Should I use DNSBL?

Post by: tom on March 5th, 2008 | File Under Mailserver, Security

RBLs: yes or no? That's always a big discussion.
Right now, I can recommend zen.spamhaus.org and ix.dnsbl.manitu.net (the latter especially for German MXs).
I've never seen a false positive on these lists.

Nevertheless, use the lists for scoring (e.g. with SpamAssassin), not for instant blocking!

Nowadays, listing hosts for "backscatter", sender callouts, etc. seems to be a new trend, and it could be useful in the future.
I've tested the only free list of this kind I know of, backscatterer.org.
Don't use that one for immediate blocking!
Scoring can be OK, but even there: watch your logs!

Some “hits” (from a test run) to show what I found:

2008-03-04 17:17:42 H=lizzard.sbs.de [194.138.37.39] - possible backscatter
2008-03-04 17:21:59 H=mail.space.net [195.30.0.8] - possible backscatter
2008-03-04 17:25:33 H=relay4.ptmail.sapo.pt [212.55.154.24] - possible backscatter
2008-03-04 17:32:46 H=relay23.arbeitsagentur.de [212.204.77.151] - possible backscatter
2008-03-04 17:33:38 H=mout1.mail.vrmd.de [81.28.224.19] - possible backscatter
2008-03-04 17:48:33 H=dgate1.fujitsu-siemens.com [217.115.66.35] - possible backscatter
2008-03-04 17:50:05 H=mailout05.sul.t-online.de [194.25.134.82] - possible backscatter
2008-03-04 17:51:27 H=relay0-0.brigade.com [209.249.158.73] - possible backscatter
2008-03-04 18:04:42 H=mailout07.sul.t-online.de [194.25.134.83] - possible backscatter
2008-03-04 18:11:21 H=bay0-omc2-s24.bay0.hotmail.com [65.54.246.160] - possible backscatter
2008-03-04 18:13:37 H=mail.space.net [195.30.0.8] - possible backscatter
2008-03-04 18:13:42 H=smtp1.versatel.nl [62.58.50.88] - possible backscatter
2008-03-04 18:15:29 H=mailout09.sul.t-online.de [194.25.134.84] - possible backscatter
2008-03-04 18:16:33 H=ip17.be3a.com (be3a.com) [213.92.9.17] - possible backscatter
2008-03-04 18:18:12 H=gamwsm02.mwga.mailwatch.com [216.157.255.16] - possible backscatter
2008-03-04 18:20:15 H=aps67.muc.ec-messenger.com [195.140.186.67] - possible backscatter
2008-03-04 18:22:56 H=mout1.mail.vrmd.de [81.28.224.19] - possible backscatter
2008-03-04 18:25:46 H=mail.gmx.net [213.165.64.20] - possible backscatter
2008-03-04 18:27:56 H=mail004.thyssenkrupp.com [149.211.153.66] - possible backscatter
2008-03-04 18:30:43 H=mailout04.sul.t-online.de [194.25.134.18] - possible backscatter
2008-03-04 18:33:06 H=mailout03.sul.t-online.de [194.25.134.81] - possible backscatter
2008-03-04 18:39:33 H=mail.gmx.net [213.165.64.20] - possible backscatter
2008-03-04 18:45:20 H=mail.schule.bayern.de [194.95.207.92] - possible backscatter
2008-03-04 18:48:56 H=skibayf20.kirche-bayern.de [141.78.101.100] - possible backscatter


A lot of the big players (mainly German companies in this example) are found on the list.
So don't get yourself into trouble with users who complain all day long: think about what you're blocking.
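To make the scoring-not-blocking advice concrete, here is an added example (mine, not from the post) of combining several lists with weights so that no single list can reject a client on its own; a hit only on a low-weight list such as backscatterer.org becomes a flag that SpamAssassin can score. The weights, the threshold and the constructed zone data for the offline demo are assumptions; only the zen.spamhaus.org return codes are from Spamhaus's documentation. Answers outside 127.0.0.0/24 are not counted as listings, because Spamhaus uses 127.255.255.x to signal query errors (public resolver, exceeded query limit) rather than a listing.

```python
"""Weighted DNSBL scoring for an SMTP client address (IPv4 only).

Added example, not part of the original post. List weights, threshold and the
fake zone data are assumptions for the demo; the zen return codes are Spamhaus's.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a name to its A records and raises socket.gaierror on NXDOMAIN.
Resolver = Callable[[str], List[str]]

# Assumed weights: no single list reaches the threshold on its own.
LIST_WEIGHTS: Dict[str, float] = {
    "zen.spamhaus.org": 4.0,
    "ix.dnsbl.manitu.net": 3.0,
    "ips.backscatterer.org": 0.5,
}
REJECT_THRESHOLD = 5.0

# zen.spamhaus.org return codes as documented by Spamhaus: which sub-list matched.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP)", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the zone (raises on a non-IPv4 string)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listing_codes(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Return the 127.0.0.x answers for ip in zone; [] when not listed.

    Anything outside 127.0.0.0/24 is ignored: Spamhaus answers 127.255.255.x
    for query errors, and such an answer must not be treated as a hit.
    """
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return []
    return sorted(a for a in answers if a.startswith("127.0.0."))


def score(ip: str, resolve: Resolver,
          weights: Optional[Dict[str, float]] = None) -> Tuple[float, Dict[str, List[str]]]:
    """Sum the weights of all lists that carry ip; also return which lists hit and why."""
    weights = weights or LIST_WEIGHTS
    total, hits = 0.0, {}
    for zone, weight in weights.items():
        codes = listing_codes(ip, zone, resolve)
        if codes:
            hits[zone] = [ZEN_CODES.get(c, c) if zone == "zen.spamhaus.org" else c for c in codes]
            total += weight
    return total, hits


def verdict(ip: str, resolve: Resolver, threshold: float = REJECT_THRESHOLD) -> str:
    """'reject' above the threshold, 'flag' (score it, log it) on any lower hit, else 'accept'."""
    total, hits = score(ip, resolve)
    if total >= threshold:
        return "reject"
    return "flag" if hits else "accept"


def system_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


# Constructed zone data for the offline demo (TEST-NET addresses, no real listings).
FAKE_ZONE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "10.2.0.192.ix.dnsbl.manitu.net": ["127.0.0.2"],
    "20.2.0.192.ips.backscatterer.org": ["127.0.0.2"],
    "40.2.0.192.zen.spamhaus.org": ["127.255.255.254"],   # error code, not a listing
}


def fake_resolver(name: str) -> List[str]:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror("NXDOMAIN " + name)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, verdict(client, fake_resolver), score(client, fake_resolver)[1])
```

Swap fake_resolver for system_resolver to query the real zones; keep the threshold above the weight of any single list if you want "scoring, not blocking" to hold.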

Any suggestion/comment is highly appreciated.





postfix / (mass) remove mails from queue

Post by: tom on January 18th, 2008 | File Under Mailserver, Memento

A little hack to remove all mails for a specific recipient from the Postfix mail queue:


# drop mailq's header line, treat each blank-line separated queue entry as one
# awk record and print its first field (the queue ID) when the entry ends with
# the recipient, strip the '*' (active) / '!' (hold) flag, feed postsuper:
mailq | tail -n +2 | awk 'BEGIN { RS = "" } \
/ user@example\.tld$/ { print $1 } \
' | tr -d '*!' | postsuper -d -





xt:Commerce & suPHP

Post by: tom on April 2nd, 2007 | File Under Distributions, Mailserver, Security

After installing suPHP a few days ago, I ran into the first problem with an xt:Commerce installation. This is what happened on a SuSE 10.0 system:

When trying to access the pages, they stayed blank and there were some weird errors in the Apache log file:
[Mon Apr 02 16:44:48 2007] [error] [client x.x.x.x] PHP Fatal error: %v%v() [<a href='function.require'>function.require</a>]: Failed opening required ‘DIR_WS_INCLUDESfilenames.php’ (include_path=’/usr/share/php5′) in /path/to/user/html/includes/application_top.php on line 57

The reason was found quite quickly: the include path only contained the default path and no longer included the web root :(

Solution: change the config in /etc/php5/cli/php.ini.
From:
include_path = "/usr/share/php5"
To:
include_path = ".:/usr/share/php5"

. = the script's own directory (the web root); this is also part of PHP's default include_path, so the change only restores the stock behaviour
: = separator before the next path





Installation of suPHP using Apache2 & PHP5

Post by: tom on March 31st, 2007 | File Under Distributions, Mailserver, Security

suPHP is a nice tool for executing PHP scripts with the permissions of their owners. It's comparable to suexec (which does the same for CGI scripts). When using it, you no longer need safe_mode etc.

Tested on: SuSE 10.0, openSuSE 10.1
Prerequisites: php5-fastcgi, autoconf, gcc

In openSuSE 10.1, I had to symlink some header files:
ln -s /usr/include/apr-1/* /usr/include/apache2

configure in openSuSE 10.1:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \
--with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \
--with-min-gid=30 --with-apache-user=wwwrun \
--with-apr=/usr/bin/apr-1-config --with-setid-mode=owner \
--prefix=/usr --sysconfdir=/etc


configure in SuSE 10.0:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \
--with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \
--with-min-gid=30 --with-apache-user=wwwrun \
--with-apr=/usr/bin/apr-config --with-setid-mode=owner \
--prefix=/usr --sysconfdir=/etc


After that, the usual way:
make; make install

Check your configuration in /etc/suphp.conf. For me, it looks something like this (note that check_vhost_docroot=false switches off the check that a script lies below the vhost's DOCUMENT_ROOT, so leave it on unless a symlinked docroot forces you to turn it off; errors_to_browser=false keeps error details out of the HTTP response):
[global]
logfile=/var/log/apache2/suphp.log
loglevel=info
webserver_user=wwwrun
docroot=/srv/www/htdocs
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=false
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0022
min_uid=30
min_gid=30
;
[handlers]
;Handler for php-scripts
x-httpd-php=php:/srv/www/cgi-bin/php5
;Handler for CGI-scripts
x-suphp-cgi=execute:!self


Add the suPHP module to your Apache config (/etc/sysconfig/apache2):
APACHE_MODULES="access .... php5 suphp"

Create a new file to tell Apache to use suPHP (engine off disables mod_php for the directory, so PHP only runs through suPHP):
/etc/apache2/httpd.conf.local
<Directory "/srv/www/htdocs">
php_admin_value engine off
suPHP_Engine on
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
</Directory>


Include that file in your Apache configuration (/etc/sysconfig/apache2):
APACHE_CONF_INCLUDE_FILES="httpd.conf.local"

After restarting Apache, it should be done ;)
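As an added example (mine, not part of this post or of suPHP itself), here is a Python model of the checks behind the suphp.conf options shown above: min_uid/min_gid, the four allow_*_writeable flags, check_vhost_docroot, and suPHP's requirement that script and directory have the same owner (that last check is my recollection of suPHP's behaviour; treat it as an assumption). It builds a throw-away directory tree with one clean script, one world-writable script, and a symlink pointing outside the docroot, so it runs offline; all paths and file names are constructed.

```python
"""Model of suPHP's pre-execution checks, driven by the suphp.conf options.

Added example, not suPHP's code. Simplification: one docroot instead of the
per-vhost DOCUMENT_ROOT; the same-owner check for script and directory is an
assumption about suPHP's behaviour.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


class SuphpPolicy:
    def __init__(self, docroot: str, min_uid: int = 30, min_gid: int = 30,
                 allow_file_group_writeable: bool = False,
                 allow_file_others_writeable: bool = False,
                 allow_directory_group_writeable: bool = False,
                 allow_directory_others_writeable: bool = False,
                 check_vhost_docroot: bool = True) -> None:
        self.docroot = os.path.realpath(docroot)
        self.min_uid, self.min_gid = min_uid, min_gid
        self.file_grp, self.file_oth = allow_file_group_writeable, allow_file_others_writeable
        self.dir_grp, self.dir_oth = allow_directory_group_writeable, allow_directory_others_writeable
        self.check_docroot = check_vhost_docroot

    def check(self, script: str) -> List[str]:
        """Return the reasons suPHP would refuse the script; an empty list means it runs."""
        problems: List[str] = []
        real = os.path.realpath(script)           # symlinks are followed, so judge the target
        try:
            st = os.stat(real)
            dst = os.stat(os.path.dirname(real))
        except FileNotFoundError:
            return ["script or its directory does not exist"]
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        if self.check_docroot and os.path.commonpath([self.docroot, real]) != self.docroot:
            problems.append("resolves outside docroot: " + real)
        if st.st_uid < self.min_uid:                # never run as root/system accounts
            problems.append(f"uid {st.st_uid} below min_uid {self.min_uid}")
        if st.st_gid < self.min_gid:
            problems.append(f"gid {st.st_gid} below min_gid {self.min_gid}")
        if st.st_uid != dst.st_uid:                 # assumed suPHP rule, see lead-in
            problems.append("directory owner differs from script owner")
        if st.st_mode & stat.S_IWGRP and not self.file_grp:
            problems.append("script is group-writable")
        if st.st_mode & stat.S_IWOTH and not self.file_oth:
            problems.append("script is world-writable")
        if dst.st_mode & stat.S_IWGRP and not self.dir_grp:
            problems.append("directory is group-writable")
        if dst.st_mode & stat.S_IWOTH and not self.dir_oth:
            problems.append("directory is world-writable")
        return problems


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree in a temp dir, run the checks, clean up."""
    base = Path(tempfile.mkdtemp(prefix="suphp-demo-"))
    try:
        docroot, outside = base / "htdocs", base / "outside"
        (docroot / "shop").mkdir(parents=True)
        outside.mkdir()
        good = docroot / "index.php"
        good.write_text("<?php echo 'ok';\n")
        good.chmod(0o644)
        docroot.chmod(0o755)
        sloppy = docroot / "shop" / "admin.php"     # 0666 file in a 0777 directory
        sloppy.write_text("<?php\n")
        sloppy.chmod(0o666)
        (docroot / "shop").chmod(0o777)
        evil = outside / "evil.php"                 # fine permissions, wrong location
        evil.write_text("<?php\n")
        evil.chmod(0o644)
        outside.chmod(0o755)
        link = docroot / "link.php"
        link.symlink_to(evil)
        me = os.getuid()
        policy = SuphpPolicy(str(docroot), min_uid=0, min_gid=0)
        strict = SuphpPolicy(str(docroot), min_uid=me + 1, min_gid=0)
        return {
            "good": policy.check(str(good)),
            "sloppy": policy.check(str(sloppy)),
            "symlink_out": policy.check(str(link)),
            "low_uid": strict.check(str(good)),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "ok")
```

The symlink case is exactly what check_vhost_docroot=false gives up: with the check off, a user-owned script anywhere on the filesystem becomes executable through a link in the web root.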





exim / implementing greylisting without db

Post by: tom on March 28th, 2007 | File Under Distributions, Mailserver, Security

I had greylisting running for a while with a little Perl script that only worked with IP addresses. As spam keeps growing and growing, I wanted to use the whole triplet (IP/sender/recipient) for the filter.

As I did not want to use a database backend, the decision led to greylistd, an easily configurable daemon. I needed packages for (open)SuSE, which can be found in openSuSE's software repository.

After installing it and checking the basics in /etc/greylistd/config, you have to add a little code to the ACLs in exim.conf. Note the last argument of readsocket, {false}: that is what the condition evaluates to if greylistd is not running or does not answer within 5s, so in that case mail is accepted without greylisting (fail open) rather than deferred; watch your logs for that. E.g.:

defer message = greylisted $sender_host_address. please try again later
condition = ${readsocket{/var/run/greylistd/socket}\
{--grey $sender_host_address $sender_address $local_part@$domain} {5s}{}{false}}


That was all I had to do to get it working. It's advisable to exempt hosts that are known to have problems with greylisting from the check. For that, extend your ACL (the leading empty item in the hosts list matches local, non-SMTP submissions, and the two ${if exists ...} expansions only add the whitelist files that actually exist):

defer message = greylisted $sender_host_address. please try again later
!hosts = : ${if exists {/etc/greylistd/whitelist-hosts}\
{/etc/greylistd/whitelist-hosts}{}} : \
${if exists {/var/lib/greylistd/whitelist-hosts}\
{/var/lib/greylistd/whitelist-hosts}{}}
condition = ${readsocket{/var/run/greylistd/socket}\
{--grey $sender_host_address $sender_address $local_part@$domain} {5s}{}{false}}
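What the daemon behind that socket has to keep track of, as an added example (mine, not greylistd's code): a triplet store with the three timing rules every greylister needs, a minimum delay before a retry counts, a window after which a pending triplet is forgotten, and a lifetime for triplets that passed, plus a host whitelist like the one in the second ACL. The handle() method accepts a request shaped like the --grey line above and answers "true" (defer) or "false" (accept) so that an exim condition could consume it; that reply format is an assumption, not greylistd's real protocol. The clock is injectable so the timing can be exercised without waiting; the addresses in the demo are constructed.

```python
"""Triplet greylisting (client IP, envelope sender, recipient) in memory.

Added example, not greylistd's implementation. Timings are the usual defaults
(5 min minimum retry, 24 h retry window, 35 days for known triplets).
"""
import time
from typing import Callable, Dict, Iterable, Tuple

Triplet = Tuple[str, str, str]


class Greylist:
    def __init__(self, retry_min: int = 300, retry_max: int = 24 * 3600,
                 known_ttl: int = 35 * 24 * 3600, whitelist: Iterable[str] = (),
                 clock: Callable[[], float] = time.time) -> None:
        self.retry_min, self.retry_max, self.known_ttl = retry_min, retry_max, known_ttl
        self.whitelist = set(whitelist)
        self.clock = clock
        self._pending: Dict[Triplet, float] = {}   # triplet -> first seen
        self._known: Dict[Triplet, float] = {}     # triplet -> last seen

    @staticmethod
    def key(ip: str, sender: str, rcpt: str) -> Triplet:
        # Addresses are compared case-insensitively; the null sender stays "".
        return (ip, sender.lower(), rcpt.lower())

    def check(self, ip: str, sender: str, rcpt: str) -> Tuple[str, str]:
        """Return ('accept'|'defer', reason) and update the store."""
        now = self.clock()
        if ip in self.whitelist:
            return "accept", "whitelisted host"
        k = self.key(ip, sender, rcpt)
        last = self._known.get(k)
        if last is not None:
            if now - last <= self.known_ttl:
                self._known[k] = now                # keep a live triplet alive
                return "accept", "known triplet"
            del self._known[k]                      # unused for too long: start over
        first = self._pending.get(k)
        if first is None:
            self._pending[k] = now
            return "defer", "new triplet"
        age = now - first
        if age < self.retry_min:                    # spam cannons retry at once
            return "defer", f"retried after {age:.0f}s, minimum is {self.retry_min}s"
        if age > self.retry_max:                    # a real MTA would have retried by now
            self._pending[k] = now
            return "defer", "retry window expired, treated as new"
        del self._pending[k]
        self._known[k] = now
        return "accept", f"retried after {age:.0f}s"

    def handle(self, line: str) -> str:
        """Request '--grey <ip> <sender> <rcpt>'; answer 'true' = greylist (defer).

        Assumed reply format, not greylistd's. A null sender (bounce) leaves the
        sender field empty, so a three-token request is read as sender "".
        """
        parts = line.split()
        if len(parts) == 3:
            parts.insert(2, "")
        if len(parts) != 4 or parts[0] != "--grey":
            return "error"
        verdict, _ = self.check(parts[1], parts[2], parts[3])
        return "true" if verdict == "defer" else "false"

    def expire(self) -> int:
        """Drop stale entries; returns how many were removed."""
        now = self.clock()
        stale_pending = [k for k, t in self._pending.items() if now - t > self.retry_max]
        stale_known = [k for k, t in self._known.items() if now - t > self.known_ttl]
        for k in stale_pending:
            del self._pending[k]
        for k in stale_known:
            del self._known[k]
        return len(stale_pending) + len(stale_known)


if __name__ == "__main__":
    g = Greylist(whitelist={"192.0.2.99"})
    print(g.handle("--grey 192.0.2.1 alice@example.org me@example.tld"))   # true: first contact
    print(g.handle("--grey 192.0.2.99 alice@example.org me@example.tld"))  # false: whitelisted
```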


Many thanks for the documentation by Arne Schirmacher and Ben Charlton.





exim / remove (all) frozen messages from queue

Post by: tom on March 22nd, 2007 | File Under Mailserver, Memento

Just a quick & dirty hack to delete frozen messages for a single recipient or a few recipients...

#!/bin/bash
#
# what are we searching for?
# (part of the email address)
SEARCH="anyrecipient.tld"
#
# exim binary
EXIM=$(which exim)
#
# mailq (= exim -bp) prints one header line per message, frozen ones marked
# "*** frozen ***", followed by one indented line per recipient. grep -B1
# pulls the line before each matching recipient line, so a message is only
# found when the matching recipient is the first one listed; grep frozen
# keeps only the frozen headers; cut takes the message ID, which starts at
# column 11 in the usual "age size id" layout (fragile if those columns
# get wider). Execute (frozen messages only):
$EXIM -Mrm $(mailq | grep -B1 "$SEARCH" | grep frozen | cut -c 11-27)


Thanks to Mark: this can be done a lot more easily if you want to kill all frozen messages:

exiqgrep -z -i | xargs exim -Mrm

If you want to do this only for some domains/e-mail addresses, use the first example.
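Both queue hacks on this page, the Postfix one above (mailq | awk | postsuper -d -) and the exim one here, pick queue IDs out of the listing by text position: the awk pattern only matches when the address is the last recipient line of an entry, and cut -c 11-27 breaks as soon as the age or size column is wider than usual. As an added example (mine, not the post's), here are the same two selections in Python, parsing the entries instead: every recipient line is matched on its own, Postfix's parenthesised deferral reasons are skipped even though they may quote an address, exim's already-delivered recipients (prefixed D) are ignored, and the IDs come back ready for postsuper -d - or exim -Mrm. The two sample listings are constructed, not real queues.

```python
"""Select queue IDs from `mailq` output for Postfix and for exim.

Added example, not part of the original posts. The sample listings below are
constructed to resemble `postqueue -p` and `exim -bp` output.
"""
import re
from typing import List

# exim -bp header line: "<age> <size> <message-id> <sender> [*** frozen ***]"
EXIM_HEADER = re.compile(
    r"^\s*(?P<age>\S+)\s+(?P<size>\S+)\s+"
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\s+"
    r"<(?P<sender>[^>]*)>(?P<rest>.*)$"
)


def _entries(listing: str) -> List[List[str]]:
    """Split a listing into blank-line separated entries, each a list of lines."""
    blocks = re.split(r"\n\s*\n", listing.strip("\n"))
    return [b.splitlines() for b in blocks if b.strip()]


def postfix_queue_ids(mailq_output: str, recipient: str) -> List[str]:
    """Queue IDs whose recipient list contains exactly `recipient` (case-insensitive)."""
    lines = mailq_output.splitlines()
    if lines and lines[0].startswith("-Queue ID-"):
        lines = lines[1:]                           # the `tail -n +2` step
    wanted = recipient.lower()
    ids: List[str] = []
    for entry in _entries("\n".join(lines)):
        head = entry[0]
        if head.startswith("--"):                   # "-- N Kbytes in M Requests."
            continue
        qid = head.split()[0].rstrip("*!")          # '*' active, '!' on hold (the tr -d step)
        if not qid.isalnum():
            continue
        rcpts = [ln.strip().lower() for ln in entry[1:]
                 if "@" in ln and not ln.lstrip().startswith("(")]  # skip "(reason ...)" lines
        if wanted in rcpts:
            ids.append(qid)
    return ids


def exim_message_ids(bp_output: str, recipient_part: str, frozen_only: bool = True) -> List[str]:
    """Message IDs with an undelivered recipient containing `recipient_part`."""
    part = recipient_part.lower()
    ids: List[str] = []
    for entry in _entries(bp_output):
        m = EXIM_HEADER.match(entry[0])
        if not m:
            continue
        if frozen_only and "*** frozen ***" not in m.group("rest"):
            continue
        pending = []
        for ln in entry[1:]:
            addr = ln.strip()
            if not addr or addr.startswith("D "):   # 'D' marks an already delivered recipient
                continue
            pending.append(addr.lower())
        if any(part in addr for addr in pending):
            ids.append(m.group("id"))
    return ids


# Constructed sample listings.
POSTFIX_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A01234AB*    2345 Tue Jan 15 10:02:11  sender@example.org
                                         user@example.tld

5C1B0ABCDE1!    1987 Tue Jan 15 09:58:40  news@example.org
(host mx.example.tld[192.0.2.5] said: 450 <user@example.tld>: try again later)
                                         other@example.net
                                         user@example.tld

7D0C0FEDCB2      512 Tue Jan 15 09:40:02  alice@example.org
                                         notuser@example.tld

-- 5 Kbytes in 3 Requests.
"""

EXIM_BP = """\
25m  1.2K 1KgM2a-0003Vz-Ab <spammer@example.org> *** frozen ***
          bounce@anyrecipient.tld

 3h   12K 1KgLz0-0001Xx-Qw <> *** frozen ***
        D delivered@other.tld
          postmaster@anyrecipient.tld

12m  4.5K 1KgM5t-0004Aa-Cd <alice@example.org>
          bob@anyrecipient.tld

101d  4.5K 1KgM9z-0009Zz-Ef <old@example.org> *** frozen ***
          ops@elsewhere.tld
"""

if __name__ == "__main__":
    print("postsuper -d - <<<", " ".join(postfix_queue_ids(POSTFIX_MAILQ, "user@example.tld")))
    print("exim -Mrm", " ".join(exim_message_ids(EXIM_BP, "anyrecipient.tld")))
```

The fourth exim entry shows the column problem: its age field is one character wider, so the ID no longer starts at column 11 and cut -c 11-27 would return a truncated ID, while the regex still finds it.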





PAM-Authentication & MySQL (v5) / b1gMail

Post by: tom on March 15th, 2007 | File Under Mailserver, Security

Environment:

  • SuSE Linux 10.1
    • pam-0.99.3.0-29.3, pam-modules-10.1-7
    • postfix-2.2.9-10
    • mysql-5.0.18-20.8, mysql-client-5.0.18-16

I was trying to implement SASL authentication via PAM (using a MySQL backend) in a Postfix installation.
Output from the mail log:

postfix/smtpd: warning: SASL authentication failure: Password verification failed
postfix/smtpd: warning: [x.x.x.x]: SASL PLAIN authentication failed


Checking the syslog:

saslauthd: pam_b1gmail: cannot connect to mysql database
(Access denied for user 'xx'@'localhost' (using password: YES))
saslauthd: DEBUG: auth_pam: pam_authenticate failed: Permission denied
saslauthd: do_auth : auth failure: [user=xx] [service=smtp]
[realm=domain.tld] [mech=pam] [reason=PAM auth error]


Reason:
The PAM module connects with MySQL's pre-4.1 authentication method, which only works against the old 16-character password hash.

Solution:
Set the MySQL password for that account with OLD_PASSWORD():

SET PASSWORD FOR 'user'@'localhost' = OLD_PASSWORD('password');

Caveat: the old hash is unsalted and far weaker than the 4.1 format, so give this account only the grants the PAM module needs and treat the setting as a stopgap until the module is updated.
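To see what OLD_PASSWORD() actually stores and why it is the weaker option, here is an added example (mine, not from the post or from b1gMail): both MySQL hash formats in pure Python, a detector for which format a mysql.user row holds, and a verifier. The old algorithm is a port of libmysql's hash_password(); it skips spaces and tabs in the password and yields 2 x 31 bits of unsalted output. The 4.1 format is '*' followed by the uppercase hex of SHA1(SHA1(password)). The 32-bit masking in the port is an assumption that reproduces the C original's truncation. The test vectors are the empty password (which follows from the algorithm's constants) and the widely published hash of 'password'.

```python
"""MySQL password hash formats: pre-4.1 (OLD_PASSWORD) and 4.1+ (PASSWORD).

Added example, not part of the original post. Port of libmysql's
hash_password(); the 32-bit masks stand in for the C integer truncation.
"""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
MASK31 = 0x7FFFFFFF
HEX = set("0123456789abcdefABCDEF")


def mysql_old_password(password: str) -> str:
    """Pre-4.1 hash: 16 hex chars, no salt, whitespace in the password ignored."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("utf-8"):
        if ch in (0x20, 0x09):                      # spaces and tabs are skipped
            continue
        nr ^= ((((nr & 63) + add) * ch) + (nr << 8)) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += ch
    return "%08x%08x" % (nr & MASK31, nr2 & MASK31)


def mysql41_password(password: str) -> str:
    """4.1+ hash: '*' + uppercase hex of SHA1(SHA1(password)), 41 chars, still unsalted."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hash_kind(stored: str) -> str:
    """Tell the two formats apart, e.g. for a row from mysql.user."""
    if len(stored) == 41 and stored[0] == "*" and all(c in HEX for c in stored[1:]):
        return "mysql41"
    if len(stored) == 16 and all(c in HEX for c in stored):
        return "pre41"
    return "unknown"


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against either stored format (constant-time compare)."""
    kind = hash_kind(stored)
    if kind == "mysql41":
        return hmac.compare_digest(stored.upper(), mysql41_password(candidate))
    if kind == "pre41":
        return hmac.compare_digest(stored.lower(), mysql_old_password(candidate))
    return False


if __name__ == "__main__":
    for pw in ("", "password", "pass word"):
        print(repr(pw), mysql_old_password(pw), mysql41_password(pw))
```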





Pimp my spamassassin / FuzzyOCR

Post by: tom on February 26th, 2007 | File Under Mailserver, Security

Today I’ve implemented a new tool in our anti-spam system:
FuzzyOCR (Dec 13, 2007: URL contains ads only now)

It's an OCR tool used as a plugin for SpamAssassin.
OCR means "optical character recognition" and describes recognizing characters and words in images. It's quite useful for catching so-called "image spam", which carries harmless-looking text while the real message is hidden in images (inline GIFs, etc.).

The results are quite good and I’m confident : )

In addition to the packages described on the FuzzyOCR homepage, you'll need another piece of software (at least with openSuSE 10.0): giflib-progs-4.1.3-7.i586.rpm





exim / filtering spam

Post by: tom on February 1st, 2007 | File Under Mailserver, Security

A graph showing how many UCE mails are filtered per week.
This is a statistic from one of my company's mail servers.
Of about 3000 mails per hour, more than 90% of all traffic is spam, UCE or virus-infected mail!

(Graph: weekly mail statistic)

Explanation:
wrong-syntax: wrong SMTP syntax, i.e. somebody tried to fake a mail program
too-many-conn.: somebody tried to send mass mail
faked-sender: tried to spoof the sender
virus: recognized virus (not blocked by other filters)
spam: recognized spam (not blocked by other filters)
known-dialup: known dial-up network; normally no mail comes from here
dynamic ip: dial-up network, or someone forgot to set a proper reverse DNS entry
no-reverse-dns: still allowed, but reverse DNS should be set
greylisted: mail is temporarily rejected the first time; after that it should be OK
zen.spamhaus.org: the most reliable DNS blacklist
clean mail: passed through and should be OK





Pimp my exim / DynaStop

Post by: tom on December 17th, 2006 | File Under Mailserver, Security

I found a (new) piece of software that finally helps to ban the spam that is not blocked by the various DNS blacklists, greylisting, etc.

Have a look at:
http://tanaya.net/DynaStop/
and the forum:
http://www.exim-users.org/forums/forumdisplay.php?f=36

2007/05/08: Update of my personal DynaStop Whitelist

Here you'll find a great piece of software that filters incoming mail on the basis of whether a dynamic IP address is used. This reduces system load and the resources spent on processing unwanted mail, because legitimate mail from nearly all ISPs is sent from a proper mail exchange server (i.e. one with a proper DNS name). Over 350 million IP addresses were used in testing DynaStop for integrity and stability in identifying dynamic addresses, and false positives were cross-checked.

Although the software is still in beta, I use it in my company to kick out the rest of the unwanted connections that are not recognized by RBLs (e.g. zen.spamhaus.org) or that "survive" greylisting.

Result:

  • System load is massively reduced because there is less work for SpamAssassin and the antivirus software
  • Connections that come back multiple times and outwit greylisting are banned without scanning the message
  • Combined with a daily report of blocked networks (to control false positives) it's really a powerful piece of software
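DynaStop's own classifier is not shown on this page; what follows is an added example, written for this edit and not DynaStop's code, of the kind of PTR-name heuristic such a filter applies: octets of the connecting address embedded in the reverse name, a hex-encoded address, and typical pool keywords, combined into a score. The keyword list, the weights and the sample PTR names are assumptions or constructed. Two of the post's operational points are built in: a local whitelist (host, parent domain or IP) wins over every heuristic, and a missing PTR is reported but not classed as dynamic, matching the "no-reverse-dns: still allowed" policy in the statistics post above. Feed it the PTR you already have from the SMTP connection; it does no DNS itself.

```python
"""Heuristic dynamic-IP detection from a client's PTR name.

Added example, not DynaStop's algorithm. Keyword list, weights and samples
are assumptions; a whitelist hit always wins.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Words ISPs commonly put into PTR names of consumer address pools (assumed list).
DYNAMIC_WORDS = re.compile(
    r"(?<![a-z])(dsl|adsl|dyn|dynamic|dial|dialup|dip|pool|ppp|pppoe|cable|dhcp"
    r"|cust|customer|user|client)(?![a-z])",
    re.IGNORECASE,
)


def octets_in_name(ip: str, name: str) -> int:
    """Count the IP's octets that appear as separate tokens of the PTR name."""
    tokens = set(re.split(r"[.\-_]", name.lower()))
    return sum(1 for octet in ip.split(".") if octet in tokens)


def hex_ip_in_name(ip: str, name: str) -> bool:
    """Some ISPs encode the address as hex (192.0.2.78 -> c000024e)."""
    hexed = "".join("%02x" % int(o) for o in ip.split("."))
    return hexed in name.lower()


def in_whitelist(ip: str, host: Optional[str], whitelist: Iterable[str]) -> bool:
    """Entries may be an IP, an exact host name or a parent domain."""
    for entry in whitelist:
        entry = entry.lower().rstrip(".")
        if entry == ip:
            return True
        if host is not None and (host == entry or host.endswith("." + entry)):
            return True
    return False


def classify(ip: str, ptr: Optional[str], whitelist: Iterable[str] = ()) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is whitelisted, no-reverse-dns, dynamic-ip or static."""
    host = ptr.lower().rstrip(".") if ptr else None
    if in_whitelist(ip, host, whitelist):
        return "whitelisted", "listed in local whitelist"
    if host is None:
        return "no-reverse-dns", "no PTR record; allowed but should be scored"
    points, reasons = 0, []                      # type: int, List[str]
    n = octets_in_name(ip, host)
    if n >= 2:                                   # one shared token (e.g. mx2 and .2) proves nothing
        points += n - 1
        reasons.append(f"{n} octets of {ip} in name")
    if hex_ip_in_name(ip, host):
        points += 3
        reasons.append("hex-encoded address in name")
    m = DYNAMIC_WORDS.search(host)
    if m:                                        # a keyword alone is not enough: mail.cable-isp.tld
        points += 1
        reasons.append(f"keyword '{m.group(1)}'")
    if points >= 2:
        return "dynamic-ip", "; ".join(reasons)
    return "static", "; ".join(reasons) or "looks like a proper mail host"


# Constructed sample connections (TEST-NET addresses, invented PTR names).
SAMPLES = [
    ("192.0.2.77", "192-0-2-77.dyn.example-isp.net"),
    ("192.0.2.78", "pC000024E.dip.example-isp.net"),
    ("192.0.2.30", "host-192-0-2.example.net"),
    ("192.0.2.5", "mx1.example.org"),
    ("192.0.2.6", "cable-gw.example.net"),
    ("192.0.2.9", None),
]

if __name__ == "__main__":
    for ip, ptr in SAMPLES:
        print(ip, ptr, "->", classify(ip, ptr, whitelist={"mx1.example.org"}))
```

The daily report the post recommends is where the "static" and "dynamic-ip" reasons earn their keep: a legitimate sender that lands in dynamic-ip goes into the whitelist, and the reason string tells you which rule to tune.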
