Re: [spamdyke-users] Blocking "Reply-To:" addresses
Sam, thank you very much for your answer. It is as you describe ... header without the "From"

E.g.:

Oct 4 01:08:44 ns spamdyke[15166]: ALLOWED from: (unknown) to: i...@dominio.cl origin_ip: 157.55.234.249 origin_rdns: mail-db3hn0249.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 250_ok_1443931724_qp_15172

Original Header:

Return-Path: <>
Delivered-To: i...@dominio.cl
Received: (qmail 15172 invoked by uid 89); 4 Oct 2015 04:08:44 -
Received: from unknown (HELO emea01-db3-obe.outbound.protection.outlook.com) (157.55.234.249) by ns.dominio.cl with SMTP; 4 Oct 2015 04:08:44 -
Received-SPF: pass (ns.dominio.cl: SPF record at spf.protection.outlook.com designates 157.55.234.249 as permitted sender)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
Received: from [104.243.24.168] (104.243.24.168) by VI1PR09MB0430.eurprd09.prod.outlook.com (10.162.9.146) with Microsoft SMTP Server (TLS) id 15.1.286.20; Sun, 4 Oct 2015 04:10:37 +
Content-Type: multipart/alternative; boundary="===1143449470=="
MIME-Version: 1.0
Subject: E-Mail Update
To: Recipients
From: Administrator
Date: Sun, 4 Oct 2015 00:10:15 -0700
Reply-To:
X-Originating-IP: [104.243.24.168]
X-ClientProxiedBy: CY1PR13CA0087.namprd13.prod.outlook.com (25.164.65.13) To VI1PR09MB0430.eurprd09.prod.outlook.com (25.162.9.146)
Return-Path: <>
Message-ID: < vi1pr09mb04304bf51c82487363476aa8b8...@vi1pr09mb0430.eurprd09.prod.outlook.com >
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR09MB0430;
X-Microsoft-Antispam-PRVS: < vi1pr09mb0430c644faa522cf5807ccabb8...@vi1pr09mb0430.eurprd09.prod.outlook.com >
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001);SRVR:VI1PR09MB0430;BCL:0;PCL:0;RULEID:;SRVR:VI1PR09MB0430;
X-Forefront-PRVS: 0719EC6A9A
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10019020)(6049001)(500562017);DIR:OUT;SFP:1501;SCL:9;SRVR:VI1PR09MB0430;H:[104.243.24.168];FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;
Received-SPF: None (protection.outlook.com: [104.243.24.168] does not designate permitted sender hosts)
SpamDiagnosticOutput: 1:22
SpamDiagnosticMetadata: %2D%2D%2D%2D
X-OriginatorOrg: contactun.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Oct 2015 04:10:37.6998 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR09MB0430

*--===1143449470==*
*Content-Type: text/plain; charset="iso-8859-1"*
*MIME-Version: 1.0*
*Content-Transfer-Encoding: quoted-printable*
*Content-Description: Mail message body*

E-Mail Update = 20GB = 23GB Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, A= nd You Will Not Be Able To Receive New Mails Until You Re-Validate It. To R= e-Validate click = = =20

---

Can you filter it with maildrop? Is there some howto to read?

Best regards,
Paul

2015-10-11 19:45 GMT-03:00 Sam Clippinger via spamdyke-users <spamdyke-users@spamdyke.org>:
> I'm not sure I understand your question. If you want to block messages
> without a "From"
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Sam, On 2015-10-12 09:45, Sam Clippinger via spamdyke-users wrote: I'm not sure I understand your question. If you want to block messages without a "From" line in their header, spamdyke can't do that. You may be able to use a secondary filter like maildrop to delete the message after it is accepted however. The original problem was that the "From:" header might have something that was believable but the "Reply-to:" header was always dodgy - (re)learning about the difference between the SMTP envelope and mail header stuff clarified things in my own head and finding out about how the header-blacklist-file works essentially solved all of my problems relating to this thread. What I have now blocks anyone I don't like in either the "From:" or "Reply-to:" fields - so I am happy! After a decent amount of time I will post updated stats so we can see how much more spam is being stopped over the basic setup - it won't be much but it will be interesting . . Regards, Phil. -- Sam Clippinger On Oct 9, 2015, at 10:17 AM, Linux via spamdyke-userswrote: sorry to hang me for this post, but I would consult them taking advantage of the conversation can be locked via e-mail comes without sender? I'm getting a lot of spam that has this pattern. Best regards, Paul 2015-10-03 1:05 GMT-03:00 Philip Rhoades via spamdyke-users : Sam, On 2015-10-02 23:47, Sam Clippinger via spamdyke-users wrote: I guess so, but remember the wildcarding uses globbing, not regexes. What I mean is: using "?*" is equivalent to just "*". Right. Also, the line has to contain at least one colon or spamdyke won't use it (message headers always use a colon to separate the field name from the value). Yep. Why not just use multiple entries in the file? If either one matches, the message will be blocked and it'd be easier to understand: From: *@skysoft.com [1] [1] Reply-To: *@skysoft.com [1] [1] Doubling the number of lines offends my sensibilities . . 
this works: [FR][re][op][ml]*:*iskysoft.com [2]* Also, sorting this issue out forced me to sort out the rDNS problem for my main web server - so thanks for that too! Regards, Phil. -- Sam Clippinger On Oct 2, 2015, at 4:34 AM, Philip Rhoades via spamdyke-users wrote: On 2015-10-02 15:42, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-26 01:12, Sam Clippinger via spamdyke-users wrote: The header blacklist file has a different format from the sender blacklist file, so just copying entries from one to the other won't work. You need to provide a pattern that matches the line(s) in the message header -- in your mail client, you should have an option to "view message source" or "view raw headers" that will show you what it looks like. In this specific case, you probably want this: Reply-To: *@skysoft.com [1] [1] [3]* The format is case insensitive and uses globbing for wildcards, so * will match multiple characters and [] will match a set or range of characters, just like the bash command prompt. The filter will ignore any lines in the file that don't contain a colon. Full details here: http://www.spamdyke.org/documentation/README.html#HEADERS [3] [2] [4] So if I wanted to block the same address for both From: and Reply-To: I could use: [fr][re][op][ml].*@skysoft.com [1] [1] [fr][re][op][ml]?*@skysoft.com [1] [1] so "*" doesn't repeat only "[ml]" ? ? Thanks, Phil. For testing, you certainly can use telnet -- I do it all the time. Just make sure the host you telnet from isn't blocked or whitelisted for some other reason (most folks whitelist localhost, for example). -- Sam Clippinger On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote: Actually, no. The sender-blacklist-* and recipient-blacklist-* filters operate on different data from the header-blacklist-* filters. 
The reason is because the sender and recipient addresses are given during the SMTP protocol and aren't part of the message itself -- the addresses you see in your mail client are the From and To entries from the message header. The first paragraph here explains in a little more detail: http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS [4] [3] [1] [1] Yes, sorry, I should have realised that . . Put another way, the sender address doesn't have to match the "From" address visible in the mail client -- well-behaved mail clients make them the same, but that's a courtesy and not a requirement. The Reply-To address is part of the message header and, again, is only a convention used by well-behaved clients. If you've ever been Bcc'd on a message, you've seen this in action -- the sender's mail client gave your address as a recipient but didn't put your address on the "To" line in the message header. Right, so, some follow up questions: I moved the following from the sender-blacklist to the
Re: [spamdyke-users] Blocking "Reply-To:" addresses
I guess so, but remember the wildcarding uses globbing, not regexes. What I mean is: using "?*" is equivalent to just "*". Also, the line has to contain at least one colon or spamdyke won't use it (message headers always use a colon to separate the field name from the value). Why not just use multiple entries in the file? If either one matches, the message will be blocked and it'd be easier to understand: From: *@skysoft.com Reply-To: *@skysoft.com -- Sam Clippinger On Oct 2, 2015, at 4:34 AM, Philip Rhoades via spamdyke-userswrote: > On 2015-10-02 15:42, Philip Rhoades via spamdyke-users wrote: >> Sam, >> On 2015-09-26 01:12, Sam Clippinger via spamdyke-users wrote: >>> The header blacklist file has a different format from the sender >>> blacklist file, so just copying entries from one to the other won't >>> work. You need to provide a pattern that matches the line(s) in the >>> message header -- in your mail client, you should have an option to >>> "view message source" or "view raw headers" that will show you what it >>> looks like. In this specific case, you probably want this: >>> Reply-To: *@skysoft.com [3]* >>> The format is case insensitive and uses globbing for wildcards, so * >>> will match multiple characters and [] will match a set or range of >>> characters, just like the bash command prompt. The filter will ignore >>> any lines in the file that don't contain a colon. Full details here: >>> http://www.spamdyke.org/documentation/README.html#HEADERS [4] >> So if I wanted to block the same address for both From: and Reply-To: >> I could use: >> [fr][re][op][ml].*@skysoft.com > > > [fr][re][op][ml]?*@skysoft.com > > so "*" doesn't repeat only "[ml]" ? > > >> ? >> Thanks, >> Phil. >>> For testing, you certainly can use telnet -- I do it all the time. >>> Just make sure the host you telnet from isn't blocked or whitelisted >>> for some other reason (most folks whitelist localhost, for example). 
>>> -- Sam Clippinger >>> On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-users >>> wrote: Sam, On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote: > Actually, no. The sender-blacklist-* and recipient-blacklist-* > filters > operate on different data from the header-blacklist-* filters. The > reason is because the sender and recipient addresses are given > during > the SMTP protocol and aren't part of the message itself -- the > addresses you see in your mail client are the From and To entries > from > the message header. The first paragraph here explains in a little > more > detail: http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS > [1] > [1] Yes, sorry, I should have realised that . . > Put another way, the sender address doesn't have to match the > "From" > address visible in the mail client -- well-behaved mail clients > make > them the same, but that's a courtesy and not a requirement. The > Reply-To address is part of the message header and, again, is only > a > convention used by well-behaved clients. If you've ever been Bcc'd > on > a message, you've seen this in action -- the sender's mail client > gave > your address as a recipient but didn't put your address on the > "To" > line in the message header. Right, so, some follow up questions: I moved the following from the sender-blacklist to the header-blacklist: @iskysoft.com [2] - first in the conf file then later into a separate header-blacklist-file with all the massaged addresses from my old setup - but the sender above still seems to be getting through. I thought the "@" was supposed to act like a wild card? Am I still doing something wrong? When I add addresses etc to blacklists etc, is there any way of doing a test myself to see that the block is working? Using a telnet to port 25 on my qmail server and manually pasting header lines is not a real test is it? Thanks, Phil. 
-- Sam Clippinger On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote: I'm not entirely sure I understand your question... if the Reply-To address is always the same, you should be able to block it using the header blacklist filter. Ah . . OK - I will try that but doesn't that mean that: sender-blacklist-entry is redundant - ie: header-blacklist-entry should cover everything? Thanks, Phil. If you're wanting to compare the Reply-To address to the From address or the sender address, spamdyke doesn't have that ability. -- Sam Clippinger On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users
Re: [spamdyke-users] Blocking "Reply-To:" addresses
On 2015-10-02 15:42, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-26 01:12, Sam Clippinger via spamdyke-users wrote: The header blacklist file has a different format from the sender blacklist file, so just copying entries from one to the other won't work. You need to provide a pattern that matches the line(s) in the message header -- in your mail client, you should have an option to "view message source" or "view raw headers" that will show you what it looks like. In this specific case, you probably want this: Reply-To: *@skysoft.com [3]* The format is case insensitive and uses globbing for wildcards, so * will match multiple characters and [] will match a set or range of characters, just like the bash command prompt. The filter will ignore any lines in the file that don't contain a colon. Full details here: http://www.spamdyke.org/documentation/README.html#HEADERS [4] So if I wanted to block the same address for both From: and Reply-To: I could use: [fr][re][op][ml].*@skysoft.com [fr][re][op][ml]?*@skysoft.com so "*" doesn't repeat only "[ml]" ? ? Thanks, Phil. For testing, you certainly can use telnet -- I do it all the time. Just make sure the host you telnet from isn't blocked or whitelisted for some other reason (most folks whitelist localhost, for example). -- Sam Clippinger On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-userswrote: Sam, On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote: Actually, no. The sender-blacklist-* and recipient-blacklist-* filters operate on different data from the header-blacklist-* filters. The reason is because the sender and recipient addresses are given during the SMTP protocol and aren't part of the message itself -- the addresses you see in your mail client are the From and To entries from the message header. The first paragraph here explains in a little more detail: http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS [1] [1] Yes, sorry, I should have realised that . . 
Put another way, the sender address doesn't have to match the "From" address visible in the mail client -- well-behaved mail clients make them the same, but that's a courtesy and not a requirement. The Reply-To address is part of the message header and, again, is only a convention used by well-behaved clients. If you've ever been Bcc'd on a message, you've seen this in action -- the sender's mail client gave your address as a recipient but didn't put your address on the "To" line in the message header. Right, so, some follow up questions: I moved the following from the sender-blacklist to the header-blacklist: @iskysoft.com [2] - first in the conf file then later into a separate header-blacklist-file with all the massaged addresses from my old setup - but the sender above still seems to be getting through. I thought the "@" was supposed to act like a wild card? Am I still doing something wrong? When I add addresses etc to blacklists etc, is there any way of doing a test myself to see that the block is working? Using a telnet to port 25 on my qmail server and manually pasting header lines is not a real test is it? Thanks, Phil. -- Sam Clippinger On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote: I'm not entirely sure I understand your question... if the Reply-To address is always the same, you should be able to block it using the header blacklist filter. Ah . . OK - I will try that but doesn't that mean that: sender-blacklist-entry is redundant - ie: header-blacklist-entry should cover everything? Thanks, Phil. If you're wanting to compare the Reply-To address to the From address or the sender address, spamdyke doesn't have that ability. 
-- Sam Clippinger On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users wrote: People, One variety of spam that is successfully delivered to me has a different "From:" addresses but the same "Reply-To:" address - I can't see a way of blocking these mails in the conf file via the "Reply-To:" address - is it possible? Thanks, Phil. -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users Links: -- [1] http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Sam, On 2015-10-02 23:47, Sam Clippinger via spamdyke-users wrote: I guess so, but remember the wildcarding uses globbing, not regexes. What I mean is: using "?*" is equivalent to just "*". Right. Also, the line has to contain at least one colon or spamdyke won't use it (message headers always use a colon to separate the field name from the value). Yep. Why not just use multiple entries in the file? If either one matches, the message will be blocked and it'd be easier to understand: From: *@skysoft.com [1] Reply-To: *@skysoft.com [1] Doubling the number of lines offends my sensibilities . . this works: [FR][re][op][ml]*:*iskysoft.com* Also, sorting this issue out forced me to sort out the rDNS problem for my main web server - so thanks for that too! Regards, Phil. -- Sam Clippinger On Oct 2, 2015, at 4:34 AM, Philip Rhoades via spamdyke-userswrote: On 2015-10-02 15:42, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-26 01:12, Sam Clippinger via spamdyke-users wrote: The header blacklist file has a different format from the sender blacklist file, so just copying entries from one to the other won't work. You need to provide a pattern that matches the line(s) in the message header -- in your mail client, you should have an option to "view message source" or "view raw headers" that will show you what it looks like. In this specific case, you probably want this: Reply-To: *@skysoft.com [1] [3]* The format is case insensitive and uses globbing for wildcards, so * will match multiple characters and [] will match a set or range of characters, just like the bash command prompt. The filter will ignore any lines in the file that don't contain a colon. Full details here: http://www.spamdyke.org/documentation/README.html#HEADERS [2] [4] So if I wanted to block the same address for both From: and Reply-To: I could use: [fr][re][op][ml].*@skysoft.com [1] [fr][re][op][ml]?*@skysoft.com [1] so "*" doesn't repeat only "[ml]" ? ? Thanks, Phil. 
For testing, you certainly can use telnet -- I do it all the time. Just make sure the host you telnet from isn't blocked or whitelisted for some other reason (most folks whitelist localhost, for example). -- Sam Clippinger On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote: Actually, no. The sender-blacklist-* and recipient-blacklist-* filters operate on different data from the header-blacklist-* filters. The reason is because the sender and recipient addresses are given during the SMTP protocol and aren't part of the message itself -- the addresses you see in your mail client are the From and To entries from the message header. The first paragraph here explains in a little more detail: http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS [3] [1] [1] Yes, sorry, I should have realised that . . Put another way, the sender address doesn't have to match the "From" address visible in the mail client -- well-behaved mail clients make them the same, but that's a courtesy and not a requirement. The Reply-To address is part of the message header and, again, is only a convention used by well-behaved clients. If you've ever been Bcc'd on a message, you've seen this in action -- the sender's mail client gave your address as a recipient but didn't put your address on the "To" line in the message header. Right, so, some follow up questions: I moved the following from the sender-blacklist to the header-blacklist: @iskysoft.com [2] - first in the conf file then later into a separate header-blacklist-file with all the massaged addresses from my old setup - but the sender above still seems to be getting through. I thought the "@" was supposed to act like a wild card? Am I still doing something wrong? When I add addresses etc to blacklists etc, is there any way of doing a test myself to see that the block is working? 
Using a telnet to port 25 on my qmail server and manually pasting header lines is not a real test is it? Thanks, Phil. -- Sam Clippinger On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote: I'm not entirely sure I understand your question... if the Reply-To address is always the same, you should be able to block it using the header blacklist filter. Ah . . OK - I will try that but doesn't that mean that: sender-blacklist-entry is redundant - ie: header-blacklist-entry should cover everything? Thanks, Phil. If you're wanting to compare the Reply-To address to the From address or the sender address, spamdyke doesn't have that ability. -- Sam Clippinger On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users wrote: People, One variety of spam that is successfully delivered to me has a different "From:" addresses but the same "Reply-To:"
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Sam, On 2015-09-26 01:12, Sam Clippinger via spamdyke-users wrote: The header blacklist file has a different format from the sender blacklist file, so just copying entries from one to the other won't work. You need to provide a pattern that matches the line(s) in the message header -- in your mail client, you should have an option to "view message source" or "view raw headers" that will show you what it looks like. In this specific case, you probably want this: Reply-To: *@skysoft.com [3]* The format is case insensitive and uses globbing for wildcards, so * will match multiple characters and [] will match a set or range of characters, just like the bash command prompt. The filter will ignore any lines in the file that don't contain a colon. Full details here: http://www.spamdyke.org/documentation/README.html#HEADERS [4] So if I wanted to block the same address for both From: and Reply-To: I could use: [fr][re][op][ml].*@skysoft.com ? Thanks, Phil. For testing, you certainly can use telnet -- I do it all the time. Just make sure the host you telnet from isn't blocked or whitelisted for some other reason (most folks whitelist localhost, for example). -- Sam Clippinger On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-userswrote: Sam, On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote: Actually, no. The sender-blacklist-* and recipient-blacklist-* filters operate on different data from the header-blacklist-* filters. The reason is because the sender and recipient addresses are given during the SMTP protocol and aren't part of the message itself -- the addresses you see in your mail client are the From and To entries from the message header. The first paragraph here explains in a little more detail: http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS [1] [1] Yes, sorry, I should have realised that . . 
Put another way, the sender address doesn't have to match the "From" address visible in the mail client -- well-behaved mail clients make them the same, but that's a courtesy and not a requirement. The Reply-To address is part of the message header and, again, is only a convention used by well-behaved clients. If you've ever been Bcc'd on a message, you've seen this in action -- the sender's mail client gave your address as a recipient but didn't put your address on the "To" line in the message header. Right, so, some follow up questions: I moved the following from the sender-blacklist to the header-blacklist: @iskysoft.com [2] - first in the conf file then later into a separate header-blacklist-file with all the massaged addresses from my old setup - but the sender above still seems to be getting through. I thought the "@" was supposed to act like a wild card? Am I still doing something wrong? When I add addresses etc to blacklists etc, is there any way of doing a test myself to see that the block is working? Using a telnet to port 25 on my qmail server and manually pasting header lines is not a real test is it? Thanks, Phil. -- Sam Clippinger On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users wrote: Sam, On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote: I'm not entirely sure I understand your question... if the Reply-To address is always the same, you should be able to block it using the header blacklist filter. Ah . . OK - I will try that but doesn't that mean that: sender-blacklist-entry is redundant - ie: header-blacklist-entry should cover everything? Thanks, Phil. If you're wanting to compare the Reply-To address to the From address or the sender address, spamdyke doesn't have that ability. 
-- Sam Clippinger On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users wrote: People, One variety of spam that is successfully delivered to me has a different "From:" addresses but the same "Reply-To:" address - I can't see a way of blocking these mails in the conf file via the "Reply-To:" address - is it possible? Thanks, Phil. -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users Links: -- [1] http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users -- Philip Rhoades
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Martin,

On 2015-09-26 22:10, Martin H. Sluka via spamdyke-users wrote:
> Sam wrote:
>> For testing, you certainly can use telnet -- I do it all the time.
> Tip: You might want to have a look at Swaks (Swiss Army Knife for SMTP,
> http://www.jetmore.org/john/code/swaks/). I find it very convenient for
> testing and monitoring purposes, especially if you want to perform
> similar tests several times.

Thanks for the reminder! I had forgotten about swaks . .

Phil.
--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: p...@pricom.com.au
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Sam wrote:
> For testing, you certainly can use telnet -- I do it all the time.

Tip: You might want to have a look at Swaks (Swiss Army Knife for SMTP, http://www.jetmore.org/john/code/swaks/). I find it very convenient for testing and monitoring purposes, especially if you want to perform similar tests several times.

Regards
Martin
--
___ _ Martin H. Sluka \ mailto:mar...@sluka.de / ASCII ribbon ( ) Breite Straße 3 \ tel +49-700-19751024 / campaign - against X D-90552 Röthenbach \-- http://unf.ug ---/ HTML email & vcards / \
Re: [spamdyke-users] Blocking "Reply-To:" addresses
The header blacklist file has a different format from the sender blacklist file, so just copying entries from one to the other won't work. You need to provide a pattern that matches the line(s) in the message header -- in your mail client, you should have an option to "view message source" or "view raw headers" that will show you what it looks like. In this specific case, you probably want this:

    Reply-To: *@skysoft.com*

The format is case insensitive and uses globbing for wildcards, so * will match multiple characters and [] will match a set or range of characters, just like the bash command prompt. The filter will ignore any lines in the file that don't contain a colon. Full details here:
http://www.spamdyke.org/documentation/README.html#HEADERS

For testing, you certainly can use telnet -- I do it all the time. Just make sure the host you telnet from isn't blocked or whitelisted for some other reason (most folks whitelist localhost, for example).

-- Sam Clippinger

On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-users wrote:

> Sam,
>
> On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote:
>> Actually, no. The sender-blacklist-* and recipient-blacklist-* filters
>> operate on different data from the header-blacklist-* filters. The
>> reason is because the sender and recipient addresses are given during
>> the SMTP protocol and aren't part of the message itself -- the
>> addresses you see in your mail client are the From and To entries from
>> the message header. The first paragraph here explains in a little more
>> detail:
>> http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS
>> [1]
>
> Yes, sorry, I should have realised that . .
>
>> Put another way, the sender address doesn't have to match the "From"
>> address visible in the mail client -- well-behaved mail clients make
>> them the same, but that's a courtesy and not a requirement. The
>> Reply-To address is part of the message header and, again, is only a
>> convention used by well-behaved clients. If you've ever been Bcc'd on
>> a message, you've seen this in action -- the sender's mail client gave
>> your address as a recipient but didn't put your address on the "To"
>> line in the message header.
>
> Right, so, some follow up questions: I moved the following from the
> sender-blacklist to the header-blacklist:
>
> @iskysoft.com
>
> - first in the conf file then later into a separate header-blacklist-file
> with all the massaged addresses from my old setup - but the sender above
> still seems to be getting through. I thought the "@" was supposed to act
> like a wild card? Am I still doing something wrong?
>
> When I add addresses etc to blacklists etc, is there any way of doing a test
> myself to see that the block is working? Using a telnet to port 25 on my
> qmail server and manually pasting header lines is not a real test is it?
>
> Thanks,
>
> Phil.
>
>> -- Sam Clippinger
>> On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users
>> wrote:
>>> Sam,
>>> On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote:
>>>> I'm not entirely sure I understand your question... if the Reply-To
>>>> address is always the same, you should be able to block it using the
>>>> header blacklist filter.
>>> Ah . . OK - I will try that but doesn't that mean that:
>>> sender-blacklist-entry
>>> is redundant - ie:
>>> header-blacklist-entry
>>> should cover everything?
>>> Thanks,
>>> Phil.
>>>> If you're wanting to compare the Reply-To
>>>> address to the From address or the sender address, spamdyke doesn't
>>>> have that ability.
>>> -- Sam Clippinger
>>> On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users
>>> wrote:
>>> People,
>>> One variety of spam that is successfully delivered to me has a
>>> different "From:" addresses but the same "Reply-To:" address - I
>>> can't see a way of blocking these mails in the conf file via the
>>> "Reply-To:" address - is it possible?
>>> Thanks,
>>> Phil.
>>> --
>>> Philip Rhoades
>>> PO Box 896
>>> Cowra NSW 2794
>>> Australia
>>> E-mail: p...@pricom.com.au
>>> ___
>>> spamdyke-users mailing list
>>> spamdyke-users@spamdyke.org
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>> ___
>>> spamdyke-users mailing list
>>> spamdyke-users@spamdyke.org
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>> --
>> Philip Rhoades
>> PO Box 896
>> Cowra NSW 2794
>> Australia
>> E-mail: p...@pricom.com.au
>> ___
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>> Links:
>> --
>> [1] http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS
>>
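
The header blacklist rules described in the reply above (case-insensitive globbing, lines without a colon ignored), as an added example that is not part of the original thread and is not spamdyke's own code. The function names, the sample message and the choices to match the glob against the whole header line and to join folded header lines first are assumptions made for illustration.

```python
import fnmatch

# Constructed blacklist file. The first line is the bare entry quoted in the
# thread; it has no colon, so it is skipped.
BLACKLIST_FILE = """\
@iskysoft.com
reply-to: *@iskysoft.com*
"""

# Constructed message; only the domain comes from the thread.
MESSAGE = (
    "From: Offers <news@random-sender.example>\r\n"
    "To: phil@recipient.example\r\n"
    "Reply-To: Sales Team\r\n"
    "\t<sales@ISkySoft.com>\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "Reply-To: x@iskysoft.com appears here only as body text\r\n"
)

def load_header_patterns(text):
    """Keep lines that contain a colon; everything else is ignored."""
    return [line.strip() for line in text.splitlines() if ":" in line]

def unfold_headers(raw_message):
    """Return header lines up to the first blank line, joining folded lines (assumption)."""
    block = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = []
    for line in block.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def header_blacklist_hit(patterns, raw_message):
    """Return (pattern, header_line) for the first case-insensitive glob match, else None."""
    for header in unfold_headers(raw_message):
        for pattern in patterns:
            # Assumption: the glob must cover the whole header line.
            if fnmatch.fnmatchcase(header.lower(), pattern.lower()):
                return pattern, header
    return None

if __name__ == "__main__":
    print(header_blacklist_hit(load_header_patterns(BLACKLIST_FILE), MESSAGE))
```

A glob only matches the spelling it contains: the thread writes the domain two ways, and `Reply-To: *@skysoft.com*` does not match the constructed `@iskysoft.com` header used here.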
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Sam,

On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote:
> Actually, no. The sender-blacklist-* and recipient-blacklist-* filters
> operate on different data from the header-blacklist-* filters. The
> reason is because the sender and recipient addresses are given during
> the SMTP protocol and aren't part of the message itself -- the
> addresses you see in your mail client are the From and To entries from
> the message header. The first paragraph here explains in a little more
> detail:
> http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS
> [1]

Yes, sorry, I should have realised that . .

> Put another way, the sender address doesn't have to match the "From"
> address visible in the mail client -- well-behaved mail clients make
> them the same, but that's a courtesy and not a requirement. The
> Reply-To address is part of the message header and, again, is only a
> convention used by well-behaved clients. If you've ever been Bcc'd on
> a message, you've seen this in action -- the sender's mail client gave
> your address as a recipient but didn't put your address on the "To"
> line in the message header.

Right, so, some follow up questions: I moved the following from the sender-blacklist to the header-blacklist:

@iskysoft.com

- first in the conf file then later into a separate header-blacklist-file with all the massaged addresses from my old setup - but the sender above still seems to be getting through. I thought the "@" was supposed to act like a wild card? Am I still doing something wrong?

When I add addresses etc to blacklists etc, is there any way of doing a test myself to see that the block is working? Using a telnet to port 25 on my qmail server and manually pasting header lines is not a real test is it?

Thanks,

Phil.

> -- Sam Clippinger
> On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users
> wrote:
>> Sam,
>> On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote:
>>> I'm not entirely sure I understand your question... if the Reply-To
>>> address is always the same, you should be able to block it using the
>>> header blacklist filter.
>> Ah . . OK - I will try that but doesn't that mean that:
>> sender-blacklist-entry
>> is redundant - ie:
>> header-blacklist-entry
>> should cover everything?
>> Thanks,
>> Phil.
>>> If you're wanting to compare the Reply-To
>>> address to the From address or the sender address, spamdyke doesn't
>>> have that ability.
>> -- Sam Clippinger
>> On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users
>> wrote:
>> People,
>> One variety of spam that is successfully delivered to me has a
>> different "From:" addresses but the same "Reply-To:" address - I
>> can't see a way of blocking these mails in the conf file via the
>> "Reply-To:" address - is it possible?
>> Thanks,
>> Phil.
>> --
>> Philip Rhoades
>> PO Box 896
>> Cowra NSW 2794
>> Australia
>> E-mail: p...@pricom.com.au
>> ___
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>> ___
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> --
> Philip Rhoades
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
> ___
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> Links:
> --
> [1] http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: p...@pricom.com.au
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Actually, no. The sender-blacklist-* and recipient-blacklist-* filters operate on different data from the header-blacklist-* filters. The reason is because the sender and recipient addresses are given during the SMTP protocol and aren't part of the message itself -- the addresses you see in your mail client are the From and To entries from the message header. The first paragraph here explains in a little more detail:
http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS

Put another way, the sender address doesn't have to match the "From" address visible in the mail client -- well-behaved mail clients make them the same, but that's a courtesy and not a requirement. The Reply-To address is part of the message header and, again, is only a convention used by well-behaved clients. If you've ever been Bcc'd on a message, you've seen this in action -- the sender's mail client gave your address as a recipient but didn't put your address on the "To" line in the message header.

-- Sam Clippinger

On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users wrote:

> Sam,
>
> On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote:
>> I'm not entirely sure I understand your question... if the Reply-To
>> address is always the same, you should be able to block it using the
>> header blacklist filter.
>
> Ah . . OK - I will try that but doesn't that mean that:
>
> sender-blacklist-entry
>
> is redundant - ie:
>
> header-blacklist-entry
>
> should cover everything?
>
> Thanks,
>
> Phil.
>
>> If you're wanting to compare the Reply-To
>> address to the From address or the sender address, spamdyke doesn't
>> have that ability.
>
>> -- Sam Clippinger
>> On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users
>> wrote:
>>> People,
>>> One variety of spam that is successfully delivered to me has a
>>> different "From:" addresses but the same "Reply-To:" address - I
>>> can't see a way of blocking these mails in the conf file via the
>>> "Reply-To:" address - is it possible?
>>> Thanks,
>>> Phil.
>>> --
>>> Philip Rhoades
>>> PO Box 896
>>> Cowra NSW 2794
>>> Australia
>>> E-mail: p...@pricom.com.au
>>> ___
>>> spamdyke-users mailing list
>>> spamdyke-users@spamdyke.org
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>> ___
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
> ___
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
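
The envelope/header split described in the reply above, as an added example that is not part of the original thread and is not spamdyke's code: a constructed SMTP dialogue is separated into the envelope (MAIL FROM / RCPT TO) and the message header, so the sender, From and Reply-To addresses can be seen to disagree and a Bcc-style recipient shows up only in the envelope. All addresses and function names are made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed client side of an SMTP dialogue, not taken from the thread.
SESSION = """\
HELO mail.sender.example
MAIL FROM:<bounce-1234@bulk.example>
RCPT TO:<phil@recipient.example>
RCPT TO:<hidden@recipient.example>
DATA
From: "Offers" <news@brand.example>
To: phil@recipient.example
Reply-To: sales@other.example
Subject: hello

Body text.
.
QUIT
"""

def split_session(session):
    """Return (envelope_sender, envelope_recipients, message_text)."""
    sender, recipients, data, in_data = None, [], [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":                      # end of DATA
                in_data = False
            else:                                # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith("..") else line)
        elif line.upper().startswith("MAIL FROM:"):
            sender = line[10:].strip().strip("<>").lower()
        elif line.upper().startswith("RCPT TO:"):
            recipients.append(line[8:].strip().strip("<>").lower())
        elif line.upper() == "DATA":
            in_data = True
    return sender, recipients, "\n".join(data) + "\n"

def compare(session):
    """Show what a sender/recipient filter sees next to what a header filter sees."""
    sender, recipients, text = split_session(session)
    msg = message_from_string(text)

    def addrs(name):
        return [a.lower() for _, a in getaddresses(msg.get_all(name, []))]

    visible = addrs("To") + addrs("Cc")
    return {
        "envelope_sender": sender,               # given in the SMTP protocol
        "header_from": addrs("From"),            # shown by the mail client
        "reply_to": addrs("Reply-To"),           # header only
        "bcc_like": [r for r in recipients if r not in visible],
    }

if __name__ == "__main__":
    print(compare(SESSION))
```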
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Sam,

On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote:
> I'm not entirely sure I understand your question... if the Reply-To
> address is always the same, you should be able to block it using the
> header blacklist filter.

Ah . . OK - I will try that but doesn't that mean that:

sender-blacklist-entry

is redundant - ie:

header-blacklist-entry

should cover everything?

Thanks,

Phil.

> If you're wanting to compare the Reply-To
> address to the From address or the sender address, spamdyke doesn't
> have that ability.

> -- Sam Clippinger
> On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users
> wrote:
>> People,
>> One variety of spam that is successfully delivered to me has a
>> different "From:" addresses but the same "Reply-To:" address - I
>> can't see a way of blocking these mails in the conf file via the
>> "Reply-To:" address - is it possible?
>> Thanks,
>> Phil.
>> --
>> Philip Rhoades
>> PO Box 896
>> Cowra NSW 2794
>> Australia
>> E-mail: p...@pricom.com.au
>> ___
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> ___
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: p...@pricom.com.au
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Blocking "Reply-To:" addresses
I'm not entirely sure I understand your question... if the Reply-To address is always the same, you should be able to block it using the header blacklist filter. If you're wanting to compare the Reply-To address to the From address or the sender address, spamdyke doesn't have that ability.

-- Sam Clippinger

On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users wrote:

> People,
>
> One variety of spam that is successfully delivered to me has a different
> "From:" addresses but the same "Reply-To:" address - I can't see a way of
> blocking these mails in the conf file via the "Reply-To:" address - is it
> possible?
>
> Thanks,
>
> Phil.
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
> ___
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users