Re: FreeMail plugin updated
On Thursday September 2 2010 01:52:28 Runbox wrote:
> Would you please remove Runbox.com from that list as we have not been a free email provider since 2001.
>
> Kim

Thanks, removed! Should propagate with the next sa-update.

Mark
Adding custom surbl servers to local.cf
Hi,

i have set up an RBLDNSD server hopefully to do surbl for me, but i have no clue how to make spamassassin query that, i don't have any clue how to add that in local.cf .. if someone could point me to the right direction, that'll be really appreciated.

thanks

--
$3|v3n
Re: Adding custom surbl servers to local.cf
On tor 02 sep 2010 12:31:16 CEST, selven wrote
> Hi, i have set up an RBLDNSD server hopefully to do surbl for me, but i have no clue how to make spamassassin query that, i don't have any clue how to add that in local.cf .. if someone could point me to the right direction, that'll be really appreciated.

okay let me show how i do, there might be more how to out there :)

#/etc/bind/named.conf
zone "dnsbl-that-are-checked-in-spamassassin" IN {
    type forward;
    forward only;
    forwarders { 127.0.0.2; };
};

#/etc/conf.d/rbldns (gentoo)
OPTIONS="-q -f \
 -r /var/db/rbldnsd \
 -b 127.0.0.2 \
 -u rbldns \
 -p /var/run/rbldnsd.pid \
 dnsbl-that-are-checked-in-spamassassin:set-type:file-to-read-locally"

i bind rbldnsd to 127.0.0.2 so i can still have named on 127.0.0.1

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Spamassassin not checking user provided RBLs
On tor 02 sep 2010 09:08:30 CEST, Chris Datfung wrote
> I ran sa-update. As you pointed out, there are a number of RBLs in the standard configuration that for some reason aren't checked, thus I thought I could easily fix that by adding them to local.cf and when that didn't work I tried in init.pre. I do see other RBL generated scores in the message headers, so it appears that some RBL checks are indeed performed.

try to debug it as below with

spamassassin 2>&1 -D -t msg | less

what are being tested at what fails ?

> Do you see any obvious problems?

only that you posted too much on a maillist :)

well fun aside check the pre files that you load plugins right as you like it to be, and then check again for not installed plugins

eg if you have DKIM loaded in pre it does not work if the DKIM plugin is not installed

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Spamassassin not checking user provided RBLs
On 2010-09-01 22:47, Chris Datfung wrote:
> I'm running spamassassin version 3.3.1-1 from the Debian package. I added several RBLs to /etc/mail/spamassassin/init.pre but spamassassin only queries its built in RBLs and not the ones I added. An example RBL entry to init.pre is shown below:
>
> header IN_NJABL_ORG rbleval:check_rbl('njabl','dnsbl.njabl.org.')
> describe IN_NJABL_ORG Received via a relay in dnsbl.njabl.org
> tflags IN_NJABL_ORG net
> score IN_NJABL_ORG 5
>
> I also find messages that aren't tagged as being in an RBL that are listed in cbl.abuseat.org and zen.spamhaus.org which should be automatically checked by spamassassin using the default configuration. As mentioned before other (built-in) RBL checks work. Any hints as to why my custom RBL checks added to init.pre (and also tried local.cf) aren't queried after restarting spamassassin?
>
> Thanks,
> Chris

You don't EVER add rules to a .pre file
only .cf are rules files
use local.cf for custom rules
Re: Spamassassin not checking user provided RBLs
On 9/2/2010 3:08 AM, Chris Datfung wrote:
> On Thu, Sep 2, 2010 at 5:06 AM, Benny Pedersen m...@junc.org wrote:
>> On ons 01 sep 2010 22:47:36 CEST, Chris Datfung wrote
>>> header IN_NJABL_ORG rbleval:check_rbl('njabl','dnsbl.njabl.org.')
>>> describe IN_NJABL_ORG Received via a relay in dnsbl.njabl.org
>>> tflags IN_NJABL_ORG net
>>> score IN_NJABL_ORG 5
>>
>> first error is you added it to a pre file, next is that it is in std rules being checked
>>
>> did you or debian run sa-update ?
>
> Hi Benny,
>
> I ran sa-update. As you pointed out, there are a number of RBLs in the standard configuration that for some reason aren't checked, thus I thought I could easily fix that by adding them to local.cf and when that didn't work I tried in init.pre. I do see other RBL generated scores in the message headers, so it appears that some RBL checks are indeed performed.
>
>> what gives spamassassin 2>&1 -D --lint | less

snip

> Do you see any obvious problems?

Hmm, --lint isn't really the best option for a DNS problem. --lint implies local-only mode, which limits its usefulness for this particular kind of issue.

I can see you do have Net::DNS installed, which is good:

Sep 2 16:56:51.709 [986] dbg: dns: is Net::DNS::Resolver available? yes
Sep 2 16:56:51.709 [986] dbg: dns: Net::DNS version: 0.63

and I don't see any parse errors, which is also good..

Sep 2 16:56:53.771 [986] dbg: dns: is DNS available? 0
Sep 2 16:56:53.771 [986] dbg: rules: local tests only, ignoring RBL eval

But local-only mode is enforced, cutting our investigation short.

Can you try again using a message, such as the sample-spam.txt that comes with the SA tarball.

spamassassin sample-spam.txt 2>&1 -D

In particular, we want to look at the dbg: dns: is DNS available? line and other DNS related ones nearby.

> Thanks!
> Chris
Re: Adding custom surbl servers to local.cf
i mean, how do i tell spamassassin to look query which server. rbldnsd is already up and running

On Thu, Sep 2, 2010 at 2:49 PM, Benny Pedersen m...@junc.org wrote:
> On tor 02 sep 2010 12:31:16 CEST, selven wrote
>> Hi, i have set up an RBLDNSD server hopefully to do surbl for me, but i have no clue how to make spamassassin query that, i don't have any clue how to add that in local.cf .. if someone could point me to the right direction, that'll be really appreciated.
>
> okay let me show how i do, there might be more how to out there :)
>
> #/etc/bind/named.conf
> zone "dnsbl-that-are-checked-in-spamassassin" IN {
>     type forward;
>     forward only;
>     forwarders { 127.0.0.2; };
> };
>
> #/etc/conf.d/rbldns (gentoo)
> OPTIONS="-q -f \
>  -r /var/db/rbldnsd \
>  -b 127.0.0.2 \
>  -u rbldns \
>  -p /var/run/rbldnsd.pid \
>  dnsbl-that-are-checked-in-spamassassin:set-type:file-to-read-locally"
>
> i bind rbldnsd to 127.0.0.2 so i can still have named on 127.0.0.1
>
> --
> xpoint http://www.unicom.com/pw/reply-to-harmful.html

--
$3|v3n
Re: Adding custom surbl servers to local.cf
On 02.09.10 15:51, selven wrote:
> i mean, how do i tell spamassassin to look query which server.

you will not. SpamAssassin uses standard system libraries for querying DNS. you must configure your resolving name server(s) to preferably forward configured zone to your rbldnsd.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !
Re: Adding custom surbl servers to local.cf
ahh okie. thanks

On Thu, Sep 2, 2010 at 3:53 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 02.09.10 15:51, selven wrote:
>> i mean, how do i tell spamassassin to look query which server.
>
> you will not. SpamAssassin uses standard system libraries for querying DNS. you must configure your resolving name server(s) to preferrably forward configured zone to your rbldnsd.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> M$ Win's are shit, do not use it !

--
$3|v3n
Re: Spamassassin not checking user provided RBLs
On Thu, Sep 2, 2010 at 2:30 PM, Matt Kettler mkettler...@verizon.net wrote:
> Can you try again using a message, such as the sample-spam.txt that comes with the SA tarball.
>
> spamassassin sample-spam.txt 2>&1 -D
>
> In particular, we want to look at the dbg: dns: is DNS available? line and other DNS related ones nearby.

Hi Matt,

I included (hopefully only) the relevant data from the above command below:

Sep 2 22:13:37.978 [11886] dbg: dns: is Net::DNS::Resolver available? yes
Sep 2 22:13:37.979 [11886] dbg: dns: Net::DNS version: 0.63
[...snip]
Sep 2 22:13:39.147 [11886] dbg: dns: is_dns_available() last checked 1283429619.1 seconds ago; re-checking
Sep 2 22:13:39.147 [11886] dbg: dns: is Net::DNS::Resolver available? yes
Sep 2 22:13:39.147 [11886] dbg: dns: Net::DNS version: 0.63
Sep 2 22:13:39.148 [11886] dbg: dns: name server: x.x.x.x, LocalAddr: 0.0.0.0
Sep 2 22:13:39.148 [11886] dbg: dns: resolver socket rx buffer size is 126976 bytes
Sep 2 22:13:39.148 [11886] dbg: dns: testing resolver nameservers: x.x.x.x
Sep 2 22:13:39.148 [11886] dbg: dns: trying (3) adelphia.net...
Sep 2 22:13:39.148 [11886] dbg: dns: looking up NS for 'adelphia.net'
Sep 2 22:13:39.149 [11886] dbg: dns: providing a callback for id: 53318/adelphia.net/NS/IN
Sep 2 22:13:42.151 [11886] dbg: dns: NS lookup of adelphia.net using x.x.x.x failed, no results found
Sep 2 22:13:42.151 [11886] dbg: dns: trying (2) colorado.edu...
Sep 2 22:13:42.151 [11886] dbg: dns: looking up NS for 'colorado.edu'
Sep 2 22:13:42.151 [11886] dbg: dns: providing a callback for id: 53742/colorado.edu/NS/IN
Sep 2 22:13:42.198 [11886] dbg: dns: NS lookup of colorado.edu using x.x.x.x succeeded = DNS available (set dns_available to override)
[...snip]
Sep 2 22:13:42.200 [11886] dbg: dns: is DNS available? 1
Sep 2 22:13:42.201 [11886] dbg: uridnsbl: domains to query:
Sep 2 22:13:42.201 [11886] dbg: dns: checking RBL bl.spamcop.net., set spamcop
Sep 2 22:13:42.202 [11886] dbg: dns: checking RBL combined.njabl.org., set njabl
Sep 2 22:13:42.202 [11886] dbg: dns: checking RBL bl.spamcop.net., set spamcop
Sep 2 22:13:42.202 [11886] dbg: dns: checking RBL dnsbl.njabl.org., set njabl
Sep 2 22:13:42.202 [11886] dbg: dns: checking RBL cbl.abuseat.org., set abuseat
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL b.barracudacentral.org., set barracuda
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL bl.score.senderscore.com., set rnbl-lastexternal
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL psbl.surriel.com., set psbl-lastexternal

Thanks,
Chris
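
The debug lines this thread keeps coming back to ("is DNS available?", "local tests only", "checking RBL ...") can be triaged mechanically. The following is an added example, not part of any post in the thread and not SpamAssassin code; the function names and the sample text are constructed, using the line format quoted above.

```python
import re

# Constructed samples in the format of the `spamassassin -D` output quoted in this thread.
NET_RUN = """\
Sep 2 22:13:42.151 [11886] dbg: dns: NS lookup of adelphia.net using x.x.x.x failed, no results found
Sep 2 22:13:42.198 [11886] dbg: dns: NS lookup of colorado.edu using x.x.x.x succeeded = DNS available (set dns_available to override)
Sep 2 22:13:42.200 [11886] dbg: dns: is DNS available? 1
Sep 2 22:13:42.201 [11886] dbg: dns: checking RBL bl.spamcop.net., set spamcop
Sep 2 22:13:42.202 [11886] dbg: dns: checking RBL dnsbl.njabl.org., set njabl
Sep 2 22:13:42.203 [11886] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
"""
LINT_RUN = """\
Sep 2 16:56:53.771 [986] dbg: dns: is DNS available? 0
Sep 2 16:56:53.771 [986] dbg: rules: local tests only, ignoring RBL eval
"""

DNS_AVAILABLE = re.compile(r"dbg: dns: is DNS available\? ([01])\s*$")
LOCAL_ONLY = re.compile(r"dbg: rules: local tests only")
NS_FAILED = re.compile(r"dbg: dns: NS lookup of (\S+) using \S+ failed")
RBL_QUERY = re.compile(r"dbg: dns: checking RBL (\S+?)\.?, set (\S+)")


def norm(zone):
    """Compare zones without the trailing dot and case differences."""
    return zone.strip().rstrip(".").lower()


def triage(debug_text, expected_zones=()):
    """Summarise the DNS-related state of one debug run."""
    report = {"dns_available": None, "local_only": False,
              "failed_probes": [], "queried": {}}
    for line in debug_text.splitlines():
        m = DNS_AVAILABLE.search(line)
        if m:
            report["dns_available"] = m.group(1) == "1"
            continue
        if LOCAL_ONLY.search(line):
            report["local_only"] = True
            continue
        m = NS_FAILED.search(line)
        if m:
            report["failed_probes"].append(m.group(1))
            continue
        m = RBL_QUERY.search(line)
        if m:
            # zone -> set names, as printed after "set" in the debug line
            report["queried"].setdefault(norm(m.group(1)), set()).add(m.group(2))
    report["missing"] = sorted(norm(z) for z in expected_zones
                               if norm(z) not in report["queried"])
    if report["local_only"]:
        report["verdict"] = "local-only run: network rules were skipped, re-run on a message"
    elif report["dns_available"] is not True:
        report["verdict"] = "resolver test did not pass: fix DNS before looking at rules"
    elif report["missing"]:
        report["verdict"] = "DNS works, but no query was issued for: " + ", ".join(report["missing"])
    else:
        report["verdict"] = "DNS works and every expected zone was queried"
    return report


if __name__ == "__main__":
    print(triage(NET_RUN, ["dnsbl.njabl.org", "cbl.abuseat.org"])["verdict"])
    print(triage(LINT_RUN)["verdict"])
```

Feed it the captured output of a run on a real message together with the zones your rules are supposed to query; a single failed NS probe is not a problem as long as the final "is DNS available?" line reads 1.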
Re: Adding custom surbl servers to local.cf
On tor 02 sep 2010 13:51:02 CEST, selven wrote
> i mean, how do i tell spamassassin to look query which server. rbldnsd is already up and running

i only forget to tell that you also need nameserver 127.0.0.1 in /etc/resolv.conf

only that nameserver no more no less :-)

did you bind rbldnsd to 127.0.0.2 like me ? the magic is that you need it

> On Thu, Sep 2, 2010 at 2:49 PM, Benny Pedersen m...@junc.org wrote:
>> On tor 02 sep 2010 12:31:16 CEST, selven wrote
>>> Hi, i have set up an RBLDNSD server hopefully to do surbl for me, but i have no clue how to make spamassassin query that, i don't have any clue how to add that in local.cf .. if someone could point me to the right direction, that'll be really appreciated.
>>
>> okay let me show how i do, there might be more how to out there :)
>>
>> #/etc/bind/named.conf
>> zone "dnsbl-that-are-checked-in-spamassassin" IN {
>>     type forward;
>>     forward only;
>>     forwarders { 127.0.0.2; };
>> };
>>
>> #/etc/conf.d/rbldns (gentoo)
>> OPTIONS="-q -f \
>>  -r /var/db/rbldnsd \
>>  -b 127.0.0.2 \
>>  -u rbldns \
>>  -p /var/run/rbldnsd.pid \
>>  dnsbl-that-are-checked-in-spamassassin:set-type:file-to-read-locally"
>>
>> i bind rbldnsd to 127.0.0.2 so i can still have named on 127.0.0.1
>>
>> --
>> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>
> --
> $3|v3n

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Adding custom surbl servers to local.cf
On Thursday, September 2, 2010, 4:51:02 AM, selven selven wrote:
> i mean, how do i tell spamassassin to look query which server.

As Benny said you serve the zone with a local domain then query that local domain. Instructions are at:

http://www.surbl.org/public-dns.html

Post a copy of your rbldnsd and BIND configs for the zone and spamassassin rule, and we will check them.

Jeff C.
--
Jeff Chan mailto:je...@surbl.org http://www.surbl.org/
Re: Delivery Status Notification (Failure)
On 9/1/2010 5:57 PM, Emin Akbulut wrote:
> There is no second MTA/SMTP server. Imagine 3 machines in my environment:
> 1. Mail client, 2: Mail server 3: SA server.
> Test message is OUTGOING message, I'm authenticated user.
> The only HELO command sender is my mail client and it's not a relay server, huh?
>
> Original test message headers:
>
> Received: from ea2 ([78.186.240.194]) by izsmmmo.com with MailEnable ESMTP; Wed, 1 Sep 2010 15:30:15 +0300
> Message-ID: e9bfbdbd61f044c288b222e857ff6...@ea2
> From: emin.akbu...@izsmmmo.com
> To: eminakbu...@gmail.com
> Subject: HELO_NO_DOMAIN test
> Date: Wed, 1 Sep 2010 15:23:20 +0300
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary==_NextPart_000_0003_01CB49E9.9C0B6070
> X-Priority: 3
> X-MSMail-Priority: Normal
> Importance: Normal
> X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
> X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
>
> Bu, MIME biçiminde çok taraflı bir iletidir.
>
> --=_NextPart_000_0003_01CB49E9.9C0B6070
> Content-Type: text/plain; charset=iso-8859-9
> Content-Transfer-Encoding: quoted-printable
>
> XJS*C4JDBQADN1.NSBN3*2IDNEN*@@@GTUBE@@@-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
>
> --=_NextPart_000_0003_01CB49E9.9C0B6070
> Content-Type: text/html; charset=iso-8859-9
> Content-Transfer-Encoding: quoted-printable

1) I lost track of your question.

2) Those headers do not look like the message passed through SA. If you are questioning what SA is doing, we need to see the headers AFTER SA has processed the message so we can see what it did.

--
Bowie
Re: Delivery Status Notification (Failure)
On Thu, 2 Sep 2010, Emin Akbulut wrote:
> Good. My test mail headers rejected here: : P

It's best to post sample messages to a site like pastebin, and then just post the URL for that here. A sample sent to the mailing list will, as you've seen, be subject to scanning and rejection, as well as subject to modification by any host it passes through, making it more difficult to trust as the basis for analysis.

> *I try again:*
> There is no second MTA/SMTP server. Imagine 3 machines in my environment:
> 1. Mail client, 2: Mail server 3: SA server.
> Test message is OUTGOING message, I'm authenticated user.

That's the second possible scenario I was wondering about, but I did not want to complicate my original question too much.

You are scanning outbound email. That detail may not have been clear in the original posts. Someone else with experience scanning outbound mail may have more suggestions to offer, as I do not scan outbound mail and don't have experience with all of the gotchas.

> The only HELO command sender is my mail client and it's not a relay server, huh?

No, but from the point of view of the SMTP exchange there isn't any explicit distinction between an originator of a message and an intermediate relay.

A quick note before all my commentary: setting your mail client(s) to use a fully-qualified domain name as the HELO string would fix the problem. Doing this in Outlook might require changing the network name of your computer. I don't use Outlook so I can't offer exact instructions.

On to the commentary...

Is the IP address below modified by you in any way to protect privacy? If not, then that's a public Internet IP address. Not seeing a reserved network there makes me assume your mail client is not on a private subnet on the private side of your MTA. Some of my comments will be based on that assumption, I apologize if I am in error.

From the headers it appears you are not using authenticated SMTP. You should be. That would greatly help SA figure things out when the mail clients you're serving are on the public Internet.

Since you are not using authenticated SMTP, you are not an authenticated user as you claimed to be above. What exactly makes you an authenticated user?

To check my assumption: is your mail client actually on a private subnet under your control, or is it directly connected to the Internet somewhere else and getting an IP address you cannot control or predict?

If the clients are on a private subnet under your control, you can tell SA that their subnet is internal, you can tell your MTA to not pass outbound messages to SA (based on the IP address), or you write an offsetting rule that matches locally-originated email (based on the IP address in a Received: header) and adds some negative points to the score.

(Side question: if your mail clients _are_ on a privately-controlled subnetwork, why didn't you use one of the network address spaces reserved for that purpose?)

> Original test message headers:
>
> Received: from ea2 ([78.186.240.194]) by izsmmmo.com with MailEnable ESMTP; Wed, 1 Sep 2010 15:30:15 +0300
> Message-ID: e9bfbdbd61f044c288b222e857ff6...@ea2
> From: emin.akbu...@izsmmmo.com
> To: eminakbu...@gmail.com
> Subject: HELO_NO_DOMAIN test
> Date: Wed, 1 Sep 2010 15:23:20 +0300
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary==_NextPart_000_0003_01CB49E9.9C0B6070
> X-Priority: 3
> X-MSMail-Priority: Normal
> Importance: Normal
> X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
> X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
>
> Bu, MIME biçiminde çok taraflı bir iletidir.
>
> --=_NextPart_000_0003_01CB49E9.9C0B6070
> Content-Type: text/plain; charset=iso-8859-9
> Content-Transfer-Encoding: quoted-printable
>
> XJS*C4JDBQADN1.NSBN3*2IDNEN*@@@GTUBE@@@-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
>
> --=_NextPart_000_0003_01CB49E9.9C0B6070
> Content-Type: text/html; charset=iso-8859-9
> Content-Transfer-Encoding: quoted-printable

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Therapeutic Phrenologist - send email for affordable rate schedule.
---
15 days until the 223rd anniversary of the signing of the U.S. Constitution
Re: Delivery Status Notification (Failure)
On Thu, 2010-09-02 at 00:57 +0300, Emin Akbulut wrote:
> Good. My test mail headers rejected here: : P

Ugh, yeah -- do not send spam this way. GTUBE by its very definition is meant to be caught by SA.

Replying to the DSN probably wasn't the best of choices either. What's that subject got to do with your question?

> I try again:
> There is no second MTA/SMTP server. Imagine 3 machines in my environment:
> 1. Mail client, 2: Mail server 3: SA server.

So your MUA on the client machine sends the message to your MailEnable SMTP server. Which is, what the single Received header shows.

Kind of repeating myself here, but... HOW does SA running on the third machine get the message? The headers you showed us aren't necessarily the ones SA ultimately gets to see.

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Escape characters passing spam through
I've had problems sa-learning some particular emails that have some ASCII escape characters. I've been getting this email that passes right through the filter:

Subject: (¯`·._..babes_in_blue^(TM).._.·´¯)

sa-learn won't recognize it as a message scanned, I'm pretty sure these characters (¯`·._.. are escaping it somehow.

Any ideas?
Re: Delivery Status Notification (Failure)
2010/9/2 Karsten Bräckelmann guent...@rudersport.de
> Kind of repeating myself here, but... HOW does SA running on the third machine get the message? The headers you showed us aren't necessarily the ones SA ultimately gets to see.

Oh god, it's not mystery, my mail server got two IP, an internal and a real IP. SA has only internal IP. That's it. So my hop count from mail client to server, server to SA, always 1.

I'm authenticated, there is no doubt.

Let me explain why I did ask that question; what is HELO_NO_DOMAIN?

because SA scores our users and they are not spammers, they are ordinary authenticated message senders, just like me. HELO_NO_DOMAIN and FSL_HELO_NON_FQDN_1 and a few others make innocent messages nearly spam. A non-spam message scored ~4 points at first. If user types ALL CAPS SUBJECT vs. then his message becomes a spam. I cannot tell to everybody; hey do not use caps in subject.

So I have to fix HELO_NO_DOMAIN problem.

I'm asking in another way another point of view:

*HELO_NO_DOMAIN Relay reports its domain incorrectly*

So what/who is relay here and what reports incorrect?
Re: Delivery Status Notification (Failure)
On Fri, 3 Sep 2010, Emin Akbulut wrote:
> 2010/9/2 Karsten Bräckelmann guent...@rudersport.de
>> Kind of repeating myself here, but... HOW does SA running on the third machine get the message? The headers you showed us aren't necessarily the ones SA ultimately gets to see.
>
> Oh god, it's not mystery, my mail server got two IP, an internal and a real IP. SA has only internal IP. That's it. So my hop count from mail client to server, server to SA, always 1.
>
> I'm authenticated, there is no doubt.

Using just the mail headers that you provided as an example, show us how we are to know the sender is authenticated. Proof by vigorous assertion is not proof.

> Let me explain why I did ask that question; what is HELO_NO_DOMAIN?

The HELO does not contain a domain part. From your example:

Received: from ea2 ([78.186.240.194]) by izsmmmo.com with MailEnable ESMTP;

ea2 is not a fully qualified host name. There is no domain part.

> because SA scores our users and they are not spammers, they are ordinary authenticated message senders, just like me. HELO_NO_DOMAIN and FSL_HELO_NON_FQDN_1 and a few others make innocent messages nearly spam.

That is because you are scanning outbound mail while making no provision for the way a MUA will submit messages. If you configured all of your mail clients to use a fully-qualified host name instead of just a machine name, these problems would go away.

> So I have to fix HELO_NO_DOMAIN problem.

I told you how to do that. (1) fix your mail clients to use fully-qualified host names rather than just machine names, or (2) stop scanning outbound mail, or (3) write a rule that recognizes locally-originated messages and subtracts (say) five points from the score.

> I'm asking in another way another point of view:
>
> *HELO_NO_DOMAIN Relay reports its domain incorrectly*
>
> So what/who is relay here and what reports incorrect?

Relay is the system that submitted the message. For the purposes of the HELO string it does not matter whether that is a MTA or a MUA. Incorrect is it did not use a FQDN.

There is no problem with the rule.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Vista is at best mildly annoying and at worst makes you want to rush to Redmond, Wash. and rip somebody's liver out. -- Forbes
---
15 days until the 223rd anniversary of the signing of the U.S. Constitution
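
The two properties this reply turns on, whether the HELO name has a domain part and whether the submitting address is in reserved private space, can be read straight off the Received header. The following is an added example, not part of the post and not SpamAssassin's own rule logic; the regular expression assumes the header layout shown in the thread, and the function name and the second and third sample headers are constructed.

```python
import ipaddress
import re

# Layout assumed from the header in this thread:
#   from <helo> ([<ip>]) by <server> with ...
# An optional rDNS name before the bracketed IP is also accepted.
# Other MTAs write this header differently.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

THREAD_HEADER = ("Received: from ea2 ([78.186.240.194]) by izsmmmo.com "
                 "with MailEnable ESMTP; Wed, 1 Sep 2010 15:30:15 +0300")
# Constructed samples for comparison.
FQDN_HEADER = ("Received: from pc17.office.example.com ([192.168.10.17]) "
               "by mail.example.com with ESMTP")
LAN_HEADER = "Received: from ws5 (ws5.lan [10.0.0.5]) by mail.example.com with ESMTP"


def inspect_submission(received):
    """Return HELO/IP facts for one Received header, or None if unparseable."""
    m = RECEIVED.search(received)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    helo = m.group("helo")
    # An address literal such as [192.0.2.1] is not a host name at all.
    has_domain = not helo.startswith("[") and "." in helo.strip(".")
    options = []
    if not has_domain:
        # The remedies named in the reply above, narrowed by where the client sits.
        options.append("configure the client to send a fully-qualified HELO name")
        if ip.is_private:
            options.append("declare the client subnet internal to SA")
            options.append("have the MTA skip SA for that subnet")
            options.append("add an offsetting rule keyed on the Received IP")
        else:
            options.append("client is on a public address: it cannot be "
                           "recognised by subnet alone")
    return {
        "helo": helo,
        "ip": str(ip),
        "by": m.group("by"),
        "helo_has_domain": has_domain,
        "client_ip_private": ip.is_private,
        "options": options,
    }


if __name__ == "__main__":
    for header in (THREAD_HEADER, FQDN_HEADER, LAN_HEADER):
        print(inspect_submission(header))
```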