date:20090801


It's an American thing.  Things that are normal speech for UK blokes, get
Americans all disturbed.

Funny, used to be the other way around...but well...times change.



Justin Mason wrote:

On Fri, Jul 31, 2009 at 09:32,
rich...@buzzhost.co.ukrich...@buzzhost.co.uk wrote:

Imagine what Barracuda Networks could do with that if they did not fill
their gay little boxes with hardware rubbish from the floors of MSI and
supermicro. Jesus, try and process that many messages with a $30,000
Barracuda and watch support bitch 'You are fully scanning to much mail
and making our rubbish hardware wet the bed.' LOL.


Richard -- please watch your language.   This is a public mailing
list, and offensive language here is inappropriate.

Re: Parallelizing Spam Assassin

2009-08-01 Thread Patrick Ben Koetter

* Linda Walsh sa-u...@tlinx.org:
 It's an American thing.  Things that are normal speech for UK blokes, get
 Americans all disturbed.

Sloppy language is sloppy language everywhere! I took offense in the message,
too and I am neither American nor am I from the UK.

But what annoys me the most is that the comments were simply off-topic. I can
go and meet some friends and I can happily spend the whole night cracking one
joke after another - pc or not pc.

There's a place of everything. This is the place for SpamAssassin. I wish we
could get back to what this thread was all about: Parallelizing
SpamAssassin.

p...@rick

 Funny, used to be the other way around...but well...times change.
 
 Justin Mason wrote:
 On Fri, Jul 31, 2009 at 09:32,
 rich...@buzzhost.co.ukrich...@buzzhost.co.uk wrote:
 Imagine what Barracuda Networks could do with that if they did not fill
 their gay little boxes with hardware rubbish from the floors of MSI and
 supermicro. Jesus, try and process that many messages with a $30,000
 Barracuda and watch support bitch 'You are fully scanning to much mail
 and making our rubbish hardware wet the bed.' LOL.
 
 Richard -- please watch your language.   This is a public mailing
 list, and offensive language here is inappropriate.
 

-- 
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15  Telefon +49 89 3090 4664
81669 München  Telefax +49 89 3090 4666

Amtsgericht MünchenPartnerschaftsregister PR 563

Re: Parallelizing Spam Assassin

May I point out, that while you may find the language crude -- it isn't
language that would violate FTC standards in that in used any of the
7 or so 'unmentionable words'...

People -- these standards of 'crude language' really need to be strongly
held 'in check' -- the US is 'supposed' to be the society of 'free speech'
unless it is obscene or threatening.

I don't think his posting was either (BTW, I've never even 'heard' or seen
his name before this post. All I saw was his 'uk' addr -- and I've known
a few 'uk' types, and many of them sound very crude to an American ear
these days.

So in addition to applying strictures in a conservative manner, we must,
hopefully, try to be sensitive to different cultural backgrounds.

If I was talking with a black teen from downtown SF/Oakland, I'd have to
translate from Eubonics -- which can sound rather crude and might contain
and F-word every other sentence. I just apply my linguistic filter and
attempt to get the meaning. I hardly thing this list is aimed at an young
audience -- and kid 13+ is going to have heard quite an ear-full of 'colorful
explicatives' from ST4:Voyage home (a family movie), to everyday peer talk.

Yes -- it sounded crude...more than I, normally hear in America -- but not more than I'd hear in London.

Just my 2-cents on cultural sensitivity, and the ability to be amused at
cultural differences (rather than choosing to be offended by them).

p.s. - Most Commercial vendor products are Bantha Poodoo -- especially for
Virus/Security and Spam protection, but NOT all. Usually the highest
advertised profile are the worst -- they put more budget into advertising than
engineering.

Yeah, I still thing SA is a bit slow, but I put much of that up to it being
written in an interpretive language and it's wide flexibility and extensibility
with plug-ins. Whatcha gonna do? Maybe we should rewrite it in Forth?
*grin*...

Re: Parallelizing Spam Assassin


Well -- it's not just the cores -- what was the usage of the cores that
were being used?  were 3 out the 8 'pegged'?  Are these 'real' cores, or
HT cores?  In the Core2 and P4 archs, HT's actually slowed down a good 
many workloads unless they were tightly constructed to work on the same

data in cache.  Else, those HT's did just enough extra work to block cache
contents more than anything else.

What's the disk I/O look like?  I mean don't just focus on idle cores --
if the wait is on disk, maybe the cores can't get the data fast enough.

If the network is involved, well, that's a drag on any message checking.
I'm seeing times of .3msgs/sec, but I think that's with networking turned
on.  Pretty Ugly.



poifgh wrote:



Henrik K wrote:

Yeah, given that my 4x3Ghz box masscheck peaks at 22 msgs/sec, without
Net/AWL/Bayes. But that's the 3.3 SVN ruleset.. wonder what version was
used
and any nondefault rules/settings? Certainly sounds strange that 1 core
could top out the same. Anyone else have figures? Maybe I've borked
something myself..



The problem is not with 22 being a low number, but when we have other free
cores to run different SA parallely why doesnt the throughput scale linearly
.. I expect for 8 cores with 8 SA running simultaneously the number to be
150+ msgs/sec but it is 1/3rd at 50 msgs/sec

Re: Parallelizing Spam Assassin

2009-08-01 Thread rich...@buzzhost.co.uk

On Fri, 2009-07-31 at 23:40 -0700, Linda Walsh wrote:
 It's an American thing.  Things that are normal speech for UK blokes, get
 Americans all disturbed.

I'm sure that is mostly it, Linda. They don't seem to 'get' it.
Two things I observe in this whole 'barracuda-gate' posting;

1. Being 'offended' is not terminal, it does not kill, disable or have any side 
effects.
Can you image going to a doctor and saying You've got to treat me Doctor, I 
got offended,
my feelings are hurt.

2. Cultural differences exist. If I am expected to respect the 'diversity' that 
has people 
jumping up and down about the use of 'gay' because *they* have a different 
meaning for it,
it is not unreasonable to expect *them* to respect my diversity in using it in 
it's original context.
I'm tired of being told not to offend or upset people who don't show my views 
and beliefs equal respect.

Anyway, it's all OT and pointless in any context of processing spam - the point 
I made was factual love it or hate it.
That was poor hardware spec used in a well known retail anti-spam appliance = 
6-8 MPS 'fully scanned'.

Re: Parallelizing Spam Assassin

2009-08-01 Thread Henrik K


On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote:
 Well -- it's not just the cores -- what was the usage of the cores that
 were being used?  were 3 out the 8 'pegged'?  Are these 'real' cores, or
 HT cores?  In the Core2 and P4 archs, HT's actually slowed down a good  
 many workloads unless they were tightly constructed to work on the same
 data in cache.  Else, those HT's did just enough extra work to block cache
 contents more than anything else.

I really doubt there's HT involved in a recent looking 8 core 16GB machine..

 What's the disk I/O look like?  I mean don't just focus on idle cores --
 if the wait is on disk, maybe the cores can't get the data fast enough.

As we already guessed, AWL (BerkeleyDB) caused disk I/O and slowness. For
heavy loads you need to use SQL (or maybe the better BDB plugin in 3.3 if we
get it working).

 If the network is involved, well, that's a drag on any message checking.
 I'm seeing times of .3msgs/sec, but I think that's with networking turned
 on.  Pretty Ugly.

It affects single messages, but not total throughput. With network checks
you just dedicate a lot more childs. Waiting for network responses takes no
CPU time, thus you can process more messages simultaneously.

Re: Parallelizing Spam Assassin

2009-08-01 Thread Per Jessen

Henrik K wrote:

 On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote:
 Well -- it's not just the cores -- what was the usage of the cores
 that
 were being used?  were 3 out the 8 'pegged'?  Are these 'real' cores,
 or
 HT cores?  In the Core2 and P4 archs, HT's actually slowed down a
 good many workloads unless they were tightly constructed to work on
 the same
 data in cache.  Else, those HT's did just enough extra work to block
 cache contents more than anything else.
 
 I really doubt there's HT involved in a recent looking 8 core 16GB
 machine..

Why not?  I have a couple of brandnew Intel Core i7 (Nehalem) systems
with 8Gb RAM - they have 1 physical CPU with 4 cores and HT =
8 cores.  And they've got room for more RAM :-)


/Per Jessen, Zürich

Re: X-Spam-Report

2009-08-01 Thread Matus UHLAR - fantomas

On 01.08.09 07:01, router backup wrote:
 Is there a directive to change the way X-Spam-Report formats in the
 header of mail?
 Currently I get a single X-Spam-Report line wrapped;
 
 X-Spam-Report:  * -1.4 ALL_TRUSTED Passed through trusted hosts only via
  SMTP *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser *  1.3
  MISSING_SUBJECT Missing Subject: header
 
 But I have seen other mail (and would like to get) line breaking
 X-Spam-Report:
 * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
 *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser
 *  1.3 MISSING_SUBJECT Missing Subject: header
 
 Is this easy to do someplace?

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: Parallelizing Spam Assassin

2009-08-01 Thread Justin Mason

On Sat, Aug 1, 2009 at 10:04, Henrik Kh...@hege.li wrote:

 On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote:
 Well -- it's not just the cores -- what was the usage of the cores that
 were being used?  were 3 out the 8 'pegged'?  Are these 'real' cores, or
 HT cores?  In the Core2 and P4 archs, HT's actually slowed down a good
 many workloads unless they were tightly constructed to work on the same
 data in cache.  Else, those HT's did just enough extra work to block cache
 contents more than anything else.

 I really doubt there's HT involved in a recent looking 8 core 16GB machine..

 What's the disk I/O look like?  I mean don't just focus on idle cores --
 if the wait is on disk, maybe the cores can't get the data fast enough.

 As we already guessed, AWL (BerkeleyDB) caused disk I/O and slowness. For
 heavy loads you need to use SQL (or maybe the better BDB plugin in 3.3 if we
 get it working).

 If the network is involved, well, that's a drag on any message checking.
 I'm seeing times of .3msgs/sec, but I think that's with networking turned
 on.  Pretty Ugly.

 It affects single messages, but not total throughput. With network checks
 you just dedicate a lot more childs. Waiting for network responses takes no
 CPU time, thus you can process more messages simultaneously.

although you will also need to allocate more memory, as well, to
ensure that no swapping takes place.

-- 
--j.

Re: Parallelizing Spam Assassin

2009-08-01 Thread Henrik K

On Sat, Aug 01, 2009 at 11:46:57AM +0200, Per Jessen wrote:
 Henrik K wrote:
 
  On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote:
  Well -- it's not just the cores -- what was the usage of the cores
  that
  were being used?  were 3 out the 8 'pegged'?  Are these 'real' cores,
  or
  HT cores?  In the Core2 and P4 archs, HT's actually slowed down a
  good many workloads unless they were tightly constructed to work on
  the same
  data in cache.  Else, those HT's did just enough extra work to block
  cache contents more than anything else.
  
  I really doubt there's HT involved in a recent looking 8 core 16GB
  machine..
 
 Why not?  I have a couple of brandnew Intel Core i7 (Nehalem) systems
 with 8Gb RAM - they have 1 physical CPU with 4 cores and HT =
 8 cores.  And they've got room for more RAM :-)

Ah a comeback.. I guess it's atleast better than the P4 stuff? That reminds
me, gotta test how SA runs on a Sun T5240 with 16 core 128 cores..

Re: Parallelizing Spam Assassin

2009-08-01 Thread Per Jessen

Henrik K wrote:

 On Sat, Aug 01, 2009 at 11:46:57AM +0200, Per Jessen wrote:
 Henrik K wrote:
 
  On Sat, Aug 01, 2009 at 12:04:08AM -0700, Linda Walsh wrote:
  Well -- it's not just the cores -- what was the usage of the cores
  that
  were being used?  were 3 out the 8 'pegged'?  Are these 'real'
  cores, or
  HT cores?  In the Core2 and P4 archs, HT's actually slowed down a
  good many workloads unless they were tightly constructed to work
  on the same
  data in cache.  Else, those HT's did just enough extra work to
  block cache contents more than anything else.
  
  I really doubt there's HT involved in a recent looking 8 core 16GB
  machine..
 
 Why not?  I have a couple of brandnew Intel Core i7 (Nehalem) systems
 with 8Gb RAM - they have 1 physical CPU with 4 cores and HT =
 8 cores.  And they've got room for more RAM :-)
 
 Ah a comeback.. I guess it's atleast better than the P4 stuff?  

Not sure about that - AFAICT, it's exactly the same technology. (I
haven't done in exhaustive tests though).  


/Per Jessen, Zürich

Re: X-Spam-Report

2009-08-01 Thread router backup

2009/8/1 Matus UHLAR - fantomas uh...@fantomas.sk:
 On 01.08.09 07:01, router backup wrote:
 Is there a directive to change the way X-Spam-Report formats in the
 header of mail?
 Currently I get a single X-Spam-Report line wrapped;

 X-Spam-Report:  * -1.4 ALL_TRUSTED Passed through trusted hosts only via
  SMTP *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser *  1.3
  MISSING_SUBJECT Missing Subject: header

 But I have seen other mail (and would like to get) line breaking
 X-Spam-Report:
 * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
 *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser
 *  1.3 MISSING_SUBJECT Missing Subject: header

 Is this easy to do someplace?

 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104

 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Chernobyl was an Windows 95 beta test site.


Thank you. Mine does not even wrap at 80 characters, it appears as you
see it, so I am not sure it is the bug?
Do you know if there is a way to make even non spam show the report so
I can make observations?

Re: X-Spam-Report

2009-08-01 Thread Matus UHLAR - fantomas

  On 01.08.09 07:01, router backup wrote:
  Is there a directive to change the way X-Spam-Report formats in the
  header of mail?
  Currently I get a single X-Spam-Report line wrapped;
 
  X-Spam-Report:  * -1.4 ALL_TRUSTED Passed through trusted hosts only via
   SMTP *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser *  1.3
   MISSING_SUBJECT Missing Subject: header
 
  But I have seen other mail (and would like to get) line breaking
  X-Spam-Report:
  * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
  *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser
  *  1.3 MISSING_SUBJECT Missing Subject: header
 
  Is this easy to do someplace?

 2009/8/1 Matus UHLAR - fantomas uh...@fantomas.sk:
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104

On 01.08.09 11:51, router backup wrote:
 Thank you. Mine does not even wrap at 80 characters, it appears as you
 see it, so I am not sure it is the bug?
 Do you know if there is a way to make even non spam show the report so
 I can make observations?

it's possible that someone other re-wraps the line. Some mail delivery
agents, filters, or your MUA. How is your mail delivered do the SA/mailbox?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.

Reply to:

2009-08-01 Thread twofers

So what makes a spammer want to use a valid email address as a return or 
reply-to address to catch all the undeliverable, failure and bounced email that 
occures when sending UBE spam.
 
Is there some legitimacy with spam detection on an email that contains a valid 
reply-to email address?
 
To me, spam is one thing, but loading a mailbox with literally several 
thousands of bounced emails is abusive. I'm lucky as I have the option to click 
one button and remove them all on the server, but for a user to have to delete 
individually or as a group after downloading them all is just wrong.
 
Any ideas on preventing or minimizing this type of spam?
 
Thanks.
 
Wes

blacklisting a forger

2009-08-01 Thread Dennis German


I have received  many emails in the last hour which were undeliverable,
NOT sent by me.
It seems someone is forging usernames in my domain Real-World-Systems.com
as the from: and the return-path: .

Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in


I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but 
no response.


How does an MTA get blacklisted??

Re: X-Spam-Report

   Is there a directive to change the way X-Spam-Report formats in the
   header of mail?
   Currently I get a single X-Spam-Report line wrapped;
  
   X-Spam-Report:  * -1.4 ALL_TRUSTED Passed through trusted hosts only via
SMTP *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser *  
   1.3
MISSING_SUBJECT Missing Subject: header

I bet that's your MUA re-flowing multi-line headers. Have a look at the
*raw* message -- if need be leaving out your MUA entirely, peeking at
the raw, underlying mail store.

   But I have seen other mail (and would like to get) line breaking
   X-Spam-Report:
   * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
   *  2.2 HIDE_WIN_STATUS RAW: Javascript to hide URLs in browser
   *  1.3 MISSING_SUBJECT Missing Subject: header
  
   Is this easy to do someplace?

This actually is how SA formats the Report. (Minus leading tabs for the
continuation lines. ;)


  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6104

This is not the bug. The wrapping shown above is not due to SA.

In a nutshell, this bug is about SA actually correctly line wrapping at
78 chars IIRC. Alas, with a \t being one char, which it is -- not taking
into account it would be displayed 8 chars wide.

Matus, when you first posted this to the list, I replied with a detailed
code-tracked report of the issue and assumptions, explaining it. Seems I
didn't copy that to your bug report. Now where's the thread again?


 Thank you. Mine does not even wrap at 80 characters, it appears as you
 see it, so I am not sure it is the bug?

It isn't. :)

 Do you know if there is a way to make even non spam show the report so
 I can make observations?

add_header all Report _REPORT_

As I already posted quite a few times, and apparently keep responding on
this list. However, keep in mind that's the *detailed* Report, including
individual rules' scores and the verbose description. IMHO the Status
header featuring the rules should be sufficient for ham. Optionally even
including the rules' scores, if you want that.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Spam Humor

Awesome,

just received a German spam, obviously *trying* to advertise a porn
site. The way they blew up really made me laugh -- loud. :)

 Im World Wide Web unter www.example.com kannst du dir
  alles ansehen, dabei deinen Schw[...]

Yes, they really did use *that* URI.  Identified spam, all I'm missing
are URI DNSBL hits.

  guenther

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: blacklisting a forger


 I have received  many emails in the last hour which were undeliverable,
 NOT sent by me.
 It seems someone is forging usernames in my domain Real-World-Systems.com
 as the from: and the return-path: .

 Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in


 I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but
 no response.

 How does an MTA get blacklisted??

You'll probably never get a response, and even if you do, nothing will happen.

The easiest thing to do is configure your mail server use an RBL, which would
have stopped this before you received it.

http://www.mxtoolbox.com/blacklists.aspx

Terry

Re: Parallelizing Spam Assassin

On Fri, 2009-07-31 at 23:56 -0700, Linda Walsh wrote:
 May I point out, that while you may find the language crude -- it isn't
 language that would violate FTC standards in that in used any of the 
 7 or so 'unmentionable words'...

It's not about words on their own -- it's about how they are being used,
and their meaning in context.

 BTW, I've never even 'heard' or seen his name before this post.

Must have been a warm and cozy place, the rock you've been hiding
under. ;)  You missed a 3 digit figure of posts and uncalled-for
off-topic rants within a few weeks.

 If I was talking with [...]  I just apply my linguistic filter and
 attempt to get the meaning.

Sic.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Any one interested in using a proper forum?

2009-08-01 Thread Theodore Heise




On Tue, 28 Jul 2009, Curtis LaMasters wrote:

   ...I can't tell you how frustrating it is to have to 
click on each email in a thread to read its content.


This caught my eye, and I wonder if there may be a correlation to 
user preference.


I avoid using the mouse wherever possible, preferring keyboard-typed 
commands in CLI apps and keyboard shortcuts in GUI apps.  I spend 
most of my online time using text-based news and mail clients, as 
I'm interested in word content and have optimized use of the 
keyboard for my particular clients.  I can understand how clicking 
on every message would be tiresome.


Maybe those who prefer a forum type of interface tend to prefer use 
of the mouse?  Of the two who have seemed positive toward a forum, 
Curtis has implied preference for a mouse (e.g., even in MS Outlook 
I use strictly keyboard commands to read e-mail).  I wonder if Peter 
might also prefer mouse use.


--
Theodore (Ted) Heise t...@heise.nu Bloomington, IN, USA

Re: blacklisting a forger

On Sat, 1 Aug 2009 10:02:54 -0400
Terry Carmen te...@cnysupport.com wrote:

 
  I have received  many emails in the last hour which were
  undeliverable, NOT sent by me.
  It seems someone is forging usernames in my domain
  Real-World-Systems.com as the from: and the return-path: .
 
  Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
 
 
  I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in
  but no response.
 
  How does an MTA get blacklisted??
 
 You'll probably never get a response, and even if you do, nothing
 will happen.
 
 The easiest thing to do is configure your mail server use an RBL,
 which would have stopped this before you received it.

No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost
certainly an infected PC, and the backscatter is coming from
third-party servers.

Re: blacklisting a forger


 On Sat, 1 Aug 2009 10:02:54 -0400
 Terry Carmen te...@cnysupport.com wrote:


  I have received  many emails in the last hour which were
  undeliverable, NOT sent by me.
  It seems someone is forging usernames in my domain
  Real-World-Systems.com as the from: and the return-path: .
 
  Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
 
 
  I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in
  but no response.
 
  How does an MTA get blacklisted??

 You'll probably never get a response, and even if you do, nothing
 will happen.

 The easiest thing to do is configure your mail server use an RBL,
 which would have stopped this before you received it.

 No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost
 certainly an infected PC, and the backscatter is coming from
 third-party servers.


The IP address is listed on almost two dozen RBLs.

Terry'

Re: blacklisting a forger

2009-08-01 Thread Benny Pedersen


On Sat, August 1, 2009 14:19, Dennis German wrote:
 I have received  many emails in the last hour which were undeliverable,
 NOT sent by me.

backscattering, block this ip, and send a mail to the postmaster, whois ip 
might say what email

there system accept non existsing users, or some other bad lda that bounce when 
mta have
accepted it

 It seems someone is forging usernames in my domain Real-World-Systems.com
 as the from: and the return-path: .

http://old.openspf.org/wizard.html?mydomain=Real-World-Systems.comsubmit=Go!

change all to -all (softfail vs fail)

also see the later part for how to add zones to bind/djbdns

 Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
 I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but
 no response.

block the client ip then

check that the ip is not in dnswl or dnsbl lists already

 How does an MTA get blacklisted??

start accepting emails and setup sieve to reject (dovecot sieve have this bug)

temporary i have disabled reject in my sieve to not do this

-- 
xpoint

Re: blacklisting a forger

On Sat, 1 Aug 2009 11:04:35 -0400
Terry Carmen te...@cnysupport.com wrote:

 
  On Sat, 1 Aug 2009 10:02:54 -0400
  Terry Carmen te...@cnysupport.com wrote:
 
 
   I have received  many emails in the last hour which were
   undeliverable, NOT sent by me.
   It seems someone is forging usernames in my domain
   Real-World-Systems.com as the from: and the return-path: .
  
   Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
  
  
   I have sent a message to ab...@mntl.net.in and
   helpd...@mtnl.net.in but no response.
  
   How does an MTA get blacklisted??
 
  You'll probably never get a response, and even if you do, nothing
  will happen.
 
  The easiest thing to do is configure your mail server use an RBL,
  which would have stopped this before you received it.
 
  No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost
  certainly an infected PC, and the backscatter is coming from
  third-party servers.
 
 
 The IP address is listed on almost two dozen RBLs.

sure, but the original poster wrote:

I have received  many emails in the last hour which were
undeliverable, NOT sent by me. It seems someone is forging usernames in
my domain 

In other words he is receiving backscatter. And Received-From-MTA
is a standard DSN field set by the MTA generating the DSN.

Re: OT: Nehelam's New HT ability....

Per Jessen wrote:

Not sure about that - AFAICT, it's exactly the same technology. (I
haven't done in exhaustive tests though).

Supposedly 'Very' different (I hope)...
1) You can't turn it off in the BIOS
2) claim of benefit from increased cache (FALSE),
(have older 2x2 Dual Core machine with 4MBxL2 Cache/Dual core.

If you only use 1 Core/CPU, that 4MB L2 cache/Core)

New machine with 1 Quad core (Dual core CPU's are too slow
to use memory faster than 800MHz -- only Quad cores go up to Quick
Connect Speeds that will support fastest memory of 1333MHz (even if
you only have 1 CPU). So you are 'encouraged' to go with Quad over

2x2Dual. Quad has 8MB L3 Cache, w/256K dedicated L2/Core. So
with HT 128K/thread. To get 2 Cores, they'll get 256K-L2 ea, +
8MB L3 shared. So about 3.125%more memory! WOW ea!...(though the
bandwidth for the fast core processors to main memory can be 2x faster).
3) Here's possible benefit: they've added more parallel resources to
each core -- so each thread can possibly get more done than the
old threads -- but this is only a maybe depending on workload.

The biggest cool thing about Nehelam is power savings -- they implemented
Celeron's power-step tech in a big way. Quiescent cores crank down their
clocks independently to about 60% of top speed and have efficient sleep
states (I think some cores can be halted, but not sure). Some of their
processors have a 'turbo mode', which will some small amount faster speed

than the speed on the chip label (does that mean the turbo chips are really
faster rated chips...you tell me), BUT if fewer cores are used -- say only
2/4, the turbo boost can be a small amount greater (don't have access

(don't know if any is published). If one was to go from their marketing
graphs (HAHAHAHAHA), Turbo for 4 cores is about 10 more, and if only 2/4
cores are running, it's an additional 10%. So marketing hype/reality,
might mean 1-3% faster?

I will say this much -- @ idle, w/8 disks (it's a server, so built-in GPU
with 8MB shared memory, if you aren't going headless) -- with dual/redundant
PS, it uses 157W. (1-PS, slightly more efficient at 146W). Major power
savings with possible big increases in speed. But you can't turn off HT
as in previous machines (at least not in the one I've had access to).

That power consumption is less than half their older Workstation model (though an idle graphics card still sucks quite a bit of useless ergs
(stupid Nvidia)..

Oblig SA content: When I ran 100 msgs through my filters (that connect to
spamd, but that uses net), the MHz immediately jumped from ~1596 up to 2300 on
each of the '8' HT cores...so might be perfect for a server that gets sporadic
loads! ;-)

-linda

Re: Parallelizing Spam Assassin

2009-08-01 Thread Matt Kettler

Um, Linda.. I'm pretty positive Justin is Irish, not American.

Linda Walsh wrote:
 It's an American thing.  Things that are normal speech for UK blokes, get
 Americans all disturbed.

 Funny, used to be the other way around...but well...times change.



 Justin Mason wrote:
 On Fri, Jul 31, 2009 at 09:32,
 rich...@buzzhost.co.ukrich...@buzzhost.co.uk wrote:
 Imagine what Barracuda Networks could do with that if they did not fill
 their gay little boxes with hardware rubbish from the floors of MSI and
 supermicro. Jesus, try and process that many messages with a $30,000
 Barracuda and watch support bitch 'You are fully scanning to much mail
 and making our rubbish hardware wet the bed.' LOL.

 Richard -- please watch your language.   This is a public mailing
 list, and offensive language here is inappropriate.

Re: Reply to:

2009-08-01 Thread mouss

twofers a écrit :
 So what makes a spammer want to use a valid email address as a return or
 reply-to address to catch all the undeliverable, failure and bounced
 email that occures when sending UBE spam.
  

this is to beat those who use sender verification/sender
callout/(whatever you name it).

 Is there some legitimacy with spam detection on an email that contains a
 valid reply-to email address?
  
 To me, spam is one thing, but loading a mailbox with literally several
 thousands of bounced emails is abusive. I'm lucky as I have the option
 to click one button and remove them all on the server, but for a user to
 have to delete individually or as a group after downloading them all is
 just wrong.
  
 Any ideas on preventing or minimizing this type of spam?
  

you mean the stupid bounces?
well, the solution is to have sites fix their broken setup and not
return a bounce if the recipient doesn't exist (they should validate
recipients at smtp time) nor if the message is detected as undesired
(spam, malware, whatever).

until then, the only thing you can do is limit the impact. SA has
vbounce.pm. depending on your MTA, you can also block some the
outscatter at smtp time. google for backscatter.

SA-learn (spamassassin)

2009-08-01 Thread monolit


Hello, I found out the following information:
my SPAMD daemon is running under root. But I have in master.cf(postfix
configuration file) the following lines:

Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: man 5 master).
#
# ==

# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==

smtp inet n - n - - smtpd
-o content_filter=spamfilter:dummy


== ==
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe( delivery
# agent. See the pipe( man page for information about ${recipient}
# and other message envelope options.
# == ==

spamfilter unix - n n - - pipe
flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter -f ${sender} --
${recipient}

Spamfilter is user for spamassassin(spamd)(but for me is strange that spamd
is running under root). I configured master.cf according to
h-t-t-p://onetforum.com/fourm/viewtopic.php?p=27]Kalinga's]Kalinga's
Community Support Forum bull; View topic - Integrating Spam Assassin with
Postfix(h-t-t-p replace by http)
It is recomended by spamassassin original www pages.


In local.cf I have: bayes_path /home/spamfilter/.spamassassin/bayes.

And now when I send mail(for example at 21:00 oclock) which spamassassin
mark like autolearn= spam and I show to the
/home/spamfilter/.spamassassin/bayes so I can see that files bayes_tooks nad
bayes_seen was modified in 21:00 but their size didnt change? How is it
possible - when spamssassin changes the files so they have to increase their
size...When I type command sa-learn --dump magic so I can see that in row
nspam increase his value +1. This is confirmation that autolearn works.(but
the database dont increase his size).

My second problem: I get mail with sign autolearn=ham. I take the mail and I
use the following command: sa-learn --spam --file mail (at 21:55 oclock)l.
When type sa-learn --dump magic so I can see that nspam was increased +1 its
OK. But when I look to the /home/spamfilter/.spamassassin I can see that
database file was change but their size didnt change. Its normal???

And the last problem: When I get mail with sign autolearn=ham so I tried
type sa-learn --spam --file mail. When I got the same mail so spamassassin
mark the mail again autolearn=ham. How is it possible when I learn bayes by
hand (sa-learn --spam --file mail) that this mail is spam? I have explicit
set in local.cf bayes_min_spam_num 1. This means that for bayes is
sufficient one mail for learning(according to me). But it dosesnt work.

Thanks for advise(I need it necessary).




Sorry for my terrible english.
-- 
View this message in context: 
http://www.nabble.com/SA-learn-%28spamassassin%29-tp24773517p24773517.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Razor, spamassassin - network test

On Sat, 2009-08-01 at 16:10 -0700, an anonymous Nabble user wrote:
 Hi I need help with antispam. I use spamassassin with razor. And when I test
 spamassassin --lint -D razor2 then I get result that razor2 : test local
 only, skipping razor. I need test razor in connection to the internet. I
 dont know how it do. Can you advise me?

Lint checking disables network tests. That's why you see this. What you
need to do is to use debugging and feed it a message...

 I find out from spamassassin web the following:
 
 How to turn on network tests
 
 Edit your spamd start-up script, or start-up options file (depending on
 which OS you're running, these may be different). There should be a -L or
 --local switch in that file. Remove it to enable network tests.
 
 But i cant find the file with the switch -L. I use CentOS...
 When I type the folowing: spamassassin -t -D razor2  /tmp/spam

Like this.  Don't use --lint for that type of check. Use debugging only.
Apparently, it works if you do that.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: blacklisting a forger


 On Sat, 1 Aug 2009 11:04:35 -0400
 Terry Carmen te...@cnysupport.com wrote:


  On Sat, 1 Aug 2009 10:02:54 -0400
  Terry Carmen te...@cnysupport.com wrote:
 
 
   I have received  many emails in the last hour which were
   undeliverable, NOT sent by me.
   It seems someone is forging usernames in my domain
   Real-World-Systems.com as the from: and the return-path: .
  
   Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
  
  
   I have sent a message to ab...@mntl.net.in and
   helpd...@mtnl.net.in but no response.
  
   How does an MTA get blacklisted??
 
  You'll probably never get a response, and even if you do, nothing
  will happen.
 
  The easiest thing to do is configure your mail server use an RBL,
  which would have stopped this before you received it.
 
  No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost
  certainly an infected PC, and the backscatter is coming from
  third-party servers.


 The IP address is listed on almost two dozen RBLs.

 sure, but the original poster wrote:

 I have received  many emails in the last hour which were
 undeliverable, NOT sent by me. It seems someone is forging usernames in
 my domain

The backscatter would not have been received, since the sender is on a number
of RBLs.

Terry


 In other words he is receiving backscatter. And Received-From-MTA
 is a standard DSN field set by the MTA generating the DSN.



-- 
CNY Support, LLC
Web. Database. Business
http://www.cnysupport.com

Re: Razor, spamassassin - network test

2009-08-01 Thread monolit




I tried it without --lint just spamassassin --lint -D razor2 so the
command line freeze(dont work).

 When I use spamassassin -t -D razor2  /tmp/spam
 so I dont get the hash and so on but content analysis details...bayes
 clasification and so on. I expected message like :
debug: Razor is available
 debug: Razor Agents 1.20, protocol version 2.
 debug: Read server list from /home/jgb/.razor.lst
 debug: 72636 seconds before closest server discovery
 debug: Closest server is 209.204.62.150
 debug: Connecting to 209.204.62.150...
 debug: Connection established
 debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
 debug: Server version: 1.11, protocol version 2
 debug: Server response: Negative
 48e74b8496877ba45072b201b41eebed7038186b
 debug: Message 1 NOT found in the catalogue

Can you type accurate command for using razor. I want test the mail...
Create hash ...send it to the server ang get the answer(is spam or ham).
-- 
View this message in context: 
http://www.nabble.com/Razor%2C-spamassassin---network-test-tp24773506p24773657.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: SA-learn (spamassassin)

On Sat, 2009-08-01 at 16:13 -0700, an anonymous Nabble user wrote:
 And the last problem: When I get mail with sign autolearn=ham so I tried
 type sa-learn --spam --file mail. When I got the same mail so spamassassin
 mark the mail again autolearn=ham. How is it possible when I learn bayes by
 hand (sa-learn --spam --file mail) that this mail is spam? I have explicit
 set in local.cf bayes_min_spam_num 1. This means that for bayes is
 sufficient one mail for learning(according to me). But it dosesnt work.

Do NOT do that.

Unless you *really* understand the implications. Which you don't. It's a
default for a reason.

It's a counter-measure against bad learning, to force at least some
MINIMAL manual training, before auto-learning kicks in. You just side-
stepped that.

You should read some docs on Bayes, before messing with its settings.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Razor, spamassassin - network test

Back on-list.  I'm not a personal help-line.

On Sat, 2009-08-01 at 16:40 -0700, an anonymous Nabble user wrote privately:
 I tried it without --lint just spamassassin --lint -D razor2 so the
 ^^^^
You did not.

 command line freeze(dont work).

Or maybe you did, despite your command given.

The --lint option creates an internal test message. With real debugging,
that means NO --lint option, but usually -D, you need to pipe it a
message. Otherwise, it apparently freezes, waiting for input (on STDIN).

  When I use spamassassin -t -D razor2  /tmp/spam
  so I dont get the hash and so on but content analysis
  details...bayes clasification and so on. I expected message like :

Despite the quote indentation, I did not write that.

Anyway, something like that should do...

 debug: Razor is available
  debug: Razor Agents 1.20, protocol version 2.
  debug: Read server list from /home/jgb/.razor.lst
  debug: 72636 seconds before closest server discovery
  debug: Closest server is 209.204.62.150
  debug: Connecting to 209.204.62.150...
  debug: Connection established
  debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
  debug: Server version: 1.11, protocol version 2
  debug: Server response: Negative
  48e74b8496877ba45072b201b41eebed7038186b
  debug: Message 1 NOT found in the catalogue
 
 Can you type accurate command for using razor. I want test the mail...
 Create hash ...send it to the server ang get the answer(is spam or
 ham).

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: blacklisting a forger

On Sat, 1 Aug 2009 19:33:40 -0400
Terry Carmen te...@cnysupport.com wrote:

 The backscatter would not have been received, since the sender is on
 a number of RBLs.

It's the IP address of the botnet PC that's on the RBLs, the backscatter
doesn't come from there, it comes from the recipients of the spam.

See:  http://en.wikipedia.org/wiki/Backscatter_(e-mail)

Re: blacklisting a forger


 On Sat, 1 Aug 2009 19:33:40 -0400
 Terry Carmen te...@cnysupport.com wrote:

 The backscatter would not have been received, since the sender is on
 a number of RBLs.

 It's the IP address of the botnet PC that's on the RBLs, the backscatter
 doesn't come from there, it comes from the recipients of the spam.

 See:  http://en.wikipedia.org/wiki/Backscatter_(e-mail)

Regardless of whether or not the message was backscatter, The sending system
(triband-mum-59.184.51.13.mtnl.net.in) is blacklisted,

Terry

Re: SA-learn (spamassassin)

On Sun, 02 Aug 2009 01:42:21 +0200
Karsten Bräckelmann guent...@rudersport.de wrote:

 On Sat, 2009-08-01 at 16:13 -0700, an anonymous Nabble user wrote:
  And the last problem: When I get mail with sign autolearn=ham so I
  tried type sa-learn --spam --file mail. When I got the same mail so
  spamassassin mark the mail again autolearn=ham.How is it possible

It's not the same spam, it'll have different headers.

  when I learn bayes by hand (sa-learn --spam --file mail) that this
  mail is spam? I have explicit set in local.cf bayes_min_spam_num 1.
  This means that for bayes is sufficient one mail for
  learning(according to me). But it dosesnt work.

It's not like pyzor where you set a threshold, it's a statistical
filter, you have to feed it hundreds of mails before it produces
reliable results, hence the 200 spam minimum.

 Do NOT do that.
 
 Unless you *really* understand the implications. Which you don't.
 It's a default for a reason.
 
 It's a counter-measure against bad learning, to force at least some
 MINIMAL manual training, before auto-learning kicks in. You just side-
 stepped that.

AFAIK it doesn't affect autoleaning at all, bayes_min_spam_num 
bayes_min_ham_num control when scoring starts.

Re: blacklisting a forger

On Sat, 1 Aug 2009 20:44:27 -0400
Terry Carmen te...@cnysupport.com wrote:

 
  On Sat, 1 Aug 2009 19:33:40 -0400
  Terry Carmen te...@cnysupport.com wrote:
 
  The backscatter would not have been received, since the sender is
  on a number of RBLs.
 
  It's the IP address of the botnet PC that's on the RBLs, the
  backscatter doesn't come from there, it comes from the recipients
  of the spam.
 
  See:  http://en.wikipedia.org/wiki/Backscatter_(e-mail)
 
 Regardless of whether or not the message was backscatter, The sending
 system (triband-mum-59.184.51.13.mtnl.net.in) is blacklisted,

Of course it's blacklisted, but would you care to explain how rejecting
mail from 59.184.51.13 helps, when the backscatter doesn't come from
there?

Re: Network Tests / Rule Files Directories

2009-08-01 Thread Stefan Malte Schumacher


 I have tried adding the appropriate lines, which I believe should be
 score DCC_CHECK 5.0 if I want all emails which pass the DCC-Check
 to get 5 points. Unfortunately this is not working, neither for DCC
 nor for Razor.

Yes, that should do it.

Evidence that it's not working? Show us some SA headers. In this case, a
spam sample that triggered DCC, cause the Report header does show the
rule's score.

Here is an example with Razor2, but I guess the underlying problem is the
same. 

http://www.pagan.mynetcologne.de/example-email

I have the following rules in my user_prefs

score DCC_CHECK 5.0
score RAZOR2_CECK 5.0
score PYZOR_CHECK 5.0

As you can see, the message only gets a score of 2.2. In the beginning I
believed that I made some embarrassing mistake with the rules concerning the
network checks, but if you say these are okay the problem most likely lies
somewhere else. 

Btw: I have greped my mailboxes for hits with DCC, Razor2 and Pyzor and have
found that DCC identifies the most spam, Razor about half as much and Pyzor
close to nothing. Is its database just that small or is there some
configuration option that can be tweaked for better performance?

Bye
Stefan
-- 
View this message in context: 
http://www.nabble.com/Network-Tests---Rule-Files-Directories-tp24750149p24774136.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Network Tests / Rule Files Directories

2009-08-01 Thread Stefan Malte Schumacher


 score RAZOR2_CECK 5.0

Yes, I have seen my mistake (after sending the email). But the problem with
DCC persists and in that case I was even able to spell a simple
three-word-rule correctly. I am going to post another example with DCC as
soon as possible.

Bye
Stefan 


-- 
View this message in context: 
http://www.nabble.com/Network-Tests---Rule-Files-Directories-tp24750149p24774184.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: blacklisting a forger