Re: [spamdyke-users] Timer for objects in blacklist
Interesting concept. Care to share your script?

-Original Message-
From: Gary Gendel g...@genashor.com
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Tue, Mar 26, 2013 9:41 am
Subject: Re: [spamdyke-users] Timer for objects in blacklist

I do something similar for my ip blacklist. I have a honeypot that, if it receives email, adds the sender's ip to the blacklist with a timestamp in a preceding comment. If I get another email from that server, it just updates the comment so the expiration gets extended. I run a nightly cron job to clear away ip addresses that have been inactive for >= 30 days. So the entries in the file look like this:

# 2013-03-18
72.30.239.144

Gary

On 03/26/2013 10:28 AM, David wrote:

Is there a way we could get a configuration for a timer to be set on blacklist items in any blacklist? For instance, when I configure firewall rules and use address lists, I always use a timer on these lists to be removed from the list after a certain amount of time, but the rule is always there, so if the address gets caught by the rule it gets re-added to the list again. I was thinking if there was an easier way to manage these lists better, and the timer came up. If I was able to place a timer on the items in the list, say for 30 days or less, to be emptied out, that would be great. Something else to consider is dumping them into another list to be watched, and if they show up again then re-add them back to the current list and drop the others in the old list after a few days. This may help with my pain of these lists growing out of control.

Thanks,
Dave

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Timer for objects in blacklist
Thanks!

-Original Message-
From: Gary Gendel g...@genashor.com
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Tue, Mar 26, 2013 11:22 am
Subject: Re: [spamdyke-users] Timer for objects in blacklist

Denny,

Sure, but I'll probably embarrass myself. I wrote it a long time ago, pre-spamdyke, when I had a homebrew spam solution. It consists of a few small programs written in C and some scripts. From what I remember...

A cron job runs a script called blacklist.csh that calls a program called extractSpam for each new mail from the honeypot's inbox. The script expects maildir format, but it can take an mbox file instead. It then calls a program called mergeSpam to merge this info into the blacklist file as well as expire any old records. This is the blacklist file that spamdyke uses.

extractSpam takes -x options to specify special ip addresses you want it to ignore, such as your own address in the event of a bounced email to the honeypot. See blacklist.csh for examples. The only argument is the file you want to append the ip addresses to. Note that mergeSpam has this file hard-coded in, so it better match that. I used this feature to test the program on various emails without disturbing the production setup.

mergeSpam takes two arguments: the first is the expiration time and the second is a comment to put at the head of the file.

I use jam instead of make, but it should be easy to figure out what needs to be done from the included Jamfile.

Feel free to use it, modify it, or throw it away as needed. :)

Gary

On 03/26/2013 11:05 AM, Denny Jones wrote:

Interesting concept. Care to share your script?

-Original Message-
From: Gary Gendel g...@genashor.com
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Tue, Mar 26, 2013 9:41 am
Subject: Re: [spamdyke-users] Timer for objects in blacklist

I do something similar for my ip blacklist. I have a honeypot that, if it receives email, adds the sender's ip to the blacklist with a timestamp in a preceding comment. If I get another email from that server, it just updates the comment so the expiration gets extended. I run a nightly cron job to clear away ip addresses that have been inactive for >= 30 days. So the entries in the file look like this:

# 2013-03-18
72.30.239.144

Gary

On 03/26/2013 10:28 AM, David wrote:

Is there a way we could get a configuration for a timer to be set on blacklist items in any blacklist? For instance, when I configure firewall rules and use address lists, I always use a timer on these lists to be removed from the list after a certain amount of time, but the rule is always there, so if the address gets caught by the rule it gets re-added to the list again. I was thinking if there was an easier way to manage these lists better, and the timer came up. If I was able to place a timer on the items in the list, say for 30 days or less, to be emptied out, that would be great. Something else to consider is dumping them into another list to be watched, and if they show up again then re-add them back to the current list and drop the others in the old list after a few days. This may help with my pain of these lists growing out of control.

Thanks,
Dave
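The expiring blacklist Gary describes in the two messages above (a date comment before each address, refreshed on every new honeypot hit, swept by a nightly cron job), written out as an added Python example. This is not Gary's extractSpam/mergeSpam code; the sample file contents, the 30-day window and the choice to treat an undated line as a permanent manual entry are assumptions made here.

```python
"""Expiring IP blacklist in the layout described above: each address is
preceded by a comment holding the date it was last seen, e.g.

    # 2013-03-18
    72.30.239.144

Assumption: an address with no date comment is a permanent, manually
managed entry and is never expired.
"""
from datetime import date, timedelta

# Constructed sample of a blacklist file as it might look on 2013-03-26.
SAMPLE_BLACKLIST = """\
# 2013-03-18
72.30.239.144
# 2013-02-01
198.51.100.7
# manual entry, never expires
203.0.113.9
"""
TODAY = date(2013, 3, 26)
MAX_IDLE_DAYS = 30   # entries inactive for this many days or more are dropped


def parse_blacklist(text):
    """Return {entry: last_seen date or None}, preserving file order."""
    entries = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            try:
                pending = date.fromisoformat(line[1:].strip())
            except ValueError:
                pending = None          # an ordinary comment, not a timestamp
            continue
        entries[line] = pending         # spamdyke entries may be partial IPs
        pending = None
    return entries


def record_hit(entries, ip, today):
    """Add ip, or refresh its date so the expiry window starts over.
    Permanent (undated) entries are left untouched."""
    if ip in entries and entries[ip] is None:
        return entries
    entries[ip] = today
    return entries


def expire(entries, today, max_idle_days=MAX_IDLE_DAYS):
    """Drop dated entries not seen for max_idle_days or more."""
    cutoff = today - timedelta(days=max_idle_days)
    return {ip: seen for ip, seen in entries.items()
            if seen is None or seen > cutoff}


def render(entries):
    """Serialise back to the comment-then-address layout."""
    lines = []
    for ip, seen in entries.items():
        if seen is not None:
            lines.append(f"# {seen.isoformat()}")
        lines.append(ip)
    return "\n".join(lines) + "\n"


def nightly_update(text, new_hits, today=TODAY):
    """One cron run: merge today's honeypot hits, then sweep stale entries."""
    entries = parse_blacklist(text)
    for ip in new_hits:
        record_hit(entries, ip, today)
    return render(expire(entries, today))


if __name__ == "__main__":
    print(nightly_update(SAMPLE_BLACKLIST, ["192.0.2.5"]))
```

In a real cron job the file text would be read from the path given to spamdyke's ip-blacklist-file option and written back atomically (write to a temporary file, then rename) so spamdyke never reads a half-written list.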
Re: [spamdyke-users] rDNS always shows up as unknown
When I first set up SpamDyke I had to modify my QMail run file to make sure it passed the sending IP. You might check that.

- Denny

-Original Message-
From: JP Kelly listu...@jpkvideo.net
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Fri, Aug 23, 2013 1:15 pm
Subject: Re: [spamdyke-users] rDNS always shows up as unknown

That was not set in my config, but it is still not working after setting dns-server-ip to my DNS server's IP. Does this setting need the port added to the IP address? If so, is the format xx.xx.xx.xx:port?

From the maillog it looks like qmail is able to resolve rDNS:

Aug 23 10:59:38 dv2 /var/qmail/bin/relaylock[22273]: /var/qmail/bin/relaylock: mail from 201.151.76.82:36001 (static-201-151-76-82.alestra.net.mx)

but spamdyke comes up empty for rDNS (along with some other empty info).

Aug 23 10:59:44 dv2 spamdyke[22273]: DENIED_GRAYLISTED from: virgilap...@acengenhariase.com.br to: virgilap...@jpkvideo.com origin_ip: 201.151.76.82 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)

Here is my complete /etc/spamdyke.conf file:

# cat /etc/spamdyke.conf
# This is an example spamdyke configuration file for spamdyke version 4.3.1.
#
# Without editing, this file will do nothing -- every available option is
# commented out. To enable options, edit the values and remove the comment
# markers at the beginning of the lines (#).
# See the README.html file in spamdyke's documentation directory for a full
# description of each option. The documentation is also available on spamdyke's
# website:
# http://www.spamdyke.org/

# Sets spamdyke's overall filter behavior.
# Available values: allow-all, normal, require-auth, reject-all
# Default: normal
filter-level=normal

# Delays the SMTP greeting banner for SECS seconds. A value of 0 disables this
# feature.
# Default: 0
#greeting-delay-secs=SECS

# Limit incoming messages to NUM recipients. A value of 0 disables this
max-recipients=15

# Drop superuser privileges and run as USER instead.
# Default: none
#run-as-user=USER[:GROUP]

# DNS TESTS

# Reject connections from remote servers without rDNS names.
# Default: no

# Reject connections from servers with rDNS names that contain their IP address
# and end in a two-character country code.

# Reject messages from sender whose domain names have no MX records.

# Reject connections from servers with rDNS names that do not resolve to IP
# addresses.
# Default: no

# LOGGING

# Controls the amount (and detail) of the log messages spamdyke produces.
# Available values: none, error, info, verbose, debug, excessive
# Default: error
log-level=debug

# Controls where spamdyke's log messages are sent.
# Available values: syslog, stderr
# Default: syslog
log-target=syslog

# Outputs all SMTP data into files in DIR.
#full-log-dir=DIR

# CONFIGURATION FILES

# Configuration files can include other configuration files.
#config-file=FILE

# Configuration directories are very powerful but can also be very complicated;
# don't use them if you don't need to.

# Controls how configuration directories are searched.
# Available values: first, all-ip, all-rdns, all-sender, all-recipient
# Default: first

# TIMEOUTS

# Close the connection after SECS seconds, regardless of activity. A value of
# 0 disables this feature.
#connection-timeout-secs=SECS

# Close the connection after SECS seconds of inactivity. A value of 0 disables
# this feature.
#idle-timeout-secs=SECS

# SENDERS AND RECIPIENTS

# Reject all recipients that exactly match the sender address.

# LOCAL BLACKLISTS

# Reject connections from IP addresses that match IPADDRESS.
#ip-blacklist-entry=IPADDRESS

# Reject connections from IP addresses that match entries in FILE.
ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip

# Reject connections from rDNS names that match NAME.

# Reject connections from rDNS names that match entries in FILE.
#rdns-blacklist-file=FILE

# Reject connections from rDNS names that match files in DIR.
#rdns-blacklist-dir=DIR

# Reject all messages sent to recipient ADDRESS.
#recipient-blacklist-entry=ADDRESS

# Reject all messages sent to any recipient address listed in FILE.
recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients

# Reject all messages sent from sender ADDRESS.
#sender-blacklist-entry=ADDRESS

# Reject all messages sent from any sender address listed in FILE.
sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders

# Reject connections from rDNS names that contain their IP address and KEYWORD.
#ip-in-rdns-keyword-blacklist-entry=KEYWORD

# Reject connections from rDNS names that contain their IP address and a keyword
# in FILE.
ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords

# Reject all messages with header lines that match VALUE.
#header-blacklist-entry=VALUE

# Reject all messages sent header lines that match entries in FILE.
#header-blacklist-file=FILE

# LOCAL WHITELISTS
#
[spamdyke-users] Blacklist Dilemma
Hello,

I've got one account (on QmailToaster w/SpamDyke) who gets mail from a legitimate sender via the mail servers at eigbox.net. That domain has a range of IPs: 66.96.xxx.xxx. The problem is I also get a ton of spam from this same server (not from that sender). When I block 66.96., it blocks everything.

Things I've tried:
1. Whitelisting the legitimate sender, which I don't like (the sender can be spoofed).
2. Whitelisting the whole IP (66.96.186.10) that the legitimate sender sent from (this works temporarily but will change when the IP rotates).

How can I let mail come through for this one sender from a known spam sender but block all the other junk? Ideas?

Thanks,
Denny
Re: [spamdyke-users] Blacklist Dilemma
Sam,

Thanks for the reply. I want to understand what is happening here... I think setting it up as you described tells spamdyke to behave like this: when it sees the user myu...@mydomain.com, either don't block the 66.96. IP structure or always allow mail from @eigbox.net, depending upon the way I set it up. Thereby making the rule for blocking 66.96 NOT apply to that user. Am I getting this correct?

Sorry to be so dense - I just want to be clear in my understanding.

Denny

-Original Message-
From: Sam Clippinger s...@silence.org
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Mon, Sep 23, 2013 4:29 pm
Subject: Re: [spamdyke-users] Blacklist Dilemma

Sounds like you need to create a configuration directory so you can turn off the blacklist entry for that one user and leave it turned on for everyone else. If your user's email address is myu...@mydomain.com, create a folder structure like this:

/var/qmail/spamdyke/config.d/_recipient_/com/mydomain/_at_

At the bottom of that folder structure, create a text file named for the username portion of the email address:

/var/qmail/spamdyke/config.d/_recipient_/com/mydomain/_at_/myuser

Inside that text file, put the spamdyke configuration commands to turn off the blacklist filter (assuming you added the IP range using ip-blacklist-entry):

ip-blacklist-entry=!66.96.

Or better yet, just whitelist the sender domain (it'll only affect this one recipient):

sender-whitelist-entry=@eigbox.net

Last, add the configuration directory option to your main spamdyke configuration file:

config-dir=/var/qmail/spamdyke/config.d

That should do it.

-- Sam Clippinger

On Sep 23, 2013, at 4:00 PM, Denny Jones wrote:

Hello,

I've got one account (on QmailToaster w/SpamDyke) who gets mail from a legitimate sender via the mail servers at eigbox.net. That domain has a range of IPs: 66.96.xxx.xxx. The problem is I also get a ton of spam from this same server (not from that sender). When I block 66.96., it blocks everything.

Things I've tried:
1. Whitelisting the legitimate sender, which I don't like (the sender can be spoofed).
2. Whitelisting the whole IP (66.96.186.10) that the legitimate sender sent from (this works temporarily but will change when the IP rotates).

How can I let mail come through for this one sender from a known spam sender but block all the other junk? Ideas?

Thanks,
Denny
Re: [spamdyke-users] Blacklist Dilemma
Sam,

Thanks for all of your help on this. I'm having issues though. Here's my setup:

Email I'm trying to allow access for a specific IP range and a specific domain: mi...@choicewireless.biz
IP range: 66.96
Domain mail is coming from: jtwowireless.com

My config.d dir structure:
/etc/spamdyke/config.d/_recipient_/biz/choicewireless/_at_/mindy

The contents of mindy:
sender-whitelist-entry=@jtwowireless.com
ip-blacklist-entry=!66.96.

I have 66.96. in the blacklist_ip file.

I have added the following to my spamdyke.conf file:
config-dir=/etc/spamdyke/config.d

Emails from jtwowireless.com still get denied as DENIED_BLACKLIST_IP. I'm scratching my head here. What am I doing wrong?

Denny

-Original Message-
From: Sam Clippinger s...@silence.org
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Tue, Sep 24, 2013 11:20 am
Subject: Re: [spamdyke-users] Blacklist Dilemma

That's correct. The configuration directory feature allows you to specify different configurations based on the recipient address, the sender address, the remote IP address, the remote rDNS name or any combination of those items. In the example I gave, it will override the ip-blacklist-entry setting for that one recipient address (or add a sender whitelist entry for that one recipient address, if you use that option).

-- Sam Clippinger

On Sep 24, 2013, at 11:08 AM, Denny Jones wrote:

Sam,

Thanks for the reply. I want to understand what is happening here... I think setting it up as you described tells spamdyke to behave like this: when it sees the user myu...@mydomain.com, either don't block the 66.96. IP structure or always allow mail from @eigbox.net, depending upon the way I set it up. Thereby making the rule for blocking 66.96 NOT apply to that user. Am I getting this correct?

Sorry to be so dense - I just want to be clear in my understanding.

Denny

-Original Message-
From: Sam Clippinger s...@silence.org
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Mon, Sep 23, 2013 4:29 pm
Subject: Re: [spamdyke-users] Blacklist Dilemma

Sounds like you need to create a configuration directory so you can turn off the blacklist entry for that one user and leave it turned on for everyone else. If your user's email address is myu...@mydomain.com, create a folder structure like this:

/var/qmail/spamdyke/config.d/_recipient_/com/mydomain/_at_

At the bottom of that folder structure, create a text file named for the username portion of the email address:

/var/qmail/spamdyke/config.d/_recipient_/com/mydomain/_at_/myuser

Inside that text file, put the spamdyke configuration commands to turn off the blacklist filter (assuming you added the IP range using ip-blacklist-entry):

ip-blacklist-entry=!66.96.

Or better yet, just whitelist the sender domain (it'll only affect this one recipient):

sender-whitelist-entry=@eigbox.net

Last, add the configuration directory option to your main spamdyke configuration file:

config-dir=/var/qmail/spamdyke/config.d

That should do it.

-- Sam Clippinger

On Sep 23, 2013, at 4:00 PM, Denny Jones wrote:

Hello,

I've got one account (on QmailToaster w/SpamDyke) who gets mail from a legitimate sender via the mail servers at eigbox.net. That domain has a range of IPs: 66.96.xxx.xxx. The problem is I also get a ton of spam from this same server (not from that sender). When I block 66.96., it blocks everything.

Things I've tried:
1. Whitelisting the legitimate sender, which I don't like (the sender can be spoofed).
2. Whitelisting the whole IP (66.96.186.10) that the legitimate sender sent from (this works temporarily but will change when the IP rotates).

How can I let mail come through for this one sender from a known spam sender but block all the other junk? Ideas?

Thanks,
Denny
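The per-recipient configuration-directory layout Sam describes in this thread (reversed domain labels under _recipient_, then _at_, then a file named for the local part) and the override Denny tried to build, turned into an added Python example. This is not spamdyke's own code: the character whitelist that keeps a recipient string from escaping config.d, and lowercasing of the address before it becomes a path, are assumptions made here.

```python
"""Derive and write a spamdyke per-recipient configuration-directory
override, following the layout in Sam's example:

    user@example.com  ->  CONFIG_DIR/_recipient_/com/example/_at_/user

The file at that path holds ordinary spamdyke options that apply to that
one recipient only.
"""
import os
import re
import tempfile
from pathlib import PurePosixPath

# Assumption: only these characters are allowed in a domain label or local
# part before it becomes a path component, so a recipient string taken from
# logs or mail headers can never contain "/" or ".." and escape CONFIG_DIR.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
_LOCAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def recipient_config_path(config_dir, recipient):
    """Map recipient to its config.d file path (without touching the disk).

    Assumption: spamdyke matches addresses case-insensitively, so both the
    domain labels and the local part are lowercased here."""
    local, at, domain = recipient.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {recipient!r}")
    labels = domain.lower().split(".")
    if not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"unsafe domain in recipient: {recipient!r}")
    local = local.lower()
    if not _LOCAL_RE.match(local):
        raise ValueError(f"unsafe local part in recipient: {recipient!r}")
    return PurePosixPath(config_dir, "_recipient_", *reversed(labels),
                         "_at_", local)


def write_recipient_override(config_dir, recipient, options):
    """Create the directory chain and write one spamdyke option per line."""
    path = recipient_config_path(config_dir, recipient)
    os.makedirs(path.parent, exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(options) + "\n")
    return str(path)


def demo():
    """Write Sam's eigbox.net whitelist override into a throwaway config.d
    and return (path relative to it, file contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        written = write_recipient_override(
            tmp, "myuser@mydomain.com", ["sender-whitelist-entry=@eigbox.net"])
        with open(written, encoding="ascii") as fh:
            return os.path.relpath(written, tmp), fh.read()


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point config_dir at the directory named by the config-dir option in spamdyke.conf; the override only takes effect once that option is set, which is the last step in Sam's recipe.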
[spamdyke-users] Blocking Authenticated Users Taken Over By Virus
Hello all,

I have this intermittent issue... I host many clients, and every once in a while one of my users will get a virus and start spewing out spam emails. I came in this morning and found one had sent over 3000 in just an hour. I have scripts in place that alert me about this so I'm able to catch it, but I want to catch it sooner - perhaps auto-stop it.

NOTE: These are authenticated users whose email programs have been hijacked and are sending with valid logins.

My setup is QmailToaster Plus, SpamDyke, SpamAssassin, Fail2Ban, ClamAV - all with the latest versions.

I am curious about how other admins handle this situation? Surely I'm not the only one being bitten by this.

FYI - I ran this on the Qmail list and it was suggested that I might run this by the SpamDyke list as well.

Thanks in advance,
Denny
[spamdyke-users] Blacklist_ip and Unblacklistable_domains Conflict
Hello all!

I have an IP range that I need to block (208.123.) but there is one domain (gfoxconsulting.com) that comes in on that IP range that I need to whitelist. I added the domain to the unblacklistable_domains file but it still gets blocked. How do I allow this one domain to come through but keep other traffic on that subnet off?

Thanks,
Denny
Re: [spamdyke-users] RDNS WhiteList Not Working
Not to point directly to a bug, but I have been working on this issue for quite some time, so I'm pretty sure it'll keep on occurring. Also, I only pasted 2 lines from the log file. In reality there are many DENIED_RDNS_MISSING entries with a few ALLOWED entries throughout. In other words, spamdyke will reject a bunch of attempts and then allow one to come through and then go back to denying them, only to allow another one later. There's no real pattern to speak of. To be clear, all the entries point to the same IP.

I guess I could just add the IP to the whitelist_rdns file to fix this? My concern is that redglue might have many sending IPs and I'll have to add every one of them to the file. I'm not sure how to go about finding that information out.

Thanks for the reply!

-Original Message-
From: Eric Shubert e...@shubes.net
To: spamdyke-users spamdyke-users@spamdyke.org
Sent: Fri, Jan 31, 2014 4:59 pm
Subject: Re: [spamdyke-users] RDNS WhiteList Not Working

On 01/31/2014 03:32 PM, Denny Jones wrote:

I'm using SpamDyke 4.3.1

I have whitelisted gfoxconsulting.com in whitelist_rdns (I simply added gfoxconsulting.com to that file)

I have the whitelist_rdns file indicated correctly in the spamdyke.conf file:
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns

...but I still see this domain (gfoxconsulting.com) being rejected:

Jan 31 09:58:04 michael spamdyke[13182]: DENIED_RDNS_MISSING from: l...@gfoxconsulting.com to: al...@texasalliance.org origin_ip: 208.123.81.4 origin_rdns: (unknown) auth: (unknown) encryption: TLS reason: (empty)

However on the very next log line I get:

Jan 31 10:08:35 michael spamdyke[15441]: ALLOWED from: l...@gfoxconsulting.com to: al...@texasalliance.org origin_ip: 208.123.81.4 origin_rdns: exch01.redglue.com auth: (unknown) encryption: TLS reason: 250_ok_1391184515_qp_15469

What is going on here?

Thanks,
Denny

I think you're perhaps missing how rdns whitelisting works. rDNS is a name which is associated with an ip address. In the first instance, the rDNS record is missing, so there's no name to match to (origin_rdns = (unknown)). There's no way to use rdns whitelisting to let this one through. You'd need to whitelist something else, like either the IP address (good choice) or the sender domain (not recommended).

It's possible (even likely) that someone at redglue.com discovered that there was no rdns for this IP, and it was fixed sometime before 10:08 (the missing message could have resulted from a cached lookup).

It's also possible that there's an obscure bug in spamdyke. This is unlikely, but it's been known to happen occasionally with odd DNS configurations. I'd call this an odd rDNS configuration:

$ host 208.123.81.4
4.81.123.208.in-addr.arpa is an alias for 4.255-0.81.123.208.in-addr.arpa.
4.255-0.81.123.208.in-addr.arpa domain name pointer exch01.redglue.com.
$

There's a cname record pointing to the ptr record. Usually the rdns name is a ptr record, not a cname (ttbomk). Sam will know the bottom line here.

--
-Eric 'shubes'
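Two questions in this archive come down to reading spamdyke's per-message log lines in bulk: the flapping DENIED_RDNS_MISSING / ALLOWED verdicts for one IP in the thread above, and the earlier "Blocking Authenticated Users Taken Over By Virus" question, where an account with valid credentials sent thousands of messages in an hour. The added Python example below, not part of the original posts or of spamdyke, parses the log format visible in the quoted lines, summarises verdicts per origin IP, flags IPs whose rDNS result is inconsistent (where an IP whitelist entry, as Eric suggests, is the reliable fix), and counts accepted messages per authenticated login. The three lines with an auth value are constructed; spamdyke's exact rendering of the auth field is an assumption here.

```python
"""Parse spamdyke's per-message syslog lines and summarise them per origin
IP and per authenticated user. The field layout is the one visible in the
log excerpts quoted in this thread."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"spamdyke\[(?P<pid>\d+)\]: (?P<verdict>\S+) from: (?P<sender>\S+) "
    r"to: (?P<recipient>\S+) origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+) encryption: (?P<enc>\S+) reason: (?P<reason>.*)$"
)

# The first two lines are the ones quoted above; the remaining three are
# constructed to stand in for an authenticated account sending in bulk
# (assumption: the auth field carries the login name spamdyke saw).
SAMPLE_LOG = """\
Jan 31 09:58:04 michael spamdyke[13182]: DENIED_RDNS_MISSING from: l...@gfoxconsulting.com to: al...@texasalliance.org origin_ip: 208.123.81.4 origin_rdns: (unknown) auth: (unknown) encryption: TLS reason: (empty)
Jan 31 10:08:35 michael spamdyke[15441]: ALLOWED from: l...@gfoxconsulting.com to: al...@texasalliance.org origin_ip: 208.123.81.4 origin_rdns: exch01.redglue.com auth: (unknown) encryption: TLS reason: 250_ok_1391184515_qp_15469
Jan 31 10:20:01 michael spamdyke[15500]: ALLOWED from: user@example.com to: a@example.org origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: user@example.com encryption: TLS reason: 250_ok_constructed
Jan 31 10:20:02 michael spamdyke[15501]: ALLOWED from: user@example.com to: b@example.org origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: user@example.com encryption: TLS reason: 250_ok_constructed
Jan 31 10:20:03 michael spamdyke[15502]: ALLOWED from: user@example.com to: c@example.org origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: user@example.com encryption: TLS reason: 250_ok_constructed
"""


def parse_line(line):
    """Return the line's fields as a dict, or None for non-spamdyke lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_by_ip(lines):
    """Per origin IP: a Counter of verdicts and the set of rDNS names seen."""
    by_ip = defaultdict(lambda: {"verdicts": Counter(), "rdns": set()})
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]]["verdicts"][rec["verdict"]] += 1
        by_ip[rec["ip"]]["rdns"].add(rec["rdns"])
    return dict(by_ip)


def inconsistent_rdns(summary):
    """IPs denied for missing rDNS on some connections but allowed with a
    real name on others. Their PTR lookup is flapping, so a name-based
    whitelist cannot match reliably; an IP whitelist entry is the fix."""
    return sorted(
        ip for ip, s in summary.items()
        if s["verdicts"]["DENIED_RDNS_MISSING"] and s["verdicts"]["ALLOWED"]
        and s["rdns"] - {"(unknown)"}
    )


def busy_auth_users(lines, threshold):
    """Authenticated logins with at least `threshold` accepted messages in
    the given lines; feed one hour of log to get a per-hour rate."""
    counts = Counter(
        rec["auth"] for rec in filter(None, map(parse_line, lines))
        if rec["verdict"] == "ALLOWED" and rec["auth"] != "(unknown)"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(inconsistent_rdns(summarize_by_ip(lines)))
    print(busy_auth_users(lines, 3))
```

Run against the last hour of the maillog from cron, busy_auth_users gives the "catch it sooner" signal the earlier question asks for; what to do with a flagged login (alerting, or disabling the account's SMTP authentication) is a local policy decision the script does not make.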
[spamdyke-users] Exempt Domain from rDNS Checks
My understanding of the rDNS whitelist options is that it allows for allowing/denying the SENDING domain. I need to make an entire domain that is hosted on MY mail server not use rDNS checks for incoming mail while keeping other domains I host intact. Is this possible?

Thanks,
Denny
Re: [spamdyke-users] Exempt Domain from rDNS Checks
Thank you for the information! Sorry to waste the bandwidth though; I should have done a site search first.

-Original Message-
From: Sam Clippinger s...@silence.org
To: spamdyke users spamdyke-users@spamdyke.org
Sent: Sat, Feb 8, 2014 3:41 pm
Subject: Re: [spamdyke-users] Exempt Domain from rDNS Checks

Yes, this is completely possible. The feature you're looking for is a configuration directory -- it'll let you turn different options on or off for different domains (and other conditions).

http://www.spamdyke.org/documentation/FAQ.html#FEATURE8

-- Sam Clippinger

On Feb 7, 2014, at 4:23 PM, Denny Jones lhweb...@aol.com wrote:

My understanding of the rDNS whitelist options is that it allows for allowing/denying the SENDING domain. I need to make an entire domain that is hosted on MY mail server not use rDNS checks for incoming mail while keeping other domains I host intact. Is this possible?

Thanks,
Denny
[spamdyke-users] Trouble Blocking .eu emails
We're getting numerous spam messages from email addresses and domains that end in .eu. We should never receive any mail from that country. I've added @.eu to SpamDyke's blacklist_senders file and emails still continue to make it through. Any ideas on how to stop these messages?
[spamdyke-users] DENIED_RDNS_RESOLVE Question
Hello,

Here's the log entry I'm getting:

Mar 24 08:16:09 michael spamdyke[12081]: DENIED_RDNS_RESOLVE from: em...@domina.com to: ema...@domina2.com origin_ip: 173.10.76.81 origin_rdns: m1.compxroads.com auth: (unknown) encryption: TLS reason: (empty)

Seems like it shouldn't list a domain if it can't resolve the rDNS. Am I missing something here?

NOTE: If I do a reverse lookup on 173.10.76.81 I get: compxroads.com

Is the error because the origin rDNS is m1.compxroads.com?

Thanks,
Denny