RE: [Declude.JunkMail] PERCENT test confusion
Will,

Just to make sure: your Imail is passing mail on to another server and therefore acting as a gateway, which is why you are using OUTBOUND actions, correct?

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Will
Sent: Wednesday, April 20, 2005 9:22 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] PERCENT test confusion

I'm trying to understand why my mail server is sending so many messages to the quarantine folders instead of just marking the headers. In fact, the vast majority of my SPAM is going to the spool/spam folder since updating all the declude rules. The only test I have set to HOLD is the PERCENT test, and when I look at the messages being quarantined, none of them have a percent symbol in the To: line. Since there are so many messages failing this test, I am concerned that there is legitimate content I am missing, though I have yet to find one from the hundred thousand messages it caught just yesterday. Should I be concerned, and does anyone have good insight about how the PERCENT test works? It seems too good to be true that such a simple test would catch so much SPAM. I'm running Imail 8.15 on 2003.
Below is a copy of my declude test actions:

# RBL IP4R TESTS OUTBOUND
BLITZEDALL WARN
CBL WARN
DSBL WARN
ORDB WARN
MXRATE-ALLOW WARN
MXRATE-BLOCK WARN
MXRATE-SUSPICIOUS WARN
SBL WARN
SORBS-HTTP WARN
SORBS-SOCKS WARN
SORBS-MISC WARN
SORBS-SMTP WARN
SORBS-SPAM WARN
SORBS-WEB WARN
SORBS-BLOCK WARN
SORBS-ZOMBIE WARN
SORBS-DUHL WARN
SPAMCOP WARN
BONDEDSENDER WARN
# ADDITIONAL RBL IP4R TESTS OUTBOUND
#MTLDB WARN
CSMA-SBL WARN
INTERSIL WARN
SPAMBAG WARN
FIVETENSRC WARN
JAMMDNSBL WARN
# RHBSL TESTS OUTBOUND
DSN WARN
NOABUSE WARN
NOPOSTMASTER WARN
MAILPOLICE-BULK WARN
MAILPOLICE-PORN WARN
MAILPOLICE-FRAUD WARN
# OTHER TESTS OUTBOUND
BADHEADERS WARN
BASE64 WARN
BCC WARN
CMDSPACE WARN
COMMENTS WARN
DYNHELO WARN
ENCODEDURL WARN
HELOBOGUS WARN
IPURL WARN
MAILFROM WARN
PERCENT HOLD
REVDNS WARN
ROUTING WARN
SPAMHEADERS WARN
SPFFAIL WARN
SPFPASS WARN
SUBJECTSPACES WARN
SUBJECTCHARS WARN
#NONENGLISH WARN
# FILTERS OUTBOUND
#SUBJECT WARN
#WORD WARN
# 3RD PARTY OUTBOUND
#SNIFFER WARN
#SPAMCHK WARN
#INV-URIBL WARN
# TRIGGERS OUTBOUND
WEIGHT10 WARN
WEIGHT14 WARN
WEIGHT20 WARN

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

__ NOD32 1.1072 (20050420) Information __
This message was checked by NOD32 antivirus system. http://www.nod32.com
RE: [Declude.JunkMail] PERCENT test confusion
Gah! No, I'm not scanning outbound... My mistake, I wasn't even looking at the $default$.junkmail config file. Now it all makes sense. :)

Thanks for the kick.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Wednesday, April 20, 2005 8:29 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] PERCENT test confusion

Will,

Just to make sure: your Imail is passing mail on to another server and therefore acting as a gateway, which is why you are using OUTBOUND actions, correct?

David B
www.declude.com
Re: [Declude.JunkMail] Percent symbols in the beginning of a URL
Mike,

There are other filters there, but I have yet to put up an interface for downloading them, and I haven't yet put together the changes in the last two weeks from the feedback that I have received. I'll post new links soon :) Until then, there are links to what is available from the following post, along with an explanation of one of them:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg11240.html

Matt

Mike Gable wrote:

Thanks very much Matt. Maybe I missed the boat in an earlier discussion, but are there other filters at your site?

-Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Thursday, September 25, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Percent symbols in the beginning of a URL
Re: [Declude.JunkMail] Percent symbols in the beginning of a URL
Mike,

That issue with PayPal is a scripting error on their part, and it is an invalid link in HTML. I have only seen one semi-legit outfit using obfuscation in URLs, but this was a contest opt-in site that would then turn around and sell your address (that was their business), so I don't care if they get blocked. I wrote a good filter for this that won't trigger on that PayPal thing, but will catch a lot of other uses of this technique in URLs and in the body of messages to obscure text from filters. You can download it at the following link:

http://www.mailpure.com/decludefilters/obfuscation/Obfuscation_09-14-2003c.txt

Matt

Mike Gable wrote:

I've been filtering on supposed HTTP links that start with something like this:

HTTP://%W%/

But I understand now that there is some encoding going on, but I don't know why anyone would use such a URL, so I block it. However, I notice companies like PayPal and eBay have links like this in the body of their messages:

http://%3%/images/pixel.gif

Could somebody please explain what this amounts to and if I should filter it? Thank you.

-Mike

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
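An added example, not Matt's filter and not code from the Declude list, that separates the two shapes Mike asked about (a bare `%W%` or `%3%` where a hostname should be) from a hostname that has genuinely been hidden with valid percent escapes. It classifies the authority part of every URL found in a message body; the URL regex, the three verdict labels and the sample body are this example's own constructions.

```python
# Added example: classify the host part of each URL in a mail body by what
# its '%' characters actually are.  Not Matt's filter; sample body constructed.
import re

HEX_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")            # a valid %XX escape
URL_RE = re.compile(r"(?i)\bhttps?://([^/\s<>\"']+)")   # scheme + authority only


def decode_escapes(s):
    """Resolve valid %XX escapes; anything that is not one is left untouched."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(0)[1:], 16)), s)


def classify_host(host):
    """'clean'     : no '%' in the authority part
       'encoded'   : every '%' is a valid escape, so the real hostname is hidden
       'malformed' : a '%' not followed by two hex digits (e.g. %W% or %3%),
                     which is a broken template/script rather than encoding."""
    if "%" not in host:
        return "clean"
    if "%" in HEX_ESCAPE.sub("", host):
        return "malformed"
    return "encoded"


def scan_urls(text):
    """Return (url, verdict, host_as_seen, host_decoded) for each URL in text."""
    results = []
    for m in URL_RE.finditer(text):
        host = m.group(1)
        verdict = classify_host(host)
        decoded = decode_escapes(host) if verdict == "encoded" else host
        results.append((m.group(0), verdict, host, decoded))
    return results


def verdicts(text):
    """Just (host, verdict) pairs, convenient for a rule that WARNs or HOLDs."""
    return [(host, verdict) for _, verdict, host, _ in scan_urls(text)]


# Constructed sample body: Mike's two cases, an encoded hostname, and a plain
# link whose only escape sits in the query string (and so must stay 'clean').
SAMPLE = """\
Click HTTP://%W%/ to claim your prize
<img src="http://%3%/images/pixel.gif">
http://%77%77%77%2Eexample%2Ecom/login
http://www.example.com/search?q=a%20b
"""

if __name__ == "__main__":
    for url, verdict, host, decoded in scan_urls(SAMPLE):
        print(f"{verdict:9} {url}  ->  {decoded}")
```

Only the `encoded` verdict is a URL that a browser would actually resolve to a disguised host; the `malformed` ones are what Matt describes for PayPal, an unexpanded placeholder that is not a working link at all, so a rule can treat the two differently instead of blocking on any `%` after `//`.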
RE: [Declude.JunkMail] PERCENT test
Ok, thank you Sanford and Terry for the information.

How can I test relaying through my servers using the %piggyback address? [EMAIL PROTECTED] should be the correct format. This will not work.

What can Scott mean by writing "IMail does normally check for this, but there is a report of it not catching this type of mail under certain circumstances."?

Markus
Re: [Declude.JunkMail] PERCENT test
Markus,

Monday, January 27, 2003 you wrote:

MG> How can I test relaying through my servers using the %piggyback address?
MG> [EMAIL PROTECTED] should be the correct format.
MG> This will not work.

You have 2 mail servers: example.com, which is an IMAIL server, and example.net. Example.net lives on a different network, backs up example.com, and may or may not be an IMAIL server. I will discuss below how to relay mail to a third domain, example.org, using the %piggyback technique:

Example.net is a backup for example.com. The Admin who runs example.com mistakenly entered the IP address of example.net in his allowed-to-relay ACL. Or perhaps he runs both servers and has each back up the other.

So send a message addressed to [EMAIL PROTECTED] through the example.net server (the backup server for example.com). Since example.net is a backup for example.com, it inspects the message and correctly accepts it for delivery to example.com, which is the correct domain parsed from the address. The message is queued and sent on to example.com.

When example.com, our IMAIL server, receives the message, it checks to see if example.net is authorized to relay. If it is, then IMAIL parses the address in such a way that the % sign is changed to an @ character and delivery is attempted to [EMAIL PROTECTED]. In part this is because the % sign (and other characters) can be used as a domain delimiter.

In fact neither server has done anything really wrong. But the effect of the process is that you will be listed as an open relay if you are tested in this way. The obvious solution is to make certain you do not allow relaying for any backup mail servers. And if that is not possible, then you have to rely on Declude's PERCENT test.

MG> What can Scott mean by writing IMail does normally check for this, but
MG> there is a report of it not catching this type of mail under certain
MG> circumstances. ?

Just exactly what it says.

IMAIL and other mail servers can be set to use other domain delimiters besides the @ character. There are actually valid uses for this phenomenon, too. It dates back to early sendmail or perhaps even earlier.

hth

Terry Fritts
RE: [Declude.JunkMail] PERCENT test
Wow. What an explanation. Thank you!

If I understand right, a problem can occur if one of our clients' mail servers (most of them Exchange servers) becomes an open relay because the admin has changed something. If this server has set our Imail server as smarthost and uses SMTP-Auth to deliver the messages, a percent hack can use our server to relay.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smart Business Lists
Sent: Monday, January 27, 2003 12:12 PM
To: Markus Gufler
Subject: Re: [Declude.JunkMail] PERCENT test
Re: [Declude.JunkMail] PERCENT test
Monday, January 27, 2003 you wrote:

MG> If I understand right a problem can occur if one of our clients
MG> mailservers (most of them exchange servers) become a open relay because
MG> the admin has changed something. If this server has set our Imail-Server
MG> as smarthost and uses SMTP-Auth to deliver the messages a percent hack
MG> can use our server to relay.

Generally, I don't think this is a valid example, because your server is a smart host and it is going to relay for these servers, period. So anything coming from the servers is being relayed.

The case where this is a vulnerability has rather specific requirements:

1) The first server has to accept messages for a 2nd domain, such as a backup mail server might do for a primary.
2) The 2nd domain's mail server must relay for the first server.

So it is only where those 2 conditions exist that this is a vulnerability.

The solution is:

1) do not allow IMAIL to relay for its backups
2) or do not allow any server that can relay to be a backup
3) use Declude and the PERCENT test

As has been discussed, this is fortunately not a vulnerability that is used by spammers. So the exposure is really in becoming blacklisted.

Terry Fritts
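The two-server path Terry walks through in his earlier message, and the two conditions plus the fixes he lists here, as an added example that is not part of the list discussion and not any poster's or any MTA vendor's code. It models each MTA as a small record (the domains it delivers locally, the domains it accepts as backup MX, the hosts it relays for, and whether a `%` in the local part is honoured as a delimiter), follows one recipient address hop by hop, and audits a fleet for the backup-plus-relay pairing. Host names, domains, the probe address and the 203.0.113.9 client are constructed; the rightmost-`%`-becomes-`@` rewrite is the old sendmail convention the thread refers to, re-implemented here for illustration only.

```python
# Added example: a model of the %-piggyback relay path and a config audit for
# the two conditions Terry names.  Everything below is constructed; it is not
# IMail, Declude, or any real MTA's logic.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class MailServer:
    name: str                               # hostname of the MTA
    local_domains: frozenset                # domains it delivers locally
    backup_for: frozenset = frozenset()     # domains it accepts as secondary MX
    relay_allowed: frozenset = frozenset()  # hosts permitted to relay through it
    percent_hack: bool = True               # '%' in the local part is a delimiter


def split_address(addr):
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def has_percent_route(addr):
    """What a PERCENT-style test looks for: a '%' inside the local part."""
    return "%" in split_address(addr)[0]


def percent_rewrite(local):
    """Sendmail-era convention: the rightmost '%' becomes '@'."""
    user, _, host = local.rpartition("%")
    return f"{user}@{host}"


def find_server(servers, domain):
    return next((s for s in servers if domain in s.local_domains), None)


def trace(servers, entry, client_host, rcpt, max_hops=8):
    """Follow one recipient address hop by hop; return (outcome, hops)."""
    hops, server, host = [], entry, client_host
    for _ in range(max_hops):
        local, domain = split_address(rcpt)
        hops.append((server.name, rcpt))
        if domain in server.local_domains:
            if not ("%" in local and server.percent_hack):
                return "delivered locally", hops
            if host not in server.relay_allowed:          # IMail's relay check
                return "rejected: percent route from a host not allowed to relay", hops
            rcpt, host = percent_rewrite(local), server.name   # the hack fires
            nxt = find_server(servers, split_address(rcpt)[1])
            if nxt is None:
                return "relayed to external domain", hops + [("internet", rcpt)]
            server = nxt
        elif domain in server.backup_for:                  # backup MX accepts it
            nxt = find_server(servers, domain)
            if nxt is None:
                return "queued for unknown primary", hops
            server, host = nxt, server.name                # forwarded to primary
        elif host in server.relay_allowed:
            return "relayed to external domain", hops + [("internet", rcpt)]
        else:
            return "rejected: relaying denied", hops
    return "loop detected", hops


def percent_relay_exposure(servers):
    """Terry's two conditions: A accepts mail for domain d as a backup, and d's
    own server B relays for A while honouring '%'.  Returns (A, B, d) triples."""
    findings = []
    for a in servers:
        for d in sorted(a.backup_for):
            b = find_server(servers, d)
            if b is not None and b.percent_hack and a.name in b.relay_allowed:
                findings.append((a.name, b.name, d))
    return findings


def drop_backup_relay(servers):
    """Terry's fix #1: stop relaying for any host that also acts as a backup MX."""
    backups = {a.name for a in servers if a.backup_for}
    return [replace(s, relay_allowed=s.relay_allowed - backups) for s in servers]


# Constructed fleet: example.com (the IMail box) trusts its backup MX to relay.
PRIMARY = MailServer("mail.example.com", frozenset({"example.com"}),
                     relay_allowed=frozenset({"mx.example.net"}))
BACKUP = MailServer("mx.example.net", frozenset({"example.net"}),
                    backup_for=frozenset({"example.com"}))
FLEET = [PRIMARY, BACKUP]
PROBE = "user%example.org@example.com"   # what an open-relay tester submits

if __name__ == "__main__":
    print(trace(FLEET, BACKUP, "203.0.113.9", PROBE))
    print(percent_relay_exposure(FLEET))
    print(trace(drop_backup_relay(FLEET), drop_backup_relay(FLEET)[1], "203.0.113.9", PROBE))
```

For an administrator the useful pieces are `percent_relay_exposure()`, which flags exactly the pairing Terry says to avoid, and `drop_backup_relay()`, which shows his first fix closing the path while ordinary delivery to example.com through the backup still works; `has_percent_route()` is the whole of what a PERCENT-style test has to notice, which is why Andrew's point that it only *notices* a relay request, rather than preventing it, matters.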
RE: [Declude.JunkMail] PERCENT test
Markus, the crux of the issue for you is whether or not you allow relaying for your client servers. If you do, then the percent hack is a legitimate method for their server to request the relay from your server. The IMail security regarding the percent hack is not to *prevent* the percent hack, it is to *notice* that a relay is being requested; IMail would then check its relay restrictions for the server or user that sent the message.

I have seen zero spammers use the percent hack in the last 3 years; I suspect that SMTP software has gotten good enough and is secure by default, so the spammers moved to other techniques to take advantage of open relays.

Here is my Declude JunkMail configuration regarding the percent test:

#Dec-03-2002 AC This is an ancient convention for relaying; from what we've
#               seen, only legitimate Lotus users now use it to get out
#               of their own network!
PERCENT percent x x 2 0

PERCENT WARN

Andrew 8)

MG> If I understand right a problem can occur if one of our clients
MG> mailservers (most of them exchange servers) become a open relay because
MG> the admin has changed something. If this server has set our Imail-Server
MG> as smarthost and uses SMTP-Auth to deliver the messages a percent hack
MG> can use our server to relay.
Re: [Declude.JunkMail] PERCENT test
The question: "Why PERCENT should be a sign for spam that receive 50% of the hold action in your default config file? Have I missed something?"

It would be very rare that a sender HAS to use source-routing such as the % method, so the assumption is that anyone doing so is either deliberately trying to relay mail through your server or using a broken client that defaults to this kind of outdated notation (another sign of the poor programming that seems, luckily for us, to often coincide with spamming). However, there is nothing *definitively* malicious or fully RFC-illegal about using the %, so someone MIGHT have an opt-in database or strange server configuration that spits out this kind of address. In 99.999% of cases in which it is used without malice, it is still probably unnecessary, but I'm sure you know the problems of trying to get clients' clients to change their systems.

I don't use the PERCENT test at all, for the record.

-Sandy
Re: [Declude.JunkMail] PERCENT test
Markus,

Sunday, January 26, 2003 you wrote:

MG> Why PERCENT should be a sign for spam that receive 50% of
MG> the hold action in your default config file?
MG> Have I missed something?

The PERCENT test was never to catch spam, as I recall. IMAIL, and other mail servers for that matter, can be made to relay by sending a piggybacked %address via a trusted backup server. Since this test is still used by many of the open relay testers, failing it can get one blacklisted as an open relay. Interestingly, I have seen only one attempt by a spammer to use this method on our servers, but I see 2 or 3 open relay tests per month.

As an example, you might have 2 IMAIL servers backing up each other, or you might have a MS SMTP server as a backup MX in your list of accepted IPs to an IMAIL server. In either case it may be possible to relay using the %piggyback address.

Terry Fritts
Re: [Declude.JunkMail] Percent
"What is the entry which goes in global.cfg for the Percent test?"

It should be:

PERCENT percent x x 10

Then, in the $default$.JunkMail file, you can use PERCENT HOLD or whatever you like.

-Scott

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com.