Re: Strange Issues.
Also looks like the amount of incoming spam has doubled over the past few days.

Date       SPAM   Time     HAM    Time     TOTAL   Time
4/20/2017  3201   3.0757   2939   3.6116   6140    3.3322
4/21/2017  2797   4.12     681    3.8863   5478    3.9954
4/22/2017  2305   2.5721   1021   2.8219   3326    2.6487
4/23/2017  2123   4.7228   969    2.8914   3092    4.1489
4/24/2017  3154   3.904    3065   9.6322   6219    6.7271
4/25/2017  6007   56.2347  4084   54.3506  10091   55.4722
4/26/2017  6125   41.8019  3933   34.9407  10058   39.119
4/27/2017  5777   32.6567  3772   20.0631  9549    27.682

As you can see, the total messages and spam messages increased on the 25th, which is when I started having these issues.. I upgraded SA on the 26th. The time values are the average time to process the spam/ham, or the total average time..

Is there a new spam network out? Anyone else noticed a massive uptick in the amount of spam coming in?

On 04/28/2017 10:04 AM, RW wrote:
On Thu, 27 Apr 2017 17:34:16 -0400 Billy Huddleston wrote:
Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U
It processed okay with spamassassin -t -D

That's probably because it's only doing one at a time. I suspect that these spams are so CPU intensive that you would be CPU limited at 1 child process per core. What I am seeing is that a considerable amount of that "
Re: Strange Issues.
Link to the processed spam: http://pastebin.ca/3803856

On 04/27/2017 06:07 PM, Billy Huddleston wrote:
Info from top:

top - 18:05:17 up 517 days, 19:59, 3 users, load average: 10.28, 10.45, 9.45
Tasks: 68 total, 10 running, 58 sleeping, 0 stopped, 0 zombie
Cpu(s): 84.0% us, 16.0% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 2074920k total, 1595732k used, 479188k free, 211004k buffers
Swap: 1052248k total, 0k used, 1052248k free, 809236k cached

Doesn't look like I'm swapping. It's an older Intel(R) Xeon(TM) CPU 2.66GHz.
I don't remember why the max-conn-per-child was set to 5. I originally had --round-robin too, but I've removed that.

On 04/27/2017 06:01 PM, Kevin A. McGrail wrote:
On 4/27/2017 5:34 PM, Billy Huddleston wrote:
Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U
It processed okay with spamassassin -t -D
Here are my spamd options:
SPAMDOPTIONS="-d -u nobody -q -x -i -A192.168.2.3,192.168.1.3,192.168.1.2,127.0.0.1 --max-children=20 --max-conn-per-child=5 --timeout-child=150"
I did have the child timeout @ 300, and cut it in half hoping it would help..

The max-conn-per-child of 5 is low. Did you have a reason to lower it? Is the machine powerful enough, with enough RAM, to actually run 20 children concurrently? Are you swapping?
Regards, KAM
Re: Strange Issues.
Info from top:

top - 18:05:17 up 517 days, 19:59, 3 users, load average: 10.28, 10.45, 9.45
Tasks: 68 total, 10 running, 58 sleeping, 0 stopped, 0 zombie
Cpu(s): 84.0% us, 16.0% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 2074920k total, 1595732k used, 479188k free, 211004k buffers
Swap: 1052248k total, 0k used, 1052248k free, 809236k cached

Doesn't look like I'm swapping. It's an older Intel(R) Xeon(TM) CPU 2.66GHz.
I don't remember why the max-conn-per-child was set to 5. I originally had --round-robin too, but I've removed that.

On 04/27/2017 06:01 PM, Kevin A. McGrail wrote:
On 4/27/2017 5:34 PM, Billy Huddleston wrote:
Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U
It processed okay with spamassassin -t -D
Here are my spamd options:
SPAMDOPTIONS="-d -u nobody -q -x -i -A192.168.2.3,192.168.1.3,192.168.1.2,127.0.0.1 --max-children=20 --max-conn-per-child=5 --timeout-child=150"
I did have the child timeout @ 300, and cut it in half hoping it would help..

The max-conn-per-child of 5 is low. Did you have a reason to lower it? Is the machine powerful enough, with enough RAM, to actually run 20 children concurrently? Are you swapping?
Regards, KAM
Re: Strange Issues.
Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U
It processed okay with spamassassin -t -D

Here are my spamd options:
SPAMDOPTIONS="-d -u nobody -q -x -i -A192.168.2.3,192.168.1.3,192.168.1.2,127.0.0.1 --max-children=20 --max-conn-per-child=5 --timeout-child=150"
I did have the child timeout @ 300, and cut it in half hoping it would help..

On 04/27/2017 04:43 PM, John Hardin wrote:
On Thu, 27 Apr 2017, Billy Huddleston wrote:
Hey Guys, I just recently started having issues with spamd getting hung on emails. I've been seeing lots of emails with cont...@qq.com and other contact@... domains. I looked at a few of these messages and they all had this stuff in them..
Re: Strange Issues.
Yes, I'm using spamc/spamd. And it may, or may not, be that message.. but I've seen several of them just sit in my mail queue waiting on the spam check.. all have about the same message size, 376k to 377k. Let me grab one of these new ones and run spamassassin -t -D against it.

On 04/27/2017 04:35 PM, Kevin A. McGrail wrote:
On 4/27/2017 1:31 PM, Billy Huddleston wrote:
I just recently started having issues with spamd getting hung on emails. I've been seeing lots of emails with cont...@qq.com and other contact@... domains. I looked at a few of these messages and they all had this stuff in them..
Strange Issues.
Hey Guys, I just recently started having issues with spamd getting hung on emails. I've been seeing lots of emails with cont...@qq.com and other contact@... domains. I looked at a few of these messages and they all had this stuff in them..
Re: Question about v3.2.1 and SARE rules..
Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xd5) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu1.cf, rule __SARE_OBFU_VISIT1, line 1, GEN42 line 64.
Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xcf) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu0.cf, rule SARE_OBFU_XANAX, line 1, GEN42 line 64.

Doc Schneider wrote:
Billy Huddleston wrote:
I upgraded from 3.1.7 to 3.2.1 and started getting errors from the 70_sare_obfu.cf rule set.. anyone got any ideas on this?
Thanks, Billy

What are the errors?

--
-Doc
Penguins: Do it on the ice.
8:44am up 4 days, 16:55, 17 users, load average: 0.18, 0.30, 0.37
SARE HQ http://www.rulesemporium.com/
Re: New stock spam (2/14/07)
Here is one I've been getting.. I use an older version of spambot, SARE, and Network tests.. to no avail..
http://www.pastebin.ca/356543

- Original Message -
From: Brian Wilson [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, February 14, 2007 9:37 PM
Subject: [SPAM] Re: New stock spam (2/14/07)

On Feb 14, 2007, at 8:48 PM, Giampaolo Tomassoni wrote:
From: Quinn Comendant [mailto:[EMAIL PROTECTED]
On Thu, 15 Feb 2007 01:18:46 +0100, Giampaolo Tomassoni wrote:
I think SARE and some network tests are even better (scores 11.5 with my surprising Bayes :)

I agree, mine scored it in a similar way:

Content analysis details: (11.5 points, 4.9 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]

Nah! You cheat! Bayes did already learn this message, right? :)
Giampaolo

Then we both cheated: (no previous learns on this one that I'm aware of)

score=13.8 required=4.5
* 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
* 2.0 BOTNET Relay might be a spambot or virusbot
*     [botnet0.7,ip=211.48.218.5,maildomain=amante.ro,nordns]
* 0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
* 1.7 SARE_PROLOSTOCK_SYM3 BODY: Last week's hot stock scam
* 0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 4.2 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*     [score: 1.]
* 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*     [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
* 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*     [211.48.218.5 listed in zen.spamhaus.org]
Re: Botnet 0.6 plugin for Spam Assassin availabile
Question: how can we avoid tagging messages that are sent to our server from a remote connection if they use authenticated SMTP?
Example: I have a user who is on a different network, using my mail server, so I let them in via authenticated SMTP, and every message they send gets tagged because of Bot Net or Relay Checker..
Thanks, Billy

- Original Message -
From: decoder [EMAIL PROTECTED]
To: John Rudd [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Friday, December 08, 2006 5:03 AM
Subject: Re: Botnet 0.6 plugin for Spam Assassin availabile

John Rudd wrote:
Michael Schaap wrote:
John Rudd wrote:
The next version of the Botnet plugin for Spam Assassin is ready. The install instructions are in the Botnet.txt file, and in the INSTALL file.

Great work!

To Do before 1.0: (...)

There's another thing that would be really nice to have. You know how the DNS rules' descriptions specify what actually matches? e.g.:
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    [12.34.56.789 listed in sbl-xbl.spamhaus.org]
1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    [URIs: example.com]
It would be great if Botnet could do something similar, like:
2.0 BOTNET The submitting mail server looks like part of a Botnet
    [ip=12.34.56.789 rdns=dhcp12.34.example.org]

Any tips on how to do that? :-}

Have a look at the FuzzyOcr plugin, especially on Scoring.pm in the SVN, found here:
http://fuzzyocr.own-hero.net/browser/trunk/devel/FuzzyOcr/Scoring.pm
In each of the functions, the mail is scored with a different rule, a custom score and a custom description which is generated there. That should be enough for you to reproduce that :)
Chris
New Spam
I'm getting some new spam coming through.. It's ASCII art (using nothing but numbers) and spells out TORA.08 and nothing else.. It looks to be coming from a botnet.. Anyone seen this?
Thanks, Billy
Re: I've got TORA.08 spelled with numbers?
So, here is a question... Why spam everyone with TORA.08? I don't even know what the heck that means!!!

- Original Message -
From: Evan Platt [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Friday, November 17, 2006 10:48 AM
Subject: Re: I've got TORA.08 spelled with numbers?

At 07:44 AM 11/17/2006, you wrote:
I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this.

4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213

Does anybody know what this is about?

Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: I've got TORA.08 spelled with numbers?
Will that not get legit mail from someone sending via Microsoft Outlook?

- Original Message -
From: Justin Mason [EMAIL PROTECTED]
To: Billy Huddleston [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Friday, November 17, 2006 11:10 AM
Subject: Re: I've got TORA.08 spelled with numbers?

this seems to catch them:

header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962)

--j.

Billy Huddleston writes:
So, here is a question... Why spam everyone with TORA.08? I don't even know what the heck that means!!!

- Original Message -
From: Evan Platt [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Friday, November 17, 2006 10:48 AM
Subject: Re: I've got TORA.08 spelled with numbers?

At 07:44 AM 11/17/2006, you wrote:
I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this.

4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213

Does anybody know what this is about?

Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: RelayChecker 0.3
I wouldn't consider those false positives.. Just incorrectly configured/administrated servers.. Reverse DNS is a must. I'm surprised at how many people still haven't got that yet in the IT world.. (Consultants mostly..)
Thanks, Billy

- Original Message -
From: Derek Harding [EMAIL PROTECTED]
To: John Rudd [EMAIL PROTECTED]
Cc: SpamAssassin Users users@spamassassin.apache.org
Sent: Thursday, November 16, 2006 8:56 PM
Subject: Re: RelayChecker 0.3

On Sun, 2006-11-12 at 17:26 -0800, John Rudd wrote:
http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar

I've been running this for a few days now and am finding it to be pretty effective, especially against the bots that are producing all the image spam. Currently it's running about an 87.55% hit rate with only two false positives so far (one a company on ADSL, the other a mail server with no reverse DNS).
Thanks, Derek
Re: R: R: R: Relay Checker Plugin (code review please?)
I like the ability to give individual scores to the various tests... per my patch.. It allows for minor tweaking for each kind of issue.

- Original Message -
From: John Rudd [EMAIL PROTECTED]
To: Nix [EMAIL PROTECTED]
Cc: Andreas Pettersson [EMAIL PROTECTED]; Steven Dickenson [EMAIL PROTECTED]; Giampaolo Tomassoni [EMAIL PROTECTED]; users@spamassassin.apache.org
Sent: Sunday, November 05, 2006 1:57 PM
Subject: Re: R: R: R: Relay Checker Plugin (code review please?)

Nix wrote:
On 1 Nov 2006, Andreas Pettersson stated:
Steven Dickenson wrote:
I can't agree with this. Many small businesses in the US get just these kind of static connections from broadband ISPs. Comcast, for example, has all of their static customers using rDNS that would fail your tests, and they refuse to set up a custom PTR record or delegate the record to someone else.

I disagree on your disagreement. This is my opinion: If you don't have control over your rDNS, do NOT run any mail server, unless you relay all outbound mail through a server at your ISP.

What if you don't *have* a server at your ISP that you can relay your mail through, because your ISP expects you to send mail directly from your own mailserver? What if your ISP provides a server but it is horrifically unreliable?

In those two cases: Go to a service that hosts web/email servers under your custom domain, and relay through your own hosted server. They exist. Some of them aren't expensive at all.

Most of these static customers are legitimate business networks running their own mail server, and have neither the need nor desire to relay their mail through Comcast's SMTP servers. I think your general idea is very good, but you're reaching a little too far with this one.

'No need nor desire', that's not really any good excuse. Use a relay or find your mail rejected, I'd say.

Charming. They're not spammers, but you want to punish them as if they were, because reality makes your tests too complicated.
Punishing them would be blocking them outright. Quarantining them is merely recognizing that they haven't obtained a class of service that would indicate a well configured and well maintained email server, as opposed to a fly-by-night or rinky-dink operation running on a bottom-feeder ISP's network ... characteristics that would indicate that the ISP is careless and not diligent, or that their customers have no care nor concern about their quality of service, either one making it more likely that I am dealing with a spambot or an open relay.

So, I make them jump through an extra hoop in order to get through to me. That extra hoop is either a) going through my quarantine process, or b) paying for a hosted service with proper RDNS. Either don't look like part of a botnet or accept being in my quarantine all of the time.

It is not my obligation to accept nor view every email that hits my server. It is my prerogative to establish whatever hurdles I want to in getting through to my email inbox. It's not punishment, as punishment implies that I am removing your rights or privileges ... which doesn't apply, because you have no rights nor privileges with regard to my inbox.

And, the fact is, the people you're trying to raise as a counter-case are not only such a minority that they aren't on my radar, they're such a minority that they don't exist at all in my 15 months of experience in doing these checks. Every sender which has connected to my machines, without being on my own subnet, nor performing SMTP-AUTH, and without passing these checks, has been sending spam or a virus. Without exception.

I realize that not everyone else is going to have the same experience with their email traffic that I do, which is why I'm making the plugin ever more flexible. First, I set a preference for just skipping some tests. Then, last night, I removed the hard-coded dynhostname and clienthostname checks. Now there's a keyword check, with the keywords used being supplied in the cf file.

So, each site can set their own keyword requirement ... or leave it blank and skip that check entirely. (I haven't released this new code yet)
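The checks John describes above (PTR lookup, forward-confirmed rDNS, an IP embedded in the hostname, and a site-configurable keyword list that can be left empty to skip the check), with the per-check scores from Billy's patch, worked through as an added Python example. This is not the plugin's Perl; the PTR/A tables (FAKE_PTR, FAKE_A) are constructed stand-ins for real DNS using documentation-range addresses, and the example goes slightly beyond the plugin by also matching reversed octet order and the whole address as one decimal integer.

```python
import ipaddress
import re

# Constructed, offline stand-ins for the gethostbyaddr/gethostbyname lookups
# the plugin performs (hypothetical names, documentation-range IPs).
FAKE_PTR = {
    "192.0.2.10": "mail.example.org",                     # well-configured relay
    "192.0.2.20": "ghost.example.net",                    # PTR name that does not resolve
    "192.0.2.30": "mx.example.com",                       # resolves, but not back to this IP
    "198.51.100.40": "c-198-51-100-40.dhcp.example.net",  # IP embedded + dynamic keyword
    "203.0.113.5": "0xcb007105.example.net",              # IP embedded as hex
}
FAKE_A = {
    "mail.example.org": ["192.0.2.10"],
    "mx.example.com": ["192.0.2.31"],
    "c-198-51-100-40.dhcp.example.net": ["198.51.100.40"],
    "0xcb007105.example.net": ["203.0.113.5"],
}

# Defaults mirror the patch: each check worth 1, plus a base of 4 once anything fires.
DEFAULT_SCORES = {"base": 4, "nordns": 1, "badrdns": 1, "baddns": 1,
                  "ipinhostname": 1, "dynhostname": 1}
DEFAULT_KEYWORDS = ["cable", "catv", "client", "ddns", "dhcp", "dial-?up",
                    "dip", "dsl", "dynamic", "ppp"]


def ip_in_hostname(ip, hostname):
    """True if the relay's own address is embedded in its PTR name: the four
    octets in decimal (either order, any single separator), the octets as
    eight hex digits, or the whole address as one decimal integer."""
    octets = [int(x) for x in ip.split(".")]
    host = hostname.lower()
    for order in (octets, octets[::-1]):
        pat = r"(?<!\d)" + r"\D?".join(str(o) for o in order) + r"(?!\d)"
        if re.search(pat, host):
            return True
    as_hex = "".join(f"{o:02x}" for o in octets)
    as_int = str(int(ipaddress.IPv4Address(ip)))
    return as_hex in host or as_int in host


def dynamic_keyword(hostname, keywords):
    """Same shape as the plugin's regex: a keyword in the leftmost labels,
    followed by at least two more labels. An empty keyword list skips the check."""
    if not keywords:
        return False
    pat = r"(?:" + "|".join(keywords) + r")\S*\.\S+\.\S+$"
    return re.search(pat, hostname.lower()) is not None


def check_relay(ip, scores=DEFAULT_SCORES, keywords=DEFAULT_KEYWORDS,
                ptr=FAKE_PTR, a_records=FAKE_A):
    """Return (score, hits) for the untrusted relay at `ip`, following the
    plugin's decision tree: no PTR -> nordns; PTR name that does not resolve ->
    badrdns; resolves but not back to `ip` -> baddns; otherwise look for an
    embedded IP and for dynamic-looking keywords."""
    hits = []
    hostname = ptr.get(ip)
    if hostname is None:
        hits.append("nordns")
    else:
        addrs = a_records.get(hostname)
        if addrs is None:
            hits.append("badrdns")
        elif ip not in addrs:
            hits.append("baddns")
        else:
            if ip_in_hostname(ip, hostname):
                hits.append("ipinhostname")
            if dynamic_keyword(hostname, keywords):
                hits.append("dynhostname")
    score = sum(scores[h] for h in hits)
    if score:
        score += scores["base"]   # base applies once, and only if a check fired
    return score, hits


if __name__ == "__main__":
    for relay in ["192.0.2.10", "192.0.2.20", "192.0.2.30",
                  "198.51.100.40", "203.0.113.5", "192.0.2.99"]:
        print(relay, check_relay(relay))
```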
Re: Relay Checker Plugin (code review please?)
I've attached the patch file this time.. give it a go.. Use this command to patch your file:
patch < RelayChecker.patch
and it should work.. This is just the patch for the .pm file.. the other one was simply adding in the default score values..
Thanks, Billy

- Original Message -
From: Dylan Bouterse [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 11:28 PM
Subject: RE: Relay Checker Plugin (code review please?)

I did a couple of times. :(

-Original Message-
From: Billy Huddleston [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 01, 2006 9:20 PM
To: Dylan Bouterse; users@spamassassin.apache.org
Subject: Re: Relay Checker Plugin (code review please?)

You may want to download the new RelayChecker.pm file... you may have messed it up previously.. If you still have problems let me know..

- Original Message -
From: Dylan Bouterse [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 6:39 PM
Subject: RE: Relay Checker Plugin (code review please?)

-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 01, 2006 5:05 PM
To: Dylan Bouterse
Cc: users@spamassassin.apache.org
Subject: RE: Relay Checker Plugin (code review please?)

On Wed, 1 Nov 2006, Dylan Bouterse wrote:
# header RELAY_CHECKER eval:relay_checker()
# describe RELAY_CHECKER Check relay for DNS/Hostname issues.
to:
if ($nordns) {
and when I run --lint I get the following errors:
/etc/mail/spamassassin/RelayChecker.pm line 44, near 27 @@

...how exactly did you apply the patch? From the contents of that error message it looks like you just inserted the patch text into the source file... Take a look at man patch. (Sorry if you did do that, but that error message is really suggestive of improper procedure.)

I have never used the patch command and was not aware of it. Thank you for pointing me in the right direction. I was able to patch my RelayChecker.cf file using the patch command and the provided patch for that file, but I am getting errors when trying to patch the RelayChecker.pm file.

[EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch RelayChecker.pm
missing header for unified diff at line 3 of patch
patching file RelayChecker.pm
Hunk #3 succeeded at 102 with fuzz 1.
missing header for unified diff at line 77 of patch
can't find file to patch at input line 77
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|     if (! defined($name)) {
|       # the PTR record leads to a host that doesn't resolve in DNS
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns);
|-      $badrdns = 1;
|+      $badrdns = $badrdns_score;
|     }
|     else {
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is $name);
@@ -96,7 +123,7 @@
|       # the hostname in the PTR record does resolve, but that hostname
|       # doesn't have $ip as one of its IP addresses
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns);
|-      $baddns = 1;
|+      $baddns = $baddns_score;
|     }
|     else {
|       ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets
@@ -124,7 +151,7 @@
|       # in hex or decimal form ... or the entire thing in decimal
|       # probably a spambot since this is an untrusted relay
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: ipinhostname);
|-      $ipinhostname = 1;
|+      $ipinhostname = $ipinhostname_score;
|     }
|     if ($hostname =~
|       /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+ $/
--------------------------

RelayChecker.patch
Description: Binary data
Re: Relay Checker Plugin (code review please?)
Attached is patch to allow scores to be done in the .cf file --- RelayChecker.pm 2006-10-30 18:02:28.0 -0500 +++ ../RelayChecker.pm 2006-11-01 15:36:53.0 -0500 @@ -31,6 +31,12 @@ # headerRELAY_CHECKER eval:relay_checker() # describe RELAY_CHECKER Check relay for DNS/Hostname issues. +our $base_score = 4; +our $nordns_score = 1; +our $badrdns_score = 1; +our $baddns_score = 1; +our $ipinhostname_score = 1; +our $dynhostname_score = 1; sub new { my ($class, $mailsa) = @_; @@ -44,6 +50,27 @@ return $self; } +sub parse_config { +my ( $self, $opts ) = @_; + if ( $opts-{key} eq rc_base_score ) { +$base_score = $opts-{value}; + } + elsif ( $opts-{key} eq rc_nordns_score ) { +$nordns_score = $opts-{value}; + } + elsif ( $opts-{key} eq rc_badrdns_score ) { +$badrdns_score = $opts-{value}; + } + elsif ( $opts-{key} eq rc_baddns_score ) { +$baddns_score = $opts-{value}; + } + elsif ( $opts-{key} eq rc_ipinhostname_score ) { +$ipinhostname_score = $opts-{value}; + } + elsif ( $opts-{key} eq rc_dynhostname_score ) { +$dynhostname_score = $opts-{value}; + } +} sub relay_checker { my ($self, $pms) = @_; @@ -75,7 +102,7 @@ if (! defined($hostname)) { # the IP address doesn't have a PTR record Mail::SpamAssassin::Plugin::dbg(RelayChecker: nordns); - $nordns = 1; + $nordns = $nordns_score; } else { ($name, $aliases, $addrtype, $length, @addrs) = gethostbyname($hostname); @@ -83,7 +110,7 @@ if (! defined($name)) { # the PTR record leads to a host that doesn't resolve in DNS Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns); - $badrdns = 1; + $badrdns = $badrdns_score; } else { Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is $name); @@ -96,7 +123,7 @@ # the hostname in the PTR record does resolve, but that hostname # doesn't have $ip as one of its IP addresses Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns); -$baddns = 1; +$baddns = $baddns_score; } else { ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets 
@@ -124,7 +151,7 @@ # in hex or decimal form ... or the entire thing in decimal # probably a spambot since this is an untrusted relay Mail::SpamAssassin::Plugin::dbg(RelayChecker: ipinhostname); - $ipinhostname = 1; + $ipinhostname = $ipinhostname_score; } if ($hostname =~ /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+$/ @@ -136,7 +163,7 @@ # hostname contains words that look dynamic # probably a spambot since this is an untrusted relay Mail::SpamAssassin::Plugin::dbg(RelayChecker: dynhostname); - $dynhostname = 1; + $dynhostname = $dynhostname_score; } } # found ip addr @@ -145,7 +172,7 @@ $score = $nordns + $badrdns + $baddns + $ipinhostname + $dynhostname; if ($score) { - $score += 4; + $score += $base_score; my $description = $pms-{conf}-{description}-{RELAY_CHECKER}; if ($nordns) { --- RelayChecker.cf 2006-10-30 18:02:28.0 -0500 +++ ../RelayChecker.cf 2006-11-01 15:38:30.0 -0500 @@ -7,4 +7,9 @@ loadplugin RelayCheckerRelayChecker.pm header RELAY_CHECKER eval:relay_checker() describeRELAY_CHECKER Check relay for DNS/Hostname issues - +rc_base_score 1.4 +rc_nordns_score1 +rc_badrdns_score 1 +rc_baddns_score1 +rc_ipinhostname_score 1 +rc_dynhostname_score 1 - Original Message - 
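Review bot: the new parse_config in the @@ -44,6 +50,27 @@ hunk assigns the six rc_*_score values but never signals to SpamAssassin's config parser that it consumed the line, so every rc_*_score entry in RelayChecker.cf will still be reported as an unparseable option at --lint time; each branch should end with `$self->inhibit_further_callbacks(); return 1;` (the standard Plugin.pm idiom for a handled key), and since the values go straight into the `$score` arithmetic in the @@ -145,7 +172,7 @@ hunk they should be validated as numeric before assignment rather than trusted as raw strings. A smaller inconsistency worth a comment: the hard-coded `our $base_score = 4;` in the .pm does not match the `rc_base_score 1.4` shipped in the RelayChecker.cf hunk, so a site that applies only the .pm patch scores differently from one that applies both.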
From: Andreas Pettersson [EMAIL PROTECTED]
To: Steven Dickenson [EMAIL PROTECTED]
Cc: John Rudd [EMAIL PROTECTED]; Giampaolo Tomassoni [EMAIL PROTECTED]; users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 12:11 PM
Subject: Re: R: R: R: Relay Checker Plugin (code review please?)

Steven Dickenson wrote:
On Oct 31, 2006, at 6:09 AM, John Rudd wrote:
I've considered the exact opposite (adding static to the check for keywords). My rules are really looking more for "is this a _client_ host", not "is this a dynamic host". That one check looks for dynamic, but I'm not interested in exempting anyone because they're static. They've still got a hostname that looks like an end-client, and an end-client shouldn't be connecting to other people's mail servers. Any end-client that connects to someone else's email server should be treated like it's a spam/virus zombie.

I can't agree with this. Many small businesses in the US get just these kind of static connections from broadband ISPs. Comcast, for example, has all of their static customers using rDNS that would fail your tests, and they refuse to set up a custom PTR
Re: Relay Checker Plugin (code review please?)
You may want to download the new RelayChecker.pm file... you may have messed it up previously.. If you still have problems let me know..

- Original Message -
From: Dylan Bouterse [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 6:39 PM
Subject: RE: Relay Checker Plugin (code review please?)

-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 01, 2006 5:05 PM
To: Dylan Bouterse
Cc: users@spamassassin.apache.org
Subject: RE: Relay Checker Plugin (code review please?)

On Wed, 1 Nov 2006, Dylan Bouterse wrote:
# header RELAY_CHECKER eval:relay_checker()
# describe RELAY_CHECKER Check relay for DNS/Hostname issues.
to:
if ($nordns) {
and when I run --lint I get the following errors:
/etc/mail/spamassassin/RelayChecker.pm line 44, near 27 @@

...how exactly did you apply the patch? From the contents of that error message it looks like you just inserted the patch text into the source file... Take a look at man patch. (Sorry if you did do that, but that error message is really suggestive of improper procedure.)

I have never used the patch command and was not aware of it. Thank you for pointing me in the right direction. I was able to patch my RelayChecker.cf file using the patch command and the provided patch for that file, but I am getting errors when trying to patch the RelayChecker.pm file.

[EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch RelayChecker.pm
missing header for unified diff at line 3 of patch
patching file RelayChecker.pm
Hunk #3 succeeded at 102 with fuzz 1.
missing header for unified diff at line 77 of patch
can't find file to patch at input line 77
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|     if (! defined($name)) {
|       # the PTR record leads to a host that doesn't resolve in DNS
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns);
|-      $badrdns = 1;
|+      $badrdns = $badrdns_score;
|     }
|     else {
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is $name);
@@ -96,7 +123,7 @@
|       # the hostname in the PTR record does resolve, but that hostname
|       # doesn't have $ip as one of its IP addresses
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns);
|-      $baddns = 1;
|+      $baddns = $baddns_score;
|     }
|     else {
|       ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets
@@ -124,7 +151,7 @@
|       # in hex or decimal form ... or the entire thing in decimal
|       # probably a spambot since this is an untrusted relay
|       Mail::SpamAssassin::Plugin::dbg(RelayChecker: ipinhostname);
|-      $ipinhostname = 1;
|+      $ipinhostname = $ipinhostname_score;
|     }
|     if ($hostname =~
|       /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+ $/
--------------------------
SA Webmail Portal
Anyone developed a webmail portal for SpamAssassin? What I mean by this is.. some sort of webmail which only has a spam folder so people can see their spam.. anything else passes on through..
I'm running SA in two manners.. One of which is going directly to my POP server and tags all the spam.. and my POP server files stuff away accordingly.. but I'm also providing spam tagging services for other customers.. who are now requesting that they not get the spam, but have a webmail portal page similar to Postini's (also a nice place to adjust their scores).
Thanks, Billy
Re: SA Webmail Portal
Okay, so next question.. might be totally off topic for SA.. How can I make the front-end mail server know if an email address exists on the backend server?
Example.. I use qmail on my front-end.. I don't like receiving tons of invalid emails just to turn around and attempt to deliver bounces that could possibly be going to honeypots or servers that don't take mail, etc.. I solved this on my own domain by using an SMTP VRFY script that checks against my backend mail server.. but since the other domains don't have mailboxes on my back-end server and it is only set up to relay their mail, it blindly accepts EVERYTHING for them.. Any suggestions?
Thanks, Billy

- Original Message -
From: Jo Rhett [EMAIL PROTECTED]
To: Chris St. Pierre [EMAIL PROTECTED]
Cc: Billy Huddleston [EMAIL PROTECTED]; users@spamassassin.apache.org
Sent: Tuesday, October 17, 2006 2:31 PM
Subject: Re: SA Webmail Portal

Chris St. Pierre wrote:
Remember, SA doesn't filter, file, deliver, or anything else. You can use it to munge the message, but anything else is up to other software -- in this case, probably your IMAP server.

Not entirely true. These options change the delivery address. If you use these and also virtusertable, you could deliver tagged mail to a different location.

## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing'
# $recipient_delimiter = undef;
# $replace_existing_extension = 1;
# $addr_extension_virus = undef;
# $addr_extension_banned = undef;
# $addr_extension_spam = undef;
# $addr_extension_bad_header = undef;
# @addr_extension_virus_maps = (\$addr_extension_virus);
# @addr_extension_banned_maps = (\$addr_extension_banned);
# @addr_extension_spam_maps = (\$addr_extension_spam);
# @addr_extension_bad_header_maps = (\$addr_extension_bad_header);

--
Jo Rhett
Network/Software Engineer
Net Consonance
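One way to do the backend check Billy asks about for relayed domains, as an added Python example that is not the thread's own VRFY script: a RCPT TO callout against the backend, with its reply mapped to accept/reject/defer so the front end refuses unknown recipients at its own RCPT TO instead of queuing mail it would later have to bounce. The backend hostname and the `probe` hook for testing are assumptions for illustration.

```python
import smtplib
import time

ACCEPT, REJECT, DEFER = "accept", "reject", "defer"


def classify_rcpt_reply(code):
    """Turn the backend's reply to RCPT TO into the front end's own decision.
    2xx: mailbox exists, take the message. 5xx: refuse at our own RCPT TO too,
    so the sending server owns the bounce and we never generate backscatter.
    4xx, or no usable answer: answer 4xx ourselves rather than guess; a real
    sender retries, a bot usually does not, and still no bounce is created."""
    if 200 <= code < 300:
        return ACCEPT
    if 500 <= code < 600:
        return REJECT
    return DEFER


class RecipientVerifier:
    """Recipient callout against a backend for domains the front end only
    relays. Results are cached so a burst of mail for one address probes the
    backend once; temporary failures are deliberately not cached."""

    def __init__(self, backend_host, port=25, timeout=10, cache_ttl=3600):
        self.backend_host, self.port, self.timeout = backend_host, port, timeout
        self.cache_ttl = cache_ttl
        self._cache = {}  # recipient -> (decision, expiry timestamp)

    def verify(self, recipient, now=None, probe=None):
        """Decision for `recipient`; `probe` (hypothetical hook) replaces the
        network callout in tests, `now` lets the cache be exercised offline."""
        now = time.time() if now is None else now
        recipient = recipient.lower()
        hit = self._cache.get(recipient)
        if hit and hit[1] > now:
            return hit[0]
        decision = (probe or self._probe)(recipient)
        if decision != DEFER:
            self._cache[recipient] = (decision, now + self.cache_ttl)
        return decision

    def _probe(self, recipient):
        """The real callout: EHLO, MAIL FROM:<> (the null sender a bounce would
        use), RCPT TO, then RSET so nothing is ever actually delivered."""
        try:
            with smtplib.SMTP(self.backend_host, self.port, timeout=self.timeout) as s:
                s.ehlo_or_helo_if_needed()
                code, _ = s.mail("")
                if code != 250:
                    return DEFER
                code, _ = s.rcpt(recipient)
                s.rset()
                return classify_rcpt_reply(code)
        except (smtplib.SMTPException, OSError):
            return DEFER
```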
Re: How to filter these spam messages
Yup.. and it sucks.. I get a 10 minute delay, and my phone starts ringing off the hook. I've had to beef up our spamassassin engines at least 3 times in the past 18 months to handle the load.. and now getting these stupid text-only 3 or 4 line emails that are very difficult to block.. Greylisting just isn't an option that I'm willing to do if it's simply refusing to take delivery of the message on the first go around..
Thanks, Billy

- Original Message -
From: Jo Rhett [EMAIL PROTECTED]
To: Logan Shaw [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Monday, October 16, 2006 2:47 PM
Subject: Re: How to filter these spam messages

Logan Shaw wrote:
I guess the problem with being an ISP is that there would be other ISPs who would be willing to not try to adjust their expectations and instead promise them super-speedy e-mail delivery in all cases. The fact that it isn't possible to deliver on that promise might not matter if they still manage to take away your customers. :-)

Exactly so. At an ISP I did some work for, I used to argue this until people very reasonably pointed out that yahoo mail got delivered faster, and it was free. Yahoo averages ~2 minutes for mail delivery. That sets the bar for anyone who is trying to sell their mail services.

--
Jo Rhett
Network/Software Engineer
Net Consonance
Re: How to filter these spam messages
Yea, I was getting ready to post about the same kind of spam.. Very obnoxious. Any ideas?

- Original Message -
From: Simon [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Sunday, October 15, 2006 2:29 PM
Subject: How to filter these spam messages

Hello,

I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? Any help would be appreciated, thanks!

Here are the latest spam I'm receiving: http://optinet.com/spam.txt

My config is pretty much default and I have a few extra rulesets from rulesemporium.

Thanks, Simon
Re: How to filter these spam messages
Someone want to explain Greylisting?

- Original Message -
From: Micke Andersson [EMAIL PROTECTED]
To: Simon [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Sunday, October 15, 2006 3:50 PM
Subject: Re: How to filter these spam messages

Try Greylisting if you are admin on your own e-mail server! That will filter most of those e-mails.

/Micke

Simon wrote:
> Hello,
>
> I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? Any help would be appreciated, thanks!
>
> Here are the latest spam I'm receiving: http://optinet.com/spam.txt
>
> My config is pretty much default and I have a few extra rulesets from rulesemporium.
>
> Thanks, Simon
Re: How to filter these spam messages
Won't work for my use.. Running SA for an ISP.. Way too many people.. Way too much volume.. People upset at the time delays already.. which are under 2 - 10 minutes.. Go figure.

- Original Message -
From: John Thompson [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Sunday, October 15, 2006 10:59 PM
Subject: Re: How to filter these spam messages

On 2006-10-15, Michael Scheidell [EMAIL PROTECTED] wrote:
> Billy Huddleston wrote:
>> Someone want to explain Greylisting?
> It delays any email for up to 45 mins. If the sender is running a REAL server[sic] like aol or yahoo, it will retry it. Ok if you don't mind waiting a long time for email.

The latest versions of milter-greylist for sendmail allow you to fine tune greylisting on a per-user basis. My wife doesn't want to wait for her email, and has a small enough internet footprint that she doesn't get much spam anyway, so I put no delay on her account. My daughter and I, OTOH, get tons of spam and are willing to wait 30 minutes for delivery if it means less spam. Seems to work well here, anyway.

-- John ([EMAIL PROTECTED])
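To make the mechanics behind the greylisting discussion above concrete: the server keys each first contact by the triplet (client address, envelope sender, envelope recipient), answers it with a 4xx temporary failure, and only accepts when the same triplet comes back after a minimum delay; most spamware either never retries or retries immediately, while a real MTA queues and retries. The policy below is an added example written for this page, not code from milter-greylist or any other product the thread names. The timings, the /24 keying of IPv4 clients, the auto-whitelist lifetime and the per-recipient exemption set (the "no delay for this user" knob John describes) are all assumptions chosen for the example.

```python
"""Greylisting policy as a worked example (added here; not from the thread).

A first contact is keyed by (client /24 or /64, envelope sender, envelope
recipient) and tempfailed with 451. When the same triplet returns after
MIN_DELAY it is accepted and remembered, so later mail is not delayed.
Triplets that are never retried are forgotten after RETRY_WINDOW.
Constants and the prefix lengths are assumptions for this example.
"""
from dataclasses import dataclass, field
import ipaddress

MIN_DELAY = 5 * 60           # seconds a retry must wait before it is accepted
RETRY_WINDOW = 4 * 3600      # forget a triplet that is not retried within this
WHITELIST_TTL = 30 * 86400   # accepted triplets stay exempt this long

TEMPFAIL = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "2.0.0 Ok")


def triplet_key(client_ip: str, sender: str, recipient: str) -> tuple:
    """Key on the client's /24 (IPv4) or /64 (IPv6) so an MTA pool that
    retries from a sibling host still matches the original attempt."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), sender.lower(), recipient.lower())


@dataclass
class Greylist:
    exempt_recipients: set = field(default_factory=set)   # users who get no delay
    pending: dict = field(default_factory=dict)           # key -> first_seen (epoch s)
    whitelisted: dict = field(default_factory=dict)       # key -> last_accepted (epoch s)

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> tuple:
        """Return the (code, text) reply the MTA should give at RCPT TO time.
        `now` is injected so the policy is deterministic and testable."""
        if recipient.lower() in self.exempt_recipients:
            return ACCEPT
        key = triplet_key(client_ip, sender, recipient)

        last_ok = self.whitelisted.get(key)
        if last_ok is not None:
            if now - last_ok < WHITELIST_TTL:
                self.whitelisted[key] = now       # refresh on each accepted message
                return ACCEPT
            del self.whitelisted[key]             # stale entry, greylist afresh

        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now               # first contact: start the clock
            return TEMPFAIL
        if now - first < MIN_DELAY:
            return TEMPFAIL                       # retried too soon, keep waiting

        del self.pending[key]                     # genuine retry: accept and remember
        self.whitelisted[key] = now
        return ACCEPT


if __name__ == "__main__":
    # Constructed walk-through: one sender retrying after 15 minutes from a
    # sibling host in the same /24, one exempt recipient, one bot that never retries.
    g = Greylist(exempt_recipients={"wife@example.test"})
    t0 = 1_000_000.0
    print(g.check("198.51.100.10", "joe@sender.test", "me@example.test", t0))
    print(g.check("198.51.100.11", "joe@sender.test", "me@example.test", t0 + 900))
    print(g.check("198.51.100.10", "joe@sender.test", "wife@example.test", t0))
    print(g.check("203.0.113.5", "bot@spam.test", "me@example.test", t0))
```

The cost the ISP posts above complain about is exactly the MIN_DELAY plus the sender's retry interval, which the greylisting side cannot control; the exemption set and the auto-whitelist are the two levers that keep that delay from hitting every message for every user.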
URI's and geocities subwebs..
Is there a way to get the URIs to look at stuff like this?? I'm seeing more and more spam with these kinds of things in them to get by URI detection..

http://asia.geocities.com/april19781matt1487

Thanks, Billy
Question about addons
Anyone have a method of delivering a message to a local mailbox if it's spam and then allowing the user to forward it on if it's not, a quarantine system kinda like POSTINI does it? I've got a few of my customers looking for something like that. I can run them through my SA servers and tag spam, but they would prefer not to get the messages at all if possible.

Thanks, Billy

+-------------------------------------------------------------+
| Billy Huddleston           Senior Systems Administrator     |
| Net-Express                http://www.nxs.net               |
| 114 Sherway Rd.            Voice: 865-691-2011              |
| Knoxville, TN 37922        Fax: 865-691-9894                |
| [EMAIL PROTECTED]                                           |
+-------------------------------------------------------------+
Problems with upgrade.
I just upgraded my SpamAssassin engine cluster from 2.61 to 3.0.1 and now I'm getting some spam slipping through because it didn't get processed. I did some testing with running GTUBE manually with spamc, and sometimes it kicks out the message immediately, not processed; other times it just hangs; and other times it does it correctly.. What's going on?

Thanks, Billy

+-------------------------------------------------------------+
| Billy Huddleston           Senior Systems Administrator     |
| Net-Express                http://www.nxs.net               |
| 114 Sherway Rd.            Voice: 865-691-2011              |
| Knoxville, TN 37922        Fax: 865-691-9894                |
| [EMAIL PROTECTED]                                           |
+-------------------------------------------------------------+