Posted to users@spamassassin.apache.org by Andy Norris <an...@tireswing.net> on 2004/12/14 16:46:41 UTC

need a rule to whitelist spamassassin users group

As the subject implies... what would be a good rule to use to make sure all 
this talk about spam doesn't end up in my spam trap?

(I also need to whitelist the mailscanner list messages.)

I'm just cutting my teeth on the rules writing gig. My first was to get all 
those jackrabb1t vlbrat0r5 out of my inbox ;-)

Thanks very much,

Andy


Re: need a rule to whitelist spamassassin users group

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Andy

look in the examples rule in your MailScanner rules directory...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Andy Norris wrote:
> 
> More to learn for me. I need to figure out how, then, not to pass list 
> mail through the scanner.
> 
> Thanks,
> 
> Andy
> 
> At 10:17 am 2004-12-14, you wrote:
> 
>> On Tuesday 14 December 2004 15:46, Andy Norris might have typed:
>> > As the subject implies... what would be a good rule to use to make sure all
>> > this talk about spam doesn't end up in my spam trap?
>>
>> Don't pass list mail through your scanning engine.  Best whitelist there is,
>> and it won't poison your Bayes.
> 
> 

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************


Re: need a rule to whitelist spamassassin users group

Posted by Andy Norris <an...@tireswing.net>.
More to learn for me. I need to figure out how, then, not to pass list mail 
through the scanner.

Thanks,

Andy

At 10:17 am 2004-12-14, you wrote:
>On Tuesday 14 December 2004 15:46, Andy Norris might have typed:
> > As the subject implies... what would be a good rule to use to make sure all
> > this talk about spam doesn't end up in my spam trap?
>
>Don't pass list mail through your scanning engine.  Best whitelist there is,
>and it won't poison your Bayes.


Re: need a rule to whitelist spamassassin users group

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Tuesday 14 December 2004 15:46, Andy Norris might have typed:
> As the subject implies... what would be a good rule to use to make sure all
> this talk about spam doesn't end up in my spam trap?

Don't pass list mail through your scanning engine.  Best whitelist there is, 
and it won't poison your Bayes.

RE: need a rule to whitelist spamassassin users group

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 14 Dec 2004, Evan Platt wrote:

> Andy Norris said:
>
> > Or if a company uses more than one mail server... getting all the IPs? Is
> > this just something I should email support at eBay for and see if they've
> > got something of a canned response for this?
>
> You're kidding right? First, I seriously doubt they have a canned response
> for it. Then, what are the chances of the monkey hitting the keyboard
> hitting the right key to get you the response to fit your needs?
[snip..]
> or something...) I mentioned that it was in a Usenet Newsgroup post, not
> an e-mail and then posted the usenet article, full headers and all. About
> 4 days later, I get an e-mail that in order to investigate, they need the
> full headers, and give examples of e-mail headers. I reply back that this
> is a USENET post, not e-mail, and reiterate the situation. I then another
> 4 days later get an e-mail that they will investigate <User3> and thank me
> for the information. USER3??? WHO'S THAT?? I respond again for them to

Evan,
You've got to remember that USENET predates most of the people on
the net these days. 'Course given that USENET predates the internet
that's not hard to do.

The kids these days don't know anything unless it works via point-&-click
with a browser. ;)

Don't call it USENET, call it Google-Groups. That's browserish
and so comprehensible by the masses. ;(

Dave
A computer curmudgeon who predates USENET

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

RE: need a rule to whitelist spamassassin users group

Posted by Evan Platt <ev...@espphotography.com>.
Andy Norris said:

> Or if a company uses more than one mail server... getting all the IPs? Is
> this just something I should email support at eBay for and see if they've
> got something of a canned response for this?

You're kidding right? First, I seriously doubt they have a canned response
for it. Then, what are the chances of the monkey hitting the keyboard
hitting the right key to get you the response to fit your needs?

I had a fairly lengthy exchange with eBay "SafeHarbor" once I should throw
up on my website. Essentially, User1 posted all the contact information
about User2 in a "Stay away from User2" message to a newsgroup. I went to
their appropriate form (a user published contact details of another member
or something...) I mentioned that it was in a Usenet Newsgroup post, not
an e-mail and then posted the usenet article, full headers and all. About
4 days later, I get an e-mail that in order to investigate, they need the
full headers, and give examples of e-mail headers. I reply back that this
is a USENET post, not e-mail, and reiterate the situation. I then another
4 days later get an e-mail that they will investigate <User3> and thank me
for the information. USER3??? WHO'S THAT?? I respond again for them to
READ, and see that it's USER1 - don't even know who User3 is. I then get a
reply thanking me, and that I may wish to Block User1 from e-mailing me
again by using the filters in my e-mail program...

The sound of my head hitting the desk was heard for miles.

Re: need a rule to whitelist spamassassin users group

Posted by jdow <jd...@earthlink.net>.
From: "David B Funk" <db...@engineering.uiowa.edu>


> On Tue, 14 Dec 2004, jdow wrote:
>
> > Of course, for the spamassassin lists I found something like what I did
> > in procmail is best:
> >
> > ---9<---
> > :0 fw: spamassassin.lock
> > * < 250000
> > * !^List-Id: .*(spamassassin\.apache\.org)
> > | /usr/bin/spamc -t 150
> > ---9<---
> >
> > {^_^}
>
> Ahh, I see.
> OK spammers, to blast Jane with spam just forge a spamassassin.apache.org
> List-Id header in your messages. It'll then waltz right past her filter. ;)
>
> The whole reason for the complexity of whitelist_from_rcvd is the
> work that it does to make it immune to header forgeries.

That changes to another indicator or a set of indicators once the spammers
attempt that "List-Id:" thing. Meantime it is an easy trick.

{^_-}    Joanne



Re: need a rule to whitelist spamassassin users group

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 14 Dec 2004, jdow wrote:

> Of course, for the spamassassin lists I found something like what I did
> in procmail is best:
>
> ---9<---
> :0 fw: spamassassin.lock
> * < 250000
> * !^List-Id: .*(spamassassin\.apache\.org)
> | /usr/bin/spamc -t 150
> ---9<---
>
> {^_^}

Ahh, I see.
OK spammers, to blast Jane with spam just forge a spamassassin.apache.org
List-Id header in your messages. It'll then waltz right past her filter. ;)

The whole reason for the complexity of whitelist_from_rcvd is the
work that it does to make it immune to header forgeries.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: need a rule to whitelist spamassassin users group

Posted by jdow <jd...@earthlink.net>.
From: "David B Funk" <db...@engineering.uiowa.edu>

> On Tue, 14 Dec 2004, Andy Norris wrote:
>
> >
> > In that case, this leads to another question -- how, then, to reliably
> > whitelist eBay? I would imagine they are a big target of forgers? I tried
> >
> > def_whitelist_from_rcvd  *@ebay.com  ebay.com
> >
> > but that didn't work. Now I just have
> >
> > whitelist_from  *@ebay.com  yes
.....
> With those caveats, def_whitelist_from_rcvd works just fine, I've got
> a local config file with hundreds of them to make sure that all sorts
> of potentially "troublesome" messages get properly delivered (EG lists
> like this one, Yahoo groups messages, Airline notices, etc).
>
> FYI, whitelist_from_rcvd entry for this list looks like:
>
>   whitelist_from_rcvd     *@*.apache.org  apache.org
>
> By using the wild-card for the mail host (*@*.apache.org) it works
> for lots of apache.org projects lists. ;)
>
> My eBay entries look like:
>
>  def_whitelist_from_rcvd *@*.ebay.com    ebay.com
>  def_whitelist_from_rcvd *@ebay.com      ebay.com
>  def_whitelist_from_rcvd *@*.ebay.com    emailebay.com
>  def_whitelist_from_rcvd *@ebay.com      emailebay.com

Of course, for the spamassassin lists I found something like what I did
in procmail is best:

---9<---
:0 fw: spamassassin.lock
* < 250000
* !^List-Id: .*(spamassassin\.apache\.org)
| /usr/bin/spamc -t 150
---9<---

{^_^}



RE: need a rule to whitelist spamassassin users group

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 14 Dec 2004, Andy Norris wrote:

>
> In that case, this leads to another question -- how, then, to reliably
> whitelist eBay? I would imagine they are a big target of forgers? I tried
>
> def_whitelist_from_rcvd  *@ebay.com  ebay.com
>
> but that didn't work. Now I just have
>
> whitelist_from  *@ebay.com  yes
>
> With IP addresses is there a greater chance of the server (theirs)
> crashing, and now the whitelist doesn't account for the backup mail server?
> Or if a company uses more than one mail server... getting all the IPs? Is
> this just something I should email support at eBay for and see if they've
> got something of a canned response for this?
>
> Any ideas why my first whitelist_from_rcvd rule might not have worked? It's
> in a custom rules file I have (TireSwing.cf)... I linted, and all seemed fine??
>
> Thanks,
> Andy

If everything is properly configured, (?:def_)?whitelist_from_rcvd
works just fine to whitelist mailing lists and major mail senders.
However it is a bit finicky and demands that particular things be
correct:
1) DNS resolution MUST work correctly.
2) trusted_networks MUST be set correctly.
   In particular, the system you wish to whitelist must be handing
   the messages to a system you trust & that system needs to be able
   to successfully DNS resolve the address of the sender.
3) If the predictable sending address is only found in the envelope-From
   header, that header must be made available to SA in a recognized
   form. This is particularly pertinent for list messages such as this
   one. The header-From is not predictable, only the envelope-From, so
   that MUST be passed to SA for def_whitelist_from_rcvd to work
   for whitelisting this list.

With those caveats, def_whitelist_from_rcvd works just fine, I've got
a local config file with hundreds of them to make sure that all sorts
of potentially "troublesome" messages get properly delivered (EG lists
like this one, Yahoo groups messages, Airline notices, etc).

FYI, whitelist_from_rcvd entry for this list looks like:

  whitelist_from_rcvd     *@*.apache.org  apache.org

By using the wild-card for the mail host (*@*.apache.org) it works
for lots of apache.org projects lists. ;)

My eBay entries look like:

 def_whitelist_from_rcvd *@*.ebay.com    ebay.com
 def_whitelist_from_rcvd *@ebay.com      ebay.com
 def_whitelist_from_rcvd *@*.ebay.com    emailebay.com
 def_whitelist_from_rcvd *@ebay.com      emailebay.com

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
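
Added example (not part of any post in this thread, and not SpamAssassin's
own code): a simplified Python model of the two checks discussed here, the
List-Id test from the procmail recipe and the sender-plus-relay-rDNS idea
behind whitelist_from_rcvd. The hostnames, IP ranges, the use of Return-Path
as the envelope-sender header and both sample messages are constructed
assumptions.

```python
import ipaddress
import re
from email import message_from_string
from fnmatch import fnmatchcase

# Simplified model of the two checks in the thread; not SpamAssassin's code.
# All hosts, addresses and messages below are constructed sample data.
RCVD = re.compile(r"from \S+ \((\S+) \[([\d.]+)\]\)")

def list_id_bypass(msg):
    """The procmail test: skip scanning if List-Id names the list."""
    return "spamassassin.apache.org" in (msg.get("List-Id") or "")

def handover_rdns(msg, trusted_net):
    """rDNS that a trusted relay recorded for the first untrusted peer."""
    net = ipaddress.ip_network(trusted_net)
    for rcvd in msg.get_all("Received", []):  # newest header first
        m = RCVD.search(rcvd)
        if m is None:
            return None  # unparseable hop: stop trusting the chain
        if ipaddress.ip_address(m.group(2)) not in net:
            return m.group(1).lower()
    return None

def from_rcvd_match(msg, addr_glob, rdns_domain, trusted_net="192.0.2.0/24"):
    """Envelope sender must match the glob AND the handover rDNS the domain."""
    sender = (msg.get("Return-Path") or "").strip("<> ").lower()
    rdns = handover_rdns(msg, trusted_net) or ""
    rdns_ok = rdns == rdns_domain or rdns.endswith("." + rdns_domain)
    return fnmatchcase(sender, addr_glob) and rdns_ok

GENUINE = message_from_string("""\
Return-Path: <users-return-1@spamassassin.apache.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by store.example.net; Tue, 14 Dec 2004 16:47:02 +0000
Received: from mailhost.apache.org (mailhost.apache.org [198.51.100.7])
    by mx.example.net; Tue, 14 Dec 2004 16:47:01 +0000
List-Id: <users.spamassassin.apache.org>
""")

FORGED = message_from_string("""\
Return-Path: <users-return-1@spamassassin.apache.org>
Received: from mailhost.apache.org (unknown [203.0.113.66])
    by mx.example.net; Tue, 14 Dec 2004 16:50:00 +0000
Received: from mailhost.apache.org (mailhost.apache.org [198.51.100.7])
    by relay.invalid; Tue, 14 Dec 2004 16:49:00 +0000
List-Id: <users.spamassassin.apache.org>
""")
```

Both messages pass the List-Id test, but only GENUINE passes
from_rcvd_match(msg, "*@*.apache.org", "apache.org"). Calling it on GENUINE
with a trusted_net that leaves out the internal relay (for example
"127.0.0.0/8") also fails, which mirrors caveat 2 above.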

RE: need a rule to whitelist spamassassin users group

Posted by Andy Norris <an...@tireswing.net>.
In that case, this leads to another question -- how, then, to reliably 
whitelist eBay? I would imagine they are a big target of forgers? I tried

def_whitelist_from_rcvd  *@ebay.com  ebay.com

but that didn't work. Now I just have

whitelist_from  *@ebay.com  yes

With IP addresses is there a greater chance of the server (theirs) 
crashing, and now the whitelist doesn't account for the backup mail server? 
Or if a company uses more than one mail server... getting all the IPs? Is 
this just something I should email support at eBay for and see if they've 
got something of a canned response for this?

Any ideas why my first whitelist_from_rcvd rule might not have worked? It's 
in a custom rules file I have (TireSwing.cf)... I linted, and all seemed fine??

Thanks,
Andy


At 11:32 am 2004-12-14, Rob McEwen wrote:

>Wouldn't the best option be to whitelist the sending server's IP address
>(209.237.227.199)?
>
>"FROM" values can be forged, both in the e-mail and in the SMTP envelope.
>
>(Of course, we'd be in big trouble if the apache server were hacked or virus
>infected... but I'm assuming that the security there is top notch...)
>
>Rob McEwen


RE: need a rule to whitelist spamassassin users group

Posted by Rob McEwen <ro...@powerviewsystems.com>.
Wouldn't the best option be to whitelist the sending server's IP address
(209.237.227.199)?

"FROM" values can be forged, both in the e-mail and in the SMTP envelope.

(Of course, we'd be in big trouble if the apache server were hacked or virus
infected... but I'm assuming that the security there is top notch...)

Rob McEwen



Re: need a rule to whitelist spamassassin users group

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Andy

as you're using MailScanner, could do it in that ...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Andy Norris wrote:
> 
> As the subject implies... what would be a good rule to use to make sure 
> all this talk about spam doesn't end up in my spam trap?
> 
> (I also need to whitelist the mailscanner list messages.)
> 
> I'm just cutting my teeth on the rules writing gig. My first was to get 
> all those jackrabb1t vlbrat0r5 out of my inbox ;-)
> 
> Thanks very much,
> 
> Andy
> 
