[Mimedefang] Rejecting spam - users unsubscribed from distribution lists
I need some advice. We are a small university running Mimedefang with SpamAssassin and greylisting. For the last couple of months we have been rejecting spam with a SpamAssassin score over 15 with the error message "554 5.7.1 Spam-score (16.887) too high".

The problem we have recently discovered is that some distribution lists allow high-scoring spam to be sent out. It then gets rejected by our mailserver and our users get unsubscribed from the lists as if we had returned "User unknown".

I'm not very fond of silently dropping high-scoring spam on the floor since any real senders will not be notified of their message not getting through.

How do you handle this?

--Ingeborg
--
Ingeborg Østrem Hellemo -- [EMAIL PROTECTED] (Univ. of Tromsø, Norway)

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Rejecting spam - users unsubscribed from distribution lists
> I'm not very fond of silently dropping high scoring spam on the floor since any real senders will not be notified of their message not getting through.

Real senders don't generally score over 15 - I silently drop anything over 10 on both my work (120 users) and home (3 users) systems, and have only ever had 1 false positive in 4 years.

The best way to handle this is to always notify the administrator on close decisions, so you can see what is happening on your system, and pick up any false positives (or false negatives) so you can deal with them. For our system, anything scoring between 10 and 15 causes a notification to me so I can see what is being rejected on a close call, plus everything between 5 and 10 causes a notification so I can see what is almost being dropped but tagged as "Possibly Spam".

The reason I drop anything which I've classified as being "Definitely Spam" is because almost all of it has an invalid or spoofed return address, so either it causes some innocent person to get a bounce message possibly containing the Spam (which could be offensive), or your mail server gets a very long queue of messages which cannot be delivered because domains either do not resolve, or appear offline, or the spoofed sender's mailbox is full due to everyone bouncing the Spam.

In your case, I would either whitelist the mailing list address and accept that you will get Spam via the list, or silently drop anything which you are sure is Spam (and 15 is a very conservative score). Bouncing messages will always get you into trouble with any mailing list, so if you really must bounce Spam, only bounce it to non-list addresses - the logic to do this is up to you, but I'd have a list of exceptions and my own bounce function which checks the list and then if necessary calls action_bounce() as required.

Best Wishes,

Paul.
--
---
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646
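Paul's "list of exceptions plus my own bounce function" idea, written out as an added example for mimedefang-filter (this is not code from the thread or from MIMEDefang itself). It matches the envelope sender against the bounce addresses that list software watches, so list traffic is discarded rather than rejected with a 5xx; it assumes MIMEDefang's $Sender global and its action_bounce(), action_discard(), md_syslog() and spam_assassin_check() functions, and the list-sender patterns are constructed placeholders.

```perl
# Added example: a bounce wrapper for mimedefang-filter that discards
# spam arriving from a known mailing list instead of returning 5xx, so
# the list software never mistakes the rejection for "User unknown".
# Assumes MIMEDefang's $Sender global and its action_bounce(),
# action_discard(), md_syslog() and spam_assassin_check() functions.

# Constructed exception list: envelope-sender patterns of lists we are
# subscribed to (placeholders; replace with your own lists).
my @list_sender_patterns = (
    qr/^owner-[^@]+\@lists\.example\.edu$/i,   # Listserv-style owner-* senders
    qr/^[^@]+-bounces\@lists\.example\.org$/i, # Mailman-style *-bounces senders
);

# MIMEDefang keeps the angle brackets around envelope addresses.
sub bare_address {
    my ($addr) = @_;
    $addr =~ s/^<//;
    $addr =~ s/>$//;
    return lc $addr;
}

sub sender_is_mailing_list {
    my ($sender) = @_;
    my $bare = bare_address($sender);
    for my $re (@list_sender_patterns) {
        return 1 if $bare =~ $re;
    }
    return 0;
}

# Replacement for action_bounce() in the spam branch: reject to ordinary
# senders, discard (with a log line) when the sender is a list.
sub bounce_or_discard {
    my ($score) = @_;
    my $reason = sprintf("Spam-score (%.3f) too high", $score);
    if (sender_is_mailing_list($Sender)) {
        md_syslog('info', "discarding list spam from $Sender: $reason");
        action_discard();
    } else {
        action_bounce($reason, "554", "5.7.1");
    }
}

sub filter_end {
    my ($entity) = @_;
    my ($hits, $req, $names, $report) = spam_assassin_check();
    bounce_or_discard($hits) if defined($hits) && $hits >= 15;
}
```

The log line keeps the discard visible to the administrator, which is the safeguard Paul describes for picking up false positives.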
Re: [Mimedefang] Back into the loop...
On Tue, 24 Oct 2006, Philip Prindeville wrote:

> from 192.150.1.3, then it will reject that the session... with a 5xx message... and will also blacklist incoming connections from that

Add it to access_db, however, you cannot quadruple it, as you won't see it in Mimedefang anymore. Only ratware seems to like to open multiple connections in parallel.

Oh, could someone please tell me how to configure postfix to NOT open one connection per message? Another department bombs our sendmail on a regular basis when they flush their message queue.

> The downside of this method is that the mimedefang-filter file would have to contain all (or almost all) possible tests, and have an engine

But that is exactly the reason to have a fully tweakable perl script.

> So we'd have to decide on a standard format for the XML test scripting, and a standard calling convention for the methods embedded in mimedefang-filter.

There was a thread about modularizing the filter, maybe you should get in touch with the advocates of the idea.

> One other thing... about a year ago, I asked about adding a sort of IP CIDR based set of rules to Mimedefang, and was told to use rDNS instead of CIDR addresses (or alternatively, country codes) to block certain parties permanently.

There had been some posts about it, but what do you ask about in detail?

http://www.mail-archive.com/search?l=mimedefang%40lists.roaringpenguin.com&q=cidr
http://www.mail-archive.com/search?l=mimedefang%40lists.roaringpenguin.com&q=geo

Bye,

--
Steffen Kaiser
Re: [Mimedefang] Rejecting spam - users unsubscribed from distribution lists
Ingeborg Hellemo [EMAIL PROTECTED] wrote:

> The problem we have recently discovered is that some distribution lists allows high scoring spam to be sent out. It then gets rejected by our mailserver and our users get unsubscribed from the lists as if we had returned User unknown.
>
> I'm not very fond of silently dropping high scoring spam on the floor since any real senders will not be notified of their message not getting through.
>
> How do you handle this?

You must be referring to Listserv. Its standard message tells people that all 5xx errors mean user unknown, that refusing mail for a valid user must be a system problem, that our mail server is unreliable, and that the user should consider another service provider.

I send mail to postmaster and list owner. I ask whether THEIR server really delivers virus and spam to users, and if not, to stop libelling our university's IT department for refusing it. This is cc-d to our user. It sometimes gets action.

I feel very strongly that nothing should be dropped. False positive is always a possibility however small. (OK, we do drop mail claiming to be from our own incoming service addresses like [EMAIL PROTECTED], since we know for certain that no legitimate mail comes from those addresses.)

Joseph Brennan
Columbia University Information Technology
Re: [Mimedefang] Rejecting spam - users unsubscribed from distribution lists
Paul Murphy [EMAIL PROTECTED] wrote:

> The reason I drop anything which I've classified as being Definitely Spam is because almost all of it has an invalid or spoofed return address, so either it causes some innocent person to get a bounce message possibly containing the Spam (which could be offensive), or your mail server gets a very long queue of messages

With Mimedefang or any milter, you should be refusing. If you accept and then decide later to generate and mail a bounce, that's the cause of many problems just as stated above.

The question was about refusing. Listserv's broken behavior pays no attention to the error code but reacts as if all 5xx errors were user unknown.

Joseph Brennan
Columbia University Information Technology
Re: [Mimedefang] Rejecting spam - users unsubscribed from distribution lists
Joseph,

On 25 October 2006 at 14:18, Joseph Brennan [EMAIL PROTECTED] wrote:

> With Mimedefang or any milter, you should be refusing. If you accept and then decide later to generate and mail a bounce, that's the cause of many problems just as stated above.

There are three options in MIMEDefang:

1. Accept
2. Reject
3. Discard

The fact that the Reject option is called action_bounce() does not help to make things clear. A bounce message is only generated if the mail server has accepted a message and then been unable to deliver it. The whole point of any milter is to do the processing during the SMTP conversation, which allows you to accept or reject the message during the conversation.

I choose to *discard* because that is my policy - reject pushes the problem back to the connecting server, which in 90% of cases does nothing with it because it is a spambot, but in the 10% where it is indeed a valid server which has incorrectly accepted the message for onward delivery, it then generates a bounce to the stated sender, which is normally spoofed anyway. We then get contacted by the owner of the spoofed address asking why our system is claiming to have rejected a message from them when they know they haven't sent one, and my support load goes up as a result.

Every site has its own policy, which is one of the benefits of using MIMEDefang: it allows a plethora of policies, all subtly different. The original poster asked for advice, and discarding spam rather than telling the sender they sent it is infinitely preferable to trying to work out whether to send a 5xx reject return code or not, as your 5xx code will almost certainly be ignored for spam.

Best Wishes,

Paul.
--
---
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646
Re: [Mimedefang] Rejecting spam - users unsubscribed from distribution lists
On Wed, 25 Oct 2006, Ingeborg Hellemo wrote:

> The problem we have recently discovered is that some distribution lists allows high scoring spam to be sent out. It then gets rejected by our mailserver and our users get unsubscribed from the lists as if we had returned User unknown.
>
> How do you handle this?

I usually just whitelist the mailing list sender in SpamAssassin.

Jim McCullars
University of Alabama in Huntsville
Re: [Mimedefang] Back into the loop...
--On Tuesday, October 24, 2006 6:28 PM -0600 Philip Prindeville [EMAIL PROTECTED] wrote:

> It's easier to share XML fragments and parameters (where the parameters change more often than the actual logic that implements the test). So we could make the scripting more stable, and the fine tuning easier to ship around and share.

There are Perl modules to read XML, so you could create some standard filters that are parameterized by XML and that drop into MD. It's easier to see the applicability given some examples.
RE: [Mimedefang] RESULTS file weirdness
I stopped MD, removed all the crap that had accumulated in /var/spool/MIMEDefang, restarted MD, and voila, everything was good in the universe again.

With that said, I guess I need a Unix education... :) When I do a df -h on the server, I see the following:

Filesystem     Size  Used  Avail Capacity   iused   ifree %iused  Mounted on
/dev/aacd0s1e   55G   13G    38G      25% 3366728 4099254    45%  /var

The ifree size and iused percentage are approximately the same as they were prior to cleaning out the MIMEDefang directory. So why did deleting files and directories out of there fix the issue?

Thanks!

-- Dave

> I would guess that /var/spool/MIMEDefang is full. If it doesn't look full, it could be that it's run out of inodes. Try creating a file by hand:
>
> echo BLAT > /var/spool/MIMEDefang/some_file
>
> and see what error message you get.
Re: [Mimedefang] RESULTS file weirdness
David Nelson wrote:

> Filesystem     Size  Used  Avail Capacity   iused   ifree %iused  Mounted on
> /dev/aacd0s1e   55G   13G    38G      25% 3366728 4099254    45%  /var
>
> The ifree size and iused percentage are approximately the same as they were prior to cleaning out the MIMEDefang directory. So why did deleting files and directories out of there fix the issue?

Dunno. Could you have quotas turned on? Maybe the user MIMEDefang is running as went over-quota? Or could you have had a ramdisk mounted on /var/spool/MIMEDefang that isn't in your df output?

--
David.
Re: [Mimedefang] RESULTS file weirdness
David Nelson said the following on 10/25/06 2:57 PM:

> I stopped MD, removed all the crap that had accumulated in /var/spool/MIMEDefang, restarted MD, and voila, everything was good in the universe again.
>
> With that said, I guess I need a Unix education... :) When I do a df -h on the server, I see the following:
>
> Filesystem     Size  Used  Avail Capacity   iused   ifree %iused  Mounted on
> /dev/aacd0s1e   55G   13G    38G      25% 3366728 4099254    45%  /var
>
> The ifree size and iused percentage are approximately the same as they were prior to cleaning out the MIMEDefang directory. So why did deleting files and directories out of there fix the issue?

You could have run into the maximum sub-directories limit. FreeBSD's UFS won't allow you to have more than 32K subdirectories in a single directory.

Regards,
Atanas