X-Spam-Report
Hello,

Is there a directive to change the way X-Spam-Report formats in the header of mail? Currently I get a single X-Spam-Report line wrapped;

X-Spam-Report: * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser * 1.3 MISSING_SUBJECT Missing Subject: header

But I have seen other mail (and would like to get) line breaking

X-Spam-Report:
* -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
* 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser
* 1.3 MISSING_SUBJECT Missing Subject: header

Is this easy to do someplace?

Jet
Re: Parallelizing Spam Assassin
It's an American thing. Things that are normal speech for UK blokes, get Americans all disturbed. Funny, used to be the other way around...but well...times change. Justin Mason wrote: On Fri, Jul 31, 2009 at 09:32, rich...@buzzhost.co.ukrich...@buzzhost.co.uk wrote: Imagine what Barracuda Networks could do with that if they did not fill their gay little boxes with hardware rubbish from the floors of MSI and supermicro. Jesus, try and process that many messages with a $30,000 Barracuda and watch support bitch 'You are fully scanning to much mail and making our rubbish hardware wet the bed.' LOL. Richard -- please watch your language. This is a public mailing list, and offensive language here is inappropriate.
Re: Parallelizing Spam Assassin
* Linda Walsh sa-u...@tlinx.org: It's an American thing. Things that are normal speech for UK blokes, get Americans all disturbed. Sloppy language is sloppy language everywhere! I took offense in the message, too and I am neither American nor am I from the UK. But what annoys me the most is that the comments were simply off-topic. I can go and meet some friends and I can happily spend the whole night cracking one joke after another - pc or not pc. There's a place of everything. This is the place for SpamAssassin. I wish we could get back to what this thread was all about: Parallelizing SpamAssassin. p...@rick Funny, used to be the other way around...but well...times change. Justin Mason wrote: On Fri, Jul 31, 2009 at 09:32, rich...@buzzhost.co.ukrich...@buzzhost.co.uk wrote: Imagine what Barracuda Networks could do with that if they did not fill their gay little boxes with hardware rubbish from the floors of MSI and supermicro. Jesus, try and process that many messages with a $30,000 Barracuda and watch support bitch 'You are fully scanning to much mail and making our rubbish hardware wet the bed.' LOL. Richard -- please watch your language. This is a public mailing list, and offensive language here is inappropriate. -- state of mind Digitale Kommunikation http://www.state-of-mind.de Franziskanerstraße 15 Telefon +49 89 3090 4664 81669 München Telefax +49 89 3090 4666 Amtsgericht MünchenPartnerschaftsregister PR 563
Re: Parallelizing Spam Assassin
May I point out, that while you may find the language crude -- it isn't language that would violate FTC standards in that in used any of the 7 or so 'unmentionable words'... People -- these standards of 'crude language' really need to be strongly held 'in check' -- the US is 'supposed' to be the society of 'free speech' unless it is obscene or threatening. I don't think his posting was either (BTW, I've never even 'heard' or seen his name before this post. All I saw was his 'uk' addr -- and I've known a few 'uk' types, and many of them sound very crude to an American ear these days. So in addition to applying strictures in a conservative manner, we must, hopefully, try to be sensitive to different cultural backgrounds. If I was talking with a black teen from downtown SF/Oakland, I'd have to translate from Eubonics -- which can sound rather crude and might contain and F-word every other sentence. I just apply my linguistic filter and attempt to get the meaning. I hardly thing this list is aimed at an young audience -- and kid 13+ is going to have heard quite an ear-full of 'colorful explicatives' from ST4:Voyage home (a family movie), to everyday peer talk. Yes -- it sounded crude...more than I, normally hear in America -- but not more than I'd hear in London. Just my 2-cents on cultural sensitivity, and the ability to be amused at cultural differences (rather than choosing to be offended by them). p.s. - Most Commercial vendor products are Bantha Poodoo -- especially for Virus/Security and Spam protection, but NOT all. Usually the highest advertised profile are the worst -- they put more budget into advertising than engineering. Yeah, I still thing SA is a bit slow, but I put much of that up to it being written in an interpretive language and it's wide flexibility and extensibility with plug-ins. Whatcha gonna do? Maybe we should rewrite it in Forth? *grin*...
Re: Parallelizing Spam Assassin
Well -- it's not just the cores -- what was the usage of the cores that were being used? were 3 out the 8 'pegged'? Are these 'real' cores, or HT cores? In the Core2 and P4 archs, HT's actually slowed down a good many workloads unless they were tightly constructed to work on the same data in cache. Else, those HT's did just enough extra work to block cache contents more than anything else. What's the disk I/O look like? I mean don't just focus on idle cores -- if the wait is on disk, maybe the cores can't get the data fast enough. If the network is involved, well, that's a drag on any message checking. I'm seeing times of .3msgs/sec, but I think that's with networking turned on. Pretty Ugly. poifgh wrote: Henrik K wrote: Yeah, given that my 4x3Ghz box masscheck peaks at 22 msgs/sec, without Net/AWL/Bayes. But that's the 3.3 SVN ruleset.. wonder what version was used and any nondefault rules/settings? Certainly sounds strange that 1 core could top out the same. Anyone else have figures? Maybe I've borked something myself.. The problem is not with 22 being a low number, but when we have other free cores to run different SA parallely why doesnt the throughput scale linearly .. I expect for 8 cores with 8 SA running simultaneously the number to be 150+ msgs/sec but it is 1/3rd at 50 msgs/sec
Re: Parallelizing Spam Assassin
On Fri, 2009-07-31 at 23:40 -0700, Linda Walsh wrote: It's an American thing. Things that are normal speech for UK blokes, get Americans all disturbed. I'm sure that is mostly it, Linda. They don't seem to 'get' it. Two things I observe in this whole 'barracuda-gate' posting; 1. Being 'offended' is not terminal, it does not kill, disable or have any side effects. Can you image going to a doctor and saying You've got to treat me Doctor, I got offended, my feelings are hurt. 2. Cultural differences exist. If I am expected to respect the 'diversity' that has people jumping up and down about the use of 'gay' because *they* have a different meaning for it, it is not unreasonable to expect *them* to respect my diversity in using it in it's original context. I'm tired of being told not to offend or upset people who don't show my views and beliefs equal respect. Anyway, it's all OT and pointless in any context of processing spam - the point I made was factual love it or hate it. That was poor hardware spec used in a well known retail anti-spam appliance = 6-8 MPS 'fully scanned'.
Re: Parallelizing Spam Assassin
On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote:
> Well -- it's not just the cores -- what was the usage of the cores that were being used? were 3 out the 8 'pegged'? Are these 'real' cores, or HT cores? In the Core2 and P4 archs, HT's actually slowed down a good many workloads unless they were tightly constructed to work on the same data in cache. Else, those HT's did just enough extra work to block cache contents more than anything else.

I really doubt there's HT involved in a recent looking 8 core 16GB machine..

> What's the disk I/O look like? I mean don't just focus on idle cores -- if the wait is on disk, maybe the cores can't get the data fast enough.

As we already guessed, AWL (BerkeleyDB) caused disk I/O and slowness. For heavy loads you need to use SQL (or maybe the better BDB plugin in 3.3 if we get it working).

> If the network is involved, well, that's a drag on any message checking. I'm seeing times of .3msgs/sec, but I think that's with networking turned on. Pretty Ugly.

It affects single messages, but not total throughput. With network checks you just dedicate a lot more children. Waiting for network responses takes no CPU time, thus you can process more messages simultaneously.
Re: Parallelizing Spam Assassin
Henrik K wrote: On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote: Well -- it's not just the cores -- what was the usage of the cores that were being used? were 3 out the 8 'pegged'? Are these 'real' cores, or HT cores? In the Core2 and P4 archs, HT's actually slowed down a good many workloads unless they were tightly constructed to work on the same data in cache. Else, those HT's did just enough extra work to block cache contents more than anything else. I really doubt there's HT involved in a recent looking 8 core 16GB machine.. Why not? I have a couple of brandnew Intel Core i7 (Nehalem) systems with 8Gb RAM - they have 1 physical CPU with 4 cores and HT = 8 cores. And they've got room for more RAM :-) /Per Jessen, Zürich
Re: X-Spam-Report
On 01.08.09 07:01, router backup wrote: Is there a directive to change the way X-Spam-Report formats in the header of mail? Currently I get a single X-Spam-Report line wrapped; X-Spam-Report: * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser * 1.3 MISSING_SUBJECT Missing Subject: header But I have seen other mail (and would like to get) line breaking X-Spam-Report: * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser * 1.3 MISSING_SUBJECT Missing Subject: header Is this easy to do someplace? https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104 -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Chernobyl was an Windows 95 beta test site.
Re: Parallelizing Spam Assassin
On Sat, Aug 1, 2009 at 10:04, Henrik Kh...@hege.li wrote: On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote: Well -- it's not just the cores -- what was the usage of the cores that were being used? were 3 out the 8 'pegged'? Are these 'real' cores, or HT cores? In the Core2 and P4 archs, HT's actually slowed down a good many workloads unless they were tightly constructed to work on the same data in cache. Else, those HT's did just enough extra work to block cache contents more than anything else. I really doubt there's HT involved in a recent looking 8 core 16GB machine.. What's the disk I/O look like? I mean don't just focus on idle cores -- if the wait is on disk, maybe the cores can't get the data fast enough. As we already guessed, AWL (BerkeleyDB) caused disk I/O and slowness. For heavy loads you need to use SQL (or maybe the better BDB plugin in 3.3 if we get it working). If the network is involved, well, that's a drag on any message checking. I'm seeing times of .3msgs/sec, but I think that's with networking turned on. Pretty Ugly. It affects single messages, but not total throughput. With network checks you just dedicate a lot more childs. Waiting for network responses takes no CPU time, thus you can process more messages simultaneously. although you will also need to allocate more memory, as well, to ensure that no swapping takes place. -- --j.
Re: Parallelizing Spam Assassin
On Sat, Aug 01, 2009 at 11:46:57AM +0200, Per Jessen wrote: Henrik K wrote: On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote: Well -- it's not just the cores -- what was the usage of the cores that were being used? were 3 out the 8 'pegged'? Are these 'real' cores, or HT cores? In the Core2 and P4 archs, HT's actually slowed down a good many workloads unless they were tightly constructed to work on the same data in cache. Else, those HT's did just enough extra work to block cache contents more than anything else. I really doubt there's HT involved in a recent looking 8 core 16GB machine.. Why not? I have a couple of brandnew Intel Core i7 (Nehalem) systems with 8Gb RAM - they have 1 physical CPU with 4 cores and HT = 8 cores. And they've got room for more RAM :-) Ah a comeback.. I guess it's atleast better than the P4 stuff? That reminds me, gotta test how SA runs on a Sun T5240 with 16 core 128 cores..
Re: Parallelizing Spam Assassin
Henrik K wrote: On Sat, Aug 01, 2009 at 11:46:57AM +0200, Per Jessen wrote: Henrik K wrote: On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote: Well -- it's not just the cores -- what was the usage of the cores that were being used? were 3 out the 8 'pegged'? Are these 'real' cores, or HT cores? In the Core2 and P4 archs, HT's actually slowed down a good many workloads unless they were tightly constructed to work on the same data in cache. Else, those HT's did just enough extra work to block cache contents more than anything else. I really doubt there's HT involved in a recent looking 8 core 16GB machine.. Why not? I have a couple of brandnew Intel Core i7 (Nehalem) systems with 8Gb RAM - they have 1 physical CPU with 4 cores and HT = 8 cores. And they've got room for more RAM :-) Ah a comeback.. I guess it's atleast better than the P4 stuff? Not sure about that - AFAICT, it's exactly the same technology. (I haven't done in exhaustive tests though). /Per Jessen, Zürich
Re: X-Spam-Report
2009/8/1 Matus UHLAR - fantomas uh...@fantomas.sk: On 01.08.09 07:01, router backup wrote: Is there a directive to change the way X-Spam-Report formats in the header of mail? Currently I get a single X-Spam-Report line wrapped; X-Spam-Report: * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser * 1.3 MISSING_SUBJECT Missing Subject: header But I have seen other mail (and would like to get) line breaking X-Spam-Report: * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser * 1.3 MISSING_SUBJECT Missing Subject: header Is this easy to do someplace? https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104 -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Chernobyl was an Windows 95 beta test site. Thank you. Mine does not even wrap at 80 characters, it appears as you see it, so I am not sure it is the bug? Do you know if there is a way to make even non spam show the report so I can make observations?
Re: X-Spam-Report
On 01.08.09 07:01, router backup wrote:
> Is there a directive to change the way X-Spam-Report formats in the header of mail? Currently I get a single X-Spam-Report line wrapped;
>
> X-Spam-Report: * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser * 1.3 MISSING_SUBJECT Missing Subject: header
>
> But I have seen other mail (and would like to get) line breaking
>
> X-Spam-Report:
> * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
> * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser
> * 1.3 MISSING_SUBJECT Missing Subject: header
>
> Is this easy to do someplace?

2009/8/1 Matus UHLAR - fantomas uh...@fantomas.sk:
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104

On 01.08.09 11:51, router backup wrote:
> Thank you. Mine does not even wrap at 80 characters, it appears as you see it, so I am not sure it is the bug? Do you know if there is a way to make even non spam show the report so I can make observations?

it's possible that someone else re-wraps the line. Some mail delivery agents, filters, or your MUA. How is your mail delivered to the SA/mailbox?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.
Reply to:
So what makes a spammer want to use a valid email address as a return or reply-to address to catch all the undeliverable, failure and bounced email that occurs when sending UBE spam?

Is there some legitimacy with spam detection on an email that contains a valid reply-to email address?

To me, spam is one thing, but loading a mailbox with literally several thousands of bounced emails is abusive. I'm lucky as I have the option to click one button and remove them all on the server, but for a user to have to delete individually or as a group after downloading them all is just wrong.

Any ideas on preventing or minimizing this type of spam?

Thanks.

Wes
blacklisting a forger
I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain Real-World-Systems.com as the from: and the return-path: .

Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in

I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but no response.

How does an MTA get blacklisted??
Re: X-Spam-Report
> Is there a directive to change the way X-Spam-Report formats in the header of mail? Currently I get a single X-Spam-Report line wrapped;
>
> X-Spam-Report: * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser * 1.3 MISSING_SUBJECT Missing Subject: header

I bet that's your MUA re-flowing multi-line headers. Have a look at the *raw* message -- if need be leaving out your MUA entirely, peeking at the raw, underlying mail store.

> But I have seen other mail (and would like to get) line breaking
>
> X-Spam-Report:
> * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
> * 2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser
> * 1.3 MISSING_SUBJECT Missing Subject: header
>
> Is this easy to do someplace?

This actually is how SA formats the Report. (Minus leading tabs for the continuation lines. ;)

> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104

This is not the bug. The wrapping shown above is not due to SA.

In a nutshell, this bug is about SA actually correctly line wrapping at 78 chars IIRC. Alas, with a \t being one char, which it is -- not taking into account it would be displayed 8 chars wide.

Matus, when you first posted this to the list, I replied with a detailed code-tracked report of the issue and assumptions, explaining it. Seems I didn't copy that to your bug report. Now where's the thread again?

> Thank you. Mine does not even wrap at 80 characters, it appears as you see it, so I am not sure it is the bug?

It isn't. :)

> Do you know if there is a way to make even non spam show the report so I can make observations?

add_header all Report _REPORT_

As I already posted quite a few times, and apparently keep responding on this list. However, keep in mind that's the *detailed* Report, including individual rules' scores and the verbose description. IMHO the Status header featuring the rules should be sufficient for ham. Optionally even including the rules' scores, if you want that.
-- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
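
An added example, not part of the thread or of SpamAssassin: one way to do the raw-message check suggested in the reply above, reading X-Spam-Report straight from the stored bytes and comparing it with what a re-flowing mail client shows. The sample message and all function names are constructed for illustration; `over_wide` shows the tab-width effect described for bug 6104.

```python
import re

# Constructed sample: raw bytes of a message as it sits in the mail store,
# with X-Spam-Report folded one rule per physical line (tab-led continuations).
RAW_MESSAGE = (
    b"Return-Path: <sender@example.org>\r\n"
    b"X-Spam-Report: \r\n"
    b"\t* -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP\r\n"
    b"\t*  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser\r\n"
    b"\t*  1.3 MISSING_SUBJECT Missing Subject: header\r\n"
    b"From: sender@example.org\r\n"
    b"\r\n"
    b"(body)\r\n"
)

RULE_LINE = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+(\S+)\s+(.*)$")


def raw_header_lines(raw, name):
    """Return the physical lines of header `name` exactly as stored (no unfolding)."""
    wanted = name.lower().encode("ascii") + b":"
    captured = []
    for line in raw.splitlines():
        if not line:                          # blank line ends the header section
            break
        if captured and line[:1] in (b" ", b"\t"):
            captured.append(line)             # continuation line of our header
        elif captured:
            break                             # the next header field starts here
        elif line.lower().startswith(wanted):
            captured.append(line)
    return [l.decode("latin-1") for l in captured]


def unfold_for_display(lines):
    """RFC 5322 unfolding (join the physical lines), then collapse whitespace
    runs, which is a display normalisation a re-flowing client may apply."""
    return re.sub(r"[ \t]+", " ", "".join(lines)).strip()


def display_width(line, tabstop=8):
    """Columns the line occupies when each tab advances to the next tab stop."""
    return len(line.expandtabs(tabstop))


def over_wide(lines, limit=78):
    """Lines that fit `limit` when a tab counts as one character, yet display
    wider than `limit` columns."""
    return [l for l in lines if len(l) <= limit < display_width(l)]


def parse_report(lines):
    """Extract (score, rule, description) tuples from the stored report lines."""
    first = lines[0].split(":", 1)[1] if lines else ""
    rules = []
    for line in [first] + lines[1:]:
        m = RULE_LINE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3).strip()))
    return rules


if __name__ == "__main__":
    stored = raw_header_lines(RAW_MESSAGE, "X-Spam-Report")
    print("physical lines in the mail store:", len(stored))
    print("as shown by a re-flowing client: ", unfold_for_display(stored))
    for score, rule, desc in parse_report(stored):
        print(f"{score:5.1f}  {rule:<16} {desc}")
    for line in stored:
        print(len(line), "chars ->", display_width(line), "columns")
```

If the stored copy has one rule per physical line but the client shows a single run-on line, the folding was lost at display time, not by SpamAssassin.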
Spam Humor
Awesome, just received a German spam, obviously *trying* to advertise a porn site. The way they blew up really made me laugh -- loud. :) Im World Wide Web unter www.example.com kannst du dir alles ansehen, dabei deinen Schw[...] Yes, they really did use *that* URI. Identified spam, all I'm missing are URI DNSBL hits. guenther -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: blacklisting a forger
> I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain Real-World-Systems.com as the from: and the return-path: .
>
> Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
>
> I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but no response.
>
> How does an MTA get blacklisted??

You'll probably never get a response, and even if you do, nothing will happen.

The easiest thing to do is configure your mail server to use an RBL, which would have stopped this before you received it.

http://www.mxtoolbox.com/blacklists.aspx

Terry
Re: Parallelizing Spam Assassin
On Fri, 2009-07-31 at 23:56 -0700, Linda Walsh wrote: May I point out, that while you may find the language crude -- it isn't language that would violate FTC standards in that in used any of the 7 or so 'unmentionable words'... It's not about words on their own -- it's about how they are being used, and their meaning in context. BTW, I've never even 'heard' or seen his name before this post. Must have been a warm and cozy place, the rock you've been hiding under. ;) You missed a 3 digit figure of posts and uncalled-for off-topic rants within a few weeks. If I was talking with [...] I just apply my linguistic filter and attempt to get the meaning. Sic. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Any one interested in using a proper forum?
On Tue, 28 Jul 2009, Curtis LaMasters wrote: ...I can't tell you how frustrating it is to have to click on each email in a thread to read its content. This caught my eye, and I wonder if there may be a correlation to user preference. I avoid using the mouse wherever possible, preferring keyboard-typed commands in CLI apps and keyboard shortcuts in GUI apps. I spend most of my online time using text-based news and mail clients, as I'm interested in word content and have optimized use of the keyboard for my particular clients. I can understand how clicking on every message would be tiresome. Maybe those who prefer a forum type of interface tend to prefer use of the mouse? Of the two who have seemed positive toward a forum, Curtis has implied preference for a mouse (e.g., even in MS Outlook I use strictly keyboard commands to read e-mail). I wonder if Peter might also prefer mouse use. -- Theodore (Ted) Heise t...@heise.nu Bloomington, IN, USA
Re: blacklisting a forger
On Sat, 1 Aug 2009 10:02:54 -0400 Terry Carmen te...@cnysupport.com wrote:
> > I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain Real-World-Systems.com as the from: and the return-path: .
> >
> > Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
> >
> > I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but no response.
> >
> > How does an MTA get blacklisted??
>
> You'll probably never get a response, and even if you do, nothing will happen. The easiest thing to do is configure your mail server to use an RBL, which would have stopped this before you received it.

No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost certainly an infected PC, and the backscatter is coming from third-party servers.
Re: blacklisting a forger
> On Sat, 1 Aug 2009 10:02:54 -0400 Terry Carmen te...@cnysupport.com wrote:
> > > I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain Real-World-Systems.com as the from: and the return-path: .
> > >
> > > Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
> > >
> > > I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but no response.
> > >
> > > How does an MTA get blacklisted??
> >
> > You'll probably never get a response, and even if you do, nothing will happen. The easiest thing to do is configure your mail server to use an RBL, which would have stopped this before you received it.
>
> No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost certainly an infected PC, and the backscatter is coming from third-party servers.

The IP address is listed on almost two dozen RBLs.

Terry
Re: blacklisting a forger
On Sat, August 1, 2009 14:19, Dennis German wrote:
> I have received many emails in the last hour which were undeliverable, NOT sent by me.

backscattering, block this ip, and send a mail to the postmaster, whois ip might say what email their system accept non existing users, or some other bad lda that bounce when mta have accepted it

> It seems someone is forging usernames in my domain Real-World-Systems.com as the from: and the return-path: .

http://old.openspf.org/wizard.html?mydomain=Real-World-Systems.comsubmit=Go!

change all to -all (softfail vs fail) also see the later part for how to add zones to bind/djbdns

> Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
>
> I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but no response.

block the client ip then check that the ip is not in dnswl or dnsbl lists already

> How does an MTA get blacklisted??

start accepting emails and setup sieve to reject (dovecot sieve have this bug) temporary i have disabled reject in my sieve to not do this

-- 
xpoint
Re: blacklisting a forger
On Sat, 1 Aug 2009 11:04:35 -0400 Terry Carmen te...@cnysupport.com wrote:
> > On Sat, 1 Aug 2009 10:02:54 -0400 Terry Carmen te...@cnysupport.com wrote:
> > > > I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain Real-World-Systems.com as the from: and the return-path: .
> > > >
> > > > Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
> > > >
> > > > I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but no response.
> > > >
> > > > How does an MTA get blacklisted??
> > >
> > > You'll probably never get a response, and even if you do, nothing will happen. The easiest thing to do is configure your mail server to use an RBL, which would have stopped this before you received it.
> >
> > No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost certainly an infected PC, and the backscatter is coming from third-party servers.
>
> The IP address is listed on almost two dozen RBLs.

sure, but the original poster wrote:

> > > > I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain

In other words he is receiving backscatter. And Received-From-MTA is a standard DSN field set by the MTA generating the DSN.
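
An added example, not part of the thread: reading the DSN fields discussed above out of a bounce and using Received-From-MTA to tell backscatter from a bounce of mail that really left your own server. The sample bounce, its hostnames, `OUR_OUTBOUND` and the function names are constructed assumptions, and the verdict is a heuristic (mail relayed through a forwarder will also show a foreign Received-From-MTA).

```python
from email import message_from_bytes

# Assumption: the hosts that really send mail for our domain (hypothetical name).
OUR_OUTBOUND = {"mail.example.com"}

# Constructed sample: a bounce generated by a third-party server for a message
# that carried our domain as a forged sender.
SAMPLE_DSN = b"""\
From: MAILER-DAEMON@mx.thirdparty.example
To: someuser@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="BOUND"

--BOUND
Content-Type: text/plain

The message could not be delivered.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.thirdparty.example
Received-From-MTA: dns; host-203-0-113-7.dialup.example
Arrival-Date: Sat, 1 Aug 2009 12:00:00 +0000

Final-Recipient: rfc822; nobody@thirdparty.example
Action: failed
Status: 5.1.1

--BOUND
Content-Type: text/rfc822-headers

From: someuser@example.com
Subject: constructed sample

--BOUND--
"""


def typed_value(value):
    """'dns; host.example' -> 'host.example' (drops the RFC 3464 type prefix)."""
    if value is None:
        return None
    return value.split(";", 1)[-1].strip().lower()


def delivery_status(msg):
    """Return (per_message_fields, [per_recipient_fields]) or None if not a DSN."""
    if msg.get_content_type() != "multipart/report":
        return None
    if str(msg.get_param("report-type", "")).lower() != "delivery-status":
        return None
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            payload = part.get_payload()
            if not isinstance(payload, list):
                return None               # malformed: no header blocks parsed
            # The email parser exposes each header block as a nested Message.
            blocks = [b for b in payload if len(b.keys())]
            return (blocks[0], blocks[1:]) if blocks else None
    return None


def classify_bounce(raw, our_outbound=OUR_OUTBOUND):
    """Summarise a bounce and say whether the bounced mail came from our servers."""
    status = delivery_status(message_from_bytes(raw))
    if status is None:
        return {"verdict": "not-a-dsn"}
    per_message, per_recipient = status
    received_from = typed_value(per_message.get("Received-From-MTA"))
    if received_from is None:
        verdict = "unknown"               # field is optional in a DSN
    elif received_from in our_outbound:
        verdict = "genuine-bounce"        # the reporting MTA got it from us
    else:
        verdict = "backscatter"           # someone else handed it over in our name
    return {
        "verdict": verdict,
        "reporting_mta": typed_value(per_message.get("Reporting-MTA")),
        "received_from_mta": received_from,
        "recipients": [
            {"recipient": typed_value(r.get("Final-Recipient")),
             "action": (r.get("Action") or "").strip().lower(),
             "status": (r.get("Status") or "").strip()}
            for r in per_recipient
        ],
    }


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_DSN))
```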
Re: OT: Nehelam's New HT ability....
Per Jessen wrote: Not sure about that - AFAICT, it's exactly the same technology. (I haven't done in exhaustive tests though). Supposedly 'Very' different (I hope)... 1) You can't turn it off in the BIOS 2) claim of benefit from increased cache (FALSE), (have older 2x2 Dual Core machine with 4MBxL2 Cache/Dual core. If you only use 1 Core/CPU, that 4MB L2 cache/Core) New machine with 1 Quad core (Dual core CPU's are too slow to use memory faster than 800MHz -- only Quad cores go up to Quick Connect Speeds that will support fastest memory of 1333MHz (even if you only have 1 CPU). So you are 'encouraged' to go with Quad over 2x2Dual. Quad has 8MB L3 Cache, w/256K dedicated L2/Core. So with HT 128K/thread. To get 2 Cores, they'll get 256K-L2 ea, + 8MB L3 shared. So about 3.125%more memory! WOW ea!...(though the bandwidth for the fast core processors to main memory can be 2x faster). 3) Here's possible benefit: they've added more parallel resources to each core -- so each thread can possibly get more done than the old threads -- but this is only a maybe depending on workload. The biggest cool thing about Nehelam is power savings -- they implemented Celeron's power-step tech in a big way. Quiescent cores crank down their clocks independently to about 60% of top speed and have efficient sleep states (I think some cores can be halted, but not sure). Some of their processors have a 'turbo mode', which will some small amount faster speed than the speed on the chip label (does that mean the turbo chips are really faster rated chips...you tell me), BUT if fewer cores are used -- say only 2/4, the turbo boost can be a small amount greater (don't have access (don't know if any is published). If one was to go from their marketing graphs (HAHAHAHAHA), Turbo for 4 cores is about 10 more, and if only 2/4 cores are running, it's an additional 10%. So marketing hype/reality, might mean 1-3% faster? 
I will say this much -- @ idle, w/8 disks (it's a server, so built-in GPU with 8MB shared memory, if you aren't going headless) -- with dual/redundant PS, it uses 157W. (1-PS, slightly more efficient at 146W). Major power savings with possible big increases in speed. But you can't turn off HT as in previous machines (at least not in the one I've had access to). That power consumption is less than half their older Workstation model (though an idle graphics card still sucks quite a bit of useless ergs (stupid Nvidia).. Oblig SA content: When I ran 100 msgs through my filters (that connect to spamd, but that uses net), the MHz immediately jumped from ~1596 up to 2300 on each of the '8' HT cores...so might be perfect for a server that gets sporadic loads! ;-) -linda
Re: Parallelizing Spam Assassin
Um, Linda.. I'm pretty positive Justin is Irish, not American. Linda Walsh wrote: It's an American thing. Things that are normal speech for UK blokes, get Americans all disturbed. Funny, used to be the other way around...but well...times change. Justin Mason wrote: On Fri, Jul 31, 2009 at 09:32, rich...@buzzhost.co.ukrich...@buzzhost.co.uk wrote: Imagine what Barracuda Networks could do with that if they did not fill their gay little boxes with hardware rubbish from the floors of MSI and supermicro. Jesus, try and process that many messages with a $30,000 Barracuda and watch support bitch 'You are fully scanning to much mail and making our rubbish hardware wet the bed.' LOL. Richard -- please watch your language. This is a public mailing list, and offensive language here is inappropriate.
Re: Reply to:
twofers wrote:
> So what makes a spammer want to use a valid email address as a return or reply-to address to catch all the undeliverable, failure and bounced email that occurs when sending UBE spam.

this is to beat those who use sender verification/sender callout/(whatever you name it).

> Is there some legitimacy with spam detection on an email that contains a valid reply-to email address? To me, spam is one thing, but loading a mailbox with literally several thousands of bounced emails is abusive. I'm lucky as I have the option to click one button and remove them all on the server, but for a user to have to delete individually or as a group after downloading them all is just wrong. Any ideas on preventing or minimizing this type of spam?

you mean the stupid bounces? well, the solution is to have sites fix their broken setup and not return a bounce if the recipient doesn't exist (they should validate recipients at smtp time) nor if the message is detected as undesired (spam, malware, whatever).

until then, the only thing you can do is limit the impact. SA has vbounce.pm. depending on your MTA, you can also block some of the outscatter at smtp time. google for backscatter.
SA-learn (spamassassin)
Hello,

I found out the following information: my SPAMD daemon is running under root. But I have in master.cf (postfix configuration file) the following lines:

# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: man 5 master).
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamfilter:dummy
# ==========================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ==========================================================================
spamfilter unix -       n       n       -       -       pipe
  flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter -f ${sender} -- ${recipient}

Spamfilter is user for spamassassin (spamd) (but for me is strange that spamd is running under root). I configured master.cf according to h-t-t-p://onetforum.com/fourm/viewtopic.php?p=27 (Kalinga's Community Support Forum • View topic - Integrating Spam Assassin with Postfix) (h-t-t-p replace by http). It is recommended by spamassassin original www pages.

In local.cf I have: bayes_path /home/spamfilter/.spamassassin/bayes. And now when I send mail (for example at 21:00 o'clock) which spamassassin mark like autolearn=spam and I show to the /home/spamfilter/.spamassassin/bayes so I can see that files bayes_toks and bayes_seen was modified in 21:00 but their size didn't change? How is it possible - when spamassassin changes the files so they have to increase their size... When I type command sa-learn --dump magic so I can see that in row nspam increase his value +1. This is confirmation that autolearn works (but the database don't increase his size).

My second problem: I get mail with sign autolearn=ham. I take the mail and I use the following command: sa-learn --spam --file mail (at 21:55 o'clock). When type sa-learn --dump magic so I can see that nspam was increased +1, it's OK. But when I look to the /home/spamfilter/.spamassassin I can see that database file was change but their size didn't change. It's normal???

And the last problem: When I get mail with sign autolearn=ham so I tried type sa-learn --spam --file mail. When I got the same mail so spamassassin mark the mail again autolearn=ham. How is it possible when I learn bayes by hand (sa-learn --spam --file mail) that this mail is spam? I have explicit set in local.cf bayes_min_spam_num 1. This means that for bayes is sufficient one mail for learning (according to me). But it doesn't work.

Thanks for advise (I need it necessary). Sorry for my terrible English.
Re: Razor, spamassassin - network test
On Sat, 2009-08-01 at 16:10 -0700, an anonymous Nabble user wrote:
> Hi I need help with antispam. I use spamassassin with razor. And when I test spamassassin --lint -D razor2 then I get the result razor2: test local only, skipping razor. I need to test razor with a connection to the internet. I don't know how to do it. Can you advise me?

Lint checking disables network tests. That's why you see this. What you need to do is to use debugging and feed it a message...

> I found the following on the spamassassin web: How to turn on network tests Edit your spamd start-up script, or start-up options file (depending on which OS you're running, these may be different). There should be a -L or --local switch in that file. Remove it to enable network tests. But I can't find the file with the switch -L. I use CentOS... When I type the following: spamassassin -t -D razor2 /tmp/spam

Like this. Don't use --lint for that type of check. Use debugging only. Apparently, it works if you do that.

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: blacklisting a forger
On Sat, 1 Aug 2009 11:04:35 -0400 Terry Carmen te...@cnysupport.com wrote: On Sat, 1 Aug 2009 10:02:54 -0400 Terry Carmen te...@cnysupport.com wrote: I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain Real-World-Systems.com as the from: and the return-path: . Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but no response. How does an MTA get blacklisted?? You'll probably never get a response, and even if you do, nothing will happen. The easiest thing to do is configure your mail server use an RBL, which would have stopped this before you received it. No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost certainly an infected PC, and the backscatter is coming from third-party servers. The IP address is listed on almost two dozen RBLs. sure, but the original poster wrote: I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain The backscatter would not have been received, since the sender is on a number of RBLs. Terry In other words he is receiving backscatter. And Received-From-MTA is a standard DSN field set by the MTA generating the DSN. -- CNY Support, LLC Web. Database. Business http://www.cnysupport.com
Re: Razor, spamassassin - network test
I tried it without --lint, just spamassassin --lint -D razor2, so the command line freezes (doesn't work). When I use spamassassin -t -D razor2 /tmp/spam I don't get the hash and so on, but content analysis details... bayes classification and so on. I expected messages like:

debug: Razor is available
debug: Razor Agents 1.20, protocol version 2.
debug: Read server list from /home/jgb/.razor.lst
debug: 72636 seconds before closest server discovery
debug: Closest server is 209.204.62.150
debug: Connecting to 209.204.62.150...
debug: Connection established
debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
debug: Server version: 1.11, protocol version 2
debug: Server response: Negative 48e74b8496877ba45072b201b41eebed7038186b
debug: Message 1 NOT found in the catalogue

Can you type the accurate command for using razor? I want to test the mail... Create the hash... send it to the server and get the answer (is it spam or ham).
Re: SA-learn (spamassassin)
On Sat, 2009-08-01 at 16:13 -0700, an anonymous Nabble user wrote:
> And the last problem: When I get a mail marked autolearn=ham, I tried typing sa-learn --spam --file mail. When I got the same mail again, spamassassin marked the mail autolearn=ham again. How is it possible when I learn bayes by hand (sa-learn --spam --file mail) that this mail is spam? I have explicitly set bayes_min_spam_num 1 in local.cf. This means that one mail is sufficient for bayes to learn (according to me). But it doesn't work.

Do NOT do that. Unless you *really* understand the implications. Which you don't. It's a default for a reason. It's a counter-measure against bad learning, to force at least some MINIMAL manual training, before auto-learning kicks in. You just side-stepped that. You should read some docs on Bayes, before messing with its settings.
Re: Razor, spamassassin - network test
Back on-list. I'm not a personal help-line.

On Sat, 2009-08-01 at 16:40 -0700, an anonymous Nabble user wrote privately:
> I tried it without --lint just spamassassin --lint -D razor2 so the
                                                ^^^^
You did not.

> command line freezes (doesn't work).

Or maybe you did, despite your command given. The --lint option creates an internal test message. With real debugging, that means NO --lint option, but usually -D, you need to pipe it a message. Otherwise, it apparently freezes, waiting for input (on STDIN).

> When I use spamassassin -t -D razor2 /tmp/spam I don't get the hash and so on, but content analysis details... bayes classification and so on. I expected messages like:

Despite the quote indentation, I did not write that. Anyway, something like that should do...

> debug: Razor is available
> debug: Razor Agents 1.20, protocol version 2.
> debug: Read server list from /home/jgb/.razor.lst
> debug: 72636 seconds before closest server discovery
> debug: Closest server is 209.204.62.150
> debug: Connecting to 209.204.62.150...
> debug: Connection established
> debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
> debug: Server version: 1.11, protocol version 2
> debug: Server response: Negative 48e74b8496877ba45072b201b41eebed7038186b
> debug: Message 1 NOT found in the catalogue
>
> Can you type the accurate command for using razor? I want to test the mail... Create the hash... send it to the server and get the answer (is it spam or ham).
Re: blacklisting a forger
On Sat, 1 Aug 2009 19:33:40 -0400 Terry Carmen te...@cnysupport.com wrote:
> The backscatter would not have been received, since the sender is on a number of RBLs.

It's the IP address of the botnet PC that's on the RBLs, the backscatter doesn't come from there, it comes from the recipients of the spam. See: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
Re: blacklisting a forger
> On Sat, 1 Aug 2009 19:33:40 -0400 Terry Carmen te...@cnysupport.com wrote:
>> The backscatter would not have been received, since the sender is on a number of RBLs.
> It's the IP address of the botnet PC that's on the RBLs, the backscatter doesn't come from there, it comes from the recipients of the spam. See: http://en.wikipedia.org/wiki/Backscatter_(e-mail)

Regardless of whether or not the message was backscatter, the sending system (triband-mum-59.184.51.13.mtnl.net.in) is blacklisted,

Terry
Re: SA-learn (spamassassin)
On Sun, 02 Aug 2009 01:42:21 +0200 Karsten Bräckelmann guent...@rudersport.de wrote:
> On Sat, 2009-08-01 at 16:13 -0700, an anonymous Nabble user wrote:
>> And the last problem: When I get a mail marked autolearn=ham, I tried typing sa-learn --spam --file mail. When I got the same mail again, spamassassin marked the mail autolearn=ham again. How is it possible

It's not the same spam, it'll have different headers.

>> when I learn bayes by hand (sa-learn --spam --file mail) that this mail is spam? I have explicitly set bayes_min_spam_num 1 in local.cf. This means that one mail is sufficient for bayes to learn (according to me). But it doesn't work.

It's not like pyzor where you set a threshold, it's a statistical filter, you have to feed it hundreds of mails before it produces reliable results, hence the 200 spam minimum.

> Do NOT do that. Unless you *really* understand the implications. Which you don't. It's a default for a reason. It's a counter-measure against bad learning, to force at least some MINIMAL manual training, before auto-learning kicks in. You just side-stepped that.

AFAIK it doesn't affect autolearning at all, bayes_min_spam_num and bayes_min_ham_num control when scoring starts.
Re: blacklisting a forger
On Sat, 1 Aug 2009 20:44:27 -0400 Terry Carmen te...@cnysupport.com wrote:
>> On Sat, 1 Aug 2009 19:33:40 -0400 Terry Carmen te...@cnysupport.com wrote:
>>> The backscatter would not have been received, since the sender is on a number of RBLs.
>> It's the IP address of the botnet PC that's on the RBLs, the backscatter doesn't come from there, it comes from the recipients of the spam. See: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
> Regardless of whether or not the message was backscatter, The sending system (triband-mum-59.184.51.13.mtnl.net.in) is blacklisted,

Of course it's blacklisted, but would you care to explain how rejecting mail from 59.184.51.13 helps, when the backscatter doesn't come from there?
Re: Network Tests / Rule Files Directories
>> I have tried adding the appropriate lines, which I believe should be score DCC_CHECK 5.0 if I want all emails which pass the DCC-Check to get 5 points. Unfortunately this is not working, neither for DCC nor for Razor.
> Yes, that should do it. Evidence that it's not working? Show us some SA headers. In this case, a spam sample that triggered DCC, cause the Report header does show the rule's score.

Here is an example with Razor2, but I guess the underlying problem is the same. http://www.pagan.mynetcologne.de/example-email

I have the following rules in my user_prefs:

score DCC_CHECK 5.0
score RAZOR2_CECK 5.0
score PYZOR_CHECK 5.0

As you can see, the message only gets a score of 2.2. In the beginning I believed that I made some embarrassing mistake with the rules concerning the network checks, but if you say these are okay the problem most likely lies somewhere else.

Btw: I have grepped my mailboxes for hits with DCC, Razor2 and Pyzor and have found that DCC identifies the most spam, Razor about half as much and Pyzor close to nothing. Is its database just that small or is there some configuration option that can be tweaked for better performance?

Bye
Stefan
Re: Network Tests / Rule Files Directories
> score RAZOR2_CECK 5.0

Yes, I have seen my mistake (after sending the email). But the problem with DCC persists and in that case I was even able to spell a simple three-word-rule correctly. I am going to post another example with DCC as soon as possible.

Bye
Stefan
Re: blacklisting a forger
On Sat, 1 Aug 2009 21:34:04 -0400 Terry Carmen te...@cnysupport.com wrote:
>> Of course it's blacklisted, but would you care to explain how rejecting mail from 59.184.51.13 helps, when the backscatter doesn't come from there?
> According to the OP, that's the IP he received the message from.

No, he quoted the following:

Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in

as I already said: Received-From-MTA is a standard DSN field set by the MTA generating the DSN. The DSN could have come from anywhere *except* triband-mum-59.184.51.13.mtnl.net.in
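The distinction argued over in this thread, shown as an added example that is not part of any poster's message: a Python sketch that parses a constructed bounce and separates the client that actually delivered the DSN (the only address an SMTP-time RBL lookup tests) from the Received-From-MTA value inside the report. Only the Received-From-MTA value comes from the thread; every other host and address is a made-up placeholder, and `mta_name` and `dsn_origin` are hypothetical helper names.

```python
import email
import re

# Constructed sample bounce (RFC 3464 DSN), trimmed to the parts that matter.
# Only the Received-From-MTA value is quoted from the thread; the rest is made up.
SAMPLE_DSN = """\
Return-Path: <>
Received: from mx.third-party.example (mx.third-party.example [192.0.2.25])
\tby mail.victim.example with ESMTP; Sat, 1 Aug 2009 10:00:00 -0400
From: MAILER-DAEMON@mx.third-party.example
To: forged-user@victim.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.third-party.example
Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in

Final-Recipient: rfc822; nobody@third-party.example
Action: failed
Status: 5.1.1

--b1--
"""

def mta_name(value):
    """Strip the 'dns;' type prefix from an RFC 3464 MTA-name field."""
    return value.split(";", 1)[-1].strip() if value else None

def dsn_origin(raw):
    """Separate who handed us the bounce from who the DSN says sent the spam."""
    msg = email.message_from_string(raw)
    # The topmost Received header is the one our own MTA added; its bracketed
    # IP is the client that an RBL check at SMTP time would look up.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    fields = {}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status" and part.is_multipart():
            # The parser exposes each header block of the report as a
            # sub-message; the first block carries the per-message fields.
            fields = part.get_payload()[0]
    return {
        "null_sender": msg.get("Return-Path", "").strip() == "<>",
        "connecting_ip": ip.group(1) if ip else None,
        "reporting_mta": mta_name(fields.get("Reporting-MTA")),
        "received_from_mta": mta_name(fields.get("Received-From-MTA")),
    }
```

On the sample, `connecting_ip` and `reporting_mta` both point at the third-party server that generated the bounce, while `received_from_mta` names the host that handed the original spam to that server.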
Re: Reply to:
On 1-Aug-2009, at 06:14, twofers wrote:
> Any ideas on preventing or minimizing this type of spam?

Yep, I reduced the number of emails being processed on my mail server by about 40% by enabling a backscatter RBL.

postfix/main.cf:
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    check_sender_access hash:$config_directory/backscatter
    permit

postfix/backscatter:
<> reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org

--
Rincewind had always been happy to think of himself as a racist. The One Hundred Meters, the Mile, the Marathon -- he'd run them all.
Some benchmarks (Re: Parallelizing Spam Assassin)
On Sat, Aug 01, 2009 at 01:34:34PM +0300, Henrik K wrote:
> That reminds me, gotta test how SA runs on a Sun T5240 with 16 core 128 cores..

Well not that impressive for SA, price/speed wise..

T2+ 2x8x1.4Ghz, 144 msgs/sec @ 128 processes
AMD X4 4x3Ghz, 43 msgs/sec @ 4 processes

Note that this is 3.3 SVN with all the rulesrc included, perl 5.10. I saved the used stuff at http://sa.hege.li/bench/ to be able to make real comparisons, if someone has interesting servers. And this is as scientific as I can bother. :)