Re: Problem installing Spamassassin 4.0.0 on Ubuntu 23.10 Server
On Wed, 2024-02-14 at 09:59 +0100, Matus UHLAR - fantomas wrote:
> > > > On Feb 14, 2024, at 06:12, Ken Wright wrote:
> > > >
> > > > I've built a mail server and I wanted to include Spamassassin.
> > > > As noted above, the machine is running Ubuntu Server 23.10, so
> > > > I started with
> > > >
> > > > sudo apt install spamassassin spamc
> > > >
> > > > but I can't start the spamassassin.service; the error message I
> > > > get when I run
> > > >
> > > > sudo systemctl start spamassassin
> > > >
> > > > says "Failed to start spamassassin.service: Unit
> > > > spamassassin.service not found." Spamd, however, is active and
> > > > running. Is this normal? If it isn't, what can I do to
> > > > correct things?
> > > >
> > > > Further information available on request. Thanks in advance!
>
> > > On Wed, 2024-02-14 at 06:15 +0100, Niels Kobschätzki wrote:
> > > The service seems to have been renamed. It is the same on Debian.
> > > You also have to change now /etc/default/spamd instead of
> > > /etc/default/spamassassin for start-up options.
>
> > On 14.02.24 00:23, Ken Wright wrote:
> > So it's normal? I don't need to obsess over it?
>
> You don't. Just note it for further installations.

Thank you! I will make a note.

Ken
Re: Problem installing Spamassassin 4.0.0 on Ubuntu 23.10 Server
On Wed, 2024-02-14 at 06:15 +0100, Niels Kobschätzki wrote:
>> On Feb 14, 2024, at 06:12, Ken Wright wrote:
>>
>> I've built a mail server and I wanted to include Spamassassin. As
>> noted above, the machine is running Ubuntu Server 23.10, so I
>> started with
>>
>> sudo apt install spamassassin spamc
>>
>> but I can't start the spamassassin.service; the error message I get
>> when I run
>>
>> sudo systemctl start spamassassin
>>
>> says "Failed to start spamassassin.service: Unit
>> spamassassin.service not found." Spamd, however, is active and
>> running. Is this normal? If it isn't, what can I do to correct
>> things?
>>
>> Further information available on request. Thanks in advance!
>
> The service seems to have been renamed. It is the same on Debian. You
> also have to change now /etc/default/spamd instead of
> /etc/default/spamassassin for start-up options.

So it's normal? I don't need to obsess over it?

Ken
Problem installing Spamassassin 4.0.0 on Ubuntu 23.10 Server
I've built a mail server and I wanted to include Spamassassin. As noted above, the machine is running Ubuntu Server 23.10, so I started with

sudo apt install spamassassin spamc

but I can't start the spamassassin.service; the error message I get when I run

sudo systemctl start spamassassin

says "Failed to start spamassassin.service: Unit spamassassin.service not found." Spamd, however, is active and running. Is this normal? If it isn't, what can I do to correct things?

Further information available on request. Thanks in advance!

Ken
Re: My apologies
On 2023-08-02 15:49, Loren Wilton wrote:
>> I've blocked him on my mail server, as well.
>
> I don't know that I'd block him, but you do need to take anything he says with a few horselicks of salt.

I (who have almost nothing to contribute to Spamassassin itself, other than being a user) think he should be blocked. I've been online for over 40 years, and it's rare to have someone so actively hostile right out of the gate -- I admit, it made me worried what kind of environment was fostered on the Spamassassin list when I asked my newbie question, and was outright mocked by him. And so, while I have zero sway as a team member or anything like that, as a newbie mailing list member, looking for help, I humbly submit that he's not someone you want being the first interaction a new list member has.

$.02, YMMV, etc.

-Ken
Re: Really hard-to-filter spam
On 7/27/2023 12:08 PM, Ken D'Ambrosio wrote:
>> Hey, all. I've recently started getting spam that's really hard to deal with, and I'm open to suggestions as to how to approach it.
>
> Superficially, I'm not sure why the OP's rule didn't match the target message, but it is NOT because of the Base64 encoding of parts with the 'text' primary MIME type. If I had to guess, I'd look for invisible characters hidden in the text (e.g. Unicode "zero width non-joiner" marks and the like) that break the pattern and for lookalike non-ASCII characters (often Cyrillic or Greek) in the target string.

Sweet! The assistance of those who actually felt like assisting, instead of simply critiquing, is much appreciated. I see some assumptions I made were wrong (e.g., decoding apparently isn't a problem), and I'm guessing it is probably something stupid like Unicode. I'll also make sure I match those other rules; my rules file, I now realize, is ancient, and likely badly needs to be made more current.

Much appreciated!

-Ken
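Added example, not part of the thread: it demonstrates the two evasions the reply above points at, a zero-width non-joiner spliced into a word and Cyrillic letters standing in for Latin ones, and shows how a body phrase rule misses the raw text but matches after normalization. The confusables table is a constructed subset of the Unicode list, the sample body is made up, and the phrase rule is an arbitrary stand-in for the OP's rule. Python is used so the logic can be run directly; the same folding would have to happen before a SpamAssassin body rule sees the text.

```python
import re
import unicodedata

# Invisible code points spammers sprinkle into words so a rule like /verify your account/
# no longer sees a contiguous string.  All are Unicode category "Cf" (format) or a soft hyphen.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# A constructed subset of Unicode confusables: non-Latin letters that render like ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic c x y i
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                  # Greek alpha omicron rho
}

def normalize(text):
    """Fold text into a form that a plain ASCII rule can match."""
    text = unicodedata.normalize("NFKC", text)          # fullwidth letters, ligatures -> ASCII
    text = "".join(ch for ch in text
                   if ch not in ZERO_WIDTH and unicodedata.category(ch) != "Cf")
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def suspicious_codepoints(text):
    """List the characters that would defeat a naive rule; useful as a rule of its own."""
    return sorted({"U+%04X" % ord(ch) for ch in text
                   if ch in ZERO_WIDTH or ch in CONFUSABLES
                   or unicodedata.category(ch) == "Cf"})

# Stand-in for the OP's body rule (the real rule text is not in the thread).
PHRASE = re.compile(r"verify your account", re.IGNORECASE)

def rule_hits(text):
    """Run the phrase rule against the raw body and against the normalized body."""
    return {"raw": PHRASE.search(text) is not None,
            "normalized": PHRASE.search(normalize(text)) is not None,
            "codepoints": suspicious_codepoints(text)}

# Constructed sample: a zero-width non-joiner inside "verify" and Cyrillic a, c, c, o in "account".
SAMPLE = "Please ver\u200cify your \u0430\u0441\u0441\u043eunt within 24 hours"
```

Run `rule_hits(SAMPLE)`: the raw match is False, the normalized match is True, and the codepoint list names U+200C and the four Cyrillic letters, which is the evidence to look for in a message that "should" have matched. A companion rule that scores the presence of category-Cf characters inside otherwise-ASCII words catches the evasion even when the phrase rule is not maintained.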
blacklist_from vs. mail forwarders that resend
I wonder if I could bring up again the problem of dealing with mail forwarding services that resend the message rather than simply passing it on. For example, mail to the alum.mit.edu forwarding service is passed on to the destination address with a Resent-From header giving the alum.mit.edu address (which also appears as the envelope sender). In other words, it looks exactly like a message that I had resent to myself. The reason they use this technique is to avoid problems with DMARC records that say that mail with a given from field should be sent by the servers associated with that organization, not by MIT.

If Resent-From is present, spamassassin uses it instead of From when processing blacklist_from. This would be the right thing to do if it were a human resending the message to another human, but in this case the actual originator is the one in the From field in spite of the Resent-From.

This may not be the right way to forward email, but it's what some places do, and it would be nice to be able to deal with it. I know that I, as the local spamassassin administrator, can create a test to check the From line for each address I want to blacklist. But it would be much nicer if users could just use blacklist_from. So what about an option to ignore specific addresses in the Resent-From field and go on to the actual From field when one of those addresses is present? Something like "ignore_resent_from a...@ress.com".

Ken
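Added example, not part of the post and not SpamAssassin's code: it implements the header selection Ken describes (Resent-From wins when present) together with the ignore_resent_from option he proposes, so the effect of the option on a forwarded message can be seen directly. The message, the forwarder address and the blacklist patterns are all constructed; the wildcard handling follows the shell-style globbing that blacklist_from patterns use.

```python
import re
from email import message_from_string
from email.utils import getaddresses

def blacklist_sender(msg, ignore_resent_from=()):
    """Pick the address a blacklist_from-style check should test.

    Follows the behaviour described in the post (a Resent-From header wins over From) and adds
    the proposed ignore_resent_from list: when every Resent-From address is a known
    forwarder, fall through to From, which is the actual originator.
    Illustration of the proposal only, not SpamAssassin's own code.
    """
    ignore = {a.lower() for a in ignore_resent_from}
    resent = [addr.lower() for _, addr in getaddresses(msg.get_all("Resent-From", [])) if addr]
    resent = [a for a in resent if a not in ignore]
    if resent:
        return resent[0]
    origin = [addr.lower() for _, addr in getaddresses(msg.get_all("From", [])) if addr]
    return origin[0] if origin else None

def glob_to_regex(pattern):
    """blacklist_from patterns use shell-style '*' and '?' wildcards, case-insensitively."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)

def is_blacklisted(raw_message, patterns, ignore_resent_from=()):
    """True when the selected sender address matches any blacklist pattern."""
    sender = blacklist_sender(message_from_string(raw_message), ignore_resent_from)
    return sender is not None and any(glob_to_regex(p).match(sender) for p in patterns)

# Constructed sample: spam that reached the user through an alumni forwarder which
# resends the message with itself as Resent-From (and envelope sender) to satisfy DMARC.
FORWARDED = """\
Resent-From: someone@alum.example.edu
Resent-Date: Mon, 1 Jan 2024 10:00:00 +0000
From: "Deals" <blast@spammer.example>
To: someone@example.org
Subject: limited offer

text
"""
```

Without the ignore list, `is_blacklisted(FORWARDED, ["*@spammer.example"])` is False because the forwarder's Resent-From is the address tested; with `ignore_resent_from=["someone@alum.example.edu"]` the check falls through to From and the spammer pattern matches. The downside of the option is the same as for any forwarder allowlist: a spammer who guesses the forwarder address and adds that Resent-From header gets no benefit, since the fall-through only widens what is tested, never narrows it.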
URI_PHISH false positive
The attached innocuous message confirming a dentist appointment triggered URI_PHISH because of __EMAIL_PHISH because of __UPGR_MAILBOX ("If you would like to update your email preferences...") and __TVD_PH_BODY_ACCOUNTS_POST (consecutive links to "Confirm Appointment" and "Access My Account"). Maybe the latter test is too accepting of things between "confirm" and "account".

Ken

>From bounces+140785-04cf-kdo=cosmos.phy.tufts@email2.patientconnect365.com Wed Jul 31 01:21:10 2019
Return-path:
Envelope-to: k...@cosmos.phy.tufts.edu
Delivery-date: Wed, 31 Jul 2019 01:21:10 -0400
Received: from o1.email.patientconnect365.com ([208.117.54.207]:58202)
	by cosmos.phy.tufts.edu ([130.64.84.253]:25)
	with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
	id 1hsh2y-0003aw-QK - Using Exim-4.92 (MandrivaLinux) MTA (return-path );
	Wed, 31 Jul 2019 01:21:10 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=patientconnect365.com;
	h=content-type:from:mime-version:reply-to:to:subject; s=s1;
	bh=165iwuad+A+xtF5cc0iKnjWaUDA=; b=OasXDZgixUFWEevZ8NWVZxwFQhOrJ
	6upJyHwIEtkV3VAOEoTjmxqE5YAGonOFVbXiK8yTjajNoHPn/50Vbn9/JW+ttg1x
	RTFzglPvaaRhN7H9r/ADlrf219NjEyoer7Je2+zGXhkD7ogr12KFvavvO92a19oV
	QS3J+sB5KMkqJU=
Received: by filter0430p1iad2.sendgrid.net with SMTP id filter0430p1iad2-17091-5D41253F-8
	2019-07-31 05:21:03.172695982 + UTC m=+466413.108552526
Received: from MTQwNzg1 (unknown [40.79.57.229])
	by ismtpd0003p1iad1.sendgrid.net (SG) with HTTP id -Fzi3hpAShmN4sWWK2PLjQ
	Wed, 31 Jul 2019 05:21:02.996 + (UTC)
Content-Type: multipart/mixed; boundary=854eba337f1071593d97a61a9bf2387c0ed4e9d6dcebc521be45da767386
Date: Wed, 31 Jul 2019 05:21:03 + (UTC)
From: "Marina Pinkas DMD"
Mime-Version: 1.0
Reply-to: off...@marinapinkasdmd.com
To: Ken Olum
Message-ID: <-fzi3hpashmn4swwk2p...@ismtpd0003p1iad1.sendgrid.net>
Subject: Confirming Ken's dental appointment - Please reply!
X-SG-EID: 1w0bjdNaSLlCX9tobkNOBt+N2mDIpKdQT8Ed/rzAwvuwWwI73+uwV4PjdLAag69p5/Pomem5n7+j0c
	f4bP31lV5y6UHb52GqExU7ZGSuynjGTTy/dMWKak4DpJjlu7AQ3u7H4ndpNTnPVTU1sRNUlPQNdD6n
	XF78K490XrTJ+bKycjP2E0aeYYkhxqDpF+jwlOoMy0ZH+STrX1p1HvH1xKqkRSQ45SlxD5jIAO2Sva
	tosw89b8u9tpgukPODc1KC
X-SG-ID: IoTBXktF44EoMbFZ1Ol3dv5Z/OEpF90pX76Ydp0dDUSJ7EwaJTkMOnKfmFjr2EM0C1tlz1zAm/2WjK
	FUqfRYicCMuZIzQafeXVEltrD8OUtiBL7KWm5Jy22wHMWnzzGF

--854eba337f1071593d97a61a9bf2387c0ed4e9d6dcebc521be45da767386
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
Mime-Version: 1.0

[HTML body, quoted-printable decoded; markup stripped in the archive]

DOCTYPE: http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
xmlns: http://www.w3.org/1999/xhtml; xmlns:v="urn:schemas-microsoft-com:vml"
Title: Confirming Ken's dental appointment - Please reply!

Email not displaying correctly? View it in your browser.
  (link target: http://email.patientconnect365.com/wf/click?upn=vjamAaqwKvyJuOjPxv-2BBaG7Y1G8tm7BdI1gNFeVLPb3A5ybiejYOUCgm4Mv3tiwoCI9rJqOQmySsIg0ksTE3-2B-2FxM4E9Qyk6-2FVM-2BmjfExPkLmvngUI4KfKacZ7U1ujoL3LkFv6XXnCYr-2FPYqdiDveu4xTjooo3uCtsgcFOK-2F9lqm4QV9rRZAxqI6MP6NzlFSRoqnRRsBV3lTQuBfy4G0kIw-3D-3D_B21HWacmcOkYOIz0NQHuRPAoV9p-2FwA7crI9sjDtWCLv0Gz2wPAVerQi1Yn8Ak-2F2A2aP0btLM9e83-2FkLGm6a-2F6t0VYEKI3VYv4TO0SjHG6HgCH2emOvA-2FDZek5BFBUoEa1ijaw4JTN5wfGYebsvuvRpKIKZAlDPOD8v6UFluDTXsN-2BYoDAtJHEg982GmOqm-2Fgv1DVn3SA6GUK80OZX4gyoMG-2FI8YAjabkTZm3-2B-2B5cLNEnif7KCknIQabO9To9TvI6rJXqdhwdk-2FCzWAal0Be4ffKwjiYgO3MeYSWQu8tMQhQtUWAuykCpfgC51F0uuK-2Fkv-2FW-2FQ9gVHzFTC-2Fs2gX-2BvYw-3D-3D)

Images:
  https://d26ogar5mbvu9a.cloudfront.net/Images/Email_44427f97862a4644932519476273b96b.png (alt "Aesthetic Dental Associates (Marina Pinkas -DMD)", 131x75)
  https://d26ogar5mbvu9a.cloudfront.net/Images/Email_5d4f0ce1a97f4aab927833001695708a.png (450x87)

Hello,

This message is a reminder that Ken has an appointment at Aesthetic Dental Associates (Marina Pinkas -DMD) on Thursday, August 15 at 11:45 AM. Please click below to
  (link target: http://email.patientconnect365.com/wf/click?upn=lUHO-2BnjtlJeb9CRQaHkINvPJDdplzL-2Bn
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
Success! I got so frustrated I reformatted the hard drive and started over. This time, after installing SA and before any tweaking, I tried to start it, and it worked. So I started checking after every tweak, so I could find where the problem lay. Turns out the Options line in /etc/spamassassin had a glitch, so I tweaked it a bit and tried again. Joy! My sincere thanks to everyone who tried to help. I'm sure this won't be the last time I need advice! Ken
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
On 2/12/19 9:53 AM, Bill Cole wrote:
> On 12 Feb 2019, at 1:14, Ken Wright wrote:
>
>> On 2/11/19 11:42 PM, Bill Cole wrote:
>>> On 11 Feb 2019, at 21:40, Ken Wright wrote:
>>>
>>>> On 2/11/19 9:33 PM, Bill Cole wrote:
>>>>> On 11 Feb 2019, at 20:24, Ken Wright wrote:
>>>>>
>>>>>> it does say it's loading the Mail::SpamAssassin::Plugin::Check
>>>>>> module
>>>>>
>>>>> This is evidence that one or more of the following is true about
>>>>> spamd:
>>>>>
>>>>> 1. It is using a different SpamAssassin config than you use from the
>>>>> command line
>>>>> 2. It is using a different perl executable than you use from the
>>>>> command line (e.g. perlbrew)
>>>>> 3. It is using a different perl library path than you use from the
>>>>> command line (e.g. local::lib)
>>>>>
>>>> I'm still kind of a n00b, so... how can I tell which? I have no
>>>> GUI on the server, so everything is from the command line.
>>>
>>> OK, so you'd probably know if you had installed perlbrew or otherwise
>>> rigged up a way that you could accidentally run different perl
>>> executables from systemd and from the command line. So #2 is
>>> *probably* eliminated. Simplest solid check: look at the first line
>>> (starting with '#!') of the spamassassin script and of spamd (which is
>>> also a Perl script) and confirm that they are identical and DO NOT use
>>> /bin/env or /usr/bin/env to find perl. If they are not identical, then
>>> you probably have issues #1 and #2 together. If they use the env
>>> trick, they may be finding different perl executables.
>> I haven't installed perlbrew or anything like that, as far as I know.
>> Where would I find the two scripts you mentioned?
>
> Running 'which spamassassin' will give you the full path to the
> spamassassin script that you are running. The full path to the spamd
> being run by systemd should be /usr/sbin/spamd if the Debian package
> hasn't been mangled, and you can see for sure in the "ExecStart " line
> in the unit file for SpamAssassin:
> /etc/systemd/system/spamassassin.service (if that exists) or
> /lib/systemd/systemd/spamassassin.service
>
Okay, I checked. Both Spamassassin and spamd start with #!/usr/bin/perl -T -w. No env variables.

>>> #1 is only likely if you have installed SpamAssassin in multiple ways,
>>> e.g. from the distribution's package for it and from source or using
>>> CPAN. If you have stuck strictly to using the standard packages for SA
>>> and Perl and the various Perl modules that SA depends on, you would
>>> have a hard time creating this issue without trying very hard. If you
>>> have tried installing SA and/or its dependencies "by hand" or using
>>> CPAN instead of using the prebuilt packages, clean up that mess and
>>> reinstall from packages. A bespoke artisanal installation is
>>> inappropriate for someone who claims to be "kind of a n00b."
>> I installed SA from the Ubuntu repositories only. I have, however,
>> installed a few modules (such as Geo::IP) from CPAN, after starting with
>> the debug flag indicated there were a few uninstalled modules (such as
>> Geo::IP). Repeating the debug start showed all those modules installed,
>> so I don't think that's the issue.
>
> Maybe we need to see the whole output from a debug start attempt and
> from a command-line interactive 'spamassassin --lint -D' run.
>
> [...]
>>> One way to debug this would be to add "-D all" to the OPTIONS
>>> parameter in /etc/default/spamassassin and try starting it. This
>>> should spew a lot of debug output into the log, which you can compare
>>> to what you got from running spamassassin from the command line with
>>> '-D' to look for discrepancies in where it is looking for config files
>>> and libraries.
>>
>> I notice the path shown for SA doesn't include /etc/spamassassin, which
>> is where all the .pre files are. Is this it? Am I just not finding the
>> necessary .pre files?
>
> Possible, but unlikely since running the spamassassin script doesn't
> have the same problem. There are multiple directory paths that SA uses
> for .cf and .pre files but as long as you don't have a single
> self-consistent installation, you should be seeing the same files in
> all SA tools.
>
> I have thought of 2 more possible issues that could cause this without
> mangled/diverse installations of Perl and/or SA:
>
> 4. Restrictive permissions on the directory where the system-wide
> local config files reside (/etc/spamassassin) or on the files inside
> it which prevent the user running spamd from reading the files.
>
No, everybody has "read" permission.

> 5. Spurious config files in the per-user config directory
> (~/.spamassassin) for the user running spamd.
>
> Off the top of my head, I do not recall what user is used in the
> Debian/Ubuntu package to run spamd.
>
The user is spamd, and there are no per-user rules there.

Ken
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
On 2/12/19 1:56 AM, Evan Booyens wrote:
>
> Hi Ken
>
> My only other fix would be to specify the config path in
> /etc/default/spamassassin at the OPTIONS="" section - add in
> "--configpath=/etc/spamassassin " at the start of the configs.
>
> Hope it helps.
>
I checked, and it's already there. Thanks for trying!

Ken
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
On 2/12/19 1:33 AM, Evan Booyens wrote:
>
> Also check that the actual spamassassin config directory is
> /etc/spamassassin and that there is a symlink at
> /etc/mail/spamassassin -> /etc/spamassassin
>
> If not, create it with ln -s /etc/spamassassin /etc/mail/spamassassin
>
Just checked. The symlink is there. Would that it had been that easy!

Ken
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
On 2/11/19 11:42 PM, Bill Cole wrote:
> On 11 Feb 2019, at 21:40, Ken Wright wrote:
>
>> On 2/11/19 9:33 PM, Bill Cole wrote:
>>> On 11 Feb 2019, at 20:24, Ken Wright wrote:
>>>
>>>> it does say it's loading the Mail::SpamAssassin::Plugin::Check module
>>>
>>> This is evidence that one or more of the following is true about spamd:
>>>
>>> 1. It is using a different SpamAssassin config than you use from the
>>> command line
>>> 2. It is using a different perl executable than you use from the
>>> command line (e.g. perlbrew)
>>> 3. It is using a different perl library path than you use from the
>>> command line (e.g. local::lib)
>>>
>> I'm still kind of a n00b, so... how can I tell which? I have no GUI on
>> the server, so everything is from the command line.
>
> OK, so you'd probably know if you had installed perlbrew or otherwise
> rigged up a way that you could accidentally run different perl
> executables from systemd and from the command line. So #2 is
> *probably* eliminated. Simplest solid check: look at the first line
> (starting with '#!') of the spamassassin script and of spamd (which is
> also a Perl script) and confirm that they are identical and DO NOT use
> /bin/env or /usr/bin/env to find perl. If they are not identical, then
> you probably have issues #1 and #2 together. If they use the env
> trick, they may be finding different perl executables.

I haven't installed perlbrew or anything like that, as far as I know.
Where would I find the two scripts you mentioned?

> #1 is only likely if you have installed SpamAssassin in multiple ways,
> e.g. from the distribution's package for it and from source or using
> CPAN. If you have stuck strictly to using the standard packages for SA
> and Perl and the various Perl modules that SA depends on, you would
> have a hard time creating this issue without trying very hard. If you
> have tried installing SA and/or its dependencies "by hand" or using
> CPAN instead of using the prebuilt packages, clean up that mess and
> reinstall from packages. A bespoke artisanal installation is
> inappropriate for someone who claims to be "kind of a n00b."

I installed SA from the Ubuntu repositories only. I have, however,
installed a few modules (such as Geo::IP) from CPAN, after starting with
the debug flag indicated there were a few uninstalled modules (such as
Geo::IP). Repeating the debug start showed all those modules installed,
so I don't think that's the issue.

> #3 is actually not unlikely. I don't know if Ubuntu 18 does it, but I
> know that the EL7 family of distributions have instituted local::lib
> as a default, which means that an interactive login gets $PERL5LIB set
> to look in ~/perl5/ for installed modules. A service started out of
> systemd won't have that. If you've somehow managed to install SA under
> ~/perl5/ then spamd won't find it. You can just run "echo $PERL5LIB"
> to see if your login has that set.

I ran "echo $PERL5LIB" with and without sudo. In both cases all I got
was a new line.

> One way to debug this would be to add "-D all" to the OPTIONS
> parameter in /etc/default/spamassassin and try starting it. This
> should spew a lot of debug output into the log, which you can compare
> to what you got from running spamassassin from the command line with
> '-D' to look for discrepancies in where it is looking for config files
> and libraries.

I notice the path shown for SA doesn't include /etc/spamassassin, which
is where all the .pre files are. Is this it? Am I just not finding the
necessary .pre files?

Ken
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
On 2/11/19 9:33 PM, Bill Cole wrote:
> On 11 Feb 2019, at 20:24, Ken Wright wrote:
>
>> it does say it's loading the Mail::SpamAssassin::Plugin::Check module
>
> This is evidence that one or more of the following is true about spamd:
>
> 1. It is using a different SpamAssassin config than you use from the
> command line
> 2. It is using a different perl executable than you use from the
> command line (e.g. perlbrew)
> 3. It is using a different perl library path than you use from the
> command line (e.g. local::lib)
>
I'm still kind of a n00b, so... how can I tell which? I have no GUI on the server, so everything is from the command line.

Ken
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
On 2/11/19 7:23 PM, sha...@shanew.net wrote:
> I'd suggest running spamassassin directly from the command line with
> the -D and --lint options to see if that provides more detail about
> what exactly is going wrong. This is going to give you a lot of
> output so you'll probably want to run it like:
>
> spamassassin -D --lint 2>&1 | less
>
Whew, that's a lot of output! I didn't see any obvious errors, and it does say it's loading the Mail::SpamAssassin::Plugin::Check module (along with several others). Is there anything in particular I should be looking for?

Ken, grateful for all the help so far!
Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10
On 2/10/19 3:56 AM, Giovanni Bechis wrote:
> On Sun, Feb 10, 2019 at 02:30:28AM -0500, Ken Wright wrote:
>> I've been trying to set up an email server and I want to use
>> Spamassassin to prevent it from becoming Spam Central. I've installed
>> SA and spamass-milter, but when I try to restart it after customizing
>> the config files, I get this:
>>
>> Job for spamassassin.service failed because the control process exited
>> with error code.
>> See "systemctl status spamassassin.service" and "journalctl -xe" for
>> details.
>>
>> So I checked journalctl and got this:
>>
>> -- Unit spamassassin.service has begun starting up.
>> Feb 08 02:19:31 grace spamd[6289]: logger: removing stderr method
>> Feb 08 02:19:32 grace spamd[6314]: Timeout::_run: check: no loaded
>> plugin implements 'check_main': cannot scan!
>> Feb 08 02:19:32 grace spamd[6314]: Check that the necessary '.pre' files
>> are in the config directory.
>> Feb 08 02:19:32 grace spamd[6314]: At a minimum, v320.pre loads the
>> Check plugin which is required.
> what is the content of the "v320.pre" file ?
> It seems you have disabled too many plugins.

I don't think so. v320.pre loads the Check plugin first thing. Here's the file:

# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read. Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read. As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###

# Check - Provides main check functionality
#
loadplugin Mail::SpamAssassin::Plugin::Check

# HTTPSMismatch - find URI mismatches between href and anchor text
#
loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch

# URIDetail - test URIs using detailed URI information
#
loadplugin Mail::SpamAssassin::Plugin::URIDetail

# Shortcircuit - stop evaluation early if high-accuracy rules fire
#
# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

# Plugins which used to be EvalTests.pm
# broken out into separate plugins

loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval

# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
#
loadplugin Mail::SpamAssassin::Plugin::VBounce

# Rule2XSBody - speedup by compilation of ruleset to native code
#
# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

# ASN - Look up the Autonomous System Number of the connecting IP
# and create a header containing ASN data for bayes tokenization.
# See plugin's POD docs for usage info.
#
# loadplugin Mail::SpamAssassin::Plugin::ASN

# ImageInfo - rules to match metadata of image attachments
#
loadplugin Mail::SpamAssassin::Plugin::ImageInfo

I hope this helps!

Ken
Having trouble getting Spamassassin to work on Ubuntu Server 18.10
I've been trying to set up an email server and I want to use Spamassassin to prevent it from becoming Spam Central. I've installed SA and spamass-milter, but when I try to restart it after customizing the config files, I get this:

Job for spamassassin.service failed because the control process exited with error code.
See "systemctl status spamassassin.service" and "journalctl -xe" for details.

So I checked journalctl and got this:

-- Unit spamassassin.service has begun starting up.
Feb 08 02:19:31 grace spamd[6289]: logger: removing stderr method
Feb 08 02:19:32 grace spamd[6314]: Timeout::_run: check: no loaded plugin implements 'check_main': cannot scan!
Feb 08 02:19:32 grace spamd[6314]: Check that the necessary '.pre' files are in the config directory.
Feb 08 02:19:32 grace spamd[6314]: At a minimum, v320.pre loads the Check plugin which is required.
Feb 08 02:19:32 grace spamd[6289]: child process [6314] exited or timed out without signaling production of a PID file: exit 255 at /usr/sbin/spamd line 3034.
Feb 08 02:19:32 grace systemd[1]: spamassassin.service: Control process exited, code=exited status=255
Feb 08 02:19:32 grace systemd[1]: spamassassin.service: Failed with result 'exit-code'.
Feb 08 02:19:32 grace systemd[1]: Failed to start Perl-based spam filter using text analysis.
-- Subject: Unit spamassassin.service has failed

At a friend's suggestion I also checked the mail.log and got this:

Feb  8 02:19:25 grace spamd[6144]: logger: removing stderr method
Feb  8 02:19:26 grace spamd[6172]: Timeout::_run: check: no loaded plugin implements 'check_main': cannot scan!
Feb  8 02:19:26 grace spamd[6172]: Check that the necessary '.pre' files are in the config directory.
Feb  8 02:19:26 grace spamd[6172]: At a minimum, v320.pre loads the Check plugin which is required.
Feb  8 02:19:26 grace spamd[6144]: child process [6172] exited or timed out without signaling production of a PID file: exit 255 at /usr/sbin/spamd line 3034.

Yes, v320.pre loads the Mail::SpamAssassin::Plugin::Check module, which is installed and up to date. I've just about run out of ideas. Anyone have any?

Sorry this is so long, but I didn't want to omit any pertinent information.

Ken Wright, pulling his hair out.
RE: Rule to compare rDNS to regular expression
On Wednesday, January 18, 2017, I wrote:
>I would like to write a rule to compare the rDNS lookup of the
>sender's IP address to a regular expression. I have written
>super simple URI rules for /etc/spamassassin/local.cf (Debian
>Linux system) like this:
>
>uri LOCAL_AWSURI /.*amazonaws\.com/
>score LOCAL_AWSURI 2.6
>describe LOCAL_AWSURI Links to site at amazonaws.com
>
>which work as expected. But my Google searches for examples
>or discussion must be the wrong search terms, as the search
>results are about other topics, not the one I want.
>
>Can someone provide an example or point me toward
>documentation of how to write such a rule?
>
>Thanks,
>
>Ken

Thank you for the helpful responses!
Rule to compare rDNS to regular expression
Hi,

I would like to write a rule to compare the rDNS lookup of the sender's IP address to a regular expression. I have written super simple URI rules for /etc/spamassassin/local.cf (Debian Linux system) like this:

uri LOCAL_AWSURI /.*amazonaws\.com/
score LOCAL_AWSURI 2.6
describe LOCAL_AWSURI Links to site at amazonaws.com

which work as expected. But my Google searches for examples or discussion must be the wrong search terms, as the search results are about other topics, not the one I want.

Can someone provide an example or point me toward documentation of how to write such a rule?

Thanks,

Ken
RE: What is the meaning of "host=NULL"
Bill,

Thanks for the helpful reply. I performed a reverse lookup on several of the IPs, but didn't take the next step of looking up the name in the PTR.

Ken

On 17 Sep 2015, at 15:35, Ken Johnson wrote:
> Spamassassin is run by Exim.
>
> Spamassassin version:
> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07)
> X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:57:07 +)
> from dpkg: spamassassin 3.4.0-2~bpo70+1
>
> Platform: Debian 7.8
>
> A recent surge in unfiltered spam made me re-examine log files. Every
> message I found that generated a log entry like this:
>
> :2015-09-09 07:35:40 1ZZeb1-00053O-Hy SA: Action: scanned but message
> isn't spam: score=3.7 required=4.0 (scanned in 13/13 secs | Message-Id:
> NDY1OGI4NmNhYjc3YTU3YmM3MzExYjBhMTY0MzY2ZWM_@URLTHATMUSTNOTBENAMED).
> From <info@URLTHATMUSTNOTBENAMED> (host=NULL [45.58.126.146]) for x...@y.com
>
> which included the string "(host=NULL " was a message I could safely
> filter out. Or at least, could safely add two or three to the score.
>
> What condition or attribute of received mail corresponds to a log
> entry of "host=NULL"?

Bill Cole wrote:

That precise wording seems to be an artifact of the Exim-SA plumbing (I've never seen SA itself generate "host=NULL" anywhere I use it) but based on the context and DNS fact, it would appear to be an indication that there is no valid hostname discernible for that IP address. In this specific case, the IP has a PTR record but the name in that PTR record has no A record confirming the name-IP relationship (or any records at all.)
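Added example, not part of the thread: it carries out the two-step check Bill describes and Ken says he skipped, looking up the PTR for the address and then resolving the PTR's target to see whether it points back (forward-confirmed reverse DNS). The DNS data is a constructed in-memory zone so the code runs offline; the entry for 45.58.126.146 mirrors what Bill reported at the time, a PTR whose name has no A record, and the other addresses are from documentation ranges. Pass functions that query live DNS in place of the two zone lookups to use it for real.

```python
import ipaddress

def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa owner name whose PTR record names this address."""
    return ipaddress.ip_address(ip).reverse_pointer

def classify_host(ip, lookup_ptr, lookup_addr):
    """Classify a connecting IP the way Bill Cole's explanation of host=NULL implies.

    lookup_ptr(owner_name) -> list of PTR targets, [] if none
    lookup_addr(hostname)  -> list of A/AAAA addresses, [] if none or NXDOMAIN
    Returns 'no-ptr', 'unconfirmed' (PTR exists but no address record points back), or 'confirmed'.
    The first two are the cases where an MTA has no valid hostname to log for the peer.
    """
    names = lookup_ptr(reverse_name(ip))
    if not names:
        return "no-ptr"
    for name in names:
        if ip in lookup_addr(name.rstrip(".")):
            return "confirmed"
    return "unconfirmed"

# Constructed zone data standing in for live DNS so the example runs offline.
# The first entry mirrors what Bill found for 45.58.126.146 at the time: a PTR whose
# target has no A record.  The others use documentation ranges.
PTR_ZONE = {
    "146.126.58.45.in-addr.arpa": ["light.bylawswhippy.com"],
    "1.113.0.203.in-addr.arpa": ["mx.example.net"],
    "2.113.0.203.in-addr.arpa": ["mx.example.net"],   # PTR names a host that resolves elsewhere
}
ADDR_ZONE = {
    "mx.example.net": ["203.0.113.1"],
    # "light.bylawswhippy.com" deliberately absent
}

def zone_ptr(owner):
    """Constructed PTR lookup."""
    return PTR_ZONE.get(owner, [])

def zone_addr(hostname):
    """Constructed A-record lookup."""
    return ADDR_ZONE.get(hostname, [])
```

`classify_host("45.58.126.146", zone_ptr, zone_addr)` returns "unconfirmed", the state behind the host=NULL entries in Ken's log, while 203.0.113.1 is "confirmed" and an address with no PTR at all is "no-ptr". Both failing states are a reasonable basis for the two- or three-point bump Ken proposes, but the "unconfirmed" case deserves the larger weight: a missing PTR is common on badly run legitimate hosts, whereas a PTR that points at a name nobody bothered to make resolve is typical of throwaway sending infrastructure.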
What is the meaning of "host=NULL"
Spamassassin is run by Exim.

Spamassassin version:
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07)
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:57:07 +)
from dpkg: spamassassin 3.4.0-2~bpo70+1

Platform: Debian 7.8

A recent surge in unfiltered spam made me re-examine log files. Every message I found that generated a log entry like this:

:2015-09-09 07:35:40 1ZZeb1-00053O-Hy SA: Action: scanned but message isn't spam: score=3.7 required=4.0 (scanned in 13/13 secs | Message-Id: ndy1ogi4nmnhyjc3ytu3ymm3mzexyjbhmty0mzy2z...@light.bylawswhippy.com). From <i...@bylawswhippy.com> (host=NULL [45.58.126.146]) for x...@y.com

which included the string "(host=NULL " was a message I could safely filter out. Or at least, could safely add two or three to the score.

What condition or attribute of received mail corresponds to a log entry of "host=NULL"?

Thanks,

Ken
Solved: Re: Large messages not being scanned.
On 2015-08-06 11:53, RW wrote:
> On Thu, 06 Aug 2015 11:38:56 -0400
> Ken D'Ambrosio wrote:
>
>> Hi! I'm getting headers like this:
>>
>> Aug 4 04:24:58 agrajag spamc[2557]: skipped message, greater than max message size (512000 bytes)
>>
>> Now, I'm just not sure where to *change* that; apparently, it's set via the -s max_size for spamc, but I have no idea where/how that gets invoked by spamd.
>
> It doesn't, spamc passes the mail to spamd.

Ah; silly me, I'd assumed the daemon invoked the standalone.

> You can set the argument in whatever glue calls spamc, or set it in spamc.conf.

Right. Finding the glue was somewhat trickier, though. Finally realized that it was postfix that was invoking spamc in the /etc/postfix/master.cf file. My line now reads thusly:

root@agrajag:/etc/postfix# grep spamc master.cf
  user=spamd argv=/usr/bin/spamc -s 1048576 -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Thanks for the pointers, all! Got me down the road...
Large messages not being scanned.
Hi! I'm getting headers like this:

Aug 4 04:24:58 agrajag spamc[2557]: skipped message, greater than max message size (512000 bytes)

Now, I'm just not sure where to *change* that; apparently, it's set via the -s max_size for spamc, but I have no idea where/how that gets invoked by spamd.

Suggestions?

Thanks!

-Ken
Re: .link TLD spammer haven?
On 10/22/2014 2:40 PM, Jesse Stroik wrote:
> I noticed URLs from the TLD .link aren't properly classified on my mail server. I wrote a simple URI rule to recognize that TLD which never matched. I wrote a similar body rule, which did properly match. Interestingly, I do see DNS queries going out for the URLs in question.
>
> This is sa 3.3.2-4 -- is it a known issue? The URL in question is on a single line and is easily pulled out with egrep and properly parsed with the body rule.

3.3.2 does not work with TLDs that are not hardcoded into the software. I signed up on this list last week with the same complaint (.link and .website are the latest spam havens). Apparently even 3.4 does not address this yet, but it is being addressed in the future. Since I use Centos 7 which ships with 3.3.2, it creates a problem for me, meaning unless backported, I'm kinda stuck.

What is a bit frustrating is that the URI rules will work for emails that are HTML encoded, but not for plain text emails. So I was pulling my hair out trying to figure out why my rules were working sometimes and not others.
SA skipping URI processing
I'm using Centos 7, which means SA version 3.3.2. I am encountering several emails that are not being processed correctly when checking against URI rules.

1) My local.cf has a rule to address the new .link domain which spammers appear to be using recently:

uri LR_LINK_TLD /^(?:https?:\/\/|mailto:)[^\/]+\.link(?:\/|$)/i
describe LR_LINK_TLD Contains a URL in the LINK top-level domain
score LR_LINK_TLD 3.0

2) The URIDNSBL rules are not being executed for these emails either. Debug of SA shows an empty "domains to query:". Huh?

Oct 15 16:24:55.416 [15519] dbg: uridnsbl: domains to query:

Here is the pastebin link to the full spam email: http://pastebin.com/RJWyGkKB
Re: SA skipping URI processing
On 10/15/2014 4:52 PM, Kevin A. McGrail wrote:
> On 10/15/2014 4:49 PM, Ken Bass wrote:
>> 1) My local.cf has a rule to address the new .link domain which spammers appear to be using recently:
>>
>> uri LR_LINK_TLD /^(?:https?:\/\/|mailto:)[^\/]+\.link(?:\/|$)/i
>> describe LR_LINK_TLD Contains a URL in the LINK top-level domain
>> score LR_LINK_TLD 3.0
>>
>> 2) The URIDNSBL rules are not being executed for these emails either. Debug of SA shows an empty "domains to query:". Huh?
>>
>> Oct 15 16:24:55.416 [15519] dbg: uridnsbl: domains to query:
>>
>> Here is the pastebin link to the full spam email: http://pastebin.com/RJWyGkKB
>
> The TLDs are hardcoded in SA 3.3.2. We are working on not having them hard-coded in 3.4.1. I believe someone made a patch suitable for 3.3.2 but I can't find it at the moment.

Sorry but I think you might be confusing some specific TLD related rule issues with the more generic custom uri rules and uridnsbl rules that I am using, because these work fine on OTHER emails. Something in specific emails, like the one in the above pastebin, is causing the issue. I've got lots of other emails that hit the above LR_LINK_TLD and/or URIBL_DBL_SPAM.
Re: SA skipping URI processing
On 10/15/2014 4:52 PM, Kevin A. McGrail wrote:
> The TLDs are hardcoded in SA 3.3.2. We are working on not having them hard-coded in 3.4.1.

I found Bug 6782, which I think you are referring to. I don't quite understand the details of it. But are you saying that the 'uri' and uridnsbl rules rely on those functions? If so, I am confused, because I have many spam emails with the '.link' domain that are being tagged properly.
Re: SA skipping URI processing
On 10/15/2014 6:12 PM, Martin Gregorie wrote:
> I'm certain KAM is right and here's why.
> ...snip...
> IOW, uri rules depend on matching the terminal part of the domain name with an entry in SA's built-in TLD list and my version, installed from the Fedora repo, doesn't yet include .link.
>
> I reverted my rules and test messages to test for the .link TLD and am now waiting for a TLD list that contains .link to percolate through the Fedora update process.

I think my confusion is that for many spam messages, the uri rule is working fine for the .link domain. After looking at some different spam emails, I think the difference is that if the .link is inside an 'HTML' spam, the url processing works. If it is a normal text spam email, the url processing does not work. That has been the source of my confusion and why I was thinking KAM was referring to a different issue.

So I am thinking that the HTML decoding part of SA doesn't use that built-in TLD list, but the text email processing does. That is the only way I can explain what I am seeing.
Re: SA skipping URI processing
On 10/15/2014 6:50 PM, Kevin A. McGrail wrote:
> I'd have to dig into it to find out more but there are different modules used for different tests so deviation in behavior is not something that alarms me. If you replace your RegistrarBoundaries.pm and it still has issues, please let us know. I am 99.9% sure I'm right.
>
> regards,
> KAM

Thanks -- My apologies for doubting you. Kind of scary that there is a loophole that will grow each time a new TLD is introduced. For now, I'll just block the .link domain at the smtp level.
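The behaviour this thread (and the ".link TLD spammer haven?" post above) pins down, as an added example that is not SpamAssassin's code: a model of plain-text URI extraction that keeps only hostnames whose last label is on a built-in TLD list, run once with a list that predates .link and once with the list extended. The TLD sets, the sample body and the simplified "last two labels" domain boundary are assumptions; the rule regex is the LR_LINK_TLD rule Ken posted, translated from Perl to Python syntax.

```python
"""Model of how a built-in TLD list gates plain-text URI processing
(added example; not SpamAssassin's RegistrarBoundaries.pm).  Shows why a
.link URL in a text body reaches neither the `uri` rule nor the uridnsbl
"domains to query" set until the TLD list knows about .link."""
import re

# Constructed stand-ins for the built-in list: the first predates .link,
# the second is what an updated RegistrarBoundaries.pm would add.
TLDS_332 = frozenset({"com", "net", "org", "info", "biz", "uk", "de"})
TLDS_UPDATED = TLDS_332 | {"link", "website"}

# Ken's local.cf rule, in Python regex syntax.
LR_LINK_TLD = re.compile(r"^(?:https?://|mailto:)[^/]+\.link(?:/|$)", re.I)

# Rough scanner for scheme-prefixed URIs in a text body.
URI_CANDIDATE = re.compile(r"(?:https?://|mailto:)[^\s<>\"']+", re.I)

# Constructed plain-text spam body for the demonstration.
SAMPLE_TEXT = """Click here for your prize:
http://promo.bargain-pills.link/claim?id=42
Questions? mailto:help@bargain-pills.link
Our old site is still at http://www.example.com/
"""


def host_of(uri):
    """Lower-cased hostname of an http(s) or mailto URI, or None."""
    if uri.lower().startswith("mailto:"):
        addr = uri[len("mailto:"):]
        return addr.rpartition("@")[2].lower() if "@" in addr else None
    authority = re.sub(r"^https?://", "", uri, flags=re.I).split("/", 1)[0]
    authority = authority.rpartition("@")[2]   # drop userinfo
    host = authority.split(":", 1)[0]          # drop port
    return host.lower() or None


def tld_known(host, tlds):
    """The gate the thread describes: terminal label must be on the list."""
    return host.rsplit(".", 1)[-1] in tlds


def extract_text_uris(body, tlds):
    """URIs from a text body whose host has a known TLD; others are dropped."""
    uris = []
    for m in URI_CANDIDATE.finditer(body):
        uri = m.group(0).rstrip(".,;:)")       # trailing punctuation is prose
        host = host_of(uri)
        if host and tld_known(host, tlds):
            uris.append(uri)
    return uris


def uridnsbl_domains(uris, tlds):
    """Domains that would be queried.  Simplification: registrable domain
    is the last two labels; real boundary handling is more involved."""
    domains = set()
    for uri in uris:
        host = host_of(uri)
        if host and tld_known(host, tlds):
            domains.add(".".join(host.split(".")[-2:]))
    return domains


def hits_lr_link_tld(uris):
    """Would the uri rule fire on the extracted URI list?"""
    return any(LR_LINK_TLD.search(u) for u in uris)


def scan(body, tlds):
    uris = extract_text_uris(body, tlds)
    return {
        "uris": uris,
        "domains_to_query": sorted(uridnsbl_domains(uris, tlds)),
        "LR_LINK_TLD": hits_lr_link_tld(uris),
    }


if __name__ == "__main__":
    for label, tlds in (("3.3.2 list", TLDS_332), ("updated list", TLDS_UPDATED)):
        print(label, scan(SAMPLE_TEXT, tlds))
```

With the older list the .link URIs never enter the URI list, so both the custom rule and the uridnsbl query set miss them, matching the empty "domains to query:" debug line in the thread.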
Re: [OT] RBLs
On 1/11/2012 11:51 AM, Dave Funk wrote:
> On Wed, 11 Jan 2012, --[ UxBoD ]-- wrote:
>> The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites.

sanesecurity hits many of these. uri filters can also assist.. surbl, uribl

>> Bayes is being by-passed due to the content looking valid so it is coming down to the IPs and domains. Had one yesterday where at 06:39 it was received by one of our clients and at 06:42 it appeared on one of the RBLs. I am guessing that it must have been a huge spam mailing that hit a lot of honeypots and people all at once. Downside is not a happy client ;(
>
> Graylisting would be one answer to this particular scenario. However it has the downside of delaying legit messages. Some clients seem to think that e-mail == IM and get PO'ed if messages don't arrive within seconds of sending. Actually had a faculty ask me how to set his T-bird to check for new messages every -second-, didn't want to wait a minute. ;(

imap?

--
Ken Anderson
Re: day old bread DNSBL
Yes. URIBL_RHS_DOB is somewhat useful. It's not _very_ reliable alone though, so I use it with META rules that add points for combinations with other things that are common with uri type spam. It seems to hit much of the same things as fresh.spameatingmonkey.net. ymmv.

Ken

On 5/27/2011 3:17 AM, Andreas Schulze wrote:
> Hi all,
>
> yesterday I learned about day old bread, a list of domains registered in the last five days.
> I found information from 2007: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200704.mbox/4615e4b7.5010...@inetmsg.com
>
> Has anybody current experiences??
>
> Thanks
Re: using spamhaus droplist with sa ?
On 2/17/2011 6:52 PM, Warren Togami Jr. wrote:
> On 2/17/2011 5:40 AM, RW wrote:
>> The suggestion is that it be scored higher for that reason.
>
> Or just outright block all MTA connections from anything listed in zen.spamhaus.org, which seems to be safe. Large sites I know have been doing that for years without any complaints.

But, Zen contains some infected hosts, not just known spam orgs. That would make it a bit hard for a small sender with an infection problem to discover the problem, right? Not very polite to block them at the firewall, imo. Maybe we need a new type of ICMP response for infected hosts?

Ken

> Warren

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On 12/1/2010 11:47 AM, Rob McEwen wrote:
> On 12/1/2010 12:05 PM, David F. Skoll wrote:
>> Where did you hear that? I can't imagine that IPv6 is any less (or any more) anonymous than IPv4.
>
> One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's nightmare. Spammers (and blackhat ESPs) would potentially send out each spam from a different IP and then not use each IP again for YEARS! This will make DNSBLs much less effective.. and it will bloat their file sizes and memory/resource requirements exponentially. The DNSBLs will have no choice but to make their entire DNSBL the equivalent of a /24 list today... except painting with a much broader stroke, and many will complain about unfair collateral damage. Even then, the bloat will STILL be out of control.
>
> SOLUTIONS?
>
> Personally, I prefer everyone everywhere agree that, unless the e-mail is password authenticated to one's own mail server, all mail be rejected unless the mail server had IPv4. But purists won't like that because their goal is to eventually *end* IPv4. So what else could be done?

v6 is now at the core and at the edge, and much of the server-to-server talking in the middle is going to remain v4 for a while. Significant numbers of smtp servers will remain v4 only, and so v6 only servers will need to use a v4 gateway to be of any real use to their customers. I think we can safely firewall, or whitelist v6 on port 25 until we have a useful whitelist, and probably a large droplist. Greylisting and watching for IPv6 hopping would probably be useful too..

Ken

> If we must receive mail from IPv6 IPs, then I recommend doing the equivalent of the following (put in IPv4 terms for simplicity):
>
> (A) All other non-authenticated mail rejected... unless the message came from a XXX.XXX.XXX.0 IP (this is in IPv4 terms... translate this into some equivalent IPv6 standard... but cast a super wide net!) That will greatly reduce the number of possible valid mail sending IPs. (again, auth mail to one's own server need not fulfill this standard)
>
> (b) industry wide, agree that mail is NOT accepted from IPv6 unless it does Forward Confirmed reverse DNS (FCrDNS)
>
> If one or both of those were agreed upon up front--this would go a long way towards preventing the coming nightmare. (and forgive me if RFCs have already established those as absolute standards for IPv6... I haven't kept up with all the RFCs for IPv6!)

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: email address forgery
On 11/11/2010 7:07 PM, Rob McEwen wrote:
> On 11/11/2010 7:41 PM, Noel Butler wrote:
>> Really? I don't use SPF in SA, only MTA, if that's the case, it is a shame that SA also is behind the times. It was years ago SPF type was ratified. Justin: Any plans to change that?
>
> I guess I'm one of those mail admins who is behind the times. But I don't really care that much because I take the same position as Suresh Ramasubramanian... that SPF is a failed technology because, for one, it breaks e-mail forwarding and there are ALWAYS too many legit e-mail forwarding situations (and legit substitutionary from situations--like sending from one's phone) to create problems in comparison to the problems that SPF solves. The ONLY exception is when enduring a severe Joe Job attack. In THAT situation, a strong SPF record will disrupt much of the spammer's messages, and cause them to switch to OTHER forged from addresses. In that situation, SPF is your friend. Otherwise, it is more trouble than it's worth, imo.

I find it useful for whitelisting (whitelist_auth) things like banks, or other trusted, and properly configured SPF senders. But, as a small ISP with lots of roaming users, SPF is pretty much useless for outgoing mail (?all).

Ken

> Because many feel this way, I suspect that this may be the reason why the latest and greatest SPF support probably wasn't a huge priority for SA?

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: BOTNET timeouts?
I've had no trouble with Botnet timeouts, but just now patched anyway, to avoid any potential trouble. I, and many others appreciate how responsive you've been with your sanesecurity work, but not everyone has the same resources. Whenever I install GNU free software, I have to remember this. If someone wants to fork Botnet, go for it! Otherwise, just patch. This isn't Microsoft, where you can sit on a serious security bug for 3 years and be held accountable... u.. nevermind.

Ken

Bill Landry wrote:
> McDonald, Dan wrote:
> On Wed, 2009-06-10 at 21:40 -0700, John Rudd wrote:
> On Wed, Jun 10, 2009 at 21:11, Bill Landry <b...@inetmsg.com> wrote:
> Jake Maul wrote:
> Interesting that I'm just now running into this... I've been using Botnet on this server for several months without issue. Thanks for the link, shorter timeouts should cure it. :)
>
> The patch was originally developed when SpamAssassin's resolver library was patched to shorten the timeouts. I suggested the changes to mimic the SpamAssassin code.
>
> Even though Mark Martinec had provided John Rudd with a nice, neat patch for botnet.pm well over a year ago to resolve this issue, John has not opted to take the 5 minutes that is necessary to fix botnet by applying the patch. He is no longer maintaining botnet, and it has become an orphaned plugin that is in serious need of repair.
>
> If you feel that way about it, fork it. I personally don't feel that way about John's work.
>
> That's a rather presumptuous statement to make. The plug-in works in the vast majority of cases, and I've had higher priority things to work on. But the plug-in has not been abandoned (nor are you qualified to make that statement), nor is it in _serious_ need of repair. Nor do you know how much pre-release work (testing, etc.) I put into a release, whether or not that's the solution to the specific problem I want to go with, etc.,
>
> Correct. A more elegant solution would be to use the parallelizing resolver library built into SpamAssassin, but that would increase the complexity significantly, and take a lot more time to get right. I know I don't have the time to do that sort of development properly, and I fully sympathize with John's priorities.
>
> John has been citing other priorities for 2 years (second verse, same as the first), and it has been even longer than that since the plugin has been updated - despite the issues that have been reported (a simple search (botnet timeout) of the mailing list archives will prove my point). You can start your search here:
>
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5506
>
> And the results of this effort were reported to John and summarily ignored.
>
> http://markmail.org/message/dmqjh5haffw7vbfg#query:mark%20Martinec%20botnet+page:1+mid:dmqjh5haffw7vbfg+state:results
>
> And still are ignored to date:
>
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200901.mbox/%3c200901151806.07138.mark.martinec...@ijs.si%3e
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200901.mbox/%3c8b155d900901151312h6599f2e5ra2d4fe3ffd289...@mail.gmail.com%3e
>
> This issue has been unresolved for way too long. All of this, in my mind, makes the plugin orphaned and unusable if not patched with Mark's patch.
>
> Bill

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: Barracuda Blacklist
Neil Schwartzman wrote:
> - Thank you for contacting Barracuda Networks regarding your issue.
> ...
> There are a number of reasons your IP address may have been listed as poor, including:
> ...
> 8. In some rare cases, your recipients' Barracuda Spam Firewall may be misconfigured

I have seen this in less than 'rare' cases. It's quite easy using the Barracuda web admin to apply PBL or other dynamic range lists to all IPs found in ALL Received headers. You will certainly get less spam. :-)

Ken

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: DOB Lookup Timeouts
Raymond Dijkxhoorn wrote:
> Hi!
>
>> I wanted to ask if others were seeing timeouts with the DOB lookups within spamassassin. Also, it looks like their website http://www.support-intelligence.com/dob/ is timing out as well. Are others seeing this as well? I'm assuming most are zero'ing out the rule for the time being?
>
> We have the same troubles when reaching them by mail, does someone know anything about it, if they have network issues?
>
> Bye,
> raymond.

Looks like maybe they just changed nameserver providers. Try flushing your dns cache.

Ken

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: Phishing
Neil Schwartzman wrote:
> On 24/04/09 11:44 PM, it was written:
>> Most people do not fall for it, but the dumbest ones do fall for it.
>
> This is not a question of intellect, it is a question of the verisimilitude of the messaging.

Both might probably be more true than false. In fact I could think of several more, but won't bore you..

Ken
Re: Trying out a new concept
Marc Perkel wrote:
> Blaine Fleming wrote:
>> John Hardin wrote:
>>> Why is it so flippin' difficult to get a feed of newly-registered domain names?
>>
>> Because the TLDs hate giving people access to the data and certainly won't provide a feed without a bunch of cash involved. Even worse, all the ccTLDs pretty much refuse to even talk to you about access to the zones. This is why I started processing all the TLDs I was able to obtain access to. There is lag but the most it could be is about 24 hours and that assumes they register a new domain immediately after the TLD dumps the zone.
>>
>> Honestly, on my system I have less than 0.01% hits against a list of domains registered in the last five days so I've always considered the list a failure. However, several others are reporting excellent hit rates on it. I think it is because the test is so far after everything else though.
>>
>> --Blaine
>
> Thanks Blaine, John, the problem is that even if you have access to the data you have to compare gigabytes to the previous day so there's a big delay in even producing the lists. So my experiment is not to figure out how to get them listed, but detect them from not being listed.
>
> I'm also NOT testing this with SA. I'm using Exim rules and combining it with other sins to produce an RBL list that those of you using SA can use.
>
> Where I'm getting hits is on spam bots that link to these new domains. Spambots are easy to detect because they never use the QUIT command to close the connection. So if a spambot message links to an unfamiliar domain (a domain NOT on my list) then that domain goes into my URIBL list which I'm going to ship off to the folks at SURBL, which will trickle down to you all here.

Is this data coming from connections to your free tempfail mx service?

Ken

> That is the plan - if it works. And it will get the offenders listed quickly.

--
Ken Anderson
Pacific.Net
Re: Trying out a new concept
Marc Perkel wrote:
> Ken A wrote:
>> Marc Perkel wrote:
>>> I don't know how this will work but I'm building the data now. For those of you who are familiar with Day old bread lists to detect new domains, as you know there's a lag time in the data and they often don't have data from all the registries. So - here's a different solution.
>>>
>>> What I'm thinking is to accumulate every domain name that interacts with my system and storing it in a list. Eventually after a week or so I should have a good list. Then the idea is to do a lookup to see if a new domain is NOT on the list. This will catch all really new domains, but will have some false positives. But - if it is mixed with other conditionals it might be a good way to detect and block spam from or linking to tasting domains.
>>>
>>> Thoughts?
>>
>> How will you keep your list from being easily polluted?
>>
>> Ken
>
> I'm not sure what you mean. The idea is to detect what's NOT on the list. And also to track new entries for a week or so. I'm just in the data accumulation stage. I only have one day of data. But the idea is to detect new domains.

nevermind. You've since explained that you only plan to add new domains to your list if the domains are urls in known spam that you detect using other methods. Please don't call it DOB, since it's 'unseen' domains you are talking about. In your initial email, the only condition to be on the list was 'interacting with your system', which was very vague.

Good luck,

Ken

--
Ken Anderson
Pacific.Net
Re: New free blacklist: BRBL - Barracuda Reputation Block List
DAve wrote:
> Jeff Chan wrote:
>> [Pardon the spam; thought this new blacklist might be worth at least trying.]
>>
>> Apparently Barracuda will be publishing a free-to-use sender blacklist called BRBL:
>>
>> http://www.barracudacentral.org/rbl
>>
>> Haven't tried it myself but thought it may be of interest.
>
> We have a system in use for members of a specific group within the state. The system takes a list of ID numbers from an email and returns a result for each number back to the sender. It requires a paid membership and a manual verification by a human to sign up for the service. The result emails are very structured, no images, plain text, proper and complete headers.
>
> We have several clients who have the result emails captured by the Barracuda Reputation System, they cannot seem to get the result emails past their Barracuda. Other clients have no issues at all.
>
> I have three other clients who we do spam filtering for, they have a Barracuda between our spam filtering server and their Exchange servers. They often trap their own intra office mail. Frank in LA emails Bob in Atlanta, the Atlanta Barracuda says spam and bounces the message back to Frank, then Frank's Barracuda says spam and bounces the message back to Bob. They do not seem to be able to make it stop doing so and will not pay for a tech to come onsite and investigate. I have a special slow mail queue I dump their traffic into.
>
> If the reputation is based on spam tagged from client managed systems I would think it not much to count on.

I hope that's not how it's managed! We regularly see barracudas bounce email with PBL listed IPs in the received headers (NOT the connecting server). MailMarshall does this too, if properly misconfigured. :-(

Ken

> DAve

--
Ken Anderson
Pacific.Net
Re: New free blacklist: BRBL - Barracuda Reputation Block List
Rose, Bobby wrote:
> I had the same issue and found that the system that's relaying (216.129.105.40) those confirmation emails doesn't have a PTR record. You'd think someone selling an antispam/email appliance would be familiar with the RFCs.
>
> -----Original Message-----
> From: Justin Piszcz [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 22, 2008 10:15 AM
> To: Daniel J McDonald
> Cc: users@spamassassin.apache.org
> Subject: Re: New free blacklist: BRBL - Barracuda Reputation Block List
>
> On Mon, 22 Sep 2008, Daniel J McDonald wrote:
>
> Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail from them? What is the RBL name?
>
> Justin.

It hit botnet rules here too, just now.

Ken

--
Ken Anderson
Pacific.Net
Re: Trying out a new concept
Marc Perkel wrote:
> I don't know how this will work but I'm building the data now. For those of you who are familiar with Day old bread lists to detect new domains, as you know there's a lag time in the data and they often don't have data from all the registries. So - here's a different solution.
>
> What I'm thinking is to accumulate every domain name that interacts with my system and storing it in a list. Eventually after a week or so I should have a good list. Then the idea is to do a lookup to see if a new domain is NOT on the list. This will catch all really new domains, but will have some false positives. But - if it is mixed with other conditionals it might be a good way to detect and block spam from or linking to tasting domains.
>
> Thoughts?

How will you keep your list from being easily polluted?

Ken

--
Ken Anderson
Pacific.Net
Re: Blacklist Mining Project - Project Tarbaby
Ralf Hildebrandt wrote:
> * Robert Schetterer [EMAIL PROTECTED]:
>>> Project Tarbaby helps you reduce spam and helps us build our blacklist. This is done by adding a fake MX record to your existing MX lists
>>
>> that could be seen as a security risk cause in rare cases you may receive legal mails i.e at a network outage etc
>
> How? He tempfails all mails.

Are you asking how sending your customer, or company email off someplace you don't control might be a security risk? Read the fine print. The way Marc's system works is by waiting for the absence of the QUIT command. That means anything the system sees before it's done waiting for QUIT is available to a process. Do you have any idea what that process does, how it's coded, or how secure it is? This isn't an open source project.

Most of our customers would wonder why we are sending their mail off without their explicit permission. That's a breach of trust at least, and perhaps of contract. It might also be a violation of company policy, or just plain illegal.

Ken

--
Ken Anderson
Pacific.Net
Re: Blacklist Mining Project - Project Tarbaby
Ralf Hildebrandt wrote:
> * Ken A [EMAIL PROTECTED]:
>>> How? He tempfails all mails.
>>
>> Are you asking how sending your customer, or company email off someplace you don't control might be a security risk?
>
> It's in no way more dangerous than using Postini...

Have you compared Postini's contract to the one you get from Marc? Ummm.. just in case you have no luck finding that, what about a Privacy policy? See the link at bottom of http://wiki.junkemailfilter.com/index.php/Project_tarbaby for the Privacy Policy. It's currently a blank page. That doesn't give me a secure feeling..

Ken

--
Ken Anderson
Pacific.Net
Re: Blacklist Mining Project - Project Tarbaby
Marc Perkel wrote:
> Ken A wrote:
>> Ralf Hildebrandt wrote:
>>> * Robert Schetterer [EMAIL PROTECTED]:
>>>>> Project Tarbaby helps you reduce spam and helps us build our blacklist. This is done by adding a fake MX record to your existing MX lists
>>>>
>>>> that could be seen as a security risk cause in rare cases you may receive legal mails i.e at a network outage etc
>>>
>>> How? He tempfails all mails.
>>
>> Are you asking how sending your customer, or company email off someplace you don't control might be a security risk? Read the fine print. The way Marc's system works is by waiting for the absence of the QUIT command. That means anything the system sees before it's done waiting for QUIT is available to a process. Do you have any idea what that process does, how it's coded, or how secure it is? This isn't an open source project.
>>
>> Most of our customers would wonder why we are sending their mail off without their explicit permission. That's a breach of trust at least, and perhaps of contract. It might also be a violation of company policy, or just plain illegal.
>>
>> Ken
>
> It's not like I'm a stranger here. I've been on this list for 6 years so a lot of people do trust me.

That's not the kind of trust I'm talking about (it's not personal). It's about data security, code review, privacy assurances.

> As to looking for QUIT, it's not just that. There are a number of other sins that are required for blacklisting.
>
> As to getting permission from customers, you do ask customers for permission before using razor or dcc. Same thing.

Not. You are comparing systems that share checksums and allow simple whitelisting (to exclude entries from shared db) to sharing plain text email.

Ken

> And - if you don't trust me - don't use it. This is just for people who know me and want to help out.

--
Ken Anderson
Pacific.Net
Re: mysterious spam - what is this trying to do?
Arvid Ephraim Picciani wrote:
> On Wednesday 30 July 2008 00:55:50 mouss wrote:
>> Ken A wrote:
>>> Can be a probe too. Accepting mail from that IP with that content says something about your system. Spammers aren't stupid. They fingerprint us just like we fingerprint them.
>>
>> If I was a spammer, I don't see why I would probe you. I understand if it's filter poisoning, but probing to see if the message will be accepted is useless. they can just send their spam. if you reject it, others will accept it, and some will read it, which is exactly what they want to achieve.
>
> No. Some spammers are a lot more clever than that. Especially if you sell lists, you usually make sure they are high quality. This is a low volume probe. Probably to clean out harvested lists.
>
> - They are probing for wrong addresses (This is why returning 550 imho makes sense and greylisting does not)
> - They are probing for backscatterer. All mails would have the same From address, envelope, and helo of a compromised mailserver.
> - They are probing for spamtraps. Bigger ISPs can probably detect that best, since the mails would have a pattern.
>
> Of course there is always the possibility that the ratware is simply broken. shit happens :P

Yes. And also, in any war, consider resource usage. A simple example: Spammer at any given time may have access to a number of DNSRBL listed bots, and a number of unlisted bots. With an understanding of how ISP handles filtering based on a given DNSRBL, spammer may choose a certain delivery pattern.

Ken

--
Ken Anderson
Pacific.Net
Re: mysterious spam - what is this trying to do?
ram wrote:
> On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:
>> Arvid Ephraim Picciani wrote:
>>> On Wednesday 30 July 2008 00:55:50 mouss wrote:
>>>> Ken A wrote:
>>>>> Can be a probe too. Accepting mail from that IP with that content says something about your system. Spammers aren't stupid. They fingerprint us just like we fingerprint them.
>>>>
>>>> If I was a spammer, I don't see why I would probe you. I understand if it's filter poisoning, but probing to see if the message will be accepted is useless. they can just send their spam. if you reject it, others will accept it, and some will read it, which is exactly what they want to achieve.
>>>
>>> No. Some spammers are a lot more clever than that. Especially if you sell lists, you usually make sure they are high quality. This is a low volume probe. Probably to clean out harvested lists.
>>>
>>> - They are probing for wrong addresses (This is why returning 550 imho makes sense and greylisting does not)
>>> - They are probing for backscatterer. All mails would have the same From address, envelope, and helo of a compromised mailserver.
>>> - They are probing for spamtraps. Bigger ISPs can probably detect that best, since the mails would have a pattern.
>>>
>>> Of course there is always the possibility that the ratware is simply broken. shit happens :P
>>
>> Yes. And also, in any war, consider resource usage. A simple example: Spammer at any given time may have access to a number of DNSRBL listed bots, and a number of unlisted bots. With an understanding of how ISP handles filtering based on a given DNSRBL, spammer may choose a certain delivery pattern.
>
> How does the spammer come to know his mail is delivered and not quarantined / deleted / or spam tagged

If it's a yahoo, google or other freemail address, that's not too hard to figure out, is it? If it's another email provider, who knows.. many providers document their anti-spam approach, use very informative bounce messages, or use easily identifiable products that have certain behaviors. It certainly isn't possible to learn everything from a probe email, but it's worth thinking about, imho. Of course we don't want to give them any ideas either!

Ken

--
Ken Anderson
Pacific.Net
Re: mysterious spam - what is this trying to do?
Can be a probe too. Accepting mail from that IP with that content says something about your system. Spammers aren't stupid. They fingerprint us just like we fingerprint them.

Ken
Pacific.Net

Karsten Bräckelmann wrote:
> Please do NOT *reply* to a mail, if you start a new thread. Changing the Subject and removing the quoted text does not make it a new mail. It still is a reply. You just hijacked an unrelated thread.
>
> On Tue, 2008-07-29 at 10:38 -0400, Kevin Parris wrote:
>> Sample posted here: http://pastebin.com/m7d993dc7
>>
>> Have seen several similar to this, the message contains only random words, no images, no web links. What's the point? It's not advertising, or trying to lure victims to a site, or carrying any payload. Commentary anyone?
>
> It is most likely just horribly broken. These are rather common since a few days.
>
> The weird X-Header-CompanyDBUserName: header is entirely static. As is the X-Mailer: header. The other X-Header-* headers likely aren't intended to be sent either. The first Received: is utterly broken (IP with 18-digit numbers).
>
> Even the body is pretty static. The words are random (including length), but the punctuation and whitespace of the body is static again.
>
> I guess it should be rather safe to catch these based on the headers, if you got problems detecting them otherwise.
>
> guenther

--
Ken Anderson
Pacific.Net
Re: Detecting the Registrar of the sending host?
Marc Perkel wrote: Yet Another Ninja wrote: On 7/2/2008 6:05 PM, Marc Perkel wrote:

Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows? Here's what I'm thinking. I think there's some expensive and highly secure registrars out there who are the registrar of expensive domains and probably have no spam domains at all. This could be used to create white rules. Can this be done?

you sure there are major registrars you can whitelist? http://rss.uribl.com/nic/ Even EUrid is happily supporting pillz spammers on .eu

Not major registrars, minor ones. There's one called markmonitor.com that seems to have clients like banks and major corporations. My guess is that this is an extremely expensive registrar where security means everything and no one is going to accidentally mess with anything. The idea here is that if the registrar is this expensive and restrictive then only the good guys will be using them. At least that was what I would test if there were a way to test it. Apparently there is not.

Not reliably securely. Parsing whois data is messy, there's no standard format, clients are blocked frequently, and data can be quite stale (dns servers ips are often old). The best you can do is a static list that is part of an SA rule to add a point or so if you are also happy with the dns if you really think it's worth it. DKIM does a better job with most of these domains anyway, imo. fwiw, markmonitor 'monitors' 'marks' - they are in the intellectual property protection business. Too bad ICANN wasn't using them. http://www.icann.org/en/announcements/announcement-03jul08-en.htm ooops!

Ken

-- Ken Anderson Pacific.Net
Re: Day Old Bread/Spammers
# host contagiousensemble.com.black.uribl.com
contagiousensemble.com.black.uribl.com has address 127.0.0.2

uribl.com + milter-link = rejected spam

Ken

Mailing Lists wrote:

Here's today's first WagonJumper's email ... the domain has a registry date back in October 2007. One of the bottom img src tags is the WagonJumper's logo img. I'd love to find a way to be able to scan those imgs - but since they are image refs, and not embedded - that doesn't occur.

From [EMAIL PROTECTED] Thu Jul 3 06:36:24 2008
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on myhost
X-Spam-Level: *
X-Spam-Status: No, score=5.4 required=8.0 tests=DCC_CHECK,DIGEST_MULTIPLE,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS autolearn=disabled version=3.2.4
Received: from mx12.contagiousensemble.com (mx12.contagiousensemble.com [147.203.149.217]) by myhost (8.13.1/8.13.1) with ESMTP id m63AaN5V009292 for me; Thu, 3 Jul 2008 06:36:24 -0400
Message-ID: [EMAIL PROTECTED]
From: Work At Home [EMAIL PROTECTED]
To: Me me
Subject: Work at Home Job Search. Immediate Placement
Date: Thu, 03 Jul 2008 03:36:24 -0700
Reply-To: Work At Home [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_896_339913931877807616
X-UID: 23560
Status: RO
Content-Length: 4615

This is a multi-part message in MIME format.
--=_Part_896_339913931877807616
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Work at Home - Easy Work- Great Pay - Start Today
http://mx12.contagiousensemble.com/7VKkLt379368yk227542196KjDrP46NEnUs109CX392n101U
http://mx12.contagiousensemble.com/6155vp37936822eb7542196QF46qoGeH10rU9392cyH

--=_Part_896_339913931877807616
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

html body IMG SRC=http://mx12.contagiousensemble.com/2IET3793682ptar27542196Fb46nN10iBk9392xV;BR center style

Congress attacks global warming with a cap on greenhouse gases – and then allows firms to pollute if they buy carbon offsets elsewhere – lawmakers should consult the UN's abysmal record in this slippery type of trading. The UN set up its Clean Development Mechanism (CDM) to help companies in industrialized countries invest in projects in poorer nations that cut greenhouse-gas emissions as part of their countries' commitment under the Kyoto Protocol or the European Union's emissions plan. The concept: Cutting emissions anywhere is equally effective in fighting global warming. So why not keep polluting at home and simply pay, under this so-called cap-and- trade system, to close a polluting plant in China or to save a forest in Brazil? The cost of financing wind turbines in Bangladesh, for instance, is much less than scrubbing carbon dioxide from smokestacks in Germany. But Stanford University researchers who've studied the CDM say the emissions cuts are largely illusory: As many as two-thirds of the programs funded contribute nothing new to reducing emissions. How can that be? One problem is that many offset payments are meant to prevent something from happening that might worsen climate change. The CDM must somehow prove a project has additionality, that it would not have occurred anyway without a payment. But that isn't working out in practice, the researchers say.
One simple clue: Most projects are already completed at the time they are approved for CDM offsets. As a British investigative journalist put it: Offsets are an imaginary commodity created by deducting what you hope happens from what you guess would have happened. The CDM also creates perverse incentives, says Patrick McCully, executive director of International Rivers Network, another critic of the program. A chemical company in China, for example, may actually produce more of one potent greenhouse gas – HFC-23, a byproduct of making refrigerant gases – in order to sell an offset credit. The money earned through CDM is greater than the cost of making HFC-23. CDM asks that a project not be something that's already common practice. But that logic only dissuades a poor country from promoting energy-efficiency or, say, curbing methane from landfills. Why take such actions if they will disqualify a company from CDM credits? Next week, the US Senate takes up a bill that would impose a cap-and-trade system that includes the buying and selling of licenses to emit carbon. Yesterday, a similar bill was unveiled in the House. As in Europe, a final bill from Congress will likely allow US companies to buy carbon offsets through CDM or similar groups that claim an expertise in identifying projects that reduce greenhouse gases. Even if a US plan only links up with Europe's scheme, it would be part of a system that includes bogus CDM credits
Re: Spam volumes down since last week
Our spam levels are 1/2 to 1/3 of what they were two weeks ago. Also, virus e-mails are also very very low. Low enough for me to start reviewing the e-mail logs for anomalies. The summer doldrums are upon us...
Re: MailChannles SPAMMING List Members?
On 12-Jun-08, at 9:41 PM, mouss wrote: if it really came from them, it's probably an isolated/unsupported initiative from a marketer gone crazy. report the problem to their abuse team (or anyone in their tech team). In all companies I worked for, I've seen few guys coming up with bad good ideas/initiatives. Most of the time, these were stopped during internal discussions, but sometimes such initiatives were only discovered later thanks to a complaint. so do complain, but provide evidence (message with full headers). Hi Dave, Mouss, and others, I can confirm that this is an instance of a marketer gone crazy, rather than a spam campaign: - Desmond found Dave's name when he was looking for people in the EDUCAUSE group who know about email. - Dave's email address was taken from Mary Baldwin College's staff directory (http://academic.mbc.edu/cis/search/facstaff/ namesearch.asp). It was not taken from the SA mailing list. - The message to Dave was a one-to-one correspondence - it was not part of a bulk mail-out. Regards, Ken -- Ken Simpson CEO MailChannels - Reliable Email Delivery http://blog.mailchannels.com 604 685 7488 tel
Re: I need your spam!
What is this the junkemailfilter announce list? Give it a rest.

Ken

Marc Perkel wrote:

Actually - I just need your spam attempts. I have a way to detect spambots on the first try and add them to my blacklist at hostkarma.junkemailfilter.com So - if you want to participate and lose a chunk of your virus spambot spam all you have to do is add us as your highest numbered MX record.

tarbaby.junkemailfilter.com 100

What we will do is return a 451 error after the DATA command is sent. And - if you then also use our blacklists then the bots spamming your domains will be blacklisted. Here's info on our lists: http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists

Here's the SA rules to make it work.

header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 3.0

header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 1.0

-- Ken Anderson Pacific.Net
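The two lookups on this page, the `host contagiousensemble.com.black.uribl.com` query in the Day Old Bread thread and the check_rbl / check_rbl_sub rules quoted just above, both come down to building a DNS name and decoding a 127.0.0.x answer. The Python below is an added example, not code from either post or from junkemailfilter.com: it reverses the client octets under the hostkarma zone the way check_rbl does, maps the answers to the list names the rules give (127.0.0.1 white, 127.0.0.2 black, 127.0.0.4 brown), and pulls the domains out of a message body for a black.uribl.com query, whose 127.0.0.2 answer is the one shown earlier. The resolver is a constructed stand-in so it runs offline, and reducing a host to its last two labels is a simplification (a real URIBL client uses the public suffix list).

```python
"""DNSBL / URIBL lookups and return-code decoding.

Added example (not from the posts).  Hostkarma code meanings come from the
SA rules quoted above; the black.uribl.com answer 127.0.0.2 comes from the
`host` output earlier on this page.  _FAKE_ANSWERS is a constructed
stand-in for DNS so the code runs offline.
"""
import ipaddress
import re
from typing import Callable, List, Optional

HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"
URIBL_BLACK_ZONE = "black.uribl.com"
HOSTKARMA_CODES = {"127.0.0.1": "white", "127.0.0.2": "black", "127.0.0.4": "brown"}

_FAKE_ANSWERS = {
    "4.3.2.1.hostkarma.junkemailfilter.com": "127.0.0.2",   # constructed: a listed bot
    "8.2.0.192.hostkarma.junkemailfilter.com": "127.0.0.1",  # constructed: whitelisted relay
    "contagiousensemble.com.black.uribl.com": "127.0.0.2",  # answer shown on this page
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for an A lookup: the answer, or None for NXDOMAIN."""
    return _FAKE_ANSWERS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the list zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def hostkarma_verdict(ip: str, resolve: Callable[[str], Optional[str]] = fake_resolve) -> str:
    """Decode the hostkarma answer for a client IP into the list name."""
    code = resolve(dnsbl_query_name(ip, HOSTKARMA_ZONE))
    if code is None:
        return "unlisted"
    return HOSTKARMA_CODES.get(code, "unknown:" + code)


_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels only; a real client consults the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def uribl_hits(body: str, resolve: Callable[[str], Optional[str]] = fake_resolve) -> List[str]:
    """Domains from URLs in the body that black.uribl.com lists (127.0.0.2)."""
    hits: List[str] = []
    for host in sorted(set(_URL_HOST.findall(body))):
        dom = registrable_domain(host)
        if dom in hits:
            continue
        if resolve(dom + "." + URIBL_BLACK_ZONE) == "127.0.0.2":
            hits.append(dom)
    return hits


# Two of the URLs from the quoted "Work at Home" message, as sample input.
SAMPLE_BODY = (
    "Work at Home - Easy Work- Great Pay - Start Today\n"
    "http://mx12.contagiousensemble.com/7VKkLt379368yk227542196KjDrP46NEnUs109CX392n101U\n"
    "http://mx12.contagiousensemble.com/6155vp37936822eb7542196QF46qoGeH10rU9392cyH\n"
)

if __name__ == "__main__":
    print(hostkarma_verdict("1.2.3.4"), uribl_hits(SAMPLE_BODY))
```

The only difference between the two list types is what goes in front of the zone: a reversed IP for an IP-based list, a domain for a URI list. The decoding step is where mistakes usually happen, so an unexpected code is reported as `unknown:` rather than silently treated as a listing.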
Re: List of Banks often spoofed in Phishing scams
Graham Murray wrote: ram [EMAIL PROTECTED] writes:

That is not practical. At least in India, Banks use third party servers to send their mailers often. And the ips have PTR's HELO's which don't match the banks', because these don't belong to the bank

Which practice does nothing at all to combat phishing. Banks and other financial institutions should send mail only from their own domain(s). Any bank which does not have a sufficiently large (or clueful) IT setup to enable them to send email from their own domains is probably not worth doing business with. Financial institutions should be in the forefront of online security.

Chances are you do business with them whether you like it or not, through other parties that process your payments through BofA, Citicorp, Amex and others. :-( This is of course not the IT dept, but Marketing.

All you email admins out there that can afford to block them, please do!

In the customer centric world of email service providers, most email admins can't block these mailers, even if they do invite a phishing tag. Hopefully, they will get a clue eventually.

Ken

-- Ken Anderson Pacific.Net
Re: DNS ISP Host List Available
John Hardin wrote: On Thu, 29 May 2008, Ken A wrote:

http://www.rhyolite.com/anti-spam/you-might-be.html

So how is a proponent of the Hunt down and kill spammers very messily FUSSP classified?

I'm suggesting that some homework should be done before creating a list of this or that and then promoting it as something that it's NOT on the SA users list. A list of dynamic IP addresses is already available in the correct/usable form. There's no need for a 'name based' version.

Marc said This list was created by grabbing the registry barrier part of the domain name of IPs from other DNS lists that list the IPs as dynamic. That would seem to translate to doing a reverse lookup or whois on PBL or NJABL IPs. That's fine, but then he claims that his list is a list of domains that provide consumer dynamic IP address space. But it's not. It may give you IP address ownership information if your list is created using whois, but it doesn't tell you what ISP (domain) assigned the address to the customer. If you are depending on reverse lookups, then the info is more suspect, since ISPs are not very good at keeping in-addr.arpa zones up to date. Also, many larger network operators and ISPs trade/lease/rent consumer IP address space to other ISPs very frequently. These addresses roam around to various ISPs. There is no 1-to-1 mapping.

Ken

-- Ken Anderson Pacific.Net
Re: DNS ISP Host List Available
Marc Perkel wrote: Matus UHLAR - fantomas wrote: Marc Perkel wrote:

I've also created a DNS based list of domains that provide consumer dynamic IP address space. I'm using this list internally but thought I'd make it public in case others can use it. Trying to inspire innovation. Example: dig comcast.com.isphosts.junkemailfilter.com This list was created by grabbing the registry barrier part of the domain name of IPs from other DNS lists that list the IPs as dynamic.

Ken A wrote:

NJABL PBL already provide this, AND they are already part of SpamAssassin AND they work quite well. So, while you are 'trying to inspire innovation', you should take note of this potential problem: http://www.rhyolite.com/anti-spam/you-might-be.html

On 29.05.08 14:49, Marc Perkel wrote:

They have name based lists? Show me where.

why should anyone need name-based lists?

Name based DNS lists are more reliable because IP addresses can change.

Obviously dynamic IPs and names change. That's all built into DHCP (lease time) and DNS (TTLs). So, please elaborate on your thinking here.

The name based list covers all IP addresses where the FCrDNS resolves to that name.

Okay, so only domains that have dns setup correctly get into the list? That leaves out huge chunks of the world. How is this more reliable? It is probably a small subset of dynamic address space. The botnet plugin does a good job of making use of broken dynamic DNS names in SA. PBL and NJABL do a good job of identifying IP address space that is dynamic. What can this method do better or is it supposed to do something else?

Ken

-- Ken Anderson Pacific.Net
Re: DNS ISP Host List Available
Marc Perkel wrote: I've also created a DNS based list of domains that provide consumer dynamic IP address space. I'm using this list internally but thought I'd make it public in case others can use it. Trying to inspire innovation. Example: dig comcast.com.isphosts.junkemailfilter.com This list was created by grabbing the registry barrier part of the domain name of IPs from other DNS lists that list the IPs as dynamic. NJABL PBL already provide this, AND they are already part of SpamAssassin AND they work quite well. So, while you are 'trying to inspire innovation', you should take note of this potential problem: http://www.rhyolite.com/anti-spam/you-might-be.html Ken -- Ken Anderson Pacific.Net
Re: Directory Harvest Attack
Jason Holbrook wrote:

I am undergoing a massive directory harvest attack. Is there a good set of rules that will help stop this or a place anyone could point me.

Assuming you are doing obvious things, like not accepting mail for non-existent users, and using whatever tweaks are available in your MTA (bad recipient throttle, etc), an IDS like ossec will help. (free) http://ossec.net/ It'll block using the system firewall if an IP hits your machine more than a few times causing log entries that it triggers on. There are default rules for common MTAs.

Ken

Best Regards, Jason Holbrook Chief Technology Integrator / Partner Empower Information Systems [EMAIL PROTECTED] weblog.empoweris.com http://weblog.empoweris.com/ www.empoweris.com Skype: holbrook.jason Gtalk: jaholbrook 757-320-2667 (Direct) 757-273-9399 (office) 757-715-1944 (cell) 866-477-1544 (toll free)

This message is being sent by or on behalf of Empower Information Systems. It is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender Jason Holbrook immediately by e-mail [EMAIL PROTECTED] and delete all copies of this message. Empower Information Systems operates under a zero spam policy. If you believe this message to be spam, please contact [EMAIL PROTECTED]

-- Ken Anderson Pacific.Net
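The reply above describes the trigger a log-watching IDS such as OSSEC fires on: the same client IP producing more than a few "unknown recipient" rejections in a short time. As an added example (not code from the thread, OSSEC, or any MTA), the Python below does that counting over sample log lines: it parses Postfix-style smtpd reject entries, keeps a sliding window of reject timestamps per client, and reports the clients that cross a threshold. The log lines are constructed to look like Postfix output and are not from a real server; hooking the result into a firewall is left to the tool that owns the firewall.

```python
"""Directory-harvest detection over MTA log lines.

Added example (not from the posts).  SAMPLE_LOG is constructed in a
Postfix-style smtpd reject format; the regex is written for that shape
and would need adjusting for sendmail or another MTA.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

SAMPLE_LOG = """\
Jul  3 06:36:00 mx postfix/smtpd[9292]: connect from unknown[203.0.113.5]
Jul  3 06:36:01 mx postfix/smtpd[9292]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aaa@example.net>: Recipient address rejected: User unknown in local recipient table;
Jul  3 06:36:03 mx postfix/smtpd[9301]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <bob@example.net>: Recipient address rejected: User unknown in local recipient table;
Jul  3 06:36:05 mx postfix/smtpd[9292]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aab@example.net>: Recipient address rejected: User unknown in local recipient table;
Jul  3 06:36:09 mx postfix/smtpd[9292]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aac@example.net>: Recipient address rejected: User unknown in local recipient table;
Jul  3 06:36:12 mx postfix/smtpd[9292]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aad@example.net>: Recipient address rejected: User unknown in local recipient table;
Jul  3 06:36:15 mx postfix/smtpd[9292]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aae@example.net>: Recipient address rejected: User unknown in local recipient table;
Jul  3 06:38:40 mx postfix/smtpd[9301]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <carol@example.net>: Recipient address rejected: User unknown in local recipient table;
"""

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_rejects(log_text: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, client ip, rejected recipient) for each unknown-user reject."""
    out = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # syslog timestamps carry no year; the default (1900) is fine for deltas
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("ip"), m.group("rcpt")))
    return out


def reject_counts(log_text: str) -> Dict[str, int]:
    """Total unknown-recipient rejects per client IP."""
    counts: Dict[str, int] = defaultdict(int)
    for _, ip, _ in parse_rejects(log_text):
        counts[ip] += 1
    return dict(counts)


def detect_harvesters(log_text: str, window_s: int = 60, threshold: int = 5) -> List[str]:
    """Client IPs with >= threshold rejects inside any window_s-second span."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: List[str] = []
    for ts, ip, _ in parse_rejects(log_text):  # log order is time order
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print(reject_counts(SAMPLE_LOG), detect_harvesters(SAMPLE_LOG))
```

The window matters as much as the threshold: the legitimate relay in the sample also produces two rejects, but 157 seconds apart, so it is never flagged at a 60-second window, while the harvester hits five rejects inside 14 seconds.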
Re: purge byes in sql
Hi Miguel,

I run /usr/local/bin/sa-learn --force-expire daily with MySQL and it works fine. Here is an excellent slide show on using SQL with SA: http://people.apache.org/~parker/presentations/MO13slides.pdf

You may also find these SQL queries helpful, I run them monthly.

echo "Starting Monthly AWL purge -"
echo "Delete AWL entries older than 4 months"
$MYSQL -u$USER -p$PW -h$SERVER -e"\
SELECT count(*) as 4MonthOld FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 4 MONTH);" \
$DB
$MYSQL -u$USER -p$PW -h$SERVER -e"\
DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 4 MONTH);" \
$DB

echo "Delete AWL entries with only a single e-mail over 30 days old"
$MYSQL -u$USER -p$PW -h$SERVER -e"\
SELECT count(*) as 30DayOldSingles FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 30 DAY);" \
$DB
$MYSQL -u$USER -p$PW -h$SERVER -e"\
DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 30 DAY);" \
$DB

echo "Check for insignificant scoring AWL entries"
# The comparison operators in the next two statements were lost in the archive;
# they are restored here as "average score between -0.1 and 0.1".
$MYSQL -u$USER -p$PW -h$SERVER -e"\
SELECT count(*) as Insignificant FROM awl WHERE totscore/count < .1 AND totscore/count > -.1;" \
$DB
$MYSQL -u$USER -p$PW -h$SERVER -e"\
DELETE FROM awl WHERE totscore/count < .1 AND totscore/count > -.1;" \
$DB

$MYSQL -u$USER -p$PW -h$SERVER -e"\
SELECT count(*) as TotalBayesSeen FROM bayes_seen;" \
$DB

echo "Delete bayes seen older than 1 month"
$MYSQL -u$USER -p$PW -h$SERVER -e"\
SELECT count(*) as 1MonthOldBayesSeen FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 1 MONTH);" \
$DB
$MYSQL -u$USER -p$PW -h$SERVER -e"\
DELETE FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 1 MONTH);" \
$DB

Miguel wrote:

Hi, does SA take care of purging old bayesian records stored in mysql similar to what it does to the traditional DB files? If not, what is the recommended procedure to do so? regards
Re: DOB timeouts?
Michael Scheidell wrote:

One more thing: email to them, ar.com alices-registery, ANYTHING bounces. Any DNS blacklist provider who is not transparent and accessible needs to stop being used. (example: blocked.secnap.net Their rules for use are VERY explicit) and we are VERY easy to get ahold of

DOB's home is here: http://support-intelligence.com/dob/ It clearly says it's a BETA service. It's not blocking queries from us, currently, but it has in the past been a bit unreliable, due to its own growing pains. It's a free service, so there's no requirement of transparency or accessibility. Use it or don't. I've found it quite useful simply because nobody else has made this data available, so it's a good thing for use in SA META rules.

Ken
Pacific.Net
Re: Time to blacklist google.
Michael Scheidell wrote:

Ok, google/gmail emails back says 'this didn't come from us because people are forging our domain'. Reverse dns shows it google, dkim sig says its google. Time to blacklist google. Either google lies or they have been hacked and hackers are spamming through them. Either case, till google fixes their network and attitude, we should blacklist them.

SA:
header GOOGLEISBAD received =~ /google\.com/
score GOOGLEISBAD 100

Postfix ACL:
google.com REJECT GOOGLEISBAD

Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.156]) by fl.us.spammertrap.net (Postfix) with ESMTP id ABB5C2E11A for [EMAIL PROTECTED]; Fri, 29 Feb 2008 02:08:33 -0500 (EST)
Received: by fg-out-1718.google.com with SMTP id 13so2466562fge.45 for [EMAIL PROTECTED]; Thu, 28 Feb 2008 23:08:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:precedence:x-autoreply; bh=sL3vqqwqMdE5yWWphM0o1dUtNuEzLTPRmNUSyn+hD6s=; b=razzMn3uCoyrvZErxj1Nud67bPfwzrESFSZM+Oo06FGxw00Dhg3wvDn7MCloiNk3eHA7zkNr/u7LjInJ+LCl1KmHOi1AQENVOaVjt82b6o43N6/hUGivDC3HRSSRi9eYFouvmVufkwzxM9Y/Bvbx9ZKnyXtB+ofa/k1SjY+tgbY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:precedence:x-autoreply; b=VFo5w/0cZsC3zDwg0h6+rKfTF+UgIcOUinVWWXe1xHzRan7ZkVlYcIrNnjc+KELNRoOyYu8EBg3/ZgSF+WCoBXyYyipZxpqnr4+wAorfmYth0Kbe4PW4NR//kLL6CvVIRQZ4gkUf/NMccUWBgjRIKBF43RHr0X34LkhbF9sjYm4=
Received: by 10.86.3.4 with SMTP id 4mr9872622fgc.69.1204268912528; Thu, 28 Feb 2008 23:08:32 -0800 (PST)
Message-ID: [EMAIL PROTECTED]

Are there any X- headers? It's known that the captcha was cracked and that some webmail auto-responders are being abused. There might be a better way to ID this mail.

Ken

-- Ken Anderson Pacific.Net
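The DKIM-Signature quoted above already answers part of the "any X- headers?" question without a full verification: its h= tag lists every header the signer covered, and that list ends in `precedence:x-autoreply`, which is exactly the auto-responder fingerprint the reply suspects. The Python below is an added example, not from the thread, Gmail, or SpamAssassin: a tag=value parser for the DKIM-Signature syntax (RFC 6376 section 3.2) applied to the header from the post, with the line folding restored where the archive wrapped it. It extracts the signing domain and selector, derives the DNS name where the public key lives, lists the signed headers, and flags auto-reply markers among them. It does not check the signature itself; that needs the key from DNS and the canonicalized message.

```python
"""DKIM-Signature tag parsing and auto-reply fingerprinting.

Added example (not from the posts).  DKIM_HEADER is the header quoted
above, with the folding (CRLF + space) restored where the archive wrapped
the line.  The signature is parsed, not verified.
"""
import re
from typing import Dict, List

DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;\r\n"
    " h=domainkey-signature:received:message-id:date:from:to:subject:mime-version:\r\n"
    " content-type:content-transfer-encoding:content-disposition:precedence:x-auto\r\n"
    " reply; bh=sL3vqqwqMdE5yWWphM0o1dUtNuEzLTPRmNUSyn+hD6s=;\r\n"
    " b=razzMn3uCoyrvZErxj1Nud67bPfwzrESFSZM+Oo06FGxw00Dhg3wvDn7MCloiNk3eHA7zkNr/u\r\n"
    " 7LjInJ+LCl1KmHOi1AQENVOaVjt82b6o43N6/hUGivDC3HRSSRi9eYFouvmVufkwzxM9Y/Bvbx9Z\r\n"
    " KnyXtB+ofa/k1SjY+tgbY="
)

# Tags RFC 6376 requires in every signature.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")
# Header names that mark an automatic reply; their presence in the signed
# list (h=) means the signer itself emitted them.
AUTOREPLY_HEADERS = ("auto-submitted", "precedence", "x-autoreply", "x-autorespond")


def parse_tags(value: str) -> Dict[str, str]:
    """Split a DKIM tag-list into a dict; whitespace in b=, bh=, h= is insignificant."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # RFC 5322 header unfolding
    tags: Dict[str, str] = {}
    for item in unfolded.split(";"):
        item = item.strip()
        if not item:
            continue  # a trailing ';' is permitted
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: " + name)  # forbidden by RFC 6376
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh", "h") else val.strip()
    return tags


def missing_tags(tags: Dict[str, str]) -> List[str]:
    return [t for t in REQUIRED_TAGS if t not in tags]


def signed_headers(tags: Dict[str, str]) -> List[str]:
    """Header names covered by the signature, lower-cased, in h= order."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def selector_record_name(tags: Dict[str, str]) -> str:
    """DNS name of the TXT record holding the public key: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def autoreply_signals(tags: Dict[str, str]) -> List[str]:
    """Auto-reply marker headers that the signer covered with its signature."""
    signed = set(signed_headers(tags))
    return sorted(h for h in AUTOREPLY_HEADERS if h in signed)


if __name__ == "__main__":
    t = parse_tags(DKIM_HEADER)
    print(selector_record_name(t), autoreply_signals(t), missing_tags(t))
```

For this header the signed list yields `precedence` and `x-autoreply`, so a rule keyed on a valid gmail.com signature that covers `x-autoreply` isolates the abused auto-responder traffic instead of scoring every message that ever touched google.com.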
Developing a Bayes corpus...
I'm using Postfix 2.4.6, Amavisd-new 2.5.2, ClamAV 0.91.2 and Mail-SpamAssassin 3.2.3 in a Linux mail filter. I'm having problems getting enough ham and spam for Bayes training. I know that public corpuses and starter DB's are available, but would prefer to train using our own ham/spam. Unfortunately, this is a very labor intensive and slow process. Right now, I'm using the Postfix always_bcc function to send a copy of every email to a Linux user's mailbox. I manually classify and save the e-mails to separate disk files one-by-one. That has the downside of altering each e-mail by changing the recipient and adding several X-Amavisd headers and I understand that might impact Bayes accuracy. It's also a pain... I'm curious: how do the rest of you approach this problem? Thanks! Ken Morley
Rules penalizing The BAT!
I'm using Postfix 2.4.6, Amavisd-new 2.5.2, ClamAV 0.91.2 and Mail-SpamAssassin 3.2.3 in a Linux mail filter. As I recall, SA used to have some rules that penalized e-mail originating from mass-emailing applications like The Bat!. I see some of these now slipping through and don't see where they are scored negatively. Have those rules been obsoleted? If I wanted to add a point for messages coming from The Bat!, how would I write that rule? Thanks! Ken Morley

Here's a sample. Note that I'm also using Passive OS Fingerprinting, which doesn't recognize the IP stack either.

From [EMAIL PROTECTED] Mon Dec 17 18:42:02 2007
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Virus-Scanned: by amavisd-new using ClamAV at private_domain
X-Spam-Flag: NO
X-Spam-Score: 3.949
X-Spam-Level: ***
X-Spam-Status: No, score=3.949 tagged_above=3 required=5 tests=[BAYES_50=0.001, DCC_CHECK=2.17, HTML_MESSAGE=0.001, L_P0F_UNKN=0.8, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
X-Amavis-OS-Fingerprint: UNKNOWN [65535:52:1:52:M1364,N,W3,N,N,S:.:?:?], (link: unknown-1404), [189.15.220.184]
Date: Tue, 18 Dec 2007 00:49:29 +
From: Behlmer Cherrez [EMAIL PROTECTED]
X-Mailer: The Bat! (3.62.09) Professional
Reply-To: Behlmer Cherrez [EMAIL PROTECTED]
X-Priority: 3 (Normal)
To: [EMAIL PROTECTED]
Subject: consoling
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--372B7EDE864719

372B7EDE864719
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hej, =20
Downlooadable Softwaree=20
http://www.geocities.com/wpn3iof2b2qg13g/=09
A special point of practice: they circumcise themselves western railway in regard to goods despatched legend, set the damsel asneezing violently, an man who was a bosom friend of the sparrow. But allow him to come out alone. My friend rose lazily take again.' and ere the schoolmaster could call and also another which, on coming down a steep course you
RE: Score all emails and delete some of them
Chris wrote: Does anyone know if there's a way to score *all* emails at the server with scores from 0-100, then delete all emails at the server with scores of over 10 and deliver the rest with the scores in the subject title please ? Any help much appreciated. Chris. Spamassassin only scores emails. You'll need another application to do something with them. I use MailScanner and what you need is easily done with it. It gives you many other options as well. I think Amavis-new and Mailwatch may do the same thing but have no experience with them. Kind regards, Ken Ken Goods Network Administrator CropUSA Insurance, Inc.
Adjusting SA scores in 50_scores.cf...
I'm running SpamAssassin 3.2.3 and have been advised to increase the score for URIBL_SBL to 5.0. I see where it is defined in 50_scores.cf, but I don't completely understand the format. Mine shows: score URIBL_SBL 0 2.468 0 1.499 # n=0 n=2 Is the last score (1.499) the one I should increase? We are using both Bayes and Network Checks and I do have Mail::SpamAssassin::Plugin::URIDNSBL installed. Thanks!
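The four numbers on a 50_scores.cf line are score sets, one per combination of the two optional test families: set 0 applies with neither Bayes nor network tests, set 1 with network tests only, set 2 with Bayes only, and set 3 with both; a line carrying a single number applies in every set. The Python below is an added example, not SpamAssassin's code or configuration: a small evaluator that parses header, describe and score lines written in SpamAssassin syntax, including a constructed X-Mailer rule for the The Bat! question a few posts up, picks the score set from the bayes/net flags, and applies the header rules to a message assembled from that post's sample headers. It handles only plain header regex rules with a single flag (no eval:, meta or network rules, and Perl regex features absent from Python are not translated), so it illustrates the scoring, not the engine.

```python
"""Mini SpamAssassin-syntax header rule evaluator with score sets.

Added example (not SpamAssassin's code).  RULES and SAMPLE_MESSAGE are
constructed: the rules use the header/describe/score syntax, the message
reproduces the Received, From, X-Mailer and Subject fields quoted in the
"Rules penalizing The BAT!" post with placeholder addresses.
"""
import re
from email import message_from_string
from typing import Dict, List, Tuple

RULES = r"""
# Constructed rule set in SpamAssassin syntax (example, not from the posts).
header L_XMAILER_THEBAT  X-Mailer =~ /^The Bat!/
describe L_XMAILER_THEBAT  Message claims to be sent by The Bat!
score L_XMAILER_THEBAT  1.0
header L_GOOGLE_RCVD  Received =~ /google\.com/i
score L_GOOGLE_RCVD  0.1
score URIBL_SBL 0 2.468 0 1.499  # n=0 n=2
"""

SAMPLE_MESSAGE = """\
Received: from unknown-1404 ([189.15.220.184]) by mx.example.net with ESMTP; Tue, 18 Dec 2007 00:49:29 +0000
From: Behlmer Cherrez <sender@example.invalid>
X-Mailer: The Bat! (3.62.09) Professional
Subject: consoling

Hej,
"""

_HEADER_RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*$")
_SCORE_LINE = re.compile(r"^score\s+(\S+)\s+(.*)$")


def parse_rules(text: str) -> Dict[str, dict]:
    """name -> {'test': (header, compiled regex), 'scores': [...], 'describe': str}."""
    rules: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _HEADER_RULE.match(line)
        if m:
            name, hdr, pattern, flags = m.groups()
            rules.setdefault(name, {})["test"] = (hdr, re.compile(pattern, re.I if "i" in flags else 0))
            continue
        m = _SCORE_LINE.match(line)
        if m:
            name, rest = m.groups()
            values = [float(v) for v in rest.split("#", 1)[0].split()]  # drop trailing comment
            if len(values) not in (1, 4):
                raise ValueError("score %s: expected 1 or 4 values" % name)
            rules.setdefault(name, {})["scores"] = values
            continue
        if line.startswith("describe "):
            _, name, desc = line.split(None, 2)
            rules.setdefault(name, {})["describe"] = desc
        # other directives (tflags, meta, ...) are outside this example's scope
    return rules


def select_score(values: List[float], bayes: bool, net: bool) -> float:
    """Pick the score set: 0 neither, 1 net only, 2 bayes only, 3 both."""
    if len(values) == 1:
        return values[0]
    return values[(2 if bayes else 0) + (1 if net else 0)]


def evaluate(rules: Dict[str, dict], raw_message: str, bayes: bool = True, net: bool = True) -> Tuple[float, List[str]]:
    """Apply the header rules to a raw message; returns (total score, rule names hit)."""
    msg = message_from_string(raw_message)
    hits: List[str] = []
    total = 0.0
    for name, rule in rules.items():
        if "test" not in rule:
            continue  # scored here but tested elsewhere (e.g. URIBL_SBL is a network rule)
        hdr, rx = rule["test"]
        if any(rx.search(v) for v in msg.get_all(hdr) or []):
            hits.append(name)
            total += select_score(rule.get("scores", [1.0]), bayes, net)  # SA default score is 1.0
    return round(total, 3), hits


if __name__ == "__main__":
    print(evaluate(parse_rules(RULES), SAMPLE_MESSAGE))
```

Run against the sample, only the X-Mailer rule fires and contributes its single-set score of 1.0; the URIBL_SBL line parses to four values, and `select_score` returns 1.499 for a site running both Bayes and network tests, which is the set a site with both enabled is actually using.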
Re: Forward Conformed Reverse DNS troubleshooting tool
Matus UHLAR - fantomas wrote: On 30.11.07 06:06, Ben Spencer wrote:

Some sendmail milters do look at that banner. And perform lookups on it. One which comes to mind is milter-spiff (SPF checks). A misconfigured host with misleading banner information may also contain other misconfiguration which, while it may not allow spam, may cause some MTAs to reject the message.

they are rejecting what? are they rejecting client if HELO command does not match reverse lookup on connecting IP? if so, that's clear violation of RFC2822. You can score. You can reject because of other reasons (and rejecting because someone's trying to fake your mailserver is good). But not just because the HELO is not what the reverse lookup says.

RFCs say:
1. helo should be a fqdn.
2. you should not reject based on helo.
But if 99.999% of connections that helo with a single word are bots, then you have a legitimate reason to reject based on helo, imo.

Ken

-- Ken Anderson Pacific.Net
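The thread above and the earlier DNS ISP Host List exchange turn on two checks a receiving MTA can make about a connecting client: whether its HELO name is a fully qualified domain name (or an address literal), and whether the client IP has forward-confirmed reverse DNS, meaning a PTR name that resolves back to the same IP. The Python below is an added example, not code from any of the posts or from an MTA: it implements both checks and returns scoring signals rather than a reject decision, which matches the point made above that a HELO mismatch on its own is something to score, not to bounce on. The PTR and A tables are constructed stand-ins for DNS so it runs offline.

```python
"""HELO syntax and forward-confirmed reverse DNS (FCrDNS) signals.

Added example (not from the posts).  PTR and A are constructed lookup
tables standing in for the reverse and forward zones; a deployment would
replace them with real resolver calls.
"""
import re
from typing import Dict, List

PTR: Dict[str, List[str]] = {  # constructed reverse zone: ip -> PTR names
    "192.0.2.25": ["mail.example.net."],
    "198.51.100.9": ["dsl-9.pool.example.org."],
    "203.0.113.77": [],
}
A: Dict[str, List[str]] = {  # constructed forward zone: name -> addresses
    "mail.example.net.": ["192.0.2.25"],
    "dsl-9.pool.example.org.": ["198.51.100.10"],  # PTR names this host, but it does not point back
}


def fcrdns(ip: str, ptr: Dict[str, List[str]] = PTR, a: Dict[str, List[str]] = A) -> List[str]:
    """PTR names of ip whose own A records include ip (forward-confirmed)."""
    return [name for name in ptr.get(ip, []) if ip in a.get(name, [])]


_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(r"^(?:%s\.)+%s\.?$" % (_LABEL, _LABEL))  # at least two labels
_LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")  # RFC 5321 address literal


def helo_looks_like_fqdn(helo: str) -> bool:
    return len(helo) <= 253 and bool(_FQDN.match(helo))


def helo_signals(ip: str, helo: str, ptr: Dict[str, List[str]] = PTR, a: Dict[str, List[str]] = A) -> List[str]:
    """Scoring signals for a client; an empty list means nothing looked off."""
    signals: List[str] = []
    literal = _LITERAL.match(helo)
    if literal:
        if literal.group(1) != ip:
            signals.append("helo_literal_mismatch")
    elif not helo_looks_like_fqdn(helo):
        signals.append("helo_not_fqdn")  # a bare word such as a workstation name
    confirmed = fcrdns(ip, ptr, a)
    if not confirmed:
        signals.append("no_fcrdns")
    elif not literal and helo.lower().rstrip(".") + "." not in confirmed:
        signals.append("helo_differs_from_rdns")  # informational only, per the thread
    return signals


if __name__ == "__main__":
    for client in (("192.0.2.25", "mail.example.net"), ("203.0.113.77", "ACER-PC")):
        print(client, helo_signals(*client))
```

The single-word HELO case the reply describes lands in `helo_not_fqdn`; the dsl-9 host shows the failure mode FCrDNS is designed to catch, a PTR that names a host whose forward record points somewhere else. Both signals are inputs for a scoring rule, and the address-literal branch keeps a client that follows the RFC fallback from being penalised for it.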
Re: What to do with backscatter?
Bob Proulx wrote: Arthur Dent wrote:

One thing that does plague me however is a periodic rash of Non Delivery Receipt messages (I've just had one now - about 10-15 or so). These score anywhere between 1.2 and 11.1 but mainly around the 3.7 mark (below my spam threshold of 5.0). They all hit the ANY_BOUNCE_MESSAGE rule.

I think the best thing to do is to reject as many of those messages as you can at SMTP time. I am using Postfix with good result incorporating the ideas from this reference. http://www.postfix.org/BACKSCATTER_README.html Other MTAs will use similar methods. Bob

milter-null

-- Ken Anderson Pacific.Net
Re: spam and virus
From: Dean Clapper [EMAIL PROTECTED] Sent: Friday, September 14, 2007 9:38 AM Is there a configuration for spamassassin to catch virus attachments? Or, does any one know of one to run on a server with sendmail? I use mimedefang http://www.mimedefang.org/ with sendmail,clamav and SA. Great flexibility. Lots of mimedefang recipes on the wiki page. Ken
Re: FW: List of 700,000 IP addresses of virus infected computers
Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote:

The details are a little too complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information.

Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Jason

+1 It's a waste of time. Other subjects posted by M. Perkel: The best way to use Spamassassin is to not use Spamassassin and the very humorous, What changes would you make to stop spam? - United Nations Paper, there are dozens of other equally off topic and troll-like posts here by M. Perkel. It's clearly turned from plain ignorance of the rules of this list to marketing his junk list now, and that really doesn't belong here.

Ken

-- Ken Anderson Pacific.Net
Re: Outbound spam filtering for a large ISP
Joe Pranevich wrote: Hello, I maintain a large webmail host (I bet you can figure out which one) for free/paid accounts that sends out tens of thousands of emails a day. We're not quite Yahoo Mail or Hotmail, but we're pretty big. We're looking to scan outbound mail using SpamAssassin and I'm hoping that someone here might have some suggestions or feedback on what the best way to configure this would be. I've seen a handful of posts about this in the archive, so I know it's come up before. My plan is to scan all outbound mail and drop all mails that match to a log file or a separate directory where they can be hand-reviewed by someone in our customer service department. We also wouldn't want to actually modify the mails on the way out-- so we wouldn't add the spamassassin mail headers. Does anyone here have practical experience or advice, tweaks, etc. that would help us to implement this sort of thing? (I know the volume will be fairly high, but a nice farm of machines all running spamd should be able to load balance that part fairly well. It's the rules I'm worried about and how to make the log/discard work the way I want.) Thanks in advance for any help you can provide. Joe For one more option, see http://mailscanner.info It's perl, works great with sendmail, and has a wide variety of options for queuing, quarantining, and classifying mail using SA and going beyond what SA does by itself. It's not a milter. It has a queue, check, then forward approach that nicely levels out the load on SA. There's also some nice addon reporting available in MailWatch (sourceforge). -- Ken Anderson Pacific.Net
Re: Detecting short-TTL domains?
Jim Maul wrote: Stream Service || Mark Scholten wrote:

For so far I know it isn't possible to have a TTL that is too low (if I may believe the RFC files). It is also impossible to have too many A-records. With both facts in mind I would suggest that you find another method of detecting SPAM.

Most SA rules look for spam signs, not RFC violations. Now whether or not these are good spam signs I do not know... -Jim

They are good spam signs. Not always spam though, because sometimes a domain that is changing IP addresses has turned down a TTL temporarily, so you'd want to combine such a test with other factors, but SA is good at that! I've noticed some ISPs ignore small TTLs, presumably with an intended (or unintended) side-effect that they actually fail to resolve a lot of these fast-flux spam domains. For some interesting reading on this, see: http://www.honeynet.org/papers/ff/index.html

Ken

-- Ken Anderson Pacific.Net
Re: not everyone is happy with SA
Leonardo Rodrigues Magalhães wrote: John Rudd escreveu: If they're not multi-lingual, and only speak english, then there wasn't any point in the non-english speaker trying to contact them, was there? :-) And what about non-english companies that host their domains worldwide, sometimes in USA servers or even in other countries Well, you could put the language based on the email's character set into the url as a query string. But, it's still a very unfriendly practice. Email is email, and should not require a browser of any kind. So, you are back to sending a challenge email, which is broken for all the other reasons already stated by many here. Stick a fork in it, it's done. Ken -- Ken Anderson Pacific.Net
Re: not everyone is happy with SA
Dave Pooser wrote:

I think CR can perhaps work quite well for an individual user with the technical insight time to spare, but such individual users are only a small part of the picture.

No it doesn't. It foists the recipient's burden on others, usually due to the *lack* of technical insight. Otherwise they'd realize they are only making the problem worse.

Actually I've seen one C/R variant that addresses the backscatter C/R issue quite nicely; it dropped the suspected spam in a quarantine folder and issued an SMTP fakereject after DATA that included a link to a website where the sender could release the spam from quarantine. So no backscatter spamming innocent third parties, but you still get a chance for the sender to verify sending a message. The backend might be a little involved to set up, but the final system looked secure and easy to use.

If you return a 5xx error, what is to prevent the spammer from clicking to release? CAPTCHA? What if this system was in widespread use? It could be a serious single point of failure.

-- Ken Anderson Pacific.Net
Re: Post cart spams
Igor Chudov wrote:

I am receiving a huge amount of these spams: http://igor.chudov.com/tmp/postcard-spam.txt Just how much I got is totally incredible. I am afraid that the reason for the sheer quantity is that I actually did check out the website. (I assume a hacked computer) I knew full well that it was a bad site. But I was not afraid since I used Linux. This is some sort of a windows exploit, using metafile holes and asking to run an .exe. But I guess the unique id embedded in the URL noted that I reacted to this spam, so I am getting a lot.

Anyway, it seems that a lot of these postcard spams are slipping by SA. I wrote a procmail rule to catch them:

:0
* ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
$MAILDIR/rejected

(that's a folder that I do review periodically) I would prefer, however, to use spamassassin instead of homebrew procmail rules, due to fear of false positives. Any idea if there are any rules that I am missing that would help?

clamav is catching these, fwiw.
-- 
Ken Anderson
Pacific.Net
Re: Post cart spams
Igor Chudov wrote: Ken, I just downloaded clamav, it seems to be a file scanning tool? How do you use it from procmail? Thanks a lot!

Sorry. I don't know how to use it from procmail, but if you want to scan for viruses, read the install docs.
-- 
Ken Anderson
Pacific.Net
Re: Rulesemporium
John D. Hardin wrote:

On Fri, 13 Jul 2007, Christopher X. Candreva wrote:

On Thu, 12 Jul 2007, Kelson wrote: I don't think the typical SA ruleset is big enough to take advantage of BitTorrent. However, what you might gain is the redundancy if (in fantasy world) every user was also serving them out via bittorrent.

I was just mulling over in my head a hypothetical BittorrentMirror client. The idea being to mirror a group of files (rulesemporium rules, the whole site, etc).

I'll bring this up again: coral. Is there some reason pointing everyone at the coral cache of the website won't work? Granted, coral is also intended for large files, but it is distributed and is almost transparent...

interesting. the coral wiki seems to be full of porno links.. seems that they could use some uribl assistance. :-(

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Liberals love sex ed because it teaches kids to be safe around their sex organs. Conservatives love gun education because it teaches kids to be safe around guns. However, both believe that the other's education goals lead to dangers too terrible to contemplate.
---
11 days until The 38th anniversary of Apollo 11 landing on the Moon
-- 
Ken Anderson
Pacific.Net
Re: Need a rule written - Can whitelisting be this easy?
Per Jessen wrote:

Marc Perkel wrote: What I have is a database of a few thousand big domains who never send spam. Banks, Credit Card companies, airlines, and other big businesses.

I think big domains who never send spam is an oxymoron. I don't think that is a valuable criterion at all.

Once the host is verified as not being spoofed RDNS then for example the host is *.wellsfargo.com then it's from Wells Fargo Bank.

Nope, that's not correct. It's being sent by a Wells Fargo mail server, that is all.

or maybe a bot, who knows.. unless you establish with some confidence that the IP used sends ham only, you have nothing. According to arin, wellsfargo.com has 151.151.0.0/16 at least.. probably more. You really think you can trust 65534 hosts, so long as somebody set up the DNS properly?

Ken

/Per Jessen, Zürich
-- 
Ken Anderson
Pacific.Net
Re: Need a rule written - Can whitelisting be this easy?
Per Jessen wrote: Ken A wrote: Nope, that's not correct. It's being sent by a Wells Fargo mail server, that is all. or maybe a bot, who knows.. unless you establish with some confidence that the IP used sends ham only, you have nothing. My point exactly. And even if you do establish with some confidence, how much confidence is that really? Confidence is everything, whether it's ham or spam, whether you are looking at DNS, Content, or any statistical value you come up with. That's why SA is so great, because you can combine things like the Botnet plugin and various content checks and all sorts of things into a score that represents a confidence. M. Perkel tends towards oversimplification and curious 'marketing-like' subject lines that get threads like this one going. Sometimes it's interesting, but usually not. ymmv. Ken /Per Jessen, Zürich -- Ken Anderson Pacific.Net
Re: Rulesemporium
jdow wrote:

From: Ken A [EMAIL PROTECTED]

SARE Webmaster wrote:

Daryl C. W. O'Shea wrote:

Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM

On 07/09/2007 04:01 PM the voices made Joe Zitnik write: I can't get here: http://www.rulesemporium.com/rules Is rulesemporium having issues again?

I can rarely get there (via a browser). So rarely the site is almost useless.

I've been having intermittent issues getting there from home for a while. Last time it happened, the site was down.

I still can't get there

Hum. I just tried again, and didn't have any problems this time either. Guess I'm lucky.

Perhaps you are. I get 500 Server closed connection without sending any data back or 500 Can't connect to www.rulesemporium.com:80 (connect: timeout) at least once an hour out of three queries an hour.

Ok, so the word is that the telia link is saturated with traffic from the ddos yet.. I'd like some traceroutes to www.rulesemporium.com for anyone that is having problems.

darn spammers.. don't they have anything else to do? From both Northern California and N.E. Arkansas, I get nothing beyond

 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  75.275 ms  so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  78.995 ms  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  81.046 ms

Looks like maybe Level3 has dampened the route to you due to the problem. Time to get a mirror in Miami?

Ken

The issue with the html found in rulesets (the 0.1 refresh page) should be cleared up. If anyone is seeing this, please let me know immediately.

I am in the Los Angeles area. The mtr utility reports:

                             My traceroute  [v0.71]
morticia.wizardess.wiz (0.0.0.0)                       Tue Jul 10 19:05:13 2007
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                            Packets               Pings
 Host                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. netblock-68-183-128-1.dslextreme   0.0%     3   23.3  23.4  23.3  23.4   0.0
 2. LAX1.CR1.Gig9-0-3.dslextreme.com   0.0%     3   23.7  24.3  23.7  25.3   0.9
 3. ge-5-1-115.ipcolo1.LosAngeles1.L   0.0%     3   23.6  24.2  23.6  24.6   0.5
 4. ae-2-54.bbr2.LosAngeles1.Level3.   0.0%     3   24.2  24.4  24.2  24.6   0.2
 5. as-1-0.mp1.Miami1.Level3.net       0.0%     3   87.8  98.4  87.2 120.1  18.8
 6. so-7-0-0.gar1.Miami1.Level3.net    0.0%     3   87.6  87.6  87.6  87.6   0.0
 7. ???

So as you see there already is a mirror in the Miami area. (It is probably the one that just worked. For the mtr check I probably got the address out of the DNS cache.) Put A DelayBetweenEachFileYouFetchor attempttofetch. Maybe typing slowly so you guys can read will help. {o.o}

<sarcasm> A little misinformation tossed to spammers isn't bad here. I hear there's a mirror in Afghanistan too. And by all means.. when you browse the site.. click the stop button in your browser between it's loading each image on each page, then click the start button again. It's tricky, but if you do it just right, you can browse the whole site before the IDS blocks you. </sarcasm>

The rulesemporium site is great, and much thanks goes to the ninjas who operate it and write the rules, forcing spammers to read harry potter books.

Ken
-- 
Ken Anderson
Pacific.Net
Re: Rulesemporium
Mike Grau wrote:

<sarcasm> A little misinformation tossed to spammers isn't bad here. I hear there's a mirror in Afghanistan too. And by all means.. when you browse the site.. click the stop button in your browser between it's loading each image on each page, then click the start button again. It's tricky, but if you do it just right, you can browse the whole site before the IDS blocks you. </sarcasm>

The rulesemporium site is great, and much thanks goes to the ninjas who operate it and write the rules, forcing spammers to read harry potter books.

Ken

Yes, the rulesemporium site _is_ great. As are the rules themselves. That's why I'd like to use my browser and read just one page. Right now all I get (and this is my first attempt to browse the site since yesterday) is Waiting for www.rulesemporium.com

I'm not talking about rules_du_jour or sa-update or seeing how fast I can manually click stop or cycle through pages with my browser. I just want to go to the one page I have bookmarked. Isn't that the point of having a website? Allowing people to view your content? I'd say the DDOS is still very effective one way or another. My sympathies to the rulesemporium folks. I wish I could help, but I'm just some slob who wants to view their website. Still waiting ...

Mike

If your IP is blocked, for whatever reason, perhaps a proxy would help you until your IP is unblocked. http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2F&langpair=fr%7Cen

I bet the 'donate' link would help :-)

Ken
-- 
Ken Anderson
Pacific.Net
Re: Rulesemporium
SARE Webmaster wrote:

Daryl C. W. O'Shea wrote:

Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM

On 07/09/2007 04:01 PM the voices made Joe Zitnik write: I can't get here: http://www.rulesemporium.com/rules Is rulesemporium having issues again?

I can rarely get there (via a browser). So rarely the site is almost useless.

I've been having intermittent issues getting there from home for a while. Last time it happened, the site was down.

I still can't get there

Hum. I just tried again, and didn't have any problems this time either. Guess I'm lucky.

Perhaps you are. I get 500 Server closed connection without sending any data back or 500 Can't connect to www.rulesemporium.com:80 (connect: timeout) at least once an hour out of three queries an hour.

Ok, so the word is that the telia link is saturated with traffic from the ddos yet.. I'd like some traceroutes to www.rulesemporium.com for anyone that is having problems.

darn spammers.. don't they have anything else to do? From both Northern California and N.E. Arkansas, I get nothing beyond

 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  75.275 ms  so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  78.995 ms  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  81.046 ms

Looks like maybe Level3 has dampened the route to you due to the problem. Time to get a mirror in Miami?

Ken

The issue with the html found in rulesets (the 0.1 refresh page) should be cleared up. If anyone is seeing this, please let me know immediately.

Thanks,
-- 
Ken Anderson
Pacific.Net
Re: Rulesemporium
Duane Hill wrote:

On Tue, 10 Jul 2007 at 07:01 -0700, [EMAIL PROTECTED] confabulated:

At 04:57 AM Tuesday, 7/10/2007, SARE Webmaster wrote -=

Ok, so the word is that the telia link is saturated with traffic from the ddos yet.. I'd like some traceroutes to www.rulesemporium.com for anyone that is having problems. The issue with the html found in rulesets (the 0.1 refresh page) should be cleared up. If anyone is seeing this, please let me know immediately.

From somewhere in sunny southern California:

[EMAIL PROTECTED] ~]$ traceroute www.rulesemporium.com
traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte packets
 1  ns5gt.wrenkasky.com (10.10.10.1)  0.632 ms  0.861 ms  1.193 ms
 2  router.wrenkasky.com (216.102.129.41)  635.312 ms  636.093 ms  637.040 ms
 3  dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66)  638.464 ms  639.417 ms  640.596 ms
 4  bb2-g4-0.irvnca.sbcglobal.net (151.164.43.143)  641.546 ms  642.494 ms  643.673 ms
 5  ex1-p2-0.eqlaca.sbcglobal.net (151.164.40.161)  644.560 ms  645.740 ms  646.693 ms
 6  te-3-4.car3.LosAngeles1.Level3.net (4.68.110.113)  647.873 ms  743.477 ms  1185.795 ms
 7  ae-2-56.bbr2.LosAngeles1.Level3.net (4.68.102.161)  1186.617 ms  ae-2-54.bbr2.LosAngeles1.Level3.net (4.68.102.97)  1187.442 ms  ae-2-52.bbr2.LosAngeles1.Level3.net (4.68.102.33)  1188.649 ms
 8  as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  1313.398 ms  1314.443 ms  1315.393 ms
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  1316.574 ms  1317.520 ms  so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  1354.421 ms
10  * * *

While I get the same results as you from Iowa on the last good hop, I can get to the web site from a browser. Perhaps a firewall has ICMP blocked as I can not ping the web site either.

- _|_ (_| |

You are 100% correct. Works from here as well, though not real quick at the moment. I should have tried tcptraceroute instead; works nice for stuff like this!

Ken
-- 
Ken Anderson
Pacific.Net
Re: rewriting header so I get a blind copy of spam
Bill McGonigle wrote: On Jul 6, 2007, at 08:03, Lina, Patrick wrote: Is there some way for SA to rewrite the header of mail with a 15+ score so I get a copy (Bcc:) of those emails? How about doing it the other way around? Set up postfix's always_bcc to send a copy of all messages to a special account, then run SpamAssassin (if they're not already tagged by e.g. MailScanner) and procmail to filter them into appropriate buckets. Well, if you are running MailScanner with SA, you can have it do the bcc'ing, only on high scoring spam if you like. Ken -Bill - Bill McGonigle, Owner Work: 603.448.4440 BFC Computing, LLC Home: 603.448.1668 [EMAIL PROTECTED] Cell: 603.252.2606 http://www.bfccomputing.com/Page: 603.442.1833 Blog: http://blog.bfccomputing.com/ VCard: http://bfccomputing.com/vcard/bill.vcf -- Ken Anderson Pacific.Net
www.uribl.com
Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-( -- Ken Anderson Pacific.Net
Re: www.uribl.com
Martin.Hepworth wrote:

Ken

Web site may be having trouble but the BL's are still responding

Only one of three US rsync mirrors is. Good to know the public BLs are.

Ken

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-Original Message-
From: Ken A [mailto:[EMAIL PROTECTED]
Sent: 06 June 2007 17:38
To: users@spamassassin.apache.org
Subject: www.uribl.com

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(
-- 
Ken Anderson
Pacific.Net
-- 
Ken Anderson
Pacific.Net
Re: www.uribl.com
Raymond Dijkxhoorn wrote: Hi! Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-( There are some botnets having fun with both URIBL and SURBL. Bye, Raymond. Ah, yes www.surbl.org has gone missing too. Forget national id cards. How about a license to operate a computer? Everyone running unpatched, unfirewalled windows, please shutdown now. Thanks, -- Ken Anderson Pacific.Net
Re: zen.spamhaus.org
Jerry Durand wrote: On Jun 1, 2007, at 6:48 AM, Luis Hernán Otegui wrote: Search through the archives, there was a patch to add it to SA. Also note, do NOT use Zen to evaluate headers or anything in the body. Unless of course you need to. ;-) http://wiki.apache.org/spamassassin/TrustedRelays Ken Zen is ONLY for approving the server that contacted your server. See the notes on the Spamhaus.org web page. -- Ken Anderson Pacific.Net
Re: zen.spamhaus.org
Jerry Durand wrote: On Jun 1, 2007, at 11:54 AM, Richard Frovarp wrote: That's assuming you aren't using it intelligently. SA checks all received headers via Zen to see if they are in the SBL. PBL and XBL are only checked against last external header, via Zen. Ah, nobody mentioned that SA was only using a subset of Zen, I was talking about the people using Zen to scan ALL the headers and the body of the message. So, really, SA is just using the SBL subset of Zen to scan the headers. How about the body of the message? Everything I know that uses zen, uses a subset of it. It's a composite list, so that is pretty much a given. That's why I send the link to zen and the link to the page on SA TrustedRelays, to show you a scenario where one could use ALL of zen on a received header, rather than just the connecting relay (in a case where the connecting relay is Trusted). The body of a message is looked at by uri parsers and uses things like surbl,uribl,uri country, etc to score based on uris found in message bodies. I wouldn't use any of zen for that, but it's possible to do. Problem is you lump any host on an IP with other hosts sharing that same ip. In virtual hosting environment, there can be hundreds of sites on a single IP, so FPs are common doing this - except perhaps with SBL. -- Ken Anderson Pacific.Net
:3793/xpopup.js and _popupControl() ?
Does anyone know what is injecting this 3793/xpopup.js and _popupControl() all over the place. There's usually a http://127.0.0 .1 in front of the port :3793 I'm seeing it in webpages and email (not mine! google for it and you'll see what a mess it's making). I've searched and all I see are some guesses that it's norton or google toolbar or 'some popup blocker'. Anyone know for sure what is leaving this behind? I suspect IE of course. I'm asking here because it's leaving tracks in email that are triggering false positives in SA, so I want to know what it is. Thanks for any ideas, -- Ken Anderson Pacific.Net
Re: So you wanted to firewall your mail server...
Ernie Dunbar wrote:

We just put our mailserver (with SpamAssassin of course) behind a firewall, and now we get many many interesting error messages from spamd telling me that there's no route to some host or other. I tweaked the DnsResolver.pm module to show what host it was trying to route to, and I got this output:

May 11 12:00:09 pop spamd[47940]: dns: sendto() failed: No route to host Host: clickboothlnk.com at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/DnsResolver.pm line 340, GEN1444 line 137.
May 11 12:00:09 pop spamd[47940]: dns: sendto() failed: No route to host Host: mktexpertise.net.multi.uribl.com. at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/DnsResolver.pm line 340, GEN1444 line 137.
May 11 12:00:09 pop spamd[47940]: dns: sendto() failed: No route to host Host: 190.57.78.66.combined.njabl.org. at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/DnsResolver.pm line 340, GEN1444 line 137.
May 11 12:00:09 pop spamd[47940]: dns: sendto() failed: No route to host Host: 190.57.78.66.bl.spamcop.net. at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/DnsResolver.pm line 340, GEN1444 line 137.

Of course, hosts like 190.57.78.66.bl.spamcop.net are DNSBL blacklist members, and they resolve to nothing at all, which is why there is no route to host. But why is spamd suddenly spewing these errors now? It didn't do this before the firewall was in place.

They don't resolve to nothing at all. The response from the DNS server is usually NXDOMAIN, not 'no route to host'; you get _that_ when you block the connection to the dns server you are using.
-- 
Ken Anderson
Pacific.Net
DKIM_POLICY_SIGNSOME matches all mail
According to: http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_release_3_2_0/Changes

- separate a signature verification from fetching a policy, which makes it possible to avoid one DNS lookups (by not fetching a policy) for each unverified message by setting score to 0 for all policy-related rules (DKIM_POLICY_SIGNALL, DKIM_POLICY_SIGNSOME, and DKIM_POLICY_TESTING).

I installed Mail::DKIM and enabled the DKIM plugin. Now I'm seeing DKIM_POLICY_SIGNSOME hit every message unless the message hits DKIM_SIGNED and DKIM_VERIFIED. The score for DKIM_POLICY_SIGNSOME is set to 0. Obviously this is wrong, since most spam isn't coming from domains that 'sign some'. Any ideas?
-- 
Ken Anderson
Pacific.Net
RE: IP - Responsible Person
Bob McClure Jr wrote:

On Tue, Apr 24, 2007 at 09:03:51PM -0700, Marc Perkel wrote: Is there an algorithm that one can feed an IP address into and return the email address of the responsible person for the IP to report spam to?

There is the command-line whois, as well as the ARIN web site http://www.arin.net/whois/index.html

snip

I have been using a tool called Sam Spade since '99 or so. Quick and works pretty well although it still has the same problems outlined earlier in the thread as all it does is whois lookups. But on the plus side it's really quick and gives you the opportunity to either go with a magic lookup which tries to auto-determine the correct whois server or it lets you select the server you want to hit. I use it not only for these kinds of lookups, but it's also very useful when going through my logs looking at questionable connections. When doing any kind of lookups I always start with this tool. I really like the fact that if there is a subnet block in the whois returned, you can simply click on any of the subnets and it will do a lookup on that subnet. For that matter you have the ability to click on any blue link in the returned data and it will pre-fill that into the lookup box to do another lookup... very useful. It also attempts to do lookups at abuse.net although this is only sometimes helpful. AFAIK it only runs on Windose machines but there may be a *nix version out there somewhere. A quick google search turned up http://www.softpedia.com/get/Network-Tools/Network-Tools-Suites/Sam-Spade.shtml

HTH

Kind regards,
Ken

Ken Goods
Network Administrator
Why is this failing SPF???
According to my understanding of the way SPF works the following message should not be failing. Can anyone tell me why this failed? Here's the pertinent parts of the log:
--
Apr 11 15:00:18 maildrop postgrey[2407]: request: client_address=66.179.38.26 client_name=hamhock-outbound.hoovers.com etrn_domain= helo_name=hamhock.hoovers.com instance=7dbd.461d3042.a4146.0 protocol_name=ESMTP protocol_state=RCPT queue_id= [EMAIL PROTECTED] recipient_count=0 request=smtpd_access_policy reverse_client_name=hamhock-outbound.hoovers.com [EMAIL PROTECTED] size=18654 action=PREPEND X-Greylist: delayed 1063 seconds by postgrey-1.27 at maildrop.domain.com; Wed, 11 Apr 2007 15:00:18 EDT
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP MAIL FROM:[EMAIL PROTECTED] SIZE=18654\r\n
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) lookup (debug_sender) = undef, [EMAIL PROTECTED] does not match
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP 250 2.1.0 Sender [EMAIL PROTECTED] OK
Apr 11 15:00:18 maildrop amavisd[32198]: (32198-06) ESMTP::10024 /var/amavisd/tmp/amavis-20070411T141549-32198: [EMAIL PROTECTED] - [EMAIL PROTECTED] SIZE=18654 Received: from maildrop.domain.com ([127.0.0.1]) by localhost (maildrop.domain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for [EMAIL PROTECTED]; Wed, 11 Apr 2007 15:00:18 -0400 (EDT)
Apr 11 15:00:19 maildrop amavisd[32198]: (32198-06) Checking: pOlR15g8xTwO [66.179.38.26] [EMAIL PROTECTED] - [EMAIL PROTECTED]
Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) SPAM, [EMAIL PROTECTED] - [EMAIL PROTECTED], Yes, score=9.243 tag=3 tag2=6.31 kill=6.31 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, HTML_MESSAGE=0.001, SARE_GIF_ATTACH=0.75, SPF_HELO_FAIL=10], autolearn=no, quarantine pOlR15g8xTwO (spam-quarantine)
Apr 11 15:00:33 maildrop amavisd[32198]: (32198-06) one_response_for_all [EMAIL PROTECTED]: REJECTs, '554 5.7.0 Reject, id=32198-06 - SPAM'

Here's the SPF record for hoovers.com:
--
hoovers.com text = "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27 ip4:66.45.81.160/27 ip4:66.179.85.192/27 ip4:216.234.248.64/26 ip4:216.234.248.78 ip4:216.234.248.82 ip4:66.162.217.59 mx ptr a:exchange.hoovers.com a:mail.eca.com include:dartmail.net ~all"

The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and that IP address is within the range listed in the first SPF entry. Why did this fail?

Thanks!

Ken Morley
JM Technology Group
Ken -AT- jmtg.com
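An added example, not code from this thread or from SpamAssassin: a minimal offline SPF evaluator that decides only ip4/ip6/all mechanisms against a constructed TXT table, run for the two identities SpamAssassin scores separately. The hoovers.com record is the one quoted above; the record for the HELO name hamhock.hoovers.com is a constructed placeholder (its real record is not on this page) chosen to reproduce a HELO fail, since SPF_HELO_FAIL scores the HELO identity, which is evaluated against the HELO hostname's own record, not the envelope sender's domain.

```python
import ipaddress

# Constructed DNS TXT table; no live DNS is consulted (assumption for the demo).
# hoovers.com is the record quoted in the post. hamhock.hoovers.com is a
# constructed placeholder, NOT the real record, picked to show a HELO fail.
SPF_RECORDS = {
    "hoovers.com": (
        "v=spf1 ip4:66.179.38.0/23 ip4:66.45.81.128/27 ip4:66.45.81.160/27 "
        "ip4:66.179.85.192/27 ip4:216.234.248.64/26 ip4:216.234.248.78 "
        "ip4:216.234.248.82 ip4:66.162.217.59 mx ptr a:exchange.hoovers.com "
        "a:mail.eca.com include:dartmail.net ~all"
    ),
    "hamhock.hoovers.com": "v=spf1 ip4:192.0.2.0/24 -all",  # constructed
}

# Qualifier prefix -> result returned when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (result_if_matched, mechanism, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:          # modifiers (redirect=, exp=) are ignored here
            continue
        qual = "+"              # a mechanism without a prefix means "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((QUALIFIERS[qual], mech.lower(), arg))
    return terms


def evaluate_spf(ip, domain):
    """Evaluate one SPF identity offline.

    Only ip4, ip6 and all are decided. mx, a, ptr and include need DNS and are
    skipped, so a client that would only match those falls through to 'all'
    (a limitation of this demo, not of SPF itself).
    """
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"           # no record published for this identity
    addr = ipaddress.ip_address(ip)
    for result, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif mech == "all":
            return result
        # mx / a / ptr / include: would require DNS, skipped
    return "neutral"            # record exhausted without an 'all' term


def check_identities(client_ip, mail_from, helo):
    """Return the SPF result for the MAIL FROM domain and for the HELO name.

    SpamAssassin scores these separately (SPF_FAIL vs SPF_HELO_FAIL), so a
    sender domain that passes does not keep the HELO identity from failing.
    """
    sender_domain = mail_from.rsplit("@", 1)[-1]
    return {
        "mailfrom": evaluate_spf(client_ip, sender_domain),
        "helo": evaluate_spf(client_ip, helo),
    }


if __name__ == "__main__":
    # Constructed sender address; the IP and HELO name are from the log above.
    print(check_identities("66.179.38.26", "sender@hoovers.com",
                           "hamhock.hoovers.com"))
```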
Re: spam graphs
Jim Knuth wrote:

Today (05.04.2007/02:34) Luis Hernán Otegui wrote,

Well, if you have Postfix and Amavis, I've tried amavis-stats (a little bit old now, and frankly, never worked correctly on my Debian-based servers). I'm currently using Mailgraph, from the Debian package. Works like a charm almost out-of-the-box. Though it should be available as a package for another distros... Luix

2007/4/4, maillist [EMAIL PROTECTED]: I have seen a few people present, on this mail list, nicely detailed graphs, that obviously were the result of some server output, but they focused on email, mainly spam. I am interested in having the same. Does anyone have any recommendations for a good package that can do this? All I currently use is logwatch. It's nice for my needs to administer, but the boss would like to see something that he can understand without having to do so much thinking. Maybe he wants to replace me with a bar-graph. As always, any help is appreciated. -=Aubrey=-

I use MRTG for all system reports. Ram, Swap, httpd, load average, CPU usage, CPU temperature and so on. http://oss.oetiker.ch/mrtg/ And I use mailgraph too.

cricket is nice, and easy to use once you figure out the config files.. http://cricket.sourceforge.net/

or if you really want the boss to think you have too much time on your hands.. http://www.aditus.nu/jpgraph/

Ken Anderson
Pacific.Net
Re: Bayes db size....
- Original Message -
From: Dave Koontz [EMAIL PROTECTED]
To: 'spam mailling list' users@spamassassin.apache.org
Sent: Saturday, February 17, 2007 9:30 AM
Subject: Re: Bayes db size

Is there a consensus on this need? I deal with the seen db issue by scheduled deletion of that file. That said, with SA becoming more and more prominent all the time, I suspect the Average Joe will miss this oddity until they wind up with a sluggish system, out of drive space or other related issues. I was mostly curious of the logic on NOT doing maintenance on the Seen and AWL db files. If there is a consensus this needs to occur, then perhaps I can take the time to create a proper patch. I just want to make sure I am not missing something fundamental here

Michael Parker wrote: Dave Koontz wrote:

I use the SQL interface and expire the bayes_seen like this. I believe 6 months to be over conservative. I added a lastupdate column as a timestamp. In the perl DBM I would recommend you use a technique such as this and update the timestamp in perl. It converts nicely to SQL. Here is my query for cleaning bayes_seen (the comparison operator was lost in the archive; rows older than six months are the ones deleted):

mysql -u$USER -p$PW -h$SERVER -e \
"DELETE FROM bayes_seen WHERE lastupdate < DATE_SUB(SYSDATE(), INTERVAL 6 MONTH);" \
$DB

Hope this helps,
Ken
Re: TVD_SILLY_URI_OBFU
John D. Hardin wrote:

On Tue, 6 Feb 2007, Kenneth Porter wrote: The latest obfuscation cleverly uses a dash, a legal domain character, so one can no longer match based on non-domain characters.

I think the most robust non-DNS test would be on the length of the TLD in the obfuscated domain. What's the longest valid TLD these days? info at 4? Perhaps something like:

,https?://[^/]{1,80}\.[^./]{5},

(Refinements, of course, solicited. That's totally off the top of my head and untested.)

There are too many possible obfuscations using valid characters. This extends to non url spam as well, of course.. ie: replace the R with a P for the stock symbol spam, etc. We need to have a good rule(s) for all of the variations of the 'remove|replace|substitute' text.

Ken A.
Pacific.Net

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Gun Control: The theory that a woman found dead in an alley, raped and strangled with her panty hose, is somehow morally superior to a woman explaining to police how her attacker got that fatal bullet wound.
---
6 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays
Re: TVD_SILLY_URI_OBFU
John D. Hardin wrote:

On Tue, 6 Feb 2007, Ken A wrote:

John D. Hardin wrote: I think the most robust non-DNS test would be on the length of the TLD in the obfuscated domain.

There are too many possible obfuscations using valid characters.

It doesn't matter what obfuscation character they use if you're looking at the length of the part after the last period. I can't see them obfuscating with periods...

But what's the point if they simply have to move the obfuscation to the domain part, rather than the tld? Is it worth the cost of the additional test? ie: http://www.swell_your_dongR.com Remove the R in the link Replace the 'R' to get to the site etc...

Ken A
Pacific.Net

Well, maybe we need to consider stuff like: http://www..spammer..com/ important: un-double the periods

This extends to non url spam as well, of course.. ie: replace the R with a P for the stock symbol spam, etc.

Say they obfuscate with R: http://www.swell_your_dongRcom/ important: substitute R to . then the TLD in the obfuscated URL is swell_your_dongRcom which is (1) not a valid TLD and (2) obviously too long to be a valid TLD. SA doesn't need to worry how it's obfuscated or even that it's obfuscated. Just pull everything after the final period from the URI domain name (stripping port number stuff if necessary) and consider the validity of that as a TLD.

We need to have a good rule(s) for all of the variations of the 'remove|replace|substitute' text.

This would compliment that.
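The last-label test John describes, as an added example (not code from this thread or from SpamAssassin): pull the host out of a URI, strip userinfo and port, and judge the label after the final period by emptiness, character set, length and an allowlist. The allowlist, the 6-character limit and the sample URIs are constructed for the demo; it also shows Ken's objection, since an obfuscation placed before the final period passes untouched.

```python
import re

# Constructed allowlist for the demo; a real deployment would load the IANA list.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "edu", "gov", "museum", "uk", "de"}
MAX_TLD_LEN = 6  # assumption: longest label accepted before calling it "too long"

# scheme (optional) :: userinfo@ (optional) :: authority up to / ? #
_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?(?:[^/?#@]*@)?([^/?#]*)", re.I)


def uri_host(uri):
    """Return the host of a URI, lowercased, without scheme, userinfo, port or path."""
    m = _HOST_RE.match(uri.strip())
    authority = m.group(1) if m else ""
    if authority.startswith("["):            # IPv6 literal: keep the bracketed form
        return authority.split("]", 1)[0] + "]"
    return authority.split(":", 1)[0].lower()  # drop :port


def tld_verdict(uri):
    """Return (last_label, reason); reason is None when the label looks like a TLD.

    Reasons, in the order they are checked:
      empty label    - doubled or leading periods (www..example..com)
      non-alpha tld  - digits, dashes or underscores after the last period
      tld too long   - longer than MAX_TLD_LEN
      unknown tld    - plausible shape but not in the allowlist
    """
    host = uri_host(uri)
    if not host:
        return ("", "no host")
    # IP literals carry no TLD, so the test does not apply to them.
    if host.startswith("[") or re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return (host, None)
    host = host.rstrip(".")                  # tolerate a trailing-dot FQDN
    if "." not in host:
        return (host, "no dot")
    labels = host.split(".")
    tld = labels[-1]
    if any(label == "" for label in labels):
        return (tld, "empty label")
    # Note: punycode TLDs (xn--...) would need their own handling here.
    if not tld.isalpha():
        return (tld, "non-alpha tld")
    if len(tld) > MAX_TLD_LEN:
        return (tld, "tld too long")
    if tld not in KNOWN_TLDS:
        return (tld, "unknown tld")
    return (tld, None)


if __name__ == "__main__":
    # Constructed sample URIs mirroring the thread's shapes (neutral names).
    for sample in ("http://www.exampleRcom/",          # obfuscated final period
                   "http://www..example..com/",        # doubled periods
                   "http://www.example.com:8080/x",    # ordinary, with port
                   "http://www.exampleR.com/",         # obfuscation before the TLD: passes
                   "http://192.0.2.10/"):              # IP literal: not applicable
        print(sample, "->", tld_verdict(sample))
```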
Re: Spam graphing
Johnson, S wrote: Howdy, I've been using amavis-stats for around a couple of years and recently went on a rampage to stop spam. I was concerned that the graph was showing that I was catching about 30% spam on average which I thought was rather low. Over the weekend I spent a lot of time tuning rules and adding additional features to spamassassin and have gotten a much better effect. However, my graph is still showing that a lot of messages are making it through. I sat down for 10 minutes and tailed -f the maillog and saw that 2 messages out of 162 made it through spamassassin but the amavisd-stats still showed around 65 messages making it through. I'm pretty sure now that the graphing utility is not working correctly. I -think- that amavisd-stats is not seeing the postfix blocked or the RBL blocked messages in the log. I noticed that amavisd-stats is no longer an active project. (when I went to find an update for it) I then spend the better part of the day looking for a nice graphing utility that works. I'd like it to show total messages, spam/blocked messages, and virus emails in a clean graph. Does anyone know of any or have recommendations? Cricket is pretty easy to use, but you still have to grep your logs to create the raw numbers that it (using RRDTool) uses to graph things. I don't know if there are any pre-made configs for graphing all variety of mail logs, but there are a lot of examples to build from http://cricket.sourceforge.net/contrib/ Ken A Pacific.Net Regards, Scott
Re: Need to block spam - help!
Nathan Zabaldo wrote: I am getting pounded by increase your size, your sausage is small for your darling emails. The subject is always different and the body, but the common words. Is there a ruleset out there? I am running sa 3.1.7 with all the latest sa-updates, but these just come right on through. Spammers design spam to get through anti-spam systems. :-\ You have to either write your own rules or wait for sa-update or SARE (do get the SARE rules if you don't have them yet!) to come out with a rule that matches them. If you can write your own rules, you'll be able to respond to this sort of thing much quicker. The risk of an FP is somewhat greater though.. Especially if you happen to have customers that get email from HR Block, telling them how they will increase the size of their ... tax refund. Ken A Pacific.Net