Posted to users@spamassassin.apache.org by ka...@ourldsfamily.com on 2006/01/29 08:07:17 UTC

When Reply = To

In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm not
expert enough, nor smart enough to understand the cryptic nature of PHP
(cryptic to me, at least) and the SA rules.

When an email is spoofed as being from me and to me, the score is -100 (+-
the other rules caught) as being in the whitelist. I have a database of
email users of about 4000 and wrote a script that goes through them on
command and builds my whitelist.

I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7

-- 
karl
     _/  _/      _/      _/_/_/       ____________   __o
    _/ _/       _/      _/    _/     ____________  _-\<._
   _/_/        _/      _/_/_/                     (_)/ (_)
  _/ _/       _/      _/           ......................
 _/   _/ arl _/_/_/  _/ earson    KarlP@ourldsfamily.com
---
Senior Consulting Sys/DB Analyst
http://consulting.ourldsfamily.com
---
 My Thoughts on Terrorism In America:
 http://www.ourldsfamily.com/wtc.shtml
---
 A right is not what someone gives you; it's what no one can take from
you. -Ramsey Clark
---



Re: When Reply = To

Posted by jdow <jd...@earthlink.net>.
From: <ka...@ourldsfamily.com>
> On Sun, January 29, 2006 9:09 pm, jdow said:
>> From: <ka...@ourldsfamily.com>
>>>
>>> On Sun, January 29, 2006 4:42 pm, jdow said:
>> ...
>>>> Do you see ALL_TRUSTED in all or most of the email received? If so your
>>>> trust path is toast and many of the header consistency checks won't work
>>>> right. As far as other issues, my brain's not functioning well at the
>>>> moment. Migraines do that to me. But I do note that it's fairly obvious
>>>> when an email has forged an Earthlink address. So perhaps catching it
>>>> here is easier than for you. I do not have anything at Earthlink whitelisted
>>>> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
>>>> is an effective whitelist, anyway. I don't mind that most of the Earthlink
>>>> sales offers and such get clobbered by the spam filtering. {^_-}
>>>
>>> There aren't ever any ALL_TRUSTED entries in my headers. I've been very
>>> careful to tune that as accurately as I can. I'm behind a dual-homed Linux
>>> firewall which is behind a NATted Cisco gateway router, so it was a
>>> trial-and-error process. I still am not completely confident it's right.
>>>
>>> Currently I have:
>>>
>>> clear_trusted_networks
>>> internal_networks       127/8 10/8 172.20.20/24
>>> trusted_networks        172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
>>> dns_available           test: mydomain.com
>>
>> OK, do you in fact see messages from your own domain triggering as spam?
>> If so check the rules that triggered. Maybe they are not well suited for
>> the demands of your particular domain. You may need to override some scores
>> or remove some rule sets. Or if somebody internally is spamming then it
>> might be wise to turn them off. I treat whitelist and its kith and kin as
>> an admission that a site may be spammy in nature but it is spam I want
>> and have asked for. I work hard not to need it. Although there are some
>> commercial theatrical and financial sites I do want that do trigger the
>> standard rule sets, sometimes humorously well. So I whitelist them for
>> a while until their format bugs me too much and then they drift back to
>> spam status. But if anti-spam rules are very regularly rating messages
>> from your site as spam it might be a good idea to check on what those
>> messages look like rather than wallpapering over them. (The SARE rule
>> set 70_sare-whitelist.cf is a good place to find suitable formats for
>> the whitelist_from_rcvd rule. Some sites you want to accept wild card
>> user names while other sites you want to be more restrictive about.
>> The whitelist_from_rcvd requires that the email not only claim the
>> correct sender address format but also that it originates from the
>> correct domain for that address.)
> 
> Nope, never spam from inside the network. I've never had that problem with
> my users. I guess I'm lucky that way. There's no way (currently) to use my
> hosts as open relays either.
> 
> It seems things have calmed down now with the use of the
> whitelist_from_rcvd inclusion.

I'm glad it worked and that there was no more serious problem lurking
behind the symptoms.

{^_-}


Re: When Reply = To

Posted by ka...@ourldsfamily.com.
On Sun, January 29, 2006 9:09 pm, jdow said:
> From: <ka...@ourldsfamily.com>
>>
>> On Sun, January 29, 2006 4:42 pm, jdow said:
> ...
>>> Do you see ALL_TRUSTED in all or most of the email received? If so your
>>> trust path is toast and many of the header consistency checks won't work
>>> right. As far as other issues, my brain's not functioning well at the
>>> moment. Migraines do that to me. But I do note that it's fairly obvious
>>> when an email has forged an Earthlink address. So perhaps catching it
>>> here is easier than for you. I do not have anything at Earthlink whitelisted
>>> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
>>> is an effective whitelist, anyway. I don't mind that most of the Earthlink
>>> sales offers and such get clobbered by the spam filtering. {^_-}
>>
>> There aren't ever any ALL_TRUSTED entries in my headers. I've been very
>> careful to tune that as accurately as I can. I'm behind a dual-homed Linux
>> firewall which is behind a NATted Cisco gateway router, so it was a
>> trial-and-error process. I still am not completely confident it's right.
>>
>> Currently I have:
>>
>> clear_trusted_networks
>> internal_networks       127/8 10/8 172.20.20/24
>> trusted_networks        172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
>> dns_available           test: mydomain.com
>
> OK, do you in fact see messages from your own domain triggering as spam?
> If so check the rules that triggered. Maybe they are not well suited for
> the demands of your particular domain. You may need to override some scores
> or remove some rule sets. Or if somebody internally is spamming then it
> might be wise to turn them off. I treat whitelist and its kith and kin as
> an admission that a site may be spammy in nature but it is spam I want
> and have asked for. I work hard not to need it. Although there are some
> commercial theatrical and financial sites I do want that do trigger the
> standard rule sets, sometimes humorously well. So I whitelist them for
> a while until their format bugs me too much and then they drift back to
> spam status. But if anti-spam rules are very regularly rating messages
> from your site as spam it might be a good idea to check on what those
> messages look like rather than wallpapering over them. (The SARE rule
> set 70_sare-whitelist.cf is a good place to find suitable formats for
> the whitelist_from_rcvd rule. Some sites you want to accept wild card
> user names while other sites you want to be more restrictive about.
> The whitelist_from_rcvd requires that the email not only claim the
> correct sender address format but also that it originates from the
> correct domain for that address.)

Nope, never spam from inside the network. I've never had that problem with
my users. I guess I'm lucky that way. There's no way (currently) to use my
hosts as open relays either.

It seems things have calmed down now with the use of the
whitelist_from_rcvd inclusion.

Thanks for that help.

Karl


>
> {^_^}
>




Re: When Reply = To

Posted by jdow <jd...@earthlink.net>.
From: <ka...@ourldsfamily.com>
> 
> On Sun, January 29, 2006 4:42 pm, jdow said:
...
>> Do you see ALL_TRUSTED in all or most of the email received? If so your
>> trust path is toast and many of the header consistency checks won't work
>> right. As far as other issues, my brain's not functioning well at the
>> moment. Migraines do that to me. But I do note that it's fairly obvious
>> when an email has forged an Earthlink address. So perhaps catching it
>> here is easier than for you. I do not have anything at Earthlink whitelisted
>> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
>> is an effective whitelist, anyway. I don't mind that most of the Earthlink
>> sales offers and such get clobbered by the spam filtering. {^_-}
> 
> There aren't ever any ALL_TRUSTED entries in my headers. I've been very
> careful to tune that as accurately as I can. I'm behind a dual-homed Linux
> firewall which is behind a NATted Cisco gateway router, so it was a
> trial-and-error process. I still am not completely confident it's right.
> 
> Currently I have:
> 
> clear_trusted_networks
> internal_networks       127/8 10/8 172.20.20/24
> trusted_networks        172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
> dns_available           test: mydomain.com

OK, do you in fact see messages from your own domain triggering as spam?
If so check the rules that triggered. Maybe they are not well suited for
the demands of your particular domain. You may need to override some scores
or remove some rule sets. Or if somebody internally is spamming then it
might be wise to turn them off. I treat whitelist and its kith and kin as
an admission that a site may be spammy in nature but it is spam I want
and have asked for. I work hard not to need it. Although there are some
commercial theatrical and financial sites I do want that do trigger the
standard rule sets, sometimes humorously well. So I whitelist them for
a while until their format bugs me too much and then they drift back to
spam status. But if anti-spam rules are very regularly rating messages
from your site as spam it might be a good idea to check on what those
messages look like rather than wallpapering over them. (The SARE rule
set 70_sare-whitelist.cf is a good place to find suitable formats for
the whitelist_from_rcvd rule. Some sites you want to accept wild card
user names while other sites you want to be more restrictive about.
The whitelist_from_rcvd requires that the email not only claim the
correct sender address format but also that it originates from the
correct domain for that address.)

{^_^}


Re: When Reply = To

Posted by ka...@ourldsfamily.com.
On Sun, January 29, 2006 4:42 pm, jdow said:
> From: <ka...@ourldsfamily.com>
>>
>> On Sun, January 29, 2006 12:50 am, jdow said:
>>> From: <ka...@ourldsfamily.com>
>>>
>>>> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm not
>>>> expert enough, nor smart enough to understand the cryptic nature of PHP
>>>> (cryptic to me, at least) and the SA rules.
>>>>
>>>> When an email is spoofed as being from me and to me, the score is -100 (+-
>>>> the other rules caught) as being in the whitelist. I have a database of
>>>> email users of about 4000 and wrote a script that goes through them on
>>>> command and builds my whitelist.
>>>>
>>>> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7
>>>
>>> 1) It's whitelist_from_rcvd you want.
>>> 2) It should not be necessary to whitelist your own site. If it is then
>>>    investigate what aspects of your email load are causing the hits. Then
>>>    take the proper remedial action.
>>
>> Okay, I've looked at whitelist_from_rcvd and added for email addresses on
>> my site. The format I'm using is:
>>
>> whitelist_from_rcvd  user@mydomain.com  mydomain.com
>>
>> I'll watch and see if any more of these fail to get tagged as spam.
>>
>> I'm confused on how to take proper remedial action because I'm not sure
>> what to look for on item #2 above. Please point me in the right direction
>> and I'll get the rest of the work myself.
>
> Do you see ALL_TRUSTED in all or most of the email received? If so your
> trust path is toast and many of the header consistency checks won't work
> right. As far as other issues, my brain's not functioning well at the
> moment. Migraines do that to me. But I do note that it's fairly obvious
> when an email has forged an Earthlink address. So perhaps catching it
> here is easier than for you. I do not have anything at Earthlink whitelisted
> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
> is an effective whitelist, anyway. I don't mind that most of the Earthlink
> sales offers and such get clobbered by the spam filtering. {^_-}

There aren't ever any ALL_TRUSTED entries in my headers. I've been very
careful to tune that as accurately as I can. I'm behind a dual-homed Linux
firewall which is behind a NATted Cisco gateway router, so it was a
trial-and-error process. I still am not completely confident it's right.

Currently I have:

clear_trusted_networks
internal_networks       127/8 10/8 172.20.20/24
trusted_networks        172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
dns_available           test: mydomain.com

Karl

>
> {^_^}
>






Re: When Reply = To

Posted by jdow <jd...@earthlink.net>.
From: <ka...@ourldsfamily.com>
> 
> On Sun, January 29, 2006 12:50 am, jdow said:
>> From: <ka...@ourldsfamily.com>
>>
>>> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm not
>>> expert enough, nor smart enough to understand the cryptic nature of PHP
>>> (cryptic to me, at least) and the SA rules.
>>>
>>> When an email is spoofed as being from me and to me, the score is -100 (+-
>>> the other rules caught) as being in the whitelist. I have a database of
>>> email users of about 4000 and wrote a script that goes through them on
>>> command and builds my whitelist.
>>>
>>> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7
>>
>> 1) It's whitelist_from_rcvd you want.
>> 2) It should not be necessary to whitelist your own site. If it is then
>>    investigate what aspects of your email load are causing the hits. Then
>>    take the proper remedial action.
> 
> Okay, I've looked at whitelist_from_rcvd and added for email addresses on
> my site. The format I'm using is:
> 
> whitelist_from_rcvd  user@mydomain.com  mydomain.com
> 
> I'll watch and see if any more of these fail to get tagged as spam.
> 
> I'm confused on how to take proper remedial action because I'm not sure
> what to look for on item #2 above. Please point me in the right direction
> and I'll get the rest of the work myself.

Do you see ALL_TRUSTED in all or most of the email received? If so your
trust path is toast and many of the header consistency checks won't work
right. As far as other issues, my brain's not functioning well at the
moment. Migraines do that to me. But I do note that it's fairly obvious
when an email has forged an Earthlink address. So perhaps catching it
here is easier than for you. I do not have anything at Earthlink whitelisted
at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
is an effective whitelist, anyway. I don't mind that most of the Earthlink
sales offers and such get clobbered by the spam filtering. {^_-}

{^_^}
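jdow's diagnostic above, "do you see ALL_TRUSTED in all or most of the email received?", is a check on the trust path. The following is an added example, not code from the thread or from SpamAssassin: it walks the Received: headers of a message top-down against a trusted_networks list in the same notation Karl uses (bare host, 10/8, 172.20.20/24) and reports whether every relay was trusted, which is the condition under which ALL_TRUSTED fires. The trust-walk model is a simplification I am assuming (stop trusting at the first relay outside trusted_networks); the relay addresses, host names and headers below are constructed, and Karl's My.Pub.lic.IP is replaced with a placeholder from the 203.0.113.0/24 documentation range.

```python
"""Added example (not from the thread): does a message hit ALL_TRUSTED under a
given trusted_networks list?  Model assumed here: Received: headers are read
newest-first and trust ends at the first relay outside trusted_networks."""
import ipaddress
import re

# Karl's trusted hosts from the thread; "My.Pub.lic.IP" replaced by a
# constructed placeholder (203.0.113.10, documentation range).
TRUSTED_NETWORKS = ["172.20.20.2", "10.0.0.1", "127.0.0.1", "203.0.113.10"]

# The bracketed literal IP that MTAs put in each Received: line.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_networks(entries):
    """Turn trusted_networks tokens into ip_network objects.

    Handles the three forms seen in the thread: a bare host (172.20.20.2),
    CIDR (10/8) and the truncated dotted form (172.20.20/24)."""
    nets = []
    for entry in entries:
        if "/" in entry:
            addr, bits = entry.split("/", 1)
            octets = addr.split(".")
            octets += ["0"] * (4 - len(octets))          # 172.20.20/24 -> 172.20.20.0/24
            nets.append(ipaddress.ip_network(f"{'.'.join(octets)}/{bits}", strict=False))
        else:
            nets.append(ipaddress.ip_network(f"{entry}/32"))
    return nets


def relay_ips(headers):
    """Relay IP of each Received: header, in header order (newest hop first)."""
    ips = []
    for line in headers.splitlines():
        if line.startswith("Received:"):
            m = RECEIVED_IP_RE.search(line)
            if m:
                ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def walk_trust_path(headers, trusted_entries):
    """Split relays into (trusted, untrusted). Once one relay is untrusted,
    every older relay is untrusted too, whatever its address."""
    nets = parse_networks(trusted_entries)
    trusted, untrusted = [], []
    for ip in relay_ips(headers):
        if not untrusted and any(ip in n for n in nets):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip))
    return trusted, untrusted


def hits_all_trusted(headers, trusted_entries=TRUSTED_NETWORKS):
    """ALL_TRUSTED fires when no relay in the chain is untrusted."""
    return len(walk_trust_path(headers, trusted_entries)[1]) == 0


def all_trusted_ratio(messages, trusted_entries=TRUSTED_NETWORKS):
    """Share of messages hitting ALL_TRUSTED. Close to 1.0 on a mailbox that
    receives external mail means the trust path is misconfigured."""
    hits = sum(hits_all_trusted(m, trusted_entries) for m in messages)
    return hits / len(messages)


# Constructed sample headers (not from the thread). External mail: the
# firewall relay is trusted, the remote MX is not.
EXTERNAL_MSG = """\
Received: from fw.example.internal (fw.example.internal [172.20.20.2])
\tby mail.example.internal (8.12.5/8.12.5) with ESMTP; Sun, 29 Jan 2006 16:00:00 -0700
Received: from mx.remote.example (mx.remote.example [198.51.100.7])
\tby fw.example.internal (8.12.5/8.12.5) with ESMTP; Sun, 29 Jan 2006 15:59:00 -0700
From: someone@remote.example
"""

# Internal mail that never left the trusted hosts: ALL_TRUSTED is correct here.
INTERNAL_MSG = """\
Received: from fw.example.internal (fw.example.internal [172.20.20.2])
\tby mail.example.internal (8.12.5/8.12.5) with ESMTP; Sun, 29 Jan 2006 16:05:00 -0700
Received: from gw.example.internal (gw.example.internal [10.0.0.1])
\tby fw.example.internal (8.12.5/8.12.5) with ESMTP; Sun, 29 Jan 2006 16:04:00 -0700
From: karl@mydomain.com
"""

if __name__ == "__main__":
    for name, msg in (("external", EXTERNAL_MSG), ("internal", INTERNAL_MSG)):
        print(name, walk_trust_path(msg, TRUSTED_NETWORKS), hits_all_trusted(msg))
    # A wide-open list ("0/0") makes everything ALL_TRUSTED: the "toast" case.
    print("0/0 ratio:", all_trusted_ratio([EXTERNAL_MSG, INTERNAL_MSG], ["0/0"]))
```

Run against real headers, the useful number is `all_trusted_ratio` over a day's inbound mail: with Karl's list the external sample stops being trusted at the remote MX, while a too-broad list such as `0/0` trusts every hop and makes every message look internal.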


Re: When Reply = To

Posted by ka...@ourldsfamily.com.
On Sun, January 29, 2006 12:50 am, jdow said:
> From: <ka...@ourldsfamily.com>
>
>> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm not
>> expert enough, nor smart enough to understand the cryptic nature of PHP
>> (cryptic to me, at least) and the SA rules.
>>
>> When an email is spoofed as being from me and to me, the score is -100 (+-
>> the other rules caught) as being in the whitelist. I have a database of
>> email users of about 4000 and wrote a script that goes through them on
>> command and builds my whitelist.
>>
>> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7
>
> 1) It's whitelist_from_rcvd you want.
> 2) It should not be necessary to whitelist your own site. If it is then
>    investigate what aspects of your email load are causing the hits. Then
>    take the proper remedial action.

Okay, I've looked at whitelist_from_rcvd and added for email addresses on
my site. The format I'm using is:

whitelist_from_rcvd  user@mydomain.com  mydomain.com

I'll watch and see if any more of these fail to get tagged as spam.

I'm confused on how to take proper remedial action because I'm not sure
what to look for on item #2 above. Please point me in the right direction
and I'll get the rest of the work myself.


Thanks for your help.

Karl

>
> {^_^}
>
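Karl's original problem (a message forged as from him and to him scoring -100) and jdow's answer ("it's whitelist_from_rcvd you want") come down to what each directive checks. The following is an added example, not code from the thread, from Karl's script or from SpamAssassin: it generates whitelist lines in the format Karl settled on from a constructed user list, then scores a genuine and a From:-spoofed message under both directives. The model is a deliberate simplification I am assuming: `whitelist_from` matches only the From: address against a glob, and `whitelist_from_rcvd` additionally requires the reverse-DNS name of the relay SpamAssassin examines to be the configured domain or a subdomain of it. The users, addresses and relay names are constructed; -100 is the score the thread reports for a whitelist hit.

```python
"""Added example (not from the thread): plain whitelist_from versus
whitelist_from_rcvd against a message whose From: is forged.
Simplified model, my assumption rather than SpamAssassin's code."""
import fnmatch
from dataclasses import dataclass

WHITELIST_SCORE = -100.0   # the score Karl reports for a whitelist hit


@dataclass
class Message:
    from_addr: str
    relay_rdns: str   # reverse DNS of the relay the rcvd check looks at (assumed)


def build_whitelist(users, domain, rcvd=True):
    """Emit one config line per user, the way Karl's script would.
    rcvd=True writes the whitelist_from_rcvd form Karl posted above."""
    lines = []
    for user in users:
        addr = f"{user}@{domain}"
        if rcvd:
            lines.append(f"whitelist_from_rcvd  {addr}  {domain}")
        else:
            lines.append(f"whitelist_from  {addr}")
    return lines


def parse_whitelist(lines):
    """Parse the two directive forms into (kind, address_glob, domain) rules."""
    rules = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "whitelist_from" and len(parts) == 2:
            rules.append(("from", parts[1], None))
        elif parts[0] == "whitelist_from_rcvd" and len(parts) == 3:
            rules.append(("rcvd", parts[1], parts[2].lower()))
        else:
            raise ValueError(f"unparseable whitelist line: {line!r}")
    return rules


def rdns_in_domain(rdns, domain):
    """True when rdns is the domain itself or a host under it."""
    rdns = rdns.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_score(msg, rules):
    """Return the whitelist contribution to the message's score."""
    for kind, pattern, domain in rules:
        if not fnmatch.fnmatchcase(msg.from_addr.lower(), pattern.lower()):
            continue                       # address glob did not match
        if kind == "from":
            return WHITELIST_SCORE         # address alone is enough: spoofable
        if rdns_in_domain(msg.relay_rdns, domain):
            return WHITELIST_SCORE         # address AND originating domain match
    return 0.0


# Constructed sample data (not from the thread).
USERS = ["karl", "alice"]
DOMAIN = "mydomain.com"
PLAIN_RULES = parse_whitelist(build_whitelist(USERS, DOMAIN, rcvd=False))
RCVD_RULES = parse_whitelist(build_whitelist(USERS, DOMAIN))

LEGIT = Message("karl@mydomain.com", "mail.mydomain.com")      # came via own relay
SPOOF = Message("karl@mydomain.com", "dsl-pool-12.isp.example")  # forged From:


def compare():
    """Score both messages under both directive types."""
    return {
        "whitelist_from": (whitelist_score(LEGIT, PLAIN_RULES), whitelist_score(SPOOF, PLAIN_RULES)),
        "whitelist_from_rcvd": (whitelist_score(LEGIT, RCVD_RULES), whitelist_score(SPOOF, RCVD_RULES)),
    }


if __name__ == "__main__":
    for line in build_whitelist(USERS, DOMAIN):
        print(line)
    for directive, (legit, spoof) in compare().items():
        print(f"{directive:20s} legit={legit:6.1f} spoof={spoof:6.1f}")
```

The point of the comparison is the spoofed row: under `whitelist_from` both messages get -100 because only the From: address is consulted, which is exactly the from-me-to-me case Karl described; under `whitelist_from_rcvd` the forged message gets nothing because the relay it arrived from is not under mydomain.com. This is also why jdow's second point matters: a site whose own mail needs a whitelist to pass is better served by finding out which rules fire on it.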




Re: When Reply = To

Posted by jdow <jd...@earthlink.net>.
From: <ka...@ourldsfamily.com>

> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm not
> expert enough, nor smart enough to understand the cryptic nature of PHP
> (cryptic to me, at least) and the SA rules.
> 
> When an email is spoofed as being from me and to me, the score is -100 (+-
> the other rules caught) as being in the whitelist. I have a database of
> email users of about 4000 and wrote a script that goes through them on
> command and builds my whitelist.
> 
> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7

1) It's whitelist_from_rcvd you want.
2) It should not be necessary to whitelist your own site. If it is then
   investigate what aspects of your email load are causing the hits. Then
   take the proper remedial action.

{^_^}