Ah, of course, the DNS response was already cached by pdnsd, and I
can't figure out from the man page how to use tcpflow's udp options
anyway.
But more importantly, for my second question,
http://www.ezmlm.org/ezman/ezman1.html says after long research,
To temporarily leave an ezmlm list, just
-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Monday, August 20, 2007 7:14 PM
To: Chris
Cc: users@spamassassin.apache.org
Subject: Re: Bouncing emails from certain countries
On Mon, 20 Aug 2007, Chris wrote:
Does anyone know of a way, that whenever someone
On 18 Aug 2007, Magnus Holmgren said:
On Saturday 18 August 2007 16:14, Nix wrote:
On 17 Aug 2007, Robert Fitzpatrick verbalised:
ISPs are blocking port 25 from anything but their own stuff, especially
dial-up.
Mine blocks until you prove you're competent (or post a bond: I did the
On 18 Aug 2007, Kai Schaetzl stated:
Nix wrote on Sat, 18 Aug 2007 17:35:20 +0100:
Competent ISPs give you rDNS. (Really good ones delegate your rDNS to
you.)
So, your ISP is not competent? How would they give specific rDNS to
dynamic IP addresses, anyway?
It's not dynamic, but Botnet
John Thompson wrote on Mon, 20 Aug 2007 21:36:51 -0500:
Indeed. But some people have a religious objection to all things google,
so I hesitate to recommend it as a universal solution.
Misunderstanding. I meant to say that you do not need a Google Mail account
for this. That is why it is an
Matt Kettler wrote:
yossim wrote:
Hi forum, I am running MailScanner integrated with SA sendmail based.
I would like to add a new header to SA report, so the next stage of
spam filtering which is the trend micro will always forward the email
the outlook junk mail. The header is as follows:
Just need to proxy POP3 through SpamAssassin. There are a number of ways to
do that and some commercial products/services out there.
On 8/20/07, Patman [EMAIL PROTECTED] wrote:
Hello,
New to the forum.
Question, what I would like to do, is filter incoming traffic on port 110,
with a
-Original Message-
From: Robert Fitzpatrick [mailto:[EMAIL PROTECTED]
Sent: Saturday, 18 August 2007 1:24
To: users@spamassassin.apache.org
Subject: Re: Suggested botnet rule scores
On Fri, 2007-08-17 at 16:31 +0200, Kai Schaetzl wrote:
Robert Fitzpatrick wrote on Fri, 17 Aug
Also, Robert, take a look at this page:
http://www.stearns.org/doc/spamassassin-setup.current.html
local.cf has TONS of options, many of which are lightly documented. Pay
close attention to
bayes_path
auto_whitelist_path
Scalix is also a bit of an oddity when it comes to using spamass-milter
Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
to have a static assignment.
Well, if it's static they can give you rDNS and you can use a
Nix wrote on Tue, 21 Aug 2007 09:27:11 +0100:
If anybody is really so stupid as to unconditionally block mail from
hosts merely because of string matching in their rDNS, I'm not sure they
*deserve* to see any email...
No, it's stupid to send mail from adsl named ranges if you want to get
On 18.08.07 10:38, Marc Perkel wrote:
I have what I call a yellow list which is a list of IP addresses of
hosts like yahoo, google, hotmail, aol, etc that send a mix of spam and
nonspam. The idea being that if you are yellow listed then don't check
any other list because if it was listed it
On Tue, 21 Aug 2007, Chris wrote:
Hi John, Many thanks for the input on this - it's
appreciated.
John, whereabouts *precisely* do I input the text below
please and is that all that needs to be done ?
describe BL_COUNTRY_CN_1 Mail client in China
header BL_COUNTRY_CN_1
On 19.08.07 12:18, Leon Kolchinsky wrote:
After an upgrade to SA3.2.2 I've noticed that I've started to get FP's from
e-mail accounts originating at walla.com
I can see that it may be wise to adjust some scores to make these FP get thru
my system:
score DNS_FROM_OPENWHOIS 0
score
-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 21, 2007 3:24 PM
To: Chris
Cc: users@spamassassin.apache.org
Subject: RE: Bouncing emails from certain countries
On Tue, 21 Aug 2007, Chris wrote:
Hi John, Many thanks for the input on this -
Steve Freegard wrote:
How about:
Spam Actions = deliver header X-TM-AS-Product-Ver:
SMEX-7.0.0.1557-5.0.1021-15334.002
That should do what you need.
Interesting. I didn't know MailScanner could do that.. and I use it.
Thanks for correcting me Steve, I'll try to file that factoid in my
Out of curiosity (as this is a feature that I would like to have as well for
a couple of specific countries), is there a reason that a couple of SA
plugins can't be used:
http://wiki.apache.org/spamassassin/URICountryPlugin
Or
http://wiki.apache.org/spamassassin/RelayCountryPlugin
I am not
[EMAIL PROTECTED] wrote:
How does sa-update know if to update or not without going over the
network?
channel: attempting channel updates.spamassassin.org
channel: update directory
/home/jidanni/var/spamassassin/3.002003/updates_spamassassin_org
channel: channel cf file
On 8/20/07, Robert Fitzpatrick [EMAIL PROTECTED] wrote:
The plugins page at SARE says this is 0.8, but is it? The pm file looks
fine.
http://www.rulesemporium.com/plugins/pdfinfo.cf
You probably want to be looking at:
http://www.rulesemporium.com/plugins/PDFInfo.pm
not the .cf file. It
I have seen this once or twice, but still very rarely - spamd will fail
to restart after receiving a SIGHUP. It stops, but does not restart.
There's nothing in the log to indicate why. Has anyone seen the same?
/Per Jessen, Zürich
On Tue, 21 Aug 2007 at 09:33 -0500, [EMAIL PROTECTED] confabulated:
You're doing a LOT better than I am with it. Makes me wonder if I have
something set up wrong. My main SA server has a fast dual core Athlon
and 8 gigs of ram and it can get bogged down rather quickly. I wonder if
I'm doing
On Tue, 21 Aug 2007, Chris wrote:
Hi John, How do I find that file please ? I look at my
SA in Cpanel and can't see where to input the text
below?
describe BL_COUNTRY_CN_1 Mail client in China
header BL_COUNTRY_CN_1 eval:check_rbl('china',
'cn.countries.nerd.dk')
score
On Tue, 21 Aug 2007, Skip Brott wrote:
Out of curiosity (as this is a feature that I would like to have
as well for a couple of specific countries), is there a reason
that a couple of SA plugins can't be used:
http://wiki.apache.org/spamassassin/URICountryPlugin
Or
Hello,
It must have been asked before, but I couldn't find any suitable, will be glad if
you point me somewhere...
In our company we have the (mailer-exchange - spam-scanner - customers
with their own mail servers) topology.
We relay mail to them but some of them don't have the spam service with us
Hello,
It must have been asked before, but I couldn't find any
suitable, will be glad if you point me somewhere...
In our company we have the (mailer-exchange -
spam-scanner - customers with their own mail servers)
topology.
We relay mail to them but some of them don't have the
spam
On Aug 21, 2007, at 8:28 AM, Duane Hill wrote:
I have seen the suggestion recently in this thread to run SA from a
ram drive. I am going to experiment with that over the course of
this next weekend. I'm not quite sure how much increase in speed I
will get. All of our userprefs, AWL and
Really the only way to solve this properly is to stop providing relay
service. Relay service is a non-op in the current spam war. If you
do what you are trying to do here, then legitimate bounce messages
will also be dropped and thus you'll be decreasing the quality of
their service.
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED]
confabulated:
It seems to mostly help when it drops the message into a file for
clamav to scan.
Is that using the ClamAV plugin or outside of SA completely? I am
currently using the
On Tue, 21 Aug 2007 at 11:31 -0700, [EMAIL PROTECTED] confabulated:
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
It seems to mostly help when it drops the message into a file for clamav
to scan.
Is that using the ClamAV
Hi there:
This should be a fairly simple question for the experts out there ...
everything I'm receiving is being blacklisted, and the reports indicate
that all these messages are flagged as USER_IN_BLACKLIST. Where? I
don't have a user_prefs, and my global is really simple:
# These
I keep saying that I have false positives with botnet, but haven't
substantiated that to date. So, today I'm spending a little time making
exceptions since I would like this to work. Here are today's:
Americanpayroll.org, sent from IP 67.106.104.135, resolves to
67.106.106.135.ptr.us.xo.net #OK,
Bret Miller wrote:
Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
86, and others. All similarly resolve to
Bret Miller wrote:
Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22.enews.webbuyersguide.com
#not sure why
this got a BOTNET=1 flag, but it did. Also find hosts 92,
75, 70, 74, 93,
86, and others. All similarly resolve to
At 12:36 21-08-2007, John Rudd wrote:
# nslookup www2mail.wordreference.com
Non-authoritative answer:
Name: www2mail.wordreference.com
Address: 75.126.29.11
baddns.
There's an authoritative answer for www2mail.wordreference.com.
# nslookup server.nch.com.au
Non-authoritative answer:
At 12:36 21-08-2007, John Rudd wrote:
# nslookup www2mail.wordreference.com
Non-authoritative answer:
Name: www2mail.wordreference.com
Address: 75.126.29.11
baddns.
There's an authoritative answer for www2mail.wordreference.com.
# nslookup server.nch.com.au
Non-authoritative
On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, how?
Anyone who claims that isn't really looking at the email they are
blocking, or don't believe borked DNS qualify as a FP.
we can't
Michael Chapman wrote on Tue, 21 Aug 2007 12:10:08 -0700:
Is there a way I can reset the blacklist?
There is no auto blacklist. It's your blacklist entries. For a quick
diagnosis disable all of them and check if it persists.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive
Bret Miller wrote on Tue, 21 Aug 2007 12:15:27 -0700:
Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
86, and others. All
Jo Rhett wrote:
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED]
confabulated:
It seems to mostly help when it drops the message into a file for
clamav to scan.
Is that using the ClamAV plugin or outside of SA completely? I am
currently
Andy Sutton wrote:
On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, how?
Anyone who claims that isn't really looking at the email they are
blocking, or don't believe borked DNS qualify as
At 13:08 21-08-2007, Bret Miller wrote:
When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, how? And why is our setup here so
different? Perhaps they already block email with invalid rdns at the MTA
Your setup is different as your users
OK ... after diving back into my spam to get responses to this message,
I turned off AWL in v310.pre and removed all blacklist items from
local.cf and user_prefs. Still no joy. Everything is still getting
flagged as before! What is going on?
Thanks for all of your help so far, gang!
Michael Chapman wrote:
Hi there:
This should be a fairly simple question for the experts out there ...
everything I'm receiving is being blacklisted, and the reports
indicate that all these messages are flagged as USER_IN_BLACKLIST.
Where? I don't have a user_prefs, and my global is really
Thanks ... I can certainly take care of the whitelist items. The
country codes are all remarked out, as I used the ok_languages as
you indicated.
How will changing the whitelist entries prevent my incoming mail as
being blacklisted?
Thanks again!
Michael
I would set the following
I'd like to get some people to take an idea that I've been using
successfully for a long time that I would like to see implemented in SA.
I'm doing it mostly with Exim rules and generating these lists in some
unusual ways. But if this were done right it would make SA a lot faster
and more
SM wrote:
The
server.nch.com.au case is an interesting one. Technically, there isn't
anything wrong with that setup. But I digress as we are talking about
antispam here.
Technically, there is a problem with it: it violates best practices
asserted by RFC 1912, section 2.1, which warns that
Marc Perkel wrote:
Jo Rhett wrote:
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED]
confabulated:
It seems to mostly help when it drops the message into a file for
clamav to scan.
Is that using the ClamAV plugin or outside of SA
Bret Miller wrote on Tue, 21 Aug 2007 13:08:06 -0700:
When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, how? And why is our setup here so
different? Perhaps they already block email with invalid rdns at the MTA
level, so none of this ever gets
I don't know, but botnet hits a significant amount
of legitimate email here, regardless of how badly configured the sending
servers are.
I set botnet to score two, and I flag as spam at four. Every time I've
had a false positive botnet hit, other rules have been enough to keep
the score
Well, nothing has worked so far ... every message that I have coming in
(except for the specifically white-listed messages from this mailing
list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
this? You've seen my local.cf, I don't have a user_prefs anymore (blew
it away in
Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming in
(except for the specifically white-listed messages from this mailing
list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
this?
On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
b) Botnet gets 0% false positives at one of my services (not just
borked DNS == bad, as you're suggesting, but actual everything that
triggered botnet was actually spam). And, yes, I actually check
I never suggested that. My thoughts were
Oh, and yes, I did restart SA. That's not a silly question, Andy! :)
I had to dive back into spam to get your message though.
Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming
in (except for the specifically white-listed messages from this
mailing
On 21 Aug 2007, Kai Schaetzl said:
Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
to have a static assignment.
Well, if it's static they
On 21 Aug 2007, Kai Schaetzl outgrape:
Nix wrote on Tue, 21 Aug 2007 09:27:11 +0100:
If anybody is really so stupid as to unconditionally block mail from
hosts merely because of string matching in their rDNS, I'm not sure they
*deserve* to see any email...
No, it's stupid to send mail from
Oh, and yes, I did restart SA. That's not a silly question, Andy! :)
I had to dive back into spam to get your message though.
Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming in
(except for the specifically white-listed messages from this mailing
At 14:08 21-08-2007, John Rudd wrote:
Technically, there is a problem with it: it violates best practices
asserted by RFC 1912, section 2.1, which warns that not having
matching PTR and A records can cause a loss/denial of internet services.
You're right.
Regards,
-sm
I had to dive back into spam to get your message though.
Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming in
(except for the specifically white-listed messages from this mailing
list) have USER_IN_BLACKLIST flagged. Where on earth is it getting this?
Maybe you don't have a user_prefs, but then maybe you are not the user
calling SpamAssassin.
find / -name user_prefs | xargs grep -i blacklist_from
find / -name local.cf | xargs grep -i blacklist_from
Gary V
or (better)
find / -name user_prefs | xargs grep -i blacklist_
find / -name
Bret Miller wrote:
I keep saying that I have false positives with botnet, but haven't
substantiated that to date. So, today I'm spending a little time making
exceptions since I would like this to work. Here are today's:
[snip]
meridiencancun.com.mx, sent from IP , resolves to
Nix wrote on Tue, 21 Aug 2007 23:24:23 +0100:
(Personally I'd prefer that *no* single rule could push a mail more than
halfway towards spamminess...)
Absolutely agreed, with a few exceptions, like Bayes_99 :-)
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services:
On Aug 21, 2007, at 11:48 AM, Duane Hill wrote:
Ok. I just examined the clamav.pm plugin and it does appear to pass
the message text directly to the ClamAV daemon through the use of
the File::Scan::ClamAV perl module. Therefore, it doesn't sound
like a temp file is created.
Read the code
On Aug 21, 2007, at 1:42 PM, Marc Perkel wrote:
I've been using Clam but I've heard of Amavisd - do I want it? What
all does it do?
amavisd-new provides a nice front-end for virus and spamassassin
scanning. It's like using spamd, but a lot more featurefull. In my
case it was the easiest
No need for these settings if you have the above ok_languages en
I think you are correct if you assume that emails coming from *.ru (for
example), are written in something other than English, which is rarely the
case. Much of the spam I see from *.ru and *.su is in English.
- Skip
-- Forwarded message --
From: Daniel Aquino [EMAIL PROTECTED]
Date: Aug 21, 2007 9:51 PM
Subject: Re: Bouncing emails from certain countries
To: John D. Hardin [EMAIL PROTECTED]
I used IP::Country::Fast to block everything except Canada and USA...
I've only had to add one
I used IP::Country::Fast to block everything except Canada and USA...
I've only had to add one company to an allow list because they are in Italy...
I don't think it's that bad of a solution,
depending on where your company's customers are located..
On 8/21/07, Skip Brott [EMAIL PROTECTED]
On Tue, 21 Aug 2007 16:56:27 -0500
Andy Sutton [EMAIL PROTECTED] wrote:
On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
b) Botnet gets 0% false positives at one of my services (not just
borked DNS == bad, as you're suggesting, but actual everything
that triggered botnet was actually
This would work fine if you expect emails only from those countries. Our
company does business in Central South America as well (which also means
allowing lots of Spanish Portuguese). We do not do business in Europe or
Asia and I see quite a bit of spam from *.ru and *.su. I do not have
Michael Chapman wrote:
Hi there:
This should be a fairly simple question for the experts out there ...
everything I'm receiving is being blacklisted, and the reports
indicate that all these messages are flagged as USER_IN_BLACKLIST.
Where? I don't have a user_prefs, and my global is really
On Tue, 21 Aug 2007 at 17:43 -0700, [EMAIL PROTECTED] confabulated:
On Aug 21, 2007, at 11:48 AM, Duane Hill wrote:
Ok. I just examined the clamav.pm plugin and it does appear to pass the
message text directly to the ClamAV daemon through the use of the
File::Scan::ClamAV perl module.
On Monday 20 August 2007, Rob McEwen wrote:
In one of these cases, the message contains ONLY letters and numbers... all
other spaces, line breaks, and punctuation has been removed. Even
underscores are removed.
Have you considered the opposite?
Removing all letters, numbers and spaces, leaving
Nix wrote:
On 21 Aug 2007, Kai Schaetzl said:
Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
to have a static assignment.
Well, if it's
René Berber wrote:
Bret Miller wrote:
I keep saying that I have false positives with botnet, but haven't
substantiated that to date. So, today I'm spending a little time making
exceptions since I would like this to work. Here are today's:
[snip]
meridiencancun.com.mx, sent from IP , resolves