Linux - Security forum: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

#1, 11-30-2006, 05:32 AM
Member, Registered: Jun 2003, Location: Thames Valley, UK, Posts: 142
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Spamassassin security
Hi
Can someone confirm if spamassassin by default sends a copy of scanned email out from the server to somewhere where it is logged as spam or ham?
The reason I ask is that as I watch an internal mail being sent (which should never leave the building due to me setting our hostnames etc.) there is internet activity before the message is flushed to the internal recipient.
I could be being paranoid here. I do not have pyzor or razor and my spamassassin conf has three checks:
hashcash
URIDNSBL
and SFF
I know that URIDNSBL could be the culprit as it will do a DNS check on any URLs present in the email (like our web address in our signature), but I would like confirmation from someone much better than me!

#2, 11-30-2006, 06:22 AM
Moderator, Registered: May 2001, Posts: 29,415
If you're using remote databases like RBLs then outbound traffic (firewall logging rules, tcpdump, Wireshark, router, etc.) will show the box first making a DNS request for these RBL hosts and then doing an HTTP query.

#3, 11-30-2006, 07:25 AM
Member (Original Poster), Registered: Jun 2003, Location: Thames Valley, UK, Posts: 142
Thanks - but that doesn't mean the content of our emails is going anywhere does it?

#4, 12-01-2006, 04:25 AM
Moderator, Registered: May 2001, Posts: 29,415
No, it doesn't: sniff your traffic and you'll see.

#5, 12-01-2006, 04:27 PM
Member (Original Poster), Registered: Jun 2003, Location: Thames Valley, UK, Posts: 142
Thanks. Not sure what I'm looking for and what tool to use. Ethereal?
Never done it before, so now's a good time to try.
I think I was getting a bit freaked out because I read about Razor and Pyzor, which send a copy of a suspected email on to a server somewhere for profiling. As I'm not using them but the bog-standard SpamAssassin setup, it won't be the same. If I'm wrong or confused, just put it down to having never done spam filtering before!
Just the network traffic that made me anxious.

#6, 12-01-2006, 05:18 PM
Moderator, Registered: May 2001, Posts: 29,415
A wee bit of paranoia ain't bad. Keeps you alert. You could run tcpdump, but Wireshark (the application formerly known as Ethereal) would do too. The difference is that tcpdump is low resource and console mode while Wireshark is more of a GUI tool. You could run tcpdump unattended and in the background for a while and use the "-w" switch to make it dump the packet captures to a file which you can peruse at leisure later on with Wireshark.
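As an added illustration of the capture-and-inspect approach suggested in this reply (example code, not from the thread or from SpamAssassin), the script below triages the decoded text of a tcpdump capture taken on the mail host: it counts the DNS lookups that URIDNSBL-style checks are expected to generate and lists any outbound TCP connection from the LAN to an outside host, since that is what would have to appear for message content to leave. The LAN prefix, the DNSBL zone list and the sample capture lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: triage the text output of
# "tcpdump -n -r capture.pcap" taken on the mail host. It separates the DNS
# lookups that URIDNSBL-style checks are expected to make from any outbound
# TCP connection to a host outside the LAN, which is what would have to be
# present for message content to leave the building.

LAN_PREFIX='192.168.1.'   # assumption: the internal network prefix

# Count DNS A queries whose name falls under a DNSBL/URIBL zone.
# The zone list is an assumption; adjust it to the zones your config uses.
count_dnsbl_queries() {
    grep -cE ' A\? [^ ]+\.(multi\.uribl\.com|multi\.surbl\.org|zen\.spamhaus\.org)\. ' "$1" || true
}

# Print the destination of every TCP SYN sent from a LAN address to a
# non-LAN address. Anything listed here carries more than a DNS lookup.
list_external_syn() {
    awk -v lan="$LAN_PREFIX" '
        $2 == "IP" && index($0, "Flags [S],") {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (index(src, lan) == 1 && index(dst, lan) != 1) print dst
        }' "$1"
}

# Constructed sample of decoded tcpdump lines: two URIBL lookups, one DNS
# reply, an internal SMTP segment and one external web connection.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
10:01:00.000001 IP 192.168.1.10.41234 > 192.168.1.1.53: 100+ A? example.com.multi.uribl.com. (45)
10:01:00.000502 IP 192.168.1.1.53 > 192.168.1.10.41234: 100 1/0/0 A 127.0.0.2 (61)
10:01:00.001000 IP 192.168.1.10.41235 > 192.168.1.1.53: 101+ A? example.com.multi.surbl.org. (45)
10:01:00.002000 IP 192.168.1.10.25 > 192.168.1.20.51000: Flags [P.], seq 1:100, ack 1, win 512, length 99
10:01:00.003000 IP 192.168.1.10.40000 > 203.0.113.5.80: Flags [S], seq 3344, win 64240, options [mss 1460], length 0
EOF

echo "DNSBL lookups seen: $(count_dnsbl_queries "$SAMPLE")"
echo "Outbound connections leaving the LAN:"
list_external_syn "$SAMPLE"
```

On a real capture, an empty "leaving the LAN" list alongside a non-zero lookup count is the pattern the moderator describes: DNS requests to the RBL hosts and nothing else outbound.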

#7, 12-02-2006, 06:54 AM
Member, Registered: Jul 2006, Distribution: Debian Testing, Posts: 299
I think Razor and similar only send out hashes of your e-mail.

#8, 12-04-2006, 03:01 PM
Member (Original Poster), Registered: Jun 2003, Location: Thames Valley, UK, Posts: 142
This is good stuff. Thanks folks!