LinuxQuestions.org
Old 11-30-2006, 05:32 AM   #1
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Rep: Reputation: 15
Spamassassin security


Hi

Can someone confirm if spamassassin by default sends a copy of scanned email out from the server to somewhere where it is logged as spam or ham?

The reason I ask is that as I watch an internal mail being sent (which should never leave the building due to me setting our hostnames etc) there is internet activity before the message is flushed to the internal recipient.

I could be being paranoid here. I do not have pyzor or razor and my spamassassin conf has three checks:

hashcash
URIDNSBL
and SFF

I know that URIDNSBL could be the culprit as it will do a DNS check on any URLs present in the email (like our web address on our signature) - but I would like confirmation from someone much better than me!
 
Old 11-30-2006, 06:22 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If you're using remote databases like RBLs then outbound traffic (firewall logging rules, tcpdump, wireshark, router etc) will show the box first making a DNS request for these RBL hosts then do an HTTP query.
 
Old 11-30-2006, 07:25 AM   #3
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
Thanks - but that doesn't mean the content of our emails is going anywhere does it?
 
Old 12-01-2006, 04:25 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
No, it doesn't: sniff your traffic and you'll see.
 
Old 12-01-2006, 04:27 PM   #5
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
Thanks. Not sure what I'm looking for and what tool to use. Ethereal?

Never done it before - so now's a good time to try.

I think I was getting a bit freaked out because I read about razor and pyzor - which send a copy of a suspected email onto a server somewhere for profiling. As I'm not using them but the bog-standard spamassassin setup, it won't be the same. If I'm wrong or confused, just put it down to having never done spam filtering before!

Just the network traffic that made me anxious.
 
Old 12-01-2006, 05:18 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
A wee bit of paranoia ain't bad. Keeps you alert. You could run tcpdump but Wireshark (the application formerly known as Ethereal) would do too. Difference is Tcpdump is low resource and console mode while Wireshark is more of a GUI tool. You could run tcpdump unattended and in the background for a while and use the "-w" switch to make it dump the packet captures to file which you can peruse at leisure later on with Wireshark.
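
Added example, not part of any post in this thread: a small Python reader for a capture file written with tcpdump's "-w" switch, listing the DNS names the box asked for and every other destination it sent to, which is what to look at when checking whether anything besides lookups leaves the server. The sample capture, its addresses and the zone `uribl.example` are constructed; it assumes a classic little-endian pcap of Ethernet frames holding outbound packets.

```python
import struct

def build_sample_pcap():
    """Constructed capture: one DNS query (placeholder zone) and one internal SMTP SYN."""
    def frame(proto, dst, l4):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes((192, 168, 1, 10)), bytes(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip + l4          # Ethernet + IPv4 + L4
    name = b"example.com.uribl.example"                      # constructed, not a real zone
    q = b"".join(bytes([len(p)]) + p for p in name.split(b".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    tcp = struct.pack("!HHIIBBHHH", 40001, 25, 0, 0, 0x50, 0x02, 1024, 0, 0)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in (frame(17, (192, 168, 1, 1), udp), frame(6, (192, 168, 1, 20), tcp)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def qname(data):
    """Decode the uncompressed name in a DNS question section."""
    labels, i = [], 0
    while i < len(data) and data[i] and not data[i] & 0xC0:
        labels.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
        i += 1 + data[i]
    return ".".join(labels)

def summarize(pcap):
    """Return (DNS names queried, other (dst, proto, port) flows) from a classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    names, other, off = [], [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        f, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue                                         # not IPv4 over Ethernet
        l4 = f[14 + (f[14] & 0x0F) * 4:]
        if f[23] not in (6, 17) or len(l4) < 8:
            continue                                         # only TCP and UDP are summarized
        dport = struct.unpack_from("!H", l4, 2)[0]
        if f[23] == 17 and dport == 53:
            names.append(qname(l4[20:]))                     # skip UDP (8) + DNS header (12)
        else:
            other.append((".".join(map(str, f[30:34])), "tcp" if f[23] == 6 else "udp", dport))
    return names, other

if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

To use it on a real capture, pass the bytes of the file tcpdump wrote to `summarize()`; any entry in the second list that is not one of your own mail hosts is worth opening in Wireshark.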
 
Old 12-02-2006, 06:54 AM   #7
Tortanick
Member
 
Registered: Jul 2006
Distribution: Debian Testing
Posts: 299

Rep: Reputation: 30
I think Razor and similar only send out hashes of your e-mail.
 
Old 12-04-2006, 03:01 PM   #8
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
This is good stuff. Thanks folks!
 
  

