Kshatriya wrote:
On Tue, 14 Aug 2007, ram wrote:
The page says the primary MX should not be accepting connections at all.
Has anyone else tried this, will this cause delay in my mail
It almost doesn't work anymore. Better try adaptive greylisting, with
some whitelists so you don't notice
vately if interested.
Marc Perkel
Junk Email Filter
http://www.junkemailfilter.com
If spammers were smart they would blacklist me.
jdow wrote:
This made it past my filters. But it's unreadable gibberish.
I wonder why they bother.
Good point. The fact that they have to resort to gibberish, image spam,
pdf spam all of which is far harder than clicking on a link shows we are
winning. Their return in the amount of spam
The new 3.2.2 seems to be significantly lighter on the CPU than 3.2.1
was. So far so good.
Jason Haar wrote:
Marc Perkel wrote:
Never mind - my fault. I don't think it was spamhaus but a screwed up
DNS server.
Care to share? I'm a bit concerned a "screwed up" DNS server could cause
RBL software to start declaring IP addresses were blacklisted.
Marc Perkel wrote:
Getting a ton of false positives today on spamhaus. Generally they
never get it wrong. Anyone else seeing this or is it just me?
Never mind - my fault. I don't think it was spamhaus but a screwed up
DNS server.
Getting a ton of false positives today on spamhaus. Generally they never
get it wrong. Anyone else seeing this or is it just me?
For what it's worth you should make it available and then announce it. :)
Theo Van Dinter wrote:
On Sun, Jul 22, 2007 at 07:15:50AM -, [EMAIL PROTECTED] wrote:
Mark Perkel wrote:
If I have a string, what's that fastest way to count the number of
periods in the string?
in perl, I would probably split the string at the periods
@parts = split /\./, $string;
OK - I'm not experienced at Perl but trying to do something that should
be fairly simple for those of you who are good at it.
I need a subroutine that I can pass an IP address to. It will do a
reverse DNS lookup and get a hostname. Then lookup the hostname to
verify that one of the IP addresse
If I have a machine with a screwed up perl configuration, some installed
in /usr/lib/perl5 and some in /usr/local/lib/perl5, is there any easy
way to get everything back under /usr/lib/perl5 without starting over?
Running Fedora Core 6.
Thanks in Advance
I've written a best practices guide and suggestions on how to defeat the
spam bot armies. If anyone wants to comment I'm looking for feedback and
new ideas.
http://wiki.junkemailfilter.com/index.php/How_to_put_an_end_to_Virus_Infected_Spam_Bots
John Rudd wrote:
Robert - eLists wrote:
What stops your customers from submitting to port 25 on your port 25
machines, when they're out roaming (ie. not on an IP address from which
you have blocked port 25 traffic)?
What stops them from submitting on port 25 is admin-ing it so that
"no s
John Rudd wrote:
Marc Perkel wrote:
Jari Fredriksson wrote:
[EMAIL PROTECTED] wrote:
If port 25 were blocked from consumers and they were forced to talk to
servers on port 587, even without authentication, then a server could
distinguish consumers from other servers. I think this kind of
Jari Fredriksson wrote:
[EMAIL PROTECTED] wrote:
If port 25 were blocked from consumers and they were forced to talk to
servers on port 587, even without authentication, then a server could
distinguish consumers from other servers. I think this kind of
configuration could be used to help isola
One of the problems with SMTP in my opinion is that it allows end users
to talk on port 25 to servers and therefore can't be distinguished from
server to server traffic.
Imagine a policy where ISPs blocked port 25 for consumers by default and
forced them to talk to mail servers on port 587 to
Daryl C. W. O'Shea wrote:
Marc Perkel wrote:
I appreciate your effort in this but let's come up with something
useful. If you give up SPF I will give you and PoBox some anti-spam
technology that will revolutionize your spam filtering. I'm just
tired of having to deal with th
Daryl C. W. O'Shea wrote:
Guess what Marc, spammers can publish ANY DNS records! That includes
TXT records, type 99 (SPF) records, and your precious A and PTR records.
What spammers can't do is publish a forward confirmed RDNS that ends in
wellsfargo.com, which would be a listed domain
Daryl C. W. O'Shea wrote:
Marc, I'm quite amazed that you still haven't picked up the term FCrDNS!
Thanks - never heard that before. Glad there's a word for it.
Meng Weng Wong wrote:
Without diving too deep into this can of worms I'd like to point out
that rejecting mail due to SPF fails is a whole different
ball-game-of-wax than accepting mail due to an SPF pass -- the
limitations related to forwarding are well known, but orthogonal to
whitelisting
John D. Hardin wrote:
On Thu, 12 Jul 2007, Marc Perkel wrote:
I'm just tired of having to deal with the bad side effects of SPF
and explaining to people that they can't use my spam filtering
unless they turn SPF off.
What's wrong with that? They are explicitly contr
Bill Landry wrote:
Marc Perkel wrote the following on 7/12/2007 7:19 PM -0800:
Meng Weng Wong wrote:
On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
Need a rule written to take advantage of this trick and this could
be a major breakthrough in white listing.
Here's wh
Meng Weng Wong wrote:
On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
Need a rule written to take advantage of this trick and this could be
a major breakthrough in white listing.
Here's what it needs to do:
1) Take the IP of the connecting host and do an RDNS lookup to get
the na
Dave Koontz wrote:
Marc, please don't mis-read. Honestly, it was a simple question. Is
the list from your own observation, or from user submissions? It's that
simple. The rest is just why it may not work for us in its present form!
It's a combination of a lot of sources. Some of them
Dave Koontz wrote:
Marc, how do you arrive at your list, through user submission or your own
observation? I notice the list is mostly void of any .EDU organizations.
As you probably know, .EDU domain registration is restricted to only those
meeting certain criteria and must go through EduCause
Here's my list so far. These are host name - not from addresses. So it
matches *.hostname.com
I could use more to add to the list.
Loren Wilton wrote:
How about this one:
Client IP is 213.200.218.50 - reverse lookup returns mail.specogna.ch.
Lookup mail.specogna.ch returns 213.200.218.50. Looks good.
Lookup mail.specogna.ch.junkemailfilter.com - (what does this tell me,
regardless of what it returns?)
But let's assume ma
Per Jessen wrote:
Marc Perkel wrote:
1) Take the IP of the connecting host and do an RDNS lookup to get the
name.
2) Verify that the name that was looked up resolves to the same
IP address.
3) Look up the name in this dns list ===
example.com.hostdomain.junkemailfilter.com
4) if it
Need a rule written to take advantage of this trick and this could be a
major breakthrough in white listing.
Here's what it needs to do:
1) Take the IP of the connecting host and do an RDNS lookup to get the name.
2) Verify that the name that was looked up resolves to the same IP address.
3) Lo
Getting a lot of these:
spamd: timeout: (100 second timeout while trying to TELL)
Can I change the timeout? And - a better error message should include
who it is trying to tell what.
Whoops - left out an important piece of the rules
header __RCVD_IN_JMFILTER eval:check_rbl('JMFILTER','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMFILTER Sender listed in JMFILTER
tflags __RCVD_IN_JMFILTER net
header RCVD_IN_JMFILTER_W eval:check_rbl_sub('JMFILTER', '127.0.0.1')
des
I'm looking for lists of domains to whitelist. Here's the criteria.
1) The host will be whitelisted based on RDNS of the IP where the RDNS
name matches the IP that was looked up.
2) That the domain never sends any spam.
So - not looking for mixed spam sources but pure ham sources. If the
host
continues. A lot of
spam sources are getting shut down.
If anyone is interested in my spam feed contact me privately.
Marc Perkel
Fearless Leader
Junk Email Filter dot com
Per Jessen wrote:
guenther wrote:
Dirk, I don't think this really puts an end to this discussion, and I
believe what Per actually was wondering about are some precise
statements about each of the iXhash lists sources. At the very least,
that is what I am wondering about. ;)
That is
Per Jessen wrote:
Marc Perkel wrote:
I think I'm the highest volume source for Dirk. If not the highest I'm
up there. I'm feeding his public servers. I have been for about a
year.
Hi Marc,
a feed that size is very interesting to be perfectly honest. I have a
coup
Per Jessen wrote:
[EMAIL PROTECTED] wrote:
The difference is that the .de domain is fed by input that's either
visually checked or stems from dedicated spamtraps, so I'm quite
confident the hashes contained really mark spam.
The .ag domain contains hashes either from feedback loops (ie. e
Per Jessen wrote:
Marc Perkel wrote:
I'm feeding in spam from 1600 domains through my junkemailfilter.com
service and I think that I'm helping out a very good service. I
encourage others to do the same.
At a price of course. Thanks for the advertising Marc.
To stay on-
Per Jessen wrote:
Dirk Bonengel wrote:
For those that don't know what this plugin does: It uses an algorithm
developed by Bert Ungerer of the German IT magazine iX (Heise Verlag)
to compute fuzzy checksums from (spam) emails and checks them against
those hashes I and Heise computed from our
Loren Wilton wrote:
Who likes this idea?
While it's a little out of date now and was manually generated and
verified, SARE has a whitelist of hosts and the like that are
supposedly never spam, even though they may be commercial mail.
Loren
Looks like a useful list. I'm going to
A little play on words spoofing "A plan for spam".
I have been testing a new technique for detecting ham that is working
quite well. It's nearly (or possibly at) 100% accurate in that what it
identifies is ham.
First of all you get a verified RDNS lookup on the host. Verified means
that you
OK - tell me if this is useful. I created a DNS list that you can pass a
host name to and get information as to where the registrar barrier is.
You can use it as follows:
dig .rb.junkemailfilter.com
Example:
dig perkel.com.rb.junkemailfilter.com - returns 127.0.0.1
dig perkel.co.uk.rb.junkemai
Loren Wilton wrote:
You have a bit of a chicken and egg problem at the start. Until
some learning takes place in the system.
Two possibilities. The rules exist and have scores. Assume they are
maintained, for whatever reason.
1.Until Bayes has enough info to kick in, classification
Tom Allison wrote:
On Jun 30, 2007, at 1:20 AM, Marc Perkel wrote:
Tom Allison wrote:
For some years now there has been a lot of effective spam filtering
using statistical approaches with variations on Bayesian theory,
some of these are inverse Chi Square modifications to Naive Bayes
Tom Allison wrote:
For some years now there has been a lot of effective spam filtering
using statistical approaches with variations on Bayesian theory, some
of these are inverse Chi Square modifications to Naive Bayes or even
CRM114 and other "languages" have been developed to improve the
sc
Quick question. I understand two level TLDs like .co.uk but are there 3
and 4 level registrar barriers. There seems to be some reference to that
in the registrarbarrier.pm file
d ways to block spam and reduce the
load SpamAssassin puts on your servers.
Marc Perkel
http://www.junkemailfilter.com
I'm using it and I really like it. Very effective.
Theo Van Dinter wrote:
On Mon, Jun 25, 2007 at 06:30:19AM -0700, Marc Perkel wrote:
What would be the method of detecting the domain part of a host address?
82-46-151-246.cable.ubr04.perr.blueyonder.co.uk
How would you write a perl script that would extract the
blueyonder.co.uk part
What would be the method of detecting the domain part of a host address?
For example:
82-46-151-246.cable.ubr04.perr.blueyonder.co.uk
How would you write a perl script that would extract the
blueyonder.co.uk part?
Clarification. When I say that spammers can't spoof RDNS what I mean is
that if you do a reverse lookup and get a spoofed name then when you
look up the spoofed name it won't resolve back to the IP you looked up.
I'm testing this idea now.
Marc Perkel wrote:
OK - here's
OK - here's an idea I'm rolling around in my brain and thinking this
could work to massively automatically generate white lists of IP
addresses from companies that generate no spam at all. This could be
used not only to greatly reduce false positives, but also you reduce
system load. Any IP lis
arni wrote:
Marc Perkel schrieb:
That doesn't answer his question though. He didn't ask for your
opinion about if he needed it. If the rules were working for him he
wouldn't be asking for help. When someone asks a question telling
them they don't need it is generally
arni wrote:
Suhas Ingale schrieb:
Can someone help me writing rules to catch below content spam?
* 5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.]
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
* 5.
Matthias Leisi wrote:
I think it would be useful to start using this idea more widely to
improve the quality of DNS listing. So roll the idea around and see if
we can build on it.
It's somewhat similar to the "trust levels" we use in dnswl.org (where,
incidentally, we partly import data
OK - yes it's a term I invented. Yellow listing is a DNS list of hosts
that are mailservers for big ISPs and other sources of mixed ham and
spam. yahoo, gmail, hotmail, comcast, aol are examples of hosts that
would be yellow listed.
Why yellow list? The idea of a yellow list is to prevent cert
Craig Carriere wrote:
Matt wrote:
First - use dummy MX records. Real mail retries. Botnet and most
spammers don't. It's easier for them to try to spam someone else than to
fight your filter. MX config is as follows:
dummy - 10
real - 20
real-backups - 30
dummy - 40
dummy - 50
dummy - 60
I'm seeing a lot of people saying that bayes isn't working like it used
to, that load levels are high, and that they are getting a lot of image
and botnet spam. There are a few simple tricks you can do to get rid of
90% of it.
First - use dummy MX records. Real mail retries. Botnet and most
s
Yes - I googled it and found a lot of messages pointing to some patches
- and they didn't work. What do I really have to do to get rid of this
error?
pyzor: check failed: internal error
Thanks in advance
John Rudd wrote:
If you're going to do this, I would suggest that instead of counting
to X hits on your low priority MX's and then blacklisting the IP, do
this:
Count on all of your MX's, and look for a ratio between "hits on low
priority MX's and hits on high priority MX's".
IFF the hi
I'd like to see a feature on FuzzyOCR to cap the points it adds.
Sometimes it really goes wild where it's a false positive and adds over
40 points. I'd like to cap it at 8 or so.
Rick Cooper wrote:
I am probably over sensitive to blacklists of this nature because of past
problems. I had an issue where someone could not deliver a reply to a
customer once and when I investigated I found the (actually two) server was
on a blacklist I had never heard of. I let our ISP kno
John Rudd wrote:
If you're going to do this, I would suggest that instead of counting
to X hits on your low priority MX's and then blacklisting the IP, do
this:
Count on all of your MX's, and look for a ratio between "hits on low
priority MX's and hits on high priority MX's".
IF the hig
Rick Cooper wrote:
I don't know what his reason is but had I attempted to send mail to your
server last Friday I could easily have ended up hitting one of your higher
MXs. I had a problem with Verizon where I would lose my connection for
seconds to a min and everything would be fine for second
Shane Williams wrote:
This is a personal mail server, so I know exactly who sends mail on
it, and "we" don't have a spam problem (unless you mean all the spam
we're fighting to keep out). Of course, since it's a dynamic address,
I can't be certain that other users of this address haven't sent
Shane Williams wrote:
On Sun, 17 Jun 2007, Marc Perkel wrote:
Shane Williams wrote:
Here's the "failed for the last 4 hours" message...
- Transcript of session follows -
... while talking to mx.junkemailfilter.com.:
<<< 550-REJECTED - 70.112
Michael Scheidell wrote:
But, before you use it, I suggest you google for 'blocked.secnap.net'
(you will see a 2003 set of posts announcing this list).
Odd - I only get 15 list when I google it.
Shane Williams wrote:
On Sun, 17 Jun 2007, Marc Perkel wrote:
Daryl C. W. O'Shea wrote:
Shane Williams wrote:
On Sat, 16 Jun 2007, Marc Perkel wrote:
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and
Shane Williams wrote:
On Sat, 16 Jun 2007, Marc Perkel wrote:
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.
http://iplist.junkemailfilter.com/black.txt
Here's instructions on how to use it with SpamAssassin and E
Daryl C. W. O'Shea wrote:
Shane Williams wrote:
On Sat, 16 Jun 2007, Marc Perkel wrote:
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.
http://iplist.junkemailfilter.com/black.txt
Here's instructions on how
Bart Schaefer wrote:
On 6/16/07, Marc Perkel <[EMAIL PROTECTED]> wrote:
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.
http://iplist.junkemailfilter.com/black.txt
Just glancing through the list and reversing an
Jari Fredriksson wrote:
Marc Perkel wrote:
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.
http://iplist.junkemailfilter.com/black.txt
Here's instructions on how to use it with SpamAssassin and Exim.
http://wiki
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.
http://iplist.junkemailfilter.com/black.txt
Here's instructions on how to use it with SpamAssassin and Exim.
http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
I'
[EMAIL PROTECTED] wrote:
Hi, list,
the DNS server of manitu.net, Germany, currently the only server hosting
the iXhash blacklist @ ix.dnsbl.manitu.net, is apparently being ddos'ed.
Admins using the iXhash plugin should either temporarily disable using
that server or request being included in a
Richard Frovarp wrote:
Marc Perkel wrote:
Terry Soucy wrote:
In the testing we have done here, less than 1% of connections to our low
priority MX actually cycled around to one of the higher priority MX
systems to deliver the message. I'm still not sure if this is a growing
patter
Terry Soucy wrote:
In the testing we have done here, less than 1% of connections to our low
priority MX actually cycled around to one of the higher priority MX
systems to deliver the message. I'm still not sure if this is a growing
pattern yet, but it could be a sign of spambots catching on.
Shane Williams wrote:
On Fri, 15 Jun 2007, Marc Perkel wrote:
What I see happening is that they are hitting MX randomly. So some
times they hit a good server and sometimes they hit the trap. Once
they have hit the trap several times then they are blacklisted in my
hostkarma blacklist and
Michael Scheidell wrote:
-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Friday, June 15, 2007 3:19 AM
To: users@spamassassin.apache.org
Subject: Innovative Host Blacklisting Idea
I'm trying out a new idea for blacklisting hosts. I have
several email
se
Raymond Dijkxhoorn wrote:
Hi!
servers for processing spam. These servers service my lowered
numbered MX records. I also have several dummy mx records that are
higher numbered than my real servers. So in theory no one should ever
hit the higher numbered servers. Especially when the IP addres
Daryl C. W. O'Shea wrote:
Marc Perkel wrote:
I'm trying out a new idea for blacklisting hosts. I have several
email servers for processing spam. These servers service my lowered
numbered MX records. I also have several dummy mx records that are
higher numbered than my real serv
I'm trying out a new idea for blacklisting hosts. I have several email
servers for processing spam. These servers service my lowered numbered
MX records. I also have several dummy mx records that are higher
numbered than my real servers. So in theory no one should ever hit the
higher numbered s
Just wondering how long it's going to take to get SA 3.2.1 into CPAN?
Every now and then my MySQL database seems to be getting corrupted.
What seems to be happening is that spamd is waiting too long trying to
access the MySQL. Is there any way to get spamd to give up if MySQL
isn't responding to requests?
One thing that I'm not seeing is clean spamc/spamd failover. For
example, what I would like to see is if spamd reaches the max-children
barrier then it should close the port until it processes what it's
working on and then open it back up again. I would also like to see a
setting that would clo
Henrik Krohns wrote:
On Mon, Apr 30, 2007 at 12:41:44PM +0300, Henrik Krohns wrote:
On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
OK - I did this with Exim rules but the same trick could be used in SA.
I figured out a trick that catches 419 spam with amazing accuracy
What's this "use bytes" thing and where do you add it and what does it do?
Theo Van Dinter wrote:
On Tue, May 08, 2007 at 06:45:32PM -0700, Marc Perkel wrote:
I have to admit that I'm seeing higher server load levels since
upgrading to 3.2.0 from 3.1.8 as well. It was enough to make me wonder
if some new features were slowing things down.
Last t
Jerry Durand wrote:
At 01:26 PM 5/8/2007, Daryl C. W. O'Shea wrote:
Bayes auto expiries (taking too long and getting killed)? I think
that's a 600 second timeout.
A couple of months ago I was getting a lot of timeouts due to
auto-expire so I disabled it and set a cron job to stop the mail
Been getting a few strange false positives lately. Here's something unusual.
X-Spam-Report:
* 0.0 HTML_MESSAGE BODY: HTML included in message
* -2.0 BAYES_05 BODY: Bayesian spam probability is 1 to 5%
* [score: 0.0206]
* 1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
As you know SA reports spam to various services like Pyzor, Razor,
Spamcop, etc. Why not have a module that sends messages to
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] etc. If we had such
a module then these free email services could automatically shut down
spammers after seeing a
oh - and - here's my freemail list
OK - I did this with Exim rules but the same trick could be used in SA.
I figured out a trick that catches 419 spam with amazing accuracy.
419 spammers generally use Yahoo, Hotmail, Gmail, and other popular free
mailers. And they generally have different from and reply-to addresses.
And both t
these feeds for sale. Several of the blacklists some of you already use
get spam from me. I hate spam and want to help fight it.
So - if anyone is interested in my feeds let me know and I can set you up.
Marc Perkel
http://www.junkemailfilter.com
Matt Kettler wrote:
You imply Comcast has sufficient technical know-how to manage a network.
For a while their own outbound mailserver wasn't even generating a HELO
or EHLO.
Is that what it was? I had been getting a lot of complaints that random
Comcast users couldn't email anyone one o
John Rudd wrote:
Marc Perkel wrote:
My thinking on this is that if we had better automated reporting then
spammers could be shut down at the source and we could reduce spam
that way. I think what needs to happen is to develop some sort of
auto-reporting of spam process that's easy an
My thinking on this is that if we had better automated reporting then
spammers could be shut down at the source and we could reduce spam that
way. I think what needs to happen is to develop some sort of
auto-reporting of spam process that's easy and tie in ISPs and the big
boys into the databse
Is there an algorithm that one can feed an IP address into and return
the email address of the responsible person for the IP to report spam to?
I'm seeing a lot of one word spam. I'm guessing they are probing for
capabilities. Is anyone else seeing this? If so - what do you know about it?
Kelson wrote:
Aggh. I think Thunderbird 2 changed the menu layout a bit. I hit
"Reply to Sender" instead of "Reply to All."
Marc Perkel wrote:
For what it's worth, what would be nice is if yahoo had some kind of
automated complaint mailbox so that if complaints ab
For what it's worth, what would be nice is if yahoo had some kind of
automated complaint mailbox so that if complaints about a particular
account were coming in at a high rate it would disable the account. Same
for Hotmail, Gmail, and other free mailers.
If automated complaint features were st
701 - 800 of 1072 matches