From marc at merlins.org Sat Aug 2 23:25:58 2003
From: marc at merlins.org (Marc MERLIN)
Date: Sat Aug 2 22:25:59 2003
Subject: [SA-exim] CVS version ready for sa-exim 3.1 release?
Message-ID: <20030803052558.GH9151@merlins.org>

I've had a few hours here and there and used them to incorporate your feedback, and a few other things.

http://marc.merlins.org/linux/exim/sa.html lists:

# Fixed SA: Action: teergrubed sender until full configured duration output
# spamassassin.conf was renamed sa-exim.conf (bad initial name choice)
# Changed teergrubing so that it works with exim 4.20
# Removed code that computes Message-Id, get it from exim
# Added the much requested SARewriteBody option for SA 2.50's report_safe (courtesy of Richard Lithvall)
# Added SAaddSAEheaderBeforeSA to deal with SARewriteBody and privacy
# Added SAPrependArchiveWithFrom option (Richard Lithvall)
# As announced in the previous version, SAStallSender was removed. Use Teergrubing instead
# Message-Id is read directly from Exim now that the API allows for that (we used to parse the Message-Id header ourselves)

Release debian packages are here: http://marc.merlins.org/linux/exim/files/debian/

I'm running this on my mail server obviously, and I also upgraded to exim 4.20 and SA 2.55, so I updated the docs to be up to date with newer SAs.

Please give it a shot, if I don't hear of any problems, I'll release 3.1 and work with Andreas Metzler to get this into debian unstable.

Thanks
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Sun Aug 3 19:19:47 2003
Subject: [SA-exim] SAEximRunCond Question
Message-ID: <20030804021933.GF23464@shampoo.ca>

Hi,

If a mail arrives from 198.73.180.252 which is mail that is .forwarded from another ISP, I do not want to run the sa-exim.

Would the following modification to the SAEximRunCond work?

SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1} } {!eq {$sender_host_address}{198.73.180.252} } {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
SAEximRunCond: 0

Thanks

J.
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: jvanasco at mastersofbranding.com (jvanasco@mastersofbranding.com)
Date: Mon Aug 4 08:26:57 2003
Subject: [SA-exim] disable for local users
Message-ID:

not to sound inept, although i am...

is there a way to not scan mail for outgoing smtp? i'd imagine it would be some formula in SAEximRunCond -- but i haven't a clue what kind of expansion to put in there (as stuff would not be from 127.0.0.1)

would this be an sa-exim thing, or would it be some expansion in exim to disable local_scan?

From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Wed Aug 6 02:21:30 2003
Subject: [SA-exim] SAEximRunCond Question
In-Reply-To: <20030804021933.GF23464@shampoo.ca>
References: <20030804021933.GF23464@shampoo.ca>
Message-ID: <20030806092116.GB9091@freshdot.net>

Quoting Justin F. Knotzke (jknotzke@shampoo.ca):
> following modification to the SAEximRunCond work?
> SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1} } {!eq {$sender_host_address}{198.73.180.252} } {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
> SAEximRunCond: 0

Yes. But remove the second SAEximRunCond line. :)
--
| Someone who thinks logically provides a nice contrast to the real world.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Wed Aug 6 02:23:35 2003
Subject: [SA-exim] disable for local users
In-Reply-To:
References:
Message-ID: <20030806092330.GC9091@freshdot.net>

Quoting jvanasco@mastersofbranding.com (jvanasco@mastersofbranding.com):
> is there a way to not scan mail for outgoing smtp?

exim-sa usually does that by default. That is, if the mail was received from localhost, and your /etc/hosts has localhost defined as 127.0.0.1, as it should ;)

If your mail comes in from another IP, you should indeed change the SAEximRunCond expansion and add the IP address of the server you don't want to scan mail from.

I just replied to a message where someone questioned if that was the correct way to do it. See there how to fix it ;)

Sander.
--
| Never hit a man with glasses, use a bat. It's more effective.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From: jvanasco at mastersofbranding.com (jvanasco@mastersofbranding.com)
Date: Wed Aug 6 07:00:10 2003
Subject: [SA-exim] disable for local users
In-Reply-To: <20030806092330.GC9091@freshdot.net>
Message-ID: <0D46BD2C-C816-11D7-98E4-000393863D5E@mastersofbranding.com>

ah -- didn't think of throwing an ip in there

it's set for localhost now.. i'm just thinking about office ips

i'm not too skilled on sa-exim -- would it be possible to have a list of ips in there instead -- like an lsearch;/path/to/file as in exim? or is chaining it the only option?

i'm starting to think this was discussed a few months ago, and i might have brought it up then too. my memory isn't good lately.

On Wednesday, August 6, 2003, at 05:23 AM, Sander Smeenk wrote:
> Quoting jvanasco@mastersofbranding.com
> (jvanasco@mastersofbranding.com):
>
>> is there a way to not scan mail for outgoing smtp?
>
> exim-sa usually does that by default. That is, if the mail was received
> from localhost, and your /etc/hosts has localhost defined as 127.0.0.1,
> as it should ;)
>
> If your mail comes in from another IP, you should indeed change the
> SAEximRunCond expansion and add the IP address of the server you don't
> want to scan mail from.
>
> I just replied to a message where someone questioned if that was the
> correct way to do it. See there how to fix it ;)
>
> Sander.
> --
> | Never hit a man with glasses, use a bat. It's more effective.
> | 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D
>

From: Adam.Stephens at bristol.ac.uk (Adam Stephens)
Date: Wed Aug 6 12:49:10 2003
Subject: [SA-exim] disable for local users
In-Reply-To: <0D46BD2C-C816-11D7-98E4-000393863D5E@mastersofbranding.com>
Message-ID:

On Wed, 6 Aug 2003 jvanasco@mastersofbranding.com wrote:
> ah -- didn't think of throwing an ip in there
>
> its set for localhost now.. i'm just thinking about office ips
>
> i'm not too skilled on sa-exim -- would it be possible to have a list
> of ips in there instead -- like an lsearch;/path/to/file as in exim?

You can use a subnet mask, like this :

SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {${mask:$sender_host_address/24}}{10.0.0.0/24}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}

regards,
Adam.
--------------------------------
Adam Stephens
Unix Administrator, ILRT
adam.stephens@bristol.ac.uk

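An added example, in Python, that is not code from sa-exim or from anyone in this thread: it mirrors the SAEximRunCond expansions Justin and Adam posted and answers the "list of IPs in a file" question at the same time. Exempt hosts and networks are read from a one-entry-per-line text (a bare address and a CIDR are both accepted), the X-SA-Do-Not-Run check is kept, and mask() shows what the ${mask:...} comparison in Adam's version reduces to. The file contents, the hypothetical path named in its comment and the function names are this example's own.

```python
"""Evaluate an sa-exim style SAEximRunCond in Python.

Added example, not part of sa-exim or of the thread.  Skips localhost,
any host or network listed in an exemption file, and any message
carrying 'X-SA-Do-Not-Run: Yes'; returns 1 (run SpamAssassin) or 0
(skip), as the Exim expansion string does.
"""
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed exemption list (what a hypothetical /etc/exim4/sa-exempt-hosts
# might hold); one address or CIDR per line, '#' starts a comment.
EXEMPT_HOSTS_FILE = """\
# hosts and networks whose mail should not be scanned
127.0.0.1
198.73.180.252     # upstream ISP that .forwards mail to us
10.0.0.0/24        # office LAN
"""


def load_exempt_networks(text: str) -> list:
    """Parse the exemption text into ip_network objects."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        # A bare address becomes a single-host network (/32 or /128).
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def mask(address: str, prefix: int) -> str:
    """Python equivalent of Exim's ${mask:address/prefix}: '10.0.0.55'/24 -> '10.0.0.0/24'."""
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))


def sa_exim_run_cond(sender_host_address: Optional[str],
                     headers: Mapping[str, str],
                     exempt: Iterable) -> int:
    """Return 1 to run SpamAssassin on the message, 0 to skip it.

    sender_host_address is None for locally submitted mail, which is
    what the 'def:sender_host_address' test in the expansion catches.
    """
    if sender_host_address is None:
        return 0
    addr = ipaddress.ip_address(sender_host_address)
    if any(addr in net for net in exempt):
        return 0
    # Header names are case-insensitive, as they are for Exim's $h_ lookups.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-sa-do-not-run", "").strip() == "Yes":
        return 0
    return 1


if __name__ == "__main__":
    nets = load_exempt_networks(EXEMPT_HOSTS_FILE)
    for host in ("127.0.0.1", "198.73.180.252", "10.0.0.55", "203.0.113.9", None):
        print(host, "->", sa_exim_run_cond(host, {}, nets))
```

Run as a script it prints 0 for 127.0.0.1, the forwarding ISP and the office /24, 1 for any other remote host, and 0 for locally submitted mail, where $sender_host_address is undefined. Adam's /24 comparison exempts the whole 10.0.0.0/24; a list like this lets single hosts and networks sit side by side.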
From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Thu Aug 7 13:34:35 2003
Subject: [SA-exim] I think I got one ;-)
Message-ID: <20030807203425.GW17961@shampoo.ca>

Alright,

After testing spamassassin for a few days and after doing a series of preinstallation checks, I installed sa-exim. After a few minutes, sa-exim appears to have whacked one:

2003-08-07 16:18:05 19krD3-0001LC-9P SA: Debug: SAEximRunCond expand returned: '1'
2003-08-07 16:18:05 19krD3-0001LC-9P SA: Debug: check succeeded, running spamc
2003-08-07 16:18:10 19krD3-0001LC-9P SA: Debug: SAEximRejCond expand returned: '1'
2003-08-07 16:18:10 19krD3-0001LC-9P SA: Debug: Writing message to /var/spool/exim/SApermreject/new/1060287490_28211-22003847195452656@xzapmail.com
2003-08-07 16:18:10 19krD3-0001LC-9P SA: Notice: creating maildir tree in /var/spool/exim/SApermreject
2003-08-07 16:18:10 19krD3-0001LC-9P SA: Action: permanently rejected message: hits=14.4 required=5.0 trigger=12.0 (scanned in 5/5 secs). From (host=wtwmmail01.xzapmail.com [195.188.22.73]) for jknotzke@shampoo.ca
2003-08-07 16:18:10 19krD3-0001LC-9P rejected by local_scan(): "Rejected"

It was one of those Nigerian scams.

Is there some way I can mimic what really happened to the spammer with this message by feeding the message in manually? I want to relive the experience all over again. ;-)

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Thu Aug 7 18:07:31 2003
Subject: [SA-exim] sa-exim before mailman
Message-ID: <20030808010720.GC17961@shampoo.ca>

Hi,

Is there a way for sa-exim to kick in before exim4 sends mail destined for mailman?

Right now exim4 appears to be sending mail directly to mailman before allowing sa-exim to do its job.

Thanks

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Thu Aug 7 18:12:20 2003
Subject: [SA-exim] sa-exim before mailman
In-Reply-To: <20030808010720.GC17961@shampoo.ca>
References: <20030808010720.GC17961@shampoo.ca>
Message-ID: <20030808011210.GD17961@shampoo.ca>

> Hi,
>
> Is there a way for sa-exim to kick in before exim4 sends mail
> destined for mailman?
>
> Right now exim4 appears to be sending mail directly to mailman before
> allowing sa-exim to do its job.

Actually, that's not entirely true. The message was passed through sa-exim:

2003-08-07 19:58:06 19kudx-0001gL-Qx SA: Debug: SAEximRunCond expand returned: '1'
2003-08-07 19:58:06 19kudx-0001gL-Qx SA: Debug: check succeeded, running spamc
2003-08-07 19:58:09 19kudx-0001gL-Qx SA: Debug: SAEximRejCond expand returned: '1'
2003-08-07 19:58:09 19kudx-0001gL-Qx SA: Debug: Writing message to /var/spool/exim/SAspamaccept/new/1060300689_3043892.1060300610106.JavaMail.ahmedsanusi@gomailjtp05
2003-08-07 19:58:09 19kudx-0001gL-Qx SA: Action: flagged as Spam but accepted: Score hits=9.0 required=4.3 (scanned in 3/3 secs)
2003-08-07 19:58:09 19kudx-0001gL-Qx <= mail@shampoo.ca H=mta07f.seamail.go.com [199.181.134.24] P=esmtp S=4558 id=3043892.1060300610106.JavaMail.ahmedsanusi@gomailjtp05
2003-08-07 19:58:10 19kudx-0001gL-Qx => vcom R=mailman_router T=mailman_transport
2003-08-07 19:58:10 19kudx-0001gL-Qx Completed

Maybe someone could explain to me why the message was sent to SAspamaccept and then to mailman instead of rejected. This message was clearly marked as spam by spamassassin with a score of 9/4.3

Thanks

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Thu Aug 7 18:16:45 2003
Subject: [SA-exim] sa-exim before mailman [SOLVED]
In-Reply-To: <20030808011210.GD17961@shampoo.ca>
References: <20030808010720.GC17961@shampoo.ca> <20030808011210.GD17961@shampoo.ca>
Message-ID: <20030808011637.GE17961@shampoo.ca>

> Maybe someone could explain to me why the message was sent to
> SAspamaccept and then to mailman instead of rejected. This message was
> clearly marked as spam by spamassassin with a score of 9/4.3

Never mind. It's all explained in http://marc.merlins.org/linux/exim/files/sa-exim.conf

Sorry for wasting bandwidth.

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: marc at merlins.org (Marc MERLIN)
Date: Thu Aug 7 18:17:35 2003
Subject: [SA-exim] sa-exim before mailman
In-Reply-To: <20030808011210.GD17961@shampoo.ca>
References: <20030808010720.GC17961@shampoo.ca> <20030808011210.GD17961@shampoo.ca>
Message-ID: <20030808011734.GG12111@merlins.org>

On Thu, Aug 07, 2003 at 09:12:10PM -0400, Justin F. Knotzke wrote:
> Maybe someone could explain to me why the message was sent to
> SAspamaccept and then to mailman instead of rejected. This message was
> clearly marked as spam by spamassassin with a score of 9/4.3

spamaccept means that SA flagged the message as spam but that the score wasn't high enough to refuse the spam altogether. It's to let users know it's probably spam but that you weren't sure enough to reject it.

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Thu Aug 7 19:01:27 2003
Subject: [SA-exim] Question
Message-ID: <20030808020116.GF17961@shampoo.ca>

I am now able to reproduce teergrube using exim -bh and I witnessed the 451- "wait for more output". Rather cool.

The question I have is teergrube assumes that the spammer will actually wait for the final 250 after a . is sent.

Do they always? Could they not simply issue the . and then cut the connection?

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: marc at merlins.org (Marc MERLIN)
Date: Thu Aug 7 19:59:54 2003
Subject: [SA-exim] Question
In-Reply-To: <20030808020116.GF17961@shampoo.ca>
References: <20030808020116.GF17961@shampoo.ca>
Message-ID: <20030808025952.GI12111@merlins.org>

On Thu, Aug 07, 2003 at 10:01:16PM -0400, Justin F. Knotzke wrote:
> I am now able to reproduce teergrube using exim -bh and I witnessed
> the 451- "wait for more output". Rather cool.
>
> The question I have is teergrube assumes that the spammer will
> actually wait for the final 250 after a . is sent.
>
> Do they always?

In my experience, pretty much, yes

> Could they not simply issue the . and then cut the
> connection?

They could, but then they wouldn't know that the spam got sent. If they cut the connection, my MTA could abandon the delivery and their spam gets dropped on the floor

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

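The exchange Justin reproduced with exim -bh, and Marc's point about clients that hang up, as an added example in Python that is not sa-exim's code: a toy teergrube server and two SMTP clients talking over a socketpair, so both sides of the 451- dribble can be watched without a real MTA. The reply texts are the ones visible in this thread's logs; the timings (shortened to fractions of a second), the outcome labels and the function names are this example's own.

```python
"""Teergrube seen from both ends of the SMTP session.

Added example, not sa-exim's code and not from the thread.  After the
client's end-of-DATA '.', the server dribbles '451-' continuation lines
for the configured duration and only then sends the final '451' line.
A client that waits for the final reply is held for the whole time; a
client that hangs up early never learns whether its message was taken,
and the server treats the delivery as abandoned and sends no reply.
"""
import socket
import threading
import time

CONTINUATION = b"451-wait for more output\r\n"
FINAL = b"451 Please try again later\r\n"


def teergrube_server(conn: socket.socket, duration: float, interval: float) -> str:
    """Read the client's '.', hold it for `duration` seconds, then refuse.

    Returns 'held' if the client stayed for the full duration, or
    'abandoned' if it hung up early (no final reply is sent then).
    """
    try:
        data = b""
        while not data.endswith(b".\r\n"):
            chunk = conn.recv(4096)
            if not chunk:
                return "abandoned"
            data += chunk
        deadline = time.monotonic() + duration
        conn.settimeout(interval)
        while time.monotonic() < deadline:
            conn.sendall(CONTINUATION)
            # The client should be silent now: recv times out after
            # `interval` (our dribble period) or returns b'' on hangup.
            try:
                if conn.recv(1, socket.MSG_PEEK) == b"":
                    return "abandoned"
            except socket.timeout:
                pass
        conn.sendall(FINAL)
        return "held"
    except (BrokenPipeError, ConnectionResetError):
        return "abandoned"
    finally:
        conn.close()


def smtp_client(conn: socket.socket, patience: float) -> str:
    """Send '.' and wait up to `patience` seconds for the final reply line.

    Returns the reply code ('451' here) if it arrives, 'gave up' if the
    client closes the connection first.
    """
    conn.sendall(b".\r\n")
    deadline = time.monotonic() + patience
    buf = b""
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "gave up"
            conn.settimeout(remaining)
            chunk = conn.recv(4096)
            if not chunk:
                return "server closed"
            buf += chunk
            lines = buf.split(b"\r\n")
            buf = lines.pop()  # keep any partial trailing line
            for line in lines:
                # RFC 5321: '451-' is a continuation line, '451 ' the last one.
                if len(line) >= 4 and line[3:4] == b" ":
                    return line[:3].decode()
    except socket.timeout:
        return "gave up"
    finally:
        conn.close()


def run_session(duration: float, interval: float, patience: float):
    """Run one teergrubed end-of-DATA exchange; return (server, client) outcomes."""
    server_end, client_end = socket.socketpair()
    outcome = {}
    t = threading.Thread(
        target=lambda: outcome.update(server=teergrube_server(server_end, duration, interval)))
    t.start()
    client = smtp_client(client_end, patience)
    t.join()
    return outcome["server"], client


if __name__ == "__main__":
    print("patient client:", run_session(duration=0.3, interval=0.05, patience=5.0))
    print("impatient client:", run_session(duration=1.0, interval=0.05, patience=0.1))
```

The impatient client gets neither a 250 nor a 451, so it cannot tell whether its message was accepted, which is the position Marc describes; the server sees EOF and records the delivery as abandoned. The patient one sits through every continuation line and is then told to try again later.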
From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Fri Aug 8 05:21:01 2003
Subject: [SA-exim] Mailman sa-exim Question
Message-ID: <20030808122049.GK17961@shampoo.ca>

Hi

Sorry to be a pest again.

I have a question concerning mailman and sa-exim.

My mailman configuration uses: http://www.daa.com.au/~james/articles/mailman-spamassassin/

And the following happened:

2003-08-08 07:20:35 19l5IQ-0002Me-S4 SA: Debug: SAEximRunCond expand returned: '1'
2003-08-08 07:20:35 19l5IQ-0002Me-S4 SA: Debug: check succeeded, running spamc
2003-08-08 07:20:39 19l5IQ-0002Me-S4 SA: Debug: SAEximRejCond expand returned: '1'
2003-08-08 07:20:39 19l5IQ-0002Me-S4 SA: Debug: SAteergrubecond expand returned: '1'
2003-08-08 07:20:39 19l5IQ-0002Me-S4 SA: Debug: Writing message to /var/spool/exim/SAteergrube/new/yn10s8i2541w-q8-$2@ocd.g.z.2o.oxd
2003-08-08 07:35:40 19l5IQ-0002Me-S4 SA: Action: teergrubed sender until full configured duration of 900 secs (hits=9.9 required=4.3 trigger=5.0)
2003-08-08 07:35:40 19l5IQ-0002Me-S4 temporarily rejected by local_scan(): "Please try again later"

Which of course is fine. The problem is that the message was forwarded to mailman and the spamassassin patch to mailman kicked in and had the message marked for approval.

Is there a way to configure sa-exim to _not_ do this? If the message is teergrubed then I'd like the message dropped just as it does for a message destined to a regular user.

Thanks

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

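An added example in Python, not from sa-exim or from the thread, that reads the three kinds of "SA: Action:" line seen in this thread out of an Exim mainlog and pairs each message ID with what Exim did next, which is the log-reading step that caused the confusion above: a "<=" line means the message was accepted into the queue, "=>" that it was delivered somewhere, and a "rejected by local_scan()" line that it never got that far. The log lines are copied from the messages in this thread with wrapped lines rejoined; the record fields and the action labels (permreject, spamaccept, teergrube) are this example's own names.

```python
"""Parse sa-exim 'SA: Action:' lines out of an Exim main log.

Added example, not part of sa-exim.  For each Exim message ID it keeps
the sa-exim action and scores, whether the message was accepted into
the queue ('<='), where it was delivered ('=>'), and whether
local_scan() rejected it permanently or temporarily.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Log lines taken from this thread (wrapped lines rejoined).
SAMPLE_LOG = """\
2003-08-07 16:18:10 19krD3-0001LC-9P SA: Action: permanently rejected message: hits=14.4 required=5.0 trigger=12.0 (scanned in 5/5 secs). From (host=wtwmmail01.xzapmail.com [195.188.22.73]) for jknotzke@shampoo.ca
2003-08-07 16:18:10 19krD3-0001LC-9P rejected by local_scan(): "Rejected"
2003-08-07 19:58:09 19kudx-0001gL-Qx SA: Action: flagged as Spam but accepted: Score hits=9.0 required=4.3 (scanned in 3/3 secs)
2003-08-07 19:58:09 19kudx-0001gL-Qx <= mail@shampoo.ca H=mta07f.seamail.go.com [199.181.134.24] P=esmtp S=4558 id=3043892.1060300610106.JavaMail.ahmedsanusi@gomailjtp05
2003-08-07 19:58:10 19kudx-0001gL-Qx => vcom R=mailman_router T=mailman_transport
2003-08-07 19:58:10 19kudx-0001gL-Qx Completed
2003-08-08 07:35:40 19l5IQ-0002Me-S4 SA: Action: teergrubed sender until full configured duration of 900 secs (hits=9.9 required=4.3 trigger=5.0)
2003-08-08 07:35:40 19l5IQ-0002Me-S4 temporarily rejected by local_scan(): "Please try again later"
"""

# date time <exim-id> <rest>; Exim IDs are three dash-separated groups.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+-\S+-\S+) (?P<rest>.*)$")
NUM_RE = {k: re.compile(rf"\b{k}=([0-9.]+)") for k in ("hits", "required", "trigger")}
ACTIONS = [
    ("permanently rejected", "permreject"),
    ("flagged as Spam but accepted", "spamaccept"),
    ("teergrubed sender", "teergrube"),
]


@dataclass
class SaRecord:
    msg_id: str
    action: Optional[str] = None
    hits: Optional[float] = None
    required: Optional[float] = None
    trigger: Optional[float] = None
    accepted: bool = False                      # saw a '<=' line
    delivered_to: List[str] = field(default_factory=list)
    rejection: Optional[str] = None             # 'permanent' or 'temporary'


def parse_sa_exim_log(text: str) -> Dict[str, SaRecord]:
    """Return one SaRecord per Exim message ID found in the log text."""
    records: Dict[str, SaRecord] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(m["id"], SaRecord(m["id"]))
        rest = m["rest"]
        if rest.startswith("SA: Action: "):
            for needle, name in ACTIONS:
                if needle in rest:
                    rec.action = name
            for key, rx in NUM_RE.items():
                n = rx.search(rest)
                if n:
                    setattr(rec, key, float(n.group(1)))
        elif rest.startswith("<= "):
            rec.accepted = True
        elif rest.startswith("=> "):
            rec.delivered_to.append(rest.split()[1])
        elif rest.startswith("rejected by local_scan()"):
            rec.rejection = "permanent"
        elif rest.startswith("temporarily rejected by local_scan()"):
            rec.rejection = "temporary"
    return records


if __name__ == "__main__":
    for rec in parse_sa_exim_log(SAMPLE_LOG).values():
        print(rec)
```

For the three messages on this page it yields permreject (hits 14.4, never queued), spamaccept (hits 9.0, queued and delivered to vcom) and teergrube (hits 9.9, temporarily rejected, never queued): a teergrubed message has no "<=" line and therefore never reaches a router, which is what the later replies say.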
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Fri Aug 8 06:07:59 2003
Subject: [SA-exim] Mailman sa-exim Question
In-Reply-To: <20030808122049.GK17961@shampoo.ca>
References: <20030808122049.GK17961@shampoo.ca>
Message-ID: <20030808130747.GG28573@freshdot.net>

Quoting Justin F. Knotzke (jknotzke@shampoo.ca):
> I have a question concerning mailman and sa-exim.

Ok. We'll just leave you to it then. Probably in a few hours you'll have solved it!

Just kidding :)

> My mailman configuration uses:
> http://www.daa.com.au/~james/articles/mailman-spamassassin/

I don't know exactly, but if you have the sa-exim module in Exim, why would you want to integrate spamassassin in mailman again? Wouldn't you rather have exim do the magic, and feed messages to mailman that need to go there?

Personally, I used these[1] settings in my exim4.conf to play with mailman and it worked fine. Exim rejected spam, mailman didn't get it, etc.

> 2003-08-08 07:20:39 19l5IQ-0002Me-S4 SA: Debug: SAEximRejCond expand
> returned: '1'
> 2003-08-08 07:20:39 19l5IQ-0002Me-S4 SA: Debug: SAteergrubecond expand
> returned: '1'

To my best knowledge, the message was dropped at this stage and never reached the delivery process of your exim.

> The problem is that the message was forwarded to mailman and the
> spamassassin patch to mailman kicked in and had the message marked for
> approval.

This is the weird part. Do you have a message to send to reproduce this behaviour? If you do, you should try to run exim4 in debug mode, and have the output redirected somewhere, and then do the delivery that triggers this behaviour.

I strongly believe there's something weird in your setup ;)

> Is there a way to configure sa-exim to _not_ do this? If the message
> is teergrubed then I'd like the message dropped just as it does for a
> message destined to a regular user.

IMHO it does this already.

Sander

[1] http://dot.freshdot.net/~ssmeenk/tmp/mailman.exim4.txt
--
| If you're too open-minded, your brains will fall out.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Fri Aug 8 06:25:25 2003
Subject: [SA-exim] Mailman sa-exim Question
In-Reply-To: <20030808130747.GG28573@freshdot.net>
References: <20030808122049.GK17961@shampoo.ca> <20030808130747.GG28573@freshdot.net>
Message-ID: <20030808132514.GA9700@shampoo.ca>

> Quoting Justin F. Knotzke (jknotzke@shampoo.ca):
>
> > I have a question concerning mailman and sa-exim.
>
> Ok. We'll just leave you to it then.
> Probably in a few hours you'll have solved it!

LOL! I SO deserved that. ;-)

> I don't know exactly, but if you have the sa-exim module in Exim, why
> would you want to integrate spamassassin in mailman again? Wouldn't you
> rather have exim do the magic, and feed messages to mailman that need to
> go there?

Good point. I didn't bother to get rid of the mailman patch because I figured sa-exim would never forward it. I am going to disable it and see what happens.

> I strongly believe there's something weird in your setup ;)

Yah think? ;-) It's not like I have some history or something..

I can't find the message in question. I'll turn off the mailman patch and see how sa-exim reacts.

Stay tuned. ;-)

Thanks

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: tonni at billy.demon.nl (Tony Earnshaw)
Date: Fri Aug 8 07:05:38 2003
Subject: [SA-exim] Mailman sa-exim Question
In-Reply-To: <20030808130747.GG28573@freshdot.net>
References: <20030808122049.GK17961@shampoo.ca> <20030808130747.GG28573@freshdot.net>
Message-ID: <3F33A4CD.2070409@billy.demon.nl>

Sander Smeenk wrote:
> Quoting Justin F. Knotzke (jknotzke@shampoo.ca):
>
>> I have a question concerning mailman and sa-exim.
>
> Ok. We'll just leave you to it then.
> Probably in a few hours you'll have solved it!

Well, I for one wouldn't try teergrubing stuff destined for a mailman list. Using SA (at least 2.60) with suitable extra rules should be good enough. But I'm not going to say that, when Justin is having such a good time.

Tony
--
Tony Earnshaw

http://www.billy.demon.nl
Mail: tonni@billy.demon.nl

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Fri Aug 8 07:10:59 2003
Subject: [SA-exim] Mailman sa-exim Question
In-Reply-To: <20030808130747.GG28573@freshdot.net>
References: <20030808122049.GK17961@shampoo.ca> <20030808130747.GG28573@freshdot.net>
Message-ID: <20030808141040.GB9700@shampoo.ca>

> To my best knowledge, the message was dropped at this stage and never
> reached the delivery process of your exim.

I did some more digging and it appears that because I had the spamassassin mailman Handler enabled, that patch was kicking in before sa-exim.

I disabled the mailman/spamassassin Handler and ran a test mail through and it was rejected and mailman never saw it.

The mistake I made in my original post was not reading the logs correctly. When a message is sent to mailman and mailman sends that message for approval, two messages are generated: the original and the message to the list-admin.

My logs showed a message being sent to the list-admin for approval. Right above that was another message which had been teergrubed. I _assumed_ that message was the message that was sent to mailman for approval. Wrong. It was another SPAM message destined to another user.

So, my running theory is that the mailman/spamassassin Handler kicks in before sa-exim can.

Makes sense?

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: marc at merlins.org (Marc MERLIN)
Date: Fri Aug 8 09:06:03 2003
Subject: [SA-exim] Mailman sa-exim Question
In-Reply-To: <20030808141040.GB9700@shampoo.ca>
References: <20030808122049.GK17961@shampoo.ca> <20030808130747.GG28573@freshdot.net> <20030808141040.GB9700@shampoo.ca>
Message-ID: <20030808160600.GG19309@merlins.org>

On Fri, Aug 08, 2003 at 10:10:40AM -0400, Justin F. Knotzke wrote:
> > To my best knowledge, the message was dropped at this stage and never
> > reached the delivery process of your exim.
>
> I did some more digging and it appears that because I had the
> spamassassin mailman Handler enabled, that patch was kicking in before
> sa-exim.

That doesn't make a lot of sense, unless your routing is such that somehow mailman sees the spam before exim. In normal configurations, exim should get the mail first, reject it, and mailman would never see it.

> So, my running theory is that the mailman/spamassassin Handler kicks
> in before sa-exim can.
>
> Makes sense?

No :-)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Fri Aug 8 09:37:47 2003
Subject: [SA-exim] Mailman sa-exim Question
In-Reply-To: <20030808160600.GG19309@merlins.org>
References: <20030808122049.GK17961@shampoo.ca> <20030808130747.GG28573@freshdot.net> <20030808141040.GB9700@shampoo.ca> <20030808160600.GG19309@merlins.org>
Message-ID: <20030808163736.GF9700@shampoo.ca>

> No :-)

Yah it doesn't.

I just re-enabled the Spamassassin Handler and retested with known spam and sa-exim teergrubed and then dropped it. It never made it to Mailman.

So, the mystery approval message remains.

Stay tuned!

J.
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Sun Aug 10 05:59:16 2003
Subject: [SA-exim] Bayes issues
Message-ID: <20030810125900.GV9700@shampoo.ca>

Hi,

Me again. This is more of a Spamassassin problem than a sa-exim problem but I have yet to get a reply from the SA mailing list on this so I figured I'd try here.

I am trying to get bayes to work with SA while using spamd/spamc. Bayes works perfectly while using spamassassin directly. I have 1800 SPAM and 700 ham trained.

For simplicity's sake I am running spamd as root with no local.cf. Everything is set to the default. When I run spamc spamd gives the following debug:

spamd[23553]: debug: bayes: 23553 untie-ing
Aug 10 08:47:34 shampoo spamd[23553]: debug: bayes: 23553 tie-ing to DB file R/O /usr/local/var/spamassassin/bayes_toks
Aug 10 08:47:34 shampoo spamd[23553]: Cannot open bayes_path /home/jknotzke/.spamassassin/bayes R/O:
Aug 10 08:47:34 shampoo spamd[23553]: debug: Score set 1 chosen.
Aug 10 08:47:34 shampoo spamd[23553]: logmsg: checking message for jknotzke:1009.
Aug 10 08:47:34 shampoo spamd[23553]: checking message for jknotzke:1009.
Aug 10 08:47:34 shampoo spamd[23553]: debug: debug: Only 0 spam(s) in Bayes DB < 200
Aug 10 08:47:34 shampoo spamd[23553]: debug: bayes: 23553 untie-ing
Aug 10 08:47:34 shampoo spamd[23553]: debug: bayes: 23553 untie-ing db_toks

If I run the same SPAM through spamassassin -r I get:

debug: using "/home/jknotzke/.spamassassin" for user state dir
debug: lock: 23606 created /home/jknotzke/.spamassassin/bayes.lock.shampoo.ca.23606
debug: lock: 23606 trying to get lock on /home/jknotzke/.spamassassin/bayes with 0 retries
debug: lock: 23606 link to /home/jknotzke/.spamassassin/bayes.lock: link ok
debug: bayes: 23606 tie-ing to DB file R/W /home/jknotzke/.spamassassin/bayes_toks
debug: bayes: 23606 tie-ing to DB file R/W /home/jknotzke/.spamassassin/bayes_seen
debug: E19lWZj-0008Js-00@hiruko.services.cam.org: already learnt as opposite, forgetting first
debug: bayes: 23606 untie-ing
debug: bayes: 23606 untie-ing db_toks
debug: bayes: 23606 untie-ing db_seen
debug: bayes: files locked, now unlocking lock
debug: unlock: 23606 unlink /home/jknotzke/.spamassassin/bayes.lock

spamc/spamd obviously give different test results than spamassassin since spamassassin actually does a bayes check.

Any ideas?

Thanks

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Sun Aug 10 06:06:37 2003
Subject: [SA-exim] Bayes issues
In-Reply-To: <20030810125900.GV9700@shampoo.ca>
References: <20030810125900.GV9700@shampoo.ca>
Message-ID: <20030810130627.GW9700@shampoo.ca>

> Sorry, that should read:
> spamd[23553]: debug: bayes: 23553 untie-ing
> Aug 10 08:47:34 shampoo spamd[23553]: debug: bayes: 23553 tie-ing to DB
> file R/O /home/jknotzke/.spamassassin/bayes_toks
> Aug 10 08:47:34 shampoo spamd[23553]: Cannot open bayes_path
> /home/jknotzke/.spamassassin/bayes R/O:
> Aug 10 08:47:34 shampoo spamd[23553]: debug: Score set 1 chosen.
> Aug 10 08:47:34 shampoo spamd[23553]: logmsg: checking message
> for jknotzke:1009.
> Aug 10 08:47:34 shampoo spamd[23553]: checking message
> for jknotzke:1009.
> Aug 10 08:47:34 shampoo spamd[23553]: debug: debug: Only 0 spam(s) in
> Bayes DB < 200
> Aug 10 08:47:34 shampoo spamd[23553]: debug: bayes: 23553 untie-ing
> Aug 10 08:47:34 shampoo spamd[23553]: debug: bayes: 23553 untie-ing
> db_toks

I was trying to move the bayes DB to different places thinking it was a permissions issue..

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Sun Aug 10 06:15:32 2003
Subject: [SA-exim] Bayes issues
In-Reply-To: <20030810130627.GW9700@shampoo.ca>
References: <20030810125900.GV9700@shampoo.ca> <20030810130627.GW9700@shampoo.ca>
Message-ID: <20030810131518.GA22719@freshdot.net>

Quoting Justin F. Knotzke (jknotzke@shampoo.ca):
> Sorry, that should read:

sa-exim invokes spamc as user 'nobody' or maybe 'mail', for security issues. That means spamd can't get to your homedirectory to read the bayesian stuff.

You can however tell spamd to look for bayesian stuff in another directory, for example, /var/tmp or some directory you created especially for this purpose. You could then even copy your own current databases into that directory.

In your local.cf, in /etc/spamassassin/ add: (directories based on Debian GNU/Linux)

| # Bayes basefilename. This file must be readable for user mail
| # spamc/spamd will add _toks and _journal to this path...
| bayes_path /var/tmp/exim4-bayes/bayes
| # Use 'hapaxes' to increase hit-rates with larger databases
| bayes_use_hapaxes 1

Sander.
--
| If you must choose between two evils, pick the one you've never tried before.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Wed Aug 13 09:01:07 2003
Subject: [SA-exim] Bizarre Dates
Message-ID: <20030813160037.GK31246@shampoo.ca>

Hi,

All of my teergrubed mails have:

>From mail@shampoo.ca Wed Dec 31 23:59:59 UTC 1969

Not sure what is putting that false date at the top but I'm quite sure it didn't arrive in 1969. ;)

I like to append all of my teergrubed mails into a SPAM folder in case I need to regenerate the bayes DB. mutt goes into convulsions when it reads this date.

Any idea what is putting it there?

Thanks

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: marc at merlins.org (Marc MERLIN)
Date: Wed Aug 13 09:07:02 2003
Subject: [SA-exim] Bizarre Dates
In-Reply-To: <20030813160037.GK31246@shampoo.ca>
References: <20030813160037.GK31246@shampoo.ca>
Message-ID: <20030813160700.GK9751@merlins.org>

On Wed, Aug 13, 2003 at 12:00:37PM -0400, Justin F. Knotzke wrote:
> Hi,
>
> All of my teergrubed mails have:
>
> >From mail@shampoo.ca Wed Dec 31 23:59:59 UTC 1969
>
> Not sure what is putting that false date at the top but I'm quite
> sure it didn't arrive in 1969. ;)

That's the whole idea, it's to make it clear that the date is fake.

> I like to append all of my teergrubed mails into a SPAM folder in case I
> need to regenerate the bayes DB.
> mutt goes into convulsions when it reads this date.

Mine doesn't, never has. What problem(s) are you seeing?

> Any idea what is putting it there?

sa-exim, as it saves the mails. It just generates a fake From line when it saves the mail to make mail readers that can't do maildir, happy

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Wed Aug 13 09:13:56 2003
Subject: [SA-exim] Bizarre Dates
In-Reply-To: <20030813160700.GK9751@merlins.org>
References: <20030813160037.GK31246@shampoo.ca> <20030813160700.GK9751@merlins.org>
Message-ID: <20030813161351.GL31246@shampoo.ca>

> Mine doesn't, never has. What problem(s) are you seeing?

For every message with the fake date mutt complains with a:

Unable to parse internal date: 31-Dec-1969 23:59:59-UTC

But it continues to work.

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: marc at merlins.org (Marc MERLIN)
Date: Wed Aug 13 09:19:12 2003
Subject: [SA-exim] Bizarre Dates
In-Reply-To: <20030813161351.GL31246@shampoo.ca>
References: <20030813160037.GK31246@shampoo.ca> <20030813160700.GK9751@merlins.org> <20030813161351.GL31246@shampoo.ca>
Message-ID: <20030813161910.GL9751@merlins.org>

On Wed, Aug 13, 2003 at 12:13:51PM -0400, Justin F. Knotzke wrote:
> > Mine doesn't, never has. What problem(s) are you seeing?
>
> For every message with the fake date mutt complains with a:
>
> Unable to parse internal date: 31-Dec-1969 23:59:59-UTC
>
> But it continues to work.

Mmh, it didn't use to do that. I'll add one second to the date, 01-Jan-1970 00:00:00-UTC should make it happy. Please change the string by hand and confirm that it is the case.

Thanks
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Wed Aug 13 10:05:23 2003
Subject: [SA-exim] Bizarre Dates
In-Reply-To: <20030813161910.GL9751@merlins.org>
References: <20030813160037.GK31246@shampoo.ca> <20030813160700.GK9751@merlins.org> <20030813161351.GL31246@shampoo.ca> <20030813161910.GL9751@merlins.org>
Message-ID: <20030813170516.GA1005@shampoo.ca>

> 01-Jan-1970 00:00:00-UTC should make it
> Please change the string by hand and confirm that it is the case.

That fixed it.

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From: christian_stuellenberg at web.de (Christian Stuellenberg)
Date: Thu Aug 14 00:06:49 2003
Subject: [SA-exim] X-SA-Do-Not-Rej
Message-ID: <16187.13484.293634.782122@tower.cgs.condor.local>

Hello all,

What about a mail that already comes with a header

X-SA-Do-Not-Rej: Yes

and an

SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}}

in spamassassin.conf?

Normally X-SA-Do-Not-Rej should only be set in exim's check_rcpt-acl, but
what if a spammer would already have set this flag? I tried it, and the
spam comes through. :(

Am I misunderstanding or missing something here?

Regards,
Christian

From christian_stuellenberg at web.de Thu Aug 14 11:45:32 2003
From: christian_stuellenberg at web.de (Christian Stuellenberg)
Date: Thu Aug 14 01:46:57 2003
Subject: [SA-exim] Distinct sender_host_address for SA scores?
Message-ID: <16187.19500.553408.261222@tower.cgs.condor.local>

Hello,

Wouldn't it be nice to be able to have different SA scores for different
sender_hosts?

What I intend is to be able to return a permanent error for spam that gets
forwarded from some well known mailserver, so that these servers do not
waste their bandwidth with my server, but the others still get teergrubed.

Regards,
Christian

From tonni at billy.demon.nl Thu Aug 14 11:27:58 2003
From: tonni at billy.demon.nl (Tony Earnshaw)
Date: Thu Aug 14 04:00:59 2003
Subject: [SA-exim] X-SA-Do-Not-Rej
In-Reply-To: <16187.13484.293634.782122@tower.cgs.condor.local>
References: <16187.13484.293634.782122@tower.cgs.condor.local>
Message-ID: <3F3B480E.2010609@billy.demon.nl>

Christian Stuellenberg wrote:

> What about a mail that already comes with a header
> X-SA-Do-Not-Rej: Yes
> and an
> SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}}
> in spamassassin.conf?
>
> Normally X-SA-Do-Not-Rej should only be set in exim's check_rcpt-acl,
> but what if a spammer would already have set this flag? I tried it,
> and the spam comes through. :(
>
> Am I misunderstanding or missing something here?

AFAIR we've had this before and the (Tim Jackson's?) remedy was to set the
SA code and ACL to something a spammer wouldn't reckon with. Like
X-Wibble-Wobble or whatever.

However, as long as I've been following this list, no-one's ever mentioned
any spammer actually having done this. Their spam software (up to now)
simply isn't made for every eventuality in every anti-spam utility.

Best,

Tony

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonni@billy.demon.nl

From tonni at billy.demon.nl Thu Aug 14 14:35:31 2003
From: tonni at billy.demon.nl (Tony Earnshaw)
Date: Thu Aug 14 05:04:39 2003
Subject: [SA-exim] Distinct sender_host_address for SA scores?
In-Reply-To: <16187.19500.553408.261222@tower.cgs.condor.local>
References: <16187.19500.553408.261222@tower.cgs.condor.local>
Message-ID: <3F3B7403.3090503@billy.demon.nl>

Christian Stuellenberg wrote:

> Wouldn't it be nice to be able to have different SA scores for
> different sender_hosts?
>
> What I intend is to be able to return a permanent error for spam that
> gets forwarded from some well known mailserver, so that these servers
> do not waste their bandwidth with my server, but the others still get
> teergrubed.

You can do this with Exim itself before SA_Exim - but only at the helo
stage and by forcing a lookup on the helo given. After that it's all
envelope stuff until the actual data, which can then be checked line by
line.

Whilst it's perfectly possible to reject a helo for any reason you want,
doing so might not be what you want in practice.

Best,

Tony

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonni@billy.demon.nl

From sdickenson at keyschool.org Thu Aug 14 09:15:27 2003
From: sdickenson at keyschool.org (Dickenson, Steven)
Date: Thu Aug 14 05:15:36 2003
Subject: [SA-exim] X-SA-Do-Not-Rej
Message-ID: <1DBA7B491604E94BBCCE5133069A5BB20DE018@mail.keyschool.org>

> What about a mail that already comes with a header
> X-SA-Do-Not-Rej: Yes

The easiest way to solve this problem is to set X-SA-Do-Not-Rej to some
unique value for your site, and then check if it's set to that value. For
example, my ACL in Exim could look like this...

# Don't reject messages for postmaster
warn message = X-SA-Do-Not-Rej: Beeblebrox
     local_parts = postmaster

I would then check for that in the condition in sa-exim.conf

SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Beeblebrox} {1}{0}}

Just remember to strip these headers for any messages leaving your site.
You can do this in a remote_smtp transport like so...

# This line strips the SA-Exim headers from outgoing messages,
# so that clever spammers can't figure out how to get around
# SpamAssassin.
headers_remove = "X-SA-Do-Not-Rej:X-SA-Do-Not-Run:X-SA-Exim-Scanned"

HTH,
Steven
---
Steven Dickenson
Network Administrator
The Key School, Annapolis Maryland

From Terry.Shows at csstn.com Thu Aug 14 12:26:42 2003
From: Terry.Shows at csstn.com (Terry Shows)
Date: Thu Aug 14 09:27:42 2003
Subject: [SA-exim] Using Mcafee uvscan
Message-ID:

Has anyone tried using uvscan from Mcafee with exiscan? I picked up a copy
with the latest dat files. It is a "free" port from mcafee, but doesn't
come with any documentation to speak of. If you have, do you have any
pointers that may help. I am currently using clam for now, but in running
tests, clam doesn't seem to catch all of the virus tests I have sent it.

Thank You
Terry Shows
Computer Software Specialists LLC
terry.shows@csstn.com

From sdickenson at keyschool.org Thu Aug 14 15:04:41 2003
From: sdickenson at keyschool.org (Dickenson, Steven)
Date: Thu Aug 14 11:06:11 2003
Subject: [SA-exim] Using Mcafee uvscan
Message-ID: <1DBA7B491604E94BBCCE5133069A5BB20DE01B@mail.keyschool.org>

No.

Note - This is not the exiscan list. You'll probably get better help over
there...

Steven
---
Steven Dickenson
Network Administrator
The Key School, Annapolis Maryland

-----Original Message-----
From: Terry Shows [mailto:Terry.Shows@csstn.com]
Sent: Thursday, August 14, 2003 12:27 PM
To: sa-exim@lists.merlins.org
Subject: [SA-exim] Using Mcafee uvscan

Has anyone tried using uvscan from Mcafee with exiscan? I picked up a copy
with the latest dat files. It is a "free" port from mcafee, but doesn't
come with any documentation to speak of. If you have, do you have any
pointers that may help. I am currently using clam for now, but in running
tests, clam doesn't seem to catch all of the virus tests I have sent it.

Thank You
Terry Shows
Computer Software Specialists LLC
terry.shows@csstn.com

_______________________________________________
SA-Exim mailing list
SA-Exim@lists.merlins.org
http://lists.merlins.org/lists/listinfo/sa-exim

From Terry.Shows at csstn.com Thu Aug 14 14:14:16 2003
From: Terry.Shows at csstn.com (Terry Shows)
Date: Thu Aug 14 11:14:43 2003
Subject: [SA-exim] Using Mcafee uvscan
In-Reply-To: <1DBA7B491604E94BBCCE5133069A5BB20DE01B@mail.keyschool.org>
Message-ID:

forgive the interruption. I sent this to the wrong list by mistake.

Terry

-----Original Message-----
From: Dickenson, Steven [mailto:sdickenson@keyschool.org]
Sent: Thursday, August 14, 2003 1:05 PM
To: 'Terry Shows'; sa-exim@lists.merlins.org
Subject: RE: [SA-exim] Using Mcafee uvscan

No.

Note - This is not the exiscan list. You'll probably get better help over
there...

Steven
---
Steven Dickenson
Network Administrator
The Key School, Annapolis Maryland

-----Original Message-----
From: Terry Shows [mailto:Terry.Shows@csstn.com]
Sent: Thursday, August 14, 2003 12:27 PM
To: sa-exim@lists.merlins.org
Subject: [SA-exim] Using Mcafee uvscan

Has anyone tried using uvscan from Mcafee with exiscan? I picked up a copy
with the latest dat files. It is a "free" port from mcafee, but doesn't
come with any documentation to speak of. If you have, do you have any
pointers that may help. I am currently using clam for now, but in running
tests, clam doesn't seem to catch all of the virus tests I have sent it.

Thank You
Terry Shows
Computer Software Specialists LLC
terry.shows@csstn.com

_______________________________________________
SA-Exim mailing list
SA-Exim@lists.merlins.org
http://lists.merlins.org/lists/listinfo/sa-exim

From christian_stuellenberg at web.de Fri Aug 15 07:55:52 2003
From: christian_stuellenberg at web.de (Christian Stuellenberg)
Date: Thu Aug 14 21:57:09 2003
Subject: [SA-exim] Re[2]: X-SA-Do-Not-Rej
In-Reply-To: <3F3B480E.2010609@billy.demon.nl>
References: <16187.13484.293634.782122@tower.cgs.condor.local> <3F3B480E.2010609@billy.demon.nl>
Message-ID: <16188.26584.697909.738920@tower.cgs.condor.local>

>>>>> "Tony" == Tony Earnshaw writes:

Tony> Christian Stuellenberg wrote:
>> What about a mail that already comes with a header
>> X-SA-Do-Not-Rej: Yes and an SAEximRejCond: ${if !eq
>> {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}} in spamassassin.conf?
>>
>> Normally X-SA-Do-Not-Rej should only be set in exim's
>> check_rcpt-acl, but what if a spammer would already have set
>> this flag? I tried it, and the spam comes through. :(
>>
>> Am I misunderstanding or missing something here?

Tony> AFAIR we've had this before and the (Tim Jackson's?) remedy
Tony> was to set the SA code and ACL to something a spammer
Tony> wouldn't reckon with. Like X-Wibble-Wobble or whatever.

That's a good idea. It will keep the secret on the server. I just didn't
even think about this easy thing and didn't get the point in the last
mails.

Tony> However, as long as I've been following this list, no-one's
Tony> ever mentioned any spammer actually having done this. Their
Tony> spam software (up to now) simply isn't made for every
Tony> eventuality in every anti-spam utility.

Yes, that's true, but if some spammer read about this default value, he
will possibly include it in his spam, so it is clever to use something
different.

Thnx.
Christian

From christian_stuellenberg at web.de Fri Aug 15 07:57:22 2003
From: christian_stuellenberg at web.de (Christian Stuellenberg)
Date: Thu Aug 14 21:58:35 2003
Subject: [SA-exim] Re[3]: X-SA-Do-Not-Rej
In-Reply-To: <1DBA7B491604E94BBCCE5133069A5BB20DE018@mail.keyschool.org>
References: <1DBA7B491604E94BBCCE5133069A5BB20DE018@mail.keyschool.org>
Message-ID: <16188.26674.622267.146099@tower.cgs.condor.local>

>>>>> "Stefen" == Dickenson, Steven writes:

Hello,

>> What about a mail that already comes with a header
>> X-SA-Do-Not-Rej: Yes

Stefen> The easiest way to solve this problem is to set
Stefen> X-SA-Do-Not-Rej to some unique value for your site, and
Stefen> then check if it's set to that value. For example, my ACL
Stefen> in Exim could look like this...

Stefen> # Don't reject messages for postmaster
Stefen> warn message = X-SA-Do-Not-Rej: Beeblebrox
Stefen>      local_parts = postmaster

Stefen> I would then check for that in the condition in
Stefen> sa-exim.conf

Stefen> SAEximRejCond: ${if !eq
Stefen> {$h_X-SA-Do-Not-Rej:}{Beeblebrox} {1}{0}}

Stefen> Just remember to strip these headers for any messages
Stefen> leaving your site. You can do this in a remote_smtp
Stefen> transport like so...

Stefen> # This line strips the SA-Exim headers from outgoing
Stefen> # messages, so that clever spammers can't figure out how
Stefen> # to get around SpamAssassin.
Stefen> headers_remove = "X-SA-Do-Not-Rej:X-SA-Do-Not-Run:X-SA-Exim-Scanned"

That's what I was missing.

Thnx.
Christian

From christian_stuellenberg at web.de Fri Aug 15 08:02:31 2003
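The scheme worked out in the X-SA-Do-Not-Rej thread above (a site-unique header value that only your own ACL adds, checked by SAEximRejCond, and stripped again on the outgoing transport), modelled in Python as an added example; this is not code from SA-Exim or Exim, it only re-implements what the quoted expansion, ACL line and headers_remove setting do so the bypass and the fix can be checked on constructed messages. The sample messages, addresses and the rcpt_local_part argument are constructed for illustration.

```python
"""Model of the X-SA-Do-Not-Rej guard discussed in the thread.

Added example, not SA-Exim's or Exim's own code: the functions below
re-implement in Python what the quoted SAEximRejCond expansion, the ACL
'warn message =' line and the transport's headers_remove do.
"""

from email import message_from_string
from email.message import Message

# Site-unique token from the thread; pick your own value in a real deployment.
SITE_TOKEN = "Beeblebrox"

# Header names SA-Exim consults; the same list the transport strips on egress.
SA_EXIM_HEADERS = ("X-SA-Do-Not-Rej", "X-SA-Do-Not-Run", "X-SA-Exim-Scanned")


def exim_h(msg: Message, name: str) -> str:
    """Approximation of Exim's $h_<name>: every instance of the header joined
    with newlines, surrounding whitespace stripped. Exim's header decoding is
    not modelled; this is enough for an exact-match condition."""
    return "\n".join(v.strip() for v in msg.get_all(name, []))


def sa_exim_rej_cond(msg: Message, token: str) -> bool:
    """SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{<token>} {1}{0}}
    True means SA-Exim is allowed to reject; False means the header exempted
    the message from rejection."""
    return exim_h(msg, "X-SA-Do-Not-Rej") != token


def acl_mark_postmaster(msg: Message, rcpt_local_part: str, token: str) -> Message:
    """Model of the check_rcpt ACL
         warn message = X-SA-Do-Not-Rej: <token>
              local_parts = postmaster
    Only our own MTA adds the header, and only for the postmaster local part."""
    if rcpt_local_part == "postmaster":
        msg["X-SA-Do-Not-Rej"] = token
    return msg


def strip_sa_exim_headers(msg: Message) -> Message:
    """Model of the remote_smtp transport setting
    headers_remove = "X-SA-Do-Not-Rej:X-SA-Do-Not-Run:X-SA-Exim-Scanned"
    so the token never leaves the site in relayed or forwarded mail."""
    for name in SA_EXIM_HEADERS:
        del msg[name]          # removes every instance of that header
    return msg


# Constructed inbound message whose sender pre-set the documented default.
SENDER_SUPPLIED_HEADER = """\
From: bulk@example.invalid
To: alice@example.org
Subject: constructed sample
X-SA-Do-Not-Rej: Yes

body
"""

# Constructed legitimate message to postmaster, no SA-Exim headers on arrival.
TO_POSTMASTER = """\
From: user@example.net
To: postmaster@example.org
Subject: constructed sample

body
"""


def rejectable(raw: str, token: str, rcpt_local_part: str = "alice") -> bool:
    """Run one message through the ACL model and then the SAEximRejCond model."""
    msg = acl_mark_postmaster(message_from_string(raw), rcpt_local_part, token)
    return sa_exim_rej_cond(msg, token)


def outbound_copy(raw: str) -> str:
    """What the next hop sees after the transport's headers_remove."""
    return strip_sa_exim_headers(message_from_string(raw)).as_string()


if __name__ == "__main__":
    print("default 'Yes', sender-supplied header:", rejectable(SENDER_SUPPLIED_HEADER, "Yes"))
    print("site token, sender-supplied header:  ", rejectable(SENDER_SUPPLIED_HEADER, SITE_TOKEN))
    print("site token, mail to postmaster:      ", rejectable(TO_POSTMASTER, SITE_TOKEN, "postmaster"))
    print(outbound_copy(SENDER_SUPPLIED_HEADER))
```

With the documented default value the sender-supplied header exempts the message (the case Christian hit); with the site token it does not, while mail to postmaster still gets the exemption because the ACL adds the token itself. The strip on egress matters because a forwarded or bounced copy would otherwise carry the token to the outside world.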
From: christian_stuellenberg at web.de (Christian Stuellenberg)
Date: Thu Aug 14 22:03:44 2003
Subject: [SA-exim] Re: Distinct sender_host_address for SA scores?
In-Reply-To: <3F3B7403.3090503@billy.demon.nl>
References: <16187.19500.553408.261222@tower.cgs.condor.local> <3F3B7403.3090503@billy.demon.nl>
Message-ID: <16188.26983.106611.817869@tower.cgs.condor.local>

>>>>> "Tony" == Tony Earnshaw writes:

Hello,

Tony> Christian Stuellenberg wrote:
>> Wouldn't it be nice to be able to have different SA scores for
>> different sender_hosts?
>>
>> What I intend is to be able to return a permanent error for
>> spam that gets forwarded from some well known mailserver, so
>> that these servers do not waste their bandwidth with my server,
>> but the others still get teergrubed.

Tony> You can do this with Exim itself before SA_Exim - but only
Tony> at the helo stage and by forcing a lookup on the helo
Tony> given. After that it's all envelope stuff until the actual
Tony> data, which can then be checked line by line.

Tony> Whilst it's perfectly possible to reject a helo for any
Tony> reason you want, doing so might not be what you want in
Tony> practice.

What I want is that if a spam mail comes from specified hosts they get
rejected (with a 5xx) and if the same spam has come from any other host,
they get normally teergrubed (or whatever SA score has been reached). So I
do not want to reject all mails from these specified hosts, but only the
spam mails.

Christian

From samuel.roberts at hants.gov.uk Fri Aug 15 12:43:18 2003
From: samuel.roberts at hants.gov.uk (Roberts, Samuel)
Date: Fri Aug 15 03:43:25 2003
Subject: [SA-exim] Need more logging!
Message-ID: <0EA4D1323141774897427FCFDAAAC023710D46@EXVSRV09.it2000.hants.gov.uk>

Hello,

I'm fairly new to this SpamAssassin stuff. I've got SA running with Exim
(Using SA-Exim) but would like more information in the logs about the
tests each mail scored. We're getting information for perm rejected mail
but would like the same or similar for accepted mail. If possible, we
don't want this info going to the users in the mail headers. I know this
will significantly increase the size of the logs, it is a temporary
measure while I sort out a few teething problems.

I'm running:-
Spam-Assassin 2.55
Exim 4.20
SA-Exim 3.0

Can anyone help?

Thanks in advance

Sam Roberts

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.merlins.org/archives/sa-exim/attachments/20030815/aa6c105e/attachment.html

From marc at merlins.org Fri Aug 15 08:23:40 2003
From: marc at merlins.org (Marc MERLIN)
Date: Fri Aug 15 07:23:42 2003
Subject: [SA-exim] Need more logging!
In-Reply-To: <0EA4D1323141774897427FCFDAAAC023710D46@EXVSRV09.it2000.hants.gov.uk>
References: <0EA4D1323141774897427FCFDAAAC023710D46@EXVSRV09.it2000.hants.gov.uk>
Message-ID: <20030815142340.GT9751@merlins.org>

On Fri, Aug 15, 2003 at 11:43:18AM +0100, Roberts, Samuel wrote:
> Hello,
>
> I'm fairly new to this SpamAssassin stuff. I've got SA running with Exim
> (Using SA-Exim) but would like more information in the logs about the
> tests each mail scored. We're getting information for perm rejected mail
> but would like the same or similar for accepted mail. If possible, we
> don't want this info going to the users in the mail headers. I know this
> will significantly increase the size of the logs, it is a temporary
> measure while I sort out a few teething problems.

This is already logged in rejectlog

If you don't want it to go to the users, you can use remove_headers in
your exim transport

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From marc at merlins.org Fri Aug 15 08:25:13 2003
From: marc at merlins.org (Marc MERLIN)
Date: Fri Aug 15 07:25:15 2003
Subject: [SA-exim] Need more logging!
In-Reply-To: <20030815142340.GT9751@merlins.org>
References: <0EA4D1323141774897427FCFDAAAC023710D46@EXVSRV09.it2000.hants.gov.uk> <20030815142340.GT9751@merlins.org>
Message-ID: <20030815142513.GU9751@merlins.org>

On Fri, Aug 15, 2003 at 07:23:40AM -0700, Marc MERLIN wrote:
> This is already logged in rejectlog

Mmmh, actually, spam that is accepted doesn't have its headers logged.
Just use the system_filter to save the headers of all incoming mails

Here's a sample you can modify:

if $header_message-id matches "<[^>]+@>" then
  logfile /var/log/exim/nullmesgidbouncedemail.log 0600
  logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers"
  save /var/spool/exim/rejects/nullmesgidbouncedemail 0644
  if not error_message then
    fail text "Sorry, but your message-ID is broken, apparently because your\n\
hostname isn't set right\n\
You need to fix this before you can send us mail.\n"
  endif
  seen finish
endif

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From tonni at billy.demon.nl Fri Aug 15 17:27:14 2003
From: tonni at billy.demon.nl (Tony Earnshaw)
Date: Fri Aug 15 07:44:40 2003
Subject: [SA-exim] Need more logging!
In-Reply-To: <0EA4D1323141774897427FCFDAAAC023710D46@EXVSRV09.it2000.hants.gov.uk>
References: <0EA4D1323141774897427FCFDAAAC023710D46@EXVSRV09.it2000.hants.gov.uk>
Message-ID: <3F3CEDC2.5070703@billy.demon.nl>

Roberts, Samuel wrote:

> I'm fairly new to this SpamAssassin stuff. I've got SA running with Exim
> (Using SA-Exim) but would like more information in the logs about the
> tests each mail scored. We're getting information for perm rejected mail
> but would like the same or similar for accepted mail. If possible, we
> don't want this info going to the users in the mail headers. I know this
> will significantly increase the size of the logs, it is a temporary
> measure while I sort out a few teething problems.
>
> I'm running:-
> Spam-Assassin 2.55
> Exim 4.20
> SA-Exim 3.0
>
> Can anyone help?

Sam,

Have you read section 44.15 in the Exim spec.txt file? Does it help? If
not, why not?

Tony

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonni@billy.demon.nl

From tdmlinux4 at yahoo.com Sun Aug 17 08:30:25 2003
From: tdmlinux4 at yahoo.com (Tom Murphy)
Date: Sun Aug 17 07:30:43 2003
Subject: [SA-exim] Problems building sa-exim (both 3.0 and CVS) with Exim v4.21
Message-ID: <20030817143025.33385.qmail@web41904.mail.yahoo.com>

Hi all,

I'm having problems trying to build Exim after patching the local_scan.c.
I downloaded the CVS sa-exim and patched with the
"localscan_dlopen_exim_4.20_or_better.patch":

patching file src/EDITME
Hunk #1 succeeded at 404 (offset 16 lines).
patching file src/config.h.defaults
patching file src/globals.c
Hunk #1 succeeded at 104 (offset 1 line).
patching file src/globals.h
Hunk #1 succeeded at 68 (offset 1 line).
patching file src/local_scan.c
patching file src/readconf.c
Hunk #1 succeeded at 217 (offset 35 lines).

So far so good.. but when I compile Exim v4.21 (and I enabled
LOCAL_SCAN_HAS_OPTIONS=yes in the Local/Makefile), I get:

readconf.o: In function `readconf_print':
readconf.o(.text+0x29b7): undefined reference to `local_scan_options'
readconf.o(.text+0x29bc): undefined reference to `local_scan_options_count'
readconf.o(.text+0x29c8): undefined reference to `local_scan_options'
readconf.o(.text+0x29d9): undefined reference to `local_scan_options'
readconf.o(.text+0x29ef): undefined reference to `local_scan_options_count'
readconf.o(.text+0x29f9): undefined reference to `local_scan_options'
readconf.o: In function `local_scan_init':
readconf.o(.text+0x463c): undefined reference to `local_scan_options_count'
readconf.o(.text+0x4641): undefined reference to `local_scan_options'
collect2: ld returned 1 exit status
make[1]: *** [exim] Error 1

Is there something I am doing wrong?

Thanks,
Tom

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

From marc at merlins.org Mon Aug 18 00:29:25 2003
From: marc at merlins.org (Marc MERLIN)
Date: Sun Aug 17 23:29:27 2003
Subject: [SA-exim] Problems building sa-exim (both 3.0 and CVS) with Exim v4.21
In-Reply-To: <20030817143025.33385.qmail@web41904.mail.yahoo.com>
References: <20030817143025.33385.qmail@web41904.mail.yahoo.com>
Message-ID: <20030818062925.GB16761@merlins.org>

On Sun, Aug 17, 2003 at 07:30:25AM -0700, Tom Murphy wrote:
> So far so good.. but when I compile Exim v4.21
> (and I enabled LOCAL_SCAN_HAS_OPTIONS=yes in the
> Local/Makefile), I get:

That's the problem. Don't do that, it causes exactly the problem you
describe

> readconf.o: In function `readconf_print':
> readconf.o(.text+0x29b7): undefined reference to
> `local_scan_options'

Did anything in the documentation hint that you should set
LOCAL_SCAN_HAS_OPTIONS=yes ?
I'll make it clear in the docs that you should not enable this

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From marc at merlins.org Mon Aug 18 09:42:37 2003
From: marc at merlins.org (Marc MERLIN)
Date: Mon Aug 18 08:42:40 2003
Subject: [SA-exim] updated sa-exim cvs
Message-ID: <20030818154237.GF23946@merlins.org>

I know I made some noises about releasing 3.1 a couple of weeks ago, but
found a bug right before that.

It was suggested that I use exim's Message-Id instead of the one from the
message headers, but that turned out to be a bad idea because the
Message-Id from exim is really unique and it caused saved messages on temp
rejects to be saved under different filenames every time they came back
(since the filename is the Message-ID)

So, I fixed that, and also improved logging some more to output the
mailinfo (last part in the log line) for all Action log entries (not just
spam), and I also added the header Message-Id in the logs as it really
helps when you want to find a spam in a mailbox later or compare with an
SA timelog entry (which also uses the header Message-Id)

So, log lines now look like this:

2003-08-18 08:31:01 19olyD-0004l9-PO SA: Action: scanned but message isn't spam: hits=-22.9 required=7.0 (scanned in 3/3 secs | Message-Id: 474F8E4B2022BD45B0DEFFAFD2286576AC33@exch2k1.ida.org). From (host=exim-colo-01.whoc.theplanet.co.uk [195.92.249.251]) for exim-users-local at merlins.org

The cvs code is obviously stable since it's been running on my mail server
for at least 17 minutes :) and if nothing explodes and I get a little time
at home this week when I'm not actually sleeping, I'll release 3.1 from the
current cvs code.

http://sourceforge.net/cvs/?group_id=56124

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From Terry.Shows at csstn.com Mon Aug 18 14:09:27 2003
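A parser for the "SA: Action:" log line format Marc shows above, as an added example (not SA-Exim's own code). It pulls out the fields a sysadmin correlates against a mailbox or an SA timelog entry (Exim id, header Message-Id, sending host and IP, hits and threshold) and skips other Exim log lines. The first sample line is the one from the mail with the archive's " at " restored to "@"; the second line and the delivery line are constructed, and the "From <sender> (host=...)" layout for a non-empty envelope sender is an assumption, since the mail only shows a line with an empty sender.

```python
"""Parser for SA-Exim "SA: Action:" log lines. Added example, not SA-Exim's
own code; see the lead-in for which sample lines are constructed."""

import re
from collections import Counter

SA_ACTION_LINE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<exim_id>\S+) SA: Action: (?P<action>.+?): "
    r"hits=(?P<hits>-?\d+(?:\.\d+)?) required=(?P<required>\d+(?:\.\d+)?) "
    r"\(scanned in (?P<scan_time>\S+) secs \| Message-Id: (?P<msgid>[^)]*)\)\. "
    r"From (?:(?P<sender>\S+) )?\(host=(?P<host>\S+) \[(?P<ip>[^\]]+)\]\) "
    r"for (?P<rcpt>.+)$"
)

# Sample log: line 1 is the announcement's line, line 2 is a constructed spam
# line in the same shape, line 3 is a constructed non-SA Exim line to skip.
SAMPLE_LOG = [
    "2003-08-18 08:31:01 19olyD-0004l9-PO SA: Action: scanned but message isn't spam: "
    "hits=-22.9 required=7.0 (scanned in 3/3 secs | Message-Id: "
    "474F8E4B2022BD45B0DEFFAFD2286576AC33@exch2k1.ida.org). From "
    "(host=exim-colo-01.whoc.theplanet.co.uk [195.92.249.251]) for exim-users-local@merlins.org",
    "2003-08-18 08:45:12 19omBk-0004mQ-3f SA: Action: teergrubed sender until full configured duration: "
    "hits=23.4 required=7.0 (scanned in 2/2 secs | Message-Id: "
    "000001c36593$9a9f2c40$0100a8c0@example.invalid). From bulk@example.invalid "
    "(host=mail.example.invalid [192.0.2.10]) for alice@example.org",
    "2003-08-18 08:31:02 19olyD-0004l9-PO => alice <alice@example.org> R=localuser T=local_delivery",
]


def parse_sa_action(line: str):
    """Return a dict of fields for an SA-Exim action line, or None for any
    other log line. hits/required become floats; an empty envelope sender
    (a bounce) is reported as "<>"; is_spam is derived from SpamAssassin's
    hits >= required rule, not read from the action text."""
    m = SA_ACTION_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["hits"] = float(rec["hits"])
    rec["required"] = float(rec["required"])
    rec["sender"] = rec["sender"] or "<>"
    rec["is_spam"] = rec["hits"] >= rec["required"]
    return rec


def summarize(lines):
    """Count spam/ham action lines and skipped lines, e.g. to compare a day's
    mainlog against what the mailbox-side SA timelog shows."""
    counts = Counter()
    for line in lines:
        rec = parse_sa_action(line)
        if rec is None:
            counts["skipped"] += 1
        else:
            counts["spam" if rec["is_spam"] else "ham"] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_sa_action(line)
        if rec:
            print(rec["exim_id"], rec["ip"], rec["hits"], rec["msgid"], rec["action"])
    print(summarize(SAMPLE_LOG))
```

The header Message-Id is captured verbatim (it is the sender's identifier, so treat it as untrusted text when you feed it into anything else); the Exim id is the stable key for joining against the rest of mainlog.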
From: Terry.Shows at csstn.com (Terry Shows)
Date: Mon Aug 18 11:10:08 2003
Subject: [SA-exim] Need setting for SAEximRunCond
Message-ID:

I need a new setting for SAEximRunCond. My problem is this. My backup mail
server is managed by someone else, who doesn't keep the latest version of
spamassassin on it. So his spamassassin checks, says that it isn't spam,
then marks X-SA-Do-Not-Run positive. When the email gets to my server
eventually, my sa-exim doesn't check it for spam, and lets it go through.
Is there any way to check to see if the email was checked by my host
originally, then remove SA headers and perform spam detection on it?

Right now, I have

-------------------------------- clip ------------------------------
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
------------------------------- end clip -------------------------------

in my sa-exim.conf file.

Thank You
Terry Shows

From marc at merlins.org Tue Aug 19 11:22:55 2003
From: marc at merlins.org (Marc MERLIN)
Date: Tue Aug 19 10:22:57 2003
Subject: [SA-exim] SA-Exim 3.1 released
Message-ID: <20030819172255.GE755@merlins.org>

Thank you for your patience, it's finally there.

The changelist is here:

2003/08/18 - v3.1
* Fixed SA: Action: teergrubed sender until full configured duration output
* spamassassin.conf was renamed sa-exim.conf (bad initial name choice)
* Changed teergrubing so that it works with exim 4.20 and above
* Added the much requested SARewriteBody option for SA 2.50's report_safe
  (courtesy of Richard Lithvall)
* Added SAaddSAEheaderBeforeSA to deal with SARewriteBody and privacy
* Added SAPrependArchiveWithFrom option (Richard Lithvall)
* As announced in the previous version, SAStallSender was removed. Use
  Teergrubing instead
* Message-Id is read directly from Exim now that the API allows for that
  (we used to parse the Message-Id header ourselves)
  -> except that we don't use this for logging or saving messages: as soon
  as we can read the real Message-Id from the headers, we use that
  Message-Id for logging (this is to facilitate tracking of messages from
  the logs and correlating with something like SA timelog files)
* Logging improved some more: Message-Id is added to log entries, as well
  as the full mailinfo whether the message is spam or not

As usual, it's here:
http://marc.merlins.org/linux/exim/sa.html
http://sourceforge.net/projects/sa-exim/

Deb package is here:
http://marc.merlins.org/linux/exim/files/debian/

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From jknotzke at shampoo.ca Tue Aug 19 23:01:18 2003
From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Tue Aug 19 19:01:30 2003
Subject: [SA-exim] A couple of questions
Message-ID: <20030820020118.GB1269@shampoo.ca>

Hi,

I've been using SA-Exim now for a few weeks and it's working very well
indeed.

Checking my rejectlogs daily and I notice that most of my SPAMS are
caught by Exim's callout and verify before SA-Exim is ever called.

Is this the case for most people?

My next question concerns whitelists. I googled Marc's site
lists.merlins.org and I found lots of references to per user whitelist
but I would like to know how I can create a global whitelist. I
specifically do not want to teergrub mails from debian.org.

Thanks

J
--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From marc at merlins.org Tue Aug 19 20:50:05 2003
From: marc at merlins.org (Marc MERLIN)
Date: Tue Aug 19 19:50:06 2003
Subject: [SA-exim] A couple of questions
In-Reply-To: <20030820020118.GB1269@shampoo.ca>
References: <20030820020118.GB1269@shampoo.ca>
Message-ID: <20030820025005.GI755@merlins.org>

On Tue, Aug 19, 2003 at 10:01:18PM -0400, Justin F. Knotzke wrote:
> I've been using SA-Exim now for a few weeks and its working very well
> indeed.
>
> Checking my rejectlogs daily and I notice that most of my SPAMS are
> caught by Exim's callout and verify before SA-Exim is ever called.
>
> Is this the case for most people?

Yes. Callouts still catch a boatload of spam (and a semi legit mail from
time to time too)

> My next question concerns whitelists. I googled Marc's site
> lists.merlins.org and I found lots of references to per user whitelist
> but I would like to know how I can create a global whitelist. I
> specifically do not want to teergrub mails from debian.org.

That's not hard. Look for SAteergrubecond in sa-exim.conf
You can do tests on the envelope or header sender domain, or
$sender_host_address which is the IP of the mail server sending you mail

That said, for mailing lists and so forth, I usually whitelist them in
/etc/spamassassin/local.cf as in:
more_spam_to exim-users@exim.org

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From marc at merlins.org Tue Aug 19 21:03:43 2003
From: marc at merlins.org (Marc MERLIN)
Date: Tue Aug 19 20:03:46 2003
Subject: [SA-exim] Need setting for SAEximRunCond
In-Reply-To:
References:
Message-ID: <20030820030343.GM755@merlins.org>

On Tue, Aug 19, 2003 at 04:42:33PM -0700, Chirik wrote:
> On Mon, 18 Aug 2003, Terry Shows wrote:
>
> > Is there any way to check to see if the email was checked by my host
> > originally, then remove SA headers and perform spam detection on it?
>
> I use the acl variables - doesn't use a header at all. I think using the
> headers is kinda a kludge, personally, but it's still the example setup.

Right. ACLs are better, but I use headers because it lets recipients know
why the mail was or wasn't scanned (and it works with older exims)
Otherwise, they don't really know. It's a matter of preference I guess.

That said, I should bundle your example too

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From wash at wananchi.com Wed Aug 20 09:39:47 2003
From: wash at wananchi.com (ODHIAMBO Washington)
Date: Tue Aug 19 22:40:16 2003
Subject: [SA-exim] FEATURE REQUEST - Line continuations in sa-exim.conf
Message-ID: <20030820053947.GA1673@ns2.wananchi.com>

Hi Marc,

Would it be too much work for you if you were to adjust the parser
to allow for line continuations in sa-exim.conf? If not, then please
place this on your TODO list. I believe it will make the file look
more readable.

Right now every config option (especially the ones that take expansion
conditions) demand that everything be on one single line.

It would be nice to have:

SAexim-some-condition: ${ { {cond1} \
                            {cond2} \
                          } {1}{0}}

Thank you in advance.

-Wash

--
Odhiambo Washington                        "The box said 'Requires
Wananchi Online Ltd.   www.wananchi.com     Windows 95, NT, or better,'
Tel: +254 2 313985-9   +254 2 313922        so I installed FreeBSD."
GSM: +254 72 743223    +254 733 744121      This sig is McQ! :-)

There are many intelligent species in the universe. They all own cats.

From marc at merlins.org Tue Aug 19 23:46:12 2003
From: marc at merlins.org (Marc MERLIN)
Date: Tue Aug 19 22:46:14 2003
Subject: [SA-exim] FEATURE REQUEST - Line continuations in sa-exim.conf
In-Reply-To: <20030820053947.GA1673@ns2.wananchi.com>
References: <20030820053947.GA1673@ns2.wananchi.com>
Message-ID: <20030820054612.GO755@merlins.org>

On Wed, Aug 20, 2003 at 08:39:47AM +0300, ODHIAMBO Washington wrote:
> Hi Marc,
>
> Would it be too much work for you if you were to adjust the parser
> to allow for line continuations in sa-exim.conf? If not, then please
> place this on your TODO list. I believe it will make the file look
> more readable.

I'm sorry but this is not something I'm planning to do.

> Right now every config option (expecially the ones that take expansion
> conditions) demand that everything be on one single line.

Yep.

I'll be honest: I'm a sysadmin and I work with high level languages every
day. Having to write the gory details of a correct parser in C is not
something I want to do, especially because it's so low level and it has
been done so many times already, so I'd have to waste my time to write my
own or adapt a current parser, and it would probably add 100 lines of code
or more (if it's not several hundred lines)

Really, what I should have done is used the exim parser and put the
sa-exim options in exim.conf itself, unfortunately, you couldn't do that
when I started sa-exim, and I'd break everyone's install if I did that.

I think I would still take a patch to make sa-exim optionally read its
options from exim.conf, but I have too little time and interest to do this
myself.

Sorry :-)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From coax at cornernet.com Wed Aug 20 01:50:46 2003
From: coax at cornernet.com (Coax) Date: Tue Aug 19 22:51:03 2003 Subject: [SA-exim] FEATURE REQUEST - Line continuations in sa-exim.conf In-Reply-To: <20030820054612.GO755@merlins.org> Message-ID: > been done so many times already, so I'd have to waste my time to write my > own or adapt a current parser, and it would probably add 100 lines of code > or more (if it's not several hundred lines) marc, just gotta look for a \ as you parse your line. if you find one, read the next line. if you don't find a complete command at the end of it, spew an error and bomb. I'm assuming you read the config line by line (or byte by byte, looking for \n) already, so it probably would take about 30 lines of code (in my estimation) to accomplish the task. Maybe these kind folks could step up and add the code for you? :) Chad From marc at merlins.org Tue Aug 19 23:58:45 2003 
From: marc at merlins.org (Marc MERLIN) Date: Tue Aug 19 22:58:47 2003 Subject: [SA-exim] FEATURE REQUEST - Line continuations in sa-exim.conf In-Reply-To: References: <20030820054612.GO755@merlins.org> Message-ID: <20030820055845.GP755@merlins.org> On Wed, Aug 20, 2003 at 12:50:46AM -0500, Coax wrote: > > been done so many times already, so I'd have to waste my time to write my > > own or adapt a current parser, and it would probably add 100 lines of code > > or more (if it's not several hundred lines) > > marc, just gotta look for a \ as you parse your line. if you find one, > read the next line. if you dont find a complete command at the end of it, > spew an error and bomb. > > I'm assuming you read the config line by line (or byte by byte, looking > for \n) already, so it probably would take about 30 lines of code (in my > estimation) to accomplish the task. It's not just that. My parser really really sucks because I purposely didn't try. Look at the code and you'll see :) It should accept multiple spaces before and after, and tabs and so forth. It does none of that > Maybe these kind folks could step up and add the code for you? :) I still think that a half decent parser would actually increase the code size by quite a bit and that it makes more sense to interface with exim's parser and use local_scan_has_options Eh Chad, you used to be a C coder, when can I expect your patch? :-) Marc -- "A mouse is a device used to point at the xterm you want to type in" - A.S.R. Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key From lololuy at freegates.be Wed Aug 20 17:59:13 2003 
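Chad's sketch in the previous message (look for a trailing backslash, read the next line, error out if the file ends mid-directive) together with Marc's point about tolerating extra spaces and tabs, as an added C example that is neither sa-exim's parser nor Chad's patch: `read_directive()` joins continuation lines into one logical line, ignores blanks after the backslash and the indent of the continued line, and treats end of file inside a continuation as an error instead of dropping the partial directive. The sample file, `read_all()` and the 1024-byte scratch buffer are constructed for the example; the directive names are the ones used in this thread.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Read one logical sa-exim.conf directive from fp into buf[cap].
 * A physical line whose last non-blank character is '\' continues on
 * the next line: the backslash, the blanks around the break and the
 * indent of the continued line are removed, so
 *     SAEximDebug: \
 *         3
 * yields "SAEximDebug: 3". Blank and '#' lines are skipped, but only
 * between directives, never inside a continuation.
 * Returns 1 when a directive was read, 0 at end of file, -1 on error
 * (a physical line longer than the scratch buffer, a joined directive
 * longer than buf, or end of file while a continuation is pending). */
int read_directive(FILE *fp, char *buf, size_t cap)
{
    char line[1024];        /* scratch buffer for one physical line (constructed size) */
    size_t len = 0;         /* bytes of the logical line already in buf */
    int pending = 0;        /* 1 while the previous line ended in '\' */

    buf[0] = '\0';
    while (fgets(line, sizeof line, fp) != NULL) {
        size_t n = strlen(line);
        if (n > 0 && line[n - 1] != '\n' && !feof(fp))
            return -1;                      /* physical line did not fit in line[] */

        /* drop the newline and trailing blanks, so "foo \ " still continues */
        while (n > 0 && isspace((unsigned char)line[n - 1]))
            n--;
        line[n] = '\0';

        const char *p = line;
        if (!pending) {
            if (n == 0 || *p == '#')
                continue;                   /* comment or blank line between directives */
        } else {
            while (*p == ' ' || *p == '\t')
                p++;                        /* indent of a continued line is not part of the value */
        }

        size_t plen = strlen(p);
        int cont = plen > 0 && p[plen - 1] == '\\';
        if (cont)
            plen--;                         /* the backslash itself is not copied */

        if (len + plen + 1 > cap)
            return -1;                      /* joined directive would overflow buf */
        memcpy(buf + len, p, plen);
        len += plen;
        buf[len] = '\0';

        if (cont) {
            pending = 1;
            continue;
        }
        return 1;
    }
    return pending ? -1 : 0;    /* EOF with a continuation still open is an error, not silence */
}

/* Constructed sample file (not a real sa-exim.conf); note the blanks
 * after the first backslash of SAEximRunCond. */
static const char SAMPLE_CONF[] =
    "# constructed example\n"
    "SAEximDebug: \\\n"
    "    3\n"
    "SAEximRunCond: ${if and {{def:sender_host_address} \\  \n"
    "                         {!eq {$sender_host_address}{127.0.0.1}} \\\n"
    "                        } {1}{0}}\n";

/* Parse every directive in text into out[0..max-1] (each a 256-byte
 * string). Returns how many were read, or -1 if the file is malformed.
 * A temporary file stands in for the real config file. */
int read_all(const char *text, char (*out)[256], int max)
{
    FILE *fp = tmpfile();
    int count = 0, rc = 0;

    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    while (count < max && (rc = read_directive(fp, out[count], 256)) == 1)
        count++;
    fclose(fp);
    return rc < 0 ? -1 : count;
}

int main(void)
{
    char d[8][256];
    int n = read_all(SAMPLE_CONF, d, 8);
    for (int i = 0; i < n; i++)
        printf("%s\n", d[i]);
    return n < 0;
}
```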
From: lololuy at freegates.be (Laurent Luyckx) Date: Wed Aug 20 07:59:39 2003 Subject: [SA-exim] sobig.f Message-ID: <1061391553.2126.16.camel@poseidon> [sorry if it's off-topic] Hi, Has anybody seen sobig.f-infected mails without an attachment? Cheers. Laurent From jknotzke at shampoo.ca Wed Aug 20 13:25:17 2003 From: jknotzke at shampoo.ca (Justin F. Knotzke) Date: Wed Aug 20 09:25:26 2003 Subject: [SA-exim] A couple of questions In-Reply-To: <20030820025005.GI755@merlins.org> References: <20030820020118.GB1269@shampoo.ca> <20030820025005.GI755@merlins.org> Message-ID: <20030820162517.GE6424@shampoo.ca> > That said, for mailing lists and so forth, I usually whitelist them in > /etc/spamassassin/local.cf as in: > more_spam_to exim-users@exim.org Well. I did the following in /etc/spamassassin/local.cf: more_spam_to exim-users@exim.org more_spam_to debian-security@lists.debian.org Mail was able to come in, however for some reason this broke mailman. Mailman got the message (or so say the logs) but never delivered. I checked the archives of my mailman server and the message in question was there. I checked this for two lists on my mailman server with the same results: no delivery. I didn't try to send a non-mailman message, BTW. I took out the more_spam_to and everything worked OK. Are the more_spam_to lists comma delimited? J -- Justin F. Knotzke jknotzke@shampoo.ca http://www.shampoo.ca From coax at cornernet.com Thu Aug 21 00:35:29 2003 
From: coax at cornernet.com (Coax) Date: Wed Aug 20 21:35:53 2003 Subject: [SA-exim] FEATURE REQUEST - Line continuations in sa-exim.conf In-Reply-To: <20030820055845.GP755@merlins.org> Message-ID: > Eh Chad, you used to be a C coder, when can I expect your patch? :-) Right here, of course. :) This is a patch against sa-exim.c from the sa-exim 3.1 package. (not sure if its compatible with the CVS tail if its newer, but i'm sure you can figure it out. :) This is an absolute BRUTE HACK. It merely combines lines if the last character before \n on the line is a '\'. If you add a space after it, it won't parse it correctly. Feel free to futz with that if you like. it would be easy to write a little algorithm to deal with this a little better; i just don't have the time. This patch makes the following work: SAEximDebug: \ 3 I haven't tested anything else. Lotsa luck. :) Chad -------------- next part -------------- --- sa-exim-3.1/sa-exim.c Mon Aug 18 10:34:39 2003 +++ sa-exim-3.1-chad/sa-exim.c Wed Aug 20 23:28:10 2003 @@ -563,6 +563,9 @@ char *xspamprevcontenttransferencoding=NULL; char *xspamreport=NULL; + int buflen = 0; + int firstround = 1; + int offset = 0; /* Any error can write the faulty message to mesgfn, so we need to give it a value right now. We'll replace it with the real Message-ID later */ 
@@ -592,18 +595,34 @@ readfh=fdopen(ret, "r"); CHECKERR(readfh,"fdopen",__LINE__); - while ((fgets((char *)buffer, sizeof(buffera), (FILE *)readfh)) != NULL) + while ((fgets((char *)buffer+offset, sizeof(buffera)-offset, (FILE *)readfh)) != NULL) { - if (*buffer == '#' || *buffer == '\n' ) - { - continue; - } + + if (firstround) { + if (*buffer == '#' || *buffer == '\n' ) { + continue; + } - if (*buffer != 'S' || *(buffer+1) != 'A') - { - log_write(0, LOG_MAIN, "SA: Warning: error while reading configuration file %s. Line does not begin with a SA directive: '%s', ignoring", conffile, buffer); - continue; - } + if (*buffer != 'S' || *(buffer+1) != 'A') { + log_write(0, LOG_MAIN, "SA: Warning: error while reading configuration file %s. Line does not begin with a SA directive: '%s', ignoring", conffile, buffer); + continue; + } + } + + + buflen = strlen(buffer); + //log_write (0, LOG_MAIN, "buffer = %s\n",buffer); + + if ( *(buffer+(buflen-2)) == '\\') { + //log_write(0, LOG_MAIN, "SA: Debug: Command not finished! Lets do it again!\n"); + offset = offset + buflen-2; + firstround = 0; + continue; + } else { + firstround = 1; + offset = 0; + } + #define M_CHECKFORVAR(VAR, TYPE) \ if (strstr(buffer, #VAR ": ") == buffer) \ From marc at merlins.org Thu Aug 21 09:47:36 2003 
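Review bot: in the `@@ -563,6 +563,9 @@` hunk, `buflen` and `offset` are declared `int` but receive `strlen()` results and are subtracted from `sizeof(buffera)` in the next hunk, so the arithmetic mixes signed and unsigned types; declare both as `size_t`, and add a one-line comment saying that `offset` is the length of the partial directive carried over from a line ending in `\`.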
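Review bot: the `@@ -592,18 +595,34 @@` hunk drops an unterminated continuation silently: when `fgets()` returns NULL while `offset` is non-zero, the partial directive sitting in `buffer` is neither parsed nor reported, which is the opposite of the "spew an error and bomb" behaviour proposed earlier in this thread; add a check after the `while` loop, e.g. `if (offset) log_write(0, LOG_MAIN, "SA: Warning: unterminated continuation in %s", conffile);`. The test `*(buffer+(buflen-2)) == '\\'` also assumes the physical line ends in `\n`, so a backslash followed by trailing blanks, or on a last line without a newline, is not recognised as a continuation, and because `offset` only grows, a joined directive longer than `buffera` is cut at an arbitrary point by the shrinking `sizeof(buffera)-offset` and its remainder is then reported only as a stray line that does not begin with `SA`. The two commented-out `//log_write` debug lines should be removed before merging, and the re-bracing of the existing `if` blocks makes the diff noisier than it needs to be.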
From: marc at merlins.org (Marc MERLIN) Date: Thu Aug 21 08:47:40 2003 Subject: [SA-exim] Re: sa-exim and temp reject... In-Reply-To: <1061475006.13830.59.camel@hades.cambridge.redhat.com> References: <1061475006.13830.59.camel@hades.cambridge.redhat.com> Message-ID: <20030821154736.GI16955@merlins.org> [Cc sa-exim, since both the question and answer should be interesting] On Thu, Aug 21, 2003 at 03:10:06PM +0100, David Woodhouse wrote: > Feature request... I'd like to temporarily reject mail with a medium > SpamAssassin score, but keep a week's worth of message-ids of mails > which were temporarily rejected, and _allow_ the same mail if it's > retried. I see what you're trying to do. BTW, I heard from a friend in the anti-spam field that this scheme doesn't work nearly as well as it used to, but it's still ok. Let's look at implementations. 1) Lower your sa-exim tempreject score to let's say 2 or 3 2a) modify SA to touch /var/spool/samesgid/ (done in /usr/share/perl5/Mail/SpamAssassin.pm, see my timelog function there and steal from it) 3a) Add a simple SA check to stat /var/spool/samesgid/ and add a score of -5 or such if it's there. 2b) modify sa-exim to touch /var/spool/samesgid/ before issuing a tempreject (this is effectively already done if you use the save temp rejected messages feature) 3b) for each message, before running SA, stat /var/spool/samesgid/ if the stat succeeds, add an X-SA-Exim-Already-Seen: secret value header 4b) write a trivial SA rule to lower the score by 5 if X-SA-Exim-Already-Seen is there with the right value 5b) strip X-SA-Exim-Already-Seen in system_filter Marc -- "A mouse is a device used to point at the xterm you want to type in" - A.S.R. Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key From jvanasco at mastersofbranding.com Thu Aug 21 14:19:22 2003 
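Marc's steps 2b and 3b above (touch a marker keyed by Message-ID before the tempreject, stat it before running SA on the retry), as an added C example that is not sa-exim's code: it assumes a spool directory passed in as `dir`, and because the Message-ID is chosen by the remote sender it encodes the ID into a safe file name rather than using it raw; markers older than the retention window count as unseen. The function names and the scratch directory are constructed for the example; the Message-ID in `main()` is taken from this thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<dir>/id-<encoded Message-ID>" in out[cap]. The Message-ID is
 * supplied by the remote sender, so it is never used as a file name
 * as-is: letters, digits, '.', '@' and '-' are kept and every other byte
 * is written as %XX. The mapping stays one-to-one, and '/', "..", '%'
 * and control characters can never reach the path. Returns 0, or -1 on
 * an empty ID or when the path does not fit. */
int samesgid_path(const char *dir, const char *msgid, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(dir);

    if (n + 5 > cap)                      /* dir + "/id-" + NUL */
        return -1;
    memcpy(out, dir, n);
    memcpy(out + n, "/id-", 4);
    n += 4;
    if (*msgid == '<')
        msgid++;                          /* angle brackets are not part of the key */
    if (*msgid == '\0' || *msgid == '>')
        return -1;                        /* empty Message-ID: nothing to key on */
    for (; *msgid != '\0' && *msgid != '>'; msgid++) {
        unsigned char c = (unsigned char)*msgid;
        if (isalnum(c) || c == '.' || c == '@' || c == '-') {
            if (n + 2 > cap)
                return -1;
            out[n++] = (char)c;
        } else {
            if (n + 4 > cap)
                return -1;
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    out[n] = '\0';
    return 0;
}

/* Step 2b: before issuing the tempreject, record that this Message-ID
 * was seen. O_TRUNC refreshes the mtime if the marker already exists. */
int samesgid_mark(const char *dir, const char *msgid)
{
    char path[1024];
    int fd;

    if (samesgid_path(dir, msgid, path, sizeof path) < 0)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Step 3b: has this Message-ID been temp-rejected within the last
 * max_age seconds? Older markers are removed on sight, which keeps
 * "a week's worth" of IDs with max_age = 7 * 86400.
 * Returns 1 if seen, 0 otherwise (an unusable ID counts as unseen). */
int samesgid_seen(const char *dir, const char *msgid, time_t max_age)
{
    char path[1024];
    struct stat st;

    if (samesgid_path(dir, msgid, path, sizeof path) < 0)
        return 0;
    if (stat(path, &st) != 0)
        return 0;
    if (difftime(time(NULL), st.st_mtime) > (double)max_age) {
        unlink(path);                     /* outside the retention window */
        return 0;
    }
    return 1;
}

/* Constructed scratch directory under /tmp for the demonstration; a real
 * deployment would use a fixed spool directory owned by the exim user. */
int samesgid_scratch_dir(char *out, size_t cap)
{
    if (snprintf(out, cap, "/tmp/samesgid-demo-%ld", (long)getpid()) >= (int)cap)
        return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

int main(void)
{
    char dir[64];
    const char *id = "<20030821154736.GI16955@merlins.org>";

    if (samesgid_scratch_dir(dir, sizeof dir) < 0)
        return 1;
    printf("seen before mark: %d\n", samesgid_seen(dir, id, 7 * 86400));
    samesgid_mark(dir, id);
    printf("seen after mark:  %d\n", samesgid_seen(dir, id, 7 * 86400));
    return 0;
}
```

Adding the X-SA-Exim-Already-Seen header and the SA rule of steps 3b to 5b is left to the caller; the marker files themselves are what the stat in step 3b looks at.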
From: jvanasco at mastersofbranding.com (jvanasco@mastersofbranding.com) Date: Thu Aug 21 10:20:58 2003 Subject: [SA-exim] teergrubing Message-ID: <9B5E6316-D3FB-11D7-B3DF-000393863D5E@mastersofbranding.com> someone mentioned a while back that teergrubing spammers is pointless, as the machines that send the spam are often hacked anyone have info on the machines that spammers host their shoppingcarts on though? i've been thinking of doing something similar, but with the .html pages that are advertised. From sdickenson at keyschool.org Thu Aug 21 15:08:57 2003 From: sdickenson at keyschool.org (Dickenson, Steven) Date: Thu Aug 21 11:10:27 2003 Subject: [SA-exim] teergrubing Message-ID: <1DBA7B491604E94BBCCE5133069A5BB20DE041@mail.keyschool.org> Not a good idea. This could be construed as a DoS attack. While teergrubing happens because of a connection originated by the spammer (and there's nothing wrong with our end taking a really long time), your idea would be self-initiated, and would essentially have to flood the website with HTTP requests. A classic DoS. Plus, is it really worth your time? Steven --- Steven Dickenson Network Administrator The Key School, Annapolis Maryland -----Original Message----- From: jvanasco@mastersofbranding.com [mailto:jvanasco@mastersofbranding.com] Sent: Thursday, August 21, 2003 1:19 PM To: sa-exim@lists.merlins.org Subject: [SA-exim] teergrubing someone mentioned a while back that teergrubing spammers is pointless, as the machines that send the spam are often hacked anyone have info on the machines that spammers host their shoppingcarts on though? i've been thinking of doing something similar, but with the .html pages that are advertised. _______________________________________________ SA-Exim mailing list SA-Exim@lists.merlins.org http://lists.merlins.org/lists/listinfo/sa-exim From tonni at billy.demon.nl Thu Aug 21 21:28:45 2003 
From: tonni at billy.demon.nl (Tony Earnshaw) Date: Thu Aug 21 11:30:24 2003 Subject: [SA-exim] teergrubing In-Reply-To: <9B5E6316-D3FB-11D7-B3DF-000393863D5E@mastersofbranding.com> References: <9B5E6316-D3FB-11D7-B3DF-000393863D5E@mastersofbranding.com> Message-ID: <3F450F5D.7050004@billy.demon.nl> jvanasco@mastersofbranding.com wrote: > someone mentioned a while back that teergrubing spammers is pointless, > as the machines that send the spam are often hacked They aren't necessarily hacked, they're just run by ninnies. > anyone have info on the machines that spammers host their shoppingcarts > on though? Let me guess :o) You want to become a spammer and want to set up a shopping cart site. You want info from us all over the hardware on which to set that up. Then you're asking us all on the list not to teergrube your spammer sites, right? > i've been thinking of doing something similar, but with the .html > pages that are advertised. I reckon you better could ask http://www.netcraft.co.uk/cgi-bin/Survey/whats . That site has exact info on each spammer's site and their OS, at any rate. Or what do you really want? Tony -- Tony Earnshaw Looking backwards is always easy with hindsight http://www.billy.demon.nl Mail: tonni@billy.demon.nl From jvanasco at mastersofbranding.com Thu Aug 21 15:40:27 2003 
From: jvanasco at mastersofbranding.com (jvanasco@mastersofbranding.com) Date: Thu Aug 21 11:42:07 2003 Subject: [SA-exim] teergrubing In-Reply-To: <3F450F5D.7050004@billy.demon.nl> Message-ID: On Thursday, August 21, 2003, at 02:28 PM, Tony Earnshaw wrote: >> anyone have info on the machines that spammers host their >> shoppingcarts on though? > > Let me guess :o) You want to become a spammer and want to set up a > shopping cart site. You want info from us all over the hardware on > which to set that up. Totally. I want to spam you, your mom, and your mother's religion. If spammers are mailing their shit from hacked machines, it makes me think that *possibly* they are hosting their shopping cart sites on hacked machines too. If that is a high probability, I don't want to up the bandwidth of people too dumb to configure a server securely. If most spammers sell their wares off of their own websites though -- I have no problems with the idea of upping their bandwidth bills. Their business model depends on low overhead. They count on nearly every person they spam trashing the message. But what if every person they spammed visited their website? Multiple times? Bandwidth is cheap -- but not that cheap. From merlins.org at paulm.com Thu Aug 21 21:07:51 2003 
From: merlins.org at paulm.com (Paul Makepeace) Date: Thu Aug 21 12:08:24 2003 Subject: [SA-exim] teergrubing In-Reply-To: References: <3F450F5D.7050004@billy.demon.nl> Message-ID: <20030821190751.GB16368@mythix.realprogrammers.com> On 2003-08-21 19:40:27 +0100, jvanasco@mastersofbranding.com wrote: > If that is a high probability, I don't want to up the bandwidth of > people too dumb to configure a server securely. If most spammers sell > their wares off of their own websites though -- I have no problems with > the idea of upping their bandwidth bills. I realize this is drifting off topic but you might find this thread amusing, http://london.pm.org/pipermail/london.pm/Week-of-Mon-20030804/020566.html ...especially the follow-up, http://london.pm.org/pipermail/london.pm/Week-of-Mon-20030804/020634.html Cheers, Paul -- Paul Makepeace ....................................... http://paulm.com/ "If it can be squeezed in before noon, then set your head on fire." -- http://paulm.com/toys/surrealism/ From tonni at billy.demon.nl Thu Aug 21 22:21:24 2003 
From: tonni at billy.demon.nl (Tony Earnshaw) Date: Thu Aug 21 12:22:55 2003 Subject: [SA-exim] teergrubing In-Reply-To: References: Message-ID: <3F451BB4.2030509@billy.demon.nl> jvanasco@mastersofbranding.com wrote: >>> anyone have info on the machines that spammers host their >>> shoppingcarts on though? >> >> Let me guess :o) You want to become a spammer and want to set up a >> shopping cart site. You want info from us all over the hardware on >> which to set that up. > > Totally. I want to spam you, your mom, and your mother's religion. I use SpamAssassin. My mother's been dead for many years. > If spammers are mailing their shit from hacked machines, it makes me > think that *possibly* they are hosting their shopping cart sites on > hacked machines too. Point is, that those machines are not hacked. Or very few of them. They don't have to be. Those machines have been configured by people (sysadmins, ordinary people who bought a machine at the computer store, you name it) who have no idea. There are millions of such machines on the Internet. They are badly configured MTAs, http proxies (Windows of all kinds, Apache), socks5 proxies and even other server types. > If that is a high probability, I don't want to up the bandwidth of > people too dumb to configure a server securely. If most spammers sell > their wares off of their own websites though -- I have no problems with > the idea of upping their bandwidth bills. They're fly-by-nights, most of them at any rate. Today they are one place, tomorrow another. If a new one comes in their place, who cares? You do an (illegal) DoS attack on one site one day, tomorrow it's someone else's property and legal. And how would you mount a DoS attack anyway, technically? > Their business model depends on low overhead. They count on nearly > every person they spam trashing the message. But what if every person > they spammed visited their website? Multiple times? Bandwidth is cheap You have to be joking. 
Though it's possible - www.ilovetheirakiminiinformationminister.com was forced to its knees for a few days, through everybody visiting it. Not any more though. Ganging up on some temporary Viagra or penis growth site isn't going to work. Unless you invent some new trojan to bomb them with. Odds are I'll be reading about you in SANS or somewhere, if you try, though. Tony -- Tony Earnshaw Looking backwards is always easy with hindsight http://www.billy.demon.nl Mail: tonni@billy.demon.nl From jvanasco at mastersofbranding.com Thu Aug 21 16:47:40 2003 
From: jvanasco at mastersofbranding.com (jvanasco@mastersofbranding.com) Date: Thu Aug 21 12:49:18 2003 Subject: [SA-exim] teergrubing In-Reply-To: <3F451BB4.2030509@billy.demon.nl> Message-ID: <531D6B32-D410-11D7-B3DF-000393863D5E@mastersofbranding.com> The idea isn't to DOS -- the idea, is to have a clickthrough for every recipient. Mr. Spammer sends out 5,000,000 emails. 5,000,000 x 1k isn't much bandwidth. He only needs 5 people to buy his wares to turn a profit on the mailing - and he doesn't expect more than 200 people or so to click through to his website. His website though, if you visit and click around, is over 200k with images and html. Every 2,500 visits to that site will cost him as much as emailing 5,000,000. 10,000 people using a plugin in their email app that downloads the contents of a spammer's website drives his costs up 500%. It's not a DOS attack. It's not illegal. It is a simple response to an advertising callout. "Buy my stuff: click here for info". A plugin automatically clicks the links for you and saves them to disk. If 100,000 people used the plugin then, possibly, it could have the same effect as a DDOS -- but technically, and legally, it wouldn't be. On Thursday, August 21, 2003, at 03:21 PM, Tony Earnshaw wrote: > jvanasco@mastersofbranding.com wrote: > >>>> anyone have info on the machines that spammers host their >>>> shoppingcarts on though? >>> >>> Let me guess :o) You want to become a spammer and want to set up a >>> shopping cart site. You want info from us all over the hardware on >>> which to set that up. >> Totally. I want to spam you, your mom, and your mother's religion. > > I use SpamAssassin. My mother's been dead for many years. > >> If spammers are mailing their shit from hacked machines, it makes me >> think that *possibly* they are hosting their shopping cart sites on >> hacked machines too. > > Point is, that those machines are not hacked. Or very few of them. > They don't have to be. Those machines have been configured by people > (sysadmins, ordinary people who bought a machine at the computer > store, you name it) who have no idea. There are millions of such > machines on the Internet. They are badly configured MTAs, http proxies > (Windows of all kinds, Apache), socks5 proxies and even other server > types. > >> If that is a high probability, I don't want to up the bandwidth of >> people too dumb to configure a server securely. If most spammers >> sell their wares off of their own websites though -- I have no >> problems with the idea of upping their bandwidth bills. > > They're fly-by-nights, most of them at any rate. Today they are one > place, tomorrow another. If a new one comes in their place, who cares? > You do an (illegal) DoS attack on one site one day, tomorrow it's > someone else's property and legal. And how would you mount a DoS > attack anyway, technically? > >> Their business model depends on low overhead. They count on nearly >> every person they spam trashing the message. But what if every >> person they spammed visited their website? Multiple times? >> Bandwidth is cheap > > You have to be joking. Though it's possible - > www.ilovetheirakiminiinformationminister.com was forced to its knees > for a few days, through everybody visiting it. Not any more though. > Ganging up on some temporary Viagra or penis growth site isn't going > to work. Unless you invent some new trojan to bomb them with. Odds are > I'll be reading about you in SANS or somewhere, if you try, though. > > Tony > > -- > Tony Earnshaw > > Looking backwards is always easy with hindsight > > http://www.billy.demon.nl > Mail: tonni@billy.demon.nl > From Nigel.Metheringham at dev.InTechnology.co.uk Fri Aug 22 10:27:15 2003 
From: Nigel.Metheringham at dev.InTechnology.co.uk (Nigel Metheringham) Date: Fri Aug 22 01:27:23 2003 Subject: [SA-exim] teergrubing In-Reply-To: <531D6B32-D410-11D7-B3DF-000393863D5E@mastersofbranding.com> References: <531D6B32-D410-11D7-B3DF-000393863D5E@mastersofbranding.com> Message-ID: <1061540835.6115.9.camel@angua.localnet> On Thu, 2003-08-21 at 20:47, jvanasco@mastersofbranding.com wrote: > The idea isn't to DOS -- the idea, is to have a clickthrough for every > recipient. This is an interesting idea, but I think you have the economics wrong in that you assume that the spammer runs the website and the spammer's aim is to get final sales. > Mr. Spammer sends out 5,000,000 emails. 5,000,000 x 1k isn't much > bandwidth. He only needs 5 people to buy his wares to turn a profit on > the mailing - and he doesn't expect more than 200 people or so to click > through to his website. There were a couple of articles around a week or so back regarding financial spamming. Spammers were paid on click through rates so... If you have *every* single victim click through then the spammer gets lots and lots of money. This might not seem like a good result, but the people *buying* the spamming services are paying out lots more money for no return. You have just broken the economic model - they have to fix it. An ideal next phase would be to feed them duff additional information - ideally give them all each other's phone numbers :-) Nigel. -- [ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ] [ - Comments in this message are my own and not ITO opinion/policy - ] From tonni at billy.demon.nl Fri Aug 22 10:58:21 2003 
From: tonni at billy.demon.nl (Tony Earnshaw) Date: Fri Aug 22 04:00:55 2003 Subject: [SA-exim] teergrubing In-Reply-To: <531D6B32-D410-11D7-B3DF-000393863D5E@mastersofbranding.com> References: <531D6B32-D410-11D7-B3DF-000393863D5E@mastersofbranding.com> Message-ID: <3F45CD1D.5070109@billy.demon.nl> jvanasco@mastersofbranding.com wrote: > The idea isn't to DOS -- the idea, is to have a clickthrough for every > recipient. > > Mr. Spammer sends out 5,000,000 emails. 5,000,000 x 1k isn't much > bandwidth. He only needs 5 people to buy his wares to turn a profit on > the mailing - and he doesn't expect more than 200 people or so to click > through to his website. > > His website though, if you visit and click around, is over 200k with > images and html. Every 2,500 visits to that site will cost him as much > as emailing 5,000,000. > > 10,000 people using a plugin in their email app that downloads the > contents of a spammer's website drives his costs up 500%. > > It's not a DOS attack. It's not illegal. It is a simple response to an > advertising callout. "Buy my stuff: click here for info". A plugin > automatically clicks the links for you and saves them to disk. > > If 100,000 people used the plugin then, possibly, it could have the same > effect as a DDOS -- but technically, and legally, it wouldn't be, "Well", he said lamely, "it doesn't seem a good idea to me". BTW it seems that Windows machines (by the hundred) are in fact getting trojan-hacked to send spam. In the end, it's the ISP who's going to have to do the combating. Tony -- Tony Earnshaw Looking backwards is always easy with hindsight http://www.billy.demon.nl Mail: tonni@billy.demon.nl From jvanasco at mastersofbranding.com Fri Aug 22 10:49:04 2003 
From: jvanasco at mastersofbranding.com (jvanasco@mastersofbranding.com) Date: Fri Aug 22 06:50:43 2003 Subject: [SA-exim] teergrubing In-Reply-To: <1061540835.6115.9.camel@angua.localnet> Message-ID: <64FB59A0-D4A7-11D7-B3DF-000393863D5E@mastersofbranding.com> That is an excellent point. On Friday, August 22, 2003, at 04:27 AM, Nigel Metheringham wrote: > On Thu, 2003-08-21 at 20:47, jvanasco@mastersofbranding.com wrote: >> The idea isn't to DOS -- the idea, is to have a clickthrough for every >> recipient. > > This is an interesting idea, but I think you have the economics wrong in > that you assume that the spammer runs the website and the spammer's aim > is to get final sales. > >> Mr. Spammer sends out 5,000,000 emails. 5,000,000 x 1k isn't much >> bandwidth. He only needs 5 people to buy his wares to turn a profit on >> the mailing - and he doesn't expect more than 200 people or so to click >> through to his website. > > There were a couple of articles around a week or so back regarding > financial spamming. Spammers were paid on click through rates so... > > If you have *every* single victim click through then the spammer gets > lots and lots of money. This might not seem like a good result, but the > people *buying* the spamming services are paying out lots more money for > no return. You have just broken the economic model - they have to fix > it. An ideal next phase would be to feed them duff additional > information - ideally give them all each other's phone numbers :-) > > Nigel. > > -- > [ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ] > [ - Comments in this message are my own and not ITO opinion/policy - ] > From jvanasco at mastersofbranding.com Fri Aug 22 11:23:17 2003 
From: jvanasco at mastersofbranding.com (jvanasco@mastersofbranding.com) Date: Fri Aug 22 07:24:54 2003 Subject: [SA-exim] feature request? change default sa-exim.conf location Message-ID: <2CAEA210-D4AC-11D7-B3DF-000393863D5E@mastersofbranding.com> I dunno if this is even possible - but what do you (marc) think of, instead of the current default, throwing it into the same directory as the exim configuration file (though i don't even know if it would even be possible to do that)? right now, it's defaulting to /etc/exim4/sa-exim.conf but exim defaults to /usr/exim/configure it would be neat if sa-exim automagically did {directory that exim's configure file is in}/sa-exim.conf -- instead of modding it by hand just an idea though From marc at merlins.org Fri Aug 22 09:43:20 2003 
From: marc at merlins.org (Marc MERLIN) Date: Fri Aug 22 08:43:22 2003 Subject: [SA-exim] feature request? change default sa-exim.conf location In-Reply-To: <2CAEA210-D4AC-11D7-B3DF-000393863D5E@mastersofbranding.com> References: <2CAEA210-D4AC-11D7-B3DF-000393863D5E@mastersofbranding.com> Message-ID: <20030822154320.GE28155@merlins.org> On Fri, Aug 22, 2003 at 10:23:17AM -0400, jvanasco@mastersofbranding.com wrote: > I dunno if this is even possible - but what do you (marc) think of > instead of the current default, throwing it into the same directory as > the exim configuration file That's where it is, at least on systems that put exim config files in /etc/exim4 (Debian) :) It's a compilation option, so you can change it. > right now, its defaulting to /etc/exim4/sa-exim.conf > but exim defaults to /usr/exim/configure Yours does, but is that really the default? (if it really is, I've never seen any exim install where that default was being used) > it would be neat is sa-exim automagically did {directory that exim's > configure file is in}/sa-exim.conf -- instead of modding it by hand You can do some tricks to get that I suppose (exim4 -bV), but: - is it exim, exim4? - what if you build inside the exim source on a system without exim running, or the wrong one and I configure with the wrong path? Most of it is solvable, but I don't think I'm going to switch to a configure-like system just for that, and then deal with the bug reports of people for whom it didn't autodetect right. Marc -- "A mouse is a device used to point at the xterm you want to type in" - A.S.R. Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key From tonni at billy.demon.nl Fri Aug 22 19:50:54 2003 
From: tonni at billy.demon.nl (Tony Earnshaw) Date: Fri Aug 22 10:12:42 2003 Subject: [SA-exim] feature request? change default sa-exim.conf location In-Reply-To: <20030822154320.GE28155@merlins.org> References: <2CAEA210-D4AC-11D7-B3DF-000393863D5E@mastersofbranding.com> <20030822154320.GE28155@merlins.org> Message-ID: <3F4649EE.5030605@billy.demon.nl> Marc MERLIN wrote: > That's where it is, at least on systems that put exim ocnfig files in /etc/exim4 > (Debian) :) > It's a compilation option, so you can change it. I haven't divulged this to this list yet, but I compiled Exim 4.22 and SA-Exim 3.1. Did it on highly modified RH Linux 7.2. Everything works beautifully. To do so, I had to follow (more or less exactly and to the letter, before even starting,) Marc's SA-Exim README and INSTALL. I really also had to have a wealth of experience in compiling and installing Exim/eximon at all. I found that I had to patch Exim 4.22 src with Marc's dlopen patch, 'diff -u', check and patch my previous Exim Local/Makefile with my new EDITME, check the new Exim Makefile, edit the SA-Exim Makefile and change the default locations, change file names and more. I also had to 'diff -u', check and patch my old spamassassin.conf with my new sa-exim.conf.patch. The thing is, Unix should not expect things to happen "automagically". GNU spoils people with autoconfig, libtools etc. Unix expects that Unix people should know what they are doing. Hard but true. There are always courses: LPI for Debian people, Red Hat for Red Hat people, Sun for Solaris people, (SCO used to have courses for SCO people but SCO blew it,) etc. Marc is already doing his essing best. If one does what he writes/recommends, everything ought to work. Ha det, --Tonni -- Tony Earnshaw Looking backwards is always easy with hindsight http://www.billy.demon.nl Mail: tonni@billy.demon.nl From tor at slett.net Fri Aug 22 18:39:09 2003 
From: tor at slett.net (Tor Slettnes) Date: Fri Aug 22 17:39:50 2003 Subject: [SA-exim] teergrubing pointless? In-Reply-To: <9B5E6316-D3FB-11D7-B3DF-000393863D5E@mastersofbranding.com> Message-ID: <35AADCA8-D502-11D7-99D8-0030655A4806@slett.net> On Thursday, Aug 21, 2003, at 10:19 US/Pacific, jvanasco@mastersofbranding.com wrote: > someone mentioned a while back that teergrubing spammers is pointless, > as the machines that send the spam are often hacked The point is not really whether they are hacked [sic] or not. A sender / relay machine that originates large amounts of e-mail will (in theory) be slowed down by teergrubing, whether it is a cracked machine or not. However, teergrubing seems a little pointless nowadays for another reason. According to my EXIM 'mainlog' and 'rejectlog', it seems that machines that originate spam mostly run modified SMTP clients/senders, that basically disconnect after 20 or 30 seconds of teergrubing. The only mail clients that stick around for the fully configured 900 seconds of teergrubing are properly designed MTAs such as ISP relays (open or not). Teergrubing such relays, especially if they are not generally open, is sort of pointless. In the case where some amount of a certain person's spam reaches me via a given relay, other recipients may not receive the mail through the same route. (For instance, my ISP is Comcast, the spammer is also a Comcast subscriber, and I receive the spam through Comcast SMTP servers). > anyone have info on the machines that spammers host their > shoppingcarts on though? I believe a final solution to spam will definitely involve banks and credit cards. (1) outlaw the practice, through international treaties. (2) make banks / credit card vendors not honor payments tendered in response to spam. -tor From jknotzke at shampoo.ca Sat Aug 30 12:00:08 2003 
From: jknotzke at shampoo.ca (Justin F. Knotzke)
Date: Sat Aug 30 08:00:28 2003
Subject: [SA-exim] Anyone install from Debs?
Message-ID: <20030830150008.GH18838@shampoo.ca>

Hi,

I have two questions.

I installed exim-4.20 from source and rewrote local_scan.c with sa-exim.c and that works fine. However, doing apt-get dist-upgrade causes apt to want to install exim, which of course I do not want. That leaves me with a few solutions. I grabbed Debian's sources for exim-4.22 and built that and created the .debs for it. Installing those .debs throws me for a loop in that I can't quite figure out where the config files are (I put in blanks during the curses config screens).

Has anyone built exim-4.2x from source for Debian and installed sa-exim with it?

My next question is OT but somewhat related. Assuming I decide to just go with my from-source install without creating debs, is there a way to tell apt-get to ignore the install of exim? I know how to hold back a package for upgrade but is there a way to hold back a package for installation?

Thanks

J

--
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca

From hackel at walkingfish.com Sat Aug 30 16:01:13 2003
From: hackel at walkingfish.com (Ryan Hayle)
Date: Sat Aug 30 12:59:33 2003
Subject: [SA-exim] SAEximRunCond with fetchmail
Message-ID: <20030830150113.34e07ef4.hackel@walkingfish.com>

I currently use fetchmail to retrieve mail from remote imap and pop servers and deliver it to my user account. When this happens, however, the mail is delivered from host 127.0.0.1 and so sa-exim is not run based on the default SAEximRunCond. As a result I have to specify SAEximRunCond=1, which causes outgoing mail to be scanned and is slow and annoying. Any ideas on how to modify this so that mail from fetchmail IS scanned, but outgoing, local SMTP mail is not?

Thanks,
Ryan

--
Ryan Hayle

From tonni at billy.demon.nl Sat Aug 30 23:48:15 2003
From: tonni at billy.demon.nl (Tony Earnshaw)
Date: Sat Aug 30 13:50:14 2003
Subject: [SA-exim] SAEximRunCond with fetchmail
In-Reply-To:
References:
Message-ID: <3F510D8F.2050807@billy.demon.nl>

Chirik wrote:

> You could also use '-s localhost/port' and tell exim to listen to a different
> port (ie: 10025) and always scan messages that come in on that port for
> spam, no matter what.

You probably mean the other way around ;)

What would SA-Exim's (presumably single) SAEximRunCond look like then?

I was going to write an answer to this but desisted, since my Exim's a little rusty at present (I'm heavily into petting with "The Other MTA") and it's either the one or the other. 2 separate mindsets.

> You could probably do some other things, too.

Like jumping through hoops.

--Tonni

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonni@billy.demon.nl

From marc at merlins.org Sat Aug 30 16:25:11 2003
From: marc at merlins.org (Marc MERLIN)
Date: Sat Aug 30 15:30:36 2003
Subject: [SA-exim] SAEximRunCond with fetchmail
In-Reply-To: <3F510D8F.2050807@billy.demon.nl>
References: <3F510D8F.2050807@billy.demon.nl>
Message-ID: <20030830222506.GA14910@merlins.org>

On Sat, Aug 30, 2003 at 10:48:15PM +0200, Tony Earnshaw wrote:
> Chirik wrote:
>
> > You could also use '-s localhost/port' and tell exim to listen to a
> > different
> > port (ie: 10025) and always scan messages that come in on that port for
> > spam, no matter what.
>
> You probably mean the other way around ;)
>
> What would SA-Exim's (presumably single) SAEximRunCond look like then?
>
> I was going to write an answer to this but desisted, since my Exim's a
> little rusty at present (I'm heavily into petting with "The Other MTA")
> and it's either the one or the other. 2 separate mindsets.

To be quite honest, I don't think this is a good use for SA-Exim, I would simply pass on the mail from fetchmail to SpamAssassin

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
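As an added example that is not from the thread or the SA-Exim project, here is what the port-based setup Chirik suggests and Tony asks about could look like, with Marc's "scan before Exim" alternative alongside. It assumes Exim's $interface_port expansion variable and the address.port form of local_interfaces, fetchmail's smtphost and mda options, and placeholder host, user and password values.

```conf
# Added example, not from the thread: scan everything that arrives on a
# second, loopback-only port, while port 25 keeps the default rule.
# Assumed: Exim's $interface_port variable and address.port syntax in
# local_interfaces; fetchmail's smtphost/mda options. Host, user and
# password are placeholders.

# --- Exim main configuration: port 25 on all interfaces, port 10025
# bound to loopback only so nothing off-host can reach the scanning port
local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025

# --- sa-exim.conf: run SpamAssassin for anything received on 10025;
# otherwise keep the default rule, which skips local submissions from
# 127.0.0.1 (the outgoing mail Ryan does not want scanned)
SAEximRunCond: ${if or {{eq {$interface_port}{10025}} {and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}}}}} {1}{0}}

# --- ~/.fetchmailrc: hand fetched mail to the scanning port
poll pop.example.net proto pop3 user "ryan" pass "PLACEHOLDER" smtphost localhost/10025

# Marc's alternative, no second port: fetchmail pipes each message through
# spamc and then into exim for local delivery (assumed form of mda use)
# poll pop.example.net proto pop3 user "ryan" pass "PLACEHOLDER"
#   mda "/usr/bin/spamc | /usr/sbin/exim -i ryan"
```

Keeping 10025 on 127.0.0.1 matters: the rule scans unconditionally there, so that port should never be reachable from other hosts.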