Posted to users@spamassassin.apache.org by ram <ra...@netcore.co.in> on 2008/03/27 11:06:04 UTC

Spam abuse report plugin

I get a lot of spam on my servers which get detected by SA though are
generated by innocent mail servers.

We see a lot of mail users have insanely simple passwords, spammers are
using these accounts and send spam. By the time the administrator
realizes the server has sent 1000's of spam 

If spamassassin had an option to send abuse report to servers
automatically and send mails to abuse@<server-admin> the moment the
first sure spam comes in the admin could be warned before much damage
has been done. Obviously we limit to only 1 or 2 reports in an hour to a
particular id

Thanks
Ram


PS:

I know having strict passwords is the solution, but any admin worth his
job knows how difficult it is to get everyone to change their passwords

RE: Spam abuse report plugin

Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
Jari

A LOT of clueless mail server admins send us reports about mailscanner.info

We have a standard reply telling them to get a $clue, but I'd prefer that my staff's time was spent dealing with proper issues :)


--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland  Company No.: 370845




Re: Spam abuse report plugin

Posted by Jari Fredriksson <ja...@iki.fi>.
> As long as you whitelist MailScanner.info
> 
> I am sick to my teeth of receiving abuse reports about a
> domain that never sends email and is used to block spam 
> 
> /me wanders off to rant elsewhere

WTF? is this all about?

Who has reported MailScanner.info as a spammer?



RE: Spam abuse report plugin

Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
As long as you whitelist MailScanner.info

I am sick to my teeth of receiving abuse reports about a domain that never sends email and is used to block spam

/me wanders off to rant elsewhere



Re: Spam abuse report plugin

Posted by Jari Fredriksson <ja...@iki.fi>.
> I get a lot of spam on my servers which get detected by
> SA though are generated by innocent mail servers.
> 
> We see a lot of mail users have insanely simple passwords
> , spammers are using these accounts and send spam. By the
> time the administrator realizes the server has sent
> 1000's of spam 
> 
> If spamassassin had an option to send abuse report to
> servers automatically and send mails to
> abuse@<server-admin> the moment the first sure spam comes
> in the admin could be warned before much damage has been
> done. Obviously we limit to only 1 or 2 reports in an
> hour to a particular id 
> 

You could open a reporting account at SpamCop.net, and carefully redirect certain spam messages to their service (via email). SpamCop then generates an abuse report.

After SpamCop receives your report, they send you (the configured email address there) a confirmation mail, which has to be handled by you manually, or by a robot (like spamcup). When confirmed, they send abuse-reports on your behalf.

If you want to automate this, it needs some scripting (and automating it may be against SpamCop's policy), but it can be done.

Automatic system works quite well, if you can be sure not to post false positives there.

Abuse reporting is not SA's job, but it's a job well done by SpamCop.net




Re: Spam abuse report plugin

Posted by Matt Kettler <mk...@verizon.net>.
ram wrote:
> I get a lot of spam on my servers which get detected by SA though are
> generated by innocent mail servers.
>
> We see a lot of mail users have insanely simple passwords , spammers are
> using these accounts and send spam. By the time the administrator
> realizes the server has sent 1000's of spam 
>
> If spamassassin had an option to send abuse report to servers
> automatically and send mails to abuse@<server-admin> the moment the
> first sure spam comes in the admin could be warned before much damage
> has been done. Obviously we limit to only 1 or 2 reports in an hour to a
> particular id 
>   
The problem is, where spamassassin ties into the mail chain, it doesn't 
have any power to generate emails. It's a message filter, any action 
beyond modifying the message at hand would be inappropriate.

You might want to look at a log watcher like swatch to handle this.

In my own setup, I use prelude IDS for log monitoring, and have Nagios 
configured to fire off alarm emails when the prelude event rate gets too 
high. However, that's probably very over-complicated if you don't 
already use both tools for other network monitoring needs.




Re: Spam abuse report plugin

Posted by Jo Rhett <jr...@netconsonance.com>.
On Mar 28, 2008, at 7:42 AM, Matus UHLAR - fantomas wrote:
> On 27.03.08 19:58, ram wrote:
>> I personally don't like the traditional SpamCop report method of
>> forwarding.
>> SpamCop uses a double confirm method, and to confirm all mails is a
>> pain. I will look at how to automate this. I trust SpamCop should not
>> mind. This is building SpamCop's database of spam originating machines.
>
> I guess the main reason why SpamCop wants to confirm all submissions is to
> avoid automatic submissions. Unless you want to be refused by SpamCop,
> confirm everything manually or use other reporting site...

With good reason.  We regularly see people enable some sort of  
automation, and then start feeding us spamcop reports for all of  
their opt-in mail.  We report them, and the spamcop account gets shut  
down.

Please people: if you're going to try and automate it, then test your  
automation by sending all the reports to yourself first.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: Spam abuse report plugin

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 27.03.08 19:58, ram wrote:
> I personally don't like the traditional SpamCop report method of
> forwarding.
> SpamCop uses a double confirm method, and to confirm all mails is a
> pain. I will look at how to automate this. I trust SpamCop should not
> mind. This is building SpamCop's database of spam originating machines.

I guess the main reason why SpamCop wants to confirm all submissions is to
avoid automatic submissions. Unless you want to be refused by SpamCop,
confirm everything manually or use other reporting site...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".

Re: Spam abuse report plugin

Posted by ram <ra...@netcore.co.in>.
On Thu, 2008-03-27 at 10:04 -0400, Michael Scheidell wrote:
> > From: ram <ra...@netcore.co.in>
> > Date: Thu, 27 Mar 2008 15:36:04 +0530
> > To: spamassassin-users <us...@spamassassin.apache.org>
> > Subject: Spam abuse report plugin
> > 
> > I get a lot of spam on my servers which get detected by SA though are
> > generated by innocent mail servers.
> > 
> > We see a lot of mail users have insanely simple passwords , spammers are
> > using these accounts and send spam. By the time the administrator
> > realizes the server has sent 1000's of spam
> So you would spam the abuse@ account '-)
> 
> > 
> > If spamassassin had an option to send abuse report to servers
> > automatically and send mails to abuse@<server-admin> the moment the
> > first sure spam comes in the admin could be warned before much damage
> > has been done. Obviously we limit to only 1 or 2 reports in an hour to a
> > particular id 
> 
> Best is to set up something to use 'spamassassin -r' (report) feature.
> Set up a SpamCop account, put that information in local.cf.
> SpamCop will scan the emails for uri's add them to uri blacklists, add the
> server to spamcop blacklists, track down the responsible isp, and pre-format
> a complain email.
> 
OK. Will definitely try this, thanks. Does this work with the free
SpamCop report id too?

> If you have DCC and RAZOR, it will also submit the information to those
> databases.
> 
> NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_ SPAM
> INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.
> 
> 

I personally don't like the traditional SpamCop report method of
forwarding.
SpamCop uses a double confirm method, and to confirm all mails is a
pain. I will look at how to automate this. I trust SpamCop should not
mind. This is building SpamCop's database of spam originating machines.

I do not see how I will spam the abuse@<domain> or contribute to
backscatter, because the report will not be sent to the email-from
domain, but to the administrator of the mailserver from where the mail
originated (that could be forged too, but the percentages are too
small to bother about). I assume these IPs will have PTRs and point to
proper domains, else discard.
Anyway, 2 report mails an hour will not spam an abuse@ account IMHO.

Thanks
Ram

RE: Spam abuse report plugin

Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original Message-----
> From: Eddy Beliveau [mailto:eddy.beliveau@hec.ca]
> Sent: Friday, April 04, 2008 6:17 PM
> 
> ----- Original Message -----
> From: "Michael Scheidell" <sc...@secnap.net>
> To: "ram" <ra...@netcore.co.in>; "spamassassin-users"
> <us...@spamassassin.apache.org>
> Sent: 27 March 2008 10:04
> Subject: Re: Spam abuse report plugin
> 
> 
> 
> Hi!
> 
> This subject is very interesting
> 
> I received many spams daily and have to manually analyse headers or
> email
> content to be able to send abuse report
> 
> Is there a tool which can do this for me ?
> 
> I imagine some web form (unix/windows) in which I can put a cut/paste
> of
> original email (including headers)
> and that tool can prepare abuse complaint automagically.
> 
> Does that beast exist ?

Of course, even this time my fast-reading capabilities have failed.

I previously replied suggesting something to you which doesn't fit your
needs at all.

You instead just need a standard reporting account in SpamCop
(www.spamcop.net). This too is free. Through that account you may upload
messages by web or you may forward them by mail to the SpamCop engine, which
will detect any possible mail address of people who are somehow involved in
that spam. It may also send an automatic report for you!

I strongly suggest having a look at it.

Giampaolo


> 
> Thanks,
> Eddy


Re: Spam abuse report plugin

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 04.04.08 12:16, Eddy Beliveau wrote:
> This subject is very interesting
> 
> I received many spams daily and have to manually analyse headers or email 
> content to be able to send abuse report
> 
> Is there a tool which can do this for me ?
> 
> I imagine some web form (unix/windows) in which I can put a cut/paste of 
> original email (including headers)
> and that tool can prepare abuse complaint automagically.
> 
> Does that beast exist ?

What about changing the way? First forward the mail to a special address and
then confirm it via webform?

That's how SpamCop works now....
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains? 

Re: Spam abuse report plugin

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 05.04.08 02:04, Benny Pedersen wrote:
> On Fri, April 4, 2008 19:22, decoder wrote:
> 
> > first hop, that one might be forged by spammers. So already determining a
> > sure source address is something that can hardly be automatised.
> 
> Well, amavisd gets the origin IP and relay IP, why can't spamassassin use
> that as well?

the origin IP can be faked and there may be more relays...
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average. 

Re: Spam abuse report plugin

Posted by Benny Pedersen <me...@junc.org>.
On Fri, April 4, 2008 19:22, decoder wrote:

> first hop, that one might be forged by spammers. So already determining a
> sure source address is something that can hardly be automatised.

Well, amavisd gets the origin IP and relay IP, why can't spamassassin use
that as well?


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Spam abuse report plugin

Posted by decoder <de...@own-hero.net>.
Eddy Beliveau wrote:
> ----- Original Message -----
> From: "Michael Scheidell" <sc...@secnap.net>
> To: "ram" <ra...@netcore.co.in>; "spamassassin-users"
> <us...@spamassassin.apache.org>
> Sent: 27 March 2008 10:04
> Subject: Re: Spam abuse report plugin
>
>
>>
>>> From: ram <ra...@netcore.co.in>
>>> Date: Thu, 27 Mar 2008 15:36:04 +0530
>>> To: spamassassin-users <us...@spamassassin.apache.org>
>>> Subject: Spam abuse report plugin
>>>
>>> I get a lot of spam on my servers which get detected by SA though are
>>> generated by innocent mail servers.
>>>
>>> We see a lot of mail users have insanely simple passwords , spammers 
>>> are
>>> using these accounts and send spam. By the time the administrator
>>> realizes the server has sent 1000's of spam
>> So you would spam the abuse@ account '-)
>>
>>>
>>> If spamassassin had an option to send abuse report to servers
>>> automatically and send mails to abuse@<server-admin> the moment the
>>> first sure spam comes in the admin could be warned before much damage
>>> has been done. Obviously we limit to only 1 or 2 reports in an hour 
>>> to a
>>> particular id
>>
>> Best is to set up something to use 'spamassassin -r' (report) feature.
>> Set up a SpamCop account, put that information in local.cf.
>> SpamCop will scan the emails for uri's add them to uri blacklists, 
>> add the
>> server to spamcop blacklists, track down the responsible isp, and 
>> pre-format
>> a complain email.
>>
>> If you have DCC and RAZOR, it will also submit the information to those
>> databases.
>>
>> NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_ SPAM
>> INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.
>
> Hi!
>
> This subject is very interesting
>
> I received many spams daily and have to manually analyse headers or 
> email content to be able to send abuse report
>
> Is there a tool which can do this for me ?
>
> I imagine some web form (unix/windows) in which I can put a cut/paste 
> of original email (including headers)
> and that tool can prepare abuse complaint automagically.
>
> Does that beast exist ?
There is a very basic problem with that. You normally report abuse for 
domains or IPs, however, you do not know the originating IP in most 
cases, because you cannot trust headers. There might be innocent relays 
(freemailers for example) in the middle, and you cannot simply pick the 
first hop, that one might be forged by spammers. So already determining a
sure source address is something that can hardly be automatised.


Best regards,


Chris

>
> Thanks,
> Eddy
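
The header-trust problem raised in the message above, combined with the one-or-two-reports-per-hour cap and the advice elsewhere in the thread to send reports to yourself first, as an added example (not code from any poster, from spamgrass, or from SpamAssassin). The trusted network list, host names, addresses and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample: the top two Received lines were written by our own
# hosts; the bottom one was supplied by the sender and may be forged.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [10.0.0.5])
\tby store.example.net with ESMTP id A1; Thu, 27 Mar 2008 10:06:09 +0000
Received: from mail.customer.example (unknown [198.51.100.7])
\tby mx1.example.net with ESMTP id B2; Thu, 27 Mar 2008 10:06:04 +0000
Received: from [192.0.2.99] (helo=bank.example)
\tby mail.innocent.example with SMTP id C3; Thu, 27 Mar 2008 10:05:58 +0000
From: "Forged" <someone@innocent.example>
Subject: constructed test message

body
"""

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def peer_ip(received_value):
    """IP literal in the 'from' clause of one Received header, or None."""
    from_clause = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    m = BRACKETED_IP.search(from_clause)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None


def handoff_ip(raw_message, trusted_networks):
    """Walk Received headers newest-first and return the first peer IP that
    is outside trusted_networks: the only hop one of our hosts observed."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = peer_ip(value)
        if ip is None:
            return None  # a hop we cannot parse: do not guess a source
        if not any(ip in net for net in nets):
            return ip    # every header below this one is sender-controlled
    return None          # the message never left trusted hosts


class ReportLimiter:
    """Allow at most max_reports per window (seconds) for each target."""
    def __init__(self, max_reports=2, window=3600):
        self.max_reports, self.window = max_reports, window
        self.sent = defaultdict(deque)

    def allow(self, target, now):
        q = self.sent[target]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_reports:
            return False
        q.append(now)
        return True


def plan_report(raw_message, trusted_networks, limiter, now, review_mailbox):
    """Return a report plan, or None if no reliable source or over the cap."""
    # The plan is addressed to the operator's own review mailbox, never to an
    # address derived from headers, so false positives are caught locally.
    ip = handoff_ip(raw_message, trusted_networks)
    if ip is None or not limiter.allow(str(ip), now):
        return None
    return {"source_ip": str(ip), "to": review_mailbox}
```

With `10.0.0.0/8` trusted, the sample yields 198.51.100.7; the 192.0.2.99 hop in the sender-supplied header is never used as a report target.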



RE: Spam abuse report plugin

Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original Message-----
> From: Eddy Beliveau [mailto:eddy.beliveau@hec.ca]
> Sent: Friday, April 04, 2008 6:17 PM
> 
> ----- Original Message -----
> From: "Michael Scheidell" <sc...@secnap.net>
> To: "ram" <ra...@netcore.co.in>; "spamassassin-users"
> <us...@spamassassin.apache.org>
> Sent: 27 March 2008 10:04
> Subject: Re: Spam abuse report plugin
> 
> 
> >
> >> From: ram <ra...@netcore.co.in>
> >> Date: Thu, 27 Mar 2008 15:36:04 +0530
> >> To: spamassassin-users <us...@spamassassin.apache.org>
> >> Subject: Spam abuse report plugin
> >>
> >> I get a lot of spam on my servers which get detected by SA though
> are
> >> generated by innocent mail servers.
> >>
> >> We see a lot of mail users have insanely simple passwords , spammers
> are
> >> using these accounts and send spam. By the time the administrator
> >> realizes the server has sent 1000's of spam
> > So you would spam the abuse@ account '-)
> >
> >>
> >> If spamassassin had an option to send abuse report to servers
> >> automatically and send mails to abuse@<server-admin> the moment the
> >> first sure spam comes in the admin could be warned before much
> damage
> >> has been done. Obviously we limit to only 1 or 2 reports in an hour
> to a
> >> particular id
> >
> > Best is to set up something to use 'spamassassin -r' (report)
> feature.
> > Set up a SpamCop account, put that information in local.cf.
> > SpamCop will scan the emails for uri's add them to uri blacklists,
> add the
> > server to spamcop blacklists, track down the responsible isp, and
> > pre-format
> > a complain email.
> >
> > If you have DCC and RAZOR, it will also submit the information to
> those
> > databases.
> >
> > NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_
> SPAM
> > INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.
> 
> Hi!
> 
> This subject is very interesting
> 
> I received many spams daily and have to manually analyse headers or
> email
> content to be able to send abuse report
> 
> Is there a tool which can do this for me ?
> 
> I imagine some web form (unix/windows) in which I can put a cut/paste
> of
> original email (including headers)
> and that tool can prepare abuse complaint automagically.
> 
> Does that beast exist ?

Well, if you run amavisd-new as a filter over postfix, I can spare my one
dirty script.

It is named "spamgrass". It should periodically run as the user owning the
amavisd quarantine directory (often "amavis", but your mileage may vary).
When run, it scans the quarantine dir looking for high-scoring spam (default
threshold is 20) and virus mails, then it "packs" as many messages as it can
in a report message to be sent to your own quickreport account at spamcop.
Also, it keeps track of the last message scanned, to avoid reporting already
reported messages. There are also options to your own local handoff headers
in order to avoid disclosing your topology, antispam and antivirus kind and
setup to people to whom reports will be sent.

You may get the latest copy @ http://www.tomassoni.biz/download/spamgrass.pl.

Have a look at the plenty of options available first. In the first stages
of deploying, the --dry-run option may be very useful.

Enjoy,

Giampaolo


> 
> Thanks,
> Eddy


Re: Spam abuse report plugin

Posted by Eddy Beliveau <ed...@hec.ca>.
----- Original Message -----
From: "Michael Scheidell" <sc...@secnap.net>
To: "ram" <ra...@netcore.co.in>; "spamassassin-users"
<us...@spamassassin.apache.org>
Sent: 27 March 2008 10:04
Subject: Re: Spam abuse report plugin


>
>> From: ram <ra...@netcore.co.in>
>> Date: Thu, 27 Mar 2008 15:36:04 +0530
>> To: spamassassin-users <us...@spamassassin.apache.org>
>> Subject: Spam abuse report plugin
>>
>> I get a lot of spam on my servers which get detected by SA though are
>> generated by innocent mail servers.
>>
>> We see a lot of mail users have insanely simple passwords , spammers are
>> using these accounts and send spam. By the time the administrator
>> realizes the server has sent 1000's of spam
> So you would spam the abuse@ account '-)
>
>>
>> If spamassassin had an option to send abuse report to servers
>> automatically and send mails to abuse@<server-admin> the moment the
>> first sure spam comes in the admin could be warned before much damage
>> has been done. Obviously we limit to only 1 or 2 reports in an hour to a
>> particular id
>
> Best is to set up something to use 'spamassassin -r' (report) feature.
> Set up a SpamCop account, put that information in local.cf.
> SpamCop will scan the emails for uri's add them to uri blacklists, add the
> server to spamcop blacklists, track down the responsible isp, and 
> pre-format
> a complain email.
>
> If you have DCC and RAZOR, it will also submit the information to those
> databases.
>
> NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_ SPAM
> INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.

Hi!

This subject is very interesting

I received many spams daily and have to manually analyse headers or email 
content to be able to send abuse report

Is there a tool which can do this for me ?

I imagine some web form (unix/windows) in which I can put a cut/paste of 
original email (including headers)
and that tool can prepare abuse complaint automagically.

Does that beast exist ?

Thanks,
Eddy 


Re: Spam abuse report plugin

Posted by Michael Scheidell <sc...@secnap.net>.
> From: ram <ra...@netcore.co.in>
> Date: Thu, 27 Mar 2008 15:36:04 +0530
> To: spamassassin-users <us...@spamassassin.apache.org>
> Subject: Spam abuse report plugin
> 
> I get a lot of spam on my servers which get detected by SA though are
> generated by innocent mail servers.
> 
> We see a lot of mail users have insanely simple passwords , spammers are
> using these accounts and send spam. By the time the administrator
> realizes the server has sent 1000's of spam
So you would spam the abuse@ account '-)

> 
> If spamassassin had an option to send abuse report to servers
> automatically and send mails to abuse@<server-admin> the moment the
> first sure spam comes in the admin could be warned before much damage
> has been done. Obviously we limit to only 1 or 2 reports in an hour to a
> particular id 

Best is to set up something to use 'spamassassin -r' (report) feature.
Set up a SpamCop account, put that information in local.cf.
SpamCop will scan the emails for URIs, add them to URI blacklists, add the
server to SpamCop blacklists, track down the responsible ISP, and pre-format
a complaint email.

If you have DCC and RAZOR, it will also submit the information to those
databases.

NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_ SPAM
INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium
