[Dspam-user] Reclassify --error "OK" with "properly" classified mail?

[Dspam-user] Reclassify --error "OK" with "properly" classified mail?

Jeff Kletsky

Over the years I've ended up with some email addresses that are heavily spammed and no longer in use.

I'd like to take advantage of them as a honeypot for inoculation, with the knowledge that they only receive spam.

I run Postfix and use dspam as a post-queue filter, as described at http://www.postfix.org/FILTER_README.html#advanced_filter

As a result, all mail gets classified before I know the final recipient, as local aliases haven't been evaluated yet.

I'd like to "deliver" mail for these destinations by routing all of it through something like

        | dspam --client --user <user> --source=error --class=spam

without having to first determine if it was improperly classified as non-spam.

Reading DSPAM(1) reveals

    You should use error only when DSPAM has made an error in classifying
    the message, and should present the modified version of the message
    with the DSPAM signature when doing so.

Does this mean that if the message was originally classified as spam that the token and message counts
are "blindly" incremented each time it is called,
or does dspam check to see the classification of the message ID before incrementing the counts?

As easy as it would be to grep for 'X-DSPAM-Result: Innocent', it starts getting messy
since I also either need the full message or the signature (another grep pass) to pass to dspam.


If I can't just feed the message into the reclassify dspam call, are there any "elegant" approaches to this?


Thanks!


Jeff



------------------------------------------------------------------------------

_______________________________________________
Dspam-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/dspam-user
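
The header check and signature lookup described in the question can be done in one pass over the headers. The sketch below is an added example, not part of the original thread and not DSPAM's own tooling. The dspam user name, the accepted signature character set, and the choice of `--source=inoculation` for mail that carries no DSPAM result header are assumptions; the function only prints the command a pipe wrapper would run.

```shell
#!/bin/sh
# Added example, not from the thread: pick the dspam call for honeypot mail.

# One pass over the header block: print "<result> <signature>", "-" if absent.
dspam_headers() {
    awk '
        { sub(/\r$/, "") }                     # tolerate CRLF line endings
        /^$/ { exit }                          # blank line ends the headers
        tolower($1) == "x-dspam-result:"    { r = $2 }
        tolower($1) == "x-dspam-signature:" { s = $2 }
        END { if (r == "") r = "-"; if (s == "") s = "-"; print r, s }
    '
}

# Print the dspam command for the message on stdin, or nothing when dspam
# already tagged it Spam. $1 = dspam user (hypothetical name in the tests).
honeypot_cmd() {
    user=$1
    hdr=$(dspam_headers)
    result=${hdr% *}
    sig=${hdr#* }
    base="dspam --client --user $user --class=spam"

    # The signature is read from the message itself, so accept only the
    # assumed character set before it is placed on a command line.
    case $sig in
        *[!0-9A-Za-z,]*) sig=- ;;
    esac

    case $result in
        Spam) ;;                                    # tagged Spam: no retrain call
        -)    echo "$base --source=inoculation" ;;  # no result header: full message on stdin
        *)    if [ "$sig" = "-" ]; then
                  echo "$base --source=error"       # full message on stdin
              else
                  echo "$base --source=error --signature=$sig"
              fi ;;
    esac
}
```

Because a message tagged Spam produces no command, the question of what a second `--source=error` call does to the counts never comes up for those messages.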

Re: [Dspam-user] Reclassify --error "OK" with "properly" classified mail?

L. Jankok

Hi,

It really boils down to how you have implemented dspam with postfix.

You can create two transports, one for learning and one for inoculation.

Next, all mail to heavily spammed e-mail addresses goes directly to inoculate.

Why should you first go to learn and then go to inoculate if your assumption is that the mail is spam anyways?

Regards,

LJ

 

On 18/11/2016, 22:14, "Jeff Kletsky" <[hidden email]> wrote:

 

Over the years I've ended up with some email addresses that are heavily spammed and no longer in use.

I'd like to take advantage of them as a honeypot for inoculation, with the knowledge that they only receive spam.

I run Postfix and use dspam as a post-queue filter, as described at http://www.postfix.org/FILTER_README.html#advanced_filter

As a result, all mail gets classified before I know the final recipient, as local aliases haven't been evaluated yet.

I'd like to "deliver" mail for these destinations by routing all of it through something like

        | dspam --client --user <user> --source=error --class=spam

without having to first determine if it was improperly classified as non-spam.

Reading DSPAM(1) reveals

    You should use error only when DSPAM has made an error in classifying
    the message, and should present the modified version of the message
    with the DSPAM signature when doing so.

Does this mean that if the message was originally classified as spam that the token and message counts
are "blindly" incremented each time it is called,
or does dspam check to see the classification of the message ID before incrementing the counts?

As easy as it would be to grep for 'X-DSPAM-Result: Innocent', it starts getting messy
since I also either need the full message or the signature (another grep pass) to pass to dspam.

 

If I can't just feed the message into the reclassify dspam call, are there any "elegant" approaches to this?

 

Thanks!

 

Jeff

 


Re: [Dspam-user] Reclassify --error "OK" with "properly" classified mail?

Jeff Kletsky

For anyone reading this that knows, I'm still curious about the effect of multiple "--source=error" invocations of dspam for the same message/signature.

Thanks LJ!

The reasoning behind the "fix-up" approach is that I process the mail with dspam _before_ local address rewriting is done,
so that each (virtual) user gets its own set of tokens in dspam. I was hoping that I'd only have to maintain the virtual alias table for the known-spam users and not have to replicate that elsewhere, such as an access(5) or transport(5) table.

You've got me thinking though, as I do use another SMTP instance as a public-facing relay. Since it doesn't maintain its own aliases for the served domains, I should be able to do something like setting up a virtual alias for the multiple known-spam addresses to a single [hidden email] address and then a simple transport(5) to redirect just the [hidden email] address to another instance of smtpd running on a different port on the same server as dspam. That smtpd would "simply" have it delivered to dspam for inoculation.

Thanks for getting me thinking in another direction!

Jeff




On 11/18/16 1:59 PM, L. Jankok wrote:

Hi,

 

It really boils down to how you have implemented dspam with postfix.

You can create two transports, one for learning and one for inoculation.

Next, all mail to heavily spammed e-mail addresses goes directly to inoculate.

Why should you first go to learn and then go to inoculate if your assumption is that the mail is spam anyways?

 

Regards,

 

LJ

 


Re: [Dspam-user] Reclassify --error "OK" with "properly" classified mail?

L. Jankok

Hi Jeff,

It is indeed a design issue.

Would the following also serve your purpose?

        smtpd_recipient_restrictions =
            ….
            check_recipient_access lmdb:/etc/postfix/tables/domain_filter
            ….

Next you could combine the two approaches:

- Have your aggregation done on your external-facing mail server
- Have your internal mail server decide, on the basis of domain or specific addresses, where to send the mail
    - For domains to be processed by dspam, it sends to a certain port
    - For specific addresses for inoculation, it sends to another port

Using this combined solution, you will have reached more flexibility in your setup.

Regards,

LJ

 

 

On 19/11/2016, 00:48, "Jeff Kletsky" <[hidden email]> wrote:

 

For anyone reading this that knows, I'm still curious about the effect of multiple "--source=error" invocations of dspam for the same message/signature.

Thanks LJ!

The reasoning behind the "fix-up" approach is that I process the mail with dspam _before_ local address rewriting is done,
so that each (virtual) user gets its own set of tokens in dspam. I was hoping that I'd only have to maintain the virtual alias table for the known-spam users and not have to replicate that elsewhere, such as an access(5) or transport(5) table.

You've got me thinking though, as I do use another SMTP instance as a public-facing relay. Since it doesn't maintain its own aliases for the served domains, I should be able to do something like setting up a virtual alias for the multiple known-spam addresses to a single [hidden email] address and then a simple transport(5) to redirect just the [hidden email] address to another instance of smtpd running on a different port on the same server as dspam. That smtpd would "simply" have it delivered to dspam for inoculation.

Thanks for getting me thinking in another direction!

Jeff

 

 

 
