How to use BUILD_SPAMC=no ?

2016-11-25 Thread Dan Jacobson
In Makefile.PL we observe

  'BUILD_SPAMC'  ,# Set to 'no' to skip build of spamc.
  'BUILD_SPAMD',  # Set to 'no' to skip build of spamd.

Does this mean we can do
perl Makefile.PL BUILD_SPAMC=no BUILD_SPAMD=no ?

But if I see

cd spamc
/usr/bin/perl version.h.pl

in the compilation, does that mean I have made a mistake?


Re: Spam with attachments and UNPARSEABLE_RELAY

2016-11-25 Thread Ian Zimmerman
On 2016-11-25 13:57, Bill Cole wrote:

> It LOOKS like that is being generated by a PHP script on the host that's 
> delivering it, which appears to be running some atrocious mail handler 
> calling itself 'nullmailer' that doesn't do Received headers in any 
> useful way.

FWIW nullmailer is a respected minimalist MTA:

 [1+0]~$ apt-cache show nullmailer
Package: nullmailer
Version: 1:1.13-1+deb8u1
Installed-Size: 2360
Maintainer: Nick Leverton 
Architecture: amd64
Replaces: mail-transport-agent
Provides: mail-transport-agent
Depends: lsb-base, debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.15),
 libgnutls-deb0-28 (>= 3.3.0), libstdc++6 (>= 4.1.1)
Recommends: rsyslog | system-log-daemon
Conflicts: mail-transport-agent
Description-en: simple relay-only mail transport agent
 Nullmailer is a replacement MTA for hosts, which relay to a fixed set of
 smart relays. It is designed to be simple to configure and especially
 useful on slave machines and in chroots.
Description-md5: cf5bb13c21a01ffa34dc0048e9689c33
Homepage: http://untroubled.org/nullmailer/
Tag: interface::daemon, mail::transport-agent, network::server,
 protocol::smtp, role::program, works-with::mail
Section: mail
Priority: extra
Filename: pool/main/n/nullmailer/nullmailer_1.13-1+deb8u1_amd64.deb
Size: 92642


-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html


Re: Spam with attachments and UNPARSEABLE_RELAY

2016-11-25 Thread Bill Cole

On 25 Nov 2016, at 5:28, geoff.sa_users_161...@alphaworks.co.uk wrote:


On 25/11/2016 10:26, Paul Stead wrote:

On 25/11/16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:

X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
X-Antivirus-Status: Infected
X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js   Virus: 
JS:LockyDownloader [Trj] Deleted


Your AV correctly identified the bad attachment - generally these don't
even get as far as SA in my setup

This all depends on the glue used and ordering within your MTA and how
it reacts to malware attachments



I don't have a lot of control over my setup as it's a hosted VPS. The 
AV is locally on my PC so comes late in the process...



That might explain why there's no valid Received header in the whole 
message...


It LOOKS like that is being generated by a PHP script on the host that's 
delivering it, which appears to be running some atrocious mail handler 
calling itself 'nullmailer' that doesn't do Received headers in any 
useful way. It might help to know what the 'x.x.x.x' was, but I suspect 
not much. The mess of headers MAY be secondary to your AV mangling the 
message and reconstructing it without the original headers.




Re: Spam with attachments and UNPARSEABLE_RELAY

2016-11-25 Thread geoff . sa_users_161124

On 25/11/2016 11:22, Matus UHLAR - fantomas wrote:

On 24.11.16 10:23, Geoff Soper wrote:

Subject: Spam with attachments and UNPARSEABLE_RELAY

For a few weeks I've been suffering spam messages with attachments 
getting through with a suspicious score of 0.0. Upon inspection, 
they all had the following lines in the header:


On 25.11.16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
1. See attached example. I've removed the username and replaced it 
with .
2. Other mail is getting correctly identified as spam so that's 
something...



Return-Path: 
X-Spam-Report:
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable 
relay lines



Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
X-PHP-Originating-Script: 7637323:SendMail.class.php


This says that the mail was received from webpage on your server, and the
local mailer "nullmailer" seems to have delivered it directly to you.

in fact, you don't know anything about this mail - it was apparently
received via HTTP, but the SendMail.class.php running under uid 7637323 did
not provide even remote IP address.

apparently SA can't parse nullmailer headers - apparently because nullmailer
provides no useful headers.

in this case it's really hard to detect anything, since all information
about mail is lost in PHP.
Maybe PHP could at least provide client's IP (maybe all in x-forwarded-for
path) and that could help us.



Thanks for this analysis, this rings alarm bells. Can you be sure that 
this is definitely coming from a PHP on my server? I'll start 
investigating on the assumption that it is.


Many thanks,
Geoff


Re: Spam with attachments and UNPARSEABLE_RELAY

2016-11-25 Thread Matus UHLAR - fantomas

On 24.11.16 10:23, Geoff Soper wrote:

Subject: Spam with attachments and UNPARSEABLE_RELAY

For a few weeks I've been suffering spam messages with 
attachments getting through with a suspicious score of 0.0. Upon 
inspection, they all had the following lines in the header:


On 25.11.16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:
1. See attached example. I've removed the username and replaced it 
with .

2. Other mail is getting correctly identified as spam so that's something...



Return-Path: 
X-Spam-Report:
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay 
lines



Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
X-PHP-Originating-Script: 7637323:SendMail.class.php


This says that the mail was received from webpage on your server, and the
local mailer "nullmailer" seems to have delivered it directly to you.

in fact, you don't know anything about this mail - it was apparently
received via HTTP, but the SendMail.class.php running under uid 7637323 did
not provide even remote IP address.

apparently SA can't parse nullmailer headers - apparently because nullmailer
provides no useful headers.

in this case it's really hard to detect anything, since all information
about mail is lost in PHP.
Maybe PHP could at least provide client's IP (maybe all in x-forwarded-for
path) and that could help us.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
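
Added example (not part of the original thread, and not SpamAssassin's own relay parser): a small Python triage of the header pattern discussed above. It classifies each Received line as a local submission, a network hop with a usable IP, or a line with no relay information, and cross-checks the uid in X-PHP-Originating-Script against the nullmailer submitter uid. The sample headers are constructed from those quoted in the thread; the function names and regexes are this example's own assumptions.

```python
import re
from email import message_from_string

# Constructed sample, assembled from the headers quoted in this thread.
SAMPLE = """\
X-No-Auth: unauthenticated sender
Received: (nullmailer pid 36796 invoked by uid 7637323);
\tFri, 25 Nov 2016 12:23:11 +0500
Received: from internal (unknown [x.x.x.x])
X-PHP-Originating-Script: 7637323:SendMail.class.php
Subject: It Is Important

body
"""

# Hypothetical patterns written for this example only.
LOCAL_RE = re.compile(r"^\((\S+) pid (\d+) invoked by uid (\d+)\)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PHP_RE = re.compile(r"^(\d+):(\S+)$")

def classify_received(value):
    """Return (kind, detail) for one Received header value."""
    value = " ".join(value.split())  # unfold continuation lines
    m = LOCAL_RE.match(value)
    if m:  # handed to the local MTA by a process, no network peer recorded
        return ("local-submission", {"program": m.group(1), "uid": int(m.group(3))})
    m = IP_RE.search(value)
    if m and value.startswith("from "):
        return ("network-hop", {"ip": m.group(1)})
    return ("no-relay-info", {})  # e.g. a redacted or malformed address

def analyze(raw):
    """Summarise what the headers do and do not reveal about the origin."""
    msg = message_from_string(raw)
    hops = [classify_received(v) for v in msg.get_all("Received", [])]
    php = PHP_RE.match((msg.get("X-PHP-Originating-Script") or "").strip())
    uids = {d["uid"] for k, d in hops if k == "local-submission"}
    return {
        "hops": [k for k, _ in hops],
        "has_remote_ip": any(k == "network-hop" for k, _ in hops),
        "php_script": php.group(2) if php else None,
        "php_uid_matches_submitter": bool(php) and int(php.group(1)) in uids,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A message with no `network-hop` entry and a PHP script uid that matches the local submitter uid is the case described above: the web script handed the mail to the local mailer, and no client address was recorded.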


Re: Spam with attachments and UNPARSEABLE_RELAY

2016-11-25 Thread geoff . sa_users_161124

On 25/11/2016 10:26, Paul Stead wrote:

On 25/11/16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:

X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
X-Antivirus-Status: Infected
X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js   Virus: 
JS:LockyDownloader [Trj] Deleted


Your AV correctly identified the bad attachment - generally these don't
even get as far as SA in my setup

This all depends on the glue used and ordering within your MTA and how
it reacts to malware attachments



I don't have a lot of control over my setup as it's a hosted VPS. The AV 
is locally on my PC so comes late in the process...


Re: Spam with attachments and UNPARSEABLE_RELAY

2016-11-25 Thread Paul Stead

On 25/11/16 10:18, geoff.sa_users_161...@alphaworks.co.uk wrote:

X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
X-Antivirus-Status: Infected
X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js   Virus: 
JS:LockyDownloader [Trj] Deleted


Your AV correctly identified the bad attachment - generally these don't
even get as far as SA in my setup

This all depends on the glue used and ordering within your MTA and how
it reacts to malware attachments

Paul
--
Paul Stead
Systems Engineer
Zen Internet


Re: Spam with attachments and UNPARSEABLE_RELAY

2016-11-25 Thread geoff . sa_users_161124

On 24/11/2016 13:15, Matus UHLAR - fantomas wrote:

On 24.11.16 10:23, Geoff Soper wrote:

Subject: Spam with attachments and UNPARSEABLE_RELAY

For a few weeks I've been suffering spam messages with attachments 
getting through with a suspicious score of 0.0. Upon inspection, they 
all had the following lines in the header:


X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
server.alphaworks.co.uk
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=3.0 tests=UNPARSEABLE_RELAY
autolearn=unavailable autolearn_force=no version=3.4.1
X-Spam-Score: 0.0


1. can you post headers from any such mail?

2. do other mails get caught or at least score different from 0.0 ?


Hi,
1. See attached example. I've removed the username and replaced it with 
.

2. Other mail is getting correctly identified as spam so that's something...

Many thanks,
Geoff
Return-Path: 
X-Spam-Relays-External: 
X-Spam-Relays-Untrusted: 
X-Spam-Flag: NO
X-Spam-Status: No, Score=0.0
X-Spam-Report: 
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay 
lines
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
server.alphaworks.co.uk
X-Spam-Score: 0.0
X-Original-To: @alphaworks.co.uk
Delivered-To: @alphaworks.co.uk
X-No-Auth: unauthenticated sender
Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 36796 invoked by uid 7637323);
Fri, 25 Nov 2016 12:23:11 +0500
To: @alphaworks.co.uk>
Subject: *** VIRUS ***It Is Important
X-PHP-Originating-Script: 7637323:SendMail.class.php
From: "Esmeralda Gardner" 
Date: Fri, 25 Nov 2016 12:23:11 +0500
MIME-Version: 1.0
Content-Type: multipart/related; boundary="4863c15906b03373f7d9d5b584584773"
Message-Id: <1124330643.045726.43998.sendm...@alphaworks.co.uk>
X-Procmail-Alphaworks-Geoff: 27/01/2014
X-Procmail-HeaderInclude: 27/01/2014
X-Procmail-Alphaworks-Whitelist: 27/01/2014
X-Procmail-DomainInclude: 27/01/2014
X-Procmail-Alphaworks-Blacklist: 27/01/2014
X-Procmail-BounceInclude: 27/01/2014
X-Procmail-DotInclude: 25/12/2009
X-Procmail-SpamAssassinInclude: 25/12/2009
X-Procmail-FooterInclude: 25/12/2009
X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
X-Antivirus-Status: Infected
X-Attachment: INVOICE_.zip#1783656308|>HQ2s9y6f.js Virus: 
JS:LockyDownloader [Trj] Deleted

--4863c15906b03373f7d9d5b584584773
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Dear , we received your invoice but couldn't pay, =
because your requisites were invalid.
Sending you the report of the problem - please open the attachment and =
check the data.
--4863c15906b03373f7d9d5b584584773--