Re: [spamdyke-users] can't block envelope sender

2016-07-27 Thread Faris Raouf via spamdyke-users
Yup! That would be great. I just think it would be useful to know it is
happening, and where to look, sort of thing.

From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf
Of Sam Clippinger via spamdyke-users
Sent: 25 July 2016 14:50
To: spamdyke users <spamdyke-users@spamdyke.org>
Subject: Re: [spamdyke-users] can't block envelope sender

Could probably do that.  Or maybe print the matching file/line in the
"reason" field, the same way it already does for blacklist matches?


-- Sam Clippinger

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


Re: [spamdyke-users] can't block envelope sender

2016-07-25 Thread Sam Clippinger via spamdyke-users
Could probably do that.  Or maybe print the matching file/line in the "reason" 
field, the same way it already does for blacklist matches?

-- Sam Clippinger




On Jul 22, 2016, at 11:37 AM, Faris Raouf wrote:

> Hi Sam,
>  
> I just had a chance to have a go with the tests, and just as you expected it 
> was down to the rDNS of the sender being whitelisted.
> I don’t know how many times I’d checked, and missed seeing it :)
>  
> Unfortunately I can’t remember why I whitelisted it :( It belongs to an ESP. 
> If they are sending stuff that can’t pass SD’s filters, it doesn’t belong in 
> anybody’s mailbox. But obviously I needed to whitelist it for some reason at 
> some point. I will have to have a think about this.
>  
> But this situation inspires me to ask you to consider adding something to the 
> wishlist:
>  
> When a message is allowed to pass as a result of being whitelisted, could 
> there be an option to change the logging so that instead of just ALLOWED it 
> shows ALLOWED_WL_[type] or maybe WHITELIST_[type] or something along those 
> lines?
>  
>  
>  
> If you can login to ms2 at the command line, you could also try running 
> spamdyke by hand so you can see more verbose output without flooding your 
> logs.
>  



Re: [spamdyke-users] can't block envelope sender

2016-07-22 Thread Faris Raouf via spamdyke-users
Hi Sam,

I just had a chance to have a go with the tests, and just as you expected it
was down to the rDNS of the sender being whitelisted. 

I don't know how many times I'd checked, and missed seeing it :)

Unfortunately I can't remember why I whitelisted it :( It belongs to an ESP.
If they are sending stuff that can't pass SD's filters, it doesn't belong in
anybody's mailbox. But obviously I needed to whitelist it for some reason at
some point. I will have to have a think about this.

But this situation inspires me to ask you to consider adding something to
the wishlist:

When a message is allowed to pass as a result of being whitelisted, could
there be an option to change the logging so that instead of just ALLOWED it
shows ALLOWED_WL_[type] or maybe WHITELIST_[type] or something along those
lines?

If you can login to ms2 at the command line, you could also try running
spamdyke by hand so you can see more verbose output without flooding your
logs.



Re: [spamdyke-users] can't block envelope sender

2016-07-21 Thread Faris Raouf via spamdyke-users
Thanks Sam. That's brilliant and hugely helpful.

I'll try to do this this evening, and failing that over the weekend.

I will also check the whitelists again in case I missed something.

Yes, ms2 is the edge server and that's where the sender is blacklisted,
although I've just added it to the ip147 one as well for good measure :)

From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf
Of Sam Clippinger via spamdyke-users
Sent: 21 July 2016 14:14
To: spamdyke users <spamdyke-users@spamdyke.org>
Subject: Re: [spamdyke-users] can't block envelope sender

From what I can see, spamdyke should be blocking those messages.  This could
be a bug, but first I'd suggest carefully checking your whitelists.  In
almost every case I've seen like this where a blacklist simply will not
work, it turns out to be a whitelist entry that's overriding it.  You
mentioned your email flows through several different servers before it
reaches the user's mailbox... from the message headers, it looks like ms2 is
your edge server, is that where the blacklist entry is set?

If you can login to ms2 at the command line, you could also try running
spamdyke by hand so you can see more verbose output without flooding your
logs.  You don't need to stop your mail server for this; it won't interfere
with any normal operations.  First, set an environment variable so spamdyke
will think it's getting a connection from a remote server:

  export TCPREMOTEIP=94.143.105.188

Next create a very small spamdyke config file (can be anywhere, doesn't have
to be in /etc) with two options:

  log-target=stderr

  log-level=excessive

Then find the command line spamdyke is started with (in your "run" file) and
run it the same way, but add another "-f" for the new config file AFTER your
real config file.  (If you're curious why, it's because config options are
applied in the order they are read.  We want to override those two options
for this run, so they need to be read last.)  For example, on my server I
would run this:

  spamdyke -f /etc/spamdyke.d/spamdyke.conf -f /tmp/testing.conf --
/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true

You should see the SMTP greeting banner just like a mail client does
(possibly delayed a few seconds by spamdyke) plus debug messages that would
normally go in the logs.  Type in these SMTP commands to imitate a client
and test the blacklist:

  EHLO cloudtengroup1.mta.dotmailer.com

  MAIL FROM:<bo-3ueb-2dqy-yto27-c0...@tooplemail.com>

  RCPT TO:<redac...@redacted.tld>

At that point, you should see either a 250 response if the message is
accepted or a 500 response if it is blocked, plus tons of debugging output
from spamdyke to show what it's thinking.  You can type QUIT or ctrl-C to
exit.

Hopefully that'll show what's happening.  If you can't spot the issue or
have trouble deciphering the output, feel free to email it to me privately
and I'll take a look.



Re: [spamdyke-users] can't block envelope sender

2016-07-21 Thread Sam Clippinger via spamdyke-users
From what I can see, spamdyke should be blocking those messages.  This could be 
a bug, but first I'd suggest carefully checking your whitelists.  In almost 
every case I've seen like this where a blacklist simply will not work, it turns 
out to be a whitelist entry that's overriding it.  You mentioned your email 
flows through several different servers before it reaches the user's mailbox... 
from the message headers, it looks like ms2 is your edge server, is that where 
the blacklist entry is set?

If you can login to ms2 at the command line, you could also try running 
spamdyke by hand so you can see more verbose output without flooding your logs. 
 You don't need to stop your mail server for this; it won't interfere with any 
normal operations.  First, set an environment variable so spamdyke will think 
it's getting a connection from a remote server:
  export TCPREMOTEIP=94.143.105.188
Next create a very small spamdyke config file (can be anywhere, doesn't have to 
be in /etc) with two options:
  log-target=stderr
  log-level=excessive
Then find the command line spamdyke is started with (in your "run" file) and 
run it the same way, but add another "-f" for the new config file AFTER your 
real config file.  (If you're curious why, it's because config options are 
applied in the order they are read.  We want to override those two options for 
this run, so they need to be read last.)  For example, on my server I would run 
this:
  spamdyke -f /etc/spamdyke.d/spamdyke.conf -f /tmp/testing.conf --
/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
You should see the SMTP greeting banner just like a mail client does (possibly 
delayed a few seconds by spamdyke) plus debug messages that would normally go 
in the logs.  Type in these SMTP commands to imitate a client and test the 
blacklist:
  EHLO cloudtengroup1.mta.dotmailer.com
  MAIL FROM:<bo-3ueb-2dqy-yto27-c0...@tooplemail.com>
  RCPT TO:<redac...@redacted.tld>
At that point, you should see either a 250 response if the message is accepted 
or a 500 response if it is blocked, plus tons of debugging output from spamdyke 
to show what it's thinking.  You can type QUIT or ctrl-C to exit.

Hopefully that'll show what's happening.  If you can't spot the issue or have 
trouble deciphering the output, feel free to email it to me privately and I'll 
take a look.

-- Sam Clippinger




On Jul 21, 2016, at 6:39 AM, Faris Raouf via spamdyke-users wrote:

> Dear all,
> 
> I'm having a bit of an issue trying to block messages based on the envelope
> sender. Basically it doesn't seem to work at all, so I'm obviously doing
> something wrong.
> 
> All the other types of blacklists and whitelists seem to work just fine.
> 
> I understand the difference between the "From" and the envelope sender, and
> that TLS can be an issue.
> 
> But as far as I'm aware it is the envelope sender that I'm targeting, and in
> this case my qmail installation doesn't support TLS so spamdyke is set to
> handle the TLS and should be able to read the contents of the message.
> 
> I'm using SpamDyke 5.01
> 
> Please could someone kindly take a quick look at my log/config/header of an
> example email, to see what I'm doing wrong?
> 
> In the example below, the envelope sender I'm trying to block has
> (some-reference-or-other)@tooplemail.com as the envelope sender so I'm using
> @tooplemail.com in my blacklist_sender file.
> 
> 
> ***
> 
> Maillog extract:
> 
> Jul 21 10:32:55 ms2 spamd[30006]: spamd: checking message <2dqy.87yto274c.20160721093145...@tooplemail.com> for qscand:500
> 
> Jul 21 10:32:57 ms2 spamd[30006]: spamd: result: Y 4 - BAYES_00,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREE_QUOTE_INSTANT,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS scantime=1.9,size=55241,user=qscand,uid=500,required_score=3.0,rhost=localhost,raddr=127.0.0.1,rport=53794,mid=<2DQY.87YTO274C.20160721093145243@tooplemail.com>,bayes=0.00,autolearn=no
> 
> Jul 21 10:32:57 ms2 qmail-scanner-queue.pl: qmail-scanner[25272]:
> Clear:RC:0(94.143.105.188):SA:1(4.3/3.0): 2.092064 55184
> bo-3ueb-2dqy-yto27-c0...@tooplemail.com redac...@redacted.tld
> Why_is_Toople.com_different_to_the_rest?
> <2dqy.87yto274c.20160721093145...@tooplemail.com>
> 1469093575.25274-0.ms2.redac...@redacted.tld:3611
> orig-ms2.redacted.tld146909357479725272:55184
> 1469093575.25274-1.ms2.redacted.tld:46150
> 
> Jul 21 10:32:57 ms2 spamdyke[25257]: ALLOWED from: bo-3ueb-2dqy-yto27-c0...@tooplemail.com to: redac...@redacted.tld origin_ip: 94.143.105.188 origin_rdns: cloudtengroup1.mta.dotmailer.com auth: (unknown) encryption: TLS reason: 250_ok_1469093577_qp_25272
> 
> **
> 
> 
> **
> Spamdyke config file:
> 
> log-level=verbose
> idle-timeout-secs=60
> greeting-delay-secs=11
> 

[spamdyke-users] can't block envelope sender

2016-07-21 Thread Faris Raouf via spamdyke-users
Dear all,

I'm having a bit of an issue trying to block messages based on the envelope
sender. Basically it doesn't seem to work at all, so I'm obviously doing
something wrong.

All the other types of blacklists and whitelists seem to work just fine.

I understand the difference between the "From" and the envelope sender, and
that TLS can be an issue.

But as far as I'm aware it is the envelope sender that I'm targeting, and in
this case my qmail installation doesn't support TLS so spamdyke is set to
handle the TLS and should be able to read the contents of the message.

I'm using SpamDyke 5.01

Please could someone kindly take a quick look at my log/config/header of an
example email, to see what I'm doing wrong?

In the example below, the envelope sender I'm trying to block has
(some-reference-or-other)@tooplemail.com as the envelope sender so I'm using
@tooplemail.com in my blacklist_sender file.


***

Maillog extract:

Jul 21 10:32:55 ms2 spamd[30006]: spamd: checking message <2dqy.87yto274c.20160721093145...@tooplemail.com> for qscand:500

Jul 21 10:32:57 ms2 spamd[30006]: spamd: result: Y 4 - BAYES_00,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREE_QUOTE_INSTANT,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS scantime=1.9,size=55241,user=qscand,uid=500,required_score=3.0,rhost=localhost,raddr=127.0.0.1,rport=53794,mid=<2DQY.87YTO274C.20160721093145243@tooplemail.com>,bayes=0.00,autolearn=no

Jul 21 10:32:57 ms2 qmail-scanner-queue.pl: qmail-scanner[25272]:
Clear:RC:0(94.143.105.188):SA:1(4.3/3.0): 2.092064 55184
bo-3ueb-2dqy-yto27-c0...@tooplemail.com redac...@redacted.tld
Why_is_Toople.com_different_to_the_rest?
<2dqy.87yto274c.20160721093145...@tooplemail.com>
1469093575.25274-0.ms2.redac...@redacted.tld:3611
orig-ms2.redacted.tld146909357479725272:55184
1469093575.25274-1.ms2.redacted.tld:46150

Jul 21 10:32:57 ms2 spamdyke[25257]: ALLOWED from: bo-3ueb-2dqy-yto27-c0...@tooplemail.com to: redac...@redacted.tld origin_ip: 94.143.105.188 origin_rdns: cloudtengroup1.mta.dotmailer.com auth: (unknown) encryption: TLS reason: 250_ok_1469093577_qp_25272

**


**
Spamdyke config file:

log-level=verbose
idle-timeout-secs=60
greeting-delay-secs=11
policy-url=http://www.redacted.tld/email.html

graylist-dir=/var/qmail/graylist
graylist-level=none
graylist-min-secs=300
graylist-max-secs=1814400

ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient

ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
sender-whitelist-file=/etc/spamdyke.d/whitelist_sender

tls-certificate-file=/ssl/c1org1516.pem
tls-level=smtp-no-passthrough

#(Blacklists redacted)

reject-empty-rdns

**



**

/etc/spamdyke.d/blacklist_sender contains:

@tooplemail.com

**



**
EXAMPLE EMAIL HEADER
(Slightly complicated because it goes through two qmail-scanner/spamdyke
servers, ms2.redacted.tld and 147.redacted.tld, each with different
spamassassin configs (hence the odd subject modification!), to get to the
mailbox)


Received: (qmail 25508 invoked by uid 2523); 21 Jul 2016 10:33:11 +0100
X-Qmail-Scanner-Diagnostics: from ms2.redacted.tld by ip147.redacted.tld
(envelope-from , uid 2020) with
qmail-scanner-2.10st 
 (clamdscan: 0.99.2/21940. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st.

 Clear:RC:0(178.62.199.136):SA:1(3.6/3.0):. 
 Processed in 2.510301 secs); 21 Jul 2016 09:33:11 -
X-Spam-Status: Yes, hits=3.6 required=3.0
X-Spam-Level: +++
Received: from ms2.redacted.tld (redacted)
  by ip147.redacted.tld with SMTP; 21 Jul 2016 10:33:08 +0100
Received: (qmail 25293 invoked by uid 500); 21 Jul 2016 09:32:57 -
X-Qmail-Scanner-Diagnostics: from cloudtengroup1.mta.dotmailer.com by
ms2.redacted.tld (envelope-from ,
uid 496) with qmail-scanner-2.10st 
 (clamdscan: 0.99.2/21940. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st.

 Clear:RC:0(94.143.105.188):SA:1(4.3/3.0):. 
 Processed in 2.094403 secs); 21 Jul 2016 09:32:57 -
X-Qmail-Scanner-MOVED-X-Spam-Status: Yes, hits=4.3 required=3.0
X-Qmail-Scanner-MOVED-X-Spam-Level: 
Received: from cloudtengroup1.mta.dotmailer.com (94.143.105.188)
  by ms2.redacted.tld with SMTP; 21 Jul 2016 09:32:54 -
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim1024;
d=tooplemail.com;
 
h=From:To:Subject:MIME-Version:Content-Type:Date:List-Unsubscribe:Reply-To:M
essage-ID; i=daniel.clem...@tooplemail.com;
 bh=l80qAnWoe07RouX288jDc7eGwnI=;
 
b=eKFZ6Hdnf2Y6CSyjmyGiZVhZ0sLTRBhdvTW6lTPSBXcSi4sN1cOahISl7yHYH+6e3C5BVWZhZR
Ac