of trapping
spam.
And yes, I have used all types of phone numbers for these things (as
mentioned off list). I've been around this list for some years now so
this really isn't a noob scenario.
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 19
Jo Rhett wrote:
I'm kind of hoping that there will be some way to get SA to re-read the
rules *WITHOUT* restarting the process.
Jonas Eckerman wrote:
Tell the daemon (or whatever) to reload the filter. The daemon creates
one or more new SA objects without closing its listening
socket/port
, especially outside of the US.
And fixed reverse IP information is common for T1 level service too.
You're thinking too small.
--
Jo Rhett
Network/Software Engineer
Net Consonance
than
milters for SA.
Before I respond, let's clarify context. Do you work with a company
that has a large array of mail servers? I do, and I've built more than
a dozen in the last 4 years.
And everything you're saying disagrees with all of my experience.
--
Jo Rhett
Network/Software Engineer
to accept, most servers would attempt a
redeliver, so no harm no foul.
Our 200,000/server is nowhere near the 500,000 reported on the list
earlier, but it is a respectable number. Oh, and automatic ALL_TRUSTED
works for us.
--
Jo Rhett
Network/Software Engineer
Net Consonance
/machine/day?
1,000,000/machine/day?
Jo Rhett wrote:
Respectable enough, but I'm not sure why you bother having that big of
an array with that small of a mail load. I've got single machines
handling loads several times larger, all doing Clamd, a commercial
scanner, SA and more on milter during
for the clueless people using
it out of the box. That's your real target audience.
On Oct 17, 2006, at 10:53 PM, Matt Kettler wrote:
Jo Rhett wrote:
On Oct 17, 2006, at 5:59 PM, Matt Kettler wrote:
Because there *HAS* to be a local. If there isn't, then the message
isn't at your server
for the
latter. The former generally don't read the docs, and I prefer to avoid
the mailing list noise.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Sorry, I should write a rule but no time today or tomorrow. This e-mail
has gotten past SA with no score on 4 different accounts nearly half a
dozen times today. The only change in the e-mail is the name used in
the From address, which is also reflected in the Subject line. It's
always
,
the amount of spam which reached the mailbox DID NOT CHANGE AT ALL.
In short, everything that greylisting stopped was also caught by
spamassassin.
Since the net effect of not using greylisting is 0, and the net effect
of using greylisting is delayed mail ... you do the math.
--
Jo Rhett
Network
On Tuesday 17 October 2006 19:33, Jo Rhett took the opportunity to say:
Send a bunch of spam with a single forged sender address to a lot of
sites that do sender verification. Watch their mail server fall down.
I can assure you that even with modern hardware, no e-mail MTA available
today can
are available. Is
it not correct that the 50 should NOT be tried until the 10 is
unavailable? Or do I have that backwards?
--
Jo Rhett
Network/Software Engineer
Net Consonance
more were caught by network checks.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Hm. I'm surprised on no answers. Can I persist? This topic is of real
interest to me...
Jo Rhett wrote:
Okay, there's no docs on this so I wanted to ask if someone has any
insights different than what I have observed.
SA-Update seems to require less configuration changes. In short, all I
well known
advantages or well known failures, etc.
--
Jo Rhett
Senior Network Engineer
Network Consonance
didn't bother, and used sa-update instead.
I'm wondering if there is anything I'm missing...
Jo Rhett wrote:
Okay, there's no docs on this so I wanted to ask if someone has
any insights different than what I have observed.
SA-Update seems to require less configuration changes. In short,
all I
this on freebsd? Many thanks.
On FreeBSD sa-update will put the files where SA expects them. That's
/var/lib/spamassassin/{version}/...
I think that the previous problem was someone overriding that and trying
to put the updates into his main rules directory.
--
Jo Rhett
Network/Software
.
So with your army of bot-machines and open relays, you start delivering
all over the planet with a single forged envelope sender.
Yes, it isn't a problem today. But if everyone turned on sender
authentication, it would be. Instantly.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Anders Norrbring wrote:
This type of image spam is getting more common, and is not detected.. At
least not here..
score SARE_GIF_STOX 2.5 2.5 2.5 2.5
That's all it took, and we don't see it any more.
--
Jo Rhett
Network/Software Engineer
Net Consonance
38,500 pixels?
--
Jo Rhett
Network/Software Engineer
Net Consonance
today can handle 20mb/sec of e-mail connections. The best I have
personally observed is commercial Sendmail handling 12mb/sec. (of
connections with no data transfer is a LOT of connections)
--
Jo Rhett
Network/Software Engineer
Net Consonance
. That was very modern hardware, and it happened just
a few weeks ago.
Think about it. It doesn't require you to stretch your brain to figure
out the math involved.
--
Jo Rhett
Network/Software Engineer
Net Consonance
not to accept
e-mail from sites which violate those policies.
--
Jo Rhett
Network/Software Engineer
Net Consonance
.
--
Jo Rhett
Network/Software Engineer
Net Consonance
.
This isn't the ARPAnet, and we no longer know the other 52 sites personally.
--
Jo Rhett
Network/Software Engineer
Net Consonance
.
Download any modern spam sending product. Take a look at it. Think
about it.
--
Jo Rhett
Network/Software Engineer
Net Consonance
: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 1:28 PM
To: Kelson
Cc: users@spamassassin.apache.org
Subject: Re: This image is turning frequent..
I think you guys are going down a much harder road. This only makes
sense if and when e-mail with only a GIF
, if you haven't Received: the message yet, how'd it get to SA?
Do you really expect SA to work on a message that doesn't even appear
to have been delivered to your domain yet?
Jo Rhett wrote:
As mentioned in my previous message, I have dozens of messages here
that have as many as 12 received headers
to be more accurate than
getifaddrs() ? Am I supposed to agree that this makes sense? Seriously...
--
Jo Rhett
Network/Software Engineer
Net Consonance
was discard eligible etc etc
You pretty much nailed it. The target is a DSL customer, so sending
100mb/sec isn't enough to raise the eyebrows of any modern service
provider, but the DSL switch receiving that flood gets fairly unhappy
and the target is completely offline.
--
Jo Rhett
)
Sure. Use the ability to tag to a plussed address, then virtusertable
the plussed address to a local cyrus server with Squirrelmail, and route
the normal mail onward. This should only take about an hour to set up.
--
Jo Rhett
Network/Software Engineer
Net Consonance
, spamassassin *DOES* run.
Always. It's just whether or not it's doing anything useful. When it
can't talk to the sockets, it's dead in the water. This requires an
external test to determine.
--
Jo Rhett
Network/Software Engineer
Net Consonance
PROTECTED]
What? Who is talking about whitelist?
--
Jo Rhett
Network/Software Engineer
Net Consonance
Nice insult. Can we stick to fixing real problems, please?
jdow wrote:
You're the twit who reduced the required score. Fix it.
{^_^}
- Original Message - From: Jo Rhett [EMAIL PROTECTED]
Included below is a legitimate e-mail on a legitimate payment that I
did make.
I've looked
= (\$addr_extension_bad_header);
--
Jo Rhett
Network/Software Engineer
Net Consonance
of system implementations for you.
Without checking the local interface, how do you know what the network
is? Are you assuming that my 64.x address is a class-A network?
Seriously, auto detection can't possibly work if you're not checking the
local interface addresses.
--
Jo Rhett
Network
Jo Rhett wrote:
Oh. I get it. We're trusting headers to be more accurate than
getifaddrs() ? Am I supposed to agree that this makes sense?
Seriously...
Daryl C. W. O'Shea wrote:
Yeah, seriously. Especially when your cluster of 50+ SA machines don't
share the same interface as the other
Chris Santerre wrote:
I'm embarrassed to ask but, what cf file is that from?
[EMAIL PROTECTED] /usr/local/etc]$ find /var/lib/spamassassin -type f
-exec grep -l SARE_GIF_STOX {} \;
/var/lib/spamassassin/3.001004/70_sare_stocks_cf_sare_sa-update_dostech_net/200609222100.cf
--
Jo Rhett
) does it all very cleanly, and is
supported by the team. (sa-update is newer than rdj, so it's not really
rdj's fault)
Frankly, I subscribed to almost every single ruleset on the
rulesemporium page. If I skipped any that weren't do not use then I
don't know what they were.
--
Jo Rhett
running. Low limit is 2, upper limit is 10.
Load average is always 0 across the board. This system is bored.
--
Jo Rhett
Senior Network Engineer
Network Consonance
advantage to
RDJ?
And leading to my next point, given that sa-update is working fine --
isn't rdj going to be slimmed down to just the part that restarts the
process after running sa-update?
Why not?
--
Jo Rhett
Senior Network Engineer
Network Consonance
still does this in a long time.
Usually it's running on the MX hosts.
So given that scenario, what do you perceive as the problem?
--
Jo Rhett
Senior Network Engineer
Network Consonance
daemons, not SpamD daemons. So if
you're not using Amavis (which uses the SA object module) then YMWV
(...will vary...)
--
Jo Rhett
Senior Network Engineer
Network Consonance
something)
ranges from 2-7%. Load never breaks 0.
Amavisd, with amavisd-milter, clamd and all of the sare rulesets.
But Bayes is disabled -- maybe that's the difference?
--
Jo Rhett
Senior Network Engineer
Network Consonance
Jo Rhett wrote:
RIGHT. So why are they Trusted?
On Oct 17, 2006, at 5:59 PM, Matt Kettler wrote:
Because there *HAS* to be a local. If there isn't, then the message
isn't at your server.
This is the whole point. If the message hasn't been Received: by a
local
server, it is by definition
-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent:
dinsdag 17 oktober 2006 5:37
To: Matt Kettler
Cc: Jo Rhett; Magnus Holmgren; users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
As discovered today, Jo's milter isn't adding the required
received header for his
installed
instead if no freebsd ported versions are available. :(
So go make one :-) It's easy enough.
--
Jo Rhett
Network/Software Engineer
Net Consonance
, but they are compliant with the judgement
for all US users, which is all the US court has authority for.
--
Jo Rhett
Network/Software Engineer
Net Consonance
threaded in with the previous topic. On most days, I ignore
any such messages. The vast majority of other smart people do the same.
To start a new thread, use Compose Mail To or whatever your client
has...
--
Jo Rhett
Network/Software Engineer
Net Consonance
missed a smiley somewhere
that showed that you knew better.
--
Jo Rhett
Network/Software Engineer
Net Consonance
non-techy people. Only
recently was .us normalized so that it could be used by .us companies.
--
Jo Rhett
Network/Software Engineer
Net Consonance
and DKIM policies to tell other sites how to
interpret your mail. Right now, implementing both is good for 70% of
the backscatter.
--
Jo Rhett
Network/Software Engineer
Net Consonance
to that, or I might submit a patch eventually :-)
--
Jo Rhett
Network/Software Engineer
Net Consonance
not make it to the recipient !
I'm not a postfix user, so clue me in. Doesn't this prevent local
bounce messages from being delivered?
I also believe that the original post was about backscatter, not forged
postmaster mail.
--
Jo Rhett
Network/Software Engineer
Net Consonance
, or are all the dumb answers coming up today?
Or, perhaps, run spamassassin and don't worry about changing your e-mail
constantly? Duh?
--
Jo Rhett
Network/Software Engineer
Net Consonance
work unless you are behind a NAT. So a person who believes that without
testing won't realize that they're looking at the problem.
The autodetection is totally broken actually, and needs to be fixed.
I've added a comment to the Wiki to let people know about this.
--
Jo Rhett
Network/Software
I would trust the headers from a host, but wouldn't trust it for
bounces...
Also, I think (I don't have time to read the ruleset in detail right
now) that it seems a bit harsh. The goal would be to identify only
backscatter right? It seems likely to hit almost every bounce, yes?
--
Jo Rhett
a postmaster)
And John, there are metrics used to test this. Implement the testing
environment for yourself, and come up with real metrics before saying
this kind of absolute-statement-no-caveat nonsense.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Justin Mason wrote:
Jo Rhett writes:
Justin Mason wrote:
do you mean the one I posted about earlier, or the original?
Sorry, I haven't looked at it in a while and wouldn't remember.
Looking at yours - why don't you use the global parameters that specify
trusted header hosts instead
On Monday 16 October 2006 10:11, Jo Rhett wrote:
I got two HAM messages
with this set (but only this and not enough to filter on) and nearly
every spam either had this or was picked up by SPF or DKIM rules (was a
forged mail from a domain which had a postmaster)
John Andersen wrote:
Thanks
John D. Hardin wrote:
On Mon, 16 Oct 2006, Jo Rhett wrote:
I am convinced that spam (in all its forms) will continue to be a
problem until spammers start dying for what they are doing. That will
change the risk/benefit analysis rather strongly towards the negative.
So join WhackASpammer. You
of providing backscatter protection only
for the domains who are protecting others against their forgeries.
--
Jo Rhett
Network/Software Engineer
Net Consonance
who is trying to sell their mail services.
--
Jo Rhett
Network/Software Engineer
Net Consonance
RHETT*
For your account ending in *SNIP*
Add [EMAIL PROTECTED] to your address book to ensure delivery.
Dear JO RHETT,
This email confirms the following action(s) completed at Account Online
for your Citi Cards account ending in *SNIP*.
See detail(s) below:
# *Click-to-Pay Payment Confirmation
no idea their sysadmin is
braindead.
That makes sense. And that's why you can modify the scores locally.
The vast majority of spamassassin users feel otherwise, which is why it
is defaulted on.
--
Jo Rhett
Network/Software Engineer
Net Consonance
for working around this? Create a meta rule that negates
SARE_FORGED_CITI.
No, the real fix is for the rule to work. Don't add breakage to breakage.
--
Jo Rhett
Network/Software Engineer
Net Consonance
tempted to report them to SpamCop (who will accept those
complaints, I know, we get them on our colo customers all the time)
--
Jo Rhett
Network/Software Engineer
Net Consonance
Daryl C. W. O'Shea wrote:
Jo Rhett wrote:
Included below is a legitimate e-mail on a legitimate payment that I
did make.
I've looked at the rule, and I can't figure out why it failed.
After unwrapping the mail included in your message body, I can't
reproduce this under SA 3.1.8-r454679
confused you and Ted because you responded.
Apparently these are Ted's rules...
--
Jo Rhett
Network/Software Engineer
Net Consonance
the --lint and then restart
process a bit more robust...
--
Jo Rhett
Network/Software Engineer
Net Consonance
with amavis getting upset when SA goes away suddenly, etc.
3.2.0 will include an improved lint process. Pending enough testing
(and me/somebody getting around to writing the code) it might show up
sooner.
I'd rather enable some sort of inline reconfig of the SA ruleset...
--
Jo Rhett
Network
to it?
--
Jo Rhett
Network/Software Engineer
Net Consonance
can recreate on the command line by running the stop/start commands
quickly.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Matt Kettler wrote:
Jo Rhett wrote:
The autodetection is totally broken actually, and needs to be fixed.
How do you propose it be fixed?
This has been brought up a few dozen times, and really it boils down to
breaking people with NATed MX servers (as it is now), or breaking people
without
detection enabled that
doesn't have false hits. I was struggling with it until I went to have
a beer with friends and found out that *NOBODY* uses the autodetection
because they've all found it to be broken.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Jo Rhett wrote:
Auto detection is completely and utterly broken.
...
Seriously, show me a single site with auto detection enabled that
I just wanted to apologize for my pissy attitude. It wasn't you guys,
and you didn't deserve these responses.
(the rest of this e-mail is off
Matt Kettler wrote:
Jo Rhett wrote:
You're still babbling about NAT. I could care less about NAT. All
trusted breaks for EVERYONE, and EVERYONE ends up hardcoding
trusted_networks because auto detection is completely and utterly broken.
Fine.. We'll ignore NAT. It's not your problem, I get