Re: SA checking of authenticated users' messages
* Daniel McDonald dan.mcdon...@austinenergy.com:

>> I just need to clarify one thing that's not clear to me in re-reading our thread from the other day: Is there a work-around for this?
>
> Usually, you listen for end-users on the submission port, and don't filter it for spam, just auth.

I recommend using the submission port AND filter, but not too strict. The rationale is to ensure deliverability by checking for spamminess on your own side before someone else would reject the message.

p...@rick

-- 
state of mind
Digitale Kommunikation
http://www.state-of-mind.de
Franziskanerstraße 15    Telefon +49 89 3090 4664
81669 München            Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
Re: SA checking of authenticated users' messages
On 07/07/10 23:26, Greg Troxel wrote:
> Louis Guillaume lo...@zabrico.com writes:
>
>> I just need to clarify one thing that's not clear to me in re-reading our thread from the other day: Is there a work-around for this? My users are getting restless. Every time their ISP changes their IP address I have to whitelist them!
>
> I think there are currently only two viable approaches:
>
>   arrange not to pass authenticated mail to spamass-milter
>
>   change postfix and/or spamass-milter to insert a line in the pseudoheader saying the mail was authenticated, so the ALL_TRUSTED test fires and not the RBL checks. This is some twitchy code to write, but I suspect it isn't really that hard.

I don't think Louis has said what MTA is involved, but if it's Postfix 2.3 or later, you just add the following line to main.cf:

    smtpd_sasl_authenticated_header = yes

And SA should then put all relays in X-Spam-Relays-Trusted and add ALL_TRUSTED (about -1.8 points) and not do any RBL checks. It's the RBL checks that could be the major problem because client IPs are naturally listed in DULs, and look like dynablocks.

However, some other checks may still run with ALL_TRUSTED and I found the following kind of thing helped:

    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
      # fires whenever every relay in the path is trusted
      meta TRUST_SHORTCIRCUIT (ALL_TRUSTED)
      score TRUST_SHORTCIRCUIT -5.0
      tflags TRUST_SHORTCIRCUIT nice
      # low priority value so the rule runs before the expensive tests
      priority TRUST_SHORTCIRCUIT -1000
      shortcircuit TRUST_SHORTCIRCUIT on
    endif

So you don't necessarily need to separate inbound and outbound ports or IP addresses, although if you're designing a system from scratch you probably would.

If some people are using pop-before-smtp there's the POPAuth plugin which adds the authenticated client IP addresses to trusted_networks (although in that case be careful of mail 2 web services like Google and now Hotmail).

Were you using amavis with a single MX, an alternative is a postfix kludge to separate incoming and authenticated mail to run different amavis policy banks (e.g. authenticated virus check and DKIM signing; incoming virus and spam check). See http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path

I don't know about doing this in MTAs other than postfix.

HTH
C
Re: upgrade 3.2.1 to 3.2.5: dcc not working, headers not being added
>>> I've upgraded from 3.2.1 to 3.2.5 on gentoo. It appears that dcc is broken. My messages no longer get the dcc header:
>>
>> First, did you know that 3.3.1 was released? Otherwise, why stop at 3.2.5?

On 04.07.10 07:24, Robert S wrote:
> 3.3.1 is still marked as unstable by gentoo. I've downgraded back to 3.2.1 (which was working very well) and will probably wait until 3.3.* is marked as stable. I'd like to avoid these types of issues.

I'm using 3.3.1 on gentoo. While I waited some time for upgrading from 3.2.5 (also marked as unstable that time, is it still?), I don't care much about gentoo port maintainer's opinion on this.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
Re: How not to implement SPF (nationwide.co.uk)
>>> On Wed, 30 Jun 2010 20:19:43 +0100 Ned Slidern...@unixmail.co.uk wrote:
>>>> so they have no SPF policy?
>>>
>>> Wrong, they do, but it's on their email.barclays.co.uk subdomain as presumably that's the domain they send mail from - but how are you supposed to know that if they don't tell you?

>> On 6/30/2010 2:25 PM, RW wrote:
>> I suppose they are being realistic about spf - that it's only really useful for whitelisting purposes.

On 04.07.10 23:57, Marc Perkel wrote:
> It's not even useful for white listing as spammers can set up SPF too.

Marc, please stop bullshitting about SPF, finally. We already know you don't understand how it works.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
Re: SA checking of authenticated users' messages
Cedric Knight ced...@gn.apc.org writes:

> On 07/07/10 23:26, Greg Troxel wrote:
>> Louis Guillaume lo...@zabrico.com writes:
>>
>>> I just need to clarify one thing that's not clear to me in re-reading our thread from the other day: Is there a work-around for this? My users are getting restless. Every time their ISP changes their IP address I have to whitelist them!
>>
>> I think there are currently only two viable approaches:
>>
>>   arrange not to pass authenticated mail to spamass-milter
>>
>>   change postfix and/or spamass-milter to insert a line in the pseudoheader saying the mail was authenticated, so the ALL_TRUSTED test fires and not the RBL checks. This is some twitchy code to write, but I suspect it isn't really that hard.
>
> I don't think Louis has said what MTA is involved, but if it's Postfix 2.3 or later, you just add the following line to main.cf:
>
>     smtpd_sasl_authenticated_header = yes
>
> And SA should then put all relays in X-Spam-Relays-Trusted and add ALL_TRUSTED (about -1.8 points) and not do any RBL checks. It's the RBL checks that could be the major problem because client IPs are naturally listed in DULs, and look like dynablocks.

I have that, and that indeed causes postfix to put in the authenticated-user header and SA processes it.

The problem is with spamass-milter. spamass-milter generates a synthetic Received: line for the message arriving, trying to be similar to the Received: line that the MTA will add when the message is actually received, so that SA can process the message normally.

The synthetic Received: line just needs to be similar to what postfix inserts with smtpd_sasl_authenticated_header=yes. This isn't wicked hard - it's just that no one has written the code, plus spamass-milter upstream seems to be dead.
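The difference the thread keeps returning to, shown as an added example (not code from any poster, Postfix, spamass-milter or SpamAssassin). The two headers are constructed, `evaluate_top_hop` and `our_mta` are hypothetical names, and the trust decision is a simplified model of what the posts describe rather than SpamAssassin's own logic.

```python
import re

# Constructed Received: headers (hosts, IPs and queue IDs are made up).
# WITH_AUTH is shaped like Postfix output with smtpd_sasl_authenticated_header = yes;
# WITHOUT_AUTH is the same hop with no authentication marker, standing in
# for a synthetic line that never learned about the SASL login.
WITH_AUTH = (
    "Received: from laptop.example.net (dyn-45.isp.example [203.0.113.45])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4F2A91C0D3;\n"
    "\tThu,  8 Jul 2010 10:00:00 -0400 (EDT)"
)
WITHOUT_AUTH = (
    "Received: from laptop.example.net (dyn-45.isp.example [203.0.113.45])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 4F2A91C0D3;\n"
    "\tThu,  8 Jul 2010 10:00:00 -0400 (EDT)"
)

CLIENT = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")
AUTH = re.compile(r"\(Authenticated sender:\s*([^)]+)\)")
BY = re.compile(r"\bby\s+(\S+)")


def parse_received(header):
    """Unfold one Received: header and pull out the fields that matter here."""
    line = re.sub(r"\r?\n[ \t]+", " ", header).strip()
    client, auth, by = CLIENT.search(line), AUTH.search(line), BY.search(line)
    return {
        "helo": client.group(1) if client else None,
        "ip": client.group(3) if client else None,
        "by": by.group(1) if by else None,
        "auth_user": auth.group(1).strip() if auth else None,
    }


def evaluate_top_hop(header, our_mta):
    """Simplified model of the decision discussed in the thread.

    The marker only counts on the hop written by our own MTA: Received:
    lines further down were supplied by the sender and can say anything.
    """
    hop = parse_received(header)
    trusted = hop["by"] == our_mta and hop["auth_user"] is not None
    return {"all_trusted": trusted, "rbl_check_ip": None if trusted else hop["ip"]}
```

With the marker present the dynamic client address is never handed to the RBL lookups; without it the same address is checked like any other unknown relay.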
Re: upgrade 3.2.1 to 3.2.5: dcc not working, headers not being added
>>>> I've upgraded from 3.2.1 to 3.2.5 on gentoo. It appears that dcc is broken. My messages no longer get the dcc header:
>>>
>>> First, did you know that 3.3.1 was released? Otherwise, why stop at 3.2.5?

>> On 04.07.10 07:24, Robert S wrote:
>> 3.3.1 is still marked as unstable by gentoo. I've downgraded back to 3.2.1 (which was working very well) and will probably wait until 3.3.* is marked as stable. I'd like to avoid these types of issues.

> I'm using 3.3.1 on gentoo. While I waited some time for upgrading from 3.2.5 (also marked as unstable that time, is it still?), I don't care much about gentoo port maintainer's opinion on this.

I'm beginning to see what you mean - I installed 3.2.5 a few days ago and it seems to be working well. 3.2.5 (gentoo) looks like a dud.
Re: SA checking of authenticated users' messages
On Wed, 7 Jul 2010, Louis Guillaume wrote:
>>> (spamass-milter doesn't tell SA about auth) == [ rbl checks run against authenticated user's IP address
>>> lack of ALL_TRUSTED for authenticated user's mail
>>
>> That last one seems to be my problem. Does the patch fix this? I'll try updating and see what happens.
>
> Hi Again!
>
> I just need to clarify one thing that's not clear to me in re-reading our thread from the other day: Is there a work-around for this? My users are getting restless. Every time their ISP changes their IP address I have to whitelist them!

Uh, I missed the original thread, so maybe this was explained, but why aren't the users sending mail through their ISP's SMTP server?

Presuming there is a good answer for this, then, have you considered just whitelisting based on the user's From: header? There's a trick to it: 90% of the time, spammers have a harvested address, but *don't* have the NAME portion of the user's From: header. So build a rule that matches their WHOLE 'From:' header, like this:

    header LOC_FROMOURUSER From =~ /^User Name theiraddr...@example.com/

Notice the absence of the commonly used 'i' flag on the regex. If they have quotes around their name, include them in the regex. The entire line should *exactly* match what the user's MUA generates.

The only thing that messes this up is when users have the annoying habit of changing their 'name' on their mail

Naturally, there is a small risk of having a spammer send a message with exactly that header, but really, how many of those will there be?

- Charles
Re: SA checking of authenticated users' messages
>>>> (spamass-milter doesn't tell SA about auth) == [ rbl checks run against authenticated user's IP address
>>>> lack of ALL_TRUSTED for authenticated user's mail
>>>
>>> That last one seems to be my problem. Does the patch fix this? I'll try updating and see what happens.

>> On Wed, 7 Jul 2010, Louis Guillaume wrote:
>> I just need to clarify one thing that's not clear to me in re-reading our thread from the other day: Is there a work-around for this? My users are getting restless. Every time their ISP changes their IP address I have to whitelist them!

On 08.07.10 10:21, Charles Gregory wrote:
> Uh, I missed the original thread, so maybe this was explained, but why aren't the users sending mail through their ISP's SMTP server?

apparently they are his (louis') customers and use mail address directed to his mailserver. In that case they should also use his SMTP server for outgoing mail.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
Flagged as spam but accepted
    2010-07-08 09:05:01 1OWqmi-0005N3-JU /*SA: Action: flagged as Spam but accepted: score=4.0 required=4.0 */(scanned in 0/0 secs | Message-Id: 20100708130436.52c7d1cb1...@mail.microton.com.br). From care...@habitat.com (host=NULL [189.26.124.122]) for a...@plexicomm.net

The above is a line from my Exim log file. Does anyone know under what conditions a message can be flagged as spam but accepted?

Thanks,
Adam
Re: Flagged as spam but accepted
On 7/8/2010 10:52 AM, Adam Moffett wrote:
>     2010-07-08 09:05:01 1OWqmi-0005N3-JU /*SA: Action: flagged as Spam but accepted: score=4.0 required=4.0 */(scanned in 0/0 secs | Message-Id: 20100708130436.52c7d1cb1...@mail.microton.com.br). From care...@habitat.com (host=NULL [189.26.124.122]) for a...@plexicomm.net
>
> The above is a line from my Exim log file. Does anyone know under what conditions a message can be flagged as spam but accepted?

That message did not come from SpamAssassin, but from some program that integrates SA with Exim.

Most spam filtering systems have two thresholds. Spam that crosses the first threshold (generally 5 points with SA), is accepted, but marked as spam in the subject line and/or the headers. These messages are generally sorted into a Spam folder for the user to reference if they are missing some expected mail. The second threshold is higher (usually 10-15 points) and causes the message to be rejected completely.

Note that SA only scores and marks up the message. It is up to your MTA or whatever glue program you are using to handle rejecting the message or delivering to a spam folder.

-- 
Bowie
Rescue spam mail
Hi, when arrived SPAM mail in log file I have, ie:

    Jul 8 16:46:24 mail amavis[32426]: (32426-08) SPAM, offertereg...@dominio.it - m.altam...@mydomain.com, Yes, hits=10.22 tag=1 tag2=5 kill=5 tests=AWL=1.163, BAYES_99=3.5, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.001, HS_INDEX_PARAM=0.001, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, quarantine spam-149393 (maia-spam-quarantine)

now if for me this mail isn't spam and I would rescue this mail from offertereg...@dominio.it for sending to m.altam...@mydomain.com. On another mail server I can do this operation with Maiamailguard interface but on this mail server I haven't this chance.

Thanks.

-- 
Salvatore.
Re: Rescue spam mail
On 08.07.10 17:11, Sasa wrote:
> Hi, when arrived SPAM mail in log file I have, ie:
>
>     Jul 8 16:46:24 mail amavis[32426]: (32426-08) SPAM, offertereg...@dominio.it - m.altam...@mydomain.com, Yes, hits=10.22 tag=1 tag2=5 kill=5 tests=AWL=1.163, BAYES_99=3.5, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.001, HS_INDEX_PARAM=0.001, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, quarantine spam-149393 (maia-spam-quarantine)
>
> now if for me this mail isn't spam and I would rescue this mail from offertereg...@dominio.it for sending to m.altam...@mydomain.com. On another mail server I can do this operation with Maiamailguard interface but on this mail server I haven't this chance.
>
> Thanks.

well, this has completely nothing to do with spamassassin. it's amavis or your MTA's issue.

Spamassassin is only responsible for checking if the mail is spam, and here amavis plugs between SA and MTA only to call some spamassassin functions.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
Re: Rescue spam mail
Matus UHLAR - fantomas wrote:
> well, this has completely nothing to do with spamassassin. it's amavis or your MTA's issue.
>
> Spamassassin is only responsible for checking if the mail is spam, and here amavis plugs between SA and MTA only to call some spamassassin functions.

therefore I must use amavisd-new functions for to rescue an spam mail ?

Thanks.

-- 
Salvatore.
Re: Rescue spam mail
On 08/07/10 16:44, Matus UHLAR - fantomas wrote:
> On 08.07.10 17:11, Sasa wrote:
>> Hi, when arrived SPAM mail in log file I have, ie:
>>
>>     Jul 8 16:46:24 mail amavis[32426]: (32426-08) SPAM, offertereg...@dominio.it - m.altam...@mydomain.com, Yes, hits=10.22 tag=1 tag2=5 kill=5 tests=AWL=1.163, BAYES_99=3.5, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.001, HS_INDEX_PARAM=0.001, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, quarantine spam-149393 (maia-spam-quarantine)
>>
>> now if for me this mail isn't spam and I would rescue this mail from offertereg...@dominio.it for sending to m.altam...@mydomain.com. On another mail server I can do this operation with Maiamailguard interface but on this mail server I haven't this chance.
>>
>> Thanks.
>
> well, this has completely nothing to do with spamassassin. it's amavis or your MTA's issue.
>
> Spamassassin is only responsible for checking if the mail is spam, and here amavis plugs between SA and MTA only to call some spamassassin functions.

If it is amavis, then you can use the amavisd-release command to release mail from the amavisd quarantine for delivery.

But as Matus said, this isn't a SpamAssassin issue so you should really direct your question to the amavisd-new or Maiamailguard support channels.
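Before releasing a quarantined message it helps to see which tests produced the score and which amavis levels it crossed. The following is an added example (not from any poster and not part of amavisd-new) that parses the log line quoted in this thread, in the form the archive shows it; the function names are hypothetical.

```python
import re

# Log line as quoted in this thread (the addresses are elided there too).
SAMPLE = (
    "Jul 8 16:46:24 mail amavis[32426]: (32426-08) SPAM, "
    "offertereg...@dominio.it - m.altam...@mydomain.com, Yes, hits=10.22 "
    "tag=1 tag2=5 kill=5 tests=AWL=1.163, BAYES_99=3.5, DCC_CHECK=2.17, "
    "DIGEST_MULTIPLE=0.001, HS_INDEX_PARAM=0.001, HTML_FONT_FACE_BAD=0.884, "
    "HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, "
    "RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, "
    "quarantine spam-149393 (maia-spam-quarantine)"
)

NUM = r"(-?\d+(?:\.\d+)?)"
LEVELS = re.compile(rf"hits={NUM} tag={NUM} tag2={NUM} kill={NUM}")
TESTS = re.compile(r"tests=(.*?)(?:, quarantine |$)")
ONE_TEST = re.compile(rf"([A-Z][A-Z0-9_]*)={NUM}")
QUARANTINE = re.compile(r"quarantine (\S+)")


def parse_amavis_line(line):
    """Extract score, levels, per-test scores and quarantine id from one line."""
    levels = LEVELS.search(line)
    if not levels:
        raise ValueError("no hits/tag/tag2/kill fields in line")
    hits, tag, tag2, kill = map(float, levels.groups())
    tests = TESTS.search(line)
    quarantine = QUARANTINE.search(line)
    return {
        "hits": hits, "tag": tag, "tag2": tag2, "kill": kill,
        "tests": {n: float(s) for n, s in ONE_TEST.findall(tests.group(1))} if tests else {},
        "quarantine_id": quarantine.group(1) if quarantine else None,
    }


def levels_crossed(rec):
    # tag: add X-Spam headers; tag2: mark as spam; kill: quarantine or block.
    return [name for name in ("tag", "tag2", "kill") if rec["hits"] >= rec[name]]


def top_tests(rec, n=3):
    """Highest-scoring tests first: the ones to review for a false positive."""
    return sorted(rec["tests"].items(), key=lambda kv: kv[1], reverse=True)[:n]


def score_is_consistent(rec, tolerance=0.005):
    """True when the listed test scores add up to the reported hits value."""
    return abs(sum(rec["tests"].values()) - rec["hits"]) <= tolerance
```

For the quoted line the score is dominated by BAYES_99 and DCC_CHECK, so Bayes training and bulk-mail checksums are the first things to look at if the message was legitimate.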
Re: Rescue spam mail
On tor 08 jul 2010 17:54:30 CEST, Sasa wrote
> therefore I must use amavisd-new functions for to rescue an spam mail ?

google mailzu-ng

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Rescue spam mail
or check http://www.artica.fr that include spamassassin+amavis+end-user mgmt

On 08/07/2010 23:28, Benny Pedersen wrote:
> On tor 08 jul 2010 17:54:30 CEST, Sasa wrote
>> therefore I must use amavisd-new functions for to rescue an spam mail ?
>
> google mailzu-ng