Re: RCVD_IN_DNSWL
See below:

On 5/13/2022 8:41 PM, Arne Jensen wrote:
> Den 13-05-2022 kl. 23:42 skrev Jeff Koch:
> > We're getting numerous false positives on 'RCVD_IN_DNSWL_HI RBL'. When I check these IP's (193.106.175.39, for example) at https://www.dnswl.org they are NOT listed.
> >
> > * -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
> > *      trust
> > *      [193.106.175.39 listed in list.dnswl.org]
> >
> > How can I fix this? I've run sa-update and it does not help.
>
> From the machine running your SpamAssassin, please run the following commands:
>
> 1. dig TXT o-o.myaddr.l.google.com

o-o.myaddr.l.google.com. 60 IN TXT "3.228.172.202"

> 2. dig TXT whoami-ecs.v6.powerdns.org

NA

> 3. dig TXT whoami-ecs.v4.powerdns.org

whoami-ecs.v4.powerdns.org. 60 IN TXT "ip: 3.239.157.44, netmask: no ECS"

Jeff

> And provide a response with their outputs.
>
> -- Med venlig hilsen / Kind regards, Arne Jensen
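The three dig commands above reveal which source address the authoritative servers see for lookups made from the SpamAssassin host, i.e. which resolver is really answering. That matters because dnswl.org rate-limits shared resolvers and answers such queries with a special code rather than a real listing. The following is an added example, not SpamAssassin's or dnswl's code. Its assumptions, to be verified against https://www.dnswl.org/: list.dnswl.org answers an A query for the reversed IP with 127.0.<category>.<trust>, trust 0 to 3 meaning none/low/medium/high, and returns 127.0.0.255 when the querying resolver is over the free query limit. The dig output lines and the prefix list are constructed sample data.

```python
"""Interpret a dnswl.org answer and check which resolver address dnswl sees."""
import ipaddress
import re
from typing import List, Optional

TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}
BLOCKED_CODE = "127.0.0.255"          # assumed dnswl "resolver blocked" answer


def dnswl_query_name(ip: str, zone: str = "list.dnswl.org") -> str:
    """Build the reversed-IP name SpamAssassin would look up for a relay."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(ip.split("."))) + "." + zone
    nibbles = addr.exploded.replace(":", "")     # 32 hex digits, as for ip6.arpa
    return ".".join(reversed(nibbles)) + "." + zone


def classify(answers: List[str]) -> dict:
    """answers: A records returned for the query name; [] means NXDOMAIN."""
    if not answers:
        return {"listed": False, "trust": None, "blocked": False}
    if BLOCKED_CODE in answers:
        # Not a listing at all: the resolver is rate-limited. Keep this
        # separate from the trust levels instead of scoring it.
        return {"listed": False, "trust": None, "blocked": True}
    m = re.fullmatch(r"127\.0\.(\d{1,3})\.(\d{1,3})", answers[0])
    if not m:
        return {"listed": False, "trust": None, "blocked": False,
                "unexpected": answers[0]}
    category, trust = int(m.group(1)), int(m.group(2))
    return {"listed": True, "category": category,
            "trust": TRUST.get(trust, "unknown"), "blocked": False}


TXT_RE = re.compile(r'\bIN\s+TXT\s+"([^"]*)"')


def resolver_seen_as(dig_output: str) -> Optional[str]:
    """Pull the address out of a `dig TXT o-o.myaddr.l.google.com` or
    whoami-ecs answer line: the source address the authoritative server saw,
    which is the resolver actually doing your lookups."""
    m = TXT_RE.search(dig_output)
    if not m:
        return None
    txt = m.group(1)
    m2 = re.search(r"ip:\s*([0-9a-fA-F.:]+)", txt)   # whoami-ecs format
    return m2.group(1) if m2 else txt.strip()


def resolver_is_own(dig_output: str, own_prefixes: List[str]) -> bool:
    """True when the address the world sees belongs to one of your prefixes.
    False means lookups leave through a shared or public resolver, which is
    the usual way to hit dnswl's query limit."""
    seen = resolver_seen_as(dig_output)
    if seen is None:
        return False
    addr = ipaddress.ip_address(seen)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in own_prefixes)


if __name__ == "__main__":
    # Constructed sample values, in the format the thread's dig commands print.
    sample = 'o-o.myaddr.l.google.com. 60 IN TXT "3.228.172.202"'
    print(dnswl_query_name("193.106.175.39"))
    print(classify(["127.0.0.255"]))
    print(resolver_is_own(sample, ["192.0.2.0/24"]))
```

If `resolver_is_own` is False for the address your dig output shows, the fix is on the resolver side (run a local caching resolver on the SpamAssassin host, or subscribe to a dnswl feed), not in the rule scores.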
RCVD_IN_DNSWL
Hi:

We're getting numerous false positives on 'RCVD_IN_DNSWL_HI RBL'. When I check these IP's (193.106.175.39, for example) at https://www.dnswl.org they are NOT listed.

* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
*      trust
*      [193.106.175.39 listed in list.dnswl.org]

How can I fix this? I've run sa-update and it does not help.

TIA - Jeff
Re: Off Topic - SPF - What a Disaster
At 06:02 AM 2/27/2010, you wrote: Benny Pedersen m...@junc.org writes: On Thu 25 Feb 2010 10:31:16 PM CET, Kai Schaetzl wrote I don't know to what you disagree, but SPF is not an anti-spam tool. Full stop. oh so what is spf then ? It is an anti-forgery tool. SPF, as defined in RFC 4408, is an email validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. Quoted from the RFC: The current E-Mail infrastructure has the property that any host injecting mail into the mail system can identify itself as any domain name it wants. Hosts can do this at a variety of levels: in particular, the session, the envelope, and the mail headers. Although this feature is desirable in some circumstances, it is a major obstacle to reducing Unsolicited Bulk E-Mail (UBE, aka spam). I think this argument is now over. Best Regards, Jeff Koch, Intersessions
Re: Off Topic - SPF - What a Disaster
At 02:31 PM 2/25/2010, you wrote: Marc Perkel wrote on Thu, 25 Feb 2010 09:29:48 -0800: The anti-SPF bandwagon is not ego driven but results driven. Thank you for admitting that SPF is not a spam filtering solution. However it is also not a white listing solution because as many people have said here - spammers are the ones who are using SPF correctly. You make the same mistake again. SPF is for assuring that mail with a certain sender domain was sent from a mailserver that is allowed to send mail for that domain. Nothing more, nothing less. It's for instance often used to have mail bypass greylisting as it doesn't make sense to greylist mail from an apparent mailserver. This has nothing to do with spam. Certain combinations of SPF results and other stuff may typically indicate a spam or ham, but in general you just get a validation if that server was allowed to send. That is, by definition, whitelisting. If SPF was adopted 99% (and always strict with no allowance of not-listed servers), then you could also do blacklisting based on this. Still, this doesn't mean that you can use it for black-and-white spam-filtering. You could just reject *some* spam (that is now rejected by RBLs and access lists, anyway). The only problem here is that a loose SPF definition can include all servers. To allow this was a big mistake. If someone doesn't want to restrict themselves to a certain range of servers, then they shouldn't use SPF. Kai I disagree. SPF is just one of the tools - among other tools (e.g. DKIM, domain keys, not accepting email from servers with no RDNS, etc) - developed to help reduce spam. -- Get your web at Conactive Internet Services: http://www.conactive.com Best Regards, Jeff Koch, Intersessions
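The point Kai makes above, that an SPF result only says whether a host was allowed to send for a domain, is easiest to see by running the check itself. Below is an added example, not SpamAssassin's or any SPF library's code, implementing a minimal RFC 4408 check_host(). DNS is replaced by a constructed in-memory zone so it runs offline, and only the mechanisms ip4, ip6, a, mx, include and all (with the +, -, ~ and ? qualifiers) are implemented; exists, ptr, redirect= and exp= are reported as permerror, and the a/mx prefix-length syntax is not supported. The `loose.example` record shows the "+all" record that admits every server, which the thread calls a mistake.

```python
"""Minimal SPF check_host(): does SPF allow this IP to send for this domain?"""
import ipaddress

# Constructed zone data: domain -> SPF TXT record, A records, MX hostnames.
ZONE = {
    "example.com": {
        "spf": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailer.example -all",
        "a": ["203.0.113.10"],
        "mx": ["mail.example.com"],
    },
    "mail.example.com": {"a": ["198.51.100.200"]},
    "_spf.mailer.example": {"spf": "v=spf1 ip4:198.51.100.0/28 ~all"},
    "corp.example": {"spf": "v=spf1 a -all", "a": ["192.0.2.40"]},
    # The mistake discussed above: a record that admits every host on the net.
    "loose.example": {"spf": "v=spf1 +all"},
    # Including a domain with no record is a permanent error, not a pass.
    "badinc.example": {"spf": "v=spf1 include:nospf.example -all"},
    "nospf.example": {},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _in(ip, cidr):
    # ip_network.__contains__ is False across IP versions, so an ip6:
    # mechanism never matches an IPv4 sender and vice versa.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, zone=ZONE, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for (ip, domain)."""
    if depth > 10:                       # stand-in for the RFC's lookup limit
        return "permerror"
    record = zone.get(domain, {}).get("spf")
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"                       # default qualifier is '+'
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _in(ip, arg)
        elif mech == "a":
            matched = any(_in(ip, a) for a in zone.get(arg or domain, {}).get("a", []))
        elif mech == "mx":
            hosts = zone.get(arg or domain, {}).get("mx", [])
            matched = any(_in(ip, a) for h in hosts for a in zone.get(h, {}).get("a", []))
        elif mech == "include":
            sub = check_host(ip, arg, zone, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"      # softfail/neutral/fail inside an include do not match
        else:
            return "permerror"           # mechanism not implemented in this example
        if matched:
            return QUALIFIER[qual]
    return "neutral"                     # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.77", "example.com"), ("192.0.2.1", "example.com"),
                    ("192.0.2.1", "loose.example"), ("192.0.2.1", "nospf.example")]:
        print(ip, dom, "->", check_host(ip, dom))
```

Note that a "pass" for `loose.example` is produced for any address at all, which is exactly why an SPF pass on its own is worthless as a whitelist signal: the result is only as meaningful as the record the domain owner published.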
Re: Off Topic - SPF - What a Disaster
How silly. That's like saying an iPhone is not a gaming device even though plenty of people use it to play game apps. Perhaps you should re-read the SPF FAQ's. At 04:31 PM 2/25/2010, you wrote: Jeff Koch wrote on Thu, 25 Feb 2010 15:08:46 -0500: I disagree. I don't know to what you disagree, but SPF is not an anti-spam tool. Full stop. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com Best Regards, Jeff Koch, Intersessions
Off Topic - SPF - What a Disaster
In an effort to reduce spam further we tried implementing SPF enforcement. Within three days we turned it off. What we found was that: - domain owners are allowing SPF records to be added to their zone files without understanding the implications, or that are just not correct - domain owners and their employees regularly send email from mailservers that violate their SPF. - our customers were unable to receive email from important business contacts - our customers were unable to understand why we would be enforcing a system that prevented them from getting important email. - our customers couldn't understand what SPF does. - our customers could not explain SPF to their business contacts, who would have had to contact their IT people to correct the SPF records. Our assessment is that SPF is a good idea but pretty much unworkable for an ISP/host without a major education program, for which we have neither the time nor the money. Since we like our customers and they pay the bills it is now a dead issue. Any other experiences? I'd love to hear. Best Regards, Jeff Koch, Intersessions
Re: Yahoo Feedback Loop - off topic
The only large ISP that seems to have an FBL friendly approach is AOL. We've been on their FBL for years. If anyone knows of another ISP with a friendly FBL I'd love to know. At 01:05 AM 2/19/2010, ram wrote: On Thu, 2010-02-18 at 12:17 -0800, J.D. Falk wrote: On Feb 14, 2010, at 10:31 PM, ram wrote: Anyway ReturnPath operates FBL's for yahoo and they provide IP address based feedback loops at Cox etc I dont know why this diff for yahoo. Because that's how Yahoo! wants it. There are a lot of advantages to routing feedback by authenticated domain: ease of maintenance, survives forwarding, et cetera. But for an ISP this is so painful. Every new customer who comes on board you have to ask them to dkim sign their mails or sign them on their behalf. Setting up the FBL on behalf of the customer is another pain And anyway for the spams which dont get signed ( for eg using a direct relay with a compromised account ) you may be relaying the spams inadvertently on the outbound , but never get FBL's until all the world blacklists you -- J.D. Falk jdf...@returnpath.net Return Path Inc Best Regards, Jeff Koch, Intersessions
Yahoo FBL - Off Topic - Part One
HI JD: What I particularly find amusing is this email saying they have an ISP program followed by the next one I'm going to send you. BTW - I have made several attempts to escalate this issue about getting on the ISP FBL to no avail. If you know a real live person at Yahoo and can give me a contact name I would appreciate it. Jeff Delivered-To: intersessions.com-jeffk...@intersessions.com X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on pegasus.avspamfilter.com X-Spam-Level: * X-Spam-Status: No, score=1.8 required=5.0 tests=RDNS_NONE,URI_HEX autolearn=no version=3.2.4 X-Spam-Report: * 1.3 URI_HEX URI: URI hostname has long hexadecimal sequence * 0.5 RDNS_NONE Delivered to trusted network by a host with no rDNS Date: Sat, 13 Feb 2010 09:11:56 -0800 To: Jeff Koch jeffk...@intersessions.com Subject: Re: CFL Application (KMM104380179V81098L0KM) From: Yahoo! Mail abuse-ad...@cc.yahoo-inc.com Reply-To: Yahoo! Mail abuse-ad...@cc.yahoo-inc.com X-Mailer: KANA Response 7.0.1.142.15 Hello Jeffrey, Thank you for writing to Yahoo! Mail. Thank you for your interest in Yahoo! Mail's Complaint Feedback Loop program. An Internet Service Provider (ISP) who wishes to participate in the Complaint Feedback Loop program can do so even if they are not signing their outbound email with DomainKeys or DKIM. Available only to ISPs, we do offer a feedback loop that is based on the provider's sending IP addresses or CIDR ranges. If you represent an ISP that is interested in signing up to our Complaint Feedback Loop program, you may register by going to: http://feedbackloop.yahoo.net Once you have completed your registration, please fill out our request form with the required information so we can review your eligibility and possible inclusion in the program. This form can be found at: http://help.yahoo.com/l/us/yahoo/mail/postmaster/cfl_app.html Note: When completing your registration, please provide your corporate email address during the registration process. 
Thank you again for contacting Yahoo! Mail. Your case number for this issue is 68500664. Please reference it in all future communication about this particular issue. Regards, Frank Yahoo! Customer Care 68500664 Original Message Follows: - Mail-Id: w1.help.re1.yahoo.com-/l/us/yahoo/mail/postmaster/cfl_app.html-126601230 8-62 1. What is your name? -- Name: Jeffrey Koch 2. What is your email address? --- Email Address: jeffk...@intersessions.com Confirm your email address: jeffk...@intersessions.com 3. What is your company's name? Company Name: Intersessions Inc 4. What is the URL for your company's web site? Company web site: http://www.Intersessions.com 5. Please describe your company Select one: ISP 6. If you selected other as the description of your company, please tell us how you would describe your company. --- Not set by user 7. Do you sign your emails with DomainKeys and/or DKIM? DomainKeys/DKIM: Neither 8. Do you have an existing account at our Complaint Feedback Loop site? - Registered: Yes 9. What domains (or IPs for ISPs) are you contacting us about? --- 74.220.16.1/24 74.220.23.1/24 10. Please tell us what your concern/request is. - Subject: We are an ISP interested in the IP-based program 11. Enter any additional information here: --- Not set by user While Viewing: Last URL: :// Form Name: http://help.yahoo.com/l/us/yahoo/mail/postmaster/cfl_app.html Yahoo ID: Other ID: Machine: Unknown OS: unknown Browser: Mozilla 1.9 REMOTE_ADDR: 24.187.176.53 REMOTE_HOST: ool-18bbb035.dyn.optonline.net Date Originated: Friday February 12, 2010 - 14:05:08 Cookies: enabled AOL: no --- Best Regards, Jeff Koch, Intersessions
Yahoo FBL - Part Two
JD - and after spending an hour registering and filling out forms I finally get this email. Sweet! Jeff Delivered-To: intersessions.com-jeffk...@intersessions.com X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on pegasus.avspamfilter.com X-Spam-Level: * X-Spam-Status: No, score=1.8 required=5.0 tests=RDNS_NONE,URI_HEX autolearn=no version=3.2.4 X-Spam-Report: * 1.3 URI_HEX URI: URI hostname has long hexadecimal sequence * 0.5 RDNS_NONE Delivered to trusted network by a host with no rDNS Date: Sun, 14 Feb 2010 08:54:46 -0800 To: Jeff Koch jeffk...@intersessions.com Subject: Re: CFL Application (KMM104418975V66474L0KM) From: Yahoo! Mail abuse-ad...@cc.yahoo-inc.com Reply-To: Yahoo! Mail abuse-ad...@cc.yahoo-inc.com X-Mailer: KANA Response 7.0.1.142.15 Hello Jeffrey, Thank you for writing to Yahoo! Mail. Thank you for your interest in Yahoo! Mail's Complaint Feedback Loop program. Senders who wish to participate in the Complaint Feedback Loop program are required to sign their outbound email with DomainKeys and/or DKIM, both of which are email authentication technologies that Yahoo! Mail utilizes to determine the actual sender of an email. (We do not offer feedback loops based on a sender's IP addresses or CIDR ranges.) If you are already signing your outbound emails with DomainKeys and/or DKIM, you may enroll in the program by going to: http://feedbackloop.yahoo.net For each selector/domain pair you want to enroll in the program, you will need to click on a URL in the verification email which we will send you. The completion of this verification process is necessary to activate any domain for the feedback loop. You will be given an option to receive the verification email at either of these role addresses: abuse@yourdomain or postmaster@yourdomain. Note: If you have yet to utilize domain-based email authentication, we encourage you to consider DKIM, which is the successor to DomainKeys. 
You may read more about DKIM at: http://dkim.org Thank you again for contacting Yahoo! Mail. Your case number for this issue is 68524040. Please reference it in all future communication about this particular issue. Regards, Hank Yahoo! Customer Care 68524040 Original Message Follows: - Mail-Id: w1.help.re1.yahoo.com-/l/us/yahoo/mail/postmaster/cfl_app.html-126609396 8-2206 1. What is your name? -- Name: Jeffrey Koch 2. What is your email address? --- Email Address: jeffk...@intersessions.com Confirm your email address: jeffk...@intersessions.com 3. What is your company's name? Company Name: Intersessions Inc 4. What is the URL for your company's web site? Company web site: http://www.Intersessions.com 5. Please describe your company Select one: Email Service Provider 6. If you selected other as the description of your company, please tell us how you would describe your company. --- Not set by user 7. Do you sign your emails with DomainKeys and/or DKIM? DomainKeys/DKIM: Neither 8. Do you have an existing account at our Complaint Feedback Loop site? - Registered: Yes 9. What domains (or IPs for ISPs) are you contacting us about? --- 74.220.16.1 - 255 74.220.23.1 - 255 10. Please tell us what your concern/request is. - Subject: We are an ISP interested in the IP-based program 11. Enter any additional information here: --- Not set by user While Viewing: Last URL: :// Form Name: http://help.yahoo.com/l/us/yahoo/mail/postmaster/cfl_app.html Yahoo ID: Other ID: Machine: Unknown OS: unknown Browser: Mozilla 1.9 REMOTE_ADDR: 24.187.176.53 REMOTE_HOST: ool-18bbb035.dyn.optonline.net Date Originated: Saturday February 13, 2010 - 12:46:08 Cookies: enabled AOL: no --- Best Regards, Jeff Koch, Intersessions
Yahoo Feedback Loop - off topic
Sorry this is off-topic but has anyone successfully applied for the Yahoo Email Complaint Feedback Loop? On the one hand their website says they have an ISP program based on IP addresses and CIDR ranges that does not require emails to be signed with DomainKeys or DKIM and then, on the other hand, they send out emails from their abuse-admin saying that they have no such program. Yahoo is making me crazy. If anyone has the email address of someone there that can actually get an ISP signed up for the program I would appreciate it. Best Regards, Jeff Koch, Intersessions
Date in the Future
Well, now that it's 2010 I'm getting a lot of hits on FH_DATE_PAST_20XX The date is grossly in the future for emails that have been sent this year and are otherwise OK. What's up with that? Our SA is fairly current and we run sa-update once a week. Has this program bug been corrected yet? Best Regards, Jeff Koch, Intersessions
Re: Spam from compromised web mails
I have to say that it is extremely annoying that this mailing list does not put a tag identifying itself in the subject line. Every other mailing list of a similar technical nature that I participate in has a tag. A tag of two characters would allow users to quickly identify the email as coming from the SA mailing list and decide whether the email is worth opening. At 08:25 AM 12/15/2009, you wrote: On tir 15 dec 2009 08:25:00 CET, Rajkumar S wrote I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399 http://sa.hege.li/ to me it looks like a gmail user trying to get more users sending their login and passwords, then whatever it really is ? -- xpoint http://www.unicom.com/pw/reply-to-harmful.html Best Regards, Jeff Koch, Intersessions
SA Tag Spam from compromised web mails
How could a two character tag like SA be annoying? You must never use a blackberry or iPhone to check your email either. At 11:12 AM 12/15/2009, RW wrote: On Tue, 15 Dec 2009 09:44:50 -0500 Jeff Koch jeffk...@intersessions.com wrote: I have to say that it is extremely annoying that this mailing list does not put a tag identifying itself in the subject line. Every other mailing list of a similar technical nature that I participate in has a tag. I'm exactly the opposite, hardly any of the lists I subscribe to do that, and I find it annoying when it's done. Every list mail comes with a List-Id header so you can filter, tag or whatever. I'd find it annoying to look at a list where every single message starts with [sa-user]. Best Regards, Jeff Koch, Intersessions
SA Tag - Spam from compromised web mails
Why be forced into using one mail client? Hey, it's almost 2010 - people use multiple devices to check email - smartphones, PDA's, mail to voice, webmail, internet cafes. The days of using only one client are long past. You can still use IMAP on a main PC to keep your email sorted - but why not also make it easy to follow discussions on other devices? At 12:00 PM 12/15/2009, Toni Mueller wrote: Hi, On Tue, 15.12.2009 at 11:44:49 -0500, Charles Gregory cgreg...@hwcn.org wrote: On Tue, 15 Dec 2009, Jeff Koch wrote: I have to say that it is extremely annoying that this mailing list does not put a tag identifying itself in the subject line. Every other mailing list of a similar technical nature that I participate in has a tag. A tag of two characters would allow users to quickly identify the email as coming from the SA mailing list and decide whether the email is worth opening. +1 -100 As you may have noticed, I've got my procmail set to insert one (as seen above). But this has the unfortunate side-effect of messing with threading in some threaded mail clients and archives :( I don't know the abilities of Alpine, but if you use procmail anyway, why can't you simply sort on the List-Id header? :0 * ^List-Id: .users.spamassassin.apache.org $MAILDIR/spamassassin/ Kind regards, --Toni++ Best Regards, Jeff Koch, Intersessions
Re: SA Tag Spam from compromised web mails
As I said not everyone controls the mailserver they get their list mail from. At 12:55 PM 12/15/2009, LuKreme wrote: On 15-Dec-2009, at 10:52, Jeff Koch wrote: At 12:41 PM 12/15/2009, Benny Pedersen wrote: open your eyes and see more, both the above smartphones above can handle imap just fine, but i just test it from nokia e51, should i prove it ? Of course an iPhone can see IMAP folders. But what's going to sort mail into folders when I'm traveling for a week and the office PC is turned off? Server side IMAP rules? Procmail? Mailsieve? -- Light thinks it travels faster than anything but it's wrong. No matter how fast light travels it finds the darkness has always got there first, and is waiting for it. --Reaper Man Best Regards, Jeff Koch, Intersessions
Re: SA Tag Spam from compromised web mails
Instead of trying to make points why not read the whole thread? As I said in a prior response - not everyone has management control over the mailserver they use to get SA list mail. At 01:01 PM 12/15/2009, Toni Mueller wrote: On Tue, 15.12.2009 at 12:52:44 -0500, Jeff Koch jeffk...@intersessions.com wrote: Of course an iPhone can see IMAP folders. But what's going to sort mail into folders when I'm traveling for a week and the office PC is turned off? The server on which the imap server runs? Kind regards, --Toni++ Best Regards, Jeff Koch, Intersessions
SA Tag
I give up! Best Regards, Jeff Koch, Intersessions
New Comcast Postmaster Link
We have a mailserver that's been blocked by Comcast. After correcting the problem (user got hacked) we need to get Comcast to lift the block. Has anyone got the new URL for this? Comcast seems to have revised their website and the link provided in the bounce reports does not work. TIA Best Regards, Jeff Koch
rDNS problem
Hi All Hopefully another pair of eyes can help find the reason for this rDNS error. Here's SA header message: * 1.0 RDNS_NONE Delivered to trusted network by a host with no rDNS Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65) As far as I can tell 'cronus.intersessions.com' has reverse setup and it matches 74.220.16.65. What am I missing? Best Regards, Jeff Koch, Intersessions
Re: rDNS problem
Hi Benny: How do I correct this problem? When I run 'nslookup 74.220.16.65' from various machines it shows the correct answer. At 07:02 PM 11/21/2008, you wrote: On Sat, November 22, 2008 00:22, Jeff Koch wrote: As far as I can tell 'cronus.intersessions.com' has reverse setup and it matches 74.220.16.65. What am I missing? http://www.robtex.com/ip/74.220.16.65.html see the graph, no PTR, and no A there http://www.robtex.com/dns/cronus.intersessions.com.html see graph :) PTR and A works -- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098 Best Regards, Jeff Koch, Intersessions
Re: rDNS problem
Hi Benny: Reverse DNS seems to work via dig and nslookup but the links, although indicating a problem, were not terribly helpful in explaining the cause. Apparently, you know more than I do. Perhaps you could reveal a little more info so we can get this straightened out. I would really appreciate it. Jeff At 07:53 PM 11/21/2008, you wrote: On Sat, November 22, 2008 01:41, Jeff Koch wrote: How do I correct this problem? When I run 'nslookup 74.220.16.65' from various machines it shows the correct answer. your computer, your problem :) i showed 2 links, should i show more ? -- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098 Best Regards, Jeff Koch, Intersessions
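One detail that this thread never states and that explains why `dig` and `nslookup` succeeding elsewhere does not settle the question: SpamAssassin does not do its own PTR lookup for RDNS_NONE. It takes the reverse name from the Received header written by the receiving MTA, and a qmail/tcpserver front end writes `from unknown (HELO ...)` whenever it did not obtain a PTR at connection time (lookups disabled with tcpserver's -H option, or a lookup that failed or timed out on that host). The following is an added example, not SpamAssassin's code, that parses the quoted Received line the way SpamAssassin would and compares it with a forward-confirmed rDNS check; the PTR and A tables are constructed stand-ins for live DNS answers.

```python
"""What SpamAssassin sees for RDNS_NONE, versus a live forward-confirmed PTR check."""
import re
from typing import Optional

# qmail/tcpserver form:   from <rdns> (HELO <helo>) (<ip>)
QMAIL_RX = re.compile(
    r"^Received:\s*from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[0-9a-fA-F.:]+)\)")
# sendmail/postfix form:  from <helo> (<rdns> [<ip>])
SENDMAIL_RX = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)")


def parse_received(header: str) -> Optional[dict]:
    """Extract helo, ip and the rDNS the MTA recorded (None if it recorded none)."""
    for rx in (QMAIL_RX, SENDMAIL_RX):
        m = rx.match(header)
        if m:
            d = m.groupdict()
            if d["rdns"].lower() == "unknown":   # qmail's marker for 'no PTR obtained'
                d["rdns"] = None
            return d
    return None


# Constructed resolver view (what `dig -x` and `dig A` would answer).
PTR = {"74.220.16.65": "cronus.intersessions.com",
       "216.99.214.161": "216-99-214-161.dsl.aracnet.com"}
A = {"cronus.intersessions.com": ["74.220.16.65"],
     "216-99-214-161.dsl.aracnet.com": ["216.99.214.161"]}


def fcrdns(ip: str, ptr=PTR, a=A):
    """Forward-confirmed rDNS: the PTR name must have an A record back to ip."""
    name = ptr.get(ip)
    return name, bool(name) and ip in a.get(name, [])


def diagnose(header: str, ptr=PTR, a=A) -> dict:
    """Compare what the MTA recorded (SpamAssassin's input) with live DNS."""
    h = parse_received(header)
    if h is None:
        return {"error": "unrecognised Received header"}
    live_name, confirmed = fcrdns(h["ip"], ptr, a)
    sa_rdns_none = h["rdns"] is None
    if sa_rdns_none and confirmed:
        verdict = ("PTR exists and is forward-confirmed; the receiving MTA did not "
                   "record it, so check reverse lookups on that host")
    elif sa_rdns_none:
        verdict = "no usable PTR for this address; fix DNS"
    elif h["rdns"] != live_name:
        verdict = "MTA-recorded rDNS differs from the current PTR"
    else:
        verdict = "rDNS recorded; RDNS_NONE should not fire"
    return {"helo": h["helo"], "ip": h["ip"], "mta_rdns": h["rdns"],
            "sa_rdns_none": sa_rdns_none, "live_ptr": live_name,
            "fcrdns_ok": confirmed, "helo_matches_ptr": h["helo"] == live_name,
            "verdict": verdict}


if __name__ == "__main__":
    # The header line quoted in this thread.
    print(diagnose("Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65)"))
```

When `sa_rdns_none` is True but `fcrdns_ok` is True, the DNS zone is not the problem; the receiving host's resolver configuration or tcpserver options are.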
Re: FORGED_MUA_OUTLOOK is a nuisance
I agree - let's get rid of it until it can be fixed. We've had to manually drop the score to zero because of so many complaints.

At 08:22 AM 5/17/2008, Jari Fredriksson wrote:
> I received something like this from my email to a list
>
> Sorry for the inconvenience, but we have started to fight against spam.
>
> Content analysis details: (4.3 points, 4.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
> -1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5% [score: 0.0276]
>  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
>  1.0 GUZMAN_STOCKALERT02    looks like contains a Symbol Name
>  4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>
> Apparently the list operator is using SpamAssassin, which I, too, happily use.
>
> I can understand FORGED_RCVD_HELO. Maybe it is from my internal handouts? I have a LAN but also a Smart Host to send my email out.
>
> BAYES_05: All good.
>
> DNS_FROM_RFC_ABUSE: No idea. iki.fi is my email-provider and they should be ok. But they provide for a lot of folks... Dunno.
>
> GUZMAN_STOCKALERT02: Absolutely no idea. I used capital letters, because I was talking about a C language application and its #defined VALUES.
>
> FORGED_MUA_OUTLOOK: This!! I posted that from Windows XP SP3 with default Outlook Express. !!! Oh my. Whatta heck! Oh my.
>
> Can we get rid of this Outlook problem, so many ppl have reported problems already? Or is it fixed? Good. Thanks.

Best Regards, Jeff Koch, Intersessions
Re: FORGED_MUA_OUTLOOK is a nuisance
mouss - Last week I sent you and the list full headers from the false positives I got on this item. Let's not go around and around. This has been reported numerous times.

At 08:51 AM 5/17/2008, mouss wrote:
> Jari Fredriksson wrote:
> > I received something like this from my email to a list
> >
> > Sorry for the inconvenience, but we have started to fight against spam.
> >
> > Content analysis details: (4.3 points, 4.0 required)
> >
> >  pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> >  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
> > -1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5% [score: 0.0276]
> >  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
> >  1.0 GUZMAN_STOCKALERT02    looks like contains a Symbol Name
> >  4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
> >
> > Apparently the list operator is using SpamAssassin, which I, too, happily use.
> >
> > I can understand FORGED_RCVD_HELO. Maybe it is from my internal handouts? I have a LAN but also a Smart Host to send my email out.
> >
> > BAYES_05: All good.
> >
> > DNS_FROM_RFC_ABUSE: No idea. iki.fi is my email-provider and they should be ok. But they provide for a lot of folks... Dunno.
> >
> > GUZMAN_STOCKALERT02: Absolutely no idea. I used capital letters, because I was talking about a C language application and its #defined VALUES.
> >
> > FORGED_MUA_OUTLOOK: This!! I posted that from Windows XP SP3 with default Outlook Express. !!! Oh my. Whatta heck! Oh my.
> >
> > Can we get rid of this Outlook problem, so many ppl have reported problems already? Or is it fixed? Good. Thanks.
>
> Please show full headers of the message.

Best Regards, Jeff Koch, Intersessions
Re: False positive on forged_mua_outlook
That part (i.e. the top part of the header) was generated by qmail. Please look at the bottom part of the header after the spam scoring which shows the header from the user's email which was mistakenly scored as a forged_mua_outlook. At 04:13 AM 5/10/2008, mouss wrote: Randy Ramsdell wrote: [snip] Scratch that and reverse it. If it does match, then it will score the message header as fake. oops :) sorry. Let me check some more things. Did outlook really generate this message-id: Message-ID: [EMAIL PROTECTED] ? Best Regards, Jeff Koch, Intersessions
Re: False positive on forged_mua_outlook
If you guys are going to keep looking at the wrong part of the header information that I sent in nothing will get done. Please look at the section below the spam scoring. Here's the header from the user's email and it was sent from Outlook Express:

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
  by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
  for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

At 09:09 AM 5/10/2008, D Hill wrote:
> On Sat, 10 May 2008 at 10:13 +0200, [EMAIL PROTECTED] confabulated:
> > Randy Ramsdell wrote:
> > > [snip] Scratch that and reverse it. If it does match, then it will score the message header as fake.
> >
> > oops :) sorry. Let me check some more things. Did outlook really generate this message-id:
> >
> > Message-ID: [EMAIL PROTECTED]
>
> I just sent myself a test message from Outlook Express 6.00.2900.2180:
>
> Message-ID: [EMAIL PROTECTED]
>
> The message ID's part before the '@' is two characters less than what you show. 'meme' is the name of my computer. Outlook and Outlook Express use the name of the computer in the message ID after the '@'. I don't have access to Outlook for testing.
>
> On a side note, Outlook and Outlook Express also HELO with the computer's name when sending a message through an email server.

Best Regards, Jeff Koch, Intersessions
False positive on forged_mua_outlook
Hi: Our users are getting false positives with hits on 4.2 FORGED_MUA_OUTLOOK and are saying they are 100% certain that the email was sent from MS Outlook Express. Is this a known problem or are these users doing something wrong? Best Regards, Jeff Koch
Re: False positive on forged_mua_outlook
Hi Matus:

Here's the header. We're seeing a lot of these now:

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
  by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
  for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
> On 09.05.08 12:08, Jeff Koch wrote:
> > Our users are getting false positives with hits on 4.2 FORGED_MUA_OUTLOOK and are saying they are 100% certain that the email was sent from MS Outlook Express. Is this a known problem or are these users doing something wrong?
>
> may be... can you show us headers of such e-mail?
>
> meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
> meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
> meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
>
> at least Message-Id and X-Mailer... btw do you update rules periodically?
>
> -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> They say when you play that M$ CD backward you can hear satanic messages. That's nothing. If you play it forward it will install Windows.

Best Regards, Jeff Koch, Intersessions
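The meta rules Matus quotes above fire when a message claims the Outlook Express MUA but carries a Message-ID that does not have the shape Outlook Express generates. Since the IDs in this thread were redacted, the following added example (not SpamAssassin's rules) reproduces that logic on constructed sample headers. The Message-ID patterns are an approximation of the __OE_MSGID_* sub-rules in SpamAssassin 3.2's 20_head_tests.cf and may differ from the real ones in detail, so treat them as assumptions; the three sample messages are constructed.

```python
"""Reproduce the FORGED_MUA_OUTLOOK meta logic on sample headers."""
import re

OE_MUA_RX = re.compile(r"^Microsoft Outlook Express \d")
# Genuine OE/Outlook IDs: <8-or-12 hex>$<8 hex>$<8 hex>@<host> (the "dollars"
# in __OUTLOOK_DOLLARS), plus Hotmail/MSN IDs that also claim the OE MUA.
OE_MSGID_RXS = [
    re.compile(r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$"),
    re.compile(r"^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}@(?:hotmail|msn)\.com>$"),
]


def header(raw: str, name: str) -> str:
    """First value of a header in raw message text, folded lines joined."""
    head = raw.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", head)
    for line in unfolded.split("\n"):
        k, sep, v = line.partition(":")
        if sep and k.strip().lower() == name.lower():
            return v.strip()
    return ""


def forged_mua_outlook(raw: str) -> dict:
    """Mirror of: __FORGED_OE = __OE_MUA && !__OE_MSGID_* && !__UNUSABLE_MSGID."""
    mailer = header(raw, "X-Mailer")
    msgid = header(raw, "Message-ID")
    oe_mua = bool(OE_MUA_RX.match(mailer))
    # An ID without <...@...> is 'unusable' and the rule deliberately stays quiet.
    unusable = not (msgid.startswith("<") and msgid.endswith(">") and "@" in msgid)
    oe_msgid = any(rx.match(msgid) for rx in OE_MSGID_RXS)
    return {"oe_mua": oe_mua, "oe_msgid": oe_msgid, "unusable_msgid": unusable,
            "FORGED_MUA_OUTLOOK": oe_mua and not oe_msgid and not unusable}


# Constructed samples. GENUINE has the ID shape Outlook Express really produces.
GENUINE = """From: a@example.org
Message-ID: <000a01c8af72$6a2b3c4d$9e8f7a6b@server>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""
# Same MUA header, but the Message-ID was (re)written by something else, for
# example a relay or web form that generates its own IDs: the rule fires.
REWRITTEN = """From: a@example.org
Message-ID: <20080506191304.GA12345@relay.example.org>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""
NOT_OE = """From: a@example.org
Message-ID: <20080506191304.GA12345@relay.example.org>
X-Mailer: Mutt/1.5

body
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("rewritten", REWRITTEN), ("not OE", NOT_OE)]:
        print(name, forged_mua_outlook(raw))
```

To investigate a reported false positive, it is the unredacted Message-ID of the original (the part D Hill asks about later in the thread) that decides the outcome, not the X-Mailer line: anything between the client and SpamAssassin that replaces the Message-ID makes an honest Outlook Express message look forged.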
Re: False positive on forged_mua_outlook
Hi Randy - here's the whole thing:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com with SpamAssassin (version 3.2.4); Tue, 06 May 2008 15:13:09 -0400
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 tests=FORGED_MUA_OUTLOOK,RDNS_NONE, TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
 * 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
 * 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
 * 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_4820ADC5.A4580A7F

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system libra.xxx.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see [EMAIL PROTECTED] for details.

Content preview: [...]

Content analysis details: (5.3 points, 3.0 required)

 pts rule name description
---- ---------------------- --------------------------------------------------
 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161]) by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907 for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original
Content-Transfer-Encoding: 7bit

--=_NextPart_000_0039_01C8AF72.8920CD60

At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
Jeff Koch wrote: Hi Matus: Here's the header. We're seeing a lot of these now:

Received: from unknown (HELO jade.xx.com) (216.99.193.136) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161]) by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907 for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
On 09.05.08 12:08, Jeff Koch wrote: Our users are getting false positives with hits on 4.2 FORGED_MUA_OUTLOOK and are saying they are 100% certain that the email was sent from MS Outlook Express. Is this a known problem or are these users doing something wrong?

may be... can you show us headers of such e-mail?

meta __FORGED_OE(__OE_MUA !__OE_MSGID_1
Re: Low Scores on Bounce Backs
From what I've seen the VBounce ruleset catches ALL backscatter and does not distinguish between legitimate bounce-backs and bounce-backs of emails with forged return addresses - which basically makes it useless for filtering out joe-jobs. VBounce should be matching the forged name of the originating mailserver against the IP address of the originating mailserver.

At 04:59 AM 4/11/2008, Justin Mason wrote:
Jason Haar writes: I think we've detoured from the actual problem? The fact is that lots of spam is now being sent to other sites, pretending to be from (collectively) our email addresses, so that we get the bounces containing the spam. And SA isn't marking these messages as spam, whereas if it was directly sent the same spam, it would. So how do we fix this situation? What about getting SA to detach the associated bounced message as a separate message and score that instead? I know I can casually just say that - doing is a different matter - but isn't that really the only answer to this problem?

There's no problem. SpamAssassin 3.2.x includes the VBounce ruleset which is expressly designed to catch backscatter -- and does a good job at it. If you have a backscatter problem, you need to start using that ruleset. --j.

Best Regards, Jeff Koch, Intersessions
Re: Low Scores on Bounce Backs
Our users are getting hundreds of these! One of the problems is that the actual spam email is sometimes not attached. But interestingly enough we are usually sent the email header of the original email. From that we (the humans) can easily spot that the IP address of the mailserver claiming to be ours is, in fact, not. So, if that line in the returned email header can be parsed perhaps a program can validate the IP address. Only a suggestion - I'm sure a lot harder in real life. SPF only works in these instances if (1) the domain users know what mailservers they might use and (2) the mailserver that received the original SMTP connection analyzes SPF before accepting the connection and doesn't just bounce the email back to the sender.

At 07:28 PM 4/10/2008, Jason Haar wrote:
I think we've detoured from the actual problem? The fact is that lots of spam is now being sent to other sites, pretending to be from (collectively) our email addresses, so that we get the bounces containing the spam. And SA isn't marking these messages as spam, whereas if it was directly sent the same spam, it would. So how do we fix this situation? What about getting SA to detach the associated bounced message as a separate message and score that instead? I know I can casually just say that - doing is a different matter - but isn't that really the only answer to this problem? How are others (successfully) handling backscatter? Moving bounces into yet another separate folder isn't a solution for our users - and I'm sure the same applies elsewhere. Spam is spam...

-- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Best Regards, Jeff Koch, Intersessions
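The check Jeff sketches in the two replies above (VBounce "should be matching the forged name of the originating mailserver against the IP address", and "if that line in the returned email header can be parsed perhaps a program can validate the IP address") as an added Python example. This is not code from the thread or from SpamAssassin's VBounce plugin. It takes the earliest Received: header of the bounced original, i.e. the hop where a remote MTA accepted mail claiming to be from our domain, and asks whether that IP is one of our own relays. The domain, the relay address and both bounce messages are constructed for the example; the "Original message follows." marker is the SMTP32 convention visible in the bounce quoted later in this thread, and the multipart/report form is the RFC 3464 style bounce.

```python
"""Backscatter check: does a bounce we received refer to mail that actually
left through one of our own relays?  Added example; not code from the thread
or from SpamAssassin's VBounce plugin."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed values: our domain and the public addresses of our outbound relays.
OUR_DOMAIN = "example.net"
OUR_RELAY_IPS = {ipaddress.ip_address("203.0.113.10")}

# Plain-text bouncers (SMTP32, qmail) paste the original after a marker line
# instead of attaching it as a message/rfc822 part.
ORIGINAL_MARKER = "Original message follows."
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_NAME = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)


def extract_original(bounce: Message) -> Optional[Message]:
    """Return the bounced original, or None if the bounce carries no headers."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            nested = part.get_payload()          # a one-element list
            if isinstance(nested, list) and nested:
                return nested[0]
    if bounce.is_multipart():
        return None
    body = bounce.get_payload(decode=True).decode("utf-8", "replace")
    _, marker, rest = body.partition(ORIGINAL_MARKER)
    if not marker:
        return None
    original = message_from_string(rest.lstrip())
    return original if original.get_all("Received") else None


def first_hop(original: Message) -> Optional[Tuple[str, ipaddress.IPv4Address]]:
    """(claimed HELO name, IP) of the host that injected the original.

    MTAs prepend Received: headers, so the last one is the earliest hop: the
    host that told the remote server it was 'us'."""
    received = original.get_all("Received") or []
    if not received:
        return None
    earliest = " ".join(received[-1].split())   # unfold the header
    ip = BRACKETED_IP.search(earliest)
    if not ip:
        return None
    helo = HELO_NAME.search(earliest)
    return (helo.group(1) if helo else "", ipaddress.ip_address(ip.group(1)))


def classify_bounce(raw: str) -> dict:
    """'legitimate' if the original left via our relay, 'backscatter' if a
    foreign host claimed our domain, 'unknown' when there is nothing to check."""
    original = extract_original(message_from_string(raw))
    if original is None:
        return {"verdict": "unknown", "reason": "no original headers in bounce"}
    _, sender = parseaddr(original.get("From", ""))
    if sender.rpartition("@")[2].lower() != OUR_DOMAIN:
        return {"verdict": "unknown", "reason": "original is not from our domain"}
    hop = first_hop(original)
    if hop is None:
        return {"verdict": "unknown", "reason": "no usable Received: header"}
    helo, ip = hop
    verdict = "legitimate" if ip in OUR_RELAY_IPS else "backscatter"
    return {"verdict": verdict, "helo": helo, "ip": str(ip)}


# Constructed bounce in the SMTP32 style: a foreign host forged our domain.
FORGED_BOUNCE = """\
From: Postmaster <postmaster@remote.example.org>
To: victim@example.net
Subject: Undeliverable Mail
X-Mailer: SMTP32 v9.23

User mailbox exceeds allowed size: someone@remote.example.org
Original message follows.

Received: from Dynamic-IP-85 [198.51.100.85] by remote.example.org with ESMTP id C0001; Sun, 06 Apr 2008 12:23:32 -0700
Message-ID: <constructed-forged@example.net>
From: Replicae <victim@example.net>
To: someone@remote.example.org
Subject: Handbags

(spam body)
"""

# Constructed RFC 3464 style bounce of mail that really left through our relay.
LEGIT_BOUNCE = """\
From: Mailer-Daemon <mailer-daemon@remote.example.org>
To: user@example.net
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd"

--bnd
Content-Type: text/plain

Delivery to the following recipient failed permanently.
--bnd
Content-Type: message/rfc822

Received: from mail.example.net (mail.example.net [203.0.113.10]) by remote.example.org with ESMTP id C0002; Mon, 07 Apr 2008 09:00:00 -0700
Message-ID: <constructed-legit@example.net>
From: Real User <user@example.net>
To: gone@remote.example.org
Subject: Invoice

Hello
--bnd--
"""

if __name__ == "__main__":
    for name, sample in (("forged", FORGED_BOUNCE), ("legit", LEGIT_BOUNCE)):
        print(name, classify_bounce(sample))
```

The "unknown" verdicts are deliberate: a bounce that carries no original headers at all (the case Jeff mentions where the spam is not attached) cannot be judged this way, and a bounce of mail that never claimed our domain is somebody else's problem. Only the two cases where the evidence is actually in the bounce get a definite answer, which is also the split the whitelist_bounce_relays setting is meant to give VBounce.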
Low Scores on Bounce Backs
Maybe I'm doing something wrong but the bounces we receive are getting extremely low scores. My understanding was that by enabling VBounce in the V3.2.4 config's and by adding:

whitelist_bounce_relays mailserver_name.com

we would have a shot at filtering out bounces. Instead we are seeing very low bounce scores:

* 0.1 BOUNCE_MESSAGE MTA bounce message
* 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message

A scoring of 0.2 does little. Here's the full header. If anyone can help explain what we're doing wrong or should change I'd appreciate it.

Return-Path:
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 32048 invoked by uid 89); 6 Apr 2008 16:11:23 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 32046 invoked by uid 89); 6 Apr 2008 16:11:23 -
Received: by simscan 1.3.1 ppid: 32002, pid: 32005, t: 2.3057s scanners: clamav: 0.92/m: spam: 3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mailserver_name.com
X-Spam-Level:
X-Spam-Status: No, score=4.7 required=5.0 tests=ANY_BOUNCE_MESSAGE, BOUNCE_MESSAGE,DATE_IN_PAST_03_06,INVALID_DATE,RDNS_NONE,URI_HEX autolearn=no version=3.2.4
X-Spam-Report:
 * 1.7 INVALID_DATE Invalid Date: header (not RFC 2822)
 * 1.4 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
 * 1.3 URI_HEX URI: URI hostname has long hexadecimal sequence
 * 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
 * 0.1 BOUNCE_MESSAGE MTA bounce message
 * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
Received: from unknown (HELO eSolutionsWebServer.esolutions.com.jo) (69.46.25.141) by 0 with SMTP; 6 Apr 2008 16:11:20 -
Date: Sun, 6 Apr 2008 12:23:42
Message-Id: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: Postmaster [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Undeliverable Mail
X-Mailer: SMTP32 v9.23
X-UID: 74000

User mailbox exceeds allowed size: [EMAIL PROTECTED]
Original message follows.

Received: from Dynamic-IP-19015811685.cable.net.co [190.158.116.85] by eSolutionsWebServer.esolutions.com.jo with ESMTP (SMTPD-9.23) id A3340334; Sun, 06 Apr 2008 12:23:32 -0700
Message-ID: [EMAIL PROTECTED]
From: Replicae [EMAIL PROTECTED]
To: Most Exclusive [EMAIL PROTECTED]
Subject: [SPAM Premium Filter] [X-IMail-SPAM-Connection] Handbags
Date: Sun, 06 Apr 2008 14:23:50 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0003_01C89800.06801453
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-IMAIL-SPAM-DNSBL: (dul.dnsbl.sorbs.net,233101d0db85,127.0.0.10)
X-Mail-Filters-Spam: Spam [ID=2 4B300C2D2BC44937ABDB0C10BEF68235]
X-IMAIL-SPAM-PREMIUM: (233101d0db85)

This is a multi-part message in MIME format.

Best Regards, Jeff Koch, Intersessions
Re: Low Scores on Bounce Backs
Hello Karsten: Thanks for the reply. I thought the purpose of adding the 'whitelist_bounce_relays mailserver_name.com' in local.cf was so that SA could assign a higher score to bounces that never originated at your own mailserver. Thereby identifying return address forgery.

At 02:04 PM 4/6/2008, Karsten Bräckelmann wrote:
On Sun, 2008-04-06 at 13:19 -0400, Jeff Koch wrote: Maybe I'm doing something wrong but the bounces we receive are getting extremely low scores. My understanding was that by enabling VBounce in the V3.2.4 config's and by adding: whitelist_bounce_relays mailserver_name.com we would have a shot at filtering out bounces. Instead we are seeing very low bounces scores:

The goal of VBounce is to *identify* and spot backscatter, not to flag it as spam. Actually, IIRC its stated intention is to treat backscatter differently from spam, because (strictly) it is not.

* 0.1 BOUNCE_MESSAGE MTA bounce message
* 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message

A scoring of 0.2 does little. Here's the full header. If anyone can help explain what we're doing wrong or should change I'd appreciate it.

$ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
# If you use this, set up procmail or your mail app to spot the
# ANY_BOUNCE_MESSAGE rule hits in the X-Spam-Status line, and move
# messages that match that to a 'vbounce' folder.

guenther

-- char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Best Regards, Jeff Koch, Intersessions
RE: Dramatic increase in bounce messages to forged addresses
I'll second that - a tremendous increase At 08:15 PM 4/1/2008, Kurt Buff wrote: Yup. Big rise over the past two weeks. Kurt -Original Message- From: William Terry [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 01, 2008 17:07 To: users@spamassassin.apache.org Subject: Dramatic increase in bounce messages to forged addresses I mostly lurk here, gleaning bits of wisdom from those far more knowledgeable than me, however... I am getting a dramatic increase in bounce messages with my domain forged sent to me. At least some of the messages still retain the headers so I can tell that we did not originate the message. I also know that there is probably little I can do to keep them coming. I'm just wondering if anyone else is seeing a dramatic rise in these messages? Is there anything I can do to mitigate this? Thanks. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Best Regards, Jeff Koch, Intersessions
Re: Detail Spam Scoring
Hi Matt: Thanks for answering. However neither 'add_header all Report_REPORT_' or 'add_header all' seem to be valid SA commands per 'lint':

[4716] warn: config: SpamAssassin failed to parse line, all is not valid for add_header, skipping: add_header all
[27883] warn: config: SpamAssassin failed to parse line, all Report_REPORT_ is not valid for add_header, skipping: add_header all Report_REPORT_

We already have 'report_safe 0' in the local.cf which according to the doc's should produce a report with detailed scoring but doesn't. Any idea how we can troubleshoot this? We are trying to get a report with detailed scoring.

At 08:27 AM 3/28/2008, Matt Kettler wrote:
Jeff Koch wrote: We used to get detailed spam scoring in the email headers but it seems to have disappeared after installing 3.2.4. Is there some command for turning the detailed scoring back on. Can someone please tell me what it is?

look at the add_header command. Since 2.6.0 this has been the way to configure your header reports.. This should add a fairly detailed header called X-Spam-Report:

add_header all Report_REPORT_

see also: man Mail::SpamAssassin::Conf

Best Regards, Jeff Koch, Intersessions
Re: Detail Spam Scoring
Thanks - that worked!!

At 07:08 PM 3/30/2008, Matt Kettler wrote:
Jeff Koch wrote: Hi Matt: Thanks for answering. However neither 'add_header all Report_REPORT_' or 'add_header all' seem to be valid SA commands per 'lint'

You're missing a space between Report and _REPORT_, which apparently I missed in my post. My bad, it should be:

add_header all Report _REPORT_

Add header takes 3 parameters. Any less will result in an error.

Best Regards, Jeff Koch, Intersessions
Detail Spam Scoring
We used to get detailed spam scoring in the email headers but it seems to have disappeared after installing 3.2.4. Is there some command for turning the detailed scoring back on. Can someone please tell me what it is? Thanks Best Regards, Jeff Koch, Intersessions
Bounce back spam
Our users are getting inundated with bounce-back, joe-job spam. We have the Vbounce.pm plugin enabled (v3.2.4) and have a 'whitelist_bounce_relays' with the name of the mailserver in the local.cf file and the 'failure notices', 'mail delay' and undeliverables don't seem to be getting any score at all. Here's the portion of the header from one showing almost no score: ('s added to protect our innocent mailserver.)

Received: (qmail 29961 invoked for bounce); 28 Mar 2008 03:48:18 +0900
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on x.x.com
X-Spam-Status: No, score=0.1 required=5.0 tests=MISSING_MID,RDNS_NONE autolearn=no version=3.2.4

Hi. This is the qmail-send program at xsp.fenics.jp. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

Best Regards, Jeff Koch, Intersessions
Re: Bounce Back Spam
Hi Matus: Thanks but I don't even see these rules getting triggered. We have the plugin enabled and the 'whitelist_bounce_relays mailserver_name' line in local.cf

At 12:09 PM 3/25/2008, you wrote:
On 25.03.08 12:00, Jeff Koch wrote: Our users are getting tons of bounce-back (joe job) spam starting Monday. The bounce-backs are getting very low scores. Is there anything we can do/change/adjust in SA to block these?

load VBounce plugin and increase scores for BOUNCE_MESSAGE, CRBOUNCE_MESSAGE, VBOUNCE_MESSAGE and ANY_BOUNCE_MESSAGE

maybe SA could look at included headers (if they are RFC822 bounces) to check if the original message was spam, and score appropriately, if it was

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Emacs is a complicated operating system without good text editor.

Best Regards, Jeff Koch, Intersessions
Bounce Back Spam
Hi: Our users are getting tons of bounce-back (joe job) spam starting Monday. The bounce-backs are getting very low scores. Is there anything we can do/change/adjust in SA to block these? Best Regards, Jeff Koch, Intersessions
auto_whitelist path error
I'm getting this spamd error in the maillogs and I have AWL turned off. We're also using vpopmail and have the following spamd starting parameters:

SPAMDOPTIONS=-d -c -m5 -H -q -u vpopmail

Can anyone tell me what we're doing wrong?

Feb 4 02:33:24 libra spamd[2948]: auto-whitelist: open of auto-whitelist file failed: auto-whitelist: cannot open auto_whitelist_path /home/vpopmail/.spamassassin/auto-whitelist: Inappropriate ioctl for device
Feb 4 02:33:24 libra spamd[2948]: Can't call method finish on an undefined value at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/AWL.pm line 397, GEN268 line 689.

This whole setup is working properly on two other mailservers and we can't see what's different about the one. Any suggestions would be welcome. TIA

Best Regards, Jeff Koch
spamd starting error
Hi: On both 3.0.2 and 3.0.4 I'm getting the following error when trying to start spamd on a CentOS 3.4 mailserver (Redhat ES 3.4 clone). /etc/init.d/spamd has

SPAMDOPTIONS=-d -c -m5 -q -x -v -H

which works successfully with a number of Redhat 8.0 mailservers. I tried local.cf with 'use_auto_whitelist 0' and without. Has anyone else seen this error? Any solutions? TIA

Starting spamd: The -a option has been removed. Please look at the use_auto_whitelist config option instead. [FAILED]

Best Regards, Jeff Koch
Relay Country
What does one need to do to activate the relay country tests? We have the CPAN module installed and added this line to local.cf loadplugin Mail::SpamAssassin::Plugin::RelayCountry Do we need to add any scores or tests? We are not yet seeing any evidence that the test is being used. Best Regards, Jeff Koch
Bayes FP/FN Training Procedures
Has anyone come up with a script or method that would allow users to forward their false positive and false negative emails back to an address on the mailserver where they can be used to train the Bayes database. I understand that Bayes needs the email in its original format so the script has to strip off the forwarding enclosure. Thanks in advance. Jeff Koch
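One way to do the unwrapping Jeff asks about, as an added Python example (not a script from the list or from SpamAssassin). It accepts only originals that were forwarded as message/rfc822 attachments, because an inline forward has already lost the Received:, Message-ID: and X-Mailer: headers that SpamAssassin's rules and Bayes look at; it decides spam versus ham from the training address the user sent the forward to, writes each original out under its own file, and builds the sa-learn command line. The two training addresses and the forwarded message are constructed for the example.

```python
"""Unwrap messages that users forwarded as attachments to a training address so
the originals, headers intact, can be fed to sa-learn.  Added example; not a
script from the list or from SpamAssassin."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from hashlib import sha1
from pathlib import Path
from typing import List, Optional

# Constructed training addresses: one for missed spam, one for false positives.
TRAINING_ADDRESSES = {
    "spam-report@example.net": "spam",
    "ham-report@example.net": "ham",
}


def unwrap_forwarded(raw: bytes) -> List[EmailMessage]:
    """Every original attached as message/rfc822 ('Forward As Attachment' in
    Outlook Express and most other clients).  Inline forwards are ignored on
    purpose: their original headers are gone, so training on them teaches
    Bayes about the forwarder's mail client, not about the spam."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    return [
        part.get_content()                      # the nested EmailMessage
        for part in outer.iter_attachments()
        if part.get_content_type() == "message/rfc822"
    ]


def training_kind(raw: bytes) -> Optional[str]:
    """'spam' or 'ham' from the address the user sent the forward to."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    for header in ("Delivered-To", "To"):
        values = [str(v) for v in outer.get_all(header, [])]
        for _, addr in getaddresses(values):
            kind = TRAINING_ADDRESSES.get(addr.lower())
            if kind:
                return kind
    return None


def stage_for_training(raw: bytes, spool: Path) -> List[Path]:
    """Write each unwrapped original into spool/<kind>/ and return the paths.
    Content-hashed names make re-forwarded duplicates collapse to one file."""
    kind = training_kind(raw)
    if kind is None:
        return []
    written = []
    for original in unwrap_forwarded(raw):
        data = original.as_bytes()
        target = spool / kind / (sha1(data).hexdigest() + ".eml")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(target)
    return written


def sa_learn_command(kind: str, spool_dir: str) -> List[str]:
    """argv for the learning run over a spool directory; --no-sync defers the
    journal sync so a cron job can finish with a single 'sa-learn --sync'."""
    return ["sa-learn", f"--{kind}", "--no-sync", spool_dir]


# Constructed forward: a user sent a missed spam, as an attachment, to the
# spam training address.
SAMPLE_FORWARD = b"""\
From: Alice <alice@example.net>
To: spam-report@example.net
Subject: Fwd: Unsolicited offer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="fwd"

--fwd
Content-Type: text/plain

This one got through to my inbox, please train it.
--fwd
Content-Type: message/rfc822
Content-Disposition: attachment

Received: from server (198-51-100-7.dsl.example.org [198.51.100.7]) by mx.example.net with SMTP id C0003; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <constructed-1@example.org>
From: Sender <nobody@example.org>
To: alice@example.net
Subject: Unsolicited offer
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

please see the attached offer
--fwd--
"""

if __name__ == "__main__":
    for original in unwrap_forwarded(SAMPLE_FORWARD):
        print(training_kind(SAMPLE_FORWARD), original["Subject"], original["Message-ID"])
    print(" ".join(sa_learn_command("spam", "/var/spool/satrain/spam")))
```

Running stage_for_training from the delivery agent for the two training addresses, with sa-learn invoked by cron over the spool, keeps the learning step out of the delivery path and leaves the Bayes database to one writer at a time.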
Ready for Production Use
Two months ago when we tried upgrading one of our production mailservers to SA v3 we had a complete disaster - numerous processes spawning, heavy load factors, high memory usage. I was wondering whether now that SA 3.02 has been released whether it is now time to try the upgrade again. What are the opinions of those running heavily used mailservers? Any suggestions or words of wisdom on the proper settings to keep things under control. Best Regards, Jeff Koch
Re: Frustration...
Hi Lisa: Spamassassin basically just tags emails as spam. You need other programs like procmail to actually dispose of it. We run email for about 5000 domains and around 20,000 users. We use qmail with qmail-scanner for virus scanning and then vpopmail with qmailadmin, maildrop and spamassassin for pop3 and user mail management. Qmailscanner automatically dumps emails with viruses into a holding directory. Qmailadmin allows you to pass all mail through 'maildrop' before putting it into the user's mailbox. Maildrop is a scripting program similar to procmail. We use a maildrop script to run spamassassin against the email - if the spam flag is triggered maildrop directs the mail to a Spam account (or spam folder if we're running IMAP). Otherwise the mail goes into the user's regular pop3 box. A cron job automatically deletes virus and spam emails older than ten days. It sounds more complicated than it is but it works really well and allows us to have user configurable spam preferences and domain level bayes databases. I'm sure there are similar ways of handling things in the sendmail world. However, we switched from Sendmail to Qmail about a year ago because it just seemed easier to accomplish what we wanted with Qmail.

At 02:15 PM 11/4/2004, you wrote:
Hi Folks, I've spent most of this week on this and am just getting frustrated. I'm Sysadmin for an ISP. I installed MIMEDefang, Spamassassin and filter::scan on my Red Hat Sendmail server as a way of dealing with my customers spam/virus (mostly the spam, it's a REAL problem). As far as I can tell, MIMEDefang/Spamassassin are working OK. I tested Spamassassin when I installed it with the sample-nonspam.txt and sample-spam.txt included. Mimeddefang adds this header to e-mail: X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1 and Spamassassin adds a SpamAssassinReport.txt as an attachment to each spam mail. But I've been reading websites for two days now and can't figure out how to do anything else with this.
Basically I don't want spam coming into my users mailboxes, they don't want it. I understand there will be some amount of false positives, but I just want to drop (or bounce or whatever) the spam before it reaches the mailboxes. I'd also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc. I know I can do the above with MIMEDefang/Spamassassin, but I'll be darned if I can figure out how. And the more I try to figure it out, it seems, the more confused I am getting. Also, I'm not sure how I'm supposed to feed it spam. I have Sendmail/Qpopper and most of my users pick up their mail using Outlook Express. I understand I can't just forward spam to a spam mailbox and run sa-learn on that as the forwarding will not get the original headers. There has to be an easy way to learn to use this and get it to do what I want but I can't really figure it out. Surely there are some other ISP's on these lists who might be willing to tell me how they use it. Thanks, Lisa Casey

Best Regards, Jeff Koch, Intersessions
Re: spamd still burning CPU in 3.0.1
We have two production mailservers running SA spamd. The first handles about 5,000 incoming emails per hour, does spam filtering with SA and virus filtering with qmailscanner and forwards the filtered mail to a server handling the pop accounts. We're using SA 2.64 with Bayes, AWL, Razor and about half of the RBL's. The machine is a 2.8Ghz P4 with 1.0GB RAM and SCSI hard drive. CPU usage runs between 25-40% and system load runs 1.50 to 2.20 with isolated spikes to 7.0. The second machine is a 2Ghz Athlon with 1.0GB RAM and an IDE drive. It does spam and virus filtering with SA 2.64 and qmailscanner and also handles POP3 sessions with vpopmail. We use Bayes, AWL, Razor and the same RBL's. It handles approx 2,500 emails per hour (with peaks of 5K emails/hour) and approx 2,000 pop3 sessions per hour (peaks of 5K pops/hour). CPU usage runs about 20% with peaks to 50% and system load averages 0.80 with peaks of 16.0. We are pretty satisfied with the above setup.

We tried moving one of the servers to SA 3.0 in order to use the new MySQL Bayes features but got absolutely killed on CPU usage and system load - that lasted about a day and we reverted to 2.64. We figure that we'd have to reduce the email load on each server by 50% in order to use SA 3.0 and thereby need twice as many servers. However, we're going to wait until the SA developers take the memory and load issues seriously and fix the problem. Maybe if enough users complain they'll do some high volume production test comparisons of 3.0 with previous versions and sort out the problem.

At 09:33 PM 10/27/2004, email builder wrote:
email builder wrote: email builder wrote: How much email are you processing ? Well, just the other day we had an average of 48 msgs/min (max 255/min) get run through SA. Can't say today yet because can't run our stats tools until the busy hours are over cuz SA is hogging the CPU. ;) Hi, Your CPU is over loaded.
At 48 a minute it should run just ok on a 2.8 Ghz machine, much over that it's going to start having problems. On our 2.4 Ghz (not HT) processor if I process over 35 a minute I start having problems with load. I have two reactions to this: 1) I like the glimmer of hope and the idea that throwing hardware at the problem can solve it 2) Throwing hardware at problems is usually avoiding fixing the *real* problem. According to other posters on this list, my load is not excessive for a modern-day 2.xGHz machine. I will have to re-read some messages, but I believe responders to my posts on the [OT] Email Servers thread quoted similar machine specs and higher load than me and said they did not have load problems. I'd love to hear that I am mistaken and that it's just a matter of too little hardware, but I am skeptical... I'd recommend upgrading to a dual server or perhaps putting in a second server with round robin DNS (or if you can do it, a load balancer). We've been thinking about a multiple-machine email solution and have been wondering about architecture. Since SA seems to be the *only* email server module that causes us grief (even amavisd-new/clamav is nicer to our machine!!), and although it seems strange not to go with a separate file server or database server machine (or to otherwise split up SMTP and IMAP, etc), I am starting to think (as you suggest) that just adding a separate SA server is going to get us the biggest performance increase. What are people's opinions and experience setting up separate/multiple SA servers? Are there any good links for reading about such setups on the wiki or anywhere else? SA is that CPU intensive, it really is. Maybe try adding RBL's in front of the MTA to reduce the number of messages you have to scan, that's what we do. Ha! Yeah, this message rate is *WITH* something like 10 RBL's in Postfix up front. W/out that, we'd *really* be drowning. :) Many thanks!

Best Regards, Jeff Koch
Re: spamd still burning CPU in 3.0.1
You are correct and I apologize to the SA team. I cannot characterize the problem as a bug - SA 3.0 is just much slower and resource intensive than SA 2.64. If I understand you correctly you are just testing Bayes. Our production testing involved using SA as a whole. And I again suggest that SA 3.0 be compared against previous versions (like 2.64) in a real world production test. Maybe the answer is to publish a cheat sheet of new features in 3.0 that need to be turned off in order to achieve the throughput of 2.64. At 01:41 AM 10/28/2004, Michael Parker wrote: On Thu, Oct 28, 2004 at 01:09:57AM -0400, Jeff Koch wrote: We figure that we'd have to reduce the email load on each server by 50% in order to use SA 3.0 and thereby need twice as many servers. However, we're going to wait until the SA developers take the memory and load issues seriously and fix the problem. Maybe if enough users complain they'll do some high volume production test comparisons of 3.0 with previous versions and sort out the problem. I believe this is an entirely unfair characterization of the development team. In all cases where recent memory issues have cropped we've worked to resolve them. As for load and speed issues, I personally take these very seriously. I would guess I benchmark bayes on the average of twice a day. The benchmark pumps 300+ msgs per minute through my server, 6.5+ million SQL queries averaging around 3200 queries per second on my MySQL server. If anyone has a reproducible memory or load issue I highly encourage you to file a bug so that we can start tracking it down. Michael Best Regards, Jeff Koch, Intersessions
Re: spamd still burning CPU in 3.0.1
we do. Ha! Yeah, this message rate is *WITH* something like 10 RBL's in Postfix up front. W/out that, we'd *really* be drowning. :) Many thanks!

Best Regards, Jeff Koch, Intersessions
Re: spamd still burning CPU in 3.0.1
To clarify - the first server handles 700 domains and the second 250. The first is only handling virus and spam filtering for incoming email while the second is doing that plus pop3 and outgoing mail. The first is also SCSI which seems to help a lot - especially for qmail. Oh, also in both machines we use MySQL per-user spam preferences which puts another big load on the servers.

At 04:36 AM 10/28/2004, John Andersen wrote:
On Thursday 28 October 2004 12:18 am, email builder wrote: We have two production mailservers running SA spamd. The first handles about 5,000 incoming emails per hour, does spam filtering with SA and virus Can I ask you how you load balance between the two machines (obviously if one handles 5000/hr and the other 2,500, it's not straight round robin)?

I saw nothing in his post to suggest he balanced load, or even that the two servers were serving the same domains. I just took it at face value that with 3.0.1 they couldn't keep up, but falling back to 2.64 he could carry the load. -- _ John Andersen

Best Regards, Jeff Koch, Intersessions
procedure for AWL pruning
Our auto-whitelist file on our server has grown to 700MB. Is there a procedure for pruning it? It seems to be growing indefinitely. Best Regards, Jeff Koch