Re: Spam troubleshooting

2009-07-23 Thread Matus UHLAR - fantomas
  Can I also ask where the best place is to start with implementing razor
  and/or pyzor in SA3.2 on Linux with postfix?
 
  EHM? implement it on your mailserver...

On 22.07.09 22:38, MySQL Student wrote:
 Heh, no, I mean where can I go to learn how to implement it? Where's
 the docs? :-)

well, install razor, configure SA to load razor plugin ... that's all.

 I think I'm headed towards razor first, as it doesn't require python
 and appears to be simpler and more effective, even?

yes.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: Spam troubleshooting

2009-07-22 Thread MySQL Student
 How effective are razor/pyzor and SPF/DKIM?

 very effective, razor/pyzor together with DCC.

 SPF also helps much, although it should be implemented at the SMTP level,
 refusing all messages that cause a (hard) fail.

 While DKIM is currently in SA, the only place it currently applies is
 whitelisting, since it has scores of +/-0.001. Different scores were
 mentioned here, but not incorporated into SA scores yet.

 I've always been a bit hesitant
 to use any of those.

 Why?

Because how often do spammers have DNS entries with valid SPF or DKIM
information? How often do spammers use compromised hosts with valid
SPF or DKIM information?

Will they help with emails that only contain a random URL and a line
or two of text, like:

ma...@myhost.com: Get your Nursing Degree here
http://spamsite.com/

Or would that be DCC? Often times these types of emails get through,
apparently before the URL is listed in spamcop, SURBL, or URIBL_BLACK?

Can I also ask where the best place is to start with implementing razor
and/or pyzor in SA3.2 on Linux with postfix?

Thanks,
Alex


Re: Spam troubleshooting

2009-07-22 Thread Matus UHLAR - fantomas
  How effective are razor/pyzor and SPF/DKIM?
 
  very effective, razor/pyzor together with DCC.
 
  SPF also helps much, although it should be implemented at the SMTP level,
  refusing all messages that cause a (hard) fail.
 
  While DKIM is currently in SA, the only place it currently applies is
  whitelisting, since it has scores of +/-0.001. Different scores were
  mentioned here, but not incorporated into SA scores yet.
 
  I've always been a bit hesitant
  to use any of those.
 
  Why?

On 22.07.09 04:56, MySQL Student wrote:
 Because how often do spammers have DNS entries with valid SPF or DKIM
 information? How often do spammers use compromised hosts with valid SPF or
 DKIM information?

Both happen; however, you have missed the point of both systems.
They are not here to prevent spam, but to prevent forgery. And they are
quite good at that.

If a spammer signs his own domain with SPF/DKIM, and sends mail from his domain,
nothing happens, we won't negatively score the mail. Only idiots will, and
that's the reason why spammers still try that.

If a spammer sends mail with gmail.com, yahoo.com, or WTF and the SPF/DKIM
check fails, you know that it's apparently forged and therefore it's most
likely spam.

 Will they help with emails that only contain a random URL and a line
 or two of text, like:

Neither SPF nor DKIM care about email content. They only care about the
sender's validity - if the mail is forged, there's no reason to accept it.

 Or would that be DCC? Often times these types of emails get through,
 apparently before the URL is listed in spamcop, SURBL, or URIBL_BLACK?

DCC may catch those, although I haven't tried that yet.

 Can I also ask where the best place is to start with implementing razor
 and/or pyzor in SA3.2 on Linux with postfix?

EHM? implement it on your mailserver...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Spam troubleshooting

2009-07-22 Thread MySQL Student
 Can I also ask where the best place is to start with implementing razor
 and/or pyzor in SA3.2 on Linux with postfix?

 EHM? implement it on your mailserver...

Heh, no, I mean where can I go to learn how to implement it? Where's
the docs? :-)

I think I'm headed towards razor first, as it doesn't require python
and appears to be simpler and more effective, even?

Thanks,
Alex


Re: Spam troubleshooting

2009-07-10 Thread Matus UHLAR - fantomas
 ALL_TRUSTED is a bit odd. If you look back through the debug, it
  has identified untrusted relays:
 
  [11689] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=194.230.33.137
  rdns=mx.xm-rz.net helo=mail.xm-rz.net by=myhost.mydomain.com ident=
  envfrom= intl=0 id=B94C2118004 auth= msa=0 ] [ ip=62.2.104.4 rdns=

On 05.07.09 20:51, MySQL Student wrote:
 Yes, after noticing xm-rz and t-p.com in 'Received:' headers on several of
 these, I've since added a header rule to add points for those relays. Is
 this the proper way to do it?
 
 header LOCAL_RECVD_TP   Received =~ /.\.t-p\.com/
 score  LOCAL_RECVD_TP   3.6
 describe   LOCAL_RECVD_TP   Recvd from botnet

technically correct, but did you report that spam to t-p.com and xm-rz.net
before de facto blacklisting the company? 
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One World. One Web. One Program. - Microsoft promotional advertisement
Ein Volk, ein Reich, ein Fuhrer! - Adolf Hitler


Re: Spam troubleshooting

2009-07-10 Thread Matus UHLAR - fantomas
On 04.07.09 20:50, MySQL Student wrote:
 I am stuck trying to figure out why the attached spam isn't caught properly.
 In fact, BAYES_99 isn't flagged
 and I know it should be, and the total score is 0.0, despite several rules
 being flagged. The LOCAL_BODY_1577053434 and LOCAL_BODY_4046600451 both
 catch the phone numbers and have a 2.01 value.

 [11689] dbg: config: using /home/bcc-user/.spamassassin for user state dir
 [11689] dbg: bayes: no dbs present, cannot tie DB R/O: /home/bcc-user/.spamassassin/bayes_toks
 [11689] dbg: config: score set 1 chosen.
 [11689] dbg: message: main message type: text/plain
 [11689] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x9ce2e88) implements 'check_start', priority 0
 [11689] dbg: bayes: no dbs present, cannot tie DB R/O: /home/bcc-user/.spamassassin/bayes_toks
 [11689] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x9cbdaec) implements 'check_main', priority 0

you don't have a bayes DB, so how do you know it should be flagged?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: Spam troubleshooting

2009-07-10 Thread Matus UHLAR - fantomas
 spamassassin 2>&1 -D --lint
 
  search here for missing perl modules

On 05.07.09 18:57, MySQL Student wrote:
 How effective are razor/pyzor and SPF/DKIM?

very effective, razor/pyzor together with DCC.

SPF also helps much, although it should be implemented at the SMTP level,
refusing all messages that cause a (hard) fail.

While DKIM is currently in SA, the only place it currently applies is
whitelisting, since it has scores of +/-0.001. Different scores were
mentioned here, but not incorporated into SA scores yet.

 I've always been a bit hesitant
 to use any of those.

Why?

 and the spam mail has all_trusted?, you trust a spammer in
  trusted_networks
 
 
 trusted_networks isn't at all defined. It looks like it was previously
 defined with just 127.0.0.1, but it's now commented out. What should it be?
 You are referring to the spamassassin trusted_networks, not postfix, right?

127.0.0.1 is in trusted_networks by default. The mail didn't hit ALL_TRUSTED
in your spamassassin, only in MailCleaner on the sending network. 

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.


Re: Spam troubleshooting

2009-07-06 Thread LuKreme

On 5-Jul-2009, at 18:55, MySQL Student wrote:

   * -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/


What the hell is RECVD_IN_DNSWL_MED and why is it trusted in dnswl.org?


Did you look at the URL?

I put the following in local.cf

score RCVD_IN_DNSWL_LOW -1
score RCVD_IN_DNSWL_MED -2
score RCVD_IN_DNSWL_HI  -3

As I thought the default scores were too low. I am considering going with


score RCVD_IN_DNSWL_LOW -0.1
score RCVD_IN_DNSWL_MED -0.5
score RCVD_IN_DNSWL_HI  -1

But I'm not there yet.

--
hedgerow don't be alarmed now.



Re: Spam troubleshooting

2009-07-06 Thread Benny Pedersen

On Mon, July 6, 2009 14:59, LuKreme wrote:
 On 5-Jul-2009, at 18:55, MySQL Student wrote:
* -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/

 What the hell is RECVD_IN_DNSWL_MED and why is it trusted in
 dnswl.org?

 Did you look at the URL?

 I put the following in local.cf

 score RCVD_IN_DNSWL_LOW -1
 score RCVD_IN_DNSWL_MED -2
 score RCVD_IN_DNSWL_HI  -3

 As I thought the default scores were too low. I am considering going
 with

 score RCVD_IN_DNSWL_LOW -0.1
 score RCVD_IN_DNSWL_MED -0.5
 score RCVD_IN_DNSWL_HI  -1

 But I'm not there yet.

have any of you tried going to the dnswl.org homepage?, even tried to look up the 
ip?, got refused submitting a new ticket?

dnswl is your friend if you use it properly


-- 
xpoint



Re: Spam troubleshooting

2009-07-06 Thread MySQL Student
Hi,

have any of you tried going to the dnswl.org homepage?, even tried to look up
 the ip?, got refused submitting a new ticket?


Yes, I went to the site, but didn't try to resolve either of them because I
knew they were already on the list. They now appear to no longer be on the
list. Now I know to submit a ticket.

Thanks,
Alex


Re: Spam troubleshooting

2009-07-05 Thread Benny Pedersen

On Sun, July 5, 2009 02:50, MySQL Student wrote:

 The X-MailCleaner headers were there when I received the email. I've
 obfuscated our customer's domain for security.

 Any ideas greatly appreciated. Where can I start? Am I doing something wrong
 or is there something in the header that is reducing the score?

sa-update
sa-compile

add rulex2re plugin

spamassassin 2>&1 -D --lint

search here for missing perl modules

and the spam mail has all_trusted?, you trust a spammer in trusted_networks

perldoc Mail::SpamAssassin::Conf

and maybe also check perldocs for the plugins

this mail was quarantined in my setup so i know it works :)

-- 
xpoint



Re: Spam troubleshooting

2009-07-05 Thread MySQL Student
Hi,

spamassassin 2>&1 -D --lint

 search here for missing perl modules


How effective are razor/pyzor and SPF/DKIM? I've always been a bit hesitant
to use any of those.

and the spam mail has all_trusted?, you trust a spammer in
 trusted_networks


trusted_networks isn't at all defined. It looks like it was previously
defined with just 127.0.0.1, but it's now commented out. What should it be?
You are referring to the spamassassin trusted_networks, not postfix, right?

Thanks,
Alex


Re: Spam troubleshooting

2009-07-05 Thread MySQL Student
Hi again,

and the spam mail has all_trusted?, you trust a spammer in
 trusted_networks


I meant to add, how can I determine which IP it was that is being trusted,
anyway?

Thanks again,
Alex


Re: Spam troubleshooting

2009-07-05 Thread Benny Pedersen

On Mon, July 6, 2009 00:57, MySQL Student wrote:

 spamassassin 2>&1 -D --lint
 search here for missing perl modules
 How effective are razor/pyzor and SPF/DKIM? I've always been a bit hesitant
 to use any of those.

well it helps, if used properly, how they work depends on your needs and 
configs

pyzor is digest
razor is digest
ixhash is digest

spf / dkim is dns based, just a little diff in that dkim checks the signed key in 
dns and in the received mail, point is that you can use
this as whitelist_auth whitelist_from_dkim whitelist_from_spf on u...@foo.tld 
you really trust to not send spam

 and the spam mail has all_trusted?, you trust a spammer in
 trusted_networks
 trusted_networks isn't at all defined. It looks like it was previously
 defined with just 127.0.0.1,

localhost is always trusted now, silly, no spammer exists in localhost sa-wise :)

spam exists everywhere, it just depends on what is spam

 but it's now commented out. What should it be?

good question, i have a very minimal set: trusted network to all my wan ip not 
including 127.0.0.1, and all isps i know send me
forwarded email are also added here, this prevents false spf hits

for dkim this makes no change, either it verifies or not

 You are referring to the spamassassin trusted_networks, not postfix, right?

yes, postfix has no trusted_networks, but this sa table can be shared, but i 
can't find a good reason to

-- 
xpoint



Re: Spam troubleshooting

2009-07-05 Thread Benny Pedersen

On Mon, July 6, 2009 01:00, MySQL Student wrote:

 I meant to add, how can I determine which IP it was that is being trusted,
 anyway?

spamassassin 2>&1 -D -t spammsg | grep trusted | less

there you see all trusted ips, are all safe?

grep untrusted as well to see where the other ips are, hopefully the spammer is in 
the untrusted range

-- 
xpoint



Re: Spam troubleshooting

2009-07-05 Thread RW
On Sun, 5 Jul 2009 18:17:21 +0200 (CEST)
Benny Pedersen m...@junc.org wrote:


 and the spam mail has all_trusted?, you trust a spammer in
 trusted_networks


ALL_TRUSTED is a bit odd. If you look back through the debug, it
has identified untrusted relays:

[11689] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=194.230.33.137
rdns=mx.xm-rz.net helo=mail.xm-rz.net by=myhost.mydomain.com ident=
envfrom= intl=0 id=B94C2118004 auth= msa=0 ] [ ip=62.2.104.4 rdns=
helo=spamnix.t-p.com by=mail.xm-rz.net ident= envfrom= intl=0
id=md50001677005.msg auth= msa=0 ] [ ip=62.2.104.116 rdns=
helo=EVRLDVVDU by=spamnix.t-p.com ident= envfrom= intl=0
id=1MN3AL-000337-5f auth= msa=0 ]
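To answer Alex's question about which IP is being trusted, and to check the relay list RW quotes above, here is an added Python example (mine, not from the thread or from SpamAssassin itself). It parses an X-Spam-Relays-* metadata line into one record per hop and walks the hops the way SA's trust path does: trust stops at the first hop outside trusted_networks. The relay line is the one from this thread, rejoined onto one line as a constructed sample; the trusted_networks values are assumptions.

```python
import ipaddress
import re

# Constructed sample: the X-Spam-Relays-Untrusted metadata line quoted in this
# thread, re-joined onto one line as SA emits it (one [ ... ] per hop, nearest
# relay first).
SAMPLE_RELAYS = (
    "[ ip=194.230.33.137 rdns=mx.xm-rz.net helo=mail.xm-rz.net "
    "by=myhost.mydomain.com ident= envfrom= intl=0 id=B94C2118004 auth= msa=0 ] "
    "[ ip=62.2.104.4 rdns= helo=spamnix.t-p.com by=mail.xm-rz.net ident= "
    "envfrom= intl=0 id=md50001677005.msg auth= msa=0 ] "
    "[ ip=62.2.104.116 rdns= helo=EVRLDVVDU by=spamnix.t-p.com ident= "
    "envfrom= intl=0 id=1MN3AL-000337-5f auth= msa=0 ]"
)
HOP_RE = re.compile(r"\[\s*(.*?)\s*\]")

def parse_relays(line):
    """Split a relays line into one dict per hop; empty values stay ''."""
    hops = []
    for body in HOP_RE.findall(line):
        hop = {}
        for token in body.split():
            key, _, value = token.partition("=")
            hop[key] = value
        hops.append(hop)
    return hops

def classify(hops, trusted_networks):
    """Walk hops nearest-first as SA does: a hop stays trusted only while its
    IP is inside trusted_networks and every nearer hop was trusted; the first
    untrusted hop makes everything beyond it untrusted as well."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted, untrusted = [], []
    for hop in hops:
        ip = ipaddress.ip_address(hop["ip"])
        if not untrusted and any(ip in n for n in nets):
            trusted.append(hop)
        else:
            untrusted.append(hop)
    return trusted, untrusted

def all_trusted(hops, trusted_networks):
    """ALL_TRUSTED fires only when no hop lands in the untrusted set."""
    return not classify(hops, trusted_networks)[1]

if __name__ == "__main__":
    # Assumed trusted_networks: loopback only, as in the poster's setup.
    trusted, untrusted = classify(parse_relays(SAMPLE_RELAYS), ["127.0.0.0/8"])
    print("trusted:", [h["ip"] for h in trusted])
    print("untrusted:", [h["ip"] for h in untrusted])
```

With loopback as the only trusted network all three hops end up untrusted, which is why Alex's own SA never fired ALL_TRUSTED; a trusted network that only covers a far hop changes nothing, because trust already stopped at the nearer one.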


Re: Spam troubleshooting

2009-07-05 Thread MySQL Student
Hi,

ALL_TRUSTED is a bit odd. If you look back through the debug, it
 has identified untrusted relays:

 [11689] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=194.230.33.137
 rdns=mx.xm-rz.net helo=mail.xm-rz.net by=myhost.mydomain.com ident=
 envfrom= intl=0 id=B94C2118004 auth= msa=0 ] [ ip=62.2.104.4 rdns=


Yes, after noticing xm-rz and t-p.com in 'Received:' headers on several of
these, I've since added a header rule to add points for those relays. Is
this the proper way to do it?

header LOCAL_RECVD_TP   Received =~ /.\.t-p\.com/
score  LOCAL_RECVD_TP   3.6
describe   LOCAL_RECVD_TP   Recvd from botnet

Thanks,
Alex


Re: Spam troubleshooting

2009-07-05 Thread MySQL Student
Hi again,

I have more information on those untrusted hosts.

ALL_TRUSTED is a bit odd. If you look back through the debug, it
 has identified untrusted relays:

 [11689] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=194.230.33.137
 rdns=mx.xm-rz.net helo=mail.xm-rz.net by=myhost.mydomain.com ident=
 envfrom= intl=0 id=B94C2118004 auth= msa=0 ] [ ip=62.2.104.4 rdns=


Now, for some reason, when I run this spam through SA, I see this:

X-Spam-Report:
* -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
*  medium trust
*  [194.230.33.137 listed in list.dnswl.org]
*  0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
*  3.6 LOCAL_RECVD_TP Recvd from botnet
*  3.6 LOCAL_RECVD_XM Recvd from botnet
*  2.0 LOCAL_BODY_4046600451 BODY: This message contained the string
*  1.845.709.8044
*  2.0 LOCAL_BODY_1577053434 BODY: This message contained the string
*  845.709.8044
X-Spam-Status: Yes, score=7.2 required=5.0 tests=LOCAL_BODY_1577053434,
LOCAL_BODY_4046600451,LOCAL_RECVD_TP,LOCAL_RECVD_XM,RCVD_IN_DNSWL_MED,
STOX_REPLY_TYPE shortcircuit=no autolearn=disabled version=3.2.5

What the hell is RECVD_IN_DNSWL_MED and why is it trusted in dnswl.org?

Thanks,
Alex
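As an added example (mine, not from the thread or from SpamAssassin): a small Python parser for the X-Spam-Report block above that reproduces the 7.2 total shown in X-Spam-Status and lets you ask what the same hits would score under the dnswl.org values LuKreme was weighing elsewhere in this thread. The report text is a constructed copy of Alex's, rejoined onto unwrapped lines.

```python
import re

# Constructed sample: the X-Spam-Report block posted in this thread, with the
# wrapped first line re-joined. Continuation lines also start with "*" but
# carry no "<score> <RULE_NAME>" pair, so the regex below skips them.
SAMPLE_REPORT = """\
* -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
*  medium trust
*  [194.230.33.137 listed in list.dnswl.org]
*  0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
*  3.6 LOCAL_RECVD_TP Recvd from botnet
*  3.6 LOCAL_RECVD_XM Recvd from botnet
*  2.0 LOCAL_BODY_4046600451 BODY: This message contained the string
*  1.845.709.8044
*  2.0 LOCAL_BODY_1577053434 BODY: This message contained the string
*  845.709.8044
"""

# A scored hit is "*", whitespace, a signed decimal, whitespace, a rule name.
HIT_RE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")

def parse_report(report):
    """Return {rule: score} for every scored hit in an X-Spam-Report."""
    hits = {}
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def total_score(hits, overrides=None):
    """Sum the hits, applying 'score RULE value' overrides (as in local.cf)
    to rules that actually fired; rounded to one decimal like X-Spam-Status."""
    merged = dict(hits)
    for rule, value in (overrides or {}).items():
        if rule in merged:
            merged[rule] = value
    return round(sum(merged.values()), 1)

def verdict(hits, required=5.0, overrides=None):
    """Spam/ham decision for the given required score and overrides."""
    return total_score(hits, overrides) >= required

if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print("as scored:", total_score(hits))
    # What the same hits would score with a -0.5 dnswl credit (assumed value)
    print("with -0.5 dnswl:", total_score(hits, {"RCVD_IN_DNSWL_MED": -0.5}))
```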