Hi Matt,
Thanks a lot for your clarifications. Everything is clearer now :)
ddaas
Matt Kettler wrote:
ddaasd wrote:
Hi,
I have a problem with SpamAssassin. I would appreciate if someone could
help me.
My setup is:
I’ve upgraded to SpamAssassin version 3.0.3 running on Perl version
Matt Kettler wrote:
Claude Kries wrote:
Hi there,
it would be nice to hear of some statistical tools you are using, to
analyze how much spam SA filtered during a period of some time.
Any out ther? Maybe some generating nice HTML output or something?
There's some misc mrtg scripts out
Matt Kettler wrote:
Claude Kries wrote:
Hi there,
it would be nice to hear of some statistical tools you are using, to
analyze how much spam SA filtered during a period of some time.
Any out ther? Maybe some generating nice HTML output or something?
There's some misc mrtg scripts out
On Tue, 9 Aug 2005, Joe Borg said:
Its easier not to try to count asterisks...
Sample procmailrc portion
:0
* ^X-Spam-Status:.*score=[1-9][0-9]
{
:0
/dev/null
}
-end sample
Agreed, but you don't have to use regexps for the counting job either.
I use something akin
Hi all
I'm quite new to spamassassin...
Our ISP has a scanner running on their fallback MX machines for their
clients (some spammers aparently use the fallback MX rather than the
default MX)
So I get e-mails with their headers (see below) and then I scan them as
well, adding my own
On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
the IP
219 dot 144 dot 194 dot 158
is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
phishing mail with
http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
in it's body
On Tue, 09 Aug 2005, Justin Mason said:
BTW, before we go too far down this rabbit-hole, everyone please note
that actually, the SpamAssassin project *does* have its own definition
of spam: that being Unsolicited Bulk Email.
There was a wonderful old post on news.admin.net-abuse.misc
On Wed, 10 Aug 2005, Herb Martin wrote:
Is there a UNIX socket test client program (a la NetCat)?
I need to test a variety of UNIX (not IP/INET) socket daemons for both
syntax and are you running.
Is there a program that can read-write to an arbitrary Unix-type socket in a
manner similar
Matt Kettler wrote:
At 05:37 AM 8/11/2005, Simon Oosthoek wrote:
snip
X-Virtu-MailScanner-SpamCheck: spam, SpamAssassin (score=25.456,
required 5,
autolearn=spam, BAYES_99 3.50, FORGED_YAHOO_RCVD 2.70,
That header wasn't made by SpamAssassin.. MailScanner builds it's own
headers.
Simon Oosthoek wrote:
Matt Kettler wrote:
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTSSCORES_ autolearn=_AUTOLEARN_ version=_VERSION
Ok, I've put this in the /etc/spamassassin/local.cf file and it doesn't
change the appearance of the Status header at all :-(
Huh? Subject didn't have month in it at all.. :(
Return-Path: [EMAIL PROTECTED]
Received: from mailgate.pbp.net (mailgate.pbp.net [192.168.10.87])
by mail.pbp.net (Postfix) with ESMTP id 95CA7117720
for [EMAIL PROTECTED]; Thu, 11 Aug 2005 05:24:29 -0700 (PDT)
Received:
Subject: We may be able to help you eradicate your student loans.
Erm, may is a month afaik :-)
Ben
On 8/11/05, Jonathan Nichols [EMAIL PROTECTED] wrote:
Huh? Subject didn't have month in it at all.. :(
Return-Path: [EMAIL PROTECTED]
Received: from mailgate.pbp.net
Jonathan Nichols wrote:
Huh? Subject didn't have month in it at all.. :(
snip
Subject: We may be able to help you eradicate your student loans.
Sure there is.. Perhaps you forgot about the month of May.
That said, the SUBJECT_MONTH rule hasn't existed since SpamAssassin 2.44.
Versions
On Thu, Aug 11, 2005 at 03:31:57AM -0700, Jeff Chan wrote:
the IP
219 dot 144 dot 194 dot 158
is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
phishing mail with
http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
in it's body
I'm trying to figure out the route this took to get to me
My guess is...
Some trojan/whetever sent an email to a nonexistent address
([EMAIL PROTECTED])
The return address was spoofed as one of my addresses ([EMAIL PROTECTED])
Their brain-dead mailer daemon then sent the failure back to
Steve Martin wrote:
I'm trying to figure out the route this took to get to me
My guess is...
Some trojan/whetever sent an email to a nonexistent address
([EMAIL PROTECTED])
The return address was spoofed as one of my addresses ([EMAIL PROTECTED])
Their brain-dead mailer daemon then
On Tue, 9 Aug 2005, E. Falk wrote:
Rob McEwen wrote:
Does anyone else consider SpamHaus's definition as too weak and believe
that
ANY unsolicited e-mail is spam, even if a personally hand-typed note?
I'm really curious as to how we would defined solicited e-mail.
solicited ==
Sounds like a good plan, although I doubt I'll remember to stop
blocking it after 24 hours ;-)
On Aug 11, 2005, at 12:01 PM, Matt Kettler wrote:
Tell postfix to refuse mail from 83.102.221.67?
That's generally what I do with joe-job bounces. I block the
affected server for
24 hours with a
On Tue, 9 Aug 2005, Bowie Bailey wrote:
Personally, I have a very simple definition of spam:
If I didn't ask for it and it comes from someone I don't know, it's spam.
That's not a workable definition. If someone I don't know checks out my
website and emails me asking me to do some work for
On Tue, 9 Aug 2005, Mike Wiebeld wrote:
I don't think you understand the situation. How is the recipient
supposed to know whether it is actually a hand crafted email sent just
to him or a spam run of 10,000?
There are tools like Razor and DCC that help determine that.
--
Steve Sobol,
From: Steven J. Sobol [mailto:[EMAIL PROTECTED]
On Tue, 9 Aug 2005, Bowie Bailey wrote:
Personally, I have a very simple definition of spam:
If I didn't ask for it and it comes from someone I don't
know, it's spam.
That's not a workable definition. If someone I don't know checks
Hi all,
Yesterday I updated SpamAssassin with perl and CPAN, and today I asked
it to update bayes with ~400 stored spam messages.
The results:
$ sa-learn --mbox --spam /var/mail/spamhole
configuration file /usr/local/share/spamassassin/20_body_tests.cf
requires version 3.04 of SpamAssassin,
Kelson wrote:
The ones I hate are the viruses that forge addresses like
[EMAIL PROTECTED], then try to send to [EMAIL PROTECTED] We reject
incoming mail claiming to be from [EMAIL PROTECTED] and similar
addresses with a Forgery detected! error, since we know we'll only
ever send that
In an older episode (Thursday, 11. August 2005 12:31), Jeff Chan wrote:
On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
the IP
219 dot 144 dot 194 dot 158
is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
phishing mail with
-Original Message-
From: wolfgang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:56 PM
To: users@spamassassin.apache.org
Subject: Re: Phishing IP listed in URIBL and SURBL, but not triggering
URI rules
In an older episode (Thursday, 11. August 2005 12:31), Jeff
Hi,
I'm on a Redhat ES 4 (x86) with
postfix-2.1.5-4.2.RHEL4
spamassassin-3.0.4-1.el4
spamd is launch with this command (according to ps -edf | grep spamd)
root 27429 1 0 21:51 ?00:00:00 /usr/bin/spamd -d -c -m5 -H
When i send a mail it goes through spamd and then i get this
Well, the IP is listed OK, but one needs to do reverse queries:
dig 158.194.144.219.multi.surbl.org
gives
158.194.144.219.multi.surbl.org. 1850 IN A 127.0.0.12
which sounds good to me.
Dirk
Chris Santerre schrieb:
-Original Message-
From: wolfgang [mailto:[EMAIL PROTECTED]
Sent:
This is a very, very dangerous road to go down. You would see a lot of
collateral damage by doing a URIBL by IP. A lot of domain hosts these days
use shared IPs. I could host any number of legit websites on one virtual
IP
and I do. I share IPs with any number of other websites at the web
hosting
In an older episode (Thursday, 11. August 2005 22:46), Dirk Bonengel wrote:
Well, the IP is listed OK, but one needs to do reverse queries:
dig 158.194.144.219.multi.surbl.org
gives
158.194.144.219.multi.surbl.org. 1850 IN A 127.0.0.12
which sounds good to me.
But the uribl plugin
Negative ghostrider!
We aren't getting the ip. We are taking the ip directly from the URL, not
doing a reverse lookup. I haven't seen a legit email use an IP in a URL in
ages. And even if it was legit, it would have to be listed in URIBL.
Again, no reverse lookups being done. Just using what is
In an older episode (Thursday, 11. August 2005 22:58), Greg Allen wrote:
This is a very, very dangerous road to go down. You would see a lot of
collateral damage by doing a URIBL by IP. A lot of domain hosts these days
use shared IPs. I could host any number of legit websites on one virtual
Juan Machado wrote:
I got an error after I added the headers thing...
spamassassin -D --lint
snip
config: SpamAssassin failed to parse line, skipping: _
lint: 1 issues detected. please rerun with debug enabled for more
information.
Fix the line-wraps.
It looks like somewhere along
Nee,
but the subrl/uribl backoffice does, and, yes, thinking of it they're
overdoing it:
The phish IP you mentioned was 219.144.194.158
In the zone files it's in reverse notation
extract of multi.surbl.org.rbldnsd (Zonefile for the rbldnsd I host:)
158.194.144.219 :127.0.0.12:Blocked,
Greg,
given you speak of name-based virtual hosts, your concerns do not apply.
You'd not be affected if the IP of one of your web servers would be
listed in an URIB list..The plugin does not resolve the IP of an URL.
The only thing that matters is the actual domain. The case in question
here
Greg Allen wrote:
This is a very, very dangerous road to go down. You would see a lot of
collateral damage by doing a URIBL by IP. A lot of domain hosts these days
use shared IPs. I could host any number of legit websites on one virtual
IP…and I do. I share IPs with any number of other websites
Dallas (and all the rest),
what you're saying is:
- We're talking of forward lookups, not of reverse lookup.
What I'm seeing, however, is that the zone files contain IPs in reverse
notation.So SA does a forward lookup on a reversed IP.
I think that's about it. Wolfgang complained about not
-Original Message-
From: Dirk Bonengel [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 5:01 PM
To: Dallas L. Engelken
Cc: users@spamassassin.apache.org
Subject: Re: Phishing IP listed in URIBL and SURBL, but not
triggering URI rules
Dallas (and all the rest),
what
In an older episode (Friday, 12. August 2005 01:18), Dallas L. Engelken wrote:
Looks like we agree with surbl..
# host -tTXT 158.194.144.219.multi.uribl.com
158.194.144.219.multi.uribl.com descriptive text Listed on [black] -
See http://lookup.uribl.com/?domain=158.194.144.219;
Yes, but -
Sure there is.. Perhaps you forgot about the month of May.
*smacks forehead like the moron he is*
D'oh!
If you aren't running 2.43 or older, perhaps you should find out why you have
rules from 2.43 in your config.
I'm running 3.x - I've just been dragging around the same local.cf since
-Original Message-
From: wolfgang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 6:36 PM
To: users@spamassassin.apache.org
Subject: Re: Phishing IP listed in URIBL and SURBL, but not
triggering URI rules
In an older episode (Friday, 12. August 2005 01:18), Dallas
L.
In an older episode (Friday, 12. August 2005 01:46), Dallas L. Engelken wrote:
-Original Message-
From: wolfgang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 6:36 PM
To: users@spamassassin.apache.org
Subject: Re: Phishing IP listed in URIBL and SURBL, but not
On Aug 10, 2005, at 1:21 PM, Matt Kettler wrote:
For example, try doing turkeybacon as a destination. Firefox will
fail the
lookup, do a web search (using google or whatever your default
search engine is)
and jump to the first hit:
http://www.livejournal.com/userinfo.bml?user=turkeybacon
Steven Dickenson wrote:
On Aug 10, 2005, at 1:21 PM, Matt Kettler wrote:
For example, try doing turkeybacon as a destination. Firefox will
fail the
lookup, do a web search (using google or whatever your default search
engine is)
and jump to the first hit:
43 matches
Mail list logo