Christoph Kuhle (Expat Email Ltd) wrote:
> I have spamdyke, with Atomic Secured Linux as well, protecting a server, and
> it works well generally, stopping about 50% of emails (I note that some
> people have reported 90+% Spam statistics).  I have just run a DNSStuff
> Anti-Spam Filtering Test.  It got through:
> 
> "This is a test message that was sent to you because you or someone you know
> visited the DNSstuff Mail Server Test Center and ran an anti-spam test
> against this email address.
> This email message contains a forged received header with a blacklisted
> IP Address.
> If you received this message without a spam warning or notification, we
> recommend you perform the following steps:
> 1.    Contact your email administrator.
> 2.    If you are the email administrator, review your current anti-spam
> settings, and insure that the latest updates are applied and that your spam
> filtering software is enabled."
> 
> Because it has a forged received header and a blacklisted IP address, I
> would like it to be rejected, naturally.  maillog said:
> Aug 26 08:09:29 plesk2 spamdyke[20992]: ALLOWED from:
> emailavt...@dnsstuff.com to: m...@mydomain.com origin_ip: 75.125.82.251
> origin_rdns: gold.dnsstuff.com auth: (unknown)
> 
> and the email header says:
> 
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>       plesk2.ourdomain.co.uk
> X-Spam-Level: 
> X-Spam-Status: No, score=-1.0 required=4.0 tests=BAYES_00,HTML_MESSAGE,
>       HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_MID autolearn=no
> version=3.2.5
> Received: (qmail 21000 invoked from network); 26 Aug 2009 08:09:30 +0100
> Received: from gold.dnsstuff.com (HELO main) (75.125.82.251)
>   by plesk2.ourdomain.co.uk with SMTP; 26 Aug 2009 08:09:29 +0100
> Received-SPF: pass (plesk2.ourdomain.co.uk: SPF record at dnsstuff.com
> designates 75.125.82.251 as permitted sender)
> Received: from forgedsnd.example.com ([127.0.0.2]) by forgedrcv.example.com
>  with fakesvc; Thu, 13 Aug 2009 07:30:02
> To: m...@mydomain.com
> From: "DNSstuff Mail Server Test Center" <sa...@dnsstuff.com>
> Subject: DNSstuff Mail Server Test Center - Anti-Spam Test Message
> Date: Wed, 26 Aug 2009 07:09:14 +0000
> MIME-Version: 1.0
> Content-Type: text/html; charset="US-ASCII"
> Content-Disposition: inline

Spamdyke is doing exactly what it should be doing, it's the test that's
flawed. RBL checks should only ever be done against the connecting IP,
not against any other IPs further up the Received chain. Checking
against any other IPs would result in false positives. For example, you
use zen.spamhaus.org which contains dynamic IP ranges, because you don't
want to accept mail directly from dynamic IPs, but you still do want to
receive mail legitimately sent from those users via their ISP's mail server.

Have a look at a few mail headers, you'll see plenty that have private IP
space and all kinds of other stuff in the Received headers due to the
internal processing of people's mail systems. To say that a mail should
be blocked just because it has "127.0.0.2" in a Received header is just
plain wrong.

> My spamdyke config file is:
> [r...@plesk2 ~]# cat /etc/spamdyke.conf
> #Plesk-Addon
> #use log-level=verbose to see which dnsrbls triggered. use info for normal
> level. use debug ## for loads of stuff.
> log-level=info
> #idle-timeout-secs=180
> local-domains-file=/var/qmail/control/rcpthosts
> tls-certificate-file=/var/qmail/control/servercert.pem
> #AUTH FROM xinetd-conf
> smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
> /var/qmail/bin/cmd5checkpw /bin/true
> smtp-auth-level=ondemand-encrypted
> ## the following url gets put in all rejection messages so people who get
> false positives
> ## know where to go for help:
> policy-url=http://emailitis.com/index_files/spam_rejection.html
> 
> graylist-level=always
> graylist-dir=/var/qmail/spamdyke/greylist
> #GREYLIST MINIMUM = 5 Min
> graylist-min-secs=300
> #GREYLIST MAX = 3 Months
> graylist-max-secs=1814400
> sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
> recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
> ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
> ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
> rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
> ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
> sender-whitelist-file=/var/qmail/spamdyke/whitelist_senders
> greeting-delay-secs=5
> #RBL BLOCKLISTS
> dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=bl.spamcop.net
> dns-blacklist-entry=bogons.cymru.com
> reject-missing-sender-mx
> reject-empty-rdns
> reject-unresolvable-rdns
> [r...@plesk2 ~]#
> 
> Listening to these posts, I guess that there are a LOT more complex settings
> that I could or should have in my config.  Can anyone advise what setting(s)
> might prevent similar emails from getting through next time?

That config looks pretty tight to me, I wouldn't worry.

Cheers,
Dave
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
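Dave's point above (check DNSBLs against the connecting IP only, never against IPs found further up the Received chain) can be made concrete with a small script. This is an added example, not spamdyke's code and not anything posted in the thread: it unfolds a set of headers modelled on the ones Christoph quoted, extracts every IP from the Received lines, builds the reversed-octet DNSBL query names, and compares the correct policy (query the socket's peer address only) with the policy the DNSStuff test expects (query every address in the chain). Lookups go to a constructed stub table rather than real DNS so the example runs offline; the only entry in it is 127.0.0.2, which DNSBLs list on purpose as a test address. The connecting IP value and the header text are constructed sample data.

```python
"""
Why DNSBL checks belong on the connecting IP only.

Added example (not spamdyke code). Uses a stub resolver so it runs offline.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample, modelled on the headers quoted in the thread.
SAMPLE_HEADERS = """\
Received: (qmail 21000 invoked from network); 26 Aug 2009 08:09:30 +0100
Received: from gold.dnsstuff.com (HELO main) (75.125.82.251)
  by plesk2.ourdomain.co.uk with SMTP; 26 Aug 2009 08:09:29 +0100
Received: from forgedsnd.example.com ([127.0.0.2]) by forgedrcv.example.com
 with fakesvc; Thu, 13 Aug 2009 07:30:02
From: "DNSstuff Mail Server Test Center" <sender@dnsstuff.com>
"""

# The address the SMTP session actually came from (spamdyke's "origin_ip").
# In production this comes from the socket, never from a header. Sample value.
CONNECTING_IP = "75.125.82.251"

DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "bogons.cymru.com"]

# Stub resolver table (constructed). 127.0.0.2 is the conventional DNSBL
# test entry; nothing else is listed here, so real listings are not implied.
STUB_A_RECORDS: Dict[str, str] = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
}

Resolver = Callable[[str], Optional[str]]


def stub_resolve(name: str) -> Optional[str]:
    """Stand-in for an A-record lookup against the DNSBL zone."""
    return STUB_A_RECORDS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the dotted quad and append the zone (IPv4 only here)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_in(ip: str, zones: List[str], resolve: Resolver) -> List[str]:
    """Return the zones that answer for this IP (an answer means 'listed')."""
    return [z for z in zones if resolve(dnsbl_query_name(ip, z)) is not None]


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw: str) -> List[str]:
    """Every syntactically valid IPv4 address found in Received: headers."""
    found: List[str] = []
    for header in unfold_headers(raw):
        if not header.lower().startswith("received:"):
            continue
        for cand in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", header):
            try:
                ipaddress.IPv4Address(cand)
            except ValueError:
                continue
            found.append(cand)
    return found


def non_global_received_ips(raw: str) -> List[str]:
    """Loopback/private/reserved addresses in the chain: normal, not evidence."""
    return [ip for ip in received_ips(raw)
            if not ipaddress.IPv4Address(ip).is_global]


def verdict_connecting_ip_only(connecting_ip: str, zones: List[str] = DNSBL_ZONES,
                               resolve: Resolver = stub_resolve) -> dict:
    """Correct policy: only the peer that opened the SMTP session is checked."""
    hits: List[Tuple[str, str]] = [(connecting_ip, z)
                                   for z in listed_in(connecting_ip, zones, resolve)]
    return {"verdict": "REJECTED" if hits else "ALLOWED", "hits": hits}


def verdict_whole_chain(raw_headers: str, zones: List[str] = DNSBL_ZONES,
                        resolve: Resolver = stub_resolve) -> dict:
    """Flawed policy: trusts sender-controlled Received headers as evidence."""
    hits: List[Tuple[str, str]] = []
    for ip in received_ips(raw_headers):
        hits += [(ip, z) for z in listed_in(ip, zones, resolve)]
    return {"verdict": "REJECTED" if hits else "ALLOWED", "hits": hits}


if __name__ == "__main__":
    print("connecting IP only:", verdict_connecting_ip_only(CONNECTING_IP))
    print("whole Received chain:", verdict_whole_chain(SAMPLE_HEADERS))
    print("non-global addresses in chain:", non_global_received_ips(SAMPLE_HEADERS))
```

Run as-is, the connecting-IP policy returns ALLOWED with no hits, which matches the `spamdyke ... ALLOWED ... origin_ip: 75.125.82.251` log line, while the whole-chain policy returns REJECTED solely because of the forged `127.0.0.2` header, an address any sender can write into a message. The `non_global_received_ips` helper shows why the chain is unreliable even without a DNSBL: loopback and private-range addresses turn up routinely from internal relays.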