How do I stop spamassassin from checking email twice
Hi,

I have two mail servers, one with domain aaa.com, the second bbb.com. Both have spamassassin installed. Most distribution lists on aaa.com route emails to bbb.com, so email gets checked twice. Adding whitelist_to aaa.com in the bbb spamassassin configuration is not a solution because it overwrites the result of the first spamassassin check. How can I skip spam checking on bbb.com if the email originated from aaa.com?

Software:
debian 5.0
spamass-milter 0.3.1-2
spamassassin 3.2.3-0.volatile1
sendmail 8.13.8-3 (on bbb.com, can be replaced by postfix if solution requires it)
postfix 2.5.5-1.1 (on aaa.com)

--
View this message in context: http://www.nabble.com/How-do-I-stop-spamassassin-from-checking-email-twice-tp26006130p26006130.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
How can I block blank message mail
I find SA will not scan a mail if the message is blank. So I want to score all blank-message mails 6.00. How can I do that? My SA version is 3.17. Thanks
Re: How do I stop spamassassin from checking email twice
On Thu, 2009-10-22 at 01:42 -0700, Karolis wrote:
> Hi, I have two mail servers, one with domain aaa.com, the second bbb.com. Both have spamassassin installed. Most distribution lists on aaa.com route emails to bbb.com, so email gets checked twice. Adding whitelist_to aaa.com in the bbb spamassassin configuration is not a solution because it overwrites the result of the first spamassassin check. How can I skip spam checking on bbb.com if the email originated from aaa.com?

The general method is to listen on a separate port on bbb.com, and only allow mail from aaa.com to send to that port. Then, simply configure your MDA to deliver without a milter for traffic that originated on that port. Implementation is left as an exercise for the reader.

> Software:
> debian 5.0
> spamass-milter 0.3.1-2
> spamassassin 3.2.3-0.volatile1
> sendmail 8.13.8-3 (on bbb.com, can be replaced by postfix if solution requires it)
> postfix 2.5.5-1.1 (on aaa.com)

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
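The separate-port method described in the reply above, sketched as Postfix configuration (an added example, not part of the original thread). It assumes bbb.com has been switched to Postfix, which the original poster allows; port 2525, the address 192.0.2.10, the host name mail.bbb.com and the milter socket path are placeholders.

```conf
# ---- bbb.com: /etc/postfix/main.cf ----
# spamass-milter is attached globally, so every smtpd listener scans mail
# unless it overrides this setting. (Socket path is an assumed placeholder.)
smtpd_milters = unix:/spamass/spamass.sock

# ---- bbb.com: /etc/postfix/master.cf ----
# Public listener on port 25: inherits smtpd_milters, so mail is scanned.
smtp      inet  n       -       -       -       -       smtpd

# Dedicated listener for mail that aaa.com has already scanned.
# Port 2525 and 192.0.2.10 (aaa.com's outbound address) are placeholders.
#   smtpd_milters=                 no milter on this listener
#   mynetworks + client check      only aaa.com's address may connect
#   recipient restriction          accept mail for bbb.com's own domains only,
#                                  so the listener is not a relay for aaa.com
2525      inet  n       -       -       -       -       smtpd
  -o smtpd_milters=
  -o mynetworks=192.0.2.10/32
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=reject_unauth_destination

# ---- aaa.com: /etc/postfix/main.cf ----
transport_maps = hash:/etc/postfix/transport

# ---- aaa.com: /etc/postfix/transport ----
# Run "postmap /etc/postfix/transport" and "postfix reload" after editing.
# The brackets disable the MX lookup, so delivery goes to this host and port.
bbb.com   smtp:[mail.bbb.com]:2525
```

Anything accepted on port 2525 skips SpamAssassin, so the client restriction (ideally backed by a firewall rule for the same address) is what keeps the unscanned path limited to aaa.com.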
Re: Is there a WANTS_MY_INFO rule?
Hi;

Marc Perkel wrote:
> To catch this:
>
> In order to confirm you Web-Mail identity, you are to provide the following data;

snip

I have a generic phishing rule to reduce the incidence of customers giving out their data. It could be easily modified to hit your example. I got the basic idea from a post on here, so many thanks to that poster, whoever they are :-) Any improvements would be welcome.

This is site specific so change Example to your domain and watch out for line wrapping.

## Some of these words overlap between tests, this is a feature

## hello there
body __SITE_PH_DEAR /(\W|^)(Dear\s+(\W{0,2}Example(.com)?|Value|Customer|Account|E\-?mail Account|Web\-?mail|user)|Att(entio)?n|Account User)/i
body __SITE_PH_START /(inform you)/i

## there is a problem with
body __SITE_PH_SERVICE /(webmail|email|e-mail|account|mail|Internet|network|systems|database)/i

## we need your
body __SITE_PH_NAME /((((Sur|Fore?|Christian|First|Last|User)\s*)?Names?)|AccessID)/i
body __SITE_PH_AGE /(Your\s+)?(age|date\s+(of\s+)?birth|DOB)/i
body __SITE_PH_EMAIL /((your\s+(\w+\s+)?e\-?mail|E\-?mail\s+Address)|username|User Name|login|logon|identity|id|reply\s+to)/i

## and especially
body __SITE_PH_PASS /(Pass\s*word|Passwd|Pass\s*Phrase|Ident(ification)?|your\s+details)/i

## because we are fixing
body __SITE_PH_UPGRADE /(upgrad(e|ing|ed)|updat(e|ing|ed)|security|sc?heduled|maintainence|maintenance|activation|data\s+base)/i

## obey or bad thing will happen
body __SITE_PH_BADTHING /(error|interuption|failure|interupted|disruption|delet(e|ing)|de\-?activat(ed|ing|e)|remov(e|ed)|suspended|damage|shutting|terminat(e|ing|ed)|Technical\s+Support|un\-?authorised|in\-?active)/i

meta MYSITE_PHISH_M4 ((__SITE_PH_DEAR || __SITE_PH_START) && __SITE_PH_SERVICE && (__SITE_PH_NAME || __SITE_PH_AGE || __SITE_PH_EMAIL) && __SITE_PH_PASS && __SITE_PH_UPGRADE && __SITE_PH_BADTHING)
score MYSITE_PHISH_M4 0.1

Seems to get a few hits on the mail below.

dbg: rules: ran body rule __SITE_PH_NAME == got hit: First Name
dbg: rules: ran body rule __SITE_PH_PASS == got hit: ident
dbg: rules: ran body rule __SITE_PH_SERVICE == got hit: mail
dbg: rules: ran body rule __SITE_PH_AGE == got hit: Date of Birth
dbg: rules: ran body rule __SITE_PH_EMAIL == got hit: identity

If you meta this with a network check like BOTNET, DCC, RAZOR etc you can increase accuracy.

Rgds
N

Marc Perkel wrote:
> To catch this:
>
> In order to confirm you Web-Mail identity, you are to provide the following data;
> First Name:
> Last Name:
> Username/ID:
> Password:
> Date of Birth:
>
> Affirm your willingness and cooperation please, by replying me stating your FULL NAME, DATE OF BIRTH, TELEPHONE NUMBER, FAX NUMBER, and CONTACT ADDRESS.
> Feel Free To Call: +44 703-592-2805
>
> Provide the following under listed information
> 1.Full Name:
> 2.Full Address:
> 3.Nationality:
> 4.Age/Sex:
> 5.Mobile Contact:
> 6.Occupation:
> 7.Job Description:
Re: How do I stop spamassassin from checking email twice
Thanks for the fast feedback. I was considering this method myself, but I had hoped there would be a more elegant solution.

McDonald, Dan wrote:
> On Thu, 2009-10-22 at 01:42 -0700, Karolis wrote:
>> Hi, I have two mail servers, one with domain aaa.com, the second bbb.com. Both have spamassassin installed. Most distribution lists on aaa.com route emails to bbb.com, so email gets checked twice. Adding whitelist_to aaa.com in the bbb spamassassin configuration is not a solution because it overwrites the result of the first spamassassin check. How can I skip spam checking on bbb.com if the email originated from aaa.com?
>
> The general method is to listen on a separate port on bbb.com, and only allow mail from aaa.com to send to that port. Then, simply configure your MDA to deliver without a milter for traffic that originated on that port. Implementation is left as an exercise for the reader.
>
>> Software:
>> debian 5.0
>> spamass-milter 0.3.1-2
>> spamassassin 3.2.3-0.volatile1
>> sendmail 8.13.8-3 (on bbb.com, can be replaced by postfix if solution requires it)
>> postfix 2.5.5-1.1 (on aaa.com)
>
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
> www.austinenergy.com
Re: How can I block blank message mail
cofe2003 wrote:
> I find SA will not scan a mail if the message is blank. So I want to score all blank-message mails 6.00. How can I do that? My SA version is 3.17. Thanks

That's odd. SA should scan it, unless it is so blank there aren't even any headers. How have you integrated SA into your system?

Something like this should work for the scoring:

rawbody MSG_BODY_EMPTY !~ /./
describe MSG_BODY_EMPTY Message has no body text
score MSG_BODY_EMPTY 6.0
Re: specified setup
LuKreme wrote:
> On 21-Oct-2009, at 14:31, Bowie Bailey wrote:
>> If you can do the spam and virus scanning during the original smtp transaction, you can reject viruses and high-scoring spam with a 5xx error at that point, but once your server accepts the mail, your choices are to deliver it (to the inbox or a spam folder) or delete it.
>
> And if you are accepting mail for other people, think long and hard before you delete it. You are much better off tagging it and delivering it to a spam mailbox and letting the user either delete it, recover it, or ignore it.
>
> You could do something like delete all messages in the Spam folder after 7 days, or 21 days; but once you accept an email for someone else, you had probably best deliver it to them, regardless of how sure you are it's unwanted because sure enough, at some point you'll be wrong and it will, of course, be the most important email your client ever got and they have to have it right now or they will lose a $15,000,000 deal and what the hell are you going to do about it and who cares if it scored 42.9 in SpamAssassin?

True. I only delete spam for customers who have serious spam problems and only then after having a discussion with them regarding the possibility of lost mail.

I scan and add the SA headers to everything that passes through my server. It is then up to the customer to configure their MUA to sort out the spam. For customers that get lots of spam we do a combination of delivering low-scoring spam to their POP mailbox, holding higher-scoring spam on the server for two weeks, and (optionally) deleting spam with the highest scores. The score ranges are determined on a case-by-case basis, but are generally something like 5-10, 10-20, and 20+. This is in addition to an MTA block on the Zen blacklist (which I have yet to have any complaints about).

--
Bowie
Re: How can I block blank message mail
On Thu, 2009-10-22 at 09:15 -0400, Matt Kettler wrote:
> cofe2003 wrote:
>> I find SA will not scan a mail if the message is blank. So I want to score all blank-message mails 6.00.

Confusing. If SA indeed does not scan blank mail on your system (which effectively means the glue doesn't pass it on to SA), how do you expect SA to score it at all? Do you actually mean blank messages are not marked as spam?

>> How can I do that? My SA version is 3.17

3.1.7, dots do make a difference with numbers, and it is *ancient*.

> That's odd. SA should scan it, unless it is so blank there aren't even any headers.

SA doesn't care, it does its job regardless.

  echo -n | spamassassin

That's not even a newline. spamc however is /slightly/ more picky, and at least demands /some/ input, the trailing newline.

  echo | spamc

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Elena wants an iron cast oven
> If you have any old portable oven and in case you don't use it anymore, we will be very grateful to you if you can donate it to us and organize transport of this oven to our address (200km from Moscow).
> This ovens are different, usually they made from cast iron.

Dozens of these for months already...

What's the business model of this scam? I can't believe they really want millions of iron cast ovens from all around the world.

Maybe I should answer and ask directly ;D

--
http://www.iki.fi/jarif/

So you're back... about time...
RE: Elena wants an iron cast oven
Jari Fredriksson wrote:
>> If you have any old portable oven and in case you don't use it anymore, we will be very grateful to you if you can donate it to us and organize transport of this oven to our address (200km from Moscow).
>> This ovens are different, usually they made from cast iron.
>
> Dozens of these for months already...
>
> What's the business model of this scam? I can't believe they really want millions of iron cast ovens from all around the world.
>
> Maybe I should answer and ask directly ;D

Business model? I'd guess they're either cleaning their lists via NDR bounces or they're selling the ovens as scrap iron to augment their income...

...Kevin

--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
Re: Elena wants an iron cast oven
On Thu, 2009-10-22 at 21:19 +0300, Jari Fredriksson wrote:
>> If you have any old portable oven and in case you don't use it anymore, we will be very grateful to you if you can donate it to us and organize transport of this oven to our address (200km from Moscow).
>> This ovens are different, usually they made from cast iron.
>
> Dozens of these for months already...
>
> What's the business model of this scam? I can't believe they really want millions of iron cast ovens from all around the world.
>
> Maybe I should answer and ask directly ;D

Long time since I've last seen one of these...

My impression was, they want money of course. The victim falling for it sure is much more likely to help the poor people by sending over some money -- rather than organizing transport of an oven. The shipping [1] costs would exceed the amount of money they'd send anyway.

IIRC some variants even outright mentioned the alternative of money.

[1] Ever sent a crate of beer from Germany to the USA?

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Elena wants an iron cast oven
Hi,

>> What's the business model of this scam? I can't believe they really want millions of iron cast ovens from all around the world.
>>
>> Maybe I should answer and ask directly ;D
>
> Long time since I've last seen one of these...
>
> My impression was, they want money of course. The victim falling for it

Yes, follow the money. It's always about the money. The oven ploy is just weird enough to attract your attention in hopes of garnering a response.

Regards,
Alex
Re: Elena wants an iron cast oven
On Thu, 22 Oct 2009, Jari Fredriksson wrote:
> What's the business model of this scam? I can't believe they really want millions of iron cast ovens from all around the world.
>
> Maybe I should answer and ask directly ;D

Was the from address something like @dhl.com ? :)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
13 days since President Obama won the Nobel Not George W. Bush prize
Re: Elena wants an iron cast oven
22.10.2009 22:26, John Hardin wrote:
> On Thu, 22 Oct 2009, Jari Fredriksson wrote:
>> What's the business model of this scam? I can't believe they really want millions of iron cast ovens from all around the world.
>>
>> Maybe I should answer and ask directly ;D
>
> Was the from address something like @dhl.com ? :)

Nope. dhl.com sends malware, but this Elena always sends from ele...@*.ru in order to look genuine ;)

The message does not have any attachments, it is a plain text from a poor woman in Russia.

--
http://www.iki.fi/jarif/

Q: What do Winnie the Pooh and John the Baptist have in common?
A: The same middle name.
Re: Elena wants an iron cast oven
Jari Fredriksson wrote:
>> If you have any old portable oven and in case you don't use it anymore, we will be very grateful to you if you can donate it to us and organize transport of this oven to our address (200km from Moscow).
>> This ovens are different, usually they made from cast iron.

they own a shipping company :-)

or they just want you to email them back and validate your email address.
Re: Elena wants an iron cast oven
On Thu 22 Oct 2009 21:37:28 CEST, Jari Fredriksson wrote
> The message does not have any attachments, it is a plain text from a poor woman in Russia.

how do you know? was there a picture in the mail? if so, how can you be sure it's her picture?

oh well never mind :)

--
xpoint
Re: Elena wants an iron cast oven
22.10.2009 23:24, Michael Scheidell wrote:
> Jari Fredriksson wrote:
>>> If you have any old portable oven and in case you don't use it anymore, we will be very grateful to you if you can donate it to us and organize transport of this oven to our address (200km from Moscow).
>>> This ovens are different, usually they made from cast iron.
>
> they own a shipping company :-)
>
> or they just want you to email them back and validate your email address.

This thread probably poisons our bayes (for which I'm truly sorry) but as I checked, the typical mail gets so many points from other rules too, so that it should not make a difference... Hope so.

--
http://www.iki.fi/jarif/

One of the most striking differences between a cat and a lie is that a cat has only nine lives.
-- Mark Twain, Pudd'nhead Wilson's Calendar
Re: Elena wants an iron cast oven
22.10.2009 23:39, Benny Pedersen wrote:
> On Thu 22 Oct 2009 21:37:28 CEST, Jari Fredriksson wrote
>> The message does not have any attachments, it is a plain text from a poor woman in Russia.
>
> how do you know? was there a picture in the mail? if so, how can you be sure it's her picture?

I just know. I'm just about to book a flight and marry her.

Trust me, when I'm serious.

--
http://www.iki.fi/jarif/

One of the most striking differences between a cat and a lie is that a cat has only nine lives.
-- Mark Twain, Pudd'nhead Wilson's Calendar
Re: Elena wants an iron cast oven
Benny Pedersen wrote:
> On Thu 22 Oct 2009 21:37:28 CEST, Jari Fredriksson wrote
>> The message does not have any attachments, it is a plain text from a poor woman in Russia.
>
> how do you know? was there a picture in the mail? if so, how can you be sure it's her picture?

She left nothing to the imagination. ;-)

Tell her to go here:

http://englishrussia.com/?p=2137

plenty of abandoned scrap metal already in Russia.

Ted
Re: Elena wants an iron cast oven
On Thu, 22 Oct 2009, Ted Mittelstaedt wrote:
> http://englishrussia.com/?p=2137
>
> plenty of abandoned scrap metal already in Russia.

Cool. I can just hear the announcer in my head: ...in the epic battle between Man and the swamp, the swamp won.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Windows and its users got mentioned at home today, after my wife the psych major brought up Seligman's theory of learned helplessness.
-- Dan Birchall in a.s.r
---
13 days since President Obama won the Nobel Not George W. Bush prize
Re: Elena wants an iron cast oven
Hi,

> http://englishrussia.com/?p=2137
>
> plenty of abandoned scrap metal already in Russia.

Maybe they could blow it up like the brain surgeons did to that dead whale that was littering the beach in Oregon?

# The Infamous Exploding Whale
http://www.youtube.com/watch?v=8Vmnq5dBF7Y

Alex
Spamassassin not tagging some emails
Hi,

I am wondering if anyone has encountered a similar problem or has a solution for this. I have enabled spamassassin on my mail server. Spamassassin is correctly tagging most of the email but some of the emails are not.

The correctly tagged emails have the following in the email headers:

Return-Path: supp...@3idea.com
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on titanium.3idea.com
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED autolearn=ham version=3.2.5
Received: from inspiron1505 (titanium [127.0.0.1]) by titanium.3idea.com (8.13.8/8.13.8) with ESMTP id n9N031fU015203 for postmas...@austingrahaminc.com; Thu, 22 Oct 2009 17:03:01 -0700
Reply-To: supp...@3idea.com
From: supp...@3idea supp...@3idea.com
To: postmas...@austingrahaminc.com
References: 000d01ca536e$1d77aa10$6400a...@pedicuringp
In-Reply-To: 000d01ca536e$1d77aa10$6400a...@pedicuringp
Subject: RE: You've received a postcard test
Date: Thu, 22 Oct 2009 17:03:00 -0700
Message-ID: 00fe01ca5374$2f27ce10$8d776a...@com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpTbjaJ1YZhm8cFRkyZRJYCPUdxZwABfEow
Content-Language: en-us

The emails that have not been tagged at all:

Return-Path: angus.d...@3idea.com
Received: from inspiron1505 (titanium [127.0.0.1]) by titanium.3idea.com (8.13.8/8.13.8) with ESMTP id n9MNutNS014287 for supp...@3idea.com; Thu, 22 Oct 2009 16:56:55 -0700
Reply-To: angus.d...@3idea.com
From: Angus - 3idea angus.d...@3idea.com
To: supp...@3idea.com
Subject: FW: You've received a postcard test
Date: Thu, 22 Oct 2009 16:56:54 -0700
Message-ID: 00e401ca5373$54c76aa0$fe563f...@dunn@3idea.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_00E5_01CA5338.A86892A0
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpTbqcxbSi7uMYrQ6yvYdA8pD9mWwABKQzQ
Content-Language: en-us

I have confirmed that spamassassin is running all the time.

It seems like all emails with an attachment are passing straight through and are not evaluated by spamassassin. The emails that are not tagged have an attachment ecard.zm9, which is a spam email. The IP of the spam email is from a blacklisted mail server.

Does anyone know why spamassassin is not tagging the email with an attachment?

I am using the following:
Spamassassin 3.2.5
Sendmail 8.13.8-2
Centos 5.1

If there is additional info I need to provide, please let me know. I really appreciate your help!

Thanks,
Angus
Re: Spamassassin not tagging some emails
Hi,

On the message that should have been scanned:

> The emails that have not been tagged at all:
[...]
> From: Angus - 3idea angus.d...@3idea.com
> To: supp...@3idea.com

Are you forwarding this spam from your internal account to this other internal supp...@3idea.com account? It also looked like there was no external mail server involved.

If so, I would think that SA trusts your internal network, and therefore is just passing the message through without even evaluating it.

If you want your internal mail to also be scanned, remove your mail server from trusted_networks and internal_networks. I think that should fix it.

Regards,
Alex
hostkarma/uribl_black disparity
Hi,

Over the past few days I have been investigating more closely email that wasn't tagged that I thought should have been, and vice-versa, using various factors, such as URIBL_BLACK and JMF_W. I'm very surprised that obvious hosts are on the URIBL_BLACK list, like receiveeweek.com.

Even more interesting is a bunch of FNs that contain both URIBL_BLACK and JMF_W. I'm not sure which is correct in many cases, because they are not always so cut-and-dried.

For example, there was a Citi Bank email (whitelisted) that happened to use an image server (csnimages.com) that is in URIBL_BLACK. While I don't think that particular email should have been tagged as spam, it's only an example, and I hoped someone would be interested enough to check out a list I created with these types of disparities I've had over the last day or so. It's too long to include here, so I've created a pastebin for it:

http://pastebin.com/m4a1561b5

I realize this type of thing could happen for many reasons, not the least of which is an otherwise-legitimate host that has been compromised and now used to send spam. However, many on my list are quite persistent, like blr-events.com and eturbonews.com, which I have no idea whether it is legitimate or bogus.

Whatever the case, there are definitely mistakes, and I'd like to help correct them. Ideas appreciated. I'd be glad to gather more info if necessary.

Thanks
Alex