RE: Problems with Received: header checks and ALL_TRUSTED rule...
I've checked my logs and noticed the following entry whenever I restart the spamassassin service: config: dup unknown type msa_networks, Mail::SpamAssassin::NetSet Is this something I should be worried about? Cheers, AK. -Original Message- From: Anthony Kamau [mailto:[EMAIL PROTECTED] Sent: Wednesday, 13 June 2007 5:12 PM To: Daryl C. W. O'Shea Cc: SpamAssassin Mailing List Subject: RE: Problems with Received: header checks and ALL_TRUSTED rule... Thanks a ton Daryl. I've patched my SA 3.1.7 per [1] and it is working as expected. Cheers, AK.
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote: I've checked my logs and noticed the following entry whenever I restart the spamassassin service: config: dup unknown type msa_networks, Mail::SpamAssassin::NetSet Is this something I should be worried about? As long as you don't have any users calling clear_msa_networks in their per user config I believe it's a harmless warning. In any case, attached is a patch to correct the issue. Daryl Index: lib/Mail/SpamAssassin/Conf.pm === --- lib/Mail/SpamAssassin/Conf.pm (revision 541336) +++ lib/Mail/SpamAssassin/Conf.pm (working copy) @@ -3160,7 +3160,7 @@ # keys that should can be copied using a -clone() method, in -clone() my @CLONABLE_KEYS = qw( -internal_networks trusted_networks +internal_networks trusted_networks msa_networks ); my %done = ();
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks Daryl. That error is now no more. Cheers, AK. -Original Message- From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent: Monday, 18 June 2007 12:59 PM To: Anthony Kamau Cc: SpamAssassin Mailing List Subject: Re: Problems with Received: header checks and ALL_TRUSTED rule... As long as you don't have any users calling clear_msa_networks in their per user config I believe it's a harmless warning. In any case, attached is a patch to correct the issue. Daryl
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Daryl, You'll be glad to know that I'm now rejecting at RCPT instead of blindly forwarding to the exchange box! We don't have numerous updates in active directory so for now I'm doing a manual export to the sendmail box. Cheers, AK. -Original Message- From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent: Thursday, 14 June 2007 11:53 AM To: Anthony Kamau Cc: SpamAssassin Mailing List Subject: Re: Problems with Received: header checks and ALL_TRUSTED rule... In any case, spamming people with backscatter in the form of NDRs from your system is completely unacceptable. You have at least three options to prevent this; (i) configure out how to do LDAP queries from Sendmail against your Exchange system to verify addresses, or (ii) use a milter such as Anthony Howe's milter-ahead (which I believe he licenses for 90 Euros), or (iii) export all of your addresses to your Sendmail box. Daryl
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote: OT Any chance you know of a quick and dirty method to implement sendmail AD authentication? I did search during build of the sendmail box, but did not find conclusive instructions to do so - possibly because I was under immense pressure to get a spam identifier installed. /OT Check out MIMEDefang, http://www.mimedefang.org. Among other things, it can do exactly this in several ways, and may also help with your problem of spam-tagged mail having the spam tags stripped off in some cases. -kgd
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks Kris. OT I Googled for MIMEDefang and AD and came across this post [1] by Brian at RoaringPenguine; he suggests not to use MIMEDefang as it imposes a heavy load on Exchange/AD on Windows 2003. He provides an alternative by releasing 2 scripts that automate the harvesting of email addresses from AD via LDAP and dumps those addresses into the accessdb file to filter on. Not wanting to cause performance issues on the Exchange box, I'll try this 'easy' way out first! [1] http://lists.roaringpenguin.com/pipermail/mimedefang/2003-December/01863 3.html Cheers, AK. -Original Message- From: Kris Deugau [mailto:[EMAIL PROTECTED] Sent: Friday, 15 June 2007 12:56 AM To: users@spamassassin.apache.org Subject: Re: Problems with Received: header checks and ALL_TRUSTED rule... Anthony Kamau wrote: OT Any chance you know of a quick and dirty method to implement sendmail AD authentication? I did search during build of the sendmail box, but did not find conclusive instructions to do so - possibly because I was under immense pressure to get a spam identifier installed. /OT Check out MIMEDefang, http://www.mimedefang.org. Among other things, it can do exactly this in several ways, and may also help with your problem of spam-tagged mail having the spam tags stripped off in some cases. -kgd
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote: How then can I tell spamassassin to fire the ALL_TRUSTED rule if the connecting host is on the trusted list and ignore further Received: header checks? I have read Mail::SpamAssassin::Conf help file but cannot find the solution yet. I thought the whitelist_allows_relays would help, but I'm not too sure what that does! Is there a better source of documentation somewhere? msa_networks
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Daryl C. W. O'Shea wrote: Anthony Kamau wrote: How then can I tell spamassassin to fire the ALL_TRUSTED rule if the connecting host is on the trusted list and ignore further Received: header checks? I have read Mail::SpamAssassin::Conf help file but cannot find the solution yet. I thought the whitelist_allows_relays would help, but I'm not too sure what that does! Is there a better source of documentation somewhere? msa_networks That's only available with 3.2, though, so you'll either need to patch SA [1] or do something else [2]. Daryl [1] http://people.apache.org/~dos/sa-patches/msa_networks.3.1 [2] http://wiki.apache.org/spamassassin/DynablockIssues
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks Daryl. I've done a little bit of reading on msa_netowrks and it appears I need to upgrade to SA 3.2.x to get this added benefit - correct? Cheers, AK. -Original Message- From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent: Wednesday, 13 June 2007 4:07 PM To: Anthony Kamau Cc: SpamAssassin Mailing List Subject: Re: Problems with Received: header checks and ALL_TRUSTED rule... Anthony Kamau wrote: How then can I tell spamassassin to fire the ALL_TRUSTED rule if the connecting host is on the trusted list and ignore further Received: header checks? I have read Mail::SpamAssassin::Conf help file but cannot find the solution yet. I thought the whitelist_allows_relays would help, but I'm not too sure what that does! Is there a better source of documentation somewhere? msa_networks
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote: Thanks Daryl. I've done a little bit of reading on msa_netowrks and it appears I need to upgrade to SA 3.2.x to get this added benefit - correct? Yeah, I missed that you were using 3.1.7 in my first reply. If you can't upgrade I think that the 3.1 patch for msa_networks still applies cleanly to 3.1.7 (maybe even 3.1.9). Daryl
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks a ton Daryl. I've patched my SA 3.1.7 per [1] and it is working as expected. Cheers, AK. -Original Message- From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent: Wednesday, 13 June 2007 4:15 PM To: Anthony Kamau Cc: SpamAssassin Mailing List Subject: Re: Problems with Received: header checks and ALL_TRUSTED rule... That's only available with 3.2, though, so you'll either need to patch SA [1] or do something else [2]. Daryl [1] http://people.apache.org/~dos/sa-patches/msa_networks.3.1 [2] http://wiki.apache.org/spamassassin/DynablockIssues
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Hey Daryl, et al, I've just discovered something rather interesting after I enabled the msa_networks feature in local.cf. What's happening is this: 1/ spam arrives at the sendmail box from someone who has used a non-existent email address in our domain 2/ spamassassin clearly marks this as spam, sendmail adds the necessary headers, modifies the subject and relays to exchange 3/ if exchange is configured to send a copy of received email to an external account OR the message is destined for a non-existent mailbox, exchange will initiate a connection with sendmail either for forwarding mail or for NDR 4/ since the exchange box is now trusted via msa_networks, the email receives a clean bill of health from spamassassin and sendmail proceeds to remove the headers previously added for the incoming message except for the subject line which is left with the previously changed header! How can I tell sendmail milter not to remove any of the headers as the email message is really still spam??? Although we could drop all spam and forget about this whole issue, company policy dictates that any email destined to an existing recipient mailbox will be delivered be it spam or not (false positives in the past have left many weary of lost email)! Cheers, AK.
RE: Problems with Received: header checks and ALL_TRUSTED rule...
I've just discovered something rather interesting after I enabled the msa_networks feature in local.cf. What's happening is this: 1/ spam arrives at the sendmail box from someone who has used a non-existent email address in our domain 2/ spamassassin clearly marks this as spam, sendmail adds the necessary headers, modifies the subject and relays to exchange 3/ if exchange is configured to send a copy of received email to an external account OR the message is destined for a non-existent mailbox, exchange will initiate a connection with sendmail either for forwarding mail or for NDR 4/ since the exchange box is now trusted via msa_networks, the email receives a clean bill of health from spamassassin and sendmail proceeds to remove the headers previously added for the incoming message except for the subject line which is left with the previously changed header! How can I tell sendmail milter not to remove any of the headers as the email message is really still spam??? Although we could drop all spam and forget about this whole issue, company policy dictates that any email destined to an existing recipient mailbox will be delivered be it spam or not (false positives in the past have left many weary of lost email)! Cheers, AK. AK, The MTA should not accept email for non existent email addresses - rh
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks Robert. And you are correct - the exchange rejects mail destined to non-existent mailboxes! Due to lack of time, I have not yet found a quick method to have sendmail authenticate against active directory so I've instructed sendmail to relay all mail and leave it to exchange to deal with rejection and NDR's. OT Any chance you know of a quick and dirty method to implement sendmail AD authentication? I did search during build of the sendmail box, but did not find conclusive instructions to do so - possibly because I was under immense pressure to get a spam identifier installed. /OT Cheers, AK. -Original Message- From: Robert - eLists [mailto:[EMAIL PROTECTED] Sent: Thursday, 14 June 2007 10:47 AM To: users@spamassassin.apache.org Subject: RE: Problems with Received: header checks and ALL_TRUSTED rule... AK, The MTA should not accept email for non existent email addresses - rh
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote: 3/ if exchange is configured to send a copy of received email to an external account OR the message is destined for a non-existent mailbox, exchange will initiate a connection with sendmail either for forwarding mail or for NDR 4/ since the exchange box is now trusted via msa_networks, the email receives a clean bill of health from spamassassin and sendmail proceeds to remove the headers previously added for the incoming message except for the subject line which is left with the previously changed header! How can I tell sendmail milter not to remove any of the headers as the email message is really still spam??? This depends entirely on the milter. Perhaps you can configure it to either not scan mail that has already been scanned by your system or to not scan outgoing mail at all. In any case, spamming people with backscatter in the form of NDRs from your system is completely unacceptable. You have at least three options to prevent this; (i) configure out how to do LDAP queries from Sendmail against your Exchange system to verify addresses, or (ii) use a milter such as Anthony Howe's milter-ahead (which I believe he licenses for 90 Euros), or (iii) export all of your addresses to your Sendmail box. Daryl
