Re: MS-relayed spam
I started forwarding full headers and text to "ab...@outlook.com" and they blocked my IP.

-----Original Message-----
From: David Jones via users
Sent: Tuesday, January 2, 2024 1:07 PM
To: Charles Sprickman
Cc: SA Mailing list
Subject: Re: MS-relayed spam

I would report this to Microsoft Abuse and set up local rules that add a point or two, something like this:

header BAD_O365_SENDER X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/

With a threshold of 6.2, you might want to consider either lowering that a little or bumping up some default scores for some of the "worse" rules. Most legit senders should not be using their onmicrosoft.com for their primary address, but there are a few that I have seen over the years, so I also have a counter rule to subtract a point or two for specific onmicrosoft.com subdomains.

On 1/1/24, 3:29 PM, "Charles Sprickman" <sp...@bway.net> wrote:

Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?
To me, it appears that a company with some kind of on-prem email server is using MS' inbound/outbound filtering/relaying for their email, and I'm assuming that the company (acquiretm dot com) has compromised account(s) being used for spam, and that this type of account is valuable since it's relayed through a somewhat "trusted" entity (MS).

Stumped on the empty envelope from though...

Thanks,

Charles

Full headers inline:

Return-Path:
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
	by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
	for <myem...@mydomain.com>; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
	tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001,
	FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618,
	HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, SCC_BODY_URI_ONLY=1.44,
	SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01]
	autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
	by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
	with ESMTP id y8UwjrBjDDCO for <myem...@mydomain.com>;
	Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
	for <myem...@mydomain.com>; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=; b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is 193.176.158.140) smtp.rcpttodomain=MYDOMAI
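Before putting David's onmicrosoft.com rule into local.cf, it helps to see what it does to the score the posted headers already carry (3.971 against a 6.2 threshold) and what the counter rule for a known-good tenant does. The script below is an added example written for this thread, not SpamAssassin's own rule engine: it understands only the two rule forms it needs, `header NAME Hdr =~ /re/` and `score NAME n`, parses the X-Spam-Status line from Charles' headers, and re-applies the threshold. The 2.0 and -1.5 scores, the GOOD_O365_SENDER counter rule, and the tenant names `example-tenant.onmicrosoft.com` and `knowngood.onmicrosoft.com` are assumptions; the real X-OriginatorOrg value was not in the posted excerpt.

```python
"""Evaluate simple SpamAssassin-style header rules against a message and show
the effect on the score already recorded in X-Spam-Status.

Added example for the MS-relayed spam thread; not SpamAssassin code.
"""
import re
from email import message_from_string

# local.cf fragment. BAD_O365_SENDER is the rule from the thread; its score,
# the GOOD_O365_SENDER counter rule and the tenant it matches are assumptions.
LOCAL_CF = r"""
header BAD_O365_SENDER  X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/
score  BAD_O365_SENDER  2.0
header GOOD_O365_SENDER X-OriginatorOrg =~ /^knowngood\.onmicrosoft\.com$/
score  GOOD_O365_SENDER -1.5
"""

HEADER_RULE_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/(\w*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")


def parse_rules(cf_text):
    """Return {rule_name: (header_name, compiled_regex, score)}.
    A header rule with no score line gets SpamAssassin's default of 1.0."""
    patterns, scores = {}, {}
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RULE_RE.match(line)
        if m:
            name, header, pattern, flags = m.groups()
            patterns[name] = (header, re.compile(pattern, re.I if "i" in flags else 0))
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return {n: (h, rx, scores.get(n, 1.0)) for n, (h, rx) in patterns.items()}


def parse_spam_status(value):
    """Parse the tests=[NAME=score, ...] list out of an X-Spam-Status value."""
    tests = {}
    m = re.search(r"tests=\[(.*?)\]", value, re.S)
    if m:
        for item in m.group(1).split(","):
            name, _, score = item.strip().partition("=")
            if name:
                tests[name] = float(score)
    return tests


def evaluate(msg, rules):
    """Return {rule_name: score} for every local rule whose header matches."""
    hits = {}
    for name, (header, rx, score) in rules.items():
        value = msg.get(header)
        if value is not None and rx.search(value.strip()):
            hits[name] = score
    return hits


def rescore(raw_message, cf_text=LOCAL_CF, required_override=None):
    """Combine the upstream score with local rule hits and re-apply the threshold."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status", "")
    upstream_score = float(re.search(r"score=(-?[\d.]+)", status).group(1))
    required = float(re.search(r"required=([\d.]+)", status).group(1))
    if required_override is not None:
        required = required_override
    local_hits = evaluate(msg, parse_rules(cf_text))
    total = round(upstream_score + sum(local_hits.values()), 3)
    return {
        "upstream_score": upstream_score,
        "tests_sum": round(sum(parse_spam_status(status).values()), 3),
        "local_hits": local_hits,
        "total": total,
        "required": required,
        "spam": total >= required,
    }


def sample_message(originator_org):
    """Constructed message: X-Spam-Status copied from the thread, placeholder
    X-OriginatorOrg (the real value was not in the posted excerpt)."""
    return (
        f"X-OriginatorOrg: {originator_org}\n"
        "X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2\n"
        "\ttests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1,\n"
        "\tDKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001,\n"
        "\tFROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618,\n"
        "\tHTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,\n"
        "\tRCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, SCC_BODY_URI_ONLY=1.44,\n"
        "\tSPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01]\n"
        "\tautolearn=no autolearn_force=no\n"
        "Subject: constructed test message\n"
        "\n"
        "body\n"
    )


if __name__ == "__main__":
    for org in ("example-tenant.onmicrosoft.com", "knowngood.onmicrosoft.com", "example.com"):
        r = rescore(sample_message(org))
        print(f"{org:32} hits={r['local_hits']} total={r['total']} spam={r['spam']}")
    # "lowering that a little": the same message against a 5.0 threshold
    print("at 5.0:", rescore(sample_message("example-tenant.onmicrosoft.com"), required_override=5.0)["spam"])
```

With a 2-point rule the posted message only reaches 5.971, still under 6.2, which is the point David makes about the threshold: either lower it a little or raise the scores of the rules that already fired. The counter rule brings a known-good tenant back down to 4.471, so it stays below the line either way.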
sa-update
Hello,

I didn't get an update since 5 March (1908044).

FreeBSD 12.4-RELEASE-p2
spamassassin 4.0.0_2

Mar 17 08:19:41.458 [41854] dbg: channel: metadata version = 1908044, from file /var/db/spamassassin/4.00/updates_spamassassin_org.cf
Mar 17 08:19:41.471 [41854] dbg: dns: 0.0.4.updates.spamassassin.org => 1908044, parsed as 1908044
Mar 17 08:19:41.471 [41854] dbg: channel: current version is 1908044, new version is 1908044, skipping channel
Re: Help me waste spammers resources
What if I am already using mxbackup1.junkemailfilter.com?

From: Marc Perkel
Sent: Friday, June 19, 2015 2:41 PM
To: users@spamassassin.apache.org
Subject: Help me waste spammers resources

I found a great trick for wasting spammers' resources and getting them blacklisted that I'd like to share with all of you.

On my main spam filtering servers I advertise authenticated login even though I don't actually have any authenticated users. Anyone who tries to authenticate is a spammer. I accept all passwords as good and we accept the email, which is then added to my blacklist, and I then ship copies of the spam off to all my spam filtering partners who use it to add to their blacklists. And I'm wasting a lot of their resources absorbing spam that just isn't being delivered.

Just last week on my main good email processing server I accepted 37,232,709 spams. So - this works. I encourage others to do the same thing. Or - you can just help me do it. If you have domains you are filtering, just add this as your highest numbered MX record:

tarbaby.junkemailfilter.com

or you can CNAME to it if you want. And I'll absorb the spam for you as they hack my servers, and that's spam you don't have to process.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: Spam not stopped???
Also this is my /etc/default/spamass-milter:

OPTIONS=-u nobody -i 127.0.0.1,209.102.124.20 -r 9 -M

What strikes me odd is that the message that was stopped by the milter had its id set to spamass-milter:

Jun 15 06:27:31 mail spamd[981]: spamd: connection from localhost [127.0.0.1] at port 42127
Jun 15 06:27:31 mail spamd[981]: spamd: setuid to spamass-milter succeeded

The message that did not get stopped by the milter had its id set to the target email id:

Jun 15 08:08:10 mail spamd[20901]: spamd: connection from localhost [127.0.0.1] at port 55987
Jun 15 08:08:10 mail spamd[20901]: spamd: setuid to user succeeded

Both of the actual targets were real users (not aliases). And I cannot see anywhere it should be set to spamass-milter when I have the -u nobody option set in the default/spamass-milter file.

Ken

On Thu, 16 Jun 2011, Mihamina Rakotomandimby wrote:

On Wed, 15 Jun 2011 21:15:06 -0400 Ryan Pavely para...@nac.net wrote:

but doesn't that log show it was identified as spam?

it does...

--
RMA.
Re: Spam not stopped???
I think I might have found the problem:

The directory /var/run/spamass/ had owner:group set to spamass-milter:root. I changed that to spamass-milter:smmta. Also the permissions were set to drwxr-xr-x and I changed that to drwxr-sr-x.

I will see if that will solve the problem.

Ken

On Wed, 15 Jun 2011, User for SpamAssassin Mail List wrote:

Also this is my /etc/default/spamass-milter:

OPTIONS=-u nobody -i 127.0.0.1,209.102.124.20 -r 9 -M

What strikes me odd is that the message that was stopped by the milter had its id set to spamass-milter:

Jun 15 06:27:31 mail spamd[981]: spamd: connection from localhost [127.0.0.1] at port 42127
Jun 15 06:27:31 mail spamd[981]: spamd: setuid to spamass-milter succeeded

The message that did not get stopped by the milter had its id set to the target email id:

Jun 15 08:08:10 mail spamd[20901]: spamd: connection from localhost [127.0.0.1] at port 55987
Jun 15 08:08:10 mail spamd[20901]: spamd: setuid to user succeeded

Both of the actual targets were real users (not aliases). And I cannot see anywhere it should be set to spamass-milter when I have the -u nobody option set in the default/spamass-milter file.

Ken

On Thu, 16 Jun 2011, Mihamina Rakotomandimby wrote:

On Wed, 15 Jun 2011 21:15:06 -0400 Ryan Pavely para...@nac.net wrote:

but doesn't that log show it was identified as spam?

it does...

--
RMA.
Spam not stopped???
Hello,

I have something I cannot explain. We blacklisted an email address for a client but SpamAssassin still let it through. Here are the logs:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=cli...@pcez.com, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent

As you can see the user is in the blacklist, but yet the mail was delivered. I checked other email that was over a score of 9 and the mail was rejected, but for some reason or another this was not.

Anyone have an idea why this is making it through?

Thanks,
Ken
Re: Spam not stopped???
Lawrence,

Thanks for the response. I know SpamAssassin doesn't stop it; we use a spamassassin milter for sendmail to reject it. (We've been doing this for years.)

Anyway here is a log on an email that was rejected:

Jun 15 06:27:33 mail spamd[981]: spamd: identified spam (22.2/6.0) for spamass-milter:111 in 2.1 seconds, 5378 bytes.
Jun 15 06:27:33 mail spamd[981]: spamd: result: Y 22 - AWL,BAYES_99,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,SARE_SPEC_ROLEX,SARE_SPOOF_COM2COM,SARE_SPOOF_COM2OTH,SPOOF_COM2COM,SPOOF_COM2OTH,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=2.1,size=5378,user=spamass-milter,uid=111,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=42127,mid=20110615185711.2964.qmail@vsp-6214cbe9e6d,bayes=1.00,autolearn=spam
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: to=u...@pcez.com, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin

The reason we did not block this at the MTA level is we do not know if OTHER users might want email from this email address.

Anyway I'm still looking for a clue why one is blocked and the other is not.

Thanks,
Ken

On Wed, 15 Jun 2011, Lawrence @ Rogers wrote:

On 15/06/2011 10:00 PM, User for SpamAssassin Mail List wrote:

Hello,

I have something I cannot explain. We blacklisted an email address for a client but SpamAssassin still let it through. Here are the logs:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=cli...@pcez.com, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent

As you can see the user is in the blacklist, but yet the mail was delivered. I checked other email that was over a score of 9 and the mail was rejected, but for some reason or another this was not.

Anyone have an idea why this is making it through?

Thanks,
Ken

SpamAssassin merely assigns scores and doesn't do any rejections on its own. That is handled by whatever is calling SpamAssassin and using the score that the e-mail is assigned. This could be something like MailScanner, Amavis, or some other third party software.

Also, it would be better to blacklist an e-mail address at the MTA level (ex: Exim, Postfix)

Regards,
Lawrence
Re: Spam not stopped???
On Thu, 16 Jun 2011, Lawrence @ Rogers wrote:

On 15/06/2011 11:13 PM, User for SpamAssassin Mail List wrote:

Lawrence,

Thanks for the response. I know SpamAssassin doesn't stop it; we use a spamassassin milter for sendmail to reject it. (We've been doing this for years.)

Anyway here is a log on an email that was rejected:

Jun 15 06:27:33 mail spamd[981]: spamd: identified spam (22.2/6.0) for spamass-milter:111 in 2.1 seconds, 5378 bytes.
Jun 15 06:27:33 mail spamd[981]: spamd: result: Y 22 - AWL,BAYES_99,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,SARE_SPEC_ROLEX,SARE_SPOOF_COM2COM,SARE_SPOOF_COM2OTH,SPOOF_COM2COM,SPOOF_COM2OTH,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=2.1,size=5378,user=spamass-milter,uid=111,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=42127,mid=20110615185711.2964.qmail@vsp-6214cbe9e6d,bayes=1.00,autolearn=spam
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: to=u...@pcez.com, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin

The reason we did not block this at the MTA level is we do not know if OTHER users might want email from this email address.

Anyway I'm still looking for a clue why one is blocked and the other is not.

Thanks,
Ken

On Wed, 15 Jun 2011, Lawrence @ Rogers wrote:

On 15/06/2011 10:00 PM, User for SpamAssassin Mail List wrote:

Hello,

I have something I cannot explain. We blacklisted an email address for a client but SpamAssassin still let it through. Here are the logs:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=cli...@pcez.com, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent

As you can see the user is in the blacklist, but yet the mail was delivered. I checked other email that was over a score of 9 and the mail was rejected, but for some reason or another this was not.

Anyone have an idea why this is making it through?

Thanks,
Ken

SpamAssassin merely assigns scores and doesn't do any rejections on its own. That is handled by whatever is calling SpamAssassin and using the score that the e-mail is assigned. This could be something like MailScanner, Amavis, or some other third party software.

Also, it would be better to blacklist an e-mail address at the MTA level (ex: Exim, Postfix)

Regards,
Lawrence

Although you shouldn't be using SARE rules anymore (no longer developed and reportedly hit many FPs), this e-mail would be blocked by a 9.0 limit. That would indicate that your setup is working, at least sometimes.

The first set of headers you posted were as follows:

Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no

BAYES_50 is 0.8
HTML_MESSAGE is 0.001
MISSING_SUBJECT is 0.001
SPF_PASS is -0.001
TVD_SPACE_RATIO is 0.001
USER_IN_BLACKLIST is 100.00

I got this from http://spamassassin.apache.org/tests_3_3_x.html (except MISSING_SUBJECT and TVD_SPACE_RATIO, which are not listed but are present in the current 3.3 rules available via sa-update)

So the overall score should have been 100.802

What was the score shown as being returned by SA?

Regards,
Lawrence

As the log showed:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0)

spamd is reporting it as spam.

sendmail.mc is set up as:

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=S:6m;R:9m;E:16m')dnl

As you can see the one message is blocked by MTA:

Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: to=u...@pcez.com, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin

But the message in question got delivered even though spamassassin said it was spam. So it looks like the milter is working for one email but not the other.

What would cause this?

Thanks,
Ken
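The thread keeps comparing two log excerpts by eye: spamd says spam, the milter is configured with -r 9, yet sendmail logs stat=Sent for one of them. The script below is an added example for this thread (not part of SpamAssassin or spamass-milter) that does that comparison mechanically over the syslog lines spamd and sm-mta write: it pairs each `spamd: result:` line with the next `stat=` line within a short time window, works out what a milter rejecting above a given score should have done, and reports the disagreements. The sample log is the thread's own lines with the line-wrap artefacts joined and the first result line's test list abridged; addresses are as obfuscated in the posts. The pairing-by-time window and the 10-second default are assumptions of this example.

```python
"""Reconcile spamd verdicts with sendmail delivery status, to find messages
that scored above the milter's reject threshold but were delivered anyway.

Added example for the "Spam not stopped???" thread; not SpamAssassin or
spamass-milter code.
"""
import re
from datetime import datetime

# Lines quoted in the thread (wrap artefacts joined, first test list abridged).
SAMPLE_LOG = """\
Jun 15 06:27:33 mail spamd[981]: spamd: identified spam (22.2/6.0) for spamass-milter:111 in 2.1 seconds, 5378 bytes.
Jun 15 06:27:33 mail spamd[981]: spamd: result: Y 22 - AWL,BAYES_99,HTML_IMAGE_ONLY_12,URIBL_BLACK scantime=2.1,size=5378,user=spamass-milter,uid=111,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=42127,mid=20110615185711.2964.qmail@vsp-6214cbe9e6d,bayes=1.00,autolearn=spam
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: to=u...@pcez.com, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin
Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=cli...@pcez.com, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (spamd|sm-mta)\[\d+\]: (.*)$")
RESULT_RE = re.compile(r"^spamd: result: ([YN]) (-?\d+) - (\S+) (.*)$")
STAT_RE = re.compile(r"^(\S+): to=([^,]+), .*\bstat=(.*)$")


def parse_log(text):
    """Turn spamd result lines and sendmail delivery lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year
        prog, rest = m.group(2), m.group(3)
        if prog == "spamd":
            r = RESULT_RE.match(rest)
            if not r:
                continue  # "identified spam" and setuid lines carry nothing extra
            flag, score, tests, fields = r.groups()
            kv = dict(f.split("=", 1) for f in fields.split(",") if "=" in f)
            events.append({"ts": ts, "kind": "verdict", "is_spam": flag == "Y",
                           "score": int(score), "tests": tests.split(","),
                           "user": kv.get("user"), "mid": kv.get("mid"),
                           "required": float(kv.get("required_score", "nan"))})
        else:
            s = STAT_RE.match(rest)
            if s:
                qid, rcpt, stat = s.groups()
                events.append({"ts": ts, "kind": "delivery", "qid": qid,
                               "rcpt": rcpt, "stat": stat})
    return events


def reconcile(events, reject_at=9, window_s=10):
    """Pair each verdict with the next delivery record within window_s seconds
    and compare what a milter rejecting above reject_at should have done with
    what sendmail logged."""
    findings, pending = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable: ties keep log order
        if ev["kind"] == "verdict":
            pending = ev
        elif pending is not None and (ev["ts"] - pending["ts"]).total_seconds() <= window_s:
            expected = "reject" if pending["score"] > reject_at else "deliver"
            observed = "deliver" if ev["stat"].startswith("Sent") else "reject"
            findings.append({"mid": pending["mid"], "user": pending["user"],
                             "score": pending["score"], "tests": pending["tests"],
                             "qid": ev["qid"], "rcpt": ev["rcpt"],
                             "expected": expected, "observed": observed,
                             "ok": expected == observed})
            pending = None
    return findings


def mismatches(findings):
    """Only the pairs where the logged outcome contradicts the verdict."""
    return [f for f in findings if not f["ok"]]


if __name__ == "__main__":
    for f in reconcile(parse_log(SAMPLE_LOG)):
        tag = "OK      " if f["ok"] else "MISMATCH"
        print(f"{tag} score={f['score']:>4} user={f['user']:<15} qid={f['qid']} "
              f"expected={f['expected']} observed={f['observed']}")
```

Run against the thread's lines it flags exactly one pair: the 103-point message scanned as user `client` that sendmail then reported as Sent, while the 22-point message scanned as `spamass-milter` was rejected as expected. Keeping the `user` field in the finding matters here, because that is the difference Ken later noticed between the two scans.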
Pyzor Server
Hello,

I don't keep a constant eye on the mail server logs but did notice that pyzor was not working. I pinged the server that I've been using for years:

# pyzor ping 82.94.255.100:24441
TimeoutError:

And see it is not working. I did a pyzor discover and found a public server and did a ping on it:

# pyzor ping public.pyzor.org:24441
(200, 'OK')

My question: Did this old server go away? And is this new server the one to use nowadays?

Thanks,
Ken
RE: spamassassin-3.3.0 for Fedora/RHEL
http://wtogami.livejournal.com/33674.html

If you use spamassassin on Fedora or RHEL5, please see my blog post for RPM packages and distro-specific notes.

quote

* STOP USING SARE or OpenProtect. They died a long time ago. Some of their rules are dangerous or redundant. Many of the better rules were integrated into spamassassin upstream.

So how do I stop using sare or openprotect?
RE: spamassassin-3.3.0 for Fedora/RHEL
So how do I stop using sare or openprotect? remove the rules? remove the channels?

I suppose you know if you use them or not, do you?

Yes I am using it. Since the blog advises to stop using it, I am wondering how do I do so? I had removed the sa-update from my crontab. Do I need to remove all those dostech_net.cf files?

regards
RE: spamassassin-3.3.0 for Fedora/RHEL
Of course. You have to remove everything from /var/lib/spamassassin/3.003000 that you do not want to use. As an example, that is what remains here:

Thank you
DomainKeys.pm
Hi,

After upgrading to 3.3.0 I began to get an error:

Jan 29 03:12:40.458 [9168] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DomainKeys.pm in @INC (@INC contains: lib /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at (eval 45) line 1.

I did a locate DomainKeys.pm and it is in /usr/lib/perl5/vendor_perl/5.8.8/Mail/DomainKeys.pm

So I copied DomainKeys.pm to /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/ and am still getting the error.

I am running a CentOS 5.4 machine. I do have perl-Mail-DomainKeys-1.0-1.el5.rf.noarch installed.

Did I miss out anything?

Regards
removing check for rulenames
Hi,

How do I remove checking with RCVD_IN_DNSWL_LOW and RCVD_IN_RP_SAFE?

-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [67.131.25.23 listed in list.dnswl.org]
-2.0 RCVD_IN_RP_SAFE RBL: Sender is in Return Path Safe (trusted relay) [Return Path SenderScore Safe List (formerly]

Thanks with regards
RE: removing check for rulenames
How do I remove checking with RCVD_IN_DNSWL_LOW and RCVD_IN_RP_SAFE?

-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [67.131.25.23 listed in list.dnswl.org]
-2.0 RCVD_IN_RP_SAFE RBL: Sender is in Return Path Safe (trusted relay) [Return Path SenderScore Safe List (formerly]

Setting the score of any rule to 0 in local.cf will disable it. Although many people choose to disable such rules, reporting false positives to list maintainers may help the rest of the community.

score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_RP_SAFE 0

Thanks Jason for both the answers. I did report to list.dnswl.org but there is no reporting tool for SenderScore
RE: removing check for rulenames
I did report to list.dnswl.org but there is no reporting tool for SenderScore

Well, there is, but it has been notoriously difficult to find. Although the rule names have changed with the release of 3.3.0, you can find reporting information in the SA wiki.

http://wiki.apache.org/spamassassin/ReportingSpam

Many thanks again, Jason
RE: exclude domain from server-wide
I am running a qmail + simscan + spamassassin + clamav on a centos 5.3.

Regards

there are many ways to do it... you could try @example.com in your /var/qmail/control/badmailfrom might work... depending on some factors... you could smtp reject above a certain score and do a blacklist in your SA configs and reject it that way... lots of ways... be creative...

Thank you guys for replying. What I meant was, is there a way to exclude one of my virtual domains? The client would like to filter mails with their mail client instead
exclude domain from server-wide
Hi,

How do I exclude a domain from a server-wide environment?

regards
RE: exclude domain from server-wide
How do I exclude a domain from a server-wide environment?

with magic words? *g

describe your mail/spamassassin server setup (cause there are a thousand ways which it might be implemented at your side), then you might get an answer

I am running a qmail + simscan + spamassassin + clamav on a centos 5.3.

Regards
flooded with undetected spam
Hi,

My inbox is flooded by some new spams. Any idea how I block it?

http://202.42.86.77/1.eml
http://202.42.86.77/2.eml

Best regards
spamd and sendmail mailertable
Hello,

We're using sendmail and its feature mailertable for forwarding certain domains to other mail servers (using somedomain.com esmtp:[mail.somedomain.com]). When an email comes in for one of these forwarded domains it will check our greylist, our clamav, but will not do a spamassassin check.

Our sendmail.mc looks like: (skipped the first part)

#
dnl # greylist settings
INPUT_MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/greylist.sock')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
dnl # spamassassin settings
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=, T=S:6m;R:9m;E:16m')dnl
dnl # clamav-milter plugin from ClamAV Virus Scanner
include(`/etc/mail/m4/clamav-milter.m4')dnl
MAILER(local)dnl
MAILER(smtp)dnl

It's been a long time since I've gotten into the bowels of the spamassassin/sendmail setup, and at this point I cannot figure out why, when these emails come in for these forwarded domains, they are checked for greylist and clamav but not spamassassin.

Anyone have an idea?

Thanks,
Ken
Re: spamd and sendmail mailertable
Checking into this more I notice this happens on any forwarded email to another system. Spamassassin refuses to check it.

Any ideas?

Thanks,
Ken

On Fri, 14 Mar 2008, User for SpamAssassin Mail List wrote:

Hello,

We're using sendmail and its feature mailertable for forwarding certain domains to other mail servers (using somedomain.com esmtp:[mail.somedomain.com]). When an email comes in for one of these forwarded domains it will check our greylist, our clamav, but will not do a spamassassin check.

Our sendmail.mc looks like: (skipped the first part)

#
dnl # greylist settings
INPUT_MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/greylist.sock')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
dnl # spamassassin settings
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=, T=S:6m;R:9m;E:16m')dnl
dnl # clamav-milter plugin from ClamAV Virus Scanner
include(`/etc/mail/m4/clamav-milter.m4')dnl
MAILER(local)dnl
MAILER(smtp)dnl

It's been a long time since I've gotten into the bowels of the spamassassin/sendmail setup, and at this point I cannot figure out why, when these emails come in for these forwarded domains, they are checked for greylist and clamav but not spamassassin.

Anyone have an idea?

Thanks,
Ken
Re: Is http://www.rulesemporium.com?
I have the same problem here:

traceroute to www.rulesemporium.com (72.52.4.74), 30 hops max, 38 byte packets
 1  roxanne.pcez.com (209.102.124.1)  0.179 ms  0.146 ms  0.143 ms
 2  52.ATM5-0.GW9.POR3.ALTER.NET (157.130.180.65)  3.016 ms  3.190 ms  2.917 ms
 3  0.so-4-3-0.XT2.POR3.ALTER.NET (152.63.104.254)  3.397 ms  3.131 ms  3.121 ms
 4  0.so-3-0-0.XL2.SJC7.ALTER.NET (152.63.0.146)  17.919 ms  17.896 ms  17.895 ms
 5  POS7-0-0.GW4.SJC7.ALTER.NET (152.63.48.245)  19.365 ms  19.351 ms  19.328 ms
 6  teliasonera-test-gw.customer.alter.net (157.130.215.70)  21.223 ms  21.364 ms  21.248 ms
 7  las-bb1-link.telia.net (213.248.80.17)  30.684 ms  30.711 ms  30.628 ms
 8  dls-bb1-link.telia.net (213.248.80.14)  71.889 ms  71.869 ms  71.875 ms
 9  mai-b1-link.telia.net (80.91.252.62)  98.787 ms  98.759 ms  98.765 ms
10  * * *

Ken

On Fri, 29 Feb 2008, David Filion wrote:

Ed Kasky wrote:

At 12:08 AM Friday, 2/29/2008, blaine wrote -=

I was not able to access http://www.rulesemporium.com? Is this working or moved somewhere?

Works fine from here. Site is reachable and resolves to 72.52.4.74 which pings fine as well. Something's broken somewhere.

From sunny Los Angeles where it was 80 degrees yesterday:

traceroute to 72.52.4.74 (72.52.4.74), 30 hops max, 40 byte packets
 1  ns5gt.wrenkasky.com (10.10.10.1)  0.620 ms  0.809 ms  1.058 ms
 2  router.wrenkasky.com (216.102.129.41)  13.910 ms  19.470 ms  24.269 ms
 3  dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66)  29.160 ms  34.044 ms  38.922 ms
 4  bb2-g10-0.irvnca.sbcglobal.net (151.164.92.198)  85.450 ms  86.375 ms  87.311 ms
 5  151.164.93.167 (151.164.93.167)  70.757 ms  71.946 ms  72.868 ms
 6  151.164.251.214 (151.164.251.214)  74.810 ms  76.133 ms  80.781 ms
 7  dls-bb1-link.telia.net (213.248.80.14)  144.269 ms  72.000 ms  71.572 ms
 8  mai-b1-link.telia.net (80.91.252.62)  100.388 ms  102.816 ms  107.478 ms
 9  * * *
10  * * *
11  * * *
12  * * *
--snip--
30  * * *

Half / half here.
From one server it doesn't work:

traceroute to 72.52.4.74 (72.52.4.74), 30 hops max, 40 byte packets
 1  heroine.xprima.com (207.96.225.62)  0.621 ms  0.649 ms  0.695 ms
 2  ia-piex-gw06-vl1219.vtl.net (207.253.197.1)  1.667 ms  1.366 ms  0.978 ms
 3  216.113.123.9 (216.113.123.9)  1.721 ms  1.593 ms  1.248 ms
 4  ia-piex-bb04-pos11-0-0-cpe082.vtl.net (216.113.122.82)  14.211 ms  *  *
 5  sl-tisca1-60020-0.sprintlink.net (144.223.37.150)  11.102 ms  11.099 ms  23.997 ms
 6  so-0-0-0.mia11.ip.tiscali.net (89.149.186.45)  46.055 ms  46.032 ms  46.057 ms
 7  prolexic-gw.ip.tiscali.net (213.200.73.38)  46.046 ms  46.059 ms  45.550 ms
 8  * * *
 9  * * *
--snip--
30  * * *

From a second server it does:

traceroute to 72.52.4.74 (72.52.4.74), 30 hops max, 38 byte packets
 1  erx02.tor.pppoe.ca (206.248.154.120)  52.137 ms  47.751 ms  49.089 ms
 2  i2110.border1.pppoe.ca (206.248.155.249)  48.226 ms  47.784 ms  47.483 ms
 3  65.39.198.249 (65.39.198.249)  46.819 ms  48.314 ms  47.175 ms
 4  oc48-po4-0.nyc-telx-dis-2.peer1.net (216.187.115.126)  56.828 ms  57.145 ms  56.887 ms
 5  oc48-po3-0.nyc-75bre-dis-1.peer1.net (216.187.115.134)  58.735 ms  57.571 ms  58.153 ms
 6  oc48-po2-0.wdc-eqx-dis-1.peer1.net (216.187.115.54)  63.232 ms  64.553 ms  63.534 ms
 7  * * *
 8  unknown.hwng.net (69.16.190.161)  85.520 ms  86.509 ms  85.609 ms
 9  1-1.r1.lo.hwng.net (69.16.191.50)  153.904 ms  154.564 ms  154.897 ms
10  unknown.hwng.net (69.16.189.66)  148.284 ms  148.410 ms  148.168 ms
11  unknown.prolexic.com (209.200.156.34)  147.512 ms  148.232 ms  148.250 ms
12  unknown.prolexic.com (72.52.4.74)  147.229 ms  148.328 ms  148.167 ms

David
picture spams
Hi, Will ImageInfo be able to detect and catch this picture spam soon? http://dreams.741.com/spam.gif Thanks
Public.pm
Hi List,

Does anyone encounter this error and how do you fix it?

Use of uninitialized value in string eq at /usr/lib/perl5/vendor_perl/5.8.8/Mail/DomainKeys/Key/Public.pm line 67, <GEN934> line 319.

Thanks
[EMAIL PROTECTED] strikes again
The original message was received at Tue, 14 Aug 2007 11:50:13 -0400 from localhost.localdomain [127.0.0.1] - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)) (expanded from: [EMAIL PROTECTED]) - Transcript of session follows - ... while talking to mail.mx05.net.: RCPT To:[EMAIL PROTECTED] 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) 550 5.1.1 [EMAIL PROTECTED] User unknown Return-Path: [EMAIL PROTECTED] Received: from localhost (localhost.localdomain [127.0.0.1]) by ns.mx04.com (8.11.6/8.11.6) with ESMTP id l7EFoDt31728 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 11:50:13 -0400 Received: from pop.zajil.net [212.24.224.61] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Tue, 14 Aug 2007 11:50:13 -0400 (EDT) Received: from bmwebin.zajil.net ([212.24.224.151]) by pop.zajil.net (Merak 8.3.6) with ESMTP id TXN40659 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 18:51:59 +0300 Received: from bmwebin.zajil.net (unknown [127.0.0.1]) by bmwebin.zajil.net (Symantec Mail Security) with ESMTP id C240830429 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 18:01:06 +0300 (AST) X-AuditID: d418e097-af8b2bb00a34-15-46c1c3b1f614 Received: from mail.apache.org (hermes.apache.org [140.211.11.2]) by bmwebin.zajil.net (Symantec Mail Security) with SMTP id B37A130140 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 18:01:05 +0300 (AST) Received: (qmail 27303 invoked by uid 500); 14 Aug 2007 15:47:18 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Precedence: bulk list-help: mailto:[EMAIL PROTECTED] list-unsubscribe: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Id: users.spamassassin.apache.org Delivered-To: mailing list users@spamassassin.apache.org Received: (qmail 27294 invoked by uid 99); 14 Aug 2007 15:47:18 - Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with 
ESMTP; Tue, 14 Aug 2007 08:47:18 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of [EMAIL PROTECTED] designates 209.85.198.190 as permitted sender) Received: from [209.85.198.190] (HELO rv-out-0910.google.com) (209.85.198.190) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 14 Aug 2007 15:47:14 + Received: by rv-out-0910.google.com with SMTP id c24so1461045rvf for users@spamassassin.apache.org; Tue, 14 Aug 2007 08:46:54 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:from:to:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=W8riJXKcP7tjMGodnC54UqKof7JusOySWiJDOkqienhASG+HfcRMm55cD0lU62X6qar4wm6gJu6mwVfETukRx3pUJJSB7uOqSm9hFhfwoBHFqhoJ4/JKIrXQLX6JNpSChFKHHZNrVdlbhfQ7sqfvW5g9qZmcDExxIUDqhPpFDtE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:from:to:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=Kt0Nt44b3Z02LFQL89KgbvbyqZZO5tLzhbJVsw2O5BwQkP61RsL1uAs+y5LtNMwMfK0v5Y53FJtA+MdwpeJC+IGpVdyujeHtlC+k28nhoxcKz5WuwCJSVzvxIipRUUdk4JRS925cE+O9JRyNWf1j9GQmhjUrJAWQW5HkJOn9+n4= Received: by 10.114.27.20 with SMTP id a20mr2782785waa.1187106414523; Tue, 14 Aug 2007 08:46:54 -0700 (PDT) Received: from dw ( [220.255.72.245]) by mx.google.com with ESMTPS id m10sm10662529waf.2007.08.14.08.46.51 (version=SSLv3 cipher=RC4-MD5); Tue, 14 Aug 2007 08:46:53 -0700 (PDT) Message-ID: [EMAIL PROTECTED] From: Spamassassin List [EMAIL PROTECTED] To: users@spamassassin.apache.org Subject: Public.pm Date: Tue, 14 Aug 2007 23:47:12 +0800 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Virus-Checked: Checked by ClamAV on apache.org
X-Brightmail-Tracker: AA==
Re: A rule for empty body and pdf attachment??
Hello,

We are running a Debian Sarge system here with spamassassin version 3.0.3-2sarge1. I tried to put these plugins (ImageInfo and loadplugin) into my system and got the following errors when I restarted:

  Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100.
  BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100.
  Compilation failed in require at (eval 26) line 1.
  Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::ImageInfo" at (eval 27) line 1.
  Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131.
  BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131.
  Compilation failed in require at (eval 28) line 1.
  Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::PDFInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::PDFInfo" at (eval 29) line 1.

What am I missing here to make this work?

Thanks,
Ken

On Thu, 2 Aug 2007, Jeroen Tebbens wrote:

Hi,

Get the PDFInfo plugin from http://www.rulesemporium.com/plugins/ and it will give you more control over PDF spam. It has a rule for empty-body emails with a PDF attachment (GMD_PDF_EMPTY_BODY); give it a score to your liking.

/Jeroen

On Thu, 2 Aug 2007, Michael W Cocke wrote:

These blasted PDF spams are driving me mad! Any ideas for a rule that would trip if there's no text in the body, just a PDF attachment? (I'm using the PDFinfo plugin now, but I don't really understand it.)

Thanks!
Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
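For anyone who does not want to install the PDFInfo plugin just for GMD_PDF_EMPTY_BODY, the same "PDF attached, nothing in the body" test can be written with the MIMEHeader plugin that ships with SpamAssassin 3.2 (it is not in 3.0.x, so the Sarge box above would need a newer SpamAssassin first). The following is an added example, not a rule from the thread or from PDFInfo; the LOCAL_ rule names and the 2.5 score are assumptions to adjust locally:

```conf
# Added local rule, not part of PDFInfo. Requires the MIMEHeader plugin
# (enabled in v320.pre on SpamAssassin 3.2; uncomment its loadplugin there
# if it is not). Drop this into /etc/mail/spamassassin/local.cf.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# A PDF part, recognised by declared media type or by attachment file name.
mimeheader __LOCAL_PDF_CT    Content-Type =~ /^application\/pdf/i
mimeheader __LOCAL_PDF_NAME  Content-Disposition =~ /name=.*\.pdf/i

# Any non-blank character in any text part. rawbody is used instead of
# body because body rules see the Subject line prepended to the text, which
# would make every message with a subject look non-empty.
rawbody    __LOCAL_HAS_TEXT  /\S/

meta     LOCAL_PDF_EMPTY_BODY  (__LOCAL_PDF_CT || __LOCAL_PDF_NAME) && !__LOCAL_HAS_TEXT
describe LOCAL_PDF_EMPTY_BODY  PDF attachment with no text in the message body
score    LOCAL_PDF_EMPTY_BODY  2.5

endif
```

Check it with spamassassin --lint and then spamassassin -t on one of the offending messages; LOCAL_PDF_EMPTY_BODY should appear in the tests list. One caveat: a spam whose "empty" body is an HTML wrapper with no visible text still contains tags, so the rawbody test will see non-blank characters and the rule will not fire; for that case PDFInfo's rendered-text check is the better fit.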
Re: A rule for empty body and pdf attachment??
As a follow up. I found a Logger.pm on the system but it was not in the /usr/share/perl5/Mail/SpamAssassin/ directory. I did find one in the /usr/share/perl5/Razor2 directory. I made a copy of this Logger.pm file and placed it in the Mail/SpamAssassin/ directory like it was looking for in the error log below. When I restarted the spamassassin program I got different errors this time:

  Aug 2 13:00:23 mail spamd[4820]: spamd starting
  Aug 2 13:00:23 mail spamd[4822]: Subroutine new redefined at /usr/share/perl5/Mail/SpamAssassin/Logger.pm line 17.
  Aug 2 13:00:23 mail spamd[4822]: Subroutine log redefined at /usr/share/perl5/Mail/SpamAssassin/Logger.pm line 73.
  Aug 2 13:00:23 mail spamd[4822]: Subroutine log2file redefined at /usr/share/perl5/Mail/SpamAssassin/Logger.pm line 114.
  Aug 2 13:00:24 mail spamd[4822]: Failed to run GMD_PDF_FUZZY2_T1 SpamAssassin test, skipping:
  (Undefined subroutine Mail::SpamAssassin::Plugin::PDFInfo::dbg called at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 393.)

My guess is that this is not the right Logger.pm file. Where do I find the correct file so I can make this work? And is that my only problem???

Thanks,
Ken

On Thu, 2 Aug 2007, User for SpamAssassin Mail List wrote:

Hello,

We are running a Debian Sarge system here with spamassassin version 3.0.3-2sarge1. I tried to put these plugins (ImageInfo and loadplugin) into my system and got the following errors when I restarted:

  Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100.
  BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100.
  Compilation failed in require at (eval 26) line 1.
  Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::ImageInfo" at (eval 27) line 1.
  Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131.
  BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131.
  Compilation failed in require at (eval 28) line 1.
  Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::PDFInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::PDFInfo" at (eval 29) line 1.

What am I missing here to make this work?

Thanks,
Ken

On Thu, 2 Aug 2007, Jeroen Tebbens wrote:

Hi,

Get the PDFInfo plugin from http://www.rulesemporium.com/plugins/ and it will give you more control over PDF spam. It has a rule for empty-body emails with a PDF attachment (GMD_PDF_EMPTY_BODY); give it a score to your liking.

/Jeroen

On Thu, 2 Aug 2007, Michael W Cocke wrote:

These blasted PDF spams are driving me mad! Any ideas for a rule that would trip if there's no text in the body, just a PDF attachment? (I'm using the PDFinfo plugin now, but I don't really understand it.)

Thanks!
Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
error with 3.2.2
Hi,

I just updated to 3.2.2. Encountered an error as follows:

  Jul 30 21:00:33 beyond spamd[20765]: dcc: check failed: failed to read header
  Jul 30 21:00:36 beyond spamd[20767]: dcc: check failed: util: setuid 0 to 508 failed! at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Util.pm line 1343.

How can I solve this?

Thanks
LC
pyzor problem.
Hello,

I've noticed a big jump in spam here and looking through logs it looks like my system is not getting pyzor to respond. When I do a spamassassin --lint -D I show:

  debug: Pyzor is available: /usr/bin/pyzor
  debug: Pyzor: got response: 66.250.40.33:24441 TimeoutError:
  debug: Pyzor: couldn't grok response 66.250.40.33:24441 TimeoutError:

Has something changed with pyzor as of late? Anyone have any clues?

Thanks,
Ken
Re: pyzor problem.
On Mon, 30 Jul 2007, Gary V wrote:

We noticed pyzor latency/timeouts last week and had to disable it.

User for SpamAssassin Mail List wrote:

Hello,

I've noticed a big jump in spam here and looking through logs it looks like my system is not getting pyzor to respond. When I do a spamassassin --lint -D I show:

  debug: Pyzor is available: /usr/bin/pyzor
  debug: Pyzor: got response: 66.250.40.33:24441 TimeoutError:
  debug: Pyzor: couldn't grok response 66.250.40.33:24441 TimeoutError:

Has something changed with pyzor as of late? Anyone have any clues?

Thanks,
Ken

-- Joel Nimety

I think the main server has been overloaded for a couple of years now. Find the .../.pyzor/servers file and replace 66.250.40.33:24441 with 82.94.255.100:24441. It should help.

Gary V

Gary,

That server 82.94.255.100:24441 solved the problem. The next problem was how to change that IP address in the ~/.pyzor/servers files for all the customers. So I put together a script to do just that. Here is that script in case others want to do the same thing.

Thanks,
Ken

You must put a servers file in the /etc/skel/.pyzor directory with 82.94.255.100:24441 in it. Script follows:

  #!/bin/sh
  #
  # This script changes the pyzor server in each user's home directory to
  # the server that is listed in /etc/skel/.pyzor/servers.
  # This became a problem when the primary server stopped
  # responding. - knr - 7-07
  #
  set -e
  cd /home
  # Iterate over directories with a glob rather than parsing `ls` output,
  # and quote every path so odd user names cannot break the commands.
  for dir in */; do
      [ -d "$dir" ] || continue
      user="${dir%/}"
      target="/home/$user/.pyzor/servers"
      # Only touch users who already have a pyzor config and a servers file.
      if [ -d "/home/$user/.pyzor" ] && [ -f "$target" ]; then
          cp /etc/skel/.pyzor/servers "$target"
          chown "$user:users" "$target"
      fi
  done
Re: How would you provide a 554 rejection notice for spam?
dalchri wrote:

I've recently put SpamAssassin in front of my Exchange server as an SMTP proxy. Our previous spam filter would provide a 554 rejection notice for anything that was identified as spam. This meant that any FP would be notified so that email would not get silently ignored. Although a rejection notice was sent, we still retained the spam. This meant that when our users got a call from their customer about the rejected spam, they could quickly locate the message without it having to be resent.

I would like to continue doing this with the new SA/Exchange setup. Right now I use spampd but I would like to change to Sendmail just because it is part of the default install for Redhat.

How would you go about providing a 554 rejection notice? Would you do it on the SMTP proxy? On Exchange? Would you use Sendmail? Postfix? Something else?

A milter from sendmail, provided you wish to stick with sendmail. mimedefang springs to mind, but I have no experience with it.

Any idea for qmail?
Re: graphic spam
Other than FuzzyOCR, is there another way to filter graphic spam? I had ImageInfo but it seems like it is not working.

PS... also check out ImageInfo.pm http://www.rulesemporium.com/plugins.htm

Yes I had that, but it is not working for me.

  [26559] dbg: config: read file /etc/mail/spamassassin/imageinfo.cf
Re: graphic spam
Other than FuzzyOCR, is there another way to filter graphic spam? I had ImageInfo but it seems like it is not working.

PS... also check out ImageInfo.pm http://www.rulesemporium.com/plugins.htm

Yes I had that, but it is not working for me.

  [26559] dbg: config: read file /etc/mail/spamassassin/imageinfo.cf

Probably you're missing the needed loadplugin line? Put this on top of the imageinfo.cf or any .pre file:

  loadplugin Mail::SpamAssassin::Plugin::ImageInfo /path/to/ImageInfo.pm

I have

  loadplugin Mail::SpamAssassin::Plugin::ImageInfo

in v320.pre. I have also moved ImageInfo.pm to /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/

In imageinfo.cf:

  # Version: 0.7
  # Requires: ImageInfo.pm plugin
  ifplugin Mail::SpamAssassin::Plugin::ImageInfo

I still don't see any hit for image email.

Thanks
Routing messages marked as [Spam] to Maildir/.Spam
I apologize if this is a duplicate. I posted the original using Nabble, but there was an error message and not sure if it went through or not. Here goes: I am using Qmail-Scanner 1.25 and Spamassassin 3.1.8 which is the most recent available of the 3.1.x series to Gentoo users. Using qmail, vpopmail, and qmail-scanner to invoke spamassassin. I am using verbose spamassassin mode, and am trying to get mails tagged with rewrite_subject [Spam] to be auto-delivered to the Maildir/.Spam folder. The challenge is that I want this to be done site-wide, and for some reason that I cannot tell, this no longer works for me. Meaning that it was working, and I cannot explain why not any longer. Except that on Friday, I needed to remove fprot from the qmail-scanner process. It was throwing some nasty errors on my box, and when I recompiled everything, I've just been getting no love at all. However, one thing that is of interest is that MOST of the [Spam] ends up in the proper place. Some [Spam] slips by. The stuff that slips by is somehow using the /etc/spamassassin/local.cf preferences. All the [Spam] that is properly delivered to Maildir/.Spam is using my /var/vpopmail/domains/%d/%l/.spamassassin/user_prefs file. What would be the cause of two different prefs files in use by the same account? It's the weirdest thing. 
Qmail-scanner config options: ./configure --spooldir /var/spool/qmailscan --qmaildir /var/qmail --bindir /var/qmail/bin --qmail-queue-binary /var/qmail/bin/qmail-queue --admin postmaster --domain ark --notify psender,nmlvadm --local-domains ark --silent-viruses auto --lang en_GB --debug 1 --unzip 1 --block-password-protected 0 --add-dscr-hdrs 0 --archive 0 --redundant yes --log-details syslog --log-crypto 0 --fix-mime 2 --ignore-eol-check 0 --scanners auto --install 1 Spamd runtime options: -c -d -v -s local4 -q -u vpopmail --virtual-config-dir=/var/vpopmail/domains/%d/%l/.spamassassin/ -H /var/vpopmail Any help would be greatly appreciated, I have lost 3 days looking for an answer but have just exhausted myself trying. Thanks.
graphic spam
Hi,

Other than FuzzyOCR, is there another way to filter graphic spam? I had ImageInfo but it seems like it is not working.

regards
LC
Re: Please remove [EMAIL PROTECTED] from the list
He is bouncing emails. (See attachment.) Scroom and the camel he rode in on. I am getting the same thing
Re: Bye for good FuzzyOCR
Spamassassin List wrote:

Spamassassin List wrote:

I just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read, and I noticed that I don't even need it to get the remaining image spam above a score of 10. Thanks a lot to the author, the plugin was great when image spam was on a high and no good rules existed to bust them through metadata ;-)

So what are you using now?

HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH together with botnet, bayes and other standard rules is enough to bring all my image spam to above 10 points, even without CPU-intensive FuzzyOCR. I'm not receiving much of it anymore anyway.

How do you get DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO? Using ImageInfo?

They must be on updates.spamassassin.org or saupdates.openprotect.com, otherwise I wouldn't have them.

I have updates.spamassassin.org, saupdates.openprotect.com and botnet, yet I can't achieve HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH. What am I missing out here?
Re: Bye for good FuzzyOCR
I just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read, and I noticed that I don't even need it to get the remaining image spam above a score of 10. Thanks a lot to the author, the plugin was great when image spam was on a high and no good rules existed to bust them through metadata ;-)

So what are you using now?
Re: Bye for good FuzzyOCR
Spamassassin List wrote:

I just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read, and I noticed that I don't even need it to get the remaining image spam above a score of 10. Thanks a lot to the author, the plugin was great when image spam was on a high and no good rules existed to bust them through metadata ;-)

So what are you using now?

HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH together with botnet, bayes and other standard rules is enough to bring all my image spam to above 10 points, even without CPU-intensive FuzzyOCR. I'm not receiving much of it anymore anyway.

How do you get DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO? Using ImageInfo?
Re: Bye for good FuzzyOCR
Spamassassin List wrote:

Spamassassin List wrote:

I just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read, and I noticed that I don't even need it to get the remaining image spam above a score of 10. Thanks a lot to the author, the plugin was great when image spam was on a high and no good rules existed to bust them through metadata ;-)

So what are you using now?

HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH together with botnet, bayes and other standard rules is enough to bring all my image spam to above 10 points, even without CPU-intensive FuzzyOCR. I'm not receiving much of it anymore anyway.

How do you get DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO? Using ImageInfo?

They must be on updates.spamassassin.org or saupdates.openprotect.com, otherwise I wouldn't have them.

Thanks
Re: Logging with Syslog
The current SA install was from my initial install of RHEL 4 and using up2date to get the packages all current. I figured I would stop using up2date from this point on and switch to CPAN upgrades in the future. The CPAN method is what I had used before and it worked nicely, plus I can stay more current with CPAN. I never know when RH will be shipping updates for SA. The base RHEL4 with the latest service release only installed SA 3.04. RH then jumped from 3.04 to 3.18 about 6 weeks ago using the up2date system. I would rather not wait for RH to approve SA updates since this server is mainly a mail server and spammers don't wait around for RH to catch up with them. This server was upgraded from RHEL3. RH never released an update for SA beyond 2.x for RHEL3. If I had waited for them, I would have really been out of date. If RH behaves the same, now that RHEL5 has shipped they may stop keeping RHEL4 current on a lot of different packages. Plus, I'll be adding plugins as I go along and I have no idea what might get messed up with a RH package update. Do you know of any problems with switching from the RH package manager to using CPAN from this point forward? Kris Deugau writes: sa-list wrote: Thanks! Instead of messing with the /etc/sysconfig/spamassassin file, I just commented out those lines. Any reason to keep this configuration, other than wanting more headaches in the future when I try to figure this out again? Well, like I said, /etc/init.d/spamassassin will usually be overwritten on a package upgrade. That's why the files in /etc/sysconfig are provided for quite a few packages - if you have custom startup options to be passed to whichever daemon the file is for, you put them there so they stay set the way you want them when you upgrade the package. Debian does something very similar, except the options files are in /etc/default (I think). 
Editing the init script should really only be used as a last resort, because you will almost certainly have to go back and try to remember what you changed if you install a newer version of the package. -kgd
Logging with Syslog
I can't seem to get SA Syslog to log messages to a log file other than maillog. I changed the spamassassin start up script to add -s local5 to the spamd start up options. I modified syslog.conf to add local5 as an entity. I restarted syslog, courier and spamd. I still get logging messages in /var/log/maillog instead of the desired /var/log/spamd.log.

I tested the syslog change using:

  logger -p local5.warning -t SpamAssassin testing

This gives me the appropriate message written into the /var/log/spamd.log file so it makes me think the syslog changes actually work. What am I doing wrong?

I am using Courier 0.54.2 on RHEL4. SA is 3.1.8.

My Courier maildroprc is:

  import RECIPIENT
  import SENDER
  import HOME
  import USER
  {
    exception {
      xfilter "/usr/bin/spamc -u $USER"
    }
  }

This is working and I am getting email with the SA headers added.

The top part of my /etc/init.d/spamassassin is:

  . /etc/rc.d/init.d/functions

  prog=spamd

  # Source networking configuration.
  . /etc/sysconfig/network

  # Check that networking is up.
  [ "${NETWORKING}" = "no" ] && exit 0

  # Set default spamd configuration.
  SPAMDOPTIONS="-d -m5 -H -s local5"
  SPAMD_PID=/var/run/spamd.pid

  # Source spamd configuration.
  if [ -f /etc/sysconfig/spamassassin ] ; then
      . /etc/sysconfig/spamassassin
  fi

  [ -f /usr/bin/spamd -o -f /usr/local/bin/spamd ] || exit 0
  PATH=$PATH:/usr/bin:/usr/local/bin

  # By default it's all good
  RETVAL=0

  # See how we were called.
  case "$1" in
    start)
      # Start daemon.
      echo -n $"Starting $prog: "
      daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
      RETVAL=$?
      echo
      if [ $RETVAL = 0 ]; then
          touch /var/lock/subsys/spamassassin
      fi
      ;;

My syslog.conf is:

  # Log all kernel messages to the console.
  # Logging much else clutters up the screen.
  #kern.*                                                 /dev/console

  # Log anything (except mail) of level info or higher.
  # Don't log private authentication messages!
  *.info;mail.none;authpriv.none;cron.none;local5.none    /var/log/messages

  # The authpriv file has restricted access.
  authpriv.*                                              /var/log/secure

  # Log all the mail messages in one place.
  mail.*                                                  -/var/log/maillog

  # Log cron stuff
  cron.*                                                  /var/log/cron

  # Everybody gets emergency messages
  *.emerg                                                 *

  # Save news errors of level crit and higher in a special file.
  uucp,news.crit                                          /var/log/spooler

  # Save boot messages also to boot.log
  local7.*                                                /var/log/boot.log

  # Save Spamassassin messages to spamd.log
  local5.*                                                /var/log/spamd.log
Re: Logging with Syslog
Thanks! Instead of messing with the /etc/sysconfig/spamassassin file, I just commented out those lines. Any reason to keep this configuration, other than wanting more headaches in the future when I try to figure this out again? Kris Deugau writes: sa-list wrote: I can't seem to get SA Syslog to log messages to a log file other than maillog. I changed the spamassassin start up script to add -s local5 to the spamd start up options. [snip] ... on RHEL4. [snip] The top part of my /etc/init.d/spamassassin is: [snip] # Set default spamd configuration. SPAMDOPTIONS=-d -m5 -H -s local5 SPAMD_PID=/var/run/spamd.pid # Source spamd configuration. if [ -f /etc/sysconfig/spamassassin ] ; then . /etc/sysconfig/spamassassin fi This is the part of the init script that's tripping you up. Most RH-oriented init scripts are managed by the packaging system, and among other things will usually be overwritten by package upgrades. Thus the last three lines in that segment; it overrides the package default options with whatever you set in /etc/sysconfig/spamassassin. In this case, it also overrides the change you made in the previous lines. Add your -s local5 to the SPAMDOPTIONS definition in /etc/sysconfig/spamassassin, and you should get your syslog output in the right place. ps x|grep spamd should show you the full command line of the currently-running spamd. -kgd
cannot install it on BSD
Hi guys,

I cannot install spamassassin on FreeBSD. Has anyone experienced this before? Any advice will be appreciated.

Thanks
domainkey
Hi,

spamassassin -D --lint shows that I am having some problem with domainkey:

  [31077] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/DKIM.pm in @INC (@INC contains: lib /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/DKIM.pm line 60.

  [EMAIL PROTECTED] ~]# rpm -q perl-Mail-DomainKeys
  perl-Mail-DomainKeys-1.0

What other package do I need?

regards
CentOS 5 with FuzzyOCR
Hi,

I am getting some errors when I try spamassassin -t email.txt:

  Subroutine FuzzyOcr::O_CREAT redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
   at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19
  Subroutine FuzzyOcr::O_EXCL redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
   at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19
  Subroutine FuzzyOcr::O_RDWR redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
   at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19
  [4840] warn: FuzzyOcr: Cannot find executable for giffix
  [4840] warn: FuzzyOcr: Cannot find executable for giftext
  [4840] warn: FuzzyOcr: Cannot find executable for gifinter
  [4840] warn: FuzzyOcr: Cannot find executable for ocrad
  [4840] warn: FuzzyOcr: Cannot find executable for tesseract

Does FuzzyOcr work with CentOS 5?

regards
Re: CentOS 5 with FuzzyOCR
Have you installed the programs that FuzzyOcr is calling? rpm -qa ocrad? Yes i have. [EMAIL PROTECTED] Spam]# rpm -qa ocrad ocrad-0.16
Re: CentOS 5 with FuzzyOCR
Spamassassin List wrote:

I am getting some errors when I try spamassassin -t email.txt:

  Subroutine FuzzyOcr::O_CREAT redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
   at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19
  Subroutine FuzzyOcr::O_EXCL redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
   at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19
  Subroutine FuzzyOcr::O_RDWR redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
   at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19

These seem to be conflicts between the POSIX and Fcntl modules from Perl; not something inherently in FuzzyOcr. FuzzyOcr's author(s) should really look at whether importing these from two places is really necessary, however.

Is there anything I can do to fix this?

  [4840] warn: FuzzyOcr: Cannot find executable for giffix
  [4840] warn: FuzzyOcr: Cannot find executable for giftext
  [4840] warn: FuzzyOcr: Cannot find executable for gifinter
  [4840] warn: FuzzyOcr: Cannot find executable for ocrad
  [4840] warn: FuzzyOcr: Cannot find executable for tesseract

Do you have these programs installed? AFAIK none of the graphics-data-munging programs FuzzyOcr uses are actually bundled with it.

Other than ocrad, what packages do I need?

thanks and regards
Re: spam test
http://hege.li/howto/spam/spamassassin.html Remove everything from Botnet.cf RULES-section and set it up this way: Does the above line mean to remove from the # THE RULES? regards
Re: No RBL checks
I think my spamassassin is performing no RBL checks. I disabled that once and reset that change, but it seems that the RBLs are still not working.

Have you removed -L from the setup of SA?
FuzzyOCR: pamthreshold
Hi,

I am running CentOS 4.4 and have netpbm installed.

  [EMAIL PROTECTED] textspam]# rpm -q netpbm-devel
  netpbm-devel-10.25-2.EL4.3
  [EMAIL PROTECTED] textspam]# rpm -q netpbm-progs
  netpbm-progs-10.25-2.EL4.3
  [EMAIL PROTECTED] textspam]# rpm -q netpbm-devel
  netpbm-devel-10.25-2.EL4.3

I still have the below error. Can anyone please tell me what package I am lacking?

  [4292] warn: FuzzyOcr: Cannot find executable for pamthreshold

Thanks

Regards,
Nic
Online game spam
Hi,

I am getting hit by the online game spam. If I test it using spamassassin -t email, the resulting score is 24.9. Please see http://202.42.86.68/result.txt

But the header says:

  X-Spam-Status: No, score=2.5 required=5.0 tests=DATE_IN_FUTURE_03_06, HTML_MESSAGE,MIME_HTML_ONLY autolearn=disabled version=3.1.7

Did I forget to turn on anything?

in local.cf

  required_hits 5
  report_safe 0
  rewrite_header Subject [SPAM(_SCORE_)]
  use_bayes 0
  auto_learn 0
  skip_rbl_checks 0
  use_bayes 0
  bayes_auto_learn 0

in v310.pre

  loadplugin Mail::SpamAssassin::Plugin::DCC
  loadplugin Mail::SpamAssassin::Plugin::Pyzor
  loadplugin Mail::SpamAssassin::Plugin::Razor2
  loadplugin Mail::SpamAssassin::Plugin::SpamCop
  loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

Regards,
Nic
Re: Online game spam
On Thu, 8 Feb 2007, Spamassassin List wrote:

But the header says:

  X-Spam-Status: No, score=2.5 required=5.0 tests=DATE_IN_FUTURE_03_06, HTML_MESSAGE,MIME_HTML_ONLY autolearn=disabled version=3.1.7

I see no network tests (e.g. RCVD_IN_XBL) - do your logs show *any* messages hitting on network tests?

There are none at all. I am wondering where to turn it on. But I had them turned on in the v310.pre
Re: Online game spam
On Thu, 8 Feb 2007, Spamassassin List wrote:

But the header says:

  X-Spam-Status: No, score=2.5 required=5.0 tests=DATE_IN_FUTURE_03_06, HTML_MESSAGE,MIME_HTML_ONLY autolearn=disabled version=3.1.7

I see no network tests (e.g. RCVD_IN_XBL) - do your logs show *any* messages hitting on network tests?

There are none at all. I am wondering where to turn it on. But I had them turned on in the v310.pre

I had removed the -L in the spamassassin start up and it is working with the network tests.

Thanks
Re: FuzzyOCR: pamthreshold
Use patches from here http://www200.pair.com/mecham/spam/image_spam2.html to solve your problem.

Thanks, but is the site down? I am unable to access it.
Re: Drug Spam
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

I had encountered errors:

  [21895] info: rules: meta test KAM_RPTR_PASSED has undefined dependency '__URIBL_ANY'
  [21895] info: rules: meta test KAM_REAL has undefined dependency '__KAMREAL1'
  [21895] info: rules: meta test KAM_REAL has undefined dependency '__KAMREAL2'
  [21895] info: rules: meta test KAM_REAL has undefined dependency '__KAMREAL3'
  [21895] info: rules: meta test KAM_BLANK01 has undefined dependency 'FM_NO_FROM_OR_TO'
  [21895] info: rules: meta test KAM_BLANK01 has undefined dependency 'FM_NO_TO'

Any idea?

Thanks
URIBL
Hi List,

Is anyone having intermittent problems with URIBL? I got a few copies of the same spam which have different scores, with and without scoring from the URIBL blacklist.

Regards,
LC
Re: blarsbl
This is the guy's www site http://www.blars.org/errors/block.html

I had some trouble with his list before too. Not many people are using that list, so I guess not much damage is done anyway.
Re: Default SpamAssassin scores don't make sense
... That's where the human tweaking is supposed to happen; if gobs of spam flag the 80% meter of some test while no ham does, and the 90% meter is almost never hit by anything, it should have a higher value than the 80% meter does. If the 90% meter has more ham than spam despite the 80% meter having more spam than ham, the tests need to be closely looked at rather than inappropriately weighted.

just my two cents, anyway
-Adam Katz

Here one of your own examples pops up - SPF_FAIL vs. SPF_SOFT_FAIL. In the current state of the world, *most* soft fail results are actual forgeries, but *most* hard fail results are administrator or user error. So SOFT_FAIL is a better spam sign than FAIL - often these things can and do make sense when a rational explanation is looked for (but it can be very far from obvious at times). Hopefully as administrators learn, things like SPF, DK and/or DKIM will become more useful (~all and "sign some" are both serious dilutions of what the technologies have to offer).

Paul Shupak
[EMAIL PROTECTED]
rules_du_jour
Has anyone come up with a rule that will combat the spam that I have been seeing lately? That is, a spam that rambles about much of nothing and then has an image or a link at the bottom. I see more and more of these and it seems like the spammers have figured out a way to get this past SA. I include one such message at the end of this post. Thanks, Ken

Example of this spam:

[IMAGE] Jeg er udvalgt som blogger, dvs. There is little doubt that asynchronous solutions require us to think in new ways as we have to deal with concurrency, out-of-sequence issues, correlation and other. Ingen interesse mere. But it makes me feel better that Ted Neward seems to beat me in that category, though. In my eyes this is really the best indicator of success for a pattern language. We don't have to go further than the local coffee shop. But it makes me feel better that Ted Neward seems to beat me in that category, though. While the conference logistics can be quirky at times the content is top notch. Even if you choose the right specification, it still is likely to evolve over time. Jeg er udvalgt som blogger, dvs. However, when building distributed applications, that asymmetry really has no place. After loosely coupled, stateless must be a close runner-up as the ultimate nirvana in buzzword-compliant architectures. While Java is not necessarily the greatest language to host a DSL we can go a lot further than developers generally believe or care for. Ideally, the debate would involve alcoholic beverages and the other person would pick up the check. This time, though, Ken Arnold stole a little bit of my show by publishing an excellent article in ACM Queue magazine called Programmers are People, too. During the proverbial hallway discussions we started talking about boxes and lines, but in a profound way. Read on to learn more about the implementation and our experiences with intra-JVM EDA. Hearing this tag line for the third or fourth time got me wondering, what really is the difference between coding and configuring? For one thing, a fair number of my intellectual drinking buddies tend to congregate around the large software company in the Pacific Northwest. First, because I was going to meet the exalted one in person.
Re: Scoring PTR's
... On 10/23/2006 7:01 PM, John Rudd wrote: Eric A. Hall wrote: http://www.ehsco.com/misc/spamassassin/std_compliance.cf might help or work for what you're doing. Make sure to read the disclaimers and warnings Those helped a lot. There's only three checks I can't do with them (probably need to use a plugin for it): a) does the hostname in the PTR record point to a CNAME instead of an A record That's not illegal. It's pretty common too, since subnet delegation of in-addr space only works on /8, /16 and /24 subnets due to the way that octets are mapped to domain name labels in that hierarchy.

Eric, I think you either misread, or have it backwards; Indeed a PTR to a CNAME is illegal (RFC not on the fingertips at the moment). What is *very* common is a CNAME to a PTR (which *is* legal). Example:

% host 64.32.188.109
109.188.32.64.in-addr.arpa is an alias for 109.104/29.188.32.64.in-addr.arpa.
109.104/29.188.32.64.in-addr.arpa domain name pointer smtp.mpa0.Plectere.COM.

b) does the hostname contain its IP address in _hex_ form (instead of in decimal form, which I've already got working) I don't recall ever seeing that. If you create a rule for that you might also want to do octal notations too, which is another valid address encoding syntax that should never appear naturally. c) does the hostname in the PTR record actually go to an A record which includes the relay's IP addr that's a reasonable test Also called FCrDNS (i.e. Full Circle reverse DNS). -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/ Paul Shupak [EMAIL PROTECTED]
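The three checks discussed above (generic PTR names that embed the relay's own IP in decimal, hex or octal; and full-circle reverse DNS) as an added example. This is not Eric Hall's std_compliance.cf and not a SpamAssassin plugin; it is stand-alone Python that takes lookup callables so the logic runs offline against constructed answers (the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses and example.org names below are documentation ranges, not real hosts). Socket-backed lookups are included for real use.

```python
"""Reverse-DNS sanity checks for a connecting relay (added example)."""
import ipaddress
import socket


def ip_encodings(ip: str) -> set:
    """Textual forms of an IPv4 address that an auto-generated PTR name may embed:
    decimal octets joined by '.' or '-', hex/octal octets joined by '.', '-' or
    nothing, the whole 32-bit value in hex, and the reversed dotted form."""
    addr = ipaddress.IPv4Address(ip)
    octets = [int(o) for o in ip.split(".")]
    forms = set()
    for sep in (".", "-"):
        forms.add(sep.join(str(o) for o in octets))
    for sep in (".", "-", ""):
        forms.add(sep.join(f"{o:02x}" for o in octets))   # hex, per octet
        forms.add(sep.join(f"{o:03o}" for o in octets))   # octal, per octet
    forms.add(f"{int(addr):08x}")                          # hex as one 32-bit word
    forms.add(".".join(str(o) for o in reversed(octets)))  # as in in-addr.arpa names
    return forms


def hostname_encodes_ip(hostname: str, ip: str) -> list:
    """Encodings of `ip` found inside the PTR hostname (empty list if none)."""
    name = hostname.lower().rstrip(".")
    return sorted(form for form in ip_encodings(ip) if form in name)


def reverse_name(ip: str) -> str:
    """The in-addr.arpa name queried for the PTR record of `ip`."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def fcrdns(ip: str, ptr_lookup, a_lookup) -> dict:
    """Full-circle reverse DNS: PTR(ip) must name a host whose A records include ip.
    ptr_lookup(ip) -> list of hostnames ([] if none); a_lookup(name) -> list of IPs."""
    names = ptr_lookup(ip)
    if not names:
        return {"status": "no-ptr", "names": [], "confirmed": []}
    confirmed = [n for n in names if ip in a_lookup(n)]
    return {"status": "pass" if confirmed else "fail",
            "names": names, "confirmed": confirmed}


def relay_checks(ip: str, ptr_lookup, a_lookup) -> dict:
    """Both checks for one relay IP."""
    result = fcrdns(ip, ptr_lookup, a_lookup)
    result["generic_ptr"] = {n: hostname_encodes_ip(n, ip) for n in result["names"]}
    return result


# Socket-backed lookups for real use. gethostbyname_ex follows CNAMEs, so the
# "PTR that points at a CNAME" case the thread calls illegal is not reported here.
def ptr_via_socket(ip: str) -> list:
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def a_via_socket(name: str) -> list:
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


# Constructed answers so the example runs offline.
FAKE_PTR = {
    "203.0.113.7": ["smtp.example.org"],                        # proper FCrDNS
    "203.0.113.8": ["spoof.example.org"],                       # PTR name resolves elsewhere
    "198.51.100.77": ["cust-198-51-100-77.dsl.example.net"],    # generic, IP-derived name
}
FAKE_A = {
    "smtp.example.org": ["203.0.113.7"],
    "spoof.example.org": ["192.0.2.9"],
    "cust-198-51-100-77.dsl.example.net": ["198.51.100.77"],
}


def demo(ip: str) -> dict:
    return relay_checks(ip, lambda i: FAKE_PTR.get(i, []), lambda n: FAKE_A.get(n, []))


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "198.51.100.77", "192.0.2.1"):
        print(ip, demo(ip))
```

To use it against live DNS, pass `ptr_via_socket` and `a_via_socket` to `relay_checks` instead of the dictionary lambdas; the generic-name check needs no DNS at all.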
Re: senders domain has MX or not?
Which rule will help me in checking if the sender's domain has an MX record or not? E.g. I am getting email from [EMAIL PROTECTED]; then the rule should check whether domain.com has an MX record or not. I think this should be a question on your mail daemon. Not spamassassin.
Re: Moderator: User needs to be unsubscribed...
... To: users@spamassassin.apache.org From: Evan Platt [EMAIL PROTECTED] Subject: Moderator: User needs to be unsubscribed... ... For every post, I'm getting: Subject: Autoreply from [EMAIL PROTECTED] (was Re:perl hogging my memory? ) Errors-To: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] Hello, I am on leave until 23 October; for any request please contact our technical support. Regards Thanks. Evan See thread - Tom Van Overbeke is out of the office This message is the auto-reply from the auto-forward to [EMAIL PROTECTED] that is occurring - Seems they are on vacation too. Paul Shupak [EMAIL PROTECTED]
Re: Tom Van Overbeke is out of the office.
On Mon, 2 Oct 2006 01:16:00 +0200 [EMAIL PROTECTED] wrote: On Mon, October 2, 2006 00:10, [EMAIL PROTECTED] wrote: I will be out of the office starting 29/09/2006 and will not return until 08/10/2006. this is useful to know on maillists :-) ... Better than his last vacation where the junk went to each poster instead of the list: ... Subject: Tom Van Overbeke is out of the office. From: [EMAIL PROTECTED] To: List Mail User [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Date: Tue, 11 Apr 2006 08:28:09 +0200 ... I will be out of the office starting 06/04/2006 and will not return until 18/04/2006. I will respond to your message when I return. For urgent support issues, you can either send a mail to [EMAIL PROTECTED], or contact the central dispatch at (++32)/2 333 4000 Thank you. Paul Shupak [EMAIL PROTECTED]
stock spams
The stock spams are killing me. I had 70_sare_stocks.cf and it's not blocking them. Below is part of the spam and the score. What can I do to beat them?

W a t c h o u t! ALLINACE ENTERPRSIE (A ETR) Curernt Pirce: 0.80 Add this g e m to your wat ch list, and w atch it tard closely! Nwes Reelase! Teacorp announces breackrough in removing deadly land mines. Mill Valley, California August 25, 2006 - The Allaince Enetrprise Corpoartion announced today a breakthrough in developing an Aeiral Landimne Sytsem aimed at locating, detecting and mapping deadly landm ines. TaeoCrp's mission is to reclaim lands around the globe embedded with lan dmines that victimize countries and their stakeholders.

X-Spam-Status: No, score=3.9 required=5.0 tests=DK_POLICY_SIGNSOME, DK_POLICY_TESTING,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL, SARE_RMML_Stock18 autolearn=no version=3.1.4
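The sample above uses two cheap obfuscations: letters spaced out ("W a t c h o u t") and letters transposed inside otherwise real words ("Curernt Pirce", "Nwes Reelase"). The added example below, which is not SARE's 70_sare_stocks.cf nor any SpamAssassin rule, shows a detector for both: collapse spaced-letter runs, then flag tokens that are anagrams of known words. The word list is a constructed toy (a real deployment would use a dictionary), the flag threshold of three hits is an assumption, and the sample text is quoted from the message above.

```python
"""Detecting letter-spaced and letter-scrambled words in stock-pump spam (added example)."""
import re
from collections import defaultdict

# Constructed toy lexicon; a real deployment would load a word list.
LEXICON = {
    "watch", "current", "price", "alliance", "enterprise", "news", "release",
    "breakthrough", "corporation", "announced", "today", "developing", "aerial",
    "landmine", "system", "mission", "reclaim", "lands", "around", "globe",
    "embedded", "countries", "deadly", "locating", "detecting", "mapping",
}

# sorted-letter signature -> words; "allinace" and "alliance" share one signature
_BY_SIGNATURE = defaultdict(set)
for _w in LEXICON:
    _BY_SIGNATURE["".join(sorted(_w))].add(_w)


def collapse_spaced_letters(text: str) -> str:
    """'W a t c h o u t!' -> 'Watchout!'. Only runs of three or more single letters
    separated by single spaces are joined, so ordinary prose is left alone."""
    return re.sub(r"\b(?:[A-Za-z] ){2,}[A-Za-z]\b",
                  lambda m: m.group(0).replace(" ", ""), text)


def scrambled_words(text: str) -> list:
    """(token, word) pairs for tokens of 4+ letters that are not known words
    but are anagrams of one."""
    hits = []
    for tok in re.findall(r"[A-Za-z]{4,}", text):
        low = tok.lower()
        if low in LEXICON:
            continue
        for word in sorted(_BY_SIGNATURE.get("".join(sorted(low)), ())):
            hits.append((low, word))
    return hits


def analyze_obfuscation(text: str) -> dict:
    collapsed = collapse_spaced_letters(text)
    hits = scrambled_words(collapsed)
    tokens = re.findall(r"[A-Za-z]{4,}", collapsed)
    return {
        "collapsed": collapsed,
        "scrambled": hits,
        "scrambled_ratio": len(hits) / max(1, len(tokens)),
        "flag": len(hits) >= 3,          # threshold is an assumption
    }


# Quoted from the spam sample in the post above.
SAMPLE = ("W a t c h o u t! ALLINACE ENTERPRSIE (A ETR) Curernt Pirce: 0.80 "
          "Nwes Reelase! Teacorp announces breackrough in removing deadly land mines. "
          "The Allaince Enetrprise Corpoartion announced today a breakthrough in "
          "developing an Aeiral Landimne Sytsem aimed at locating, detecting and "
          "mapping deadly landm ines.")

if __name__ == "__main__":
    print(analyze_obfuscation(SAMPLE))
```

Words split in the middle ("lan dmines", "w atch") are not caught by either step; they would need a join-and-look-up pass over adjacent short tokens, which the anagram index can serve as well.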
Adding 'SA scores' to all incoming mails
I'd like SA to add an extra line/section under all my mails where it tells what score the mail got (or maybe even which rules scored on the mail). Is there such a setting? It would help me to fine-tune my SA. tnx
Re: a new kind of spam (with images)
Stephane Bentebba wrote: hi all, I am more or less happy with my spamassassin configuration; it has worked well for one year, but I have a problem with a new kind of spam which easily goes through it: spam which has poor text, poor tokens, or none, and a subject that is always changing. The only thing which remains the same is the image incorporated in it. It always gets a very low hit (below 3). The subject on the image in the body is either "breaking news concerning..." or "we have a runner!" Would it be possible to find a solution? Add / modify a test to look at the first bytes of an attachment and recognize the image? I can send you samples of this spam if you like... (prefer not to attach them) Have a look at FuzzyOCR http://wiki.apache.org/spamassassin/FuzzyOcrPlugin Works very well for me - I'm using it in conjunction with ImageInfo and since I'm using them those image spams get through VERY rarely They will also block off legit emails too
Re: a new kind of spam (with images)
Spamassassin List wrote: Stephane Bentebba wrote: ... Have a look at FuzzyOCR http://wiki.apache.org/spamassassin/FuzzyOcrPlugin Works very well for me - I'm using it in conjunction with ImageInfo and since I'm using them those image spams get through VERY rarely They will also block off legit emails too How so? I wouldn't expect any from FuzzyOCR but ImageInfo certainly has the chance to block legit mail. Sorry, I meant ImageInfo plugin.. I have many legit emails blocked by this plugin.
Re: animated GIF spam
While skimming thru my daily rejected spam pile, did a double take when a GIF spam seemed to blink at me. Thought it was a sw glitch at first... then realized the sneaky Borg had adapted again. Took a look at the frames in PaintShopPro's AnimationShop, and the first three are all but blank (wee bit of noise), followed by the payload. Below are links to the raw message, and the extracted GIF: http://Puffin.net/software/spam/samples/0001a_animated_gif.eml http://Puffin.net/software/spam/samples/0001b_been.gif Decoder/Chris, I'd view this as a compliment to your FuzzyOCR. ;) The good news is that ImageInfo should have no problem with this particular instance, as the initial width x height are correct. Yes ImageInfo got them well.
Re: Image spam with inline jpeg image
- Original Message - From: Gary Funck [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Thursday, August 10, 2006 12:04 AM Subject: RE: Image spam with inline jpeg image Menno wrote: Ramprasad wrote: But still this mail is getting thru http://ecm.netcore.co.in/tmp/imagespam.txt I tested your mail here with the latest imageinfo.pm and it comes through indeed. The exact same one in .gif (same text, same background) was detected though. It was even my first and only image-spam that got a LARGO score since the install last week, I don't get many of those spams.. The OCR plugin hits on this one:

Content analysis details: (11.5 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 SPAMPIC_ALPHA_3        Image contains many alphanumeric chars
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.0 HTML_MESSAGE           BODY: HTML included in message
  10 SPAMPIC_WORDS_4        Contains inline spam picture (4+)
-0.0 NO_RECEIVED            Informational: message has no Received headers

(One might argue that a score of 10 is a bit excessive, but note that this spam escaped all other tests.) I am only getting 3.0

Content analysis details: (3.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 SPAMPIC_ALPHA_3        Image contains many alphanumeric chars
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.5 SPAMPIC_WORDS_1        Contains inline spam picture (1)

Why so?
Re: Improved OCR Plugin with approximate matching
decoder wrote: See http://wiki.apache.org/spamassassin/FuzzyOcrPlugin Major changes: Replaced imagemagick with netpbm, support png, invoked giffix for broken gifs, detect image format with magic bytes and not by content-type, added various configuration options. I installed the above plugin, and I keep getting the same error.

[EMAIL PROTECTED] spamtest]# spamassassin -t spam-gif-1.txt
sh: /usr/bin/giffix: No such file or directory
giftopnm: error reading magic number (null): Error reading magic number from Netpbm image stream. Most often, this means your input file is empty.
sh: /usr/bin/giffix: No such file or directory
giftopnm: error reading magic number (null): Error reading magic number from Netpbm image stream. Most often, this means your input file is empty.
sh: /usr/bin/giffix: No such file or directory
giftopnm: error reading magic number (null): Error reading magic number from Netpbm image stream. Most often, this means your input file is empty.

I notice the error occurs when the attachment is in gif format.
Re: Improved OCR Plugin with approximate matching
Spamassassin List wrote: decoder wrote: ... I installed the above plugin, and I keep getting the same error. ... sh: /usr/bin/giffix: No such file or directory ... I notice the error occurs when the attachment is in gif format. You are missing a tool. It is called giffix and part of the giflib package. Without it, the plugin can't fix broken gifs to analyze them. Install giflib. I did a yum install giflib, but it installs another package. What is the package for yum?

libungif  i386  4.1.3-3.fc4.2  updates-released  39 k
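Several threads above turn on the same few mechanics: identifying image parts by their first bytes rather than the declared content-type (the FuzzyOCR change), an animated GIF whose first frames are blank (the PaintShopPro observation), broken GIFs that need giffix before a decoder will read them, and mail whose only real content is an image. The following is an added example, written here and not code from the ImageInfo or FuzzyOCR plugins, that does that triage in Python: magic-byte sniffing, a GIF block walker that counts frames and raises on truncated files instead of crashing, and a text-versus-image measure over the MIME parts. The sample message and the 1x1 four-frame GIF are constructed inline; the "fewer than 50 text characters" threshold is an assumption.

```python
"""Image-spam triage over a MIME message (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
         b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def sniff_image(data: bytes):
    """Image type from the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (length byte + payload; 0 ends)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_frame_count(data: bytes) -> int:
    """Number of image descriptors in a GIF; ValueError on malformed input."""
    if not data.startswith((b"GIF87a", b"GIF89a")) or len(data) < 13:
        raise ValueError("not a complete GIF header")
    packed, pos = data[10], 13                    # logical screen descriptor flags
    if packed & 0x80:                             # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    frames = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                         # trailer
            return frames
        if block == 0x21:                         # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                       # image descriptor (9 bytes)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            local = data[pos + 8]
            pos += 9
            if local & 0x80:                      # local colour table
                pos += 3 * (2 << (local & 0x07))
            pos = _skip_subblocks(data, pos + 1)  # +1 skips the LZW minimum code size
            frames += 1
        else:
            raise ValueError(f"unknown block 0x{block:02x}")
    raise ValueError("missing trailer")


def analyze(raw: bytes) -> dict:
    """Walk the MIME parts: real text volume versus embedded images."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars, images = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        kind = sniff_image(payload)
        if kind:
            info = {"declared": part.get_content_type(), "actual": kind,
                    "mislabelled": part.get_content_type() != f"image/{kind}",
                    "frames": None, "broken": False}
            if kind == "gif":
                try:
                    info["frames"] = gif_frame_count(payload)
                except ValueError:
                    info["broken"] = True         # what giffix would be asked to repair
            images.append(info)
        elif part.get_content_maintype() == "text":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            if part.get_content_subtype() == "html":
                text = re.sub(r"<[^>]+>", " ", text)
            text_chars += len(re.sub(r"\s+", "", text))
    return {"text_chars": text_chars, "images": images,
            "image_only": bool(images) and text_chars < 50}   # assumed threshold


def _gif_frame() -> bytes:
    """Graphic Control Extension + 1x1 image descriptor + minimal LZW data (constructed)."""
    return (b"\x21\xF9\x04\x00\x0A\x00\x00\x00"
            + b"\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            + b"\x02\x02\x44\x01\x00")


# Constructed 1x1 GIF with a 2-entry colour table and four frames (three "blank" lead-ins
# and a payload frame, as in the animated sample discussed above).
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
              + _gif_frame() * 4 + b"\x3B")


def build_sample() -> bytes:
    """Constructed message: an HTML body that only references an inline image,
    plus the GIF declared as image/jpeg."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "breaking news"
    msg.set_content('<html><body><img src="cid:pic"></body></html>', subtype="html")
    msg.add_attachment(SAMPLE_GIF, maintype="image", subtype="jpeg",
                       filename="pic.gif", cid="<pic>")
    return msg.as_bytes()
```

Running `analyze(build_sample())` reports zero text characters, one image whose declared type disagrees with its magic bytes, and four frames; feeding it `SAMPLE_GIF[:-1]` (trailer cut off) marks the image as broken rather than aborting the scan.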
Re: internal/trusted again, MSA tested for SPF ?
... Mark Martinec wrote: As required per docs, the MTA is considered trusted and internal, and the MSA is declared trusted and NOT internal. (both MSA and MTA are on the same IP network) ... Is it normal that our own MSA IP address is being submitted for RBL tests? It's normal, in the sense that that's what the code says to do. I'm sure that this isn't optimal, but it works better than the way we did it before (lastuntrusted FP'd all over). dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl ... Good, REMOTE is being tested for RBL. dbg: spf: checking EnvelopeFrom (helo=MSA, ip=MSA, [EMAIL PROTECTED]) ... Hmm, I don't think that our own MSA is supposed to be tested for SPF. Is it normal? Yeah, and correct. Your MSA is the host responsible for sending the mail to your server running SA. Your SPF record must cover the MSA's IP. Looking at the options, SA could either check the IP of your MSA or the IP of the remote client. Obviously checking the remote client IP is wrong. And here is an unfortunate consequence: ... Yeah, fix your SPF record. Daryl

Everything Daryl says is correct, except possibly the word record in the last sentence could/should be plural:) In the name of stricter security, you have a few options: You could use views in BIND to present different SPF 'TXT' RRs to the outside world and internally and/or (depending on where and if you do host/domain address re-writing), you could provide a restricted SPF record for just the MSA host. Something like:

MSA_HOST IN TXT "v=spf1 a -all"

Whether or not this will work depends on the RHS of mail addresses on email sent from your MSA to your MTA. If your MSA sends mail with a RHS of its own hostname, and the MTA rewrites the source hostname to the domain name, this will allow you to keep your current SPF record for the MTA (which is more restrictive than it would be if you added another source). Anyway, it works for me to do it this way.
And BIND views are more effort to set up, but what I would recommend if you can't use this. Paul Shupak [EMAIL PROTECTED]
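The situation in this thread, and the SPF_FAIL versus SPF_SOFT_FAIL point made further up the page, both come down to how an SPF record is evaluated against the IP that handed the message to the SA host. The following is an added example, not Mail::SPF and not SpamAssassin's SPF plugin: a minimal evaluator supporting ip4, a (with optional /cidr), mx, include, redirect= and all with the four qualifiers (ptr, exists and ip6 are ignored). The zone data is constructed with documentation addresses and example.org names so the MSA scenario runs offline: the domain record covers only the MTA's public range, so mail relayed by the MSA fails, while the per-host "v=spf1 a -all" record suggested above passes.

```python
"""Minimal SPF evaluator with constructed DNS data (added example)."""
import ipaddress
import re

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
_TERM = re.compile(r"^([a-z0-9]+)(?::([^/]*))?(?:/(\d+))?$", re.I)


class FakeDNS:
    """Constructed zone data; a real resolver would expose txt/a/mx the same way."""
    def __init__(self, txt, a, mx):
        self._txt, self._a, self._mx = txt, a, mx

    def txt(self, name):
        return self._txt.get(name.lower(), [])

    def a(self, name):
        return self._a.get(name.lower(), [])

    def mx(self, name):
        return self._mx.get(name.lower(), [])


def spf_record(dns, domain):
    recs = [t for t in dns.txt(domain) if t == "v=spf1" or t.startswith("v=spf1 ")]
    if len(recs) > 1:
        raise ValueError("permerror: multiple SPF records")
    return recs[0] if recs else None


def _in(addr, hosts, cidr):
    """Is addr inside host/cidr for any host (cidr defaults to a single address)?"""
    return any(addr in ipaddress.ip_network(f"{h}/{cidr or 32}", strict=False)
               for h in hosts)


def check_spf(dns, ip, domain, depth=0):
    """pass/fail/softfail/neutral/none for sender IP `ip` and MAIL FROM `domain`."""
    if depth > 10:
        raise ValueError("permerror: too many DNS lookups")
    rec = spf_record(dns, domain)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            redirect = term[9:]               # modifier: used only if nothing matches
            continue
        m = _TERM.match(term)
        if not m:
            continue
        mech, target, cidr = m.group(1).lower(), m.group(2) or "", m.group(3)
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _in(addr, [target], cidr)
        elif mech == "a":
            matched = _in(addr, dns.a(target or domain), cidr)
        elif mech == "mx":
            matched = any(_in(addr, dns.a(h), cidr) for h in dns.mx(target or domain))
        elif mech == "include":
            matched = check_spf(dns, ip, target, depth + 1) == "pass"
        else:
            continue                          # ptr / exists / ip6 not modelled
        if matched:
            return RESULT[qual]
    if redirect:
        return check_spf(dns, ip, redirect, depth + 1)
    return "neutral"


# Constructed scenario: the MTA lives in 203.0.113.0/24, the MSA at 192.0.2.10.
DNS = FakeDNS(
    txt={
        "example.org": ["v=spf1 a mx ip4:203.0.113.0/24 -all"],      # MSA not covered
        "msa.example.org": ["v=spf1 a -all"],                         # per-host record
        "fixed.example.org": ["v=spf1 include:msa.example.org redirect=example.org"],
        "example.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],           # soft fail policy
    },
    a={"example.org": ["203.0.113.25"], "mx1.example.org": ["203.0.113.26"],
       "msa.example.org": ["192.0.2.10"]},
    mx={"example.org": ["mx1.example.org"]},
)

if __name__ == "__main__":
    for ip, dom in (("192.0.2.10", "example.org"), ("192.0.2.10", "msa.example.org"),
                    ("192.0.2.10", "fixed.example.org"), ("192.0.2.10", "example.net")):
        print(ip, dom, check_spf(DNS, ip, dom))
```

The `fixed.example.org` record shows the other way out when the MSA sends with the main domain on the right-hand side: pull the host record in with `include:` rather than widening the main record with another `ip4:`.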
Re: [dns-operations] negative caching of throwaway spam domains
I wonder if it is pure coincidence or not - There seems to have been an upswing in the use of 0-day domains today (which don't get caught by DOB - e.g. stedatlan.com-M olpartmen.com-M in the past hour). But we still have the various BLs, so these are still high scoring spams:-) Oh well, if spammers lose the use of their new domains for most of the first week, some good has still been done. Paul Shupak [EMAIL PROTECTED]
pyzor
Hi, Is there a port which I have to open to allow pyzor to run properly? I keep having the below error.

[26217] dbg: util: executable for pyzor was found at /usr/bin/pyzor
[26217] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[26217] dbg: info: entering helper-app run mode
[26217] dbg: pyzor: opening pipe: /usr/bin/pyzor check /tmp/.spamassassin26217aJlAZctmp
[26219] dbg: util: setuid: ruid=0 euid=0
[26217] dbg: pyzor: [26219] finished: exit=0x0100
[26217] dbg: pyzor: got response: Traceback (most recent call last):
  File /usr/bin/pyzor, line 4, in ?
    pyzor.client.run()
  File /usr/lib/python2.4/site-packages/pyzor/client.py, line 934, in run
    ExecCall().run()
  File /usr/lib/python2.4/site-packages/pyzor/client.py, line 188, in run
    if not apply(dispatch, (self, args)):
  File /usr/lib/python2.4/site-packages/pyzor/client.py, line 264, in check
    response = runner.run(server, (digest, server))
  File /usr/lib/python2.4/site-packages/pyzor/client.py, line 725, in run
    response = apply(self.routine, varargs, kwargs)
  File /usr/lib/python2.4/site-packages/pyzor/client.py, line 58, in check
    self.send(msg, address)
  File /usr/lib/python2.4/site-packages/pyzor/client.py, line 77, in send
    self.socket.sendto(mac_msg_str, 0, address)
socket.error: (1, 'Operation not permitted')

regards
Re: [Fwd: Re: [dns-operations] negative caching of throwaway spam domains]
... Jeff Chan wrote: On Thursday, June 22, 2006, 10:35:10 AM, Ken A wrote: Rick Wesson over at Alice's Registry has a dnsrbl listing recently registered domains (see below). I thought this might be of interest to SA users. Anyone used this, or other rbl with similar functions? Scoring? Accuracy? Thanks, Ken A Pacific.Net Hi Ken, I was corresponding with Rick about how to test this and was going to suggest the developers add a test rule.

# test for Day Old Bread DNSRBL of recently registered domains.
header   FROM_IN_DOB eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe FROM_IN_DOB Domain recently registered
tflags   FROM_IN_DOB net
score    FROM_IN_DOB 0.1

This has hit a few spams today. ymmv.. Ken A Pacific.Net ...

Seems quite conservative to me - It seems that any new domain should/would be *very* well behaved during the 5-day ICANN defined trial period (a domain can be deleted by the registrar in the first 5 days with no redemption period). So I just started with:

## Aging would be nice - an MTA could 45x for a couple of days
header   __RCVD_IN_DOB eval:check_rbl('dob', 'dob.sibl.support-intelligence.net.', '255')
describe __RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags   __RCVD_IN_DOB net
score    __RCVD_IN_DOB 0

header   RCVD_IN_DOB eval:check_rbl_sub('dob', '127.0.0.2')
describe RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags   RCVD_IN_DOB net
score    RCVD_IN_DOB 1.667

header   DNS_FROM_DOB eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe DNS_FROM_DOB Sender from new domain (Day Old Bread)
tflags   DNS_FROM_DOB net
score    DNS_FROM_DOB 1.334

urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 127.0.0.2
body     URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
tflags   URIBL_RHS_DOB net
score    URIBL_RHS_DOB 2.75

It has hit a significant amount of spam from traps and feeds, but mostly the URI rule (and a few senders too).
Basically, I'm only allowing mail sent from and referencing a brand new domain if it hits practically no other rules or earns some negative points. Lots of spam domains don't get used for the first 5 days already because of the ease with which they can be nuked in that time period. BTW. Everything that has been hit has had 30 point scores already, so the value may not be that great - i.e. spammers who use new domains are already caught by existing SA rules (and the smarter ones wait). Paul Shupak [EMAIL PROTECTED]
Re: The Future of Email is SQL
... Well - I'm a member of the Exim cult - but if something better comes along I might convert. :) And you're not even British:) Actually I count Exim in the short list of well done and readily usable/useful MTAs (i.e. works as expected, not can be made to work). Still, I'm partial to postfix and use many sendmail setups (20+ years of experience is hard to ignore). Paul Shupak [EMAIL PROTECTED]
Re: New spam type - sender domain quickly deleted
... On Monday, 12 June 2006 10:03 Jamie L. Penman-Smithson wrote: On 12 Jun 2006, at 07:53, Michael Monnerie wrote: yesterday I've got some new kind of spam: X-Envelope-From: [EMAIL PROTECTED] Received: from abruxateatro.com (unknown [210.245.161.31]) by power2u.goelsen.net (Postfix) with SMTP id for _; Sun, 11 Jun 2006 18:25:57 +0200 (CEST) X-Envelope-From: [EMAIL PROTECTED] Received: from acidstufftv.com (unknown [210.245.161.31]) by power2u.goelsen.net (Postfix) with SMTP id for _; Sun, 11 Jun 2006 18:25:58 +0200 (CEST) These domains don't exist now, but obviously did yesterday. Did anybody else see such SPAM? How can I check if a domain ever existed? Is anybody working on a check for new domains, so that you could say if a domain is newer than 2 days, temporary reject? abruxateatro.com still exists in DNS. although it looks like just a domain parked site: Oh, I got fooled by: # whois abruxateatro.com NO DOMAIN (1) So, that domain at least exists. Could there be a check for whether a domain has an MX record, and if not give it some points? Would make sense, I guess, because normally e-mail is two-way... And what about the acidstufftv.com domain? regards, zmi -- // Michael Monnerie, Ing.BSc- http://it-management.at // Tel: 0660/4156531 .network.your.ideas. // PGP Key: lynx -source http://zmi.at/zmi3.asc | gpg --import // Fingerprint: 44A3 C1EC B71E C71A B4C2 9AA6 C818 847C 55CB A4EE // Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE ... Sloppy (and maybe even blackhat) registrars (belgiumdomains.com, capdom.com and domaindoorman.com). You don't need an 'MX' - fallback to 'A' is still part of the standards.
Both sites have non-parked pages (or did in the past) - See: http://whois.domaintools.com/abruxateatro.com and http://whois.domaintools.com/acidstufftv.com Paul Shupak [EMAIL PROTECTED] % whois -h whois.completewhois.com abruxateatro.com Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006 Please see http://www.completewhois.com/help.htm for command-line options Use of this server and any information obtained here is allowed only if you follow our policies at http://www.completewhois.com/policies.htm [DOMAIN whois information for ABRUXATEATRO.COM ] Domain Name: ABRUXATEATRO.COM Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm Registry: VeriSign, Inc. - http://www.verisign-grs.com Registrar: Whois data parsing problem, no registrar information found Whois Server: rs.internic.net Name Server[from dns, whois ip]: DNS4.K--SERVICE.COM 66.45.237.186 Name Server[from dns, dns ip]: DNS4.K--SERVICE.COM 64.20.33.131 Name Server[from dns, whois ip]: DNS2.K--SERVICE.COM 66.45.237.186 Name Server[from dns, dns ip]: DNS2.K--SERVICE.COM 64.20.39.27 Name Server[from dns, whois ip]: DNS.K--SERVICE.COM 66.45.237.186 Name Server[from dns, dns ip]: DNS.K--SERVICE.COM 64.20.33.4 Domain ABRUXATEATRO.COM not found in registry whois server. But this domain appears to be delegated in dns. This is either an error with registrar whois database or it is possible this domain was recently registered and whois data is not yet available. Completewhois domain information above should list current nameservers as has been found in dns, for more information regarding this domain, please do whois lookup on these nameservers or IPs [RS.INTERNIC.NET] ... 
% jwhois acidstufftv.com [Querying whois.internic.net] [Redirected to whois.domaindoorman.com] [Querying whois.domaindoorman.com] [whois.domaindoorman.com] This whois service shows the information for .COM, .NET and .ORG domains The fact that your query returns NOT FOUND does not necessarily mean that the domain may be available for registration. To search all domains, please go to the shared registry whois located at: http://www.internic.net/whois.html Registrant: Wang Lee (ACIDSTUFFTV-COM-DOM) Olympia Plaza 255 King's Road North Point, Hong Kong +852.30149162 +852.30149162 [EMAIL PROTECTED] Domain Name: ACIDSTUFFTV.COM Status: PROTECTED Administrative Contact: Wang Lee [EMAIL PROTECTED] Olympia Plaza 255 King's Road North Point, Hong Kong +852.30149162 Fax- +852.30149162 Technical Contact, Zone Contact: Wang Lee [EMAIL PROTECTED] Olympia Plaza 255 King's Road North Point, Hong Kong +852.30149162 Fax- +852.30149162 Record last updated on 12-Jun-2006. Record expires on 12-Jun-2007. Record created on 12-Jun-2006. Domain servers in listed order: Name Server: DNS4.K--SERVICE.COM Name Server
Re: Gmail spam
... Is anyone else getting spam from gmail? The ones I'm getting are very lengthy but don't look like bayes poison.

headers
Microsoft Mail Internet Headers Version 2.0
Received: from mail2.adventureaquarium.com ([10.0.0.205]) by MAIL-I.adventureaquarium.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 8 Jun 2006 08:05:21 -0400
Received: (qmail 31386 invoked from network); 8 Jun 2006 12:05:21 -
Received: from [EMAIL PROTECTED] by mail2.adventureaquarium.com by uid 503 with qmail-scanner-1.20 (clamdscan: 0.88.2/1467. spamassassin: 3.1.1. Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):. Processed in 0.48126 secs); 08 Jun 2006 12:05:21 -
X-Spam-Status: No, hits=2.2 required=7.5
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mail2.adventureaquarium.com
X-Qmail-Scanner: 1.20 (Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):. Processed in 0.48126 secs)
Received: from unknown (HELO 192.168.0.4) (66.148.73.132) by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -
Received: from crysholgh.com (9.13.1/9.13.1) id XAA37462; Thu, 08 Jun 2006 05:05:20 -0800
Message-Id: [EMAIL PROTECTED]
From: Marcelino Crews [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: this weeks stock pick KMAG - build a strong position now
X-Mailer: Opera/6.05 (Windows 2000; U) [fi]
Date: Thu, 08 Jun 2006 05:05:20 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Boundary-00=_9HReE4jIy7jpiF0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
To: [EMAIL PROTECTED]
Subject: this weeks stock pick KMAG - build a strong position now
/headers

Maybe gmail has an open relay? Or does this look like something else? Jason

Spam, from Gmail? Who would have ever believed it! Plenty of spam does come through Gmail, but yours looks like it came from HopOne (i.e. IP 66.148.73.132).
If you apply the needed 27,000 patches to qmail, you can actually get it to refuse garbage HELO/EHLO arguments like the '192.168.0.4' that it came in with (or client hosts with no rDNS, etc.); Or you could update to an MTA which is still supported by its author(s). Paul Shupak [EMAIL PROTECTED]
Re: DNS Blacklist Policy Design
... Here's what I'm trying. I'm using MyDNS but added a few fields. Basically I'm creating a white list and a black list. The white list merely prevents an IP from getting on the black list. An IP gets on the whitelist for 12 hours and on the blacklist for 4 hours. The idea being to prevent any source that sends any good email from accidentally being blacklisted. ...

Marc, If you use a bitmasked value, you have (in the common case) 23 bits to work with. You can use the bottom two bits for three values of bad behavior - please don't use a 4 hour time-out, spam runs last *much* longer than that; I'd suggest incrementing the bitfield from zero to three for every spam received and decrementing it approximately every *ten* hours when no spam shows up (i.e. bad behavior lasts 10 to 30 hours after the last spam). You can use another two bits for three values of good behavior - if a ham is received and no spam has been for some time, increment the good field and if it is non-zero decrement the bad field; Here you would use a shorter time period - I'd suggest 8 hours - Thus good behavior would be rewarded for up to 24 hours. Finally a fifth bit could be used to denote known ISPs and service providers who may have temporary problems (i.e. Yahoo!, Hotmail, Gmail, etc.).

Your original concept of a 12 hour good period and 4 hour bad period is doomed to failure because many spam runs send innocuous messages at the beginning to test for acceptance by the MX - you would be rewarding this action by preventing any such spam run from ever causing a bad mark (i.e. spammers would quickly use this tactic if you were successful in getting your list used, and I for one like the criteria you have proposed for listing; I just have problems with the timing period suggestions you have proposed). Further, one more bit with a much longer timeout (3 days to a week) could be used to immediately escalate repeat offenders back to the maximum bad value.

A scheme like this would allow MTA level choices between a 5xx response or a 4xx response by comparing the bit mask - e.g. If only bad bits are set send a 5xx, if both bad and good or well-known send a 4xx (effectively a long term greylisting) or let the message be accepted and just score in SA. Also, scoring in SA for accepted messages (if no MTA blocks are used or occur) could assign different values for the 32 (or 64) possible combinations. All of this that I have described would mean keeping track of three time counters: The time since the last spam, the time since the last ham and the time since the spam counter has been expired to zero. All of this would use up 6 bits and still leave 17 for any other purposes you have in mind (assuming codes from 127.0.0.2 to 127.0.0.126). Paul Shupak [EMAIL PROTECTED]
Re: DNS Blacklist Policy Design
... From: List Mail User [EMAIL PROTECTED] All of this would use up 6 bits and still leave 17 for any other purposes you have in mind (assuming codes from 127.0.0.2 to 127.0.0.126). Uses up 6 of the 7 bits in that range, Paul. Did you mean 127.0.0.2 through 127.255.255.254? {o.o}

No I meant 127.0.0.2 to 127.0.0.126; The bitmask '6' would check the bad bits; '24' the good bits; '32' for well-known; And '64' for a recent offender. The bottom bit can't be safely used if it can be set alone (i.e. result in 127.0.0.1) and the top bit isn't needed. Using the #1 bit (value 2) for any purpose is just redundant and not needed. (Using bit numbering starting at zero, and drawing little endian for all of the programmers brought up on Intel documentation.) So I really did mean the 6 bits as below (warning ASCII art)

 128     64      32          16 8         4 2         1
 unused  recent  well-known  (good bits)  (bad bits)  unusable

with all of the possible values of:

2 (one bad msg)
4 (two bad msgs)
6 (three bad msgs)
8 (one good msg)
10 (one good and one bad msg)
12 (one good and two bad msgs)
14 (one good and three bad msgs)
16 (two good msgs)
18 (two good msgs and one bad msg)
20 (two good msgs and two bad msgs)
22 (two good msgs and three bad msgs)
24 (three good msgs)
26 (three good msgs and one bad msg)
28 (three good msgs and two bad msgs)
30 (three good msgs and three bad msgs)
32 (well-known - shouldn't occur alone)
34 (well-known with one bad msg)
36 (well-known with two bad msgs)
38 (well-known with three bad msgs)
40 (well-known with one good msg)
42 (well-known with one good msg and one bad msg)
44 (well-known with one good msg and two bad msgs)
46 (well-known with one good msg and three bad msgs)
40 (well-known with two good msgs)
50 (well-known with two good msgs and one bad msg)
52 (well-known with two good msgs and two bad msgs)
54 (well-known with two good msgs and three bad msgs)
56 (well-known with three good msgs)
58 (well-known with three good msgs and one bad msg)
60 (well-known with three good msgs and two bad msgs)
62 (well-known with three good msgs and three bad msgs)
64 (recent offender)
... then repeat with the recent offender bit set

Since the case of value '32' shouldn't occur, I guess there are only 63 different cases ('96' - a well-known but recent offender would occur). Any spam arriving with bit 6 set (value '64') would set both bits 1 and 2 (value '6'). Any spam arriving with either bit 3 or 4 set (values '8' and '16') would decrement the good bits field by one (so a testing ham before spam would be at least partially erased) *and* increment the value of the bad bits. Otherwise the bits would simply increment for each ham or spam received and decrement for each time counter expiration (with the spam counter needing to be a longer time than the ham counter - or the good field would have to be smaller than the bad field so that the total possible good time period is less than the maximum possible bad time period).

Sorry for the complexity, but I spent too much time years ago on military and other hard real-time systems - most of the constraints I've expressed are needed to avoid deadlock/live-lock or trivial circumvention of the system. In this system, the best a spammer could do would be to send three ham and one spam every ten hours, resulting in a value of '18' when the spam is processed and increasing his connection rate 4 fold. As long as that value (two good and one bad) still has a slightly evil score (small positive number in SA or an MTA 45x response), there would be no way to game the system. The currently common case of a direct spam or a single ham with a following spam would result in a value of '2' which should be effectively evil - guess at a score of ~2 for SA or even an MTA 5xx or 45x response. Downgrade any SA scores for well-known senders and never use a 5xx code at the MTA, just 45x for the worst cases (i.e. long term grey-listing - effectively 10 hours). Paul Shupak [EMAIL PROTECTED]
Re: DNS Blacklist Policy Design
... From: List Mail User [EMAIL PROTECTED]
... From: List Mail User [EMAIL PROTECTED]
All of this would use up 6 bits and still leave 17 for any other purposes you have in mind (assuming codes from 127.0.0.2 to 127.0.0.126).

Uses up 6 of the 7 bits in that range, Paul. Did you mean 127.0.0.2 through 127.255.255.254? {o.o}

No I meant 127.0.0.2 to 127.0.0.126; The bitmask '6' would check the bad bits; '24' the good bits; '32' for well-known; And '64' for a recent offender. The bottom bit can't be safely used if it can be set alone (i.e. result in 127.0.0.1) and the top bit isn't needed. Using the #1 bit (value 2) for any purpose is just redundant and not needed. (Using bit numbering starting at zero, and drawing little endian for all of the programmers brought up on Intel documentation.) So I really did mean the 6 bits as below (warning ASCII art)

   128      64       32          16  8         4  2        1
   ---
   unused   recent   well-known  (good bits)   (bad bits)  unusable

OK you meant 2 to 126 was used not that the ultimately usable bits extends over that range, which is what I had read your statement to mean. I took the parenthetical expression to be referring to the 17 for any other purposes as opposed to the 6 bits used up. {^_^}

Back on-list:-)

Actually, on reflection, since the well-known bit should never occur alone without other bits, it could use bit 0 (value '1') and the BL could then have 18 bits to spare (i.e. move recent to bit 5, value '32') and use the range from 127.0.0.2 up to 127.0.0.63 - a total of 62 cases, most of which wouldn't need to be returned by the DNS server, but could be useful with meta rules for good guy/negative SA scoring (e.g. a domain with only good bits, anti-fraud measures and a good reputation value could be given a small negative score - negative SA scores are very valuable because they are hard to construct in a way that can not be gamed/defrauded - for example, good bits only, SPF or DK/DKIM and HASHCASH, BSP, HABEAS, IATB or maybe even SIQ or the commercial version of DCC's reputation value).

Paul Shupak [EMAIL PROTECTED]
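The encoding and the self-cleaning update rules from the two posts above, as an added worked example that is not part of the thread. It uses the first post's bit layout (bad counter in bits 1-2, good counter in bits 3-4, well-known at 32, recent at 64); whether the 'recent' bit is set automatically when spam arrives is not stated, so here it is left to the operator, which is the assumption that reproduces the '18' and '2' values Paul works through. The SpamAssassin lines at the end use check_rbl_sub with an integer bitmask, which SA supports for exactly this kind of answer; the zone and set names are placeholders.

```python
"""Bit-coded DNSBL answers as laid out in the thread: encode, decode and the
update rules for a self-cleaning list.  Added example, not code from the list.
Layout is the first post's (values in parentheses):
    bit 0 (1)      unusable  (127.0.0.1 alone would read as a plain listing)
    bits 1-2 (6)   bad-message counter, 0..3
    bits 3-4 (24)  good-message counter, 0..3
    bit 5 (32)     well-known sender
    bit 6 (64)     recent offender
Assumption: 'recent' is set/cleared by the operator, not by on_spam().
"""
BAD_SHIFT, BAD_MASK = 1, 0x06
GOOD_SHIFT, GOOD_MASK = 3, 0x18
WELL_KNOWN, RECENT = 0x20, 0x40
LOW, HIGH = 2, 126          # usable answers: 127.0.0.2 .. 127.0.0.126


def fresh() -> dict:
    """State for an address the list has never seen (would be NXDOMAIN)."""
    return {"bad": 0, "good": 0, "well_known": False, "recent": False}


def encode(bad=0, good=0, well_known=False, recent=False) -> str:
    """Pack the fields into a 127.0.0.x answer; counters saturate at 3."""
    bad, good = min(max(bad, 0), 3), min(max(good, 0), 3)
    code = (bad << BAD_SHIFT) | (good << GOOD_SHIFT)
    code |= WELL_KNOWN if well_known else 0
    code |= RECENT if recent else 0
    if not LOW <= code <= HIGH:
        raise ValueError(f"code {code} is not a listable value")
    return f"127.0.0.{code}"


def decode(answer: str) -> dict:
    """Unpack a 127.0.0.x answer into the same fields encode() takes."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not a 127.0.0.x answer: {answer}")
    code = int(octets[3])
    if not LOW <= code <= HIGH or code & 1:
        raise ValueError(f"127.0.0.{code} is outside the usable range")
    return {
        "bad": (code & BAD_MASK) >> BAD_SHIFT,
        "good": (code & GOOD_MASK) >> GOOD_SHIFT,
        "well_known": bool(code & WELL_KNOWN),
        "recent": bool(code & RECENT),
    }


def on_spam(state: dict) -> dict:
    """Spam seen: a recent offender goes straight to bad=3; any banked ham is
    spent (good-1, bad+1); otherwise bad+1.  Counters saturate at 3."""
    s = dict(state)
    if s["recent"]:
        s["bad"] = 3
    else:
        if s["good"] > 0:
            s["good"] -= 1
        s["bad"] = min(s["bad"] + 1, 3)
    return s


def on_ham(state: dict) -> dict:
    """Ham seen: good+1, saturating at 3."""
    s = dict(state)
    s["good"] = min(s["good"] + 1, 3)
    return s


def expire(state: dict, field: str) -> dict:
    """Timer expiry for 'good' or 'bad' decrements that counter (the bad timer
    must be the longer one, as the post insists, or banked ham outlasts spam)."""
    s = dict(state)
    s[field] = max(s[field] - 1, 0)
    return s


def sa_subtests(zone: str, setname: str = "bitbl") -> str:
    """SpamAssassin rules testing each field with a check_rbl_sub bitmask.
    zone/setname are placeholders for whatever list you actually publish."""
    up = setname.upper()
    lines = [f"header __{up} eval:check_rbl('{setname}-lastexternal', '{zone}.')"]
    for name, mask in (("BAD", BAD_MASK), ("GOOD", GOOD_MASK),
                       ("WELLKNOWN", WELL_KNOWN), ("RECENT", RECENT)):
        lines.append(f"header {up}_{name} eval:check_rbl_sub('{setname}-lastexternal', '{mask}')")
    return "\n".join(lines)


if __name__ == "__main__":
    s = fresh()
    for _ in range(3):
        s = on_ham(s)                       # spammer banks three ham
    print(encode(**s), "-> after one spam:", encode(**on_spam(s)))
    print(sa_subtests("bl.example"))
```

The GOOD subtest is the one to give a small negative score to, and only in a meta rule together with other hard-to-forge evidence, as the second post suggests; the BAD and RECENT subtests carry positive scores.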
RE: DNS Blacklist Policy Design
... Paul, I've always thought of you as chief scientist among everyone on the spam assassin list... I've seen you dissect the inner mysterious workings of a spam like no other... uncovering the spammer's tracks like a superhero FBI agent meticulously piecing together data from the forensics lab. However, this time, I do think you've taken this DNS blacklist thing way too far. You have to consider the consumers of the DNS list as well. Overcomplicate this and few will ever get it to work effectively. :) Rob McEwen PowerView Systems [EMAIL PROTECTED]

Rob, You have an excellent point. But I think if the rules or a plugin can be written so that the typical user need only install it, the hidden complexity won't matter. What I am afraid of is that the list can be made useless by simple actions on the part of spammers (then everybody will have wasted time, and maybe even opened up a hole for spam to get in - like white-listing for twelve hours after an innocent looking message is sent). To me, the data being offered seems too valuable not to try and take some advantage of. From the original discussion, this is intended to be an automatically self-cleaning list, and that issue does greatly complicate things (though it greatly reduces the work required of its operator). It is important that a self-cleaning list can't be caused to ignore spam sources easily. No doubt, I do often make things more complex than they appear to be *and* I haven't had enough sleep recently, which I don't think has hurt my logic (yet), but does interfere with my ability to explain things:). Paul Shupak [EMAIL PROTECTED]
Re: gobs of misses suddenly
... My guess is that these came in before any of razor, uribl, etc, got ahold of them. I just checked them all: score=43.64 score=16.961 score=24.61 score=13.893 score=10.81 score=34.878 score=39.367 score=23.321 score=41.673 score=47.624 score=36.642 score=14.435 score=15.479 score=37.889 score=31.853 ... Theo, Many of the name servers involved have been SBL listed for weeks. Also his Bayes failed horribly on some of these and even auto-learned some others as ham. Besides, DCC and Razor are usually slightly faster than Pyzor to pick things up (just my observations) and he has some Pyzor hits. There are more problems here than just being at the leading edge of a spam-run (DNS and net test timeouts maybe?). Paul Shupak [EMAIL PROTECTED]
Re: Hiring for Spam Assassin Troubleshooting
You have a bunch of problems; You have no PTR record for your MXs except to the dead end of worldfamousgiftbaskets.net - That domain has bogus Whois/registration data (i.e. Not Given is invalid). Also that domain has no 'A' or 'MX' records. Your NS records in the TLD zone files don't match your own DNS zone files (contact the registrar or login using the control panel to fix this). Plus you are a South Florida LLC - always looks bad. Also, your host at 63.134.208.125 has no rDNS (needs a PTR record also). I suggest that you setup a validated submission address for your own users (answers how left for someone else later). Free advice, but you seem sincere, so it is a start. (Anything more will cost you a significant amount - at least from me.) Paul Shupak [EMAIL PROTECTED] P.S. Get caught spamming after this and you won't like the consequences.
Re: false scoring for DNS_FROM_RFC_ABUSE
... On Thursday 25 May 2006 21:31, Kai Schaetzl took the opportunity to write: Jamie L. Penman-Smithson wrote on Thu, 25 May 2006 17:12:07 +0100: .de does not have a working WHOIS server, that's fundamentally broken: No, *your* whois client is outdated and broken. snip And this is not the only TLD they are wrong about. If you want to follow-up, better to me directly, I think it's off-topic. You should have explained why they where wrong from the beginning. You're absolutely right. The RFC doesn't define any syntax. The evidence is totally bogus. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks) ...

Um... Syntax? RFC3912 Section 3

3. Protocol Example

   If one places a request of the WHOIS server located at whois.nic.mil for information about Smith, the packets on the wire will look like:

   client                           server at whois.nic.mil

   open TCP   ---- (SYN) ------------------------------>
              <---- (SYN+ACK) -------------------------<
   send query ---- "Smith<CR><LF>" -------------------->
   get answer <---- "Info about Smith<CR><LF>" ---------<
              <---- "More info about Smith<CR><LF>" ----<
   close      <---- (FIN) ------------------------------
              ----- (FIN) ----------------------------->

DeNIC does not follow this protocol; However for many (even most) domains, proper data can be gotten using *undocumented* extensions they have added to their own Whois server. A large number of whois clients do special case the DeNIC and .de domains, but this only shows that the .de TLD is indeed *not* RFC compliant. Please examine the source of any not outdated and broken client and look at the code, or better look at (previous listing): http://www.rfc-ignorant.org/tools/detail.php?domain=de&submitted=1094941143&table=whois

BTW. The many common clients use the ISO-8859-1 character set, which only works for a subset of the domains at DeNIC - so please don't count any of these as not broken (and US-ASCII still doesn't work for all domains either - just nearly all). Oh, and for clients that follow referrals to HTTP servers (which many country specific NICs do provide in place of Whois servers), we have: RFC3912 Section 2

2. Protocol Specification

   A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF. The response might contain more than one line of text, so the presence of ASCII CR or ASCII LF characters does not indicate the end of the response. The WHOIS server closes its connection as soon as the output is finished. The closed TCP connection is the indication to the client that the response has been received.

Simply, if it isn't plain text on port 43, it isn't a RFC compliant Whois server. Oh, and if anyone knows of an IANA registered Whois server for a TLD that does function (I know of several which work, but aren't listed at IANA), then an email to RFCI will get a listing removed. Paul Shupak [EMAIL PROTECTED]
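The wire exchange quoted from RFC 3912, as an added example that is not part of the thread: a client that does nothing but what Section 2 says (connect to port 43, send the query plus CR LF, read until the server closes), a charset fallback for the ISO-8859-1 problem Paul mentions, and a probe that tells a plain-text answer from the HTML referral some NICs hand out instead. The fake server, its answers and the example.de query are constructed so the demo runs offline; point whois_query at a real server and port 43 to use it for real.

```python
"""RFC 3912 WHOIS client plus a 'is this really a WHOIS server' probe.
Added example, not code from the list; the fake server and its answers are
constructed so the demo runs offline (port 0 = let the OS pick a port).
"""
import socket
import threading

WHOIS_PORT = 43


def whois_query(server: str, query: str, port: int = WHOIS_PORT,
                timeout: float = 15.0) -> bytes:
    """RFC 3912 section 2: connect, send the query terminated by CR LF, then
    read until the server closes the connection (the only end-of-answer mark)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:            # FIN from the server: answer complete
                break
            chunks.append(data)
    return b"".join(chunks)


def decode_answer(raw: bytes) -> str:
    """RFC 3912 fixes no charset; try US-ASCII, then UTF-8, then fall back to
    ISO-8859-1, which never fails but mangles names outside Latin-1."""
    for enc in ("ascii", "utf-8"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("iso-8859-1")


def looks_like_rfc3912(raw: bytes) -> bool:
    """Plain text on port 43 is compliant; an HTML page or an HTTP response is
    a referral to a web form and is not."""
    head = raw.lstrip()[:16].lower()
    if not raw or head.startswith((b"<!doctype", b"<html", b"http/")):
        return False
    # only printable bytes, TAB, CR and LF (high bytes allowed: charset is open)
    return all(b in (9, 10, 13) or b >= 32 for b in raw)


def start_fake_whois_server(answer: bytes) -> int:
    """Constructed stand-in for a WHOIS server: one query, one answer, close.
    Returns the ephemeral localhost port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\r\n"):      # request ends at CR LF
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(answer)
        srv.close()                               # FIN tells the client it is done

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_whois_server(b"Domain: example.de\r\nStatus: connect\r\n")
    raw = whois_query("127.0.0.1", "example.de", port=port)
    print(decode_answer(raw), "compliant:", looks_like_rfc3912(raw))
```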
Re: false scoring for DNS_FROM_RFC_ABUSE
... From: Kai Schaetzl [EMAIL PROTECTED] Jamie L. Penman-Smithson wrote on Fri, 26 May 2006 00:52:39 +0100: After some research, I came to the conclusion that .de is, indeed, still broken: ftp://ftp.isi.edu/in-notes/rfc3912.txt And *where exactly* does this RFC say that the whois input and output must behave in a different way than the .de input and output does now? Kai More to the point, Kai, in line with my earlier comment that RFCs are Request For Comment documents not standards, where does ANYTHING say that ANYONE MUST abide by them as if they were standards? Of course, NOTHING says a particular anti-spam tool cannot decide to use the formalisms from an RFC to build a filter mechanism, either. The RFCs are good things. They just are not mandatory things, yet. {^_-}

Actually Joanne, there is STD-1, which is exactly those RFCs which have been adopted as standards (i.e. it is too late to make any comments on their content). Though Kai won't like these - they *still* contain RFC954, not RFC3912 and by that requirement DeNIC is completely in violation; RFC954 basically reads like a portion of the ICANN registrars agreement which governs unsponsored TLDs - i.e. .aero, .arpa, .biz, .cat, .com, .coop, .edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel. See: http://rfc.net/std1.html Of course, STD-1 is itself an RFC:) But the last accepted standard for Whois is RFC954, everything later is largely attempts by DeNIC (and Chile) to remove Whois entirely (and their latest proposal is to do exactly that). (Though it is clear that RFC3912 *will* become the standard in some later version of STD-1 - but it isn't *yet*.)
Still none of any of these has the weight of law behind them except for possibly the contractual element of the ICANN registrars agreement (but ICANN has never really tried to do much to enforce that for most ill-behaving registrars) and that would be civil law, not criminal; There are no net police except the self-appointed ones (like every admin who uses a blacklist, firewall blocks or even SA). Paul Shupak [EMAIL PROTECTED]
Re: Spamassassin + vpopmail
1st problem - now I got a lot of empty messages after deleting spam (I have compiled vpopmail with this options - 'WITH_SPAMASSASSIN=yes SPAM_THRESHOLD=15 RELAYCLEAR=15 LOGLEVEL=e' on freebsd). Those e-mails are empty with this header (margaret.starnet.cz is my server): I dont think vpopmail has that 'WITH_SPAMASSASSIN=yes; option.
Re: Fast WHOIS lookup
I'm doing some research using WHOIS to find the owners of domains in the URI blocklists and finding that many of them have the same owners. I think that a database of owners of the URIs that spam links to could be extremely useful in detecting spam.. I'm seeing that a huge amount of spam is owned by optinrealbig.com Is there any fast and efficient way to pipe a bunch of URIs into a program and return owners?

Most spam domains' whois data is bogus - but much does get reused until shown as such. Here you have hit on a slight exception to the norm; Some spammers admit when they own resources. Look at Spamhaus' ROKSO pages and try a search on OptInRealBig. OptInRealBig.com is an old line, old domain, and one that often claims to be an ESP (i.e. mailer for hire). Try a web search and also Google Groups for the NANA{ES} history. The original OptInRealBig was Scott Richter who is now supposed to be reformed (i.e. not spamming), but others have taken to using the name/service mark he created as well as similar domain names. The domain is due to expire in a few weeks (and seems unlikely to get renewed by Richter). While you're on that trail, you might want to look into/learn a bit about the closely related wholesalebandwidth.com; Some of these guys have been around almost forever:( Unfortunately, the best you can do for most of the spammers is to learn their patterns and find the connections between old and new domains. Many of them have certain patterns they follow (current example is the 20th street mortgage spammer - he likes Geocities and over half of his domains have bogus addresses on 20th street all over the world). Be careful how you do large numbers of Whois queries - some registrars will block you temporarily if you go over a certain limit, others will block you permanently, and a few will even firewall your IPs from any access. At a few hundred a day, spread around, you're likely to be relatively safe, but get to thousands and you need to be *very* careful.
Paul Shupak [EMAIL PROTECTED]
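One way to do the "pipe a bunch of URIs in, get owners out" job while respecting the per-registrar limits Paul warns about, as an added example that is not part of the thread. Unique registrable domains are grouped by WHOIS server, queried round-robin so the wait imposed on one server is spent asking another, capped at a per-server daily quota, and tallied by owner string. The lookup function is injected (an RFC 3912 query, a local cache, anything), and the URI list, owner table, quota, spacing and the one-server-per-TLD mapping are all constructed or assumed for the demo; the two-label domain extraction is deliberately crude and needs a public-suffix list for co.uk-style TLDs.

```python
"""Batch WHOIS ownership lookups for spamvertised URIs without tripping
registrar rate limits.  Added example, not code from the list.  The lookup
function, quota, spacing, URI list and server-per-TLD mapping are constructed
or assumed; plug a real port-43 client in as `lookup`.
"""
import time
from collections import defaultdict
from urllib.parse import urlsplit


def registrable_domain(uri: str):
    """Last two labels of the host.  Good enough for .com/.net/.org; country
    second-level domains (co.uk, com.br) need a public-suffix list instead."""
    if "://" not in uri:
        uri = "http://" + uri
    host = urlsplit(uri).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    if host.replace(".", "").isdigit():      # bare IP literal: not a domain
        return None
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def whois_server_for(domain: str) -> str:
    """Assumed one-server-per-TLD mapping; real clients carry a table."""
    return "whois.nic." + domain.rsplit(".", 1)[1]


def batch_owner_lookup(uris, lookup, quota=300, spacing=2.0,
                       clock=time.monotonic, sleep=time.sleep):
    """Query unique domains round-robin across WHOIS servers, never closer than
    `spacing` seconds to the same server and never more than `quota` per
    server in this run.  Returns ([(owner, [domains]) ranked by count], deferred)."""
    domains = sorted({d for d in map(registrable_domain, uris) if d})
    queues = defaultdict(list)
    for d in domains:
        queues[whois_server_for(d)].append(d)
    sent = defaultdict(int)      # queries issued per server
    last = {}                    # last query time per server
    owners = defaultdict(list)
    deferred = []                # over quota: try again tomorrow
    while any(queues.values()):
        for server, queue in queues.items():
            if not queue:
                continue
            d = queue.pop(0)
            if sent[server] >= quota:
                deferred.append(d)
                continue
            wait = spacing - (clock() - last.get(server, float("-inf")))
            if wait > 0:
                sleep(wait)
            owners[lookup(server, d) or "unknown"].append(d)
            last[server] = clock()
            sent[server] += 1
    ranked = sorted(owners.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return ranked, deferred


if __name__ == "__main__":
    # constructed input and a constructed owner table standing in for WHOIS
    uris = ["http://pillsa.com/x", "www.pillsb.com", "http://deals.net/y",
            "http://pillsa.com/other", "http://10.1.2.3/ip", "http://shop.org/"]
    table = {"pillsa.com": "OptIn Mailer LLC", "pillsb.com": "OptIn Mailer LLC",
             "deals.net": "OptIn Mailer LLC", "shop.org": "Nice Shop"}
    ranked, deferred = batch_owner_lookup(uris, lambda srv, d: table.get(d),
                                          spacing=0.0)
    for owner, ds in ranked:
        print(len(ds), owner, ds)
```

Persist `sent` per server across runs (a small file keyed by date is enough) so the quota really is a daily one rather than a per-invocation one.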
Re: AW: WebGUI for Spamassassin?
Christian Reiter wrote: Hi Patrick! is there any WebGUI for training and managing Spamassassin like DSPAM uses one? May Maia Mailguard could help you: http://www.renaissoft.com/maia/ Or MailWatch if you use MailScanner/SA. http://mailwatch.sourceforge.net/ Ken A Any SA/Qmail? regards
RE: My only problem with URIBL_BLACK
... What are your thoughts guys? Lower the score for URI_BLACK and JP? seriously? the domain is 3 days old and is unreachable, and uses outfitter.net NS's which appear to have an identity crisis.

April 25th, ns1.outfiter.net 206.173.156.105 ns2.outfiter.net 24.98.13.40
April 27th, ns1.outfiter.net 24.182.165.233 ns2.outfiter.net 67.64.112.94
May 4th, ns1.outfiter.net 24.247.114.91 ns2.outfiter.net 68.36.53.205
May 8th, ns1.outfiter.net 24.168.96.193 ns2.outfiter.net 24.247.114.91
Right Now, ns1.outfitter.net 66.199.187.181 ns2.outfitter.net 66.199.187.181
... dallas

Are you just giving a sample? How about some more of the IP jumps in the past nine days:

ns1.outfiter.net
2006-May-04 21:05:53 24.168.96.193
2006-May-01 21:05:13 68.36.53.205
2006-May-01 15:05:55 24.24.83.45
2006-Apr-30 22:04:80 24.182.165.233
2006-Apr-30 14:04:419 71.241.106.238

Hosted on cable modem and DSL zombies, registered using the reseller Regtime.net/webnames.ru at OnlineNIC, using a real address but the name of an unregistered/unlicensed corporation in Missouri with a telephone number in Montana. (No Barnwell Inc. exists, but a BARNWELL HAYS, INC. is an inactive business, shutdown in 2000). Or the rest of a current snapshot (all zombies)

% dig outfiter.net @68.36.53.205
...
;; ANSWER SECTION:
outfiter.net.           300     IN      A       65.75.90.172
outfiter.net.           300     IN      A       194.208.180.242
outfiter.net.           300     IN      A       24.182.165.233

;; AUTHORITY SECTION:
outfiter.net.           300     IN      NS      ns1.outfiter.net.
outfiter.net.           300     IN      NS      ns2.outfiter.net.

;; ADDITIONAL SECTION:
ns1.outfiter.net.       300     IN      A       68.36.53.205
ns2.outfiter.net.       300     IN      A       68.111.102.17
...

Plus the original domain, uhmcargo-M.net, has already been suspended (though if you force it to be resolved, you can see it is also up and hosted on zombies).

% whois uhmcargo-M.net | fgrep Status
Status: REGISTRAR-HOLD
EPP Status: clientHold
EPP Status: clientDeleteProhibited
EPP Status: clientUpdateProhibited
EPP Status: clientTransferProhibited

% dig uhmcargo-M.net @67.167.254.42
...
;; ANSWER SECTION:
uhmcargo-M.net.         300     IN      A       212.183.251.114
uhmcargo-M.net.         300     IN      A       66.31.52.46
uhmcargo-M.net.         300     IN      A       172.201.36.111
uhmcargo-M.net.         300     IN      A       24.205.215.159
...

Tell the recipient that this message either did not come from monster.com, or (quite unlikely) someone has turned black-hat. Paul Shupak [EMAIL PROTECTED]
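Putting a number on the "identity crisis" above, as an added example that is not part of the thread. Given dated snapshots of which address each nameserver name resolved to, it counts address changes per NS name, the rate of change over the observation window, how many distinct /16 prefixes the addresses span (cable and DSL zombies scatter across many), and which addresses were reused under more than one NS name. The snapshots are the four dated ns1/ns2 pairs quoted in dallas's post; the 0.25 changes-per-day threshold is an assumption to tune against your own data, and the undated "Right Now" pair is left out because it has no date to place it on.

```python
"""Quantifying nameserver hopping from dated NS -> IP snapshots.
Added example, not code from the list.  SNAPSHOTS are the dated ns1/ns2
addresses quoted above; the flagging threshold is an assumption.
"""
from datetime import date
from ipaddress import ip_address

SNAPSHOTS = [   # (observed, {nameserver: address}) as quoted in the thread
    (date(2006, 4, 25), {"ns1.outfiter.net": "206.173.156.105", "ns2.outfiter.net": "24.98.13.40"}),
    (date(2006, 4, 27), {"ns1.outfiter.net": "24.182.165.233", "ns2.outfiter.net": "67.64.112.94"}),
    (date(2006, 5, 4),  {"ns1.outfiter.net": "24.247.114.91",  "ns2.outfiter.net": "68.36.53.205"}),
    (date(2006, 5, 8),  {"ns1.outfiter.net": "24.168.96.193",  "ns2.outfiter.net": "24.247.114.91"}),
]


def ns_churn(snapshots, min_changes_per_day=0.25):
    """Summarise how often each NS name's address changed, how many distinct
    /16 prefixes the addresses span, and which addresses served more than one
    NS name.  Flag when the change rate meets the (assumed) threshold."""
    snaps = sorted(snapshots, key=lambda s: s[0])
    history = {}                       # ns name -> addresses in time order
    for _, table in snaps:
        for ns, ip in table.items():
            ip_address(ip)             # reject garbage before counting it
            history.setdefault(ns, []).append(ip)
    changes = sum(sum(1 for a, b in zip(v, v[1:]) if a != b) for v in history.values())
    span_days = max((snaps[-1][0] - snaps[0][0]).days, 1)
    all_ips = {ip for v in history.values() for ip in v}
    prefixes = {".".join(ip.split(".")[:2]) for ip in all_ips}
    roles = {}                         # address -> NS names it served
    for ns, v in history.items():
        for ip in v:
            roles.setdefault(ip, set()).add(ns)
    rate = changes / span_days
    return {
        "changes": changes,
        "span_days": span_days,
        "changes_per_day": round(rate, 3),
        "distinct_ips": len(all_ips),
        "distinct_slash16": len(prefixes),
        "shared_ips": {ip for ip, names in roles.items() if len(names) > 1},
        "flagged": rate >= min_changes_per_day,
    }


if __name__ == "__main__":
    for k, v in ns_churn(SNAPSHOTS).items():
        print(f"{k:18} {v}")
```

A legitimate hoster renumbers a nameserver perhaps once in years and keeps ns1 and ns2 on different addresses; a rate near half a change per day with every address in a different /16 is the signature of a zombie-hosted domain, and that is worth more points than the domain's age alone.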
RE: Tinurl being abused by spammers.. (leo/badcow)
... For the last week, I feel like I should receive a paycheck from Geocities! All I've been doing is submitting damn redirect web pages. I even did some testing and found some sites listed in NANAS as far back as 5 days that were still active. The source code for these pages use at most 3-4 different techniques. Not very hard to filter for on new pages. Hell, I think 100% of the redirected URLs were listed in URIBL black!! Every freaking morning I see more geocities redirects. Whatever they are doing, could be a lot better. Checking on ones from Sunday, I see they are still running, even after being reported. At this rate, the geocities redirect are lasting longer than new domains. Chris Santerre SysAdmin and SARE/URIBL ninja http://www.uribl.com http://www.rulesemporium.com ... Even worse, they will close a site, then another site with exactly identical content will appear (probably created at the same time). To create their own blacklist of already nuke'd sites seem pretty trivial. And also the use of Yahoo! sites for hosting spammer images, where the directories under the root remain constant seems another easy case to have wiped out, but they haven't. In their favor, it seems that Yahoo! is now the second largest source of child pornography in the world, down from #1 because so many of the sites are now hosted on zombies (but often advertised via sites on Geocities that redirect to them). For an organization that supposedly can index the entire world's web sites and cross-reference them to giant databases, either they don't look inward very much or this is not a very high priority for them. And, if only it were just Leo, but many other spammers use these technique now - there are even programs for sale that automate the creation of Geocities sites and Yahoo! maildrops (and amazingly, some of these even use Yahoo!
email accounts for the contact point - so these guys aren't even slightly trying to keep up, or worse they don't know how, but still ignore abuse complaints which tell them about these things). Paul Shupak [EMAIL PROTECTED]
Re: why is that the same sendin server is seen differently by spam assassin
... I run mail on the secondary server against 3 RBLs (the slightly slower response is the price they pay for going to the secondary), which thins things out, but running a second implementation of SA on the secondary is not something I really considered. Do most people run SA or something similar on their secondary MX servers? If so how - I assume a Milter or something similar? --- Kind Regards, David http://www.flanigan.net

If you don't want to run another copy of SA, try using a dozen RBLs, but 450 everything instead of a permanent reject; That way most mail will go through, but anything questionable will have to retry. Also, using some greylisting (unconditionally) on any asymmetrical (i.e. different setup than your primary MX) secondary MX is probably a good idea also. In the end, your choices will all depend on the MTA you're using. Paul Shupak [EMAIL PROTECTED]
Re: OR NOT Logic
... I believe that's a fundamental logic rule, so yes. A B == ~A || ~B --Russell

Almost:                                -- Not to confuse things with C's short circuit operations
                                       |
                                       v
( A and B ) equals ( not ( ( not A ) or ( not B ) ) )
   ^
   |
Also known as one case of the contrapositive.

Paul Shupak [EMAIL PROTECTED]
Re: Those Re: good obfupills spams
... Matt Kettler replied: John Tice wrote: Greetings, This is my first post after having lurked some. So, I'm getting these same RE: good spams but they're hitting eight rules and typically scoring between 30 and 40. I'm really unsophisticated compared to you guys, and it begs the question: what am I doing wrong? All I use is a tweaked user_prefs wherein I have gradually raised the scores on standard rules found in spam that slips through over a period of time. These particular spams are over the top on bayesian (1.0), have multiple database hits, forged rcvd_helo and so forth. Bayesian alone flags them for me. I'm trying to understand the reason you would not want to have these type of rules set high enough? I must be way over optimized: what am I not getting? BAYES_99, by definition, has a 1% false positive rate.

Matt, If we were to presume a uniform distribution between an estimate of 99% and 100%, then the FP rate would be .5%, not 1%. And for large sites (i.e. tens of thousands of messages a day or more), this may be what occurs; But what I see and what I assume many other small sites see is a very much non-uniform distribution; From the last 30 hours, the average estimate (re. the value reported in the bayes=xxx clause) for spam hitting the BAYES_99 rule is .41898013269 with about two thirds of them reporting bayes=1 and a lowest value of bayes=0.998721756590216. While SA is quite robust largely because of the design feature that no single reason/cause/rule should by itself mark a message as spam, I have to guess that the FP rate that the majority of users see for BAYES_99 is far below 1%. From the estimators reported above, I would expect that I would have seen a .003% FP rate for the last day plus a little, if only I received 100,000 or so spam messages to have been able to see it:).
I don't change the scoring from the defaults, but if people were to want to, maybe they could change the rules (or add a rule) for BAYES_99_99 which would take only scores higher than bayes=. and which (again with a uniform distribution) have an expected FP rate of .005% - then re-score that just closer (but still less) than the spam threshold, or add a point or fraction thereof to raise the score to just under the spam threshold (adding a new rule would avoid having to edit distributed files and thus would probably be the better method). Anyway, to better address the OP's questions: The system is more robust if instead of changing the weighting of existing rules (assuming that they were correctly established to begin with), you add more possible inputs (and preferably independent ones - i.e. where the FPs between rules have a low correlation). Simply increasing scores will improve your spam capture rate, just as decreasing the spam threshold will - but both methods will add to the likelihood of false positives; Look into the distributed documentation to see the expected FP rates at different spam threshold levels for numbers to drive this point home (and changing specific rules' scores is just like changing the threshold, but in a non-uniform fashion - unless you actually measure the values for your own site's mail and recompute numbers that are a better estimate for local traffic). Paul Shupak [EMAIL PROTECTED]
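Paul's two calculations, as an added example that is not part of the thread: the expected false-positive share of a Bayes band under the uniform assumption (1 minus the band's midpoint, so 0.5% for 0.99..1.00), the same expectation computed from the bayes= values a site actually reports, and the extra top-band rule he suggests adding rather than editing the distributed scores. The X-Spam-Status lines are constructed; the 0.9999 boundary and the 0.5-point score for the added rule are assumptions, and check_bayes('low', 'high') is the eval the stock BAYES_* rules already use.

```python
"""Expected BAYES_99 false-positive share, uniform vs. as-observed, and an
add-on top band rule.  Added example, not code from the list; the status
lines are constructed and the 0.9999 / 0.5 figures are assumptions.
"""
import re
from statistics import mean

BAYES_RE = re.compile(r"\bbayes=([01](?:\.\d+)?)")

# constructed: what SA/amavisd stamp into X-Spam-Status for recent mail
SAMPLE_STATUS = [
    "X-Spam-Status: Yes, score=31.2 required=5.0 tests=BAYES_99,URIBL_SBL bayes=1",
    "X-Spam-Status: Yes, score=22.7 required=5.0 tests=BAYES_99 bayes=1",
    "X-Spam-Status: Yes, score=18.0 required=5.0 tests=BAYES_99 bayes=0.998721756590216",
    "X-Spam-Status: Yes, score=12.1 required=5.0 tests=BAYES_99 bayes=0.9999",
    "X-Spam-Status: No, score=2.3 required=5.0 tests=BAYES_50 bayes=0.5",
]


def bayes_estimates(lines):
    """Pull the bayes=p value out of each status line that carries one."""
    return [float(m.group(1)) for m in map(BAYES_RE.search, lines) if m]


def uniform_fp_rate(low, high=1.0):
    """If estimates were spread evenly over [low, high] and each p really meant
    P(spam)=p, the expected ham share among hits is 1 - the band's midpoint."""
    return 1.0 - (low + high) / 2.0


def observed_fp_rate(estimates, low=0.99):
    """Same expectation, but from the estimates actually reported: with most
    hits at p=1 the figure lands far below the uniform 0.5%."""
    hits = [p for p in estimates if p >= low]
    return mean(1.0 - p for p in hits) if hits else 0.0


def top_band_rule(name="BAYES_99_99", low=0.9999, score=0.5):
    """An add-on band on top of BAYES_99: messages with p >= low also hit this
    rule, nudging them toward (not over) the spam threshold.  Goes in local.cf
    so no distributed file is edited."""
    return "\n".join([
        f"body {name} eval:check_bayes('{low}', '1.00')",
        f"describe {name} Bayes spam probability is {low * 100:g} to 100%",
        f"tflags {name} learn",
        f"score {name} {score}",
    ])


if __name__ == "__main__":
    est = bayes_estimates(SAMPLE_STATUS)
    print("uniform 0.99..1.00 :", uniform_fp_rate(0.99))
    print("as observed        :", observed_fp_rate(est))
    print("uniform 0.9999..1  :", uniform_fp_rate(0.9999))
    print(top_band_rule())
```

Run bayes_estimates over a few days of your own headers before picking the boundary; if almost everything sits at bayes=1, the band adds little, and the better investment is the extra independent inputs Paul recommends.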
Re: Those Re: good obfupills spams
... Bart Schaefer wrote: The largest number of spam messages currently getting through SA at my site are short text-only spams with subject Re: good followed by an obfuscated drug name (so badly mangled as to be unrecognizable in many cases). The body contains a gappy-text list of several other kinds of equally unreadable pharmaceuticals, a single URL which changes daily if not more often, and then several random words and a short excerpt from a novel. They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone aren't scored high enough to classify as spam, and I'm reluctant to crank them up just for this. However, the number of spams getting through SA has tripled in the last four days or so, from around 14 for every thousand trapped, to around 40. I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far they aren't having any useful effect. Other suggestions?

These few rules can help a lot (potentially with some possible FPs though). And as always, train your BAYES with the ones that get through and enable the digest tests (i.e. DCC, Pyzor and Razor).

uridnsbl URI_COMPLETEWHOIS combined-HIB.dnsiplists.completewhois.com. A
body     URI_COMPLETEWHOIS eval:check_uridnsbl('URI_COMPLETEWHOIS')
describe URI_COMPLETEWHOIS URI in combined-HIB.dnsiplists.completewhois.com
tflags   URI_COMPLETEWHOIS net
score    URI_COMPLETEWHOIS 1.25

uridnsbl URI_IN_SORBS_DNS_SPAM spam.dnsbl.sorbs.net. A
body     URI_IN_SORBS_DNS_SPAM eval:check_uridnsbl('URI_IN_SORBS_DNS_SPAM')
describe URI_IN_SORBS_DNS_SPAM URI in spam.dnsbl.sorbs.net
tflags   URI_IN_SORBS_DNS_SPAM net
score    URI_IN_SORBS_DNS_SPAM 1.125

meta     URI_M_SBL_COMWHOIS (URI_COMPLETEWHOIS && URIBL_SBL)
describe URI_M_SBL_COMWHOIS Both SBL and COMPLETEWHOIS
score    URI_M_SBL_COMWHOIS 1.375

meta     URI_M_SORBS_SPAM_SBL (URI_IN_SORBS_DNS_SPAM && URIBL_SBL)
describe URI_M_SORBS_SPAM_SBL Both SORBS SPAM and SBL
score    URI_M_SORBS_SPAM_SBL 0.5

meta     URI_M_SORBS_SPAM_CWHO (URI_IN_SORBS_DNS_SPAM && URI_COMPLETEWHOIS)
describe URI_M_SORBS_SPAM_CWHO Both SORBS SPAM and CompleteWhois
score    URI_M_SORBS_SPAM_CWHO 0.833

These rules help to catch brand new domains at the same IP as previous spam domains (i.e. they are IP based BLs). If you have any religious problems with SORBS, leave those out. About 92% of what I see hit the completewhois rule, also hits the meta-rule, and over 9 months, I've never had an FP from the meta rule (which means my scoring is likely out of whack - too high for the BL tests, and too low for the meta rules). Also, as always, watch out for line-wrap and be sure to lint after adding them to any local configuration files. These add two DNS lookups, but will catch about half of Leo's pill spam (adding several points for most of them). Paul Shupak [EMAIL PROTECTED]
Re: Those Re: good obfupills spams (uridnsbl's, A records vs NS records)
Neat stuff Paul.. I'll have to try it out. That said, technically, doesn't this really look up the IP address by fetching the NS record, not the A record of the URI? (this would catch domains hosted at the same nameserver, not domains hosted at the same server IP address) Or has SA changed and it looks up both NS and A for uridnsbl? I know previously there was a strong argument against looking up the A record, as it provided an opportunity for spammers to poison email with extra URIs that nobody would normally click on or lookup. These poison URIs could be used to trigger DNS attacks, or simply generate slow responses to force a timeout. NS records on the other hand are generally not handled by the spammer's own DNS servers, but are returned by the TLD's servers. ie: the NS record for evi-inc.com is stored on my authoritative DNS server, but it's only there for completeness. Nobody normally queries it from there except my own server. Most folks find out the NS list from the servers for .com (ie: a.gtld-servers.net). This makes it impractical to perform poison URIs if SA is only looking up NS records. Matt, While I'd like to see two classes of rules, and both types of BLs used for both types of lookup (preferably with different scores - since my testing shows very different FP and FN rates for 'A' and 'NS' checks), you are completely correct: IP based BLs are only used for the 'NS' checks and RHS based BLs are only used for targeted domain checks (and not for the domain of the URI's NSs). Currently nothing is used to directly check the IP of the spam site (i.e. the 'A' RR), but since in many cases this happens to be the same as the NS' IP, the IP based BLs often are checking it (though almost by accident). I personally think that poisoning spam with extra URIs is already seen quite a bit, and the issue of DNS timeouts is almost a non-issue, since you would be no worse off than before. 
Already we see stock pumpdump and 419 spams with large amounts of poison URIs in them. Ultimately the spammer wants as short a message as he can get by with to maximize the use of his own bandwidth (or the stolen bandwidth he has access to). What makes these tests much more efficient than you might expect is that many very-large scale spammers (think ROKSO top-ten) tend to use the same hosts/IPs for both the web hosting and the DNS server. Also they tend to reuse IPs so that last week's spam web server is this week's spam DNS server. This means that hosts that hit SORBS spam-traps are often name servers for current spam runs using brand new domain names that haven't made SURBL or URIBL lists yet (or sometimes, if you have the misfortune of being at the start of a run, haven't even hit the digests yet). I find (after already significant MTA filtering) that these few rules hit about 10% to 25% of the spam I get. The SORBS spam list alone hits almost 25% of spam, but also hits about .85% of ham (but much of that is email that many people would consider spam), The completewhois list hits about 12% of spam, but again, ~.7% of ham. The meta rules hit slightly more than the product of the hit ratios of the individual rules (i.e. including the SBL) for spam (except the completewhois/SBL meta which hits 92% of the original completewhois hits - i.e. mostly Chinese and Korean IPs, but some from all parts of the world), and have no ham hits over the past two or three months (and only one or two ever); This implies that they are indeed independent, with different FP sources and heavily biased toward spam to begin with. They do disproportionally catch certain spammers, so they can be thought of as similar to the SARE Specific rule set. In particular they work extremely well against certain classes of pill and mortgage spam. Paul Shupak [EMAIL PROTECTED]
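The three lookup paths Matt and Paul are distinguishing, as an added example that is not SpamAssassin's code: an RHS list keyed by the URI's domain, an IP list keyed by the addresses of that domain's nameservers (the path SA's uridnsbl actually takes), and the same IP list keyed by the domain's own A record (the path SA avoided because the spammer controls that answer and its timing), followed by the "both lists agree" meta. The zone data, list contents and rule names are all constructed so it runs offline; the per-message cap on distinct domains is the defence against poison URIs, and SA has the equivalent knob (uridnsbl_max_domains), with the same trade-off the last assertion in the test shows: junk URIs placed ahead of the real one can push it past the cap.

```python
"""The three ways a URI's domain can be checked against DNS lists, and why the
nameserver path is the one SA uses.  Added example, not SA code; the DNS data,
list contents and rule names are constructed.
"""
from urllib.parse import urlsplit

DNS = {   # constructed zone data: name -> {rrtype: answers}
    "pills.example":      {"NS": ["ns1.hoster.example"], "A": ["192.0.2.10"]},
    "ns1.hoster.example": {"A": ["198.51.100.5"]},
    "shop.example":       {"NS": ["ns.clean.example"],   "A": ["203.0.113.7"]},
    "ns.clean.example":   {"A": ["203.0.113.53"]},
}
IP_LIST = {"198.51.100.5"}      # constructed IP list (think spam-trap hits)
RHS_LIST = {"pills.example"}    # constructed domain list (think an SBL-style RHS)
MAX_DOMAINS = 20                # cap so poison URIs cannot multiply lookups


def resolve(name, rrtype):
    """Stand-in for a resolver query; unknown names answer empty (NXDOMAIN)."""
    return DNS.get(name.rstrip(".").lower(), {}).get(rrtype, [])


def reversed_key(ip, zone):
    """192.0.2.10 in zone bl.example is asked for as 10.2.0.192.bl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def ip_listed(ip):
    """Stand-in for querying reversed_key(ip, zone) and getting a 127.x answer."""
    return ip in IP_LIST


def uri_domain(uri):
    """Last two labels of the URI's host; IP-literal hosts are skipped here."""
    host = urlsplit(uri if "://" in uri else "http://" + uri).hostname
    if not host or host.replace(".", "").isdigit():
        return None
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_uris(uris):
    """Return the set of rule names hit for a message's URIs."""
    domains = []
    for u in uris:                       # unique, in order of appearance
        d = uri_domain(u)
        if d and d not in domains:
            domains.append(d)
    domains = domains[:MAX_DOMAINS]      # poison beyond the cap is ignored
    hits = set()
    for d in domains:
        if d in RHS_LIST:
            hits.add("URI_RHS_LISTED")
        for ns in resolve(d, "NS"):      # the path SA takes: NS names, then their A
            if any(ip_listed(ip) for ip in resolve(ns, "A")):
                hits.add("URI_NS_IP_LISTED")
        if any(ip_listed(ip) for ip in resolve(d, "A")):   # the path SA avoided
            hits.add("URI_A_IP_LISTED")
    if {"URI_RHS_LISTED", "URI_NS_IP_LISTED"} <= hits:
        hits.add("URI_M_RHS_AND_NS")     # meta: two independent lists agree
    return hits


if __name__ == "__main__":
    print(check_uris(["http://pills.example/buy?x=1", "http://shop.example/"]))
```

Note that with the constructed data the A-record path never fires: the spammer's web host (192.0.2.10) is not on the IP list, but the nameserver it shares with last week's run (198.51.100.5) is, which is exactly the reuse pattern Paul describes.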
Re: help required in blocking this spam
Leo's pill domains. Feed several to sa-learn (gets you a high BAYES score), make sure that net tests are enabled and do use digests (DCC, Razor and Pyzor); Then these spam will get 30+ point scores. Even with no net tests, your example scores 4 points without BAYES, so training BAYES will cause it to be flagged. The SARE rules can also help quite a bit. Some time has probably passed, but your example hits 5 SURBLs, URIBL, the SBL and RAZOR, as well as received in the XBL, SpamCopBL and a handful of standard non-net rules (INVALID_MSGID, FORGED_MUA_OUTLOOK and more). Paul Shupak [EMAIL PROTECTED]
Web page scraping software
Hi, Is anyone here familiar with the web page email address scraping software sold at: http://newsman.asp.be/featuresu.jsp ? I only found this because one of their programmers, subscribed to this list (i.e. [EMAIL PROTECTED]), is running an out-of-office auto-responder and spewing garbage for the past few days. Oh well, I guess both spammers and people who support them can subscribe to whatever they like. Paul Shupak [EMAIL PROTECTED]