On Mon, 2009-05-11 at 06:56 -0700, an anonymous Nabble user wrote:
> THE PROBLEM: I'm signed up to over 300 forums, shops, sites etc, so there's
> no way I could make an email address box for all of those "pseudoaddresses",
> as it were. So I can't turn the catchall off.

Sure can, why not? Just alias them to a real address... You'll notice
that you'll get *much* less spam, once you've disabled the catch-all.

> SO...time to turn the whitelist and verification on, and the
> Spamassassin/boxtrapper combo looked perfect for this.

Boxtrapper is one of those pesky challenge / response sender-
verification tools, asking the "sender" to confirm he really sent that
mail.

The problem is with the design itself. Only the real sender can and will
confirm. The challenge to the *forged* sender of spam will not be
responded to. Good for you, bad for everyone else. You are sending
backscatter! Spammers are using the very same addresses they are spamming
as the sender. Thus your glorious solution to finally end the spam once
and forever is SENDING SPAM to innocent humans, bystanders, mirroring
your spam to them.

Seems to explain why you're using Nabble instead of subscribing to the
mailing list. You do not want my email.

I seriously hope you're not getting much help on integrating such a
horrible C/R backscatter beast. If, instead, you are willing to drop
boxtrapper and need help with SA, we'd be glad to assist.


> I want all messages (wherever they were originally sent to), which are
> marked as spam, to go to a mailbox on which boxtrapper is active.

> BUT it appears that only mail ADDRESSED to spamtrap...@mydomain.com is
> activating the "please confirm" message.

This is a "limitation" of boxtrapper, not a SA issue.

Actually IMHO it's a *blessing* rather than a limitation. Automatic
challenge response verification is bad as is -- imagining that for a
catch-all gives me the creeps.


> I then found a "user_prefs" file in /home/myaccount/.spamassassin/user_prefs
> 
> I followed the documentation here:

> required_score 5
> rewrite_header TO spamt...@mydomain.com

Just tested, never used it before, works as advertised for me.

> However, this "to" header is not being rewritten. This is driving me crazy -
> all I want to do is get box-trapper to act against ALL incoming mail,
> whoever addressed to, if it's been tagged as spam.

If it isn't for you, it's probably an issue to take up with the cpanel
support and how exactly they integrate SA. Some third-party glue simply
ignores all SA markup and changes, and adds their own instead.

However, do note that the rewrite_header option does NOT work as you
intend it. Specifically, it adds a comment (a real name, so to speak)
and keeps the original email address. See section Basic Message Tagging
Options in the docs [1] you cited yourself.


> And while I'm here, how come there's a large and rapidly growing binary
> file in /home/myaccount/.spamassassin/auto-whitelist which currently
> has 5mb of spammy addresses I've never emailed?

It's the AWL, a historical score averager [2] for the senders' addresses.


> Thanks, and apology for the length of this, but over the 1.5 months I've
> been battling this, I've built up quite some info!

Unfortunately, that info didn't include some real hints about the
challenge response sender-verification pest, and why it is BAD.

Please, do NOT use challenge response sender-verification, do NOT use
boxtrapper.

  guenther  -- tried hard to keep the rants to a minimum


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
[2] http://wiki.apache.org/spamassassin/AutoWhitelist

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
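
An added example, not part of the original message: it shows that a comment appended to the To header, as the reply describes for rewrite_header, leaves the recipient address unchanged, and that the X-Spam-Flag / X-Spam-Status headers are what a filter can key on to file tagged mail silently, with no challenge sent. The sample messages, addresses, folder names and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a message after tagging, with a comment appended to To.
TAGGED = """\
From: sender@example.net
To: shop17@example.org (SPAM)
Subject: cheap pills
X-Spam-Flag: YES
X-Spam-Status: Yes, score=12.3 required=5.0

body
"""

# Constructed sample: the same recipient, not tagged.
CLEAN = """\
From: friend@example.net
To: shop17@example.org
Subject: lunch?
X-Spam-Status: No, score=-1.2 required=5.0

body
"""

def recipient_addresses(raw):
    """Return the addresses in To:, ignoring comments and display names."""
    msg = message_from_string(raw)
    return [addr for _name, addr in getaddresses(msg.get_all("To", []))]

def is_tagged_spam(raw):
    """True if the SpamAssassin markup headers say the message is spam."""
    msg = message_from_string(raw)
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        return True
    return msg.get("X-Spam-Status", "").strip().lower().startswith("yes")

def destination_folder(raw, spam_folder="Junk", inbox="INBOX"):
    """File tagged mail into a folder; nothing is sent back to the sender."""
    return spam_folder if is_tagged_spam(raw) else inbox

if __name__ == "__main__":
    for raw in (TAGGED, CLEAN):
        print(recipient_addresses(raw), "->", destination_folder(raw))
```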
