Posted to users@spamassassin.apache.org by Marcio Humpris <ma...@gmail.com> on 2013/10/16 16:58:49 UTC

one word spam (continued)

Hi everyone

If I use digest mode how do I reply to a specific mail?

In reply to axb...

about one word spam
http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser

here is the sample http://pastebin.com/download.php?i=0D7tfsjf

Can you help with some regex pls?

Tks

Re: one word spam (continued)

Posted by Axb <ax...@gmail.com>.
On 10/16/2013 04:58 PM, Marcio Humpris wrote:
> In reply to axb...
>
> about one word spam
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>
> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>
> Can you help with some regex pls?

This has two words :) and no SA header / spam report so we have little 
to work with

Nice to see that Commtouch (X-CTCH header: Spam="Unknown") didn't detect 
it either :)

Re: one word spam (continued)

Posted by John Hardin <jh...@impsec.org>.
On Wed, 16 Oct 2013, Martin Gregorie wrote:

> On Wed, 2013-10-16 at 11:47 -0400, Bowie Bailey wrote:
>
>> I'm not quite sure what you were intending to match.
>>
> On more mature reflection, neither am I! I should have said:
>
> /^\s{0,80}\S{0,20}\s{0,80}$/

...which matches /^$/, or any message having a blank line.

Body lines are space-collapsed, so how about this:

   body  __SINGLE_WORD  /^\s?\S{1,20}\s?$/

You'd probably also want to meta it with __BODY_TEXT_LINE to avoid hitting 
on a long message that has a single-word line somewhere within it (like 
this message, for example).

You also have to allow for the subject, which is included in body rules. I 
assume you don't want a single-word-body rule to fire on a multi-word 
message body having a single-word subject.

20 might be a bit conservative, too. :)

Giving:

   body   __SINGLE_WORD_LINE  /^\s?\S{1,40}\s?$/
   tflags __SINGLE_WORD_LINE  multiple maxhits=2
   header __SINGLE_WORD_SUBJ  Subject =~ /^\s*\S{1,40}\s*$/
   meta   SINGLE_WORD_BODY    __BODY_TEXT_LINE < 3 && (__SINGLE_WORD_LINE == 2 || (__SINGLE_WORD_LINE > 0 && !__SINGLE_WORD_SUBJ))


(__BODY_TEXT_LINE counts a nonempty subject because the subject is 
included in body text.)

Untested, of course.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where We Want You To Go Today 09/13/07: Microsoft patents in-OS
   adware architecture that incorporates monitoring and analysis of
   user actions and interrupting the user to display apparently
   relevant advertisements (U.S. Patent #20070214042)
-----------------------------------------------------------------------
  503 days since the first successful private support mission to ISS (SpaceX)
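
The regex points made in this thread, checked in code. This is an added example, not code from any of the posters: the patterns are copied from the messages, while the model of what a body rule sees (subject first, then whitespace-collapsed paragraphs), the reading of __BODY_TEXT_LINE as a count of non-empty lines, and the sample messages are assumptions constructed for illustration.

```python
import re

# Patterns quoted in the thread. They are Perl regexes; these constructs
# behave the same way in Python's re module.
MARTIN_UNANCHORED = re.compile(r"\s{0,80}\S{1,20}\s{0,80}")
MARTIN_ANCHORED = re.compile(r"^\s{0,80}\S{0,20}\s{0,80}$")
SINGLE_WORD_LINE = re.compile(r"^\s?\S{1,40}\s?$")
SINGLE_WORD_SUBJ = re.compile(r"^\s*\S{1,40}\s*$")
NONSPACE = re.compile(r"\S")


def same_as_nonspace(samples):
    """True if the unanchored pattern hits exactly the strings NONSPACE hits."""
    return all(
        bool(MARTIN_UNANCHORED.search(s)) == bool(NONSPACE.search(s))
        for s in samples
    )


def rendered_lines(subject, body):
    """Assumed model of body-rule input: the subject, then each body
    paragraph, with runs of whitespace collapsed and empty units dropped."""
    units = [subject] + re.split(r"\n\s*\n", body)
    return [" ".join(u.split()) for u in units if u.strip()]


def single_word_body(subject, body):
    """Evaluate the SINGLE_WORD_BODY meta over the modelled lines."""
    lines = rendered_lines(subject, body)
    # Assumption: __BODY_TEXT_LINE counts lines that contain any text.
    body_text_line = len(lines)
    # tflags multiple maxhits=2: count every hit, stop counting at two.
    word_lines = min(sum(1 for ln in lines if SINGLE_WORD_LINE.search(ln)), 2)
    word_subj = bool(SINGLE_WORD_SUBJ.search(subject))
    # Fires when both lines are single words, or when a single-word line
    # exists that cannot be the subject.
    return body_text_line < 3 and (
        word_lines == 2 or (word_lines > 0 and not word_subj)
    )


# Constructed sample messages: (subject, body).
SAMPLES = [
    ("hello", "viagra"),                      # one-word subject, one-word body
    ("Re: meeting notes", "unsubscribe"),     # multi-word subject, one-word body
    ("hi", "see you at lunch tomorrow"),      # one-word subject, normal body
    ("hello", "buy now"),                     # two-word body
    ("Re: one word spam",
     "First paragraph.\n\nYes\n\nThird paragraph here."),  # long message
]

if __name__ == "__main__":
    print("anchored pattern matches an empty line:",
          MARTIN_ANCHORED.search("") is not None)
    print("unanchored pattern behaves like a bare non-space match:",
          same_as_nonspace(["", "   ", "x", "two words", "a" * 100]))
    for subject, body in SAMPLES:
        print(repr(subject), repr(body[:30]), "->",
              single_word_body(subject, body))
```
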

Re: one word spam (continued)

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2013-10-16 at 11:47 -0400, Bowie Bailey wrote:

> I'm not quite sure what you were intending to match.
> 
On more mature reflection, neither am I! I should have said:

/^\s{0,80}\S{0,20}\s{0,80}$/

which should catch messages of 20 characters or less. I was in a hurry
(quite a bit of C to write) and somewhat thrown by the OP saying he
wanted to catch single word messages but showed us a two word example. 


Martin




Re: one word spam (continued)

Posted by Bowie Bailey <Bo...@BUC.com>.
On 10/16/2013 11:33 AM, Martin Gregorie wrote:
> On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
>> Hi everyone
>>
>> If I use digest mode how do I reply to a specific mail?
>>
>> In reply to axb...
>>
>> about one word spam
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>>
>> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>>
>> Can you help with some regex pls?
>>
> Not one word is it?
>
> However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/
>
> Be aware that messages like your example are quite common between
> friends, so I personally would be wary of using this type of regex
> outside a meta-rule.

You do realize that this regex is equivalent to /\S/.  If it is a body 
rule, it will match on every email that has any kind of text in either 
the subject or the body.

I'm not quite sure what you were intending to match.

-- 
Bowie

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Jason Haar <Ja...@trimble.com>.
On 17/10/13 09:03, Kevin A. McGrail wrote:
> We've done similar real time checks using Sendmail but seen this
> actually bring down Exchange Servers (more like bringing  it to its
> knees from a resource perspective than actually crashing it) from the
> LDAP queries associated with these type of issues.  So I agree the
> instantaneous nature is nice but we switch to the store because the
> volume we could handle with Sendmail was so much higher than what was
> effectively halting Exchange Servers.
>

We saw the same thing, so we have hourly cronjobs dumping the email
addresses out of Active Directory and push the addresses to the edge
Unix mail relays. We find Active Directory LDAP too slow and too
unreliable to rely on for a realtime service. Internally, even our
Windows IT staff do something similar: batch jobs to dump data out via
LDAP so that their actual websites and/or applications can reference
LDAP data without having to talk to what Microsoft thinks passes for an
LDAP server (eg try to figure out all the groups a user is a member of, 
in a multi-forest AD spread across 5 continents - and do it in <1sec  -
go on, I dare ya ;-)

</rant ;-)>


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/16/2013 3:46 PM, David F. Skoll wrote:
> On Wed, 16 Oct 2013 15:41:04 -0400
> "Kevin A. McGrail" <KM...@PCCC.com> wrote:
>
>> So in the beginning for our issue, our firm implemented something
>> similar and it's documented at http://www.pccc.com/downloads/ldap/
>> thanks primarily to Brian Landers <br...@packetslave.com>  and his
>> work.  This is a nice solution that uses LDAP and queries it to build
>> an access list with sendmail.
> We use MIMEDefang and we make real-time LDAP calls in filter_recipient.
> So when a modification to Active Directory is made, it's instant... no
> need to wait for the data to be updated on the Sendmail server.
>
> The downside is that you can get a *lot* of LDAP traffic if there's
> a dictionary attack.
>
We've done similar real time checks using Sendmail but seen this 
actually bring down Exchange Servers (more like bringing  it to its 
knees from a resource perspective than actually crashing it) from the 
LDAP queries associated with these type of issues.  So I agree the 
instantaneous nature is nice but we switch to the store because the 
volume we could handle with Sendmail was so much higher than what was 
effectively halting Exchange Servers.

This was back in 2007 and revolved around small companies with one 
server so it was bringing down other operations as well.  We wrote about 
it a bit on this page 
https://raptor.pccc.com/raptor.cgim?template=raptorFAST (warning 
commercial site not affiliated with project though it's where I put a 
lot of stuff I'm working on.  I'll open a ticket to add as much as we 
can.  Anyway, please ignore if you aren't interested in my day job).

Regards,
KAM


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 16 Oct 2013 15:41:04 -0400
"Kevin A. McGrail" <KM...@PCCC.com> wrote:

> So in the beginning for our issue, our firm implemented something 
> similar and it's documented at http://www.pccc.com/downloads/ldap/ 
> thanks primarily to Brian Landers <br...@packetslave.com>  and his 
> work.  This is a nice solution that uses LDAP and queries it to build
> an access list with sendmail.

We use MIMEDefang and we make real-time LDAP calls in filter_recipient.
So when a modification to Active Directory is made, it's instant... no
need to wait for the data to be updated on the Sendmail server.

The downside is that you can get a *lot* of LDAP traffic if there's
a dictionary attack.

Regards,

David.

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/16/2013 2:27 PM, David F. Skoll wrote:
> I think this is a deliberate strategy on the part of Microsoft. I 
> think they're making Exchange so complicated and such a PITA that 
> people give up and go to the cloud, ideally to Office 365. For many 
> small companies, going to the cloud probably makes lots of sense, as 
> long as they don't mind paying extra and don't mind the NSA having 
> access to their email. :) Regards, David.

That is giant tin-hat foil worthy! LOL.  I also do not know why 
Microsoft makes it so difficult but it really started to become 
difficult a while ago.  Really long before their cloud initiative.

So in the beginning for our issue, our firm implemented something 
similar and it's documented at http://www.pccc.com/downloads/ldap/ 
thanks primarily to Brian Landers <br...@packetslave.com>  and his 
work.  This is a nice solution that uses LDAP and queries it to build an 
access list with sendmail.

However, for our proprietary stuff, we had turned that concept on its 
head and used a program to push the data to the server (we call it 
Forward and Store Technology) and support sendmail and exchange. I'll 
see if I can share more about that.

Regards,
KAM



Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
>>>> "David F. Skoll" <df...@roaringpenguin.com> 10/16/13 2:32 PM >>>
>. . . .as long as they don't mind
>paying extra and don't mind the NSA having access to their email. :)
>
>Regards,
>
>David.

Of course you mean "easier access"  . . . ?

joe a.



Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 16 Oct 2013 10:52:08 -0700
Ted Mittelstaedt <te...@ipinc.net> wrote:

> Just be aware that Microsoft's "standard" is to use LDAP queries to
> the AD.

True, and we support that.  But not everyone wants to open up their LDAP
to the outside world, even to a few outside IPs.

Furthermore, if you use Office 365 (Microsoft's hosted Exchange
product) you're out of luck.  I don't believe they give you LDAP
access, at least not unless you're a very large company.

> Go big or go elsewhere.

I think this is a deliberate strategy on the part of Microsoft.  I think
they're making Exchange so complicated and such a PITA that people give
up and go to the cloud, ideally to Office 365.  For many small companies,
going to the cloud probably makes lots of sense, as long as they don't mind
paying extra and don't mind the NSA having access to their email. :)

Regards,

David.

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Tue, 22 Jul 2014 13:30:13 -0800
Kevin Miller <Ke...@ci.juneau.ak.us> wrote:

> I guess catting the output of the ldap
> query onto the access table and hash it once a night would be just as
> easy.  I'll give that test.

Another option, since you're running Sendmail, is to use a milter such
as MIMEDefang and do a real-time LDAP lookup for each RCPT command.
If the overhead is not too high, this is a nice solution because
any changes to Active Directory are immediately seen by Sendmail.

Regards,

David.

RE: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Kevin Miller <Ke...@ci.juneau.ak.us>.
At the moment I'm using smf-sav talking to Exchange 2007.  I mentioned virtualuser because that's what Ted said he was using to good effect.  I am using the access table as well, mostly to reject mail from specific places.  I guess catting the output of the ldap query onto the access table and hash it once a night would be just as easy.  I'll give that test.

Best...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-----Original Message-----
From: Kevin A. McGrail [mailto:KMcGrail@PCCC.com] 
Sent: Tuesday, July 22, 2014 12:01 PM
To: Kevin Miller; users@spamassassin.apache.org
Subject: Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

On 7/22/2014 3:54 PM, Kevin Miller wrote:
> Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and I have a script that will extract email addresses from ldap, but when looking at the virtualuser table it seems that it's used to map one address to another.  The script puts out addresses in the following format:
>    Some_User@ci.juneau.ak.us OK
>    suser@jnuairport.com OK
>    some_user@skijuneau.com OK
>
> Easy enough to strip the "OK" out in a bash script to create the virtualuser table, but what does the virtualuser table actually look like?  The preamble in the file in /etc/mail shows:

Why are you using virtusertable and not the access table?

regards,
KAM

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/22/2014 3:54 PM, Kevin Miller wrote:
> Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and I have a script that will extract email addresses from ldap, but when looking at the virtualuser table it seems that it's used to map one address to another.  The script puts out addresses in the following format:
>    Some_User@ci.juneau.ak.us OK
>    suser@jnuairport.com OK
>    some_user@skijuneau.com OK
>
> Easy enough to strip the "OK" out in a bash script to create the virtualuser table, but what does the virtualuser table actually look like?  The preamble in the file in /etc/mail shows:

Why are you using virtusertable and not the access table?

regards,
KAM

RE: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Kevin Miller <Ke...@ci.juneau.ak.us>.
Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and I have a script that will extract email addresses from ldap, but when looking at the virtualuser table it seems that it's used to map one address to another.  The script puts out addresses in the following format:
  Some_User@ci.juneau.ak.us OK
  suser@jnuairport.com OK
  some_user@skijuneau.com OK

Easy enough to strip the "OK" out in a bash script to create the virtualuser table, but what does the virtualuser table actually look like?  The preamble in the file in /etc/mail shows:

# Examples:
#
#info@foo.com           foo-info
#info@bar.com           bar-info
#joe@bar.com            error:nouser No such user here
#jax@bar.com            error:D.S.N:unavailable Address invalid
#@baz.org               jane@example.net

That's clear enough, but I'm not mapping one address to another - I'm just wanting to validate the entries that are in there.  Do I just create a single column file with the output from my ldap query script and hash it?  And after that sendmail will reject anything not in there?  Do I have to tweak sendmail.mc beyond 
  FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl 
to achieve the desired behavior of rejecting unknown inbound emails?

I'm unclear on what "and combine them with a fixed file" means in Ted's comments below.  Pearls of wisdom greatly appreciated...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm@ipinc.net] 
Sent: Wednesday, October 16, 2013 9:52 AM
To: users@spamassassin.apache.org
Subject: Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))


Just be aware that Microsoft's "standard" is to use LDAP queries to the AD.  Every major commercial antispam product does this and you will save yourself a lot of work later when MS changes the next version of Exchange to not support the 2525 hack.  (which they could easily do) if you do it that way.

This issue has been discussed to the death elsewhere but I guess for me I can't understand why I would have to -pay- for a milter like milter-ahead when on my prefilter Sendmail server I can simply once a day issue an ldapsearch to the domain controller the exchange server is in, then strip the results down to just the email addresses and combine them with a fixed file then replace the virtusertable.

I can run clamav, and spamassassin on the prefilter and I don't have to fool with the ldap routing in sendmail or worry about uncontrolled access to the AD server.

But I realize that's a "large company" approach to the problem  and many people still want a single-server solution.  Well wake up folks, Exchange is a "large company" product nowadays.
We still have a few customers on honeymoons with exchange 2010 all-in-ones but they have all been given notice that Microsoft has provided no future roadmap for this approach.  Go big or go elsewhere.

Ted

On 10/16/2013 10:27 AM, David F. Skoll wrote:
> On Wed, 16 Oct 2013 09:21:46 -0800
> Kevin Miller <Ke...@ci.juneau.ak.us> wrote:
>
>> So if I'm reading this right, milters such as smf-sav or milter-ahead 
>> will no longer be of any use?
>
> You are reading it correctly.  On our anti-spam service, we require 
> some sort of recipient validation so we don't go insane scanning 
> messages destined to nonexistent addresses.  SMTP call-ahead was the 
> easiest way to do this, but now our customers either have to let us 
> hook into their Active Directory or explicitly provide a list of valid recipients.
>
> Someone did send me a hack for doing recipient verification on 
> Exchange 2013 which I include here for archiving purposes.  Please 
> note that I have not tested this.  I'm also not familiar with 
> Exchange, so some of the terminology means nothing to me...
>
> Regards,
>
> David.
>
> ==========================================================================
> From: Leon Black
> To: "info@roaringpenguin.com" <in...@roaringpenguin.com>
> Subject: Recipient Verification correction
> Date: Sat, 7 Sep 2013 03:59:27 +0000
>
> Hey Guys,
>
> Just saw your info on this page
> http://www.roaringpenguin.com/recipient-verification re Exchange 2013 
> recipient verification.
>
> I have found the workable solution with exchange 2013 to get recipient 
> verification working correctly with an antispam product.
>
> The problem is when it is a single server with CAS and Mailbox roles. 
> To use correct verification you need to talk to the hub transport 
> receive connector (mailbox role) and this rejects the address as per 
> normal.
>
> This is by default on port 2525, all you need to do is enable 
> anonymous access on the connector and open port 2525 to the antispam 
> IP.  Set your product to do recipient verification on port 2525 and 
> deliver to port 25 and it works perfectly.
>
> Hopefully this information can help you guys out :) We do this with a 
> number of our exchange 2013 single server clients and it rejects 
> emails correctly.
>
> Oh! Just make sure they do not create another hub transport connector.
> If there is an additional one it will cause exchange transport to stop 
> receiving emails after a few hours.
>


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Just be aware that Microsoft's "standard" is to use LDAP queries to the
AD.  Every major commercial antispam product does this and you will
save yourself a lot of work later when MS changes the next version of
Exchange to not support the 2525 hack.  (which they could easily do)
if you do it that way.

This issue has been discussed to the death elsewhere but I guess for me
I can't understand why I would have to -pay- for a milter like 
milter-ahead when on my prefilter Sendmail server I can simply once a 
day issue an ldapsearch to the domain controller the exchange server is 
in, then strip the results down to just the email addresses and
combine them with a fixed file then replace the virtusertable.

I can run clamav, and spamassassin on the prefilter and I don't have
to fool with the ldap routing in sendmail or worry about uncontrolled
access to the AD server.

But I realize that's a "large company" approach to the problem  and
many people still want a single-server solution.  Well
wake up folks, Exchange is a "large company" product nowadays.
We still have a few customers on honeymoons with exchange 2010
all-in-ones but they have all been given notice that Microsoft
has provided no future roadmap for this approach.  Go big or go
elsewhere.

Ted

On 10/16/2013 10:27 AM, David F. Skoll wrote:
> On Wed, 16 Oct 2013 09:21:46 -0800
> Kevin Miller <Ke...@ci.juneau.ak.us> wrote:
>
>> So if I'm reading this right, milters such as smf-sav or milter-ahead
>> will no longer be of any use?
>
> You are reading it correctly.  On our anti-spam service, we require
> some sort of recipient validation so we don't go insane scanning
> messages destined to nonexistent addresses.  SMTP call-ahead was the easiest
> way to do this, but now our customers either have to let us hook into their
> Active Directory or explicitly provide a list of valid recipients.
>
> Someone did send me a hack for doing recipient verification on
> Exchange 2013 which I include here for archiving purposes.  Please
> note that I have not tested this.  I'm also not familiar with Exchange,
> so some of the terminology means nothing to me...
>
> Regards,
>
> David.
>
> ==========================================================================
> From: Leon Black
> To: "info@roaringpenguin.com" <in...@roaringpenguin.com>
> Subject: Recipient Verification correction
> Date: Sat, 7 Sep 2013 03:59:27 +0000
>
> Hey Guys,
>
> Just saw your info on this page
> http://www.roaringpenguin.com/recipient-verification re Exchange 2013
> recipient verification.
>
> I have found the workable solution with exchange 2013 to get recipient
> verification working correctly with an antispam product.
>
> The problem is when it is a single server with CAS and Mailbox
> roles. To use correct verification you need to talk to the hub
> transport receive connector (mailbox role) and this rejects the
> address as per normal.
>
> This is by default on port 2525, all you need to do is enable
> anonymous access on the connector and open port 2525 to the antispam
> IP.  Set your product to do recipient verification on port 2525 and
> deliver to port 25 and it works perfectly.
>
> Hopefully this information can help you guys out :) We do this with a
> number of our exchange 2013 single server clients and it rejects
> emails correctly.
>
> Oh! Just make sure they do not create another hub transport connector.
> If there is an additional one it will cause exchange transport to stop
> receiving emails after a few hours.
>
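
The nightly rebuild described in this part of the thread (dump addresses from Active Directory with ldapsearch, strip the result down to e-mail addresses, combine with a fixed file), sketched as an added example; it is not Ted's or Kevin's script. It assumes the dump is LDIF carrying the standard `mail` and `proxyAddresses` attributes, emits the `address OK` lines shown in Kevin's message, and adds one assumption of its own: a guard that refuses to produce a table when the list is empty or has shrunk sharply, so a failed LDAP query does not turn into rejecting every recipient. The sample LDIF and fixed file are constructed.

```python
import base64
import binascii
import re

ADDR_RE = re.compile(r"^[^@\s]+@[a-z0-9.-]+\.[a-z]{2,}$")
ATTR_RE = re.compile(r"^(mail|proxyAddresses)(::?)\s*(.*)$", re.IGNORECASE)


def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def addresses_from_ldif(ldif):
    """Return the set of lower-cased SMTP addresses found in the dump."""
    found = set()
    for line in unfold(ldif):
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":  # base64-encoded value
            try:
                value = base64.b64decode(value).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue
        if attr == "proxyaddresses":
            if not value.lower().startswith("smtp:"):
                continue  # skip non-SMTP proxy types such as X500:
            value = value[5:]
        value = value.strip().lower()
        if ADDR_RE.match(value):
            found.add(value)
    return found


def load_fixed(text):
    """Hand-maintained addresses, one per line, '#' starts a comment."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line.split()[0].lower())
    return entries


def build_table(ldif, fixed_text, previous_count=0, max_shrink=0.5):
    """Merge both sources into sorted 'address OK' lines, or raise if the
    result looks like a failed dump (empty, or far smaller than last run)."""
    addrs = addresses_from_ldif(ldif) | load_fixed(fixed_text)
    if not addrs:
        raise ValueError("no addresses found; keeping the existing table")
    if previous_count and len(addrs) < previous_count * max_shrink:
        raise ValueError("address list shrank sharply; keeping the existing table")
    return [f"{a} OK" for a in sorted(addrs)]


# Constructed sample input.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Some User,OU=Staff,DC=example,DC=com",
    "mail: Some_User@example.com",
    "proxyAddresses: SMTP:Some_User@example.com",
    "proxyAddresses: smtp:suser@example.org",
    "proxyAddresses: X500:/o=Example/cn=Recipients/cn=suser",
    "",
    "dn: CN=Folded Line,OU=Staff,DC=example,DC=com",
    "mail: a.long.local.part@exam",
    " ple.net",
    "",
    "dn: CN=Encoded,OU=Staff,DC=example,DC=com",
    "mail:: " + base64.b64encode(b"encoded@example.com").decode("ascii"),
])
SAMPLE_FIXED = "postmaster@example.com\nabuse@example.com   # role address\n"

if __name__ == "__main__":
    print("\n".join(build_table(SAMPLE_LDIF, SAMPLE_FIXED)))
```
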


Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 16 Oct 2013 09:21:46 -0800
Kevin Miller <Ke...@ci.juneau.ak.us> wrote:

> So if I'm reading this right, milters such as smf-sav or milter-ahead
> will no longer be of any use?

You are reading it correctly.  On our anti-spam service, we require
some sort of recipient validation so we don't go insane scanning
messages destined to nonexistent addresses.  SMTP call-ahead was the easiest
way to do this, but now our customers either have to let us hook into their
Active Directory or explicitly provide a list of valid recipients.

Someone did send me a hack for doing recipient verification on
Exchange 2013 which I include here for archiving purposes.  Please
note that I have not tested this.  I'm also not familiar with Exchange,
so some of the terminology means nothing to me...

Regards,

David.

==========================================================================
From: Leon Black 
To: "info@roaringpenguin.com" <in...@roaringpenguin.com>
Subject: Recipient Verification correction
Date: Sat, 7 Sep 2013 03:59:27 +0000

Hey Guys,

Just saw your info on this page
http://www.roaringpenguin.com/recipient-verification re Exchange 2013
recipient verification.

I have found the workable solution with exchange 2013 to get recipient
verification working correctly with an antispam product.

The problem is when it is a single server with CAS and Mailbox
roles. To use correct verification you need to talk to the hub
transport receive connector (mailbox role) and this rejects the
address as per normal.

This is by default on port 2525, all you need to do is enable
anonymous access on the connector and open port 2525 to the antispam
IP.  Set your product to do recipient verification on port 2525 and
deliver to port 25 and it works perfectly.

Hopefully this information can help you guys out :) We do this with a
number of our exchange 2013 single server clients and it rejects
emails correctly.

Oh! Just make sure they do not create another hub transport connector.
If there is an additional one it will cause exchange transport to stop
receiving emails after a few hours.

Re: one word spam (continued)

Posted by Axb <ax...@gmail.com>.
On 10/16/2013 07:21 PM, Kevin Miller wrote:
> So if I'm reading this right, milters such as smf-sav or milter-ahead will no longer be of any use?

yep...  One will have to be creative, start maintaining local rcpt list 
copies, LDAP exports, etc - lottsa fun for all parties.

This also applies to Postfix's recipient address verification.

>
>   ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357
>
> -----Original Message-----
> From: Axb [mailto:axb.lists@gmail.com]
> Sent: Wednesday, October 16, 2013 9:18 AM
> To: users@spamassassin.apache.org
> Subject: Re: one word spam (continued)
>
> On 10/16/2013 06:42 PM, David F. Skoll wrote:
>> On 16 Oct 2013 09:15:07 -0700
>> "Neil Schwartzman" <ne...@cauce.org> wrote:
>>
>>> List verification. Many receiving sites will block after X bounces,
>>> clean up your list from 550s, and spam the real thing from another
>>> botted IP.
>>
>> <rant>
>> And you know who we can thank [sic] for this mechanism of list verification?
>>
>> Microsoft, that's who.
>>
>> For versions of Microsoft Exchange prior to 2013, you need to jump
>> through ridiculous hoops to configure it so that invalid RCPT commands are rejected.
>> By default, Exchange accepts any old RCPT command and then either
>> rejects after DATA or (if a RCPT was valid) is forced to generate a
>> delivery failure notification.
>>
>> For Exchange 2013, the ridiculous hoops no longer work and I don't
>> believe it is even possible to configure Exchange 2013 to reject
>> invalid RCPTs without truly grotesque hacks.
>>
>> Thank you, Microsoft, for making the Internet a better place.
>> </rant>
>
> Exchange 2013 can still reject mail to unknown users, except that it does it _AFTER_ DATA, which means that everybody that tried to be a good player has become a backscatterer, including their own services which they have elegantly turned into spam spewin bazookas.
>
> May I join you?
> <rant>
> Thank you, Microsoft, for making the Internet a better place.
> </rant>
>
>
>
>
>
>


RE: one word spam (continued)

Posted by Kevin Miller <Ke...@ci.juneau.ak.us>.
So if I'm reading this right, milters such as smf-sav or milter-ahead will no longer be of any use?  

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-----Original Message-----
From: Axb [mailto:axb.lists@gmail.com] 
Sent: Wednesday, October 16, 2013 9:18 AM
To: users@spamassassin.apache.org
Subject: Re: one word spam (continued)

On 10/16/2013 06:42 PM, David F. Skoll wrote:
> On 16 Oct 2013 09:15:07 -0700
> "Neil Schwartzman" <ne...@cauce.org> wrote:
>
>> List verification. Many receiving sites will block after X bounces, 
>> clean up your list from 550s, and spam the real thing from another 
>> botted IP.
>
> <rant>
> And you know who we can thank [sic] for this mechanism of list verification?
>
> Microsoft, that's who.
>
> For versions of Microsoft Exchange prior to 2013, you need to jump 
> through ridiculous hoops to configure it so that invalid RCPT commands are rejected.
> By default, Exchange accepts any old RCPT command and then either 
> rejects after DATA or (if a RCPT was valid) is forced to generate a 
> delivery failure notification.
>
> For Exchange 2013, the ridiculous hoops no longer work and I don't 
> believe it is even possible to configure Exchange 2013 to reject 
> invalid RCPTs without truly grotesque hacks.
>
> Thank you, Microsoft, for making the Internet a better place.
> </rant>

Exchange 2013 can still reject mail to unknown users, except that it does it _AFTER_ DATA, which means that everybody that tried to be a good player has become a backscatterer, including their own services which they have elegantly turned into spam spewin bazookas.

May I join you?
<rant>
Thank you, Microsoft, for making the Internet a better place.
</rant>







Re: one word spam (continued)

Posted by Axb <ax...@gmail.com>.
On 10/16/2013 06:42 PM, David F. Skoll wrote:
> On 16 Oct 2013 09:15:07 -0700
> "Neil Schwartzman" <ne...@cauce.org> wrote:
>
>> List verification. Many receiving sites will block after X bounces,
>> clean up your list from 550s, and spam the real thing from another
>> botted IP.
>
> <rant>
> And you know who we can thank [sic] for this mechanism of list verification?
>
> Microsoft, that's who.
>
> For versions of Microsoft Exchange prior to 2013, you need to jump through
> ridiculous hoops to configure it so that invalid RCPT commands are rejected.
> By default, Exchange accepts any old RCPT command and then either rejects
> after DATA or (if a RCPT was valid) is forced to generate a delivery failure
> notification.
>
> For Exchange 2013, the ridiculous hoops no longer work and I don't
> believe it is even possible to configure Exchange 2013 to reject
> invalid RCPTs without truly grotesque hacks.
>
> Thank you, Microsoft, for making the Internet a better place.
> </rant>

Exchange 2013 can still reject mail to unknown users, except that it 
does it _AFTER_ DATA, which means that everybody that tried to be a good 
player has become a backscatterer, including their own services which 
they have elegantly turned into spam spewin bazookas.

May I join you?
<rant>
Thank you, Microsoft, for making the Internet a better place.
</rant>







Re: one word spam (continued)

Posted by Ted Mittelstaedt <te...@ipinc.net>.
On 10/16/2013 9:42 AM, David F. Skoll wrote:
> On 16 Oct 2013 09:15:07 -0700
> "Neil Schwartzman" <ne...@cauce.org> wrote:
>
>> List verification. Many receiving sites will block after X bounces,
>> clean up your

you mean "their" list

> list from 550s, and spam the real thing from another
>> botted IP.
>
> <rant>
> And you know who we can thank [sic] for this mechanism of list verification?
>
> Microsoft, that's who.
>
> For versions of Microsoft Exchange prior to 2013, you need to jump through
> ridiculous hoops to configure it so that invalid RCPT commands are rejected.
> By default, Exchange accepts any old RCPT command and then either rejects
> after DATA or (if a RCPT

you mean if sender was valid, right

> was valid) is forced to generate a delivery failure
> notification.
>
> For Exchange 2013, the ridiculous hoops no longer work and I don't
> believe it is even possible to configure Exchange 2013 to reject
> invalid RCPTs without truly grotesque hacks.
>

Yeah I had forgotten about that.

I think what's going on here is that Microsoft has been positioning 
Exchange for use as a large company platform for some time - the last
version of SBS contained Exchange 2010 and that was the last way that
a smaller company could afford an Exchange server.  Check out the
prices on Exchange 2012 and you will see what I mean, plus there's
no easy way that was provided to migrate from Exchange 2010 to Exchange 
2012.  Their hope is that smaller customers will go to the cloud.

To this end they have had an eye on the Exchange server being just a
single cog in a large network.  That's why they make you go to an 
additional server (or appliance) for spam and antivirus filtering, and 
they don't provide that on Exchange.

We never sell an Exchange server installation without spec'ing some
sort of spam prefiltering like a Sophos box or Cisco ASA or something 
like that in front of it, and all of those devices have active directory 
hooks that query the DC for the usernames and -don't- accept just any 
old bogus RCPTs.

> Thank you, Microsoft, for making the Internet a better place.
> </rant>
>

Naw, it's much more neglect and forgetting where they came from.

There was a time that people replaced old post.office and other hacky
mailservers with exchange because exchange was inexpensive, simple, and
easy for just any monkey to configure.

There was also a time people replaced old Novell Netware servers and
other hacky fileservers with Windows NT because NT was inexpensive,
simple, and easy for any monkey to configure.

But those days are gone and those products have been replaced by very
expensive, very complicated products that even people who are 
professionals have a hard time configuring.

And to be perfectly honest about it I can say exactly the same thing
about the Linux distros who are also headed full speed away from
simplicity and ease and into complexity and difficulty.

I can't boot any current linux distro on an older P4 with 4GB of
ram and have it run any faster than a slug would travel.  And there's
a LOT of older 2003 servers out there running on older HP Proliant
G4 and G3 servers or Dell 2650 servers that are 32 bit, running
Exchange 2003, but are rock-solid and have been for years.  There's an 
opportunity there but nobody in the FOSS community wants to service it. 
  Instead the Linux people think they can go head-to-head with Microsoft 
on brand new $4,000 server hardware.

Ted

> Regards,
>
> David.
>


Re: one word spam (continued)

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On 16 Oct 2013 09:15:07 -0700
"Neil Schwartzman" <ne...@cauce.org> wrote:

> List verification. Many receiving sites will block after X bounces,
> clean up your list from 550s, and spam the real thing from another
> botted IP.

<rant>
And you know who we can thank [sic] for this mechanism of list verification?

Microsoft, that's who.

For versions of Microsoft Exchange prior to 2013, you need to jump through
ridiculous hoops to configure it so that invalid RCPT commands are rejected.
By default, Exchange accepts any old RCPT command and then either rejects
after DATA or (if a RCPT was valid) is forced to generate a delivery failure
notification.

For Exchange 2013, the ridiculous hoops no longer work and I don't
believe it is even possible to configure Exchange 2013 to reject
invalid RCPTs without truly grotesque hacks.

Thank you, Microsoft, for making the Internet a better place.
</rant>

Regards,

David.
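
The two behaviours described in this message, modelled as an added example (not code from the thread or from any mail server): a toy receiver that either rejects unknown recipients at RCPT, or accepts every RCPT and deals with failures after DATA. The addresses, policy names and reply texts are constructed assumptions; the point is which policy ends up mailing a delivery failure to the envelope sender.

```python
from dataclasses import dataclass, field

VALID_USERS = {"alice@corp.example"}              # constructed directory


@dataclass
class Session:
    replies: list = field(default_factory=list)   # (command, reply) pairs
    bounces: list = field(default_factory=list)   # DSNs sent after the session


def receive(policy, mail_from, rcpts):
    """Model one inbound SMTP transaction under a recipient-validation policy.

    policy "rcpt":      unknown recipients get 550 at RCPT TO
    policy "post_data": every RCPT is accepted; rejection comes after DATA
                        when no recipient is valid
    A DSN is generated for each invalid recipient of an accepted message.
    """
    s = Session()
    s.replies.append((f"MAIL FROM:<{mail_from}>", "250 OK"))
    accepted = []
    for r in rcpts:
        if policy == "rcpt" and r not in VALID_USERS:
            s.replies.append((f"RCPT TO:<{r}>", "550 5.1.1 User unknown"))
        else:
            s.replies.append((f"RCPT TO:<{r}>", "250 OK"))
            accepted.append(r)
    if not accepted:
        return s                                  # nothing to send DATA for
    invalid = [r for r in accepted if r not in VALID_USERS]
    if len(invalid) == len(accepted):
        s.replies.append(("DATA ... .", "550 5.1.1 User unknown"))
        return s
    s.replies.append(("DATA ... .", "250 Queued"))
    # Message accepted, so failures can only be reported by mail: the DSN
    # goes to the envelope sender, which in spam is usually forged.
    s.bounces = [(mail_from, f"Undeliverable: {r}") for r in invalid]
    return s
```

With the "rcpt" policy the failure is reported inside the SMTP session and no DSN is ever generated, which is why a front-end that checks the directory at RCPT time removes the backscatter.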

Re: one word spam (continued)

Posted by Neil Schwartzman <ne...@cauce.org>.
List verification. Many receiving sites will block after X bounces, clean up your list from 550s, and spam the real thing from another botted IP.


Neil Schwartzman
Executive Director
Coalition Against unsolicited Commercial Email

Tel :(303) 800-6345
Mob: (415) 361-0069
@cauce




On Oct 16, 2013, at 8:41 AM, Ted Mittelstaedt <te...@ipinc.net> wrote:

> 
> Dumb question here perhaps - how exactly would sending a single word
> to a victim help a spammer?  Why would they do it?
> 
> Ted
> 
> On 10/16/2013 8:33 AM, Martin Gregorie wrote:
>> On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
>>> Hi everyone
>>> 
>>> If I use digest mode how do I reply to a specific mail?
>>> 
>>> In reply to axb...
>>> 
>>> about one word spam
>>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>>> 
>>> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>>> 
>>> Can you help with some regex pls?
>>> 
>> Not one word is it?
>> 
>> However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/
>> 
>> Be aware that messages like your example are quite common between
>> friends, so I personally would be wary of using this type of regex
>> outside a meta-rule.
>> 
>> 
>> Martin
>> 
>> 
>> 
>>> Tks
>> 
>> 
>> 
> 


Re: one word spam (continued)

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Dumb question here perhaps - how exactly would sending a single word
to a victim help a spammer?  Why would they do it?

Ted

On 10/16/2013 8:33 AM, Martin Gregorie wrote:
> On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
>> Hi everyone
>>
>> If I use digest mode how do I reply to a specific mail?
>>
>> In reply to axb...
>>
>> about one word spam
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
>>
>> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
>>
>> Can you help with some regex pls?
>>
> Not one word is it?
>
> However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/
>
> Be aware that messages like your example are quite common between
> friends, so I personally would be wary of using this type of regex
> outside a meta-rule.
>
>
> Martin
>
>
>
>> Tks
>
>
>


Re: one word spam (continued)

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2013-10-16 at 11:58 -0300, Marcio Humpris wrote:
> Hi everyone
> 
> If I use digest mode how do I reply to a specific mail?
> 
> In reply to axb...
> 
> about one word spam
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/201308.mbox/browser
> 
> here is the sample http://pastebin.com/download.php?i=0D7tfsjf
> 
> Can you help with some regex pls?
> 
Not one word is it?

However, this catches it:   /\s{0,80}\S{1,20}\s{0,80}/

Be aware that messages like your example are quite common between
friends, so I personally would be wary of using this type of regex
outside a meta-rule.


Martin



> Tks
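
An added example (not code from the thread, and not SpamAssassin's own engine) that runs the pattern posted above over constructed messages and compares it with an anchored variant, to show why the caution about using it outside a meta-rule matters. The anchored pattern, the line-rendering model (subject first, whitespace collapsed) and the `is_single_word_message` condition are assumptions made for illustration.

```python
import re

# Pattern as posted in the thread: no ^/$ anchors.
UNANCHORED = re.compile(r"\s{0,80}\S{1,20}\s{0,80}")
# Anchored variant added for comparison (an assumption, not a shipped rule).
ANCHORED = re.compile(r"^\s?\S{1,20}\s?$")


def rendered_lines(subject, body):
    """Simplified model of what a body rule sees: the subject as the first
    line, then each non-empty body line with whitespace runs collapsed."""
    lines = [subject] + body.splitlines()
    collapsed = (re.sub(r"\s+", " ", ln).strip() for ln in lines)
    return [ln for ln in collapsed if ln]


def hits(pattern, subject, body):
    """Lines on which the pattern fires (unanchored search, as a regex rule does)."""
    return [ln for ln in rendered_lines(subject, body) if pattern.search(ln)]


def is_single_word_message(subject, body):
    """Hypothetical meta condition: exactly one body line, and it is one word."""
    body_lines = rendered_lines("", body)
    return len(body_lines) == 1 and bool(ANCHORED.search(body_lines[0]))


# Constructed sample messages (not taken from the pastebin sample).
ONE_WORD = ("hi", "   Greetings   \n")
NORMAL = ("Meeting notes",
          "Thanks for today.\n\nAgreed\n\nI will send the draft tomorrow.\n")

if __name__ == "__main__":
    for name, msg in (("one-word", ONE_WORD), ("normal", NORMAL)):
        print(name, "unanchored:", len(hits(UNANCHORED, *msg)),
              "anchored:", len(hits(ANCHORED, *msg)),
              "single-word message:", is_single_word_message(*msg))
```

The unanchored pattern fires on every non-empty line of the ordinary message, while the anchored one still fires on its lone "Agreed" line, so a per-line hit has to be combined with a check on how many body lines the message has.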