Re: Anyone from ReturnPath want to deal with this
On Sat, 2012-09-01 at 01:14 +0100, Ned Slider wrote: Hi list, Would anyone from ReturnPath care to take a look at the following: Received: from mail5.eventbrite.com (mail5.eventbrite.com [67.192.45.102]) which just spammed a contact@ address scraped off website and has -5pts awarded by ReturnPath: RCVD_IN_RP_CERTIFIED=-3 RCVD_IN_RP_SAFE=-2 sent from miracle_mur...@hotmail.com Compromised server/account maybe?? Nope, just the usual $$$ Return Path $$$ quality customer base :-)
Re: Suddenly getting lots of false positives.
On Sun, 2012-05-27 at 12:39 +0300, Jari Fredriksson wrote: On Sun, May 27, 2012 12:28, Jeremy Morton wrote: I don't see what relevance the DNS servers I use on my machine have to do with querying dnswl.org - surely dnswl.org shouldn't even know if I'm using Google's nameservers? You ask Google. Google does not know. They ask dnswl.org's DNS. dnswl.org does not see You. They see only Google. And lots of them. They block Google.

Exactly - just like Spamhaus. The difference with Spamhaus is you will usually get no A record back even for a blacklisted IP or domain. I'm sure they are not the only blocklist to do it. It's all mostly related to revenue protection money, but hey - their blocklist, their rules. I must add that the Barracuda list works flawlessly through Google's servers and is still the best list I've found.
Re: Suddenly getting lots of false positives.
On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote: I've gotten a lot of false positives coming into my inbox lately, and the principal reason for most of them seems to be that they are matching the following rule:
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust
Given the connecting IP is listed with a number of anti-spam blocklists:
59.94.13.26 Listed in Spamhaus XBL (CBL Data)
59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
59.94.13.26 Listed in Barracuda Reputation List
59.94.13.26 Listed in dul.dnsbl.sorbs.net
59.94.13.26 Listed in UCE PROTECT LEVEL 2
59.94.13.26 Listed in UCE PROTECT LEVEL 3
and that bestinternetdancer.com is listed in the Spamhaus domain block list and the multi.uribl.com block list, you'd have to wonder why it gets a reduction from: www.dnswl.org

I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site that anyone can kind of abuse? The rule is tucked away in 72_active.cf, along with the other 'pay to spam' whitelists from the likes of Return Path. I suggest you add this to your local.cf to deal with such abuse:
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0
But that's just my default settings on every instance of SA that I work on. Sometimes I add points for Return Path as it seems to help BLOCK spam rather than pass ham - but that's a can of worms and a different subject.
Re: Suddenly getting lots of false positives.
On Thu, 2012-05-24 at 11:11 +0100, Jeremy Morton wrote: Where would the rules for these blocklists be, so I can check my rules files to see whether they're there?

In later rulesets (forget when they added it) it looks something like this:
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_BRBL_LASTEXT eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
tflags RCVD_IN_BRBL_LASTEXT net
endif
And tends to live in 72_active.cf. Grep for it with:
grep -Hl -r RCVD_IN_BRBL_LASTEXT /usr/share/spamassassin/*
or
grep -Hl -r RCVD_IN_BRBL_LASTEXT /*
if you get stuck (it's slow this way, but if you don't know where your rules are, this will tell you if it's there or not). If it's not there just add it to your local.cf file with something like this:
header BARRACUDA_BL eval:check_rbl('Barracuda', 'b.barracudacentral.org.')
describe BARRACUDA_BL listed by BARRACUDA
tflags BARRACUDA_BL net
score BARRACUDA_BL 4.5
It's also worth adding that taking out the Spamhaus WHITELIST is worth doing - it's rubbish and wastes a DNS lookup:
score DKIMDOMAIN_IN_DWL 0
On the subject of Spamhaus, if you are using big name resolvers (like Google DNS servers or similar) then you will not get reliable results. Spamhaus decided to block these and always return clear even if the IP address is on one of their lists. Personally I've lost most of my respect for Spamhaus, and find the Barracuda list much, much better in any case.
Re: Suddenly getting lots of false positives.
On Thu, 2012-05-24 at 16:22 +0100, Jeremy Morton wrote: Not sure. I get this: http://pastebin.com/0U3WrgSS

The answer is at the bottom:
40.152.71.64.list.dnswl.org. 43200 IN A 127.0.6.3
;; Received 61 bytes from 208.67.172.131#53(c.ns.dnswl.org) in 76 ms
So, according to c.ns.dnswl.org it's a hit. And if we do:
dig +short @208.67.172.131 40.152.71.64.list.dnswl.org
127.0.6.3
It appears to be a hit.
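An added example (not code from the thread or from SpamAssassin) showing what the posts above are about: how a DNSBL/DNSWL query name is built from the connecting IP, how a dnswl.org answer such as 127.0.6.3 decodes to SpamAssassin's RCVD_IN_DNSWL_* suffix, and how the suggested local.cf score overrides turn a net score of 6.5 for the listed IP into 10.5. DNS answers are constructed inline so it runs offline; the Spamhaus scores are illustrative placeholders, the other scores are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed DNS answers standing in for live lookups so the example runs
# offline. Keys are the names a DNSBL client queries (reversed octets plus
# zone); values are the A records returned. The 127.0.6.3 answer is the one
# from the dig output above; the answers for 59.94.13.26 are constructed to
# reproduce the listings quoted in the thread.
FAKE_DNS = {
    "26.13.94.59.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # XBL, PBL
    "26.13.94.59.b.barracudacentral.org": ["127.0.0.2"],
    "26.13.94.59.list.dnswl.org": ["127.0.6.2"],                  # medium trust
    "40.152.71.64.list.dnswl.org": ["127.0.6.3"],
}

# Rules discussed in the thread: (rule, zone, answer pattern, score).
# DNSWL_MED (-4.0) and BARRACUDA_BL (4.5) scores are the ones quoted above;
# the Spamhaus scores are illustrative, not SA defaults.
RULES = [
    ("RCVD_IN_XBL", "zen.spamhaus.org", r"127\.0\.0\.[4-7]", 3.0),
    ("RCVD_IN_PBL", "zen.spamhaus.org", r"127\.0\.0\.1[01]", 3.0),
    ("BARRACUDA_BL", "b.barracudacentral.org", r"127\.0\.0\.2", 4.5),
    ("RCVD_IN_DNSWL_MED", "list.dnswl.org", r"127\.0\.\d+\.2", -4.0),
    ("RCVD_IN_DNSWL_HI", "list.dnswl.org", r"127\.0\.\d+\.3", -5.0),
]


def dnsbl_query_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, then the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnswl_trust(answer):
    """Decode a dnswl.org A record 127.0.<category>.<trust> to the suffix
    SpamAssassin's RCVD_IN_DNSWL_* rules use (0 NONE, 1 LOW, 2 MED, 3 HI)."""
    m = re.fullmatch(r"127\.0\.\d+\.([0-3])", answer)
    return {"0": "NONE", "1": "LOW", "2": "MED", "3": "HI"}[m.group(1)] if m else None


def parse_local_cf(text):
    """Collect 'score RULE value' overrides from a local.cf fragment."""
    scores = {}
    for line in text.splitlines():
        m = re.match(r"\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$", line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return scores


def evaluate(ip, resolve=FAKE_DNS.get, overrides=None):
    """Return ({rule: score}, total) for a connecting IP. 'resolve' maps a
    query name to its A records; 'overrides' are local.cf score lines."""
    overrides = overrides or {}
    hits = {}
    for rule, zone, pattern, score in RULES:
        answers = resolve(dnsbl_query_name(ip, zone)) or []
        if any(re.fullmatch(pattern, a) for a in answers):
            hits[rule] = overrides.get(rule, score)
    return hits, round(sum(hits.values()), 1)


# The local.cf lines suggested in the thread.
LOCAL_CF = """
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0
"""

if __name__ == "__main__":
    print("default scores:", evaluate("59.94.13.26"))
    print("with local.cf :", evaluate("59.94.13.26", overrides=parse_local_cf(LOCAL_CF)))
```

The resolver-blocking behaviour described in the thread (a list returning "clear" to Google's resolvers) cannot be reproduced offline; swap `resolve` for a real DNS lookup to see it.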
Documentation for: bayes_auto_learn ?
I can't seem to find any documentation on bayes_auto_learn, in particular how it works / where it creates the db / how it sources spam/ham. Is there a link anyone knows of that gives some detail on it?
Re: STOX_REPLY_TYPE_WITHOUT_QUOTES
On Fri, 2012-04-27 at 18:41 +0100, RW wrote: On Fri, 27 Apr 2012 14:28:21 +0100 corpus.defero wrote: I'm seeing this rule: STOX_REPLY_TYPE_WITHOUT_QUOTES catching on legitimate mail. It's a meta rule and right enough it catches this line:
Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original
AND does NOT match either:
__HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
or
rawbody __HS_QUOTE /^
SCORING.
0.2 STOX_REPLY_TYPE STOX_REPLY_TYPE
1.9 STOX_REPLY_TYPE_WITHOUT_QUOTES STOX_REPLY_TYPE_WITHOUT_QUOTES
As legitimate mail, it's picking up just over 2 points for this - and I'm wondering what the sender is possibly doing wrong here?

I think the intention is to look for spam where the headers say it's a reply, but it doesn't look like a reply. reply-type seems to be made-up by Microsoft so the rule is looking for spoofed headers. The problem is that, from a quick search through this list, reply-type doesn't seem to be specific to replies.

It was a false positive for me too. I'm wondering if the sender used the 'reply to' button in error, cleared the content, and then put fresh content in?
STOX_REPLY_TYPE_WITHOUT_QUOTES
I'm seeing this rule: STOX_REPLY_TYPE_WITHOUT_QUOTES catching on legitimate mail. It's a meta rule and right enough it catches this line:
Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original
AND does NOT match either:
__HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
or
rawbody __HS_QUOTE /^
SCORING.
0.2 STOX_REPLY_TYPE STOX_REPLY_TYPE
1.9 STOX_REPLY_TYPE_WITHOUT_QUOTES STOX_REPLY_TYPE_WITHOUT_QUOTES
As legitimate mail, it's picking up just over 2 points for this - and I'm wondering what the sender is possibly doing wrong here?
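An added emulation of the meta rule discussed in this thread and the reply above (not SpamAssassin's code): STOX_REPLY_TYPE fires on a reply-type parameter in Content-Type, and the _WITHOUT_QUOTES meta fires when neither a Re:/Fw: subject nor a quoted body line is present, which is exactly the 2.1-point false positive the poster saw. The __HS_QUOTE pattern on the page is truncated, so the assumption here is that a quoted line starts with '>'; the messages are constructed.

```python
import re
from email import message_from_string

# Scores quoted in the thread.
SCORES = {"STOX_REPLY_TYPE": 0.2, "STOX_REPLY_TYPE_WITHOUT_QUOTES": 1.9}

# __HS_SUBJ_RE_FW as shown in the thread.
SUBJ_RE_FW = re.compile(r"^(?i:re|fw):")
# Assumption: the page's __HS_QUOTE pattern is cut off, so a quoted raw-body
# line is taken here to be one beginning with '>'.
QUOTE_LINE = re.compile(r"^\s*>", re.M)


def stox_hits(raw):
    """Emulate the meta rule: STOX_REPLY_TYPE when Content-Type carries a
    reply-type parameter; STOX_REPLY_TYPE_WITHOUT_QUOTES on top of that when
    neither the Subject nor the raw body looks like a reply."""
    headers, _, rawbody = raw.partition("\n\n")
    msg = message_from_string(headers + "\n\n")
    hits = {}
    if re.search(r"\breply-type=", msg.get("Content-Type", ""), re.I):
        hits["STOX_REPLY_TYPE"] = SCORES["STOX_REPLY_TYPE"]
        looks_like_reply = (SUBJ_RE_FW.search(msg.get("Subject", ""))
                            or QUOTE_LINE.search(rawbody))
        if not looks_like_reply:
            hits["STOX_REPLY_TYPE_WITHOUT_QUOTES"] = SCORES["STOX_REPLY_TYPE_WITHOUT_QUOTES"]
    return hits


def stox_score(raw):
    """Total contribution of the two rules, rounded like SA's report."""
    return round(sum(stox_hits(raw).values()), 1)


# Constructed message reproducing the false positive: a fresh mail whose
# client still emitted reply-type=original (folded onto a second line).
FALSE_POSITIVE = """\
From: sender@example.com
To: you@example.com
Subject: Invoice for April
Content-Type: text/plain; format=flowed; charset=iso-8859-1;
\treply-type=original

Please find the April invoice attached.
"""
# Variants: a genuine reply by subject, a genuine reply by quoting, and a
# mail without the reply-type parameter at all.
REAL_REPLY = FALSE_POSITIVE.replace("Subject: Invoice for April",
                                    "Subject: Re: Invoice for April")
QUOTING_REPLY = FALSE_POSITIVE + "\n> Could you resend the invoice?\n"
PLAIN = FALSE_POSITIVE.replace(";\n\treply-type=original", "")

if __name__ == "__main__":
    for name, raw in [("false positive", FALSE_POSITIVE), ("Re: subject", REAL_REPLY),
                      ("quoted body", QUOTING_REPLY), ("no reply-type", PLAIN)]:
        print(f"{name:14s} {stox_score(raw):4.1f} {stox_hits(raw)}")
```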
Re: Invalid Date: header (not RFC 2822)
On Tue, 2012-04-10 at 15:11 +0100, corpus.defero wrote: Good afternoon, I have this hit:
0.4 INVALID_DATE Invalid Date: header (not RFC 2822)
Catching on:
Date: Tue, 10 Apr 12 11:36:40 +0200
Which in turn is produced by this line of PHP code:
$headers .= "Date: ".date(DATE_RFC822)."\n";
Unless I've gone mad, the issue is the year being 2 digits, is that correct?

Ignore me.
$headers .= "Date: ".date(DATE_RFC822)."\n";
!=
$headers .= "Date: ".date(DATE_RFC2822)."\n";
Derrr, what's the matter with me..
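An added example (not from the thread) of why the two constants differ in practice: a strict RFC 2822 check rejects the two-digit year that DATE_RFC822 produces, while a lenient parser such as Python's still reads it as 2012, which is why the sender never noticed. The date and regex are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Strict RFC 2822 date-time without the obsolete forms: optional day name,
# day, month, FOUR-digit year, time, numeric zone.
RFC2822_DATE = re.compile(
    r"^(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+)?"
    r"\d{1,2}\s+(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+"
    r"\d{4}\s+\d{2}:\d{2}(?::\d{2})?\s+[+-]\d{4}$"
)

# The value quoted in the thread, as emitted by date(DATE_RFC822).
BAD_DATE = "Tue, 10 Apr 12 11:36:40 +0200"
# Constructed timestamp matching it, with the +0200 zone.
EXAMPLE_DT = datetime(2012, 4, 10, 11, 36, 40, tzinfo=timezone(timedelta(hours=2)))


def is_rfc2822_date(value):
    """True only for a Date: value a strict checker accepts; a two-digit
    year (obsolete syntax) fails here, as it does for INVALID_DATE."""
    return RFC2822_DATE.match(value.strip()) is not None


def lenient_year(value):
    """What a forgiving client does: the obsolete two-digit year is still
    parsed (RFC 2822 says 00-49 map to 20xx), so the mail looks fine."""
    return parsedate_to_datetime(value).year


def date_header(dt):
    """Generate the header the way date(DATE_RFC2822) would: four-digit year."""
    return format_datetime(dt)


if __name__ == "__main__":
    print(BAD_DATE, "strict:", is_rfc2822_date(BAD_DATE), "year:", lenient_year(BAD_DATE))
    print(date_header(EXAMPLE_DT), "strict:", is_rfc2822_date(date_header(EXAMPLE_DT)))
```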
Re: Comment - GFI/SORBS
On Tue, 2010-12-14 at 16:58 +, Nigel Frankcom wrote: Hi All, Is sorbs going to be continued as a scoring option in SA? Having hit yet more problems with them I've zeroed their scoring. ... I hope so. I find SORBS wonderful in dealing with those troublesome mailers that have managed to by passage from the likes of $pamhau$$ and Barracuda myself. That said, I'd like to see the total removal of rules that favour that haven of transactional spammers - Return Path.
Re: Comment - GFI/SORBS
Ultimately, this seems to be more of a witch hunt against SORBS than a SA issue. Although I'm not opposed to a SORBS witch hunt, I don't think it belongs here. Indeed, and it's Lynford and his money grabbing cronies mostly behind it - hence it lacks sophistication.
Re: HELO_DYNAMIC false positives on a UK web host
On Thu, 2010-12-09 at 20:18 +, Cedric Knight wrote: I noticed some bad false positives on email sent... Received: from 94.229.160.4.srvlist.ukfast.net (94.229.160.4.srvlist.ukfast.net [94.229.160.4]) ukfast == firewall on site. IME a major source of little more than spam in the UK. Thanks for the extra /20
Re: How do I get delisted from SORBS? [OT]
On Sat, 2010-10-09 at 15:58 +0200, Per Jessen wrote: corpus.defero wrote: On Fri, 2010-10-08 at 20:13 +0200, Per Jessen wrote: corpus.defero wrote: On Thu, 2010-10-07 at 08:56 -1000, Alexandre Chapellon wrote: Indeed no IP should be blacklisted indefinitely... at least without checking regularly. I don't agree. An IP that hops on and off lists should stay ON until the blocklist operator is satisfied that no further abuse will come from it. How does that differ from what Alexandre said? It differs because I am saying they *should* remain listed forever. Actually, as far as I can tell, you said until the blocklist operator is satisfied that no further abuse will come from it which is clearly not forever.

No, in my clarification I have been precise and clear and said: I am saying they *should* remain listed forever. Really, I cannot be any more exact than that. This is all OT for a Spamassassin list. If you want to bitch about blocklists why not do it on SPAM-L or at NANAE?
Re: How do I get delisted from SORBS? [OT]
On Thu, 2010-10-07 at 08:56 -1000, Alexandre Chapellon wrote: on getting delisted at SORBS. At least they give a time window :) Try to know why you're listed at barracuda: This is true pain!

This is not correct. Barracuda offer a 24 hour phone service when you can speak to a real person should you have an issue. Getting delisted is simple but ongoing offenders can simply forget it.

Indeed no IP should be blacklisted indefinitely... at least without checking regularly.

I don't agree. An IP that hops on and off lists should stay ON until the blocklist operator is satisfied that no further abuse will come from it. Hopping on and off as spammers/esp's run around a ring of IP's for a few weeks defeats the point somewhat. As for SORBS, the easy way to get delisted and quit whining about how long it takes, is to *not* get listed in the first place. It's really a case of actions have consequences. Not careful in your output, don't expect any sympathy.
Re: How do I get delisted from SORBS? [OT]
On Fri, 2010-10-08 at 08:19 -1000, Alexandre Chapellon wrote: This is not correct. Barracuda offer a 24 hour phone service when you can speak to a real person should you have an issue. Getting delisted is simple but ongoing offenders can simply forget it. Cool! Calling some Indian call center to get an idea of why one single IP is listed. What a great tool!

Err, it's *not* an Indian call centre. They have a support office in India, but the majority of calls are handled in the USA and UK - and they operate around the clock 'following the sun'. The only time India would handle a call is if (a) something went very wrong (b) you were located in India seeking service in India. Barracuda are *very* good at reputation lists - one of the best for all their other failings. They can easily tell you the extent of your spamming and support it with evidence. If you've got listed at Barracuda *YOU HAVE SENT SPAM* so quit bleating.

Barracuda was listing more than 8000 of my IPs. Those IPs were listed years ago and never unlisted. Port 25 was blocked for months for these subnets and Barracuda explicitly refused to do bulk removal ... because it was too much work for them... We had to hire someone to manually delist filling their form (with captcha). Now manual delisting is over for weeks and *none* of the delisted IPs has been listed again... Yes I am a bit angry against barracuda issue handling :).

Don't spam then. Simple. I think you've mistaken me for someone that gives a damn.
Re: How do I get delisted from SORBS? [OT]
On Fri, 2010-10-08 at 20:13 +0200, Per Jessen wrote: corpus.defero wrote: On Thu, 2010-10-07 at 08:56 -1000, Alexandre Chapellon wrote: Indeed no IP should be blacklisted undefinitely... at least without checking regularily. I don't agree. An IP that hops on and off lists should stay ON until the blocklist operator is satisfied that no further abuse will come from it. How does that differ from what Alexandre said? It differs because I am saying they *should* remain listed forever. Personally if I were running the show I'd seek a large deposit to remove an IP and any repeat would result in the loss of that deposit with no further chance to remove the IP until it was clearly and demonstrably reassigned. Hopefully my take on it, and how it differs is now clear for you. Warm regards
Re: How the hell barracuda behaves?
On Wed, 2010-08-18 at 06:36 -0400, Michael Scheidell wrote: On 8/17/10 7:30 PM, Alexandre Chapellon wrote: Hi the list, I am posting the results of my tests in order to have feedback/feelings/remarks. This is not directly spamassassin related, but can be helpful for people (I saw here) wondering if they would use the barracuda DNSBL. When other well known DNSBL (I have always heard spamhaus sbl and xbl are trustworthy) list at most 50 entries, barracuda lists almost 8000.

They list spammers based on trend and feedback from their appliance users. Personally I find it very accurate and it hits out rubbish that other lists seem to inexplicably (£$£$£$) miss.

Third reason is 'emailreg.org'.

Totally agree - the owners of Barracuda appliances are unable to disable the 'emailreg.org' whitelist without calling support which, in my view, makes it a bypass or 'pay to spam barracuda owners'. That said, compared to their internal whitelist (which has some really interesting clients on it) emailreg.org is small fry. Barracuda - not white hat, not black hat, but kinda pinky grey hat.
Re: Is there a way to block invalid non delivery notifications?
On Wed, 2010-06-30 at 02:02 -0700, Daniel Lemke wrote: For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes. Most of them look very similar, containing Cyrillic charset and .ru addresses. Are there any special rules that are able to identify this kind of spam? As our company is small sized, we use a site wide Bayes which scores these mails negative (I’m not really sure, but I guess it does because sometimes we send a newsletter to a couple of customers, so receiving a (“real”) ndr from time to time is nothing special. I don’t know how to convert ndr to plain text so I paste one of those failure notices: http://pastebin.com/X9ewhwG4 Daniel

BATV (if your MTA supports it) - overview http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation
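An added illustration of the BATV suggestion above (this is example code, not from the thread or any MTA): outgoing envelope senders are rewritten to a signed, expiring prvs= address, and at RCPT TO time a null-sender bounce is accepted only if it is addressed to a tag we actually issued, so backscatter for mail we never sent is refused. Assumptions, since BATV's draft leaves them to the implementer: one signing key (key id 0), the expiry field is the expiry day's ordinal mod 1000, and the 6-hex-char signature is an HMAC-SHA1 over key id, expiry and the original address.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Assumptions (see lead-in): single key with id 0, DDD = expiry day ordinal
# mod 1000, signature = first 6 hex chars of HMAC-SHA1(key, K + DDD + address).
SECRET = b"constructed-example-key"      # constructed; keep real keys out of code
KEY_ID = "0"
MAX_LIFETIME_DAYS = 30                    # refuse tags claiming a longer life
PRVS = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)

# Constructed dates for the demo.
ISSUED = date(2012, 6, 30)


def shift(day, days):
    """Helper: day + days, so callers need no datetime import."""
    return day + timedelta(days=days)


def _signature(key_id, ddd, original):
    mac = hmac.new(SECRET, f"{key_id}{ddd}{original}".encode(), hashlib.sha1)
    return mac.hexdigest()[:6]


def tag_sender(original, today, lifetime_days=7):
    """Rewrite the envelope sender as prvs=KDDDSSSSSS=localpart@domain so any
    bounce comes back to an address that proves we sent the original."""
    local, domain = original.split("@")
    ddd = f"{shift(today, lifetime_days).toordinal() % 1000:03d}"
    return f"prvs={KEY_ID}{ddd}{_signature(KEY_ID, ddd, original)}={local}@{domain}"


def accept_bounce(rcpt, today):
    """Decision for a MAIL FROM:<> message at RCPT TO: accept only a tag we
    signed that has not expired. An untagged recipient means we never sent
    the message being bounced, so it is backscatter."""
    m = PRVS.match(rcpt)
    if not m:
        return False
    key_id, ddd, sig, original = m.groups()
    if key_id != KEY_ID:
        return False
    if not hmac.compare_digest(sig.lower(), _signature(key_id, ddd, original)):
        return False
    # Only the low three digits of the expiry day are in the tag, so compare
    # modulo 1000: a tag that expired yesterday wraps to 999 days "left".
    days_left = (int(ddd) - (today.toordinal() % 1000)) % 1000
    return days_left <= MAX_LIFETIME_DAYS


def tamper(tagged):
    """Flip the first signature character (for the demo only)."""
    c = tagged[9]
    return tagged[:9] + ("0" if c != "0" else "1") + tagged[10:]


if __name__ == "__main__":
    t = tag_sender("newsletter@example.com", ISSUED)
    print(t)
    print("bounce 2 days later :", accept_bounce(t, shift(ISSUED, 2)))
    print("bounce 8 days later :", accept_bounce(t, shift(ISSUED, 8)))
    print("bounce, untagged    :", accept_bounce("newsletter@example.com", ISSUED))
    print("bounce, forged sig  :", accept_bounce(tamper(t), ISSUED))
```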
Re: Should Spamhaus default to disabled?
On Fri, 11 Jun 2010 10:42:31 -0400 (EDT) Andy Dills a...@xecu.net wrote: I think the maintainers of SA should strongly consider defaulting Spamhaus to off. At the very least, it should be better documented how to entire disable Spamhaus queries. I think the maintainers of SA should strongly consider turning the Return Path accreditations rules to off by default, but it ain't gonna happen ;-)
Re: Spamassasin as a gateway filter for Exchange
On Wed, 2010-05-19 at 17:37 -0500, Andy Dorman wrote: On 05/19/2010 04:26 PM, Karsten wrote: On Wed, 2010-05-19 at 23:13 +0200, Mikael Syska wrote: Not to highjack the thread, but there are also other things to consider. I have no idea how on Postfix, but this could help you too Scott Lavoie. If there are multiple exchange backends for postfix/spamassassin gateway ... how could one validate that users exists, given that you only have a list of valid users for some of the exchange servers and the mailahead/milterahead/smtp are not an option? Don't think you're hijacking the thread -- you just stated exactly, what I mentioned in my previous post. The only real problem, validating recipients at the front MX, based on the data in the backend Exchange servers. Everything else is not a problem, even though managing a Linux server might seem to be one from the point of view of a Windows admin... ;) Aside from the spam, keeping track of the valid addresses has been one of our (AnteSpam) biggest challenges over the past 8 years. The solution that has worked best for us has been to maintain a separate list of valid addresses for postfix to use. But coming from a db background, it has annoyed us no end that we have to maintain a duplicate of another db. ;-) We develop the valid address list by using a short (and very fast) perl smtp test that checks the destination server's response to RCPT for the new address. We run this test when email comes in for every new/unknown address (and we track the failures in a simple key-value high speed db so we do not continuously hammer the poor destination servers with queries for the same bad address used yesterday or earlier). Exchange servers have been our biggest headache with doing this however cause many take eons to respond. And when your filtering server is trying to handle a LOT of incoming junk emails per second, you just can not wait for Exchange to get around to answering you.
So for most Exchange servers we either require they manage their address list manually OR, if they insist on AnteSpam automatically adding new addresses, we send what we call a ping email with a special reply-to address so when the Exchange server gets around to sending us the NDR, we can mark that address as bogus and move on. As you can see from this long-winded but simplified explanation, this has not been easy to do. Honestly, I am NOT an Exchange expert...but I swear it had to be a design goal for some of these servers to take 15 or 30 minutes (or longer) to send the NDR. And when you are supporting a domain that is being flooded with thousands of emails to bogus addresses per hour, it gets kinda tedious holding the mail and addresses in limbo long enough to give the Exchange server time to respond (or not) so you know what to do with the email. Honestly, for a simple solution the best thing is to manually keep a list of valid addresses for Postfix (or whatever MTA you use). It adds a little support load until you train the domain admin to add new addresses twice, once in Exchange and once for the filter. But the option of building the valid address list automatically is NOT for the faint of heart. Or I suppose it is possible for Exchange and Postfix/your MTA to share a db of valid addresses? I know Postfix is very flexible in that regard. No clue about Exchange. Good luck.

You can use Postfix's probing (or Exim's callout) to query the Exchange 'server' provided it is set up to reject invalid recipients. As pointed out if this is not done Exchange will happily take any old rubbish and bounce it some time later. Alternatively have the MTA make an LDAP callout to AD. Exchange is basically an AD schema extension so it's reasonably easy to do - but network chatter is a PITA. To solve that annoying Exchange 'I take any mail dot com...' issue:

To enable valid recipients only:
1) Expand ESM, Message Delivery.
2) Right click on Message Delivery and choose Properties.
3) Click on the tab Recipient Filtering.
4) Enable the option Filter Recipients who are not in the directory.

You then need to enable the Recipient Filter on the SMTP Server:
1) Still in ESM, Expand Admin Groups, , Server, , Protocols, SMTP.
2) Right click on SMTP Virtual Server and choose Properties.
3) Click on Advanced next to the IP address on the first tab.
4) With the IP address selected, choose Edit.
5) Enable Apply Recipient Filter.
6) Click Apply/OK until clear.
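An added example (not AnteSpam's perl test, nor Postfix or Exchange code) of the recipient-validation approach the two replies above describe: the front MX probes the backend with MAIL FROM:<> / RCPT TO and caches the verdict so the same bad address is not re-queried on every delivery attempt. A constructed stand-in backend shows why the Exchange setting matters: with recipient filtering off it accepts every address and the probe learns nothing. `smtp_probe` is the live variant for a real backend and is not exercised offline.

```python
import smtplib
import time

TEMPFAIL = "tempfail@example.com"   # constructed address the fake backend defers


class RecipientVerifier:
    """Validate RCPT TO addresses at the front MX by probing the backend and
    caching the verdict, so a bad address seen yesterday does not trigger a
    fresh probe today."""

    def __init__(self, probe, negative_ttl=86400, positive_ttl=3600):
        self.probe = probe                  # callable(address) -> (smtp_code, text)
        self.negative_ttl = negative_ttl
        self.positive_ttl = positive_ttl
        self.cache = {}                     # address -> (verdict, expires_at)

    def is_valid(self, address, now=None):
        """True/False for a definitive backend answer; None for a temporary
        failure, which is not cached (the caller should 4xx and let the
        sender retry rather than guess)."""
        now = time.time() if now is None else now
        cached = self.cache.get(address)
        if cached and cached[1] > now:
            return cached[0]
        code, _ = self.probe(address)
        if 200 <= code < 300:
            self.cache[address] = (True, now + self.positive_ttl)
            return True
        if code >= 500:
            self.cache[address] = (False, now + self.negative_ttl)
            return False
        return None


def smtp_probe(host, address, port=25, timeout=10):
    """Live probe against a real backend (not run offline): EHLO, empty
    sender, RCPT TO, then RSET so nothing is ever delivered."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        s.mail("")                          # MAIL FROM:<>
        code, text = s.rcpt(address)
        s.rset()
        return code, text.decode(errors="replace")


def fake_exchange(known, recipient_filtering):
    """Constructed stand-in for the backend. With recipient filtering off it
    accepts everything at RCPT time and would bounce later (the behaviour
    complained about above); with it on, unknown users get a 550."""
    calls = []

    def probe(address):
        calls.append(address)
        if address in known or not recipient_filtering:
            return 250, "2.1.5 Recipient OK"
        if address == TEMPFAIL:
            return 451, "4.7.1 Try again later"
        return 550, "5.1.1 User unknown"

    return probe, calls


if __name__ == "__main__":
    probe, calls = fake_exchange({"bob@example.com"}, recipient_filtering=True)
    v = RecipientVerifier(probe)
    for addr in ["bob@example.com", "nobody@example.com", "nobody@example.com", TEMPFAIL]:
        print(f"{addr:22s} -> {v.is_valid(addr)}")
    print("backend probed", len(calls), "times for 4 lookups")
```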
Re: [OT] was SORBS
On Fri, 2010-04-30 at 11:46 +0100, n.frank...@gmail.com wrote: Here's the chuckle Mail transport error, MTSPro SMTP Relay Agent could not deliver the following message for users@spamassassin.apache.org. Reason: 550 Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?217.36.54.209

And has it taken you all that time to get BT to add this to their whois:
descr: Single Static IP Addresses
Man, that is quality service. I take it you've spoken with
phone: +44 207 777 7766
fax-no: +44 1524 34523
e-mail: steve.r.wri...@bt.com
e-mail: ab...@bt.net
remarks: trouble: 1st Line Support
remarks: Please send delisting issues to btnet...@bt.net
... and they have actually spoken with SORBS? The old bucket still holds water. It is your ISP that needs to resolve this - as a customer you can do nothing. Really they should have dealt with this a long time ago. I've lost track of it, is this two weeks later now? Really - you should sack your ISP and go to someone competent. You may fare better taking this to the SPAM-L mailing list where you may find someone that actually cares. Here you will only get generic opinion and nothing tangible to help. Spam-l mailing list - http://spam-l.com/mailman/listinfo/spam-l
Re: [OT] was SORBS
On Fri, 2010-04-30 at 08:43 -0400, Lee Dilkie wrote: On 4/30/2010 7:43 AM, corpus.defero wrote: On Fri, 2010-04-30 at 11:46 +0100, n.frank...@gmail.com wrote: Here's the chuckle Mail transport error, MTSPro SMTP Relay Agent could not deliver the following message for users@spamassassin.apache.org. Reason: 550 Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?217.36.54.209 The old bucket still holds water. It is your ISP that needs to resolve this - as a customer you can do nothing. Really they should have dealt with this a long time ago. I've lost track of it, is this two weeks later now? Really - you should sack your ISP and go to someone competent. First, I'd like to point out that not everyone has the option of changing ISP's. Believe it or not, there are many folks who have only one choice for high-speed internet access (myself included). Second. The fact that a mail server rejects, outright, based on something so false-positivity as a db for dynamic ip's is irresponsible on the part of the admin. Sure, add some spammy points and do a scan but an outright rejection? -lee

Without wishing to come across rude. I accept your points as they are, in part, valid. But;
1. In this case the OP has a choice and has elected to trust a notoriously awful former state owned ISP to deal with it.
2. No mail server rejects based on SORBS. It is rejected where admins choose to implement SORBS at an SMTP level. Doing so they are usually well aware of the caveats of using SORBS.
3. This is all irrelevant to the Spamassassin list. Like I say there may be some opinion here, there may be mixed advice here, but there is no resolution or listening ear here. Michelle 'listens' to NANAE and SPAM-L last time I checked, but again it's an issue for BT to deal with. The fact the OP has to go around chasing this is a clear indication of failure of his ISP. It's blunt, but it's really that simple.
Re: [OT] was SORBS
On Fri, 2010-04-30 at 10:10 -0500, Daniel McDonald wrote: On 4/30/10 8:22 AM, Martin Gregorie mar...@gregorie.org wrote: On Fri, 2010-04-30 at 08:43 -0400, Lee Dilkie wrote: First, I'd like to point out that not everyone has the option of changing ISP's. Believe it or not, there are many folks who have only one choice for high-speed internet access (myself included). However, that doesn't apply to the OP, who is using British Telecom as his ISP. My broadband connection goes through the local BT exchange and copper after that, but BT has never been my ISP. I initially used Demon as my ISP, switching to my current ISP (who subcontract broadband connectivity to a third party, *not* BT) when I discovered that Demon didn't offer a suitable package that included domain registration. The OP can do exactly what I did. Out of pure curiosity, what is there about the broadband set-up in your locality that could prevent you from doing something similar? Are both your broadband provider and your ISP monopolies? For me, it was the case the last time I renegotiated my contract for my business-class broadband at home. Short of bringing in a T1 at $600-$1000/month, I had exactly one choice for a provider that would provide me with a static /29 and a SWIP record - the monopoly cable provider. In another year or so I'll see if the monopoly POTS provider can provide the service I need - they promise the moon in their advertisements but balk really fast when you start to ask specific, tangible questions. I have a number of friends who concur that the US small-business broadband scene is seriously poor so I feel your pain. I can remember the hassle one guy had trying to get a static IP out of Warners. They wanted to up his subscription by a factor of three. In the UK we are really lucky in most cases that we can pick and choose good providers and change fairly easily without it costing an arm and a leg.
Re: [OT] was SORBS
On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote: We're on a BT only exchange here so it's them or nothing, well not quite, I could go CoLo... hmmm maybe not, or satellite, I was involved in setting that up in Cyprus. Nigel Is there such a thing? I appreciate many are not unbundled, but the BTW agreement means you should have no problems getting a wires-only with someone like Zen, IDNET or Newnet. Believe me, the service just pee's over BT.
Re: [OT] was SORBS
On Fri, 2010-04-30 at 17:19 +0100, Nigel Frankcom wrote: On Fri, 30 Apr 2010 16:59:57 +0100, corpus.defero corpus.def...@idnet.com wrote: On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote: We're on a BT only exchange here so it's them or nothing, well not quite, I could go CoLo... hmmm maybe not, or satellite, I was involved in setting that up in Cyprus. Nigel Is there such a thing? I appreciate many are not unbundled, but the BTW agreement means you should have no problems getting a wires-only with someone like Zen, IDNET or Newnet. Believe me, the service just pee's over BT. Fair point. I live in a small village right on the end of a spur. After being burgled at my town offices I moved the whole damned shebang home and now run it from my own server room.

There is nothing wrong with that - it makes good environmental sense as well as security sense.

BT may not be the best, but they (or rather OpenReach) own the lines, exchange and pretty much all else... plus they have helped.

Having spent 16 years with them I know the ins and outs. Openreach were not allowed to show any favouritism to BT customers and went out of their way for 'other licensed operators'. Many BT folk of X years service found the notion of Openreach rather unpalatable and went out of their way to be awkward to native BT customers. I'm not sure if that attitude subset still exists but there really was an attitude towards all things BT. But good on you for sticking with them.

If I go through a third party I end up with at least one more level of 'have you re-booted your router' etc.

That depends on who you go with. People like Zen, IDNET, aaisp, Newnet are actually much better than BT at dealing with issues - and usually much more knowledgeable. This SORBS issue would not even be an issue with them as they had the brains to sort out their space - rather than just try and cluelessly blindmug sell it to SOHOs.

Bottom line, I'd rather solve a problem than work round it. As it happens I have a second IP off the range that I could have used, but that would have meant a lot of DNS work etc (and DNS and I are not good friends).

I admire the spirit and good luck with it. If the Lib Dems win the election they may find a hole in their mad ideas to offer treatment for those with delusional misguided belief in BT syndrome. (DMBBT).

IMHO solving is better than blaming. My original post was a request for advice and help. I got a lot of both... plus a lot of opinion.

You knew that would happen. Being a BT customer is nearly as bad as being a spammer {joke} have a good weekend.

Kind regards Nigel
Re: [OT] was SORBS
On Fri, 2010-04-30 at 21:09 +0200, Per Jessen wrote: corpus.defero wrote: 2. No mail server rejects based on SORBS. It rejected where admins choose to implement SORBS at an SMTP level. Same thing. /Per Jessen, Zürich Key point is the admin has made a choice and is aware of that. On the other hand they may be using SORBS in SA as part of a score shifter - nothing more. The OP can ask the recipient to whitelist his IP if he has a trading relationship with them. If not, then chances are his mail is unsolicited regardless of his SORBS listing. It's just a point of view - nothing more.
Re: Filtering zip spam
On Tue, 2010-04-27 at 02:16 -0400, Alex wrote: Hi, Here's an example: http://pastebin.com/h9JwTQ9T The score is very low. Does someone have an idea of other characteristics that I can flag on? Hits for me on this: Sanesecurity.Junk.22048.UNOFFICIAL FOUND Ah, very good. I think that might be what I'm missing. How are you implementing this? From here? http://www.sanesecurity.co.uk/download_scripts_linux.htm Or are you using the clamav SA plug-in?

Using clamav-milter ahead of SA with Postfix with SANE but any implementation that uses clam/sane will do the same.

I'm using amavisd with clam-0.96 and sa-3.2.5.
9.0 RELAYCOUNTRY_FR Relayed through France
5.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
I wish I could use scores like that :-) Might as well just block all of \.fr at smtp time for that matter :-) Poor France :(

I mostly do... au revoir Le France

Thanks, Alex
Re: Filtering zip spam
On Tue, 2010-04-27 at 11:08 -0400, Alex wrote: Hi, Might as well just block all of \.fr at smtp time for that matter :-) Poor France :( I mostly do... au revoir Le France Somewhat off-topic, but in the interest of increasing awareness, India reportedly ranks first: http://www.dnaindia.com/mumbai/report_india-ranks-first-in-sending-spam-mails_1374118 Regards, Alex Not in my logs it doesn't ;-) but each user and server has different experiences.
Re: Filtering zip spam
On Mon, 2010-04-26 at 20:37 -0400, Alex wrote: Hi, I'm seeing an increase in zip attachment spam, and hoped someone could help me figure out why it isn't being properly tagged. Are others seeing this? Is BAYES_99 being triggered or is it lower? Here's an example: http://pastebin.com/h9JwTQ9T The score is very low. Does someone have an idea of other characteristics that I can flag on? Thanks! Alex

Hits for me on this: Sanesecurity.Junk.22048.UNOFFICIAL FOUND But how long that has bitten it I can't say. Other than that it's not doing well:
pts rule name description
-- --
9.0 RELAYCOUNTRY_FR Relayed through France
5.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?80.14.188.63]
Re: UCEPROTECT
On Thu, 2010-04-22 at 13:53 +0100, n.frank...@gmail.com wrote: Hi All, For reference the SORBS issue is still ongoing, my ISP (BT) is working hard to resolve it. I mentioned in one of my posts how UC (UCEPROTECT) were also an issue. They seem to have taken entire netblocks and are demanding 20 Euros per year to remove individual IP's. Does anyone have any information about this and in particular any law enforcement involvement since this smacks of extortion to me. TIA Nigel

Uceprotect has some strange listing policies that have been questioned numerous times. But the crux of it is this, the people who use UCEProtect are well aware of it - and it's not widely used. Personally it's one of those lists I don't trust to block at an SMTP level, but will include a score shifter on a hit. Listen Nigel, your main issue here is not SORBS or UCEProtect, but your ISP. BT are - quite simply - pants. They are tardy, lazy and poor at dealing with issues like this. If you don't want this hassle change providers - or put up with the fallout that comes from using BT. Honestly, it's probably the best advice you'll ever get. It's a few days down the road since you came here and mentioned this issue and your provider has still not dealt with it. That would be 'MAC CODE - GOODBYE' in my book.
Re: SORBS
On Tue, 2010-04-20 at 14:04 +0100, Nigel Frankcom wrote: Hi All, Am I the only one incapable of figuring out the SORBS interface? I'm told by various mailservers that sorbs is blocking me (including this list hence mailing from my gmail account). When I log on to sorbs, give my details I get a nice email back saying:
$Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $
I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue. You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise. I'm glad to report that the IP space will be submitted for delisting from the DUHL. Best regards. SORBS
It's now Day 6. and I'm still listed. If anyone has any ideas - please let me know? Kind regards Nigel

Since when did the Spamassassin list become a place for people to bitch about SORBS ;-) The link is clear enough - get delisted/support here it is in case you can't see it amongst all that clutter: http://www.au.sorbs.net/cgi-bin/support
RE: SORBS
On Tue, 2010-04-20 at 11:34 -0700, R-Elists wrote:

Having full rDNS isn't the issue. What probably happened was something like this:

1) Your ISP reported their dynamic addresses to SORBS, or SORBS inferred them via various means.
2) SORBS listed those addresses in DUL.
3) Your ISP ran low on static addresses, and allocated to you one of the addresses that was formerly a dynamic address.
4) Your ISP did NOT inform SORBS of the change, or SORBS's mechanisms for inference didn't pick up the change (or they don't bother to try to detect such changes).
5) You're in the DUL even though you think you shouldn't be, because you're on a static IP.

What you need to do is force #4 to get fixed. rDNS is a helpful part of the bigger picture, but has nothing to do with the above 5 steps/events.

John, good info. Thing is, let the ISP deal with it all; it isn't Nigel's problem, he isn't the ISP. Nigel, switch to different clean IP space with your ISP and be done with it in 5 minutes. You are the client, get your fix and move on - rh

That's the best suggestion so far, but you'll have to take care of MX/PTR records et al. These are 'clean' on SORBS:

inetnum: 81.149.200.0 - 81.149.207.255
remarks: ***
remarks: * Please send abuse reports to ab...@btopenworld.com *
remarks: ***
remarks: * USED FOR CUSTOMERS WITH SINGLE STATIC IP ADDRESSES *
remarks: ***
netname: BT-ADSL
descr: Single Static IP Addresses
CLAMAV 0.95 to be disabled
Appreciate that this is an SA list, but it tends to share a userbase with ClamAV. Apologies if mentioned, but potentially this could mean carnage for users of Clam who have not updated in a while: http://lurker.clamav.net/message/20100407.141109.2a7c287b.en.html

Dear ClamAV users, this is a reminder that starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year. We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV. For more information please refer to the original announcement: http://lists.clamav.net/lurker/message/20091006.143601.d27bbd20.en.html

Hope that this spares someone some blushes next week :-)
Re: CLAMAV 0.95 to be disabled
On Fri, 2010-04-09 at 08:47 +0100, corpus.defero wrote:

Appreciate that this is an SA list, but it tends to share a userbase with ClamAV. Apologies if mentioned, but potentially this could mean carnage for users of Clam who have not updated in a while: http://lurker.clamav.net/message/20100407.141109.2a7c287b.en.html

Dear ClamAV users, this is a reminder that starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year. We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV. For more information please refer to the original announcement: http://lists.clamav.net/lurker/message/20091006.143601.d27bbd20.en.html

Hope that this spares someone some blushes next week :-)

To follow that up - another good reason to update (not sure if this is just an Ubuntu issue or has implications in Debian + others):

===
Ubuntu Security Notice USN-926-1
April 08, 2010
clamav vulnerabilities
CVE-2010-0098
===

A security issue affects the following Ubuntu releases: Ubuntu 8.10, Ubuntu 9.04, Ubuntu 9.10. This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.10: libclamav6 0.95.3+dfsg-1ubuntu0.09.04~intrepid3
Ubuntu 9.04: libclamav6 0.95.3+dfsg-1ubuntu0.09.04.1
Ubuntu 9.10: libclamav6 0.95.3+dfsg-1ubuntu0.09.10.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow: It was discovered that ClamAV did not properly verify its input when processing CAB files. A remote attacker could send a specially crafted CAB file to evade malware detection. (CVE-2010-0098)

It was discovered that ClamAV did not properly verify its input when processing CAB files. A remote attacker could send a specially crafted CAB file and cause a denial of service via application crash.

Updated packages for Ubuntu 8.10: Source archives:
Re: Blacklists Compared 17 October 2009
On Wed, 2010-04-07 at 11:38 +0100, Ned Slider wrote:

Alex wrote: Hi, Last October Marc posted the following URL that compared the various RBLs: http://www.sdsc.edu/~jeff/spam/cbc.html It seems barracuda is still leading, but is that also everyone's experience? Can anyone provide details on how Jeff computed this information and is it as cut-and-dried as this makes it seem? IOW, barracuda, the free service, is better than all the rest...

As others have noted, FPs are not taken into account so one must consider that. Last year when the barracuda config was first posted to this list, I implemented it on my personal mail server with a very high score so as to trigger automatic quarantines for all mail hitting the list, and have since checked all hits by hand. I currently use zen.spamhaus at the smtp stage to reject spam, so hits against barracuda only comprise those that are missed by zen. I was particularly interested in FPs. During the last year I don't think I've seen a single FP hit against barracuda :surprised: That said, I still haven't found the confidence to implement it at the smtp stage for outright rejection, but the numbers I'm seeing do tend towards telling me the list is of generally high quality.

In reality I make use of Barracuda first at SMTP time, Spamhaus after, and have done so since 2008. I've never seen a FP from Barracuda in that time. I'm no fan of Barracuda - and that is widely documented. However, they are a legal, professional business that is accountable. Spamhaus, on the other hand, are not. Whilst their efforts in blocklisting are laudable and noted, they appear to operate in a somewhat underground manner without any proper base or contact details - not unlike gypsies. Until they become fully legitimate and accountable their business credibility will remain in question. With Barracuda, yes, you know they are selling GPL code, you know that one of them is a former spammer, you know about 'emailreg'. They make no secret of it. You don't, however, know just who is pulling the strings at Spamhaus.

On several occasions in the past I have received obvious and clear spam from the likes of IHM in Nottingham, B2B deals, and uncounted attacks from Emailvision in France, all of which pass through Spamhaus and have you saying 'Why is this?' I have found (and I fully expect another round) that if you bad-mouth or question Spamhaus you are subjected to abuse, port scans, publication of personal data in newsgroups and the like.

As far as the Barracuda list is concerned, I have total confidence in it, and the company that operates it. Given the number of anti-spam appliances they have in the field doing a very good job with it, I would say 'have confidence in it'.
Re: Blacklists Compared 17 October 2009
On Wed, 2010-04-07 at 15:14 +0200, Raymond Dijkxhoorn wrote:

Hi! http://www.sdsc.edu/~jeff/spam/cbc.html It seems barracuda is still leading, but is that also everyone's experience? Can anyone provide details on how Jeff computed this information and is it as cut-and-dried as this makes it seem? IOW, barracuda, the free service, is better than all the rest...

spams him. So the experience of others might vary. There's not a lot of comparisons out there so this gives me some clue. But it doesn't say anything about the quality of the lists as it has APEWS listed highly. If I created a list that blacklisted everything I would be first. Set up a blacklist blocking ANY IP and you are ranked #1 in this test. It's of no use at all IMHO. Bye, Raymond.

They have - it's called 'UCEPROTECT' ..
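Raymond's objection, that a ranking by "spam caught" alone rewards a list that blocks everything, is worth seeing in numbers. The following is an added example, not code from the thread or from the comparison page it discusses: it scores three hypothetical blocklists against a small constructed, hand-labelled corpus of sender IPs, first by raw hit count (the flawed metric) and then by precision and false-positive rate, and shows the "block everything" list winning the first ranking and losing the second. The list names, the IPs (all from RFC 5737 documentation ranges) and the labels are constructed for the demonstration.

```python
"""Why ranking blocklists by hits alone is meaningless.

Added example, not from the mailing-list post or the cbc.html comparison.
All list contents, IPs and spam/ham labels below are constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed labelled corpus: (sender IP, True if the message was spam).
CORPUS: List[Tuple[str, bool]] = [
    ("198.51.100.1", True), ("198.51.100.2", True), ("198.51.100.3", True),
    ("198.51.100.4", True), ("198.51.100.5", True), ("198.51.100.6", True),
    ("203.0.113.10", False), ("203.0.113.11", False),
    ("203.0.113.12", False), ("203.0.113.13", False),
]

# Constructed lists. None means "every IP is listed".
LISTS: Dict[str, Optional[Set[str]]] = {
    "list-a": {"198.51.100.1", "198.51.100.2", "198.51.100.3",
               "198.51.100.4", "198.51.100.5"},                 # 5 spam, 0 ham
    "list-b": {"198.51.100.1", "198.51.100.2", "198.51.100.3",
               "198.51.100.4", "203.0.113.10"},                 # 4 spam, 1 ham
    "block-everything": None,                                   # 6 spam, 4 ham
}


def is_listed(entries: Optional[Set[str]], ip: str) -> bool:
    return True if entries is None else ip in entries


@dataclass
class ListStats:
    tp: int = 0  # spam that was listed (what the hit-count metric counts)
    fp: int = 0  # ham that was listed (what it ignores)
    fn: int = 0  # spam missed
    tn: int = 0  # ham correctly left alone

    @property
    def hits(self) -> int:
        return self.tp + self.fp

    @property
    def catch_rate(self) -> float:
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def fp_rate(self) -> float:
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0

    @property
    def precision(self) -> float:
        return self.tp / self.hits if self.hits else 0.0


def evaluate(corpus: List[Tuple[str, bool]],
             lists: Dict[str, Optional[Set[str]]]) -> Dict[str, ListStats]:
    """Confusion-matrix counts for every list over the labelled corpus."""
    stats = {name: ListStats() for name in lists}
    for ip, is_spam in corpus:
        for name, entries in lists.items():
            listed = is_listed(entries, ip)
            s = stats[name]
            if listed and is_spam:
                s.tp += 1
            elif listed:
                s.fp += 1
            elif is_spam:
                s.fn += 1
            else:
                s.tn += 1
    return stats


def rank_by_hits(stats: Dict[str, ListStats]) -> List[str]:
    """The flawed ranking: most messages listed wins, ham or not."""
    return sorted(stats, key=lambda n: stats[n].hits, reverse=True)


def rank_fp_aware(stats: Dict[str, ListStats]) -> List[str]:
    """Precision first, then catch rate: a list that blocks ham drops."""
    return sorted(stats, key=lambda n: (stats[n].precision, stats[n].catch_rate),
                  reverse=True)


if __name__ == "__main__":
    results = evaluate(CORPUS, LISTS)
    for name, s in results.items():
        print(f"{name:17} hits={s.hits} catch={s.catch_rate:.2f} "
              f"fpr={s.fp_rate:.2f} precision={s.precision:.2f}")
    print("by hits:    ", rank_by_hits(results))
    print("fp-aware:   ", rank_fp_aware(results))
```

The same defect applies to any comparison that only counts how many messages of a spam-only feed a list matched; without a ham corpus run through the same lists there is no false-positive term, and the degenerate list cannot be told apart from a good one.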
Re: Anyone who use spamass-milter?
On Fri, 2010-04-02 at 11:31 -0700, forrie wrote:

I'm running into this same problem - I've been trying to debug this all morning. The error message is ambiguous and appears to be directly connected to SpamAssassin. I upgraded to 3.3.1 and rebuilt, and the problem still happens. It seems to happen for large sites like aol.com, facebook.com, ... there are others that work fine, such as Google Gmail. I do not have any grey-listing installed. These messages are being rejected with an ambiguous: Milter: data, reject=451 4.3.2 Please try again later and it doesn't make any sense. I've checked the socket file, permissions, etc. I don't see any errors in the logs. What could be causing this? It's becoming a problem as mails are not being received inbound.

Strict 'users' will say this is *not* a SpamAssassin issue so have your flame-proof pants handy :=0 It may help somewhat if you mentioned the MTA you are using and how you've configured it to use the milter. FWIW I once had that issue with Postfix - lots of 451 4.7.1 Service unavailable - try again later errors, which were nearly as helpful :-)

First things first, is it running? You've configured your MTA to talk to the milter? You don't have any issues with the socket being relative to a chroot jail?
Re: The Impossible Rule??? Bug???
On Tue, 2010-03-23 at 10:00 +, --[ UxBoD ]-- wrote:

mimeheader __ANY_IMAGE_ATTACH  Content-Type =~ /image\/(?:gif|jpe?g|png|bmp)/
mimeheader MIME_IMAGE_JPG      Content-Type =~ /image\/jpg/
describe   MIME_IMAGE_JPG      Contains wrong MIME type image/jpg
score      MIME_IMAGE_JPG      1.0

That's just what the doctor ordered! Thank you :-)
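What the mimeheader rule above is actually testing is easy to verify outside SpamAssassin: walk every MIME part of a message and flag the non-standard `image/jpg` type (the registered type for JPEG is `image/jpeg`). The following is an added example, not code from the post or from SpamAssassin. It builds two constructed messages with Python's standard `email` package, one carrying an `image/jpg` attachment and one carrying `image/jpeg`, and applies the same check the rule encodes, with an exact comparison of the normalised content type rather than the unanchored regex so `image/jpeg` can never match by accident. Function names and the 1.0 score mirror the posted rule but are this example's own.

```python
"""Flag MIME image parts declared with the non-standard type image/jpg.

Added example, not from the mailing-list post or SpamAssassin itself.
The sample messages are constructed inline so the script runs offline.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Registered image types the posted __ANY_IMAGE_ATTACH rule looks for.
KNOWN_IMAGE_TYPES = {"image/gif", "image/jpeg", "image/png", "image/bmp"}
WRONG_JPEG_TYPE = "image/jpg"      # common but unregistered spelling
MIME_IMAGE_JPG_SCORE = 1.0         # matches the score in the posted rule


def _parse(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


def image_content_types(raw: bytes) -> List[str]:
    """Normalised (lower-cased, parameter-free) type of every image/* part."""
    msg = _parse(raw)
    return [part.get_content_type() for part in msg.walk()
            if part.get_content_maintype() == "image"]


def wrong_jpg_parts(raw: bytes) -> List[Tuple[str, str]]:
    """(filename, content type) for each part declared exactly as image/jpg."""
    msg = _parse(raw)
    return [(part.get_filename() or "", part.get_content_type())
            for part in msg.walk()
            if part.get_content_type() == WRONG_JPEG_TYPE]


def score_message(raw: bytes) -> float:
    """Score contribution of the MIME_IMAGE_JPG check: hit once per message."""
    return MIME_IMAGE_JPG_SCORE if wrong_jpg_parts(raw) else 0.0


def build_sample_message(subtype: str) -> bytes:
    """Constructed test message with one image attachment of image/<subtype>."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Photo attached"
    msg.set_content("Photo attached.")
    # Minimal JPEG-like header bytes followed by padding; content is irrelevant
    # to the check, only the declared Content-Type matters.
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    msg.add_attachment(fake_jpeg, maintype="image", subtype=subtype,
                       filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for subtype in ("jpg", "jpeg"):
        raw = build_sample_message(subtype)
        print(subtype, image_content_types(raw), wrong_jpg_parts(raw),
              score_message(raw))
```

Because `get_content_type()` lower-cases the type and strips parameters, a header such as `Content-Type: image/JPG; name="photo.jpg"` is still caught, which is the same case-insensitivity a practitioner would want from the SpamAssassin rule (the posted regex, as written, is case-sensitive).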