Re: Valid mail from blacklisted dynamic IPs

2009-10-10 Thread MySQL Student
Hi,

 I also don't understand how SPF_SOFTFAIL could happen when there
 wasn't any SPF record to test to begin with.

 http://www.openspf.org/
 i have no spf either
 http://old.openspf.org/wizard.html?mydomain=junc.orgsubmit=Go! :)

But it's sent from cron, so the host is localhost.

I definitely have to read more to learn why SPF would fail without an
SPF record. Maybe that's the whole point.

 what is the sender domain? why do users need to be sending via
 pop_before_smtp?

They are mostly on laptops or home connections with dynamic IPs. Road warriors.

 remember that IP could very well be one single user (NAT and friends)?

 has their ISP forbidden them from sending mail?

No, they haven't, and perhaps the best suggestion is just to have them
use their own ISP's mail server in the first place.

Thanks so much. Great suggestions.
Best,
Alex


Re: Valid mail from blacklisted dynamic IPs

2009-10-10 Thread MySQL Student
Hi,

 I have a set of users that are authorized to use the mail server via
 pop-before-smtp, but SA catches the mail they send through the system
 as spam because they are on blacklisted Verizon or Comcast IPs:

 why are they not using smtp authentication?

I think you're referring to SASL? Some time ago we had used it, but
the implementation was so buggy and was such a security nightmare that
we removed it, not thinking it would become so intrinsic to email on
the Internet in the future.

Kind of like the security fears people had about bind-4 back then.

Thanks,
Alex


Re: Valid mail from blacklisted dynamic IPs

2009-10-10 Thread Matus UHLAR - fantomas
  I have a set of users that are authorized to use the mail server via
  pop-before-smtp, but SA catches the mail they send through the system
  as spam because they are on blacklisted Verizon or Comcast IPs:
 
  why are they not using smtp authentication?

On 10.10.09 10:59, MySQL Student wrote:
 I think you're referring to SASL? Some time ago we had used it, but
 the implementation was so buggy and was such a security nightmare that
 we removed it, not thinking it would become so intrinsic to email on
 the Internet in the future.

 Kind of like the security fears people had about bind-4 back then.

aha... I haven't seen problems with those in the last few years; I recommend you
switch back to it. Makes things much easier even for remote sites.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: Valid mail from blacklisted dynamic IPs

2009-10-09 Thread Benny Pedersen

On Fri 09 Oct 2009 03:07:53 CEST, MySQL Student wrote


I also don't understand how SPF_SOFTFAIL could happen when there
wasn't any SPF record to test to begin with.


http://www.openspf.org/
i have no spf either
http://old.openspf.org/wizard.html?mydomain=junc.orgsubmit=Go! :)


did you ask the page about the problem?

what is the sender domain? why do users need to be sending via
pop_before_smtp?


remember that IP could very well be one single user (NAT and friends)?

has their ISP forbidden them from sending mail?

do users send to you with the ISP domain as sender?

now you probably have more answers to the problem :)

--
xpoint



Re: Valid mail from blacklisted dynamic IPs

2009-10-09 Thread Benny Pedersen

On Fri 09 Oct 2009 06:34:40 CEST, John Hardin wrote

Use SSL or TLS with authentication, if possible. Postfix can handle  
it, and all modern mail clients should be able to.


does this not require Windows 7? :)

/me hides

--
xpoint



Re: Valid mail from blacklisted dynamic IPs

2009-10-09 Thread Matus UHLAR - fantomas
On 08.10.09 21:07, MySQL Student wrote:
 I have a set of users that are authorized to use the mail server via
 pop-before-smtp, but SA catches the mail they send through the system
 as spam because they are on blacklisted Verizon or Comcast IPs:

why are they not using smtp authentication?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Disease ... BSA = Mad Software Producers' Disease


Valid mail from blacklisted dynamic IPs

2009-10-08 Thread MySQL Student
Hi,

I have a set of users that are authorized to use the mail server via
pop-before-smtp, but SA catches the mail they send through the system
as spam because they are on blacklisted Verizon or Comcast IPs:

X-Spam-Status: Yes, hits=5.4 tag1=-300.0 tag2=5.0 kill=5.0
 use_bayes=1 tests=BAYES_50, BOTNET, FH_HOST_EQ_VERIZON_P, RCVD_IN_PBL,
 RCVD_IN_SORBS_DUL, RDNS_DYNAMIC, RELAYCOUNTRY_US, SPF_SOFTFAIL

I also don't understand how SPF_SOFTFAIL could happen when there
wasn't any SPF record to test to begin with.

One of the Comcast users:

X-Spam-Status: Yes, hits=6.4 tag1=-300.0 tag2=5.0 kill=5.0
 use_bayes=1 tests=BAYES_50, BOTNET, DYN_RDNS_SHORT_HELO_HTML, HTML_MESSAGE,
 RCVD_IN_PBL, RCVD_IN_SORBS_DUL, RDNS_DYNAMIC, RELAYCOUNTRY_US, SPF_SOFTFAIL,
 SUBJ_ALL_CAPS

We are working on better Bayes training, but sans that problem, what
is the right way to address this, through a rule that whitelists their
specific IP?

Another mail that I'm dealing with is one sent by Marriott that hit
SARE_HTML_URI_REFID, DCC_CHECK, and AE_DETAILS_WITH_MONEY, as well as being
whitelisted by JMF/HOSTKARMA. I don't know how it hit DCC when there
are details in there specific to the user, including account numbers,
user names, etc. How should I go about allowing this type of mail
without disrupting its ability to block mail that should be blocked
with these rules? I'm sure I can add a rule subtracting points if it
hits these and comes from Marriott, but I thought there might be
something that could address the more general problem rather than this
specific one from Marriott. Perhaps I'm making it too hard.

Thanks,
Alex


Re: Valid mail from blacklisted dynamic IPs

2009-10-08 Thread Matt Kettler
MySQL Student wrote:
 Hi,

 I have a set of users that are authorized to use the mail server via
 pop-before-smtp, but SA catches the mail they send through the system
 as spam because they are on blacklisted Verizon or Comcast IPs:

 X-Spam-Status: Yes, hits=5.4 tag1=-300.0 tag2=5.0 kill=5.0
  use_bayes=1 tests=BAYES_50, BOTNET, FH_HOST_EQ_VERIZON_P, RCVD_IN_PBL,
  RCVD_IN_SORBS_DUL, RDNS_DYNAMIC, RELAYCOUNTRY_US, SPF_SOFTFAIL

Does your pop-before-smtp method cause your MTA to indicate they've been
authed in the Received: header?
 I also don't understand how SPF_SOFTFAIL could happen when there
 wasn't any SPF record to test to begin with.

Are you sure? What was the envelope-from domain for the message? (Keep
in mind, this checks the envelope from, not the From: header.)

 One of the Comcast users:

 X-Spam-Status: Yes, hits=6.4 tag1=-300.0 tag2=5.0 kill=5.0
  use_bayes=1 tests=BAYES_50, BOTNET, DYN_RDNS_SHORT_HELO_HTML, HTML_MESSAGE,
  RCVD_IN_PBL, RCVD_IN_SORBS_DUL, RDNS_DYNAMIC, RELAYCOUNTRY_US, SPF_SOFTFAIL,
  SUBJ_ALL_CAPS

 We are working on better Bayes training, but sans that problem, what
 is the right way to address this, through a rule that whitelists their
 specific IP?

 Another mail that I'm dealing with is one sent by Marriott that hit
 SARE_HTML_URI_REFID, DCC_CHECK, and AE_DETAILS_WITH_MONEY, as well as being
 whitelisted by JMF/HOSTKARMA. I don't know how it hit DCC when there
 are details in there specific to the user, including account numbers,
 user names, etc. 

Some of DCC's signatures are fuzzy, thus will match similar messages
with minor differences. This is done to avoid spammers bypassing by
simply adding a text counter to the message, or some other similar bit
to make each one unique. Combine that with DCC being strictly a
measure of bulkiness not spamminess, and you most likely have your
answer.

You could run it through dccproc to see which of DCC's signatures matched.

As for dealing with it:
 1. whitelist Marriott at the SA level (as you suggest)
 2. whitelist Marriott at the DCC level
 3. remove or severely cut back the score of AE_DETAILS_WITH_MONEY, if
    you ever actually expect to get important email about traveling to the UAE.

Personally I strongly recommend the third option if you're likely to get
emails about travel to the UAE. That rule (with the IMO overly strong
3.0 score that floats around) is really designed for people who would
never travel there, but get hammered with spam offering trips there. For
folks that might actually do so, maybe 0.5 is more appropriate.


 How should I go about allowing this type of mail
 without disrupting its ability to block mail that should be blocked
 with these rules? I'm sure I can add a rule subtracting points if it
 hits these and comes from Marriott, but I thought there might be
 something that could address the more general problem rather than this
 specific one from Marriott. Perhaps I'm making it too hard.

 Thanks,
 Alex


Re: Valid mail from blacklisted dynamic IPs

2009-10-08 Thread MySQL Student
Hi,

 Does your pop-before-smtp method cause your MTA to indicate they've been
 authed in the Received: header?

I don't believe so. There doesn't appear to be anything additional in
the header relating to pop-b4-smtp. I'm using postfix. Perhaps
off-topic, but ideas on how to do this, if you think it would be the
right approach?

 I also don't understand how SPF_SOFTFAIL could happen when there
 wasn't any SPF record to test to begin with.

 Are you sure? What was the envelope from domain for the message? (keep
 in mind, this checks the envelope from, not the from header..)

No, I'm not sure. I just don't see anything relating to SPF in the
message at all.

 Some of DCC's signatures are fuzzy, thus will match similar messages
 with minor differences. This is done to avoid spammers bypassing by

Yes, understood. The fuz1 and fuz2 max settings are 99,
which I assume is the max possible, set by the previous admin.

 As for dealing with it:
    whitelist Marriott at the SA level (as you suggest)
    whitelist Marriott at the dcc level
    remove or severely cut back the score of AE_DETAILS_WITH_MONEY, if
 you ever actually expect to get important email about traveling to the UAE.

I've whitelisted the Marriott address. I also actually removed the
rule entirely, and am just relying on John's excellent lotsa and fillform
rules.

Thanks very much.
Best,
Alex


Re: Valid mail from blacklisted dynamic IPs

2009-10-08 Thread John Hardin

On Thu, 8 Oct 2009, MySQL Student wrote:

Does your pop-before-smtp method cause your MTA to indicate they've 
been authed in the Received: header?


I don't believe so. There doesn't appear to be anything additional in 
the header relating to pop-b4-smtp. I'm using postfix. Perhaps 
off-topic, but ideas on how to do this, if you think it would be the 
right approach?


Use SSL or TLS with authentication, if possible. Postfix can handle it, 
and all modern mail clients should be able to.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Phobias should not be the basis for laws.
---
 7 days since a sunspot last seen - EPA blames CO2 emissions
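Matt's question about the Received: header and John's advice to move to authenticated SMTP turn on one detail: SpamAssassin picks the "last external" relay from the Received: headers, and a hop logged with an authenticating protocol keyword (ESMTPA, ESMTPSA, ...) is treated as a trusted submission, whereas a pop-before-smtp session is logged as plain "with ESMTP" and looks like any other dynamic-IP relay. The following is an added example, not code from the thread, SpamAssassin or Postfix: it parses two constructed Postfix-style headers and reports which of the thread's IP-based rules remain eligible; the keyword list and the rule mapping are simplifications assumed for illustration.

```python
import re
from dataclasses import dataclass

# Keywords SpamAssassin's Received parser treats as an authenticated
# submission (SMTP AUTH, optionally over TLS). Assumed list for illustration.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA", "ASMTP"}
# Rules from the thread that fire on the connecting client's IP or rDNS.
IP_BASED_RULES = ("RCVD_IN_PBL", "RCVD_IN_SORBS_DUL", "RDNS_DYNAMIC")
# Postfix-style hop: "from HELO (RDNS [IP]) by HOST (...) with PROTO id ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Z]+)"
)

@dataclass
class Hop:
    helo: str
    rdns: str
    ip: str
    by: str
    proto: str

    @property
    def authenticated(self) -> bool:
        return self.proto in AUTH_PROTOCOLS

def parse_received(header: str) -> Hop:
    """Parse one (possibly folded) Received: header into a Hop."""
    unfolded = " ".join(header.split())  # join continuation lines
    match = RECEIVED_RE.search(unfolded)
    if match is None:
        raise ValueError("unrecognised Received: header format")
    return Hop(**match.groupdict())

def ip_rules_still_eligible(hop: Hop) -> list:
    """IP-based rules SA would still consider for this hop's client IP.
    An authenticated hop is treated as trusted, so none apply; a plain
    ESMTP hop (what pop-before-smtp leaves behind) keeps all of them."""
    return [] if hop.authenticated else list(IP_BASED_RULES)

# Constructed samples: TEST-NET address, example.com hosts. The first is what
# a pop-before-smtp session looks like, the second the same client using
# SMTP AUTH over TLS (Postfix logs it as "with ESMTPSA").
POP_BEFORE_SMTP_HOP = """Received: from c-192-0-2-77.hsd1.example.net (c-192-0-2-77.hsd1.example.net [192.0.2.77])
\tby mail.example.com (Postfix) with ESMTP id 1A2B3C4D5E
\tfor <alex@example.com>; Thu,  8 Oct 2009 21:07:53 -0400 (EDT)"""
SMTP_AUTH_HOP = POP_BEFORE_SMTP_HOP.replace("with ESMTP id", "with ESMTPSA id")
```

Running `ip_rules_still_eligible(parse_received(...))` on the two samples shows the dynamic-IP rules surviving for the pop-before-smtp hop and disappearing once the same client authenticates.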