has anybody tried p2pwl (shared auto-whitelists)?
2008-09-22 by Adam Katz
To milter-greylist admins: have you tried p2pwl? Is it useful?

To milter-greylist developers (manu): does this look worthwhile to implement? Given the "peer" option, this is already mostly written.
2008-09-22 by manu@netbsd.org
Adam Katz <yegsa-yahoo@...> wrote:

> To milter-greylist developers (manu): does this look worthwhile to
> implement? given the "peer" option, this is already mostly written.

What is it?

And by the way, I'm a bit tired of implementing stuff for which there is no feedback at all (DKIM, p0f)...

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2008-09-22 by Greg Troxel
2008-09-23 by Michael Mansour
Hi Emmanuel,

> Adam Katz <yegsa-yahoo@...> wrote:
>
> > To milter-greylist developers (manu): does this look worthwhile to
> > implement? given the "peer" option, this is already mostly written.
>
> What is it?
>
> And by the way, I'm a bit tired of implementing stuff for which
> there is no feedback at all (DKIM, p0f)...

I'm the DKIM culprit (requester) there so if I've annoyed you I do apologise. I was meaning to assist in testing the DKIM implementation you did but I have just not had the chance unfortunately.

When I did try on weekend, I couldn't really figure out how to compile the dkim library and when delving more into it my UPS at home went down so ended up hunting for new batteries, then my notebook doesn't boot into the OS any more (hardware fault) which I'm currently working out with HP (it's under warranty but still, takes time to go through their process). So I've had little opportunity to tackle these things.

The DKIM request was to tackle spam from yahoo.tld's, who use Sender ID.

However I would like to say thank you for milter-greylist, for your quick responses, support and for your implementations. milter-greylist and its "additional features" (SPF, rdnsbl, etc) have made such a difference to spam getting into the environment for me, it's now the most important spam fighting tool I have in my arsenal. Without it things would be terrible.

Thanks.

Michael.
2008-09-23 by manu@netbsd.org
Greg Troxel <gdt@...> wrote:

> Not quite true on p0f :-) Certainly you should only do what you want,
> but as a user I can say it takes a while for me to have a few hours that
> I feel I can enable something like that on my mail system. Currently
> I'm not enabling p0f, but I hope to have cycles to try again in the next
> few weeks.

I've been trying it a bit, but I'm still looking for the right usage for it.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2008-09-23 by manu@netbsd.org
Michael Mansour <mic@...> wrote:

> I'm the DKIM culprit (requester) there so if I've annoyed you I do apologise.

No problem, it's just a bit disappointing to work on it and have no idea if I can enable it for my own setup (in order to test that, one needs to send mail from a yahoo account, and I don't have one)

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2008-09-23 by Bill Levering
I have a yahoo account I'm about to part with. If you need some emails sent I can send them.

Bill (also known as yidbill@...)

On Sep 22, 2008, at 8:51 PM, manu@... wrote:

> Michael Mansour <mic@...> wrote:
>
>> I'm the DKIM culprit (requester) there so if I've annoyed you I do
>> apologise.
>
> No problem, it's just a bit disappointing to work on it and have no idea
> if I can enable it for my own setup (in order to test that, one needs to
> send mail from a yahoo account, and I don't have one)
>
> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
2008-09-23 by Christian PELISSIER
On Tue 23/09/2008 at 05:51, manu@... wrote:

> Michael Mansour <mic@...> wrote:
>
> > I'm the DKIM culprit (requester) there so if I've annoyed you I do
> > apologise.
>
> No problem, it's just a bit disappointing to work on it and have no idea
> if I can enable it for my own setup (in order to test that, one needs to
> send mail from a yahoo account, and I don't have one)

All gmail.com (google.com) messages (users and lists) are both signed with DKIM and Domainkey. Some others sign DKIM (some email marketing and newsletters for example). Yahoo signs Domainkey. So you just have to open a gmail account for testing ... or just wait for mail from gmail.com.

I do not use milter-greylist with DKIM verification still. With dkim-milter (another milter used to sign and/or verify DKIM and Domainkey) and for a week I have ~3000 messages DKIM signed (among ~40000 accepted and ~300000 rejected).

> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...

--
Christian Pélissier
Office National d'Études et de Recherches Aérospatiales
BP 72 92322 Chatillon
Tel: 33 1 46 73 44 19, Fax: 33 1 46 73 41 50
2008-09-23 by Brian W. Antoine
Christian PELISSIER wrote:

> On Tue 23/09/2008 at 05:51, manu@... wrote:
>> Michael Mansour <mic@...> wrote:
>>
>>> I'm the DKIM culprit (requester) there so if I've annoyed you I do
>>> apologise.
>>
>> No problem, it's just a bit disappointing to work on it and have no idea
>> if I can enable it for my own setup (in order to test that, one needs to
>> send mail from a yahoo account, and I don't have one)
>
> All gmail.com (google.com) messages (users and lists) are both signed
> with DKIM and Domainkey.
> Some others sign DKIM (some email marketing and newsletters for
> example). Yahoo signs Domainkey. So you just have to open a gmail
> account for testing ... or just wait for mail from gmail.com.

And the fact that gmail/yahoo signs their messages proves what?
2008-09-23 by Emmanuel Dreyfus
On Tue, Sep 23, 2008 at 12:22:48AM -0700, Brian W. Antoine wrote:

> And the fact that gmail/yahoo signs their messages proves what?

It proves that the spam you get is from Gmail farms, and therefore that it is pointless to greylist it.

--
Emmanuel Dreyfus
manu@...
2008-09-23 by Brian W. Antoine
Emmanuel Dreyfus wrote:

> On Tue, Sep 23, 2008 at 12:22:48AM -0700, Brian W. Antoine wrote:
>> And the fact that gmail/yahoo signs their messages proves what?
>
> It proves that the spam you get is from Gmail farms, and therefore that
> it is pointless to greylist it.

Exactly :)
2008-09-23 by Christian PELISSIER
On Tue 23/09/2008 at 09:22, Brian W. Antoine wrote:

> And the fact that gmail/yahoo signs their messages proves what?

Just that mail comes from gmail. DKIM is another way to skip greylisting, same as SPF or DNSWL, stronger than SPF and just depending from the DNS DKIM public-key record of the sender domain. It can also be used to score (adding headers) message.

Christian Pélissier
Office National d'Études et de Recherches Aérospatiales
BP 72 92322 Chatillon
Tel: 33 1 46 73 44 19, Fax: 33 1 46 73 41 50
2008-09-23 by Michael Mansour
Hi Emmanuel,

> On Tue, Sep 23, 2008 at 12:22:48AM -0700, Brian W. Antoine wrote:
> > And the fact that gmail/yahoo signs their messages proves what?
>
> It proves that the spam you get is from Gmail farms, and therefore that
> it is pointless to greylist it.

True, but there are very good reasons to verify these signatures via milter-greylist:

* blacklist the forged sender addresses that say they are coming from gmail, yahoo, etc when they are not
* when the spam actually comes from gmail/yahoo/etc farms, then it's easy to report to gmail via reporting sites like spamcop, knujon, etc who report those spams to gmail/yahoo/etc and get those accounts closed.

I report all my high scoring spams and real spams that a "normal" scoring via these methods.

Regards,

Michael.
2008-09-23 by Michael Mansour
Hi Brian,

> Emmanuel Dreyfus wrote:
> > On Tue, Sep 23, 2008 at 12:22:48AM -0700, Brian W. Antoine wrote:
> >> And the fact that gmail/yahoo signs their messages proves what?
> >
> > It proves that the spam you get is from Gmail farms, and therefore that
> > it is pointless to greylist it.
>
> Exactly :)

What exactly do you do with your spam? You should be reporting it to spam authorities so that spammers get their accounts banned and cancelled.

Network operators, ISP's, ASP's etc all have strict policies in place for network abuse.

If you just delete your spam without reporting it you're not hitting the spammers where it hurts.

If you want reporting tips I can send you some links to opensource software which help with this.

Regards,

Michael.
2008-09-23 by Emmanuel Dreyfus
On Tue, Sep 23, 2008 at 08:19:52PM +1100, Michael Mansour wrote:

> What exactly do you do with your spam?

I invite them for dinner because I have no social life :-)

Seriously, reporting spam activity with RCPT-stage greylisting is a bit difficult, since you never get the message itself...

--
Emmanuel Dreyfus
manu@...
2008-09-23 by Michael Mansour
Hi Emmanuel,

> On Tue, Sep 23, 2008 at 08:19:52PM +1100, Michael Mansour wrote:
> > What exactly do you do with your spam?
>
> I invite them for dinner because I have no social life :-)
>
> Seriously, reporting spam activity with RCPT-stage greylisting is a
> bit difficult, since you never get the message itself...

I have other tools and systems in place to both automatically and manually report the spam.

For example, I set up a specific reporting account within my domain where high scoring spam gets "copied" to as the original email, it then uses procmail rules to go through and report to pyzor, razor, spamcop, etc all automatically.

There's many other things I do to tackle spammers but just doing this I know I've been responsible for hundreds of accounts being closed by Network operators. I sometimes get them emailing me back thanking me for the reports, other times letting me know what's happening with my reports - warnings, sent, etc. They all have Acceptable Usage Policies and use those against spammers on their networks.

Regards,

Michael.
2008-09-23 by Brian W. Antoine
Christian PELISSIER wrote:

> On Tue 23/09/2008 at 09:22, Brian W. Antoine wrote:
>
>> And the fact that gmail/yahoo signs their messages proves what?
>
> Just that mail comes from gmail. DKIM is another way to skip
> greylisting, same as SPF or DNSWL, stronger than SPF and just depending
> from the DNS DKIM public-key record of the sender domain.
> It can also be used to score (adding headers) message.

Checking that signature also places a higher load on your mail server, whitelisting their server ranges is a better solution.
2008-09-23 by Patrick Domack
Quoting manu@...:

> Adam Katz <yegsa-yahoo@...> wrote:
>
>> To milter-greylist developers (manu): does this look worthwhile to
>> implement? given the "peer" option, this is already mostly written.
>
> What is it?
>
> And by the way, I'm a bit tired of implementing stuff for which there is
> no feedback at all (DKIM, p0f)...

I'm attempting to test it, got it compiled, but it's still segfaulting for me on freebsd.
2008-09-23 by Brian W. Antoine
Michael Mansour wrote:

> Hi Brian,
>
>> Emmanuel Dreyfus wrote:
>>> On Tue, Sep 23, 2008 at 12:22:48AM -0700, Brian W. Antoine wrote:
>>>> And the fact that gmail/yahoo signs their messages proves what?
>>> It proves that the spam you get is from Gmail farms, and therefore that
>>> it is pointless to greylist it.
>> Exactly :)
>
> What exactly do you do with your spam? You should be reporting it to spam
> authorities so that spammers get their accounts banned and cancelled.

Unless those authorities have demonstrated they can't, or won't, deal with the spam coming out of their server farms. That wasn't the point of my question though. If you're going to accept email from a server farm, then simply keep an eye on your log files and whitelist the ranges they use, it's a lot less of a load on your servers.
2008-09-23 by Adam Katz
manu@... wrote:

> And by the way, I'm a bit tired of implementing stuff for which
> there is no feedback at all (DKIM, p0f)...

Emmanuel: We are all grateful for milter-greylist. Your devotion to adding new features is a great boon for everybody. I often proudly talk about my use of milter-greylist. It is extremely robust, easy to use, and the features are extremely extensive, especially with the recent additions of DKIM and p0f. Thank you.

I see greylisting as having two main merits: evading zombies (and other non-SMTP compliant servers) and delaying possible spam. Delaying mail lets others receive and report it first, so it hits the RBLs and similar online databases before I check the content.

SPF and DKIM do not appear to do either of those two things, but p0f does - it allows me to specifically delay Windows servers since they're more likely to be zombies. SPF and DKIM come into my spam-fighting picture later, when SpamAssassin is unleashed on the message.

I plan to give p0f a whirl very soon. I was the original requester, though I think it was somebody else's second round of prodding that got it implemented.

Getting back on topic to P2PWL:

>> To milter-greylist developers (manu): does this look worthwhile
>> to implement? given the "peer" option, this is already mostly
>> written.
>
> What is it?

p2pwl is an auto-whitelist sharing mechanism for greylisting hosts. It would allow users to share the servers who pass, thus creating a web-of-trust concept to better facilitate a more unilateral system for dealing with grey lists. Like p0f (actually, more than p0f), p2pwl is a tool for greylisting, devised to help greylisting servers be more effective. Currently, it appears that only postgrey works with p2pwl.

I think p2pwl is a good idea, expanding on an idea already implemented for milter-greylist. This latter fact should make implementation pretty easy (says a non-developer), especially since the more complicated stages of p2pwl's development (which offer features not yet exhibited by milter-greylist) have not yet been finalized. p2pwl's full power is still in draft form, so perhaps my request is a bit early.

Stage I, the only completed stage, has manual peer selection, which is identical to milter-greylist's peer configuration option. (See http://oc-co.org/p2pwl/#stages for detail.)

By implementing p2pwl's sharing mechanism instead of a protocol exclusive to milter-greylist, you open the software to the ability to share with similar products, perhaps gaining visibility for the project and maybe even some converts, plus you make the ability to add those later stages of p2pwl's master plan more possible.

Let's back up and re-visit my original email -- I wanted to know if anybody had already used p2pwl, and/or if it seems like a good idea.

-Adam
2008-09-23 by Patrick Domack
Quoting Adam Katz <yegsa-yahoo@...>:

> manu@... wrote:
>> And by the way, I'm a bit tired of implementing stuff for which
>> there is no feedback at all (DKIM, p0f)...
>
> Emmanuel: We are all grateful for milter-greylist. Your devotion to
> adding new features is a great boon for everybody. I often proudly
> talk about my use of milter-greylist. It is extremely robust, easy to
> use, and the features are extremely extensive, especially with the
> recent additions of DKIM and p0f. Thank you.

Got mine working now, something with the spf and dkim libs was causing it to segfault. but I can live without them. p0f is working good, and dnsrbl's.

I started a whitelist/blacklist based on greylisting cause greylisting was overloading the server (not milter-greylist, a different one). It's worked out well, it's not 100% clean anymore, cause I also keep stats on ip's and what level of spam they push at me, and will blacklist some whitelisted ones cause of that. Have been thinking about pushing out to public usage, but just lazy and haven't gotten around to it, and dunno if my boss would like that.
2008-09-23 by manu@netbsd.org
Patrick Domack <patrickdk@...> wrote:

> I'm attempting to test it, got it compiled, but it's still segfaulting
> for me on freebsd.

Do you have a backtrace? (run in gdb, and type bt when it crashes)

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2008-09-23 by manu@netbsd.org
Brian W. Antoine <briana@...> wrote:
> Checking that signature also places a higher load on your mail
> server, whitelisting their server ranges is a better solution.
But you need to have the server ranges. SPF is useful here, with
something like this:
list "trusted-spf" domain {
/gmail\.com$/
/hotmail\.com$/
}
racl whitelist spf pass list "trusted-spf"
racl blacklist spf fail
Unfortunately, some mail providers do not publish SPF records (yahoo.com
for instance).
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2008-09-23 by manu@netbsd.org
Patrick Domack <patrickdk@...> wrote:

> Got mine working now, something with the spf and dkim libs was causing
> it to segfault. but I can live without them. p0f is working good, and
> dnsrbl's.

Any news on the DKIM front? Does it work?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
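
The "trusted-spf" whitelist rules posted earlier in the thread, modelled as an added example (not code from the thread or from milter-greylist). It assumes first-match rule evaluation, a greylisting default, and unanchored regex matching against a domain string; the sample senders and the anchored patterns are constructed for illustration.

```python
import re

# Patterns copied from the "trusted-spf" list posted in the thread.
POSTED = [r"gmail\.com$", r"hotmail\.com$"]
# Assumed tightening (not from the thread): require a label boundary.
ANCHORED = [r"(^|\.)gmail\.com$", r"(^|\.)hotmail\.com$"]


def in_list(domain, patterns):
    """True if any pattern matches, using unanchored regex search."""
    return any(re.search(p, domain, re.IGNORECASE) for p in patterns)


def decide(domain, spf_result, patterns):
    """Simplified model of the two racl lines, first match wins.

    racl whitelist spf pass list "trusted-spf"
    racl blacklist spf fail
    Anything else falls through to the default action, assumed here
    to be greylisting.
    """
    if spf_result == "pass" and in_list(domain, patterns):
        return "whitelist"
    if spf_result == "fail":
        return "blacklist"
    return "greylist"


# Constructed sample senders: (domain, SPF result for the connecting IP).
SAMPLES = [
    ("gmail.com", "pass"),     # listed provider, authorized IP
    ("gmail.com", "fail"),     # sender address forged from an unlisted IP
    ("yahoo.com", "none"),     # no SPF record published
    ("example.org", "pass"),   # valid SPF, but not in the trusted list
    ("notgmail.com", "pass"),  # constructed lookalike with its own SPF record
]


def run(patterns):
    """Return {(domain, spf_result): action} for every sample sender."""
    return {(d, r): decide(d, r, patterns) for d, r in SAMPLES}


if __name__ == "__main__":
    for label, pats in (("posted", POSTED), ("anchored", ANCHORED)):
        print(label)
        for (dom, res), action in run(pats).items():
            print(f"  {dom:<14} spf={res:<5} -> {action}")
```

With the posted patterns the lookalike domain is whitelisted because `gmail\.com$` only anchors the end of the string; the anchored variant sends it to greylisting while still accepting subdomains.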
2008-09-23 by Patrick Domack
I'll have to see what I can do. I played around and it's libdkim that is causing it to segfault for me. Have p0f, dnsrbl, and spf all playing happily though.

Quoting manu@...:

> Patrick Domack <patrickdk@patrickdk.com> wrote:
>
>> Got mine working now, something with the spf and dkim libs was causing
>> it to segfault. but I can live without them. p0f is working good, and
>> dnsrbl's.
>
> Any news on the DKIM front? Does it work?
>
> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...