How would you provide a 554 rejection notice for spam?


How would you provide a 554 rejection notice for spam?

by dalchri

I've recently put SpamAssassin in front of my Exchange server as an SMTP proxy.  Our previous spam filter would provide a 554 rejection notice for anything that was identified as spam.  This meant that any FP would be notified so that email would not get silently ignored.  Although a rejection notice was sent, we still retained the spam.  This meant that when our users got a call from their customer about the rejected spam, they could quickly locate the message without it having to be resent.

I would like to continue doing this with the new SA/Exchange setup.  Right now I use spampd but I would like to change to Sendmail just because it is part of the default install for Redhat.

How would you go about providing a 554 rejection notice?  Would you do it on the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something else?

Re: How would you provide a 554 rejection notice for spam?

by Shane Williams-2

If you're running sendmail, then spamass-milter is the way to go.

On Sun, 29 Jul 2007, dalchri wrote:

>
> I've recently put SpamAssassin in front of my Exchange server as an SMTP
> proxy.  Our previous spam filter would provide a 554 rejection notice for
> anything that was identified as spam.  This meant that any FP would be
> notified so that email would not get silently ignored.  Although a rejection
> notice was sent, we still retained the spam.  This meant that when our users
> got a call from their customer about the rejected spam, they could quickly
> locate the message without it having to be resent.
>
> I would like to continue doing this with the new SA/Exchange setup.  Right
> now I use spampd but I would like to change to Sendmail just because it is
> part of the default install for Redhat.
>
> How would you go about providing a 554 rejection notice?  Would you do it on
> the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something
> else?
>

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: How would you provide a 554 rejection notice for spam?

by Matt Kettler-3

dalchri wrote:

> I've recently put SpamAssassin in front of my Exchange server as an SMTP
> proxy.  Our previous spam filter would provide a 554 rejection notice for
> anything that was identified as spam.  This meant that any FP would be
> notified so that email would not get silently ignored.  Although a rejection
> notice was sent, we still retained the spam.  This meant that when our users
> got a call from their customer about the rejected spam, they could quickly
> locate the message without it having to be resent.
>
> I would like to continue doing this with the new SA/Exchange setup.  Right
> now I use spampd but I would like to change to Sendmail just because it is
> part of the default install for Redhat.
>
> How would you go about providing a 554 rejection notice?  Would you do it on
> the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something
> else?
>  
a milter from sendmail, provided you wish to stick with sendmail.

mimedefang springs to mind, but I have no experience with it.

Re: How would you provide a 554 rejection notice for spam?

by Spamassassin List

> dalchri wrote:
>> I've recently put SpamAssassin in front of my Exchange server as an SMTP
>> proxy.  Our previous spam filter would provide a 554 rejection notice for
>> anything that was identified as spam.  This meant that any FP would be
>> notified so that email would not get silently ignored.  Although a
>> rejection
>> notice was sent, we still retained the spam.  This meant that when our
>> users
>> got a call from their customer about the rejected spam, they could
>> quickly
>> locate the message without it having to be resent.
>>
>> I would like to continue doing this with the new SA/Exchange setup.
>> Right
>> now I use spampd but I would like to change to Sendmail just because it
>> is
>> part of the default install for Redhat.
>>
>> How would you go about providing a 554 rejection notice?  Would you do it
>> on
>> the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?
>> Something
>> else?
>>
> a milter from sendmail, provided you wish to stick with sendmail.
>
> mimedefang springs to mind, but I have no experience with it.

Any idea for qmail?


Re: How would you provide a 554 rejection notice for spam?

by Jeremy Kister-4

On 7/30/2007 1:25 AM, Spamassassin List wrote:
> Any idea for qmail?


use simscan.  http://www.inter7.com/simcsan


--

Jeremy Kister
http://jeremy.kister.net./

Re: How would you provide a 554 rejection notice for spam?

by Jeremy Kister-4

On 7/30/2007 1:30 AM, I wrote:
> use simscan.  http://www.inter7.com/simcsan

oops, that's http://www.inter7.com/simscan



--

Jeremy Kister
http://jeremy.kister.net./

Re: How would you provide a 554 rejection notice for spam?

by Jason Haar

Spamassassin List wrote:
>
> Any idea for qmail?
Look on www.qmail.org for links - e.g. Qmail-Scanner allows you the
option of generating the bounce - or SMTP-level rejecting it as
mentioned in this thread.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: How would you provide a 554 rejection notice for spam?

by Matus UHLAR - fantomas

On 30.07.07 13:25, Spamassassin List wrote:
> Any idea for qmail?

if you excuse a bit of irony, I'd say: drop it. There are many better
MTA's than qmail. There's imho much less worse solutions...
--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: How would you provide a 554 rejection notice for spam?

by Jim Maul

Matus UHLAR - fantomas wrote:
> On 30.07.07 13:25, Spamassassin List wrote:
>> Any idea for qmail?
>
> if you excuse a bit of irony, I'd say: drop it. There are many better
> MTA's than qmail. There's imho much less worse solutions...

According to who, you?

He asked for a solution for qmail.  If you do not know, it would be
better to just not respond than to suggest he swap out his whole setup.

Thanks anyway.

Re: How would you provide a 554 rejection notice for spam?

by Diego Pomatta

Jim Maul wrote:

> Matus UHLAR - fantomas wrote:
>> On 30.07.07 13:25, Spamassassin List wrote:
>>> Any idea for qmail?
>>
>> if you excuse a bit of irony, I'd say: drop it. There are many better
>> MTA's than qmail. There's imho much less worse solutions...
>
> According to who, you?
>
> He asked for a solution for qmail.  If you do not know, it would be
> better to just not respond than to suggest he swap out his whole setup.
>
> Thanks anyway.
>
>

LoL. qmail rocks.

That said, I use qmail -> simscan -> spamassassin.
Although in my case I silently drop spam at smtp time, simscan can be
configured to reject and return the spam mail to the sender with an
error message, which can be customized.


/regards


Re: How would you provide a 554 rejection notice for spam?

by Matus UHLAR - fantomas

> >>On 30.07.07 13:25, Spamassassin List wrote:
> >>>Any idea for qmail?

> >Matus UHLAR - fantomas wrote:
> >>if you excuse a bit of irony, I'd say: drop it. There are many better
> >>MTA's than qmail. There's imho much less worse solutions...

> Jim Maul wrote:
> >According to who, you?
> >
> >He asked for a solution for qmail.  If you do not know, it would be
> >better to just not respond than to suggest he swap out his whole setup.

That's why I asked for excusing a bit of irony.
Btw. courier mail server is in configuration very close to qmail.

With qmail you have to patch/replace most of its content to get features
that are in most of MTAs, and you will still have some unwelcome features...

On 30.07.07 14:10, Diego Pomatta wrote:
> LoL. qmail rocks.

yes, google for "qmail bugs and withlist" for more info.

> That said, I use qmail -> simscan -> spamassassin.
> Although in my case I silently drop spam at smtp time, simscan can be
> configured to reject and return the spam mail to the sender with an
> error message, which can be customized.

return to who? reject message at SMTP time? Or return to "From:" or "mail
from:" address, which is in 99.9% fake?

That's why it's unwelcome to "return" spam. Btw, can simscan drop the spam
verbosely? I mean, will your users report their mail rejected because of
"550 spam refused" or it just won't come to its destination?

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.

Re: How would you provide a 554 rejection notice for spam?

by Diego Pomatta

Matus UHLAR - fantomas wrote:
> On 30.07.07 14:10, Diego Pomatta wrote:
>  
>> LoL. qmail rocks.
>>    
>
> yes, google for "qmail bugs and withlist" for more info.
>
>  
No problems here whatsoever.
And... I don't understand the point. Every piece of software has bugs.
Even the e-mail client you used to create your msg.-

>> That said, I use qmail -> simscan -> spamassassin.
>> Although in my case I silently drop spam at smtp time, simscan can be
>> configured to reject and return the spam mail to the sender with an
>> error message, which can be customized.
>>    
>
> return to who? reject message at SMTP time? Or return to "From:" or "mail
> from:" address, which is in 99.9% fake?
> That's why it's unwelcome to "return" spam.
That's why I don't do it. :)
It's pointless IMO.

>  Btw, can simscan drop the spam
> verbosely? I mean, will your users report their mail rejected because of
> "550 spam refused" or it just won't come to its destination?
>
>  
I don't know if you mean mail addressed to my users, or mail my users
want to send out.
If you mean incoming, IN MY CASE I drop spam without further notice to
the sender or the recipient. I deal with the false positives
personally, and configure SA accordingly. Only 2 false positives since
SA is in effect, though. And it was actually mail I would consider spam,
but the user in question wanted to receive it anyway.

But it can, afaik, be set to reject spam with the msg type you mentioned.

/Regards

Re: How would you provide a 554 rejection notice for spam?

by John Rudd

Diego Pomatta wrote:

> Jim Maul wrote:
>> Matus UHLAR - fantomas wrote:
>>> On 30.07.07 13:25, Spamassassin List wrote:
>>>> Any idea for qmail?
>>>
>>> if you excuse a bit of irony, I'd say: drop it. There are many better
>>> MTA's than qmail. There's imho much less worse solutions...
>>
>> According to who, you?
>>
>> He asked for a solution for qmail.  If you do not know, it would be
>> better to just not respond than to suggest he swap out his whole setup.
>>
>> Thanks anyway.
>>
>>
>
> LoL. qmail rocks.
>
> That said, I use qmail -> simscan -> spamassassin.
> Although in my case I silently drop spam at smtp time, simscan can be
> configured to reject and return the spam mail to the sender with an
> error message, which can be customized.

That sounds more like "bounce and return" than "reject".  If you reject,
the only chance you get to send an error is in the 1 line SMTP 5xx
response code.  If you really do mean "bounce and return" (accept the
message with SMTP 2xx code, craft a new message in response, send it to
the sender) ... that's bad, and shouldn't be used.

Re: How would you provide a 554 rejection notice for spam?

by Rick Macdougall-2

John Rudd wrote:
> Diego Pomatta wrote:
>
> That sounds more like "bounce and return" than "reject".  If you reject,
> the only chance you get to send an error is in the 1 line SMTP 5xx
> response code.  If you really do mean "bounce and return" (accept the
> message with SMTP 2xx code, craft a new message in response, send it to
> the sender) ... that's bad, and shouldn't be used.

simscan correctly uses an SMTP REJECT (55x code during the smtp
conversation) and it is also possible to use custom reject messages with
simscan so the sender, if any, knows exactly why the message was rejected.

I have yet to see a good implementation of this in Postfix or Sendmail,
and is one of the reasons I stick with Qmail.

Having to /dev/null spam and/or viruses to the end user is even worse
IMHO (as an ISP, it might be acceptable in an office env where you can
train the users to look at spam or virus folders).

Regards,

Rick

Re: How would you provide a 554 rejection notice for spam?

by John Rudd

Rick Macdougall wrote:

> John Rudd wrote:
>> Diego Pomatta wrote:
>>
>> That sounds more like "bounce and return" than "reject".  If you
>> reject, the only chance you get to send an error is in the 1 line SMTP
>> 5xx response code.  If you really do mean "bounce and return" (accept
>> the message with SMTP 2xx code, craft a new message in response, send
>> it to the sender) ... that's bad, and shouldn't be used.
>
> simscan correctly uses an SMTP REJECT (55x code during the smtp
> conversation) and it is also possible to use custom reject messages with
> simscan so the sender, if any, knows exactly why the message was rejected.
>
> I have yet to see a good implementation of this in Postfix or Sendmail,
> and is one of the reasons I stick with Qmail.

If you mean "custom reject message" like:

550 Appears to be extreme spam content ($score)

or

550 High Spam Probability, see http://some.url.addr/

Then that's trivial in sendmail, when using a milter.  Mimedefang makes
it easy-peasy.  (I do the former at home, and the latter at work)


> Having to /dev/null spam and/or viruses to the end user is even worse
> IMHO (as an ISP, it might be acceptable in an office env where you can
> train the users to look at spam or virus folders).

IMO, there's only four acceptable actions:

1) SMTP 5xx reject
2) SMTP 4xx tempfail (ex: greylisting or actual programmatic error)
3) quarantine, and some form of quarantine notification to recipient
4) deliver (with possibly adding headers, and/or subject marks, so
recipients filters can take appropriate action)


Sending an email back to the sender isn't appropriate, due to the high
likelihood that the message was a forgery.  That's backscatter ... which
is bad.

Dropping, Discarding, or "/dev/null"ing a message are all showing an
amazingly inappropriate level of trust in the false positive rate of ANY
process.  It's just irresponsible for a sysadmin to do that with a
user's email based on spam scores.



Re: How would you provide a 554 rejection notice for spam?

by Matus UHLAR - fantomas

On 30.07.07 17:49, Diego Pomatta wrote:
> No problems here whatsoever.
> And... I don't understand the point. Every piece of software has bugs.
> Even the e-mail client you used to create your msg.-

of course. but qmail has too much of them, some of them are really annoying
(at least for some people, perhaps not for qmail users)
and there are pretty replacements for it :)

> Matus UHLAR - fantomas wrote:
> > Btw, can simscan drop the spam
> >verbosely? I mean, will your users report their mail rejected because of
> >"550 spam refused" or it just won't come to its destination?

> I don't know if you mean mail addressed to my users, or mail my users
> want to send out.
> If you mean incoming, IN MY CASE I drop spam without further notice to
> the sender or the recipient. I deal with the false positives
> personally, and configure SA accordingly. Only 2 false positives since
> SA is in effect, though. And it was actually mail I would consider spam,
> but the user in question wanted to receive it anyway.

when we ran qmail, we had false positives, and we did not like the fact we
could not tell sender what the problem was...

> But it can, afaik, be set to reject spam with the msg type you mentioned.

That was something we were not able to manage. Maybe the fault was on our
side, but since there were other problems, we replaced it with courier-mta
and we're quite happy with it.

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.

Re: How would you provide a 554 rejection notice for spam?

by Chris Edwards

On Sun, 29 Jul 2007, dalchri wrote:

| Although a rejection notice was sent, we still retained the spam.  This
| meant that when our users got a call from their customer about the
| rejected spam, they could quickly locate the message without it having
| to be resent.

Hi,

So you want to return 5xx after DATA, *and* keep the message content itself ?

Exim can do this with its "fakereject" feature.
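
Added example, not part of the original thread and not any MTA's or filter's own code: a line-driven SMTP session in Python that answers end-of-DATA with a one-line 554 inside the session (the reject John Rudd describes, as opposed to an accept-then-bounce) while retaining a copy of the refused message, as dalchri's previous filter did. The `Session` class, `toy_score`, the threshold, the in-memory quarantine list and the sample dialogue are all assumptions constructed for illustration.

```python
import re

SPAM_THRESHOLD = 5.0  # assumed cut-off, not a value from the thread

def toy_score(message):
    """Constructed stand-in for a real scorer such as SpamAssassin."""
    return 2.5 * len(re.findall(r"cheap|pills", message.lower()))

class Session:
    """One inbound SMTP session as a line-driven state machine (no sockets)."""
    def __init__(self, score_fn, quarantine):
        self.score_fn, self.quarantine = score_fn, quarantine
        self.sender, self.rcpts, self.body, self.in_data = None, [], [], False

    def feed(self, line):
        """Consume one client line; return the reply, or None inside DATA."""
        if self.in_data:
            if line == ".":
                return self._end_of_data()
            # Undo dot-stuffing: a leading "." on a data line was added in transit.
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            return "250 mx.example.test"
        if verb.startswith("MAIL FROM:"):
            self.sender = line[10:].strip()
            return "250 2.1.0 OK"
        if verb.startswith("RCPT TO:"):
            if self.sender is None:
                return "503 5.5.1 Need MAIL first"
            self.rcpts.append(line[8:].strip())
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Unrecognised command"

    def _end_of_data(self):
        message = "\n".join(self.body)
        score = self.score_fn(message)
        envelope = (self.sender, tuple(self.rcpts))
        self.sender, self.rcpts, self.body, self.in_data = None, [], [], False
        if score >= SPAM_THRESHOLD:
            # Retain a copy so a false positive can be found later, then refuse
            # inside the session: the connected client gets the 554, and no new
            # message is ever addressed to the (possibly forged) envelope sender.
            self.quarantine.append((envelope, score, message))
            return f"554 5.7.1 Rejected as spam (score {score:.1f})"
        return "250 2.0.0 Queued"

def run(lines, quarantine):
    """Drive a session over constructed client lines; return server replies."""
    session = Session(toy_score, quarantine)
    return [r for r in map(session.feed, lines) if r is not None]

# Constructed sample dialogue (client side only).
SAMPLE = ["EHLO client.example.test", "MAIL FROM:<sender@example.test>",
          "RCPT TO:<user@example.test>", "DATA", "Subject: offer", "",
          "cheap pills, cheap pills", ".", "QUIT"]
```

Calling `run(SAMPLE, store)` with an empty list as `store` returns the server side of the dialogue and leaves the refused message, its envelope and its score in `store`.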


Re: How would you provide a 554 rejection notice for spam?

by Diego Pomatta

Matus UHLAR - fantomas wrote:
> when we ran qmail, we had false positives, and we did not like the fact we
> could not tell sender what the problem was...
>
>  
But it is not qmail's job to detect spam or tell the sender what the
problem was; qmail is just the MTA, and a damn fine one imho.
A filter/scanner/anti-spam tool has to do that.

>> But it can, afaik, be set to reject spam with the msg type you mentioned.
>>    
>
> That was something we were not able to manage. Maybe the fault was on our
> side, but since there were other problems, we replaced it with courier-mta
> and we're quite happy with it.
>
>  
You have achieved happiness. All else has become irrelevant. ;)

/Regards

Re: How would you provide a 554 rejection notice for spam?

by dalchri

Well, I set up MIMEDefang.  Everything is working as I want except that the (fake) rejected mail does not make it through the milter to Exchange.  I used action_bounce to reject the message in mimedefang-filter.

Is there a way to send the rejection code but still get the message through the milter?

I think I might be leaning towards Exim for its fake reject feature if I can't get this to work.

Thanks for all the feedback!

Re: How would you provide a 554 rejection notice for spam?

by John Rudd

dalchri wrote:

> Well, I set up MIMEDefang.  Everything is working as I want except that the
> (fake) rejected mail does not make it through the milter to Exchange.  I
> used action_bounce to reject the message in mimedefang-filter.
>
> Is there a way to send the rejection code but still get the message through
> the milter?
>
> I think I might be leaning towards Exim for its fake reject feature if I
> can't get this to work.
>
> Thanks for all the feedback!

You should probably ask that question on the mimedefang mailing list.