Mailing List Archive

RE: Lost of FPs because of IPs listed in DUL + "open Proxy"
On Thu, 5 Feb 2004, Jens Benecke wrote:

> So: I want to whitelist users who use SMTP AUTH on my server to send their
> mail. Otherwise, they will get punished by SA because they are
> (legitimately) sending from a DUL (because they don't have a NOC in their
> basement).
>
> Unfortunately, qmail doesn't really mark the usage of SMTP AUTH in the
> headers.
>
> Any ideas?

Modify your MTA. If the user is connecting via SMTP AUTH you know
who they are. Use some kind of algorithm to hash their user-id &
IP address and put the hashed value into the Received: header.
That way you have that information for later audit/debugging
needs and the world doesn't need to know the exact details of
how they got that message to your server. (clearly need to use
a reversible hash, more of some kind of crypt).

Dave


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
RE: Lost of FPs because of IPs listed in DUL +
On Thu, 5 Feb 2004, Jens Benecke wrote:

> Yes. And if the first IP is listed as an open relay, it gets tagged as SPAM.
> Even if the user that has the IP is no open relay, but a _different_ user
> that _had_ the (dynamic) IP a couple weeks ago _was_.
>
> That is my problem. It can only be fixed (IMHO) by separating open relay
> lists on dynamic and static IPs.

For your own site you can fix this, create a meta-rule that says:
if RBL_DUL && RBL_PROXY-RELAY then give a negative score to adjust things.

> > Additionally, even if qmail did indicate that the transaction was via SMTP
> > AUTH, SpamAssassin really couldn't trust that information in the Received
> > line. A spammer could simply inject a fake Received line with the AUTH
> > markup. SA really can't trust any headers other than those that the end
> > MTA (or any configured trusted servers) have added, right?
>
> Yup.
>
> I need a way to find whether my header is the _first_ Received: header. But
> then I'd punish people who have their SMTP local server configured to relay
> via mine (which can be perfectly legitimate if they have an account).

Just customize your MTA to add a private locally unique header for
SMTP-AUTH connections and either bypass your SA filtering in that case
or trigger a local whitelist score.

If you were using sendmail & milter it would be pretty easy to do, as
the AUTH information is available to the milter.


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
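Dave's two suggestions above, a keyed marker for SMTP-AUTH sessions in the Received: header and trusting that marker only when it sits in the header the local MTA itself wrote (so a Received: line injected by the sender cannot whitelist itself), as an added Python example. This is not code from the thread, from qmail or from SpamAssassin. It swaps in a keyed MAC (HMAC-SHA256) for the reversible "crypt" Dave mentions: the postmaster can later confirm a suspected (user, IP) pair against the token, while the token reveals nothing to outsiders. The server name `mx.example.org`, the `auth=` marker format, the secret and the user list are all assumptions constructed for the example.

```python
"""Keyed SMTP-AUTH marker in Received: plus a first-header-only check.

Added example, not code from the thread, qmail or SpamAssassin. Assumes the
local MTA writes the topmost Received: header and that the shared secret is
readable only by the mail server."""
import hashlib
import hmac
import re
from email import message_from_string
from typing import Dict, Iterable, Optional

# Constructed secret for the example; a real server would load it from a
# root-only file so nobody outside the box can compute valid markers.
SERVER_SECRET = b"example-secret-do-not-reuse"


def auth_token(user_id: str, client_ip: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed token over (user-id, client IP). HMAC instead of reversible
    encryption: the postmaster can confirm a candidate pair, outsiders learn
    nothing from the token itself."""
    msg = f"{user_id}\x00{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def received_header(client_host: str, client_ip: str, server: str,
                    user_id: Optional[str]) -> str:
    """The Received: value our MTA would add; the marker is appended only
    when the session was authenticated."""
    line = f"from {client_host} ({client_host} [{client_ip}]) by {server} with ESMTP"
    if user_id is not None:
        line += f" (auth={auth_token(user_id, client_ip)})"
    return line


_MARKER = re.compile(r"\(auth=([0-9a-f]{32})\)")
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def authenticated_via_our_mta(raw: str, our_server: str,
                              known_users: Iterable[str]) -> Optional[str]:
    """Return the user-id if the *topmost* Received: header was written by
    our MTA and carries a valid marker, else None.

    Only the first header is examined: everything below it came in from the
    outside and may have been forged by the sender. The marker is verified by
    recomputing it for each known user, so a copied or made-up value fails."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    if f"by {our_server}" not in top:
        return None
    m_tok, m_ip = _MARKER.search(top), _IP.search(top)
    if not (m_tok and m_ip):
        return None
    token, ip = m_tok.group(1), m_ip.group(1)
    for user in known_users:
        if hmac.compare_digest(token, auth_token(user, ip)):
            return user
    return None


def demo_messages() -> Dict[str, str]:
    """Constructed messages: a genuine SMTP-AUTH submission, one where a
    copied marker sits below the header our MTA wrote for an unauthenticated
    session, and one whose marker was not computed with our secret."""
    genuine_top = received_header("dialup-1.example.net", "192.0.2.7",
                                  "mx.example.org", "alice")
    plain_top = received_header("mail.example.net", "198.51.100.20",
                                "mx.example.org", None)
    bogus_top = genuine_top.replace(auth_token("alice", "192.0.2.7"), "0" * 32)
    return {
        "genuine": f"Received: {genuine_top}\nFrom: alice@example.org\n\nbody\n",
        "copied": f"Received: {plain_top}\nReceived: {genuine_top}\nFrom: x@example.net\n\nbody\n",
        "forged": f"Received: {bogus_top}\nFrom: alice@example.org\n\nbody\n",
    }


if __name__ == "__main__":
    for name, raw in demo_messages().items():
        print(name, "->", authenticated_via_our_mta(raw, "mx.example.org", ["bob", "alice"]))
```

The result of `authenticated_via_our_mta` is what the filter would act on: a non-None user means the DUL penalty can be skipped or a local whitelist score applied; the two negative cases show why the check must be tied to the first header rather than to the mere presence of the marker anywhere in the message.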
Re: Lost of FPs because of IPs listed in DUL + "open Proxy"
>> "JB" == Jens Benecke <jens-sender-8130a1@spamfreemail.de> writes:

JB> I'm complaining about DUL IPs being stuck in "open relay" lists
JB> FOR MONTHS, although it only hurts legitimate customers: the
JB> spammer just hangs up, dials in again, gets a new IP and goes on
JB> spamming, once his IP is listed.

Personally I believe that a lot of the dialup IPs that spam are just
used without their owners' knowledge by being infected by a trojan that
lets someone else relay through them. I have a hard time believing
that the ratio of this compared to people who intentionally spam from
their own dialup account (or someone else's abused account of course) is
very high.

But still, the problem is the same. :)

/ahnberg.
RE: Lost of FPs because of IPs listed in DUL + "open Proxy"
That's the point. If the origination is a dialup it's either a spammer, a zombie or some person not following their ISP AUP. Spammers not zombies use the ISP SMTP server. As such, we allow those.

Relay everything to the ISP and you're good. Even SBC allows that. Some Earthlink dialup ranges require you to use their outgoing SMTP as they intentionally block outgoing SMTP. I learned that after spending 30 minutes trying to configure my mom's email one night to send through one of my servers. I couldn't telnet to the server on port 25 but I could ping it. The ISP tech support says (which others including myself have already said) to use the Earthlink server. Earthlink's explanation was simple. Most of the viruses don't use relays so they were protecting the net from virus based emails.

To the original author of this thread, you should call your ISP and see what they say.

BTW, people running zombies tend to take months to find out that they have a virus, by which time they have already dialed the net 2 dozen times polluting the whole range of IPs.

on 2/5/2004 we rejected 11421 emails based on IPs because they were RBL'ed. I'll almost bet 99.9% of them were actually spammers. Most of them were dialups. Here's a snapshot of why I use RBLs...

Feb 5 04:00:29 vjo-lxutil-06 postfix/smtpd[18962]: 261042071D1: reject: RCPT from unknown[218.64.164.117]: 554 Service unavailable; Client host [218.64.164.117] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?218.64.164.117; from=<fosterrutherford_wr@bemyvalentine.co.uk> to=<removed...> proto=ESMTP helo=<cfs.nrcan.gc.ca>

from spamcop.net

Since SpamCop started counting, this system has been reported about 740 times by about 150 users. It has been sending mail consistently for at least 30.8 days. In the past 30.1 days, it has been listed 5 times for a total of 26.5 days

In the past week, this system has:
* Been reported as a source of spam about 10 times
* Been detected sending mail to spam traps
* Been witnessed sending mail about 420 times

Other hosts in this "neighborhood" with spam reports:
* 218.64.164.30
* 218.64.164.78
* 218.64.164.103
* 218.64.164.104
* 218.64.164.107
* 218.64.164.197



Gary Smith

-----Original Message-----
From: Mattias Ahnberg [mailto:mattias@ahnberg.pp.se]
Sent: Fri 2/6/2004 9:51 AM
To: spamassassin-users@incubator.apache.org
Cc:
Subject: Re: Lost of FPs because of IPs listed in DUL + "open Proxy"



>> "JB" == Jens Benecke <jens-sender-8130a1@spamfreemail.de> writes:

JB> I'm complaining about DUL IPs being stuck in "open relay" lists
JB> FOR MONTHS, although it only hurts legitimate customers: the
JB> spammer just hangs up, dials in again, gets a new IP and goes on
JB> spamming, once his IP is listed.

Personally I believe that a lot of the dialup IPs that spam are just
used without their owners' knowledge by being infected by a trojan that
lets someone else relay through them. I have a hard time believing
that the ratio of this compared to people who intentionally spam from
their own dialup account (or someone else's abused account of course) is
very high.

But still, the problem is the same. :)

/ahnberg.
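Gary's post above quotes one Postfix reject line and a SpamCop "neighborhood" listing. As an added Python example, not code from the thread, from Postfix or from SpamCop, here is a small tally that parses reject lines of that shape and groups the blocked clients by RBL and by /24, which is the quickest way to see whether a block list is hitting a whole dialup range. The log lines are constructed in the same format as the quoted one; the client IPs are documentation ranges, the host `mx1` and the list name `dul.example.test` are placeholders.

```python
"""Tally Postfix smtpd RBL rejects by list and by /24 neighborhood.

Added example, not code from the thread, Postfix or SpamCop. SAMPLE_LOG is
constructed to match the reject line quoted in the thread; IPs are from
documentation ranges and dul.example.test is a placeholder list name."""
import re
from collections import Counter
from ipaddress import ip_network
from typing import Dict, Optional

SAMPLE_LOG = """\
Feb  5 04:00:29 mx1 postfix/smtpd[18962]: 261042071D1: reject: RCPT from unknown[203.0.113.117]: 554 Service unavailable; Client host [203.0.113.117] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?203.0.113.117; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<h1.example>
Feb  5 04:01:02 mx1 postfix/smtpd[18970]: connect from unknown[203.0.113.30]
Feb  5 04:01:03 mx1 postfix/smtpd[18970]: 2A3B42071D5: reject: RCPT from unknown[203.0.113.30]: 554 Service unavailable; Client host [203.0.113.30] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?203.0.113.30; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<h2.example>
Feb  5 04:02:40 mx1 postfix/smtpd[18975]: 2B1C42071D9: reject: RCPT from unknown[203.0.113.78]: 554 Service unavailable; Client host [203.0.113.78] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?203.0.113.78; from=<c@example.net> to=<u@example.org> proto=ESMTP helo=<h3.example>
Feb  5 04:03:11 mx1 postfix/smtpd[18980]: 2C2D42071E0: reject: RCPT from dsl-5.example.isp[198.51.100.5]: 554 Service unavailable; Client host [198.51.100.5] blocked using dul.example.test; from=<d@example.com> to=<u@example.org> proto=ESMTP helo=<h4.example>
"""

# Fields of a Postfix RBL reject: queue id, client host/IP, the list that
# matched, and the envelope sender. Anything else (connects, deliveries) is
# skipped by the parser.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 554 .*?"
    r"blocked using (?P<rbl>[A-Za-z0-9.-]+);.*?from=<(?P<sender>[^>]*)>"
)


def parse_reject(line: str) -> Optional[Dict[str, str]]:
    """Return the reject fields for an RBL reject line, else None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def neighborhood(ip: str, prefix: int = 24) -> str:
    """The /prefix block an IP belongs to, e.g. 203.0.113.0/24."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def summarize_log(text: str = SAMPLE_LOG, prefix: int = 24) -> Dict[str, object]:
    """Count rejects overall, per RBL, per client IP and per neighborhood."""
    by_rbl: Counter = Counter()
    by_net: Counter = Counter()
    by_ip: Counter = Counter()
    total = 0
    for line in text.splitlines():
        rec = parse_reject(line)
        if rec is None:
            continue
        total += 1
        by_rbl[rec["rbl"]] += 1
        by_ip[rec["ip"]] += 1
        by_net[neighborhood(rec["ip"], prefix)] += 1
    return {"total": total, "by_rbl": by_rbl, "by_ip": by_ip, "by_neighborhood": by_net}


if __name__ == "__main__":
    summary = summarize_log()
    print("rejects:", summary["total"])
    for rbl, n in summary["by_rbl"].most_common():
        print(f"  {rbl}: {n}")
    for net, n in summary["by_neighborhood"].most_common():
        print(f"  {net}: {n}")
```

Run against a real maillog (`summarize_log(open("/var/log/maillog").read())`, path assumed), a /24 with many distinct rejected IPs is the pattern Gary describes: an infected dialup re-dialing through the whole range, which is also the situation in which a DUL hit and a proxy-list hit on the same dynamic address start producing false positives for the legitimate customer who gets that address next.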
RE: Lost of FPs because of IPs listed in DUL + "open Proxy"
Hi Bobby,

please fix your mail client to use In-Reply-To or References. Thanks.

Rose, Bobby wrote:

> If you replied to Jens' message, you'd be greeted by that verification
> message that you sent the message. Using something like that makes me
> wonder why they're using Spamassassin if they're using an email
> verification system.

Simple. Because TMDA is supposed to catch only the non-obvious stuff, and
for my customers it's optional. We use

- obvious RBLs (confirmed non-DUL open proxies etc) at the SMTP level
- badmailto/badmailfrom at the SMTP level
- obvious viruses (signature in mail) at the SMTP level

then

- qmail-scanner with a generic executable blocker in the mail queue
- SA in the queue

and THEN - for those who want it - TMDA.

So obvious spam mails never get caught in your TMDA pending queue, which
users can look into and whitelist/blacklist users and set up their own
config.

> Respond to just the list instead of the person.

Yup. Don't CC me. And please again, fix your mail client. Thanks.

--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europe-wide free ride-sharing service
http://www.spamfreemail.de - 100% clean mailboxes - guaranteed!
http://www.rb-hosting.de - PHP from €9 - SSH from €19 - low-cost traffic
