What setup do I need?

2008-02-16 Thread tmasboa

Hello, I am new to SA and here is the situation:

A normal mail server from my hosting company (pop3)

and basically I have a computer I want to check the emails, run them through
SA, and then deliver them to a local mail server just in our network.

Any free suggestions? I tried installing a POP3 server like Dovecot but I
had a problem and couldn't get it to authenticate.

Thanks
-- 
View this message in context: 
http://www.nabble.com/What-setup-do-I-need--tp15518685p15518685.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: What setup do I need?

2008-02-16 Thread John Hardin

On Sat, 2008-02-16 at 14:24 -0800, tmasboa wrote:

> A normal mail server from my hosting company (pop3)
>
> and basically I have a computer I want to check the emails, run them through
> SA, and then deliver them to a local mail server just in our network.
>
> Any free suggestions?

Fetchmail.

-- 
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  We have to realize that people who run the government can and do
  change. Our society and laws must assume that bad people -
  criminals even - will run the government, at least part of the
  time.   -- John Gilmore
---
 6 days until George Washington's 276th Birthday



Re: What setup do I need?

2008-02-16 Thread Karsten Bräckelmann
On Sat, 2008-02-16 at 14:24 -0800, tmasboa wrote:
> Hello, I am new to SA and here is the situation:
>
> A normal mail server from my hosting company (pop3)
>
> and basically I have a computer I want to check the emails,

fetchmail

> run them through SA,

procmail

> and then deliver them to a local mail server just in our network.

Deliver using your distro's preferred MTA (which actually does the
procmail calling part, too).

By local mail server I assume you are talking about a mail serving entity,
like an IMAP server. Dovecot. :)

> Any free suggestions? I tried installing a POP3 server like Dovecot but I
> had a problem and couldn't get it to authenticate.

Dovecot doesn't authenticate. You authenticate against Dovecot. It's a
server, it's not a client...

Anyway, the just outlined setup sounds strangely familiar. ;-)

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Clearly bogus false positives -- on abuse contact point, no less

2008-02-16 Thread Philip Prindeville
Hmmm.  I think we need a BL for reporting ISPs that are so clueless as to
run filtering on their abuse mailbox (or the mailbox that's listed for
their ARIN/RIPE AbuseEmail attributes).

Anyway, I have no idea why I'm seeing some of these scores.  URL matches
when there aren't even URLs in my message?

A 2.6 score on BAYES_00?  URIBL_JP_SURBL and URIBL_OB_SURBL?  And what
the heck is DNS_FROM_OPENWHOIS???

TVD_STOCK1?  There's no mention of stock anywhere in the message.  Why am I
seeing all of these bogus matches?

I looked on the wiki for some of these, but couldn't find descriptions.

What should I do?  Just block their domain?  I don't want to deal with their 
misconfiguration issues.

-Philip





Received: from localhost (localhost)
by mail.redfish-solutions.com (8.14.1/8.14.1) id m1H2M5XP027602;
Sat, 16 Feb 2008 19:22:05 -0700
Date: Sat, 16 Feb 2008 19:22:05 -0700
From: Mail Delivery Subsystem [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary=m1H2M5XP027602.1203214925/mail.redfish-solutions.com
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--m1H2M5XP027602.1203214925/mail.redfish-solutions.com

The original message was received at Sat, 16 Feb 2008 19:22:01 -0700
from pool-71-112-32-245.sttlwa.dsl-w.verizon.net [71.112.32.245]

   ----- The following addresses had permanent fatal errors -----
[EMAIL PROTECTED]
    (reason: 550-This email has been automatically tagged as spam)
[EMAIL PROTECTED]
    (reason: 550-This email has been automatically tagged as spam)

   ----- Transcript of session follows -----
... while talking to alpha.inbound.mercury.spaceservers.net.:
>>> DATA
<<< 550-This email has been automatically tagged as spam
<<< 550-Spam detection software, operated by UKDomains limited, has
<<< 550-identified this incoming email as possible spam.
<<< 550-contact [EMAIL PROTECTED] for details and error reports.
<<< 550-pts rule name              description
<<< 550----- ---------------------- ------------------------------------------
<<< 550-1.1 DNS_FROM_OPENWHOIS     RBL: Envelope sender listed in
<<< 550-                           bl.open-whois.org.
<<< 550--0.0 SPF_PASS              SPF: sender matches SPF record
<<< 550--2.6 BAYES_00              BODY: Bayesian spam probability is 0 to 1%
<<< 550-                           [score: 0.]
<<< 550-1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL
<<< 550-                           blocklist
<<< 550-                           [URIs: chalturs.com]
<<< 550-1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL
<<< 550-                           blocklist
<<< 550-                           [URIs: chalturs.com]
<<< 550-0.5 WHOIS_DMNBYPROXY       Contains URL registered to Domains by Proxy
<<< 550-                           [URIs: redfish-solutions.com]
<<< 550 3.4 AWL                    AWL: From: address is in the auto white-list
554 5.0.0 Service unavailable

--m1H2M5XP027602.1203214925/mail.redfish-solutions.com
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.redfish-solutions.com
Received-From-MTA: DNS; pool-71-112-32-245.sttlwa.dsl-w.verizon.net
Arrival-Date: Sat, 16 Feb 2008 19:22:01 -0700

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.2.0
Remote-MTA: DNS; alpha.inbound.mercury.spaceservers.net
Diagnostic-Code: SMTP; 550-This email has been automatically tagged as spam
Last-Attempt-Date: Sat, 16 Feb 2008 19:22:05 -0700

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.2.0
Remote-MTA: DNS; alpha.inbound.mercury.spaceservers.net
Diagnostic-Code: SMTP; 550-This email has been automatically tagged as spam
Last-Attempt-Date: Sat, 16 Feb 2008 19:22:05 -0700

--m1H2M5XP027602.1203214925/mail.redfish-solutions.com
Content-Type: message/rfc822

Return-Path: [EMAIL PROTECTED]
Received: from [192.168.10.120] (pool-71-112-32-245.sttlwa.dsl-w.verizon.net 
[71.112.32.245])
(authenticated bits=0)
by mail.redfish-solutions.com (8.14.1/8.14.1) with ESMTP id 
m1H2M0XQ027599
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Sat, 16 Feb 2008 19:22:01 -0700
Message-ID: [EMAIL PROTECTED]
Date: Sat, 16 Feb 2008 18:21:27 -0800
From: Abuse Department [EMAIL PROTECTED]
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Of course it's spam: it's an abuse mailbox
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.63 on 192.168.1.3

Of course it's spam.  It's a copy of an offending message (that 
originated from *your* site) being reported back to you, and to your 
abuse mailbox.


If it weren't spam, there'd hardly be a point in reporting it now, would 
there?


What other brilliant deductions are to follow?  That there are a lot of 
sick people in a hospital?


Get a clue.  Better yet, if you were as good at detecting *outbound* 
spam coming from your site as you are incoming spam, we wouldn't be 
having this 

Re: Clearly bogus false positives -- on abuse contact point, no less

2008-02-16 Thread Karsten Bräckelmann
Please, do not paste a gigantic blob of multipart MIME messages. Put it
up somewhere, raw, and simply provide a link.


On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
> Anyway, I have no idea why I'm seeing some of these scores.  URL matches
> when there aren't even URLs in my message?

There are. Self-inflicted. The ones in square brackets with the leading
550 code, which you seem to keep sending back and forth. :)

> A 2.6 score on BAYES_00?  URIBL_JP_SURBL and URIBL_OB_SURBL?  And what
> the heck is DNS_FROM_OPENWHOIS???

Well, if you don't mind having a second look, that is MINUS 2.6 for
Bayes. What's wrong with that?

Regarding your SURBL questions... Yes.  Wait, you were hoping for more?
Without any actually asked question? OK, good then. The domain
chalturs.com is listed in these RBLs, as the results tell you. See
http://surbl.org/ for more.

Oh, and DNS_FROM_OPENWHOIS probably is http://open-whois.org/, which
gives you a hint about what it actually is. The hit itself pretty much
mentions this...

> TVD_STOCK1?  There's no mention of stock anywhere in the message.

From a quick glimpse of the code, it appears to identify common words
used in stock (as in stock exchange, pump-n-dump penny stocks) spam. It
does not search for the word stock. Just as pretty much no rule in SA
ever searches for single words only...

> Why am I seeing all of these bogus matches?

From what I can tell, and what you sent us, they don't appear to be
bogus.

> I looked on the wiki for some of these, but couldn't find descriptions.
>
> What should I do?  Just block their domain?  I don't want to deal with
> their misconfiguration issues.

Apparently you already exchanged messages? Try not sending the offensive
mail in question. Put it up somewhere as reference, if need be. Hmm,
sounds familiar... ;)

  guenther





Re: Clearly bogus false positives -- on abuse contact point, no less

2008-02-16 Thread Philip Prindeville

Karsten Bräckelmann wrote:

> Please, do not paste a gigantic blob of multipart MIME messages. Put it
> up somewhere, raw, and simply provide a link.
>
> On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
>
>> Anyway, I have no idea why I'm seeing some of these scores.  URL matches
>> when there aren't even URLs in my message?
>
> There are. Self-inflicted. The ones in square brackets with the leading
> 550 code, which you seem to keep sending back and forth. :)

And just *mentioning* the domain name, without any sort of valid URL
(ftp: or http: or anything of the sort) is going to match it as a URL?
That's highly bogus.

A domain name alone does not a URL make.

>> A 2.6 score on BAYES_00?  URIBL_JP_SURBL and URIBL_OB_SURBL?  And what
>> the heck is DNS_FROM_OPENWHOIS???
>
> Well, if you don't mind having a second look, that is MINUS 2.6 for
> Bayes. What's wrong with that?

Oh, sorry, read over the scores too quickly.  Never mind the BAYES_00.



> Regarding your SURBL questions... Yes.  Wait, you were hoping for more?
> Without any actually asked question? OK, good then. The domain
> chalturs.com is listed in these RBLs, as the results tell you. See
> http://surbl.org/ for more.

I read the top-level page, but didn't see anything really pertinent.  I
get the idea.  But naming the domain in a message, again, is not the
same as embedding an entire URL containing the domain.  The two aren't
equivalent.

> Oh, and DNS_FROM_OPENWHOIS probably is http://open-whois.org/, which
> gives you a hint about what it actually is. The hit itself pretty much
> mentions this...

Yeah, I read this.  And I don't get that either.

How does having your domain be anonymous (for whatever reason... maybe
you're a small company operating below the radar) make your email any
more likely to be spam?



>> TVD_STOCK1?  There's no mention of stock anywhere in the message.
>
> From a quick glimpse of the code, it appears to identify common words
> used in stock (as in stock exchange, pump-n-dump penny stocks) spam. It
> does not search for the word stock. Just as pretty much no rule in SA
> ever searches for single words only...

Again, I didn't see anything that should legitimately be causing this
rule to fire, and certainly not with such a high score for such an
unreliable rule.

>> Why am I seeing all of these bogus matches?
>
> From what I can tell, and what you sent us, they don't appear to be
> bogus.

Depends on whether you equate bare domains with URLs, I suppose.


>> I looked on the wiki for some of these, but couldn't find descriptions.
>>
>> What should I do?  Just block their domain?  I don't want to deal with
>> their misconfiguration issues.
>
> Apparently you already exchanged messages? Try not sending the offensive
> mail in question. Put it up somewhere as reference, if need be. Hmm,
> sounds familiar... ;)
>
>   guenther

No, I sent them back the offending email, initially.  Which they marked
as spam (bloody brilliant, of course it's spam, otherwise I wouldn't be
bothering to report it... what else do they expect to come to their
Abuse mailbox, anyway???).

So I sent the SA scores back to them, and that's the part that I
pasted previously.

How do you report Spam to such a site that's going to block your Spam
reports for being... well, Spam!

(Yes, I'm shocked too to hear there's gambling going on in Casablanca...)



Re: Clearly bogus false positives -- on abuse contact point, no less

2008-02-16 Thread hamann . w
Karsten Bräckelmann wrote:

> On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
>> Anyway, I have no idea why I'm seeing some of these scores.  URL matches
>> when there aren't even URLs in my message?

..

>> What should I do?  Just block their domain?  I don't want to deal with
>> their misconfiguration issues.
>
> Apparently you already exchanged messages? Try not sending the offensive
> mail in question. Put it up somewhere as reference, if need be. Hmm,
> sounds familiar... ;)

When it finally gets through, they will probably send you an autoreply that
they cannot handle abuse complaints without the necessary evidence, e.g. the
original piece of spam, included.
Back to square 1 ... or the fax machine

Wolfgang Hamann
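
An added example, not part of any post in this thread: a small Python parser for the SpamAssassin report embedded in the 550 rejection quoted earlier. It shows that BAYES_00 counts negatively and that the bracketed [URIs: ...] lines belong to the rule above them. The sample text is constructed from the report in the thread; the 5.0 threshold is SpamAssassin's default required_score and is only an assumption about the rejecting site.

```python
import re

# Constructed sample: the report lines of the 550 rejection quoted in this thread.
REPORT = """\
550-pts rule name  description
550-1.1 DNS_FROM_OPENWHOIS RBL: Envelope sender listed in
550-bl.open-whois.org.
550--0.0 SPF_PASS   SPF: sender matches SPF record
550--2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
550-[score: 0.]
550-1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
550-blocklist
550-[URIs: chalturs.com]
550-1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
550-blocklist
550-[URIs: chalturs.com]
550-0.5 WHOIS_DMNBYPROXY   Contains URL registered to Domains by Proxy
550-[URIs: redfish-solutions.com]
550 3.4 AWL AWL: From: address is in the auto white-list
"""

ASSUMED_THRESHOLD = 5.0  # assumption: SpamAssassin default, not stated by the site

SMTP_PREFIX = re.compile(r"^\s*\d{3}[- ]")   # "550-" or "550 " reply-code prefix
RULE_LINE = re.compile(r"^(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s")
URI_LINE = re.compile(r"^\[URIs:\s*(.*?)\]$")

def parse_report(text):
    """Return one dict per rule hit; URI lines attach to the preceding rule."""
    hits = []
    for raw in text.splitlines():
        line = SMTP_PREFIX.sub("", raw).strip()
        rule = RULE_LINE.match(line)
        if rule:
            hits.append({"score": float(rule.group(1)),
                         "rule": rule.group(2), "uris": []})
            continue
        uri = URI_LINE.match(line)
        if uri and hits:
            hits[-1]["uris"] += uri.group(1).split()
    return hits

def total(hits, skip=()):
    """Sum the scores, optionally leaving out some rules."""
    return round(sum(h["score"] for h in hits if h["rule"] not in skip), 1)

if __name__ == "__main__":
    hits = parse_report(REPORT)
    for h in sorted(hits, key=lambda h: -h["score"]):
        print(f'{h["score"]:5.1f}  {h["rule"]:<20} {" ".join(h["uris"])}')
    print("total:", total(hits), "assumed threshold:", ASSUMED_THRESHOLD)
    print("total without AWL:", total(hits, skip=("AWL",)))
```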