MS-relayed spam

2024-01-01 Thread Charles Sprickman
Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse me...

 - the empty from envelope, which I thought was more of a "bounce" thing
 - that it does seem formatted like a bounce
 - across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
 - I had assumed that MS (or gmail, or any large provider) would be a bit more 
tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is 
using MS' inbound/outbound filtering/relaying for their email, and I'm assuming 
that the company (acquiretm dot com) has compromised account(s) being used for 
spam, and that this type of account is valuable since it's relayed through a 
somewhat "trusted" entity (MS). Stumped on the empty envelope from though...

Thanks,

Charles


Full headers inline:

Return-Path:
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
    by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
    for ; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
    tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
    DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
    HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
    MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
    SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
    T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
    by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
    with ESMTP id y8UwjrBjDDCO for ;
    Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
    (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
    (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
    for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
    b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    s=arcselector9901;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
    bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
    b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
    193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com;
    dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
    (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
    bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
    b=R1X4dpKSgryTH6OLmMzRy/tDWLnQEV8mHOEEtjH+lXKLhUWP1IcSU7ti48ZJoXOksGz7A4+ZbSb5s1wNp2A4dGS+psXMeDNERbCeNVeGFRy/0AfJX4BSO52imrh48OaXFvTjmcrwSondZQkeC2plLlatu2jWPXn+a48T+gCuUZtFOpy6+1OlQqtOhQd5Ork4w7yD6nIicaXcQ4GhpDX1YM6zU02EUOSl+pxEgJj5/WuHvXNbtuTmdsGid1JhRnmIyvR15jGzXHkyrD/KYHw3evZSOV8pJ8EMpUPDEiwdHjDGYt38j/Wwiho5yVfR/zNZa5wELOq9bYgLK0G91JywQA==
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 193.176.158.140)
    smtp.helo=mail.acquiretm.com; dkim=none (message not signed)
    header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Date: Mon, 01 Jan 2024 20:19:49 +0100
Importance: high
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
X-TOI-MSGID: <1660898088.4bdab4ab9e89d.1704136789...@acquiretm.com>
In-Reply-To:
    <952htcjgcsdxt5hydix5kfocgsan34o2gphcyv...@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
CC: myem...@mydomain.com
To: myem...@mydomain.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Storage Notice
Message-ID:
    <0e3b3785-6682-4c2
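As an added example for this thread (my code, not the poster's and not SpamAssassin's), the Python below reads the facts these headers already state and turns them into signals a local filter could score. The header block supports three observations: the DKIM_VALID and DKIM_VALID_AU hits come from a signature by the tenant's default domain (x1r862t.onmicrosoft.com); Microsoft's own X-MS-Exchange-Authentication-Results recorded spf=none and dkim=none for the host that submitted the message to it (193.176.158.140, HELO mail.acquiretm.com), so the only authentication the message carries was added by the relay; and a null reverse-path is the envelope of a delivery notification, which a plain text/html body is not. Assumptions: mail.mydomain.com stands in for the receiving MX so internal hops can be skipped, the stripped recipient address is a placeholder, the DKIM blob and h= list are shortened, the bounce used as a control is constructed (modelled on the Postfix DSN quoted later on this page, with a documentation-range IP), and the signal names are mine.

```python
import email
import re
from email import policy

# Constructed sample: a trimmed copy of the headers quoted in the post above.
# The stripped recipient address is a placeholder, the DKIM blob and h= list
# are shortened, and continuation lines are indented so the parser folds them.
MS_RELAYED = """\
Return-Path: <>
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
 by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
 for <user@mydomain.com>; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
 (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
 by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
 for <user@mydomain.com>; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=; b=R1X4dpKS
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 193.176.158.140)
 smtp.helo=mail.acquiretm.com; dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Content-Type: text/html; charset="UTF-8"

"""
# Constructed control sample shaped like the Postfix bounce quoted further down
# the page: same null reverse-path, but the body is a multipart/report.
REAL_DSN = """\
Return-Path: <>
Received: from mail.morefoo.com (mail.morefoo.com [192.0.2.10])
 by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 0000000000
 for <user@mydomain.com>; Thu, 16 Dec 2021 12:30:27 -0500 (EST)
Content-Type: multipart/report; report-type=delivery-status; boundary="x"

"""
OUR_MX = "mail.mydomain.com"  # assumption: our own MX name, used to skip internal hops
ORIGIN_FIELDS = {  # what Microsoft recorded about the hop *before* it relayed the mail
    "spf": r"\bspf=(\w+)", "dkim": r"\bdkim=(\w+)", "dmarc": r"\bdmarc=(\w+)",
    "sender_ip": r"sender ip is ([0-9a-f.:]+)", "helo": r"smtp\.helo=([^;\s]+)",
    "header_from": r"header\.from=([^;\s]+)",
}

def _flat(value):
    """Collapse a possibly folded header value to single-spaced text."""
    return " ".join(str(value or "").split())

def origin_from_ms_auth_results(msg):
    """The spf/dkim verdicts in X-MS-Exchange-Authentication-Results describe the
    original submitter, not Microsoft's own outbound host."""
    text = _flat(msg.get("X-MS-Exchange-Authentication-Results"))
    found = {k: re.search(p, text, re.I) for k, p in ORIGIN_FIELDS.items()}
    return {k: (m.group(1).lower() if m else None) for k, m in found.items()}

def last_external_hop(msg):
    """(helo, rdns, ip) of the host that handed the message to OUR_MX. Received
    headers are prepended, so the first one not from our own host is the external
    hop; the rDNS name is what our MTA looked up, HELO is what the client claimed."""
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"from (\S+) \((\S+) \[([^\]]+)\]\)", _flat(rcvd))
        if m and m.group(1).lower() != OUR_MX:
            return m.group(1).lower(), m.group(2).lower(), m.group(3)
    return None, None, None

def dkim_signing_domain(msg):
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", _flat(msg.get("DKIM-Signature")))
    return m.group(1).lower() if m else None

def assess(raw):
    """Return the signals a local filter could score for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    signals = []
    # A null reverse-path is what delivery notifications use (RFC 5321 4.5.5);
    # a plain text/html body behind one is not a notification.
    if _flat(msg.get("Return-Path")) in ("", "<>") and msg.get_content_type() != "multipart/report":
        signals.append("NULL_SENDER_NOT_DSN")
    _helo, rdns, _ip = last_external_hop(msg)
    # rDNS is the cheap check; a production rule would also verify the IP against
    # the ranges Microsoft publishes for its outbound hosts.
    via_ms = bool(rdns) and rdns.endswith(".outbound.protection.outlook.com")
    origin = origin_from_ms_auth_results(msg)
    if via_ms and origin["spf"] == "none" and origin["dkim"] == "none":
        signals.append("MS_RELAY_ORIGIN_UNAUTHENTICATED")
    dkim_d = dkim_signing_domain(msg)
    if via_ms and dkim_d and dkim_d.endswith(".onmicrosoft.com"):
        # DKIM_VALID only proves a tenant relayed it: the signing domain is the
        # tenant's default one, not a custom domain whose DNS the tenant runs.
        signals.append("DKIM_TENANT_DEFAULT_DOMAIN")
    return {"signals": signals, "via_ms": via_ms, "origin": origin, "dkim_d": dkim_d}

if __name__ == "__main__":
    for name, sample in (("MS-relayed", MS_RELAYED), ("real DSN", REAL_DSN)):
        print(name, assess(sample))
```

Run as-is, the MS-relayed sample produces all three signals and the bounce produces none. Each test maps onto a SpamAssassin header rule (on Return-Path, Content-Type, the last external Received and the DKIM d= value) that a meta rule can combine with the DKIM_VALID_AU hit the post already shows, so the relay's signature stops counting in the message's favour when the origin it recorded was unauthenticated.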

Re: My apologies

2023-08-05 Thread Charles Sprickman


> On Aug 5, 2023, at 3:09 PM, Charles Sprickman  wrote:
> 
> 
> 
>> On Aug 5, 2023, at 2:51 PM, Kevin A. McGrail  wrote:
>> 
>> Reindl is the definition of something I learned decades ago as an energy 
>> creature.
>> 
>> DNFTEC is an acronym to live by.  Suggested reading: 
>> http://www.cryonet.org/cgi-bin/dsp.cgi?msg=6284
> 
> You might enjoy this clip from "What We Do In the Shadows", which tells the 
> story of a house full of vampires living in Staten Island. Colin Robinson, 
> featured in this clip, is a special vampire: he's an "Energy Vampire" who 
> sometimes needs to "feed" on the internet...
> 
> C

Oops:

https://www.youtube.com/watch?v=4A7BLMA1LIw

C

> 
>> 
>> KAM 
>> 
>> On Sat, Aug 5, 2023, 13:24 Grant Taylor via users <users@spamassassin.apache.org> wrote:
>>> On 8/5/23 8:04 AM, Ralph Seichter wrote:
>>> > Well, that is what local mail killfiles are for. The world is sadly 
>>> > full of morons, but one does not necessarily have to accept mail 
>>> > from them.
>>> 
>>> Agreed.
>>> 
>>> The catch is that he keeps tripping up people that have not had the ... 
>>> experience of dealing with him and thus have not ... quieted him yet.
>>> 
>>> 
>>> 
>>> Grant. . . .
> 



Re: My apologies

2023-08-05 Thread Charles Sprickman


> On Aug 5, 2023, at 2:51 PM, Kevin A. McGrail  wrote:
> 
> Reindl is the definition of something I learned decades ago as an energy 
> creature.
> 
> DNFTEC is an acronym to live by.  Suggested reading: 
> http://www.cryonet.org/cgi-bin/dsp.cgi?msg=6284

You might enjoy this clip from "What We Do In the Shadows", which tells the 
story of a house full of vampires living in Staten Island. Colin Robinson, 
featured in this clip, is a special vampire: he's an "Energy Vampire" who 
sometimes needs to "feed" on the internet...

C

> 
> KAM 
> 
> On Sat, Aug 5, 2023, 13:24 Grant Taylor via users <users@spamassassin.apache.org> wrote:
>> On 8/5/23 8:04 AM, Ralph Seichter wrote:
>> > Well, that is what local mail killfiles are for. The world is sadly 
>> > full of morons, but one does not necessarily have to accept mail 
>> > from them.
>> 
>> Agreed.
>> 
>> The catch is that he keeps tripping up people that have not had the ... 
>> experience of dealing with him and thus have not ... quieted him yet.
>> 
>> 
>> 
>> Grant. . . .



Re: excluding specific RBL checks

2023-01-08 Thread Charles Sprickman



> On Jan 8, 2023, at 10:35 PM, Henrik K  wrote:
> 
> On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote:
>> What did you end up with?
>> 
>> I have a bunch of zero rules for these yet still keep getting the 
>> "administrative notice" from sbl/zen.
>> 
>> The fact that those guys don't just send out a "yes, this is on by default 
>> in spamassassin, here is copy pasta to turn us off" email bugs me.
>> 
>> I've grown to this huge list and still get the warnings.
>> 
>> # remove spamhaus tests, they want us to pay
>> # need to include the first base rule or DNS still triggers but is ignored
>> score __RCVD_IN_ZEN 0
>> score RCVD_IN_SBL 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score URIBL_SBL 0
>> score URIBL_CSS 0
>> score URIBL_SBL_A 0
>> score URIBL_CSS_A 0
>> score URIBL_DBL_SPAM 0
>> score URIBL_DBL_PHISH 0
>> score URIBL_DBL_MALWARE 0
>> score URIBL_DBL_BOTNETCC 0
>> score URIBL_DBL_ABUSE_SPAM 0
>> score URIBL_DBL_ABUSE_REDIR 0
>> score URIBL_DBL_ABUSE_PHISH 0
>> score URIBL_DBL_ABUSE_MALW 0
>> score URIBL_DBL_ABUSE_BOTCC 0
>> 
>> Until I can get around to updating I'm considering just nuking the actual 
>> tests from the ruleset.
> 
> Much easier and reliable way:
> 
> dns_query_restriction deny spamhaus.org

Trying this on half the pair, I assume this hits all subdomains of spamhaus.org?

Never ran into that parameter in my searches for this.

Thanks!

Charles
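As an added illustration (my code, not SpamAssassin's), here is the matching a domain-based query restriction has to perform, so the question above can be checked against concrete query names: a listed domain covers itself and every name under it, compared on label boundaries so that spamhaus.org does not also catch notspamhaus.org, and, on my reading of the directive, a more specific listing (allow dbl.spamhaus.org) overrides a broader one (deny spamhaus.org). The two query-name builders show what a zen lookup for an IP and a DBL lookup for a domain actually send, which is what the restriction is tested against. The directive syntax is the one quoted above; the precedence rule, the class and the helper names are my assumptions.

```python
import ipaddress

# Illustration modelled on SpamAssassin's dns_query_restriction directive
# (not SpamAssassin's own code). Assumptions: a listed domain covers itself
# and every name under it, the most specific listing wins, and a query with
# no matching listing is allowed.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def covers(domain, query_name):
    """True when domain equals query_name or is a label-boundary suffix of it:
    'spamhaus.org' covers 'zen.spamhaus.org' but not 'notspamhaus.org'."""
    q, d = _labels(query_name), _labels(domain)
    return len(q) >= len(d) and q[-len(d):] == d

class DnsQueryRestriction:
    def __init__(self):
        self.rules = []  # (verb, domain) in configuration order

    def add(self, line):
        """Parse one 'dns_query_restriction (allow|deny) dom1 dom2 ...' line."""
        parts = line.split()
        if len(parts) < 3 or parts[0] != "dns_query_restriction" or parts[1] not in ("allow", "deny"):
            raise ValueError("bad directive: %r" % line)
        self.rules.extend((parts[1], dom.lower()) for dom in parts[2:])

    def decide(self, query_name):
        """Return the (verb, domain) that governs query_name, or None.
        Longest (most specific) matching domain wins; ties go to the later line."""
        best = None
        for verb, dom in self.rules:
            if covers(dom, query_name) and (best is None or len(_labels(dom)) >= len(_labels(best[1]))):
                best = (verb, dom)
        return best

    def permitted(self, query_name):
        rule = self.decide(query_name)
        return rule is None or rule[0] == "allow"

def dnsbl_query_name(ip, zone):
    """The name an IPv4 DNSBL lookup sends: reversed octets under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def uribl_query_name(domain, zone):
    """The name a URIBL/DBL lookup sends: the domain under the zone."""
    return domain.rstrip(".").lower() + "." + zone.rstrip(".")

if __name__ == "__main__":
    restriction = DnsQueryRestriction()
    restriction.add("dns_query_restriction deny spamhaus.org")
    for q in (dnsbl_query_name("127.0.0.2", "zen.spamhaus.org"),
              uribl_query_name("example.com", "dbl.spamhaus.org"),
              dnsbl_query_name("127.0.0.2", "bl.spamcop.net"),
              "notspamhaus.org"):
        print(q, "-> query sent" if restriction.permitted(q) else "-> suppressed")
```

A rule scored 0 is skipped on its own, but a lookup that a meta rule still depends on is issued anyway (the comment in the quoted score list is about exactly that), which is why suppressing the query itself is the reliable way to stop the traffic rather than zeroing ever more rule names.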

Re: excluding specific RBL checks

2023-01-08 Thread Charles Sprickman


> On Jan 8, 2023, at 10:44 PM, joe a  wrote:
> 
> On 1/8/2023 4:23 PM, Charles Sprickman wrote:
>> What did you end up with?
> 
> score RCVD_IN_ZEN_BLOCKED_OPENDNS 0
> 
> I am not certain if that stops the test or simply reporting of the message.  
> Looks like I will need to do some packet capture after all.
> 
>> I have a bunch of zero rules for these yet still keep getting the 
>> "administrative notice" from sbl/zen.
>> The fact that those guys don't just send out a "yes, this is on by default 
>> in spamassassin, here is copy pasta to turn us off" email bugs me.
>> I've grown to this huge list and still get the warnings.
>> # remove spamhaus tests, they want us to pay
>> # need to include the first base rule or DNS still triggers but is ignored
>> score __RCVD_IN_ZEN 0
> 
> Is that a typo? There should be no underscore before RCVD, correct?

That's copypasta from the wiki page spamhaus references. No explanation on the 
page why the underscores...

C

> 
>> score RCVD_IN_SBL 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score URIBL_SBL 0
>> score URIBL_CSS 0
>> score URIBL_SBL_A 0
>> score URIBL_CSS_A 0
>> score URIBL_DBL_SPAM 0
>> score URIBL_DBL_PHISH 0
>> score URIBL_DBL_MALWARE 0
>> score URIBL_DBL_BOTNETCC 0
>> score URIBL_DBL_ABUSE_SPAM 0
>> score URIBL_DBL_ABUSE_REDIR 0
>> score URIBL_DBL_ABUSE_PHISH 0
>> score URIBL_DBL_ABUSE_MALW 0
>> score URIBL_DBL_ABUSE_BOTCC 0
>> Until I can get around to updating I'm considering just nuking the actual 
>> tests from the ruleset.
>> Charles




Re: excluding specific RBL checks

2023-01-08 Thread Charles Sprickman
What did you end up with?

I have a bunch of zero rules for these yet still keep getting the 
"administrative notice" from sbl/zen.

The fact that those guys don't just send out a "yes, this is on by default in 
spamassassin, here is copy pasta to turn us off" email bugs me.

I've grown to this huge list and still get the warnings.

# remove spamhaus tests, they want us to pay
# need to include the first base rule or DNS still triggers but is ignored
score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0
score URIBL_CSS 0
score URIBL_SBL_A 0
score URIBL_CSS_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_PHISH 0
score URIBL_DBL_MALWARE 0
score URIBL_DBL_BOTNETCC 0
score URIBL_DBL_ABUSE_SPAM 0
score URIBL_DBL_ABUSE_REDIR 0
score URIBL_DBL_ABUSE_PHISH 0
score URIBL_DBL_ABUSE_MALW 0
score URIBL_DBL_ABUSE_BOTCC 0

Until I can get around to updating I'm considering just nuking the actual tests 
from the ruleset.

Charles

> On Jan 8, 2023, at 4:00 PM, joe a  wrote:
> 
> On 1/8/2023 3:50 PM, joe a wrote:
>> SA version 3.4.5
>> Gears are clashing, clutch is slipping, among other things.
>> Trying to exclude certain checks, via spamhaus services "by the book"
>> When placing these values in local.cf:
>> RCVD_IN_ZEN 0
>> RCVD_IN_XBL 0
>> RCVD_IN_PBL 0
>> "spamassassin --lint" complains. Yet SA starts without complaint and seems 
>> to not run those tests.
>> Placing "score" at the beginning of the line makes lint happy and SA seems 
>> to start fine and also does not run those tests.
>> So, one assumes it is a typo in the docs, or, one is expected to infer the 
>> "score" word.
>> Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):
>> "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
>> Which suggests that one runs despite the directive or, I am using the wrong 
>> one.
> 
> And the answer to the latter is "I had the wrong directive".  Which is 
> obvious.  Now.
> 



Re: Do these domains merit blocking?

2021-12-16 Thread Charles Sprickman



> On Dec 15, 2021, at 1:57 PM, Alan Hodgson  wrote:
> 
> On Wed, 2021-12-15 at 10:55 -0800, Alan Hodgson wrote:
>> 
>> I got a couple to an actual human who answered ab...@princeton.edu. I can 
>> forward them privately.
> 
> Let me rephrase that; I complained to ab...@princeton.edu and actually heard 
> back from a human, to whom I have since sent copies of the spam messages.
> 

Well, this was the result of sending to the email address published on their 
info page…

--
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

  The mail system

: host
   mxa-5701.gslb.pphosted.com[205.220.160.168] said: 550 5.1.1 User
   Unknown (in reply to RCPT TO command)
Reporting-MTA: dns; mail.morefoo.com
X-Postfix-Queue-ID: AECB8B0031
X-Postfix-Sender: rfc822; c...@sporklab.com
Arrival-Date: Thu, 16 Dec 2021 12:30:27 -0500 (EST)

Final-Recipient: rfc822; rapt+privacyst...@princeton.edu
Original-Recipient: rfc822;rapt+privacyst...@princeton.edu
Action: failed
Status: 5.1.1
Remote-MTA: dns; mxa-5701.gslb.pphosted.com
Diagnostic-Code: smtp; 550 5.1.1 User Unknown

--


Re: Do these domains merit blocking?

2021-12-15 Thread Charles Sprickman
Does anyone have a sample of one of their emails?

I’m composing a brief nastygram and would like to get my eyes on one before 
finishing up.

Thanks,

Charles

> On Dec 15, 2021, at 11:39 AM, Bill Cole 
>  wrote:
> 
> There has recently been a spate of odd spams to harvested addresses asking 
> hypothetical questions about domains' privacy practices. It turns out this is 
> a grad student enrolling human subjects in a study without informed 
> consent... The explanation is at 
> https://measurement.cs.princeton.edu/privacystudy/ and there is a list of 
> domains there which were created to run this maldesigned study.
> 
> Many of the early batch compounded the consent problem with outright fraud, 
> claiming to be from people who do not exist.
> 
> I am curious about what the SA user world thinks of such domains. My personal 
> opinion is that the grad student, his faculty advisors, and his IRB should 
> all be forced to find new careers and the domains should have a null CNAME at 
> the root forever. It appears that URIBL, SURBL, and Spamhaus DBL have all 
> noticed the domains unflatteringly, which I suppose constitutes a more 
> balanced consequence...
> 
> A customer has expressed mild dismay at the concept that a fine research 
> institution should be "punished for doing research." I'm less attached to 
> Princeton than my NJ-based customer and (having worked in a NIH-funded lab) 
> less idolizing of the Ivory Tower in general. I have no difficulty explaining 
> my position, but I am rather surprised that I need to in 2021. Am I missing 
> something special that makes such research spam somehow not spam?
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire



OT: Outsourced Email Spam Filtering/Security/AV?

2021-10-02 Thread Charles Sprickman
Hi all,

I run spamassassin, clamav, and other tools in a number of places, but I do 
have a need to get a few domains behind a commercial service (ie: point MX at 
them, point outbound smtp on MUAs at them). Should have quarantine options, a 
fairly simple web UI (for quarantine, per-user settings, etc.), and have been 
around long enough that it’s clear I can “set it and forget” it for a number of 
years. Should not be penalized too hard on the pricing for only having 150 
mailboxes or so.

Google is an absolute horror show for this, all I’m getting is SEO-juiced bogus 
comparison sites with dozens of companies I’ve never heard of.

I figure there are probably some folks here that use commercial options either 
in place of or in addition to SA. Would love to hear some opinions…

Thanks,

Charles

Re: CHAOS: v1.2.2: Of Documentation

2021-07-22 Thread Charles Sprickman
What would the elevator pitch be for this?

> On Jul 23, 2021, at 12:07 AM, Jared Hall  wrote:
> 
> Simon Wilson wrote:
>>> could you, please, finally, describe what does this module do,
>>> here to the list and/or to the wiki?
>>> 
>>> the description there is too hard to understand, especially at the beginning,
>>> and I couldn't force myself to understand it (multiple times).
>>> 
>>> Maybe you should start with the easy parts and follow with those more
>>> complicated functionality, because I feel the description starts with 
>>> the latter.
>> 
>> I'm guessing from the silence in response that this will remain a mystery.
>> 
>> Simon.
>> 
>> ___
>> Simon Wilson
>> M: 0400 12 11 16
> 
> Reads perfectly well to me.  I guess to be compatible with any other plugin, 
> I must delete all documentation entirely :)  
> 
> Seriously, every single rule that this module can generate is listed.  That's 
> a good start, comparatively.
> 
> I answer, and have answered, all questions regarding this module.  Open-ended 
> questions, or questions that are vague and ambiguous, are ignored.  For 
> instance, "Maybe you should start with easy parts"?  OK, what's easy?  I'm 
> reminded of an old Star Trek episode where Dr. McCoy is reattaching Spock's 
> brain.  "It's so easy.  A child can do it", he muses.  Questions have value.  
> Statements less so.
> 
> This module has some unique stuff that CANNOT be done in a pure SpamAssassin 
> environment.  It also has stuff that can be replicated using standard rules.  
> 
> 1) The module, if installed and using the config file as is, does no harm at 
> all.  It will merely generate rules based upon what it finds.  These are all 
> scored at the low rate of 0.01.  It's up to the user to decide what to with 
> them.  They can wrap up a generated rule in a meta rule.  Example:
> 
> meta   JR_HATES_BEENTHERE   (JR_X_BEENTHERE)
> score JR_HATES_BEENTHERE   8.0
> 
> 2) Via a configuration file option, "chaos_mode", the module can be set to 
> automatically score its rules.
> 
> chaos_mode AutoISP
> 
> It will still run along with existing files, cranking out higher scores for 
> those rules marked with an asterisk.  That is still probably acceptable for 
> most people.  But it can cause problems.  The popular KAM ruleset scores 
> SendGrid Emails with a high value.  Mine is split into two different values 
> that are scored differently.  While they are both lower than KAM's, combined, 
> I see that as a potential problem.  I have no knowledge of what somebody's 
> rules are at any given moment.  Caveat Emptor.  There I go again with the 
> Latin :)
> 
> 2A) What values do I set for these rules?  As a percentage of another 
> configuration file option, "chaos_tag":
> 
> chaos_tag 7
> 
> Per the example above JR_X_BEENTHERE is a rule that is Auto-Scored.  If you 
> lower the chaos_tag value, the score for this rule would be reduced.  If I 
> increase the chaos_tag value, the score produced by this rule is raised.
> 
> 2B) The AutoISP mode, as is, should be fine for anybody running  a spam tag 
> level of 8 to 12.  
> 
> 2C) The initial release of CHAOS.pm did all kinds of scoring.  One of the 
> knocks I have about SpamAssassin is that it does not maintain counts of hits. 
>  My complaints about this go all the way back to 2010.  Counts and Amounts.  
> SA is great with Amounts.  It sucks with Counts.  To the SA Development 
> crew's credit, somewhere along the way, tflags were added to allow that 
> functionality in a very primitive fashion.  Many people are happy with that.  
> I'm just not one of them.
> 
> I read somewhere, while looking at META rules that SA internally builds an 
> array of the rules hit.  That way, as rules hit, METAs are then appropriately 
> updated.  Gee, an array.  Maybe we could add a count to that array if the 
> user wishes to?  I think that it is a lot of development; not so much the 
> actual process of doing it, but updating all the User handling thereof.  
> Alas, It is what it is *SIGH*
> 
> 2D) One thing about running AutoISP mode is that you can change a Rule's name 
> in the configuration file and no matter what, you'll get the Rulename that's 
> hard-coded into the program.  When a Eval plugin function is called, SA 
> passes the rule name to the plugin.  Most plugins just ignore it, and simply 
> return a Hit/Miss value for the Rulename.  I ignore that completely.
> 
> 2E) When I first released CHAOS, all it did was Automatic Scoring.  And I 
> used all kinds of fancy algorithms, even logarithmic, to demonstrate that.  
> That was pointless, as many pointed out at the time.  I don't do that stuff 
> anymore.
> 
> 2F) Still, as is, AutoISP will still work great for most people. 
> 
> 3) As the first release of CHAOS was about as successful as the Hindenburg, I 
> added the concept of Manual scoring.  This works in the same fashion as most 
> people are accustomed to.  This is set in the configuration file:
> 
> chaos_mode Manual
> 
> There 

Re: "Please send us a quote..."?

2021-04-06 Thread Charles Sprickman



> On Apr 6, 2021, at 8:20 PM, John Hardin  wrote:
> 
> On Tue, 6 Apr 2021, Kris Deugau wrote:
> 
>> John Hardin wrote:
>>> Can anybody explain to me the reason behind the blind "please send us a 
>>> quote for your product X" emails? I mean, I know they are somehow a 
>>> scam, but I can't figure it out how it's supposed to work when the target 
>>> isn't a business...
>> 
>> Most of the examples I've seen are arguably virus emails, on the basis of an 
>> attached archive file with a .exe in it.
> 
> *Those* are easy enough to figure out. I was asking about the ones with no 
> attachments, no links, nothing obviously exploitable.

I had one of them, they wanted to buy 300 hard drives from us, and were 
spoofing a DOD contractor. Wacky stuff (we don’t sell hard drives).

Had a back and forth with them, it was a pretty slick scam - had a full website 
that was like the spoofed contractor but a different TLD, US phone and fax 
numbers and were very eager for us to send them some drives. I just forwarded 
all my correspondence on to the spoofed contractor.

Not totally clear on the scam as it went no further than saying “yeah bud, we 
have the drives, how would you like to pay?”.

C

> 
> -- 
> John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
> jhar...@impsec.org pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Activist: Someone who gets involved.
>  Unregistered Lobbyist: Someone who gets involved
>   with something the MSM doesn't approve of. -- WizardPC
> ---
> 7 days until Thomas Jefferson's 278th Birthday



Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-20 Thread Charles Sprickman

> On Nov 20, 2020, at 4:45 PM, Rob McEwen  wrote:
> 
> On 11/20/2020 4:37 PM, Eric Broch wrote:
>> It seems spammers are using political arguments to justify their actions. 
>> I'll give them credit, at least they're trying to justify what they do by 
>> something greater than (outside of) themselves, albeit wrongly.
>> It seems people on this side of the argument want to jettison politics (and 
>> religion) and have no justification (only personal preference) for what they 
>> do. Curious!
>> At the core spammers seem more logically consistent than those who oppose 
>> them.
> 
> 
> I have extremely large amounts of spams on file in my spamtrap spam 
> collection from all various political viewpoints, political parties, and 
> moral/ethical/religious viewpoints - MANY of them think that THEIR greater 
> good justifies spamming, and ironically their beliefs are often in 100% 
> contradiction to OTHER spammers who have opposite beliefs, but likewise think 
> that their spam is justified by THEIR "greater good". Thankfully, it isn't my 
> job to determine who is justified and, instead, I believe that NONE of them 
> are justified in sending spam - spam is about *consent* - NOT *content*.

I mean, remember campaign and I believe non-profit stuff in the US is EXEMPT 
from CAN-SPAM, so they don’t even have to play by the rules.

https://www.ftc.gov/news-events/blogs/business-blog/2015/08/candid-answers-can-spam-questions
 


First amendment stuff is going to be very fun with this current crop of federal 
judges and the SC. A recent ruling said public health interests can be 
overruled because “masking” is somehow restricting speech, lol.

Charles

> 
> -- 
> Rob McEwen, invaluement
> 



Re: What can one do abut outlook.com?

2020-10-26 Thread Charles Sprickman
Let’s remember you’re arguing with someone who clearly doesn’t run any sort of 
commercial email system because no sane person selling boxes can simply block 
outlook...

> On Oct 26, 2020, at 5:44 AM, John Wilcock  wrote:
> 
> The problem with your analogy is that you are not just interacting with one 
> unwelcome neighbour with a defective washing machine, but with dozens of 
> neighbours whose washing machines work perfectly but who happen to share the 
> same plumber as the unwelcome one. And in many cases these people aren't just 
> your neighbours but potential clients of yours. If you refuse to deal with 
> them on the basis that they use that plumber, you're the one who will lose 
> business.
> 
> I'm not sure the analogy works all that well, but hopefully you get my point. 
> Outlook.com, Google and Amazon all have millions of legitimate customers from 
> whom you might receive genuine email, and if you block them because of their 
> (relatively few) unwelcome customers, you're throwing the baby out with the 
> bathwater. 
> 
> -- 
> John
> 
>  
> On 2020-10-25 18:48, Marc Roos wrote:
> 
>> 
>> Are you guys working for Google or Amazon or so? Maybe I should give 
>> something simple analogy so you understand. 
>> 
>> If your neighbours washing machine breaks down, and causes you water 
>> damage. They have to pay for cleaning up the mess they created in your 
>> apartment. If the neighbour spills oil on your parkway, they have to 
>> clean it up.
>> 
>> 
>> Your reasoning resembles:
>> 
>> - the neighbour does have to use their washing machine every time, so I 
>> will just clean up their mess every time.
>> - it is only once of every 3 times the neighbour uses his washing 
>> machine, he floods my apartment, so that is ok.
>> - the neighbour has kids, they cannot be held responsible for dad to 
>> flood my apartment every week. So I will not ask the landlord to evict 
>> them. I will just clean up their mess every week year after year.
>> - the neighbour floods my apartment every week, I think I will teach him 
>> this week how to use the washing machine. 
>> - the neighbour floods my apartment every week, I think I will replace 
>> my wooden floor for some plastic foil.
>> 
>> 
>> 
>> 
>> 
>>  
>> 



Re: Sendgrid Under Siege from Hacked Accounts

2020-08-29 Thread Charles Sprickman

> On Aug 29, 2020, at 5:37 PM, Brent Clark  wrote:
> 
> Good day Guys
> 
> Got this off Hackernews. Thought I would share the link.
> 
> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
> 
> Interesting comments too.

(kind of OT, sorry)

I know that at some point I setup a one-off account at one of these companies 
for a VPS that had to send confirmation emails and admin stuff out (low 
volume). It just seemed easier than trying to establish my VPS’ IP as legit in 
the eyes of major mail providers… Turns out it was Mailgun, not sendgrid.

But I went to sendgrid’s site and checked my password manager, and sure enough 
I had an account. But get this - no 2FA, and the login was something like 
cust88987...@heroku.com. So a Heroku app (redmine, which needed to send ticket 
info via email) I set up back in 2017 and cancelled a year later spawned this 
sendgrid account, and the account, which is perhaps under the control of Heroku 
(as I can’t view/set billing info, nor do anything that would require verifying 
the accountholder email), is just sitting there, presumably to just add to the 
subscriber count that Sendgrid/Twilio uses to woo investors.

As best I can tell, I can login, I can make API keys, but I can’t delete the 
account because it’s not truly mine. Totally huge oversight on someone’s part. 
The account is active and able to send...

Charles

> 
> Regards
> Brent



Re: Constructive solution to the blacklist thread

2020-07-23 Thread Charles Sprickman
That reminds me:

Eric, BLM and all the good Marxists and community organizers, and those who 
think the people that talk about “the decline of western civilization” hold 
some very questionable values about folks that don’t look like them, I’d like 
to thank you on behalf of all these organizations for the generous donation you 
have inspired:

https://imgur.com/a/Ccwj0Li

> On Jul 23, 2020, at 8:12 PM, Charles Sprickman  wrote:
> 
> HA HA HA HA HA HA HA
> 
>> On Jul 23, 2020, at 7:16 PM, Eric Broch  wrote:
>> 
>> Political correctness, BLM and Antifa (LGBTQ) as well as feminism (and many 
>> other agendas) are being used as battering rams to destroy western culture 
>> and usher in Marxist global governance. The real agenda isn't "getting 
>> along" it's quite the opposite.
>> 
>> On 7/23/2020 4:41 PM, Antony Stone wrote:
>>> On Thursday 23 July 2020 at 22:44:51, Michael Orlitzky wrote:
>>> 
>>>> The Apache foundation has some cash laying around. Make whatever wording
>>>> changes you like, but **at the same time**, donate a meaningful amount
>>>> of money to a cause like the ACLU or the defense/medical funds for the
>>>> protestors.
>>> Don't you have that the wrong way around?
>>> 
>>> All these IT companies, groups and foundations who are changing their 
>>> wording
>>> to make the world a better place are doing what the ACLU has been trying to 
>>> do
>>> for years, so surely the ACLU should be funding the IT support people who 
>>> have
>>> to deal with the extra workload of managing these changes?
>>> 
>>> The oppressed societal groups get the improvement they've been waiting for,
>>> the ACLU doesn't have to work so hard, and the IT support staff get 
>>> compensated
>>> for the extra work they have to do for the benefit of society.
>>> 
>>> Of course, that model all breaks down if you don't really believe that these
>>> changes are going to make the world a better place, or that the oppressed
>>> societal groups are not in fact going to be better off as a result of 
>>> changing
>>> the word black to block in an email filtering system, but nobody really 
>>> thinks
>>> that, do they?
>>> 
>>> Note for those challenged by sarcasm or irony: I do not agree with the 
>>> change
>>> and I do not think it will have the effects it is being done in the name of.
>>> 
>>> 
>>> Antony.
>>> 
> 



Re: Constructive solution to the blacklist thread

2020-07-23 Thread Charles Sprickman
HA HA HA HA HA HA HA

> On Jul 23, 2020, at 7:16 PM, Eric Broch  wrote:
> 
> Political correctness, BLM and Antifa (LGBTQ) as well as feminism (and many 
> other agendas) are being used as battering rams to destroy western culture 
> and usher in Marxist global governance. The real agenda isn't "getting along" 
> it's quite the opposite.
> 
> On 7/23/2020 4:41 PM, Antony Stone wrote:
>> On Thursday 23 July 2020 at 22:44:51, Michael Orlitzky wrote:
>> 
>>> The Apache foundation has some cash laying around. Make whatever wording
>>> changes you like, but **at the same time**, donate a meaningful amount
>>> of money to a cause like the ACLU or the defense/medical funds for the
>>> protestors.
>> Don't you have that the wrong way around?
>> 
>> All these IT companies, groups and foundations who are changing their wording
>> to make the world a better place are doing what the ACLU has been trying to do
>> for years, so surely the ACLU should be funding the IT support people who have
>> to deal with the extra workload of managing these changes?
>> 
>> The oppressed societal groups get the improvement they've been waiting for,
>> the ACLU doesn't have to work so hard, and the IT support staff get compensated
>> for the extra work they have to do for the benefit of society.
>> 
>> Of course, that model all breaks down if you don't really believe that these
>> changes are going to make the world a better place, or that the oppressed
>> societal groups are not in fact going to be better off as a result of changing
>> the word black to block in an email filtering system, but nobody really thinks
>> that, do they?
>> 
>> Note for those challenged by sarcasm or irony: I do not agree with the change
>> and I do not think it will have the effects it is being done in the name of.
>> 
>> 
>> Antony.
>> 



Re: Why the new changes need to be "depricated" forever

2020-07-23 Thread Charles Sprickman



> On Jul 23, 2020, at 2:29 PM, Ted Mittelstaedt  wrote:
> 
> 
> Was it really that unclear that I was speaking tongue-in-cheek?
> 
> Man o Man I missed my calling in life.  I should have gone into scamming
> people if I was able to get you guys to think that load of BS about
> forking was serious
> 
> Ted
> 
> On 7/23/2020 7:06 AM, Kevin A. McGrail wrote:
>> Note: If you fork a project, you cannot use the name, just the code.

I do wish that the handful of loud, non-contributors who have so much to say 
about someone else’s project would shut up and fork it, TBH.

Re: Why the new changes need to be "depricated" forever

2020-07-22 Thread Charles Sprickman



> On Jul 22, 2020, at 3:28 AM, Marc Roos  wrote:
> 
> 
>>> Oh my god, you snowflakes, please just get over yourselves.
> 
> The term "snowflake generation" was one of Collins English Dictionary's 
> 2016 words of the year. Collins defines the term as "the young adults of 
> the 2010s, viewed as being less resilient and more prone to taking 
> offence than previous generations".
> 
> Do you get that it is the other way around? You are using this term 
> incorrectly?

No, I think it describes you lot perfectly.

Rather than tolerate the tiniest of changes you throw a tantrum.

You could have just packed up and left, used other software that didn’t offend 
your gentle sensitivities, forked SA, or (IMO, the best option) just shut the 
f*ck up, but… no, you’d like the whole world to adjust to your narrow views 
(which all center around your experiences of the world, which of course are the 
only valid ones, right?). So yes, you’re a bunch of snowflakes.

I’m going to follow that other dude’s lead and start donating to Portland bail 
funds in your names each time you post. :)




Re: Why the new changes need to be "depricated" forever

2020-07-21 Thread Charles Sprickman



> On Jul 21, 2020, at 11:14 PM, Eric Broch  wrote:
> 
> We're not the ones melting because someone said, "blacklist," its people like 
> you.
> 
> 
> On 7/21/2020 8:48 PM, Charles Sprickman wrote:
>> 
>>> On Jul 21, 2020, at 9:25 PM, Loren Wilton  wrote:
>>> 
>>>> For better or worse, we are at an inflection point in society where 
>>>> society as a whole is deliberating the meaning and / or use of the terms 
>>>> "white" and "black".
>>> I do strongly wonder whether this is "society" or only "people in the USA". 
>>> It should be noted that historically blacks were enslaved just as little or 
>>> much as any other race in other countries, and I don't see those countries 
>>> bending over to appease blacks because the Romans and Greeks would enslave 
>>> them (as well as anyone else).
>>> 
>>> You note that "gay" has a different meaning today. As far as I know, the 
>>> words "black" and "white" were not systematically used to refer to skin 
>>> colors before about 1963, when a movement was set afoot in the USA to 
>>> replace "negro" with "black" and "caucasian" with "white".
>>> 
>>> Yes, reference was made to skin colors before, and the English "negro" is 
>>> obviously the same word as the Spanish "negro", but in that case, it is 
>>> merely the name of a color. So the USA in the 1960s made the decision to 
>>> take a word from a non-Latin root and apply that color as a substitute for 
>>> a Latin word that denoted a race.
>>> 
>>> It therefore bothers me somewhat that we are now using this post-1963 
>>> renaming to condemn terms like "blacklist" and "blackball" that have existed 
>>> for over 2000 years, and "black sheep", which has doubtless existed in 
>>> Egyptian for another 6000 years before that, as being racist and somehow 
>>> denigrating African Americans specifically.
>> Oh my god, you snowflakes, please just get over yourselves.
>> 
>> You are a loud, pedantic, solipsistic minority that is just unwilling to 
>> either a) accept this change and move on b) switch to software that doesn’t 
>> upend your tiny little worldview c) fork it and take this discussion to your 
>> fork’s technical list.
>> 
>> Please, there must be somewhere else you can discuss this issue. There’s 
>> only like 4 of you, you can do this with a cc: list.

And top-posting too - solipsists can’t help it.



Re: Why the new changes need to be "depricated" forever

2020-07-21 Thread Charles Sprickman



> On Jul 21, 2020, at 9:25 PM, Loren Wilton  wrote:
> 
>> For better or worse, we are at an inflection point in society where society 
>> as a whole is deliberating the meaning and / or use of the terms "white" and 
>> "black".
> 
> I do strongly wonder whether this is "society" or only "people in the USA". 
> It should be noted that historically blacks were enslaved just as little or 
> much as any other race in other countries, and I don't see those countries 
> bending over to appease blacks because the Romans and Greeks would enslave 
> them (as well as anyone else).
> 
> You note that "gay" has a different meaning today. As far as I know, the 
> words "black" and "white" were not systematically used to refer to skin 
> colors before about 1963, when a movement was set afoot in the USA to replace 
> "negro" with "black" and "caucasian" with "white".
> 
> Yes, reference was made to skin colors before, and the English "negro" is 
> obviously the same word as the Spanish "negro", but in that case, it is 
> merely the name of a color. So the USA in the 1960s made the decision to take 
> a word from a non-Latin root and apply that color as a substitute for a Latin 
> word that denoted a race.
> 
> It therefore bothers me somewhat that we are now using this post-1963 
> renaming to condemn terms like "blacklist" and "blackball" that have existed 
> for over 2000 years, and "black sheep", which has doubtless existed in 
> Egyptian for another 6000 years before that, as being racist and somehow 
> denigrating African Americans specifically.

Oh my god, you snowflakes, please just get over yourselves.

You are a loud, pedantic, solipsistic minority that is just unwilling to either 
a) accept this change and move on b) switch to software that doesn’t upend your 
tiny little worldview c) fork it and take this discussion to your fork’s 
technical list.

Please, there must be somewhere else you can discuss this issue. There’s only 
like 4 of you, you can do this with a cc: list.

Re: OT: "...value judgement"

2020-07-21 Thread Charles Sprickman



> On Jul 21, 2020, at 3:16 PM, Robert Schetterer  wrote:
> 
> Am 21.07.20 um 21:07 schrieb Bill Cole:
>> On 21 Jul 2020, at 14:06, Grant Taylor wrote:
>>> On 7/21/20 11:56 AM, Bill Cole wrote:
>>>> All answers: "NO!" In those cases, "black" and "white" all reference 
>>>> actual colors of physical things, not a metaphorical value judgment.
>>> 
>>> Hum.  Your "value judgement" statement is interesting.
>>> 
>>> The original meaning of blacklist that I found seems to be exactly that, a 
>>> value judgement on if it was okay / safe to do business with people / 
>>> businesses or not.  Specifically if someone (independent of race) was 
>>> unsafe to do business with, they were added to the blacklist.
>> Precisely.
>> That usage is problematic because in many (most? all?) Anglophone societies, 
>> "Black" is an ethno-racial label. In some cases (UK, US, probably more) it 
>> is accepted and internalized as an identity by those thus labeled. This 
>> creates a naming collision with the usage of "black" and "white" as 
>> metaphorical labels for value judgments.
>> The degree of annoyance caused by that collision of connotations varies 
>> widely.
> 
> Hi @ll, can we focus on tech problems again?

The thread is marked “OT” unlike the outbursts from the crew of warriors 
against “cultural marxism” that are crapping on every thread…

> 
> 
> 
> -- 
> [*] sys4 AG
> 
> http://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
> 
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> Aufsichtsratsvorsitzender: Florian Kirstein



Re: More Responses about Various Questions revolving around WelcomeLIst/BlockList changes

2020-07-20 Thread Charles Sprickman



> On Jul 20, 2020, at 9:03 PM, Eric Broch  wrote:
> 
> On 7/20/2020 5:49 PM, jdow wrote:
>> On 20200720 11:53:37, Kevin A. McGrail wrote:
>>> *> Why make the change?*
>>> 
>>> I believe it's the right thing to do and you are going to see more of the 
>>> ecosystem changing to.  I will not preempt the news but you are going to 
>>> see this change pretty broadly.
>> 
>> So this is basically your doing. What I think of you and your arrogance and 
>> racism displayed in your wording above and the nature of the change is not 
>> suitable for this list. The schools that produced you are training natural 
>> born losers.
>> 
>> {^_^}
> 
> The Old Dominion is a slave state once again.

y’all are so dang oppressed, how do you drag yourselves out of bed in the 
morning?

Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

2020-07-19 Thread Charles Sprickman


> On Jul 19, 2020, at 10:12 PM, Noel Butler  wrote:
> 
> On 16/07/2020 14:47, jdow wrote:
> 
>> 
>> You can probably fork the project and go on running what exists now going 
>> forward. That is something I am mulling doing for myself. I just have to ask 
>> myself, which is more painful?
>> 
>> 
> 
> Actually, might not have to reinvent the wheel, last time I looked at rspamd 
> was several years ago.
> 
> Since the politically motivated change in spamassassin was made public last 
> week, I reinstalled it in a dev lab. Running over the weekend, tests showed 
> rspamd has remarkably improved, 603% speed increase over spamassassin (well 
> it does run in C), and 18% more hit rates, when it came to known false 
> positives, it equalled spamassassin though.
> 
> Obviously before moving production over to it, I need to run it again over a 
> much longer period of time, but it looks promising, I'll see how it goes over 
> the next 4 weeks.
> 

Yes, but what if they choose to use inclusive language? Then where do you go to 
avoid this oppression?
> 
> --
> 
> Regards,
> Noel Butler
> 
> This Email, including attachments, may contain legally privileged 
> information, therefore at all times remains confidential and subject to 
> copyright protected under international law. You may not disseminate this 
> message without the author's express written authority to do so. If you are 
> not the intended recipient, please notify the sender then delete all copies 
> of this message including attachments immediately. Confidentiality, 
> copyright, and legal privilege are not waived or lost by reason of the 
> mistaken delivery of this message.
> 



Re: spamhaus enabled by default

2020-07-14 Thread Charles Sprickman



> On Jul 14, 2020, at 12:08 PM, M. Omer GOLGELI  wrote:
> 
> July 14, 2020 6:07 PM, "Kevin A. McGrail"  wrote:
> 
>> The question you ask is exactly why we have the DNSBL Inclusion policy and 
>> require the free for
>> some model.
>> 
>> We might need to kick up the need for the BLOCKED rule with instructions in 
>> that description on how
>> to disable the rules. What are your thoughts on that?
>> 
> 
> Don't get me wrong, I use them in the scoring process as well and I'm glad to 
> use them along with a few others as I'm not that hard bent on keeping 
> everything free.
> 
> And if I hit the limits somehow, I'll either pay for them or turn them off.
> 
> But there will always be people that don't want it.
> Or those who wouldn't want to see their OSS software rely on commercial 
> products.
> Or there will be those who do this non-commercially. 
> Or there will be people who installed it as part of their OSS mail product 
> and don't know that there's such a limit etc.
> 
> So for that matter, maybe these can be left for the admin's decision to enable 
> them after installation.
> Or all users should be made aware of these limitations in a better manner and 
> clearly for each semi-commercial RBL used.

Since the consensus is that this is kind of a “turn it loose out of the box” 
situation, I think a nice compromise would be huge commented chunks around 
settings that would disable any commercial services that will start sending 
nastygrams if you are outside of their (sometimes complex and kind of opaque 
“free” use case).

I do so wish some of those folks would take spamtraps in trade. We see spam 
from sources even the most expensive lists don’t see for at least 15-20 minutes 
- valuable data, IMHO. :)

Charles

> 
> 
> 
> 
> 
> 
> 
> 
> M. Omer GOLGELI



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-12 Thread Charles Sprickman
Jordan says to clean your room.

> On Jul 12, 2020, at 3:24 PM, Eric Broch  wrote:
> 
> Again, you've made my point.
> 
> All you have are ad hominem and strawman arguments, both logical fallacies.
> 
> You can't debate so call for my removal from this list.
> 
> 
> On 7/12/2020 12:40 PM, micah anderson wrote:
>> Eric Broch  writes:
>> 
>>> 2) You accuse "the right wing[er]" of making this issue political when
>>> we've/I've done no such thing.
>> hilariously, you then go on to do exactly that:
>> 
>>> The maintainers of the list have listened to those who've turned
>>> something benign (whitelist/blacklist) into something political and
>>> are now groveling to the political Marxists.
>> Maybe you don't see it, but your war against the imaginary conspiracy
>> theory of cultural marxism is not at all benign, or apolitical. Play the
>> victim all you want, but invoking the spectre of "cultural Marxism" to
>> account for things you disapprove of is just proving the original
>> poster's point.
>> 
>>> Where does it stop. No one has answered my question. Now that
>>> whitelist/blacklist are gone why isn't Apache on the chopping block?
>>> What's next?
>> Depends if you want to haul out the Frankfurt school, Marcuse, and
>> Adorno and the proletariat's desire to revolt, mix in a little bit of
>> Freud and claim that a mysterious group is using insidious forms of
>> psychological manipulation to chemtrail the 9/11 inside job. Clearly the
>> renaming of whitelist/blacklist is a Soros paid for plot intended to
>> destroy traditional Christian values and overthrow free enterprise, just
>> look at Clinton's emails...obvious link to pizza gate, and
>> Benghazi...who knows where you are going to stop this regurgitated drool
>> you had brainwashed into you, but...
>> 
>> Personally, I think it needs to stop here, the theory of cultural
>> Marxism is blatantly antisemitic, drawing on the idea of Jews as a fifth
>> column bringing down western civilisation from within, a racist trope
>> that has a longer history than Marxism. Like the Protocols of the Elders
>> of Zion, the theory was fabricated to create and perpetuate a culture
>> war (William Lind).
>> 
>> So where does it stop and what is next? It needs to stop right
>> here. Spewing anti-semitic bile on this mailing list is exactly what
>> needs to be next.
>> 
>> If this guy isn't spam, I don't know what is.
>> 
>> plonk
>> 



Re: spamhaus enabled by default

2020-07-11 Thread Charles Sprickman



> On Jul 11, 2020, at 6:33 AM, Riccardo Alfieri  
> wrote:
> 
> On 10/07/20 22:51, Charles Sprickman wrote:
> 
>> 
>> That’s unrealistic. Many ISPs these days aren’t the “big boys” with 
>> dedicated staff for every facet of ISP operations; they are one- and two-man 
>> shops running WISPs in rural areas or developing countries. It’s not the 
>> 90’s anymore. It’s a terrible default; even home users should have to make 
>> an effort to enable a commercial service.
> I'm not going to make comments about running an ISP without a basic knowledge 
> of email/hosting/networking

Wow, nice sales pitch my man! I will definitely recommend they sign up.

>> And spamhaus should just replace the sales pitch email with instructions on 
>> how to comment their stuff out if they don’t want small ISPs (a small 
>> business, actually!) to use it. :)
> 
> Excuse me but isn't it at least "fair" that, if you use a service provided by 
> others for commercial purposes, you pay for that service that contributes to 
> your income?

Then it shouldn’t be free for “small businesses”. Having spam-free mailboxes 
will enhance their ability to conduct business, no? Or does your product not 
provide value.

> And I don't know where you got a quote of "hundreds of dollars per month" for 
> 1000 mailboxes, but it's not really the case if you use DQS.

No idea what DQS is, nor do I care. The quote was from a sales rep. But the 
Spamhaus pitch was laughably expensive for less than 1,000 mailboxes - much 
more than they make on those mailboxes.

C

> 
> -- 
> Best regards,
> Riccardo Alfieri
> 
> Spamhaus Technology
> https://www.spamhaustech.com/
> 



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-11 Thread Charles Sprickman
Nice authoritarianism you’ve got there.

> On Jul 11, 2020, at 8:32 AM, Eric Broch  wrote:
> 
> Obama was a community organizer, and that's what community organizers do. 
> They stir up trouble where no trouble exists. This is a Marxist tactic to 
> overturn a society in the school of Saul Alinsky (Author: 'Rules for 
> Radicals').
> 
> One does not concede ground to radicals one punishes them because they are 
> intent on destroying anything civilized.
> 
> 
> On 7/11/2020 5:32 AM, Antony Stone wrote:
>> ..., they're just
>> demonstrating themselves as stirring up trouble...



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Charles Sprickman
Read Red Scare hours on the timeline tonight...

> On Jul 10, 2020, at 10:35 PM, Noel Butler  wrote:
> 
> Who is "we"
> 
> Name the people who decided this pathetic communist dictatorship change and 
> who want to enforce this upon members of 160 odd other countries just because 
> theirs is fucked up?
> 
> I want names
> 
> I want to see the voting, come on let's be transparent, who are they, and who 
> are the ones who declared this an absolute joke voted against it.
> 
> I want to see the names of the people who don't care what their users and 
> contributors to the project think
> 
> 
> 
> I await your silence
> 
> 
> 
> On 11/07/2020 06:27, Kevin A. McGrail wrote:
> 
>> Hello all,
>> 
>> A common question we are receiving is what about using this terminology
>> instead, for example allow/deny.
>> 
>> The use of welcomelist and blocklist has evolved from discussions since
>> April and work done creating patches.  We found that using these names
>> of welcomelist and blocklist are non offensive, reasonably descriptive
>> and since they still start with W and B, we avoid renaming things like
>> RBLs, WLBL, DNSBL, etc. This should help minimize the disruption when
>> 4.0 is released with the new configuration options.
>> 
>> Regards,
>> 
>> KAM
>> 
> 
> -- 
> Kind Regards,
> 
> Noel Butler
> 
> This Email, including attachments, may contain legally privileged 
> information, therefore remains confidential and subject to copyright 
> protected under international law. You may not disseminate any part of this 
> message without the author's express written authority to do so. If you are 
> not the intended recipient, please notify the sender then delete all copies 
> of this message including attachments immediately. Confidentiality, 
> copyright, and legal privilege are not waived or lost by reason of the 
> mistaken delivery of this message.



Re: spamhaus enabled by default

2020-07-10 Thread Charles Sprickman



> On Jul 10, 2020, at 7:56 PM, RW  wrote:
> 
> On Fri, 10 Jul 2020 18:25:33 -0400
> Charles Sprickman wrote:
> 
> 
>> Also I just dug up the letter and the wording used was “commercial
>> use”. There was no mention of what the volume was or what the limit
>> would be.
>> 
> 
> The default is to use these list unregistered. Did that ISP register or
> did Spamhaus track them down from the IP address?

Spamhaus found them.

>> They also tagged one of the resolvers that access customers use
>> (there are two dedicated resolvers for BL lookups), so presumably
>> some very small and low-volume home and small biz users were being
>> tagged in aggregate, probably not even aware they’re using spamhaus.
> 
> Low-volume users that don't know they should be doing recursive lookups
> will often get away with it, and even if they don't, being blocked isn't
> significantly worse for them than turning-off spamhaus.

I know they have plenty of users with SOHO NAS boxes, home users that tinker, 
and other “power users”. SA is tucked away in many “appliances” these days it 
seems.

> I thought most ISPs had outsourced or given-up on email. ISP email has
> IMO always been a way of locking-in gullible customers.

They are in NYC so there’s a sizable chunk of old netheads that want a) the 
same address they’ve had since ’95 b) mail service that doesn’t exchange 
privacy for free email c) vanity domains. It’s not a money maker, it’s a 
value-add.

Personally I think Spamhaus and others going up to these tiny companies and 
asking for hundreds of bucks a month for access to a list is kind of nuts, but 
I’m no MBA.

I do wonder if they go after the larger hosters that run CPanel and have mail 
scattered over hundreds of hosts or if those individually don’t trip the 
threshold.

The small ISP with email is likely a dying breed, spam being one of the main 
things that forces yet another service to be outsourced at a not-insignificant 
cost. This same ISP discontinued Usenet service as a value-add only a few years 
ago.

C



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Charles Sprickman
Stop biting my nose.

I’m not forcing anything, I just suggested you take your nonsense off-list 
somewhere.

> On Jul 10, 2020, at 7:47 PM, jdow  wrote:
> 
> 1) You would not know fascism if it jumped up and bit your nose off.
> 2) You try to force your nonsense on me and I'll force my nonsense on you. 
> Square?
> 
> {^_^}
> 
> On 20200710 15:26:49, Charles Sprickman wrote:
>> What makes you think anyone on the list wants to hear your complaints and 
>> your snide crypto-fascism?
>> Take it private or open an issue in the bug tracker.
>>> On Jul 10, 2020, at 6:01 PM, jdow  wrote:
>>> 
>>> And every ancillary script sysadmins have written has to be rewritten. 
>>> Every user_prefs has to be rewritten. You are forcing a boatload of hurt on 
>>> innocent people. This is purely lifting a leg and peeing on something to 
>>> mark it as YOURS. Isn't that rather selfish?
>>> {^_^}
>>> 
>>> On 20200710 13:27:45, Kevin A. McGrail wrote:
>>>> Hello all,
>>>> A common question we are receiving is what about using this terminology
>>>> instead, for example allow/deny.
>>>> The use of welcomelist and blocklist has evolved from discussions since
>>>> April and work done creating patches.  We found that using these names
>>>> of welcomelist and blocklist are non offensive, reasonably descriptive
>>>> and since they still start with W and B, we avoid renaming things like
>>>> RBLs, WLBL, DNSBL, etc. This should help minimize the disruption when
>>>> 4.0 is released with the new configuration options.
>>>> Regards,
>>>> KAM



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Charles Sprickman
What makes you think anyone on the list wants to hear your complaints and your 
snide crypto-fascism?

Take it private or open an issue in the bug tracker.

> On Jul 10, 2020, at 6:01 PM, jdow  wrote:
> 
> And every ancillary script sysadmins have written has to be rewritten. Every 
> user_prefs has to be rewritten. You are forcing a boatload of hurt on 
> innocent people. This is purely lifting a leg and peeing on something to mark 
> it as YOURS. Isn't that rather selfish?
> {^_^}
> 
> On 20200710 13:27:45, Kevin A. McGrail wrote:
>> Hello all,
>> A common question we are receiving is what about using this terminology
>> instead, for example allow/deny.
>> The use of welcomelist and blocklist has evolved from discussions since
>> April and work done creating patches.  We found that using these names
>> of welcomelist and blocklist are non offensive, reasonably descriptive
>> and since they still start with W and B, we avoid renaming things like
>> RBLs, WLBL, DNSBL, etc. This should help minimize the disruption when
>> 4.0 is released with the new configuration options.
>> Regards,
>> KAM



Re: spamhaus enabled by default

2020-07-10 Thread Charles Sprickman



> On Jul 10, 2020, at 5:56 PM, Charles Sprickman  wrote:
> 
> 
>> On Jul 10, 2020, at 5:35 PM, Kris Deugau  wrote:
>> 
>> Charles Sprickman wrote:
>>> That’s unrealistic. Many ISPs these days aren’t the “big boys” with 
>>> dedicated staff for every facet of ISP operations; they are one- and two-man 
>>> shops running WISPs in rural areas or developing countries. It’s not the 
>>> 90’s anymore. It’s a terrible default; even home users should have to make 
>>> an effort to enable a commercial service.
>> 
>> I'm baffled by how a "one or two man shop [W]ISP" can have an in-house email 
>> system that generates more queries than the free limits unless you're 
>> outsourcing nearly everything else including DNS caching.  (At which point, 
>> why are you not outsourcing your mail service and spam filtering too?)  From 
>> personal experience, a provider of that size likely has less than 1000 
>> customers, which should match to mail flow well under the free limit.
>> 
>> I started work for one such small ISP in 2001 with ~2600 users at peak 
>> (granted, the spam landscape was quite different then), and when that 
>> company got taken over by a larger company in 2003, moved on to maintaining 
>> the spam filtering for that larger company.
>> 
>> In that position we still weren't crossing the free query limits for a 
>> while, at ~40K users.  None of the five or six other small mail systems I've 
>> had some hand in integrating have come close to the free limits, and several 
>> of those providers have had ~10-15 full-time staff.  All of them *have* had 
>> local caching, even if it was built into some nightmare black-box mail 
>> appliance horror, or Microsoft's DNS cache from Windows Server 2003 (or 
>> possibly older, only got involved in the fringes of that one).
>> 
>> It's not impossible, I'll grant (one guy I knew of a year or two ahead in 
>> university was - in 1997 or so - getting IIRC more than ~5K spams daily, 
>> personally), but I'd call it extremely rare even today.
> 
> The letter I got was for an ISP that has less than 1,000 mailboxes and 
> queries two local, caching resolvers.

Also I just dug up the letter and the wording used was “commercial use”. There 
was no mention of what the volume was or what the limit would be.

They also tagged one of the resolvers that access customers use (there are two 
dedicated resolvers for BL lookups), so presumably some very small and 
low-volume home and small biz users were being tagged in aggregate, probably 
not even aware they’re using spamhaus.

C

> 
> C
> 
>> 
>> -kgd
> 



Re: spamhaus enabled by default

2020-07-10 Thread Charles Sprickman


> On Jul 10, 2020, at 5:35 PM, Kris Deugau  wrote:
> 
> Charles Sprickman wrote:
>> That’s unrealistic. Many ISPs these days aren’t the “big boys” with 
>> dedicated staff for every facet of ISP operations; they are one- and two-man 
>> shops running WISPs in rural areas or developing countries. It’s not the 
>> 90’s anymore. It’s a terrible default; even home users should have to make 
>> an effort to enable a commercial service.
> 
> I'm baffled by how a "one or two man shop [W]ISP" can have an in-house email 
> system that generates more queries than the free limits unless you're 
> outsourcing nearly everything else including DNS caching.  (At which point, 
> why are you not outsourcing your mail service and spam filtering too?)  From 
> personal experience, a provider of that size likely has less than 1000 
> customers, which should match to mail flow well under the free limit.
> 
> I started work for one such small ISP in 2001 with ~2600 users at peak 
> (granted, the spam landscape was quite different then), and when that company 
> got taken over by a larger company in 2003, moved on to maintaining the spam 
> filtering for that larger company.
> 
> In that position we still weren't crossing the free query limits for a while, 
> at ~40K users.  None of the five or six other small mail systems I've had 
> some hand in integrating have come close to the free limits, and several of 
> those providers have had ~10-15 full-time staff.  All of them *have* had 
> local caching, even if it was built into some nightmare black-box mail 
> appliance horror, or Microsoft's DNS cache from Windows Server 2003 (or 
> possibly older, only got involved in the fringes of that one).
> 
> It's not impossible, I'll grant (one guy I knew of a year or two ahead in 
> university was - in 1997 or so - getting IIRC more than ~5K spams daily, 
> personally), but I'd call it extremely rare even today.

The letter I got was for an ISP that has less than 1,000 mailboxes and queries 
two local, caching resolvers.

C

> 
> -kgd



Re: spamhaus enabled by default

2020-07-10 Thread Charles Sprickman



> On Jul 10, 2020, at 1:57 PM, RW  wrote:
> 
> On Fri, 10 Jul 2020 18:01:30 +0200
> Philipp Ewald wrote:
> 
>>> Most smaller sites have no problem unless they use third party DNS
>>> resolvers which are blocked. If your local resolver is forwarding
>>> to some ISP's resolver then you also get blocked.  
>> 
>> No. We are like an ISP... and get more than 50.000 accepted mails a
>> day, so this is totally not included in free use, but I think enabled
>> by default is... na
> 
> The default is right for most, defined in the link as 
> 
> "covering the small businesses, non-profits, personal users, etc. that
> make up the bulk of our installations."
> 
> If you are managing an ISP level mail system the assumption is that you
> are paid to understand the basics of spam filtering.

That’s unrealistic. Many ISPs these days aren’t the “big boys” with 
dedicated staff for every facet of ISP operations; they are one- and two-man 
shops running WISPs in rural areas or developing countries. It’s not the 90’s 
anymore. It’s a terrible default; even home users should have to make an effort 
to enable a commercial service.

And spamhaus should just replace the sales pitch email with instructions on how 
to comment their stuff out if they don’t want small ISPs (a small business, 
actually!) to use it. :)

Charles



Re: URI_WPADMIN fp

2018-10-19 Thread Charles Sprickman


> On Oct 19, 2018, at 10:15 AM, Paul Stead  wrote:
> 
> Can't comment on the score - hacked Wordpress sites often have bits hosted in
> 
> * wp-admin

Yes.

> * wp-content

Yes and no.

Everything that a user uploads for their site lives under wp-content, so any 
rule triggering on that part of the URL would be a mistake.

The tree looks like this:

/wp-content/themes/ - this is where website themes (think templates) live. You 
will see css and js from this directory or subdirectories, also in some cases 
images (icons and the like)
/wp-content/plugins/ - this is where WP plugins (gobs of code that add some 
specific functionality to the site) live. Similar to themes, you’ll generally see 
css and js there, and possibly some images
/wp-content/uploads/ - this is where all images/media that the webmaster 
uploads lives. This is where you want to be strict with any URL matching rules. 
 You should NOT see any files ending in .js nor .css - that’s a strong sign 
that the installation is compromised.

You should NOT see any files ending in .php in ANY of the above directory 
trees.  Themes and plugins contain .php files, but they are NOT directly 
executed from outside, they are simply included by other WP core code.  So when 
you see a .php file in those directories in a URL, something is very wrong.  
And you’re likely looking at a compromised account, which is likely somehow 
involved in spamming or phishing.

A good webhost applies a few very simple rules that block about 99% of the WP 
exploits:

- PHP not even parsed under the uploads directory ENTIRELY, even for includes.  
Since this directory is ALWAYS writable by the web user, it’s where most 
exploits want to put their payloads. You break nothing but exploits by 
disallowing php execution there. Similarly, you block no good email by nuking 
any URL that ends in .php and lives under that directory.
- PHP not executed anywhere under /wp-content other than by includes
- /wp-admin/ only has /wp-admin/admin-ajax.php allowed for non-authenticated 
users. You should never see any URL other than that from that directory.
- Only wp-content is writable by the web user (pretty rare, but doable, and 
very common with “boutique” hosting)

You will have a surprisingly secure WP install with just those few simple steps 
above.

That’s my WP quicky for anyone writing WP rules.  If such a person is on the 
list and wants to discuss, I’m super happy to do so!

Charles

> Pages within these directories are publicly accessible, but it is very 
> unusual for a WP plugin to reference these URIs directly in outbound emails
> 
> 
> Paul
> 
> On 19/10/2018, 14:38, "Alex"  wrote:
> 
>Hi,
> 
>Should we be adding 3 points for just this, or is there never a reason
>users should be using /wp-admin in their URLs?
> 
>Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
>==> got hit: "/wp-admin/images/"
> 
>The rule description says possible phishing, but how would an end-user
>be in a position to create a public link that involves their WP admin
>directory in the first place?
> 
> 
> --
> Paul Stead
> Senior Engineer (Tools & Technology)
> Zen Internet
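A small URI classifier that encodes the directory rules from the post above, added here as an example (it is not code from the thread and not SpamAssassin's shipped rules); rule names, scores, regexes and the sample URLs are constructed for it:

```python
import re
from urllib.parse import urlparse

# Heuristics distilled from the WordPress layout described in the post.
# Rule names, scores and regexes are constructed for this example; they are
# not SpamAssassin's own rules. Each entry: (name, score, path regex, why).
WP_URI_RULES = [
    ("WP_UPLOADS_PHP", 3.0,
     re.compile(r"/wp-content/uploads/.*\.php(?:/|$)", re.I),
     "PHP under uploads: the one web-writable tree, and it never holds code"),
    ("WP_UPLOADS_SCRIPT", 2.0,
     re.compile(r"/wp-content/uploads/.*\.(?:js|css)$", re.I),
     "JS/CSS under uploads: strong sign the install is compromised"),
    ("WP_CONTENT_PHP", 2.0,
     re.compile(r"/wp-content/.*\.php(?:/|$)", re.I),
     "PHP linked anywhere under wp-content: theme/plugin PHP is only included"),
    ("WP_ADMIN_NONAJAX", 1.0,
     re.compile(r"/wp-admin/(?!admin-ajax\.php$)", re.I),
     "wp-admin path other than admin-ajax.php: nothing else is for anonymous users"),
]

# Score lookup by rule name.
SCORES = {name: score for name, score, _rx, _why in WP_URI_RULES}


def wp_uri_hits(url):
    """Names of the rules that fire for one URL. Only the path is examined,
    so a query string on admin-ajax.php does not change the result."""
    path = urlparse(url).path
    return [name for name, _score, rx, _why in WP_URI_RULES if rx.search(path)]


def wp_uri_score(urls):
    """Score a message's URL list the way SA scores uri rules: each rule
    counts once no matter how many URLs trip it. Returns (total, [names])."""
    fired = {}
    for url in urls:
        for name in wp_uri_hits(url):
            fired[name] = SCORES[name]
    return round(sum(fired.values()), 1), sorted(fired)


if __name__ == "__main__":
    # Constructed sample URLs; the first is the FP case raised in the thread.
    samples = [
        "http://blog.example/wp-admin/images/",
        "http://blog.example/wp-admin/admin-ajax.php?action=get_posts",
        "http://blog.example/wp-content/themes/twentyten/style.css",
        "http://blog.example/wp-content/uploads/2018/10/photo.jpg",
        "http://blog.example/wp-content/uploads/2018/10/x.php",
        "http://blog.example/wp-content/uploads/js/tracker.js",
    ]
    for u in samples:
        print(f"{u:62s} {wp_uri_hits(u)}")
    print("message score:", wp_uri_score(samples))
```

Under these rules the thread's "/wp-admin/images/" hit still fires, while legitimate theme CSS and uploaded media do not.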



Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Charles Sprickman


> On May 30, 2018, at 10:25 AM, Bill Cole 
>  wrote:
> 
> On 30 May 2018, at 10:00, Palvelin Postmaster wrote:
> 
>>> On 30 May 2018, at 16:48, Antony Stone 
>>>  wrote:
>>> 
>>> On Wednesday 30 May 2018 at 15:33:13, Palvelin Postmaster wrote:
>>> 
> On 30 May 2018, at 16:06, Matus UHLAR - fantomas 
> wrote:
> 
> On 30.05.18 15:49, Palvelin Postmaster wrote:
>> Hitting reply sends the response to poster directly
> 
> get a mail client that supports mailing lists. Mozilla should do.
>>>> 
>>>> I see, the 'Mozzilla or stfu' policy ;D
>>> 
>>> No, Mozilla was just one example; there are many.
>>> 
>>> I, for example, use KMail
>> 
>> My Apple Mail/iPhone/iPad clients don’t. They all appear to be among Top 10 
>> email clients (https://emailclientmarketshare.com).
> 
> Which is unfortunate, because Apple Mail generally sucks. It seems to have 
> been put under the control of people who think Outlook 2003 was the pinnacle 
> of email clients. For MacOS, there are far better alternatives that include 
> Mozilla and MailMate. For iOS not so much, sadly.

All email clients “generally suck”.  Thunderbird is not even actively developed 
anymore last I checked, so that’s not really an option.  And if you can imagine 
this, both Thunderbird and MailMate choke on large mailboxes *even more* than 
Mail.app does.

If I had a better option than some old command-line mess, I’d use it.  Every 
3-4 years I go on a hunt for a new Mac mail client and I always come up empty.  
I’ve tried MailMate, Thunderbird, Postbox and just keep coming back to the 
(neglected) Mail.app.  I’m all ears if there’s something out there that can 
deal with 5 or 6 really large accounts well, AND does the right thing with 
mailing lists.  I’ve not tried Outlook for Mac yet, maybe that’s 
the ticket? :)

Charles

ps - this email I’m replying to has a “Reply-To” header and Mail.app followed 
it.

> 
> Any mail client that does not have an easy way to view messages in raw 
> RFC5322, to create messages that follow RFC3676, and to set Reply-To and From 
> headers arbitrarily is unfit for use in the modern world no matter how many 
> people use it because switching is hard.
> 
>> I wonder if Gmail, Outlook variants and the Android mail clients do?
> 
> K9Mail for Android did, when last I used Android (many years ago.) Modern 
> Outlook on Windows does (or did, as of 2010.) I don't think I've ever used 
> the GMail web interface for anything beyond testing the GMail web interface, 
> so I can't speak to it as a MUA for mailing lists.



Re: Can't Get Removed From List

2018-03-01 Thread Charles Sprickman

> On Mar 1, 2018, at 2:54 PM, Miles Fidelman  wrote:
> 
> On 3/1/18 2:45 PM, David Jones wrote:
> 
>> On 03/01/2018 01:01 PM, Kevin Viner wrote:
>>> 
>>>> The following text is not SA "advice" nor report.
>>>> 
>>>> You should start by consulting who / what gave that text in response to
>>>> get details.
>>> 
>>> Thank you. I did, and they said that they can't give me any more
>>> information. As I explained to them, I'm a professional entertainer with a
>>> mailing list of 10,000+. I'm not receiving abuse reports, and everything is
>>> opt-in. So if they are marking me as spam because of a couple complaints
>>> they are receiving, that doesn't seem fair. Not really sure where to go from
>>> here.
>>> 
>> 
>> If Mailchimp won't help you, maybe it's time to try Contact Contact, EMMA or 
>> another mass emailing service that will.
>> 
> 
> Yes.  Indeed.  Your vendor should be able to check their mail logs and 
> identify which email addresses are being rejected - so that you can then 
> remove them from your list.
> 
> (I run a bunch of opt-in email lists off of our own server - Sympa for anyone 
> who's interested - and every once in a while I have to track down complaints, 
> remove people, and get our IP address off various blacklists.  A real pain.  
> Even more of a pain from sites that provide anonymized bounce reports - one 
> has to then track down the recipient by checking message id's against the 
> outbound mail, and sometimes turn on VERP to narrow things down to an 
> individual. It's all made so much worse by morons who confuse the "spam" 
> button with their "delete" key when using webmail from a big provider. Sigh…)

(OT)

I used to be much more angry at the “send to spam” clickers on AOL webmail, but 
if you look at the UI, it’s really AOL’s fault.  It’s terrible, and you can 
make it better by changing some default settings in their webmail, but most 
people aren’t going to do that.

See this screenshot, and tell me you might not click the “do not enter” icon 
instead of the “trash can” icon…

https://www.odrive.com/s/g/05672068-18d9-40b9-bc24-8c561bc70ef4-59e5936b 


Charles


> 
> Miles Fidelman
> 
> 
> -- 
> In theory, there is no difference between theory and practice.
> In practice, there is.   Yogi Berra



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread Charles Sprickman

> On Feb 21, 2018, at 1:38 AM, @lbutlr  wrote:
> 
> On 2018-02-20 (22:10 MST), Reindl Harald  wrote:
>> 
>> you may hit confirmation-urls (both ham and spam), trigger actions, trigger 
>> *one-time* urls which are invalid for the user after a dumb bot used them 
>> not talking about that it would be illegal in many countries in case of 
>> private ham-mails
> 
> As I suspected, it is possible to get the goo.gl target URL without loading 
> the site, though using curl is probably not realistic in this specific case.
> 
> $ curl -s "http://goo.gl/ylUAd" | grep -o "http[^\"]*"
> http://www.hollywoodreporter.com/thr-esq/donald-trump-threatens-sue-macy-422135
>  
> 

You can also see all the analytics by appending “.info” to the URL, eg: 
http://goo.gl/ylUAd.info

Charles

> 
> $ curl -s "http://bit.ly/savecastle" | grep -o "http[^\"]*"
> http://community.livejournal.com/castle_tv/28872.html
> 
> Doesn't work with t.co, but that is not surprising since twitter uses that 
> specifically to hide URLs, considering them all their property that must go 
> through their servers.
> 
> -- 
> Mos Eisley spaceport. You will never find a more wretched hive of scum
> and villainy. We must be cautious.
> 



Re: smtp.centurylink.net 206.152.134.66

2018-02-11 Thread Charles Sprickman

> On Feb 11, 2018, at 7:13 PM, David Jones  wrote:
> 
> On 02/11/2018 03:56 PM, @lbutlr wrote:
>> On 2018-02-11 (12:37 MST), David Jones  wrote:
>>> 
>>> Anyone on this list that knows the mail admins/contacts for centurylink.net 
>>> and embarqmail.com?  This mail server has legit email for centurylink.net 
>>> and embarqmail.com plus a lot of other spam coming out of it.
>> As a customer of CenturyLink (we have symmetric Gigabit through them) I can 
>> say that their support personal are less than worthless.
>> They still have a very "Bell telephone" attitude where everything they do is 
>> automatically correct because they are the telephone company, so any problem 
>> issue, or misconfiguration is someone else's fault.
>> Whatever solutions you need, you'll have to manage them on your own and do 
>> your best to work around their incompetence.
> 
> Centurylink recently purchased Level 3 which has/had excellent support. 
> Hopefully Level 3 tech support wasn't laid off to keep the status quo.

The bellheads always win in these acquisitions. :(

> -- 
> David Jones



Re: updates.spamassassin.org gone?

2017-07-06 Thread Charles Sprickman

> On Jul 6, 2017, at 9:48 AM, Kevin A. McGrail  
> wrote:
> 
> And my firm has put a lot of time into this which is still half the time 
> David has in fixing ruleqa. So buy him a beer. 

Done!

Re: Strange audio spam

2017-05-08 Thread Charles Sprickman
I wonder if rather than spam, it’s trying to exploit something?

I know that both on windows and mac, I’ve occasionally seen patches for native 
and third party players.

Here’s an example from VLC:

https://trac.videolan.org/vlc/ticket/15888 


> On May 5, 2017, at 8:53 PM, do...@mail.com wrote:
> 
> I received this very unusual email a few days ago. It (or another
> email), timed out my spamassassin check (which is a first).
> 
> I'm including the full text of the spam below along with all of the
> headers.
> 
> I'm interested if this mail is legit, or if it's just a new trap.
> I have skipped through parts of the audio (play as user nobody :)  and
> there is no voice, or discernible instrument; just a bunch of tones and
> really bad synthetic sounding drums.
> 
> I don't even have an idea why someone would listen to this...
> 
> I can send you the whole mp3, but I've opted to just send the md5sum for
> now since the file is 10MiB. The md5 sum is
> 3fec277311e73175c6f49b70d8a063e8 .
> 
> The email also contains an html part (identical to the text part in
> content), and 8 images; 1 jpeg and 7 png. These include a facebook and
> twitter buttons.
> 
> Thanks,
> David
> 
> 
>> Return-Path: 
>> Received: from racolage.xxx ([216.51.232.227]) by mx.mail.com
>> (mxgmxus005 [74.208.5.20]) with ESMTP (Nemesis) id
>> 0MBmC1-1dGJ253K3r-00AlEr for ; Tue, 02 May 2017
>> 15:42:19 +0200 Received: from [127.0.0.1] (localhost.localdomain
>> [127.0.0.1]) by racolage.xxx (Postfix) with ESMTP id CEC563060E55
>> for ; Tue,  2 May 2017 09:42:16 -0400 (EDT)
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=racolage.xxx;
>> s=mail; t=1493732537; bh=mjg3vHGJXalwbtWTwqzRztpRTwhvBrVGp+58Vhw6DJM=;
>> h=List-Unsubscribe:From:To:Subject:Date:From;
>> b=l6O3++WGARbyASNz/FZWqZJB3Ghdyx0pzy7CtiM9O4viBfiayWejyZEi1dXy3lT6t
>>  FjOmZGb7hzymCJ4TcIcUCBPEkEVUqcb1YRn0YyqQ0Zn/9YYoVqvXZIrFHIlAj5fZWN
>>  PzyyhGyAeRJaJ18acQAVhtNz79xeH3CPYyyGGjIA=
>> Content-Type: multipart/mixed;
>> boundary="sinikael-?=_1-14937325368410.12218541851445819"
>> List-Unsubscribe: http://racolage.xxx/unsubscribe.html
>> Precedence: bulk
>> Feedback-ID: release1:racolage.xxx
>> From: racolage.xxx ⛅ ⚡ 
>> To: do...@mail.com
>> Subject: AUDIO TRACK #1 | Contact Person - Your Email Address Was
>> Selected Message-ID: 
>> X-Mailer: nodemailer (2.7.2; +https://nodemailer.com/;
>> SMTP/2.7.2[client:2.12.0])
>> Date: 05/02/2017(Tue) 09:42
>> MIME-Version: 1.0
>> Envelope-To: 
>> X-GMX-Antispam: 0 (Mail was not recognized as spam); Detail=V3;
>> X-GMX-Antivirus: 0 (no virus found)
>> X-UI-Filterresults:
> 
> 
> 
>> >> YOU HAVE RECEIVED A TRACK <<
>> >> CHECK THE ATTACHMENT!!!  <<
>> 
>> Contact Person - Your Email Address Was Selected
>> 
>> Underprocecessed ultrasonic glitch bossanova (low bitrate mix specially
>> for racolage.xxx). CREDIT: written & produced in moscow 2014-2017
>> 
>> >> YOU HAVE RECEIVED A TRACK <<
>> >> CHECK THE ATTACHMENT!!!  <<
>> 
>> Released by : http://racolage.xxx
>> facebook : https://www.facebook.com/racolage/
>> twitter : https://twitter.com/racolagexxx
>> contact : cont...@racolage.xxx
>> unsubscribe : http://racolage.xxx/unsubscribe.html
> 



Re: New whitelisting trick using from and spf

2017-03-06 Thread Charles Sprickman

> On Mar 6, 2017, at 12:58 PM, David B Funk  
> wrote:
> 
> On Mon, 6 Mar 2017, Alan Hodgson wrote:
> 
>>> It seems it should be easy to setup “If mail claims to be From: PayPal.com
>>> and is not from PayPal, score +100” but it is not.
>> 
>> This is what DMARC is for.
>> 
>> Run opendmarc as a milter and reject failures. Or score later on DMARC
>> failure, even if just selectively for highly phished domains.
>> 
>> PayPal publishes p=reject, on paypal.com at least, if not their other 
>> domains.
> 
> But that won't help you when the scammers set the user visible from as 
> "acco...@paypai.com" or some other variant (with the actual address part as 
>  or something else.
> 
> user-agents (such as OutHouse) by default only show the "comment" part of the 
> address and hide the actual <> address part, making it easy for scammers to 
> fool the non-tech savvy users.

And OS-X Mail.app in some configurations, and iOS Mail.

They all fail not just for making phishing so much easier, but get on the phone 
with a novice user using any of these email clients and ask them to give you 
the actual email address of a sender, especially when they have for example, 
two people named “John Smith” emailing them…  It’s a terrible, terrible idea to 
hide things to make email easier.

Charles


> 
> -- 
> Dave Funk  University of Iowa
> College of Engineering
> 319/335-5751   FAX: 319/384-0549   1256 Seamans Center
> Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
> #include 
> Better is not better, 'standard' is better. B{
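The gap both posts describe (DMARC passes, but the display name carries a look-alike address that the MUA shows instead of the real one) can be caught on the From: header itself. The check below is an added example, not SpamAssassin's own rule and not code from the thread; its protected-domain list and confusable map are constructed and deliberately coarse:

```python
import re
from email.utils import parseaddr

# Constructed list of brands worth protecting; the thread names paypal.com.
PROTECTED_DOMAINS = {"paypal.com"}

# Constructed confusable pairs: substrings swapped in to mimic a brand
# (paypai.com, paypa1.com). Coarse on purpose; digraphs go first.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]

# Anything that looks like an addr-spec inside the display-name text.
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.ASCII)


def skeleton(domain):
    """Collapse look-alike characters so paypai.com and paypal.com compare equal."""
    d = domain.lower()
    for src, dst in _CONFUSABLES:
        d = d.replace(src, dst)
    return d


def check_from_header(from_value):
    """Findings for one From: header value, sorted; an empty list means no concern.

    NAME_ADDR_MISMATCH  - the display name carries an address at a different
                          domain than the real addr-spec (the part MUAs hide).
    LOOKALIKE_DOMAIN:x  - a domain the user can see is a confusable for a
                          protected brand without being that brand.
    """
    name, addr = parseaddr(from_value)
    real_domain = addr.rpartition("@")[2].lower()
    shown_domains = {s.rpartition("@")[2].lower() for s in _EMAIL_RE.findall(name)}
    findings = set()
    if any(d != real_domain for d in shown_domains):
        findings.add("NAME_ADDR_MISMATCH")
    for cand in shown_domains | {real_domain}:
        for brand in PROTECTED_DOMAINS:
            if cand != brand and skeleton(cand) == skeleton(brand):
                findings.add("LOOKALIKE_DOMAIN:" + cand)
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample headers: the shape the thread warns about, then ham.
    for hdr in ('"accounts@paypai.com" <mailer@evil.example>',
                '"service@paypal.com" <mailer@evil.example>',
                'PayPal <service@paypal.com>',
                '"John Smith" <john.smith@example.org>'):
        print(f"{hdr:48s} {check_from_header(hdr)}")
```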


Re: uceprotect issue

2016-11-06 Thread Charles Sprickman

> On Nov 6, 2016, at 4:54 PM, Marc Stürmer  wrote:
> 
> Am 04.11.2016 um 12:23 schrieb Holger Schramm:
> 
>> If you don't like them, don't use their services. It is really that easy.
> 
> That's the one part, the other part is what Dianne wrote about. If this 
> happens to you better be sure to have a 2nd MX ready with a totally different 
> IP address.
> 
>> Every mail server administrator that uses a blacklist has to keep in
>> mind that he gives the decision about good or bad ips/mails/whatever to
>> a third, mostly unknown, person.
>> 
>> I trust _none_ of them. Do you know the people of any other blacklist?
>> Who assures you that there is not a crazy monkey in the background doing
>> some strange stuff with the listings? Nobody.
> 
> The thing is: RBLs are cheap on CPU usage and one of the first things to be 
> checked to discard SPAM. They are not error free, but very convenient to use.
> 
> And yes, some lists have been doing quite funny things in the past, including 
> Spamhaus.
> 
> If you don't trust them, well, you can always use them to build a score like 
> SA does and then build your trust upon that score.

And there’s always postscreen if you don’t want to burden SA with all those 
lookups: http://rob0.nodns4.us/postscreen.html





Re: Reporting gmail spam to Google

2016-05-18 Thread Charles Sprickman

> On May 18, 2016, at 9:06 AM, Reindl Harald  wrote:
> 
> 
> 
> Am 18.05.2016 um 15:00 schrieb Emiliano Vazquez:
>> El 18/05/16 a las 05:44, Reindl Harald escribió:
>>>> Is there any address that I can forward gmail spam to google for
>>>> reporting?
>>> 
>>> ab...@google.com should be the address (the mail was delivered to your
>>> network by *.google.com host, wasn't it?)
>> HI guys.
>> 
>> 
>> Google only let you send 300 e-mails per day to another domains if you
>> are using free @gmail account. Maybe Google Apps can have more than
>> that. Do you receive a lot of spam from the same account?
> 
> not usually but that's not the point - the point is how they behave when you 
> report spreaded phising over different accounts reaching a lot of your 
> customers and don't change the fact that a large part of junk making it to SA 
> at all comes from large freemail providers including google while mostly 
> aol/yahoo
> 

This stems from Hooli’s, oops, I mean Google’s culture.  They build things 
correctly.  Users know nothing.  No feedback is needed.




Re: PDF spam

2016-04-01 Thread Charles Sprickman

> On Apr 1, 2016, at 4:11 PM, Martin Gregorie  wrote:
> 
> On Fri, 2016-04-01 at 13:25 -0400, Alex wrote:
>> Hi all,
>> 
>> Has anyone else seen an increase in PDF invoice spam with just a link
>> in it? The centurylink IP is now blacklisted, but obviously it wasn't
>> when this was received. The link contained in the PDF has also
>> already
>> been disabled, but obviously wasn't when this was received.
>> 
>> I'd really appreciate ideas on how this one should be blocked:
>> 
>> http://pastebin.com/g7dJ7SHu
>> 
>> There's very little text in the body, so I suspect that's why bayes
>> is confused. PDF invoices and conversations involving "payment" and
>> "invoice" are not all that uncommon.
>> 
> True, but this type of spam often contains odd or somewhat archaic
> phrases. I find that a local rule that fires when it sees such a phrase
> and a dangerous attachment type detects them quite nicely.

I’m catching these at the ClamAV stage with the “unofficial sigs” package.

It’s been working really well - I have mailboxes with/without the extra ClamAV 
sigs and the difference is huge.

Charles

> 
> Martin



Re: rspamd vs spamassassin

2016-03-31 Thread Charles Sprickman

> On Mar 31, 2016, at 11:51 AM, Benny Pedersen  wrote:
> 
> https://rspamd.com/misc/2016/03/03/rspamd-performance.html
> 
> is it time to move ?

I’d love to hear from anyone that has.  I’ve known of rspamd for a long time, 
but found the docs pretty much lacking and couldn’t find anyone that had tried 
it.

Charles



Re: Abused accounts

2016-03-15 Thread Charles Sprickman

--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
sp...@bway.net - 212.982.9800



> On Mar 15, 2016, at 12:28 PM, Reindl Harald  wrote:
> 
> 
> 
> Am 15.03.2016 um 17:07 schrieb Robert Boyl:
>> Hi, everyone
>> 
>> Please check http://pastebin.com/GUBqpyZ8
>> 
>> Interesting how some spams that abuse some legit account such as this
>> one are hard to detect, how Spamassassin scores almost nothing although
>> there are spammy words, etc. System caught DCC_CHECK 1.10.
>> 
>> Some other systems such as isnotspam.com <http://isnotspam.com> caught
>> some SA rule which doesn't exist anymore in latest SA...
>> AXB_X_FF_SEZ_S=3.10.
>> 
>> Any ways to report such spams to spamassassin devels so they can try to
>> create new rules?
>> 
>> Any tips how to mark such mails as spam?
> 
> easy to detect and no way to slip through our filters
> Barracuda Networks *lol* we were victims of those noobs too...
> 
> X-Barracuda-Envelope-From: williams.1...@osu.edu
> X-Barracuda-Apparent-Source-IP: 157.56.111.246
> X-Barracuda-Envelope-To: XXX
> 
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: 
> Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: 
> ScamNailer.Phish.williams.1727_AT_osu.edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: 
> Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: 
> Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: 
> ScamNailer.Phish.williams.1727_AT_osu.edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: 
> Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
> 
> --- VIRUS-SCAN SUMMARY ---
> Infected files: 1
> Time: 0.024 sec (0 m 0 s)
> Content analysis details:   (18.4 points, 5.5 required)
> 
> pts rule name  description
>  -- --
> -0.2 CUST_DNSWL_8   RBL: dnswl-aggregate.thelounge.net (No Trust)
>  [157.56.111.246 listed in dnswl-aggregate.thelounge.net]
> 0.1 CUST_DNSBL_33  RBL: dnsbl-backscatterer.thelounge.net
>(ips.backscatterer.org)
>  [157.56.111.246 listed in dnsbl-backscatterer.thelounge.net]
> 7.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
>[score: 0.9995]
> 3.1 AXB_X_FF_SEZ_S Forefront sez this is spam
> -0.1 CUST_DNSWL_5   RBL: list.dnswl.org (No Trust)
>[157.56.111.246 listed in list.dnswl.org]
> 0.5 CUST_DNSBL_31  RBL: bl.nszones.com
>[157.56.111.246 listed in bl.nszones.com]
> 1.0 CUST_DNSBL_23  RBL: bl.spamcannibal.org
>[157.56.111.246 listed in bl.spamcannibal.org]
> -0.1 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
>[157.56.111.246 listed in wl.mailspike.net]
> 1.5 CUST_DNSBL_21  RBL: score.senderscore.com (senderscore.com High)
>[157.56.111.246 listed in score.senderscore.com]
> 1.0 CUST_DNSBL_25  RBL: score.senderscore.com (senderscore.com Medium)
> 0.4 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
>[score: 0.9995]
> 0.0 HTML_MESSAGE   BODY: HTML included in message
> 0.7 LOTS_OF_MONEY  Huge... sums of money
> 0.5 CUST_SUBJ_6Begins Very Low
> 2.5 MONEY_FROM_41  Lots of money from Africa
> 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
> 

I thought I was doing an OK job of training Bayes, but in my case Bayes went 
hammy on this one:

Content analysis details:   (7.3 points, 5.0 required)

 pts rule name  description
 -- --
 3.1 AXB_X_FF_SEZ_S Forefront sez this is spam
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
trust
[157.56.111.246 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
[157.56.111.246 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
 0.0 HTML_MESSAGE   BODY: HTML included in message
-1.9 BAYES_00   BODY: Bayes spam probability is 0 to 1%
 

Re: Missed spam, suggestions?

2016-03-07 Thread Charles Sprickman

> On Feb 29, 2016, at 3:18 PM, Reindl Harald  wrote:
> 
> Am 29.02.2016 um 21:05 schrieb Charles Sprickman:
>>> On Feb 29, 2016, at 4:23 AM, Reindl Harald  wrote:
>>> 
>>> Am 29.02.2016 um 06:24 schrieb Charles Sprickman:
>>>> I’ve not had much luck with Bayes - when I had it enabled recently on a 
>>>> per-user basis it was just hitting the master DB server too hard with 
>>>> updates
>>> 
>>> just make a sitewide bayes 
>>> (https://wiki.apache.org/spamassassin/SiteWideBayesSetup) without autolearn 
>>> / autoexpire and the default database in a folder read-only for the daemon
>>> 
>> 
>> I think I still have to stick with a db-backed option since I need to keep 
>> two SA servers in sync.
> 
> and I know that it doesn't matter
> 
> nothing easier than rsyncing the bayes-folder to several machines at the end of 
> the learning script, we even share the site-wide bayes over webservices to 
> external entities and so it covers around 5000 users at the moment in summary

I’m not seeing much of a change in load after enabling this with a global user 
and no autolearn.  I think the db was really only constrained on the 
inserts/updates.

> 
>> I’ll try that today and see how the load looks.  My concern with disabling 
>> autolearn is that then I’m the only one training.  My spam probably looks 
>> like everyone else’s, but my ham is very different, lots list traffic and 
>> such.
> 
> you should be the only one who trains in most cases for several reasons
> 
> * few to zero users train enough ham and spam for a proper bayes
> * wrong classified autolearn takes a wrong direction sooner or later
> 
> given that we now for more than a year maintain a site-wide bayes for inbound 
> MX re-used on submission servers to minimize the impact of hacked accounts 
> and it works so much better than all the "user bayes" solutions the last 
> decade it's the way to go if you *really* want proper operations

I’ve been running with some daily training for a little over a week and I’m 
seeing less spam in my inbox.  I’ve seen a few things slip through because 
bayes tipped them below the default score, these were two phishing emails.

Here’s some rule stats for anyone interested:

TOP SPAM RULES FIRED

RANK  RULE NAME               COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM

   1  TXREP                   13171      8.47    40.38    91.00   72.91
   2  HTML_MESSAGE            12714      8.18    38.98    87.85   90.80
   3  DCC_CHECK               10593      6.81    32.48    73.19   33.78
   4  RDNS_NONE               10269      6.60    31.48    70.95    5.63
   5  SPF_HELO_PASS           10070      6.48    30.87    69.58   23.41
   6  URIBL_BLACK              9711      6.25    29.77    67.10    1.58
   7  BODY_NEWDOMAIN_FMBLA     9550      6.14    29.28    65.98    1.64
   8  FROM_NEWDOMAIN_FMBLA     9483      6.10    29.07    65.52    1.36
   9  BAYES_99                 8486      5.46    26.02    58.63    1.18
  10  BAYES_999                8141      5.24    24.96    56.25    1.06

TOP HAM RULES FIRED

RANK  RULE NAME               COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM

   1  HTML_MESSAGE            16473      9.13    50.51    87.85   90.80
   2  DKIM_SIGNED             13776      7.64    42.24    13.81   75.93
   3  TXREP                   13228      7.33    40.56    91.00   72.91
   4  DKIM_VALID              12962      7.19    39.74    11.93   71.44
   5  RCVD_IN_DNSWL_NONE       9941      5.51    30.48     8.08   54.79
   6  DKIM_VALID_AU            8711      4.83    26.71     7.99   48.01
   7  BAYES_00                 8390      4.65    25.72     1.84   46.24
   8  RCVD_IN_JMF_W            7369      4.09    22.59     2.54   40.62
   9  RCVD_IN_MSPIKE_WL        6713      3.72    20.58     4.39   37.00
  10  BAYES_50                 6201      3.44    19.01    25.56   34.18

Charles






Re: Missed spam, suggestions?

2016-02-29 Thread Charles Sprickman

> On Feb 29, 2016, at 4:23 AM, Reindl Harald  wrote:
> 
> 
> 
> Am 29.02.2016 um 06:24 schrieb Charles Sprickman:
>> I’ve not had much luck with Bayes - when I had it enabled recently on a 
>> per-user basis it was just hitting the master DB server too hard with updates
> 
> just make a sitewide bayes 
> (https://wiki.apache.org/spamassassin/SiteWideBayesSetup) without autolearn / 
> autoexpire and the default database in a folder read-only for the daemon
> 

I think I still have to stick with a db-backed option since I need to keep two 
SA servers in sync.

I’ll try that today and see how the load looks.  My concern with disabling 
autolearn is that then I’m the only one training.  My spam probably looks like 
everyone else’s, but my ham is very different, lots list traffic and such.

> a filter without bayes is worthless

It seems so. :)

Thanks,

Charles
--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
sp...@bway.net - 212.982.9800


> 
> 0    61323  SPAM
> 0    21811  HAM
> 0  2547152  TOKEN
> 
> insgesamt 73M
> -rw--- 1 sa-milt sa-milt 10M 2016-02-29 00:21 bayes_seen
> -rw--- 1 sa-milt sa-milt 81M 2016-02-29 00:21 bayes_toks
> 
> BAYES_00     29161   73.70 %
> BAYES_05       764    1.93 %
> BAYES_20       931    2.35 %
> BAYES_40       815    2.05 %
> BAYES_50      2909    7.35 %
> BAYES_60       424    1.07 %    8.14 % (OF TOTAL BLOCKED)
> BAYES_80       337    0.85 %    6.47 % (OF TOTAL BLOCKED)
> BAYES_95       306    0.77 %    5.87 % (OF TOTAL BLOCKED)
> BAYES_99      3918    9.90 %   75.25 % (OF TOTAL BLOCKED)
> BAYES_999     3491    8.82 %   67.05 % (OF TOTAL BLOCKED)
> 
> DNSWL        53551   91.16 %
> SPF          38530   65.59 %
> SPF/DKIM WL  16750   28.51 %
> SHORTCIRCUIT 19112   32.53 %
> 
> BLOCKED       5206    8.86 %
> SPAMMY        4985    8.48 %   95.75 % (OF TOTAL BLOCKED)
> 
> 





Missed spam, suggestions?

2016-02-28 Thread Charles Sprickman
Hi all,

Recently I occasionally get bursts of spam that slips through Postfix 
(postscreen BL checks, protocol checks) and SpamAssassin.  I just had another 
big jump in the last week.  This was mostly spam touting Oil Changes, SUV sales 
and Lawyer Finders.

What I just did was go through a collection of missed spam and re-ran it 
through spamassassin. All of it jumped from originally scoring around 2-3 to a 
minimum of 6.5 with most hitting around 12.  The biggest difference I see is 
that DNSBL and URIBL services had started hitting. When originally received, 
these emails all originated from very clean IPs.

I have TXREP enabled as well, but that doesn’t seem to be having either a 
positive or negative impact.

What are my options to try to catch this junk before it hits the various *BLs?

I’ve not had much luck with Bayes - when I had it enabled recently on a 
per-user basis it was just hitting the master DB server too hard with updates.  
I’m considering enabling it again with a shared db for all users, which I hope 
might work better.  It would only be auto trained, perhaps with some manual 
training by me.

Here’s a few samples, hosted elsewhere so as not to trip anyone’s filters:

https://gist.github.com/anonymous/0fcaf481875959c9151f (2.7 on Friday, 14 
tonight)

https://gist.github.com/anonymous/a5396f68699392808988 (3.4 earlier tonight, 
6.5 just now)

I have more samples, I can dig them up if that’s helpful.

Sometimes I wonder how much this has to do with the age of our domain and the 
fact that it begins with “b”. :)

The only thing I’ve been contemplating is a local spamtrap and DNSBL.  We have 
a site that’s regularly trawled for email addresses, so seeding it should not 
be too difficult…

Charles

Re: Try my IXHASH

2015-12-07 Thread Charles Sprickman

On Dec 6, 2015, at 11:41 PM, Marc Perkel  wrote:

> ixhashdnsbl CTYME_IXHASH ixhash.junkemailfilter.com.
> body        CTYME_IXHASH eval:check_ixhash('CTYME_IXHASH')
> describe    CTYME_IXHASH iXhash found @ ixhash.junkemailfilter.com
> tflags      CTYME_IXHASH net
> score       CTYME_IXHASH 5
> 
> 
> Let me know if it's useful.

What, if any, usage restrictions are there on this?

Thanks,

Charles
-- 
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
sp...@bway.net - 212.982.9800

> -- 
> Marc Perkel - Sales/Support
> supp...@junkemailfilter.com
> http://www.junkemailfilter.com
> Junk Email Filter dot com
> 415-992-3400
> 



Re: Is it worth transferring bayes data between different sites?

2015-12-02 Thread Charles Sprickman
Reindl Harald  wrote:

> 
> 
> Am 02.12.2015 um 21:50 schrieb Charles Sprickman:
>> Reindl Harald  wrote:
>> 
>>> Am 02.12.2015 um 12:51 schrieb Sebastian Arcus:
>>>> I hope I'm not exceeding the patience of the list by posting a third
>>>> question in two days :-)
>>>> 
>>>> I realise the above question is a "soft" question, probably without a
>>>> definite "yes" or "no" answer. I am hoping that people with experience
>>>> of using SA in various environments might be able to throw in some
>>>> opinions. Based on the documentation, it is clearly possible to transfer
>>>> a bayes database from one install to another - specially if it is a
>>>> sitewide database. What I was wondering is if it is worth doing so from
>>>> a results point of view
>>> 
>>> we use our global bayes on the incoming MX and share it with our submission 
>>> servers to stop outgoing spam from hacked accounts
>> 
>> This is a bit OT, but I have had a hard time finding how to setup a global 
>> bayes DB rather than having everything done on a per-user basis.  Looking 
>> around the SA wiki, I don’t see global DBs addressed.  Any tips?
> 
> https://wiki.apache.org/spamassassin/SiteWideBayesSetup
> 
> in case you are running spamass-milter that's even the logical default 
> because your milter is running as its own user, with its own .spamassassin 
> directory in the userhome which contains the db

I had a look at that page - I use mysql to store the data, have multiple spamd 
boxes, and spamc on the inbound servers passing mail to spamd once all the 
“front door” checks are done.  In that config, I end up with unique per-user 
bayes tokens.  I’m looking to just pool everyone together, but don’t see an 
obvious way to do that.  It seems like folks in this thread are however doing 
that somehow (perhaps just because they are using a milter or similar).

Thanks,

Charles






Re: Is it worth transferring bayes data between different sites?

2015-12-02 Thread Charles Sprickman
Reindl Harald  wrote:

> 
> 
> Am 02.12.2015 um 12:51 schrieb Sebastian Arcus:
>> I hope I'm not exceeding the patience of the list by posting a third
>> question in two days :-)
>> 
>> I realise the above question is a "soft" question, probably without a
>> definite "yes" or "no" answer. I am hoping that people with experience
>> of using SA in various environments might be able to throw in some
>> opinions. Based on the documentation, it is clearly possible to transfer
>> a bayes database from one install to another - specially if it is a
>> sitewide database. What I was wondering is if it is worth doing so from
>> a results point of view
> 
> we use our global bayes on the incoming MX and share it with our submission 
> servers to stop outgoing spam from hacked accounts

This is a bit OT, but I have had a hard time finding how to setup a global 
bayes DB rather than having everything done on a per-user basis.  Looking 
around the SA wiki, I don’t see global DBs addressed.  Any tips?

Thanks,

Charles

> 
> additionally we share our bayes with another company which pulls the dumps if 
> the hash file is different every 30 minutes
> 
> we as well as the other company do mail hosting on ISP level and the 
> results on both sides are perfect - we share even scorings, whitelists, 
> custom body/subject-rules and the summary is: at least in the same country 
> sharing spamfilter configurations works like a charm






Re: colo crossing AWOL abuse desk?

2015-11-14 Thread Charles Sprickman
Jo Rhett  wrote:

> Got a sudden surge in reported spam. Turns out every bit of it is coming from 
> Colo Crossing IP blocks. No abuse web interfaces or open relays either, this 
> is pure source spam with the same spams arriving from multiple IP blocks 
> within Colo Crossing.
> 
> Turns out mail review shows we’ve last seen HAM from their IP blocks over 3 
> years ago. Seems like they’ve turned a corner.

Every now and then I’ll start submitting to Spamcop for a few months until I 
tire of it.  Last time I did this, perhaps a year ago, I recall seeing a huge 
percentage of my leaks coming from ColoCrossing.  I suspect they do not care.

Charles

> 
> 192.227.128.0/17
> 198.23.128.0/17
> 172.245.0.0/16
> 
> -- 
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet 
> projects.




Re: Filtering snowshoe spam

2015-10-29 Thread Charles Sprickman
On Oct 29, 2015, at 4:04 PM, Bill Cole  wrote:

> On 29 Oct 2015, at 11:09, Alex wrote:
> 
>> Hi,
>> 
>> I've been receiving tons of messages not being tagged by spamassassin
>> on one host, despite it hitting bayes999, and wanted to see if there
>> was something that could be done.
>> 
>> http://pastebin.com/vxrUdEvy
>> 
>> As of right now, 23.246.233.6 isn't listed on zen or any other popular
>> RBL, and there doesn't appear to be anything standing out in the
>> header that could be used.

Sorry to reply to Bill instead of Alex, don’t have the original message.

I am a bit surprised that even this long after the original report how few RBLs 
have this listed:

http://multirbl.valli.org/lookup/23.246.233.6.html

> 
> [ INTENTIONAL VAGUENESS FOLLOWS ]
> 
> Well, there might be, if you look for things that might have been added by 
> the spammer to trace the source of "sanitized" spam reports, for the purpose 
> of listwashing.
> 
> I'm VERY careful about adding SA rules that hit on non-standard+non-X-* 
> headers broadly, but those sorts of rules can be very productive if you have 
> adequate time and mailstream to test them. Snowshoers are the vanguard of the 
> spam arms race and can't seem to resist effectively giving their messages 
> fingerprints

Only one piece of the headers there looks a bit odd to me, but I may not be 
seeing the same thing. :)

Charles

> 
>> I realize I could write some body rules
>> (this is what I miss most about SOUGHT), but as you know it's often
>> too late to catch such a moving target. I'm finding very large blocks
>> of IPs are typically involved with these campaigns.
> 
> Or in this case, not so much: "whois -h whois.arin.net '+ 23.246.233.6'" 
> shows a /28 SWIP'ed earlier this month.
> 
> I wish there were a usable way to automate whois lookups across RIRs to 
> identify recently reassigned small blocks like that to add a probationary 
> point to SA scores (i.e. IP in a /25 or smaller net reassigned within 30 days 
> => score 1.0) but unfortunately the various bodies managing IP addresses are 
> in aggregate an obstinately anti-interop collection of narcissists, many of 
> whom have actively fought against any publicly usable federation of their 
> precious proprietary databases. (BUT: see below)
> 
>> I have dozens of these that get through before they are blacklisted
>> and would like a more general or broad solution.
> 
> Tools used in front of handling messages can help:
> 
> 1. Greylisting. As you seem to understand, these don't take terribly long to 
> ruin the reputations of their IPs and/or the domains of URLs in their bodies, 
> so making the sender wait 10 minutes can often get you past the window of 
> novelty.
> 
> 2. DNS patterns. Note that the HELO name resolves to the client IP but that 
> IP's PTR resolves to a generic name programmatically derived from the IP. The 
> spammer has taken care with DNS to get affirmative SPF results for the 
> envelope sender and HELO, but hasn't bothered to fix his PTR? Sloppy 
> spammer...
> 
> 3. Hacky imperfect whois-checking scripts. I wouldn't advise this on a 
> high-volume system, but if you can tolerate missing some cases in order to 
> err on the side of safety & taking an extra half second on every SMTP 
> session, it isn't terribly hard to identify ~75% of the snowshoe blocks at 
> connect time (and almost never penalize a legitimate sender, because 
> legitimate senders with SWIP'ed IP ranges tend to keep them for more than one 
> billing period.)
> 
>> They typically hit at least bayes80 with sa-3.4.1.
>> 
>> Are there any routines out there that can extract the last-external IP
>> and either store it in a file or otherwise make it available to be
>> added to a check_client_access map?
> 
> I'm not aware of any existing canned tools that try to automate detection of 
> messages that SA has made a mistake on and block by IP based on that 
> second-guessing. It seems like an unwise tactic.



Re: Verify Bayes is functioning

2015-06-29 Thread Charles Sprickman
Reindl Harald  wrote:

> 
> Am 29.06.2015 um 01:14 schrieb Charles Sprickman:
>> If I run sa-learn and ask it to dump some info, that works:
>> 
>> [root@spam-b /usr/local/etc/mail/spamassassin]# sa-learn 
>> --username=sp...@bway.net --dump magic
>> 0.000  0  3  0  non-token data: bayes db version
>> 0.000  0  7  0  non-token data: nspam
>> 0.000  0  243  0  non-token data: nham
>> 0.000  0  56976  0  non-token data: ntokens
>> 0.000  0  1435355510  0  non-token data: oldest atime
>> 0.000  0  1435529521  0  non-token data: newest atime
>> 0.000  0  0  0  non-token data: last journal sync atime
>> 0.000  0  0  0  non-token data: last expiry atime
>> 0.000  0  0  0  non-token data: last expire atime delta
>> 0.000  0  0  0  non-token data: last expire reduction count
>> 
>> But I never see any bayes rule hits in the headers of my emails
> 
> it can't with just 7 spam samples

Oh my.

So apparently my pre-spamassassin filtering is keeping all the best spam
away from spamassassin.

My autolearn threshold is set to 12 for spam. I’ll take it down a few
notches, feed in some spam from elsewhere, and see what happens.

Thanks for the pointer, it simply didn’t occur to me that it’s not going to
do anything without a large enough spam/ham sample size.

Charles




Re: Rules needed...

2015-06-29 Thread Charles Sprickman
On Jun 29, 2015, at 12:35 PM, Reindl Harald  wrote:

> 
> Am 29.06.2015 um 18:29 schrieb Ted Mittelstaedt:
>> Of course, Postfix fixes everything from AIDS to global warming, it's
>> the greatest MTA ever invented. 
> 
> for other MTA'S score-bayes RBL handling on MTA level exists too in form of 
> policy daemons 
> 
>> Exactly the kind of thing I would expect from you.  Haven't you worn
>> out that Postfix drum you're banging yet?

What other free MTA is there that’s in common use?  qmail is dead and buried.  
Sendmail and Exim are pretty much niche.  What exactly is wrong with Postfix?

I also do not understand your (Ted) attitude, it really doesn’t seem 
appropriate for this list.

> 
> no but "That's why we all do our RBL checks in spamassassin" is plain wrong, 
> *you are doing* not "we all" - most people except you try to get most spam 
> blocked in a sensible way before it hits expensive content filters, so just 
> stop talk about "we all" if you have no clue
> 
> the RBL checks in SA are fine and good, but only for additional scoring 
> combined with other rules to get messages rejected via milter which are not on 
> enough RBLs to block them straight ahead

Absolutely.  The amount of load you take off spamassassin by having the MTA do 
some filtering (and it’s not an all-or-nothing affair with postscreen) is 
pretty amazing.  I see no reason to let junk that far into the infrastructure 
when I can block it at the front door with so many fewer cpu cycles.  Putting 
weighted RBLs up front also frees you up to re-examine your spamassassin 
config.  And of course you can toggle postscreen on a per-user basis if you 
have customers that want all the spam…

Charles (not speaking as a “we”)

> 
>> On 6/27/2015 3:04 AM, Reindl Harald wrote:
>>> Am 27.06.2015 um 10:18 schrieb Martin S:
>>>> On Friday 26 June 2015 17.40.04 Ted Mittelstaedt wrote:
>>>> 
>>>>> But, putting RBL checks into the MTA is the best way I know to piss off
>>>>> your users since tag-and-forward is not an option on MTA rbl checking.
>>>>> That's why we all do our RBL checks in spamassassin.
>>>> 
>>>> Could you elaborate on this? I'm "new" to running a mail server (it's
>>>> in test phase atm) as my only experience is with sendmail many years ago.
>>>> I take it SA does RBL look-ups by default and there is no need to add RBL
>>>> look-ups in postfix main.cf file?
>>> 
>>> he should speak for himself and not for "us all"
>>> 
>>> a sane MTA setup is using something like Postscreen with scoring and
>>> *you don't want* to scan and tag 90% of all mails which are on 5 or even
>>> 10 RBLs, frankly you won't waste a smtpd process at all when postscreen
>>> can kill them
>>> 
>>> below the current month and scanning additional 20 messages would
>>> waste resources all day long
>>> 
>>> Reject Postscreen: 205389
>>> Reject Postfix: 18275
>>> Reject Milter: 7052
>>> Reject Temporary: 1888
>>> Blacklist: 200032
>>> Pregreet: 40171
>>> Hangup: 74936
>>> Protocol Error: 3479
> 





Verify Bayes is functioning

2015-06-28 Thread Charles Sprickman
This is hopefully easier than I’m thinking it is.

We’ve been running without bayes for a very long time and I thought I’d give
it a shot again with autolearning to see if it’s helpful. The last time I
touched it was 2.6.something and we had spam scanning spread across four
servers and I don’t believe bayes was capable of storing tokens in mysql.
We’re now down to two boxes, and I’ve configured mysql storage.

In a nutshell, this is what I’ve got:

v320.pre:
loadplugin Mail::SpamAssassin::Plugin::Bayes

v310.pre:
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold

local.cf:
# Bayes settings
bayes_store_module  Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn   DBI:mysql:spamass:10.88.77.x
bayes_sql_username  spamass
bayes_sql_password  SECRET

use_bayes 1
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12.0
bayes_journal_max_size 102400
bayes_expiry_max_db_size 15
bayes_auto_expire 1
bayes_learn_to_journal 1

If I look in the mysql db, I see plenty of entries.

If I run sa-learn and ask it to dump some info, that works:

[root@spam-b /usr/local/etc/mail/spamassassin]# sa-learn 
--username=sp...@bway.net --dump magic
0.000  0  3  0  non-token data: bayes db version
0.000  0  7  0  non-token data: nspam
0.000  0  243  0  non-token data: nham
0.000  0  56976  0  non-token data: ntokens
0.000  0  1435355510  0  non-token data: oldest atime
0.000  0  1435529521  0  non-token data: newest atime
0.000  0  0  0  non-token data: last journal sync atime
0.000  0  0  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire reduction count

But I never see any bayes rule hits in the headers of my emails. I have in
my personal sql prefs the following:

add_header ham Bayes-Toks _TOKENSUMMARY_

That’s always empty.

So, is bayes working? I clearly am adding tokens and autolearn is happening.
But I’m not convinced any bayes-related rules are happening. What’s the
procedure to actually test this?

Glancing at the sa-learn dump, I’m mighty suspicious of the low number of
autolearn spam messages ( 7 0 non-token data: nspam), but I may be
mis-reading that.

Any pointers to debug further?

I feel like something very obvious is amiss here.

Thanks,

Charles
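The "nspam 7" line in the dump above is the whole story: Bayes will not score anything until the database holds enough learned messages. The following diagnostic is an added example for this thread (not SpamAssassin code); it parses `sa-learn --dump magic` output in the format quoted above and assumes the stock defaults of bayes_min_spam_num and bayes_min_ham_num (200 each).

```python
"""Check from 'sa-learn --dump magic' output whether Bayes can score at all.

Added example, not part of SpamAssassin. Assumes the default
bayes_min_spam_num / bayes_min_ham_num of 200: below either count the
BAYES_* rules are never evaluated, so add_header tags such as
_TOKENSUMMARY_ stay empty even though tokens are being stored.
"""
import re

# Constructed sample in the dump format quoted in the thread
# (the nspam count is the tiny one the thread ran into).
SAMPLE_DUMP = """\
0.000  0  3  0  non-token data: bayes db version
0.000  0  7  0  non-token data: nspam
0.000  0  243  0  non-token data: nham
0.000  0  56976  0  non-token data: ntokens
0.000  0  1435355510  0  non-token data: oldest atime
0.000  0  1435529521  0  non-token data: newest atime
0.000  0  0  0  non-token data: last journal sync atime
"""

# <prob>  <spam-count>  <value>  <ham-count>  non-token data: <description>
_LINE = re.compile(r"^\S+\s+\d+\s+(\d+)\s+\d+\s+non-token data:\s+(.+?)\s*$")


def parse_magic(text):
    """Map each 'non-token data' description to its integer value."""
    counts = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def bayes_status(counts, min_spam=200, min_ham=200):
    """Return (ready, problems): ready is True only when both learned
    corpora meet the minimum counts and the db actually holds tokens."""
    problems = []
    nspam = counts.get("nspam", 0)
    nham = counts.get("nham", 0)
    if nspam < min_spam:
        problems.append(f"nspam={nspam} below bayes_min_spam_num={min_spam}")
    if nham < min_ham:
        problems.append(f"nham={nham} below bayes_min_ham_num={min_ham}")
    if counts.get("ntokens", 0) == 0:
        problems.append("database holds no tokens at all")
    return (not problems, problems)


if __name__ == "__main__":
    ready, problems = bayes_status(parse_magic(SAMPLE_DUMP))
    print("Bayes ready:", ready)
    for p in problems:
        print(" -", p)
```

Run it against `sa-learn --dump magic` output from the box in question; the sample above reports that nspam is far below the minimum, which matches the silent BAYES_* rules in the thread.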

Re: TextCat - Language help

2015-06-25 Thread Charles Sprickman
Henrik K  wrote:

> On Thu, Jun 25, 2015 at 09:37:44AM +0300, Henrik K wrote:
>> On Wed, Jun 24, 2015 at 07:37:28PM -0400, Charles Sprickman wrote:
>>> On Jun 22, 2015, at 5:21 PM, Marc Selig  wrote:
>>> 
>>>> On Mon, Jun 22, 2015 at 05:09:45PM -0400, Charles Sprickman wrote:
>>>> 
>>>>> Are there any other options for filtering based on language, or any known
>>>>> patches/fixes for TextCat to make it a bit less aggressive when it runs
>>>>> across gibberish that is probably not any particular language?
>>>> 
>>>> You could tinker with textcat_acceptable_score.  Increasing it slightly
>>>> (e.g. back to the old default of 1.05) seems to reduce those wild guesses.
>>> 
>>> I don't quite follow what exactly this does, the explanation seems a bit 
>>> circular:
>>> 
>>> textcat_acceptable_score N (default: 1.05)
>>> "Include any language that scores at least textcat_acceptable_score in the 
>>> returned list of languages"
>>> 
>>> I'm bumping it up to see what happens, I'm also lowering 
>>> "textcat_max_languages" to 3.  How can I get more info about what this 
>>> plugin is doing into the headers?
>> 
>> The scoring is a bit vague yes.. basically 1.02 means that compared to the
>> "best result" (a vague ngram number) we only accept other results within 2%
>> of that.  If score produces more results than textcat_max_languages then
>> everything is ignored.
>> 
>> I'm going to add some headers tags to trunk code soon, it will look 
>> something like this:
>> 
>> Jun 25 09:33:12.670 [30140] dbg: check: tagrun - tag TEXTCAT_RESULTS is now
>> ready, value: fi:96985(1.00) ro:112950(1.16) sv:113567(1.17) it:115650(1.19)
>> da:115656(1.19) fr:116506(1.20) af:117089(1.21) sr.us-ascii:117205(1.21)
>> sk.us-ascii:118124(1.22) en:118174(1.22) ms:118208(1.22)
>> hr.us-ascii:118639(1.22) id:119112(1.23) ca:119196(1.23) pt:119960(1.24)
>> hu:119986(1.24) sq:120081(1.24) nl:120105(1.24) es:120199(1.24)
>> no:120804(1.25)
>> 
>> Here you see the "ngram result" and percentile (score), "fi" is a clear
>> winner.  For sane results 1.02-1.05 score is good range.  You can reduce
>> max_languages to 1-2 if you want even more confidence.
> 
> Committed, if anyone wants to debug things, just replace current version
> with this.  Also added some hopefully clarifying things in the
> documentation.
> 
> http://svn.apache.org/repos/asf/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/TextCat.pm
> 
> You can add_header all Textcat _TEXTCATRESULTS_ or grep it from debug
> output.

Excellent, thanks so much for taking the time to do this.

I’m running the patch on one box and I’ve added the debug output to my own 
userprefs:

X-Spam-Languages: en
X-Spam-Scores: test-scores=DCC_CHECK=1.373,GTUBE=1000,NO_RECEIVED=-0.001,
NO_RELAYS=-0.001
X-Spam-Textcat: en:104672(1.00) da:119123(1.14) ro:120823(1.15)
fr:121487(1.16) nl:121492(1.16) af:121497(1.16) de:121606(1.16)
ca:121909(1.16) sv:122529(1.17) pt:123547(1.18) es:123565(1.18)
it:123847(1.18) no:125928(1.20) ms:126042(1.20) id:126454(1.21)
sk.us-ascii:126635(1.21) hu:127719(1.22) sq:128756(1.23)
cs.iso-8859-2:130009(1.24) fi:130055(1.24)

This should be very helpful in tuning things going forward.

Thanks,


Charles
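Henrik's explanation of the scoring (accept every language within textcat_acceptable_score of the best n-gram distance, give up entirely if more than textcat_max_languages qualify) can be replayed on the X-Spam-Textcat line above. This is an added example for the thread, not TextCat's own code; the "accept when distance <= best * acceptable_score" comparison and the rule that a message is flagged only when none of the accepted guesses is in ok_languages are my reading of the thread, not verified against TextCat.pm.

```python
"""Replay TextCat's acceptance rule on a TEXTCAT_RESULTS / X-Spam-Textcat line.

Added example, not SpamAssassin code. Assumptions: a language is accepted
when its n-gram distance is at most best * textcat_acceptable_score, and
the plugin returns no guess when more than textcat_max_languages qualify.
"""
import re

# Constructed sample in the header format quoted in the thread:
# lang:ngram_distance(distance/best), best first.
SAMPLE_RESULTS = (
    "en:104672(1.00) da:119123(1.14) ro:120823(1.15) fr:121487(1.16) "
    "nl:121492(1.16) af:121497(1.16) de:121606(1.16) sk.us-ascii:126635(1.21)"
)

# language code, optional ".charset" suffix, distance, parenthesised ratio
_ENTRY = re.compile(r"([A-Za-z]{2,3}(?:\.[\w-]+)?):(\d+)\((\d+(?:\.\d+)?)\)")


def parse_results(line):
    """Return [(lang, distance), ...] sorted by ascending n-gram distance."""
    entries = [(m.group(1), int(m.group(2))) for m in _ENTRY.finditer(line)]
    return sorted(entries, key=lambda e: e[1])


def accepted_languages(results, acceptable_score=1.05, max_languages=3):
    """Languages whose distance is within acceptable_score of the best one.

    Returns [] for an empty result set or when more than max_languages
    candidates qualify: that is the "everything is ignored" case from the
    thread, where the plugin refuses to guess rather than guess wildly.
    """
    if not results:
        return []
    best = results[0][1]
    limit = best * acceptable_score
    candidates = [lang for lang, dist in results if dist <= limit]
    if len(candidates) > max_languages:
        return []
    return candidates


def unwanted_language(results, ok_languages, acceptable_score=1.05,
                      max_languages=3):
    """True when a confident guess was made and none of the guessed
    languages is in ok_languages (the condition that would make an
    unwanted-language rule fire). 'all' in ok_languages disables the check."""
    if "all" in ok_languages:
        return False
    guesses = accepted_languages(results, acceptable_score, max_languages)
    if not guesses:
        return False  # no confident guess: nothing to flag
    # Strip a charset suffix such as "sk.us-ascii" before comparing.
    base = {g.split(".")[0] for g in guesses}
    return not (base & set(ok_languages))


if __name__ == "__main__":
    res = parse_results(SAMPLE_RESULTS)
    for score in (1.05, 1.16, 1.17):
        print(score, accepted_languages(res, score, 3))
    print("flag for ok_languages=en:", unwanted_language(res, ["en"]))
```

Raising textcat_acceptable_score widens the candidate set, so past some point the max_languages cap kicks in and the plugin stops guessing, which is why the thread recommends 1.02-1.05 together with a small max_languages.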

Re: TextCat - Language help

2015-06-24 Thread Charles Sprickman
On Jun 22, 2015, at 5:21 PM, Marc Selig  wrote:

> On Mon, Jun 22, 2015 at 05:09:45PM -0400, Charles Sprickman wrote:
> 
>> Are there any other options for filtering based on language, or any known
>> patches/fixes for TextCat to make it a bit less aggressive when it runs
>> across gibberish that is probably not any particular language?
> 
> You could tinker with textcat_acceptable_score.  Increasing it slightly
> (e.g. back to the old default of 1.05) seems to reduce those wild guesses.

I don’t quite follow what exactly this does, the explanation seems a bit 
circular:

textcat_acceptable_score N (default: 1.05)
"Include any language that scores at least textcat_acceptable_score in the 
returned list of languages"

I’m bumping it up to see what happens, I’m also lowering 
"textcat_max_languages” to 3.  How can I get more info about what this plugin 
is doing into the headers?

Thanks,

Charles

> 
> Regards,
> 
> Marc



Re: Barracuda / EmailReg.org protection racket? (OT, but help?)

2015-06-23 Thread Charles Sprickman
Jered Floyd  wrote:

> 
> Hi Ted,
> 
> Thanks for the advice.  I'm doing pretty much all of that except reserving an 
> alternate IP as a backup relay/smarthost.  That's a good idea.
> 
> I use one IP for almost all web traffic (going through a reverse proxy to a 
> VM farm), one for DNS/Kerberos, one for a legacy install of my MUA, and one 
> as both my MX and MTA.  All my internal services relay to the MTA which is 
> listed in SPF and handles DKIM signing; on the inbound side it handles SA and 
> relay to appropriate internal host based on domain.

One thing to keep in mind is that you may need to rotate your spare IPs in now 
and then.  Others can correct me, but my understanding is that all the major 
email providers are going to treat an IP that regularly sends email to them 
very differently than a “new” IP.  You’d essentially be starting to send from 
an IP that has no reputation (or a reputation based on its neighbors).

It’s a tempting idea, we had a misconfiguration (a forgotten “mynetworks” 
entry) allow a hacked biz customer to send a giant phishing campaign.  Quick to 
clean up, but it is a PITA to sort things out with AOL and Verizon (and a few 
others that seem to have lightly-staffed postmaster departments).  Being able 
to swap to some new IPs would have been handy, but I’m not confident it’s a 
silver bullet.

Charles

> 
> Having everything relay through one system gives me the opportunity to 
> monitor for unusual mail volume across all services/clients.
> 
> Having an "emergency MTA" in my SPF records that I can relay to (or just 
> bring up as another address on the existing server) would definitely help as 
> long as the netblock isn't listed... getting a spare address on a different 
> network would be useful, but I'm not sure how hard that will be to pry from 
> Internap.
> 
> The form does seem to have worked, and I'm not currently on the BRBL, 
> although this morning I got bounces from a Barracuda customer for a very 
> benign message with "rejected due to spam content," so who knows.  I wish 
> there was better visibility into the process.
> 
> Best,
> --Jered
> 
> 
> - On Jun 23, 2015, at 12:00 AM, Ted Mittelstaedt t...@ipinc.net wrote:
> 
>> Hi Jered,
>> 
>> I'm not a Barracuda customer myself I can only report my own interaction
>> with them.  I run several public mailservers.
>> 
>> 1) I don't run public mailing lists and if I ever was going to do that I
>> would run them on a separate server with a separate IP address
>> 
>> 2) I don't run my webserver on the same server as my mailservers.
>> 
>> 3) I have gotten BLed by Barracuda a couple of times.  It usually takes
>> about 3-4 days to get delisted so while I'm waiting I route outgoing
>> mail through an alternate server.  I get BLed when a customer falls for
>> a phish mail and gives out their password.
>> 
>> My recommendation is you have at least 4 public IP address with servers,
>> one for your webserver, one for your mailserver and one for an alternate
>> mailserver and one for a mailing list server.
>> 
>> As for the "class C block" I think that is likely that you are trying to
>> do everything with a single static IP.  If you had a subnet of public
>> IPs then the ISP that issued it to you would SWIP them to you and
>> you would have no problems proving to Barracuda that you're not part of
>> the rabble.
>> 
>> I realize you said you're in a data center.  Contact the data center
>> provider and tell them you want a block they will SWIP to you.  I
>> realize this may cost you some more money.  But email is not one of
>> those things you can do well on the cheap.
>> 
>> Ted
>> 
>> 
>> On 6/20/2015 8:38 AM, Jered Floyd wrote:
>>> Hello SA-users,
>>> 
>>> I have a question on the other side of things: outgoing mail. I know
>>> this is off-topic but this seems to the only venue where there might be
>>> knowledge of the problem, and the offender is a spamassassin "customer".
>>> 
>>> (I operate an MTA host on which I run SpamAssassin -- it works
>>> flawlessly. (I am running Debian Postfix 2.7.1-1+squeeze1 with
>>> spamassassin 3.3.1-1.1) This system is in an Internap data center, and
>>> provides mail services for about a half-dozen organizations that I
>>> support. SPF and DKIM are correctly configured for hosted domains, as is
>>> user authentication for submitted mail.)
>>> 
>>> I appear to be getting a shakedown scam from Barracuda Networks. They
>>> seem to be getting out of the "anti-spam" and into the "protection
>>> racket" business.
>>> 
>>> A small number of recipients have been getting bounce-unsubscribed a
>>> community mailing list that I administer. The most recent bounces say
>>> that this "blocked using Barracuda Reputation;
>>> http://www.barracudanetworks.com/reputation/" Visiting that page
>>> provides no information on the specific reason my MTA has been blocked
>>> so I can't determine if there is a configuration issue, but there is a
>>> link for one-time removal.
>>> 
>>> Below that the page s

TextCat - Language help

2015-06-22 Thread Charles Sprickman
I’m looking to get some more information on how reliable TextCat can be
considered at this point.

We are running 3.4.0, and have enabled TextCat with some more aggressive
scoring a few month ago based on user requests. For the most part, people
are very happy with this, we had some very bizarre spam that was sailing
through postscreen and spamass and this has taken care of that problem.

It has however introduced a new problem - false positives. I see a bunch of
my daily run cron outputs ending up in the spam box and we find users here
and there that find perfectly valid email (in their allowed languages)
tagged as another language.

Are there any other options for filtering based on language, or any known
patches/fixes for TextCat to make it a bit less aggressive when it runs
across gibberish that is probably not any particular language?

Thanks,

Charles

Re: Obvious? Disabling some RBL/URIBL checks

2009-02-06 Thread Charles Sprickman

On Fri, 6 Feb 2009, Matt Kettler wrote:

> Charles Sprickman wrote:
>> I'm a bit stumped on this one.
>> 
>> We recently got notice that we have too much volume to continue using
>> spamhaus queries, and the quote for our rather small userbase was near
>> what we'd pay for outsourcing all of our spam filtering anyhow...
>> 
>> That said, setting the scores to "0" is supposed to disable them, right?
>> 
>> # remove spamhaus tests
>> score RCVD_IN_ZEN 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score RCVD_IN_SBL 0
>> score URIBL_SBL 0
> 
> For "set of lists in one lookup" type RBLs you need to disable the
> unscored base rule if you want to disable the DNS query.

OK...

> Those scored rules are just tests against a result from the base rule,
> so while you've disabled them, they don't cause the DNS lookup.

Interesting.  I need to read up on the non-basic rules it seems.

> All the spamhaus based RCVD_IN_* rules will have their query disabled by:
> 
> score __RCVD_IN_ZEN 0

Just to be clear, the entire list needs to be included like this to 
completely disable the lookups:

# remove spamhaus tests
score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0

For the archives...

Thanks,

Charles

> This makes sense if you look at how the rule is set up in 20_dnsbl_tests.cf:
> 
> http://svn.apache.org/repos/asf/spamassassin/branches/3.2/rules/20_dnsbl_tests.cf
> 
> The URIBL_SBL one is adequate as-is.
> 
>> Running spamassassin in debug mode however:
>> 
>> r...@spamd1[/usr/local/etc/mail/spamassassin]# spamassassin -D 2>&1 <
>> dialup-nospam.txt | grep -i spamhaus
>> [3816] dbg: dns: checking RBL zen.spamhaus.org., set zen
>> [3816] dbg: dns: launching DNS A query for
>> 2.59.48.64.zen.spamhaus.org. in background
>> [3816] dbg: async: starting: DNSBL-A,
>> dns:A:2.59.48.64.zen.spamhaus.org. (timeout 3.0s, min 0.6s)
>> [3816] dbg: dns: hit  127.0.0.10
>> [3816] dbg: async: completed in 0.012 s: DNSBL-A,
>> dns:A:2.59.48.64.zen.spamhaus.org.
>> [3816] dbg: async: timing: 0.012 . dns:A:2.59.48.64.zen.spamhaus.org.
>> 
>> Any ideas on what I've missed here?
>> 
>> Thanks,
>> 
>> Charles
>> 
>> ___
>> Charles Sprickman
>> NetEng/SysAdmin
>> Bway.net - New York's Best Internet - www.bway.net
>> sp...@bway.net - 212.655.9344







Obvious? Disabling some RBL/URIBL checks

2009-02-06 Thread Charles Sprickman

I'm a bit stumped on this one.

We recently got notice that we have too much volume to continue using 
spamhaus queries, and the quote for our rather small userbase was near 
what we'd pay for outsourcing all of our spam filtering anyhow...


That said, setting the scores to "0" is supposed to disable them, right?

# remove spamhaus tests
score RCVD_IN_ZEN 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score RCVD_IN_SBL 0
score URIBL_SBL 0

Running spamassassin in debug mode however:

r...@spamd1[/usr/local/etc/mail/spamassassin]# spamassassin -D 2>&1 < 
dialup-nospam.txt | grep -i spamhaus

[3816] dbg: dns: checking RBL zen.spamhaus.org., set zen
[3816] dbg: dns: launching DNS A query for 2.59.48.64.zen.spamhaus.org. in 
background
[3816] dbg: async: starting: DNSBL-A, dns:A:2.59.48.64.zen.spamhaus.org. 
(timeout 3.0s, min 0.6s)

[3816] dbg: dns: hit  127.0.0.10
[3816] dbg: async: completed in 0.012 s: DNSBL-A, 
dns:A:2.59.48.64.zen.spamhaus.org.

[3816] dbg: async: timing: 0.012 . dns:A:2.59.48.64.zen.spamhaus.org.

Any ideas on what I've missed here?

Thanks,

Charles

___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
sp...@bway.net - 212.655.9344



dccifd check failing after update

2009-01-12 Thread Charles Sprickman

Anyone have a clue on this one?

[3963] dbg: dcc: dccifd is available: /usr/local/dcc/dccifd
[3963] dbg: info: entering helper-app run mode
[3963] dbg: info: leaving helper-app run mode
[3963] warn: dcc: dccifd -> check skipped: Broken pipe 
__brokenpipe__ignore__ at 
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/DCC.pm line 
471.


This is spamassassin 3.2.5 and DCC 1.3.99.  DCC was just updated.  It 
seems to work on its own (ie: dccproc, etc.).


Any ideas on how to coerce more info about this out of SA?

Thanks,

Charles

___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
sp...@bway.net - 212.655.9344



SURBL questions

2006-12-19 Thread Charles Sprickman

Hi all,

I'm not completely understanding how these checks work...

I'm seeing some email with a URL in it that hits at the online surbl 
checker (http://www.rulesemporium.com/cgi-bin/uribl.cgi), but not in 
spamassassin with the default uribl rules.  Plugin is enabled and it does 
work on a good deal of mail.


I'm going to obfuscate the below example with dashes so that it's not 
filtered by list users running SA (I hope):


"http://refinance-poiku07-com"

In the cgi lookup linked above, the subdomain does not hit, but the main 
domain does.  Should SA be looking at the domain for surbl checks or not? 
Because it certainly looks like it isn't.  Running the latest SA (3.1.7) 
and latest rules via sa-update.


Thanks,

Charles


SQL prefs, what config allowed?

2006-05-09 Thread Charles Sprickman

Hi all,

Is there a canonical listing somewhere of which user prefs are allowed 
when using the SQL store for user preferences?


Can I just assume everything here:

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html

Is possible via the SQL prefs?

Thanks,

Charles



Re: Question about --max-children

2005-12-08 Thread Charles Sprickman

On Thu, 8 Dec 2005, User for SpamAssassin Mail List wrote:

> Any suggestions?  We are running a Server with an AMD Athlon(tm) XP 2100+
> processor and a SCSI Raid array and 3 gigs of memory.

Memory and cpu are your main concerns.  I pack a little less than 30 spamd 
processes on an Athlon 2400+ (2GHz) with 1 GB of RAM.  I run three of 
these boxes, they are el-cheapos that currently run a little under $400. 
They also run clamav, but that seems much less resource intensive.  Other 
than those two functions, that's all these boxes do.

Hope that helps,

Charles

> Thanks,
> 
> Ken Rea




Re: Problems with AOL's TOS reports

2005-12-02 Thread Charles Sprickman

On Fri, 2 Dec 2005, Ralf Hildebrandt wrote:


* Kai Schaetzl <[EMAIL PROTECTED]>:


In order to keep our mail flowing to AOL members, I've signed up through
the AOL postmaster service to receive TOS reports. Basically, whenever
someone reports mail from our domains as spam, AOL forwards it to me.


Be careful about that. That's what they say. Actually, it seems they have
their own filters additionally and send you everything they *think* is
spam. I've been getting a lot of TOS reports which weren't spam and where I
was able to ask the recipient and they said "No, I didn't hit the button".


Yeah, I also get lots of crap that is DEFINITELY not spam and that nobody
in his/her sane mind would declare as spam. But then nobody
in his/her sane mind would use AOL, either.


Yeah, I'm fairly certain after speaking with someone who routinely deals 
directly with AOL's "postmaster" folks that these are all button pushes.


Never underestimate the stupidity of the average computer user.  AOL does 
not help matters by putting the "report as spam" button next to the 
"delete" button in their mail client.


Charles


--
Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin    Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF    send no mail to [EMAIL PROTECTED]


spamd logging verbosity

2005-10-03 Thread Charles Sprickman

Hi,

I noticed that spamd has been tending to log more and more things with 
each new release.  I'm not complaining, it's very useful when I run into 
problems.


However, it would be nice to be able to tone it down a little bit when 
things are running smoothly.  Looking at the spamd manpage, I don't see 
anything about a logging level or similar.  Have I missed anything?


Right now I'm just trying to ditch some warnings from the sql prefs 
complaining that some options there are no longer recognized...


Thanks,

Charles




Re: 3.1.0 and child handling flags

2005-09-16 Thread Charles Sprickman

On Fri, 16 Sep 2005, Mike Jackson wrote:

Under 3.0.4, I started spamd with --max-conn-per-child=30. But looking at the 
documentation for the --round-robin flag, I'm wondering if this setting has 
much, or any, effect on spamd with the new scaling algo. If it now starts and 
stops child processes as needed, keeping a bare number of really busy 
processes running and only starting new ones as necessary, is 
--max-conn-per-child of any use?


I'm curious about this, is there a way to revert to the "old" behaviour? 
All my spamd boxes are just that - spamd boxes and nothing else.  They 
have enough memory so that if I start 32 spamds, I've got room.  I would 
imagine that in my case, killing off and respawning children would be a 
waste.  Currently I've got the 32 children just sitting and waiting during 
idle times which should mean I don't have to wait for spamd to fork off 
children...


Thoughts?

Charles

I was using it to combat the memory 
"leakage" problem (for ignorance of a better term - the longer child 
processes ran, the more memory they'd use). 



Re: Spamc/spamd timeouts

2005-09-07 Thread Charles Sprickman

On Wed, 7 Sep 2005, Chris wrote:


Hmm, I had a similar error on the 4th of Sept, sent a msg to the list
regarding this, but have yet to receive any replies.

Sep  4 14:00:50 cpollock spamd[1377]: SPF: lookup failed: __alarm___BEGIN
failed--compilation aborted
at /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Net/DNS/RR/A.pm
line 8,  line 97._Compilation failed in require at (eval 56) line 3,
 line 97.
Sep  4 14:32:39 cpollock spamd[1377]: SPF: lookup failed: Can't locate object
method "new" via package "Net::DNS::RR::A"


Try grabbing a newer version of Net-DNS and anything it depends on.  That 
smells awfully familiar to me...


Charles


at /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Net/DNS/RR.pm line
241,  line 68.


And the rest is as follows (NOTE THE SCANTIMES).

Sep  7 22:08:20 quark spamd[63384]: identified spam (10.6/5.0) for
icehacker:65534 in 1384.5 seconds, 4461 bytes.
Sep  7 22:08:20 quark spamd[63384]: result: Y 10 -
BAYES_50,FB_CASH_CAPS,HTML_10_20,HTML_MESSAGE,J_CHICKENPOX_32,MIME_BOUND_NE
XTPART,NO_OBLIGATION,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
scantime=1384.5,size=4461,mid=<[EMAIL PROTECTED]

,bayes=0.56051613916,autolearn=no




My scantimes have not changed as yours have though.

--
Chris
Registered Linux User 283774 http://counter.li.org
21:18:30 up 4:05, 1 user, load average: 0.67, 0.38, 0.44
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
Journalism is literature in a hurry.
-- Matthew Arnold
~~


Re: [sa-list] Re: spamd children run as root (again)

2005-08-08 Thread Charles Sprickman
I've seen this problem as well, even in the latest "ports" version.  Still 
runs as root.  If I apply the attached patch (obtained from one of the 
bugzilla entries), it works properly.  Running FBSD 4.11 w/perl 5.6.2 
(5.8.7 had the same problem, I backed out of 5.8 since it chewed up more 
memory than I was comfortable with).


Charles

On Mon, 8 Aug 2005, Dan Mahoney, System Admin wrote:


On Tue, 26 Apr 2005, Justin Mason wrote:



It's specifically a problem with perl on *BSD platforms -- there's
a bug open about it, but it's stalled because we don't have any
developers with BSD machines ;)


Anyone want a test machine where this is occurring?  Where it DIDN'T occur 
before under 3.0.3?  Contact me offlist.


I've had a bugzilla report sitting in "NEW" status for over a month now, I 
think.  I flagged it as "security" because I a) thought maybe there was some 
priority to that and b) actually believe it to be, but nobody has done 
anything with it.


http://bugzilla.spamassassin.org/show_bug.cgi?id=4498

-Dan



at least on some platforms (MacOS X) it appears perl's setuid
support substantially does not work.

--j.

Brandon Kuczenski writes:

I've seen this question posted a couple times in the mailing list archives
(from October 2004) but no resolution.  The question again:

I'm running SpamAssassin 3.0.2 on FreeBSD 4.10 in spamc/spamd format with
the '-u spamd' flag.  Problem is, all the child processes are running as
root:

$ ps aux | grep spam
root  333  0.0 10.1 27636 25932  ??  I11Apr05   1:03.83 spamd 
child (perl)
root  332  0.0 10.5 29020 27032  ??  I11Apr05   1:07.96 spamd 
child (perl)
root  331  0.0  9.7 26544 24852  ??  I11Apr05   0:52.68 spamd 
child (perl)
root  330  0.0  9.9 27152 25524  ??  I11Apr05   1:04.40 spamd 
child (perl)
root  329  0.0  9.8 26864 25116  ??  I11Apr05   0:58.08 spamd 
child (perl)
spamd 294  0.0  7.1 22392 18220  ??  Is   11Apr05   0:01.61 
/usr/local/bin/spamd -d -c -u spamd -H /home/spamd -r /var/run/spamd.pid 
(perl)

$

Is this intended or is it a bug?  The two threads I've seen that pertain
to it (both dating from Oct04) are left unresolved:
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/57900
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/58087

The practical consequence of this (aside from the unorthodoxy -- undesired
processes owned by root) is that the permissions of my
~user/.spamassassin/bayes_journal file get changed to root:spamd 0660.
I wanted them to be spamd:user 0660, so that the user can run
sa-learn without asking for root's help.  Is that not the 'right way' to
do things?

Has there been a resolution to this question?  If not, .. doesn't
everybody have this problem?  Or is it not a problem?  If not, why not?

-Brandon





--

"Don't try to out-wierd me.  I get stranger things than you free with my
breakfast cereal."

-Button seen at I-CON XVII (and subsequently purchased)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

--- spamd.old   Wed Oct 13 16:49:58 2004
+++ spamd   Thu Oct 14 20:15:53 2004
@@ -700,6 +700,15 @@
   # Change UID
   $> = $uuid;# effective uid
   $< = $uuid;# real uid. we now cannot setuid anymore
+
+  if ( $< != $uuid ) {
+warn("initial attempt to change real uid failed, trying BSD workaround") 
if $opt{'debug'};
+
+$> = $<;   # revert euid to ruid
+$< = $uuid;# change ruid to target
+$> = $uuid;# change euid back to target
+  }
+
   if ( $> != $uuid and $> != ( $uuid - 2**32 ) ) {
 die "fatal: setuid to uid $uuid failed\n";
   }
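Review bot: the BSD workaround block re-tries only the real-uid change, yet the fatal check right after it still tests only `$>` (the effective uid), so if `$< = $uuid` fails a second time the daemon keeps running with a root real uid and the check passes silently. Extend the check to the real uid as well, e.g. `if ( $< != $uuid and $< != ( $uuid - 2**32 ) ) { die "fatal: setuid to uid $uuid failed\n"; }`, and consider emitting the "trying BSD workaround" warn unconditionally instead of only under `$opt{'debug'}`, since a privilege drop that needed a second attempt is worth seeing in a normal log.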


Re: Load balancing spamd

2005-08-02 Thread Charles Sprickman

On Tue, 2 Aug 2005, email builder wrote:


Technically, this should be feasible with just plain DNS load balancing, but
in our current medium/low budget scenario, we don't have the rackspace to
have numerous boxes that are dedicated ONLY to SA/clam, thus our desire is to
figure out a way to *WEIGHT* our spamd balancing.


I've been very happy with DNS load balancing.  The frontend mxer runs 
tinydns on a local zone "blah.local.domain.com", and an instance of 
dnscache with the round-robin patch is pointed to in resolv.conf.  While I 
thought that the load balancing would be a little "rough", looking at the 
stats I sent 17011 messages through #1, 17025 through #2, and 17016 
through #3 yesterday.  I can also weight this by having multiple records, 
ie:


spamd1 gets three identical entries in tinydns
spamd2 gets three identical entries in tinydns
spamd3 gets three identical entries in tinydns
spamd4 gets one entry

that will leave spamd4 seeing about 1/3 the load of the other boxes.  It's 
not "clustering", but when using the "-d" flag:


-d host
  Connect to spamd server on given host.  If host resolves to multi-
  ple addresses, then spamc will fail-over to the other addresses, if
  the first one cannot be connected to.

it should hit another box if one goes down.  Or some easy scripting could 
remove the appropriate entries from tinydns if one machine stops 
responding.


Speaking of low budget, we have three SA boxes, each of which has a 2GHz 
AMD processor, 1GB RAM.  The first two cost about $550, the last one about 
$425.  They are pretty crappy boxes with no RAID, etc., but it's cheaper 
for me to keep one more box than needed in the equation than to build out 
a few "uber spamd" boxes.  They are in mini-atx cases, so they barely take 
up more room than an equivalent number of 1U boxes. I spawn 30 spamd 
children on each.  I have been very happy with the performance so far.



I'm surprised there's not a lot of folks out there who have done this
before?


Maybe they're all cheap like me. :)

Charles


Thanks again!
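An added example (my code, not the poster's setup) of the weighting and the "easy scripting" described above: it emits tinydns `data` lines for one hostname, repeating each live box's A record as many times as its weight and dropping any box that fails a TCP connect to spamd's port, so the round-robin answer set carries the weighting. The hostnames, addresses and pool weights are assumed.

```python
import socket

# Weighted pool as the post describes it: three records each for spamd1-3, one for
# spamd4. Addresses are made up for the example.
SPAMD_POOL = {
    "spamd1": ("10.0.0.11", 3),
    "spamd2": ("10.0.0.12", 3),
    "spamd3": ("10.0.0.13", 3),
    "spamd4": ("10.0.0.14", 1),
}


def spamd_alive(ip, port=783, timeout=2.0):
    """TCP connect check against spamd's default port (a stub replaces this in tests)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def tinydns_records(name, pool, alive=spamd_alive, ttl=60):
    """Build tinydns 'data' lines ('+fqdn:ip:ttl' is an A record with no PTR) for every
    live host, one line per unit of weight. Returns (lines, dead_hosts)."""
    lines, dead = [], []
    for host, (ip, weight) in sorted(pool.items()):
        if not alive(ip):
            dead.append(host)
            continue
        lines.extend(f"+{name}:{ip}:{ttl}" for _ in range(weight))
    if not lines:
        # Publishing an empty name would make every spamc call fail; keep the old data
        raise RuntimeError("no live spamd hosts; refusing to publish an empty record set")
    return lines, dead


def expected_share(lines):
    """Fraction of round-robin answers each address receives, to sanity-check weights."""
    ips = [line.split(":")[1] for line in lines]
    return {ip: ips.count(ip) / len(ips) for ip in set(ips)}


if __name__ == "__main__":
    # Real run: probes the (fictional) pool, then prints the lines for the data file
    try:
        records, down = tinydns_records("spamd.blah.local.example", SPAMD_POOL)
        print("\n".join(records), "\ndead:", down, "\nshares:", expected_share(records))
    except RuntimeError as err:
        print(err)
```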









what to sa-learn, poisoning

2005-07-28 Thread Charles Sprickman

Hello,

I'm not seeing it in the FAQ/wiki, but I've missed things in there before, 
so I thought I'd ask a quick question here.


I assume everyone else sees spam sneak through that contains a "spammy" 
subject (usually mentioning drugs with some mis-spellings/obfu), an 
attached image that apparently has the actual spam "message" in it, then 
some text that is very hammy in its content.


I've been assuming that this is what people refer to as "bayes poison" and 
I do not feed sa-learn with these.


Is this correct, or would information in the headers still prove valuable 
to bayes?


Thanks,

Charles


Re: RBL lookup failures

2005-07-26 Thread Charles Sprickman

Hello all,

Quick answer if you're running FreeBSD and using Net::DNS from ports... 
Install the p5-IO-INET6-2.01 port or package.  I ran into this, and I 
checked with Daniel and it worked for him as well.  It appears someone 
missed that as a dependency on the latest Net::DNS port.


Charles

On Tue, 26 Jul 2005, Daniel O'Connor wrote:


Hi,
I am using Spam Assassin 3.0.4 called from MIMEDefang 2.51 on a FreeBSD
4.9 box with perl 5.6.2 and I get the following messages in my maillog
on occasion..

Jul 26 12:43:36 cain sm-mta[81183]: j6Q3DUp1081183: from=<[EMAIL PROTECTED]>, 
size=4221, class=-30, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=smtp, 
relay=mx2.freebsd.org [216.136.204.119]
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to run 
__RFC_IGNORANT_ENVFROM RBL SpamAssassin test, skipping:   (Can't call method 
"bgsend" on an undefined value at 
/usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 112. )
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to run 
NO_DNS_FOR_FROM RBL SpamAssassin test, skipping:  (Can't call method 
"bgsend" on an undefined value at 
/usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 141. )
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to run 
DNS_FROM_AHBL_RHSBL RBL SpamAssassin test, skipping:  (Can't call method 
"bgsend" on an undefined value at 
/usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 112. )
Jul 26 12:43:36 cain mimedefang.pl[80553]: MDLOG,j6Q3DUp1081183,mail_in,,,<[EMAIL 
PROTECTED]>,<[EMAIL PROTECTED]>,6-BETA1 iwi + wpa_supplicant fails, and sometimes 
silently reboots

ie the slave errors.

I have..
skip_rbl_checks 0
use_razor2 0

###
# Add your own customised scores for some tests below.  The default scores are
# read from the installed "spamassassin.cf" file, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .

urirhssub URIBL_JP_SURBL  multi.surbl.org. A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net

score     URIBL_JP_SURBL  3.0

trusted_networks 203.31.81.0/24 203.122.192.0/26
dns_available yes

in the MD .cf file.

Anyone have any clues about how I can resolve this?
Thanks.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C




generating rule stats from spamd logs

2005-07-25 Thread Charles Sprickman

Hi,

Anyone aware of anything that can parse a day's spamd logs and then give a 
summary of total hits per rule?  I noticed since 3.0.x that all rule hits 
are in the logs now:


Jul 25 22:44:49 spamd2 spamd[59436]: result: Y 14 - 
BAYES_60,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL 
scantime=6.7,size=2027,mid=<[EMAIL PROTECTED]>,bayes=0.781998195315203,autolearn=disabled


I've got three spamd boxes logging to one server.  I already run 
sa-stats.pl daily, but I'd like to see more information about what rules 
are hitting.  I did see a few things in the wiki, but most of them look to 
be tied to snarfing MTA logs.


Thanks,

Charles
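An added example (not from the post or the SpamAssassin project) of the per-rule summary asked for above: it parses the 3.0.x `result:` lines in the format the post shows, counts hits per rule split by spam/ham verdict, and averages scantime. The embedded log lines are constructed in that format, not real data.

```python
import re
from collections import Counter

# spamd 3.0.x logs one "result:" line per scanned message:
#   result: <Y|.> <score> - <RULE1,RULE2,...> scantime=...,size=...,mid=...,bayes=...,autolearn=...
RESULT_RE = re.compile(
    r"spamd\[\d+\]: result: (?P<flag>[Y.]) (?P<score>-?\d+(?:\.\d+)?) - "
    r"(?P<rules>\S+) (?P<kv>.*)$"
)
# mid=<...> may itself contain commas, so pull only the fields we need by name
ATTR_RE = re.compile(r"(scantime|size|bayes|autolearn)=([^,]+)")

def parse_result_line(line):
    """Return (is_spam, score, rules, attrs) for a result line, else None."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    rules = [] if m.group("rules") == "-" else m.group("rules").split(",")
    attrs = dict(ATTR_RE.findall(m.group("kv")))
    return m.group("flag") == "Y", float(m.group("score")), rules, attrs

def rule_stats(lines):
    """Per-rule hit counts split by verdict, plus message and scantime totals."""
    stats = {"spam": Counter(), "ham": Counter(),
             "messages": {"spam": 0, "ham": 0}, "scantime": 0.0}
    for line in lines:
        parsed = parse_result_line(line)
        if parsed is None:          # connection/processing lines are ignored
            continue
        is_spam, _score, rules, attrs = parsed
        bucket = "spam" if is_spam else "ham"
        stats["messages"][bucket] += 1
        stats["scantime"] += float(attrs.get("scantime", 0))
        stats[bucket].update(rules)
    return stats

def format_report(stats):
    """Table sorted by total hits (ties alphabetical), one row per rule."""
    total = stats["messages"]["spam"] + stats["messages"]["ham"]
    rules = set(stats["spam"]) | set(stats["ham"])
    rows = sorted(rules, key=lambda r: (-(stats["spam"][r] + stats["ham"][r]), r))
    out = [f"{'RULE':<28}{'SPAM':>6}{'HAM':>6}{'%MSGS':>8}"]
    for r in rows:
        s, h = stats["spam"][r], stats["ham"][r]
        out.append(f"{r:<28}{s:>6}{h:>6}{100.0 * (s + h) / total:>8.1f}")
    out.append(f"messages={total} avg scantime={stats['scantime'] / total:.1f}s")
    return "\n".join(out)

# Constructed sample lines in the format quoted in the post; not real log data.
SAMPLE_LOG = """\
Jul 25 22:44:49 spamd2 spamd[59436]: result: Y 14 - BAYES_60,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=6.7,size=2027,mid=<a@example.invalid>,bayes=0.781998195315203,autolearn=disabled
Jul 25 22:45:02 spamd1 spamd[59102]: result: . -1 - BAYES_00,HTML_MESSAGE scantime=2.3,size=5120,mid=<b@example.invalid>,bayes=0.0001,autolearn=ham
Jul 25 22:45:10 spamd3 spamd[60011]: result: Y 9 - BAYES_99,URIBL_JP_SURBL,HTML_MESSAGE scantime=4.0,size=1800,mid=<c,d@example.invalid>,bayes=0.999,autolearn=spam
Jul 25 22:45:11 spamd3 spamd[60011]: connection from mx1 [10.0.0.5] at port 1234
"""

if __name__ == "__main__":
    print(format_report(rule_stats(SAMPLE_LOG.splitlines())))
```

Point it at the merged log from all three spamd boxes (`rule_stats(open(path))`) to get the day's totals.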



Re: URIDNSBL and subdomains

2005-07-21 Thread Charles Sprickman

On Thu, 21 Jul 2005, Loren Wilton wrote:


Sounds like an surbl problem if spamsite.com isn't listed.


That's just an example I made up... :)

The leading subdomains are supposed to be trimmed off, since they are 
usually identifying strings for a given spam target rather than an 
actual part of the target name.


OK, so that's supposed to happen.  Is there any way to have the entire 
host checked?  I've seen a good volume of junk where the domain is clean, 
but if I do a manual lookup on the entire hostname in the spam it is 
indeed listed.


Thanks,

Charles

There are a few cases where things go 
to three levels rather than just two, but they are exceptions.


   Loren


- Original Message -
From: "Charles Sprickman" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, July 21, 2005 7:28 PM
Subject: URIDNSBL and subdomains



Hello,

I've been watching some of the misses that have passed through
spamassassin (3.0.4) lately and they are pretty clean; no DNS BL hits,
etc.

One thing I did notice is that many of them have a fairly contorted URL
for the spamvertized products, ie:

kjekliennxi&ffiennnkenc.spamsite.com

This doesn't trigger any URIDNSBL hits, but if I punch the entire URI into
the surbl.org checker it does hit.  It seems as if the SA check is looking
only at the domain part and not the subdomain.

Is this expected?  Is there a switch to flip to get the whole hostname
checked?

Thanks,

Charles






URIDNSBL and subdomains

2005-07-21 Thread Charles Sprickman

Hello,

I've been watching some of the misses that have passed through 
spamassassin (3.0.4) lately and they are pretty clean; no DNS BL hits, 
etc.


One thing I did notice is that many of them have a fairly contorted URL 
for the spamvertized products, ie:


kjekliennxi&ffiennnkenc.spamsite.com

This doesn't trigger any URIDNSBL hits, but if I punch the entire URI into 
the surbl.org checker it does hit.  It seems as if the SA check is looking 
only at the domain part and not the subdomain.


Is this expected?  Is there a switch to flip to get the whole hostname 
checked?


Thanks,

Charles

___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
[EMAIL PROTECTED] - 212.655.9344
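An added example (my code, not SpamAssassin's URIDNSBL plugin) covering both the original question and Loren's reply above: it trims a hostname to its registrable domain the way the URIBL check does, builds the `multi.surbl.org` query name, decodes the 127.0.0.X bitmask answer, and looks up both the trimmed domain and the full hostname so you can see a listing that exists only for the full host being missed. JP=64 is the bit value from the `urirhssub` line quoted on this page; the other bit values, the two-level suffix list and the fake zone are assumptions made for the example.

```python
import ipaddress

# Last-octet bit values of the SURBL "multi" list. JP=64 matches the urirhssub rule on
# this page; the others are assumed from SURBL's documentation of that period.
SURBL_MULTI_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}

# Suffixes under which the registrable domain has three labels (illustrative, not SA's list)
THREE_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "ne.jp"}


def registrable_domain(host):
    """Trim leading subdomains as the URIBL check does: keep the last two labels, or
    three when the last two form a known two-level suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in THREE_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def surbl_query_name(name, zone="multi.surbl.org"):
    return f"{name}.{zone}"


def decode_multi(addr):
    """Decode a 127.0.0.X answer from multi.surbl.org into the sub-lists that hit."""
    octets = ipaddress.IPv4Address(addr).packed
    if octets[:3] != b"\x7f\x00\x00":
        raise ValueError(f"unexpected answer {addr}")
    return [name for bit, name in sorted(SURBL_MULTI_BITS.items()) if octets[3] & bit]


def check_uri_host(host, resolve, zone="multi.surbl.org"):
    """Query the trimmed domain (what SA does by default) and the full hostname.
    `resolve(name)` returns the A record string or None; injected so this runs offline."""
    result = {}
    for label, name in (("domain", registrable_domain(host)), ("host", host.lower())):
        answer = resolve(surbl_query_name(name, zone))
        result[label] = (name, decode_multi(answer) if answer else [])
    return result


# Constructed stand-in for DNS; these listings are invented for the example.
FAKE_ZONE = {
    "spamsite.example.multi.surbl.org": "127.0.0.64",        # JP only, domain-level
    "abc123.other.example.multi.surbl.org": "127.0.0.66",    # SC + JP, full host only
    "bad.co.uk.multi.surbl.org": "127.0.0.4",                # WS, three-label domain
}

if __name__ == "__main__":
    for h in ("kjekliennxi.spamsite.example", "abc123.other.example", "x.y.bad.co.uk"):
        print(h, check_uri_host(h, FAKE_ZONE.get))
```

The second hostname is the case from the thread: the trimmed domain comes back clean while the full host is listed, so a domain-only check never sees the hit.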