Re: Is there a way to block invalid non delivery notifications?
jdow wrote:
> > By the way, is it possible to rescore or disable one rule, if another already hit (thought on something like disabling bayes when BOUNCE_MESSAGE already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already hit. Yeah I know that's kind of bogus config but it'd be very suitable for our purpose.
>
> META rules are good for this sort of application. {^_^}

I know about two meta rules that would cause a proper rescore, but both of them are kind of dirty workarounds:

- Check if BOUNCE_MESSAGE and Bayes hit. If so, give it an appropriate negative score (this wouldn't be really dynamic).
- Packing the whole Bayes scoring into a meta so it only is triggered when BOUNCE_MESSAGE isn't hit.

I'd prefer something like the ifplugin key word in configuration, in pseudo code:

    ifrulehit BOUNCE_MESSAGE
      skip BAYES_XX

Daniel

--
View this message in context: http://old.nabble.com/Is-there-a-way-to-block-%22invalid%22-non-delivery-notifications--tp29032307p29073633.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Is there a way to block invalid non delivery notifications?
From: Daniel Lemke le...@jam-software.com
Sent: Friday, 2010/July/02 06:36

> Matus UHLAR - fantomas wrote:
> > apparently not enough of NDRs. I trained bayes with many notices and it was able to detect as expected then.
>
> It apparently does learn the ndrs given, but as we send a newsletter from time to time (that produces ndrs as well), Bayes seems to learn ndrs as ham continuously.
>
> Matus UHLAR - fantomas wrote:
> > BAYES_99 and CHARSET_FARAWAY together should score enough to score as spam. *BOUNCE_MESSAGE score only 0.1 and raising them is not safe.
>
> Is it such a bad idea to raise the score? Or is the general purpose to combine it with some sort of meta?
>
> By the way, is it possible to rescore or disable one rule, if another already hit (thought on something like disabling bayes when BOUNCE_MESSAGE already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already hit. Yeah I know that's kind of bogus config but it'd be very suitable for our purpose.

META rules are good for this sort of application. {^_^}
Re: Is there a way to block invalid non delivery notifications?
Matus UHLAR - fantomas wrote:
> apparently not enough of NDRs. I trained bayes with many notices and it was able to detect as expected then.

It apparently does learn the ndrs given, but as we send a newsletter from time to time (that produces ndrs as well), Bayes seems to learn ndrs as ham continuously.

Matus UHLAR - fantomas wrote:
> BAYES_99 and CHARSET_FARAWAY together should score enough to score as spam. *BOUNCE_MESSAGE score only 0.1 and raising them is not safe.

Is it such a bad idea to raise the score? Or is the general purpose to combine it with some sort of meta?

By the way, is it possible to rescore or disable one rule, if another already hit (thought on something like disabling bayes when BOUNCE_MESSAGE already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already hit. Yeah I know that's kind of bogus config but it'd be very suitable for our purpose.

Daniel
Re: Is there a way to block invalid non delivery notifications?
> Matus UHLAR - fantomas wrote:
> > the first can be caught by using ok_locales

On 30.06.10 04:14, Daniel Lemke wrote:
> We are already using ok_locales, but it does not score all of the mail and if it scores, the few points at all are not enough to identify it as spam (since bayes still scores negative). I already trained bayes with hundreds of mails, but it still doesn't recognize this ndr as spam.

apparently not enough of NDRs. I trained bayes with many notices and it was able to detect as expected then.

BAYES_99 and CHARSET_FARAWAY together should score enough to score as spam. *BOUNCE_MESSAGE score only 0.1 and raising them is not safe.

> > For others, there's VBounce plugin that detects delivery notices (and similar messages like autoresponders) and tags them for other processing. You need to configure whitelist_bounce_relays for this plugin to work.
>
> That sounds quite nice, but the documentation says the plugin looks for the specified mta relay in the Received: header of the mail. If found, it is not marked as an invalid bounce.

No, it searches for it in the body of the mail, and the body of a delivery notice should contain the IP of your MTA, if the original message went through your MTA (although there are programs that don't include them). Otherwise it's apparently a bounce on forged mail, which VBounce is designed to catch.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
To Boot or not to Boot, that's the question. [WD1270 Caviar]
Is there a way to block invalid non delivery notifications?
For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes. Most of them look very similar, containing Cyrillic charset and .ru addresses.

Are there any special rules that are able to identify this kind of spam? As our company is small sized, we use a site wide Bayes which scores these mails negative (I'm not really sure, but I guess it does because sometimes we send a newsletter to a couple of customers, so receiving a ("real") ndr from time to time is nothing special).

I don't know how to convert ndr to plain text so I paste one of those failure notices: http://pastebin.com/X9ewhwG4

Daniel
Re: Is there a way to block invalid non delivery notifications?
On 30.06.10 02:02, Daniel Lemke wrote:
> For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes. Most of them look very similar, containing Cyrillic charset and .ru addresses.

the first can be caught by using ok_locales

> Are there any special rules that are able to identify this kind of spam? As our company is small sized, we use a site wide Bayes which scores these mails negative (I'm not really sure, but I guess it does because sometimes we send a newsletter to a couple of customers, so receiving a ("real") ndr from time to time is nothing special).

by proper training you can differ between NDR from your mail and from spam.

For others, there's VBounce plugin that detects delivery notices (and similar messages like autoresponders) and tags them for other processing. You need to configure whitelist_bounce_relays for this plugin to work.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: Is there a way to block invalid non delivery notifications?
Matus UHLAR - fantomas wrote:
> the first can be caught by using ok_locales

We are already using ok_locales, but it does not score all of the mail and if it scores, the few points at all are not enough to identify it as spam (since bayes still scores negative). I already trained bayes with hundreds of mails, but it still doesn't recognize this ndr as spam.

> For others, there's VBounce plugin that detects delivery notices (and similar messages like autoresponders) and tags them for other processing. You need to configure whitelist_bounce_relays for this plugin to work.

That sounds quite nice, but the documentation says the plugin looks for the specified mta relay in the Received: header of the mail. If found, it is not marked as an invalid bounce. This may be a problem because most bounces do have header information that looks like this (where Merkur.intranet.jam-software.com is our mta):

    Received: from mailgw.ase.az (89.147.200.68) by Merkur.intranet.jam-software.com (192.168.123.87)
      with Microsoft SMTP Server id 14.0.694.0; Wed, 30 Jun 2010 12:20:36 +0200
    Received: from Exchange.ase.local ([192.168.10.123] verified) by mailgw.ase.az (CommuniGate Pro SMTP 5.2.5)
      with ESMTP id 6308858 for i...@jam-software.com; Wed, 30 Jun 2010 15:14:11 +0500

Daniel
Re: Is there a way to block invalid non delivery notifications?
On Wed, 2010-06-30 at 02:02 -0700, Daniel Lemke wrote:
> For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes.

You've been joe jobbed by a spammer who forged your address as the sender of his junk and then randomly generated user names for the domains he targeted. By setting up a valid SPF record for your own domain you will allow the spam targets to detect forged sender addresses and avoid sending non-delivery notifications to you.

Find out about SPF: http://www.openspf.org/
SPF test tools: http://www.kitterman.com/spf/validate.html

This worked for me: as soon as I had a valid SPF record the joe jobbing showers of messages dried up.

Martin
Re: Is there a way to block invalid non delivery notifications?
On Wed, 2010-06-30 at 04:14 -0700, Daniel Lemke wrote:
[...]
> I already trained bayes with hundreds of mails, but it still doesn't recognize this ndr as spam.

It is a bounce, backscatter. It is not spam. It should not be treated as such, and a lot of (spam) tests won't trigger on them.

> > For others, there's VBounce plugin that detects delivery notices (and similar messages like autoresponders) and tags them for other processing. You need to configure whitelist_bounce_relays for this plugin to work.
>
> That sounds quite nice, but the documentation says the plugin looks for the specified mta relay in the Received: header of the mail. If found, it is not marked as an invalid bounce. This may be a problem because most bounces do

Have you tried it? Configure the plugin and send a test message that will produce a valid NDR.

Yes, VBounce is the way to go. Have a look at the vbounce cf file for some hints how to treat hits. Use the rule hit to separate these from your legit mail and spam. Don't try to raise the score.

> have header information that looks like this (where Merkur.intranet.jam-software.com is our mta):
>
> Received: from mailgw.ase.az (89.147.200.68) by Merkur.intranet.jam-software.com (192.168.123.87) with Microsoft SMTP

Yeah, well -- every incoming mail is likely to go through your MX, isn't it? ;)

One should figure a specialized backscatter plugin knows about that, don't you think? Come on, just try it.
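Pulling together the VBounce advice in this exchange and Daniel's `ifrulehit BOUNCE_MESSAGE skip BAYES_XX` wish elsewhere in the thread, here is an added local.cf fragment; it is not code from any poster or from the stock SpamAssassin rules. It assumes SpamAssassin 3.3 with the VBounce and Bayes plugins loaded in the .pre files; the relay names and the extra header name are placeholders, and the offsetting scores mirror the stock 3.3 BAYES_00/BAYES_05 values, which need checking against your own 50_scores.cf.

```text
# Added example (not from the thread or the stock rules). Assumes SA 3.3
# with Mail::SpamAssassin::Plugin::VBounce and ::Bayes loaded via .pre.

ifplugin Mail::SpamAssassin::Plugin::VBounce
  # Hosts your own outbound mail leaves through (placeholders). A real
  # bounce of your mail carries the bounced original, whose Received:
  # lines in the notice body name one of these; a notice naming none of
  # them is backscatter and hits BOUNCE_MESSAGE / ANY_BOUNCE_MESSAGE.
  whitelist_bounce_relays mx1.example.com mx2.example.com

  # Expose every rule hit in an extra header (hypothetical name) so the MTA
  # or procmail can file messages matching ANY_BOUNCE_MESSAGE separately,
  # as the thread advises, instead of raising the bounce scores. Filtering
  # on tests= in the stock X-Spam-Status header works just as well.
  add_header all Backscatter _TESTS(,)_
endif

if (plugin(Mail::SpamAssassin::Plugin::VBounce) && plugin(Mail::SpamAssassin::Plugin::Bayes))
  # Meta-rule stand-in for "ifrulehit BOUNCE_MESSAGE skip BAYES_XX": when a
  # bounce rule and a ham-leaning Bayes rule both fire, add back exactly
  # what Bayes subtracted, so Bayes cannot rescue backscatter. The four
  # values are per score set (no net/no Bayes, net, Bayes, net+Bayes) and
  # mirror the stock 3.3 lines "score BAYES_00 0 0 -1.9 -1.9" and
  # "score BAYES_05 0 0 -0.5 -0.5"; copy yours from 50_scores.cf.
  meta     BOUNCE_BAYES_00  (ANY_BOUNCE_MESSAGE && BAYES_00)
  describe BOUNCE_BAYES_00  Bounce notice that Bayes rated 0-1% spam
  score    BOUNCE_BAYES_00  0 0 1.9 1.9
  tflags   BOUNCE_BAYES_00  noautolearn

  meta     BOUNCE_BAYES_05  (ANY_BOUNCE_MESSAGE && BAYES_05)
  describe BOUNCE_BAYES_05  Bounce notice that Bayes rated 1-5% spam
  score    BOUNCE_BAYES_05  0 0 0.5 0.5
  tflags   BOUNCE_BAYES_05  noautolearn
endif
```

Run `spamassassin --lint` after adding it, and verify with a bounce you provoke yourself (as Karsten suggests) that the real NDR does not hit ANY_BOUNCE_MESSAGE while a backscatter sample does.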
Re: Is there a way to block invalid non delivery notifications?
On Wed, 30 Jun 2010 02:02:51 -0700 (PDT), Daniel Lemke le...@jam-software.com wrote:
> Are there any special rules that are able to identify this kind of spam?

It's not spam, it's misconfigured mailservers. Stupid people and malicious people are two different problems. Don't let bayes learn it as spam.

We block them at MTA level using subject matching and http://www.backscatterer.org/

Although we block _all_ NDAs, and only whitelist some that are explicitly requested by $boss. May or may not suit your needs.
Re: Is there a way to block invalid non delivery notifications?
Karsten Bräckelmann-2 wrote:
> It is a bounce, backscatter. It is not spam. It should not be treated as such, and a lot of (spam) tests won't trigger on them.

Some definitions of spam include backscatter/bounce as well... but you're right, they shouldn't.

> Have you tried it? Configure the plugin and send a test message that will produce a valid NDR.

Ok, working as intended :)

Daniel
Re: Is there a way to block invalid non delivery notifications?
On Wed, 30 Jun 2010, Daniel Lemke wrote:
> For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes.

Publishing SPF records for your domain may reduce this. Spammers _appear_ to avoid forging sender addresses from domains that publish SPF information.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #12: Have a plan.
USMC Rules of Gunfighting #13: Have a back-up plan, because the first one won't work.
---
4 days until the 234th anniversary of the Declaration of Independence
Re: Is there a way to block invalid non delivery notifications?
Arvid Picciani wrote:
> We block them at MTA level using subject matching and http://www.backscatterer.org/
>
> Although we block _all_ NDAs, and only whitelist some that are explicitly requested by $boss. May or may not suit your needs.

I'll have a look into this, thanks for the hint.

Daniel
Re: Is there a way to block invalid non delivery notifications?
John Hardin wrote:
> Publishing SPF records for your domain may reduce this. Spammers _appear_ to avoid forging sender addresses from domains that publish SPF information.

We do have a valid SPF record:

    Found v=spf1 record for jam-software.com:
    v=spf1 a mx mx ip4:212.18.213.197 ip4:80.153.37.144 ~all
    evaluating...
    SPF record passed validation test with pySPF (Python SPF library)!

Looks like they don't care about it.

Daniel
Re: Is there a way to block invalid non delivery notifications?
On Wed, 30 Jun 2010 06:19:45 -0700 (PDT) Daniel Lemke le...@jam-software.com wrote:
> Arvid Picciani wrote:
> > We block them at MTA level using subject matching and http://www.backscatterer.org/
> >
> > Although we block _all_ NDAs, and only whitelist some that are explicitly requested by $boss. May or may not suit your needs.
>
> I'll have a look into this, thanks for the hint.

You need to use backscatterer.org carefully; it hits a substantial minority of legitimate mail.
Re: Is there a way to block invalid non delivery notifications?
On Wed, 2010-06-30 at 02:02 -0700, Daniel Lemke wrote:
> For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes. Most of them look very similar, containing Cyrillic charset and .ru addresses.
>
> Are there any special rules that are able to identify this kind of spam? As our company is small sized, we use a site wide Bayes which scores these mails negative (I'm not really sure, but I guess it does because sometimes we send a newsletter to a couple of customers, so receiving a ("real") ndr from time to time is nothing special).
>
> I don't know how to convert ndr to plain text so I paste one of those failure notices: http://pastebin.com/X9ewhwG4
>
> Daniel

BATV (if your MTA supports it) - overview: http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation
RE: Is there a way to block invalid non delivery notifications?
Daniel Lemke wrote:
> For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes. Most of them look very similar, containing Cyrillic charset and .ru addresses.
>
> Are there any special rules that are able to identify this kind of spam? As our company is small sized, we use a site wide Bayes which scores these mails negative (I'm not really sure, but I guess it does because sometimes we send a newsletter to a couple of customers, so receiving a (real) ndr from time to time is nothing special).
>
> I don't know how to convert ndr to plain text so I paste one of those failure notices: http://pastebin.com/X9ewhwG4
>
> Daniel

Last year we were getting a ton of backscatter NDRs. I implemented the following rule, for good or for ill, and it pretty effectively cleaned up the problem. I do have SPF implemented, but many servers don't check it.

    ###
    # Tests to filter joe-job blowback from Russian servers.
    # Checks for .ru in the headers, foreign character set, and coming
    # from a null address, i.e., from server NDR notices.  If only they
    # checked SPF!
    ###
    header   __CBJ_PESKY_RUSKIES1  Received =~ /\.ru\b/
    body     __CBJ_PESKY_RUSKIES2  /\.ru\b/
    body     __CBJ_PESKY_RUSKIES3  /\.ru\//
    meta     CBJ_PESKY_RUSKIES     ((__CBJ_PESKY_RUSKIES1 || __CBJ_PESKY_RUSKIES2 || __CBJ_PESKY_RUSKIES3) && ANY_BOUNCE_MESSAGE)
    describe CBJ_PESKY_RUSKIES     Joe-job blowback from Russian domains
    score    CBJ_PESKY_RUSKIES     6
    tflags   CBJ_PESKY_RUSKIES     noautolearn

...Kevin
--
Kevin Miller                          Registered Linux User No: 307357
CBJ MIS Dept.                         Network Systems Admin., Mail Admin.
155 South Seward Street               ph: (907) 586-0242
Juneau, Alaska 99801                  fax: (907) 586-4500