RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Nah... (and admittedly I didn't know this before! - I am not a regex guru)

^ contained inside [] denotes the inverse of the character set... the * after it says many... so a set containing any character that is NOT ) - basically skip every character until ) (which is what the \) that follows the * is for)...

Gordon says (and I've heard this before) that .* in a regex makes it slower - so this more explicit repeat until pattern is more efficient.

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mirko Zeibig
Sent: Thursday, January 08, 2004 12:17 AM
To: [EMAIL PROTECTED]
Cc: Mitch (WebCob)
Subject: Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

I guess you have to escape the parenthesis in the square brackets as well:

    \(AUTH: [^\)]*\)

Regards
Mirko

RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Thanks Mirko - I don't want to embarrass my sorry regular expression handicapped self, but I'm still confused:

    Received: from a1200 ([24.83.X.X]) (AUTH: LOGIN [EMAIL PROTECTED]) by bigass1.XXX.com with esmtp; Thu, 08 Jan 2004 00:04:43 +

AND

    if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by/) )

- /Received: .*\(AUTH: [^)]*\) *by/

So the first .* catches all characters up to the escaped (AUTH:

What's the [^)]* do in this case? I thought ^ was the start of a line?

I tried rewriting it as:

    if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: .*\) *by/) )

AND

    if ( $i == 1 && ( ! $MATCH =~ /Received: .*/) )

But that doesn't seem to match anything - is the Received line converted back to a single line prior to this processing? I would think so, maybe the problem is the if syntax and not the pattern?

Any further ideas appreciated.

Thanks.

m/

-----Original Message-----
From: Mirko Zeibig [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:17 AM
To: [EMAIL PROTECTED]
Cc: Mitch (WebCob)
Subject: Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

Mitch (WebCob) said the following on 01/08/2004 01:37 AM:
> Ok - thanks - that works better for a number of reasons - (I'll post the running version once I play with it) - by making sure I am testing the first header, I don't need to care about example.com (which is good, cause then I can put the rule in my maildroprc where I call spamassassin from).
>
> When I use your original example I get Syntax error after =.
>
> # if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\)

I guess you have to escape the parenthesis in the square brackets as well:

    \(AUTH: [^\)]*\)

Regards
Mirko

Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Mitch (WebCob) wrote:
> Received: from a1200 ([24.83.X.X]) (AUTH: LOGIN [EMAIL PROTECTED]) by bigass1.XXX.com with esmtp; Thu, 08 Jan 2004 00:04:43 +
> ...
> if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by/) )
> ...
> So the first .* catches all characters up to the escaped (AUTH:

Yes.

> What's the [^)]* do in this case? I thought ^ was the start of a line?

When ^ appears as the first character inside [], it means characters not in that set. '[^)]' means characters which are not a ')'.

> I tried rewriting it as:
> if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: .*\) *by/) )

That'll usually accomplish the same, but it'll take longer. It's key to writing fast regexes that you avoid .* as often as you can.

> But that doesn't seem to match anything - is the Received line converted back to a single line prior to this processing?

Should be. The pattern works for me, though the rest of my conditional is different.

> I would think so, maybe the problem is the if syntax and not the pattern?

It's probably related to the !. You may need an additional set of parens around the $MATCH =! //. Either that, or MATCH doesn't have the whole line, and what you really need is foreach /Received: .*/.

Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Mitch (WebCob) said the following on 01/08/2004 01:37 AM:
> Ok - thanks - that works better for a number of reasons - (I'll post the running version once I play with it) - by making sure I am testing the first header, I don't need to care about example.com (which is good, cause then I can put the rule in my maildroprc where I call spamassassin from).
>
> When I use your original example I get Syntax error after =.
>
> # if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\)

I guess you have to escape the parenthesis in the square brackets as well:

    \(AUTH: [^\)]*\)

Regards
Mirko

RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Good idea, but is it really that simple?

I would only want to do this for the top Received header - if I test all headers a spoofed auth header can bypass spamassassin.

Is there a way to make the pattern match only the first Received and then check it for AUTH?

I realize by adding the example.com test we are narrowing it down to at least a targeted spoof - but why not shoot for perfection eh?

Thanks Gord!

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gordon Messmer
Sent: Tuesday, January 06, 2004 6:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

Mitch (WebCob) wrote:
> My first concern is that apparently due to the differences in courier's vs sendmail's Received header formats, the first courier header is not always detected.
>
> Secondly, if I am sending to another user in my own system via authenticated SMTP, the rule still triggers - even though my authentication on the server should allow me some sort of whitelist like status (my humble opinion).

Configure maildrop not to pass messages that were AUTH'd to spamassassin:

    if( ! ( /Received: .*\(AUTH: [^)]*\) *by [:alnum:]*.example.com/ ) )
    {
        xfilter /usr/bin/spamc
    }

Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Mitch (WebCob) wrote:
> Good idea, but is it really that simple?

Yeah, why not?

> I would only want to do this for the top Received header - if I test all headers a spoofed auth header can bypass spamassassin.

If you're really that paranoid about it, you can probably flesh this out:

    i=1
    foreach /Received: /
    {
        if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by \
            [:alnum:]*.example.com/) )
        {
            xfilter /usr/bin/spamc
        }
        i=$i + 1
    }

There's probably something wrong with that. I didn't test it.

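The check discussed in this thread (unfold the Received header, then trust an "(AUTH: ...)" marker only in the topmost one) written out in Python as an added example; it is not code from any poster and not maildrop syntax. The sample messages are constructed, and mx.example.com, the addresses and the function names are assumptions.

```python
import re
from email import message_from_string

# Same shape as the thread's pattern: [^)]* stops at the first ')' rather
# than letting .* run to the end of the line and backtrack.
AUTH_RE = re.compile(r"\(AUTH: [^)]*\) *by (\S+)")

def unfolded_received(raw_message):
    """All Received headers, top first, each unfolded onto one line."""
    msg = message_from_string(raw_message)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def auth_in_header(header, our_host):
    """True if this header carries an AUTH marker written by our_host."""
    m = AUTH_RE.search(header)
    return bool(m and m.group(1).lower() == our_host.lower())

def top_header_authenticated(raw_message, our_host):
    """Trust the AUTH marker only in the header our own server prepended."""
    headers = unfolded_received(raw_message)
    return bool(headers) and auth_in_header(headers[0], our_host)

def any_header_authenticated(raw_message, our_host):
    """The weaker check: any Received header, including sender-supplied ones."""
    return any(auth_in_header(h, our_host) for h in unfolded_received(raw_message))

def needs_spam_scan(raw_message, our_host="mx.example.com"):
    return not top_header_authenticated(raw_message, our_host)

# Constructed sample messages (hosts, addresses and users are made up).
GENUINE = (
    "Received: from a1200 ([192.0.2.10])\n"
    "  (AUTH: LOGIN alice@example.com)\n"
    "  by mx.example.com with esmtp; Thu, 08 Jan 2004 00:04:43 +0000\n"
    "Subject: test\n\nbody\n"
)
# Top header was added by our server without AUTH; the header below it
# arrived inside the message and only imitates an authenticated hop.
FORGED = (
    "Received: from unknown ([198.51.100.7])\n"
    "  by mx.example.com with esmtp; Thu, 08 Jan 2004 00:05:00 +0000\n"
    "Received: from a1200 ([192.0.2.10])\n"
    "  (AUTH: LOGIN alice@example.com)\n"
    "  by mx.example.com with esmtp; Thu, 08 Jan 2004 00:04:43 +0000\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, "-> scan:", needs_spam_scan(raw),
              "| any-header check passes:",
              any_header_authenticated(raw, "mx.example.com"))
```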
RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Ok - thanks - that works better for a number of reasons - (I'll post the running version once I play with it) - by making sure I am testing the first header, I don't need to care about example.com (which is good, cause then I can put the rule in my maildroprc where I call spamassassin from).

When I use your original example I get Syntax error after =.

    # if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by \
    # [:alnum:]*.SOMEDOMAIN.com/) )

I'm NO maildrop guru - I started with what you sent, trying to get rid of the domain check - The part that seems to give me trouble is:

    ( ! $MATCH =~ /Received: .*\(CRAP\) *by/)

Keeping in mind that the original header looks like this (below) could the multiline format of the header cause the match to fail or is it something else?:

    Received: from a1200 ([24.83.X.X]) (AUTH: LOGIN [EMAIL PROTECTED]) by bigass1.XXX.com with esmtp; Thu, 08 Jan 2004 00:04:43 +

The whole snippet for context:

    if ( $SIZE < 512000 )
    {
        i=1
        foreach /Received: /
        {
            # if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by/) )
            # if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(CRAP\) *by/) )
            #THIS WORKS:
            if ( $i == 1 )
            {
                xfilter /usr/bin/spamc -U /var/run/spamassassin.sock -u $UI_Email
            }
            i=$i+1
        }
    }

Thanks!

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gordon Messmer
Sent: Wednesday, January 07, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

Mitch (WebCob) wrote:
> Good idea, but is it really that simple?

Yeah, why not?

> I would only want to do this for the top Received header - if I test all headers a spoofed auth header can bypass spamassassin.

If you're really that paranoid about it, you can probably flesh this out:

    i=1
    foreach /Received: /
    {
        if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by \
            [:alnum:]*.example.com/) )
        {
            xfilter /usr/bin/spamc
        }
        i=$i + 1
    }

There's probably something wrong with that. I didn't test it.

[courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
I'm cross posting this message here just to keep other courier users in the loop.

I'm a long time courier user but not quite as long time SpamAssassin user.

I noticed a problem with false positives related to the default settings in SA. Messages sent from my home machine to myself were being detected as spam due to a score on the RCVD_IN_DYNABLOCK test which is supposed to trip when the top received header indicates the mail was received from an address in a dynamic pool - like a cable modem / etc.

My first concern is that apparently due to the differences in courier's vs sendmail's Received header formats, the first courier header is not always detected.

Secondly, if I am sending to another user in my own system via authenticated SMTP, the rule still triggers - even though my authentication on the server should allow me some sort of whitelist like status (my humble opinion).

I'm assuming that someone on the SA side can fix the failure to detect the first header, and hopefully the authentication issue as well (when the first Received header shows (AUTH: ...)).

As this pertains to courier specifically, and it may be causing false positives I thought I'd share it here.

Hope it helps - I'll post the resolution as well assuming there is one.

cheers.

Original message from SAtalk follows.

m/

With the help of Shane Williams (who received a message and showed me how it passed his SA ok) I figured out the following:

Courier formats its received lines like this (this trips RCVD_IN_DYNABLOCK):

    Received: from bigass1.XXX.com ([66.199.X.X]) by slim1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +
    Received: from a1200 ([24.83.X.X]) (AUTH: LOGIN [EMAIL PROTECTED]) by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +

Shane I presume (by version numbers) is running sendmail - which has a different Received format and DOESN'T trip RCVD_IN_DYNABLOCK:

    Received: from bigass1.XXX.com (ns1.XXX.com [66.199.X.X]) by fiat.XXX.edu (8.12.10/8.12.10) with ESMTP id i06MBJ6U020255 for [EMAIL PROTECTED]; Tue, 6 Jan 2004 16:11:19 -0600
    Received: from a1200 ([24.83.X.X]) (AUTH: LOGIN [EMAIL PROTECTED]) by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 22:09:53 +

So for starters, the -notfirsthop option seems to be missing my first header.

And for seconds... I will still have a problem when my first header is AUTHENTICATED. If I send mail to myself, my ONLY received header looks like:

    Received: from a1200 ([24.83.X.X]) (AUTH: LOGIN [EMAIL PROTECTED]) by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +

Which I think should be ignored - although headers can be forged, the first header can't - right? And if it says authenticated, I shouldn't be penalized for sending mail to myself - right?

So now what - do I file a bug report? or have I already put the info in the right place?

Thanks a bunch for the tool - glad to do my bit - I imagine that this problem affects all courier users. Unless I'm missing something?

Thanks!

m/

-----Original Message-----
From: Brian Sneddon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 4:55 AM
To: 'Mitch (WebCob)'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

Hi, Mitch. Could you please provide more information regarding the mail server which is running SpamAssassin? Information such as which MTA it's using, how you're calling SpamAssassin (procmail, milter, etc.), and whether the machine is on a private NATed address will be helpful in troubleshooting your problem. Thanks.

Brian

Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Mitch (WebCob) wrote:
> My first concern is that apparently due to the differences in courier's vs sendmail's Received header formats, the first courier header is not always detected.
>
> Secondly, if I am sending to another user in my own system via authenticated SMTP, the rule still triggers - even though my authentication on the server should allow me some sort of whitelist like status (my humble opinion).

Configure maildrop not to pass messages that were AUTH'd to spamassassin:

    if( ! ( /Received: .*\(AUTH: [^)]*\) *by [:alnum:]*.example.com/ ) )
    {
        xfilter /usr/bin/spamc
    }