Posted to users@spamassassin.apache.org by Liam-PrintingAutomation <li...@printingautomation.com> on 2008/10/10 17:05:26 UTC

Block all incoming mail from domain except certain users?

I'm noticing we're getting a lot of spam coming through with a from
address of our own domain. This gives spamassassin an automatic -100 on
the score pretty much guaranteeing that it'll not get flagged as spam.
Since we have a limited number of people using that domain, is there a
way to tell spamassassin to block or at least give a really bad score to
any email with a FROM as coming from our domain but is not a user (left
of @ sign) that isn't one of these X addresses?

Thanks for any advice!
Liam

Re: Block all incoming mail from domain except certain users?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2008-10-10 at 21:03 +0200, Benny Pedersen wrote:
> On Fri, October 10, 2008 17:14, mouss wrote:
> 
> > This is a common configuration error. don't whitelist mail from your
> > domain.
> 
> also wrong advice without known config, whitelist is ok if it can't be abused

Err.  Did you read the original question? Obviously, it is being abused.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Block all incoming mail from domain except certain users?

Posted by Benny Pedersen <me...@junc.org>.
On Fri, October 10, 2008 17:14, mouss wrote:

> This is a common configuration error. don't whitelist mail from your
> domain.

also wrong advice without known config, whitelist is ok if it can't be abused


-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Block all incoming mail from domain except certain users?

Posted by mouss <mo...@netoyen.net>.
Liam-PrintingAutomation wrote:
> Sorry. I didn't realize I was hijacking anything since I completely
> replaced the subject line and used all new text body.
> I had no idea that doing that was somehow not creating a "new" message
> for all intents and purposes.
>

now you know ;-p google for "thread hijacking" to learn more.

your mailer probably has distinct "new" and a "reply to" buttons. you
don't think the mailer developers did so because they like adding
buttons :)




Threading (was: Re: Block all incoming mail from domain except certain users?)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2008-10-10 at 10:42 -0500, Liam-PrintingAutomation wrote:
> mouss wrote: 

> > Please repost your mail "correctly". do not hijack unrelated threads: do
> > not reply to an unrelated message. compose a new message instead.
> 
> Sorry. I didn't realize I was hijacking anything since I completely
> replaced the subject line and used all new text body.
> I had no idea that doing that was somehow not creating a "new" message
> for all intents and purposes.

For educational purposes, have a look at the In-Reply-To and References
headers. :-)

These account for proper threading, which is a most-useful feature for
mailing lists and often even personal discussions. Since you're using
Thunderbird, try this:
  View / Sort By / Threaded

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Block all incoming mail from domain except certain users?

Posted by Liam-PrintingAutomation <li...@printingautomation.com>.
mouss wrote:
> Liam-PrintingAutomation wrote:
>   
>> I'm noticing we're getting a lot of spam coming through with a from
>> address of our own domain. This gives spamassassin an automatic -100 on
>> the score pretty much guaranteeing that it'll not get flagged as spam.
>>   
>>     
>
> Please repost your mail "correctly". do not hijack unrelated threads: do
> not reply to an unrelated message. compose a new message instead.
>
>   
Sorry. I didn't realize I was hijacking anything since I completely
replaced the subject line and used all new text body.
I had no idea that doing that was somehow not creating a "new" message
for all intents and purposes.
Sorry.
Liam


Re: Block all incoming mail from domain except certain users?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2008-10-10 at 17:14 +0200, mouss wrote:
> Liam-PrintingAutomation wrote:

> > I'm noticing we're getting a lot of spam coming through with a from
> > address of our own domain. This gives spamassassin an automatic -100 on
> > the score pretty much guaranteeing that it'll not get flagged as spam.

> > Since we have a limited number of people using that domain, is there a
> > way to tell spamassassin to block or at least give a really bad score to
> > any email with a FROM as coming from our domain but is not a user (left
> > of @ sign) that isn't one of these X addresses?
> 
> This is a common configuration error. don't whitelist mail from your
> domain.

Ah, finally found the wiki page explaining to use whitelist_from_rcvd
rather than whitelist_from.
  http://wiki.apache.org/spamassassin/WhitelistingEverybody

If you properly constrain your whitelisting, you can do so for the
entire domain, instead of adding one line per user. Also have a look
here:
  http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

HTH

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Block all incoming mail from domain except certain users?

Posted by mouss <mo...@netoyen.net>.
Liam-PrintingAutomation wrote:
> I'm noticing we're getting a lot of spam coming through with a from
> address of our own domain. This gives spamassassin an automatic -100 on
> the score pretty much guaranteeing that it'll not get flagged as spam.
>   

Please repost your mail "correctly". do not hijack unrelated threads: do
not reply to an unrelated message. compose a new message instead.


> Since we have a limited number of people using that domain, is there a
> way to tell spamassassin to block or at least give a really bad score to
> any email with a FROM as coming from our domain but is not a user (left
> of @ sign) that isn't one of these X addresses?
>   

This is a common configuration error. don't whitelist mail from your
domain.

Re: Block all incoming mail from domain except certain users?

Posted by Ned Slider <ne...@unixmail.co.uk>.
Liam-PrintingAutomation wrote:
> I'm noticing we're getting a lot of spam coming through with a from
> address of our own domain. This gives spamassassin an automatic -100 on
> the score pretty much guaranteeing that it'll not get flagged as spam.
> Since we have a limited number of people using that domain, is there a
> way to tell spamassassin to block or at least give a really bad score to
> any email with a FROM as coming from our domain but is not a user (left
> of @ sign) that isn't one of these X addresses?
> 
> Thanks for any advice!
> Liam
> 


Presumably this is because you've whitelisted your whole domain. For 
example:

whitelist_from 	*@mydomain.tld

but some more information as to exactly how these mails are being 
assigned -100 would be useful. Assuming the above, IMHO this is a Bad 
Idea for the reasons you've just discovered.

If you're going to whitelist like this, maybe try *only* whitelisting 
legitimate accounts:

whitelist_from 	user1@mydomain.tld
whitelist_from 	user2@mydomain.tld
etc...

which would achieve what you've asked for.

Personally, I don't whitelist any of my domains and just leave SA to get 
on with it and scan my mail as normal. If I get any problematic mails 
then I add a rule on a case by case basis (usually a meta rule). For 
example, if the MD always sends a "monthly sales figures" mail that gets 
snagged by SA I'd write a meta rule to detect mail from the MD with the 
subject containing "monthly sales figures" and give it a negative score 
as appropriate.

Other measures like SPF would allow you to specify servers allowed to 
send mail for your domain(s) but they're not going to help when a 
whitelisting score of -100 is arbitrarily applied to all mails.
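
An added example, not part of the post above or of SpamAssassin itself: a small Python check that scans a constructed local.cf for whitelist_from entries covering your own domain, the setting this thread identifies as the source of the -100 score on forged mail. The function names, the sample file and the probe address are assumptions made for the example; mydomain.tld is the placeholder domain used in the post.

```python
import re

# Constructed sample local.cf; mydomain.tld is the placeholder domain used in the thread.
SAMPLE_CF = """\
whitelist_from       *@mydomain.tld              # trusts the From header alone
whitelist_from       news@partner.example user1@MyDomain.tld
whitelist_from_rcvd  *@mydomain.tld mydomain.tld  # also needs a matching relay
whitelist_auth       *@mydomain.tld               # also needs an SPF/DKIM pass
# whitelist_from     *@mydomain.tld  (commented out, ignored)
"""

def glob_match(glob, text):
    """Address globs: '*' is any run of characters, '?' is one character."""
    regex = re.escape(glob.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text.lower()) is not None

def audit_whitelist_from(cf_text, local_domains):
    """Return (line_no, pattern, scope) for whitelist_from entries covering a local domain.

    scope is 'any-sender' when an arbitrary forged local address matches,
    'single-address' when only one specific local address is trusted.
    """
    findings = []
    for line_no, raw in enumerate(cf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] != "whitelist_from":
            continue  # whitelist_from_rcvd / whitelist_auth carry their own constraint
        for pattern in fields[1:]:
            for domain in local_domains:
                # Hypothetical probe address standing in for a non-existent local user.
                if glob_match(pattern, "unlisted-probe@" + domain):
                    findings.append((line_no, pattern, "any-sender"))
                elif "@" in pattern and glob_match(pattern.rsplit("@", 1)[1], domain):
                    findings.append((line_no, pattern, "single-address"))
    return findings

if __name__ == "__main__":
    for line_no, pattern, scope in audit_whitelist_from(SAMPLE_CF, ["mydomain.tld"]):
        print(f"line {line_no}: whitelist_from {pattern} ({scope}): "
              "a forged From header is enough to match")
```

Entries reported as any-sender are the ones to replace with whitelist_from_rcvd or whitelist_auth, or to drop; single-address entries still trust a forged From for that one address.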


Re: Block all incoming mail from domain except certain users?

Posted by mouss <mo...@netoyen.net>.
Karl Pearson wrote:
> On Sat, 11 Oct 2008, Matus UHLAR - fantomas wrote:
>
>>> On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
>>>> any email with a FROM as coming from our domain but is not a user
>>>> (left
>>>> of @ sign) that isn't one of these X addresses?
>>
>> On 10.10.08 21:01, Benny Pedersen wrote:
>>> what rule gives -100 ?
>>
>> whitelist, of course: "any email with a FROM as coming from our domain"
>> That's a common mistake of adding local domain to whitelist_from, often
>> used
>> by spammers to get mail through.
>>
>>> there is a number of ways to make sure it's not giving -100 to own
>>> domains
>>> that is sent outside of localhost or even from localhost also
>>>
>>> adjust the score -100 to something like -0.01 and make use of
>>> dkim/spf to
>>> compensate for real users that send correct not just have your
>>> domain in
>>> sender from
>>
>> simply using whitelist_auth or whitelist_from_rcvd instead of
>> whitelist_from
>> should be enough
>
> I use whitelist_from_rcvd but am not sure I use it right:
>
> whitelist_from_rcvd root@mail.ourldsfamily.com ourldsfamily.com
>
> Is that right?

In general, yes.

This wouldn't be right if ourldsfamily.com is a large domain with "bad"
clients. for example, you wouldn't do that with a (large) ISP.

>
> Also, I've never heard of whitelist_auth and am curious to see an
> example. Would using both _auth and _from_rcvd be good/better/worse?


whitelist_auth whitelists the message under SPF or DKIM or DK success.

The right combination depends on the domain.

Re: Block all incoming mail from domain except certain users?

Posted by Karl Pearson <ka...@ourldsfamily.com>.
On Sat, 11 Oct 2008, Matus UHLAR - fantomas wrote:

>> On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
>>> any email with a FROM as coming from our domain but is not a user (left
>>> of @ sign) that isn't one of these X addresses?
>
> On 10.10.08 21:01, Benny Pedersen wrote:
>> what rule gives -100 ?
>
> whitelist, of course: "any email with a FROM as coming from our domain"
> That's a common mistake of adding local domain to whitelist_from, often used
> by spammers to get mail through.
>
>> there is a number of ways to make sure it's not giving -100 to own domains
>> that is sent outside of localhost or even from localhost also
>>
>> adjust the score -100 to something like -0.01 and make use of dkim/spf to
>> compensate for real users that send correct not just have your domain in
>> sender from
>
> simply using whitelist_auth or whitelist_from_rcvd instead of whitelist_from
> should be enough

I use whitelist_from_rcvd but am not sure I use it right:

whitelist_from_rcvd root@mail.ourldsfamily.com ourldsfamily.com

Is that right?

Also, I've never heard of whitelist_auth and am curious to see an example. 
Would using both _auth and _from_rcvd be good/better/worse?

Karl


> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> - Holmes, what kind of school did you study to be a detective?
> - Elementary, Watson.
>

---
       _/  _/      _/      _/_/_/       ____________   __o
      _/ _/       _/      _/    _/     ____________  _-\\<._
     _/_/        _/      _/_/_/                     (_)/ (_)
    _/ _/       _/      _/           ......................
   _/   _/ arl _/_/_/  _/ earson    KarlP@ourldsfamily.com
---
http://consulting.ourldsfamily.com
---
"To mess up your Linux PC, you have to really work at it;
  to mess up a microsoft PC you just have to work on it."
---

Re: Block all incoming mail from domain except certain users?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
> > any email with a FROM as coming from our domain but is not a user (left
> > of @ sign) that isn't one of these X addresses?

On 10.10.08 21:01, Benny Pedersen wrote:
> what rule gives -100 ?

whitelist, of course: "any email with a FROM as coming from our domain"
That's a common mistake of adding local domain to whitelist_from, often used
by spammers to get mail through.

> there is a number of ways to make sure it's not giving -100 to own domains
> that is sent outside of localhost or even from localhost also
> 
> adjust the score -100 to something like -0.01 and make use of dkim/spf to
> compensate for real users that send correct not just have your domain in
> sender from

simply using whitelist_auth or whitelist_from_rcvd instead of whitelist_from
should be enough
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.

Re: Block all incoming mail from domain except certain users?

Posted by mouss <mo...@netoyen.net>.
Joseph Brennan wrote:
>
>>> any email with a FROM as coming from our domain but is not a user (left
>>> of @ sign)
>
> You might be able to get your MTA to check that, the same as it does
> for recipients.  You know what addresses are valid @ your own domain,
> so it's reasonable to refuse mail from any others.  We have sendmail
> doing this during check_mail.  It stops 2% of our incoming.  You use
> postfix and I am not familiar with how it might be done with that.

smtpd_reject_unlisted_sender = yes

in some cases, you may want to accept "unlisted" senders from your own
machines (software installed on few machines that send mail as their own
user, but this user not added on the mail server). if so, instead of the
above, use
    reject_unlisted_sender
in smtpd restrictions, after having allowed "trusted" mail
(permit_mynetworks, ...).



Re: Block all incoming mail from domain except certain users?

Posted by Joseph Brennan <br...@columbia.edu>.
>> any email with a FROM as coming from our domain but is not a user (left
>> of @ sign)

You might be able to get your MTA to check that, the same as it does
for recipients.  You know what addresses are valid @ your own domain,
so it's reasonable to refuse mail from any others.  We have sendmail
doing this during check_mail.  It stops 2% of our incoming.  You use
postfix and I am not familiar with how it might be done with that.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology



Re: Block all incoming mail from domain except certain users?

Posted by Benny Pedersen <me...@junc.org>.
On Fri, October 10, 2008 17:05, Liam-PrintingAutomation wrote:
> any email with a FROM as coming from our domain but is not a user (left
> of @ sign) that isn't one of these X addresses?

what rule gives -100 ?

there is a number of ways to make sure it's not giving -100 to own domains
that is sent outside of localhost or even from localhost also

adjust the score -100 to something like -0.01 and make use of dkim/spf to
compensate for real users that send correct not just have your domain in
sender from

how is your

trusted_networks
internal_networks
msa_networks

?

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::DKIM
perldoc Mail::SpamAssassin::Plugin::SPF

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098