Re: emailreg.org - tainted white list
Last week the blackhats that make up the '$pamAssassin PMC' sought to silence people who object to paid whitelists appearing in the core program which seek to give advantage to certain ESP's. vocal in the odd behaviour of the program. Namely those listed in whitelist 'Habeas' (a river flowing back to Return Path) are given a negative score to grease the wheels for the delivery of their UCE. Now that the dust has settled the Barracuda Marketing Machine (who appear to have some financial connection with Apache - {citation: http://www.barracudanetworks.com/ns/company/open-source.php} and probably have people sitting on the PMC) takes the chance to rear it's ugly arse and begin redo the spin out it's own pay to spam whitelist emailreg.org. emailreg.org may form part of a discussion in a spam list, but it is off topic for the Spamassassin list. Whilst Bob O Brian @ Barracuda trying to distance Barracuda from a direct connection may fool some, sensible people involved in anti-spam know full well this is a Barracuda product thinly garnished as something else. Sensible people also know that the Barracuda owner Micheal Perone is claimed to be a known former spammer: (citation: http://www.rhyolite.com/anti-spam/objections/mperone.shtml) Barracuda Spam 'and virus' Firewall hardware (a cobbled together mix of free open source software and largely free rules/virus definitions) by default passes emailreg.org registered mail. There is *no* facility for the owner of the Barracuda to disable this without calling Barracuda Support. Contrast this to the Barracuda Whitelist, which has a check box to turn it on/off. It is fair to suggest this obmission is because Barracuda *don't want* users turning off emailreg.org. 
The Barracuda White List from Decemeber 2009 is posted elsewhere if you are interested in a 'who's who':

http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/a9f757e7a2ee38d5#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/2745f741838c23ea#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/ce79b2349a83a2d5#

The Barracuda machine is now trying to suggest that emailreg.org is of the calibre of Habeas. It is not. It is a pay to spam service and deserves no place in the Spamassassin ruleset OTHER than to INCREASE the score of mail. Whilst some halfbread moron has suggested giving emailreg.org a -100 score (compared to -4 for Habeas) the better rule is posted below.

PEOPLE READING THIS LIST BE VERY AWARE DARK FORCES ARE AT WORK HERE TO DISCREDIT AND STRIKE VIEWS THAT EFFECT REVENUE. SPAMASSASSIN IS AS MUCH ABOUT MAKING MONEY AS IT IS ABOUT BLOCKING SPAM - KEEP YOUR EYES OPEN TO THE DARK FORCES THAT USE SPAMASSASSIN TO FACILITATE THE DELIVERY OF PAID FOR, JUNK COMMERCIAL MAIL. DON'T BE BLIND TO THE POWER WEILDED BY RETURN PATH, BARRACUDA AND OTHERS IN WINING AND DINING Daryl C. W. O'Shea.

Suggested sensible Spamassassin Rule for emailreg.org:

header __RCVD_IN_EMAILREG eval:check_rbl('emailreg-trusted', 'resl.emailreg.org.')
header RCVD_IN_EMAILREG_0 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.0')
describe RCVD_IN_EMAILREG_0 Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_0 black hat
header RCVD_IN_EMAILREG_1 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.1')
describe RCVD_IN_EMAILREG_1 Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_1 black hat
score RCVD_IN_EMAILREG_0 30
score RCVD_IN_EMAILREG_1 30

--
This e-mail and any attachments may form pure opinion and may not have any factual foundation. Please check any details provided to satisfy yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information you have provided to other partner organisations.
Re: emailreg.org - permission to spamassassin masscheck?
Warren Togami wrote: I'm pretty sure this only queries only by IP address. IP address and domain name combined can be significantly more fine grained on some mail providers, so we might be better off waiting until spamassassin is capable of querying in their preferred manner before adding it to masschecks. Apparently you can't query the list until you've registered the IP address of your DNS resolvers with them. This means, it can't be included as standard in SpamAssassin. However, I can't figure out how to do that... On http://www.emailreg.org/index.cgi?p=policy it says: The Registered Email Sender List is available to everyone that would like to utilize it. In order to obtain access you need to register a domain. Once you have registered a domain you will be able to specify the IP addresses that you would like to have query the RESL. So you have to register a domain before you can register your IPs... It then goes on to say: Note that there is no charge for USE of the RESL data via this DNS query system. If you would like to use the RESL without registering a domain you may do so by registering HERE. So you don't have to register a domain before you can register your IPs... Which is it? Do I have to register a domain, or don't I? So I signed up for an account and all I see is an option to register my domains with them, and that costs money... I see no option for registering the IPs of my resolvers. -- Mike Cardwell - IT Consultant and LAMP developer Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/ Technical Blog: https://secure.grepular.com/blog/
Re: emailreg.org - tainted white list
Christian Brel, AKA rich...@buzzhost.co.uk (among other aliases), is back... Bill
Setting Up Additional User with SA
I've read the FAQ and Wiki without seeing an answer to my question. The answer may very well be in a document I've not examined; if it is, please point me to it. Here's the situation: SpamAssassin-3.2.5 is installed here and works well for me with our postfix MTA. We have two users here: me and my wife. I read mail on the server/workstation using alpine and she reads it on her laptop using seamonkey. When spam gets through to my inbox I save it in 'spam-uncaught' and once a week run 'sa-learn' with those messages as '--spam.' Works well for me. My question is what I need to do to set up the equivalent abilities on my wife's laptop (running xubuntu-9.10). Do I need to install SA on her machine, too, or is there a way to filter her mail through the server's installation? Pointers, guidance, and suggestions are needed. TIA, Rich
Re: emailreg.org - tainted white list
On 14-Dec-2009, at 07:59, Bill Landry wrote: Christian Brel, AKA rich...@buzzhost.co.uk (among other aliases), is back… Ah, that explains the tone and typo pattern of that email. While I am suspicious of emailreg.org and Barracuda's ties to each other I am not moving to a shack in Montana because of it, if you know what I mean. Personally, I am not going to waste the processor cycles checking emailreg AT ALL, so I am not going to score up emails on the whitelist either. Now, if other more … levelheaded users of this list find that a slight positive nudge is worthwhile I'm certainly willing to reconsider. Thirty points in one rule? Do I look like I'm wearing a tinfoil hat? DARK FORCES indeed. -- Well boys, we got three engines out, we got more holes in us than a horse trader's mule, the radio is gone and we're leaking fuel and if we was flying any lower why we'd need sleigh bells on this thing... but we got one little budge on those Roosskies. At this height why they might harpoon us but they dang sure ain't gonna spot us on no radar screen!
Re: emailreg.org - tainted white list
Christian Brel wrote: Last week the blackhats that make up the '$pamAssassin PMC' sought to silence people who object to paid whitelists appearing in the core program which seek to give advantage to certain ESP's. vocal in the odd behaviour of the program. Namely those listed in whitelist 'Habeas' (a river flowing back to Return Path) are given a negative score to grease the wheels for the delivery of their UCE. Now that the dust has settled the Barracuda Marketing Machine (who appear to have some financial connection with Apache - {citation: http://www.barracudanetworks.com/ns/company/open-source.php} and probably have people sitting on the PMC) takes the chance to rear it's ugly arse and begin redo the spin out it's own pay to spam whitelist emailreg.org. emailreg.org may form part of a discussion in a spam list, but it is off topic for the Spamassassin list. Whilst Bob O Brian @ Barracuda trying to distance Barracuda from a direct connection may fool some, sensible people involved in anti-spam know full well this is a Barracuda product thinly garnished as something else. Sensible people also know that the Barracuda owner Micheal Perone is claimed to be a known former spammer: (citation: http://www.rhyolite.com/anti-spam/objections/mperone.shtml) Barracuda Spam 'and virus' Firewall hardware (a cobbled together mix of free open source software and largely free rules/virus definitions) by default passes emailreg.org registered mail. There is *no* facility for the owner of the Barracuda to disable this without calling Barracuda Support. Contrast this to the Barracuda Whitelist, which has a check box to turn it on/off. It is fair to suggest this obmission is because Barracuda *don't want* users turning off emailreg.org. 
The Barracuda White List from Decemeber 2009 is posted elsewhere if you are interested in a 'who's who':

http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/a9f757e7a2ee38d5#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/2745f741838c23ea#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/ce79b2349a83a2d5#

The Barracuda machine is now trying to suggest that emailreg.org is of the calibre of Habeas. It is not. It is a pay to spam service and deserves no place in the Spamassassin ruleset OTHER than to INCREASE the score of mail. Whilst some halfbread moron has suggested giving emailreg.org a -100 score (compared to -4 for Habeas) the better rule is posted below.

PEOPLE READING THIS LIST BE VERY AWARE DARK FORCES ARE AT WORK HERE TO DISCREDIT AND STRIKE VIEWS THAT EFFECT REVENUE. SPAMASSASSIN IS AS MUCH ABOUT MAKING MONEY AS IT IS ABOUT BLOCKING SPAM - KEEP YOUR EYES OPEN TO THE DARK FORCES THAT USE SPAMASSASSIN TO FACILITATE THE DELIVERY OF PAID FOR, JUNK COMMERCIAL MAIL. DON'T BE BLIND TO THE POWER WEILDED BY RETURN PATH, BARRACUDA AND OTHERS IN WINING AND DINING Daryl C. W. O'Shea.

Well, I started the emailreg thread and I'm technically a competitor of Barracuda's so I'm not part of the machine. I would also point out that SA allows you to assign scores however you want. So if you want to pass spam and block ham SA can do that. Personally I'm interested in blocking spam and keeping my customers happy.

Although I can appreciate the slippery slope argument, the way I see it, if anyone starts selling white listing to spammers then that would taint their list and no one would use their white list anymore. We (and I really mean me) use only that which actually works. So if people sold out to spammers then their list would stop working and would come out of my rule set.

As to your published list of some Barracuda data, that's a rather small list. Looks like something that would pass my white list too. So I don't see your point in publishing it in that it doesn't make your point.

I think everyone knows that emailreg is linked to Barracuda. In my opinion that's a good thing because they have a vast network of spam filtering servers and can instantly detect if a spammer has bought into their emailreg and instantly remove them and keep the $20 of the bad guy's money.

But - regardless of the politics and religion, I started the thread to discuss technical issues and looking for some technical response.

And - in closing - SA focuses too much on detecting spam and not enough on detecting ham. One of the ways I got my false positives down to almost nothing is by actively detecting ham. And in many cases this is easier because those sending nothing but ham are not trying to be evasive and are fairly easy to discover.
Re: Setting Up Additional User with SA
Rich Shepard wrote: I've read the FAQ and Wiki without seeing an answer to my question. The answer may very well be in a document I've not examined; if it is, please point me to it. Here's the situation: SpamAssassin-3.2.5 is installed here and works well for me with our postfix MTA. We have two users here: me and my wife. I read mail on the server/workstation using alpine and she reads it on her laptop using seamonkey. When spam gets through to my inbox I save it in 'spam-uncaught' and once a week run 'sa-learn' with those messages as '--spam.' Works well for me. My question is what I need to do to set up the equivalent abilities on my wife's laptop (running xubuntu-9.10). Do I need to install SA on her machine, too, or is there a way to filter her mail through the server's installation? That depends on how she is getting the mail. If she is using IMAP, then you can just set up a folder and it will work just like yours does since everything remains on the server with IMAP. If she is using POP3, then you'll have to get more creative. I would be tempted to create a folder for her to use and then add a script to cron to copy the emails over to the server on a regular basis so they can be learned. -- Bowie
Re: emailreg.org - tainted white list
LuKreme wrote: On 14-Dec-2009, at 07:59, Bill Landry wrote: Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases), is back… Ah, that explains the tone and typo pattern of that email. While I am suspicious of emailreg.org and Barracuda's ties to each other I am not moving to a shack in Montana because of it, if you know what I mean. Personally, I am not going to waste the processor cycles checking emailreg AT ALL, so I am not going to score up emails on the whitelist either. Now, if other more … levelheaded users of this list find that a slight positive nudge is worthwhile I'm certainly willing to reconsider. Thirty points in one rule? Do I look like I'm wearing a tinfoil hat? DARK FORCES indeed. If you think about it, if Barracuda, a spam filtering company, started selling access to spammers, how long do you think Barracuda would stay in business. Their customers who got the spam would move elsewhere. So I really don't think that Barracuda is going to sell out their main business to make $20 off of a few spammers.
Re: emailreg.org - tainted white list
On Mon, 14 Dec 2009 07:28:22 -0800 Marc Perkel m...@perkel.com wrote: If you think about it, if Barracuda, a spam filtering company, started selling access to spammers, how long do you think Barracuda would stay in business. To quote Dean Drako of Barracuda on a 2008 visit to the UK Just sell them anything and we will worry about it afterwards Draw your own conclusions. Their customers who got the spam would move elsewhere. So I really don't think that Barracuda is going to sell out their main business to make $20 off of a few spammers. If it's so clear cut, why is the option for the owner of the said Barracuda spam device *not* able to disable emailreg.org, but they *can* disable the Barracuda whitelist 'proper'? When asked on this point Justin O Brien of Barracuda said 'We don't want them switching it off'. Why? Possibly because it is a paid to spam, pay to bypass Barracuda list??? If you expand that into Spamassassin then that really is going to look corrupt. Please at least try and disguise it a little bit better than that, FFS. Don't underestimate those $20 payments. The last time I looked scale of economy was alive and well given sufficient market. Drako, Perone et al don't do anything unless there is more than the price of a cup of tea in it for them. I'm sorry if people take offence to that, but it has foundations in reality. A place that seems to scare some people. -- This e-mail and any attachments may form pure opinion and may not have any factual foundation. Please check any details provided to satisfy yourself as to suitability or accuracy of any information provided. Data Protection: Unless otherwise requested we may pass the information you have provided to other partner organisations.
Re: Setting Up Additional User with SA
On Mon, 14 Dec 2009, Bowie Bailey wrote: That depends on how she is getting the mail. If she is using IMAP, then you can just set up a folder and it will work just like yours does since everything remains on the server with IMAP. If she is using POP3, then you'll have to get more creative. I would be tempted to create a folder for her to use and then add a script to cron to copy the emails over to the server on a regular basis so they can be learned. Bowie, We use POP3 here (qpopper, in fact). If I correctly understand your suggestion, I add a subdirectory to her ~/ called, like mine 'spam-uncaught'. She saves spam messages there, then cron will scp that file to the server where I can run sa-learn on them (or have cron do that, too). That'll work. Many thanks, Rich
Re: emailreg.org - tainted white list
-1 /dev/null? Let's see if he earns it. {^_^} - Original Message - From: Christian Brel brel.spamassassin091...@copperproductions.co.uk To: users@spamassassin.apache.org Sent: Monday, 2009/December/14 01:54 Subject: Re: emailreg.org - tainted white list Last week the blackhats that make up the '$pamAssassin PMC' sought to silence people who object to paid whitelists appearing in the core program which seek to give advantage to certain ESP's. vocal in the odd behaviour of the program. Namely those listed in whitelist 'Habeas' (a river flowing back to Return Path) are given a negative score to grease the wheels for the delivery of their UCE. Now that the dust has settled the Barracuda Marketing Machine (who appear to have some financial connection with Apache - {citation: http://www.barracudanetworks.com/ns/company/open-source.php} and probably have people sitting on the PMC) takes the chance to rear it's ugly arse and begin redo the spin out it's own pay to spam whitelist emailreg.org. emailreg.org may form part of a discussion in a spam list, but it is off topic for the Spamassassin list. Whilst Bob O Brian @ Barracuda trying to distance Barracuda from a direct connection may fool some, sensible people involved in anti-spam know full well this is a Barracuda product thinly garnished as something else. Sensible people also know that the Barracuda owner Micheal Perone is claimed to be a known former spammer: (citation: http://www.rhyolite.com/anti-spam/objections/mperone.shtml) Barracuda Spam 'and virus' Firewall hardware (a cobbled together mix of free open source software and largely free rules/virus definitions) by default passes emailreg.org registered mail. There is *no* facility for the owner of the Barracuda to disable this without calling Barracuda Support. Contrast this to the Barracuda Whitelist, which has a check box to turn it on/off. It is fair to suggest this obmission is because Barracuda *don't want* users turning off emailreg.org. 
The Barracuda White List from Decemeber 2009 is posted elsewhere if you are interested in a 'who's who':

http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/a9f757e7a2ee38d5#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/2745f741838c23ea#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/ce79b2349a83a2d5#

The Barracuda machine is now trying to suggest that emailreg.org is of the calibre of Habeas. It is not. It is a pay to spam service and deserves no place in the Spamassassin ruleset OTHER than to INCREASE the score of mail. Whilst some halfbread moron has suggested giving emailreg.org a -100 score (compared to -4 for Habeas) the better rule is posted below.

PEOPLE READING THIS LIST BE VERY AWARE DARK FORCES ARE AT WORK HERE TO DISCREDIT AND STRIKE VIEWS THAT EFFECT REVENUE. SPAMASSASSIN IS AS MUCH ABOUT MAKING MONEY AS IT IS ABOUT BLOCKING SPAM - KEEP YOUR EYES OPEN TO THE DARK FORCES THAT USE SPAMASSASSIN TO FACILITATE THE DELIVERY OF PAID FOR, JUNK COMMERCIAL MAIL. DON'T BE BLIND TO THE POWER WEILDED BY RETURN PATH, BARRACUDA AND OTHERS IN WINING AND DINING Daryl C. W. O'Shea.

Suggested sensible Spamassassin Rule for emailreg.org:

header __RCVD_IN_EMAILREG eval:check_rbl('emailreg-trusted', 'resl.emailreg.org.')
header RCVD_IN_EMAILREG_0 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.0')
describe RCVD_IN_EMAILREG_0 Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_0 black hat
header RCVD_IN_EMAILREG_1 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.1')
describe RCVD_IN_EMAILREG_1 Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_1 black hat
score RCVD_IN_EMAILREG_0 30
score RCVD_IN_EMAILREG_1 30

--
This e-mail and any attachments may form pure opinion and may not have any factual foundation. Please check any details provided to satisfy yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information you have provided to other partner organisations.
Re: Setting Up Additional User with SA
Rich Shepard wrote: We use POP3 here (qpopper, in fact). If I correctly understand your suggestion, I add a subdirectory to her ~/ called, like mine 'spam-uncaught'. She saves spam messages there, then cron will scp that file to the server where I can run sa-learn on them (or have cron do that, too). Exactly. That'll work. Many thanks, Glad to help. -- Bowie
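The cron-and-scp arrangement agreed on above could look like the script below. It is an added example, not code from either poster; the host name mailserver, the sa-incoming drop directory, the script name sa-feed.sh and key-based SSH login for the cron job are all assumptions. The laptop copies the folder rather than moving it, so the mail client's file is never modified, and sa-learn skips messages it has already learned.

```shell
#!/bin/sh
# sa-feed.sh - added example, not from the thread.
# Assumed: the mail client keeps 'spam-uncaught' as a single mbox file, the
# server is reachable as "mailserver", and uploads land in ~/sa-incoming.
#
# laptop crontab:  0 20 * * 0   sh sa-feed.sh push /path/to/spam-uncaught mailserver sa-incoming
# server crontab:  30 20 * * 0  sh sa-feed.sh learn "$HOME/sa-incoming"
# Run the server job as the account whose Bayes database filters her mail.

# Commands are held in variables so they can be replaced for a dry run.
SCP=${SCP:-scp}
SSH=${SSH:-ssh}
SA_LEARN=${SA_LEARN:-sa-learn}

# is_mbox FILE: true when FILE is non-empty and starts with an mbox "From " line.
is_mbox() {
    [ -s "$1" ] || return 1
    case $(head -n 1 "$1") in
        "From "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Laptop side: push_spam MBOX HOST REMOTE_DIR
# REMOTE_DIR is relative to the remote home directory. The file is uploaded
# under a temporary name and renamed afterwards, so the server never learns
# from a half-transferred file. The local folder is left untouched.
push_spam() {
    mbox=$1 host=$2 dir=$3
    is_mbox "$mbox" || return 0            # nothing saved since last run
    name="spam-$(date +%Y%m%d%H%M%S).mbox"
    "$SCP" -q "$mbox" "$host:$dir/$name.part" || return 1
    "$SSH" "$host" "mv '$dir/$name.part' '$dir/$name'"
}

# Server side: learn_incoming DIR
# Feeds every complete upload to sa-learn. Learned files are deleted; files
# that are not mbox, or that sa-learn rejects, are kept as *.failed for
# review instead of being retried forever. Prints "learned=N failed=M".
learn_incoming() {
    dir=$1 learned=0 failed=0
    for f in "$dir"/*.mbox; do
        [ -e "$f" ] || continue            # glob matched nothing
        if is_mbox "$f" && "$SA_LEARN" --spam --mbox "$f" >/dev/null; then
            rm -f "$f"
            learned=$((learned + 1))
        else
            mv "$f" "$f.failed"
            failed=$((failed + 1))
        fi
    done
    echo "learned=$learned failed=$failed"
}

# Dispatch only when called with a subcommand.
case ${1:-} in
    push)  push_spam "$2" "$3" "$4" ;;
    learn) learn_incoming "$2" ;;
esac
```
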
Re: emailreg.org - tainted white list
From: Marc Perkel m...@perkel.com Sent: Monday, 2009/December/14 07:28 LuKreme wrote: On 14-Dec-2009, at 07:59, Bill Landry wrote: Christian Brel, AKA rich...@buzzhost.co.uk (among other aliases), is back… Ah, that explains the tone and typo pattern of that email. While I am suspicious of emailreg.org and Barracuda's ties to each other I am not moving to a shack in Montana because of it, if you know what I mean. Personally, I am not going to waste the processor cycles checking emailreg AT ALL, so I am not going to score up emails on the whitelist either. Now, if other more … levelheaded users of this list find that a slight positive nudge is worthwhile I'm certainly willing to reconsider. Thirty points in one rule? Do I look like I'm wearing a tinfoil hat? DARK FORCES indeed. If you think about it, if Barracuda, a spam filtering company, started selling access to spammers, how long do you think Barracuda would stay in business. Their customers who got the spam would move elsewhere. So I really don't think that Barracuda is going to sell out their main business to make $20 off of a few spammers. Marc, I am admiring a nice pattern I see here. My mental Bayes algorithm has ticked over. Is rich...@bizzhost.co.uk a spammer trying to derail the effective tools? He's certainly acting like it. {^_^}
Re: emailreg.org - tainted white list
On Mon, 2009-12-14 at 16:09 +, Christian Brel wrote: If it's so clear cut, why is the option for the owner of the said Barracuda spam device *not* able to disable emailreg.org, but they *can* disable the Barracuda whitelist 'proper'? Not germane to the spamassassin list. Please redirect followups to alt.flame.bararacuda.bork.bork.bork This e-mail and any attachments may form pure opinion and may not have any factual foundation. Good to know. I'd hate to read an email full of facts. Please check any details provided to satisfy yourself as to suitability or accuracy of any information provided. Data Protection: Unless otherwise requested we may pass the information you have provided to other partner organisations. Hereby requested that you not pass *any* information to any partner organisation. Or any partner organization. Or to any competitor. Or even to yourself. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: emailreg.org - tainted white list
On Mon, 14 Dec 2009 08:37:02 -0800 jdow j...@earthlink.net wrote: Yup - he's a spammer. {enter stage left the name calling} That's what I heard about you JD, ain't that a blast! I better get my $20 out and trot over to barracuda.spam.for.mo...@emailreg.org then, so I can grease the wheels and make it official. Can I use your discount referal code seeing as your qualified in this area? -- This e-mail and any attachments may form pure opinion and may not have any factual foundation. Please check any details provided to satisfy yourself as to suitability or accuracy of any information provided. Data Protection: Unless otherwise requested we may pass the information you have provided to other partner organisations.
Re: emailreg.org - pretty good white list
Marc Perkel wrote: Been using emailreg.org for several months now and it seems like a really good white list. Anyone else using it? I'm not using it, but why would people list themselves there instead of just publishing an SPF record? The approach is roughly the same: From emailreg.org: We provide a list of registered domains and IP addresses that are authorized to send email for those domains. Why would anyone pay USD20 to register with emailreg.org instead of publishing an SPF record for free? /Per Jessen, Zürich
Re: emailreg.org - pretty good white list
On Mon, 14 Dec 2009, Per Jessen wrote: Why would anyone pay USD20 to register with emailreg.org instead of publishing an SPF record for free?

To keep the pointy-haired managers happy.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Mine eyes have seen the horror of the voting of the horde;
They've looted the fromagerie where guv'ment cheese is stored;
If war's not won before the break they grow so quickly bored;
Their vote counts as much as yours. -- Tam
---
Tomorrow: Bill of Rights day
Re: emailreg.org - pretty good white list
John Hardin wrote: On Mon, 14 Dec 2009, Per Jessen wrote: Why would anyone pay USD20 to register with emailreg.org instead of publishing an SPF record for free? To keep the pointy-haired managers happy. I had the distinct feeling it was something like that. /Per Jessen, Zürich
Re: emailreg.org - pretty good white list
On Dec 14, 2009, at 12:45 PM, John Hardin jhar...@impsec.org wrote: On Mon, 14 Dec 2009, Per Jessen wrote: Why would anyone pay USD20 to register with emailreg.org instead of publishing an SPF record for free? To keep the pointy-haired managers happy. Bingo. Name calling aside, this is really the crux of it.
Re: emailreg.org - tainted white list
If I ever do anything questionable, or not ethical, or even illegal, I hope that Richard is the one to call me out on it publicly because once he's confused issues with his personal insults and his best Art Bell impression, I'll then come out smelling like a rose. If he can ever stay banned, I won't miss the personal insults, I won't miss his holier than thou/us against them/all-or-none positions attitudes, and I certainly won't miss the endless argumentative threads he inspired about seemingly nothing (imo). But I will miss (a) the entertainment value of some of his posts (his dark forces one from earlier today was a classic) --AND-- last but not least--I will miss his willingness to break through the political correctness and bring up various points that few others were willing (or brave enough?) to point out. -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: [sa] Re: emailreg.org - pretty good white list
On Mon, 14 Dec 2009, John Hardin wrote: On Mon, 14 Dec 2009, Per Jessen wrote: Why would anyone pay USD20 to register with emailreg.org instead of publishing an SPF record for free? To keep the pointy-haired managers happy. Meow! :) - C
Re: emailreg.org - permission to spamassassin masscheck?
Mike Cardwell wrote: So you don't have to register a domain before you can register your IPs... Which is it? Do I have to register a domain, or don't I? So I signed up for an account and all I see is an option to register my domains with them, and that costs money... I see no option for registering the IPs of my resolvers. I don't know for sure whether my own access account is typical or not, but once you are logged into your free account, you should be able to choose My Domains from the top menu, and then Edit RESL Access IPs from the navigation panel on the left. If that doesn't work, email me directly if you wish. Given some specifics, I can encourage the emailreg folks to improve the user interface. Bob --
RE: emailreg.org - tainted white list
But I will miss (a) the entertainment value of some of his posts (his dark forces one from earlier today was a classic) --AND-- last but not least--I will miss his willingness to break through the political correctness and bring up various points that few others were willing (or brave enough?) to point out. If everyone could ignore the taunting, and just carry on, there wouldn't be an issue. I agree that the entertainment value is good, but your last point is best of all. I re-quote: I will miss his willingness to break through the political correctness and bring up various points that few others were willing (or brave enough?) to point out. Me too. Someone has to stir the pot occasionally, and it doesn't hurt to have someone around that makes you think outside the square. My 2cents. Cheers, Mike
Re: emailreg.org - permission to spamassassin masscheck?
On 12/14/2009 05:06 AM, Mike Cardwell wrote: Warren Togami wrote: I'm pretty sure this only queries only by IP address. IP address and domain name combined can be significantly more fine grained on some mail providers, so we might be better off waiting until spamassassin is capable of querying in their preferred manner before adding it to masschecks. Apparently you can't query the list until you've registered the IP address of your DNS resolvers with them. This means, it can't be included as standard in SpamAssassin. However, I can't figure out how to do that... On http://www.emailreg.org/index.cgi?p=policy it says: The Registered Email Sender List is available to everyone that would like to utilize it. In order to obtain access you need to register a domain. Once you have registered a domain you will be able to specify the IP addresses that you would like to have query the RESL. So you have to register a domain before you can register your IPs... It then goes on to say: Note that there is no charge for USE of the RESL data via this DNS query system. If you would like to use the RESL without registering a domain you may do so by registering HERE. So you don't have to register a domain before you can register your IPs... Which is it? Do I have to register a domain, or don't I? So I signed up for an account and all I see is an option to register my domains with them, and that costs money... I see no option for registering the IPs of my resolvers. Good point. spamassassin masschecks can happen on arbitrary hosts on the Internet. If they require registration for DNS lookups, then emailreg.org cannot be tested by weekly masscheck. I personally am against adding anything to spamassassin that cannot be tested. Warren Togami wtog...@redhat.com
Re: [sa] RE: emailreg.org - tainted white list
On Tue, 15 Dec 2009, Michael Hutchinson wrote: If everyone could ignore the taunting, and just carry on, there wouldn't be an issue.

The taunting *is* the issue. The rest of the arguments, about design and defaults, are carried on by numerous individuals in a quite civilized manner. But when someone starts throwing around stupid accusations, then the person attacked focuses their efforts on 'defending' themselves, rather than on a fair unbiased review of what *should* be the 'issue'.

To make a point requires nothing more than well-established facts. But name-calling and mindless accusations are an ego-driven thing. Once someone invests their arguments with ego, you cannot count on anything they say being accurate to any degree. They will literally say anything to advance their 'cause' and 'win' whatever argument they have joined.

Someone has to stir the pot occasionally, and it doesn't hurt to have someone around that makes you think outside the square.

Interestingly enough, *I* have stirred this same pot a couple of times, with very little effect. So while it is a reasonable argument that being offensive and abusive fails to achieve results, I have to admit that being quiet and deferring in tone also has little effect. So I wonder, what *does* it take for the 'amateurs' (that would be folks like me! *grin*) to bring a possible issue to the attention of the people in the 'know', and have it discussed?

I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IP's as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy?

- Charles
Re: [sa] RE: emailreg.org - tainted white list
Charles Gregory wrote: I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IP's as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy? To my knowledge, such a correlation has not yet been observed. Which is different from asserting that it hasn't happened, but I think for the purposes of your question it does indicate that there is not currently a serious issue as you put it. I can mostly just offer opinion, and that would be that whitelisting is not (yet) in wide enough use to have become a sufficiently attractive target. Bob --
Re: [sa] RE: emailreg.org - tainted white list
On Mon, 14 Dec 2009, Bob O'Brien wrote: I can mostly just offer opinion, and that would be that whitelisting is not (yet) in wide enough use to have become a sufficiently attractive target. Which brings us back to the 'rational version' of the discussion about SA weighing whitelists favorably by default. I'm *presuming* that the whitelists are seen on more ham than spam, but I only *see* the spam, that's the nature of my watchdog role. (smile) I've not heard any further comment on what has happened with that 'datetheuk' spam. Was it accidental? A hack? Mismanagement of the whitelist? The silence is deafening. I'd like to think we're not going to just drop the issue because *someone* unpopular was talking about it... :) - C
Re: [sa] RE: emailreg.org - tainted white list
May I suggest that handling whitelist or blacklist rules and any associated plugins by packaging them as separately installable modules may be of benefit to SA maintainers. The idea is to reduce the SA dev workload by handing off responsibility for maintaining and bugfixing such modules to external developers. These may, as at present, be the person who independently develops the module or the people who are responsible for the resources it queries.

Here's a little more detail:

- exclude the modules from the default SA configuration and from SA updates.
- create a library of downloadable modules, one for each external resource. Each module consists of:
  - a .cf file and a .pm file, if required, that should be installed by putting both in /etc/mail/spamassassin
  - version info
  - installation and configuration instructions
  - attributions: author, the author's affiliations, etc
  - a disclaimer saying that SA distributes the module as is and without liability or responsibility for its correctness
- anybody, including whitelist owners, can supply a module and will be solely responsible for maintaining it.
- modules MUST be accompanied by regression test data in the form of messages that demonstrate hits, misses and corner tests.
- SA devs should review the documentation and verify module operation using the supplied test data to show that the module does what it says on the tin and doesn't crash SA or interfere with other rules/plugins before accepting a module for publication.
- the modules should be included in regression tests for new SA versions. If a module fails a regression test it is excluded from the library and its author notified.

This way unmaintained modules will eventually disappear with minimal work from SA devs apart from removing the model from the distribution library and adding it to a list of no longer supported modules.
There may be problems with this approach that I'm not aware of, but I'm floating it because AFAIK nobody else has suggested it and it may defang some of the discussions around whitelists, etc. by making the use of such rules and modules independent of the SA project. Martin
Re: [sa] RE: emailreg.org - tainted white list
On 12/14/2009 10:23 PM, Martin Gregorie wrote: May I suggest that handling whitelist or blacklist rules and any associated plugins by packaging them as separately installable modules may be of benefit to SA maintainers. The idea is to reduce the SA dev workload by handing off responsibility for maintaining and bugfixing such modules to external developers. These may, as at present, be the person who independently develops the module or the people who are responsible for the resources it queries. Here's a little more detail: - exclude the modules from the default SA configuration and from SA updates. - create a library of downloadable modules, one for each external resource. Each module consists of: - a .cf file and a .pm file, if required, that should be installed by putting both in /etc/mail/spamassassin - version info - installation and configuration instructions - attributions: author, the author's affiliations, etc - a disclaimer saying that SA distributes the module as is and without liability or responsibility for its correctness - anybody, including whitelist owners, can supply a module and will be solely responsible for maintaining it. - modules MUST be accompanied by regression test data in the form of messages that demonstrate hits, misses and corner tests. - SA devs should review the documentation and verify module operation using the supplied test data to show that the module does what it says on the tin and doesn't crash SA or interfere with other rules/plugins before accepting a module for publication. - the modules should be included in regression tests for new SA versions. If a module fails a regression test it is excluded from the library and its author notified. This way unmaintained modules will eventually disappear with minimal work from SA devs apart from removing the model from the distribution library and adding it to a list of no longer supported modules. 
There may be problems with this approach that I'm not aware of, but I'm floating it because AFAIK nobody else has suggested it and it may defang some of the discussions around whitelists, etc. by making the use of such rules and modules independent of the SA project. your modules are all there already and much of it is already managed as you suggest: they're called rules.. you can even switch them on or off, or add your own modules /plugins/modules. SA provides an Open Source FRAMEWORK which caters to many millions of systems - if it doesn't fit your needs, use as you wish and/or fork out. Many do that with the ruleset - many don't SA devs are volunteers. What's stopping you from actively contributing to the development? Get familiar with the Wiki, checkout SVN, look at the masscheck code, bath in the Wiki. Following a comprehensive set of standards, anybody can contribute patches/fixes/etc. h2h Axb
Re: [sa] RE: emailreg.org - tainted white list
On Mon, 2009-12-14 at 21:23 +, Martin Gregorie wrote: May I suggest that handling whitelist or blacklist rules and any associated plugins by packaging them as separately installable modules may be of benefit to SA maintainers. The idea is to reduce the SA dev workload by handing off responsibility for maintaining and bugfixing such modules to external developers. These may, as at present, be the person who independently develops the module or the people who are responsible for the resources it queries. Here's a little more detail: The problem is scoring. masschecks are going to shape scores so that whitelists get a little boost if they are mediocre, and a large boost if they are good. Ditto for blacklists. And the two sets of scores will work in synergy. The big problem with making them all external and letting the universe pick a score at random is that the relative effectiveness of the various lists isn't tested. I'd love to have the clamav unofficial signature families scored. I have a fine guess as to how relevant they are, but it is just that - a guess. I'd hate to have to guess for everyone's whitelist... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: [sa] RE: emailreg.org - tainted white list
On Mon, 2009-12-14 at 22:39 +0100, Yet Another Ninja wrote: your modules are all there already and much of it is already managed as you suggest: they're called rules.. you can even switch them on or off, or add your own modules /plugins/modules. SA provides an Open Source FRAMEWORK which caters to many millions of systems - if it doesn't fit your needs, use as you wish and/or fork out. Many do that with the ruleset - many don't I'm aware of that, BUT: - there is resource-specific stuff permanently wired in, e.g. the HABEAS rules - there are other rules and modules littered round the net. AFAIK there is no single reference point or code library where stripped-out specifics (HABEAS) or independent code can be placed. SA devs are volunteers. What's stopping you from actively contributing to the development? Time and the fact that I'm a C/Java person rather than a Perl maven. I have a couple of projects on the boil at present, one being mail-related. This has an associated SA plugin and rule that is up and running on my server and will be released as part of the mail-related project. Martin
Re: [sa] RE: emailreg.org - tainted white list
On 12/14/2009 10:55 PM, Daniel J McDonald wrote: I'd love to have the clamav unofficial signature families scored. I have a fine guess as to how relevant they are, but it is just that - a guess. someone, somewhere is already converting ClamAV signatures to HUGE (slow) rule files, forgot where I saw them. Google around...
RE: [sa] RE: emailreg.org - tainted white list
Hello, The taunting *is* the issue. The rest of the arguments, about design and defaults, are carried on by numerous individuals in a quite civilized manner. But when someone starts throwing around stupid accusations, then the person attacked focuses their efforts on 'defending' themselves, rather than on a fair unbiased review of what *should* be the 'issue'. Fair call. To make a point requires nothing more than well-established facts. But name-calling and mindless accusations are an ego-driven thing. Once someone invests their arguments with ego, you cannot count on anything they say being accurate to any degree. They will literally say anything to advance their 'cause' and 'win' whatever argument they have joined. I'd have to agree on this point. My missus does this all of the time. She will know she is wrong, and still tell me until blue in the teeth that she's right about said topic.. So I guess what you're saying here is that it's no longer possible to do what we did in the old days and just 'ignore the troll'.. Someone has to stir the pot occasionally, and it doesn't hurt to have someone around that makes you think outside the square. Interestingly enough, *I* have stirred this same pot a couple of times, with very little effect. So while it is a reasonable argument that being offensive and abusive fails to achieve results, I have to admit that being quiet and deferring in tone also has little effect. So I wonder, what *does* it take for the 'amateurs' (that would be folks like me! *grin*) to bring a possible issue to the attention of the people in the 'know', and have it discussed? If you ask me, it's the whole newbie thing. People with lesser knowledge/skills are probably too afraid to raise issues, thinking that their issue is probably caused by their own ignorance, or lack of experience. 
I know I've felt like this before, and have certainly been made to feel rather stupid after asking certain questions - this is not specific to this mailing list, but mailing lists in general. I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IP's as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy? To answer the first question : No. We do not have any problems with Spam or hacking regarding our Mail gateway, using Spamassassin. Any Spam that has slipped through in the last several months certainly has not had any SA Default Whitelist scores assigned to it whatsoever. If anything, spam that gets through our system is stuff that hits almost no rules at all (positive or negative). Statistics are at the end of this E-Mail. I think one of the issues with getting information from people that aren't having any problems is the fact that they probably can't be bothered posting if they don't have any issues to resolve. What do you think?

Statistics Since Thursday 04th Jun, 2009
RBL Reject:               8480229
HELO Reject:              5827978
Clean Messages:           2014848
Invalid Recipients:        277983
Spam Messages:             228941
Relay Denied:               26112
Virus Messages:              2588
Total Messages Processed: 16858679

I get all of the Spam messages that slip through the system submitted to a public folder on our network, and analyse the headers for what rules did/did not fire. As previous, I've not seen any Spam that has default SA whitelist scores associated.
Re: emailreg.org - tainted white list
On Mon, 14 Dec 2009, jdow wrote: selling access to spammers, how long do you think Barracuda would stay in business. Their customers who got the spam would move elsewhere. So I really don't think that Barracuda is going to sell out their main business to make $20 off of a few spammers. Marc, I am admiring a nice pattern I see here. My mental Bayes algorithm has ticked over. Is rich...@bizzhost.co.uk a spammer trying to derail the effective tools? He's certainly acting like it. Remove the paranoia and low flying black helicopters from his posts, he has some merit in one comment, the emailreg.org _should_ be able to be disabled by customers, but, then again, you can always vote with your feet and simply not use their systems, they will quickly get the picture, but sadly a lot of people just have no clue, there are after all, plenty of salesmen out there who could sell ice to an Eskimo. I really am amazed that anyone would trust any third party whitelist of any kind in the anti-spam world. FWIW, there is only one whitelist that deserves to be active, and that's the one that we, as individuals, apply locally for our own networks for our own situations, I will never allow someone unrelated to my business to decide what's not a spam host. Even the most looked after networks, can have an authorised user who becomes worm infected, and spams the hell out of everyone. -- Res What does Windows have that Linux doesn't? - One hell of a lot of bugs!
Re: emailreg.org - pretty good white list
jdow wrote: [snip] Per a discussion off the list the $20 is, as mentioned, pretty much a captcha and as the web site declares, an inoculation against domain tasting or 10 for a dollar .cn domains. The thousands of names registration isn't going to get through either ReturnPath or emailreg.org. It takes time to run through the hoops in either case. And $20k is a whole different ballpark for dollar expense than $200. It's not bulletproof. But it's probably worth a small negative score to allow legitimate emails a tiny bump. Their oddball DNS poll also may be an inoculation against emails originating from a site's hacked systems. In as much as one Aw Shit seems to wipe out 100 Brownie Points this may provide legitimate small businesses a quick way out of the blocked status once they clear up their infections, sort of like awarding Brownie Points 10 or more at a time. {^_^} head Can all the guys who think 20 isn't much send me 10$ each? I promise to write a song for you. /head body the problem with the 20 isn't much is if 1000 guys/groups decide to run their whitelists and ask for 20$ (on each). then I need to pay 20*1000 = 20K USD. that's a captchoom. now, what if one million guys start their lists... /body footer and of course, for each 20$, I'll need to add the fees (unless they have employees who can ring my bell :). and I also need to check they are a legitimate organization, because giving money to mafia/terrorists/... is prohibited (at least over here). etc etc etc... /footer
Re: emailreg.org - tainted white list
Bill Landry wrote:
Christian Brel, AKA rich...@buzzhost.co.uk (among other aliases), is back... Bill

he switched MUA, but forgot to switch helo and get a different IP range...

Received-SPF: softfail (nike.apache.org: transitioning domain of brel.spamassassin091...@copperproductions.co.uk does not designate 82.70.24.237 as permitted sender)
Received: from [82.70.24.237] (HELO styone.spampig.org.uk) (82.70.24.237) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Dec 2009 16:09:40 +
From: Christian Brel brel.spamassassin091...@copperproductions.co.uk

Received: from [82.70.24.238] (HELO stytwo.spampig.org.uk) (82.70.24.238) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 07 Dec 2009 14:42:42 +
Subject: Interesting low scoring phish
From: rich...@buzzhost.co.uk rich...@buzzhost.co.uk
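The header comparison made in the message above can be automated. This is an added example, not code from the thread: it parses qpsmtpd-style Received lines, then groups From addresses that share a HELO parent domain or a connecting network. The function names, the /24 grouping width, the "drop the first label" heuristic and the control entry are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Received lines as quoted in the message above, paired with each message's
# From address (elided exactly as on the page). The third entry is a
# constructed control using documentation address space.
SAMPLES = [
    ("brel.spamassassin091...@copperproductions.co.uk",
     "from [82.70.24.237] (HELO styone.spampig.org.uk) (82.70.24.237) "
     "by apache.org (qpsmtpd/0.29) with ESMTP"),
    ("rich...@buzzhost.co.uk",
     "from [82.70.24.238] (HELO stytwo.spampig.org.uk) (82.70.24.238) "
     "by apache.org (qpsmtpd/0.29) with ESMTP"),
    ("alice@example.org",
     "from [192.0.2.10] (HELO mail.example.org) (192.0.2.10) "
     "by apache.org (qpsmtpd/0.29) with ESMTP"),
]

# qpsmtpd layout: from [claimed] (HELO name) (peer address) by ...
RECEIVED_RE = re.compile(
    r"from \[(?P<claimed>[0-9.]+)\] \(HELO (?P<helo>[^)\s]+)\) "
    r"\((?P<peer>[0-9.]+)\)"
)


def parse_received(line):
    """Return the HELO name and connecting IPv4 address, or None."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m.group("peer"))
    except ValueError:
        return None  # matched the pattern but is not a valid address
    return {"helo": m.group("helo").lower().rstrip("."), "peer": peer}


def helo_parent(helo):
    """Drop the left-most label (styone.spampig.org.uk -> spampig.org.uk).

    Simplification: a real tool would consult the public suffix list so that
    a HELO such as host.co.uk does not collapse to co.uk.
    """
    parts = helo.split(".")
    return ".".join(parts[1:]) if len(parts) > 2 else helo


def network_key(peer, prefix=24):
    """Containing network of the peer address, e.g. 82.70.24.0/24."""
    return str(ipaddress.ip_network(f"{peer}/{prefix}", strict=False))


def correlate(samples, prefix=24):
    """Map each shared HELO parent or network to the senders seen from it."""
    groups = defaultdict(set)
    for sender, received in samples:
        info = parse_received(received)
        if info is None:
            continue  # unparseable header: skip rather than guess
        groups[("helo", helo_parent(info["helo"]))].add(sender)
        groups[("net", network_key(info["peer"], prefix))].add(sender)
    # Only keys shared by more than one distinct sender are interesting.
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for key, senders in correlate(SAMPLES).items():
        print(key, senders)
```

The HELO name is supplied by the client and can be changed at will; the connecting address recorded by the receiving server is the stronger of the two signals.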
hacking whitelists (was Re: [sa] RE: emailreg.org - tainted white list)
On Dec 14, 2009, at 1:35 PM, Charles Gregory wrote: I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IP's as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy? We're fairly certain the bad guys haven't been targeting whitelists (ours, or others) -- yet. Occasionally some spam will come from a whitelisted IP after a server gets infected, but then that IP doesn't stay whitelisted for very long -- and there's no proof that the botnet operator had any idea the IP was whitelisted. Besides, there's not all that much value for them. When the big ISPs use whitelists like ours, they'll give IPs on the list a lot of leeway -- but not a free pass forever. There are still volume limits (though higher than for non-whitelisted IPs), and they're still watching complaint rates. If there's a problem, they'll let us know. It's very similar to how SpamAssassin uses whitelists: enough points are subtracted to override /some/ spam rules, but not all. When a message is extremely spammy, the whitelist won't be enough to rescue it. And that's how it should be. All that said, I think it's only a matter of time until the bad guys DO intentionally go after whitelisted IPs, or (worse) whitelisting services. We'll detect if spam suddenly starts coming from any IP we're monitoring, and it won't stay whitelisted for long -- that's the core of our program. We've also put a lot of effort into the security of our own systems. I've been involved with computer security issues for too long to say it could never ever happen, but I can say we're always watching. -- J.D. Falk jdf...@returnpath.net Return Path Inc
Re: emailreg.org - pretty good white list
On Tue 15 Dec 2009 00:32:31 CET, mouss wrote: head Can all the guys who think 20 isn't much send me 10$ each? I promise to write a song for you. /head what if the snail postman did not get paid? how many snailmails would not be sent? it's a wonder to me that email is completely free of charge in the first place. maybe the snail postman should take $20 for each letter now to prevent spam snailmails :) what will the song be called btw? -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Spam from compromised web mails
Hi, Occasionally I receive mail from compromised web mails asking for user name and password from my users. The source IPs are usually clean (as they are legitimate mail servers) and do not catch any ip based rules. Usually one or two mail accounts are used to pump mails via web mail after authentication. I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399 It is interesting to note that the victim was using Barracuda anti spam appliance which also failed to catch this spam. Any ideas to tackle such spam are very much welcome. with regards, raj