Heya folks,

First of all, sorry if this isn't the correct list, but I think spam is a kind of network attack and should be treated as a security issue. I run a working mail server using Postfix, MySQL, Courier-IMAP, SpamAssassin and ClamAV (amavisd-new).

I've checked the configuration file for SpamAssassin, but I haven't found any good solution for spam. Sure, spam will always be a problem and I guess it's impossible to filter 100% of all spam.

Currently, I've made a filter in my mail client which moves all mails with a header containing "Spam-Level: ***" to a "spam" directory. For the last 2 months, spam and spam only has been triggered/filtered, so I think it's quite useful. Yet it does still send the mail: if it's triggered as spam, why does it even send it to the mailbox instead of just blocking it? I assume that's because of a bad configuration made by myself.

Also, a lot of mail which is spam is not triggered as spam. Is it possible to improve SpamAssassin to filter more mails? Like the way an antivirus program works (having IDs for each virus), does SpamAssassin have any "spam IDs" or something similar to make it filter new mails?

Once again, sorry if this mail has been sent to the wrong list, and sorry for asking a lot of questions which might already be documented.

Regards,
Jesper Wallin

Hi.

To begin with, this email should rather go to the ISP list.

My advice is to run Exim on your email gateway. I've tested and run postfix, messagewall, qmail+qmailscanner and mailscanner, and exim is just the best stuff ever. Not only is it way faster than the perl-based messagewall, amavisd, mailscanner etc., but it also has neat stuff like making connections back to the sender's MX, checking for the validity of the sender's email. Since most of the spam is sent with a forged reply-to address, this is one heck of an anti-spam solution.

Additionally you should use RBLs to check your emails, and regular expressions to filter out certain attachment types. Spamassassin can use Bayesian classification to help you perform scanning more efficiently. Search for razor in the ports too. There are many howtos around about that.

I personally run Exim on my email router/gw and postfix on my "real" email server.

Cheers,
YazzY

On Thu, 13 May 2004 03:00:12 +0200 (CEST) "Jesper Wallin" <z3l3zt@hackunite.net> wrote:
> [...]

At 09:00 PM 05/12/04, Jesper Wallin wrote:
> Heya folks
>
> First of all, sorry if this isn't the correct list, but yet, I think spam
> is a kind of network attack and should be treated as a security issue..

A much better place to ask would be the spamassassin mailing list. Send mail to spamassassin-users-subscribe at incubator.apache.org to subscribe.

> I run a working mail server using Postfix, MySQL, Courier-IMAP, SpamAssassin
> and ClamAV (amavisd-new) ..
>
> [...]
>
> Currently, I've made a filter in my mail client which move all mails with
> a header containing "Spam-Level: ***" to a "spam" directory.. [...] yet, it
> does send the mail.. if it's triggered spam, why does it even send it to the
> mailbox instead of just blocking it? I assume that's because of a bad
> configuration made by myself..

This is a fundamental misunderstanding of SpamAssassin's purpose. It is a filter that marks mail as spam; it does not delete or "block" it. Usually one uses something like procmail as a local delivery agent (or similar) that does the actual deleting or, more usually, directs it to a separate spam mailbox. Deleting all email marked as spam is usually not considered wise because of the possibility of false positives. More common is to mark the lower scoring spam as SPAM and deliver it, and only delete (or maybe archive for some time) the high scoring spam.

> Also, a lot of mail which is spam is not triggered as spam, is it possible
> to improve spamassassin to filter more mails? Like, the way a antivirus
> program works, (have ids for each virus),

Yes, read the SpamAssassin FAQ and Wiki (and the mailing list archives) and you will find ways. See http://www.spamassassin.org

> does spamassassin has any "spam ids" or something similar to make it
> filter new mails?

Sort of; see the FAQ and Wiki.

Regards,
Lyle Evans
lyle@rackears.com
rackmount brackets for many networking and ISP equipment chassis
http://www.rackears.com

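As an added illustration of the delivery policy Lyle describes (deliver ordinary tagged spam to a spam folder, set aside only the very high scorers), here is a procmail recipe set; it is not from the thread, and it assumes SpamAssassin has already added its X-Spam-* headers, that procmail is the local delivery agent, and that mail lives in Maildir folders under $HOME/Maildir.

```procmail
# ~/.procmailrc (added example; assumes SpamAssassin headers are already present
# and that $HOME/Maildir/.Spam/ and $HOME/Maildir/.Quarantine/ are Maildir folders)
PATH=/usr/local/bin:/usr/bin:/bin
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
LOGFILE=$HOME/.procmail.log

# 1. Very high score (15 or more stars in X-Spam-Level): almost certainly spam.
#    Quarantine it rather than deleting it, so a false positive can still be
#    recovered; expire the folder separately (a cron job) after a few days.
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
$MAILDIR/.Quarantine/

# 2. Anything else SpamAssassin flagged: still deliver, but into the Spam folder,
#    so the user can review it instead of the mail silently disappearing.
:0
* ^X-Spam-Status: Yes
$MAILDIR/.Spam/

# 3. Everything that matched neither recipe falls through to DEFAULT (the inbox).
```

The order matters: the high-score recipe must come first, because a 15-star message also carries "X-Spam-Status: Yes" and would otherwise land in the ordinary Spam folder.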
On Wed, 2004-05-12 at 21:00, Jesper Wallin wrote:
> I've checked the configuration file for SpamAssassin, but yet I havn't find any good
> solution for spam.. Sure, spam will always be a problem and I guess it's impossible to
> filter 100% of all spam..

Jesper:

I recently switched from SpamAssassin to an open source program called DSPAM (http://www.nuclearelephant.com/projects/dspam/). It works differently than SpamAssassin in that it processes each message that comes in and creates a DSPAM signature, which it puts in the header of each e-mail, along with headers specifying whether it thought the e-mail was spam or innocent, and the spam probability of the e-mail.

DSPAM starts off without filtering out anything, but the way it works is through "training." You set up an e-mail alias for all your spam and false positives on your server, and you forward spam that wasn't marked as spam to the spam alias, and the same for false positives. DSPAM then checks the e-mail for any existing DSPAM signature, matches it against a database, and records what you marked it as. It then uses the Bayes algorithm of probability to detect any incoming e-mail's likelihood of being considered spam based on your habits of marking spam.

It works extremely well, but it takes a while to train. I've had mine up for three days now, and it is increasing in accuracy with each day. You just have to make sure that you forward all your e-mails to the spam alias when you receive them, and all false positives as well, or else it will be worthless.

Check out the web site, maybe it will help explain it a bit more. One note: the documentation is not that good, so setup could be a bit of a hassle.

James Stephenson

OpenBSD has a great tool called spamd. When used in conjunction with pf, you can redirect spammers to a spam proxy which uses very little of your memory and CPU time, but tries to use as much of theirs as possible. That way, spam from computers on RBLs is blocked directly instead of wasting your time and possibly bandwidth. Of course, if you have qualms about using RBLs (as I do, for instance), you'll have to let the mail deliver.

I use a spam blocker called CRM114. It requires only 100K or so of training to achieve impressive filtering rates. It's been quite successful so far: I haven't seen a real false positive in months, and the only spam to get through in that time was one new one I'd never seen before, and some of those one-line virus things (I can't afford to block .zip attachments wholesale). I'm considering taking Harvard off my whitelist and using it to filter out spam-like list submissions.

My main reservation about recommending CRM114 is that its datafiles are rather large. Mine are 25 megabytes just for my account, although 2M/account is easily doable if you need space. Still, this would be infeasible for a large site. You can also share the datafiles, but this would be rather tricky to do well, especially as mail mixes tend to be unique to the user.

The default is just to tag mail as spam, but as with SpamAssassin, you can set up .procmailrc or the like to block it outright. It still uses your processor time and bandwidth, though.

Mike Hamburg

P.S. I use qmail, and I like it, but I'm not a mailserver zealot. So long as it's not Sendmail :-)

On May 12, 2004, at 9:00 PM, Jesper Wallin wrote:
> [...]

Take a look here: http://www.merchantsoverseas.com/wwwroot/gorilla

Then let's try the attached script and patch, which may not be up to date.

PS: I don't use it since my machine is too slow and this makes mimedefang give up (timeout) too often.

Cyrille Lefevre
--
mailto:cyrille.lefevre@laposte.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sa_rules.patch
Type: text/x-patch
Size: 9681 bytes
Desc:
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040513/d9a18622/sa_rules.bin

> Heya folks
>
> First of all, sorry if this isn't the correct list, but yet, I think spam
> is a kind of network attack and should be treated as a security issue..
> I run a working mail server using Postfix, MySQL, Courier-IMAP,
> SpamAssassin and ClamAV (amavisd-new)...
>
> Regards,
> Jesper Wallin

I'm trying to solve the spam problem on my email server too. I'm glad to share my and your ideas on the topic. At the moment I can suggest the following:

1) use a Realtime Black List (see http://spamhaus.org for example);
2) use Sender Policy Framework (see http://spf.pobox.com);
3) accept email only after the sender has confirmed your reply;
4) use spamassassin;

N.B.: only 1 and 2 save your bandwidth, as the SMTP transaction is blocked if necessary.

Any comments are welcome.

Regards,
Roberto

I use postfix with mysql, which forwards mail to a content filter (amavisd-new) which does the virus scanning and spam detection. Using SpamAssassin I have DCC, Razor, and Bayesian learning. All mail is forwarded through unless it's a virus --> onto Cyrus; then I have Sieve read the mail headers to filter all spam into a junk folder. If spam still comes through I just have all my customers forward the mail to report-spam@domain.tld. A cron job runs at 6am every morning to learn from these spam emails and put them into the Bayesian database.

I only use one RBL, which is relays.ordb.org. I don't like RBLs really because they have some pretty idiotic policies, not to mention they're so secretive.

Spam really isn't a threat - it's more annoying than anything else - some customers like to read through it sometimes - I can't stop them if they want to. Yet every two days, all mail that's in the junk folder is automatically purged.

Regards,
Patrick

It's half off topic, half not. Something has to be done, and it takes technical skills and knowledgeable people to handle the issues. At least this is how I reason when deciding where to ask.

I started an anti-spam project on my own. At some point others offered to help, but we all know boring real life shuts down all the enthusiasm.

M.Jessa> Not only it's way faster than perl based messagewall, amavisd and
M.Jessa> mailscanner etc but it also has neat stuff like making connections
M.Jessa> back to the sender's MX checking for validity of the sender's
M.Jessa> email.

So far I can only release this code. It implements exactly what was mentioned about exim. I use it with qmail because qmail is what I have, but it can be used with postfix/sendmail with ease. So now not only exim can do that hack. I just wanted to make the code available so users can benefit from it (hopefully).

PS - this is how I use it, in the .qmail file (everything after the | is on a single line):

| /usr/local/bin/check /usr/local/bin/safecat /path/to/Maildir/tmp /path/to/Maildir/new

Hope there are not many bugs.

Yours Sincerely,
--
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

-------------- next part --------------
/*
 * The MX query routines are Copyrighted (C) 2004 by HL Combrinck and are
 * licensed under GPL (see below), and they provide "Sample C code to
 * resolve MX records for an address".
 *
 * This program is derivative work based on his original functions, and is
 * distributed under the following terms:
 *
 * LICENSE:
 *
 * The program provides functions for testing if an e-mail address was
 * faked by a spammer or it's real, and it's part of the L.A.U.R.A
 * anti-spam project and campaign.
 *
 * Copyright (C) 2004 Anton Alin-Adrian aanton()reversedhell.net
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 * END OF LICENSE
 */

/*
 * How it works: the message is read from stdin, the address in its From:
 * header is extracted, the MX of that address's domain is looked up and an
 * SMTP session is opened to it, going as far as RCPT TO:<that address>.
 * If the remote MX rejects the recipient, the sender address was forged.
 *
 * Build: cc -o check check.c   (add -lresolv on glibc systems)
 */

#define _GNU_SOURCE     /* strcasestr() and h_addr on glibc; harmless on BSD */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <arpa/nameser.h>
#include <resolv.h>

#define PORT 25              /* SMTP default port */
#define MAXDATASIZE 1024     /* we don't need more */

/* !!!!! REPLACE WITH YOUR *REAL* DOMAIN & *FAKE* E-MAIL USER !!!!! */
#define MY_VALID_MAIL_DOMAIN "INEXISTENT-USER-HERE@reversedhell.net" /* replace user with something decent like 'antispamrobot' */
#define MY_VALID_DOMAIN "reversedhell.net"  /* must be your real domain you are connecting from */

struct mx {
    int pref;
    char host[1024];
};

#ifndef HFIXEDSZ
# define HFIXEDSZ 12
#endif
#ifndef INT16SZ
# define INT16SZ 2           /* size of a 16-bit field in a DNS record */
#endif
#ifndef INT32SZ
# define INT32SZ 4           /* size of a 32-bit field (the TTL) */
#endif

int totalsize = 0;

/*
 * Compare the preference of two MX records. Check the actual
 * number listed in the MX record - if they're the same, randomize.
 */
int mxcomp(int p1, int p2)
{
    if (p1 > p2)
        return 1;
    else if (p1 < p2)
        return 0;
    else
        return rand() % 2;
}

/*
 * sort_mxrecs()
 *
 * Sort MX records by preference (lowest first); a simple bubble sort.
 */
void sort_mxrecs(struct mx *mxrecs, int nmx)
{
    int a, b;
    struct mx t1, t2;

    if (nmx < 2)
        return;
    for (a = nmx - 2; a >= 0; --a) {
        for (b = 0; b <= a; ++b) {
            if (mxcomp(mxrecs[b].pref, mxrecs[b + 1].pref)) {
                memcpy(&t1, &mxrecs[b], sizeof(struct mx));
                memcpy(&t2, &mxrecs[b + 1], sizeof(struct mx));
                memcpy(&mxrecs[b], &t2, sizeof(struct mx));
                memcpy(&mxrecs[b + 1], &t1, sizeof(struct mx));
            }
        }
    }
}

/*
 * getmx()
 *
 * Get MX recs for an address.
 *
 * Upon success, it fills 'mxbuff' with one or more MX hosts, delimited by
 * ':' chars, and returns the number of hosts. 0 if none found (the caller
 * then falls back to the domain name itself).
 */
int getmx(char *mxbuff, char *dest, int maxbuffsz)
{
    union {
        u_char bytes[1024];
        HEADER header;
    } ans;
    int ret;
    unsigned char *startptr, *endptr, *ptr;
    char expanded_buf[1024];
    unsigned short pref, type;
    int n = 0;
    int qdcount;
    struct mx *mxrecs = NULL;
    int nmx = 0;

    ret = res_query(dest, C_IN, T_MX, (unsigned char *)ans.bytes, sizeof(ans));
    if (ret >= 0) {
        if (ret > (int)sizeof(ans))
            ret = sizeof(ans);
        startptr = &ans.bytes[0];
        endptr = &ans.bytes[ret];
        ptr = startptr + HFIXEDSZ;          /* skip header */

        /* skip the question section */
        for (qdcount = ntohs(ans.header.qdcount); qdcount--; ptr += ret + QFIXEDSZ) {
            if ((ret = dn_skipname(ptr, endptr)) < 0)
                return 0;
        }

        /* walk the answer records, keeping the MX ones */
        while (ptr < endptr) {
            memset(expanded_buf, 0, sizeof(expanded_buf));
            ret = dn_expand(startptr, endptr, ptr, expanded_buf, sizeof(expanded_buf));
            if (ret < 0)
                break;
            ptr += ret;
            if (ptr + 3 * INT16SZ + INT32SZ > endptr)   /* truncated record */
                break;
            GETSHORT(type, ptr);
            ptr += INT16SZ + INT32SZ;       /* skip class and TTL */
            GETSHORT(n, ptr);               /* RDLENGTH */
            if (ptr + n > endptr)           /* rdata runs past the answer */
                break;
            if (type != T_MX) {
                ptr += n;
            } else {
                GETSHORT(pref, ptr);
                ret = dn_expand(startptr, endptr, ptr, expanded_buf, sizeof(expanded_buf));
                if (ret < 0)
                    break;
                ptr += ret;
                ++nmx;
                if (mxrecs == NULL)
                    mxrecs = malloc(sizeof(struct mx));
                else
                    mxrecs = realloc(mxrecs, sizeof(struct mx) * nmx);
                mxrecs[nmx - 1].pref = pref;
                strcpy(mxrecs[nmx - 1].host, expanded_buf);
            }
        }
    }

    /* sort by MX pref */
    sort_mxrecs(mxrecs, nmx);

    strcpy(mxbuff, "");
    for (n = 0; n < nmx; ++n) {
        if (strlen(mxbuff) + strlen(mxrecs[n].host) + 1 < (size_t)maxbuffsz)
            strcat(mxbuff, mxrecs[n].host);
        else
            break;
        strcat(mxbuff, ":");
    }
    /* kill last ':' (only if there is one) */
    if (mxbuff[0] != '\0' && mxbuff[strlen(mxbuff) - 1] == ':')
        mxbuff[strlen(mxbuff) - 1] = 0;
    free(mxrecs);
    return nmx;
}

/*
 * smtp_reply()
 *
 * Read one SMTP reply from the server and return its 3-digit status code,
 * or -1 on a read error / closed connection.
 */
static int smtp_reply(int sockfd)
{
    char buf[MAXDATASIZE];
    int numbytes;

    memset(buf, 0x0, sizeof(buf));
    if ((numbytes = recv(sockfd, buf, MAXDATASIZE - 1, 0)) == -1) {
        perror("recv");
        return -1;
    }
    if (numbytes < 3)           /* connection closed, or no status code at all */
        return -1;
    buf[3] = '\0';              /* only the status code is of interest */
    return atoi(buf);
}

/*
 * smtp_send()
 *
 * Send one command line, built as <pre><arg><post>CRLF. Returns 0, or -1 on error.
 */
static int smtp_send(int sockfd, const char *pre, const char *arg, const char *post)
{
    char buf[MAXDATASIZE];

    snprintf(buf, sizeof(buf), "%s%s%s\r\n", pre, arg, post);
    if (send(sockfd, buf, strlen(buf), 0) == -1) {
        perror("send");
        return -1;
    }
    return 0;
}

/*
 * checkmail()
 *
 * Open an SMTP session to 'myhost' and go as far as RCPT TO:<addy>.
 * Returns 0 if the address was accepted, -2 if the mail should be blocked
 * (no such host, no connection, or the recipient was rejected) and -1 if
 * the result is irrelevant (local error, or an unexpected reply earlier on).
 */
int checkmail(char *addy, char *myhost)
{
    int sockfd, code, ret;
    struct hostent *he;
    struct sockaddr_in their_addr;
    struct timeval tv = { 30, 0 };      /* don't let a slow MX hang delivery */

    if ((he = gethostbyname(myhost)) == NULL)
        return -2;
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        return -1;
    }
    setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));

    memset(&their_addr, 0, sizeof(their_addr));
    their_addr.sin_family = AF_INET;                /* host byte order */
    their_addr.sin_port = htons(PORT);              /* short, network byte order */
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(their_addr)) == -1) {
        close(sockfd);
        return -2;
    }

    /* greeting, HELO and MAIL FROM must all be accepted before the test means anything */
    if (smtp_reply(sockfd) != 220 ||
        smtp_send(sockfd, "helo ", MY_VALID_DOMAIN, "") == -1 ||
        smtp_reply(sockfd) != 250 ||
        smtp_send(sockfd, "MAIL FROM:<", MY_VALID_MAIL_DOMAIN, ">") == -1 ||
        smtp_reply(sockfd) != 250) {
        close(sockfd);
        return -1;
    }

    /* the real test: does the sender's own MX accept mail for the sender? */
    if (smtp_send(sockfd, "RCPT TO:<", addy, ">") == -1) {
        close(sockfd);
        return -1;
    }
    code = smtp_reply(sockfd);
    if (code < 0)
        ret = -1;
    else
        ret = (code == 250) ? 0 : -2;

    smtp_send(sockfd, "QUIT", "", "");  /* end the session cleanly instead of dropping it */
    close(sockfd);
    return ret;
}

/*
 * loopcheckmail()
 *
 * Find the MX for the domain of 'addy' and run checkmail() against it.
 * Only the lowest-preference MX is tried; with no MX at all the domain
 * itself is used, as SMTP requires.
 */
int loopcheckmail(char *addy)
{
    int n, ret;
    char buf[1024], *ptr;
    char *myhost;

    myhost = strchr(addy, '@');
    if (myhost == NULL)
        return -1;                      /* not an e-mail address at all */
    myhost++;
    n = getmx(buf, myhost, sizeof(buf) - 1);
    if (!n) {
        ret = checkmail(addy, myhost);
    } else {
        ptr = strchr(buf, ':');
        if (ptr != NULL)
            *ptr = '\0';
        ret = checkmail(addy, buf);
    }
    return ret;
}

/*
 * read_mail_buffer()
 *
 * Slurp the whole message from 'fp' into a NUL-terminated buffer that
 * grows as needed (faster once it is big). The caller frees it.
 */
char *read_mail_buffer(FILE *fp)
{
    int c;
    size_t i = 0;
    size_t size = 1024 + 1;
    size_t padder = 1024;
    char *s;

    if ((s = (char *)malloc(size)) == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    while ((c = getc(fp)) != EOF) {     /* int, so a 0xFF byte is not mistaken for EOF */
        if (i >= size - 1) {
            size += padder;
            if ((s = (char *)realloc(s, size)) == NULL) {
                perror("realloc");
                exit(EXIT_FAILURE);
            }
            if (size > 700000)
                padder = padder * 2;
        }
        s[i++] = (char)c;
    }
    s[i] = '\0';
    totalsize = size;
    return s;
}

/* characters accepted as part of the address on either side of the '@' */
static int addrchar(int c)
{
    return c != '\0' && (isalnum((unsigned char)c) || strchr("._-+", c) != NULL);
}

/*
 * filtervalidmail()
 *
 * Find the From: header in the message, pull the address out of it and run
 * the MX check on that address. Returns loopcheckmail()'s result, or -1 if
 * no usable From: address was found.
 */
int filtervalidmail(char *s)
{
    char *ptr, *hdr_end, *at, *left, *right, *addy;
    size_t len;
    int ret;

    ptr = strcasestr(s, "From:");
    if (ptr == NULL)
        return -1;
    ptr += 5;

    /* only look inside this header line for the '@' */
    hdr_end = strchr(ptr, '\n');
    if (hdr_end == NULL)
        hdr_end = ptr + strlen(ptr);
    at = memchr(ptr, '@', hdr_end - ptr);
    if (at == NULL)
        return -1;

    /* expand left and right from the '@' over address characters; this
     * works both for "Name <user@host>" and for a bare "user@host" */
    left = at;
    while (left > ptr && addrchar(left[-1]))
        --left;
    right = at + 1;
    while (right < hdr_end && addrchar(*right))
        ++right;

    len = right - left;
    if ((addy = (char *)malloc(len + 1)) == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    memcpy(addy, left, len);
    addy[len] = '\0';

    ret = loopcheckmail(addy);
    free(addy);
    return ret;
}

int main(int argc, char *argv[])
{
    int ret;
    char *bigbuf;

    (void)argc;     /* the remaining arguments (the safecat command in the */
    (void)argv;     /* .qmail example) are not used by this version */

    bigbuf = read_mail_buffer(stdin);
    ret = filtervalidmail(bigbuf);
    free(bigbuf);

    switch (ret) {
    case -1:
        fprintf(stderr, "IRRELEVANT: Error..\n");
        break;
    case -2:
        fprintf(stderr, "BLOCK!\n");
        break;
    case 0:
        fprintf(stderr, "IRRELEVANT\n");
        break;
    }
    return 0;
}