Re: [Mimedefang] suspicious characters

2005-10-25 Thread Joseph Brennan



My experience with $SuspiciousCharsInBody is that it is pretty much
useless in all circumstances except for a very strict home system
with a few users. There are simply too many crappy MUAs out there.


Cyrus rejects messages with these characters, and I'd rather refuse
during smtp than generate bounces after Cyrus delivery fails.  Almost
all of it really is garbage, about 15,000 a day (of 1.5 million--
exactly the .01% Per reported previously!).




Mimedefang strips all CR characters from the input, before putting them
in INPUTMSG, even if they are lone CR characters that trigger the
suspiciousBody flag. So you will never see the CR characters in
mimedefang (and neither will any virus scanner or other content scanner
you might use).


So that's it!  So the best I can do is distinguish null from return.
Thanks.



Joseph Brennan
Columbia University Information Technology

___
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Requesting help making a mod to my filter

2005-10-25 Thread Fred
Hello,
I would like to modify my filter to include the scores for the spamassassin
tests next to the name of the test,
Using SA config options you can make your X-Spam-Score line look like this:

BAYES_50=0.001,HTML_MESSAGE=0.0001,FOO=1.0, etc.

Is it possible to reproduce this in the mimedefang-filter?

Thank you,

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400



[Mimedefang] Please review: new Spamc feature

2005-10-25 Thread Matthew.van.Eerde
I've broken down and coded a mimedefang-filter that calls spamc instead of 
use'ing Mail::SpamAssassin.

I'd ideally like to post this on the wiki for those who might find it useful... 
but I'm interested in feedback first. Can you glance over the code and tell me 
what you think?

The idea is to trim down the MIMEDefang threads to be lightweight, so I can 
make a whole lot of them.  I do all sorts of things w/ MIMEDefang besides 
spam-scan, and while the MIMEDefang threads are doing all these things, that 
SpamAssassin module is sitting there idle, but taking up space.  I do have a 
performance hit from spawning the spamc process, but I thought I'd experiment 
to see if the tradeoff is a net benefit or loss.

This requires a working spamd setup and a custom spamd report template.

Modifications to /etc/mail/spamassassin/local.cf:
# This changes the default report template to one which is easier to parse
# but not necessarily easier to read
# only the first five report lines are used by MIMEDefang...
# the rest can contain custom flavor text
# note the characters after each colon must be a TAB (\t)
clear_report_template
report Score:   _SCORE()_
report Required:_REQD_
report Tests:   _TESTS(,)_
report
report _SUMMARY_

Modifications to mimedefang-filter:

# Outside of any function, but
# before detect_and_load_perl_modules();

$Features{SpamAssassin} = 0; # false but defined
$Features{Spamc} = 1; # new feature

# this function creates a spamc-scannable version of the message
# this is basically INPUTMSG with some extra headers
# the headers imitate what sendmail will eventually add anyway
sub create_spamc_scan_file()
{
    # code liberally stolen from
    # mimedefang.pl's spam_assassin_mail
    open(IN, "<./INPUTMSG") or return undef;
    my @msg = <IN>;
    close(IN);

    # Synthesize a Return-Path and Received: header
    my @sahdrs;
    push (@sahdrs, "Return-Path: $Sender\n");
    push (@sahdrs, split(/^/m, synthesize_received_header()));
    push (@sahdrs, gen_msgid_header()) if ($MessageID eq "NOQUEUE");

    unshift (@msg, @sahdrs);

    open(FORSPAMC, ">./FORSPAMC") or return undef;
    print FORSPAMC @msg;
    close(FORSPAMC);

    return 1;
}

# in filter_end, instead of the
# if ($Features{SpamAssassin}) block:
if (
    $Features{Spamc} and # is there spamc?
    -s "./INPUTMSG" < 100 * 1024 and # don't scan messages over 100KB
    create_spamc_scan_file() # create a spamc-scannable file
)
{

    my $forcespamreport = 0;

    # this if() is another custom feature, unrelated to spamc
    # if this is to [EMAIL PROTECTED]
    # and ONLY to [EMAIL PROTECTED]
    # then force a spam report even if the message isn't spam
    if (
        @Recipients == 1 and
        $Recipients[0] =~ /^[EMAIL PROTECTED]?$/i
    )
    {
        $forcespamreport = 1;
    }

    # spamc options
    # -r shows a report only if it's spam
    # -R shows a report whether it's spam or not
    my $r = ($forcespamreport ? "-R" : "-r");

    # $r is one of two fixed strings, so nothing from the message reaches the shell
    my $report = `spamc $r < ./FORSPAMC`;
    unlink('./FORSPAMC');

    if ($report eq "")
    {
        # not spam! nothing to do.
    } elsif ( $report =~
        /^
        Score:  \t  ([\d\.]+?)  \n
        Required:   \t  ([\d\.]+?)  \n
        Tests:  \t  ([\w,]+?)   \n
        \n
        /x
    )
    {
        my $score = $1;
        my $required = $2;
        my $tests = $3;
        my $stars = "*" x ($score < 40 ? int($score) : 40);


        if ($forcespamreport)
        {
            action_add_part(
                $entity,
                "text/plain",
                "-suggest",
                $report . "\n",
                "SpamAssassinReport.txt", "inline"
            );
        }

        if ($score >= $required)
        {
            action_change_header(
                "X-Spam-Score",
                $stars . " (" . $score . ") " . $tests
            );

            action_delete_all_headers("Subject");
            action_add_header(
                "Subject",

RE: [Mimedefang] Requesting help making a mod to my filter

2005-10-25 Thread Matthew.van.Eerde
Fred wrote:
> Hello,
> I would like to modify my filter to include the scores for the
> spamassassin tests next to the name of the test,
> Using SA config options you can make your X-Spam-Score line look like
> this:
>
> BAYES_50=0.001,HTML_MESSAGE=0.0001,FOO=1.0, etc.
>
> Is it possible to reproduce this in the mimedefang-filter?

This is a mimedefang.pl hack that might work for you.  Untested.

sub spam_assassin_check (;$) {

    my($status) = spam_assassin_status(@_);
    return undef if (!defined($status));

    my $hits = $status->get_hits;
    my $req = $status->get_required_hits();
# CHANGE LINE
#   my $tests = $status->get_names_of_tests_hit();
    my $tests = $status->get_tag("TESTSSCORES");

    my $report = $status->get_report();

    $status->finish();

    # $testsscores was never declared; the scores are already in $tests
    return ($hits, $req, $tests, $report);
}

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer



Re: [Mimedefang] MX - 127.0.0.1

2005-10-25 Thread Jan Pieter Cornet
On Mon, Oct 24, 2005 at 05:07:40AM -0400, Kevin A. McGrail wrote:
 So for example, we don't reject
 outright on private IP space in MX records, as long as there are
 other reachable addresses too.
 
 I chose to only check the primary MX because my analysis showed that it was
 likely to be a good test to get rid of unwanted junk mail.  I also agree
 with you and do not personally bounce based on privatized IP usage but I
 think I see what you are saying.

Well, it's worth taking an extra look at it, we block just over 2000
mails per day that have MX records only to private IP space (versus
34000 for localhost MX, and 65000 for non-resolving MX records).

For example, see geg.com as an example of private IP space MX records.

 - sendmail (and possibly other MTAs) will actually understand this
   grossly wrong MX record:
 
 example.com. IN MX 10 12.34.56.78.
 
   And use the hostname there as the IP address. (Of course, if you
   want your MTA to help fight for a better world, you'd probably want
   to RST your TCP connection to any loser mailing from such a domain
   with a christmas tree of death packet. But I digress...)
 
 Technically, DNS handles this as a CNAME which isn't RFC compliant for email
 but I'm choosing to follow sendmail's lax interpretation to prevent false
 positives.  I believe this will definitely now pass v2 of the check stub.

It passes because the A query of that name gives an error
(NXDOMAIN), and when that happens you get to the point in the code
where it says #THE ANSWER COULDN'T BE RESOLVED (I think... you have
deeply nested code! It's not illegal to put stuff in subroutines occasionally,
did you know that? :).

But you might want to bounce in case that record doesn't resolve, but
still allow mail from the occasional idi...eh...MCSE behind the buttons
who accidentally puts an IP address in the MX record.

 - if an MX record doesn't resolve at all, you can also consider it
   a malicious error (this one is quite common even).
 
 I'm dropping that at a sendmail level and expect others to do so as well.
 Therefore, I'm considering a non-resolve as an internal problem or timeout
 issue.  Since I set the timeout to only 4 seconds for DNS queries, I'm aiming
 for a shotgun, get a lot of bad guys approach.

I don't believe sendmail can reject that case. I'm not talking about the
domain not resolving at all, I'm talking about the case where the domain
itself doesn't resolve (like MAIL From:[EMAIL PROTECTED]), but where
the domain resolves and has MX records, but those MX records do not resolve.

See for example: tennesseen.com or .com

We count about 65000 per day of these mails, about twice as much as
localhost MX.

 - The domain could be in the form [127.0.0.1], causing your MX lookup
   to fail (in which case you currently accept).
 
 Can you give me an example email address that has DNS that does this?

Sure. [EMAIL PROTECTED] should send mail to yourself (or rather
your postmaster, I'm assuming that's you :)

(In doing so... I notice that we aren't even accepting mail addressed
to [EMAIL PROTECTED] nobody complained so far. But that's
why I cannot give you a real working remote email address of this
form right now).
 
 - The domain could even be [IPv6:::1234:5678:9abc:def0] (but we
   currently reject this, it's too obscure).
 
 Can you give me an example email address that has DNS that does this?

Not a working one, offhand, again, [EMAIL PROTECTED]:::1] should reach
yourself, provided you have IPv6 working and your MTA listening on IPv6

 - This specific syntax:
 
 example.com   IN MX 0 .
 
   is commonly understood to mean this domain does not do email at all,
  So we currently
   only block on MX 0 . when it's the only MX record (or only one in
   a set of equal preferenced records).
 
 I've implemented a basic check for this, thanks for the detailed info.  I
 am only blocking if the MX at priority 0 is a period (which translates as
 blank).

Hmm, you might want to be relaxed about the priority. Even though
in http://www.ietf.org/internet-drafts/draft-delany-nullmx-00.txt
Mark Delany specifies a priority of 0, he's now using a priority of
1 himself in the yahoo.com zones. See for example the domain:
web54410.mail.yahoo.com

 - We explicitly test for lone hostnames and non-existing TLDs to give
   understandable error messages. These cases are usually due to
   incompetence, and the reject messages are actually read by users.
 
 I believe sendmail's resolution checks will bounce non-existent TLDs but what
 is a lone hostname?

A hostname without a domainname, so, anything that isn't a FQDN. For
example, someone is repeatedly trying to mail us as
MAIL From:[EMAIL PROTECTED], which we don't accept.

Note that I only give this error after checking if accidentally this
isn't a tld with MX records. Yes, those exist... the primary MX of va. is
lists.vatican.va, and it just told me:
 RCPT To:[EMAIL PROTECTED]
 250 Ok
Interesting... not only does God exist (and proves He exists, 
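
The MX checks discussed in this message, collected into one policy function as an added example (not code from the thread or from MIMEDefang). The names mx_verdict and addr_class, the verdict strings and the %dns table that stands in for real lookups are assumptions; it looks at every MX record rather than only the primary one, and handles IPv4 only.

```perl
use strict;
use warnings;

# Classify a dotted-quad IPv4 address as loopback, private (RFC 1918) or public.
sub addr_class {
    my @o = split /\./, shift;
    return 'loopback' if $o[0] == 127;
    return 'private'  if $o[0] == 10
        or ($o[0] == 172 and $o[1] >= 16 and $o[1] <= 31)
        or ($o[0] == 192 and $o[1] == 168);
    return 'public';
}

# $mx:  arrayref of [preference, exchange] pairs for the sender's domain.
# $dns: hashref exchange => arrayref of A records, standing in for live
#       lookups so the example runs offline; a missing key means NXDOMAIN.
sub mx_verdict {
    my ($mx, $dns) = @_;
    return 'no_mx' unless @$mx;   # not an MX problem: mail falls back to the A record
    # Only "MX n ." present: the domain does no mail. The preference is
    # ignored, since both 0 and 1 are in use.
    return 'null_mx' unless grep { $_->[1] ne '.' } @$mx;
    my %seen;
    for my $rec (@$mx) {
        (my $host = lc $rec->[1]) =~ s/\.\z//;
        # An IP literal in the exchange field is wrong but tolerated, the way
        # sendmail does: use it as the address instead of resolving it.
        my @addrs = ($host =~ /^\d{1,3}(?:\.\d{1,3}){3}\z/)
                  ? ($host) : @{ $dns->{$host} || [] };
        $seen{ addr_class($_) }++ for @addrs;
    }
    return 'accept'          if $seen{public};   # one reachable MX is enough
    return 'mx_private_only' if $seen{private};
    return 'mx_localhost'    if $seen{loopback};
    return 'mx_unresolvable';                    # MX records exist, none resolve
}

# Constructed zone data (not real DNS answers), one case per verdict.
my %dns = ('mx.example.net'   => ['192.0.2.25'], 'lan.example.net' => ['10.1.2.3'],
           'self.example.net' => ['127.0.0.1']);
my @cases = (
    [ 'private primary, public backup', [ [10, 'lan.example.net.'], [20, 'mx.example.net.'] ] ],
    [ 'private address space only',     [ [10, 'lan.example.net.'] ] ],
    [ 'localhost MX',                   [ [10, 'self.example.net.'] ] ],
    [ 'MX target does not resolve',     [ [10, 'gone.example.net.'] ] ],
    [ 'null MX at preference 1',        [ [1, '.'] ] ],
    [ 'IP literal as exchange',         [ [10, '12.34.56.78.'] ] ],
);
printf "%-32s %s\n", $_->[0], mx_verdict($_->[1], \%dns) for @cases;
```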

Re: [Mimedefang] Please review: new Spamc feature

2005-10-25 Thread John Nemeth
On Mar 17,  5:37am, [EMAIL PROTECTED] wrote:
}
} I've broken down and coded a mimedefang-filter that calls spamc
} instead of use'ing Mail::SpamAssassin.
} 
} I'd ideally like to post this on the wiki for those who might find it
} useful... but I'm interested in feedback first. Can you glance over
} the code and tell me what you think?
} 
} The idea is to trim down the MIMEDefang threads to be lightweight, so
} I can make a whole lot of them.  I do all sorts of things w/
} MIMEDefang besides spam-scan, and while the MIMEDefang threads are
} doing all these things, that SpamAssassin module is sitting there
} idle, but taking up space.  I do have a performance hit from spawning
} the spamc process, but I thought I'd experiment to see if the
} tradeoff is a net benefit or loss.

 Why don't you create a function to call spamd directly, similar to
the way that MIMEDefang calls clamd?  That way, you won't have the
spamc process overhead?

}-- End of excerpt from [EMAIL PROTECTED]
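
Talking to spamd over its socket instead of spawning spamc, as an added example (not code from this thread or from MIMEDefang): it builds a SPAMC-protocol request and parses the reply, with no shell involved. The function names, the choice of the SYMBOLS command and the host and port passed to spamd_check are assumptions; the sample reply is constructed.

```perl
use strict;
use warnings;
use IO::Socket::INET;

# Build a spamd request: command line, Content-length header, blank line, message.
sub spamd_request {
    my ($command, $message) = @_;
    return "$command SPAMC/1.2\r\n"
         . 'Content-length: ' . length($message) . "\r\n\r\n"
         . $message;
}

# Parse a spamd reply into (is_spam, score, threshold, body); empty list on error.
sub parse_spamd_response {
    my ($raw) = @_;
    return unless defined $raw and length $raw;
    my ($head, $body) = split /\r?\n\r?\n/, $raw, 2;
    my ($status, @hdrs) = split /\r?\n/, $head;
    return unless defined $status and $status =~ m{^SPAMD/\d+\.\d+ 0 EX_OK};
    for (@hdrs) {
        next unless /^Spam:\s*(True|False)\s*;\s*(-?[\d.]+)\s*\/\s*(-?[\d.]+)/i;
        return (lc($1) eq 'true' ? 1 : 0, $2, $3, defined $body ? $body : '');
    }
    return;   # EX_OK but no Spam: header, treat as a failed scan
}

# Send the message in $file to spamd at $host:$port and return the parsed reply.
sub spamd_check {
    my ($file, $host, $port) = @_;
    open(my $in, '<', $file) or return;
    my $message = do { local $/; <$in> };
    close($in);
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                     Proto => 'tcp', Timeout => 10) or return;
    print {$sock} spamd_request('SYMBOLS', $message);
    $sock->shutdown(1);                    # done writing; spamd answers now
    my $raw = do { local $/; <$sock> };
    close($sock);
    return parse_spamd_response($raw);
}

# Constructed reply in the shape spamd uses for SYMBOLS (not captured traffic).
my $sample = "SPAMD/1.1 0 EX_OK\r\nContent-length: 23\r\n"
           . "Spam: True ; 7.3 / 5.0\r\n\r\nBAYES_50,HTML_MESSAGE\r\n";
my ($is_spam, $score, $required, $tests) = parse_spamd_response($sample);
$tests =~ s/\s+\z//;
print "spam=$is_spam score=$score required=$required tests=$tests\n";
```

In a filter, spamd_check('./FORSPAMC', '127.0.0.1', 783) would take the place of the backtick call; 783 is spamd's default port.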


Re: [Mimedefang] Please review: new Spamc feature

2005-10-25 Thread Richard Laager
On Tue, 2005-10-25 at 11:01 -0700, [EMAIL PROTECTED] wrote:
> I do all sorts of things w/ MIMEDefang besides spam-scan,
> and while the MIMEDefang threads are doing all these things,
> that SpamAssassin module is sitting there idle, but taking
> up space.

Use the embedded Perl feature of MIMEDefang and use compile_now() from
SpamAssassin. That way, the SpamAssassin initialization is done once.
fork() on Linux (and Unix in general, I believe) is very lightweight.
The SpamAssassin stuff in memory will be shared by all the threads.

I do this, and ... unless I'm very confused ;) ... it saves TONS of
memory.

Richard

