Re: Elusive spam

2009-08-13 Thread --[ UxBoD ]--
- John Hardin jhar...@impsec.org wrote:

 On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:
  Maybe this will sound dumb but wouldn't it be perfectly
  safe to blacklist example.com; after all, that isn't a
  domain you're ever going to get mail from.
  
  Ted
 
 That is there because Alex likely wishes to keep his real domain
 private. Note that the envelope TO address is @example.com, which
 would never be delivered, unless Alex really _does_ own the example.com
 domain...
 
  MySQL Student wrote:
 
   I'm having trouble catching a particular type of spam, and hoped
   someone had some time to take a look:
   
   http://pastebin.com/d57336542
   
   It doesn't match RAZOR2, or any of the URI lists, and it's only
   BAYES_50. I have a pretty well-established BAYES db, so I'm
   surprised it's only BAYES_50. What can I do to block spam like this
   in the future?
   
   Thanks,
   Alex
 
 Alex, there's likely not much you can do. On a spam that short
 there's not a lot to work with.
 
 You could increase the score for URI_HEX.
 
 If the form of the URI is consistent, perhaps something like this
 would help:
 
   uri  URI_NUMERIC_CCTLD  m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i
 
 This is really suspicious:
 
   X-Mailer: Gentoo
 
 Gentoo is an OS, not a MUA. Is that at all consistent? If so:
 
   header GENTOO_MUA  X-Mailer =~ /^Gentoo$/
 
 Or perhaps this:
 
   header MUA_ONE_WORD  X-Mailer =~ /^[a-z]+$/i
 
 (all untested, sorry)
 
Alex,

Ran it through myself and got a pretty decent score, so it seems to depend on
whether you are checking any of the other RBLs?

Content analysis details:   (20.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
                            [74.86.146.6 listed in b.barracudacentral.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?74.86.146.6]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [74.86.146.6 listed in zen.spamhaus.org]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [74.86.146.6 listed in dnsbl.sorbs.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: 888098.tk]
 5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
                            [74.86.146.6 listed in sip.invaluement.com]
 4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
                            [URIs: 888098.tk]
 0.0 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.4 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4553]

Best Regards,

-- 
This message has been scanned for viruses and
dangerous content and is believed to be clean.

SplatNIX IT Services :: Innovation through collaboration
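
A quick harness for trying John Hardin's three untested rules from the quoted post against a sample message before they go into local.cf. This is an added example, not code from the thread: the rule regexes are his, carried over from Perl `m,...,i` syntax to Python `re`; the sample message, its URIs and the `X-Mailer` value are constructed.

```python
"""Try John Hardin's proposed rules against a sample message.

Added example, not code from the thread.  A SpamAssassin `uri` rule is run
against every URI extracted from the body, and a `header NAME X-Mailer =~`
rule against the value of that header; Perl's `m,...,i` becomes a Python
pattern with re.I.  The message below is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Rule name -> (what it applies to, compiled regex), copied from the post.
RULES = {
    # uri  URI_NUMERIC_CCTLD  m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i
    "URI_NUMERIC_CCTLD": ("uri", re.compile(r"^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/", re.I)),
    # header GENTOO_MUA  X-Mailer =~ /^Gentoo$/
    "GENTOO_MUA": ("header:X-Mailer", re.compile(r"^Gentoo$")),
    # header MUA_ONE_WORD  X-Mailer =~ /^[a-z]+$/i
    "MUA_ONE_WORD": ("header:X-Mailer", re.compile(r"^[a-z]+$", re.I)),
}

# Crude URI extractor for the body (SpamAssassin's own is far more thorough).
_URI = re.compile(r'''\b[a-z][a-z0-9+.-]*://[^\s<>"']+''', re.I)

# Constructed sample: a one-word X-Mailer, one URI with a single numeric
# label (like the 888098.tk in the score report) and one with three.
SAMPLE = """\
From: someone@example.com
X-Mailer: Gentoo
Subject: hello

see http://888098.tk/ or http://12.34.56.tk/
"""


def split_message(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw RFC 822 style message into lowercase-keyed headers and body."""
    head, _, body = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def run_rules(raw: str) -> Dict[str, List[str]]:
    """Return, per rule, the list of values it matched (empty list = no hit)."""
    headers, body = split_message(raw)
    uris = _URI.findall(body)
    hits: Dict[str, List[str]] = {}
    for name, (target, rx) in RULES.items():
        if target == "uri":
            hits[name] = [u for u in uris if rx.search(u)]
        else:
            value = headers.get(target.split(":", 1)[1].lower(), "")
            hits[name] = [value] if rx.search(value) else []
    return hits


if __name__ == "__main__":
    for rule, matched in run_rules(SAMPLE).items():
        print(f"{rule:18} {'HIT ' + ', '.join(matched) if matched else 'no hit'}")
```

Against the sample only the three-label URI fires URI_NUMERIC_CCTLD: the `(?:\d+\.){2,}` part needs at least two numeric labels before the two-letter ccTLD, so a host like the 888098.tk in the score report above would not trigger that rule as written.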



Re: Bayes training

2009-08-13 Thread Matus UHLAR - fantomas
On 12.08.09 11:32, Luis Daniel Lucio Quiroz wrote:
 Talking about bayes training,
 I set up bayes/SQL and I see all tokens in my db.
 
 However I don't know if my db has reached the minimum 200 tokens to let bayes 
 testing work.  Is there a SQL query to know this number?

sa-learn --dumpdb should do that if you have correct parameters for the
DB...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.


Re: Bayes training

2009-08-13 Thread Benny Pedersen
On Thu, 13 Aug 2009 09:09:59 +0200, Matus UHLAR - fantomas
uh...@fantomas.sk wrote:
 However I don't know if my db has reached the minimum 200 tokens to let
 bayes testing work.  Is there a SQL query to know this number?
 sa-learn --dumpdb should do that if you have correct parameters for the
 DB...

magic

-- 
Benny Pedersen


Re: Ahh! What's all this SPAM?!?!?

2009-08-13 Thread Matus UHLAR - fantomas
 On Wed, 2009-08-12 at 20:36 -0600, LuKreme wrote:
  I find my users almost never look at the SPAM  
  mailbox

On 13.08.09 06:30, rich...@buzzhost.co.uk wrote:
 There is an easy fix for that - take that facility away :-)

do you mean, take away spam filtering or the possibility to look at false
positives?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete


whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Per Jessen
My ruleset contains lines like this:

ifplugin Mail::Spamassassin::Plugin::DKIM
whitelist_from_dkim *...@example.com
endif

I see DKIM_VERIFIED hit in mails from example.com, but the whitelisting
doesn't happen for some reason.  What am I doing wrong? 


/Per Jessen, Zürich



Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Benny Pedersen
On Thu, 13 Aug 2009 10:41:51 +0200, Per Jessen p...@computer.org wrote:
 My ruleset contains lines like this:
 
 ifplugin Mail::Spamassassin::Plugin::DKIM
 whitelist_from_dkim *...@example.com
 endif

I would use def_whitelist_from_dkim with a wildcard user; just me, but IMHO
better.

In other words:

whitelist_from_dkim u...@example.com
def_whitelist_from_dkim *...@example.net

and adjust the scores for these 2 sets until you get the best results.

 I see DKIM_VERIFIED hit in mails from example.com, but the whitelisting
 doesn't happen for some reason.  What am I doing wrong? 

This should not happen; check spamassassin --lint.

Output from spamassassin 2>&1 --lint -D | less

Any errors?

-- 
Benny Pedersen


Re: Ahh! What's all this SPAM?!?!?

2009-08-13 Thread Mike Cardwell

LuKreme wrote:

Got quite a few emails today from users complaining about the huge 
onslaught of SPAM into their mailboxes. One user in particular is used 
to getting 2-5 email messages a day and logged in this morning to over 
250 in the last 12 hours.


So, I investigated.

Ooops, I restarted spamd last night and forgot to check it had come up 
clean. 12 hours of no spamd running was an experience for my users.
 
OTOH, several users' reactions oh, Oh my god, I had no idea there was 
that much spam (I find my users almost never look at the SPAM mailbox) 
has certainly elevated me in their eyes. Might not be a bad reminder 
every year or 18 months to 'accidently' stop spamd for a few hours!


You have two options when SpamAssassin fails, until you fix it:

1.) Accept all mail including spam
2.) Defer all mail delivery

I tend to go for number 2. My MTA just responds with a temporary error 
if it can't speak to SpamAssassin.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Per Jessen
Benny Pedersen wrote:

 I see DKIM_VERIFIED hit in mails from example.com, but the
 whitelisting
 doesn't happen for some reason.  What am I doing wrong?
 
 this should not happen, check spamassassin --lint

Yep, I always do before loading a new ruleset, shows no problems.

 output from spamassassin 2>&1 --lint -D | less
 any errors ?

Looks like I'm trying to load DKIM twice, but that can't be the cause:

http://jessen.ch/files/sa-lint-debug.txt


/Per Jessen, Zürich



Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Mark Martinec
Per,

  I see DKIM_VERIFIED hit in mails from example.com, but the
  whitelisting
  doesn't happen for some reason.  What am I doing wrong?
 
  this should not happen, check spamassassin --lint

 Yep, I always do before loading a new ruleset, shows no problems.

  output from spamassassin 2>&1 --lint -D | less
  any errors ?

 Looks like I'm trying to load DKIM twice, but that can't be the cause:

 http://jessen.ch/files/sa-lint-debug.txt

I don't see any DKIM_VERIFIED triggered in your log; you have DNS disabled:

  [12951] dbg: dns: is DNS available? 0


Mark


Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Per Jessen
Mark Martinec wrote:

 Per,
 
  I see DKIM_VERIFIED hit in mails from example.com, but the
  whitelisting doesn't happen for some reason.  What am I doing
  wrong? 
 
  this should not happen, check spamassassin --lint

 Yep, I always do before loading a new ruleset, shows no problems.

  output from spamassassin 2>&1 --lint -D | less
  any errors ?

 Looks like I'm trying to load DKIM twice, but that can't be the
 cause:

 http://jessen.ch/files/sa-lint-debug.txt
 
 I don't see any DKIM_VERIFIED triggered in your log; you have DNS
 disabled:
 
   [12951] dbg: dns: is DNS available? 0
 

The lint test-message presumably wouldn't cause DKIM_VERIFIED to hit
anyway, but DNS is most definitely enabled.  Is DNS perhaps disabled by
default during a lint check?


/Per Jessen, Zürich



Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Mark Martinec
Per,

 The lint test-message presumably wouldn't cause DKIM_VERIFIED to hit
 anyway, but DNS is most definitely enabled.

Please send the debug output on a real signed message run, e.g.:
  spamassassin -D -t test.msg > test.log 2>&1

Mark


Re: Ahh! What's all this SPAM?!?!?

2009-08-13 Thread LuKreme

On 12-Aug-2009, at 23:30, rich...@buzzhost.co.uk wrote:

On Wed, 2009-08-12 at 20:36 -0600, LuKreme wrote:

I find my users almost never look at the SPAM
mailbox

There is an easy fix for that - take that facility away :-)


I am tempted. The various SPAM folders are more than half the mail  
storage. And since everything is backed-up... but yeah, it would be a  
bad idea and increase my workload. I can just throw more storage at  
the burgeoning Spam problem (and I do auto-delete after 7 days, so  
it's not nearly as bad as it once was.)


--
The hippo of recollection stirred in the muddy waters of the mind.



Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Per Jessen
Mark Martinec wrote:

 Per,
 
 The lint test-message presumably wouldn't cause DKIM_VERIFIED to hit
 anyway, but DNS is most definitely enabled.
 
 Please send the debug output on a real signed message run, e.g.:
   spamassassin -D -t test.msg > test.log 2>&1
 

Just ran a test like that - 

http://jessen.ch/files/belo-news-dkim-testmsg.output

One very suspicious line is:

dkim: no wl entries match author pen...@belo-news.com, no need to
verify sigs

Despite my config:

ifplugin Mail::Spamassassin::Plugin::DKIM
whitelist_from_dkim *...@belo-news.com
endif


/Per Jessen, Zürich



Re: Elusive spam

2009-08-13 Thread LuKreme

On 12-Aug-2009, at 21:09, Ted Mittelstaedt wrote:

Furthermore, since you may want to munge more than 2 pieces
of dissimilar data in a spam, you're going to rapidly run out
of example.*.  Further, example.com is only good for alpha
data munging and is useless for numeric data munging, i.e.:
IP addresses.



You ignored example.org


--
Did they get you to trade your heroes for ghosts? Hot
ashes for trees? Hot air for a cool breeze? Cold comfort
for change?



Re: MIME::lite

2009-08-13 Thread LuKreme

On 12-Aug-2009, at 23:40, rich...@buzzhost.co.uk wrote:
The other day I recall someone mentioning they routinely block anything
where the mailer is MIME::Lite. I don't do this myself as any self
respecting spammer with more than a quarter of a brain cell is not going
to make a slip like that {a script kiddie may - but that is another
story}.


That doesn't seem at all like a spam sign, based on a trawl through  
my own mailspools this morning.



--
Once again I teeter at the precipice of the generation gap.



Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Per Jessen
Per Jessen wrote:

 One very suspicious line is:
 
 dkim: no wl entries match author pen...@belo-news.com, no need to
 verify sigs
 
 Despite my config:
 
 ifplugin Mail::Spamassassin::Plugin::DKIM
 whitelist_from_dkim *...@belo-news.com
 endif

I've done a few more tests - AFAICT, the whitelist_from_dkim from above
isn't being accepted when the config is read in.
If I remove the ifplugin condition, it works fine.  Is something wrong
with my ifplugin?


/Per Jessen, Zürich



Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Per Jessen
Per Jessen wrote:

 Per Jessen wrote:
 
 One very suspicious line is:
 
 dkim: no wl entries match author pen...@belo-news.com, no need to
 verify sigs
 
 Despite my config:
 
 ifplugin Mail::Spamassassin::Plugin::DKIM
 whitelist_from_dkim *...@belo-news.com
 endif
 
 I've done a few more tests - AFAICT, the whitelist_from_dkim from
 above isn't being accepted when the config is read in.
 If I remove the ifplugin condition, it works fine.  Is something wrong
 with my ifplugin?

It seems like the DKIM is at first loaded fine, but then later
it disappears - I've added some debug output in
Conf/Parser.pm::cond_clause_plugin_loaded() :

http://jessen.ch/files/belo-news-dkim-testmsg.output3

Notice:

# grep cond_clause.*DKIM /tmp/belo-news-dkim-testmsg.output3
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=

The '1' or nothing is what the method returns. 


/Per Jessen, Zürich



spamd dying

2009-08-13 Thread LuKreme
I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
-r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
later it is dying without an error.


all I get in /var/log/spamd is:

--
A ship should not ride on a single anchor,
nor life on a single hope



spamd dying

2009-08-13 Thread LuKreme
I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
-r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
later it is dying without an error.


[Never mind, spamassassin --lint was dying with a core dump. I removed  
the spear-fishing rules and all is back right with the world]


--
A ship should not ride on a single anchor,
nor life on a single hope



Re: Ahh! What's all this SPAM?!?!?

2009-08-13 Thread Matus UHLAR - fantomas
 On 12-Aug-2009, at 23:30, rich...@buzzhost.co.uk wrote:
 On Wed, 2009-08-12 at 20:36 -0600, LuKreme wrote:
 I find my users almost never look at the SPAM
 mailbox
 There is an easy fix for that - take that facility away :-)

On 13.08.09 05:18, LuKreme wrote:
 I am tempted. the various SPAM folders are more than half the mail  
 storage. And since everything is backed-up... but yeah, it would be a  
 bad idea and increase my workload. I can just throw more storage at the 
 burgeoning Spam problem (and I do auto-delete after 7 days, so it's not 
 nearly as bad as it once was.)

7 days is imho not enough. IF users forget to look at it, I'd give them at
least a month...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


Re: spamd dying

2009-08-13 Thread Mark Martinec
On Thursday 13 August 2009 14:13:33 LuKreme wrote:
 I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
 -r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
 later it is dying without an error.

 [Never mind, spamassassin --lint was dying with a core dump. I removed
 the spear-fishing rules and all is back right with the world]

If the spear-fishing rules are extensive, you may have hit the stack size
limit during rules compilation. You may want to try the new 3.3.0-alpha2
and see if the problem goes away using the same set of extra rules. The 3.3.0 should
be (upwards and downward) compatible with an existing 3.2.5 environment.

  Mark


Re: whitelist_from_dkim not whitelisting ? [SOLVED]

2009-08-13 Thread Per Jessen
Per Jessen wrote:

 http://jessen.ch/files/belo-news-dkim-testmsg.output3
 Notice:
 
 # grep cond_clause.*DKIM /tmp/belo-news-dkim-testmsg.output3
 dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
 dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
 dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
 dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
 dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
 dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
 dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
 dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
 dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
 dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
 dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=
 dbg: cond_clause_plugin_loaded: Mail::Spamassassin::Plugin::DKIM=

I guess I had to find this myself - SpamAssassin vs. Spamassassin. Duh.


/Per Jessen, Zürich
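
Per's finding above, reproduced in a small Python model of how the `ifplugin`/`endif` blocks are parsed: the plugin name is compared exactly (case-sensitively) against the loaded plugin's name, so `Mail::Spamassassin::Plugin::DKIM` counts as "not loaded" and the `whitelist_from_dkim` line inside the block is silently dropped. This is an added example, not SpamAssassin's code; it also adds the near-miss check that `--lint` does not perform. The config snippets and the `*@example.com` address are constructed for it.

```python
"""Model of how SpamAssassin's config parser handles `ifplugin` blocks.

Added example, not SpamAssassin's code.  The real parser
(Conf::Parser::cond_clause_plugin_loaded) looks the name up with an exact,
case-sensitive compare, so `Mail::Spamassassin::Plugin::DKIM` (lowercase a)
is treated as "not loaded" and every line up to the matching `endif` is
dropped, with no complaint from --lint.  The config snippets and the
`*@example.com` address below are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed: the DKIM plugin is registered under exactly this name.
LOADED_PLUGINS: Set[str] = {"Mail::SpamAssassin::Plugin::DKIM"}

# The typo from the thread: 'Spamassassin' instead of 'SpamAssassin'.
BROKEN_CF = """\
ifplugin Mail::Spamassassin::Plugin::DKIM
whitelist_from_dkim *@example.com
endif
"""

FIXED_CF = """\
ifplugin Mail::SpamAssassin::Plugin::DKIM
whitelist_from_dkim *@example.com
endif
"""

_IFPLUGIN = re.compile(r"^ifplugin\s+(\S+)$")
_ENDIF = re.compile(r"^endif$")


def cond_clause_plugin_loaded(name: str, loaded: Set[str]) -> bool:
    """Exact string match, mirroring the 1-or-nothing seen in Per's debug log."""
    return name in loaded


def parse_config(text: str, loaded: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (active_lines, skipped_lines) for a config with ifplugin blocks.

    Blocks nest (the DKIMrep install notes in this thread use two levels);
    a line is active only if every enclosing ifplugin is satisfied.
    """
    active: List[str] = []
    skipped: List[str] = []
    stack: List[bool] = []  # one flag per open ifplugin block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _IFPLUGIN.match(line)
        if m:
            stack.append(cond_clause_plugin_loaded(m.group(1), loaded))
            continue
        if _ENDIF.match(line):
            if not stack:
                raise ValueError("endif without matching ifplugin")
            stack.pop()
            continue
        (active if all(stack) else skipped).append(line)
    if stack:
        raise ValueError("ifplugin block left open")
    return active, skipped


def lint_ifplugin_names(text: str, loaded: Set[str]) -> Dict[str, str]:
    """Flag ifplugin names that are not loaded but match a loaded plugin
    case-insensitively: the check that would have caught the typo."""
    by_lower = {p.lower(): p for p in loaded}
    hints: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _IFPLUGIN.match(raw.strip())
        if m and not cond_clause_plugin_loaded(m.group(1), loaded):
            near = by_lower.get(m.group(1).lower())
            if near is not None:
                hints[m.group(1)] = near
    return hints


if __name__ == "__main__":
    for label, cf in (("broken", BROKEN_CF), ("fixed", FIXED_CF)):
        active, skipped = parse_config(cf, LOADED_PLUGINS)
        print(f"{label}: active={active} skipped={skipped}")
        for typo, real in lint_ifplugin_names(cf, LOADED_PLUGINS).items():
            print(f"  warning: ifplugin {typo} is not loaded; did you mean {real}?")
```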



Re: [sa] Re: Slightly OT - Spam opportunities in SMTP-AUTH

2009-08-13 Thread Charles Gregory

On Wed, 12 Aug 2009, LuKreme wrote:

Is it a custom webmail interface you wrote yourself?


The front end is custom, wrapping a standard client.
Any spammer who personally visited my site would be able to hack
it in seconds (with a stolen password, of course). But any existing
canned scripts would (hopefully) trip over the customizations... :)

- Charles


Re: [sa] Re: Slightly OT - Spam opportunities in SMTP-AUTH

2009-08-13 Thread Charles Gregory

On Thu, 13 Aug 2009, Benny Pedersen wrote:

You believe that email sent from webmail is harder to spam scan than
submitted email from remote?


No, my statement was that I believe spammers, like the rest of us, follow 
the 20/80 rule, and hack the 80 percent of vulnerabilities that require 
only 20 percent effort, and don't bother trying to customize their 
software to fit every last system. The argument is basically a variation 
on the old 'security through obscurity' with all its pros and cons.


- C


Re: whitelist_from_dkim not whitelisting ?

2009-08-13 Thread Benny Pedersen
On Thu, 13 Aug 2009 12:01:09 +0200, Per Jessen p...@computer.org wrote:

 http://jessen.ch/files/sa-lint-debug.txt

Old Mail::DKIM (0.32) (0.36 latest).

And a warning on netset.

Mail::DomainKeys is not needed; check that you don't load it in pre files.

-- 
Benny Pedersen


Re: MIME::lite

2009-08-13 Thread Chris Owen

On Aug 13, 2009, at 12:40 AM, rich...@buzzhost.co.uk wrote:


I noticed this morning that Hampshire County Council use it, and I
expect it is part of a 'solution' that many County Councils and
Government Bodies use in the UK:

X-Mailer: MIME::Lite 3.021 (F2.74; T1.21; A1.77; B3.07; Q3.07)
Date: Thu, 30 Jul 2009 14:12:19 +0100
From: ...@hants.gov.uk

So beware if you are blocking on Mailer Type MIME::lite !


We use MIME::Lite for all sorts of web apps.

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-






Is RCVD_NUMERIC_HELO meant to match helo=2xx.2.2xx.62.fix.example.com ?

2009-08-13 Thread Per Jessen
I was just wondering - 

RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com - but
is that intentional?  It's not exactly a numeric helo?


/Per Jessen, Zürich



Re: Is RCVD_NUMERIC_HELO meant to match helo=2xx.2.2xx.62.fix.example.com ?

2009-08-13 Thread Per Jessen
Per Jessen wrote:

 I was just wondering -
 
 RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com -
 but is that intentional?  It's not exactly a numeric helo?

That should have read helo=2xx.2.2xx.62.fix.example.com. 


/Per Jessen, Zürich



Re: Is RCVD_NUMERIC_HELO meant to match helo=2xx.2.2xx.62.fix.example.com ?

2009-08-13 Thread Mark Martinec
Per Jessen,
 Per Jessen wrote:
  I was just wondering -
 
  RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com -
  but is that intentional?  It's not exactly a numeric helo?

 That should have read helo=2xx.2.2xx.62.fix.example.com.

Bug 5878
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5878

Try the following patch:

Index: lib/Mail/SpamAssassin/Plugin/RelayEval.pm
===
--- lib/Mail/SpamAssassin/Plugin/RelayEval.pm   (revision 803926)
+++ lib/Mail/SpamAssassin/Plugin/RelayEval.pm   (working copy)
@@ -87,7 +87,9 @@
   if ($rcvd) {
 my $IP_ADDRESS = IPV4_ADDRESS;
 my $IP_PRIVATE = IP_PRIVATE;
-if ($rcvd =~ /helo=($IP_ADDRESS)\b/i  $1 !~ /$IP_PRIVATE/) {
+local $1;
+if ($rcvd =~ /\bhelo=($IP_ADDRESS)(?=[\000-\040,;\[()]|\z)/i  # Bug 5878
+ $1 !~ /$IP_PRIVATE/) {
   return 1;
 }
   }
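Review bot: the `&&` joining the `helo=` match to the `$1 !~ /$IP_PRIVATE/` test is missing from both the removed line and the new line in this listing (the double space before `$1` in the old line and before `# Bug 5878` in the new one is where it stood), almost certainly eaten by the archive's HTML rendering, so anyone applying the hunk by hand should take it from the bug tracker copy rather than from this message. The behavioural change itself is right: the old trailing `\b` is satisfied by the `.` that follows the fourth numeric label in a name like Per's masked `2xx.2.2xx.62.fix.example.com`, so any hostname that merely begins with four numeric labels counted as a numeric HELO, whereas the lookahead `(?=[\000-\040,;\[()]|\z)` accepts the address only when it is followed by whitespace, a delimiter character, or end of string. The added leading `\b` before `helo=` is a sensible companion tightening, and the hunk header (`7,9`: one line removed, three added) is consistent with the change.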


Mark


Re: Is RCVD_NUMERIC_HELO meant to match helo=2xx.2.2xx.62.fix.example.com ?

2009-08-13 Thread Per Jessen
Mark Martinec wrote:

 Per Jessen,
 Per Jessen wrote:
  I was just wondering -
 
  RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com -
  but is that intentional?  It's not exactly a numeric helo?

 That should have read helo=2xx.2.2xx.62.fix.example.com.
 
 Bug 5878
 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5878
 
 Try the following patch:

Thanks Mark.


/Per Jessen, Zürich



DKIM-Reputation list

2009-08-13 Thread Giampaolo Tomassoni
Hi,

I was looking at some kind of open-source DKIM-signing piece of code, and
fell onto this site:

http://www.dkim-reputation.org/

It has nothing to do with what I'm looking for; nevertheless it seemed
interesting to me and I wanted to give it a try.

Unfortunately, the software they propose would replace the actual
Mail::SpamAssassin::Plugin::DKIM file with their own, which seems to extend
the former. I haven't yet decided on it.

Wouldn't it be interesting to merge their version of the DKIM plugin into
the SA main branch? Besides, I see they are publishing their code under the
very same Apache license SA adopts.

Also, I see they sent SA some patch to the DKIM plugin in 2007 or the
like. Why didn't their code get into the main branch?

Thanks,

Giampaolo



Re: DKIM-Reputation list

2009-08-13 Thread Mark Martinec
Giampaolo,

 I was looking at some kind of open-source DKIM-signing piece of code, and
 fell onto this site:
   http://www.dkim-reputation.org/

 It has nothing to do with what I'm looking for; nevertheless it seemed
 interesting to me and I wanted to give it a try.

 Unfortunately, the software they propose would replace the actual
 Mail::SpamAssassin::Plugin::DKIM file with their own, which seems to extend
 the former. I haven't yet decided on it.

 Wouldn't it be interesting to merge their version of the DKIM plugin into
 the SA main branch? Besides, I see they are publishing their code under the
 very same Apache license SA adopts.

 Also, I see they sent SA some patch to the DKIM plugin in 2007 or the
 like. Why didn't their code get into the main branch?

Back in April (2009) I sent to Florian Sager my version of
the plugin, based on his work. Unlike the original suggestion
(of modifying the DKIM plugin), my suggestion was to leave
the DKIM.pm as it is, and add a separate plugin DKIMrep.pm
to deal with reputations.

Don't know how/if the project has progressed meanwhile.
If anyone is interested, I can send him the DKIMrep.pm.

  Mark


Re: DKIM-Reputation list

2009-08-13 Thread Benny Pedersen
On Thu, 13 Aug 2009 18:04:04 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:
 Don't know how/if the project has progressed meanwhile.
 If anyone is interested, I can send him the DKIMrep.pm.

I'd like to try it

-- 
Benny Pedersen


Re: DKIM-Reputation list

2009-08-13 Thread Mark Martinec
  Don't know how/if the project has progressed meanwhile.
  If anyone is interested, I can send him the DKIMrep.pm.

 I'd like to try it

Sent off-list.

  Mark


Postgresql operator does not exist: character = bytea at character 148

2009-08-13 Thread Tobias Lott
Good Day

I'm having problems with Spamassassin Bayes using Postgresql as Backend.

SA perfectly learns Ham & Spam as you can see:
bayesstore=# select count(*) from bayes_seen;
 count 
---
  2669

Debugging output seems fine too:
spamassassin -D < ~/some_allready_learned.eml returns:
[91874] dbg: bayes: using username: amavis
[91874] dbg: bayes: database connection established
[91874] dbg: bayes: found bayes db version 3
[91874] dbg: bayes: Using userid: 6

Loaded the bayes_store_module in local.cf:
bayes_store_module  Mail::SpamAssassin::BayesStore::PgSQL

I first thought that it maybe is an Encoding Problem so I tried
SQL_ASCII, LATIN1, UTF8 but got the same results.

So I'm kinda out of ideas now; only gotta say that I haven't used
Postgresql for years, was only using Mysql but now I switched again, so
I bet I've been overlooking Stuff.

To create the schema I've used
http://svn.apache.org/viewvc/spamassassin/trunk/sql/bayes_pg.sql?revision=579680&pathrev=579680

These are the error messages I get flooded with:
http://pastebin.com/m1c8d0321
http://pastebin.com/f528752f9


Cheers
-- 
Tobias Lott


RE: DKIM-Reputation list

2009-08-13 Thread Giampaolo Tomassoni
 -Original Message-
 From: Mark Martinec [mailto:mark.martinec...@ijs.si]
 Sent: Thursday, August 13, 2009 6:04 PM
 To: users@spamassassin.apache.org
 Subject: Re: DKIM-Reputation list
 
 Giampaolo,
 
 
  ...omissis...
 
 
 Back in April (2009) I sent to Florian Sager my version of
 the plugin, based on his work. Unlike the original suggestion
 (of modifying the DKIM plugin), my suggestion was to leave
 the DKIM.pm as it is, and add a separate plugin DKIMrep.pm
 to deal with reputations.

It sounds better to me too.


 Don't know how/if the project has progressed meanwhile.
 If anyone is interested, I can send him the DKIMrep.pm.
 
   Mark

Hi Mark.

Nice to see I'm not the only one tickled by the DKIM-reputation idea...

I see you sent the DKIMrep.pm offlist. Greylisting permitting, I'll give it a
try and, of course, let you know.

Thank you very much,

Giampaolo

PS: I'm running SA 3.2.4. Is it ok with your DKIMrep or is it demanding for
the latest, bleeding-edge SA version?



New image spams

2009-08-13 Thread Chris Owen


I'm sure I'm not the first to see them but I hadn't seen a post here.   
The pharma image spams are back after a long break:


http://pastebin.com/mb1876f6

Like the others they are fairly easily blocked but just thought I'd  
pass on what I'd seen.


Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-





Re: DKIM-Reputation list

2009-08-13 Thread Tobias Lott


On Thu, 13 Aug 2009 18:13:31 +0200
Mark Martinec mark.martinec...@ijs.si wrote:

   Don't know how/if the project has progressed meanwhile.
   If anyone is interested, I can send him the DKIMrep.pm.
 
  I'd like to try it
 
 Sent off-list.
 
   Mark
I'm interested too, thanks in advance

-- 
Tobias Lott


Re: Ahh! What's all this SPAM?!?!?

2009-08-13 Thread LuKreme

On 13-Aug-2009, at 06:15, Matus UHLAR - fantomas wrote:
7 days is imho not enough. IF users forget to look at it, I'd give
them at least a month...


7 days seems to work pretty well. If users are desperate and willing  
to contact an admin, the entire mailspool is duplicated and stored for  
at least 10 weeks, but recovering mail from that backup spool is  
rather more difficult and takes intervention.


--
You try to shape the world to what you want the world to be.
Carving your name a thousand times won't bring you back to me.
Oh no, no I might as well go and tell it to the trees. Go and
tell it to the trees, yeah.



Re: spamd dying

2009-08-13 Thread LuKreme

On 13-Aug-2009, at 06:43, Mark Martinec wrote:

On Thursday 13 August 2009 14:13:33 LuKreme wrote:

I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
-r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
later it is dying without an error.

[Never mind, spamassassin --lint was dying with a core dump. I  
removed

the spear-fishing rules and all is back right with the world]


If the spear-fishing rules are extensive, you may have hit the stack size
limit during rules compilation. You may want to try the new 3.3.0-alpha2
and see if the problem goes away using the same set of extra rules. The
3.3.0 should be (upwards and downward) compatible with an existing 3.2.5
environment.


I'm considering 3.3, and am currently trying to overcome my aversion  
to things labeled 'alpha'. Since I can't read the core dump, I have no  
idea what it is about the rules that causes the crash--and nothing is  
logged.



--
Boy, it sure would be nice if we had some grenades,
don'tcha think?



SPF warning?

2009-08-13 Thread ɹןʇnqן

Have noticed these errors in the log today:

warn: spf: lookup failed: Can't locate object method new_from_string
via package Mail::SPF::Mech::IP4 at
/usr/local/lib/perl5/site_perl/5.10.0/Mail/SPF/Record.pm line 225.


Googled for: Can't locate object method new_from_string via package
Mail::SPF::Mech::IP4 and got a googlewhack:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491345



Anything I can do about it?

--
I don't want to sell anything, buy anything, or process anything as
a career. I don't want to sell anything bought or processed, or
buy anything sold or processed, or process anything sold,
bought, or processed, or repair anything sold, bought, or
processed. You know, as a career, I don't want to do that.



Re: spamd dying

2009-08-13 Thread Mark Martinec
LuKreme,

 I'm considering 3.3, and am currently trying to overcome my aversion
 to things labeled 'alpha'.

Understood. It is mainly labeled as alpha because some new things are
not finished (like the new bayesbdb backend to Bayes), and it would
be nice to close some stale problem reports (almost all of them
applicable to 3.2.5 too). Also the release notes still need to be
written, and some packaging details polished.

Old and proven (3.2.5-compatible) stuff should work just fine.
The code is used in production at several sites. If you get
in trouble, you can always get 3.2.5 back in place (no databases
or similar have changed in a way that would prohibit a rollback).

 Since I can't read the core dump, I have no idea what it is about
 the rules that causes the crash--and nothing is logged.

I was referring to:

  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6060

(which I came across due to using many rules), although your problem
may well be different. Still worth a try with 3.3.0.

  Mark


Re: Elusive spam

2009-08-13 Thread Ted Mittelstaedt

LuKreme wrote:

On 12-Aug-2009, at 21:09, Ted Mittelstaedt wrote:

Furthermore, since you may want to munge more than 2 pieces
of dissimilar data in a spam, you're going to rapidly run out
of example.*.  Further, example.com is only good for alpha
data munging and is useless for numeric data munging, i.e.:
IP addresses.



You ignored example.org





example.*  matches to example.org as well as example.net,
example.com, etc.

Ted


Re: DKIM-Reputation list

2009-08-13 Thread Mark Martinec
Tobias, Giampaolo, Bill, and others

 I'm interested too, thanks in advance

I've placed it on the web page:
  http://www.ijs.si/software/amavisd/DKIMrep.pm
  http://www.ijs.si/software/amavisd/effectiveTLDs.pm

(the effectiveTLDs.pm is exactly the same as in the
Florian's package, the DKIMrep.pm is mostly Florian's
code, but extracted from his original all-in-one plugin,
with my adaptation of the interfacing glue).

- Place DKIMrep.pm and effectiveTLDs.pm somewhere where
  perl+SpamAssassin will be able to find them (perhaps
  where other SA plugins reside), e.g. in
/usr/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/Plugin/

- add the following to your local.pre or wherever you load
  your extra plugins from:
loadplugin Mail::SpamAssassin::Plugin::DKIMrep

- add the following to local.cf:

ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIMrep
full     DKIM_REPUT eval:check_dkim_reputation()
tflags   DKIM_REPUT net
score    DKIM_REPUT 0.1
describe DKIM_REPUT Signing domain reputation according to dkim-reputation.org
priority DKIM_REPUT 200
dkimrep_maxspamscore  0.5
dkimrep_maxhamscore  -0.5
endif
endif


Its debug log area is 'dkimrep', so you can turn its logging on by
selecting this SA log area in your spamd or spamassassin or amavisd,
e.g.:
  spamd --debug=noall,dkimrep [...]
  amavisd -d noall,dkimrep      (SA logging will show at log level 3)

I tested it with 3.3.0 and 3.2.5. Note that the DKIMrep plugin
only has effect on messages with valid DKIM signatures, as
verified by the existing DKIM plugin.

  Mark


RE: DKIM-Reputation list

2009-08-13 Thread Giampaolo Tomassoni
 Tobias, Giampaolo, Bill, and others
 
  I'm interested too, thanks in advance
 
 I've place it on the web page:
   http://www.ijs.si/software/amavisd/DKIMrep.pm
   http://www.ijs.si/software/amavisd/effectiveTLDs.pm

Aaaah! Surfing time!


 
 ...omissis... (albeit interesting)
 
 
 I tested it with 3.3.0 and 3.2.5. Not that the DKIMrep plugin
 only has effect on messages with valid DKIM signatures, as
 verified by the existing DKIM plugin.

Hope 3.2.4 is fine enough, then...

I'll test it and let you know.

Thanks,

Giampaolo


 
   Mark



Re: [sa] Re: Slightly OT - Spam opprortunities in SMTP-AUTH

2009-08-13 Thread Ted Mittelstaedt

Charles Gregory wrote:

On Thu, 13 Aug 2009, Benny Pedersen wrote:

you believe that email sent from webmail is harder to spam scan than
submitted email from remote?


No, my statement was that I believe spammers, like the rest of us, 
follow the 20/80 rule, and hack the 80 percent of vulnerabilities that 
require only 20 percent effort, and don't bother trying to customize 
their software to fit every last system.


Agreed.

The argument is basically a 
variation on the old 'security through obscurity' with all its pros and 
cons


- C


I disagree here that a cost/benefit decision is a variation
of security through obscurity.  While in some cases it can
be, most of the time security through obscurity is just ignorant
people too lazy to spend the time learning how to do it right.

Spammers by their nature operate off cost/benefit, that is
where they are most vulnerable to attack.

It's important to keep in mind that spammers are not crackers.
They are criminals that use cracking techniques - but they
just don't do stuff that has no monetary profit in it.

Crackers by contrast are motivated by things other than money -
fame, publicity, ego, whatever.  A cracker is thus far, far more
dangerous a criminal because they are completely unpredictable.
Spammers by contrast, like most criminals, are very predictable.

IMHO, because of this, the custom-written webmail interface is going to 
be pretty secure against spammers, even though it may be full of 
programming errors that make it trivial for a real cracker to exploit.


At least, that's been my own experience.  YMMV.


Ted


Re: DKIM-Reputation list

2009-08-13 Thread Benny Pedersen
On Thu, 13 Aug 2009 20:06:01 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:

 I've place it on the web page:
   http://www.ijs.si/software/amavisd/DKIMrep.pm
   http://www.ijs.si/software/amavisd/effectiveTLDs.pm

this file seems buggy, not all lines begin with a ' and others don't end
with } but }}

hope it's just me that can't read perl :)

-- 
Benny Pedersen


Re: DKIM-Reputation list

2009-08-13 Thread Mark Martinec
Benny,

http://www.ijs.si/software/amavisd/effectiveTLDs.pm

 this file seems buggy, not all lines begin with a ' and others don't end
 with } but }}

 hope it's just me that can't read perl :)

???

Does perl complain?
  $ perl effectiveTLDs.pm

Mark


giftcardsurveys.us.com

2009-08-13 Thread Johnson, S
I've done really good with blocking spam up until this one...

It looks like a "legitimate" e-mailer from both the system perspective
and the system perspective.

When I look at my logs, the servers are reporting their domains
correctly so their mailserver looks ok when attacking to my server.
Each email seems to be coming from numerous different servers so I can't
block on server address...

They say don't do "spamming" but the area in the email that contains the
link to remove yourself/unsubscribe is an image so you can't click on
it, instead you have to type it in by hand.  I normally don't proceed
down that path but I decided to try it anyway.  When I put in the email
address of the user that was being sent these survey offers for gift
cards I got a message stating please allow 10 days for removal which
makes me think they are not legit.

The question is... Since everything is configured on their servers ok
and the messages don't contain words I can really create a rule on..
It's not just home depot, it's KFC, Macy's and numerous other retailers.
Anyone have any ideas on how to block these?  The poor user is getting
about 10 / day.

Thanks,

  Scott

From: Home Improvement Survey Center
[mailto:dgrib...@stockfundetfscreener.com] 
Sent: Thursday, August 13, 2009 9:17 AM
To: Lastname, FirstName
Subject: Home Depot Customer Survey for usersaddr...@domain.com

 

http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5
Thanks for responding !

Re: Home Depot gift card for u...@domain.com
mailto:home%20depot%20gift%20card%20for%20u...@domain.com 




This week you've been chosen to participate in our short Home Depot
Retail Survey
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5
for $50 to spend at any Home Depot store. (Participation required. See
below for details.)

We just need a few minutes of your time.
Simply 1) choose which Home Depot department is your favorite
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5 ; and
2) verify your email address
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5 ; then 3) follow our simple website
instructions
http://stockfundetfscreener.com/k/1585442/4pzuutrmz:fzomvvuvqTCKbpuwvyx1zUCKhvpstUCKZw3wSCKdsqsuzz5 .

Your participation is greatly appreciated!

Sincerely,
GiftCardSurveys


Attachments: image001.gif image006.jpg image007.gif image008.gif image009.gif

Re: DKIM-Reputation list

2009-08-13 Thread Benny Pedersen
On Thu, 13 Aug 2009 21:36:28 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:

 Does perl complain?
   $ perl effectiveTLDs.pm

no errors

so 

'bar' => {},
foo' => {},
'bar' => {},

is valid for perl ?

example in line around 2106

but perl accept it, imho this does not mean that there is no errors

-- 
Benny Pedersen


Re: DKIM-Reputation list

2009-08-13 Thread Bowie Bailey

Benny Pedersen wrote:

On Thu, 13 Aug 2009 21:36:28 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:

  

Does perl complain?
  $ perl effectiveTLDs.pm



no errors

so 


'bar' => {},
foo' => {},
'bar' => {},

is valid for perl ?

example in line around 2106

but perl accept it, imho this does not mean that there is no errors
  


I don't see anything like that.  As far as I can tell all of the lines 
after the start of that section start with a single quote character.  I 
searched for lines that did not and found nothing.


The duplicated braces on some lines that you asked about previously are 
grouping those lines together.  Some extra line breaks and indentation 
would make it more clear.


'bar' => { 'foo' => {},
'bat' => {}},

is equivalent to:

'bar' => {
   'foo' => {},
   'bat' => {}
},

--
Bowie
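The nested hash Bowie lays out is a trie of DNS labels, read right to left, which is what a table like effectiveTLDs.pm exists for: walk a hostname's labels through it to find the public suffix and the registrable domain one label above it. The following is an added Python illustration, not code from effectiveTLDs.pm or DKIMrep.pm. The rules in it are a constructed excerpt in public-suffix-list syntax (the real table is far larger), and the assumption that DKIMrep reduces a signing domain to its registrable domain with such a table is mine, not stated anywhere in the thread.

```python
"""Added illustration: the nested hash in effectiveTLDs.pm, read as a trie.

Not the code of effectiveTLDs.pm or DKIMrep.pm.  The rules below are a
constructed excerpt in public-suffix-list syntax.  The Perl fragment
    'uk' => { 'co' => {}, 'ac' => {} },
becomes the Python dict
    {"uk": {"co": {}, "ac": {}}}
"""

# Constructed excerpt: plain suffixes, one wildcard rule and one exception.
SAMPLE_RULES = [
    "// comment lines are ignored",
    "com",
    "co.uk",
    "ac.uk",
    "*.ck",      # every label directly under .ck is itself a public suffix
    "!www.ck",   # ...except www.ck, which is a registrable domain
]


def build_trie(rules):
    """Turn suffix rules into a nested dict keyed by label, rightmost first.

    A wildcard label is stored as "*"; an exception rule marks its last
    label as "!label".  This is the '{ ... }}' nesting discussed above.
    """
    trie = {}
    for rule in rules:
        rule = rule.strip().lower()
        if not rule or rule.startswith("//"):
            continue
        exception = rule.startswith("!")
        labels = rule.lstrip("!").split(".")
        node = trie
        for depth, label in enumerate(reversed(labels)):
            if exception and depth == len(labels) - 1:
                label = "!" + label
            node = node.setdefault(label, {})
    return trie


def registrable_domain(hostname, trie):
    """Return the registrable (organizational) domain of hostname, or None
    when the name is itself a public suffix.

    Labels are consumed right to left; the count consumed is the public
    suffix length and one more label gives the registrable domain.  An
    unknown TLD follows the public-suffix-list default rule "*" (the TLD
    alone is the suffix).
    """
    labels = hostname.lower().rstrip(".").split(".")
    node = trie
    suffix_len = 0
    for depth, label in enumerate(reversed(labels)):
        if "!" + label in node:      # exception: suffix ends before this label
            suffix_len = depth
            break
        if label in node:
            node = node[label]
        elif "*" in node:
            node = node["*"]
        else:
            break
        suffix_len = depth + 1
    if suffix_len == 0:
        suffix_len = 1               # default rule for an unknown TLD
    if suffix_len >= len(labels):
        return None
    return ".".join(labels[-(suffix_len + 1):])


if __name__ == "__main__":
    trie = build_trie(SAMPLE_RULES)
    print(trie)
    for host in ("mail.example.co.uk", "deep.sub.example.com",
                 "www.ck", "a.b.ck", "co.uk", "host.example"):
        print(f"{host:24} -> {registrable_domain(host, trie)}")
```

A signing domain of `mail.example.co.uk` and one of `example.co.uk` both reduce to `example.co.uk` here, so reputation accumulated under either lands on the same key; without the suffix table, a naive "last two labels" rule would give the meaningless `co.uk`.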


Re: giftcardsurveys.us.com

2009-08-13 Thread Kris Deugau

Johnson, S wrote:
It looks like a “legitimate” e-mailer from both the system perspective 
and the system perspective.


Er..?  Think you meant something other than system perspective 
somewhere there.  <g>


When I look at my logs, the servers are reporting their domains 
correctly so their mailserver looks ok when attacking to my server.  
Each email seems to be coming from numerous different servers so I can’t 
block on server address…


Not one at a time, no, but collect enough and you'll start seeing hits 
in the same netblocks over and over.  The DNS entries may be coherent 
and correctly matched to themselves...  but they usually point to a 
domain that looks spammy.  URI rules should tag quite a few of this 
class of spam - often the From:, envelope-from, and URLs in the message 
are very similar but don't actually match.


They say don’t do “spamming” but the area in the email that contains the 
link to remove yourself/unsubscribe is an image so you can’t click on 
it, instead you have to type it in by hand.


Hmm. Most of the ones I've seen have a clickable image.

 I normally don’t proceed 
down that path but I decided to try it anyway.  When I put in the email 
address of the user that was being sent these survey offers for gift 
cards I got a message stating please allow 10 days for removal which 
makes me think they are not legit.


Mmm.  IMO anything taking more than a few hours is bad practice at the 
very *best*, but this was brought up in another thread recently and 
there *were* legitimate reasons brought up why it might well take a few 
days to process an electronic unsubscribe.  :/


The question is… Since everything is configured on their servers ok and 
the messages don’t contain words I can really create a rule on..  It’s 
not just home depot, it’s KFC, Macy’s and numerous other retailers.  
Anyone have any ideas on how to block these?  The poor user is getting 
about 10 / day.


Recently I've been collecting relay IPs and dropping them in a local 
blacklist (scored in SA, not at the MTA level).


Over time, as I get more spam reports, more than n IPs in a /m-sized 
block gets another bit flipped for *all* IPs in that block (I have 
specific rules for that threshold that depend on the size of the block), 
and an additional score in SA.  Some blocks' WHOIS data matches closely 
enough with the physical address in the image that I've set yet another 
bit on all blocks associated with that owner, for more score in SA.


If you look at the clickable URLs in the message, you'll see they point 
somewhere that usually looks pretty spammy just based on the domain 
name;  I've been collecting those, too.


When compared with another SA install that I don't have these local URI 
and relay-IP blacklisting rules on (my own personal server), it's 
keeping the overall SA effectiveness somewhere over 90% for most customers.


If you can post a more complete example on Pastebin we can all try 
passing it through our own SA setups;  inline messages can only show us 
so much.


-kgd
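Kris's netblock thresholds in code, as an added illustration that is not his rules or any SA plugin: reported relay IPs are counted per block size, a block that exceeds its threshold is flagged for every address inside it, and a relay then collects one score bit for an exact prior listing plus one for each flagged block it sits in. The thresholds, the scores and the TEST-NET addresses are constructed.

```python
"""Added illustration of aggregating reported relay IPs into netblocks.

Not Kris Deugau's code.  Thresholds, scores and the reported addresses
(TEST-NET ranges) are constructed to show the aggregation mechanics.
"""
import ipaddress
from collections import Counter

# Hypothetical thresholds: a block with this prefix length is flagged once
# at least this many *distinct* reported relay IPs fall inside it.
BLOCK_THRESHOLDS = {24: 3, 20: 8, 16: 20}

# Hypothetical score bits a site might add in SA for each flag that fires.
SCORE_LISTED_IP = 1.0      # the exact relay IP was reported before
SCORE_PER_BLOCK = 1.5      # the relay sits in a block over its threshold

# Constructed sample of relay IPs harvested from spam reports.
REPORTED_IPS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.57", "192.0.2.200",
    "198.51.100.4", "198.51.100.4", "198.51.100.9",
    "203.0.113.1",
]


def flagged_blocks(reported_ips, thresholds=BLOCK_THRESHOLDS):
    """Return {prefix_len: sorted networks} for blocks meeting their threshold.

    Repeat reports of one IP count once, so a single noisy relay cannot
    push its whole block over the line by itself.
    """
    distinct = {ipaddress.ip_address(ip) for ip in reported_ips}
    flagged = {}
    for plen, needed in thresholds.items():
        counts = Counter(
            ipaddress.ip_network(f"{ip}/{plen}", strict=False) for ip in distinct
        )
        hits = sorted(net for net, n in counts.items() if n >= needed)
        if hits:
            flagged[plen] = hits
    return flagged


def local_relay_score(relay_ip, reported_ips, thresholds=BLOCK_THRESHOLDS):
    """Score a relay the way the local SA rules would: one bit for an exact
    listing, one more for every block size whose threshold it trips."""
    addr = ipaddress.ip_address(relay_ip)
    score = 0.0
    if addr in {ipaddress.ip_address(ip) for ip in reported_ips}:
        score += SCORE_LISTED_IP
    for nets in flagged_blocks(reported_ips, thresholds).values():
        if any(addr in net for net in nets):
            score += SCORE_PER_BLOCK
    return score


if __name__ == "__main__":
    for plen, nets in flagged_blocks(REPORTED_IPS).items():
        print(f"/{plen} blocks over threshold:", ", ".join(map(str, nets)))
    for probe in ("192.0.2.10", "192.0.2.99", "198.51.100.4", "203.0.113.5"):
        print(probe, "->", local_relay_score(probe, REPORTED_IPS))
```

With the sample data only 192.0.2.0/24 trips its threshold (four distinct reports), so an address never seen before, 192.0.2.99, still picks up the block score while a previously listed IP in an otherwise quiet /24 gets only the exact-listing bit. The same walk would feed whois-owner grouping, which Kris mentions, if an owner-to-blocks map were added on top.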


Re: giftcardsurveys.us.com

2009-08-13 Thread Kris Deugau

Johnson, S wrote:
The question is… Since everything is configured on their servers ok and 
the messages don’t contain words I can really create a rule on..


This is one of the few cases where I might well create a local rule for 
something short:


body BAD_SURVEYS /\bGiftCardSurveys\b/

I've yet to see anything like this in any legitimate email (Complete a 
survey and Win A Gift Card!), but I've seen plenty of Complete a 
survey and win a something! in spam.


-kgd


Re: New image spams

2009-08-13 Thread RW
On Thu, 13 Aug 2009 11:38:19 -0500
Chris Owen ow...@hubris.net wrote:

 
 I'm sure I'm not the first to see them but I hadn't seen a post
 here. The pharma image spams are back after a long break:
 
 http://pastebin.com/mb1876f6
 
 Like the others they are fairly easily blocked but just thought I'd  
 pass on what I'd seen.

Unlike the last batch, this scored nothing on FuzzyOCR.


whitelist_from_rcvd and short circuit

2009-08-13 Thread Chris
It appears as though I don't understand how this is supposed to work. I
have a file in /etc/mail/spamassassin called my-whitelist.cf. In it I
have entries such as:

whitelist_from_rcvd serv...@freenet.de freenet.de
whitelist_from_rcvd harley-requ...@the-hed.net the-hed.net

In my local.cf I have:

# slower, network-based whitelisting
meta SC_NET_HAM (USER_IN_DKIM_WHITELIST||USER_IN_DK_WHITELIST||USER_IN_SPF_WHITELIST||USER_IN_DEF_DK_WL||USER_IN_DEF_DKIM_WL||USER_IN_DEF_SPF_WL||USER_IN_WHITELIST||USER_IN_DEF_WHITELIST)
priority SC_NET_HAM -500
shortcircuit SC_NET_HAM ham
score SC_NET_HAM -20

A message from the first address above came in yesterday and was
promptly shortcircuited:

Return-Path: 
X-spam-checker-version: SpamAssassin 3.2.5 (2008-06-10) on
localhost.localdomain
X-spam-status: No, score=-100.0 required=5.0
tests=USER_IN_WHITELIST=-100 USER_IN_WHITELIST shortcircuit=ham
autolearn=disabled version=3.2.5

however, a message from the 2nd address doesn't hit the
USER_IN_WHITELIST for some reason:

Return-path: harley-requ...@the-hed.net
X-spam-checker-version: SpamAssassin 3.2.5 (2008-06-10) on
localhost.localdomain
X-spam-status: No, score=-4.9 required=5.0
tests=AWL=0.445,BAYES_00=-6.4,
DCC_CHECK_NEGATIVE=-0.0001,KHOP_NO_FULL_NAME=0.259,RDNS_NONE=0.1,
SPF_NEUTRAL=0.686,UNPARSEABLE_RELAY=0.001
AWL,BAYES_00,DCC_CHECK_NEGATIVE,
KHOP_NO_FULL_NAME,RDNS_NONE,SPF_NEUTRAL,UNPARSEABLE_RELAY
shortcircuit=no autolearn=disabled version=3.2.5

Complete headers of both posts are here:

http://pastebin.com/m1d1d5e07

60_shortcircuit.cf shows:

# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load
shortcircuit USER_IN_WHITELIST       on
shortcircuit USER_IN_DEF_WHITELIST   on
shortcircuit USER_IN_ALL_SPAM_TO     on
shortcircuit SUBJECT_IN_WHITELIST    on

As shown in the first msg above, shortcircuit is active.

So, what am I doing wrong here?

Thanks for any advice

Chris

-- 
KeyID 0xE372A7DA98E6705C





Re: giftcardsurveys.us.com

2009-08-13 Thread Brian Godette
Johnson, S wrote:
 I’ve done really good with blocking spam up until this one…
 
 It looks like a “legitimate” e-mailer from both the system perspective
 and the system perspective.
 
 When I look at my logs, the servers are reporting their domains
 correctly so their mailserver looks ok when attacking to my server. 
 Each email seems to be coming from numerous different servers so I can’t
 block on server address…
 
 They say don’t do “spamming” but the area in the email that contains the
 link to remove yourself/unsubscribe is an image so you can’t click on
 it, instead you have to type it in by hand.  I normally don’t proceed
 down that path but I decided to try it anyway.  When I put in the email
 address of the user that was being sent these survey offers for gift
 cards I got a message stating please allow 10 days for removal which
 makes me think they are not legit.
 
 The question is… Since everything is configured on their servers ok and
 the messages don’t contain words I can really create a rule on..  It’s
 not just home depot, it’s KFC, Macy’s and numerous other retailers. 
 Anyone have any ideas on how to block these?  The poor user is getting
 about 10 / day.
 
 Thanks,
 
   Scott

Welcome to snowshoe spam.

The only effective defense I've seen against this is to have a greylist
with more than an hour temp fail time so each new spam run has time to
hopefully show up in DCC and possibly RAZOR/Pyzor/Spamcop/URIBL.

The content really can't be matched against since the URIs are old
enough to not be in something like DOB, haven't been used before so
aren't in the URIBLs, and look like real rebate/coupon mail so
BAYES/phrase matching is useless unless you want to nuke or manually
whitelist the legit stuff. The websites are of course a CC scam/PI phish.

You can block the servers, a class C or whois allocation at a time, if
you're willing to deal with the occasional "why am I not getting mail
from ABC who's decided to host with sleazy hosting XYZ" if the space
ever gets reassigned.


Re: whitelist_from_rcvd and short circuit

2009-08-13 Thread Matt Kettler
Chris wrote:
 It appears as though I don't understand how this is supposed to work. I
 have a file in /etc/mail/spamassassin called my-whitelist.cf. In it I
 have entries such as:


<snip>
 whitelist_from_rcvd harley-requ...@the-hed.net the-hed.net

<snip>
 however, a message from the 2nd address doesn't hit the
 USER_IN_WHITELIST for some reason:

 Return-path: harley-requ...@the-hed.net
 X-spam-checker-version: SpamAssassin 3.2.5 (2008-06-10) on
 localhost.localdomain
 X-spam-status: No, score=-4.9 required=5.0
 tests=AWL=0.445,BAYES_00=-6.4,
 DCC_CHECK_NEGATIVE=-0.0001,KHOP_NO_FULL_NAME=0.259,RDNS_NONE=0.1,
 SPF_NEUTRAL=0.686,UNPARSEABLE_RELAY=0.001
 AWL,BAYES_00,DCC_CHECK_NEGATIVE,
 KHOP_NO_FULL_NAME,RDNS_NONE,SPF_NEUTRAL,UNPARSEABLE_RELAY
 shortcircuit=no autolearn=disabled version=3.2.5

 Complete headers of both posts are here:

 http://pastebin.com/m1d1d5e07

<snip>
 So, what am I doing wrong here?
Two problems with that message:

First, there's an unparsable Received: header, which appears to be the
one created by your fetchmail. That's breaking SA's trust path, and
preventing any hosts from being trusted, making whitelist_from_rcvd
impossible. I'm not sure what's throwing it off, but the (single-drop)
bit looks a bit odd to me. You need to get SA to understand the
Received: headers for any Received-based mechanisms to work. You'll also
need it to trust all the servers at your isp/esp/whatever relationship
you have with embarqmail.com and synacor.com.

Second, the message from harley-requ...@the-hed.net is not relayed to
your site from a server using the-hed.net as its reverse DNS. In fact,
the-hed.net is not used as the domain of *ANY* server in the received
headers of that message. The server they appear to be using is
kyoto.hostforweb.net, so hostforweb.net should be the second parameter
in your whitelist_from_rcvd, not the-hed.net.
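Matt's two points modelled in Python, as an added example that is not SpamAssassin's code: walk the Received: headers newest-first, skip hops inside your trusted networks, and compare the reverse DNS of the next hop with the second argument of whitelist_from_rcvd. A hop that cannot be parsed before that point ends the walk with no match, which is the "trust path broken" failure Matt describes. The headers, the IPs (TEST-NET ranges), the trusted network and the sender's local part are constructed; the relay and list hostnames come from the thread.

```python
"""Added illustration of how whitelist_from_rcvd depends on the Received path.

Not SpamAssassin's implementation; a small model of the behaviour Matt
Kettler describes.  Headers, IPs (TEST-NET) and the sender address are
constructed; only the hostnames are taken from the thread.
"""
import fnmatch
import ipaddress
import re

# Accepts only the common "from HELO (RDNS [IP]) by HOST" shape.  Anything
# else counts as unparseable, which is the failure mode Matt points at.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
)


def last_untrusted_relay(received_headers, trusted_networks):
    """Walk Received: headers newest-first; skip hops inside trusted_networks
    and return (rdns, ip) of the first hop outside them.  Return None if a
    header cannot be parsed before that point (the trust path is broken)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received_headers:
        m = RECEIVED_RE.search(header)
        if m is None:
            return None
        addr = ipaddress.ip_address(m["ip"])
        if any(addr in net for net in nets):
            continue
        return m["rdns"], m["ip"]
    return None


def whitelist_from_rcvd_hits(sender, received_headers, trusted_networks, entries):
    """entries: (address glob, rdns domain) pairs like whitelist_from_rcvd.
    Hits only when the sender matches AND the untrusted relay's reverse DNS
    is that domain or a host under it."""
    relay = last_untrusted_relay(received_headers, trusted_networks)
    if relay is None:
        return False
    rdns = relay[0].lower()
    for addr_glob, domain in entries:
        if not fnmatch.fnmatch(sender.lower(), addr_glob.lower()):
            continue
        domain = domain.lower()
        if rdns == domain or rdns.endswith("." + domain):
            return True
    return False


# Constructed headers: a list post that reaches our MX via a hosting relay.
TRUSTED = ["192.0.2.0/24"]            # our own MX lives here (constructed)
GOOD_PATH = [
    "Received: from mx.ourdomain.example (mx.ourdomain.example [192.0.2.5])"
    " by localhost.localdomain with ESMTP",
    "Received: from kyoto.hostforweb.net (kyoto.hostforweb.net [203.0.113.7])"
    " by mx.ourdomain.example with ESMTP",
]
# Same path with a fetchmail-style hop on top that the regex cannot parse.
BROKEN_PATH = ["Received: from localhost (single-drop) by localhost.localdomain"] + GOOD_PATH

SENDER = "list-request@the-hed.net"   # constructed local part


if __name__ == "__main__":
    print("relay:", last_untrusted_relay(GOOD_PATH, TRUSTED))
    for domain in ("the-hed.net", "hostforweb.net"):
        hit = whitelist_from_rcvd_hits(SENDER, GOOD_PATH, TRUSTED, [(SENDER, domain)])
        print(f"whitelist_from_rcvd {SENDER} {domain} -> {hit}")
    print("broken path:", last_untrusted_relay(BROKEN_PATH, TRUSTED))
```

Run against the good path, the entry with `the-hed.net` misses and the one with `hostforweb.net` hits, exactly Matt's second point; with the unparseable hop on top, neither entry can hit no matter which domain it names, which is his first.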