Re: Breaking up the Bot army - we need a plan

2006-12-11 Thread Steve Thomas
Once again, Perkel clutters the SpamAssassin list with a non-SpamAssassin
discussion. One which, IIRC, he's just rehashing from a year or so ago
(are we going to see a rehash of the "The Future of Email is SQL" thread,
too?). There are FAR more appropriate forums for these non-SA related
things.

Is anyone else getting tired of this? Forty-eight messages on the SA list
today that have nothing to do with SA. What's the point of having a
topical mailing list if nobody cares that the discussion is off-topic?

St-


 As spam keeps increasing in volume and complexity we will eventually
 lose the war on spam if we don't change the standards. I'd like to open
 a discussion about what needs to be done and how to go about doing that.
 So I'll start.

 Any changes to the standard need to be evolutionary. If we add a new
 feature to the standard that is so compelling that people give up the
 old standard and it is phased out.

 First - I see bot nets as the biggest culprit. Not just as spammers but
 as sources for DDOS attacks. In the early days of email only the
 sharpest people had access to it. Now that consumers are using it they
 need some protection and we need protection from them. How do we isolate
 end users so that they can't get viruses as easily and spread them as
 easily?

 By default all consumers should be behind a NAT to protect them from the
 outside world. Like many of you, I'm someone who works from home and
 provides some service from home. So I would not want to be prohibited from
 running an email server from home. But if I had to go to a web panel
 that my ISP provided to open up ports, that would be fine with me.

 All outgoing email from consumers should by default be required to use
 authenticated SMTP or some new authenticated protocol. At least force
 consumers to use the submission port and block off port 25 for outgoing
 SMTP by default. If consumers were forced by default to send mail on a
 different port then servers could determine if they were talking to a
 consumer or if they were talking to another server. And outgoing email
 would require a password to send, so the virus wouldn't know the
 password and the virus wouldn't be able to send email. You could also
 have the operating system register apps that are allowed to send email
 and block all apps that aren't specifically allowed.

 The idea here is that if you can reduce the mechanisms that allow
 viruses to spread then there comes a point where viruses go away. All we
 have to do is get the spreading down to that threshold.

 I believe that if we do it right that the bot army threat can be beaten.
 And if we got to that point the rest would be manageable.

 We can talk about other things but I'll stop here to focus on the bot
 army.




Re: Block wrote: spams

2006-11-08 Thread Steve Thomas
I've added three procmail rules in the last few days to combat the deluge
of these (and other) spams. I figure that these are all passing fads and
aren't worth writing SA rules for. YMMV, of course, but in my case, the
procmail method works best.


:0
* ^subject:.*your concert tickets reservation
.spam.learn/

:0
* ^subject:.* here :\)
.spam.learn/

:0
* ^subject:.* wrote:$
.spam.learn/


I normally don't tweak my .procmailrc for a specific type of spam, but the
sheer volume of these three types of spams made it worth it. I've cut the
volume of spam that makes it to my inbox and spam folder in half - the
rest goes directly into the 'learn' directory, where a cron job runs once
an hour to add them to bayes.




Re: Fishing

2006-09-13 Thread Steve Thomas
 .com will, of course, be a challenge.

/htt[p|ps]:\/\/.*?\/.*\.com$/i





Re: Fishing

2006-09-13 Thread Steve Thomas
 .com will, of course, be a challenge.

 /htt[p|ps]:\/\/.*?\/.*\.com$/i

Correction! That should be:

/htt(p|ps):\/\/.*?\/.*\.com$/i

and slightly more efficient (doesn't capture backreference):

/htt(?:p|ps):\/\/.*?\/.*\.com$/i





Re: Fishing

2006-09-13 Thread Steve Thomas
 Steve Thomas wrote:
  /htt(?:p|ps):\/\/.*?\/.*\.com$/i

 Why not /https?:\/\/.*?\/.*\.com$/i

Because I always forget that the question mark can be used that way, and
if I can't seem to remember it, nobody else gets to use it! That's why. :)

Nice catch.

Steve atrophying perl skills Thomas




Re: catching fake usernames?

2006-09-01 Thread Steve Thomas
 On Thu, August 31, 2006 05:41, Rick Roe wrote:
 like there should be a simpler, more automatic way to do this. Am I
 missing something?

 in postfix main.cf

 smtpd_reject_unlisted_sender = yes

In exim.conf, somewhere in acl_check_rcpt:

  require verify = sender





Re: Hacked E-Trade Phishing Site

2006-08-30 Thread Steve Thomas
 Check at the top of this E-trade Phishing site:

 http://196.1.161.115/e/t/user/login/

That's brilliant. Looks like there's a creative grey-hat out there somewhere.

Also interesting - the login form itself is a flash app. I haven't seen
that before (but I don't check many of them out, either...).

St-




Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Steve Thomas
 Why use 2
 protocols when you can use one?

Oh I don't know. Maybe because the infrastructure for it is already in
place in the form of hundreds of thousands of existing mail servers that
already require authentication if the message being transmitted isn't
destined for a local user?

 There would have to be a POP SEND as well.

I see. So you're advocating the complete rewrite of two of the most widely
used protocols on the Internet, plus the addition of your solution to
the hundreds or thousands of perfectly good MUAs out there, and for what?
So end users don't have to click three or four times in their client while
setting up a new account?

You're just not getting it. Your idea is bad. Not just bad, but really,
really bad. Actually, it's worse than that. It's incredibly stupid. You
haven't provided one single advantage to be gained by implementing it,
other than end users not having to turn on SMTP AUTH. You're talking about
a complete overhaul of the global mail system with no discernible
advantage to be gained. Even if the UN (who shouldn't even be bothered
with something like this) were to praise your suggestion and recommend its
use, you wouldn't get anybody to implement it. It's a horrible, useless
idea.

Kudos for trying to come up with something revolutionary to address the
spam problem, but you failed miserably. Toss this one in the shredder and
try again. We'd all like to see a real solution to the problem, and if you
can come up with it, fantastic. This isn't it, though.

St-




Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Steve Thomas
 Spam is never eliminated - just reduced. Most spam comes from virus
 infected zombies that talk SMTP. If end users were by default set up so
 that they can only send email by IMAP then you can block off SMTP ports
 for end users isolating them from the SMTP world. That would take a huge
 bite out of the spam problem.

Which is something that many ISPs and corporations already do. What makes
you think that any more of them will do it if your plan were to be
implemented?

Responsible networks are already blocking port 25, while irresponsible
networks (generalizing to make a point) aren't. What's going to happen to
make the irresponsible networks change their ways? Why hasn't it happened
already? What kind of incentive does your plan specifically provide to
help change those network owners' minds?




Re:

2006-07-18 Thread Steve Thomas
 unsubscribe
 end

list-unsubscribe: mailto:[EMAIL PROTECTED]





Re: question about SpamAssassin

2006-07-14 Thread Steve Thomas
 We use a MTA package called Extremail (http://www.extremail.com) and I was
 wondering if SpamAssasin is compatible with it.

Did you check their forums at http://extremail.monsterserver.de/main.php ?
They have a forum dedicated to integrating anti-spam products with their
server, although it requires a login before you can view any posts, so I
don't know if SA is discussed in there.

HTH,
St-




Re: using spamdc/spamd getting better results?

2006-07-14 Thread Steve Thomas
Hi Yossi,

 My mail relay is built on sendmail and MailScanner configured
 with SA 3.1.1.
 ...
 How do i start spamc?

IIRC, MailScanner loads the SpamAssassin perl modules directly - it
doesn't use spamc/d, nor does it use the spamassassin script.

HTH,
St-




RE: outlook email is beeing flag as spam...

2006-06-26 Thread Steve Thomas
 -1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                             [score: 0.3371]
  0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
  1.8 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
  1.0 HTML_MESSAGE           BODY: HTML included in message
  1.7 MSGID_DOLLARS          Message-Id has pattern used in spam
  1.9 RATWARE_MS_HASH        Bulk email fingerprint (msgid ms hash) found
  2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found

FWIW, I just sent myself a test message using Outlook and these are the
only rules that fired:

  -1.8 ALL_TRUSTED
  -2.6 BAYES_00
  -0.0 AWL

I'm using Outlook 2003 (11.8010.6568) SP2 and SA 3.1.0.




Re: The Future of Email is SQL

2006-06-14 Thread Steve Thomas
 So - like I said - this is visionary stuff. Think SQL - think outside
 the box.

It's not all that visionary. Microsoft's been working on WinFS - a SQL
based system for storing files - for years. It's supposed to have been
released as a part of longhorn (vista), but they're pushing it back.

I'm still confused as to why this is even being discussed on this list,
though. SA is just a system for identifying and labeling certain types of
messages. It has nothing whatsoever to do with where or how those messages
are stored.

St-




Re: The Future of Email is SQL

2006-06-09 Thread Steve Thomas
While this is quite an interesting topic, I have to ask why it's on the
spamassassin list. Message stores aren't spamassassin specific and this is
already a pretty high-volume list. Does this discussion really belong
here?

St-




Re: is there a way to block email coming from

2006-06-07 Thread Steve Thomas
 country, other than USA? How would you look up the network block on
 country such as Romania, China, Taiwan, Thailand, Korea, and so on...

 Thanks.

Check out http://countries.nerd.dk/ and http://www.blackholes.us/





Re: 3.1.2?

2006-04-27 Thread Steve Thomas
 On Wed, Apr 26, 2006 at 05:32:45PM -0400, Joe Flowers wrote:
 Any educated guesses on when 3.1.2 will be released?

 I was hoping to get it out this month, but I think it'll probably be next
 early month before it's all ready to go.

Any word on whether or not it includes a fix for bug #4590?
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4590

Thanks for your efforts - you guys rock.

St-




RE: apache httpd + spam assassin = web without spam?

2006-04-10 Thread Steve Thomas
 I was having this problem for a while... then I added a confirmation block
 to my guestbook - so that any post had to be confirmed.

 Boom - spam stopped (I've never even gotten confirmation notices that they
 tried again).

I did basically the same thing. I hacked PHPBB a little to throw an error
if a certain non-standard form field didn't have a specific value, and my
forum spam has stopped completely. Their bots are still creating accounts,
but they can't post, so there's no real damage done.

St-




Re: This isn't being tagged

2006-03-17 Thread Steve Thomas
These things are being properly detected for me. Here's the headers from
one I received this morning:

--
Return-path: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on titan.sthomas.net
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.5 required=5.0 tests=BAYES_99,HTML_90_100,
 HTML_MESSAGE,RCVD_IN_XBL,UNPARSEABLE_RELAY autolearn=no version=3.1.0
X-Spam-Report:
 * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
 * lines
 * 0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 * [score: 1.]
 * 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 * [87.97.49.1 listed in sbl-xbl.spamhaus.org]
Envelope-to: [me]
Delivery-date: Fri, 17 Mar 2006 07:33:49 -0800
Received: from mail by titan.sthomas.net with spam-scanned (Exim 4.30)
 id 1FKGxY-0006Ao-CW
 for [me]; Fri, 17 Mar 2006 07:33:49 -0800
Received: from [87.97.49.1] (helo=aias.gr)
 by titan.sthomas.net with smtp (Exim 4.30)
 id 1FKGxX-0006Ai-O6
 for [me]; Fri, 17 Mar 2006 07:33:48 -0800
Message-ID: [EMAIL PROTECTED]
Reply-To: Darius Clack [EMAIL PROTECTED]
From: Darius Clack [EMAIL PROTECTED]
To: [me]
Subject: Re: PhU8aramacy news
Date: Fri, 17 Mar 2006 10:32:50 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary==_NextPart_000_0001_01C649AE.24185770
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106




Re: encoded spam that got thru

2006-03-13 Thread Steve Thomas
 Without being able to decode that block of stuff myself and thus see what
 it says

It's a stock spam for some oil company.

Decoding anything base64 encoded is pretty easy if you have perl installed
somewhere:

--- cut ---
#!/usr/bin/perl

use MIME::Base64;

# Read the encoded block from standard input (paste it in, then press
# Ctrl-D) and print the decoded bytes. decode_base64 ignores the line
# breaks that mail clients insert into the encoded data.
my $encoded = do { local $/; <STDIN> };
print decode_base64($encoded);
--- cut ---
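Added example, not from the post: the same idea in Python, in two steps a practitioner usually needs together. `decode_base64_blob` takes a blob pasted out of a message and tolerates the damage a copy-and-paste does to it (line wrapping, stray whitespace, lost `=` padding). `decoded_text_parts` skips the pasting altogether: it walks a raw MIME message and hands back every text part already decoded, whether the spammer used base64 or quoted-printable. The sample message is constructed here (addresses use the reserved `.invalid` domain); both of its parts decode to the same words so the result is easy to check.

```python
import base64
import email
from email import policy


def decode_base64_blob(text):
    """Decode a base64 block pasted out of a message body. Line wrapping,
    stray whitespace and missing '=' padding are all tolerated, because a
    blob copied from a mail client rarely survives intact."""
    compact = "".join(text.split())          # drop newlines and spaces
    compact += "=" * (-len(compact) % 4)     # restore padding to a multiple of 4
    return base64.b64decode(compact)


def decoded_text_parts(raw_message):
    """Walk a raw MIME message and return the decoded text of every text/*
    part, whatever its Content-Transfer-Encoding (base64, quoted-printable,
    7bit/8bit). Attachments and the multipart container are skipped."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    texts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True)   # undoes the transfer encoding
        charset = part.get_content_charset() or "us-ascii"
        texts.append(raw.decode(charset, errors="replace"))
    return texts


# Constructed sample (not a real message): a two-part message whose plain
# text part is base64 wrapped across two lines and whose HTML part is
# quoted-printable. Both decode to "hello world".
SAMPLE_MESSAGE = """\
From: Sender <sender@example.invalid>
To: <you@example.invalid>
Subject: Re: news
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: base64

aGVsbG8g
d29ybGQ=

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<p>hello=20world</p>
--b1--
"""


if __name__ == "__main__":
    # A blob with a space, a line break and no padding still decodes.
    print(decode_base64_blob("aGVs bG8g\nd29ybGQ"))
    for text in decoded_text_parts(SAMPLE_MESSAGE):
        print(repr(text))
```

For a message saved from a mailbox, `decoded_text_parts(open(path).read())` is the whole job; the `errors="replace"` keeps a mislabelled charset, which spam often has, from aborting the decode.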




Re: SA-LEARN HANGING when database over 2000 SPAM messages

2006-03-01 Thread Steve Thomas
 I think it was Steve that said his database is in SQL format. How do I
 convert the spamassassin database on FreeBSD 5.4 to SQL?

I used the procedure found on this page as a guide:
http://www200.pair.com/mecham/spam/fc4-spamassassin-sql.html





Re: SA-LEARN HANGING when database over 2000 SPAM messages

2006-02-28 Thread Steve Thomas
 -rw---  1 root  wheel  549775048704 Feb 28 10:47 bayes_toks

I'll leave it to the experts to help you out here, but I would assume that
a token db that's apparently half a terabyte in size is a *slight*
indication of a problem somewhere... ;)





Re: SA-LEARN HANGING when database over 2000 SPAM messages

2006-02-27 Thread Steve Thomas
 The first time I encountered this problem was when the spam database had
 around 3000 SPAM and about 1 HAM; the database seems to become
 corrupt. I start to receive PERL errors.
 ...
 Is there a problem with the database when it
 reaches a certain size?

I can't offer much assistance with your problem, but on the db size, I can
say that we were running it with around 25k spams and 25k hams learned,
with sa-learn running on shared imap folders every hour adding more.

This was with SA 2.70-cvs. We just upgraded to 3.1.0 and converted the
bayes and whitelist databases to MySQL. Spamd and MySQL now run on a
dedicated server which is accessed by spamc on our smtp/incoming MX and
sa-learn on our pop/imap server. Our setup is a little complex, but it
works very well.

St-




spamd mysql redux

2006-02-22 Thread Steve Thomas
Howdy list,

I'm having the exact same problem that Glenn is/was having as posted about
last week. (see
http://article.gmane.org/gmane.mail.spam.spamassassin.general/77708)

I'm using Fedora Core 4, perl 5.8.6, SA 3.1.0 and mysql 4.1. SA was
installed by building an RPM directly from the tarball. It's a fresh
install of everything on a brand new box.

The sql username/password/database/port/etc is all fine. If I start spamd
from the command line (spamd -q) it works fine. If I start it daemonized
(spamd -q -d from the command line or service spamd start [with
appropriate options in init script]), it won't talk to the database. The
errors it produces (when run with -D) are:

Feb 22 11:45:42 ronin spamd[3322]: bayes: using username: root
Feb 22 11:45:42 ronin spamd[3322]: bayes: unable to connect to database:
Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13)
Feb 22 11:45:42 ronin spamd[3322]: config: score set 1 chosen.
Feb 22 11:45:42 ronin spamd[3322]: config: failed to load user (root)
scores from SQL database: config: SQL error: Can't connect to local MySQL
server through socket '/var/lib/mysql/mysql.sock' (13)
Feb 22 11:45:42 ronin spamd[3322]: spamd: service unavailable: Error
fetching user preferences via SQL at /usr/bin/spamd line 1682.

I have it set up to use the db for bayes and user prefs. When it isn't
running daemonized, I get the expected less than 200 spams learned and
no user prefs found type of messages, indicating that the connection is
being made and queries are being run successfully.

This seems to be an issue with the daemonization of spamd, perhaps only on
FC4. I've contacted Glen and he was nice enough to reply in a very timely
manner, but he also hasn't found a solution. I've been pounding on this
for a couple of days now and all I've got for my troubles is less hair
(that's what happens when you pull it out!).

I'm at my wit's end, and have to get this up and integrated this week.
It's replacing an OLD SA installation (2.70-cvs) that's eating up all the
resources on the server it's running on, which handles some other
business-critical processes.

If anyone has a suggestion beyond what's already been posted in the
earlier thread, I'm all ears...

Thanks,
St-




Re: spamd mysql redux

2006-02-22 Thread Steve Thomas
 Feb 22 11:45:42 ronin spamd[3322]: bayes: unable to connect to database:
 Can't connect to local MySQL server through socket
 '/var/lib/mysql/mysql.sock' (13)

 Is that where mysql.sock is located? I don't know where the MySQL RPMs
 might
 stick it, but source installs stick it at /tmp/mysql.sock by default.

Yep, that's where it's at. I've also tried specifying the port in the dsn
options in the cf file, i.e.
user_scores_dsn DBI:mysql:spamassassin:localhost:3306

I'm most curious about the error number given - (13). In mysql speak,
that's a 'permission denied', but according to the logs, there's no
connection attempt even being made. I don't know if that number is coming
from spamd, the perl db api or mysql. I doubt it's coming from mysql,
since I'm not seeing any connection attempt whatsoever.

Thanks,
St-





Re: spamd mysql redux

2006-02-22 Thread Steve Thomas
 i googled a bit and found this related to fedora3 and SELinux:
 http://forums.mysql.com/read.php?11,20759,21482#msg-21482

I had seen that page, but didn't know what selinux was (thought it was a
distro!) so I thought it was irrelevant. After checking it out, it turns
out that that's what the problem is/was! I disabled selinux and the first
test after rebooting seems to have worked.

I don't believe I need selinux for anything, as our environment's pretty
well controlled and we've made do without it for.. well forever, but I'll
probably have to learn about it eventually so I suppose I'll start looking
into it...

Thanks a million Matthias. I'm kind of embarrassed that I was looking at
the answer yesterday and dismissed it... :\

For Glen and the archives:
I disabled selinux by setting the SELINUX environment variable to
disabled in /etc/selinux/config and rebooting.

Thanks again,
St-
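Added example for the archives (my code, not part of the thread): the number in parentheses that the MySQL client appends, the `(13)` in "Can't connect to local MySQL server through socket ... (13)", is the operating system's errno, and 13 is EACCES. That single fact explains the puzzle above: EACCES is returned by the kernel at connect(2), before anything reaches mysqld, which is why no connection attempt shows up in the database logs, and it is exactly what an SELinux denial looks like to the calling process. The script below reproduces the three outcomes a wrong socket setup can give (ENOENT, ECONNREFUSED, EACCES) and names the cause for each; `diagnose_unix_socket`, `explain_errno` and the temporary stale-socket fixture are my names, and the two socket paths tried in `main` are the ones mentioned in the thread.

```python
import errno
import os
import socket
import tempfile


def explain_errno(code):
    """Translate the errno that the MySQL client prints in parentheses after
    "Can't connect to local MySQL server through socket ..." into the cause
    as seen from the connecting process."""
    if code == 0:
        return "connected: path and permissions are fine"
    if code == errno.ENOENT:
        return "ENOENT: no socket file at that path (check mysqld's socket= setting and the DSN)"
    if code in (errno.EACCES, errno.EPERM):
        return ("EACCES/EPERM: the kernel refused connect(2) before anything reached the "
                "server, so mysqld logs nothing; check the socket file's mode and owner, "
                "and look for SELinux AVC denials in the audit log")
    if code == errno.ECONNREFUSED:
        return "ECONNREFUSED: the socket file exists but no server is listening on it"
    return "%s: %s" % (errno.errorcode.get(code, "E%d" % code), os.strerror(code))


def diagnose_unix_socket(path):
    """Attempt a connection to a Unix-domain socket and return
    (errno, explanation); errno is 0 on success."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        code = 0
    except OSError as e:
        code = e.errno
    finally:
        s.close()
    return code, explain_errno(code)


def stale_socket_path():
    """Constructed fixture: a socket file in a fresh temporary directory with
    no listener behind it. Connecting to it reproduces ECONNREFUSED."""
    path = os.path.join(tempfile.mkdtemp(), "mysql.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()          # the filesystem entry outlives the socket
    return path


if __name__ == "__main__":
    # The two locations mentioned in the thread, plus the stale fixture.
    for p in ("/var/lib/mysql/mysql.sock", "/tmp/mysql.sock", stale_socket_path()):
        code, why = diagnose_unix_socket(p)
        print("%-40s errno=%-3d %s" % (p, code, why))
    print("The '(13)' in spamd's log means:", explain_errno(13))
```

Running it as the same user spamd runs as, from a daemonized context, reproduces the EACCES case only when the policy actually blocks that process; the same script run from an interactive shell can succeed, which is the "works from the command line, fails as a service" symptom reported above.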




Re: From: '' whitelisted?

2005-12-05 Thread Steve Thomas
 How is it that this (weird, sort-of-null) From: address is whitelisted?
 It's surely not listed in my local.cf or user_prefs.  Any ideas?

From RFC 2821:


   If an SMTP server has accepted the task of relaying the mail and
   later finds that the destination is incorrect or that the mail cannot
   be delivered for some other reason, then it MUST construct an
   undeliverable mail notification message and send it to the
   originator of the undeliverable mail (as indicated by the reverse-
   path).  Formats specified for non-delivery reports by other standards
   (see, for example, [24, 25]) SHOULD be used if possible.

   This notification message must be from the SMTP server at the relay
   host or the host that first determines that delivery cannot be
   accomplished.  Of course, SMTP servers MUST NOT send notification
   messages about problems transporting notification messages.  One way
   to prevent loops in error reporting is to specify a null reverse-path
   in the MAIL command of a notification message.  When such a message
   is transmitted the reverse-path MUST be set to null (see section
   4.5.5 for additional discussion).  A MAIL command with a null
   reverse-path appears as follows:

  MAIL FROM:<>



Whether or not the null sender should be in the default whitelist is
subjective, but I think most would agree that it's prudent.




Re: From: '' whitelisted?

2005-12-05 Thread Steve Thomas
 1) null sender isn't in the default whitelist

 2) the rule matched isn't due to the default whitelist, as that would show
 up as
 USER_IN_DEF_WHITELIST, instead of USER_IN_WHITELIST.

I guess I need to brush up on my SA rules vocabulary.. :)


 3) The message in question has the null path as its From: header address;
 this is COMPLETELY different from the return path mentioned in RFC 2821.

Yes, it is, and I realized my mistake about the same time as I released
the mouse button from clicking Send. Someone else had asked about the
return-path, and I was waiting on a response to that before correcting
myself, if necessary.




Re: Recurring abuser

2005-12-01 Thread Steve Thomas

 My MailScanner boxes are still getting drilled with the Sober.Virus and
 spam (none of which have made it through) from a single IP address. I did
 a lookup on dnsstuff.com for the address {66.243.13.178} but made no
 headway on what to do about this. What steps do I need to do in order
 to get this to stop? I haven't seen a degradation in mail processing,
 but seeing over 150 Sober infected emails, and countless spam each day
 is a bit annoying.

iptables, access.db, cisco acl, hosts.deny, smtp daemon config... choose
your poison..






Re: SpamAssassin as a Relay Server - how can I make it better?

2004-09-21 Thread Steve Thomas
On Tue, Sep 21, 2004 at 11:34:08AM -0700, Ken Versteeg is rumored to have said:
 
 I'm running SpamAssassin-2.55 ...
  
 ...Thanks for any feedback/assistance.

The first thing to do is upgrade to the latest release version, which is 2.64. 
Do that, then see how it goes. There were a LOT of improvements made between 
the 2.5x and 2.6x releases and I'll bet that most of your problems disappear 
if/when you upgrade.


-- 
Steve Thomas -=*=- sthomas.net
Registered Linux User #281447