Re: UCEPROTECT
On Thursday, 22 of April 2010, Jared Hall wrote:

> It takes two to tango.

But takes just one to spoil the fun. Trust me, I do ballroom dancing :-)

> 1) If your recipient's Email server didn't use UCEPROTECT, you would not
>
> In terms of extortion, I don't see any liability whatever. Level 1 addresses auto-expire. If you want that expedited, you pay. Sounds fair to me. Level 2 and Level 3 addresses require intervention by the sender's ISP. A fee is charged, presumably to cover the cost of scanning netblocks to verify the problem has been resolved. Not altogether an easy thing to do, and a MAJOR cost factor, as also indicated at SORBS. Problems exist elsewhere, as well. RFC-Ignorant listings come to mind.
>
> Nobody is forced to use UCEPROTECT. For those that do, see 2,3, and 5 above. Solutions abound. In your case, item 6 seems most appropriate.

This is only part of the truth. First of all - anyone is free to use anything for policing their SMTP servers as long as he does it conforming to relevant RFC's. But anyone is free to have his own views on that so I'm just stating my point of view.

First of all again ;-), UCEPROTECT adds IP's to their blacklists for as much as one (I repeat - one, single) mail sent to, for example, non-existing mailbox. (Mr. I-don't-make-typos-in-addresses anyone?). Been there, done that, got blacklisted for one mail. That's just plain wrong. I can understand low listing thresholds in case of deliberately set up spamtraps for which you feed address to harvesters by putting it on web pages or sending to usenet. But single mail to non-existent mailbox? Ridiculous.

Secondly - they claim they don't manually interfere with the listing and thus the auto-expire. But if you ever express your disgust about how you've been treated (like I did on NANAE), you're immediately getting the express-delist option manually revoked. So much for no manual tampering with the lists.

Thirdly - Claus von Wolfhausen - the person who claims to be a Technical Director of UCEPROTECT-network. You just can't argue with him. He just knows better and you're a freaking spammer. Burn in hell, die die die!!! Sorry, but you'd expect something more from a Technical Director. Something a bit more grown-up.

Fourthly - as Mr. Wolfhausen confirmed himself on NANAE - they don't have a normal administrative staff. Instead they have a bunch of students who race to be the first one to delist if you make a payment because the one that does it gets his share of the money. Very professional organization indeed.

Fifthly - They don't give a damn about how the network is really organized. They just blacklist whole wide ranges (/14 in case of my network) regardless of how the range is divided. (in my case there are many different networks in that /14 segment, of which I own a /29 with my own whois entry and all - easily distinguishable from the rest of the net).

Sixthly - Sometimes you just don't have a choice, you must use the only ISP in your area. Even if you have your own range and you're easily distinguishable from the background noise, they don't care. They won't whitelist you just because you're the good guy. No, they can whitelist you if you give them money.

Therefore I advocate strongly against any use of UCEPROTECT. It's not reliable, gives many false positives and looks like a scheme deliberately set up to list wide ranges of IP's so that some people pay to get delisted/whitelisted. Just as spammers send huge quantities of spam in hope that some of them are profitable. It's the same mechanism just implemented differently.

--
/\-\/\-\/\-\/\-\/\-\/\-\/\
\ k...@epsilon.eu.org /
/ http://epsilon.eu.org/ \
\/-/\/-/\/-/\/-/\/-/\/-/\/
Re: UCEPROTECT
On Thu, 22 Apr 2010 10:44:53 -0400, Jared Hall jh...@tbi.net wrote:

> Nigel,
>
> It takes two to tango.
>
> 1) If your recipient's Email server didn't use UCEPROTECT, you would not be having this issue.
> 2) If your recipient's ISP ran their own local cached copy of the UCEPROTECT zone file(s), they could simply remove your IP address.
> 3) If your recipient's ISP ran a local DNS Whitelist, they could simply add your IP address and you would be fine.
> 4) If you run your mail operations off a dynamic IP address, that is just poor system administration.
> 5) If the recipient's ISP doesn't have any control over blocking capability, they shouldn't be in the mail server business. Anybody using some externally controlled service, without local override capabilities, can expect Email delivery problems forever.
> 6) If YOU used a decent ISP that gave a crap about you, you would not be having this problem.
>
> In terms of extortion, I don't see any liability whatever. Level 1 addresses auto-expire. If you want that expedited, you pay. Sounds fair to me. Level 2 and Level 3 addresses require intervention by the sender's ISP. A fee is charged, presumably to cover the cost of scanning netblocks to verify the problem has been resolved. Not altogether an easy thing to do, and a MAJOR cost factor, as also indicated at SORBS. Problems exist elsewhere, as well. RFC-Ignorant listings come to mind.
>
> Nobody is forced to use UCEPROTECT. For those that do, see 2,3, and 5 above. Solutions abound. In your case, item 6 seems most appropriate.
>
> Jared Hall
>
> n.frank...@gmail.com wrote:
>> Hi All,
>> For reference the SORBS issue is still ongoing, my ISP (BT) is working hard to resolve it. I mentioned in one of my posts how UC (UCEPROTECT) were also an issue. They seem to have taken entire netblocks and are demanding 20Euro's per year to remove individual IP's. Does anyone have any information about this and in particular any law enforcement involvement since this smacks of extortion to me.
>> TIA Nigel

Your points are taken and I agree ISP's could do more. But in terms of payment for removal I don't see why that should happen. CBL seem to cope well without it.

I agree anyone running off a dynamic IP has no business doing so, however, the definition of a dynamic IP is a blurred one, this is an issue I'm having to deal with currently.

In BT's defence, they do appear to be doing all they can. Sadly in true large organisation fashion those that used to deal with these issues are no longer there and the replacements don't know what their full remit is. This is an issue I'm working with BT on now so that their customers won't get as badly affected as they are currently. IMO yelling at them solves little, working with them to resolve the problem is a much better option. In the years I've used BT as my ISP I've had issues certainly, but the same can be said for any ISP. To date BT have resolved all of mine.

Thanks for your thoughts though. They do make some sense and have given me a better idea of how UC operate. I still don't agree with their operating procedures but I guess that's my issue.

Kind regards
Nigel
Re: UCEPROTECT
Mariusz Kruk wrote:

> First of all - anyone is free to use anything for policing their SMTP servers as long as he does it conforming to relevant RFC's.

Anyone is free to use anything for policing their SMTP servers, period.

> Been there, done that, got blacklisted for one mail. That's just plain wrong. I can understand low listing thresholds in case of deliberately set up spamtraps for which you feed address to harvesters by putting it on web pages or sending to usenet. But single mail to non-existent mailbox? Ridiculous.

Yes, that doesn't sound right at all. Sending an email to one of my spamtraps will get you listed immediately though.

/Per Jessen, Zürich
Re: UCEPROTECT
corpus.defero wrote:

> Uceprotect has some strange listing policies that have been questioned numerous times. But the crux of it is this, the people who use UCEProtect are well aware of it - and it's not widely used. Personally it's one of those lists I don't trust to block at an SMTP level, but will include a score shifter on a hit.

Same here. Wrt how widely UCEPROTECT is used, I'm not so sure. Any list that pops up in discussion every so often must be used quite a bit. After all, if nobody used it, no discussion.

/Per Jessen, Zürich
Re: UCEPROTECT
On 22.04.10 13:53, n.frank...@gmail.com wrote:

> For reference the SORBS issue is still ongoing, my ISP (BT) is working hard to resolve it. I mentioned in one of my posts how UC (UCEPROTECT) were also an issue. They seem to have taken entire netblocks and are demanding 20Euro's per year to remove individual IP's

UCEPROTECT has three levels of listing, from single IP (L1) to whole autonomous system (L3). L2 lists /24 and above (allocated) range. L2 and L3 are escalations based on % of spamming (L1-listed) IPs. While L2 and L3 should not be used at SMTP time, some people do it.

However, they offer quick delisting if the problem disappeared, otherwise they delist after 7 days (L1) and after problem disappears (L2/L3).

This is now what ISPs should do - enforce no-spam policies, apparently including blocking outgoing SMTP for non-MTAs. We (at my employer) are doing this now, even because of UCEPROTECT but also because of different reasons.

> Does anyone have any information about this and in particular any law enforcement involvement since this smacks of extortion to me.

I guess it's quite hard to enforce a law here. Maybe if you'd prove that they provide false/fake information, and they somehow advise people to block according to that false information. But I wouldn't count on that, and I think that if you have spammed, they'd have proof against you...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Microsoft dick is soft to do no harm
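Added example, not code from any poster in this thread: the "score shifter" and local-override approach mentioned above, where a DNSBL hit adds points instead of rejecting at SMTP time and a local whitelist wins over the list. Zone names, weights, DNS answers and the IP addresses are constructed placeholders.

```python
"""DNSBL hit as a score contribution, with a local whitelist override."""
import ipaddress
import socket

# Assumed zone names (placeholders, not a real list's zones) and the points a
# hit adds. Wider listings say less about one sender, so they weigh less.
ZONE_SCORES = {
    "l1.dnsbl.example": 2.0,  # single IP listing
    "l2.dnsbl.example": 1.0,  # allocated range listing
    "l3.dnsbl.example": 0.5,  # whole autonomous system listing
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed DNS data: two hosts in the 192.0.2.0/24 test range are covered
# by range and AS listings, one is also listed individually, and one name
# returns a non-127 answer such as a wildcarding resolver would give.
FAKE_DNS = {
    "10.2.0.192.l2.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.l3.dnsbl.example": ["127.0.0.2"],
    "77.2.0.192.l1.dnsbl.example": ["127.0.0.2"],
    "77.2.0.192.l2.dnsbl.example": ["127.0.0.2"],
    "77.2.0.192.l3.dnsbl.example": ["127.0.0.2"],
    "99.2.0.192.l1.dnsbl.example": ["203.0.113.5"],
}


def query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def fake_resolver(name):
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(name, [])


def _is_listing(answer):
    """Only answers inside 127.0.0.0/8 mean 'listed'."""
    try:
        return ipaddress.ip_address(answer) in LISTED_RANGE
    except ValueError:
        return False


def dnsbl_score(ip, resolver=system_resolver, whitelist=(), zones=ZONE_SCORES):
    """Return (points, reasons) for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    # Local override first: a whitelisted sender is never looked up at all.
    for net in whitelist:
        if addr in ipaddress.ip_network(net):
            return 0.0, ["whitelisted by local policy: " + net]
    points, reasons = 0.0, []
    for zone, weight in zones.items():
        answers = resolver(query_name(ip, zone))
        # A non-127 answer comes from a hijacked or wildcarded zone and
        # must not be counted as a hit.
        if any(_is_listing(a) for a in answers):
            points += weight
            reasons.append("listed in " + zone)
    return points, reasons


def classify(content_score, ip, required=5.0, **kwargs):
    """Combine content score and DNSBL points; no single list decides alone."""
    points, reasons = dnsbl_score(ip, **kwargs)
    total = content_score + points
    return ("spam" if total >= required else "ham"), total, reasons


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.77", "192.0.2.99"):
        print(ip, classify(2.0, ip, resolver=fake_resolver,
                           whitelist=["192.0.2.8/29"]))
```

Passing `resolver=system_resolver` (the default) performs real DNS lookups; the fake resolver keeps the demonstration offline.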
Re: UCEPROTECT
On Friday, 23 of April 2010, Matus UHLAR - fantomas wrote:

> This is now what ISPs should do - enforce no-spam policies, apparently including blocking outgoing SMTP for non-MTAs. We (at my employer) are doing this now, even because of UCEPROTECT but also because of different reasons.

Of course. But that's kinda orthogonal to the whole UCEPROTECT issue.

> But I wouldn't count on that, and I think that if you have spammed, they'd have proof against you...

Well... There is no way to contact them if you're listed. Even if it's not level1. Not to mention that they never provide any proof of any abuse which is supposed to have caused the listing.

--
/\-\/\-\/\-\/\-\/\-\/\-\/\
\ k...@epsilon.eu.org /
/ http://epsilon.eu.org/ \
\/-/\/-/\/-/\/-/\/-/\/-/\/
Re: UCEPROTECT
Matus UHLAR - fantomas wrote:

> On 22.04.10 13:53, n.frank...@gmail.com wrote:
>> For reference the SORBS issue is still ongoing, my ISP (BT) is working hard to resolve it. I mentioned in one of my posts how UC (UCEPROTECT) were also an issue. They seem to have taken entire netblocks and are demanding 20Euro's per year to remove individual IP's
>
> UCEPROTECT has three levels of listing, from single IP (L1) to whole autonomous system (L3). L2 lists /24 and above (allocated) range. L2 and L3 are escalations based on % of spamming (L1-listed) IPs. While L2 and L3 should not be used at SMTP time, some people do it.

Which should really only be causing them more trouble than it is worth.

>> Does anyone have any information about this and in particular any law enforcement involvement since this smacks of extortion to me.
>
> I guess it's quite hard to enforce a law here. Maybe if you'd prove that they provide false/fake information, and they somehow advise people to block according to that false information.

Anyone is free to take them to court (e.g. ask for an injunction).

/Per Jessen, Zürich
Re: UCEPROTECT
On Fri, 23 Apr 2010 12:58:02 +0200, Mariusz Kruk mariusz.k...@epsilon.eu.org wrote:

> On Friday, 23 of April 2010, Matus UHLAR - fantomas wrote:
>> This is now what ISPs should do - enforce no-spam policies, apparently including blocking outgoing SMTP for non-MTAs. We (at my employer) are doing this now, even because of UCEPROTECT but also because of different reasons.
>
> Of course. But that's kinda orthogonal to the whole UCEPROTECT issue.
>
>> But I wouldn't count on that, and I think that if you have spammed, they'd have proof against you...
>
> Well... There is no way to contact them if you're listed. Even if it's not level1. Not to mention that they never provide any proof of any abuse which is supposed to have caused the listing.

A bit of a catch 22 situation. How to know why you are in a list if nobody has reported abuse to you. For myself, every outgoing email from our mailserver has a URL embedded in the header from which abuse can be reported.

I can't speak for others, but for our networks those reports are acted on immediately.

Nigel
Re: UCEPROTECT
Mariusz Kruk wrote:

> Not to mention that they never provide any proof of any abuse which is supposed to have caused the listing.

Surely that is not unusual - do any of the many list providers provide such proof??

/Per Jessen, Zürich
Re: UCEPROTECT
On Friday, 23 of April 2010, n.frank...@gmail.com wrote:

>>> But I wouldn't count on that, and I think that if you have spammed, they'd have proof against you...
>>
>> Well... There is no way to contact them if you're listed. Even if it's not level1. Not to mention that they never provide any proof of any abuse which is supposed to have caused the listing.
>
> A bit of a catch 22 situation. How to know why you are in a list if nobody has reported abuse to you. For myself, every outgoing email from our mailserver has a URL embedded in the header from which abuse can be reported.

Whois record shows contact info. And usually abuse mailbox. But UCEPROTECT is not interested in reporting. They are interested in listing so maybe someone pays them. Reporting could lead to actually solving the problems. Listing leads only to demanding money.

--
Kruk@ -\ | }- epsilon.eu.org | http:// -/ | |
Re: UCEPROTECT
On Friday, 23 of April 2010, Per Jessen wrote:

>> Not to mention that they never provide any proof of any abuse which is supposed to have caused the listing.
>
> Surely that is not unusual - do any of the many list providers provide such proof??

Honestly - I have no idea since I had not been listed in any DNSBL except RFC-ignorant I knew of before. Rfc-ignorant was self explanatory since I made a stupid typo in zone configuration. I've received reports of spam on one of my servers and reacted on that, so there was no listing anywhere. But that's clearly not UCEPROTECT's policy.

--
Kruk@ -\ | }- epsilon.eu.org | http:// -/ | |
Re: Reporting (Off Topic)
On Thu, Apr 22, 2010 at 1:48 PM, Kaleb Hosie kho...@spectraaluminum.com wrote:

> Another (more automated way) is to use the following command:
> spamassassin -r the_spam_message_file

Thanks for that info! I think the 'automated' suggestion sounds very nice! When I submit it using 'SA' command, does it get routed to Spamhaus or SpamCop or none of the above? I am just curious how that works?

What exactly happens when I use the SA service to route the message? Does it have to get X many number of submissions before it's considered a known spammer?

Secondly, what exactly do you mean by the_spam_message_file? How do I locate this? If I get the message in my Inbox, then I have something to ID it by, right? Some kind of number tagged by my system but if I see in my logs that this spammer is doing a dictionary attack on my mail server by using generic known user ID's like b...@... j...@... h...@...

Those would all fail for unknown recipient table lookups. How would I then reference the spam message if there is no spam but I can clearly see this spammer is attempting to spam me. I would like to be proactive before the spam gets through and report them.

Thanks!
Re: Problems with sa-update
I reported this issue about a month ago and didn't receive a response. So I set about fixing it myself.

First, I edited the sa-update script to not delete the rules that it downloaded and was running lint on... I looked at those rules to see if I could spot the problem, but I couldn't... looked for control chars, ^M's, nothing... So I removed the lint check from sa-update and that allowed it to install the rules.

Then I ran sa-update again and a new ruleset was downloaded... and this one passed the lint check...

I have no idea what was wrong with that original set but it prevented sa-update from continuing and it appears to me that sa-update seems to just get the next released rules rather than get the last released rules and that held up downing a good set to replace the bad set... I dunno if that's the case but it matches my observations.

your mileage may vary... I've had no problem since and the original sa-update has been used since my one time hack.

-lee

Personal Técnico wrote:

> Hi,
>
> I'm getting this error when I run sa-update:
>
> config: failed to parse line, skipping, in /tmp/.spamassassin26787Cjo628tmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
> config: failed to parse line, skipping, in /tmp/.spamassassin26787Cjo628tmp/72_active.cf: mimeheader __TVD_MIME_ATT_APContent-Type =~ /^application\/pdf/i
> config: failed to parse line, skipping, in /tmp/.spamassassin26787Cjo628tmp/72_active.cf: mimeheader __TVD_MIME_ATT_TPContent-Type =~ /^text\/plain/i
> channel: lint check of update failed, channel failed
>
> Spamassassin installed version is 3.3.1-1 in a Debian Lenny 64 bits system.
>
> Why am I getting this error?
>
> Thanks.
Legitimate mail flagged as Spam
Hi,

I have a problem with legitimate mail getting flagged as spam. I have a system that sends software licence certificates over email, and many customers never receive it. When I send it to my own email it gets marked as spam by SpamAssassin. I've been trying to figure out why.

The sending system is a Windows 2003 SMTP (not Exchange, the one that comes with IIS), and its hostname is licsvr.pssoft.fi. The sender email is lice...@kasoori.net.

The headers mark as following:

X-Virus-Check-By: mailwash7.pair.com
X-Spam-Check-By: mailwash7.pair.com
X-Spam-Status: Yes, hits=8.7 required=4.0 tests=BAD_ENC_HEADER,HELO_LH_HOME,MIME_BASE64_BLANKS,TRACKER_ID autolearn=disabled version=3.002005
Message-ID: e16d86f82b904878b4ecf4e882b7c...@pssoft.fi
X-Spam-Flag: YES
X-Spam-Level:
X-Spam-Filtered: 8217c97b20a887b0ba3c84f733b09305
X-Mailer: Microsoft CDO for Exchange 2000
MIME-Version: 1.0
From: =?utf-8?Q?KAS=C3=96=C3=96RI.NET_Lisenssipalvelu?= lice...@kasoori.net
To: petri.suomi...@pssoft.fi
Date: Fri, 23 Apr 2010 15:46:10 +0300
Subject: =?utf-8?Q?**JUNK**_KAS=C3=96=C3=96RI.NET_Lisenssitilauksenne?=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal

What I'm trying to figure out is what am I doing wrong that causes the tests to fail and score high points.

Any Help would be appreciated !

br, Petri

--
View this message in context: http://old.nabble.com/Legitimate-mail-flagged-as-Spam-tp28340960p28340960.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Legitimate mail flagged as Spam
On 4/23/10 7:53 AM, PSuo petri.suomi...@pssoft.fi wrote:

> Hi,
>
> I have a problem with legitimate mail getting flagged as spam.
>
> The headers mark as following:
>
> X-Virus-Check-By: mailwash7.pair.com
> X-Spam-Check-By: mailwash7.pair.com
> X-Spam-Status: Yes, hits=8.7 required=4.0 tests=BAD_ENC_HEADER,HELO_LH_HOME,MIME_BASE64_BLANKS,TRACKER_ID
>
> What I'm trying to figure out is what am I doing wrong that causes the tests to fail and score high points.
>
> Any Help would be appreciated !

You should grep the test names above in /var/lib/spamassassin/3.3.1/updates.spamassassin.org

And then change your mail to not look like them.

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
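Added example, not code from the thread or from SpamAssassin: one way to do the lookup suggested above, pulling the rule names out of X-Spam-Status and finding their definition lines in a rules directory. The header value is the one quoted in the thread; the rules text is a constructed placeholder, and the directory is a parameter because the scanning host's rules may differ from a local copy.

```python
"""Map the rule names in an X-Spam-Status header to their definition lines."""
import re
import tempfile
from email import message_from_string
from pathlib import Path

# Constructed message: the X-Spam-Status value is the one quoted in the
# thread, folded across lines the way a delivered header may be.
SAMPLE_MESSAGE = (
    "X-Spam-Status: Yes, hits=8.7 required=4.0\n"
    "\ttests=BAD_ENC_HEADER,HELO_LH_HOME,\n"
    "\tMIME_BASE64_BLANKS,TRACKER_ID autolearn=disabled version=3.002005\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed stand-in for a rules file. The patterns, descriptions and
# scores are placeholders, not the real SpamAssassin rule text.
SAMPLE_RULES = """\
# constructed sample rules
header   HELO_LH_HOME    X-Placeholder =~ /constructed/
describe HELO_LH_HOME    placeholder description
score    HELO_LH_HOME    0.001
describe HELO_LH_HOME_2  a different rule that must not match
body     TRACKER_ID      /constructed/
"""

# Configuration keywords whose second token is a rule name.
RULE_KEYWORDS = {"header", "body", "rawbody", "full", "uri", "meta",
                 "mimeheader", "describe", "score"}


def parse_spam_status(raw_message):
    """Extract verdict, score, threshold and rule names from X-Spam-Status."""
    msg = message_from_string(raw_message)
    # Collapse header folding so a test list split across lines is rejoined.
    value = " ".join((msg.get("X-Spam-Status") or "").split())
    # Older releases write hits=, newer ones score=.
    score = re.search(r"\b(?:hits|score)=(-?\d+(?:\.\d+)?)", value)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", value)
    tests = re.search(r"\btests=(\w+(?:,\s*\w+)*)", value)
    names = re.split(r",\s*", tests.group(1)) if tests else []
    return {
        "flagged": value.lower().startswith("yes"),
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": [n for n in names if n != "none"],
    }


def find_rule_lines(rule_names, rules_dir):
    """Return {rule name: [definition lines]} from every *.cf under rules_dir."""
    wanted = set(rule_names)
    found = {name: [] for name in rule_names}
    for path in sorted(Path(rules_dir).rglob("*.cf")):
        for line in path.read_text(errors="replace").splitlines():
            parts = line.split(None, 2)
            # Exact match on the second token, so HELO_LH_HOME_2 is not
            # reported for HELO_LH_HOME the way a plain substring grep would.
            if (len(parts) >= 2 and parts[0] in RULE_KEYWORDS
                    and parts[1] in wanted):
                found[parts[1]].append(f"{path.name}: {' '.join(line.split())}")
    return found


def triage(raw_message, rules_dir):
    """Parse the header, then attach the definition lines for each rule hit."""
    status = parse_spam_status(raw_message)
    status["definitions"] = find_rule_lines(status["tests"], rules_dir)
    # Rules with no definition here live in another channel or local config.
    status["undefined"] = [n for n, d in status["definitions"].items() if not d]
    return status


def demo():
    """Run triage on the constructed message against the constructed rules."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sample.cf").write_text(SAMPLE_RULES)
        return triage(SAMPLE_MESSAGE, tmp)


if __name__ == "__main__":
    result = demo()
    print(result["score"], "of", result["required"], result["tests"])
    for name, lines in result["definitions"].items():
        print(name, lines or "no definition found in this directory")
```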
Re: Legitimate mail flagged as Spam
PSuo wrote:

> Hi,
>
> I have a problem with legitimate mail getting flagged as spam. I have a system that sends software licence certificates over email, and many customers never receive it. When I send it to my own email it gets marked as spam by SpamAssassin. I've been trying to figure out why.

Hi Petri

feel free to send me (p...@jessen.ch) such an email, and I'll tell you how and why it scores.

/Per Jessen, Zürich
Re: Legitimate mail flagged as Spam
Daniel McDonald wrote:

> On 4/23/10 7:53 AM, PSuo petri.suomi...@pssoft.fi wrote:
>> The headers mark as following:
>>
>> X-Virus-Check-By: mailwash7.pair.com
>> X-Spam-Check-By: mailwash7.pair.com
>> X-Spam-Status: Yes, hits=8.7 required=4.0 tests=BAD_ENC_HEADER,HELO_LH_HOME,MIME_BASE64_BLANKS,TRACKER_ID
>
> You should grep the test names above in /var/lib/spamassassin/3.3.1/updates.spamassassin.org

BAD_ENC_HEADER - very often blanks in the MIME-encoded subject. (blanks should be encoded as underscores). Usually about 3 points.

HELO_LH_HOME - poor helo from your mailserver. Another 3 points.

MIME_BASE64_BLANKS - poor base64 encoding (blank lines?)

TRACKER_ID - contains a trackerid for user monitoring. 2-3 points.

/Per Jessen, Zürich
Re: Legitimate mail flagged as Spam
On Fri, 23 Apr 2010, PSuo wrote:

> X-Spam-Status: Yes, hits=8.7 required=4.0 tests=BAD_ENC_HEADER,HELO_LH_HOME,MIME_BASE64_BLANKS,TRACKER_ID

BAD_ENC_HEADER - verify that you are properly encoding your message headers.

HELO_LH_HOME - what helo string does your MTA use when sending messages?

MIME_BASE64_BLANKS - verify that your body parts are being encoded into base64 properly.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Insofar as the police deter by their presence, they are very, very good. Criminals take great pains not to commit a crime in front of them. -- Jeffrey Snyder
---
Today: Max Planck's 152nd birthday
RE: Reporting (Off Topic)
> On Thu, Apr 22, 2010 at 1:48 PM, Kaleb Hosie kho...@spectraaluminum.com wrote:
>> Another (more automated way) is to use the following command:
>> spamassassin -r the_spam_message_file
>
> Thanks for that info! I think the 'automated' suggestion sounds very nice! When I submit it using 'SA' command, does it get routed to Spamhaus or SpamCop or none of the above? I am just curious how that works?

Plugins in SA may optionally support a reporting functionality, which is meant to report a spam message to the spam-detection source through it. FWIK, the stock SA distribution supplies DCC, RAZOR, PYZOR, HashCash and SpamCop plugins which may report to external engines. Each of these plugins follows its own way in reporting, such that all of them may require specific reporting directives to be configured in SA and/or require some external, introductory action (like registering to SpamCop, for example). Once you have registered to sources, tuned their plugin and configured SA accordingly, you may use the '-r' switch to report to it.

> What exactly happens when I use the SA service to route the message?

SA doesn't route a message. SA analyzes it and yields a result, which is score points, on each message you pass to it.

> Does it have to get X many number of submissions before it's considered a known spammer?

It depends on the people who run the blacklist or hashing engine. But generally the answer is yes.

> Secondly, what exactly do you mean by the_spam_message_file? How do I locate this?

The the_spam_message_file is just the file containing the full spam message (i.e.: complete with header and body). Its meaning is easy to understand to people used to manage mail servers, since often mail servers store each received message in its own file. But even as the user of a mailbox using a mailer to access it, you may probably find some way to save messages you receive in a file, which may then be reported through spamassassin.

> If I get the message in my Inbox, then I have something to ID it by, right?

You don't need it. Just use '-r' with the original spam message and reporting will be fine. Get the original spam message first!

> Some kind of number tagged by my system but if I see in my logs that this spammer is doing a dictionary attack on my mail server by using generic known user ID's like b...@... j...@... h...@...

From now on this is OT, but anyway. Often this kind of activity is not a dictionary attack, but instead an attempt to use misconfigured mail servers as spam relayers. If your mail server bounces mail addressed to nonexistent recipients, then that is your case.

> Those would all fail for unknown recipient table lookups. How would I then reference the spam message if there is no spam but I can clearly see this spammer is attempting to spam me.

As long as your mail server neither accepts nor bounces these mails, just don't do anything. There are of course ways to reject mail after it has been delivered to your SMTP server, but this is something very OT here and mileage varies a lot according the kind of mailing system you are running. Also, it is not always considered a good practice to report messages you already rejected, because a message rejected is regarded as not received in the SMTP world...

> I would like to be proactive before the spam gets through and report them.

You may eventually filter out that specific source for some time as long as these attempts are meant to cause a DoS, instead of leveraging on some bounce feature to spread spam.

> Thanks!

You're welcome, but please note these matters are quite OT here.

Giampaolo
Re: SA-3.2 need help
Tux Techie wrote:

> I've inserted score FH_DATE_PAST_20XX 0 without the quotes to the end of your local.cf file to disable the rule for 2010 bug.

You need to double-check this entry and then restart spamd since the rule is still hitting on all of the examples you gave. If it is still hitting after that, then you need to make sure you are changing the right file.

> Below is an example of a genuine mail from outside domain marked as ham for a user and spam for other user http://pastebin.com/33WGrJ4b

Differences are Bayes and AWL. It is normal for these to differ between users.

> Another example of a genuine yahoo.com mail marked as SPAM http://pastebin.com/VkJcj3XK
>
> Example of a mail from local network marked as SPAM http://pastebin.com/4FEMpc3G

Post some example headers so we can see what the scores are for each rule (We can assume default scores, but you may have changed them in local.cf, so it is best to look at the spam report header). You can add this to your local.cf if you want to see the report on ham as well as spam:

add_header all Report _REPORT_

> I've entered my local lan series in trusted_networks in local.cf but still its catching my local mails as SPAMS.

All of your local mail should hit the ALL_TRUSTED rule. If not, you should re-check your trusted_network settings.

Adding your servers to trusted_networks does not exempt them from spam checking, it just exempts them from blacklist checks and such. If a local user sends a spammy message, it will still be caught (although the ALL_TRUSTED rule gives a -1 to the score, to help prevent false positives from your own network).

Take an example mail and run it through SA manually to see exactly what is happening.

$ spamassassin -D rules sample.msg

This will give lots of output, but most of it is easily understandable. Keep in mind that you will get different results (particularly with Bayes and AWL) depending on which user you are when you run the test.

> If you can please guide me to some docs or how to for configuring and tuning SA to give good results.

The wiki is always a good starting point. http://wiki.apache.org/spamassassin/

--
Bowie
Re: Amavisd Down after HUP'ing server
On Thu, Apr 22, 2010 at 9:08 PM, Kalpin Erlangga Silaen kal...@gmail.com wrote:

> Hello,
>
> On Thu, Apr 22, 2010 at 8:56 PM, Mark Martinec mark.martinec...@ijs.si wrote:
>> Kalpin Erlangga Silaen wrote:
>>> I always get this error (once a day)
>>> Apr 22 14:07:35 stargate amavis[7147]: (!)Net::Server: 2010/04/22-14:07:35 HUP'ing server
>>> after that, amavis down and can not connect to port 10024
>>> amavisd-new-2.6.4 (20090625)
>>
>> Versions older than 2.7.0 (not yet officially released) do not support reloading by a HUP signal, you need to use:
>> amavisd reload
>> It is normal that a server stays down after sending HUP to 2.6.4.
>> Mark
>
> This is automatically by Net Server. I am using CentOS 5.4 without init.d. I use manual /usr/local/sbin/amavisd to start amavisd. But somehow, once a day always down after get HUP'ing

Check your log rotation script, newsyslog or logrotate or whatever is used on your system.
Re: UCEPROTECT
Hello Nigel,

On 2010-04-22 13:53:41, you hacked out the following:

> I mentioned in one of my posts how UC (UCEPROTECT) were also an issue. They seem to have taken entire netblocks and are demanding 20Euro's per year to remove individual IP's
>
> Does anyone have any information about this and in particular any law enforcement involvement since this smacks of extortion to me.

My legitimate server is also blocked and I can not reach more than 20 customers and manufacturers due to this problem. Some of them have already stopped using UCEPROTECT and I assume, you know WHO owns this enterprise...

I am spammed (more than 200.000 per month) by the owners of this Enterprise and even can not complain, because ANY mails to them are blocked.

I am considering a lawsuit against the owners of UCEPROTECT.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
System administrator

--
# Debian GNU/Linux Consultant ## Development of Intranet and Embedded Systems with Debian GNU/Linux itsyst...@tdnet France itsyst...@tdnet UG (haftungsbeschränkt) Gesch. Michelle Konzack Gesch. Michelle Konzack Apt. 917 (homeoffice) 50, rue de Soultz Kinzigstraße 17 67100 Strasbourg/France 77694 Kehl/Germany Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil Tel: +33-9-52705884 fix http://www.itsystems.tamay-dogan.net/ http://www.flexray4linux.org/ http://www.debian.tamay-dogan.net/ http://www.can4linux.org/ Jabber linux4miche...@jabber.ccc.de ICQ#328449886 Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: UCEPROTECT
Michelle Konzack wrote:

> My legitimate server is also blocked and I can not reach more than 20 customers and manufacturers due to this problem. Some of them have already stopped using UCEPROTECT and I assume, you know WHO owns this enterprise...
>
> I am spammed (more than 200.000 per month) by the owners of this Enterprise and even can not complain, because ANY mails to them are blocked.
>
> I am considering a lawsuit against the owners of UCEPROTECT.

It sounds like all you need to do is report them to the German authorities. You know who they are, and you know that they are spamming you, and you care about that - what else do you need? If you can't be bothered with the police, tell the press.

/Per Jessen, Zürich
Re: SA-3.2 need help
On Fri, 2010-04-23 at 11:16 +0530, Tux Techie wrote:

> I've inserted score FH_DATE_PAST_20XX 0 without the quotes to the end of your local.cf file to disable the rule for 2010 bug.

According to the timestamps the samples are older than your mail. Assuming you restarted spamd, these hits should now be gone and drastically lower your FP rate.

> I've googled all the stuff in my local.cf its not inherited from any setup.

Err? The question was, if you added all that stuff to your local.cf, or if someone else who *was* in charge of the mail server added that earlier.

> Below is an example of a genuine mail from outside domain marked as ham for a user and spam for other user http://pastebin.com/33WGrJ4b

Nope, it is not. It is not a mail, as we requested. That's log messages. At least we got the rules hit.

And there's the second major issue. All your samples hit DNS_FROM_OPENWHOIS -- which is DEAD for almost 10 months. See bug 6157 [1].

BOTH your problems would NOT have come up, if you would run sa-update at least on a monthly basis. May I strongly suggest to run sa-update? It will fix a bunch of issues magically, after restarting your SA daemon.

>> Hmm, in your previous post you said something about sa-update, and then went to list all stock rule-sets, plus some other files that are more likely to be in /etc/mail/spamassassin...
>
> these are default rules which i fetched from sa-update

What do you mean, fetched? Where are all these *.cf files you listed on your system? You did not copy them into /etc/mail/spamassassin, did you?

guenther

[1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: UCEPROTECT
Hello Per,

On 2010-04-23 19:48:14, you hacked out the following:

> It sounds like all you need to do is report them to the German authorities. You know who they are, and you know that they are spamming you, and you care about that - what else do you need? If you can't be bothered with the police, tell the press.

I was already thinking to write an article for Spiegel Online in the section Netzwelt...

And if I see, how many spams I get from Microsoft domains, Yahoo, Google and Co... and can not get them because they have a very nice lobby created to protect them...

Getting 140 GByte spam per day is not really funny... Especially if the customers want it, to get to check for false positives.

Oh, I pay 25 Euro per MBit bandwidth consumed, which means 1MBit = ~320GB per month = in total 4250 GByte = 330 Euro/month for receiving spam.

Thanks, Greetings and nice Day/Evening

Michelle Konzack
Systemadministrator

--
# Debian GNU/Linux Consultant ## Development of Intranet and Embedded Systems with Debian GNU/Linux itsyst...@tdnet France itsyst...@tdnet UG (haftungsbeschränkt) Gesch. Michelle Konzack Gesch. Michelle Konzack Apt. 917 (homeoffice) 50, rue de Soultz Kinzigstraße 17 67100 Strasbourg/France 77694 Kehl/Germany Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil Tel: +33-9-52705884 fix http://www.itsystems.tamay-dogan.net/ http://www.flexray4linux.org/ http://www.debian.tamay-dogan.net/ http://www.can4linux.org/ Jabber linux4miche...@jabber.ccc.de ICQ#328449886 Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: Problems with sa-update
On fre 23 apr 2010 14:34:55 CEST, Lee Dilkie wrote

> Why am I getting this error?

check spamassassin --lint before sa-update, if error fix it first :)

if that does not help then it's a rule bug on remote

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
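The advice in the two sa-update replies above (lint the local configuration first, run sa-update regularly, restart the daemon afterwards) combined into one cron-able function. This is an added example, not code posted in either thread; the restart command and the `SA_*` override variables are assumptions to adapt to the local init system.

```shell
#!/bin/sh
# Added example: lint-gated SpamAssassin rule update for cron.
# Assumptions (not from the thread): the restart command below and the
# SA_* variables, which exist so each step can be swapped or dry-run.
: "${SA_LINT:=spamassassin --lint}"
: "${SA_UPDATE:=sa-update}"
: "${SA_RESTART:=systemctl restart spamassassin}"

# Return codes:
#   0  new rules installed and daemon restarted
#   1  no fresh updates, nothing touched
#   2  local configuration fails lint; fix it before updating
#   3  sa-update reported an error
#   4  rules were updated but the restart failed
update_rules() {
    # Step 1: a broken local.cf makes every later failure ambiguous,
    # so refuse to update until the existing config parses cleanly.
    if ! $SA_LINT >/dev/null 2>&1; then
        echo "spamassassin --lint failed: fix local rules first" >&2
        return 2
    fi

    # Step 2: sa-update exits 0 when it installed an update and 1 when
    # there was nothing new; anything else is treated as a failure here.
    rc=0
    $SA_UPDATE || rc=$?
    case "$rc" in
        0) ;;
        1) return 1 ;;
        *) echo "sa-update failed (exit $rc)" >&2
           return 3 ;;
    esac

    # Step 3: the running daemon keeps the old rules until restarted.
    if ! $SA_RESTART; then
        echo "rules updated but restart failed" >&2
        return 4
    fi
    return 0
}

# Cron usage: source this file, call update_rules, and alert on 2-4.
```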
Re: How to I disable spam checking for a domain
On 4/22/10, Alex wrote:

> > Hi, I have a server with multiple virtual domains, I want to disable spam checking on some of them. Is this possible?
>
> You can't disable a domain *in* SA, but you can whitelist a domain in local.cf like so:
>
>     # Disable SpamAssassin for this user/domain
>     whitelist_to some...@example.com
>     whitelist_to *...@example.com
>
> For completeness, you should know that some mail will still get tagged with whitelist_to, according to this page:
>
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html#item_whitelist_to_add_40ress_2ecom
>
> You should use all_spam_to if you don't want the mail to be tagged at all.
>
> Although it's much more involved, the best approach is to bypass SA entirely, as Ned suggested. Does anyone know where the best reference for doing this with amavisd and postfix would be, btw? I'd like to include it in some docs I'm putting together.
>
> Best, Alex

I think my doc might be helpful: http://www200.pair.com/mecham/spam/bypassing.html

--
Gary V
Re: Reporting (Off Topic)
On Fri, 2010-04-23 at 08:33 -0400, Carlos Mennens wrote:

> On Thu, Apr 22, 2010 at 1:48 PM, Kaleb Hosie kho...@spectraaluminum.com wrote:
>
> > Another (more automated way) is to use the following command:
> >
> >     spamassassin -r the_spam_message_file
>
> Thanks for that info! I think the 'automated' suggestion sounds very nice! When I submit it using 'SA' command, does it get routed to Spamhaus or SpamCop or none of the above? I am just curious how that works? What exactly happens when I use the SA service to route the message? Does it have to get X many number of submissions before it's considered a known spammer?
>
> Secondly, what exactly do you mean by the_spam_message_file? How do I locate this? If I get the message in my Inbox, then I have something to ID it by, right? Some kind of number tagged by my system but if I see in my logs that this spammer is doing a dictionary attack on my mail server by using generic known user ID's like b...@... j...@... h...@... Those would all fail for unknown recipient table lookups. How would I then reference the spam message if there is no spam but I can clearly see this spammer is attempting to spam me. I would like to be proactive before the spam gets through and report them.
>
> Thanks!

Here is a link to a perl script that will run sa-learn on your ham and spam and report your spam to razor/pyzor/DCC and Spamcop.

http://pastebin.com/53ZWejDn

This may be kind of what you're looking for.

HTH
Chris

--
KeyID 0xE372A7DA98E6705C