Re: Whitelist_from??

2019-03-15 Thread David Jones
On 3/14/19 5:50 PM, @lbutlr wrote:
> I've been having a lot of problems with emails from comixology getting tagged 
> as spam and then the message attachment is often, but not always, corrupt.
> 
> Content analysis details:   (6.8 points, 5.0 required)
> 
> pts rule name  description
>  -- --
> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
>  no trust
> [54.240.13.78 listed in list.dnswl.org]
> 0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
> [score: 1.]
> 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
> [score: 1.]
> 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
> mail domains are different
> 0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
> 0.0 HTML_MESSAGE   BODY: HTML included in message
> 0.4 MIME_HTML_MOSTLY   BODY: Multipart message mostly text/html MIME
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> valid
> 0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
> MIME headers
> 0.1 DKIM_INVALID   DKIM or DK signature exists, but is not valid
> 1.0 BODY_URI_ONLY  Message body is only a URI in one line of text or
> for an image
> 0.0 T_REMOTE_IMAGE Message contains an external image
> 
> The attached message when I open it starts:
> 
> =23outlook A =7B  PADDING-BOTTOM: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 
> 0px=
> ; PADDING-TOP: 0px =7D
> BODY =7BPADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 100% =
> =21important; PADDING-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjus=
> t: 100%; -ms-text-size-adjust: 100%
> =7D
> =7D =20
> 
> 
> I added whitelist_auth comixology.com to local.cf and still had issues, so I 
> also added whitelist_from comixology.com, but messages are still tagged as 
> spam.
> 
> From: Comics by comiXology 
> 
> But the messages are actually coming from amazon.com. I have these references 
> to amazon in local.cf
> 
> adsp_override amazon.com custom_high
> adsp_override amazon.com
> whitelist_auth *@amazon.com
> 
> (not sure about the first two lines, don't recall those settings)
> 
> 
> 

I would recommend using this if they hit SPF_PASS or DKIM_VALID_AU

whitelist_auth *@*.comixology.com

If they don't have good SPF or DKIM like this one, then use:

whitelist_from_rcvd *@*.comixology.com amazonses.com

The "amazonses.com" would be the part of the sending mail server's name 
when it has good FCrDNS.  If that mail server doesn't have good FCrDNS, 
then use:

whitelist_from_rcvd *@*.comixology.com [ip.ad.dr.ess]


whitelist_from should be the last option and I only use it on a full 
email address that is very unique so spammers won't be able to match 
that by accident from any source server or IP address.

-- 
David Jones


Re: Whitelist_from??

2019-03-14 Thread Bill Cole
On 14 Mar 2019, at 22:03, @lbutlr wrote:

> On 14 Mar 2019, at 17:00, RW  wrote:
>>
>> whitelist entries need to be globs that match an email address, not a
>> domain name.
>
> How sophisticated is SA's globbing?
>
> ^(\w+)([\-.'][\w]+)+@domain.tld$

For whitelist entries the match string is a simple glob, not a regex.

"perldoc Mail::SpamAssassin::Conf" will tell you the details.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: Whitelist_from??

2019-03-14 Thread @lbutlr
On 14 Mar 2019, at 17:00, RW  wrote:
> 
> whitelist entries need to be globs that match an email address, not a
> domain name.

How sophisticated is SA's globbing?

^(\w+)([\-.'][\w]+)+@domain.tld$

?



-- 
These are the thoughts that kept me out of the really good schools. --
George Carlin




Re: Whitelist_from??

2019-03-14 Thread RW
On Thu, 14 Mar 2019 16:50:01 -0600
@lbutlr wrote:

> I've been having a lot of problems with emails from comixology
> getting tagged as spam and then the message attachment is often, but
> not always, corrupt.
...
> I added whitelist_auth comixology.com to local.cf and still had
> issues, so I also added whitelist_from comixology.com, but messages
> are still tagged as spam.


whitelist entries need to be globs that match an email address, not a
domain name.





RE: whitelist_from in user_prefs is not being processed.

2015-03-13 Thread Rick Hantz (TirNanOg)
That worked, many thanks..
Missing @ makes a difference ;)
-RIckH

-Original Message-
From: RW [mailto:rwmailli...@googlemail.com] 
Sent: Thursday, March 12, 2015 11:44 AM
To: users@spamassassin.apache.org
Subject: Re: whitelist_from in user_prefs is not being processed.

On Thu, 12 Mar 2015 11:23:33 -0700
Rick Hantz \(TirNanOg\) wrote:

  

 However, none of the whitelist seems to get processed. Mail that 
 should have a high negative number doesn't and ends up in the spam 
 folder.
 
 whitelist_from 23andme.com
 ...
 whitelist_from *.aarp.com


try: 
 
whitelist_from *@23andme.com

whitelist_from *@*.aarp.com

etc



Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Axb

On 03/12/2015 07:23 PM, Rick Hantz (TirNanOg) wrote:

whitelist_from alfranken.com


bad syntax

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt

unwhitelist_from u...@example.com
Used to override a default whitelist_from entry, so for example a
distribution whitelist_from can be overridden in a local.cf 
file, or

an individual user can override a whitelist_from entry in their own
user_prefs file. The specified email address has to match exactly
(although case-insensitively) the address previously used in a
whitelist_from line, which implies that a wildcard only matches
literally the same wildcard (not 'any' address).

e.g.

  unwhitelist_from j...@example.com f...@example.com
  unwhitelist_from *@example.com

whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
Works similarly to whitelist_from, except that in addition to
matching a sender address, a relay's rDNS name or its IP address
must match too for the whitelisting rule to fire. The first
parameter is a sender's e-mail address to whitelist, and the second
is a string to match the relay's rDNS, or its IP address. Matching
is case-insensitive.

This second parameter is matched against the TCP-info information
field as provided in a FROM clause of a trace information (i.e. the
Received header field, see RFC 5321). Only the Received header
fields inserted by trusted hosts are considered. This parameter can
either be a full hostname, or the domain component of that 
hostname,

or an IP address in square brackets. The reverse DNS lookup is done
by a MTA, not by SpamAssassin.

In case of an IPv4 address in brackets, it may be truncated on
classful boundaries to cover whole subnets, e.g. [10.1.2.3],
[10.1.2], [10.1], [10]. CIDR notation is currently not
supported, nor is IPv6. The matching on IP address is mainly
provided to cover rare cases where whitelisting of a sending MTA is
desired which does not have a correct reverse DNS configured.

In other words, if the host that connected to your MX had an IP
address 192.0.2.123 that mapped to 'sendinghost.example.org', you
should specify sendinghost.example.org, or example.org, or
[192.0.2.123] or [192.0.2] here.

Note that this requires that internal_networks be correct. For
simple cases, it will be, but for a complex network you may get
better results by setting that parameter.

It also requires that your mail exchangers be configured to perform
DNS reverse lookups on the connecting host's IP address, and to
record the result in the generated Received header field according
to RFC 5321.

e.g.

  whitelist_from_rcvd j...@example.com  example.com
  whitelist_from_rcvd *@axkit.org  sergeant.org
  whitelist_from_rcvd *@axkit.org  [192.0.2.123]
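
The matching rules discussed in this thread, as an added Python sketch (not SpamAssassin's code and not from any poster): whitelist address patterns are anchored, case-insensitive globs in which only `*` and `?` are special, and the second whitelist_from_rcvd parameter is a hostname, a domain component, or a bracketed IPv4 address truncated on octet boundaries. The function names and the sample sender addresses are made up for illustration.

```python
import re


def glob_to_regex(glob):
    """Translate a whitelist glob into an anchored, case-insensitive regex.

    Only '*' (any run of characters) and '?' (exactly one character) are
    special; everything else, regex metacharacters included, is literal.
    """
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def addr_matches(glob, address):
    """True if the whole sender address matches the glob."""
    return glob_to_regex(glob).match(address) is not None


def relay_matches(spec, rdns, ip):
    """Second whitelist_from_rcvd parameter: hostname, domain, or [ip]."""
    if spec.startswith("[") and spec.endswith("]"):
        prefix = spec[1:-1]
        # A truncated IPv4 such as [192.0.2] must match on whole octets.
        return ip == prefix or ip.startswith(prefix + ".")
    rdns, spec = rdns.lower(), spec.lower()
    # Full hostname, or a domain component on a label boundary.
    return rdns == spec or rdns.endswith("." + spec)


def whitelist_from_rcvd(addr_glob, relay_spec, sender, rdns, ip):
    """Both the sender address and the trusted relay have to match."""
    return addr_matches(addr_glob, sender) and relay_matches(relay_spec, rdns, ip)


def lint_entry(pattern):
    """Flag the entry mistakes that come up in this thread."""
    problems = []
    if pattern.lower().startswith("mailto:"):
        problems.append("mailto: prefix is matched literally")
    if "@" not in pattern:
        problems.append("no '@': entries are matched against the full sender address")
    if re.search(r"[\\^$()\[\]{}|]", pattern):
        problems.append("regex syntax is not supported, only * and ?")
    return problems


if __name__ == "__main__":
    # Constructed sender addresses; the patterns are the ones posted above.
    cases = [
        ("23andme.com", "news@23andme.com"),
        ("*@23andme.com", "news@23andme.com"),
        ("*@sailthru.com", "bounce@mx.sailthru.com"),
        ("*@*.sailthru.com", "bounce@mx.sailthru.com"),
        ("mailto:*@sailthru.com", "bounce@sailthru.com"),
    ]
    for pattern, sender in cases:
        print(pattern, sender, addr_matches(pattern, sender), lint_entry(pattern))
    # Relay values taken from the documentation excerpt above.
    for spec in ("sendinghost.example.org", "example.org", "[192.0.2]", "[192.0.2.1]"):
        print(spec, relay_matches(spec, "sendinghost.example.org", "192.0.2.123"))
```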



Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread RW
On Thu, 12 Mar 2015 11:23:33 -0700
Rick Hantz \(TirNanOg\) wrote:

  

 However, none of the whitelist seems to get processed. Mail that
 should have a high negative number doesn't and ends up in the spam
 folder.
 
 whitelist_from 23andme.com
 ...
 whitelist_from *.aarp.com


try: 
 
whitelist_from *@23andme.com

whitelist_from *@*.aarp.com

etc


Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Reindl Harald



On 12.03.2015 at 19:23, Rick Hantz (TirNanOg) wrote:

My mail is hosted on Lunarpages.com on my own domain.

I train SpamAssassin frequently.

However, I get hundreds of spam messages daily (500-700). This is an old
public account that I need to maintain, otherwise I’d delete it.

After a while, the tokens files get corrupt, so I delete them and start
over. (I start getting a lot of spam missed).

To filter most everything, I set the spam level at -1.

I maintain a whitelist in user_prefs, so I can easily start over.

However, none of the whitelist seems to get processed. Mail that should
have a high negative number doesn’t and ends up in the spam folder.

Any ideas or workarounds?


without logs - no





Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Benny Pedersen
On March 12, 2015 11:10:13 PM Rick Hantz \(TirNanOg\) 
rick...@tirnanog.com wrote:



In my user_prefs file, I have: (see resulting header below)

whitelist_from mailto:*@sailthru.com


read perldoc Mail::SpamAssassin::Conf

note whitelist_from allows forged senders, if possible use whitelist_auth 
instead


Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Rick Hantz (TirNanOg)
 

In my user_prefs file, I have: (see resulting header below)

whitelist_from mailto:*@sailthru.com

whitelist_from mailto:*@e.washingtonpost.com

 

Do I also need 

whitelist_from mailto:*@*.sailthru.com  ?

 

Appreciate all the help.

 

-RickH

 

 

Return-path: deliv...@mx.sailthru.com

Envelope-to: rickhan!!tirnanog.com

Delivery-date: Thu, 12 Mar 2015 14:21:53 -0700

Received: from mx-washpost-a.sailthru.com ([192.64.237.165]:50811)

   by coeus.lunarmania.com with esmtp (Exim 4.82)

   (envelope-from deliv...@mx.sailthru.com)

   id 1YWAYA-0004uL-M3

   for rickhan!!tirnanog.com; Thu, 12 Mar 2015 14:21:53 -0700

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; s=mt; d=pmta.sailthru.com;

h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe
;


Received: from nyp1-p-p4136-prd-jma-04.sailthru.pvt (64.34.57.233) by
mx-washpost-a.sailthru.com id h081mu1qqbs6 for rick...@tirnanog.com; Thu,
12 Mar 2015 17:21:50 -0400 (envelope-from deliv...@mx.sailthru.com)

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
t=1426195310;

   s=sailthru; d=e.washingtonpost.com;

 
h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe
;


Date: Thu, 12 Mar 2015 17:21:50 -0400 (EDT)

From: The Washington Post em...@e.washingtonpost.com

To: rickhan!!tirnanog.com

Message-ID: 20150312212150.3994150.72...@sailthru.com

Subject: News Alert: American with Ebola to be treated at National

Institutes of Health

MIME-Version: 1.0

Content-Type: multipart/alternative; 

   boundary==_Part_1695_1383230446.1426195310303

Precedence: bulk

X-TM-ID: 20150312212150.3994150.72694

X-Info: Message sent by sailthru.com customer The Washington Post

X-Info: We do not permit unsolicited commercial email

X-Info: Please report abuse by forwarding complete headers to

X-Info: ab...@sailthru.com

X-Mailer: sailthru.com

X-JMailer: nyp1-p-p4136-prd-jma-04.sailthru.pvt

X-Unsubscribe-Web:
http://link.washingtonpost.com/oc/54836cd23b35d0d5728c41ca2dlwm.1k3a/a618a63
9

List-Unsubscribe:
http://link.washingtonpost.com/oc/54836cd23b35d0d5728c41ca2dlwm.1k3a/a618a6
39, mailto:unsubscribe_20150312212150.3994150.72...@mx.sailthru.com

X-rpcampaign: sthiq3994150

X-Spam-Subject: ***SPAM*** News Alert: American with Ebola to be treated at
National

Institutes of Health

X-Spam-Status: Yes, score=-0.5

X-Spam-Score: -4

X-Spam-Bar: /

X-Spam-Flag: YES

 



Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Reindl Harald



On 12.03.2015 at 23:06, Rick Hantz (TirNanOg) wrote:

In my user_prefs file, I have: (see resulting header below)

whitelist_from mailto:*@sailthru.com

whitelist_from mailto:*@e.washingtonpost.com

Do I also need

whitelist_from mailto:*@*.sailthru.com  ?

Return-path: deliv...@mx.sailthru.com


i guess all that mailto:; crap comes from sending HTML mails for 
whatever reason, besides that: @sailthru.com surely is not the same as 
@mx.sailthru.com






Re: whitelist_from conditioned to hostname

2013-10-18 Thread Benny Pedersen

nik600 wrote on 2013-10-18 17:24:


Can i do that?


sure:

whitelist_auth postmas...@example.org

whitelist_from allows forges, don't use it, it's still a candidate to be 
removed from spamassassin









Re: whitelist_from conditioned to hostname

2013-10-18 Thread Matus UHLAR - fantomas

On 18.10.13 17:24, nik600 wrote:

is possible to specify a whitelist_from in local.cf limiting it for some
hosts?


yes, use whitelist_from_rcvd for that.
Note that applies to external mail, e.g. mail received from hosts not in
your internal_network.


i want to whitelist my postmas...@foo.tld to avoid backscatter or
bouce_message classifications, but want to limit this whitelist only if the
sender is from my server, if the smtp client is something different than i
trust i don't want to whitelist it.


well, this is exactly what the VBounce plugin is for, and you need to specify
whitelist_bounce_relays for it to work.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: whitelist_from conditioned to hostname

2013-10-18 Thread Kris Deugau
nik600 wrote:
 is possible to specify a whitelist_from in local.cf
 limiting it for some hosts?
 
 Example:
 
 i want to whitelist my postmas...@foo.tld to avoid backscatter or
 bouce_message classifications, but want to limit this whitelist only if
 the sender is from my server, if the smtp client is something different
 than i trust i don't want to whitelist it.

whitelist_from_rcvd postmas...@foo.tld smtp.foo.tld

Note this requires you have properly configured reverse DNS on your
server's IP.

-kgd


RE: whitelist_from in SQL not applied?

2013-02-19 Thread Philippe Ratté
 1: spamassassin 2>&1 -D --lint | less
 2: perldoc Mail::SpamAssassin::Plugin::SPF

 could still be relevant problem if its added remotely and not localy,
 but this is why i asked 1: on above, can you post it to pastebin and
 give a link here ?

http://pastebin.com/xErBy0ej
 
 2: is just informative to you what to configure in local.cf

Ok, will try whitelist_from_spf
 
 for the sql whitelist use same preferences as it would be in local.cf,
 and btw have you multiple sql users preferences or just one ?, is it
 really checking the right user ?

Just one user prefs in the DB for this user, how can't I be sure that it's 
checking the right user? Other whitelist_from all work

Thanks



RE: whitelist_from in SQL not applied?

2013-02-19 Thread Benny Pedersen

Philippe Ratté wrote on 2013-02-19 16:15:

1: spamassassin 2>&1 -D --lint | less
2: perldoc Mail::SpamAssassin::Plugin::SPF


could still be relevant problem if its added remotely and not 
localy,

but this is why i asked 1: on above, can you post it to pastebin and
give a link here ?


http://pastebin.com/xErBy0ej


Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, cannot 
use SPF


is this why whitelist_from are the only one that works ?

first get it to work from local.cf, if this is working move the same 
rule to sql is the right way to test


if envelope-from is non default, then set it in local.cf, info here 
perldoc Mail::SpamAssassin::Conf


postfix is using Return-Path, if you are using another mta you may 
change this in the settings so spf does not say it does not find 
envelope-from as above



2: is just informative to you what to configure in local.cf

Ok, will try whitelist_from_spf


i noticed you are using openprotect rule set with 99% deprecated rule 
sets :(


why not just use spamassassin rule sets ?

and a side note:

don't loadplugin from a cf file, use pre files for loadplugin, see 
freemail error in your pastebin, it gets loaded twice :(


if you can add the missing perl modules then do it, but i cant remember 
if it solves problems, it depends on what to test


for the sql whitelist use same preferences as it would be in 
local.cf,

and btw have you multiple sql users preferences or just one ?, is it
really checking the right user ?


Just one user prefs in the DB for this user, how can't I be sure that
it's checking the right user? Other whitelist_from all work


lets solve envelope sender first


RE: whitelist_from in SQL not applied?

2013-02-19 Thread Philippe Ratté
Benny,

 Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, cannot
 use SPF
 
 is this why whitelist_from are the only one that works ?
 
 first get it to work from local.cf, if this is working move the same
 rule to sql is the right way to test
 
 if envelope-from is non default, then set it in local.cf, info here
 perldoc Mail::SpamAssassin::Conf
 
 postfix is using Return-Path, if you are using another mta you may
 change this in the settings so spf does not say it does not find
 envelope-from as above

I'm using qmail, along with qmail-scanner-st, and I just added a patch so that 
qmail adds the envelope-from to the headers

It works; this is what the first header now looks like:

Received: from mail-ve0-f193.google.com (209.85.128.193)
  by myserver.com (envelope-from u...@gmail.com)
 with SMTP; 19 Feb 2013 22:12:37 -

If I run spamassassin using these params, I don't see any SPF errors:

spamassassin -D < email.msg 2>debug.log

[...]
Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message has a 
Received-SPF header that we can use
Feb 19 17:39:22.848 [10817] dbg: spf: using Mail::SPF for SPF checks
Feb 19 17:39:22.848 [10817] dbg: spf: checking HELO 
(helo=falcon594.startdedicated.com, ip=69.64.33.211)
Feb 19 17:39:22.850 [10817] dbg: dns: providing a callback for id: 
55831/falcon594.startdedicated.com/SPF/IN
Feb 19 17:39:22.857 [10817] dbg: spf: query for 
/69.64.33.211/falcon594.startdedicated.com: result: none, comment: , text: No 
applicable sender policy available
Feb 19 17:39:22.858 [10817] dbg: spf: already checked for Received-SPF headers, 
proceeding with DNS based checks
Feb 19 17:39:22.858 [10817] dbg: spf: found Envelope-From in first external 
Received header
Feb 19 17:39:22.858 [10817] dbg: spf: checking EnvelopeFrom 
(helo=falcon594.startdedicated.com, ip=69.64.33.211, envfrom=nore...@sonico.com)
Feb 19 17:39:22.859 [10817] dbg: dns: providing a callback for id: 
65122/sonico.com/SPF/IN
Feb 19 17:39:22.941 [10817] dbg: spf: query for 
nore...@sonico.com/69.64.33.211/falcon594.startdedicated.com: result: fail, 
comment: Please see 
http://www.openspf.org/Why?s=mfromid=noreply%40sonico.comip=69.64.33.211r=myserver.com,
 text: Mechanism '-all' matched
Feb 19 17:39:22.948 [10817] dbg: spf: def_spf_whitelist_from: already checked 
spf and didn't get pass, skipping whitelist check
Feb 19 17:39:22.949 [10817] dbg: rules: ran eval rule SPF_FAIL == got hit 
(1)
Feb 19 17:39:22.950 [10817] dbg: spf: whitelist_from_spf: already checked spf 
and didn't get pass, skipping whitelist check
Feb 19 17:39:23.222 [10817] dbg: rules: ran uri rule __LOCAL_PP_NONPPURL 
== got hit: http://www.openspf.org;
[...]

However, if I run spamassassin 2>&1 -D --lint | less I still see the error:

Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, cannot use SPF
Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could not find 
useable envelope sender

 i noticed you are using openprotect rule set with 99% deprecated rule
 sets :(

/var/lib/spamassassin/3.002005/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.002005/saupdates_openprotect_com
/var/lib/spamassassin/3.002005/saupdates_openprotect_com.cf
/var/lib/spamassassin/3.003001/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.003001/saupdates_openprotect_com
/var/lib/spamassassin/3.003001/saupdates_openprotect_com.cf
/var/lib/spamassassin/3.002004/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.002004/saupdates_openprotect_com
/var/lib/spamassassin/3.002004/saupdates_openprotect_com.cf
/var/lib/spamassassin/3.003002/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.003002/saupdates_openprotect_com
/var/lib/spamassassin/3.003002/saupdates_openprotect_com.cf

I can simply delete them, correct? 
 
 why not just use spamassassin rule sets ?

Most likely from previous SA versions
 
Thanks for your help btw!



RE: whitelist_from in SQL not applied?

2013-02-19 Thread Benny Pedersen

Philippe Ratté wrote on 2013-02-19 23:49:


I'm using qmail, along with qmail-scanner-st, and I just added a
patch so that qmail adds the envelope-from to the headers


?


It works; this is what the first header now looks like:

Received: from mail-ve0-f193.google.com (209.85.128.193)
  by myserver.com (envelope-from u...@gmail.com)
 with SMTP; 19 Feb 2013 22:12:37 -


received is not envelope-from


If I run spamassassin using these params, I don't see any SPF errors:
spamassassin -D < email.msg 2>debug.log
[...]
Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message
has a Received-SPF header that we can use


it reuse pypolicyd-spf here

it does not use envelope-from

However, if I run spamassassin 2>&1 -D --lint | less I still see the 
error:


Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, 
cannot use SPF

Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could
not find useable envelope sender


you did not fix spamassassin, just found a received-spf example does 
not show the problem



I can simply delete them, correct?


yes


why not just use spamassassin rule sets ?

Most likely from previous SA versions


:-)


Thanks for your help btw!


wait until it works


RE: whitelist_from in SQL not applied?

2013-02-19 Thread David B Funk

On Tue, 19 Feb 2013, Philippe Ratté wrote:


Benny,


Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, cannot
use SPF

is this why whitelist_from are the only one that works ?

first get it to work from local.cf, if this is working move the same
rule to sql is the right way to test

[snip..]

I'm using qmail, along with qmail-scanner-st, and I just added a patch so that 
qmail adds the envelope-from to the headers

It works; this is what the first header now looks like:

Received: from mail-ve0-f193.google.com (209.85.128.193)
 by myserver.com (envelope-from u...@gmail.com)
with SMTP; 19 Feb 2013 22:12:37 -

If I run spamassassin using these params, I don't see any SPF errors:

spamassassin -D < email.msg 2>debug.log

[...]
Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message has a 
Received-SPF header that we can use
Feb 19 17:39:22.848 [10817] dbg: spf: using Mail::SPF for SPF checks
Feb 19 17:39:22.848 [10817] dbg: spf: checking HELO 
(helo=falcon594.startdedicated.com, ip=69.64.33.211)
Feb 19 17:39:22.850 [10817] dbg: dns: providing a callback for id: 
55831/falcon594.startdedicated.com/SPF/IN
Feb 19 17:39:22.857 [10817] dbg: spf: query for 
/69.64.33.211/falcon594.startdedicated.com: result: none, comment: , text: No 
applicable sender policy available
Feb 19 17:39:22.858 [10817] dbg: spf: already checked for Received-SPF headers, 
proceeding with DNS based checks
Feb 19 17:39:22.858 [10817] dbg: spf: found Envelope-From in first external 
Received header


OK, this says that your envelope-from patch to qmail is working


Feb 19 17:39:22.858 [10817] dbg: spf: checking EnvelopeFrom 
(helo=falcon594.startdedicated.com, ip=69.64.33.211, envfrom=nore...@sonico.com)
Feb 19 17:39:22.949 [10817] dbg: rules: ran eval rule SPF_FAIL == got hit 
(1)
Feb 19 17:39:22.950 [10817] dbg: spf: whitelist_from_spf: already checked spf 
and didn't get pass, skipping whitelist check
Feb 19 17:39:23.222 [10817] dbg: rules: ran uri rule __LOCAL_PP_NONPPURL == got hit: 
http://www.openspf.org;
[...]


this says that SA can now make valid decisions about whitelist_from_spf, so you
should be good to go with using whitelist_from_spf



However, if I run spamassassin 2>&1 -D --lint | less I still see the error:

Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, cannot use SPF
Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could not find 
useable envelope sender


Don't worry about this error. When you do a --lint SA uses a special built-in
test message for system configuration checking which has very little network
related info, including lacking anything that it can use for Envelope-From 
detection.


Bottom line, this error is expected with --lint. As long as you
get that found Envelope-From in... debug message when checking with live
data you're OK.

Now, on with your whitelist testing.

--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
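
The reading of the SPF debug output described above, as an added Python sketch (not part of the original post and not SpamAssassin code): it scans `dbg: spf:` lines and reports whether an envelope sender was found and whether whitelist_from_spf can apply. The log lines are constructed in the format quoted in this thread with placeholder hosts and addresses, and the function names are made up.

```python
import re

# Constructed sample of a run against a real message (placeholder values).
LIVE_RUN = """\
Feb 19 17:39:22.857 [10817] dbg: spf: query for /192.0.2.10/mail.example.net: result: none, comment: , text: No applicable sender policy available
Feb 19 17:39:22.858 [10817] dbg: spf: found Envelope-From in first external Received header
Feb 19 17:39:22.858 [10817] dbg: spf: checking EnvelopeFrom (helo=mail.example.net, ip=192.0.2.10, envfrom=noreply@example.com)
Feb 19 17:39:22.941 [10817] dbg: spf: query for noreply@example.com/192.0.2.10/mail.example.net: result: fail, comment: , text: Mechanism '-all' matched
Feb 19 17:39:22.950 [10817] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
""".splitlines()

# Constructed sample of a --lint run, which has no envelope sender to find.
LINT_RUN = """\
Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, cannot use SPF
Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
""".splitlines()

SPF_LINE = re.compile(r"dbg: spf: (.*)$")
ENVFROM = re.compile(r"checking EnvelopeFrom \(.*envfrom=([^)\s]+)\)")
QUERY = re.compile(r"query for ([^/\s]*)/[^/\s]+/[^\s:]+: result: (\w+)")


def summarize_spf_debug(lines):
    """Collect the SPF facts that decide whether whitelist_from_spf can fire."""
    summary = {"found": False, "envelope_from": None,
               "mfrom_result": None, "whitelist_skipped": False}
    for line in lines:
        m = SPF_LINE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("found Envelope-From"):
            summary["found"] = True
        elif (e := ENVFROM.search(msg)):
            summary["envelope_from"] = e.group(1)
        elif (q := QUERY.search(msg)):
            # The HELO query has an empty sender before the first '/'.
            if q.group(1):
                summary["mfrom_result"] = q.group(2)
        elif "whitelist_from_spf" in msg and "didn't get pass" in msg:
            summary["whitelist_skipped"] = True
    return summary


def verdict(summary):
    """One-line reading of the summary."""
    if not summary["found"]:
        return "no envelope sender: whitelist_from_spf cannot be evaluated"
    if summary["mfrom_result"] == "pass":
        return "SPF pass: whitelist_from_spf can apply"
    return "SPF %s: whitelist_from_spf is skipped" % summary["mfrom_result"]


if __name__ == "__main__":
    for name, run in (("live message", LIVE_RUN), ("--lint", LINT_RUN)):
        print(name, "->", verdict(summarize_spf_debug(run)))
```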

RE: whitelist_from in SQL not applied?

2013-02-19 Thread Benny Pedersen

David B Funk wrote on 2013-02-20 01:18:

On Tue, 19 Feb 2013, Philippe Ratté wrote:


Benny,

Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, 
cannot

use SPF

is this why whitelist_from are the only one that works ?

first get it to work from local.cf, if this is working move the 
same

rule to sql is the right way to test

[snip..]
I'm using qmail, along with qmail-scanner-st, and I just added a 
patch so that qmail adds the envelope-from to the headers


It works; this is what the first header now looks like:

Received: from mail-ve0-f193.google.com (209.85.128.193)
 by myserver.com (envelope-from u...@gmail.com)
with SMTP; 19 Feb 2013 22:12:37 -

If I run spamassassin using these params, I don't see any SPF 
errors:


spamassassin -D < email.msg 2>debug.log

[...]
Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message 
has a Received-SPF header that we can use

Feb 19 17:39:22.848 [10817] dbg: spf: using Mail::SPF for SPF checks


read perldoc Mail::SpamAssassin::Plugin::SPF was not fun when i say it 
:)


if you want to reuse that received-spf header then tell spf plugin to 
not use Mail::SPF


and see more info on perldoc Mail::SpamAssassin::Conf for 
envelope-sender-header


Feb 19 17:39:22.848 [10817] dbg: spf: checking HELO 
(helo=falcon594.startdedicated.com, ip=69.64.33.211)
Feb 19 17:39:22.850 [10817] dbg: dns: providing a callback for id: 
55831/falcon594.startdedicated.com/SPF/IN
Feb 19 17:39:22.857 [10817] dbg: spf: query for 
/69.64.33.211/falcon594.startdedicated.com: result: none, comment: , 
text: No applicable sender policy available
Feb 19 17:39:22.858 [10817] dbg: spf: already checked for 
Received-SPF headers, proceeding with DNS based checks
Feb 19 17:39:22.858 [10817] dbg: spf: found Envelope-From in first 
external Received header


OK, this says that your envelope-from patch to qmail is working


but it still miss what header is the envelope-from ?, received-spf is 
not envelope-from


Feb 19 17:39:22.858 [10817] dbg: spf: checking EnvelopeFrom 
(helo=falcon594.startdedicated.com, ip=69.64.33.211, 
envfrom=nore...@sonico.com)
Feb 19 17:39:22.949 [10817] dbg: rules: ran eval rule SPF_FAIL 
== got hit (1)
Feb 19 17:39:22.950 [10817] dbg: spf: whitelist_from_spf: already 
checked spf and didn't get pass, skipping whitelist check
Feb 19 17:39:23.222 [10817] dbg: rules: ran uri rule 
__LOCAL_PP_NONPPURL == got hit: http://www.openspf.org;

[...]


this says that SA can now make valid decisions about 
whitelist_from_spf, so you

should be good to go with using whitelist_from_spf


+1

However, if I run spamassassin 2>&1 -D --lint | less I still see the 
error:


Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, 
cannot use SPF
Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could 
not find useable envelope sender


Don't worry about this error. When you do a --lint SA uses a 
special built-in
test message for system configuration checking which has very little 
network

related info, including lacking anything that it can use for
Envelope-From detection.


it was to detect loadplugin errors


Bottom line, this error is expected with --lint. As long as you
get that found Envelope-From in... debug message when checking with 
live

data you're OK.

Now, on with your whitelist testing.


yep but first test is in local.cf, when that works try sql problems :)


RE: whitelist_from in SQL not applied?

2013-02-15 Thread Benny Pedersen

Philippe Ratté wrote on 2013-02-14 15:24:

The mail came from 65.54.190.123 and it passes SPF

dont use whitelist_from, with that setting anyone can use that email 
as

sender to get whitelisted, this is okay if you do spf testing in mta
only, so spamassassin follow it as an ok, but not if you are not 
testing

spf in mta


What should I use, then?


1: spamassassin 2>&1 -D --lint | less
2: perldoc Mail::SpamAssassin::Plugin::SPF


SPF is not checked at mta


ok

have you configured Mail::SPF to reuse mta spf (received-spf header) 
?

No


could still be relevant problem if its added remotely and not localy, 
but this is why i asked 1: on above, can you post it to pastebin and 
give a link here ?


2: is just informative to you what to configure in local.cf

for the sql whitelist use same preferences as it would be in local.cf, 
and btw have you multiple sql users preferences or just one ?, is it 
really checking the right user ?






Re: whitelist_from in SQL not applied?

2013-02-14 Thread Benny Pedersen

Philippe Ratté wrote on 2013-02-13 23:05:


dbg: spf: def_spf_whitelist_from: already checked spf and didn't get
pass, skipping whitelist check


why does it not get pass when spf is okay ?

http://dmarcian.com/spf-survey/hotmail.com


|   3485 | %domain.ca | whitelist_from | u...@hotmail.com |


don't use whitelist_from, with that setting anyone can use that email as 
sender to get whitelisted, this is okay if you do spf testing in mta 
only, so spamassassin follow it as an ok, but not if you are not testing 
spf in mta


have you configured Mail::SPF to reuse mta spf (received-spf header) ?




RE: whitelist_from in SQL not applied?

2013-02-14 Thread Philippe Ratté
The mail came from 65.54.190.123 and it passes SPF

 dont use whitelist_from, with that setting anyone can use that email as
 sender to get whitelisted, this is okay if you do spf testing in mta
 only, so spamassassin follow it as an ok, but not if you are not testing
 spf in mta

What should I use, then? SPF is not checked at mta

 have you configured Mail::SPF to reuse mta spf (recieved-spf header) ?

No




Re: whitelist_from and whitelst_from_rcvd

2010-03-17 Thread Ron

thank you sir, i think this worked.

On 3/17/2010 3:26 AM, John Hardin wrote:

On Tue, 16 Mar 2010, John Hardin wrote:


header POGO_CUSTOMER Received =~
/\(\...@pinoyonthego\.net\@[\d\.]+\).*by mail\.pinoyonthego\.net/


Watch the line wrap on that...



Re: whitelist_from and whitelst_from_rcvd

2010-03-16 Thread Ron

hi sir,

yes i am using vchkpw to auth users. are you talking about using 
whitelist_auth? i have tried using that coz i have spf defined on my 
domain, but i am not sure if whitelist_auth is for that.


dig -t TXT pinoyonthego.net

;; QUESTION SECTION:
;pinoyonthego.net.  IN  TXT

;; ANSWER SECTION:
pinoyonthego.net.   604800  IN  TXT v=spf1 a mx 
ip4:202.79.221.135 mx:mail.pinoyonthego.net -all


basically my setup is i just followed qmailrocks.org and now i am trying 
to understand how everything works which is quite alot of things to 
understand. :(


Ron

On 3/16/2010 12:51 AM, John Hardin wrote:

On Tue, 16 Mar 2010, Ron wrote:


i think the only way to not scan outgoing mails in qmail is to add the
users IP address to /etc/tcp.smtp, unfortunately my users are on
dynamic IP that i cannot add it one by one.


Are you authenticating your users in any way? There are ways to
whitelist users who have authenticated against your MTA. Please check
the list archives and the Wiki.



Re: whitelist_from and whitelst_from_rcvd

2010-03-16 Thread John Hardin

On Tue, 16 Mar 2010, Ron wrote:


On 3/16/2010 12:51 AM, John Hardin wrote:

 Are you authenticating your users in any way? There are ways to
 whitelist users who have authenticated against your MTA. Please check
 the list archives and the Wiki.


yes i am using vchkpw to auth users. are you talking about using 
whitelist_auth? i have tried using that coz i have spf defined on my 
domain, but i am not sure if whitelist_auth is for that.


No, it's not. It's not going to be quite as simple as a one-line 
whitelist_* entry.


Can you post the Received: headers from a properly-authorized mail sent by 
one of your users from a dynamic IP address? I'll try to point out what 
you need to write a rule to detect and subtract points for.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority.-- Cringely, 4/8/2004
---
 158 days since President Obama won the Nobel Not George W. Bush prize


Re: whitelist_from and whitelst_from_rcvd

2010-03-16 Thread Ron

thank you sir,

please see attached file. test header set score to 15 just to be able to 
send out, i have setup report_safe to  but x-spam-report does not show 
up on the header, i can't tell what's causing all the points to increase.


regards
Ron

On 3/16/2010 11:16 PM, John Hardin wrote:

On Tue, 16 Mar 2010, Ron wrote:


On 3/16/2010 12:51 AM, John Hardin wrote:

Are you authenticating your users in any way? There are ways to
whitelist users who have authenticated against your MTA. Please check
the list archives and the Wiki.


yes i am using vchkpw to auth users. are you talking about using
whitelist_auth? i have tried using that coz i have spf defined on my
domain, but i am not sure if whitelist_auth is for that.


No, it's not. It's not going to be quite as simple as a one-line
whitelist_* entry.

Can you post the Received: headers from a properly-authorized mail sent
by one of your users from a dynamic IP address? I'll try to point out
what you need to write a rule to detect and subtract points for.

From - Tue Mar 16 23:27:53 2010
X-Account-Key: account7
X-UIDL: GmailId127679517268da5f
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-Mozilla-Keys: 

Delivered-To: nha...@gmail.com
Received: by 10.229.43.14 with SMTP id u14cs96637qce;
Tue, 16 Mar 2010 08:27:39 -0700 (PDT)
Received: by 10.115.51.20 with SMTP id d20mr10746wak.151.1268753177038;
Tue, 16 Mar 2010 08:26:17 -0700 (PDT)
Return-Path: nha...@pinoyonthego.net
Received: from mail.pinoyonthego.net ([202.79.221.135])
by mx.google.com with ESMTP id 1si13561053pxi.86.2010.03.16.08.26.15;
Tue, 16 Mar 2010 08:26:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of nha...@pinoyonthego.net designates 
202.79.221.135 as permitted sender) client-ip=202.79.221.135;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of 
nha...@pinoyonthego.net designates 202.79.221.135 as permitted sender) 
smtp.mail=nha...@pinoyonthego.net
Received: (qmail 24730 invoked by uid 1012); 16 Mar 2010 23:23:02 +0800
Received: from 116.87.219.30 by pog (envelope-from nha...@pinoyonthego.net, 
uid 1008) with qmail-scanner-1.25-st-qms 
 (clamdscan: 0.87/1082. spamassassin: 3.3.0. perlscan: 1.25-st-qms.  
 Clear:RC:0(116.87.219.30):SA:0(11.1/15.0):. 
 Processed in 0.342791 secs); 16 Mar 2010 15:23:02 -
X-Spam-Status: No, hits=11.1 required=15.0
X-Spam-Level: +++
X-Antivirus-SILVERBACKASP-Mail-From: nha...@pinoyonthego.net via pog
X-Antivirus-SILVERBACKASP: 1.25-st-qms 
(Clear:RC:0(116.87.219.30):SA:0(11.1/15.0):. Processed in 0.342791 secs Process 
24720)
Received: from cm30.zeta219.maxonline.com.sg (HELO ?192.168.1.107?) 
(nha...@pinoyonthego.net@116.87.219.30)
  by mail.pinoyonthego.net with SMTP; 16 Mar 2010 23:23:02 +0800
Message-ID: 4b9fa313.8030...@pinoyonthego.net
Date: Tue, 16 Mar 2010 23:26:11 +0800
From: nhadie nha...@pinoyonthego.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) 
Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: Ron nha...@gmail.com
Subject: mail from pog
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

mail from pog


Re: whitelist_from and whitelst_from_rcvd

2010-03-16 Thread John Hardin

On Tue, 16 Mar 2010, Ron wrote:


please see attached file.


Is mail.pinoyonthego.net your MTA?

If so, try this:

header POGO_CUSTOMER Received =~ /\(\...@pinoyonthego\.net\@[\d\.]+\).*by 
mail\.pinoyonthego\.net/
score  POGO_CUSTOMER -1

Run in test for a while, if you only get hits on customer emails then drop 
it to -20 or so to offset the scores they are getting.


Note: this assumes that your MTA is putting this header into the emails 
before passing them on to SA. If it is not, then you're stuck. You'll need 
to figure out how to tell your MTA to not pass those messages to SA in the 
first place.




regards
Ron

On 3/16/2010 11:16 PM, John Hardin wrote:

 On Tue, 16 Mar 2010, Ron wrote:

  On 3/16/2010 12:51 AM, John Hardin wrote:
   Are you authenticating your users in any way? There are ways to
   whitelist users who have authenticated against your MTA. Please check
   the list archives and the Wiki.
 
  yes i am using vchkpw to auth users. are you talking about using

  whitelist_auth? i have tried using that coz i have spf defined on my
  domain, but i am not sure if whitelist_auth is for that.

 No, it's not. It's not going to be quite as simple as a one-line
 whitelist_* entry.

 Can you post the Received: headers from a properly-authorized mail sent
 by one of your users from a dynamic IP address? I'll try to point out
 what you need to write a rule to detect and subtract points for.




Re: whitelist_from and whitelst_from_rcvd

2010-03-16 Thread John Hardin

On Tue, 16 Mar 2010, John Hardin wrote:


header POGO_CUSTOMER Received =~ /\(\...@pinoyonthego\.net\@[\d\.]+\).*by  
mail\.pinoyonthego\.net/


Watch the line wrap on that...



Re: whitelist_from and whitelst_from_rcvd

2010-03-15 Thread RW
On Mon, 15 Mar 2010 21:43:03 +0800
Ron nha...@gmail.com wrote:

 Hi All,
 
 Newbie here, i have a qmail server, and i installed 
 qmail-scanner+clav+spamassassin. I'm trying to allow all my users
 using whitelist_from but filter spoofed e-mail address using
 whitelist_from_rcvd.

Whitelist rules whitelist, they don't filter.

 Not sure If i'm following the manual correctly, but here's what on
 local.cf
 
 internal_networks 202.79.221.135
 trusted_networks 202.79.221.135
 whitelist_from *...@imagetransforms.com
 whitelist_from_rcvd *...@imagetransforms.com mail.pinoyonthego.net

This last line means whitelist *...@imagetransforms.com if it's received
into your internal network from mail.pinoyonthego.net.

mail.pinoyonthego.net isn't going to receive from mail.pinoyonthego.net
so that wont work. And in any case your server is called
ip135.silverbackasp.com since whitelist_from_rcvd uses reverse dns.


 but with that config, i'm still receiving spam e-mail with spoofed 
 e-mail address, so i tried removing whitelist_from
 *...@imagetransforms.com and retained whitelist_from_rcvd, but when i
 send an e-mail i'm getting denied because my email was tagged as spam.

Why is your outgoing mail identified as spam? Do you even want to be
scanning this?

 another thing i'm confused is that there 2 Received From on the
 header, one from my IP address at home, and one which is the IP
 address of my qmail server.

There's nothing unusual about that. You sent an email to gmail, your
server added a header and gmail added a header


Re: whitelist_from and whitelst_from_rcvd

2010-03-15 Thread Ron

Hi Sir,

Please see inline. Thank You


On 3/16/2010 12:05 AM, RW wrote:

On Mon, 15 Mar 2010 21:43:03 +0800
Ronnha...@gmail.com  wrote:


Hi All,

Newbie here, i have a qmail server, and i installed
qmail-scanner+clav+spamassassin. I'm trying to allow all my users
using whitelist_from but filter spoofed e-mail address using
whitelist_from_rcvd.


Whitelist rules whitelist, they don't filter.


Not sure If i'm following the manual correctly, but here's what on
local.cf

internal_networks 202.79.221.135
trusted_networks 202.79.221.135
whitelist_from *...@imagetransforms.com
whitelist_from_rcvd *...@imagetransforms.com mail.pinoyonthego.net


This last line means whitelist *...@imagetransforms.com if it's received
into your internal network from mail.pinoyonthego.net.

mail.pinoyonthego.net isn't going to receive from mail.pinoyonthego.net
so that wont work. And in any case your server is called
ip135.silverbackasp.com since whitelist_from_rcvd uses reverse dns.



does this mean i have to add reverse DNS of IP address of my users where 
they send the mail from? does it also mean since they are on dynamic IP 
i won't be able to use this command?





but with that config, i'm still receiving spam e-mail with spoofed
e-mail address, so i tried removing whitelist_from
*...@imagetransforms.com and retained whitelist_from_rcvd, but when i
send an e-mail i'm getting denied because my email was tagged as spam.


Why is your outgoing mail identified as spam? Do you even want to be
scanning this?


i think the only way to not scan outgoing mails in qmail is to add the 
users IP address to /etc/tcp.smtp, unfortunately my users are on dynamic 
IP that i cannot add it one by one.





another thing i'm confused is that there 2 Received From on the
header, one from my IP address at home, and one which is the IP
address of my qmail server.


There's nothing unusual about that. You sent an email to gmail, your
server added a header and gmail added a header



Re: whitelist_from and whitelst_from_rcvd

2010-03-15 Thread John Hardin

On Mon, 15 Mar 2010, Ron wrote:


whitelist_from *...@imagetransforms.com


Do not do this.

The From: address is trivially easy to spoof. You should not trust it to 
this degree.


whitelist_from should only be used in unusual situations, when you know 
exactly why one of the other whitelist options won't work.




Re: whitelist_from and whitelst_from_rcvd

2010-03-15 Thread John Hardin

On Tue, 16 Mar 2010, Ron wrote:

i think the only way to not scan outgoing mails in qmail is to add the 
users IP address to /etc/tcp.smtp, unfortunately my users are on dynamic 
IP that i cannot add it one by one.


Are you authenticating your users in any way? There are ways to whitelist 
users who have authenticated against your MTA. Please check the list 
archives and the Wiki.




Re: whitelist_from questions

2009-07-27 Thread John Wilcock

Le 26/07/2009 04:00, McDonald, Dan a écrit :

 From: Robert [mailto:list...@abbacomm.net]
  There are no doubt lots of ways, but how about:
 
  egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' |
  xargs dig | grep v=spf1

 what is this supposed to do?

select all of your whitelist_from entries, parse out the domain part,
dig the TXT record for each domain, then display only the ones that have
a v=spf1 notation.  That would give you a list of all of the domains in
your whitelist_from that could be migrated to whitelist_from_spf


... provided, as Matus pointed out, all your whitelist_from entries are 
nicely formatted one address per line, and provided you don't have any 
domain wildcards. If those two conditions aren't met then you'll have to 
do some extra mangling to extract the domains properly. It also only 
looks for TXT RRs, so if any of the target domains are using only SPF 
RRs it won't find them.


John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr
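
An added example (not code from any poster in this thread) of the "extra mangling" described above: it takes the domains from plain whitelist_from lines, copes with several addresses per line, sets wildcard or malformed domain parts aside for manual review, and reports which domains publish a v=spf1 TXT record. The sample local.cf, the constructed TXT answers and all function names are assumptions made for the illustration; only TXT is queried, so domains publishing only an SPF RR are reported as having none.

```python
import subprocess
import sys

# Constructed sample local.cf, used only to illustrate the parsing.
SAMPLE_LOCAL_CF = """\
# trusted business contacts
whitelist_from alice@example.com bob@example.org
whitelist_from *@partner.example.net   # whole domain
whitelist_from *@*.wild.example
whitelist_from example.invalid
whitelist_from_rcvd carol@example.com example.com
whitelist_from_spf dave@spf-already.example
  whitelist_from  ALICE@Example.COM
"""

# Constructed TXT answers so the demo runs without network access.
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 mx -all"],
    "example.org": ["some-verification=abc123"],
    "partner.example.net": ["v=spf10 not-spf",
                            "V=SPF1 include:_spf.partner.example.net ~all"],
}


def whitelist_from_domains(config_text):
    """Return (sorted unique domains, entries needing manual review)."""
    domains, manual = set(), []
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Exact keyword match, so whitelist_from_rcvd/_spf lines are ignored.
        if not fields or fields[0] != "whitelist_from":
            continue
        for addr in fields[1:]:          # more than one address per line
            _, at, domain = addr.rpartition("@")
            if not at or not domain or "*" in domain or "?" in domain:
                manual.append(addr)      # wildcard or malformed domain part
            else:
                domains.add(domain.lower())
    return sorted(domains), manual


def dig_txt(domain):
    """Real resolver (assumes dig is installed): TXT strings for a domain."""
    result = subprocess.run(["dig", "+short", "TXT", domain],
                            capture_output=True, text=True, timeout=15)
    # dig prints each record as one or more quoted chunks; join the chunks.
    return [line.strip().replace('" "', "").strip('"')
            for line in result.stdout.splitlines() if line.strip()]


def has_spf(txt_records):
    """True if any TXT record's first token is exactly v=spf1."""
    return any(r.lower().split()[:1] == ["v=spf1"] for r in txt_records)


def spf_migration_report(config_text, lookup_txt=dig_txt):
    """Sort whitelist_from domains into spf / no_spf / manual review."""
    domains, manual = whitelist_from_domains(config_text)
    with_spf = [d for d in domains if has_spf(lookup_txt(d))]
    without = [d for d in domains if d not in with_spf]
    return {"spf": with_spf, "no_spf": without, "manual": manual}


if __name__ == "__main__":
    if len(sys.argv) > 1:                # real file, real DNS lookups
        with open(sys.argv[1]) as fh:
            report = spf_migration_report(fh.read())
    else:                                # offline demo on constructed data
        report = spf_migration_report(
            SAMPLE_LOCAL_CF, lambda d: CONSTRUCTED_TXT.get(d, []))
    for key, items in report.items():
        print(key + ":", *items)
```

Entries listed under "manual" are the wildcard cases that scripting cannot settle; the "spf" list is the set of candidates for whitelist_from_spf.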


Re: whitelist_from questions

2009-07-27 Thread MySQL Student
Hi,

I'm looking an email that appears to be one of the users from the
whitelist, but instead was from:

   From probesqt...@segunitb1.freeserve.co.uk  Mon Jul 27 19:49:19 2009

Why can't a comparison be made between the From: info and the actual
sender? Is this because of virtual domains and/or users?

Thanks,
Alex


Re: whitelist_from questions

2009-07-27 Thread Matt Kettler
MySQL Student wrote:
 Hi,

 I'm looking an email that appears to be one of the users from the
 whitelist, but instead was from:

From probesqt...@segunitb1.freeserve.co.uk  Mon Jul 27 19:49:19 2009

 Why can't a comparison be made between the From: info and the actual
 sender? Is this because of virtual domains and/or users?
   
It's not done because this mismatch happens for nearly every mailing
list in existence (including this one).

Every message you get from this mailing list is From: the poster, but
the envelope is from the apache list server's bounce handler.

The To: header and Rcpt to: mismatch for similar reasons (To: will be
the list, but RCPT TO will be your mailbox).







Re: whitelist_from questions

2009-07-25 Thread Matus UHLAR - fantomas
On 25.07.09 01:25, jida...@jidanni.org wrote:
 Actually there should be one or two more whitelists, so one can e.g., score
 -100 one's friends
 -10  one's schools
 -1   one's country

we still have def_whitelist_* with score of -15.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest. 


RE: whitelist_from questions

2009-07-25 Thread Robert
 

 There are no doubt lots of ways, but how about:
 
 egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' |
 xargs dig | grep v=spf1
 
 John.

john,

what is this supposed to do?

 - rh



RE: whitelist_from questions

2009-07-25 Thread McDonald, Dan
From: Robert [mailto:list...@abbacomm.net]
 There are no doubt lots of ways, but how about:
 
 egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' |
 xargs dig | grep v=spf1

what is this supposed to do?

select all of your whitelist_from entries, parse out the domain part, dig the 
TXT record for each domain, then display only the ones that have a v=spf1 
notation.  That would give you a list of all of the domains in your 
whitelist_from that could be migrated to whitelist_from_spf





Re: whitelist_from questions

2009-07-24 Thread John Wilcock

Le 24/07/2009 04:09, MySQL Student a écrit :

I don't doubt that if we removed a substantial amount of them that SA
would do what's right, but there doesn't seem to be any scientific way
to do that successfully.


Can't you just look at the scores that the whitelisted messages are 
getting and see whether any would be close to being considered as spam 
without the -100 of the whitelist? [How best to do that depends on how 
you've integrated spamassassin into your mail setup, but grepping 
through logs ought to do it in most cases].


And perhaps a few carefully-chosen negative-scoring rules (for words or 
phrases common to your customer's business) might be a far more 
effective way of handling the rest.



Is there a way to script that for the 1000 or so entries, to see which
have SPF records?


There are no doubt lots of ways, but how about:

egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' |
xargs dig | grep v=spf1


John.



Re: whitelist_from questions

2009-07-24 Thread Matus UHLAR - fantomas
 Le 24/07/2009 04:09, MySQL Student a écrit :
 I don't doubt that if we removed a substantial amount of them that SA
 would do what's right, but there doesn't seem to be any scientific way
 to do that successfully.

 Can't you just look at the scores that the whitelisted messages are  
 getting and see whether any would be close to being considered as spam  
 without the -100 of the whitelist? [How best to do that depends on how  
 you've integrated spamassassin into your mail setup, but grepping  
 through logs ought to do it in most cases].

 And perhaps a few carefully-chosen negative-scoring rules (for words or  
 phrases common to your customer's business) might be a far more  
 effective way of handling the rest.

 Is there a way to script that for the 1000 or so entries, to see which
 have SPF records?

 There are no doubt lots of ways, but how about:

On 24.07.09 08:58, John Wilcock wrote:
 egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' |
 xargs dig | grep v=spf1

well
- addresses can contain wildcards
- more addresses can be at one line
- SPF records should be checked before TXT

the first issue is hard to avoid by scripting, others can be solved.



Re: whitelist_from questions

2009-07-24 Thread jidanni
Actually there should be one or two more whitelists, so one can e.g., score
-100 one's friends
-10  one's schools
-1   one's country


Re: whitelist_from questions

2009-07-24 Thread Greg Troxel

jida...@jidanni.org writes:

 Actually there should be one or two more whitelists, so one can e.g., score
 -100 one's friends
 -10  one's schools
 -1   one's country

I have long wanted to be able to 

whitelist_from f...@bar -3.0

to have per-entry scores.  Obviously though I haven't wanted it enough
to write the code.




Re: whitelist_from questions

2009-07-24 Thread John Hardin

On Fri, 24 Jul 2009, Greg Troxel wrote:


I have long wanted to be able to

whitelist_from f...@bar -3.0

to have per-entry scores.  Obviously though I haven't wanted it enough 
to write the code.


How does this not work?

  header WL_FROM_FOO   From =~ /\bf...@bar/i
  score  WL_FROM_FOO   -3.00



Re: whitelist_from questions

2009-07-24 Thread Greg Troxel

John Hardin jhar...@impsec.org writes:

 On Fri, 24 Jul 2009, Greg Troxel wrote:

 I have long wanted to be able to

 whitelist_from f...@bar -3.0

 to have per-entry scores.  Obviously though I haven't wanted it
 enough to write the code.

 How does this not work?

   header WL_FROM_FOO   From =~ /\bf...@bar/i
   score  WL_FROM_FOO   -3.00

It does, but doesn't it require allowing user rules?  Plus, it's two
lines for each whitelist_from_score entry, with a magic regexp.




Re: whitelist_from questions

2009-07-24 Thread John Hardin

On Fri, 24 Jul 2009, Greg Troxel wrote:


John Hardin jhar...@impsec.org writes:


On Fri, 24 Jul 2009, Greg Troxel wrote:


I have long wanted to be able to

whitelist_from f...@bar -3.0

to have per-entry scores.  Obviously though I haven't wanted it
enough to write the code.


How does this not work?

  header WL_FROM_FOO   From =~ /\bf...@bar/i
  score  WL_FROM_FOO   -3.00


It does, but doesn't it require allowing user rules?


Yeah, but that requirement wasn't specified. Sorry.

Plus, it's two lines for each whitelist_from_score entry, with a magic 
regexp.


Yeah, the whitelist_* do a lot of magic in the background. This would get 
hard to manage for more than a few entries. I was assuming you only wanted 
to do a few.




Re: whitelist_from questions

2009-07-24 Thread Karsten Bräckelmann
On Fri, 2009-07-24 at 11:57 -0700, John Hardin wrote:
 On Fri, 24 Jul 2009, Greg Troxel wrote:

I have long wanted to be able to
   
whitelist_from f...@bar -3.0
   
to have per-entry scores.  Obviously though I haven't wanted it
enough to write the code.

First of all -- I don't like the term whitelist in this context. What's
being discussed is a small, almost marginal adjustment to the score.
Using whitelist for anything that low (even -1 has been mentioned
previously) is just watering down the definition.

That said, something like the above might be useful in some cases. Not
that I ever felt the need for it, but still.

Also, there are custom plugins [1] out there, which provide similar or
related functionality -- and even are *much* easier to maintain for
*users*, than the user_prefs.

See the Addressbook and LDAPfilter plugins. The latter even mentions
support for per-domain listings.

However, I strongly agree with a note in the Addressbook plugin's
description. This doesn't really work for all addresses (unless rcvd or
auth constrained, sic!). It is a common spammer pattern to send From
forged address A, to Recipient A, B and C at the same domain. Thus,
giving negative scores to your family, friends or co-workers is in some
cases likely to result in FNs.


Anyway, I hope everyone who really needs and uses whitelisting, also has
the ShortCircuit plugin enabled. If you deliberately WHITE-list, why
waste more cycles on the mail?


[1] http://wiki.apache.org/spamassassin/CustomPlugins

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: whitelist_from questions

2009-07-24 Thread Benny Pedersen

On Fri, July 24, 2009 20:10, John Hardin wrote:
 On Fri, 24 Jul 2009, Greg Troxel wrote:
 I have long wanted to be able to
 whitelist_from f...@bar -3.0
 to have per-entry scores.  Obviously though I haven't wanted it enough
 to write the code.
 How does this not work?
header WL_FROM_FOO   From =~ /\bf...@bar/i
score  WL_FROM_FOO   -3.00

another example:

whitelist_from_spf f...@bar -3.0

only give -3.0 if spf pass

or

whitelist_from_dkim f...@bar -3.0

same for dkim

or both

whitelist_from_auth f...@bar -3.0

i still wonder why so many dont care more about forged senders :(


good such bad plugin does not exists, its bad enough that whitelist_from does

-- 
xpoint



Re: whitelist_from questions

2009-07-23 Thread John Wilcock

Le 22/07/2009 17:48, MySQL Student a écrit :

So, forever I have been using whitelist_from and have probably a
thousand entries.


Firstly, before you convert all these to whitelist_from_rcvd, perhaps 
you ought to ask yourself whether you really need 1000 entries on your 
whitelist. Does mail from these addresses actually get miscategorised as 
spam, or would SA get it right without the whitelist?


Secondly, don't forget about whitelist_from_spf. If a domain has an SPF 
record, this is a better solution than whitelist_from_rcvd as it avoids 
the need for *you* to work out which are the outgoing servers.


Lastly, if you do use whitelist_from_rcvd, remember that there may be 
multiple outgoing servers for a given domain, and worse they may change 
over time.


John.



Re: whitelist_from questions

2009-07-23 Thread MySQL Student
Hi,

 Firstly, before you convert all these to whitelist_from_rcvd, perhaps you
 ought to ask yourself whether you really need 1000 entries on your
 whitelist.

I'm surprised you were the first to make that very comment, so thanks.

 Does mail from these addresses actually get miscategorised as
 spam, or would SA get it right without the whitelist?

Mail was being tagged as spam, and the organization became concerned
that others would be tagged, so it seemed anytime there was a
high-profile external business contact that they couldn't risk being
tagged, they had it added to the whitelist.

The list used to be much larger until we spent quite a while (months
and months) going through it with them to prune it.

I don't doubt that if we removed a substantial amount of them that SA
would do what's right, but there doesn't seem to be any scientific way
to do that successfully.

 Secondly, don't forget about whitelist_from_spf. If a domain has an SPF
 record, this is a better solution than whitelist_from_rcvd as it avoids the
 need for *you* to work out which are the outgoing servers.

Is there a way to script that for the 1000 or so entries, to see which
have SPF records?

 Lastly, if you do use whitelist_from_rcvd, remember that there may be
 multiple outgoing servers for a given domain, and worse they may change over
 time.

Yeah, I thought of that too, so it doesn't sound like that's going to
work well here.

Thanks,
Alex


Re: whitelist_from questions

2009-07-22 Thread Bowie Bailey

MySQL Student wrote:

Hi all,

Some time ago someone had mentioned to never use whitelist_from but
instead use whitelist_from_rcvd. Where is whitelist_from_rcvd
documented? It doesn't appear in the SA docs in the same place that
whitelist_from is listed.

So, forever I have been using whitelist_from and have probably a
thousand entries. Given that it doesn't appear to be well documented,
Is it okay to do a one-to-one translation of my whitelist_from rules
to whitelist_from_rcvd?

Do these entries have to be in local.cf, or can I create a
whitelist_from.cf file to place them in?

Thanks,
Alex
  


It is documented on the Mail::SpamAssassin::Conf man page just like 
whitelist_from.


--
whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
Use this to supplement the whitelist_from addresses with a check against 
the Received headers. The first parameter is the

address to whitelist, and the second is a string to match the relay’s rDNS.

This string is matched against the reverse DNS lookup used during the 
handover from the internet to your internal network’s
mail exchangers. It can either be the full hostname, or the domain 
component of that hostname. In other words, if the
host that connected to your MX had an IP address that mapped to 
’sendinghost.spamassassin.org’, you should specify send-

inghost.spamassassin.org or just spamassassin.org here.

Note that this requires that internal_networks be correct. For simple 
cases, it will be, but for a complex network you

may get better results by setting that parameter.

It also requires that your mail exchangers be configured to perform DNS 
reverse lookups on the connecting host’s IP

address, and to record the result in the generated Received: header.

e.g.

whitelist_from_rcvd j...@example.com example.com
whitelist_from_rcvd *...@axkit.org sergeant.org
--

You can't just do a simple switch from one to another. You have to look 
at each address and determine where the mail will be coming from. This 
way you are only whitelisting mail from that address if it comes from 
the correct servers.


You can also use whitelist_auth (described a bit further down on the 
same man page) to whitelist addresses from domains that use SPF, Domain 
Keys, or DKIM, assuming you have the SPF and DKIM Perl modules installed 
(I'm too lazy to look up the module names at the moment).


--
Bowie
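
A simplified model of the man page text quoted above, added here as an illustration and not SpamAssassin's own code: whitelist_from looks only at the sender address, while whitelist_from_rcvd also requires the relay's rDNS to be the given hostname or a host inside the given domain. The message dictionaries are constructed; "relay_rdns" is assumed to be the reverse DNS name your MX recorded in its Received: header for the connecting host.

```python
import re


def glob_match(glob, address):
    """Match an address against a whitelist glob (* and ? only), any case."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in glob)
    return re.fullmatch(pattern, address, re.IGNORECASE) is not None


def rdns_match(wanted, relay_rdns):
    """True if relay_rdns is `wanted` itself or a host inside domain `wanted`."""
    if not relay_rdns:                   # the MX recorded no reverse DNS name
        return False
    wanted = wanted.lower().rstrip(".")
    relay_rdns = relay_rdns.lower().rstrip(".")
    # Require a label boundary so notexample.com never passes for example.com.
    return relay_rdns == wanted or relay_rdns.endswith("." + wanted)


def whitelist_from(entries, msg):
    """entries: list of address globs. Only the From address is checked."""
    return any(glob_match(g, msg["from"]) for g in entries)


def whitelist_from_rcvd(entries, msg):
    """entries: list of (address glob, rDNS string) pairs; both must match."""
    return any(glob_match(g, msg["from"]) and rdns_match(d, msg["relay_rdns"])
               for g, d in entries)


# Constructed messages: same From address, different handing-over relays.
MESSAGES = {
    "genuine":   {"from": "jo@example.com", "relay_rdns": "mail.example.com"},
    "spoofed":   {"from": "jo@example.com",
                  "relay_rdns": "host7.dynamic.example.net"},
    "lookalike": {"from": "jo@example.com",
                  "relay_rdns": "mail.notexample.com"},
    "no_rdns":   {"from": "jo@example.com", "relay_rdns": ""},
    "other":     {"from": "sam@example.org", "relay_rdns": "mail.example.com"},
}


def evaluate(messages=MESSAGES):
    """Return {name: (whitelist_from hit, whitelist_from_rcvd hit)}."""
    plain = ["*@example.com"]
    rcvd = [("*@example.com", "example.com")]
    return {name: (whitelist_from(plain, m), whitelist_from_rcvd(rcvd, m))
            for name, m in messages.items()}


if __name__ == "__main__":
    for name, (by_from, by_rcvd) in evaluate().items():
        print(f"{name:10} whitelist_from={by_from!s:5} "
              f"whitelist_from_rcvd={by_rcvd}")
```

Every message claiming the whitelisted From address hits the plain whitelist_from entry; only the one handed over by a relay under example.com hits the whitelist_from_rcvd entry, and a message whose relay has no recorded rDNS never does.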


Re: whitelist_from questions

2009-07-22 Thread MySQL Student
 It is documented on the Mail::SpamAssassin::Conf man page just like
 whitelist_from.

Ugh, thanks.

 whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
 Use this to supplement the whitelist_from addresses with a check against the
 Received headers. The first parameter is the
 address to whitelist, and the second is a string to match the relay’s rDNS.

Okay, so for example if I was going to whitelist j...@orbitz.com, the
appropriate line would be:

whitelist_from_rcvd j...@orbitz.com psmtp.com

psmtp.com is the domain that controls mail for orbitz, according to
the MX records.

Thanks,
Alex


Re: whitelist_from questions

2009-07-22 Thread Jari Fredriksson
 It is documented on the Mail::SpamAssassin::Conf man
 page just like whitelist_from.
 
 Ugh, thanks.
 
 whitelist_from_rcvd a...@lists.sourceforge.net
 sourceforge.net 
 Use this to supplement the whitelist_from addresses with
 a check against the Received headers. The first
 parameter is the 
 address to whitelist, and the second is a string to
 match the relay’s rDNS. 
 
 Okay, so for example if I was going to whitelist
 j...@orbitz.com, the appropriate line would be:
 
 whitelist_from_rcvd j...@orbitz.com psmtp.com
 
 psmtp.com is the domain that controls mail for orbitz,
 according to the MX records.
 

psmtp.com may well, or may not handle their outgoing mail. MX records do not 
tell that. Often they are the same, but not necessarily always.

You ought to look at the headers of a received email and see where it came from.
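The check discussed in the messages above, as an added example that is not part of the original posts and is not SpamAssassin's own code: a simplified model of how a whitelist_from_rcvd entry is compared with the rDNS name your MX recorded in its Received: header. The Postfix-style header layout, all host names, addresses and the function names are constructed for illustration.

```python
import re

# Postfix-style Received clause: "from HELO (rDNS [IP])". Postfix writes
# "unknown" in the rDNS slot when the reverse lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

# Constructed sample headers, as written by the receiving MX (assumption).
GENUINE = ("from out1.sender.example (out1.sender.example [192.0.2.10]) "
           "by mx.recipient.example (Postfix) with ESMTP id 4F1A2")
LOOKALIKE = ("from sender.example (host.notsender.example [198.51.100.7]) "
             "by mx.recipient.example (Postfix) with ESMTP id 4F1A3")
NO_RDNS = ("from pc1 (unknown [203.0.113.23]) "
           "by mx.recipient.example (Postfix) with ESMTP id 4F1A4")


def relay_rdns(received):
    """Return the rDNS name the MX recorded for the connecting host, or None."""
    m = RECEIVED_RE.search(received)
    if m is None:
        return None
    rdns = m.group("rdns").lower()
    return None if rdns == "unknown" else rdns


def addr_glob_matches(address, glob):
    """Match an address against a whitelist glob ('*' and '?' wildcards)."""
    pattern = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, address, re.IGNORECASE) is not None


def rdns_matches(rdns, wanted):
    """True if rdns is the wanted hostname or a host inside that domain.

    The comparison is anchored on a label boundary, so
    'host.notsender.example' does not satisfy 'sender.example'.
    """
    wanted = wanted.lower().lstrip(".")
    return rdns == wanted or rdns.endswith("." + wanted)


def whitelist_from_hit(sender, entry_addr):
    """Plain whitelist_from: only the (forgeable) sender address is checked."""
    return addr_glob_matches(sender, entry_addr)


def whitelist_from_rcvd_hit(sender, received, entry_addr, entry_rdns):
    """whitelist_from_rcvd: the address AND the relay's rDNS must both match."""
    rdns = relay_rdns(received)
    if rdns is None:          # no reverse DNS recorded: the entry cannot match
        return False
    return addr_glob_matches(sender, entry_addr) and rdns_matches(rdns, entry_rdns)


if __name__ == "__main__":
    sender, addr = "news@sender.example", "*@sender.example"
    for label, hdr in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("no rDNS", NO_RDNS)):
        print(label,
              "whitelist_from:", whitelist_from_hit(sender, addr),
              "whitelist_from_rcvd:",
              whitelist_from_rcvd_hit(sender, hdr, addr, "sender.example"))
    # An entry built from the MX provider's domain instead of the relay that
    # actually sends the mail never matches the genuine message.
    print("MX-based entry:",
          whitelist_from_rcvd_hit(sender, GENUINE, addr, "mx-filter.example"))
```

The second argument of an entry has to come from the Received: header of a real message from that sender, which is why the MX-based entry in the last line fails.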




RE: Whitelist_From Woes

2009-05-13 Thread Peter P. Benac
 
 
/var/log/maillog output:

May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from
63.93.193.30 (a...@easymatch.com) to saintjoe.edu is
spam, SpamAssassin (not cached, score=68.739, required 4, AWL -33.17,
BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00,
NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00,
USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43) 
-
 
Not trying to be rude here Mike, but your log entry actually answers your
question.

After all the scores are totaled you still have a score of 68.739 and you
only allow 4. Seems to me you need to get the other issues fixed like
going through the RE_PASSWORD filter twice.
Regards,
Pete
 

To have principles...
 First have courage.. With principles comes integrity!!! 
 


Re: Whitelist_From Woes

2009-05-13 Thread Kevin Parris
Well maybe you should figure out what is going on with these two: RE_PASSWORD 
100.00, RE_PASSWORDV 100.00
since your choice of -100 (it is not a magic pass value, just another factor 
in the arithmetic) for your manual whitelist only counteracts one of them ... 
or run your manual whitelist score to an even larger value.  In other words, 
you are apparently NOT having a problem getting the domain whitelisted - you 
are having a problem fully balancing the effects of spammy-ness elements in 
their mail.

 Michael Lyon mjl...@gmail.com 05/13/09 12:16 PM 
We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron.

I'm having problems getting a domain whitelisted.  Previously, adding
domains to be whitelisted simply meant adding a whitelist_from *...@domain.com
to my /opt/MailScanner/etc/spam.assassin.prefs.conf file.

Now, however, my maillog shows the messages as being marked as spam.
Yesterday, I added a spam.whitelist.rules, which takes -100 down from the
score, but the message is still marked as spam and not delivered:

/var/log/maillog output:

May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from
63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin (not
cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00,
FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, NO_REAL_NAME
0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, USER_IN_WHITELIST -100.00,
X_PRIORITY_HIGH 0.43)

SO...I see the USER_IN_WHITELIST -100 score, but it never is delivered...

Thoughts?

Thanks,

Mike



Re: Whitelist_From Woes

2009-05-13 Thread Karsten Bräckelmann
On Wed, 2009-05-13 at 11:16 -0500, Michael Lyon wrote:
 We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron.  

I suggest upgrading. That's quite ancient...

 I'm having problems getting a domain whitelisted.  Previously, adding
 domains to be whitelisted simply meant adding a whitelist_from
 *...@domain.com to my
 /opt/MailScanner/etc/spam.assassin.prefs.conf file.
 
 Now, however, my maillog shows the messages as being marked as spam.
 Yesterday, I added a spam.whitelist.rules, which takes -100 down from
 the score, but the message is still marked as spam and not delivered:
 
 /var/log/maillog output:
 
 May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779
 from 63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam,
 SpamAssassin (not cached, score=68.739, required 4, AWL -33.17,
 BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE
 0.00, NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00,
 USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43) 
 
 SO...I see the USER_IN_WHITELIST -100 score, but it never is
 delivered...

As Peter said, your whitelist_from works just as expected. The issue is
with *your* custom password rules, both scoring a whopping 100. So the
solution is to fix these rules.

Some more notes:  It's generally better to use whitelist_from_rcvd if
possible, and use that unconstrained one only as a last resort. Also,
your custom rules' scores are *way* too high, unless you seriously want
them to act as a kill-switch. In that case, they did as the score asked
for.

And of course, after fixing the custom rules, you will need to correct
(or drop) the AWL entry for that address. As you can see, AWL even tried
to rescue the email, lowering the score significantly. However, as one
can see, too, the average already is quite high (due to triggering the
password rules in the past), so that AWL will *add* points next time
(without tripping over your password rules), unless cleaned.

  guenther


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Whitelist_From Woes

2009-05-13 Thread Karsten Bräckelmann
Please always keep threads on-list by replying to list. I am not the
only one, who can help you.


On Wed, 2009-05-13 at 11:57 -0500, Michael Lyon wrote:
 But...how do I remove an autowhitelist entry for just one user?  I
 have a rule that was duplicated and causing me problems (It was to
 prevent the Verify your password scams).

See the options concerning the persistent address list in man
spamassassin-run, in particular --remove-addr-from-whitelist.

 Now, I have just one of the Verify rules...I'd like to keep it at 100
 so as to not ever let them get through, but the auto-whitelist score
 is pushing it back to Spam.

Exactly what I predicted. Thus, remove that address from the AWL
persistent address list database.

 I'd like to not AWL just the one domain if possible.

Not possible. The AWL actually is just a historical score averager. In
your case poisoned for that one address, fed with bad scores due to the
custom password rules going berserk. Just correct that incident.

Also, have a look here.
  http://wiki.apache.org/spamassassin/AutoWhitelist


Apart from that, I strongly suggest revisiting your password rule(s).
Obviously, they are hitting on mail they shouldn't, so they are too
broad. Also, I still suggest lowering that score.

Regarding the whitelisting: You aren't whitelisting your *own* domain,
are you? That's a bad idea. Definitely unless using the variants with
additional constraints, like whitelist_from_rcvd.

  guenther


[ useless full-quote including sig snipped ]

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
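The arithmetic behind the two replies above (the -100 whitelist score being "just another factor", and the AWL first lowering and later raising the score), as an added example that is not part of the original posts. It parses the MailScanner log line quoted in the thread and assumes the AWL adjustment is (historical mean - current score) * auto_whitelist_factor with the default factor 0.5; the function names are hypothetical, and the projection reuses the inferred mean even though the stored mean also absorbs this message.

```python
import re

# Log line quoted in the thread, joined onto one line (address elided as on the page).
LOG_LINE = (
    "May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from "
    "63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin "
    "(not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, "
    "FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, NO_REAL_NAME "
    "0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, USER_IN_WHITELIST -100.00, "
    "X_PRIORITY_HIGH 0.43)"
)

AWL_FACTOR = 0.5  # assumption: default auto_whitelist_factor

REPORT_RE = re.compile(
    r"score=(?P<score>-?[\d.]+), required (?P<required>-?[\d.]+), (?P<rules>.*)\)\s*$"
)


def parse_report(line):
    """Return (reported score, required score, {rule: score}) from the log line."""
    m = REPORT_RE.search(line)
    if m is None:
        raise ValueError("no SpamAssassin report found in log line")
    rules = {}
    for item in m.group("rules").split(", "):
        name, value = item.rsplit(" ", 1)
        rules[name] = float(value)
    return float(m.group("score")), float(m.group("required")), rules


def awl_delta(mean, score, factor=AWL_FACTOR):
    """AWL pulls the current score part of the way towards the sender's mean."""
    return (mean - score) * factor


def explain(line):
    """Split the total into rule hits and AWL, and infer the sender's AWL mean."""
    reported, required, rules = parse_report(line)
    awl = rules.pop("AWL", 0.0)
    before_awl = sum(rules.values())
    return {
        "reported": reported,
        "required": required,
        "rules": rules,                       # rule hits without AWL
        "awl": awl,
        "before_awl": before_awl,
        "mean": before_awl + awl / AWL_FACTOR,  # invert awl_delta()
    }


def project(rules, mean, drop=()):
    """Score a later message that hits the same rules except those in `drop`."""
    score = sum(v for k, v in rules.items() if k not in drop)
    delta = awl_delta(mean, score)
    return score, delta, score + delta


if __name__ == "__main__":
    r = explain(LOG_LINE)
    print("rule hits %.2f + AWL %.2f = %.2f (required %.0f)"
          % (r["before_awl"], r["awl"], r["before_awl"] + r["awl"], r["required"]))
    print("inferred AWL mean for this sender: %.2f" % r["mean"])
    # Assumption: RE_PASSWORDV is the duplicated rule that gets removed.
    for drop in (("RE_PASSWORDV",), ("RE_PASSWORD", "RE_PASSWORDV")):
        score, delta, final = project(r["rules"], r["mean"], drop)
        verdict = "spam" if final >= r["required"] else "ham"
        print("without %s: %.2f %+.2f AWL = %.2f -> %s"
              % ("+".join(drop), score, delta, final, verdict))
```

With one 100-point rule still hitting, the rules alone total 1.90, below the threshold of 4, and it is the AWL correction towards the poisoned mean that tags the message as spam again.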



Re: whitelist_from not working

2008-10-29 Thread Matus UHLAR - fantomas
On 29.10.08 17:18, Nelson Serafica wrote:
 I'm using spamassassin 3.2.5. Now, I must a whitelist_from containing *@
 foo.com in my local.cf.
 
 However, there are still 1 email that has been tagged as spam. 

Only one? show the headers or upload it somewhere..

 In my understanding, if a domain was in whitelist_from, even if it was
 tagged as spam, it will delivered to the recipient.

No, It will have -100 points added, so it should get classified as not spam
(ham). It seems does not work.

 I restart the spamd after I edit
 local.cf so it must take effect.
 
 Is this the right way to whitelist? As I check, when using 3.2.5, this is
 the right way of whitelisting a domain.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 


Re: whitelist_from not working

2008-10-29 Thread Benny Pedersen

On Wed, October 29, 2008 10:18, Nelson Serafica wrote:

 Is this the right way to whitelist? As I check, when using 3.2.5, this is
 the right way of whitelisting a domain.

the more i hear about whitelist_from the more i want to make a bug on it,
whitelist_from should imho never have been implemented

use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, whitelist_from_rcvd

see perldocs how to make this

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: whitelist_from not working

2008-10-29 Thread Matt Kettler
Nelson Serafica wrote:
 I'm using spamassassin 3.2.5. Now, I must a
 whitelist_from containing [EMAIL PROTECTED] in my local.cf.

 However, there are still 1 email that has been tagged as spam. In my
 understanding, if a domain was in whitelist_from, even if it was
 tagged as spam, it will delivered to the recipient.
First, be aware that SpamAssassin itself does not directly cause
messages to be deleted, rejected, or otherwise alter delivery.
SpamAssassin itself *ONLY* tags. The way it inserts itself into the mail
chain is very flexible, but gives SA no direct power over message
delivery, so tagging is the only thing it can possibly do. If it were to
try to delete the message, most mail tools would assume SA had crashed
and recover the original, unscanned message and deliver that.

Therefore, there is nothing in the SpamAssassin configuration that can
cause a message to be delivered even if it is tagged as spam. SA can
only tag, or not tag. whitelist_from causes messages to be hit with a
-100 point rule named USER_IN_WHITELIST. This large negative score makes
it more-or-less impossible for the message to be tagged as spam. Pretty
much the only way to get SA to tag it when matching a whitelist would be
to put a GTUBE test signature into the message.

Your previously posted example was working perfectly, in that the
whitelist configuration caused SA to match USER_IN_WHITELIST, which
generated a hugely negative score, and therefore was not tagged as spam.
That's exactly what it should do.

If you've got something else that deletes mail when SA tags messages,
then that is the tool you'd need to configure if you want the message to
get tagged as spam, but still be delivered. Reconfiguring SA can't
change this, because SA doesn't (and in fact can't) delete the messages.

 I restart the spamd after I edit local.cf so it must
 take effect.

 Is this the right way to whitelist? As I check, when using 3.2.5, this
 is the right way of whitelisting a domain.
whitelist_from is never the right way to do anything. It is horribly
easy to forge. Use whitelist_from_rcvd, or preferably, whitelist in your
tools that call SA, bypassing it entirely and saving CPU time.





Re: whitelist_from not working

2008-10-29 Thread Matt Kettler
Benny Pedersen wrote:
 On Wed, October 29, 2008 10:18, Nelson Serafica wrote:

   
 Is this the right way to whitelist? As I check, when using 3.2.5, this is
 the right way of whitelisting a domain.
 

 the more i hear about whitelist_from the more i want to make a bug on it,
 whitelist_from should imho never have been implemented
   
Agreed. whitelist_from sucks. However, it's there as a method of
last-resort. There are some messages you can't whitelist in SA using any
other method. (ie: when the sender's server doesn't have reverse DNS).


 use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, 
 whitelist_from_rcvd

 see perldocs how to make this

   
Agreed, and the man Mail::SpamAssassin::Conf section on whitelist_from
(which should have been read in the first place) will tell you the same.




Re: whitelist_from not working

2008-10-29 Thread Henrik K
On Wed, Oct 29, 2008 at 08:24:25AM -0400, Matt Kettler wrote:

 There are some messages you can't whitelist in SA using any other method.
 (ie: when the sender's server doesn't have reverse DNS).

You can use trusted_networks + ALL_TRUSTED to whitelist. Given of course
that there aren't any dynamic IPs in the path.



Re: whitelist_from not working

2008-10-29 Thread Jeff Mincy
   From: Matt Kettler [EMAIL PROTECTED]
   Date: Wed, 29 Oct 2008 08:24:25 -0400
   
   Benny Pedersen wrote:
On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
   
  
Is this the right way to whitelist? As I check, when using 3.2.5, this is
the right way of whitelisting a domain.

   
the more i hear about whitelist_from the more i want to make a bug on it,
whitelist_from should imho never have been implemented
  
   Agreed. whitelist_from sucks. However, it's there as a method of
   last-resort. There are some messages you can't whitelist in SA using any
   other method. (ie: when the sender's server doesn't have reverse DNS).
   
Since whitelist_from is spoofable wouldn't it make sense to have
different scores assigned to whitelist_from and whitelist_from_rcvd?
Right now if an email is in either you get a hit on USER_IN_WHITELIST,
which is scored at a -100 by default.  So split out
USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

-jeff


Re: whitelist_from not working

2008-10-29 Thread Greg Troxel

Jeff Mincy [EMAIL PROTECTED] writes:

Agreed. whitelist_from sucks. However, it's there as a method of
last-resort. There are some messages you can't whitelist in SA using any
other method. (ie: when the sender's server doesn't have reverse DNS).

 Since whitelist_from is spoofable wouldn't it make sense to have
 different scores assigned to whitelist_from and whitelist_from_rcvd?
 Right now if an email is in either you get a hit on USER_IN_WHITELIST,
 which is scored at a -100 by default.  So split out
 USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

I use whitelist_from to be sure I whitelist mail from some people (not
part of my organization).  For those addreses, it's better to get FN on
spam than a single FP.  I don't know what IP addresses they use, and
they keep changing.  So the 'better' whitelist rules won't work.

I have sometimes wanted a way to give a per-rule score for whitelist
entries, instead of a fixed -100.  But not enough to implement it :-)






Re: whitelist_from not working

2008-10-29 Thread John Hardin

On Wed, 29 Oct 2008, Matt Kettler wrote:


Benny Pedersen wrote:


the more i hear about whitelist_from the more i want to make a bug on it,
whitelist_from should imho never have been implemented


Agreed. whitelist_from sucks. However, it's there as a method of 
last-resort. There are some messages you can't whitelist in SA using any 
other method. (ie: when the sender's server doesn't have reverse DNS).


I'm going to suggest again that, given how much pain it causes noobs, 
perhaps the use of whitelist_from should generate a lint _warning_ that it 
should only be used if no other whitelist method will work...


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 2 days until Halloween


Re: whitelist_from not working

2008-10-29 Thread Karsten Bräckelmann
On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
 I'm going to suggest again that, given how much pain it causes noobs, 
 perhaps the use of whitelist_from should generate a lint _warning_ that it 
 should only be used if no other whitelist method will work...

The thing with noobs and whitelist_from (according to my experience on
this list) appears to be a lack of reading. I got the impression most of
them just blindly whitelist_from their own domain to be on the safe
side, without any prior investigation and usually without any need.

I believe some of the recent threads like this clearly showed that SA
has been set up right before that, for the first time, and this is kind
of the very first customization...

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: whitelist_from not working

2008-10-29 Thread John Hardin

On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:


On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:

I'm going to suggest again that, given how much pain it causes noobs,
perhaps the use of whitelist_from should generate a lint _warning_ that it
should only be used if no other whitelist method will work...


The thing with noobs and whitelist_from (according to my experience on 
this list) appears to be a lack of reading. I got the impression most of 
them just blindly whitelist_from their own domain to be on the safe 
side, without any prior investigation and usually without any need.


Agreed, and if they aren't reading the documentation carefully enough to 
see the warnings about using whitelist_from, then they probably aren't 
running a lint either...


However, if emitting a warning in lint saves having some "why are spams 
hitting USER_IN_WHITELIST??" messages sent to the list, it's probably 
worth doing.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 2 days until Halloween

Re: whitelist_from not working

2008-10-29 Thread Karsten Bräckelmann
On Wed, 2008-10-29 at 11:15 -0700, John Hardin wrote:
 On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:

  The thing with noobs and whitelist_from (according to my experience on 
  this list) appears to be a lack of reading. I got the impression most of 
  them just blindly whitelist_from their own domain to be on the safe 
  side, without any prior investigation and usually without any need.
 
 Agreed, and if they aren't reading the documentation carefully enough to 
 see the warnings about using whitelist_from, then they probably aren't 
 running a lint either...
 
 However, if emitting a warning in lint saves having some why are spams 
 hitting USER_IN_WHITELIST?? messages sent to the list, it's probably 
 worth doing.

I'm not convinced this would help much, for the reason you mention in
your first paragraph. ;)  Also, this would be rather annoying for those
who use it legitimately [1] and know what they are doing.

What I am really wondering about is, *why* they set it in the first
place, and where they found out about this, without actually reading
much documentation.


The funny thing is, that quite a lot of the recent threads regarding
whitelist_from are not asking about spam slipping through, but the
opposite -- they are claiming that whitelisting does *not* work, despite
the setting.

  guenther


[1] Meh, this one was exceptionally hard to spell correctly. ;)

-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: whitelist_from not working

2008-10-29 Thread Matus UHLAR - fantomas
 On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
 I'm going to suggest again that, given how much pain it causes noobs,
 perhaps the use of whitelist_from should generate a lint _warning_ that it
 should only be used if no other whitelist method will work...

 On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:
 The thing with noobs and whitelist_from (according to my experience on 
 this list) appears to be a lack of reading. I got the impression most of 
 them just blindly whitelist_from their own domain to be on the safe 
 side, without any prior investigation and usually without any need.

On 29.10.08 11:15, John Hardin wrote:
 Agreed, and if they aren't reading the documentation carefully enough to 
 see the warnings about using whitelist_from, then they probably aren't 
 running a lint either...
 
 However, if emitting a warning in lint saves having some why are spams 
 hitting USER_IN_WHITELIST?? messages sent to the list, it's probably 
 worth doing.

Actually, it's completely safe to whitelist some domains, if your MTA does
the SPF check for you, and you expect no fails to pass for those domains...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: Whitelist_from dont work at all

2008-10-23 Thread Evan Platt

mathiasadsl wrote:

Hi,

I'm trying hard to make my whitelist_from work.
I want to whitelist my own domain (i know... it can be dangerous but it's
for testing purpose).

This is an example of unormaly tagged email:
  

unormaly ?

If you're trying to say your example isn't being whitelisted... It is.

X-Spam-Status: No, score=-96.7 required=5.0 
tests=AWL,DNS_FROM_SECURITYSAGE,  
DRUGS_STOCK_MIMEOLE,HTML_MESSAGE,RDNS_NONE,

USER_IN_WHITELIST

It scored -96.7.

Where's the problem?


Re: Whitelist_from dont work at all

2008-10-23 Thread Karsten Bräckelmann
On Thu, 2008-10-23 at 10:27 -0700, mathiasadsl wrote:
 I'm trying hard to make my whitelist_from work.
 I want to whitelist my own domain (i know... it can be dangerous but it's
 for testing purpose).

Yes, for production you should use whitelist_from_rcvd instead, if there
is a need for white-listing at all. Spammers like to pretend they are
you.
  http://wiki.apache.org/spamassassin/WhitelistingEverybody

Also have a look here:
  
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options


 This is my local.cf :
 # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
  ^
It's user_prefs actually.

 # (see spamassassin(1) for details)
 # These should be safe assumptions and allow for simple visual sifting
 # without risking lost emails.
 
 required_hits 5
 report_safe 0
 rewrite_header subject [SPAM]
 
 report_safe 0
 header DAEMON Subject =~ /DAEMON/
 score DAEMON 5
 whitelist_from [EMAIL PROTECTED]
 whitelist_from [EMAIL PROTECTED]
 whitelist_from *.lnxgw.group-riget.com


 I forward (through postfix, every SPAM tagged email in a specific mailbox
 spambox, it's working perfectly). 

Looks like it doesn't. :)  Rather than filtering based on the Subject,
I'd use a more reliable header added by SpamAssassin.


 This is an example of unormaly tagged email:
 
 Return-Path: [EMAIL PROTECTED]
 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
  lnxgw.group-riget.com
 X-Spam-Level:
 X-Spam-Status: No, score=-96.7 required=5.0 tests=AWL,DNS_FROM_SECURITYSAGE,
^
That RBL is in-operational for a while. They list the universe so that
people stop querying their zones. You'll get that hit for each and every
message.

Since you're using 3.2.3, this tells me you are not using sa-update.
This rule has been removed. I strongly suggest you update your rules.
  http://wiki.apache.org/spamassassin/RuleUpdates

  DRUGS_STOCK_MIMEOLE,HTML_MESSAGE,RDNS_NONE,USER_IN_WHITELIST autolearn=no
  ^
Obviously, your whitelist_from setting DOES work.

  version=3.2.3
 X-Original-To: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: from pc1469 (unknown [192.9.203.23])
  by lnxgw.group-riget.com (Postfix) with ESMTP id 8F835DA4997
  for [EMAIL PROTECTED]; Thu, 23 Oct 2008 10:49:16
 +0200 (CEST)
 From: Slicra [EMAIL PROTECTED]
 To: 'Jerome claveyrolas' [EMAIL PROTECTED]
 Subject: TR: [SPAM] Devis

 What's wrong with my whitelist
 Even if i add only one address ([EMAIL PROTECTED]), spamassassin tag it!

Hmm, no -- I don't use that ghastly Subject munging, but I am rather
positive that the above is NOT done by YOUR SpamAssassin. Have a look at
the Subject header. The tag is pre-pended by some strange TR:. This
has not been added by your SpamAssassin.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: whitelist_from/whitelist_auth and custom score

2008-07-04 Thread Helmut Schneider

On Wed, 2008-07-02 at 11:12 +0200, Helmut Schneider wrote:
I would like to do some whitelisting for an external mailing list. I found
whitelist_from and whitelist_auth but they automatically score -100. Is
there a way to use whitelist_* or something similar with a custom score?


amavisd-new provides soft-whitelisting where you can put in a custom
score per recipient.

I changed the default score for one of my whitelists:
score USER_IN_SPF_WHITELIST -10.000


Seems I have to use whitelist_to, does it check To:, or envelope-to:? 





Re: whitelist_from/whitelist_auth and custom score

2008-07-02 Thread McDonald, Dan
On Wed, 2008-07-02 at 11:12 +0200, Helmut Schneider wrote:
 Hi,
 
 I would like to do some whitelisting for an external mailing list. I found 
 whitelist_from and whitelist_auth but they automatically score -100. Is 
 there a way to use whitelist_* or something similar with a custom score?

amavisd-new provides soft-whitelisting where you can put in a custom
score per recipient.

I changed the default score for one of my whitelists:
score USER_IN_SPF_WHITELIST -10.000

The default whitelist scores are found in 50_scores:
$ grep WHITELIST /var/lib/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf
score USER_IN_WHITELIST -100.000
score USER_IN_DEF_WHITELIST -15.000
score USER_IN_WHITELIST_TO -6.000
score SUBJECT_IN_WHITELIST -100
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DK_WHITELIST -100.000
score USER_IN_SPF_WHITELIST -100.000

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: whitelist_from/whitelist_auth and custom score

2008-07-02 Thread Matus UHLAR - fantomas
On 02.07.08 11:12, Helmut Schneider wrote:
 I would like to do some whitelisting for an external mailing list. I found 
 whitelist_from and whitelist_auth but they automatically score -100. Is 
 there a way to use whitelist_* or something similar with a custom score?

you can use def_whitelist_* or create custom score for the list...
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: whitelist_from question

2007-09-02 Thread Matt Kettler
Leonardo Rodrigues Magalhães wrote:

Would it be possible to make some changes and having whitelist_from
 to NOT consider the From header ???
Sure, but you'll have to rewrite some of the code to do it, or make your
own plugin.

. ie: no, there's no default support for this kind of thing, you'd have
to make your own.



Re: whitelist_from with multiple recips not firing?

2007-07-20 Thread Matthew Yette
 Daryl C. W. O'Shea [EMAIL PROTECTED] 7/19/2007 4:51 PM 
You would have to get the calling software to pass as the username 
either (i) something like @example.com; or (ii) a non-existent account 
at the domain.

Get it to do that and you'll see the results you want.  SA will be happy 
with it... I do the same in my own milter.
Oddly enough, global and domain-wide preferences apply just fine. For example, 
a message addressed to [EMAIL PROTECTED] from [EMAIL PROTECTED] will be 
whitelisted if the username domain.com contains a whitelist_from 
[EMAIL PROTECTED] So there's the domain-wide setting. Same goes for the global 
as well. It only ignores the site-wide preference (and user-specific, for that 
matter) when an incoming message has multiple recipients. It still uses the 
global, however, and that's how I've been able to get around this problem thus 
far, even though I'd rather not kludge it like that. 
 
I am using qmail-scanner 1.25st. Do you think it's related to how q-s calls SA 
and how it breaks out multi-recipient messages to the scanner?



[Solution] Re: whitelist_from with multiple recips not firing?

2007-07-20 Thread Matthew Yette


 Matthew Yette [EMAIL PROTECTED] 7/20/2007 8:24 AM 
 Daryl C. W. O'Shea [EMAIL PROTECTED] 7/19/2007 4:51 PM 
You would have to get the calling software to pass as the username 
either (i) something like @example.com; or (ii) a non-existent account 
at the domain.

Get it to do that and you'll see the results you want.  SA will be happy 
with it... I do the same in my own milter.
 
 
Twas a qmail-scanner setting. 

# st: Enable or diasable scanner per domain (1/0)
my $settings_pd='1';
 
Need to make sure that's set to 1. Then run qmail-scanner-queue.pl -p
 
Thanks gang!



Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread Matthew Yette
 Matthew Yette [EMAIL PROTECTED] 7/19/2007 2:13 PM 
I am using SA 3.2.0 using SQL backend userprefs. There is a sending address 
that is whitelisted for an entire domain, as well as specific users on that 
domain. However, on the messages that come in from this whitelisted address for 
multiple recipients (in this case 2), the USER_IN_WHITELIST rule does not fire, 
and the message gets hit as spam. Is there something special that needs to be 
done to have it apply to multiple-recipient messages? This is my custom SQL 
userprefs query:
 
SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = 
'@GLOBAL' OR username = _DOMAIN_ ORDER BY username ASC
 
Thanks!
 
 
Matt Yette
---
 
One other point - in my SQL prefs database, I am only using domain.com as the 
username for domain-wide preferences, and not %domain.com and SELECT 
preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = 
'@GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC as Dallas 
calls for in his SQL docs. Would this have a negative impact in terms of 
applying rules on multiple-recipient mail?


Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread Matthew Yette
After further testing, it most definitely has to do with a message having 
multiple recipients (I've tried changing around my custom SQL query to no 
avail). qmail-queue.log log entry w/ debug on:
 
Thu, 19 Jul 2007 15:10:20 EDT:16677: g_e_h: return-path is [EMAIL PROTECTED], recips is [EMAIL PROTECTED],[EMAIL PROTECTED]
Thu, 19 Jul 2007 15:10:20 EDT:16677: from=Matthew Yette [EMAIL PROTECTED],subj=test, x-qmail-scanner-message-id=[EMAIL PROTECTED] via SMTP from 64.9.116.126
Thu, 19 Jul 2007 15:10:20 EDT:16677: ini_sc: start scanning
Thu, 19 Jul 2007 15:10:20 EDT:16677: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/mail.integrityhosting.org118487221972216677/
Thu, 19 Jul 2007 15:10:20 EDT:16677: scanloop: starting scan of directory /var/spool/qmailscan/tmp/mail.integrityhosting.org118487221972216677...
Thu, 19 Jul 2007 15:10:20 EDT:16677: scanloop: scanner=spamassassin,plain_text_msg=0
Thu, 19 Jul 2007 15:10:20 EDT:16677: SA: REPORT hits = -2.6/4.0
 -2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
 [score: 0.]
  0.0 HTML_MESSAGE   BODY: HTML included in message
Thu, 19 Jul 2007 15:10:20 EDT:16677: SA: required_hits 4.0 / sa_quarantine +0 / sa_delete +0.9
Thu, 19 Jul 2007 15:10:20 EDT:16677: SA: finished scan of dir /var/spool/qmailscan/tmp/mail.integrityhosting.org118487221972216677 in 0.715 secs - hits=-2.6/4.0
 
As you can see, recips is [EMAIL PROTECTED],[EMAIL PROTECTED] and 
USER_IN_WHITELIST does NOT fire, even though it's in my SQL database as 
username = mattyette.com, preference is whitelist_from and value is [EMAIL 
PROTECTED] 
 
This has to be something that's cropped up before, I'm hoping it's a quick and 
easy solution. :)
 
Thanks again,
 
Matt

 Matthew Yette [EMAIL PROTECTED] 7/19/2007 2:24 PM 
 Matthew Yette [EMAIL PROTECTED] 7/19/2007 2:13 PM 
I am using SA 3.2.0 using SQL backend userprefs. There is a sending address 
that is whitelisted for an entire domain, as well as specific users on that 
domain. However, on the messages that come in from this whitelisted address for 
multiple recipients (in this case 2), the USER_IN_WHITELIST rule does not fire, 
and the message gets hit as spam. Is there something special that needs to be 
done to have it apply to multiple-recipient messages? This is my custom SQL 
userprefs query:
 
SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = 
'@GLOBAL' OR username = _DOMAIN_ ORDER BY username ASC
 
Thanks!
 
 
Matt Yette
---
 
One other point - in my SQL prefs database, I am only using domain.com as the 
username for domain-wide preferences, and not %domain.com and SELECT 
preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = 
'@GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC as Dallas 
calls for in his SQL docs. Would this have a negative impact in terms of 
applying rules on multiple-recipient mail?
 ( mailto:[EMAIL PROTECTED] )




Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread Duane Hill

On Thu, 19 Jul 2007 at 15:14 -0400, [EMAIL PROTECTED] confabulated:


After further testing, it most definitely has to do with a message having 
multiple recipients (I've tried changing around my custom SQL query to no 
avail). qmail-queue.log log entry w/ debug on:

Thu, 19 Jul 2007 15:10:20 EDT:16677: g_e_h: return-path is [EMAIL PROTECTED], recips is 
[EMAIL PROTECTED],[EMAIL PROTECTED]
Thu, 19 Jul 2007 15:10:20 EDT:16677: from=Matthew Yette [EMAIL PROTECTED],subj=test 
( mailto:[EMAIL PROTECTED] ), x-qmail-scanner-message-id=[EMAIL PROTECTED] via SMTP from 
64.9.116.126
Thu, 19 Jul 2007 15:10:20 EDT:16677: ini_sc: start scanning
Thu, 19 Jul 2007 15:10:20 EDT:16677: ini_sc: recursively scan the directory 
/var/spool/qmailscan/tmp/mail.integrityhosting.org118487221972216677/
Thu, 19 Jul 2007 15:10:20 EDT:16677: scanloop: starting scan of directory 
/var/spool/qmailscan/tmp/mail.integrityhosting.org118487221972216677...
Thu, 19 Jul 2007 15:10:20 EDT:16677: scanloop: 
scanner=spamassassin,plain_text_msg=0
Thu, 19 Jul 2007 15:10:20 EDT:16677: SA: REPORT hits = -2.6/4.0
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.]
 0.0 HTML_MESSAGE   BODY: HTML included in message
Thu, 19 Jul 2007 15:10:20 EDT:16677: SA: required_hits 4.0 / sa_quarantine +0 / 
sa_delete +0.9
Thu, 19 Jul 2007 15:10:20 EDT:16677: SA: finished scan of dir 
/var/spool/qmailscan/tmp/mail.integrityhosting.org118487221972216677 in 0.715 
secs - hits=-2.6/4.0

As you can see, recips is [EMAIL PROTECTED],[EMAIL PROTECTED] and 
USER_IN_WHITELIST does NOT fire, even though it's in my SQL database as username = 
mattyette.com, preference is whitelist_from and value is [EMAIL PROTECTED]

This has to be something that's cropped up before, I'm hoping it's a quick and 
easy solution. :)


I don't know that SA has a way for running messages through for each 
individual recipient. I don't believe you can specify multiple username 
parameters using spamc and/or spamassassin.


Here we use Postfix and I instruct Postfix to send the message through SA 
for each recipient. It works like a charm. Perhaps whatever you are using 
in qmail can do the same.


---
  _|_
 (_| |


Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread Matthew Yette
I don't know that SA has a way for running messages through for each 
individual recipient. I don't believe you can specify multiple username 
parameters using spamc and/or spamassassin.

Here we use Postfix and I instruct Postfix to send the message through SA 
for each recipient. It works like a charm. Perhaps whatever you are using 
in qmail can do the same.

Thanks for the response, Duane. I would think that, even if SA has trouble 
dealing w/ pulling rules on messages w/ multiple recips, it would at least grab 
a domain-wide value?


Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread Duane Hill

On Thu, 19 Jul 2007 at 15:44 -0400, [EMAIL PROTECTED] confabulated:


I don't know that SA has a way for running messages through for each
individual recipient. I don't believe you can specify multiple username
parameters using spamc and/or spamassassin.



Here we use Postfix and I instruct Postfix to send the message through SA
for each recipient. It works like a charm. Perhaps whatever you are using
in qmail can do the same.


Thanks for the response, Duane. I would think that, even if SA has trouble 
dealing w/ pulling rules on messages w/ multiple recips, it would at least grab 
a domain-wide value?


Someone would have to correct me if I'm wrong. I believe SA, without any 
extraneous development, can operate as site-wide or at the user level. 
Operating as site-wide eliminates the ability at the domain and user 
levels. Operating at the user level, you can have domain wide rules. This 
also means the message is either going into its final route to the 
individual recipient (SA being executed within a procmail or something 
similar within that account), or the message is being fed into SA for each 
recipient from the MTA or other source.


As I stated before, I can tell Postfix to feed the message through one 
recipient at a time and can use:


  /usr/local/bin/spamc -u ${recipient}

to tell spamc what user it will run as. Then, the SQL query works like it 
should. I have multiple global, domain and user settings in our user level 
set up.


---
  _|_
 (_| |


Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread Daryl C. W. O'Shea

Matthew Yette wrote:

 I don't know that SA has a way for running messages through for each
 individual recipient. I don't believe you can specify multiple username
 parameters using spamc and/or spamassassin.

 Here we use Postfix and I instruct Postfix to send the message through SA
 for each recipient. It works like a charm. Perhaps whatever you are using
 in qmail can do the same.

Thanks for the response, Duane. I would think that, even if SA has 
trouble dealing w/ pulling rules on messages w/ multiple recips, it 
would at least grab a domain-wide value?


You would have to get the calling software to pass as the username 
either (i) something like @example.com; or (ii) a non-existent account 
at the domain.


Get it to do that and you'll see the results you want.  SA will be happy 
with it... I do the same in my own milter.



Daryl
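
Why the username handed to the scanner decides whether the domain-wide row is loaded, as an added example that is not part of the original thread or SpamAssassin's own code: it runs the custom query from the thread against a constructed SQLite table. It assumes `_DOMAIN_` expands to the text after `@` in that username; the account name `scanner` and all rows are constructed.

```python
import sqlite3

# The custom userprefs query quoted in the thread, placeholders intact.
QUERY = ("SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ "
         "OR username = '@GLOBAL' OR username = _DOMAIN_ ORDER BY username ASC")

# Constructed sample rows; a bare domain is the username for domain-wide
# preferences, as in the original poster's database.
ROWS = [
    ("@GLOBAL", "required_score", "5.0"),
    ("example.com", "whitelist_from", "sender@partner.example"),
    ("alice@example.com", "whitelist_from", "friend@other.example"),
]


def build_db():
    """In-memory stand-in for the SQL userprefs table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userpref (username TEXT, preference TEXT, value TEXT)")
    db.executemany("INSERT INTO userpref VALUES (?, ?, ?)", ROWS)
    return db


def prefs_for(db, username):
    """Rows the query returns when the scan runs as `username`."""
    # Assumption: _DOMAIN_ is the text after '@' in the username, empty if none.
    _, _, domain = username.partition("@")
    sql = (QUERY.replace("_TABLE_", "userpref")
                .replace("_USERNAME_", ":username")
                .replace("_DOMAIN_", ":domain"))
    return db.execute(sql, {"username": username, "domain": domain}).fetchall()


def whitelisted(db, username, sender):
    """True if a whitelist_from row for exactly `sender` was loaded."""
    return ("whitelist_from", sender) in prefs_for(db, username)


if __name__ == "__main__":
    db = build_db()
    # 'scanner' is a hypothetical domain-less account name; the other two
    # non-recipient forms are the ones suggested in the reply above.
    for user in ("alice@example.com", "scanner", "@example.com", "nobody@example.com"):
        print(f"{user!r:22} domain whitelist loaded:",
              whitelisted(db, user, "sender@partner.example"))
```
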


Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread SM

At 13:43 19-07-2007, Duane Hill wrote:
As I stated before, I can tell Postfix to feed the message through 
one recipient at a time and can use:


  /usr/local/bin/spamc -u ${recipient}

to tell spamc what user it will run as. Then, the SQL query works 
like it should. I have multiple global, domain and user settings in 
our user level set up.


For a site-wide setup you would be scanning the same message multiple 
times.  How about using the domain part of the address for 
scanning?  Once you get the score, determine the score threshold for 
each of the recipients and deliver or reject as appropriate.  From a 
SMTP perspective, it would be accept or reject all though.


Regards,
-sm






Re: whitelist_from with multiple recips not firing?

2007-07-19 Thread Duane Hill

On Thu, 19 Jul 2007 at 15:19 -0700, [EMAIL PROTECTED] confabulated:


At 13:43 19-07-2007, Duane Hill wrote:
As I stated before, I can tell Postfix to feed the message through one 
recipient at a time and can use:


  /usr/local/bin/spamc -u ${recipient}

to tell spamc what user it will run as. Then, the SQL query works like it 
should. I have multiple global, domain and user settings in our user level 
set up.


For a site-wide setup you would be scanning the same message multiple times. 
How about using the domain part of the address for scanning?  Once you get 
the score, determine the score threshold for each of the recipients and 
deliver or reject as appropriate.  From a SMTP perspective, it would be 
accept or reject all though.


If I wanted a site-wide setup, I would just remove the recipient 
restriction and the username switch and let spamc use the default username 
of 'spamd'.


---
  _|_
 (_| |


Re: whitelist_from ip_range

2007-04-19 Thread Philip Prindeville
Benny Pedersen wrote:
 On Tue, April 17, 2007 01:57, Duane Hill wrote:

   
 http://wiki.apache.org/spamassassin/TrustPath
 

 to me a bit hardcore to read, but it have all ip that is known forwards mails
 to me as trusted_networks even if its still not my servers, and have made the
 complete rfc1918 in trusted_networks and internal_networks added to this i
 have my own wan ip's in both

 should be it :-)

 trusted_networks 10.0.0.0/8
 trusted_networks 172.16.0.0/12
 trusted_networks 192.168.0.0/16
 trusted_networks 127.0.0.0/8

 internal_networks 10.0.0.0/8
 internal_networks 172.16.0.0/12
 internal_networks 192.168.0.0/16
 internal_networks 127.0.0.0/8

 and last my wan ips as trusted_networks and internal_networks

 after this all known forward ips as trusted_networks
   

Given the number of ISP's that don't have rDNS configured,
whitelist_from_rcvd should probably be extended to support
IP/CIDR addresses as well...

Let's not overload the meanings of trusted_networks and
internal_networks.  These latter two are already confusing
enough for most newbies without having them take on
additional unintended meanings.

-Philip



Re: whitelist_from ip_range

2007-04-19 Thread Benny Pedersen

On Thu, April 19, 2007 21:20, Philip Prindeville wrote:

 Given the number of ISP's that don't have rDNS configured,

i reject them, at least spf can help them

 whitelist_from_rcvd should probably be extended to support
 IP/CIDR addresses as well...

why not spf ?

 Let's not overload the meanings of trusted_networks and
 internal_networks. These latter two are already confusing
 enough for most newbies without having them take on
 additional unintended meanings.

there can be better ways of dealing with it yes, so far i have not seen side
effects of managed trusted_networks and or internal_networks that works

-- 
This message was sent using 100% recycled spam mails.



Re: whitelist_from ip_range

2007-04-17 Thread Benny Pedersen

On Tue, April 17, 2007 01:57, Duane Hill wrote:

 http://wiki.apache.org/spamassassin/TrustPath

to me a bit hardcore to read, but it have all ip that is known forwards mails
to me as trusted_networks even if its still not my servers, and have made the
complete rfc1918 in trusted_networks and internal_networks added to this i
have my own wan ip's in both

should be it :-)

trusted_networks 10.0.0.0/8
trusted_networks 172.16.0.0/12
trusted_networks 192.168.0.0/16
trusted_networks 127.0.0.0/8

internal_networks 10.0.0.0/8
internal_networks 172.16.0.0/12
internal_networks 192.168.0.0/16
internal_networks 127.0.0.0/8

and last my wan ips as trusted_networks and internal_networks

after this all known forward ips as trusted_networks

-- 
This message was sent using 100% recycled spam mails.



Re: whitelist_from ip_range

2007-04-17 Thread Benny Pedersen

On Tue, April 17, 2007 01:26, Kelson wrote:

 That won't do what you think. trusted_networks is for IPs that you
 trust to provide honest header information, not IPs that you trust not
 to send spam.

correct, all my known forwarders pass spam when user want to have it forwarded

-- 
This message was sent using 100% recycled spam mails.



Re: whitelist_from ip_range

2007-04-16 Thread Kelson

Benny Pedersen wrote:

On Sat, April 14, 2007 10:31, Wael Shahin wrote:


whitelist_from 172.16.0.0/16


trusted_networks 172.16.0.0/16

whitelist_from is for email not for ip :-)


That won't do what you think.  trusted_networks is for IPs that you 
trust to provide honest header information, not IPs that you trust not 
to send spam.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: whitelist_from ip_range

2007-04-16 Thread Duane Hill

On Mon, 16 Apr 2007, Kelson wrote:


Benny Pedersen wrote:

On Sat, April 14, 2007 10:31, Wael Shahin wrote:


whitelist_from 172.16.0.0/16


trusted_networks 172.16.0.0/16

whitelist_from is for email not for ip :-)


That won't do what you think.  trusted_networks is for IPs that you trust to 
provide honest header information, not IPs that you trust not to send spam.


A more concise definition from the wiki:

http://wiki.apache.org/spamassassin/TrustPath

Trusted Networks

Generally you want trusted_networks set to contain all the mailservers
you control that add Received: headers, and nothing else.

Internal Networks

Set 'internal_networks' to include the hosts that act as MX for your
domains, or that may deliver mail internally in your organisation.

Set 'trusted_networks' to include the same hosts and networks as
'internal_networks', with the addition of some hosts that are
external to your organisation which you trust to not be under the
control of spammers. For example, very high-volume mail relays at
other ISPs, or mailing list servers. Note that it doesn't matter if
the server relays spam to you from other hosts; that still means you
trust the server not to originate spam, which is what
'trusted_networks' specifies.


Re: whitelist_from ip_range

2007-04-14 Thread Benny Pedersen

On Sat, April 14, 2007 10:31, Wael Shahin wrote:

 whitelist_from 172.16.0.0/16

trusted_networks 172.16.0.0/16

whitelist_from is for email not for ip :-)

-- 
This message was sent using 100% recycled spam mails.



Re: whitelist_from ip_range

2007-04-14 Thread Wael Shahin

Oops,
looks like i totally messed up

thanks Benny
- Original Message - 
From: Benny Pedersen [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
Sent: Saturday, April 14, 2007 1:17 PM
Subject: Re: whitelist_from ip_range




On Sat, April 14, 2007 10:31, Wael Shahin wrote:


whitelist_from 172.16.0.0/16


trusted_networks 172.16.0.0/16

whitelist_from is for email not for ip :-)

--
This message was sent using 100% recycled spam mails.



Re: whitelist_from and whitelist_from_rcvd not working

2006-12-08 Thread Mark Adams
Hi Thanks for your mail,


On Mon, Dec 04, 2006 at 02:58:56PM -0500, Robert Swan wrote:
 
 I had a similar problem with SA not reading a specific .cf file. I
 basically created a new greylist.cf file and copied the test over and it
 worked, and of course make sure it is in the right folder... Might be
 worth a try
 

I have done this, but the issue is still occurring. Has anyone else seen
this or have any suggestions?

 
 
 Robert
  
  


Regards,
Mark

  
  
  
 Peace he would say instead of goodbyepeace my brother.
 
 -Original Message-
 From: Mark Adams [mailto:[EMAIL PROTECTED] 
 Sent: Monday, December 04, 2006 12:56 PM
 To: [EMAIL PROTECTED]
 Cc: users@spamassassin.apache.org
 Subject: Re: whitelist_from and whitelist_from_rcvd not working
 
 On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
  Mark Adams wrote:
  Hi All,
  
  Spamassassin 3.1.4-1
  
  Currently have entries like the following in the local.cf file
  
  whitelist_from [EMAIL PROTECTED]
  and
  whitelist_from [EMAIL PROTECTED]
  
  But mail is still picked up as spam for the [EMAIL PROTECTED]
  
  Have also tried the following;
  
  whitelist_from_rcvd [EMAIL PROTECTED] domain.com
  and
  whitelist_from_rcvd [EMAIL PROTECTED] domain.com
  
  But nothing seems to work? has anyone got any advice on this?

  
  do you have
  
 always_trust_envelope_sender 1
  
  ?
 
 
 No I don't have this setting
  


RE: whitelist_from and whitelist_from_rcvd not working

2006-12-04 Thread Robert Swan

I had a similar problem with SA not reading a specific .cf file. I
basically created a new greylist.cf file and copied the test over and it
worked, and of course make sure it is in the right folder... Might be
worth a try



Robert
 
 
 
 
 
 
Peace he would say instead of goodbyepeace my brother.

-Original Message-
From: Mark Adams [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 04, 2006 12:56 PM
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: Re: whitelist_from and whitelist_from_rcvd not working

On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
 Mark Adams wrote:
 Hi All,
 
 Spamassassin 3.1.4-1
 
 Currently have entries like the following in the local.cf file
 
 whitelist_from [EMAIL PROTECTED]
 and
 whitelist_from [EMAIL PROTECTED]
 
 But mail is still picked up as spam for the [EMAIL PROTECTED]
 
 Have also tried the following;
 
 whitelist_from_rcvd [EMAIL PROTECTED] domain.com
 and
 whitelist_from_rcvd [EMAIL PROTECTED] domain.com
 
 But nothing seems to work? has anyone got any advice on this?
   
 
 do you have
 
always_trust_envelope_sender 1
 
 ?


No I don't have this setting
 


Re: whitelist_from and whitelist_from_rcvd not working

2006-12-03 Thread mouss

Mark Adams wrote:

Hi All,

Spamassassin 3.1.4-1

Currently have entries like the following in the local.cf file

whitelist_from [EMAIL PROTECTED]
and
whitelist_from [EMAIL PROTECTED]

But mail is still picked up as spam for the [EMAIL PROTECTED]

Have also tried the following;

whitelist_from_rcvd [EMAIL PROTECTED] domain.com
and
whitelist_from_rcvd [EMAIL PROTECTED] domain.com

But nothing seems to work? has anyone got any advice on this?
  


do you have

   always_trust_envelope_sender 1

?




Re: whitelist_from not working with milter

2006-09-16 Thread Matt Kettler
Rainer Sokoll wrote:
 Hi,

 sendmail 8.13.7, Dan Nelson's spamass-milter 0.3.1, SA 3.1.5.
 whitelist_from is ignored entirely, no matter if I put it into local.cf
 or some other .cf. If I run SA in test mode (-t), SA honors
 whitelist_from.
 By digging into milter's source, I see this snippet from line 911 on (I am
 not a programmer):

 /* Send the envelope headers as X-Envelope-From: and
 X-Envelope-To: so that SpamAssassin can use them in its
 whitelist checks.  Also forge as complete a dummy
 Received: header as possible because SA gets a lot of
 info from it.

  HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
  $.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
  $.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
  (version=${tls_version} cipher=${cipher} bits=${cipher_bits} 
 verify=${verify})$.$?u
  for $u; $|;
  $.$b$?g
  (envelope-from $g)$.

 */

 As you can see, this function is commented out.
 Is this the reason for my problem? And if so: What will happen if I
 comment it in?
   

No, that would cause it to match the envelope senders. If you're trying
to match the From: header itself, this won't matter.

However, does spamass-milter use spamd/spamc? If so, did you restart spamd?

The .cf files are all only parsed when spamd starts, or when it's sent a
SIGHUP. Otherwise, all the spamd children use a copy of the pre-parsed
rules from the parent spamd.




Re: whitelist_from not working with milter

2006-09-16 Thread Loren Wilton
BTW, some versions of spamass-milter have had problems with recent versions 
of SA.  I don't know if that has been fixed or not, since I don't use it. 
If it hasn't been fixed (at least in the version you have) it may be part of 
your problem.


   Loren



RE: Whitelist_from clarification

2006-06-07 Thread Bret Miller
 Soomail from myspace has been getting tagged as spam...been trying
 to halt that on a domain basis.  Here's what I've tried (and seen
 online):

 .*myspace.com
 @myspace.com
 *myspace.com
 [EMAIL PROTECTED]

 Can someone tell me which is the correct format?  Thanks!

whitelist_from [EMAIL PROTECTED]

If your server correctly inserts a received header before calling SA,
you might be able to use something like:

Whitelist_from_rcvd [EMAIL PROTECTED] servername

Bret






Re: Whitelist_from clarification

2006-06-07 Thread Ramprasad
On Wed, 2006-06-07 at 07:03 -0600, James Lay wrote:
 Hey all!
 
 Soomail from myspace has been getting tagged as spam...been trying
 to halt that on a domain basis.  Here's what I've tried (and seen
 online):
 
 .*myspace.com
 @myspace.com
 *myspace.com
 [EMAIL PROTECTED]
 
 Can someone tell me which is the correct format?  Thanks!
 
 James

Oops
Now spammers know how to spam you, just forge the from address. 

:-)
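
The entries tried in the question above, and the CIDR value from the earlier "whitelist_from ip_range" thread, checked against file-glob address matching, where only `*` and `?` are wildcards as the SpamAssassin documentation describes. This is an added example, not part of the original thread or SpamAssassin's own code; `lint`, the sample addresses and the `*@myspace.com` entry are constructed here.

```python
import ipaddress
import re


def glob_to_regex(pattern):
    """Model of file-glob address matching: '*' and '?' are the only wildcards."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # '.', '/', '@' etc. are literals
    return re.compile("".join(parts))


def matches(pattern, address):
    """True if the whole address matches the glob, ignoring case."""
    return glob_to_regex(pattern).fullmatch(address.lower()) is not None


def lint(pattern):
    """Warning codes for a whitelist_from value (hypothetical helper)."""
    try:
        ipaddress.ip_network(pattern, strict=False)
        return ["network"]                # an IP or CIDR range, not an address
    except ValueError:
        pass
    warnings = []
    if ".*" in pattern:
        warnings.append("regex")          # '.' is literal here, not "any char"
    if pattern.startswith("@"):
        warnings.append("no-localpart")   # matches only that literal string
    if re.search(r"\*[A-Za-z0-9]", pattern):
        warnings.append("unanchored")     # wildcard runs straight into a name
    return warnings


# Entries tried in the threads, plus one constructed pattern for comparison
# (the pattern given in the reply above is redacted on this page).
ENTRIES = [".*myspace.com", "@myspace.com", "*myspace.com",
           "172.16.0.0/16", "*@myspace.com"]
# Constructed From addresses.
ADDRESSES = ["news@myspace.com", "news@mail.myspace.com", "news@notmyspace.com"]


def report():
    """Map each entry to (addresses it matches, lint warnings)."""
    return {e: ([a for a in ADDRESSES if matches(e, a)], lint(e)) for e in ENTRIES}


if __name__ == "__main__":
    for entry, (hits, warnings) in report().items():
        print(f"{entry:16} matches={hits} warnings={warnings}")
```

A pattern that passes this check still only constrains the From address, which the sender sets; whitelist_from_rcvd, mentioned in the reply above, also ties the entry to the relaying host.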




