Re: localhost spamc[5898]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused

2016-10-17 Thread Benny Pedersen
glibc has IPv6 before IPv4 by default, so your error is just that spamd binds
to 127.0.0.1 and spamc uses localhost, which is IPv6 first, got it?


To solve it is nearly a FAQ.


On October 18, 2016 5:04:12 AM Chris  wrote:

> It goes on in my syslog to say
>
> Oct 17 12:45:18 localhost spamc[5898]: connect to spamd on ::1 failed,
> retrying (#1 of 3): Connection refused
> Oct 17 12:45:18 localhost spamd[3255]: spamd: connection from localhost
> [127.0.0.1]:36312 to port 783, fd 5
>
> This just started this afternoon at 12:45. It was fine at 11:42
>
> Oct 17 11:42:01 localhost spamd[15511]: spamd: connection from ip6-
> localhost [::1]:46178 to port 783, fd 5
>
> I see there was a rules update today at 12:02pm; any way that could have
> caused this?
>
> Chris
>
> --
> Chris
> KeyID 0xE372A7DA98E6705C
> 31.11972; -97.90167 (Elev. 1092 ft)
> 21:56:23 up 4 days, 10:39, 4 users, load average: 0.58, 0.36, 0.30
> Ubuntu 16.04.1 LTS, kernel 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12
> 13:48:03 UTC 2016
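The mismatch Benny describes can be reproduced without spamd at all. The block below is an added example (not code from this thread, from spamc or from SpamAssassin): it binds a throwaway TCP listener on 127.0.0.1 only, which is what a spamd that is not listening on ::1 looks like to a client, then walks a candidate address list the way a getaddrinfo()-based client does, ::1 first, and records each attempt. The candidate list, the listener and the port are constructed here; `resolve_order()` reports what the local resolver really returns for a name, which is the thing to check on the affected box.

```python
import errno
import socket


def resolve_order(host, port=783):
    """The (family, address) list the resolver hands a client for `host`, in
    the order a getaddrinfo()-based client such as spamc will try them. On a
    glibc system with IPv6 configured, 'localhost' usually yields ::1 first."""
    return [(fam.name, sockaddr[0])
            for fam, _type, _proto, _canon, sockaddr
            in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]


def start_listener(bind_addr):
    """Throwaway TCP listener on ONE loopback address, standing in for a spamd
    that listens on 127.0.0.1 only. Returns (socket, port); caller closes it."""
    family = socket.AF_INET6 if ":" in bind_addr else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))                 # port 0: let the kernel pick one
    srv.listen(5)
    return srv, srv.getsockname()[1]


def connect_like_spamc(candidates, port, timeout=1.0):
    """Walk the candidate addresses in order, as spamc walks the resolver's
    list, recording each outcome. Returns (address that worked or None, log)."""
    log = []
    for addr in candidates:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect((addr, port))
                log.append((addr, "connected"))
                return addr, log
        except OSError as exc:
            # ECONNREFUSED is the "Connection refused" in Chris's syslog line;
            # a box without an IPv6 loopback fails differently here, but still fails.
            reason = "Connection refused" if exc.errno == errno.ECONNREFUSED else str(exc)
            log.append((addr, reason))
    return None, log


def demo():
    """Reproduce the mismatch and both fixes. Returns {scenario: (winner, log)}."""
    results = {}
    # 1. spamd on 127.0.0.1 only, client tries ::1 first: the first attempt
    #    fails, the second succeeds -- the "failed, retrying (#1 of 3)" pattern.
    srv, port = start_listener("127.0.0.1")
    try:
        results["v4-only listener, ::1 first"] = connect_like_spamc(["::1", "127.0.0.1"], port)
        # 2. Client-side fix: pin the client to the IPv4 loopback.
        results["v4-only listener, client pinned to 127.0.0.1"] = connect_like_spamc(["127.0.0.1"], port)
    finally:
        srv.close()
    # 3. Server-side fix: a listener on ::1 accepts the IPv6 attempt outright
    #    (skipped on a box that has no IPv6 loopback).
    try:
        srv6, port6 = start_listener("::1")
    except OSError as exc:
        results["v6 listener, ::1 first"] = (None, [("::1", f"no IPv6 loopback here: {exc}")])
        return results
    try:
        results["v6 listener, ::1 first"] = connect_like_spamc(["::1"], port6)
    finally:
        srv6.close()
    return results
```

The two fixes are the ones the FAQ answer amounts to: pin the client to the IPv4 loopback (spamc's `-d 127.0.0.1`), or have spamd listen on ::1 as well as 127.0.0.1 (its `--listen-ip` option). `demo()` exercises both sides and skips the IPv6 listener where the box has no ::1.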


localhost spamc[5898]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused

2016-10-17 Thread Chris
It goes on in my syslog to say

Oct 17 12:45:18 localhost spamc[5898]: connect to spamd on ::1 failed,
retrying (#1 of 3): Connection refused
Oct 17 12:45:18 localhost spamd[3255]: spamd: connection from localhost
[127.0.0.1]:36312 to port 783, fd 5

This just started this afternoon at 12:45. It was fine at 11:42

Oct 17 11:42:01 localhost spamd[15511]: spamd: connection from ip6-
localhost [::1]:46178 to port 783, fd 5

I see there was a rules update today at 12:02pm; any way that could have
caused this?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
21:56:23 up 4 days, 10:39, 4 users, load average: 0.58, 0.36, 0.30
Ubuntu 16.04.1 LTS, kernel 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 
UTC 2016




Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Dianne Skoll
On Mon, 17 Oct 2016 19:11:29 -0400
Ruga  wrote:

> rfc 822 (the actual standard):

Which as I mentioned is obsolete, but I'll play with you...

> authentic = "From" ":" mailbox ; Single author / ...
> mailbox = addr-spec ; simple address  / phrase route-addr
> addr-spec = local-part "@" domain

And you left out the BNF of "phrase", didn't you?  Tsk tsk!

You can't pick and choose pieces of RFCs, you know.  They come as a package
deal.

TL;DR, the header:

   From:  "Dianne Skoll " 

is absolutely compliant with RFC-822 and its successors, RFC-2822 and
RFC-5322.

Regards,

Dianne.


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Dianne Skoll


On October 17, 2016 7:11:29 PM EDT, Ruga  wrote:
>rfc 822 (the actual standard):

Are you serious?  RFC 822 is decades obsolete, long since superseded by 2822 
and then by 5322.

Regards,

Dianne.



Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Paul Stead



On 17/10/16 23:52, Ruga wrote:

https://tools.ietf.org/html/rfc5322#section-3.6.2



  from=   "From:" mailbox-list CRLF

...
https://tools.ietf.org/html/rfc5322#section-3.4
...

---8<---
  mailbox =   name-addr / addr-spec

  name-addr   =   [display-name] angle-addr

  display-name=   phrase

  mailbox-list=   (mailbox *("," mailbox)) / obs-mbox-list


  Normally, a mailbox is composed of two parts: (1) an optional display
  name that indicates the name of the recipient (which can be a person
  or a system) that could be displayed to the user of a mail
  application, and (2) an addr-spec address enclosed in angle brackets
  ("<" and ">").  There is an alternate simple form of a mailbox where
  the addr-spec address appears alone, without the recipient's name or
  the angle brackets.  The Internet addr-spec address is described in
  section 3.4.1.

--
Paul Stead
Systems Engineer
Zen Internet


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
rfc 822 (the actual standard):

authentic = "From" ":" mailbox ; Single author / ...
mailbox = addr-spec ; simple address  / phrase route-addr
addr-spec = local-part "@" domain



On Tue, Oct 18, 2016 at 12:52 AM, Ruga <'r...@protonmail.com'> wrote:

https://tools.ietf.org/html/rfc5322#section-3.6.2




On Mon, Oct 17, 2016 at 2:18 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Sun, 16 Oct 2016 18:08:20 -0400
Ruga  wrote:

> In my servers, the above string is not RFC compliant,
> and therefore the whole mail is automatically
> rejected as SPAM.

Your servers fail in RFC comprehension. The message header:

From: "Dianne Skoll " 

is absolutely 100% RFC-compliant.

If you feel it is not, please cite the RFC that's violated, including
the specific section being violated.

Regards,

Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
https://tools.ietf.org/html/rfc5322#section-3.6.2




On Mon, Oct 17, 2016 at 2:18 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Sun, 16 Oct 2016 18:08:20 -0400
Ruga  wrote:

> In my servers, the above string is not RFC compliant,
> and therefore the whole mail is automatically
> rejected as SPAM.

Your servers fail in RFC comprehension. The message header:

From: "Dianne Skoll " 

is absolutely 100% RFC-compliant.

If you feel it is not, please cite the RFC that's violated, including
the specific section being violated.

Regards,

Dianne.

RE: Assistance needed

2016-10-17 Thread John Hardin

On Mon, 17 Oct 2016, Sue Mey wrote:

> Thank you for the help.

Please keep replies on-list so that others may benefit from the discussion 
and solution in the future.

> I have a 'Special Offers' section on my website and have been using those
> words and links for years without a problem. I do not use the word
> 'specialist' at all.
>
> After reading about the word 'specialist' earlier today, I removed the words
> 'Special Offers' and replaced text with 'this page', although the link still
> contains the words 'special offer'


"special offer" should not hit. The problem is the rule is looking for 
mangled "cialis" without considering word boundaries.


Were there any other problems reported? While that rule may hit, its score 
is currently 0.001 so it would not cause your email to be classified as 
spam.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 An operating system design that requires a system reboot in order to
 install a document viewing utility does not earn my respect.
---
 300 days since the first successful real return to launch site (SpaceX)
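The word-boundary problem John describes is easy to see with a regex. Below is an added example, not the actual SpamAssassin rule (whose pattern is not quoted in the thread): `MANGLED` is a constructed stand-in for a mis-spelled-cialis pattern, `unbounded()` applies it the way the rule in question evidently does, and `bounded()` wraps it in look-arounds that refuse to match inside a longer word. Look-arounds are used rather than `\b` because look-alike characters such as `@` and `$` are not word characters, so `\b` would fail exactly on the obfuscated spellings the rule exists to catch. The sample body lines are constructed.

```python
import re

# Constructed stand-in for a mis-spelled-"cialis" body rule (the real
# SpamAssassin rule text is not quoted in the thread). Each letter accepts a
# look-alike, and letters may be split by one space or punctuation character.
SEP = r"[\s._*-]?"
MANGLED = SEP.join([r"[ck]", r"[i1l!|]", r"[a@4]", r"[l1!|]", r"[i1!|]", r"[s5z$]"])

# The shape of a rule that hits "specialist": nothing stops it matching the
# six letters buried inside a longer word.
UNBOUNDED = re.compile(MANGLED, re.IGNORECASE)

# Corrected shape: the match may not be preceded or followed by a letter.
# Look-arounds rather than \b, because "@" or "$" standing in for a letter
# are non-word characters, and \b would then fail on a real obfuscation.
BOUNDED = re.compile(r"(?<![a-z])" + MANGLED + r"(?![a-z])", re.IGNORECASE)


def unbounded(text):
    """True if the boundary-less pattern finds a mangled 'cialis' anywhere."""
    return UNBOUNDED.search(text) is not None


def bounded(text):
    """True only when the mangled word stands on its own."""
    return BOUNDED.search(text) is not None


def compare(samples):
    """Run both patterns over sample body lines; {line: (unbounded, bounded)}."""
    return {s: (unbounded(s), bounded(s)) for s in samples}


# Constructed sample body lines: a woodworker's newsletter versus real obfuscation.
SAMPLES = [
    "I am a woodworker and designer, and a specialist in oak furniture.",
    "See our Special Offers page for this month's discounts.",
    "cheap c1@li$ no prescription",
    "buy C.I.A.L.I.S today",
]

if __name__ == "__main__":
    for line, (loose, strict) in compare(SAMPLES).items():
        print(f"unbounded={loose!s:5} bounded={strict!s:5}  {line}")
```

Only the first sample separates the two patterns: "specialist" trips the boundary-less version and nothing else, "Special Offers" trips neither, and the two obfuscated spellings trip both, which is the behaviour a rule-QA pass should demand before a score above advisory level is attached.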


Re: Assistance needed

2016-10-17 Thread John Hardin

On Mon, 17 Oct 2016, Sue Mey wrote:

> I did not find this question in FAQ
>
> I am doing a newsletter in GetResponse and receive the following in Spam
> check
>
> BODY: Uses a mis-spelled version of cialis.
>
> I am a woodworker and designer and I have no idea which word I am using that
> could possibly be a misspelt word for this drug!


Certain old rule sets could hit on "specialist" ...or, at least I 
*thought* they were old - that rule is apparently still live. I thought 
that had been fixed long ago. Even so, it's not scored at more than an 
advisory level.


Please post the message body you're trying to send, and if there are more 
details about the spam analysis than just that one line, please post that 
as well.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Vista: Windows ME for the XP generation.
---
 300 days since the first successful real return to launch site (SpaceX)


Assistance needed

2016-10-17 Thread Sue Mey
I did not find this question in FAQ

I am doing a newsletter in GetResponse and receive the following in Spam
check

BODY: Uses a mis-spelled version of cialis.

I am a woodworker and designer and I have no idea which word I am using that
could possibly be a misspelt word for this drug!

Any help will be appreciated

Best Regards

Sue Mey



Re: rbldnsd

2016-10-17 Thread Antony Stone
On Monday 17 October 2016 at 17:14:18, Bill Cole wrote:

> On 17 Oct 2016, at 9:04, Antony Stone wrote:
> > DNS runs over UDP, not TCP.
> 
> True AND false.

Agreed; thanks for the detailed clarification, however I was answering a 
question specifically about rbldnsd.

> A DNS server that does not speak TCP is not a complete DNS server. It
> may be adequate for purpose (a DNSBL may never have any answer larger
> than 512 bytes, for example) but that's a different thing.

Indeed.


Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.


Re: rbldnsd

2016-10-17 Thread Bill Cole

On 17 Oct 2016, at 9:04, Antony Stone wrote:

> DNS runs over UDP, not TCP.


True AND false.

Most DNS queries can be answered in a single UDP packet and so most 
queries are tried over UDP first. Traditionally, DNS answers over UDP 
were limited to 512 bytes, although modern extensions typically allow 
responses that fill a traditional Ethernet frame (1500 bytes, possibly 
reduced by intermediary VLAN tags or other constraints). Some answers 
are too long for whatever limit is in effect and so are sent in 
truncated form with the DNS 'truncated' flag set. Usually a client will 
then retry the query via TCP to get a complete reliable answer. In 
addition, all zone transfers are done over TCP.


A DNS server that does not speak TCP is not a complete DNS server. It 
may be adequate for purpose (a DNSBL may never have any answer larger 
than 512 bytes, for example) but that's a different thing.


Re: The real spoofing issue

2016-10-17 Thread RW
On Mon, 17 Oct 2016 16:30:43 +0200
Ralph Seichter wrote:

> On 17.10.16 15:45, RW wrote:
> 
> > Most of what SpamAssassin targets is RFC compliant. It would be
> > perfectly legitimate to score bogus addresses in the display name
> > if it proved useful.  
> 
> With "useful" being open to interpretation.

As with everything, "useful" comes from rule QA and feedback.

> Some of my customers
> are willing to accept a much higher degree of potential spam than
> others, to ensure that legitimate mail is less likely to be weeded
> out. Still, as long as the default SA scores are zero (or close to
> zero) it might be feasible to check if the decoded From-Header
> contains mismatching e-mail addresses. It could be a spoof attempt,
> it could be misconfigured software, but it could also be legitimate.

I'm not saying that it should be done; in my experience spammers don't
usually put email addresses there. My point is that RFC compliance is
irrelevant.


Re: The real spoofing issue

2016-10-17 Thread Ralph Seichter
On 17.10.16 15:45, RW wrote:

> Most of what SpamAssassin targets is RFC compliant. It would be
> perfectly legitimate to score bogus addresses in the display name
> if it proved useful.

With "useful" being open to interpretation. ;-) Some of my customers are
willing to accept a much higher degree of potential spam than others, to
ensure that legitimate mail is less likely to be weeded out. Still, as
long as the default SA scores are zero (or close to zero) it might be
feasible to check if the decoded From-Header contains mismatching e-mail
addresses. It could be a spoof attempt, it could be misconfigured
software, but it could also be legitimate.

-Ralph


Re: The real spoofing issue

2016-10-17 Thread Dianne Skoll
On Mon, 17 Oct 2016 14:45:11 +0100
RW  wrote:

> On Mon, 17 Oct 2016 15:20:27 +0200
> Ralph Seichter wrote:

> >   From: "John Doe " 

> > is perfectly legitimate. 

> but an unusual and rather silly thing to do.

As I mentioned, Yahoo Groups did something like this last time I checked.
They did it in order not to break DMARC, but still make the original sender
address visible.

> Most of what SpamAssassin targets is RFC compliant. It would be
> perfectly legitimate to score bogus addresses in the display name if
> it proved useful.

Yes, and spammers would move on to something like:

From: =?UTF-8?Q?John=20Doe=20=3Cjohn=E2=80=8B=40=E2=80=8Bdoe.org=3E?= 


To answer the obvious question, (0xE2 0x80 0x8B) is UTF-8 for a
zero-width space, meaning the mail reader would display an apparent
email address but no sane parser would extract an email address.
Making a parser that could cope with all the tricks in the Unicode
toolbox would be very hard.

Regards,

Dianne.


Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-17 Thread Bowie Bailey

On 10/15/2016 12:53 PM, Matus UHLAR - fantomas wrote:

> and immediately after implementing, those people and organizations would be
> surprised they block mail they should not block (see above).


No, it wouldn't block mail.  It would add a bit to the score.  If there 
are other spam signs, it might be blocked or delivered to a spam 
folder.  That's how SA works.  SA assigns positive scores to lots of 
things that are RFC compliant, but are more commonly seen in spam than 
in ham.  You almost never mark mail as spam based on only one or two rules.


I've lost track of who was the OP, but the answer to your questions seems 
to boil down to this:  No, there is no SA rule or plugin that will do 
what you want.  And while it may be a bad idea, feel free to create a 
custom plugin and give it a try.  If you get positive results, let us know.


My personal feeling is that a plugin like this might work well for a 
small mailserver where the number of exceptions would be manageable.  It 
probably would not be workable for a large mailserver with a diverse 
group of users.


--
Bowie


Re: The real spoofing issue

2016-10-17 Thread RW
On Mon, 17 Oct 2016 15:20:27 +0200
Ralph Seichter wrote:

> On 17.10.16 02:38, Benny Pedersen wrote:
> 
> > one could argue if From:Name and From:Addr have differing domains
> > its forged ?  
> 
> Which RFC defines "From:Name" and "From:Addr" (I don't see the terms
> in RFC5322), and where does it say that domain names must match if
> they are present? The header line
> 
>   From: "John Doe " 
> 
> is perfectly legitimate. 

but an unusual and rather silly thing to do.

> Guessing whether or not domains are related
> is not something I'd like a piece of software to do.

Most of what SpamAssassin targets is RFC compliant. It would be
perfectly legitimate to score bogus addresses in the display name if
it proved useful.


Re: R: rbldnsd

2016-10-17 Thread RW
On Mon, 17 Oct 2016 13:18:23 +
Nicola Piazzi wrote:

> THX Antony
> Service works, but now how can I address a query to this server?
> And how must the service name test be inserted in the query?

There are plenty of examples in the stock rules.
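Both questions in this sub-thread, Bill Cole's point that a UDP answer can come back truncated and then has to be repeated over TCP, and Nicola's question of how a query against the `test` zone is formed, can be shown in one small client. This is an added example, not rbldnsd's or SpamAssassin's own code: `dnsbl_qname()` builds the reversed-octet name a DNSBL lookup uses (`10.2.0.192.test.` for 192.0.2.10 against the zone rbldnsd was started with), `lookup()` sends it over UDP and falls back to TCP with the two-byte length prefix only when the TC flag is set, and `fake_answer()` constructs responses so the parsing can be exercised offline. The IP addresses, the zone name and the `127.0.0.2` verdict value are constructed sample data.

```python
import random
import socket
import struct


def dnsbl_qname(ip4, zone):
    """Query name for a DNSBL lookup: IPv4 octets reversed, then the zone.
    For 192.0.2.10 against zone 'test' this is '10.2.0.192.test.'."""
    octets = ip4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip4!r}")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def build_query(qname, qtype=1, txid=None):
    """Serialise a one-question DNS query with RD set (qtype 1 = A, 16 = TXT)."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; 'tc' is the truncation flag Bill describes."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def _skip_name(msg, off):
    """Advance past a domain name, compressed (pointer) or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_records(msg):
    """IPv4 strings of the A records in the answer section (the DNSBL verdict)."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    found = []
    for _ in range(hdr["ancount"]):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return found


def fake_answer(query, ips=(), truncated=False):
    """Constructed response for offline use: echoes the question and adds one
    A record per IP, naming each via a pointer to the question at offset 12."""
    txid, _flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8180 | (0x0200 if truncated else 0)
    out = struct.pack("!HHHHHH", txid, flags, qd, len(ips), 0, 0) + query[12:]
    for ip in ips:
        out += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        out += bytes(int(o) for o in ip.split("."))
    return out


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS/TCP peer closed before the full message")
        buf += chunk
    return buf


def lookup(qname, server="127.0.0.1", port=53, timeout=2.0):
    """UDP first; if the reply has TC set, repeat over TCP with the two-byte
    length prefix RFC 1035 requires. Returns (header dict, list of A records)."""
    query = build_query(qname)
    txid = parse_header(query)["id"]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, port))
        resp, _ = udp.recvfrom(4096)
    if parse_header(resp)["id"] != txid:
        raise ValueError("transaction id mismatch on UDP reply")
    if parse_header(resp)["tc"]:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp:
            tcp.settimeout(timeout)
            tcp.connect((server, port))
            tcp.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
            resp = _recv_exact(tcp, length)
    return parse_header(resp), a_records(resp)
```

Against the rbldnsd started in this thread, `lookup(dnsbl_qname("192.0.2.10", "test"))` asks the same question as `dig @127.0.0.1 10.2.0.192.test`; a listed address comes back with an A record in 127.0.0.0/8, an unlisted one with rcode 3 (NXDOMAIN). In SpamAssassin the same lookup is expressed through the `check_rbl` eval in a `header` rule, which is what the stock rule files RW points at show.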


Re: R: rbldnsd

2016-10-17 Thread Axb

This is OT on this list.


here is all the info:

http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html

if you need more hand holding, please use the rbldnsd list




On 10/17/2016 03:18 PM, Nicola Piazzi wrote:

> THX Antony
> Service works, but now how can I address a query to this server?
> And how must the service name test be inserted in the query?
> usr/sbin/rbldnsd -n -b localhost/53 test:ip4tset:/rbldnsd/test.txt
>
>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna – Italia
> Tel.  +39 051.6079.293
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
>
>
> -Original Message-
> From: Antony Stone [mailto:antony.st...@spamassassin.open.source.it]
> Sent: Monday 17 October 2016 15:04
> To: users@spamassassin.apache.org
> Subject: Re: rbldnsd
>
> On Monday 17 October 2016 at 15:00:08, Nicola Piazzi wrote:
>
> > Does someone use rbldnsd to create a personal RBL?
> > I am unable to bind to port 53 (and other ports)
>
> Oh?
>
> > I start it and it tells me that it binds:
> >
> > [root@EFALIST rbldnsd]# ./start.sh
> > rbldnsd: listening on ::1/53
> > rbldnsd: listening on 127.0.0.1/53
>
> So, it's listening on port 53, both IPv4 and IPv6.
>
> > rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
> > rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131
> > mmap=0 Kb rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2
> > socket(s), 1
> > zone(s))
>
> Looks happy to me.
>
> > But when I IP-scan this host I find open only ports that belong to
> > other services and not 53:
> >
> > [root@EFALIST ~]#  nmap -sT -O localhost
>
> Try U instead of T.
>
> DNS runs over UDP, not TCP.
>
>
> Antony.
>
> --
> I wasn't sure about having a beard at first, but then it grew on me.
>
>    Please reply to the list;
>  please *don't* CC me.






Re: The real spoofing issue

2016-10-17 Thread Ralph Seichter
On 17.10.16 02:38, Benny Pedersen wrote:

> one could argue if From:Name and From:Addr have differing domains its
> forged ?

Which RFC defines "From:Name" and "From:Addr" (I don't see the terms in
RFC5322), and where does it say that domain names must match if they are
present? The header line

  From: "John Doe " 

is perfectly legitimate. Guessing whether or not domains are related is
not something I'd like a piece of software to do.

-Ralph
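The disagreement in this thread, and Dianne's zero-width-space header further up in "Re: The real spoofing issue", comes down to two separate operations: parsing the header structurally, which yields display-name and addr-spec exactly as RFC 5322 section 3.4 defines them, and then deciding whether the decoded display name looks like an address to a human. The following is an added example, not SpamAssassin code: it uses Python's standard-library parser on constructed headers, one of them built from the RFC 2047 encoded word Dianne quoted (`=?UTF-8?Q?John=20Doe=20=3Cjohn=E2=80=8B=40=E2=80=8Bdoe.org=3E?=`). The addr-specs (`real-sender@other.example` and the others) are constructed, since the thread's own were stripped in the archive. `mismatched_domains()` is the check Benny and RW discuss, written as a score input rather than a rejection rule.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# What a reader perceives as an e-mail address inside free text.
ADDR_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(raw_value):
    """Structural split first (phrase + angle-addr, RFC 5322 section 3.4), then
    decode RFC 2047 encoded words in the display name. In this order the real
    addr-spec can never be confused with whatever the phrase is made to show."""
    name, addr = parseaddr(raw_value)
    name = str(make_header(decode_header(name)))
    return name, addr


def visible_text(name):
    """Approximate what a reader sees: NFKC-normalise and drop Unicode format
    characters (category Cf), which is where U+200B ZERO WIDTH SPACE lives."""
    name = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def display_name_addresses(name, fold=True):
    """Address-looking strings in a display name. fold=False searches the raw
    decoded text, which is what a naive extractor does and why a zero-width
    space inside the local part or domain hides the address from it."""
    return ADDR_LIKE.findall(visible_text(name) if fold else name)


def mismatched_domains(raw_value):
    """Address-looking strings in the display name whose domain differs from
    the real addr-spec's domain. Meant as a low-weight score input: the
    pattern is RFC-compliant and sometimes legitimate (the list-rewriting case
    Dianne mentions), so an empty list means 'nothing to note', not 'clean'."""
    name, addr = split_from(raw_value)
    if "@" not in addr:
        return []
    real_domain = addr.rsplit("@", 1)[1].lower()
    return [a for a in display_name_addresses(name)
            if a.rsplit("@", 1)[1].lower() != real_domain]


# Constructed samples (the thread's real addr-specs were stripped in the archive).
PLAIN = '"John Doe <john@doe.example>" <real-sender@other.example>'
ENCODED = ("=?UTF-8?Q?John=20Doe=20=3Cjohn=E2=80=8B=40=E2=80=8Bdoe.org=3E?="
           " <real-sender@other.example>")
LEGIT = '"Dianne Skoll" <dianne@example.org>'
SAME_DOMAIN = '"Bob <bob@example.org>" <bob@example.org>'


def report(samples=(PLAIN, ENCODED, LEGIT, SAME_DOMAIN)):
    """Per sample: decoded display name, real address, naive and folded finds."""
    rows = []
    for raw in samples:
        name, addr = split_from(raw)
        rows.append({
            "display_name": name,
            "addr_spec": addr,
            "naive": display_name_addresses(name, fold=False),
            "folded": display_name_addresses(name),
            "mismatch": mismatched_domains(raw),
        })
    return rows
```

For the encoded sample, `display_name_addresses(name, fold=False)` finds nothing, which is Dianne's point: the zero-width space breaks a naive extractor while the reader still sees `john@doe.org`. Dropping format characters recovers that one trick and no more; homoglyphs and the rest of the Unicode toolbox are untouched, so a score derived from this should stay low, and a legitimate Yahoo Groups-style rewrite will hit it just the same.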


R: rbldnsd

2016-10-17 Thread Nicola Piazzi
THX Antony
Service works, but now how can I address a query to this server?
And how must the service name test be inserted in the query?
usr/sbin/rbldnsd -n -b localhost/53 test:ip4tset:/rbldnsd/test.txt


Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-Original Message-
From: Antony Stone [mailto:antony.st...@spamassassin.open.source.it] 
Sent: Monday 17 October 2016 15:04
To: users@spamassassin.apache.org
Subject: Re: rbldnsd

On Monday 17 October 2016 at 15:00:08, Nicola Piazzi wrote:

> Does someone use rbldnsd to create a personal RBL?
> I am unable to bind to port 53 (and other ports)

Oh?

> I start it and it tells me that it binds:
> 
> [root@EFALIST rbldnsd]# ./start.sh
> rbldnsd: listening on ::1/53
> rbldnsd: listening on 127.0.0.1/53

So, it's listening on port 53, both IPv4 and IPv6.

> rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
> rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131 
> mmap=0 Kb rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2 
> socket(s), 1
> zone(s))

Looks happy to me.

> But when I IP-scan this host I find open only ports that belong to 
> other services and not 53:
> 
> [root@EFALIST ~]#  nmap -sT -O localhost

Try U instead of T.

DNS runs over UDP, not TCP.


Antony.

--
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.


Re: rbldnsd

2016-10-17 Thread Antony Stone
On Monday 17 October 2016 at 15:00:08, Nicola Piazzi wrote:

> Does someone use rbldnsd to create a personal RBL?
> I am unable to bind to port 53 (and other ports)

Oh?

> I start it and it tells me that it binds:
> 
> [root@EFALIST rbldnsd]# ./start.sh
> rbldnsd: listening on ::1/53
> rbldnsd: listening on 127.0.0.1/53

So, it's listening on port 53, both IPv4 and IPv6.

> rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
> rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131 mmap=0
> Kb rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2 socket(s), 1
> zone(s))

Looks happy to me.

> But when I IP-scan this host I find open only ports that belong to other
> services and not 53:
> 
> [root@EFALIST ~]#  nmap -sT -O localhost

Try U instead of T.

DNS runs over UDP, not TCP.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.


rbldnsd

2016-10-17 Thread Nicola Piazzi
Does someone use rbldnsd to create a personal RBL?
I am unable to bind to port 53 (and other ports)

I start it and it tells me that it binds:

[root@EFALIST rbldnsd]# ./start.sh
rbldnsd: listening on ::1/53
rbldnsd: listening on 127.0.0.1/53
rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131 mmap=0 Kb
rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2 socket(s), 1 zone(s))

But when I IP-scan this host I find open only ports that belong to other 
services and not 53:

[root@EFALIST ~]#  nmap -sT -O localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-17 14:56 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.52s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
25/tcp open  smtp
No exact OS matches for host (If you know what OS is running on it, see 
http://nmap.org/submit/ ).
TCP/IP fingerprint: