Re: [spamdyke-users] can't block envelope sender
Yup! That would be great. I just think it would be useful to know it is happening, and where to look, sort of thing.

From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf Of Sam Clippinger via spamdyke-users
Sent: 25 July 2016 14:50
To: spamdyke users
Subject: Re: [spamdyke-users] can't block envelope sender

> Could probably do that. Or maybe print the matching file/line in the "reason" field, the same way it already does for blacklist matches?
>
> -- Sam Clippinger

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] can't block envelope sender
Could probably do that. Or maybe print the matching file/line in the "reason" field, the same way it already does for blacklist matches?

-- Sam Clippinger

On Jul 22, 2016, at 11:37 AM, Faris Raouf wrote:
Re: [spamdyke-users] can't block envelope sender
Hi Sam,

I just had a chance to have a go with the tests, and just as you expected it was down to the rDNS of the sender being whitelisted. I don't know how many times I'd checked, and missed seeing it :)

Unfortunately I can't remember why I whitelisted it :( It belongs to an ESP. If they are sending stuff that can't pass SD's filters, it doesn't belong in anybody's mailbox. But obviously I needed to whitelist it for some reason at some point. I will have to have a think about this.

But this situation inspires me to ask you to consider adding something to the wishlist:

When a message is allowed to pass as a result of being whitelisted, could there be an option to change the logging so that instead of just ALLOWED it shows ALLOWED_WL_[type] or maybe WHITELIST_[type] or something along those lines?
Re: [spamdyke-users] can't block envelope sender
Thanks Sam. That's brilliant and hugely helpful. I'll try to do this this evening, and failing that over the weekend. I will also check the whitelists again in case I missed something.

Yes, ms2 is the edge server and that's where the sender is blacklisted, although I've just added it to the ip147 one as well for good measure :)

From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf Of Sam Clippinger via spamdyke-users
Sent: 21 July 2016 14:14
To: spamdyke users
Subject: Re: [spamdyke-users] can't block envelope sender
Re: [spamdyke-users] can't block envelope sender
From what I can see, spamdyke should be blocking those messages. This could be a bug, but first I'd suggest carefully checking your whitelists. In almost every case I've seen like this where a blacklist simply will not work, it turns out to be a whitelist entry that's overriding it. You mentioned your email flows through several different servers before it reaches the user's mailbox... from the message headers, it looks like ms2 is your edge server, is that where the blacklist entry is set?

If you can log in to ms2 at the command line, you could also try running spamdyke by hand so you can see more verbose output without flooding your logs. You don't need to stop your mail server for this; it won't interfere with any normal operations.

First, set an environment variable so spamdyke will think it's getting a connection from a remote server:

    export TCPREMOTEIP=94.143.105.188

Next create a very small spamdyke config file (can be anywhere, doesn't have to be in /etc) with two options:

    log-target=stderr
    log-level=excessive

Then find the command line spamdyke is started with (in your "run" file) and run it the same way, but add another "-f" for the new config file AFTER your real config file. (If you're curious why, it's because config options are applied in the order they are read. We want to override those two options for this run, so they need to be read last.)

For example, on my server I would run this:

    spamdyke -f /etc/spamdyke.d/spamdyke.conf -f /tmp/testing.conf -- /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true

You should see the SMTP greeting banner just like a mail client does (possibly delayed a few seconds by spamdyke) plus debug messages that would normally go in the logs. Type in these SMTP commands to imitate a client and test the blacklist:

    EHLO cloudtengroup1.mta.dotmailer.com
    MAIL FROM:<bo-3ueb-2dqy-yto27-c0...@tooplemail.com>
    RCPT TO:<redac...@redacted.tld>

At that point, you should see either a 250 response if the message is accepted or a 500 response if it is blocked, plus tons of debugging output from spamdyke to show what it's thinking. You can type QUIT or ctrl-C to exit.

Hopefully that'll show what's happening. If you can't spot the issue or have trouble deciphering the output, feel free to email it to me privately and I'll take a look.

-- Sam Clippinger

On Jul 21, 2016, at 6:39 AM, Faris Raouf via spamdyke-users wrote:
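As an added example (not part of the thread and not spamdyke's own code), a small Python script that does what the wishlist request and the diagnosis above both point at: it post-processes a spamdyke ALLOWED log line into an ALLOWED_WL_[type] verdict by checking the logged sender and rDNS against the configured list files, so a blacklist hit overridden by a whitelist entry becomes visible. The log line and list contents are constructed, and the matching rules (an @domain sender entry matches every local part; an rDNS entry matches the name or any subdomain) are assumptions, not spamdyke's verified implementation.

```python
import re

# Constructed log line modelled on the ALLOWED entry quoted in the thread.
LOG_LINE = ("Jul 21 10:32:57 ms2 spamdyke[25257]: ALLOWED from: bo-3ueb@tooplemail.com "
            "to: user@redacted.tld origin_ip: 94.143.105.188 origin_rdns: "
            "cloudtengroup1.mta.dotmailer.com auth: (unknown) encryption: TLS reason: 250_ok_1469093577_qp_25272")

# Constructed list contents keyed by spamdyke option; the rdns entry is an assumed, forgotten ESP entry.
LISTS = {"sender-blacklist-file": ["@tooplemail.com"],
         "rdns-whitelist-file": ["mta.dotmailer.com"]}

def sender_matches(entry, addr):
    # Assumed rule: "@domain" matches every local part at that domain, else exact match.
    entry, addr = entry.lower(), addr.lower()
    return addr.endswith(entry) if entry.startswith("@") else addr == entry

def rdns_matches(entry, rdns):
    # Assumed rule: an rDNS entry matches the name itself or any subdomain of it.
    entry, rdns = entry.lower(), rdns.lower()
    return rdns == entry or rdns.endswith("." + entry)

# (option name, log field it is checked against, matcher, list kind)
CHECKS = [("sender-blacklist-file", "from", sender_matches, "black"),
          ("sender-whitelist-file", "from", sender_matches, "white"),
          ("rdns-blacklist-file", "origin_rdns", rdns_matches, "black"),
          ("rdns-whitelist-file", "origin_rdns", rdns_matches, "white")]

def parse_spamdyke_line(line):
    """Return (verdict, {field: value}) for a spamdyke log line, or None for other lines."""
    m = re.search(r"spamdyke\[\d+\]: (\w+) (.*)$", line)
    return None if not m else (m.group(1), dict(re.findall(r"(\w+): (\S+)", m.group(2))))

def explain(line, lists=LISTS):
    """Annotate a bare verdict with the list entries that matched and flag an overridden blacklist."""
    parsed = parse_spamdyke_line(line)
    if parsed is None:
        return None
    verdict, fields = parsed
    hits = [(opt, entry, kind) for opt, field, match, kind in CHECKS
            for entry in lists.get(opt, []) if match(entry, fields.get(field, ""))]
    whites = [(opt, entry) for opt, entry, kind in hits if kind == "white"]
    blacks = [(opt, entry) for opt, entry, kind in hits if kind == "black"]
    if verdict == "ALLOWED" and whites:
        verdict = "ALLOWED_WL_" + whites[0][0].split("-")[0]  # e.g. ALLOWED_WL_rdns
    return {"verdict": verdict, "whitelist_hits": whites, "blacklist_hits": blacks,
            "overridden": bool(whites and blacks)}

if __name__ == "__main__":
    print(explain(LOG_LINE))
```

Run over a real maillog, an ALLOWED line with "overridden" set is exactly the case in this thread: the sender blacklist matched but an rDNS whitelist entry won.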
[spamdyke-users] can't block envelope sender
Dear all,

I'm having a bit of an issue trying to block messages based on the envelope sender. Basically it doesn't seem to work at all, so I'm obviously doing something wrong.

All the other types of blacklists and whitelists seem to work just fine.

I understand the difference between the "From" and the envelope sender, and that TLS can be an issue.

But as far as I'm aware it is the envelope sender that I'm targeting, and in this case my qmail installation doesn't support TLS so spamdyke is set to handle the TLS and should be able to read the contents of the message.

I'm using SpamDyke 5.01

Please could someone kindly take a quick look at my log/config/header of an example email, to see what I'm doing wrong?

In the example below, the envelope sender I'm trying to block has (some-reference-or-other)@tooplemail.com as the envelope sender so I'm using @tooplemail.com in my blacklist_sender file.

***

Maillog extract:

Jul 21 10:32:55 ms2 spamd[30006]: spamd: checking message <2dqy.87yto274c.20160721093145...@tooplemail.com> for qscand:500
Jul 21 10:32:57 ms2 spamd[30006]: spamd: result: Y 4 - BAYES_00,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREE_QUOTE_INSTANT,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS scantime=1.9,size=55241,user=qscand,uid=500,required_score=3.0,rhost=localhost,raddr=127.0.0.1,rport=53794,mid=<2DQY.87YTO274C.20160721093145243@tooplemail.com>,bayes=0.00,autolearn=no
Jul 21 10:32:57 ms2 qmail-scanner-queue.pl: qmail-scanner[25272]: Clear:RC:0(94.143.105.188):SA:1(4.3/3.0): 2.092064 55184 bo-3ueb-2dqy-yto27-c0...@tooplemail.com redac...@redacted.tld Why_is_Toople.com_different_to_the_rest? <2dqy.87yto274c.20160721093145...@tooplemail.com> 1469093575.25274-0.ms2.redac...@redacted.tld:3611 orig-ms2.redacted.tld146909357479725272:55184 1469093575.25274-1.ms2.redacted.tld:46150
Jul 21 10:32:57 ms2 spamdyke[25257]: ALLOWED from: bo-3ueb-2dqy-yto27-c0...@tooplemail.com to: redac...@redacted.tld origin_ip: 94.143.105.188 origin_rdns: cloudtengroup1.mta.dotmailer.com auth: (unknown) encryption: TLS reason: 250_ok_1469093577_qp_25272

***

Spamdyke config file:

log-level=verbose
idle-timeout-secs=60
greeting-delay-secs=11
policy-url=http://www.redacted.tld/email.html

graylist-dir=/var/qmail/graylist
graylist-level=none
graylist-min-secs=300
graylist-max-secs=1814400

ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient

ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
sender-whitelist-file=/etc/spamdyke.d/whitelist_sender

tls-certificate-file=/ssl/c1org1516.pem
tls-level=smtp-no-passthrough

#(Blacklists redacted)

reject-empty-rdns

***

/etc/spamdyke.d/blacklist_sender contains:

@tooplemail.com

***

EXAMPLE EMAIL HEADER (Slightly complicated because it goes through two qmail-scanner/spamdyke servers, ms2.redacted.tld and 147.redacted.tld, each with different spamassassin configs (hence the odd subject modification!), to get to the mailbox)

Received: (qmail 25508 invoked by uid 2523); 21 Jul 2016 10:33:11 +0100
X-Qmail-Scanner-Diagnostics: from ms2.redacted.tld by ip147.redacted.tld (envelope-from , uid 2020) with qmail-scanner-2.10st (clamdscan: 0.99.2/21940. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st. Clear:RC:0(178.62.199.136):SA:1(3.6/3.0):. Processed in 2.510301 secs); 21 Jul 2016 09:33:11 -
X-Spam-Status: Yes, hits=3.6 required=3.0
X-Spam-Level: +++
Received: from ms2.redacted.tld (redacted) by ip147.redacted.tld with SMTP; 21 Jul 2016 10:33:08 +0100
Received: (qmail 25293 invoked by uid 500); 21 Jul 2016 09:32:57 -
X-Qmail-Scanner-Diagnostics: from cloudtengroup1.mta.dotmailer.com by ms2.redacted.tld (envelope-from , uid 496) with qmail-scanner-2.10st (clamdscan: 0.99.2/21940. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st. Clear:RC:0(94.143.105.188):SA:1(4.3/3.0):. Processed in 2.094403 secs); 21 Jul 2016 09:32:57 -
X-Qmail-Scanner-MOVED-X-Spam-Status: Yes, hits=4.3 required=3.0
X-Qmail-Scanner-MOVED-X-Spam-Level:
Received: from cloudtengroup1.mta.dotmailer.com (94.143.105.188) by ms2.redacted.tld with SMTP; 21 Jul 2016 09:32:54 -
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim1024; d=tooplemail.com; h=From:To:Subject:MIME-Version:Content-Type:Date:List-Unsubscribe:Reply-To:Message-ID; i=daniel.clem...@tooplemail.com; bh=l80qAnWoe07RouX288jDc7eGwnI=; b=eKFZ6Hdnf2Y6CSyjmyGiZVhZ0sLTRBhdvTW6lTPSBXcSi4sN1cOahISl7yHYH+6e3C5BVWZhZRAcI8K4/ou8t07mvwjo5l/aHP2GCUZ1+tIw/ApSNwsjep7ZHL2FGV9M/uJKEY+yx/pzIB3QSnJ1cj4vRttFGlwSie1pPu7twYA=
From: