Posted to users@spamassassin.apache.org by Lars Ebeling <la...@leopg9.no-ip.org> on 2011/12/23 22:10:22 UTC
Am i sending spam?
http://pastebin.com/78gUdaCj
--
Med vänliga hälsningar/Regards
Lars Ebeling
Rentier
http://leopg9.no-ip.org
"I am not young enough to know everything."
-- Oscar Wilde
Re: Am i sending spam?
Posted by Patrick Ben Koetter <p...@state-of-mind.de>.
* Lars Ebeling <la...@leopg9.no-ip.org>:
> >You are not sending spam. Someone on the machine SR1S4.mesa.gmu.edu
> >[129.174.112.124] connected to your machine and said:
> >
> >HELO leopg9.no-ip.org
> >
> >In other words, the HELO domain was faked. We automatically block mail
> >from anyone who HELOs as our machine (unless it really *is* from our
> >machine, of course!)
>
> how do you do that?
In Postfix:

    smtpd_recipient_restrictions =
        ...
        permit_mynetworks
        reject_unauth_destination
        ...
        check_helo_access pcre:/etc/postfix/helo.chk
        ...

    # /etc/postfix/helo.chk
    /^mail\.state-of-mind\.de$/     550 hostname abuse: mail.state-of-mind.de
    /^state-of-mind\.de$/           550 domainname abuse: state-of-mind.de
    /^194\.126\.158\.24$/           550 IP address abuse: 194.126.158.24
    /^\[194\.126\.158\.24\]$/       550 IP address abuse: [194.126.158.24]
    /^[0-9.]+$/                     550 RFC 2821 compliance error
HTH,
p@rick
--
state of mind ()
http://www.state-of-mind.de
Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
Re: Am i sending spam?
Posted by John Hardin <jh...@impsec.org>.
On Sat, 24 Dec 2011, Benny Pedersen wrote:
> On Sat, 24 Dec 2011 08:47:44 -0800 (PST), John Hardin wrote:
>
>> Ha. This is what I get for replying to mail as I read it. :)
>
> +1
>
> can you make it a more generic example without your own domain in it? At least
> I don't think users will use it unmodified :)
Yeah, that's not too hard.
> mary xmax
I think my wife would object.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas
Re: Am i sending spam?
Posted by John Hardin <jh...@impsec.org>.
On Sat, 24 Dec 2011, Benny Pedersen wrote:
> On Sat, 24 Dec 2011 08:47:44 -0800 (PST), John Hardin wrote:
>
>> Ha. This is what I get for replying to mail as I read it. :)
>
> +1
>
> can you make it a more generic example without your own domain in it? At least
> I don't think users will use it unmodified :)
OK, done.
Re: Am i sending spam?
Posted by Benny Pedersen <me...@junc.org>.
On Sat, 24 Dec 2011 08:47:44 -0800 (PST), John Hardin wrote:
> Ha. This is what I get for replying to mail as I read it. :)
+1
can you make it a more generic example without your own domain in it?
At least I don't think users will use it unmodified :)
mary xmax
Re: Am i sending spam?
Posted by Lars Ebeling <la...@leopg9.no-ip.org>.
I solved the problem (hopefully) with a workaround. I added a rule in
iptables
--
Regards
Lars Ebeling
http://leopg9.no-ip.org
"It is better to keep your mouth shut and appear stupid than to open it and
remove all doubt."
-- Mark Twain
Re: Am i sending spam?
Posted by Lars Ebeling <la...@leopg9.no-ip.org>.
To be honest I really don't know how to stop it. I tried to create a filter in
my router running TomatoUSB, but didn't succeed.
Regards
Lars
Re: Am i sending spam?
Posted by Lars Ebeling <la...@leopg9.no-ip.org>.
I am using Postfix.
/Lars
Re: Am i sending spam?
Posted by John Hardin <jh...@impsec.org>.
On Sat, 24 Dec 2011, Benny Pedersen wrote:
> On Fri, 23 Dec 2011 23:13:43 +0100, Lars Ebeling wrote:
>
>> > In other words, the HELO domain was faked. We automatically block mail
>> > from anyone who HELOs as our machine (unless it really *is* from our
>> > machine,
>> > of course!)
>> how do you do that?
>
> http://www.impsec.org/~jhardin/antispam/milter-regex.conf
>
> change recipient domain in this example, in generic reject anything that your
> own mta use on sending
Ha. This is what I get for replying to mail as I read it. :)
Re: Am i sending spam?
Posted by Benny Pedersen <me...@junc.org>.
On Fri, 23 Dec 2011 23:13:43 +0100, Lars Ebeling wrote:
>> In other words, the HELO domain was faked. We automatically block
>> mail
>> from anyone who HELOs as our machine (unless it really *is* from our
>> machine,
>> of course!)
> how do you do that?
http://www.impsec.org/~jhardin/antispam/milter-regex.conf
change recipient domain in this example, in generic reject anything
that your own mta use on sending
Re: Am i sending spam?
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 23 Dec 2011, David F. Skoll wrote:
> On Fri, 23 Dec 2011 23:13:43 +0100
> "Lars Ebeling" <la...@leopg9.no-ip.org> wrote:
>
>>> We automatically block mail from anyone who HELOs as our machine
>>> (unless it really *is* from our machine, of course!)
>
>> how do you do that?
>
> We use MIMEDefang which lets you code tests like that in Perl.
> (So this is done outside of SpamAssassin, but you may be able
> to hack a SpamAssassin rule to do it too.)
Ideally this sort of check should be done at the incoming MTA (MX)
level, before the message ever gets handed to SA. Right up front, do your
HELO, DNS and DNSBL checks on the opening connection and reject right there.
Why let spam in the front door if you know you're going to reject it
later?
Thus these sorts of tests are MTA-specific. You need to know what
your MTA is and check the appropriate FAQs, lists and config resources
for your MTA.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Am i sending spam?
Posted by Larry Rosenman <le...@lerctr.org>.
On 12/23/2011 4:23 PM, David F. Skoll wrote:
> On Fri, 23 Dec 2011 23:13:43 +0100 "Lars Ebeling"
> <la...@leopg9.no-ip.org> wrote:
>
>>> We automatically block mail from anyone who HELOs as our
>>> machine (unless it really *is* from our machine, of course!)
>
>> how do you do that?
>
> We use MIMEDefang which lets you code tests like that in Perl. (So
> this is done outside of SpamAssassin, but you may be able to hack a
> SpamAssassin rule to do it too.)
>
> Regards,
>
> David.
In Exim, I do the following:

    # kill off the folks that use OUR IPs in HELO, nice and early.
    drop message   = Forged IP detected in HELO: $sender_helo_name
         hosts     = !+relay_from_hosts
         !authenticated = *
         condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

    # Forged hostname - HELOs as my own hostname or domain (early as well)
    drop message   = Forged hostname detected in HELO: $sender_helo_name
         hosts     = !+relay_from_hosts
         !authenticated = *
         condition = ${lookup{$sender_helo_name}lsearch{/usr/local/etc/exim/checkfiles/our_host_names}{yes}{no}}

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
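Patrick's Postfix table and Larry's Exim ACL above implement the same policy: reject any client that HELOs as one of our own host names or addresses, unless the connection really comes from our own network or from an authenticated submitter. The following is an added example, not configuration or code from either poster, that expresses that policy as a function in the shape of the Postfix SMTPD policy delegation protocol (the "name=value" request a check_policy_service server reads and the "action=" line it answers). The host names, addresses and networks are assumed placeholders in documentation ranges, and the sample requests at the bottom are constructed.

```python
"""HELO-forgery policy check, shaped like a Postfix SMTPD policy server
(check_policy_service): read 'name=value' request lines ending in a blank
line, answer 'action=...'. Added example; not Patrick's or Larry's config.
Names, addresses and networks below are assumed placeholders."""
import ipaddress
import re

# Assumed site data: what our own MTA announces. Replace with your own.
OUR_HOSTNAMES = {"mail.example.org", "example.org"}
OUR_ADDRESSES = {"192.0.2.10"}
# Equivalent of Postfix $mynetworks / Exim +relay_from_hosts.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("127.0.0.0/8")]

# A bare dotted quad in HELO (no brackets) is not a valid address literal
# (RFC 5321 section 4.1.3 requires "[...]"); Patrick's last pcre line catches it.
BARE_IPV4 = re.compile(r"^[0-9]{1,3}(\.[0-9]{1,3}){3}$")


def parse_policy_request(text):
    """Parse one policy request: attributes are 'name=value' lines and an
    empty line ends the request."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def is_trusted_client(client_address, sasl_username):
    """permit_mynetworks plus the Exim '!authenticated = *' exemption:
    our own hosts and authenticated submitters may legitimately HELO as us."""
    if sasl_username:
        return True
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    return any(ip in net for net in MYNETWORKS)


def helo_verdict(attrs):
    """Return the Postfix action for one request: 'DUNNO' (no opinion, let
    later restrictions decide) or a 550 rejection text."""
    helo = attrs.get("helo_name", "").strip().lower()
    if is_trusted_client(attrs.get("client_address", ""),
                         attrs.get("sasl_username", "")):
        return "DUNNO"
    if helo in OUR_HOSTNAMES:
        return "550 hostname abuse: %s" % helo
    # Match both "[192.0.2.10]" and the non-compliant bare "192.0.2.10".
    literal = helo[1:-1] if helo.startswith("[") and helo.endswith("]") else helo
    if literal in OUR_ADDRESSES:
        return "550 IP address abuse: %s" % helo
    if BARE_IPV4.match(helo):
        return "550 RFC 5321 compliance error: address literal must be bracketed"
    return "DUNNO"


def policy_response(request_text):
    """Full request-to-response round trip as the policy protocol frames it."""
    return "action=%s\n\n" % helo_verdict(parse_policy_request(request_text))


if __name__ == "__main__":
    # Constructed requests: a forged HELO from a foreign client, the same
    # HELO from our own network, and a harmless foreign client.
    for client, helo in [("203.0.113.5", "mail.example.org"),
                         ("192.0.2.77", "mail.example.org"),
                         ("203.0.113.5", "mx.other.example")]:
        req = ("request=smtpd_access_policy\nclient_address=%s\n"
               "helo_name=%s\n\n" % (client, helo))
        print(client, helo, "->", policy_response(req).strip())
```

The trusted-client test runs first for the same reason permit_mynetworks sits before check_helo_access in Patrick's restriction list and "hosts = !+relay_from_hosts" guards Larry's drop: your own outbound relays and your users' authenticated submissions are the one case where HELOing as you is legitimate.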
Re: Am i sending spam?
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Fri, 23 Dec 2011 23:13:43 +0100
"Lars Ebeling" <la...@leopg9.no-ip.org> wrote:
> > We automatically block mail from anyone who HELOs as our machine
> > (unless it really *is* from our machine, of course!)
> how do you do that?
We use MIMEDefang which lets you code tests like that in Perl.
(So this is done outside of SpamAssassin, but you may be able
to hack a SpamAssassin rule to do it too.)
Regards,
David.
Re: Am i sending spam?
Posted by John Hardin <jh...@impsec.org>.
On Fri, 23 Dec 2011, Lars Ebeling wrote:
> ----- Original Message ----- From: "David F. Skoll" <df...@roaringpenguin.com>
>> In other words, the HELO domain was faked. We automatically block mail
>> from anyone who HELOs as our machine (unless it really *is* from our
>> machine, of course!)
> how do you do that?
There are several ways, depending on which MTA you use.
I do it using milter-regex. For example:
http://www.impsec.org/~jhardin/antispam/milter-regex.conf
Re: Am i sending spam?
Posted by Lars Ebeling <la...@leopg9.no-ip.org>.
----- Original Message -----
From: "David F. Skoll" <df...@roaringpenguin.com>
To: <us...@spamassassin.apache.org>
Sent: Friday, December 23, 2011 10:14 PM
Subject: Re: Am i sending spam?
> On Fri, 23 Dec 2011 22:10:22 +0100
> "Lars Ebeling" <la...@leopg9.no-ip.org> wrote:
>
>> http://pastebin.com/78gUdaCj
>
> You are not sending spam. Someone on the machine
> SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
> said:
>
> HELO leopg9.no-ip.org
>
> In other words, the HELO domain was faked. We automatically block mail
> from anyone who HELOs as our machine (unless it really *is* from our
> machine,
> of course!)
how do you do that?
>
> Regards,
>
> David.
>
Re: Am i sending spam?
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 23 Dec 2011, David B Funk wrote:
> On Fri, 23 Dec 2011, David F. Skoll wrote:
>
>> On Fri, 23 Dec 2011 22:10:22 +0100
>> "Lars Ebeling" <la...@leopg9.no-ip.org> wrote:
>>
>>> http://pastebin.com/78gUdaCj
>>
>> You are not sending spam. Someone on the machine
>> SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
>> said:
>>
>> HELO leopg9.no-ip.org
>>
>> In other words, the HELO domain was faked. We automatically block mail
>> from anyone who HELOs as our machine (unless it really *is* from our
>> machine,
>> of course!)
>
> Not to mention the fact that IP addr is listed in cbl.abuseat.org
> as a malware source and that "message.bat" attachment looks -very-
> suspicious.
>
> Do you have any kind of AV running in your mail system?
> The original of that message gets identified as "Worm.Mydoom.M FOUND"
> by ClamAV. We run ClamAV as an input milter filter ahead of SpamAssassin;
> no sense wasting time/cycles on known viruses. ;)
One additional odd/interesting thing about that message:
that IP address ([129.174.112.124]) is listed in multiple DNSBLs
(e.g. cbl.abuseat.org, zen.spamhaus) but gets a "whitelist" rating
from hostkarma.junkemailfilter.com.
So if I were to actually believe hostkarma I wouldn't have filtered
that message at all. ;(
Does anybody actually believe hostkarma's "whitelist" ratings?
I've seen lots of blatant spammers get whitelisted. I used to
report them to Marc but gave up when, after reporting a whitelisted
malware/phish message, he replied 'looks ok to me'.
Re: Am i sending spam?
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 23 Dec 2011, David F. Skoll wrote:
> On Fri, 23 Dec 2011 22:10:22 +0100
> "Lars Ebeling" <la...@leopg9.no-ip.org> wrote:
>
>> http://pastebin.com/78gUdaCj
>
> You are not sending spam. Someone on the machine
> SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
> said:
>
> HELO leopg9.no-ip.org
>
> In other words, the HELO domain was faked. We automatically block mail
> from anyone who HELOs as our machine (unless it really *is* from our machine,
> of course!)
Not to mention the fact that IP addr is listed in cbl.abuseat.org
as a malware source and that "message.bat" attachment looks -very-
suspicious.
Do you have any kind of AV running in your mail system?
The original of that message gets identified as "Worm.Mydoom.M FOUND"
by ClamAV. We run ClamAV as an input milter filter ahead of SpamAssassin;
no sense wasting time/cycles on known viruses. ;)
Re: Am i sending spam?
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Fri, 23 Dec 2011 22:10:22 +0100
"Lars Ebeling" <la...@leopg9.no-ip.org> wrote:
> http://pastebin.com/78gUdaCj
You are not sending spam. Someone on the machine
SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
said:
HELO leopg9.no-ip.org
In other words, the HELO domain was faked. We automatically block mail
from anyone who HELOs as our machine (unless it really *is* from our machine,
of course!)
Regards,
David.
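David's diagnosis comes from the Received header that Lars's own Postfix stamped on the message: the name right after "from" is whatever the client said in HELO, while the name and address in parentheses are what the server actually observed about the connection. The following is an added example, not code from the thread, that pulls those fields out of a Postfix-style Received line, flags a HELO that claims one of our names from a foreign address (the post-hoc version of the check Dave recommends doing at the MX), and builds the reversed-octet query name a DNSBL lookup such as the ones Dave mentions would resolve (the DNS lookup itself needs the network and is not performed here). The two header texts are constructed from the facts stated in David's post; the queue IDs, the dates and the assumed address 198.51.100.7 for leopg9.no-ip.org are placeholders.

```python
"""Post-hoc check of a Received header: did the connecting host HELO as us?
Added example, not code from the thread. The header texts are constructed
from the facts David Skoll states (HELO leopg9.no-ip.org from
SR1S4.mesa.gmu.edu [129.174.112.124]); queue IDs, dates and the address
198.51.100.7 assumed for leopg9.no-ip.org are placeholders."""
import re

OUR_NAMES = {"leopg9.no-ip.org"}
OUR_IPS = {"198.51.100.7"}   # assumed address of leopg9.no-ip.org

# Postfix writes: "from <HELO name> (<reverse DNS> [<client IP>]) by <us> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

# Constructed: what the worm's connection would have looked like ...
FORGED_RECEIVED = (
    "Received: from leopg9.no-ip.org (SR1S4.mesa.gmu.edu [129.174.112.124])\n"
    "\tby leopg9.no-ip.org (Postfix) with SMTP id 0000000000;\n"
    "\tFri, 23 Dec 2011 21:00:00 +0100")
# ... and a delivery from the machine itself, which may legitimately HELO as us.
LEGIT_RECEIVED = (
    "Received: from leopg9.no-ip.org (leopg9.no-ip.org [198.51.100.7])\n"
    "\tby leopg9.no-ip.org (Postfix) with ESMTP id 0000000001;\n"
    "\tFri, 23 Dec 2011 21:05:00 +0100")


def parse_received(header):
    """Unfold the header (continuation lines start with whitespace) and
    return {'helo', 'rdns', 'ip', 'by'}, or None if it is not in this form."""
    unfolded = " ".join(header.split())
    m = RECEIVED_RE.search(unfolded)
    return m.groupdict() if m else None


def helo_is_forged(rec, our_names, our_ips):
    """True when the client claimed one of our names or addresses in HELO
    but neither its connecting address nor its reverse DNS is ours."""
    helo = rec["helo"].lower().strip("[]")
    claims_us = helo in our_names or helo in our_ips
    really_us = rec["ip"] in our_ips or rec["rdns"].lower() in our_names
    return claims_us and not really_us


def dnsbl_query_name(ip, zone):
    """Name to resolve for an IPv4 DNSBL: octets reversed, zone appended.
    An A record in the answer means the address is listed."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    for label, hdr in [("forged", FORGED_RECEIVED), ("legit", LEGIT_RECEIVED)]:
        rec = parse_received(hdr)
        print(label, rec["helo"], rec["rdns"], rec["ip"],
              "forged" if helo_is_forged(rec, OUR_NAMES, OUR_IPS) else "ok")
    print(dnsbl_query_name("129.174.112.124", "zen.spamhaus.org"))
```

Reading the header this way also explains why Lars's router filter could not help: the only thing that identifies the sender is the address in brackets, and only the MTA that accepted the connection had it at the moment the HELO was spoken.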
Re: Am i sending spam?
Posted by Benny Pedersen <me...@junc.org>.
On Fri, 23 Dec 2011 22:10:22 +0100, Lars Ebeling wrote:
> http://pastebin.com/78gUdaCj
lines 82-86 show that Outlook is slowly dying :-)
line 86 contains content outside US-ASCII: non-encoded characters