Posted to server-user@james.apache.org by "Noel J. Bergman" <no...@devtech.com> on 2002/06/03 03:47:50 UTC

SPAM origin

Right now InSpammerBlacklist checks the remote address of the proximate
relay to see if it is open.  Is that sufficient?  We are trusting that relay
to filter out e-mail from open relay sources.

Should we be (at least optionally) checking the entire series, and rejecting
if we find any open server in the chain?

	--- Noel


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: SPAM origin

Posted by "Noel J. Bergman" <no...@devtech.com>.
> To answer my own question, it looks like I just had to turn the
> <attachError> to TRUE.

That only works because ToProcessor will set the error message to the notice
if there is no error message already set, and it does not provide for
passing the TXT record, unless InSpammerBlacklist is modified to set the
error message to the TXT record.  If you want to pass the e-mail along, but
set an X-Spam-Warning or X-RBL-Warning header, you'd need to effect other
changes.

	--- Noel




RE: SPAM origin

Posted by Clinton Goudie <Cl...@magicalspirits.net>.
To answer my own question, it looks like I just had to turn the
<attachError> to TRUE.

-----Original Message-----
From: Clinton Goudie [mailto:ClintJakarta@magicalspirits.net]
Sent: Wednesday, June 05, 2002 11:43 AM
To: James Developers List
Subject: RE: SPAM origin

Is there any way for me to include the notice from:
          <mailet match="InSpammerBlacklist=relays.ordb.org"
                  class="ToProcessor">
            <processor> blacklist </processor>
            <notice> Open relay - see  http://www.ordb.org/ </notice>
          </mailet>

using the redirect mailet without extending it and making my own?

Ideally I'd just change <inline>notice</inline> but I have no idea if that
would work...

Thanks for the info...

Clint
-----Original Message-----
From: Danny Angus [mailto:danny@apache.org]
Sent: Wednesday, June 05, 2002 3:01 AM
To: James Developers List
Subject: RE: SPAM origin

> If anyone knows how
> to configure
> the send from address using the NotifySender mailet, please let
> me know. The
> current alternative I'm using is to bit-bucket emails from postmaster to
> postmaster.

Try using the Redirect mailet instead, it is designed to be much more
configurable in its behaviour than the simpler Notify mailets.

to get you started you might try this:

                        <mailet match="All" class="Redirect">
                                <!--send it back to the sender-->
                                <recipients>sender</recipients>
                                <!--From a special address-->
                                <sender>spam-manager@mydomain.com</sender>
                                <!--with this message as the message body-->
                                <message>Spam rejected by mydomain</message>
                                <!--With nothing else appended-->
                                <inline>none</inline>
                                <!--Attach the original message-->
                                <attachment>message</attachment>
                                <!--Dont send generated error messages-->
                                <attachError>FALSE</attachError>
                                <!--Prefix the original subject with this-->
                                <prefix>[mail delivery system spam notification]</prefix>
                                <!--calculate the sender address every time-->
                                <static>FALSE</static>
                                <!--Kill the original mail in this mailet-->
                                <passThrough>FALSE</passThrough>
                        </mailet>

and if you're into hacking mailets Redirect is intended to be extended to
allow you to override the methods that generate sender and recipient
addresses so you can quickly deploy your own, more obscure, behaviour.

d.




RE: SPAM origin

Posted by "Noel J. Bergman" <no...@devtech.com>.
> Is there any way for me to include the notice from:
>   <mailet match="InSpammerBlacklist=relays.ordb.org" class="ToProcessor">
>   ...
>   </mailet>
> using the redirect mailet without extending it and making my own?

At the moment, the only way to pass information from one mailet to another
would be to add an X- header to the MimeMessage.  Serge and I discussed this
earlier, and he plans to add support for named attributes to the Mail
object.

Your example is one of those I gave for wanting to pass meta-information
along with the message as it goes through the chain.

	--- Noel




RE: SPAM origin

Posted by Clinton Goudie <Cl...@magicalspirits.net>.
Is there any way for me to include the notice from:
          <mailet match="InSpammerBlacklist=relays.ordb.org"
                  class="ToProcessor">
            <processor> blacklist </processor>
            <notice> Open relay - see  http://www.ordb.org/ </notice>
          </mailet>

using the redirect mailet without extending it and making my own?

Ideally I'd just change <inline>notice</inline> but I have no idea if that
would work...

Thanks for the info...

Clint
-----Original Message-----
From: Danny Angus [mailto:danny@apache.org]
Sent: Wednesday, June 05, 2002 3:01 AM
To: James Developers List
Subject: RE: SPAM origin

> If anyone knows how
> to configure
> the send from address using the NotifySender mailet, please let
> me know. The
> current alternative I'm using is to bit-bucket emails from postmaster to
> postmaster.

Try using the Redirect mailet instead, it is designed to be much more
configurable in its behaviour than the simpler Notify mailets.

to get you started you might try this:

                        <mailet match="All" class="Redirect">
                                <!--send it back to the sender-->
                                <recipients>sender</recipients>
                                <!--From a special address-->
                                <sender>spam-manager@mydomain.com</sender>
                                <!--with this message as the message body-->
                                <message>Spam rejected by mydomain</message>
                                <!--With nothing else appended-->
                                <inline>none</inline>
                                <!--Attach the original message-->
                                <attachment>message</attachment>
                                <!--Dont send generated error messages-->
                                <attachError>FALSE</attachError>
                                <!--Prefix the original subject with this-->
                                <prefix>[mail delivery system spam notification]</prefix>
                                <!--calculate the sender address every time-->
                                <static>FALSE</static>
                                <!--Kill the original mail in this mailet-->
                                <passThrough>FALSE</passThrough>
                        </mailet>

..and if you're into hacking mailets Redirect is intended to be extended to
allow you to override the methods that generate sender and recipient
addresses so you can quickly deploy your own, more obscure, behaviour.

d.




RE: SPAM origin

Posted by Danny Angus <da...@apache.org>.
> If anyone knows how
> to configure
> the send from address using the NotifySender mailet, please let
> me know. The
> current alternative I'm using is to bit-bucket emails from postmaster to
> postmaster.

Try using the Redirect mailet instead, it is designed to be much more
configurable in its behaviour than the simpler Notify mailets.

to get you started you might try this:

			<mailet match="All" class="Redirect">
				<!--send it back to the sender-->
				<recipients>sender</recipients>
				<!--From a special address-->
				<sender>spam-manager@mydomain.com</sender>
				<!--with this message as the message body-->
				<message>Spam rejected by mydomain</message>
				<!--With nothing else appended-->
				<inline>none</inline>
				<!--Attach the original message-->
				<attachment>message</attachment>
				<!--Dont send generated error messages-->
				<attachError>FALSE</attachError>
				<!--Prefix the original subject with this-->
				<prefix>[mail delivery system spam notification]</prefix>
				<!--calculate the sender address every time-->
				<static>FALSE</static>
				<!--Kill the original mail in this mailet-->
				<passThrough>FALSE</passThrough>
			</mailet>

..and if you're into hacking mailets Redirect is intended to be extended to
allow you to override the methods that generate sender and recipient
addresses so you can quickly deploy your own, more obscure, behaviour.

d.




RE: SPAM origin

Posted by Clinton Goudie <Cl...@magicalspirits.net>.
Something I read while I was researching the RBL was that often if the
address resolves that you should do a dns lookup of type text, for
example....
-----------------------------------------------------------------------------
> set type=all
> 101.83.241.128.sbl.spamhaus.org
Server:  UnKnown
Address:  10.0.0.1

Non-authoritative answer:
101.83.241.128.sbl.spamhaus.org internet address = 127.0.0.2
101.83.241.128.sbl.spamhaus.org text =

        "Listed on SBL - see http://spamhaus.org/SBL/sbl.lasso?query=SBX3120"
-----------------------------------------------------------------------------

This is the text you're supposed to send back with the reply, although the
way James does it, it doesn't look up this information, rather it just sends
back the notice posted in the <notify> tag.

It might be valuable to collect this information when notifying the sender
that they are blacklisted... This information will immediately lead them to
why they are there, instead of just leaving some poor user, whose ISP has
ended up on the blacklist, out in the cold.

The ORDB and osirusoft are the good way to go.

Also, another good option is sbl.spamhaus.org. (
http://www.spamhaus.org/SBL/ ) I've added this rbl filter for my server, and
all I can say is they have an incredible spam kill rate. I've not seen a
spam message come through my server since I added this one, whereas ORDB
and osirusoft do less of specific spam filtering types of things, and more
of the open relay prevention. These guys trace down the individuals sending
the spam and have some really interesting information about them.

On another note, I really like the idea of getting James to trace back
through the forwarding steps as an option and do rbl lookups on each one.

Something I found extremely handy was to create a separate processor in my
config.xml for blacklisted items so I could attempt to notify the sender in
specific ways, send it to a different repository, or just bit-bucket it.

This is when I got into trying to have the mailet notify sender from a
bit-bucket address instead of postmaster, as most of the sender addresses
were bogus, and then I end up receiving the spam through the postmaster
account as a delivery notification failure. If anyone knows how to configure
the send from address using the NotifySender mailet, please let me know. The
current alternative I'm using is to bit-bucket emails from postmaster to
postmaster.

I'd be happy to incorporate my changes in a well documented config.xml and
send them though should anyone be interested...


Clint



-----Original Message-----
From: Noel J. Bergman [mailto:noel@devtech.com]
Sent: Sunday, June 02, 2002 10:22 PM
To: James Users List
Subject: RE: SPAM origin

Serge,

Well, as it happens, I received some e-mail fitting the criteria just
earlier today.  A legit host carried it from an open relay.

As for the DNS checks, I'm going to remove the mail-abuse checks, and pare
down to just relays.osirusoft.com and relays.ordb.org.

I'm thinking that it might be a good policy to tag possible SPAM with
X-Spam-Warning or X-RBL-Warning headers.  That would allow someone to pass
the e-mail along, but make it easy to filter on the client.  [More on this
in a James-Dev thread]

        --- Noel

-----Original Message-----
From: Serge Knystautas [mailto:sergek@lokitech.com]
Sent: Sunday, June 02, 2002 23:20
To: James Users List
Cc: Russell Coker
Subject: Re: SPAM origin


It might be worth doing... the thing is, if there is an open relay, it's
probably getting to you from that open relay (as opposed to going from
one to another).  Downside though is it makes mail processing a lot
slower.  If you comment out the DNS related checks in your spool
processor, generally you'll see a huge increase in performance.  So
doubling or more the number of checks probably is overkill.  But it
certainly might be worth having as an option.
--
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Right now InSpammerBlacklist checks the remote address of the proximate
> relay to see if it is open.  Is that sufficient?  We are trusting that
> relay to filter out e-mail from open relay sources.
>
> Should we be (at least optionally) checking the entire series, and
> rejecting if we find any open server in the chain?
>
>       --- Noel






RE: SPAM origin

Posted by "Noel J. Bergman" <no...@devtech.com>.
Serge,

Well, as it happens, I received some e-mail fitting the criteria just
earlier today.  A legit host carried it from an open relay.

As for the DNS checks, I'm going to remove the mail-abuse checks, and pare
down to just relays.osirusoft.com and relays.ordb.org.

I'm thinking that it might be a good policy to tag possible SPAM with
X-Spam-Warning or X-RBL-Warning headers.  That would allow someone to pass
the e-mail along, but make it easy to filter on the client.  [More on this
in a James-Dev thread]

	--- Noel

-----Original Message-----
From: Serge Knystautas [mailto:sergek@lokitech.com]
Sent: Sunday, June 02, 2002 23:20
To: James Users List
Cc: Russell Coker
Subject: Re: SPAM origin


It might be worth doing... the thing is, if there is an open relay, it's
probably getting to you from that open relay (as opposed to going from
one to another).  Downside though is it makes mail processing a lot
slower.  If you comment out the DNS related checks in your spool
processor, generally you'll see a huge increase in performance.  So
doubling or more the number of checks probably is overkill.  But it
certainly might be worth having as an option.
--
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Right now InSpammerBlacklist checks the remote address of the proximate
> relay to see if it is open.  Is that sufficient?  We are trusting that
> relay to filter out e-mail from open relay sources.
>
> Should we be (at least optionally) checking the entire series, and
> rejecting if we find any open server in the chain?
>
> 	--- Noel






Re: SPAM origin

Posted by Serge Knystautas <se...@lokitech.com>.
It might be worth doing... the thing is, if there is an open relay, it's 
probably getting to you from that open relay (as opposed to going from 
one to another).  Downside though is it makes mail processing a lot 
slower.  If you comment out the DNS related checks in your spool 
processor, generally you'll see a huge increase in performance.  So 
doubling or more the number of checks probably is overkill.  But it 
certainly might be worth having as an option.
-- 
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Right now InSpammerBlacklist checks the remote address of the proximate
> relay to see if it is open.  Is that sufficient?  We are trusting that relay
> to filter out e-mail from open relay sources.
> 
> Should we be (at least optionally) checking the entire series, and rejecting
> if we find any open server in the chain?
> 
> 	--- Noel






Re: SPAM origin

Posted by Russell Coker <ru...@coker.com.au>.
On Mon, 3 Jun 2002 03:47, Noel J. Bergman wrote:
> Right now InSpammerBlacklist checks the remote address of the proximate
> relay to see if it is open.  Is that sufficient?  We are trusting that
> relay to filter out e-mail from open relay sources.
>
> Should we be (at least optionally) checking the entire series, and
> rejecting if we find any open server in the chain?

Ideally yes.

Most email programs only check the IP address that is being used to make the 
connection, it's much easier to code that way and impossible to fool.

But what we would ideally like to do is catch the case where an ISP customer 
is running an open relay and the ISP relays mail for its customers.  Then 
the ISP relay may be operating correctly but allowing spam through from its 
customer.  ORBS used to run two separate lists for such things, one would 
list the spam outputs (ISP relays) and the other would list the spam inputs 
(open relays run by ISP customers).

I don't think that the current DNSBL setups give you that choice now 
(although I haven't investigated it closely - my email setup only allows 
filtering on IP address used to make the connection).

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
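
The two ideas raised in this thread, checking every relay named in the Received chain rather than only the connecting address, and returning the blacklist's TXT record as the reason, shown together as an added Python example (not James code and not from any poster). The sample message, the fake_lookup resolver table and all function names are constructed for illustration, and it assumes the topmost Received header was written by your own server.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message; MTAs prepend Received, so the nearest hop comes first.
SAMPLE = (
    "Received: from relay.isp.example ([192.0.2.25]) by mx.mydomain.example\n"
    "Received: from customer.example ([128.241.83.101]) by relay.isp.example\n"
    "Received: from pc ([10.1.2.3]) by customer.example\n"
    "Subject: constructed test message\n\nbody\n"
)

# Constructed stand-in for DNS: (query name, record type) -> answers.
# The listed name and TXT text are the ones in the nslookup output in this thread.
FAKE_DNS = {
    ("101.83.241.128.sbl.spamhaus.org", "A"): ["127.0.0.2"],
    ("101.83.241.128.sbl.spamhaus.org", "TXT"):
        ["Listed on SBL - see http://spamhaus.org/SBL/sbl.lasso?query=SBX3120"],
}

# Private and loopback ranges are never listed on a DNSBL, so skip them.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def fake_lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def relay_chain(raw_message):
    """IPv4 addresses named in Received headers, nearest hop first."""
    chain = []
    for header in message_from_string(raw_message).get_all("Received", []):
        for text in BRACKETED_IPV4.findall(header):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:          # e.g. [999.1.1.1] in a malformed header
                continue
            if not any(ip in net for net in NOT_ROUTABLE):
                chain.append(ip)
    return chain

def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def check_chain(raw_message, zones, lookup=fake_lookup):
    """One finding per listed hop. Hop 0 was logged by our own server; later
    hops come from headers written by other hosts and can be forged."""
    findings = []
    for hop, ip in enumerate(relay_chain(raw_message)):
        for zone in zones:
            name = dnsbl_name(ip, zone)
            if lookup(name, "A"):       # any A answer means "listed"
                txt = " ".join(lookup(name, "TXT"))
                findings.append({"hop": hop, "ip": str(ip), "zone": zone,
                                 "reason": txt, "from_upstream_header": hop > 0})
    return findings
```

Each hop costs one DNS query per zone, which is the slowdown Serge describes; a finding with from_upstream_header set is better suited to tagging (an X-RBL-Warning style header) than to outright rejection, since that address was not observed directly.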
