qmail, avoid spam mail
Title: qmail, avoid spam mail

Hello,

Recently I found that someone is using my qmail server to send mail. How can I avoid this?

Thanks, regards,
KY
Re: qmail, avoid spam mail
On Mon, 13 Aug 2001 14:28:53 +0800, KY Lui [EMAIL PROTECTED] said:

> Hello recently, i found that someone using my qmail server to send mail. how can i avoid this?

1. Include logs in your mail
2. Tell us how they used your qmail server to send mail
3. Reinstall using www.lifewithqmail.org

--
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
New qmail spam-fighting script added
http://www.codegnome.org/scripting/showscript.php?script=qacct.sh

--
Work: It's not just a job, it's an indenture.
Qmail - Spam mail control
Hi,

Got this spam without To: or Cc:. Can someone explain how it got to me when none of my working email addresses appears in the source info?

Where in the qmail setup files can I set the SMTP handshake not to accept email without a To: or Cc: header (RULESET?)?

al

--
Al Green
The instructions said "Install Windoze 95 or better", so we installed LINUX.
Re: Qmail - Spam mail control
Al Green [EMAIL PROTECTED] wrote:

> Got this spam without TO; or CC: Can someone explain how it got to me when none of my working email addresses appears in the source info?

The contents of the message (including the headers) don't matter -- it's the envelope recipient address which controls who the message is delivered to. This may be recorded by the receiving MTA in a Delivered-To:, Apparently-To:, or X-Envelope-To: header, but many sendmail boxen (in particular) don't do this.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Re: Qmail-scanner or spam problem??
Hi Chris,

Seems to me that the scanner reported the virus that is running wild on the Internet right now; it's called SirCam and is a worm. It uses randomly chosen document attachments for its spreading and disguises itself as a Word document, but as you can see from the .com extension it really is an executable. Check out http:[EMAIL PROTECTED] for further information. The last few days our Anti-Virus SMTP Gateway cleaned about 300 documents containing this beast.

Regards
Reto Inversini

----- Original Message -----
From: Chris Moore [EMAIL PROTECTED]
To: Qmail (E-mail) [EMAIL PROTECTED]
Sent: Thursday, July 26, 2001 7:34 PM
Subject: Qmail-scanner or spam problem??

> Hi, in the last few days, I have been getting about 30-50 of the following error messages daily related to qmail-scanner whereas I used to get only about 10 a day:
>
> ---
> Attention: System Anti-Virus Administrator.
> [This message was _not_ sent to the originator, as they appear to be a mailing-list or other automated Email message]
> A Illegal attachment type was found in an Email message you sent. This Email scanner intercepted it and stopped the entire message reaching it's destination.
> The Illegal attachment type was reported to be: Executables
> Please contact your I.T support personnel with any queries regarding this policy.
> Your message was sent with the following envelope:
> MAIL FROM:
> RCPT TO: [EMAIL PROTECTED]
> ... and with the following headers:
> From: System Administrator [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Undeliverable: New Microsoft Word Document
> Message-ID: 89F778E18E64D511992900010276889622116C@MERCURY
> Date: Thu, 26 Jul 2001 13:20:52 -0400
> The original message is kept in:
> xx.com:/var/spool/qmailscan/quarantine
> where the System Anti-Virus Administrator can further diagnose it.
> The Email scanner reported the following when it scanned that message:
> ---
> ---perlscanner results ---
> Illegal attachment type 'Executables' found in file /var/spool/qmailscan/xx.com9961680364862/_Microsoft_Word_Document.doc.com
> ---
>
> It appears to be relay spam, but could it be a problem with the scanning? ...or a message stuck in the queue? I don't know the originator, but I assume they keep sending it periodically. It also looks like a way to get DoS by filling my disk with attachments. Anyone have any ideas or a workaround or solution?
>
> Thanks!
> ... Chris
Additional MAIL-FROM anti-spam checking:
Hi,

Please excuse if this is an easy one to do, but we run a few large qmail 1.03 servers and would like to try and control the Mail-From address our clients are using.

We have qmail configured using tcpserver, and our clients' IP addresses are listed in tcp.smtp (the tcpserver RELAYCLIENT allow file); therefore they are allowed to relay. What I wish to do is to control the relaying beyond that, to the level of the MAIL-FROM address: I wish to make sure this is listed as a domain I'm an MX for or a domain listed in rcpthosts.

The only patches I seem to be able to find are full MAIL-FROM authentication relaying patches, which *isn't* what I wish to do.

Thanks.

--
Tim Philips ([EMAIL PROTECTED])
Re: Additional MAIL-FROM anti-spam checking:
Tim Philips [EMAIL PROTECTED] wrote:

> Please excuse if this is an easy one to do but, we run a few Large QMAIL 1.03 servers and would like to try and control the Mail-From address our clients are using.

I personally don't think this is a great idea; your users may like being able to set the envelope sender address for certain messages to something outside of your control (like a Hotmail account) if they're mailing a company they don't trust not to spam them.

> We have qmail configured using tcpserver and our clients IP addresses are listed in the tcp.smtp (tcpserver allowed RELAYCLIENTS file) there for they are allowed to relay. What I wish to do is to control the relaying beyond that to the level of the MAIL-FROM address, I wish to make sure this is listed as a domain I'm an MX for or a domain listed in rcpthosts.

... however, Bruce Guenter's QMAILQUEUE patch and qmail-qfilter add-on could be used to implement this. You write a simple filter that simply checks that the envelope sender is in one of your domains (something in rcpthosts, presumably), and then use the tcpserver .cdb file to set the QMAILQUEUE variable only for the IP addresses of your clients. You can find Bruce's software at untroubled.org.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
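The filter Charles sketches, written out as an added example; it is not from the list thread and not part of qmail-qfilter or qmail. It assumes qmail-qfilter hands the envelope sender's domain to the filter in the QMAILHOST environment variable, passes the message on stdin expecting an accepted message back on stdout, and returns a non-zero filter exit status to qmail-smtpd as the qmail-queue status (31 being the permanent "message refused" code); check those points against the README of the qmail-qfilter version you install. The rcpthosts path and the variable names are the only other assumptions.

```shell
#!/bin/sh
# Added example; not from the qmail list, not part of qmail-qfilter.
# A qmail-qfilter filter that lets a message through only when the envelope
# sender's domain is one of ours (listed in control/rcpthosts).  Point the
# QMAILQUEUE variable at a qmail-qfilter wrapper running this script, and do
# so only for your relay clients' IP addresses in tcp.smtp.
#
# Assumptions to verify against the qmail-qfilter README you install:
#   - the envelope sender's domain arrives in QMAILHOST, the message on stdin,
#     and an accepted message must be written back to stdout unchanged;
#   - a non-zero exit status becomes qmail-queue's exit status, and 31 means
#     "permanent failure: message refused", so the client gets a 5xx reply.

RCPTHOSTS="${RCPTHOSTS:-/var/qmail/control/rcpthosts}"

# Domains are case-insensitive, so compare in lower case.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sender_domain_allowed DOMAIN FILE
# 0 when DOMAIN is listed in FILE, or FILE has a leading-dot entry such as
# ".example.com" and DOMAIN is a subdomain of it (qmail's rcpthosts wildcard);
# 1 otherwise, including for an empty DOMAIN (the null sender of bounces) or
# an unreadable FILE, so a misconfiguration fails closed.
sender_domain_allowed() {
  dom=$(lc "$1")
  file="$2"
  [ -n "$dom" ] || return 1
  [ -r "$file" ] || return 1
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=$(lc "$entry")
    case "$entry" in ''|'#'*) continue ;; esac
    if [ "$entry" = "$dom" ]; then
      return 0
    fi
    case "$entry" in
      .*) case "$dom" in *"$entry") return 0 ;; esac ;;
    esac
  done < "$file"
  return 1
}

# filter_message
# The filter proper: copy the message through when the sender domain is ours,
# otherwise swallow it and return 31 so qmail-smtpd refuses it permanently.
filter_message() {
  if sender_domain_allowed "${QMAILHOST:-}" "$RCPTHOSTS"; then
    cat
    return 0
  fi
  cat >/dev/null
  return 31
}

# Act as the filter only when qmail-qfilter invoked us (it sets QMAILHOST);
# otherwise just define the functions above.
if [ -n "${QMAILHOST+set}" ]; then
  filter_message
  exit $?
fi
```

Because tcp.smtp sets QMAILQUEUE only for the client addresses, inbound mail from the rest of the Internet never passes through this filter and its foreign sender domains are unaffected. As written the filter also refuses messages with an empty envelope sender from those clients; relax the `[ -n "$dom" ]` test if your clients legitimately originate their own bounces.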
[ANNOUNCE] TMDA 0.22 - A qmail-based anti-SPAM system
Since I announced TMDA 0.10 here a couple months ago, the software has undergone several major feature additions including:

* Support for site-wide installations using qmail-relay rewriting. This also allows TMDA to be used by non-qmail clients such as those running Microsoft Windows.
* A powerful new matching syntax based on Unix shell-style wildcards.
* Package installation options for Linux and FreeBSD.

TMDA has also reached a level of stability where I feel it is now production-worthy.

About TMDA:

TMDA is an OSI certified Python application for qmail systems designed to significantly reduce (or eliminate) the amount of SPAM/UCE you receive by using unique, cryptographically enhanced (called "tagged") e-mail addresses. TMDA can both filter your incoming e-mail, and tag your outgoing address.

For more information, download locations, and installation instructions, visit the TMDA homepage:

http://tmda.sourceforge.net/

Enjoy.
Re: OT: RBL false positives (Follow-up from: Spam IP master list?)
On Thu, Jun 21, 2001 at 02:09:31PM -0400, Roger Merchberger wrote:
[...]
> My main concern is rejecting real email using RBL... I recall hearing folks having problems with that in the past. Has RBL improved on the false positives problem?

There is no such thing as an RBL false positive; any collateral damage (rejecting real email) is fully intentional. The RBL is a political tool, not a technical one. Rejecting email because of an RBL listing tells the sender: "The owner of the host you sent this email through (which may be you) has refused to adopt minimal standards for responsible email interaction on the Internet. We do not accept mail from such hosts."

Vince.
Re: OT: RBL false positives (Follow-up from: Spam IP master list?)
Roger Merchberger [EMAIL PROTECTED] wrote:

> It seems that my tcpserver is older, and doesn't have the rblsmtpd daemon at all... so I'd have to download, compile, install the latest greatest, and I dunno if that'd cause heartburn with my setup...

It shouldn't. Dan has complete instructions on what to look for when upgrading from previous versions at http://cr.yp.to/ucspi-tcp/upgrade.html . You may want to install a patch to rblsmtpd at the same time which allows it to work with A records instead of the TXT records, as some of the list providers eliminated the TXT records to save space. You can find the patch from a link at qmail.org.

> My main concern is rejecting real email using RBL... I recall hearing folks having problems with that in the past. Has RBL improved on the false positives problem?

They're not so much false positives as they are simple blocks of domains which also send legitimate mail -- that's the nature of the beast. Very few spam relays are used _only_ as spam relays. If you want a better chance of not blocking mail you care about, perhaps start with the DUL (dialup list). It only lists the IP addresses which ISPs have voluntarily submitted as belonging to dialup lines, and which therefore shouldn't be sending mail directly anyways.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
Qmailt and spam
Yesterday I got about 100 failure notices bounced to me as postmaster. Today I got an abuse notice from my server provider. So this spammer must be able to relay through me somehow. Qmail has been working for me for over a year. Is anybody else having this problem? Where should I look for answers?

The spammer seems to somehow be using the user qmailt as the originator. A copy follows. uid 12355 is the user qmailt.

Mike Grier

----
Delivered-To: x
Return-Path: [EMAIL PROTECTED]
X-Envelope-To: x
X-Envelope-From: [EMAIL PROTECTED]
X-Delivery-Time: 993094914
Received: (qmail 13252 invoked from network); 21 Jun 2001 03:41:54 -
Received: from lightning.mail.pipex.net (158.43.128.144) by firestorm.mail.pipex.net with SMTP; 21 Jun 2001 03:41:54 -
Received: (qmail 6926 invoked from network); 21 Jun 2001 03:43:07 -
Received: from e1city.com (216.110.45.57) by depot.dial.pipex.com with SMTP; 21 Jun 2001 03:43:07 -
Received: (qmail 23293 invoked by uid 12355); 20 Jun 2001 22:30:44 -
Date: 20 Jun 2001 22:30:44 -
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: x
Content-Type: text/plain;charset=iso-8859-1
Subject: Attention!...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 20 June 2001 23:31
To: x
Subject: Attention!...

[disgusting spam snipped]
Re: Qmailt and spam
Michael Grier [EMAIL PROTECTED] wrote:

> Yesterday I got about 100 failure notices bounced to me as postmaster. Today I got an abuse notice from my server provider. So this spammer must be able to relay through me somehow. Qmail has been working for me for over a year. Is anybody else having this problem? Where should I look for answers?

In your logs and your configuration. If qmail is an open relay on your system, you've configured it incorrectly. Give us the output of `qmail-showctl`, along with the script you start qmail-smtpd with, and copies of any tcprules files you use controlling access to qmail-smtpd. If you use inetd/xinetd, give us the appropriate control files for that.

> The spammer seems to somehow be using the user qmailt as the originator. A copy follows. uid 12355 is the user qmailt.

There is no such user in a normal qmail install. Are you sure they didn't get into your system another way? A broken formmail CGI, or something else?

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
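Charles asks for the tcprules files and qmail-showctl output because those two places are where an accidental open relay shows up. The script below is an added audit helper, not from the list thread and not part of qmail or ucspi-tcp: it reads a tcpserver rules source file and flags RELAYCLIENT grants whose address prefix is broad enough to relay for strangers, and checks that control/rcpthosts exists and is non-empty. The tcprules line syntax it parses (address prefix, colon, instruction and variable settings) is the documented one; the file paths used by the `--live` switch are assumed defaults.

```shell
#!/bin/sh
# Added audit helper; not from the qmail list and not part of ucspi-tcp.
# Two checks for "is this box an open relay by configuration":
#   1. audit_tcp_smtp    - reads the tcpserver rules source (tcp.smtp, the file
#      tcprules compiles into tcp.smtp.cdb) and flags RELAYCLIENT grants whose
#      address prefix is broad enough to relay for strangers;
#   2. rcpthosts_present - without control/rcpthosts qmail-smtpd accepts
#      RCPT TO for any domain, whatever tcp.smtp says.
# Rule syntax assumed (tcprules): ADDRESS:allow[,VAR="value"...] where ADDRESS
# is a full IP, a dotted prefix ("10.2.3." or "10."), "=hostname", or empty
# for the default rule that matches every client.

# audit_tcp_smtp FILE
# Prints "<address><TAB><verdict>" for each rule that sets RELAYCLIENT; returns
# 1 if any verdict is OPEN_RELAY, 0 otherwise, 2 if FILE is unreadable.
#   OPEN_RELAY  the default (empty-address) rule grants relaying to everyone
#   WIDE        one- or two-octet prefix: a whole /8 or /16 may relay
#   NAME        "=host" rule, which trusts reverse DNS the client's ISP controls
#   ok          single host, address range, or three-octet prefix
#   CHECK       anything else; inspect by hand
audit_tcp_smtp() {
  file="$1"
  status=0
  [ -r "$file" ] || { echo "audit_tcp_smtp: cannot read $file" >&2; return 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    addr=${line%%:*}          # text before the first colon
    rule=${line#*:}           # instruction and environment settings
    case "$rule" in *RELAYCLIENT*) ;; *) continue ;; esac
    case "$addr" in
      '')        verdict=OPEN_RELAY ;;
      =*)        verdict=NAME ;;
      *.*.*.*)   verdict=ok ;;      # 1.2.3.4, 1.2.3.4-9 or 1.2.3.
      *.)        verdict=WIDE ;;    # 1. or 1.2.
      *)         verdict=CHECK ;;
    esac
    printf '%s\t%s\n' "${addr:-<default>}" "$verdict"
    if [ "$verdict" = OPEN_RELAY ]; then
      status=1
    fi
  done < "$file"
  return $status
}

# rcpthosts_present FILE
# 0 when FILE exists and names at least one domain, 1 otherwise.
rcpthosts_present() {
  [ -s "$1" ] && grep -q '[^[:space:]]' "$1"
}

# Stand-alone use: "sh audit.sh --live" checks the usual default paths.
if [ "${1:-}" = "--live" ]; then
  audit_tcp_smtp /etc/tcp.smtp
  relay=$?
  rcpthosts_present /var/qmail/control/rcpthosts ||
    echo "rcpthosts missing or empty: qmail-smtpd will accept any RCPT TO" >&2
  exit $relay
fi
```

An exit status of 1 from the audit means a rule like `:allow,RELAYCLIENT=""` is present, which is exactly the misconfiguration that turns a box into the relay Charles suspects; a WIDE verdict is not necessarily wrong (an ISP may legitimately relay for its own /16) but deserves a second look. Remember that the .cdb, not tcp.smtp, is what tcpserver reads, so rerun tcprules after fixing the source file.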
Re: Qmailt and spam
----- Original Message -----
From: Charles Cazabon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 21, 2001 5:39 PM
Subject: Re: Qmailt and spam

> Michael Grier [EMAIL PROTECTED] wrote:
> > Yesterday I got about 100 failure notices bounced to me as postmaster. Today I got an abuse notice from my server provider. So this spammer must be able to relay through me somehow. Qmail has been working for me for over a year. Is anybody else having this problem? Where should I look for answers?
>
> In your logs

All logs are full of lines like this:

@40003b326259244df3f4 alert: cannot start: unable to open mutex

I rebooted.

> and your configuration. If qmail is an open relay on your system, you've configured it incorrectly. Give us the output of `qmail-showctl`,

[root@server1 qmail]# bin/qmail-showctl
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 120.
subdirectory split: 23.
user ids: 12346, 12347, 12348, 0, 12349, 12350, 12351, 12352.
group ids: 12347, 12348.

badmailfrom: (Default.) Any MAIL FROM is allowed.

bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.

bouncehost: (Default.) Bounce host name is e1city.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: (Default.) SMTP DATA limit is 0 bytes.

defaultdomain: Default domain name is e1city.com.

defaulthost: (Default.) Default host name is e1city.com.

doublebouncehost: (Default.) 2B recipient host: e1city.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is e1city.com.

helohost: (Default.) SMTP client HELO host name is e1city.com.

idhost: (Default.) Message-ID host name is e1city.com.

localiphost: (Default.) Local IP address becomes e1city.com.

locals:
Messages for localhost are delivered locally.

me: My name is e1city.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is e1city.com.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:
SMTP clients may send messages to recipients at localhost.
SMTP clients may send messages to recipients at mgrier.com.
SMTP clients may send messages to recipients at bigmweb.com.
SMTP clients may send messages to recipients at e1city.com.
SMTP clients may send messages to recipients at thecountrymill.com.
SMTP clients may send messages to recipients at countrymill.com.
SMTP clients may send messages to recipients at cherryjuiceconcentrate.com.
SMTP clients may send messages to recipients at tartcherryjuice.com.
SMTP clients may send messages to recipients at doccherry.com.
SMTP clients may send messages to recipients at msistudios.com.
SMTP clients may send messages to recipients at msi-studios.com.
SMTP clients may send messages to recipients at tcsom.com.
SMTP clients may send messages to recipients at gospelofthekingdom.org.
SMTP clients may send messages to recipients at midlandfurniture.com.
SMTP clients may send messages to recipients at midlandpiano.com.
SMTP clients may send messages to recipients at michiganpiano.com.
SMTP clients may send messages to recipients at michiganorgan.com.
SMTP clients may send messages to recipients at sweetnita.com.
SMTP clients may send messages to recipients at tennes.com.
SMTP clients may send messages to recipients at j4t.org.
SMTP clients may send messages to recipients at intruderlc.com.
SMTP clients may send messages to recipients at sleepmethods.com.

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 e1city.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains:
Virtual domain: mgrier.com:mgrier
Virtual domain: bigmweb.com:alias-bigmwebcom
Virtual domain: e1city.com:alias-e1citycom
Virtual domain: thecountrymill.com:mtennes
Virtual domain: countrymill.com:mtennes
Virtual domain: cherryjuiceconcentrate.com:mtennes
Virtual domain: tartcherryjuice.com:mtennes
Virtual domain: doccherry.com:mtennes
Virtual domain: msistudios.com:gjgadwa
Virtual domain: msi-studios.com:gjgadwa
Virtual domain: tcsom.com:alias-tcsomcom
Virtual domain: gospelofthekingdom.org:alias-gospelofthekingdomorg
Virtual domain: midlandfurniture.com:alias-midlandfurniturecom
Virtual domain: midlandpiano.com:alias-michiganpianocom
Virtual domain: michiganpiano.com:alias-michiganpianocom
Virtual domain: michiganorgan.com:alias-michiganpianocom
Virtual domain: sweetnita.com:alias-sweetnitacom
Virtual domain: tennes.com:mtennes
Virtual domain: j4t.org:alias-j4torg
Virtual domain: intruderlc.com:alias-intruderlccom
Virtual domain: sleepmethods.com:alias-sleepmethodscom
Re: Qmailt and spam
> > The spammer seems to somehow be using the user qmailt as the originator. A copy follows. uid 12355 is the user qmailt.
>
> There is no such user in a normal qmail install. Are you sure they didn't get into your system another way? A broken formmail CGI, or something else?

I've now found that this user was most likely created yesterday when this problem started, so now I probably have to figure out how I was hacked. I've deleted the user.
Re: Qmailt and spam
Michael Grier [EMAIL PROTECTED] wrote:

> > > The spammer seems to somehow be using the user qmailt as the originator. A copy follows. uid 12355 is the user qmailt.
> >
> > There is no such user in a normal qmail install. Are you sure they didn't get into your system another way? A broken formmail CGI, or something else?
>
> I've now found that this user was most likely created yesterday when this problem started, so now I probably have to figure out how I was hacked. I've deleted the user.

I saw the other message you sent to me privately. Yes, you were hacked. If you don't have md5sums of all the files on your system, you should probably start out fresh -- you don't know what he ftp'd in, but he probably installed a rootkit and left all kinds of backdoors for him to come back. Plus, you still don't know how he gained access in the first place.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Spam IP master list?
Kind of an off-topic question, but is there a master list of IPs that send spam regularly, with which I could update my tcprules deny list?

I really don't want to patch and reinstall qmail with the RBL... (and it seems ORBS went away...) Besides, I'm really only looking to stop the big chunks with something I can personally manage.

Or is this a completely stupid idea???

TIA,
Roger "Merch" Merchberger

--
Roger "Merch" Merchberger --- sysadmin, Iceberg Computers
Recycling is good, right??? Ok, so I'll recycle an old .sig.
If at first you don't succeed, nuclear warhead disarmament should *not* be your first career choice.
Re: Spam IP master list?
On Wed, Jun 20, 2001 at 12:15:04PM -0400, Roger Merchberger wrote:

> Kindof an offtopic question, but is there a Master List of IP's that send spam regularly, with which I could use to update my tcprules deny list?

RBL?

> I really don't want to patch reinstall qmail with the RBL... (and it seems ORBS went away...) Besides, I'm really only looking to stop the big chunks with something I can personally manage. Or is this a completely stupid idea???

*I* think it is.

Greetz, Peter
--
Against Free Sex! http://www.dataloss.nl/Megahard_en.html
Re: Spam IP master list?
On Wed, Jun 20, 2001 at 12:15:04PM -0400, Roger Merchberger wrote:

> Kindof an offtopic question, but is there a Master List of IP's that send spam regularly, with which I could use to update my tcprules deny list? I really don't want to patch reinstall qmail with the RBL... (and it seems ORBS went away...) Besides, I'm really only looking to stop the big chunks with something I can personally manage.

There's no patching and reinstalling to do (unless you want to use relays.mail-abuse.org, which requires a small patch only to rblsmtpd). Just change the script you run your SMTP service with to use rblsmtpd, and you're done. It's certainly a lot less work than constantly updating your tcprules list.

Chris

[PGP signature]
Re: Spam IP master list?
Roger Merchberger [EMAIL PROTECTED] wrote:

> Kindof an offtopic question, but is there a Master List of IP's that send spam regularly, with which I could use to update my tcprules deny list? I really don't want to patch reinstall qmail with the RBL... (and it seems ORBS went away...) Besides, I'm really only looking to stop the big chunks with something I can personally manage.

There's always the DUL. They're a huge source of direct-to-MX spam. That, however, is also available in an RBL-style lookup. You don't actually need to patch and reinstall to use rblsmtpd, anyways.

> Or is this a completely stupid idea???

Not necessarily. For me, it's quicker to just ignore spam, or have some fun and report it to SpamCop to see how fast the spammer gets shut down.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
RE: Spam IP master list?
Most of the big chunks of spam come from big guys utilizing little guys' servers as they find them open to relay. So you're best off using the various MAPS lists, especially the RSS (relay spam stopper).

Dave

-----Original Message-----
From: Roger Merchberger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 20, 2001 12:15 PM
To: [EMAIL PROTECTED]
Subject: Spam IP master list?

> Kindof an offtopic question, but is there a Master List of IP's that send spam regularly, with which I could use to update my tcprules deny list? I really don't want to patch reinstall qmail with the RBL... (and it seems ORBS went away...) Besides, I'm really only looking to stop the big chunks with something I can personally manage.
>
> Or is this a completely stupid idea???
>
> TIA,
> Roger "Merch" Merchberger
>
> --
> Roger "Merch" Merchberger --- sysadmin, Iceberg Computers
> Recycling is good, right??? Ok, so I'll recycle an old .sig.
> If at first you don't succeed, nuclear warhead disarmament should *not* be your first career choice.
Re: Spam IP master list?
* Peter van Dijk [EMAIL PROTECTED] [010620 18:34]:
> On Wed, Jun 20, 2001 at 12:15:04PM -0400, Roger Merchberger wrote:
> > Kindof an offtopic question, but is there a Master List of IP's that send spam regularly, with which I could use to update my tcprules deny list?
>
> RBL?

http://libertas.wirehub.net/spamlist.txt
http://www.almqvist.net/johan/orbs/

> > I really don't want to patch reinstall qmail with the RBL... (and it seems ORBS went away...) Besides, I'm really only looking to stop the big chunks with something I can personally manage.

You don't need to patch qmail to use rbl. No need to recompile either. rblsmtpd just drops in between tcpserver and qmail-smtpd in the supervise script...

-Johan
--
Johan Almqvist
http://www.almqvist.net/johan/qmail/

[PGP signature]
Re: Spam IP master list?
Roger Merchberger writes:

> Kindof an offtopic question, but is there a Master List of IP's that send spam regularly, with which I could use to update my tcprules deny list? I really don't want to patch reinstall qmail with the RBL... (and it seems ORBS went away...) Besides, I'm really only looking to stop the big chunks with something I can personally manage.

Use rblsmtpd (part of ucspi-tcp) and you need not patch or reinstall.

--
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | #exclude windows.h
521 Pleasant Valley Rd. | +1 315 268 1925 voice |
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |
spam/other custom bouncing
I am attempting to figure out the best way to set up an auto-response (bounce, in a manner of speaking) triggered by sender domain, in order to facilitate not just rejecting specific domains, but auto-answering mail from them.

The situation is as follows: My company receives mail from a very large number of different domains, most legitimate, but some notorious spammers, and some a combo of both. The problem is that I am uncomfortable just adding a domain to badmailfrom, as I have to be really careful blocking out entire domains lest I block out some legitimate users. badmailfrom only provides an SMTP rejection, and I cannot guarantee that an end-user could figure out what happened.

Therefore, I would like to maintain a list of domains a la badmailfrom, but rather than doing an SMTP reject, an autoresponse would result ("your mail has been rejected because blah, please contact blah", etc. etc.). This way, legitimate users on banned domains would have an opportunity to notify us and get unbanned.

It seems simple on the surface, but most every filter I have found so far relies on RBLs (love 'em, but far too arbitrary for this task), or receiver address/domain (it's all coming to the same domain; I need to filter by sender domain). I am sure there must be a fairly simple way to complete this, but I'm not having a lot of luck so far. Any help/thoughts would be greatly appreciated. Thanks in advance.

Mike Culbertson
sysadmin

P.S. The qmail boxes in question are acting as relays only. I am trying to avoid using procmail to filter all deliveries, as 99.9% is sent onwards to another host, not locally. Don't want to double-process the mail if I don't have to; rather have qmail handle all the filtering alone if possible.
more spam bouncing
After some thought, perhaps I should clarify what I am trying to do. I have looked and looked, and it seems most every feature for filtering relies on .qmail files, or something like procmail. I would like to determine if there is a way to avoid both of these.

Since the machines in question with this problem are relays (private relays, in case you are wondering), there are no home directories for me to add .qmail files to. Also, since they don't hold mail locally, with procmail the path would be:

    sender -> qmail -> procmail -> qmail -> relay target host

which would significantly increase the load required to send each piece of mail on to its destination. I don't want to send every piece of mail through procmail (or similar) if I don't have to.

What would be great would be to have qmail-smtpd catch the HELO or MAIL FROM address the sender gives (a la badmailfrom) and do something, like perhaps dump the mail to a local account for further processing, or initiate a bounce, anything other than just an SMTP reject. This way, good mail would travel clean on through the relay without being subject to any additional filtering, and only mail matching a bad domain would get handled further.

This may be entirely out of the realm of capability within the parameters I have described, I'm not sure. It just seems there must be some way to finagle qmail itself into reacting to the sender domain. If this answer is painfully obvious, feel free to slap me, but I'd rather know regardless :)

Mike Culbertson
Re: more spam bouncing
Mike Culbertson [EMAIL PROTECTED] wrote:

> What would be great would be to have qmail-smtpd catch the HELO or MAIL FROM address the sender gives (a la badmailfrom) and do something, like perhaps dump the mail to a local account for further processing, or initiate a bounce, anything other than just an smtp reject.

This is possible. For the particular hosts/IP addresses you want to filter mail from, have entries in your tcprules file like this:

    1.2.3.4:allow,RELAYCLIENT=@mailfilter

Then, in virtualdomains, have an entry like:

    mailfilter:alias-mailfilter

Then, have ~alias/.qmail-mailfilter-default which contains appropriate instructions for what to do with these messages. Note that they could be addressed to any domain originally, and qmail-smtpd will append the contents of RELAYCLIENT to the address they supply. You can pipe all these messages through a filter, or simply do:

    | bouncesaying "We don't really like your mail. Phone 555-1234 to change our minds."

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
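A program to hang off ~alias/.qmail-mailfilter-default in the setup Charles describes, added here as an example; it is not from the list thread and not a qmail tool. It does what Mike asked for beyond a bare bouncesaying: it records who tried to send what to whom, then bounces with an explanation a human can act on, and it discards rather than bounces messages whose envelope sender is empty. It assumes what qmail-command(8) documents for qmail-local, namely that the message arrives on stdin, SENDER and RECIPIENT carry the envelope addresses (RECIPIENT here still ending in the appended "@mailfilter" tag), and exit 100 is the hard error that bounces the message with the program's stdout included; the log path, the contact text and the tag string are placeholders.

```shell
#!/bin/sh
# Added example; not from the qmail list and not a qmail tool.  Meant to be run
# from ~alias/.qmail-mailfilter-default in the setup Charles describes: tcprules
# sets RELAYCLIENT=@mailfilter for the listed hosts, qmail-smtpd appends that tag
# to every recipient they give, virtualdomains routes the "mailfilter" domain to
# the alias user, and this program receives the message.  It logs the attempt
# and bounces the message with a plain-language explanation, so a legitimate
# sender on a blocked host learns what happened and whom to contact.
#
# Assumptions (see qmail-command(8) for your version): qmail-local passes the
# message on stdin and exports SENDER (envelope sender) and RECIPIENT (envelope
# recipient, here still carrying the appended tag); exit 100 is a hard error
# that bounces the message with this program's stdout included.  Log path, tag
# and contact text are placeholders.

RELAY_TAG="${RELAY_TAG:-@mailfilter}"
LOGFILE="${MAILFILTER_LOG:-/var/log/qmail/mailfilter.log}"
CONTACT="${MAILFILTER_CONTACT:-postmaster@example.com (placeholder)}"

# original_recipient ADDR: strip the relay tag qmail-smtpd appended.
original_recipient() {
  printf '%s' "${1%"$RELAY_TAG"}"
}

# log_attempt LOGFILE SENDER RECIPIENT
# Appends one tab-separated line with a UTC timestamp.  Always returns 0: a
# logging failure must not turn a rejection into a retry or a crash.
log_attempt() {
  printf '%s\t%s\t%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "${2:-<>}" "${3:-?}" \
    2>/dev/null >> "$1" || true
}

# bounce_text SENDER RECIPIENT: the explanation that ends up in the bounce.
bounce_text() {
  printf 'Your message from %s to %s was not accepted by this relay.\n' "$1" "$2"
  printf 'Mail from your host is blocked here because of past abuse.\n'
  printf 'If you are a legitimate sender, contact %s and we will review the block.\n' "$CONTACT"
}

# handle_message
# Logs and consumes the message, then either discards it (exit 0) when the
# envelope sender is empty, because bouncing a bounce only produces a double
# bounce to postmaster, or prints the explanation and returns 100 so that
# qmail-local bounces it to the sender.
handle_message() {
  rcpt=$(original_recipient "${RECIPIENT:-}")
  log_attempt "$LOGFILE" "${SENDER:-}" "$rcpt"
  cat >/dev/null
  if [ -z "${SENDER:-}" ]; then
    return 0
  fi
  bounce_text "$SENDER" "$rcpt"
  return 100
}

# Run only when qmail-local invoked us (it always sets RECIPIENT); sourcing the
# file elsewhere merely defines the functions above.
if [ -n "${RECIPIENT+set}" ]; then
  handle_message
  exit $?
fi
```

Install it somewhere the alias user can execute it and make `| /var/qmail/bin/mailfilter-reject` (path is a placeholder) the only line of ~alias/.qmail-mailfilter-default. The log gives you the evidence to decide whether a blocked host should stay in tcp.smtp, which is the part a silent SMTP reject never provides.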
Re: Spam Removal
Roger Walker wrote:

> You Wrote:
> > Please let know if you find a way to block all of the domains you mentioned. Also do you think someone like arin.net would have there blocks of ips on file and then we can just block them ?
>
> I believe IANA has the master list of IP blocks that lists where they are assigned to (high level):
> http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space

Unfortunately this list doesn't offer the necessary granularity to allow someone to block addresses in Korea and China. The closest you can come here, it would seem, would be to block the entire Pacific Rim. What about APNIC?

-Stephen-
Re: spam/other custom bouncing
Mike Culbertson wrote:

> Therefore, I would like to maintain a list of domains a la badmailfrom, but rather than doing an smtp reject, an autoreponse would result (your mail has been reject because blah, please contact blah etc. etc. ). This way, legitimate users on banned domains would have an opportunity to notify us and get unbanned.
>
> Mike Culbertson
> sysadmin

Hmmm . . . Check out a qmail homepage mirror, search for "autoresponder". Try them, see which one you like best. Use qmail's alias files to sort through by domain and feed blocked domains to the autoresponder using qmail's environment variables to generate a message. That feasible? I've never tried it. :-)

--
Nick (Keith) Fish
Network Engineer
Triton Technologies, Inc.
Re: Spam Removal
On Sun, 17 Jun 2001 17:13:51 -0500, Jeremy Suo-Anttila [EMAIL PROTECTED] wrote:

> I have already done this and yes i do have pop b4 smtp setup and running so i am not asking about me being a relay as some people on the list think. Does anyone know a good how to or site where i can get info on rejecting all mail that is not addressed directly to me or my users ?

Sounds like you have a default mailbox set up. Just remove that mailbox and make sure each user has a .qmail file, and those messages will be bounced.

As to denying the servers they are using, I have been watching them. They originate from a different address that traced to .kr or .cn or some other unfriendly country, so you can't email their provider to turn them off. They also relay from a different relay each time. Every time they start these campaigns I get their spam for a few days, then every email address on their list gets 10 times the spam for a while.

I am considering screening out ALL .cn and .kr mailservers. Is there an easy way to do that?

Ed Weinberg, Q5 Comm, LLC. [EMAIL PROTECTED]
tel 914-713-7222 fax 914-713-7227
Connecting you to the internet...
RE: Spam Removal
Please let me know if you find a way to block all of the domains you mentioned. Also, do you think someone like arin.net would have their blocks of IPs on file, and then we can just block them?

Thanks
Jps

-----Original Message-----
From: Ed Weinberg [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 18, 2001 10:13 AM
Subject: Re: Spam Removal

> On Sun, 17 Jun 2001 17:13:51 -0500, Jeremy Suo-Anttila [EMAIL PROTECTED] wrote:
> > I have already done this and yes i do have pop b4 smtp setup and running so i am not asking about me being a relay as some people on the list think. Does anyone know a good how to or site where i can get info on rejecting all mail that is not addressed directly to me or my users ?
>
> Sounds like you have a default mailbox set up. Just remove that mailbox and make sure each user has a .qmail file and those messages will be bounce.
>
> As to denying the servers they are using, I have been watching them. They originate from a different address that traced to .kr or .cn or some other unfriendly country, so you can't email their provider to turn them off. They also relay from a different relay each time. Every time they start these campaigns I get their spam for a few days, then every email address on their list gets 10 times the spam for a while.
>
> I am considering screening out ALL .cn and .kr mailservers. Is there an easy way to do that?
>
> Ed Weinberg, Q5 Comm, LLC. [EMAIL PROTECTED]
> tel 914-713-7222 fax 914-713-7227
> Connecting you to the internet...
RE: Spam Removal
You wrote:

> Please let me know if you find a way to block all of the domains you mentioned. Also, do you think someone like arin.net would have their blocks of IPs on file, and then we can just block them?

I believe IANA has the master list of IP blocks that lists where they are assigned to (high level):

http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space

--
Roger Walker
Tier III Messaging/News Team
Internet Applications, National Consumer IP
TELUS Corporation
780-493-2471
Re: Spam Removal
Hi,

> ...
> I am considering screening out ALL .cn and .kr mailservers. Is there an easy way to do that?

How about the badmailfrom file? I think appending/inserting .cn and .kr to/in that file will reject all mails from those top-level domains.

Regards,
Ruprecht
Re: Spam Removal
Ruprecht Helms wrote:

> Hi,
>
> > ...
> > I am considering screening out ALL .cn and .kr mailservers. Is there an easy way to do that?
>
> How about the badmailfrom file? I think appending/inserting .cn and .kr to/in that file will reject all mails from those top-level domains.
>
> Regards,
> Ruprecht

That will only help if .cn/.kr appears as the envelope sender. You're better off using tcpserver's rules file to block by domain address, assuming they don't have false DNS entries to hide their origin, in which case you would need to block by IP address.

--
Nick (Keith) Fish
Network Engineer
Triton Technologies, Inc.
Spam Removal
I keep getting sent SPAM from this company based in CA trying to sell me a MasterDisc 2000, which I know is a scam. I have followed all their procedures to remove my domains from their lists, and they went and actually added them and more to their lists, so I have been getting flooded with their crap mails. I have faxed in removal requests, emailed them, phoned them, and they still will not remove my domains.

Any suggestions on what I can do? I would like to set up some sort of spam removal, but I would also, if possible, like to take some sort of legal action. Any suggestions would be greatly appreciated. And I have pasted a header from one of their mails below.

    Return-Path: [EMAIL PROTECTED]
    Delivered-To: [EMAIL PROTECTED]
    Received: (qmail 10844 invoked by uid 98); 17 Jun 2001 16:02:45 -
    Delivered-To: [EMAIL PROTECTED]
    Received: (qmail 10842 invoked from network); 17 Jun 2001 16:02:44 -
    Received: from tth.taiyo-toy.co.jp (HELO www.taiyo-toy.co.jp) (210.225.132.20)
      by ns1.ideathcare.com with SMTP; 17 Jun 2001 16:02:44 -
    Received: from ..! ..
    From: [EMAIL PROTECTED]
    Message-Id: [EMAIL PROTECTED]
    Date: Sun, 17 Jun 2001 12:09:02 -0400
    To: [EMAIL PROTECTED]
    Subject: MasterCD 2001 - Customer Sources

I know that replying to them will not work, since they obviously are not a legitimate company. Why else would they use yahoo.com and excite.com email addresses for their return? I just do not see where I can block out their IP with my TCP Server. Every letter I get from them is a different source account.

Thanks
Jeremy Suo-Anttila [EMAIL PROTECTED]
Re: Spam Removal
Jeremy Suo-Anttila wrote:

> I keep getting sent SPAM from this company based in CA trying to sell me a MasterDisc 2000, which I know is a scam. I have followed all their procedures to remove my domains from their lists, and they went and actually added them and more to their lists, so I have been getting flooded with their crap mails. I have faxed in removal requests, emailed them, phoned them, and they still will not remove my domains.

I realize this is like closing the barn door after the horse has escaped, but --- as a general rule, you *never* reply to "To Remove, Send Us An E-mail" lines in a piece of spam. As you have now painfully discovered, 90% of the time that information is used to send you yet more spam. For the spammer, it's a confirmation that the address they have is valid.

-Stephen-
Re: rss spam filtering problems
Bruno> This should be in the archives. The RSS people dropped the
Bruno> text records, because of problems with the DNS server they
Bruno> use has handling the large number of text records. For a
Bruno> short time there was a mirror, but they started charging
Bruno> and the person doing the mirroring had to stop his service.

relays.mail-abuse.org has seven mirror servers, one of which I run. It works fine and was most recently updated about two minutes ago.

You should be running tcpserver something like this:

    exec tcpserver -u120 -g105 -v -p \
      -x/var/qmail/rules/smtprules.cdb 0 smtp \
      /usr/local/bin/rblsmtpd -b -rblackholes.mail-abuse.org. \
      -r'relays.mail-abuse.org.:Open relay problem - see URL:http://www.mail-abuse.org/cgi-bin/nph-rss?%IP%' \
      -rmail.services.net \
      /var/qmail/bin/qmail-smtpd 2>&1

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Spam Removal
Jeremy Suo-Anttila wrote:

> I keep getting sent SPAM from this company based in CA trying to sell me a MasterDisc 2000, which I know is a scam. I have followed all their procedures to remove my domains from their lists, and they went and actually added them and more to their lists, so I have been getting flooded with their crap mails. I have faxed in removal requests, emailed them, phoned them, and they still will not remove my domains.
>
> Any suggestions on what I can do? I would like to set up some sort of spam removal, but I would also, if possible, like to take some sort of legal action.

Ahh . . . if only we could sue them, think of the money to be had there.

In all seriousness, just throw their mail server's IP address/block into your tcpserver's rules with a deny parameter.

--
Nick (Keith) Fish
Network Engineer
Triton Technologies, Inc.
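The tcpserver rules file that Nick Fish recommends here, and in his earlier reply about blocking by domain name versus by IP address, is consulted as a lookup in the cdb that tcprules builds from it. The following is an added example, not part of the thread and not ucspi-tcp's own code: a Python model of that lookup, following the order the tcprules and tcpserver documentation describe (exact IP, then IP prefixes ending in a dot, then =host and =.domain names when the remote host name is known, then the empty default rule). The /etc/tcp.smtp contents and the DNS answers are constructed for the demonstration; the 210.225.132. prefix comes from the header Jeremy posted, while 203.0.113.9, 198.51.100.7, mail.example.kr and mx.example.com are made up. It shows that an IP-prefix deny needs no DNS at all, that an =.kr rule only fires when the reverse lookup says .kr, and what tcpserver's -p (paranoid) flag buys when a PTR record lies.

```python
# Model of how tcpserver consults a tcprules database.  Added example, not
# ucspi-tcp's code; lookup order follows the tcprules/tcpserver documentation,
# rules and DNS answers are constructed.

RULES_TEXT = """\
# constructed /etc/tcp.smtp (source for: tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp)
127.0.0.1:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
=mx.example.com:allow,RELAYCLIENT=""
210.225.132.:deny
=.cn:deny
=.kr:deny
:allow
"""

# Constructed DNS: the PTR answers tcpserver -h would see, and the forward
# answers that -p (paranoid) checks them against.
PTR = {
    "210.225.132.20": "tth.taiyo-toy.co.jp",
    "203.0.113.9": "mail.example.kr",
    "198.51.100.7": "mx.example.com",      # forged PTR: the IP's owner lies
}
FORWARD = {
    "tth.taiyo-toy.co.jp": {"210.225.132.20"},
    "mail.example.kr": {"203.0.113.9"},
    "mx.example.com": {"192.0.2.25"},      # the real mx.example.com lives elsewhere
}


def parse_tcprules(text):
    """Parse 'address:allow|deny[,VAR="value"...]' lines into a dict."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, instruction = line.partition(":")
        fields = instruction.split(",")
        env = {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            env[name] = value.strip('"')
        rules[key] = (fields[0], env)
    return rules


def remote_host(ip, paranoid=True):
    """TCPREMOTEHOST as tcpserver would set it: the PTR name, but dropped
    under -p when the forward lookup of that name does not contain the IP."""
    name = PTR.get(ip)
    if name and paranoid and ip not in FORWARD.get(name, set()):
        return None
    return name


def lookup_keys(ip, host=None):
    """Rule keys tried in order: exact IP, IP prefixes ending in a dot,
    then =host and =.domain suffixes (only when host is known), then ''."""
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)]
    if host:
        labels = host.lower().split(".")
        keys.append("=" + host.lower())
        keys += ["=." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("")
    return keys


def decide(rules, ip, paranoid=True):
    """Return (matching key, action, environment) for a connection from ip."""
    for key in lookup_keys(ip, remote_host(ip, paranoid)):
        if key in rules:
            action, env = rules[key]
            return key, action, env
    return None, "allow", {}   # no rule matches at all: tcpserver accepts


if __name__ == "__main__":
    rules = parse_tcprules(RULES_TEXT)
    for ip in ("210.225.132.20", "203.0.113.9", "198.51.100.7", "192.168.1.185"):
        print(ip, "without -p:", decide(rules, ip, paranoid=False),
              "with -p:", decide(rules, ip, paranoid=True))
```

The forged-PTR case is the one to look at: without -p, 198.51.100.7 is granted RELAYCLIENT purely on the strength of a reverse record its owner controls; with -p the name is discarded and only the IP rules apply, which is also why a host whose reverse DNS does not admit to .kr can only be stopped by an IP-prefix deny.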
Re: Spam Removal
I have already done this, and yes, I do have pop b4 smtp set up and running, so I am not asking about me being a relay as some people on the list think. Does anyone know a good how-to or site where I can get info on rejecting all mail that is not addressed directly to me or my users? I.e., so if I get mail like I did earlier that was sent to:

    [EMAIL PROTECTED]
    [EMAIL PROTECTED]

it will just delete it or send it to a bulk mail folder? I know that hotmail and excite have features like this, so it should be possible, I believe.

Thanks Again
Jps

> Jeremy Suo-Anttila wrote:
>
> > I keep getting sent SPAM from this company based in CA trying to sell me a MasterDisc 2000, which I know is a scam. I have followed all their procedures to remove my domains from their lists, and they went and actually added them and more to their lists, so I have been getting flooded with their crap mails. I have faxed in removal requests, emailed them, phoned them, and they still will not remove my domains.
> >
> > Any suggestions on what I can do? I would like to set up some sort of spam removal, but I would also, if possible, like to take some sort of legal action.
>
> Ahh . . . if only we could sue them, think of the money to be had there.
>
> In all seriousness, just throw their mail server's IP address/block into your tcpserver's rules with a deny parameter.
>
> --
> Nick (Keith) Fish
> Network Engineer
> Triton Technologies, Inc.
Re: rss spam filtering problems
Chris Johnson wrote:

> On Fri, Jun 15, 2001 at 01:17:24PM -0400, Brent B. Powers wrote:
>
> > I don't seem to be filtering out relay sites via relays.mail-abuse.org. The address that gets through is on the relay list, www.loscabos.gob.mx, or 148.235.5.210, as it is pingable at 210.5.235.148.relays.mail-abuse.org
> >
> > My qmail setup is reasonably similar to that within Life with qmail, and, hence, my /var/qmail/supervise/qmail-smtpd/run is:
> >
> >     #!/bin/sh
> >     QMAILDUID=`id -u qmaild`
> >     NOFILESGID=`id -g qmaild`
> >     MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
> >     exec /usr/local/bin/softlimit -m 200 \
> >         /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
> >         -u $QMAILDUID -g $NOFILESGID \
> >         0 smtp \
> >         /usr/local/bin/rblsmtpd \
> >         -rblackholes.mail-abuse.org \
> >         -rdialups.mail-abuse.org \
> >         -rrelays.mail-abuse.org \
> >         /var/qmail/bin/qmail-smtpd 2>&1
> >
> > Note that the rbl and dul portions are indeed working. I have applied the patch to allow rblsmtpd to work with A records.
>
> Change:
>
>     -rrelays.mail-abuse.org
>
> to:
>
>     -r 'relays.mail-abuse.org:Open relay problem - see URL:http://www.mail-abuse.org/cgi-bin/nph-rss?query=%IP%'
>
> Chris

rblsmtpd.c has to be patched for this to work, does it not?

I tried the above *with* the patch, and it didn't work either. I don't think it's working right anymore. My system fails the RSS test at Russ Nelson's site.

-Stephen-
Re: rss spam filtering problems
Stephen Bosch wrote:

> Chris Johnson wrote:
>
> > On Fri, Jun 15, 2001 at 01:17:24PM -0400, Brent B. Powers wrote:
> >
> > > I don't seem to be filtering out relay sites via relays.mail-abuse.org. The address that gets through is on the relay list, www.loscabos.gob.mx, or 148.235.5.210, as it is pingable at 210.5.235.148.relays.mail-abuse.org
> > >
> > > My qmail setup is reasonably similar to that within Life with qmail, and, hence, my /var/qmail/supervise/qmail-smtpd/run is:
> > >
> > >     #!/bin/sh
> > >     QMAILDUID=`id -u qmaild`
> > >     NOFILESGID=`id -g qmaild`
> > >     MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
> > >     exec /usr/local/bin/softlimit -m 200 \
> > >         /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
> > >         -u $QMAILDUID -g $NOFILESGID \
> > >         0 smtp \
> > >         /usr/local/bin/rblsmtpd \
> > >         -rblackholes.mail-abuse.org \
> > >         -rdialups.mail-abuse.org \
> > >         -rrelays.mail-abuse.org \
> > >         /var/qmail/bin/qmail-smtpd 2>&1
> > >
> > > Note that the rbl and dul portions are indeed working. I have applied the patch to allow rblsmtpd to work with A records.
> >
> > Change:
> >
> >     -rrelays.mail-abuse.org
> >
> > to:
> >
> >     -r 'relays.mail-abuse.org:Open relay problem - see URL:http://www.mail-abuse.org/cgi-bin/nph-rss?query=%IP%'
> >
> > Chris
>
> rblsmtpd.c has to be patched for this to work, does it not?

Sorry -- missed that in the above mail. =)

Anyway -- this doesn't work for me either.

-Stephen-
Re: rss spam filtering problems
Chris Johnson wrote:

> > I tried the above *with* the patch, and it didn't work either. I don't think it's working right anymore. My system fails the RSS test at Russ Nelson's site.
>
> Which is because the RSS people removed Russ's IP address from their database.

Oh -- really? They don't approve of what he's doing?

How can I test it, then?

-Stephen-
Re: rss spam filtering problems
Stephen Bosch writes:

> Chris Johnson wrote:
>
> > > I tried the above *with* the patch, and it didn't work either. I don't think it's working right anymore. My system fails the RSS test at Russ Nelson's site.
> >
> > Which is because the RSS people removed Russ's IP address from their database.
>
> Oh -- really? They don't approve of what he's doing?

No, I think a robot removed it. What's curious is that I get no response from [EMAIL PROTECTED] I'll ping 'em again.

> How can I test it, then?

No idea. That's why I wrote the testing robot.

--
-russ nelson [EMAIL PROTECTED] http://russnelson.com
Crynwr sells support for free software  | PGPok |
521 Pleasant Valley Rd. | +1 315 268 1925 voice | #exclude <windows.h>
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |
SPAM Security
Hi,

How can I do this task, and how do I configure the software?

I have a system with pop before smtp. When user [EMAIL PROTECTED] uses my smtp server with pop before smtp, he can send e-mail only to his own domain (in this example, domain.com) or to domain2.com. When the user specifies a password for the smtp server (the server checks it in the list /etc/smtppassword; no use of vpopmail), he can send mail to all domains.

Thanks
rss spam filtering problems
I don't seem to be filtering out relay sites via relays.mail-abuse.org. The address that gets through is on the relay list, www.loscabos.gob.mx, or 148.235.5.210, as it is pingable at 210.5.235.148.relays.mail-abuse.org

My qmail setup is reasonably similar to that within Life with qmail, and, hence, my /var/qmail/supervise/qmail-smtpd/run is:

    #!/bin/sh
    QMAILDUID=`id -u qmaild`
    NOFILESGID=`id -g qmaild`
    MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
    exec /usr/local/bin/softlimit -m 200 \
        /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
        -u $QMAILDUID -g $NOFILESGID \
        0 smtp \
        /usr/local/bin/rblsmtpd \
        -rblackholes.mail-abuse.org \
        -rdialups.mail-abuse.org \
        -rrelays.mail-abuse.org \
        /var/qmail/bin/qmail-smtpd 2>&1

Note that the rbl and dul portions are indeed working. I have applied the patch to allow rblsmtpd to work with A records.

Versions:

    ucspi-tcp 0.88
    qmail 1.03

Finally, the relevant portion of the smtpd logs is:

    @40003b295dc52fb2e254 tcpserver: status: 1/20
    @40003b295dc52fdba004 tcpserver: pid 29861 from 148.235.5.210
    @40003b295dc625252d9c tcpserver: ok 29861 lroot.b2pi.com:192.168.1.185:25 :148.235.5.210::2264
    @40003b295dd020dbc804 tcpserver: end 29861 status 0
    @40003b295dd020dc8f3c tcpserver: status: 0/20

and from the qmail logs:

    @40003b2a27123238606c new msg 106085
    @40003b2a27123238f4dc info msg 106085: bytes 577 from [EMAIL PROTECTED] qp 32716 uid 502
    @40003b2a271234648f3c starting delivery 61: msg 106085 to local [EMAIL PROTECTED]
    @40003b2a271234655e44 status: local 1/10 remote 0/20
    @40003b2a271238fbb32c delivery 61: success: did_0+0+1/
    @40003b2a271238fc6eac status: local 0/10 remote 0/20
    @40003b2a271238fcdff4 end msg 106085

Your help is appreciated.
Re: rss spam filtering problems
On Fri, Jun 15, 2001 at 01:17:24PM -0400, Brent B. Powers [EMAIL PROTECTED] wrote:

> I don't seem to be filtering out relay sites via relays.mail-abuse.org. The address that gets through is on the relay

This should be in the archives. The RSS people dropped the text records, because of problems the DNS server they use has handling the large number of text records. For a short time there was a mirror, but they started charging and the person doing the mirroring had to stop his service.
Re: rss spam filtering problems
>>>>> "Bruno" == Bruno Wolff writes:

    Bruno> On Fri, Jun 15, 2001 at 01:17:24PM -0400, Brent B. Powers
    Bruno> [EMAIL PROTECTED] wrote:
    >> I don't seem to be filtering out relay sites via relays.mail-abuse.org. The address that gets through is on the relay

    Bruno> This should be in the archives. The RSS people dropped the
    Bruno> text records, because of problems with the DNS server they
    Bruno> use has handling the large number of text records. For a
    Bruno> short time there was a mirror, but they started charging
    Bruno> and the person doing the mirroring had to stop his service.

Yes, I understand that. It was, however, my impression that the patch mentioned would allow rblsmtpd to look up within A records.
Re: rss spam filtering problems
On Fri, Jun 15, 2001 at 01:17:24PM -0400, Brent B. Powers wrote:

> I don't seem to be filtering out relay sites via relays.mail-abuse.org. The address that gets through is on the relay list, www.loscabos.gob.mx, or 148.235.5.210, as it is pingable at 210.5.235.148.relays.mail-abuse.org
>
> My qmail setup is reasonably similar to that within Life with qmail, and, hence, my /var/qmail/supervise/qmail-smtpd/run is:
>
>     #!/bin/sh
>     QMAILDUID=`id -u qmaild`
>     NOFILESGID=`id -g qmaild`
>     MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
>     exec /usr/local/bin/softlimit -m 200 \
>         /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
>         -u $QMAILDUID -g $NOFILESGID \
>         0 smtp \
>         /usr/local/bin/rblsmtpd \
>         -rblackholes.mail-abuse.org \
>         -rdialups.mail-abuse.org \
>         -rrelays.mail-abuse.org \
>         /var/qmail/bin/qmail-smtpd 2>&1
>
> Note that the rbl and dul portions are indeed working. I have applied the patch to allow rblsmtpd to work with A records.

Change:

    -rrelays.mail-abuse.org

to:

    -r 'relays.mail-abuse.org:Open relay problem - see URL:http://www.mail-abuse.org/cgi-bin/nph-rss?query=%IP%'

Chris
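Brent's observation that 148.235.5.210 is "pingable at 210.5.235.148.relays.mail-abuse.org" while rblsmtpd still lets it through is the whole problem in one line: the listing answers with an A record, and the unpatched rblsmtpd in ucspi-tcp 0.88 only acts on a TXT record, whose text it uses as the rejection message. Here is an added example, not rblsmtpd's source and not code from anyone in the thread: a Python model of the lookup against a constructed resolver table instead of real DNS. The reversed name from Brent's post carries only an A record; a second listing, constructed at the RFC 5737 test address 192.0.2.55, still carries a TXT record. The unpatched path checks TXT only; the patched path also accepts an A record and uses the -r'zone:message' form Chris quotes above, with %IP% substituted. The fake_resolver table, the patched flag and the fallback message "blocked by zone" are this example's own assumptions.

```python
# rblsmtpd-style DNSBL lookup, modelled offline.  Added example, not
# rblsmtpd's code; ZONE_DATA is a constructed stand-in for DNS answers.

ZONE_DATA = {
    # RSS after the TXT records were dropped: only an A record answers
    "210.5.235.148.relays.mail-abuse.org": {"A": "127.0.0.2"},
    # constructed listing that still carries a TXT record
    "55.2.0.192.blackholes.mail-abuse.org": {
        "A": "127.0.0.2",
        "TXT": "Blocked - constructed example listing",
    },
}


def fake_resolver(name):
    """Stand-in for DNS: the records for name, or None for NXDOMAIN."""
    return ZONE_DATA.get(name)


def dnsbl_name(ip, zone):
    """Reverse the octets of ip and append the zone, e.g.
    148.235.5.210 -> 210.5.235.148.relays.mail-abuse.org"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address: %r" % (ip,))
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def check_zone(ip, zone_spec, resolver, a_records=False):
    """Rejection message if ip is listed under zone_spec, else None.
    zone_spec is 'zone' or 'zone:message', as passed to rblsmtpd -r."""
    zone, _, message = zone_spec.partition(":")
    records = resolver(dnsbl_name(ip, zone))
    if not records:
        return None                        # NXDOMAIN: not listed
    if "TXT" in records:
        return records["TXT"]              # unpatched behaviour: TXT text is the reason
    if a_records and "A" in records:
        # A-record patch: block anyway, with the operator-supplied message
        return (message or "blocked by " + zone).replace("%IP%", ip)
    return None                            # A only and no patch: passes silently


def rblsmtpd_decision(ip, zone_specs, resolver, patched):
    """Walk the -r zones in order; the first listing wins, as in rblsmtpd."""
    for spec in zone_specs:
        message = check_zone(ip, spec, resolver, a_records=patched)
        if message:
            return message
    return None


if __name__ == "__main__":
    zones = ["blackholes.mail-abuse.org", "dialups.mail-abuse.org",
             "relays.mail-abuse.org:Open relay problem - see URL:"
             "http://www.mail-abuse.org/cgi-bin/nph-rss?query=%IP%"]
    for ip in ("148.235.5.210", "192.0.2.55", "192.0.2.1"):
        print(ip, "unpatched:", rblsmtpd_decision(ip, zones, fake_resolver, False),
              "patched:", rblsmtpd_decision(ip, zones, fake_resolver, True))
```

Running it shows the failure Brent and Stephen describe: with the A-only listing the unpatched decision for 148.235.5.210 is None, so the connection reaches qmail-smtpd, while the patched decision rejects it with the message and URL from the -r argument.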
Re: SPAM Patches recomendations.
On Thu, May 03, 2001 at 10:30:52AM -0500, q question wrote:

> I know the qmail documentation says that the default for qmail is not to relay. I need to see proof, not just be told to assume that the documentation is correct. As I said above, I'll need time to reflect on this.

You only need as much time as it takes to check the qmail log. Does it send mail ANYWHERE (except bounces to the envelope sender) in response to the tests? No? Then you're NOT an open relay and the test you used doesn't Get It(tm).

> I do appreciate your reply and I realize full well that I may end up deciding to ignore the Prodygy relay test failures someday myself.

That someday will be the day you check your logs.

--
Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
pro-life bombing bush hacker attack USA president 2600 decss assassinate nuclear strike terrorism gun control eta military disrupt economy encryption
1:03pm up 12 days, 16:49, 2 users, load average: 0.07, 0.04, 0.01
Re: SPAM Patches recomendations.
Charles,

1) What are the erroneous assumptions of the Prodygy relay test utility?

2) How is it so clear that the machine didn't relay mail?

> From: Charles Cazabon [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: SPAM Patches recomendations.
> Date: Tue, 1 May 2001 09:52:51 -0600
>
> Eduardo Augusto Alvarenga [EMAIL PROTECTED] wrote:
>
> > I've tested my qmail smtp server for spam using the Prodygy Solutions relay test utility:
> > [...]
> > And got 2 (two) holes on my server:
>
> No, you don't. Your machine didn't relay mail, and the "tests" (hah!) didn't even actually do any testing; they inferred a result from erroneous assumptions.
>
> Ignore the tests you did; they're worthless, and tell you nothing about whether your server is an open relay or not. Provided you have /var/qmail/control/rcpthosts, and it contains only your domains, and you're not setting the RELAYCLIENT environment variable for random IP addresses which connect to your SMTP port, then you are NOT an open relay.
>
> Charles
> --
> ---
> Charles Cazabon [EMAIL PROTECTED]
> GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
> Any opinions expressed are just that -- my opinions.
> ---
Re: SPAM Patches recomendations.
q question [EMAIL PROTECTED] wrote:

> 1) What are the erroneous assumptions of the Prodygy relay test utility?

It assumes that because the RCPT TO: ... command succeeded, the mail will be delivered. This is not required by RFC821/2821, and is not true of qmail or any other MTA which does not have knowledge of the possible final delivery targets during the initial SMTP conversation.

It's also making some broken assumptions about how certain conventions in the local-part of an SMTP envelope recipient address translate into implicit relaying requests -- these conventions are not part of the SMTP specification, and qmail doesn't use them. The fact that sendmail (or Domino, or Exchange, or whatever) is broken enough to do so should not implicate properly implemented SMTP servers.

> 2) How is it so clear that the machine didn't relay mail?

- These types of questions come up every week on this mailing list.
- qmail has _never_ relayed mail unless the administrator specifically configures it to do so.

Charles
--
---
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: SPAM Patches recomendations.
> From: Charles Cazabon [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: SPAM Patches recomendations.
> Date: Thu, 3 May 2001 09:06:00 -0600
>
> q question [EMAIL PROTECTED] wrote:
>
> > 1) What are the erroneous assumptions of the Prodygy relay test utility?
>
> It assumes that because the RCPT TO: ... command succeeded, the mail will be delivered. This is not required by RFC821/2821, and is not true of qmail or any other MTA which does not have knowledge of the possible final delivery targets during the initial SMTP conversation.
>
> It's also making some broken assumptions about how certain conventions in the local-part of an SMTP envelope recipient address translate into implicit relaying requests -- these conventions are not part of the SMTP specification, and qmail doesn't use them. The fact that sendmail (or Domino, or Exchange, or whatever) is broken enough to do so should not implicate properly implemented SMTP servers.

I appreciate your describing this in detail. I'm going to need some time to reflect on these assumptions.

> > 2) How is it so clear that the machine didn't relay mail?
>
> - These types of questions come up every week on this mailing list.
> - qmail has _never_ relayed mail unless the administrator specifically configures it to do so.

I know the qmail documentation says that the default for qmail is not to relay. I need to see proof, not just be told to assume that the documentation is correct. As I said above, I'll need time to reflect on this.

I appreciate that someone else suggested asking ORBS to do a relay test. However, that doesn't necessarily reassure me that the Prodygy Solutions relay test results should be ignored. I don't know anything specific about the Prodygy relay test failures, but I don't just ignore something because someone else said to.

I do appreciate your reply and I realize full well that I may end up deciding to ignore the Prodygy relay test failures someday myself.
Re: SPAM Patches recomendations.
> From: q question [EMAIL PROTECTED]
> Date: Thu, 03 May 2001 10:30:52 -0500
>
> > From: Charles Cazabon [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: SPAM Patches recomendations.
> > Date: Thu, 3 May 2001 09:06:00 -0600
> >
> > It's also making some broken assumptions about how certain conventions in the local-part of an SMTP envelope recipient address translate into implicit relaying requests -- these conventions are not part of the SMTP specification, and qmail doesn't use them. The fact that sendmail (or Domino, or Exchange, or whatever) is broken enough to do so should not implicate properly implemented SMTP servers.
>
> I appreciate your describing this in detail. I'm going to need some time to reflect on these assumptions.

The particular assumption that Charles didn't explain is that user%host2@host1 or host2|user@host1 will be relayed by host1 to user@host2. Certainly software that does this is broken, but it's also perfectly legal for first%last@host1 or first!last@host1 to be delivered to an account on that machine. To assume that the only reason such an address would be accepted is to relay it is totally bogus.

Chris

--
Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
virCIO                          http://www.virCIO.Com
4314 Avenue C
Austin, TX 78751-3709           +1 512 374 0500

My email address is an experiment in SPAM elimination. For an explanation of what we're doing, see http://www.DeepEddy.Com/tms.html

Nobody ever got fired for buying Microsoft, but they could get fired for relying on Microsoft.
Re: SPAM Patches recomendations.
q question [EMAIL PROTECTED] wrote:

> I know the qmail documentation says that the default for qmail is not to relay. I need to see proof, not just be told to assume that the documentation is correct.

The proper proof is to try to relay yourself, and see if the message makes it to its intended destination. With qmail, you'll find that it doesn't.

Note that this isn't a proof in the mathematical sense. For that, you'll need to do a line-by-line analysis of the qmail source code.

> I appreciate that someone else suggested asking ORBS to do a relay test. However, that doesn't necessarily reassure me that the Prodygy Solutions relay test results should be ignored.

What should convince you to ignore those tests is that they are providing a diagnosis ("Relay attempt succeeded") which is patently false (it isn't a successful relay unless the mail makes it to the final destination, and they aren't even actually sending the mail, just testing the RCPT TO: command).

Charles
--
---
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: SPAM Patches recomendations.
On Thu, May 03, 2001 at 10:30:52AM -0500, q question wrote:

<SNIP>

> > 2) How is it so clear that the machine didn't relay mail?
> >
> > - These types of questions come up every week on this mailing list.
> > - qmail has _never_ relayed mail unless the administrator specifically configures it to do so.
>
> I know the qmail documentation says that the default for qmail is not to relay. I need to see proof, not just be told to assume that the documentation is correct. As I said above, I'll need time to reflect on this.
>
> I appreciate that someone else suggested asking ORBS to do a relay test. However, that doesn't necessarily reassure me that the Prodygy Solutions relay test results should be ignored. I don't know anything specific about the Prodygy relay test failures, but I don't just ignore something because someone else said to.

'Proof'? If the relay test in question was acceptable, the OP would already have proof. A proper relay test involves the _actual receipt of relayed mail_. Try your own relay test, if you have addresses at multiple domains available, along the exact same lines as the 'tests' performed by prodigysolutions[1]. If you don't have another address available, use a friend's email account. If you manage to relay third-party mail through a qmail server with rcpthosts populated only with domains that you should actually deliver for (present in locals or virtualdomains[2]), and a properly set RELAYCLIENT environment variable, I will eat a bug on camera, and give you links to watch it on the web. :)

[1] I didn't recall seeing recent results for the 'user@destination@relay' test, so I did them myself. Delivery attempt is to local user 'user@destination', which is unlikely to exist and in any case is not a relay. The '%' and '!' garbage comes up at least once a month, and is known _not_ to be a problem. Check that for yourself as well, if you like.

[2] Or, of course, a domain that you're an MX for, but not the best-preference MX.

> I do appreciate your reply and I realize full well that I may end up deciding to ignore the Prodygy relay test failures someday myself.

Avoid the rush! Start ignoring them today! 'Tests' which assume that they know better than the MTA they are testing how it will deliver mail are inherently broken. 'Tests' which do not actually attempt to deliver mail anywhere, and do not only count the _actual receipt of mail_ as a successful relay (failed test) are inherently broken. As far as I am concerned, any 'test' that does not actually attempt delivery should immediately be ignored.

<SNIP>

GW
Re: SPAM Patches recomendations.
Unless the network is lying to me again, Chris Garrigues said:

> The particular assumption that Charles didn't explain is that user%host2@host1 or host2|user@host1 will be relayed by host1 to user@host2. Certainly software that does this is broken,

If anyone cares, this used to be completely legal and actually a very useful way of doing things. There were a number of UUCP sites that were much quicker to address via:

    [EMAIL PROTECTED]

than giving the full ! path to the actual uucp site. This was not broken, it was operational. I guess those days are gone, however.

Just for fun, does anyone remember the issues surrounding:

    [EMAIL PROTECTED]

Other fun thing that no longer works:

    finger user@somehost@otherhost

AlanC
--
Alan Clegg          I do UNIX and Networks
[EMAIL PROTECTED]   I don't have any certification, I have experience
Re: SPAM Patches recomendations.
I appreciate your pointing this out.

> From: Chris Garrigues [EMAIL PROTECTED]
> To: q question [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]
> Subject: Re: SPAM Patches recomendations.
> Date: Thu, 03 May 2001 11:24:49 -0500
>
> > From: q question [EMAIL PROTECTED]
> > Date: Thu, 03 May 2001 10:30:52 -0500
> >
> > > From: Charles Cazabon [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: SPAM Patches recomendations.
> > > Date: Thu, 3 May 2001 09:06:00 -0600
> > >
> > > It's also making some broken assumptions about how certain conventions in the local-part of an SMTP envelope recipient address translate into implicit relaying requests -- these conventions are not part of the SMTP specification, and qmail doesn't use them. The fact that sendmail (or Domino, or Exchange, or whatever) is broken enough to do so should not implicate properly implemented SMTP servers.
> >
> > I appreciate your describing this in detail. I'm going to need some time to reflect on these assumptions.
>
> The particular assumption that Charles didn't explain is that user%host2@host1 or host2|user@host1 will be relayed by host1 to user@host2. Certainly software that does this is broken, but it's also perfectly legal for first%last@host1 or first!last@host1 to be delivered to an account on that machine. To assume that the only reason such an address would be accepted is to relay it is totally bogus.
>
> Chris
>
> --
> Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
> virCIO                          http://www.virCIO.Com
> 4314 Avenue C
> Austin, TX 78751-3709           +1 512 374 0500
>
> My email address is an experiment in SPAM elimination. For an explanation of what we're doing, see http://www.DeepEddy.Com/tms.html
>
> Nobody ever got fired for buying Microsoft, but they could get fired for relying on Microsoft.
Re: SPAM Patches recomendations.
> What should convince you to ignore those tests is that they are providing a diagnosis ("Relay attempt succeeded") which is patently false (it isn't a successful relay unless the mail makes it to the final destination, and they aren't even actually sending the mail, just testing the RCPT TO: command).
>
> Charles

    Relay test 7
    MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
    250 ok
    RCPT TO:(nobody%prodigysolutions.com)
    250 ok (Failed Test)
    RSET
    250 flushed

    Relay test 13
    MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
    250 ok
    RCPT TO:(prodigysolutions.com!nobody)
    250 ok (Failed Test)
    RSET
    250 flushed

I see your point: the (Failed Test) occurs immediately after RCPT TO: ... 250 ok.

This is why your (and Chris's) explanations about the assumptions are very useful: that the mail could be successfully received either for a local delivery, or for a relay, or perhaps not delivered at all.
Re: SPAM Patches recomendations.
You don't need to look for any bugs to eat! I haven't installed qmail yet; I'm still in the planning stages. I wanted to know how to test for relays, and I appreciate your points. Thanks! :)

> From: Greg White [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: SPAM Patches recomendations.
> Date: Thu, 3 May 2001 10:41:33 -0700
>
> On Thu, May 03, 2001 at 10:30:52AM -0500, q question wrote:
>
> <SNIP>
>
> > > 2) How is it so clear that the machine didn't relay mail?
> > >
> > > - These types of questions come up every week on this mailing list.
> > > - qmail has _never_ relayed mail unless the administrator specifically configures it to do so.
> >
> > I know the qmail documentation says that the default for qmail is not to relay. I need to see proof, not just be told to assume that the documentation is correct. As I said above, I'll need time to reflect on this.
> >
> > I appreciate that someone else suggested asking ORBS to do a relay test. However, that doesn't necessarily reassure me that the Prodygy Solutions relay test results should be ignored. I don't know anything specific about the Prodygy relay test failures, but I don't just ignore something because someone else said to.
>
> 'Proof'? If the relay test in question was acceptable, the OP would already have proof. A proper relay test involves the _actual receipt of relayed mail_. Try your own relay test, if you have addresses at multiple domains available, along the exact same lines as the 'tests' performed by prodigysolutions[1]. If you don't have another address available, use a friend's email account. If you manage to relay third-party mail through a qmail server with rcpthosts populated only with domains that you should actually deliver for (present in locals or virtualdomains[2]), and a properly set RELAYCLIENT environment variable, I will eat a bug on camera, and give you links to watch it on the web. :)
>
> [1] I didn't recall seeing recent results for the 'user@destination@relay' test, so I did them myself. Delivery attempt is to local user 'user@destination', which is unlikely to exist and in any case is not a relay. The '%' and '!' garbage comes up at least once a month, and is known _not_ to be a problem. Check that for yourself as well, if you like.
>
> [2] Or, of course, a domain that you're an MX for, but not the best-preference MX.
>
> > I do appreciate your reply and I realize full well that I may end up deciding to ignore the Prodygy relay test failures someday myself.
>
> Avoid the rush! Start ignoring them today! 'Tests' which assume that they know better than the MTA they are testing how it will deliver mail are inherently broken. 'Tests' which do not actually attempt to deliver mail anywhere, and do not only count the _actual receipt of mail_ as a successful relay (failed test) are inherently broken. As far as I am concerned, any 'test' that does not actually attempt delivery should immediately be ignored.
>
> <SNIP>
>
> GW
Re: SPAM Patches recomendations.
Alan Clegg [EMAIL PROTECTED] wrote:
> The particular assumption that Charles didn't explain is that user%host2@host1 or host2!user@host1 will be relayed by host1 to user@host2.
>
> If anyone cares, this used to be completely legal and actually, a very useful way of doing things. There were a number of UUCP sites that were much quicker to address via: [EMAIL PROTECTED] than giving the full ! path to the actual uucp site. This was not broken, it was operational. The brokenness comes from a third party looking at the local-part of that address, and deducing that it implies relaying.

The most recent SMTP RFC (2821) forbids this in section 2.3.10:

    The standard mailbox naming convention is defined to be local-part@domain: contemporary usage permits a much broader set of applications than simple user names. Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.

Prodygy (or whoever it was) was assuming that since a qmail server responded with a 2xx code to RCPT TO: [EMAIL PROTECTED]@baz.net that it would relay the mail. That assumption is incorrect, and has always been. The fact that some sites will interpret the local-part of that address and relay it does not mean that all sites which do not respond with a 4xx or 5xx code to that command should be identified as relays.

> I guess those days are gone, however.

So are the days of the 5-cent Coke and the sub-$1000 new car. Doesn't mean I'm wistful about them.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
SPAM Patches recomendations.
Greetz,

I've tested my qmail smtp server for spam using the Prodygy Solutions relay test utility:
http://www.prodigysolutions.com/services/relay_test.php

And got 2(two) holes on my server:
* I'll omit the domain for security reasons of course.

Relay test 7
MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
250 ok
RCPT TO:(nobody%prodigysolutions.com)
250 ok (Failed Test)
RSET
250 flushed

Relay test 13
MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
250 ok
RCPT TO:(prodigysolutions.com!nobody)
250 ok (Failed Test)
RSET
250 flushed

Anyone has any tip to fix these problems ? (patches/etc) ?

Another question: Emails on using % and ! as the domain separator should work ?

Best Regards,

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eduardo Augusto Alvarenga - Support Analyst - #179653
Blumenau - Santa Catarina. Tel. (47) 9102-3303
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/\
\ / ASCII Ribbon Campaign - Against HTML Mail
 X
/ \
Re: SPAM Patches recomendations.
Eduardo Augusto Alvarenga [EMAIL PROTECTED] wrote:
> I've tested my qmail smtp server for spam using the Prodygy Solutions relay test utility:
[...]
> And got 2(two) holes on my server:

No, you don't. Your machine didn't relay mail, and the tests (hah!) didn't even actually do any testing; they inferred a result from erroneous assumptions. Ignore the tests you did; they're worthless, and tell you nothing about whether your server is an open relay or not.

Provided you have /var/qmail/control/rcpthosts, and it contains only your domains, and you're not setting the RELAYCLIENT environment variable for random IP addresses which connect to your SMTP port, then you are NOT an open relay.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
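The three points argued over in this thread (Greg White's footnote on the 'user@destination@relay', '%' and '!' probes, Charles's RFC 2821 quote on local-part semantics, and the rcpthosts/RELAYCLIENT rule just above) can be replayed offline with a small model of qmail-smtpd's RCPT TO decision. This is an added example, not qmail's source and not the Prodigy tool: it restates the behaviour documented in qmail-smtpd(8) and qmail-control(5), and the domains and rcpthosts contents are constructed for the illustration.

```python
"""Simplified model of qmail-smtpd's RCPT TO decision.

Added illustration, not qmail's source code: it restates the rcpthosts /
RELAYCLIENT behaviour documented in qmail-smtpd(8) and qmail-control(5)
so the relay "tests" quoted in this thread can be replayed offline.
Domains and addresses are constructed for the example.
"""
from typing import List, Optional, Tuple

# qmail-smtpd's actual refusal text for a domain outside rcpthosts
ERR_NOGATEWAY = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def domain_of(recipient: str) -> Optional[str]:
    """Return the text after the LAST '@', or None when there is no '@'.

    qmail gives no meaning to '%' or '!' inside the local part (RFC 2821
    section 2.3.10 leaves the local part to the destination host), so
    'nobody%relayme.example' has no domain at all, and
    'user@destination@relay.example' has the domain 'relay.example'.
    """
    at = recipient.rfind("@")
    if at == -1:
        return None
    return recipient[at + 1:].lower()


def in_rcpthosts(domain: str, rcpthosts: List[str]) -> bool:
    """True if the domain is covered by rcpthosts.

    'example.com' matches that domain exactly; '.example.com' matches any
    subdomain such as 'mail.example.com' (but not example.com itself).
    """
    entries = {line.strip().lower() for line in rcpthosts if line.strip()}
    if domain in entries:
        return True
    labels = domain.split(".")
    # try every proper suffix: a.b.example.com -> .b.example.com, .example.com, .com
    return any("." + ".".join(labels[i:]) in entries for i in range(1, len(labels)))


def rcpt_decision(recipient: str, rcpthosts: List[str], relayclient: bool) -> Tuple[str, str]:
    """Return (SMTP reply, explanation) for one RCPT TO argument."""
    if relayclient:
        # RELAYCLIENT is set by tcpserver only for listed client IPs; then
        # rcpthosts is bypassed and relaying is intentionally allowed.
        return "250 ok", "RELAYCLIENT set for this client IP: relaying permitted"
    domain = domain_of(recipient)
    if domain is None:
        # No '@' at all: qmail appends its own envnoathost and attempts a
        # LOCAL delivery to that user.  A '250 ok' here is not a relay.
        return "250 ok", "no '@': local delivery attempt to user %r (likely bounces)" % recipient
    if in_rcpthosts(domain, rcpthosts):
        return "250 ok", "domain %r is in rcpthosts: local/virtual delivery" % domain
    return ERR_NOGATEWAY, "domain %r not in rcpthosts and no RELAYCLIENT: relay refused" % domain


# Constructed rcpthosts for a site that hosts mydomain.com and its subdomains
RCPTHOSTS = ["mydomain.com", ".mydomain.com"]


def replay_thread_tests() -> dict:
    """Replay the address shapes argued about in this thread, without RELAYCLIENT."""
    probes = {
        "test7_percent": "nobody%prodigysolutions.com",
        "test13_bang": "prodigysolutions.com!nobody",
        "user_at_dest_at_relay": "user@destination@mail.mydomain.com",
        "real_third_party": "nobody@prodigysolutions.com",
    }
    return {name: rcpt_decision(addr, RCPTHOSTS, relayclient=False)
            for name, addr in probes.items()}


if __name__ == "__main__":
    for name, (reply, why) in replay_thread_tests().items():
        print("%-24s %s  <- %s" % (name, reply, why))
```

The first three probes all get "250 ok" and none of them is a relay: the '%' and '!' forms have no '@' and become local users, and 'user@destination@mail.mydomain.com' is a local delivery to the user 'user@destination' because only the text after the last '@' is a domain. Only the plain third-party address is refused, and only when RELAYCLIENT is unset, which is the check that actually matters when you audit a qmail box.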
Re: SPAM Patches recomendations.
You are better off asking ORBS to do a relay test, which is more reliable.
http://www.orbs.org/

-K
Do not meddle in the affairs of dragons, because you are crunchy and taste good with ketchup.

> From: Eduardo Augusto Alvarenga [EMAIL PROTECTED]
> Date: Tue, 01 May 2001 12:15:19 -0300
> To: [EMAIL PROTECTED]
> Subject: SPAM Patches recomendations.
>
> Greetz,
>
> I've tested my qmail smtp server for spam using the Prodygy Solutions relay test utility:
> http://www.prodigysolutions.com/services/relay_test.php
>
> And got 2(two) holes on my server:
> * I'll omit the domain for security reasons of course.
>
> Relay test 7
> MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
> 250 ok
> RCPT TO:(nobody%prodigysolutions.com)
> 250 ok (Failed Test)
> RSET
> 250 flushed
>
> Relay test 13
> MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
> 250 ok
> RCPT TO:(prodigysolutions.com!nobody)
> 250 ok (Failed Test)
> RSET
> 250 flushed
>
> Anyone has any tip to fix these problems ? (patches/etc) ?
>
> Another question: Emails on using % and ! as the domain separator should work ?
>
> Best Regards,
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Eduardo Augusto Alvarenga - Support Analyst - #179653
> Blumenau - Santa Catarina. Tel. (47) 9102-3303
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> /\
> \ / ASCII Ribbon Campaign - Against HTML Mail
>  X
> / \
[ANNOUNCE] TMDA 0.10 - python-based anti-spam system for qmail
I'm pleased to announce a new major release of my Tagged Message Delivery Agent (TMDA).

New in release 0.10:

* The amkCrypto package is no longer necessary. With this release, only the core Python language distribution version 1.5.2 or higher is required to run TMDA. See the `UPGRADE' file if you are upgrading from a previous TMDA release.
* Many new features added, and some small bugs fixed.

Further release announcements will take place on the tmda-announce mailing list http://libertine.org/lists/listinfo/.

About TMDA:

TMDA is an OSI certified Python application for qmail systems designed to significantly reduce (or eliminate) the amount of SPAM/UCE you receive by using unique, cryptographically enhanced (called tagged) e-mail addresses. TMDA can both filter your incoming e-mail, and tag your outgoing address.

For more information, download locations, and installation instructions, visit the TMDA homepage:
URL:http://tmda.sourceforge.net/

Enjoy,
Jason R. Mastaler ([EMAIL PROTECTED])
TMDA 0.10 (http://tmda.sourceforge.net/) - A qmail-based anti-SPAM system. (30-Apr-2001)
Spam is worse than a Virus
You know... the virus, I don't mind. qmail-scanner-queue.pl places it quietly and calmly into the quarantine, sends me an email, and we all get on with our lives. The part that sucks is the hordes of email notices to the list about the virus from every anti-viral program on the list. If you're using qmail scanner, it checks for automated mail and does *not* send a response to the list if the virus came from a list... wouldn't that be nice?

Happy Monday!
Jer

At 09:13 AM 4/23/2001, Todd Finney wrote:
> Wow. I expect my users to not know any better when it comes to virii and attachments. That's the purpose of anti-virus software, filtering, and the other sundry defenses. Consider yourself technical enough to administer a mail server? Then you should know better.
>
> Chris, Johan, David, RC, for your reading pleasure:
> http://vil.mcafee.com/dispVirus.asp?virus_k=98881
>
> cheers,
> Todd
[ANNOUNCE] TMDA 0.01 - A qmail-based anti-SPAM system
I'm pleased to announce the first public release of my Tagged Message Delivery Agent (TMDA). If you're familiar with Thomas Erskine's `Tagged Message Sender', TMDA is essentially a re-write with lots of new functionality.

TMDA is an OSI certified software application for qmail systems designed to significantly reduce (or eliminate) the amount of SPAM/UCE you receive by using unique, cryptographically enhanced (called tagged) e-mail addresses. TMDA can both filter your incoming e-mail, and tag your outgoing address.

For complete information, visit the TMDA homepage:
URL:http://tmda.sourceforge.net/

As a teaser, TMDA has reduced my influx of SPAM from 500+ junk-messages per month down to only 1-3.

Enjoy,
Jason
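Both TMDA announcements on this page describe "cryptographically enhanced (called tagged)" addresses without showing what the tag buys you. The example below is an added illustration of the idea, not TMDA's own code or address format: a dated address carries an HMAC over the user name and an expiry time, so an address a harvester copies out of an old message stops working after the expiry, and an address whose tag does not verify is rejected outright. The secret key, the expiry values and the address layout are all constructed for the example.

```python
"""Illustrative 'dated' tagged address scheme in the spirit of TMDA.

Added example, not TMDA's own code or address format: the tag is an HMAC
over the user name and an expiry time, so an address that a harvester
copies out of an old message stops working after the expiry, and an
address with a forged tag is rejected outright. Key and times are
constructed for the example.
"""
import hashlib
import hmac
import re

# Per-site secret; in deployment it is generated randomly and never mailed out.
SECRET = b"constructed-example-secret"
TAG_LEN = 12  # hex chars of the HMAC kept in the address

_DATED = re.compile(
    r"^(?P<user>[^@]+?)-dated-(?P<exp>\d+)\.(?P<tag>[0-9a-f]{%d})@(?P<domain>[^@]+)$" % TAG_LEN
)


def _tag(user: str, expires_at: int, secret: bytes) -> str:
    """Truncated HMAC-SHA256 binding the user name to the expiry time."""
    msg = ("%s|%d" % (user, expires_at)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def make_dated_address(user: str, domain: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Return user-dated-<expiry>.<tag>@domain for handing out to a correspondent."""
    return "%s-dated-%d.%s@%s" % (user, expires_at, _tag(user, expires_at, secret), domain)


def check_address(addr: str, now: int, secret: bytes = SECRET) -> str:
    """Classify an incoming recipient address.

    'accept'   tag valid and not expired: deliver
    'expired'  tag valid but past its expiry: bounce or challenge
    'bad-tag'  tag does not verify: treat as forged, reject
    'untagged' plain user@domain: a TMDA-style system holds these for confirmation
    """
    m = _DATED.match(addr)
    if not m:
        return "untagged"
    expected = _tag(m["user"], int(m["exp"]), secret)
    # constant-time comparison so a forger learns nothing from timing
    if not hmac.compare_digest(expected, m["tag"]):
        return "bad-tag"
    if now > int(m["exp"]):
        return "expired"
    return "accept"
```

The expiry is inside the signed message, so a harvester who shifts the date forward invalidates the tag; the scheme only holds if the secret never leaves the server and the tag is long enough that guessing it costs more than the address is worth.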
IP spoofed spam - off topic
hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints. Can an IP be spoofed so totally in mail headers?

headers:

Received: from mailserv01.dartgc.com ([207.34.255.70]) by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910 for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
From: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Received: from ngqjz.msn.com ([x.x.x.110]) by mailserv01.dartgc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400

Again, sorry for the off topic post, and thanks.

*
Mick Dobra
Systems Administrator
MTCO Communications
1-800-859-6826
*
Re: IP spoofed spam - off topic
On Mon, Apr 16, 2001 at 04:00:32PM -0500, mick wrote:
> hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints. Can an IP be spoofed so totally in mail headers?
>
> headers:
>
> Received: from mailserv01.dartgc.com ([207.34.255.70]) by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910 for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> From: [EMAIL PROTECTED]
> Message-Id: [EMAIL PROTECTED]
> Received: from ngqjz.msn.com ([x.x.x.110]) by mailserv01.dartgc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400

How is anyone supposed to give you a sure answer if you munge/hide relevant information?
Re: IP spoofed spam - off topic
The system is off, and has had that ip removed. It no longer belongs to a functioning system. 207.179.205.110 if it helps.

On Mon, 16 Apr 2001, Alex Pennace wrote:
> On Mon, Apr 16, 2001 at 04:00:32PM -0500, mick wrote:
> > hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints. Can an IP be spoofed so totally in mail headers?
> >
> > headers:
> >
> > Received: from mailserv01.dartgc.com ([207.34.255.70]) by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910 for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > From: [EMAIL PROTECTED]
> > Message-Id: [EMAIL PROTECTED]
> > Received: from ngqjz.msn.com ([x.x.x.110]) by mailserv01.dartgc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400
>
> How is anyone supposed to give you a sure answer if you munge/hide relevant information?

*
Mick Dobra
Systems Administrator
MTCO Communications
1-800-859-6826
*
Re: IP spoofed spam - off topic
On Mon, 16 Apr 2001, Alex Pennace wrote:
> On Mon, Apr 16, 2001 at 04:00:32PM -0500, mick wrote:
> > hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints. Can an IP be spoofed so totally in mail headers?
> >
> > headers:
> >
> > Received: from mailserv01.dartgc.com ([207.34.255.70]) by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910 for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> > From: [EMAIL PROTECTED]
> > Message-Id: [EMAIL PROTECTED]
> > Received: from ngqjz.msn.com ([x.x.x.110]) by mailserv01.dartgc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400
>
> How is anyone supposed to give you a sure answer if you munge/hide relevant information?

As an additional note: Looks like every system receiving the spam are Exchange servers. Is someone exploiting an exchange fault?

*
Mick Dobra
Systems Administrator
MTCO Communications
1-800-859-6826
*
Re: IP spoofed spam - off topic
mick [EMAIL PROTECTED] wrote:
> Can an IP be spoofed so totally in mail headers?

Short answer: yes. Spammers are getting better at spoofing mail headers, as misguided "spam protection" features in MTAs force them to.

Long answer: can't analyze the situation properly when you munge header information. You might try running the headers through SpamCop or SamSpade to see if they can detect the header forgery.

Charles
--
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
Re: IP spoofed spam - off topic
On Mon, 16 Apr 2001, Charles Cazabon wrote:
> mick [EMAIL PROTECTED] wrote:
> > Can an IP be spoofed so totally in mail headers?
>
> Short answer: yes. Spammers are getting better at spoofing mail headers, as misguided "spam protection" features in MTAs force them to.
>
> Long answer: can't analyze the situation properly when you munge header information. You might try running the headers through SpamCop or SamSpade to see if they can detect the header forgery.

munge the headers? that was a direct copy from the spamcop message! I changed the ip address because that ip (and the server it used to be on) is no longer operational. but that's it. 207.179.205.110 was the address.

> Charles

*
Mick Dobra
Systems Administrator
MTCO Communications
1-800-859-6826
*
Re: IP spoofed spam - off topic
> From: mick [EMAIL PROTECTED]
> Date: Mon, 16 Apr 2001 16:00:54 -0500 (CDT)
>
> hello, sorry for the off topic post. real quick; had a server x.x.x.110 running sendmail. getting complaints of spam originating from that box. removed IP, still getting complaints. turned system off, still getting complaints. Can an IP be spoofed so totally in mail headers?
>
> headers:
>
> Received: from mailserv01.dartgc.com ([207.34.255.70]) by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910 for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
> From: [EMAIL PROTECTED]
> Message-Id: [EMAIL PROTECTED]
> Received: from ngqjz.msn.com ([x.x.x.110]) by mailserv01.dartgc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400
>
> Again, sorry for the off topic post, and thanks.

Who controls 207.34.255.70 and is it really mailserv01.dartgc.com?

Chris
--
Chris Garrigues http://www.DeepEddy.Com/~cwg/
virCIO http://www.virCIO.Com
4314 Avenue C
Austin, TX 78751-3709
+1 512 374 0500

My email address is an experiment in SPAM elimination. For an explanation of what we're doing, see http://www.DeepEddy.Com/tms.html

Nobody ever got fired for buying Microsoft, but they could get fired for relying on Microsoft.

PGP signature
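Charles's "short answer: yes" and Chris's closing question come down to one rule for reading a Received: chain: the only line you can treat as fact is the one your own MTA wrote, because it records the IP that actually connected; every line below it arrived inside the message and is only as honest as the host that claims to have written it. The script below is an added example, my own code rather than SpamCop or SamSpade, that walks the chain from the thread's own headers (the poster's munged x.x.x.110 is kept as he posted it; the From: and Message-Id values are constructed placeholders) and labels each hop accordingly.

```python
"""Walk a Received: chain from the top and say how far each hop can be trusted.

Added example for the 'IP spoofed spam' thread; it is my own code, not a
tool mentioned on the list. Only the Received: line written by your own
MTA records a fact you observed (the connecting IP); every line below it
was handed to you inside the message and is only as honest as whoever
wrote it. The sample headers are the ones quoted in the thread, with the
poster's munged IP left as-is and the addresses replaced by placeholders.
"""
import re
from typing import List

# Constructed copy of the headers from the original post (munged IP kept).
SAMPLE_HEADERS = """\
Received: from mailserv01.dartgc.com ([207.34.255.70]) by southwind.org (8.9.3/8.9.3) with ESMTP id WAA21910 for x; Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
Date: Sun, 15 Apr 2001 22:10:26 -0700 (PDT)
From: someone@example.invalid
Message-Id: <constructed@example.invalid>
Received: from ngqjz.msn.com ([x.x.x.110]) by mailserv01.dartgc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H5VRZ1Y1; Mon, 16 Apr 2001 01:09:20 -0400
"""

_RECEIVED = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw_headers: str) -> List[dict]:
    """Return one dict (helo, ip, by) per Received: line, top (most recent) first."""
    hops = []
    for line in raw_headers.splitlines():
        m = _RECEIVED.match(line)
        if not m:
            continue
        ip = re.search(r"\[([^\]]+)\]", m["paren"] or "")
        hops.append({"helo": m["helo"], "ip": ip.group(1) if ip else "", "by": m["by"]})
    return hops


def trust_chain(hops: List[dict], our_host: str) -> List[dict]:
    """Label each hop with how far it can be believed.

    verified  - written by our own MTA: the connecting IP is a fact we saw
    claimed   - written by an earlier host, so only as honest as that host
    unknown   - top line was not written by our_host (headers cut or wrong host)
    """
    verdicts = []
    for i, hop in enumerate(hops):
        if i == 0:
            if hop["by"].lower() == our_host.lower():
                verdicts.append({"trust": "verified", "consistent": None,
                                 "note": "%s saw %s connect, announcing itself as %s"
                                         % (our_host, hop["ip"], hop["helo"])})
            else:
                verdicts.append({"trust": "unknown", "consistent": None,
                                 "note": "top Received: line was written by %s, not by %s"
                                         % (hop["by"], our_host)})
            continue
        prev = hops[i - 1]
        # A genuine hand-off has this line's 'by' host equal to the host that
        # the line above says it received from; a break suggests a forged or
        # pre-inserted line.
        consistent = hop["by"].lower() == prev["helo"].lower()
        verdicts.append({"trust": "claimed", "consistent": consistent,
                         "note": "line written by %s; believe it only if %s really is %s"
                                 % (hop["by"], prev["ip"] or prev["helo"], hop["by"])})
    return verdicts


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    for hop, verdict in zip(hops, trust_chain(hops, "southwind.org")):
        print("%-9s from %s [%s] by %s: %s" % (verdict["trust"], hop["helo"], hop["ip"], hop["by"], verdict["note"]))
```

Run on the thread's headers, hop 0 is "verified": southwind.org really was contacted by 207.34.255.70, which announced itself as mailserv01.dartgc.com. Hop 1, the one naming x.x.x.110, is "claimed": it was written by whatever 207.34.255.70 is, so it is only evidence against the .110 box if 207.34.255.70 is genuinely dartgc's Exchange server, which is exactly the question Chris asks. A reverse lookup and the MX records for dartgc.com are the place to check that, not the header text.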
new TMS webpage (qmail-based anti-spam system)
Some of you might be familiar with Thomas Erskine's ``Tagged Message Sender''. I've been using this software for a few weeks now and have attempted to document in detail both the program itself and also my particular use of it. URL:http://jason.mastaler.com/tms/ Enjoy, Jason
simple spam filtering system: critiques welcome
We currently use rblsmtpd to block mail based on RSS, DUL and RBL. What I've wanted all along is a way for individual users to have this same ability, rather than as a system-wide setting. Here's what I've come up with, and I'd appreciate criticisms and comments from my fellow qmail admins:

http://www.vcnet.com/~jon/qmail-filter/

In a nutshell I use qmail-qfilter + rblcheck to add an extra header to mail delivered through RBL-listed sites. The added header also contains a ranking based on which lists it matched (as defined in the modified rblcheck source I link to). Then, a dot-qmail called script scans the message headers and rejects or accepts based on this ranking. The same system could be used to flag suspected virus infected mail, but I haven't gotten that far just yet.

Huge oversights, ways of making it more efficient, etc are welcomed. I have NOT put this into production yet, but have tested it on a limited basis.

Thanks,
jon
Re: simple spam filtering system: critiques welcome
On Thu, Mar 15, 2001 at 02:42:53PM -0800, Jon Rust wrote:
> We currently use rblsmtpd to block mail based on RSS, DUL and RBL. What I've wanted all along is a way for individual users to have this same ability, rather than as a system-wide setting. Here's what I've come up with, and I'd appreciate criticisms and comments from my fellow qmail admins:

Sorry to follow up your announcement with mine ... I've done something like that, start at
http://www.lamer.de/maex/creative/software/ucspi-tcp/

It consists of 3 parts:

1) is a modification to rblsmtpd that allows defining "tags" for RBLs. Each tag of an RBL that had a hit for that IP is put blank delimited into an environment var RBLID

2) is a modification to qmail-smtpd; it checks for the RBLID env var and inserts one line per RBL tag into the header of the received mail like:
X-RBL-Check: MAPS-RSS
X-RBL-Check: MAPS-DUL

3) is a mess822 package called 822xrblcheck; you can put it into .qmail files and call it e.g. with
|bouncesaying "no messages from blacklisted hosts accepted" /path/to/822xrblcheck MAPS-RSS

\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
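Jon's ranking header and Maex's X-RBL-Check: tags both end in the same place: a program on a .qmail line that reads the message, looks at which lists hit, and answers with an exit code. The example below is my own added code, not 822xrblcheck or Jon's qmail-filter, showing that per-user policy over the two tag lines quoted above; the weights, the threshold and the sample message are constructed, and the tag names are the ones from the thread.

```python
"""Per-user policy over X-RBL-Check: headers, as a .qmail-callable filter.

Added example for the rblsmtpd/qmail-smtpd tagging scheme described in
this thread (and Jon's ranking idea); it is my own code, not 822xrblcheck
or qmail-filter. Tag names follow the thread (MAPS-RSS, MAPS-DUL); the
weights and the sample message are constructed.
"""
import email
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# dot-qmail exit codes: 0 = continue with the next .qmail line, 99 = stop
# processing further lines, 100 = hard error (bounce), 111 = soft error.
EXIT_CONTINUE, EXIT_STOP, EXIT_BOUNCE, EXIT_DEFER = 0, 99, 100, 111

# Constructed weights: heavier lists count more toward a per-user threshold.
DEFAULT_WEIGHTS: Dict[str, int] = {"MAPS-RBL": 10, "MAPS-RSS": 5, "MAPS-DUL": 2}

# Constructed message carrying the two header lines quoted in the thread.
SAMPLE_MESSAGE = """\
Received: from unknown (HELO example.invalid) (192.0.2.10) by mail.example.org with SMTP; 15 Mar 2001 22:42:53 -0000
X-RBL-Check: MAPS-RSS
X-RBL-Check: MAPS-DUL
From: someone@example.invalid
To: user@example.org
Subject: constructed sample

hello
"""


def rbl_tags(raw_message: str) -> List[str]:
    """Collect every X-RBL-Check: value, in header order."""
    msg = email.message_from_string(raw_message)
    return [v.strip() for v in msg.get_all("X-RBL-Check", [])]


def rbl_score(tags: Iterable[str], weights: Dict[str, int] = DEFAULT_WEIGHTS) -> int:
    """Rank a message: sum of the weights of the lists that listed its sender."""
    return sum(weights.get(t, 1) for t in tags)


def decide(raw_message: str, reject_tags: Iterable[str] = (), threshold: Optional[int] = None,
           weights: Dict[str, int] = DEFAULT_WEIGHTS) -> Tuple[int, str]:
    """Return (dot-qmail exit code, reason) for one user's policy."""
    tags = rbl_tags(raw_message)
    hit = [t for t in tags if t in set(reject_tags)]
    if hit:
        return EXIT_BOUNCE, "listed in %s" % ", ".join(hit)
    score = rbl_score(tags, weights)
    if threshold is not None and score >= threshold:
        return EXIT_BOUNCE, "RBL score %d >= %d" % (score, threshold)
    return EXIT_CONTINUE, "RBL score %d, tags %s" % (score, tags or "none")


if __name__ == "__main__":
    # Usage from a .qmail line, e.g. '|python3 rblpolicy.py MAPS-RSS': the
    # message arrives on stdin and the exit code drives qmail-local.
    code, why = decide(sys.stdin.read(), reject_tags=sys.argv[1:])
    sys.stderr.write(why + "\n")
    sys.exit(code)
```

One caveat that applies to Maex's design as much as to this script: the patched qmail-smtpd has to strip any X-RBL-Check: lines that arrive in the DATA before adding its own, otherwise the sending side, not your rblsmtpd, decides what tags a message carries.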
Spam from addresses harvested from message IDs
Somebody's stupid e-mail address harvester can't tell the difference between an e-mail address and a Message-ID header. The result is that a lot of spam is sent to addresses like [EMAIL PROTECTED], which came from the Message-ID header ([EMAIL PROTECTED]) of a message that I once sent to this list. This mail bounces because there is no such address, and, since a lot of spammers aren't kind enough to provide legitimate return addresses, much of this mail double bounces to the postmaster, which is annoying him (me).

What I'd like to do is collect all of this mail in a Maildir, so I can avoid all the double bounces. What I propose to do is put this in ~alias/.qmail-default:

|condredirect messageidspam sh -c "echo "$DEFAULT" | egrep -q '^a[0-9]+$'"
|fastforward -d aliases.cdb

(Right now ~alias/.qmail-default consists of just the fastforward line.)

Can anyone see anything particularly evil about the above? Is there a better way to accomplish this? Am I the only one having this problem?

Thanks!
Chris

PGP signature
Re: Spam from addresses harvested from message IDs
In the previous episode (03.03.2001), Chris Johnson [EMAIL PROTECTED] said:
> What I'd like to do is collect all of this mail in a Maildir, so I can avoid all the double bounces. What I propose to do is put this in ~alias/.qmail-default:
>
> |condredirect messageidspam sh -c "echo "$DEFAULT" | egrep -q '^a[0-9]+$'"

why $DEFAULT ? wouldn't you want to use $LOCAL ? see http://Web.InfoAve.Net/~dsill/lwq.html#environment-variables

> |fastforward -d aliases.cdb

wolfgang
Re: spam filter
"Brian Longwe" [EMAIL PROTECTED] writes: Harald I'm not running an open relay. I am using tcpserver and allowing relaying only for IP addresses that belong to my network (RELAYCLIENT). The problem here is that it's one of my customers who has an application that is sending out all this junk mail. How do I set up a filter to block until I can get them to disable the application? echo "[EMAIL PROTECTED]" /var/qmail/control/badmailfrom -- "I live in the heart of the machine. We are one."
Re: spam filter
On 8 Jan 2001, Jenny Holmberg wrote:
> "Brian Longwe" [EMAIL PROTECTED] writes:
> > Harald
> >
> > I'm not running an open relay. I am using tcpserver and allowing relaying only for IP addresses that belong to my network (RELAYCLIENT). The problem here is that it's one of my customers who has an application that is sending out all this junk mail. How do I set up a filter to block until I can get them to disable the application?
>
> echo "[EMAIL PROTECTED]" >> /var/qmail/control/badmailfrom

This won't work. The envelope sender for hahaha is empty. The address you see in the From line is part of the data.

Vince.
--
==
Vince Vielhaber -- KA8CSH email: [EMAIL PROTECTED] http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==
Re: spam filter
Vince Vielhaber [EMAIL PROTECTED] writes:
> This won't work. The envelope sender for hahaha is empty. The address you see in the From line is part of the data.

You are correct - my apologies. I claim lack of caffeine.

--
"I live in the heart of the machine. We are one."
RE: spam filter
OK Vince, what will work?

Brian

-----Original Message-----
From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 08, 2001 2:10 PM
To: Jenny Holmberg
Cc: [EMAIL PROTECTED]
Subject: Re: spam filter

On 8 Jan 2001, Jenny Holmberg wrote:
> "Brian Longwe" [EMAIL PROTECTED] writes:
> > Harald
> >
> > I'm not running an open relay. I am using tcpserver and allowing relaying only for IP addresses that belong to my network (RELAYCLIENT). The problem here is that it's one of my customers who has an application that is sending out all this junk mail. How do I set up a filter to block until I can get them to disable the application?
>
> echo "[EMAIL PROTECTED]" >> /var/qmail/control/badmailfrom

This won't work. The envelope sender for hahaha is empty. The address you see in the From line is part of the data.

Vince.
--
==
Vince Vielhaber -- KA8CSH email: [EMAIL PROTECTED] http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==
RE: spam filter
On Mon, 8 Jan 2001, Brian Longwe wrote:
> OK Vince, what will work?

I've been letting them come in then contacting the user and pointing them to the fix. I've heard that qmail-scanner will detect this tho. There's a link to it on www.qmail.org.

Vince.

> Brian
>
> -----Original Message-----
> From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 08, 2001 2:10 PM
> To: Jenny Holmberg
> Cc: [EMAIL PROTECTED]
> Subject: Re: spam filter
>
> On 8 Jan 2001, Jenny Holmberg wrote:
> > "Brian Longwe" [EMAIL PROTECTED] writes:
> > > Harald
> > >
> > > I'm not running an open relay. I am using tcpserver and allowing relaying only for IP addresses that belong to my network (RELAYCLIENT). The problem here is that it's one of my customers who has an application that is sending out all this junk mail. How do I set up a filter to block until I can get them to disable the application?
> >
> > echo "[EMAIL PROTECTED]" >> /var/qmail/control/badmailfrom
>
> This won't work. The envelope sender for hahaha is empty. The address you see in the From line is part of the data.
>
> Vince.
> --
> ==
> Vince Vielhaber -- KA8CSH email: [EMAIL PROTECTED] http://www.pop4.net
> 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
> Online Campground Directory http://www.camping-usa.com
> Online Giftshop Superstore http://www.cloudninegifts.com
> ==

--
==
Vince Vielhaber -- KA8CSH email: [EMAIL PROTECTED] http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==
qmail-scanner (was RE: spam filter)
OK, I'm looking at the qmail-scanner option and installing all the prerequisite applications. From what I see in the documentation, it looks like there might be a significant increase in my memory/cpu overhead. I'm a bit worried about this; does anyone have experience with qmail-scanner in a production environment?

Brian

-----Original Message-----
From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 08, 2001 3:10 PM
To: Brian Longwe
Cc: Jenny Holmberg; [EMAIL PROTECTED]
Subject: RE: spam filter

On Mon, 8 Jan 2001, Brian Longwe wrote:
> OK Vince, what will work?

I've been letting them come in then contacting the user and pointing them to the fix. I've heard that qmail-scanner will detect this tho. There's a link to it on www.qmail.org.

Vince.

> Brian
>
> -----Original Message-----
> From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 08, 2001 2:10 PM
> To: Jenny Holmberg
> Cc: [EMAIL PROTECTED]
> Subject: Re: spam filter
>
> On 8 Jan 2001, Jenny Holmberg wrote:
> > "Brian Longwe" [EMAIL PROTECTED] writes:
> > > Harald
> > >
> > > I'm not running an open relay. I am using tcpserver and allowing relaying only for IP addresses that belong to my network (RELAYCLIENT). The problem here is that it's one of my customers who has an application that is sending out all this junk mail. How do I set up a filter to block until I can get them to disable the application?
> >
> > echo "[EMAIL PROTECTED]" >> /var/qmail/control/badmailfrom
>
> This won't work. The envelope sender for hahaha is empty. The address you see in the From line is part of the data.
>
> Vince.
> --
> ==
> Vince Vielhaber -- KA8CSH email: [EMAIL PROTECTED] http://www.pop4.net
> 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
> Online Campground Directory http://www.camping-usa.com
> Online Giftshop Superstore http://www.cloudninegifts.com
> ==

--
==
Vince Vielhaber -- KA8CSH email: [EMAIL PROTECTED] http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==
Re: qmail-scanner (was RE: spam filter)
On Mon, Jan 08, 2001 at 04:27:45PM +0300, Brian Longwe wrote:
> OK, I'm looking at the qmail-scanner option and installing all the prerequisite applications. From what I see in the documentation, it looks like there might be a significant increase in my memory/cpu overhead. I'm a bit worried about this; does anyone have experience with qmail-scanner in a production environment?

Qmail-Scanner can do what you want - but it is intended for bigger/more general things than blocking Emails with a certain From: header/etc... There are already other anti-spam patches referred to on www.qmail.org that can do what you want - with much less overhead than perl-based solutions like Qmail-Scanner.

However, if you think you may soon want more than just header blocks - e.g. header regex matching, attachment blocking and anti-virus scanning, then Qmail-Scanner may be more for you..

http://qmail-scanner.sourceforge.net/

--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
Qmail BlackHole spam/other filter program
I have a program that is available under the GPL at http://www.groovy.org/open.shtml called BlackHole. It can be used in a .qmail file, and uses the major RBL/ORBS type sites plus has recipient good/bad lists using regular expressions. It is in Perl and can log and keep the email it blocks, and has a configurable bounce message. It can be extended to do any number of header checks, and would be useful for allowing users to do their own badmailfrom checks/virus header/spam checking. Thanks, Chris Kennedy [EMAIL PROTECTED]
RE: spam filter
Your observation is correct, the text I pasted is an incoming message. The point is, the only reason it bounced and is being sent back to the user (and me, the postmaster) is because the address got messed up with control characters. There are probably many others with correct addresses going out through my system. I *do* want to receive these bounce messages. But I want to find a way to stop the culprit from sending all this junk through my system. To me it looks like the "from" address that shows in the outgoing messages is [EMAIL PROTECTED], how can I block messages with this originating address (or subject line) from going through the system?

Thanks,
Brian

-----Original Message-----
From: Harald Hanche-Olsen [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 06, 2001 5:42 PM
To: [EMAIL PROTECTED]
Subject: Re: spam filter

+ "Brian Longwe" [EMAIL PROTECTED]:

| Hi,
|
| I want to filter out messages with the following header from being
| sent out by a user on my system:
| -
| Hi. This is the qmail-send program at relay.ispkenya.com.
| I tried to deliver a bounce message to this address, but the bounce bounced!
|
| [EMAIL PROTECTED]/=:
| Sorry, I couldn't find any host named compuserve.com/=. (#5.1.2)
|
| --- Below this line is the original bounce.
[ ...]
| -
|
| I have tried putting some portions of the above in the badmailfrom control
| file to no avail. Any tips?

That doesn't work because not only is the above text not in the header - it is in the body of the incoming message - but the badmailfrom file only controls messages based on the envelope from, which is not even in the header, it's outside the message itself. (Read the envelopes(5) man page to see what I mean.) In this case, the message is a doublebounce, so the envelope sender will be #@[] (it will be in the Return-Path header field after the message is finally delivered).

Here is what you can do:

# cat > /var/qmail/alias/.qmail-doublebounce <<'EOT'
|if grep '[EMAIL PROTECTED]'; then exit 99; else exit 0; fi
postmaster
EOT
# echo doublebounce > /var/qmail/control/doublebounceto

Then restart qmail. To understand what this all means, read the dot-qmail, qmail-command and qmail-send manual pages. Read them before you do anything; the above advice is just off the top of my head and untested, and you should understand the solution and its consequences yourself before implementing it.

- Harald
RE: spam filter
+ "Brian Longwe" [EMAIL PROTECTED]:

| But I want to find a way to stop the culprit from sending all this
| junk through my system. To me it looks like the "from" address that
| shows in the outgoing messages is [EMAIL PROTECTED], how can I
| block messages with this originating address (or subject line) from
| going through the system?

Uh-oh. I guess I wasn't reading your original message well enough. Now it seems to me you're running an open relay, allowing email from anywhere to anywhere else through your system. Believe me, you don't want to do that. You will never be able to keep the spammers away by trying to filter out messages of certain characteristics. Read about relaying, what it is, and how to stop it here:
http://Web.InfoAve.Net/~dsill/lwq.html#relaying

- Harald
RE: spam filter
Harald

I'm not running an open relay. I am using tcpserver and allowing relaying only for IP addresses that belong to my network (RELAYCLIENT). The problem here is that it's one of my customers who has an application that is sending out all this junk mail. How do I set up a filter to block until I can get them to disable the application?

Brian

-----Original Message-----
From: Harald Hanche-Olsen [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 08, 2001 1:54 AM
To: [EMAIL PROTECTED]
Subject: RE: spam filter

+ "Brian Longwe" [EMAIL PROTECTED]:

| But I want to find a way to stop the culprit from sending all this
| junk through my system. To me it looks like the "from" address that
| shows in the outgoing messages is [EMAIL PROTECTED], how can I
| block messages with this originating address (or subject line) from
| going through the system?

Uh-oh. I guess I wasn't reading your original message well enough. Now it seems to me you're running an open relay, allowing email from anywhere to anywhere else through your system. Believe me, you don't want to do that. You will never be able to keep the spammers away by trying to filter out messages of certain characteristics. Read about relaying, what it is, and how to stop it here:
http://Web.InfoAve.Net/~dsill/lwq.html#relaying

- Harald
Re: spam filter
+ "Brian Longwe" [EMAIL PROTECTED]:

| Hi,
|
| I want to filter out messages with the following header from being
| sent out by a user on my system:
| -
| Hi. This is the qmail-send program at relay.ispkenya.com.
| I tried to deliver a bounce message to this address, but the bounce bounced!
|
| [EMAIL PROTECTED]/=:
| Sorry, I couldn't find any host named compuserve.com/=. (#5.1.2)
|
| --- Below this line is the original bounce.
[ ...]
| -
|
| I have tried putting some portions of the above in the badmailfrom control
| file to no avail. Any tips?

That doesn't work because not only is the above text not in the header - it is in the body of the incoming message - but the badmailfrom file only controls messages based on the envelope from, which is not even in the header, it's outside the message itself. (Read the envelopes(5) man page to see what I mean.) In this case, the message is a doublebounce, so the envelope sender will be #@[] (it will be in the Return-Path header field after the message is finally delivered).

Here is what you can do:

# cat > /var/qmail/alias/.qmail-doublebounce <<'EOT'
|if grep '[EMAIL PROTECTED]'; then exit 99; else exit 0; fi
postmaster
EOT
# echo doublebounce > /var/qmail/control/doublebounceto

Then restart qmail. To understand what this all means, read the dot-qmail, qmail-command and qmail-send manual pages. Read them before you do anything; the above advice is just off the top of my head and untested, and you should understand the solution and its consequences yourself before implementing it.

- Harald
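Vince's one-line objection ("the envelope sender for hahaha is empty; the address you see in the From line is part of the data") and Harald's explanation of badmailfrom and the doublebounce alias are the same lesson from two sides, and it is easy to get wrong because the From: header is what every mail client displays. The example below is my own added code, not qmail's: badmailfrom_match restates the matching rule from qmail-control(5), smtp_session shows which of the two "from" values the check actually consults, and doublebounce_filter mirrors the exit-code contract of the '|' command in Harald's .qmail-doublebounce. The worm's address is the page's [EMAIL PROTECTED], so a constructed placeholder stands in for it, and the sample doublebounce is constructed to the shape qmail-send produces.

```python
"""Envelope s sender vs. From: header: what badmailfrom can and cannot see.

Added example for this thread (Vince: the envelope sender of the 'Hahaha'
message is empty; Harald: badmailfrom matches the envelope, and a
doublebounce alias can grep the body). It is my own code, not qmail's:
badmailfrom_match restates the matching rule in qmail-control(5), and
doublebounce_filter mirrors the exit-code contract of a '|' command in a
.qmail file. Addresses and the sample message are constructed.
"""
import re
from typing import List, Tuple

# dot-qmail command exit codes (qmail-command(8)): 0 continue, 99 stop
# processing further .qmail lines, 100 hard error, 111 temporary error.
EXIT_CONTINUE, EXIT_STOP, EXIT_BOUNCE = 0, 99, 100

# qmail-smtpd's actual refusal text when the envelope sender is listed
ERR_BMF = "553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)"

# Constructed doublebounce as qmail-send would deliver it: the worm message
# sits in the body, and the envelope sender of a bounce is empty (<>).
SAMPLE_DOUBLEBOUNCE = """\
Return-Path: <>
To: doublebounce@relay.example
Subject: failure notice

Hi. This is the qmail-send program at relay.example.
I tried to deliver a bounce message to this address, but the bounce bounced!

--- Below this line is the original bounce.
From: Hahaha <hahaha@example.invalid>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
"""


def badmailfrom_match(envelope_sender: str, badmailfrom: List[str]) -> bool:
    """True if qmail-smtpd would refuse every recipient for this MAIL FROM.

    A badmailfrom line is either a full address or '@host' for every
    address at that host. The empty sender of a bounce never matches.
    """
    sender = envelope_sender.strip().lower()
    if sender == "":
        return False
    entries = {line.strip().lower() for line in badmailfrom if line.strip()}
    if sender in entries:
        return True
    at = sender.rfind("@")
    return at != -1 and sender[at:] in entries


def smtp_session(mail_from: str, data_from_header: str, badmailfrom: List[str]) -> Tuple[str, str]:
    """Show which of the two 'from' values the badmailfrom check consults."""
    if badmailfrom_match(mail_from, badmailfrom):
        return ERR_BMF, "rejected at RCPT on the envelope sender"
    return "250 ok", "From: header %r is message data; badmailfrom never looks at it" % data_from_header


def doublebounce_filter(message: str, pattern: str) -> int:
    """Exit code for a '|' command in ~alias/.qmail-doublebounce.

    Returning 99 swallows the doublebounce (later .qmail lines such as
    'postmaster' are skipped); 0 lets it continue on to the postmaster.
    """
    return EXIT_STOP if re.search(pattern, message) else EXIT_CONTINUE
```

Listing the worm's From: address in badmailfrom therefore changes nothing for mail that arrives with MAIL FROM:<>, which is why the doublebounce alias works on the body instead; the cost of Harald's approach is that every doublebounce whose body happens to mention the pattern is silently dropped, so keep the pattern specific.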
spam filter
Hi,

I want to filter out messages with the following header from being sent out by a user on my system:

-
Hi. This is the qmail-send program at relay.ispkenya.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

[EMAIL PROTECTED]/=:
Sorry, I couldn't find any host named compuserve.com/=. (#5.1.2)

--- Below this line is the original bounce.

Return-Path:
Received: (qmail 28950 invoked from network); 6 Jan 2001 05:27:45 -
Received: from unknown (HELO aiesec?kenya) (216.252.186.94)
  by relay.ispkenya.com with SMTP; 6 Jan 2001 05:27:45 -
From: Hahaha [EMAIL PROTECTED]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE5UFCHQFKPQVSHUN89Q741"
-

I have tried putting some portions of the above in the badmailfrom control file to no avail. Any tips?

Thanks,
Brian
how do I block this SPAM?
We're getting dozens of these SPAM now every day just on a single admin account. There is a flood going to user mail boxes too. I've not been successful blocking it with badmailfrom or badmailpatterns. procmail yes, but I'd rather push them back. It's coming from all over the place. We're running qmail-1.03 with the SPAMCONTROL patch. Can anyone help me with this please?

Thanks,
cfm

From MAILER-DAEMON Mon Jan 01 18:30:53 2001
Return-Path:
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6035 invoked from network); 1 Jan 2001 18:30:52 -
Received: from gray.maine.com (204.176.0.13)
  by sooshi.maine.com with SMTP; 1 Jan 2001 18:30:52 -
Received: (qmail 13886 invoked by uid 64010); 1 Jan 2001 18:19:29 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 13883 invoked from network); 1 Jan 2001 18:19:28 -
Received: from rly-ip02.mx.aol.com (152.163.225.160)
  by gray.maine.com with SMTP; 1 Jan 2001 18:19:28 -
Received: from tot-tg1-th.proxy.aol.com (tot-tg1-th.proxy.aol.com [152.163.213.3])
  by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id NAA12608
  for [EMAIL PROTECTED]; Mon, 1 Jan 2001 13:18:49 -0500 (EST)
Received: from oemcomputer (AC928F2E.ipt.aol.com [172.146.143.46])
  by tot-tg1-th.proxy.aol.com (8.10.0/8.10.0) with SMTP id f01IIR421070
  for [EMAIL PROTECTED]; Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Date: Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Message-Id: [EMAIL PROTECTED]
From: Hahaha [EMAIL PROTECTED]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VER0HE7WPQVW9YB0567WDEZOLYVKLM3S1"
X-Apparently-From: [EMAIL PROTECTED]

--
Jan 1 13:19:28 gray qmail: 978373168.993475 new msg 217092
Jan 1 13:19:28 gray qmail: 978373168.995066 info msg 217092: bytes 35410 from qp 13883 uid 71
Jan 1 13:19:29 gray qmail: 978373169.065436 starting delivery 14530: msg 217092 to local [EMAIL PROTECTED]
Jan 1 13:19:29 gray qmail: 978373169.066836 status: local 2/10 remote 0/20

--
Christopher F. Miller, Publisher [EMAIL PROTECTED]
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039 1.207.657.5078
http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux
Re: how do I block this SPAM?
badmailfrom won't work on this. See the archives for discussions on why not (it checks Return-Path). Perhaps speak to [EMAIL PROTECTED] as it looks to be originating in there.

Regards.

On Mon, Jan 01, 2001 at 02:21:58PM -0500, [EMAIL PROTECTED] wrote:

We're getting dozens of these SPAM now every day just on a single admin account. There is a flood going to user mail boxes too. I've not been successful blocking it with badmailfrom or badmailpatterns. procmail yes, but I'd rather push them back. It's coming from all over the place. We're running qmail-1.03 with the SPAMCONTROL patch. Can anyone help me with this please?

Thanks,
cfm

From MAILER-DAEMON Mon Jan 01 18:30:53 2001
Return-Path:
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6035 invoked from network); 1 Jan 2001 18:30:52 -
Received: from gray.maine.com (204.176.0.13)
  by sooshi.maine.com with SMTP; 1 Jan 2001 18:30:52 -
Received: (qmail 13886 invoked by uid 64010); 1 Jan 2001 18:19:29 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 13883 invoked from network); 1 Jan 2001 18:19:28 -
Received: from rly-ip02.mx.aol.com (152.163.225.160)
  by gray.maine.com with SMTP; 1 Jan 2001 18:19:28 -
Received: from tot-tg1-th.proxy.aol.com (tot-tg1-th.proxy.aol.com [152.163.213.3])
  by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id NAA12608
  for [EMAIL PROTECTED]; Mon, 1 Jan 2001 13:18:49 -0500 (EST)
Received: from oemcomputer (AC928F2E.ipt.aol.com [172.146.143.46])
  by tot-tg1-th.proxy.aol.com (8.10.0/8.10.0) with SMTP id f01IIR421070
  for [EMAIL PROTECTED]; Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Date: Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Message-Id: [EMAIL PROTECTED]
From: Hahaha [EMAIL PROTECTED]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VER0HE7WPQVW9YB0567WDEZOLYVKLM3S1"
X-Apparently-From: [EMAIL PROTECTED]

--
Jan 1 13:19:28 gray qmail: 978373168.993475 new msg 217092
Jan 1 13:19:28 gray qmail: 978373168.995066 info msg 217092: bytes 35410 from qp 13883 uid 71
Jan 1 13:19:29 gray qmail: 978373169.065436 starting delivery 14530: msg 217092 to local [EMAIL PROTECTED]
Jan 1 13:19:29 gray qmail: 978373169.066836 status: local 2/10 remote 0/20

--
Christopher F. Miller, Publisher [EMAIL PROTECTED]
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039 1.207.657.5078
http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux
Re: how do I block this SPAM?
On 1 Jan 2001, Mark Delany wrote:

badmailfrom won't work on this. See the archives for discussions on why not (it checks Return-Path).

Not a good idea; on the ORBS spammers' list can be found people who don't write spam - for instance, I. Each admin or group of admins should make their own "blacklist" - for me, this is the best method. The host which relays spam should be listed in the tcpserver control file as deny (if SMTP is used with tcpserver, which is recommended) on each mail server in the domain (the secondary MX too). For instance the file tcp.smtp can look like:

my.host:allow,RELAYCLIENT=""
bad.host:deny
:allow

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED] [http://www.am.torun.pl/~pekasz]
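As an added illustration (not code from the thread or from ucspi-tcp), here is a small Python evaluator that applies the lookup order the tcprules documentation gives for tcpserver to a tcp.smtp-style file, so you can see which rule a given client would hit before compiling the cdb. The rule file and client addresses below are constructed from documentation ranges. It shows two things the post's example relies on: the catch-all ":allow" line lets anyone connect and deliver to your domains, but without RELAYCLIENT qmail-smtpd will not relay for them; and a host-name rule only matches when written with the "=" prefix and when tcpserver could actually resolve the client's name (its -p option verifies that name against a forward lookup).

```python
"""Added example, not code from the thread or from ucspi-tcp: evaluate a
tcp.smtp-style rule file the way tcprules documents tcpserver's lookup order."""


def parse_rules(text):
    """Parse 'address:action[,VAR="value",...]' lines into {address: (action, env)}.
    Quoting is simplified: tcprules also accepts escapes inside the quotes."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        fields = rest.split(",")
        env = {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            env[name.strip()] = value.strip().strip('"')
        rules[addr] = (fields[0].strip(), env)
    return rules


def lookup_order(ip, host=None, info=None):
    """Addresses tcpserver tries, in order; the first one present in the cdb wins.
    host is $TCPREMOTEHOST and info is $TCPREMOTEINFO; either may be unset."""
    order = []
    if info is not None:
        order.append(f"{info}@{ip}")
        if host is not None:
            order.append(f"{info}@={host}")
    order.append(ip)
    if host is not None:
        order.append("=" + host)
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):      # 1.2.3. then 1.2. then 1.
        order.append(".".join(octets[:n]) + ".")
    if host is not None:
        labels = host.split(".")
        for n in range(1, len(labels)):           # =.b.example then =.example
            order.append("=." + ".".join(labels[n:]))
        order.append("=")                          # any client whose name resolved
    order.append("")                               # the catch-all ':' line
    return order


def decide(rules, ip, host=None, info=None):
    """Return (matched_address, action, env). With no matching rule at all,
    tcpserver lets the connection through, so the ':' line is normally written out."""
    for addr in lookup_order(ip, host, info):
        if addr in rules:
            action, env = rules[addr]
            return addr, action, env
    return None, "allow", {}


def relay_permitted(rules, ip, host=None, info=None):
    """qmail-smtpd relays only when the matched rule exported RELAYCLIENT."""
    _, action, env = decide(rules, ip, host, info)
    return action == "allow" and "RELAYCLIENT" in env


# Constructed rule file in the spirit of the post's tcp.smtp; the addresses are
# documentation ranges, not real hosts.
SAMPLE_TCP_SMTP = """\
# our own network may relay through us
192.0.2.:allow,RELAYCLIENT=""
# one host that keeps sending junk
198.51.100.23:deny
# every client whose reverse name ends in .spamrelay.example
=.spamrelay.example:deny
# without '=' this is compared to the IP string only, so a host named bad.host never matches it
bad.host:deny
# everyone else may connect and deliver to our domains, but cannot relay
:allow
"""
RULES = parse_rules(SAMPLE_TCP_SMTP)

if __name__ == "__main__":
    for client in [("192.0.2.77", None), ("198.51.100.23", None),
                   ("203.0.113.9", "mx1.spamrelay.example"), ("203.0.113.9", "bad.host")]:
        print(client, decide(RULES, *client), "relay:", relay_permitted(RULES, *client))
```

After editing the real file you still compile it with tcprules and restart nothing: tcpserver reads the cdb on every connection, so the new rules take effect for the next client.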
Re: how do I block this SPAM? Clarification
On Mon, Jan 01, 2001 at 07:25:49PM +, Mark Delany wrote:

badmailfrom won't work on this. See the archives for discussions on why not (it checks Return-Path). Perhaps speak to [EMAIL PROTECTED] as it looks to be originating in there.

My mistake, I was unclear. These are coming to us from all over the net, presumably from legitimate accounts. Looks to me like they - oemcomputer (AC928F2E.ipt.aol.com) in this case - have a virus of some sort. But it is not just that one user. Below is another one just in. Is this just a local "maine" thing or has anyone else seen it?

Best,
cfm

From MAILER-DAEMON Mon Jan 01 19:32:31 2001
Return-Path:
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6104 invoked from network); 1 Jan 2001 19:32:30 -
Received: from gray.maine.com (204.176.0.13)
  by sooshi.maine.com with SMTP; 1 Jan 2001 19:32:30 -
Received: (qmail 14946 invoked by alias); 1 Jan 2001 19:21:05 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 14943 invoked from network); 1 Jan 2001 19:20:56 -
Received: from 1087-maine-56k.ime.net (HELO pavilion) (209.90.240.137)
  by gray.maine.com with SMTP; 1 Jan 2001 19:20:56 -
From: Hahaha [EMAIL PROTECTED]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE7K1EZWPU3"
Status: RO
Content-Length: 31628
Lines: 421

VE7K1EZWPU3
Content-Type: text/plain; charset="us-ascii"

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

VE7K1EZWPU3
Content-Type: application/octet-stream; name="sexy virgin.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sexy virgin.scr"

Regards.

On Mon, Jan 01, 2001 at 02:21:58PM -0500, [EMAIL PROTECTED] wrote:

We're getting dozens of these SPAM now every day just on a single admin account. There is a flood going to user mail boxes too. I've not been successful blocking it with badmailfrom or badmailpatterns. procmail yes, but I'd rather push them back. It's coming from all over the place. We're running qmail-1.03 with the SPAMCONTROL patch. Can anyone help me with this please?

Thanks,
cfm

From MAILER-DAEMON Mon Jan 01 18:30:53 2001
Return-Path:
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6035 invoked from network); 1 Jan 2001 18:30:52 -
Received: from gray.maine.com (204.176.0.13)
  by sooshi.maine.com with SMTP; 1 Jan 2001 18:30:52 -
Received: (qmail 13886 invoked by uid 64010); 1 Jan 2001 18:19:29 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 13883 invoked from network); 1 Jan 2001 18:19:28 -
Received: from rly-ip02.mx.aol.com (152.163.225.160)
  by gray.maine.com with SMTP; 1 Jan 2001 18:19:28 -
Received: from tot-tg1-th.proxy.aol.com (tot-tg1-th.proxy.aol.com [152.163.213.3])
  by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id NAA12608
  for [EMAIL PROTECTED]; Mon, 1 Jan 2001 13:18:49 -0500 (EST)
Received: from oemcomputer (AC928F2E.ipt.aol.com [172.146.143.46])
  by tot-tg1-th.proxy.aol.com (8.10.0/8.10.0) with SMTP id f01IIR421070
  for [EMAIL PROTECTED]; Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Date: Mon, 1 Jan 2001 13:18:27 -0500 (EST)
Message-Id: [EMAIL PROTECTED]
From: Hahaha [EMAIL PROTECTED]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VER0HE7WPQVW9YB0567WDEZOLYVKLM3S1"
X-Apparently-From: [EMAIL PROTECTED]

--
Jan 1 13:19:28 gray qmail: 978373168.993475 new msg 217092
Jan 1 13:19:28 gray qmail: 978373168.995066 info msg 217092: bytes 35410 from qp 13883 uid 71
Jan 1 13:19:29 gray qmail: 978373169.065436 starting delivery 14530: msg 217092 to local [EMAIL PROTECTED]
Jan 1 13:19:29 gray qmail: 978373169.066836 status: local 2/10 remote 0/20

--
Christopher F. Miller, Publisher [EMAIL PROTECTED]
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039 1.207.657.5078
http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux

--
Christopher F. Miller, Publisher [EMAIL PROTECTED]
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039 1.207.657.5078
http://www.maine.com/
Content management, electronic commerce, internet integration, Debian linux
Re: how do I block this SPAM?
On or about 08:50 PM 1/1/01 +0100, Piotr Kasztelowicz was caught in a dark alley speaking these words:

On 1 Jan 2001, Mark Delany wrote:

badmailfrom won't work on this. See the archives for discussions on why not (it checks Return-Path).

Not a good idea; on the ORBS spammers' list can be found people who don't write spam - for instance, I.

The problem is, this isn't spam -- it's a virus. If you start blocking IP's from wherever you get this, you will start blocking a *lot* of non-relaying sites. This isn't relaying. This is a case of honest (albeit IMNSHO clueless) people sending out a copy of a virus they don't know they have.

The virus sending out copies of itself to known good email addresses isn't my major problem, tho. The virus also sends itself to godawful strings of non-Internet related characters (like "aslkjjsdl@#.jskd") which is causing a very high load of double-bounces - with me being the postmaster, I'm getting a very large (to the order of 2-5 every *second*) number of these in my mailbox.

One bad thing about this virus is it wipes out (almost) every piece of useful data that you could use to track down the person who has the virus. The only useful stuff is what qmail logs - namely the HELO string, the originating IP address and time. (And the HELO string is useless if the user doesn't change the "Host" DNS setting from "oemcomputer" to the user's real ID.)

Now, a .qmail file which filters on that idiot "[EMAIL PROTECTED]" and either a) sends that mail to the bit-bucket (which is by now overflowing... :-) or b) filters out the Received: header with the HELO line in it and stuffs it into a separate file would be a great boon... If I have a chance I'll bone up on .qmail files (one thing I don't like about qmail is it doesn't crash. "Set it and forget it" which is what usually happens... ;-) and write it myself, but I don't have the time just yet.

I do have a perl script somewhere that does the HELO filter in (b) above, but it's a separate proggie - not an inline filter. (Oh, on larger files, it won't run under NT's perl, either. Hope you have a *nix box handy...)

HTH,
Roger "Merch" Merchberger

=
Roger "Merch" Merchberger -- [EMAIL PROTECTED]
SysAdmin - Iceberg Computers
=
Merch's Wild Wisdom of the Moment:
=
Sometimes you know, you just don't know sometimes, you know?
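As an added example (not code from the thread), here is what the kind of .qmail program filter Harald sketched above for double bounces, and that Roger asks for here, could look like in Python. It exits 99 when the message carries the "Hahaha" sender, "Snowhite" subject or .scr attachment quoted in this thread, so the remaining .qmail lines are skipped and the message is dropped, and exits 0 otherwise so the next line delivers normally; when it fires it appends the HELO string and peer IP that qmail-smtpd recorded in its Received: header to a log file. The script path, the log path and the two sample messages are assumptions, built with documentation address ranges.

```python
"""Added example, not code from the thread: a program for a .qmail line that
recognises the Hybris mail described in this thread, stops delivery with the
dot-qmail(5) exit code 99, and records the HELO string and peer IP that
qmail-smtpd wrote into its Received: header. Intended .qmail line (path assumed):
    |/usr/local/bin/hybris-filter.py /var/log/hybris-helo.log
"""
import re
import sys
from email import message_from_string

# qmail-smtpd writes "Received: from HOST (HELO X) (INFO@IP) by ME with SMTP; DATE".
# The "(HELO X)" part appears only when the HELO argument differed from HOST,
# and "INFO@" only when tcpserver obtained $TCPREMOTEINFO.
QMAIL_RECEIVED = re.compile(
    r"from\s+(?P<host>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]*)\))?"
    r"\s+\((?:[^@)]*@)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+SMTP",
    re.IGNORECASE,
)

EXIT_CONTINUE = 0  # dot-qmail(5): success, go on to the next .qmail line
EXIT_STOP = 99     # dot-qmail(5): success, ignore the remaining .qmail lines


def parse_qmail_received(msg):
    """One dict per qmail-style Received: header, in header order (outermost first)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = QMAIL_RECEIVED.search(" ".join(value.split()))
        if m:
            hop = m.groupdict()
            if hop["helo"] is None:   # qmail-smtpd omits HELO when it equals HOST
                hop["helo"] = hop["host"]
            hops.append(hop)
    return hops


def is_hybris(msg):
    """Signature as described in the thread: the 'Hahaha' sender, the
    'Snowhite' subject, or a .scr attachment."""
    if (msg.get("From") or "").startswith("Hahaha"):
        return True
    if (msg.get("Subject") or "").startswith("Snowhite and the Seven Dwarfs"):
        return True
    return any((part.get_filename() or "").lower().endswith(".scr")
               for part in msg.walk())


def filter_message(raw):
    """Decide the exit status for the .qmail program and what to log."""
    msg = message_from_string(raw)
    hops = parse_qmail_received(msg)
    hit = is_hybris(msg)
    return {
        "exit": EXIT_STOP if hit else EXIT_CONTINUE,
        "hybris": hit,
        # the qmail-recorded hop nearest the sender; as the AOL trace in this
        # thread shows, it can still be a relay rather than the infected machine
        "origin": hops[-1] if hops else None,
    }


# Constructed sample messages; addresses are documentation ranges / .invalid.
SAMPLE_HYBRIS = """\
Return-Path: <>
Delivered-To: postmaster@relay.example.net
Received: from unknown (HELO oemcomputer) (192.0.2.45)
  by relay.example.net with SMTP; 6 Jan 2001 05:27:45 -0000
From: Hahaha <hahaha@example.invalid>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Today, Snowhite was turning 18.
--BOUNDARY
Content-Type: application/octet-stream; name="sexy virgin.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sexy virgin.scr"

AAAA
--BOUNDARY--
"""

SAMPLE_CLEAN = """\
Received: from mail.example.org (198.51.100.7)
  by relay.example.net with SMTP; 6 Jan 2001 06:00:00 -0000
From: Alice <alice@example.org>
Subject: meeting notes

See you at ten.
"""

if __name__ == "__main__":
    result = filter_message(sys.stdin.read())
    if result["hybris"] and result["origin"]:
        logpath = sys.argv[1] if len(sys.argv) > 1 else "/dev/stderr"
        with open(logpath, "a") as log:
            log.write("hybris helo=%(helo)s ip=%(ip)s by=%(by)s\n" % result["origin"])
    sys.exit(result["exit"])
```

Put the program line first in the .qmail file and the normal delivery after it (for example `./Maildir/` in a user's .qmail, or `postmaster` in the `.qmail-doublebounce` from Harald's recipe): qmail-local runs the program with the message on stdin and processes the lines in order, so exit 99 drops the message and exit 0 lets it reach the next line. The log file has to be writable by the user the delivery runs as, and the signature is deliberately narrow, so a mail that merely mentions Hybris in its body passes through.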
Re: how do I block this SPAM?
[EMAIL PROTECTED] wrote:

We're getting dozens of these SPAM now every day just on a single admin account. There is a flood going to user mail boxes too. I've not been successful blocking it with badmailfrom or badmailpatterns. procmail yes, but I'd rather push them back. It's coming from all over the place. We're running qmail-1.03 with the SPAMCONTROL patch. Can anyone help me with this please?

Note that as mentioned before, this is not SPAM, it's a virus. See http://www.vet.com.au/html/zoo/descriptions/hybris.htm for more information.

You can block this quite effectively with qmail-scanner. See http://qmail-scanner.sourceforge.net/ for more information. An entry in quarantine-attachments.txt of:

Hahaha [EMAIL PROTECTED]	Virus-From: Win32.Hybris

would be effective without your having to purchase a virus scanner for your system.

Cheers,
--
Andrew Hill
"Right now, I'd happily snort gunk from the sink if it would take my brain somewhere away from here" - JB
Question 4 a Guru: Adding a manual or semiautomatic rejection process for spam in vmailmgr/qmail..
Hi All,

We have an application where we want to add a process of spam rejection. Fully automated spam rejection is not wanted, as not a single non-spam message should be redirected to /dev/null. Also, full spam rejection is required. We want something like moderated mailing lists, where a defined user gets the mail identified as spam and is able to reverse the rejection of mail, in addition to bouncing the mail which has escaped the spam filters.

Anyone know of such an application? Qmail/vmailmgr preferred, but if any other is available, we would love to have pointers, so that we can study it for adaptation purposes.

IAC, can somebody please give me some idea how such a thing can be implemented in a qmail/vmailmgr scenario? How should the application get mail from qmail/vmailmgr... at which point in the process of sending the mail to the mailbox? How should the application put the mail into the vmailmgr mailbox? Would like to use existing qmail/vmailmgr procedures wherever possible!!

Hope someone can help me.

With best regards.
Sanjay.
mail() spam question (PHP)!
How do I set spam control on the mail() function? We allow use of mail() for our free hosting. How do I set a limit on the use of mail() (PHP v4.0.3pl1)? Methods of QMAIL please.
Re: mail() spam question (PHP)!
How do I set spam control on the mail() function? We allow use of mail() for our free hosting. How do I set a limit on the use of mail() (PHP v4.0.3pl1)? Methods of QMAIL please.

Forget it. php allows users to open sockets and send mails without using qmail at all.

Felix
Re: mail() spam question (PHP)!
On Sun, Dec 24, 2000 at 02:34:22PM +0300, Michail A.Baikov wrote:

How do I set spam control on the mail() function? We allow use of mail() for our free hosting. How do I set a limit on the use of mail() (PHP v4.0.3pl1)?

This is more of a PHP question than a QMail question. You might want to do something like build an extension to PHP where the access to the mail() and socket and other routines is restricted based on something like a cron.allow file. You'd probably also have to limit access to qmail-inject, qmail-queue, sendmail and datemail, possibly access to popen(), etc... The words "finger" and "dike" come to mind.

Sean
--
We are all in the gutter, but some of us are looking at the stars. -- Oscar Wilde
Sean Reifschneider, Inimitably Superfluous [EMAIL PROTECTED]
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python