Re: [Declude.JunkMail] blocking spam faked as coming from local address

[Matthew Bramble]

Bill, Thanks for the link to the GNU stuff.  I might be asking for some help writing useful strings of pipes in the future :) I have noted from monitoring this for the last two days that the type of spam that forges the From address as being local has a high rate of passage through my server, albeit a very low overall volume (4 of 6 spams got through).  It's not that forging helps the spam, but instead it seems to be mostly of the type that is sparse in content and uses un-marked relays.  Adding a few points would help.  I'm still going to monitor for problems with valid forged senders before I assume this to be safe.  I will end up adding points to valid forged senders though that are my users and send E-mail to other local users using a different mail server than my own.  I think you might have overlooked this in your response because WHITELIST AUTH won't forgive these senders, and they have the possibility of showing up on some RBL's, though not likely anything that I score too high.  It's the non-customers that are valid and forging along with other issues that concerns me (mostly software notifications and at least one list from an automaker). I learned some important things from this discussion that I will make use of.  One of which is how my DYNAMIC filter can't just rely on WHITELIST AUTH for preventing false positives, and another is how I implement SPAMDOMAINS, likely using @ symbols so I don't pick up FP's from forwarded VERP stuff. Matt Bill Landry wrote: ----- Original Message ----- From: Matthew Bramble Let's keep in mind that the discussion has changed from the original topic of MAILFROM Forged to VERP > + Forged. Yep, my bad. Is that a fair enough presentation? Yes, very nice analysis! Based on this conversation I have modified my rules a bit (but probably not enough to meet your liking, however... ;-)) I have split up Forged and VERP rules in my global.cfg as follows (with a sample file entry after each): ===== VERP-FILTER filter M:\IMail\Declude\VERP-Filter.txt x 5 0 MAILFROM 0 CONTAINS hosted-domain.com ------- FORGED-DOMAINS spamdomains M:\IMail\Declude\ForgedDomains.txt x 5 0 @hosted-domain.com hosted-domain.com ===== This will allow me to track Forged versus VERP flagged messages separately, and provide additional weight to actual Forged addresses since they will fail both tests, whereas VERP addresses will only fail the VERP-Filter test. Here is my rational for using these test and why they should not be causing FP problems. Unless you are an open relay, you know what customer servers are relaying through your IMail server (http forms, mail, PDFs, whatever, it doesn't matter the content). So if you are not an open relay, then you must know the IP addresses of these other systems in order to permit them to relay through you, but not permit the rest of the world. So if that is the case, whitelist their IP addresses and then no worries about blocking their messages with either of these tests. If you have mobile/roving and remote users that relay through your IMail server, you must be supporting SMTP Auth (again to prevent being a open relay), and if you are using WHITELIST AUTH, then again, no worries, the messages will automatically be whitelisted, thus preventing their messages from being block by either of these tests. So once again, for me these are very valuable tests with very few false positives (meaning messages that get held for further manual processing). Messages that are incorrectly flagged (like legit mailing lists) still get passed on because they do not reach a hold or delete trigger weight. I can't help believing that this would also be the case for a lot of other Declude users. These tests works very well in a weighted environment for us, and as I have shown, they flag a lot of crap (which is the goal, correct?). BTW, are you using grep and other utilities on Windows? If so, where did you get your tools? This could > make pattern matching much less laborious for me, but I'd have to brush up (a lot) on regular expressions. Yes, on Windows. You can find the UNIX utilities for Win32 at: http://unxutils.sourceforge.net/ Bill