Being Buried In Returned Email - Need To Mark Certain IPs


Being Buried In Returned Email - Need To Mark Certain IPs

by thadcoco

Hi All,

My server, CentOS 4, Sendmail, MailScanner (SA & ClamAV) is being buried by spoofed emails that are bounced back to my domain by the recipient's servers. Virtually all these emails are being sent from a zombie at a single IP.

i.e.: All the messages contain the following line somewhere within:
Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])

I can't figure out how to mark any messages that originally sourced from that IP so that they can be dropped by Procmail (that approach would appear to be my only hope, as junk is arriving faster than my mail client can pull it off the server).

I have tried to write a rule that would mark any message with that particular IP, but nothing seems to work.

An example that doesn't work (but does --lint just fine) is:

header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
score ANNOYING_SPAMMER 15

Does SA only scan the most recent Received Header line? If so, the "Header - Received" syntax wouldn't work because the bad IP is in the original Received line. In case that was the problem, I also tried the Rawbody operator to no avail.

Note that other than this issue, SA appears to be doing everything else just fine.

So I am desperate and would be grateful for any suggestions. For reference, here are my full procmailrc and local.cf files.

/etc/procmailrc
-----------------
DROPPRIVS=yes
:0fw
* < 256000
| /usr/bin/spamc -f

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null
----------------

/etc/mail/spamassassin/local.cf
-----------------
# Change the subject of suspected spam
rewrite_header subject         *****SPAM*****

# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe             0

# Enable the Bayes system
use_bayes               1

# Enable Bayes auto-learning
bayes_auto_learn              1

# Enable or disable network checks
skip_rbl_checks         0
use_razor2              1
#use_dcc                 1
use_pyzor               1

header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
score ANNOYING_SPAMMER 15
---------------

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Nigel Frankcom-2

On Sun, 29 Jun 2008 07:07:58 -0700 (PDT), thadcoco
<thadco21@...> wrote:

>
>Hi All,
>
>My server CentOS 4, Sendmail, MailScanner (SA & ClamAV) is being buried by
>spoofed emails that are bounced back to my domain by the recipient's
>servers. Virtually all these emails are being sent from a zombie at a single
>IP.
>
>i.e.: All the messages contain the following line somewhere within:
>Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
>I can't figure out how to mark any messages that originally sourced from
>that IP so that that can be dropped by Procmail (that approach would appears
>to be my only hope, as junk is arriving faster than my mail client can pull
>it off the server.
>
>I have tried to write a rule that would mark any message with that
>particular IP, but nothing seems to work.
>
>An example that doesn't work (but does --lint just fine) is:
>
>header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
>describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
>score ANNOYING_SPAMMER 15
>
>Does SA only scan the most recent Received Header line? If so, the "Header -
>Received" syntax wouldn't work because the bad IP is in the original
>Received line. In case that was the problem, I also tried the Rawbody
>operator to no avail.
>
>Note that other than this issue, SA appears to be doing everything else just
>fine.
>
>So I am desperate and would be grateful for any suggestions. For reference,
>here are my full procmailrc and local.cf files for reference.
>
>/etc/procmailrc
>-----------------
>DROPPRIVS=yes
>:0fw
>* < 256000
>| /usr/bin/spamc -f
>
>:0
>* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
>/dev/null
>----------------
>
>/etc/mail/spamassassin/local.cf
>-----------------
># Change the subject of suspected spam
>rewrite_header subject         *****SPAM*****
>
># Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
>report_safe             0
>
># Enable the Bayes system
>use_bayes               1
>
># Enable Bayes auto-learning
>bayes_auto_learn              1
>
># Enable or disable network checks
>skip_rbl_checks         0
>use_razor2              1
>#use_dcc                 1
>use_pyzor               1
>
>header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
>describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
>score ANNOYING_SPAMMER 15
>---------------


Can you not block them at your router or firewall? Then they are not
taking up threads either. It's how I deal with heavy hitters.

Nigel

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Jari Fredriksson

> On Sun, 29 Jun 2008 07:07:58 -0700 (PDT), thadcoco
> <thadco21@...> wrote:
>
>
> Can you not block them at your router or firewall? Then
> they are not taking up threads either. It's how I deal
> with heavy hitters.
>
> Nigel

I understood that the d04m-89-83-98-193.d4.club-internet.fr was the original source, not the source of this backscatter he gets.



Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Joseph Brennan



--On Sunday, June 29, 2008 7:07 AM -0700 thadcoco <thadco21@...>
wrote:

>
> i.e.: All the messages contain the following line somewhere within:
> Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
> I can't figure out how to mark any messages that originally sourced from
> that IP so that that can be dropped by Procmail


Why not just tell procmail to drop them?

: 0
* ^Received: .* 89.83.98.193
/dev/null


Joseph Brennan
Columbia University Information Technology



Re: Being Buried In Returned Email - Need To Mark Certain IPs

by thadcoco

Nigel Frankcom-2 wrote:
> Can you not block them at your router or firewall? Then they are not
> taking up threads either. It's how I deal with heavy hitters.
>
> Nigel

No, I wish I could, but these bounced emails are not coming To Me from a single IP. It goes like this:

1. Some doofus' spambot in France at the previously referenced IP is sending out spam with spoofed return addresses which just happens to be one of my domains.
2. Because the spambot is randomly generating the To addresses, most of the final destination servers end up bouncing the mail to the supposed sender (my legitimate domain).
3. Therefore I am receiving the bounced mails from those non-existent recipient mail servers (which are just whichever unlucky MX record that got stuck having to reject the spam).

So the IPs of the mail servers connecting to my network are almost always different, based upon a random To address. Only the original source IP, which is buried in the headers, has any consistency which I could use to establish a "Rule."

I suspect that further complicating matters is that when these messages get bounced, they get wrapped by the bouncing MTA, possibly masking the headers from SA which then makes my rules all fail.

I had even considered killing any and all email that are bounces, but then no one on my server would ever know if a legit email they sent got bounced...

Thanks!

Thad

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Raymond Dijkxhoorn

Hi!

> i.e.: All the messages contain the following line somewhere within:
> Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
> I can't figure out how to mark any messages that originally sourced from
> that IP so that that can be dropped by Procmail (that approach would appears
> to be my only hope, as junk is arriving faster than my mail client can pull
> it off the server.
>
> I have tried to write a rule that would mark any message with that
> particular IP, but nothing seems to work.
>
> An example that doesn't work (but does --lint just fine) is:
>
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15

And exactly why don't you block those on your MTA? Bit of a waste of CPU cycles
like this... first process them, and then trash them anyway.

Bye,
Raymond.

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by thadcoco

Joseph Brennan wrote:
> Why not just tell procmail to drop them?
>
> : 0
> * ^Received: .* 89.83.98.193
> /dev/null
>
> Joseph Brennan
> Columbia University Information Technology

I just tried, but it doesn't work either. Recall that the nasty IP is wrapped as part of an attachment. I need to be able to scan the entire raw message with either SA or I suppose procmail.

Even if I can make this work at the procmail level, I would think it would be better to use SA, because rules can be tested more easily using --lint. Thoughts?

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by thadcoco

Raymond Dijkxhoorn wrote:
> Hi!
>
> And exactly why dont you block those on your MTA? Bit waste on CPU cycles
> like this... first process then, and then trash it anyway.
>
> Bye,
> Raymond.

Well, mostly because I don't have any idea how to do so at the MTA level and also I would think it would be harder to add other offending IPs in the future.

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Raymond Dijkxhoorn

Hi!

>> And exactly why dont you block those on your MTA? Bit waste on CPU cycles
>> like this... first process then, and then trash it anyway.

> Well, mostly because I don't have any idea how to do so at the MTA level
> and also I would think it would be harder to add other offending IPs in
> the future.

Not at all ...

You can even drop the IP with a route command.

Do: route add -host <ip> reject

Easy as that.

Bye,
Raymond.

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by mouss-2

thadcoco wrote:

> Hi All,
>
> My server CentOS 4, Sendmail, MailScanner (SA & ClamAV) is being buried by
> spoofed emails that are bounced back to my domain by the recipient's
> servers. Virtually all these emails are being sent from a zombie at a single
> IP.
>
> i.e.: All the messages contain the following line somewhere within:
> Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
> I can't figure out how to mark any messages that originally sourced from
> that IP so that that can be dropped by Procmail (that approach would appears
> to be my only hope, as junk is arriving faster than my mail client can pull
> it off the server.
>
> I have tried to write a rule that would mark any message with that
> particular IP, but nothing seems to work.
>
> An example that doesn't work (but does --lint just fine) is:
>
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15
>
>  

header rules only look at headers. unless the bounce came from the said
client, they won't help.

as a general recommendation, when rules do not catch a message and you
think they should, it is nice to show a sample (full headers and body,
unaltered by your mta/mua, so that we can see the original headers and
body. it's ok if your mta/mua adds headers, but not ok if it reformats
the message or removes headers... etc).
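
The wrapping Thad describes above and mouss's point that header rules only see the outer headers, as an added example that is not code from this thread: a Python script that parses a constructed bounce (sample message and hostnames are made up, except for the relay line quoted in the thread) and reports whether the relay IP appears in the outer Received: headers or only inside the attached original message.

```python
import email
from email.message import Message

# Constructed sample bounce (DSN): the outer Received: header belongs to the
# bouncing MX, while the spambot's hop exists only inside the attached
# original message (the message/rfc822 part). Hostnames are made up.
SAMPLE_BOUNCE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Sun, 29 Jun 2008 07:00:00 -0700
From: MAILER-DAEMON@example.net
To: someone@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

This is the mail system at host mx.example.net. Delivery failed.

--B
Content-Type: message/rfc822

Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
\tby mx.example.net with SMTP id xyz; Sun, 29 Jun 2008 06:59:00 -0700
From: someone@example.org
To: nobody-random@example.net
Subject: buy stuff

spam body
--B--
"""


def parse_message(raw: bytes) -> Message:
    return email.message_from_bytes(raw)


def received_headers(msg: Message, include_attached: bool = True) -> list:
    """Return unfolded Received: values. With include_attached=False this
    mirrors what a SpamAssassin 'header' rule (or a procmail recipe without
    the B flag) sees: only the outer message's own headers. With
    include_attached=True, walk() also descends into message/rfc822 parts."""
    parts = msg.walk() if include_attached else [msg]
    out = []
    for part in parts:
        for value in part.get_all("Received", []):
            out.append(" ".join(str(value).split()))  # unfold continuation lines
    return out


def locate_ip(msg: Message, ip: str):
    """Report where the relay IP appears: 'top-level', 'attached-original',
    or None. The IP is matched in brackets, as MTAs write it, so that
    189.83.98.193 does not also match 89.83.98.193."""
    needle = "[" + ip + "]"
    if any(needle in h for h in received_headers(msg, include_attached=False)):
        return "top-level"
    if any(needle in h for h in received_headers(msg)):
        return "attached-original"
    return None


if __name__ == "__main__":
    bounce = parse_message(SAMPLE_BOUNCE)
    for hop in received_headers(bounce):
        print(hop)
    print("89.83.98.193 found:", locate_ip(bounce, "89.83.98.193"))
```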

 

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by John Hardin


On Sun, 2008-06-29 at 10:55 -0700, thadcoco wrote:

> While if I can make this work at the procmail level, I would think it would
> be better to use SA, because rules can be tested more easily using --lint.
> Thoughts?

Where you do it depends on what tool chain you're using. Since you want
to discard the message, you should do it as early as possible with the
lightest-weight tool possible.

SA can certainly add points for the message, but SA is a rather heavy
tool for doing this.

If procmail launches SA, then the logical place to deal with these
messages is in a procmail rule *before* SA is invoked.

Another alternative if you're using sendmail is to use milter-regex to
look for that IP in a Received: header and reject the message with a 550
at SMTP time.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.                                  -- Lyndon B. Johnson
-----------------------------------------------------------------------
 5 days until the 232nd anniversary of the Declaration of Independence


Re: Being Buried In Returned Email - Need To Mark Certain IPs

by John Hardin


On Sun, 2008-06-29 at 20:44 +0200, Raymond Dijkxhoorn wrote:

> >> And exactly why dont you block those on your MTA? Bit waste on CPU cycles
> >> like this... first process then, and then trash it anyway.
>
> > Well, mostly because I don't have any idea how to do so at the MTA level
> > and also I would think it would be harder to add other offending IPs in
> > the future.
>
> Not at all ...
>
> You can even drop the IP with a route command.
>
> Do: route add -host <ip> reject

Not if the IP address you want to block is several MTA relay hops
removed from you.



Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Raymond Dijkxhoorn

Hi!

>> You can even drop the IP with a route command.
>>
>> Do: route add -host <ip> reject

> Not if the IP address you want to block is several MTA relay hops
> removed from you.

Ok. I think i missed that ;)

Bye,
Raymond.


Re: Being Buried In Returned Email - Need To Mark Certain IPs

by thadcoco

John Hardin wrote:
> Another alternative if you're using sendmail is to use milter-regex to
> look for that IP in a Received: header and reject the message with a 550
> at SMTP time.

That would certainly appear to be the best solution so far. However, I can't get milter-regex to make on CentOS 4.6, nor can I find a suitable RPM. Any suggestions would be greatly appreciated. From what I can gather, I'm banging into an old version of glibc, but updating that is another mess.

And yes, I know I'm starting to sound like a total Newb ;)

Thanks!

Thad

Re: Being Buried In Returned Email - Need To Mark Certain IPs

by jdow

body   TEMP_BLOCKADE    /Received: from d04m-89-83-98-193\.d4\.club-internet\.fr \(\[89\.83\.98\.193\]\)/
describe TEMP_BLOCKADE  Temporary blockade of club-internet.fr joe job
score TEMP_BLOCKADE 15

This might be enough to be unambiguous.
body   TEMP_BLOCKADE    /Received: from d04m-89-83-98-193\./

{^_^}
----- Original Message -----
From: "thadcoco" <thadco21@...>
Sent: Sunday, 2008, June 29 07:07


>
> Hi All,
>
> My server CentOS 4, Sendmail, MailScanner (SA & ClamAV) is being buried by
> spoofed emails that are bounced back to my domain by the recipient's
> servers. Virtually all these emails are being sent from a zombie at a
> single
> IP.
>
> i.e.: All the messages contain the following line somewhere within:
> Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
> I can't figure out how to mark any messages that originally sourced from
> that IP so that that can be dropped by Procmail (that approach would
> appears
> to be my only hope, as junk is arriving faster than my mail client can
> pull
> it off the server.
>
> I have tried to write a rule that would mark any message with that
> particular IP, but nothing seems to work.
>
> An example that doesn't work (but does --lint just fine) is:
>
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15
>
> Does SA only scan the most recent Received Header line? If so, the
> "Header -
> Received" syntax wouldn't work because the bad IP is in the original
> Received line. In case that was the problem, I also tried the Rawbody
> operator to no avail.
>
> Note that other than this issue, SA appears to be doing everything else
> just
> fine.
>
> So I am desperate and would be grateful for any suggestions. For
> reference,
> here are my full procmailrc and local.cf files for reference.
>
> /etc/procmailrc
> -----------------
> DROPPRIVS=yes
> :0fw
> * < 256000
> | /usr/bin/spamc -f
>
> :0
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> /dev/null
> ----------------
>
> /etc/mail/spamassassin/local.cf
> -----------------
> # Change the subject of suspected spam
> rewrite_header subject         *****SPAM*****
>
> # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
> report_safe             0
>
> # Enable the Bayes system
> use_bayes               1
>
> # Enable Bayes auto-learning
> bayes_auto_learn              1
>
> # Enable or disable network checks
> skip_rbl_checks         0
> use_razor2              1
> #use_dcc                 1
> use_pyzor               1
>
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15
> ---------------


Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Michelle Konzack-2

On 2008-06-29 07:07:58, thadcoco wrote:
> servers. Virtually all these emails are being sent from a zombie at a single
> IP.

OK

> i.e.: All the messages contain the following line somewhere within:
> Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
> I can't figure out how to mark any messages that originally sourced from
> that IP so that that can be dropped by Procmail (that approach would appears
> to be my only hope, as junk is arriving faster than my mail client can pull
> it off the server.

Procmail?

:0
* ^Received:.*d04m-89-83-98-193.d4.club-internet.fr
/dev/null

No spamassassin needed if it is REALLY every time the same IP/FQDN.
And yes, I have a list of around 200 of them in my cache, since the
$USER (Club Internet, Free, Alice) have a fixed IP which never changes.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)



Re: Being Buried In Returned Email - Need To Mark Certain IPs

by Michelle Konzack-2

On 2008-06-29 10:55:19, thadcoco wrote:
> I just tried, but it doesn't work either. Recall that the nasty IP is
> wrapped as part of an attachment. I need to be able to scan the entire raw
> message with either SA or I suppose procmail.

Don't make it too complicated; just EGREP the BODY for it:

    :0B
    * Received: .*89.83.98.193
    /dev/null

and this is definitely faster than spamassassin.  Or you can use:

    BODY=`formail -I ""`
    :0
    * ? echo -e "${BODY}" |egrep --file=/path/to/your/regexp.file
    /dev/null

where you can put ANY arbitrary RegExp pattern in the file and the body
will be EGREPed for it.  If it MATCHES, egrep returns TRUE and the message is
filtered into the special folder /dev/null.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant



