Posted to users@spamassassin.apache.org by Mike Bro <li...@gmail.com> on 2010/09/07 17:46:16 UTC

Checking envelope sender

Hello,

Environment:
latest sendmail and latest spamassassin

I am just trying to fight with spammer that used to send too many emails.
The pattern I discovered is that during smtp communication with my
incoming mail server in from field he puts something like:
MAIL FROM: <"some rubbish words" <>>

That results in my qf... file as line:
S<"some rubbish words" <>>

Any idea how I could write a rule in spamassassin to test this line?

Thanks in advance,
Mike

Re: Checking envelope sender

Posted by Joseph Brennan <br...@columbia.edu>.

> MAIL FROM: <"some rubbish words" <>>


Why doesn't sendmail reject it like it does here?

Sep  6 04:57:26 calabash sm-mta[22772]: [ID 801593 mail.notice] 
o868vKo9022772: ruleset=check_mail, arg1=<"vjaqrra scuper acntive make your 
sskexxual" <>>, relay=adsl-pool-124.157.160-227.dynamic.tttmaxnet.com 
[124.157.160.227] (may be forged), reject=553 5.5.4 <"vjaqrra scuper 
acntive make your sskexxual" <>>... Domain name required for sender address



Joseph Brennan
Columbia University Information Technology


Re: Checking envelope sender

Posted by John Hardin <jh...@impsec.org>.
On Wed, 8 Sep 2010, Mike Bro wrote:

> I cannot afford rejecting all null senders as those could be
> legitimate Delivery Status Notification messages.
>
> What I am looking for is a pattern for line:
> MAIL FROM: <"do not mock at your poetenncy - bujyj vjaqrra ppislls" <>>
> while I want to allow:
> MAIL FROM: <>
>
> So any ideas are appreciated whether on sendmail or spamassassin level.

As I suggested earlier, take a look at milter-regex.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   End users want eye candy and the "ooo's and aaaahhh's" experience
   when reading mail. To them email isn't a tool, but an entertainment
   form.                                                 -- Steve Lake
-----------------------------------------------------------------------
  9 days until the 223rd anniversary of the signing of the U.S. Constitution

Re: Checking envelope sender

Posted by Bowie Bailey <Bo...@BUC.com>.
 On 9/8/2010 11:45 AM, Mike Bro wrote:
> Hi Bowie,
>
> You wrote:
>> The .qf file is not visible to SpamAssassin.  SA only looks at the email
>> and headers.  If you want to reject/score based on the envelope sender,
>> you will need to either do it at the MTA level or find out if sendmail
>> puts the information into a header that SA can see.
> Thanks for this information. I just wasn't completely sure that's the case.
> Any idea how I can politely (in .mc) ask sendmail to put the whole
> MAIL FROM line into
> a header?

I don't use sendmail myself, so I don't know.  It might already be
there.  Post one of the spams (with headers) to a pastebin so we can see
what's there.

-- 
Bowie

Re: Checking envelope sender

Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.
Hi!

On Mit, 2010-09-08 at 16:45 +0100, Mike Bro wrote:
[...]
> You wrote:
> > The .qf file is not visible to SpamAssassin.  SA only looks at the email
> > and headers.  If you want to reject/score based on the envelope sender,
> > you will need to either do it at the MTA level or find out if sendmail
> > puts the information into a header that SA can see.
> 
> Thanks for this information. I just wasn't completely sure that's the case.
> Any idea how I can politely (in .mc) ask sendmail to put the whole
> MAIL FROM line into
> a header?

http://www.mail-archive.com/spamassassin-talk@lists.sourceforge.net/msg16374.html
and the surrounding thread.

	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at


Re: Checking envelope sender

Posted by Mike Bro <li...@gmail.com>.
Hi Bowie,

You wrote:
> The .qf file is not visible to SpamAssassin.  SA only looks at the email
> and headers.  If you want to reject/score based on the envelope sender,
> you will need to either do it at the MTA level or find out if sendmail
> puts the information into a header that SA can see.

Thanks for this information. I just wasn't completely sure that's the case.
Any idea how I can politely (in .mc) ask sendmail to put the whole
MAIL FROM line into
a header?

Re: Checking envelope sender

Posted by Bowie Bailey <Bo...@BUC.com>.
 On 9/8/2010 11:10 AM, Mike Bro wrote:
> Thanks for your interest in this topic. The part of mail.log and the
> qf file is at:
> http://pastebin.com/0QzqLxs1
>
> This particular example has been marked as spam, but the sender's
> information didn't play a role in this classification.
>
> Re: Joseph Brennan:
>> Why doesn't sendmail reject it like it does here? (..) .. Domain name required for sender address
> I cannot afford rejecting all null senders as those could be
> legitimate Delivery Status Notification messages.
>
> What I am looking for is a pattern for line:
> MAIL FROM: <"do not mock at your poetenncy - bujyj vjaqrra ppislls" <>>
> while I want to allow:
> MAIL FROM: <>
>
> So any ideas are appreciated whether on sendmail or spamassassin level.

The .qf file is not visible to SpamAssassin.  SA only looks at the email
and headers.  If you want to reject/score based on the envelope sender,
you will need to either do it at the MTA level or find out if sendmail
puts the information into a header that SA can see.

-- 
Bowie

Re: Checking envelope sender

Posted by Steve Freegard <st...@fsl.com>.
On 08/09/10 16:10, Mike Bro wrote:
> Thanks for your interest in this topic. The part of mail.log and the
> qf file is at:
> http://pastebin.com/0QzqLxs1
>
> This particular example has been marked as spam, but the sender's
> information didn't play a role in this classification.
>
> Re: Joseph Brennan:
>> Why doesn't sendmail reject it like it does here? (..) .. Domain name required for sender address
> I cannot afford rejecting all null senders as those could be
> legitimate Delivery Status Notification messages.
>
> What I am looking for is a pattern for line:
> MAIL FROM:<"do not mock at your poetenncy - bujyj vjaqrra ppislls"<>>
> while I want to allow:
> MAIL FROM:<>
>
> So any ideas are appreciated whether on sendmail or spamassassin level.
>

Sounds like you have:

FEATURE(`accept_unresolvable_domains')dnl

Set in your sendmail.mc file; dnl it and Sendmail won't accept that as a 
valid sender:

MAIL FROM: <"do not mock at your poetenncy - bujyj vjaqrra ppislls" <>>
553 5.5.4 <"do not mock at your poetenncy - bujyj vjaqrra ppislls" 
<>>... Domain name required for sender address

Regards,
Steve.

Re: Checking envelope sender

Posted by Joseph Brennan <br...@columbia.edu>.

-- 
> Re: Joseph Brennan:
>> Why doesn't sendmail reject it like it does here? (..) .. Domain name
>> required for sender address
> I cannot afford rejecting all null senders as those could be
> legitimate Delivery Status Notification messages.
>
> What I am looking for is a pattern for line:
> MAIL FROM: <"do not mock at your poetenncy - bujyj vjaqrra ppislls" <>>
> while I want to allow:
> MAIL FROM: <>


That's exactly the distinction sendmail is making on my system.

mail from:<>
250 2.1.0 <>... Sender ok

mail from:<"some words"<>>
553 5.5.4 <"some words"<>>... Domain name required for sender address


That error string comes from the standard proto.m4 file.

Joseph Brennan
Columbia University Information Technology
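
The distinction discussed above (accept the bare null sender, flag a quoted phrase wrapped around an empty path), as an added example that is not part of the original thread and not code from sendmail, SpamAssassin or milter-regex. The function names and the sample lines are constructed for illustration; the regular expressions are one way to express the pattern and also tolerate trailing ESMTP parameters, which the thread does not show.

```python
import re

# Optional ESMTP parameters (e.g. SIZE=2048) that may follow the path.
_PARAMS = r'(?:\s+[A-Z0-9][A-Z0-9-]*(?:=\S+)?)*\s*$'
# Bare null reverse-path: the sender used by legitimate DSNs.
NULL_SENDER = re.compile(r'^<>' + _PARAMS, re.I)
# Quoted phrase wrapped around an empty path, as reported in the thread.
QUOTED_NULL = re.compile(r'^<\s*"(?:[^"\\]|\\.)*"\s*<>\s*>' + _PARAMS, re.I)
_MAIL_FROM = re.compile(r'^MAIL\s+FROM:\s*(.*)$', re.I)


def extract_sender(line):
    """Return the sender token from an SMTP MAIL FROM command or a qf S line."""
    line = line.strip()
    m = _MAIL_FROM.match(line)
    if m:
        return m.group(1)
    if line.startswith('S<'):      # sendmail queue file: S<envelope sender>
        return line[1:]
    return None


def classify(line):
    """Label one line: null-sender, quoted-null, other, or not-a-sender-line."""
    sender = extract_sender(line)
    if sender is None:
        return 'not-a-sender-line'
    if NULL_SENDER.match(sender):
        return 'null-sender'       # allow: may be a bounce
    if QUOTED_NULL.match(sender):
        return 'quoted-null'       # the pattern the poster wants to catch
    return 'other'


def flagged(lines):
    """Return only the lines carrying the quoted-phrase null sender."""
    return [l for l in lines if classify(l) == 'quoted-null']


# Constructed sample lines, modelled on the forms quoted in the thread.
SAMPLES = [
    'MAIL FROM: <>',
    'MAIL FROM:<> SIZE=2048',
    'MAIL FROM: <"some rubbish words" <>>',
    'mail from:<"some words"<>>',
    'S<"some rubbish words" <>>',
    'MAIL FROM:<user@example.com>',
    'RCPT TO:<user@example.com>',
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(f'{classify(s):18} {s}')
```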


Re: Checking envelope sender

Posted by Mike Bro <li...@gmail.com>.
Thanks for your interest in this topic. The part of mail.log and the
qf file is at:
http://pastebin.com/0QzqLxs1

This particular example has been marked as spam, but the sender's
information didn't play a role in this classification.

Re: Joseph Brennan:
> Why doesn't sendmail reject it like it does here? (..) .. Domain name required for sender address
I cannot afford rejecting all null senders as those could be
legitimate Delivery Status Notification messages.

What I am looking for is a pattern for line:
MAIL FROM: <"do not mock at your poetenncy - bujyj vjaqrra ppislls" <>>
while I want to allow:
MAIL FROM: <>

So any ideas are appreciated whether on sendmail or spamassassin level.

Re: Checking envelope sender

Posted by Bowie Bailey <Bo...@BUC.com>.
 On 9/7/2010 12:50 PM, Martin Gregorie wrote:
> On Tue, 2010-09-07 at 16:46 +0100, Mike Bro wrote:
>> Hello,
>>
>> Environment:
>> latest sendmail and latest spamassassin
>>
>> I am just trying to fight with spammer that used to send too many emails.
>> The pattern I discovered is that during smtp communication with my
>> incoming mail server in from field he puts something like:
>> MAIL FROM: <"some rubbish words" <>>
>>
>> That results in my qf... file as line:
>> S<"some rubbish words" <>>
>>
>> Any idea how I could write a rule in spamassassin to test this line?
>>
> I don't recognise "MAIL FROM:" as any sort of standard mail header.
> Telling us some header is "something like" this is not useful
> information either. 
>
> If you want help, show us *exactly* what the header looks like. Better
> yet, upload the entire mail message to Pastebin or an equivalent and
> post the URL here so we can see the entire spam.

"MAIL FROM:" is the envelope sender from the smtp dialog.  This
information is not available to SA unless your MTA writes it into the
headers.  Show us a sample message (headers and all) as Martin requested
and we may be able to help.

-- 
Bowie

Re: Checking envelope sender

Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2010-09-07 at 16:46 +0100, Mike Bro wrote:
> Hello,
> 
> Environment:
> latest sendmail and latest spamassassin
> 
> I am just trying to fight with spammer that used to send too many emails.
> The pattern I discovered is that during smtp communication with my
> incoming mail server in from field he puts something like:
> MAIL FROM: <"some rubbish words" <>>
> 
> That results in my qf... file as line:
> S<"some rubbish words" <>>
> 
> Any idea how I could write a rule in spamassassin to test this line?
> 
I don't recognise "MAIL FROM:" as any sort of standard mail header.
Telling us some header is "something like" this is not useful
information either. 

If you want help, show us *exactly* what the header looks like. Better
yet, upload the entire mail message to Pastebin or an equivalent and
post the URL here so we can see the entire spam.


Martin



Re: Checking envelope sender

Posted by John Hardin <jh...@impsec.org>.
On Tue, 7 Sep 2010, Mike Bro wrote:

> Hello,
>
> Environment:
> latest sendmail and latest spamassassin
>
> I am just trying to fight with spammer that used to send too many 
> emails. The pattern I discovered is that during smtp communication with 
> my incoming mail server in from field he puts something like:
> MAIL FROM: <"some rubbish words" <>>
>
> That results in my qf... file as line:
> S<"some rubbish words" <>>
>
> Any idea how I could write a rule in spamassassin to test this line?

That depends on how Sendmail renders that in the message headers. It might 
change <> to <MA...@your_domain.etc>

A better tool for this particular problem is milter-regex. That will let 
you reject the guy the moment he sends that garbage.

Can you post an actual example of what he sends?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control is nothing more than an attempt to return to feudalism,
   where the peasants are helpless and must humbly petition their lord
   and master to protect them from bandits and thieves (when they can
   get around to it), and where the lords and masters can abuse the
   peasants whenever they like without fear of effective resistance.
-----------------------------------------------------------------------
  10 days until the 223rd anniversary of the signing of the U.S. Constitution