Tag Archives: Spamassassin

CNN.com Daily Top 10 – Virus Alert!

Recently I wrote about the “UPS, FedEx, and US Customs Email Virus”; today I want to tell you about the CNN.com Daily Top 10 email going out. I’m seeing this from a lot of different sources and it is pretty heavy out in the wild. I’m sure you have probably already seen it somewhere. The interesting point of this one is that the virus payload is not in the email but behind the links in the email, which lets it bypass most virus scanners that only inspect attachments. It is NOT from user@cnn.com but from a randomly generated or infected user’s email address. The links in the email take you to sites, not cnn.com, that claim to show you a video but say you have the wrong Flash Player installed. Other points:

  • The URLs are not cnn.com
  • The writing is poor (even worse than mine)
  • It asks you to install “Flash Player 0”
  • The ActiveX installer does not look like a standard ActiveX installer
  • It is not digitally signed.
[Screenshot: CNN Daily Top 10 email]
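The indicators listed above can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it parses a message, compares the From: domain and every link target against the brand the mail claims to be from, and looks for the Flash Player lure. The sample message, its sender address and the link hosts are constructed for the example.

```python
# Added example (not code from the original post): checks a message for the
# indicators the post lists. Sample message, addresses and hosts are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CLAIMED_DOMAIN = "cnn.com"   # the brand the mail pretends to come from


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_org(host, domain):
    """True if host is domain or a subdomain of it (cnn.com.evil.example is not)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def body_text(msg):
    """First text part of the message, decoded."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            return part.get_payload(decode=True).decode(
                part.get_content_charset() or "ascii", "replace")
    return ""


def analyze(raw):
    """Return a list of indicator strings; an empty list means nothing was found."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    if not same_org(sender_domain, CLAIMED_DOMAIN):
        findings.append(f"From address {sender} is not at {CLAIMED_DOMAIN}")
    body = body_text(msg)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not same_org(host, CLAIMED_DOMAIN):
            findings.append(f"link {href} (shown as '{text}') leaves {CLAIMED_DOMAIN}")
    if re.search(r"flash\s*player", body, re.I):
        findings.append("body asks the reader to install a Flash Player")
    return findings


# Constructed sample in the style of the mail described in the post.
SAMPLE = """\
From: "CNN.com Daily Top 10" <jdoe1978@example.net>
To: victim@example.com
Subject: CNN.com Daily Top 10
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Top 10 videos of the day</p>
<a href="http://198.51.100.23/video.php?id=17">Watch video</a>
<a href="http://cnn.com.example.org/player">Install Flash Player 0 to view</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Note the `same_org` check: a host like cnn.com.example.org starts with the brand name but is not under cnn.com, which is exactly the trick these mails rely on.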

Whitelisting should be last resort!

I get tired of people trying to sell their spam filtering when all they do is turn up every filter so that all email is marked or quarantined as spam, and then they expect you to whitelist everything you want to get.

So what is whitelisting? It is a list of accepted items, in this case email addresses or domains. Whitelisted emails skip the filtering so that they are always delivered. If I wanted to make sure that any email from z3r010v3@gmail.com got delivered to me, I could whitelist that whole address, or I could whitelist @gmail.com and then anything from gmail.com would always get to me. This is not the way to do it; I believe whitelists should be a last resort.

With computers infected with viruses that let spammers send email from them, and with mail servers misconfigured as open relays, there is always a chance a domain you have whitelisted will spam you. To top it off, most whitelists match on the “From” address, which the sender controls and which is trivial to forge. I had a client, for example, who whitelisted *@*.gov so that all email from anything ending in .gov would get through. That is fine until someone at the client’s office complains that they are getting spam from not.a.real.host.gov. Then you have spammers that are smart enough to figure out what email address to use based on the company. For example, here in Alabama lawyers always want to whitelist alacourt.gov; it didn’t take spammers long to figure out they could spam any law office in Alabama just by using the alacourt domain for their sender address.

Everything said here about whitelisting also applies to blacklisting. I have had clients inadvertently blacklist everyone at aol.com or gmail.com.

If you do not trust your rules and filters, work at them more. Don’t just start whitelisting every Tom, Dick, and Harry.com.
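If you must whitelist, tie the exemption to something the spammer does not control. SpamAssassin’s whitelist_from matches the From: address alone; whitelist_from_rcvd additionally requires the reverse DNS of the relay that connected to your server to be in the expected domain. The following is an added example, not from the original post or from SpamAssassin’s code: it models both rules and runs them over two constructed messages, a genuine alacourt.gov notice and the forged one from the story above. Hostnames, addresses and the Received: header format are constructed for the example.

```python
# Added example, not from the original post or from SpamAssassin itself. It
# models the two whitelist semantics SpamAssassin offers: "whitelist_from"
# (matches the From: address alone) and "whitelist_from_rcvd" (From: address
# plus the reverse DNS of the relay that connected to our MX). Messages,
# hosts and addresses below are constructed.
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# Pattern for "from HELO (rdns [ip]) by ..." as our own MX writes it.
RCVD_RE = re.compile(r"from\s+\S+\s+\(([A-Za-z0-9.-]+)\s+\[", re.I)


def sender_address(msg):
    return parseaddr(msg.get("From", ""))[1].lower()


def connecting_relay(msg):
    """rDNS of the host that handed the mail to us, from the topmost Received:
    header. Only that header was written by our own server; anything below it
    is sender-supplied and must not be trusted for this check."""
    rcvd = msg.get_all("Received", [])
    m = RCVD_RE.search(rcvd[0]) if rcvd else None
    return m.group(1).lower() if m else ""


def whitelist_from(msg, patterns):
    """Weak: trusts the From: header, which the sender writes."""
    addr = sender_address(msg)
    return any(fnmatch.fnmatchcase(addr, p.lower()) for p in patterns)


def whitelist_from_rcvd(msg, rules):
    """Stronger: From: must match AND the connecting relay must resolve into
    the expected domain. rules = [(address_pattern, rdns_domain), ...]."""
    addr = sender_address(msg)
    relay = connecting_relay(msg)
    for pattern, rdns in rules:
        rdns = rdns.lower()
        if fnmatch.fnmatchcase(addr, pattern.lower()) and (
                relay == rdns or relay.endswith("." + rdns)):
            return True
    return False


# Constructed: a real notice, relayed by the court's own mail server.
GENUINE = message_from_string("""\
Received: from mail.alacourt.gov (mail.alacourt.gov [192.0.2.10]) by mx.example.com with ESMTP
From: clerk@alacourt.gov
To: lawyer@example.com
Subject: Hearing notice

Constructed sample of a genuine court notice.
""")

# Constructed: same sender domain, but sent from an infected home PC.
SPOOFED = message_from_string("""\
Received: from alacourt.gov (cpe-198-51-100-7.example.net [198.51.100.7]) by mx.example.com with ESMTP
From: notice@alacourt.gov
To: lawyer@example.com
Subject: Your case file

Constructed sample of a forged sender.
""")

RULES = [("*@alacourt.gov", "alacourt.gov")]

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, "whitelist_from:", whitelist_from(msg, ["*@*.gov"]),
              "whitelist_from_rcvd:", whitelist_from_rcvd(msg, RULES))
```

The equivalent real configuration line is whitelist_from_rcvd clerk@alacourt.gov alacourt.gov; SpamAssassin works out which Received: header to trust from your trusted_networks setting, so that must be correct for the rDNS check to mean anything.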


Stop the Backscatter, er Joe Jobs!

Vbounce is the weapon!

Whatever you are going to call it, as some call it backscatter and some call it Joe Jobs, it is annoying. People were complaining; it was a direct attack of this junk. No fear though, I have added to my Ninja weapons. This time, I have activated… vbounce. It was really that easy since it comes with SpamAssassin 3.2.x, and you are using that version, right? Well you should be.

Configure

/etc/mail/spamassassin/v320.pre

Change:

# VBounce – anti-bounce-message rules, see rules/20_vbounce.cf
#
#loadplugin Mail::SpamAssassin::Plugin::VBounce

to

# VBounce – anti-bounce-message rules, see rules/20_vbounce.cf
#
loadplugin Mail::SpamAssassin::Plugin::VBounce

Then, if you have not already, turn on the Shortcircuit plugin; see Justin Mason’s entry on the SpamAssassin Wiki.

Then in /etc/mail/spamassassin/local.cf add:

whitelist_bounce_relays myrelay.myhost.net
score BOUNCE_MESSAGE 5.0

Replace myrelay.myhost.net with every server that sends email on your behalf, using the hostname as it appears in the Received headers it writes; the plugin uses this list to recognize bounces for mail we really sent. You must set whitelist_bounce_relays or none of this will work correctly.

What it does

So now when backscatter comes in, we check whether the bounced message passed through one of our servers. If it did, it is a reply to mail we actually sent, so it is marked as a bounce and delivered. If it did not pass through one of our servers, it hits BOUNCE_MESSAGE and gets scored as spam. I have enabled this on all my servers and have not yet gotten another complaint. This is one of those tools I think is going to be very important.
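To make the decision above concrete, here is an added example, not code from the post or from the VBounce plugin, that reduces it to plain Python: recognize a bounce, collect every hostname in the Received: trail (including the returned original inside the multipart/report), and deliver only if one of our own relays appears there. The relay name is the one from the local.cf line above; the two bounce messages and all other hosts are constructed for the example.

```python
# Added example, not from the post or from SpamAssassin's VBounce plugin:
# the backscatter decision in plain Python. All messages and hostnames are
# constructed; BOUNCE_RELAYS holds the name used in the post's local.cf.
import re
from email import message_from_string

BOUNCE_RELAYS = {"myrelay.myhost.net"}   # our outbound relays (whitelist_bounce_relays)

BOUNCE_SUBJECT = re.compile(
    r"undeliver|returned mail|delivery (status|failure)|failure notice|mail delivery", re.I)
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.I)


def looks_like_bounce(msg):
    """Standard DSN (multipart/report) or the usual MAILER-DAEMON giveaways."""
    sender = msg.get("From", "").lower()
    report = msg.get_param("report-type", "", header="content-type")
    return (msg.get_content_type() == "multipart/report"
            and str(report).lower() == "delivery-status") \
        or "mailer-daemon" in sender or "postmaster@" in sender \
        or bool(BOUNCE_SUBJECT.search(msg.get("Subject", "")))


def relays_in_trail(msg):
    """Hostnames named in every Received: header, including those inside the
    returned original (message/rfc822), which is where our relay shows up."""
    hosts = set()
    for part in msg.walk():
        for received in part.get_all("Received", []):
            hosts.update(h.lower() for h in HOST_RE.findall(received))
    return hosts


def classify(msg):
    if not looks_like_bounce(msg):
        return "not-a-bounce"
    if relays_in_trail(msg) & BOUNCE_RELAYS:
        return "legitimate-bounce"   # we sent the original: deliver it
    return "backscatter"             # what SpamAssassin scores as BOUNCE_MESSAGE


def make_bounce(original_received):
    """Constructed DSN returning an original whose Received: header we choose."""
    return message_from_string(f"""\
Received: from mx.other.example (mx.other.example [203.0.113.5]) by mx.myhost.net with ESMTP
From: MAILER-DAEMON@mx.other.example
To: alice@myhost.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at mx.other.example. Delivery failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.other.example
Final-Recipient: rfc822; nobody@other.example
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

{original_received}
From: alice@myhost.net
To: nobody@other.example
Subject: hello

hi
--b1--
""")


# Original really left through our relay.
LEGIT_BOUNCE = make_bounce(
    "Received: from myrelay.myhost.net (myrelay.myhost.net [192.0.2.25]) by mx.other.example with ESMTP")
# Original was forged with alice's address from an infected home PC.
BACKSCATTER = make_bounce(
    "Received: from unknown (cpe-198-51-100-7.example.net [198.51.100.7]) by mx.other.example with ESMTP")
NOT_BOUNCE = message_from_string("From: bob@example.org\nSubject: lunch?\n\nhello\n")

if __name__ == "__main__":
    for name, m in (("legit", LEGIT_BOUNCE), ("joe job", BACKSCATTER), ("plain", NOT_BOUNCE)):
        print(name, "->", classify(m))
```

Two things carry over to the real plugin: the relay list must name exactly the hosts that appear in the Received: headers your outbound mail picks up, and a bounce that quotes only text/rfc822-headers or a plain-text copy of the original needs the same Received: search applied to that text.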


Systems Part 2

Last time we talked about the mail hub; this time I’m going to talk about our spam and virus pass-through server. This server also runs qmail but has no local mailboxes. With qmail we use smtproutes to deliver mail to clients that have their own mail server. This lets us be their front end to the internet and do the spam and virus scanning; it is like a gateway spam and virus filter, except on a larger scale. It also allows the clients with Exchange servers to take their server down while we hold their mail for a time.

Incoming email is handled by Magic Mail’s smtpd. With it we maintain a list of valid users and avoid accepting email for just any address. Once that check passes, the message is handed off to qmail-scanner-queue.pl, which runs ClamAV and SpamAssassin on it. We quarantine viruses and mark spam in the subject.

Why do we only mark spam? Because all email must be delivered. On the previous server we maintain the mailbox and can create a .Spam folder that is not downloaded via POP3; we can’t do that with this server. All our servers are designed to fail open, to always give the client their email. With clients like law firms, financial institutions, and engineers we do not want to stop any email from getting to them.

Some clients are just too big to do this, or they have special circumstances and need a whole server to themselves. I also have several of these, and in a later post I will go into detail on some of the custom setups.

I know you’re waiting on the configurations, and that is coming up. So hang in there.

Systems

At work I maintain, at the moment, 4 spam and virus scanning servers. They run both ClamAV and SpamAssassin. Starting with our mail hub, I’m going to do a couple of posts on what they do, what I use and why. If you have any questions feel free to email me or post a comment.

The first system is our mail hub; it runs qmail and hosts mail for clients that check their email via POP and/or IMAP. We use vpopmail on this system so that we can host many domains. We have a base install of Qmail-Rocks with some of our own changes. Currently the SMTP server is Magic Mail, but I’m wanting to switch over to John Simpson’s qmail combined patch set. It does everything that Magic Mail does but is still qmail-smtpd. I also like the SMTP AUTH parts of his patch. This system is a hoss and does a lot of work.

We do the scanning on this system at the very first part of the connection. Using valid-user checking in Magic Mail we are able to drop many of the dictionary-type attacks at the start. So what is a dictionary attack? It is when a spammer (known from here on as an idiot) tries to send email to a domain using random letters, numbers, and words from a dictionary as the local part, hoping some of them turn out to be real mailboxes. This can also be taken care of with John Simpson’s validrcptto patch.

Once we do this we scan using a custom mailfilter, if the user wants spam and virus checking, and not everyone does. Yeah, I know that is weird, but we have some travel agencies that sign up for every spam site on the internet. We link a copy of our custom mailfilter into the domain or home directory and use it to do the scanning. First, another custom script uses ClamAV to scan the message and, if it finds a virus, moves it to a virus quarantine. Then the message goes through SpamAssassin. We only mark the subject as spam and then deliver it either to the user’s inbox or to a .Spam folder.
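Both posts lean on the same first line of defense: knowing the valid recipients for every hosted domain so the SMTP server can refuse unknown addresses at RCPT TO time instead of accepting and bouncing them. The following is an added example, not code from the posts, from Magic Mail or from the validrcptto patch: a small model of that RCPT decision for a front end that hosts several domains, with a per-connection counter that cuts off a dictionary attack. The domains, user lists, reply texts, limit and the attack transcript are constructed for the example.

```python
# Added example, not from the posts, Magic Mail or qmail: the RCPT TO decision
# of a front-end SMTP server that knows the valid users of each hosted domain,
# plus a per-connection cutoff for dictionary attacks. Everything below
# (domains, users, limit, reply texts, transcript) is constructed.
VALID_USERS = {
    "example.com": {"alice", "bob", "sales"},          # mailboxes on the hub
    "client.example": {"postmaster", "jdoe"},          # client with its own server
}
RELAY_DOMAINS = set(VALID_USERS)   # we accept mail for these domains only
UNKNOWN_RCPT_LIMIT = 5             # close the session after this many bad RCPTs

REPLY_OK = "250 ok"
REPLY_NO_USER = "550 no such user"              # validrcptto-style reject
REPLY_NO_RELAY = "554 relay access denied"      # we are not an open relay
REPLY_TOO_MANY = "421 too many invalid recipients, closing connection"


class Session:
    """State for one inbound SMTP connection."""

    def __init__(self):
        self.unknown = 0
        self.accepted = []
        self.closed = False

    def rcpt(self, address):
        """Return the SMTP reply for one RCPT TO:<address>."""
        if self.closed:
            return REPLY_TOO_MANY
        local, _, domain = address.strip().lower().rpartition("@")
        if domain not in RELAY_DOMAINS:
            return REPLY_NO_RELAY
        if local not in VALID_USERS[domain]:
            self.unknown += 1
            if self.unknown >= UNKNOWN_RCPT_LIMIT:
                self.closed = True          # dictionary attack: stop here
                return REPLY_TOO_MANY
            return REPLY_NO_USER
        self.accepted.append(f"{local}@{domain}")
        return REPLY_OK


def run_transcript(rcpts):
    """Feed a list of RCPT addresses through one session; return the replies."""
    session = Session()
    return [session.rcpt(r) for r in rcpts]


# Constructed dictionary attack: guessed names first, a real user last.
ATTACK = ["aaron@example.com", "adam@example.com", "admin@example.com",
          "alan@example.com", "albert@example.com", "alice@example.com"]

if __name__ == "__main__":
    for addr, reply in zip(ATTACK, run_transcript(ATTACK)):
        print(f"RCPT TO:<{addr}> -> {reply}")
```

Rejecting at RCPT time is what keeps the hub out of the backscatter business described in the vbounce post: mail that is never accepted never has to be bounced.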

This server handles about 100,000 emails a day on a slow day. The sad part is that 90% of it is still spam or viruses.

Next time… settings.