Posted to users@spamassassin.apache.org by Lars Jørgensen <la...@kb.dk> on 2011/05/19 08:46:49 UTC

sa-learn in an Exchange 2010 environment

Hi,

I have searched thoroughly for any information on the above constellation, but have not found anything useful.

We have spamassassin running on a gateway server delivering mail to users on an Exchange 2010 server. Sometimes spam gets through, and I would like for users to be able to send that spam to sa-learn.

I set up a forwarding scheme and that works fine. But reading around on the internets, people seem to warn about that kind of setup, because From fields on the forwarded mails belong to users and that can mark them as spammers. People recommend either redirecting the spam to sa-learn or moving it to a public folder and having some sort of IMAP mechanism pick it up and deliver it to sa-learn.

There are a number of problems with those recommendations on Exchange 2010: you can no longer resend mail that was not directly sent to you (or some other rule; the gist is that most spam cannot be resent), and there is no longer IMAP access to public folders (I am led to believe).

The forwarding method is very convenient and uses a method that users are already intimate with, so there is no need to teach them new things. So my question is: Can I continue doing this? How bad is it that the users' names get marked adversely in the Bayesian database, when all outgoing mail is whitelisted because of trusted sources?


Lars

Re: sa-learn in an Exchange 2010 environment

Posted by "Rolf E. Sonneveld" <R....@sonnection.nl>.
On 5/19/11 8:46 AM, Lars Jørgensen wrote:
>
> Hi,
>
> I have searched thoroughly for any information on the above
> constellation, but have not found anything useful.
>
> We have spamassassin running on a gateway server delivering mail to
> users on an Exchange 2010 server. Sometimes spam gets through, and I
> would like for users to be able to send that spam to sa-learn.
>
> I set up a forwarding scheme and that works fine. But reading around on
> the internets, people seem to warn about that kind of setup, because
> From fields on the forwarded mails belong to users and that can mark
> them as spammers. People recommend either redirecting the spam to
> sa-learn or moving it to a public folder and having some sort of
> IMAP mechanism pick it up and deliver it to sa-learn.
>
> There are a number of problems with those recommendations on Exchange
> 2010: you can no longer resend mail that was not directly sent to you
> (or some other rule; the gist is that most spam cannot be resent), and
> there is no longer IMAP access to public folders (I am led to believe).
>
> The forwarding method is very convenient and uses a method that users
> are already intimate with, so there is no need to teach them new
> things. So my question is: Can I continue doing this? How bad is it
> that the users' names get marked adversely in the Bayesian database,
> when all outgoing mail is whitelisted because of trusted sources?
>

Forwarding from Exchange for this purpose is pretty useless, IMHO. Apart
from the problem with the From address you mentioned, there is the
problem of Exchange removing all header information in forwarded
addresses, except for From, To, Subject and Date. Furthermore, the To
address is replaced with the common name/personal name of the recipient,
as it is registered in Active Directory. This leaves only the body of
the message to be learned by sa-learn.

BTW: did you consider the fact that autowhitelisting outbound mail also
whitelists spam addresses which sent spam and for which an Out of
Office message is sent outbound? Or do you mean you whitelist the sender
addresses of your Exchange users? If so, any inbound spam that carries
an internal name as sender address is accepted and delivered... But
maybe I just simply don't understand the way your whitelisting setup works.

/rolf

RE: sa-learn in an Exchange 2010 environment

Posted by Kevin Miller <Ke...@ci.juneau.ak.us>.
We use Exchange 2007, but I have a gateway sitting in front of it running spamassassin. I also use MailScanner (sort of similar to amavisd) and MailWatch, which is a web based front end to MailScanner.

MailScanner:  http://www.mailscanner.info
MailWatch:    http://mailwatch.sourceforge.net/doku.php

Any messages that come in are 'quarantined' in either a spam or non-spam directory as well as being sent to the Exchange server. If a slew of spam comes in that doesn't quite tip the scales, it's easy to pull up a report in MailWatch that allows me to submit them for learning, all on the gateway machine, w/o being modified by Exchange. Of course, if we have ham that is tagged as spam, I can feed it through as well so it can be learned as legitimate.

You may want to look into using them. One shortcoming you'd encounter is the users would lose the forwarding option since it's done through the web. You can set up accounts for them to get in and submit messages themselves, but you'd either need an account for everybody, or everybody could see all the messages. Or they'd have to contact you for help, so it may or may not be the best option...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500




Re: sa-learn in an Exchange 2010 environment

Posted by Dominic Benson <do...@lenny.cus.org>.
On 19 May 2011, at 07:46, Lars Jørgensen wrote:

> Hi,
>  
> I have searched thoroughly for any information on the above constellation, but have not found anything useful.
>  
> We have spamassassin running on a gateway server delivering mail to users on an Exchange 2010 server. Sometimes spam gets through, and I would like for users to be able to send that spam to sa-learn.
>  
> I set up a forwarding scheme and that works fine. But reading around on the internets, people seem to warn about that kind of setup, because From fields on the forwarded mails belong to users and that can mark them as spammers. People recommend either redirecting the spam to sa-learn or moving it to a public folder and having some sort of IMAP mechanism pick it up and deliver it to sa-learn.

Certainly it isn't ideal. A fair amount of header info will be different; the impact will depend on the proportion of spam learned this way versus other sa-learn. Also on how 'spammy' the body is.

A possible idea (may not be viable, depending on your environment) would be to save a copy of messages alongside their message ID on the gateway before they are relayed to Exchange (possibly only for a day or two), have users forward spam as at present, but rather than sa-learning the contents of that mailbox, read the original message id out of the in-reference-to headers, and use that to look up the *original* message, then sa-learn on that. If the original has been cleaned up, log to say it happened and ignore it. If lots of log messages show that messages are being flagged as spam after they have been cleaned, consider extending the period for which they are kept.

The obvious potential issues are:
1) Regulatory overhead in storing the messages on the gateway
2) I/O / disk overhead in writing them to disk on the gateway, storing them and cleaning them up
3) Relative effort of parsing out the individual message-ids and sa-learning individually compared to sa-learning a whole directory
>  
> There are a number of problems with those recommendations on Exchange 2010: you can no longer resend mail that was not directly sent to you (or some other rule; the gist is that most spam cannot be resent), and there is no longer IMAP access to public folders (I am led to believe).
>  
> The forwarding method is very convenient and uses a method that users are already intimate with, so there is no need to teach them new things. So my question is: Can I continue doing this? How bad is it that the users' names get marked adversely in the Bayesian database, when all outgoing mail is whitelisted because of trusted sources?
>  
>  
> Lars

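As an added illustration of the lookup scheme Dominic sketches above (example code written for this page, not anything from the thread or from SpamAssassin), the two halves in Python: archiving the gateway's copy under a hashed Message-ID before it is relayed, and resolving a user's forward back to that untouched copy through In-Reply-To/References. It goes one step beyond the post by also checking a forwarded message/rfc822 attachment, where the original Message-ID survives intact; the sample messages, the mapping used as the store and the function names are constructed for the example.

```python
import email
import hashlib
import logging
import re
from email import policy

log = logging.getLogger("sa-relearn")
MSGID_RE = re.compile(r"<[^<>\s]+>")

# Constructed sample traffic, not real mail: the spam as relayed, and two forwards of it.
ORIGINAL_SPAM = (b"From: promo@example.net\r\nTo: lars@example.org\r\n"
                 b"Message-ID: <spam-001@example.net>\r\nSubject: Cheap pills\r\n\r\nBuy now\r\n")
FWD_BY_REFERENCE = (b"From: lars@example.org\r\nTo: learn-spam@gateway.example.org\r\n"
                    b"In-Reply-To: <spam-001@example.net>\r\nSubject: FW: Cheap pills\r\n\r\nBuy now\r\n")
FWD_AS_ATTACHMENT = (b"From: lars@example.org\r\nTo: learn-spam@gateway.example.org\r\n"
                     b"Subject: FW: Cheap pills\r\nContent-Type: multipart/mixed; boundary=b1\r\n\r\n"
                     b"--b1\r\nContent-Type: message/rfc822\r\n\r\n" + ORIGINAL_SPAM + b"--b1--\r\n")

def store_key(message_id):
    # Hash the sender-controlled Message-ID so brackets, slashes etc. never become a raw file/db key.
    return hashlib.sha256(message_id.strip().encode()).hexdigest()

def store_copy(store, raw_bytes):
    """Archive before relaying to Exchange; `store` is any mapping (dict here, a dbm file in practice)."""
    mid = email.message_from_bytes(raw_bytes, policy=policy.default).get("Message-ID")
    if mid:
        store[store_key(mid)] = raw_bytes
    return bool(mid)  # False: no Message-ID, so nothing to correlate on later

def referenced_ids(forwarded_bytes):
    """Message-IDs the forward points back to: In-Reply-To/References, plus any rfc822 attachment's own."""
    msg = email.message_from_bytes(forwarded_bytes, policy=policy.default)
    ids = []
    for hdr in ("In-Reply-To", "References"):
        ids += MSGID_RE.findall(msg.get(hdr, ""))
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()[0]
            if inner.get("Message-ID"):
                ids.append(str(inner["Message-ID"]).strip())
    return list(dict.fromkeys(ids))  # de-duplicate, keep order

def find_original(store, forwarded_bytes):
    """Raw bytes of the untouched gateway copy to feed to sa-learn, or None; misses are logged."""
    for mid in referenced_ids(forwarded_bytes):
        hit = store.get(store_key(mid))
        if hit is not None:
            return hit
        log.info("original %s not in store (expired or never seen); ignoring", mid)
    return None
```

The bytes returned by `find_original` are what you pipe into `sa-learn --spam` instead of the Exchange-rewritten forward; with the Postfix `always_bcc` copy Michael suggests later in the thread, that bcc mailbox is the natural source for `store_copy`.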

RE: sa-learn in an Exchange 2010 environment

Posted by Lars Jørgensen <la...@kb.dk>.
Hi Michael,

I knew Exchange was pretty .. phuckulated, as you say, but I was not aware that forwarded emails were useless for bayes keys.

I understand your suggestion (and yes, we're on postfix), and I will try to work out something to that effect. Thank you for pointing me in the right direction.


Lars


Re: sa-learn in an Exchange 2010 environment

Posted by Michael Scheidell <mi...@secnap.com>.
On 5/19/11 2:46 AM, Lars Jørgensen wrote:
>
> nd have some sort of IMAP-mechanism pick it up and deliver it to sa-learn.
>
ms broke imap to public folders in 2007 sp1.  so, no, you can't use imap 
folders.
only option is ews (outlook web access), and with ews, you get a 
'microsoft approved' representation of the 'similar' email, formatted to 
work nice with ms.

so, not only are the headers broken, but the whole email is totally 
useless for bayes keys.

if postfix:  always bcc to a local (on the sa box) folder, and if a user 
wants to learn from a spam/ham, you need to pull the UNPHUCKULATED email 
from the bcc folder.

no option.

we needed to do something similar to this in our commercial offerings.

want to see what ms does with an email?

see the original (bcc), then use an ews type client and compare them.  
attachments are moved, text re-written, html TOTALLY rewritten.



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Best Intrusion Prevention Product, Networks Product Guide
    * Certified SNORT Integrator
    * Hot Company Award, World Executive Alliance
    * Best in Email Security, 2010 Network Products Guide
    * King of Spam Filters, SC Magazine

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________