Re: [Mimedefang] suspicious characters
My experience with $SuspiciousCharsInBody is that it is pretty much useless in all circumstances except for a very strict home system with a few users. There are simply too many crappy MUAs out there.

Cyrus rejects messages with these characters, and I'd rather refuse during smtp than generate bounces after Cyrus delivery fails. Almost all of it really is garbage, about 15,000 a day (of 1.5 million -- exactly the .01% Per reported previously!).

Mimedefang strips all CR characters from the input, before putting them in INPUTMSG, even if they are lone CR characters that trigger the suspiciousBody flag. So you will never see the CR characters in mimedefang (and neither will any virus scanner or other content scanner you might use).

So that's it! So the best I can do is distinguish null from return. Thanks.

Joseph Brennan
Columbia University Information Technology

___
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

[Mimedefang] Requesting help making a mod to my filter
Hello,

I would like to modify my filter to include the scores for the spamassassin tests next to the name of the test. Using SA config options you can make your X-Spam-Score line look like this:

    BAYES_50=0.001,HTML_MESSAGE=0.0001,FOO=1.0, etc.

Is it possible to reproduce this in the mimedefang-filter?

Thank you,
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400

[Mimedefang] Please review: new Spamc feature
I've broken down and coded a mimedefang-filter that calls spamc instead of use'ing Mail::SpamAssassin.

I'd ideally like to post this on the wiki for those who might find it useful... but I'm interested in feedback first. Can you glance over the code and tell me what you think?

The idea is to trim down the MIMEDefang threads to be lightweight, so I can make a whole lot of them. I do all sorts of things w/ MIMEDefang besides spam-scan, and while the MIMEDefang threads are doing all these things, that SpamAssassin module is sitting there idle, but taking up space. I do have a performance hit from spawning the spamc process, but I thought I'd experiment to see if the tradeoff is a net benefit or loss.

This requires a working spamd setup and a custom spamd report template.

Modifications to /etc/mail/spamassassin/local.cf:

    # This changes the default report template to one which is easier to parse
    # but not necessarily easier to read
    # only the first five report lines are used by MIMEDefang...
    # the rest can contain custom flavor text
    # note the characters after each colon must be a TAB (\t)
    clear_report_template
    report Score:	_SCORE()_
    report Required:	_REQD_
    report Tests:	_TESTS(,)_
    report
    report _SUMMARY_

Modifications to mimedefang-filter:

    # Outside of any function, but
    # before detect_and_load_perl_modules();
    $Features{SpamAssassin} = 0; # false but defined
    $Features{Spamc} = 1; # new feature

    # this function creates a spamc-scannable version of the message
    # this is basically INPUTMSG with some extra headers
    # the headers imitate what sendmail will eventually add anyway
    sub create_spamc_scan_file() {
        # code liberally stolen from
        # mimedefang.pl's spam_assassin_mail
        open(IN, "<./INPUTMSG") or return undef;
        my @msg = <IN>;
        close(IN);

        # Synthesize a Return-Path and Received: header
        my @sahdrs;
        push (@sahdrs, "Return-Path: $Sender\n");
        push (@sahdrs, split(/^/m, synthesize_received_header()));
        push (@sahdrs, gen_msgid_header()) if ($MessageID eq "NOQUEUE");
        unshift (@msg, @sahdrs);

        open(FORSPAMC, ">./FORSPAMC") or return undef;
        print FORSPAMC @msg;
        close(FORSPAMC);
        return 1;
    }

    # in filter_end, instead of the
    # if ($Features{SpamAssassin}) block:
    if (
        $Features{Spamc} and              # is there spamc?
        -s "./INPUTMSG" < 100 * 1024 and  # don't scan messages over 100KB
        create_spamc_scan_file()          # create a spamc-scannable file
    ) {
        my $forcespamreport = 0;

        # this if() is another custom feature, unrelated to spamc
        # if this is to [EMAIL PROTECTED]
        # and ONLY to [EMAIL PROTECTED]
        # then force a spam report even if the message isn't spam
        if (
            @Recipients == 1 and
            $Recipients[0] =~ /^[EMAIL PROTECTED]?$/i
        ) {
            $forcespamreport = 1;
        }

        # spamc options
        # -r shows a report only if it's spam
        # -R shows a report whether it's spam or not
        my $r = ($forcespamreport ? "-R" : "-r");
        my $report = `spamc $r < ./FORSPAMC`;
        unlink('./FORSPAMC');

        if ($report eq "") {
            # not spam! nothing to do.
        } elsif (
            $report =~ /^
                Score: \t ([\d\.]+?) \n
                Required: \t ([\d\.]+?) \n
                Tests: \t ([\w,]+?) \n
                \n
            /x
        ) {
            my $score = $1;
            my $required = $2;
            my $tests = $3;
            my $stars = "*" x ($score < 40 ? int($score) : 40);

            if ($forcespamreport) {
                action_add_part(
                    $entity, "text/plain", "-suggest",
                    $report . "\n", "SpamAssassinReport.txt", "inline"
                );
            }

            if ($score >= $required) {
                action_change_header(
                    "X-Spam-Score",
                    $stars . " (" . $score . ") " . $tests
                );
                action_delete_all_headers("Subject");
                action_add_header( "Subject",
RE: [Mimedefang] Requesting help making a mod to my filter
Fred wrote:
> Hello, I would like to modify my filter to include the scores for the
> spamassassin tests next to the name of the test, Using SA config options
> you can make your X-Spam-Score line look like this:
> BAYES_50=0.001,HTML_MESSAGE=0.0001,FOO=1.0, etc.
>
> Is it possible to reproduce this in the mimedefang-filter?

This is a mimedefang.pl hack that might work for you. Untested.

    sub spam_assassin_check (;$) {
        my($status) = spam_assassin_status(@_);
        return undef if (!defined($status));

        my $hits = $status->get_hits;
        my $req = $status->get_required_hits();
        # CHANGE LINE
        # my $tests = $status->get_names_of_tests_hit();
        my $tests = $status->get_tag("TESTSSCORES");
        my $report = $status->get_report();

        $status->finish();

        # $tests now carries the NAME=score pairs
        return ($hits, $req, $tests, $report);
    }

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer

Re: [Mimedefang] MX - 127.0.0.1
On Mon, Oct 24, 2005 at 05:07:40AM -0400, Kevin A. McGrail wrote:

So for example, we don't reject outright on private IP space in MX records, as long as there are other reachable addresses too.

I chose to only check the primary MX because my analysis showed that it was likely to be a good test to get rid of unwanted junk mail. I also agree with you and do not personally bounce based on privatized IP usage but I think I see what you are saying.

Well, it's worth taking an extra look at it, we block just over 2000 mails per day that have MX records only to private IP space (versus 34000 for localhost MX, and 65000 for non-resolving MX records). For example, see geg.com as an example of private IP space MX records.

- sendmail (and possibly other MTAs) will actually understand this grossly wrong MX record:

    example.com. IN MX 10 12.34.56.78.

And use the hostname there as the IP address. (Of course, if you want your MTA to help fight for a better world, you'd probably want to RST your TCP connection to any loser mailing from such a domain with a christmas tree of death packet. But I digress...)

Technically, DNS handles this as a CNAME which isn't RFC compliant for email but I'm choosing to follow sendmail's lax interpretation to prevent false positives. I believe this will definitely now pass v2 of the check stub.

It passes because the A query of that name gives an error (NXDOMAIN), and when that happens you get to the point in the code where it says #THE ANSWER COULDN'T BE RESOLVED (I think... you have deeply nested code! It's not illegal to put stuff in subroutines occasionally, did you know that? :). But you might want to bounce in case that record doesn't resolve, but still allow mail from the occasional idi...eh...MCSE behind the buttons who accidentally puts an IP address in the MX record.

- if an MX record doesn't resolve at all, you can also consider it a malicious error (this one is quite common even).

I'm dropping that at a sendmail level and expect others to do so as well. Therefore, I'm considering a non-resolve as an internal problem or timeout issue. Since I set the timeout to only 4 seconds for DNS queries, I'm aiming for a shotgun, get a lot of bad guys approach.

I don't believe sendmail can reject that case. I'm not talking about the domain not resolving at all, I'm talking about the case where the domain itself doesn't resolve (like MAIL From:[EMAIL PROTECTED]), but where the domain resolves and has MX records, but those MX records do not resolve. See for example: tennesseen.com or .com We count about 65000 per day of these mails, about twice as much as localhost MX.

- The domain could be in the form [127.0.0.1], causing your MX lookup to fail (in which case you currently accept).

Can you give me an example email address that has DNS that does this?

Sure. [EMAIL PROTECTED] should send mail to yourself (or rather your postmaster, I'm assuming that's you :) (In doing so... I notice that we aren't even accepting mail addressed to [EMAIL PROTECTED] nobody complained so far. But that's why I cannot give you a real working remote email address of this form right now).

- The domain could even be [IPv6:::1234:5678:9abc:def0] (but we currently reject this, it's too obscure).

Can you give me an example email address that has DNS that does this?

Not a working one, offhand, again, [EMAIL PROTECTED]:::1] should reach yourself, provided you have IPv6 working and your MTA listening on IPv6

- This specific syntax:

    example.com IN MX 0 .

is commonly understood to mean this domain does not do email at all, So we currently only block on MX 0 . when it's the only MX record (or only one in a set of equal preferenced records).

I've implemented a basic check for this, thanks for the detailed info. I am only blocking if the MX at priority 0 is a period (which translates as blank).

Hmm, you might want to be relaxed about the priority. Even though in http://www.ietf.org/internet-drafts/draft-delany-nullmx-00.txt Mark Delany specifies a priority of 0, he's now using a priority of 1 himself in the yahoo.com zones. See for example the domain: web54410.mail.yahoo.com

- We explicitly test for lone hostnames and non-existing TLDs to give understandable error messages. These cases are usually due to incompetence, and the reject messages are actually read by users.

I believe sendmail's resolution checks will bounce non-existent TLDs but what is a lone hostname?

A hostname without a domainname, so, anything that isn't a FQDN. For example, someone is repeatedly trying to mail us as MAIL From:[EMAIL PROTECTED], which we don't accept. Note that I only give this error after checking if accidentally this isn't a tld with MX records. Yes, those exist... the primary MX of va. is lists.vatican.va, and it just told me:

    RCPT To:[EMAIL PROTECTED]
    250 Ok

Interesting... not only does God exist (and proves He exists,
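
The MX cases discussed in this message (private-only, localhost, an IP address in the exchange field, null MX at any preference, MX names that do not resolve) can be folded into one classifier. This is an added example, not code from the thread or from MIMEDefang; the resolver table, host names, addresses and the names `addr_class` and `classify_mx` are constructed for illustration.

```perl
use strict;
use warnings;
# Constructed stand-in for DNS A lookups (hypothetical names, sample addresses).
my %A = (
    'mx1.example.net'  => ['192.0.2.10'],
    'mx2.example.net'  => ['10.1.2.3'],
    'loop.example.net' => ['127.0.0.1'],
);

sub addr_class {
    my ($ip) = @_;
    return 'loopback' if $ip =~ /^127\./;
    return 'private'  if $ip =~ /^(?:10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)/;
    return 'public';
}

# $mx is an array ref of [preference, exchange] pairs from the MX lookup.
sub classify_mx {
    my ($mx) = @_;
    return 'no-mx' unless @$mx;
    # Null MX: "." alone at the best preference, whatever that preference is.
    my ($best) = sort { $a <=> $b } map { $_->[0] } @$mx;
    my @top = grep { $_->[0] == $best } @$mx;
    return 'null-mx' if @top == 1 && $top[0][1] eq '.';

    my %n = (public => 0, private => 0, loopback => 0);
    for my $rr (@$mx) {
        (my $host = lc $rr->[1]) =~ s/\.$//;
        next if $host eq '';
        # An IP address as the exchange is wrong, but sendmail uses it as the address.
        my @ips = $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ ? ($host) : @{ $A{$host} || [] };
        $n{ addr_class($_) }++ for @ips;
    }
    return 'ok'             if $n{public};     # at least one reachable MX
    return 'private-only'   if $n{private};
    return 'localhost-only' if $n{loopback};
    return 'unresolvable';                     # MX records exist, none resolve
}

my @cases = (
    [ 'public + private' => [ [10, 'mx1.example.net.'], [20, 'mx2.example.net.'] ] ],
    [ 'private only'     => [ [10, 'mx2.example.net.'] ] ],
    [ 'localhost'        => [ [10, 'loop.example.net.'] ] ],
    [ 'IP in MX'         => [ [10, '192.0.2.25.'] ] ],
    [ 'null MX, pref 1'  => [ [1,  '.'] ] ],
    [ 'dangling MX'      => [ [10, 'gone.example.net.'] ] ],
);
printf "%-18s %s\n", $_->[0], classify_mx($_->[1]) for @cases;
```

In a real filter the `%A` table would be replaced by live A lookups with a short timeout, and a lookup timeout should be kept distinct from NXDOMAIN so that a resolver outage does not turn into rejections.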
Re: [Mimedefang] Please review: new Spamc feature
On Mar 17, 5:37am, [EMAIL PROTECTED] wrote:
}
} I've broken down and coded a mimedefang-filter that calls spamc
} instead of use'ing Mail::SpamAssassin.
}
} I'd ideally like to post this on the wiki for those who might find it
} useful... but I'm interested in feedback first. Can you glance over
} the code and tell me what you think?
}
} The idea is to trim down the MIMEDefang threads to be lightweight, so
} I can make a whole lot of them. I do all sorts of things w/
} MIMEDefang besides spam-scan, and while the MIMEDefang threads are
} doing all these things, that SpamAssassin module is sitting there
} idle, but taking up space. I do have a performance hit from spawning
} the spamc process, but I thought I'd experiment to see if the
} tradeoff is a net benefit or loss.

Why don't you create a function to call spamd directly, similar to the way that MIMEDefang calls clamd? That way, you won't have the spamc process overhead?

}-- End of excerpt from [EMAIL PROTECTED]

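
Talking to spamd directly, as suggested above, means speaking its line-based request/response protocol instead of forking spamc. The following is an added example, not code from the thread or from MIMEDefang: it builds a request and parses a response offline; the function names, the sample message and the sample response are constructed, and the socket handling (spamd listens on TCP port 783 by default) is left out.

```perl
use strict;
use warnings;

# Build a spamd request. $cmd is a spamd command such as SYMBOLS or REPORT_IFSPAM.
# $msg must be a byte string, since Content-length counts bytes.
sub spamd_request {
    my ($cmd, $msg, $user) = @_;
    my $req = "$cmd SPAMC/1.2\r\n";
    $req .= "User: $user\r\n" if defined $user;
    $req .= "Content-length: " . length($msg) . "\r\n\r\n";
    return $req . $msg;
}

# Parse a spamd response. Returns (is_spam, score, required, body),
# or an empty list when the status line is not EX_OK or no Spam: header is found.
sub parse_spamd_response {
    my ($resp) = @_;
    my ($head, $body) = split /\r?\n\r?\n/, $resp, 2;
    return unless defined $head;
    my ($status, @hdrs) = split /\r?\n/, $head;
    return unless defined $status && $status =~ m{^SPAMD/[\d.]+\s+0\s+EX_OK};
    for (@hdrs) {
        next unless m{^Spam:\s*(True|False)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)}i;
        return (lc($1) eq 'true' ? 1 : 0, $2, $3, defined $body ? $body : '');
    }
    return;
}

# Constructed message and constructed SYMBOLS response, for an offline run.
my $msg  = "Return-Path: <sender\@example.org>\r\nSubject: test\r\n\r\nbody\r\n";
my $resp = "SPAMD/1.1 0 EX_OK\r\nContent-length: 25\r\n"
         . "Spam: True ; 7.3 / 5.0\r\n\r\nBAYES_50,HTML_MESSAGE,FOO";

print spamd_request('SYMBOLS', $msg, 'defang') =~ /\A(.*?\r\n\r\n)/s ? $1 : '';

my ($is_spam, $score, $required, $tests) = parse_spamd_response($resp)
    or die "unexpected spamd response\n";
# Same header layout as the spamc-based filter earlier in the thread.
my $stars = '*' x ($score < 40 ? int($score) : 40);
print "X-Spam-Score: $stars ($score) $tests\n" if $is_spam;
```

The message sent to spamd should be the same file the spamc version scans, that is INPUTMSG with the synthesized Return-Path and Received headers prepended.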
Re: [Mimedefang] Please review: new Spamc feature
On Tue, 2005-10-25 at 11:01 -0700, [EMAIL PROTECTED] wrote:
> I do all sorts of things w/ MIMEDefang besides spam-scan, and while the
> MIMEDefang threads are doing all these things, that SpamAssassin module
> is sitting there idle, but taking up space.

Use the embedded Perl feature of MIMEDefang and use compile_now() from SpamAssassin. That way, the SpamAssassin initialization is done once. fork() on Linux (and Unix in general, I believe) is very lightweight. The SpamAssassin stuff in memory will be shared by all the threads.

I do this, and ... unless I'm very confused ;) ... it saves TONS of memory.

Richard