FP on blacklist hostkarma

2009-11-30 Thread Michael Monnerie
http://ipadmin.junkemailfilter.com/remove.php?ip=80.245.199.162

I removed that IP now, in order to let pass mail through. But please 
check it. It seems you easily blacklist a host that connects to your 
tarbaby MX, but we had a network outage on our primary MX which 
redirected traffic to your tarbaby.
Please, Marc, don't list hosts just because they connect several times 
to your tarbaby.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4




Re: which free RBL do you use?

2009-11-30 Thread Matus UHLAR - fantomas
 On fre 27 nov 2009 18:08:23 CET, Allen Chen wrote
 DNSBLs. We are non-profit organization and don't have too much email traffic.

On 27.11.09 18:22, Benny Pedersen wrote:
 install bind, check spamhaus dnsbl in sendmail, add more internal spam  
 tests in sendmail, dont add to much dnsbl in sendmail, and i have found 
 spamcop is more for spamassassin not for mta, but imho zen is mta safe

Imho, SpamCop is MTA-safe if you use it the recommended way and only use
it for temporary rejection.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 


Re: which free RBL do you use?

2009-11-30 Thread Matus UHLAR - fantomas
 On fre 27 nov 2009 16:47:54 CET, rich...@buzzhost.co.uk wrote
 Matus, why are you once more sending me off list replies?
 Again, will you *please* keep your replies *ON LIST*.

On 27.11.09 17:17, Benny Pedersen wrote:
 priceless reply-to

Priceless? Bullshit. Useless and annoying. Breaks (or at least makes harder)
possibility for private replies.

I sometimes send private reply intentionally, when it is off-topic and/or
something people in this list don't need to see.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe. 


Re: which free RBL do you use?

2009-11-30 Thread Bernd Petrovitsch
On Mon, 2009-11-30 at 10:56 +0100, Matus UHLAR - fantomas wrote:
  On fre 27 nov 2009 16:47:54 CET, rich...@buzzhost.co.uk wrote
  Matus, why are you once more sending me off list replies?
  Again, will you *please* keep your replies *ON LIST*.
The obvious is to simply ignore such private mails which are obviously
not really private - perhaps after reminding the other once.

 On 27.11.09 17:17, Benny Pedersen wrote:
  priceless reply-to
 
 Priceless? Bullshit. Useless and annoying. Breaks (or at least makes harder)
ACK. see http://www.unicom.com/pw/reply-to-harmful.html for more.

 possibility for private replies.
I even know of average users which developed the habit of abusing the
subject to send a private (personal is probably the better name)
mail via the ML.

 I sometimes send private reply intentionally, when it is off-topic and/or
 something people in this list don't need to see.
Which is perfectly possible if one edits the To: header. But what if one
forgets it?
So Reply-To Munging is in general bad.

Bernd
-- 
Firmix Software GmbH   http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
  Embedded Linux Development and Services




Re: Need help running SA in a (comparative) anti-spam test

2009-11-30 Thread LuKreme
On 29-Nov-2009, at 04:59, Jonas Eckerman wrote:
 I'd assume that a big ISP using SA (and wants the best from SA install) would 
 pay to use the better DNSBLs.


I've found pretty much the opposite; the larger the ISP, the worse job they do 
filtering spam for their customers. The only exception is gmail which does a 
pretty decent job.

Though my mailserver does a much better job.


-- 
the nasty little sound of a sword being unsheathed right behind one at just the 
point when one thought one had disposed of one's enemies
[...]
It was that kind of laugh. --Equal Rites



Re: Undisclosed recipients :; -- again

2009-11-30 Thread Matus UHLAR - fantomas
On 27.11.09 14:04, Philip A. Prindeville wrote:
 for the ruleset:

 header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/

just FYI, sendmail can be configured to do different things when To: is
missing - there's sendmail option NoRecipientAction, configured by setting
confNO_RCPT_ACTION m4 directive. The default value is none but e.g. Debian
was setting it to add-to-undisclosed which causes MISSING_HEADERS not
hitting (only from milter, which appears to be called before the headers are
fixed).

Maybe you should look at your MTA's configuration options if it doesn't
cause different rules hitting/not hitting, e.g. sendmail adds Date: and
Message-Id headers which cause MISSING_DATE and MISSING_MID. I was not able
to find how disable this behaviour in sendmail.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you. 


Re: which free RBL do you use?

2009-11-30 Thread rich...@buzzhost.co.uk
Matus forgot to include this one he sent to me personally:

 On Fri, 2009-11-27 at 14:03 +0100, Matus UHLAR - fantomas wrote:
  Why do you tell me? Tell the OP, I just have used the same
  terminology. 

On 27.11.09 15:47, rich...@buzzhost.co.uk wrote:
 Matus, why are you once more sending me off list replies?

Why do you send me any replies at all? Keep me out of your address list.

 Again, will you *please* keep your replies *ON LIST*. I pointed out that
 RBL is trademark just to be an anal pedant. I'm incredibly surprised
 that *you* missed the opportunity given your track record if *I* were to
 do it.

Once again, stop being dickhead and keep off-list discussion off-list.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 

Priceless.



Re: Unhindered Pharma Spam

2009-11-30 Thread Matus UHLAR - fantomas
 On Sat, 2009-11-28 at 09:48 +, Arthur Dent wrote:
  I have had a couple of these sail into my inbox untouched by SA with
  the exception of RDNS_NONE and Bayes. Score of -0.1!
  
  http://pastebin.com/m478c33ce
  
  Even after learning they still only score 3.6
  
  Anything I can do?

On 28.11.09 10:12, rich...@buzzhost.co.uk wrote:
 I got '5' for it, at a push...
 
 X-Spam-Level: *
 X-Spam-Status: Yes, score=5.1 required=5.0
 tests=RDNS_NONE,RELAYCOUNTRY_FR
 X-Spam-RBL-Results: 
 dns:140.123.254.62.dnsbl.sorbs.net [127.0.0.10]
 dns:server.opencompositing.org [195.114.19.35]
 X-Spam-Relay: GB ** GB ** FR
 X-Spam-Report: 
 *  5.0 RELAYCOUNTRY_FR Relayed through France

I think that this is going to have way too many FPs.

 *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet. 


Re: Unhindered Pharma Spam

2009-11-30 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-30 at 12:18 +0100, Matus UHLAR - fantomas wrote:
  On Sat, 2009-11-28 at 09:48 +, Arthur Dent wrote:
   I have had a couple of these sail into my inbox untouched by SA with
   the exception of RDNS_NONE and Bayes. Score of -0.1!
   
   http://pastebin.com/m478c33ce
   
   Even after learning they still only score 3.6
   
   Anything I can do?
 
 On 28.11.09 10:12, rich...@buzzhost.co.uk wrote:
  I got '5' for it, at a push...
  
  X-Spam-Level: *
  X-Spam-Status: Yes, score=5.1 required=5.0
  tests=RDNS_NONE,RELAYCOUNTRY_FR
  X-Spam-RBL-Results: 
  dns:140.123.254.62.dnsbl.sorbs.net [127.0.0.10]
  dns:server.opencompositing.org [195.114.19.35]
  X-Spam-Relay: GB ** GB ** FR
  X-Spam-Report: 
  *  5.0 RELAYCOUNTRY_FR Relayed through France
 
 I think that this is going to have way too many FPs.
 
  *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS

Taurus. Depends on context. I get nothing from France that I would ever
want - but that may not suit people who deal with the French.



Re: Unhindered Pharma Spam

2009-11-30 Thread Matus UHLAR - fantomas
  On 28.11.09 10:12, rich...@buzzhost.co.uk wrote:
   I got '5' for it, at a push...
   
   X-Spam-Report: 
   *  5.0 RELAYCOUNTRY_FR Relayed through France

 On Mon, 2009-11-30 at 12:18 +0100, Matus UHLAR - fantomas wrote:
  I think that this is going to have way too many FPs.

On 30.11.09 12:49, rich...@buzzhost.co.uk wrote:
 To: Matus UHLAR - fantomas uh...@fantomas.sk
 Cc: users@spamassassin.apache.org

 Taurus. Depends on context. I get nothing from France that I would ever
 want - but that may not suit people who deal with the French.

Yes, but only if you have that rule in your personal user_prefs (or if only
you receive mail on the site), and only until anyone from *.fr starts
sending you mail. You apparently even will not notice that unless you check
your spam regularly.

I guess people here care not only about their mailboxes but about servers
and server farms where this would not be globally acceptable.

P.S.
it's funny that you send me private copies for mail that DOES belong to
the list, but you refuse private mail even if it does NOT belong here.

(and you even blocked mail from /16 my server belongs to, but that is
apparently directly related to what I told you in last mail you seem to have
received)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest. 


Re: Unhindered Pharma Spam

2009-11-30 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-30 at 13:57 +0100, Matus UHLAR - fantomas wrote:

 it's funny that you send me private copies for mail that DOES belong to
 the list, but you refuse private mail even if it does NOT belong here.
 
Well, I figured if you wanted to go on being an ignorant asshole and
keep doing it, I would reply in kind.

Have a nice day now :-)





Re: Unhindered Pharma Spam

2009-11-30 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-30 at 13:57 +0100, Matus UHLAR - fantomas wrote:
   On 28.11.09 10:12, rich...@buzzhost.co.uk wrote:
I got '5' for it, at a push...

X-Spam-Report: 
*  5.0 RELAYCOUNTRY_FR Relayed through France
 
  On Mon, 2009-11-30 at 12:18 +0100, Matus UHLAR - fantomas wrote:
   I think that this is going to have way too many FPs.
 
 On 30.11.09 12:49, rich...@buzzhost.co.uk wrote:
  To: Matus UHLAR - fantomas uh...@fantomas.sk
  Cc: users@spamassassin.apache.org
 
  Taurus. Depends on context. I get nothing from France that I would ever
  want - but that may not suit people who deal with the French.
 
 Yes, but only if you have that rule in your personal user_prefs (or if only
 you receive mail on the site), and only until anyone from *.fr starts
 sending you mail. You apparently even will not notice that unless you check
 your spam regularly.
Repeat - we don't want or have any need for email from France. Hence the
remark about 'context'. 

The last time I checked no two email systems, be they home, soho or
enterprise, had to be the same. Unless, of course, you are now declaring
that everyone should be set according to your opinion?
 
 I guess people here care not only about their mailboxes but about servers
 and server farms where this would not be globally acceptable.
Again, depends on context. It may not be good for you, but it's great
for us.
 
 P.S.
 it's funny that you send me private copies for mail that DOES belong to
 the list, but you refuse private mail even if it does NOT belong here.
You do it all the time, if you don't like it - don't do it to others.
 
 (and you even blocked mail from /16 my server belongs to, but that is
 apparently directly related to what I told you in last mail you seem to have
 received)
 
Yep. I don't see anything but unsolicited harassment and crap from
that /16. Please feel free to return the favour.




Re: FP on blacklist hostkarma

2009-11-30 Thread Michael Monnerie
On Montag, 30. November 2009 Michael Monnerie wrote:
 http://ipadmin.junkemailfilter.com/remove.php?ip=80.245.199.162
 
 I removed that IP now, in order to let pass mail through. But please
 check it. It seems you easily blacklist a host that connects to your
 tarbaby MX, but we had a network outage on our primary MX which
 redirected traffic to your tarbaby.
 Please, Marc, don't list hosts just because they connect several
  times to your tarbaby.
 
 mfg zmi
 

195.202.149.231 had the same issue. Seems your tarbaby is a bit harsh. 
Looks more like an unhappy woman than a baby ;-)

I've had to drop the use of hostkarma now, way too many FPs.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4




Re: Unhindered Pharma Spam

2009-11-30 Thread Matus UHLAR - fantomas
On 28.11.09 10:12, rich...@buzzhost.co.uk wrote:
 I got '5' for it, at a push...
 
 X-Spam-Report: 
 *  5.0 RELAYCOUNTRY_FR Relayed through France

   On Mon, 2009-11-30 at 12:18 +0100, Matus UHLAR - fantomas wrote:
I think that this is going to have way too many FPs.

  On 30.11.09 12:49, rich...@buzzhost.co.uk wrote:
   Taurus. Depends on context. I get nothing from France that I would ever
   want - but that may not suit people who deal with the French.

 On Mon, 2009-11-30 at 13:57 +0100, Matus UHLAR - fantomas wrote:
  Yes, but only if you have that rule in your personal user_prefs (or if only
  you receive mail on the site), and only until anyone from *.fr starts
  sending you mail. You apparently even will not notice that unless you check
  your spam regularly.

On 30.11.09 13:07, rich...@buzzhost.co.uk wrote:
 Repeat - we don't want or have any need for email from France. Hence the
 remark about 'context'. 
 
 The last time I checked no two email systems, be they home, soho or
 enterprise, had to be the same. Unless, of course, you are now declaring
 that everyone should be set according to your opinion?

I am only commenting that what is good for you may be very bad for the
others. If you know that, others may not. 

  I guess people here care not only about their mailboxes but about servers
  and server farms where this would not be globally acceptable.

 Again, depends on context. It may not be good for you, but it's great
 for us.

That is exactly what I wanted to point at. BTW, with proper BAYES database,
RELAYCOUNTRY_FR and the mail body could both push score enough so you
wouldn't need to set score to 5.0

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: Unhindered Pharma Spam

2009-11-30 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-30 at 14:14 +0100, Matus UHLAR - fantomas wrote:
 On 28.11.09 10:12, rich...@buzzhost.co.uk wrote:

  The last time I checked no two email systems, be they home, soho or
  enterprise, had to be the same. Unless, of course, you are now declaring
  that everyone should be set according to your opinion?
 
 I am only commenting that what is good for you may be very bad for the
 others. If you know that, others may not. 
 
And I am only commenting that what is good for you may be very bad for
others. If you know that, others may not.

So it looks like we are square or would you like to fight and abuse some
more?




Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
I seem to be having more emails with NO_RELAYS than I normally see, and
I'd like to have spamd just refuse to process them.  That way they'd
get left in the queue, and I'd have something to debug. 


/Per Jessen, Zürich



NOT really about Unhindered Pharma Spam

2009-11-30 Thread Charles Gregory

On Mon, 30 Nov 2009, rich...@buzzhost.co.uk wrote:

it's funny that you send me private copies for mail that DOES belong to
the list, but you refuse private mail even if it does NOT belong here.

Well, I figured if you wanted to go on being an ignorant asshole and
keep doing it, I would reply in kind.
Have a nice day now :-)


Oh, yes, this REALLY makes the list worth reading.

I can sure fight Pharma spam with THIS information.

Do us all a favor and label personal snipes with an obvious subject
so that the rest of us can get on with locating the answers to problems?

Thanks.

PS. If I were a spammer I would be laughing my ass off at this waste of 
time. Every effort spent on fighting each other is less spent on them.


How was your holiday weekend spam traffic?

2009-11-30 Thread Chris Santerre
I'm just curious this morning. I see a dip in spam trapped, but a pretty big
rise in blocking. I expected a lot worse over the long holiday weekend. Did
someone get arrested or something?

I'm not fully awake yet but it looks like my blocking numbers from RBLs
tripled over weekend. 

--Chris


Re: NOT really about Unhindered Pharma Spam

2009-11-30 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-30 at 10:08 -0500, Charles Gregory wrote:

 PS. If I were a spammer I would be laughing my ass off at this waste of 
 time. Every effort spent on fighting each other is less spent on them.

Actually, it's reasonable to argue that you are worse - you've just
contributed to an argument that you complain of, wasting bytes. I think
that's 'hypocrisy' but I'm sure Mathus will enjoy your loving
support ;-)




Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread d . hill

Quoting Per Jessen p...@computer.org:


I seem to be having more emails with NO_RELAYS than I normally see, and
I'd like to have spamd just refuse to process them.  That way they'd
get left in the queue, and I'd have something to debug.


NO_RELAYS indicates there are no Received headers:

http://wiki.apache.org/spamassassin/Rules/NO_RELAYS

Have you checked the headers of the messages to see if there are any?



Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
d.h...@yournetplus.com wrote:

 Quoting Per Jessen p...@computer.org:
 
 I seem to be having more emails with NO_RELAYS than I normally see,
 and
 I'd like to have spamd just refuse to process them.  That way they'd
 get left in the queue, and I'd have something to debug.
 
 NO_RELAYS indicates there are no Received headers:
 
  http://wiki.apache.org/spamassassin/Rules/NO_RELAYS
 
 Have you checked the headers of the messages to see if there are any?

I know for a fact there are some, yes.  


/Per Jessen, Zürich



Re: How was your holiday weekend spam traffic?

2009-11-30 Thread d . hill

Quoting Chris Santerre csante...@merchantsoverseas.com:


I'm just curious this morning. I see a dip in spam trapped, but a pretty big
rise in blocking. I expected a lot worse over the long holiday weekend. Did
someone get arrested or something?

I'm not fully awake yet but it looks like my blocking numbers from RBLs
tripled over weekend.


Same here. I've seen an increase in the number of rejections based on  
greet_pause. Ironically, it was extensively discussed on the SPAM-L  
list over the holiday weekend.




Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread d . hill

Quoting Per Jessen p...@computer.org:


d.h...@yournetplus.com wrote:


Quoting Per Jessen p...@computer.org:


I seem to be having more emails with NO_RELAYS than I normally see,
and
I'd like to have spamd just refuse to process them.  That way they'd
get left in the queue, and I'd have something to debug.


NO_RELAYS indicates there are no Received headers:

 http://wiki.apache.org/spamassassin/Rules/NO_RELAYS

Have you checked the headers of the messages to see if there are any?


I know for a fact there are some, yes.


Post a message somewhere via pastebin or something that everyone can  
take a look at.




Re: How was your holiday weekend spam traffic?

2009-11-30 Thread d . hill

Quoting d.h...@yournetplus.com:


Quoting Chris Santerre csante...@merchantsoverseas.com:


I'm just curious this morning. I see a dip in spam trapped, but a pretty big
rise in blocking. I expected a lot worse over the long holiday weekend. Did
someone get arrested or something?

I'm not fully awake yet but it looks like my blocking numbers from RBLs
tripled over weekend.


Same here. I've seen an increase in the number of rejections based  
on greet_pause. Ironically, it was extensively discussed on the  
SPAM-L list over the holiday weekend.


Sorry I didn't clarify. The *use* of greet_pause was extensively discussed.



Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
d.h...@yournetplus.com wrote:

 Quoting Per Jessen p...@computer.org:
 
 d.h...@yournetplus.com wrote:

 Quoting Per Jessen p...@computer.org:

 I seem to be having more emails with NO_RELAYS than I normally see,
 and
 I'd like to have spamd just refuse to process them.  That way
 they'd get left in the queue, and I'd have something to debug.

 NO_RELAYS indicates there are no Received headers:

  http://wiki.apache.org/spamassassin/Rules/NO_RELAYS

 Have you checked the headers of the messages to see if there are
 any?

 I know for a fact there are some, yes.
 
 Post a message somewhere via pastebin or something that everyone can
 take a look at.

I could, but it won't help - rest assured it has the headers.  Anyway,
how about a way to make spamd refuse to process a message when it
appears to to have any? 


/Per Jessen, Zürich



Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Matus UHLAR - fantomas
 d.h...@yournetplus.com wrote:
 
  Quoting Per Jessen p...@computer.org:
  
  d.h...@yournetplus.com wrote:
 
  Quoting Per Jessen p...@computer.org:
 
  I seem to be having more emails with NO_RELAYS than I normally see,
  and
  I'd like to have spamd just refuse to process them.  That way
  they'd get left in the queue, and I'd have something to debug.
 
  NO_RELAYS indicates there are no Received headers:
 
   http://wiki.apache.org/spamassassin/Rules/NO_RELAYS
 
  Have you checked the headers of the messages to see if there are
  any?
 
  I know for a fact there are some, yes.
  
  Post a message somewhere via pastebin or something that everyone can
  take a look at.

On 30.11.09 16:41, Per Jessen wrote:
 I could, but it won't help - rest assured it has the headers.  Anyway,
 how about a way to make spamd refuse to process a message when it
 appears to to have any? 

which MTA do you use? How do you plug SA in?
where do those messages come from?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states. 


Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
Matus UHLAR - fantomas wrote:

 On 30.11.09 16:41, Per Jessen wrote:
 I could, but it won't help - rest assured it has the headers. 
 Anyway, how about a way to make spamd refuse to process a message
 when it appears to to have any?
 
 which MTA do you use? How do you plug SA in?

MTA is postfix,  I call spamd directly using the spamc protocol (but not
spamc). 

 where do those messages come from?

For instance a couple from msg.oleane.net, but it varies. 


/Per Jessen, Zürich



Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
Per Jessen wrote:

 Matus UHLAR - fantomas wrote:
 
 On 30.11.09 16:41, Per Jessen wrote:
 I could, but it won't help - rest assured it has the headers.
 Anyway, how about a way to make spamd refuse to process a message
 when it appears to to have any?
 
 which MTA do you use? How do you plug SA in?
 
 MTA is postfix,  I call spamd directly using the spamc protocol (but
 not spamc).
 
 where do those messages come from?
 
 For instance a couple from msg.oleane.net, but it varies.
 

I forgot to add - when the mail is sent through and I later run it
through spamassassin manually, everything works fine(!) - so something
happens in spamd or before. That's why I want spamd to refuse
processing such that the message will remain queued in postfix.  


/Per Jessen, Zürich



Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Matus UHLAR - fantomas
  On 30.11.09 16:41, Per Jessen wrote:
  I could, but it won't help - rest assured it has the headers. 
  Anyway, how about a way to make spamd refuse to process a message
  when it appears to to have any?

 Matus UHLAR - fantomas wrote:
  which MTA do you use? How do you plug SA in?

On 30.11.09 17:06, Per Jessen wrote:
 MTA is postfix,  I call spamd directly using the spamc protocol (but not
 spamc). 

directly from where?
do you use spamd as SMTP filter? (can it be done?)

  where do those messages come from?
 
 For instance a couple from msg.oleane.net, but it varies. 

is that regular mail? Wouldn't it be better to exclude scanning mail that
came from msg.oleane.net ?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 


Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
Matus UHLAR - fantomas wrote:

  On 30.11.09 16:41, Per Jessen wrote:
  I could, but it won't help - rest assured it has the headers.
  Anyway, how about a way to make spamd refuse to process a message
  when it appears to to have any?
 
 Matus UHLAR - fantomas wrote:
  which MTA do you use? How do you plug SA in?
 
 On 30.11.09 17:06, Per Jessen wrote:
 MTA is postfix,  I call spamd directly using the spamc protocol (but
 not spamc).
 
 directly from where? do you use spamd as SMTP filter? (can it be
 done?) 

Yes, it can be done - I have my own smtp proxy which calls spamd. 
(amongst other things). 

  where do those messages come from?
 
 For instance a couple from msg.oleane.net, but it varies.
 
 is that regular mail? Wouldn't it be better to exclude scanning mail
 that came from msg.oleane.net ?

Apart from very few internal exceptions, all mail is scanned - I
whitelist based on origin, but everything is scanned. 


/Per Jessen, Zürich
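
One way a calling proxy can get the effect asked for in this thread, as an added example (not code from any poster or from SpamAssassin): request SYMBOLS from spamd and, when the reply lists NO_RELAYS or NO_RECEIVED for a message that does carry Received headers, answer Postfix with a 4xx so the message stays queued for debugging. The function names, the sample message and replies, and the 451 reply text are assumptions made for illustration.

```python
from email.parser import BytesParser

# Rules discussed in the thread: both mean spamd saw no usable Received headers.
SUSPECT_RULES = {"NO_RELAYS", "NO_RECEIVED"}

# Constructed sample message (not taken from the thread), two Received headers.
SAMPLE_MESSAGE = (
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby proxy.example.org with ESMTP; Mon, 30 Nov 2009 16:00:00 +0100\r\n"
    b"Received: from client.example.net (client.example.net [192.0.2.20])\r\n"
    b"\tby mx.example.net with ESMTP; Mon, 30 Nov 2009 15:59:58 +0100\r\n"
    b"From: sender@example.net\r\n"
    b"To: rcpt@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)

# Constructed spamd replies to a SYMBOLS request.
SAMPLE_REPLY_BROKEN = (
    b"SPAMD/1.1 0 EX_OK\r\n"
    b"Spam: False ; 1.3 / 5.0\r\n"
    b"\r\n"
    b"MISSING_DATE,NO_RECEIVED,NO_RELAYS\r\n"
)
SAMPLE_REPLY_OK = (
    b"SPAMD/1.1 0 EX_OK\r\n"
    b"Spam: False ; 0.1 / 5.0\r\n"
    b"\r\n"
    b"RDNS_NONE\r\n"
)


def parse_symbols_reply(raw):
    """Parse a spamd SYMBOLS reply into (is_spam, score, threshold, rules)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    status = lines[0].split(None, 2)  # e.g. ['SPAMD/1.1', '0', 'EX_OK']
    if len(status) < 2 or not status[0].startswith("SPAMD/") or status[1] != "0":
        raise ValueError("spamd did not return EX_OK: %r" % lines[0])
    verdict = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "spam":  # 'Spam: False ; 1.3 / 5.0'
            flag, _, numbers = value.partition(";")
            score, _, threshold = numbers.partition("/")
            verdict = (flag.strip().lower() in ("true", "yes"),
                       float(score), float(threshold))
    if verdict is None:
        raise ValueError("no Spam: header in spamd reply")
    text = body.decode("ascii", "replace")
    rules = {r.strip() for r in text.split(",") if r.strip()}
    return verdict + (rules,)


def count_received(message):
    """Count Received headers in the bytes that were handed to spamd."""
    headers = BytesParser().parsebytes(message, headersonly=True)
    return len(headers.get_all("Received", []))


def decide(message, reply):
    """Return ('defer', smtp_reply) when spamd's view contradicts the message.

    'continue' means: carry on with the proxy's normal handling of the verdict.
    """
    _is_spam, _score, _threshold, rules = parse_symbols_reply(reply)
    contradicted = sorted(rules & SUSPECT_RULES)
    if contradicted and count_received(message) > 0:
        # Temporary failure: the sending MTA keeps the message in its queue.
        return ("defer",
                "451 4.3.0 filter result inconsistent (%s), try again later"
                % ",".join(contradicted))
    return ("continue", None)


if __name__ == "__main__":
    print(decide(SAMPLE_MESSAGE, SAMPLE_REPLY_BROKEN))
    print(decide(SAMPLE_MESSAGE, SAMPLE_REPLY_OK))
```

Logging the exact bytes sent to spamd alongside each deferral shows whether the headers were already missing or malformed before spamd saw them.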



Re: NOT really about Unhindered Pharma Spam

2009-11-30 Thread Charles Gregory

On Mon, 30 Nov 2009, rich...@buzzhost.co.uk wrote:

PS. If I were a spammer I would be laughing my ass off at this waste of
time. Every effort spent on fighting each other is less spent on them.

Actually, it's reasonable to argue that you are worse - you've just
contributed to an argument that you complain of, wasting bytes. I think
that's 'hypocrisy'


I did not 'contribute' to the argument. I described how useless it was to 
me and asked to have it 'relabelled' with a different subject.


But yes, now that I'm answering you, I'm a hypocrite, and the spammers 
have reason to laugh again. :)


- C


Re: NOT really about Unhindered Pharma Spam

2009-11-30 Thread Chris Owen
On Nov 30, 2009, at 10:46 AM, Charles Gregory wrote:

 On Mon, 30 Nov 2009, rich...@buzzhost.co.uk wrote:
 PS. If I were a spammer I would be laughing my ass off at this waste of
 time. Every effort spent on fighting each other is less spent on them.
 Actually, it's reasonable to argue that you are worse - you've just
 contributed to an argument that you complain of, wasting bytes. I think
 that's 'hypocrisy'
 
 I did not 'contribute' to the argument. I described how useless it was to me 
 and asked to have it 'relabelled' with a different subject.
 
 But yes, now that I'm answering you, I'm a hypocrite, and the spammers have 
 reason to laugh again. :)

Why anyone replies to this guy about anything is beyond me. Adding him to a 
kill file doesn't do much good when you still see the other half of the 
argument. 

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-






OT: Re: NOT really about Unhindered Pharma Spam

2009-11-30 Thread Matt Garretson
Chris Owen wrote:
 Why anyone replies to this guy about anything is beyond me.
 Adding him to a kill file doesn't do much good when you still 
 see the other half of the argument. 


+1

If you must feed the trolls, please at least don't quote them.




Re: OT: Re: NOT really about Unhindered Pharma Spam

2009-11-30 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-30 at 12:06 -0500, Matt Garretson wrote:
 Chris Owen wrote:
  Why anyone replies to this guy about anything is beyond me.
  Adding him to a kill file doesn't do much good when you still 
  see the other half of the argument. 
 
 
 +1
 
 If you must feed the trolls, please at least don't quote them.

You are just as bad Garretson. I have Chris Owen in my killfile and your
reply means I've had to suffer his garbage quoted post. If you do wish
to dance the 'troll' abuse line, go somewhere else with it because
frankly, I find your input rather boring.





Re: [sa] Re: NOT really about Unhindered Pharma Spam

2009-11-30 Thread Charles Gregory

On Mon, 30 Nov 2009, Chris Owen wrote:
Why anyone replies to this guy about anything is beyond me.  Adding him 
to a kill file doesn't do much good when you still see the other half of 
the argument.


Most e-mail clients insert a line of the form:
   On (date) (name) (address) wrote:
So in theory a body check for his address would serve as a partial block.

But my idea, if followed, would also help. Sadly, now that we've
(re-)introduced the idea that some people are not interested in having
their 'witty' postings ignored, I realize the chances of this kind of 
cooperation have dropped somewhat (sigh)


- C


Re: OT - NOT really about Unhindered Pharma Spam

2009-11-30 Thread Charles Gregory

On Mon, 30 Nov 2009, rich...@buzzhost.co.uk wrote:

You are just as bad Garretson. I have Chris Owen in my killfile and your
reply means I've had to suffer his garbage quoted post. If you do wish
to dance the 'troll' abuse line, go somewhere else with it because
frankly, I find your input rather boring.


LOL - I shoulda known better than to make a 'reasonable' suggestion.
Well, at least the subject line is changed. :)

- C


Re: OT - NOT really about Unhindered Pharma Spam

2009-11-30 Thread Chris Owen
On Nov 30, 2009, at 11:46 AM, Charles Gregory wrote:

 LOL - I shoulda known better than to make a 'reasonable' suggestion.
 Well, at least the subject line is changed. :)

Reason plays no role here.  There is nothing you can say that the troll won't 
feed on.  Best to just ignore and move on.

Seriously--after his performance the last couple of months just ignore him.  
Easiest way to make it stop.

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-






Re: How was your holiday weekend spam traffic?

2009-11-30 Thread Alex
Hi,

 I'm just curious this morning. I see a dip in spam trapped, but a pretty big
 rise in blocking. I expected a lot worse over the long holiday weekend. Did
 someone get arrested or something?

 I'm not fully awake yet but it looks like my blocking numbers from RBLs
 tripled over weekend.

Can I ask how you are measuring that information? Is it a script or
just a grep through your mail logs? It just implied that you had a
history to compare with, and I was curious about that.

Thanks,
Alex


Re: FP on blacklist hostkarma

2009-11-30 Thread Alex
Hi,

 195.202.149.231 had the same issue. Seems your tarbaby is a bit harsh.
 Looks more like an unhappy woman than a baby ;-)

 I've had to drop the use of hostkarma now, way too many FPs.

I've been thinking the same thing for a while, but still have it
enabled and scored low, particularly the whitelist.

How do you think it compares with the Barracuda or Adam Katz lists?

I have a small script that parses my mail log for JMF_BL, and so far
today on one server it found:

The rule RCVD_IN_JMF_BL fired 2707 times and tripped 433 times

I can tell you that there aren't 2707 FPs every day, so it's hitting
quite a bit of ham. Thankfully it's not enough to trigger it to spam.

Thanks,
Alex


Re: which free RBL do you use?

2009-11-30 Thread Benny Pedersen

On man 30 nov 2009 10:56:47 CET, Matus UHLAR - fantomas wrote

Priceless? Bullshit. Useless and annoying. Breaks (or at least makes harder)
possibility for private replies.


i won't solve all the world's problems, but it seems reply-to is misused a lot
out there



I sometimes send private reply intentionally, when it is off-topic and/or
something people in this list don't need to see.


reply to a public mailing list in private ?

--
xpoint



Re: How was your holiday weekend spam traffic?

2009-11-30 Thread Benny Pedersen

On man 30 nov 2009 16:08:53 CET, Chris Santerre wrote

I'm not fully awake yet but it looks like my blocking numbers from RBLs
tripled over weekend.


what RBLs are you on ? :)

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: OT - NOT really about Unhindered Pharma Spam

2009-11-30 Thread Charles Gregory

On Mon, 30 Nov 2009, Chris Owen wrote:
Reason plays no role here.  There is nothing you can say that the troll 
won't feed on.  Best to just ignore and move on.


(nod)

Seriously--after his performance the last couple of months just ignore 
him.  Easiest way to make it stop.


(nod again) Now that I think about it, I've probably fallen into the same 
pitfall mentioned earlier. I thought I had long since killfiled all the 
trolls, so I probably got caught up on replying to a reply :)


- C


Re: HABEAS_ACCREDITED SPAMMER

2009-11-30 Thread J.D. Falk

On Nov 25, 2009, at 9:03 AM, Matus UHLAR - fantomas wrote:

 On 25.11.09 03:23, jdow wrote:
 Having a little help might help them maintain a better product.
 But (that bitter word), the basic concept is broken. If the spammer
 can make more money than it costs to get on the Habeas whitelist
 then they will pull the same trick I've seen here in California in the
 construction trades.
 
 Some time ago they used to sue spammers, according to discussion here they
 don't anymore. Maybe that's one of their biggest problems.

Actually, the legal threat over the old X-Habeas header never accomplished 
anything.  It's been much more effective to simply stop whitelisting anyone who 
is sending spam.

--
J.D. Falk jdf...@returnpath.net
Return Path Inc






Re: HABEAS_ACCREDITED SPAMMER

2009-11-30 Thread J.D. Falk
On Nov 25, 2009, at 3:57 AM, Hajdú Zoltán wrote:

 Then whose job? :) Habeas doesn't monitor Your Inbox.
 
 If You have the time to write here just for 'flaming' against a ~good 
 concept...
 ...Maybe it would be a better idea to spend that time on supporting them with 
 Your feedback.

Thanks for the support, but there's no point.  Some of the folks on this list 
are way too angry to ever do anything that might be helpful to others.

--
J.D. Falk jdf...@returnpath.net
Return Path Inc






Re: HABEAS_ACCREDITED SPAMMER

2009-11-30 Thread Thomas Harold

On 11/23/2009 4:37 PM, J.D. Falk wrote:

On Nov 23, 2009, at 6:14 AM, Matus UHLAR - fantomas wrote:


You should complain to ReturnPath. Iirc, HABEAS used to sue
spammers misusing their technology. Don't know if ReturnPath
continues practicing this.


Actually, you're confusing Habeas's first technology (which involved
suing misuse of their copywritten header, and was abandoned years
ago) with their safe list whitelist product, which Return Path now
operates.  Rather than suing them, we'll simply kick 'em off the list
if they don't meet our standards.

http://wiki.apache.org/spamassassin/Rules/HABEAS_ACCREDITED_COI has
some basic info, including an address to complain at if you're
receiving spam from a safelisted IP.



I'm more curious as to why those two rules get such high scores in a 
default SA setup.  Why are they so heavy?


HABEAS_ACCREDITED_COI 0 -8.0 0 -8.0
HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3

(I've turned them down drastically in our configuration to about 1/3 to 
1/4 of their original values.)


Re: HABEAS_ACCREDITED SPAMMER

2009-11-30 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-30 at 12:19 -0700, J.D. Falk wrote:
 On Nov 25, 2009, at 3:57 AM, Hajdú Zoltán wrote:
 
  Then whose job? :) Habeas doesn't monitor Your Inbox.
  
  If You have the time to write here just for 'flaming' against a ~good 
  concept...
  ...Maybe it would be a better idea to spend that time on supporting them 
  with Your feedback.
 
 Thanks for the support, but there's no point.  Some of the folks on this list 
 are way too angry to ever do anything that might be helpful to others.
 
 --
 J.D. Falk jdf...@returnpath.net
 Return Path Inc
 
Perhaps that should read Some of the folks on this list are way too
angry to ever do anything that might be helpful companies who try to
pass off bulk mail in a white list

JD, I appreciate your role is to grease the wheels for you 'legitimate'
bulk mailers and make money, but don't take it personally when people
don't want your rubbish - no matter how much you sex it up.

I do note that the company concerned continues spamming on a daily basis
and remains white listed:

80.75.69.201
sa-accredit.habeas.com
list.dnswl.org

So please, spare me the sob story about what a wonderful idea HABEAS is.
Talk is cheap, action speaks louder than words.



Re: How was your holiday weekend spam traffic?

2009-11-30 Thread Thomas Harold

On 11/30/2009 10:08 AM, Chris Santerre wrote:

I'm just curious this morning. I see a dip in spam trapped, but a pretty
big rise in blocking. I expected a lot worse over the long holiday
weekend. Did someone get arrested or something?

I'm not fully awake yet but it looks like my blocking numbers from RBLs
tripled over weekend.


I haven't looked at what we blocked (we don't block on RBLs at SMTP 
time).  We only block at SMTP time for SMTP servers with bogus or 
non-resolving HELOs.


But looking at the amount of messages that made it past that and scored 
8.0 or higher I'm not seeing much variation.  Thursday was a bit light. 
 Friday was about the same as the previous Friday.  Saturday was the 
same as the previous Saturday.  Sundays are always quiet (comparatively).




Re: FP on blacklist hostkarma

2009-11-30 Thread Marc Perkel



Michael Monnerie wrote:

http://ipadmin.junkemailfilter.com/remove.php?ip=80.245.199.162

I removed that IP now, in order to let pass mail through. But please 
check it. It seems you easily blacklist a host that connects to your 
tarbaby MX, but we had a network outage on our primary MX which 
redirected traffic to your tarbaby.
Please, Marc, don't list hosts just because they connect several times 
to your tarbaby.


mfg zmi
  
I'm investigating it further but what appears is that the IP also failed 
to close the connection with a QUIT.


RE: HABEAS_ACCREDITED SPAMMER

2009-11-30 Thread Michael Hutchinson
 I do note that the company concerned continues spamming on a daily
 basis
 and remains white listed:
 
 80.75.69.201
 sa-accredit.habeas.com
 list.dnswl.org
 
 So please, spare me the sob story about what a wonderful idea HABEAS
 is.
 Talk is cheap, action speaks louder than words.

+1 to that. I can't understand why anyone on this list would still be 
whitelisting Habeas to the tune of 4, or even 8 points after the discussions in 
here. 

There should be no option at all for spammers, and currently Habeas is an 
option for them.

Surely if we (mail admins) wanted something that Habeas is pushing, we can 
enable our own whitelist rules, or whatever to get the mail through. We 
certainly don’t need to start whitelisting an outfit, out-of-the-box, that 
obviously many people don’t trust.

Cheers,
Mike
 



Re: FP on blacklist hostkarma

2009-11-30 Thread Michael Monnerie
On Montag, 30. November 2009 Marc Perkel wrote:
 I'm investigating it further but what appears is that the IP also
  failed  to close the connection with a QUIT.
 
OK, but it really is a legitimate mail server, so shouldn't be listed.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4




Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread John Hardin

On Mon, 30 Nov 2009, Per Jessen wrote:


On 30.11.09 16:41, Per Jessen wrote:

Anyway, how about a way to make spamd refuse to process a message
when it appears to to have any?


MTA is postfix, I call spamd directly using the spamc protocol (but 
not spamc).


I have my own smtp proxy which calls spamd. (amongst other things).


Then that is where the decision to scan or not scan must be made. spamd 
will scan whatever is sent to it.


That proxy shouldn't pass a message to spamd unless it has a Received: 
header, and I would suggest that it should not pass a message to spamd 
unless it has a Received header that was added by the local MTA; otherwise 
you will have to make your SMTP proxy add a fake local Received: header 
for spamd to interpret, including such data as the IP address of the 
client, its rDNS name, etc. - all the information that the _real_ MTA 
would put in the Received: header it adds.


WAG for the cause: you're scanning a message that is direct sender-to-you 
before your local MTA has had a chance to put in the first Received: 
header; in other words your glue is too early. In the messages that fail 
in this manner is there only a single Received: header, for the local MTA 
hop?


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The yardstick you should use when considering whether to support a
  given piece of legislation is what if my worst enemy is chosen to
  administer this law?
---
 15 days until Bill of Rights day


Filter question

2009-11-30 Thread chucker8

Hello,

I'm looking at spamassassin for our company's spam solution. We receive
emails from u...@theirdomain.com, where the domain is correct but the user
would be for instance, Viagra, which does not exist. We need the spam
software to realize that this user does not exist and register the email as
spam.

Is there any way to do this with SpamAssassin?

thanks!



Re: Filter question

2009-11-30 Thread Alex
Hi,

 would be for instance, Viagra, which does not exist. We need the spam
 software to realize that this user does not exist and register the email as
 spam.

You don't need SpamAssassin to do this. Most modern mail servers
(postfix, sendmail, Exchange) can do this by default. Remove the
default forwarding of non-existent addresses from being delivered to a
general postmaster account, and explicitly define all valid addresses
that should receive mail. The rest will bounce.

Regards,
Alex


Re: Filter question

2009-11-30 Thread Thomas Harold

On 11/30/2009 3:32 PM, chucker8 wrote:


Hello,

I'm looking at spamassassin for our company's spam solution. We receive
emails from u...@theirdomain.com, where the domain is correct but the user
would be for instance, Viagra, which does not exist. We need the spam
software to realize that this user does not exist and register the email as
spam.

Is there any way to do this with SpamAssassin?


In general... no.  Unless the other company is willing to give you 
access to their internal list of valid email accounts.


While the SMTP RFCs do support the VRFY command (which would 
technically let you check whether the FROM address exists), probably 
99% of all servers have disabled that command to prevent spammers from 
abusing it to validate their mailing lists.  (See RFC 5321 section 3.5.2 
and 7.3.)




Re: Filter question

2009-11-30 Thread Alex
Hi,

 While the SMTP RFCs do support the VRFY command (which would technically
 let you check whether the FROM address exists), probably 99% of all
 servers have disabled that command to prevent spammers from abusing it to
 validate their mailing lists.  (See RFC 5321 section 3.5.2 and 7.3.)

I just have to ask Did you research that, or do you regularly
recite sections from mail RFCs on a regular basis because you've read
them so many times? :-)

Regards,
Alex


Re: Filter question

2009-11-30 Thread Thomas Harold

On 11/30/2009 4:00 PM, Alex wrote:

Hi,


While the SMTP RFCs do support the VRFY command (which would technically
let you check whether the FROM address exists), probably 99% of all
servers have disabled that command to prevent spammers from abusing it to
validate their mailing lists.  (See RFC 5321 section 3.5.2 and 7.3.)


I just have to ask Did you research that, or do you regularly
recite sections from mail RFCs on a regular basis because you've read
them so many times? :-)


Yes!

When I type in RFC in the Firefox address bar, RFC 5321 pops up as the 
first choice.  With a link to section 3.5.2 as the 2nd choice.  So I 
guess that's a clue that I'm having to read them too many times.


Most of the time, it's because I'm trying to get a postmaster to fix 
their broken HELO/EHLO address so we don't have to whitelist them anymore.


Other times, I double-check the RFCs to see whether I'm (hopefully) 
understanding things correctly and haven't overlooked something.


I've also been doing a lot of mail server tuning and configuration in 
the past month, so I have RFC 5321 on the brain.


Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
John Hardin wrote:

 That proxy shouldn't pass a message to spamd unless it has a Received:
 header, and I would suggest that it should not pass a message to spamd
 unless it has a Received header that was added by the local MTA;

A message will always have one of those.  That is what is so
mind-boggling.

 In the messages that fail in this manner is there only a single
 Received: header, for the local MTA hop?

Yep.  That's the one I'm absolutely certain must be present. 


/Per Jessen, Zürich



Re: How was your holiday weekend spam traffic?

2009-11-30 Thread Blaine Fleming

Chris Santerre wrote:
 I'm just curious this morning. I see a dip in spam trapped, but a pretty
 big rise in blocking. I expected a lot worse over the long holiday
 weekend. Did someone get arrested or something?

Since last Wednesday I show about a 25% reduction in my spamtraps but a
30% increase in delivery attempts to my actual mail servers.  First
glance looks like the botnets slowed down but the snowshoe picked up.

This might warrant further investigation...

--Blaine



Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread John Hardin

On Mon, 30 Nov 2009, Per Jessen wrote:


John Hardin wrote:

That proxy shouldn't pass a message to spamd unless it has a Received: 
header, and I would suggest that it should not pass a message to spamd 
unless it has a Received header that was added by the local MTA;


A message will always have one of those.  That is what is so 
mind-boggling.


No, there are circumstances when it won't. The MUA generally does not add 
a Received: header when it composes the message headers for a new message, 
it's up to the MTAs to do that. So the message sent from the MUA to the 
first MTA will likely not have a Received: header (modulo forgery, of 
course, and things like webmail MUAs).


What's odd here is it sounds like you're describing messages that have 
been received from a third-party MTA rather than an external MUA, so they 
_should_ have a Received: header added by that MTA.



In the messages that fail in this manner is there only a single
Received: header, for the local MTA hop?


Yep.  That's the one I'm absolutely certain must be present.


Yes, but that one is only present _after_ your local MTA has added it. If 
you are intercepting inbound mail prior to your MTA (as it sounds like 
you're doing with your proxy) then it's very possible you will see 
messages without any Received: header.


Seeing the headers from one of these would be helpful, can you post a 
sample? Body not needed. What I'm looking for is the presence of any 
Received: header not added by _your_ MTA. I would wager that the 
problematic messages when examined in your queue will only have one 
Received: header.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Mine eyes have seen the horror of the voting of the horde;
  They've looted the fromagerie where guv'ment cheese is stored;
  If war's not won before the break they grow so quickly bored;
  Their vote counts as much as yours.  -- Tam
---
 15 days until Bill of Rights day


Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread David B Funk
On Mon, 30 Nov 2009, Per Jessen wrote:

 John Hardin wrote:

  That proxy shouldn't pass a message to spamd unless it has a Received:
  header, and I would suggest that it should not pass a message to spamd
  unless it has a Received header that was added by the local MTA;

 A message will always have one of those.  That is what is so
 mind-boggling.

  In the messages that fail in this manner is there only a single
  Received: header, for the local MTA hop?

 Yep.  That's the one I'm absolutely certain must be present.

The sendmail 'milter' interface receives a copy of the raw incoming
message before the MTA adds any headers to it. So if you're using a
'milter' type mechanism to glue SA into your mail system, your milter
will need to explicitly synthesize and add a Received: header
to mimic the one that the MTA adds to the main message.

I don't know anything about the postfix smtp proxy that the OP
has so not sure if the above issue is involved in current situation.


-- 
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.edu    College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
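
The gate John Hardin and David B Funk describe above, as an added example that is not part of either post or of SpamAssassin: glue in front of spamd that scans a message as-is only when its topmost Received: header was written by the local MTA, and otherwise prepends a synthesized one. The host name mx.example.org, the function names, the Postfix-like header layout and the sample messages are assumptions constructed for illustration.

```python
from __future__ import annotations

import re
from email import policy
from email.parser import BytesHeaderParser
from email.utils import formatdate

# Assumption: the name our own MTA writes in the "by" clause of Received:.
LOCAL_MTA = "mx.example.org"

BY_CLAUSE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)


def received_headers(raw: bytes) -> list[str]:
    """Return the unfolded Received: values, topmost (most recent hop) first."""
    msg = BytesHeaderParser(policy=policy.compat32).parsebytes(raw)
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]


def top_hop_is_local(raw: bytes, local_mta: str = LOCAL_MTA) -> bool:
    """True only if the newest Received: header was written by our own MTA."""
    hops = received_headers(raw)
    if not hops:
        return False
    m = BY_CLAUSE.search(hops[0])
    return m is not None and m.group(1).rstrip(".").lower() == local_mta.lower()


def clean(token: str | None) -> str:
    """HELO and rDNS are chosen by the client, so keep only characters that
    cannot end the header line or start a new header."""
    return re.sub(r"[^A-Za-z0-9.\-_:\[\]]", "", token or "") or "unknown"


def synth_received(client_ip, client_rdns, helo,
                   local_mta: str = LOCAL_MTA, when=None) -> bytes:
    """Build the hop the real MTA would have recorded: HELO, rDNS, client IP."""
    line = (
        f"Received: from {clean(helo)} ({clean(client_rdns)} [{clean(client_ip)}])\r\n"
        f"\tby {local_mta} with SMTP; {formatdate(when)}\r\n"
    )
    return line.encode("ascii")


def prepare_for_spamd(raw: bytes, client_ip, client_rdns, helo,
                      local_mta: str = LOCAL_MTA, when=None):
    """Return (action, message) for the glue that sits in front of spamd."""
    if top_hop_is_local(raw, local_mta):
        return "scan", raw  # queued by our MTA, relay information is present
    header = synth_received(client_ip, client_rdns, helo, local_mta, when)
    return "synthesized", header + raw


# Constructed sample: taken from the queue, local hop already stamped.
SAMPLE_QUEUED = (
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx.example.org with ESMTP id 4F1A2B; Mon, 30 Nov 2009 21:00:00 +0100\r\n"
    b"From: alice@sender.example\r\nSubject: queued\r\n\r\nbody\r\n"
)
# Constructed sample: seen before the local MTA added anything (milter-style glue).
SAMPLE_PREQUEUE = b"From: bob@sender.example\r\nSubject: raw\r\n\r\nbody\r\n"
# Constructed sample: only a third-party hop is recorded, ours is missing.
SAMPLE_RELAYED = (
    b"Received: from ws1.sender.example (ws1.sender.example [192.0.2.55])\r\n"
    b"\tby mail.sender.example with ESMTP; Mon, 30 Nov 2009 20:59:58 +0100\r\n"
    + SAMPLE_PREQUEUE
)

if __name__ == "__main__":
    samples = {"queued": SAMPLE_QUEUED, "prequeue": SAMPLE_PREQUEUE,
               "relayed": SAMPLE_RELAYED}
    for name, raw in samples.items():
        action, out = prepare_for_spamd(
            raw, "192.0.2.10", "mail.sender.example", "mail.sender.example")
        print(f"{name:9s} {action:12s} hops={len(received_headers(out))}")
```

Logging every "synthesized" result shows how often the glue really sees a message without the local hop, which is the question the thread is trying to settle.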


Re: FP on blacklist hostkarma

2009-11-30 Thread Raymond Dijkxhoorn

Hi!


I'm investigating it further but what appears is that the IP also
failed  to close the connection with a QUIT.



OK, but it really is a legitimate mail server, so shouldn't be listed.


So if you have a crappy connection towards your mailserver Marc you can 
get listed, that's rather funny, and annoying. Connections do break also 
when not running a botnet... pfff


Bye,
Raymond.


Re: HABEAS_ACCREDITED SPAMMER

2009-11-30 Thread jdow

From: rich...@buzzhost.co.uk
Sent: Monday, 2009/November/30 11:38



On Mon, 2009-11-30 at 12:19 -0700, J.D. Falk wrote:

On Nov 25, 2009, at 3:57 AM, Hajdú Zoltán wrote:

 Then whose job? :) Habeas doesn't monitor Your Inbox.

 If You have the time to write here just for 'flaming' against a ~good 
 concept...
 ...Maybe it would be a better idea to spend that time on supporting 
 them with Your feedback.


Thanks for the support, but there's no point.  Some of the folks on this 
list are way too angry to ever do anything that might be helpful to 
others.


--
J.D. Falk jdf...@returnpath.net
Return Path Inc


Perhaps that should read Some of the folks on this list are way too
angry to ever do anything that might be helpful companies who try to
pass off bulk mail in a white list

JD, I appreciate your role is to grease the wheels for you 'legitimate'
bulk mailers and make money, but don't take it personally when people
don't want your rubbish - no matter how much you sex it up.

I do note that the company concerned continues spamming on a daily basis
and remains white listed:

80.75.69.201
sa-accredit.habeas.com
list.dnswl.org

So please, spare me the sob story about what a wonderful idea HABEAS is.
Talk is cheap, action speaks louder than words.


That seems to be my biggest problem with the whitelist concept. Its
reaction time is too limited. Maybe what I should do is leave the
whitelisting enabled and use a meta rule to cancel it out if any of the
block lists hit.

Of course, a problem I've always admired those running ISP spam filters for
willingly and at least partially successfully facing is the simple fact that
one person's spam is another person's ham. I've often found that whitelists are
far broader, for that reason, than I am.

{^_^} 



Re: HABEAS_ACCREDITED SPAMMER

2009-11-30 Thread John Hardin

On Mon, 30 Nov 2009, jdow wrote:


I've often found that ... are far broader ... than I am.

{^_^}


... must ... resist ... straight ... line ... NNN!

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 15 days until Bill of Rights day


Re: Filter question

2009-11-30 Thread Benny Pedersen

On man 30 nov 2009 21:36:09 CET, Alex wrote


You don't need SpamAssassin to do this. Most modern mail servers
(postfix, sendmail, Exchange) can do this by default. Remove the
default forwarding of non-existent addresses from being delivered to a
general postmaster account, and explicitly define all valid addresses
that should receive mail. The rest will bounce.


i hope you meant REJECT !


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Filter question

2009-11-30 Thread Benny Pedersen

On man 30 nov 2009 21:54:37 CET, Thomas Harold wrote
In general... no.  Unless the other company is willing to give you  
access to their internal list of valid email accounts.


well there is no point for spamassassin to know if a sender is a valid
recipient or not, what counts for spamassassin is, is it spam, yes or
no


for an mta that accepts catchall, spamassassin just has more work to do

While the SMTP RFCs do support the VRFY command (which would  
technically let you check whether the FROM address exists),  
probably 99% of all servers have disabled that command to prevent  
spammers from abusing it to validate their mailing lists.  (See RFC  
5321 section 3.5.2 and 7.3.)


and what happened is spammers just send to random email addresses and
discover user not found ?, nothing the mta can do about this


postfix reject_unverified_sender does a vrfy ?, if the remote has vrfy
disabled it tries even harder to use rcpt to


i am unsure if postfix really does it or not

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Filter question

2009-11-30 Thread Wolfgang Zeikat

Benny Pedersen wrote:


postfix reject_unverified_sender does a vrfy


Nope. It opens an SMTP connection and waits what the receiving MTA 
answers to RCPT TO


Then it closes the connection.

That is not vrfy.

Hope this helps,

wolfgang




Re: FP on blacklist hostkarma

2009-11-30 Thread Benny Pedersen

On tir 01 dec 2009 00:51:38 CET, Raymond Dijkxhoorn wrote
So if you have a crappy connection towards your mailserver Marc you  
can get listed, that's rather funny, and annoying. Connections do  
break also when not running a botnet... pfff


maybe i am dumb, but what do you mean by the above ?

if my internet connection is down for 30 days i get listed for not
being in service ?, how magical can my ip change when it's static ?


worst case of admins is ones that accept mail from localhost as not spam

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: FP on blacklist hostkarma

2009-11-30 Thread d . hill

Quoting Benny Pedersen m...@junc.org:


On tir 01 dec 2009 00:51:38 CET, Raymond Dijkxhoorn wrote
So if you have a crappy connection towards your mailserver Marc you  
can get listed, that's rather funny, and annoying. Connections do  
break also when not running a botnet... pfff


maybe i am dumb, but what do you mean by the above ?

if my internet connection is down for 30 days i get listed for not
being in service ?, how magical can my ip change when it's static ?


worst case of admins is ones that accept mail from localhost as not spam


I believe Raymond's response was addressing the fact a server  
connection could possibly be interrupted before it had a chance to  
issue the SMTP QUIT command. I would think being listed for that alone  
would be ridiculous.




Re: FP on blacklist hostkarma

2009-11-30 Thread Benny Pedersen

On tir 01 dec 2009 02:16:04 CET,  wrote
I believe Raymond's response was addressing the fact a server  
connection could possibly be interrupted before it had a chance to  
issue the SMTP QUIT command. I would think being listed for that  
alone would be ridiculous.


if it's this i would agree, can't exim see diff in not sending quit or
drop connection ?


postfix have lost connection, spam sign ?

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Scoring for DATE_IN_FUTURE_96_XX

2009-11-30 Thread Thomas Harold

While looking at the scores in 50_scores.cf, I noticed the following:

score DATE_IN_FUTURE_03_06 2.303 0.416 1.461 0.274
score DATE_IN_FUTURE_06_12 3.099 3.099 2.136 1.897
score DATE_IN_FUTURE_12_24 3.300 3.299 3.000 2.189
score DATE_IN_FUTURE_24_48 3.599 2.800 3.599 3.196
score DATE_IN_FUTURE_48_96 3.199 3.182 3.199 3.199
score DATE_IN_FUTURE_96_XX 3.899 3.899 2.598 1.439

Why does the 96+ hour rule score so much lower than the 48-96 hour test 
for the last two entries?


(I'm also wondering if there should be an even higher score rule for 
stuff over 168 hours in the future or past.)


Re: Scoring for DATE_IN_FUTURE_96_XX

2009-11-30 Thread Thomas Harold

On 11/30/2009 9:27 PM, Thomas Harold wrote:

While looking at the scores in 50_scores.cf, I noticed the following:

score DATE_IN_FUTURE_03_06 2.303 0.416 1.461 0.274
score DATE_IN_FUTURE_06_12 3.099 3.099 2.136 1.897
score DATE_IN_FUTURE_12_24 3.300 3.299 3.000 2.189
score DATE_IN_FUTURE_24_48 3.599 2.800 3.599 3.196
score DATE_IN_FUTURE_48_96 3.199 3.182 3.199 3.199
score DATE_IN_FUTURE_96_XX 3.899 3.899 2.598 1.439

Why does the 96+ hour rule score so much lower than the 48-96 hour test
for the last two entries?

(I'm also wondering if there should be an even higher score rule for
stuff over 168 hours in the future or past.)


I did dig up the following thread from back in Oct '06...

http://mail-archives.apache.org/mod_mbox/spamassassin-users/200611.mbox/browser

I'm guessing that what it boils down to is contained in the wiki page? 
The spam is better off caught by another rule once network tests are 
allowed?


http://wiki.apache.org/spamassassin/HowScoresAreAssigned


Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).

2009-11-30 Thread Per Jessen
John Hardin wrote:

 On Mon, 30 Nov 2009, Per Jessen wrote:
 
 John Hardin wrote:

 That proxy shouldn't pass a message to spamd unless it has a
 Received: header, and I would suggest that it should not pass a
 message to spamd unless it has a Received header that was added by
 the local MTA;

 A message will always have one of those.  That is what is so
 mind-boggling.
 
 No, there are circumstances when it won't.  The MUA generally does not 
 add a Received: header when it composes the message headers for a new
 message, it's up to the MTAs to do that. So the message sent from the
 MUA to the first MTA will likely not have a Received: header (modulo
 forgery, of course, and things like webmail MUAs).

The MUA will start a conversation with my first smtpd - that will cause
a Received: header to be added.  The message is then queued, to be
picked up by the smtp proxy which invokes spamd.  In this situation,
there will always be at least one Received: header. 

 What's odd here is it sounds like you're describing messages that have
 been received from a third-party MTA rather than an external MUA, so
 they _should_ have a Received: header added by that MTA.

Yes, most would be coming from a third-party MTA - except for most of
the spam :-)

 In the messages that fail in this manner is there only a single
 Received: header, for the local MTA hop?

 Yep.  That's the one I'm absolutely certain must be present.
 
 Yes, but that one is only present _after_ your local MTA has added it.

Correct.

 If you are intercepting inbound mail prior to your MTA (as it sounds
 like you're doing with your proxy) then it's very possible you will
 see messages without any Received: header.

No, the message is queued first, then passed to spamd.

 Seeing the headers from one of these would be helpful, can you post a
 sample? Body not needed. What I'm looking for is the presence of any
 Received: header not added by _your_ MTA. I would wager that the
 problematic messages when examined in your queue will only have one
 Received: header.

Here is one example:  http://jessen.ch/files/email77

The really weird thing is that when I run that through SA manually
with spamassassin -t -x , there is no problem.  That's why I'd like
to have something like score  NO_RELAYS die to make spamd quit
processing it. 


/Per Jessen, Zürich