!)

http://bugzilla.spamassassin.org/show_bug.cgi?id=846
http://bugzilla.spamassassin.org/show_bug.cgi?id=1543