Posted to users@spamassassin.apache.org by Alex Woick <al...@wombaz.de> on 2007/11/08 15:24:48 UTC
What to do with known spam connections
There seems to exist some address harvester that greps message-id's and
other non-address content as mail addresses, since I get spam to such
proven never-existed mail addresses. This list is harvested this way,
for example. There are already a few message-id's from my older list
postings that have regularly been getting spam for a few months.
Is it safe to add the sender systems to an internal blacklist database
automatically and let my MTA reject further mail from it for perhaps 6
hours?
It should be safe because no one except the harvester+spammer could have
gotten such an address. I assume this is the way spamtraps work, isn't it?
This would be quite efficient, since the same bot often tries to deliver
10 spams within a few seconds, and if it were blocked after the first
connection, 9 of 10 spams would be blocked right away. And the 1st would
not get through greylisting, since it gets no 2nd connection try.
I have postfix as MTA, and I think this could be integrated into a
greylisting daemon very efficiently. Is there already a daemon that
works this way? It should use a spamtrap address database that I fill
manually. If an IP address is to be added to the pending greylist table
by the daemon, and the mail destination address is in the spamtrap
address table, the entry gets flagged as always-reject. Further
connections from this IP address are not processed according to the
greylist algorithm but always rejected until the entry is older than x
hours.
Re: Skip SA checks for mails from SA list
Posted by Byung-Hee HWANG <bh...@izb.knu.ac.kr>.
On Wed, 2007-11-14 at 15:09 +0530, K Anand wrote:
> K Anand wrote:
> > Byung-Hee HWANG wrote:
> >> hi,
> >>
> >> On Wed, 2007-11-14 at 11:43 +0530, K Anand wrote:
> >>> Matus UHLAR - fantomas wrote:
> >>>> On 13.11.07 15:52, K Anand wrote:
> >>>>> Received: from unknown (HELO mail.apache.org) (140.211.11.2)
> >>>> Configure your SMTP server to add DNS data to the Received: line.
> >>>> *list_from_rcvd doesn't work without list
> >>>>
> >>>> (although it could be worth adding IP or CIDR check in such cases)
> >>>>
> >>> I use qmail. Do I have to do anything extra to get it to put this info?
> >>
> >> You just tell qmail to do rDNS. It is very easy. There is no problem.
> >>
> >> respect,
> >> bh
> >>
> > Finally managed to get it working... Thanx to all.
> >
> > Anand
> >
>
>
> A small problem...
>
> X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00
> autolearn=ham version=3.1.1
> Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
>
> Still, this is not getting tagged into the whitelist.
>
> This is my whitelist rule.
>
> whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
Well, I have no good idea about this matter. Here is my config.
http://izb.knu.ac.kr/~bh/stuff/izb-spamassassin-local.cf.example
My SpamAssassin is running with Postfix under FreeBSD ;;
and the above rule works fine for me ;;
respect,
bh
--
"He's a responsible man in his own way."
-- Michael Corleone, "Chapter 25", page 363
Re: Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
K Anand wrote:
> Byung-Hee HWANG wrote:
>> hi,
>>
>> On Wed, 2007-11-14 at 11:43 +0530, K Anand wrote:
>>> Matus UHLAR - fantomas wrote:
>>>> On 13.11.07 15:52, K Anand wrote:
>>>>> Received: from unknown (HELO mail.apache.org) (140.211.11.2)
>>>> Configure your SMTP server to add DNS data to the Received: line.
>>>> *list_from_rcvd doesn't work without list
>>>>
>>>> (although it could be worth adding IP or CIDR check in such cases)
>>>>
>>> I use qmail. Do I have to do anything extra to get it to put this info?
>>
>> You just tell qmail to do rDNS. It is very easy. There is no problem.
>>
>> respect,
>> bh
>>
> Finally managed to get it working... Thanx to all.
>
> Anand
>
A small problem...
X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00
autolearn=ham version=3.1.1
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
Still, this is not getting tagged into the whitelist.
This is my whitelist rule.
whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
Anand
Re: Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
Byung-Hee HWANG wrote:
> hi,
>
> On Wed, 2007-11-14 at 11:43 +0530, K Anand wrote:
>> Matus UHLAR - fantomas wrote:
>>> On 13.11.07 15:52, K Anand wrote:
>>>> Received: from unknown (HELO mail.apache.org) (140.211.11.2)
>>> Configure your SMTP server to add DNS data to the Received: line.
>>> *list_from_rcvd doesn't work without list
>>>
>>> (although it could be worth adding IP or CIDR check in such cases)
>>>
>> I use qmail. Do I have to do anything extra to get it to put this info?
>
> You just tell qmail to do rDNS. It is very easy. There is no problem.
>
> respect,
> bh
>
Finally managed to get it working... Thanx to all.
Anand
Re: Skip SA checks for mails from SA list
Posted by Byung-Hee HWANG <bh...@izb.knu.ac.kr>.
hi,
On Wed, 2007-11-14 at 11:43 +0530, K Anand wrote:
> Matus UHLAR - fantomas wrote:
> > On 13.11.07 15:52, K Anand wrote:
> >>
> >> Received: from unknown (HELO mail.apache.org) (140.211.11.2)
> >
> > Configure your SMTP server to add DNS data to the Received: line.
> > *list_from_rcvd doesn't work without list
> >
> > (although it could be worth adding IP or CIDR check in such cases)
> >
>
> I use qmail. Do I have to do anything extra to get it to put this info?
You just tell qmail to do rDNS. It is very easy. There is no problem.
respect,
bh
--
"As the CONSIGLIERE, you agree that it's dangerous to the Don and our Family
to let Sollozzo live?
"Yes."
-- Michael Corleone and Tom Hagen, "Chapter 11", page 145
Re: Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
Matus UHLAR - fantomas wrote:
> On 13.11.07 15:52, K Anand wrote:
>>
>> Received: from unknown (HELO mail.apache.org) (140.211.11.2)
>
> Configure your SMTP server to add DNS data to the Received: line.
> *list_from_rcvd doesn't work without list
>
> (although it could be worth adding IP or CIDR check in such cases)
>
I use qmail. Do I have to do anything extra to get it to put this info?
Anand
Re: Skip SA checks for mails from SA list
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 13.11.07 15:52, K Anand wrote:
> This is what I get ::::
[...]
> I think the problem has something to do with this line:
>
> Received: from unknown (HELO mail.apache.org) (140.211.11.2)
Configure your SMTP server to add DNS data to the Received: line.
*list_from_rcvd doesn't work without list
(although it could be worth adding IP or CIDR check in such cases)
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
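To show why the qmail Received: line in this thread cannot satisfy whitelist_from_rcvd while the Postfix one does, here is an added example (not from the thread, and a deliberate simplification of SpamAssassin's own Received: parser, which handles many more formats) that extracts the relay's rDNS name from the two formats seen above and applies the rule's address glob and domain test:

```python
"""Added example, not from the thread: simplified model of the
whitelist_from_rcvd match. Only the qmail and Postfix Received: formats
quoted on this page are modelled; real SpamAssassin parses many more."""
import fnmatch
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# qmail:   from <rdns> (HELO <helo>) (<ip>)    -- rdns is "unknown" without rDNS lookup
QMAIL_RE = re.compile(r"^from (\S+) \(HELO (\S+)\) \(" + IPV4 + r"\)")
# Postfix: from <helo> (<rdns> [<ip>])
POSTFIX_RE = re.compile(r"^from (\S+) \((\S+) \[" + IPV4 + r"\]\)")


def parse_received(line):
    """Return (rdns, helo, ip); rdns is None when the MTA recorded no DNS name."""
    body = re.sub(r"^Received:\s*", "", line.strip())
    m = QMAIL_RE.match(body)
    if m:
        rdns, helo, ip = m.groups()
        return (None if rdns.lower() == "unknown" else rdns, helo, ip)
    m = POSTFIX_RE.match(body)
    if m:
        helo, rdns, ip = m.groups()
        return (rdns, helo, ip)
    raise ValueError("unrecognised Received: format: " + line)


def rcvd_domain_matches(rdns, domain):
    """The domain argument is tested against the relay's rDNS name only;
    the HELO string is attacker-controlled and is never consulted."""
    if not rdns:
        return False
    rdns, domain = rdns.lower(), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_from_rcvd(rule, from_addr, received_line):
    """rule is the two-argument form used in the thread, e.g.
    '*@spamassassin.apache.org hermes.apache.org'."""
    addr_glob, domain = rule.split()
    if not fnmatch.fnmatchcase(from_addr.lower(), addr_glob.lower()):
        return False
    rdns, _helo, _ip = parse_received(received_line)
    return rcvd_domain_matches(rdns, domain)
```

Run against the two Received: lines quoted in this thread, the qmail line yields no rDNS name and never matches, the Postfix line matches hermes.apache.org, and Anand's first attempt with spamassassin.apache.org fails because hermes.apache.org is not in that domain.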
Re: Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
Byung-Hee HWANG wrote:
> On Tue, 2007-11-13 at 14:58 +0530, K Anand wrote:
>> K Anand wrote:
>>>> Matt Kettler wrote:
>>>>
>>>>> As an alternative, you can use whitelist_from_spf or
>>>>> whitelist_from_rcvd on the list's return-path. From there, you can
>>>>> configure shortcircuiting to bypass the rest of SA and bayes_ignore_from
>>>>> to prevent learning.
>>>> Would this be OK?
>>>>
>>>> whitelist_from_rcvd *@spamassassin.apache.org spamassassin.apache.org
>>>>
>>> read the doc. I think it should be
>>>
>>> whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
>>>
>>> This is the rDNS for the mail relay that is sending me mails
>>> from the list.
>>>
>> I tried this but the rule is not triggered... So something is wrong. Can
>> anyone help?
>
> In my case, the rule works fine.
>
> whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
>
> Here is the shot:
>
> Received: by pinus.izb.knu.ac.kr (Postfix, from userid 59)
> id E9FE13ECD; Tue, 13 Nov 2007 18:26:07 +0900 (KST)
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
> pinus.izb.knu.ac.kr
> X-Spam-Level:
> X-Spam-Status: No, score=-37.7 required=15.1
> tests=DKIM_SIGNED,DKIM_VERIFIED,
> RCVD_IN_DNSWL_MED,USER_IN_WHITELIST autolearn=disabled
> version=3.2.3
> X-Spam-Comment: DKIM? See http://www.google.com/search?btnI&q=RFC+4871
> Received: from mail.apache.org (hermes.apache.org [140.211.11.2])
> by pinus.izb.knu.ac.kr (Postfix) with SMTP id A7E1F3ECB
> for <bh...@izb.knu.ac.kr>; Tue, 13 Nov 2007 18:25:58 +0900 (KST)
This is what I get ::::
Return-Path:
<us...@spamassassin.apache.org>
Delivered-To: kanand@sail-steel.com
Received: (qmail 32150 invoked by uid 89); 13 Nov 2007 09:48:01 -0000
Received: by simscan 1.2.0 ppid: 32094, pid: 32122, t: 4.4853s
scanners: attach: 1.2.0 clamav: 0.90/m:42 spam: 3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on sail-steel.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00
autolearn=unavailable version=3.1.1
Received: from unknown (HELO mail.apache.org) (140.211.11.2)
by sail-steel.com with SMTP; 13 Nov 2007 09:47:57 -0000
Received-SPF: pass (sail-steel.com: SPF record at
spamassassin.apache.org designates 140.211.11.2 as permitted sender)
I think the problem has something to do with this line:
Received: from unknown (HELO mail.apache.org) (140.211.11.2)
Anand
Re: Skip SA checks for mails from SA list
Posted by Byung-Hee HWANG <bh...@izb.knu.ac.kr>.
On Tue, 2007-11-13 at 14:58 +0530, K Anand wrote:
> K Anand wrote:
> >
> >> Matt Kettler wrote:
> >>
> >
> >>> As an alternative, you can use whitelist_from_spf or
> >>> whitelist_from_rcvd on the list's return-path. From there, you can
> >>> configure shortcircuiting to bypass the rest of SA and bayes_ignore_from
> >>> to prevent learning.
> >>
> >> Would this be OK?
> >>
> >> whitelist_from_rcvd *@spamassassin.apache.org spamassassin.apache.org
> >>
> >
> > read the doc. I think it should be
> >
> > whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
> >
> > This is the rDNS for the mail relay that is sending me mails
> > from the list.
> >
>
> I tried this but the rule is not triggered... So something is wrong. Can
> anyone help?
In my case, the rule works fine.
whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
Here is the shot:
Received: by pinus.izb.knu.ac.kr (Postfix, from userid 59)
id E9FE13ECD; Tue, 13 Nov 2007 18:26:07 +0900 (KST)
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
pinus.izb.knu.ac.kr
X-Spam-Level:
X-Spam-Status: No, score=-37.7 required=15.1
tests=DKIM_SIGNED,DKIM_VERIFIED,
RCVD_IN_DNSWL_MED,USER_IN_WHITELIST autolearn=disabled
version=3.2.3
X-Spam-Comment: DKIM? See http://www.google.com/search?btnI&q=RFC+4871
Received: from mail.apache.org (hermes.apache.org [140.211.11.2])
by pinus.izb.knu.ac.kr (Postfix) with SMTP id A7E1F3ECB
for <bh...@izb.knu.ac.kr>; Tue, 13 Nov 2007 18:25:58 +0900 (KST)
respect,
bh
--
"Did you do the job on Sollozzo?"
"Both of them."
"Sure?"
"I saw their brains."
-- Tessio and Michael Corleone, "Chapter 11", page 151
Re: Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
K Anand wrote:
>
>> Matt Kettler wrote:
>>
>
>>> As an alternative, you can use whitelist_from_spf or
>>> whitelist_from_rcvd on the list's return-path. From there, you can
>>> configure shortcircuiting to bypass the rest of SA and bayes_ignore_from
>>> to prevent learning.
>>
>> Would this be OK?
>>
>> whitelist_from_rcvd *@spamassassin.apache.org spamassassin.apache.org
>>
>
> read the doc. I think it should be
>
> whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
>
> This is the rDNS for the mail relay that is sending me mails
> from the list.
>
I tried this but the rule is not triggered... So something is wrong. Can
anyone help?
Anand
Re: Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
> Matt Kettler wrote:
>
>> As an alternative, you can use whitelist_from_spf or
>> whitelist_from_rcvd on the list's return-path. From there, you can
>> configure shortcircuiting to bypass the rest of SA and bayes_ignore_from
>> to prevent learning.
>
> Would this be OK?
>
> whitelist_from_rcvd *@spamassassin.apache.org spamassassin.apache.org
>
read the doc. I think it should be
whitelist_from_rcvd *@spamassassin.apache.org hermes.apache.org
This is the rDNS for the mail relay that is sending me mails
from the list.
Anand
Re: Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
Matt Kettler wrote:
> K Anand wrote:
>> Hi all,
>>
>> I'm currently using SA 3.1.x.... Due to certain custom rules regarding
>> images and HTML messages, mails from the SA list are getting tagged as
>> SPAM. What I want to do is to skip SA checks for mails from the SA list.
>>
>> Do I have to use trusted_networks?
> No, that won't cause messages to be skipped, and will significantly
> screw up your RBL checks.
>> or is there some other way?
>
> Ideally, you'd not call SA in the first place. (i.e. if you use procmail,
> use a procmail rule to bypass the list).
I use simscan. So I can't do this.
>
> As an alternative, you can use whitelist_from_spf or
> whitelist_from_rcvd on the list's return-path. From there, you can
> configure shortcircuiting to bypass the rest of SA and bayes_ignore_from
> to prevent learning.
Would this be OK?
whitelist_from_rcvd *@spamassassin.apache.org spamassassin.apache.org
Anand
Re: Skip SA checks for mails from SA list
Posted by Matt Kettler <mk...@verizon.net>.
K Anand wrote:
> Hi all,
>
> I'm currently using SA 3.1.x.... Due to certain custom rules regarding
> images and HTML messages, mails from the SA list are getting tagged as
> SPAM. What I want to do is to skip SA checks for mails from the SA list.
>
> Do I have to use trusted_networks?
No, that won't cause messages to be skipped, and will significantly
screw up your RBL checks.
> or is there some other way?
Ideally, you'd not call SA in the first place. (i.e. if you use procmail,
use a procmail rule to bypass the list).
As an alternative, you can use whitelist_from_spf or
whitelist_from_rcvd on the list's return-path. From there, you can
configure shortcircuiting to bypass the rest of SA and bayes_ignore_from
to prevent learning.
>
> Thanx
>
> Anand
>
>
Skip SA checks for mails from SA list
Posted by K Anand <ka...@sail-steel.com>.
Hi all,
I'm currently using SA 3.1.x.... Due to certain custom rules regarding
images and HTML messages, mails from the SA list are getting tagged as SPAM.
What I want to do is to skip SA checks for mails from the SA list.
Do I have to use trusted_networks? Or is there some other way?
Thanx
Anand
Re: What to do with known spam connections
Posted by Kelson <ke...@speed.net>.
mouss wrote:
> Kelson wrote:
>> Rob Sterenborg wrote:
>>> SM wrote:
>>>> The spam content shouldn't even be getting through as the recipient
>>>> address is invalid.
>>> Unless you don't know who your recipients are, which may be the case
>>> when operating a mailrelay. (I'm not saying that such a situation is
>>> optimal...)
>> Or unless they send to a mix of real and bogus addresses. It could be
>> worth blocking them from hitting any real addresses after they've hit
>> a couple of spamtraps.
>
> While some people can afford to block a large ISP, many of us can't.
So run some heuristics before deciding to block an IP. Factor in other
criteria. It doesn't have to be a snap judgment on one piece of data.
We're on the SpamAssassin list, after all. The whole philosophy of
SpamAssassin is to take a bunch of signs that, individually, might not
be enough to make the call, but taken together can be reasonably
accurate. Surely that philosophy can be extended to tactics other than
message analysis.
How about...
Using it to greylist instead of blocking?
Or looking at the rDNS and trying to determine whether it looks like a
mail server?
Or only blocking it if it appears on a list of dynamic IPs (assuming
you're not blocking those IPs outright)?
Or whitelisting those large ISPs?
Or looking at your own recent traffic from that IP, and only blocking it
if you don't see any legit traffic?
Or adding points to the SA score the next time the IP shows up instead
of blocking it?
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: What to do with known spam connections
Posted by mouss <mo...@netoyen.net>.
Kelson wrote:
> Rob Sterenborg wrote:
>> SM wrote:
>>> The spam content shouldn't even be getting through as the recipient
>>> address is invalid.
>>
>> Unless you don't know who your recipients are, which may be the case
>> when operating a mailrelay. (I'm not saying that such a situation is
>> optimal...)
>
> Or unless they send to a mix of real and bogus addresses. It could be
> worth blocking them from hitting any real addresses after they've hit
> a couple of spamtraps.
>
While some people can afford to block a large ISP, many of us can't.
Re: What to do with known spam connections
Posted by Kelson <ke...@speed.net>.
Rob Sterenborg wrote:
> SM wrote:
>> The spam content shouldn't even be getting through as the recipient
>> address is invalid.
>
> Unless you don't know who your recipients are, which may be the case
> when operating a mailrelay. (I'm not saying that such a situation is
> optimal...)
Or unless they send to a mix of real and bogus addresses. It could be
worth blocking them from hitting any real addresses after they've hit a
couple of spamtraps.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
RE: What to do with known spam connections
Posted by Rob Sterenborg <R....@netsourcing.nl>.
SM wrote:
> The spam content shouldn't even be getting through as the recipient
> address is invalid.
Unless you don't know who your recipients are, which may be the case
when operating a mailrelay. (I'm not saying that such a situation is
optimal...)
Grts,
Rob
Re: What to do with known spam connections
Posted by SM <sm...@resistor.net>.
At 06:24 08-11-2007, Alex Woick wrote:
>There seems to exist some address harvester that greps message-id's
>and other non-address content as mail addresses, since I get spam to
>such proven never-existed mail addresses. This list is harvested
>this way, for example. There are already a few message-id's from my
>older list postings that have regularly been getting spam for a few months.
>Is it safe to add the sender systems to an internal blacklist
>database automatically and let my MTA reject further mail from it
>for perhaps 6 hours?
No. It can lead to a denial of service unless you combine it with
whitelisting from "trusted" sources.
>It should be safe because no one except the harvester+spammer could
>have gotten such an address. I assume this is the way spamtraps work, isn't it?
A simple spamtrap would work like that.
>This would be quite efficient, since the same bot often tries to
>deliver 10 spams within a few seconds, and if it were blocked after
>the first connection, 9 of 10 spams would be blocked right away. And
>the 1st would not get through greylisting, since it gets no 2nd connection try.
The spam content shouldn't even be getting through as the recipient
address is invalid.
Regards,
-sm
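As an added example (not code from this thread or from any existing greylisting daemon), here is a toy model of the spamtrap-flagged greylisting policy Alex proposes in the opening post, written as Postfix policy-delegation logic and combined with the two safeguards the replies raise: SM's point that trusted sources must be whitelisted to avoid a self-inflicted denial of service, and Kelson's suggestion of blocking only after a couple of spamtrap hits rather than on one piece of data. All addresses, networks and timings below are constructed for illustration.

```python
"""Added example, not from the thread: spamtrap-aware greylisting policy
with a trusted-network exemption and a hit threshold. Constructed data."""
import ipaddress
import time

GREYLIST_DELAY = 300            # seconds a new triplet must wait (assumed value)
TRAP_BLOCK_SECONDS = 6 * 3600   # "perhaps 6 hours", as in the opening post
TRAP_HITS_TO_BLOCK = 2          # Kelson: "after they've hit a couple of spamtraps"

# Spamtrap recipients, filled by hand as the post proposes (constructed values)
SPAMTRAPS = {"20071108152448.abc@wombaz.example", "old-msgid@wombaz.example"}
# Relays you cannot afford to auto-block (SM's DoS caveat); constructed range
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


class Policy:
    def __init__(self):
        self.greylist = {}   # (ip, sender, rcpt) -> time first seen
        self.trap_hits = {}  # ip -> number of spamtrap recipients hit
        self.blocked = {}    # ip -> time the always-reject flag expires

    def decide(self, ip, sender, rcpt, now=None):
        """Return a Postfix policy action: DUNNO, DEFER_IF_PERMIT or REJECT."""
        now = time.time() if now is None else now
        if any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS):
            return "DUNNO"  # never auto-block trusted relays; let SA score them
        until = self.blocked.get(ip)
        if until is not None:
            if now < until:
                return "REJECT spamtrap hit"  # flagged: skip greylisting entirely
            del self.blocked[ip]              # flag expired: start afresh
            self.trap_hits[ip] = 0
        if rcpt.lower() in SPAMTRAPS:
            self.trap_hits[ip] = self.trap_hits.get(ip, 0) + 1
            if self.trap_hits[ip] >= TRAP_HITS_TO_BLOCK:
                self.blocked[ip] = now + TRAP_BLOCK_SECONDS
                return "REJECT spamtrap hit"
            # below the threshold: fall through to ordinary greylisting
        key = (ip, sender.lower(), rcpt.lower())
        first_seen = self.greylist.setdefault(key, now)
        if now - first_seen < GREYLIST_DELAY:
            return "DEFER_IF_PERMIT greylisted"
        return "DUNNO"


def handle_request(policy, request, now=None):
    """Parse one Postfix policy-delegation request ("name=value" lines ended
    by a blank line) and return the "action=..." response Postfix expects."""
    attrs = dict(line.split("=", 1)
                 for line in request.strip().splitlines() if "=" in line)
    action = policy.decide(attrs["client_address"], attrs.get("sender", ""),
                           attrs["recipient"], now)
    return "action=%s\n\n" % action
```

Setting TRAP_HITS_TO_BLOCK to 1 gives exactly the behaviour of the opening post, where the first spamtrap hit flags the client and its remaining deliveries in the same burst are rejected outright.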