Re: Is spam volume really down

2008-11-24 Thread Robert Schetterer
Ned Slider wrote:
> fchan wrote:
>> "They're back..."   the quote from Carol Anne Freeling from the movie
>> Poltergeist II.
>> I don't know about you but I've seen these spikes in spam today which is
>> in line with what spamcop.net sees:
>> http://www.spamcop.net/spamgraph.shtml?spamstats
>> http://www.spamcop.net/spamgraph.shtml?spamweek
>> http://www.spamcop.net/spamgraph.shtml?spammonth
>>
>> I knew that shutting them down on one colo site will only prevent them
>> from sending spam for a short time. Now they appear to have found a
>> new location somewhere... in hell.
>>
>>> I noticed the size of my black list dropped by more than 1/3 this
>>> last week.
>>
>>
> 
> I've not seen any real uptick in spam volume today per se. What I have
> seen is a rise in virus attachments today - spambot viruses, probably
> the latest edition set for the new C&C infrastructure wherever they've
> moved that to. I've not analysed any samples so I'm not sure which
> spambot it is or where the new C&C infrastructure is located. To me it
> looks like they're starting to rebuild their botnets.
> 
> What's clear is that they will learn from this. They had a weakness - a
> single point of failure and they will now build in redundancy so taking
> out one host in future will unlikely result in the precipitous drop in
> productivity again that we've seen this time around. Look at why Storm
> was so successful for so long.
> 
> 

in fact bots were used to make a ddos attack, now they are back
on their normal spam jobs, this weekend had the lowest spam amount in
years
look here
sorry no english
http://www.heise.de/newsticker/Spam-faellt-auf-Jahrestief--/meldung/119321

but the image will show what happened

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Is spam volume really down

2008-11-24 Thread Ned Slider

fchan wrote:
> "They're back..."   the quote from Carol Anne Freeling from the movie
> Poltergeist II.
> I don't know about you but I've seen these spikes in spam today which is
> in line with what spamcop.net sees:
>
> http://www.spamcop.net/spamgraph.shtml?spamstats
> http://www.spamcop.net/spamgraph.shtml?spamweek
> http://www.spamcop.net/spamgraph.shtml?spammonth
>
> I knew that shutting them down on one colo site will only prevent them
> from sending spam for a short time. Now they appear to have found a new
> location somewhere... in hell.
>
>> I noticed the size of my black list dropped by more than 1/3 this last
>> week.

I've not seen any real uptick in spam volume today per se. What I have 
seen is a rise in virus attachments today - spambot viruses, probably 
the latest edition set for the new C&C infrastructure wherever they've
moved that to. I've not analysed any samples so I'm not sure which 
spambot it is or where the new C&C infrastructure is located. To me it 
looks like they're starting to rebuild their botnets.


What's clear is that they will learn from this. They had a weakness - a 
single point of failure and they will now build in redundancy so taking 
out one host in future will unlikely result in the precipitous drop in 
productivity again that we've seen this time around. Look at why Storm 
was so successful for so long.





Re: Is spam volume really down

2008-11-24 Thread fchan
"They're back..."   the quote from Carol Anne Freeling from the movie
Poltergeist II.
I don't know about you but I've seen these spikes in spam today which is
in line with what spamcop.net sees:

http://www.spamcop.net/spamgraph.shtml?spamstats
http://www.spamcop.net/spamgraph.shtml?spamweek
http://www.spamcop.net/spamgraph.shtml?spammonth

I knew that shutting them down on one colo site will only prevent 
them from sending spam for a short time. Now they appear to have 
found a new location somewhere... in hell.



> I noticed the size of my black list dropped by more than 1/3 this last week.




Re: Single URI spam not checked against URIBLs

2008-11-24 Thread Bill Landry
Bill Landry wrote:
> mouss wrote:
>> Bill Landry wrote:
>>> I've posted a short pharma spam message to:
>>>
>>> http://www.inetmsg.com/spam.txt
>>>
>>> and debug output to:
>>>
>>> http://www.inetmsg.com/sa-debug.txt
>>>
>>> It displays a single URI linked line in an e-mail client that only
>>> displays: "Please visit our shop."  There seems to be something about
>>> the URI in the message that allows it to bypass all URIBL testing by
>>> SpamAssassin.
>>>
>>> The domain is listed in the following URIBLs:
>>>
>>> URIBL_JP_SURBL
>>> URIBL_OB_SURBL
>>>
>>> dig canadiansitetable.com.multi.surbl.org +short
>>> 127.0.0.80
>>>
>>> and URIBL_BLACK
>>>
>>> dig canadiansitetable.com.multi.uribl.com +short
>>> 127.0.0.2
>>>
>>> Yet there were no URIBL hits.  The message scored high and was tagged as
>>> spam, but I'm just curious as to what it is about this message that
>>> allowed it to bypass all SA URIBL tests?
>>>
>>> I'm running spamassassin -V
>>> SpamAssassin version 3.2.5
>>> running on Perl version 5.8.8
>>>
>>> And in case you're wondering, I'm not using the shortcircuit plugin.
>>>
>> looks like a bug. it looks like in
>> ' http://uri'
>> the uri isn't detected (aka quoted-string).
>>
>> In the message, the URI is inside quoted (the one in "You'll" and the
>> one in "don't"). if you remove one of the quotes or if you break the
>> line so that they aren't in the same line, the URI is detected.
> 
> Thanks, I've opened up a bug report: Bug 6017.
> 
> Bill

This issue has been resolved.  Thanks to Justin Mason and Gisle Aas
(HTML::Parser guy) for finding the fix.  The resolution is to update
HTML::Parser to the latest version and then restart SA.

Regards,

Bill
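
The two `dig` answers quoted in the report above, decoded into the rule names that would be expected to fire and compared with what a scan reported. This is an added example, not part of the original posts or of SpamAssassin; the function names and the `tests=` list are constructed for illustration, and the bit values are those of the SpamAssassin 3.2 URIBL rule definitions for these two zones.

```sh
#!/bin/sh
# Added example: map a "multi" URIBL answer to the rules that should fire.
# Bit values follow the SpamAssassin 3.2 rule definitions for these zones.

# uribl_rules ZONE ANSWER -> rule names whose bit is set in the last octet
uribl_rules() {
    zone=$1 answer=$2
    case $answer in
        127.0.0.*) mask=${answer##*.} ;;
        *) echo "not a listing answer: $answer" >&2; return 2 ;;
    esac
    case $mask in
        ''|*[!0-9]*) echo "bad mask: $mask" >&2; return 2 ;;
    esac
    case $zone in
        multi.surbl.org)
            table="2:URIBL_SC_SURBL 4:URIBL_WS_SURBL 8:URIBL_PH_SURBL
                   16:URIBL_OB_SURBL 32:URIBL_AB_SURBL 64:URIBL_JP_SURBL" ;;
        multi.uribl.com)
            table="2:URIBL_BLACK 4:URIBL_GREY 8:URIBL_RED" ;;
        *) echo "unknown zone: $zone" >&2; return 2 ;;
    esac
    hits=
    for entry in $table; do
        bit=${entry%%:*} rule=${entry#*:}
        if [ $(( mask & bit )) -ne 0 ]; then
            hits="${hits:+$hits }$rule"
        fi
    done
    echo "$hits"
}

# missing_rules "EXPECTED RULES" "TESTS,LIST" -> expected rules the scan lacks
missing_rules() {
    missing=
    for rule in $1; do
        case ",$2," in
            *",$rule,"*) ;;
            *) missing="${missing:+$missing }$rule" ;;
        esac
    done
    echo "$missing"
}

# Constructed tests= list standing in for a scan with no URIBL hits
sa_tests="BAYES_99,HTML_MESSAGE,MIME_HTML_ONLY"
expected="$(uribl_rules multi.surbl.org 127.0.0.80) $(uribl_rules multi.uribl.com 127.0.0.2)"
echo "expected: $expected"
echo "missing:  $(missing_rules "$expected" "$sa_tests")"
```

A non-empty "missing" line means the DNS lists carry the domain but the scan did not report the matching rules, which is the symptom described in this thread.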


Re: exempt a few ids from spam check

2008-11-24 Thread McDonald, Dan
On Mon, 2008-11-24 at 17:37 +0530, Vikram Goyal wrote:
> Hello,
> 
> I want to exempt a few ids from spam check. How may I do it?

Depends on your MTA and how you have integrated SpamAssassin.
For example, using amavisd-new, I can just add the users to
@spam-lovers-map, or if I just want to remove the blatant spam, add them
to @more-spam-to-map

Other, more native SpamAssassin techniques would involve the use of
whitelist_to, perhaps with a shortcircuit rule.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





exempt a few ids from spam check

2008-11-24 Thread Vikram Goyal
Hello,

I want to exempt a few ids from spam check. How may I do it?


Thanks!


Re: bayes_journal mysteriously disappears - nevermind, foundit

2008-11-24 Thread Matt Kettler
David C. McCall wrote:
> DOH!   I didn't include --sync in periodic sa-learn runs
>
>
> slaps his forehead and returns into cave.
>
>
> :-(
>   

You shouldn't need --sync, unless you want to force the journal to be
synced and deleted when you run sa-learn. In general it will decide if
it needs to be synced on its own. It's also redundant if you have
--force-expire, as SA always syncs the journal prior to doing expiry.


In general, the journal disappearing is normal. It's just a "holding
tank" for atime updates (and tokens if you have learn to journal
enabled). It periodically gets dumped into the main database and deleted
during the expiry checks.

So, don't be concerned about it disappearing, that just means it's been
synced and hasn't been recreated by mail scanning.



Re: Location of Spam folder

2008-11-24 Thread Arvid Ephraim Picciani
On Saturday 22 November 2008 13:12:12 mlun wrote:
> Thanks Martin, but I am a bit confused now. This text is taken directly
> from Spamassassins setup in cpanel:
>
> "Spam Box
>
> This feature allows emails 

you missed two significant points here.
First of all spamassassin doesn't have any gui, so we can't help you with
whatever you have there. spamassassin is a server and a client which you see on
the commandline by typing spam.   THAT is spamassassin.
The second thing is that spamassassin works by passing messages to it in stdin
and it will output the message to stdout, modified to show if it is spam or
not.  you can try that by for example typing "spamc" in the commandline,
then writing a mail with rfc headers and pressing ctrl+d.
spamassassin has no knowledge of any kind of mailboxes.  In most setups it
receives a mail via pipe from your MRA (mail receive agent) such as postfix,
exim, qmail, etc.  only your mra knows what to do with those mails after
spamassassin has flagged it as spam.
hence, this is unfortunately the wrong list for your question.

-- 
best regards
Arvid Ephraim Picciani
Lead Software Engineer
Asgaard Technologies



Re: hostkarma junkemailfilter

2008-11-24 Thread Jan P. Kessler

mouss wrote:
> Micah Anderson wrote:
>> "Benny Pedersen" <[EMAIL PROTECTED]> writes:
>>
>>> On Tue, November 18, 2008 22:16, Henrik K wrote:
>>>
>>> postfwd and trusted_networks msa_networks is what i do use here, then minimal
>>> dns lookups is needed also, facebook have random helo so need to be
>>> whitelisted hard in postfwd and in spamassassin, i have contacted facebook
>>> about it, but the problem might still be there
>>>
>>> i like your postfwd config
>>
>> Where is this postfwd config you refer to? I would like to see this.
>
> he probably meant
> http://hege.li/howto/spam/etc/postfwd/postfwd.conf

"A real-world configuration by Henrik Krohns" on http://postfwd.org.




Re: spamc and extra rules

2008-11-24 Thread Matus UHLAR - fantomas
> Karsten Bräckelmann writes:
> > Exactly as Theo just mentioned. Use allow_user_rules 1 and place the
> > rules in each user's user_prefs file.
> > 
> > Another possibility is to include the rules in your site config with
> > scores set to 0 -- thus disabling them by default. Each user then can
> > enable the rules in their user_prefs by simply assigning a different
> > score. This has the advantage to define rules in a central place only,
> > not expose the system to potential security issues, and even supports
> > plugins (which the first option does not).

On 24.11.08 10:19, Justin Mason wrote:
> It's also a good deal faster -- user rules need to be recompiled each
> time a mail is scanned :(

actually, there could be an optimization for them, but there isn't any I'd
say...
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]


Re: spamc and extra rules

2008-11-24 Thread Justin Mason

Karsten Bräckelmann writes:
> > > No, spamc has no impact on rules.  You could look at putting the rules in
> > > the user's user_prefs file, but you'd have to then also set
> > > "allow_user_rules 1" in local.cf to allow user preferences to include
> > > rules.  Be sure to think about the security aspects to this before doing
> > > so.  If you're the only user, I'd recommend just using local.cf, of
> > > course. :)
> > >   
> > I am the only user with any kind of access to the system so there
> > shouldn't be a security issue. The users I refer to are in reality
> > just mailboxes so I should have said that I want a particular mailbox
> > to have some extra rules. Given I'm calling spamc from a .procmail
> > file within each user's directory how can I add rules to just one of
> > them?
> 
> Exactly as Theo just mentioned. Use allow_user_rules 1 and place the
> rules in each user's user_prefs file.
> 
> Another possibility is to include the rules in your site config with
> scores set to 0 -- thus disabling them by default. Each user then can
> enable the rules in their user_prefs by simply assigning a different
> score. This has the advantage to define rules in a central place only,
> not expose the system to potential security issues, and even supports
> plugins (which the first option does not).

It's also a good deal faster -- user rules need to be recompiled each
time a mail is scanned :(

--j.


Re: updates

2008-11-24 Thread Matus UHLAR - fantomas
On 23.11.08 15:46, bernier wrote:
> i have a debian server with spamassassin 3.03. i guess this has never
> been updated

upgrade the server, 3.0.3 was default afaik in sarge, which is obsolete and
unsupported. If not possible, there was newer version in volatile and even
newer in volatile-sloppy, seems it's still there.

> do i just use the cmd
> 
> sa-update && service spamassassin restart

sa-update is supported since SA 3.1. I don't have "service" on my debian
system and use "/etc/init.d/spamassassin reload" instead.

> how often should i update after it is updated?

whenever an update comes out. Some people try it daily.

> can it be scheduled to be automatic?

yes.

> will i lose any configuration on the system?

no.

> are the updates primarily for improving what and how SA detects spam?

yes.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".