Re: Strange Issues.

2017-04-28 Thread Billy Huddleston

Also looks like the amount of incoming spam has doubled over the past few days.

Date        SPAM   Time      HAM    Time      TOTAL   Time
4/20/2017   3201   3.0757    2939   3.6116    6140    3.3322
4/21/2017   2797   4.1268    (HAM count and time garbled in source: 13.8863)   5478   3.9954
4/22/2017   2305   2.5721    1021   2.8219    3326    2.6487
4/23/2017   2123   4.7228     969   2.8914    3092    4.1489
4/24/2017   3154   3.9043    3065   9.6322    6219    6.7271
4/25/2017   6007  56.2347    4084  54.3506   10091   55.4722
4/26/2017   6125  41.8019    3933  34.9407   10058   39.119
4/27/2017   5777  32.6567    3772  20.0631    9549   27.682

As you can see, the total messages and spam messages increased on the 25th, which is when I started having these issues. I upgraded SA on the 26th. The time values are the average time to process the spam/ham, or the total average time.


Is there a new spam network out? Anyone else noticed a massive uptick in amount 
of spam coming in?

On 04/28/2017 10:04 AM, RW wrote:

On Thu, 27 Apr 2017 17:34:16 -0400
Billy Huddleston wrote:


Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U

It processed okay with spamassassin -t -D

That's probably because it's only doing one at a time. I suspect that
these spams are so CPU intensive that you would be CPU limited at 1
child process per core.

What I am seeing is that a considerable amount of that "
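The counts and average scan times in the table above are exactly what spamd's "result:" log lines carry per message (verdict, score, scantime=, size=). The following is an added example, not code from the thread: it parses such lines, rebuilds the per-day SPAM/HAM/TOTAL counts and average times, and lists the scans that exceeded a time threshold sorted by message size, which is the quickest way to see whether the slow scans cluster around one size the way the stuck 376k-377k messages did. The log lines embedded below are constructed for the example; the field layout follows spamd's standard "result:" record.

```python
"""Summarise spamd scan times per day and flag slow scans (added example)."""
import re
from collections import defaultdict

# Constructed sample lines: syslog prefix, then spamd's "result:" record.
SAMPLE_LOG = """\
Apr 24 10:01:02 mx spamd[1234]: spamd: result: Y 22 - BAYES_99,HTML_MESSAGE scantime=3.9,size=4120,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51000,mid=<a1@example.com>,autolearn=no
Apr 24 10:01:05 mx spamd[1235]: spamd: result: . -1 - BAYES_00 scantime=2.1,size=2048,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51001,mid=<a2@example.com>,autolearn=ham
Apr 25 09:00:00 mx spamd[1236]: spamd: result: Y 18 - BAYES_99,RAZOR2_CHECK scantime=56.2,size=376954,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51002,mid=<b1@example.com>,autolearn=no
Apr 25 09:00:30 mx spamd[1237]: spamd: result: Y 17 - BAYES_99 scantime=54.8,size=377102,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51003,mid=<b2@example.com>,autolearn=no
Apr 25 09:01:00 mx spamd[1238]: spamd: result: . 0 - HTML_MESSAGE scantime=2.6,size=3000,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51004,mid=<b3@example.com>,autolearn=no
"""

# Verdict is "Y" (spam) or "." (ham); the rule list is a single comma-joined token.
RESULT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) \S+ \S+ spamd\[\d+\]: spamd: result: "
    r"(?P<verdict>[Y.]) (?P<score>-?\d+) - \S+ scantime=(?P<scantime>[\d.]+),"
    r"size=(?P<size>\d+),"
)


def parse_results(log_text):
    """Yield one dict per spamd 'result:' line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            yield {
                "date": f"{m['mon']} {int(m['day']):02d}",
                "spam": m["verdict"] == "Y",
                "scantime": float(m["scantime"]),
                "size": int(m["size"]),
            }


def daily_summary(log_text):
    """Per day: spam/ham/total counts and mean scantime, like the hand-made table."""
    acc = defaultdict(lambda: {"spam": [], "ham": []})
    for r in parse_results(log_text):
        acc[r["date"]]["spam" if r["spam"] else "ham"].append(r["scantime"])

    def mean(xs):
        return round(sum(xs) / len(xs), 4) if xs else 0.0

    out = {}
    for date, v in acc.items():
        allt = v["spam"] + v["ham"]
        out[date] = {
            "spam": len(v["spam"]), "spam_time": mean(v["spam"]),
            "ham": len(v["ham"]), "ham_time": mean(v["ham"]),
            "total": len(allt), "total_time": mean(allt),
        }
    return out


def slow_scans(log_text, threshold):
    """Scans slower than threshold seconds, largest message first."""
    hits = [r for r in parse_results(log_text) if r["scantime"] > threshold]
    return sorted(hits, key=lambda r: r["size"], reverse=True)


if __name__ == "__main__":
    for date, row in sorted(daily_summary(SAMPLE_LOG).items()):
        print(date, row)
    for r in slow_scans(SAMPLE_LOG, 30):
        print("slow:", r)
```

Run it against the real syslog (`grep 'spamd: result:' /var/log/maillog`) and compare the per-day averages with the table; if every slow scan has about the same size, pull one of those messages and time it on its own with `spamassassin -t -D` to see which rule is burning the CPU.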




Re: Strange Issues.

2017-04-27 Thread Billy Huddleston

Link to the processed spam

http://pastebin.ca/3803856 <https://pastebin.ca/3803856>



On 04/27/2017 06:07 PM, Billy Huddleston wrote:

Info from top:

top - 18:05:17 up 517 days, 19:59,  3 users,  load average: 10.28, 10.45, 9.45
Tasks:  68 total,  10 running,  58 sleeping,   0 stopped,   0 zombie
Cpu(s): 84.0% us, 16.0% sy,  0.0% ni,  0.0% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:   2074920k total,  1595732k used,   479188k free,   211004k buffers
Swap:  1052248k total,0k used,  1052248k free,   809236k cached

Doesn't look like I'm swapping.

It's an older Intel(R) Xeon(TM) CPU 2.66GHz

I don't remember why the max-conn-per-child was set to 5.  I originally had 
--round-robin too. But, I've removed that.


On 04/27/2017 06:01 PM, Kevin A. McGrail wrote:

On 4/27/2017 5:34 PM, Billy Huddleston wrote:

Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U

It processed okay with spamassassin -t -D

Here is my spamd options

SPAMDOPTIONS="-d -u nobody -q -x -i 
-A192.168.2.3,192.168.1.3,192.168.1.2,127.0.0.1
--max-children=20 --max-conn-per-child=5 --timeout-child=150"

I did have the child timeout @ 300, and cut it in half hoping it would help..


The max-conn-per-child of 5 is low.  Did you have a reason to lower it?

Is the machine powerful enough with enough ram to actually run 20 children 
concurrently?  Are you swapping?

Regards,

KAM












Re: Strange Issues.

2017-04-27 Thread Billy Huddleston

Info from top:

top - 18:05:17 up 517 days, 19:59,  3 users,  load average: 10.28, 10.45, 9.45
Tasks:  68 total,  10 running,  58 sleeping,   0 stopped,   0 zombie
Cpu(s): 84.0% us, 16.0% sy,  0.0% ni,  0.0% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:   2074920k total,  1595732k used,   479188k free,   211004k buffers
Swap:  1052248k total,0k used,  1052248k free,   809236k cached

Doesn't look like I'm swapping.

It's an older Intel(R) Xeon(TM) CPU 2.66GHz

I don't remember why the max-conn-per-child was set to 5.  I originally had 
--round-robin too. But, I've removed that.


On 04/27/2017 06:01 PM, Kevin A. McGrail wrote:

On 4/27/2017 5:34 PM, Billy Huddleston wrote:

Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U

It processed okay with spamassassin -t -D

Here is my spamd options

SPAMDOPTIONS="-d -u nobody -q -x -i 
-A192.168.2.3,192.168.1.3,192.168.1.2,127.0.0.1
--max-children=20 --max-conn-per-child=5 --timeout-child=150"

I did have the child timeout @ 300, and cut it in half hoping it would help..


The max-conn-per-child of 5 is low.  Did you have a reason to lower it?

Is the machine powerful enough with enough ram to actually run 20 children 
concurrently?  Are you swapping?

Regards,

KAM








Re: Strange Issues.

2017-04-27 Thread Billy Huddleston

Okay, a copy of a spam is located at https://pastebin.com/gdCB9V6U

It processed okay with spamassassin -t -D

Here is my spamd options

SPAMDOPTIONS="-d -u nobody -q -x -i 
-A192.168.2.3,192.168.1.3,192.168.1.2,127.0.0.1
--max-children=20 --max-conn-per-child=5 --timeout-child=150"

I did have the child timeout @ 300, and cut it in half hoping it would help..


On 04/27/2017 04:43 PM, John Hardin wrote:

On Thu, 27 Apr 2017, Billy Huddleston wrote:


Hey Guys,

I just recently started having issues with spamd getting hung on emails. I've been seeing lots of emails with cont...@qq.com and other contact@... domains. I looked at a few of 
these messages and they all had this stuff in them..



Re: Strange Issues.

2017-04-27 Thread Billy Huddleston
Yes, I'm using spamc/spamd.  And it may, or may not, be that message.. but I've seen several of them just sit in my mail queue waiting on the spam check.. all have about the same 
msg size, 376k to 377k.


Let me grab one of these new ones and run spamassassin -t -D against it.

On 04/27/2017 04:35 PM, Kevin A. McGrail wrote:

On 4/27/2017 1:31 PM, Billy Huddleston wrote:
I just recently started having issues with spamd getting hung on emails. I've been seeing lots of emails with cont...@qq.com and other contact@... domains.  I looked at a few of 
these messages and they all had this stuff in them..



Strange Issues.

2017-04-27 Thread Billy Huddleston

Hey Guys,

I just recently started having issues with spamd getting hung on emails. I've been seeing lots of emails with cont...@qq.com and other contact@... domains.  I looked at a few of 
these messages and they all had this stuff in them..



Re: Question about v3.2.1 and SARE rules..

2007-07-18 Thread Billy Huddleston

Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xd5) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu1.cf, rule __SARE_OBFU_VISIT1, line 1, GEN42 line 64.

Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xcf) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu0.cf, rule SARE_OBFU_XANAX, line 1, GEN42 line 64.


Doc Schneider wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Billy Huddleston wrote:
  

I upgraded from 3.1.7 to 3.2.1 and started getting errors from
70_sare_obfu.cf rules set.. any one got any ideas on this?

Thanks, Billy

**



What are the errors?

- --

 -Doc

 Penguins: Do it on the ice.
   8:44am  up 4 days, 16:55, 17 users,  load average: 0.18, 0.30, 0.37

 SARE HQ  http://www.rulesemporium.com/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFGnlM+qOEeBwEpgcsRAhieAJ9+/oBIgmxG5BFcEhk3jQ/VFcyMawCfQ/Fr
IKmWuv4PQ83Xy3LeoZ+tRmQ=
=Cv1y
-END PGP SIGNATURE-


  


Re: New stock spam (2/14/07)

2007-02-14 Thread Billy Huddleston
Here is one I've been getting.. I use an older version of spambot, SARE, 
and Network tests.. to no avail..


http://www.pastebin.ca/356543

- Original Message - 
From: Brian Wilson [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Wednesday, February 14, 2007 9:37 PM
Subject: [SPAM] Re: New stock spam (2/14/07)




On Feb 14, 2007, at 8:48 PM, Giampaolo Tomassoni wrote:


From: Quinn Comendant [mailto:[EMAIL PROTECTED]


On Thu, 15 Feb 2007 01:18:46 +0100, Giampaolo Tomassoni wrote:

I think SARE and some network tests are even better (scores 11.5  with
my surprising Bayes :)


I agree, mine scored it in a similar way:

Content analysis details:   (11.5 points, 4.9 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs
some mails
 0.8 SARE_LWSHORTT  BODY: SARE_LWSHORTT
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE   BODY: HTML included in message
 3.5 BAYES_99   BODY: Bayesian spam probability is 99  to 
100%

[score: 1.]


Nah! You cheat! Bayes did already learn this message, right? :)

Giampaolo



Then we both cheated:

(no previous learns on this one that I'm aware of)

score=13.8 required=4.5
*  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain  signs 
some mails

*  2.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.7,ip=211.48.218.5,maildomain=amante.ro,nordns]
*  0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
*  1.7 SARE_PROLOSTOCK_SYM3 BODY: Last week's hot stock scam
*  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  4.2 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in 
bl.spamcop.net
*  [Blocked - see http://www.spamcop.net/bl.shtml? 
211.48.218.5]

*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  [211.48.218.5 listed in zen.spamhaus.org]







Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-08 Thread Billy Huddleston
Question: how can we avoid tagging messages that are sent to our server from 
a remote connection if they use authenticated SMTP?


Example: I have a user who is on a different network, using my mail server, 
so I let them in via authenticated SMTP; every message they send gets tagged 
because of Bot Net or Relay Checker..


Thanks, Billy

- Original Message - 
From: decoder [EMAIL PROTECTED]

To: John Rudd [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Friday, December 08, 2006 5:03 AM
Subject: Re: Botnet 0.6 plugin for Spam Assassin availabile



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


John Rudd wrote:

Michael Schaap wrote:

John Rudd wrote:


The next version of the Botnet plugin for Spam Assassin is
ready. The install instructions are in the Botnet.txt file, and
in the INSTALL file.



Great work!



To Do before 1.0:

(...)



There's another thing that would be really nice to have.  You
know how the DNS rules' descriptions specify what actually
matches?  e.g.:

3.9 RCVD_IN_XBLRBL: Received via a relay in Spamhaus
XBL [12.34.56.789 listed in sbl-xbl.spamhaus.org] 1.6 URIBL_SBL
Contains an URL listed in the SBL blocklist [URIs: example.com]

It would be great if Botnet could do something similar, like:

2.0 BOTNET The submitting mail server looks like
part of a Botnet [ip=12.34.56.789 rdns=dhcp12.34.example.org]



Any tips on how to do that? :-}

Have a look at the FuzzyOcr plugin, especially on Scoring.pm in the
SVN, found here:

http://fuzzyocr.own-hero.net/browser/trunk/devel/FuzzyOcr/Scoring.pm

In each of the functions, the mail is scored with a different rule, a
custom score and a custom description which is generated there.

That should be enough for you to reproduce that :)


Chris


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFeTiMJQIKXnJyDxURAicaAJ9n5XdSIpvWXrz3W4w2DtKmbiQ82ACgvyAB
ywuRctN/qak0u61idiMFw5o=
=obGb
-END PGP SIGNATURE-





New Spam

2006-11-17 Thread Billy Huddleston
I'm getting some new spam coming through.. It's ASCII art (using nothing but 
numbers) and spells out TORA.08 and nothing else..

It looks to be coming from a Bot-Net..  Anyone seen this?

Thanks, Billy

Re: I've got TORA.08 spelled with numbers?

2006-11-17 Thread Billy Huddleston
So, here is a question...  Why spam everyone with TORA.08, I don't even know 
what the heck that means!!!



- Original Message - 
From: Evan Platt [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Friday, November 17, 2006 10:48 AM
Subject: Re: I've got TORA.08 spelled with numbers?



At 07:44 AM 11/17/2006, you wrote:

I'm getting a bunch of spams this morning that have
TORA.08 spelled out with numbers like this.

4216775   0611576   215556 7 3308011   3258576
   6  7 5   153 85 2   7 3
   8  3 6   50   4   1   2 7   0 5
   7  2 2   257873  5 7  4 1   3387715
   6  2 5   7  1   111500075 8 6   2 2
   8  2 2   7   7  3   2   656   0 3   0 8
   0  6430533   44 8   6   207   5412501   7637213


Does anybody know what this is about.


Got 2 also.

Wasn't there a stock image spam with TORA.TORA or something?





Re: I've got TORA.08 spelled with numbers?

2006-11-17 Thread Billy Huddleston

Will that not get legit mail from someone sending via Microsoft Outlook ?

- Original Message - 
From: Justin Mason [EMAIL PROTECTED]

To: Billy Huddleston [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Friday, November 17, 2006 11:10 AM
Subject: Re: I've got TORA.08 spelled with numbers?




this seems to catch them:

header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header __MOLE_2962      X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/

meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962)

--j.

Billy Huddleston writes:
So, here is a question...  Why spam everyone with TORA.08, I don't even 
know

what the heck that means!!!


- Original Message - 
From: Evan Platt [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Friday, November 17, 2006 10:48 AM
Subject: Re: I've got TORA.08 spelled with numbers?


 At 07:44 AM 11/17/2006, you wrote:
I'm getting a bunch of spams this morning that have
TORA.08 spelled out with numbers like this.

4216775   0611576   215556 7 3308011   3258576
6  7 5   153 85 2   7 3
8  3 6   50   4   1   2 7   0 5
7  2 2   257873  5 7  4 1   3387715
6  2 5   7  1   111500075 8 6   2 2
8  2 2   7   7  3   2   656   0 3   0 8
0  6430533   44 8   6   207   5412501   7637213


Does anybody know what this is about.

 Got 2 also.

 Wasn't there a stock image spam with TORA.TORA or something?







Re: RelayChecker 0.3

2006-11-16 Thread Billy Huddleston
I wouldn't consider those false positives.. Just incorrectly configured 
/administrated servers.. Reverse DNS is a must. I'm surprised at how many 
people still haven't got that yet in the IT world.. (Consultants mostly..)


Thanks, Billy

- Original Message - 
From: Derek Harding [EMAIL PROTECTED]

To: John Rudd [EMAIL PROTECTED]
Cc: SpamAssassin Users users@spamassassin.apache.org
Sent: Thursday, November 16, 2006 8:56 PM
Subject: Re: RelayChecker 0.3



On Sun, 2006-11-12 at 17:26 -0800, John Rudd wrote:


http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar


I've been running this for a few days now and am finding it to be pretty
effective, especially against the bots that are producing all the image
spam.

Currently it's running about 87.55% hit rate with only two false
positives so far (one a company on adsl, the other a mail server with no
reverse DNS).

Thanks,

Derek






Re: R: R: R: Relay Checker Plugin (code review please?)

2006-11-05 Thread Billy Huddleston
I like the ability to give individual scores to the various tests...  Per my 
patch..  Allows for minor tweaking for each kind of issue.


- Original Message - 
From: John Rudd [EMAIL PROTECTED]

To: Nix [EMAIL PROTECTED]
Cc: Andreas Pettersson [EMAIL PROTECTED]; Steven Dickenson 
[EMAIL PROTECTED]; Giampaolo Tomassoni [EMAIL PROTECTED]; 
users@spamassassin.apache.org

Sent: Sunday, November 05, 2006 1:57 PM
Subject: Re: R: R: R: Relay Checker Plugin (code review please?)



Nix wrote:

On 1 Nov 2006, Andreas Pettersson stated:


Steven Dickenson wrote:
I can't agree with this.  Many small businesses in the US get just 
these kind of static connections from broadband ISPs.
Comcast, for  example, has all of their static customers using rDNS 
that would fail  your tests, and they refuse to set up a

custom PTR record or delegate  the record to someone else.
I disagree on your disagreement. This is my opinion: If you don't have 
control over your rDNS, do NOT run any mail server, unless

you relay all outbound mail through a server at your ISP.


What if you don't *have* a server at your ISP that you can relay your
mail through, because your ISP expects you to send mail directly from
your own mailserver?

What if your ISP provides a server but it is horrifically unreliable?


In those two cases:  Go to a service that hosts web/email servers under 
your custom domain, and relay through your own hosted server.  They exist. 
Some of them aren't expensive at all.




Most of these static customers are legitimate business networks
running their own mail server, and have neither the need nor desire
to relay their mail through Comcast's SMTP servers.  I think your
general idea is very good, but you're reaching a little too far with
this one.

'No need nor desire', that's not really any good excuse. Use a relay
or find your mail rejected, I'd say.


Charming. They're not spammers, but you want to punish them as if they
were, because reality makes your tests too complicated.


Punishing them would be blocking them outright.  Quarantining them is 
merely recognizing that they haven't obtained a class of service that 
would indicate a well configured and well maintained email server, as 
opposed to a fly-by-night or rinky-dink operation running on a 
bottom-feeder ISP's network ... characteristics that would indicate that 
the ISP is careless and not diligent, or that their customers have no care 
nor concern about their quality of service, either one making it more 
likely that I am dealing with a spambot or an open-relay.  So, I make them 
jump through an extra hoop in order to get through to me. That extra hoop 
is either a) going through my quarantine process, or b) paying for a 
hosted service with proper RDNS.  Either don't look like part of a 
botnet or accept being in my quarantine all of the time.


It is not my obligation to accept nor view every email that hits my 
server.  It is my prerogative to establish whatever hurdles I want to in 
getting through to my email inbox.  It's not punishment, as punishment 
implies that I am removing your rights or privileges ... which doesn't 
apply, because you have no rights nor privileges with regard to my inbox. 
And, the fact is, the people you're trying to raise as a counter-case, are 
not only such a minority that they aren't on my radar, they're such a 
minority that they don't exist at all in my 15 months of experience in 
doing these checks.


Every sender which has connected to my machines, without being on my own 
subnet, nor performing SMTP-AUTH, and without passing these checks, has 
been sending spam or a virus.  Without exception.



I realize that not everyone else is going to have the same experience with 
their email traffic that I do, which is why I'm making the plugin ever 
more flexible.  First, I set a preference for just skipping some tests. 
Then, last night, I removed the hard-coded dynhostname and clienthostname 
checks.  Now there's a keyword check, with the keywords used being 
supplied in the cf file.  So, each site can set their own keyword 
requirement ... or leave it blank and skip that check entirely. (I haven't 
released this new code yet)
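The relay checks argued over in this thread (no PTR record, PTR name that does not resolve, PTR name that resolves but not back to the connecting IP, IP address embedded in the hostname, and the dynamic-looking keyword list) are easy to get wrong at the edges, and the per-check scoring from the patch changes what a "hit" means. What follows is an added example, not the RelayChecker plugin's own code: it reimplements the five checks against a stub resolver so it runs offline, nested the same way the plugin nests them (the hostname checks only run once forward and reverse DNS agree), and scores them as the patch does, each failed check contributing its own weight plus a base score added once. The PTR/A tables, IPs and hostnames are constructed; the keyword regex is the one quoted in the thread. The IP-in-hostname test goes beyond the quoted check in also accepting the octets in reverse order and the address as eight hex digits.

```python
"""RelayChecker-style relay checks with per-check scores (added example)."""
import re

# Defaults mirror the patch: five checks at 1 each, plus a base of 4 on any hit.
DEFAULT_SCORES = {"base": 4.0, "nordns": 1.0, "badrdns": 1.0,
                  "baddns": 1.0, "ipinhostname": 1.0, "dynhostname": 1.0}

# Dynamic/client-looking hostname keywords, as quoted from the plugin.
DYN_RE = re.compile(
    r"(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+$")

# Constructed stub DNS: PTR (ip -> name) and A (name -> [ips]). Not real hosts.
PTR = {
    "192.0.2.10": "mail.example.com",            # clean
    "192.0.2.20": "ghost.example.net",           # PTR name has no A record
    "192.0.2.30": "mx.example.org",              # A record points elsewhere
    "192.0.2.40": "192-0-2-40.dsl.example.isp",  # ip in name + dynamic keyword
}
A = {
    "mail.example.com": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.5"],
    "192-0-2-40.dsl.example.isp": ["192.0.2.40"],
}


def ip_in_hostname(ip, hostname):
    """True if the address appears in the name as decimal octets (either order,
    any non-digit separators) or as one run of eight hex digits."""
    octets = ip.split(".")
    h = hostname.lower()

    def dec_pattern(parts):
        return r"(?<!\d)" + r"[^0-9]+".join(parts) + r"(?!\d)"

    hexs = "".join("%02x" % int(o) for o in octets)
    return (re.search(dec_pattern(octets), h) is not None
            or re.search(dec_pattern(octets[::-1]), h) is not None
            or hexs in h)


def relay_checks(ip, ptr=PTR, a=A):
    """Return the set of failed check names for an untrusted relay IP,
    nested the way the plugin nests them."""
    failed = set()
    hostname = ptr.get(ip)
    if hostname is None:
        failed.add("nordns")            # no PTR record at all
    else:
        addrs = a.get(hostname)
        if addrs is None:
            failed.add("badrdns")       # PTR name does not resolve
        elif ip not in addrs:
            failed.add("baddns")        # PTR name resolves, but not to this ip
        else:
            # forward and reverse agree; now judge the name itself
            if ip_in_hostname(ip, hostname):
                failed.add("ipinhostname")
            if DYN_RE.search(hostname):
                failed.add("dynhostname")
    return failed


def relay_score(ip, scores=DEFAULT_SCORES, ptr=PTR, a=A):
    """Sum the weights of failed checks; add the base once if anything failed.
    Returns (score, sorted list of failed check names)."""
    failed = relay_checks(ip, ptr, a)
    total = sum(scores[name] for name in failed)
    if total:
        total += scores["base"]
    return round(total, 4), sorted(failed)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "203.0.113.9"):
        print(ip, relay_score(ip))
```

Note what the scoring model implies: because a failed check is represented by its weight, configuring a weight of 0 makes that check invisible (no base score either), so a site that wants "check but do not count" needs a separate flag; the example keeps the set of failed names for that reason.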







Re: Relay Checker Plugin (code review please?)

2006-11-02 Thread Billy Huddleston

I've attached the patch file this time.. give it a go..

Use this command to patch your file.

patch < RelayChecker.patch

and it should work..  This is just the patch for the .pm file.. the other 
one was simply adding in the default score values..


Thanks, Billy

- Original Message - 
From: Dylan Bouterse [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 11:28 PM
Subject: RE: Relay Checker Plugin (code review please?)


I did a couple of times. :(


-Original Message-
From: Billy Huddleston [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 01, 2006 9:20 PM
To: Dylan Bouterse; users@spamassassin.apache.org
Subject: Re: Relay Checker Plugin (code review please?)

You may want to download new RelayChecker.pm file...  you may have messed it
up previously..

 If you still have problems let me know..

- Original Message -
From: Dylan Bouterse [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 6:39 PM
Subject: RE: Relay Checker Plugin (code review please?)


 -Original Message-
 From: John D. Hardin [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 01, 2006 5:05 PM
 To: Dylan Bouterse
 Cc: users@spamassassin.apache.org
 Subject: RE: Relay Checker Plugin (code review please?)

 On Wed, 1 Nov 2006, Dylan Bouterse wrote:

  # header    RELAY_CHECKER   eval:relay_checker()
  # describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.
  to:
 if ($nordns) {
 
  and when I run --lint I get the following errors:
 
  /etc/mail/spamassassin/RelayChecker.pm line 44, near 27 @@

 ...how exactly did you apply the patch? From the contents of that
 error message it looks like you just inserted the patch text into the
 source file...

 Take a look at man patch.

 (Sorry if you did do that, but that error message is really suggestive
 of improper procedure.)


I have never used the patch command and was not aware of it. Thank you
for pointing me in the right direction. I was able to patch my
RelayChecker.cf file using the patch command and the provided patch for
that file but I am getting errors when trying to patch the
RelayChecker.pm file.

[EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch
RelayChecker.pm
missing header for unified diff at line 3 of patch
patching file RelayChecker.pm
Hunk #3 succeeded at 102 with fuzz 1.
missing header for unified diff at line 77 of patch
can't find file to patch at input line 77
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--
|   if (! defined($name)) {
|  # the PTR record leads to a host that doesn't resolve in

DNS

|  Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns);
|- $badrdns = 1;
|+ $badrdns = $badrdns_score;
|  }
|   else {
|  Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is
$name); @@ -96,7 +123,7 @@
| # the hostname in the PTR record does resolve, but that
hostname
| # doesn't have $ip as one of its IP addresses
| Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns);
|-$baddns = 1;
|+$baddns = $baddns_score;
| }
|  else {
| ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets @@
-124,7 +151,7 @@
|# in hex or decimal form ... or the entire thing in
decimal
|# probably a spambot since this is an untrusted relay
|Mail::SpamAssassin::Plugin::dbg(RelayChecker:
ipinhostname);
|-   $ipinhostname = 1;
|+   $ipinhostname = $ipinhostname_score;
|}
| if ($hostname =~
|


/(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+

$/
--


RelayChecker.patch
Description: Binary data


Re: Relay Checker Plugin (code review please?)

2006-11-01 Thread Billy Huddleston

Attached is patch to allow scores to be done in the .cf file

--- RelayChecker.pm 2006-10-30 18:02:28.0 -0500
+++ ../RelayChecker.pm  2006-11-01 15:36:53.0 -0500
@@ -31,6 +31,12 @@
# headerRELAY_CHECKER   eval:relay_checker()
# describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.

+our $base_score = 4;
+our $nordns_score = 1;
+our $badrdns_score = 1;
+our $baddns_score = 1;
+our $ipinhostname_score = 1;
+our $dynhostname_score = 1;

sub new {
   my ($class, $mailsa) = @_;
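Review bot: the six weights added here are `our` package globals rather than fields on the Conf object, so they are process-wide, not per-configuration: whichever file the parser reads last wins, and if one of these keys ever appears in a per-user prefs file the value sticks for every message that spamd child handles afterwards. Store them on `$opts->{conf}` in parse_config (and check `$opts->{user_config}` there if they are meant to be site-only), then read them back from `$pms->{conf}` in relay_checker. Separately, `our $base_score = 4;` sets a default that the .cf half of this same patch overrides with 1.4; one of the two should change so the behaviour does not depend on which file was installed.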
@@ -44,6 +50,27 @@
   return $self;
   }

+sub parse_config {
+my ( $self, $opts ) = @_;
+   if ( $opts-{key} eq rc_base_score ) {
+$base_score = $opts-{value};
+   }
+   elsif ( $opts-{key} eq rc_nordns_score ) {
+$nordns_score = $opts-{value};
+   }
+   elsif ( $opts-{key} eq rc_badrdns_score ) {
+$badrdns_score = $opts-{value};
+   }
+   elsif ( $opts-{key} eq rc_baddns_score ) {
+$baddns_score = $opts-{value};
+   }
+   elsif ( $opts-{key} eq rc_ipinhostname_score ) {
+$ipinhostname_score = $opts-{value};
+   }
+   elsif ( $opts-{key} eq rc_dynhostname_score ) {
+$dynhostname_score = $opts-{value};
+   }
+}

sub relay_checker {
   my ($self, $pms) = @_;
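Review bot: parse_config recognises the rc_* keys but never claims them: a SpamAssassin plugin should call `$self->inhibit_further_callbacks()` and return 1 once it has handled an option, otherwise the config parser carries on and reports `rc_base_score 1.4` as an unknown option under --lint. The values are also stored unvalidated; `$base_score = $opts->{value};` will accept any string, which only fails later in the `$score += $base_score` arithmetic, so test the value with something like `/^-?\d+(\.\d+)?$/` and reject the line if it does not match. As rendered here the arrow in `$opts-{key}` and the quotes around `rc_base_score` and friends are missing; if the attached file really reads that way it will not compile under strict, so confirm the attachment is intact rather than the mail-wrapped copy.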
@@ -75,7 +102,7 @@
   if (! defined($hostname)) {
  # the IP address doesn't have a PTR record
  Mail::SpamAssassin::Plugin::dbg(RelayChecker: nordns);
-  $nordns = 1;
+  $nordns = $nordns_score;
  }
   else {
  ($name, $aliases, $addrtype, $length, @addrs) = 
gethostbyname($hostname);

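Review bot: `$nordns = $nordns_score;` makes one variable serve as both the check's flag and its weight, and the `if ($nordns)` at the end of the last .pm hunk still treats it as a flag. Two consequences: a site that sets `rc_nordns_score 0` silently drops the check from the description (and from the total), and a negative value still counts as a hit while lowering the score. Either keep a boolean per check and multiply in the weight when summing, or state in the .cf that 0 disables a check and refuse negative values in parse_config. The same applies to the badrdns, baddns, ipinhostname and dynhostname hunks that follow.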
@@ -83,7 +110,7 @@
  if (! defined($name)) {
 # the PTR record leads to a host that doesn't resolve in DNS
 Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns);
- $badrdns = 1;
+ $badrdns = $badrdns_score;
 }
  else {
 Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is $name);
@@ -96,7 +123,7 @@
# the hostname in the PTR record does resolve, but that 
hostname

# doesn't have $ip as one of its IP addresses
Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns);
-$baddns = 1;
+$baddns = $baddns_score;
}
 else {
($a, $b, $c, $d) = split(/\./, $ip); # decimal octets
@@ -124,7 +151,7 @@
   # in hex or decimal form ... or the entire thing in decimal
   # probably a spambot since this is an untrusted relay
   Mail::SpamAssassin::Plugin::dbg(RelayChecker: 
ipinhostname);

-   $ipinhostname = 1;
+   $ipinhostname = $ipinhostname_score;
   }
if ($hostname =~
  /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+$/
@@ -136,7 +163,7 @@
   # hostname contains words that look dynamic
   # probably a spambot since this is an untrusted relay
   Mail::SpamAssassin::Plugin::dbg(RelayChecker: 
dynhostname);

-   $dynhostname = 1;
+   $dynhostname = $dynhostname_score;
   }

} # found ip addr
@@ -145,7 +172,7 @@

   $score = $nordns + $badrdns + $baddns + $ipinhostname + $dynhostname;
   if ($score) {
-  $score += 4;
+  $score += $base_score;
  my $description = $pms-{conf}-{description}-{RELAY_CHECKER};

  if ($nordns) {


--- RelayChecker.cf 2006-10-30 18:02:28.0 -0500
+++ ../RelayChecker.cf  2006-11-01 15:38:30.0 -0500
@@ -7,4 +7,9 @@
loadplugin  RelayCheckerRelayChecker.pm
header  RELAY_CHECKER   eval:relay_checker()
describeRELAY_CHECKER   Check relay for DNS/Hostname issues
-
+rc_base_score  1.4
+rc_nordns_score1
+rc_badrdns_score   1
+rc_baddns_score1
+rc_ipinhostname_score  1
+rc_dynhostname_score   1
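Review bot: `rc_base_score 1.4` changes the base from the 4 the original code added (and the 4 the module default in the .pm hunk still uses), so every site applying this .cf gets a different RELAY_CHECKER score on upgrade without the diff saying why. Either keep 4 here or note the change. The six new lines are also undocumented; a comment above them stating that the per-check values are summed and the base added once when any check fails would keep the next reader out of the .pm.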







- Original Message - 
From: Andreas Pettersson [EMAIL PROTECTED]

To: Steven Dickenson [EMAIL PROTECTED]
Cc: John Rudd [EMAIL PROTECTED]; Giampaolo Tomassoni 
[EMAIL PROTECTED]; users@spamassassin.apache.org

Sent: Wednesday, November 01, 2006 12:11 PM
Subject: Re: R: R: R: Relay Checker Plugin (code review please?)



Steven Dickenson wrote:


On Oct 31, 2006, at 6:09 AM, John Rudd wrote:

I've considered the exact opposite (adding static to the check for 
keywords).  My rules are really looking more for is this a  _client_ 
host, not is this a dynamic host.  That one check looks  for 
dynamic, but I'm not interested in exempting anyone because  they're 
static.  They've still got a hostname that looks like an  end-client, 
and an end-client shouldn't be connecting to other  people's mail 
servers.  Any end-client that connects to someone  else's email server 
should be treated like it's a spam/virus zombie



I can't agree with this.  Many small businesses in the US get just  these 
kind of static connections from broadband ISPs.  Comcast, for  example, 
has all of their static customers using rDNS that would fail  your tests, 
and they refuse to set up a custom PTR 

Re: Relay Checker Plugin (code review please?)

2006-11-01 Thread Billy Huddleston
You may want to download new RelayChecker.pm file...  you may have messed it 
up previously..


If you still have problems let me know..

- Original Message - 
From: Dylan Bouterse [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 6:39 PM
Subject: RE: Relay Checker Plugin (code review please?)



-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 01, 2006 5:05 PM
To: Dylan Bouterse
Cc: users@spamassassin.apache.org
Subject: RE: Relay Checker Plugin (code review please?)

On Wed, 1 Nov 2006, Dylan Bouterse wrote:

 # header    RELAY_CHECKER   eval:relay_checker()
 # describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.
 to:
if ($nordns) {

 and when I run --lint I get the following errors:

 /etc/mail/spamassassin/RelayChecker.pm line 44, near 27 @@

...how exactly did you apply the patch? From the contents of that
error message it looks like you just inserted the patch text into the
source file...

Take a look at man patch.

(Sorry if you did do that, but that error message is really suggestive
of improper procedure.)



I have never used the patch command and was not aware of it. Thank you
for pointing me in the right direction. I was able to patch my
RelayChecker.cf file using the patch command and the provided patch for
that file but I am getting errors when trying to patch the
RelayChecker.pm file.

[EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch
RelayChecker.pm
missing header for unified diff at line 3 of patch
patching file RelayChecker.pm
Hunk #3 succeeded at 102 with fuzz 1.
missing header for unified diff at line 77 of patch
can't find file to patch at input line 77
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--
|   if (! defined($name)) {
|  # the PTR record leads to a host that doesn't resolve in DNS
|  Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns);
|- $badrdns = 1;
|+ $badrdns = $badrdns_score;
|  }
|   else {
|  Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is
$name); @@ -96,7 +123,7 @@
| # the hostname in the PTR record does resolve, but that
hostname
| # doesn't have $ip as one of its IP addresses
| Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns);
|-$baddns = 1;
|+$baddns = $baddns_score;
| }
|  else {
| ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets @@
-124,7 +151,7 @@
|# in hex or decimal form ... or the entire thing in
decimal
|# probably a spambot since this is an untrusted relay
|Mail::SpamAssassin::Plugin::dbg(RelayChecker:
ipinhostname);
|-   $ipinhostname = 1;
|+   $ipinhostname = $ipinhostname_score;
|}
| if ($hostname =~
|
/(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+
$/
--



SA Webmail Portal

2006-10-17 Thread Billy Huddleston



Anyone developed a webmail portal for Spamassassin? 
What I mean by this is.. some sort of webmail which only has a spam folder so 
people can see their spam.. anything else passes on through.. I'm running 
SA in two manners.. One of which is going directly to my pop server and tags all 
the spam.. and my pop server files stuff away accordingly.. but, I'm also 
providing spam tagging services for other customers.. who are now requesting 
that they not get the spam, but have a webmail portal page similar to 
Postini's (also a nice place to adjust their scores)

Thanks, Billy




Re: SA Webmail Portal

2006-10-17 Thread Billy Huddleston
Okay, so next question.. might be totally off topic for SA.. How can I 
make the front-end mail server know if an email address exists on the backend 
server.. Example.. I use qmail on my front-end..  I don't like receiving 
tons of invalid emails just to turn around and attempt to deliver bounces 
that could possibly be going to honeypots or servers that don't take mail 
etc..  I solved this on my own domain by using an SMTP VRFY script that 
checks against my backend mail server.. but since the other domains don't 
have mailboxes on my back-end server and it is only set up to relay their mail, 
it blindly accepts EVERYTHING for them..  any suggestions?


Thanks, Billy

- Original Message - 
From: Jo Rhett [EMAIL PROTECTED]

To: Chris St. Pierre [EMAIL PROTECTED]
Cc: Billy Huddleston [EMAIL PROTECTED]; users@spamassassin.apache.org
Sent: Tuesday, October 17, 2006 2:31 PM
Subject: Re: SA Webmail Portal



Chris St. Pierre wrote:

Remember, SA doesn't filter, file, deliver, or anything else.  You can
use it to munge the message, but anything else is up to other software
-- in this case, probably your IMAP server.


Not entirely true.   These options change the delivery address.  If you 
use these and also virtusertable, you could deliver tagged mail to a 
different location.


## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing'
## (amavisd-new amavisd.conf; the commented-out lines are the defaults, i.e. off)
# $recipient_delimiter = undef;          # e.g. '+' to deliver spam as user+spam@domain
# $replace_existing_extension = 1;       # overwrite an extension the sender already used
# $addr_extension_virus  = undef;        # e.g. 'virus'
# $addr_extension_banned = undef;        # e.g. 'banned'
# $addr_extension_spam   = undef;        # e.g. 'spam'
# $addr_extension_bad_header = undef;    # e.g. 'badh'
# @addr_extension_virus_maps  = (\$addr_extension_virus);
# @addr_extension_banned_maps = (\$addr_extension_banned);
# @addr_extension_spam_maps   = (\$addr_extension_spam);
# @addr_extension_bad_header_maps = (\$addr_extension_bad_header);




--
Jo Rhett
Network/Software Engineer
Net Consonance





Re: How to filter these spam messages

2006-10-16 Thread Billy Huddleston

Yup.. and it sucks.. I get a 10 minute delay, and my phone starts ringing
off the hook.  I've had to beef up our spamassassin engines at least 3 times
in the past 18 months to handle the load..  and now getting these stupid
text only 3 or 4 line emails that are very difficult to block.. Greylisting
just isn't an option that I'm willing to do if it's simply refusing to take
delivery of the message on the first go around..

Thanks, Billy

- Original Message - 
From: Jo Rhett [EMAIL PROTECTED]

To: Logan Shaw [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Monday, October 16, 2006 2:47 PM
Subject: Re: How to filter these spam messages



Logan Shaw wrote:

I guess the problem with being an ISP is that there would be
other ISPs who would be willing to not try to adjust their
expectations and instead promise them super-speedy e-mail
delivery in all cases.  The fact that it isn't possible to
deliver on that promise might not matter if they still manage
to take away your customers.  :-)


Exactly so.  At an ISP I did some work for, I used to argue this until 
people very reasonably pointed out that yahoo mail got delivered faster, 
and it was free.


Yahoo averages ~2 minutes for mail delivery.  That sets the bar for anyone 
who is trying to sell their mail services.


--
Jo Rhett
Network/Software Engineer
Net Consonance





Re: How to filter these spam messages

2006-10-15 Thread Billy Huddleston

Yea, I was getting ready to post about the same kind of spam..  Very
obnoxious. Any ideas?

- Original Message - 
From: Simon [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Sunday, October 15, 2006 2:29 PM
Subject: How to filter these spam messages



Hello,

I'm trying to figure out what to do to filter these spam messages. I can't
seem to find a ruleset which would filter them. Perhaps I need to change
something in my configuration? Any help would be appreciated, thanks!

Here are the latest spam I'm receiving:

http://optinet.com/spam.txt

My config is pretty much default and I have few extra rulesets from 
rulesemporium


Thanks,
Simon






Re: How to filter these spam messages

2006-10-15 Thread Billy Huddleston

Someone want to explain Greylisting?

- Original Message - 
From: Micke Andersson [EMAIL PROTECTED]

To: Simon [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Sunday, October 15, 2006 3:50 PM
Subject: Re: How to filter these spam messages



Try Greylisting if you are admin on your own e-mail server!
That will filter most of those e-mails.

/Micke

Simon wrote:

Hello,

I'm trying to figure out what to do to filter these spam messages. I can't
seem to find a ruleset which would filter them. Perhaps I need to change
something in my configuration? Any help would be appreciated, thanks!
Here are the latest spam I'm receiving:

http://optinet.com/spam.txt

My config is pretty much default and I have few extra rulesets from 
rulesemporium


Thanks,
Simon








Re: How to filter these spam messages

2006-10-15 Thread Billy Huddleston
Won't work for my use.. Running SA for ISP..  Way too many people.. Way too 
much volume..  People upset at the time delays already.. which are under 2 - 
10 minutes.. Go Figure.


- Original Message - 
From: John Thompson [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Sunday, October 15, 2006 10:59 PM
Subject: Re: How to filter these spam messages



On 2006-10-15, Michael Scheidell [EMAIL PROTECTED] wrote:


Billy Huddleston wrote:


Someone want to explain Greylisting?



It delays any email for up to 45 mins.
If the sender is running a REAL server[sic] like aol or yahoo, it will
retry it.

Ok if you don't mind waiting a long time for email.


The latest versions of milter-greylist for sendmail allow you to fine
tune greylisting on a per-user basis. My wife doesn't want to wait for
her email, and has a small enough internet footprint that she doesn't
get much spam anyway, so I put no delay on her account. My daughter and
me, OTOH, get tons of spam and are willing to wait 30 minutes for
delivery if it means less spam. Seems to work well here, anyway.

--

John ([EMAIL PROTECTED])
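The mechanism Micke, Michael and John are describing, as an added example that is not part of the thread and not milter-greylist code: a first-time triplet of (client network, envelope sender, recipient) is answered with a 450 and remembered; a real MTA retries after a few minutes and is let through once the delay has passed, while most spam senders never come back. The per-recipient delay table mirrors John's per-user tuning (no delay for one account, a long one for another) and is constructed for this example, as are the TTLs; keying the client by /24 is a design choice here, not something the thread specifies.

```python
"""Greylisting with a per-recipient delay (added example, not from the thread).

Policy table, TTLs and the /24 client key are constructed choices for this
example. check() is what an MTA policy hook would call at RCPT TO time.
"""
import ipaddress
import time

# Constructed policy: seconds a first-time triplet must wait; 0 turns greylisting off.
PER_RECIPIENT_DELAY = {
    "wife@example.net": 0,         # wants mail immediately, gets little spam
    "john@example.net": 30 * 60,   # willing to wait half an hour for less spam
}
DEFAULT_DELAY = 5 * 60             # everyone else: 5 minutes
RETRY_WINDOW = 8 * 60 * 60         # forget a triplet that was never retried within 8h
WHITELIST_TTL = 36 * 24 * 3600     # keep a triplet that has passed for 36 days


def _client_key(client_ip):
    """/24 for IPv4, /64 for IPv6: large senders often retry from a neighbouring
    outbound host, and a per-address key would make them wait again."""
    addr = ipaddress.ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class Greylist:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._db = {}                # triplet -> (first_seen, last_seen, passed)

    def check(self, client_ip, sender, recipient):
        """Return (smtp_code, text) for this RCPT TO."""
        now = self._clock()
        delay = PER_RECIPIENT_DELAY.get(recipient.lower(), DEFAULT_DELAY)
        if delay == 0:
            return 250, "2.1.5 Ok (greylisting disabled for recipient)"
        key = (_client_key(client_ip), sender.lower(), recipient.lower())
        entry = self._db.get(key)
        if entry is not None:
            first, last, passed = entry
            # A passed triplet expires when unused; an unpassed one when never retried.
            stale = (now - last > WHITELIST_TTL) if passed else (now - first > RETRY_WINDOW)
            if stale:
                entry = None
        if entry is None:
            self._db[key] = (now, now, False)
            return 450, "4.2.0 Greylisted, please try again later"
        first, last, passed = entry
        if passed or now - first >= delay:
            self._db[key] = (first, now, True)
            return 250, "2.1.5 Ok"
        self._db[key] = (first, now, False)
        return 450, "4.2.0 Greylisted, please try again later"


if __name__ == "__main__":
    g = Greylist()
    print(g.check("203.0.113.10", "sender@example.com", "john@example.net"))
    print(g.check("203.0.113.10", "sender@example.com", "wife@example.net"))
```

The cost Billy objects to is visible in the code: the delay is paid by every new legitimate correspondent, not only by spammers, and only senders that honour a 4xx by retrying ever get through. The per-recipient table is the knob John uses to make that trade-off per mailbox rather than per site.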





URI's and geocities subwebs..

2006-01-04 Thread Billy Huddleston



Is there a way to get the URI's to look at stuff like 
this?? I'm seeing more and more spam with these kinds of things in them to 
get by URI detection..

http://asia.geocities.com/april19781matt1487

Thanks, Billy
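Why a geocities subweb slips past URI detection, and one way to key a lookup so it does not, as an added example that is not SpamAssassin code: a domain-keyed URI lookup reduces http://asia.geocities.com/april19781matt1487 to geocities.com, which is shared by every user of that host and so can never be listed. For hosts where the path rather than the domain identifies the owner, the key below keeps the first path segment. The shared-host set, the blocklist and the sample message are all constructed for this example; the two-label domain truncation is a deliberate simplification (real code would use the public-suffix list).

```python
"""URI lookup keys that keep the first path segment on shared hosts.

Added example, not SpamAssassin code. SHARED_HOSTS, BLOCKLIST and
SAMPLE_MESSAGE are constructed for this example.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed: hosts where the first path element, not the domain, names the owner.
SHARED_HOSTS = {"geocities.com", "geocities.yahoo.com"}
# Constructed blocklist, keyed the same way lookup_key() builds keys.
BLOCKLIST = {"geocities.com/april19781matt1487"}

URI_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def registered_domain(host):
    """Two-label fallback (asia.geocities.com -> geocities.com). Simplification:
    this mis-handles co.uk-style suffixes; use the public-suffix list in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookup_key(uri):
    """Domain for ordinary hosts; domain/first-path-segment for shared hosts."""
    if not uri.lower().startswith(("http://", "https://")):
        uri = "http://" + uri
    parts = urlsplit(uri)
    domain = registered_domain(parts.hostname or "")
    if domain in SHARED_HOSTS:
        first = parts.path.strip("/").split("/", 1)[0].lower()
        if first:
            return f"{domain}/{first}"
    return domain


def extract_uris(raw_message):
    """Pull URIs out of every text/plain and text/html part of an RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    uris = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for match in URI_RE.findall(part.get_content()):
                uris.append(match.rstrip(".,;:)]"))  # drop trailing prose punctuation
    return uris


def scan(raw_message):
    """Return (all lookup keys, keys that hit the blocklist)."""
    keys = sorted({lookup_key(u) for u in extract_uris(raw_message)})
    return keys, [k for k in keys if k in BLOCKLIST]


# Constructed sample message; the geocities path is the one from the post above.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: billy@example.net
Subject: constructed sample
Content-Type: text/plain

Great deal, see http://asia.geocities.com/april19781matt1487 today!
Legit page: http://www.geocities.com/someoneelse/index.html
Our site: www.example.org/about
"""

if __name__ == "__main__":
    print(scan(SAMPLE_MESSAGE))
```

The point of the example is the key shape, not the regex: a domain-only key makes every subweb on a free host indistinguishable, so the spammer gets the host's reputation for free; adding the first path segment gives the list something it can actually hit without listing the whole host.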


Question about addons

2005-08-09 Thread Billy Huddleston
Anyone have a method of delivering a message to a local mailbox if it's spam 
and then allowing the user to forward it on if it's not, a quarantine system, 
kinda like POSTINI does it? I've got a few of my customers looking for 
something like that, I can run them through my SA servers, and tag spam, but 
they would prefer not to get the messages if at all possible.


Thanks, Billy

+--+
| Billy Huddleston   Senior Systems Administrator  |
| Net-Express  http://www.nxs.net  |
| 114 Sherway Rd. Voice: 865-691-2011  |
| Knoxville, TN  37922  Fax: 865-691-9894  |
| [EMAIL PROTECTED]|
+--+ 



Problems with upgrade.

2004-12-02 Thread Billy Huddleston
I just upgraded my Spam Assassin engine cluster from 2.61 to 3.0.1 and now,
I'm getting some spam slipping through because it didn't get processed. I
did some testing with running GTUBE manually with spamc and sometimes it
kicks out the message immediately not processed, other times, it just hangs,
and then other times, it does it correctly.. What's going on?

Thanks, Billy


 +--+
 | Billy Huddleston   Senior Systems Administrator  |
 | Net-Express  http://www.nxs.net  |
 | 114 Sherway Rd. Voice: 865-691-2011  |
 | Knoxville, TN  37922  Fax: 865-691-9894  |
 | [EMAIL PROTECTED]|
 +--+


