Re: [Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

2004-01-16 Thread Joseph Brennan
m half the 'net! Joseph Brennan Columbia University in the City of New York Academic Technologies Group [EMAIL PROTECTED] ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL

Re: [Mimedefang] "Deep recursion on subroutine" in MIME::Parser - how to trace?

2004-01-16 Thread Joseph Brennan
n't seen a case in a long time so it's not going to make my to-do list. I'd like to tell you how we diagnosed it but I can't remember-- sorry. Probably just eyeballing syslog. Joseph Brennan Columbia University in the City of New York Academic Technologies Group

RE: [Mimedefang] Many many MX records

2004-01-16 Thread Joseph Brennan
intenance, and have to pray that it never goes down or off the network for any other reason? I don't see why this is good. Joseph Brennan Columbia University in the City of New York Academic Technologies Group [EMAIL PROTECTED]

Re: [Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

2004-01-16 Thread Joseph Brennan
s is good. But it is widespread. Joseph Brennan Columbia University in the City of New York Academic Technologies Group [EMAIL PROTECTED]

Re: [Mimedefang] Reject without PTR record

2004-01-16 Thread Joseph Brennan
more likely to be spam than mail from hosts with PTR. Joseph Brennan Columbia University in the City of New York Academic Technologies Group [EMAIL PROTECTED]

Re: [Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

2004-01-16 Thread Joseph Brennan
at another port, but try and explain to users how to set a port using the email clients now on the market. SFP depends partly on email client design. I find configuring clients now much harder and more obscure than it needs to be. True, if big systems require SFP, things start to happen. Jose

Re: [Mimedefang] Reject without PTR record

2004-01-16 Thread Joseph Brennan
But I have another question (similar to first one): Does it make sense to reject email if domain part of sender's address doesn't have A or MX records? Sendmail temp fails that now. Joseph Brennan Columbia University in the City of New York Academic Technolo

Re: [Mimedefang] New .zip virus?

2004-01-26 Thread Joseph Brennan
arg-Midoom $fname $type"); return action_bounce("Bad attachment"); } This getting about 120 per minute here. Make the md_graphdefang_log data and action_bounce text be the way you like it. Joseph Brennan Columbia University, Academic Technologies Group

Re: [Mimedefang] $helo versus $ip

2004-02-03 Thread Joseph Brennan
und after a day, or a week. On my site, I could tell it was a bad idea within an hour or two :-) Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] bugtraq discussion on email filtering

2004-02-03 Thread Joseph Brennan
has a faked sender. -- except the one that tells you to remove jdbmgr.exe and forward the warning to your friends. That actually is sent by the person whose address is in the From: header line. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University

Re: [Mimedefang] winmail.dat / ms-tnef extracting

2004-02-10 Thread Joseph Brennan
is usually not a file attachment. It is interesting that Outlook and Exchange still default to LAN behavior and have to be reset to do Internet Mail, as if sending mail to and from non-Exchange users was an exceptional situation. The developers' bosses don't seem to get out much

RE: [Mimedefang] New way of obfuscating text

2004-02-10 Thread Joseph Brennan
'm afraid that might create some false positives... 1em would be pointless for obfuscation purposes, as it would be equivalent to no font-size setting at all. (In CSS, an em is the current line height.) 1pt might be useful to look for, though. I've seen spam with this: That's

Re: [Mimedefang] Idea.. spell checking?

2004-02-11 Thread Joseph Brennan
i.e if there are 100 words in the body, and 75% are misspelled, add it to the score... Misspelled in any language? Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

[Mimedefang] new obfuscation

2004-02-17 Thread Joseph Brennan
Thread on news.admin.net-abuse.email, "Hashbusting using valid URLs and HTML tags" Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] new obfuscation

2004-02-17 Thread Joseph Brennan
is with nothing to click on between the two, and logging its finds. So far it's got only things that already scored pretty well as spam. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

[Mimedefang] Incredible spam obfuscation

2004-02-19 Thread Joseph Brennan
The most obfuscated spam I have ever seen follows. The "unencoded" message is at the end. This was disabled by Mimedefang. We change ' Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York This is a mul

Re: [Mimedefang] Incredible spam obfuscation

2004-02-19 Thread Joseph Brennan
e_header("X-Warning", "$badtag by Columbia filter"); action_rebuild(); } } # ... } Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Incredible spam obfuscation

2004-02-20 Thread Joseph Brennan
Would it be helpful to tweak the regex just a bit? if ( /<(iframe|script|object)\b/i ) { I like it. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Incredible spam obfuscation

2004-02-23 Thread Joseph Brennan
--On Friday, February 20, 2004 4:48 PM -0500 "Jon R. Kibler" <[EMAIL PROTECTED]> wrote: "Cormack, Ken" wrote: if ($badtag) { if ($io = $entity->open("w")) { $io->print($bla); $io->close; } if ($badtag) { $badtag .= "

RE: [Mimedefang] OT - Cant figure out why this is being rejected

2004-02-23 Thread Joseph Brennan
--On Monday, February 23, 2004 11:03 AM -0500 "Cormack, Ken" <[EMAIL PROTECTED]> wrote: They're already in there. That's why I cant figure this out. They're in access.db too: Both as ... 198.83.130.15 OK and... [198.83.130.15] OK If you want to allow relay,

Re: [Mimedefang] How can I stop these annoying emails?

2004-02-25 Thread Joseph Brennan
eb score CU_IMAGELINK_WEB 1.0 # Links to image from web, and that is the entire message meta CU_IMAGELINK_ONLY CU_IMAGELINK_WEB && HTML_IMAGE_ONLY_02 describe CU_IMAGELINK_ONLY Click on an image on the web, and that's all score CU_IMAGELINK_ONLY 4.0 Joseph Brennan Academ

RE: [Mimedefang] How can I stop these annoying emails?

2004-02-25 Thread Joseph Brennan
icrosoft Office Outlook" in headers of mail sent with auth smtp, so I am sure it is real. I don't know what specific Outlook product it is. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] How to best populate a spamtrap?

2004-02-26 Thread Joseph Brennan
don't read that. In fact you could say "do not send any mail to this address" next to it, for the few humans who read page source. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the C

Re: [Mimedefang] survey: dropping password protected file

2004-03-03 Thread Joseph Brennan
zingly few complaints, from a 50,000-user community. We don't know yet what the long-term plan will be. That stops bagle. To stop most variants of netsky, refuse mail with pif files. We did that many months ago. No complaints at all. Do it. By refuse, I mean action_bounce(). Joseph B

RE: [Mimedefang] survey: dropping password protected file

2004-03-03 Thread Joseph Brennan
--On Wednesday, March 3, 2004 1:11 PM -0600 Michael Sims <[EMAIL PROTECTED]> wrote: Joseph Brennan wrote: We are currently refusing all mail with zip files. Amazingly few complaints, from a 50,000-user community. We don't know yet what the long-term plan will be. That stops ba

Re: [Mimedefang] survey: dropping password protected file

2004-03-04 Thread Joseph Brennan
s exactly what we did. Thus, my unhappiness with not accepting them now. Besides, what will be next? hqx? sit? tar? I don't use Windows; I wonder whether the other archive and compression formats are as easy to open, or whether Microsoft will make them so if zip is deprecated. Joseph Brennan

Re: [Mimedefang] survey: dropping password protected file

2004-03-04 Thread Joseph Brennan
es, forget it. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

RE: [Mimedefang] survey: dropping password protected file

2004-03-04 Thread Joseph Brennan
to what you get doing ftp as text. Anyway the binary does not execute even after being renamed. I can't figure out how this exploit would work. Which virus was it? I'd like to see more on this. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia

Re: [Mimedefang] Milter failure processing Read and Delivery Receipts

2004-03-04 Thread Joseph Brennan
I can't think of any reason an MUA should use a null envelope Receipts. It *is* annoying though when they doublebounce to postmaster. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New

Re: [Mimedefang] survey: dropping password protected file

2004-03-05 Thread Joseph Brennan
45, and run setup.exe". Same here. One of my senior colleagues here, Frank da Cruz, told me he opposed MIME at IETF when it was proposed. He told them it was bad to use mail for file transfer. The big wheel is coming around, isn't it? Joseph Brennan Academic Technologies Group, Academic Info

Re: [Mimedefang] javascript in html attachments

2004-03-05 Thread Joseph Brennan
at then did something else. This stuff does not belong in email. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] add to sa score for clients that only give hostname in helo.

2004-03-08 Thread Joseph Brennan
add our things $hits += $SA_score_additions; $names .= $SA_test_additions; And then take whatever actions you take. OK... the added $names are not in alphabetical order with the others. They could be sorted if I cared. Joseph Brennan Academic Technologies Group, Academic Info

Re: [Mimedefang] OT: Blocking because of MX to 127.0.0.1

2004-03-09 Thread Joseph Brennan
ve received spam from domains that mx to 127.0.0.1 and if I see much more of it, I'd like to do just what that ISP is doing, to get the clutter out of our mail queues. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia Universi

Re: [Mimedefang] OT: Blocking because of MX to 127.0.0.1

2004-03-09 Thread Joseph Brennan
allow from localhost. Some Mimedefang procedures send mail, if you happen to use those, and forwarding with .procmailrc sends a new message from localhost. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New

Re: [Mimedefang] Re: users seeing strange text attachments??

2004-03-16 Thread Joseph Brennan
ating these messages? It doesn't put its name in the headers. It appears to be the problem. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Re: users seeing strange text attachments??

2004-03-16 Thread Joseph Brennan
According to RFC 1341: "The use of the multipart Content-Type with only a single body part may be useful in certain contexts, and is explicitly permitted." Well... you learn something new every day! Thanks Joseph Brennan Academic Technologies Group, Academic Information Sys

Re: [Mimedefang] Bagle-Q and Bagle-R

2004-03-18 Thread Joseph Brennan
BJECT and SCRIPT html tags. I posted code to do this recently. You have to open html parts and rewrite them when they have the tags. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] scanning message body

2004-03-19 Thread Joseph Brennan
am input. I didn't peak at Anomy HTML Cleaner yet to see how they do it :-) And if you really want to do a lot of HTML cleaning, well, they do it all-- more than we want to do. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in

Re: [Mimedefang] Notify recipient?

2004-03-25 Thread Joseph Brennan
's the double-bounce situation. There is no one to send to. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

[Mimedefang] MaxMIMEParts

2004-03-30 Thread Joseph Brennan
ively have any idea whether 40 is too low? Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] MD and all of its users appear to be in violation of a US Patent

2004-04-02 Thread Joseph Brennan
patent an idea rather than a device, so it might be weak. But imagine the dollars to be spent on lawyers to establish that. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] limiting nested mime multiparts

2004-04-05 Thread Joseph Brennan
100, mail starts tempfailing. We are setting $MaxMIMEParts = 100; at this time, as an indirect way of limiting recursion. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

RE: [Mimedefang] MaxRecipientsPerMessage

2004-04-14 Thread Joseph Brennan
> > What is a good value to use for MaxRecipientsPerMessage > > (MAX_RCPTS_PER_MESSAGE) for sendmail? 100 We set it to 50 about a year ago to make some other host on campus happy. Put it this way- I have not thought about it since. Joseph Brennan Academic Technologies Gro

Re: [Mimedefang] Update to MIMEDefang Filter KAM

2004-04-16 Thread Joseph Brennan
md_graphdefang_log('modify',"$badtag Iframe/Object/Script tag(s) deactivated by MIMEDefang using Columbia filter"); But please replace "Columbia filter" with whatever your site is! That's there to clarify for us that our mail system did it. Joseph

Re: [Mimedefang] Update to MIMEDefang Filter KAM

2004-04-19 Thread Joseph Brennan
in here. I probably won't get to this today. It is true that this test has run for almost a year here without a problem that has been noticed. b) Steffen, it sounds like you have a simpler way in mind to do the changes and know whether to do the open("w"). What is it? PS to Kevin- W

Re: [Mimedefang] Update to MIMEDefang Filter KAM

2004-04-19 Thread Joseph Brennan
you use internal virus scanners, would it interfere with their signature matching of the email? Is this a feature that could be folded back into the default mimedefang? Joseph Brennan said: md_graphdefang_log('modify',"$badtag Iframe/Object/Script tag(s) deactivated by M

Re: [Mimedefang] Feature request: Tar pitting.

2004-04-20 Thread Joseph Brennan
ybody feel that it is worthwhile enough to write it? Only do it if you can distinguish cases of your users forwarding mail in from their other addresses on other systems. Oh wait, there's no way to do that, is there. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Colum

Re: [Mimedefang] Spammer zombie group behaviour

2004-04-22 Thread Joseph Brennan
political issues with Columbia University, many Chinese sites won't resolve for our IP space, and thus sometimes the spammer's sites are unreachable from here. It doesn't really make me feel any better but it is a small laff. Joseph Brennan Academic Technologies Group, Academic Informa

Re: [Mimedefang] limit message size

2004-04-23 Thread Joseph Brennan
too: define(`confMAX_MESSAGE_SIZE',1000) Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

RE: [Mimedefang] FW: final fillter setup

2004-05-11 Thread Joseph Brennan
l the owner of the infected PC, but there is no way to determine who it is. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Rebuild Message before running SpamAssassin

2004-05-10 Thread Joseph Brennan
ampaign_id=601"> cid:525l5v2694t7534y94158y600ls09p44"; align=baseline \ border=0> ... more, not quoted This looks like a nice Spamassassin evasion technique. Just wait. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbi

Re: [Mimedefang] Accuracy of infected IP in mdlog

2004-05-14 Thread Joseph Brennan
600 This was in spam, but the kind that is sent through a hacked Windows box. The lower two Received's are fake. And I've seen this before. There's one that pretends the origin is outblaze.com. Have you seen that one? Joseph Brennan Academic Technologies Group, Academic Information S

Re: [Mimedefang] Accuracy of infected IP in mdlog

2004-05-17 Thread Joseph Brennan
fully identify all the spam). Give it a 550 and move on. We cannot waste human or computer time figuring out who to notify. We don't have the resources to consider it. If we did, I don't think it would make any difference. Joseph Brennan Academic Technologies Group, Academic Informatio

Re: [Mimedefang] Accuracy of infected IP in mdlog

2004-05-17 Thread Joseph Brennan
ave proven your machine is clean. A large university in New York does the same thing! Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Need help with filter_relay

2004-05-19 Thread Joseph Brennan
rom ISP lines to use your smtp server (if you do smtp auth for example). Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Want to modify "read-receipt" img tags in mail

2004-05-20 Thread Joseph Brennan
ade filtering. Possibly, convert img src tags so they have to be clicked on instead of opening inline. It could raise some "what was that in your mail" questions that deserve to be asked. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia U

Re: [Mimedefang] Want to modify "read-receipt" img tags in mail

2004-05-20 Thread Joseph Brennan
rts using HTML::Parser for the html and perl for the text/plain. Any comments on this course of action? or replace with IMAGE and leave the plain text alone. Almost the same thing. I'd like to see this written out with HTML::Parser when you do it. Joseph Brennan Academic Technologies Group,

Re: [Mimedefang] Want to modify "read-receipt" img tags in mail

2004-05-21 Thread Joseph Brennan
arget to click on. Or, put $1$2 there to show what the URL is, but my guess is that would look more ugly. If I get this set up on our test server I think I would see how different things look. HTML::Parser Oh, I was hoping you didn't agree with my reaction! I always like seeing examp

Re: [Mimedefang] MessageID anti-impersonation function for sub filter()

2004-05-26 Thread Joseph Brennan
nd relies on the smtp server to generate it. This includes both PC mail clients and also some PC products that generate mail from databases. A host that acts as smtp server needs to recognize any such permitted use-- perhaps by IP address or by detecting use of smtp auth. Joseph Brennan Academic

RE: [Mimedefang] MessageID anti-impersonation function for sub fi lter()

2004-05-26 Thread Joseph Brennan
MAIL PROTECTED] and it appears to be one of our users sending mail from an ISP. Some clients construct the Message-ID using the default domain name. This is an important example but I have to admit it is the only one I can find in this syslog file, so it appears to be unusual. Joseph Brennan Academ

Re: [Mimedefang] Filter on encoding type

2004-05-28 Thread Joseph Brennan
some harebrained ideas in under an hour by doing that! This does sound like it has possibilities. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Filter on encoding type

2004-05-28 Thread Joseph Brennan
.0 (produced by aberrateaccelerate 8.1) MIME-Version: 1.0 (produced by allianceribonucleic 2.2) It's the same spam product that inserts patternbusters with 1-pixel characters, e.g. Hel= lo de+a85r home o)wn!er, Painfully, that's "Hello, dear howeowner"! Joseph Brennan Ac

Re: [Mimedefang] German Hate Spam

2004-06-11 Thread Joseph Brennan
andards. Real qmail Message-IDs have only numbers and dots before the ".qmail@" string. In fact the first eight chars are the date MMDD. Sober puts letters in there. Noticed because we got hit yesterday. Joseph Brennan Academic Technologies Group, Academic Information

[Mimedefang] relay_is_blacklisted timeout

2004-06-17 Thread Joseph Brennan
ble. What happens? Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Re: MIMEDefang Digest, Vol 9, Issue 35

2004-06-21 Thread Joseph Brennan
ue. It almost makes putting a code in the Subject look good, doesn't it? Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Internet Virus hits IIS

2004-06-28 Thread Joseph Brennan
t mail containing it? Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Internet Virus hits IIS

2004-06-29 Thread Joseph Brennan
To effectively block, you'd need to block all links with graphic extensions. Cool!!! Well, I don't think the user community here is ready... yet. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City o

Re: [Mimedefang] Where is best to use $SendmailMacros{"auth_authen"} ?

2004-07-01 Thread Joseph Brennan
e convoluted exceptions we agreed to deal with. But we do subject this mail to some testing, so we don't do an action_accept(). Instead we use $good to skip things with a "unless ($good) { ... }" around those stanzas. And one special case I don't fully trust gets "$goo

Re: [Mimedefang] New spam technique

2004-07-06 Thread Joseph Brennan
useless when we reject the actual spam. Let 'em spin their wheels. Of course I'll change my mind when we identify a solution. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City o

Re: [Mimedefang] Verifying mailbox...

2004-07-07 Thread Joseph Brennan
laying. I think you're seeing an example of the problem right there-- rejecting mail from your own relay host. I don't think it is of any value now except maybe to add a little to a spam scoring system like Spamassassin. Joseph Brennan Academic Technologies Group, Academic Information Systems

RE: [Mimedefang] Bogus HELO filtering

2004-07-07 Thread Joseph Brennan
t least, reject mail that claims to be from your own hostname and IP. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Mail forged from yahoo.com

2004-07-12 Thread Joseph Brennan
that error message is in your Mimedefang filter you can rewrite it to act differently. Mimedefang does what it is told. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Multiple servers scanning mail

2004-07-14 Thread Joseph Brennan
th a condition on it, like if $RelayAddr is not server1 then action_delete_header. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Mail and spam problem

2004-07-22 Thread Joseph Brennan
y standard in virus mail. (The other two Received headers look pretty strange to me with all those nonexistent hostnames-- but maybe they are normal. I cannot explain those.) So what about Mimedefang? Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University i

Re: [Mimedefang] Relaying denied

2004-07-22 Thread Joseph Brennan
July 22 10:30:00 njmailserv vagated [23403]: Relaying denied for rcpt [EMAIL PROTECTED] You are gorave.net not gorav.net, right? Are you sending to the wrong list? This one is about Mimedefang. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University

Re: [Mimedefang] Disabling spam checks on outgoing email

2004-07-27 Thread Joseph Brennan
're waiting for one that puts its junk in an Outlook Express outgoing queue to be sent with smtp auth later.) You can put any conditions you want around the call to Spamassassin. We skip it: if (defined($SendmailMacros{"auth_type"})) if ($RelayAddr eq "127.0.0.1") and also i

Re: [Mimedefang] [Fwd: Internal mails are blocked-PROBLEM]

2004-07-27 Thread Joseph Brennan
s from us it gotta be good"); } return("CONTINUE",""); } See what it says $mailip is. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Forwarded Email Blocking

2004-08-04 Thread Joseph Brennan
it is the address as given in the RCPT command. It is not yet rewritten by sendmail rules or aliases or .forward file. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Deadline for SPF records

2004-08-04 Thread Joseph Brennan
That's pretty vague. If it is anything, it sounds like the addition or subtraction of points on a scale like Spamassassin. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Deadline for SPF records

2004-08-05 Thread Joseph Brennan
We published SPF a month ago for columbia.edu and found a handful of systems in Europe rejecting mail with it! We changed it to ~all in an attempt to tell those guys it's not required yet. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University i

RE: [Mimedefang] Deadline for SPF records

2004-08-05 Thread Joseph Brennan
--On Thursday, August 5, 2004 11:37 AM -0700 [EMAIL PROTECTED] wrote: Joseph Brennan wrote: We published SPF a month ago for columbia.edu and found a handful of systems in Europe rejecting mail with it! We changed it to ~all in an attempt to tell those guys it's not required yet. So... so

Re: [Mimedefang] Deadline for SPF records

2004-08-05 Thread Joseph Brennan
record? ___ Yes those are different. An SPF record for acme.com would affect only senders @acme.com and not senders @subdomain.acme.com. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New

RE: [Mimedefang] Deadline for SPF records

2004-08-09 Thread Joseph Brennan
OK with you for support.com to send mail as your domain, then you include support.com's IPs in your SPF record and it works. They don't need to be IPs you own and their hostnames do not matter. The sender domain is matched to that domain's SPF record. Joseph Brennan Academic Techno

RE: [Mimedefang] Deadline for SPF records

2004-08-09 Thread Joseph Brennan
gain referrals would make it really cheap to run mailing lists!! The above looks pretty good. So RESPONSIBLE could be an alias or a user's .forward file then, anything that causes authorized re-sending. Bounces would go straight to the FROM, I assume? So, all we do is change all the mail serve

Re: [Mimedefang] javascript in html attachments

2004-08-09 Thread Joseph Brennan
$io->close; } md_graphdefang_log('modify',"$badtag tag deactivated by Columbia fi\ lter"); action_change_header("X-Warning", "$badtag tag modified by Columbia filter"); a

Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-10 Thread Joseph Brennan
igured differently it could cause more problems that just letting remote hosts re-try to the regular mail server. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

RE: [Mimedefang] Deadline for SPF records

2004-08-11 Thread Joseph Brennan
ages must be sent through their server but we want the 'From:' to be his desktop address. I think the wireless service is supposed to rewrite the envelope sender to its own domain and leave the From: alone. Users should not be expected to configure this. Joseph Brennan Academic Technol

Re: [Mimedefang] Dealing with massive spam burst

2004-09-08 Thread Joseph Brennan
th a message stating what the new address is-- for human senders. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

RE: [Mimedefang] JPEG exploit checking in mimedefang-filter

2004-10-12 Thread Joseph Brennan
th the OSX Mail program fail this test, quite a lot, maybe all the time. I'm going to be looking into it. If anyone else is ahead of me on a solution please say so. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in

[Mimedefang] Executable not caught

2004-09-29 Thread Joseph Brennan
"); } ...so that we reject all messages with scr files. So, is it my filter or is it Mimedefang generally? I'd appreciate it if someone else would try sending that message through your Mimedefang filter. Beware: that part is a virus, in mail pretending to be from me. Joseph

RE: [Mimedefang] Blocking spam senders using IPTables?

2004-11-03 Thread Joseph Brennan
of messages, never mind the 5xx responses. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

RE: [Mimedefang] Frustration...

2004-11-05 Thread Joseph Brennan
they go over 8. Half are travel companies that send mail with free offers and click here and html bugs. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Need to turn off CC in Defang Notifications

2004-12-01 Thread Joseph Brennan
mail server just by receiving mail. This should be recognized, but probably as in our case it does not get them anything they can't do anyway. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the

Re: [Mimedefang] Lycos Screensaver that attacks Spammers

2004-12-01 Thread Joseph Brennan
Immediately I think of two things: Spam sent to DOS somebody else's web server, a/k/a Joe Jobs. Spam with links to unrelated web servers in an attempt to look legitimate. Some of our medical center web pages have appeared in drug spam. Spamcop then tells us we're spammers. Ugh. Jose

Re: [Mimedefang] Problem with virus bounces

2004-12-20 Thread Joseph Brennan
no clients are broken enough to try to interpret mime inside a part labelled text/plain. If you control what is on the staff desktops you only need to test that software. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] How can I get just the domain from $sender

2005-02-22 Thread Joseph Brennan
ot as good, since anyone might send mail with your domain in the sender address, including spammers and viruses. Something like this: if ($RelayAddr =~ /66\.8\.25\./) { # add that attachment } Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia Univers

Re: [Mimedefang] Weird issue with Outlook + "Rich Text" + attachments

2005-03-16 Thread Joseph Brennan
d always be *off* for Internet mail. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] Fw: [Asrg] user-level blacklisting patented

2005-03-17 Thread Joseph Brennan
oftware" ... that's an average 250/day per user, which is about ten times what we have per user. Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York

Re: [Mimedefang] for mcafee lovers

2005-03-22 Thread Joseph Brennan
mail viruses in the two years or so since we implemented this. Mimedefang made this possible. Our only possible interest is in being able to accept zip files by unpacking and scanning the contents. We might install Clam to do so. I would like to use Mimedefang to insert a warning text on zip fi

Re: [Mimedefang] for mcafee lovers

2005-03-23 Thread Joseph Brennan
--On Tuesday, March 22, 2005 14:29 -0500 "Kevin A. McGrail" <[EMAIL PROTECTED]> wrote: Since defang is a single user, you just need 1 license but 5 is the minimum to purchase. I never tried this one with vendors! They accept this? Joseph Brennan Academic Technologies
