RE: [qmailtoaster] Re: Spam Help Plz
Good point Eric... I didn't think of this, since I'm not yet using the QMT in production, and am still using Qmailrocks (Is that a 4 letter word around here? :-) ) w/Spamdyke set to handle TLS directly... So, in my case, only Spamdyke is handling TLS, since my Qmail doesn't support it. (I don't think I ever configured it, or installed the patch, or whatever... I forget now!)

I didn't like the way Spamdyke worked when allowing the TLS connection to bypass it, so I felt it better to have Spamdyke offer TLS, and then still be able to utilize all of its filters. Although, I think most of its filters would still work, those based on the initial SMTP connection (RBLs etc.), but graylisting, white/black listed senders/recipients, etc. would not, so it could be exploited to some degree.

I still think the best way to determine your issue Raphael is to provide the e-mail headers... :-) I've got my users trained... When they have any issues, either with spam getting through, or someone trying to send e-mail to them getting a bounce, they send me headers. Usually makes short work of figuring out the problem.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric Shubert
Sent: Thursday, November 05, 2009 11:02 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Spam Help Plz

Rafael Andrade wrote:
Hello all,
I've been using qmailtoaster for two years, and I'm very satisfied... some days ago my users started receiving lots of spam, tagged in the subject (spamassassin) or not. What could I do to get better? Actually I'm using Qmailtoaster + Spamdyke with greylist. Excuse my English.
My confs below:

cat /etc/tcprules.d/tcp.smtp
127.:allow,RELAYCLIENT=
192.168.1.:allow,RELAYCLIENT=,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=120,CHKUSER_WRONGRCPTLIMIT=10,DKVERIFY=DEGIJKfh,QMAILQUEUE=/var/qmail/bin/simscan,DKQUEUE=,DKSIGN=/var/qmail/control/domainkeys/%/private,NOP0FCHECK=1
xxx.xx.xx.xx:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=120,CHKUSER_WRONGRCPTLIMIT=10,DKVERIFY=DEGIJKfh,QMAILQUEUE=/var/qmail/bin/simscan,DKQUEUE=,DKSIGN=/var/qmail/control/domainkeys/%/private,NOP0FCHECK=1
:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,QMAILQUEUE=/var/qmail/bin/simscan,DKSIGN=/var/qmail/control/domainkeys/%/private,NOP0FCHECK=1

cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,attach=.zip:.rar:.com:.vbs:.bat:.lnk:.scr:.pif:.mpeg:.wmv:.reg:.asx:.mpg:.txt.scr:.pif.scr:.adb:.asp:.dbx:.php:.pl:.scs:.sht:.tbb:.uin:.vbs:.wab:.txt.bat:.txt.scr:.mpe:.flv:.pps:.exe:.dwr:.mp3:.wav:.cda:.iso:.avi:.mpeg:.mp4:.bak:.dwg:.ipj:.iam:.idw:.ipt

cat /etc/spamdyke/spamdyke.conf
# rbl
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=dnsbl.sorbs.net
dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=ix.dnsbl.manitu.net
dns-blacklist-entry=cbl.abuseat.org
dns-blacklist-entry=dnsbl.njabl.org
# graylist
#graylist-dir=/etc/spamdyke/graylist.d
graylist-dir=/home/vpopmail/graylist.d
graylist-level=always
graylist-max-secs=2678400
graylist-min-secs=180
greeting-delay-secs=5
local-domains-file=/var/qmail/control/rcpthosts
#log-level=debug
log-level=info
log-target=syslog
#log-target=stderr
max-recipients=50
#policy-url=http://my.policy.explanation.url/
reject-empty-rdns
#reject-ip-in-cc-rdns
reject-missing-sender-mx
reject-unresolvable-rdns
tls-certificate-file=/var/qmail/control/servercert.pem
# blacklist and whitelist ip
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-whitelist-file=/etc/spamdyke/whitelist_ip
# blacklist and whitelist keywords
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
# blacklist and whitelist senders
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
# blacklist and whitelist rdns
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
# whitelist dns
dns-whitelist-file=/etc/spamdyke/whitelist_dns
# blacklist and whitelist recipients
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients

Raphael, I just came across what I think is a possible hole in spamdyke's configuration. I've been reading through the documentation regarding TLS, and it appears that with no tls-level option specified, if a spammer were to use TLS (advertised by qmail), spamdyke would be unable to use several of its filters because the data is encrypted passing through spamdyke to qmail-smtp. If you add tls-level=smtp to the spamdyke configuration file, this will cause spamdyke
[qmailtoaster] Re: Spam Help Plz
Thanks, Michael. I agree. I just happened to think of this as I was communicating with Sam about adding an option to spamdyke which will require TLS before authentication. Would be a nice enhancement. Dovecot can do this.

Michael Colvin wrote:
Good point Eric... I didn't think of this, since I'm not yet using the QMT in production, and am still using Qmailrocks (Is that a 4 letter word around here? :-) ) w/Spamdyke set to handle TLS directly... So, in my case, only Spamdyke is handling TLS, since my Qmail doesn't support it. (I don't think I ever configured it, or installed the patch, or whatever... I forget now!)

I didn't like the way Spamdyke worked when allowing the TLS connection to bypass it, so I felt it better to have Spamdyke offer TLS, and then still be able to utilize all of its filters. Although, I think most of its filters would still work, those based on the initial SMTP connection (RBLs etc.), but graylisting, white/black listed senders/recipients, etc. would not, so it could be exploited to some degree.

I still think the best way to determine your issue Raphael is to provide the e-mail headers... :-) I've got my users trained... When they have any issues, either with spam getting through, or someone trying to send e-mail to them getting a bounce, they send me headers. Usually makes short work of figuring out the problem.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric Shubert
Sent: Thursday, November 05, 2009 11:02 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Spam Help Plz

Rafael Andrade wrote:
Hello all,
I've been using qmailtoaster for two years, and I'm very satisfied... some days ago my users started receiving lots of spam, tagged in the subject (spamassassin) or not. What could I do to get better? Actually I'm using Qmailtoaster + Spamdyke with greylist. Excuse my English.
[...]
Re: [qmailtoaster] Re: Spam Help Plz
On 05.11.2009 20:02, Eric Shubert wrote:
I just came across what I think is a possible hole in spamdyke's configuration. I've been reading through the documentation regarding TLS, and it appears that with no tls-level option specified, if a spammer were to use TLS (advertised by qmail), spamdyke would be unable to use several of its filters because the data is encrypted passing through spamdyke to qmail-smtp.
[...]

I don't think so. From http://www.spamdyke.org/documentation/README.html :
"If tls-level is not given, spamdyke will use a value of smtp."

--
Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578
Re: [qmailtoaster] Re: Spam Help Plz
See response below;

Aleksander Podsiadly wrote:
On 05.11.2009 20:02, Eric Shubert wrote:
I just came across what I think is a possible hole in spamdyke's configuration. I've been reading through the documentation regarding TLS, and it appears that with no tls-level option specified, if a spammer were to use TLS (advertised by qmail), spamdyke would be unable to use several of its filters because the data is encrypted passing through spamdyke to qmail-smtp.
[...]

I don't think so. From http://www.spamdyke.org/documentation/README.html :
"If tls-level is not given, spamdyke will use a value of smtp."
--

Elsewhere on the same page:
"First, with no TLS options given, spamdyke will identify a TLS conversation and simply pass the data back and forth between qmail and the remote client."

Can you say Ambiguous?

Hey, HOW's about those headers so we can help solve this problem???

Kent Busbee
Director of Technology
Northlake Christian School

---------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
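The exchange above comes down to one question: is spamdyke itself terminating the TLS session (so its sender, recipient and graylist checks still see the dialogue) or is it passing an encrypted stream straight to qmail? The README is ambiguous about the default, so the practical answer is to set tls-level explicitly. The checker below is an added example, not code from this thread or from spamdyke. It parses a spamdyke.conf in the format Rafael posted (one option per line, `key=value` or a bare flag, `#` comments, repeated options accumulating) and reports when dialogue-based filters are configured without an explicit tls-level, or when tls-level asks spamdyke to offer TLS without a tls-certificate-file. The value names none/smtp/smtps and the meaning of tls-level=none are my reading of the README, and `#` is assumed never to occur inside a value.

```python
"""Check a spamdyke.conf for the TLS ambiguity discussed in the thread.

Added example; not code from the thread or from spamdyke.  Assumptions:
one option per line, either "key=value" or a bare flag, "#" starts a
comment, repeated options accumulate, and tls-level takes the values
none, smtp or smtps as named in the spamdyke README.
"""

# Constructed sample modelled on the options Rafael posted: a certificate
# and several dialogue-based filters are configured, tls-level is not.
SAMPLE_CONF = """\
# rbl
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=zen.spamhaus.org
# graylist
graylist-dir=/home/vpopmail/graylist.d
graylist-level=always
reject-empty-rdns
reject-unresolvable-rdns
tls-certificate-file=/var/qmail/control/servercert.pem
sender-blacklist-file=/etc/spamdyke/blacklist_senders
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
"""

# Filters that must read the SMTP dialogue (MAIL FROM / RCPT TO) rather
# than only the connecting IP and its rDNS.  These are the ones Michael
# and Eric say cannot work if an encrypted session is handed to qmail.
DIALOGUE_FILTERS = (
    "graylist-level",
    "sender-blacklist-file", "sender-whitelist-file",
    "recipient-blacklist-file", "recipient-whitelist-file",
)


def parse_spamdyke_conf(text):
    """Return {option: [values]}; a bare flag is stored as [True]."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumes "#" never appears in a value
        if not line:
            continue
        key, sep, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip() if sep else True)
    return conf


def audit_tls(conf):
    """Return findings about whether the dialogue filters can see TLS sessions."""
    findings = []
    level = conf.get("tls-level", [None])[-1]      # last occurrence wins (assumption)
    affected = [k for k in DIALOGUE_FILTERS if k in conf]
    names = ", ".join(affected)
    if level is None and affected:
        findings.append(
            "tls-level is not set; add tls-level=smtp so spamdyke terminates TLS "
            "itself and %s can still read the dialogue" % names)
    elif level == "none" and affected:
        findings.append(
            "tls-level=none leaves TLS to qmail; a sender that negotiates TLS is "
            "passed through and %s cannot read its dialogue" % names)
    if level in ("smtp", "smtps") and "tls-certificate-file" not in conf:
        findings.append(
            "tls-level=%s needs tls-certificate-file, or spamdyke cannot offer TLS" % level)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit_tls(parse_spamdyke_conf(text)) or ["no TLS findings"]:
        print(finding)
```

Run it with the path to the real file (`python3 spamdyke_tls_check.py /etc/spamdyke/spamdyke.conf`; the file name is mine) or with no argument to see it flag the constructed sample. It deliberately does not guess what an unset tls-level means; it only asks for the setting to be made explicit, which is what resolves the disagreement between the two README sentences.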
[qmailtoaster] Re: Spam Help Plz
I seem to recall asking before, but am not sure. Is there a version of this script that works with stderr/smtp logs?

Brent Gardner wrote:
Thanks!

Rafael Andrade wrote:
Excuse for the delay. The spamdyke-stats code above.
usage = ./spamdyke-stats /var/log/maillog (stdout of spamdyke)

cat spamdyke-stats
#!/usr/bin/perl -w
use diagnostics;
use strict;

# Usage:
#   cat /var/log/qmail/smtpd/current | ./this_file
#   ./this_file /var/log/maillog
# Expects syslog-style lines, e.g.
#   Nov 3 13:48:42 net spamdyke[20038]: DENIED_RBL_MATCH from: ... to: ...
# The status code (ALLOWED, DENIED_*) is the first word after the third ":".

my %status = ();    # status code => number of connections
my ($allow, $deny, $spampercentage, $sum);
$allow = 0;
$deny  = 0;

while (<>) {
    my $line = $_;
    if ($line =~ m/spamdyke\[/) {
        my ($f1, $f2, $f3, $rest) = split(/:/, $line);
        next unless defined $rest;
        my ($empty, $sdstatus) = split(/ /, $rest);    # $rest starts with a space
        next unless defined $sdstatus;
        next if $sdstatus eq "CHKUSER";
        $status{$sdstatus}++;
    }
}

foreach my $stat (sort keys %status) {
    if ($stat =~ m/ALLOWED/) {
        $allow = $status{$stat};
    } else {
        $deny += $status{$stat};
    }
}

$sum = $deny + $allow;
$spampercentage = $sum ? sprintf("%.2f", $deny / $sum * 100) : "0.00";

# most frequent status first, ties in alphabetical order
foreach my $key (sort { $status{$b} <=> $status{$a} || $a cmp $b } keys %status) {
    print "$status{$key}\t$key\n";
}

print "\n";
print "Allowed: $allow \n";
print "Denied : $deny \n";
print "Sum: $sum \n";
print "% Spam : $spampercentage% \n";
#EOF

Brent Gardner wrote:
Rafael Andrade wrote:
Hello, Eric and all list,
First thank you for the answer.
My users receiving lots of spam don't have a specific sender domain, or default spam type.
My spamdyke is running, see:

spamdyke-stats /var/log/maillog
Allowed: 35619
Denied : 140729
Sum: 176348
% Spam : 79.80%
snip

Where can I find spamdyke-stats? This command intrigues me.

Brent Gardner

--
-Eric 'shubes'
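Rafael's script splits each line on ":" and so only understands the syslog layout that log-target=syslog writes to /var/log/maillog; a line from the multilog-style smtpd log that log-target=stderr produces has a tai64n timestamp and no host field, so the status lands in the wrong column. The version below is an added example (not Rafael's script and not spamdyke code) that keys on the "spamdyke[pid]:" token instead, so it reads either layout. It also pulls out the two things Eric and Michael keep asking about: which origin IPs are being ALLOWED most, and how much ALLOWED traffic comes from authenticated accounts, which is the "internal user bypassing the filters" case. The sample lines are constructed, the status names other than the two shown in the thread and the exact stderr line layout are my assumptions.

```python
"""Tally spamdyke verdicts from syslog or multilog (stderr) log lines.

Added example for this thread; not Rafael's spamdyke-stats and not spamdyke
code.  It keys on the "spamdyke[<pid>]:" token, so the syslog form that
log-target=syslog writes to /var/log/maillog (shown in the thread) and, by
assumption, the tai64n-prefixed form that log-target=stderr leaves in the
smtpd log are both accepted.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"spamdyke\[\d+\]:\s+(?P<status>\S+)\s+from:\s*(?P<sender>\S+)"
    r"\s+to:\s*(?P<rcpt>\S+)\s+origin_ip:\s*(?P<ip>\S+)"
    r"\s+origin_rdns:\s*(?P<rdns>\S+)\s+auth:\s*(?P<auth>\S+)"
)

# Constructed sample (addresses from documentation ranges): the first three
# lines use the syslog layout, the rest the multilog layout.
SAMPLE_LOG = """\
Nov  3 13:48:42 net spamdyke[20038]: DENIED_RBL_MATCH from: news@example.net to: user@example.com origin_ip: 198.51.100.7 origin_rdns: host7.example.net auth: (unknown)
Nov  3 13:48:45 net spamdyke[20041]: DENIED_GRAYLISTED from: sales@example.net to: user@example.com origin_ip: 198.51.100.9 origin_rdns: host9.example.net auth: (unknown)
Nov  3 13:49:01 net spamdyke[20044]: ALLOWED from: alice@example.org to: user@example.com origin_ip: 203.0.113.5 origin_rdns: mail.example.org auth: (unknown)
@400000004af05e1c0a1b2c3d spamdyke[20050]: ALLOWED from: bob@example.com to: one@example.net origin_ip: 192.168.1.23 origin_rdns: (unknown) auth: bob@example.com
@400000004af05e1d0b1c2d3e spamdyke[20051]: ALLOWED from: bob@example.com to: two@example.net origin_ip: 192.168.1.23 origin_rdns: (unknown) auth: bob@example.com
@400000004af05e1e0c1d2e3f spamdyke[20052]: DENIED_RDNS_MISSING from: x@example.net to: user@example.com origin_ip: 198.51.100.11 origin_rdns: (unknown) auth: (unknown)
@400000004af05e1f0d1e2f40 qmail-smtpd: some unrelated line
"""


def parse_line(line):
    """Return the verdict fields of one spamdyke log line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count verdicts and point at what an investigation should look at first."""
    status = Counter()
    allowed_by_ip = Counter()
    allowed_by_auth = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        status[rec["status"]] += 1
        if rec["status"] == "ALLOWED":
            allowed_by_ip[rec["ip"]] += 1
            # An authenticated sender skips most checks, so one account
            # sending in volume is the "internal user" case from the thread.
            if rec["auth"] != "(unknown)":
                allowed_by_auth[rec["auth"]] += 1
    allowed = status.get("ALLOWED", 0)
    denied = sum(n for s, n in status.items() if s != "ALLOWED")
    total = allowed + denied
    return {
        "status": dict(status),
        "allowed": allowed,
        "denied": denied,
        "spam_pct": round(100.0 * denied / total, 2) if total else 0.0,
        "top_allowed_ips": allowed_by_ip.most_common(5),
        "authenticated": dict(allowed_by_auth),
    }


def report(summary):
    """Format a summary in the same shape as the spamdyke-stats output."""
    out = ["%d\t%s" % (n, s) for s, n in
           sorted(summary["status"].items(), key=lambda kv: (-kv[1], kv[0]))]
    out += ["", "Allowed: %d" % summary["allowed"],
            "Denied : %d" % summary["denied"],
            "Sum: %d" % (summary["allowed"] + summary["denied"]),
            "%% Spam : %.2f%%" % summary["spam_pct"],
            "", "Most frequent ALLOWED origin IPs:"]
    out += ["  %s\t%d" % pair for pair in summary["top_allowed_ips"]]
    out += ["Authenticated senders among ALLOWED:"]
    out += ["  %s\t%d" % pair for pair in sorted(summary["authenticated"].items())]
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(report(summarize(fh)))
    else:
        print(report(summarize(SAMPLE_LOG.splitlines())))
```

Point it at /var/log/maillog or at the smtpd log's current file; on the constructed sample it reports 3 allowed, 3 denied, and shows one authenticated account behind two of the three ALLOWED connections, which is exactly the pattern worth chasing before adding more RBLs.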
Re: [qmailtoaster] Re: Spam Help Plz
Kent Busbee wrote:
Did anyone else notice that he is missing spam_hits in his config file? Does it default to something without it?

HIS:
cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,attach=.zip:.rar:.com:.vbs:.bat:.lnk:.scr:.pif:.mpeg:.wmv:.reg:.asx:.mpg:.txt.scr:.pif.scr:.adb:.asp:.dbx:.php:.pl:.scs:.sht:.tbb:.uin:.vbs:.wab:.txt.bat:.txt.scr:.mpe:.flv:.pps:.exe:.dwr:.mp3:.wav:.cda:.iso:.avi:.mpeg:.mp4:.bak:.dwg:.ipj:.iam:.idw:.ipt

MINE:
# cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,spam_hits=7,attach=.mp3:.src:.bat:.pif:.exe:.com:.cmd:.dll:.msi:.msp:.reg:.vbe:.vbs:.vxd:.wsc:.wsf:.wsh

Yes I did notice, but I'm trying to catch up on the thread. Depending on what version of simscan he's running, it will default to either 20 or 40 (40 is the newer versions, 20 being the older versions).

We really need to see the headers of a spam that got through to help any more though. Anything else is just guessing at this point.
[qmailtoaster] Re: Spam Help Plz
Rafael Andrade wrote:
Hello all,
I've been using qmailtoaster for two years, and I'm very satisfied... some days ago my users started receiving lots of spam, tagged in the subject (spamassassin) or not. What could I do to get better? Actually I'm using Qmailtoaster + Spamdyke with greylist. Excuse my English.
My confs below:
[...]

(Wow - that's a lot of RBLs)

Are you sure that spamdyke's running? I like to use log-target=stderr so I can see spamdyke's messages in the smtp log along with the other related messages. Make sure spamdyke is running.

Looks to me like you have the screws turned down pretty tight spam wise.

I think the next step would be to look at a representative sample of the spam you're receiving, to see why it's getting through. Perhaps there is a workstation or server on your network that's been compromised and is sending out the spam. Examine the headers of the spams you're receiving to see where they originate.

--
-Eric 'shubes'
[qmailtoaster] Re: Spam Help Plz
Rafael Andrade wrote:
Hello, Eric and all list,
First thank you for the answer.
My users receiving lots of spam don't have a specific sender domain, or default spam type.

The sender domain is commonly spoofed (faked), so you can't go by that. Are you certain that they are coming from outside of your domain? Check the headers on many spam messages. You need to find something in common with several of them. Verify that they're not coming from your domain. Also, are they originating from private or public addresses? You need to do some investigative type work.

My spamdyke is running, see:

spamdyke-stats /var/log/maillog
Allowed: 35619
Denied : 140729
Sum: 176348
% Spam : 79.80%

in logfile:
Nov 3 13:48:42 net spamdyke[20038]: DENIED_RBL_MATCH from: misdirecti...@hamiltoncompany.com to: cristi...@domain.com origin_ip: 84.153.125.187 origin_rdns: p54997dbb.dip.t-dialin.net auth: (unknown)

I'm using lots of RBLs to try to reduce the spam numbers but it's not working correctly.
Does anybody have some idea?
Thanks so much
Rafael

Eric Shubert wrote:
Rafael Andrade wrote:
Hello all,
I've been using qmailtoaster for two years, and I'm very satisfied... some days ago my users started receiving lots of spam, tagged in the subject (spamassassin) or not. What could I do to get better? Actually I'm using Qmailtoaster + Spamdyke with greylist. Excuse my English.
[...]
RE: [qmailtoaster] Re: Spam Help Plz
Like Eric mentioned, at this point, you need to take a look at the headers of the spam e-mails that your users are getting. You need to find something in the type of e-mails you're getting that you can filter on... Or, as also mentioned, it might be an internal user that is bypassing some of the filtering because they are authenticated...

At this point, you need to look at the specific spam, and use specific techniques to filter it, not simply add more RBLs, or blacklists, etc. It's likely that just making one small tweak will eliminate most of your spam.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

-----Original Message-----
From: Rafael Andrade [mailto:raf...@riosulense.com.br]
Sent: Tuesday, November 03, 2009 8:50 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: Spam Help Plz

Hello, Eric and all list,
First thank you for the answer.
My users receiving lots of spam don't have a specific sender domain, or default spam type.
My spamdyke is running, see:

spamdyke-stats /var/log/maillog
Allowed: 35619
Denied : 140729
Sum: 176348
% Spam : 79.80%

in logfile:
Nov 3 13:48:42 net spamdyke[20038]: DENIED_RBL_MATCH from: misdirecti...@hamiltoncompany.com to: cristi...@domain.com origin_ip: 84.153.125.187 origin_rdns: p54997dbb.dip.t-dialin.net auth: (unknown)

I'm using lots of RBLs to try to reduce the spam numbers but it's not working correctly.
Does anybody have some idea?
Thanks so much
Rafael

Eric Shubert wrote:
Rafael Andrade wrote:
Hello all,
I've been using qmailtoaster for two years, and I'm very satisfied... some days ago my users started receiving lots of spam, tagged in the subject (spamassassin) or not. What could I do to get better? Actually I'm using Qmailtoaster + Spamdyke with greylist. Excuse my English.
[...]
RE: [qmailtoaster] Re: Spam Help Plz
Did anyone else notice that he is missing spam_hits in his config file? Does it default to something without it?

HIS:
cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,attach=.zip:.rar:.com:.vbs:.bat:.lnk:.scr:.pif:.mpeg:.wmv:.reg:.asx:.mpg:.txt.scr:.pif.scr:.adb:.asp:.dbx:.php:.pl:.scs:.sht:.tbb:.uin:.vbs:.wab:.txt.bat:.txt.scr:.mpe:.flv:.pps:.exe:.dwr:.mp3:.wav:.cda:.iso:.avi:.mpeg:.mp4:.bak:.dwg:.ipj:.iam:.idw:.ipt

MINE:
# cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,spam_hits=7,attach=.mp3:.src:.bat:.pif:.exe:.com:.cmd:.dll:.msi:.msp:.reg:.vbe:.vbs:.vxd:.wsc:.wsf:.wsh

See response above;

Michael Colvin wrote:
Like Eric mentioned, at this point, you need to take a look at the headers of the spam e-mails that your users are getting. You need to find something in the type of e-mails you're getting that you can filter on... Or, as also mentioned, it might be an internal user that is bypassing some of the filtering because they are authenticated...

At this point, you need to look at the specific spam, and use specific techniques to filter it, not simply add more RBLs, or blacklists, etc. It's likely that just making one small tweak will eliminate most of your spam.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

-----Original Message-----
From: Rafael Andrade [mailto:raf...@riosulense.com.br]
Sent: Tuesday, November 03, 2009 8:50 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: Spam Help Plz

Hello, Eric and all list,
First thank you for the answer.
My users receiving lots of spam don't have a specific sender domain, or default spam type.
[...]
RE: [qmailtoaster] Re: Spam Help Plz
> Did anyone else notice that he is missing spam_hits in his config file? Does it default to something without it?

I believe it defaults to 5 or something similar. It would only affect SpamAssassin anyway, and I've come to not really rely on SpamAssassin to block most of my spam. SpamDyke catches nearly all of it. If he's getting a lot of spam through, SpamAssassin is likely not the answer; blocking it with SpamDyke is. :-)

Mike

> HIS:
>
> cat /var/qmail/control/simcontrol
> :clam=yes,spam=yes,attach=.zip:.rar:.com:.vbs:.bat:.lnk:.scr:.pif:.mpeg:.wmv:.reg:.asx:.mpg:.txt.scr:.pif.scr:.adb:.asp:.dbx:.php:.pl:.scs:.sht:.tbb:.uin:.vbs:.wab:.txt.bat:.txt.scr:.mpe:.flv:.pps:.exe:.dwr:.mp3:.wav:.cda:.iso:.avi:.mpeg:.mp4:.bak:.dwg:.ipj:.iam:.idw:.ipt
>
> MINE:
>
> # cat /var/qmail/control/simcontrol
> :clam=yes,spam=yes,spam_hits=7,attach=.mp3:.src:.bat:.pif:.exe:.com:.cmd:.dll:.msi:.msp:.reg:.vbe:.vbs:.vxd:.wsc:.wsf:.wsh
>
> See response above;
>
> [...]
Re: [qmailtoaster] Re: Spam Help Plz
Hi Rafael,

Why have you disabled the spamdyke ip-in-cc-rdns check?

#reject-ip-in-cc-rdns

This spamdyke rule catches about 30% of incoming mails, because they come from dynamic addresses.

Andreas

On Tuesday 03 November 2009 18:44:15, Michael Colvin wrote:
>> Did anyone else notice that he is missing spam_hits in his config file? Does it default to something without it?
>
> I believe it defaults to 5 or something similar. It would only affect SpamAssassin anyway, and I've come to not really rely on SpamAssassin to block most of my spam. SpamDyke catches nearly all of it. If he's getting a lot of spam through, SpamAssassin is likely not the answer; blocking it with SpamDyke is. :-)
>
> Mike
>
> [...]
Re: [qmailtoaster] Re: Spam Help Plz
Rafael Andrade wrote:
> Hello, Eric and all list,
>
> First, thank you for the answer.
>
> The spams my users are receiving don't have a specific sender domain or default spam type.
>
> My spamdyke is running, see:
>
> spamdyke-stats /var/log/maillog
> Allowed: 35619
> Denied : 140729
> Sum: 176348
> % Spam : 79.80%
<snip>

Where can I find spamdyke-stats? This command intrigues me.

Brent Gardner

---------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
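Whatever spamdyke-stats turns out to be on Rafael's box, the numbers it prints are just a tally of spamdyke's ALLOWED and DENIED_* syslog lines. The script below is an added example, not spamdyke-stats and not anything from the thread: it reproduces that tally from the log format quoted above (DENIED_RBL_MATCH ... origin_ip: ... origin_rdns: ... auth: ...) and adds the two breakdowns Michael's advice actually needs, which denial reasons are doing the work and which ALLOWED messages came from an authenticated (SMTP AUTH) sender, since those bypass most of spamdyke's filters. The log lines are constructed; the denial reason names other than DENIED_RBL_MATCH are assumed from spamdyke's usual log vocabulary, so compare against your own maillog.

```python
import re
from collections import Counter

# Constructed sample in the layout of spamdyke's log-target=syslog lines; the
# addresses and IPs are made up, and one clamd line is mixed in to be ignored.
SAMPLE_MAILLOG = """\
Nov  3 13:48:42 net spamdyke[20038]: DENIED_RBL_MATCH from: promo@spam.example to: user1@example.com origin_ip: 84.153.125.187 origin_rdns: p54997dbb.dip.t-dialin.net auth: (unknown)
Nov  3 13:48:50 net spamdyke[20041]: ALLOWED from: bob@example.org to: user1@example.com origin_ip: 192.0.2.25 origin_rdns: mx1.example.org auth: (unknown)
Nov  3 13:49:01 net clamd[1234]: SelfCheck: Database status OK.
Nov  3 13:49:03 net spamdyke[20045]: DENIED_GRAYLISTED from: news@example.net to: user2@example.com origin_ip: 198.51.100.9 origin_rdns: mail.example.net auth: (unknown)
Nov  3 13:49:10 net spamdyke[20050]: DENIED_RDNS_MISSING from: x@spam.example to: user2@example.com origin_ip: 203.0.113.77 origin_rdns: (unknown) auth: (unknown)
Nov  3 13:49:30 net spamdyke[20052]: ALLOWED from: bulk@spam.example to: user3@example.com origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: alice@example.com
"""

# Field layout as shown in the thread: verdict, from, to, origin_ip, origin_rdns, auth.
LINE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>ALLOWED|DENIED_\w+)"
    r" from: (?P<sender>\S+) to: (?P<recipient>\S+)"
    r" origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)"
)


def parse_line(line):
    """Return the fields of one spamdyke log line, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Tally ALLOWED/DENIED the way spamdyke-stats prints them, plus the denial
    reasons and the ALLOWED messages that came in over SMTP AUTH."""
    allowed = denied = 0
    by_reason = Counter()
    authenticated = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["verdict"] == "ALLOWED":
            allowed += 1
            if rec["auth"] != "(unknown)":
                # Authenticated clients skip graylisting and most rejections; a
                # compromised user password shows up here as an allowed spam source.
                authenticated.append((rec["auth"], rec["sender"], rec["ip"]))
        else:
            denied += 1
            by_reason[rec["verdict"][len("DENIED_"):]] += 1
    total = allowed + denied
    pct = round(100.0 * denied / total, 2) if total else 0.0
    return {
        "allowed": allowed,
        "denied": denied,
        "total": total,
        "pct_spam": pct,
        "by_reason": dict(by_reason),
        "authenticated": authenticated,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MAILLOG)
    print(f"Allowed: {s['allowed']}\nDenied : {s['denied']}\nSum: {s['total']}\n% Spam : {s['pct_spam']:.2f}%")
    for reason, n in sorted(s["by_reason"].items()):
        print(f"  DENIED_{reason}: {n}")
    for auth, sender, ip in s["authenticated"]:
        print(f"  authenticated sender {auth} ({sender} from {ip}) bypassed filtering")
```

Run it against the real file with `summarize(open("/var/log/maillog").read())`. The "% Spam" figure is denied/total, which is how 140729 of 176348 comes out as 79.80%; note that it only counts connections spamdyke saw, so spam that arrives authenticated, or via a route that skips spamdyke, is invisible to it except through the authenticated list.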
Re: [qmailtoaster] Re: Spam Help Plz
Eric Shubert wrote:
> Rafael Andrade wrote:
>> [...]
>> # blacklist and whitelist keywords
>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
>> ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
>> # blacklist and whitelist senders
>> sender-blacklist-file=/etc/spamdyke/blacklist_senders
>> sender-whitelist-file=/etc/spamdyke/whitelist_senders
>> # blacklist and whitelist rdns
>> rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
>> rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
>> # whitelist dns
>> dns-whitelist-file=/etc/spamdyke/whitelist_dns
>> # blacklist and whitelist recipients
>> recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
>> recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
>> ---------------------------------------------------------------------
>
> (Wow - that's a lot of RBLs)
>
> Are you sure that spamdyke's running? I like to use log-target=stderr so I can see spamdyke's messages in the smtp log along with the other related messages. Make sure spamdyke is running.
>
> Looks to me like you have the screws turned down pretty tight spam-wise. I think the next step would be to look at a representative sample of the spam you're receiving, to see why it's getting through. Perhaps there is a workstation or server on your network that's been compromised and is sending out the spam
[qmailtoaster] Re: Spam Help Plz
Kent Busbee wrote:
> Did anyone else notice that he is missing spam_hits in his config file? Does it default to something without it?

Yes.

[r...@doris documentation]# rpm -qi simscan-toaster
Name        : simscan-toaster              Relocations: (not relocatable)
Version     : 1.4.0                        Vendor: (none)
Release     : 1.3.8                        Build Date: Sat 03 Oct 2009 09:50:36 AM MST
Install Date: Sat 03 Oct 2009 10:03:58 AM MST      Build Host: doris.shubes
Group       : Networking/Other             Source RPM: simscan-toaster-1.4.0-1.3.8.src.rpm
Size        : 113364                       License: GPL
Signature   : (none)
Packager    : Jake Vickers j...@qmailtoaster.com
URL         : http://www.inter7.com/vpopmail
Summary     : Simscan for qmail-toaster
Description :
SimScan is a simplified scanner for qmail similar to qmail-scanner and qscand. It uses clamav, trophie, and/or spamassassin. It also supports attachment blocking by extension. Simscan is written entirely in C to ensure maximum speed. There are several options to allow simscan to scan per domain, and reject spam mail.

Current settings
----------------
user                        = clamav
qmail directory             = /var/qmail
work directory              = /var/qmail/simscan
control directory           = /var/qmail/control
qmail queue program         = /var/qmail/bin/qmail-queue
clamdscan program           = /usr/bin/clamdscan
clamav scan                 = ON
trophie scanning            = OFF
attachement scan            = ON
ripmime program             = /usr/bin/ripmime
custom smtp reject          = ON
drop message                = OFF
regex scanner               = OFF
quarantine processing       = OFF
domain based checking       = ON
add received header         = ON
spam scanning               = ON
spamc program               = /usr/bin/spamc
spamc arguments             =
spamc user                  = OFF
authenticated users scanned = OFF
spam passthru               = OFF
spam hits                   = 40

Current simcontrol config
-------------------------
:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif
[r...@doris documentation]#

> HIS:
>
> cat /var/qmail/control/simcontrol
> :clam=yes,spam=yes,attach=.zip:.rar:.com:.vbs:.bat:.lnk:.scr:.pif:.mpeg:.wmv:.reg:.asx:.mpg:.txt.scr:.pif.scr:.adb:.asp:.dbx:.php:.pl:.scs:.sht:.tbb:.uin:.vbs:.wab:.txt.bat:.txt.scr:.mpe:.flv:.pps:.exe:.dwr:.mp3:.wav:.cda:.iso:.avi:.mpeg:.mp4:.bak:.dwg:.ipj:.iam:.idw:.ipt
>
> MINE:
>
> # cat /var/qmail/control/simcontrol
> :clam=yes,spam=yes,spam_hits=7,attach=.mp3:.src:.bat:.pif:.exe:.com:.cmd:.dll:.msi:.msp:.reg:.vbe:.vbs:.vxd:.wsc:.wsf:.wsh
>
> See response above;
>
> [...]
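The rpm -qi output above answers Kent's question with a number, "spam hits = 40", and that number matters: a simcontrol line with spam=yes and no spam_hits rejects nothing until SpamAssassin scores a message at 40, which almost no spam reaches, so tagging happens but rejection effectively never does. The parser below is an added example, not simscan's code: it reads simcontrol with the same key:option=value,... layout shown in the thread (splitting on the first ':' only, because the attach= value uses ':' internally), resolves which entry applies to a recipient, and reports the threshold that is really in force. The sample file is constructed, the 40 is taken from the rpm output above and is a build-time value, and the lookup order full address, then domain, then default is what simscan's documentation describes and is assumed here.

```python
# Constructed simcontrol, not Rafael's or Eric's file: the default line (empty
# key) enables SpamAssassin without a threshold, one domain sets its own, and
# one address opts out of spam scanning entirely.
SAMPLE_SIMCONTROL = """\
:clam=yes,spam=yes,attach=.zip:.rar:.exe:.scr
example.com:clam=yes,spam=yes,spam_hits=7,attach=.exe:.scr
postmaster@example.com:clam=yes,spam=no
"""

# Compiled-in fallback shown by `rpm -qi simscan-toaster` ("spam hits = 40").
# It is fixed at build time, so pass your own package's value if it differs.
COMPILED_SPAM_HITS = 40.0


def parse_simcontrol(text):
    """Parse simcontrol into {key: {option: value}}; key is '' for the default
    line, a bare domain, or a full address. Only the first ':' separates key
    from options, since attach= values such as .zip:.rar contain ':' too."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, opts = line.partition(":")
        settings = {}
        for opt in opts.split(","):
            if not opt:
                continue
            name, _, value = opt.partition("=")
            settings[name.strip()] = value.strip()
        if "attach" in settings:
            settings["attach"] = [e for e in settings["attach"].split(":") if e]
        policy[key.lower()] = settings
    return policy


def effective(policy, address, compiled_hits=COMPILED_SPAM_HITS):
    """Settings applied to one recipient, assuming the lookup order
    full address -> domain -> default. spam_hits is always filled in, and
    spam_hits_explicit says whether the file set it or the build default won."""
    address = address.lower()
    domain = address.partition("@")[2]
    for key in (address, domain, ""):
        if key in policy:
            result = dict(policy[key])
            result["matched_key"] = key
            break
    else:
        result = {"matched_key": None}
    result["spam_hits_explicit"] = "spam_hits" in result
    result["spam_hits"] = float(result["spam_hits"]) if "spam_hits" in result else compiled_hits
    return result


def lint(policy, compiled_hits=COMPILED_SPAM_HITS):
    """Flag entries that turn SpamAssassin on without choosing a threshold."""
    warnings = []
    for key, settings in policy.items():
        if settings.get("spam") == "yes" and "spam_hits" not in settings:
            warnings.append(
                f"{key or '(default)'}: spam=yes but no spam_hits; compiled-in {compiled_hits:g} applies"
            )
    return warnings


if __name__ == "__main__":
    policy = parse_simcontrol(SAMPLE_SIMCONTROL)
    for rcpt in ("alice@example.com", "bob@example.org", "postmaster@example.com"):
        e = effective(policy, rcpt)
        print(f"{rcpt}: entry {e['matched_key']!r}, spam={e.get('spam')}, spam_hits={e['spam_hits']:g}"
              f"{'' if e['spam_hits_explicit'] else ' (compiled-in default)'}")
    for w in lint(policy):
        print("WARNING:", w)
```

Run `parse_simcontrol(open("/var/qmail/control/simcontrol").read())` through `lint()` to see whether your own default line has the same gap; the warning for bob@example.org is exactly Rafael's situation, tagging at SpamAssassin's 5.0 but no rejection below 40.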
[qmailtoaster] Re: Spam Help Plz
It's disabled by default in the QMT install as a courtesy to international users. It is indeed effective in the USA, but impractical for international use.
http://www.spamdyke.org/documentation/README.html#RDNS

As an alternative, you might find the ip-in-rdns-keyword-blacklist-entry effective. IIRC there were some suggested uses of this on the spamdyke users list a while back. You might want to search the archive of that list for examples.

Rafael Andrade wrote:
> I will enable this feature; I don't remember why this rule is disabled.
>
> reject-ip-in-cc-rdns
>
> Enabled now.
>
> Does anyone have another idea?
>
> Thanks so much again ;@
>
> Andreas Galatis wrote:
>> Hi Rafael,
>>
>> Why have you disabled the spamdyke ip-in-cc-rdns check?
>>
>> #reject-ip-in-cc-rdns
>>
>> This spamdyke rule catches about 30% of incoming mails, because they come from dynamic addresses.
>>
>> Andreas
>>
>> On Tuesday 03 November 2009 18:44:15, Michael Colvin wrote:
>>>> Did anyone else notice that he is missing spam_hits in his config file? Does it default to something without it?
>>>
>>> I believe it defaults to 5 or something similar. It would only affect SpamAssassin anyway, and I've come to not really rely on SpamAssassin to block most of my spam. SpamDyke catches nearly all of it. If he's getting a lot of spam through, SpamAssassin is likely not the answer; blocking it with SpamDyke is. :-)
>>>
>>> Mike
>>>
>>> [...]
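The difference between the two options Eric and Andreas are discussing is easiest to see on the rejected line Rafael quoted: p54997dbb.dip.t-dialin.net is 84.153.125.187 written as eight hex digits (0x54 0x99 0x7d 0xbb), so the "IP in rDNS" test fires, but the name ends in .net, so reject-ip-in-cc-rdns (which additionally wants a two-letter country-code TLD) would not, while a keyword list containing "dialin" or "dip" would. The script below is an added example, not spamdyke's code and not any list posted to the spamdyke users list: it approximates the three checks, decimal or hex IP embedded in the name, country-code TLD, and keyword match, over constructed IP/rDNS pairs. The keyword list and the sample pairs are assumptions; the exact matching rules of the real options are in the README Eric links.

```python
import ipaddress
import re

# Constructed keyword list in the spirit of ip-in-rdns-keyword-blacklist-file;
# tune it from your own DENIED/ALLOWED rDNS names, not from this example.
DYNAMIC_KEYWORDS = ("dialin", "dialup", "dip", "dyn", "dynamic", "pool", "ppp", "dsl", "cable")


def ip_in_rdns(ip, rdns):
    """True if the rDNS name embeds the connecting IPv4 address, either as the
    four decimal octets in order (forward or reversed, any separator) or as the
    address packed into 8 hex digits, as in p54997dbb = 84.153.125.187."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    name = rdns.lower()
    numbers = re.findall(r"\d+", name)
    for i in range(len(numbers) - 3):
        window = numbers[i:i + 4]
        if window == octets or window == octets[::-1]:
            return True
    hexip = "".join(f"{int(o):02x}" for o in octets)
    return any(hexip in run for run in re.findall(r"[0-9a-f]{8,}", name))


def classify(ip, rdns):
    """List the rDNS rules from the thread this connection would trip.
    'ip-in-cc-rdns' additionally requires a two-letter (country-code) TLD,
    which is why it is cheap for a US site, where few legitimate senders live
    under a cc TLD, and expensive elsewhere. Keywords only count when the IP
    is already in the name, mirroring how the keyword blacklist is scoped.
    This approximates the spamdyke options; it is not spamdyke's logic."""
    reasons = []
    if rdns == "(unknown)" or not ip_in_rdns(ip, rdns):
        return reasons
    reasons.append("ip-in-rdns")
    tld = rdns.rsplit(".", 1)[-1]
    if len(tld) == 2 and tld.isalpha():
        reasons.append("ip-in-cc-rdns")
    for kw in DYNAMIC_KEYWORDS:
        if kw in rdns.lower():
            reasons.append(f"keyword:{kw}")
    return reasons


# Constructed pairs: the thread's own example, a dynamic pool under a cc TLD,
# a reversed-octet name, a legitimate MX, and a static host that shows the
# false positive reject-ip-in-cc-rdns produces for international senders.
SAMPLE_CONNECTIONS = [
    ("84.153.125.187", "p54997dbb.dip.t-dialin.net"),
    ("200.1.2.3", "200-1-2-3.dyn.example.br"),
    ("203.0.113.5", "5.113.0.203.dsl.example.jp"),
    ("192.0.2.25", "mx1.example.org"),
    ("1.2.3.4", "static-1-2-3-4.example.de"),
    ("203.0.113.77", "(unknown)"),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLE_CONNECTIONS:
        print(f"{ip:>15}  {rdns:<30}  {', '.join(classify(ip, rdns)) or 'passes rDNS checks'}")
```

The static-1-2-3-4.example.de case is the trade-off Eric describes: reject-ip-in-cc-rdns would refuse it on the TLD alone, whereas a keyword list lets you reject dip/dialin/dyn pools while still accepting a static host whose name happens to contain its address.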