Re: Caution - access to Spamhaus data-feed may be improperly configured: secnap.com.ionspam.net.

2011-08-19 Thread Michael Scheidell
Bullshit. There is no IP address with a rdns below. Bullshit 2. We aren't querying spamhaus servers. Isn't this just a spam scam? Show me packet traces. -- Michael Scheidell, CTO SECNAP Network Security -Original message- From: MXTools Spamhaus Team msm...@mxtools.com To: Michael

Re: Caution - access to Spamhaus data-feed may be improperly configured: 204.89.241.253

2011-08-19 Thread Michael Scheidell
Bullshit 3. There isn't even a dns server on this host. -- Michael Scheidell, CTO SECNAP Network Security -Original message- From: MXTools Spamhaus Team msm...@mxtools.com To: Michael Scheidell michael.scheid...@secnap.com Sent: Sat, Aug 20, 2011 01:20:11 GMT+00:00 Subject: Caution

Re: Caution - access to Spamhaus data-feed may be improperly configured: 204.89.241.253

2011-08-19 Thread Michael Scheidell
On 8/19/11 9:27 PM, Michael Scheidell wrote: Bullshit 3. There isn't even a dns server on this host. and, checking to see if this is a joe job: considering spf failed: they can't even get THEIR DNS right, and they think I have my DNS set wrong? lusers. Received: from smtp.mxtools.com

Re: Caution - access to Spamhaus data-feed may be improperly configured: 204.89.241.253

2011-08-19 Thread Michael Scheidell
On 8/19/11 9:27 PM, Michael Scheidell wrote: Bullshit 3. There isn't even a dns server on this host. noop, no dns server here on this ip. sockstat -4p53 USER COMMANDPID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS mx1# ps -ax | grep named 37956 p0 S+J0:00.00 grep named

Re: Caution - access to Spamhaus data-feed may be improperly configured: secnap.com.ionspam.net.

2011-08-19 Thread Michael Scheidell
. R's, John don't run a dns server on that host. so, don't know what they think they are looking at. and its spam, UCE (they want me to buy something), has NO remove instructions, and they harvested whois records. anti-spam companies spamming.. really great. -- Michael Scheidell, CTO o: 561

Re: Caution - access to Spamhaus data-feed may be improperly configured: secnap.com.ionspam.net.

2011-08-19 Thread Michael Scheidell
and someone will give them money, someone who doesn't read their contract too closely. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist

Re: Latest sa-update crashing sa-compile?

2011-08-15 Thread Michael Scheidell
. interesting, spamassassin --lint didn't pick anything up. also note, 'scanner2.c' is a blank file, 0 bytes -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot

Re: Latest sa-update crashing sa-compile?

2011-08-15 Thread Michael Scheidell
On 8/15/11 10:13 AM, Michael Scheidell wrote: On 8/15/11 10:07 AM, Daniel McDonald wrote: mine too. running sa-update again(just now) picks up a new build. interesting, spamassassin --lint didn't pick anything up. also note, 'scanner2.c' is a blank file, 0 bytes didn't help: (tz is CEST

its sought_rules: Re: Latest sa-update crashing sa-compile?

2011-08-15 Thread Michael Scheidell
On 8/15/11 10:15 AM, Michael Scheidell wrote: On 8/15/11 10:13 AM, Michael Scheidell wrote: On 8/15/11 10:07 AM, Daniel McDonald wrote: mine too. running sa-update again(just now) picks up a new build. interesting, spamassassin --lint didn't pick anything up. also note, 'scanner2.c

Re: Latest sa-update crashing sa-compile?

2011-08-15 Thread Michael Scheidell
EDT) and was able to stop it from updating systems in more eastern timezones, so I do have systems with sought rules that work. see this diff: http://pastebin.com/57fU6X4D -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile

Re: Latest sa-update crashing sa-compile?

2011-08-15 Thread Michael Scheidell
. re2c: error: line 154, column 2: unterminated string constant (missing ) command failed: exit 1 mx1# I'm going to remove sought for now. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best

Re: linkedin messages

2011-08-13 Thread Michael Scheidell
in? a 501C3 non profit charitable organization? ).. no, a commercial organization. no, return path should de-certify linked in until they have a button like the others have' click here to report abuse' /and/or click here to never get invitations again. -- Michael Scheidell, CTO o: 561-999

Re: How do I disable all spamhaus calls?

2011-08-13 Thread Michael Scheidell
a spamhaus notice, and aren't pulling spamhaus rbls from their DNS, look at your sonicwall. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011

Re: linkedin messages

2011-08-11 Thread Michael Scheidell
, your spam is not 'commercial' its transactional (according to return path who certifies that linked in doesn't spam) -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product

Re: linkedin messages

2011-08-11 Thread Michael Scheidell
On 8/11/11 9:53 PM, Benny Pedersen wrote: why do you self post spam here ? http://tools.ietf.org/html/rfc3676 http://www.hanselman.com/blog/EmailSignatureEtiquetteTooMuchFlair.aspx -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best

pilot error? or idiots at microsoft?

2011-08-10 Thread Michael Scheidell
) received:from MBX1.client.local ([169.254.1.69]) by MBX2.client.local ([169.254.2.63]) with mapi id 14.01.0289.001; Wed, 10 Aug 2011 09:57:51 -0400 -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best

Re: pilot error? or idiots at microsoft?

2011-08-10 Thread Michael Scheidell
be avoided if ms actually followed RFC's http://technet.microsoft.com/en-us/magazine/gg314976.aspx -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company

linked in spam/return path certified spam

2011-08-10 Thread Michael Scheidell
it is NOT on their web site: google site:returnpath.net report+spam (something about hitting the 'report spam' button) which linked in does NOT have in their spam. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011

anyone know anything about lashback?

2011-08-09 Thread Michael Scheidell
the phishing url...) its not listed either. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product

Re: FP: FILL_THIS_FORM_LONG : typo corrected

2011-08-08 Thread Michael Scheidell
test message with 2 jpeg images. it is NOT a blank test message, it includes a 'blank sig' which seems to want information in your lines 57-62. to a computer, it looks like you intentionally left this information blank so the recipient can 'fill the form'. -- Michael Scheidell, CTO o: 561-999

Re: FP: FILL_THIS_FORM_LONG : typo corrected

2011-08-08 Thread Michael Scheidell
On 8/8/11 6:30 AM, Tom Kinghorn wrote: On 08/08/2011 12:23, Michael Scheidell wrote: On 8/8/11 4:16 AM, Tom Kinghorn wrote: Well spotted. I missed that. it was 4am :-) -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile

Re: Conversion Spamassassin(bayes) database to SDBM

2011-07-29 Thread Michael Scheidell
/doku.php?id=documentation:anti_spam:spamassassin:bayes:sdbmrev=1269508492 guide , but it describes solution for mailscanner... but, this is interesting. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product

Re: Performance of Bayes Storage Modules (was Re: Conversion Spamassassin(bayes) database to SDBM)

2011-07-29 Thread Michael Scheidell
On 7/29/11 11:33 AM, David F. Skoll wrote: Has anyone investigated writing a CDB backend for SpamAssassin's Bayes implementation? I'm guessing the need to rewrite the DB each time makes it a bit complex. esp for people with 2gb db's? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948

Re: Performance of Bayes Storage Modules (was Re: Conversion Spamassassin(bayes) database to SDBM)

2011-07-29 Thread Michael Scheidell
to think we go from 1 s/email processing time to 60 seconds or something while journal is locked. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company

Re: Performance of Bayes Storage Modules (was Re: Conversion Spamassassin(bayes) database to SDBM)

2011-07-29 Thread Michael Scheidell
On 7/29/11 12:20 PM, David F. Skoll wrote: This INSERT-only operation cannot block under PostgreSQL MVCC. ok, but are you using cdb or postgresql for bayes? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product

Re: Performance of Bayes Storage Modules (was Re: Conversion Spamassassin(bayes) database to SDBM)

2011-07-29 Thread Michael Scheidell
? do expires? or just interesting entries in local.cf? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security

Re: ok, we all get spam.. but.. spam warning us we opted out?

2011-07-27 Thread Michael Scheidell
and ip's being blacklisted by ip reputation lists like spamcop, dcc, spamhaus, etc. (of course the non legit ones just get a new ipv6 address every 15 mins :-) -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions

Re: ok, we all get spam.. but.. spam warning us we opted out?

2011-07-27 Thread Michael Scheidell
, no, but, maybe someone will tell them to stop violating federal law or dell could be fined. somewhere, somehow, people should be held accountable for using common sense. if they don't BLACKLIST THEM!!! -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security

whitelist_from_rcvd question (and more n+1 rules that score 6 points)

2011-07-27 Thread Michael Scheidell
]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by spammertrap sample headers offline for the truly self indulgent. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product

ok, we all get spam.. but.. spam warning us we opted out?

2011-07-26 Thread Michael Scheidell
? And, maybe its not a 'real spam' since this is 'transactional' and not 'sales' related, so it doesn't count, right? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product

Re: slow bayes queries using innodb

2011-07-25 Thread Michael Scheidell
bayes_expiry_max_db_size 100 missing this: bayes_auto_expire 0 and only run the 'sa-learn --force-expire' late at night, when no one is doing anything. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best

Re: slow bayes queries using innodb

2011-07-25 Thread Michael Scheidell
On 7/25/11 10:41 AM, Jason Ede wrote: The force expire is run in middle of the night, but the bayes_auto_expire 0 isn't set. How often does bayes try and do this if this is 1? just in the middle of when you don't want it to. eg: sorta random -- Michael Scheidell, CTO o: 561-999-5000 d: 561

Re: slow bayes queries using innodb

2011-07-25 Thread Michael Scheidell
' left at its default being turned on using a per-user configuration. google for bayes_auto_expire 0 you will see everyone telling you to turn it off. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011

Re: slow bayes queries using innodb

2011-07-25 Thread Michael Scheidell
with storage other than the filesystem itself. As I stated before, never have I seen an issue using MySQL as a backend. one clue rule -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion

solved: Re: broken emails from techtarget/crn mag? omeda communications?

2011-07-25 Thread Michael Scheidell
On 7/22/11 12:49 PM, Michael Scheidell wrote: On 7/22/11 12:08 PM, Michael Scheidell wrote: On 7/22/11 12:04 PM, Bret Miller wrote: Well, I don't actually subscribe to any active techtarget lists, but I do still get marketing garbage from them. Got one on the 19th that looked fine here

broken emails from techtarget/crn mag? omeda communications?

2011-07-22 Thread Michael Scheidell
NetType:Reassigned RegDate:2003-11-12 Updated:2003-11-12 Ref:http://whois.arin.net/rest/net/NET-205-162-40-0-1 OrgName:Omeda Communications -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best

Re: broken emails from techtarget/crn mag? omeda communications?

2011-07-22 Thread Michael Scheidell
if they sent it wrong. best I can tell: 6/15/ 1605 edt good 6/15/ 1900 edt no good. I am also running some checks for files that changed in that 3 hour period. maybe updated something that broke (some) dkim signed emails. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP

Re: broken emails from techtarget/crn mag? omeda communications?

2011-07-22 Thread Michael Scheidell
On 7/22/11 12:08 PM, Michael Scheidell wrote: On 7/22/11 12:04 PM, Bret Miller wrote: Well, I don't actually subscribe to any active techtarget lists, but I do still get marketing garbage from them. Got one on the 19th that looked fine here. packet captures SEEMS to indicate its them: note

if you don't watch it, legit mail can be blocked

2011-07-21 Thread Michael Scheidell
think that ANY rule that scores above a 3 is asking for trouble? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email

Q about unwhitelist from:

2011-07-19 Thread Michael Scheidell
? would more specific (info@) override least specific? *@ or does it depend on precedence? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist

Re: RCVD_IN_IADB_OPTIN

2011-07-18 Thread Michael Scheidell
RCVD_IN_IADB_MI_CPEARnet nice noautolearn -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product

Re: Amavis

2011-07-18 Thread Michael Scheidell
with amavis problems. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT

Re: sa-update failing

2011-07-16 Thread Michael Scheidell
On 7/16/11 10:54 AM, dar...@chaosreigns.com wrote: My guess is Net::DNS version 0.59 is too old. I on freebsd, we specify a minimum version of Net-DNS=0.63 Not sure if it was due to problems we knew about, or bug reports on this list. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948

Re: whitelist_from_dkim and shortcircuit

2011-07-11 Thread Michael Scheidell
def_whitelist_auth. it will give you a credit score if spf or dkim passes. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011

Re: whitelist_from_dkim and shortcircuit

2011-07-10 Thread Michael Scheidell
sure there isn't something killing your headers. (hint: you cannot whitelist_from_dkim if the dkim signature is invalid!) -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention

Re: Warnings in lint

2011-07-09 Thread Michael Scheidell
AXB_XMID_OEGOESNULL 0 # n=0 n=1 n=2 n=3 mx1# su - vscan -c 'spamassassin --lint' give me no errors at all. -D just makes noise. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention

Google Removes .CO.CC Subdomains Over Phishing, Spam Concerns | threatpost

2011-07-07 Thread Michael Scheidell
domain is well-known in security and anti-spam circles for being a favorite spot for phishing and spam domains, but there also are legitimate domains hosted there. http://threatpost.com/en_us/blogs/google-removes-cocc-subdomains-over-phishing-spam-concerns-070611 -- Michael Scheidell, CTO o

Re: Lowering spam threshold

2011-07-06 Thread Michael Scheidell
settings do, then the amavis group -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT

Re: [clamav-users] AV timeout?

2011-07-05 Thread Michael Scheidell
for 0.97.1 builds?) This mean no action needs to be taken for 0.97.1, and I assume a 0.97.2 is in the works? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot

Re: anti virus EICAR file is not detected by the couple clamd amavisd

2011-07-05 Thread Michael Scheidell
On 7/5/11 3:15 PM, m...@smtp.fakessh.eu wrote: hi folks in my station anti virus EICAR file is not detected by the couple clamd amavisd all testimonials are welcome works fine here. you must be doing something wrong. find out what you are doing wrong and it will work. -- Michael

Re: Update suddenly fails for unknown reasons

2011-06-28 Thread Michael Scheidell
On 6/28/11 4:17 PM, Yves Goergen wrote: Insecure $ENV{TERM} while running with -T switch at /usr/bin/sa-update line 710. did you possibly restart cronjob from cli? and it sucked in the ${TERM} env variable from your console? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259

Freebsd Port for SpamAssassin 3.3.2 posted

2011-06-27 Thread Michael Scheidell
it. If you loaded the pre-official port from our web site, you are advised to install the official port. Remember that SA does not come with current rules, so while installing the port you must run sa-update, or you must run sa-update after you install the port. Happy Hunting! -- Michael Scheidell

score HK_FAKENAME_MICROSOFT (-1) makes lint fail

2011-06-25 Thread Michael Scheidell
: score HK_FAKENAME_MICROSOFT (-1) Jun 25 03:07:57.166 [10956] warn: lint: 1 issues detected, please rerun with debug enabled for more information suggestion (and yes, I'll open a bug) don't fail it? just ignore it? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network

Re: Regression in 3.3.2?

2011-06-25 Thread Michael Scheidell
this decision? or is this a bug? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT

Test port for SpamAssassin for Freebsd

2011-06-24 Thread Michael Scheidell
or support requests for older versions, but it looks like it still compiles on 6.4 and 7.3 -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist

Re: Test port for SpamAssassin for Freebsd

2011-06-24 Thread Michael Scheidell
in thanks.. at 1:46 edt, I updated it to include patch for SA bug 6624 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6624 anyone think of any other critical patches (as long as they are not documentation, or os specific), let me know. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948

Re: Test port for SpamAssassin for Freebsd

2011-06-24 Thread Michael Scheidell
count 3 the same as count value 2. i put the official patch in place at 1:46pm edt. so, I think I am good to go, and will be sending this to freebsd ports maintainers. Mark -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile

Re: Migrating bayes to mysql fails with parsing errors

2011-06-23 Thread Michael Scheidell
at the sample my.cnf configuration files for samples in your configuration sizes. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best

Re: How to test RBL

2011-06-13 Thread Michael Scheidell
-- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT Integrator

Re: How to test RBL

2011-06-13 Thread Michael Scheidell
/RESOLV.CONF.. THE FIRST SERVER ONLY. YOU TESTED IT USING THE AUTHORITATIVE DNS.. YOU MIGHT BE BLOCKED FROM TESTING IT.. YOUR DNS SERVERS MIGHT BE BORKED. IF YOU ASK FOR HELP, FOLLOW INSTRUCTIONS. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation

Re: Sought rules

2011-06-11 Thread Michael Scheidell
/spamassassin_org.cf (or ../etc/mail/spamassassin) ln -s /var/db/spamassassin/{ver}/sought_rules_yerp_org.cf /var/db/spamassassin/{ver}/updates_spamassassin_org.cf/zzz_sought.cf right? scores are ok now? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security

Re: Sought rules

2011-06-11 Thread Michael Scheidell
On 6/11/11 6:45 AM, Michael Scheidell wrote: On 6/10/11 9:56 PM, Karsten Bräckelmann wrote: spamassassin -D config --lint 2>&1 | less so, one MORE option, we don't need to add the symlink to crontab? Jun 11 06:39:13.419 [71425] dbg: config: read file /var/db/spamassassin/3.003001

Re: Sought rules

2011-06-10 Thread Michael Scheidell
practice' is to what? symlink/reorder hack? or stop running sought channels, and add your own scores? Similar to not running sa-update for the main channel. Simply no update. No harm otherwise. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation

Re: Can I install upgraded Spamassassin without uninstalling old?

2011-06-01 Thread Michael Scheidell
to be installed all together. you will need to install newer dkim and spf modules. untar SA, and look at the install and readme's for dependencies. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best

Re: Can I install upgraded Spamassassin without uninstalling old?

2011-06-01 Thread Michael Scheidell
pm's SHOULD work with old SA. look at upgrading file and tar/pax as well. --pat-- -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist

Re: sa-learn in an Exchange 2010 environment

2011-05-19 Thread Michael Scheidell
. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot Company Award, World Executive Alliance * Best in Email Security, 2010 Network

Re: Yahoo sent 5.5x as much spam as any other legit provider in April

2011-05-11 Thread Michael Scheidell
try to tell clients who wonder why they can't get that email from their home yahoo account, cc'd to 175 employees that if we rate limit it, yahoo will not even try to resend it. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation

Re: Yahoo sent 5.5x as much spam as any other legit provider in April

2011-05-11 Thread Michael Scheidell
, then on mx4, bounce the email back to sender with the last mx's ip in the error message and the 4xx too many aol does something similar also, but will send the first 'x' number of emails, and MAYBE later send the rest. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP

Re: Yahoo sent 5.5x as much spam as any other legit provider in April

2011-05-11 Thread Michael Scheidell
. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot Company Award, World Executive Alliance * Best in Email Security, 2010 Network

Re: warn: Use of uninitialized value $opt{syslog-socket} in lc at /usr/local/bin/spamd line 444

2011-05-08 Thread Michael Scheidell
On 5/8/11 7:20 AM, Marco Beishuizen wrote: ... warn: Use of uninitialized value $opt{syslog-socket} in lc at /usr/local/bin/spamd line 444 ... missing the syslog conf setting? PS: running SA on FreeBSD 8.2-STABLE -- the official freebsd port? what port version? newest? -- Michael

Re: After downloading a mail through IMAP, before parsing I want to check if its spam!

2011-04-22 Thread Michael Scheidell
not match any reasonable rbl.. in fact, your legit users would be in dialup, pbl lists. implement captcha and maybe a honeypot rbl list for webspam. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention

Re: Spamassassin regex oddity

2011-04-22 Thread Michael Scheidell
.! if not, then have postfix check server, and insert a header. then let SA score that custom header. (friday is NOT a good day to match wits with regex) -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product

Re: Spamassassin regex oddity

2011-04-22 Thread Michael Scheidell
helo=moutng.kundenserver.de by=mail.redbus.holtain.net ident= envfrom= intl=0 id= auth= msa=0 ] [ ip=84.165.216.65 rdns=p54A5D841.dip.t-dialin.net how about 'msa=0 \] \[ ip=.*rdns=.*dip\.t-dialin\.net/i' (and do you need the /i? isn't it expensive?) -- Michael Scheidell, CTO o: 561-999-5000

Fwd: [#IHH-446659]: spam

2011-04-21 Thread Michael Scheidell
*Michael Scheidell* (Client) Posted On: 21 Apr 2011 11:46 AM i think, that even if a 'member', you can't sign away federal law. even someone who subscribes to a marketing list has the right unsub (and check: go to linked

Re: SPF fail when SPF record looks good

2011-04-20 Thread Michael Scheidell
. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot Company Award, World Executive Alliance * Best in Email Security, 2010

Re: whitelist

2011-04-18 Thread Michael Scheidell
headers (not email) and post the EXACT LINE YOU USED in local.cf you did restart spamd after, right? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT

Re: whitelist

2011-04-18 Thread Michael Scheidell
It's marked no spam. So where is the problem? -- Michael Scheidell CTO SECNAP Network Security 561-948-2259 -Original message- From: Sergei ser...@publicschoolworks.com To: Michael Scheidell michael.scheid...@secnap.com Cc: users@spamassassin.apache.org users

Re: whitelist

2011-04-18 Thread Michael Scheidell
. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot Company Award, World Executive Alliance * Best in Email Security, 2010

Re: whitelist

2011-04-18 Thread Michael Scheidell
. something you typed wrong. a wrong typo. sorry, but at this point, since you are so concerned about actually posting real data, I am sure there is nothing anyone can do to help you. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation

multiple from entries

2011-04-09 Thread Michael Scheidell
, except that the RFC's allow it. Anyone know of any legitimate use of multiple email addresses in a from line? if you want a reply to multiple people, just put them all in the reply to. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security

Re: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC

2011-04-05 Thread Michael Scheidell
to compile the rules or remove the plugin that looks for compiled rules. google. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot

Re: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC

2011-04-05 Thread Michael Scheidell
maintainer, and unless you borked the perl 5.12 upgrade, it should work just fine. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot

Re: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC

2011-04-05 Thread Michael Scheidell
On 4/5/11 3:01 PM, Marco Beishuizen wrote: On Tue, 5 Apr 2011, Michael Scheidell wrote: spamd[1353]: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC (@INC contains: /var/db/spamassassin/compiled/5.012/3.003001 /var/db/spamassassin/compiled/5.012/3.003001/auto /usr/local

Re: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC

2011-04-05 Thread Michael Scheidell
On 4/5/11 3:17 PM, Marco Beishuizen wrote: On Tue, 5 Apr 2011, Michael Scheidell wrote: just 'sa-compile' make sure it completes. do a 'spamassassin --lint' to make sure you don't have any rules that won't compile. also, AFTER you compile the rules, you have to restart spamd. I already

Re: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC

2011-04-05 Thread Michael Scheidell
On 4/5/11 3:28 PM, Marco Beishuizen wrote: On Tue, 5 Apr 2011, Michael Scheidell wrote: did you reload spamd, restart spamd? when you recompile the rules, you need to tell spamd to reload. did this used to work before you upgraded to perl 5.12? Yes I recompiled and restarted spamd. I

Re: New DNS white/blacklist + spamassassin rules Re: Please report IPs delivering ham and spam with this script

2011-04-01 Thread Michael Scheidell
collect percentages of HAM. the collect percentages of BULK). maybe 2nd or 3rd octet could contain 'confidence factor'.. eg: some sliding scale of how many actual emails you have seen? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security

Re: One thing about bug 6558

2011-04-01 Thread Michael Scheidell
slowdowns. -- Michael Scheidell, CTO

please unsub uppermohawkinc.com

2011-04-01 Thread Michael Scheidell
) -- Michael Scheidell, CTO

ups.com virus has now switched to dhl.com

2011-03-31 Thread Michael Scheidell
-mailer:Microsoft Outlook Express 5.00.2919.6700 x-mimeole:Produced By Microsoft MimeOLE V5.00.2919.6700 -- Michael Scheidell, CTO

Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Michael Scheidell
On 3/31/11 1:46 PM, Adam Katz wrote: On 03/31/2011 08:59 AM, Michael Scheidell wrote: What rules? Running `grep -Pri '\b\w?ups' rules*` ('\w?' allows for matching '\bups') hits only one related rule, DOS_FAKE_UPS_TRACK_NUM, which is still in testing (and keys on the word 'UPS' in the subject

Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Michael Scheidell
amavisd-new, we can set up policies, per user, and per domain if needed to match the end users' needs. -- Michael Scheidell, CTO

Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Michael Scheidell
On 3/31/11 3:27 PM, John Hardin wrote: On Thu, 31 Mar 2011, Michael Scheidell wrote: received:from smtp1.txfxczpw.net ([11169.98.12888.1258]) by relay.cxjrc.com with SMTP; Thu, 31 Mar 2011 09:09:04 -0600 ...aren't there any rules for invalid IPs like that? There don't appear to be any

Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Michael Scheidell
On 3/31/11 3:27 PM, John Hardin wrote: On Thu, 31 Mar 2011, Michael Scheidell wrote: received:from smtp1.txfxczpw.net ([11169.98.12888.1258]) by relay.cxjrc.com with SMTP; Thu, 31 Mar 2011 09:09:04 -0600 ...aren't there any rules for invalid IPs like that? There don't appear to be any

Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Michael Scheidell
On 3/31/11 3:27 PM, John Hardin wrote: On Thu, 31 Mar 2011, Michael Scheidell wrote: received:from smtp1.txfxczpw.net ([11169.98.12888.1258]) by relay.cxjrc.com with SMTP; Thu, 31 Mar 2011 09:09:04 -0600 egrep '^Received: from .* \(\[.*\.?[0-9]{4}+\.?\]\) by' NqamNZvwyRnh.eml would need SA

Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Michael Scheidell
a virus. we are seeing about one of these per email address per day. so, a 10,000 user system is seeing 10,000 of these a day now. and they change at about 23:00 GMT. -- Michael Scheidell, CTO

Re: Amazon S3 triggering FPs with SPOOF_COM* rules

2011-03-25 Thread Michael Scheidell
with our clients about setups on their virtual servers. -- Michael Scheidell, CTO

Re: URIBL_RHS_DOB false positives?

2011-03-25 Thread Michael Scheidell
an ipv4 list, but it will block 100% of your spam if you use it in your MTA. (google before you use it) DOB has broken so many times, from a massive delay standpoint to this now that we disabled it a long time ago. -- Michael Scheidell, CTO

Re: fake URL's in mail

2011-03-23 Thread Michael Scheidell
, you can set up exclusions (whitelist) -- Michael Scheidell, CTO

Re: fake URL's in mail

2011-03-23 Thread Michael Scheidell
some domains while not matching others, e.g. allow <a href="http://example.com/">http://example.net/</a> while not allowing <a href="http://example.org/">http://example.net/</a> but I doubt this is possible with this kind of rules. On 23.03.11 14:45, Michael Scheidell wrote: that is why you do

Re: Reproducing Bug 6559

2011-03-23 Thread Michael Scheidell
On 3/23/11 5:10 PM, Karsten Bräckelmann wrote: Michael, I don't think I could follow you. Did you say that these identical systems do have different rules? there might be some slight differences in local.cf. that's it. this one is very strange. offlist if you want more details... -- Michael
