Posted to users@spamassassin.apache.org by Jeff Drury <in...@impactps.com> on 2009/06/18 20:26:29 UTC
Spoofed Email
SA is working for the most part beyond expectations, the only problem I'm
having is filtering spoofed email address (i.e. Valid_user@ourdomain.com). I
am able to filter out non-valid user addresses (i.e. spammer@ourdomain.com).
I run SA-Update daily, have piped well over 500 of these messages through
sa-learn, yet they still come through. I know this is a generic outline of
the problem, but it's a start, if you need more info I can send it.
-Jeff
Server Specs:
Mac OSX Server 10.5.7
SA 3.2.1
Perl 5.8.8
Postfix 2.4.3
Amavisd 2.5.1
Re: Spoofed Email
Posted by Michelle Konzack <li...@tamay-dogan.net>.
On 2009-06-18 11:26:29, Jeff Drury wrote:
> SA is working for the most part beyond expectations, the only problem I'm
> having is filtering spoofed email address (i.e. Valid_user@ourdomain.com). I
> am able to filter out non-valid user addresses (i.e. spammer@ourdomain.com).
WHY DOES YOUR MAILSERVER ACCEPT SUCH MESSAGES?
currently I am hit by more than 1.450.000 per day and they are
rejected on SMTP level. If I filtered this crap with spamassassin I
would need a "Sun Enterprise T5240" with all 4 CPUs and
maximum memory.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: Spoofed Email
Posted by Rick Macdougall <ri...@ummm-beer.com>.
Benny Pedersen wrote:
> On Thu, June 18, 2009 20:36, Rick Macdougall wrote:
>> I'd recommend upgrading to the latest version (3.2.5) and running
>> sa-update to get the latest rules.
>
> how will this help with the spoofed mail problem?
>
The improved rules should help catch them.
Rick
Re: Spoofed Email
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 18, 2009 20:36, Rick Macdougall wrote:
> I'd recommend upgrading to the latest version (3.2.5) and running
> sa-update to get the latest rules.
how will this help with the spoofed mail problem?
--
xpoint
Re: Spoofed Email
Posted by Rick Macdougall <ri...@ummm-beer.com>.
Jeff Drury wrote:
> SA is working for the most part beyond expectations, the only problem
> I’m having is filtering spoofed email address (i.e.
> Valid_user@ourdomain.com). I am able to filter out non-valid user
> addresses (i.e. spammer@ourdomain.com). I run SA-Update daily, have
> piped well over 500 of these messages through sa-learn, yet they still
> come through. I know this is a generic outline of the problem, but it’s
> a start, if you need more info I can send it.
>
> -Jeff
>
>
>
> Server Specs:
> Mac OSX Server 10.5.7
> SA 3.2.1
SA 3.2.1 is a very old version.
I'd recommend upgrading to the latest version (3.2.5) and running
sa-update to get the latest rules.
Regards,
Rick
Re: Spoofed Email
Posted by Michelle Konzack <li...@tamay-dogan.net>.
Invalid Message-ID:
> Message-ID: <LVBSQCQHEKCZPO.NUKHYYIVQHOZNFT25042911437@[78.30.163.198]>
I use courierfilter to drop such "Message-ID:"
and the message will never see my system.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
Re: Spoofed Email
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 18, 2009 23:33, Jeff Drury wrote:
> No errors... The only error I ever received had to do with rewriting the
> subject which was unimportant to me so I commented it out, other than that
> no errors
stop sending me mail in private about things you ask about in public
I'd still like to see the pastebin
>> spamassassin 2>&1 -D -t msgtotest | less
--
xpoint
Re: Spoofed Email
Posted by Jeff Drury <in...@impactps.com>.
No errors... The only error I ever received had to do with rewriting the
subject which was unimportant to me so I commented it out, other than that
no errors
On 6/18/09 2:00 PM, "Benny Pedersen" <me...@junc.org> wrote:
>
> On Thu, June 18, 2009 22:33, Jeff Drury wrote:
>> They don't appear to be scored at all (see attached header)
>
> test:
>
> spamassassin 2>&1 -D --lint
>
> any errors here ?
>
> spamassassin 2>&1 -D -t msgtotest | less
>
> press s in the less output and post on pastebin
>
> I believe you are missing envelope_sender_header in local.cf, if I remember it right
>
> envelope_sender_header Return-Path
please consider the environment before printing this e-mail
Life is not measured by the number of breaths we take, but by the
moments that take our breath away.
- George Carlin
Jeff Drury
_________________________________________________
p 602.264.2914
f 602.263-5240
e info@impactps.com
This message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply E-mail, and destroy all copies
of the original message.
Re: Spoofed Email
Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 19, 2009 01:22, Jeff Drury wrote:
> http://pastebin.ca/1465504
#
[49973] dbg: spf: cannot get Envelope-From, cannot use SPF
#
[49973] dbg: spf: def_spf_whitelist_from: could not find useable envelope
sender
#
[49973] dbg: spf: already checked for Received-SPF headers, proceeding
with DNS based checks
this is your problem
>> envelope_sender_header Return-Path
add the above line to local.cf
perldoc Mail::SpamAssassin::Conf for more info
perldoc Mail::SpamAssassin::Plugin::SPF
I don't have your SA version here so I can't help more specifically on this
--
xpoint
Re: Spoofed Email
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 19 Jun 2009, Benny Pedersen wrote:
> On Fri, June 19, 2009 04:09, David B Funk wrote:
> > The last 3 you can install using CPAN, Razor2 has to be explicitly fetched,
> > installed and configured (but is worth it).
>
> never use CPAN directly on a host that uses RPM/DEB/PORTAGE/BSD
>
> making a native RPM/DEB/PORTAGE/BSD package from CPAN is the way to go; if your
> distro is way behind, something is missing in spamassassin :)
The OP said he's running Mac OS X, which is why I recommended CPAN.
Theoretically you -could- make up a Mac OS X .mpkg package but that's
way beyond the scope of ordinary users & this list.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Spoofed Email
Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 19, 2009 04:09, David B Funk wrote:
> The last 3 you can install using CPAN, Razor2 has to be explicitly fetched,
> installed and configured (but is worth it).
never use CPAN directly on a host that uses RPM/DEB/PORTAGE/BSD
making a native RPM/DEB/PORTAGE/BSD package from CPAN is the way to go; if your
distro is way behind, something is missing in spamassassin :)
--
xpoint
Re: Spoofed Email
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 18 Jun 2009, Jeff Drury wrote:
> http://pastebin.ca/1465504
>
>
> On 6/18/09 2:00 PM, "Benny Pedersen" <me...@junc.org> wrote:
>
>>
>> On Thu, June 18, 2009 22:33, Jeff Drury wrote:
>>> They don't appear to be scored at all (see attached header)
>>
>> test:
>>
>> spamassassin 2>&1 -D --lint
>>
>> any errors here ?
>>
>> spamassassin 2>&1 -D -t msgtotest | less
>>
>> press s in the less output and post on pastebin
>>
>> I believe you are missing envelope_sender_header in local.cf, if I remember it right
>>
>> envelope_sender_header Return-Path
Jeff,
Looking at your pastebin posting, noticed a few things.
1)
You mistyped the command that Benny wanted you to run:
"spamassassin 2>&1 -D -t msgtotest | less"
Note that the second part is '2>&1', not '2>&l': that 4th character
is the digit 1, not the lowercase letter l.
However it would be even better to use the following test:
save an example spam into a file (complete with full headers)
(call that file spam_example ).
Now run the command:
spamassassin -D -t < spam_example > spam_example_results.txt 2>&1
Note that the order of those command parts is important and the last
two characters on that line are "ampersand" "digit-1"
This will run spamassassin in debug mode, processing your saved spam
example and put all the output into the file spam_example_results.txt
which you can then view via "less" (or your favorite text file reader).
2) Your spamassassin install is missing a few optional Perl modules
which spamassassin can use to run additional tests:
Razor2::Client
Mail::DKIM
Encode::Detect
IP::Country
The last 3 you can install using CPAN, Razor2 has to be explicitly fetched,
installed and configured (but is worth it).
John Rudd's "BOTNET" is also worth fetching & installing but watch it
for FPs, you'll probably want to adjust its scoring.
3) It doesn't look like the RBL/DNSBL tests are working for you.
In that first spam example you posted the headers from, the IP address
of the machine that handed the message to your mail server hit several
DNS based tests that I use (bl.spamcop.net, cbl.abuseat.org,
zen.spamhaus.net).
Find out why your DNS tests aren't working. They & BOTNET often hit spams
from spam-bots.
4) Once you've got SPF working, you can create a custom rule that looks
for your domain in the From address, combined with SPF-fail result into
a meta-rule which adds points for a detected forgery of your address.
I know this sounds like a bunch of work, but when completed the results
should be worth it. ;)
Dave
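Benny's `envelope_sender_header` fix and Dave's item 4 fit together in one local.cf fragment. What follows is an added example, not configuration posted by anyone in the thread: `ourdomain.com`, the `192.0.2.10` MX address, the `LOCAL_` rule names and the scores are placeholders to adapt; `From:addr`, `meta`, `whitelist_from_spf` and the `SPF_FAIL`/`SPF_SOFTFAIL` rule names are what SpamAssassin 3.2's configuration language and SPF plugin provide.

```conf
# local.cf additions (added example; ourdomain.com, 192.0.2.10, the LOCAL_
# rule names and the scores are placeholders)

# Tell the SPF plugin which header carries the envelope sender.  Without
# this the debug log shows "spf: cannot get Envelope-From, cannot use SPF"
# and no SPF_* rule can ever fire, so no SPF-based meta rule can either.
envelope_sender_header Return-Path

# SPF is evaluated against the first *untrusted* relay.  Behind amavisd
# the last Received: hops are 127.0.0.1, so SA must know which hops are
# ours or it will test the wrong IP.  Replace 192.0.2.10 with your MX.
trusted_networks 127.0.0.1 192.0.2.10

# Sub-rule (leading __ means it has no score of its own):
# the From: header address claims to be in our domain.
header   __LOCAL_FROM_OURDOMAIN  From:addr =~ /\@ourdomain\.com$/i

# Forgery: claims our domain, but the sending host is not authorised by
# our SPF record.  Only meaningful once the domain publishes an SPF
# record ending in -all or ~all; with ?all or no record this never fires.
meta     LOCAL_FORGED_OURDOMAIN  (__LOCAL_FROM_OURDOMAIN && (SPF_FAIL || SPF_SOFTFAIL))
describe LOCAL_FORGED_OURDOMAIN  From: is our domain but SPF fails for the sending host
score    LOCAL_FORGED_OURDOMAIN  5.0

# Do not let a whitelist undo the above.  whitelist_from matches on the
# address alone (John's warning); the SPF-gated form is the safe one.
# whitelist_from      *@ourdomain.com   <- do NOT do this
whitelist_from_spf  *@ourdomain.com
```

To verify, run Dave's test (`spamassassin -D -t < spam_example > spam_example_results.txt 2>&1`) on the saved sample and look for `spf:` lines that now report a result instead of "cannot get Envelope-From", and for `LOCAL_FORGED_OURDOMAIN` in the rule hits at the end of the report. Two caveats a practitioner will want: the rule scores the From: header, so a spammer who puts your domain only in the envelope sender is caught by SPF_FAIL alone but not by this meta rule, and your own users who send through a third-party relay you forgot to list in the SPF record will hit it too, which is why the score is left well below the spam threshold rather than set to 100.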
Re: Spoofed Email
Posted by Jeff Drury <in...@impactps.com>.
http://pastebin.ca/1465504
On 6/18/09 2:00 PM, "Benny Pedersen" <me...@junc.org> wrote:
>
> On Thu, June 18, 2009 22:33, Jeff Drury wrote:
>> They don't appear to be scored at all (see attached header)
>
> test:
>
> spamassassin 2>&1 -D --lint
>
> any errors here ?
>
> spamassassin 2>&1 -D -t msgtotest | less
>
> press s in the less output and post on pastebin
>
> I believe you are missing envelope_sender_header in local.cf, if I remember it right
>
> envelope_sender_header Return-Path
Re: Spoofed Email
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 18, 2009 22:33, Jeff Drury wrote:
> They don't appear to be scored at all (see attached header)
test:
spamassassin 2>&1 -D --lint
any errors here ?
spamassassin 2>&1 -D -t msgtotest | less
press s in the less output and post on pastebin
I believe you are missing envelope_sender_header in local.cf, if I remember it right
envelope_sender_header Return-Path
--
xpoint
Re: Spoofed Email
Posted by Jeff Drury <in...@impactps.com>.
They don't appear to be scored at all (see attached header)
Return-Path: <in...@impactps.com>
Received: from murder ([unix socket])
by impactps.com (Cyrus v2.3.8-OS X Server 10.5: 9C31) with LMTPA;
Thu, 18 Jun 2009 12:28:22 -0700
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
by impactps.com (Postfix) with ESMTP id CA1EE16DD83A
for <in...@impactps.com>; Thu, 18 Jun 2009 12:28:22 -0700 (MST)
Received: from impactps.com ([127.0.0.1])
by localhost (impactps.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id VhO7fJORAYkP for <in...@impactps.com>;
Thu, 18 Jun 2009 12:28:19 -0700 (MST)
Received: from [78.30.163.198] (dynamic-78-30-163-198.adsl.eunet.rs
[78.30.163.198])
by impactps.com (Postfix) with ESMTP id 8C4BA16DD833
for <in...@impactps.com>; Thu, 18 Jun 2009 12:28:17 -0700 (MST)
From: "Selena Uzox" <in...@impactps.com>
To: info@impactps.com
Subject: Scanned your photos
Date: Thu, 18 Jun 2009 21:28:04 +0200
Message-ID: <LVBSQCQHEKCZPO.NUKHYYIVQHOZNFT25042911437@[78.30.163.198]>
MIME-version: 1.0
Content-type: text/html; charset="iso-8859-1"
On 6/18/09 12:02 PM, "John Hardin" <jh...@impsec.org> wrote:
> On Thu, 18 Jun 2009, Jeff Drury wrote:
>
>> SA is working for the most part beyond expectations, the only problem
>> I'm having is filtering spoofed email address (i.e.
>> Valid_user@ourdomain.com). I am able to filter out non-valid user
>> addresses (i.e. spammer@ourdomain.com). I run SA-Update daily, have
>> piped well over 500 of these messages through sa-learn, yet they still
>> come through. I know this is a generic outline of the problem, but it's
>> a start, if you need more info I can send it.
>
> Are the spoofed address in the sender address or the recipient address?
>
> Are these messages hitting a whitelist and getting large negative scores?
> Have you used "whitelist_from" anywhere in your configs? You probably
> don't want to do that.
>
> Benny suggested SPF; setting up an SPF record will (apparently) reduce
> (but not eliminate) the attempts to send spam using forged addresses from
> your domain, and will allow you to filter forged sender addresses from
> your domain by verifying the message matches the claimed domain's SPF
> information. There are other ways to do this; for example, I use
> milter-regex.
>
> There may be still other ways to say "a sender domain of X should be
> rejected if it comes from the internet", but I am not a postfix guru.
Re: Spoofed Email
Posted by John Hardin <jh...@impsec.org>.
On Thu, 18 Jun 2009, Jeff Drury wrote:
> SA is working for the most part beyond expectations, the only problem
> I'm having is filtering spoofed email address (i.e.
> Valid_user@ourdomain.com). I am able to filter out non-valid user
> addresses (i.e. spammer@ourdomain.com). I run SA-Update daily, have
> piped well over 500 of these messages through sa-learn, yet they still
> come through. I know this is a generic outline of the problem, but it's
> a start, if you need more info I can send it.
Are the spoofed address in the sender address or the recipient address?
Are these messages hitting a whitelist and getting large negative scores?
Have you used "whitelist_from" anywhere in your configs? You probably
don't want to do that.
Benny suggested SPF; setting up an SPF record will (apparently) reduce
(but not eliminate) the attempts to send spam using forged addresses from
your domain, and will allow you to filter forged sender addresses from
your domain by verifying the message matches the claimed domain's SPF
information. There are other ways to do this; for example, I use
milter-regex.
There may be still other ways to say "a sender domain of X should be
rejected if it comes from the internet", but I am not a postfix guru.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Politicians never accuse you of "greed" for wanting other people's
money, only for wanting to keep your own money. -- Joseph Sobran
-----------------------------------------------------------------------
Today: SWMBO's Birthday
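John's closing question ("a sender domain of X should be rejected if it comes from the internet") and Michelle's point about rejecting at SMTP time rather than paying for a SpamAssassin scan have a standard Postfix answer: a check_sender_access map, evaluated only after the rules that admit your own clients. This is an added example, not configuration from anyone in the thread; `ourdomain.com`, the map path and the reject text are placeholders, and the restriction names are Postfix's own.

```conf
# /etc/postfix/main.cf  (added example; ourdomain.com, the map path and the
# reject text are placeholders)
#
# Order matters.  The two permit_* rules must come before the access map,
# or your own users (LAN clients via mynetworks, road warriors via SASL)
# would be rejected for using their own address.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

# /etc/postfix/sender_access  -- run "postmap /etc/postfix/sender_access"
# after every edit.  A bare domain key matches any user@ourdomain.com and,
# with the default parent_domain_matches_subdomains, its subdomains too.
# Put an OK line for any outside service that legitimately sends as your
# domain (a hosted newsletter, a web host's contact form) ABOVE the REJECT.
ourdomain.com   REJECT our domain does not send mail from the Internet
```

Check the lookup before reloading with `postmap -q ourdomain.com hash:/etc/postfix/sender_access`, which should print the REJECT text, then `postfix reload`. Two things to keep in mind: the map checks the SMTP envelope sender (MAIL FROM), which is why it catches Jeff's sample (Return-Path: <in...@impactps.com>) but not a bot that uses a foreign envelope sender and forges only the From: header, and because smtpd_delay_reject defaults to yes the rejection is reported at RCPT TO rather than at MAIL FROM, which is what you will see in the log. Header-level forgery with a foreign envelope is the case that still needs SPF or a SpamAssassin meta rule behind the MTA.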
Re: Spoofed Email
Posted by Brandon Champion <br...@amba.info>.
Configuring postfix well is extremely effective. For all the time I've
invested trying to minimize the spam that reaches my company's users, that
single web page has helped more than anything else I've done.
Postfix should be your first line of defense. SpamAssassin is usually your
second and second-line defenders always have the harder job, so make it
easier by having a good first-line defense.
spamsux wrote:
>
> Has this caught spoofed mail? On an average day I successfully filter
> approx
> 10k junk mail messages, only about 5-10 make it through for the entire
> organization, of these our individual mail programs filter these as
> junk...
> I guess many would find this acceptable, but to me no spam is my target
>
>
> On 6/19/09 8:47 AM, "Brandon Champion" <br...@amba.info> wrote:
>
>>
>> I highly recommend using Postfix to prevent some of this from even
>> getting
>> through to SpamAssassin to begin with.
>> This was the most helpful page for me. I've modified things to suit my
>> own
>> needs, of course. The results have been stellar. SpamAssassin barely does
>> any work now.
>>
>> http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
>
>
Re: Spoofed Email
Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 19, 2009 18:18, Jeff Drury wrote:
> I guess many would find this acceptable, but to me no spam is my target
no, it won't stop users sending HTML and images to mailing lists, but it would
be nice if it did :)
--
xpoint
Re: Spoofed Email
Posted by Jeff Drury <in...@impactps.com>.
Has this caught spoofed mail? On an average day I successfully filter approx
10k junk mail messages, only about 5-10 make it through for the entire
organization, of these our individual mail programs filter these as junk...
I guess many would find this acceptable, but to me no spam is my target
On 6/19/09 8:47 AM, "Brandon Champion" <br...@amba.info> wrote:
>
> I highly recommend using Postfix to prevent some of this from even getting
> through to SpamAssassin to begin with.
> This was the most helpful page for me. I've modified things to suit my own
> needs, of course. The results have been stellar. SpamAssassin barely does
> any work now.
>
> http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
>
>
>
> spamsux wrote:
>>
>> SA is working for the most part beyond expectations, the only problem I'm
>> having is filtering spoofed email address (i.e. Valid_user@ourdomain.com). I
>> am able to filter out non-valid user addresses (i.e. spammer@ourdomain.com).
>> I run SA-Update daily, have piped well over 500 of these messages through
>> sa-learn, yet they still come through. I know this is a generic outline of
>> the problem, but it's a start, if you need more info I can send it.
>>
>> -Jeff
>>
>> Server Specs:
>> Mac OSX Server 10.5.7
>> SA 3.2.1
>> Perl 5.8.8
>> Postfix 2.4.3
>> Amavisd 2.5.1
Re: Spoofed Email
Posted by Brandon Champion <br...@amba.info>.
I highly recommend using Postfix to prevent some of this from even getting
through to SpamAssassin to begin with.
This was the most helpful page for me. I've modified things to suit my own
needs, of course. The results have been stellar. SpamAssassin barely does
any work now.
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
spamsux wrote:
>
> SA is working for the most part beyond expectations, the only problem I'm
> having is filtering spoofed email address (i.e. Valid_user@ourdomain.com).
> I
> am able to filter out non-valid user addresses (i.e.
> spammer@ourdomain.com).
> I run SA-Update daily, have piped well over 500 of these messages through
> sa-learn, yet they still come through. I know this is a generic outline of
> the problem, but it's a start, if you need more info I can send it.
>
> -Jeff
>
>
>
> Server Specs:
> Mac OSX Server 10.5.7
> SA 3.2.1
> Perl 5.8.8
> Postfix 2.4.3
> Amavisd 2.5.1
Re: Spoofed Email
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 18, 2009 20:26, Jeff Drury wrote:
> sa-learn, yet they still come through. I know this is a generic outline of
> the problem, but it's a start, if you need more info I can send it.
http://old.openspf.org/wizard.html?mydomain=impactps.com&submit=Go!
next do an SPF test at MTA level, problem gone :)
--
xpoint