Re: whitelist_from questions
On 26/07/2009 04:00, McDonald, Dan wrote:
> From: Robert [mailto:list...@abbacomm.net]
>>> There are no doubt lots of ways, but how about:
>>>
>>> egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT";}' | xargs dig | grep v=spf1
>>
>> what is this supposed to do?
>
> select all of your whitelist_from entries, parse out the domain part, dig the TXT record for each domain, then display only the ones that have a v=spf1 notation. That would give you a list of all of the domains in your whitelist_from that could be migrated to whitelist_from_spf

... provided, as Matus pointed out, all your whitelist_from entries are nicely formatted one address per line, and provided you don't have any domain wildcards. If those two conditions aren't met then you'll have to do some extra mangling to extract the domains properly.

It also only looks for TXT RRs, so if any of the target domains are using only SPF RRs it won't find them.

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr
Re: whitelist_from questions
Hi,

I'm looking at an email that appears to be one of the users from the whitelist, but instead was from:

From probesqt...@segunitb1.freeserve.co.uk Mon Jul 27 19:49:19 2009

Why can't a comparison be made between the From: info and the actual sender? Is this because of virtual domains and/or users?

Thanks,
Alex
Re: whitelist_from questions
MySQL Student wrote:
> Hi,
>
> I'm looking at an email that appears to be one of the users from the whitelist, but instead was from:
>
> From probesqt...@segunitb1.freeserve.co.uk Mon Jul 27 19:49:19 2009
>
> Why can't a comparison be made between the From: info and the actual sender? Is this because of virtual domains and/or users?

It's not done because this mismatch happens for nearly every mailing list in existence (including this one).

Every message you get from this mailing list is From: the poster, but the envelope is from the apache list server's bounce handler.

The To: header and Rcpt to: mismatch for similar reasons (To: will be the list, but RCPT TO will be your mailbox).
Re: whitelist_from questions
On 25.07.09 01:25, jida...@jidanni.org wrote:
> Actually there should be one or two more whitelists, so one can e.g., score
> -100 one's friends
> -10 one's schools
> -1 one's country

we still have def_whitelist_* with score of -15.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
RE: whitelist_from questions
> There are no doubt lots of ways, but how about:
>
> egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT";}' | xargs dig | grep v=spf1
>
> John.

john,

what is this supposed to do?

- rh
RE: whitelist_from questions
From: Robert [mailto:list...@abbacomm.net]
>> There are no doubt lots of ways, but how about:
>>
>> egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT";}' | xargs dig | grep v=spf1
>
> what is this supposed to do?

select all of your whitelist_from entries, parse out the domain part, dig the TXT record for each domain, then display only the ones that have a v=spf1 notation. That would give you a list of all of the domains in your whitelist_from that could be migrated to whitelist_from_spf
Re: whitelist_from questions
On 24/07/2009 04:09, MySQL Student wrote:
> I don't doubt that if we removed a substantial amount of them that SA would do what's right, but there doesn't seem to be any scientific way to do that successfully.

Can't you just look at the scores that the whitelisted messages are getting and see whether any would be close to being considered as spam without the -100 of the whitelist? [How best to do that depends on how you've integrated spamassassin into your mail setup, but grepping through logs ought to do it in most cases].

And perhaps a few carefully-chosen negative-scoring rules (for words or phrases common to your customer's business) might be a far more effective way of handling the rest.

> Is there a way to script that for the 1000 or so entries, to see which have SPF records?

There are no doubt lots of ways, but how about:

egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT";}' | xargs dig | grep v=spf1

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr
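
One way to do the log check suggested in the message above, shown as an added example that is not part of the thread. It assumes spamd-style `result:` syslog lines and the stock -100 score for USER_IN_WHITELIST; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. The log layout (spamd "result:"
# lines) and all names here are assumptions.

# Constructed sample log lines.
sample_log() {
    cat <<'EOF'
Jul 27 19:49:21 mx spamd[2301]: spamd: result: . -97 - BAYES_00,HTML_MESSAGE,USER_IN_WHITELIST scantime=1.1,size=4312,user=alex,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40112,mid=<constructed-1@example.com>,autolearn=no
Jul 27 19:50:02 mx spamd[2301]: spamd: result: . -88 - BAYES_99,URIBL_BLACK,USER_IN_WHITELIST scantime=2.0,size=9120,user=alex,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40118,mid=<constructed-2@example.net>,autolearn=no
Jul 27 19:51:40 mx spamd[2301]: spamd: result: Y 14 - BAYES_99,URIBL_BLACK scantime=1.7,size=8021,user=alex,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40121,mid=<constructed-3@example.net>,autolearn=no
Jul 27 19:53:13 mx spamd[2301]: spamd: result: . -95 - BAYES_50,HTML_IMAGE_ONLY_16,USER_IN_WHITELIST scantime=0.9,size=2210,user=alex,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40130,mid=<constructed-4@example.org>,autolearn=no
EOF
}

# Usage: near_spam_without_whitelist [LOGFILE|-] [MARGIN]
# For every message that hit USER_IN_WHITELIST, add the 100 points back
# and print "score-without-whitelist required message-id" when that
# score is within MARGIN points of the spam threshold (default 0).
near_spam_without_whitelist() {
    awk -v margin="${2:-0}" '
        {
            for (i = 1; i <= NF; i++) if ($i == "result:") break
            if (i > NF) next                      # not a result line
            score = $(i + 2)
            tests = "," $(i + 4) ","
            kv    = $(i + 5)
            if (index(tests, ",USER_IN_WHITELIST,") == 0) next
            req = 5.0                             # SpamAssassin default
            if (match(kv, /required_score=[0-9.]+/))
                req = substr(kv, RSTART + 15, RLENGTH - 15) + 0
            mid = "-"
            if (match(kv, /mid=<[^>]*>/))
                mid = substr(kv, RSTART + 4, RLENGTH - 4)
            raw = score + 100                     # undo the whitelist hit
            if (raw + margin >= req) print raw, req, mid
        }' "${1:--}"
}

# Demo on the constructed lines.
sample_log | near_spam_without_whitelist
```

Messages listed here were delivered only because of the whitelist entry, so they are the ones to check for forged senders before deciding which entries to keep.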
Re: whitelist_from questions
> On 24/07/2009 04:09, MySQL Student wrote:
>> I don't doubt that if we removed a substantial amount of them that SA would do what's right, but there doesn't seem to be any scientific way to do that successfully.
>
> Can't you just look at the scores that the whitelisted messages are getting and see whether any would be close to being considered as spam without the -100 of the whitelist? [How best to do that depends on how you've integrated spamassassin into your mail setup, but grepping through logs ought to do it in most cases].
>
> And perhaps a few carefully-chosen negative-scoring rules (for words or phrases common to your customer's business) might be a far more effective way of handling the rest.
>
>> Is there a way to script that for the 1000 or so entries, to see which have SPF records?
>
> There are no doubt lots of ways, but how about:

On 24.07.09 08:58, John Wilcock wrote:
> egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT";}' | xargs dig | grep v=spf1

well
- addresses can contain wildcards
- more addresses can be at one line
- SPF records should be checked before TXT

the first issue is hard to avoid by scripting, others can be solved.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
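
A version of the pipeline that deals with the points raised in this message and in John's follow-up (several addresses per line, wildcard domains, SPF RRs queried before TXT), shown as an added example that is not part of the thread. Function names and the sample config are constructed; `has_spf` assumes `dig` and network access, and the SPF RR type it asks for first was later deprecated by RFC 7208.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and sample data are
# constructed for illustration.

# Constructed sample config covering the cases raised in the thread.
sample_cf() {
    cat <<'EOF'
# constructed sample entries
whitelist_from alice@example.com bob@Example.ORG
  whitelist_from *@example.net    # wildcard local part, usable domain
whitelist_from carol@*.example.edu
whitelist_from_rcvd dave@example.info example.info
whitelist_from erin@example.com
EOF
}

# Print each distinct domain used by plain whitelist_from entries
# (file name as $1, or stdin). Handles several addresses per line; a
# wildcard in the domain part is reported on stderr, not looked up.
wl_domains() {
    awk '
        $1 == "whitelist_from" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break              # rest of line is a comment
                if (split($i, part, "@") != 2) continue
                dom = tolower(part[2])
                if (dom ~ /[*?]/) {
                    print "skipped (wildcard domain): " $i | "cat 1>&2"
                    continue
                }
                if (!seen[dom]++) print dom
            }
        }' "${1:--}"
}

# True if the domain publishes an SPF policy. The SPF RR type is asked
# first, then TXT, per the thread. Needs dig and network access.
has_spf() {
    { dig +short "$1" SPF; dig +short "$1" TXT; } 2>/dev/null |
        grep -qi '^"v=spf1[ "]'
}

# List the domains that could move to whitelist_from_spf.
spf_candidates() {
    wl_domains "$1" | while read -r dom; do
        if has_spf "$dom"; then echo "$dom"; fi
    done
}

# Offline demo: domain extraction only.
sample_cf | wl_domains
```

Run `spf_candidates local.cf` on the mail host to get the migration list; entries reported as skipped need a manual decision, since a wildcard domain has no single name to query.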
Re: whitelist_from questions
Actually there should be one or two more whitelists, so one can e.g., score
-100 one's friends
-10 one's schools
-1 one's country
Re: whitelist_from questions
jida...@jidanni.org writes:
> Actually there should be one or two more whitelists, so one can e.g., score
> -100 one's friends
> -10 one's schools
> -1 one's country

I have long wanted to be able to

whitelist_from f...@bar -3.0

to have per-entry scores. Obviously though I haven't wanted it enough to write the code.
Re: whitelist_from questions
On Fri, 24 Jul 2009, Greg Troxel wrote:
> I have long wanted to be able to
>
> whitelist_from f...@bar -3.0
>
> to have per-entry scores. Obviously though I haven't wanted it enough to write the code.

How does this not work?

header WL_FROM_FOO From =~ /\bf...@bar/i
score WL_FROM_FOO -3.00

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If healthcare is a Right means that the government is obligated to provide the people with hospitals, physicians, treatments and medications at low or no cost, then the right to free speech means the government is obligated to provide the people with printing presses and public address systems, the right to freedom of religion means the government is obligated to build churches for the people, and the right to keep and bear arms means the government is obligated to provide the people with guns, all at low or no cost.
---
13 days since a sunspot last seen - EPA blames CO2 emissions
Re: whitelist_from questions
John Hardin jhar...@impsec.org writes:
> On Fri, 24 Jul 2009, Greg Troxel wrote:
>> I have long wanted to be able to
>>
>> whitelist_from f...@bar -3.0
>>
>> to have per-entry scores. Obviously though I haven't wanted it enough to write the code.
>
> How does this not work?
>
> header WL_FROM_FOO From =~ /\bf...@bar/i
> score WL_FROM_FOO -3.00

It does, but doesn't it require allowing user rules?

Plus, it's two lines for each whitelist_from_score entry, with a magic regexp.
Re: whitelist_from questions
On Fri, 24 Jul 2009, Greg Troxel wrote:
> John Hardin jhar...@impsec.org writes:
>> On Fri, 24 Jul 2009, Greg Troxel wrote:
>>> I have long wanted to be able to
>>>
>>> whitelist_from f...@bar -3.0
>>>
>>> to have per-entry scores. Obviously though I haven't wanted it enough to write the code.
>>
>> How does this not work?
>>
>> header WL_FROM_FOO From =~ /\bf...@bar/i
>> score WL_FROM_FOO -3.00
>
> It does, but doesn't it require allowing user rules?

Yeah, but that requirement wasn't specified. Sorry.

> Plus, it's two lines for each whitelist_from_score entry, with a magic regexp.

Yeah, the whitelist_* do a lot of magic in the background. This would get hard to manage for more than a few entries. I was assuming you only wanted to do a few.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If healthcare is a Right means that the government is obligated to provide the people with hospitals, physicians, treatments and medications at low or no cost, then the right to free speech means the government is obligated to provide the people with printing presses and public address systems, the right to freedom of religion means the government is obligated to build churches for the people, and the right to keep and bear arms means the government is obligated to provide the people with guns, all at low or no cost.
---
13 days since a sunspot last seen - EPA blames CO2 emissions
Re: whitelist_from questions
On Fri, 2009-07-24 at 11:57 -0700, John Hardin wrote:
> On Fri, 24 Jul 2009, Greg Troxel wrote:
>> I have long wanted to be able to
>>
>> whitelist_from f...@bar -3.0
>>
>> to have per-entry scores. Obviously though I haven't wanted it enough to write the code.

First of all -- I don't like the term whitelist in this context. What's being discussed is a small, almost marginal adjustment to the score. Using whitelist for anything that low (even -1 has been mentioned previously) is just watering down the definition.

That said, something like the above might be useful in some cases. Not that I ever felt the need for it, but still.

Also, there are custom plugins [1] out there, which provide similar or related functionality -- and even are *much* easier to maintain for *users*, than the user_prefs. See the Addressbook and LDAPfilter plugins. The latter even mentions support for per-domain listings.

However, I strongly agree with a note in the Addressbook plugin's description. This doesn't really work for all addresses (unless rcvd or auth constrained, sic!). It is a common spammer pattern to send From forged address A, to Recipient A, B and C at the same domain. Thus, giving negative scores to your family, friends or co-workers is in some cases likely to result in FNs.

Anyway, I hope everyone who really needs and uses whitelisting, also has the ShortCircuit plugin enabled. If you deliberately WHITE-list, why waste more cycles on the mail?

[1] http://wiki.apache.org/spamassassin/CustomPlugins

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: whitelist_from questions
On Fri, July 24, 2009 20:10, John Hardin wrote:
> On Fri, 24 Jul 2009, Greg Troxel wrote:
>> I have long wanted to be able to
>>
>> whitelist_from f...@bar -3.0
>>
>> to have per-entry scores. Obviously though I haven't wanted it enough to write the code.
>
> How does this not work?
>
> header WL_FROM_FOO From =~ /\bf...@bar/i
> score WL_FROM_FOO -3.00

another example:

whitelist_from_spf f...@bar -3.0

only give -3.0 if spf pass

or

whitelist_from_dkim f...@bar -3.0

same for dkim

or both

whitelist_from_auth f...@bar -3.0

i still wonder why so many don't care more about forged senders :(

good such bad plugin does not exist, it's bad enough that whitelist_from does

--
xpoint
Re: whitelist_from questions
On 22/07/2009 17:48, MySQL Student wrote:
> So, forever I have been using whitelist_from and have probably a thousand entries.

Firstly, before you convert all these to whitelist_from_rcvd, perhaps you ought to ask yourself whether you really need 1000 entries on your whitelist. Does mail from these addresses actually get miscategorised as spam, or would SA get it right without the whitelist?

Secondly, don't forget about whitelist_from_spf. If a domain has an SPF record, this is a better solution than whitelist_from_rcvd as it avoids the need for *you* to work out which are the outgoing servers.

Lastly, if you do use whitelist_from_rcvd, remember that there may be multiple outgoing servers for a given domain, and worse they may change over time.

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr
Re: whitelist_from questions
Hi,

> Firstly, before you convert all these to whitelist_from_rcvd, perhaps you ought to ask yourself whether you really need 1000 entries on your whitelist.

I'm surprised you were the first to make that very comment, so thanks.

> Does mail from these addresses actually get miscategorised as spam, or would SA get it right without the whitelist?

Mail was being tagged as spam, and the organization became concerned that others would be tagged, so it seemed anytime there was a high-profile external business contact that they couldn't risk being tagged, they had it added to the whitelist.

The list used to be much larger until we spent quite a while (months and months) going through it with them to prune it.

I don't doubt that if we removed a substantial amount of them that SA would do what's right, but there doesn't seem to be any scientific way to do that successfully.

> Secondly, don't forget about whitelist_from_spf. If a domain has an SPF record, this is a better solution than whitelist_from_rcvd as it avoids the need for *you* to work out which are the outgoing servers.

Is there a way to script that for the 1000 or so entries, to see which have SPF records?

> Lastly, if you do use whitelist_from_rcvd, remember that there may be multiple outgoing servers for a given domain, and worse they may change over time.

Yeah, I thought of that too, so it doesn't sound like that's going to work well here.

Thanks,
Alex
Re: whitelist_from questions
MySQL Student wrote:
> Hi all,
>
> Some time ago someone had mentioned to never use whitelist_from but instead use whitelist_from_rcvd. Where is whitelist_from_rcvd documented? It doesn't appear in the SA docs in the same place that whitelist_from is listed.
>
> So, forever I have been using whitelist_from and have probably a thousand entries. Given that it doesn't appear to be well documented, Is it okay to do a one-to-one translation of my whitelist_from rules to whitelist_from_rcvd?
>
> Do these entries have to be in local.cf, or can I create a whitelist_from.cf file to place them in?
>
> Thanks,
> Alex

It is documented on the Mail::SpamAssassin::Conf man page just like whitelist_from.

--
whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net

Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay’s rDNS.

This string is matched against the reverse DNS lookup used during the handover from the internet to your internal network’s mail exchangers. It can either be the full hostname, or the domain component of that hostname. In other words, if the host that connected to your MX had an IP address that mapped to ’sendinghost.spamassassin.org’, you should specify sendinghost.spamassassin.org or just spamassassin.org here.

Note that this requires that internal_networks be correct. For simple cases, it will be, but for a complex network you may get better results by setting that parameter.

It also requires that your mail exchangers be configured to perform DNS reverse lookups on the connecting host’s IP address, and to record the result in the generated Received: header.

e.g.

whitelist_from_rcvd j...@example.com example.com
whitelist_from_rcvd *...@axkit.org sergeant.org
--

You can't just do a simple switch from one to another. You have to look at each address and determine where the mail will be coming from. This way you are only whitelisting mail from that address if it comes from the correct servers.

You can also use whitelist_auth (described a bit further down on the same man page) to whitelist addresses from domains that use SPF, Domain Keys, or DKIM, assuming you have the SPF and DKIM Perl modules installed (I'm too lazy to look up the module names at the moment).

--
Bowie
Re: whitelist_from questions
> It is documented on the Mail::SpamAssassin::Conf man page just like whitelist_from.

Ugh, thanks.

> whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
>
> Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay’s rDNS.

Okay, so for example if I was going to whitelist j...@orbitz.com, the appropriate line would be:

whitelist_from_rcvd j...@orbitz.com psmtp.com

psmtp.com is the domain that controls mail for orbitz, according to the MX records.

Thanks,
Alex
Re: whitelist_from questions
>> It is documented on the Mail::SpamAssassin::Conf man page just like whitelist_from.
>
> Ugh, thanks.
>
>> whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
>>
>> Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay’s rDNS.
>
> Okay, so for example if I was going to whitelist j...@orbitz.com, the appropriate line would be:
>
> whitelist_from_rcvd j...@orbitz.com psmtp.com
>
> psmtp.com is the domain that controls mail for orbitz, according to the MX records.

psmtp.com may well, or may not handle their outgoing mail. MX records do not tell that. Often they are the same, but not necessarily always. You ought to look at the headers of a received email and see where it came from.