Planetfurry BBS Forum Index Planetfurry BBS
Forums for Planetfurry Site Members and more
 

Spam blocker a little overzealous
Nameless
Site Owner

Joined: 06 Sep 2002
Posts: 1368
Location: Vienna, Austria

Posted: Tue May 24, 2005 3:32 pm    Post subject: Spam blocker a little overzealous

It seems the spamblocker is getting a little overzealous. The last "Raccoons Bookshelf News" was marked as spam as was a mail from my PF addy to another one (anthony).

Maybe there have been so many spam mails with spoofed PF addys that the domain is now on the blacklist?

_________________
I'm a nut, but there are those who appreciate me for it.
Whip-lash
Kneel before me... for I am Root!


Joined: 20 Nov 2000
Posts: 573

Posted: Wed May 25, 2005 11:35 pm    Post subject: Re: Spam blocker a little overzealous

Nameless wrote:
It seems the spamblocker is getting a little overzealous. The last "Raccoons Bookshelf News" was marked as spam as was a mail from my PF addy to another one (anthony).

Maybe there have been so many spam mails with spoofed PF addys that the domain is now on the blacklist?

It's very possible, though more than likely there was something in or about the message that caught SpamAssassin's attention. If the server marked the message as spam, and not a local spam filter, you should have seen a spam detection message, something like this:
Code:
Spam detection software, running on the system "morbo.nc.planetfurry.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Are You Ready? We are accepting mortgage requests. You
  don't have good credit history? That's not a problem! The approval
  system it's very fast and simple. Go to the link below right now. [...]

Content analysis details:   (6.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 BAYES_90               BODY: Bayesian spam probability is 90 to 99%
                            [score: 0.9586]
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
             [Blocked - see <http://www.spamcop.net/bl.shtml?200.120.179.220>]
 2.6 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [200.120.179.220 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [200.120.179.220 listed in dnsbl.sorbs.net]


The original message should be an attachment in the same message.

If you have this message, could you email me just the report? I likely will not need the original message, but I'll let you know if I do.

Once we are sure that SpamAssassin is likely the problem, the fix is relatively simple. On related accounts, we delete the individual user's SpamAssassin spam log. This resets the filter per user, causing SpamAssassin to relearn what would be spam and not spam, after passing through the various blacklists of course.
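The report format quoted in the post above can be read mechanically when chasing a false positive. This is an added example, not part of the thread or of SpamAssassin: it parses the "Content analysis details" table and lists which single rules pushed the message over the threshold. The function names and the rounding tolerance are assumptions.

```python
import re
from collections import defaultdict

# "Content analysis details" section copied from the report quoted above.
REPORT = """\
Content analysis details:   (6.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 BAYES_90               BODY: Bayesian spam probability is 90 to 99%
                            [score: 0.9586]
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
             [Blocked - see <http://www.spamcop.net/bl.shtml?200.120.179.220>]
 2.6 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [200.120.179.220 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [200.120.179.220 listed in dnsbl.sorbs.net]
"""

NUM = r"-?\d+(?:\.\d+)?"
SUMMARY = re.compile(rf"\(({NUM}) points, ({NUM}) required\)")
# Rule row: points, RULE_NAME, optional "AREA:" prefix, description.
# Bracketed continuation lines start with "[" after the indent and never match.
RULE = re.compile(rf"^\s*({NUM})\s+([A-Z][A-Z0-9_]*)\s+(?:([A-Z]+):\s+)?(.*)$")

def parse_report(text):
    """Return (total, required, [(points, rule, area), ...])."""
    m = SUMMARY.search(text)
    if not m:
        raise ValueError("no '(N points, M required)' summary line found")
    rules = []
    for line in text.splitlines():
        r = RULE.match(line)
        if r:
            rules.append((float(r.group(1)), r.group(2), r.group(3) or "OTHER"))
    total, required = float(m.group(1)), float(m.group(2))
    # Rows and total are each rounded to 0.1, so allow for that (assumed tolerance).
    if abs(sum(p for p, _, _ in rules) - total) > 0.05 * (len(rules) + 1):
        raise ValueError("rule rows do not add up to the stated total")
    return total, required, rules

def triage(text):
    """Points per area, plus the rules whose removal alone would un-flag the mail."""
    total, required, rules = parse_report(text)
    by_area = defaultdict(float)
    for pts, _rule, area in rules:
        by_area[area] += pts
    decisive = [rule for pts, rule, _ in rules if total >= required > total - pts]
    return {a: round(p, 1) for a, p in by_area.items()}, decisive

if __name__ == "__main__":
    print(triage(REPORT))
```

For the sample report, the blacklist (RBL) rules contribute 4.2 of the 6.3 points, and neither they nor the Bayes rule would have reached the 5.0 threshold alone.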
hikaru
Administrator


Joined: 20 Nov 2000
Posts: 1581
Location: Kansas City, KS, USA

Posted: Thu May 26, 2005 12:55 am

I've started using multiple RBLSMTP black lists on my ISP's and it's cut down the spam by over 70%.... Really worked wonders.

You might think about implementing them on PF instead of SpamAssassin.

Cheers

_________________
Read my comic: http://www.ImperialGelf.com
Read my stories at http://www.IC-Stories.com
http://katayamma.deviantart.com/

"Coming to you Live and Transcribed..." - TVDave
Whip-lash
Kneel before me... for I am Root!


Joined: 20 Nov 2000
Posts: 573

Posted: Thu May 26, 2005 1:11 am

hikaru wrote:
I've started using multiple RBLSMTP black lists on my ISP's and it's cut down the spam by over 70%.... Really worked wonders.

You might think about implementing them on PF instead of SpamAssassin.


PF uses multiple RBL lists, in addition to SpamAssassin. Spamhaus, SORBS, Spamcop, etc., though I adjust and tweak the RBLs as needed (accuracy, etc.). SpamAssassin provides Bayesian filtering, taking messages marked as spam (and ham) and learning the differences, what should be spam and what is not. It's not perfect, but it's very helpful.

Some links that may help with this issue:
http://wiki.apache.org/spamassassin/FalsePositives
http://wiki.apache.org/spamassassin/BayesInSpamAssassin

Another fix would be to retrain SpamAssassin (for the individual user) by running sa-learn against messages that are definitely spam, and then against messages that are definitely not spam. It may be better to reset the SpamAssassin settings and logs (for the individual user) by deleting the user's .spamassassin/ folder prior to this.
Nameless
Site Owner

Joined: 06 Sep 2002
Posts: 1368
Location: Vienna, Austria

Posted: Thu May 26, 2005 10:11 am

The message had the added "[SPAM]" in the message header. It's likely that the subject "Business trip" helped to make it look like spam. That doesn't apply to the "Raccoons Bookshelf News" message that was also marked.

AFAIK most virus and spam bots use their own SMTP engine. Can't you whitelist messages that are sent directly from the PF SMTP server, rather than received from another SMTP server?

_________________
I'm a nut, but there are those who appreciate me for it.
Whip-lash
Kneel before me... for I am Root!


Joined: 20 Nov 2000
Posts: 573

Posted: Thu May 26, 2005 11:39 am

Nameless wrote:
The message had the added "[SPAM]" in the message header. It's likely that the subject "Business trip" helped to make it look like spam. That doesn't apply to the "Raccoons Bookshelf News" message that was also marked.


And there wasn't any message stating it was marked as spam for any specific reasons? If not, could you forward the message with the headers intact to [email protected]? Best way to do this, in most cases, is to forward the original message as an attachment. If you need any assistance, please let me know.

Quote:
AFAIK most virus and spam bots use their own SMTP engine. Can't you whitelist messages that are sent directly from the PF SMTP server, rather than received from another SMTP server?


Some do, some don't. Viruses tend to use their own, but there are many that use your email client, for example Outlook or Outlook Express, to send messages. Spammers can use valid accounts to try and bypass appearing as originating from open relays, non-existent addresses, etc.

Simply put, there is no good reason to trust traffic even originating from this server in that respect. That's just asking for problems. For example, someone with a domain on this server could very well spam another domain on the same server, without any spam scanning.

Both incoming and outgoing messages are treated the same, and are scanned regardless of their origination (with the exception of those who do not have spam filters enabled). Think of it as protecting your company's internal network from internal abuse. An employee could easily get into things that they should not have access to, etc.
Nameless
Site Owner

Joined: 06 Sep 2002
Posts: 1368
Location: Vienna, Austria

Posted: Fri May 27, 2005 12:54 pm

How about blacklisting known-spoofed addresses? E.g. all @planetfurry.com addys that don't belong to a registered user.
_________________
I'm a nut, but there are those who appreciate me for it.
Nameless
Site Owner

Joined: 06 Sep 2002
Posts: 1368
Location: Vienna, Austria

Posted: Sat May 28, 2005 3:05 am

Mike Regan wrote:
That may not help much.

I have been getting a lot of fake "Your Account Has Been Suspended" or similar mails or spoofed return mails. Many of them (but not all) are marked as a virus.
Anyway, that would be a 100% surefire rule to delete some spam.

_________________
I'm a nut, but there are those who appreciate me for it.
Whip-lash
Kneel before me... for I am Root!


Joined: 20 Nov 2000
Posts: 573

Posted: Sat May 28, 2005 5:03 pm

Nameless wrote:
I have been getting a lot of fake "Your Account Has Been Suspended" or similar mails or spoofed return mails. Many of them (but not all) are marked as a virus.
Anyway, that would be a 100% surefire rule to delete some spam.


You mean the ones "from" [email protected], [email protected], etc.? Yep, they're fake, and classic examples of how easy it is to spoof email addresses. Looking through the logs, most of those that are hitting your account are viruses, like Worm.Mytob.BR and Worm.Mydoom.M.

Another thing you may want to try is to either increase the threshold for SpamAssassin to consider mail as spam (instructions below), or disable it entirely (not recommended, but it is an option).

To lower the threshold, go to http://planetfurry.com/user/ and log in. Once logged in, click on the Spam Filtering link in the System Menu. You should now be on the Configure Spam Options page. Here you can set the spam tolerance level, tell the system what to do if a message is identified as spam, etc.

On the top row of links you should see links to additional pages: Allowed Senders List and Blocked Senders List. On the Allowed Senders List page, you can list email from addresses that will never be treated as spam, even if SpamAssassin rules or other RBLs determine it as such. On the Blocked Senders List page, you can list email from addresses that will always be treated as spam.
Whip-lash
Kneel before me... for I am Root!


Joined: 20 Nov 2000
Posts: 573

Posted: Sat May 28, 2005 5:57 pm

{Dangerous Content?} is usually picked up by the virus scanner, not the spam scanner. The virus scanner is taking preventative measures against unknown viruses, scripts/forms embedded in messages used by spammers, etc. In this case, the message was quarantined because of a form and a rather harmless JavaScript. Unfortunately, the virus scanner can't always determine what is harmless and what is not in this case, so it errs for safety. I can put a copy of the message in your home directory, and you should be able to download it via FTP.

I would recommend sending an email to the webmaster of the site you received the email from, and highly recommend that they remove content from their emails that may be considered harmful, such as forms and scripts.

Forms and scripts really do not belong in emails, and allowing them to be included in emails accepted by this server is dangerous. If scripts were allowed, every time you view or preview the email the script is allowed to run, which may do things you hadn't intended the message to do (popups, downloading viruses, notifying the sender or a 3rd party that you opened the message, etc.).
Nameless
Site Owner

Joined: 06 Sep 2002
Posts: 1368
Location: Vienna, Austria

Posted: Sun May 29, 2005 3:52 am

I'll have a look at the spam configuration. Is "[email protected]" the only valid administrative addy or are there others? So I know which ones I can add to the blacklist.

Too bad the spam configuration doesn't allow me to set more than one level of spam filtering. (e.g. mark messages with 5 and delete messages above 15).

_________________
I'm a nut, but there are those who appreciate me for it.
Whip-lash
Kneel before me... for I am Root!


Joined: 20 Nov 2000
Posts: 573

Posted: Sun May 29, 2005 4:32 pm

Nameless wrote:
I'll have a look at the spam configuration. Is "[email protected]" the only valid administrative addy or are there others? So I know which ones I can add to the blacklist.


That's the only admin email, yes, however there are other addresses used by services that should neither be blacklisted nor whitelisted: (to help prevent email scrapers, I've replaced the @ and . characters with spaces)
  • bbs planetfurry com (used by the Planetfurry BBS notification mailer, notifications of topic replies, registrations, etc.)
  • MAILER-DAEMON planetfurry com (used by the Mailer Delivery Subsystem, notification of bounces, etc.)
  • postmaster planetfurry com (same as MAILER-DAEMON)

I would not add these to the blacklist since valid messages are sent from these addresses, nor the whitelist since spammers may spoof messages from them.

Quote:
Too bad the spam configuration doesn't allow me to set more than one level of spam filtering. (e.g. mark messages with 5 and delete messages above 15).


What you may want to try is having your email client check the X-Spam-Level or X-Spam-Status headers. In the X-Spam-Level header, the number of * characters signifies the spam score. The X-Spam-Status could also be used, since it has a numeric value. Depending on which method works better with your email client, you can define which messages get deleted immediately if their spam score is above 15.
Nameless
Site Owner

Joined: 06 Sep 2002
Posts: 1368
Location: Vienna, Austria

Posted: Mon May 30, 2005 12:31 am

Whip-lash wrote:
I would not add these to the blacklist since valid messages are sent from these addresses, nor the whitelist since spammers may spoof messages from them.

Isn't it possible to configure the email system so that these service addresses can only be sent by the respective demons, that is any message from the outside with these addys is considered to be spoofed?

I'll have to look at my email proggy to see if I can use these spam header entries for message filtering.

_________________
I'm a nut, but there are those who appreciate me for it.
Whip-lash
Kneel before me... for I am Root!


Joined: 20 Nov 2000
Posts: 573

Posted: Mon May 30, 2005 10:44 pm

Nameless wrote:
Isn't it possible to configure the email system so that these service addresses can only be sent by the respective demons, that is any message from the outside with these addys is considered to be spoofed?


Good question. I'm looking for an effective way to accomplish this right now. I remember having done this before, but it was with another email daemon.

Quote:
I'll have to look at my email proggy to see if I can use these spam header entries for message filtering.


If I remember correctly, the email client you said you used allows advanced header filtering, and even regular expressions. It may depend on which version you're using, however.
Nameless
Site Owner

Joined: 06 Sep 2002
Posts: 1368
Location: Vienna, Austria

Posted: Tue May 31, 2005 12:26 am

Whip-lash wrote:
Quote:
I'll have to look at my email proggy to see if I can use these spam header entries for message filtering.

If I remember correctly, the email client you said you used allows advanced header filtering, and even regular expressions. It may depend on which version you're using, however.

I looked at this and I found a problem:
I can do regular expressions, but as far as the help file says, I can't escape the special characters. That is, I can't search for "*" because it is a wildcard character.
There is no handling for numbers in regular expressions, so it'll be a little complicated to try to make rules based on the numeric score. Probably possible, but it'll take several rules.
Is there a maximum spam level score?

_________________
I'm a nut, but there are those who appreciate me for it.
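The two-level filter discussed in the posts above (mark at 5, delete above 15), as an added example that is not part of the thread: it reads the numeric value in X-Spam-Status, falls back to counting the stars in X-Spam-Level, and includes a digit-only pattern for mail clients that cannot compare numbers. The `score=`/`hits=` header layout, the function names and the sample messages are assumptions.

```python
import re
from email import message_from_string

MARK_AT, DELETE_ABOVE = 5.0, 15.0   # the two levels asked for in the thread

# Assumed header layout: SpamAssassin 3.x writes "score=N", 2.x wrote "hits=N".
SCORE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

# Digit-pattern test for "score is 15 or more", for mail clients whose rules
# cannot compare numbers: 15-19, or 20-99, or three and more digits.
# It contains no "*", so it does not depend on escaping the wildcard.
HIGH = re.compile(r"\b(?:score|hits)=(?:1[5-9]|[2-9][0-9]|[1-9][0-9][0-9]+)(?:\.|\s|$)")

def spam_score(raw_message):
    """Return the score as a float, or None when no usable header exists."""
    msg = message_from_string(raw_message)
    m = SCORE.search(msg.get("X-Spam-Status", ""))
    if m:
        return float(m.group(1))
    level = msg.get("X-Spam-Level")
    if level is not None and set(level.strip()) <= {"*"}:
        return float(len(level.strip()))   # one "*" per whole point
    return None

def action(raw_message):
    """Two-level policy: 'keep', 'mark' (5 and up) or 'delete' (above 15)."""
    score = spam_score(raw_message)
    if score is None:
        return "keep"          # unscored mail is never deleted automatically
    if score > DELETE_ABOVE:
        return "delete"
    return "mark" if score >= MARK_AT else "keep"

def sample(status=None, level=None):
    """Build a constructed test message; addresses and subject are made up."""
    lines = ["From: sender@example.org", "Subject: constructed sample"]
    if level is not None:
        lines.append(f"X-Spam-Level: {level}")
    if status is not None:
        lines.append(f"X-Spam-Status: {status}")
    return "\n".join(lines) + "\n\nbody\n"

if __name__ == "__main__":
    for status in ("No, score=1.2 required=5.0", "Yes, score=6.3 required=5.0",
                   "Yes, score=17.4 required=5.0"):
        print(status, "->", action(sample(status)), bool(HIGH.search(status)))
```

The digit pattern matches a score of exactly 15.0 as well, so it is slightly broader than the numeric "above 15" check in `action`.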
All times are GMT - 4 Hours
Page 1 of 2

 