Mailing List Archive: SpamAssassin: users

My Mad Plan's Achilles heel?

 

 



joea at j4computers

Mar 28, 2012, 2:55 PM

Post #1 of 8 (622 views)
My Mad Plan's Achilles heel?

Continuing my learning curve with spamassassin, I find a fly in the ointment.

Some SPAM continues to slip thru. I thought, oh well, I'll just block by IP.

Hmm, I use fetchmail to grab mail from various accounts. Soooo . . . the actual source or "IP of interest" will not be the connection IP.

So, best course? These emails all have the same format, but cover a range of subjects. I'd have thought that Bayes would have learned, by now, as I have submitted close to a dozen via spamassassin -r < text.file


michael.scheidell at secnap

Mar 28, 2012, 8:56 PM

Post #2 of 8 (603 views)
Re: My Mad Plan's Achilles heel?

On 3/28/12 5:55 PM, joea [at] j4computers wrote:
> Continuing my learning curve with spamassassin, I find a fly in the ointment.
>
> Some SPAM continues to slip thru. I thought, oh well, I'll just block by IP.
>
> Hmm, I use fetchmail to grab mail from various accounts.
Add the IP address (last Received) from each account to trusted_networks
in local.cf.


> Soooo . . . the actual source or "IP of interest" will not be the connection IP.
>
> So, best course? These emails all have the same format, but cover a range of subjects. I'd have thought that Bayes would have learned, by now, as I have submitted close to a dozen via spamassassin -r < text.file


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation



joea at j4computers

Mar 29, 2012, 3:55 AM

Post #3 of 8 (601 views)
Re: My Mad Plan's Achilles heel?

>> Hmm, I use fetchmail to grab mail from various accounts.
> add the ip address (last received) from each account to trusted_networks
> in local.cf.
>
>
>> Soooo . . . the actual source or "IP of interest" will not be the
> connection IP.
>

Thanks, but the "last received" will always be the same ones, as I fetch mail
from various accounts and "drop" them into the spamassassin box.

The IP of the actual source of the message is far down the list of IPs. To block by
IP, in this case, I would have to implement that at the ISP's server. I was dissatisfied
with their SPAM solutions so went with SA. The ISP continues to accept mail for my
accounts and I fetch them, and feed them to SA, then it gets delivered to my mail
system.


jhardin at impsec

Mar 29, 2012, 3:34 PM

Post #4 of 8 (602 views)
Re: My Mad Plan's Achilles heel?

On Thu, 29 Mar 2012, joea [at] j4computers wrote:

>>> Hmm, I use fetchmail to grab mail from various accounts.
>> add the ip address (last received) from each account to trusted_networks
>> in local.cf.
>>
>>> Soooo . . . the actual source or "IP of interest" will not be the
>> connection IP.
>
> Thanks, but the "last received" will always be the same ones, as I fetch mail
> from various accounts and "drop" them into the spamassassin box.
>
> The IP of the actual source of the message is far down the list of IPs. To block by
> IP, in this case, I would have to implement that at the ISP's server. I was dissatisfied
> with their SPAM solutions so went with SA. The ISP continues to accept mail for my
> accounts and I fetch them, and feed them to SA, then it gets delivered to my mail
> system.

If you trust those ISPs to not forge headers, then add them to the trusted
list too, and that will push the checking boundary back to where they
received the message from.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The ["assault weapons"] ban is the moral equivalent of banning red
cars because they look too fast. -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
3 days until April Fools' day


joea at j4computers

Mar 29, 2012, 4:17 PM

Post #5 of 8 (601 views)
Re: My Mad Plan's Achilles heel?

> If you trust those ISPs to not forge headers, then add them to the trusted
> list too, and that will push the checking boundary back to where they
> received the message from.

Truly? Very Interesting. And just as I was having so much "fun" coming up with custom rules.


joea at j4computers

Mar 29, 2012, 4:27 PM

Post #6 of 8 (604 views)
Re: My Mad Plan's Achilles heel?

>>> On 3/29/2012 at 7:17 PM, "joea [at] j4computers" <joea [at] j4computers> wrote:
>> If you trust those ISPs to not forge headers, then add them to the trusted
>> list too, and that will push the checking boundary back to where they
>> received the message from.
>
> Truly? Very Interesting. And just as I was having so much "fun" coming up
> with custom rules.

How far can this go?

The "last hop" is my own local network address, the box that fetches the mail and feeds it to
spamassassin. The "next to last" would be the "ISP" (misnomer, this is actually a mail host provider, not my
connectivity provider). The "third" down the line would be the "source" (the IP that sent it to my "mailbox"
that I fetch from).


jhardin at impsec

Mar 29, 2012, 4:46 PM

Post #7 of 8 (602 views)
Re: My Mad Plan's Achilles heel?

On Thu, 29 Mar 2012, joea [at] j4computers wrote:

>>>> On 3/29/2012 at 7:17 PM, "joea [at] j4computers" <joea [at] j4computers> wrote:
>>> If you trust those ISPs to not forge headers, then add them to the trusted
>>> list too, and that will push the checking boundary back to where they
>>> received the message from.
>>
>> Truly? Very Interesting. And just as I was having so much "fun" coming up
>> with custom rules.
>
> How far can this go?
>
> The "last hop" is my own local network address, the box that fetches the
> mail and feeds it to spamassassin. The "next to last" would be the
> "ISP" (misnomer, this is actually a mail host provider, not my
> connectivity provider). The "third" down the line would be the "source"
> (the IP that sent it to my "mailbox" that I fetch from).

You'd stop at the MSP as you want to check the IPs they are receiving mail
from, and you trust them to not forge headers on mail received on your
behalf.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XXXVII: There is no 'overkill.' There is only 'open fire' and
'time to reload.'
-----------------------------------------------------------------------
3 days until April Fools' day


me at junc

Mar 29, 2012, 10:56 PM

Post #8 of 8 (606 views)
Re: My Mad Plan's Achilles heel?

On 2012-03-30 01:17, joea [at] j4computers wrote:
>> If you trust those ISPs to not forge headers, then add them to the trusted
>> list too, and that will push the checking boundary back to where they
>> received the message from.
>
> Truly? Very Interesting. And just as I was having so much "fun"
> coming up with custom rules.

The same is true for forwarded SPF mails from static known IPs; those who
say forwarding breaks SPF just fail to add the forwarding-from IP into
trusted_networks.
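The trust-boundary walk that posts #4, #7 and #8 describe (add the mail host provider's IP to trusted_networks and SpamAssassin checks the hop before it, which is also why SPF survives a forward from a trusted IP), as an added example that is not code from this thread or from SpamAssassin itself; the Received lines, hostnames and addresses are constructed, and the header parser is a simplified stand-in for SpamAssassin's own.

```python
import ipaddress
import re

# Constructed Received headers, newest hop first, as SpamAssassin sees them once
# fetchmail has pulled the message from the mail host provider (MSP) and handed
# it to the local box. Hosts and addresses are made up (documentation ranges).
RECEIVED = [
    # hop 1: fetchmail on the local box collecting from the MSP's POP server
    "from pop.msp.example.net [203.0.113.10] by fetcher.example.lan with POP3 (fetchmail-6.3.21)",
    # hop 2: the MSP's internal relay from its MX to its POP store
    "from mx1.msp.example.net (mx1.msp.example.net [203.0.113.11]) by pop.msp.example.net with ESMTP",
    # hop 3: the actual source, the host that spoke SMTP to the MSP's MX
    "from unknown (HELO mail.example.org) ([198.51.100.7]) by mx1.msp.example.net with SMTP",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ip(received):
    """IP of the host that handed the message over in one Received header: the
    bracketed address in the 'from' part, which precedes ' by '. SpamAssassin's
    real parser handles far more header shapes than this simplified stand-in."""
    m = IP_RE.search(received.split(" by ", 1)[0])
    return ipaddress.ip_address(m.group(1)) if m else None

def last_external(received, trusted_networks):
    """Walk hops newest-first. Every hop whose sending IP lies in trusted_networks is
    trusted; the first that does not is the 'last external' relay whose IP feeds the
    DNSBL and SPF checks. Returns that IP as a string, or None if nothing is left."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hdr in received:
        ip = relay_ip(hdr)
        if ip is None:
            return None  # unparseable hop: stop rather than guess
        if not any(ip in n for n in nets):
            return str(ip)
    return None  # every hop trusted: there is no external relay to check

def local_cf_line(trusted_networks):
    """The local.cf directive that sets the trust boundary used above."""
    return "trusted_networks " + " ".join(trusted_networks)

if __name__ == "__main__":
    local_only = ["127.0.0.0/8", "192.168.1.0/24"]
    with_msp = local_only + ["203.0.113.0/24"]
    # local network only: the relay SA ends up checking is the MSP's own POP server
    print(local_cf_line(local_only), "->", last_external(RECEIVED, local_only))
    # MSP trusted not to forge headers: the boundary moves back to the real source
    print(local_cf_line(with_msp), "->", last_external(RECEIVED, with_msp))
```

If internal_networks is left unset it defaults to trusted_networks, so set it explicitly to the local box when the MSP should be trusted but not treated as one of your own MXes.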
