Posted to users@spamassassin.apache.org by Gerald Turner <gt...@unzane.com> on 2009/01/06 23:39:55 UTC

Alternative to Postfix header_checks?

Hello, I have been using SpamAssassin integrated with Postfix via spampd
SMTP proxy and I have the following header_checks file:

  /^X-Spam-Level: \*{8,}/ DISCARD Spam score 8+
  /^X-Spam-Level: \*{4,}/ REJECT Spam score 4+

There are cases where I'd rather DISCARD the low score mail (>= 4, < 8)
than REJECT, for instance:

   When the mail contains mailing-list headers - some mailing lists
   unsubscribe after too many bounces, particularly Debian with
   open/unmoderated lists.

   When the mail was sent to a quasi-spamtrap address - I'm aliased on a
   few hosts with webmaster@example.com type addresses, some of which
   will generate bounce warnings to mailer-daemon who is aliased to
   several people, evil!

Unfortunately Postfix header_checks can only process one header at a
time, there's no way to compound conditions of multiple headers.  I've
searched and can't seem to come up with any possibility of configuring
Postfix to conditionally discard rather than bounce.  I'm on the verge
of customizing an example Perl milter to do the job, but it seems like
something that should be built-in to either Postfix, spampd, or perhaps
amavisd-new - any suggestions?

-- 
Gerald Turner  Email: gturner@unzane.com  JID: gturner@jabber.unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D  4D0C 3FA0 810F FA8C D6D5

Re: Alternative to Postfix header_checks?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2009-01-06 at 14:39 -0800, Gerald Turner wrote:
> Hello, I have been using SpamAssassin integrated with Postfix via spampd
> SMTP proxy and I have the following header_checks file:
> 
>   /^X-Spam-Level: \*{8,}/ DISCARD Spam score 8+
>   /^X-Spam-Level: \*{4,}/ REJECT Spam score 4+
> 
> There are cases where I'd rather DISCARD the low score mail (>= 4, < 8)
> than REJECT, for instance:
> 
>    When the mail contains mailing-list headers - some mailing lists
>    unsubscribe after too many bounces, particularly Debian with
>    open/unmoderated lists.

Any particular reason you are focusing on a postfix solution to a SA
score issue?

What about custom rules, to assign negative scores to such messages? Or
maybe simply use whitelist_from_rcvd for the messages in question. After
all, they seem to exhibit special relays and addresses known in advance.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Alternative to Postfix header_checks?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 6 Jan 2009, Gerald Turner wrote:

> Not with header_checks (http://www.postfix.org/header_checks.5.html),
> although there is a REPLACE action, it still couldn't operate on a
> combination of headers.

Think two passes, one to check for the SA score and another to check for 
the presence of the mailing list headers.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   W-w-w-w-w-where did he learn to n-n-negotiate like that?
-----------------------------------------------------------------------
  11 days until Benjamin Franklin's 303rd Birthday

Re: Alternative to Postfix header_checks?

Posted by Gerald Turner <gt...@unzane.com>.
LuKreme <kr...@kreme.com> writes:

> On 6-Jan-2009, at 15:39, Gerald Turner wrote:
>> Unfortunately Postfix header_checks can only process one header at a
>> time, there's no way to compound conditions of multiple headers.
>> I've searched and can't seem to come up with any possibility of
>> configuring Postfix to conditionally discard rather than bounce.  I'm
>> on the verge of customizing an example Perl milter to do the job, but
>> it seems like something that should be built-in to either Postfix,
>> spampd, or perhaps amavisd-new - any suggestions?
>
> Can't you rewrite a header based on conditions?
>

Not with header_checks (http://www.postfix.org/header_checks.5.html),
although there is a REPLACE action, it still couldn't operate on a
combination of headers.

> The other thing you could do is set up a separate submission port for
> tested messages?  Or a policy server?
>

Yeah, that's kind of what I'm thinking with writing a hacked up Perl
milter.

Thanks.

-- 
Gerald Turner  Email: gturner@unzane.com  JID: gturner@jabber.unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D  4D0C 3FA0 810F FA8C D6D5

Re: Alternative to Postfix header_checks?

Posted by LuKreme <kr...@kreme.com>.
On 6-Jan-2009, at 15:39, Gerald Turner wrote:
> Unfortunately Postfix header_checks can only process one header at a
> time, there's no way to compound conditions of multiple headers.  I've
> searched and can't seem to come up with any possibility of configuring
> Postfix to conditionally discard rather than bounce.  I'm on the verge
> of customizing an example Perl milter to do the job, but it seems like
> something that should be built-in to either Postfix, spampd, or perhaps
> amavisd-new - any suggestions?


Can't you rewrite a header based on conditions?

That is, check for spam score of 4-8, and if true, then write a header

X-myexample-test: True

Then test for, say, mailing list header and if found, rewrite
x-myexample-test to

X-myexample-test: True, Maillist

The other thing you could do is set up a separate submission port for
tested messages?  Or a policy server?

-- 
Not that I condone fascism, or any -ism for that matter. -Ism's in
	my opinion are not good. A person should not believe in an
	-ism, he should believe in himself. I quote John Lennon, "I
	don't believe in The Beatles, I just believe in me." Good point
	there. After all, he was The Walrus. I could be The Walrus and
	I'd still have to bum rides off of people.


Re: Alternative to Postfix header_checks?

Posted by John Hardin <jh...@impsec.org>.
On Fri, 9 Jan 2009, Gerald Turner wrote:

>> - There are other cases when you don't want to reject (mail to
>> abuse@example.com, ... etc).
>
> That's the other problem I'm trying to solve (don't reject mail sent to 
> these "quasi-spamtrap" addresses, simply discard) - I can see how to do 
> it now with custom rules checked in X-Spam-Status header.

How is abuse@ a spamtrap address, even quasi-?

I would suggest that discarding mail to abuse@ is a bad idea, too. How 
would someone report abuse of your systems with evidence, if the evidence 
attached to the report gets the report discarded?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Men by their constitutions are naturally divided in to two parties:
   1. Those who fear and distrust the people and wish to draw all
   powers from them into the hands of the higher classes. 2. Those who
   identify themselves with the people, have confidence in them,
   cherish and consider them as the most honest and safe, although not
   the most wise, depository of the public interests.
 					          -- Thomas Jefferson
-----------------------------------------------------------------------
  8 days until Benjamin Franklin's 303rd Birthday

Re: Alternative to Postfix header_checks?

Posted by mouss <mo...@ml.netoyen.net>.
Gerald Turner a écrit :
> [snip]
> 
> It is before-queue while the SMTP connection is still active.  I like to
> bounce in case legitimate people that have yet to be whitelisted trigger
> a false-positive.
> 

yes, reject is generally better than discard.


> 
> Other than possibly dropping a false-positive is there anything else I
> should know of?
> 

No. just false positives. but this is a real problem. of course, this is
site/person dependent.

Instead of discarding mail, deliver it to a mailbox or folder that you
can review. This review can be done quickly (sort by subject, ... etc).

> 
> Yes but I think I'm getting what I want in this case: list spam is
> discarded, whether forged or not.
> 

Indeed. I hope you are aware that mail from some lists (such as this
one) may contain spammy text or patterns (people sending a sample, ...
etc).

>> - There are other cases when you don't want to reject (mail to
>> abuse@example.com, ... etc).
> 
> That's the other problem I'm trying to solve (don't reject mail sent to
> these "quasi-spamtrap" addresses, simply discard) - I can see how to do
> it now with custom rules checked in X-Spam-Status header.  Thanks for
> the suggestion.
> 

No, mail to abuse@* should be read. if there is a problem with your
server, this is how we would tell you. and to avoid N steps
conversations, we will include headers or the content of the spam we
received from you... etc. abuse@ and postmaster@ are part of the mail
system. don't let spammers destroy this system.



Re: Alternative to Postfix header_checks?

Posted by Gerald Turner <gt...@unzane.com>.
mouss <mo...@ml.netoyen.net> writes:

> Gerald Turner a écrit :
>> Hello, I have been using SpamAssassin integrated with Postfix via
>> spampd SMTP proxy and I have the following header_checks file:
>>
>>   /^X-Spam-Level: \*{8,}/ DISCARD Spam score 8+
>>   /^X-Spam-Level: \*{4,}/ REJECT Spam score 4+
>>
>> There are cases where I'd rather DISCARD the low score mail (>= 4, <
>> 8) than REJECT, for instance:
>>
>>    When the mail contains mailing-list headers - some mailing lists
>>    unsubscribe after too many bounces, particularly Debian with
>>    open/unmoderated lists.
>>
>>    When the mail was sent to a quasi-spamtrap address - I'm aliased
>>    on a few hosts with webmaster@example.com type addresses, some of
>>    which will generate bounce warnings to mailer-daemon who is
>>    aliased to several people, evil!
>>
>> Unfortunately Postfix header_checks can only process one header at a
>> time, there's no way to compound conditions of multiple headers.
>> I've searched and can't seem to come up with any possibility of
>> configuring Postfix to conditionally discard rather than bounce.  I'm
>> on the verge of customizing an example Perl milter to do the job, but
>> it seems like something that should be built-in to either Postfix,
>> spampd, or perhaps amavisd-new - any suggestions?
>>
>
> first, add an SA rule to detect mailing lists. for example
>
> header H_FROM_ML ...
> score H_FROM_ML 0.01
>
> (actually, you will need multiple rules, then combine them with a
> meta).
>
> then your header checks would become
>
> /^X-Spam-Status: Yes, score=([8-9]|\d{2}).*H_FROM_ML/	....
>

Excellent!  Checking X-Spam-Status rather than X-Spam-Level totally
escaped me, thanks.

> some notes:
>
> - unless you are calling SA during the smtp transaction, you should
> not reject mail (ie after it was queued by postfix)
>

It is before-queue while the SMTP connection is still active.  I like to
bounce in case legitimate people that have yet to be whitelisted trigger
a false-positive.

> - discarding mail is risky.
>

Other than possibly dropping a false-positive is there anything else I
should know of?

> - spammers can forge list headers...
>

Yes but I think I'm getting what I want in this case: list spam is
discarded, whether forged or not.

> - There are other cases when you don't want to reject (mail to
> abuse@example.com, ... etc).

That's the other problem I'm trying to solve (don't reject mail sent to
these "quasi-spamtrap" addresses, simply discard) - I can see how to do
it now with custom rules checked in X-Spam-Status header.  Thanks for
the suggestion.

-- 
Gerald Turner  Email: gturner@unzane.com  JID: gturner@jabber.unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D  4D0C 3FA0 810F FA8C D6D5

Re: Alternative to Postfix header_checks?

Posted by mouss <mo...@ml.netoyen.net>.
Gerald Turner a écrit :
> Hello, I have been using SpamAssassin integrated with Postfix via spampd
> SMTP proxy and I have the following header_checks file:
> 
>   /^X-Spam-Level: \*{8,}/ DISCARD Spam score 8+
>   /^X-Spam-Level: \*{4,}/ REJECT Spam score 4+
> 
> There are cases where I'd rather DISCARD the low score mail (>= 4, < 8)
> than REJECT, for instance:
> 
>    When the mail contains mailing-list headers - some mailing lists
>    unsubscribe after too many bounces, particularly Debian with
>    open/unmoderated lists.
> 
>    When the mail was sent to a quasi-spamtrap address - I'm aliased on a
>    few hosts with webmaster@example.com type addresses, some of which
>    will generate bounce warnings to mailer-daemon who is aliased to
>    several people, evil!
> 
> Unfortunately Postfix header_checks can only process one header at a
> time, there's no way to compound conditions of multiple headers.  I've
> searched and can't seem to come up with any possibility of configuring
> Postfix to conditionally discard rather than bounce.  I'm on the verge
> of customizing an example Perl milter to do the job, but it seems like
> something that should be built-in to either Postfix, spampd, or perhaps
> amavisd-new - any suggestions?
> 

first, add an SA rule to detect mailing lists. for example

header H_FROM_ML ...
score H_FROM_ML 0.01

(actually, you will need multiple rules, then combine them with a meta).

then your header checks would become

/^X-Spam-Status: Yes, score=([8-9]|\d{2}).*H_FROM_ML/	....

some notes:

- unless you are calling SA during the smtp transaction, you should not
reject mail (ie after it was queued by postfix)

- discarding mail is risky.

- spammers can forge list headers...

- There are other cases when you don't want to reject (mail to
abuse@example.com, ... etc).
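
The compound condition suggested above works because the SpamAssassin rule name is listed in X-Spam-Status, so one header carries both the score and the list marker. The following is an added example, not part of the thread: it simulates a pcre header_checks lookup in Python, and the table, the assumed required score of 4 and the sample headers are all constructed.

```python
import re

# Constructed header_checks (pcre) table for the policy asked about in the thread.
# Assumptions: SpamAssassin required score is 4 (so "Yes" implies score >= 4) and
# H_FROM_ML is the low-scoring list-detection rule named in the thread.
HEADER_CHECKS = r"""
/^X-Spam-Status: Yes, score=([89]|\d{2,})\b/ DISCARD Spam score 8+
/^X-Spam-Status: Yes, score=[4-7]\b.*[=,\s]H_FROM_ML([,\s]|$)/ DISCARD List spam 4-8
/^X-Spam-Status: Yes, score=[4-7]\b/ REJECT Spam score 4+
"""

def load_table(text):
    """Parse '/pattern/ ACTION text' lines using pcre_table defaults (i and s on)."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"^/(.+)/\s+(\w+)\s*(.*)$", line)
        rules.append((re.compile(m.group(1), re.I | re.S), m.group(2), m.group(3)))
    return rules

def logical_headers(raw):
    """Group folded continuation lines with the header they belong to."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def decide(raw, rules):
    """Each logical header is looked up alone; the first matching rule decides."""
    for header in logical_headers(raw):
        for rx, action, text in rules:
            if rx.search(header):
                return action, text
    return "DELIVER", ""  # label used by this example for "no rule matched"

RULES = load_table(HEADER_CHECKS)
# Constructed sample headers; the tests= list is folded the way long headers are.
LIST_SPAM = ("List-Id: <debian-user.lists.debian.org>\n"
             "X-Spam-Status: Yes, score=5.2 required=4.0 tests=BAYES_99,\n"
             "\tH_FROM_ML,HTML_MESSAGE autolearn=no version=3.2.5")
DIRECT_SPAM = "X-Spam-Status: Yes, score=5.2 required=4.0 tests=BAYES_99 autolearn=no"
HIGH_SPAM = "X-Spam-Status: Yes, score=12.4 required=4.0 tests=BAYES_99,H_FROM_ML"
HAM = "X-Spam-Status: No, score=0.3 required=4.0 tests=H_FROM_ML autolearn=no"

if __name__ == "__main__":
    for name in ("LIST_SPAM", "DIRECT_SPAM", "HIGH_SPAM", "HAM"):
        print(name, decide(globals()[name], RULES))
```

Rule order matters here: the narrower list-spam pattern has to precede the general 4+ REJECT, and the rule name is delimited so that a longer name containing H_FROM_ML does not match.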