Re: Is there a way to block invalid non delivery notifications?

2010-07-05 Thread Daniel Lemke


jdow wrote:
 
 By the way, is it possible to rescore or disable one rule, if another
 already hit (thought on something like disabling bayes when
 BOUNCE_MESSAGE
 already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already
 hit. Yeah I know that's kind of bogus config but it'd be very suitable
 for
 our purpose.
 
 META rules are good for this sort of application.
 
 {^_^} 
 
 

I know about two meta rules that would cause a proper rescore, but both of
them are kind of dirty workarounds:
- Check if BOUNCE_MESSAGE and Bayes hit. If so, give it an appropriate
negative score (this wouldn't be really dynamic).
- Packing the whole Bayes scoring into a meta so it is only triggered when
BOUNCE_MESSAGE isn't hit.

I'd prefer something like the ifplugin keyword in the configuration, in
pseudo code:
ifrulehit BOUNCE_MESSAGE
skip BAYES_XX

Daniel
-- 
View this message in context: 
http://old.nabble.com/Is-there-a-way-to-block-%22invalid%22-non-delivery-notifications--tp29032307p29073633.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Is there a way to block invalid non delivery notifications?

2010-07-03 Thread jdow

From: Daniel Lemke le...@jam-software.com
Sent: Friday, 2010/July/02 06:36


Matus UHLAR - fantomas wrote:


apparently not enough of NDRs. I trained bayes with many notices and it was
able to detect as expected then.


It apparently does learn the ndrs given, but as we send a newsletter from
time to time (that produces ndrs as well), Bayes seems to learn ndrs as ham
continuously.


Matus UHLAR - fantomas wrote:


BAYES_99 and CHARSET_FARAWAY together should score enough to score as spam.
*BOUNCE_MESSAGE score only 0.1 and raising them is not safe.


Is it such a bad idea to raise the score? Or is the general purpose to
combine it with some sort of meta?

By the way, is it possible to rescore or disable one rule, if another
already hit (thought on something like disabling bayes when BOUNCE_MESSAGE
already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already
hit. Yeah I know that's kind of bogus config but it'd be very suitable for
our purpose.


META rules are good for this sort of application.

{^_^} 



Re: Is there a way to block invalid non delivery notifications?

2010-07-02 Thread Daniel Lemke


Matus UHLAR - fantomas wrote:
 
 apparently not enough of NDRs. I trained bayes with many notices and it was
 able to detect as expected then.
 
It apparently does learn the ndrs given, but as we send a newsletter from
time to time (that produces ndrs as well), Bayes seems to learn ndrs as ham
continuously.


Matus UHLAR - fantomas wrote:
 
 BAYES_99 and CHARSET_FARAWAY together should score enough to score as spam.
 *BOUNCE_MESSAGE score only 0.1 and raising them is not safe.
 
Is it such a bad idea to raise the score? Or is the general purpose to
combine it with some sort of meta?

By the way, is it possible to rescore or disable one rule, if another
already hit (thought on something like disabling bayes when BOUNCE_MESSAGE
already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already
hit. Yeah I know that's kind of bogus config but it'd be very suitable for
our purpose. 


Daniel



Re: Is there a way to block invalid non delivery notifications?

2010-07-01 Thread Matus UHLAR - fantomas
 Matus UHLAR - fantomas wrote:
  the first can be caught by using ok_locales

On 30.06.10 04:14, Daniel Lemke wrote:
 We are already using ok_locales, but it does not score all of the mail and
 if it scores, the few points at all are not enough to identify it as spam
 (since bayes still scores negative). I already trained bayes with hundreds
 of mails, but it still doesn't recognize this ndr as spam.

apparently not enough of NDRs. I trained bayes with many notices and it was
able to detect as expected then.

BAYES_99 and CHARSET_FARAWAY together should score enough to score as spam.
*BOUNCE_MESSAGE score only 0.1 and raising them is not safe.

  For others, there's VBounce plugin that detects delivery notices (and
  similar messages like autoresponders) and tags them for other processing.
  
  You need to configure whitelist_bounce_relays for this plugin to work.

 That sounds quite nice, but the documentation says the plugin looks for the
 specified mta relay in the Received: header of the mail. If found, it is not
 marked as an invalid bounce.

No, it searches for it in the body of the mail, and the body of a delivery
notice should contain the IP of your MTA, if the original message went through
your MTA (although there are programs that don't include them). Otherwise
it's apparently a bounce on forged mail, which VBounce is designed to
catch.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
To Boot or not to Boot, that's the question. [WD1270 Caviar]
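As an added example (not code from this thread or from SpamAssassin's VBounce plugin), the Python below models the check Matus describes: a bounce counts as a reaction to our own mail only if the body of the notice names one of the relays in whitelist_bounce_relays, while the bounce's own Received: headers are ignored because every inbound message passes our MX anyway. The relay names, addresses and both sample notices are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# Stand-in for SpamAssassin's whitelist_bounce_relays (assumed, constructed values).
WHITELIST_BOUNCE_RELAYS = {"mx.example.com", "192.0.2.25"}

def is_bounce(msg: Message) -> bool:
    """Rough stand-in for BOUNCE_MESSAGE: null sender, RFC 3464 report or MAILER-DAEMON."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    return "mailer-daemon" in msg.get("From", "").lower()

def body_text(msg: Message) -> str:
    """Concatenate the text/* parts; the bounce's own headers are not included."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)

def classify(raw: str) -> str:
    """'not-a-bounce', 'legit-bounce' (body names one of our relays) or 'backscatter'."""
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    body = body_text(msg).lower()
    for relay in WHITELIST_BOUNCE_RELAYS:
        # Whole-token match, so 192.0.2.25 does not match 192.0.2.250.
        if re.search(r"(?<![\w.])" + re.escape(relay.lower()) + r"(?![\w.])", body):
            return "legit-bounce"
    return "backscatter"

# Constructed sample: NDR for a newsletter we really sent. The quoted original
# headers in the body show that the message left through our relay.
LEGIT_NDR = """\
Return-Path: <>
Received: from mailgw.partner.example (203.0.113.9) by mx.example.com (192.0.2.25)
From: Mail Delivery System <MAILER-DAEMON@partner.example>

The following address failed: bob@partner.example (user unknown)
----- Original message headers -----
Received: from mx.example.com (192.0.2.25) by mailgw.partner.example
From: newsletter@example.com
"""

# Constructed sample: backscatter for forged mail that never touched our relay. Our
# MX still sits in the bounce's own Received: header, so checking that would not help.
BACKSCATTER_NDR = LEGIT_NDR.replace(
    "Received: from mx.example.com (192.0.2.25) by mailgw.partner.example",
    "Received: from 198.51.100.200 (unknown [198.51.100.200]) by mailgw.partner.example")
```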


Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Daniel Lemke

For a short time now we have been receiving several hundred non-delivery notifications
and other failure notices on one of our mailboxes.
Most of them look very similar, containing a Cyrillic charset and .ru
addresses.
Are there any special rules that are able to identify this kind of spam?
As our company is small, we use a site-wide Bayes which scores these
mails negative (I'm not really sure, but I guess it does because sometimes
we send a newsletter to a couple of customers, so receiving a ("real") NDR
from time to time is nothing special).

I don't know how to convert an NDR to plain text, so I pasted one of those
failure notices:
http://pastebin.com/X9ewhwG4

Daniel




Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Matus UHLAR - fantomas
On 30.06.10 02:02, Daniel Lemke wrote:
 For a short time we receive several hundreds of non delivery notifications
 and other failure notices on one of our mailboxes.
 Most of them look very similar, containing Cyrillic charset and .ru
 addresses.

the first can be caught by using ok_locales

 Are there any special rules that are able to identify this kind of spam?
 As our company is small sized, we use a site wide Bayes which scores this
 mails negative (I’m not really sure, but I guess it does because sometimes
 we send a newsletter to a couple of customers, so receiving a (“real”) ndr
 from time to time is nothing special.

by proper training you can distinguish between NDRs for your own mail and those for spam.

For others, there's VBounce plugin that detects delivery notices (and
similar messages like autoresponders) and tags them for other processing.

You need to configure whitelist_bounce_relays for this plugin to work.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Daniel Lemke


Matus UHLAR - fantomas wrote:
 
 the first can be caught by using ok_locales
 
We are already using ok_locales, but it does not score all of the mail and
if it scores, the few points at all are not enough to identify it as spam
(since bayes still scores negative). I already trained bayes with hundreds
of mails, but it still doesn't recognize this ndr as spam.




 For others, there's VBounce plugin that detects delivery notices (and
 similar messages like autoresponders) and tags them for other processing.
 
 You need to configure whitelist_bounce_relays for this plugin to work.
 

That sounds quite nice, but the documentation says the plugin looks for the
specified mta relay in the Received: header of the mail. If found, it is not
marked as an invalid bounce. This may be a problem because most bounces do
have header information that looks like this (where
Merkur.intranet.jam-software.com is our mta):

Received: from mailgw.ase.az (89.147.200.68) by
 Merkur.intranet.jam-software.com (192.168.123.87) with Microsoft SMTP Server
 id 14.0.694.0; Wed, 30 Jun 2010 12:20:36 +0200
Received: from Exchange.ase.local ([192.168.10.123] verified) by
 mailgw.ase.az (CommuniGate Pro SMTP 5.2.5) with ESMTP id 6308858 for
 i...@jam-software.com; Wed, 30 Jun 2010 15:14:11 +0500


Daniel



Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Martin Gregorie
On Wed, 2010-06-30 at 02:02 -0700, Daniel Lemke wrote:
 For a short time we receive several hundreds of non delivery notifications
 and other failure notices on one of our mailboxes.

You've been joe jobbed by a spammer who forged your address as the
sender of his junk and then randomly generated user names for the
domains he targeted.
 
By setting up a valid SPF record for your own domain you will allow the
spam targets to detect forged sender addresses and avoid sending
non-delivery notifications to you.

Find out about SPF: http://www.openspf.org/ 
SPF test tools: http://www.kitterman.com/spf/validate.html

This worked for me: as soon as I had a valid SPF record the joe jobbing
showers of messages dried up.


Martin





Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Karsten Bräckelmann
On Wed, 2010-06-30 at 04:14 -0700, Daniel Lemke wrote:
 [...]  I already trained bayes with hundreds
 of mails, but it still doesn't recognize this ndr as spam.

It is a bounce, backscatter. It is not spam. It should not be treated as
such, and a lot of (spam) tests won't trigger on them.

  For others, there's VBounce plugin that detects delivery notices (and
  similar messages like autoresponders) and tags them for other processing.
  
  You need to configure whitelist_bounce_relays for this plugin to work.
 
 That sounds quite nice, but the documentation says the plugin looks for the
 specified mta relay in the Received: header of the mail. If found, it is not
 marked as an invalid bounce. This may be a problem because most bounces do

Have you tried it? Configure the plugin and send a test message that
will produce a valid NDR.

Yes, VBounce is the way to go. Have a look at the vbounce cf file for
some hints how to treat hits. Use the rule hit to separate these from
your legit mail and spam. Don't try to raise the score.

 have header information that looks like this (where
 Merkur.intranet.jam-software.com is our mta):
 
 Received: from mailgw.ase.az (89.147.200.68) by
  Merkur.intranet.jam-software.com (192.168.123.87) with Microsoft SMTP

Yeah, well -- every incoming mail is likely to go through your MX, isn't
it? ;)  One should figure a specialized backscatter plugin knows about
that, don't you think? Come on, just try it.


-- 



Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Arvid Picciani
On Wed, 30 Jun 2010 02:02:51 -0700 (PDT), Daniel Lemke le...@jam-software.com 
wrote:

 Are there any special rules that are able to identify this kind of spam?

It's not spam, it's misconfigured mail servers. Stupid people and
malicious people are two different problems. Don't let Bayes learn it as spam.
We block them at MTA level using subject matching and 
http://www.backscatterer.org/
Although we block _all_ NDAs, and only whitelist some that are
explicitly requested by $boss. May or may not suit your needs.



Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Daniel Lemke


Karsten Bräckelmann-2 wrote:
 
 It is a bounce, backscatter. It is not spam. It should not be treated as
 such, and a lot of (spam) tests won't trigger on them.
 
Some definitions of spam include backscatter/bounce as well... but you're
right, they shouldn't.


 Have you tried it? Configure the plugin and send a test message that
 will produce a valid NDR.
 
Ok, working as intended :)


Daniel



Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread John Hardin

On Wed, 30 Jun 2010, Daniel Lemke wrote:

For a short time we receive several hundreds of non delivery 
notifications and other failure notices on one of our mailboxes.


Publishing SPF records for your domain may reduce this. Spammers _appear_ 
to avoid forging sender addresses from domains that publish SPF 
information.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #12: Have a plan.
  USMC Rules of Gunfighting #13: Have a back-up plan, because the
  first one won't work.
---
 4 days until the 234th anniversary of the Declaration of Independence


Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Daniel Lemke


Arvid Picciani wrote:
 
 We block them at MTA level using subject matching and
 http://www.backscatterer.org/
 Although we block _all_ NDAs, and only whitelist some that are
 explicitly requested by $boss. May or may not suit your needs.
 
I'll have a look into this, thanks for the hint.

Daniel



Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Daniel Lemke


John Hardin wrote:
 
 Publishing SPF records for your domain may reduce this. Spammers _appear_ 
 to avoid forging sender addresses from domains that publish SPF 
 information.
 

We do have a valid SPF record:

Found v=spf1 record for jam-software.com:
v=spf1 a mx mx ip4:212.18.213.197 ip4:80.153.37.144 ~all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!


Looks like they don't care about it.

Daniel



Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread RW
On Wed, 30 Jun 2010 06:19:45 -0700 (PDT)
Daniel Lemke le...@jam-software.com wrote:

 
 
 Arvid Picciani wrote:
  
  We block them at MTA level using subject matching and
  http://www.backscatterer.org/
  Although we block _all_ NDAs, and only whitelist some that are
  explicitly requested by $boss. May or may not suit your needs.
  
 I'll have a look into this, thanks for the hint.

You need to use backscatterer.org carefully, as it hits a substantial
minority of legitimate mail.


Re: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread corpus.defero
On Wed, 2010-06-30 at 02:02 -0700, Daniel Lemke wrote:
 For a short time we receive several hundreds of non delivery notifications
 and other failure notices on one of our mailboxes.
 Most of them look very similar, containing Cyrillic charset and .ru
 addresses.
 Are there any special rules that are able to identify this kind of spam?
 As our company is small sized, we use a site wide Bayes which scores this
 mails negative (I’m not really sure, but I guess it does because sometimes
 we send a newsletter to a couple of customers, so receiving a (“real”) ndr
 from time to time is nothing special.
 
 I don’t know how to convert ndr to plain text so I paste one of those
 failure notices:
 http://pastebin.com/X9ewhwG4 
 
 Daniel
 
BATV (if your MTA supports it) - overview
http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation



RE: Is there a way to block invalid non delivery notifications?

2010-06-30 Thread Kevin Miller
Daniel Lemke wrote:
 For a short time we receive several hundreds of non delivery
 notifications and other failure notices on one of our mailboxes. 
 Most of them look very similar, containing Cyrillic charset and .ru
 addresses. 
 Are there any special rules that are able to identify this kind of
 spam? 
 As our company is small sized, we use a site wide Bayes which scores
 this mails negative (I'm not really sure, but I guess it does because
 sometimes we send a newsletter to a couple of customers, so receiving
 a (real) ndr from time to time is nothing special.   
 
 I don't know how to convert ndr to plain text so I paste one of those
 failure notices: 
 http://pastebin.com/X9ewhwG4
 
 Daniel

Last year we were getting a ton of backscatter NDRs.  I implemented the 
following rule, for good or for ill, and it pretty effectively cleaned up the 
problem.
I do have SPF implemented, but many servers don't check it.

###
#  Tests to filter joe-job blowback from Russian servers.
#  Checks for .ru in the headers, foreign character set, and coming
#  from a null address, i.e., from server NDR notices.  If only they
#  checked SPF!
###
header   __CBJ_PESKY_RUSKIES1   Received =~ /\.ru\b/
body     __CBJ_PESKY_RUSKIES2   /\.ru\b/
body     __CBJ_PESKY_RUSKIES3   /\.ru\//
meta     CBJ_PESKY_RUSKIES      ((__CBJ_PESKY_RUSKIES1 || __CBJ_PESKY_RUSKIES2 || __CBJ_PESKY_RUSKIES3) && ANY_BOUNCE_MESSAGE)
describe CBJ_PESKY_RUSKIES      Joe-job blowback from Russian domains
score    CBJ_PESKY_RUSKIES      6
tflags   CBJ_PESKY_RUSKIES      noautolearn

...Kevin
-- 
Kevin Miller                    Registered Linux User No: 307357
CBJ MIS Dept.                   Network Systems Admin., Mail Admin.
155 South Seward Street         ph: (907) 586-0242
Juneau, Alaska 99801            fax: (907) 586-4500