MailScanner Digest, Vol 129, Issue 7

Robert Dellschau robert at dellschau.de
Sat Sep 10 12:10:39 UTC 2016


Yes, this is a good idea - I'll give it a try ... I didn't think of postfix at all.
Kind regards,
Robert
From my mobile..

On 10 September 2016 14:00:01 CEST, mailscanner-request at lists.mailscanner.info wrote:
>Today's Topics:
>
>   1. Spoofing and SPF (Trond M. Markussen)
>   2. Get rid of stalkers (Fa. Dellschau Robert Dellschau)
>   3. Re: Get rid of stalkers (Jason Voorhees)
>   4. Re: Get rid of stalkers (Mark Sapiro)
>   5. Re: Get rid of stalkers (Mark Sapiro)
>   6. Re: Spoofing and SPF (Mark Sapiro)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Fri, 9 Sep 2016 14:15:09 +0200
>From: "Trond M. Markussen" <markussen at media24.no>
>To: <mailscanner at lists.mailscanner.info>
>Subject: Spoofing and SPF
>Message-ID: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi,
>
>We have set up rules where the combination of FROM_CUSTOMERDOMAIN
>(customerdomain.no) and SPF_FAIL (or softfail) gives a high score to
>filter out spoofed spam emails.
>
>However, some of these pass the SPF test for some reason. Any
>suggestions as to why and how to avoid these would be greatly
>appreciated..!
>
>Regards,
>
>Trond M. Markussen
>
>Return-Path: <?g>
>Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net [65.112.145.72])
>    by filtermx.media24.no (8.13.8/8.13.8) with ESMTP id u749VHwZ031985
>    for <bill at customerdomain.no>; Thu, 4 Aug 2016 11:31:18 +0200
>X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=185.27.134.51;
>Date: Thu, 4 Aug 2016 05:31:39 -0400
>Return-Path: bob at customerdomain.no
>To: bill@ customerdomain.no
>From: "Bob Client," <bob at customerdomain.no>
>Reply-To: Bob Client <chair at owaprasident.ml>
>Subject: =?iso-8859-1?Q?bankoverf=F8ring?=
>Message-ID: <c6dc9823992875aab8fda889a52c7c12 at cosiendocosiendo.byethost9.com>
>X-Priority: 3
>X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
>MIME-Version: 1.0
>Content-Transfer-Encoding: 8bit
>Content-Type: text/plain; charset="iso-8859-1"
>X-Authenticated-User: abbuncome at vipowernet.net
>
>From: srs0+950v+7+customerdomain.no=bob at vipowernet.net
>To: bill at customerdomain.no
>Subject: bankoverføring
>Size: 1.2Kb
>
>Score   Matching Rule        Description
>cached not
>score=1.754
>6 required
> 0.50   BOTNET_SERVERWORDS   Hostname contains server-like substrings
>-0.01   BOTNET_SOHO          Relay might be a SOHO mail server
> 0.01   FROM_CUSTOMERDOMAIN
> 1.50   LOTS_OF_MONEY
>-1.25   RP_MATCHES_RCVD
>-0.00   SPF_PASS             SPF: sender matches SPF record
> 1.00   XM_PHPMAILER_FORGED
>
>
>
>------------------------------
>
>Message: 2
>Date: Fri, 9 Sep 2016 14:32:38 +0200
>From: "Fa. Dellschau Robert Dellschau" <robert at dellschau.de>
>To: mailscanner at lists.mailscanner.info
>Subject: Get rid of stalkers
>Message-ID: <81bc6abc-ad2b-58ec-ddc2-7812695f7852 at dellschau.de>
>Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>Hello @ list !
>I'm using mailscanner since .... 2003? 2005?
>
>But now there is a new "obstacle" I try to understand:
>I want to keep out emails from my stalking / hoovering ex-girlfriend.
>I tried to set her address to the blacklist .... and yes, they are marked
>as highscored spam and delivered to quarantine
>but .. I want them to be deleted at first sight, so that I'm not in the
>risk of reading them the first moment.
>otherwise .... if I would like to announce her misbehavior to court,
>I should have copies of all the rubbish she sent.
>
>My idea is to set in the "scan.mail.rules" file a line with
>from: her at badlullaby.com  archive delete    --> would that archive &
>delete all emails from her?
>
>any ideas ?
>
>Kind regards
>robert
>nearby cologne / germany.
>
>
>
>------------------------------
>
>Message: 3
>Date: Fri, 9 Sep 2016 11:19:22 -0500
>From: Jason Voorhees <jvoorhees1 at gmail.com>
>To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
>Subject: Re: Get rid of stalkers
>Message-ID:
>	<CABLXSUqWAHaYwVzR4gx52tM0xaiGXD7KN_m2NgCv5QbpLgkvhQ at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>You can do it at MTA level. If you're using postfix you could just do
>something like this:
>
>smtpd_recipient_restrictions =
>  check_sender_access hash:/etc/postfix/blacklist
>
>The contents of the /etc/postfix/blacklist file:
>
>her at badlullaby.com DISCARD
>
>You will only see a postfix log like this:
>
>Sep  9 11:10:49 mailserver postfix/smtpd[11981]: NOQUEUE: discard: RCPT from mail.badlullabies.com[69.69.69.69]: <mail.badlullabies.com[69.69.69.69]>: Client host triggers DISCARD action; from=<her at badlullaby.com> to=<someone at yourdomain.com> proto=ESMTP helo=<mail.badlullabies.com>
>
>Does that make sense for you?
>
>
>
>------------------------------
>
>Message: 4
>Date: Fri, 9 Sep 2016 09:37:07 -0700
>From: Mark Sapiro <mark at msapiro.net>
>To: mailscanner at lists.mailscanner.info
>Subject: Re: Get rid of stalkers
>Message-ID: <a2ad9291-7357-e843-6fb6-0499d7585000 at msapiro.net>
>Content-Type: text/plain; charset=windows-1252
>
>On 09/09/2016 09:19 AM, Jason Voorhees wrote:
>> You can do it at MTA level. If you're using postfix you could just do
>> something like this:
>> 
>> smtpd_recipient_restrictions =
>>   check_sender_access hash:/etc/postfix/blacklist
>> 
>> The contents of the /etc/postfix/blacklist file:
>> 
>> her at badlullaby.com DISCARD
>
>
>But he doesn't want to discard the mail. He wants to archive but not
>deliver it.
>
>-- 
>Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
>------------------------------
>
>Message: 5
>Date: Fri, 9 Sep 2016 10:11:18 -0700
>From: Mark Sapiro <mark at msapiro.net>
>To: mailscanner at lists.mailscanner.info
>Subject: Re: Get rid of stalkers
>Message-ID: <8251c2da-2681-3b56-0d1d-9e9680893f05 at msapiro.net>
>Content-Type: text/plain; charset=windows-1252
>
>On 09/09/2016 05:32 AM, Fa. Dellschau Robert Dellschau wrote:
>> 
>> My Idea is to set in the "scan.mail.rules" file a line with
>> from:  her at badlullaby.com  archive delete    --> would that archive &
>> delete all emails from her? 
>
>
>That won't work. Scan Messages doesn't accept 'actions'.
>
>There are multiple ways to do this, but I suggest making a SpamAssassin
>rule such as
>
>header   X_FROM_HER  From =~/her at badlullaby.com/i
>describe X_FROM_HER  Mail from her
>score    X_FROM_HER  1.0
>
>And then make a rule set for SpamAssassin Rule Actions containing
>
>X_FROM_HER=>store-/path/to/directory/,delete
>
>where /path/to/directory/ is an existing directory writable by
>MailScanner.
>
>-- 
>Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
>------------------------------
>
>Message: 6
>Date: Fri, 9 Sep 2016 12:35:04 -0700
>From: Mark Sapiro <mark at msapiro.net>
>To: mailscanner at lists.mailscanner.info
>Subject: Re: Spoofing and SPF
>Message-ID: <902117ab-d0b3-de2d-b7d8-ae7d320dae23 at msapiro.net>
>Content-Type: text/plain; charset=windows-1252
>
>On 09/09/2016 05:15 AM, Trond M. Markussen wrote:
>>  
>> 
>> We have set up rules where the combination of FROM_CUSTOMERDOMAIN
>> (customerdomain.no) and SPF_FAIL (or softfail) gives a high score to
>> filter out spoofed spam emails.
>
>
>How are you defining FROM_CUSTOMERDOMAIN? If you are basing it on the
>From: header, you won't necessarily detect an SPF failure on spoofed
>From: domains. SPF is based on the sending server (envelope from), not
>the From: domain.
>
>If you control outgoing mail from the domain, you could DKIM sign it and
>then base your test on a valid DKIM signature from the domain, but this
>depends on no mail passing through an email list or other process that
>will make a transformation that breaks the signature on its way from the
>originating server to you.
>
>In other words, you can do things such as are done in DMARC
><http://www.dmarc.org/> without necessarily publishing a DMARC policy,
>but see <https://wiki.list.org/DEV/DMARC> for some of the negatives of
>DMARC.
>
>-- 
>Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>San Francisco Bay Area, California    better use your sense - B. Dylan
>
>

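Added example, not part of any poster's message: Mark Sapiro's reply in the quoted digest points out that SPF is evaluated against the envelope sender, not the From: header, which is why the quoted sample scored SPF_PASS. The sketch below flags mail whose From: claims a protected domain while the SPF pass belongs to another domain; `classify`, `aligned`, `PROTECTED` and the de-obfuscated sample addresses are assumptions made for illustration, and the alignment test is a simplification of DMARC's organizational-domain comparison.

```python
"""Added example: flag mail whose From: header claims a protected domain
while the SPF result was earned by a different envelope-sender domain."""
from email import message_from_string
from email.utils import parseaddr

PROTECTED = {"customerdomain.no"}   # placeholder domain used in the thread


def domain_of(address):
    """Lower-cased domain part of an address or From: header value."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower().rstrip(".")


def aligned(header_domain, envelope_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    (Real DMARC compares organizational domains via the Public Suffix List.)"""
    if not header_domain or not envelope_domain:
        return False
    return (header_domain == envelope_domain
            or header_domain.endswith("." + envelope_domain)
            or envelope_domain.endswith("." + header_domain))


def classify(raw_message, envelope_from, spf_result, protected=PROTECTED):
    """Return 'not-protected', 'aligned-pass' or 'spoof-suspect'."""
    msg = message_from_string(raw_message)
    header_domain = domain_of(msg.get("From"))
    if header_domain not in protected:
        return "not-protected"
    if spf_result.lower() == "pass" and aligned(header_domain, domain_of(envelope_from)):
        return "aligned-pass"
    # SPF failed, or it passed for somebody else's domain.
    return "spoof-suspect"


# Constructed sample modelled on the headers quoted in the thread
# (addresses de-obfuscated; envelope sender as shown in the filter's view).
SAMPLE = (
    'From: "Bob Client," <bob@customerdomain.no>\n'
    "Reply-To: Bob Client <chair@owaprasident.ml>\n"
    "To: bill@customerdomain.no\n"
    "Subject: test\n\nbody\n"
)
SPOOFED_ENVELOPE = "srs0+950v+7+customerdomain.no=bob@vipowernet.net"

if __name__ == "__main__":
    print(classify(SAMPLE, SPOOFED_ENVELOPE, "pass"))
    print(classify(SAMPLE, "bob@customerdomain.no", "pass"))
```

In a real filter the envelope sender and SPF result come from the MTA or the scanner, not from the message body, since headers such as Return-Path can be supplied by the sender.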