Re: Trying out a new concept

2008-09-22 Thread Duane Hill

On Mon, 22 Sep 2008, Karl Pearson wrote:


On Mon, 22 Sep 2008, Marc Perkel wrote:




McDonald, Dan wrote:

On Mon, 2008-09-22 at 15:44 -0700, Marc Perkel wrote:


Ken A wrote:


Marc Perkel wrote:

I don't know how this will work but I'm building the data now. For 
those of you who are familiar with Day old bread lists to detect new 
domains, as you know there's a lag time in the data and they often 
don't have data from all the registries. So - here's a different 
solution.


What I'm thinking is to accumulate every domain name that interacts 
with my system and storing it in a list. Eventually after a week or so 
I should have a good list. Then the idea is to do a lookup to see if a 
new domain is NOT on the list. This will catch all really new domains, 
but will have some false positives. But - if it is mixed with other 
conditionals it might be a good way to detect and block spam from or 
linking to tasting domains.


So, if for years I send mail to hundreds of people in my county, but
never anything to your spamtraps or your legitimate mail, and then one
day I decide to send you a single piece of mail, you will blacklist me
as DOB?


No - that's not how it works. Being a stranger to the list doesn't get you 
blacklisted. It's just a factor that when combined with other factors 
indicates it's spam. And generally URI spam. I'm just using this as a way 
to discover new domains by what's not on a list as opposed to what is on a 
list.


And I don't yet know if it will work. I'm still building the list. I just 
wanted to throw the concept out there and see if it sparks innovation. It 
might turn out to be a dead end.


So, what about doing a whois query and 'grep' for the setup date? You 
theoretically could then just append that date to the domain name, and have 
something to cross-reference...


Most whois servers have restrictions on high-volume queries via 
automation. I've been blocked for doing whois queries via a Perl script 
for domains on our server just to verify if a domain has moved away 
without notifying us. Although it is for a relatively short period of time, 
it is a nuisance.


-d


Re: Trying out a new concept

2008-09-22 Thread Karl Pearson

On Mon, 22 Sep 2008, Marc Perkel wrote:




McDonald, Dan wrote:

On Mon, 2008-09-22 at 15:44 -0700, Marc Perkel wrote:


Ken A wrote:


Marc Perkel wrote:

I don't know how this will work but I'm building the data now. For those 
of you who are familiar with Day old bread lists to detect new domains, 
as you know there's a lag time in the data and they often don't have 
data from all the registries. So - here's a different solution.


What I'm thinking is to accumulate every domain name that interacts with 
my system and storing it in a list. Eventually after a week or so I 
should have a good list. Then the idea is to do a lookup to see if a new 
domain is NOT on the list. This will catch all really new domains, but 
will have some false positives. But - if it is mixed with other 
conditionals it might be a good way to detect and block spam from or 
linking to tasting domains.





So, if for years I send mail to hundreds of people in my county, but
never anything to your spamtraps or your legitimate mail, and then one
day I decide to send you a single piece of mail, you will blacklist me
as DOB?




No - that's not how it works. Being a stranger to the list doesn't get you 
blacklisted. It's just a factor that when combined with other factors 
indicates it's spam. And generally URI spam. I'm just using this as a way to 
discover new domains by what's not on a list as opposed to what is on a list.


And I don't yet know if it will work. I'm still building the list. I just 
wanted to throw the concept out there and see if it sparks innovation. It 
might turn out to be a dead end.





So, what about doing a whois query and 'grep' for the setup date? You 
theoretically could then just append that date to the domain name, and 
have something to cross-reference...


---
 _/  _/  _/  _/_/_/      __o
_/ _/   _/  _/_/   _-\\<._
   _/_/_/  _/_/_/ (_)/ (_)
  _/ _/   _/  _/   ..
 _/   _/ arl _/_/_/  _/ earson[EMAIL PROTECTED]
---
http://consulting.ourldsfamily.com
---
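
Added example for the whois idea above and for the rate-limit problem Duane describes in his reply: pull the creation date out of whois output, turn it into the domain's age in days, and keep a per-domain cache plus a minimum interval between live queries so the server's abuse limits are not tripped. The whois text is a constructed sample (a real client would read it from TCP port 43 of the registry's server); the field names and date formats are the common ones and not a complete list. This is not code from the thread.

```python
"""Whois creation-date parsing with a cache and a query throttle (added example)."""
import re
import time
from datetime import datetime, timezone

# Field names and date formats differ per registry; these cover the common ones.
DATE_FIELD_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered on|Registration Date|created)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")


def creation_date(whois_text: str):
    """Creation date as an aware datetime, or None when absent or unparseable
    (whois privacy or an unknown format must count as 'unknown', not 'young')."""
    m = DATE_FIELD_RE.search(whois_text)
    if not m:
        return None
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(m.group(1), fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def domain_age_days(whois_text: str, now: datetime):
    created = creation_date(whois_text)
    return None if created is None else (now - created).days


class ThrottledWhois:
    """Serve repeat lookups from a cache and space live queries min_interval
    seconds apart.  clock/sleep are injectable so the behaviour is testable."""

    def __init__(self, fetch, clock=time.time, sleep=time.sleep,
                 min_interval=2.0, cache_ttl=86400.0):
        self.fetch, self.clock, self.sleep = fetch, clock, sleep
        self.min_interval, self.cache_ttl = min_interval, cache_ttl
        self.cache = {}                 # domain -> (fetched_at, text)
        self.last_query = None
        self.live_queries = 0

    def get(self, domain: str) -> str:
        now = self.clock()
        hit = self.cache.get(domain)
        if hit and now - hit[0] < self.cache_ttl:
            return hit[1]
        if self.last_query is not None:
            wait = self.last_query + self.min_interval - now
            if wait > 0:
                self.sleep(wait)        # stay under the server's rate limit
                now = self.clock()
        text = self.fetch(domain)
        self.live_queries += 1
        self.last_query = now
        self.cache[domain] = (now, text)
        return text


SAMPLE_WHOIS = {   # constructed whois output, not real registry data
    "tasted-domain.example": "Domain Name: TASTED-DOMAIN.EXAMPLE\nCreation Date: 2008-09-20T04:11:02Z\n",
    "old-domain.example": "Domain Name: OLD-DOMAIN.EXAMPLE\nRegistered on: 14-Mar-1999\n",
    "private.example": "Domain Name: PRIVATE.EXAMPLE\nRegistrant: REDACTED FOR PRIVACY\n",
}
NOW = datetime(2008, 9, 22, 12, 0, tzinfo=timezone.utc)   # the day of this thread


def demo():
    """Four lookups, three of them live; returns (ages, live queries, seconds spent waiting)."""
    clock = [NOW.timestamp()]           # fake clock, advanced only by the fake sleep
    client = ThrottledWhois(SAMPLE_WHOIS.__getitem__,
                            clock=lambda: clock[0],
                            sleep=lambda s: clock.__setitem__(0, clock[0] + s))
    ages = {}
    for domain in ("tasted-domain.example", "old-domain.example",
                   "private.example", "tasted-domain.example"):
        ages[domain] = domain_age_days(client.get(domain), NOW)
    return ages, client.live_queries, clock[0] - NOW.timestamp()


if __name__ == "__main__":
    print(demo())
```

The repeated lookup of tasted-domain.example is answered from the cache, so only three live queries go out and the throttle inserts a two-second gap between them; a domain whose record carries no creation date comes back as None rather than being scored as new.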



RE: Trying out a new concept

2008-09-22 Thread McDonald, Dan
Sorry for the top-post, I'm using a brain-damaged web-mailer...

Actually, I think it is the uribl_gold list that is the real day-old-bread list. 
You have to subscribe to a datafeed service to get the gold list.  


-Original Message-
From: John Hardin [mailto:[EMAIL PROTECTED]
Sent: Mon 22-Sep-08 20:45
To: Blaine Fleming
Cc: users@spamassassin.apache.org
Subject: Re: Trying out a new concept
 
On Mon, 2008-09-22 at 18:26 -0600, Blaine Fleming wrote:
> John Hardin wrote:
> >
> >> This is why I started processing all the TLDs I was able to obtain 
> >> access to.  There is lag but the most it could be is about 24 hours 
> >> and that assumes they register a new domain immediately after the TLD 
> >> dumps the zone.
> >
> > Does your data allow mapping domain name to registrar? If so, you 
> > might want to try implementing a URIBL for the Evil Registrars as has 
> > been discussed from time to time on the list...
> >
> 
> I've thought about doing that but it seems redundant since URIBL already 
> does.  At least they seem to have it published on their site so I'm 
> pretty sure it's included in their zones too.

...now that you mention it:

red.uribl.com - This list contains domains that actively show up in mail
flow, are not listed on URIBL black, and are either very young (domain
age via whois), or use whois privacy features to protect their identity.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]                     FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Obama? McCain? I'm so sick of our elections always being
  "choose the lesser of two evils."
---
 43 days until the Presidential Election




Re: Trying out a new concept

2008-09-22 Thread John Hardin
On Mon, 2008-09-22 at 18:26 -0600, Blaine Fleming wrote:
> John Hardin wrote:
> >
> >> This is why I started processing all the TLDs I was able to obtain 
> >> access to.  There is lag but the most it could be is about 24 hours 
> >> and that assumes they register a new domain immediately after the TLD 
> >> dumps the zone.
> >
> > Does your data allow mapping domain name to registrar? If so, you 
> > might want to try implementing a URIBL for the Evil Registrars as has 
> > been discussed from time to time on the list...
> >
> 
> I've thought about doing that but it seems redundant since URIBL already 
> does.  At least they seem to have it published on their site so I'm 
> pretty sure it's included in their zones too.

...now that you mention it:

red.uribl.com - This list contains domains that actively show up in mail
flow, are not listed on URIBL black, and are either very young (domain
age via whois), or use whois privacy features to protect their identity.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]                     FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Obama? McCain? I'm so sick of our elections always being
  "choose the lesser of two evils."
---
 43 days until the Presidential Election



Re: Trying out a new concept

2008-09-22 Thread John Hardin
On Mon, 2008-09-22 at 17:13 -0700, Marc Perkel wrote:

> Where I'm getting hits is on spam bots that link to these new domains. 
> Spambots are easy to detect because they never use the QUIT command to 
> close the connection. So if a spambot message links to an "unfamiliar" 
> domain (a domain NOT on my list) then that domain goes into my URIBL 
> list which I'm going to ship off to the folks at SURBL, which will 
> trickle down to you all here.
> 
> That is the plan - if it works. And it will get the offenders listed 
> quickly.

Best of luck with that. It will be interesting to see how it turns out.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]                     FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Obama? McCain? I'm so sick of our elections always being
  "choose the lesser of two evils."
---
 43 days until the Presidential Election



Re: SPF not matching

2008-09-22 Thread Matt Kettler
McDonald, Dan wrote:
> I'm having trouble with a correspondent who is using SPF, is sending
> from a host allowed in policy, but the SPF rule is not matching.
>
> Their spf record (obfuscated) is:
> example.com.  3600IN  TXT "v=spf1 mx ptr ip4:a.a.a.0/24 
> ip4:b.b.b.0/24 a:mailrelay a:exchange mx:male.example.com mx:femail -all"
>
> I realize that it is malformed - shouldn't have non FQDN's in the a: or
> mx: types, and male.example.com doesn't have an mx record (it is the mx
> for 'example.com').  But that being said, those ones that are valid
> ought to be recognized.
>   
Actually, as best I can tell, several popular SPF libraries will just
barf on invalid records.

ie: http://www.kitterman.com/spf/validate.html

Will barf, and refuse to generate a PASS.

(I tried the tester with "v=spf1 mx ptr ip4:1.1.1.0/24 ip4:2.2.2.0/24
a:mailrelay a:exchange mx:male.example.com mx:femail -all" and mail
being from: [EMAIL PROTECTED], IP: 1.1.1.11.)

I guess the assumption is an invalid SPF record isn't trustworthy at
all, and quite likely created by a spammer, so it should only generate
an error.

Looking at Mail::SPF, it appears to generate an exception
"Mail::SPF::EJunkInRecord" for bad records.
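
Added example, not Mail::SPF code: a small SPF syntax check that shows why the record above yields PermError rather than Pass, even though ip4:1.1.1.0/24 covers the sending host. Only ip4, ip6 and all are evaluated offline; a, mx, ptr, include and exists are syntax-checked and then treated as no-match, which is an assumption of this example and not what a full evaluator does. Macro expansion in domain-specs is not supported. The two records are the thread's record with the obfuscated networks filled in as Matt did, and a corrected version with fully qualified names.

```python
"""SPF record syntax check and offline ip4/ip6/all evaluation (added example)."""
import ipaddress
import re

# domain-spec per RFC 4408 section 8.1 is something followed by "." toplabel,
# so a bare host name such as "mailrelay" is a syntax error.
DOMAIN = r"[A-Za-z0-9][A-Za-z0-9_.-]*\.[A-Za-z][A-Za-z0-9-]*\.?"
DUAL_CIDR = r"(/\d{1,3})?(//\d{1,3})?"
QUAL = r"[+\-~?]?"
TERM_RES = [
    re.compile(rf"^{QUAL}all$"),
    re.compile(rf"^{QUAL}(include|exists):{DOMAIN}$"),
    re.compile(rf"^{QUAL}(a|mx)(:{DOMAIN})?{DUAL_CIDR}$"),
    re.compile(rf"^{QUAL}ptr(:{DOMAIN})?$"),
    re.compile(rf"^{QUAL}ip4:\d{{1,3}}(\.\d{{1,3}}){{3}}(/\d{{1,2}})?$"),
    re.compile(rf"^{QUAL}ip6:[0-9A-Fa-f:.]+(/\d{{1,3}})?$"),
    re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=\S*$"),   # redirect=, exp= and unknown modifiers
]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

BAD_RECORD = ("v=spf1 mx ptr ip4:1.1.1.0/24 ip4:2.2.2.0/24 a:mailrelay a:exchange "
              "mx:male.example.com mx:femail -all")
GOOD_RECORD = ("v=spf1 mx ptr ip4:1.1.1.0/24 ip4:2.2.2.0/24 a:mailrelay.example.com "
               "a:exchange.example.com mx:male.example.com mx:femail.example.com -all")


def syntax_errors(record: str) -> list:
    """Return the terms that do not parse; an empty list means the record is clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [record]
    return [t for t in terms[1:] if not any(r.match(t) for r in TERM_RES)]


def check_spf(record: str, client_ip: str) -> str:
    """PermError on any junk term; otherwise the first matching term's qualifier wins."""
    if syntax_errors(record):
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            return QUALIFIERS[qual]
        if body.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
            except ValueError:          # e.g. an octet above 255: also junk
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]
        # a, mx, ptr, include, exists would need DNS: treated as no-match here (assumption).
    return "neutral"


if __name__ == "__main__":
    print(syntax_errors(BAD_RECORD), check_spf(BAD_RECORD, "1.1.1.11"))
    print(check_spf(GOOD_RECORD, "1.1.1.11"), check_spf(GOOD_RECORD, "9.9.9.9"))
```

The check runs before any term is evaluated, which is the behaviour Matt observed: one unparseable term poisons the whole record, and the matching ip4 term never gets a chance to produce a Pass.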



Re: Trying out a new concept

2008-09-22 Thread Blaine Fleming

John Hardin wrote:


This is why I started processing all the TLDs I was able to obtain 
access to.  There is lag but the most it could be is about 24 hours 
and that assumes they register a new domain immediately after the TLD 
dumps the zone.


Does your data allow mapping domain name to registrar? If so, you 
might want to try implementing a URIBL for the Evil Registrars as has 
been discussed from time to time on the list...




I've thought about doing that but it seems redundant since URIBL already 
does.  At least they seem to have it published on their site so I'm 
pretty sure it's included in their zones too.


--Blaine



Re: Trying out a new concept

2008-09-22 Thread Rob McEwen

Blaine Fleming wrote:

John Hardin wrote:
Why is it so flippin' difficult to get a feed of newly-registered 
domain names?
Because the TLDs hate giving people access to the data and certainly 
won't provide a feed without a bunch of cash involved.  Even worse, 
all the ccTLDs pretty much refuse to even talk to you about access to 
the zones.  This is why I started processing all the TLDs I was able 
to obtain access to.  There is lag but the most it could be is about 
24 hours and that assumes they register a new domain immediately after 
the TLD dumps the zone.


Honestly, on my system I have less than 0.01% hits against a list of 
domains registered in the last five days so I've always considered the 
list a failure.  However, several others are reporting excellent hit 
rates on it.  I think it is because the test is so far after 
everything else though


To some extent, I like the concept. But I think the results are going to 
be somewhat limited because the sneakiest of spammers often allow their 
domains to "age" a bit for the very reason that "age of domain" is a 
common metric in the evaluation of domain reputation. Snowshoe spammers 
in particular have caught onto this fact in recent years/months. 
Therefore, the tendency will be for DOB lists to catch spam that was 
already well-caught, such as botnet-sent spams. (matching up with what 
Blaine said). Also, Marc is wise to consider combining this with other 
metrics because it is not that uncommon for some large and legit 
organization to blast out an e-mail to their members discussing some new 
web site which uses a domain name just bought a few days ago.


But, as someone else said, such a list might be effective for scoring 1 
point, or something like that. I'd be interested in putting such a list 
to use in my own spam filtering in such a manner.


--
Rob McEwen
http://dnsbl.invaluement.com/
[EMAIL PROTECTED]
+1 (478) 475-9032




Re: Trying out a new concept

2008-09-22 Thread Blaine Fleming

SM wrote:


Even if your traffic patterns are different, the hit rates shouldn't 
be that low.  There would be a difference if your MTA uses a DNSBL to 
reject or if you apply other pre-content filtering techniques.


It's not a matter of different traffic patterns as much as a matter of 
when I do the tests.  Incoming mail that is accepted is subjected to 
many tests before it is even checked against the new domains list.  If I 
put it closer to the front of the tests it would probably hit higher but 
I've never had much need to do so.


--Blaine


Re: Trying out a new concept

2008-09-22 Thread John Hardin

On Mon, 22 Sep 2008, Blaine Fleming wrote:


John Hardin wrote:

 Why is it so flippin' difficult to get a feed of newly-registered domain
 names?


Because the TLDs hate giving people access to the data and certainly 
won't provide a feed without a bunch of cash involved.  Even worse, all 
the ccTLDs pretty much refuse to even talk to you about access to the 
zones.


Note to self: remember, the answer to any question beginning "why" is 
always "money". :)


This is why I started processing all the TLDs I was able to obtain 
access to.  There is lag but the most it could be is about 24 hours and 
that assumes they register a new domain immediately after the TLD dumps 
the zone.


Does your data allow mapping domain name to registrar? If so, you might 
want to try implementing a URIBL for the Evil Registrars as has been 
discussed from time to time on the list...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]                     FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Those in the media have donated to Obama at a 100:1 ratio compared
 to McCain. Are we to believe that this bias does not in any way
 taint their coverage of the campaign?
---
 43 days until the Presidential Election


Re: Trying out a new concept

2008-09-22 Thread Marc Perkel



Blaine Fleming wrote:

John Hardin wrote:
Why is it so flippin' difficult to get a feed of newly-registered 
domain names?


Because the TLDs hate giving people access to the data and certainly 
won't provide a feed without a bunch of cash involved.  Even worse, 
all the ccTLDs pretty much refuse to even talk to you about access to 
the zones.  This is why I started processing all the TLDs I was able 
to obtain access to.  There is lag but the most it could be is about 
24 hours and that assumes they register a new domain immediately after 
the TLD dumps the zone.


Honestly, on my system I have less than 0.01% hits against a list of 
domains registered in the last five days so I've always considered the 
list a failure.  However, several others are reporting excellent hit 
rates on it.  I think it is because the test is so far after 
everything else though.


--Blaine



Thanks Blaine,

John, the problem is that even if you have access to the data you have 
to compare gigabytes to the previous day so there's a big delay in even 
producing the lists. So my experiment is not to figure out how to get 
them listed, but detect them from not being listed. I'm also NOT testing 
this with SA. I'm using Exim rules and combining it with other sins to 
produce an RBL list that those of you using SA can use.


Where I'm getting hits is on spam bots that link to these new domains. 
Spambots are easy to detect because they never use the QUIT command to 
close the connection. So if a spambot message links to an "unfamiliar" 
domain (a domain NOT on my list) then that domain goes into my URIBL 
list which I'm going to ship off to the folks at SURBL, which will 
trickle down to you all here.


That is the plan - if it works. And it will get the offenders listed 
quickly.





Re: Trying out a new concept

2008-09-22 Thread SM

Hi Blaine,
At 17:00 22-09-2008, Blaine Fleming wrote:
Honestly, on my system I have less than 0.01% hits against a list of 
domains registered in the last five days so I've always considered 
the list a failure.  However, several others are reporting excellent 
hit rates on it.  I think it is because the test is so far after 
everything else though.


Even if your traffic patterns are different, the hit rates shouldn't 
be that low.  There would be a difference if your MTA uses a DNSBL to 
reject or if you apply other pre-content filtering techniques.


Regards,
-sm 



Re: Trying out a new concept

2008-09-22 Thread Blaine Fleming

John Hardin wrote:
Why is it so flippin' difficult to get a feed of newly-registered 
domain names?


Because the TLDs hate giving people access to the data and certainly 
won't provide a feed without a bunch of cash involved.  Even worse, all 
the ccTLDs pretty much refuse to even talk to you about access to the 
zones.  This is why I started processing all the TLDs I was able to 
obtain access to.  There is lag but the most it could be is about 24 
hours and that assumes they register a new domain immediately after the 
TLD dumps the zone.


Honestly, on my system I have less than 0.01% hits against a list of 
domains registered in the last five days so I've always considered the 
list a failure.  However, several others are reporting excellent hit 
rates on it.  I think it is because the test is so far after everything 
else though.


--Blaine





Re: Trying out a new concept

2008-09-22 Thread John Hardin

On Mon, 22 Sep 2008, Curtis LaMasters wrote:

Daniel, I think you're missing the point, or I'm completely lost, but I 
believe the point of the list is to tag domains with a registration date 
of a week or less when sending mail to you (prevent spam from newly 
registered domains).


Marc didn't say anything about registration dates. It sounds like he's 
trying to avoid depending on registrar data, which to me makes his 
solution extremely non-portable.


Why is it so flippin' difficult to get a feed of newly-registered domain 
names?



On Mon, Sep 22, 2008 at 5:52 PM, McDonald, Dan <
[EMAIL PROTECTED]> wrote:


On Mon, 2008-09-22 at 15:44 -0700, Marc Perkel wrote:


Ken A wrote:

Marc Perkel wrote:

I don't know how this will work but I'm building the data now. For
those of you who are familiar with Day old bread lists to detect new
domains, as you know there's a lag time in the data and they often
don't have data from all the registries. So - here's a different
solution.

What I'm thinking is to accumulate every domain name that interacts
with my system and storing it in a list. Eventually after a week or
so I should have a good list. Then the idea is to do a lookup to see
if a new domain is NOT on the list. This will catch all really new
domains, but will have some false positives. But - if it is mixed
with other conditionals it might be a good way to detect and block
spam from or linking to tasting domains.


So, if for years I send mail to hundreds of people in my county, but
never anything to your spamtraps or your legitimate mail, and then one
day I decide to send you a single piece of mail, you will blacklist me
as DOB?


I wouldn't say "blacklist", I'd say "add a point to the SA score".

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]                     FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Obama is a three-year senator without a single important
 legislative achievement to his name, a former Illinois state
 senator who voted "present" nearly 130 times. As president of the
 Harvard Law Review, as law professor and as legislator, has he ever
 produced a single notable piece of scholarship? Written a single
 memorable article? His most memorable work is a biography of his
 favorite subject: himself.-- Charles Krauthammer
---
 43 days until the Presidential Election


Re: Trying out a new concept

2008-09-22 Thread Marc Perkel



McDonald, Dan wrote:

On Mon, 2008-09-22 at 15:44 -0700, Marc Perkel wrote:
  

Ken A wrote:


Marc Perkel wrote:
  
I don't know how this will work but I'm building the data now. For 
those of you who are familiar with Day old bread lists to detect new 
domains, as you know there's a lag time in the data and they often 
don't have data from all the registries. So - here's a different 
solution.


What I'm thinking is to accumulate every domain name that interacts 
with my system and storing it in a list. Eventually after a week or 
so I should have a good list. Then the idea is to do a lookup to see 
if a new domain is NOT on the list. This will catch all really new 
domains, but will have some false positives. But - if it is mixed 
with other conditionals it might be a good way to detect and block 
spam from or linking to tasting domains.





So, if for years I send mail to hundreds of people in my county, but
never anything to your spamtraps or your legitimate mail, and then one
day I decide to send you a single piece of mail, you will blacklist me
as DOB?

  


No - that's not how it works. Being a stranger to the list doesn't get 
you blacklisted. It's just a factor that when combined with other 
factors indicates it's spam. And generally URI spam. I'm just using this 
as a way to discover new domains by what's not on a list as opposed to 
what is on a list.


And I don't yet know if it will work. I'm still building the list. I 
just wanted to throw the concept out there and see if it sparks 
innovation. It might turn out to be a dead end.




Re: Trying out a new concept

2008-09-22 Thread McDonald, Dan
On Mon, 2008-09-22 at 18:17 -0500, Curtis LaMasters wrote:
> Daniel, I think you're missing the point, or I'm completely lost, but I
> believe the point of the list is to tag domains with a registration
> date of a week or less when sending mail to you (prevent spam from
> newly registered domains).  I may be off but that's the way I
> understand DOB.

Right, but Mr. Perkel wants to recreate the data ex nihilo.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: Trying out a new concept

2008-09-22 Thread Curtis LaMasters
Daniel, I think you're missing the point, or I'm completely lost, but I
believe the point of the list is to tag domains with a registration date of
a week or less when sending mail to you (prevent spam from newly registered
domains).  I may be off but that's the way I understand DOB.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


On Mon, Sep 22, 2008 at 5:52 PM, McDonald, Dan <
[EMAIL PROTECTED]> wrote:

> On Mon, 2008-09-22 at 15:44 -0700, Marc Perkel wrote:
> >
> > Ken A wrote:
> > > Marc Perkel wrote:
> > >> I don't know how this will work but I'm building the data now. For
> > >> those of you who are familiar with Day old bread lists to detect new
> > >> domains, as you know there's a lag time in the data and they often
> > >> don't have data from all the registries. So - here's a different
> > >> solution.
> > >>
> > >> What I'm thinking is to accumulate every domain name that interacts
> > >> with my system and storing it in a list. Eventually after a week or
> > >> so I should have a good list. Then the idea is to do a lookup to see
> > >> if a new domain is NOT on the list. This will catch all really new
> > >> domains, but will have some false positives. But - if it is mixed
> > >> with other conditionals it might be a good way to detect and block
> > >> spam from or linking to tasting domains.
> > >>
>
> So, if for years I send mail to hundreds of people in my county, but
> never anything to your spamtraps or your legitimate mail, and then one
> day I decide to send you a single piece of mail, you will blacklist me
> as DOB?
>
>
> --
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy
> http://www.austinenergy.com
>
>


Re: Trying out a new concept

2008-09-22 Thread McDonald, Dan
On Mon, 2008-09-22 at 15:44 -0700, Marc Perkel wrote:
> 
> Ken A wrote:
> > Marc Perkel wrote:
> >> I don't know how this will work but I'm building the data now. For 
> >> those of you who are familiar with Day old bread lists to detect new 
> >> domains, as you know there's a lag time in the data and they often 
> >> don't have data from all the registries. So - here's a different 
> >> solution.
> >>
> >> What I'm thinking is to accumulate every domain name that interacts 
> >> with my system and storing it in a list. Eventually after a week or 
> >> so I should have a good list. Then the idea is to do a lookup to see 
> >> if a new domain is NOT on the list. This will catch all really new 
> >> domains, but will have some false positives. But - if it is mixed 
> >> with other conditionals it might be a good way to detect and block 
> >> spam from or linking to tasting domains.
> >>

So, if for years I send mail to hundreds of people in my county, but
never anything to your spamtraps or your legitimate mail, and then one
day I decide to send you a single piece of mail, you will blacklist me
as DOB?


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Marc Perkel



McDonald, Dan wrote:

Henrik K wrote:


On Mon, Sep 22, 2008 at 09:23:45AM -0500, Daniel J McDonald wrote:
  

On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:


On Mon, 22 Sep 2008, Daniel J McDonald wrote:

  

On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:


We're trying it today.
  
Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail 
from them?  What is the RBL name?
  

Here are the rules I'm using:
# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL   eval:check_rbl('brbl', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY   eval:check_rbl_sub('brbl', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY   net
describe RCVD_IN_BRBL_RELAY  received via a relay rated as poor by Barracuda
score   RCVD_IN_BRBL_RELAY  1.00


Note that this checks all Received headers, I'm seeing lots of FPs for
dynamic clients sending through ISP hosts etc. Try 'brbl-lastexternal' for
connecting clients only. If you keep on comparing hits, do tell which method
you are using.
  


Ok, using -lastexternal for about 5 hours
$ grep -P '^Sep 22 1[34567]' /var/log/mail/info | grep -P '[^M][SPX]BL' | grep -c -v BRBL
55  # on Zen not on BRBL
$ grep -P '^Sep 22 1[34567]' /var/log/mail/info | grep -v -P '[^M][SPX]BL' | grep -c BRBL
352 # on BRBL not on Zen
$ grep -P '^Sep 22 1[34567]' /var/log/mail/info | grep -P '[^M][SPX]BL' | grep -c BRBL
122 # on both


  


Hi Dan,

Can you throw my black list into the mix. I want to see how it scores.

hostkarma.junkemailfilter.com = 127.0.0.2 black
hostkarma.junkemailfilter.com = 127.0.0.1 white
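
Added example, not SpamAssassin's check_rbl and not code from the thread: how the lookups discussed here are formed and read. An IP list (b.barracudacentral.org, hostkarma) is queried with the reversed octets of the client IP, a URI list such as the red.uribl.com zone John quotes is queried with the domain itself, and the "-lastexternal" variant Henrik recommends only looks at the first relay outside our own trusted networks, which is why it avoids the dynamic-client false positives of checking every Received header. The Received: headers, the trusted range and the DNS answers are constructed; the return codes for hostkarma and BRBL are the ones given in the thread, and treating any answer from red.uribl.com as "listed" is an assumption.

```python
"""DNSBL/URIBL query-name construction, return-code reading and last-external
relay selection against an in-memory resolver (added example)."""
import ipaddress
import re

# Return codes as stated in this thread; other zones get a plain listed/unlisted.
CODES = {
    "hostkarma.junkemailfilter.com": {"127.0.0.1": "white", "127.0.0.2": "black"},
    "b.barracudacentral.org": {"127.0.0.2": "listed"},
}


def ip_query_name(ip: str, zone: str) -> str:
    """192.0.2.11 in zone Z is looked up as 11.2.0.192.Z (IPv4 only here)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def domain_query_name(domain: str, zone: str) -> str:
    """URI lists are queried with the domain as-is, e.g. example.com.red.uribl.com."""
    return domain.lower().rstrip(".") + "." + zone


def interpret(zone: str, answers) -> str:
    """Turn the A records returned by the list into a verdict."""
    if not answers:
        return "unlisted"
    table = CODES.get(zone)
    if table is None:                    # zone without a known code map (assumption)
        return "listed"
    return ",".join(sorted(table.get(a, f"unknown:{a}") for a in answers))


RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def untrusted_ips(received_headers, trusted_networks):
    """IPs from Received: headers (newest first) that lie outside our trusted
    networks.  The first one is the client that actually connected to us; the
    rest were written by hosts we do not control and include the ISP's
    dynamic customers, which is where the false positives come from."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ips = []
    for header in received_headers:
        m = RECEIVED_IP_RE.search(header)
        if m and not any(ipaddress.ip_address(m.group(1)) in n for n in nets):
            ips.append(m.group(1))
    return ips


# Constructed message: our filter and MX are in 10.0.0.0/8; the ISP relay
# handed us mail that it accepted from a dynamic customer address.
SAMPLE_RECEIVED = [
    "from mx1.internal ([10.0.0.5]) by filter.internal",
    "from smtp.isp.example ([192.0.2.11]) by mx1.internal",
    "from dyn-7.customer.isp.example ([198.51.100.7]) by smtp.isp.example",
]
TRUSTED = ["10.0.0.0/8"]
FAKE_DNS = {   # constructed answers; any other name resolves to nothing
    ip_query_name("198.51.100.7", "b.barracudacentral.org"): ["127.0.0.2"],
    ip_query_name("192.0.2.11", "hostkarma.junkemailfilter.com"): ["127.0.0.1"],
    domain_query_name("tasted-domain.example", "red.uribl.com"): ["127.0.0.2"],
}


def lookup(name: str):
    return FAKE_DNS.get(name, [])


def check_lastexternal(zone: str) -> str:
    """What 'brbl-lastexternal' does: only the connecting client is queried."""
    ips = untrusted_ips(SAMPLE_RECEIVED, TRUSTED)
    return interpret(zone, lookup(ip_query_name(ips[0], zone))) if ips else "unlisted"


def check_all_received(zone: str) -> dict:
    """What the plain rule does: every untrusted hop is queried."""
    return {ip: interpret(zone, lookup(ip_query_name(ip, zone)))
            for ip in untrusted_ips(SAMPLE_RECEIVED, TRUSTED)}


if __name__ == "__main__":
    print(check_lastexternal("b.barracudacentral.org"))
    print(check_all_received("b.barracudacentral.org"))
```

With these headers the all-Received check flags the ISP customer's dynamic address and would penalise mail that the ISP's relay legitimately forwarded, while the last-external check queries only 192.0.2.11 and stays clean; the hostkarma lookup of the same relay returns its white code.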






Re: Trying out a new concept

2008-09-22 Thread Marc Perkel



Ken A wrote:

Marc Perkel wrote:
I don't know how this will work but I'm building the data now. For 
those of you who are familiar with Day old bread lists to detect new 
domains, as you know there's a lag time in the data and they often 
don't have data from all the registries. So - here's a different 
solution.


What I'm thinking is to accumulate every domain name that interacts 
with my system and storing it in a list. Eventually after a week or 
so I should have a good list. Then the idea is to do a lookup to see 
if a new domain is NOT on the list. This will catch all really new 
domains, but will have some false positives. But - if it is mixed 
with other conditionals it might be a good way to detect and block 
spam from or linking to tasting domains.


Thoughts?



How will you keep your list from being easily polluted?

Ken


I'm not sure what you mean. The idea is to detect what's NOT on the 
list. And also to track new entries for a week or so. I'm just in the 
data accumulation stage. I only have one day of data. But the idea is to 
detect new domains.




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread McDonald, Dan
> Henrik K wrote:
> > On Mon, Sep 22, 2008 at 09:23:45AM -0500, Daniel J McDonald wrote:
> >> On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:
> >>> On Mon, 22 Sep 2008, Daniel J McDonald wrote:
> >>>
>  On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
> > We're trying it today.
> >>> Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail 
> >>> from them?  What is the RBL name?
> >> Here are the rules I'm using:
> >> # URL: http://www.barracudacentral.org/rbl/
> >> header __RCVD_IN_BRBL   eval:check_rbl('brbl', 'b.barracudacentral.org')
> >> describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
> >> header RCVD_IN_BRBL_RELAY   eval:check_rbl_sub('brbl', '127.0.0.2')
> >> tflags RCVD_IN_BRBL_RELAY   net
> >> describe RCVD_IN_BRBL_RELAY  received via a relay rated as poor by Barracuda
> >> score   RCVD_IN_BRBL_RELAY  1.00
> > 
> > Note that this checks all Received headers, I'm seeing lots of FPs for
> > dynamic clients sending through ISP hosts etc. Try 'brbl-lastexternal' for
> > connecting clients only. If you keep on comparing hits, do tell which method
> > you are using.

Ok, using -lastexternal for about 5 hours
$ grep -P '^Sep 22 1[34567]' /var/log/mail/info | grep -P '[^M][SPX]BL' | grep -c -v BRBL
55  # on Zen not on BRBL
$ grep -P '^Sep 22 1[34567]' /var/log/mail/info | grep -v -P '[^M][SPX]BL' | grep -c BRBL
352 # on BRBL not on Zen
$ grep -P '^Sep 22 1[34567]' /var/log/mail/info | grep -P '[^M][SPX]BL' | grep -c BRBL
122 # on both


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



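
Added example, not Dan's greps: the same Zen/BRBL overlap counts computed from spamd "result:" log lines, generalised to any number of lists so that the hostkarma list Marc asks to have added can go into the comparison too. The log lines are constructed. The Zen rule names are the stock SpamAssassin ones, the BRBL rule name is the one from Dan's rule above, and RCVD_IN_HOSTKARMA_BL is an assumed name for a local hostkarma rule.

```python
"""Per-list and pairwise hit overlap from spamd result lines (added example)."""
import re
from itertools import combinations

LISTS = {
    "zen": {"RCVD_IN_SBL", "RCVD_IN_XBL", "RCVD_IN_PBL"},
    "brbl": {"RCVD_IN_BRBL_RELAY"},
    "hostkarma": {"RCVD_IN_HOSTKARMA_BL"},   # assumed local rule name
}

# spamd logs one "spamd: result: Y 12 - RULE1,RULE2 scantime=..." line per message.
RESULT_RE = re.compile(r"spamd: result: [YN] -?\d+ - (\S+) scantime=")

SAMPLE_LOG = """\
Sep 22 13:01:02 mx spamd[4242]: spamd: result: Y 12 - RCVD_IN_BRBL_RELAY,RCVD_IN_XBL,URIBL_BLACK scantime=1.1,size=2100
Sep 22 13:02:10 mx spamd[4242]: spamd: result: Y 7 - RCVD_IN_PBL,RCVD_IN_HOSTKARMA_BL scantime=0.9,size=1800
Sep 22 13:03:44 mx spamd[4242]: spamd: result: Y 6 - RCVD_IN_BRBL_RELAY,HTML_MESSAGE scantime=0.7,size=900
Sep 22 13:05:00 mx spamd[4242]: spamd: result: N -1 - BAYES_00,HTML_MESSAGE scantime=0.5,size=3000
Sep 22 14:00:00 mx spamd[4242]: spamd: result: Y 9 - RCVD_IN_BRBL_RELAY,RCVD_IN_HOSTKARMA_BL,RCVD_IN_SBL scantime=0.8,size=1200
Sep 22 15:30:00 mx spamd[4242]: spamd: connection from localhost [127.0.0.1] at port 51005
"""


def hits_per_message(lines):
    """For each result line, the set of list names whose rules fired."""
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            tests = set(m.group(1).split(","))
            yield {name for name, rules in LISTS.items() if tests & rules}


def pairwise_overlap(lines):
    """For every pair of lists: (hit only by A, hit only by B, hit by both),
    which is exactly the three numbers the greps above produce for Zen/BRBL."""
    hits = list(hits_per_message(lines))
    result = {}
    for a, b in combinations(sorted(LISTS), 2):
        only_a = sum(1 for h in hits if a in h and b not in h)
        only_b = sum(1 for h in hits if b in h and a not in h)
        both = sum(1 for h in hits if a in h and b in h)
        result[(a, b)] = (only_a, only_b, both)
    return result


def unique_hits(lines):
    """Messages caught by exactly one list: what that list adds over all the others."""
    counts = {name: 0 for name in LISTS}
    for hit in hits_per_message(lines):
        if len(hit) == 1:
            counts[next(iter(hit))] += 1
    return counts


if __name__ == "__main__":
    for (a, b), (only_a, only_b, both) in pairwise_overlap(SAMPLE_LOG.splitlines()).items():
        print(f"{a} only: {only_a}  {b} only: {only_b}  both: {both}")
    print(unique_hits(SAMPLE_LOG.splitlines()))
```

Keying on the rule names rather than on a substring such as "BRBL" avoids counting unrelated rules whose names happen to contain the same letters, and the unique-hit count is the number to watch when deciding whether a third list is worth its DNS traffic.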


Re: Trying out a new concept

2008-09-22 Thread Ken A

Marc Perkel wrote:
I don't know how this will work but I'm building the data now. For those 
of you who are familiar with Day old bread lists to detect new domains, 
as you know there's a lag time in the data and they often don't have 
data from all the registries. So - here's a different solution.


What I'm thinking is to accumulate every domain name that interacts with 
my system and storing it in a list. Eventually after a week or so I 
should have a good list. Then the idea is to do a lookup to see if a new 
domain is NOT on the list. This will catch all really new domains, but 
will have some false positives. But - if it is mixed with other 
conditionals it might be a good way to detect and block spam from or 
linking to tasting domains.


Thoughts?



How will you keep your list from being easily polluted?

Ken

--
Ken Anderson
Pacific.Net



Trying out a new concept

2008-09-22 Thread Marc Perkel
I don't know how this will work but I'm building the data now. For those 
of you who are familiar with Day old bread lists to detect new domains, 
as you know there's a lag time in the data and they often don't have 
data from all the registries. So - here's a different solution.


What I'm thinking is to accumulate every domain name that interacts with 
my system and storing it in a list. Eventually after a week or so I 
should have a good list. Then the idea is to do a lookup to see if a new 
domain is NOT on the list. This will catch all really new domains, but 
will have some false positives. But - if it is mixed with other 
conditionals it might be a good way to detect and block spam from or 
linking to tasting domains.


Thoughts?
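
Added example, not Marc Perkel's Exim rules: a first-seen store for the "unfamiliar domain" idea in this post. A domain is unfamiliar if it has never been seen or was first seen less than AGE_DAYS ago, and that fact is only one factor; here it is combined with the no-QUIT spambot indicator Marc describes later in the thread before a domain is proposed for a URIBL feed. The store is seeded only from mail that passed the other checks, which is one answer to Ken's question about pollution. The sample messages, the suffix list and the no-QUIT flag are constructed for the example.

```python
"""First-seen domain store and unfamiliar-domain scoring (added example)."""
import re
from dataclasses import dataclass, field

AGE_DAYS = 7        # a domain stays unfamiliar this long after it was first seen
WARMUP_DAYS = 7     # no verdicts until the store has collected this much history
DAY = 86400

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Assumption: a tiny stand-in for the public suffix list, so that
# shop.example.co.uk is reduced to example.co.uk rather than to co.uk.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class DomainStore:
    created: float                                  # when collection started
    first_seen: dict = field(default_factory=dict)  # domain -> first sighting

    def learn(self, body: str, is_ham: bool, now: float) -> None:
        """Seed the store only from mail that passed the other checks.  If every
        message could add domains, a spammer could pre-age a domain with a few
        harmless-looking messages before using it."""
        if not is_ham:
            return
        for host in URL_HOST_RE.findall(body):
            self.first_seen.setdefault(registrable_domain(host), now)

    def ready(self, now: float) -> bool:
        return now - self.created >= WARMUP_DAYS * DAY

    def unfamiliar(self, domain: str, now: float) -> bool:
        seen = self.first_seen.get(domain)
        return seen is None or now - seen < AGE_DAYS * DAY


def classify(store: DomainStore, body: str, client_sent_quit: bool, now: float):
    """Return (uribl_candidates, reasons) for one message.

    Unfamiliar alone only yields a reason (a score factor, never a block); a
    domain becomes a URIBL candidate only when the client also never sent QUIT."""
    if not store.ready(now):
        return [], ["store still warming up"]
    candidates, reasons = [], []
    for domain in sorted({registrable_domain(h) for h in URL_HOST_RE.findall(body)}):
        if store.unfamiliar(domain, now):
            reasons.append(f"unfamiliar:{domain}")
            if not client_sent_quit:
                candidates.append(domain)
    return candidates, reasons


def demo():
    store = DomainStore(created=0.0)
    # Constructed history: a known domain seen in ham on day 1; a spam-tagged
    # message on day 2 links to a new domain and must not seed the store.
    store.learn("see http://www.example.com/news", is_ham=True, now=1 * DAY)
    store.learn("buy http://pills.example.net/x", is_ham=False, now=2 * DAY)
    body = "cheap http://www.example.com/ and http://shop.tasted-domain.co.uk/"
    return classify(store, body, client_sent_quit=False, now=10.0 * DAY)


if __name__ == "__main__":
    print(demo())
```

On day 10 the message above links to example.com, familiar since day 1, and to tasted-domain.co.uk, never seen before; only the latter is reported, and only because the client also skipped QUIT does it become a feed candidate.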



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread mouss

Joseph Brennan wrote:


Ralf Hildebrandt <[EMAIL PROTECTED]> wrote:

My top rejections for today are:


x28 smtp-out.orange.net[193.252.22.118]:



Orange is a major ISP.  Their mail-sending hosts are in 193.252.22 and
80.12.242.  Mail from Orange runs about 85 to 90% spam here.  The
minority remaining are legit users, some sending from cell phones.
Mail to abuse or postmaster is not answered.

http://openrbl.org/client/#193.252.22.118 shows it blacklisted only
on lists I'm not familiar with.  Blocking it will block legit mail,
if people in Europe send mail to your system.



orange have become a lot better than they were. since they started 
blocking port 25, I no longer need to block their "residential" users. 
while I still get junk via their relay, it's less than before. not as we 
would like, but let's see. (their postmaster address is still a Dave 
Null...).




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread mouss

Matt wrote:

I had the same issue and found that the system that's relaying
(216.129.105.40) those confirmation emails doesn't have a PTR record.
You'd think someone selling an antispam/email appliance would be familiar
with the RFCs.


That would explain why I got no confirmation; we do not accept email
from IPs without a PTR record.

I agree, if true this looks pretty bad for a so-called antispam
company.

In fairness -- if you drop mail with no rDNS, you are dropping 3.6% of
legit email in general, going by the test results for our RDNS_NONE
rule... ;)


Everyone should block/defer ALL email with no reverse DNS.  Then maybe
those email admins would get a clue.



when you say "they", you mean who? there are N new domains every day. 
you think rejecting mail will affect the domains that will be created 
tomorrow?


If everybody blocks such mail, then I'd say let's do it. but I don't 
want to get an "everybody but you accepts our mail".


besides, this FcrDNS thing can hardly be applied to IPv6, which is 
apparently the future...


or to say it in another way: yes, there is a problem, but the solution 
is not in DNS.




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread mouss

Henrik K wrote:

On Mon, Sep 22, 2008 at 09:23:45AM -0500, Daniel J McDonald wrote:

On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:

On Mon, 22 Sep 2008, Daniel J McDonald wrote:


On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:

We're trying it today.
Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail 
from them?  What is the RBL name?

Here are the rules I'm using:
# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL   eval:check_rbl('brbl', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY   eval:check_rbl_sub('brbl', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY   net
describe RCVD_IN_BRBL_RELAY received via a relay rated as poor by Barracuda
score   RCVD_IN_BRBL_RELAY  1.00


Note that this checks all Received headers, I'm seeing lots of FPs for
dynamic clients sending through ISP hosts etc. Try 'brbl-lastexternal' for
connecting clients only. If you keep on comparing hits, do tell which method
you are using.



I confirm this. it seems like the brbl includes a "pbl" like list.

it's too bad Barracuda don't give enough info and we have to discover 
this by ourselves...





Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Michael Scheidell
> identify their netblock and never hear from them again.
> 
> Is this hypothetical or does this happen to you in real life?

Real life.  Some 'rbl testing' companies make money by monitoring rb's.
Some rbl testing software includes blocked.secnap.net
Seems to come in spurts.  Won't hear from anyone for months and months, then
for about two months will start getting emails and calls 'you are blocking
my email'.  And, yes, we get pretend lawyers call.  I assume pretend because
I can't imagine any lawyer actually taking the time to call about something
so stupid:

host -t a  131.70.175.193.blocked.secnap.net
131.70.175.193.blocked.secnap.net has address 127.0.0.2

 host -t txt 131.70.175.193.blocked.secnap.net
131.70.175.193.blocked.secnap.net descriptive text "Private list. secnap.com
use only Not licensed for public use. Anyone using this DNS zone as a
blacklist did not do their homework"


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer


_
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_


Re: where to report violations of RCVD_IN_BSP?

2008-09-22 Thread Charlie Davidson


Michael Scheidell wrote:
> 
> yes, I can set a positive score for RCVD_IN_BSP_TRUSTED rules (I have!) 
> Without it, lots of spam would get through with the default -4.3 score.
> 

I have also been unable to contact them and removed the default score of
-4.3.  In fact, I'm concerned that if nobody is looking for feedback, BSP
will be frequently used by spammers and I am now contemplating adding a
slightly positive score for this rule.
-- 
View this message in context: 
http://www.nabble.com/where-to-report-violations-of-RCVD_IN_BSP--tp19518524p19614580.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ralf Hildebrandt
* Michael Scheidell <[EMAIL PROTECTED]>:
> > * Michael Scheidell <[EMAIL PROTECTED]>:
> > 
> >> SOUNDS LIKE MY FREE BLACKLIST:  blocked.secnap.net (google for it), lists
> >> all ipv4 addresses in the world.
> >> (and for some reason, one of the perl maintainers used it)
> > 
> > Finally. No. More. Spam.
> 
> Now let's see how many idiots start using it.

:)

> For the next 6 months, I will get 'legal department' phone calls demanding I
> remove them from our blacklist.  I send them a zone transfer, ask them to
> identify their netblock and never hear from them again.

Is this hypothetical or does this happen to you in real life?

-- 
Ralf Hildebrandt (i.A. des GB IT)               [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF                I'm looking for a job!


Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ralf Hildebrandt
* SM <[EMAIL PROTECTED]>:
> At 08:58 22-09-2008, Matt wrote:
>> Everyone should block/defer ALL email with no reverse DNS.  Then maybe
>> those email admins would get a clue.
>
> Assuming you have signed up for that service, 

Service? Sign up? It's a simple setting in the MTA.

> would you whitelist the sending host or wait for the postmaster to get
> a clue?

I personally wait.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Michael Scheidell
> * Michael Scheidell <[EMAIL PROTECTED]>:
> 
>> SOUNDS LIKE MY FREE BLACKLIST:  blocked.secnap.net (google for it), lists
>> all ipv4 addresses in the world.
>> (and for some reason, one of the perl maintainers used it)
> 
> Finally. No. More. Spam.

Now let's see how many idiots start using it.

For the next 6 months, I will get 'legal department' phone calls demanding I
remove them from our blacklist.  I send them a zone transfer, ask them to
identify their netblock and never hear from them again.




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread SM

At 08:58 22-09-2008, Matt wrote:

Everyone should block/defer ALL email with no reverse DNS.  Then maybe
those email admins would get a clue.


Assuming you have signed up for that service, would you whitelist the 
sending host or wait for the postmaster to get a clue?


Regards,
-sm 



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread fchan
You can set up Barracuda not to reply to spam (replying is the default 
behavior, which I hate). This is the backscatter we all experienced 
from Barracuda devices. I set one up for a friend, but it does take 
a while to find the instructions and to get this setting correct; 
I don't understand why they do that.


Frank


On Sat, 2008-09-20 at 23:51 -0700, Jeff Chan wrote:

 Haven't tried it myself but thought it may be of interest.


I wonder if it will include the barracuda devices that are set to
backscatter?
--
-Andy

Philosophy is a battle against the bewitchment
of our intelligence by means of language.
  - Ludwig Wittgenstein




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Henrik K
On Mon, Sep 22, 2008 at 09:23:45AM -0500, Daniel J McDonald wrote:
> On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:
> > 
> > On Mon, 22 Sep 2008, Daniel J McDonald wrote:
> > 
> > > On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
> > >> We're trying it today.
> > >
> > 
> > Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail 
> > from them?  What is the RBL name?
> 
> Here are the rules I'm using:
> # URL: http://www.barracudacentral.org/rbl/
> header __RCVD_IN_BRBL   eval:check_rbl('brbl', 'b.barracudacentral.org')
> describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
> header RCVD_IN_BRBL_RELAY   eval:check_rbl_sub('brbl', '127.0.0.2')
> tflags RCVD_IN_BRBL_RELAY   net
> describe RCVD_IN_BRBL_RELAY received via a relay rated as poor by Barracuda
> score   RCVD_IN_BRBL_RELAY  1.00

Note that this checks all Received headers, I'm seeing lots of FPs for
dynamic clients sending through ISP hosts etc. Try 'brbl-lastexternal' for
connecting clients only. If you keep on comparing hits, do tell which method
you are using.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Chris Hoogendyk



Matt wrote:

I had the same issue and found that the system that's relaying
(216.129.105.40) those confirmation emails doesn't have a PTR record.
You'd think someone selling an antispam/email appliance would be familiar
with the RFCs.



That would explain why I got no confirmation; we do not accept email
from IPs without a PTR record.

I agree, if true this looks pretty bad for a so-called antispam
company.
  

In fairness -- if you drop mail with no rDNS, you are dropping 3.6% of
legit email in general, going by the test results for our RDNS_NONE
rule... ;)



Everyone should block/defer ALL email with no reverse DNS.  Then maybe
those email admins would get a clue.


Unfortunately, they won't (get a clue).

There are too many of them, and some are major players. For example, we 
periodically have hassles with faculty and staff who have Verizon as 
their ISP at home. Verizon will mess up its configurations so that our 
server's paranoid settings start rejecting connections from our faculty 
and staff when they are at home. We get no end of complaints. Then 
Verizon will fix it. Then a few weeks later, it will be broken again.



--
---

Chris Hoogendyk

-
  O__   Systems Administrator
 c/ /'_ --- Biology & Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~ - University of Massachusetts, Amherst 


<[EMAIL PROTECTED]>

--- 


Erdös 4




Re: Scoring

2008-09-22 Thread Evan Platt

Lars Ebeling wrote:

I would very much want to know how this mail is scored.
Umm.. Take a look at the headers? Or am I misunderstanding what you're 
asking?


Scoring

2008-09-22 Thread Lars Ebeling

I would very much want to know how this mail is scored.
--
Regards
Lars Ebeling

http://leopg9.no-ip.org
Hobbithobbyist

"I am not young enough to know everything."
-- Oscar Wilde





Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ralf Hildebrandt
* Michael Scheidell <[EMAIL PROTECTED]>:

> SOUNDS LIKE MY FREE BLACKLIST:  blocked.secnap.net (google for it), lists
> all ipv4 addresses in the world.
> (and for some reason, one of the perl maintainers used it)

Finally. No. More. Spam.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ralf Hildebrandt
* Matt <[EMAIL PROTECTED]>:

> > In fairness -- if you drop mail with no rDNS, you are dropping 3.6% of
> > legit email in general, going by the test results for our RDNS_NONE
> > rule... ;)
> 
> Everyone should block/defer ALL email with no reverse DNS.  Then maybe
> those email admins would get a clue.

AOL.com does just that. 



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ralf Hildebrandt
* Dave Koontz <[EMAIL PROTECTED]>:
> Rose, Bobby wrote ... (9/22/2008 10:24 AM):
> > I had the same issue and found that the system that's relaying
> > (216.129.105.40) those confirmation emails doesn't have a PTR record.
> > You'd think someone selling an antispam/email appliance would be familiar
> > with the RFCs.
> >   
> That would explain why I got no confirmation; we do not accept email
> from IPs without a PTR record.

Same here, never got a mail, but it worked anyway.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ralf Hildebrandt
* Joseph Brennan <[EMAIL PROTECTED]>:
>
>
>> My top rejections for today are:
>>
>> % fgrep www.barracudanetworks.com/reputation /var/log/mail.log |
>>   awk '{print $10}' | sort  |uniq -c | sort -n | tail
>>
>>  18 mx35.ispgateway.de[80.67.29.41]:
> . . .
>>  21 mx20.ispgateway.de[80.67.18.53]:
>>  21 mx43.ispgateway.de[80.67.29.52]:
> . . .
>>  24 mx31.ispgateway.de[80.67.29.35]:
>
>
> We see those too.  Hosts in this domain are sending mail FROM:<>
> to recipients that do not exist, subject "Mail delivery failed:
> returning message to sender".

They send mail with fake senders to fake recipients here. So, that's
another point.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Matt
>> > I had the same issue and found that the system that's relaying
>> > (216.129.105.40) those confirmation emails doesn't have a PTR record.
>> > You'd think someone selling an antispam/email appliance would be familiar
>> > with the RFCs.
>> >
>> That would explain why I got no confirmation; we do not accept email
>> from IPs without a PTR record.
>>
>> I agree, if true this looks pretty bad for a so-called antispam
>> company.
>
> In fairness -- if you drop mail with no rDNS, you are dropping 3.6% of
> legit email in general, going by the test results for our RDNS_NONE
> rule... ;)

Everyone should block/defer ALL email with no reverse DNS.  Then maybe
those email admins would get a clue.

Matt


Re: Score Hit Frequency in SA Corpus?

2008-09-22 Thread Bob Proulx
Justin Mason wrote:
> Joseph Brennan writes:
> > >> OVERALL%   SPAM%     HAM%     S/O     RANK   SCORE  NAME
> > >>   1.116   1.5957   0.2705   0.855   0.51   2.08   SUBJ_ALL_CAPS
> > No, it's high.  Only 1.87% had all caps subject, but of those 85%
> > were spam: 1.60 / 1.87.
> > If I am reading correctly.
> 
> That's right.  

Ah...  That makes more sense to me now.  Thanks for the
clarification.

> The problem with SUBJ_ALL_CAPS is that it tends to catch really odd
> fraud spams, foreign-language spam etc. that the other rules fail to
> spot; this means that the GA likes it quite a lot, since despite 
> the occasional FP, it reduces FNs enough to make it "worth it".

Sure.  All is good here.

> it's hard to avoid this issue. :(

Let me stress that I wasn't unhappy with this rule.  It isn't scored
enough by itself anyway to create a FP.  It was just a part of several
things.  It is just something that people can affect by creating the
messages either one way or another.  So the visibility is because it
is such a simple thing that a sender can do to affect the result.

Thanks for the explanations of the hit ratios!

Bob


Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Joseph Brennan


Ralf Hildebrandt <[EMAIL PROTECTED]> wrote:

My top rejections for today are:


x28 smtp-out.orange.net[193.252.22.118]:



Orange is a major ISP.  Their mail-sending hosts are in 193.252.22 and
80.12.242.  Mail from Orange runs about 85 to 90% spam here.  The
minority remaining are legit users, some sending from cell phones.
Mail to abuse or postmaster is not answered.

http://openrbl.org/client/#193.252.22.118 shows it blacklisted only
on lists I'm not familiar with.  Blocking it will block legit mail,
if people in Europe send mail to your system.

Joseph Brennan
Columbia University Information Technology





Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Joseph Brennan




My top rejections for today are:

% fgrep www.barracudanetworks.com/reputation /var/log/mail.log |
  awk '{print $10}' | sort  |uniq -c | sort -n | tail

 18 mx35.ispgateway.de[80.67.29.41]:

. . .

 21 mx20.ispgateway.de[80.67.18.53]:
 21 mx43.ispgateway.de[80.67.29.52]:

. . .

 24 mx31.ispgateway.de[80.67.29.35]:



We see those too.  Hosts in this domain are sending mail FROM:<>
to recipients that do not exist, subject "Mail delivery failed:
returning message to sender".

It's ironic for Barracuda to blacklist hosts for backscatter.

Joseph Brennan
Columbia University Information Technology




Re: SPF not matching

2008-09-22 Thread Martin Gregorie
> I realize that it is malformed - shouldn't have non-FQDNs in the a: or
> mx: types, and male.example.com doesn't have an mx record (it is the mx
> for 'example.com').  But that being said, those ones that are valid
> ought to be recognized.
> 
A gentle suggestion to the SPF owner to visit 

http://www.kitterman.com/spf/validate.html

to validate and fix his SPF record might help both him and you.


Martin




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Justin Mason

Dave Koontz writes:
> Rose, Bobby wrote ... (9/22/2008 10:24 AM):
> > I had the same issue and found that the system that's relaying
> > (216.129.105.40) those confirmation emails doesn't have a PTR record.
> > You'd think someone selling an antispam/email appliance would be familiar
> > with the RFCs.
> >   
> That would explain why I got no confirmation; we do not accept email
> from IPs without a PTR record.
> 
> I agree, if true this looks pretty bad for a so-called antispam
> company.

In fairness -- if you drop mail with no rDNS, you are dropping 3.6% of
legit email in general, going by the test results for our RDNS_NONE
rule... ;)

--j.


Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Duane Hill

On Mon, 22 Sep 2008, Dave Koontz wrote:


Rose, Bobby wrote ... (9/22/2008 10:24 AM):

I had the same issue and found that the system that's relaying
(216.129.105.40) those confirmation emails doesn't have a PTR record.
You'd think someone selling an antispam/email appliance would be familiar
with the RFCs.


That would explain why I got no confirmation; we do not accept email
from IPs without a PTR record.

I agree, if true this looks pretty bad for a so-called antispam
company.  I will check our logs when I return from vacation and verify
what you are seeing.  Can anyone else confirm in the meantime?


Yep.

Sep 21 23:52:53 smtpgate postfix/smtpd[84422]: connect from unknown[216.129.105.40]:48748
Sep 21 23:52:53 smtpgate postfix/smtpd[84422]: NOQUEUE: reject: RCPT from unknown[216.129.105.40]:48748: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [216.129.105.40]; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo=
Sep 21 23:52:53 smtpgate postfix/smtpd[84422]: disconnect from unknown[216.129.105.40]:48748

-d


Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread mouss

mouss wrote:

Justin Piszcz wrote:


Hmm I signed up for this 1-2 days ago but never got a confirmation 
e-mail from them?  What is the RBL name?





They send from an IP without rDNS.

Received: from barracudacentral.org (unknown [216.129.105.40])

you may have rejected or quarantined it.



and by the way, it hits

HTML_MESSAGE, MIME_HEADER_CTYPE_ONLY, MIME_HTML_ONLY





Re: sa-update with proxy

2008-09-22 Thread Michael Scheidell
> Hi, spamassassin.apache.org
>
> Now I am trying to update the spamassassin rules through a proxy.
>
> I inserted http://proxy:port   in /etc/wgetrc already but
> when I type command

don't know if sa-update uses wget.

on freebsd, we just set http_proxy environment variable.
(yes, I submitted patches a while back for sa-update to directly support proxy
command line options.. If it's needed, google for them)




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread mouss

Justin Piszcz wrote:


Hmm I signed up for this 1-2 days ago but never got a confirmation 
e-mail from them?  What is the RBL name?





They send from an IP without rDNS.

Received: from barracudacentral.org (unknown [216.129.105.40])

you may have rejected or quarantined it.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Michael Scheidell
>> The problem is in false positives - you won't get any mail with it
> 
>  I've had servers listed on Barracuda before, despite 17 emails to their
> support systems we never had any response, and had to change a customers
> mail architecture to compensate.
> 
>  Very wary of them ..
> 
> Chris
> 
SOUNDS LIKE MY FREE BLACKLIST:  blocked.secnap.net (google for it), lists
all ipv4 addresses in the world.
(and for some reason, one of the perl maintainers used it)



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Dave Koontz
Rose, Bobby wrote ... (9/22/2008 10:24 AM):
> I had the same issue and found that the system that's relaying
> (216.129.105.40) those confirmation emails doesn't have a PTR record.
> You'd think someone selling an antispam/email appliance would be familiar
> with the RFCs.
>   
That would explain why I got no confirmation; we do not accept email
from IPs without a PTR record.

I agree, if true this looks pretty bad for a so-called antispam
company.  I will check our logs when I return from vacation and verify
what you are seeing.  Can anyone else confirm in the meantime?



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ken A

Rose, Bobby wrote:

I had the same issue and found that the system that's relaying
(216.129.105.40) those confirmation emails doesn't have a PTR record.
You'd think someone selling an antispam/email appliance would be familiar
with the RFCs.

-Original Message-
From: Justin Piszcz [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 22, 2008 10:15 AM

To: Daniel J McDonald
Cc: users@spamassassin.apache.org
Subject: Re: New free blacklist: BRBL - Barracuda Reputation Block List



On Mon, 22 Sep 2008, Daniel J McDonald wrote:



Hmm I signed up for this 1-2 days ago but never got a confirmation
e-mail 
from them?  What is the RBL name?


Justin.



It hit botnet rules here too, just now.
Ken





Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Robert LeBlanc

Dave Koontz wrote:

Justin Piszcz wrote ... (9/22/2008 10:14 AM):

Hmm I signed up for this 1-2 days ago but never got a confirmation
e-mail from them?  What is the RBL name?

Justin.

Same here.  For those currently running this, how long did it take to
get confirmation email and setup?


I ran into that problem myself, but checking the logs I noticed that 
Barracuda was sending the confirmation mail from an IP address with no 
rDNS, so it was being rejected.  To receive the confirmation email, 
either whitelist 216.129.105.40 or disable your MTA's rDNS verification 
temporarily.


As an aside, if you're using the Barracuda RBL with SpamAssassin, I 
understand that it's not technically necessary to register your IPs with 
them, you just need to use a slightly different RBL address.  Instead of 
"b.barracudacentral.org", use "bb.barracudacentral.org", which has 
supposedly been reserved for SpamAssassin users.


--
Robert LeBlanc <[EMAIL PROTECTED]>
Renaissoft, Inc.
Maia Mailguard 



RE: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Martin.Hepworth
Dave

I got mine in seconds this morning.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: Dave Koontz [mailto:[EMAIL PROTECTED]
> Sent: 22 September 2008 15:30
> To: Justin Piszcz
> Cc: users@spamassassin.apache.org
> Subject: Re: New free blacklist: BRBL - Barracuda Reputation
> Block List
>
> Justin Piszcz wrote ... (9/22/2008 10:14 AM):
> > Hmm I signed up for this 1-2 days ago but never got a confirmation
> > e-mail from them?  What is the RBL name?
> >
> > Justin.
> Same here.  For those currently running this, how long did it
> take to get confirmation email and setup?
>
> ~ Sparky ~
>
>




**
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Curtis LaMasters
About 10 minutes.  I've had it up and running for about 30 minutes now and
I've gotten 127 hits.  Pretty impressive.  Now we will need to see what
fallout occurs. :)

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Dave Koontz
Justin Piszcz wrote ... (9/22/2008 10:14 AM):
> Hmm I signed up for this 1-2 days ago but never got a confirmation
> e-mail from them?  What is the RBL name?
>
> Justin.
Same here.  For those currently running this, how long did it take to
get confirmation email and setup?

~ Sparky ~



Re: SPF not matching

2008-09-22 Thread McDonald, Dan
On Mon, 2008-09-22 at 15:49 +0200, mouss wrote:
> McDonald, Dan wrote:
> > I'm having trouble with a correspondent who is using SPF, is sending
> > from a host allowed in policy, but the SPF rule is not matching.
> > 
> > Their spf record (obfuscated) is:
> > example.com.   3600   IN   TXT   "v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24
> >   a:mailrelay a:exchange mx:male.example.com mx:femail -all"

> > Any clues?
> > 
> 
> sure. a.a.a.a is not allowed to send mail. IP addresses may not contain 
> letters.

As I said, I obfuscated it.  There are numbers there, but I didn't want
to publicly shame the offender.



RE: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Rose, Bobby
I had the same issue and found that the system that's relaying
(216.129.105.40) those confirmation emails doesn't have a PTR record.
You'd think someone selling an antispam/email appliance would be familiar
with the RFCs.

-Original Message-
From: Justin Piszcz [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 22, 2008 10:15 AM
To: Daniel J McDonald
Cc: users@spamassassin.apache.org
Subject: Re: New free blacklist: BRBL - Barracuda Reputation Block List



On Mon, 22 Sep 2008, Daniel J McDonald wrote:



Hmm I signed up for this 1-2 days ago but never got a confirmation
e-mail 
from them?  What is the RBL name?

Justin.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Daniel J McDonald
On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:
> 
> On Mon, 22 Sep 2008, Daniel J McDonald wrote:
> 
> > On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
> >> We're trying it today.
> >
> 
> Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail 
> from them?  What is the RBL name?

Here are the rules I'm using:
# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL   eval:check_rbl('brbl', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY   eval:check_rbl_sub('brbl', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY   net
describe RCVD_IN_BRBL_RELAY received via a relay rated as poor by Barracuda
score   RCVD_IN_BRBL_RELAY  1.00





Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Justin Piszcz



On Mon, 22 Sep 2008, Daniel J McDonald wrote:


On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:

We're trying it today.

For the same period of about 4.5 hours, zen had about 110 hits, while 
b.barracuda had about 165.


In about 26 hours I had 885 hits on b.barracuda,  and 309 hits on the
various zen lists.

Zen had only 18 unique hits,

$ grep -c BRBL /var/log/mail/info
885
$ grep -c XBL /var/log/mail/info
270
$ grep -c -P BRBL.+XBL /var/log/mail/info
260
$ grep -c PBL /var/log/mail/info
4
$ grep -c -P BRBL.+PBL /var/log/mail/info
4
$ grep -c SBL /var/log/mail/info
35
$ grep -c -P BRBL.+SBL /var/log/mail/info
27

The numbers might be slightly worse for zen, since I had a couple of
multiple-zen hits:
$ grep -c -P BRBL.+[PSX]BL.+[PSX]BL /var/log/mail/info
3

I'm currently scoring it a 1.00, if it really is accurate I would like
to increase it.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail 
from them?  What is the RBL name?


Justin.


Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ralf Hildebrandt
* Justin Mason <[EMAIL PROTECTED]>:

> The fact that there's a prominent removal-request link is a good
> sign, in my opinion ;)  Let's see how it goes.

My top rejections for today are:

% fgrep www.barracudanetworks.com/reputation /var/log/mail.log | 
  awk '{print $10}' | sort  |uniq -c | sort -n | tail

 18 mx35.ispgateway.de[80.67.29.41]:
x18 unknown[203.210.244.169]:
x18 unknown[62.64.92.218]:
x18 unknown[77.222.138.14]:
x19 unknown[194.186.250.230]:
 21 mx20.ispgateway.de[80.67.18.53]:
 21 mx43.ispgateway.de[80.67.29.52]:
x22 unknown[222.124.11.83]:
 24 mx31.ispgateway.de[80.67.29.35]:
x28 smtp-out.orange.net[193.252.22.118]:

The hosts marked x can be found in other RBLs (I used openrbl.org to
check).

-- 
Ralf Hildebrandt (i.A. des GB IT)              [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin           Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin   Fax.  +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF               I'm looking for a job!


Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ken A

DAve wrote:

Jeff Chan wrote:

[Pardon the spam; thought this new blacklist might be worth at
least trying.]

Apparently Barracuda will be publishing a free-to-use sender
blacklist called BRBL:

  http://www.barracudacentral.org/rbl

Haven't tried it myself but thought it may be of interest.


We have a system in use for members of a specific group within the 
state. The system takes a list of ID numbers from an email and returns a 
result for each number back to the sender. It requires a paid membership 
and a manual verification by a human to sign up for the service. The 
result emails are very structured, no images, plain text, proper and 
complete headers. We have several clients who have the result emails 
captured by the Barracuda Reputation System, they cannot seem to get the 
result emails past their Barracuda. Other clients have no issues at all.


I have three other clients who we do spam filtering for, they have a 
Barracuda between our spam filtering server and their Exchange servers. 
They often trap their own intra office mail. Frank in LA emails Bob in 
Atlanta, the Atlanta Barracuda says "spam" and bounces the message back 
to Frank, then Frank's  Barracuda says "spam" and bounces the message 
back to Bob. They do not seem to be able to make it stop doing so and 
will not pay for a tech to come onsite and investigate. I have a special 
"slow" mail queue I dump their traffic into.


If the reputation is based on spam tagged from client managed systems I 
would think it not much to count on.


I hope that's not how it's managed! We regularly see barracudas bounce 
email with PBL listed IPs in the received headers (NOT the connecting 
server). MailMarshall does this too, if properly misconfigured. :-(

Ken



DAve





--
Ken Anderson
Pacific.Net



Re: SPF not matching

2008-09-22 Thread mouss

McDonald, Dan wrote:

I'm having trouble with a correspondent who is using SPF, is sending
from a host allowed in policy, but the SPF rule is not matching.

Their spf record (obfuscated) is:
example.com.    3600    IN    TXT    "v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24 a:mailrelay a:exchange mx:male.example.com mx:femail -all"

I realize that it is malformed - shouldn't have non FQDN's in the a: or
mx: types, and male.example.com doesn't have an mx record (it is the mx
for 'example.com').  But that being said, those ones that are valid
ought to be recognized.

The message is being sent from a.a.a.11, so the ip4:a.a.a.0/24 record
should match.

I have both the old and new style SPF modules loaded:
[EMAIL PROTECTED] ~]$ rpm -qa | grep SPF
perl-Mail-SPF-Query-1.997-2mdk
perl-Mail-SPF-2.005-1.1.20060mlcs4


SPF works for other domains:
$ grep -c SPF_PASS /var/log/mail/info
11963
$ grep -c SPF_FAIL /var/log/mail/info
216
$ grep -c SPF_SOFTFAIL /var/log/mail/info
177

A total of 3710 distinct domains passed SPF, if my grep is correct
$ grep SPF_PASS /var/log/mail/info | grep -P -o '<.+?> ->' | cut -d @ -f 2 | cut -d \> -f 1 | sort | uniq | wc
   3710    3710   66125

Any clues?



sure. a.a.a.a is not allowed to send mail. IP addresses may not contain 
letters.





Re: Spamassassin Letting a Lot of Spams Through

2008-09-22 Thread Danita Zanre
  >>> Matus UHLAR - fantomas <[EMAIL PROTECTED]> 9/22/2008 3:26 AM >>> 
On 13.09.08 19:44, aladdin Sorry about the generic wrote:
> Sorry about the generic subject, but it is the only thing this newbie
knows to 
> describe the symptom.

I have used spamassassin for many years.  We use a number of add-ins
like Razor2, botnet checks, selective greylisting before hitting
spamassassin, etc., and we too have been seeing an increase in "leakage"
lately.  Just this weekend I increased our Bayes scores.  We had a slew
of mail in the 4.5-5.00 range (we block at 5.00) that was spam, but also
some real mail, so I did not want to lower the trigger score.  Changing
the 95% bayes to 4.5 from 3.5 has helped tremendously.  I don't see any
false positives in this, but we're blocking the majority of that 4.5-5.0
scored spam of course, because the vast majority of it was high bayes,
but very few other hits.

Danita



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Justin Mason

SM writes:
> At 03:24 22-09-2008, Chris Russell wrote:
> >  I've had servers listed on Barracuda before, despite 17 emails to their
> >support systems we never had any response, and had to change a customers
> >mail architecture to compensate.
> 
> It's a free blacklist.  People will use it until they get listed and 
> find out that there is no way to get unlisted as the blacklist is 
> said to be accurate or there's no delisting policy.
> 
> This new free blacklist has not published its listing methodology 
> yet.  There is a removal request link.  I'll wait for someone to get 
> listed to find out whether that actually works.

The fact that there's a prominent removal-request link is a good
sign, in my opinion ;)  Let's see how it goes.

--j.


SPF not matching

2008-09-22 Thread McDonald, Dan
I'm having trouble with a correspondent who is using SPF, is sending
from a host allowed in policy, but the SPF rule is not matching.

Their spf record (obfuscated) is:
example.com.    3600    IN    TXT    "v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24 a:mailrelay a:exchange mx:male.example.com mx:femail -all"

I realize that it is malformed - shouldn't have non FQDN's in the a: or
mx: types, and male.example.com doesn't have an mx record (it is the mx
for 'example.com').  But that being said, those ones that are valid
ought to be recognized.

The message is being sent from a.a.a.11, so the ip4:a.a.a.0/24 record
should match.

I have both the old and new style SPF modules loaded:
[EMAIL PROTECTED] ~]$ rpm -qa | grep SPF
perl-Mail-SPF-Query-1.997-2mdk
perl-Mail-SPF-2.005-1.1.20060mlcs4


SPF works for other domains:
$ grep -c SPF_PASS /var/log/mail/info
11963
$ grep -c SPF_FAIL /var/log/mail/info
216
$ grep -c SPF_SOFTFAIL /var/log/mail/info
177

A total of 3710 distinct domains passed SPF, if my grep is correct
$ grep SPF_PASS /var/log/mail/info | grep -P -o '<.+?> ->' | cut -d @ -f 2 | cut -d \> -f 1 | sort | uniq | wc
   3710    3710   66125

Any clues?

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
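
Dan's record mixes terms that need DNS (mx, ptr, a:, mx:) with ip4 terms that can be evaluated from the record alone, and mouss's reply hints at why the obfuscated copy cannot match at all. The following is an added example, not code from the thread or from Mail::SPF: it splits a v=spf1 record into terms, lints the problems Dan named (non-FQDN a:/mx: targets, unparsable ip4 arguments) plus the ptr mechanism that RFC 7208 section 5.5 says should not be used, and reports the qualifier of the first ip4/ip6 term that covers a sender address. The sample record uses the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 in place of a.a.a.0/24 and b.b.b.0/24; the obfuscated form is kept as a second sample to show how the letters break parsing.

```python
"""Lint an SPF record and evaluate its DNS-free (ip4/ip6) terms.

Added example, not from the list thread and not Mail::SPF. The sample
record mirrors the shape of the obfuscated one in the post, with
documentation ranges standing in for a.a.a.0/24 and b.b.b.0/24.
"""
import ipaddress
from typing import List, Optional, Tuple

SAMPLE_RECORD = ("v=spf1 mx ptr ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                 "a:mailrelay a:exchange mx:male.example.com mx:femail -all")
# The record as posted (letters in the ip4 arguments): constructed copy for contrast.
OBFUSCATED_RECORD = "v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24 a:mailrelay -all"

Term = Tuple[str, str, str]  # (qualifier, mechanism, argument)


def parse_spf(record: str) -> List[Term]:
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    terms: List[Term] = []
    for tok in parts[1:]:
        qual = "+"                      # default qualifier is Pass
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        if "=" in mech:                 # modifier such as redirect= or exp=
            mech, _, arg = tok.partition("=")
        terms.append((qual, mech.lower(), arg))
    return terms


def lint_spf(record: str) -> List[str]:
    """Report problems an evaluator would trip over. Does no DNS lookups."""
    problems: List[str] = []
    for _qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"{mech}:{arg} is not a valid address or CIDR")
        elif mech in ("a", "mx", "include", "exists", "redirect") and arg:
            host = arg.split("/")[0]    # drop a trailing dual-cidr-length (a:host/24)
            if "." not in host.strip("."):
                problems.append(f"{mech}:{arg} is not a fully qualified domain name")
        elif mech == "ptr":
            problems.append("ptr is discouraged (RFC 7208 5.5): slow and unreliable")
    return problems


def ip_decision(record: str, sender_ip: str) -> Optional[str]:
    """Qualifier of the first ip4/ip6 term matching sender_ip, or None if only
    DNS-dependent terms could decide."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech not in ("ip4", "ip6"):
            continue
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            continue                    # unparsable term can never match
        if ip.version == net.version and ip in net:
            return qual
    return None


if __name__ == "__main__":
    for rec in (SAMPLE_RECORD, OBFUSCATED_RECORD):
        print(rec)
        for p in lint_spf(rec):
            print("  lint:", p)
        print("  192.0.2.11 ->", ip_decision(rec, "192.0.2.11"))
```

With the documentation-range record a sender at 192.0.2.11 gets "+" from the ip4 term regardless of the broken a:/mx: targets; with the obfuscated record the ip4 terms fail to parse and nothing DNS-free can match, which is mouss's point.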





Re: Score Hit Frequency in SA Corpus?

2008-09-22 Thread Justin Mason

Joseph Brennan writes:
> 
> 
> --On Sunday, September 21, 2008 18:39 -0600 Bob Proulx <[EMAIL PROTECTED]> 
> wrote:
> 
> >> OVERALL  SPAM%    HAM%    S/O    RANK  SCORE  NAME
> >>   1.116  1.5957  0.2705  0.855  0.51   2.08  SUBJ_ALL_CAPS
> >
> > Am I reading that correctly to see that in spam all caps showed up in
> > 1.60% of the regression corpus and only in 0.27% of the non-spam?
> > Gosh that seems like a very small indicator.
> 
> 
> No, it's high.  Only 1.87% had all caps subject, but of those 85%
> were spam: 1.60 / 1.87.
> 
> If I am reading correctly.

That's right.  

The problem with SUBJ_ALL_CAPS is that it tends to catch really odd
fraud spams, foreign-language spam etc. that the other rules fail to
spot; this means that the GA likes it quite a lot, since despite 
the occasional FP, it reduces FNs enough to make it "worth it".

it's hard to avoid this issue. :(

--j.


RE: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread SM

At 03:24 22-09-2008, Chris Russell wrote:

 I've had servers listed on Barracuda before, despite 17 emails to their
support systems we never had any response, and had to change a customers
mail architecture to compensate.


It's a free blacklist.  People will use it until they get listed and 
find out that there is no way to get unlisted as the blacklist is 
said to be accurate or there's no delisting policy.


This new free blacklist has not published its listing methodology 
yet.  There is a removal request link.  I'll wait for someone to get 
listed to find out whether that actually works.


Regards,
-sm 



Re: Score Hit Frequency in SA Corpus?

2008-09-22 Thread Joseph Brennan



--On Sunday, September 21, 2008 18:39 -0600 Bob Proulx <[EMAIL PROTECTED]> 
wrote:



OVERALL  SPAM%    HAM%    S/O    RANK  SCORE  NAME
  1.116  1.5957  0.2705  0.855  0.51   2.08  SUBJ_ALL_CAPS


Am I reading that correctly to see that in spam all caps showed up in
1.60% of the regression corpus and only in 0.27% of the non-spam?
Gosh that seems like a very small indicator.



No, it's high.  Only 1.87% had all caps subject, but of those 85%
were spam: 1.60 / 1.87.

If I am reading correctly.

Joseph Brennan
Columbia University Information Technology




Re: sa-update with proxy

2008-09-22 Thread SM

Hi Alangchang,
At 06:40 21-09-2008, Alangchang Zuuzuu wrote:

  Now I try to update rule of spamassassin through proxy.



I inserted http://proxy:port in /etc/wgetrc already but when I type command


#sa-update -D

I see this :


[snip]


[8931] dbg: channel: no MIRRORED.BY file available
[8931] dbg: http: GET request, spamassassin.apache.org/updates/MIRRORED.BY
[8931] dbg: http: request failed, retrying: 500 Can't connect to 
spamassassin.apache.org:80 (connect: timeout): 500 Can't connect to 
spamassassin.apache.org:80 (connect: timeout)


sa-update does not use wget to download updates.  From 
http://wiki.apache.org/spamassassin/RuleUpdates


sa-update uses the LWP::UserAgent module, which allows certain 
environment variables to be set so that requests use defined proxy 
servers. The main one of interest is "http_proxy", which should be 
set to an URL defining the proxy. ie: export 
http_proxy='http://proxy.example.com:8080/'


Regards,
-sm 



Re: sa-update with proxy

2008-09-22 Thread Jonas Eckerman

Alangchang Zuuzuu wrote:

I inserted _http://proxy:port_ in /etc/wgetrc already but when I type 
command


sa-update doesn't use wget.


*what should I do*


Try setting the environment variable "http_proxy" to whatever 
address your proxy uses before calling sa-update.



*Should I edit something in /usr/bin/sa-update???*


No. AFAICT sa-update (at least the one that came with the freebsd 
port of SA 3.2.5 here) enables LWP::UserAgent to fetch proxy 
settings from environment.


** 


?

Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread DAve

Jeff Chan wrote:

[Pardon the spam; thought this new blacklist might be worth at
least trying.]

Apparently Barracuda will be publishing a free-to-use sender
blacklist called BRBL:

  http://www.barracudacentral.org/rbl

Haven't tried it myself but thought it may be of interest.


We have a system in use for members of a specific group within the 
state. The system takes a list of ID numbers from an email and returns a 
result for each number back to the sender. It requires a paid membership 
and a manual verification by a human to sign up for the service. The 
result emails are very structured, no images, plain text, proper and 
complete headers. We have several clients who have the result emails 
captured by the Barracuda Reputation System, they cannot seem to get the 
result emails past their Barracuda. Other clients have no issues at all.


I have three other clients who we do spam filtering for, they have a 
Barracuda between our spam filtering server and their Exchange servers. 
They often trap their own intra office mail. Frank in LA emails Bob in 
Atlanta, the Atlanta Barracuda says "spam" and bounces the message back 
to Frank, then Frank's  Barracuda says "spam" and bounces the message 
back to Bob. They do not seem to be able to make it stop doing so and 
will not pay for a tech to come onsite and investigate. I have a special 
"slow" mail queue I dump their traffic into.


If the reputation is based on spam tagged from client managed systems I 
would think it not much to count on.


DAve


--
Don't tell me I'm driving the cart!


Re: Problem implementing MySQL with SA

2008-09-22 Thread Ian
On 20 Sep 2008 at 5:21, J.J. Day wrote:  

> 
> Hi, 
> 
> Installed Sendmail  8.14.2, MIMEDefang-2.63, SpamAssassin 3.2.4, and
> MySQL  5.0.51a on FreeBSD 6.3. Normal messages (including  sample-spam.txt
> and  sample-nospam.txt) are processed properly and everything appears to
> work properly until I try to implement per-user settings with MySQL. When
> I test MySQL using spamd I get the following message: Tue Sep  2 20:47:57
> 2008 [41521] dbg: auto-whitelist: sql-based unable to connect to database
> (DBI:mysql:sa_data:localhost) : Can't connect to local MySQL server
> through socket '/var/run/mysql/socket=' (2) 
> 
> Does anyone recognize this problem and have a solution? (All of the
> remedies suggested by a Google search for the error message have not
> helped.) 
> 
> J.J. 

Hi,

To me it looks like there is a spurious equals sign in your config:

> (DBI:mysql:sa_data:localhost) : Can't connect to local MySQL server
> through socket '/var/run/mysql/socket=' (2)


If this is not the case then check if the MySQL server is running.  Can you 
connect to it 
using the credentials you supplied to spamd with the mysql command line client?

If server is running, is the socket file present?

It may help to look at the MySQL log files as well.

Regards

Ian
-- 


> 
> Possibly relevant additional information:
> 
> 1- MIMEDefang was stopped before running spamd, MySQL is running
> The MySQL configuration from /etc/my.cnf:
> <>
> # The following options will be passed to all MySQL clients
> [client]
> port= 3306
> socket  = /var/run/mysql/socket
> # The MySQL server
> [mysqld]
> port= 3306
> socket  = /var/run/mysql/socket
> pid-file=/var/run/mysql/mysql-server.pid
> skip-networking
> <>
> 
> A "ps" shows MySQL running. An "ls" shows the socket established. 
>   srwxrwxrwx  1 mysql  mysql0 Jun  1 08:42 socket=
> 
> 2 - from /usr/local/etc/mail/spamassassin/local.cf:
> #  auto-whitelisting
> #
> auto_whitelist_factory  Mail::SpamAssassin::SQLBasedAddrList
> user_awl_dsn  DBI:mysql:sa_data:localhost
> user_awl_sql_usernamespamassassin
> user_awl_sql_passwordspam_admin
> user_awl_sql_table   awl
> 
>  user scores and Bayesian processing are also specified.
> 
> 3 - A manual execution of MySQL specifying the identical instance, username 
> and PW connects properly and allows all of (and only) the functionality 
> specified by the grants.
> 
> 
> 
> _
> See how Windows connects the people, information, and fun that are part of 
> your life.
> http://clk.atdmt.com/MRT/go/msnnkwxp1020093175mrt/direct/01/
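
Ian's checklist (is the socket path really what the config says, is the server running, is the socket file present) is easy to script. The following is an added example, not code from either post: it reads socket= from the [client] section of a my.cnf-style file and verifies that the path exists, is a Unix socket and is accessible. It also flags a path ending in "=", because ls -F prints "=" after a socket as a type marker that is not part of the file name, which is one way such a suffix can end up in a configuration. The config text and the throwaway socket it binds are constructed in a temporary directory so the check runs offline; nothing here touches the poster's system.

```python
"""Check that the MySQL socket a client config points at really exists.

Added example; not from the list posts. demo() writes a my.cnf-style
file and binds a throwaway Unix socket in a temp directory (constructed,
not the poster's system) so the check can be exercised offline.
"""
import configparser
import os
import socket
import stat
import tempfile
from typing import Dict, Optional, Tuple


def client_socket_path(cnf_text: str) -> Optional[str]:
    """Read socket= from the [client] section of my.cnf-style text."""
    # allow_no_value handles bare options such as skip-networking
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    return cp.get("client", "socket", fallback=None)


def check_socket(path: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a Unix socket path a client would connect to."""
    if not path:
        return False, "no socket= in [client]; the client falls back to its built-in default"
    if path.endswith("="):
        # ls -F appends '=' to socket names; it is a type marker, not part of the name
        return False, f"{path!r} ends with '=', which looks copied from ls -F output"
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f"{path!r} does not exist; is mysqld running with this socket?"
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path!r} exists but is not a Unix socket"
    if not os.access(path, os.R_OK | os.W_OK):
        return False, f"{path!r} is not readable/writable by uid {os.getuid()}"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the good and the '=' case on a temporary socket; returns both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "socket")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)                      # creates the socket file
        try:
            cnf = (
                "# constructed my.cnf fragment\n"
                "[client]\n"
                "port= 3306\n"
                f"socket  = {sock_path}\n"
                "[mysqld]\n"
                "port= 3306\n"
                f"socket  = {sock_path}\n"
                "skip-networking\n"
            )
            good = check_socket(client_socket_path(cnf))
            bad = check_socket(sock_path + "=")  # the path shape from the error message
            missing = check_socket(os.path.join(d, "nope"))
        finally:
            srv.close()
    return {"good": good, "bad": bad, "missing": missing}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}")
```

On a live host you would feed it the real /etc/my.cnf and the socket path from the error message; a "does not exist" verdict while ps shows mysqld running usually means the server is using a different socket path than the client config names.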




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Daniel J McDonald
On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
> We're trying it today.  
> 
> For the same period of about 4.5 hours, zen had about 110 hits, while 
> b.barracuda had about 165. 

In about 26 hours I had 885 hits on b.barracuda,  and 309 hits on the
various zen lists.

Zen had only 18 unique hits, 

$ grep -c BRBL /var/log/mail/info
885
$ grep -c XBL /var/log/mail/info
270
$ grep -c -P BRBL.+XBL /var/log/mail/info
260
$ grep -c PBL /var/log/mail/info
4
$ grep -c -P BRBL.+PBL /var/log/mail/info
4
$ grep -c SBL /var/log/mail/info
35
$ grep -c -P BRBL.+SBL /var/log/mail/info
27

The numbers might be slightly worse for zen, since I had a couple of
multiple-zen hits:
$ grep -c -P BRBL.+[PSX]BL.+[PSX]BL /var/log/mail/info
3

I'm currently scoring it a 1.00, if it really is accurate I would like
to increase it.
-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



sa-update with proxy

2008-09-22 Thread Alangchang Zuuzuu

 Hi, spamassassin.apache.org
 
  Now I try to update rule of spamassassin through proxy.
 
I inserted http://proxy:port in /etc/wgetrc already but when I type command 
#sa-update -D
I see this :
 
check: is spam? score=0 required=5
[8931] dbg: check: tests=
[8931] dbg: check: subtests=
[8931] dbg: generic: lint check of site pre files succeeded, continuing with channel updates
[8931] dbg: channel: no MIRRORED.BY file available
[8931] dbg: http: GET request, spamassassin.apache.org/updates/MIRRORED.BY
[8931] dbg: http: request failed, retrying: 500 Can't connect to spamassassin.apache.org:80 (connect: timeout): 500 Can't connect to spamassassin.apache.org:80 (connect: timeout)
http: request failed: 500 Can't connect to spamassassin.apache.org:80 (connect: timeout): 500 Can't connect to spamassassin.apache.org:80 (connect: timeout)
error: no mirror data available for channel updates.spamassassin.org
channel: MIRRORED.BY contents were missing, channel failed
[8931] dbg: generic: cleaning up temporary directory/files
[8931] dbg: diag: updates complete, exiting with code 4
 
-
[8931] dbg: channel: no MIRRORED.BY file available--->what should I do
[8931] dbg: http: request failed, retrying: 500 Can't connect to 
spamassassin.apache.org:80 --->what should I do
error: no mirror data available for channel updates.spamassassin.org--->what 
should I do
 
Should I edit something in /usr/bin/sa-update???
 
Thank you,
Alang Chang

   
 
 
 
 
All the best for the coming year & beyond
- alangchang - 
 
 o,o Let me think
 ( ';'),about that...
c(")(") love youI. - . - .   !  L 
",  ," UO " . "OV   E   Y


Problem implementing MySQL with SA

2008-09-22 Thread J.J. Day

Hi,

Installed Sendmail  8.14.2, MIMEDefang-2.63, SpamAssassin 3.2.4, and MySQL  
5.0.51a on FreeBSD 6.3. Normal messages (including  sample-spam.txt and  
sample-nospam.txt) are processed properly and everything appears to work 
properly until I try to implement per-user settings with MySQL. When I test 
MySQL using spamd I get the following message:
 Tue Sep  2 20:47:57 2008 [41521] dbg: auto-whitelist: sql-based unable to 
connect to database (DBI:mysql:sa_data:localhost) : Can't connect to local 
MySQL server through socket '/var/run/mysql/socket=' (2)

Does anyone recognize this problem and have a solution? (All of the remedies 
suggested by a Google search for the error message have not helped.)

J.J.

Possibly relevant additional information:

1- MIMEDefang was stopped before running spamd, MySQL is running
The MySQL configuration from /etc/my.cnf:
<>
# The following options will be passed to all MySQL clients
[client]
port= 3306
socket  = /var/run/mysql/socket
# The MySQL server
[mysqld]
port= 3306
socket  = /var/run/mysql/socket
pid-file=/var/run/mysql/mysql-server.pid
skip-networking
<>

A "ps" shows MySQL running. An "ls" shows the socket established. 
  srwxrwxrwx  1 mysql  mysql0 Jun  1 08:42 socket=

2 - from /usr/local/etc/mail/spamassassin/local.cf:
#  auto-whitelisting
#
auto_whitelist_factory  Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn  DBI:mysql:sa_data:localhost
user_awl_sql_usernamespamassassin
user_awl_sql_passwordspam_admin
user_awl_sql_table   awl

 user scores and Bayesian processing are also specified.

3 - A manual execution of MySQL specifying the identical instance, username and 
PW connects properly and allows all of (and only) the functionality specified 
by the grants.




RE: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Chris Russell
> The problem is in false positives - you won't get any mail with it

 I've had servers listed on Barracuda before, despite 17 emails to their
support systems we never had any response, and had to change a customers
mail architecture to compensate.

 Very wary of them ..

Chris



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Matus UHLAR - fantomas
> >> For the same period of about 4.5 hours, zen had about 110 hits, while
> >> b.barracuda had about 165.
> >
> >What about overlap?  Were the barracuda hits only those that skipped by
> >zen?  Thanks.

On 21.09.08 21:14, Len Conrad wrote:
> for the same period, zen = 153 hits, barracuda = 226 hits

There's no problem in creating blacklist that will have 100% hitrate :)

The problem is in false positives - you won't get any mail with it

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse


Re: Spamassassin Letting a Lot of Spams Through

2008-09-22 Thread Matus UHLAR - fantomas
On 13.09.08 20:34, aladdin wrote:
> On Saturday 13 September 2008 20:20, aladdin wrote:
> > On Saturday 13 September 2008 20:00, Daryl C. W. O'Shea wrote:
> > > Check to make sure that network tests aren't disabled.  Many distro
> > > packages have network tests turned off my default.  Not sure where
> > > Debian would configure this, sorry.
> > >
> > > Daryl
> >
> > Thanks for the reply!
> >
> > Where would I check that and what would I look for?  Can you tell that from
> > either the header or the config file I posted?
> 
> According to what I found on the web, NOT having the -L or --local switch
> enables the network tests.  I DO NOT have this switch on my spamd command
> line.  And, as near as I can tell, the config files turn on all that stuff
> (razor, pyzor, etc.).

You mean those .pre files? You also need many additional packages (razor2,
pyzor, dcc-client etc) for them to work...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: Spamassassin Letting a Lot of Spams Through

2008-09-22 Thread Matus UHLAR - fantomas
On 13.09.08 19:44, aladdin Sorry about the generic wrote:
> Sorry about the generic subject, but it is the only thing this newbie knows 
> to 
> describe the symptom.
> 
> Platform: Debian (Etch?)
> 
> Latest Spamassassin in apt (version 3.1.7-deb)

there's 3.2.3 in volatile archive, just FYI


-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.


Re: Score Hit Frequency in SA Corpus?

2008-09-22 Thread Justin Mason

Bob Proulx writes:
> Are the hit frequencies from the SpamAssassin corpus available on the
> web somewhere?  I looked through the docs and wiki but didn't see it
> if they were.
> 
> What is the hit frequency in the corpus of SUBJ_ALL_CAPS scoring 2.1?
> I wanted to know so that I could educate a sender that using all caps
> in a long subject makes it look significantly like spam but couldn't
> deduce the statistical numbers.

http://ruleqa.spamassassin.org/