Posted to users@spamassassin.apache.org by bbxrider <bb...@job1data.com> on 2007/06/06 07:47:43 UTC

use of * with available spamassassin tools

ok thanks, now that that's all clear
i'm getting my domain spoofed and trying to stop the returns from the
spoofed targets coming to my
domain and then getting fwded to my default email account. 
my mail servers spam assassin tools are:
blacklist_from
required_score
the only thing that's constant and identifiable in the returned header is a
variation of the spoofed name like spoofname*@mydomain.com
in the header it's the 'to:' data
if this makes sense to anybody, i want to use spam assassin functionality
available to me as a mail service customer, to tell my mail service to drop
any messages coming to my domain that are returns from other mail servers
that have been spammed with a spoofed email address from my domain. the only
thing that's constant enough in the messages is a variation of the spoofed
name that always starts with say 'spoofname' and has some combo of letters
after that and before the @. my dilemma is the spam assassin tools available
to me don't seem to be able to identify a wild card identifiable name in the
'to:' field, they only allow testing for the content of the "from:"
if it can't be done, so be it, i'm just trying to figure out if it's possible
to block this stuff from getting to me.
thanks


Matt Kettler-3 wrote:
> 
> bbxrider wrote:
>> i'm not familiar with the term file-glob-style-patterns, so my question
>> is do
>> * and ? work like traditional searching tools?
>>   
> I don't know what you mean "searching tools", but it's the same patterns
> used by any ordinary dos command prompt or unix shell.
> 
> "globbing" is what the shell does to interpret things like "ls bayes*",
> or on windows "dir bayes*", hence the term "file-glob-style-patterns".
> 
>> for creating a blacklist_from entry,
>> where fakename*@domain.com would block any email from domain.com that
>> started with 'fakename' and had any number of characters after fakename
>> and
>> before @
>> where fakename???@domain.com would block any email from domain.com that
>> started with 'fakename' and had any 3 characters following 'fakename' and
>> before @, but only 3 characters no more no less
>>   
> That is 100% correct.
>> thanks bbxrider
>>
>>   
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/use-of-*-and---in-blacklist_from-tf3874156.html#a10982745
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: use of * with available spamassassin tools

Posted by bbxrider <bb...@job1data.com>.
thanks for your help, i'm trying to get filters working now,  
and thanks for list subjects. 
bbxrider


Kris Deugau wrote:
> 
> bbxrider wrote:
>> yes, but..........................
>> i have a spam filter on my client, spambayes, and it works fine to sort
>> out
>> spam sent
>> to a 'real' account
>> the problem here is numbers, the spammer is spoofing my domain with a
>> constantly changing
>> name (but with a constant piece of it)  with dozens if not hundreds a
>> day,
>> are coming back to my domain pop3 with invalid address messages, i don't
>> want to deal with those and besides its further clogging the pipes with
>> messages being sent to me that are unnecessary, so my hunt continues to
>> determine a way
>> to have spam assassin handle it at my pop3, sitelutions.com, since they
>> don't seem to have
>> another way to handle it. 
>>  thanks bbxrider
> 
> You might want to lean on your provider a little to allow you to 
> *disable* the catchall email processing;  that's a big part of your
> problem.
> 
> That said, a quick and dirty method to brute-force SA into doing 
> something it's really not designed for could look like this:
> 
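> # Credit mail addressed to a real account
> header TO_VALID	ToCC =~ /\b(?:good1|good2|good3)\@yourdomain\.com/i
> describe TO_VALID	My valid accounts
> score TO_VALID	-5
> 
> # Penalise anything addressed to the domain; real accounts hit both rules and net 0
> header TO_INVALID	ToCC =~ /\@yourdomain\.com/i
> describe TO_INVALID	Everything is bad, unless it's good
> score TO_INVALID	5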
> 
> Adjust efficiency, accuracy, score levels to taste.
> 
> This type of "identify the real valid accounts" processing belongs in 
> the MTA or at least whatever hands off processing to SA - if you've got 
> access to procmail, for instance, you can set up a fairly simple recipe 
> to only deliver mail addressed to a valid account at your domain.
> 
> Note that you'll have to create exceptions for things like, oh, say, 
> this list, because such messages are usually sent "to" the list, not 
> your account.  This applies to pretty much any method not working at the 
> MTA level.
> 
> -kgd
> 
> 



Re: use of * with available spamassassin tools

Posted by Kris Deugau <kd...@vianet.ca>.
bbxrider wrote:
> yes, but..........................
> i have a spam filter on my client, spambayes, and it works fine to sort out
> spam sent
> to a 'real' account
> the problem here is numbers, the spammer is spoofing my domain with a
> constantly changing
> name (but with a constant piece of it)  with dozens if not hundreds a day,
> are coming back to my domain pop3 with invalid address messages, i don't
> want to deal with those and besides its further clogging the pipes with
> messages being sent to me that are unnecessary, so my hunt continues to
> determine a way
> to have spam assassin handle it at my pop3, sitelutions.com, since they
> don't seem to have
> another way to handle it. 
>  thanks bbxrider

You might want to lean on your provider a little to allow you to 
*disable* the catchall email processing;  that's a big part of your problem.

That said, a quick and dirty method to brute-force SA into doing 
something it's really not designed for could look like this:

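# Credit mail addressed to a real account
header TO_VALID	ToCC =~ /\b(?:good1|good2|good3)\@yourdomain\.com/i
describe TO_VALID	My valid accounts
score TO_VALID	-5

# Penalise anything addressed to the domain; real accounts hit both rules and net 0
header TO_INVALID	ToCC =~ /\@yourdomain\.com/i
describe TO_INVALID	Everything is bad, unless it's good
score TO_INVALID	5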

Adjust efficiency, accuracy, score levels to taste.

This type of "identify the real valid accounts" processing belongs in 
the MTA or at least whatever hands off processing to SA - if you've got 
access to procmail, for instance, you can set up a fairly simple recipe 
to only deliver mail addressed to a valid account at your domain.

Note that you'll have to create exceptions for things like, oh, say, 
this list, because such messages are usually sent "to" the list, not 
your account.  This applies to pretty much any method not working at the 
MTA level.

-kgd
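
Added example, not part of Kris Deugau's post and not SpamAssassin code: a Python model of the two-rule scoring above, comparing a loosely written pattern pair (unescaped dot, unanchored local part) with a check on parsed To/Cc addresses, plus a delivery gate with the list exception the post mentions. The account names and `yourdomain.com` are the post's placeholders; `KNOWN_LISTS`, the sample messages and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "yourdomain.com"                        # placeholder domain used in the post
VALID = {"good1", "good2", "good3"}              # placeholder account names from the post
KNOWN_LISTS = {"users.spamassassin.apache.org"}  # assumed List-Id of a subscribed list

# Loosely written pair: "." matches any character, local part is not anchored.
LOOSE_VALID = re.compile(r"(good1|good2|good3)\@yourdomain.com")
LOOSE_INVALID = re.compile(r"\@yourdomain.com")

def tocc(msg):
    """All To and Cc header values of a parsed message."""
    return msg.get_all("To", []) + msg.get_all("Cc", [])

def loose_score(raw):
    """Net score of the loose pair: valid-account hit -5, domain hit +5."""
    text = ", ".join(tocc(message_from_string(raw)))
    return ((-5 if LOOSE_VALID.search(text) else 0)
            + (5 if LOOSE_INVALID.search(text) else 0))

def our_localparts(msg):
    """Lower-cased local parts of To/Cc addresses that are exactly at DOMAIN."""
    found = []
    for _name, addr in getaddresses(tocc(msg)):
        local, at, domain = addr.rpartition("@")
        if at and domain.lower() == DOMAIN:
            found.append(local.lower())
    return found

def strict_score(raw):
    """Same intent on parsed addresses: +5 only when the mail is addressed
    to the domain and none of those recipients is a real account."""
    mine = our_localparts(message_from_string(raw))
    return 5 if mine and not any(l in VALID for l in mine) else 0

def deliverable(raw):
    """Delivery gate of the kind suggested for the MTA or procmail: accept
    mail for a real account, plus an explicit exception for known lists."""
    msg = message_from_string(raw)
    list_id = msg.get("List-Id", "").lower()
    if any(name in list_id for name in KNOWN_LISTS):
        return True
    return any(l in VALID for l in our_localparts(msg))

def sample(to, extra=""):
    """Build a constructed test message with the given To header."""
    return f"From: sender@example.net\nTo: {to}\n{extra}Subject: constructed\n\nbody\n"
```

`loose_score` returns 0 for `notgood1@yourdomain.com` because the unanchored pattern matches inside the local part, while `strict_score` returns 5. List mail scores 0 either way, but `deliverable` rejects it unless its List-Id is in `KNOWN_LISTS`.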

Re: use of * with available spamassassin tools

Posted by bbxrider <bb...@job1data.com>.
thanks for the help dan
i will try one more time to reason with sitelutions, but my prob with them
is that they seem to think this is not a problem, and vaguely imply that
they
know better than me since they are tech gods and therefore i shouldn't be
concerned
and i'm still trying to see if there is some way to configure sa at
sitelutions to
filter this 'backscatter' coming back to me.
up till now i wanted to get the 'mail delivery system' etc subjects, so i
could tell
if there were problems with any recips i sent to, but its just too much of a
pain
with the amount i'm getting now
i think my email runs about 5-8meg per day, prob half of it is real spam
i'm even thinking of running my own on my xp box with a kinda mini iis
installed
for my smtp and thinking there should be some pop3 i can also run, if it all
seems
safe and easy enough.
i will let you know, either way
bbx



Jari Fredriksson wrote:
> 
> bbxrider wrote:
>> yes, but..........................
>> i have a spam filter on my client, spambayes, and it works fine to
>> sort out spam sent
>> to a 'real' account
>> the problem here is numbers, the spammer is spoofing my domain with a
>> constantly changing
>> name (but with a constant piece of it)  with dozens if not hundreds a
>> day, are coming back to my domain pop3 with invalid address messages,
>> i don't want to deal with those and besides its further clogging the
>> pipes with messages being sent to me that are unnecessary, so my hunt
>> continues to determine a way
>> to have spam assassin handle it at my pop3, sitelutions.com, since
>> they don't seem to have
>> another way to handle it.
>> thanks bbxrider
>> 
> 
> Ah, you are talking about "back-scatter". While it's a nuisance, it's not
> actually spam - no matter that it's caused by spam originally.
> 
> I don't want my SpamAssassin to take those as spam.. because I redirect my
> spam to SpamCop for reporting, and backscatter is not spam.
> 
> If you can't turn off the catch-all feature of your email service, I think
> the best you can do is to filter backscatter in your POP-client using
> subject headers.
> 
> Here is my collection of headers triggering my back-scatter procedure
> (which is to add a header "X-Bounce: Yes" which will then be used to
> direct the mail to a special folder).
> 
> This is for maildrop, but the subject headers can be used in any mailer.
> 99% of delivery reports seem to get caught with these, so backscatter is
> no problem to me any more.
> 
> if (    /^Subject: Mail Delivery Problem/               || \
>         /^Subject: Mail Delivery \(failure/             || \
>         /^Subject: Undelivered Mail Returned to Sender/ || \
>         /^Subject: virus found in sent message/         || \
>         /^Subject: failure notice /                     || \
>         /^Subject: Mail delivery failed/                || \
>         /^Subject: Delivery Status Notification/        || \
>         /^Subject: Undeliverable:/                      || \
>         /^Subject: Undeliverable mail/                  || \
>         /^Subject: Returned mail: /                     || \
>         /^Subject: DELIVERY FAILURE: User /             || \
>         /^Subject: Yahoo! Auto Response/                || \
>         /^X-ME-bounce-domain:/                          || \
>         /^X-Failed-Recipients:/                         || \
>         /^X-Yahoo-Newman-Property: groups-bounce/       || \
>         /^Diagnostic-Code: X-Postfix; host /            || \
>         /^Content-type: multipart\/report;/             || \
>         /^Subject: Delivery failed:/                    || \
>         /^Subject: DELIVERY FAILURE:/                   || \
>         /^Subject: MESSAGE NOT DELIVERED: /             || \
>         /^Subject: Delivery problem/                    || \
>         /^Subject: Email Failure Notification/          || \
>         /^Subject: Email not allowed/                   || \
>         /^Subject: failure delivery/                    || \
>         /^Subject: failure notice/                      || \
>         /^Subject: Mail Not Delivered/                  || \
>         /^Subject: mail failed, returning to sender/    || \
>         /^Subject: Nondeliverable mail/                 || \
>         /^Subject: Warning: could not send message for/ || \
>         /^Subject: MDaemon Warning - Virus Found/       || \
>         /^Subject: Permanent Delivery Failure/          || \
>         /^Subject: Mail System Error - Returned Mail/   || \
>         /^Subject: Mail System Error - Undeliverable Mail/   || \
>         /^Subject: Transient Delivery Failure/          || \
>         /^Subject: Message status - undeliverable/      || \
>         /^Subject: Warning: message /                   || \
>         /^Subject: Undeliverable: /                     || \
>         /^Subject: Delivery failure/ )
> {
>         `logger -p mail.info "** BOUNCE RECEIVED **"`
>         xfilter "reformail -a'X-Bounce: Yes '"
>         SCAN_SPAM=0
> }
> 
> 
> 



Re: use of * with available spamassassin tools

Posted by Jari Fredriksson <ja...@iki.fi>.
bbxrider wrote:
> yes, but..........................
> i have a spam filter on my client, spambayes, and it works fine to
> sort out spam sent
> to a 'real' account
> the problem here is numbers, the spammer is spoofing my domain with a
> constantly changing
> name (but with a constant piece of it)  with dozens if not hundreds a
> day, are coming back to my domain pop3 with invalid address messages,
> i don't want to deal with those and besides its further clogging the
> pipes with messages being sent to me that are unnecessary, so my hunt
> continues to determine a way
> to have spam assassin handle it at my pop3, sitelutions.com, since
> they don't seem to have
> another way to handle it.
> thanks bbxrider
> 

Ah, you are talking about "back-scatter". While it's a nuisance, it's not actually spam - no matter that it's caused by spam originally.

I don't want my SpamAssassin to take those as spam.. because I redirect my spam to SpamCop for reporting, and backscatter is not spam.

If you can't turn off the catch-all feature of your email service, I think the best you can do is to filter backscatter in your POP-client using subject headers.

Here is my collection of headers triggering my back-scatter procedure (which is to add a header "X-Bounce: Yes" which will then be used to direct the mail to a special folder).

This is for maildrop, but the subject headers can be used in any mailer. 99% of delivery reports seem to get caught with these, so backscatter is no problem to me any more.

if (    /^Subject: Mail Delivery Problem/               || \
        /^Subject: Mail Delivery \(failure/             || \
        /^Subject: Undelivered Mail Returned to Sender/ || \
        /^Subject: virus found in sent message/         || \
        /^Subject: failure notice /                     || \
        /^Subject: Mail delivery failed/                || \
        /^Subject: Delivery Status Notification/        || \
        /^Subject: Undeliverable:/                      || \
        /^Subject: Undeliverable mail/                  || \
        /^Subject: Returned mail: /                     || \
        /^Subject: DELIVERY FAILURE: User /             || \
        /^Subject: Yahoo! Auto Response/                || \
        /^X-ME-bounce-domain:/                          || \
        /^X-Failed-Recipients:/                         || \
        /^X-Yahoo-Newman-Property: groups-bounce/       || \
        /^Diagnostic-Code: X-Postfix; host /            || \
        /^Content-type: multipart\/report;/             || \
        /^Subject: Delivery failed:/                    || \
        /^Subject: DELIVERY FAILURE:/                   || \
        /^Subject: MESSAGE NOT DELIVERED: /             || \
        /^Subject: Delivery problem/                    || \
        /^Subject: Email Failure Notification/          || \
        /^Subject: Email not allowed/                   || \
        /^Subject: failure delivery/                    || \
        /^Subject: failure notice/                      || \
        /^Subject: Mail Not Delivered/                  || \
        /^Subject: mail failed, returning to sender/    || \
        /^Subject: Nondeliverable mail/                 || \
        /^Subject: Warning: could not send message for/ || \
        /^Subject: MDaemon Warning - Virus Found/       || \
        /^Subject: Permanent Delivery Failure/          || \
        /^Subject: Mail System Error - Returned Mail/   || \
        /^Subject: Mail System Error - Undeliverable Mail/   || \
        /^Subject: Transient Delivery Failure/          || \
        /^Subject: Message status - undeliverable/      || \
        /^Subject: Warning: message /                   || \
        /^Subject: Undeliverable: /                     || \
        /^Subject: Delivery failure/ )
{
        `logger -p mail.info "** BOUNCE RECEIVED **"`
        xfilter "reformail -a'X-Bounce: Yes '"
        SCAN_SPAM=0
}
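
Added example, not part of Jari Fredriksson's post: Subject matching shows that a message is a bounce, but not whether it answers mail you actually sent. This Python code reads the original headers that a delivery report carries and separates bounces for mail from a real account from backscatter; `VALID_SENDERS`, the sample report and every address in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

VALID_SENDERS = {"good1@mydomain.com"}   # constructed: accounts that really send mail

# A few of the Subject prefixes from the maildrop rule, for bounces that are
# not sent as RFC 3464 multipart/report messages.
BOUNCE_SUBJECT = re.compile(
    r"(Undelivered Mail Returned to Sender|failure notice|"
    r"Mail delivery failed|Delivery Status Notification|Returned mail: )", re.I)

def is_bounce(msg):
    """True for a delivery-status report or a known bounce Subject/header."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    return bool(msg.get("X-Failed-Recipients")
                or BOUNCE_SUBJECT.match(msg.get("Subject", "")))

def returned_original(msg):
    """Headers of the bounced message carried inside the report, or None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
    return None

def classify(raw):
    """Return not-a-bounce, bounce-unverified, bounce-genuine or backscatter."""
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    original = returned_original(msg)
    if original is None:
        return "bounce-unverified"      # nothing to check the sender against
    sender = parseaddr(original.get("From", ""))[1].lower()
    return "bounce-genuine" if sender in VALID_SENDERS else "backscatter"

# Constructed delivery report for mail that claimed a spoofed sender.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: spoofnameqzx@mydomain.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

From: spoofnameqzx@mydomain.com
To: nobody@example.net

--b1--
"""
```

A spoofed From that happens to name a real account still classifies as `bounce-genuine`, so this narrows the flood rather than proving where the mail came from.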


Re: use of * with available spamassassin tools

Posted by bbxrider <bb...@job1data.com>.
yes, but..........................
i have a spam filter on my client, spambayes, and it works fine to sort out
spam sent
to a 'real' account
the problem here is numbers, the spammer is spoofing my domain with a
constantly changing
name (but with a constant piece of it)  with dozens if not hundreds a day,
are coming back to my domain pop3 with invalid address messages, i don't
want to deal with those and besides its further clogging the pipes with
messages being sent to me that are unnecessary, so my hunt continues to
determine a way
to have spam assassin handle it at my pop3, sitelutions.com, since they
don't seem to have
another way to handle it. 
 thanks bbxrider


Jari Fredriksson wrote:
> 
> bbxrider wrote:
>> i would very much like to be able to do that, but my mail service,
>> sitelutions.com, evidently doesn't have that functionality, which
>> doesn't make any sense to me at all, so i'm forced to try and deal
>> with it with sa i would have thought that pop3 services would easily
>> include an option to just
>> drop any message for a non-existent account (or bounce it back like
>> what is causing my problem), ideally this would be at the option of
>> the pop3 user, so
>> they could decide if messages coming in were just spam or a
>> legitimate typo, etc
>> so my question remains trying to see if i can get spam assassin to
>> get the job
>> done,  thanks for your reply
>> bbxrider
>> 
> 
> "pop3-accounts" normally drop mail sent to invalid addresses, meaning that
> each pop-box only gets the messages for that one pop address.
> 
> Seems there is some kind of "catch-all" arrangement, and you have your own
> domain, so that *@mydomain.tld gets into that mailbox.
> 
> I have similar, and I like it;) It's great as a spamtrap.
> 
> 



Re: use of * with available spamassassin tools

Posted by Jari Fredriksson <ja...@iki.fi>.
bbxrider wrote:
> i would very much like to be able to do that, but my mail service,
> sitelutions.com, evidently doesn't have that functionality, which
> doesn't make any sense to me at all, so i'm forced to try and deal
> with it with sa i would have thought that pop3 services would easily
> include an option to just
> drop any message for a non-existent account (or bounce it back like
> what is causing my problem), ideally this would be at the option of
> the pop3 user, so
> they could decide if messages coming in were just spam or a
> legitimate typo, etc
> so my question remains trying to see if i can get spam assassin to
> get the job
> done,  thanks for your reply
> bbxrider
> 

"pop3-accounts" normally drop mail sent to invalid addresses, meaning that each pop-box only gets the messages for that one pop address.

Seems there is some kind of "catch-all" arrangement, and you have your own domain, so that *@mydomain.tld gets into that mailbox.

I have similar, and I like it;) It's great as a spamtrap.

Re: use of * with available spamassassin tools

Posted by bbxrider <bb...@job1data.com>.
i would very much like to be able to do that, but my mail service,
sitelutions.com, evidently doesn't have that functionality, which doesn't
make any sense to me at all, so i'm forced to try and deal with it with sa
i would have thought that pop3 services would easily include an option to
just
drop any message for a non-existent account (or bounce it back like what is
causing my problem), ideally this would be at the option of the pop3 user,
so
they could decide if messages coming in were just spam or a legitimate typo,
etc
so my question remains trying to see if i can get spam assassin to get the
job
done,  thanks for your reply
bbxrider




Wolfgang-7 wrote:
> 
> In an older episode (Wednesday, 6. June 2007 07:47), bbxrider wrote:
>> i'm getting my domain spoofed and trying to stop the returns from the
>> spoofed targets coming to my
>> domain and then getting fwded to my default email account.
> 
>> the only thing that's constant and identifiable in the returned
>> header is a variation of the spoofed name like
>> spoofname*@mydomain.com
>> in the header it's the 'to:' data
> 
> Have you considered blocking invalid recipient addresses at the MTA 
> level, before even passing them to SA? Why accept mails and create 
> spamassassin rules for them if the recipient does not exist?
> 
> Cheers,
> 
> wolfgang
> 
> 



Re: use of * with available spamassassin tools

Posted by wolfgang <me...@gmx.net>.
In an older episode (Wednesday, 6. June 2007 07:47), bbxrider wrote:
> i'm getting my domain spoofed and trying to stop the returns from the
> spoofed targets coming to my
> domain and then getting fwded to my default email account.

> the only thing that's constant and identifiable in the returned
> header is a variation of the spoofed name like
> spoofname*@mydomain.com
> in the header it's the 'to:' data

Have you considered blocking invalid recipient addresses at the MTA 
level, before even passing them to SA? Why accept mails and create 
spamassassin rules for them if the recipient does not exist?

Cheers,

wolfgang