Are you the ISP for the IP address, or the client/user?
According to SORBS, requests for removal from the DUHL should come
from the ISP that owns the IP space, not the end user that rents it.
See: http://www.au.sorbs.net/faq/dul.shtml
End users (non ISP staff): SORBS support staff may ask you
Having full rDNS isn't the issue.
What probably happened was something like this:
1) your ISP reported their dynamic addresses to SORBS, or SORBS
inferred them via various means.
2) SORBS listed those addresses in DUL
3) Your ISP ran low on static addresses, and allocated to you one of
the
On Mon, Mar 22, 2010 at 07:51, micah anderson mi...@riseup.net wrote:
From a user who has unfortunately been saddled with a dynamic IP that
previously was used by a spammer. No amount of explanation to these
users about this is going to assuage their feelings, and there isn't
really anything
Botnet. But, there are still plenty of things coming
from that class of hosts, so if you don't use one, I'd definitely
recommend using the other.
John Rudd
On Wed, Mar 17, 2010 at 14:34, Micah Anderson mi...@riseup.net wrote:
Hi,
I've been using the Botnet plugin version 0.8 for some time
On Tue, Mar 9, 2010 at 08:03, Kai Schaetzl mailli...@conactive.com wrote:
Charles, just a quick answer as we are really OT.
It all simply boils down to (quoting me):
avoid unnecessary processing and avoid unnecessary traffic.
and I might add now: with the least disadvantages on both sides.
yeah, RW pretty much hit this one on the head. You're going to need
to exempt it by IP, not by domain name.
On Thu, Nov 5, 2009 at 19:56, RW rwmailli...@googlemail.com wrote:
On Fri, 6 Nov 2009 03:28:40 +
RW rwmailli...@googlemail.com wrote:
The
On Tue, Oct 27, 2009 at 05:42, rich...@buzzhost.co.uk
rich...@buzzhost.co.uk wrote:
On Tue, 2009-10-27 at 05:08 -0600, LuKreme wrote:
On 27-Oct-2009, at 04:53, Mike Cardwell wrote:
Why have any geocities specific rules any more if geocities doesn't
exist? It's not as if spammers can host
On Tue, Oct 27, 2009 at 06:06, rich...@buzzhost.co.uk
rich...@buzzhost.co.uk wrote:
On Tue, 2009-10-27 at 05:50 -0700, John Rudd wrote:
On Tue, Oct 27, 2009 at 05:42, rich...@buzzhost.co.uk
rich...@buzzhost.co.uk wrote:
On Tue, 2009-10-27 at 05:08 -0600, LuKreme wrote:
On 27-Oct-2009, at 04
heheh. I was about to make the same reply... without the eyes.
On Mon, Oct 26, 2009 at 18:22, jdow j...@earthlink.net wrote:
No, I didn't get your email.
{O,o}}
- Original Message - From: Lars Ebeling
lars.ebel...@leopg9.no-ip.org
Sent: Monday, 2009/October/26 06:53
Or am I
All:
_IS_ there a Thunderbird plugin for SA? That would seem to be quite useful.
1) install perl for your platform (amadis: the perl language
interpreter is required for Spam Assassin)
2) install SA
3) install the (hypothetical) Thunderbird plugin
Then you can use SA to augment Thunderbird's
On Sat, Oct 17, 2009 at 06:24, rich...@buzzhost.co.uk
rich...@buzzhost.co.uk wrote:
Remember, if the
sender was really clean, there would be zero need for CC.
Absolute unadulterated BS.
This is equivalent to saying all of those lay-people who just get
gmail or yahoo or hotmail accounts -- if
UCSC uses them for various announcement messages as well (I think
they're mostly in-bound (ie. sending to UCSC addresses), but I don't
know if that's 100% true).
So, while I can't speak to whether or not they send spam, I can vouch
that they are sometimes used to send ham.
JRudd
On Fri, Oct
On Fri, Oct 16, 2009 at 11:07, R-Elists list...@abbacomm.net wrote:
So, even though I cringe when I hear a name like Constant
Contact, it does serve a legitimate business need.
says who?
Me. I work for one of their clients (a University). One or two of
our divisions use them for large
On Fri, Oct 16, 2009 at 13:29, John Hardin jhar...@impsec.org wrote:
On Fri, 16 Oct 2009, John Rudd wrote:
Me. I work for one of their clients (a University). One or two of
our divisions use them for large mailings to our internal users.
How is Constant Contact better than (say) GNU
On Sat, Oct 10, 2009 at 16:44, Warren Togami wtog...@redhat.com wrote:
Given that zen.spamhaus.org is a combination of XBL and PBL, this
data seems to confirm the good reputation of Spamhaus.
Er.. Zen is a combination of SBL, XBL, and PBL. Not just the XBL and PBL.
On Sat, Oct 3, 2009 at 11:06, Warren Togami wtog...@redhat.com wrote:
# 8-letter .cn domain, per Warren Togami
uri CN_EIGHT m;^https?://(?:[^./]+\.)*[^./]{8}\.cn/;
describe CN_EIGHT .CN uri with eight-letter domain name
score CN_EIGHT
On Sat, Oct 3, 2009 at 15:55, John Hardin jhar...@impsec.org wrote:
On Sat, 3 Oct 2009, John Rudd wrote:
On Sat, Oct 3, 2009 at 11:06, Warren Togami wtog...@redhat.com wrote:
# 8-letter .cn domain, per Warren Togami
uri CN_EIGHT
m;^https?://(?:[^./]+\.)*[^./]{8}\.cn/;
describe
On Fri, Jul 31, 2009 at 12:37, LuKreme krem...@kreme.com wrote:
On Jul 31, 2009, at 1:33 PM, jdow wrote:
Given that profanity is the effort of a small mind to express itself
I have a feeling he's going to receive his third and final warning any
time now, Matt
Given that nothing that richard
On Thu, Jul 30, 2009 at 14:01, ktnj_engl...@kawasaki-tn.com wrote:
Actually I think Nabble is great for those of us who can't handle the traffic
of the whole mailing list.
If you're an RSS reader, I'd suggest getting an RSS feed from gmane.
You can pick 4 types of feed:
1) full articles, 1
On Thu, Jul 30, 2009 at 17:54, Aaron Wolfe aawo...@gmail.com wrote:
On Thu, Jul 30, 2009 at 5:01 PM, ktnj_engl...@kawasaki-tn.com wrote:
Actually I think Nabble is great for those of us who can't handle the traffic
of the whole mailing list.
This list generates less than 50 messages per day
View this message in context:
http://www.nabble.com/Any-one-interested-in-using-a-proper-forum--tp24697144p24697144.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
He's clearly using Nabble, and thinks that's the primary interface for
the list ...
So, Peter, if
On Tue, Jul 28, 2009 at 06:29, McDonald,
Dan dan.mcdon...@austinenergy.com wrote:
On Tue, 2009-07-28 at 06:16 -0700, John Rudd wrote:
Though ... it'd be nice if there was a direct RSS feed for the users
list. Hopefully Nabble isn't my only choice for an RSS feed :-}
(esp. since it posts 1 RSS
On Tue, Jul 28, 2009 at 07:09, RW rwmailli...@googlemail.com wrote:
On Tue, 28 Jul 2009 06:16:38 -0700
John Rudd jr...@ucsc.edu wrote:
Personally, when I'm so lightly involved in a message stream that I
don't want to be subscribed to the entire list, I prefer to use the
RSS interface
On Fri, Jun 26, 2009 at 15:23, LuKreme krem...@kreme.com wrote:
On 26-Jun-2009, at 14:54, Charles Gregory wrote:
I don't care. It's the *meaning* that matters. Not the *word*.
Fine, then, the meaning. Your meaning is *wanted* and my meaning is mail
from a verifiable source with a verifiable
2009/6/25 Ned Slider n...@unixmail.co.uk:
Karsten Bräckelmann wrote:
On Thu, 2009-06-25 at 13:20 +0200, Jan P. Kessler wrote:
Henrik K schrieb:
SA is trying to be too supportive for the money it receives. ;-) If you
ask
me, just ditch this and all other old baggage for 3.3. If you are not
On Thu, Jun 25, 2009 at 07:11, Per Jessen p...@computer.org wrote:
John Rudd wrote:
I've seen LOTS of so-focused-on-stability if it ain't broke, don't
upgrade it type shops in the Solaris arena ...
You'll likely find that in any production environment that is concerned
about uptime
On Thu, Jun 25, 2009 at 10:09, Chris Hoogendyk hoogen...@bio.umass.edu wrote:
Gone are the days when you totally avoided upgrades because of the time,
hassle and risk involved.
Time and hassle, maybe. Risk, no. Risk is not a binary, it's a
balancing act. Live updates don't remove risk, they
On Thu, Jun 25, 2009 at 14:41, mouss mo...@ml.netoyen.net wrote:
James Wilkinson a écrit :
If you mean “IP address that should not have been in the PBL but was”,
that’s one thing. It’s a consistent definition, but not very useful for
stopping spam.
yes, the PBL may list blocks that contain
On Mon, Jun 22, 2009 at 15:06, Arvid Picciani a...@exys.org wrote:
Jeremy Morton wrote:
You then have to pay their tithe money to get people to start receiving
your e-mail again.
sorbs doesn't charge for delisting.
Actually no trustworthy bl does.
Technically correct, but not literally.
On Mon, Jun 22, 2009 at 18:07, Res r...@ausics.net wrote:
On Tue, 23 Jun 2009, mouss wrote:
payment were only needed for spam, not for dul
not really :) despite what their site said/says.. it's kind of a deterrent i
think dunno we never paid
I think it's fair to hold/criticize/ridicule
On Mon, Jun 15, 2009 at 15:43, Jason Haar jason.h...@trimble.co.nz wrote:
Theo Van Dinter wrote:
SpamAssassin is not a porn filter, whatever the variety.
Yes it is. If it's unsolicited - then it's spam.
I believe Theo's point is that: Just because it's porn doesn't mean
it's unsolicited. The
Botnet seems to have caught that just fine (it's listed in the rules
which were triggered). The problem is either that you're running it
at a lower score (which you could also do for Botnet0.8 if you wanted
to upgrade -- their default scores are exactly the same), or you need
other rules/configs
On Sat, Jun 13, 2009 at 18:47, MySQL Student mysqlstud...@gmail.com wrote:
Hi John,
Botnet seems to have caught that just fine (it's listed in the rules
which were triggered). The problem is either that you're running it
at a lower score (which you could also do for Botnet0.8 if you wanted
On Sat, Jun 13, 2009 at 18:56, MySQL Student mysqlstud...@gmail.com wrote:
I also see BOTNET_NORDNS in Botnet.cf, but it isn't being triggered. It's
also weighted at 0.0. Is there a reason for this?
There's two ways to use Botnet:
1) one big rule (BOTNET) that rolls up all of the sub-rule
On Thu, Jun 11, 2009 at 06:46, Bill Landry b...@inetmsg.com wrote:
McDonald, Dan wrote:
On Wed, 2009-06-10 at 21:40 -0700, John Rudd wrote:
On Wed, Jun 10, 2009 at 21:11, Bill Landry b...@inetmsg.com wrote:
Jake Maul wrote:
Interesting that I'm just now running into this... I've been using
On Thu, Jun 11, 2009 at 12:45, Charles Gregory cgreg...@hwcn.org wrote:
With respect, your concerns about
required testing are at the least, exaggerated. The testing has been
done by everyone who uses the patch.
a) thank you for your well worded thoughts
b) my statement about the time it
had provided John Rudd with a nice, neat patch
for botnet.pm well over a year ago to resolve this issue, John has not
opted to take the 5 minutes that is necessary to fix botnet by applying
the patch. He is no longer maintaining botnet, and it has become an
orphaned plugin that is in serious need
On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson ja...@iki.fi wrote:
The BOTNET plugin isn't covered in the CustomPlugins wiki
page. When I Googled it I found this:
http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
but it's a bit old. Is there a later version?
That's 0.8 which is AFAIK
On Mon, Jun 8, 2009 at 16:31, alexus ale...@gmail.com wrote:
what's botnet plugin?
It's a SpamAssassin plugin that looks at DNS configurations and attempts to
identify hosts that are probably actually clients that are sending
email directly to your server, instead of through their own mail
server.
Different people run botnet at different score levels, depending on
what they want the rule to do. The default is 5 because 5 is the
common point where people set messages aside for review (remove them
from their regular mail stream). That's what botnet is saying about
such messages: this
On Thu, Jun 4, 2009 at 16:32, Adam Katz antis...@khopis.com wrote:
John Rudd wrote:
That seems to be an important distinction for
strict/rigorous/theoretical discussions of what is full circle
reverse DNS, and things along those lines... but I'm not sure if
it really is an important
On Sat, Jun 6, 2009 at 13:38, Rich Shepardrshep...@appl-ecosys.com wrote:
On Sat, 6 Jun 2009, John Rudd wrote:
The thing to do to fix messages from given locations is lean,
heavily, upon the sender to get their sending environment fixed. What
botnet finds are sites with bad DNS
On Thu, Jun 4, 2009 at 13:57, Adam Katz antis...@khopis.com wrote:
John Hardin wrote:
So that data comes from /etc/hosts. How does that materially affect the
FCrDNS sanity test?
By definition, FCrDNS uses DNS lookups. Unless you're using dnsmasq,
the entries in /etc/hosts are ignored during
On Sun, Apr 26, 2009 at 14:01, Adam Katz antis...@khopis.com wrote:
Charles Gregory wrote:
On Fri, 24 Apr 2009, Adam Katz wrote:
The more pressing point (since fixing the one you mentioned is pretty
simple) is that when you use a call to a sender's MX record and either
use SMTP's VRFY
On Thu, Apr 9, 2009 at 08:31, Kai Schaetzl mailli...@conactive.com wrote:
John Rudd wrote on Wed, 8 Apr 2009 12:44:29 -0700:
1) Does anyone know of a convenient command line tool (perl library
being ideal) that lets you give it an IP address, and it tells you the
country and/or continent
I know there used to be a nice convenient set of RBL's based upon
countries, such that you could easily track an IP address back to
which country it came from. But, IIRC, that RBL went under.
1) Does anyone know of a convenient command line tool (perl library
being ideal) that lets you give it
There are some interesting thoughts here about how to solve email's
problems ... but I'd like to put forward some thoughts...
I believe it was Cantor, of Cantor and Siegel, the first big and
_well_known_ spammer of Usenet and the Internet (but not the first
outright spammer of the internet), who
On Tue, Mar 31, 2009 at 11:17, Rik hlug090...@buzzhost.co.uk wrote:
[drivel about Spamhaus snipped]
Use the Barracuda list - it's pretty aggressive [...] USE:
b.barracudacentral.org.
What rate of false positives does it get?
What is the basis of being listed?
Does it have sub-lists to
Is that your own webmail server (run by you, or run by a service you
use/trust/contract-with/etc.)? Because, a webmail transaction
shouldn't go to the generic internet anymore than a desktop client
should, IMO ... so they're in the same boat as everyone else.
That host should go to their local
I'll incorporate this into the next version. Thanks :-)
On Thu, Jan 15, 2009 at 12:47, Jonas Eckerman jo...@fsdb.org wrote:
Hello!
Here's a small patch for the Botnet plugin.
The difference from the original is that it doesn't treat a timeout or DNS
error the same as a not found answer.
On Thu, Jan 15, 2009 at 09:06, Mark Martinec mark.martinec...@ijs.si wrote:
Jonas,
I just found one reason for FPs in the Botnet plugin. It doesn't
make a difference between timeouts (and other DNS errors) and
negative answers. So if your DNS server/proxy is overloaded (or
slow for some
How's it working for you, so far?
On Wed, Jan 14, 2009 at 06:12, Paul Griffith pa...@cse.yorku.ca wrote:
On Tue, 13 Jan 2009 05:28:42 -0500, si g_b...@yahoo.co.uk wrote:
Guys,
I'm sure you're as sad as I am re- temporary suspension of the brilliant
services offered by Steve Basford and is
On Wed, Jan 14, 2009 at 06:59, Rob McEwen r...@invaluement.com wrote:
Regarding using the Botnet Plugin as a replacement for SaneSecurity... I
found that the _best_ part about SaneSecurity was its assistance with
catching spam that could NOT ever be caught using _any_ kind of DNSBL.
Botnet
-- Forwarded message --
From: Bret Miller bret.mil...@wcg.org
To: John Rudd jr...@ucsc.edu
Date: Tue, 21 Aug 2007 13:08:06 -0700
Subject: RE: BOTNET Exceptions for Today
Bret Miller wrote:
Maybe these aren't false positives because botnet is identifying them for
what
On Wed, Jan 14, 2009 at 13:06, Dave Pooser dave...@pooserville.com wrote:
None of my friends are on
services that are that poorly configured
No friends on Verizon? Their @#$% mail servers are 70% of my FPs.
Heh. Guess not :-)
On Tue, Dec 2, 2008 at 12:02, Aaron Wolfe [EMAIL PROTECTED] wrote:
You could try to use
callouts to the primary to establish whether a user account is valid
before accepting the message, but then you aren't much of a backup when
the primary goes down.
Unless you're caching the results of those
If the legitimate sender (even ones not on any whitelists) won't
receive a notification of a message that didn't go through due to
unknown recipient, recipient over quota, and similar mechanisms ...
then I wouldn't touch your service with a 10' pole.
On Tue, Dec 2, 2008 at 12:59, Marc Perkel
Difference in Spam getting through Spamhaus-Zen and ClamAV signatures
(which include ClamAV, SaneSecurity, MBL, and one other)?
No, delivered spam is about the same # of messages as before.
Difference in number of messages getting bounced by Spamhaus-Zen and
ClamAV? Down about 40-50%.
SM wrote:
At 10:06 24-04-2008, Johnson, S wrote:
Thanks for the input. I'm using:
Postfix (I drop a ton of connections before the mail is even allowed
in to my filters)
- 6 RBLs
- malformed email tests
Spamassassin
mimedefang
razor2
dcc
pyzor
bayes lists
Mailscanner
If you have
SM wrote:
At 08:03 25-04-2008, John Rudd wrote:
I believe he's calling SpamAssassin during the SMTP session, using
mimedefang (a milter). Mailscanner doesn't let you do that (at least,
not the last time I used it; it didn't have milter bindings).
He's using Mailscanner as well
Mark,
Thanks, I'll try to work that into 0.9.
John
Mark Martinec wrote:
Jan-Peter,
I just noticed BotNet (0.8) causing SA timeouts
Then it just hangs for quite some time and finally runs into the
timeout. Any idea?
A known problem, it uses a default timeout of Net::DNS,
which is
mouss wrote:
ajx wrote:
It seems your logic is fundamentally flawed for several reasons. By
returning false positives, you're breaking mail gateways that use this
once
useful service. On the contrary, the best way would be to simply return a
DNS host not found error or a connection refused
Aaron Wolfe wrote:
On Tue, Mar 25, 2008 at 11:50 PM, John Rudd [EMAIL PROTECTED] wrote:
mouss wrote:
ajx wrote:
It seems your logic is fundamentally flawed for several reasons. By
returning false positives, you're breaking mail gateways that use this
once
useful service
Ralf Hildebrandt wrote:
* SM [EMAIL PROTECTED]:
Time to blacklist google.
The users may complain if you do that.
To [EMAIL PROTECTED] Problem solved!
No. Your users may complain to you that they're unable to receive email
from colleagues/friends/etc. who use google.
Though, depending
Per Jessen wrote:
John D. Hardin wrote:
On Mon, 17 Dec 2007, Per Jessen wrote:
Does anyone have a current status for blackholes.us ? The rsync'ed
data is about 18months old.
I had an email rejected earlier today due to a server
being blacklisted by germany.blackholes.us
Well, if the
Theo Van Dinter wrote:
On Thu, Dec 06, 2007 at 09:30:34AM +, Justin Mason wrote:
if that doesn't work, it's a bug; please report it at the Bugzilla.
... assuming that the local.cf file is actually being read and doesn't have an
error causing the parsing of the file to fail. :)
That
In the past, turning off a rule was supposed to be as simple as setting
its score to zero. Is that no longer the case? I set a rule to zero,
and it's still showing up in my logs (but it looks like the value is
correctly being recorded as zero, so it's not affecting my scores; I'm
just
Daryl C. W. O'Shea wrote:
On 11/23/2007 6:15 PM, John Rudd wrote:
Ever since upgrading in the last 2 months, I've been getting a lot
more false positive complaints, and one of the most frequent rules to
show up in my false positives is:
2.8 BASE64_LENGTH_79_INF BODY
Ever since upgrading in the last 2 months, I've been getting a lot more
false positive complaints, and one of the most frequent rules to show up
in my false positives is:
2.8 BASE64_LENGTH_79_INF BODY: BASE64_LENGTH_79_INF
That rule description is COMPLETELY useless.
So, here are my
mouss wrote:
Marcin Praczko wrote:
It is possible add some text to Subject: For example [SPLIST] - to make easier
set up filter for emails?
List managers (and other software) should not alter email unless
absolutely necessary.
List sysadmins should do whatever they want with email that
[EMAIL PROTECTED] wrote:
Hi,
I cannot seem to find any useful documentation on this.
Specifically, I need to disable spamhaus RBLs in all forms (DNS, URI,
etc.). The lookups are slowing down spamassassin too much, and the mail
backs up by the thousand, while the CPUs are mostly idle.
I
Daryl C. W. O'Shea wrote:
Mark Martinec wrote:
An alternative workaround: to SA 3.2.3 apply a patch in:
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589
then you can specify per-zone timeouts, e.g.:
rbl_timeout 1.5 spamhaus.org
Doesn't disable DNS, but at least limits the time
Bart Schaefer wrote:
On 10/17/07, Tom Ray [EMAIL PROTECTED] wrote:
I just thought if anyone hasn't read it yet, this article might be
interesting to many of you. According to this report SPAM has now
reached being 95% of all email.
This is hyperbole.
What it really means is that 95% of the
IMO, one of the best and _easiest_ things any site can do to show love
to any blacklist service is: run a local mirror. Even better is to run
a publicly accessible mirror ... but a local mirror lessens your impact
on the service you're consuming. Ask them when and often you can pull
the
Matt Kettler wrote:
Rick Macdougall wrote:
Hi,
Anyone ever hear of or use them?
www.mipspace.org
Looks like they block commercial senders.
Aye, looks like their goal is to list all commercial senders, legit,
semi-legit, or otherwise. Which I could see being useful in some
environments.
Matus UHLAR - fantomas wrote:
On 08.10.07 14:56, John Rudd wrote:
I see in another thread a discussion about what people want to see in SA
RBL support. I thought I'd throw in my $.02.
I want a non-binary setting for use RBLs or not.
I want:
use_rbls zen.spamhaus.org list.dsbl.org
R.Smits wrote:
Hello,
Which spam blacklists do you use in your MTA config. (postfix)
smptd_client_restrictions
Currently we only use : reject_rbl_client list.dsbl.org
We let spamassassin fight the rest of the spam. But the load of spam is
getting too high for our organisation. Which list is
I see in another thread a discussion about what people want to see in SA
RBL support. I thought I'd throw in my $.02.
I want a non-binary setting for use RBLs or not.
The all or nothing approach that has been used, where you set it to
use RBLs or skip them, and then you have to track down
Loren Wilton wrote:
As far as I have understood it Botnet checks the first IP not being in
your trusted networks.
botnet probably does such checks based on trusted_networks and
internal_networks settings: doesn't check IP in trusted_networks, but
continues on next IP when current one is in
hanz wrote:
I believe if botnet.pm is checking all the path the mail went thru like how
dnsbl is used, botnet will get more accurate.
No, it would throw a lot more false-positives. Every end user
(corporate, home, etc.) on a dynamic IP address would suddenly get their
email flagged by
Per Jessen wrote:
Perhaps someone can turn this into a rule for SA to add some points.
The mail-server that detects the missing QUIT could easily add a header
which SA would then pick up on. But it might depend on what
those other factors are.
Part of the problem here is that a
Tuc at T-B-O-H.NET wrote:
Tuc at T-B-O-H wrote:
That's as much detail as I'm going to go into here. But the result is
that I have 720,000 IP addresses of virus infected computers and I'm
filtering about 1600 domains and I'm not getting any more than the
normal few false positive complaints.
Matus UHLAR - fantomas wrote:
Bret Miller wrote:
Received: from [206.74.184.2] (HELO [206.74.184.2])
by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
...
Meaning that there was no RDNS for 206.74.184.2 and when it said helo, it
said HELO [206.74.184.2]. However, SA is not parsing it that
Bret Miller wrote:
Received: from [206.74.184.2] (HELO [206.74.184.2])
by mail.wcg.org (CommuniGate Pro SMTP 5.1.11)
...
Meaning that there was no RDNS for 206.74.184.2
Actually, CommuniGate sometimes does that even when RDNS _is_ available.
For example:
Received: from
Loren Wilton wrote:
the last byte of the return is a number from 1-255. This is the hosts
1 means not only have we never seen ham come from this host, it has
all kinds of danger signals that indicate you shouldn't ever trust
them to do anything useful.
You probably really need one bit
Marc Perkel wrote:
John Rudd wrote:
Loren Wilton wrote:
the last byte of the return is a number from 1-255. This is the hosts
1 means not only have we never seen ham come from this host, it has
all kinds of danger signals that indicate you shouldn't ever trust
them to do anything useful
Bret Miller wrote:
Before you look at this as just another blacklist - the real
power is in the white and yellow lists. First - an overview.
My list returns these codes:
* 127.0.0.1 - whitelist - trusted nonspam
* 127.0.0.2 - blacklist - block spam
* 127.0.0.3 - yellowlist - mix of spam
mouss wrote:
Kai Schaetzl wrote:
Rense Buijen wrote on Wed, 22 Aug 2007 16:43:19 +0200:
I didn't know that a backup MX can lead to more trouble than having
just one
Unfortunately, backup MXes attract spammers :-(. You could at least
add some more backup MXs (that don't exist) on top
Duane Hill wrote:
On Sat, 25 Aug 2007 at 13:08 -0700, [EMAIL PROTECTED] confabulated:
Further, how does check_sender_mx_access differ from Sender Address
Verification (SAV)? (where SAV is an INCREDIBLY bad idea, and a blight
upon the internet)
(meaning: if check_sender_mx_access is just the
Nikolay Shopik wrote:
On 8/26/2007 12:08 AM, John Rudd wrote:
mouss wrote:
Kai Schaetzl wrote:
Rense Buijen wrote on Wed, 22 Aug 2007 16:43:19 +0200:
I didn't know that a backup MX can lead to more trouble than having
just one
Unfortunately, backup MXes attract spammers :-(. You
Robert Fitzpatrick wrote:
On Wed, 2007-08-22 at 08:58 +0100, Martin.Hepworth wrote:
Botnet 0.8 is a lot better than 0.7 - please upgrade if you don't already.
How do you tell what version you have? I cannot find it anywhere in the
files, so I downloaded 0.8 and diff'd the pm against what I
Bret Miller wrote:
Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
86, and others. All similarly resolve to
Andy Sutton wrote:
On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, how?
Anyone who claims that isn't really looking at the email they are
blocking, or don't believe borked DNS qualify as
SM wrote:
The
server.nch.com.au case is an interesting one. Technically, there isn't
anything wrong with that setup. But I digress as we are talking about
antispam here.
Technically, there is a problem with it: it violates best practices
asserted by RFC 1912, section 2.1, which warns that
Nix wrote:
On 21 Aug 2007, Kai Schaetzl said:
Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
to have a static assignment.
Well, if it's
René Berber wrote:
Bret Miller wrote:
I keep saying that I have false positives with botnet, but haven't
substantiated that to date. So, today I'm spending a little time making
exceptions since I would like this to work. Here are today's:
[snip]
meridiencancun.com.mx, sent from IP , resolves
Jari Fredriksson wrote:
Jari Fredriksson wrote on Fri, 17 Aug 2007 01:11:37 +0300:
But if I were an ISP I could not use it. Impossible.
Totally impossible.
because ... ?
Kai
Because there are always some friends of some customers using a local linux with
a local mail server without smart
Henrik Krohns wrote:
If you want a simple solution, you can try http://sa.hege.li/ for BadRelay
plugin.
BadRelay makes a fairly fatal assumption: The MTA put the rdns into the
Received header. I know of 2 MTAs that don't do that (they just put the
IP address in, without the rdns name).
Kai Schaetzl wrote:
Robert Fitzpatrick wrote on Fri, 17 Aug 2007 08:56:33 -0400:
Well, like I said, we had big problems using anything in Botnet except
nordns.
That's why everything except the main BOTNET is set to 0 I guess ;-) You
have to check for yourself if it fits or not. I just