From MAILER-DAEMON Mon Jul 11 10:39:00 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QgHdT-0004Tr-Pg for mharc-spamass-milt-list@gnu.org; Mon, 11 Jul 2011 10:38:59 -0400 Received: from eggs.gnu.org ([140.186.70.92]:48238) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgHdQ-0004T1-4y for spamass-milt-list@nongnu.org; Mon, 11 Jul 2011 10:38:57 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QgHdN-0005QD-Gc for spamass-milt-list@nongnu.org; Mon, 11 Jul 2011 10:38:55 -0400 Received: from klunky.co.uk ([62.58.61.184]:49280) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgHdM-0005P5-Nc for spamass-milt-list@nongnu.org; Mon, 11 Jul 2011 10:38:53 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=klunky.co.uk; s=default; t=1310395126; bh=QumpOLF8RrbHXEYxLzLJUULcadw0dDLI7s+wb94VDBQ=; h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type: Content-Transfer-Encoding; b=LjzbTQfb+j49DfMMo9rl+tIWEHQ0zvh3EYZGJwnCNWFzs8y/VudhKm2Q945Rsz/9M 7xVw5rkevY+OrCBqw3heZ2g8/n9xJ5ckwJB1j0ap13Ob1zF9853Ip6tVTadh/MyI8m 2VQsRHPWlurp0zWo0AjrGCtYPtiO/0XCcfCasJqY= Message-ID: <4E1B0B05.4080107@klunky.co.uk> Date: Mon, 11 Jul 2011 16:39:01 +0200 From: J4K User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10 MIME-Version: 1.0 To: spamass-milt-list@nongnu.org Subject: Spam evading milter Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 62.58.61.184 X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jul 2011 14:38:58 -0000 Hi, * Spamass-milter is set to reject on 10. 
* Most email scoring >= 10 is correctly rejected. * Test messages fed into the milter are correctly rejected. * Some email is not rejected and passes through to the spamd back-end. Spamd then scores it as (for example) 11 or higher. * Bayes is enabled, yet high-scoring spam has autolearn=no (see example Spam headers below) bayes_auto_learn_threshold_spam 13.0 (let's not focus on the Bayes, but on the milter not rejecting) * Tested with milter_watch and all is well # /usr/local/bin/milter_watch local:/var/spool/postfix/spamass/spamass.sock I Milter properly allowed clean mail through I Milter blocked a spam/virus How could a message that scored greater than 10 on the SA backend be scored lower on the milter, or perhaps not even processed? I am a little confused by this. Does anyone have any ideas? Best regards, S. ------------------------------------ Spam headers follow ---------------------- System: SpamAssassin 3.3.1 Spamass-milter 0.3.1-10 Here is an example: X-Spam-Report Yes, score=16.5 required=5.0 tests=BAYES_99,FH_FROMEML_NOTLD, FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR,RDNS_DYNAMIC,TO_NO_BRKTS_DYNIP, T_URIBL_BLACK_OVERLAP,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM, URIBL_WS_SURBL shortcircuit=no autolearn=no version=3.3.1 X-Spam-Status * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist * [URIs: totaljoblists.net] * 1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist * [URIs: totaljoblists.net] * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist * [URIs: totaljoblists.net] * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% * [score: 1.0000] * 3.2 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d * 1.1 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.) 
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines * 1.7 RDNS_DYNAMIC Delivered to internal network by host with * dynamic-looking rDNS * 0.0 T_URIBL_BLACK_OVERLAP T_URIBL_BLACK_OVERLAP * 2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr * 1) * 0.0 TO_NO_BRKTS_DYNIP To: misformatted and dynamic rDNS Content-Type text/plain; charset="iso-8859-1" From MAILER-DAEMON Mon Jul 11 16:15:26 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QgMt3-0007xs-Nm for mharc-spamass-milt-list@gnu.org; Mon, 11 Jul 2011 16:15:25 -0400 Received: from eggs.gnu.org ([140.186.70.92]:45143) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgMsz-0007wo-SR for spamass-milt-list@nongnu.org; Mon, 11 Jul 2011 16:15:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QgMsw-0002k1-0D for spamass-milt-list@nongnu.org; Mon, 11 Jul 2011 16:15:20 -0400 Received: from amber.ccs.neu.edu ([129.10.116.51]:38400) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgMsv-0002ck-K8 for spamass-milt-list@nongnu.org; Mon, 11 Jul 2011 16:15:17 -0400 Received: from alumni-linux.ccs.neu.edu ([129.10.116.115] helo=[127.0.0.1]) by amber.ccs.neu.edu with esmtp (Exim 4.69) (envelope-from ) id 1QgMsU-0001e5-0z for spamass-milt-list@nongnu.org; Mon, 11 Jul 2011 16:14:50 -0400 Message-ID: <4E1B59B4.1000503@khopis.com> Date: Mon, 11 Jul 2011 13:14:44 -0700 From: Adam Katz User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110626 Lightning/1.0b2 Icedove/3.1.11 MIME-Version: 1.0 To: spamass-milt-list@nongnu.org Subject: Re: [SA-milter] Spam evading milter References: <4E1B0B05.4080107@klunky.co.uk> In-Reply-To: <4E1B0B05.4080107@klunky.co.uk> X-Enigmail-Version: 1.1.1 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigC8BD9F3099843BC94DB31AF3" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 
(newer, 3) X-Received-From: 129.10.116.51 X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jul 2011 20:15:24 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigC8BD9F3099843BC94DB31AF3 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 07/11/2011 07:39 AM, J4K wrote: > How could a message that scored greater than 10 on the SA backend, be > scored lower on the milter, or perhaps not even processed? It's probably too large (>500kB) and was thus given a free pass. If that is the case, you can alter spamass-milter to call spamc with a higher max_size argument, like: spamass-milter ... -- --max-size -s 1050000 as noted on the spamass-milter and spamc man pages. (That's in bytes, fudged just above 1MB since spammers like to just barely exceed the max scan size threshold.) You should pick something that correlates to however much idle time is on your spam filtering server(s), e.g. if your load average is typically near zero, go nuts (3MB should do for a very large max size), but if you're already around one or higher, only bump it slightly. 
The default is either 500000 or 512000 bytes (the man page is ambiguous).= --------------enigC8BD9F3099843BC94DB31AF3 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk4bWbgACgkQjroVuvStkpJX0wCfRYxRAoh+w+dwHWB1b6KZQUVl rSwAoKYqZuCSSoFrham5kiE+10ILdsM/ =VL4B -----END PGP SIGNATURE----- --------------enigC8BD9F3099843BC94DB31AF3-- From MAILER-DAEMON Tue Jul 12 04:21:53 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QgYE4-00069q-RB for mharc-spamass-milt-list@gnu.org; Tue, 12 Jul 2011 04:21:53 -0400 Received: from eggs.gnu.org ([140.186.70.92]:49301) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgYE0-00069D-50 for spamass-milt-list@nongnu.org; Tue, 12 Jul 2011 04:21:50 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QgYDw-0006j4-BR for spamass-milt-list@nongnu.org; Tue, 12 Jul 2011 04:21:47 -0400 Received: from klunky.co.uk ([62.58.61.184]:56056) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgYDv-0006iu-RO for spamass-milt-list@nongnu.org; Tue, 12 Jul 2011 04:21:44 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=klunky.co.uk; s=default; t=1310458898; bh=WdYeb0UBxp3e6EQbj/BZJcsElbfP0MZ9q+65cwL03h4=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=dpSu7FyRiRUL1TvEsfn1RyTahWeHnybV5l8Kzul/EZ0kjkxx71KHn6L1yw/17G2Sx /qnxFjRX4Kt2vN0pkrgXEPHbmSEvlUORi1ViT7JouzXf8dYw19aSsuQ7VwoS1k//lY KrF41B+duw/HTNEjW3lr3QOFHV+odriDprOe21Yw= Message-ID: <4E1C0421.9090401@klunky.co.uk> Date: Tue, 12 Jul 2011 10:21:53 +0200 From: J4K User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; 
rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10 MIME-Version: 1.0 To: spamass-milt-list@nongnu.org Subject: Re: [SA-milter] Spam evading milter References: <4E1B0B05.4080107@klunky.co.uk> <4E1B59B4.1000503@khopis.com> In-Reply-To: <4E1B59B4.1000503@khopis.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 62.58.61.184 X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Jul 2011 08:21:50 -0000 On 07/11/2011 10:14 PM, Adam Katz wrote: > On 07/11/2011 07:39 AM, J4K wrote: >> How could a message that scored greater than 10 on the SA backend, be >> scored lower on the milter, or perhaps not even processed? > It's probably too large (>500kB) and was thus given a free pass. If > that is the case, you can alter spamass-milter to call spamc with a > higher max_size argument, like: > > spamass-milter ... -- --max-size -s 1050000 > > as noted on the spamass-milter and spamc man pages. (That's in bytes, > fudged just above 1MB since spammers like to just barely exceed the max > scan size threshold.) You should pick something that correlates to > however much idle time is on your spam filtering server(s), e.g. if your > load average is typically near zero, go nuts (3MB should do for a very > large max size), but if you're already around one or higher, only bump > it slightly. > > The default is either 500000 or 512000 bytes (the man page is ambiguous). > > > > _______________________________________________ > Spamass-milt-list mailing list > Spamass-milt-list@nongnu.org > https://lists.nongnu.org/mailman/listinfo/spamass-milt-list Hi Adam, Thank you. I had not seen this option because there is no such .conf file nor man page on Debian Squeeze. 
I had suspected a size limit, but could not find the setting, and had not thought of passing options back to spamc. I added it: # /usr/sbin/spamass-milter -P /var/run/spamass/spamass.pid -f -p /var/spool/postfix/spamass/spamass.sock -u nobody -M -r 9 -i 127.0.0.1 -- -s 1050000 Many thanks and regards, S. From MAILER-DAEMON Tue Jul 12 08:07:38 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QgbkX-00062e-2F for mharc-spamass-milt-list@gnu.org; Tue, 12 Jul 2011 08:07:37 -0400 Received: from eggs.gnu.org ([140.186.70.92]:50081) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgbkS-00061h-T1 for spamass-milt-list@nongnu.org; Tue, 12 Jul 2011 08:07:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QgbkM-0005bR-Hv for spamass-milt-list@nongnu.org; Tue, 12 Jul 2011 08:07:32 -0400 Received: from klunky.co.uk ([62.58.61.184]:41253) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgbkL-0005ap-Sc for spamass-milt-list@nongnu.org; Tue, 12 Jul 2011 08:07:26 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=klunky.co.uk; s=default; t=1310472442; bh=cuP4oD41//FDGd1hPQQJRj+a5rt1thxeICliBVMPxk0=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=Jv+7eIbNgiAHr0OpQf2LbrP4NketJZRhyouAhRv7SfTXLll7UBa6KtVyCbFySmdWv WPZc1wfxhgUgkIWtgmvRVpcnCgUQIc9PdJAov+spm0OH64rAWICel40KdfTVtwjmvh QlTn2oxjg3GM70rztISfKir/Gzs9yDR8qB+g3FC0= Message-ID: <4E1C3904.1040501@klunky.co.uk> Date: Tue, 12 Jul 2011 14:07:32 +0200 From: J4K User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10 MIME-Version: 1.0 To: spamass-milt-list@nongnu.org Subject: Re: [SA-milter] Spam evading milter References: <4E1B0B05.4080107@klunky.co.uk> <4E1B59B4.1000503@khopis.com> <4E1C0421.9090401@klunky.co.uk> In-Reply-To: 
<4E1C0421.9090401@klunky.co.uk> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 62.58.61.184 X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Jul 2011 12:07:34 -0000 On 07/12/2011 10:21 AM, J4K wrote: > On 07/11/2011 10:14 PM, Adam Katz wrote: >> On 07/11/2011 07:39 AM, J4K wrote: >>> How could a message that scored greater than 10 on the SA backend, be >>> scored lower on the milter, or perhaps not even processed? >> It's probably too large (>500kB) and was thus given a free pass. If >> that is the case, you can alter spamass-milter to call spamc with a >> higher max_size argument, like: >> >> spamass-milter ... -- --max-size -s 1050000 >> >> as noted on the spamass-milter and spamc man pages. (That's in bytes, >> fudged just above 1MB since spammers like to just barely exceed the max >> scan size threshold.) You should pick something that correlates to >> however much idle time is on your spam filtering server(s), e.g. if your >> load average is typically near zero, go nuts (3MB should do for a very >> large max size), but if you're already around one or higher, only bump >> it slightly. >> >> The default is either 500000 or 512000 bytes (the man page is ambiguous). >> >> >> >> _______________________________________________ >> Spamass-milt-list mailing list >> Spamass-milt-list@nongnu.org >> https://lists.nongnu.org/mailman/listinfo/spamass-milt-list > Hi Adam, > > Thank-you. I had not seen this option because there is no such .conf > file nor man page on Debian Squeeze. I had suspected a size limit, but > could not find the setting, and had not thought of passing options back > to spamc. 
> > I added it: > > # /usr/sbin/spamass-milter -P /var/run/spamass/spamass.pid -f -p > /var/spool/postfix/spamass/spamass.sock -u nobody -M -r 9 -i 127.0.0.1 > -- -s 1050000 > > Many thanks and regards, S. I looked at the file sizes of those that sneaked through, and saw that these are about 2kB in size. I don't think this is it. Is there something else that I could look for? Regards, S From MAILER-DAEMON Wed Jul 13 06:24:40 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QgwcR-0004IL-Lk for mharc-spamass-milt-list@gnu.org; Wed, 13 Jul 2011 06:24:39 -0400 Received: from eggs.gnu.org ([140.186.70.92]:40729) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgwcL-0004Gp-1L for spamass-milt-list@nongnu.org; Wed, 13 Jul 2011 06:24:37 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QgwcG-00043V-Im for spamass-milt-list@nongnu.org; Wed, 13 Jul 2011 06:24:32 -0400 Received: from klunky.co.uk ([62.58.61.184]:41314) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QgwcF-00042y-MZ for spamass-milt-list@nongnu.org; Wed, 13 Jul 2011 06:24:28 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=klunky.co.uk; s=default; t=1310552662; bh=LkS8bSzcP1BHvpKd0SfFlxrhqPw6RbBWlUauqs5D09c=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=NZEHzlx3ikrbDNKe0urWen636KKcJ9AXoQ7NRbtMJU+8ljIImAqHm+UnA9eTuCC1k cWY3lMCFbSuKzbBj7Zuyc1WmUJct6EAEbb+itOtVoQEwgmC2k/PFpRKv7CWo9ccOJK 8zd95eNI7/TvX7IXWxh6Ea1FdZI9AHMGst5d4d0g= Message-ID: <4E1D7261.9050806@klunky.co.uk> Date: Wed, 13 Jul 2011 12:24:33 +0200 From: J4K User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 
Lightning/1.0b2 Thunderbird/3.1.10 MIME-Version: 1.0 To: spamass-milt-list@nongnu.org Subject: Re: [SA-milter] Spam evading milter References: <4E1B0B05.4080107@klunky.co.uk> <4E1B59B4.1000503@khopis.com> <4E1C0421.9090401@klunky.co.uk> <4E1C3904.1040501@klunky.co.uk> In-Reply-To: <4E1C3904.1040501@klunky.co.uk> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 62.58.61.184 X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jul 2011 10:24:38 -0000 On 07/12/2011 02:07 PM, J4K wrote: > [SNIP] >> I added it: >> >> # /usr/sbin/spamass-milter -P /var/run/spamass/spamass.pid -f -p >> /var/spool/postfix/spamass/spamass.sock -u nobody -M -r 9 -i 127.0.0.1 >> -- -s 1050000 >> >> Many thanks and regards, S. >> >> _______________________________________________ >> Spamass-milt-list mailing list >> Spamass-milt-list@nongnu.org >> https://lists.nongnu.org/mailman/listinfo/spamass-milt-list > I looked at the file sizes of those that sneaked through, and saw that > these are about 2kB in size. > I don't think this is it. Is there someone else that I could look for? > > Regards, S > > > Yep, the spam still gets a free ride :( The milter is happy to pass this through. What else could they use to trick it? Regards, S. 
Today's spam: X-Spam-Status Yes, score=14.5 required=5.0 tests=BAYES_50,DKIM_ADSP_ALL, HELO_DYNAMIC_IPADDR2,HELO_DYNAMIC_SPLIT_IP,HTML_MESSAGE,MIME_HTML_ONLY, RCVD_ILLEGAL_IP,SPF_PASS,TVD_RCVD_IP,URIBL_BLACK shortcircuit=no autolearn=spam version=3.3.1 X-Spam-Report * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist * [URIs: zolp.net] * 3.6 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr * 2) * 3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split * IP) * 3.4 RCVD_ILLEGAL_IP Received: contains illegal IP address * 0.0 TVD_RCVD_IP TVD_RCVD_IP * 0.8 DKIM_ADSP_ALL No valid author signature, domain signs all mail * -0.0 SPF_PASS SPF: sender matches SPF record * 0.0 HTML_MESSAGE BODY: HTML included in message * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * 0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts From MAILER-DAEMON Mon Jul 25 05:14:11 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QlHEp-0006w4-Ff for mharc-spamass-milt-list@gnu.org; Mon, 25 Jul 2011 05:14:11 -0400 Received: from eggs.gnu.org ([140.186.70.92]:49490) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlHEm-0006v9-EL for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:14:09 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QlHEk-0006Td-Uq for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:14:08 -0400 Received: from klunky.co.uk ([62.58.61.184]:55356) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlHEk-0006TG-MS for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:14:06 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=klunky.co.uk; s=default; t=1311585239; bh=fMl/am56aSgiCVT0ud1vI13Fr5U0kaDulY+LFgoQXPA=; h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type: Content-Transfer-Encoding; 
b=cK2zK7GVtMY+hkeV2r7mCn3dlyksKXhD6a7MV2Ku5qaLgpicorGiXjUvfqa//T+iO L+KYlYZZ6T92iXMwf2kq59goqOv4bG8FWdG43zJOiXmITXgO8t3gnH77g/W1nZbZTt V3N80I3GJp01SitPYCnsed8km6cqmSiFpQQ+2uhk= Message-ID: <4E2D33E5.4090907@klunky.co.uk> Date: Mon, 25 Jul 2011 11:14:13 +0200 From: J4K User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10 MIME-Version: 1.0 To: spamass-milt-list@nongnu.org Subject: RFC3848 and ESMTPA in Receiver header Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 62.58.61.184 X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2011 09:14:09 -0000 Morning everyone, Whilst trying to debug a spammer, or potential misconfiguration in my SA/postfix set-up, I noticed this in the spam header: *Received: from 95.132.70.144(helo=xxx.co.uk) by xxx.co.uk with esmtpa (Exim 4.69) (envelope-from ) id 1MMY4Z-6815vh-KW for ; Mon, 25 Jul 2011 08:05:42 +020* The ESMTPA noted in the header struck me as strange. 1) Does this mean that the spammer authenticated with an smtp-auth username and password? 2) Is there an SA rule that would subtract points if this is seen in a header (I didn't think so)? 3) Would the Spam-Assassin Milter give this a free ride? It would if it had the -I option, but mine does not. -I Ignores messages if the sender has authenticated via SMTP AUTH. Current programme called as: /usr/sbin/spamass-milter -P /var/run/spamass/spamass.pid -f -p /var/spool/postfix/spamass/spamass.sock -u nobody -e xxx.co.uk -M -r 12 -i 127.0.0.1 -- -s 1050000 Regards, S. From http://www.ietf.org/rfc/rfc3848.txt 1. 
IANA Considerations As directed by SMTP [2], IANA maintains a registry [7] of "WITH protocol types" for use in the "with" clause of the Received header in an Internet message. This registry presently includes SMTP [6], and ESMTP [2]. This specification updates the registry as follows: o The new keyword "ESMTPA" indicates the use of ESMTP when the SMTP AUTH [3] extension is also used and authentication is successfully achieved. From MAILER-DAEMON Mon Jul 25 05:20:02 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QlHKU-00089f-Q1 for mharc-spamass-milt-list@gnu.org; Mon, 25 Jul 2011 05:20:02 -0400 Received: from eggs.gnu.org ([140.186.70.92]:57317) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlHKR-00087b-Hb for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:20:00 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QlHKQ-0007YI-C5 for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:19:59 -0400 Received: from smtp.idnet.com ([212.69.40.133]:48969) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlHKP-0007Y3-Te for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:19:58 -0400 Received: from localhost (unknown [127.0.0.1]) by smtp.idnet.com (Postfix) with ESMTP id 6734A9F914; Mon, 25 Jul 2011 09:19:54 +0000 (UTC) X-Virus-Scanned: amavisd-new at example.com Received: from smtp.idnet.com ([127.0.0.1]) by localhost (smtp.idnet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id h9z3u75fnIoU; Mon, 25 Jul 2011 10:19:53 +0100 (BST) Received: from smtp.idnet.com (template [127.0.0.1]) by smtp.idnet.com (Postfix) with ESMTP id 6633A9F918; Mon, 25 Jul 2011 10:19:53 +0100 (BST) Received: from [192.168.1.56] (stytwo.spampig.org.uk [212.69.52.156]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: corpus.defero@idnet.com) by smtp.idnet.com (Postfix) with ESMTPSA id 7CAE89F914; Mon, 25 Jul 2011 10:19:51 +0100 
(BST) Subject: Re: RFC3848 and ESMTPA in Receiver header From: Vaccus Spurcamen To: J4K In-Reply-To: <4E2D33E5.4090907@klunky.co.uk> References: <4E2D33E5.4090907@klunky.co.uk> Content-Type: text/plain; charset="UTF-8" Organization: vacuus.spurcamen@idnetfreemail.co.uk Date: Mon, 25 Jul 2011 10:19:48 +0100 Message-ID: <1311585588.3663.4.camel@testbed> Mime-Version: 1.0 X-Mailer: Evolution 2.28.3 Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 212.69.40.133 Cc: spamass-milt-list@nongnu.org X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: vacuus.spurcamen@idnetfreemail.co.uk List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2011 09:20:00 -0000 On Mon, 2011-07-25 at 11:14 +0200, J4K wrote: > Morning everyone, > > Whilst trying to debug a spammer, or potential misconfiguration in > my SA/postfix set-up, I noticed this in the spam header: > *Received: from 95.132.70.144(helo=xxx.co.uk) by xxx.co.uk with esmtpa > (Exim 4.69) (envelope-from ) id 1MMY4Z-6815vh-KW for ; > Mon, 25 Jul 2011 08:05:42 +020* > > The ESMTPA noted in the header stuck me as strange. 1) Does this mean > that spammer authenticated with an smtp-auth username and password? Suggests an authenticated user - nothing unusual in that, spammers hijack accounts all the time (assuming the header is, of course, genuine) > > 2) Is there an SA rule that would subtract points if this is seem in a > header ( I didn't think so)? You could always write one. > > 3) Would the Spam-Assassin Milter give this a free ride? It would if it > had the -I option, but mine does not. > -I Ignores messages if the sender has authenticated via SMTP AUTH. 
> > > Current programme called as: > /usr/sbin/spamass-milter -P /var/run/spamass/spamass.pid -f -p > /var/spool/postfix/spamass/spamass.sock -u nobody -e xxx.co.uk -M -r 12 > -i 127.0.0.1 -- -s 1050000 > > Regards, S. > > > >From http://www.ietf.org/rfc/rfc3848.txt > > 1. IANA Considerations > > As directed by SMTP [2], IANA maintains a registry [7] of "WITH > protocol types" for use in the "with" clause of the Received header > in an Internet message. This registry presently includes SMTP [6], > and ESMTP [2]. This specification updates the registry as follows: > > o The new keyword "ESMTPA" indicates the use of ESMTP when the SMTP > AUTH [3] extension is also used and authentication is successfully > achieved. > > > _______________________________________________ > Spamass-milt-list mailing list > Spamass-milt-list@nongnu.org > https://lists.nongnu.org/mailman/listinfo/spamass-milt-list From MAILER-DAEMON Mon Jul 25 05:28:27 2011 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1QlHSd-0001Ip-0t for mharc-spamass-milt-list@gnu.org; Mon, 25 Jul 2011 05:28:27 -0400 Received: from eggs.gnu.org ([140.186.70.92]:50725) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlHSZ-0001IW-Td for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:28:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QlHSY-0000Zs-T5 for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:28:23 -0400 Received: from klunky.co.uk ([62.58.61.184]:59507) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QlHSY-0000Zl-FY for spamass-milt-list@nongnu.org; Mon, 25 Jul 2011 05:28:22 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=klunky.co.uk; s=default; t=1311586100; bh=xQW6WVJHYSs4VaNh/WUtwvonZxfjFFwWmiT2Ilm9lIc=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type; 
b=VYyJUixrp6MmctPDTz50Vj2g1oi6OXpt6dDnjuU60B8rHTDUKK8gljGZmgoLsludb AsDFeJgzMmHvE30KaghQYV2ngd+F4Aj7Rn+yJ4jV8eCKqTD9iTruqp/j4CZ/qStyeo 1ubq+ISwm5tc+8bqs7sWeUn6cLHD2giFAdRP8AhY= Message-ID: <4E2D3746.1090603@klunky.co.uk> Date: Mon, 25 Jul 2011 11:28:38 +0200 From: J4K User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10 MIME-Version: 1.0 To: spamass-milt-list@nongnu.org Subject: Re: RFC3848 and ESMTPA in Receiver header References: <4E2D33E5.4090907@klunky.co.uk> <1311585588.3663.4.camel@testbed> In-Reply-To: <1311585588.3663.4.camel@testbed> Content-Type: multipart/alternative; boundary="------------020207020301050307040803" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 62.58.61.184 X-BeenThere: spamass-milt-list@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Spamassin Milter list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2011 09:28:24 -0000 This is a multi-part message in MIME format. --------------020207020301050307040803 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 07/25/2011 11:19 AM, Vaccus Spurcamen wrote: > On Mon, 2011-07-25 at 11:14 +0200, J4K wrote: >> Morning everyone, >> >> Whilst trying to debug a spammer, or potential misconfiguration in >> my SA/postfix set-up, I noticed this in the spam header: >> *Received: from 95.132.70.144(helo=xxx.co.uk) by xxx.co.uk with esmtpa >> (Exim 4.69) (envelope-from ) id 1MMY4Z-6815vh-KW for ; >> Mon, 25 Jul 2011 08:05:42 +020* >> >> The ESMTPA noted in the header stuck me as strange. 1) Does this mean >> that spammer authenticated with an smtp-auth username and password? > Suggests an authenticated user - nothing unusual in that, spammers > hijack accounts all the time (assuming the header is, of course, > genuine) Agreed. I don't know if the header is genuine. 
The milter, with its current calling parameters, should not give it a free ride. (I do not know whether it is or not.) The -I is not configured, so it shouldn't... >> 2) Is there an SA rule that would subtract points if this is seem in a >> header ( I didn't think so)? > You could always write one. Agreed, but there is no reason at the moment to re-invent the wheel if it's already been written.
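The two threads above turn on the same triage question: a message carries an X-Spam-Status score well above the milter's -r threshold and was still delivered, so which of the bypasses discussed here applies (spamc -s handing a large message back unscanned, spamass-milter -I skipping an SMTP AUTH sender, or neither)? The script below is an added example written for this page; it is not code from the list posters or from the spamass-milter or SpamAssassin projects. It parses RFC 3848 "with ESMTPA"/"ESMTPSA" keywords out of Received headers, parses X-Spam-Status, and reports the candidate explanations. The sample message is constructed: its first Received line follows the one quoted in the ESMTPA thread (xxx.co.uk, 95.132.70.144, Exim, esmtpa), and every other header, address and the body are made up. The function names, the RCVD_VIA_AUTH rule text in the comments, and the default of 500000 bytes for -s are this example's assumptions. One caveat a practitioner should keep in mind: the real milter learns that a sender authenticated from the MTA's auth macro, not by reading Received headers; the header keyword is used here only because it is the observable trace the thread was looking at.

```python
"""Triage a message that scored >= the spamass-milter reject threshold yet was delivered:
check the bypasses discussed on the list and implement an SA-style RFC 3848 ESMTPA test."""
import email
import re
from email import policy

# RFC 3848 "with" keywords that mean the submitting client completed SMTP AUTH.
AUTH_WITH = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

# Constructed sample. The first Received line mirrors the one quoted on the list
# (xxx.co.uk, 95.132.70.144, Exim, esmtpa); all other headers and the body are invented.
SAMPLE = b"""\
Received: from 95.132.70.144 (helo=xxx.co.uk) by xxx.co.uk with esmtpa (Exim 4.69)
\t(envelope-from <sender@example.invalid>) id 1MMY4Z-6815vh-KW
\tfor <abc@xxx.co.uk>; Mon, 25 Jul 2011 08:05:42 +0200
From: sender@example.invalid
To: abc@xxx.co.uk
Subject: work from home
X-Spam-Status: Yes, score=14.5 required=5.0 tests=BAYES_50,DKIM_ADSP_ALL,
\tHELO_DYNAMIC_IPADDR2,URIBL_BLACK shortcircuit=no autolearn=spam version=3.3.1
Content-Type: text/html; charset="iso-8859-1"

<html><body>see http://example.invalid/</body></html>
"""

STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+required=(?P<req>-?\d+(?:\.\d+)?)",
    re.I,
)
# Python equivalent of an illustrative SA rule (written for this example, not shipped with SA):
#   header   RCVD_VIA_AUTH  Received =~ /\bwith\s+[EL]?SMTPS?A\b/i
#   describe RCVD_VIA_AUTH  A relay accepted the message from an SMTP AUTH client
#   score    RCVD_VIA_AUTH  0.0   # informational; combine in a meta rule rather than score alone
RCVD_VIA_AUTH_RE = re.compile(r"\bwith\s+[EL]?SMTPS?A\b", re.I)


def parse(raw):
    """Parse raw RFC 5322 bytes; policy.default unfolds continuation lines for us."""
    return email.message_from_bytes(raw, policy=policy.default)


def _flat(value):
    return re.sub(r"\s+", " ", str(value)).strip()


def received_hops(msg):
    """One dict per Received header (newest first) holding its 'from' and 'with' clauses."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = _flat(raw)
        m_from = re.match(r"from\s+(\S+)", value, re.I)
        m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", value, re.I)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "with": m_with.group(1).upper() if m_with else None})
    return hops


def authenticated_hops(msg):
    """Hops whose transmission type is one of the RFC 3848 authenticated variants."""
    return [h for h in received_hops(msg) if h["with"] in AUTH_WITH]


def rule_rcvd_via_auth(msg):
    """True when the SA-style regex above would fire on any Received header."""
    return any(RCVD_VIA_AUTH_RE.search(_flat(r)) for r in msg.get_all("Received", []))


def spam_score(msg):
    """(score, required) from X-Spam-Status, or None when the header is absent or unparseable."""
    value = msg.get("X-Spam-Status")
    if value is None:
        return None
    m = STATUS_RE.match(_flat(value))
    return (float(m.group("score")), float(m.group("req"))) if m else None


def why_not_rejected(raw, reject_at=10.0, spamc_max_size=500000, milter_ignores_auth=False):
    """List the explanations for a message scored >= reject_at that got past the milter.
    spamc_max_size mirrors spamc -s (bigger messages come back unscanned); milter_ignores_auth
    mirrors spamass-milter -I. Both defaults are this example's assumptions."""
    msg = parse(raw)
    scored = spam_score(msg)
    if scored is None:
        return ["no X-Spam-Status header: spamd never scored this copy"]
    score, _required = scored
    if score < reject_at:
        return [f"score {score} is below the milter reject threshold {reject_at}"]
    reasons = []
    if len(raw) > spamc_max_size:
        reasons.append(f"{len(raw)} bytes exceeds spamc -s {spamc_max_size}: returned unscanned")
    auth = authenticated_hops(msg)
    if auth:
        hop = f"{auth[0]['with']} hop from {auth[0]['from']}"
        if milter_ignores_auth:
            reasons.append(f"{hop} and the milter runs with -I: skipped as authenticated")
        else:
            reasons.append(f"{hop} but -I is not set: authentication alone does not explain delivery")
    if not reasons:
        reasons.append("no known bypass applies: confirm the score came from the milter's spamc run")
    return reasons


if __name__ == "__main__":
    for reason in why_not_rejected(SAMPLE):
        print(reason)
```

Run on the sample it reports the ESMTPA hop but notes that without -I the milter would still have scanned it, which is the same conclusion the thread reached; passing milter_ignores_auth=True or a small spamc_max_size shows the two configurations under which the message would legitimately be handed through. The RCVD_VIA_AUTH rule is kept at score 0.0 on purpose: an ESMTPA hop is exactly what legitimate submission from your own users looks like, so a positive score on it alone would penalise them, and a negative score would reward a hijacked account; it is useful as a signal inside a meta rule or for reporting, not as a standalone verdict.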